=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/Attic/press.html,v retrieving revision 1.423 retrieving revision 1.424 diff -c -r1.423 -r1.424 *** www/Attic/press.html 2004/11/30 18:12:57 1.423 --- www/Attic/press.html 2004/12/07 22:04:22 1.424 *************** *** 16,21 **** --- 16,68 ----
+ The closed-source component required to support this hardware is + completely independent of the associated operating system, and as + such, is also independent of the engineering team, security team, + auditing process, and quality control procedures normally related + to the operating system... ++
+ What's possibly even more disturbing is that we're talking about + a chunk of code in the operating system, running with the highest + possible level of privilege (the kernel), which is supplied by a + third-party vendor. This code could do anything once loaded, including + leaking active WEP keys, gathering usage statistics, sniffing and + disclosing traffic, and it could even introduce a subtle backdoor + into the operating system itself (much the same as any device driver + in a closed source operating system). +
+ [A]lthough some of these scenarios are a + little far-fetched, the possibility for them to exist is there... + Ultimately it becomes an issue of trust, which is a cornerstone of + good security: whom do you trust, and how much do you trust them? +
And he comments that trust "seems to be a one-way street": vendors + demand that you trust them, but they won't trust you to know how + their hardware and software operates. + This lack of trust is one reason why OpenBSD has recently completed + reverse-engineering the + + Atheros wireless chipset driver + that was originally provided as a binary insert. +
+