version 1.423, 2004/11/30 18:12:57 |
version 1.424, 2004/12/07 22:04:22 |
|
|
<h2><font color="#e00000">Media Coverage</font></h2> |
<h2><font color="#e00000">Media Coverage</font></h2> |
<hr> |
<hr> |
|
|
|
<h2>December, 2004</h2> |
|
<ul> |
|
|
|
<li><font color="#009000"><strong> |
|
<a href="http://www.securityfocus.com/columnists/281"> |
|
Closed Source Hardware</a> |
|
Security Focus, December 1, 2004</strong></font><br> |
|
Symantec Threat Analyst Jason Miller analyzes the potential security threats |
|
when hardware vendors won't provide device documentation and |
|
instead provide "binary only" driver code for inclusion in open source |
|
operating systems. |
|
Miller is an open-source fan who says he uses a variety of systems, including |
|
OpenBSD on his firewall. |
|
Of the recent trend to closed-source binary drivers for open-source |
|
systems, he writes: |
|
<blockquote> |
|
The closed-source component required to support this hardware is |
|
completely independent of the associated operating system, and as |
|
such, is also independent of the engineering team, security team, |
|
auditing process, and quality control procedures normally related |
|
to the operating system... |
|
<br/> |
|
What's possibly even more disturbing is that we're talking about |
|
a chunk of code in the operating system, running with the highest |
|
possible level of privilege (the kernel), which is supplied by a |
|
third-party vendor. This code could do anything once loaded, including |
|
leaking active WEP keys, gathering usage statistics, sniffing and |
|
disclosing traffic, and it could even introduce a subtle backdoor |
|
into the operating system itself (much the same as any device driver |
|
in a closed source operating system). |
|
<br/> |
|
[A]lthough some of these scenarios are a |
|
little far-fetched, the possibility for them to exist is there... |
|
Ultimately it becomes an issue of trust, which is a cornerstone of |
|
good security: whom do you trust, and how much do you trust them? |
|
</blockquote> |
|
<p>And he comments that trust "seems to be a one-way street": vendors |
|
demand that you trust them, but they won't trust you to know how |
|
their hardware and software operates. |
|
This lack of trust is one reason why OpenBSD has recently completed |
|
reverse-engineering the |
|
<a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ath&apropos=0&sektion=4"> |
|
Atheros wireless chipset driver</a> |
|
that was originally provided as a binary insert. |
|
<p> |
|
</ul> |
|
|
<h2>November, 2004</h2> |
<h2>November, 2004</h2> |
<ul> |
<ul> |
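Review bot: the href on the Atheros driver link in the new December 2004 entry uses raw "&" separators (query=ath&apropos=0&sektion=4). Inside an HTML attribute value these should be written as "&amp;" so that validators and strict parsers do not read "&apropos" and "&sektion" as the start of entity references. Two smaller points in the same entry: it ends with an empty <p> directly before </ul>, which can be dropped, and the blockquote separates the quoted paragraphs with <br/> while the line above it uses <br>. Use <br> throughout, or mark the quoted paragraphs with <p>, to match the rest of the page.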
|
|