=================================================================== RCS file: /cvsrepo/anoncvs/cvs/www/Attic/press.html,v retrieving revision 1.423 retrieving revision 1.424 diff -u -r1.423 -r1.424 --- www/Attic/press.html 2004/11/30 18:12:57 1.423 +++ www/Attic/press.html 2004/12/07 22:04:22 1.424 @@ -16,6 +16,53 @@
+The closed-source component required to support this hardware is +completely independent of the associated operating system, and as +such, is also independent of the engineering team, security team, +auditing process, and quality control procedures normally related +to the operating system... ++
+What's possibly even more disturbing is that we're talking about +a chunk of code in the operating system, running with the highest +possible level of privilege (the kernel), which is supplied by a +third-party vendor. This code could do anything once loaded, including +leaking active WEP keys, gathering usage statistics, sniffing and +disclosing traffic, and it could even introduce a subtle backdoor +into the operating system itself (much the same as any device driver +in a closed source operating system). +
+[A]lthough some of these scenarios are a +little far-fetched, the possibility for them to exist is there... +Ultimately it becomes an issue of trust, which is a cornerstone of +good security: whom do you trust, and how much do you trust them? +
And he comments that trust "seems to be a one-way street": vendors +demand that you trust them, but they won't trust you to know how +their hardware and software operates. +This lack of trust is one reason why OpenBSD has recently completed +reverse-engineering the + +Atheros wireless chipset driver +that was originally provided as a binary insert. +
+