Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Monday June 24 2019, @11:42PM   Printer-friendly
from the deep-seated-insecurities-and-paranoia dept.

NSA Starts Contributing Low-Level Code to UEFI BIOS Alternative

The NSA has started assigning developers to the Coreboot project, which is an open source alternative to Windows BIOS/UEFI firmware. The NSA's Eugene Myers has begun contributing SMI Transfer Monitor (STM) implementation code for the x86 processor. Myers works for NSA’s Trusted Systems Research Group, which according to the agency’s website, is meant to “conduct and sponsor research in the technologies and techniques which will secure America's information systems of tomorrow.”

Myers published a paper about STM last year on how NSA’s STM implementation could work. All Coreboot code, including all the STM contributions from the NSA, are open source, so anyone could verify that there is no backdoor in there -- in theory.

In practice, the NSA could have also written the code in a less-than-secure way with vulnerabilities that are hard to detect without more experienced security researchers. Alternatively, the NSA could also update this implementation years later, when there are less eyes on the STM implementation and the update would no longer make headlines.

Better to avoid coreboot and feel secure that the hardware could never subvert my expectations of security and privacy. /s


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Interesting) by JoeMerchant on Tuesday June 25 2019, @03:12AM (2 children)

    by JoeMerchant (3937) on Tuesday June 25 2019, @03:12AM (#859589)

    While the NSA could provide some excellent code, as they do recruit very high level talent, their primary mission to date has been to lessen the levels of security.

    While this is the easy tinfoil hat reflex to respond with, think for a moment:

    The NSA is all over UEFI, learning its weaknesses and exploits for them, they've got staff more highly skilled in BIOS security than the crew that designed and implemented UEFI in the first place. Police of various stripes have been demanding legislated backdoors in consumer goods since forever, and politicians periodically back them and attempt to apply pressure to get them installed in products like UEFI - but anybody who's ripped a DVD or BluRay knows that "secret keys" don't stay secret for very long, and any legislated backdoor is just a headstart for the keyholders and ultimately makes the systems vulnerable to everyone.

    Along comes CoreBoot - open source, open review. While the NSA could be attempting to plant vulnerabilities in the code, I think they have a greater incentive to apply their skillset to closing subtle vulnerabilities - and anything so obvious as a backdoor can simply be ripped out by the review team.

    I agree: NSA code should get the most stringent reviews of any accepted into the project, but to turn their contributions away without review would be to ignore a very valuable resource, and one that probably is actually driving to make a more secure end product. Unless they start promoting wonky things like unproven elliptical curves, etc., in which case they can f right off and release their own fork of CoreBoot to anyone who wants the Trump administration snooping in their systems and archiving all their data for leverage in the coming decades.

    --
    🌻🌻 [google.com]
    Starting Score:    1  point
    Moderation   +3  
       Interesting=2, Informative=1, Total=3
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 2, Interesting) by DECbot on Tuesday June 25 2019, @04:23PM (1 child)

    by DECbot (832) on Tuesday June 25 2019, @04:23PM (#859765) Journal

    I've added an extra layer to my tinfoil hat this morning. Look, you apply resources to make the BIOS firmware open source and make the code clear to read and strictly without any backdoors. Why? because you are hiding the backdoors hidden in the hardware. As the attacker, any system you've compromised the first task is to hide that it's compromised and the second task is to secure it from other attackers. The NSA likely knows UEFI is ripe for compromise and cannot get the vendors to do anything to change that. By rolling their own BIOS and make it ultra secure, they can ensure that they can keep their beachhead on the hardware and hide it from other attackers.
     
    In other words, the CPU and NIC are both compromised and they have to secure the BIOS to ensure that no one else can remove or exploit their access.
     
    Now excuse me as I turn the magnetron for my RF generator back on. We all know that passive RF blocking isn't enough anymore and we all need to protect our domiciles with active measures. Let me know when you've got a free energy device working in the 1200kw range. I'm beginning to suspect the power companies are conspiring with the UPS manufacturers ensuring their corruptive messages are making through the line conditioners, filters, and AC-DC-AC conversion.

    --
    cats~$ sudo chown -R us /home/base