
SoylentNews is people

posted by martyb on Monday June 24 2019, @11:42PM
from the deep-seated-insecurities-and-paranoia dept.

NSA Starts Contributing Low-Level Code to UEFI BIOS Alternative

The NSA has started assigning developers to the Coreboot project, which is an open source alternative to Windows BIOS/UEFI firmware. The NSA's Eugene Myers has begun contributing SMI Transfer Monitor (STM) implementation code for the x86 processor. Myers works for NSA’s Trusted Systems Research Group, which, according to the agency’s website, is meant to “conduct and sponsor research in the technologies and techniques which will secure America's information systems of tomorrow.”

Myers published a paper about STM last year on how NSA’s STM implementation could work. All Coreboot code, including all the STM contributions from the NSA, is open source, so anyone could verify that there is no backdoor in there -- in theory.

In practice, the NSA could have also written the code in a less-than-secure way with vulnerabilities that are hard to detect without more experienced security researchers. Alternatively, the NSA could also update this implementation years later, when there are fewer eyes on the STM implementation and the update would no longer make headlines.

Better to avoid coreboot and feel secure that the hardware could never subvert my expectations of security and privacy. /s


  • (Score: 3, Informative) by J053 on Tuesday June 25 2019, @09:31PM (1 child)

    by J053 (3532) <{dakine} {at} {shangri-la.cx}> on Tuesday June 25 2019, @09:31PM (#859862) Homepage
    Don't be so quick to throw around the "TREASON!!!1!!" cry. Our Founding Fathers had good reason to be wary of over-broad accusations of treason - under the laws they had to live with, if I called Trump a fat, cheeto-faced dictator wannabe, that would be considered treason and I could be executed, as well as having all of my property seized and my descendants being denied any kind of government jobs or services (see Bill of Attainder). That's why the US Constitution explicitly and narrowly defines treason:

    Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort. No Person shall be convicted of Treason unless on the Testimony of two Witnesses to the same overt Act, or on Confession in open Court.

    The Congress shall have Power to declare the Punishment of Treason, but no Attainder of Treason shall work Corruption of Blood, or Forfeiture except during the Life of the Person attainted.

    Art.III, Sec. 3

    This is a good thing. Treason is the worst crime one can commit against one's country, and should be very hard to prove and punish. We need to find another word for what everybody and his brother keeps calling "treason" these days.

  • (Score: 2) by edIII on Tuesday June 25 2019, @10:09PM

    by edIII (791) on Tuesday June 25 2019, @10:09PM (#859883)

    I consider what those NSA agents did to be as bad as what you describe, and wholly deserving of the term treason. They meet, or exceed, the definition.

    We have enemies. We have enemies operating today in U.S. cyberspace, which is the same as United States territory. We have enemies that have caused many billions in damages to our country. The NSA's paradigm of exploiting/cultivating security weaknesses is tantamount to offering the enemy aid and comfort. In this specific case, it was arming them with cyber weapons that are being used against us. Their specific actions also significantly, and in some cases entirely, reduced the levels of security for the average citizen and small businesses. There is a US city paying ransom to our enemies in cyberspace that operate inside the US against US citizens.

    I stand by what I said. These people need to be tried for treason. It absolutely should be treasonous to weaponize security vulnerabilities, or in other words, create powerful platforms of cyber weapons. The only thing the government needs to do is increase our levels of security, and they deserve all the skepticism they get after what they've done.

    --
    Technically, lunchtime is at any moment. It's just a wave function.