A "multi-year effort to prevent hackers from altering computers while they boot up has largely failed because of lax application of preventive steps, researchers say, despite disclosures that flaws are being exploited."
More from the article:
In the latest sign that the problem persists, researchers at the federally funded MITRE lab said this week that many customers of Intel Corp still had not adopted revised security designs Intel distributed in March after the MITRE team found new vulnerabilities in the start-up process. That could mean many newer Windows computers remain exposed, the MITRE team told Reuters ahead of a presentation at the Black Hat security conference in Las Vegas next week. The stubborn glitches illustrate how such well-funded spying programs as those exposed by former National Security Agency contractor Edward Snowden can continue to succeed against targets that depend on a complex supply chain.
Ironically, the article also points out:
Long before Snowden's documents began appearing in the media, professional technicians and U.S. officials were concerned about the vulnerabilities that left computers severely exposed as they are turned on. Years ago, then-U.S. National Security Agency Director Keith Alexander privately urged the chief executives of major American technology companies to do something about the boot-up procedure known as the Basic Input/Output System, or BIOS.
(Score: 5, Informative) by Anonymous Coward on Saturday August 02 2014, @04:46PM
They want computers to only boot to the OS they were sold with, therein turning them into more fully disposable devices.
(Score: 5, Interesting) by U on Saturday August 02 2014, @04:55PM
The core of this article is the following argument:
This argument is quite incoherent, since if malware already has root access to the operating system, you're already SOL. The only further advantage obtained by trojaning the MBR is the potential ability to conceal the malware better via rootkits (but this is assuming there is no other way to compromise the kernel.)
The real problem here is the vulnerability of operating systems. If you don't want the MBR to be trojanable, the operating system shouldn't allow it. This is more a testament to the failure of operating systems to provide real security guarantees than anything else.
Of course, secure boot is also a convenient vehicle for the tivoisation of absolutely all consumer devices. Currently Microsoft's rules for x86 PCs say that Secure Boot must be disableable, so this isn't a threat. Yet these rules also state that secure boot must NOT be disableable on ARM devices. It's pretty clear that the only reason Microsoft isn't mandating secure boot on x86 is because it doesn't think it can get away with it (firstly because they're already a regulated monopoly in the x86 PC market, and secondly because people are used to being able to install what they want on x86, so an inevitable backlash would happen. In fact it did anyway due to widespread misunderstanding about Microsoft's intentions. Though I believe Microsoft only decided to mandate that Secure Boot on x86 must be disableable after the backlash.)
(Score: 3, Insightful) by Runaway1956 on Saturday August 02 2014, @06:03PM
Uh-huh - I may have missed that had I not read your post before reading TFA. (I'm tired, and ready to fall into bed.)
I could be a wise-ass, and point out that Intel is fearful of these exploits, while AMD doesn't seem to be bothered by it.
Abortion is the number one killer of children in the United States.
(Score: 3, Interesting) by U on Saturday August 02 2014, @07:47PM
Intel is pretty addicted to code signing. The amount of signed code checked before an Intel x86 processor even executes the first opcode is disturbing:
See here [coreboot.org] and here [coreboot.org] for details.
It barely needs mentioning that UEFI firmware will be signed, and firmware updates verified. There's a provision in the UEFI specification for the installation of unsigned firmware via manual confirmation via physical presence, but implementation of this is "optional".
(Score: 3, Insightful) by kaszz on Sunday August 03 2014, @12:46AM
Seems like a giant plot to evict user-coded software from users' computer systems. NSA via Intel etc. want to hook users into their exploits by mandate and force.
As smartphones have shown, code signing isn't really a protection, but it sure obstructs free software. Or shall we say user-audited and inspected code.
(Score: 0) by Anonymous Coward on Monday August 04 2014, @04:03AM
IMH-and-possibly-mistaken-O I'll disagree about Code signing being a protection. And while I understand and agree with the basis of your fear of it as a way to obstruct free software, the real bottom line is that Code signing is wonderful, as long as the user has all of the source code, the tools to modify as they desire, and ability to generate their own keys and sign their own builds. If the user has the power of access and ability to modify all source, then Code signing is pure joy. The pathological case is simply a single signed boot loader that proceeds to bootstrap from unsigned code. There, the user whether they like or dislike code signing wins at no cost. The problem that code signing is trying to solve is a good one to solve. It's just whether or not the person who actually shelled out dollars for the device is the "owner" of the system, or just the "renter" of a black box. A society where everyone is the "renter" of a black box controlled by a corporation (easily infiltratable by one or more governments), does not sound good to me. But a society where everyone is the "owner" of devices that they can run according to manufacturer specs, or their own in a "general purpose" fashion, sounds like where I'd like to see things go. Snowden+14months and I'm not optimistic about the way the winds are blowing in a society where the president is quoted as "yeah, we torture some folks, and no, there will be no criminal prosecution of that"...
(Score: 2) by opinionated_science on Saturday August 02 2014, @07:26PM
Yes, it would appear that malign corporate interests override the benefits to humanity...no surprise there.
(Score: 0) by Anonymous Coward on Saturday August 02 2014, @10:26PM
I give up. srsly if the computer chip comes with a state mandated backdoor then this amounts to official police state and we users can do nothing about it. if we the paying customer cannot trust the manufacturer then really we have to change our perspective. I think this needs to be verified and openly dragged into the ... error.. sunshine.
(Score: 1, Interesting) by Anonymous Coward on Sunday August 03 2014, @01:33AM
That was the last operating system Microsoft put out that DID NOT have 'Product Activation' baked into it.
So that leaves us activating Windows XP and later by phone if that is still possible.
Or flout the DMCA in the USA and somehow disable it without going online or making the phone call.
If those options are out/unavailable, then as Private Hudson (Bill Paxton) said in ALIENS (1986) "It's game over, man, game over!" for Windows users....