Security researchers at FireEye / Mandiant [say] "We identified the presence of a financially-motivated threat group that we track as FIN1, whose activity at the organisation dated back several years."
[...] "FIN1 used this malware to access the victim environment and steal cardholder data. The group, which may be located in Russia, is known for stealing data that is easily monetised from financial services organisations such as banks, credit unions, ATM operations, and financial transaction processing and financial business services companies."
[...] The malware's installation location also means it will persist even after re-installing the operating system, widely considered the most effective way to eradicate malware.
Can we all agree that updating firmware should require the movement of a physical jumper?
(Score: 4, Informative) by edIII on Tuesday December 08 2015, @11:38PM
I have no idea what you're on about, but it's nonsensical. Privacy advocacy on its own provides very little meaningful increase in security for the OS.
A jumper works wonderfully if it works exactly as advertised. Meaning you can't possibly write to the firmware without the jumper being in place.
In this situation, pray tell, how do you physically short a jumper from a remote network? I can't figure out how, so I certainly can't figure out what you've been smoking :)
It's what we've needed for a very long time. A method by which we could install read-only firmware. Want to update? Short the jumper, insert the USB stick, restart the unit, wait for flash success, remove USB stick, unshort the jumper, and restart.
Very simple reason why manufacturers don't do this. They're lazy, don't care, and don't want it to be that hard to update firmware in the first place. It provides a very high barrier to entry, but one I think may eventually be absolutely necessary.
What makes very little sense is that people poo-poo the jumper, but endorse Secure Boot and UEFI (which makes running most Linux distros impossible). Encrypted keys are not nearly as secure as the jumper, and they actually provide a pretty contentious barrier to entry themselves. The jumper is the FOSS version of SecureBoot that doesn't require any encrypted keys.
Also quite puzzling is your further diatribe on privacy. I think you're spot on, but you're overlooking the fact that the jumper can provide people what you want in the first place: Privacy & Security. Neither of which can come without absolute transparency (not one single blob/binary), and the ability to moderate secure boot loaders and firmwares you need to get your system up and running.
What you want most likely is a combination of a Purism product with a jumper secured read-only bios. The bios/firmwares themselves need not be written to the motherboard at all, but held on a USB stick, or MicroSD. Pull it out, put in another system (dev), load your bios/firmwares and possibly bootloaders, put it back in the system, and restart. The USB stick by default could be read-only period in that setup, if we're okay with requiring a pair of systems.
Technically, lunchtime is at any moment. It's just a wave function.