top | item 39879195

heresWaldo | 1 year ago

Yeah, these types of security issues will be used by politicians to force hardware makers to lock down hardware, embed software in chips.

The go-fast startups' habit of “import the world to make my company products” is a huge security issue IT workers ignore.

The only solution politics and big tech will chase is obsolete said job market by pulling more of the stack into locked down hardware, with updates only allowed to come from the gadget vendor.

georgyo|1 year ago

I'm not saying political forces won't try legislating the problem away, but that won't even help here.

A supply chain attack can happen in hardware or software. Hardware has firmware, which is software.

What makes this XZ attack so scary is that it was directly from a "trusted" source. A similar attack could come from any trusted source.

At least with software it is much easier to patch.

heresWaldo|1 year ago

Like you said, it has firmware, which is flashable. Secure enclaves are never 100% secure but if only, for example, Apple can upload to them, it dramatically reduces some random open source project being git pulled. Apple may still pull open source but they would be on the hook to avoid this.

Open source's days of declaring “use at your risk” have become a liability in this hyper-networked society. It’s now becoming part of the problem it was imagined up to solve.

avidiax|1 year ago

The NSA demands that Intel and AMD provide backdoor ways to turn off the IME/PSP, which are basically a small OS running in a small processor inside your processor. So the precedent is that the government wants less embedded software in their hardware, at least for themselves.

If we relied on gadget vendors to maintain such software, I think we can just look at any IoT or router manufacturer to get an idea of just how often and for how long they will update the software. So that idea will probably backfire spectacularly if implemented.

BlueFalconHD|1 year ago

What does the IME or PSP do?

berkes|1 year ago

Why would "embed software in chips" be a solution?

If anything, I'd expect it to be an even bigger risk, because when (not if) a security issue is found in the hardware, you now have no way to fix it, other than throwing out this server/fridge/toothbrush or whatever is running it.

heresWaldo|1 year ago

A flashable secure enclave segment in the hardware stack is an option to patch around embedded bugs.

I haven’t worked in hardware design since the era of Nortel, and it was way different back then but the general physics are the same; if, else, while, and math operations in the hardware are not hard.

In fact your hardware is a general while loop; while has power, iterate around refreshing these memory states with these computed values, even in the absence of user input (which at the root is turning it on).

Programmers have grown accustomed to being necessary to running ignorant business machines but that’s never been a real requirement. Just a socialized one. And such memes are dying off.

WesolyKubeczek|1 year ago

Which will make updates either expensive or impossible. You will be able to write books about exploitable bugs in the hardware, and those books will easily survive several editions.