NSA-proofing your firmware

anvilfour

You may be rolling an obscure flavor of Linux on your new laptop and sporting a Free Software Foundation bumper sticker on your bio-diesel powered V-Dub, but chances are your open-source laptop isn't really that "free," thanks to closed firmware binaries hidden deep inside hardware itself.

Source : http://www.pcworld.com/article/2860446/this-freedom-loving-laptop-discovered-how-to-make-intel-cpus-boot-without-closed-firmware.html

This issue speaks to the proprietary BIOS and also firmware e.g wireless drivers on your machine. These binary blobs are largely impenetrable and there's no guarantee that spyware doesn't come with them. Despite protests from Linux Developers there is no sign that hardware vendors are going to change this policy any time soon.

Some steps seem to have been made to address this issue. There are of course examples of Open source firmware like coreboot which can replace the BIOS on some machines.

Funding recently was found for the Librem 15 which claims to be a "Laptop which respects your rights," however the coreboot team are considerably skeptical about this:

The possibility of reverse engineering those blobs existed at the time. Although that takes a lot of effort, we’ve done it numerous times before. But they never asked. Had they done so, we would have also told them about another major offender. That’s the microcontroller in the chipset, which needs a signed firmware binary. By “signed” I mean a state-of-the art cryptographic verification mechanism. The chipset will refuse to run any firmware unless it was signed by a secret key held deep within Intel’s most secure dungeons. In short, this blob isn’t going away.

Source : http://blogs.coreboot.org/blog/2015/02/23/the-truth-about-purism-why-librem-is-not-the-same-as-libre/

The article goes on to say that the Librem team originally said that they were going to try to ask Intel for a microcontroller which doesn't request signed binaries but it seems now that the microcontroller will in fact be a regular one, making the laptop no more secure than any other.

Richard Stallman, a developer of GNU also points us towards the GlugGlug project which takes old ThinkPad X60's and puts mostly free firmware on them as well as the Trisquel Operating System.

Once again this seems to fail to address the issue with the microcontroller.

Do we have to give up in despair or is there a way to move towards truly open source firmware throughout your device? I'd like to know what moves you guys have made towards this? Or is it of no concern to you?

anvilfour

See also:

https://en.wikipedia.org/wiki/Binary_blob

FSL

From a business security perspective, particularly if you are engaged in R&D, the only really secure option is to have your internal network totally isolated from the internet. You then have a separate network, which has no hardware overlap in any way shape or form, for those times when you need to communicate outside of your internal network.

In addition any commercially sensitive information sent over the internet, should be encoded using a system of one off keys equal in length to the message length.

You would probably have to be working on a really high value ground breaking project or something spectacularly nefarious to justify such a set up.

anvilfour

FSL wrote: »

From a business security perspective, particularly if you are engaged in R&D, the only really secure option is to have your internal network totally isolated from the internet. You then have a separate network, which has no hardware overlap in any way shape or form, for those times when you need to communicate outside of your internal network.

In addition any commercially sensitive information sent over the internet, should be encoded using a system of one off keys equal in length to the message length.

You would probably have to be working on a really high value ground breaking project or something spectacularly nefarious to justify such a set up.

Thanks FSL,

I think you're right - it seems the only surefire way to protect yourself from binary blobs / firmware with backdoors is to prepare messages offline then move them onto a machine connected to the internet.. anything else is just reducing risk not eliminating it!

anvilfour

Further to the OP, an excellent article on five of the best Linux distros with no proprietary firmware whatsover:

http://www.cyberciti.biz/tips/best-gnu-linux-distributions.html