On Mon, Mar 02, 2015 at 02:26:02PM +0100, Paul van der Vlis wrote:
On 02-03-15 at 12:05, Albert Dengg wrote:
hi,
On Mon, Mar 02, 2015 at 11:24:39AM +0100, Simon Josefsson wrote:
Paul van der Vlis paul-kzJ6NpsJWJiWrUy98/Atqw@public.gmane.org writes:
...
What do I forget?
well depending on what counts:
- (web) camera
I did mention a webcam.
- in most cases the touchpad i think
I did mention that.
sorry i overlooked it...
- the display itself most likely contains firmware
Hmm... Correct!
in short: most "high level" hardware parts (e.g. entities normally considered as one functional item) contain firmware of sorts, and unfortunately most of it is non-free (and in some cases it might not be possible to replace them, as some pieces of hardware are probably not designed with upgrading firmware in mind).
I am most interested in the devices that have replaceable firmware. Because somebody could do bad things with it, like they did with the firmware of hard disks.
It would be nice if it would be possible to make a list of all parts of the hardware that have upgradeable firmware. Not sure that's possible...
personally i would also separate "upgradeable" into two categories:
* doable at runtime (either dynamic loading from userspace or by being able to write to it while the system is running)
* upgradable by using an external programmer or replacing the storage (flash)
the first group poses the most immediate problem for the user, as it is (relatively) easy for an attacker as soon as he has temporary control over the computer. the latter is of course also interesting for people willing to invest time into developing truly free systems. The security problem in closed, non changeable firmware is of course also there, however i regard it in the same class as malicious hardware design by itself (see for example clipper chip).
as for the list: it would also be helpful to list every component that has been considered, but deemed not to contain firmware relevant for the list, as this makes it possible to judge hardware not directly listed without having to assume that everything that is not listed is harmless (which is a problem, as systems change all the time).
thx for bringing up the subject.
regards, albert