
Intel FSP 3 NSA backdoor
With 5 eyes countries mandating access to encryption, this is Intel's answer.
Vendors of the FOSS hardware and software communities are voicing their concerns about closed-source firmware. Virtually impenetrable BLOBs (Binary Large Objects) in firmware mean it's difficult to be sure exactly what the computer is doing. Assuming the BLOBs are unencrypted, and they usually are, you'll have to break out a …
It's not widely known or advertised as such, but the Purism kit still requires the Intel Management Engine to boot up. Definitely not a good first choice for high security applications.
Typing from my Talos II workstation, nice and private but quite the stationary lump otherwise. The old Chromebook I used for mobile computing just isn't adequate these days, with software bloat everywhere. No really good options combine portability, performance, and privacy; sounds like the old adage to "pick two" is the best one can do?
How do you find your Talos II? I'm fairly interested, and have been a POWER fan for decades. A first hand summary report would be gratefully received :-)
I did a lot of embedded work using PowerPCs, and can remember a time when it was possible to boot Windows NT on these boards (I saw this at the board manufacturer, some of their engineers had put that together, and at the time was deeply impressed by the performance). I've always hankered after a proper PowerPC desktop (not a Mac) since.
Happy to oblige, for what it's worth.
Some relevant background: I've been a staunch Linux user for well over two decades, and already moved my PC games to a separate system some years back as I refused to trust Steam with my personal information. I was also using an old AMD true open firmware PC (KCMA-D8) before moving over to the Talos II, back when coreboot meant open source, not a build system around Management Engine and FSP binaries.
The best way I can describe it is that it feels just like a normal PC, other than it takes a really long time to boot up. The only significant issue I have observed is that Firefox is extremely slow, basically unusable, but good progress is being made on fixing that [1]. A Chromium port is available and is very usable even on JavaScript heavy websites; I use the Ungoogled version of that for daily work and am happy with it (typing this comment using it, in point of fact) [2].
On balance it's a lot faster than the old AMD kit, and knowing I cannot be (easily) subverted at a firmware level is well worth the cost. Even using Tor makes sense on a platform like this; with full control of the system it's possible to control and manipulate the data spillage to various totalitarian regimes, and I've had fun with that in the past. Various packages install from the package manager like you would expect, no complaints on that end.
[1] https://www.talospace.com/2022/02/brief-status-update-on-power9.html
[2] https://twitter.com/RaptorCompSys/status/1487858941396766721?s=20
Now Moore's law, that the PC would double in power every 18 months, is well established,
but is there a corollary to that, along the lines of: as the power of the PC doubles, the complexity and number of levels of control will also increase, doubled if you are lucky? :o(
I REALLY miss my little old 486dx2 66MHz beast, and almost getting nostalgic for Windows 3.1 as well ffs, even though I swapped it for W95 without so much as a backwards glance :o)
There is no law that says that firmware has to be open source.
Vendors have every right to keep some cards close to their chest, even if the consequences are a very difficult time finding bugs and vulnerabilities.
On the other hand, blackhats will have a hard time as well.
blackhats will have a hard time as well
Hmm, security through obscurity has not shown to hold up well over time. That said, being fully naked isn't the solution either; after all, you often have IP and methodology to protect.
There ought to be some middle path where a trusted organisation lifts the covers and has a peek, but you'd need multiples of those or you end up with a single point of subversion. See Arthur Andersen for audits...
All that really needs to happen is that the manufacturer is made liable for all of the costs of a data breach, if their firmware allowed it to happen and wasn't replaceable by the machine's current owner.
I'd wager there would be a lot more testing and a lot less firmware overall if bugs and backdoors became the manufacturer's financial problem instead of the machine owner's financial problem.
I also find that closed source empowers the black hats and stymies the white hats, for the simple reason that the black hat just has to find one way to crack the binary to engage in nefarious activities, whereas the white hat ostensibly has to locate all possible cracks and patch them. Having source code massively helps the latter and does not significantly help the former.
A lot of the problems with BLOBs have to do with wireless drivers, which are regulated in that they must not be easily modified to transmit on illegal frequencies or at illegal power levels.
Not saying it's a GOOD thing, just saying it's justified. Pointing to the REAL problem, government regulatory agencies and the laws that force manufacturers to abide by them.
Also not saying that a free-for-all in transmit power, frequencies, and RF interference in general is a good thing either...
(an imperfect world filled with imperfections)
As for things like video drivers (and I'm talking about YOU, NVidia), they are difficult to fix bugs in if you keep them closed source...
Back in the old days, "firmware" really was "firm" because it was blown onto a ROM and could not be changed. Unless you physically read the ROM, you would never see those bytes. From the end user's point of view it might as well have been wires. After all, even CPUs had microcode, and nobody got upset about not being able to change the microcode; it was just part of the hardware.
The Free Software Foundation says it starts caring at the point where the bytes can be changed post manufacture, i.e. the "firmware" can be updated. Obviously a boundary has to be set somewhere, but it's hard to understand why this exact boundary: what if the updates are not compulsory and you could carry on using the first version of the firmware (or the version that was current at the time you bought the device) if you want? Would that not be equivalent to having bought it in a ROM as part of the device? Should they perhaps refine the boundary to say they start caring at the point where the updates become essential, for example because they are security fixes, instead of just saying they care about bytes that could in theory be updated but don't have to be?
Biting the hand that feeds IT © 1998–2022