Reply to post: Re: manufacturers are to blame 100%

Noobs can pwn world's most popular BIOSes in two minutes

Anonymous Coward

Re: manufacturers are to blame 100%

EXACTLY what I was thinking...

> "Because almost no one patches their BIOSes, almost every BIOS in the wild is affected by at least one vulnerability, and can be infected," Kopvah says.

> "The point is less about how vendors don't fix the problems, and more how the vendors' fixes are going un-applied by users, corporations, and governments."

Bollocks! Absolute bollocks. The problem is the vendors and the BIOS cartel. 100% vendors and the BIOS cartel.

BIOS and its (astonishingly) even more clusterfuck successor, the name of which I dare not invoke, is an unbelievably opaque morass of unnecessary antiquated obsolete demented crap. It's difficult to imagine that even a very well funded government TLA could contrive a better abomination with which to disseminate little "accidents" if it had been tasked with pwning the whole world's computers. A BIOS is an ancient, barely maintained, bug-ridden clusterfuck when the vendors buy it in. Obsolete before the hardware even ships, the only "updates" the vendors seem to dare touch are trivial compatibility additions like adding IDs for new CPUs or pissing about with the UI. Blaming the end-user for this is psychotic.

> The need for better BIOS security is "starting to sink in" with top vendors Lenovo, Dell and HP moving to squash flaws in their gear. ASUS, Kopvah says, is a good example of those which had not patched or acknowledged BIOS flaws.

> Some BIOS are woefully insecure. The pair found Gigabyte's BIOS had borked access controls that did nothing to prevent attacks.

See. Told you so! I wonder what, EXACTLY, is supposed to be the point of my flashing on "some woefully insecure BIOS." I'll also happily wager a fiver that even "top vendors Lenovo, Dell and HP" BIOSes are NOT free of "0-days" either.

> "The point is less about how vendors don't fix the problems, and more how the vendors' fixes are going un-applied by users, corporations, and governments."

Really? REALLY?

Bollocks.

Sincerely,

Incandescent with Indignation, Chipping Sodbury.

PS. +1 to the jumper/dip revival movement, +1 to coreboot. Shirely it's time to put an end to this shit-by-design shit. Sometimes it almost seems like some great unseen power actually wants to keep computing insecure and is scuttling about spewing demented overcomplexity and turbidity to that end. http://www.theregister.co.uk/2015/03/18/is_the_dns_security_protocol_a_waste_of_everyones_time_and_money/

PPS. Thank god these opaque, archaic, over complex, "woefully insecure" clusterfuck blobs are now cryptographically signed by the NSA's Redmond division. Taking away my jumper switch and handing control of my computer to the trusted (by reciprocal definition - as I seem to have been told rather a lot lately) US government certainly makes me feel all safe and fuzzy. They're cryptographically secure clusterfuck blobs now FFS! Awesome!

/indignant ranting
