LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > General
User Name
Password
General This forum is for non-technical general discussion which can include both Linux and non-Linux topics. Have fun!

Notices

Reply
 
Search this Thread
Old 04-17-2013, 12:55 PM   #1
teckk
Senior Member
 
Registered: Oct 2004
Distribution: FreeBSD Arch
Posts: 1,752

Rep: Reputation: 188Reputation: 188
AMIBIOS Source Code and AMI's UEFI Signing Key Leaked


http://adamcaudill.com/2013/04/04/se...ky-ftp-server/

http://www.techpowerup.com/182484/AM...ey-Leaked.html

http://ami.com/News/PressRelease/?PrID=392

http://www.pclinuxos.com/forum/index.php?topic=115013.0
 
Old 04-27-2013, 09:01 AM   #2
Sigg3.net
Member
 
Registered: Mar 2008
Location: Oslo, Norway
Distribution: Fedora 17, Ubuntu 12 LTS and Ubuntu server 10.04
Posts: 161

Rep: Reputation: 22
Another good reason why open source and the GPL should be advocated
Business secrets are not infallible, 1 weak link like an open FTP at a sub dev team is enough, so at best it's security through obscurity.
 
Old 04-27-2013, 10:10 AM   #3
jens
Senior Member
 
Registered: May 2004
Location: Belgium
Distribution: Debian, Slackware, Fedora
Posts: 1,190

Rep: Reputation: 159Reputation: 159
Old news...

While things like this should never happen, do keep in mind that those keys were never meant for end users (they're meant to be replaced by vendors).

Quote:
Another good reason why open source and the GPL should be advocated
Business secrets are not infallible, 1 weak link like an open FTP at a sub dev team is enough, so at best it's security through obscurity.
Those keys have nothing to do with either "security through obscurity" or OSS/GPL (ignoring the almost funny silverlight upload tool).

Last edited by jens; 04-28-2013 at 08:57 AM.
 
Old 04-27-2013, 10:16 AM   #4
Sigg3.net
Member
 
Registered: Mar 2008
Location: Oslo, Norway
Distribution: Fedora 17, Ubuntu 12 LTS and Ubuntu server 10.04
Posts: 161

Rep: Reputation: 22
When 1 hardware key is hard-coded into the firmware, my opinion is that it is security through obscurity. You just need 1 key to defeat the whole house of cards. Remember when the first bluray code was found. If the process was F/OSS it would not be possible to use this approach to security because the source would be available to anyone. That was my point with the GPL reference

Also, proprietary source code is available for purchase on the darker sites of the intarwebz.
 
Old 04-27-2013, 03:06 PM   #5
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Slack14_64_Multilib
Posts: 3,089
Blog Entries: 4

Rep: Reputation: 746Reputation: 746Reputation: 746Reputation: 746Reputation: 746Reputation: 746Reputation: 746
http://www.linuxquestions.org/questi...ed-4175456994/
 
Old 04-28-2013, 02:25 AM   #6
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Yes, I do remember posting it as well.
 
Old 04-28-2013, 09:53 AM   #7
jens
Senior Member
 
Registered: May 2004
Location: Belgium
Distribution: Debian, Slackware, Fedora
Posts: 1,190

Rep: Reputation: 159Reputation: 159
Quote:
Originally Posted by Sigg3.net View Post
When 1 hardware key is hard-coded into the firmware,
It's revocable.
OEMs can add/change as many keys as they like ...

Quote:
Originally Posted by Sigg3.net View Post
my opinion is that it is security through obscurity.
Even if it would rely on just one key (it doesn't), where's the obscurity?

Quote:
Originally Posted by Sigg3.net View Post
You just need 1 key to defeat the whole house of cards.
That's not true.
They're both revocable and expandable.
You can add a different key for every driver and change/blacklist them later.

Quote:
Originally Posted by Sigg3.net View Post
Remember when the first bluray code was found. If the process was F/OSS it would not be possible to use this approach to security because the source would be available to anyone. That was my point with the GPL reference
I still don't see the similarity.
Do you consider keeping your ssh and gpg keys private as anti-FOSS/GPL as well ... ?

PS: I think you're confusing Secure Boot with the bigger Restricted Boot problem.

Last edited by jens; 04-28-2013 at 10:08 AM.
 
Old 04-28-2013, 10:14 AM   #8
Sigg3.net
Member
 
Registered: Mar 2008
Location: Oslo, Norway
Distribution: Fedora 17, Ubuntu 12 LTS and Ubuntu server 10.04
Posts: 161

Rep: Reputation: 22
Sorry, I thought the hard-coded keys could not be changed. My bad
 
Old 04-28-2013, 10:49 AM   #9
jens
Senior Member
 
Registered: May 2004
Location: Belgium
Distribution: Debian, Slackware, Fedora
Posts: 1,190

Rep: Reputation: 159Reputation: 159
Quote:
Originally Posted by Sigg3.net View Post
Sorry, I thought the hard-coded keys could not be changed. My bad
Main reason why all default keys have a Microsoft tag is rather obvious:
They're the only ones providing/selling them (it would be nice and less confusing if this changed, everyone is allowed to do so).

That said, I dislike its current implementation as much as anyone else

Last edited by jens; 04-28-2013 at 10:52 AM.
 
Old 04-29-2013, 08:07 PM   #10
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,282

Rep: Reputation: 1088Reputation: 1088Reputation: 1088Reputation: 1088Reputation: 1088Reputation: 1088Reputation: 1088Reputation: 1088
I pleasantly and smugly observe that the folks who dreamed up (version 1.0 of ...) this feature definitely were not cryptographers.
 
Old 04-30-2013, 10:15 AM   #11
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Slack14_64_Multilib
Posts: 3,089
Blog Entries: 4

Rep: Reputation: 746Reputation: 746Reputation: 746Reputation: 746Reputation: 746Reputation: 746Reputation: 746
Quote:
Originally Posted by sundialsvcs View Post
I pleasantly and smugly observe that the folks who dreamed up (version 1.0 of ...) this feature definitely were not cryptographers.
My five-year-old child advisor will also be asked to decipher any code I am thinking of using. If he breaks the code in under 30 seconds, it will not be used. Note: this also applies to passwords.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
AMI Firmware Source Code and Private Key Leaked H_TeXMeX_H General 0 04-05-2013 12:59 PM
PlayStation 'master key' leaked online Jeebizz Linux - News 0 10-24-2012 04:41 PM
Playstation 3 Code Signing Cracked For Good Jeebizz Linux - News 2 01-05-2011 02:00 PM
LXer: Code signing systems LXer Syndicated Linux News 0 12-14-2005 08:31 PM
Windows 2000 and NT source code leaked closet geek General 38 03-06-2004 02:43 PM


All times are GMT -5. The time now is 04:57 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration