Hi,
On Tue, May 13, 2008 at 12:47 AM, ron minnich rminnich@gmail.com wrote:
On Sun, May 11, 2008 at 11:49 PM, Brendan Trotter btrotter@gmail.com wrote:
So, to say the least, I don't accept your argument that open source BIOS is somehow more "hacker" friendly, unless you mean in the 1980s sense of the word: the lonely guy in the basement. That model is long dead. Hackers now are well financed and rich in tools and experience. Binary is not an impediment to them. Binary is an impediment to those of us who want security.
How long would it take you to add some code to coreboot that displays the string "Hello world"? How long would it take you to add some code to a proprietary BIOS that displays the string "Hello world"?
After you've measured how long it takes, give both modified binaries and both original binaries to your grandparents (who I assume are normal people, without programming experience), and find out how long it takes them to figure out which binaries are the unmodified originals (without your help).
Of course this is just a silly side issue. The main reason for my post was to highlight your hypocrisy - "Everyone look! Some proprietary BIOS has an SMM related vulnerability! The world, sooner or later, is going to get the message :-)". It's like a morbidly obese person laughing at how large a slightly chubby person is, or a heroin dealer complaining that alcohol should be banned because it's bad for your health. Not that SMM vulnerabilities are the only security holes in coreboot (you might want to do a web search for "blue pill" and consider implementing an "enable/disable VMX" option somewhere).
Cheers,
Brendan