On Sun, May 11, 2008 at 11:49 PM, Brendan Trotter btrotter@gmail.com wrote:
Of course there's always the added bonus that a hacker can download the source code for coreboot, add their own malicious code, compile, flash it and then sell the system on eBay to any unsuspecting sucker. Coreboot really is the "rootkit friendly" way to go... :-)
Actually, you have just recapitulated the same mythology that OS vendors used for so many years to justify proprietary, closed-source OSes: binary-only OSes were somehow "safer" because *only* the vendor could change them; open source OSes were dangerous because any bad guy could modify them. The fact is, to a sufficiently determined and resourceful hacker, binary vs. source based OS is not really an impediment. In fact, binary is better: there is no chance of checking or verification, and people foolishly trust it more.
Or do you believe all those windows rootkits do not exist?
If I have a system with BIOS source code available, I can always verify what's in BIOS. That's not the case for binary BIOS; all kinds of stuff can hide in there, esp. if it is an EFI system, which is a complete operating system and has huge amounts of room for nasty bits of code.
So, to say the least, I don't accept your argument that open source BIOS is somehow more "hacker" friendly, unless you mean in the 1980s sense of the word: the lonely guy in the basement. That model is long dead. Hackers now are well financed and rich in tools and experience. Binary is not an impediment to them. Binary is an impediment to those of us who want security.
thanks ron