[coreboot] we've always known this was possible and hence never bothered to do it but ...

ron minnich rminnich at gmail.com
Mon May 12 17:17:15 CEST 2008

On Sun, May 11, 2008 at 11:49 PM, Brendan Trotter <btrotter at gmail.com> wrote:

> Of course there's always the added bonus that a hacker can download
> the source code for coreboot, add their own malicious code, compile,
> flash it and then sell the system on eBay to any unsuspecting sucker.
> Coreboot really is the "rootkit friendly" way to go... :-)

Actually, you have just recapitulated the same mythology that OS
vendors used for so many years to justify proprietary, closed-source
OSes: binary-only OSes were somehow "safer" because *only* the vendor
could change them; open source OSes were dangerous because any bad guy
could modify them. The fact is, to a sufficiently determined and
resourceful hacker, binary vs. source based OS is not really an
impediment. In fact, binary is better: there is no chance of checking
or verification, and people foolishly trust it more.

Or do you believe all those windows rootkits do not exist?

If I have a system with BIOS source code available, I can always
verify what's in BIOS. That's not the case for binary BIOS; all kinds
of stuff can hide in there, esp. if it is an EFI system, which is a
complete operating system and has huge amounts of room for nasty bits
of code.

So, to say the least, I don't accept your argument that open source
BIOS is somehow more "hacker" friendly, unless you mean in the 1980s
sense of the word: the lonely guy in the basement. That model is long
dead. Hackers now are well financed and rich in tools and experience.
Binary is not an impediment to them. Binary is an impediment to those
of us who want security.


More information about the coreboot mailing list