UEFI + SecureBoot : a bless or a disaster?


Re: UEFI + SecureBoot : a bless or a disaster?

Postby neuraleskimo » 2020-08-05 13:15

LE_746F6D617A7A69 wrote: If someone claims that his program does not have any bugs, then it only means that he didn't test the program thoroughly ;)

The probability that the program has a bug grows exponentially with the number of lines of code.
The probability that there's a security hole grows exponentially with the number of bugs.
The above holds for 100% of software created by humanity so far.

This also explains why, after tens of years of development of security systems, we still have hundreds of CVEs each year.
I dare to claim that adding countless layers of security is the main factor responsible for countless security holes.

KISS = Keep It Simple, Stupid!


Yes. This is exactly why I advocate for the use of well-vetted libraries, no/low-overhead abstractions, and the use of modern verification/validation tools.
Black Lives Matter
neuraleskimo
 
Posts: 195
Joined: 2019-03-12 23:26

Re: UEFI + SecureBoot : a bless or a disaster?

Postby Deb-fan » 2020-08-06 15:07

Looked up boothole, got to the point where it said with local root access we were able to blahblahblah. Lost much interest right there, with root access local or remote, makes further discussion pointless. With that (root access) mostly game over if the person has malicious intent. Still glad people devote time/energy discovering-docing junk like this though, upstream will address it, as a desktop nixer clearly doesn't qualify as something which needs immediate attention. Naming it boothole was a perfect choice imo in this case.

Already noted think secureboot is mostly useless too. Though however many layers, whomever wishes to use, is up to each admin. :)
Most powerful FREE tech-support tool on the planet * HERE. *
Deb-fan
 
Posts: 968
Joined: 2012-08-14 12:27

Re: UEFI + SecureBoot : a bless or a disaster?

Postby LE_746F6D617A7A69 » 2020-08-06 20:32

Deb-fan wrote: Looked up boothole, got to the point where it said with local root access we were able to blahblahblah.

That's the whole point: most of those "shocking vulnerabilities" discovered recently (in the past few years) require root privileges - so the obvious and quite simple question is:
If those "security holes" require root privileges, then why are they called "security holes"? - the admin is allowed to do just anything, including potentially insecure operations (like changing the firmware)

I think that it's all about the fame & fear -> some "hackers" with at most average skills can get attention and even get paid for pretending to be "security experts" ...

Of course they can get paid only by the press - none of the serious companies will hire them - to avoid scandals ...
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed
LE_746F6D617A7A69
 
Posts: 414
Joined: 2020-05-03 14:16
