▶ No.1071505>>1071539 >>1071542 >>1071547 >>1071566 >>1072338 >>1073591
>The US National Security Agency (NSA) has developers contributing to the Coreboot project.
>Eugene Myers of the NSA under the Information Assurance Research, NSA/CSS Research Directorate, has been leading some work on an STM/PE implementation for Coreboot.
>This implementation is for an SMI Transfer Monitor (STM) to offer protected execution services on x86 by serving as a hypervisor in x86 SMM mode. The NSA work extends STM to support additional virtual machines and paired with an integrity measurement engine can offer greater security to the system.
https://www.phoronix.com/scan.php?page=news_item&px=Coreboot-STM-PE-NSA
____________________________
Disclaimer: this post and the subject matter and contents thereof - text, media, or otherwise - do not necessarily reflect the views of the 8kun administration.
▶ No.1071539>>1071571
>>1071505 (OP)
Archive the link.
▶ No.1071542
>>1071505 (OP)
Fucking glowies.
▶ No.1071547>>1071555
>>1071505 (OP)
Use Trannyboot
▶ No.1071555
▶ No.1071566
>>1071505 (OP)
What could possibly go wrong, goys?
>[greedy rubbing noises intensifies]*
---
>no archive
>on a thread specifically about glowniggers
shit OP
▶ No.1071571>>1071580 >>1071588 >>1072420
>>1071539
I like phoronix, he deserves a few clicks unless he's cucked and I missed something
▶ No.1071580>>1072420
>>1071571
no one "deserves" clicks
▶ No.1071588>>1072025 >>1072332 >>1072420
>>1071571
dumbass, you can't access it behind the cloudflare paywall via tor. always present an archive link first and foremost, then a broken link if you want sites to be able to grub clickshekels as well. otherwise you come across as a shill tbh.
▶ No.1072025
>>1071588
>you can't access it behind the cloudflare paywall via tor.
I read phoronix via tor regularly. You're talking out your arse.
▶ No.1072332>>1072334
>>1071588
Wait... People were paying for a tor cloud to share bandwidth? Is that it? Am I interpreting this incorrectly?
▶ No.1072334
>>1072332
Also
>tfw I just got my tools to attempt to coreboot my cf-31
Pls tell me older versions are still around.
▶ No.1072338>>1072341
>>1071505 (OP)
>rabbit logo
ehhhhhh I'm outta this thread
▶ No.1072341>>1072348
>>1072338
*smooth Jazz plays*
But on a serious note, this isn't good news.
▶ No.1072348>>1072374 >>1072398 >>1072423 >>1072427 >>1072431 >>1072565
>>1072341
It's good news. If you don't have the skill to audit source code, then you're actually shit out of luck regardless of the NSA's involvement. It won't matter if the NSA publicly contributed or contributed stealthily because you don't have the ability to audit source code. If you have the ability, then you can prove what the code is doing. With the ability to audit the code, the source of who wrote the code is irrelevant because you can learn exactly what the code does.
▶ No.1072374>>1072375
▶ No.1072375
▶ No.1072398
>>1072348
I can't audit the code and I agree with you.
▶ No.1072420
▶ No.1072423>>1072998
>>1072348
Wouldn't it be a good idea to crowdsource money to then either hire a freelance to audit the code or to put bounties on bugs ?
▶ No.1072427>>1072998
>>1072348
>muh 6 million eyes are auditing the code
top fucking kek. the fact that you can see the code means nothing when the software/patch is large and complex.
▶ No.1072429
It's obvious that state actors will attempt to infiltrate/backdoor/control any software or technology in general they consider even remotely relevant.
▶ No.1072431>>1072998
>>1072348
>what is obfuscated code
>what is underhanded code
It's way easier for one person just passing by to hide a needle in a haystack than for a thousand people being around the haystack at all times to find it.
▶ No.1072565>>1072998
>>1072348
>let's pretend Clipper chip, _NSAKEY and Dual_EC_DRBG never happened
▶ No.1072998>>1073081 >>1073090
>>1072423
It's perfectly fine to rely on a guy you trust to do the work for you.
>>1072431
>>1072427
>>1072431
Audit the code carefully. You cannot tell me that Coreboot is a project that changes very quickly.
I am well aware of the IOCCC and the weird hacks they do to their code. If I were auditing code for the purpose of proving it's correct, I would probably take the effort to reimplement it in another language as proof that I properly understood what the original code was doing.
>>1072565
What is auditing code?
▶ No.1073081
>>1072998
>What is auditing code?
You absolutely should audit code, but is it worth the resources it takes to extremely thoroughly comb over code that any sane person has to assume is backdoored given the history between the NSA and civilian security? Even the ISO was smart enough to reject the weak Speck and Simon ciphers[1] and Speck was deleted from the Linux kernel[2]. Security-sensitive software should be programmed by named people where all ties are disclosed and should not include any lines contributed by Glow-in-the-Darks.
[1]: https://www.schneier.com/blog/archives/2017/09/iso_rejects_nsa.html
[2]: https://www.tomshardware.co.uk/nsa-speck-removed-linux-4-20,news-59110.html
▶ No.1073090
>>1072998
Forgot to post (((NSA))) being absolutely rekt by Tomer Ashur: https://www.spinics.net/lists/linux-crypto/msg33291.html
Some lulzy takes with comments by me:
<The NSA (in particular, the exact same person who previously promoted DUAL_EC in ISO) proposed to include Simon & Speck in ISO/IEC 29192-2 back in 2015. For obvious reasons they were met with skepticism. A main concern was the lack of any design rationale and internal cryptanalytic results. The NSA people fought tooth and nail for a year and a half simultaneously arguing two almost mutually-exclusive points: (i) they employ the most talented cryptographers and hence, we should trust them when they say that an algorithm is secure; and (ii) they are average cryptographers and hence they would not be able to insert a backdoor into the algorithm.
>NSA didn't justify why we should use Simon and Speck and they are simultaneously both l33t hackorz who make epic crypto and too retarded to backdoor
<More than once they argued in a meeting that the cryptanalysis for the ciphers has been stabilized (i.e., that attacks will not improve) just to be proved wrong in the next meeting (their answer: "well, _now_ it has fully stabilized", which was again proven wrong in the next meeting). One of them even had a bet with Tanja Lange that no attack on either Simon or Speck would be extended by 3 rounds or more in the upcoming year. He lost this bet. They were very uncooperative, and made it a point to let us know that they will not be providing more information about the algorithms.
>Glow-in-the-darks still believe in NOBUS
In fact, just read the post in its entirety. It's beautiful. After you've read it, you'll realise what desperate tryhard liars NSAniggers are. Including them in your development team wastes time, turns design into a soap opera and taints users' trust in your software.
(sage for double post)
▶ No.1073091
You should be less worried about the people you know are working for NSA and contribute to F/LOSS and more worried about the people you don't know are working for NSA and contribute to F/LOSS.
Especially the ones who don't get a nice salary from a big company for working on an open source project. An envelope full of cash can be a great motivator.
▶ No.1073516
The problem with Coreboot is that it does too little and wants to do it everywhere. It should not need all these "contributions" in the first place. This is another example of the "portability is more important than usability" UNIX philosophy. The point of low level firmware is to be hardware specific. The IBM PCs, Macs, and other 80s computers had totally different firmware because a large part of the OS was part of the firmware. It was just the ROM part of the OS. The Macintosh included GUI tools in the ROM. They were also pretty small because they were written by smart people for one model of computer.
Coreboot doesn't do this. It tries to run on all architectures (not even just x86, but ARM and others too) and it has all these "contributions" (including Google and Intel too) but it really doesn't do anything. It has all these massive build dependencies like GCC. It still needs a "payload" with even more bloated code which then loads a different bloated OS which needs more code for GUIs and even more for browsers. The right way to do this is to have a driver API just like normal operating systems. Drivers that don't depend on a specific OS are a good thing because they make things easier for users and because they can be replaced more easily. EFI was supposed to have done this, but C sucks, so these drivers still have to be reimplemented for each OS. The API should also include proper error handling so real programmers can use them too. A weenie OS can still turn them into panic or some other brain damage, but they shouldn't punish everyone just because they can't program.
Some of this is also the hardware manufacturer's fault. They don't design hardware to be easy to program anymore. GPUs need hundreds of megabytes of drivers. A lot of that is because they're written in C and C++, but it's also because the interfaces are badly designed.
No, the quote is exactly right. RISC is a lazy solution along the lines of "well, we don't know how to write compilers that use complex instructions efficiently, and we don't know how to design complex hardware that runs fast, so we'll make everything simple, and we can advertise we run at 80Mhz even though the system supports fewer users than a 1 MIP DEC-20."
It's exactly analogous to "you can use pipes and redirection shell scripts to do anything, so we don't have to write any REAL programs" and "portability is more important than usability" philosophies so rampant in the unix world.
(Was I properly vitriolic this time?)
▶ No.1073582
lol just read the source. dont care who made it as long as it works properly and is not botnet.
▶ No.1073591>>1073645
>>1071505 (OP)
Not at all surprising. Fucking glowniggerrs have had their radioactive dicks in all types of FOSS projects. SELinux, SystemD, Tor, FreeBSD, RedHat, Debian, likely many others.
▶ No.1073645>>1073649
>>1073591
Can't we just second-vet the code so that it can't happen?
▶ No.1073649>>1075489
>>1073645
We can do this. The question is who is willing to invest the resources to do the audit. If you're willing to invest, then that's just too bad.
▶ No.1075489
>>1073649
anyone who cares should be willing to do it. if they dont then they can stop complaining.