He's not reporting a bug, he's reporting a security vulnerability which may indeed be a subset of "bug" but it's a very special subset of bug, the sort where even senior management are obliged to get their finger out of their arse and "Do the Right Thing". Especially given eBay are an American company as I seem to remember yanks being big on this thing called "Fiduciary duty to shareholders" which will most certainly not be served, even in the short-term, let alone the medium or long-term by sticking two fingers up at this kid.
...they may have made some implementation faults that will allow an attacker to falsely keep their checks happy while still modifying boot files.
Well that to.
The key is probably only useful for signing firmware, probably only for this vendor and possibly only for this chipset, maybe even a single main board.
TFA implies it was for "Ivy bridge" so yeah probably tied to chipset, maybe multiple boards but the point is they've demonstrated something arguably close to gross incompetence, misplacing source code is careless, misplacing the signing key is a different league. This is a commercial product how hard would it be to have the key in two parts, held by two individuals on the dev/release team?
This system is built purely on trust and its gone, I mean, yeah "I'm sure they'll be more careful next time" but sarcasm aside there's no real way for them to demonstrate that.
The truly paranoid might even point out that if someone with the means found the FTP server first they could already have trojaned AMI's build servers (running AMI bioses no doubt) with a root kit tainted bios that produced new tainted bioses during compilation and lo' all AMI bios forever after are hence tainted in a never ending FUBAR circle of doom!!!
With three entire exclamation marks and all assuming it's genuine.
Assuming for a moment that the validity of this key is confirmed independently then any further question about the technical feasibility of using this to sub/pervert a Secure Boot arrangement is moot when you consider the deeper and more practical implication which is that you can't trust a major motherboard vendor to keep a signing key properly secured.
Secure Boot is dead, long live security.
Yeah, except until Red Hat spots Canonical making in-roads on their business model and then squishes them...
http://www.trendcaller.com/2009/02/canonical-half-as-revenue-efficient-as.html...bit out of date but it'd still be suicide for Canonical to compete against Red Hat too directly, too soon, hence the cloud/service strategy (http://www.thevarguy.com/2010/04/29/ubuntu-matt-asay-discusses-canonical-revenue-strategy/) they seem to be heading for I suppose? Unfortunately that's going to get holed below the water-line to an extent by Red Hat's OpenShift (http://en.wikipedia.org/wiki/OpenShift) and I just don't believe there's enough revenue in "Linux Desktop as a Service" to make it viable.
To be fair I'm probably a Red Hat fan-boi, I respect what Canonical are doing but... I just can't see how their going to make it work in the long run.:^/
"Actually, BT is probably in bed with the people who actually run the country"
TFTFY.
On an only sightly less cynical note, you have to wonder if "the current government" are (as a conceptual entity rather than the specific case we have at the moment) any better at administering such a large/long project than a benign coperate monopoly (if such a thing exists)?
"Uban sprawl" - Since about the 17th Century (http://en.wikipedia.org/wiki/Great_Fire_of_London#London_in_the_1660s) Painfully expensive - Check Traffic congestion - Check Smelly - Check Noisy - Check "soul-crushing" - Can be
Restaurants, shops, galleries, theatres, sports venues - some of the best in the world. Boring - Nope
The only benifit to the population at large in this entire exercise is that we now have the names and addresses of the people stupid enough to pony up ~$180,000 for an almost certiainly pointless TLD. 419-fodder if ever there was any.
You're really comapring an unknown and evidently not-so-hot Apple developer leaving debug in their code to Ken Thompson, arguably one of the greatest programmers ever, slipping a self replicating trojan into the binary image of a compiler? "Purhlease..."
You're comparing Apple(s) to oranges. Detecting highly cunning subterfuge is an enitrely different ball game to picking up that one of your peers sat over on the other desk has accidentally left a few lines of debug in.
Seonded, and it still is the case in 2011. I'd done the RHCT on RHEL 5 under my own steam and my company paid for me and a handful of others to do the RHCSA/RHCE on RHCE 6. I would have done the same course as you and sat both exams on the Friday, RHCSA in the morning and RHCE in the afternoon. I passed both and at least 4 of my collegues did as well (although one used to work for Redhat as a trainer so it was a bit of a given), however we have several perfectly/very good sysadmins who failed. It's not a gimme and requires actual hands-on expiriece, the course is crammed with around an average of 40-60 pages of material a day.
Although you did miss "regular supersonic passenager aircraft flights" off that list, it was so scienece fiction we stopped using it because it was making everyone else look bad. Oh and it blew up of course.
Slashdot Mirror
Yeah but at least we've got The Ministry of Sound and Ministry of Silly Walks.
...will be printing 3D sharks, gluing the firkkin' lasers onto their heads and fitting them with little robotic legs.
In Soviet Brummie-land the companies engineer you!
I live in the UK so I barely get to experience "Summer" on Earth, let alone space you insensitive clod!
He's not reporting a bug, he's reporting a security vulnerability which may indeed be a subset of "bug" but it's a very special subset of bug, the sort where even senior management are obliged to get their finger out of their arse and "Do the Right Thing". Especially given eBay are an American company as I seem to remember yanks being big on this thing called "Fiduciary duty to shareholders" which will most certainly not be served, even in the short-term, let alone the medium or long-term by sticking two fingers up at this kid.
what has been done when some rogue government agency demands all of there "analytics" under some secret warrant or fishing letter.
TFTFY
Just because I'm 40 years old and can't run an iron man anymore....
"anymore"? Dude this is Slashdot, 99% of us couldn't run down the road, pictures or GTFO. :^)
...they may have made some implementation faults that will allow an attacker to falsely keep their checks happy while still modifying boot files.
Well that to.
The key is probably only useful for signing firmware, probably only for this vendor and possibly only for this chipset, maybe even a single main board.
TFA implies it was for "Ivy bridge" so yeah probably tied to chipset, maybe multiple boards but the point is they've demonstrated something arguably close to gross incompetence, misplacing source code is careless, misplacing the signing key is a different league. This is a commercial product how hard would it be to have the key in two parts, held by two individuals on the dev/release team?
This system is built purely on trust and its gone, I mean, yeah "I'm sure they'll be more careful next time" but sarcasm aside there's no real way for them to demonstrate that.
The truly paranoid might even point out that if someone with the means found the FTP server first they could already have trojaned AMI's build servers (running AMI bioses no doubt) with a root kit tainted bios that produced new tainted bioses during compilation and lo' all AMI bios forever after are hence tainted in a never ending FUBAR circle of doom!!!
With three entire exclamation marks and all assuming it's genuine.
Assuming for a moment that the validity of this key is confirmed independently then any further question about the technical feasibility of using this to sub/pervert a Secure Boot arrangement is moot when you consider the deeper and more practical implication which is that you can't trust a major motherboard vendor to keep a signing key properly secured. Secure Boot is dead, long live security.
http://www.bbc.co.uk/news/technology-18927928 ...yawn...
You've made an unfounded assumption that Anonymous Coward is a person, you'll need a citation for that as we all know that on the Internet, nobody knows you're a dog.
search-solely-for-profit [rather than search-for-general-utility in the economic sense] eavesdroppers in the middle of Kings Cross
As opposed to the tax spending eavesdroppers over in the middle of Vauxhall? ;^)
Yeah, except until Red Hat spots Canonical making in-roads on their business model and then squishes them...
http://www.trendcaller.com/2009/02/canonical-half-as-revenue-efficient-as.html ...bit out of date but it'd still be suicide for Canonical to compete against Red Hat too directly, too soon, hence the cloud/service strategy (http://www.thevarguy.com/2010/04/29/ubuntu-matt-asay-discusses-canonical-revenue-strategy/) they seem to be heading for I suppose? Unfortunately that's going to get holed below the water-line to an extent by Red Hat's OpenShift (http://en.wikipedia.org/wiki/OpenShift) and I just don't believe there's enough revenue in "Linux Desktop as a Service" to make it viable.
To be fair I'm probably a Red Hat fan-boi, I respect what Canonical are doing but... I just can't see how their going to make it work in the long run. :^/
I would say at your parent's house but this being slashdot that's probably not offsite.
"Actually, BT is probably in bed with the people who actually run the country"
TFTFY.
On an only sightly less cynical note, you have to wonder if "the current government" are (as a conceptual entity rather than the specific case we have at the moment) any better at administering such a large/long project than a benign coperate monopoly (if such a thing exists)?
Exactly, that describes London to a tee.
"Uban sprawl" - Since about the 17th Century (http://en.wikipedia.org/wiki/Great_Fire_of_London#London_in_the_1660s)
Painfully expensive - Check
Traffic congestion - Check
Smelly - Check
Noisy - Check
"soul-crushing" - Can be
Restaurants, shops, galleries, theatres, sports venues - some of the best in the world.
Boring - Nope
I'm afraid the 1st of April has been and gone.
The only benifit to the population at large in this entire exercise is that we now have the names and addresses of the people stupid enough to pony up ~$180,000 for an almost certiainly pointless TLD. 419-fodder if ever there was any.
http://www.youtube.com/watch?v=fLegSgWi0cI
March of the Gladiators (Circus Clown Music)
You're really comapring an unknown and evidently not-so-hot Apple developer leaving debug in their code to Ken Thompson, arguably one of the greatest programmers ever, slipping a self replicating trojan into the binary image of a compiler? "Purhlease..."
You're comparing Apple(s) to oranges. Detecting highly cunning subterfuge is an enitrely different ball game to picking up that one of your peers sat over on the other desk has accidentally left a few lines of debug in.
Fair game ;^)
Considerable more immune, yes.
That's option B, option A is called "Open Source".
I hope.
Gun, bomb, assassinate, rifle, olympics, jihad if not ;^)
Seonded, and it still is the case in 2011. I'd done the RHCT on RHEL 5 under my own steam and my company paid for me and a handful of others to do the RHCSA/RHCE on RHCE 6. I would have done the same course as you and sat both exams on the Friday, RHCSA in the morning and RHCE in the afternoon. I passed both and at least 4 of my collegues did as well (although one used to work for Redhat as a trainer so it was a bit of a given), however we have several perfectly/very good sysadmins who failed.
It's not a gimme and requires actual hands-on expiriece, the course is crammed with around an average of 40-60 pages of material a day.
"They have also highways and bridges that don't crumble to dust"
No-one mention the Hammersmith flyover okay.
http://en.wikipedia.org/wiki/Hammersmith_Flyover
Although you did miss "regular supersonic passenager aircraft flights" off that list, it was so scienece fiction we stopped using it because it was making everyone else look bad. Oh and it blew up of course.
Will Smith had his day off interrupted?
God bless Will, God bless America!