[conspire] (forw) Re: [Felton LUG] Oh boy, this doesn't look good...

Michael Paoli Michael.Paoli at cal.berkeley.edu
Mon Aug 3 21:13:40 PDT 2020


Well, as is often the case with many things security,
much/most of the time, it's a double-edged sword.

And I (also) remember earlier, with, e.g. the security chip starting
in the early IBM ThinkPad systems.  Again, double-edged sword.
Likewise EFI & secure boot.

Double edged?  How so?  Very simple.  They can be used to
well secure/protect and lock things.  Question is always
who's controlling it and who's locking what from whom?
E.g.:
o providing vendor lock - buy the hardware, and bundled firmware,
   software, and all the bugs and flaws with it - and be very
   "locked in" - quite unable to change what's running on hardware
   one has bought and paid for
o securely control one's device - e.g. laptop.  Make it bloody
   impossible (at least short of majorly altering the laptop hardware,
   such as changing out mainboard or IC(s) soldered onto the mainboard)
   for someone else to boot something else on that computer undesired
   from the owner's wishes.  Also have the storage (drive) on the
   computer encrypted, and likewise locked, so nobody can leverage any
   of the hardware to decrypt the drive's storage ... at least short of
   significantly invading the hardware (e.g. tapping I/O lines on
   communications on/to/from mainboard).

Anyway, some 'o the above, especially also combined with hardware
tampering detection (e.g. many systems will even detect if and warn
if the hardware has been opened, and can then refuse to proceed
further, or only proceed further if a secured authorized
password/passphrase is used to allow things to proceed further).
Many "server" and even "tower"/desktop class computers have these
capabilities, ... some laptops/notebooks do or might also ... but
they're not super security hardened on that basic "open cover"
detection - but still, it can be a good (or bad) first step,
depending how used, by whom.  Some devices (e.g. chips) can
be much more security hardened.  E.g. security chips.  They're
designed so one can't access the stored data on the chip without
knowing/having/providing relevant authentication/key - all
attempts to bypass that (e.g. physically opening the chip) are
designed such that they'll cause any data stored on the chip
to be destroyed.

So ... want your laptop well secured, so if someone else puts their
hands on it, it's dang near impossible for them to get at your
data - or even alter it or the computer without you knowing?
And ... for whose/which definition of "your" - the
laptop/notebook/desktop/phone that you bought?
Or, "you" are the vendor, you consider it "yours" even though
you sold it to consumers, and you don't want 'em to muck with
it no way no how - you just want 'em to buy new replacement
ones only.

Anyway, many things security-wise are typically a double-edged
sword, or trade-off(s).  E.g. security vs. convenience.
How much security for how much inconvenience?
How much "security"(?) for how much privacy trade-off?
Security vs. speed/performance?
How much risk avoided, and at what cost?
Much etc.

> From: "Tony Godshall" <tony at of.net>
> Subject: Re: [conspire] (forw) Re: [Felton LUG] Oh boy, this doesn't look good...
> Date: Sat, 1 Aug 2020 15:09:55 -0700

> Protecting from people with physical access to the device is... something
> very few people care much about except vendors who want to keep you from
> accessing your own device. Hell, the whole existence of signed bootloaders
> just complicates our lives.



