dmitrygr 12 hours ago

problem is: how do you prove the firmware in the flash chip matches source? And I do not mean me, with a disassembler and a pi pico to read out the flash chip. I mean the 70-year-old corner shop owner that buys this router to provide free WiFi for customers?

WarOnPrivacy 12 hours ago | parent | next [-]

> how do you prove the firmware in the flash chip matches source?

Trusted, qualified independent experts: à la Underwriters Laboratories.

dmitrygr 12 hours ago | parent [-]

One word for you: dieselgate

https://en.wikipedia.org/wiki/Volkswagen_emissions_scandal

kelnos 5 hours ago | parent | next [-]

A process not working on occasion doesn't mean the entire verification method is garbage.

I get the desire to not have to trust a third party, but realistically, there isn't a way to function without doing so, outside of going out and living in the forest in a cabin you've built yourself, either doing without electricity, or with solar panels you've built yourself from raw materials.

Human processes aren't like computers. They're messy. They fail sometimes. They need checks and balances. Sometimes those checks and balances don't work. Sometimes the checks only work well after the fact, and the people who were harmed aren't all made whole.

That's life. We probably can't do much better.

actionfromafar 11 hours ago | parent | prev | next [-]

Someone did go to jail, so there's at least that.

dmitrygr 11 hours ago | parent [-]

Yes. But a lot of people still got cars that were not as represented. So if we follow the same pattern, somebody will go to jail, but most routers will not be running verified or safe code.

Snafuh 11 hours ago | parent | next [-]

Do you apply the same scrutiny to the food you eat?

Some trust has to be created through testing standards and the law, but generally we do believe what the label says in day to day life.

dmitrygr 9 hours ago | parent [-]

In so far as I cook myself? Yes

kelnos 5 hours ago | parent [-]

So you personally test your produce to ensure it's safe to eat, has no pesticides embedded in it that could harm you, etc.? You do that after every single trip to the grocery store or farmer's market? Every trip? You don't spot check, and assume/hope/trust that the ones you don't test are safe?

actionfromafar 11 hours ago | parent | prev [-]

The routers thing? That's probably just a scam to get donations to the Trump Family Bunker/Ballroom in DC or other pet project.

KennyBlanken 9 hours ago | parent | prev [-]

Friendly reminder that _all_ automakers - European, American, and Asian - had been doing this emissions cheating for decades.

Detection of the car being on a rolling road, special button combos that trigger the emissions testing map, etc

gbin 12 hours ago | parent | prev | next [-]

A trusted website that compiles it from source and a way for you to go to a webpage and flash from there automatically. The FPV community does that all the time with a set of websites for their ESC, flight controllers, radio, all open source. You can add signatures etc but just a trusted website goes a long way vs a random blob preinstalled

dmitrygr 12 hours ago | parent [-]

That proves that the one they checked had the correct firmware. It does not prove that the one from the next batch that you bought did. We are all technical people here, and we understand that there isn’t really an easy way to do this that a random non-technical person could actually understand and use.

PickledHotdog 11 hours ago | parent [-]

Isn't the person you're replying to suggesting people can update the firmware to the trusted version via a website? So it doesn't matter if you get one from 'the next batch' - provided you're on top of updating the firmware.

dmitrygr 11 hours ago | parent [-]

If only somebody could make a firmware that claims to have accepted the update, but then proceeds to not actually update itself. Read out the version string from the update and save it. Show that when asked what your version is.

slipwitch 10 hours ago | parent [-]

[dead]

zobzu 8 hours ago | parent | prev | next [-]

not to mention even on the bananapi you gotta trust mediatek.

megous 11 hours ago | parent | prev [-]

There's no solution to that other than having knowledge and researching the code/device yourself. You can pick apart modern Linux/busybox based IoTs fairly quickly, so effort needed is not really a huge issue.

Maybe a trusted community of people could do it for everyone, but there's currently all kinds of potential legal trouble brewing in that approach. Complete and public reverse engineering of every aspect of any device would have to be made completely legal, so that people could freely publish all artifacts extracted from a device and produced during reverse engineering and collaborate on them without any fear of repercussions. Also HW manufacturers would have to be prohibited from NDAing documentation for SoCs, etc.

A side benefit would be that this would also serve as documentation for freeing the device and developing alternative firmwares with modernized sw/reduced attack surface.

dmitrygr 11 hours ago | parent [-]

We are in violent agreement. And precisely because there is no simple solution to it, half-measures like what is proposed here do absolutely no good, and oftentimes do harm.