| ▲ | AnthonyMouse 11 hours ago |
| > Manufacturers have never had to care about security because no Gov agency would ever mandate secure firmware. The problem is that "secure firmware" is a relativistic statement. You ship something with no known bugs and then someone finds one. What you need is not a government mandate for infallibility, it's updates. But then vendors want to stop issuing them after 3 years, meanwhile many consumers will keep using the device for 15. And "require longer support" doesn't fix it because many of the vendors will go out of business. What you need is the ability for consumers to replace the firmware. That solves the problem in three ways. First, when the company goes out of business you can still put a supported third party firmware on the device. Second, you can do that immediately, because the open source firmwares have a better security record than the OEMs to begin with. And third, then the device is running a widely used open source firmware instead of a custom device-specific proprietary black box, which makes it easier for the government or anyone else who is so inclined to find vulnerabilities and patch them. |
|
| ▲ | 0xbadcafebee 4 hours ago | parent | next [-] |
| > What you need is not a government mandate for infallibility, it's updates So, we don't need an electrical code to enforce correct wiring. We just need a kind soul driving by our house to notice the company who built our house wired it up wrong. Then that kind person can inform the company of the bad wiring. And if the company agrees it's their wiring at fault, we can wait 3 months for a fix. Then the next month another kind soul finds more bad wiring. And we just have to hope there is an army of kind strangers out there checking every building built by every company. And hope in the meantime that the building doesn't burn down. Meanwhile, people have to live with bad wiring for years, that could have been completely prevented to begin with, by an electrician following the electrical code we all already agree on. |
| |
| ▲ | inejge 3 hours ago | parent | next [-] | | > So, we don't need an electrical code to enforce correct wiring. For an analogy to work, its underlying elements should have a relation to the target. Your analogy is not in the same universe. For electrical work, there is a baseline of materials and practices which is known to produce acceptable results if adhered to. For software, there isn't. (Don't tell me about the Space Shuttle. Consumer software doesn't cost tens of millions and isn't written with dedicated teams over the decades.) | |
| ▲ | danaris 3 hours ago | parent | prev [-] | | I mean, if you could download an update that would fix the wiring in your house, it would be much less critical that the initial installer got it right. (Still much more important than your router, though; it doesn't stop being an electrocution hazard during the un-updated period.) Trying to make analogies from software to hardware will always fall down on that point. If you want to argue that there should be stricter security & correctness requirements for routers, maybe look more toward "here is how people actually treat them in practice" with regard to ignoring updates...? |
|
|
| ▲ | thayne 8 hours ago | parent | prev | next [-] |
| > What you need is the ability for consumers to replace the firmware. I don't think that's enough. Most people aren't going to replace the firmware on their device with an open source replacement made by someone else. Now if the firmware was required to be open source, and automatic updates could be seamlessly switched over to a non-profit or government agency in the event of the company going out of business, you might have something. But there would be a lot of details to work out. |
|
| ▲ | samus 5 hours ago | parent | prev | next [-] |
| > And "require longer support" doesn't fix it because many of the vendors will go out of business. Which is not a real issue in practice. It's like arguing that warranty doesn't matter because the vendor might go out of business. |
| |
| ▲ | consp 3 hours ago | parent [-] | | It might also be illegal. Don't know about the US but forcing a bankruptcy to avoid regulations is usually frowned upon by the court system here. So putting a product in a child-dummycorp to go poof when you want and let the parent stay afloat usually puts the parent in the line of fire directly and you are screwed either way. |
|
|
| ▲ | avadodin 2 hours ago | parent | prev | next [-] |
| The government obviously cares less about citizens running firmware China can hack than it does about citizens potentially running firmware the government can't hack. |
|
| ▲ | wmf 10 hours ago | parent | prev | next [-] |
| The concept of community firmware seems like a huge cop-out that allows companies to externalize costs. And it probably won't help security because 99% of devices will never get the third-party firmware installed anyway. |
| |
| ▲ | AnthonyMouse 10 hours ago | parent | next [-] | | If they were trying to save costs they would ship the community firmware on the device to begin with because then they wouldn't have to write and maintain their own. The community welcomes them to externalize those costs onto the people with better incentives to improve the software. What they're actually trying to do is obsolete the devices faster because then they won't add new protocols or other software-only features to older devices so you have to buy a new one, or only expose features in more expensive models that the less expensive hardware would also be capable of doing. Which is all the more reason for us to not have that. And if they were required to allow anyone to replace the firmware then you would get companies reflashing and selling them that way from the store because the free firmware has more advertisable features. There's a reason you can go to major PC OEMs and pick between Windows, Linux and "don't even install one" and the reason is that if you give customers a choice, they generally don't want their software to be made by the OEM. | |
| ▲ | sroussey 10 hours ago | parent | prev [-] | | It could be part of dissolution of the company to mandate community firmware. But it depends on their licenses… Anyhow, this is a common enough practice. Many companies that provide infrastructure type software and sell to Fortune 500 companies often have a clause whereby they deliver their software to their customers if the shut down. | | |
| ▲ | AnthonyMouse 10 hours ago | parent [-] | | We don't care about their licenses; that's their problem. If they need firmware with a license that allows them to redistribute it there are plenty of free ones to choose from. And you can't wait until after they're dead to have them do something. By then they're gone or judgment proof because they're already bankrupt. Especially when you're talking about companies that aren't in the jurisdiction because you can't even make them do anything when they're already not shipping products to you anymore. It has to be from Day 1. | | |
| ▲ | walterbell 9 hours ago | parent [-] | | > It has to be from Day 1. There was a promising design from Azure Sphere for 10 years of IoT device Linux security updates from Microsoft, even if the IoT vendor went out of business. This required a hardware design to isolate vendor userspace code from device security code, so they could be updated independently. Could be resurrected as open standard with FRAND licensing. | | |
| ▲ | AnthonyMouse 9 hours ago | parent [-] | | The main thing you need is for the lowest-level code to be open and replaceable/patchable because it's the only part which is actually specific to the device. Windows running on Core Boot is a better place to be than custom Linux running on opaque blob, because in the first case you can pretty easily get to newer Windows, vanilla Linux or anything else you want running on Core Boot after the original version of Windows goes out of support, and you can update Core Boot, whereas the latter often can't even get you to a newer version of Linux. | | |
| ▲ | walterbell 8 hours ago | parent [-] | | Modern coreboot depends on opaque blobs on CPU (FSP/ACM on Intel) and auxiliary processors (ME/PSP), but AMD is moving in the right direction with OpenSIL host firmware. Arm devices have their own share of firmware blobs. A decade of security updates for routers would require stable isolation between low-level device security and IoT vendor userspace. In Sphere, the business model for 10 years of paid updates was backed by hardware isolation. Anyone know why it didn't get market traction? There was a dev board, but no products shipped. |
|
|
|
|
|
|
| ▲ | post-it an hour ago | parent | prev | next [-] |
| Why not just put the onus on ISPs? 99% of users lease their router from their ISP. If updates stop after three years, looks like you're getting a complimentary service appointment to get a new router. |
|
| ▲ | kelnos 5 hours ago | parent | prev | next [-] |
| > But then vendors want to stop issuing them after 3 years Tough shit. You provide updates for the mandated amount of time, or you lose access to the market. No warnings, you're just done. > And "require longer support" doesn't fix it because many of the vendors will go out of business. Source code escrow plus a bond. The bond is set at a level where a third party can pay engineers to maintain the software and distribute updates for the remainder of the mandated support period. And as time passes with documented active support, the bond requirements for that device go down until the end of the support period. Requiring that the customer be allowed to replace the firmware is essential, I agree, but not for this reason. That requirement, by itself, just externalizes the support costs onto open source communities. Companies that sell this sort of hardware need to put up the resources, up front, irrevocably, to ensure the cost of software maintenance is covered for the entire period. Personally I don't buy consumer router hardware that I can't immediately flash OpenWRT on, but that option is not suitable for the general public. |
| |
| ▲ | steve_gh 3 hours ago | parent [-] | | How does this help? 99% of the population aren't technically minded enough. Most people just buy a wifi router, plug it in (maybe having read the instructions) and that's it. They have neither the skills nor the inclination to update firmware. The real problem is: assuming that firmware can be updated, how do you run a nationwide update programme overcoming a population that doesn't really care or have the skills to do it. Vehicle safety standards (mandated annual safety checks like the UK MoT test) is the closest analogy I can think of - in the UK you can't insure your car without a valid MoT. If you were serious, then maybe tying ISP access to updated router firmware would be the way to go. | | |
|
|
| ▲ | nobodyandproud 5 hours ago | parent | prev | next [-] |
| That’s a technical solution to a business and incentives problem. How does one ensure the support for the devices is funded? |
|
| ▲ | macintux 10 hours ago | parent | prev | next [-] |
| > What you need is the ability for consumers to replace the firmware. > That solves the problem in three ways. That alleviates the problem, but definitely doesn't solve it. Updates are still required, and most people will never update devices they don't directly interact with. |
| |
| ▲ | wmf 10 hours ago | parent [-] | | Auto-update obviously. | | |
| ▲ | macintux 10 hours ago | parent | next [-] | | Which introduces new security risks, but more importantly, the consumer has to configure the device to use open source firmware, and set up auto updates, unless the device is being auto updated by the device manufacturer and forces all of their customers to switch to the new firmware, which seems very unlikely. | |
| ▲ | kelnos 5 hours ago | parent | prev [-] | | How? The device phones home to the manufacturer's servers to get new updates. Manufacturer goes out of business, servers get shut down. How does it know where to get updates now? | | |
| ▲ | M95D 3 hours ago | parent [-] | | > Manufacturer goes out of business, servers get shut down. Continue your chain of reasoning: DNS name becomes unmaintained, gets grabbed by open source / foundation / gov agency, pushes open source firmware update. Same thing happens today with botnet C&C servers. |
|
|
|
|
| ▲ | gerdesj 10 hours ago | parent | prev | next [-] |
| "You ship something with no known bugs and then someone finds one." You managed to say that with a straight face! Let's keep this ... non partisan. You might recall that many vendors have decided to embed static creds in firmware and only bother patch them out when caught out. How on earth is embedded creds in any way: "no known bugs"? I think we are on the same side (absolutely) but please don't allow the buggers any credibility! |
| |
| ▲ | AnthonyMouse 10 hours ago | parent [-] | | > How on earth is embedded creds in any way: "no known bugs"? You misunderstand how organizational knowledge works. You see, it doesn't. Some embeds the credentials, someone else ships the product. The first person doesn't even necessarily still work there at that point. Remember that time NASA sent a Mars orbiter to Mars and then immediately crashed it because some of them were using pounds and the others newtons? Literally rocket scientists. The best we know how to do here is to keep the incentives aligned so the people who suffer the consequences of something can do something about it. And in this case the people who suffer the consequences are the consumers, not the company that may have already ceased to exist, so we need to give the consumers a good way to fix it. |
|
|
| ▲ | catlikesshrimp 10 hours ago | parent | prev | next [-] |
| Somebody has to pay for the support. There is no free meal. Enterprise must be able to pay for support for as long as they use devices. Solved. I can only think of requiring the devices to be serviceable, as you say. The absolute only way I can think of charging the consumers, ie the owners, is to charge a tax on internet connections. Then the government would pay somehow vulnerability hunters working along patchers, who can oversee each other. Consumers are tricky: if you include support in the sale price, the company will grab the money and run in 3 or 5 years; and some companies will sell cheaper because they know they won't provide support. |
| |
| ▲ | AnthonyMouse 10 hours ago | parent [-] | | > Somebody has to pay for the support. There is no free meal. The problem is not that people need a free meal. The problem is that people need the ability to eat some other food when the OEM's restaurant is closed or unsatisfactory. | | |
| ▲ | nobodyandproud 5 hours ago | parent | next [-] | | Who creates and regularly keeps the firmware for the dozens and dozens of router models secure and up-to-date? Who ensures the maintainers for these routers are incentivized to do this competently and in a timely fashion? You haven’t answered these key questions, which are equally or more important than whether a community firmware can be applied. | |
| ▲ | catlikesshrimp 7 hours ago | parent | prev [-] | | I mean, OEM would make the device upgradeable, government will pay independent bounty hunters and patchers and will push the updates. Then consumers pay for all that. |
|
|
|
| ▲ | RobotToaster 9 hours ago | parent | prev [-] |
| >The problem is that "secure firmware" is a relativistic statement. No it isn't, software formally verified to EAL7 is guaranteed to be secure. |
| |
| ▲ | AnthonyMouse 9 hours ago | parent | next [-] | | I would like to introduce you to Spectre and Rowhammer. | | |
| ▲ | RobotToaster 9 hours ago | parent [-] | | Secure software won't protect you from insecure hardware, which also needs to be formally verified for a secure system. | | |
| ▲ | AnthonyMouse 9 hours ago | parent [-] | | > Secure software won't protect you from insecure hardware Then what's KPTI etc.? > which also needs to be formally verified for a secure system. Now we just need a correct and complete theory of quantum mechanics and to do something about that Heisenberg thing. In general formal proofs tell you if something is true given a stipulated set of assumptions. They don't tell you if one of the stipulated assumptions is wrong or can be caused to be wrong on purpose by doing something nobody had previously known to be possible. |
|
| |
| ▲ | crote 4 hours ago | parent | prev | next [-] | | Sure, you formally verified that the software confirms to the specification, but how are you going to prove that the specification is correct? | |
| ▲ | kelnos 5 hours ago | parent | prev [-] | | You're being sarcastic, right? The entire concept of "guaranteed to be secure" is a fantasy. Even EAL7 can't guarantee anything. It can only say that the tools used for verification didn't find anything wrong. I'm not saying the tools are garbage, but the tools were made by humans, and humans are fallible. |
|
