NSA contributing to Coreboot

phoronix.com/scan.php?page=news_item&px=Coreboot-STM-PE-NSA



Archive the link.

Fucking glowies.

Use Trannyboot


I love you Leah

What could possibly go wrong, goys?
---
shit OP

I like phoronix, he deserves a few clicks unless he's cucked and I missed something

no one "deserves" clicks

dumbass, you can't access it behind the cloudflare paywall via tor. always present an archive link first and foremost, then a broken link if you want sites to be able to grub clickshekels as well. otherwise you come across as a shill tbh.

I read phoronix via tor regularly. You're talking out your arse.

Wait.. People were paying for a tor cloud to share bandwidth? Is that it? Am I interpreting this incorrectly?

Also

Pls tell me older versions are still around.

ehhhhhh I'm outta this thread

*smooth Jazz plays*

But on a serious note, this isn't good news.


It's good news. If you don't have the skill to audit source code, then you're actually shit out of luck regardless of the NSA's involvement. It won't matter if the NSA publicly contributed or contributed stealthily because you don't have the ability to audit source code. If you have the ability, then you can prove what the code is doing. With the ability to audit the code, the source of who wrote the code is irrelevant because you can learn exactly what the code does.

No.

2deep4u

I can't audit the code and I agree with you.

web.archive.org/web/20190622004833/https://www.phoronix.com/scan.php?page=news_item&px=Coreboot-STM-PE-NSA

Also remember that you can download the page yourself via the CTRL+S shortcut, archive it under zip/tar then share it via torrent.
pcsteps.com/1107-create-torrent-files-upload-qbittorrent/

Wouldn't it be a good idea to crowdsource money to then either hire a freelance to audit the code or to put bounties on bugs ?

top fucking kek. the fact that you can see the code means nothing when the software/patch is large and complex.

It's obvious that state actors will attempt to infiltrate/backdoor/control any software or technology in general they consider even remotely relevant.

It's way easier for one person just passing by to hide a needle in a haystack than for a thousand people being around the haystack at all times to find it.


It's perfectly fine to rely on a guy you trust to do the work for you.


Audit the code carefully. You cannot tell me that Coreboot is a project that changes very quickly.

I am well aware of the IOCCC and the weird hacks they do to their code. If I was auditing code for the purpose of proving it's correct, I would probably take the effort to reimplement it in another language as proof that I properly understood what the original code was doing.


What is auditing code?

You absolutely should audit code, but is it worth the resources it takes to extremely thoroughly comb over code that any sane person has to assume is backdoored, given the history between the NSA and civilian security? Even the ISO was smart enough to reject the weak Speck and Simon ciphers[1], and Speck was deleted from the Linux kernel[2]. Security-sensitive software should be programmed by named people where all ties are disclosed and should not include any lines contributed by Glow-in-the-Darks.

[1]: schneier.com/blog/archives/2017/09/iso_rejects_nsa.html
[2]: tomshardware.co.uk/nsa-speck-removed-linux-4-20,news-59110.html


Forgot to post (((NSA))) being absolutely rekt by Tomer Ashur: spinics.net/lists/linux-crypto/msg33291.html
Some lulzy takes with comments by me:


You should be less worried about the people you know are working for NSA and contribute to F/LOSS and more worried about the people you don't know are working for NSA and contribute to F/LOSS.

Especially the ones who don't get a nice salary from a big company for working on an open source project. An envelope full of cash can be a great motivator.

The problem with Coreboot is that it does too little and wants to do it everywhere. It should not need all these "contributions" in the first place. This is another example of the "portability is more important than usability" UNIX philosophy. The point of low level firmware is to be hardware specific. The IBM PCs, Macs, and other 80s computers had totally different firmware because a large part of the OS was part of the firmware. It was just the ROM part of the OS. The Macintosh included GUI tools in the ROM. They were also pretty small because they were written by smart people for one model of computer.

Coreboot doesn't do this. It tries to run on all architectures (not even just x86, but ARM and others too) and it has all these "contributions" (including Google and Intel too) but it really doesn't do anything. It has all these massive build dependencies like GCC. It still needs a "payload" with even more bloated code which then loads a different bloated OS which needs more code for GUIs and even more for browsers. The right way to do this is to have a driver API just like normal operating systems. Drivers that don't depend on a specific OS are a good thing because they make things easier for users and because they can be replaced more easily. EFI was supposed to have done this, but C sucks, so these drivers still have to be reimplemented for each OS. The API should also include proper error handling so real programmers can use them too. A weenie OS can still turn them into panic or some other brain damage, but they shouldn't punish everyone just because they can't program.

Some of this is also the hardware manufacturer's fault. They don't design hardware to be easy to program anymore. GPUs need hundreds of megabytes of drivers. A lot of that is because they're written in C and C++, but it's also because the interfaces are badly designed.

No, the quote is exactly right. RISC is a lazy solution along the lines of "well, we don't know how to write compilers that use complex instructions efficiently, and we don't know how to design complex hardware that runs fast, so we'll make everything simple, and we can advertise we run at 80MHz even though the system supports fewer users than a 1 MIP DEC-20." It's exactly analogous to "you can use pipes and redirection shell scripts to do anything, so we don't have to write any REAL programs" and "portability is more important than usability" philosophies so rampant in the unix world. (Was I properly vitriolic this time?)

lol just read the source. dont care who made it as long as it works properly and is not botnet.

Not at all surprising. Fucking glowniggerrs have had their radioactive dicks in all types of FOSS projects. SELinux, SystemD, Tor, FreeBSD, RedHat, Debian, likely many others.

Can't we just second-vet the code so that it can't happen?

We can do this. The question is who is willing to invest the resources to do the audit. If you're willing to invest, then that's just too bad.

anyone who cares should be willing to do it. if they dont then they can stop complaining.