GNU Project Updates on Proprietary Surveillance, Malware in Cars, DRM in Trains, UEFI Insecure Boot and More
THE sister site took note of a new heads-up from Dora Scilipoti, who is close to Richard Stallman and the FSF. The article "Malware in Proprietary Software" has been updated, and Scilipoti has detailed the latest changes, made in January 2024 and February 2024. We already said (several months ago) that Dr. Stallman had been busy updating the GNU Web site. Despite cancer, he's working hard and remains very active.
Updates continue to be made all the time. The project didn't make much noise or fuss about it, but Scilipoti has habitually posted notes on changes and new articles.
The updates below show that the project does in fact keep up with emerging trends, and thus with new risks to digital freedom. We're therefore reproducing Scilipoti's full update (see the licence notice added at the bottom).
Malware in Proprietary Software - Latest Additions
Item posted by Dora Scilipoti <dora> on Fri 08 Mar 2024 02:05:58 AM UTC.
The initial injustice of proprietary software often leads to further injustices: malicious functionalities.
The introduction of unjust techniques in nonfree software, such as back doors, DRM, tethering, and others, has become ever more frequent. Nowadays, it is standard practice.
We at the GNU Project show examples of malware that has been introduced in a wide variety of products and dis-services people use everyday, and of companies that make use of these techniques.
Here are our latest additions:
February 2024
- Surveillance cameras put in by government A to surveil for it may be surveilling for government B as well. That's because A put in a product made by B with nonfree software.
(Please note that this article misuses the word "hack" to mean "break security.")
January 2024
- Recent autos offer a feature by which the drivers can connect their snoop-phones to the car. That feature snoops on the calls and texts and gives the data to the car manufacturer, and to the state.
A good privacy law would prohibit cars recording this data about the users' activities. But not just this data—lots of other data too.
- Newag, a Polish railway manufacturer, puts DRM inside trains to prevent third-party repairs.
- The train's software contains code to detect if the GPS coordinates are near some third-party repairers, or the train has not been running for some time. If yes, the train will be "locked up" (i.e. bricked). It was also possible to unlock it by pressing a secret combination of buttons in the cockpit, but this ability was removed by a manufacturer's software update.
- The train will also lock up after a certain date, which is hardcoded in the software.
- The company pushes a software update that detects if the DRM code has been bypassed, i.e. the lock should have been engaged but the train is still operational. If yes, the controller cabin screen will display a scary message warning about "copyright violation."
Proprietary Insecurity in LogoFAIL
- x86 and ARM based computers shipped with UEFI are potentially vulnerable to a design omission called LogoFAIL. A cracker can replace the BIOS logo with a fake one that contains malicious code. Users can't fix this omission because it is in the nonfree UEFI firmware that users can't replace.
4K UHD Blu-ray Disks, Super Duper Malware
- The UHD (Ultra High Definition, also known as 4K) Blu-ray standard involves several types of restrictions, both at the hardware and the software levels, which make “legitimate” playback of UHD Blu-ray media impossible on a PC with free/libre software.
- DRM - UHD Blu-ray disks are encrypted with AACS, one of the worst kinds of DRM. Playing them on a PC requires software and hardware that meet stringent proprietary specifications, which developers can only obtain after signing an agreement that explicitly forbids them from disclosing any source code.
- Sabotage - UHD Blu-ray disks are loaded with malware of the worst kinds. Not only does playback of these disks on a PC require proprietary software and hardware that enforce AACS, a very nasty DRM, but developers of software players are forbidden from disclosing any source code. The user could also lose the ability to play AACS-restricted disks anytime by attempting to play a new Blu-ray disk.
- Tethering - UHD Blu-ray disks are encrypted with keys that must be retrieved from a remote server. This makes repeated updates and internet connections a requirement if the user purchases several UHD Blu-ray disks over time.
- Insecurity - Playing UHD Blu-ray disks on a PC requires Intel SGX (Software Guard Extensions), which not only has numerous security vulnerabilities, but also was deprecated and removed from mainstream Intel CPUs in 2022.
- Back Doors - Playing UHD Blu-ray disks on a PC requires the Intel Management Engine, which has back doors and cannot be disabled. Every Blu-ray drive also has a back door in its firmware, which allows the AACS-enforcing organization to "revoke" the ability to play any AACS-restricted disk.
- Microsoft has been annoying people who wanted to close the proprietary program OneDrive on their computers, forcing them to give the reason why they were closing it. This prompt was removed after public pressure.
This is a reminder that angry users still have the power to make developers of proprietary software remove small annoyances. Don't count on public outcry to make them remove more profitable malware, though. Run away from proprietary software!
See the licence information below and pass on. █
Copyright © 2024 Free Software Foundation, Inc.
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.
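As a worked illustration of the lock-up conditions the Newag entry above describes (a geofence around third-party workshops, an idle timer, a hardcoded expiry date, a secret cockpit unlock later removed, and the later update's check that the train still runs when the lock "should" have engaged), here is an added example written by the editor. It is not Newag's code and is not part of the FSF article. Every coordinate, radius, day limit, expiry date, button sequence and firmware version number in it is a placeholder assumed for the illustration.

```python
"""Model of the vendor lock-up logic described in the Newag entry.

Editor's added example: NOT Newag's code and not part of the FSF article.
All coordinates, thresholds, the expiry date, the button sequence and the
firmware version numbers below are assumed placeholders.  The purpose is
to show the shape of such conditions so that someone auditing decompiled
control software knows what to hunt for.
"""
import math
from dataclasses import dataclass
from datetime import date

EARTH_RADIUS_KM = 6371.0

# Assumed coordinates standing in for third-party repair workshops.
THIRD_PARTY_WORKSHOPS = {
    "workshop_a": (52.0000, 21.0000),
    "workshop_b": (50.0000, 19.0000),
}
GEOFENCE_RADIUS_KM = 2.0               # assumed
IDLE_LIMIT_DAYS = 10                   # assumed
HARDCODED_EXPIRY = date(2024, 12, 31)  # assumed stand-in for the hardcoded date
UNLOCK_SEQUENCE = ("btn_a", "btn_b", "btn_a")  # assumed stand-in for the secret combination
BACKDOOR_REMOVED_IN_VERSION = 2        # assumed: the update that removed the hidden unlock


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass
class TrainState:
    lat: float
    lon: float
    idle_days: int        # days since the train last ran
    today: date
    motors_enabled: bool  # True if the train is currently operable


def lock_reasons(state):
    """Return every lock condition from the entry that the current state trips."""
    reasons = []
    for name, (wlat, wlon) in THIRD_PARTY_WORKSHOPS.items():
        if haversine_km(state.lat, state.lon, wlat, wlon) <= GEOFENCE_RADIUS_KM:
            reasons.append("geofence:" + name)
    if state.idle_days >= IDLE_LIMIT_DAYS:
        reasons.append("idle")
    if state.today > HARDCODED_EXPIRY:
        reasons.append("expiry")
    return reasons


def should_lock(state):
    return bool(lock_reasons(state))


def cockpit_unlock(pressed, firmware_version):
    """The hidden button-sequence unlock; works only on firmware that still has it."""
    if firmware_version >= BACKDOOR_REMOVED_IN_VERSION:
        return False
    return tuple(pressed) == UNLOCK_SEQUENCE


def tamper_detected(state):
    """The later update's check: a lock condition holds, yet the train is operational."""
    return should_lock(state) and state.motors_enabled


def evaluate(lat, lon, idle_days, today_iso, motors_enabled):
    """Convenience wrapper: build a state from plain values and return
    (lock reasons, tamper flag)."""
    state = TrainState(lat, lon, idle_days, date.fromisoformat(today_iso), motors_enabled)
    return lock_reasons(state), tamper_detected(state)


if __name__ == "__main__":
    # Constructed sample: a running train parked 50 m from an assumed workshop.
    print(evaluate(52.0005, 21.0, 0, "2024-06-01", True))
```

An auditor reading decompiled control software would look for exactly these primitives: a small table of coordinates compared against the GPS feed with a short radius, a counter compared against a fixed day limit, a date constant compared against the clock, a button-sequence matcher that disappears between firmware versions, and a branch that compares the lock flag with the motor-enable state.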