Another Reason to Boycott UEFI and Proprietary Software From Microsoft: Insecurity

Dr. Roy Schestowitz

2015-01-09 17:27:48 UTC
Modified: 2015-01-09 17:27:48 UTC

Summary: Some blobs like Microsoft's Windows patches and the binary-level UEFI 'validation' do not and cannot provide real security, only insecurity in disguise

THE 'PROMISE' of UEFI 'secure' boot is as ludicrous as Microsoft's claims that it pursues security. UEFI does nothing real for security; in fact, it once again does the very opposite. Quoting the news:

A pair of security researchers have found a buffer overflow vulnerability within the implementation of the unified extensible firmware interface (UEFI) within the EDK1 project used in firmware development.

Bromium researcher Rafal Wojtczuk and MITRE Corp's Corey Kallenberg said the bug in the FSVariable.c source file was linked to a variable used to reclaim empty space on SPI flash chips.

According to other news, as told (spun) by a Microsoft booster.,"Microsoft's advance security notification service no longer publicly available". The booster says that "Microsoft is taking its Advance Notification Service private, claiming the change is due to changes in the way users want their advance security notifications." Microsoft sure tells the NSA about ways to hijack/wiretap Microsoft software, so it's a matter of privilege, not some company-wide policy.

How does the above serve users? It doesn't. This is about Microsoft, not users. Users will be left even more vulnerable. As Pogson correctly points out, "There are no Patch Tuesdays with Debian GNU/Linux so the bad guys are no further ahead. We can all get Debian’s patches as soon as they generate them and we can usually install the updates on running systems with no adverse consequences, like a re-re-reboot."

Moreover, in large corporations in particular, patching code internally is possible or even relying on third parties. Don't ever trust security at binary level, such as large blobs being sent that are supposedly 'patched' or some opaque board giving 'approval' before the running of a binary blob, mostly likely based on some cryptic signature approved by unknown people for unknown reasons (usually employees of companies that work with the NSA). Real security emanates from transparency, which breeds trust and provides to ability for one to study and patch one's own programs (or rely on others to do so using their specialised skills). ⬆

"Anyone wonder why the Microsoft SQL server is called the sequel server? Is that because no matter what version it's at there's always going to be a sequel needed to fix the major bugs and security flaws in the last version?"

--Unknown

We Need to Liberate the Client Side and Userspace Too: Lots of work remains to be done
Recent IRC Logs (Since Site Upgrade): better late than never
Techrights Videos Will be Back Soon: We want do publish video without any of the underlying complexity and this means changing some code
Microsoft is Faking Its Financial Performance, Buying Companies Helps Perpetuate the Big Lies (or Pass the Debt Around): Our guess is that Microsoft will keep pretending to be huge, even as the market share of Windows (and other things) continues to decrease
Techrights Will Tell the Story (Until Next Year!) of How Since 2022 It Has Been Under a Coordinated Attack by a Horde of Vandals and Nutcases: People like these belong in handcuffs and behind bars (sometimes they are) and our readers still deserve to know the full story. It's a cautionary tale for other groups and sites
Why It Became Essential to Split GNU/Linux Stories from the Rest: These sites aren't babies anymore. In terms of age, they're already adults.
Losses and Gains in an Age of Oligarchy - A Techrights Perspective: If you don't even try to fix something, there's not even a chance it'll get fixed
Google (and the Likes Of It) Will Cause Catastrophic Information Loss Rather Than Organise the World's Information: Informational and cultural losses due to technological plunder
Links 28/09/2023: GNOME 45 Release Party, 'Smart' Homes Orphaned: Links for the day
Security Leftovers: Xen, breaches, and more
GNOME Console Won’t Support Color Palettes or Profiles; Will Support Esperanto: Reprinted with permission from Ryan Farmer
Let's Hope GNU Makes it to 100: Can GNU still be in active use in 2083? Maybe.
GNU is 40, Linux is Just 32: Today it's exactly 40 years since Richard Stallman sent a message regarding GNU
GNU/Linux and Free Software News Mostly in Tux Machines Now: We've split the coverage
Links 27/09/2023: GNOME Raves and Firefox 118: Links for the day
Links 27/09/2023: 3G Phase-Out, Monopolies, and Exit of Rupert Murdoch: Links for the day
IBM Took a Man’s Voice, Pitting Him Against His Own Work, While Companies Profit from Low-Effort Garbage Generated by Bots and “Self-Service”: Reprinted with permission from Ryan Farmer
Links 26/09/2023: KDE, Programming, and More: Links for the day
Mozilla Promotes the Closed Web and Proprietary Webapps That Are Security and Privacy Hazards: This is just another reminder that the people who run Mozilla don't know the history of Firefox, don't understand the Web, and are beholden to "GAFAM", not to Firefox users
Debian More Like an Exploitative Sweatshop Than a Family: Wiltshire is riding a high horse in the UK, talking down to Indians who are "low-level" volunteers in his kingdom of authoritarians, guarded by an army of British lawyers who bully bloggers
Small Computers in Large Numbers: A Pipeline of Open Hardware: They guard and prioritise their "premiums", causing severe price hikes due to supply/demand disparities.
Microsoft Deserves a Medal for Being Worst at Security (the Media Deserves a Medal for Cover-up): There are still corruptible/bribed publishers that quote Microsoft staff like they're security gurus
Real Life Should be Offline, Not Online, and It Requires Free Software: Resistance means having the guts to say "no!", even in the face of great societal burden and peer pressure
10 Reasons to Permanently Export or Liberate Your Site From WordPress, Drupal, and Other Bloatware: There are certainly more more advantages, but 10 should suffice for now
About 200,000 Objects in Techrights Web Site: This hopefully helps demonstrate just how colossal the migration actually is
Good Teachers Would Tell Kids to Quit Social Control Media Rather Than Participate in It (Teaching Means Education, Not Misinformation): Insist that classrooms offer education to children rather than offer children to corporations
Twitter: From Walled Gardens to Paywalls and/or Amplifiers of Fascism: There's moreover a push to promote politicians who are as scummy as Twitter's owner
The World Wide Web is Being Confiscated From Us (Like Syndication Was Withdrawn About a Decade Ago) and We Need to Fight Back: We're worse off when fewer people promote RSS feeds and instead outsource to social control media (censorship, surveillance, manipulation)
Next Up: Restoring IRC Log Pipelines, Bulletins/Full Text RSS, Wiki (Archived, Static), and Pipelines for Daily Links: There are still many tasks left ahead of us, but we've progressed a lot
An Era of Rotting Technology, Migration Crises, and Cliffhanging: We've covered examples from IBM, resembling the Microsoft world

Another Reason to Boycott UEFI and Proprietary Software From Microsoft: Insecurity

Recent Techrights' Posts