Conversation

dropping CCs at request Anyway, all said I agree with you. But the concerns you mention here are also true of Android devices. I would rather have physically replaceable radio modules and then work on reveng or memory isolating the drivers. twitter.com/DanielMicay/st

This Tweet is unavailable.

Replying to

Big difference between a device with components that are strongly hardened, highly audited and have good ongoing security support vs. the complete opposite. Also, portraying it backwards by misinterpreting how DMA / IOMMUs work is just wrong.

Lance R. Vick ( @lrvick@mastodon.social )

@lrvick

Sep 11, 2020

Replying to

@DanielMicay

You can't claim hardware is secure you can't see the firmware for. Tomorrow's update could be hostile. You present a fair argument though. We either design to distrust the radios, or we might as well blindly trust their updates. I am convinced here.

Replying to

Devices you're talking about have entirely closed source hardware and firmware. If you choose components that are known to be insecure and also don't apply fixes to known security vulnerabilities, backdoors are a non-issue, because you have the front door wide open to attackers.

Replying to

and

You're also once again misrepresenting closed source software as a black box. It isn't, and in fact, if you're looking for malicious, hidden backdoors, I do not really see how you're any better off trying to find them hidden in source code vs. from the final assembly code.

5:23 PM · Sep 11, 2020Twitter Web App

Replying to

and

There is a whole compilation pipeline leading to that assembly code and all of the fancy language / compiler features, etc. are tools for the attacker to hide / generate their backdoor. Also, really, when it's full of unintentional vulnerabilities, how is any of this relevant?

Replying to

and

Why are you okay with using the Linux kernel when it's full of remote and local code execution backdoors? You talk about theoretical backdoors when there are real, unintentional (supposedly) backdoors called vulnerabilities which you don't seem in a rush to get fixed...

Lance R. Vick ( @lrvick@mastodon.social )

@lrvick

Sep 11, 2020

Replying to

@DanielMicay

I want a future where I don't need to any closed code, and then rip out unauditable open code until the OS is something super lean and capable of being reviewed/trusted by the community. Maybe this takes a decade. Long term I feel we are screwed without this option existing.

Replying to

Auditing doesn't magically uncover all vulnerabilities, and you're talking about a vulnerability that was intentionally inserted and designed to be hidden, which means whoever did it had the opportunity to use all available tools to keep it concealed. They might actually be quite

Show replies