Microsoft is no stranger to the use of "Fear, Uncertainty and Doubt" in the pursuit of monopolistic goals; the company perfected the tactic in the early 1990s as a way of scaring enterprise customers away from GNU/Linux; today, the company shows off its mastery of FUD in its filings to the Federal Trade Commission condemning proposals for Right-to-Repair rules. Read the rest

Thangrycat is a newly disclosed vulnerability in Cisco routers that allows attackers to subvert the router's trusted computing module, which allows malicious software to run undetectably and makes it virtually impossible to eliminate malware once it has been installed. Read the rest

Locking bootloaders with trusted computing is an important step towards protecting users from some of the most devastating malware attacks: by allowing the user to verify their computing environment, trusted computing can prevent compromises to operating systems and other low-level parts of their computer's operating environment. Read the rest

Israeli security research firm CTS-Labs has published a white paper detailing nine flaws in AMD processors that they claim leave users open to devastating attacks with no mitigation strategies; these attacks include a range of manufacturer-installed backdoors. Read the rest

Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late.

Iphone 6s that have been repaired by independent service centers are bricking themselves, seemingly permanently, with a cryptic message about "Error 53." Read the rest

My latest Locus column is "What’s Inside the Box," a discussion of whether owners, users or third parties should be able to know and/or control what their computers are doing:

The answer to this that most of the experts I speak to come up with is this:

The owner (or user) of a device should be able to know (or control) which software is running on her devices.

This is really four answers, and I’ll go over them in turn, using three different scenarios: a computer in an Internet cafe, a car, and a cochlear implant. That is, a computer you sit in front of, a computer you put your body into, and a computer you put in your body.

Cory Doctorow: What’s Inside the Box Read the rest

Writing in PC Pro, Stewart Mitchell describes a partnership between GPS vendor TomTom and Fair Pay insurance, an auto insurer, to offer discounts to people whose GPS devices report low incidences of sudden stops and unsafe turns. I rather like this idea, the idea that your device could offer testimony on your behalf, but a lot depends on how it is implemented.

On the one hand, TomTom could generate trustworthy readings by completely locking its device so that users can't inspect or modify their operations, which would open up the possibility that your device was recording and transmitting information about your location and movements without your knowledge or permission. On the other hand, TomTom could produce a stats-gathering app whose workings were publicly disclosed, but which used a TPM-style module to verify that it hadn't been modified for the purposes of gathering and signing information that you can pass on to the insurer.

This would give TomTom owners the choice of booting their device into a known, publicly verifiable state that respected their privacy, but also produced statistics that third parties could trust. It would also give TomTom owners the choice of booting into alternative environments that did different things.

"We've dispensed with generalisations and said to our customers, if you believe you're a good driver, we'll believe you and we'll even give you the benefit up front," said Nigel Lombard of Fair Pay Insurance.

“If you think of your insurance as your car's MPG - the better you drive, the longer your fuel will last.

Read the rest

It's been years since the idea of "trusted computing" was first mooted -- a hardware layer for PCs that can verify that your OS matches the version the vendor created. At the time, TC advocates proposed that this would be most useful for thwarting malicious software, like rootkits, that compromise user privacy and security.

But from the start, civil liberties people have worried that there was a danger that TC could be used to lock hardware to specific vendors' operating systems, and prevent you from, for example, tossing out Windows and installing GNU/Linux on your PC.

The latest iteration of Trusted Computing is called "UEFI," and boards are starting to ship with UEFI hardware that can prevent the machine from loading altered operating systems. This would be a great boon to users -- if the PC vendors supplied the keys necessary to unlock the UEFI module and load your own OS. That way, UEFI could verify the integrity of any OS you chose to run.

But PC vendors -- either out of laziness or some more sinister motive -- may choose not to release those keys, and as a result, PC hardware could enter the market that is technically capable of running GNU/Linux, but which will not allow you to run any OS other than Windows.

What's more, UEFI may fall into the category of "effective access control for a copyrighted work," which means that breaking it would be illegal under the DMCA -- in other words, it could be illegal to choose to run any OS other than the one that the hardware vendor supplied. Read the rest