From Paul Asadoorian on the Paul’s Security Weekly podcast, episode 755. He works at Eclypsium, a company that specializes in firmware security research.
It’s still live as I type this, but the full, non-live version should be available later tonight (I’ll try to remember to come back and link it here).
I couldn’t find anything about framework laptops at the links above, nor a search.
He talks about MSI having to ship firmware updates more often, while Framework’s firmware is ~10 months old without new updates. I am interested in the blog post; hopefully there will be some arguments.
At 45:01 he does not know how to securely install a package on Ubuntu. I am not sure how seriously I take the statement regarding framework firmware security.
What would your answer be? I don’t know anything about this guy, but what he’s saying sounds consistent with everything I’ve learned about security and Linux.
He is absolutely right: if the compiler of the compiler of the compiler is compromised, I have a problem. If he installed and uses Ubuntu anyway, he needs to trust Ubuntu, and if he trusts Ubuntu, he needs to trust the compiler which compiled the compiler which compiled Ubuntu (aka its packages).
So if he trusts Ubuntu (and its packages compiled by their compiler), he can just install packages from the Ubuntu package repository (which he trusts anyway).
The real problem would not be installing packages, but installing an operating system (the same goes for Windows and Mac, because he cannot validate their infrastructure either).
If he trusts A’s packages, he can just install A’s packages. If he does not trust A, he should not install their OS (with A’s packages pre-included).
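What "installing from the repository you already trust" actually checks, as an added example that is not part of this thread: the distro signs its Release file, Release lists the SHA256 of each Packages index, and the index lists the SHA256 of each .deb. The repository data below is constructed so the hashes line up; the GPG check over Release is assumed done and left out.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release_text: str) -> dict:
    """Map index path -> (sha256, size) from the 'SHA256:' block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new field header ends the current block
            in_block = line.strip() == "SHA256:"
            continue
        if in_block:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages_text: str) -> list:
    """Split a Packages index into stanzas (dicts); one stanza per binary package."""
    stanzas, current = [], {}
    for line in packages_text.splitlines():
        if not line.strip():                  # blank line separates stanzas
            if current:
                stanzas.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas

def verify_chain(release_text, packages_path, packages_text, deb_filename, deb_bytes) -> bool:
    """Hash chain Release -> Packages -> .deb; the signature over Release is assumed verified."""
    listed = parse_release_sha256(release_text).get(packages_path)
    packages_bytes = packages_text.encode()
    if listed != (sha256_hex(packages_bytes), len(packages_bytes)):
        return False                          # index tampered or not listed in Release
    for stanza in parse_packages(packages_text):
        if stanza.get("Filename") == deb_filename:
            expected = (stanza.get("SHA256"), int(stanza.get("Size", -1)))
            return expected == (sha256_hex(deb_bytes), len(deb_bytes))
    return False                              # package not in the trusted index

def build_constructed_repo():
    """Constructed sample repository (not real Ubuntu data) whose hashes line up."""
    deb = b"placeholder bytes standing in for hello_2.10-3_amd64.deb"
    packages = ("Package: hello\nVersion: 2.10-3\nFilename: pool/main/h/hello/hello_2.10-3_amd64.deb\n"
                f"Size: {len(deb)}\nSHA256: {sha256_hex(deb)}\n")
    pb = packages.encode()
    release = ("Origin: constructed\nSuite: example\nSHA256:\n"
               f" {sha256_hex(pb)} {len(pb)} main/binary-amd64/Packages\n")
    return release, packages, deb
```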
So on the first point we all agree, and in practice we all trust these things because there really isn’t an alternative. These points about supply chain security also aren’t unique to Linux distros.
What is unique to the modern Linux ecosystem, I think, is his point about having half a dozen competing ways to install an application (and different versions of that application with a different runtime environment and permissions) in most distros, and it not being obvious which is the “best” way. I’m waiting for this to play out while still defaulting to official distro package repositories as much as I can.
I don’t think it is really unique to Linux. On Windows, people just searched for binaries on the internet and installed them from dubious sites for ages (and they still do, which is probably the worst solution). Sometimes smart people go to the website of the product owner. Now there is the Windows App Store, but there are also app stores like Ninite, game stores like Steam where people can also install some normal software.
I don’t have a lot of knowledge about Mac, but developers often install software via brew (Homebrew), then there is the Apple Store, and I think you can download appimages from the product owner as well.
On Android I can choose to install from the Play Store, F-Droid, Aptoide, Accrescent, …