OpenBSD Journal

Theo's prediction coming true.

Contributed by frantisek holop on from the blobs-suck-and-are-evil dept.

Read this entertaining article about some of the evils of blobware: http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco_1.html



Comments
  1. By Anonymous Coward (24.34.57.27) on

    What will people say when comparable flaws are found in open source drivers? This news, and the similar flaw in the Intel Centrino driver, has nothing to do with blobs, it has to do with flaws that weren't previously popular means of entry.

    Comments
    1. By Matthias Kilian (84.134.43.249) on

      Of course it has to do with blobs. It's all about not being able to fix (or even check for) bugs. With blobs, only the vendor decides whether (and when) to fix the driver.

      Comments
      1. By Anonymous Coward (209.183.142.171) on

        > Of course it has to do with blobs. It's all about not being able to fix (or even check for) bugs. With blobs, only the vendor decides whether (and when) to fix the driver.

        It doesn't seem likely that either Apple or Microsoft would have fixed these vulnerabilities before they were discovered or faster than Atheros after they were discovered, had they had the source. Sure, there's the possibility, but I think that an exploit in a blob running in an open source operating system will be far more relevant. Are we now campaigning for Microsoft and Apple to stop using blobs?

        Comments
        1. By Unanimous Cower (205.240.34.148) on

          > Are we now campaigning for Microsoft and Apple to stop using blobs?

          I think the campaign is for everyone to stand up to being forced to use blobs.

    2. By Anonymous Coward (203.217.30.86) on

      > What will people say when comparable flaws are found in
      > open source drivers?

      They will say "Here, apply this patch. It fixes the problem and similar ones that an audit of the code uncovered".

    3. By Anonymous Coward (165.72.200.11) on

      > What will people say when comparable flaws are found
      > in open source drivers?

      for one thing, i won't have to wait for a patch indefinitely...

      this story is not really about blobs; when the whole system
      in question is binary only, i don't think "blob" applies, it's
      just a simple binary only driver. it's more about the quality
      of these closed source drivers and the speed of updates.

      toshiba still does not have an updated driver for my notebook
      regarding the intel pro/wireless 2200bg issues
      (http://support.intel.com/support/wireless/wlan/sb/CS-023068.htm) and
      notebook users are always "advised" to use the manufacturer's version
      of a particular driver. the intel "pro set wireless software"
      v10.5.0.0 (which hopefully will contain the drivers somewhere)
      is only 130M.... and when i install it this week, my notebook will
      probably become unsupported...

      and yes, this time it is "just" the driver, but next time maybe
      the firmware...

  2. By Anonymous Coward (81.233.44.72) on

    Well, if your entire OS is binary, worrying about the device drivers is just a small part.

    Comments
    1. By Anonymous Coward (87.78.91.56) on

      > Well, if your entire OS is binary, worrying about the device drivers is just a small part.

      let's not talk about binary governments...

  3. By Anonymous Coward (24.46.21.20) on

    ArsTechnica too:
    http://arstechnica.com/journals/apple.ars/2006/8/2/4856

  4. By gwk@ (24.57.96.182) on

    On SecurityFocus as well; they even make a positive mention of OpenBSD's stance on binary drivers.
    http://www.securityfocus.com/brief/271

  5. By dingo (69.246.68.23) on

    'Atheros' was on the tip of my mind halfway through the first paragraph.

    Even if Microsoft was given the source code to these drivers, would they have discovered the flaw? I greatly doubt this. Is there any documentation linked that windows vista "vendor software auditors" are provided the full source code of the drivers they approve?

    Trusting Microsoft to have audited vendor code for you is a joke. Theo doesn't stamp any kind of security "guarantee" or signature on his OpenBSD CDs. Errata proves this is foolish. And it is their _goal_ to write clean and correct code! Not sales!

    If the presenters discovered the flaw in open source software and notified the appropriate maintainers, OpenBSD would have committed a fix for it in-tree within hours. They don't turn blind ears to correcting code!

    It's too bad they can't do this live; I hope the video presentation is indisputable enough to scare binary driver users. FreeBSD and Linux users should re-think their position on what "free software" should really mean. Here's a hint: It's not about price!

    All those soekris public wifi deployments, running on the long range atheros chips with windows drivers running in linux. It tickles me.. these are deployed by the very same people who switched to linux because they thought windows sucked, and yet they support vendors who do not support their choice to run open source software!

    Everybody should be reminded of http://www.vendorwatch.org ! Show your support to companies that *SUPPORT YOU* and your choice to use open source drivers.

    Is root on your machine worth a few dollars?
    Is it worth your time compiling custom kernels and hacks?
    Dissecting driver CDs and surfing message boards for relevant (binary) files and versions?

    Choose *FREE* software. If your hardware doesn't 'just work', then refund it, and let them know why!!

    Comments
    1. By CODOR (67.158.67.249) on

      > All those soekris public wifi deployments, running on the long range atheros chips with windows drivers running in linux. It tickles me.. these are deployed by the very same people who switched to linux because they thought windows sucked, and yet they support vendors who do not support their choice to run open source software!

      "They that can give up liberty to obtain a little temporary safety deserve neither liberty nor safety"

      Apparently by using ndiswrapper under Linux you give up both your liberty and your safety...

    2. By Nick Holland (68.43.117.34) nick@holland-consulting.net on http://www.openbsd.org/faq/

      > ... Freebsd and linux users should re-think their position on what "free
      > software" should really mean. Here's a hint: Its not about price!

      Many people have long since demonstrated their real motivation behind "free software": it isn't about free as in "free speech", it's about free as in "free beer". As in, "Anything goes as long as I don't have to pay for it."

      All the talk about "Freedom" and "Liberty" and "community" is obviously just noise to mask their true motivation...getting something kinda working without spending money. They call it expedience. I call it "selling out".

      Comments
      1. By Anonymous Coward (70.74.247.192) on

        > All the talk about "Freedom" and "Liberty" and "community" is obviously just noise to mask their true motivation...getting something kinda working without spending money. They call it expedience. I call it "selling out".

        These insecurity incidents are perfect opportunities to educate the public about binary blobs and to demand open documentation for hardware. However, the article's author misses these key issues entirely. Instead of leading readers to the main problems (blobs and closed hardware), the author led readers to the OS vendor flame wars, as apparent in the comments. I didn't read all of the comments, but read enough to know these people don't have a clue or care about freedom.

        Comments
        1. By Matthias Kilian (84.134.41.13) on

          > These insecurity incidents are perfect opportunities to educate the public about binary blobs and to demand open documentation for hardware.

          It's difficult and often rather frustrating to do so. The other day I got a mail on our local LUG mailing list where some guy was really happy that he got his shiny graphics card running on Linux -- using a blob driver. This "but it works" attitude has been spread for years.

          But it's even worse: some weeks ago, on a weekend meeting with some good friends (all CS graduates, and now in the so-called IT business), when I explained why it's a silly idea to trust in the quality of blobs, the only answers I got were "but you have to accept that the users just want it to work some way" and "you won't get any user base if you don't accept the vendor's blobs".

          This is where Nick's statement about that strange idea of "community" comes into the game: people talk about that strange community, about market share, about convenience, but THE ONLY THING THEY WANT IS A CHEAP REPLACEMENT FOR WINDOWS. Fuck it! Sorry, but that's what it is.

          Get used to it -- people still happily accept buggy blobs, even if you prove that their systems may be compromised. The single worst statement about buggy software and worms I ever heard was from an "IT" guy, who should have at least some clue: this guy said that he doesn't care about worms, because he had enough bandwidth to cope with that.

          Unbelievable? Sure, but it's the sad truth. Ignorance and irresponsibility seem to be the default attitude for most users.

          > However, the article's author misses these key issues entirely. Instead of leading readers to the main problems (blobs and closed hardware), the author led readers to the OS vendor flame wars, as apparent in the comments.

          Well, at least the reason for the bad quality is mentioned:

          "... that wireless device drivers are largely developed and written by an odd mix of hardware and software developers in an environment where time-to-market often trumps any thorough code review for potential security flaws."

          > I didn't read all of the comments, but read enough to know these people don't have a clue or care about freedom.

          The comments just look like the usual OS war trolling. It's really funny to see how many people feel personally insulted whenever "their" OS is reported to have bugs (even if it just isn't about a specific OS).

  6. By Nicolai (12.216.45.89) on http://www.ameswire.com

    It's not unreasonable to say Theo's position on the issue is "true" regardless of whether people are currently finding bugs.

    It's a safe assumption to make that horribly complex code leads to problems, and it's still safe to assume further, that many such problems will be discovered. In fact, this is a universally accepted premise.

    Whether you call the particular code in question a "binary blob" or something else doesn't change that fact.

    Anyway, keep up the good work OpenBSD. Cheers to developers and other contributors for making such a great system.

    NO COMPROMISE!

  7. By JR (69.138.23.185) on

    do you think this demonstration proves it? video

    Comments
    1. By Anonymous Coward (70.48.232.163) on

      > do you think this demonstration proves it? video

      Wouldn't know, since it requires a flash plugin. The irony. ;)

      Comments
      1. By Ironator (24.84.108.103) on

        > > do you think this demonstration proves it? video
        >
        > Wouldn't know, since it requires a flash plugin. The irony. ;)

        You keep using that word. I do not think it means what you think it means.

        http://sc.tri-bit.com/Irony

        Comments
        1. By Anonymous Coward (70.48.232.163) on

          > You keep using that word. I do not think it means what you think it means.

          "When I use a word, it means just what I choose it to mean -- neither more nor less."

          I did give a moment's thought, and "ironic" seemed like the best fit. If you can think of a more clear and concise way to convey the feeling of finding someone's words humorously inappropriate and having the opposite of their intended effect, I'd be happy to learn it!

          So, what happened in the flash? Any transcript for the free software types? :)

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]