Hacker News
by etiam 3393 days ago
Finally some tools for this. Very good. Would this be the first reasonably doable method for extracting all the blobs? Seems like it must be a well-needed foundation to build on for security companies.

But...

  We recommend generating an EFI whitelist after
  purchasing a system or when you are sure it has
  not been infected

Not that I have a better suggestion, but with interdicted shipments and other vulnerable points along the supply chain before a system is in the care of its owner, it doesn't exactly seem like a sure bet that it's clean on arrival. How would one otherwise be "sure it has not been infected"? Any feasible ways?

Next step would be to provide lists of known good signatures from some controlled environment, or at least a consensus system to know whether the version one finds matches the version others have?

2 comments

If you have access to more than one identical system they can be compared. Or there could be a public list of known good hashes as you suggest.

In any case having a tool to even perform the check is great.

This doesn't preclude the infect-at-the-factory issue: you'd end up verifying you HAVE the rootkit (and reverting to that if it changes).

I'm assuming not all of the machines from the factory will be infected. Because if that were so, then the chances of being found out are high and consequences would be dire for the manufacturer.

If my assumption is correct then buying a retail machine and comparing its firmware to the one you order with your credit card should be fine.

> How would one otherwise be "sure it has not been infected"? Any feasible ways?

If you are willing to assume they aren't infecting every computer, walk into a random brick and mortar store and buy it there.

If you're paranoid to the point where you don't trust the people at a random brick and mortar store, point at a display model (or if they have non-display models visible one of those) and insist on that one in particular, without it leaving your sight at any point in time.
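
The comparison across identical systems suggested in this thread, as an added example (not from any commenter or from the tool under discussion). It assumes each machine's extracted EFI blobs are available as name-to-bytes mappings; the machine names, blob names and contents are constructed.

```python
import hashlib
from collections import Counter

def manifest(blobs):
    """Map blob name -> SHA-256 hex digest for one machine's extracted blobs."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in blobs.items()}

def compare_fleet(manifests, quorum=0.5):
    """Report machines whose blobs deviate from the majority of the fleet.

    manifests: {machine_id: {blob_name: sha256_hex}}
    Returns {machine_id: [(blob_name, reason), ...]} for deviating machines only.
    """
    findings = {}
    names = set().union(*(m.keys() for m in manifests.values()))
    for name in sorted(names):
        # None stands for "this machine has no blob with that name".
        votes = Counter(m.get(name) for m in manifests.values())
        top, count = votes.most_common(1)[0]
        if count == len(manifests):
            continue  # unanimous: machines match each other, nothing more
        has_quorum = count / len(manifests) > quorum
        for machine, m in manifests.items():
            digest = m.get(name)
            if not has_quorum:
                reason = "no consensus"
            elif digest == top:
                continue
            elif digest is None:
                reason = "missing"
            elif top is None:
                reason = "extra"
            else:
                reason = "differs from majority"
            findings.setdefault(machine, []).append((name, reason))
    return findings

# Constructed sample: two store-bought machines and one shipped unit.
BASE = {"PlatformInit.efi": b"init-v1", "NetworkDxe.efi": b"net-v1"}
FLEET = {
    "retail-a": manifest(BASE),
    "retail-b": manifest(BASE),
    "mail-order": manifest({**BASE, "NetworkDxe.efi": b"net-v1-patched",
                            "Unknown.efi": b"?"}),
}

if __name__ == "__main__":
    for machine, issues in compare_fleet(FLEET).items():
        print(machine, issues)
```

An empty result only means the machines agree with each other, which is the infect-at-the-factory caveat raised above; with two machines that disagree, both are reported as "no consensus" because neither can be called the reference.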