Hacker News new | ask | show | jobs
by pimterry 82 days ago
> no Gov agency would ever mandate secure firmware

Interestingly, Europe is about to try this: the Cyber Resilience Act is going to become obligatory for all sold digital products (hardware & software) by the end of 2027, with a bunch of strict minimum requirements: no hardcoded default passwords, must check for known vulnerabilities in components/dependencies, encryption for data at rest, automatic security updates by default (which must be separate from functionality updates), etc.

Remains to be seen whether this'll help, but good to see somebody have a go at fixing this.
1 comments
ozlikethewizard 82 days ago
Encrypting data at rest is security theatre right? Unless consumers control the keys (which they generally dont want to), the keys will have to be accessible by the system storing the data. So if the system is compromised so are the keys? Like I cannot see the security benefits from encrypting data at rest in a non E2E system.
link
rkangel 82 days ago
It's a whole lot easier to store the keys in a special hardened location than it is to store your whole storage.
link
ozlikethewizard 82 days ago
Right but access to those keys will be available in an unhardened location then? Otherwise you're serving encrypted data. So if the system accessing the data and using the keys is compromised, which we can assume is the case if the data is compromised, then access to the keys is as well?

Maybe I'm being an idiot but it seems like a lot of extra complexity to protect against really only physical attacks where someone directly steals the data storage.

link
winstonwinston 82 days ago
> to protect against really only physical attacks where someone directly steals the data storage.

Yes, physical access poses a significant risk to data security, it should not be ignored.

link
ozlikethewizard 81 days ago
Aren't we legislating the wrong problem here then though? I'd argue prioritising the physical security of your drives over encrypting them is a better aim for services. As if someone can physically steal your drives they've still DOSed your system even if they cannot accesd the content.
link