This only applies to parties with significant resources. The same way that locki...

modshatereality · on June 2, 2021

Maybe not exactly futile, but too many security measures can become a serious problem in certain scenarios. Imagine you are being chased and need to get inside your front door as quickly as possible, the more locks you need to operate, the higher chances of not making it inside.

Now I'm going to propose a more likely future scenario. Imagine you are on another planet and there is a software flaw that needs to be patched. Do you want to have to beg some billionaire millions of miles away for the privilege of modifying the code, or do you want the ability to fix it as soon as possible? If its a time-sensitive issue consider the consequences of having to fumble around with deploying signed patches, or installing a new key and updating everything to work with the new key.

None of these trust devices are perfect, they might leak data that can be used to infer keys through side channel, or can be physically inspected, etc, I think we can all agree they are not perfect. So if the security model breaks down with physical access then the only adequate solution is physical security. Putting your faith into some crypto function that will be obsoleted by time is not a winning defense. It's also possible the keys may have been obtained by a malicious adversary, rendering this mathematical security layer ineffective at best. If I can install new keys, then an attacker can also install new keys. If the imperfect security measure causes more problems than it solves, then its worth rethinking.

What problem would it ACTUALLY solve in this scenario? Maybe it could be used to mitigate a breakaway civilization by only allowing patches through remote update channels, keeping new outposts fully dependent on Earth. Potentially at the cost of real lives if that update channel is broken somehow. Though someone always figures out a way to break the lock :)

Please I don't want to hear about some hypothetical dissident of a tyrannical regime, they should have destroyed the device before capture if they had any wits. The regime would probably be forcing its citizens to run fully validated stack anyway and would be all up in their business for (red flag) installing their own key instead of government approved key... Corporate security? Lol do you think your petty secrets are worth restricting humanity by normalizing imperfect security measures? Some of these corporations need to be kept in check somehow, they have too much power already.

The only future I'm on board with is one with a robust well tested software ecosystem controlled by its users/operators/owners, not a careless conglomeration that prioritizes the well being of it's shareholders, or crushing its competition.

qayxc · on June 3, 2021

Hypotheticals aside, there are very real and practical reasons for wanting to protect firmware and prevent tampering; and none of them are nefarious in nature.

One such reason is simply compliance: if a device is only capable of safe operation when running within a certain spec and dangerous otherwise, regulatory frameworks might require manufacturers to ensure said specs are honoured.

While a manufacturer can and must provide the "robust and well tested software ecosystem" you yourself desire, Mrs random tinkerer might not. A device running with modified firmware might therefore lose its operating license and - best case scenario - get damaged in the process, or on account of it being dangerous if operated outside of spec endanger the life, health and/or property of its owner/user/operator.

There's no need to dream up hypothetical scenarios on distant planets when all it takes is a typo to turn an MRI machine into a waffle iron for people or an Insuline dispenser into a super effective suicide device.

Not every device is intended- or safe to be tampered with by unqualified laypeople.

It's also pretty arrogant to assume just because you know how to program to also have sufficient knowledge to be able to understand and make meaningful changes to every conceivable device in existence that uses some kind of firmware.

There's a reason certain jobs require qualification and there's also good reasons certain devices are not to be messed with by unauthorised/unqualified people either.

modshatereality · on June 3, 2021

It's true you shouldn't tinker with many types of hardware without extensive knowledge and experience. You're going to want to staff your off-world outpost with competent engineers and scientists that can develop and test new task-specific software or patch existing software, not some random entry-level programmer or tinkerer. IMO it would be extremely arrogant for a manufacturer to claim their remote updates "must" be tested adequately in every conceivable environment, up to and past the operating requirement extremes because some imaginary regulation dictates it. From {m,b,tr}illions of miles away because AFAIK the best they can do is simulate what might happen, not actually test operation in a real environment as their life actually depends on it. If I cannot audit the encrypted bytestream it sure as hell is not going to be piped into any of my spacecraft, life support, communication systems, or anything TBH. With me, trust starts with being able to read the source code, and modify it when it needs to be fixed. Giving a specific crypto function too much trust could leave you vulnerable or even lock you out of fixing critical flaws that "the manufacturer" sees as perfectly fine and within spec.

Maybe I've just had too many horrific experiences with software updates and that is causing some bias. Or seen too many science fiction films.

userbinator · on June 3, 2021

What a pile of authoritarian paranoia-scaremongering BS. That's the same argument used by John Deere and such to destroy right-to-repair, yet the automotive aftermarket survived for literally a century without that shit.

"Those who give up freedom for security deserve neither."