NIST Publishes Draft Guidelines For Server BIOS Protection

timothy posted more than 2 years ago | from the why-stop-with-servers? dept.

Security 141

hypnosec writes "The U.S.'s National Institute of Standards and Technology has come up with a set of proposed guidelines for security of server BIOSes— the mechanism on which most modern day computers rely during boot up. Recently quite a few instances of malware have been known to persistently infect computer systems, and cannot be removed even on OS re-installs. NIST is proposing a set of measures through which the BIOS can be made more secure and resistant to such firmware manipulating attacks. Mebromi is one such Trojan. NIST published the draft guidelines [PDF] earlier this week and has proposed four different features through which the server BIOSes can be made more secure: authenticated update mechanism; secure local update mechanism (optional); firmware integrity protections; and non-bypassability features."

141 comments

Stupid and wrong (5, Insightful)

jmorris42 (1458) | more than 2 years ago | (#41118651)

Locking the BIOS with signed updates and crap is exactly the wrong way to go. It means there will still be bugs to exploit. But the forces seeking to lock down the PC will advance yet another step under cover of security theater.

The correct solution is to give the machine a one way gate so that after POST the BIOS can't be updated, period. Electrically impossible. That would require an updater in the BIOS and either storing the extended config now flashed into the same chip with the BIOS to either go elsewhere or the flash chip to be smart enough to have a protected area and an unprotected area and only the protected area be unrevokable without a full reboot. It also should go without saying that the BIOS can't look at the unprotected area before the big switch to prevent buffer overflow attacks from getting into the BIOS while the flash is writable and/or stopping the user from invoking a clear extended data function.

A minimal rescue program in mask ROM would be gravy of course. Let's see the leet warez doodz get past that one. Wouldn't put anything past the NSA though.

Re:Stupid and wrong (1)

postbigbang (761081) | more than 2 years ago | (#41118777)

For not much money, a pre-processor could check the status of the ROM-based bootstrap, then sniff the MBR and where it points to for integrity, then say, yo: CPU, go ahead. If the first X:Y bytes don't read correctly, throw a code and refuse to start. How much are small GPUs and slow ARMs? Gotta be faster than watching Dells and HPs boot these days (go get coffee, we'll be right back at ya)....

Re:Stupid and wrong (2, Interesting)

VortexCortex (1117377) | more than 2 years ago | (#41119191)

... And how is this different from secure boot?

Re:Stupid and wrong (4, Insightful)

SuricouRaven (1897204) | more than 2 years ago | (#41120947)

Secure boot works using a cryptographic signing system: The board will only boot code signed by one of the Powers That Be - an organisation big enough for motherboard vendors to bother including the public key for, like Microsoft. This places smaller, niche players at a serious disadvantage. Which is probably the idea. An alternative non-market-distorting approach would be fingerprinting: The BIOS/EFI hashes the MBR (plus however many additional sectors the MBR specifies in an agreed-upon location). If the result doesn't match a stored fingerprint, it can generate a warning and refuse to boot until the user either restores from a matching backup or else selects the 'I intentionally changed the OS' button - in which case the newly-computed hash replaces the stored one.

If Secure Boot were really about security, that is how it would work. But it isn't. It's about creating a barrier in the market which can only be overcome with a pile of cash or good business connections, something that poses only the slightest inconvenience to Microsoft but a major difficulty to linux.
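
An added illustration of the fingerprinting scheme described in the comment above (not part of the original thread, and not any vendor's firmware code). The offset used as the "agreed-upon location", the sector cap, the enrol-on-first-boot behaviour and all names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

SECTOR = 512
COUNT_OFFSET = 438  # hypothetical "agreed-upon location": 16-bit LE count of extra sectors
MAX_EXTRA = 62      # assumed cap on how many extra sectors an MBR may declare


def measured_region(disk):
    """Return the MBR plus the extra sectors the MBR itself declares."""
    if len(disk) < SECTOR or bytes(disk[510:512]) != b"\x55\xaa":
        raise ValueError("no valid MBR boot signature")
    (extra,) = struct.unpack_from("<H", disk, COUNT_OFFSET)
    if extra > MAX_EXTRA:
        raise ValueError("declared sector count exceeds cap")
    end = SECTOR * (1 + extra)
    if end > len(disk):
        raise ValueError("declared sectors run past end of disk")
    return bytes(disk[:end])


def fingerprint(disk):
    """SHA-256 over the measured region, as a hex string."""
    return hashlib.sha256(measured_region(disk)).hexdigest()


class Nvram:
    """Stand-in for firmware-owned storage that the OS cannot write."""

    def __init__(self):
        self.stored = None


def boot_decision(disk, nvram, user_confirms_change=False):
    """Decide what the firmware does with this disk.

    user_confirms_change models the 'I intentionally changed the OS' button;
    it only means something if it can be pressed solely from the pre-boot UI.
    """
    try:
        current = fingerprint(disk)
    except ValueError:
        return "refuse"            # malformed MBR: nothing sane to measure
    if nvram.stored is None:       # assumption: first boot enrols the fingerprint
        nvram.stored = current
        return "enrolled"
    if hmac.compare_digest(current, nvram.stored):
        return "boot"
    if user_confirms_change:       # the new hash replaces the stored one
        nvram.stored = current
        return "re-enrolled"
    return "refuse"


def make_disk(boot_code, extra, stage2, sectors=8):
    """Build a constructed sample disk image (not real boot code)."""
    disk = bytearray(SECTOR * sectors)
    disk[:len(boot_code)] = boot_code
    struct.pack_into("<H", disk, COUNT_OFFSET, extra)
    disk[510:512] = b"\x55\xaa"
    disk[SECTOR:SECTOR + len(stage2)] = stage2
    return bytes(disk)


if __name__ == "__main__":
    nvram = Nvram()
    disk = make_disk(b"\xfa\x33\xc0", 2, b"constructed stage 2")
    print(boot_decision(disk, nvram))        # first boot
    print(boot_decision(disk, nvram))        # unchanged disk
    changed = bytearray(disk)
    changed[SECTOR + 4] ^= 0xFF              # modify a measured sector
    print(boot_decision(bytes(changed), nvram))
    print(boot_decision(bytes(changed), nvram, user_confirms_change=True))
```

Because the sector count lives inside the hashed MBR, shrinking it to hide a modified sector changes the fingerprint as well; anything outside the declared region is not covered.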

Easier (4, Insightful)

Weaselmancer (533834) | more than 2 years ago | (#41120455)

You should only update your BIOS when you mean to. I'm of the opinion that it's something that you should mean to do, not something that should just happen automatically ever. So it doesn't need to be writable 99.999% of the time. So how about a switch that toggles the write enable pin to your bios flash on the front panel of your box?

Want to update your bios? Power down box. Insert CD or USB key. Flip write enable switch. Power up. Flash bios then power down. Flip switch to write disable. Boot.

And for an added measure, don't let the thing ever boot from an MBR if the switch is in "write" mode.

Easy peasy.

Re:Easier (1)

drsmithy (35869) | more than 2 years ago | (#41120739)

You should only update your BIOS when you mean to. I'm of the opinion that it's something that you should mean to do, not something that should just happen automatically ever. So it doesn't need to be writable 99.999% of the time. So how about a switch that toggles the write enable pin to your bios flash on the front panel of your box?

Sure would make updating the thousand-odd servers in our datacentres a bit of a pain. Especially the ones we don't have easy physical access to.

Re:Easier (0)

Anonymous Coward | more than 2 years ago | (#41120809)

Sorry but this "insert USB key" stuff is total nonsense. Vendors will just spend the extra $2 and include the flash memory on the motherboard to make it transparent. Useless complexity.

Adding some obscure switch to hardware computers is also completely delusional. Servers need to be managed lights-out. Consumers won't know what to make of it (see ThinkPad wireless switch). It uglies up your laptop. Social engineering malware will convince people to turn it off. And Apple and Lenovo etc wants to funnel firmware updates through their normal updater.

Signed updates make 100% total sense. The only reason you guys are coming up with these simplistic hacks is (possibly justified) industry political paranoia. Nobody cares. Come up with a superior technical solution then people will listen.

Re:Easier (2)

SuricouRaven (1897204) | more than 2 years ago | (#41120967)

It doesn't need to be a hardware switch. It can be a simple non-writeable flag, the hardware designed such that once set it can never be un-set short of a power cycle. All the BIOS/EFI need do is set the flag prior to booting the OS. If you want to update the firmware, you'd need to do it through the setup screen, which runs before the OS. You'd still need physical access (Or at least a network KVM device) which is the only real way to ensure security for something this low level, but that seems to be a small price to pay. This isn't something that needs to be done to servers routinely, it's a once-every-few-years thing at most, and it doesn't even need them taken out the rack or opened up.

Re:Stupid and wrong (2)

dgatwood (11270) | more than 2 years ago | (#41118825)

The correct solution is to give the machine a one way gate so that after POST the BIOS can't be updated, period.

That would likely prevent BIOS updates from being provided by your OS vendor, which might not be the best idea. The correct solution would be to require that every BIOS update provided after POST be signed, while still allowing unsigned updates to be installed by the user manually from within a menu in the BIOS UI prior to booting.

Re:Stupid and wrong (0)

Anonymous Coward | more than 2 years ago | (#41118909)

Actually, it's easy.

You pop up a gui that says "Insert a flash drive"
"Warning flash drive will be erased!"
format flash drive something bios can read, or start rom at first sector
"Your system will now reboot"
reboots
BIG RED WARNING FROM BIOS "A BIOS UPDATE DRIVE HAS BEEN DETECTED. PRESS Y IF YOU ARE TRYING TO UPDATE YOUR BIOS NOW. BOOT WILL CONTINUE AFTER 30 SECONDS"

Re:Stupid and wrong (5, Informative)

dgatwood (11270) | more than 2 years ago | (#41118985)

Actually, it's not easy. A trojan horse can draw the same UI, write the same file to the flash drive, and a naïve user would probably dutifully follow the instructions because the user would not know any better. Your "solution" is no better than the status quo.

Allowing a power-user (someone who knows how to hold down the magic keys and isn't afraid of the BIOS UI) to install an unsigned update explicitly and manually is one thing. Such a user can be assumed to know enough about what he or she is doing to understand the risks of downloading a BIOS update from an untrusted source. Allowing unsigned BIOS updates to be installed by average users as a part of their normal day-to-day update process, however, is another thing entirely, and is a very bad idea.

Re:Stupid and wrong (2)

chmod a+x mojo (965286) | more than 2 years ago | (#41119593)

I don't know about where you work / what shady operations you run with, but we don't let clueless idiot users either reboot or have physical access to our servers - you know, what the article is talking about- in any of the places I contract to. Either you are vetted to know WTF you are doing or you don't get to so much as SEE the machines.

Re:Stupid and wrong (1)

jamstar7 (694492) | more than 2 years ago | (#41119889)

OK, this is supposed to be for servers, only accessed by authorised IT guys. Simple enough.

Let the hardware vendor spend the half cent on a jumper right by the BIOS chip. Shut it down, pull it off the net, unplug the drive cables, etc. Plug in the damned jumper. Boot up, flash the ROM off a verified safe flash drive. Shut down. Pull the damned jumper. Hook the cables back up, hook back to the network, close the box, reboot. Nice & safe, rig the BIOS where if the jumper is CLOSED, update is possible because the jumper controls the write voltage to the BIOS.

Re:Stupid and wrong (0)

Anonymous Coward | more than 2 years ago | (#41120551)

Now do that for 9000 machines, all plugged together per rack and per building.

You also want to flash those drives and network gear occasionally. The NIST draft guide doesn't apply to these needs.

Re:Stupid and wrong (1)

Lehk228 (705449) | more than 2 years ago | (#41118975)

instead, allow adding signing keys in the bios menu, so if you want to load your own bios you generate a key, type it in at bios, then install bios.

Re:Stupid and wrong (1)

dgatwood (11270) | more than 2 years ago | (#41119025)

That's not significantly different than allowing an unsigned BIOS, security-wise, but requires a lot of extra effort if you're testing/developing custom BIOS firmware images. It's certainly a valid alternative; I'm just not sure it buys you anything.

Re:Stupid and wrong (1)

Lehk228 (705449) | more than 2 years ago | (#41119183)

it treats all loading as a single class, image signed from array keys[]

it would also allow you to import your key once and sign test bioses as you work without rebooting to load

Re:Stupid and wrong (1)

EdIII (1114411) | more than 2 years ago | (#41119013)

I think preventing casual bios updates from any source would be the preferred and correct solution for servers. We have a movement towards lights out datacenters, but even so, some things should just have to be done in person.

I'm not opposed to BIOS updates only being performed from an attached flash drive and completely impossible while the machine is running as jmorris42 proposes.

Also, remember how often people update BIOS in the first place. Hardly ever. How often is an operating system wiped to get rid of malware? A heck of a lot more often. I would accept the trade off having a semi-permanent BIOS and confidence that it is not compromised over some convenience any day. Especially on servers that can be running sensitive platforms.

Re:Stupid and wrong (3, Interesting)

dgatwood (11270) | more than 2 years ago | (#41119215)

I suppose updating your BIOS is not extremely common in the Windows world, though I've done more than one BIOS update over the years despite having used only a single-digit number of devices that actually have a BIOS, so it isn't that rare. And I would agree that updating the BIOS on server hardware is particularly exceptional.

The problem is that whatever standard somebody comes up with for servers is liable to trickle down into consumer goods. We'd be better off deciding on a single set of good, sane standards that everyone can live with, including consumer product makers. Coming from the Mac world, where nearly every piece of hardware has seen at least one EFI or SMC update [apple.com] , making it "almost impossible" seems like a very bad idea for general-purpose hardware.

Re:Stupid and wrong (1)

evilviper (135110) | more than 2 years ago | (#41121055)

And I would agree that updating the BIOS on server hardware is particularly exceptional.

WTF are you talking about? Every time a server is having hardware issues, one of the first steps the trained-monkeys at Dell tell you to do is update the firmware (if newer versions are available), including the BIOS.

Welcome to /., where a prereq for sweeping generalizations is that you don't actually have any experience in the field...

Re:Stupid and wrong (2)

jmorris42 (1458) | more than 2 years ago | (#41119245)

You could still allow lights out. Most servers support boot over net so the BIOS is required to have a partial IP stack. Just allow bringing in the new BIOS via tftp from the IPMI remoted BIOS console if nobody is available to insert a USB stick and you don't want to allow reading it out of a FAT partition on the primary drive. It could print an SHA-256 sum of what it downloaded to ensure you weren't hit by a man in the middle. Hell, it could even check a signature against a key in the current BIOS and warn if it was signed by someone else. Lots of possibilities. But if it is electrically possible to write the BIOS after the bootloader is executed security isn't really possible.

Re:Stupid and wrong (2)

Joce640k (829181) | more than 2 years ago | (#41120865)

We have a movement towards lights out datacenters, but even so, some things should just have to be done in person.

What you need is a physical switch on the front of the machine and a robot to go and flip it for you.

The robot can be padlocked when not in use.

Re:Stupid and wrong (0)

Anonymous Coward | more than 2 years ago | (#41120895)

I suppose you know nothing about servers?
BIOS in servers does a lot more than booting the OS, and there often are subtle bugs in the monitoring that need to be fixed by BIOS update.
Professional working environments often specify a minimal BIOS revision before the system can be installed.

Re:Stupid and wrong (1)

Dunbal (464142) | more than 2 years ago | (#41119415)

BIOS updates

Honestly, how often do you update your BIOS? Drivers, yes. But BIOS? Have you ever "needed" to do it, in the lifetime of your computer? Apart from to correct bugs that never should have shipped in the first place I mean.

Re:Stupid and wrong (2)

sumdumass (711423) | more than 2 years ago | (#41120419)

It depends on if you use the computer for simple file shares and word processing or if it is used for different things like application servers and so on. Drivers have bugs in them all the time. Some bugs simply cannot be worked around. Changes in the Kernel for windows XP service pack 2, ended up with quite a few bios updates and driver fixes (especially for printers) needing to be made. I've seen applications that caused memory issues that bios updates fixed too.

It's like the old saying for Microsoft Office where 80% of the people will only use 20% of the features or something like that. The vast majority of people will not notice problems in what the BIOS and/or driver update fixes. Manufacturers don't really create and release BIOS updates or driver fixes because they want to keep an idle team of programmers busy for a while. It's generally to fix something and that something has caused someone problems.

Servers are different (2)

Esteanil (710082) | more than 2 years ago | (#41118995)

To put it very simply, servers need to be able to resist things like Blue Pill [wikipedia.org] and other advanced persistent threats.
This is vital for secure data processing and storage, and therefore needed by many organisations, businesses and governments.

I can't wait until the first good, fairly inexpensive servers come with this option. That's the point at which I'm changing career paths over to Sales ;-)

Re:Stupid and wrong (4, Insightful)

msauve (701917) | more than 2 years ago | (#41119059)

That would require an updater in the BIOS and either storing the extended config now flashed into the same chip with the BIOS to either go elsewhere or the flash chip to be smart enough to have a protected area and an unprotected area and only the protected area be unrevokable without a full reboot.

Let me change that from something completely unparsable, to something simple.

All that's needed is a jumper on the motherboard which must be closed in order to modify the BIOS.

Re:Stupid and wrong (0)

Anonymous Coward | more than 2 years ago | (#41119251)

That was my thought. Apart from laptops and handhelds, which we're not discussing, you should always have the option of flipping a jumper. Considering how risky firmware updates can be, I can't imagine anybody doing those over the net without somebody available to fix the problem locally if need be.

For my home computer, I'd love to have a switch on the case required in order to change BIOS settings and a jumper on the board in order to flash a new one. A similar thing for servers seems reasonable. Adding something like a required key or something like that to install a new OS or write to the boot sector might not be a bad idea.

Re:Stupid and wrong (1)

jmorris42 (1458) | more than 2 years ago | (#41119277)

Without a special flash chip or adding another one your simple electrical fix isn't practical. The ESCD info typically gets reflashed on a pretty regular basis if anything in the machine changes. To save cost it is usually in the same physical flash with the BIOS. Also, your simple jumper would preclude lights out server management.

No, it has to be a gate that can only be cleared by a cold start once flipped on.
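
An added model of the one-way gate argued for in this thread (not part of the original comments and not real firmware): a latch that blocks writes to the firmware area until a cold start, while the ESCD area in the same chip stays writable. The class, function names and sizes are hypothetical.

```python
class FlashLocked(Exception):
    """Raised when a write hits the firmware area while the latch is set."""


class BiosFlash:
    """Flash part with a protected firmware area and an open ESCD area."""

    def __init__(self, size, protected_end):
        self.cells = bytearray(b"\xff" * size)
        self.protected_end = protected_end  # [0, protected_end) holds firmware
        self.locked = False                 # models a hardware latch

    def set_lock(self):
        # One-way: the interface deliberately has no way to clear the latch.
        self.locked = True

    def reset(self, cold):
        # Only loss of power (cold start) clears the latch; a warm reset does not.
        if cold:
            self.locked = False

    def write(self, offset, data):
        if offset < 0 or offset + len(data) > len(self.cells):
            raise ValueError("write outside flash")
        if self.locked and offset < self.protected_end:
            raise FlashLocked("firmware area is locked until cold start")
        self.cells[offset:offset + len(data)] = data


def firmware_boot(flash, approved_update=None):
    """Pre-OS firmware stage: optional update, then lock, then read ESCD.

    approved_update stands for an image the operator chose in the setup
    screen. ESCD is read only after the latch is set, so data the OS could
    have written is never parsed while the firmware area is writable.
    """
    status = "no-update"
    if approved_update is not None:
        if len(approved_update) > flash.protected_end:
            raise ValueError("image larger than firmware area")
        if flash.locked:
            status = "needs-cold-start"   # warm reset: latch still set
        else:
            flash.write(0, approved_update)
            status = "updated"
    flash.set_lock()
    escd = bytes(flash.cells[flash.protected_end:])
    return status, escd


def os_write(flash, offset, data):
    """A write attempted after hand-off to the OS; True if it landed."""
    try:
        flash.write(offset, data)
        return True
    except FlashLocked:
        return False


if __name__ == "__main__":
    flash = BiosFlash(size=64, protected_end=48)
    print(firmware_boot(flash, approved_update=b"BIOS-v1")[0])
    print(os_write(flash, 0, b"XXXX"))     # firmware area: rejected
    print(os_write(flash, 48, b"escd"))    # ESCD area: accepted
    flash.reset(cold=False)
    print(firmware_boot(flash, approved_update=b"BIOS-v2")[0])
    flash.reset(cold=True)
    print(firmware_boot(flash, approved_update=b"BIOS-v2")[0])
```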

Re:Stupid and wrong (1)

msauve (701917) | more than 2 years ago | (#41119435)

If you change your hardware, you close a jumper (or a switch during boot). If you can't handle that, you deserve what you get.

BTW, if the lights are out, you're not gonna be managing anything.

Re:Stupid and wrong (0)

Anonymous Coward | more than 2 years ago | (#41120395)

I also was thinking of a jumper, although a switch on the front panel of the computer will be better, since you don't always want to remove the server from the rack to update the BIOS.

Since ILO (remote lights out management of servers) has access to everything as well, I would say that ILO should also be able to access this switch. Although at some point it will probably happen that ILO will be broken into by malware, but it seems simple enough that it could be secured.

Re:Stupid and wrong (0)

Anonymous Coward | more than 2 years ago | (#41120405)

Actually, don't have a switch, just only allow bios to be updated through ILO. At least you have to be logged into ILO to update it. And ILO is a separate computer in the server which is unaffected with what is happening on the main computer in the server.

Re:Stupid and wrong (3, Insightful)

fustakrakich (1673220) | more than 2 years ago | (#41119219)

Yeah, my first thought was, if you want protected BIOS, I suggest it be read only, put it in a socket, and if it needs an update, you have one shipped, or go to your local store and get one. Damned if the socket won't be bigger than the whole machine pretty soon...

Re:Stupid and wrong (1)

Dunbal (464142) | more than 2 years ago | (#41119395)

If I remember correctly that's how it used to be. BIOS could only be changed by changing out the chip and re-flashing the EPROM (when we had EPROMs). But you're right, there are many powerful companies who are desperate to see the "top down" model enforced on computers, from entertainment companies to software companies.

Re:Stupid and wrong (1)

SuricouRaven (1897204) | more than 2 years ago | (#41120991)

It's just a more profitable model. Apple taught the industry that. Margins on hardware are painfully thin, but if you strictly control the hardware you can use it to promote all manner of far-more-profitable things. Like app stores.

Re:Stupid and wrong (1)

symbolset (646467) | more than 2 years ago | (#41119555)

Signed bootloaders with hardware keys are exactly the right way to go, except that the implementation forces Microsoft software in this evolution. As in other realms Microsoft is trying to preempt our progress with the mandate that we also buy their products. But their products are not prerequisite to progress. They are anathema to it.

Re:Stupid and wrong (3, Interesting)

crispytwo (1144275) | more than 2 years ago | (#41120009)

Along the same logic, I would argue, why do we need to have the BIOS have built in writable flash memory these days? So many simple options to solve this come to mind, but if I really wanted to update the BIOS - which is incredibly rare - couldn't we be a little more hands on and use a USB key for example?
Here's a possible solution:
- I could pull out a small USB drive/key from the special slot on the mobo
- stick it into my USB slot on a running computer
- write a new bios to it with my fancy updater tool - simple so far
- stick it back into the mobo (it could even lock in with a clip for those who vibrate a lot)
- (re)boot
- new bios is read from the -special- USB.

bonuses:
- if something goes wrong - place in a new different USB drive/key
- test with a different USB drive/key to see if the update is better, then update the special one
- I can think of others too!

what I mean by "special USB", is that it is only accessed and read by a booting bios, so doesn't have pass through or presence to the OS. It may be especially small.

I seem to remember somewhere that we don't really need much of a BIOS since the kernels do all the probing for themselves a second time anyway, so in many respects we have 2 boots, once (slowly) in BIOS, which is promptly thrown away, and another in whatever OS you might load.

Re:Stupid and wrong (-1, Redundant)

evilviper (135110) | more than 2 years ago | (#41121095)

if I really wanted to update the BIOS - which is incredibly rare - couldn't we be a little more hands on and use a USB key for example?

That'll work well when you need to update the BIOS on hundreds of servers...

Re:Stupid and wrong (-1, Redundant)

evilviper (135110) | more than 2 years ago | (#41121085)

The correct solution is to give the machine a one way gate so that after POST the BIOS can't be updated, period.

That'll work well when you need to update the BIOS on hundreds of servers...

Step one? (4, Interesting)

girlintraining (1395911) | more than 2 years ago | (#41118735)

Step one: Kill UEFI with fire.
Step two (optional): Everything else.

I'm perfectly serious -- If you have UEFI, it doesn't matter how secure everything else is, you're screwed, and you're screwed because Microsoft asked the companies making the motherboards to screw you for the sake of adding yet another failed DRM attempt to their next operating system: Windows 8, "Explode On Launchpad Edition".

Re:Step one? (3, Interesting)

Microlith (54737) | more than 2 years ago | (#41118991)

UEFI is not the problem.

The problem is that the security architecture that was added to UEFI was designed by Microsoft and (obviously) favors them completely. Unfortunately, they're the only OS level software developer in the UEFI Promoters group so they pretty much get whatever they want and, I suspect, can overrule complaints from "Contributors."

A real fair solution would have had such keys administered by the UEFI Foundation and included the ability to auto-add keys from read-only media.

Re:Step one? (1)

Altanar (56809) | more than 2 years ago | (#41119715)

UEFI security architecture was designed by Intel, not Microsoft. Please, enough with the conspiracy theories.

Re:Step one? (1)

Microlith (54737) | more than 2 years ago | (#41119773)

Source of some sort?

Re:Step one? (1)

girlintraining (1395911) | more than 2 years ago | (#41119835)

Source of some sort?

Source [wikipedia.org] . "The original EFI specification was developed by Intel and was used as the starting point from which the UEFI version(s) were developed."

However, as you'll note; the only OS vendor participating in the UEFI trade group is Microsoft... so that should be a big hint about what UEFI is all about.

Re:Step one? (1)

Microlith (54737) | more than 2 years ago | (#41119977)

I know that it was built originally by Intel. They did it more than 10 years ago when Itanium came out. But the security infrastructure didn't exist until UEFI 2.31. That is what I suspect was designed by Microsoft. Your link doesn't say anything to that respect.

that should be a big hint about what UEFI is all about.

No, I can see the value in replacing the BIOS with something newer. EFI existed at all because Intel was silly NIH.

Re:Step one? (3, Informative)

Aryeh Goretsky (129230) | more than 2 years ago | (#41120243)

Hello,

A list of OS software developers who are members of UEFI:

  • Apple
  • Canonical
  • Cisco
  • Cray
  • Fujitsu
  • Hewlett-Packard
  • IBM
  • Microsoft
  • NEC
  • Novell
  • Oracle
  • Red Flag
  • Red Hat

And there are also other companies who work in the same neighborhood (CPU manufacturers, firmware developers, etc.). Source: UEFI Membership List [uefi.org] .

While I understand (and, to some extent, sympathize with) the desire to hold Microsoft solely responsible for every activity in the computing industry, this is clearly a joint effort across the industry to replace a two decade-old invention whose time has come. And as far as I know, the largest installed base of UEFI firmware—albeit an older version of the standard—is Apple [wikipedia.org] , a company not precisely known for having a cordial relationship with Microsoft.

Regards,

Aryeh Goretsky

Re:Step one? (1)

SuricouRaven (1897204) | more than 2 years ago | (#41121005)

No, it's a standards group. That means every company has two goals in mind:
1. Make it a good, workable, effective standard which solves all deficiencies of the previous standard in the most practical and optimal manner.
2. Maximise their own business benefit from the new standard.

Goal two usually means things like ensuring the standard can only be implemented using patents they hold. In this case, Microsoft's goal two plans included finding some way to obstruct linux, which is a looming threat to them on the desktop: Something simmering for years as a minor annoyance, but threatening to grow explosively any moment.

Sounds good to me! (1)

GNULinuxGuy (2483278) | more than 2 years ago | (#41118739)

So glad this is finally being taken seriously! I've often wondered why we don't see more persistent infections given how firmware is handled these days.

Re:Sounds good to me! (1)

bmo (77928) | more than 2 years ago | (#41119533)

> I've often wondered why we don't see more persistent infections given how firmware is handled these days.

Because writing malware for bioses and firmware means you have to be able to insert your bits of evil into firmware for a multitude of versions of Phoenix BIOS, AMI BIOS, EFI, etc. And that's hard work.

Just look at the OpenBIOS project. Just trying to get that to work on a bunch of motherboards and to stay up to date is Sisyphean.

It's more productive to write malware for the OS. It's much less heterogeneous. It was blairq, I believe, on here that likened Windows to a field of cloned sweet corn's susceptibility to disease.

--
BMO

Re:Sounds good to me! (2)

Grave (8234) | more than 2 years ago | (#41120029)

Except that when it comes to servers, the differences are far fewer. Target just a few different variations of a Dell or HP motherboard, all with very similar architecture, and the potential for havoc is great.

Why NIST? (1, Offtopic)

Gothmolly (148874) | more than 2 years ago | (#41118807)

Why is the government proposing any standards for computer BIOSes? Can you say backdoor? Can you say "abuse of the Commerce Clause" ?

Re:Why NIST? (2, Insightful)

Anonymous Coward | more than 2 years ago | (#41118881)

I would say that an organization called the National Institute of Standards and Technology is exactly the type of organization that would set standards for computer BIOSes. Doesn't mean you have to follow them, if you're worried about it.

All NIST publications are open and available, so it's not like they're going to sneak something in that no one knows about.

Re:Why NIST? (0)

Anonymous Coward | more than 2 years ago | (#41119203)

I would say that an organization called the National Institute of Standards and Technology is exactly the type of organization that would set standards for computer BIOSes. Doesn't mean you have to follow them, if you're worried about it...

Well, I suppose if I walked around with the level of ignorance that you do, I wouldn't worry about it. I mean c'mon, we're only talking about a Government organization with the power and influence to turn "standards" into "mandates"...What could possibly go wrong?

Not sure if trolling (1)

Anonymous Coward | more than 2 years ago | (#41119331)

Congress has the power to ' fix the standard of weights and measures' by the constitution. NIST is the body that does that. They also happen to pay for a lot of measurements of material properties (density, hardness, etc) and publish them online for free. NIST does sometimes publish standards, but those standards don't carry the force of law, nor can NIST pass laws about the standards. If you want to be paranoid about government overreach, just watch congress, they're the ones that make laws.

Re:Why NIST? (1)

QuantumRiff (120817) | more than 2 years ago | (#41118915)

AHEM.. You do understand that a single source to define standards of weights and measures is kind of one of the single most KEY parts of Commerce, right? That they were established to make sure that things like "a pound" are defined, and tested and validated.

Perhaps you should read up on some of the other standards NIST has, like time. They are THE stratum 1 server for most people that use NTP. (time.gov).

Re:Why NIST? (0)

Esteanil (710082) | more than 2 years ago | (#41119043)

You know, the quote button is an excellent choice for good answers to stupid questions - then you can be modded up and he modded to oblivion, while retaining everything that was written... ;-)

Re:Why NIST? (0)

joocemann (1273720) | more than 2 years ago | (#41119881)

You know, the quote button is an excellent choice for good answers to stupid questions - then you can be modded up and he modded to oblivion, while retaining everything that was written... ;-)

I don't usually quote people, but I can tell you practice what you preach ;)

.

Ferrous

Re:Why NIST? (1)

drsmithy (35869) | more than 2 years ago | (#41120779)

You do understand that a single source to define standards of weights and measures is kind of one of the single most KEY parts of Commerce, right? That they were established to make sure that things like "a pound" are defined, and tested and validated.

Rubbish. It's just another tool of a socialist government trying to control the people.

In a true free market, sellers would be able to call anything they wanted to a "pound", and if a buyer wasn't aware of how much each and every seller's "pound" actually was, it would be their own fault.

Re:Why NIST? (0)

the eric conspiracy (20178) | more than 2 years ago | (#41118917)

Uh if you don't like it do your own.

Crikey.

Read nothing but the summary. (-1)

Anonymous Coward | more than 2 years ago | (#41118829)

Read nothing but the summary. Does it favor windows 8 bios fuckulinux?

Easy solve (0, Informative)

Anonymous Coward | more than 2 years ago | (#41118887)

Physical jumper to stop writing to the BIOS flash if it isn't set, and code in the rom to disallow booting beyond the post aside from the update if it is set. Impossible for any kind of automated attack, and servers should never get a deep update like that without being closely supervised anyway.

Mod Parent Up - This is the best solution (0)

Anonymous Coward | more than 2 years ago | (#41119023)

Seriously.

Re:Easy solve (2)

NemoinSpace (1118137) | more than 2 years ago | (#41119109)

A physical jumper would cost extra money. How about a NON FLASHABLE bios? - we used to have them. We used to have non shitty programmers that could write code that didn't have to be updated every 6 months. There was a time a flashable bios was justified. Now it's just a cross between laziness and DRM.
Seeing this article reveals we have some very stupid people in some very high places in the IT world.

Re:Easy solve (0)

Anonymous Coward | more than 2 years ago | (#41119261)

Non shitty programmers would cost extra money. Programmers that could anticipate and code for future hardware cost even more.
Seeing this comment reveals we have some very stupid people in some very low places in the IT world.

Re:Easy solve (2)

cachimaster (127194) | more than 2 years ago | (#41119399)

A physical jumper would cost extra money. How about a NON FLASHABLE bios?

No, sorry that's crazy. BIOS updates are essential to fix security bugs. A non-flashable bios would make your system *more* insecure.

The physical jumper would help in some situations, but not all, let me explain: I'm one of the guys cited on that draft, we made a pretty generic bios rootkit that worked fine. One of our attack scenarios included having physical access to the device before the victim, i.e. you receive an already rootkited laptop/PC. A jumper won't help in that case, only a signed BIOS would. It sucks because it smells a lot like DRM but very often security and freedom are mutually exclusive.

Re:Easy solve (1)

Fred Ferrigno (122319) | more than 2 years ago | (#41119667)

One of our attack scenarios included having physical access to the device before the victim, i.e. you receive an already rootkited laptop/PC. A jumper won't help in that case, only a signed BIOS would.

And when the attacker inevitably finds an exploit and installs a rootkit anyway, they'll change the keys so you can't install the officially signed BIOS.

Re:Easy solve (1)

cachimaster (127194) | more than 2 years ago | (#41120069)

And when the attacker inevitably finds an exploit and installs a rootkit anyway, they'll change the keys so you can't install the officially signed BIOS.

Exactly. You can't really protect a generic computer from unknown software bugs. Also if you have physical access it's game over anyway, you could replace a big enough piece of hardware with a malicious one and that's it, pwned.

Re:Easy solve (0)

Anonymous Coward | more than 2 years ago | (#41120105)

If someone is going to fiddle with your new machine before you get it, there's a lot more sinister things they could do and a signed bios won't matter.
Regardless, I vote for bios on ROM. New update? Get the new ROM.

Re:Easy solve (1)

SuricouRaven (1897204) | more than 2 years ago | (#41121019)

In that scenario, the victim is screwed no matter how securely the bios is protected. Any attacker good enough to hack firmware should be quite capable of exploiting the hardware itself. Time-delay system-killers, a hacked network card that starts sending duplicate packets to any IP that gives it a key string of bytes, a keylogger that stores the passwords entered when installing the OS for later retrieval (Possibly via hacked network card). It can all be done, because things like that have long been done to games consoles to make modchips.

Re:Easy solve (1)

drsmithy (35869) | more than 2 years ago | (#41120793)

How about a NON FLASHABLE bios? - we used to have them. We used to have non shitty programmers that could write code that didn't have to be updated every 6 months.

No we didn't, we had bugs that went unreported and code that didn't get fixed, ever.

How about a physical lock on the BIOS (0)

Anonymous Coward | more than 2 years ago | (#41118893)

One of many options that I think should be implemented is a jumper on the motherboard that has to be shorted in order to make any change to the BIOS (settings, updates, etc). Run a switch (even a key switch) from the jumper to the outside of the case. When you want to change the BIOS you put the switch into the short position. When done set it back.

Only drawback is it makes it difficult to make a change to the BIOS remotely. But if you are doing that frequently you can just leave the jumper shorted and find a different way to secure the BIOS. For companies with big pockets like Google or Facebook, they could put some sort of a remote relay on the jumper.

BIOS (0)

Anonymous Coward | more than 2 years ago | (#41118895)

If you can't protect the OS (patching) how the hell are you going to protect the system from BIOS attacks?

Management Port anyone? (3, Interesting)

Igot1forya (2609733) | more than 2 years ago | (#41118897)

I think for high-end hardware for servers and stuff, an RS232 serial port only accessible when enabled for updates should be the only conduit for installing BIOS updates. Think of it as a management port. Us network guys do this already via SSH, Telnet and TFTP and you guessed it, SERIAL already. I don't know of any viruses able to jump a physical divide like a serial port.

Cow Tits Feel Good, But Come On.. (0, Offtopic)

Anonymous Coward | more than 2 years ago | (#41118943)

Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware

In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms 87

How many rootkits does the US[2] use officially or unofficially?

How much of the free but proprietary software in the US spies on you?

Which software would that be?

Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.

How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?

If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?

I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:

APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government) your NIC, and many other devices.

Where are the commercial or free anti-malware organizations and individual's products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or 'deleted/junk posts' forum section, someone or a team of individuals will mock you in various forms 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.

The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.

Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.

Don't let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not touch the void of the APT malware described above which will survive any wipe of r/w media. I'm convinced, on both *nix and Windows, these pieces of APT malware are government in origin. Maybe not from the US, but most of the 'curious' malware I've come across in poisoned binaries, were written by someone with a good knowledge in English, some, I found, functioned similar to the now well known Flame malware. From my experience, either many forum/mailing list mods and malware developers/defenders are 'on the take', compromised themselves, and/or working for a government entity.

Search enough, and you'll arrive at some lone individuals who cry out their system is compromised and nothing in their attempts can shake it of some 'strange infection'. These posts receive the same behavior as I said above, but often they are lone posts which receive no answer at all, AT ALL! While other posts are quickly and kindly replied to and the 'strange infection' posts are left to age and end up in a lost pile of old threads.

If you're persistent, the usual challenge is to, "prove it or STFU" and if the thread is not attacked or locked/shuffled and you're lucky to reference some actual data, they will usually attack or ridicule you and further drive the discussion away from actual proof of APT infections.

The market is ripe for an ambitious company or individual to begin demanding companies and organizations who release firmware and design hardware to release signed and hashed packages and pour this information into the cloud, so everyone's BIOS is checked, all firmware on routers, NICs, and other devices are checked, and malware identified and knowledge reported and shared openly.

But even this will do nothing to stop backdoored firmware (often on commercial routers and other networked devices of real importance for government use - which again opens the possibility of hackers discovering these backdoors) people continue to use instead of refusing to buy hardware with proprietary firmware/software.

Many people will say, "the only safe computer is the one disconnected from any network, wireless, wired, LAN, internet, intranet" but I have seen and you can search yourself for and read about satellite, RF, temperature, TEMPEST (is it illegal in your part of the world to SHIELD your system against some of these APT attacks, especially TEMPEST? And no, it's not simply a CRT issue), power line and many other attacks which can and do strike computers which have no active network connection, some which have never had any network connection. Some individuals have complained they receive APT attacks throughout their disconnected systems and they are ridiculed and labeled as a nutter. The information exists, some people have gone so far as to scream from the rooftops online about it, but they are nutters who must have some serious problems and this technology with our systems could not be possible.

I believe most modern computer hardware is more powerful than many of us imagine, and a lot of these systems swept from above via satellite and other attacks. Some exploits take advantage of packet radio and some of your proprietary hardware. Some exploits piggyback and unless you really know what you're doing, and even then... you won't notice it.

Back to the Windows users, a lot of them will dismiss any strange activity to, "that's just Windows!" and ignore it or format again and again only to see the same APT infected activity continue. Using older versions of sysinternals, I've observed very bizarre behavior on a few non networked systems, a mysterious chat program running which doesn't exist on the system, all communication methods monitored (bluetooth, your hard/software modems, and more), disk mirroring software running[1], scans running on different but specific file types, command line versions of popular Windows freeware installed on the system rather than the use of the graphical component, and more.

[1] In one anonymous post on pastebin, claiming to be from an intel org, it blasted the group Anonymous, with a bunch of threats and information, including that their systems are all mirrored in some remote location anyway.

[2] Or other government, US used in this case due to the article source and speculation vs. China. This is not to defend China, which is one messed up hell hole on several levels and we all need to push for human rights and freedom for China's people. For other, freer countries, however, the concentration camps exist but you wouldn't notice them, they originate from media, mostly your TV, and you don't even know it. As George Carlin railed about "Our Owners", "nobody seems to notice and nobody seems to care".

[3] http://www.stallman.org/ [stallman.org]

Try this yourself on a wide variety of internet forums and mailing lists, push for malware scanners to scan more than files, but firmware/BIOS. See what happens, I can guarantee it won't be pleasant, especially with APT cases.

So scan away, or blissfully ignore it, but we need more people like RMS[3] in the world. Such individuals tend to be eccentric but their words ring true and clear about electronics and freedom.

I believe we're mostly pwned, whether we would like to admit it or not, blind and pwned, yet fiercely holding to misinformation, often due to lack of self discovery and education, and "nobody seems to notice and nobody seems to care".

##

Schneier has covered it before: power line fluctuations (differences on the wire in keys pressed).

There's thermal attacks against cpus and temp, also:

ENF (google it)

A treat (ENF Collector in Java):

sourceforge dot net fwdslash projects fwdslash nfienfcollector

No single antimalware scanner exists which offers the ability to scan (mostly proprietary) firmware on AGP/PCI devices (sound cards, graphics cards, usb novelty devices excluding thumb drives), BIOS/CMOS.

If you boot into ultimate boot cd you can use an arcane text interface to dump BIOS/CMOS and examine/checksum.

The real attacks which survive disk formats and wipes target your PCI devices and any firmware which may be altered/overwritten with something special. It is not enough to scan your hard drive(s) and thumb drives, the real dangers with teeth infect your hardware devices.

When is the last time you:

Audited your sound card for malware?
Audited your graphics card for malware?
Audited your network card for malware?

Google for:

* AGP and PCI rootkit(s)
* Network card rootkit(s)
* BIOS/CMOS rootkit(s)

Our modern PC hardware is capable of much more than many can imagine.

Do you:

* Know your router's firmware may easily be replaced on a hacker's whim?
* Shield all cables against leakage and attacks?
* Still use an old CRT monitor and beg for TEMPEST attacks?
* Use TEMPEST resistant fonts in all of your applications including your OS?
* Know whether or not your wired keyboard has keypresses encrypted as they pass to your PC from the keyboard?
* Use your PC on the grid and expose yourself to possible keypress attacks?
* Know your network card is VERY exploitable when plugged into the net and attacked by a hard core blackhat or any vicious geek with the know how?
* Search out informative papers on these subjects and educate your friends and family about these attacks?
* Contact antimalware companies and urge them to protect against many or all these attacks?

Do you trust your neighbors? Are they all really stupid when it comes to computing or is there a geek or two without a conscience looking to exploit these areas?

The overlooked threat is the potential civilian rogues stationed around you, especially in large apartment blocks who feed on unsecured wifi to do their dirty work.

With the recent news of Russian spies, whether or not this news was real or a psyop, educate yourself on the present threats which all antimalware scanners fail to protect against and remove any smug mask you may wear, be it Linux or OpenBSD, or the proprietary Windows and Mac OS you feel are properly secured and not vulnerable to any outside attacks because you either don't need an antivirus scanner (all are inept to serious attacks) or use one or several (many being proprietary mystery machines sending data to and from your machine for many reasons, one is to share your information with a group or set database to help aid in threats), the threats often come in mysterious ways.

Maybe the ancients had it right: stone tablets and their own unique language(s) rooted in symbolism.

#

I'm more concerned about new rootkits which target PCI devices, such as the graphics card and the optical drives, also, BIOS. Where are the malware scanners which scan PCI devices and BIOS for mismatches? All firmware, BIOS and on PCI devices should be checksummed and saved to match with others in the cloud, and archived when the computer is first used, backing up signed firmware.

When do you recall seeing signed router firmware upgrades with any type of checksum to check against? Same for PCI devices and optical drives and BIOS.

Some have begun with BIOS security:

http://www.biosbits.org/ [biosbits.org]

Some BIOS has write protection in its configuration, a lot of newer computers don't.

#

"Disconnect your PC from the internet and don't add anything you didn't create yourself. It worked for the NOC list machine in Mission Impossible"

The room/structure was likely heavily shielded, whereas most civvies don't shield their house and computer rooms. There is more than meets the eye to modern hardware.

Google:

subversion hack:
tagmeme(dot)com/subhack/

network card rootkits and trojans
pci rootkits
packet radio
xmit "fm fingerprinting" software
"specific emitter identification"
forums(dot)qrz(dot)com

how many malware scanners scan bios/cmos and pci/agp cards for malware? zero, even the rootkit scanners. have you checksummed/dumped your bios/cmos and firmware for all your pci/agp devices and usb devices, esp vanity usb devices in and outside the realm of common usb devices (thumbdrives, external hdds, printers),

Unless your computer room is shielded properly, the computers may still be attacked and used, I've personally inspected computers with no network connection running mysterious code in the background which task manager for windows and the equiv for *nix does not find, and this didn't find it all.

Inspect your windows boot partition in *nix with hexdump and look for proxy packages mentioned along with command line burning programs and other oddities. Computers are more vulnerable than most would expect.

You can bet all of the malware scanners today, unless they are developed by some lone indy coder in a remote country, employ whitelisting of certain malware and none of them scan HARDWARE devices apart from the common usb devices.

Your network cards, sound cards, cd/dvd drives, graphics cards, all are capable of carrying malware to survive disk formatting/wiping.

Boot from a Linux live cd and use hexdump to examine your windows (and *nix) boot sectors to potentially discover interesting modifications by an unknown party.

#
eof
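The post above asks for firmware dumps to be checksummed when a machine is first used and compared later. One way to do that comparison is sketched here as an added example, not code from the post or from any scanner: it hashes a dump in fixed-size blocks so that a mismatch is reported as byte ranges rather than a bare yes/no. The 4 KiB block size, the function names and the sample image are assumptions constructed for illustration.

```python
import hashlib

BLOCK = 4096  # assumed comparison granularity; not tied to any real flash layout


def block_digests(image: bytes, block: int = BLOCK) -> list:
    """SHA-256 of each fixed-size block of a firmware dump."""
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]


def make_baseline(image: bytes, block: int = BLOCK) -> dict:
    """Record to archive when the machine is first put into service."""
    return {
        "size": len(image),
        "block": block,
        "sha256": hashlib.sha256(image).hexdigest(),
        "blocks": block_digests(image, block),
    }


def compare(baseline: dict, image: bytes) -> dict:
    """Compare a later dump with the baseline and list changed byte ranges."""
    result = {
        "match": hashlib.sha256(image).hexdigest() == baseline["sha256"],
        "size_changed": len(image) != baseline["size"],
        "changed_ranges": [],
    }
    if result["match"]:
        return result
    block = baseline["block"]
    old, new = baseline["blocks"], block_digests(image, block)
    n = max(len(old), len(new))
    limit = max(len(image), baseline["size"])
    start = None
    for idx in range(n):
        # A block missing from either dump counts as changed.
        differs = idx >= len(old) or idx >= len(new) or old[idx] != new[idx]
        if differs and start is None:
            start = idx
        elif not differs and start is not None:
            # Close a run of adjacent changed blocks as one range.
            result["changed_ranges"].append((start * block, idx * block))
            start = None
    if start is not None:
        result["changed_ranges"].append((start * block, min(n * block, limit)))
    return result


def constructed_sample():
    """Constructed 64 KiB 'dump' and a modified copy; not real firmware."""
    clean = bytes((i * 7 + 3) % 256 for i in range(64 * 1024))
    changed = bytearray(clean)
    for off in range(0x3FF8, 0x4008):  # straddles the block 3 / block 4 boundary
        changed[off] ^= 0xFF
    changed[0xF123] ^= 0x01            # single flipped bit in the last block
    return clean, bytes(changed)


if __name__ == "__main__":
    clean, changed = constructed_sample()
    report = compare(make_baseline(clean), changed)
    for lo, hi in report["changed_ranges"]:
        print(f"changed: 0x{lo:05X}-0x{hi:05X}")
```

A dump is only as trustworthy as the environment that read it, which is why the post suggests taking it from separate boot media rather than from the installed OS. Ranges that change after a settings change are expected; ranges that change with no update or reconfiguration are the ones to investigate.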

The BIOS is not the problem (0)

Anonymous Coward | more than 2 years ago | (#41119003)

Retarded hardware that blindly lets you flash anything you want to the BIOS is the problem.

This is not a matter of software security, it's a matter of low level hardware security. This isn't something we're going to fix with "security certificates" and bullshit like that (though I'm sure that's what everyone will resort to- signed BIOS updates, thus bringing the life of your average hardware admin one step closer to absolute hell). This is something that you can easily fix by requiring physical interaction with the hardware prior to launching an update.

At the minimum, there should be a 1-bit DIP switch on the logic board of server spec gear that lets you select between the following:

1) Updates can be applied directly from the OS, and are made active immediately after reboot
2) Updates can be applied directly from the OS, but are buffered in a secondary flash chip and only dumped into the primary firmware chip if the system is halted and powered up by holding down the power button for more than 10 seconds

If you've got the DIP switch set to #2, then anything can write to the firmware all it wants. It doesn't matter, because those writes are redirected to a secondary chip which are never ever executed by the hardware. It's just a staging area for updates, until someone physically starts the update procedure from the front of the machine.

Of course the usual solution to this sort of thing is to just throw obfuscated crypto at the problem, so I doubt anyone will bother implementing anything like this. And in the end, whatever stupid solution they do come up with will likely be hacked by the underground in a matter of months, leaving everyone right back where they were before- with vulnerable systems that can be updated through software, except now the process for legitimately updating things is that much more complex.

-AC
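A small model of the two-chip scheme from the comment above, added here as an example and not taken from the comment or from any vendor's design. It also covers one case the comment leaves open: because anything may write to the staging chip, a long press commits whatever was staged last. The `Board` class, its method names and the optional digest check before commit are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

HOLD_SECONDS = 10  # the comment's threshold: button held for MORE than 10 seconds


@dataclass
class Board:
    """Toy model of the proposed board; all names here are hypothetical."""
    primary: bytes                    # chip the machine executes from
    staging: Optional[bytes] = None   # secondary chip, never executed
    staged_mode: bool = True          # DIP switch: False = option 1, True = option 2
    events: list = field(default_factory=list)

    def os_flash_write(self, image: bytes) -> str:
        """A flash write issued by any software running under the OS."""
        if self.staged_mode:
            self.staging = image          # redirected, never executed
            self.events.append("staged")
            return "staging"
        self.primary = image              # option 1: live after reboot
        self.events.append("primary written from OS")
        return "primary"

    def power_on(self, held_seconds: float = 0.0, was_halted: bool = False,
                 expected_sha256: Optional[str] = None) -> bytes:
        """Power-up; returns the image that will execute.

        expected_sha256 is an assumed extension: the operator supplies the
        digest of the image they meant to install and a mismatch blocks the
        commit.
        """
        wants_commit = (self.staged_mode and self.staging is not None
                        and was_halted and held_seconds > HOLD_SECONDS)
        if wants_commit:
            digest = hashlib.sha256(self.staging).hexdigest()
            if expected_sha256 is not None and digest != expected_sha256:
                self.events.append("commit refused: staged digest mismatch")
            else:
                self.primary, self.staging = self.staging, None
                self.events.append("committed by physical presence")
        return self.primary


def scenarios() -> dict:
    """Run the cases on constructed stand-in images (labels, not firmware)."""
    v1, v2, rogue = b"vendor image v1", b"vendor image v2", b"unexpected image"
    out = {}

    b = Board(primary=v1, staged_mode=False)      # option 1
    b.os_flash_write(rogue)
    out["option1_reboot"] = b.power_on()

    b = Board(primary=v1)                         # option 2
    b.os_flash_write(rogue)
    out["option2_reboot"] = b.power_on()
    out["option2_press_10s"] = b.power_on(held_seconds=10, was_halted=True)

    b = Board(primary=v1)                         # admin stages v2, then it is replaced
    b.os_flash_write(v2)
    b.os_flash_write(rogue)
    out["long_press_unchecked"] = b.power_on(11, True)

    b = Board(primary=v1)
    b.os_flash_write(v2)
    b.os_flash_write(rogue)
    out["long_press_checked"] = b.power_on(11, True, hashlib.sha256(v2).hexdigest())
    out["checked_events"] = b.events
    return out


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(name, "->", value)
```

In this model the button press shows that someone at the machine intends an update, not that the staged image is the one they wrote; the digest check is one way to close that gap.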

Guaranteed-clean factory reset (2)

davidwr (791652) | more than 2 years ago | (#41119033)

Computers, especially servers, need a guaranteed-clean factory reset procedure.

How it might work:
IF you boot with a certain jumper set, an immutable "rescue BIOS" boots the computer into a "recovery mode." This may be as simple as booting off of a specific location, such as the first n sectors of whatever is on SATA drive 0. The "rescue BIOS" doesn't need to be any more complicated than a read-only copy of the real BIOS using factory-default settings instead of the "BIOS settings" the user or virus set.

IF you have a known-clean, preferably but not necessarily digitally-signed boot disk attached, you will be able to clean your BIOS, and, once that is clean, the rest of your system. Presumably the vendor would supply a bootable DVD or CD for this purpose.

Re:Guaranteed-clean factory reset (0)

Anonymous Coward | more than 2 years ago | (#41120411)

Sounds good... But I don't see this working if other components in the system have bios version dependencies. Back revving to "OOTB" could break compatibility.

4 most important lines in whole paper (1)

davidwr (791652) | more than 2 years ago | (#41119087)

Read carefully, this is very important:

Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930

Phrack citation (2)

cachimaster (127194) | more than 2 years ago | (#41119171)

I find it interesting that the draft cites a Phrack issue. If a NIST cite does not legitimize a journal, I don't know what does.

Physical hardware write switch (0)

Anonymous Coward | more than 2 years ago | (#41119237)

Back in my old Amiga 1000 days, the firmware came first, and it was the 'kickstart' disk. After it was loaded (in firmware ram), it would be soft-wired off and the small bit of firmware that computer had wouldn't allow writes to those chips anymore. It might sound like 'the old days', but I wouldn't mind flipping a switch when updating bios rom, and after its written, it stays there as read only till you decide to update it again. It sounds like 'old timer days', but it sure keeps firmware malware out. Oh, and kill UEFI with fire!

NIST made up of government desk jockeys (0)

Anonymous Coward | more than 2 years ago | (#41119311)

It never gets much of anything done. Lots of talk, talk, talk, spread over years.

simpler idea (1)

amoeba1911 (978485) | more than 2 years ago | (#41119317)

how about this: make bios read-only, and include a momentary push button that needs to be pushed in order to make the bios writable for a limited amount of time. Is this too simple?

Re:simpler idea (0)

Anonymous Coward | more than 2 years ago | (#41119639)

how about making it open source...

Re:simpler idea (0)

Anonymous Coward | more than 2 years ago | (#41119801)

Came here for this comment...

They used to have jumpers... You had to have the jumper set to update it. When done power off put jumper back.

Re:simpler idea (0)

Anonymous Coward | more than 2 years ago | (#41120549)

Yup, this is the $.05 solution that trumps $20M in DRM research and development. But that wouldn't sell whole new generations of new mobos, so it couldn't even be talked about for secure boot solutions.

Re:simpler idea (1)

sumdumass (711423) | more than 2 years ago | (#41120555)

Getting to a jumper is not always an easy task. When you have a 2 or 4 U server bolted into a rack of 4 or 5 other servers, it is somewhat of a major undertaking pulling it out, taking the cover off, hooking things back up to flash, putting the cover back on, then bolting it back in. You cannot always get to the back of them so holding it half in and out while reaching behind and looking at the reflections of a mirror to see what you are doing complicates things too. Also, when you have something like a 2 or 4 U server with a raid and redundant power supplies, they tend to get heavy.

This is probably part of the reasons why you can flash bioses from within the operating system now anyways.

Re:simpler idea (0)

Anonymous Coward | more than 2 years ago | (#41120627)

But a big push-button with a flip-hood over it, nuke-launch style, wouldn't be hard to get to, even on a rack server.

Re:simpler idea (1)

SuricouRaven (1897204) | more than 2 years ago | (#41121029)

Or just use the paperclip-sized hole method.

Too complex. Much easier way. (1)

Anonymous Coward | more than 2 years ago | (#41119413)

Hardware jumper.

Jumper on. Bios is read/write.

Jumper off. (default) Bios is read only. Period. No exceptions. Not possible to write when its off. At all.

Done and done. No signing anything needed. 100% under the control of the machine owner.

Too hard? Make it a fucking button somewhere. Too insecure? Make it a key lock.

Re:Too complex. Much easier way. (1)

sumdumass (711423) | more than 2 years ago | (#41120571)

Too hard? Make it a fucking button somewhere. Too insecure? Make it a key lock.

This is probably the way to go if a jumper is going to be required. You get a bunch of servers in a rack or cabinet and it starts getting complicated to get to the jumpers. But I would make it open nothing closed flash. This way if the wires to the switch get pinched and cut for some reason, it fails to safe (open- no flash).

How about non-writable BIOS ROMs? (0)

Anonymous Coward | more than 2 years ago | (#41119863)

I remember upgrading the BIOS on my AT&T PC 6300 back about ... jeez, it was 22 years ago. The upgrade consisted of removing one socketed chip and replacing it with another. Quite a secure BIOS since you cannot write to ROM.

Thinking about modern equivalents, how about storing the BIOS on a read only memory device again. SIM chips come to mind. Maybe create some sort of new device that would be equally cheap to manufacture. Sure, you would lose the ability to download a new BIOS and perform the upgrade via software, but hey, you can't beat the security of it. If the BIOS chip could be made a write-once device, then you could still have the convenience of downloading, just with the added step of burning.

Some people might complain about physical replacement being impractical in a large datacenter, but having worked in a datacenter with more than 30,000 servers I can attest that this would not be a likely issue: we never did a single BIOS update in the 3 years I worked there.

Hacked By Android (0)

Anonymous Coward | more than 2 years ago | (#41120037)

We can say that the BIZOS is protected.. read the articles submitted by hackers The Hackers Idea [hackingstuffs.com]

With Intel... (1)

stanlyb (1839382) | more than 2 years ago | (#41120305)

With Intel chipset, i could say only one thing: FORGET about security. Why? Pretty simply, the chipset itself is with already built-in remote control module. Even before booting. Oh, nooo, not true, even if the computer is shut down (but is still connected to the power socket of course).

coast dress (-1, Offtopic)

telanxs (2715251) | more than 2 years ago | (#41120661)

Re: (Score:2)

by bmo (77928)

> I've often wondered why we don't see more persistent infections given how firmware is handled these days.

Because writing malware for bioses and firmware means you have to be able to insert your bits of evil into firmware for a multitude of versions of Phoenix BIOS, AMI BIOS, EFI, etc. And that's hard work. Just look at the OpenBIOS project. Just trying to get that to work on a bunch of motherboards and to stay up to date is Sisyphean. It's more productive to write malware for the OS. It's much less he

Re: (Score:1)

by Grave (8234)

Except that when it comes to servers, the differences are far fewer. Target just a few different variations of a Dell or HP motherboard, all with very similar architecture, and the potential for havoc is great.

Why NIST? (Score:1)

by Gothmolly (148874)

Why is the government proposing any standards for computer BIOSes? Can you say backdoor? Can you say "abuse of the Commerce Clause"?

-- Only on Slashdot does an AC get modded Informative for pointing out that the LHC is in Europe.

Re: (Score:1)

by Anonymous Coward

I would say that an organization called the National Institute of Standards and Technology is exactly the type of organization that would set standards for computer BIOSes. Doesn't mean you have to follow them, if you're worried about it. All NIST publications are open and available, so it's not like they're going to sneak something in that no one knows about.

9/11 (1)

crutchy (1949900) | more than 2 years ago | (#41120801)

hopefully it's a little more thought out than their report on 9/11

A switch is the answer - for BIOS and O/S... (0)

Anonymous Coward | more than 2 years ago | (#41120861)

It is not that difficult to design the BIOS to need a H/W switch to be closed before update.

Equally, it is not that difficult to design an Operating System to require a H/W switch to be closed before any update of critical components takes place. I have done that myself while working in the dirty area of a virus lab. That gives you strong security against any attempts to compromise your system.

A lot of the current security issues which exist could easily be solved in this way - if only S/W designers would consider using a H/W solution...

Move along, Nothing to see here. (0)

Anonymous Coward | more than 2 years ago | (#41121027)

.. all part of the Glorious War On General Computing Machines. Too dangerous for general consumption.

Has everyone forgotten the concept of ROM? (That's Read Only Memory for you young'ins).

Considering the average lifespan of a PC these days is 2 years or less, would it hurt to make the boot code read-only? It's not like the average user is going to shed tears 10 years from now that they can't boot Windoze 12 on the system they buy today!
