Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

AMI Firmware Source Code, Private Key Leaked

Soulskill posted about a year and a half ago | from the never-trust-others-to-respect-your-property-as-much-as-you-do dept.

Security 148

Trailrunner7 writes "Source code and a private signing key for firmware manufactured by a popular PC hardware maker American Megatrends Inc. (AMI) have been found on an open FTP server hosted in Taiwan. Researcher Brandan Wilson found the company's data hosted on an unnamed vendor's FTP server. Among the vendor's internal emails, system images, high-resolution PCB images and private Excel spreadsheets was the source code for different versions of AMI firmware, code that was current as of February 2012, along with the private signing key for the Ivy Bridge firmware architecture. AMI builds the AMIBIOS BIOS firmware based on the UEFI specification for PC and server motherboards built by AMI and other manufacturers. The company started out as a motherboard maker, and also built storage controllers and remote management cards found in many Dell and HP computers. 'The worst case is the creation of a persistent, Trojanized update that would allow remote access to the system at the lowest possible level,' researcher Adam Caudill said. 'Another possibility would be the creation of an update that would render the system unbootable, requiring replacement of the mainboard.'"

Sorry! There are no comments related to the filter you selected.

Me go pee pee in your coke (-1)

Anonymous Coward | about a year and a half ago | (#43370323)

LOL. Never trust chinks.

Re:Me go pee pee in your coke (1)

fustakrakich (1673220) | about a year and a half ago | (#43370847)

No, never trust upgradable bios. Put the damn chip into a socket, and do upgrades by snail-mail... The internet will never be safe. Which is a good thing, because I don't want anybody telling me what I can upload or download.

Security Through Obscurity (5, Insightful)

Jeremiah Cornelius (137) | about a year and a half ago | (#43371169)

How can you trust what you can never see, or even know is there?

Thesis: Security requires trust.

You are not trusted to know these secrets, therefore you are not secured through their application.

The whole UEFI boondoggle is false security. Worse, this proves that it is vulnerability risk, sold under masquerade, as security.

Re:Security Through Obscurity (1)

fustakrakich (1673220) | about a year and a half ago | (#43371637)

The whole UEFI boondoggle is false security. Worse, this proves that it is vulnerability risk, sold under masquerade, as security.

The dogs are always hungry.. This is just part of the show.

Re:Security Through Obscurity (1)

sexconker (1179573) | about a year and a half ago | (#43372101)

How can you trust what you can never see, or even know is there?

Thesis: Security requires trust.

You are not trusted to know these secrets, therefore you are not secured through their application.

The whole UEFI boondoggle is false security. Worse, this proves that it is vulnerability risk, sold under masquerade, as security.

UEFI is a replacement for BIOS. It has many features that let us deal with hardware that BIOS couldn't provide. UEFI is not a boondoggle, nor is it about security.

Re:Security Through Obscurity (1)

fustakrakich (1673220) | about a year and a half ago | (#43372223)

Either way, something that can brick your machine so easily with software shouldn't be soldered to the board.

Re:Me go pee pee in your coke (1)

mattventura (1408229) | about a year and a half ago | (#43371873)

What some hardware does (not just motherboards) is it has a physical jumper which has to be closed in order to allow the firmware to be changed. No chance of malicious flashing of the firmware (unless someone has physical access, but then you've got bigger problems) but without having to ship firmware on chips.

Keys and source... (1)

idunham (2852899) | about a year and a half ago | (#43370341)

Any way this could be used to circumvent Secure Boot?

Re:Keys and source... (1)

HarrySquatter (1698416) | about a year and a half ago | (#43370377)

No.

Re:Keys and source... (3, Interesting)

Truekaiser (724672) | about a year and a half ago | (#43370595)

Actually, yes it can.
"“By leaking this key and the firmware source, it is possible (and simple) for others to create malicious UEFI updates that will be validated and installed for the vendor’s products that use this Ivy Bridge firmware,” "

It will allow those with secure boot, that is on and has no user visible way of shutting it off. Because every extra option in a uefi/bios costs system builders like dell and hp money. a way of disableing it by flashing a bios,uefi image with that option or it permanently set to off.

Re:Keys and source... (5, Funny)

Bacon Bits (926911) | about a year and a half ago | (#43371005)

It will allow those with secure boot, that is on and has no user visible way of shutting it off. Because every extra option in a uefi/bios costs system builders like dell and hp money. a way of disableing it by flashing a bios,uefi image with that option or it permanently set to off.

Did you write my stereo instructions in the 1980s?

Re:Keys and source... (2)

glrotate (300695) | about a year and a half ago | (#43371513)

Close, he wrote the instructions for your motherboard.

that's umpossible (0)

Anonymous Coward | about a year and a half ago | (#43371869)

the creation of an update that would render the system unbootable, requiring replacement of the mainboard.

what kind of loser doesn't have a JTAG interface?
must be some sort of Apple user.

Re:Keys and source... (4, Insightful)

DarkOx (621550) | about a year and a half ago | (#43371199)

It might do even better than that! You might be about to create a custom bios image; with the secure boot check deliberately broked to not actually check the boot loader is signed but still return attest that it was.

This could allow you to compromise the DRM all the way up the chain.

Re:Keys and source... (0)

Anonymous Coward | about a year and a half ago | (#43372579)

Neat! Now we won't be able to boot Windows as well as Linux! (Things might change now.)

Re:Keys and source... (1)

Anon, Not Coward D (2797805) | about a year and a half ago | (#43370633)

Care to elaborate a little?? Please?

Ok... this chould be bad. (0)

Cyberglich (525256) | about a year and a half ago | (#43370347)

This could be very very bad..

Re:Ok... this chould be bad. (1)

Anonymous Coward | about a year and a half ago | (#43370509)

And this also could be great. Like everything, 90% of firmware sucks. Unlike most other software, replacing the firmware usually isn't even close to an option, and I loathe almost every single hardware company as a result of this.

Re:Ok... this chould be bad. (1)

sveinungkv (793083) | about a year and a half ago | (#43370821)

Unlike most other software, replacing the firmware usually isn't even close to an option If you do some research [coreboot.org] before buying a new main board its a lot closer.

Re:Ok... this chould be bad. (1)

Junta (36770) | about a year and a half ago | (#43371303)

Of course, considering the selection of coreboot applicable hardware is extremely limited and mostly ancient...

Re:Ok... this chould be bad. (0)

Anonymous Coward | about a year and a half ago | (#43371689)

Indeed, I"ve wanted to try it for years, but I've never had a motherboard that was supported by it.

Re:Ok... this chould be bad. (4, Insightful)

briancox2 (2417470) | about a year and a half ago | (#43370571)

Bad? Part of the UEFI barrier for other OS's has just been Open Sourced.

And there was much rejoicing.

Re:Ok... this chould be bad. (1)

Anonymous Coward | about a year and a half ago | (#43370627)

No it hasn't. You're not going to be able to use this to bypass UEFI secure boot even on AMI hardware let alone it being applicable to hardware at large.

Re:Ok... this chould be bad. (0)

Anonymous Coward | about a year and a half ago | (#43370939)

Then why did we need secure boot in the first place?

Re:Ok... this chould be bad. (0)

Anonymous Coward | about a year and a half ago | (#43371237)

Sounds like it can be used to sign your own BIOS updates. And if you can sign your own BIOS updates, how does that not translate back to effectively bypassing UEFI? Sure, you're technically simply working within the system instead of going around it, but if it looks like a bypass, walks like a bypass, quacks like a bypass...

Re:Ok... this chould be bad. (0)

Anonymous Coward | about a year and a half ago | (#43371429)

...if it looks like a bypass, walks like a bypass, quacks like a bypass...

Then it must be a witch! Burn it [to EEPROM]

Re:Ok... this chould be bad. (1)

Billly Gates (198444) | about a year and a half ago | (#43372899)

Bad? Part of the UEFI barrier for other OS's has just been Open Sourced.

And there was much rejoicing.

Or a piece of malware will now sign itself and change the keys making it impossible to remove. It would be better totally unlocked otherwise. If the keys were in ROM where they could not be rewritten then yes there will be much rejoicing but who is to say the malware wont reimage itself in the UEFI and put another set of keys maybe randomly generated on the host?

Link? (5, Insightful)

visualight (468005) | about a year and a half ago | (#43370357)

I could care less about the security implications. Where's the link to the full key and source code?

Re:Link? (1)

Anonymous Coward | about a year and a half ago | (#43370519)

Something tells me the admin of AMISource.com [amisource.com] is about to have a bad day!

Re:Link? (1)

stafil (1220982) | about a year and a half ago | (#43371307)

Just out of curiosity I would love to have a look at their code. I am sure it will appear in piratebay soon.

Anybody knows if it is illegal to download it and have a peek at it?

Re:Link? (0)

Anonymous Coward | about a year and a half ago | (#43371397)

Who cares. Personally I believe it is morally right to look at code out of intellectual curiosity and that is all I need. You wont get caught illegal or not. And if you are paranoid there are way to acquire it without exposing your IP to a bitorrent tracker.

Re:Link? (2, Informative)

Anonymous Coward | about a year and a half ago | (#43370613)

THEN CARE LESS.
The phrase is "I couldn't care less", you troglodyte.

Re:Link? (-1)

Anonymous Coward | about a year and a half ago | (#43370771)

Fuck off

Re:Link? (0)

Anonymous Coward | about a year and a half ago | (#43370941)

Not necessarily. Having several systems with AMI BIOSes dating back to the early 1990s, I could care less about the security implications too. Not much less, seeing that none of them use UEFI, but I can't honestly say that I couldn't care less. I'm more interested in reading through the code.

Re:Link? (0)

Anonymous Coward | about a year and a half ago | (#43372917)

If OP couldn't care less, then he wouldn't have had enough care to post a comment. But he had just enough care to post, though barely. So while his level of care is quite low, it's not empty. If couldn't care less, then that would indicate his level of care is zero, but that would be false since he obviously had enough care to care to write a post declaring the level of care that he had.

Re:Link? (0, Flamebait)

Anonymous Coward | about a year and a half ago | (#43370665)

I couldn't care less about the security implications.

Seeg Hile or something or another for the Grammar Nazi salute!

*I use to get pissed at grammar Nazis. Until one day, someone in authority showed me a resume from someone who made a mistake much less than that one, and said "How can I hire someone who makes such stupid errors as that!?!"

Now, when a grammar Nazi corrects me, I just nod in appreciation or hold back my flames if they're a dick about it.

Things are so bad out there, they'll find any reason to dismiss you.

You may not have problems now or you're secure, but one day, it may matter.

When it was too late, I found out about some of my problems and issues - now, I'm unemployable and on wife support.

There's nothing more humiliating that being on wife support. Especially when you were making six figures.

Just telling you this because I don't want to seem like a dick or come across as someone who thinks "he's all that".

Re:Link? (0)

visualight (468005) | about a year and a half ago | (#43370705)

Roger. It's not an oversight or a mistake on my part. I prefer to say it that way.

I also sometimes say "I give a damn" too.

Because that's the way how I roll.

Re:Link? (1)

Bill, Shooter of Bul (629286) | about a year and a half ago | (#43370809)

Well, I couldn't care more about your off beet phrasing.

Re:Link? (1)

h4rr4r (612664) | about a year and a half ago | (#43371339)

I did not expect that level of frankness to turnip in a slashdot thread.

Re:Link? (0)

Anonymous Coward | about a year and a half ago | (#43371601)

I want to enjoy this thread, but I'm finding it chard.

Re:Link? (1)

bug1 (96678) | about a year and a half ago | (#43372905)

Well, I could care less about this those who couldnt care more, and couldnt care less about those who care more.

SO THERE !

Re:Link? (0)

Anonymous Coward | about a year and a half ago | (#43372271)

Well, expect to catch a lot of flak for sounding like an idiot, then.

I prefer to use blortz instead of "the" and blortz word froople in blortz place of "a."

Re:Link? (0)

Anonymous Coward | about a year and a half ago | (#43370745)

...except that what you corrected in the GP's post wasn't a grammar mistake. The grammar was perfectly fine.

Re:Link? (1)

Anon, Not Coward D (2797805) | about a year and a half ago | (#43370777)

Seig hail to our new Sintax Nazi Overlord

Re:Link? (0)

Anonymous Coward | about a year and a half ago | (#43370811)

Syntax ;)

Re:Link? (1)

Anon, Not Coward D (2797805) | about a year and a half ago | (#43370907)

oh for the irony...

Re:Link? (3, Interesting)

mjr167 (2477430) | about a year and a half ago | (#43370925)

There is nothing wrong with being on "wife support", assuming she can afford to keep you. Change your title to "home maker" and think of it as an opportunity.

My husband stays home with our kids building block towers and signing about the letter A all day. There is actually a growing community of stay at home husbands, and if you think about it, it is really the next logical step towards equality. If we want women to have the option to go out and earn a 6 figure salary, then we need to be willing to let men stay home and feel proud about it.

If you have no kids to raise, then take the opportunity to reinvent yourself. Start a non-profit. Make soda can sculptures that you can sell at your local craft show. Volunteer. These are the things we expected and praised women for doing and there is no shame in men doing them to.

So pick up your head, take pride in the fact that you have a loving, supportive wife, and turn this into an opportunity. The value of a man, or woman, is not measured solely by their income, but rather how they work to better others.

Re:Link? (0)

Anonymous Coward | about a year and a half ago | (#43372389)

Wut ? "Score:2, Troll"? - I know that it is normal nowadays to both be working, and I guess that having spent a lot of effort to get trained, it is frustrating to be denied the opportunity to use that training productively regardless of your gender..... but still in what way is this anything except true ?

Re:Link? (0)

Anonymous Coward | about a year and a half ago | (#43370675)

++

Re:Link? (1)

Anon, Not Coward D (2797805) | about a year and a half ago | (#43370715)

From one of the features FA:

"I’ve contacted both the vendor involved and AMI to alert them to the issue. Obviously, I won’t be releasing the name of the vendor, the FTP address, or anything that was seen on the server."

Maybe we won't see it ever :(

Re:Link? (0)

Anonymous Coward | about a year and a half ago | (#43370757)

The name is out there if you know how to look, and the files are still there. Pandora's box has definitely been opened.

Re:Link? (0)

Anonymous Coward | about a year and a half ago | (#43371341)

Oh, so we should of course just trust you as well? If the files are still there, why don't you at least post the name of the vendor, if not the link?

Re:Link? (0)

Anonymous Coward | about a year and a half ago | (#43371703)

No, you should not trust me. You're supposed to learn how to look. Exploits used to be published with small deliberate coding errors in them to prevent script kiddies from just compiling and running them. Handing dangerous stuff to people who haven't gained the corresponding knowledge used to be known as a bad thing. So I won't tell you.

Re:Link? (1)

fustakrakich (1673220) | about a year and a half ago | (#43370945)

We shouldn't believe him then. The old 'tits, or GTFO' applies. In fact, it sounds like attempted extortion.

Re:Link? (0)

Anonymous Coward | about a year and a half ago | (#43371415)

I didn't read a part where he was threatening AMI with release of all the sensitive material unless they paid him a wealthy sum or offered him a prestigious job in exchange for keeping this quiet. Maybe you can help me find it?

Re:Link? (1)

fustakrakich (1673220) | about a year and a half ago | (#43371663)

Yeah, that's right, he's going to post a threat online.

Gee, that's a nice BIOS you get there. It'd be a shame to see anything happen to it.

Re:Link? (1)

Anonymous Coward | about a year and a half ago | (#43371321)

*ahem* http://www.mmnt.net/db/0/0/ftp.jetway.com.tw

Re:Link? (1)

Anonymous Coward | about a year and a half ago | (#43371891)

http://pastebin.com/LFGhmfS9

Better Writeup (1)

bill_mcgonigle (4333) | about a year and a half ago | (#43372667)

This has the link, but that'll do you no good [virustracker.info] at this point.

In related news, I'm more interested in buying an AMI motherboard now. Especially one with CoreBoot flashed over it.

Re:Better Writeup (1)

Billly Gates (198444) | about a year and a half ago | (#43372943)

So you are more interested in purchasing something malware writters who now know the keys to sign their malware as a rootkit making it impossible to remove?

I'm safe from this (0)

Anonymous Coward | about a year and a half ago | (#43370379)

I runz the Linux!

Re:I'm safe from this (1, Flamebait)

sveinungkv (793083) | about a year and a half ago | (#43370583)

I runz the Linux!

I runz the Coreboot! [coreboot.org] ftfy

Re:I'm safe from this (0)

Anonymous Coward | about a year and a half ago | (#43370717)

I gotz the runz!

North Korea to use AMI motherboards (0, Troll)

Anonymous Coward | about a year and a half ago | (#43370449)

To mint trillions of counterfeit dollars to buy nuclear warheads from the republic of bitcoinistan.

You are fucked americans, very fucked.

I hope you put a HOSTS file in your secure boot sector.

Predicted (0)

Anonymous Coward | about a year and a half ago | (#43370491)

I predicted a few years back that because of all this crazy DRM stuff eventually you'd get a virus that would require you to throw out your computer.

linux in bios just got even easier (1)

Anonymous Coward | about a year and a half ago | (#43370493)

Besides all the gloom and doom, I can see a use case for this. someone tell coreboot.org? it would make updating your (ami)bios with embedded linux a bit simpler, eh?

There's so much "I told you so" in this... (5, Insightful)

Meshugga (581651) | about a year and a half ago | (#43370561)

...it's not even funny.

Re:There's so much "I told you so" in this... (5, Funny)

Anonymous Coward | about a year and a half ago | (#43370689)

C'mon, it's a little funny.

Like? (1, Insightful)

Sycraft-fu (314770) | about a year and a half ago | (#43372247)

What did you "tell them"? Since you didn't elaborate I fail to see what you are going for or how this is insightful.

I can only guess this is something along the lines of the people crying about "Waaaaa security through obscurity!" in which case I want to hear their solution to code signing/verification on a system that doesn't involve a secret private key. You might note that public/private key signing is how Linux distros secure and verify their application distribution services.

Re:There's so much "I told you so" in this... (1)

Darinbob (1142669) | about a year and a half ago | (#43372589)

Untrue. I laughed briefly before I started crying.

Why is only the worst case is mentioned? (1, Insightful)

Anonymous Coward | about a year and a half ago | (#43370639)

Why is only the worst case is mentioned? This can actually be good and help projects like coreboot support more hardware. Or maybe someone will make opensource fork of their firmware as there is a lot to improve in current uefi implementation.
As for the viruses I don’t think even with the signing key we will not see many bios viruses as it is really hard to write that actually does anything beside bricking the hardware. And on most systems it is impossible to update bios after the os is loaded.

you can flash in windows (0)

Anonymous Coward | about a year and a half ago | (#43370725)

you can flash in windows

Re:you can flash in windows (0)

Anonymous Coward | about a year and a half ago | (#43370779)

Not always. In most bioses you can set the lock that prevents from flashing until you boot into bios and disable it.

Re:Why is only the worst case is mentioned? (0)

Anonymous Coward | about a year and a half ago | (#43370825)

The coreboot people will not look at this, but of course everybody will imply that they did if they successfully reverse engineer something. This makes life harder for them, not easier. The crooks on the other hand will have absolutely no qualms about using this against their victims. Of course that's the story here: The complete and utter failure of a flawed security design. The E in UEFI is what's wrong, and the lack of jumpers that turn off write capability to the firmware *in*hardware*.

So much for SecureBoot (1)

the eric conspiracy (20178) | about a year and a half ago | (#43370651)

What a waste of time.

Re:So much for SecureBoot (2, Insightful)

Anonymous Coward | about a year and a half ago | (#43371211)

There is nothing wrong with SecureBoot, and in fact is a good idea. The problem is security by obscurity. Current SecureBoot implementations are just hoping you never discover the private key. A CORRECT way to do it is to allow custom keys to be loaded by people who have physical access to the machine. If you want Windows to be booted, you load their public key into your secure boot list. If you want to also boot Fedora/Ubuntu/Debian/Redhat, you install their public key. If you want to install a custom Linux, you generate a keypair, sign the binaries, and load the public keys.

Prove it!! (0)

Anonymous Coward | about a year and a half ago | (#43370663)

This is just scare mongering!

Doh (1)

MugenEJ8 (1788490) | about a year and a half ago | (#43370683)

'The worst case is the creation of a persistent, Trojanized update that would allow remote access to the system at the lowest possible level,' researcher Adam Caudill said. 'Another possibility would be the creation of an update that would render the system unbootable, requiring replacement of the mainboard.'

It's safe to assume the latter, as malware commanders don't want the computer offline or under scrutiny. Just give them another vector to attack and easier ways to cover up the bot.../p

NOTHING IS LEAKED (1)

CanEHdian (1098955) | about a year and a half ago | (#43370735)

There isn't anything useful that has been leaked.

Re:NOTHING IS LEAKED (1)

lastman71 (1314797) | about a year and a half ago | (#43373003)

Would you be so kind to elaborate? Thanks.

It is designed to be "secure" pain in ass. (0, Offtopic)

boorack (1345877) | about a year and a half ago | (#43370787)

This shows what a frickin fiasco is this UEFI Secure Boot crap. It was designed by Microsoft as a DRM-like lock-in tool for their Windows OS and it shows DRM-related problems again and again. TPM chips are around for years and are capable of solving all problems Microsoft promises to "fix" with this UEFI-secure-DRM-windows-only-Boot crap. In my opinion it qualifies as abuse of monopolistic power and should be prosecuted as such. I'd expect a lot of PC vendor arm twisting evidence to show up if such prosecution would ever take place. And BTW, please don't reply to me with "any OS vendor can request a key from Microsoft" or "any vendor can request hardware vendors to install its key" crapola. These are just lies spewed around by Microsoft stooges and paid trolls. They already abused dominant position in key distribution (just before last Christmas season) and they'll do it again and again anytime it fits them. The only sensible solution would be to force Microsoft and hardware vendors to abandon this flawed standard using antitrust measures or other means.

Re:It is designed to be "secure" pain in ass. (2)

Gadget_Guy (627405) | about a year and a half ago | (#43371477)

The basis of your whole rant was that Microsoft invented this technology, but you were wrong. I suggest that you go read up on [wikipedia.org] the UEFI [uefi.org] before you start making these sorts of proclaimations. The standard was originally developed by Intel, not Microsoft, and they contributed the initial version to the UEFI Forum (which includes reprentatives from ten other companies other than Microsoft on their board).

I have no doubt that you will consider me to be a "Microsoft stooge" for pointing this out.

Re:It is designed to be "secure" pain in ass. (0)

boorack (1345877) | about a year and a half ago | (#43372003)

The basis of my rant is that this technology is a DRM, causes problems for all non-MS participants, Microsoft controls this technology (by controlling key distribution) and Microsoft has already abused its control. All conveniently omitted by you. Regarding UEFI itself: yes, Intel designed original version of it but it was Microsoft who forced additional requirements [ozlabs.org] that made Secure Boot such a pain. So I still think that anyone supporting this broken standard either misguided or is a liar. Should I add "useful idiots" to my list of "Microsoft stooges" and "paid trolls" ?

URL, plz? kthx (0)

Anonymous Coward | about a year and a half ago | (#43370833)

If there's no downloadable version, it's not LEAKED.

ftp.asus.com.tw (1, Funny)

Anonymous Coward | about a year and a half ago | (#43370953)

"I’ve contacted both the vendor involved and AMI to alert them to the issue. Obviously, I won’t be releasing the name of the vendor, the FTP address, or anything that was seen on the server."

If Adam Caudill won't disclose it then I will.

ftp.asus.com.tw [asus.com.tw] (which is currently down)

Implication to secure boot... (5, Interesting)

philipmather (864521) | about a year and a half ago | (#43370969)

Assuming for a moment that the validity of this key is confirmed independently then any further question about the technical feasibility of using this to sub/pervert a Secure Boot arrangement is moot when you consider the deeper and more practical implication which is that you can't trust a major motherboard vendor to keep a signing key properly secured. Secure Boot is dead, long live security.

Implication to secure end users. (0)

Anonymous Coward | about a year and a half ago | (#43371857)

Considering all the malware, botnet, viruses, spyware, etc, etc, I'm not sure we can claim the end user is any better when it comes to security.

Re:Implication to secure boot... (1)

Sulphur (1548251) | about a year and a half ago | (#43371877)

Assuming for a moment that the validity of this key is confirmed independently then any further question about the technical feasibility of using this to sub/pervert a Secure Boot arrangement is moot when you consider the deeper and more practical implication which is that you can't trust a major motherboard vendor to keep a signing key properly secured.

Secure Boot is dead, long live security.

All hail our Moot Boot overlords.

magnet link (1)

Anonymous Coward | about a year and a half ago | (#43370983)

magnet:?xt=urn:btih:bd8b50ebfc73b4f0ea53bda4f7f6a1861b1eb19c&dn=leaked%5Fbios

Re:magnet link (0)

Anonymous Coward | about a year and a half ago | (#43373205)

You are awesome, thanks for this!

Just sayin... (0)

Anonymous Coward | about a year and a half ago | (#43371093)

Just sayin... if I found that, would have kept it to myself

Ha Ha Ha HA! (0)

Anonymous Coward | about a year and a half ago | (#43371213)

This was no accident, and I can pretty much guarantee that in writing or your private signing key back (IMHO)!!!

Well, secure boot in no longer secure!!!!

What a croc!

CAPTCHA = 'violate' -- I kid not, it really was that!

Two years (2)

ThatsNotPudding (1045640) | about a year and a half ago | (#43371387)

I'm hoping we're about two years away from a real PC motherboard initiative along the lines of Raspberry PI. Wouldn't that be nice? A motherboard that isn't infected with vulnerable OEM black boxes and proprietary BS code and OS lock-in?

More specific details (1)

Anonymous Coward | about a year and a half ago | (#43371431)

Posting as AC for hopefully obvious reasons. I discovered the server while Googling for some obscure AMD datasheets and passed the information off to Mr. Wilson. Not going to provide the exact domain name of the server, but it's operated by Jetway.

In addition to this BIOS code, it contains what appear to be full design files for a few motherboards (Gerbers, schematics, test software) and a number of datasheets (with prominent CONFIDENTIAL watermarks) for chips made by Nvidia, Intel, Atheros, Realtek and others.

Re:More specific details (1)

X0563511 (793323) | about a year and a half ago | (#43371679)

Sounds like a Kevin Mitnick wannabe got his cache discovered...

Re:More specific details (0)

Anonymous Coward | about a year and a half ago | (#43371765)

Cool story bro.

AMI sucks (0)

Anonymous Coward | about a year and a half ago | (#43371653)

Now everyone can see, on actual source level, just how much AMI's firmware sucks.

Custom Firmware? (4, Insightful)

CrimsonKnight13 (1388125) | about a year and a half ago | (#43371759)

Would it be possible that more ambitious/less sinister programmers and/or modders could create a highly customized firmware or BIOS that allowed for more options? I guess I see a positive outcome to any leaked source code rather than the negative weaponry most people imagine.

Re:Custom Firmware? (1)

mrand (147739) | about a year and a half ago | (#43373073)

Possible? Yes. Likely? That's somewhat less clear.

Did it include the build environment also, or just the raw source? Does the source match up with your chipset VERY closely (if not, do you have long road ahead)?

When compiling a Jasper Forest BIOS for example, there is:
1. Source for the Jasper Forest family of CPUs (which is different than the source for all other familes)
2. Source for any BIOS-supported ICs on the system which differ from Intel's reference design (perhaps you have a different super I/O, for example?)
3. A configurator which sets a ton of build options #define's. It has an integrated compiler as well
4. An Intel BIOS packaging tool which adds a few Intel proprietary things

The only one that I would guarantee to be universal is is #1: Different BIOS source for the different families of CPU's.

          Marc

Re:Custom Firmware? (1)

CrimsonKnight13 (1388125) | about a year and a half ago | (#43373137)

I appreciate the insight. I wasn't sure if the source was a generic AMI base or a more specific firmware/BIOS build for a single motherboard.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?