Channel: Hacker News

AMD to consider coreboot/Libreboot support for Ryzen


AMD, if you do that, I will buy it. Full stop.

edit: Thanks stranger! I'm glad to see I'm capturing the general sentiment. I don't have any (?other) social media accounts, so please share that with AMD if you agree!

I'll switch all my hardware to AMD, no joke.

when I finally build my first gaming PC I'm definitely going full AMD. fuck nvidia

Wish I knew more about their sleaziness before I built mine

What is the issue with nvidia? I previously had an AMD but the laptop was very old, and upgraded to an nvidia back in November

Good to see series like Total War affiliated with AMD, I'll look into only going AMD in future depending on replies

They deliberately sabotage using their consumer cards in a VM. When the driver detects it's running in a VM, it outputs "error 43" and stops working. (I think KVM can hide itself to bypass the current checks, but who knows if that will work with later drivers)

Since I'd like to delegate Windows and Games to an untrusted VM, this means I'll get AMD for my next GPU.

That is absolutely, incredibly ridiculous

Do not appreciate being artificially constrained

To clarify, you can get the driver just fine without logging on. Logging on is required for the GeForce Experience app, which does stuff like keep your drivers up to date, allow you to configure overlays and recording, automatic settings optimization for games on your hardware etc. But the login requirements are fucking bullshit, and it has soured me on nVidia somewhat.

They trick game developers into using libraries for some effects (notably awesome hair) which, for some reason, run extremely slow with AMD hardware.

Actually, the reason is known: Deliberately feeding the GPU complexity several times beyond what's visible in practice, which AMD GPUs of the era weren't good at handling (it's invisible, after all).

AMD responded by releasing equivalent libraries that work well across GPU vendors, as open source, and promoting them. Kudos to AMD.

What libraries are we talking about?

Hairworks.

Witcher 3 is a great example

What other examples are there?

also PhysX afaik

Yeah IIRC PhysX runs on the GPU only if you have an NVIDIA GPU, otherwise it just runs on the CPU

This video is a great summary of several of the elements:

https://m.youtube.com/watch?v=ZcF36_qMd8M

And it was a big part of why I just bought an RX 480 instead of a GeForce.

Yes, same for me. Pls AMD do it

For real. I'm going to be building within the next 12-18 months and I'd go full AMD

I do. I avoid Intel/nVidia whenever I can find equipment that fits my need at AMD.

I do it consistently since they opened their documentation and supported open source drivers. Had I needed a new machine before Zen, I'd seriously consider and probably go for FX-8350.

I've been buying team red for about 2 years now, ever since the AMDGPU project started gaining momentum.

Coreboot compatibility isn't going to make or break my support, but it's really nice to see AMD taking an open source friendly stance across their products.

I wasn't gonna upgrade my cpu anytime soon but I will purchase a Ryzen 1800x immediately if they do this. DO IT AMD.

This. Same reason I won't consider nvidia at all, even if their perf/$ might be better.
Please AMD!

This and sriov on (consumer) GPUs - next build for me may come sooner than later. AMD being cool does pose a risk to my wallet. Yes please!

Do you know what supports sriov? I am also interested in AMD hardware especially for virtualization. I am currently limited to running one accelerated VM at a time, but I would like to carve up my Fury and at least do two.

Either way, I'm hoping the new boards have good IOMMU groups, and that I can stop building custom kernels to keep my VM alive.

This is precisely what I want as well, you also get the most out of the multiple cores in such systems

AMD offers (or will offer soon, no idea about availability) FirePro cards that support sriov: http://www.amd.com/en-us/solutions/professional/virtualization

My hope (and there were some rumors around internets somewhere) is that new Vega cards will have this as well. I hope they just dump this functionality into consumer cards and let us have it. Naturally there would be no support, but I hope there will be no purposeful locking out either like nvidia is trying to do. Then when KVM/qemu start supporting these MxGPU cards I am hopeful consumer cards could take advantage of that as well. Lots of hopes.

+1

If you do that, I will buy it, make my family buy it, and recommend it to all my friends.

+1. I will build a new PC just to send a message. Fuck Intel.

I'm waiting for laptops with Ryzen - since I run Linux, having CoreBoot as well definitely would make sense.

I just decided against buying a new computer for now.

AMD, if you're reading this: you can change this decision. And should you do that, it won't be an i7 I'll be buying.

Let's just hope they realize what a huge fucking win this would be.

If they do it, Intel has to answer by doing it as well... They can no longer afford not to, as that would make AMD the only game in town for security critical applications and the security conscious crowd in general.... Which means big bucks!

Get hyped!

If they do it, Intel has to answer by doing it as well... They can no longer afford not to,

Let's be real. They can afford to make plenty of mistakes. Let's hope they learn fast.

AMD wouldn't be the only game for auditable security applications, but they would be the only one with bleeding-edge tech. While important for researchers, developers, and mission-critical applications, it barely scratches the surface of computing.

Well, yes. But they will have to adopt it sooner or later.

AMD wouldn't be the only game for auditable security applications, but they would be the only one with bleeding-edge tech.

AFAIK, the other two players would be Power, which awesome as it may be will cost you the soul of your first begotten son, and 10 year old Intel hardware.

So even though this might not be the only game in town, it's the only game in town for general purpose and budget conscious departments that are aware of and troubled by the implications of having a black box running unauditable code on ring -1, but might have not been able to do anything about it, either due to lack of funds and incompatibility (Windows doesn't run on Power), or running their stack on 10 year old HW not being an option.

While important for researchers, developers, and mission-critical applications, it barely scratches the surface of computing.

You know, I have a feeling that this is about to change. Cyber is one market that I have no doubt in my mind will explode any day now, specially in the current climate of general mistrust between nation states, and all the allegations floating around about Russia's meddling in the US election...

That sort of news generates a lot of buzz. All it takes is for a few guys with deep pockets to take notice and get the ball rolling, setting the trend, which quickly snowballs into a concern many business type people never knew they had, and into the public spotlight.

It's a fucking goldmine. It's one of those things that "nobody knew they wanted, until they had it".

Buy whatever stock you think it's gonna make a killing.

I dunno. I have a Parallella board, and I'd imagine Raspberry Pi isn't exactly beefy enough to have a TPM. RISC-V is heading there, too. It's not impossible, but it's definitely not 95+% of the computing market.

It's a fucking goldmine.

True, but there is also money to be made in selling customers as a product. And governments would pay a pretty penny to have near-undetectable remote access into any arbitrary target they want to monitor or manipulate. I wouldn't even imagine it being common to use the ability, but it would be worth a lot just to have it.

I have to agree that it would be a pretty sweet business move from AMD.

Holy shit, if this is true that would make me a loyal amd buyer. This is a big step for security. I hope this comes true.

Same here. I've been dreading/avoiding buying a new laptop for this reason alone.

If any CPU without these odious "management extensions" were available and it were merely sufficient to my needs - it would win my purchase every time.

The majority of ARM CPUs don't have them. Some do, of course, but many have no startup code at all other than u-boot.

Don't most devices actually using those arm chips require extensive binary blobs to actually run the other parts of the system though?

Yep. Booting might be free, but good luck finding open source GPU drivers.

I was under the impression that most actually have a small (hundreds of bytes) mask rom used to load u-boot from something external.

AMD's desktop construction core products don't (eg FX8350).

Interesting. So a solution is already available. Why are those CPUs not mentioned more often in discussions like this?

Even Snowden tweeted about that, nice

Here are the Snowden tweets for reference.

@Snowden 10:24 AM - 2 Mar 2017: Good moment for @AMD to open-source their PSP & firmware. In the next cycles, many will discuss replacing @intel.

@Snowden 10:30 AM - 2 Mar 2017: This is a low-cost, low-risk opportunity for @AMD to distinguish themselves from @intel on an on-going basis. It's a shame to miss it.

Uh, not exactly. Here's the response to that question:

Thanks for the inquiry. Currently we do not have plans to release source code but you make a good argument for reasons to do so. We will evaluate and find a way to work with security vendors and the community to everyone's benefit.

That's a very non-committal corporate PR response. The "work with security vendors and the community to everyone's benefit" part can be interpreted in a ton of different ways, especially if "everyone" includes state governments, AMD corporate customers, etc.

While I would like to see this happen, you can bet that we're not getting the full story as to why the PSP was introduced.

In case you did not see, need to go down a little to see follow-up.

I will bring this to the attention of the product team for serious consideration, so please feel like you have been heard even if we were not able to give you an easy 'yes' right away.

Still, it is not a commitment but at least they said they will seriously consider it.

That's as close as corporate PR responses can get to "we're sincerely going to consider it", I think.

As they said in the post, as a publicly traded company they cannot announce new projects on reddit. They must do a press release of sorts to ensure all their investors are aware.

Yeah, not really. Something like that would likely be okay to announce without filing with the SEC. It can be seen as normal operating procedure, and is not something that would directly impact stock value, like a major acquisition or a merger with another company.

That said, I hope they follow through.

(Disclaimer: I am not a lawyer. If you are in this situation, go ask your legal department.)

If they really were never considering it they wouldn't mention consideration, PR should know the dangers of a backlash at a perceived false promise.

Considering it does not guarantee the desired outcome. It could literally be a 5 minute meeting where they determine 'nope'.

It could literally be a 5 minute meeting where they determine 'nope'.

AMD answers FOSS advocates prayers.

"No" says AMD.

of course it doesn't but it's better than nothing

Considering is not a promise.

perceived

I don't think they will worry about such perceptions. It's normal for PR events to have comments like "we'll think about it", and it does not mean anything final.

I'm not sure if he hasn't been briefed on the PSP's purpose (it's a surveillance device, placed in every AMD CPU because some alphabet soup agency said so), or if he's merely giving the rest of us a little lip service in hopes we'll forget about it, but there's not a snowball's chance in hell of the PSP ever being opened or made optional.

That's the initial response, yes. And people made the same point you did. After that - and after seeing how many people were interested - he said something a bit more substantial.

I will bring this to the attention of the product team for serious consideration.

That, rather than his first comment, is what has people more excited.

He also posted about it on Twitter, and it looks like Edward Snowden may have seen it too

https://twitter.com/cavemanjim/status/837459160392470528

This AMA question could not have possibly gone better (unless they flat out said OK and pasted the source into the AMA lol)

unless they flat out said OK and pasted the source into the AMA lol

That would be a pretty hilarious way to announce they were open sourcing it. Schedule an AMA, wait for the inevitable (if not inevitably upvoted) question about it, reply "OK, here's the source: ...", end AMA.

Funny but did you read the AMA? Didn't it say they can't announce anything new because of shareholders? Wouldn't releasing source code violate that or was the rule for future products?

Yes.

They could simultaneously do a press release but as funny as that would be 1) it's probably longer than a Reddit comment is allowed 2) as a company like that it would be out of taste as much as I might want them to.

They could announce it on their website during the ama and then a second later post the source in a comment.

Well, they shouldn't be. I'm not sure if this James guy hasn't been briefed on the PSP's purpose (it's a surveillance device, placed in every AMD CPU because some alphabet soup agency said so), or if he's merely giving the rest of us a little lip service in hopes we'll forget about it, but there's not a snowball's chance in hell of the PSP ever being opened or made optional.

RemindMe! 365 days

Would be nice, though, wouldn't it.

I'm pretty sure that they don't own all of the IP present in the PSP code.

I'm pretty sure that would not be the only reason preventing them from releasing the source code for it.

Even if we have to reverse engineer it from scratch, that's fine as long as there are ways to inject user signing keys so that we can meaningfully run and test our own code. Genode, for example, has already been proven to work inside an ARM TrustZone context, so we could have a full user-controlled OS in there.

That doesn't resolve the security issue of a potential backdoor. With the full code, you can verify that you're running what they say, with no hidden extras.

Obviously hardware backdoors would still be an issue, but as-is these management engines are hardware backdoors.

If they provide hardware documentation and a way to inject signing keys, then it doesn't matter what's in their binary since we can make our own to replace it entirely.

Are you volunteering to write this replacement (hundreds of thousands of lines of professional firmware code)? If AMD releases the source code, it saves us from that huge burden. It's ridiculous for the open source community having to duplicate things anyway. It's about inventing the same wheel again.

The only thing I'd want to replace it with is a no-op.

Just an UEFI setting to disable PSP would suffice in that case.

Being that the PSP appears to be a surveillance device, such a setting would likely be pure placebo. So long as the PSP is present and electrically active, it is a security threat.

Being that the PSP appears to be a surveillance device, such a setting would likely be pure placebo.

Now that's just complete FUD. There's a huge difference between mistrust of a closed, proprietary black box, and accusing AMD of outright spying on customers. Has there ever been any evidence at all to suggest that PSP is actively being used for surveillance?

My understanding is that mistrust of Intel ME and AMD PSP stems purely from an inability to verify the code running on it and thus to verify that there are no security vulnerabilities, verify that remote management is disabled, etc. and that there's never been any significant evidence of an immediate vulnerability or surveillance. The same reason people don't trust any closed devices (EDIT: Or code in general). Is that incorrect?

Obviously hardware backdoors would still be an issue, but as-is these management engines are hardware backdoors.

You could have a hardware backdoor anywhere in the CPU: not just in the management engine. The reason hardware backdoors are considered less of a risk is because they cannot be updated.

So, where is the line between software and hardware? Is microcode okay?

We're only going to have truly free machines when the hardware is liberated.

I'll take a liberated management engine/PSP in the meantime and as a critical first step..

Microcode is considered a non-ISA blob and since it's updateable, it's considered software.

I agree with you that we need fully free hardware.

I just found this relevant article by RMS, that you might enjoy: https://www.gnu.org/philosophy/free-hardware-designs.en.html

I wonder if this would lead to a situation where the community celebrates for the source code for a while, but then goes back to tinfoil mode ranting that it's all useless because AMD CPUs are full of backdoors on silicon anyway.

FOLKS don't just post here! Take it to Twitter, their Forums and the others! Posting here, AMD WILL NOT SEE IT. Make it PUBLIC and say your bit!

Adding official Coreboot support would be simply incredible.

I've tweeted at AMD about it, but I'll see what else I can do.

It really would fit in quite well with the current direction of the company, with projects like AMDGPU, Vulkan, and GPUOpen having major impacts on the market.

Very positive message. Well stated.

AMD used to release the AEGIS code base in the past for coreboot, IIRC.

AGESA

In case someone is interested.

I'd be super up for Libreboot support. I'll probably be upgrading my CPU (and also my Mobo) relatively soon, and I'd definitely go AMD if it meant I could run an entirely FOSS system. Hopefully they'll also make their GPU firmware FOSS at some point too.

Just messaged them. If AMD supports LibreBoot, I'll support AMD.

i hope we will see some new amd laptops

From AMD's contact page:

"AMD believes that what a company stands for is as important as what it produces."

Let's start standing for trust. Real trust.

And blow the lid off whatever alphabet agency backdoor code is in there? Fat chance.

The alphabet soup is usually added long after the device has shipped. I am not aware of any provable cases of government backdoors having been found from original firmware code.

The alphabet soup is usually added long after the device has shipped.

Why? What would make you think they haven't paid and/or strong-armed AMD into adding this obviously-malicious piece of hardware?

I am not aware of any provable cases of government backdoors

I can't think of any other reason for the PSP to be mandatory (i.e. few or no CPU models don't have one) and completely inscrutable. Can you?

having been found from original firmware code.

That's only relevant if the code has been fully reverse engineered and thoroughly audited. Has it?

What would make you think they haven't paid and/or strong-armed AMD into adding this obviously-malicious piece of hardware?

AMD has contracts with high-profile customers that set very strict guidelines regarding confidential data protection. Do you think that companies like Lockheed Martin will order any AMD products if these things are not absolutely clear? If anything sneaky is found by the customer, AMD loses a lucrative contract, with possibly a lawsuit following, and there will be a bunch of really bad publicity after that.

NSA has added their own surveillance mods to devices afterwards, they snoop on Internet traffic, and so on. We have plenty of proof on those. However, it does not happen so that NSA walks via the door into a company and says "hey guys, lets add some backdoorz!". It does not work like that, and there is no proof to support that either.

AMD has contracts with high-profile customers that set very strict guidelines regarding confidential data protection. Do you think that companies like Lockheed Martin will order any AMD products if these things are not absolutely clear?

Seeing as those companies are BFFs with the alphabet soup, I'm not seeing the problem.

If anything sneaky is found by the customer, AMD loses a lucrative contract

AMD loses a lucrative contract to who? Intel? Intel does the same thing.

and there will be a bunch of really bad publicity after that.

No there won't. Almost no one cares about hardware backdoors. They all think they have nothing to hide.

However, it does not happen so that NSA walks via the door into a company and says "hey guys, lets add some backdoorz!". It does not work like that

I imagine it works more along the lines of “we will plant child porn on your home computer and have you jailed for a very long time unless you do exactly as we tell you.”

there is no proof to support that either.

Again, I don't know of any other reason for the PSP to be present in consumer equipment. Given its uselessness, inscrutability, and ability to covertly observe and/or control the rest of the CPU, I require affirmative proof that it is not a backdoor. It certainly smells of one.

I'm not saying that what you are saying is completely impossible, but there just is no proper proof.

Snowden has documented NSA surveillance, so we have clear proof on that, but I have not heard anyone exposing a case where an OEM would have designed a backdoor in a shipping product with cooperation of NSA. I assume there would have been some whistleblower at this point, or just some random guy analyzing machine language firmware of a device and finding something sneaky. Once again, all the NSA backdoors that I am aware of, have been added after the device has shipped from the OEM.

It's just delusional to think that NSA can just walk into big companies and arrange a backdoor party. There would be many manufacturers that would just say "what the hell is this garbage, fuck off". It's not good for their business. Eventually some big executive would explode in anger and craft a news report uncovering how NSA tries to constantly taint the security of their products.

You clearly underestimate how scary some 3-letter agencies can be. Also, your Lockheed Martin example was pretty good. Defense contractors already have to tell the US government pretty much everything, and it takes a lot of time and money to present this information in the required format. They aren't very concerned about US government spying. At my company, it's the Chinese government you have to worry about (we're pretty big in the aerospace/defense industry)

At my company, it's the Chinese government you have to worry about (we're pretty big in the aerospace/defense industry)

What's your opinion, can we trust code coming from China or Taiwan? Most system firmware and embedded controller code is written over there.

In my opinion, yes for most cases. But for a company with trade secrets that the Chinese or Russian government would be very interested in, no.

I work in the security space too, and while we don't do anything that interesting to those countries, we still have relatively strict requirements for things, as in no non-citizen can have direct access to anything sold to military customers. It makes hiring and manufacturing a little more difficult, but not completely unreasonable.

We already have to abide by export restrictions (some of our projects can't be sold outside the US, though most of the rest can be sold to Russia). If we were in weapons (like Lockheed Martin), I'm sure the rules would be far more strict.

Do you think that companies like Lockheed Martin will order any AMD products if these things are not absolutely clear?

I think they would probably end up paying extra for a signing key on serial numbers they ordered to modify or disable it. I mean, I can only hope and pray they wipe the stock SoC somehow and don't blindly trust intel/amd to store the signing keys to the platform manager securely.

And blow the lid off whatever alphabet agency backdoor code is in there

I had to read this comment and the follow up comment twice before realizing you guys were not talking about Google.

Nice branding there.

Contacted them, and hopefully it will make a difference. I would definitely switch to AMD if they made such an effort to support openness.

I will bring this to the attention of the IP present in the PSP code.

I will switch to amd as fast as possible if they do this.

Can I ask what the differences are between core and libreboot?

Libreboot removes all the proprietary blobs from coreboot. I'm not sure how viable libreboot is with the recent drama, though.

watchu talk'n bout?

The lead dev chucked a spaz and called the FSF a bunch of horrible people.

watchu talk'n bout?

Libreboot mainly being run by a drama-seeking SJW with little to no technical competency. And she telling "FSF to go fuck itself" over completely unproved allegations (from herself, "on behalf" of someone else, unasked, and who denies it). Stuff like that. It's not something which instils confidence in the longevity and stability of a project.

If I were in the market for anything like this, seeing as Libreboot is just a rebranded/deblobbed version of Coreboot, I'd say going for Coreboot sounds like a much more viable and stable option.

Coreboot uses some binary blobs to get hardware running, where Libreboot does not.

libreboot is free software packaging of early boot software, including a version of coreboot without the binary blobs. From the official website:

Libreboot's main upstream providers are coreboot (which we deblob, for hardware initialization), depthcharge (bootloader, and default libreboot payload on ARM), and GRUB (bootloader, and default libreboot payload on x86). We also integrate flashrom (for installing libreboot), and several of our own utilities, scripts and configuration files. All of this is integrated into a single, coherent package that is easy to use. We add our own patches to the various upstreams used, and where feasible try to merge upstream as much as possible.

I believe one uses binary blobs where necessary and the other is full open source.

Yes, you can.

But you already know that, as you already did... :)

I pledge to buy a new gaming laptop with an AMD chip for my Linux Software based GPU

Please AMD, open up the source code for your PSP!!

There's also a message in the AMA where it is suggested to AMD that releasing the specs of binary ABI would be enough. What do you think about this option?

Please AMD, do it.

I have never bought a PC for myself, but AMD, if you do this, I will go out and build one. Hell, I'll even use an AMD graphics card for good measure!

That is massive stuff for creating a healthy hardware environment. I've been an AMD CPU user for 15 years now. And watching their cool open source efforts makes it worth it.

Let's just hope they learn fast.

Completely serious, if Coreboot support is present I will buy a high end Ryzen for my new gaming rig, later this year.

I've just called the AMD offices in Milan, Italy. The person I spoke to didn't know reddit or PSP, but they did give me the email address of their local Business Developer, which I wrote to a minute ago.

Just a reminder to everybody, a call is stronger than a personal email, and an email is stronger than a message on reddit. Let's do this!

Ryzen is a prime example of optimizing a product to target the largest common denominator. Assuming everyone at AMD has been heavily focused on optimizing parameters of their product to suit the largest target market at the smallest cost (both during the development and transition into marketing of Ryzen), I hope this little request for Libreboot support isn't eighty-sixed as marginal gains.

Libreboot is less about marginal gains and more of an investment into the future of freedom in computing.

While it is possible for sustained success with little regard for digital freedoms (a marginal concern), and profit incentives seem to oppose investment in digital rights (an unpopular, or more correctly, a lesser known factor), keep in mind that an element of a working business model may yet to be properly exploited in practice.

Just another parameter to consider.

I would also like non-shitty graphics drivers. I bought a $300 card in mid-2014, still shite support. I hate nvidia the company, wanted to vote with my dollar, but my next card won't be an AMD if the drivers continue to suck. The open source driver can't even play some mp4 videos properly on my fairly vanilla setup.

Why would you even need a GPU to decode MP4?

Meh. The open source drivers caused the videos (a good 5% of my movies) to be displayed improperly. The catalyst ones worked fine. I don't know why. But the catalyst driver still falls flat on its face in many cases today.

Did you open a bug report? AMD OSS Driver team seems extremely responsive.

Good idea. I'll upgrade to the latest and try it again some day.

I'm a bot, bleep, bloop. Someone has linked to this thread from another place on reddit:

If you follow any of the above links, please respect the rules of reddit and don't vote in the other threads.(Info/Contact)

I am in!

Since this reached /r/all can someone put a simple ELI5? I'm a programmer and have no idea what this is about.

Basically, this is about the hardware-level stuff. The code that talks directly to motherboards. Libreboot and coreboot are projects to get open source code running right from the moment an electron touches the metal, instead of proprietary firmware (the code running your hardware at that super low level) running the show.

The chunk of code that AMD is considering open sourcing would allow libreboot/coreboot to support a whole bunch of motherboards.

It would be a nice move

+1, buying AMD only if this becomes a thing

This would be great, do want!

YES, please!

I got an FX-8370E this last year because it didn't have the PSP. I really hope that they release the source code (or at least drop it from Ryzen consumer CPUs)

If AMD supports libreboot, I'll replace my Intel with a Ryzen immediately

No demand here. I'm ignorant of PSP and coreboot.

If they do this, next computers me and people close to me buy will have AMD processors, for sure.

if so, I'll switch to AMD for the foreseeable future.

Wouldn't releasing the source code be a security risk?

I have no tech knowledge of these things, so if someone could ELI5 why this is a noob question that'd be great.

Basically the big security risk is that it's closed source, essentially a black box. The PSP has all the functionality of a 100% transparent lowest-level-possible always running backdoor, and since you can't even boot without it our only option is to take the developer's word for it that there's nothing nefarious going on inside. Opening the source will make it possible to audit for such nefarious functionalities, and (arguably more importantly) replaceable with tried-and-true trusted alternatives.

It does seem counterintuitive but the best security comes from putting code out in the open for anyone to verify, rather than keeping it hidden and waiting for centralized developers to react to vulnerabilities (or worse, make vulnerabilities a feature). That's what it means when you hear people say security through obscurity isn't very secure at all.

Security through obscurity isn't supposed to be the end-all-be-all of it. It's only supposed to be one part. For example, if I open up port 22 on my computer with sshd running to the internet, I get a lot of annoying, random login attempts. If I move sshd to some other random port, those login attempts vanish.

With source code, you actually want as many eyes as possible on it. This way, you test how secure the code is and patch the holes (that people will find and exploit).

That's true. I should have clarified that relying solely on obscurity isn't secure, for instance an unencrypted connection running through a random port.

That doesn't resolve the security issue of a backlash at a perceived false promise.

It's about inventing the same point you did.

