Vorbis made it into a lot of products that were not Apple or MS, from Sandisk to Samsung.

Daala is shaping up to be excellent as well, but its biggest competition may be VPx in the long run... Google announced they would start 18-month release cycles for major VPx codec revisions after 10. That creates a Chrome-like effect on the mindshare of early adopters, so it should be interesting. Of course, who is backing Daala? Mozilla... who may get dragged into release-cycle competition with Google on another product. :)

http://www.nojitter.com/post/2...

That stat about VP9 meeting 60% of Youtube delivery is interesting.

Honestly, I don't think anyone has raised the question with them. They have responded very well to the concerns of Qubes users, developers and other communities. Something tells me they would love to emulate the Apple of the 1970s and supply schematics.

I don't get this part. You're against closed design for motherboards but not for firmware?

The hypocrisy charge doesn't hold. Purism is a tiny startup and they are not going to be able to deliver the whole kit and kaboodle down to the last transistor to you immediately. In the meantime, we can have hardware whose documentation is thorough and therefore FOSS-friendly with no mystery drivers; We can have all open software and firmware on a powerful system if Intel is willing.

Also if an alternative to SecureBoot were offered by a small security firm or FOSS project, how would they get their boot code signed??

I think you mean its better for MS and vendor bank accounts, not ours.

There should be a permanent sh!tlist pinned to the top of Slashdot with any vendor that promotes this scheme for "PCs".

Microsoft's long-time disruptive technology shark in the water was that they promoted a platform that was just open enough to let techies (and 3rd party vendors) on a budget customize the systems however they need. This is the essence of a "personal computer", for the MS camp at least. Now MS has jumped their own shark.

Their tepid claims of being FOSS-friendly are being shown as ultimately false. Like Apple, they still won't incorporate open A/V formats into their products and their OSes will tell you an inserted Linux-formatted volume "must be formatted before use". Heaven forbid if I ever give an EXT3 formatted flash drive to an Android user, and they decide someday to look at it with Windows. They are similarly hostile when it comes to Linux multiboot setups. Its wilful negligence that still reigns in Redmond and must be fought with tooth and nail to gain any concession.

And how necessary for security are these firmware-level lockouts?? They are not! Qubes OS employs a scheme that, in combination with a TPM, prevents a computer from being able to reproduce a chosen passphrase if its been tampered-with. No doubt, the MS excuse will be that the consumer or administrator can't be bothered to remember a sentence to verify system integrity.

I suggest rallying around vendors like this: https://www.crowdsupply.com/pu...
Eventually, we should pressure the market to open up the whole damn stack; We will probably be forced to.

I'm not a developer, but I don't mind being called a fanboy for something like this.

And no, there's no reason why another OS couldn't use a TPM in the same way. Qubes seems to be the only one so far with this interesting feature.

Anti Evil Maid was designed initially for physical attacks, as the name implies. It does eliminate the 'Evil Maid' scenario if its assumed the attacker is unskilled and/or only has time to plug a USB or similar device into the computer. So it greatly reduces the opportunity for successful physical attacks.

For remote attacks against motherboard firmware, AEM ought to work 100% of the time. This is especially true if you have disabled booting from internal drives, in which case your HD firmware could become compromised and still not be able to obtain any unencrypted keys or data.

Qubes R3 will have an unprivileged storage domain which should protect you even if the HD firmware is *already* infected or indeterminate at install time.

The best way to deal with the situation is to run browsers under a hardened type-1 hypervisor that has a tiny attack surface itself. Create an 'untrusted' domain and tool around the Internet to your heart's content, or use disposable VMs that appear for risky temporary tasks and then self-delete.

If we want this rich content in our lives we have to accept the complexity and the risk to some degree. Using an OS built on security by isolation allows us all that complexity, but behind very strong, simple security structures that are built on the best hardware virtualization features. This is probably the only good way to keep private data and core systems from being exploited.

I even have reservations about air-gapping as a 'good' security solution: As the practice stands with PCs now, its too free-form and there are too many complex code layers to think about and work around while sneaker-netting info and code between systems. A USB device that got infected could pretend to be any of hundreds of devices that use dodgy, vulnerable drivers; and that doesn't even touch on the risk from complex file formats or desktop features.

That is not such a big difference, considering most installations are still using OpenSSL (more eyes...).

LibreSSL is still valued for their efforts, but they and most of the IT community waited until a major crisis occurred before taking action. Now that OpenSSL has been in the spotlight and finally received decent funding to do their own reviews and cleanup, I'm not sure where that leaves LibreSSL.

I'm guessing Fedora will have it in about 5-10 days, during which time about three 100MB Libre Office updates will already have been posted to their mirrors.

PS- Hi Timothy! :wave: Slashdot won't let me change my sig...... :D

As someone else mentioned, Kanguru has write protect (and I think a few others -- I have some drives by Imation and RiData that have the switch). But that doesn't necessarily protect you from something like badUSB, which can infect drive firmware.

Kanguru states their drive firmwares are protected with digital signatures. However, that means the firmwares are writeable under certain conditions, and we now know that certain organizations make it their job to steal the private keys of security vendors (you can bet the practice is not limited to SIM cards). In that case, you may be better off with a 'plain' thumb drive that has a non-changeable firmware especially if it has a write-protect switch.

What really, really sucks is that virtually no manufacturers are stepping up to the plate with better hardware designs that can mitigate the problem... and even the OPAL2 spec appears to state that firmware protection is optional. Merely putting write-protect jumpers on the firmware storage chips would prevent most attacks (the remote ones).

An exception to the lack of manufacturer concern may be the new Purism brand that just launched their Librem 15 OSS-friendly laptop. They are interested in putting at least a jumper on the motherboard that can block BIOS changes. They also promise to release an edition of the Librem that allows the user to cut power to wireless, mic and camera.

Another mitigation is Qubes OS, which has an architecture that greatly ups the bar for security and it can detect tampering in the BIOS, kernel, hypervisor, etc.

Qubes OS will detect this type of attack, and in most cases prevent it. It can also protect you against badUSB if you create a USBVM to handle the USB controllers.

Detection comes via the Anti-Evil Maid package, which uses a TPM to measure the system firmware, bootloader, kernel and hypervisor. It optionally can create a USB thumbdrive for booting Qubes in AEM mode. (AEM should *always* detect a compromised base system, but using a thumbdrive can help prevent an attack from succeeding in an 'Evil Maid' scenario.)

Qubes uses Xen, a type 1 bare-metal hypervisor with a miniscule attack surface, and uses that as a chokepoint to regulate ALL system activity (including network and graphics) in a way other OSes do not. Graphics is one of the weaknesses in VM host security that enables 'VM Breakout' escalation attacks. In using VMs for all sensitive functions, remote attacks are highly unlikely to escalate and take over the core system or firmware.

This is a very interesting choice: Great display and extremely high Linux compatibility.

I won't say there is nothing irrational about the marketing of organic food. But organic farming does largely achieve its primary goals: Keeping the soil healthy and lowering pesticide exposure.

As for vegans, they are simply against animal exploitation and cruelty. Its not a scientific issue.

The way that conservatives attempt to pick at the 'irrationality' of others is instructional here. Its really a defense of large, exploitive industries with monopolistic tendencies. OTOH, the manner in which conservatives escape abusive industries is to form communities like the Amish or Christian Scientists, which IMO are worse than the problem.