this post was submitted on 18 Dec 2024
322 points (97.9% liked)

Technology

60113 readers
2949 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
 

TP-link is reportedly being investigated over national security concerns linked to vulnerabilities in its very popular routers.

you are viewing a single comment's thread
view the rest of the comments
[–] tty5@lemmy.world 9 points 1 week ago (2 children)

They (FCC) forced firmwares being signed so nobody can install their own on the off chance it unlocks TX power or frequencies not allowed by FCC.

[–] john89@lemmy.ca 13 points 1 week ago (1 children)

Can't say I've ever seen an example of signed firmware that didn't exist to further exploit the working class.

[–] sugar_in_your_tea@sh.itjust.works 0 points 1 week ago (2 children)

You've never used Linux?

Signed firmware just means you can prove a given key was used to sign something. Most Linux distributions sign their packages so you know one of the trusted keys from the maintainers was used to sign the packages (and yes, this includes firmware), which prevents a man-in-the-middle from modifying packages.

The only problem I have with signed firmware is if there's no way to change the acceptable keys. Signing itself is an important security feature, its only problematic if the user can't upload their own signed packages.

[–] ms_lane@lemmy.world 2 points 1 week ago (1 children)

Requiring signed firmware is just a lock to keep poors out.

It's Never used for consumers benefit, not once, not ever.

[–] sugar_in_your_tea@sh.itjust.works 1 points 1 week ago (1 children)

Signed firmware doesn't cost anything, so I'm not sure what you mean by "keep the poors out." Signed firmware has a very valid use case for preventing supply chain attacks. The only time I have an issue with it if there's no way to make your own signed package or bypass the requirement.

[–] ms_lane@lemmy.world 1 points 1 week ago (1 children)

It costs the ability to flash your own firmware.

The only time I have an issue with it if there's no way to make your own signed package or bypass the requirement.

That's 100% of all signed firmware implementations.

These checks are usually at the application level, so flashing via telnet/SSH still works. It's generally not like TPM where the boot will be blocked if the signature doesn't match, and in many cases, systems with those protections have a way to set your own keys (e.g. like with GrapheneOS on Pixel phones).

[–] john89@lemmy.ca 0 points 1 week ago (1 children)

I don't think you know what firmware is.

[–] sugar_in_your_tea@sh.itjust.works 0 points 1 week ago (1 children)

Maybe you don't. Here's a list of firmware packages in Debian. Signing for router packages follows the same logic as those Debian packages.

[–] john89@lemmy.ca 0 points 1 week ago

I rest my case.

[–] AlexWIWA@lemmy.ml 5 points 1 week ago

They should undo this and just prosecute people who abuse the firmware