[Semibug] ISAs and the Dawning Hardware Security Revolution

Steve Litt slitt at troubleshooters.com
Tue Jan 2 14:53:03 EST 2024 

Aaron Lopez said on Mon, 1 Jan 2024 23:42:40 +0100

>Hey guys,
>
>I found the following article on the advances in Hardware Security
>quite interesting:
>
>https://www.darkreading.com/endpoint-security/isa-dawning-hardware-security-revolution
>
>Hardware seems to be advancing more and more in aspects that regard
>security (various protections implemented in processor technology
>ecc.) but in honesty I find it all very overwhelming. If you guys know
>of any links or useful information that can help answer questions like
>"What security features should I be looking out for when I purchase
>hardware?" and "Does the operating system I use leverage those
>hardware features?" that would be cool.

Unless you're running a data center with peoples' social security
numbers and credit card numbers, my answer would be "no features". Use
good firewalls. The article said exactly one variant of one BSD version
supports this new hardware. Who wants to be limited to one OS variant?

And then there's the added complexification. Remember before secure
boot and UEFI, when you could boot just about anything on any media?
When you could back up your whole bootloader and partition structure by
dd'ing the first 512 bytes of the disk? When you didn't have to worry
about UEFI shims, and wonder when secure boot will start being
mandatory, limiting your choice of OS version/distro/variant? Before
the days when, if your computer's UEFI had a small bug, writing to that
special VFAT "boot partition" would permanently brick your computer?

Now you buy a new computer, and spend white knuckle hours fooling around
in your bios hoping to set your UEFI just right so you can boot the
various OS'es and media the way you want to.

Just say no to complexification. You don't need that noise.

I'm sure many will debate me saying "but security!". Well, security has
costs, and there are many sources and levels of security risk. If
you've already set up a great LAN to Internet firewall (OpenBSD/pf
anyone?) and firewalls on all your LAN's computers, and you're using
sane computing practices, and you're still not feeling secure enough,
then my suggestion would be that before you complexify your life with
this hardware, do the following:

* Quit using a smart phone.

* Stop using all Wifi, and make sure there are no wifi devices in your
  house.

* Go to every appliance in your house and turn off/disable all its
  TCP/IP, or at least put in a random 50 character password and
  promptly forget it.

* Buy a used car without all the phone-home crap. Many new cars require
  you to sign a privacy policy.

* Quit using Facebook.

* Dumpsterize your smart TV and replace it with a used 10 year old TV.

* Toss your "smart speakers" in the trash.

* Don't use bluetooth.

* Never tell anybody anything you wouldn't want the government, law
  enforcement, enemy governments, or your worst enemy to know.

* Never use your mother's maiden name or your first pet's name as
  security questions. I can probably find out those things with
  an hour's research from my desk, and if not, your facebook
  account or social engineering would make it very easy. Instead
  maintain a list of fanciful answers. For instance, your mother's
  maiden name is "1976 Ford Pinto".

* Encrypt every partition on your computer. Encrypt every backup. Never
  back up to "the cloud."

* I can go on and on, but you get the picture.

If you take care of all of these things and still seek further
security, then you have justification for the added complexity this
hardware brings you.

One of the main reasons I use Unix derived operating systems is
simplicity. The simpler it is, the easier it is for me to configure,
troubleshoot, understand, and write code for. Simplicity is an asset.

SteveT

Steve Litt 

Autumn 2023 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21

More information about the Semibug mailing list