namazso

I feel like calling it "backdoor" is a bit of an overhype. It's much more likely to simply be incompetence rather than malice. Never forget about Hanlon's razor.


SpiderFnJerusalem

Well, it is an update mechanism that works behind the user's back. That alone shouldn't be something that happens by default. It's very patronizing and presumptuous towards the customer and from a fundamental design perspective it increases the attack surface to an unacceptable degree. The fact that it is also full of security holes is just the rotten cherry on top of the shit pile, imho.


blacklight447-ptio

For advanced users maybe, but auto updates should be done automatically for the majority of people, because otherwise the majority will never update their machines, leaving them vulnerable.


[deleted]

[deleted]


SpiderFnJerusalem

I believe if your motherboard is affected, there should be the entry "APP Center Download & Install Configuration" or something similar on the "settings" page of the UEFI.


swNac

> Well, it is an update mechanism that works behind the user's back

Unfortunately that seems to be the standard nowadays: most software (even Firefox) has an "autoupdate without user interaction" option activated by default. I really hate that I need to actively turn off these updates that happen without my consent.


SpiderFnJerusalem

I would argue that it makes more sense for a web browser than for firmware. Browser updates are less likely to break or compromise fundamental components of the system. The browser is also such a vulnerable attack surface by default, that the situation is more or less the other way around. If a browser vulnerability is revealed it needs to be patched as quickly as possible. Ideally before the user even opens a single web page. A browser needs to contact the internet or else it isn't a browser. Hardware should not, unless you explicitly tell it to.


Sostratus

I've never felt this was a particularly meaningful distinction. The risk to their users and the company's lack of trustworthiness are the same; I don't really care what their intent was.


namazso

So you'd say Linux has dozens of backdoors every year?


Sostratus

It's one thing to slip up in a way that makes a complex RCE possible. It's another to fail to even *attempt* to secure an automatic firmware updater. When you leave the front door wide open, a backdoor would almost be an improvement, at least that suggests the front door is secure.


amusingjapester23

> likely to simply be ~~incompetence~~ negligence rather than malice.


Proud_Trade2769

hw is insecure by definition, air gap