I started by writing about the relative security of cloud vs. local computing. Then I looked at the security implications of an opaque hardware layer.
Today I came across another nasty problem which lies somewhere in between these topics and is probably more of a realistic security challenge for free (auditable) software users.
Between the ware that is soft and the ware that is hard, lies the ware that is firm. Of course, firmware is not firm in the "not subject to change or revision" sense as with "firm prices". Quite the opposite. Firmware, by design, can be changed relatively easily.
Just thinking about firmware makes hardened computing freedom fighters start to think of homegrown alternatives and, on cue, here’s the libreboot project. Its relative lack of market penetration gives an idea of how serious the problem of proprietary firmware potentially is. But the story just gets worse. The libreboot developers explain that proprietary firmware is not just about boot loading.
The most glaring issue on modern Intel hardware is the Management Engine. This is a separate processor that exists in all [modern] Intel chipsets… The management engine provides remote access capabilities, independently from the running operating system. It has full access to your RAM, and it has full networking support.
Throw in some IPMI or other straight-up "out-of-band control" (i.e. backdoor) and it’s game, set, match. For us (semi-)normal people, we’ll never know if Big Brother is trying to pick our locks, but for some people, there is no doubt. I’m really curious what Edward Snowden is doing about this. Probably using carrier pigeons as defined in RFC 1149, "A Standard for the Transmission of IP Datagrams on Avian Carriers".