Re: [Tails-dev] Documentation about BIOS and firmware attack…

Delete this message

Reply to this message
Autore: syster
Data:  
To: tails-dev
Oggetto: Re: [Tails-dev] Documentation about BIOS and firmware attacks
Hello :-)

> Being a nice market, it is costly, hard to setup, and hard to find,
> especially 100% blob free hardware. I am not sure more than a few
> percents of the Tails audience would do the switch.



If a user has this information, they might consider switching to
libre/coreboot once their current labtop breaks, or for similar reason.



> Therefore I don't think it would qualify as an actionable input/advice,
> and so how relevant it would be to add it. Giving unactionable security
> advises is a bad practice



Personally speaking, I would feel more comfortable if I read that I can
have the power if I need to mitigate that issue, rather then hoping all
will go well. Obviously it makes sense to explain that this is extremely
unlikely to be needed. It would also create more comfort to myself, if I
read that the developers of the OS I need to trust in, also thought
about how to mitigate such a rare attack.


(btw: beside that I really like the new warning docs)


On 6/27/21 10:05 PM, geb wrote:
> Hello,
>
> syster via Tails-dev:
>> I've just been reading through the new /doc/about/warnings/.
>>
>> It includes "No operating system can protect against BIOS and firmware
>> attacks" and explains why that is, followed by a suggestion how to
>> reduce that issue.
>>
>> What I'm missing is a hint to use Libre/Coreboot as an option to prevent
>> some of such attacks. (at least that is my assumption)
>>
>> https://tails.boum.org/doc/about/warnings/
>
> I am not sure how relevant it would be here : libreboot/coreboot
> computers is mostly a niche market, in general and especially if you
> consider the few models that can run 100% without firmware.
>
> Being a nice market, it is costly, hard to setup, and hard to find,
> especially 100% blob free hardware. I am not sure more than a few
> percents of the Tails audience would do the switch.
>
> Therefore I don't think it would qualify as an actionable input/advice,
> and so how relevant it would be to add it. Giving unactionable security
> advises is a bad practice: If users an unable to do anything based on
> it, except noting there are solutions which are not available to them,
> it make just them feel less safe, powerless, and thus sad... :/
>
> (I found the page being great regarding this last problem btw: it warns
> the users, but immediately after, slow down and either mentions
> solutions if actionable ones exist, either remind them there are
> unlikely to encounter those attacks in real life, and should not worry
> to much (which is nicer, but also true) :-) )
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@???
> https://www.autistici.org/mailman/listinfo/tails-dev
> To unsubscribe from this list, send an empty email to Tails-dev-unsubscribe@???.
>