So, if the UEFI firmware trusts a Microsoft tool that Microsoft trusted a third-party to make and that isn’t open source, it’s not the firmware provider’s fault?
Isn’t this like saying it’s OK for Boeing to be shit because a subcontractor assembled the plane with poorly investigated used parts?
I wasn’t saying anything about who bears “fault”. My aim with that post (and honestly all the posts I’ve made in this thread) was about understanding the details of the vulnerability well enough for folks to be able to ascertain a) whether they’re affected and b) how to remediate.
About “fault”, I’m not sure I really agree that’s the best way to talk about these things in general unless they did them purposefully. (WEI, for instance, was malicious bullshit. But I don’t have any particular reason to think in this specific situation Microsoft didn’t handle responsible disclosure properly or anything.)
Clearly Microsoft made a boo boo in choosing to trust the vulnerable tools in the first place, but vulnerabilities are inevitable.
I’ll definitely say I don’t consider Microsoft “trustworthy” enough to protect my stuff. If only because Microsoft stuff is bloated and has a huge amount of attack surface. But also because their history makes it clear they’ll perpetrate really shitty things against their users on purpose. The former could only really be addressed by them slimming down their technology stack. The latter by abolishing the profit motive.
And also, in general UEFI is apparently a cluster fuck of poor, buggy implementations. So there’s that.
In all, this one doesn’t strike me as terribly high on the “blameworthy” meter unless you just consider it a symptom of Microsoft being assholes, which is undeniably true.