You guys are being either way too paranoid or way under-paranoid.

Why would the NSA bother sticking backdoors in easily reverse engineered (and bypassed) firmware files when they could just as easily stick a few extra hidden transistors in the hardware to accomplish the same thing? Unless you are able to get the design specs from NVidia and personally go through billions of transistors, you have no way of knowing what's there.

And in fact, it was recently shown that people in a factory could make their own hidden additions to a cpu without the parent company even being involved in the matter. Meaning unless you hired a trusted guard to watch that hardware from start to finish, you still can't know for sure - and that's assuming the government can't order the guard to look the other way.

You are talking about this?


Every backdoor is double edged sword in case of non-removable HW backdoor it would leave NSA computers vulnerable. Worth mentioning is fact that nothing is manufactured in USA anymore just look at your Intel CPU

I thought they built a plant in Arizona for Haswell?

Or is that for their 14nm chips?

I was referring to this: http://arstechnica.com/security/2013...y-bridge-cpus/

It's only proof-of-concept (that we know of), but undetectable even by Intel. And if some researchers can do it, then you'd have to assume the NSA has at least considered the idea as well.

And Intel does have chip plants inside the US. They don't really require that much manual labor. AMD/GlobalFoundries also has plants across the western world.

Also, the weaknesses that the NSA has tried to introduce into crypto specs and the internet also affect the US as much as any opponents, and that hasn't seemed to stop them so far from what's come out. That's one of the major criticisms about it, in fact.

My main point isn't that the NSA is actually doing this - they probably aren't. But if you are paranoid enough to think that you need open source drivers and firmware to stop the NSA, then you really need to go full bore and look at the hardware too. Even if you could validate all the software, that would just push the NSA to move into hardware if they aren't there yet.

Following up some recent rumors, it seems the only reason for Nvidia to go open(to some degree) is that SteamOS will ship with Nouveau by default. The blob will be downloaded as an update. And Nvidia wants Steambox really bad, having lost all other consoles to AMD.

that's a quite absurd argumentation.

1. you do not need to be paranoid at all to think about oos to stop nsa from spying as it already happend that they do corrupt various softwares. that's not paranoid that's an already happening and proved scenario. on the other side, such hardware manipulation like you describe is not yet documented to have been happened in such a massive way.

2. what is that for an argumentation to say: "don't waste your time with securing software if you do not look at hardware too". for now yuo will most likely be save if you secure your softare and using standard pc components for hardware. the software issue is a known fact whuile the hardware issue is for now only a proof of concept.

probably, but that does not make it less important to secure the software first.

#johnc

Every one of my CPUs has Made in Malaysia written on it so they might manufacture chips in US but it doesnt mean they cannot be altered in Malay assembly.

#smitty3268
1 Nvidia driver has questionable approach to security as was shown by Nouveau devs so they dont need to even bother with altering something theyll just force NVIDIA to give them access to source and they'll built something like Stuxnet
2 That attack sabotaged hardware RNG which affects only SW which entirely depends relies on it or???
3 vPro approach looks much more feasible IMO. They just have to force Intel to give them certificates and apart from Intel ,NSA and whoever hacks NSA nobody can compromise you. Assuming vPro implementation is bulletproof
4 So which CPUs/GPUs has fully open firmware if its so easy to by-pass / reverse engineer?
5 Most people are assuming: Proprietary = can contain backdoors. Open source = verifiable, hard to pass backdoor there. So how can you fault them for not wanting proprietary SW when you yourself said that NSA isnt likely doing this
6 Nobody here has access to intel chip designs and even if they somehow acquired Intel designs they wouldnt know how to check it for backdoors

The hardware in a GPU has the same access as the firmware, yes. But only one of those is updatable.

If I use a GPU for X years, do you think that a root exploit for X years old program will still work on the current version of it?

If they do that then it's a feather in their cap...also allowing them to work on Nouveau. This is a great move by NVIDIA and then Linus can hopefully give his bird finger a rest

I think you overestimate the difficulty of creating such a system. If you consider that firmware preloaded on hardware is okay (as Stallman & the FSF do), then a motherboard is not a problem. X86 CPUs run ok without loading runtime firmware. Atheros ath5k does not require runtime firmware. AMD GPU, at least some of them, do not require firmware. I know all of this because I recently loaded Debian on a laptop, did not enable the non-free repository, and was pleasantly surprised that everything still worked.