That's assuming they don't contain a "Do not admit to having received this gagging order" clause
Which ironically would have been much more "On topic"
NimbUx wrote: ↑Fri Feb 21, 2020 10:39 am
Hello ! Unless it be disallowed to discuss such matters, I'd like to learn more about what is - and what is not - inside the proprietary, non-open, blocks of firm/software embarked in the RPI4 SoC. Questions such as :
° What level of access our great Engineers at RPF/RPT have to that material (under NDA, I imagine) : full view of the sources ? On demand, on a "need to know" only ?
° To the best of their knowledge, can the RaspberryPi team declare that there is no intentional "backdoor" included in the closed-ware, for (legal or otherwise) interception by the Powers-that-be ? If they cannot make such a statement, could they say why they cannot (f/example: not enough access / gag order...)
° If - as is hopefully the case - it can be asserted that no "spying" device is hidden in the firmware/closed software at the moment, could some kind of "warning canary" be set up and regularly renewed on the Foundation's website to signal that, at the moment, no "backdoor" is known or suspected to exist and no "gag order" has been received ?
Thank you. Please no pointless comments on this question being "paranoid" - just ignore me if you think it is :=)
Sincere apologies if it was so. I swear I did attempt to search before posting, but obviously wasn't successful.
understood...
Yes, we have access to all the GPU firmware source - in fact it's been much modified by us. We would not be able to do the work required without full access to it.
Sweet !
There are no backdoors in the GPU firmware.
We've never been approached to add anything like a backdoor AFAIK, and never had any 'gag' orders
Not so sweet...
Note, I am discussing the GPU firmware. There is also firmware on the Wireless chip (Cypress) and the VLI USB hub chip. We do NOT have access to the source code of those, so cannot comment on them in this regard.
A reference to caged birds that were used by coal miners as living indicators, early warning against asphyxiating and/or inflammable gas emanations. In online sites, a Canary is a conspicuous, dated, signed and oft renewed affirmation that the security has not been breached at the date of last posting, and that the posting itself shall be removed if ever the affirmation came to be no more trustable. (I know my English is terrible, but still hope one gets the idea...).
And I have no idea what you mean by canaries.
And the proposition here is for the mine owner to put a canary in a cage at the entrance of the pit. Makes excellent sense, especially if next you want to question the allegiances of the poor creature ...
Thanks - someone who understood what my question about canaries actually meant (I am perfectly familiar with the historical use of canaries in coal mines)
Heater wrote: ↑Fri Feb 21, 2020 12:33 pm
The term "canaries" does indeed date back to the time of miners taking birds underground to detect toxic/explosive gasses. Before Humphry Davy invented his famous Davy Lamp which did the job much better: https://en.wikipedia.org/wiki/Davy_lamp
In recent times the term has been applied to a rather different situation:
Social media and other companies, in fact anyone, in the USA have to provide details of their internet service users to the government when it is requested. They can be required to install "back doors" to enable the government to spy on people.
At the same time they are not allowed to say that they have received such requests.
Enter the idea of the "canary". Such companies can put up notice that they have never received such a request to aid government spying. Then if they do get such a request they can take that notice down, thus indicating to everyone that something is up.
I have no idea if any net service has ever done this.
As for the firmware: As Bryan Cantrill says: "There is a war going on, firmware vs humanity, choose your side."
We could vainly hope the Pi Foundation would set a good example here but I would not hold my breath.
And as jamesh says we have closed source firmware in everything everywhere nowadays. Much of which is in far more critical positions in our systems. It's kind of hopeless.
Until recently I would have said:
You can capture ethernet and Wifi traffic with Wireshark, and then analyze.
Even if traffic is encrypted, you can at least identify suspicious traffic.