I was looking at porting a mobo to coreboot (Dell) and learned about Intel boot guard. That kind of thing should fall under right to repair and be illegal. My device, my choice on how I flash it.
And how does the device know that it is the owner of the device trying to flash it and not an attacker wanting to bypass secure boot? It's safer to have it assume that everyone flashing it is an attacker.
I don't think making secure devices should be made illegal. People who want to buy insecure devices are an outlier which means there isn't much demand for a purposefully insecure device. Using the legal system to force manufactures to purposefully make insecure things doesn't seem right to me.
>It's safer to have it assume that everyone flashing it is an attacker
In other words: "let's put everyone in jail because someone might be a thief", I find this way of thinking to be moronic. I wonder how an attacker could get physical access to a machine, disassemble it and flash without getting detected. Plus, if I already have physical access to the machine and plenty of time to execute such an attack, why not just grab the drive?
I hate this trend of forcing users to run nonsense programs in order to use their devices, like Windows 11 forcing you to have a Microsoft account during the installation process.
>let's put everyone in jail because someone might be a thief
No, it's more like devices should consider security holistically and only offer an API that is secure. Hacker News doesn't allow any users to edit any other's comment. Is that putting all users in jail because we don't have a capability which is technically possible?
>I wonder how an attacker could get physical access to a machine, disassemble it and flash without getting detected.
Just because an attack may be niche it doesn't mean that the vulnerability should be ignored. Some customers like businesses can be extra paranoid of attacks like these and have concerns about these attacks.
>it's more like devices should consider security holistically and only offer an API that is secure
I am not against this, this would be ideal.
>Hacker News doesn't allow any users to edit any other's comment
Those comments are not yours, so this is a false analogy. I am talking about something that is technically possible and within your own device.
>Just because an attack may be niche it doesn't mean that the vulnerability should be ignored
True, but I also believe that preventing the users from fully using their devices is not good, providing an API like you said would be the perfect solution.
>Because the drive should be encrypted
The average user doesn't know about drive enryption.
> The average user doesn't know about drive enryption.
Nor should they. Good news though, it’s on by default in any recent Windows which supports it. So a great many millions of users are using it without needing to know or care.
Bullshit. The User should be able to get at every implementation detail. These things should be discoverable. A tech that cannot be learned except by some esoteric priesthood is a failed tech.
>Those comments are not yours, so this is a false analogy
It was an example of showing a capability exposed to users designed with security in mind. Mods being able to edit posts on forums despite not "owning" them is a normal feature. A better example for this site specifically would be submission titles.
>The average user doesn't know about drive enryption.
All major consumer operating systems Windows, macOS, iOS, and Android use drive encryption by default. Users don't need to know about it to be protected by it.
IMO, as long as a human is using the device, there's always the rubber hose. Thus, Benjamin Frank's sacrificing liberty for security quote is quite applicable, especially since the threat here is very unlikely for most consumers.