Excuse my Bios, but…

Check out the Phoenix Technologies announcement on their BIOS hardware authentication scheme.

People like Bruce Schneier lecture us all on how hard it is to create a trusted network verification model that holds up under a variety of conditions and needs. And who needs this (very few)?

Some of you may recall how Microsoft had to pull back on their extra evil hardware authentication when it turned out XP didn’t work when you added a device like a DVD. Everybody complained, vendors got really annoyed with customer support, and Microsoft got blamed (well, it was their fault). They’re trying to moderate this in practice, but it’s not a deterministic strategy for a host of technical and practical reasons.

But Microsoft has an OS monopoly and can get away with failure. Does Phoenix have a monopoly on the BIOS? Don’t think so. The customer hates this process of verification – it makes him feel like a criminal. So the vendor notices the customer hates the product, buys another BIOS from AMI or any of the hundreds of others, gets rid of this nonsense for the customer, and the problem is self-correcting.

And now Phoenix is going to disallow network access from people who don’t match this same faulty hardware profile? Great – it didn’t work before, so let’s make it even bigger this time. Sounds like lunacy? It is. Phoenix has been trying this trick for years and years – and it won’t work unless you keep people from upgrading / fixing their PCs.

Can you imagine how people would react if you told them they couldn’t change the oil filter on their cars, or take it to the local oil changers and buy a standard filter? You’d have to throw the car away – sorry Charlie.

As the real security guys will tell you, verification of trusted networked sources is actually a very difficult game, even using hardware and secure links. You fool yourself into believing that you can live in a black and white universe. In reality, with security this brings more problems, because too narrow a window results, so exceptions are made to the rules and soon you’re back to the same corner case issues as before. The real success comes down to knowing the character of the individuals and the use / practice of measures, such as the friend/foe rules of engagement process used in the military.

The last thing everyone needs is an Internet where people are refused access for arbitrary reasons, subverting the entire point of TCP/IP and networked communications – to exchange information – by preying on people’s fears of the “bad guys” gaining access. Maybe if Microsoft would just secure their OS better, we wouldn’t have this fear in the first place.

Now that I’ve pointed out the problem from the perspective of an Internet expert, we could all use a crafty rebuttal from a security expert as to why this is just another brand of snake oil. Hey Bruce, where are you?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.