So glad to see minis on here so I hopefully can find a receptive audience to my rant:

None of these super cheap Chinese devices come with BIOS or firmware support or updates.

Minisforum, Topton, Qotom, Beelink etc. all have like maybe 1 or 2 BIOS updates, AND EVEN THAT MANY IS RARE!

In the post-Spectre age, just look at AMD security bulletins! Every few months there are major BIOS/firmware/CPU vulnerabilities.

And all the tech bloggers happily continue to showcase these devices (LTT, Level1Techs, STH) without any mention of the BIOS.

People recommend them as firewalls!



I'm a bit confused? Most security issues can be solved with microcode updates, kernel-level mitigations, or compilation-level mitigations? I'm not exactly sure why this is as big of an issue as you make it sound? Realistically, anyone who cares about security should turn off SMT, which fixes speculative vulnerabilities (which is most of the serious ones). Additionally, a lot of the headlining vulnerabilities these days seem to require physical access of some kind, which is more relevant for portable devices.

Edit: the best solution of course would be to have Coreboot.


Most != all

OS-level microcode updates only address a portion of these vulns, same for disabling SMT. One unpatched vulnerability is too many, let alone numerous. Not all require physical access either.
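A defender-side check that follows from this exchange, added here as an example and not part of any commenter's post: on Linux the kernel publishes one file per speculative-execution issue under /sys/devices/system/cpu/vulnerabilities/, and its wording distinguishes issues that are mitigated from ones where the fix is missing because no microcode is loaded or because SMT is still on. The script below groups those entries, flags the "no microcode" and "SMT vulnerable" cases, and pulls the loaded microcode revision from /proc/cpuinfo. It assumes a Linux host; the sample status strings are constructed (using the kernel's own sysfs wording) so it runs offline, and the microcode revision in the sample is a placeholder.

```python
"""Summarise the Linux kernel's view of speculative-execution mitigations.

Constructed example (not from the thread): reads one file per issue from
/sys/devices/system/cpu/vulnerabilities/ and the "microcode" field of
/proc/cpuinfo, then groups each issue as "not affected", "mitigated" or
"vulnerable" and flags the ones the kernel says cannot be fixed without a
microcode update (delivered via BIOS/firmware or the OS microcode package).
"""
import os
import re
from typing import Dict, List, Optional

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample, using the kernel's real sysfs wording, so the script
# runs offline. On a live box read_sysfs() replaces it.
SAMPLE_STATUS: Dict[str, str] = {
    "meltdown": "Not affected",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines; IBPB: conditional; STIBP: disabled; RSB filling",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "srbds": "Vulnerable: No microcode",
    "tsx_async_abort": "Not affected",
}

# Constructed /proc/cpuinfo fragment; the revision value is a placeholder.
SAMPLE_CPUINFO = "model name\t: Example CPU\nmicrocode\t: 0xdeadbeef\n"


def classify(status: str) -> str:
    """Map one sysfs line to a coarse bucket.

    The kernel prefixes every line with "Not affected", "Mitigation:" or
    "Vulnerable"; anything else (e.g. "Unknown") is treated as vulnerable.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    return "vulnerable"


def needs_microcode(status: str) -> bool:
    """True when the kernel explicitly reports the fix is missing microcode."""
    return "no microcode" in status.lower()


def smt_exposed(status: str) -> bool:
    """True when the kernel notes the issue is still open across SMT siblings."""
    return "smt vulnerable" in status.lower()


def summarize(statuses: Dict[str, str]) -> Dict[str, List[str]]:
    """Group issue names by bucket, sorted by name for stable output."""
    buckets: Dict[str, List[str]] = {"not affected": [], "mitigated": [], "vulnerable": []}
    for name, status in sorted(statuses.items()):
        buckets[classify(status)].append(name)
    return buckets


def microcode_revision(cpuinfo_text: str) -> Optional[str]:
    """Extract the microcode revision of the first CPU from /proc/cpuinfo text."""
    m = re.search(r"^microcode\s*:\s*(\S+)", cpuinfo_text, re.MULTILINE)
    return m.group(1) if m else None


def read_sysfs(path: str = SYSFS_VULN_DIR) -> Dict[str, str]:
    """Read the live sysfs directory; returns {} if it does not exist."""
    result: Dict[str, str] = {}
    if not os.path.isdir(path):
        return result
    for name in os.listdir(path):
        try:
            with open(os.path.join(path, name)) as f:
                result[name] = f.read().strip()
        except OSError:
            continue
    return result


def report(statuses: Dict[str, str], cpuinfo_text: str) -> str:
    """Render a short text report: revision, buckets, then per-issue flags."""
    lines = [f"microcode revision: {microcode_revision(cpuinfo_text) or 'unknown'}"]
    for bucket, names in summarize(statuses).items():
        lines.append(f"{bucket}: {', '.join(names) or '-'}")
    for name, status in sorted(statuses.items()):
        flags = []
        if needs_microcode(status):
            flags.append("needs microcode")
        if smt_exposed(status):
            flags.append("SMT still exposed")
        if flags:
            lines.append(f"  {name}: {'; '.join(flags)}")
    return "\n".join(lines)


if __name__ == "__main__":
    live = read_sysfs()
    if live:
        with open("/proc/cpuinfo") as f:
            print(report(live, f.read()))
    else:
        print(report(SAMPLE_STATUS, SAMPLE_CPUINFO))
```

Run as root or not, the sysfs files are world-readable; entries that land in "vulnerable" with "needs microcode" are exactly the cases the comment above is about, where neither a kernel flag nor turning SMT off helps and the fix has to arrive as a microcode blob, whether through a BIOS update or the distribution's microcode package.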


Firmware shouldn't need that many updates in the first place. Frequency of updates should be taken as the inverse of its code quality.

Sadly there is too much low-quality firmware, and even more below the floor, but that should be the theory.


Yeah, but most proper ones are subject to the duopoly of Intel/AMD. And apparently their “firmware” sucks!


Don't they use off-the-shelf parts? Can't I just use the manufacturer's update?


Spectre was a load of horseshit, and probably all of the subsequent "vulnerabilities" too. Deliberately make your CPU slower because some people don't trust the code running on their computer. Why do you run it if you don't trust it?


A spicy take, but there's some truth to it. This class of vulnerability is way more important for PaaS providers that run workloads from multiple untrusted sources on the same hardware.

Running with mitigations=off on a single user workstation ain't the end of the world, assuming you actually trust the code you're running (and if you don't trust it... why are you running it to begin with?).

Desktop OS design still assumes that programs can access user data on disk anyway, after all.

(This isn't an excuse to throw buggy / broken firmware into the world and not support it, which is also something these no-name vendors are happy to do.)



