
Replacing a Thinkpad X60 Bootflash Chip - WestCoastJustin
https://blog.patternsinthevoid.net/replacing-a-thinkpad-x60-bootflash-chip.html
======
userbinator
The idea of booting an OS from ROM has been around for a long time; in the PC
world, there are servers with a hypervisor in the BIOS. Interesting to see this
being done as a mod, however.

16MB may not seem like a lot of space compared to gigabyte-sized distros, but
if you look at things like TinyCore or even more extreme, the (non-Linux)
MenuetOS, you can still put a lot of functionality in there.

With
[http://shop.gluglug.org.uk/product/ibm-lenovo-thinkpad-x60-coreboot/](http://shop.gluglug.org.uk/product/ibm-lenovo-thinkpad-x60-coreboot/)
and now this, and an (unofficial) schematic available,
it seems the X60 is becoming a great platform for hardware hacking. I've
noticed the prices for a used one have been going up.

------
kelvie
I get a cert error when trying to access the site.

~~~
exo762
This is a self-signed cert. Pretty normal stuff for pages by hackers for
hackers. Do you care who is running that site? Are you going to provide them
any personal data? Was your browser hardened by you? If you answered no, no,
yes, then you are pretty safe.

~~~
nullc
How kind of them to set up the site in a way which is indistinguishable from a
MITM, so that it's a common and usual thing and when there actually is a MITM
against other sites you use you'll suffer from none of that uncomfortable
alarm.

~~~
technomancy
How is that different from a plain HTTP site? It's just that your browser has
chosen to interpret it in a misleading way.

~~~
nullc
The difference is that authentication was expected here. If you don't get
authentication when it was expected and asked for, that should be a red flag
that something is amiss.

Effectively this creates a Chicken Little situation where attacks are
indistinguishable from common configurations. This lowers the costs of
attacking because it reduces the risk of detection; it also makes attacks more
successful because it trains users to click through the warnings.

~~~
tinco
This is not a misconfiguration; it is actually better to use a self-signed
certificate if you want to ensure authenticity even in the face of world power
adversaries.

~~~
drdaeman
If one wants opportunistic encryption, there're tcpcrypt or IPsec for that.

If one wants to encourage others to blindly accept untrusted certificates from
whatever server decides "to hell with authorities" - that's not a good idea.
When those World Power Adversaries consider messing with the site,
visitors will already be trained to accept the certificate (hah!)

If one really insists on a self-signed certificate, there should be at least an
HTTP (i.e. accessible without accepting anything!) page describing the
reasoning behind the whole situation and providing means to validate the
certificate. Like, say, a PGP signature of the certificate in question, signed
with a key that could be traced to the site owner with a reasonable level of trust.
Or at least TLSA DNS records (dig says there're none).
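
An added example, not part of the comment above or of the site's own tooling: one way a visitor could check a served self-signed certificate against a published TLSA record of the kind mentioned there. It handles only usage 3 (DANE-EE) with selector 0 (full certificate); the sample certificate bytes and TLSA record are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import hmac
import ssl

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
_MATCHERS = {
    0: lambda data: data,
    1: lambda data: hashlib.sha256(data).digest(),
    2: lambda data: hashlib.sha512(data).digest(),
}


def parse_tlsa(rdata):
    """Split TLSA presentation-format rdata into (usage, selector, mtype, bytes)."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type, data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    # dig may break the hex association data into several space-separated chunks.
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))


def cert_matches_tlsa(pem_cert, rdata):
    """True if the served certificate matches a DANE-EE, full-certificate record."""
    usage, selector, mtype, expected = parse_tlsa(rdata)
    if usage != 3:
        raise ValueError("only usage 3 (DANE-EE) fits a self-signed leaf certificate")
    if selector != 0:
        raise ValueError("selector 1 (SPKI) needs ASN.1 parsing, not handled here")
    if mtype not in _MATCHERS:
        raise ValueError("unknown matching type %d" % mtype)
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    # Constant-time comparison; a length mismatch simply returns False.
    return hmac.compare_digest(_MATCHERS[mtype](der), expected)


# Constructed stand-in bytes: they are only hashed, never parsed as X.509.
SAMPLE_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_TLSA = "3 0 1 " + hashlib.sha256(SAMPLE_DER).hexdigest()

if __name__ == "__main__":
    print(cert_matches_tlsa(SAMPLE_PEM, SAMPLE_TLSA))
```

In practice the PEM would come from `ssl.get_server_certificate((host, 443))` and the rdata from a DNSSEC-validated TLSA lookup; without DNSSEC the record is no more trustworthy than the certificate itself.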

~~~
nullc
> If one wants an opportunistic encryption, there're tcpcrypt or IPsec for
> that.

And HTTP/2.0 thankfully. OE is a good improvement, indeed, but it's not worth
teaching users bad practices for the authenticated stuff.

------
yuhong
Of course, I am not a fan of violating firmware standards like UEFI/ACPI and
dislike it when x86 Chromebooks did this. Having different firmware for
different OSes defeats the point of firmware standards. I think it is possible
to run UEFI as a payload in coreboot.

------
taiki
Why are you disabling the CardBus, FireWire and SD card ports?

~~~
hosay123
At least 2 of those interfaces support DMA to host RAM..
[https://en.wikipedia.org/wiki/DMA_attack](https://en.wikipedia.org/wiki/DMA_attack)

~~~
taiki
D'oh. Somehow missed the fact that you were hardening the machine against
attack.

------
pasbesoin
Noted this at the bottom of the page:

_You're currently helping people in censored regions with FlashProxy.
Thanks!_ [1]

I just think that users/browsers should be aware of what activity a site may
incur.

--

[1]
[https://crypto.stanford.edu/flashproxy/options.html](https://crypto.stanford.edu/flashproxy/options.html)

~~~
guelo
Now you're on a terrorist watchlist.

