SOURCE: Purism, SPC

July 05, 2017 12:00 ET

WannaCry, Petya, NotPetya, Vault 7, and Dark Matter Show Numerous Key Flaws in Popular Devices

Purism Librem laptops are immune to such threats because of a deeply rooted philosophical difference about security

SAN FRANCISCO, CA--(Marketwired - July 05, 2017) - Purism, the social purpose corporation which designs and produces security-focused hardware and software, has released a new report on the latest cybersecurity threats and why nearly all devices are vulnerable to such attacks. The very design of modern hardware and software invites a host of threats, from sophisticated attacks and criminal activity to hobbyist attempts, and reactive software patches simply cannot be released quickly enough to plug security holes. All manufacturers besides Purism are only reactive to security threats. Being proactive about security comes down to philosophy, business model, and reducing the attack surface to begin with.

There are four key factors that explain why popular devices produced by large manufacturers are susceptible to rising security concerns:

  1. Proprietary software, where the source code is not auditable, leaving exploitable holes for criminals to take advantage of without the public knowing until it is too late
  2. Software written to address a wide array of hardware, leaving a large attack surface, rather than being small and tightly integrated with hardware
  3. Monolithic proprietary UEFI/BIOS with low-level remote access capabilities, rather than coreboot, a small, secure, fast boot firmware
  4. Inadequate reactive software updates to patch security vulnerabilities, rather than the more proactive removal of security holes to begin with, and having public source code to be audited

The best security in software follows a simple set of rules that the largest manufacturers fail to follow because of their business models:

  1. Release the source code
  2. Tightly integrate the software with the hardware, removing useless exploitable software
  3. Use less code and pre-install less bloatware, which equals less attack area
  4. Avoid mystery binary code for critical components like WiFi cards
  5. Put protecting users over corporate profit: do not track users, do not require financial details to install apps, do not phone home with identifiable data, do not participate in corporate surveillance

WannaCry, Petya, and NotPetya are increasing in complexity in a whack-a-mole software battle between distributed criminals and centralized corporations, in which the users are the victims. The solutions currently proposed by proprietary software vendors are reactive to these threats, which by definition means the attacks will continue to happen with increasing frequency and potency. There is real motive for criminals to create ransomware, wreak havoc, and upset markets, and the reactive proprietary software patching approach is unacceptable as a security story.

Lower-level threats, many of them released with Vault 7, such as Dark Matter, Intel AMT, and EFI/UEFI exploits, highlight that criminals are going deeper than software and operating systems. Here even the reactive approach does not help, since proprietary operating system vendors do not release EFI/UEFI updates, and BIOS and EFI/UEFI updates are not commonly done by users.

A proactive model, in which the source code is released, the attack surface is kept small, and the code is shared for audit, has been the philosophical difference behind why Purism Librem laptops have been immune to all these threats.

"Protecting our digital life is a growing concern for individuals; reactive patching does not provide the peace of mind that users want," said Todd Weaver, CEO and Founder at Purism. "We provide that peace of mind by making security protection easy and the default for users."

Purism's Librem laptop line has been specifically designed to address these gaping security issues that big box manufacturers are unable and unwilling to combat due to being reactive and not releasing the source code. To date, Librems have been completely immune from the following cybersecurity attacks: WannaCry, Intel AMT, Petya, Dark Matter, all Vault 7 EFI/UEFI exploits, and NotPetya.

About Purism, SPC
Purism is a Social Purpose Corporation devoted to bringing security, privacy, software freedom, and digital independence to everyone's personal computing experience. With operations based in San Francisco (California) and around the world, Purism manufactures premium-quality laptops and tablets, creating beautiful and powerful devices meant to protect users' digital lives without requiring a compromise on ease of use. Purism designs and assembles its hardware in the United States, carefully selecting internationally sourced components to be privacy-respecting and fully Free-Software-compliant. Security and privacy-centric features come built-in with every product Purism makes, making security and privacy the simpler, logical choice for individuals and businesses.