And the biggest news of this article is:

NEC Still makes computers????

So it is in "secure firmware".

A static ROM would protect the hypervisor OS from being modified - and it would also increase boot speed. And all updateable utilities could be run in secure sandboxes.

There are many simple ways to prevent secumbing to the dark side if one is ever vigilant. LOL!

TWO SCENARIOS FOR EXTENDED BIOS SERVICES: ONE VERY USEFUL, THE OTHER VERY DANGEROUS.

NEC's Phoenix BIOS with hypervisor is what I call an Extended BIOS Service (EBS), a BIOS with extended monitoring, control and programing facilities with considerable potential to operate, monitor and report activities well below the RADAR of both PC operating systems and users. Extended BIOS Services are an excellent idea and can provide users with many useful features BUT ONLY if their activities remain under the full and total control of the user or PC administrator, otherwise they're potentially very dangerous and a serious security risk.

Unfortunately, it's highly unlikely that users will ever be given full control over BIOS/EBS activities as it would be going against the steady (and seemingly inexorable) trend seen over the past 20 years or so whereby OS manufacturers, programmers, marketers and others are increasing their monitoring and control of the PC, either with or without the user's knowledge.

Every new development--scripting, Java, the Internet, messaging etc.--provides users with increasing functionality, but equally it also provides outsiders with better and more transparent access to one's PC and to the activities carried out thereon. It seems that every new development is adapted to provide more centralized control of your PC by large corporations; Windows Product Activation and Windows Update being the quintessential examples of this technology. Both of which would not have been a practical possibility without the development of specialized Internet communications. In view of the ever improving access to PCs by remote users, it would be foolhardy to assume that large corporations could resist the temptation to gain even more control over one's PC when BIOS/EBS facilities are introduced.

Nevertheless, if BIOS/EBS activities were under full control of the user, they have the potential to provide many obvious advantages for the user. For years, I've said PCs needs an ancillary bus to monitor activities such as hardware status, crashes, low-level/kernel OS hooks, bugs, software crashes etc., and hypervisor may make this a reality although not in the way I would have wished.

Let's look at two scenarios, the first where the user isn't in control of BIOS/EBS features, and secondly, where the user does have total control.

1. THE DOWNSIDE - WHEN USERS AREN'T IN FULL CONTROL OF THEIR PC's BIOS/EBS TECHNOLOGY.

1.1 It's hard to believe--in fact beyond any reasonable credibility--that BIOS/EBS technology would be completely immune from Trojans--either malicious spyware and/or viruses, or from unapproved installations by manufacturers of hidden and supposedly 'benign' services (ostensibly under the guise to 'protect' us [when they really mean themselves].

1.2 Those wishing to use BIOS/EBS services are unlikely to tell us exactly what info is being downloaded to or uploaded from our PCs. Even if forced to disclose their nefarious activities then it'll be with seemingly innocuous half-truths and statements such as 'we're updating your system configuration' or similar obfuscating diatribe. Let's look again at the quintessential precedent: during Windows Update or on-line Product Activation sessions, Microsoft doesn't divulge the contents of the traffic/data which passes back and forth between our PCs and its servers, so why would their approach be any more benign when given access to the more powerful BIOS/EBS services (especially given its striking ability to hide remote access and monitoring)? Of course they'd adopt the technology in a flash. Giving up control is anathema to such entities and true to form, they'd be milking BIOS/EBS services for all they're worth for improved access to your PCs.

1.3 Almost certainly, BIOS/EBS activities such as updating to and downloading from the Internet will be completely invisible to the end user. More worrying is that it's easy to make just about any BIOS/EBS activity completely invisible to all operating system calls and functions, anti-virus, anti-spyware and security programs and so on. Even programs designed to monitor hardware cab be easily fooled. (With such potential to do damage a PC or invade one's privacy, users should strenuously resist any laissez-faire, uncontrolled, undocumented or secretive development of BIOS/EBS. Moreover, its specifications should be in the public domain and a part of open standards. Clearly, Extended BIOS Services have the potential to be the biggest security threat yet to the PC.)

1.4 Restating the above point: both PC hardware and software monitoring--i.e.: PC surveillance--can be undertaken without the PC user's knowledge, NOR would anti-virus and anti-spyware be able to detect dangerous BIOS/EBS activity and then warn the user as BIOS and hardware-based routines can be completely hidden from the OS (as the OS is only capable of detecting and accessing hardware system calls that the hardware/firmware makes available to it). Scanning the hardware or BIOS calls simply will not find deliberately obfuscated hardware subsystems. However, the reciprocal is NOT true: if designed to be undetectable, PC monitoring can be carried out in secret.

1.5 If users and or OS manufacturers (Microsoft etc.) were to think they could 'engineer' their way around hidden monitoring schemes within the BIOS and hardware by rigorous detection and testing of every possible system call/address etc. then they're kidding themselves. For it's dead easy to build undetectable 'bridging monitoring' into hardware. This works like conventional phone tapping by lightly loading I/O [line] addresses with 'detector amplifiers' (in layman's speak: it is not possible for the OS to monitor and control hardware/firmware which is specifically designed to be undetectable as there are NO hardware system calls or I/O hooks to detect let alone latch onto).

1.6 Elementary prototypes of this technology have existed for sometime, BIOSes often update themselves on-line with the aid of OS-based programs. However the practice of going through the OS needn't be so, Extended BIOS Services can directly access the Internet through hardware specifically designed for the purpose.

1.7 Hidden surveillance of PC hardware/software and user activity by the BIOS/EBS would be a godsend to all and sundry: law enforcement, RIAA and other copyright hustlers, OS and program manufacturers (Microsoft et al).

1.8 System design can be such to allow remote users 'authorized' access to the BIOS/EBS via a secure 'backdoor' that completely bypasses the OS and without any user knowledge--a la Clipper Chip-type technology. Remember the Clipper Chip? Extended BIOS services could just be the technology to allow Clipper to come of age.

1.9 BIOS monitoring systems are easily designed to provide hierarchical access. For example, with or without the PC user's knowledge, Microsoft might only have sufficient authorization to monitor and control Windows Update, Windows Product Activation etc., yet an authority with higher access privileges than Microsoft (e.g.: PC's manufacturer, law enforcement etc.), could independently, secretly and transparently, monitor BOTH Microsoft's and the PC user's activity without either Microsoft or the user being aware of the fact. Ironically, Microsoft too could be monitored without its knowledge, such a schema could allow authorities to surreptitiously monitor both Microsoft and the PC user simultaneously (this is why Microsoft will bring pressure on mobo manufacturers to ensure this loophole will be plugged).

1.10 For some considerable time I've envisioned that hardware or hardware/firmware monitoring bots would become a serious issue. It's possible that NEC's Phoenix BIOS with hypervisor might be BIOS/EBS' first large scale public outing. Keep in mind that ideal places for bots to hide are within CPU support chips. These large scale integrated circuits, LSIs, can be easily re-engineered to support 'Extended BIOS Services'. I'm not suggesting we users adopt an overly paranoid response to the threat of subversive monitoring but rather that we should be ever vigilant, for sooner or later such monitoring is bound to happen. Moreover, users should start demanding full and total control over any BIOS/EBS activity--monitoring or otherwise, and that users will publicly expose the nefarious activities of the perpetrators--manufacturers, RIAA, etc.--and that equipment which surreptitiously harbors monitoring bots or similar would be thoroughly exposed and blackballed.

1.11 It is possible for motherboard manufactures to have hidden and or unpublished BIOS subsystems unbeknown to all except itself. There is considerable security implications here.

2. THE UPSIDE: IF USERS WERE IN FULL CONTROL OF BIOS/EBS TECHNOLOGY.

2.1 Full control over the BIOS/EBS area means that users would be free to install any suitable anti-virus, anti-spyware or other utility of their choice. Full control over BIOS activities--especially where the BIOS functions can be tailored to suit the user's needs--will, in some instances, give the user unprecedented control over the PC environment (essentially elevating the user access from 'Administrator' to 'SuperUser'--something Microsoft and program makers would have never intended. (Again, this is another reason why PCs will not be constructed with full control over BIOS/EBS facilities, anything that has the possibility to 'break into' Windows technology will be vigorously opposed by Microsoft.)

2.2 With suitable BIOS/EBS utilities installed users could much more precisely monitor both PC hardware and operating system. This this would greatly assist with the maintenance and reliability (by reducing the opacity of many system faults).

2.3 Debug utilities designed for and installed in the BIOS/EBS area would greatly assist users and program developers to better understand the inner workings of Windows; eventually, this would lead to better system and program reliability.

2.4 Anti-spyware utilities installed into the BIOS/EBS area will permit a much better monitoring and control of spyware than is now possible.

2.5 With suitable utilities installed in the BIOS/EBS area, the activity of legitimate OSes and applications can be monitored with considerably more precision. To ensure user privacy, users would be able to modify, delete or change 'call-home' data generated by the OS or applications. There is a possibility this might help to bypass any software registration. The powers that be would be aghast at such a thought so gain we've another reason why the BIOS/EBS facilities will not be designed to benefit the user.

Isn't it funny how the laws of reciprocity don't apply when big corporations get involved?

If you are so concerned with being monitored, have you ever heard of a firewall? Or tripwire? or any of the various means of status monitoring what happens on your machine or on the network?

I know, I know...but we are all just victims!

And if MS controls the OS, then there is no telling what they are already doing. And since Linux is open source, it must be controlled by the (pick one of the myriad conspiratorial groups vying for world domination), and OSX, - I don't even want to know what Jobs has cooking in his sneaky little mind!

Been watching the X-files lately?

Im sure someone is working on a linux bios, with embedded OpenSource firmware that can be modded.

That will be the future.

These are the beginning stages of viral/trojan/spyware infection/attacks that cannot be removed without replacing the computer. Updates to the BIOS that take complete control of the system by remote...this has many uses. The two biggest uses being monitoring and control. This might be fine for IT departments managing hundreds of machines. But, it could easily be a complete disaster for individual home users.

People complain about all this spying claiming it's from the Bush admin. but those same people will be more than happy to comply with things like this. What's the difference? Spying is spying. This is surely a method of spying on home users. Wether it be used to deal with P2P, child porn, DRM, or just simple attacks from foreign countries. It's all the same thing. The only way to fight it is to have the understanding of what it is BEFORE you buy it.

Don't think for a minute that Microsoft isn't going to create links of some sort to allow future versions of IE to gain access to the bios easily enough so that some website can instantly take your computer from you...if we're not already there. I guess I should blame Bush for that too?

All those things that hard core tin-foil hat conspiracy theorists complain about IS coming to be realized. It's just being given to us under labels that distract people.

These are the beginning stages of viral/trojan/spyware infection/attacks that cannot be removed without replacing the computer.

Yeah, I guess it's pretty hard to re-flash the BIOS....

You are taking for granted a level of sophistication that the average user doesn't possess and probably never will. There's no requirement that you be a CS or EE in order to use a PC.

Good for you!

You found a way to argue with my comment, even though it is *completely* irrelevant to the actual point being made!

Here's a cookie!

/sarcasm

OP: You'd need to buy a new system.

My response: No, you don't.

Your response: But people are dumb!

Thanks for the revelation...

Good. Then if re-flashing the BIOS in a PROM is so kompleekated that the user couldn't do it (and it offers such a source of compromise), then there is nothing that should prevent the manufacturer from burning it into a static socketed ROM that would be immune to any updates or malicious corruption.

Then, in the even that some event necessitates an update, the unsophisticated' user can take the unit to a service center where they can simply replace the old ROM with a new ROM.

The sky is falling...the sky is falling...

{Obviously, as it takes a CE or EE o re-flash the BIOS! What have they been doing for all these years! Oh my! LOL!}

nice, i can see this being used down the road to control piracy on PC's

That's bad if this technology can be used to stop downloading of music and movies over P2P.

Just what is needed, an attack vector on remote computers running along side windows... oh, waitaminute... isn't windows generally vulnerable enough (especially when you add user error like phishing and such)?

Seriously, this sounds like something a nations security agency would come up with - back doors built right into the hardware.

Tend to agree. If it is happening at the printer level, with mass cooperation with major printer vendors and software producers to prevent counterfeiting, it almost certainly is happening at the lowest levels of the machines.

It's funny though, because it will end up biting all parties in the a** eventually.

Not much of an attack vector if the environment is static ROM based based and any network anti-virus update function is run in a sandbox with self checks prior to accessing Windows..

What will be interesting is any additional utility functionality that might be later leveraged to analyze and manipulate unmounted Windows elements.

With Intel facilitating such functionality, it will be interesting to see how the various parties take advantage of this capability.