On Mon, Dec 30, 2013 at 10:19:21PM -0800, coderman wrote:
On Mon, Dec 30, 2013 at 9:14 PM, Hannes Frederic Sowa <hannes@stressinduktion.org> wrote:
... Actually, somehow, I have a feeling of relief to see that major hardware vendors don't seem to specifically work hand in hand with the NSA to implement backdoors.
you're assuming this dump is exhaustive. this is a very specifically themed/focused release of top end tactics and exploits (essentially weaponized platforms for targeted attacks). Jake says as much about what they're dropping, which while impressive, has still gone through the "best interest of public safety scrutinizing and censorship" rigmarole.
the indiscriminate, wholesale compromises are just getting started... these disclosures will have more impact: financially to the impacted vendors, effectively to IC as known vulnerable hardware and software is replaced, and to the public at large now exposed to even more essentially incomprehensible disclosures of vulnerability and compromise.
Sorry, no. It is absolutely important to be exhaustive and correct here. Otherwise this whole thing could get out of hand and could get much worse. There is a very big difference, e.g., in how I (and a lot of other people too, I guess) will react to vendors whose debug interfaces were just hijacked by the NSA to install backdoors versus vendors who worked hand in hand with the NSA to do so deliberately. And we cannot just assume the latter because it looks like the easiest way for us to deal with this now and blame others! Also, if this talk does not specifically say that those vendors were working with the NSA, it would have been important to make clear that we don't know and cannot judge them by the facts presented now. A lot of people, who seem to be really loud, often get this wrong. If such FUD is spread against vendors which, in my opinion, actually have a valid interest in trying to stop those backdoors, what do you think a lot of members of this community will do? Cut off communication with those vendors, place them on their I-will-never-work-there lists? And I say that they will still sell shitloads of trucks of hardware. As a manager with no technical background at such an accused company, what do you think they will do? Will they push things like secure boot down our throats? Will they make all the hardware much more closed for fear that this community does bad PR against them otherwise? Is that the outcome we want? At past Chaos Communication Congresses I really think those vendors would have been cheered for having an open JTAG interface on a board. It seems the days have changed. Until now I have seen no facts that would make me distrust the major hardware vendors. I already have a bad feeling about that, but I still need to be reasonable here, too. I cannot accuse those companies based on the facts presented so far.
But essentially, it is important that this community works hand in hand with those vendors who are willing to and who just got exploited by the NSA, so as not to lead them to the wrong conclusions and make tampering with the hardware harder, but instead to make open source BIOS and firmware that users can build and verify themselves. Make documentation more open; show them people do care about that. If secure boot or other means get established, show the users how they can use that for *their* own good, build up *their* own crypto chains, etc. Make firmware source code trackable via source repos, provide ways to rebuild that code bit-by-bit. Provide repositories with changes instead of giant source code drops. Otherwise a new generation of NSA backdoors will have it much easier to be really hidden in that hardware. That may add additional costs for those companies. So show them it is worth it!
I don't see having a JTAG connector publicly accessible on a RAID controller as a hint of that. The other disclosures also point to my conclusion that the NSA is mostly working on their own. Of course, not all of Snowden's documents are released yet, and hence my feeling could be deceiving.
this is just an example of how, when the NSA pursues "all means and methods in parallel, without restraint" seemingly innocuous oversights are intentionally leveraged and discouraged from remediation for use in tailored access (black bag / targeted) attacks.
Yeah, the NSA and NSA only. Until now I have no facts that anyone but the NSA does so deliberately.
I thought it could be worse.
it is worse.
Let's not make it worse ourselves. ;) I don't want to see what the PR people on those accused companies' Twitter feeds will have to go through now. I guess lots of overreaction is happening now, which is not helpful at all.

Greetings,

Hannes