"To Protect and Infect" - the edges of privacy-invading technology
This talk is divided into two parts. Morgan Marquis-Boire and Claudio Guarnieri talking about the militarization of the internet in part one, including both targeted and dragnet surveillance in deep-packet inspection. (See also Citizen Labs' work on BlueCoat). In part two, Jake Appelbaum talks about some of the most hardcore and cutting-edge NSA surveillance tactics and equipment. (See also yesterday's Der Spiegel articles).

Part 1: http://www.youtube.com/watch?v=XZYo9TPyNko
Part 2: https://www.youtube.com/watch?v=b0w36GAyZIA

best,
Griffin

--
As always, opinions are mine and kittens are cuddly :3
Seriously, go take a kitten break: https://www.youtube.com/results?search_query=fluffy+kittens
On Mon, Dec 30, 2013 at 08:56:57PM -0500, griffin@cryptolab.net wrote:
This talk is divided into two parts. Morgan Marquis-Boire and Claudio Guarnieri talking about the militarization of the internet in part one, including both targeted and dragnet surveillance in deep-packet inspection. (See also Citizen Labs' work on BlueCoat). In part two, Jake Appelbaum talks about some of the most hardcore and cutting-edge NSA surveillance tactics and equipment. (See also yesterday's Der Spiegel articles).
Actually, somehow, I have a feeling of relief to see that major hardware vendors don't seem to specifically work hand in hand with the NSA to implement backdoors. I don't see having a JTAG connector publicly accessible on a RAID controller as a hint of that. The other disclosures also point to my conclusion that the NSA is mostly working on their own. Of course, not all of Snowden's documents are released yet and hence my feeling could be deceiving. I thought it could be worse.

Bye,
Hannes
On Tue, Dec 31, 2013 at 06:14:56AM +0100, Hannes Frederic Sowa wrote:
On Mon, Dec 30, 2013 at 08:56:57PM -0500, griffin@cryptolab.net wrote:
This talk is divided into two parts. Morgan Marquis-Boire and Claudio Guarnieri talking about the militarization of the internet in part one, including both targeted and dragnet surveillance in deep-packet inspection. (See also Citizen Labs' work on BlueCoat). In part two, Jake Appelbaum talks about some of the most hardcore and cutting-edge NSA surveillance tactics and equipment. (See also yesterday's Der Spiegel articles).
Actually, somehow, I have a feeling of relief to see that major hardware vendors don't seem to specifically work hand in hand with the NSA to implement backdoors. I don't see having a JTAG connector publicly accessible on a RAID controller as a hint of that. The other disclosures also point to my conclusion that the NSA is mostly working on their own. Of course, not all of Snowden's documents are released yet and hence my feeling could be deceiving.
Also:
From the talk I got the impression that attacks on iPhones always seem to work. The slide from Der Spiegel shows that this infection only works via a close-access method and that a remote infection path would be available in the future (the slide is from 2008, but we don't know if this actually exists now): http://www.spiegel.de/static/happ/netzwelt/2014/na/v1/pub/img/Handy/S3222_DR...
I guess the slide got accidentally chopped off in the talk, or am I missing something? The UDP+RC6 story does not make sense to me either (how could they know about the encryption algorithm if they didn't dissect the actual bytes?). I also don't believe that the current state of TLS would help much in preventing those redirection attacks.

Greetings,
Hannes
On Mon, Dec 30, 2013 at 9:14 PM, Hannes Frederic Sowa <hannes@stressinduktion.org> wrote:
... Actually, somehow, I have a feeling of relief to see that major hardware vendors don't seem to specifically work hand in hand with the NSA to implement backdoors.
you're assuming this dump is exhaustive. this is a very specifically themed/focused release of top end tactics and exploits (essentially weaponized platforms for targeted attacks). Jake says as much about what they're dropping, which while impressive, has still gone through the "best interest of public safety scrutinizing and censorship" rigmarole. the indiscriminate, wholesale compromises are just getting started... these disclosures will have more impact: financially to the impacted vendors, effectively to IC as known vulnerable hardware and software is replaced, and to the public at large now exposed to even more essentially incomprehensible disclosures of vulnerability and compromise.
I don't see having a JTAG connector publicly accessible on a RAID controller as a hint of that. The other disclosures also point to my conclusion that the NSA is mostly working on their own. Of course, not all of Snowden's documents are released yet and hence my feeling could be deceiving.
this is just an example of how, when the NSA pursues "all means and methods in parallel, without restraint" seemingly innocuous oversights are intentionally leveraged and discouraged from remediation for use in tailored access (black bag / targeted) attacks.
I thought it could be worse.
it is worse.

best regards,

p.s. cryptome has lots of great docs on this and other 30C3 awesomeness:
http://cryptome.org/
http://cryptome.org/2013/12/nsa-catalog.zip
On Mon, Dec 30, 2013 at 10:19:21PM -0800, coderman wrote:
On Mon, Dec 30, 2013 at 9:14 PM, Hannes Frederic Sowa <hannes@stressinduktion.org> wrote:
... Actually, somehow, I have a feeling of relief to see that major hardware vendors don't seem to specifically work hand in hand with the NSA to implement backdoors.
you're assuming this dump is exhaustive. this is a very specifically themed/focused release of top end tactics and exploits (essentially weaponized platforms for targeted attacks). Jake says as much about what they're dropping, which while impressive, has still gone through the "best interest of public safety scrutinizing and censorship" rigmarole.
the indiscriminate, wholesale compromises are just getting started... these disclosures will have more impact: financially to the impacted vendors, effectively to IC as known vulnerable hardware and software is replaced, and to the public at large now exposed to even more essentially incomprehensible disclosures of vulnerability and compromise.
Sorry, no. It is absolutely important to be exhaustive and correct here. Otherwise this whole thing could get out of hand and could get much worse. There is a very big difference, e.g., in how I (and a lot of other people too, I guess) will react to vendors whose debug interfaces were just hijacked by the NSA to install backdoors versus vendors who worked hand in hand with the NSA to do so deliberately. And we cannot just assume the latter because it looks like the easiest way to deal with this for us now and blame others! Also, if this talk does not specifically say that those vendors were working with the NSA, it would have been important to make clear that we don't know and we cannot judge them by the facts presented now. A lot of people, who seem to be really loud, often get this wrong. If such FUD is spread against vendors, which in my opinion do actually have a valid interest in trying to stop those back doors, what do you think a lot of members of this community will do? Cut off communication with those vendors, place them on their I-will-never-work-there lists? And I say that they will still sell shitloads of trucks of hardware. As a manager with no technical background at such an accused company, what do you think they will do? Will they push things like secure boot down our throats? Will they make all the hardware much more closed in fear that this community does bad PR against them otherwise? Is that the outcome we want? At past Chaos Communication Congresses I really think those vendors would have been cheered for having an open JTAG interface on a board. It seems days have changed. Until now I have seen no facts that would make me distrust the major hardware vendors. I already have a bad feeling about that, but I still need to be reasonable here, too. I cannot accuse those companies by the facts presented until now.
But essentially, it is important that this community does work hand in hand with those vendors who are willing to and just got exploited by the NSA, so as not to bring them to the wrong conclusions and make tampering with the hardware harder, but instead to make open-source BIOS and firmware that users can build and verify themselves. Make documentation more open; show them people do care about that. If secure boot or other means get established, show the users how they can use that for *their* own good, build up *their* own crypto chains, etc. Make firmware source code trackable via source repos; provide ways to rebuild that code bit-for-bit. Provide repositories with changes instead of giant source code drops. Otherwise a new generation of NSA backdoors will have it much easier to be really hidden in that hardware. That may add additional costs for those companies. So show them it is worth it!
I don't see having a JTAG connector publicly accessible on a RAID controller as a hint of that. The other disclosures also point to my conclusion that the NSA is mostly working on their own. Of course, not all of Snowden's documents are released yet and hence my feeling could be deceiving.
this is just an example of how, when the NSA pursues "all means and methods in parallel, without restraint" seemingly innocuous oversights are intentionally leveraged and discouraged from remediation for use in tailored access (black bag / targeted) attacks.
Yeah, the NSA and NSA only. Until now I have no facts that anyone but the NSA does so deliberately.
I thought it could be worse.
it is worse.
Let's not make it worse ourselves. ;) I don't want to see what the PR persons on those accused companies' Twitter feeds will have to go through now. I guess lots of overreaction is happening now, which is not helpful at all.

Greetings,
Hannes
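Hannes's call above for firmware that users can "rebuild bit-for-bit" from tracked source is what is now called a reproducible build. The following Python is an added illustration, not code from this thread or from any vendor: it compares a shipped firmware image with a locally rebuilt one, excuses only the byte ranges the verifier has explicitly declared as expected non-determinism (here an assumed build-date stamp at a constructed offset), and reports every other difference as unexplained. The images, the offsets, and the "tampered" variant are all constructed sample data, not real firmware.

```python
import hashlib

# Constructed toy firmware layout (NOT real firmware):
#   offsets  0-5   header "BOOT\x00\x01"
#   offsets  6-21  code section (16 NOP-like filler bytes)
#   offsets 22-35  build-date stamp "BUILD:YYYYMMDD" (expected to vary per build)
#   offsets 36-41  zero padding
HEADER = b"BOOT\x00\x01"
CODE = b"\x90" * 16
PAD = b"\x00" * 6

# Image as shipped by a hypothetical vendor, and the same source rebuilt locally one day later.
VENDOR_IMAGE = HEADER + CODE + b"BUILD:20131230" + PAD
REBUILT_IMAGE = HEADER + CODE + b"BUILD:20131231" + PAD

# Constructed variant of the shipped image with one code byte altered (offset 10),
# simulating a difference that a build-date stamp cannot explain.
TAMPERED_IMAGE = HEADER + CODE[:4] + b"\xcc" + CODE[5:] + b"BUILD:20131230" + PAD

# Byte ranges (start inclusive, end exclusive) the verifier declares as legitimately
# non-deterministic. Anything outside these must match exactly.
BUILD_STAMP_RANGES = [(22, 36)]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, for recording in a verification log."""
    return hashlib.sha256(data).hexdigest()


def diff_ranges(a: bytes, b: bytes) -> list:
    """Return the (start, end) byte ranges where a and b differ.
    A length mismatch is reported as one trailing range."""
    ranges = []
    n = min(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def masked(data: bytes, mask_ranges) -> bytes:
    """Zero the declared non-deterministic ranges so they drop out of the comparison."""
    buf = bytearray(data)
    for start, end in mask_ranges:
        for i in range(start, min(end, len(buf))):
            buf[i] = 0
    return bytes(buf)


def verify(vendor: bytes, rebuilt: bytes, expected_nondeterministic=()) -> dict:
    """Compare a shipped image against a local rebuild.
    'raw_ranges' lists every difference; 'unexplained_ranges' lists those that remain
    after masking the declared ranges; 'reproducible' is True only when nothing remains."""
    raw = diff_ranges(vendor, rebuilt)
    residual = diff_ranges(
        masked(vendor, expected_nondeterministic),
        masked(rebuilt, expected_nondeterministic),
    )
    return {
        "vendor_sha256": sha256_hex(vendor),
        "rebuilt_sha256": sha256_hex(rebuilt),
        "raw_ranges": raw,
        "unexplained_ranges": residual,
        "reproducible": len(residual) == 0 and len(vendor) == len(rebuilt),
    }


if __name__ == "__main__":
    for label, image in (("vendor", VENDOR_IMAGE), ("tampered", TAMPERED_IMAGE)):
        report = verify(image, REBUILT_IMAGE, BUILD_STAMP_RANGES)
        print(label, "reproducible:", report["reproducible"],
              "unexplained:", report["unexplained_ranges"])
```

The design point is that the mask is an explicit, reviewable allow-list: a build that only differs in its timestamp passes, while a single altered code byte is still reported with its offset, which is exactly the evidence a user needs before trusting a shipped image. In practice the stamp would be removed at build time (fixed timestamps, no embedded paths) rather than masked after the fact; the mask here stands in for that so the comparison stays honest about what it excuses.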
On Tue, Dec 31, 2013 at 10:04 AM, Hannes Frederic Sowa <hannes@stressinduktion.org> wrote:
... There is a very big difference, e.g., in how I (and a lot of other people too, I guess) will react to vendors whose debug interfaces were just hijacked by the NSA to install backdoors versus vendors who worked hand in hand with the NSA to do so deliberately.
agreed. we've got some years to wait for a definitive full picture. http://cryptome.org/2013/11/snowden-tally.htm - 932 pages (~1.6%) of reported 58,000. NSA head claims 200,000 (~.40% of that released)
If such FUD is spread against vendors, which in my opinion, do actually have a valid interest in trying to stop those back doors, what do you think will a lot of members of this community do?
vendor responses are fairly self evident.

bad: RSA
less-bad: Cisco
good/proactive: SilentCircle etc.

we could get into details of what makes a good vendor response vs. one that is clearly weasel worded accountability deflection, don't think this list is the place however.
Until now I have seen no facts that would make me distrust the major hardware vendors.
then you're not paying attention :)
I don't want to see what the PR persons on those accused companies' twitter feeds will have to go through now. I guess lots of overreaction is happening now, which is not helpful at all.
corporate media sucks to more or less degree; i feel bad for anyone who touches it. glad it's not my problem! best regards,
On Tue, Dec 31, 2013 at 07:08:10PM -0800, coderman wrote:
Until now I have seen no facts that would make me distrust the major hardware vendors.
then you're not paying attention :)
Most of the implants are installed without us knowing for sure whether the vendors knew about that, or am I missing something? Every implant needs a dropper which installs it, or access to the supply chain, etc. I also don't count RSA as a hardware vendor in this case, as the backdoored RNG was included in their BSAFE suite, which is purely software.

Greetings,
Hannes
On Tue, Dec 31, 2013 at 8:02 PM, Hannes Frederic Sowa <hannes@stressinduktion.org> wrote:
... Most of the implants are installed without us knowing for sure whether the vendors knew about that, or am I missing something?
are you only considering this 30C3/catalog set of docs? venally complicit to conveniently compromised to blissfully ignorant compromise of hardware vendors goes back to Crypto AG and as recently as the BULLRUN leaks. a bit too long and complicated a thread for this list, i think...
I also don't count RSA as a hardware vendor in this case, as the backdoored RNG was included in their BSAFE suite, which is purely software.
sure, just another example of in scope target for a "compromise all the things" approach. my point was to highlight their response as particularly deceptive and inexcusable when observing how the various parties not only respond, but act, in response to these leaks. (e.g. Google deploying crypto over their internal fibers is positive action. sitting silent or deflecting criticism not confidence inspiring...) best regards,
On Tue, Dec 31, 2013 at 11:04:19PM -0800, coderman wrote:
On Tue, Dec 31, 2013 at 8:02 PM, Hannes Frederic Sowa <hannes@stressinduktion.org> wrote:
... Most of the implants are installed without us knowing for sure whether the vendors knew about that, or am I missing something?
are you only considering this 30C3/catalog set of docs?
I was just referring to the Snowden documents.
venally complicit to conveniently compromised to blissfully ignorant compromise of hardware vendors goes back to Crypto AG and as recently as the BULLRUN leaks. a bit too long and complicated a thread for this list, i think...
Ok, Crypto AG is a story of its own, I agree. But they are not that much of a major hardware vendor, either. Depends on which customer base you consider.
I also don't count RSA as a hardware vendor in this case, as the backdoored RNG was included in their BSAFE suite, which is purely software.
sure, just another example of in scope target for a "compromise all the things" approach.
my point was to highlight their response as particularly deceptive and inexcusable when observing how the various parties not only respond, but act, in response to these leaks. (e.g. Google deploying crypto over their internal fibers is positive action. sitting silent or deflecting criticism not confidence inspiring...)
Agreed, but in the end it is important how they act in the long term. But more time needs to pass before conclusions can be drawn. It is much more difficult for hardware vendors to pull off such good PR stunts as Google did. Also, I guess Google had this change in the works for a longer time; otherwise I don't know if they could have made the switch to crypto for their internal cross-DC links so rapidly. It still seems like a lot of work plus testing, and their services seem highly dependent on good latency.

Greetings,
Hannes