Antivirus software will ignore FBI spyware: solutions

mmotyka at lsil.com mmotyka at lsil.com
Mon Nov 26 14:55:29 PST 2001


Sunder <sunder at sunder.net> wrote :

>Great and wonderful except:
>
>1. If such spyware has already been installed on your system you can't
>trust your os therefore:
>[snip]
>
Yes - end of story.


>2. Any hard drive you can access so can they.  "They" can patch your
>disk:
>[snip]
>
The only way I can think of to prevent this is to have the disk
completely encrypted in which case you could safely give a copy to
anyone who wanted one. The BIOS shouldn't be trusted either. The problem
then is booting which could be done from some sort of card/dongle that
you carry with you that requires a (many-digit) PIN before it
regurgitates your boot code.

>3. Newer G3+ Macs use open boot prom or some such which lives in
>eeprom.  Such things can be patched at that layer and can propagate on
>bootup.  Booting off a read only disk (CDROM, etc) wouldn't help in this
>case.
>
Yup. Maybe a bootFLASH can be replaced with some SRAM which must be
downloaded from your key device before booting. Something like: power
up, hold processor in reset, remove boot SRAM from bus, load boot code,
switch boot memory to system bus, allow startup.

>4. If you live in a crowded area, your iPod can be lifted off you
>in a false mugging, or break in, pickpocketing while you're at a
>restaurant, movie, etc.
>
A physical device plus a PIN seems somewhat immune to that problem. In
fact you could keep multiple copies.

>5. Watching for files that change daily is a fool's task for the reasons
>mentioned above, and the Sisyphean task it presents.  Better get the
>equivalent of Cops or Tripwire to do the work for you, but they too can be
>tampered with.
>
Mostly.

>6. If McAfee bent over to the Feds, you can be sure that so will the
>makers of Zone Alarm and other firewalls.
>
Probably anything that is exported and some that aren't.

>7. Remember, they don't need to capture all your keystrokes.  Just the
>ones you use as passphrases.  And they don't need to copy your whole hard
>drive, though they easily could when you're out of the house.  Just your
>secret key file and your passphrase.
>
>8. If you shut off your computer when you leave your house, it makes their
>job that much easier.  If you leave it on, they could note what's open and
>put it back to the same spot.
>
Not if there is no code in the clear on the machine - no functional
BIOS, no usable HDD.

>9. If you use a login screen, etc., or they could simply run something that
>would take a snapshot of your desktop, shutdown your Mac, install the
>malware/copy your files, and then boot off of a floppy that displays the
>screen you left up, plus a Type 1 Bomb (MacOS equivalent of blue screen of
>death), and eject the floppy, thus making it look like your Mac crashed,
>or, simply go down to the basement and trip your circuit breakers making
>it look like you've had a power failure (even UPS's run out at some
>point.)
>
With the BIOS and HDD encrypted, off is safe.

Might be a neat little gizmo with a keypad. BIOS is encrypted on the
motherboard. Boot memory is SRAM that is lost when power is removed
(lost short of extreme detection measures, that is). The little gizmo
reads the encrypted BIOS, decrypts and transfers it to boot SRAM.

>10. Ordered any new copies of a bit of software?  Maybe they have a deal
>with FedEx, UPS, the Mailman.  Maybe what you're getting is the upgrade
>and then some.  How can you tell that copy of SmallTalk doesn't carry an
>extra bit of code just for you?  How can you tell that the latest patch to
>MacOS you've just downloaded really came from Apple?  Sure DNS said it was
>from ftp.apple.com but how do you know that the router upstream from your
>internet provider didn't route your packets via ftp.fbi.gov?
>
>Once they have physical access, you're fucked.  Remote access is almost as
>dangerous as them having physical access, however it can work in your
>favor as they won't be as familiar with your environment, and thus are far
>more likely to expose the malware to you.
>
>Sure, all of these things are more or less preventable, except for
>physical access, and a lot of these come down to trust and reputation.
>But reputation and trust are also rubber hose-able (if there is such a
>word.)  :)
>
>You can trust your best friend until you find out otherwise.  You can
>trust your bank until you find out otherwise.  You can trust your software
>provider until you find out otherwise.  But by the time you've found out,
>if you've found out at all, you've already been fucked.
>
Maybe just installing an OS you got as a binary is all it takes to be
F'd. Maybe rebuilding that OS with an F'd compiler propagates the
effedness.

If you have everything encrypted until your key device readies it for
boot then you could run an F'd BIOS, OS and apps as long as you kept the
system isolated. Let it log all it wants. Sounds like a good sentence
for a Windows box.

Mike
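The boot path Mike sketches (encrypted boot code at rest, a key device that asks for a PIN, plaintext only ever in volatile boot SRAM, and a patched image refusing to load) as a small stdlib Python model. This is an added illustration, not code from the thread; the boot code and PIN are constructed, and HMAC-SHA256 in counter mode stands in for a real block cipher on the key device.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-ins: the boot code the thread wants kept encrypted, and the PIN
# the key device would prompt for. Neither value comes from the original post.
BOOT_CODE = b"constructed-boot-code:init-ram;probe-disk;jump-to-stage2"
PIN = "48213796"

def derive_key(pin: str, salt: bytes) -> bytes:
    """Stretch the PIN into a 32-byte key. A real key device would also enforce a retry lock-out."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES-CTR, not a production cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def seal_boot_image(boot_code: bytes, pin: str) -> bytes:
    """What sits on the motherboard/key device: salt || nonce || ciphertext || tag.
    Encrypt-then-MAC, so any patch to the stored image is caught before decryption."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(pin, salt)
    enc_key, mac_key = key[:16], key[16:]
    ct = bytes(a ^ b for a, b in zip(boot_code, keystream(enc_key, nonce, len(boot_code))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag

def unseal_to_boot_sram(blob: bytes, pin: str) -> Optional[bytes]:
    """The 'hold processor in reset, load boot code' step. Returns the plaintext destined
    for boot SRAM, or None (processor stays in reset) on a wrong PIN or a tampered image."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    key = derive_key(pin, salt)
    enc_key, mac_key = key[:16], key[16:]
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    stored = seal_boot_image(BOOT_CODE, PIN)
    print("boot SRAM:", unseal_to_boot_sram(stored, PIN))
    print("wrong PIN:", unseal_to_boot_sram(stored, "00000000"))
```

Because the plaintext exists only in the value returned for boot SRAM, powering off leaves nothing in the clear, which is the property the thread relies on for points 2, 3 and 8.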