"To Protect and Infect" - the edges of privacy-invading technology

Hannes Frederic Sowa hannes at stressinduktion.org
Tue Dec 31 10:04:52 PST 2013


On Mon, Dec 30, 2013 at 10:19:21PM -0800, coderman wrote:
> On Mon, Dec 30, 2013 at 9:14 PM, Hannes Frederic Sowa
> <hannes at stressinduktion.org> wrote:
> > ...
> > Actually, somehow, I have a feeling of relief to see that major hardware
> > vendors don't seem to specifically work hand in hand with the NSA to
> > implement backdoors.
> 
> you're assuming this dump is exhaustive.  this is a very specifically
> themed/focused release of top end tactics and exploits (essentially
> weaponized platforms for targeted attacks). Jake says as much about
> what they're dropping, which while impressive, has still gone through
> the "best interest of public safety scrutinizing and censorship"
> rigmarole.
> 
> the indiscriminate, wholesale compromises are just getting started...
> these disclosures will have more impact: financially to the impacted
> vendors, effectively to IC as known vulnerable hardware and software
> is replaced, and to the public at large now exposed to even more
> essentially incomprehensible disclosures of vulnerability and
> compromise.

Sorry, no. It is absolutely important to be exhaustive and correct here.
Otherwise this whole thing could get out of hand and could get much worse.

There is a very big difference in how e.g. I (and a lot of other people
too, I guess) will react to vendors whose debug interfaces were just hijacked
by the NSA to install backdoors and to vendors who worked hand in
hand with the NSA to do so deliberately. And we cannot just assume that
because it looks like the easiest way to deal with this for us now and
blame others! Also, if this talk does not specifically say that those
vendors were working with the NSA, it would have been important to make
clear that we don't know and we cannot judge them by the facts presented
now. A lot of people, who seem to be really loud, often get this wrong.

If such FUD is spread against vendors, which in my opinion do actually have a
valid interest in trying to stop those back doors, what do you think a
lot of members of this community will do? Cut off communication with those vendors,
place them on their I-will-never-work-there lists? And I say that they will
still sell shitloads of trucks of hardware.

As a manager with no technical background at such an accused company,
what do you think they will do? Will they push things like secure boot
down our throats?  Will they make all the hardware much more closed
in fear this community does bad PR against them otherwise? Is that the
outcome we want?

At past Chaos Communication Congresses I really think those vendors would have
been cheered for having an open JTAG interface on a board. It seems days have
changed.

Until now I saw no facts that I distrust the major hardware vendors. I
already have a bad feeling with that but I need to be still reasonable
here, too. I cannot accuse those companies by the facts presented
until now. But essentially, it is important that this community does
work hand in hand with those vendors who are willing to and just got
exploited by the NSA to not bring them to the wrong conclusions and
make tampering with the hardware harder but instead make open source
BIOS and firmware that users can build and verify themselves. Make
documentation more open, show them people do care about that. If secure
boot or other means get established, show the users how they can use
that for *their* own good, build up *their* own crypto chains etc. Make
firmware source code trackable via source repos, provide ways to rebuild
that code bit-by-bit. Provide repositories with changes, instead of
giant source code drops. Otherwise a new generation of NSA backdoors
will have it much easier to be really hidden in that hardware.

That may add additional costs for those companies. So show them it is worth
it!

> > I don't see that having a JTAG connector publicly
> > accessible on a RAID controller as a hint for that. The other disclosures
> > also point to my conclusion that the NSA is mostly working on their
> > own. Of course, not all of Snowden's documents are released yet and
> > hence my feeling could be deceiving.
> 
> this is just an example of how, when the NSA pursues "all means and
> methods in parallel, without restraint" seemingly innocuous oversights
> are intentionally leveraged and discouraged from remediation for use
> in tailored access (black bag / targeted) attacks.

Yeah, the NSA and NSA only. Until now I have no facts that anyone but
the NSA does so deliberately.

> > I thought it could be worse.
> 
> it is worse.

Let's not make it worse ourselves. ;)

I don't want to see what the PR persons on those accused companies' Twitter
feeds will have to go through now. I guess lots of overreaction is happening
now, which is not helpful at all.

Greetings,

  Hannes




More information about the cypherpunks mailing list