BadBIOS forensics

rysiek rysiek at hackerspace.pl
Thu Jul 17 03:49:22 PDT 2014


On Wednesday, 16 July 2014 10:41:34 Steve Furlong wrote:
> On Wed, Jul 16, 2014 at 7:19 AM, Bluelotus <bluelotus at openmailbox.org> wrote:
> > I am donating BadBIOS infected laptops, flashdrives, tampered live fedora
> > CD, infected personal files (plain text files, MP3, PDF, jpg, tiff, doc),
> > infected external DVD writer, etc. to anyone interested in conducting
> > forensics
> 
> Forensics is fine, I suppose, but wouldn't it be better to donate them to
> some organization that you don't like? The reelection committee for some
> politician you don't like, a lobbying group whose position you despise, or
> a charity which is conspicuous for high overhead might be deserving
> recipients.

No. I feel an internal disgust at such an idea. Had you full control of the 
bugs/implants and could actually get the info/data out and then leak it to 
Wikileaks/whatever, then it would have a shred of sense, because you could use 
these tools as a force for good.

The way it is, you don't have such control. So you would be giving these away 
to some orgs you don't like hoping this will get them in hot water with the 
NSA/the government.

There are two scenarios here. Either you'd be de facto giving a present to the 
NSA -- and I don't feel like giving the NSA presents; or, it would be an org 
that works with the NSA, or at least is conducive to whatever the gov does -- 
hence, the implant-gathered data would not be used.

Of course you could also hit a potential whistleblower within such an 
organisation, which would be even worse.

Either way, a bad, bad idea.

Forensics is the way here.

> (Not on topic, but I never donate cash to charities or other
> not-for-profits. I've done various support work (as a paid consultant) for
> quite a few NFPs, including work on their accounting databases, and every
> single one had funny business going on with the money. Not necessarily
> covering up pilferage by corporation bosses, though there was some of that,
> but always overhead that was much higher than reported. And usually the
> total compensation of the bosses was much higher than reported, if you
> include non-trivial expenses like paid-for cars. I'm not interested in
> putting money in the pocket of someone with three times my income while
> they poor-mouth to get more donations.)

Sorry you had bad experiences. I work in an NGO that tries to be at least 
partially funded by donations, and it's fucking hard. We want to be funded by 
donations because being funded by grants or sponsors is always a "strings 
attached" situation, and we need to be as independent as possible. Employees 
here get decent, but not high, pay, and there are no perks like paid-for cars.

-- 
Regards
rysiek