This Week In 'The NSA Knows F**king Everything': How It Hacked Most Hard Drives And SIM Cards
from the call-it-a-twofer... dept
Thought that the revelations of NSA/GCHQ spying were dying out? Having some “surveillance fatigue” from all the stories that have been coming out? Have no fear — or, rather, be very very very fearful — because two big new revelations this week show just how far the NSA will go to make sure it collects everything. First up: your hard drives. Earlier this week, Kaspersky Lab revealed that the NSA (likely) has figured out ways to hide its own spyware deep in pretty much any hard drive made by the most popular hard drive manufacturers: Western Digital, Seagate and Toshiba.
Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.
The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran’s uranium enrichment facility. The NSA is the U.S. agency responsible for gathering electronic intelligence.
A former NSA employee told Reuters that Kaspersky’s analysis was correct, and that people still in the spy agency valued these espionage programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.
As the report notes, it appears that this is a kind of “sleeper” software, that is buried inside tons of hard drives, but only “turned on” when necessary. The report notes that it’s unclear as to how the NSA was getting this software in there, but that it couldn’t do it without knowing the source code of the hard drive firmware — information that is not easily accessible. A few of the hard drive manufacturers have denied working with the government on this and/or giving them access to the firmware. It’s possible they’re lying/misleading — but it’s also possible that the NSA figured out other ways to get that information.
And that brings us to door number two: your mobile phone’s SIM card. Today, the Intercept revealed (via the Ed Snowden documents) how the NSA and GCHQ were basically able to hack into the world’s largest manufacturer of mobile phone SIM cards in order to swipe encryption keys, so that your friendly neighborhood intelligence snooper can snoop on you too:
The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.
In all, Gemalto produces some 2 billion SIM cards a year. Its motto is ?Security to be Free.?
With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider?s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.
The details of just how the NSA hacked into Gemalto are quite a story — and proves what a load of crap it is when the NSA and its defenders insist that they only target bad people. As former NSA (and CIA) boss Michael Hayden recently admitted, they actually like to spy on “interesting people.” And who could be more interesting than the people who have access to the encryption keys on billions of mobile phones?
And, yes, both of these hacks basically involve giving the NSA an astounding amount of access to our electronic devices:
Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. ?Once you have the keys, decrypting traffic is trivial,? says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. ?The news of this key theft will send a shock wave through the security community.?
[….]
The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. ?Gaining access to a database of keys is pretty much game over for cellular encryption,? says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is ?bad news for phone security. Really bad news.?
Between both of these big stories this week, it’s clear that the NSA is basically deeply buried in pretty much every bit of electronic equipment these days, with the tools ready to go to spy on just about anything. The idea that this power isn’t being abused regularly is pretty laughable.
Filed Under: certificate, encryption key, gchq, hacking, hard drives, malware, nsa, privacy, sim cards, spyware, surveillance
Companies: gemalto, samsung, seagate, toshiba, western digital
Comments on “This Week In 'The NSA Knows F**king Everything': How It Hacked Most Hard Drives And SIM Cards”
Why the fuck are these terrorists not in jail?
Re: Re:
Or a related question, since they pretty much have unrestricted access to everything, why is there still terrorism in the world?
Re: Re: Re:
1) They have built such huge haystacks that they have to identify targets by others means, which works for interesting targets like Gemalto, but not terrorists.
2) High level terrorist leaders avoid electronic communications, but use secure communications means like trusted couriers.
3) Protesters, and political organizers and parties that are outside of the main stream of politics pose a greater threat to the establishment that the terrorists, and are the real targets of all this surveillance.
Re: Re: Re:
Silly. Terrorism is not their goal, it’s just the bogeyman used to achieve total control.
Re: Re: Re: Re:
It’s a handy standby for when ‘communism’ or ‘socialism’ don’t scare us.
Re: Re: Re:
Probably because the NSA are the terrorists.
Re: Re:
I think its time we demand that these criminals be put in jail.
Re: Re:
Because their the ones who’d have to arrest themselves
That’s not a huge surprise. What are foreign agencies/terrorist doing in the US?
Re: Re:
They’re doing less harm than NSA, CIA, etc.
Re: Re: Re:
Through personal experience, I know you are mistaken.
Re: Re: Re: Re:
Even if I am mistaken, I don’t see how any personal experience you have could demonstrate that. Can you be more clear?
Re: Re: Re:2 Re:
An entity is attacking me with directed energy weapons and particle beam weapons. It’s mostly because they’re dicks. All my stuff has been hacked too. Maybe by both sides.
Re: Re: Re:3 Re:
Please put on your tinfoil hat, go set under your pyramid, smoke some happy weed, and recite your daily prayers to your Marsian god.
Re: Re: Re:4 Re:
This guy is probably one of them. They actually have disinfo guys stalk people around the internet to convince people directed energy weapons don’t exist so their terror op will get through. 20 years ago these terrorism/intelligence practices were considered covert. Now a bored teenager can find the original research papers for some of the technology hosted on a .mil webpage in an afternoon of googleing.
Re: Re: Re:5 Re:
http://www.zerohedge.com/news/2015-02-03/meet-british-armys-77th-battalion-mobilizing-1500-facebook-warriors-spread-disinform
Re: Re: Re:5 Directed Energy Weapons
What do you think that “Pulse” weapon is cops use from helicopters to disable cars?
Five minutes on Google will give you hundreds of hits on building a damned powerful maser from an old microwave oven. Of course, about half of the plans have no shielding or collimator, so you’ll fry yourself if you ever turn one on.
Hell, even a taser is a directed energy weapon. (aside… know what the taser acronym stands for? Thomas A Swift Electric Rifle (Yes, I’m old:)))
Re: Re: Re:6 Directed Energy Weapons
Some idiot has finally hooked an antenna up to the steering and acceleration/braking controls in some models. There should be a new rule. If you don’t want it hooked up to the internet, don’t put an antenna on it.
Re: Re: Re: Re:
Through personal experience, I know the probability that you have the clearance to view the information needed to quantify your claim is infinitesimally small.
…and that is how I know it is you that are mistaken.
I wonder if this means Stingray stations, which only the FBI is allowed to (not) talk about, uses this technology to give LEOs a lot more info than they have admitted to.
Re: Re:
I bet that is exactly why the FBI doesn’t want to reveal how the stingrays work. If people realize that the FBI/NSA/(insert agency here) can capture packets and decrypt them without any notification or trail then I bet most people would be very quick to not communicate vital/private information over a cell phone.
This is why we need to have end to end encryption as a layer on top of the normal encryption that phones already use.
So the NSA wears the biggest, blackest hat of all.
Shouldn’t there be some prosecuter out there working on a CFAA case against them? I’m sure the NSA could get about 10,000 years in jail for that level of deep invasion into other people’s technology.
Re: Re:
Almost everyone is focusing on the NSA’s ability to “get any data they want”, but if the NSA and other TLA’s are as deeply embedded into computer networks as they’re rumored to be, then they have, or can get, Read-Write access to damn near anything they want. You have to assume they can trivially plant evidence as easily as they can retrieve it.
Unfortunately, If we’ve crossed the rubicon, you can be certain that any prosecutors, judges, politicians, etc, who might initially push back against the NSA and other assorted three letter agencies might quickly find themselves convinced to look the other way, lest they end up out of a job or in prison.
Re: Re: Re:
thence EVERY DIGITAL evidence against everybody is invalid …
due to the fact that the NSA can plant whatever they want (like CP) wherever they want !
THIS IS GREAT!!!
Re: Re: Re: Re:
and EVERY BANKING CARD TRANSACTION evidence is also invalid…
I did not buy that! the NSA bought it with my bank card !
Re: Re: Re:2 Re:
I’ll use this excuse next time I make too many internet purchases while drunk, thanks.
Re: Re: Re: Re:
Can’t wait to see someone try this defense in court and then lose terribly when it doesn’t work.
Re: Re: Re:2 Re:
Can’t wait to see someone try this defense in court and then lose terribly when it doesn’t work.
That’s exactly what would happen. Although for a politician or investigator, it wouldn’t have to get to court – just to the press.
Our societies built-in skepticism and inclination to pre-judge guilt based on the news media is exactly why this would be such a nasty lever, were it to be used – People claim “it wasn’t me” so frequently that no one pays attention when that might actually have been the case.
(please note, I’m not saying this has actually happened. I have not idea if it has or not. But assuming the NSA has its fingers into everything as deeply as it’s been reported – there’s nothing that can really prevent it.)
Re: Re: Re:2 Re:
That just means you have to report them. Just like an IT guy who runs across it, find it and turn them in. Your hands are clean after that.
Hard Drive Firmware
It is certainly feasible that the NSA did not need access to the firmware source code in order to pull off these kind of attacks. Ars Technica has an article explaining. These drives use standard debugging interfaces, and, with a bit of work, anybody with the right skill set can reverse engineer the firmware.
That’s not to say that the NSA didn’t have access to the firmware source. They certainly could get at it if they wanted. Just that they did not necessarily need the source in order to write this kind of malware.
Re: Hard Drive Firmware
I want to second what Kai said: it’s easy. You can easily find YouTube videos discussing how the Chinese clone manufacturers do it against custom hardware, it would be much easier against mass produced parts that have to implement published specs.
Re: Hard Drive Firmware
This is exactly right. I have been hired on multiple occasions by companies who have lost the source code to their firmware. I recover it for them through reverse engineering, sometimes using that exact method.
Re: Re: Hard Drive Firmware
Thanks guys for enlightening information
Re: Hard Drive Firmware
Maybe the NSA did not have the source, the first time.
Once in, they could just use the host systems to deploy along with the manufacturer’s change control and release, etc. no thats too fancy for them, I think they interrupted the shipments; it wasn’t just switches or routers…
Re: Re: Hard Drive Firmware
Remember 3-4 years ago when hard drive prices suddenly went up back to prices from say 2003 ? Well, I certainly do, the guy at the shop I always go to told me “a factory where 90% of hard drives are built was destroyed in a typhoon somewhere in Asia.” That could just mean, CSEC (in my case, hi guys!) grabbed a lot of hard drives from the warehouses they are stored in before being sent to retailers. So prices for already shipped hard drives go up for a while, compensates the companies. Seriously I never heard of such a hard-drive-factory-destroying-typhoon. There is about 6 large different companies that make hard drives of the regular SATA kind, why would all of them use the same factory? Never heard of that.
I got a 500gb WD that is still working, although it needs to have its circuit board changed, since about 5 months, didn’t get to order one because I’m kinda annoyed that I will have to get the circuit board from anybody like that. (such a thing didn’t bother me the other times I changed circuit boards on hard drives, but that was in 2006-2007. Kind of before a lot of things went to shit.
Re: Re: Re: Hard Drive Firmware
that was in 2006-2007. Kind of before a lot of things went to shit.
You mean before you knew about it.
Re: Re: Re: Hard Drive Firmware
You might have something. Especially with windows. It seems like windows is frequently saying a hard disk has become unusable, but putting in a linux boot cd shows no problem. This happened tree times in the last 2 years for me. In one case, I just made the machine a linux machine, in the other case, using linux, i was able to get the drive working with windows again. Its one thing for them to put UA code on the device, but buggy code?
Re: Re: Re:2 Hard Drive Firmware
I don’t think you need to go looking for explanations for why Windows sometimes has problems. Occam’s Razor would lead one to believe it’s just problems with Windows – even if the drive actually is NSA-infected.
Re: Hard Drive Firmware
Yeah, most any bored teenager could do it in an afternoon.
is it sad when it turns out, I wasn’t paranoid enough?
Re: Re:
That was you giving them the undeserved chance
Re: Re:
Insightful and lol funny! Thanks TAC.
Re: Re:
We are going to have to start double and triple wraps for the tinfoil hats as a single rap is still allowing them through.
Even worse, NSA did nothing to close the security holes it discovered/opened up. If other entities are also injecting covert software on hard drive firmware, or also possess the Gemalto keys, *they* have just as much access to our data. No doubt, it’s a national security threat.
If only we had some kind of department or agency in charge of dealing with that sort of thing.
Re: Re:
“Even worse, NSA did nothing to close the security holes it discovered/opened up.”
Of course not. If they close holes, then they can’t use those holes.
Re: Re: Re:
Of course not. If they close holes, then they can’t use those holes
Should we start passing around the butt plugs or should we wait till our holes are sore from the agencies first?
Re: Re: Re: Re:
The holes biggest enemy is the pile
Something tells me we have’nt even scratched the surface of the abuse their participating in this very minute
And now, those of other nations who were’nt aware the extend of our “beloved” intel agencies……what are they gonna do, ignore it, call for a stop, or force a similar implementation they wouldnt have otherwise, thanks to our “beloved” intel agencies showing them just how far they went……….another bloody war, albeit a digital one, everything is fucking war with them……..their gonna keep escalating and escalating, one side then the next, trying to get a one up over another, before you know it, the internet will be the most insecure it has been in its entire fucking lifetime, opposite to the justification that their “protecting” the internet………f good for nothings, instigators of war…….no, instigators of big guy vs little guy in their struggle for dominance
“but that it couldn’t do it without knowing the source code of the hard drive firmware — information that is not easily accessible. A few of the hard drive manufacturers have denied working with the government on this and/or giving them access to the firmware. It’s possible they’re lying/misleading “
I read in another article that a company was asked by the government who were gonna implement their ?something?, to hand over readable source code of their propriety software, for security reasons, which i might add the public has as much right to as well, anyway, the company representative suggested that it could be likely that they keep that source code indefinatly, which at minimum says there is no prior agreement to delete the cide once audited
I think its plausible that a government would pull the national security card, and demand the source code, so yeah, in this respects, i do believe they have access to to what is normally closed source material in the public
and i strongly suspect, considering the obvious benefits to entities such as our “beloved” intel agencies, that they have the samething going on with closed source phone modems, a bit of kit that can recieve/send data REMOTELY
Re: Re:
Also, others claimed theres the possibility of reverse engineering the code
Re: Re: Re:
Why go to the trouble of reverse engineering when they can just issue an NSL and take it?
What do you want to bet that the spyware is activated by the OS using lines of code that also got inserted by the NSA.
Wow, so that is where that Billion dollars went. Burn baby burn.
Time for an Update...
Looks like it’s time for an update on the way that cellular communications are done… In addition to encrypting the wireless signals themselves, it’s about time for the cell phone companies add end to end encryption (like TLS) for the voice data as well. This way even if the wireless signal is cracked using the SIM keys, your communications are still secure.
If not, it looks like it is time that people stop using their cell minutes and switch to using VOIP over SSL and just using their data plans…
Re: Time for an Update...
If it is propriety it is insecure.
I’d like to know what Gemalto is gonna do about it……..knowing that what they’ve handed out is not secure, will they ignore this in the hopes that to few people find out about to cause any issues, or will they be outraged and say/do ….something to oppose such actions and restore a tinsy winsy little faith
Re: Re:
There’s nothing Gemalto can do about it that would be meaningful. The specification was designed more to ensure that unauthorized handsets couldn’t use the network than to prevent mass surveillance from an organization with access to all of their keying material.
“Oh, hey, sorry about the compromised crypto keys on that first SIM, here’s a free replacement. We know that these crypto keys are secure because, well, Um….”
Re: Re: Re:
I get it, but a public statement would fall under my minimum category, i dont expect a fix, but i at least expect them to say something for the record…….given enough of these, im pretty sure the pressure will start mounting up, for meaningfull change whether internally by governments, or externally by programers consistantly hearing about these statements……..maybe enough so, that its going through their minds when their planning their new project from the ground up, who knows, maybe the next evolution of defensive privacy/security is around the corner……..
Re: Re: Re: Re:
They issues a public statement today: http://www.gemalto.com/press/Pages/Information-regarding-a-report-mentioning-a-hacking-of-SIM-card-encryption-keys.aspx
Re: Re: Re:
I don’t see any reason why Gemalto should have all the keying material. It should be the carriers that program a key into each one–and ideally, that key would only be used once, to sign a key that the SIM creates on first use. And that new key should be used rarely, to sign ephemeral keys with perfect forward secrecy. (Of course, if the carrier keeps a key to update SIM firmware, that would make a tempting target for the NSA.)
Re: Re: Re: Re:
This is the same thing RSA Security ran into with their keyfobs. For some reason they shipped them keyed instead of blank. Not only that, the private key was pushed to the fob instead of being generated by it—it’s not like RSA haven’t heard of public key crypto—and thus the keys were all compromised.
Re: Re: Re: Re:
They have it because the threat model when the spec was developed excluded (accidently or intentionally) “TLA’s grabbing all the keys”.
The current crypto key generation model saves time and costs associated with key generation at the time of deployment, and frankly, is probably a large part of why deployment is so smooth (I can go to my cell phone carrier today, ask for a SIM card, and get one, pretty much no questions asked).
(and, by the way, anyone know if the SIM’s pre-printed ID is also the key? From what I”ve seen, the crypto algorithms are clearly symmetric, there’s no reason the SIM ID couldn’t be the actual crypto key)
Did the NSA need the hard drive firmware source ?
“The report notes that it’s unclear as to how the NSA was getting this software in there, but that it couldn’t do it without knowing the source code of the hard drive firmware”
The EFF’s article, however, concludes that “at least two published projects from years past have demonstrated otherwise”.
If im understanding the sim encryption diagrams in another article, if your using a vpn, assuming your vpn provider is’nt compromised, theres still some level of encryption, no?
Re: Re:
Yes, there is.
This is about the crypto used in the communications with the cell tower. That crypo’s primary purpose is to ensure that no unauthorized phones are using the cell system. It’s not really intended to protect your privacy as such.
The breaking of the crypto exposes real vulnerabilities, though, and can make it possible for attackers to gain total access to your phone. If they have that, then they could obtain the private keys to your own crypto. If that happens, all bets are off.
Connecting the Dots
In a past article, Techdirt covered the White House intelligence task force’s report on how to reform the NSA, and the report implied the NSA engaged in financial manipulation. Now fast-forward to this story about SIM Card hacking and you read this:
I’d bet good money the intelligence task force reviewed this operation and freaked out like the rest of us.
Re: Connecting the Dots
I’d bet good money the intelligence task force reviewed this operation and freaked out like the rest of us.
Or not, since there’s no indication that these kinds of activities have stopped. At this point, I don’t see why a reasonable person would believe anything the NSA says.
Yes, I am going out on a limb and saying that if you believe anything the NSA says, you are nuts.
… it’s just easier NOT using mobile devices or computers.
Kinda what I thought a long time ago, and why I still don’t have a cell phone.
Re: Re:
It’s getting harder as phone booths keep disappearing, though.
Re: Re: Re:
Is that why landline phones are the only way to escape the Matrix once unplugged?
Re: Re: Re:
At this point it would be pretty easy for the NSA to tap all the payphones.
I remember when we were all speculating that next they would be installing backdoors……….so it seems they already had
I wonder what those who use these tools think if/when they see these stray comments predicting correctly what their doing……..do they have any regrets…., i want to say no
Hard to sound crazy, but. . .
As a linux user i have wondered if they have a hand in systemd, with it’s change to binary log’s and overall obscuring of the boot process. Red Hat like any other company doesn’t want to risk losing profitable government contracts by not helping to stop terrorists.
But that’s just crazy talk. . . right?
Re: Hard to sound crazy, but. . .
Linux is not that well protected once the attacker gains physical access to the machine, it was designed to prevent remote attacks.
E.g. you can bypass the authentication and gain root access by modifying the kernel boot parameters in GRUB. Disk encryption helps a lot in this scenario, but since we assume physical access, a key logger or well-placed camera should work fine against password-protected disk encryption…
Re: Hard to sound crazy, but. . .
OF COURSE is systemd compromised…
that is the hole reason they are fighting against it!
>_
Spying on you to protect you. 😛
You know it.
I previously commented as IronChef and Iron Chef.
😛
Real cool. Stay safe and sane guys. Everyone I know likes your work;
Im at at a UNION now. 😉
Hats off to Snowden for risking his life to tell us what he did. He surely has earned his place as the most epic leaker in history. But it’s hilarious that despite all its billions of dollars, its massive team of super geniuses, and complete and utter unaccountability for doing damn near anything legal or otherwise, the NSA still let a barely-above-average contractor walk out with millions of pages of its most valuable secrets.
Re: Re:
I think it is inaccurate that Snowden was a “barely-above-average contractor”. It sounds like he was very talented and that is how he ended up getting such privileges.
Good news is that post-Snowden they have probably become so paranoid about access as to cripple their operations. It is also likely that they have tightened up vetting on staff to the point where only the most useless authoritarian, aspergers types make it through. This is on top of the major recruitment problems that will already have resulted from widespread public outrage.
Keep it up friends. The alphabet bandit agencies are dangerous, criminal organizations. Keep repeating it. Again and again. Until they are so toxic that no one wants to associate with them.
So all modern hard drives are hackable by the NSA…
So how many ST506’s do you think it will require to install Call of duty? Will be fine if i set aside a room for them 😀
With these stolen encryption keys, ‘intelligence’ agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments.
So basically, I’m now a terrorist even without any evidence against me. Oh well, I might as well go do what I’m accused of since I’m guilty until proven innocent through torture. See me beheading James Clapper in Daesh territory on YouTube next week!
wha?
I’m afraid some of you have the wrong ideas here. They now have an added feature on all electronics, remember the old machine language? You had to program in assembly to get interpreted to proto basic to run the function at machine level, that’s where this is. On the chip that activates the machine, it tells the transistors, what to register. So they know what and where, now to get them to do something legal with this information, like legally solve a crime. Think of all the missing people in the world that have some electronic thing with them! All the criminals thought to be evaiding the law, all the though crimes, like a dog barking up a tree, right. Them doing something good? Hah..
Time for a new open source project
I think it’s time for a couple of new open source projects.
One to update hard drive firmware with a known _good_ (a.k.a. non-NSA bugged version).
The second to update the encryption keys in your SIM cards.
Boot from a known _good_ copy of Linux (read-only media), reflash HD firmware as soon as you open the box. Check again every so often to make sure it’s still clean.
Installing a new OS used to consist of;
-Partition the hard drive
-Format the hard drive
-Install the OS
Now it needs to be:
-Reflash the hard drive firmware
-Partition the hard drive
-Format the hard drive
-Install the OS
Sure TAO can probably find a way to monkey with it again, but then they’ll have to _actively_ do something. Surveillance has gone ultra-wide band because it’s gotten so easy. When you used to have to break into some one’s home or office, plant a bug, monitor that bug, transcribe what you hear, etc. not a lot of people were surveilled. Now you can just use a computer to tap the internet, track everyone by their cell phones, and now break into large numbers of computers using sleeper hard drive firmware from the comfort of their own offices.
We may not ever be able to completely stop the NSA/GCHQ/etc., but we can sure make it as difficult/time consuming/painful as possible.
Then _maybe_ they’ll have to be a bit more particular about who they surveil.
Re: Time for a new open source project
An open-source firmware for hard disks may not be as simple as that. I’ve heard – 2nd hand, but from a source I put a reasonable amount of trust in – that at least one of the vendors listed has set the hard drives up to require signed firmware, or the disk won’t accept it. if you can’t sign the code with a key the disk will accept, your open source project won’t gain traction.
Also: it would short sighted to assume the scope of the actions here is limited to hard drives. Yes, this set of recently released documents is HDD specific. Yes, HDD’s make an excellent target for this attack vector, for a variety of reasons, not the least of which is that, being hard disks, storage space presumably isn’t an issue and so you presumably wouldn’t be so severely constrained on the size of the malware you were shipping. But hard disks aren’t the only built-in peripherals that allow for field-upgradeable firmware. Video cards, mother boards, CPU’s – almost all of them have some amount of field-writable, onboard storage coupled with the firmware that allows them to operate. In fact, while they’d be harder targets, they might well be more valuable.
After all: You can remove a potentially compromised HDD from a system entirely, and run it off of live media on thumbdrive/cd/dvd/etc. Most people would have a very hard time running that same live media system w/o a video card. Or a motherboard.
Isn’t it illegal even for the government to violate the law? Why isn’t this considered a violation of CFAA? Shouldn’t the perpetrators be charged accordingly?
Re: Re:
Charged by whom? It is illegal, but I don’t think citizens have the right to charge the government with a crime in the USA–a prosecutor has to do it, and they’re not doing it. (Evidently, in some countries private citizens can file criminal charges.)
Re: Re: Re:
Can the companies that had their systems hacked and IP misappropriated file a civil suit?
Re: Re: Re:
Perhaps we’ve finally found a publicly beneficial use-case for ISDS.
Proof that the US gov wouldn’t bother with warrants in order to access US citizen’s information using mandatory backdoors or frontdoors. Whatever you want to call them.
land of the free. let’s keep telling ourselves that..
Re: Re:
Don’t forget that the US is also the land of unfettered Capitalism.
If you can afford it, you too can buy your freedom – from persecution, from surveillance, from incarceration, from law, from taxes, from… whatever the particular level of freedom you can afford offers freedom from.
So the meme “Get rich or die trying.” is now more than ever, the true motto of America.
—
Gummy Bear
“if we have information, we have everything.” (NSA).
But 3% of world is out of this thief. and in this 3%, many of them are scientists with very innovative researches.
They should open any history book and observe that no one is a friend of time. its a foe in the end. Statistically saying , future intelligence would be able to bash up these kinetic child of gods.
Adios.