[Cryptography] Who needs NSA implants?

Jerry Leichter leichter at lrw.com
Wed Dec 9 07:05:22 EST 2015


>> Because diverting them will let NSA flash BIOS trojans (or hard drive
>> firmware trojans).  All three of the issues that you mentioned are
>> resolved if you merely wipe the hard drive upon receipt.  NSA prefers
>> exploits that survive hard drive erasure and installation of a fresh
>> OS of your choice.
> Yes, but Jerry's point was that the original vulnerabilities are not
> accidental. Does getting admin privilege on such a system allow for
> installation of malware that survives a hard disk erasure in some
> places or is physical access ultimately necessary to do that?
Sure, I'll take credit for making that point.  :-)

Actually, I should have put a smiley on my subject line.  The only real point I was making was that the stuff we buy is so full of holes, as manufactured and delivered, that the highly sophisticated attacks we like to talk about don't much matter.  It's as if safes were regularly delivered with holes in the walls made of balsa wood painted to look like solid steel, and we were worrying about whether the locks could be picked by doing synthesis of 3D volumetric models based on backscatter X-rays.

BTW, this particular round of vulnerabilities *would* disappear if you wiped the disk and reinstalled the OS, but the previous two sets of vulnerabilities in shipping PCs would survive a clean installation of Windows.  Who knows what else is in there?  The current crop are *probably* due to incompetence rather than enemy action - but could you really tell for sure?
                                                        -- Jerry