Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Monday June 24 2019, @11:42PM   Printer-friendly
from the deep-seated-insecurities-and-paranoia dept.

NSA Starts Contributing Low-Level Code to UEFI BIOS Alternative

The NSA has started assigning developers to the Coreboot project, which is an open source alternative to Windows BIOS/UEFI firmware. The NSA's Eugene Myers has begun contributing SMI Transfer Monitor (STM) implementation code for the x86 processor. Myers works for NSA’s Trusted Systems Research Group, which according to the agency’s website, is meant to “conduct and sponsor research in the technologies and techniques which will secure America's information systems of tomorrow.”

Myers published a paper about STM last year on how NSA’s STM implementation could work. All Coreboot code, including all the STM contributions from the NSA, are open source, so anyone could verify that there is no backdoor in there -- in theory.

In practice, the NSA could have also written the code in a less-than-secure way with vulnerabilities that are hard to detect without more experienced security researchers. Alternatively, the NSA could also update this implementation years later, when there are less eyes on the STM implementation and the update would no longer make headlines.

Better to avoid coreboot and feel secure that the hardware could never subvert my expectations of security and privacy. /s


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Insightful) by RandomFactor on Tuesday June 25 2019, @12:07AM (15 children)

    by RandomFactor (3682) Subscriber Badge on Tuesday June 25 2019, @12:07AM (#859549) Journal

    I wouldn't dismiss it so lightly.
     
    Cyber warfare is asymmetrical. Every bit of cyber warfare we shut down, even if it shuts it off from us as well, accrues to the US's benefit. And the folks doing this aren't stupid enough to think an open source project won't be dissected by the North Koreans, China, Russia, and every Hackioso in existence.

    --
    В «Правде» нет известий, в «Известиях» нет правды
    Starting Score:    1  point
    Moderation   +2  
       Insightful=1, Interesting=1, Total=2
    Extra 'Insightful' Modifier   0  

    Total Score:   3  
  • (Score: 5, Insightful) by edIII on Tuesday June 25 2019, @12:38AM (14 children)

    by edIII (791) on Tuesday June 25 2019, @12:38AM (#859558)

    Correct, we must dismiss it firmly.

    While the NSA could provide some excellent code, as they do recruit very high level talent, their primary mission to date has been to lessen the levels of security. Secret knowledge of these weaknesses, constructed or just discovered, we are all weaponized. All those tools they developed (Shadow Brokers) are extremely indicative of this paradigm. As to the excellence of their deception and subversion, they compromised a CSPRNG they were recommending in a very impressive and hard to detect manner.

    If we are to believe the NSA, they've turned a complete 180 degrees from the organization that conspired with telcos to spy on people. It was one of Obama's lies that he would fight and hold people accountable in that fiasco, and of course, nothing ever did happen.

    Open Source security based on peer review is a LIE. The code isn't being sufficiently reviewed because corporations aren't paying to exhaustively do so, and at most, contribute code once in awhile. Basically, everyone else assumed somebody else was doing the job, but in reality, nobody was doing the job.

    So who is going to put up serious cash to have multiple pentesting outfits check the NSA's contributions out? Who is going to manage the crowdfunding to pay core developers of major projects (FreeBSD, OpenBSD, Debian, etc.) to test it?

    That's why it's not economically viable to accept code contributions from the NSA period. Impossible to trust, and too dangerous to ignore. We would need a new agency who's publicly avowed mission is to increase security levels wherever or however they can, and be governed by laws and regulations that make it TREASON to weaponize security vulnerabilities with oversight from the national security apparatus.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 2, Insightful) by PartTimeZombie on Tuesday June 25 2019, @12:50AM (2 children)

      by PartTimeZombie (4827) on Tuesday June 25 2019, @12:50AM (#859561)

      RandomFactor might be assuming that the NSA will act in his interests just because he lives in the US.

      • (Score: 1) by RandomFactor on Tuesday June 25 2019, @10:36PM (1 child)

        by RandomFactor (3682) Subscriber Badge on Tuesday June 25 2019, @10:36PM (#859892) Journal

        Personally? No, i'm part of the faceless masses, they would sacrifice me in .001 seconds to give some random adversary a hangnail...for the greater good.
         
        However I do believe they will act as directed in the country's interests.
         
        And you can count on widely adopted firmware code being audited at a scale and to a depth rarely seen, with every security group wanting a name, every government with a stake and every hacking group in existence fuzzing and fiddling with it.

        --
        В «Правде» нет известий, в «Известиях» нет правды
        • (Score: 2) by PartTimeZombie on Tuesday June 25 2019, @10:48PM

          by PartTimeZombie (4827) on Tuesday June 25 2019, @10:48PM (#859897)

          However I do believe they will act as directed in the country's interests.

          That might be where we part ways.

          I am sure they will act in what they think will be your country's interests, but that might not align with your interests.

          Particularly if happen to be in the cannon-fodder class.

    • (Score: 1) by fustakrakich on Tuesday June 25 2019, @01:43AM (5 children)

      by fustakrakich (6150) on Tuesday June 25 2019, @01:43AM (#859570) Journal

      We would need a new agency who's publicly avowed mission is to increase security levels wherever or however they can...

      Yes. The New and Improved NSA! (NINSA)2

      Since doing that would be so trivial, why not just elect politicians that will re-purpose the old one? We can keep them down to three letters that way at least.

      Bad news everybody. Oversight is our problem. You can't really farm that out. We are on our own.

      --
      La politica e i criminali sono la stessa cosa..
      • (Score: 5, Informative) by edIII on Tuesday June 25 2019, @02:33AM (4 children)

        by edIII (791) on Tuesday June 25 2019, @02:33AM (#859580)

        The new part is that any NINSA agent, or Senator involved, in weaponization of vulnerabilities can be charged with treason.

        However, given our current sitting president and administration is entirely above the law, I share your incredulity that such a system of trust can be established in the first place. That's why I thought I set the bar so high it was ridiculous on its face.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 2) by JoeMerchant on Tuesday June 25 2019, @03:29AM

          by JoeMerchant (3937) on Tuesday June 25 2019, @03:29AM (#859598)

          given our current sitting president and administration is entirely above the law

          Newsflash: this has been true for centuries. The current administration is just dumb enough to flaunt it out there where even idiots can see what they're doing. Dumb, and in power - and I'm afraid that 49% of the voters in 2020 are still going to vote to bring them back, because the other side is too greedy to carve out a political stance that could get more than 51% of the vote.

          --
          🌻🌻 [google.com]
        • (Score: 0) by Anonymous Coward on Tuesday June 25 2019, @10:40AM

          by Anonymous Coward on Tuesday June 25 2019, @10:40AM (#859663)

          Has anyone wondered if Osama bin Laden's inspiration was actually John Carpenter's 1981 'Escape from New York'? It has Air Force One crashing into the penal colony of Manhattan, showing a computerized projection of the plane(or escape pod) entering and then tumbling down through a building. It also has the World Trade Center as a major plot point, being the insertion point for Snake's glider and planned extraction point for the captured president. It also ends with the American president showing his disregard for the loss of life, and the anti-hero Snake destroying the peace summit audio tape documenting nuclear fusion, so that the US, China and Russian peace summit will collapse.

        • (Score: 3, Informative) by J053 on Tuesday June 25 2019, @09:31PM (1 child)

          by J053 (3532) <dakineNO@SPAMshangri-la.cx> on Tuesday June 25 2019, @09:31PM (#859862) Homepage
          Don't be so quick to throw around the "TREASON!!!1!!" cry. Our Founding Fathers had good reason to be wary of over-broad accusations of treason - under the laws they had to live with, if I called Trump a fat, cheeto-faced dictator wannabe, that would be considered treason and I could be executed, as well as having all of my property seized and my descendants being denied any kind of government jobs or services (see Bill of Attainder). That's why the US Constitution explicitly and narrowly defines treason:

          Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort. No Person shall be convicted of Treason unless on the Testimony of two Witnesses to the same overt Act, or on Confession in open Court.

          The Congress shall have Power to declare the Punishment of Treason, but no Attainder of Treason shall work Corruption of Blood, or Forfeiture except during the Life of the Person attainted.

          Art.III, Sec. 3

          This is a good thing. Treason is the worst crime one can commit against one's country, and should be very hard to prove and punish. We need to find another word for what everybody and his brother keeps calling "treason" these days.

          • (Score: 2) by edIII on Tuesday June 25 2019, @10:09PM

            by edIII (791) on Tuesday June 25 2019, @10:09PM (#859883)

            I consider what those NSA agents did to be as bad as what you describe, and wholly deserving of the term treason. They meet, or exceed, the definition.

            We have enemies. We have enemies operating today in U.S Cyberspace, which is the same as United States Territory. We have enemies that have caused many billions in damages to our country. The NSA's paradigm of exploiting/cultivating security weaknesses is tantamount to offering the enemy aid and comfort. In this specific case, it was arming them with cyber weapons that are being used against us. Their specific actions also significantly, and in some cases entirely, reduced the levels of security for the average citizen and small businesses. There is a US city paying ransom to our enemies in cyberspace that operate inside the US against US citizens.

            I stand by what I said. These people need be tried for treason. It absolutely should be treasonous to weaponize security vulnerabilities, or in other words, create powerful platforms of cyber weapons. The only thing the government needs to do is increase our levels of security, and they deserve all the skepticism they get after what they've done.

            --
            Technically, lunchtime is at any moment. It's just a wave function.
    • (Score: 5, Interesting) by JoeMerchant on Tuesday June 25 2019, @03:12AM (2 children)

      by JoeMerchant (3937) on Tuesday June 25 2019, @03:12AM (#859589)

      While the NSA could provide some excellent code, as they do recruit very high level talent, their primary mission to date has been to lessen the levels of security.

      While this is the easy tinfoil hat reflex to respond with, think for a moment:

      The NSA is all over UEFI, learning its weaknesses and exploits for them, they've got staff more highly skilled in BIOS security than the crew that designed and implemented UEFI in the first place. Police of various stripes have been demanding legislated backdoors in consumer goods since forever, and politicians periodically back them and attempt to apply pressure to get them installed in products like UEFI - but anybody who's ripped a DVD or BluRay knows that "secret keys" don't stay secret for very long, and any legislated backdoor is just a headstart for the keyholders and ultimately makes the systems vulnerable to everyone.

      Along comes CoreBoot - open source, open review. While the NSA could be attempting to plant vulnerabilities in the code, I think they have a greater incentive to apply their skillset to closing subtle vulnerabilities - and anything so obvious as a backdoor can simply be ripped out by the review team.

      I agree: NSA code should get the most stringent reviews of any accepted into the project, but to turn their contributions away without review would be to ignore a very valuable resource, and one that probably is actually driving to make a more secure end product. Unless they start promoting wonky things like unproven elliptical curves, etc., in which case they can f right off and release their own fork of CoreBoot to anyone who wants the Trump administration snooping in their systems and archiving all their data for leverage in the coming decades.

      --
      🌻🌻 [google.com]
      • (Score: 2, Interesting) by DECbot on Tuesday June 25 2019, @04:23PM (1 child)

        by DECbot (832) on Tuesday June 25 2019, @04:23PM (#859765) Journal

        I've added an extra layer to my tinfoil hat this morning. Look, you apply resources to make the BIOS firmware open source and make the code clear to read and strictly without any backdoors. Why? because you are hiding the backdoors hidden in the hardware. As the attacker, any system you've compromised the first task is to hide that it's compromised and the second task is to secure it from other attackers. The NSA likely knows UEFI is ripe for compromise and cannot get the vendors to do anything to change that. By rolling their own BIOS and make it ultra secure, they can ensure that they can keep their beachhead on the hardware and hide it from other attackers.
         
        In other words, the CPU and NIC are both compromised and they have to secure the BIOS to ensure that no one else can remove or exploit their access.
         
        Now excuse me as I turn the magnetron for my RF generator back on. We all know that passive RF blocking isn't enough anymore and we all need to protect our domiciles with active measures. Let me know when you've got a free energy device working in the 1200kw range. I'm beginning to suspect the power companies are conspiring with the UPS manufacturers ensuring their corruptive messages are making through the line conditioners, filters, and AC-DC-AC conversion.

        --
        cats~$ sudo chown -R us /home/base
    • (Score: 3, Interesting) by Anonymous Coward on Tuesday June 25 2019, @03:21AM

      by Anonymous Coward on Tuesday June 25 2019, @03:21AM (#859593)

      So, do not use a free and open firmware, and instead use a closed firmware from random vendor that is near guaranteed to include exploitable bugs, if not intentional back-doors (even if innocent, like some debugging back-door left in the production builds)?

      Yes, NSA touching the code leaves a taint, but free and open code still beats proprietary for being trustworthy.

      Maybe NSA taking interest in core boot will lead to more systems where you can flash core boot and get rid of the proprietary firmware. A deal with the devil-- but, at least, we might get something good out of it.

    • (Score: 1, Interesting) by Anonymous Coward on Tuesday June 25 2019, @03:43AM

      by Anonymous Coward on Tuesday June 25 2019, @03:43AM (#859606)

      So who is going to put up serious cash to have multiple pentesting outfits check the NSA's contributions out?

      The Chinese government and a few others presumably.