posted by martyb on Monday June 24 2019, @11:42PM
from the deep-seated-insecurities-and-paranoia dept.

NSA Starts Contributing Low-Level Code to UEFI BIOS Alternative

The NSA has started assigning developers to the Coreboot project, which is an open source alternative to Windows BIOS/UEFI firmware. The NSA's Eugene Myers has begun contributing SMI Transfer Monitor (STM) implementation code for the x86 processor. Myers works for NSA’s Trusted Systems Research Group, which according to the agency’s website, is meant to “conduct and sponsor research in the technologies and techniques which will secure America's information systems of tomorrow.”

Myers published a paper about STM last year on how NSA’s STM implementation could work. All Coreboot code, including all the STM contributions from the NSA, is open source, so anyone could verify that there is no backdoor in there -- in theory.

In practice, the NSA could have also written the code in a less-than-secure way with vulnerabilities that are hard to detect without more experienced security researchers. Alternatively, the NSA could also update this implementation years later, when there are fewer eyes on the STM implementation and the update would no longer make headlines.

Better to avoid coreboot and feel secure that the hardware could never subvert my expectations of security and privacy. /s



This discussion has been archived. No new comments can be posted.
  • (Score: 0) by Anonymous Coward on Monday June 24 2019, @11:48PM (19 children)

    by Anonymous Coward on Monday June 24 2019, @11:48PM (#859541)

    If you want security and privacy with your computing, use microcontrollers fabbed in China.
    Like Arduino FTW.

    • (Score: 3, Insightful) by RandomFactor on Tuesday June 25 2019, @12:07AM (15 children)

      by RandomFactor (3682) Subscriber Badge on Tuesday June 25 2019, @12:07AM (#859549) Journal

      I wouldn't dismiss it so lightly.
       
      Cyber warfare is asymmetrical. Every bit of cyber warfare we shut down, even if it shuts it off from us as well, accrues to the US's benefit. And the folks doing this aren't stupid enough to think an open source project won't be dissected by the North Koreans, China, Russia, and every Hackioso in existence.

      --
      В «Правде» нет известий, в «Известиях» нет правды
      • (Score: 5, Insightful) by edIII on Tuesday June 25 2019, @12:38AM (14 children)

        by edIII (791) on Tuesday June 25 2019, @12:38AM (#859558)

        Correct, we must dismiss it firmly.

        While the NSA could provide some excellent code, as they do recruit very high level talent, their primary mission to date has been to lessen the levels of security. Secret knowledge of these weaknesses, constructed or just discovered, we are all weaponized. All those tools they developed (Shadow Brokers) are extremely indicative of this paradigm. As to the excellence of their deception and subversion, they compromised a CSPRNG they were recommending in a very impressive and hard to detect manner.

        If we are to believe the NSA, they've turned a complete 180 degrees from the organization that conspired with telcos to spy on people. It was one of Obama's lies that he would fight and hold people accountable in that fiasco, and of course, nothing ever did happen.

        Open Source security based on peer review is a LIE. The code isn't being sufficiently reviewed because corporations aren't paying to exhaustively do so, and at most, contribute code once in a while. Basically, everyone else assumed somebody else was doing the job, but in reality, nobody was doing the job.

        So who is going to put up serious cash to have multiple pentesting outfits check the NSA's contributions out? Who is going to manage the crowdfunding to pay core developers of major projects (FreeBSD, OpenBSD, Debian, etc.) to test it?

        That's why it's not economically viable to accept code contributions from the NSA period. Impossible to trust, and too dangerous to ignore. We would need a new agency whose publicly avowed mission is to increase security levels wherever or however they can, and be governed by laws and regulations that make it TREASON to weaponize security vulnerabilities with oversight from the national security apparatus.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 2, Insightful) by PartTimeZombie on Tuesday June 25 2019, @12:50AM (2 children)

          by PartTimeZombie (4827) on Tuesday June 25 2019, @12:50AM (#859561)

          RandomFactor might be assuming that the NSA will act in his interests just because he lives in the US.

          • (Score: 1) by RandomFactor on Tuesday June 25 2019, @10:36PM (1 child)

            by RandomFactor (3682) Subscriber Badge on Tuesday June 25 2019, @10:36PM (#859892) Journal

            Personally? No, I'm part of the faceless masses, they would sacrifice me in .001 seconds to give some random adversary a hangnail...for the greater good.
             
            However I do believe they will act as directed in the country's interests.
             
            And you can count on widely adopted firmware code being audited at a scale and to a depth rarely seen, with every security group wanting a name, every government with a stake and every hacking group in existence fuzzing and fiddling with it.

            --
            В «Правде» нет известий, в «Известиях» нет правды
            • (Score: 2) by PartTimeZombie on Tuesday June 25 2019, @10:48PM

              by PartTimeZombie (4827) on Tuesday June 25 2019, @10:48PM (#859897)

              However I do believe they will act as directed in the country's interests.

              That might be where we part ways.

              I am sure they will act in what they think will be your country's interests, but that might not align with your interests.

              Particularly if you happen to be in the cannon-fodder class.

        • (Score: 1) by fustakrakich on Tuesday June 25 2019, @01:43AM (5 children)

          by fustakrakich (6150) on Tuesday June 25 2019, @01:43AM (#859570) Journal

          We would need a new agency whose publicly avowed mission is to increase security levels wherever or however they can...

          Yes. The New and Improved NSA! (NINSA)2

          Since doing that would be so trivial, why not just elect politicians that will re-purpose the old one? We can keep them down to three letters that way at least.

          Bad news everybody. Oversight is our problem. You can't really farm that out. We are on our own.

          --
          La politica e i criminali sono la stessa cosa..
          • (Score: 5, Informative) by edIII on Tuesday June 25 2019, @02:33AM (4 children)

            by edIII (791) on Tuesday June 25 2019, @02:33AM (#859580)

            The new part is that any NINSA agent, or Senator involved, in weaponization of vulnerabilities can be charged with treason.

            However, given our current sitting president and administration is entirely above the law, I share your incredulity that such a system of trust can be established in the first place. That's why I thought I set the bar so high it was ridiculous on its face.

            --
            Technically, lunchtime is at any moment. It's just a wave function.
            • (Score: 2) by JoeMerchant on Tuesday June 25 2019, @03:29AM

              by JoeMerchant (3937) on Tuesday June 25 2019, @03:29AM (#859598)

              given our current sitting president and administration is entirely above the law

              Newsflash: this has been true for centuries. The current administration is just dumb enough to flaunt it out there where even idiots can see what they're doing. Dumb, and in power - and I'm afraid that 49% of the voters in 2020 are still going to vote to bring them back, because the other side is too greedy to carve out a political stance that could get more than 51% of the vote.

              --
              🌻🌻 [google.com]
            • (Score: 0) by Anonymous Coward on Tuesday June 25 2019, @10:40AM

              by Anonymous Coward on Tuesday June 25 2019, @10:40AM (#859663)

              Has anyone wondered if Osama bin Laden's inspiration was actually John Carpenter's 1981 'Escape from New York'? It has Air Force One crashing into the penal colony of Manhattan, showing a computerized projection of the plane (or escape pod) entering and then tumbling down through a building. It also has the World Trade Center as a major plot point, being the insertion point for Snake's glider and planned extraction point for the captured president. It also ends with the American president showing his disregard for the loss of life, and the anti-hero Snake destroying the peace summit audio tape documenting nuclear fusion, so that the US, China and Russian peace summit will collapse.

            • (Score: 3, Informative) by J053 on Tuesday June 25 2019, @09:31PM (1 child)

              by J053 (3532) <{dakine} {at} {shangri-la.cx}> on Tuesday June 25 2019, @09:31PM (#859862) Homepage
              Don't be so quick to throw around the "TREASON!!!1!!" cry. Our Founding Fathers had good reason to be wary of over-broad accusations of treason - under the laws they had to live with, if I called Trump a fat, cheeto-faced dictator wannabe, that would be considered treason and I could be executed, as well as having all of my property seized and my descendants being denied any kind of government jobs or services (see Bill of Attainder). That's why the US Constitution explicitly and narrowly defines treason:

              Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort. No Person shall be convicted of Treason unless on the Testimony of two Witnesses to the same overt Act, or on Confession in open Court.

              The Congress shall have Power to declare the Punishment of Treason, but no Attainder of Treason shall work Corruption of Blood, or Forfeiture except during the Life of the Person attainted.

              Art.III, Sec. 3

              This is a good thing. Treason is the worst crime one can commit against one's country, and should be very hard to prove and punish. We need to find another word for what everybody and his brother keeps calling "treason" these days.

              • (Score: 2) by edIII on Tuesday June 25 2019, @10:09PM

                by edIII (791) on Tuesday June 25 2019, @10:09PM (#859883)

                I consider what those NSA agents did to be as bad as what you describe, and wholly deserving of the term treason. They meet, or exceed, the definition.

                We have enemies. We have enemies operating today in U.S Cyberspace, which is the same as United States Territory. We have enemies that have caused many billions in damages to our country. The NSA's paradigm of exploiting/cultivating security weaknesses is tantamount to offering the enemy aid and comfort. In this specific case, it was arming them with cyber weapons that are being used against us. Their specific actions also significantly, and in some cases entirely, reduced the levels of security for the average citizen and small businesses. There is a US city paying ransom to our enemies in cyberspace that operate inside the US against US citizens.

                I stand by what I said. These people need be tried for treason. It absolutely should be treasonous to weaponize security vulnerabilities, or in other words, create powerful platforms of cyber weapons. The only thing the government needs to do is increase our levels of security, and they deserve all the skepticism they get after what they've done.

                --
                Technically, lunchtime is at any moment. It's just a wave function.
        • (Score: 5, Interesting) by JoeMerchant on Tuesday June 25 2019, @03:12AM (2 children)

          by JoeMerchant (3937) on Tuesday June 25 2019, @03:12AM (#859589)

          While the NSA could provide some excellent code, as they do recruit very high level talent, their primary mission to date has been to lessen the levels of security.

          While this is the easy tinfoil hat reflex to respond with, think for a moment:

          The NSA is all over UEFI, learning its weaknesses and exploits for them, they've got staff more highly skilled in BIOS security than the crew that designed and implemented UEFI in the first place. Police of various stripes have been demanding legislated backdoors in consumer goods since forever, and politicians periodically back them and attempt to apply pressure to get them installed in products like UEFI - but anybody who's ripped a DVD or BluRay knows that "secret keys" don't stay secret for very long, and any legislated backdoor is just a headstart for the keyholders and ultimately makes the systems vulnerable to everyone.

          Along comes CoreBoot - open source, open review. While the NSA could be attempting to plant vulnerabilities in the code, I think they have a greater incentive to apply their skillset to closing subtle vulnerabilities - and anything so obvious as a backdoor can simply be ripped out by the review team.

          I agree: NSA code should get the most stringent reviews of any accepted into the project, but to turn their contributions away without review would be to ignore a very valuable resource, and one that probably is actually driving to make a more secure end product. Unless they start promoting wonky things like unproven elliptical curves, etc., in which case they can f right off and release their own fork of CoreBoot to anyone who wants the Trump administration snooping in their systems and archiving all their data for leverage in the coming decades.

          --
          🌻🌻 [google.com]
          • (Score: 2, Interesting) by DECbot on Tuesday June 25 2019, @04:23PM (1 child)

            by DECbot (832) on Tuesday June 25 2019, @04:23PM (#859765) Journal

            I've added an extra layer to my tinfoil hat this morning. Look, you apply resources to make the BIOS firmware open source and make the code clear to read and strictly without any backdoors. Why? Because you are hiding the backdoors hidden in the hardware. As the attacker, any system you've compromised the first task is to hide that it's compromised and the second task is to secure it from other attackers. The NSA likely knows UEFI is ripe for compromise and cannot get the vendors to do anything to change that. By rolling their own BIOS and making it ultra secure, they can ensure that they can keep their beachhead on the hardware and hide it from other attackers.
             
            In other words, the CPU and NIC are both compromised and they have to secure the BIOS to ensure that no one else can remove or exploit their access.
             
            Now excuse me as I turn the magnetron for my RF generator back on. We all know that passive RF blocking isn't enough anymore and we all need to protect our domiciles with active measures. Let me know when you've got a free energy device working in the 1200kw range. I'm beginning to suspect the power companies are conspiring with the UPS manufacturers ensuring their corruptive messages are making it through the line conditioners, filters, and AC-DC-AC conversion.

            --
            cats~$ sudo chown -R us /home/base
        • (Score: 3, Interesting) by Anonymous Coward on Tuesday June 25 2019, @03:21AM

          by Anonymous Coward on Tuesday June 25 2019, @03:21AM (#859593)

          So, do not use a free and open firmware, and instead use a closed firmware from random vendor that is near guaranteed to include exploitable bugs, if not intentional back-doors (even if innocent, like some debugging back-door left in the production builds)?

          Yes, NSA touching the code leaves a taint, but free and open code still beats proprietary for being trustworthy.

          Maybe NSA taking interest in core boot will lead to more systems where you can flash core boot and get rid of the proprietary firmware. A deal with the devil-- but, at least, we might get something good out of it.

        • (Score: 1, Interesting) by Anonymous Coward on Tuesday June 25 2019, @03:43AM

          by Anonymous Coward on Tuesday June 25 2019, @03:43AM (#859606)

          So who is going to put up serious cash to have multiple pentesting outfits check the NSA's contributions out?

          The Chinese government and a few others presumably.

    • (Score: 1) by anubi on Tuesday June 25 2019, @03:32AM (2 children)

      by anubi (2828) on Tuesday June 25 2019, @03:32AM (#859600) Journal

      My arduinos are the only later tech machines I do trust. Damn near everything else I have has back doors.

      I guess my fear is that when I really need the thing, it won't work, or it will hold other stuff hostage until I agree to something else.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 0) by Anonymous Coward on Tuesday June 25 2019, @07:50AM (1 child)

        by Anonymous Coward on Tuesday June 25 2019, @07:50AM (#859641)

        I guess my fear is that when I really need the thing, it won't work, or it will hold other stuff hostage until I agree to something else.

        So people should do stuff like get an Apple phone AND a Huawei phone? ;)

        Unless of course they're going to somehow upset BOTH the US and China Govs?

        • (Score: 2) by Runaway1956 on Tuesday June 25 2019, @01:39PM

          by Runaway1956 (2926) Subscriber Badge on Tuesday June 25 2019, @01:39PM (#859702) Journal

          Unless of course they're going to somehow upset BOTH the US and China Govs?

          It is my goal in life to piss EVERYBODY off. :^)

  • (Score: 5, Insightful) by Rosco P. Coltrane on Tuesday June 25 2019, @12:02AM (12 children)

    by Rosco P. Coltrane (4757) on Tuesday June 25 2019, @12:02AM (#859544)

    It's an open source project, so the code is available. I see no problems if the NSA contributes code: for once, that's open source code that will be under EXTREME scrutiny because of who and what the contributor is :)

    • (Score: -1, Flamebait) by Anonymous Coward on Tuesday June 25 2019, @12:10AM (1 child)

      by Anonymous Coward on Tuesday June 25 2019, @12:10AM (#859550)

      Is mental deficiency a trait that runs in your family?

      • (Score: 0) by Anonymous Coward on Tuesday June 25 2019, @12:12AM

        by Anonymous Coward on Tuesday June 25 2019, @12:12AM (#859553)

        The system works.

    • (Score: 1) by fustakrakich on Tuesday June 25 2019, @12:22AM

      by fustakrakich (6150) on Tuesday June 25 2019, @12:22AM (#859554) Journal

      Look for "time bombs". Set your clock ahead a few years/decades (well, a little less than two), see what happens.

      Heh, Windows will probably freak...

      --
      La politica e i criminali sono la stessa cosa..
    • (Score: 2) by pipedwho on Tuesday June 25 2019, @12:27AM (6 children)

      by pipedwho (2032) on Tuesday June 25 2019, @12:27AM (#859555)

      This is true.

      And on top of that, the NSA, like any paranoid agency is extremely unlikely to intentionally introduce a flaw that can be discovered by a third party outside their control. It is of no benefit to the NSA, either due to bad publicity on how they botched a supposedly secure implementation, or because then they won't be the only ones that can use their back door.

      The sort of backdoor that I'd expect from the NSA would include some sort of magic number with a trap door that can't be 'discovered' with anything less than a brute force approach measured to take a time frame with a resolution of 'ages of the universe'. And after the Dual Curve EC PRNG debacle, I doubt they'd be able to pull off a stunt like that again.

      • (Score: 2, Interesting) by fustakrakich on Tuesday June 25 2019, @12:38AM (1 child)

        by fustakrakich (6150) on Tuesday June 25 2019, @12:38AM (#859557) Journal

        some sort of magic number:

        20380119031408

        --
        La politica e i criminali sono la stessa cosa..
        • (Score: 2) by pipedwho on Tuesday June 25 2019, @12:55AM

          by pipedwho (2032) on Tuesday June 25 2019, @12:55AM (#859562)

          It's fitting that the 2038 Unix signed 32-bit overflow is just after "pi o'clock AM".

          But, I'm thinking of a number that has been constructed and included as part of the design, not so much a time bomb.

      • (Score: 2) by JoeMerchant on Tuesday June 25 2019, @03:24AM (3 children)

        by JoeMerchant (3937) on Tuesday June 25 2019, @03:24AM (#859596)

        Mostly this, I think:

        because then they won't be the only ones that can use their back door

        The sort of backdoor that I'd expect from the NSA

        would be some sort of cryptography that only they can break with the massive quantum computer they have implemented under Cheyenne Mountain (wonder why NORAD moved out? Hmmm.....)

        And after the Dual Curve EC PRNG debacle, I doubt they'd be able to pull off a stunt like that again

        They might be ordered to try, and as an agency they might want to look dumber than they are. But, there's also value for them in helping to build truly secured systems for the private sector. Having a rogue state take down the banking system for a week isn't much of a "best case scenario" for any security agency.

        --
        🌻🌻 [google.com]
        • (Score: 4, Interesting) by pipedwho on Tuesday June 25 2019, @04:14AM (2 children)

          by pipedwho (2032) on Tuesday June 25 2019, @04:14AM (#859612)

          would be some sort of cryptography that only they can break with the massive quantum computer they have implemented under Cheyenne Mountain (wonder why NORAD moved out? Hmmm.....)

            I doubt that. Anything the NSA can build in their secret dungeon is potentially only a few years away from being built by someone else. If the NSA is aware of a cryptanalytic technique that allows something to be broken easily by their own systems, they'll most likely be looking to secure it in a way where someone else with a similar system at some point in the future can't break it.

          The best way for that is to make sure the 'trapdoor' technique in place is not breakable by themselves or anyone else that doesn't possess a secret key. If they design it correctly, that generator coefficient can be made so not even the NSA itself could 'crack' it without prior knowledge of the key value.

          However, that approach becomes obvious when 'magic numbers' are included in a design that may not have the security properties they purport to have, but are instead chosen to include mathematically derivable 'trap doors' that weaken the algorithm to something crackable to anyone possessing this secret 'trap door' key.

          • (Score: 2) by JoeMerchant on Tuesday June 25 2019, @12:51PM (1 child)

            by JoeMerchant (3937) on Tuesday June 25 2019, @12:51PM (#859689)

            doesn't possess a secret key

            All of cryptography is about the secret's lifetime as a secret. There's a vague function of 1 / ( exposure x effort ) -> time to break, and with globally deployed systems like UEFI that exposure x effort quantity approaches infinity. No matter what the protocols are protecting the deployed key, unless they've also built in a key rotation mechanism to keep the active key fresh (and such a thing would be too obvious in open source, and difficult in a system like BIOS), that key is going to be required for a large number of operations, raising its exposure level to a point where it is virtually certain to be leaked eventually - particularly with the effort that will be being expended to obtain it.

            --
            🌻🌻 [google.com]
            • (Score: 2) by pipedwho on Wednesday June 26 2019, @01:07AM

              by pipedwho (2032) on Wednesday June 26 2019, @01:07AM (#859945)

              True. The way 'magic number' trap doors happen is to choose a 'random' number, but select (or generate) it to have a property that makes it either easier to brute force knowing the generation partials. When the number is supposed to be 'random', it should be taken from a public authenticated source or other standardised deterministic method.

              For example, let's say an algorithm requires a large 4096 bit prime modulus. The defined standard modulus could be a huge randomly generated base with prime properties appropriate to the security of the algorithm. However, if the NSA generates that 'prime' where it is actually a composite made up of two 2048 bit primes, it could choose one of the primes to be 'weakened' by having properties that significantly improve the ability to brute force a message/key exchange encrypted with said algorithm. A non-NSA attacker would have to first factor the 4096 'prime', which requires substantial effort and is not currently possible with today's technological state. And the NSA never needs to expose these keys outside their own systems.

              This is why 'magic numbers' are frowned upon in the crypto world. The NIST standardised prime curves for ECDSA/ECDH are examples of this contention. The curves are 'random' prime curves that are used in all standard implementations. These curves are 'believed' to be secure, but there is no way to guarantee that the NSA hasn't carefully chosen them to allow them to more easily brute force attack an encrypted message or key exchange. The numbers are huge (e.g. 256-bit, 512-bit) making them very difficult to dissect in anything less than polynomial time (unless you already know the roots/weaknesses).
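
An added example, not part of the original thread: the audit a reviewer can run on a published "random" prime modulus of the kind discussed in the comment above. A Miller-Rabin test exposes a composite without factoring it, and re-deriving the value from a public seed shows whether it came from a deterministic method. The SHA-256 counter derivation, the function names and the seeds are assumptions made for illustration; 256 bits stands in for 4096 to keep it fast.

```python
import hashlib
import secrets
from typing import List, Optional

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin. Bases are drawn at random at audit time: a parameter
    author who knows the bases in advance can craft a composite that passes."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:              # write n - 1 as d * 2**s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2       # base in [2, n - 2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False           # a is a witness, so n is composite
    return True

def expand(seed: bytes, bits: int, counter: int) -> int:
    """SHA-256 in counter mode, truncated to an odd integer of exactly `bits` bits."""
    stream, block = b"", 0
    while len(stream) * 8 < bits:
        stream += hashlib.sha256(
            seed + counter.to_bytes(4, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    n = int.from_bytes(stream, "big") >> (len(stream) * 8 - bits)
    return n | (1 << (bits - 1)) | 1

def derive_prime(seed: bytes, bits: int) -> int:
    """First prime in the seed's candidate sequence; anyone can recompute it."""
    counter = 0
    while not is_probable_prime(expand(seed, bits, counter)):
        counter += 1
    return expand(seed, bits, counter)

def audit_modulus(p: int, bits: int, seed: Optional[bytes]) -> List[str]:
    """Findings for a modulus published as 'a prime derived from this seed'."""
    findings = []
    if p.bit_length() != bits:
        findings.append("size")
    if not is_probable_prime(p):
        findings.append("composite")
    if seed is None:
        findings.append("no-seed")          # nothing explains where p came from
    elif derive_prime(seed, bits) != p:
        findings.append("seed-mismatch")    # p is not what the seed produces
    return findings

# Constructed sample parameters (not real standardised values).
BITS = 256
PUBLIC_SEED = b"constructed-example-seed-2019"
honest = derive_prime(PUBLIC_SEED, BITS)
# A "prime" that is really the product of two 128-bit primes.
rigged = derive_prime(b"hidden-factor-1", 128) * derive_prime(b"hidden-factor-2", 128)
# A genuine prime, but not the one the published seed yields.
unexplained = derive_prime(b"some-other-seed", BITS)

if __name__ == "__main__":
    for name, value in (("honest", honest), ("rigged", rigged), ("unexplained", unexplained)):
        print(name, audit_modulus(value, BITS, PUBLIC_SEED))
```

Primality is the cheap half of the audit; the seed check is what separates a derived constant from a hand-picked one, and a parameter published with no seed cannot pass it.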

    • (Score: 0) by Anonymous Coward on Tuesday June 25 2019, @04:29AM (1 child)

      by Anonymous Coward on Tuesday June 25 2019, @04:29AM (#859618)

      Think strategically, FOR the US (not its opponents). This may affect YOU.
      It is excellent that the USA is pointing its resources to this project! You cannot trust UEFI which is proprietary and baked in Microsoft's offshore ovens (India, China). Having trustworthy systems is vital for the US military and also the civilian population, industry, power grids, etc.
      So USAians: you cannot foam at the mouth at your own government agencies trying to do their job to keep you alive and safe, AND then complain about all the backdoors and hack attempts, scam calls and other troubles pouring in from those 'other' countries. Pick which side you are on.

      • (Score: 1, Insightful) by Anonymous Coward on Tuesday June 25 2019, @08:01AM

        by Anonymous Coward on Tuesday June 25 2019, @08:01AM (#859644)
        You overstate the usefulness and effectiveness of the NSA in keeping US citizens safe.

        The other non-covert and non-military agencies have done far more to keep US citizens safe.

        Heck I think the US citizens might be safer if the CIA was shut down and many of them thrown into prison.

        There are lots of countries without an "NSA" and their people are just as safe from China and India as the US people are. And they're more at risk from the USA because of the NSA, CIA etc.
  • (Score: 0) by Anonymous Coward on Tuesday June 25 2019, @01:07AM

    by Anonymous Coward on Tuesday June 25 2019, @01:07AM (#859565)

    NSA + IOS = DOA

  • (Score: 2, Informative) by Anonymous Coward on Tuesday June 25 2019, @06:52AM

    by Anonymous Coward on Tuesday June 25 2019, @06:52AM (#859636)

    One minor mistake, please don't uppercase any letter of the word 'coreboot'.
    https://review.coreboot.org/20030 [coreboot.org]

  • (Score: 0) by Anonymous Coward on Tuesday June 25 2019, @12:56PM (1 child)

    by Anonymous Coward on Tuesday June 25 2019, @12:56PM (#859690)

    Better to avoid coreboot

    So who believes that the NSA puts a backdoor in coreboot, but doesn't have one in UEFI? That makes no sense.

    Anyway, the Intel Management Engine and the AMD counterpart are much better places to put secret backdoors in.

    • (Score: 2) by DannyB on Tuesday June 25 2019, @01:15PM

      by DannyB (5839) Subscriber Badge on Tuesday June 25 2019, @01:15PM (#859694) Journal

      Tampering with coreboot can distract from the management engine tampering.

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 2) by DutchUncle on Tuesday June 25 2019, @03:07PM

    by DutchUncle (5370) on Tuesday June 25 2019, @03:07PM (#859734)

    I don't trust the NSA either, but maybe, just maybe, they have decided that leaving security holes at the lowest levels makes THEIR job harder too (because if there's an opening for NSA, there's an opening for an opponent). Maybe they really have decided to do the defensive part of their job (protecting against outside interference) rather than the offensive one (inserting their own interference and spying on everybody on the off-chance that they catch someone guilty among all of the innocent).

    Hey, it could happen.
