NSA hid spying software in hard drive firmware, report says

http://www.cbc.ca/news/technology/ns...says-1.2959252

The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

Yousuf Khan wrote

http://www.cbc.ca/news/technology/ns...says-1.2959252

The U.S. National Security Agency has figured out how to hide spying
software deep within hard drives made by Western Digital, Seagate,
Toshiba and other top manufacturers,

There aren't any other top manufacturers anymore.

giving the agency the means to eavesdrop on the majority of the world's
computers,

Not if those systems can't communicate with anything.

according to cyber researchers and former operatives.

According to spivs and con men flogging software, actually.

That long-sought and closely guarded ability

Wota ****ing ******...

was part of a cluster of spying programs discovered by Kaspersky Lab, the
Moscow-based security software maker

Who might just have a vested interest in making
claims about what the NSA gets up to.

that has exposed a series of Western cyberespionage operations.

Pigs arse they have.

Kaspersky said it found personal computers in 30 countries infected with
one or more of the spying programs,

Is this where we're all sposed to swoon or sumfin ?

with the most infections seen in Iran, followed by Russia, Pakistan,
Afghanistan, China, Mali, Syria, Yemen and Algeria.

Easy to claim...

The targets included government and military institutions,
telecommunication companies, banks, energy companies, nuclear
researchers, media, and Islamic activists, Kaspersky said.

Odd that they are flogging something that claims to find stuff like that.

On 17/02/2015 2:04 PM, Rod Speed wrote:
Yousuf Khan wrote

http://www.cbc.ca/news/technology/ns...says-1.2959252


The U.S. National Security Agency has figured out how to hide spying
software deep within hard drives made by Western Digital, Seagate,
Toshiba and other top manufacturers,

There aren't any other top manufacturers anymore.

It probably just doesn't include hard drive manufacturers anymore, it
probably now also includes SSD manufacturers. Storage in general.

giving the agency the means to eavesdrop on the majority of the
world's computers,

Not if those systems can't communicate with anything.

Communications is not the only way to spy on somebody. You could also
intercept these computers physically, and take their storage out. If
you've used any hardware-based encryption schemes on these drives, then
an NSA backdoor might weaken the encryption scheme to something that's
less random. So you can say then you should use software-based
encryption instead, but of course, without this knowledge how would you
even know how to decide which is the more secure method to use. In some
cases, even the software based ones are severely compromised.

Another possibility is that some storage media have a secure hardware
erase feature. If a backdoor were put in, perhaps these secure erases
aren't erases at all?

according to cyber researchers and former operatives.

According to spivs and con men flogging software, actually.

That long-sought and closely guarded ability

Wota ****ing ******...

was part of a cluster of spying programs discovered by Kaspersky Lab,
the Moscow-based security software maker

Who might just have a vested interest in making
claims about what the NSA gets up to.

In this day and age, it really isn't tenable to maintain a non-skeptical
view about the NSA's activities. Everything that was thought to be
tin-hat conspiracy theories about the NSA have turned out to be true.
You're burying your head in the sand if you don't believe it.

As for these specific researchers, sure they may have a vested interest,
but this can be easily checked by other researchers. Peer review.

that has exposed a series of Western cyberespionage operations.

Pigs arse they have.

Kaspersky said it found personal computers in 30 countries infected
with one or more of the spying programs,

Is this where we're all sposed to swoon or sumfin ?

with the most infections seen in Iran, followed by Russia, Pakistan,
Afghanistan, China, Mali, Syria, Yemen and Algeria.

Easy to claim...

Also the least useful of their claims. It really doesn't matter where
they are found, it's more likely they are found everywhere.

The targets included government and military institutions,
telecommunication companies, banks, energy companies, nuclear
researchers, media, and Islamic activists, Kaspersky said.

Odd that they are flogging something that claims to find stuff like that.

Well, I'm sure there isn't much of a market selling security software to
Islamist organizations. But the fact that nuclear institutions were
targeted is already well proven: look up Stuxnet.

Yousuf Khan

Yousuf Khan wrote
Rod Speed wrote
Yousuf Khan wrote

http://www.cbc.ca/news/technology/ns...says-1.2959252

The U.S. National Security Agency has figured out how to hide spying
software deep within hard drives made by Western Digital, Seagate,
Toshiba and other top manufacturers,

There aren't any other top manufacturers anymore.

It probably just doesn't include hard drive manufacturers anymore, it
probably now also includes SSD manufacturers. Storage in general.

giving the agency the means to eavesdrop on the majority of the world's
computers,

Not if those systems can't communicate with anything.

Communications is not the only way to spy on somebody.

But it is the only way to get hold of the information that you
have collected by eavesdropping on a particular computer.

You could also intercept these computers physically, and take their
storage out.

If you are going to do that, there isn't any point in eavesdropping
using something you have installed on a particular hard drive.

If you've used any hardware-based encryption schemes on these drives, then
an NSA backdoor might weaken the encryption scheme to something that's
less random.

If you don’t like that risk it is completely trivial to use
your own software based encryption scheme that can
not possibly have been compromised like that. And to
use more than one layer of that so that even if there
does turn out to be a flaw in one of them its still secure.

So you can say then you should use software-based encryption instead, but
of course, without this knowledge how would you even know how to decide
which is the more secure method to use.

Its completely trivial to research that.

In some cases, even the software based ones are severely compromised.

They can't be if you do your own.

Another possibility is that some storage media have a secure hardware
erase feature. If a backdoor were put in, perhaps these secure erases
aren't erases at all?

Trivially avoidable by physically destroying the device instead.

And hard drives are now so cheap that that is very affordable.

according to cyber researchers and former operatives.

According to spivs and con men flogging software, actually.

That long-sought and closely guarded ability

Wota ****ing ******...

was part of a cluster of spying programs discovered by Kaspersky Lab,
the Moscow-based security software maker

Who might just have a vested interest in making
claims about what the NSA gets up to.

In this day and age, it really isn't tenable to maintain a non-skeptical
view about the NSA's activities. Everything that was thought to be tin-hat
conspiracy theories about the NSA have turned out to be true.

Nope, not on the question of whether they can actually see anything they
want to.

There is no way to see anything on a system which
does not communicate and completely trivial to
see if anyone has ever had any physical access to it.

You're burying your head in the sand if you don't believe it.

In fact the classic one time pad is MUCH more useful than it
was in the past essentially because you don’t even have the
problem of moving it from the source to the destination when
you use it to encrypt what you don’t want anyone else to see.

As for these specific researchers, sure they may have a vested interest,

No may have about it, of course they do.

but this can be easily checked by other researchers. Peer review.

Not even possible when they don’t specify the detail of what
they claim to have discovered, like that claim at the top about
what the NSA has installed on hard drives so that anyone can
see if any of their drives have that on them.

That was done with Sony's root kit, but when it hasn’t been done
with that claim about what the NSA is doing, it clearly isn't happening
or they would have spelt out how to check if its happened or not.

that has exposed a series of Western cyberespionage operations.

Pigs arse they have.

Kaspersky said it found personal computers in 30 countries infected
with one or more of the spying programs,

Is this where we're all sposed to swoon or sumfin ?

with the most infections seen in Iran, followed by Russia, Pakistan,
Afghanistan, China, Mali, Syria, Yemen and Algeria.

Easy to claim...

Also the least useful of their claims. It really doesn't matter where they
are found, it's more likely they are found everywhere.

Its much more likely they are lying thru their
teeth and that the NSA has done nothing of
the sort with the hard drives we actually own.

And even if they had done, who cares ? The most they can
get hold of on any of my systems is some detail about what
bank accounts I have and the govt knows all that anyway.

They will also be able to see what I have said in usenet etc,
but that is trivially available using groups.google etc anyway.

They will also be able to see my ebay, amazon and aliexpress
transactions, but all those operations have all that detail anyway.

They will also be able to see what I choose to read etc.

So what ? I couldn’t care less.

If I do ever decide to murder someone I will make sure
that I physically destroy anything that I use in the planning
and execution of that and only use stuff that I have obtained
at garage/yard sales years ago to do it too. And wont be silly
enough to have a cellphone with me when I do it either.

The targets included government and military institutions,
telecommunication companies, banks, energy companies, nuclear
researchers, media, and Islamic activists, Kaspersky said.

Odd that they are flogging something that claims to find stuff like that.

Well, I'm sure there isn't much of a market selling security software to
Islamist organizations. But the fact that nuclear institutions were
targeted is already well proven: look up Stuxnet.

I don’t care, I don’t run one.

On 21/02/2015 1:38 PM, Rod Speed wrote:
Yousuf Khan wrote
Rod Speed wrote
giving the agency the means to eavesdrop on the majority of the
world's computers,

Not if those systems can't communicate with anything.

Communications is not the only way to spy on somebody.

But it is the only way to get hold of the information that you
have collected by eavesdropping on a particular computer.

You could also intercept these computers physically, and take their
storage out.

If you are going to do that, there isn't any point in eavesdropping
using something you have installed on a particular hard drive.

You're going to have get off your one-tracked mind about spying being
only about eavesdropping. Spying can also be about good old fashioned
physically stealing data. Steal the computer, clone the data off of the
drive quickly, then put the system back in place before anyone notices
it was missing. The NSA itself probably wouldn't be doing these
activities, but the NSA also provides tools to its sister spy
organizations, like the FBI or CIA, both of which can do these sort of
activities.

Also if it's remote eavesdropping that you're interested in, then who's
to say that they can't simply combine a bunch of tools together? You
break the security on the drive with your firmware exploits, and then
you use another piece of compromised equipment that can broadcast the
data off of it, such as the Ethernet, Wi-Fi, or Bluetooth controllers
which might also have backdoors in them. I've even seen a story where
they embedded a secret broadcast feature right inside a run-of-the-mill
USB cable!

But as I said, it's not just about communications eavesdropping here.

If you've used any hardware-based encryption schemes on these drives,
then an NSA backdoor might weaken the encryption scheme to something
that's less random.

If you don’t like that risk it is completely trivial to use
your own software based encryption scheme that can
not possibly have been compromised like that. And to
use more than one layer of that so that even if there
does turn out to be a flaw in one of them its still secure.

So you can say then you should use software-based encryption instead,
but of course, without this knowledge how would you even know how to
decide which is the more secure method to use.

Its completely trivial to research that.

Oh, is it really? Where? On the Internet? So some guy on a blog says
some software is secure, that's all you need? Show me a trustable source.

In some cases, even the software based ones are severely compromised.

They can't be if you do your own.

If people could do their own, then they wouldn't need to buy software.

Another possibility is that some storage media have a secure hardware
erase feature. If a backdoor were put in, perhaps these secure erases
aren't erases at all?

Trivially avoidable by physically destroying the device instead.

That's only if you suspect that you're going to be spied on. No one is
going to destroy their own data preemptively, without a good reason.

And hard drives are now so cheap that that is very affordable.

I have no idea why this is relevant to anything.

In this day and age, it really isn't tenable to maintain a
non-skeptical view about the NSA's activities. Everything that was
thought to be tin-hat conspiracy theories about the NSA have turned
out to be true.

Nope, not on the question of whether they can actually see anything they
want to.

Go ahead, keep your head buried in the sand.

There is no way to see anything on a system which
does not communicate and completely trivial to
see if anyone has ever had any physical access to it.

Tell me how it's trivial to figure out if someone has had physical
access to your system? Remember these are spies trained for these sort
of things, and who know how to cover their tracks.

As for these specific researchers, sure they may have a vested interest,

No may have about it, of course they do.

but this can be easily checked by other researchers. Peer review.

Not even possible when they don’t specify the detail of what
they claim to have discovered, like that claim at the top about
what the NSA has installed on hard drives so that anyone can
see if any of their drives have that on them.

We don't know what their specific evidence is based on a mainstream
press article about it. But they have likely provided their peers with
the necessary information.

Its much more likely they are lying thru their
teeth and that the NSA has done nothing of
the sort with the hard drives we actually own.

Head, sand: meet Rod.

snip rest

Yousuf Khan

Yousuf Khan wrote
Rod Speed wrote
Yousuf Khan wrote
Rod Speed wrote

giving the agency the means to eavesdrop on the majority of the
world's computers,

Not if those systems can't communicate with anything.

Communications is not the only way to spy on somebody.

But it is the only way to get hold of the information that you
have collected by eavesdropping on a particular computer.

You could also intercept these computers physically, and take their
storage out.

If you are going to do that, there isn't any point in eavesdropping
using something you have installed on a particular hard drive.

You're going to have get off your one-tracked mind about spying being only
about eavesdropping.

Never said it was. I JUST pointed out that however you collect
the information, there has to be some way to get that collected
information to those who want that collected information and
so its trivially easy to ensure that they can't get hold of it.

Spying can also be about good old fashioned physically stealing data.

But its trivially easy to ensure that whatever they steal is of absolutely
no use whatever to them, and its also trivially easy to ensure that you
will always knows if someone has stolen anything.

Steal the computer, clone the data off of the drive quickly, then put the
system back in place before anyone notices it was missing.

Its trivially easy to ensure that any physical break in will always be
detected.

And even easier to ensure that nothing they clone will be any use at all to
them.

The NSA itself probably wouldn't be doing these activities, but the NSA
also provides tools to its sister spy organizations, like the FBI or CIA,
both of which can do these sort of activities.

And trivially easy to ensure that they will be detected doing that.

Also if it's remote eavesdropping that you're interested in, then who's to
say that they can't simply combine a bunch of tools together?

No use at all to anyone if you adequately encrypt anything that matters.

You break the security on the drive with your firmware exploits,

Not even possible if you have your own security as well as what the drive
comes with.

and then you use another piece of compromised equipment that can broadcast
the data off of it, such as the Ethernet, Wi-Fi, or Bluetooth controllers
which might also have backdoors in them.

Useless when whatever they can broadcast will be of no use to them.

I've even seen a story where they embedded a secret broadcast feature
right inside a run-of-the-mill USB cable!

Useless when whatever they can broadcast will be of no use to them.

But as I said, it's not just about communications eavesdropping here.

And as I said, that is even easier to protect.

If you've used any hardware-based encryption schemes on these drives,
then an NSA backdoor might weaken the encryption scheme to something
that's less random.

If you don’t like that risk it is completely trivial to use
your own software based encryption scheme that can
not possibly have been compromised like that. And to
use more than one layer of that so that even if there
does turn out to be a flaw in one of them its still secure.

So you can say then you should use software-based encryption instead,
but of course, without this knowledge how would you even know how to
decide which is the more secure method to use.

Its completely trivial to research that.

Oh, is it really?

Yep.

Where?

Same place you research anything.

On the Internet? So some guy on a blog says some software is secure,
that's all you need? Show me a trustable source.

Trivially easy to TEST any claims made.

In some cases, even the software based ones are severely compromised.

They can't be if you do your own.

If people could do their own, then they wouldn't need to buy software.

Some choose to buy it when its no big deal if it is compromised.

I choose to use what I have bought to secure my net banking details.
If that does get compromised, it’s just a nuisance because I choose to
put the funds that matter only with banks that guarantee that I will
never lose my money even if the world financial system implodes.

I have a completely separate system with a completely separate
FI that guarantees that whatever happens with my card, I will never
lose any of my money. And I only keep a relatively small amount of
cash there so even if that guarantee turns out to not be delivered,
its just a very minor nuisance and something to blog about etc.

Another possibility is that some storage media have a secure hardware
erase feature. If a backdoor were put in, perhaps these secure erases
aren't erases at all?

Trivially avoidable by physically destroying the device instead.

That's only if you suspect that you're going to be spied on.

Nope, its also available if you are quite sure you aren't going
to be spied on but are paranoid enough to ensure that even
if some rouge spy has ****ed up and has targeted you in
error that there is still nothing you can lose.

No one is going to destroy their own data preemptively, without a good
reason.

But if the device dies, some are cautious enough to
physically destroy the device even if there is nothing
on the device except their banking transaction history
and stuff like that and they want to eliminate any
possibility of identity theft etc.

I have just been communicating with someone who is
so mindlessly paranoid that he refuses to ever buy anything
in Apple's app store because of the trivial risk that he may
be identified when doing that. He's too stupid to use a gift
card and spends hours insisting on finding free apps instead
of spending $2 on what will do what he wants to do.

And hard drives are now so cheap that that is very affordable.

I have no idea why this is relevant to anything.

Its obviously relevant to how much it costs to destroy that
hard drive instead of claiming on the warranty if it does die.

In this day and age, it really isn't tenable to maintain a non-skeptical
view about the NSA's activities. Everything that was thought to be
tin-hat conspiracy theories about the NSA have turned out to be true.

Nope, not on the question of whether they can actually see anything they
want to.

Go ahead, keep your head buried in the sand.

Not even possible for them to see anything they want
to, particularly with a system that never communicates
with anything and which is completely secured using
a one time pad system.

There is no way to see anything on a system which
does not communicate and completely trivial to
see if anyone has ever had any physical access to it.

Tell me how it's trivial to figure out if someone has had physical access
to your system?

By ensuring that there is always a full record
of every movement inside your house. Even
you can implement something like that.

Remember these are spies trained for these sort of things, and who know
how to cover their tracks.

Not even possible with physical access.

As for these specific researchers, sure they may have a vested interest,

No may have about it, of course they do.

but this can be easily checked by other researchers. Peer review.

Not even possible when they don’t specify the detail of what
they claim to have discovered, like that claim at the top about
what the NSA has installed on hard drives so that anyone can
see if any of their drives have that on them.

We don't know what their specific evidence is based on a mainstream press
article about it. But they have likely provided their peers with the
necessary information.

They aren't that stupid, because that inevitably risks
that leaking via someone like Manning or Snowdon.

Its much more likely they are lying thru their
teeth and that the NSA has done nothing of
the sort with the hard drives we actually own.

Head, sand: meet Rod.

Even you should be able to do better than that pathetic effort.

Obviously not.

snip rest

Taint gunna go away just because you snip it.