That was news to many security experts, who had never before heard of the "BIOS plot," even though "60 Minutes" asserted that "computer manufacturers" had worked with the NSA "to close this vulnerability." Such an undertaking would have been well known in the information-security community.Basically, the scheme amounted to a fake BIOS upgrade that bricks your 'puter. But newer machines and Macs are protected, and most people never upgrade their BIOS. Besides, how can the Chinese expect a computer-free West to buy cheap Chinese products via Ebay? Security expert Robert Graham offers this response:
Plunkett gave only the barest outline of the supposed Communist scheme, not specifying when and how the plot was uncovered and foiled. CBS' confirmation of the plot's existence and provenance relied on unnamed "cybersecurity experts briefed on the operation" who "told us it was China."
Security experts aren't buying it.
There are no technical details. Yes, they talk about "BIOS", but it's redundant, unrelated to their primary claim. Any virus/malware can destroy the BIOS, making a computer unbootable, "bricking" it. There's no special detail here. All they are doing is repeating what Wikipedia says about BIOS, acting as techie talk layered onto the discussion to make it believable, much like how Star Trek episodes talk about warp cores and Jeffries Tubes.Another security expert, Graham Cluley, considers the report "nonsense." He asks some damned good questions:
Stripped of techie talk, this passage simply says "The NSA foiled a major plot, trust us." But of course, there is no reason we should trust them. It's like how the number of terrorist plots foiled by telephone eavesdropping started at 50 then was reduced to 12 then to 2 and then to 0, as the NSA was forced to justify their claims under oath instead of in front of news cameras. The NSA has proven itself an unreliable source for such information -- we can only trust them if they come out with more details -- under oath.
Moreover, they don't even say what they imply. It's all weasel-words. Nowhere in the above passage does a person from the NSA say "we foiled a major cyber terror plot". Instead, it's something you piece together by the name "BIOS plot", cataclysmic attacks on our economy (from the previous segment), and phrases like "would it have worked".
So, in the end, it's just like the existing testimony from Clapper and Alexander that is never precisely a lie, but likewise, intentionally deceptive.
How exactly did they [the NSA] foil the plot? The report says that they worked with computer manufacturers to “close the vulnerability”. What did that entail?There's no way the NSA could have offered a warning to Asus and Gigabyte and all of those other mobo-makers without one word leaking out. Besides -- aren't those motherboards actually manufactured in China? Did the NSA warn the Chinese to beware of China?
Did every PC in America get a firmware update to their BIOS that we simply didn’t notice? Or was it, instead, that the Chinese plot was actually to introduce flaws and vulnerabilities into new BIOS chips used in future computers, and manufacturers were warned to keep their eyes open for meddling?
Some people are surprised that CBS News would swallow government propaganda so readily. Feh. That sort of thing has been going on for decades.
Added note: It just hit me. Above, I ask how the NSA could maintain total secrecy while warning motherboard manufacturers (including those not based in this country) about the Chinese BIOS scheme. But an even better question is why. Why would the NSA keep a Chinese malware plot secret?
Let us suppose that there was some overwhelming need for secrecy. Okay...then why did the NSA get all blabby about the affair when CBS showed up for an interview? What has changed?
The whole thing makes no sense.
2 comments:
There's no such thing as a BIOS chip. BIOS is what's on a CMOS chip. And clearly, this is bullshit.
Here's another angle that may be missing and somewhat related to kill switches and backdoors. I'll be drawing from Dave Emory's excellent reporting on the subjects/suspects Tor and the Libertarian project named Bitcoin. He and a researcher named Pterrafractyl have collected out a lot of good articles I recommend reading. The angle I'd like to construct starts at spitfirelistdotcom with three articles that point to a German company named Lantiq.
http://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch
http://www.infineon.com/cms/regional-pages/infineon-romania/research_development/security.html
http://www.zdnet.com/dont-let-paranoia-over-the-nsa-and-tpm-weaken-your-security-7000019791/
http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone
Post a Comment