NSA alleges 'BIOS plot to destroy PCs' Senior National Security Agency (NSA) officials have told US news magazine program “60 Minutes” that a foreign nation tried to infect computers with a BIOS-based virus that would have enabled them to be remotely destroyed. NSA Director General Keith Alexander and Information Assurance Director Debora Plunkett both appeared on …
The reports that I saw were unclear about whether the targets in these cases were "US Persons". Those targets, however were smuggling illegal drugs into the country, not out or within. Accordingly it is possible or even likely that the intercepts were proper and the attempt at secrecy was aimed at protecting intelligence sources and methods.
"That means that pretty much 7 billion are also tracked."
NSA has in the neighborhood of 35,000 employees. It is not credible that each of them (managers to secretaries and machine repairpersons) tracks an average of 200,000 people in any sense that even remotely approaches meaningful. Not by at least two orders of magnitude.
Feeding my metadata into the machine so that I can be mistakenly Jean Charles de Menezesed based on some trial-less "guilt by association" cranked out by an algorithm is being fucking tracked.
Too tinfoil hat for you? Too bad. The burden of proof is on your government now, not those who just want to be left alone.
Or will I be targeted for tax audits because of my political group? Have my e-mails raided because I'm a journalist? Be thrown in gitmo because I work with whistleblowers?
Computer says no. Your life, thus, goes bye-bye. And you're okay with this?!?
I don't think I said anything to suggest I approve of it, or think it is warranted or effective. Neither have I seen much evidence that the bad things mentioned are common. Tax audits because of a political group? Not much to do with the NSA, much more to do with the FBI and municipal police departments. Email raided because a journalist/working with whistleblowers? Certainly that's possible, but again has little to do with the NSA and a lot to do with prosecutors and the FBI or local authorities.
I cannot say whether your metadata or mine would correlate with a target and raise suspicion, and that is a serious problem that can be addressed either by not doing the analysis at all or by ensuring that such things as entry into "no fly" databases rely on much more careful investigation than sometimes seems to be the case. I could be satisfied with either, keeping in mind that the alternative in which service providers are required to retain metadata for access by law enforcement agencies may not represent much of an increase in our security over what we have at present.
You don't seem to get it. Any situation in which our metadata is being collected in a dragnet fashion is unacceptable. It doesn't matter if it's the FBI, GCHQ, the NSA, the RCMP or the fucking IRS. If you want to investigate a person then you get a fucking warrant for that person and that's that.
You do not trawl through data looking for "suspicious patterns" and use that as justification to trawl through the data! You do not keep a lifetime's worth of metadata (or even a year's worth!) and go back in time to peer through someone's life and find every minor mistake they ever made based on some broken suspicion that a cranky neighbor had that might be leaving our more than the maximum number of bags of garbage.
You keep talking as though it is okay for us to give up our rights. That it is inevitable and that it is an acceptable and natural consequence of...what, exactly? Protection from the boogyman?
Whether the breach today is the FBI or tomorrow the IRS it makes no nevermind. Human beings in positions of power over other human beings abuse that power. It doesn't matter which agency they belong to. The more power you give them to peer into our lives the more harm they will do. The totality of human history is a fucking testament to this fact!
Noone can be trusted with the kind of power represented by unfettered access to our metadata, let alone the communications data in full. Noone.
Any use of technological assets to collect information about an individual must be narrowly targeted, only records relevant to the narrow warrant collected and retained and the entire process carefully reviewed by independent civil rights organisations. (Rotated out so as to prevent regulatory capture.)
The NSA has already been seen to give information to the DEA and then tell them to lie about the source. How long before their databases are used to raid journalists, a practice already underway? You argue that agencies are isolated and that evidence of malfeasance in one isn't evidence that it will occur in another.
I say that the totality of human history says that absolute power corrupts absolutely, and given that the US government in general has thrown out the presumption of innocence as regards proles I think the NSA - and any other TLA - need to prove their innocence. After all, we don't have the means to investigate their guilt. It's all hush-hush tip-top super secret stuff that proles aren't allowed to see.
No TLA cna be trusted with our privacy. No amount of bureaucracy can make dragnets okay. Nothing can justify dragnets. is that clear enough? Or are there more predictable bits of apologist newsspeak you'd like to trot out?
"NSA has in the neighborhood of 35,000 employees. It is not credible that each of them (managers to secretaries and machine repairpersons) tracks an average of 200,000 people in any sense that even remotely approaches meaningful. Not by at least two orders of magnitude."
Yet Amazon, Facebook and Google all manage to do plenty of meaningful tracking.
>You want a budget of *how much* to track 60 people?
But,but...
If they are only tracking 60 people, why the heck can they not follow procedures that have existed for 50+ years and get a warrant/judicial order?
If they need it right away, fine. Start listening, file the paperwork and let a judge decide after the fact.
Don't tell me you can't manage 60 intercepts with proper judicial oversight.
Btw, we're all in the same boat. The new Canadian CSIS HQ building is hundreds of millions over budget. And had to move due to increasing power requirements - presumably not caused by limited snooping to a few dozen citizens.
Just like here in the UK they like to feed the public a few snippets and tell them in very vague terms how much they have done to prevent disaster.
For instance, did you know that the security services have prevented hundreds if not thousands of terrorist attacks in the last couple of years and this is only down to the fact that they can spy on everyone and retain all the data they want.
Of course, as we are only 'little people' we could never hope to verify the truth in these claims. If they say this is true it must be.
"the security services have prevented hundreds if not thousands of terrorist attacks in the last couple of years and this is only down to the fact that they can spy on everyone and retain all the data they want."
That's nothing. I have a rock here that keeps away tigers!
Neither am I, although I have to admit that even if it were MI5 saying this I would not believe them either. As far as I am concerned I would not accept that fisherman's tale from the Almighty Himself without independent evidence let alone any country's intelligence service. What they are saying is that we are (excuse me, it's very hard to type and cry with laughter at one and the same time) just going to have to trust them (Oh God my sides are splitting).
Ah, your usual eloquence and insight.
The enemy is not the NSA. The enemy is you, and everyone else who thinks that the progress of civilization is measured in the amount of benefits that government delivers, because of the ever-expanding role of government intervention in the life of society and the lives of its citizens required to deliver those benefits.
"The enemy is you, and everyone else who thinks that the progress of civilization is measured in the amount of benefits that government delivers, because of the ever-expanding role of government intervention in the life of society and the lives of its citizens required to deliver those benefits."
Erm, is not being under surveillance an ever expanding role of government intervention?
But then, you strike me as a tea party type.
Also known as the type that never met a Constitutional amendment that they did not despise and disparage.
"The enemy is you, and everyone else who thinks that the progress of civilization is measured in the amount of benefits that government delivers,"
Did this make sense in your head before you typed it? Did you think that complaining about the NSA is about wanting MORE government intervention? Do you think that government intervention is only good when it does harm? Or are you a hopeless idealist who thinks that a state of having no government would be anything other than hell on earth? Basically, WTF are you talking about?
Good way to annoy the NSA and GCHQ, evil fucks that they are:
Refuse to hire ex-NSA/GCHQ people into private industry. Let the grunts know that working for the NSA/GCHQ is a one-way street. You are forever after tainted and no one will ever trust you again.
That should stick a spike into their University recruiting pipeline. Those government pensions not looking so guaranteed now eh ?
Refuse to hire ex-NSA/GCHQ people into private industry. Let the grunts know that working for the NSA/GCHQ is a one-way street. You are forever after tainted and no one will ever trust you again.
Even a massive boycott along these lines - which will never happen, but let's entertain the possibility for a moment - would not be much of a deterrent to desperate job-seekers offered relatively high-paying, relatively interesting work in the "intelligence" industry. The long-term risks pale in comparison to the short-term benefits.
I'm not intimately familiar with the situation in the UK, but here in the US recent grads have a tough time of it, even in ostensibly high-demand fields, and they're facing crippling student debt, inflating food and energy prices, a still-tumultuous housing market, etc. You offer them jobs and they'll take 'em.
But the simple fact of the matter is that you'd never get enough employers to sign on to such a program. What's in it for them? Listed corporations wouldn't be able to uphold it anyway, if it were at all effective - their boards would find a CEO who didn't artificially limit the labor market.
MEH. All those TLAs, including NSA, are just CYA front-ends to hide the real masterminds.
There are hints and answers, though, scattered around seemingly innocent places. Just like this one, from haikuonline or some such:
Guess what I found out?
My CAT rules the universe!
That explains a LOT.
" ...developed BIOS malware “disguised as a request for a software update” that would have turned PCs into “a brick.”
Wow, this threat has been around since the first PC was ever put in the hands of your average joe. Bricking ones PC is a pretty trivial feat, all it takes is an urge to upgrade the BIOS, combined with downloading the wrong (or corrupted) image, and/or a lack of reading comprehension. It doesn't take a rogue state to wrap a 100k of garbage in a cmos flasher that looks legit. Also what good would it do to knock out a few thousand porn boxes anyway? The malware would be identified and flagged within a day.
Come on NSA, if you're going to feed us bullshit at least try! How about a story about how you stopped the evil-doers from causing a financial apocalypse? Or thwarted hackers killing the power grid? If stopping a half assed 4chanish inconvenience from going live is truly the best the NSA has to brag about, we're all fucked.
"I seem to recall, around win 98 era a virus called chernobyl which purported to flash and corrupt the bios.
It was a bit of a non event as i recall."
I recall the same "chernobyl" virus and had to replace a good number of boards as well as explain to the customers that it was not a warranty issue, but a virus that "bricked" their machines (only way to prove it was to scan their HDD on our test system & show them the results along with the details of the infection on various AV vendors sites). Gigabyte made a lot of money when that virus was going around with their dual-BIOS boards.
It's been around ever since some bean-counter demanded removal of the write-protect switch from a system's flash logic circuitry.
How it ought to be, is that to do a BIOS upgrade you'd start by taking the lid off the system and moving a jumper or switch to write-enable. Then update. Then set it back to write-protect. (Note: nothing to stop manufacturers shipping it write-enabled, if they know that their average customer is a moron. Intelligent customers would protect it on delivery -- or buy from a different manufacturer).
How much did removing one jumper save? One cent? Probably less. Bullet, meet foot.
I actually prefer the Gigabyte dual BIOS system. One ROM that never gets over-written and one CMOS that can be easily updated without opening the case. If the update gets borked for any reason (power failure in the middle of the update) you can still revert to the ROM and redo the upgrade.
But absent the dual BIOS, yes it ought to be a locked setting (dip or jumper doesn't matter to me).
Can you overwrite the BIOS remotely? All the systems I've used you can only update the BIOS when running the BIOS admin, ie *outside* the operating system and the network stack, and you can only update the BIOS from a physical media in your grubby mit by shoving it into the appropriate receptical.
I believe it's called "winflash" or something similar. I've seen a few computers with a windows-based BIOS updater. Has been a while but from what I recall it is a nice looking convenient little windows utility to update your bios.
And it would be just as scary if there was a Linux version, unless you have a sure way of reverting to an earlier version.
Such a tool could be used remotely.
For that matter, look at the issues with Samsung UEFI some months back. IIRC it was booting Ubuntu from USB stick OR something in MS Office that could trash the UEFI BIOS enough that the machine would be bricked (for the average home user anyway). Something like that could also be triggered remotely I expect.
"They didn't think of it first!"
Are you sure they didn't?
Agent Paranoid: "RED ALERT! Somebody's bug is overwriting our bug!"
Agent Waffle: "Can we still monitor the affected PCs?"
Agent Paranoid: "Nah, it's like trying to read a brick!"
Agent Waffle: "Alert the media; "Terrorists Bricking PCs!"
Parodying that "You're gonna need a bigger boat" line in the movie, Jaws, NSA need smarter folk ...... for those who know how to work in cyber to bypass and overwhelm everything physical and terrestrial, are that which they are dealing with and ineffectually doing vain battle against, to maintain in increasingly failed and siloed power vacuums, that which controls and commands them to abuse and misuse information and intelligent feeds for the mindless retention of status quo seeds/feeds/needs.
Use the mighty inherently worthless paper fiat dollar to buy in and direct new intelligence supply for onward control export to every other ignorant and arrogant jurisdiction/struggling executive administration. Quite obviously, does present supply not deliver peace and prosperity to all, and anything less will always create madness and mayhem and increasingly more targeted search and research and development for that and/or those who would be chief cause of novel future intelligence supply blockage.
And indeed, such is the same easy solution for any currency paper fiat supplier to engage with and secure XSSXXXX ProVision with NEUKlearer HyperRadioProActive IT .... which be at least both Sensual and Sensitive Intellectual Property Supply Services to Order, and Tailor Made to Guarantee Successful CyberIntelAIgent Virtual Design which Astutely Anonymously Autonomously Disrupts, Degrades and Destroys Perverse Parasitic and Corrupt Collaborative Bodies/Conspiratorial Enterprises.
And doing its Ab Fab Fabless IT Thing with you too and Oft Alone, by virtue of your doubts and ignorance in what its HyperRadioProActive IT is doing for you already ...... via the Portal of Global Operating Devices and NINJA Apps....... Networks Internetworking Novel JOINT Applications in JOINT Operations Internetworking NEUKlearer Technologies ..... for SMARTR Advanced IntelAIgent Solutions Systems Communicating Quantum Leaps in Bits and Bytes of Information and Language for Universal Transcription/Earthly Sharing/Global Systems ReBooting.
Or is putting rabbits on moons and sending monkeys into space easier for you to accept as a more intelligent use of time and resources in this heavenly place? How most very odd. :-)
First telling the Judiciary Committee that "no data" was collected on US persons, which he later admitted was "incorrect" after Snowden's relevations.
Second was telling them that the spying had foiled 54 terror plots, but later admitted that only 13 of those were within the US, and only "one or two" were identified from collecting the phone records (who called who, when, from where, for how long, etc.)
There were probably others that I'm not aware of, or he hasn't be caught at yet.
So why does he think that ANYONE should believe what he was saying in the 60 Minutes interview?
The more so because "9/11" had nothing to do with "connecting dots", it had to do with FBI infighting (moles being shut down out of pure spite and bureaucratic put-downs at the right moment) and possibly shenanigans about covering up a long-running deal with a mobster hitman.
No technical system is going to help with that. Unless you get all the stupid out of the system and give everything to AIs.
It actually had a good bit to do with connecting the dots. Most specifically DoJ regs that prevented intelligence and law enforcement from sharing certain data. But admitting that would squarely blame the failed policies of a Democrat administration. And we can't have that.
Yes, corrective action didn't require the massive rewrite of laws and the creation of a new leviathan within the big leviathan. But then that wouldn't advance Statist purposes either.
1. Pearl Harbor was an attack on a military base not a civilian building. For better or worse we deem that members of the military have accepted the risk of dying for their country and treat their deaths differently from civilian deaths.
2. Four years after Pearl Harbor we had closure. The bastages that ordered it were mostly dead and the few that were left had surrendered. They were in no position to launch any further similar assaults ANYWHERE. That is not true of the current situation.
I'd also note that in the intervening four years we also had something the world hasn't seen since: total war. Most people regard that as a good thing. As for me, I'm willing to risk it. I think we're on the brink of another such conflict and the longer we wait the higher the chances that we move too late. But I'd wager a year's salary you disagree with me on that.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
