02-20-2015, 11:24 PM   #16
RandomTroll

Quote:
Originally Posted by displace
I've just disassembled one of my HDD's. You can also read the firmware directly from the SPI Flash chip
Could you access it with software alone, or did you have to connect directly to the chip? The SpriteMods fellow said the contents of his flash chip were compressed in a way he couldn't decompress: was yours uncompressed or did you figure out how to decompress it?

Quote:
Originally Posted by displace
a lot of HDD's come with an external SOIC8 SPI flash chips, I wonder if it is possible to physically write-protect these chips by soldering the WP pin of the chip directly to GND.
Ground it? It enables WP; I would think one would want to put a voltage on it.

Would there be a market for controller cards with real ROMs?
02-23-2015, 04:56 AM   #17
displace
I take that back, according to some scientific articles I've read it would seem that the tiny SOIC8 chip only stores a small portion of the firmware that is designed to initialize the disk. The full firmware is actually stored on an inaccessible region on the disk itself. This makes it impossible to access with a classic SPI reader, so a JTAG interface might be the best way after all.

Quote:
Originally Posted by RandomTroll
Could you access it with software alone, or did you have to connect directly to the chip? The SpriteMods fellow said the contents of his flash chip were compressed in a way he couldn't decompress: was yours uncompressed or did you figure out how to decompress it?
You need to connect the SPI (bus pirate) directly to the soic8 chip to bypass all hardware restrictions (personally I use soic8 clips). Then use a tool like flashrom to dump the full contents of the chip. I have not yet tried to dump the contents, so I do not know about the compression.


Quote:
Originally Posted by RandomTroll
Ground it? It enables WP; I would think one would want to put a voltage on it.

Would there be a market for controller cards with real ROMs?
Sorry, I should have written it as a "/WP" pin. According to a winbond datasheet, a low signal (GND) will enable the write-protect, but before doing so, a connection to a high voltage must first be severed (i.e. remove a pull-up resistor).
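An added example, not code from any poster in this thread: once you have two raw dumps of the SOIC8 chip from flashrom (a baseline taken when the drive was new, and a later read), compare them sector by sector so a patched or erased region shows up even when the image itself is compressed and otherwise unreadable. It assumes a 4 KiB erase sector (check the chip's datasheet) and plain binary dump files; the sample images are constructed.

```python
#!/usr/bin/env python3
"""Compare two raw SPI flash dumps (e.g. from `flashrom -r`) sector by sector.

Added example for this thread, not code from any poster. Assumes the chip's
erase-sector size is 4 KiB (common for SOIC8 SPI NOR parts, but verify it in
the datasheet) and that both dumps come from the same chip.
"""
import hashlib
import sys

SECTOR = 4096  # assumed erase-sector size; adjust to the datasheet


def sector_hashes(image: bytes) -> list[str]:
    """SHA-256 of every SECTOR-sized slice of the image."""
    return [hashlib.sha256(image[i:i + SECTOR]).hexdigest()
            for i in range(0, len(image), SECTOR)]


def compare_dumps(baseline: bytes, current: bytes) -> list[tuple[int, str]]:
    """Return (offset, kind) for every sector that differs from the baseline.

    kind is 'erased' when the sector now reads all 0xFF (the erased state of
    NOR flash), otherwise 'modified'.
    """
    if len(baseline) != len(current):
        raise ValueError(f"size mismatch: {len(baseline)} vs {len(current)} bytes")
    changed = []
    for idx, (a, b) in enumerate(zip(sector_hashes(baseline), sector_hashes(current))):
        if a == b:
            continue
        off = idx * SECTOR
        chunk = current[off:off + SECTOR]
        kind = "erased" if chunk == b"\xff" * len(chunk) else "modified"
        changed.append((off, kind))
    return changed


def constructed_dumps() -> tuple[bytes, bytes]:
    """Constructed 64 KiB sample pair; not a real firmware image."""
    baseline = bytes(range(256)) * (65536 // 256)
    current = bytearray(baseline)
    current[0x3000:0x3004] = b"\xde\xad\xbe\xef"  # a few patched bytes in sector 3
    current[0x8000:0x9000] = b"\xff" * SECTOR      # sector 8 wiped to the erased state
    return baseline, bytes(current)


def main(argv: list[str]) -> int:
    if len(argv) == 3:
        with open(argv[1], "rb") as f, open(argv[2], "rb") as g:
            baseline, current = f.read(), g.read()
    else:
        baseline, current = constructed_dumps()
    print("whole-image SHA-256:", hashlib.sha256(current).hexdigest())
    diffs = compare_dumps(baseline, current)
    for off, kind in diffs:
        print(f"sector at 0x{off:06x}: {kind}")
    print("no differences" if not diffs else f"{len(diffs)} sector(s) differ")
    return 1 if diffs else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python3 compare_dumps.py baseline.bin current.bin`; with no arguments it runs on the constructed sample.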
02-28-2015, 02:10 PM   #18
curtvaughan
If the only way, these days, to guarantee security from snoopware is to disassemble hardware and re-solder at the chip level, the war has already been lost. The folks skillful enough to do this sort of "hacking" mostly have jobs working for the NSA/CIA, etc., already. Good guys with these skills are generally not the folks being targeted by the blackhats, and the few who have been - Assange and Snowden, et al - are either under house arrest or in refugee status. We live in interesting times.
02-28-2015, 08:51 PM   #19
jefro
We used to use debug to read that memory location. It is a memory region not a locked place that the system can't read or use.
02-28-2015, 08:59 PM   #20
metaschima
I remember posting in a similar thread, but I can't find it.

Basically, unless you are a person of interest and work for a gov't or at a power plant you shouldn't worry yourself, as this bootkit is extremely rare.

So, stop disassembling your HDDs, take off your tin foil hats and relax a bit.
02-28-2015, 11:56 PM   #21
ceyx
@metaschima :

With all due respect, I heartily disagree with most of your post.

Quote:
unless you are a person of interest and work for a gov't or at a power plant you shouldn't worry yourself,
This is a point that most folks don't get. They say "Well, I don't care if they tap my computer or phone. All they'd get is me chatting with my friends." The twist that folks do not get is that 'they' can and will if they need to, retroactively and selectively 'connect the dots' - the facts of your life - to paint a picture of someone that is most disparaging. As we have all seen in the past, the 'person of interest' gets tried by the media (and not the courts) and thus deflects the real issues because they have him/her painted as some sort of pariah. If the messenger is ugly, so is his message? I can name incidents where this happened, and in the end the 'perp' was found to be right - but his / her life was over. Kind of has a chilling effect on the next guy.

So you may not be a person of interest now, but in the future? No problem, they have the data stored in Utah or some place. I agree with you that for most of us this is unlikely, but why are we even playing this stupid game?

And again, I do not want to be rude but
Quote:
this bootkit is extremely rare
How would you know? Got any numbers to back that up? You are probably right, but your assurances are weak.

If anyone said to me in 2010 that the spooks were able to tap into most anything including google and yahoo AT WILL, I would have said 'yeah right, take off your tinfoil hat and relax '.

So without disassembling a hard disk to see what is going on, look to the past to see if there are precedents to this kind of behaviour from those who are supposed to be 'protecting us'. Indeed there are many precedents; the latest being the Gemalto sim card hack.

And just using common sense, the storyline is faulty. It goes like this: Spooks waylay a shipment of a hard disk or computer to a 'person of interest'. Norton in NSA shipping phones up to Ralph and says "Hey Ralph, whip me up a rootkit for a Seagate Model XYZ and make it snappy." And Ralph, being the wunderkind that he is, responds in time for the shipment to go out and arrive at the target's drop point, who suspects nothing.

I don't think it would work like that. Betcha there is a library somewhere of this type of rootkit, and if they could they WOULD put it on everyone's HD. Why not? And just the fact that anyone (me) could even suspect that this could be happening is damning enough. There are so many examples of this in the past it is beyond belief.

Thanks for the opportunity to bounce these thoughts around. I am not wearing a tinfoil hat, nor disassembling my HDs, and I am quite relaxed. I am likely to pass on into oblivion quite anonymously, but I must agree with odiseo77 :

this is outrageous.

Quote:
Ben Franklin: Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.

Last edited by ceyx; 03-01-2015 at 12:14 AM. Reason: spelling
03-01-2015, 10:46 AM   #22
metaschima
Quote:
Beginning in 2001, and possibly as early as 1996, the Equation Group began conducting highly targeted and complex exploitation and espionage operations against victims in countries around the world. The group’s toolkit includes components for infection, a self-propagating worm that gathers data from air-gapped targets, a full-featured bootkit that maintains control of a compromised machine and a “validator” module that determines whether infected PCs are interesting enough to install the full attack platform on.
...
“The CD-ROM uses ‘autorun.inf’ to execute an installer that will first attempt to escalate privileges using two known EQUATION group exploits. Next, it attempts to run the group’s DOUBLEFANTASY implant and install it into the victim’s machine. The exact method by which these CDs were interdicted is unknown. However, we do not believe the conference organizers did this on purpose, considering the super-rare DOUBLEFANTASY malware, together with its installer with two zero-day exploits, doesn’t end up on a CD by accident,” the report says.
...
Kaspersky researchers have sinkholed several of the C&C domains used by the Equation Group attackers and have so far counted more than 500 victims, but the total over the lifetime of the campaign is likely far higher. The C&C infrastructure includes hundreds of domains in a number of countries, including the United States, the UK, Italy and Germany.

Nearly all of the C&C domains and servers were shut down by the attackers last year, but some were still active as late as last month. But Raiu said that there are no samples of the Equation Group’s tools from 2014.

“The scariest thing about them is that we don’t have any samples from 2014. So somewhere in 2013 these guys went off the radar,” he said. “We have no idea what they did in 2014, which is very, very scary.”
http://threatpost.com/massive-decade...covered/111080

Pretty much all the info I have been able to find on this suggests that this is a highly targeted operation and that the malware is rare or very rare (doublefantasy). Think of this as a tool used by a secret service to monitor and attack specific targets. I think that keeping it rare also decreased its chance of being detected. If you were one of the victims, it is likely you have more to worry about than this malware.

I have already been taking precautions, but not specifically against this bootkit. I don't use USB sticks or optical media or HDDs that I did not purchase myself at random from a store. I'm not saying not to take precautions, I'm saying stop freaking out about this specific malware. There is plenty of other malware out there that is much more likely to affect you than this one.
03-01-2015, 11:34 AM   #23
fogpipe
Quote:
Originally Posted by metaschima
Pretty much all the info I have been able to find on this suggests that this is a highly targeted operation and that the malware is rare or very rare (doublefantasy). Think of this as a tool used by a secret service to monitor and attack specific targets. I think that keeping it rare also decreased its chance of being detected. If you were one of the victims, it is likely you have more to worry about than this malware.

I have already been taking precautions, but not specifically against this bootkit. I don't use USB sticks or optical media or HDDs that I did not purchase myself at random from a store. I'm not saying not to take precautions, I'm saying stop freaking out about this specific malware. There is plenty of other malware out there that is much more likely to affect you than this one.
It didn't seem so highly targeted to me. Did you see the map and the story at Ars Technica? The Ars Technica coverage was the most complete and to me impartial that I have read:
How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last
Some news outlets pitched the story with the equivalent of "NSA hunts bad guys".
The official spin on this one started immediately, some versions of the story are barely recognizable.

Last edited by fogpipe; 03-01-2015 at 05:03 PM.
03-01-2015, 01:18 PM   #24
metaschima
That's a very in-depth article, but it adds more evidence that the bootkit is highly targeted and has ties to the NSA, Stuxnet, and Flame. It was also developed by an agency with "nearly unlimited resources". The fact that the malware checks to see if it is worth infecting a target means that it is highly targeted, it is not for mass surveillance, and it is designed to minimize risk of being detected.

The most interesting thing about the article is who it targets. Based upon this and its relation to Stuxnet and Flame, you can probably guess who created it.
03-01-2015, 03:57 PM   #25
fogpipe
Quote:
Originally Posted by metaschima
That's a very in-depth article, but it adds more evidence that the bootkit is highly targeted and has ties to the NSA, Stuxnet, and Flame. It was also developed by an agency with "nearly unlimited resources". The fact that the malware checks to see if it is worth infecting a target means that it is highly targeted, it is not for mass surveillance, and it is designed to minimize risk of being detected.

The most interesting thing about the article is who it targets. Based upon this and its relation to Stuxnet and Flame, you can probably guess who created it.
You seem to be assuming something about a target worth infecting.
What if the criteria were just devices running an alternate OS as evidence that the owner cares about security, or what if the criteria were just visiting technical and programming forums? I don't think given the data we have we can make any assumptions about what looks like a good target to the NSA. If the malware is already on the device or already on a server and is checking the device to see if it's a worthy target, the computer is as good as infected anyway.
As you pointed out, we are dealing with a class of criminal that has access to unlimited resources and likely capable of surveilling nearly unlimited targets.

What do you think this is for?
Quote:
A project of immense secrecy, it is the final piece in a complex puzzle assembled over the past decade. Its purpose: to intercept, decipher, analyze, and store vast swaths of the world’s communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks. The heavily fortified $2 billion center should be up and running in September 2013. Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital “pocket litter.”
http://www.wired.com/2012/03/ff_nsadatacenter/

The question is not, are you paranoid; the question is, are you paranoid enough?

By virtue of this thread alone, I bet all its participants have, or will have, at least some private data in that NSA collection center and may have qualified as likely targets for infection.

Last edited by fogpipe; 03-01-2015 at 04:01 PM.
03-01-2015, 05:03 PM   #26
metaschima
In this particular case the bootkit only runs on Windoze.

I think the real question is, will you let the NSA's boasts and bluffs intimidate you into becoming excessively paranoid and attracting attention to yourself as having something to hide that they should know about.
03-01-2015, 05:20 PM   #27
fogpipe
Quote:
Originally Posted by metaschima
In this particular case the bootkit only runs on Windoze.
I don't think I'd be betting on that if I had something to hide.
Quote:
Originally Posted by metaschima
I think the real question is, will you let the NSA's boasts and bluffs intimidate you into becoming excessively paranoid and attracting attention to yourself as having something to hide that they should know about.
I liked the way Han Solo put it: "Just fly casual!" Whistling in the dark? Whatever metaphor you use, this has a chilling effect on communication and the exchange of ideas.
I think it's good to be aware of and a factor in whatever security precautions one already takes. Anything can be misused and even if one is crazy enough to trust the government, there is no telling whose hands this technology may end up in.
What we can do about it is to elect politicians who will investigate and cut the budget allowances for these kinds of programs. We can't trust any government agency with unlimited resources and no accountability.

https://optin.stopwatching.us/

Last edited by fogpipe; 03-01-2015 at 05:49 PM.
03-01-2015, 05:38 PM   #28
metaschima
I understand and I strongly believe that the NSA should not backdoor encryption:
https://www.linuxquestions.org/quest...al-4175535220/

However, I also think that the NSA is deliberately trying to make people paranoid. I'm actually a good example of that. They are the ones that have driven me to learn more about cryptography, because I don't feel safe from them. I am also much more conscious about security updates than before. I even run libressl instead of openssl because I don't trust the openssl developer. So, yeah I am actually much more paranoid than before, but I also realize that this is what they want. They want to make people paranoid so that they attract attention to themselves.

The truth is that the NSA does NOT have the ability to monitor everyone everywhere, even with their huge data centers and mass surveillance capabilities and backdoors and weakening cryptography, they still lack the computing power and manpower. They are forced to focus on people that attract attention. So, if you attract attention you can be sure that they are watching you. Instead, try to stay under the radar as much as possible. I am actually much more interested in steganography than cryptography because it attracts less attention, but you can combine the two and you always should.