Last Updated on November 30, 2018 by Dave Farquhar
This weekend, CBS ran a story about how the NSA foiled a sinister plot to brick millions of PCs and cause a financial meltdown. At least they didn’t say MELTDOWN.
My opinion is that this is a puff piece. A source managed to scare a journalist with a threat that sounded credible enough, and make something routine sound big and threatening.
Let’s start with the threat. Attacking the BIOS is a concept that dates back to the late 1990s, when field-upgradable BIOSes became common. Write random data to that chip, and the PC forgets how to boot. Whether it’s fixable depends on a few different things, but in the worst-case scenario, a technician swaps the motherboard with a close-enough match. Locating the close-enough match is the hardest and most time-consuming part of the repair. Once the board arrives, swapping it in takes minutes.
If a shop can’t locate a suitable board to swap in, then you have to replace the PC. Recovering the data is trivial though; just put the hard drive in the new system and copy the data over.
How one goes about foiling a plot to release a virus is another question. Perhaps a double agent sabotaged the code, or perhaps they infiltrated the group, got a copy of the code, and tipped it off to antivirus vendors. It doesn’t really matter; that’s the NSA’s job and what matters is that they did their job.
In other news, the mail carrier delivered my mail yesterday, and the day before too. Stop the presses.
But I also question the actual damage behind this plot. Bricking a pile of BIOSes would be an inconvenience for a lot of people, but what would they do? They would take their computers in to a repair shop. The computer would be repaired or replaced. A lot of struggling retailers would get a boom in new business. Intel, AMD and Microsoft would get a nice bump in profits. Apple might too, as some of the victims might switch to Apple kit. And a lot of vulnerable computers running outdated software would get replaced with newer, more secure systems.
It would be painful, but there could be some long-term benefits, much like the analog to digital conversion of television a few years ago, which caused a boom in HDTV sales. And in the end, national security would increase.
And that’s assuming the attack was successful. The mechanism to get at the BIOS in order to change it varies. Dealing with all of those variables isn’t necessarily impossible, but it’s difficult, even with AMI’s source code leak. CIH was successful because the chipset it targeted, the Intel 430TX, was extremely common at the time. Nothing today is as dominant as the 430TX was in 1998, and people keep their PCs much longer now than they did then.
CIH bricked about 60 million computers and caused $1 billion in damage. Replicating that success is likely to be difficult, and it would take more than that to ruin the U.S. economy, if that was the goal.
It’s a puff piece. It reinforces the slight majority of U.S. citizens who approve of the NSA spying on its own citizens because terrorism. Perhaps it sways a few people on the fence. Few, if any, of the people who object will be swayed by something like this, because they object due to deeper political beliefs, or due to deeper issues like the implications of the NSA intentionally weakening cryptographic algorithms. Those same people would also point out that foiling a virus plot is a completely separate issue from a government spying on its own citizens, since the nameless nation-state in the story would have done its R&D on its own networks.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.
7 thoughts on “The NSA’s disaster aversion by keeping BIOSes safe for the free world”
Every time I read something about the NSA, I think of what Will Rogers said: “Live in such a way that you would not be ashamed to sell your parrot to the town gossip.”
I hear that argument a lot (and I have nothing to hide–I have two dormant government-issued security clearances), but I can quickly think of several problems with it:
1. As far as I know, the people I talk to every day have nothing to hide either, but I have no idea about a year from now, or 7 years from now. People can and do change.
2. The average person commits three felonies per day, which was the subject of a book by that very title in 2009. That’s not a problem if nobody’s watching, but if everything we do is being recorded it becomes a much bigger problem.
3. Probably none of this is a problem for you or me, but it would have been a huge problem for Martin Luther King Jr. We’re going to need an MLK Jr again someday, and if political dissidence becomes impossible, we won’t have that person when we need him or her to set the country straight.
4. Abuses are taking place. The spy agencies are feeding information to the DEA for use in drug cases, and instructing them to conceal the origin. So, by definition, these drug defendants cannot get a fair trial because the other side is committing perjury. I don’t have a lot of sympathy for drug dealers, but what if they’re wrong? We have to give a fair trial if for no other reason than to protect the wrongly accused.
5. Another example of abuse was the Kim Dotcom case. Why is NSA data being used in a copyright case? At least in the Dotcom case, his lawyers know about it, but the original classification marking makes the origin clear. Kim Dotcom may be a lot of things, but he’s not a threat to anyone’s national security.
Thank you Dave! I agree so very much with you. You put this in great words that I fully agree with and will back up until my heart stops beating.
n. 1) a crime sufficiently serious to be punishable by death or a term in state or federal prison, as distinguished from a misdemeanor which is only punishable by confinement to county or local jail and/or a fine. 2) a crime carrying a minimum term of one year or more in state prison, since a year or less can be served in county jail. However, a sentence upon conviction for a felony may sometimes be less than one year at the discretion of the judge and within limits set by statute. Felonies are sometimes referred to as “high crimes” as described in the U.S. Constitution.
A member of the St. Louis Giordano crime family couldn’t commit 3 felonies a day, year end and year out, without being sent away. Do you really think you could?
Most people are decent law abiding individuals, including Dave Farquhar, that would never willingly commit a felony as defined above.
“Don’t carry a gun. It’s nice to have them close by, but don’t carry them. You might get arrested.”
Most likely crime families don’t commit three every day. The teenager down the street from me, though, probably does. A very active one might commit more like 30. When I was a kid, I knew people who could commit 10-15 a day, and it’s a lot easier now.
Joseph, I know you run Linux. Have you ever watched a DVD on your Linux box? You’ve violated the Digital Millennium Copyright Act and committed a felony.
Any time someone copies a movie or a video game, or trades MP3s they didn’t perform themselves, they’ve committed a felony.
I see people commit felonies every Saturday. They have a box of CDs out at their garage sale. They put them all on their computer or MP3 player, and now they’re selling the CDs because the CDs are clutter. To an overzealous prosecutor, that’s a felony per song.
I go out of my way to be a law-abiding citizen, but still manage to slip up from time to time. I commit a lot more misdemeanors than felonies, but I’ve been cited for a lot of things in the last 3 years, including a single weed that was taller than four inches, trash being put out a day early, and not having trash service at a vacant house. Things I haven’t been cited for but could have include peeling paint, insufficient smoke detectors, a broken windshield, driving with snow on my car, and a burned-out tail light. I also got cited for one of my tenants having expired license plates.
And new ways to catch people are being invented every day. LG Smart TVs phone home and tell you what they’re playing. Rip a DVD to a USB hard drive and play it from there, and LG knows about it, as does anyone else who’s watching the network.
Laws not keeping up with technology make it easy to commit felonies, as do obsolete laws. Every city has silly laws. Some never get broken, but others have laws regarding alcohol consumption or acts that typically happen in bedrooms that frequently get broken.
Most of it isn’t malicious, and in a lot of cases the perpetrator has no idea he or she has committed a crime. I found out peeling paint and putting trash out early were illegal when I got cited for that weed.
And here’s the worst thing: In spite of these flagrant violations of the Constitution, I saw a story this week saying how many terrorist plots were foiled thanks to domestic spying and wouldn’t have been caught by other, legal means. ZERO.
I know you have your mind made up, but I hope everyone else who’s reading this will consider all of it.
Thanks for this! I hear people say that same thing all of the time, “Well, I don’t have anything to hide. I’m not doing anything wrong.” And as you point out, they probably are and don’t even know it. And when those in power decide they want to exercise it over you (for whatever reason you have come into their sights) a database of all your recorded transgressions WILL be used against you.
I’m reminded of a traffic safety school I was required to attend one Saturday (in lieu of being found guilty of a traffic violation that, of course, I didn’t commit). The officer who taught the course showed up 5 minutes late and opened with, “I know most of you are thinking to yourselves, ‘Why am I here?'” He then went on to say that each of us had broken the law and that we were all obvious, hardcore, repeat offenders. Repeat offenders?
He then began to list all of the offenses he had just found outside, in the last five minutes, related to each of our cars that were parked outside the strip mall where the class was being held. His point was that the average citizen can be cited for breaking the law at almost any time, especially if they are driving a car. There are so many laws, that the average citizen isn’t even aware of all the laws that they may be breaking at any given moment.
Actually, he was attempting to disarm those of us in the class who may have come with a bad attitude. His message was that if any of us were on a high horse, that we should just relax for the day as we were ALL, no doubt, guilty of something and deserving of punishment, whether or not we were guilty of the offense for which we had been sent to traffic safety school!
I have forgotten everything presented about traffic safety that day, but I have not forgotten that officer’s unintentionally Orwellian intro. I have reflected, often, that we as citizens can’t be law abiding any more as there are so many laws, many of them conflicting and many of which we aren’t even aware of. That those in power have no qualms about using legal entrapment. And that those in power see everyone else as, “No doubt, guilty of something, and deserving of punishment!”
I have no doubt that officer (and others of his ilk, high and low) would love to get his hands on the NSA’s database. And THAT, Joseph, is the issue.
Stalin didn’t need a list of crimes. He had the NKVD and they could create lists.
If it gets to this point in America, no one will be safe. Lists or no lists.
“If you use your smart toothbrush, the data can be immediately sent to your dentist and your insurance company, but it also allows someone from the NSA to know what was in your mouth three weeks ago.”