[clug] Offline snooping

[Bob Edwards]

On 06/02/14 17:18, Scott Ferguson wrote:
> Re-sending to the list
>
> On 06/02/14 16:03, Bryan Kilgallin wrote:
>> Thanks, Scott:
>>
>>> Much of the
>>> software used by the NSA is either hidden in commercial proprietary
>>> software (Closed Source), or proprietary firmware (i.e. embedded coded
>>> used for devices e.g. your hard drive controller, your network card,
>>> your BIOS etc).
>>
>> How much of a hassle is the firmware problem?
>
> Define hassle? :)
>
> If you want control of your computer you need control of all the code -
> that includes the firmware. If you don't have control then you cede it
> to others - that is my definition of hassle in this instance.
>

Of course, trusting the firmware, or otherwise, is not the end of the
story. Certainly, there are demonstrated exploits against firmware-
infused malware, so it may well be reasonable to not trust it anymore.

However, why should you trust your CPU and it's microcode? If not the
main CPU, what about the GPU or other processing elements inside your
computer (network card, block device, usb controller, wifi processor
etc.)? Who's to say that there isn't a dormant agent waiting for a
wake-up signal to start exfiltrating the directory listings of your
block device(s) etc.?

What about running a "soft CPU" built on an FPGA, because then you
sidestep any such risk, right? But almost all FPGA code is compiled
using proprietry tools - who's to say that they can't add a "little
extra" to your home-brew CPU design?

Where do you start from if you want a truly trusted computing platform?
What would you need to have in order to stand up in court and testify
that you know beyond a reasonable doubt that your computing platform
is completely trustworthy?

Cheers,

Bob Edwards.