
Report: NSA intercepting laptops ordered online, installing spyware - obstacle1
http://www.forbes.com/sites/erikkain/2013/12/29/report-nsa-intercepting-laptops-ordered-online-installing-spyware/
======
throwaway_yy2Di
Oh so that's why my Lenovo was held for "customs". Hope they at least removed
the Chinese backdoors while they were installing the American ones.

Look at me, I'm so clever using HTTPS and GnuPG and FOSS linux when my
hardware RNG is key escrowed, my USB cable is transmitting, my factory BIOS
has at least two nationalities of spyware, and Big Brother is watching me
naked in 720p. So glad I'm not a journalist and have an adequate physique.

~~~
blazespin
Yeah, the customs point is very interesting and worthy of upvote. I suspect
they'd need a warrant to do this on an American (one would hope) but I highly
doubt they'd need one to do this on anyone who ordered it from across the
border.

Canadians (and Americans who talk to Canadians) in particular are probably
highly vulnerable to this spying. Emailing Americans, calling Americans,
ordering laptops from the US, etc. The NSA is probably free to tap/interdict
all of those interactions without any kind of pre-approval or probable cause.

Bottom line: the NSA has done irreparable harm to global trust in dealing with
the US (and, sadly, the US dealing with those outside their borders), be it
communications or buying their products.

------
Yver
And suddenly, people like Richard Stallman seem much less crazy when they ask
for free (as in _libre_) hardware, free BIOS, free everything.

~~~
kevingadd
Is 'free as in libre' hardware really any protection if the NSA intercepted
your device at the border and planted undetectable MITM malware/hardware? Are
you really gonna take the whole thing apart and check every chip for
modifications?

~~~
nitrogen
The "free as in libre" part would make it much more difficult to create an
_undetectable_ MITM. You might have a much greater diversity of hardware, so
they'd have to find and maintain more exploits. The full software/firmware
stack would be verifiable by cryptographic signature. The hardware itself
could be checked by looking for chips that don't match other units from the
same lot, either visually or behaviorally, and even x-raying the components if
necessary.

------
geuis
My suspension of disbelief is getting really close to breaking. Don't get me
wrong, I'm fully against the entire NSA spying deal. But these "reports" just
keep getting more and more outrageous. The problem is not that I don't think
these things have been happening, but rather that the continuous slow leaking
by news media is causing the next big reveal to be just more background noise.

We need a big, sudden, destructive reveal that causes a lot of impact. Not the
slow drizzle of 'this week in civil liberties violations'. Probably too late
for this, sadly.

~~~
kapitalx
IMHO the only reason the NSA leaks have been so effective in shaping public
opinion is that it's a 'slow drizzle'. Otherwise they would have ended up like
other wikileak mass dumps which are too overwhelming to absorb and are quickly
forgotten.

~~~
Houshalter
It seems kind of silly that something has to literally be "new news" in order
to be worth broadcasting or discussing, even if it hasn't before.

------
ihsw
Maybe it would've been better for this news to have been broken a month or two
ago, for maximum financial impact.

In all seriousness, one has to wonder how shipments get diverted, and how
easily this process can be taken advantage of. Surely the companies handling
these "special" shipments are made aware of details on a need-to-know basis
(eg: super-secret gov. employee is going to be taking the shipment for an
hour, don't ask why and don't tell anyone), but are they able to verify that
their handlers are who they say they are?

Would you trust a shipping company based in China? Why would you trust an
American one any more than a Chinese one?

~~~
rdl
This capability already exists for counter drug and other interceptions. I'm
sure it was FBI asking ups and fedex to hold a suspected drug shipment and let
them look at it briefly; it is entirely possible no one at the shipper, and
certainly not on the line, knew it was NSA. They might have said terrorism,
too, but probably not. Maybe just "a law enforcement matter" with no questions
asked.

------
redthrowaway
Doesn't this seem a little moustache-twirly, even for the NSA? I imagine the
only way they'd actually expend the necessary man-hours on this is if they
were intercepting hardware ordered by people who were already targets of
interest. Now, that probably means Merkel should buy her laptops in-store,
with cash, but this really doesn't seem like the sort of panopticon story
we've been reading elsewhere. Unless, of course, they've managed to convince a
judge to give them a warrant to compromise the Dell/etc factory image.

------
fragsworth
This is just fucking outrageous. Is there no line they wouldn't cross?

Our only option, now, to protect ourselves, is a healthy amount of paranoia
and knowledge of security.

We should now live by the following rule: If it's possible that the government
could do something to spy on you, _then they have probably done it_.

Everything you type into a computer connected to the Internet, that you didn't
build, must be assumed to be logged by the NSA.

------
zebra
Even Joe Average should acknowledge that a clean reinstallation after
getting new hardware is a good practice.

Ed: BTW, does somebody know how to audit your laptop in its current state?

~~~
mgurlitz
The linked article on Der Spiegel has a section on what they call
"persistence:"

_The specialists at ANT, which presumably stands for Advanced or Access
Network Technology, could be described as master carpenters for the NSA's
department for Tailored Access Operations (TAO)... The ANT developers have a
clear preference for planting their malicious code in so-called BIOS, software
located on a computer's motherboard that is the first thing to load when a
computer is turned on... This has a number of valuable advantages: an infected
PC or server appears to be functioning normally, so the infection remains
invisible to virus protection and other security programs. And even if the
hard drive of an infected computer has been completely erased and a new
operating system is installed, the ANT malware can continue to function and
ensures that new spyware can once again be loaded onto what is presumed to be
a clean computer. The ANT developers call this "Persistence" and believe this
approach has provided them with the possibility of permanent access._

[http://www.spiegel.de/international/world/catalog-reveals-ns...](http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html)

~~~
sillysaurus2
This is probably one of the most important problems of our generation to solve
(as hackers, not philanthropists) and it's sort of amazing that it's hardly
known, let alone discussed. I've brought it up before and it seems like
everyone's reaction is that it's not worth worrying about. But there are
adversaries besides the NSA, such as malware. And since userspace programs can
upgrade your BIOS, it's therefore possible to write viruses that infect
your BIOS exactly as described here. If the BIOS security model is even
slightly broken, then malware will find a way into it, and security is hard to
do perfectly. Why are we trusting proprietary motherboard manufacturers not to
have backdoors in their closed-source systems? The answer is probably because
we have little choice in the matter. Thus we're giving up a basic right: for
us to have faith in our security practices. If, say, Colin Percival's careful
security habits can simply be circumvented by his motherboard, then none of us
are safe.

We need an open source motherboard for people who care about protecting
themselves from this kind of thing. Or at least an open source BIOS. But it's
an insidious problem, because once a BIOS is infected, it controls everything
that may ever replace the BIOS. Therefore it's almost impossible to detect if
your BIOS has been "man in the middle'd," and hence even an open source BIOS
may not be enough.

I don't have a good solution, but this is a terribly important problem to
solve.

~~~
harshreality
Can the bios chips/eeproms be replaced on a running computer?

Can you remove the bios chip, put it in a different (running) computer, use
flashrom to read it, put it back, use flashrom to read it again, and compare
the two?

Either the virus doesn't hide itself (on calls to read from the bios nvram),
and it will be visible on comparison with a pristine (if you have one) copy of
the same bios, or it does hide itself and it will be visible on comparison to
itself once put in a running machine that didn't boot from the contaminated
code, right?

~~~
sillysaurus2
I'm so glad someone is thinking about the problem of "how do we know our
hardware hasn't been subverted?" It's hard, and there are many facets.

As far as I can tell, what's needed is: (a) an open source BIOS, (b) coupled
with some physical BIOS chip reader. And the chip reader needs to be cheap
enough for us to assemble ourselves; we can't really trust some company to
make it for us, because the company could be coerced into subverting it or it
could be subverted in transit after we order it. So it seems like we need an
open source blueprint of a BIOS chip reader that's cheap and easy enough for
anyone to make themselves. (A tall order, to be sure.)

(a) is a requirement because if the BIOS is closed source, then there's no way
to know whether it's backdoored. (b) is a requirement because if it's
impossible for an external device to obtain a memory dump of the ROM, then we
won't be able to verify that the open source BIOS hasn't been subverted. And
it _has_ to be a memory dump obtained by an _external_ device; we certainly
can't trust a BIOS to verify its own integrity. Hence a separate, physical
device is going to be a necessary and standard security requirement for the
first time in the history of the open source community's security
practices.[1]

So when we build a new computer, the first step is to order the parts. (Note:
the parts may be subverted by an adversary in transit.)

Then we'd either (1) order the parts for the open source BIOS verifier device,
or (2) order the fully assembled BIOS verifier from some trusted company. As I
said before, (2) is a dangerous idea because an adversary can simply intercept
your packages in transit and subvert the verifier. So this whole process is
unfortunately going to be so much of a pain in the ass that few people are
going to want to do it. But a painful option is better than no option.

Now, the packages for your new computer arrive, along with the components for
the BIOS verifier. You assemble the computer and the verifier. Then you boot
from a bootdisc which is designed to replace your motherboard's BIOS with the
open source one.

At this point -- and this is the part I'm unclear about -- the verifier
somehow needs to be able to obtain a dump of the motherboard's ROM containing
the BIOS. Then the verifier calculates the checksum of the dump, and you can
finally verify that the checksum matches the expected one (the expected
checksum would be published on the open source BIOS's website alongside each
of its download links).

If all of these steps are followed, then we are safe. Otherwise no one can be
sure they're safe, not even Colin. (I'm hoping if I mention often enough that
Colin's security practices can be defeated by this, then people will realize
the magnitude of the danger facing us.)

I'm sad because there's almost no way to turn this idea into a company. All
companies (especially US companies) are constantly coerced or subverted by
governments. So it's unlikely that the steps I've outlined will ever be widely
adopted. But without these steps, there's no way to trust any of our security
measures. This BIOS malware technique must have been one of the NSA's most
lucrative and powerful, because nobody has yet even bothered to care about
verifying BIOS integrity at the hardware level.

[1] - It's interesting to consider the question: Have even our most paranoid
and trusted figureheads like Stallman ever verified the integrity of their
computer's BIOS? Or did they simply trust that their Yeelong Lemote laptop
BIOS wasn't subverted in transit after they ordered it? I'd bet the latter,
because I've never heard of an external tool that can obtain a memory dump of
a laptop motherboard's ROM, though I'd love to be wrong about that.

EDIT: And now this submission has been totally buried off the frontpage. So no
one will even read this. Awesome.
[http://hnrankings.info/6983099/](http://hnrankings.info/6983099/)
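
Added example, not code from any commenter: a small Python script implementing the two checks proposed above, namely harshreality's idea of comparing two dumps of the same chip (or a dump against a pristine copy) to list the offsets where they differ, and the checksum step in the verifier procedure, which compares an externally obtained dump against the hash published beside the open-source BIOS download. The ROM images are constructed placeholders, and the published checksum is assumed to be SHA-256.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed sample images (not real firmware): a 64 KiB "pristine" image and
# a copy with 16 bytes altered, standing in for two dumps of the same chip.
PRISTINE = bytes(range(256)) * 256
_tampered = bytearray(PRISTINE)
_tampered[0x1F00:0x1F10] = b"\xEB\xFE" * 8  # constructed modification
TAMPERED = bytes(_tampered)


def sha256_hex(image: bytes) -> str:
    """SHA-256 of a full ROM dump, as a lowercase hex string."""
    return hashlib.sha256(image).hexdigest()


def matches_published(image: bytes, published_hex: str) -> bool:
    """Compare a dump's hash to the checksum published with the BIOS image.

    Uses a constant-time comparison so the check itself is not a timing oracle.
    """
    return hmac.compare_digest(sha256_hex(image), published_hex.strip().lower())


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) offset ranges where two dumps differ.

    Works for dump-vs-pristine and dump-vs-redump comparisons alike. A length
    mismatch is reported as a final range covering the missing tail.
    """
    ranges: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


if __name__ == "__main__":
    for lo, hi in differing_ranges(PRISTINE, TAMPERED):
        print(f"dumps differ at 0x{lo:06X}-0x{hi:06X} ({hi - lo} bytes)")
    print("matches published:", matches_published(TAMPERED, sha256_hex(PRISTINE)))
```

A clean comparison only tells you the chip's contents match; as the reply below this comment points out, it says nothing about any firmware the chip itself may run.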

~~~
nitrogen
In light of
[https://news.ycombinator.com/item?id=6980058](https://news.ycombinator.com/item?id=6980058)
and
[https://www.usenix.org/system/files/conference/woot12/woot12...](https://www.usenix.org/system/files/conference/woot12/woot12-final28.pdf),
you also need a way of verifying that your BIOS chip is a dumb EEPROM or
verifying its own micro-firmware.

------
whyenot
This is starting to get really bad. Why aren't there demonstrations in the
streets? I tried to sound out my relatives over the holidays to see what they
think about Snowden/NSA and nobody seems to care.

~~~
devanti
Because the average person is short-sighted. They don't do anything (or don't
realize how terrible it is) until it directly affects them.

------
zby
For reference - discussion of the source article from Der Spiegel:
[https://news.ycombinator.com/item?id=6979239](https://news.ycombinator.com/item?id=6979239)

------
linuxhansl
Interesting my Lenovo order just delayed by over 30 days.

Not that I won't wipe it and put Linux on it anyway, but if the hardware or
BIOS was tampered with I'd be none the wiser.

(Not that I'd be worth effort, but anyway)

~~~
leeoniya
same with my order (finally being delivered tomorrow), though i'm highly
doubtful that they do this for all computers. prolly only ones for already-
monitored targets. doing it for everyone is highly impractical and expensive.

------
salient
I thought the NSA wasn't "attacking domestic citizens"? They can't excuse this
one away as an "error" anymore. NSA/Obama administration lied. Again. What a
surprise.

And boy are these NSA stories flagged into oblivion or what? NSA/FBI psy-ops
or just good ol' HN folks "getting bored" with the NSA abuses?

------
bkoa
Does anybody have the links to these internal documents on which this
allegation is based?

------
Istof
I just figured why my laptop is transmitting on cellphone frequencies.

------
notastartup
I am so raging at news regarding NSA's rogue behavior. Why isn't anything
being done about this serious breach of privacy, the freedom to be you, the
pillars of democracy? It's like NSA is saying "Look at me fuckers we are above
the law and you are just going to have to take it up the ass".

Seriously? This is depressing, knowing that some asshole at the top is
ordering all of these things and telling us to close your eyes and say nothing
while the ass fucking goes on. At least buy everyone dinner before you've
decided to fuck them.

~~~
ketralnis
> Why isn't anything being done

Because you're not doing it. Nor him, nor her, nor I. Because somebody has to
actually _do it_, not just muse that somebody else should do it.

~~~
Houshalter
Well what can we do except vote? Maybe write a few angry letters? There isn't
really anything that I know I _can_ do to help.

~~~
ketralnis
I don't pretend to know either.

Could it be changed by voting? This has presumably spanned more than one
party's rule in any individual chamber and in practise, the party is the only
choice.

Do letters work? I'm in Feinstein's district and she makes it pretty clear
that she likes things the way they are.

Protest? Does that actually do anything? It's essentially asking someone to
voluntarily cede power because "pretty please". Has anything actually been
changed by a march in the last decade? I'm not actually sure I'd like a world
where a mob's protest is a successful way to change things.

Revolt? I don't hate _everything_ the US Government does and I do hate a
higher percentage of what some other governments do, so I'd hate to replace
this one with worse. We're already pretty far to the right of most other
comparable nations. The last thing we need is a constitution written after
privacy has been essentially written off. I also value my personal safety,
selfish as that sounds.

So I wish I knew too. Wishing on the internet that somebody would do
"something" about it sure isn't working, but I don't know what would.

~~~
notastartup
I would get a petition going, but I'm not American.

