
Don't judge BadBios without sufficient evidence - trauco
http://www.greebo.net/2013/11/06/stop-just-stop/
======
misnome
Scientific method is not "Believe anyone who says anything", otherwise I have
a whole gaggle of homeopathic remedies and time cubes to sell you (prove that
they don't work, to my standards, of course).

Article then claims professional researchers are saying:

> "Because I personally can’t verify this issue is true, the issue must be
> false. QED."

whereas I read it more as:

> "This is a really crazy, far out idea, and all of my professional experience
> leads me to be highly skeptical of the idea unless I see some more reliable
> evidence".

Extraordinary claims require extraordinary proof, as always.

~~~
dsl
This. No research has been presented at all. Just a rambling twitter stream.
No respectable researcher starts spewing statements about a new threat without
doing enough analysis first to at least publish _something_ to support claims.

BadBios could just as likely turn out to be an art piece.

~~~
ChuckMcM
Am I the only one who thinks it will be pretty neat if it turns out to be
performance art?

Sadly the longer it goes without _something_ the more difficult it is to
believe. Time will tell of course, hell of a way to ruin a reputation though
if its bogus.

~~~
munin
this will probably ruin nobody's reputation, our memories are very short and
similar things that have happened in the past have been forgotten or swept
away.

------
bitwize
Not all of us can be l33t hax--er, security researchers. But we can do some
basic meta-analysis. Aside from some of the transmission vectors like
ultrasound audio stretching plausibility (even in ideal environments, acoustic
data transmission is a royal, error-prone bitch), there is the simple issue
that a non-POC piece of malware _this insidious_ should have arisen in
multiple sites with multiple analysts looking at it. Instead, it's just
Dragos. The other researchers with an interest in badbios are all saying
"listen to Dragos and pay attention because he's awesome." What they should be
saying, if the badbios claims hold up, is "holy shit, I've got it too,
everybody seal your computers in concrete until we figure this out!"

I'm not doubting Dragos's awesomeness; I'm doubting how much bearing his
awesomeness has on the truth value of the badbios narrative. The press getting
wind of this and turning it into a sensational story didn't help.

~~~
Amadou
_malware this insidious should have arisen in multiple sites with multiple
analysts looking at it._

Stuxnet was floating around the net for about a year before there was public
discussion. It was only afterwards that people went back and realized that
something had been there all along.

Part of the problem with expecting people to notice this class of viruses is
that they are not malicious, don't use excessive amounts of resources and are
deliberately designed to be stealthy. They aren't a general purpose bot-net,
they don't target anyone's bank accounts -- in short they have the lowest
possible profile that a well-funded and well-managed engineering organization
can come up with.

From that perspective, the only odd sounding behavior is that infected systems
avoid booting from anything but USB drives. That's a little high-profile for
this class of virus. It isn't enough for me to dismiss Dragos's claims, but it
is incongruous with the assumed design goals.

------
nullc
> We must support all of our researchers, particularly the wrong ones.

We must support researchers who behave like researchers. I wouldn't have made
the claims he's made without first obtaining ... some evidence. I'd expect
people to call me a liar or a loon if I made claims like these without a shred
of evidence. This seems more like an art project than research.

Hook the USB to a logic analyzer, boot a disk in an in-circuit emulator.
Something. ... Don't just speculate about the sizes of ttf files in windows.

------
scott_karana
"Don't judge BadBios without sufficient evidence" sort of sums up the problem.
Nobody but Dragos has seen any evidence whatsoever, and he hasn't provided it
to anyone else...

If it's a real threat, he's really hurting his case by ignoring the scientific
principles outlined in this article.

------
lawnchair_larry
Asking if it's possible for such malware to exist is the wrong question
(albeit, a fun thought experiment on its own). The right question is, why do
you think you are infected?

Just because it's possible for someone to pick my lock, doesn't mean my
belongings have been stolen. To conclude that my belongings have been stolen,
we must first establish that they are actually missing, and that I did not
lose them on my own. We do not immediately focus on the viability of lock
picking. Everybody wrapped up in this story skipped this important step when
examining the circumstances.

It turned out that when Dragos supplied what he thought was an "indicator of
compromise" as it's called in the industry, or suspicious activity, in every
instance it in fact was not suspicious at all, and Dragos either made a
technical error or misunderstood what he was looking at.

You don't have to be a paranoid crazy to make this mistake, so the John Nash
comparisons are over the top. I've been there in my career, which is partially
why I recognize it in him. Unfortunately he has committed too strongly to this
position, so he's not able to walk himself back from his early conclusions.
I'm not at all naive or misinformed as to what malware capabilities could be
(and I have some healthy paranoia myself), it's just that it's completely
beside the point in this case.

------
bovey
Dragos Ruiu is a respected researcher whom a LOT of people trust. His word
carries considerable weight. Thus, when he goes public saying there is a
critical - not to mention quite sensational - security issue, it has an
immediate effect outside of himself. An alarm goes off; in business, in the
security industry, and predictably in the media. "What do we know of this new
virus Dragos has identified"?

"Urr...nothing, really". "Come on, you gotta know something. Is our hardware
vulnerable?". "Urrr...dunno. We don't know if it exists, even". "But but, Ars
Technica, ErrataRob and Schneier have written about it?" "Sigh, yes, I know."

This is why I've been vocal about getting these data confirmed. It's not about
bashing Ruiu, it's not about being negative, it's not about whether I myself
am able to verify everything - it's about trying - and failing - to get people
to not lose their heads before the data are in.

So please don't frame this as "naysayer" discussion. If you shout fire in a
crowded theater, you better have something to back it up with.

------
undoware
Bump this n times. As I said before, it's a new world -- we know about
MUSCULAR. More relevantly, but less recently, we also know about what took out
the uranium enrichment facility at Na'antz (sp?): the virus Israel and the
U.S. have more or less admitted to creating, with a wink and a nod, that we
have seen evidence of elsewhere in the world. I confess I don't have the links
anymore, nor the time to go hunting them down again, but Google does.

Remember: There are already documented cases of virii making themselves almost
entirely undetectable, crossing air gaps on USB sticks, and then blowing up,
e.g., specific brands of peripherals (such as industrial centrifuges) by
altering their firmware.

Is it really a stretch to imagine a variant that (a) is bios-based and (b)
uses the tech behind every modem since 300 baud -- the modulation of digital
data into sound? That breaks itself up into undetectable pieces? We've seen
these techniques before.

~~~
dsl
Yes it is a stretch.

a. BIOSes are all insanely different. A motherboard manufacturer can switch
ethernet controllers within a run of a single board and ship an entirely new
BIOS. You would need to generate thousands of viral stubs to get the infection
spread being claimed, and the malware would need to move around gigabytes of
these BIOSes so it has them handy when it runs into a new motherboard.

b. Researchers have worked on this and demonstrated it was possible. They had
to modify off the shelf hardware to make it work. PC speakers are not designed
to emit frequencies outside the audible range. It's like saying "we have the
technology for cell phones, and my home router has a radio built in, it must
be able to talk to cell towers!"

The situation where I see his claims being plausible is if a state actor has
broken in and modified his hardware, and combined it with a viral threat
custom built for what they know he has in his home.
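The two claims above (undoware: a BIOS implant could talk over sound with the same modulation every modem has used since 300 baud; dsl: PC speakers are not built to emit usefully outside the audible band, and the channel is error-prone) can be checked in a simulation. What follows is an added example written for this thread, not code from either commenter and not anything derived from a badBIOS sample: a minimal binary-FSK modem in pure Python with a CRC-8 so the receiver can tell garbage from data. Everything in it is a stated assumption: the tone frequencies, the 100 baud rate, the cascaded first-order low-pass standing in for a cheap speaker's roll-off, uniform noise standing in for the room, and the absence of any bit synchronisation (the receiver assumes sample-aligned bit slots).

```python
"""Minimal binary-FSK acoustic modem (hypothetical parameters throughout).

bytes -> bits + CRC-8 -> one tone per bit -> speaker model (low-pass roll-off)
-> additive noise -> Goertzel tone detection -> bits -> bytes, CRC checked.
No synchronisation: the receiver assumes sample-aligned bit slots.
"""
import math
import random

SAMPLE_RATE = 44100   # Hz
BIT_SAMPLES = 441     # samples per bit: 100 baud, so DFT bins are 100 Hz apart
CRC8_POLY = 0x07      # CRC-8 (SMBus) polynomial x^8 + x^2 + x + 1


def crc8(data: bytes) -> int:
    """Bitwise CRC-8, poly 0x07, init 0, no reflection; used to detect corruption."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ CRC8_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def to_bits(data: bytes) -> list:
    """MSB-first bits of the payload followed by its CRC-8 byte."""
    framed = data + bytes([crc8(data)])
    return [(b >> (7 - i)) & 1 for b in framed for i in range(8)]


def from_bits(bits: list) -> tuple:
    """Inverse of to_bits: (payload, crc_ok). Trailing partial bytes are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    if not out:
        return b"", False
    payload, tag = bytes(out[:-1]), out[-1]
    return payload, crc8(payload) == tag


def modulate(bits: list, f0: float, f1: float) -> list:
    """One unit-amplitude tone per bit: f0 for 0, f1 for 1."""
    samples = []
    for bit in bits:
        f = f1 if bit else f0
        samples.extend(math.sin(2 * math.pi * f * n / SAMPLE_RATE)
                       for n in range(BIT_SAMPLES))
    return samples


def speaker(samples: list, cutoff_hz: float, stages: int = 2) -> list:
    """Crude transducer model (assumption): cascaded first-order RC low-pass,
    so tones far above cutoff_hz are strongly attenuated."""
    alpha = 1.0 / (1.0 + SAMPLE_RATE / (2 * math.pi * cutoff_hz))
    out = list(samples)
    for _ in range(stages):
        y = 0.0
        for i, x in enumerate(out):
            y += alpha * (x - y)
            out[i] = y
    return out


def add_noise(samples: list, amplitude: float, seed: int = 1) -> list:
    """Room and microphone noise as seeded uniform samples in [-amplitude, amplitude]."""
    rng = random.Random(seed)
    return [x + rng.uniform(-amplitude, amplitude) for x in samples]


def goertzel_power(block: list, freq: float) -> float:
    """Energy of `block` in the DFT bin nearest `freq` (Goertzel algorithm)."""
    n = len(block)
    k = round(n * freq / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in block:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples: list, f0: float, f1: float) -> list:
    """Each bit slot decides for whichever tone carries more energy."""
    bits = []
    for i in range(0, len(samples) - len(samples) % BIT_SAMPLES, BIT_SAMPLES):
        block = samples[i:i + BIT_SAMPLES]
        bits.append(1 if goertzel_power(block, f1) > goertzel_power(block, f0) else 0)
    return bits


def transmit(payload: bytes, f0: float, f1: float,
             speaker_cutoff_hz: float, noise_amplitude: float) -> dict:
    """End-to-end simulation: decoded payload, CRC verdict, raw bit error count."""
    sent = to_bits(payload)
    audio = add_noise(speaker(modulate(sent, f0, f1), speaker_cutoff_hz), noise_amplitude)
    received = demodulate(audio, f0, f1)
    decoded, ok = from_bits(received)
    errors = sum(a != b for a, b in zip(sent, received))
    return {"payload": decoded, "crc_ok": ok, "bit_errors": errors}


if __name__ == "__main__":
    msg = b"hello"
    # Audible tones well inside the modelled passband: decodes cleanly.
    print("audible   :", transmit(msg, 1500, 2500, 3000, 1.0))
    # Near-ultrasonic tones through the same cheap speaker model: the tones
    # fall below the noise floor, bits flip, the CRC fails.
    print("ultrasonic:", transmit(msg, 20000, 21000, 3000, 1.0))
```

The point of the two runs is the one dsl is making: the modulation itself is trivial and has been since acoustic couplers, but the link budget belongs to the transducer, not the software. With the same noise and the same modem, moving the tones from 1.5/2.5 kHz to 20/21 kHz through a speaker model that rolls off at 3 kHz turns a clean decode into a CRC failure. A real implant would additionally need framing and clock recovery, which this example deliberately omits; the "error-prone" part bitwize mentions starts before any of that.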

~~~
Amadou
_They had to modify off the shelf hardware to make it work._

I would like to read about this experiment you mention, do you have a link?

------
drvdevd
Maybe no one person has the expertise to analyze a sample of this malware in
its entirety. But treating malware samples like weapons to hide (to be
disassembled only in maximum isolation?) somehow seems similar to the line of
thought taken by commercial software vendors who think distributing binaries
without source makes them more secure (okay, maybe that's a stretch).

But my main point is - viruses (and other forms of malware) aren't actual
biological viruses necessitating strict containment. They're code and we CAN
understand them. More access means publicly accessible countermeasures are
likely to develop faster. And yes - some people will take advantage of this by
adapting the techniques employed therein for evil. I think it's worth the risk
to try to understand it.

And yeah, don't just run it on your machine directly in a debugger of course.
That's likely to be containment enough.

------
alextingle
Yeah, this story is the netsec version of cold fusion. It's probably not true.
It seems impossible. But, what if...?

