NSA Starts Contributing Low-Level Code to UEFI BIOS Alternative (tomshardware.com)
237 points by ItsTotallyOn on June 22, 2019 | 139 comments

I applaud moving away from UEFI, to something simpler and more transparent, and something not hostile from the start to open source.

I like how relatively simple my Coreboot systems are. The sooner that Coreboot can minimally initialize hardware and invoke an open source bootloader or Linux kernel payload directly, the better. (Bonus, if the kernel doesn't need legacy PC BIOS services.)

Regarding concerns raised in the article, I'd be more suspicious of closed microcode and firmware blob parts, than of open source parts. Many knowledgeable eyes on the open parts can help. Though, of course, open parts could, in theory, be crafted to provide affordances for naughtiness involving closed parts. I have mixed feelings about recent initiatives to push closed updates more widely and reliably, and look forward to more-open hardware.

I still think it's problematic, since it is in the vital interest of the NSA, and one of its core missions, to be able to penetrate endpoint security at that level. If they contribute to Coreboot, then that means either that they want to compromise the project or that their "tailored access" group already has enough other ways of comfortably breaking the security of any PC at a level that is low enough (to evade all user-level software, anti-virus vendors, etc.). Both possibilities are bad for international users, even if the second one is obviously more preferable.

It makes no sense for the NSA to assist making PCs secure for non-military use and for use by non-US citizens against their own attacks, because it contradicts their mission statements. The only other (not totally implausible) explanation is that different departments within the NSA are so disconnected from each other that they have started to work against each other.

> The only other (not totally implausible) explanation is that different departments within the NSA are so disconnected from each other that they have started to work against each other.

Not at all implausible; this was literally, and very deliberately, the case. There was offense -- SIGINT -- and there was defense -- the Information Assurance Directorate -- operating largely independently. Here's [the previous director, Mike Rogers, on the division][0]:

> This traditional approach we have where we created these two cylinders of excellence and then built walls of granite between them

As you can read in that article, though, the two halves were merged a few years ago in a reorg.


> vital interest of the NSA, and one of its core missions, to be able to penetrate endpoint security

It's also a core mission of the NSA to protect US networks from attack. If they're inserting backdoors in products used by US businesses, they're directly undermining their core mission.

> If they're inserting backdoors in products used by US businesses, they're directly undermining their core mission.

Which is not unheard of.

That's a myth or some weaker form of legislation. Their mandate is to secure, esp for COMSEC, defense organizations. They usually have contractors build the tech for that, esp Type 1. Non-defense can't buy it. They also publish hardening guides for all sorts of tech. Anyone can use those since almost all of those techs are insecure.

So, NSA has a massive mandate for stopping another 9/11 with surveillance but restricted one on defensive side mainly about securing defense organizations. That group recently downgraded its standards with Commercial Solutions for Classified or whatever it is.

You mean like the NIST ECC curves backdoored by the NSA?


What about PRISM? Protecting US networks is clearly not a part of their mission.

The NSA absolutely does have two, somewhat contradictory, missions; they're tasked with both offense and defense. One is "spying", or more formally "signals intelligence" a.k.a. SIGINT; the other is indeed "network defense". Until fairly recently it was in essence two organizations loosely joined administratively. You can read some more here: https://www.schneier.com/blog/archives/2016/02/nsa_reorganiz...

Do you even understand what PRISM was?

More info to better conform to the guidelines.

OP, your insinuation is that PRISM weakened US networks, but that is a misunderstanding of what the program actually did. Wikipedia:

>The actual collection process is done by the Data Intercept Technology Unit (DITU) of the FBI, which on behalf of the NSA sends the selectors to the US Internet service providers, which were previously served with a Section 702 Directive. Under this directive, the provider is legally obliged to hand over (to DITU) all communications to or from the selectors provided by the government.[38] DITU then sends these communications to NSA, where they are stored in various databases, depending on their type.

I personally think it's important to understand what types of surveillance our government is doing and not listen to FUD on what people think they are doing. In this case, there's no weakening of a network. The FBI provides a selector (email) to the service provider, and the provider uses their own systems to retrieve the data and send it back. The "direct line" that many people reference is to the database of selectors, so that FBI can push it directly to the provider.

Please don't post like this—it breaks the site guidelines.

If you know more, the best thing is to share some of what you know, so the rest of us can learn. A lot of people read these threads who are curious and open to good information.


I'm sure they have a much better system in place by now.

You can’t really avoid it anyway. How do you know a contributor isn’t secretly working for the NSA (or a foreign equivalent)? The only way to prevent backdoors is to inspect the code and keep it small and simple.

Does the same argument apply to SELinux? That the NSA can already compromise any version of the Linux kernel, or alternatively that the NSA has been fighting itself since the year 2000?

Does the NSA's endorsement of AES over 3DES mean that the NSA has had a backdoor in AES for decades? Does it make no sense to include actually-secure algorithms in Suite B?

> Does the same argument apply to SELinux? That the NSA can already compromise any version of the Linux kernel, or alternatively that the NSA has been fighting itself since the year 2000?

Definitely. As far as I can see (public civilian sources only), the NSA's Tailored Access division can compromise any off-the-shelf PC. Or at least, given that we know that they've had the ability to install persistent viruses in the firmware of consumer hard drives 10+ years ago, it seems plausible to assume that standard PC hardware is not secure against targeted attacks.

> Does the NSA's endorsement of AES over 3DES mean that the NSA has had a backdoor in AES for decades? Does it make no sense to include actually-secure algorithms in Suite B?

Of course not. That would be a silly assumption, since we know from the Snowden revelations that the NSA is primarily targeting endpoint security. They might be able to break certain implementations of stream ciphers or maybe even have working (algebraic?) attacks against certain block ciphers - they seem to build and use a lot of ASICs, presumably not just for cryptocoin mining -, but even if these attacks exist, it would be very speculative to assume that they are used routinely.

If I wanted to break into any Linux system, I'd first create a Trojan horse and ask the administrator to kindly install it. If that didn't work, I might compromise the router and hijack the system update mechanism (maybe using stolen certificates). If that didn't work, I'd become a package maintainer or major contributor and sneak in some backdoors obfuscated as programming errors. Or I could intercept the hardware and install my own firmware on the machines. And so on and so forth. Heck, even civilian companies overtly advertise that they can break into any computer, so why should the NSA not be capable of doing it?

No need to break cryptography if endpoints are insecure.

I can do all these things myself - compromise any standard off-the-shelf PC given physical access, add persistent viruses to the firmware of consumer hard drives given physical access, trick a sysadmin into installing something, become a package maintainer and add some backdoors, etc.

So I don't think any of what you've said says anything about the NSA's capabilities, and it certainly does not let us conclude that UEFI is compromised in some way beyond being typically installed on firmware that's not hardened against physical attack (which is also true of Coreboot, traditional BIOSes, and everything else).

I think the parent comment was attempting to address the NSA's _willingness_ to carry out these kinds of actions, not their capability to. There is documented evidence (in fact, this article mentions some known incidents) of the NSA _actually_ doing these things. That's what's different between any rogue, ethos-less malicious actor and them.

The NSA is not in charge of setting up and maintaining critical computer systems for US national security.

Contractors do that, according to DOD or DOE guidelines, which in turn means that these systems might end up using BIOS, coreboot, or something else.

The NSA itself might be using some of these systems, so it's in their interest to make them secure.

Actually, part of the NSA's mission statement is to secure things.

It's just that that part of the mission has taken a back seat to the offensive, tailored access parts for the past few decades; particularly after 9/11.

I remember reading somewhere a couple years ago that this was actually a bit of a point of consternation amongst the leadership back when Snowden leaked PRISM. My memory fails me however at remembering the exact article...


The NSA is also interested in the security of their hardware/software; it's a logical move.

Perfect comment. Thank you.

Basically at this point, (((which we have been talking about for literally decades [nobody ever even believed Echelon existed, six-degrees, PRISM, Stuxnet, Duqu, etc.... -- and this doesn't even take into consideration FB, GOOG, ATT, CARNIVORE, etc etc etc WHERE THE FUCK IS PALANTIR on HN???]))) one must accept that no matter what if you have a machine, They have you.

If you have a machine connected to internet, they have you.

>> Many knowledgeable eyes on the open parts can help

Well, that is the problem. No one (well, say very very few) does code reviews on their own -- they do not provide as many benefits as coding (learning and reputation wise). It's a bit like the problem in academic publishing: Replication trials are not prestigious enough, so they are done far too rarely, albeit they are very important.

There are companies out there, that will do it for money, and many great open source products have been reviewed that way. But I don't think this happens often enough.

>...they do not provide as much benefits as coding (learning and reputation wise).

I think that's because code reviews have changed from being a helpful form of preventing you from stubbing your toe to a "Why would you do this...? No0b..." kind of format.

If code reviews were weighted as equally beneficial to the code and as being approached as being beneficial to the growth of the developer making the change, then I could see it having much more benefit in learning; however, that would take a dynamic change in the general culture.

...but saying that code reviews don't provide as much learning benefit is to just infer that there's nothing that can be done about that when, in fact, there is. :)

I suspect that code openly contributed by the NSA will get quite a lot of scrutiny - more than average code contributions. For that reason, if they wanted to subvert something like this, I doubt they'd advertise the source of the contributions like this.

While that's a valid concern, the real question should be: despite that, is it more trustworthy than closed source or not?

LOTS of security companies do code reviews and are constantly looking for security holes in OSS; it is after all a huge feather in their cap and reputation boost to find holes and earn the big $$. Imagine if they were able to find a deliberate hole in NSA provided UEFI code.

> I applaud moving away from UEFI, to something simpler and more transparent, and something not hostile from the start to open source.

Coreboot is not an alternative to UEFI. You can make TianoCore builds that use Coreboot, even!

People in this thread are talking about how they wouldn't trust the NSA at all. I went to a presentation and talked with people from the NSA before and at face value they seemed like a silicon valley tech company. In their presentation they talked about how they were interested in open source, diversity, big data, artificial intelligence, and all the other buzzwords. They all seemed like they genuinely thought what they were doing was helping people. I know what they've done (and continue to do) but it's strange being able to attach a face to an action. You're more likely to believe them and buy what they are saying. I suppose the best thing to do is check over their code and accept it if everything looks good. They probably are being genuine.

As an extra piece of information that I found interesting, they were pushing the diversity stuff hard. Everyone that gave the presentation were women (and they weren't low level people), they had an African-American person that worked there talk about how inclusive it was, they talked about how they're super accepting of LGBTQ+ people, and on and on. The tech stuff was for like 5 minutes, then the rest was on diversity (at a tech presentation, looking for recruits). I'm not exaggerating.

Something to keep in mind is the fact that even (or especially) within agencies like the NSA, secret operations are kept secret from every staff member who doesn’t need to know about it for the op to succeed (higher-level people too).

Also, they know they have a public image problem since Snowden and are doing everything they can to change that.

It’s likely you can trust the individuals you saw to be nice people. But that doesn’t mean the agency as a whole can be trusted not to compromise the digital privacy and security of American citizens (not to mention citizens of other countries).

EDIT: As another commenter noted, the NSA is unfortunately a combination of red and blue teams within a single agency. So when you see positive signals that they’re working towards improving security, don’t believe for a moment that they aren’t working equally hard towards pwnage.

If this was before 2015, there's a chance the person giving the talk about inclusivity was my father-in-law; I know in the last few years of his career there he got involved in the push for diversity. He always talked very fondly of his career at the NSA.

I think in a lot of ways the NSA is a better workplace than any silicon valley tech company; you don't really have to worry about profitability, there's an enormous breadth of interesting work to be done, and you get to work with a lot of really talented people (I think the NSA is the largest employer of mathematicians in the US). Of course there are downsides too, like the low pay (set by Congress) and the constant drug tests and polygraphs.

Based on my discussions with him, I believe that the organization has two conflicting goals; to improve the IT security of the US and its allies, and to weaken the IT security of everyone else. And there are historical examples of the NSA doing both. But internally apparently there is a lot of debate about what the NSA should be doing, especially post Snowden. So yeah, I can believe that plenty of people at the NSA are deservedly proud of their work. Not everyone there is a cynical government drone working to undermine IT security globally. But of course when the NSA starts contributing to your project, you don't know which of their two goals they're working towards...

As an aside, my father-in-law is a very passionate mathematician, and in his retirement he just published a book on some interesting and approachable topics in mathematics that much of the HN crowd would probably find interesting: https://bookstore.ams.org/mcl-22/

If the polygraphs are anywhere close to as bad as some CIA/NSA/etc. personnel describe online (e.g. [1]), no amount of money or interesting work can get me to have myself violated like that.

[1] https://antipolygraph.org/statements/statement-038.shtml

I don't know anyone that works there, but there was this article in The Intercept a while back about how management has become more corporate. That was back in 2005/2006. https://theintercept.com/2018/08/15/nsa-sigint-curmudgeon-si...

Even though the NSA falls under Department of Defense, their stated mission is to collect and process global information so more or less it is functioning very similarly to a human brain, providing intelligence and guidance not only in the security area, but it's also influencing all American domestic and international policies.

Even back in 2010, the NSA was already collecting over 1.7 billion communication records every day. As far as I know, that amount probably doubles every couple of years, so just imagine the enormous size of data that they have to process. It's no wonder the NSA is the only single entity in the world that owns gigantic centers of supercomputers. Without AI technologies their information analysis mission would be nearly impossible, so it just makes perfect sense the NSA is after those technologies. Honestly I would be surprised if they don't already own quantum computing power.

In addition to low-level firmware codes, I imagine for all those 1.7 billion records of data to be routed back to the NSA every day without a trace, completely invisible to the rest of the world, it must have required another hidden layer of network protocol beyond the current OSI model that we have. The low-level firmware codes must work in sync and convert data following the model of this hidden network protocol for it to transfer away successfully without being detected.

For it to operate effectively, the NSA must be miles ahead of any Silicon Valley company. Their work is truly astonishing no matter how you look at it.

I'm not sure about the NSA but I know that plenty of employers of that kind would frown upon having their personnel (or ex personnel) identified like that without their consent.

You're right of course. With Mel I know he's very forthright about his career in the NSA, so I figured it would be alright. I just confirmed with him too, just to make sure.

So all of this makes what they actually do as a living okay? You know, dragnet surveillance, physically wiretapping Google's internal network, backdooring encryption, etc.? Since when are we trusting the face value of anything somebody at the NSA says? Where's the skepticism gone from the Snowden days? Like, these people aren't our friends. Any code contributions from organisations like this, which do not have our best interests at heart and at worst actively attempt to subvert efforts at hardening encryption and other security efforts, need to be combed over with a fine-tooth comb.

Hell, as a European, the NSA is very clearly the enemy. Their goal is to protect US citizens, maybe, with very unconstitutional methods. They have little to no interest in the privacy or legal rights of people outside of the US, and yet have an unimaginable global reach.

The fact that they’re not committing their changes under a pseudonym or front company suggests that they’re okay with the world knowing about what they’re up to. Same with their reverse-engineering toolkit.

What Snowden publicized was, for the most part, completely hidden from the view of society. The NSA wasn’t coming to tech conferences announcing their new surveillance tools.

Don’t think that the new parts of Coreboot won’t attract scrutiny from security-conscious companies and individuals.

> The fact that they’re not committing their changes under a pseudonym or front company suggests that they’re okay with the world knowing about what they’re up to.

They are not committing their most secretive and effective tools on GitHub for Christ's sake.

What Snowden released had several previously public benign components.

It can be a "defensive" move from NSA though, they have other ways to "attack"...

No, it doesn’t, but I haven’t heard anyone claim that.

Basically, the coolest job ever.

Are they breaking any laws?

They've likely broken many laws, but we'll never hear about it, much like the CIA.

I think a comparison to tech companies is quite apt - there are people at Facebook, Palantir, Oracle, Microsoft, Google, Amazon, etc. who are quite genuine about doing some open-source stuff to improve the world, but for each of those companies you will find plenty of people who quite earnestly believe the company's wider mission will hurt the world. Do you accept network stack acceleration patches from Facebook if they'll accelerate mining personal data? Do you applaud improved V8 performance if it drives people from local apps onto monitored and monetized webapps? etc.

I think it makes sense to be cautious about all of these. I don't think the NSA is an abnormal risk to society, compared to the other major OSS contributors out there.

> they were interested in open source, diversity, big data, artificial intelligence, and all the other buzzwords

I'm sure they were. Being interested in modern technology doesn't imply anything about someone's intentions.

> They all seemed like they genuinely thought what they were doing was helping people.

I've known and worked with several people that used to work at the NSA. I have no doubt at all that they believed they were doing important, helpful work. For many people, most of the time, that was probably true. However, even the best intentioned person will have a hard time actually verifying that speculation; by definition, someone who believed that the NSA's work was good/helpful probably also believes it's important to respect compartmentalization and not ask too many questions about things they don't need to know.

However, this is expected, because it's what most people believe about themselves. As Quark explained[1] about his own motivations as a smuggler, "No one involved in an extra-legal activity thinks of himself as nefarious. I'm a businessman, okay?"

> they were pushing the diversity stuff hard

I saw the same pro-diversity effort at the DOE. I wouldn't be surprised to see similar efforts throughout the public sector. None of this says anything related to the NSA's trustworthiness.

[1] DS9 s06e25 "The Sound of Her Voice"

It's a military agency whose stated mission goal (among others) is to be able to compromise any military or civil information processing system used by non-US citizens.

You're a bit gullible if you think that the nice folks from the NSA you meet have any say in what their agency does with the technology and projects they are involved in. I'm sure this aspect of it is one of the more frustrating parts of working for the NSA, especially right now, but it's also fair to say that they probably know what they signed up for.

Not sure how diversity is related to the potential conflict of interest of NSA work...

More diversity means more chance of another Snowden. People are more likely to take risks to protect people similar to themselves, and more diversity increases the chances that the NSA is harming people similar to their own employees.

Are you implying Snowden is a woman/African American/LGBT or an advocate for these groups?

No. People do not only help people similar to themselves. I'm just talking about probabilities.

> I went to a presentation and talked with people from the NSA before and at face value they seemed like a silicon valley tech company.

Why is that a reason to trust them?

> They all seemed like they genuinely thought what they were doing was helping people.

The worst people in history all thought they were doing good too.

> As an extra piece of information that I found interesting, they were pushing the diversity stuff hard

Diversity at the NSA doesn't factor whatsoever into whether I trust them or not. The damage they've done to secure communications and their cavalier attitude to dragnet surveillance is all I need to know about them.

Don't buy into the PR bullshit.

The NSA is a huge place, you saw only a small segment. Their primary role is to spy on US and international citizens and make sure that nothing diabolical is going on. PRISM (and other programs revealed by Snowden) showed that they have no qualms about violating the Constitution and privacy rights of citizens in pursuit of their job. I am sure there are lots of good people at the NSA just working 9 to 5 feeding their families, however don't overlook that their job is to spy on anything and everything that is going across the internet in order to look for threats to the country, whether it is constitutional or not.

> they seemed like a silicon valley tech company.

Yeah I don't trust them...

Talk to people who worked at the NSA 15 years ago and their opinions of what is happening now.

If they trust you enough the truth is interesting.

Of course, that's the image they would love to present. And of course, why would they even have the actual people in the know making these presentations?

And it is very natural they'd be interested in Big Data and Artificial Intelligence. Even a fool could understand why.

Don't drink the kool-aid. ...they probably have a bunch of LGBT African-American women whose sole job it is to be visible.

The NSA is one of the few companies legally allowed to do stuff like only hire you if you're a U.S. citizen and even say so in their job advertisements, and keep you out of certain kinds of roles (the ones where the real action is, probably), without being held to transparency standards and nondiscrimination laws that would apply to private corporates. They can always cite undisclosed nonspecific security concerns rather than having to say "We didn't allow that person into that role because it isn't a middle-aged white guy".

I'm 19. I've never been a fan of the NSA, my bad I should have been more clear with what I meant. At least I got a cool notepad https://i.imgur.com/yu103Lg.jpg

When I was in college I used to have positive sentiments towards college recruiting events too. It made me feel very special to think that these organizations wanted to engage in a dialogue of sorts and be in business with me and my fellow students. Now (15 years later), I realize that these people are basically actors in a live-action TV advertising spot and no more credible than one either.

The core is usually HR-people who do these kinds of events as a full-time gig. They are usually very much out of touch with the rest of their organization because they do indeed spend all their time talking to students, and almost no time engaged in whatever business their organization is actually engaged in. To spice things up, they throw in one or two "real" employees. The reason they come is because there will be an HR policy whereby an employee is encouraged to spend one day per year on an activity like that to tick a box for their next promotion, so they grudgingly go there, but still secretly think of it as a waste of time. They still play their role though in the live-action TV advertising spot and put on a friendly face.

My own experience is that I was quite entrepreneurially-minded when I was in college. I wanted to be in business with a lot of organizations, just not as an employee. I used to go to all these events, hoping that they can put me in touch with people who do certain things, know certain things, get to decide certain things, etc. etc. I would always hit a brick wall. Because the people at the recruiting fair are there solely to get you to interview for the internship program or whatever. If you approach them with any other kind of request, the HR-people are neither incentivized to, nor, in most cases, able to accommodate you. For the real employees (the guy doing his one-day-a-year-stint), you as a college student, are not worth actually investing time into, so they won't do anything for you either.

In other words: Their presence at the recruitment event is not the presence of a human being that wants to engage with you on a human level, nor the presence of an organization that wants to be in business with you, but rather the presence of a robot who can accept your application for the internship program and who is not programmed for any other kind of interaction with you.

You don't need to take my word for it, either. You can easily put it to the test.

Next time you go to one of these events, bring a pencil and say: "I will happily interview for your internship program, but as a sign that you are SERIOUS about wanting to engage in a business relationship with me, I would like you to use company money to buy this pencil from me for 50 cents".

Witnessing what happens next will hopefully rid you of feeling special. -- I can assure you, you won't sell a single pencil. If you do: That's the company you should work for.

I'm not in college, I live as a digital nomad in Eastern Europe. My parents wanted me to go down the traditional path so they made me talk to various companies/agencies to make sure I didn't want to get a normal job and go to school before I left. Your post made me even more glad I didn't go down the traditional path though.

Don't all federal government jobs generally require US citizenship?

Oh, cool. I really enjoy coreboot in principle, but I wish more systems supported it. None of my daily drivers are running Coreboot, as of today. I’m pretty inept when it comes to low level stuff, but I’ve been playing around trying to port Coreboot to an unsupported laptop board. It’s probably futile, but it was pretty exciting seeing some serial output for the first time.

From lurking around, one of the more surprising things I’ve found is that DDR RAM initialization seems to be the single most difficult aspect of the whole boot process, or at least on typical PC platforms. Not to say everything else isn’t also difficult; the debugging tools available to the general public for firmware are fairly rudimentary.

There was a story a few years ago about "Intel Boot Guard" making it impossible to install things like Coreboot. I don't know if that was ever resolved.

That's not strictly true. In my view, Boot Guard is sort of like a locked bootloader. In Boot Guard, the CPU verifies a signature on system firmware before loading it. The signature is verified using a public key from the platform manufacturer. So under the Boot Guard regime, the platform manufacturer essentially gets a vote in whether your platform can run modified firmware level code. Or you find a jailbreak.

OK, in that case I'd be very interested to know which motherboard manufacturers are friendly to installation of replacement firmware and which not.

coreboot.org links to libreboot.org, but the list of supported hardware is pretty short: https://libreboot.org/docs/hardware/

I think Purism might be amenable. Worth double checking with them.

They don't even use Intel CPUs, it seems. Boutique vendors would be out of my price range, and the few boards supported by Libreboot seem to be circa 2009 models, presumably preceding Boot Guard. I doubt that it's something I'll be using any time soon.

It is the job of journalists to ask these controversial questions about NSA's role as a saboteur vs contributing in good faith to really improve the security of systems. So, nothing wrong with that. Healthy skepticism and all that.

In my experience, when closed source research teams start to contribute to well-run open-source projects there can be valuable contributions.

But it highly depends on having independent and technically competent maintainers with strong personalities who are not easily manipulated into accepting patches that they don't understand or violate their technical principles.

I hope the Coreboot people are extremely careful about this. Accepting code from a giant agency with the goal of making everyone less safe is very dangerous.

It could also be the NSA does not trust proprietary firmware for similar reasons people are working on open source firmware to begin with.

The problem is NSA really only knows their motives.

The other problem with the NSA is that they have two goals. One is to protect the US and US entities' security and the other is to subvert foreign entities. If they start publicly recommending coreboot for what they deem sensitive installations then their intentions are obviously not malicious. Problem is the NSA may never publicly specify that it's for sensitive installations and may only ever be an internal guideline.

Their MO seems to be to improve the overall IT security of the nation such that it's less vulnerable to less sophisticated actors but still vulnerable to them.

This is likely tacit recognition that UEFI is such a dumpster fire that it's not only vulnerable to them.

"Their MO seems to be to improve the overall IT security of the nation such that it's less vulnerable to less sophisticated actors but still vulnerable to them."

That's exactly what they do. How they rate and evaluate their high-security products (Type 1 or EAL6+) vs majority of market (EAL4 or less) under Common Criteria corroborates your claim. EAL4, which Linux and others top out at, says it's only trusted to stop "casual or inadvertent attempts to breach security." Anything prolonged or well-funded will breach it.

I've seen this play out a few times recently in NIST standards/"guidelines" or other protocols since Dual_EC_DRBG and have the opinion that there's two very opposed competing forces within not just the NSA but other agencies in general. There's plenty of publicly employed individuals who work hard to secure stuff properly, it's their entire remit. While I disagree with the pervasive surveillance state the west is creating for itself, this is not a terrible situation to have and I wish those fighting the good fight all the best.

It's for the rest of us to work out who is who though! Cryptographers seem to be suitably aware though.

> While I disagree with the pervasive surveillance state the west is creating for itself...

The West? Really?

I think you're overlooking the elephant in the room, who just happens to be Chinese and is concerned about his "social credit".

China is a dictatorship. I expect dictatorships to be evil. I hope democracies can do better.

It's possible to be concerned about both, and I am. But this discussion is about the NSA and their activities.

It's worth noting that it's even worse than that - some of the NSA employees contributing might not be aware of the motives involved if any are concealed.

From what I have read of how compartmentalized that organization is; could be no ill intent exists for now. Later however, the knowledge they gain could be used for a different purpose.

> no ill intent exists for now. Later however, the knowledge they gain

The thing is, if there's no ill intent now, there shouldn't be any backdoor to allow them to have any sort of special knowledge later. Unless you mean familiarity with the codebase in general. If they however do insert a backdoor, even without using it for anything now, "just in case", then that in itself is ill intent.

I do mean familiarity. Also, there are connections with other people in the project.

> If they start publicly recommending coreboot for what they deem sensitive installations then their intentions are obviously not malicious.

How can you know that? If they actually did install a backdoor into coreboot, they'd obviously just patch it out of their own installations.

Other government agencies likely use NSA recommendations. If the NSA is recommending software that they have a backdoor to, then that would cause some major problems if it came out.

I imagine senators would not like finding that they've been subject to that.

You don’t even need to get this speculative. All of the standards that both private and public sector systems must comply with are publicly available. I’ve worked with FedRAMP service providers that handle varying levels of sensitive government information, they comply with the same NIST standards that you and I can download from their website. The NSA is mandated to inform large portions of those standards under their Information Assurance mission. If the NSA is tricking you and I into using compromised crypto, then they are also forcing huge amounts of federal systems to do the same.

Operation BULLRUN said they were both backdooring systems and weakening standards to ensure they could get in. There's also been attacks facilitated by their activities. Thanks to Snowden, we don't have to speculate: NSA, FBI, and CIA are enemies of the state if our cybersecurity is concerned. They must always be assumed hostile.

One exception I make is defense contractors that take money from them to build OSS tech. In that case, one can just scrutinize the tech itself. Most of the positive contributions in this area come from Galois Inc. Cryptol language is an example. On proprietary side, Rockwell Collins SHADE toolkit and AAMP7G CPU were likely NSA-funded to large degree.

On the contrary, the NSA's motives are clear and transparent. Try to make the system secure against anyone else and breakable by us.

The NSA's track record here is mixed, so I'm not sure how to feel. They actually improved the design of DES.

> Bruce Schneier observed that "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."

I got curious and found the post you were referring to (https://www.schneier.com/blog/archives/2004/10/the_legacy_of...). They tweaked the algorithm, and that tweak turned out to make it more secure; they also cut the key size by more than half, making sure they could brute force it. That doesn't exactly scream benevolence.

All they did was make sure breakable-by-them encryption was in use much longer than it should have been. I'd hardly call it a mixed track record.

> However, the NSA also ensured that the key size was drastically reduced such that they could break it by brute force attack.


The same was said of selinux. I think perhaps the NSA is slightly more complicated with more complex goals than you describe.

Are people really so quick to forget?


Their goals are at the very least nationalist.

As a non US citizen why should I trust them at all?

Their main directive erodes my privacy on most levels in most senses of the words.

All I said is that they may have complex goals, while pointing out selinux was also contributed primarily by them. I take it that means your position is that they only contribute code for the purpose of exploiting people for national security, and selinux is also suspect?

I mean, being primarily contributed by the NSA is a great reason to not use SELinux, especially if you're outside of the US. AppArmor exists and does a lot of the same job, so why not use the safer option?

The chief problem with AppArmor is that its primary mechanism of identifying objects in the system (to which relevant policy rules are applied) relies on paths. In Linux, paths are not usable as strong identifiers because Linux provides a variety of ways to alias those objects. Additionally, some objects that deserve scrutiny from a mandatory access control perspective don't map cleanly to paths.
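The aliasing problem described in the comment above, as an added example that is not part of the thread and is not AppArmor or SELinux code: a toy path-keyed deny rule is compared with a rule keyed on the underlying object. The policy functions, the file names and the use of (device, inode) as a stand-in for an object label are all assumptions made for illustration.

```python
import os
import tempfile

def path_policy_denies(path, denied_paths):
    """Toy path-keyed rule (hypothetical): deny if the symlink-resolved path is listed."""
    return os.path.realpath(path) in denied_paths

def object_id(path):
    """Identity of the underlying object: (device, inode), following symlinks."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def object_policy_denies(path, denied_objects):
    """Toy object-keyed rule (hypothetical): deny if the object itself is listed."""
    return object_id(path) in denied_objects

def find_aliases(root, protected_path):
    """Audit helper: every name under root that reaches the protected object."""
    target = object_id(protected_path)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = os.path.join(dirpath, name)
            try:
                if object_id(candidate) == target:
                    hits.append(candidate)
            except OSError:
                continue  # dangling symlink or file removed mid-scan
    return sorted(hits)

def demo():
    """Build a constructed tree with one protected file and two aliases of it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        protected = os.path.join(root, "etc", "secret.conf")
        os.makedirs(os.path.dirname(protected))
        os.makedirs(os.path.join(root, "tmp"))
        with open(protected, "w") as fh:
            fh.write("constructed sample data\n")
        sym = os.path.join(root, "tmp", "sym")
        hard = os.path.join(root, "tmp", "hard")
        os.symlink(protected, sym)   # alias that realpath() can resolve
        os.link(protected, hard)     # second name for the same inode

        denied_paths = {protected}
        denied_objects = {object_id(protected)}
        decisions = {}
        for label, p in (("original", protected), ("symlink", sym), ("hardlink", hard)):
            decisions[label] = (path_policy_denies(p, denied_paths),
                                object_policy_denies(p, denied_objects))
        aliases = [os.path.relpath(p, root) for p in find_aliases(root, protected)]
        return decisions, aliases

if __name__ == "__main__":
    decisions, aliases = demo()
    for label, (by_path, by_object) in decisions.items():
        print(f"{label:9s} path rule denies={by_path}  object rule denies={by_object}")
    print("names reaching the protected object:", aliases)
```

Resolving symlinks is enough to catch the symlink alias, but the hard link is a genuinely different path to the same object, so only the object-keyed rule treats all three names alike.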

They're a spy agency, they're presumably capable of not signing their work.

Their two missions are Signals Intelligence and Information Assurance. The contributions they make to security technology and standards are going to be equally as effective no matter what country you’re a citizen of. If you think the work they release is motivated by an intention to compromise your security, then you must also believe they are trying to do the same thing to the US federal government. A goal which hardly seems very nationalist.

Did you already forget how long they knew of EternalBlue instead of immediately forcing patches?

Both of those missions are at odds with improving security. Try harder.

Information Assurance is not at odds with improving security. It is literally the NSA's mandate to improve the security of the federal government (and other US entities).

You’re making an assumption that in order to gather signals intelligence, that they need to trick people into using compromised cryptography.

A fact that is not in dispute is that huge portions of the US federal government implement NSA recommendations and standards. For your assumption to be true, the NSA must be intentionally weakening federal systems. Nothing about that seems nationalistic to me.

Has that changed? A decade ago when I looked at their charter they were supposed to strengthen security; not weaken it.

lmao at trusting their "charters" to gauge their real aims

If there's a concern about that, then maybe some other governments should be paying people to be intimately involved with projects like Coreboot, Linux, GNU, open hardware, etc. -- such that those people are spending enough time that they can understand and keep an eye on things, as well as furthering the projects with their more conventional contributions.

(I know Coreboot has had at least a few people who seem to be activists or enthusiasts who are not potentially beholden to anyone, but people getting paid can afford to spend much more time on projects than volunteers can.)

I won’t be an NSA apologist because in the last 20 years they have in fact made everyone less safe with their undermining of open standards.

But for the purpose of accuracy it should be pointed out that one of the two missions of the NSA is to safeguard American commerce, which they did for many decades prior (see: DES, selinux, etc.).

I hate it when news outlets assume readers don't know what they are talking about and use analogies like "UEFI BIOS Alternative" without mentioning the actual thing on the title ("Coreboot").

Especially when it's flat out wrong. Coreboot is low level init code that launches a payload. Which can be TianoCore EDK2 or SeaBIOS.

This isn't a bad thing. I had no idea what coreboot was and wouldn't have clicked on the link. They're appealing to a broader audience without being clickbaity.

> I hate it when news outlets assume readers don't know what they are talking about

How about don’t know what they’re writing about?

I sure as hell have never heard about “Windows UEFI” before.

I wouldn't trust NSA with a "hello world" program. The way they might phrase it could trigger a hidden feature in the linker which in turn could trigger hidden instructions in the CPU, making the 3-line program a backdoor into your system.

You better avoid the Linux kernel then as the NSA have contributed a lot more than 3 lines.

I hate to break it to you, but NSA's hello world program is line by line identical with the others you have seen. How did they infiltrate us so badly! It's a scary day for anyone running mission critical hello world programs in production.

Brings the concerns that seem to have been forgotten about the strange CPU behavior with their preferred version with elliptical curve

Could you imagine the shitstorm if Coreboot was accepting code from a Chinese intelligence agency? I'm American myself and am glad NSA is on my side. But they've proven themselves time and time again to be completely untrustworthy when it comes to securing our computer systems.

"glad NSA is on my side", you are 100% sure about this?

maybe they also have nothing to hide /s

I applaud this and I think the coreboot team is good enough to be critical and diligent about patches they will receive.

This is great news - not only will competent NSA hackers improve Coreboot, but their participation will usher in even more scrutiny and review of the code. This is a win for everyone.

In reading the discussion here, I'd like to bring up an error that the News Media typically makes when discussing large groups of people... That is, they implicitly or explicitly judge large groups of people -- most notably other countries / other nationalities -- by the actions of the few.

Applied to a group, in this case the NSA, I don't believe that they should be judged by the actions of a few of their members... I am sure there are both socially positive and socially negative actors in the group (and everybody in between), thus it is disingenuous to judge the group in either direction...

Me, I'm completely neutral about the NSA, with one exception, and that is that I feel that companies should NEVER be exposed to secret NSL's... either make those communications a part of the public record for congressional and other legal/legislative oversight, or don't send them in the first place!

But that's not the people of the NSA, whom I hold harmless... That's part of the mission of the NSA, and well, mere mortal citizens are probably not going to change that anytime soon...

If anyone really wants a secure computer, build yourself a VAX-11/780 out of transistors, and write the operating system too... (If I ever did, I'd put on a few of my super-secret cooking recipes ("Mmm, however did you get those BBQ ribs to taste so good? It's a secret!") along with a note "If you got this message, you are definitely elite, and please don't delete my BBQ sauce recipe!").

Try and get that with no RF link in the electronics... I double dare you...<g>

In the meantime, back up your files, and audit your communications regularly for anything you wouldn't want on the news 24/7... <g>

But the NSA? Not evil...

>Try and get that with no RF link in the electronics... I double dare you...<g>

Build my GPL3'd Signals Intelligence device, and you can audit it :)


Didn't know that that existed... Looks really nice!!!

(Although, technically, to be really secure, you'd have to audit the entire RF spectrum AND lower frequency wavelengths, i.e., ultrasonic AND have to figure out what to do with signals that are intermittent and/or frequency hop!!! Then of course you have the power supply lines and the ability to send super-low frequency signals via all of that... In other words, you'd have to audit all wave frequencies from all connected devices, simultaneously, and keep in mind such possibilities as frequency hopping, and intermittent periods of silence... like if someone really wanted to be stealthy, they could send something like 1 byte per hour... and that hour is randomized, so it's actually a random interval between 50 and 70 minutes... and/or hide that in random radio noise... the possibilities are endless... <g> (This is why I leave security to the security people and just assume that no information is private anymore...))

But, all of that being said, your link looks really nice, and I didn't know that existed before! It looks cool and worthy of experimentation!

A public STM implementation has long been needed.

In 2009, ITL/Qubes wrote about DRTM (Intel TXT, AMD SKINIT) and STM, https://invisiblethingslab.com/resources/bh09dc/Attacking%20... & https://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rut...

> The late launch ... promises to effectively provide all the benefits of a computer restart without actually restarting it. It is hard to overemphasize the potential impact that a technology such as TXT could have on computer security ... We describe a practical attack that is capable of bypassing the TXT's trusted boot process ... As part of the attack we also discuss practical attacks on SMM memory ... Intel's remedy to malicious SMM handler is called STM, which stands for SMM Transfer Monitor. The purpose of STM is to sandbox the existing SMM handler by virtualizing it using VT-x and VT-d technologies. STM should be thought of as of a peer hypervisor to the VMM that is being loaded using late launch. STM is supposed to be measured during the late launch process ... no STM, as of today, is unfortunately available on the market, which yields our attack applicable to all current systems. One aim of our research ... is to stimulate developers to create an STM.

The May 2019 version of Windows 10 added support ("SystemGuard") for DRTM-enabled hardware that could benefit from an STM, https://www.microsoft.com/security/blog/2018/04/19/introduci... & https://www.platformsecuritysummit.com/2018/references/#syst...

In 2018, NSA gave a presentation on their STM work, https://www.platformsecuritysummit.com/2018/speaker/myers/

> We describe our work to demonstrate an enhanced SMI transfer monitor (STM) to provide protected execution services on the x86 platform ... Our STM enhancements create a protected execution capability by extending the STM to support additional VMs (PE/VM)

From a coreboot developer, https://twitter.com/_zaolin_/status/1055474061428572162?s=21

> We are currently implementing @intel #TXT and #SRTM measured boot support as part of Google's verified boot which can be used on all supported platforms in @coreboot_org

When I read the headline, my brain first parsed it as a scandal breaking, then I read the article and found that it was not that. I just hope the open source community will be very serious about auditing that code and not accept any blobs coming from people affiliated with the NSA.

Your brain was correct...something like 5 years before correct. I bet in 5 years this will be a scandal breaking because whatever NSA code gets adopted, it will be unveiled later as a backdoor.

If the NSA wanted to add a backdoor, they would likely not do it in a patch openly contributed by them.

It's probably more subtle than that: coreboot is a hodgepodge of open source aspects and oblique blobs that contain god knows what. That's why libreboot exists (shares a lot of coreboot code but doesn't allow blobs). If the NSA wants to do some dirt, then the dirt will probably go into the blobs and/or happen as a result of how the open source code interacts with the blobs in ways that are not obvious to anyone who doesn't know what's in the blobs. So I can see how getting some influence in the coreboot community would be of strategic value to them to implement schemes to weaken IT security for whoever they want to weaken it for.

I was setting up Windows servers 15 years ago, the company was chuffed to be using special secure NSA tweaked versions of the OS, which was nice of them...

Terrific! About time we had some people with proper technical expertise contributing to our everyday systems. #Taxpayer dollars put to use

If Govts around the world want to really secure their IT systems, then just remove the laws that get hackers into trouble for hacking Govt systems. Still keep the law for non-Govt systems or for changing anything on a govt system and then the Govt can sit back and enjoy free pen testing.

Keep proven bad actors and miscreants, be it government or large tech, out of establishing standards.

What could possibly go wrong.

timeo danaos et dona ferentes

LOL! Trusting NSA for UEFI code is like.... I hope cryptographers and hackers better than what NSA has go through that code with a fine toothed comb.

The title is pretty shitty but you should at least click through before making a comment.

This is a contribution to Coreboot, which is an alternative to UEFI/BIOS.

As much as I dislike US government agencies in general, I think this time they have good motive to provide good code. Undermining this code would also undermine the systems of other government agencies.

In this case, I trust the NSA more than random contributors on the internet that have less known motives and may in many cases be agents of foreign spy agencies.

>The title is pretty shitty but you should at least click through before making a comment.

Something, something, site guidelines about suggesting the commenter didn't RTFA.

>I trust the NSA more than random contributors on the internet that have less known motives and may in many cases be agents of foreign spy agencies.

To be fair, I think that you stated the OC's point and failed to recognise it:

Your domestic spy agency is another's foreign spy agency. Why should they trust yours over theirs? Both have (presumably) equally less-known motives, yeah?

For non-americans, NSA is a "foreign spy agency"...

And "illegal combatant"

Coreboot is NOT a UEFI alternative. Unless you want to regress computing to closed platforms (it can be open source and closed platform).

Coreboot is what you can run before a UEFI implementation, they aren't mutually exclusive.

My wish is a good open source UEFI implementation running on top of tight coreboot setup, that goes all out on the security features.
