I like how relatively simple my Coreboot systems are. The sooner that Coreboot can minimally initialize hardware and invoke an open source bootloader or Linux kernel payload directly, the better. (Bonus, if the kernel doesn't need legacy PC BIOS services.)
Regarding concerns raised in the article, I'd be more suspicious of closed microcode and firmware blob parts, than of open source parts. Many knowledgeable eyes on the open parts can help. Though, of course, open parts could, in theory, be crafted to provide affordances for naughtiness involving closed parts. I have mixed feelings about recent initiatives to push closed updates more widely and reliably, and look forward to more-open hardware.
It makes no sense for the NSA to assist making PCs secure for non-military use and for use by non-US citizens against their own attacks, because it contradicts their mission statements. The only other (not totally implausible) explanation is that different departments within the NSA are so disconnected from each other that they have started to work against each other.
Not at all implausible; this was literally, and very deliberately, the case. There was offense -- SIGINT -- and there was defense -- the Information Assurance Directorate -- operating largely independently. Here's [the previous director, Mike Rogers, on the division]:
> This traditional approach we have where we created these two cylinders of excellence and then built walls of granite between them
As you can read in that article, though, the two halves were merged a few years ago in a reorg.
It's also a core mission of the NSA to protect US networks from attack. If they're inserting backdoors in products used by US businesses, they're directly undermining their core mission.
Which is not unheard of.
So, NSA has a massive mandate for stopping another 9/11 with surveillance but restricted one on defensive side mainly about securing defense organizations. That group recently downgraded its standards with Commercial Solutions for Classified or whatever it is.
OP, your insinuation is that PRISM weakened US networks, but that is a misunderstanding of what the program actually did. Wikipedia:
>The actual collection process is done by the Data Intercept Technology Unit (DITU) of the FBI, which on behalf of the NSA sends the selectors to the US Internet service providers, which were previously served with a Section 702 Directive. Under this directive, the provider is legally obliged to hand over (to DITU) all communications to or from the selectors provided by the government. DITU then sends these communications to NSA, where they are stored in various databases, depending on their type.
I personally think it's important to understand what types of surveillance our government is doing and not listen to FUD on what people think they are doing. In this case, there's no weakening of a network. The FBI provides a selector (email) to the service provider, and the provider uses their own systems to retrieve the data and send it back. The "direct line" that many people reference is to the database of selectors, so that FBI can push it directly to the provider.
If you know more, the best thing is to share some of what you know, so the rest of us can learn. A lot of people read these threads who are curious and open to good information.
Does the NSA's endorsement of AES over 3DES mean that the NSA has had a backdoor in AES for decades? Does it make no sense to include actually-secure algorithms in Suite B?
Definitely. As far as I can see (public civilian sources only), the NSA's Tailored Access division can compromise any off-the-shelf PC. Or at least, given that we know that they've had the ability to install persistent viruses in the firmware of consumer hard drives 10+ years ago, it seems plausible to assume that standard PC hardware is not secure against targeted attacks.
> Does the NSA's endorsement of AES over 3DES mean that the NSA has had a backdoor in AES for decades? Does it make no sense to include actually-secure algorithms in Suite B?
Of course not. That would be a silly assumption, since we know from the Snowden revelations that the NSA is primarily targeting endpoint security. They might be able to break certain implementations of stream ciphers or maybe even have working (algebraic?) attacks against certain block ciphers - they seem to build and use a lot of ASICs, presumably not just for cryptocoin mining -, but even if these attacks exist, it would be very speculative to assume that they are used routinely.
If I wanted to break into any Linux system, I'd first create a Trojan horse and ask the administrator to kindly install it. If that didn't work, I might compromise the router and hijack the system update mechanism (maybe using stolen certificates). If that didn't work, I'd become a package maintainer or major contributor and sneak in some backdoors obfuscated as programming errors. Or I could intercept the hardware and install my own firmware on the machines. And so on and so forth. Heck, even civilian companies overtly advertise that they can break into any computer, so why should the NSA not be capable of doing it?
No need to break cryptography if endpoints are insecure.
So I don't think any of what you've said says anything about the NSA's capabilities, and it certainly does not let us conclude that UEFI is compromised in some way beyond being typically installed on firmware that's not hardened against physical attack (which is also true of Coreboot, traditional BIOSes, and everything else).
Contractors do that, according to DOD or DOE guidelines, which in turn means that these systems might end up using BIOS, coreboot, or something else.
The NSA itself might be using some of these systems, so its in their interest to make them secure.
It's just that that part of the mission has taken a back seat to the offensive, tailored access parts for the past few decades; particularly after 9/11.
I remember reading somewhere a couple years ago that this was actually a bit of a point of consternation amongst the leadership back when Snowden leaked PRISM. My memory fails me however at remembering the exact article...
Basically at this point, (((which we have been talking abt for literally decades [nobody ever even believed Echelon existed, six-degrees, PRISM, Stuxnet, Duqu, etc.... -- and this doesnt even take into consideration FB, GOOG, ATT, CARNIVORE, etc etc etc WHERE THE FUCK IS PALANTIR on HN???]))) one must accept that no matter what if you have a machine, They have you.
Well, that is the problem. No one (well, say very very few) do code reviews on their own -- they do not provide as much benefits as coding (learning and reputation wise). Its a bit like the problem in academic publishing: Replication trials are not prestigious enough, so they are done far to rarely, albeit they are very important.
There are companies out there, that will do it for money, and many great open source products have been reviewed that way. But I don't think this happens often enough.
I think that's because code reviews have changed from being helpful form of preventing you from stubbing yourself on your toe to, "Why would you do this...? No0b..." kind of format.
If code reviews were weighted as equally beneficial to the code and as being approached as being beneficial to the growth of the developer making the change, then I could see it having much more benefit in learning; however, that would take a dynamic change in the general culture.
...but saying that code reviews don't provide as much learning benefit is to just infer that there's nothing that can be done about that when, in fact, there is. :)
Coreboot is not an alternative to UEFI. You can make TianoCore builds that use Coreboot, even!
As a an extra piece of information that I found interesting, they were pushing the diversity stuff hard. Everyone that gave the presentation were women (and they weren't low level people), they had an African-American person that worked there talk about how inclusive it was, they talked about how they're super accepting of LGBTQ+ people, and on and on. The tech stuff was for like 5 minutes, then the rest was on diversity (at a tech presentation, looking for recruits). I'm not exaggerating.
Also, they know they have a public image problem since Snowden and are doing everything they can to change that.
It’s likely you can trust the individuals you saw to be nice people. But that doesn’t mean the agency as a whole can be trusted not to compromise the digital privacy and security of American citizens (not to mention citizens of other countries).
EDIT: As another commenter noted, the NSA is unfortunately a combination of red and blue teams within a single agency. So when you see positive signals that they’re working towards improving security, don’t believe for a moment that they aren’t working equally hard towards pwnage.
I think in a lot of ways the NSA is a better workplace than any silicon valley tech company; you don't really have to worry about profitability, there's an enormous breadth of interesting work to be done, and you get to work with a lot of really talented people (I think the NSA is the largest employer of mathematicians in the US). Of course there are downsides too, like the low pay (set by Congress) and the constant drug tests and polygraphs.
Based on my discussions with him, I believe that the organization has two conflicting goals; to improve the IT security of the US and its allies, and to weaken the IT security of everyone else. And there are historical examples of the NSA doing both. But internally apparently there is a lot of debate about what the NSA should be doing, especially post Snowden. So yeah, I can believe that plenty of people at the NSA are deservedly proud of their work. Not everyone there is a cynical government drone working to undermine IT security globally. But of course when the NSA starts contributing to your project, you don't know which of their two goals they're working towards...
As an aside, my father-in-law is a very passionate mathematician, and in his retirement he just published a book on some interesting and approachable topics in mathematics that much of the HN crowd would probably find interesting:
Even back in 2010, the NSA was already collecting over 1.7 billion of communication records every day. As far as I know, that amount probably doubles every couple of year so just imagine the enormous size of data that they have to process. It's no wonder the NSA is the only single entity in the world that own gigantic centers of supercomputers. Without AI technologies their information analysis mission would be nearly impossible so it just makes perfect sense the NSA is after those technologies. Honestly I would be surprised if they don't already own quantum computing power.
In addition to low-level firmware codes, I imagine for all those 1.7 billion records of data to be routed back to the NSA every day without a trace, completely invisible to the rest of the world, it must have required another hidden layer of network protocol beyond the current OSI model that we have. The low-level firmware codes must work in sync and convert data following the model of this hidden network protocol for it to transfer away successfully without being detected.
For it to operate effectively, the NSA must be miles ahead of any Silicon Valley company. Their work is truly astonishing no matter how you look at it.
Hell, as a European, the NSA is very clearly the enemy. Their goal is to protect US citizens, maybe, with very unconstitutional methods. They have little to no interest in the privacy or legal rights of people outside of the US, and yet have an unimaginable global reach.
What Snowden publicized was, for the most part, completely hidden from the view of society. The NSA wasn’t coming to tech conferences announcing their new surveillance tools.
Don’t think that the new parts of Coreboot won’t attract scrutiny from security-conscious companies and individuals.
They are not committing their most secretive and effective tools on GitHub for Christ's sake.
I think it makes sense to be cautious about all of these. I don't think the NSA is an abnormal risk to society, compared to the other major OSS contributors out there.
I'm sure they were. Being interested in modern technology doesn't imply anything about someone's intentions.
> They all seemed like they genuinely thought what they were doing was helping people.
I've known and worked with several people that used to work at the NSA. I have no doubt at all that they believed they were doing important, helpful work. For many people, most of the time, that was probably true. However, even the best intentioned person will have a hard time actually verifying that speculation; by definition, someone who believed that the NSA's work was good/helpful probably also believes it's important to respect compartmentalization and not ask too many questions about things they don't need to know.
However, this is expected, because it's what most people believe about themselves. As Quark explained about his own motivations as a smuggler, "No one involved in an extra-legal activity thinks of himself as nefarious. I'm a businessman, okay?"
> they were pushing the diversity stuff hard
I saw the same pro-diversity effort at the DOE. I wouldn't be surprised to see similar efforts throughout the public sector. None of this says anything related to the NSA's trustworthiness.
 DS9 s06e25 "The Sound of Her Voice"
You're a bit gullible if you think that the nice folks from the NSA you meet have any say in what their agency does with the technology and projects they are involved in. I'm sure this aspect of it is one of the more frustrating parts of working for the NSA, especially right now, but it's also fair to say that they probably know what they signed up for.
Why is that a reason to trust them?
The worst people in history all thought they were doing good too.
> As a an extra piece of information that I found interesting, they were pushing the diversity stuff hard
Diversity at the NSA doesn't factor whatsoever into whether I trust them or not. The damage they've done to secure communications and their cavalier attitude to dragnet surveillance is all I need to know about them.
Don't buy into the PR bullshit.
Yeah I don't trust them...
If they trust you enough the truth is interesting.
And it is very natural they'd be interested in Big Data and Artificial Intelligence. Even a fool could understand why.
The NSA is one of the few companies legally allowed to do stuff like only hire you if you're a U.S. citizen and even say so in their job advertisements, and keep you out of certain kinds of roles (the ones where the real action is, probably), without being held to transparency standards and nondiscrimination laws that would apply to private corporates. They can always cite undisclosed nonspecific security concerns rather than having to say "We didn't allow that person into that role because it isn't a middle-aged white guy".
The core is usually HR-people who do these kinds of events as a fulltime gig. They are usually very much out of touch with the rest of their organization because they do indeed spend all their time talking to students, and almost no time engaged in whatever business their organization is actually engaged in. To spice things up, they throw in one or two "real" employees. The reason they come is because there will be an HR policy whereby an employee is enouraged to spend one day per year on an activity like that to tick a box for their next promotion, so they grudgingly go there, but still secretly think of it as a waste of time. They still play their role though in the live-action TV advertising spot and put on a friendly face.
My own experience is that I was quite entrepreneurially-minded when I was in college. I wanted to be in business with a lot of organizations, just not as an employee. I used to go to all these events, hoping that they can put me in touch with people who do certain things, know certain things, get to decide certain things, etc. etc. I would always hit a brick wall. Because the people at the recruiting fair are there solely to get you to interview for the internship program or whatever. If you approach them with any other kind of request, the HR-people are neither incentivized to, nor, in most cases, able to accommodate you. For the real employees (the guy doing his one-day-a-year-stint), you as a college student, are not worth actually investing time into, so they won't do anything for you either.
In other words: Their presence at the recruitment event is not the presence of a human being that wants to engage with you on a human level, nor the presence of an organization that wants to be in business with you, but rather the presence of a robot who can accept your application for the internship program and who is not programmed for any other kind of interaction with you.
You don't need to take my word for it, either. You can easily put it to the test.
Next time you go to one of these events, bring a pencil and say: "I will happily interview for your internship program, but as a sign that you are SERIOUS about wanting to engage in a business relationship with me, I would like you to use company money to buy this pencil from me for 50 cents".
Witnessing what happens next will hopefully rid you of feeling special. -- I can assure you, you won't sell a single pencil. If you do: That's the company you should work for.
From lurking around, one of the more surprising things I’ve found is that DDR RAM initialization seems to be the single most difficult aspect of the whole boot process, or at least on typical PC platforms. Not to say everything else isn’t also difficult; the debugging tools available to the general public for firmware are fairy rudimentary.
coreboot.org links to libreboot.org, but the list of supported hardware is pretty short: https://libreboot.org/docs/hardware/
In my experience, when closed source research teams start to contribute to well-run open-source projects there can be valuable contributions.
But it highly depends on having independent and technically competent maintainers with strong personalities who are not easily manipulated into accepting patches that they don't understand or violate their technical principles.
The problem is NSA really only knows their motives.
The other problem with the NSA is that they have two goals. One is to protect the US and US entities security and the other is subvert foreign entities. If they start publicy recommending coreboot for what they deem senstive installations then their intentions are obviously not malicous. Problem is the NSA may never publicy specify that its for senstive installtions and may only ever be an internal guideline.
This is likely tacit recognition that UEFI is such a dumpster fire that it's not only vulnerable to them.
That's exactly what they do. How they rate and evaluate their high-security products (Type 1 or EAL6+) vs majority of market (EAL4 or less) under Common Criteria corroborates your claim. EAL4, which Linux and others top out at, says it's only trusted to stop "casual or inadvertant attempts to breach security." Anything prolonged or well-funded will breach it.
It's for the rest of the us to work out who is who though! Cryptographers seem to be suitably aware though.
The West? Really?
I think your overlooking the elephant in the room, who just happens to be Chinese and is concerned about his "social credit".
The thing is, if there's no ill intent now, there shouldn't be any backdoor to allow them to have any sort of special knowledge later. Unless you mean familiarity with the codebase in general. If they however do insert a backdoor, even without using it for anything now, "just in case", than that in itself is ill intent.
How can you know that? If they actually did install a backdoor into coreboot, they'd obviously just patch it out of their own installations.
I imagine senators would not like finding that they've been subject to that.
One exception I make is defense contractors that take money from them to build OSS tech. In that case, one can just scrutinize the tech itself. Most of the positive contributions in this area come from Galois Inc. Cryptol language is an example. On proprietary side, Rockwell Collins SHADE toolkit and AAMP7G CPU were likely NSA-funded to large degree.
> Bruce Schneier observed that "It took the academic community two decades to figure out that the NSA 'tweaks' actually improved the security of DES."
> However, the NSA also ensured that the key size was drastically reduced such that they could break it by brute force attack.
Their goals are at the very least nationalist.
As a non US citizen why should I trust them at all?
Their main directive errodes my privacy on most levels in most sense of the words.
You’re making an assumption that in order to gather signals intelligence, that they need to trick people into using compromised cryptography.
A fact that is not in dispute is that huge portions of the US federal government implement NSA recommendations and standards. For your assumption to be true, the NSA must be intentionally weakening federal systems. Nothing about that seems nationalistic to me.
(I know Coreboot has had at least a few people who seem to be activists or enthusiasts who are not potentially beholden to anyone, but people getting paid can afford to spend much more time on projects than volunteers can.)
But for the purpose of accuracy it should be pointed out that one of the two missions of the NSA is to safeguard American commerce, which they did for many decades prior (see: DES, selinux, etc.).
How about don’t know what they’re writing about?
I sure as hell have never heard about “Windows UEFI” before.
Applied to a group, in this case the NSA, I don't believe that they should be judged by the actions of a few of their members... I am sure there are both socially positive and socially negative actors in the group (and everybody in between), thus it is disingenuous to judge the group in either direction...
Me, I'm completely neutral about the NSA, with one exception, and that is that I feel that companies should NEVER be exposed to secret NSL's... either make those communications a part of the public record for congressional and other legal/legislative oversight, or don't send them in the first place!
But that's not the people of the NSA, whom I hold harmless... That's part of the mission of the NSA, and well, mere mortal citizens are probably not going to change that anytime soon...
If anyone really wants a secure computer, build yourself a VAX-11/780 out of transistors, and write the operating system too... (If I ever did, I'd put on a few of my super-secret cooking recipes ("Mmm, however did you get those BBQ ribs to taste so good? It's a secret!") along with a note "If you got this message, you are definitely elite, and please don't delete my BBQ sauce recipe!").
Try and get that with no RF link in the electronics... I double dare you...<g>
In the meantime, back up your files, and audit your communications regularly for anything you wouldn't want on the news 24/7... <g>
But the NSA? Not evil...
Build my GPL3'd Signals Intelligence device, and you can audit it :)
(Although, technically, to be really secure, you'd have to audit the entire RF spectrum AND lower frequency wavelengths, i.e., ultrasonic AND have to figure out what to do with signals that are intermittent and/or frequency hop!!! Then of course you have the power supply lines and the ability to send super-low frequency signals via all of that... In other words, you'd have to audit all wave frequencies from all connected devices, simultaneously, and keep in mind such possibilities as frequency hopping, and intermittent periods of silence... like if someone really wanted to be stealthy, they could send something like 1 byte per hour... and that hour is randomized, so it's actually a random interval between 50 and 70 minutes... and/or hide that in random radio noise... the possibilities are endless... <g> (This is why I leave security to the security people and just assume that no information is private anymore...))
But, all of that being said, your link looks really nice, and I didn't know that existed before! It looks cool and worthy of experimentation!
In 2009, ITL/Qubes wrote about DRTM (Intel TXT, AMD SKINIT) and STM, https://invisiblethingslab.com/resources/bh09dc/Attacking%20... & https://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rut...
> The late launch ... promises to effectively provide all the benefits of a computer restart without actually restarting it. It is hard to overemphasize the potential impact that a technology such as TXT could have on computer security ... We describe a practical attack that is capable of bypassing the TXT's trusted boot process ... As part of the attack we also discuss practical attacks on SMM memory ... Intel's remedy to malicious SMM handler is called STM, which stands for SMM Transfer Monitor. The purpose of STM is to sandbox the existing SMM handler by virtualizing it using VT-x and VT-d technologies. STM should be thought of as of a peer hypervisor to the VMM that is being loaded using late launch. STM is supposed to be measured during the late launch process ... no STM, as of today, is unfortunately available on the market, which yields our attack applicable to all current systems. One aim of our research ... is to stimulate developers to create an STM.
The May 2019 version of Windows 10 added support ("SystemGuard") for DRTM-enabled hardware that could benefit from an STM, https://www.microsoft.com/security/blog/2018/04/19/introduci... & https://www.platformsecuritysummit.com/2018/references/#syst...
In 2018, NSA gave a presentation on their STM work, https://www.platformsecuritysummit.com/2018/speaker/myers/
> We describe our work to demonstrate an enhanced SMI transfer monitor (STM) to provide protected execution services on the x86 platform ... Our STM enhancements create a protected execution capability by extending the STM to support additional VMs (PE/VM)
From a coreboot developer, https://twitter.com/_zaolin_/status/1055474061428572162?s=21
> We are currently implementing @intel #TXT and #SRTM measured boot support as part of Google's verified boot which can be used on all supported platforms in @coreboot_org
This is a contribution to Coreboot, which is an alternative to UEFI/BIOS.
As much as I dislike US government agencies in general, I think this time they have good motive to provide good code. Undermining this code would also undermine the systems of other government agencies.
In this case, I trust the NSA more than random contributors on the internet that have less known motives and may in many cases be agents of foreign spy agencies.
Something, something, site guidelines about suggesting the commentor didn't RTFA.
>I trust the NSA more than random contributors on the internet that have less known motives and may in many cases be agents of foreign spy agencies.
To be fair, I think that you stated the OC's point and failed to recognise it:
Your domestic spy agency is another's foregin spy agency. Why should they trust yours over theirs? Both have (presumably) equally less-known motives, yeah?