Someone has poor understanding of how computers work, but it isn't necessarily the NY Times.
Once a computer is compromised, you can't trust anything about it. You may believe reinstalling the OS is enough, but it is possible that some remote control tool is still lurking in a main BIOS reflashed while compromised, or in the GPU firmware, or tens of other places.
While it should potentially be possible to reflash everything, it is practically cheaper to replace the computers. Do YOU know how to reflash your bios with a trusted version, your GPU firmware, etc?
I don't mean "I know how to look it up on Google, and I'm sure I can do it if needed". This thing is hard to automate and do at scale even if you do know how to do it, especially if not all your computer models are uniform. Depending on how old and varied the hardware is, it is very likely that the economical solution (assuming you suspect an attacker capable of these feats) is to replace all the computers.
[Though, all the hardware they replaced it with has been, most likely, built and QA'd in China. Why would you trust _that_? The rabbit hole goes very deep. Practically too deep for anyone without a billion dollar R&D budget these days]
I made no such claim, but verifying bios and firmware signatures (and indeed detecting changes when they happen), and reinstalling them at scale is not a major challenge with a well managed IT infrastructure.
I can accept however that the Times may well have been running 10 year old PCs, with manual IT management processes, and outdated security software, and that replacement may have been overdue and economically more viable.
> verifying bios and firmware signatures (and indeed detecting changes when they happen), and reinstalling them at scale is not a major challenge with a well managed IT infrastructure.
Can you back up that claim with reference to a system that does that?
EVERY single management system I can think of trusts the system to report its status. You can't trust a compromised system to report its status.
Assume you have 5,000 desktop computers. How do you set them up so you can verify bios and firmware signatures without forcing a good bios reflash in the first place? (An action that does require soldering or jumper setting on modern motherboards!)
> I can accept however that the Times may well have been running 10 year old PCs
If you're running your business properly, 3-4 years is the oldest any PC should ever get. If you know a business running 10 year old PCs, tell them to get a new accountant. Today's $300 ATOM netbook (with your 10 year old screen and keyboard) will have positive ROI compared to maintaining a 10 year old machine (The best 2002 Pentium 4 is comparable to a modern ATOM, but needs 5-10 times as much power). You'll be saving money just with energy/cooling costs.
Good point, as in theory both the BIOS and the BIOS flash update routine could be replaced/virtualized... confirming a successful update even though the update was ignored.
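What a check that does not rely on the host's own word looks like, as an added example (not from any commenter in this thread): the host's self-reported measured-boot event log is replayed against a TPM-style PCR value, so a firmware that lies about its update status still fails verification. The extend rule is simulated in software, and the event log and golden values are constructed sample data; no real TPM is accessed.

```python
import hashlib

# Added example: replaying a measured-boot event log against a TPM-style PCR.
# The thread's point: a host's own report ("BIOS updated OK") can be forged by
# compromised firmware, but a PCR value signed by the TPM (a quote) reflects
# what actually ran. The extend operation is simulated here; the log entries
# and golden baseline are constructed sample data, not real firmware hashes.

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend rule: PCR_new = SHA256(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def replay_log(events):
    """Recompute the PCR from an ordered list of (description, measured_bytes)."""
    pcr = bytes(32)  # PCRs start zeroed at reset
    for _desc, data in events:
        pcr = pcr_extend(pcr, hashlib.sha256(data).digest())
    return pcr

GOLDEN_EVENTS = [
    ("bios_core", b"constructed trusted BIOS image v1.2"),
    ("gpu_oprom", b"constructed trusted GPU option ROM"),
    ("bootloader", b"constructed signed bootloader"),
]
GOLDEN_PCR = replay_log(GOLDEN_EVENTS)

def verify_host(reported_log, quoted_pcr):
    """Return (ok, reason). quoted_pcr stands in for a TPM-signed quote;
    reported_log is what the host's software claims was measured."""
    if replay_log(reported_log) != quoted_pcr:
        return False, "log does not reproduce quoted PCR (log tampered)"
    if quoted_pcr != GOLDEN_PCR:
        return False, "firmware differs from golden baseline"
    return True, "matches baseline"

# Scenario from the thread: the host reports a clean log, but what actually
# ran (and was measured by the hardware) was a replaced BIOS.
actual_events = [("bios_core", b"constructed BIOS with implant")] + GOLDEN_EVENTS[1:]
QUOTE_FROM_TAMPERED_HOST = replay_log(actual_events)

if __name__ == "__main__":
    print(verify_host(GOLDEN_EVENTS, GOLDEN_PCR))
    print(verify_host(GOLDEN_EVENTS, QUOTE_FROM_TAMPERED_HOST))
```

The check is only as strong as the root of measurement: it assumes the TPM's quote key is outside the attacker's reach and that the first measurement is taken by code the attacker could not replace, which is exactly the layer the thread argues may be gone after a deep compromise.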
> I made no such claim, but verifying bios and firmware signatures (and indeed detecting changes when they happen), and reinstalling them at scale is not a major challenge with a well managed IT infrastructure.
Uh, reprovision the VMs, reinstall your packages, QA everything and be back up and running in a couple hours. At least that's what they could do if they had a competent SE team running things.
If you believe that, then you are not part of a competent team, and do not understand enough to evaluate anyone's competence. See, e.g. http://en.wikipedia.org/wiki/Blue_Pill_%28software%29 - despite the (justified) criticism listed there, the principle holds.
According to the Wikipedia article, tptacek / matasano says he can detect it, and if tptacek says so, I'll take his word for it. (And yes, timing attacks are inherently hard to fake, though -- since this is a targeted attack, there could be a blue pill version that targets a specific matasano detector version. Continues ad absurdum)
Regardless - the advice given by parent is useless against a BIOS or deepest-level hypervisor rootkit.
A note to all armchair security people: Security is not just another engineering field like (say) networking, UI or databases: It is pervasive and very different:
Engineering is the practice of making sure that whatever is in the spec, works.
Security is the practice of making sure that anything outside the spec, doesn't work (unless it is desirable for some reason, in which case it should be added to the spec).