
Extraordinary claims require extraordinary evidence. So far, I haven't seen him providing the latter.

That's because he isn't making the former. It took a hack [1] like Dan Goodin to make him look as though he were.

His actual claims, as far as I can determine and as corroborated by the Errata Security article, are: (1) that BIOS firmware, and potentially also built-in peripheral device firmware, might serve as a durable reservoir for malware; (2) that buffer overflows and similar sloppy coding practices in USB HID device drivers can serve as infection vectors; (3) that pre-existing malware can use ultrasound as a (buggy, flaky, slow) C&C protocol transport; and, finally and most controversially, (4) that he has live examples, as yet unpublished, of malware which demonstrates all three of these behaviors.

Claim 1 seems not particularly controversial, given that prototypes have been demonstrated at conferences.

Claim 2 has at least one example in the wild, in that a PlayStation 3 jailbreak has successfully used the exact method described as a code injection vector. The PS3, of course, is a static target; how well the method scales to the PC platform is therefore an open question, but given the apparent relative paucity of implementations available, it seems at least plausible as a useful attack vector for malware.

Claim 3 is theoretically valid and, as another HN user pointed out [2] in response to my own skepticism on the subject, has at least one strong proof of concept in the wild.

Claim 4, of course, is unverifiable at this time; given Ruiu's provenance in the field, though, I'm with the Errata Security writer in considering that Ruiu deserves the benefit of the doubt, on the presumption that he'll soon substantiate the claim.

At most, then, his claims are 25% extraordinary, and I argue it took a useless hack like Goodin to make them seem even that much so -- to say nothing of all the recent speculation with regard to Ruiu's mental state, which I can only ascribe to a spectacular failure among HN commenters to consider the source -- specifically, the source of that Ars Technica article, whose lack of credentials should be plain to anyone with the time and interest to examine his journalistic history. What in God's name possessed Ruiu to give a hack like Goodin an interview is entirely beyond me, but that's as close to a sign of poor or impaired judgment as I can see.

[1] https://news.ycombinator.com/item?id=6655448

[2] https://news.ycombinator.com/item?id=6650152


And claiming that a well-respected, long-term, reliable researcher is crazy or suddenly a paranoid schizophrenic after sharing a few preliminary findings is indeed extraordinary.

