#badBIOS Updates (with TEMPEST. And, halting surveillance, Snowden/Germany)

“The greatest trick the Devil ever played was convincing the world he didn’t exist.” One of my favorite quotes, applicable to every aspect of security and particularly apropos here…

Jake Appelbaum has gone on Twitter and strongly implied that material in the Snowden documents (or other, perhaps Wikileaks-derived material) proves the badBIOS malware to be an NSA / CSE / GCHQ tool.

Despite his earlier claims in re: other material that “if I had it, I’d just dump it on Pastebin,” this time ’round he’s insisting on only giving it to Dragos if the man comes by Berlin in person.

Nevertheless, Appelbaum’s claim passes the smell test. The Ars Technica and Slashdot stories on badBIOS — and every public forum posting on the subject — have been *DELUGED* by what appear to be shills, all yelling “it’s fake! it’s a scam!”

To my eye, that sounds like someone with a lot of resources really doesn’t want John Q. Hacker believing this kind of stuff is possible.

Second up is a post from John Young to the usual lists, pointing out that there are NON-ELECTROMAGNETIC forms of radiation which penetrate SCIFs… at least, those SCIF designs that have been made public! (Similarly, publicly known TEMPEST techniques “do not cover the full spectrum of collectible signals and metrics of compromising emanations.”)

Young speculates that Dragos’ badBIOS discovery is disinformation meant to distract from these methods. I doubt it; Dragos has too much to lose. If anything, malware using these classified forms of radiation (I’m going to go out on a limb and guess this is Lord Kelvin’s “longitudinal radiation”) has hidden that functionality by appearing to use more prosaic methods first.

Or, what Dragos believes to be malware is something very different and far more pernicious.

Halting surveillance: Obama says, while he’ll keep spying on the public, he’ll stop watching the bankers to show the US government’s willingness to reform. I believe the term “UR DOIN IT WRONG” applies here. If anything, watching the bankers is one of the few legitimate uses of the NSA! http://www.reuters.com/article/2013/10/31/us-usa-security-imf-idUSBRE99U1EQ20131031

Snowden and Germany: First of all, here’s the video footage of German Green Party parliamentarian Stroebele with Snowden in Moscow. http://download.media.tagesschau.de/video/2013/1031/TV-20131031-2233-4301.webm.h264.mp4

Snowden apparently has a tremendous urge to explain things and is quite willing to talk. (One could joke living poor in Moscow would do that to anyone.)

Nevertheless, his letter to the German government is so general it could have been sent to anyone. Evidently he’s covering himself against accusations of supporting a foreign government to the detriment of his own — he has been exceedingly careful to characterize himself as a patriot. http://www.spiegel.de/media/media-32616.pdf

Note that some commentators (John Young again) have got this letter wrong: it’s not for the EU parliament. Come to think of it, the EU parliament SHOULD try and bring in Snowden anyway!

Also, here’s Snowden’s very brief and mostly content-free interview with a German reporter that accompanied Stroebele. http://www.sueddeutsche.de/politik/edward-snowden-i-have-no-regrets-1.1808706

I think I know when and why @dragosr was owned. I also think I know who likely did it and many of the details. A hint: #NSA #CSE #GCHQ

Yes, the NSA absolutely has such capabilities. They have it in both hardware and software.

@dragosr I have information that will clear up some of the details. Fly through Berlin on the way to Japan or on the way home?

