When I was in college, I interviewed at the NSA for a co-op. They start you early, and it was a really generous program too; they even offered full fellowships for grad school if you went to Johns Hopkins. (I did not join.)
At one point, one person told me that NSA was five years (I think it might even have been ten) ahead of industry. They sounded like they meant it in a very broad sense, although since it came after they mentioned their on-site fab at Fort Meade, I interpreted it to mean hardware. In the years since, I’ve heard of NSA contracts (I never knew any actual contract details) with hardware manufacturers to fund hardware R&D. That all made it sound like NSA wasn’t off on its own far ahead, but instead probably got general-purpose stuff a few months before everyone else, and I assumed they had some custom ASICs that were all their own, but probably just used process technology similar to the rest of the world. It seems unlikely that they’d have a better fab than Intel, even if they could conceivably afford it.
This story has made me wonder whether that person really was thinking about software. It does sound like the malware folks at NSA are pretty far ahead. This kind of thing seems like the sort of investment - mostly manpower - that would be really easy to justify for them, instead of the insane amounts of money and effort that a serious state-of-the-art hardware facility would require.
Of course, I expect they’re really doing both, and more besides.
Were they really that far ahead? None of this stuff is novel, to my knowledge. Persistent firmware infections were being demo’d in Phrack in 2009, but you can easily find government people talking openly about malicious firmware in passing pre-1990. The thing that makes this significant is the brute-force work that has been spent building unified frameworks, not the actual techniques.
I guess the question is far ahead of who - like you said, it’s a lot of effort spent making it work, and infecting many (all?) major HD manufacturers over the course of years. I was assuming that even though (or even if) the attacks were known, it wasn’t worth the effort for most other organizations / individuals, on that scale.
See also the brief history of NSA backdoors discussed here. All this stuff together is super, super scary.
Also, and particularly damning, we’ve gotten to the point where SSDs are just soldered onto boards in our laptops, which means we simply can’t replace them with versions known to have virus-free firmware…
Firmware storage should be removable, replaceable, and auditable. Changes to hardware firmware should require physical user interaction (push this button) and should be permanently logged and viewable (a small e-ink display showing the number of all firmware updates, plus the dates and hashes of each update).
Yes, that should be the case (it’s not), but any and all of that could still be a ruse. And how do you train people to understand that, and to understand that any tampering (e.g. an extraneous wire, an extraneous chip) means something’s up?
Keep in mind that there’s a good portion of the population who doesn’t give a shit about the NSA spying, and that an even greater percentage of the population doesn’t recognize that the day-to-day privacy invasion of using the WWW without a condom (adblock, HTTPS Everywhere, NoScript, etc.) is an even bigger problem than the NSA.
Why is it a bigger problem? What if the NSA just orders the collection of all of your data instead of tapping fiber-optic lines? Do you even know which of the data collection companies has all of your data? Would the news of such an event say to you, “Oh shit! My data is now in the hands of the NSA!”? No. Those data agencies are even more secretive and fishy than the NSA is! (OK, I’m exaggerating a little bit, of course.)
Non-mobile version: http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20150216