Your Computer May Already be Hacked – NSA Inside?

In a time of universal deceit – telling the truth is a revolutionary act.
George Orwell

In Russia, President Putin’s office just stopped using PC’s and switched to typewriters.  What do they know that we don’t?

Perhaps it’s Intel NSA inside.

———

For those of you who haven’t kept up, the National Security Agency (NSA’s) Prism program has been in the news. Prism provides the NSA with access to data on the servers of Microsoft, Google, Facebook, etc, extracting audio and video chats, photographs, e-mails, documents, etc.

Prism is just a part of the NSA’s larger mass electronic surveillance program that covers every possible path someone might use to communicate; tapping raw data as it flows through fiber optic cables and Internet peering points, copying the addressees on all letters you physically mail, all credit card purchases, your phone calls and your location (courtesy your smart phone.)Slide03

All hell broke loose when Edward Snowden leaked all this to press.

Given my talks on the Secret History of Silicon Valley I was interviewed on NPR about the disclosure that the NSA said they had a new capability that tripled the amount of Skype video calls being collected through Prism. Like most Americans I said, “I didn’t remember getting the memo that the 4th amendment to our constitution had been cancelled.”

But while the interviewer focused on the Skype revelation, I thought the most interesting part was the other claim, “that the National Security Agency already had pre-encryption stage access to email on Outlook.”  Say what??  They can see the plaintext on my computer before I encrypt it? That defeats any/all encryption methods. How could they do that?

Bypass Encryption
While most outside observers think the NSA’s job is cracking encrypted messages, as the Prism disclosures have shown, the actual mission is simply to read all communications. Cracking codes is a last resort.

Slide04

The NSA has a history of figuring out how to get to messages before or after they are encrypted. Whether it was by putting keyloggers on keyboards and recording the keystrokes or detecting the images of the characters as they were being drawn on a CRT.

Today every desktop and laptop computer has another way for the NSA to get inside.

Intel Inside
It’s inevitable that complex microprocessors have bugs in them when they ship. When the first microprocessors shipped the only thing you could hope is that the bug didn’t crash your computer. The only way the chip vendor could fix the problem was to physically revise the chip and put out a new version. But computer manufacturers and users were stuck if you had an old chip. After a particularly embarrassing math bug in 1994 that cost Intel $475 million, the company decided to fix the problem by allowing it’s microprocessors to load fixes automatically when your computer starts.

Slide05

Starting in 1996 with the Intel P6 (Pentium Pro) to today’s P7 chips (Core i7) these processors contain instructions that are reprogrammable in what is called microcode. Intel can fix bugs on the chips by reprogramming a microprocessors microcode with a patch. This patch, called a microcode update, can be loaded into a processor by using special CPU instructions reserved for this purpose. These updates are not permanent, which means each time you turn the computer on, its microprocessor is reset to its built-in microcode, and the update needs to be applied again (through a computer’s BIOS.).

Since 2000, Intel has put out 29 microcode updates to their processors. The microcode is distributed by 1) Intel or by 2) Microsoft integrated into a BIOS or 3) as part of a Windows update. Unfortunately, the microcode update format is undocumented and the code is encrypted. This allows Intel to make sure that 3rd parties can’t make unauthorized add-ons to their chips. But it also means that no one can look inside to understand the microcode, which makes it is impossible to know whether anyone is loading a backdoor into your computer.

The Dog That Never Barked
The NSA has been incredibly thorough in nailing down every possible way to tap into communications. Yet the one company’s name that hasn’t come up as part of the surveillance network is Intel. Perhaps they are the only good guys in the entire Orwellian mess.Slide07

Or perhaps the NSA, working with Intel and/or Microsoft, have wittingly have put backdoors in the microcode updates. A backdoor is is a way of gaining illegal remote access to a computer by getting around the normal security built-in to the computer. Typically someone trying to sneak malicious software on to a computer would try to install a rootkit (software that tries to conceal the malicious code.) A rootkit tries to hide itself and its code, but security conscious sites can discover rootkits by tools that check kernel code and data for changes.

But what if you could use the configuration and state of microprocessor hardware in order to hide? You’d be invisible to all rootkit detection techniques that checks the operating system. Or what if you can make the microprocessor random number generator (the basis of encryption) not so random for a particular machine? (The NSA’s biggest coup was inserting backdoors in crypto equipment the Swiss sold to other countries.)

Rather than risk getting caught messing with everyone’s updates, my bet is that the NSA has compromised the microcode update signing keys  giving the NSA the ability to selectively target specific computers. (Your operating system ensures security of updates by checking downloaded update packages against the signing key.) The NSA then can send out backdoors disguised as a Windows update for “security.” (Ironic but possible.)

That means you don’t need backdoors baked in the hardware, don’t need Intel’s buy-in, don’t have discoverable rootkits, and you can target specific systems without impacting the public at large.

Two Can Play the Game
A few months ago these kind of discussions would have been theory at best, if not paranoia. Slide09The Prism disclosures prove otherwise – the National Security Agency has decided it needs the ability to capture all communications in all forms. Getting inside of a target computer and weakening its encryption or having access to the plaintext of encrypted communication seems likely. Given the technical sophistication of the other parts of their surveillance net, the surprise would be if they haven’t implemented a microcode backdoor.

The downside is that 1) backdoors can be hijacked by others with even worse intent. So if NSA has a microcode backdoor – who else is using it? and 2) What other pieces of our infrastructure, (routers, smartphones, military computers, satellites, etc) use processors with uploadable microcode?

——

And that may be why the Russian president is now using a typewriter rather than a personal computer.

Putin's TypewriterUpdate: I asked Intel:

  • Has Intel received any National Security Letters?
  • If you had received a National Security Letter would you be able to tell us that you did?
  • has Intel ever been contacted by anyone in the U.S. government about Microcode Updates or the signing keys?
  • Does anyone outside of Intel have knowledge of the Microcode Updates format or the signing keys?
  • Does anyone outside of Intel have access to the Microcode Updates or the signing key

Intel’s response from their Director of Corporate and Legal Affairs (italics mine):

“First, I have no idea whether we’ve ever received a National Security Letter and don’t intend on spending any time trying to find out.  It’s not something we would talk about in any case, regardless of the subject of your blog.

Second, the questions related microcode and the speculative portion of your blog related to our encryption of microcode and the key all seem to focus around one question:  Do we have backdoors available as a result of our microcode download encryption scheme?
The answer is NO.  Only Intel has that knowledge.”

Update 2:  A much better description of the problem was actually presented a year ago at Defcon

if you can’t see the presentation above click here

Listen to the post here: Or download the podcast here

68 Responses

  1. Steve, NSA’s visibility is dependent on the PC being tied to the internet. Surely a naked PC with no connected router or modem, wireless or otherwise, being booted up cannot reveal anything useful to NSA’s satellites or listening stations. I have checked my PC and it emits no radio-frequency data streams as it boots up, unless its wireless capability is enabled. Even enabled, its range is less than a hundred meters. And within 500 meters of my home, there’s nobody else but me. For encryption, I recommend one-time pads for any correspondent you trust. Absolutely unbreakable. And they can be housed in cheap thumbdrives. Do all encryption completely offline.

    • What are “one-time pads”? What type of encryption is good? BitMessage is supposed to use the weakest encryption and Silent Circle will had over your data if requested by the NSA for whatever reason they want. What’s to stop them from giving information to their ‘friends’ the defense contractors or government computer geeks.

      • A one time pad is an unbreakable encryption method, mainly used in the 20th century by spies. Here is a primer: http://bit.ly/ec3VAK. It takes knowhow, a few tables, and a ‘key’, a very long string of truly random numbers. It’s a lot of effort to go to in order to encode, transmit and decode a message, but if done correctly the encrypted message is not crackable by itself.
        You’re a little hasty about Silent Circle. The NSA could obtain information that you’re using it and even the data itself if you’re not using it end to end, but SS has engineered itself not to have data to hand over. Doesn’t mean NSA can’t get it, surely they can, but not by asking SS to hand it over.

        • One time pads are theoretically perfect, but in practice are much weaker than a conventional cryptographic algorithm. Modern crypto algorithms are designed to be robust against e.g. chosen plaintext attacks, something an OTP fails instantly too.

          Whereas in the only area where OTP is provably better than e.g. AES, AES is more than good enough already.

          Better advice is to get OTR messaging for chat (easy), enable SSL with perfect forward secrecy on your webserver (can be easy), do your sensitive stuff through Tor (easy but can be slow). If you need to communicate asynchronously, use PGP and Tor mail.

          If you’re worried that you’re a target, use an usb stick with Tails OS.

          Use RedPhone and TextSecure to make calls and send messages on your Android phone. Use a custom ROM like Cyanogen, although it’s not designed for optimal security it’s much more trustworthy than the providers’ offerings.

          There. That ought to be much better privacy advice than using the one time pad.

        • Vintermann, thanks for your reply but I’m unconvinced that properly encoded one time pad messages are easily crackable. To demonstrate this, I have hastily constructed a one time pad and encoded a message, in English in to the one time pad. Here is the cyphertext:

          “92144 47711 13668 33449 43160 01819″

          Please crack this message and reveal the secret plaintext to the world, and I shall reward you with the sum of 1 bitcoin.

          (Note: These are not just random numbers, I actually did encode a short message in to a just made up one time pad. So a real message is in there. If you give up, I can give you the one time pad encryption key and then you can decrypt it yourself.)

    • power lines can exploited to hack into computer not connected to internet.

      • Please add some detail to
        the possibility of “hacking”
        a computer through power
        lines ….

        • By modulating the mains frequency, PSU induced oscillations affect the CPU to execute the microcode modulated into the frequency changes.

          Well, I’m just kinda kidding right now, but seriously I wouldn’t be too surprised if someone would find a way to do something like that. Look up TEMPEST/van Eck Phreaking for some ideas…

  2. Phong – I thought you would find this interesting.

    Steve Blank is a former military electronics expert, serial entrepreneur, and currently Professor of Entrepreneurship at Stanford.

    He actually makes an interesting theoretical case including some links to research coming out of U of Illinois.

    Eric

  3. What Then Must We Do?

  4. I’m doing some research about this and how to be anonymous on the web and found some interesting recommendations. The simplest one and easy to apply is start using an anonymous browser called Tor.

    Even though is not a complete solution, it gives you a first step to start learning about how to recover your privacy.

    • I’ve been using Tor (torproject.org) for a few weeks now along with their own Tor browser. The way in which I understand a Tor works is that you are assigned a pseudo-IP address each time you log in and the server bounces off numerous other sources before reaching its final destination- confusing the ‘enemy camp’ (correct me if I’m wrong). The Tor browser enables a more user-friendly experience in that one does not need to configure each website for proper use. Interestingly, after opening a hushmail account and logging in a couple times, I noticed there is a link underneath your log-in info which shows your location for each log-in. Each time I did not utilize Tor, my city and state listed in the box. Each time I had been using Tor, location listed as A1. Though, you may notice the disadvantages it has, such as disabling flash player, and other add-ons that display images for security purposes.

      Startpage is search engine whose servers don’t store any data (based out of Sweden) which I use in addition to Tor project. It seems they are powered by Google making it just as effective as a search engine. I considered these options to be a beginning until my next feat- Linux.

      I just installed Debian, a version of Linux as a mobile operating system (on USB drives) which is reputed with a far greater ability to provide anonymity online and overall pc security. The next step, I’ve read, is to layer it with a program called Whonix. I’m not yet sure what additional capabilities this will provide. I do not yet understand all the dynamics here in terms of the big (pc security) picture so perhaps someone can fill in a few gaps and detail some of the capabilities and limitations these and similar options have. I also intend to use Tor w/ Debian. I understand that the more layers of security one has, the better.

      Lots of good info, here. Thanks, Mr. Steve.

      • Tor is a great project, and of great use in repressive countries with brutal regimes that oppress their own people, such as Iran, Syria, Egypt, Tunisia, and the United States.
        You can disable scripts globally, and just allow them on sites you trust.
        In countries where the regime is recording everything and storing it such as Syria and the United States, it’s really important to use something called Forward Secrecy, which negotiates new session keys frequently and does not use a single server side master key, which could then be stolen and used to decrypt all previous messages.
        All this is just about routine everyday privacy. If you’re doing anything sensitive that you must not have anybody find out about, don’t use any computer to do it.

      • Although there is a problem with Tor, technically speaking, that is the project is still a Navy asset and receives state department funding: http://eta.securesslhost.net/~pgpboar/viewtopic.php?f=2&start=0&t=563 whether or not this makes it a compromised system you can decide for yourself.

        • Thanks for the insight. You reminded me of what I’d already read but somehow slipped my mind along the way. You are right in that it’s important to be conscious of this fact. I was discussing it with a friend earlier today who has been using Tor on both his pc and phone for a while and seems to have the scoop on security. He described the functionality of Tor with regard to citizen’s use versus the Government’s interest in users and he painted a picture analogous to how a particular type of software was used by an investment firm I used to work for. Essentially, certain words or phrases are programmed into the system to be made noteworthy- in which case further digging would become the next step. Since I have not researched this, I cannot back up this statement, so take it as you will.

          The bottom line is that there isn’t just one application, software, or download that is going to tackle it all. For myself, the key right now is to keep digging, learning, layering security, and sharing insight with others so they can do the same. Additionally, I find it important to support or join the organizations that are challenging the illegality of these practices in court. Even if they win, it’s not a solve-all but it needs to move in that direction. If those organizations can galvanize enough people Internationally, we can move to dismantle the P. A which renders the Const. null and void (for the most part) and demand F .I .S .A go away. It’s a pipe dream- until we do it- or not…..

  5. Thanks Steve. There’s a typo at the top “What do they know [that] we don’t?”

  6. I could be wrong, but I was under the impression that PRISM isn’t an actual collection mechanism, but rather the system used internally to locate and retrieve information. An internal NSA archive if you will, but the actual sigint sourcing happens through other mechanisms.

    • Daniel,
      Yes, that’s what the slides seem to infer.
      My language in the post wasn’t clear.
      And unfortunately in the press/public Prism is now associated with the entire surveillance program.

      steve

  7. I don’t profess to understand how it worked, but I once worked (a real job) with a part time hacker who used a Commodore64 between his computer and his modem since the Commodore was un identifiable online

  8. I bet that this is the first time Steve would not recommend “Get out of the building”

  9. I used to drive a taxi in San Jose in the late 90’s. I picked up a Intellectual Property attorneys and they would tell me the horror stories of the high amount of thefts in Silicon Valley through whatever means possible.

    It’s easier to let others others do the hard work then just take it.

    I’m working on a “project” (business-business model) at the time. Some of what I am doing is technical and I don’t want to even put it on my computer for the reasons stated. As I type, they can know what I’m typing, so even if I’m encrypting it, they might be getting the information BEFORE it’s encrypted.

    This makes me nervous.

    In the early 1980’s, John Stock, former top level CIA agent went public about all the spying.

    http://www.thirdworldtraveler.com/Stockwell/John_Stockwell.html

    So my question is about security, inventing something and how can I keep it private? I can’t afford something like “The Garage” that Microsoft has.

  10. On 9/11, I called to reschedule my flight, and it was clear that I was the only caller. No work for thousands of airline employees.
    If PRISM stopped or stops a new 9/11, then it is not “unreasonable” under the 4th Amendment.

    • Why would PRISM stop a new 9/11? There’s no evidence for that whatsoever, nor is it very likely. If I was planning a conspiracy I’d just make rule #1 to not use either internet or phones. That would be a slight inconvenience, but it would not prevent me planning an attack; it would also make me invisible to the NSAs huge spy apparatus.

  11. Does this mean we should use computers with chips from AMD?

    • From a technical perspective I don’t think so. If the NSA can override / pretend to be an official MS Windows update – and I have no doubts they could rather easily pull that off – then the chip doesn’t matter.

      That said… Hypervisor is problematic as it would actually allow a hacker to remain completely undetected and I am sure the NSA has some rather interesting exploits using this feature on an Intel processor….

      If I was the Kremlin I’d definitely disconnect all computers from the internet. You can still use an internal network.

    • AMD processor families 10h (Barcelona), 11h (Turion X2 Ultra/Llano), 12h (Fusion), 14h (Bobcat), and 15h (Bulldozer) also have upgradable microcode that appears to be encrypted.
      Here’s a good article on earlier AMD K7 and K8 processor microcode updates before they had encryption.

  12. […] Steve Blank is a retired serial entrepreneur and has been a founder or participant in eight Silicon Valley startups since 1978. This article originally appeared on his blog. […]

  13. I think really most of these problems have technical solutions – so long as we get rid of the secret courts, secret court orders, and secret laws. Everything that concerns the law must be out in the open. If not then the USA is just another police state, a state which is inevitably run by the secret services. If you give any institution the power to cancel out nearly all other laws, then that institution will end up ruling – the original intent, good or bad, doesn’t matter at all.

    The USA is a democracy – well so is Russia. Right now with all these new revelations they’re about equal in terms of civil liberties. That is they’re both not much of a democracy at all. In both countries, citizens are free and protected by laws – unless they do something the government doesn’t like in which case it’s off to the Gulag / Gitmo / extraordinary rendition locations.

    • The United States is a Republic. If we can keep it.

      People often react negatively when this is pointed out, but they rarely have something specific to say about the above video. Instead they attack it because they don’t like the people that made it.

  14. Are Apple computers similarly vulnerable?

  15. Perhaps the following shines some more light on this tapping issue. It’s somewhat technical, nevertheless essential to know in light of this discussion.
    1) all servers, workstations, laptops, tabs, smartphones and a host of other equipment that is or acts as a computer contain one or more microprocessors (Intel, Amd, Motorola, etc.).
    2) with the exception of some special Scada equipment, all those microprocessors need (as in must have) an embedded subsystem called a BMC (which runs on microcode). The BMC was designed to facilitate >>Out-of-Band operations<<. It has its own CPU, storage, memory, etc.
    3) Out-of-Band operations are network activities and internal directing and switching processes serving a variety of purposes. At least half of the sub-processes are secret (for commercial and OTHER reasons). And most important they circumvent your usual operating system processes.
    4) the mechanism that manages this microcode on the BMC is called IPMI. There's quite a variety in that. Some manufacturers as e.g. IBM and Intel have extremely complex and sophisticated ways of managing OOB operations.
    5) with nearly all computers (etc.) built after 1998 this is included. And what's more, after version 2.0 it is also encrypted. For those who want to know, commonly with RSA and with a key-length of 2048 bits.
    6) Steve already explained some of what can be done with it. But to be frank, just about anything your normal operating system manages can be altered, corrected, directed, copied.
    7) thus, it can (and is) transmit(ting) the location where the equipment is, it can copy any data from your machine and send it surreptitiously with a hidden protocol OOB to anyone/anywhere.
    8) is the intelligence community using this? Yes, of course.
    9) can one automate surveillance or is it used for special targets? Basically yes it can be automated, but the OOB streams from/to/through providers would increase with a giant factor. Hence it is currently used for special targets/groups of targets.

    Perhaps the above helps to understand the situation we are in.

    • Rob,

      I’ve got a number of HP IPMI-enabled servers and I occasionally use IPMI features in scripts. I also strictly control my IP traffic in the IPMI environment. I know if something is trying to reach a not-approved address.

      IPMI isn’t phoning home. The apps that do phone home are not hard to identify and the destination addresses are not surprising either.

      I’m not denying/defending the NSA allegations. But IPMI is not a part of the scheme.

  16. Mr. Blank, how do you justify truncating the sentence you quote from the Guardian’s article when it so profoundly alters the meaning of that sentence, while seemingly being the basis of your whole argument?

    The original sentence is the following: “The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail”

    You preferred to write “the National Security Agency already had pre-encryption stage access to email on Outlook” (the “.com” part being conveniently missed out), thereby fueling the paranoia that the Wintel alliance has given secret backdoors to the NSA at the processor level.

    I am sure you know all too well Outlook.COM is simply the replacement for Hotmail.com, a cloud email solution provided by Microsoft, while Outlook is the desktop mail program part of Microsoft Office.

    I am not sure why a man as smart and subtle as you has chosen to take such a shortcut and distort facts for the sake of a theory that has no sound basis. Or maybe I have missed something so huge it has blinded me.

    • Raphael,

      I shared my thinking of how I got from the comment about Skype and Outlook to thinking about microcode, Intel and being able to backdoor random number functions.

      It sounds like you’re angry that I’m not as smart as you. Guilty as proven.

      What you’re missing is the second part of the article. Regardless of how faulty my chain of logic in getting there, is it possible to upload microcode to Intel processors? Yes.

      Does anyone know (other than Intel) what the microcode does? No.

      Are the RdRand RdSeed instructions hardwired or microcoded? Intel doesn’t say.

      Would modifying the random number generator/instruction in a Intel processor affect that computers ability to safely encrypt information? Yes.

      Is there anyway to prove this is the case without access to the microcode and processor micro architecture? No.

      Does Intel’s response in the light of the current NSA disclosures give me a high degree of confidence in the integrity of these functions. No – but others with the same data can come to their own conclusions.

      This would have been idle speculation a month ago.

      Given the recent revelations it’s no longer idle.

      (See McGroarty (@mcgroarty) comments below.)

      steve

      • Dear Steve,

        I am not angry at all and I don’t claim to be smarter than you (I certainly am not, at least based on our respective resumes) .

        As a matter of fact, you’re the one who claims to be smarter when you write “I thought the most interesting part was the other claim”, while there was clearly nothing interesting in that part, since it’s no longer news that cloud offerings don’t offer the highest level of security in light of Snowden’s revelations (since Outlook.com clearly is one of those cloud offerings).

        Whether your theories about Intel microcodes are true or not is not really my point. My point is that you can’t truncate and denature a statement, and then use it as a premise for any inference or deduction, whether that inference or deduction is true or not. This not only goes against all laws of logic, but also undermines the assumptions we have about key qualities of a leader, honesty and integrity.

        You could have written that this statement about Outlook.com, the cloud product, made you think about Outlook, the desktop program, but instead, you chose to truncate the statement and then jump to the following conclusion: “They can see the plaintext on my computer before I encrypt it? That defeats any/all encryption methods. How could they do that?”

        I find it ironic that your post starts with the following Orwell citation: “In a time of universal deceit – telling the truth is a revolutionary act.”

        I’m not sure which sort of truth you’re telling here, but I would assume that a thought leader such as you would have the moral obligation to recognize his own mistakes. You would likely gain even more respect from your followers (including me) by doing so.

      • Steve, Back 20 years ago in 6800 days I was paid to write a keylogger program into a compiler for use as a spy tool on a network at an advertising agency. They wanted to see how efficient the typists were on the Pc’s and what they were typing. Words per minute, what words etc. In fact it would be a great way to also see what your children are up to on a PC – dump key presses to a text file daily.

        Anyway, the keylogger I wrote went in at a low level IRQ (interrupt) and then broadcast the presses over the network. It worked well (I got key bounce reduced eventually using the keyboard interrupts, they are low level on the hardware stack and take up very little processing power). This gave full access to anything that anyone typed – simple solution work best (I gave up coding a few years later). .So I agree anything embedded in the BIOS at low level can easily “see” everything we do – if I with limited code could do that then, they not only are probably doing this but surely they are doing it. Now it would just TX typed over the net, its simple. Even better you dont really need screenside copy, because everything’s typed at some point – so after a period you will have everything, It would be easy to also dump freetext characters out from an y text displayed, URL’s and anything else. I remember my low level code didn’t slow the PC down at all (as it was all in machine code). The facts to me seem very simple, if I did that then and was asked to do it – the NSA will have done this and on a much larger scale already.

        That said – we should when its active be able to spot it on the network by packet sniffing unless its encrypted heavily (which again it maybe).

        However in terms of the encryption and the random number seed being spooked, that should be easy to spot ? Cant we run tests on this easily ? Should be easy to write a program to spot anomalies with this ?

        People using debian./tor etc mis the point – this is so low level its happening at the hardware interrupt level, call it BMO or housekeeping functions, it well before the OS comes up on top. Back in the day the key spy I wrote didn’t care what OS you had, it was like a physical box that sat between keyboard and Pc and logged the keys. It wasn’t a physical box I stress, but conceptually that’s what it did, In fact the code was like 300 characters and I actually flashed it onto the machines bios as a spare for 32 character displays (which were never used but left in the core BIOS). So when the PC looked to see the 32 char display codes (which were replaced with my code) it just ran the code it found (mine). Its such a simple hack, almost too simple. If the network wasn’t there it also logged the characters into RAM until the network was there. I had it check every 30 mins or so for a connection.

        It took me (a not very great coder) about a week to code, they may still be using it for all I know, the point is that its been done. If I was asked to do this for a business to spy on their staff then the NSA with all their resources will have infiltrated Intel. AMD et al and then upload similar code. The network location they use will I suspect be fixed and probably registered outside of normal TCP/IP bounds as well for anyone looking into this. I also worked in telecoms a lot and we used “unused” channels in SS7 for secret comms work. In fact the nSA (well CIA) had the company (a US company) I worked for “reserve” 3 channels on the stack for just that reason (if they wanted to intercept the telephone calls) – its there in the model or spec. In fact ask anyone familiar with telecoms and LCR switches about this, its in the protocol. OK I think it says something like “security channel for engineers to help prevent line fraud” but we all know what it was for. Mobile switching came from the fixed line switches as did the base switches (its a while since is looked at the OSS models) but again the channels were there.

        In fact it surprising isn’t it that so many IP adresses are “reserved” – what did they ever expect to use them all for ?

        just take a look:

        192.
        1 to 50
        168.
        127.
        255.

        I haven’t re-checked but there are probably lots of others and thats just first digit reserves ! OK they might even masquerade as NameServers but have a backchannel – in fact thats a great way to hide them. So your Pc is contacting a nameserver, well that’s OK right ? How about if the major public nameservers propogate (my DNS picks them up dynamically from my ISP and I trust this ?).

        OK so your PC uses a DNS, that comes from a switch thats from an ISP, thats the NSA. They “suggest” that all traffic is sent to the NameServer, it i and its does its job and resolves name – great. However it also happens to strip off the first say 1000 bytes (which are the last x key presses or whatever).

        We would never know ……

        Its always amazed me that without a DNS running you can PING certain places, why ? I mean the nameserver is what converts a domain name to an IP, so how can a PC without a DNS facility resolve some URL ? I forget the URL I could use as its been a while but surely there are no toplevel URL’s.

        So I am pretty sure that any IP addresses that are labelled in the book as “unused” or “test” or even not labelled will be good places to try, for anyone digging. Given my background – if I had to design it into the system then I would have placed it pretty low down and hide it amongst the weeds,

        Nobody would be suspicious of NS traffic, reserved or system wide traffic like this. It should be pretty easy to spot (on a compromised PC) because you could setup a fake IP network and see what the Pc sent you on that NS channel and if you reduce the channels and just concentrated on repeating a set keypress code : any 257 digit code would work I think. repeat that many times and then look for its transmission.

        What I mean is this 127.0.0.1 is local right ? Whats 127.1.1.1 ? you see where this is going ? The “pickup” has to be an IP that they own, isn’t changeable and won’t change. They cant keep sending updates of URL’s out there. So I would suggest that they will have a permanent “backchannel” on some IP we wont suspect because the book calls it non existent. Any IP transmissions to that wouldn’t look odd either as it may be part of the overall layer model for the comms channels.

        The problem really is to get a PC that you know is being intercepted and then start fulluy decoding whats coming in and out of the network card, taking out as much as you can and see whats left.

        H.

        • I find the information you provided compelling in a hard-to-follow sort of way. For those of us newer to pc security platforms, could you please break down what you mention with regard to Debian/Tor users?

          I fully realize that utilizing Debian layered with Whonix is not a be-all-end-al solution. Obtaining privacy is something, I believe, one is going to have to work for and keep up with. Even then, it will be a cat and mouse game. Perhaps I’m not interpreting your post correctly, but your perspective seems to be that of attemping pc security a hopeless case. Either way, I’d still like to better understand what Debian/Tor users are missing, in layman’s terms.

          -C

  17. Relevant: http://lists.randombit.net/pipermail/cryptography/2013-July/004728.html

    Parts of the Linux kernel (and presumably other OSes) now rely on Intel chips’ new random number generator. There’s potential here to have reduced entropy on all or select targets’ Intel chips, thereby making it easier to defeat crypto.

    • Steve,

      Thanks for daring to delve into and analyze this topic to the full extent you have while lending your experience and expertise to your readers. While some people are busy playing ‘angry birds’ and others are busy with their preoccupation over a jury’s verdict they don’t agree with, there are a few that realize the vastness of this problem and the great implications looming over our heads. Your commenters have, for the most part, contributed to a productive and informative dialogue that I greatly appreciate being a part of, especially since my recent head-dive into pc security 101.

      My first question for you is regrading the microcode backdoor to which you refer. I don’t dismiss this capability or the fact that big bro will do whatever in the world they can get away with. However, it comes to mind that we are shown how the agency in question went through the sec. court (Fi-suh) in order to gain direct access to servers of companies like Microsoft and Verizon. If the said backdoor to every processor and microprocessor (i.e. android) was in full force, why would they go through the aforementioned red tape for other means of access?

      The second question I have is that if in fact this back door exists in Intel, for example, and is not only a reality but in full force, isn’t there a way to counter-act it? Though I’m far for an expert, I foresee information technology as being limitless and I do believe two can play this game.

      Freedom of the press dot org put out this, which I saved and thought might be helpful to some. https://pressfreedomfoundation.org/encryption-works

      As i mentioned in another post, there is no perfect download or software to protect ourselves completely but with up-to-date info, LAYERS of security, and understanding of their benefits and limitations, I think we have a fighting chance over an abusive system.

      Just the other week, I stumbled over an article about a group of hackers that have spent the past FOUR YEARS hacking into and trying to hack into South Korea’s military intelligence infrastructure. As you know, The U of S of A has bases there and is well integrated into their systems. Well, it seems that McAfee, who is contracted to oversee security in this area has blundered repeatedly and failed to identify the threat. This was, of course, was not widely reported, but it’s there. If you’re curious enough, I’ll find it. But, my point is that while we ought to be as careful as Putin (in light of recent revelations), we also should not be so to quick to surrender to an animal that likes to make itself appear bigger and more deadly than it actually is. They have their vulnerabilities, oversights, and short-comings also.

      I hope you’ll continue to help us break down the revelations yet to come, compliments of Eddie S. Thanks again.

      Cg

      • You have a good point about FISA part and PRISM companies cooperating with NSA. But, what I see is that:

        Microcode backdoor can be used for targeting specific persons through Windows update. It’s redicolous if NSA used this microcode update to set backdoors in every single PC in the world!

        Plus, even if they did that, the they won’t be able to gain so much valuable information as much as PRISM (i.e. tapping people’s traffic and get their information).

        So, What I’m trying to say is that NSA is trying so hard to get as much information as possible about people in order to study their political and religious views and to keep a profile for each person for later reference.

        NSA are setting backdoors everywhere. They are trying to tap internet traffic and telecommunications traffic. They are trying to exploit systems and buy zero-days exploits. Some experts admitted that they’re selling zero-days to NSA!

        Plus, NSA are doing so much operations and so much projects and a lot of these projects are for spying on people.

        Reading the history of NSA is enough or reading ‘Crypto’ book is enough

        Regards,
        cypherpunk

  18. TWO SERIOUS SECONDARY CONSEQUENCES ARISE

    Steve,,,,,, seems neither of my two posts made it to publication even though they were displayed as pending ‘mediation’. So I’ve rolled the entire posts into two links as follows.

    Doesn’t this throw doubt on the privacy of routine business data distribution? In my case its data associated with B2B mobile processes. If we exclude emergency services like Police, Fire and Ambulance most of the rest is associated with
    a) Selling, and
    b) Service.

    I guess Service is not really a big risk except that it exposes what equipment is installed and what the Service Level Agreements in effect are. However, LEAD and PROSPECT tracking, the latter including price negotiation, are highly confidential as purchase decisions approach.

    Then one could ask what is the relative risk when choosing On-line or Distributed Databases where data transport is the delta-only rather than complete screens.

    Anyway here are the two posts missing post contents followed by the same signature to both:

    http://www.w-w-w-w.org/videos/archive/LackOfTrust.docx

    http://www.w-w-w-w.org/videos/archive/CollaborateToCompeteFairly.docx

    Regards
    Brian in Sweden
    Alias Sir George the Dragon Slayer
    Knighted in Canadian Dragons’ Den 2009.

  19. It would be FAR easier for the NSA to insert a mole engineer (or a team) into Microsoft/Intel/ had have these engineered into the products themselves. Why spend time and money on cracking keys?

    Once billions of dollars are known to be allocated by a state player all bets are off. It is most unfortunate that it’s our government that’s doing this to it’s own people under the fear of “terrorism”. A decade back the country likely to engage in this would be “Iran” or “China” – but it’s 2013 and it’s the USA that’s undermining freedom.

    Bottomline: Your best bets are still encrypting everything at source and keeping those keys safe. However, if the NSA *really* wants to get to a citizen, it’s game over for the said citizen (keyboard loggers, water boarding at secret camps, predator drones, “car accidents” etc).

    It seems the crazy gun fanatics were actually right about their paranoia …

    • The truth of the matter is that while NSA will decrypt when it can, usually by getting companies to do all this work for them, what they are really after it social mapping and traffic analysis.

  20. I have questions for the american citizens : are you happy to live without democracy ? Are you doing something to change the system ?
    As a foreigner, never been in the USA, only reading news and books I always felt that the answers where Yes and No.
    Am I wrong ?
    As an illustration , this post is full of technical details and the responses are mostly about way to escape PRISM but what about firing everybody involved and putting them in jail ? Simply ?
    Ah ! OK ! All that stuff IS legal in USA ? And this is a democratic law ?

    • Do you know of any democratic country which is free of surveillance? Most European countries complain about NSA in public, and then accept the fruits of surveillance of their people from the NSA in private.

      • In EU any agency that has the legal right to tap into your data stream needs to get a real court order before. And I mean a real court order, not the types they need to get in US. So yes, surveillance exists in EU as well …

    • We live in a constitutional republic; not a democracy. Remember, a democracy is when two wolves and a sheep are voting on what’s for dinner. A constitutional republic is two wolves and a sheep voting on what’s for dinner but the sheep has a semi-auto 12 gauge.

  21. Fun fact: No one remembers ECHELON.

    • Hmm….perhaps some of us in the audience hadn’t been born yet. What fun facts should we be looking for, without being too specific? It likely continues under a new name and a new budget.

  22. How can I protect myself from microcode update threats?

    • Not sure that there is a way to protect against this type of threat.
      My two cents is that if the NSA is doing this, it’s likely highly targeted. And unless you’ve been dealing with weapons of mass destruction I’d put your individual risk factor relatively low.

      Lots of higher probability risks – rootktits, etc.

      However the last month has had all kinds of surprises.

      steve

      • Thanks for the reply. They’ll find that my religious views are that the upper echelon behind this bizarre evil go to hell and my political views would like to reside on the other side of the globe- the hell away from them. But that’s a conversation for a different day.

        Before I jump to startpage.com, can you please explain to me what zero day is and how it would be used by them with regard to an individual’s laptop? Also what is the ‘Crypto’ book to which you refer? Is that the title and do you know who wrote it? I just recently purchased the book “Cypherpunks” but have yet to read it. I’m hoping there will be a lot of good information in there. Perhaps you’ve read this one?

        Best,
        cg

        • A zeroday exploit is a private exploit discovered by a security researcher and nobody else know about it.

          Crypto book is a book that talks about the history of encryption. You’ll find that NSA is the biggest fighter against data encryption and the reason is that they want to monitor everything.

          The author is Steven Levy. He’s an american journalist who writes a lot about cryptography and cybertech.

          I downloaded an e-book of ‘Cypherpunks’ but didn’t read it yet.

    • Thanks much. I see he’s a journalist for The Wire which I follow for good info and I also see he wrote a more recent book called, “In the Plex: How Google Thinks, Works, and Shapes Our Lives.” I downloaded that one, too. Since you are interested in the book “Cypherpunks,” you might also be interested in the group discussing cryptology, bitcoin, and other related topics in their show. www dot assange dot rt dot com. Russia Today films for them. Jacob Applebaum is featured on the show and he’s super sharp. I enjoy learning from these guys There is nothing nefarious about their work or their intentions even if big bro doesn’t approve.

  23. Just a small correction: it was a GERMAN company’s (Siemens) Swiss- domiciled subsidiary and not “the Swiss” who sold backdoor infested cryptogear.

  24. I always expected any big American organization or from any other country to be controlled by the secret services.

    Those companies don’t even need to know. The NSA spies on all citizens and know who is who, if someone needs money, they know, if someone love prostitute’s services, they know, is someone is a gambler or have sex with their partner’s best friend, her daughter is on drugs…

    All congressmen, judges and power figures are being closely spied by a group of very powerful men.

    Blackmailing them for doing a little “service” for the country on their job is very easy. You ‘d be a “patriot” against “enemies”, “adversaries”, like we foreigners are in US State terminology, including US allies.

    The problem is general of central planning and centralized power.

    Hitler was able to take total control over the entire state after Reichtag fire excuse. Today the excuse is called terrorism and a new class of absolute power emerges like the Praetorian guard, created for protecting Emperors and being the entity that killed most of them.

    In US this power is greater than democracy as the people can’t see what this power is doing so they can’t control it. Out of sight , out of mind.

    I believe the solution or antibodies is decentralization and adding false information to the channels.

    Of course they could try to enter any computer in every home, but that is hell, lots of different OSes, lots of hardware, lots of software differences, lots of standard and configuration options, and the majority of people defending itself, some of them as well educated as the spies(or better).

    This is the reason I believe cloud is the future, but cloud in my physical property that I or my company control ourselves.

    Adding false information is typical spy’s strategy and we need an automatic mechanism for that. This way they could decode the data but don’t know what is true and what is not.

  25. […] Read the whole thing – its thought provoking – and Intel’s response to his questions are lame. Your Computer May Already be Hacked – NSA Inside? | Steve Blank. […]

  26. I find this all very interesting and I just want to throw this out there for any real attorneys that may be watching this thread.. This doesn’t include you trolls that spend your time Googling for answers and aren’t smart enough to interpret the validity of some dip shit blogger….

    If the US Government decides they want to monitor cyber communications to prevent terrorism I personally applaud them for being able to do so… If they are doing so and happen to stumble across illegal activity you may be doing, unrelated to terrorist acts, do they have the right to prosecute? If they collect this information without probable cause does this give them the right to obtain a warrant? If they have the right to prosecute, is the evidence admissible in court?… Just a few things I am curious about.. IMO if the answer to any of these questions is “No” then why is everyone getting so worked up over it in the first place? As Americans keep doing what you do, as long as it doesn’t violate the Patriot Act. I see this situation very similar to the Ethical Principles of Psychologists and Code of Conduct (google it). If your a threat you will be dealt with, if not KCCO.

    • If the US Government decides they want to monitor cyber communications to prevent terrorism I personally applaud them for being able to do so…

      What if their monitoring is also for the purpose of FACILITATING terrorism? You know the sort of thing – ‘false-flag’ attacks to further a more-or-less hidden agenda, that sort of thing. Google ‘Operation Gladio’ for a 101 primer.

      Of course, the good ole US of A would never stoop to such depths would it?

  27. Unless you watch your CPU and all the other chips on your motherboard being DOPED (during the manufacturing process) and kept a 100% unbroken chain of custody through that process as well as the ENTIRE sub manufacturing process’s, you can’t say you aren’t hacked already, and that’s just the HARDWARE alone. For this reason alone electronic voting ought be outlawed.

    But then there’s firmware. You know like all those chips for the voting machines that went missing… Or that malicious patch from time to time. Hey if the voting machine is down, you solved how to hack the vote. (This voting thing is always going to be a side issue, as the same scum doing this exploiting, targeting by spying get into office via election fraud)

    And then there’s what all the slashdot and others talk about programming, code, software.

    I’ll add one more, the wires, vaults, antenna’s, modems, power plants, and infrastructure between each of the nodes.

    So such chips can have hidden logic, which can be destroyed remotely, or the entire chip returned to what it says on the part number, or the chip can be caused to FRY and look like a system failure–and really if you aren’t destructively reverse engineering every chip in every box, you would not ever know. (of course all the wars, chemtrails, dangerous gmo’s, loss of Constitution and bill of rights, the police state, politicians, and banksters who never go to jail, and a media feeding us irrelevant and psyop crap all day and night; all this kind of gives it away)

  28. And here we have it in black and white. Steve- this is strong evidence to support your theory with regard to some Countries like Australia banning Lenovo computers due to a high-tech analysis revealing back-door vulnerability. The question remains, what kind of testing have other pc’s undergone and what has been potentially undetected?

    http://www.afr.com/p/technology/spy_agencies_ban_lenovo_pcs_on_security_HVgcKTHp4bIA4ulCPqC7SL

    -c

  29. Steve, interesting article, but as a programmer, I find this this unlikely. By no means impossible, but unlikely. You should concern yourself more with DRM (Digital Rights Management.) Especially, the DRM Intel has included in recent (especially third-generation) processors like Ivy Bridge. The newest incarnation is called Intel Insider. These contain what is essentially a backchannel, intended to allow Intel-based system to stream hi-def content while protecting it from being accessed. While Intel hasn’t gone into any real detail about how it works, in this statement/blog,

    http://blogs.intel.com/technology/2011/01/intel_insider_-_what_is_it_no/

    Nick Knupffer (Director of Worldwide Marketing Communications), states that Intel Insider should be thought of “as an armoured truck carrying the movie from the Internet to your display, it keeps the data safe from pirates.” But since this by necessity requires marking areas of the CPU and memory inaccessible, and by distributing access keys only to authorized third-parties, it also serves as a hardware-protected place that is used to store, send and receive data, inaccessible to even development tools, meaning data can go the other way as well.

    Very likely, similar mechanisms can be used for similar means, and such systems exist in pretty much all mobile devices today, even if most are only software-enforced.

    • See update 2 at the end of the post (Jonathan Brossard’s presentation) and tell me that you still think it’s unlikely.

  30. […] the problem goes deeper – you can’t really trust your hardware either. This post by Steve Blank discusses how the NSA has likely compromised intel […]

  31. This is a very good tip particularly to those new to the blogosphere.
    Brief but very accurate info… Thanks for sharing this one.
    A must read article!

Comments are closed.

Follow

Get every new post delivered to your Inbox.

Join 160,927 other followers