Mercury Rising 鳯女

Politics, life, and other things that matter

Broken Promis

Posted by Charles II on July 15, 2013

For those with long memories, Promis was a program developed in 1974 by Inslaw. The developers claimed DoJ ripped them off. The case swirled endlessly. According to Wikipedia:

A conspiracy theory developed around the case, with allegations that “back doors” had been inserted into the software so that whomever the Justice Department had sold it to could be spied upon.

Now, this is of historical curiosity only. But now a much more credible and threatening suggestion has been made. Steve Blank, Forbes:

Today every desktop and laptop computer has another way for the NSA to get inside.

Starting in 1996 with the Intel P6 (Pentium Pro) to today’s P7 chips (Core i7) these processors contain instructions that are reprogrammable in what is called microcode. Intel can fix bugs on the chips by reprogramming a microprocessors microcode with a patch. This patch, called a microcode update, can be loaded into a processor by using special CPU instructions reserved for this purpose. These updates are not permanent, which means each time you turn the computer on, its microprocessor is reset to its built-in microcode, and the update needs to be applied again (through a computer’s BIOS.).

The microcode is distributed by 1) Intel or by 2) Microsoft integrated into a BIOS or 3) as part of a Windows update. Unfortunately, the microcode update format is undocumented and the code is encrypted.

perhaps the NSA, working with Intel and/or Microsoft, have wittingly have put backdoors in the microcode updates.

The downside is that 1) backdoors can be hijacked by others with even worse intent. So if NSA has a microcode backdoor – who else is using it? and 2) What other pieces of our infrastructure, (routers, smartphones, military computers, satellites, etc) use processors with uploadable microcode?

Now, this is just a suggestion, not a fact. But it points to a serious potential problem. Even if you approve of NSA spying, do you approve of some unknown party who has compromised the encrypted keys having total control of your computer?

There are consequences well beyond what may happen to NSA capability, and tentative confirmation of Blank’s conjecture. Arvin Ganesan, CNN:

For the Internet companies named in reports on NSA surveillance, their bottom line is at risk because European markets are crucial for them. It is too early assess the impact on them, but the stakes are clearly huge. For example, Facebook has about 261 million active monthly European users, compared with about 195 million in the U.S. and Canada, and 22% of Apple’s net income came from Europe in the first quarter of 2013.

Europe was primed for a backlash against NSA spying because people care deeply about privacy after their experience of state intrusion in Nazi Germany and Communist Eastern Europe.

on July 11, The Guardian reported that Microsoft helped the NSA and FBI bypass its own encryption to access its users’ data, based on documents from Edward Snowden

Transparency is an important first step. Its absence only exacerbates a trust deficit that companies already had in Europe. And trust is crucial. Google’s chief legal officer recognized this on June 19 when he said, “Our business depends on the trust of our users,” during a Web chat about the NSA scandal. (emphasis added)

.

We’ve known about the dangers of backdoors at least since 1974 and Promis. It should have been obvious how dangerous this sort of thing is, especially given how dependent our entire economy is on computers and the Internet.

BTW, this points out that even encryption of communications is no guarantee of privacy. Until we regain respect for the Fourth Amendment, and have a government that understands that it’s in everyone’s best interests that they not know everything, one can predict that the downward spiral will not be broken.

9 Responses to “Broken Promis”

  1. Isn’t this the case that Danny Cassalaro reported on, then was later found “suicided” in a motel room?

  2. Stormcrow said

    Before you get too spun up about this, recall the NSA’s long-established preferences for driftnet intel collection.

    They’ve always preferred to work fairly high up the routing chain, because they need to physically intervene at the fewest number of locations to maximize their “take”.

    Putting backdoors in P7s is one thing, collecting the intel from a billion or so, over the Internet (so the traffic leaves traces in activity logs) is quite another. This doesn’t create just one operational security risk, it creates two: (i) a billion or so individual collection operations: 1 per CPU. (ii) the fingerprints of the data traffic as it’s schlepped along several network hops from the victim PCs to Fort Meade.

    Risk (i) will eventually lead to exposure even if the individual risk per op is quite small; you’re committing intrusions by the hundreds of millions.

    Risk (ii) is serious because you cannot assume that ALL the network carriers your intel traffic passes through will roll over and scrub their traffic logs when you ask them to.

    OTOH, tapping the datastream at a backbone ISP (traditional NSA methodology) involves essentially zero risk for the operation itself; if the ISP folds in the first place. They’re going to stick to the cover story you’ve handed them like grim death, because they’re now an accessory themselves. Same deal with traffic: the ISP is complicit from the git-go.

    • Charles II said

      On a mass scale, it might be a problem.

      But the NSA is able to isolate all encrypted e-mail. That’s one of the bases that they claim for hanging onto it.

      Since breaking encrypts takes resources, it wouldn’t be much of a step for them to decide they need to have access pre-encryption on people who use encryption.

      They can probably further narrow that substantially by excluding business to business communiques.

      At this point, they’re only pwning people who value their privacy.

      What am I not seeing?

      • Stormcrow said

        The part where the NSA decides which CPU(s) to poll, based on an encrypted email.

        Once that email passes outside of the perimeter of the sender’s trusted network, the packets that carry it no longer contain the MAC address of the original sending system. In fact, they’ll lose that at the very first router they pass through. It’ll get stripped off the packets and replaced by the MAC address of the system they’re being relayed through.

        By the time the encrypted email lands in the NSA’s “inbox” at Fort Meade, the most relevant bit of evidence those packets will contain is the value of the first non RFC-1918 IP address on their route. That’ll probably turn out to be a firewall or a perimeter router.

        In the case of a typical small SOHO network (like mine), it’ll be the IP of the WAN interface of the cable modem.

        How does the NSA backtrack to the encrypting CPU?

        On my network, that could be any one of about 6. The NSA knows nothing about any of them, from information in the packets themselves. And there’s nothing in the IT world like ATF Form 4473, that’s supposed to make firearm sales traceable. There’s no paper trail.

        All this leaves is physical inspection of the “suspect” systems.

        Black bag jobs DO NOT scale to hundreds of millions.

      • Charles II said

        So you’re saying it would work on CPUs that are not part of a network. Or that they could send a Trojan to map the network and deduce which CPUs to monitor.

        This sounds to me like a problem that a multi-billion dollar intelligence agency dedicated to signals intelligence could figure out. But I don’t claim to be a computer security expert.

      • Stormcrow said

        Postscript:

        Let’s suppose, for the sake of argument, that the NSA has some sort of protocol worked out, presumably in collusion with the CPU vendor(s), by which they can send “to whom it may concern” packets to my network to ask the CPUs to identify themselves.

        The model I’m using is ARP (Address Resolution Protocol), which routers use to translate destination IPs to destination MAC addresses. The network interface itself doesn’t understand IP addresses; it doesn’t process packets at that level. But its MAC address is in its own firmware. So if the correspondence between MAC and IP isn’t already known to the sending router, it’ll send out ARP packets to every IP on the network, asking “which of you is IP blah.blah.blah.blah?”. It uses the replies to freshen its tables with the absent MAC, then sends the packet out, with the right destination MAC prepended.

        Here’s the catch: this’ll be non-local traffic, without a prior solicitation from an internal system.

        A “default deny” firewall ruleset (you have to be an ignorant idjit to set up a firewall any other way) will drop it on the floor, and it’ll fail of ingress.

        But suppose it gets through – somehow.

        It WILL show up in the firewall logs if the firewall is set up properly.

        It’ll also show up on the internal network. It must, in order to do its job. Rig a spanning port on the switch right inside the firewall. Connect this to the “sensor” network interface of a sniffer (Wireshark) or an IDS. What they’ll see is inbound traffic without an outbound client requesting it. And strange traffic at that.

        Big red flag.

        The fun part is this: if only one out of 10,000 local networks is rigged this way, but the NSA is interrogating local networks by the millions, they out themselves fairly soon by sheer probability.

  3. MarkH said

    What it tells me is that our computers and our networks are woefully insecure, er unsecure.

Sorry, the comment form is closed at this time.

 
%d bloggers like this: