We don't deny altering hardware. In fact, if we (likely) install backdoors into hardware used by foreign intelligence targets; but don't worry, we're not interested in the casual user. As the US Government relies on commercial hardware, we make sure that only the US Government can access the backdoors. We're angry that this was made public, and we can't prove that it jeopardizes human lives.
It also sheds some new light on the "China-hardware is bad for you" media campaign that was run right before Snowden happened. It seems that not buying American means keeping the American intelligence community out of one's network.
But I guess you _actually_ can't trust the Chinese either. That doesn't leave many hardware vendors for heavy-duty network equipment to choose from.
This reminds me of a story about a TOR developer who suspected her keyboard from Amazon was intercepted and implanted, because the redirection was included in the delivery log. Seems quite likely it was, in light of Glenn's latest slides release.
How much hardware is actually made in the USA anymore? Most HW is manufactured in Taiwan, China, Korea, Thailand, Malaysia or maybe Mexico. I used to work for a router manufacturer that manufactured all of its equipment in Taiwan and Mexico. When we shipped to someone in Europe (for example) we shipped directly from Taiwan to Europe, not through the US. So I have to wonder how much of this stuff the NSA could actually get their hands on.
The other question I have is what happens when there is an RMA, or the equipment is sent back for repair? Might someone notice that it's been tampered with? We need more specifics to really understand what was going on here. So many questions, no real answers.
This is not based upon any particular knowledge or expertise, but upon many years of casual observation, general news reporting, and anecdote from friends and whomever: Given their position as well as long-standing ties both politically and militarily as well as economically, I have to -- in my own mind -- seriously question the independence of anything of real interest to the U.S., that's happening in Taiwan.
I don't mean that the Taiwanese aren't their own people with their own interests; nonetheless, I would expect to find their various systems rather thoroughly and effectively infiltrated.
Again, I don't have any real knowledge in this regard. I'd welcome more knowledgeable comments in response to mine.
I simply cannot fathom how the NSA could hope to intercept and physically mess with every single piece of $10 to $10,000 router sold.
If true, and I have a hard time believing it is not, either this is done at the design level (and not just on router chips), or only for big ticket backbone and/or enterprise equipment.
I'm not sure how much is shipped directly from the overseas manufacturer to the customer. However, the NSA could be intercepting RMA hardware as well.
What are the hidden router capabilities being exploited here? What piece of COTS hardware couldn't be exploited by an attacker with unlimited physical access to it prior to delivery?
Rumors about this have been around for a long time but as far as I know, nobody has proven anything.
The safest guess right now is that if an American intelligence agency wants to infiltrate your corporate network, they'll take the IPMI route. With that they probably wouldn't even have to rely on a backdoor but could use the existing security holes.
If you have the ability to insert backdoors on widely used hardware with no realistic alternative implementations, without anyone other than a very select few (who all have plenty to lose if they reveal anything) knowing about it; AND the only thing you'll use it for is National Security (preventing someone from building a nuke to drop on your country), why would you NOT go through with it?
How can we protect ourselves from this type of interception? It seems impossible. Why would any non-American customers buy US-made devices? Any protections that are added can/will be bypassed if the US gov gets physical access (or even remote).
Just about the time of the previous revelation of computers from outside the US being intercepted by TLAs, my new Lenovo was delayed for a long time in some customs facility (according to UPS tracking).
Software is not a concern as I blew away the preinstalled and put a relatively trusted OS on. But hardware - I haven't had time to look into it but I'm still wanting some sort of guide on what to look for after unscrewing the case.
I wish they posted more details surrounding the implants, what they can do, and how they work. Knowing this would help us detect when devices were compromised.
"Do you mean a car designed in the US and built in China, or a Japanese car built in Ohio?" I'm pretty sure that given how few choices of mainstream hardware there are you are screwed no matter what you buy.
I've started doing the same. Of course, I wouldn't be shocked if either or both of the following were true:
1. Other countries collude with America in this practise;
2. Other countries are also practising this.
Open source is a potential solution to this problem. It doesn't guarantee security (Heartbleed, anyone?), but it does allow anyone, anywhere, any time (assuming capability) to verify. My router runs OpenWrt, so I feel safer.
tomp|12 years ago
sentenza|12 years ago
beejiu|12 years ago
http://www.techdirt.com/articles/20140124/10564825981/nsa-in...
danielweber|12 years ago
hnha|12 years ago
yanofsky|12 years ago
smutticus|12 years ago
pasbesoin|12 years ago
intslack|12 years ago
Here's the source, but be warned that this is a 90 MB pdf: http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPl...
stuki|12 years ago
eyeareque|12 years ago
uptown|12 years ago
tptacek|12 years ago
sentenza|12 years ago
stuki|12 years ago
eyeareque|12 years ago
ds9|12 years ago
eyeareque|12 years ago
dang|12 years ago
Faust1985|12 years ago
IgorPartola|12 years ago
jon_black|12 years ago
higherpurpose|12 years ago