[mdlug] [Fwd: [opensuse-offtopic] And now the Manchurian microchip]

Ingles, Raymond Raymond.Ingles at compuware.com
Tue Feb 3 08:33:56 EST 2009


> From: Joseph C. Bender

> This article is full of fear and devoid of information.

 Yes on one, and very close on two. There's *almost* no information, and
plenty of disinformation. Sticking an entire 'call home' module into a
bunch of systems is effectively impossible. (What, you're gonna hardcode
an IP address? And squeeze an entire IP stack, OS and hypervisor into
the microcode?)

 The more limited tweaks I mentioned (e.g. providing small deliberate
flaws to get around memory protection) *are* possible, but difficult. If
I were China, I'd at least be researching the possibility. It would
offer a way for malware to get past a lot of intrusion detection
systems, which would be very valuable for espionage.

 The article is overblown, and off-target. It exaggerates a real threat,
and actually makes acknowledging or dealing with the real threat more
difficult. Consider what you have to worry about when you have to be
paranoid:

 http://cm.bell-labs.com/who/ken/trust.html

 Note what he says there: "A well installed microcode bug will be almost
impossible to detect."

> If such functionality is there, one would expect to be able to find
> information on detection of such hardware and how it might phone home,
> so that network defenses could potentially be constructed to combat the
> problem.

 In espionage, sometimes you don't plug a hole. Because if you know it's
there - and They don't know that you know - you can control what goes
out that hole, and feed Them the information you want Them to believe.
More, if They find out the hole is plugged, They'll try to open up
another one... and you might not find out about that one.

 Plus, *if* such holes were found, the U.S. could use them on *other*
countries, too...

 I'm not saying this is actually what's going on. I think the actual
threat is probably a lot smaller than the article makes it out to be,
but it's not zero.

 Sincerely,

 Ray Ingles                                   (313) 227-2317

  "No federal income tax was assessed before 1913, because
  government didn't require the kind of dough it needs now
         that it's running a concierge business."
 - Bill Maher, "When You Ride Alone You Ride With bin Laden"