[mdlug] [Fwd: [opensuse-offtopic] And now the Manchurianmicrochip]

Aaron Kulkis akulkis00 at gmail.com
Tue Feb 3 17:46:04 EST 2009


Ingles, Raymond wrote:
>> From: Joseph C. Bender
> 
>> This article is full of fear and devoid of information.
> 
>  Yes on one, and very close on two. There's *almost* no information, and
> plenty of disinformation. Sticking an entire 'call home' module into a
> bunch of systems is effectively impossible. (What, you're gonna hardcode
> an IP address? And squeeze an entire IP stack, OS and hypervisor into
> the microcode?)
> 
>  The more limited tweaks I mentioned (e.g. providing small deliberate
> flaws to get around memory protection) *are* possible, but difficult. If
> I were China, I'd at least be researching the possibility. It would
> offer a way for malware to get past a lot of intrusion detection
> systems, which would be very valuable for espionage.
> 
>  The article is overblown, and off-target. It exaggerates a real threat,
> and actually makes acknowledging or dealing with the real threat more
> difficult. Consider what you have to worry about when you have to be
> paranoid:
> 
>  http://cm.bell-labs.com/who/ken/trust.html
> 
>  Note what he says there: "A well installed microcode bug will be almost
> impossible to detect."
> 
>> If such functionality is there, one would expect to be able to find
>> information on detection of such hardware and how it might phone home,
>> so that network defenses could potentially be constructed to combat
> the
>> problem.
> 
>  In espionage, sometimes you don't plug a hole. Because if you know it's
> there - and They don't know that you know - you can control what goes
> out that hole, and feed Them the information you want Them to believe.
> More, if They find out the hole is plugged, They'll try to open up
> another one... and you might not find out about that one.
> 
>  Plus, *if* such holes were found, the U.S. could use them on *other*
> countries, too...
> 
>  I'm not saying this is actually what's going on. I think the actual
> threat is probably a lot smaller than the article makes it out to be,
> but it's not zero.
> 

According to a reply I received, from someone who happens to be an
officer stationed in S. Korea, the article only scratches the surface.

Apparently, DOD has proof.



More information about the mdlug mailing list