Re: CDR: Antivirus software will ignore FBI spyware: solutions

2001-11-26 Thread Sunder

Great and wonderful except:

1. If such spyware has already been installed on your system you can't
trust your os therefore:

a. It may use your OS to hide the key capture log, so you
   won't be able to just watch files.  Think of a kernel patch
   that removes all references to a specific file, not just
   sets it to be hidden.

b. It may use your OS to hide that the OS was altered if you
   decide to use a debugger by patching the debugger also, and
   when say "Finder" looks at the System file, it's really
   looking at the inactive original one, rather than the one
   that was patched. (or it could be an extension that hides
   itself and the capture file from the OS, etc.)

2. Any hard drive you can access so can they.  "They" can patch your
disk:

a. I'm not sure about newer MacOS's, but I remember that older
   MacOS's, those on 68k boxes stored driver code for the disk
   on one of the blocks on the drive, so even if your OS wasn't
   booted with the spyware, simply mounting that drive would
   load the driver, and anything that goes with it. 

   I had the experience of having such a driver getting corrupted
   back when I used a Mac. I recall I had to use special software
   to mount the disk without the old driver - actually to just zap
   the old driver off the disk and replace it.

b. If the malware is on your hard drive, it can propagate like
   a virus to your iPod.  Sanitize your OS, only to have it
   come back when you hook up said iPod.

3. Newer G3+ Macs use open boot prom or some such which lives in
eeprom.  Such things can be patched at that layer and can propagate on
bootup.  Booting off a read only disk (CDROM, etc) wouldn't help in this
case.

4. If you live in a crowded area, your iPod can be lifted off you
in a false mugging, or break in, pickpocketing while you're at a
restaurant, movie, etc.

5. Watching for files that change daily is a fool's task for the reasons
mentioned above, and the Sisyphean task it presents.  Better get the
equivalent of Cops or Tripwire to do the work for you, but they too can be
tampered with.  

6. If McAfee bent over to the Feds, you can be sure that so will the
makers of Zone Alarm and other firewalls.

7. Remember, they don't need to capture all your keystrokes.  Just the
ones you use as passphrases.  And they don't need to copy your whole hard
drive, though they easily could when you're out of the house.  Just your
secret key file and your passphrase.

8. If you shut off your computer when you leave your house, it makes their
job that much easier.  If you leave it on, they could note what's open and
put it back to the same spot.

9. If you use a login screen, etc., they could simply run something that
would take a snapshot of your desktop, shut down your Mac, install the
malware/copy your files, and then boot off of a floppy that displays the
screen you left up, plus a Type 1 Bomb (MacOS equivalent of blue screen of
death), and eject the floppy, thus making it look like your Mac crashed;
or simply go down to the basement and trip your circuit breakers, making
it look like you've had a power failure (even UPSes run out at some
point.)

10. Ordered any new copies of a bit of software?  Maybe they have a deal
with FedEx, UPS, the Mailman.  Maybe what you're getting is the upgrade
and then some.  How can you tell that copy of SmallTalk doesn't carry an
extra bit of code just for you?  How can you tell that the latest patch to
MacOS you've just downloaded really came from Apple?  Sure DNS said it was
from ftp.apple.com but how do you know that the router upstream from your
internet provider didn't route your packets via ftp.fbi.gov?

Once they have physical access, you're fucked.  Remote access is almost as
dangerous as them having physical access, however it can work in your
favor as they won't be as familiar with your environment, and thus are far
more likely to expose the malware to you.

Sure, all of these things are more or less preventable, except for
physical access, and a lot of these come down to trust and reputation.  
But reputation and trust are also rubber hose-able (if there is such a
word.)  :)

You can trust your best friend until you find out otherwise.  You can
trust your bank until you find out otherwise.  You can trust your software
provider until you find out otherwise.  But by the time you've found out,
if you've found out at all, you've already been fucked.

--Kaos-Keraunos-Kybernetos---
 + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\
  \|/  :aren't security.  A |share them, you don't hang them on your/\|/\
<--*-->:camera won't stop a |monitor, or under your keyboard, you   \/|\/
  /|\  :masked killer, but  |don't email them, or put them on a web  \|/
 + v + :will violate privac
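A keyed Tripwire-style integrity check of the kind point 5 refers to, as an added example that is not part of the thread. It assumes the HMAC key (and ideally the checker itself) lives on removable media you carry, which is what keeps the "they too can be tampered with" caveat in check for the stored baseline; it cannot see a file that a patched kernel hides from it (point 1a).

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def tag(digests, key):
    """HMAC over the serialized digest list, keyed with a secret kept off-host."""
    serialized = "\n".join(f"{p} {d}" for p, d in sorted(digests.items())).encode()
    return hmac.new(key, serialized, hashlib.sha256).hexdigest()

def make_baseline(root, key):
    """Snapshot the tree and tag the snapshot so later edits to it are detectable."""
    digests = hash_tree(root)
    return {"files": digests, "tag": tag(digests, key)}

def verify(root, baseline, key):
    """Return (ok, changes); a forged baseline is reported before any file diff."""
    if not hmac.compare_digest(tag(baseline["files"], key), baseline["tag"]):
        return False, {"baseline": ["tampered"]}
    old, now = baseline["files"], hash_tree(root)
    changes = {"modified": sorted(p for p in old if p in now and now[p] != old[p]),
               "added": sorted(p for p in now if p not in old),
               "removed": sorted(p for p in old if p not in now)}
    return not any(changes.values()), changes

def demo():
    """Constructed scenario: baseline a tiny tree, patch a binary, plant a log, recheck."""
    key = b"constructed-key-assumed-to-live-on-removable-media"  # assumption, not real
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "bin").mkdir()
        (Path(root) / "bin" / "login").write_bytes(b"original login binary")
        (Path(root) / "etc.conf").write_bytes(b"setting=1\n")
        baseline = make_baseline(root, key)
        (Path(root) / "bin" / "login").write_bytes(b"patched login binary")  # altered
        (Path(root) / ".capture.log").write_bytes(b"captured keys")  # planted file
        ok, changes = verify(root, baseline, key)
        # Editing the stored baseline without the key breaks its tag and is reported
        forged = {"files": dict(baseline["files"]), "tag": baseline["tag"]}
        forged["files"]["bin/login"] = hashlib.sha256(b"patched login binary").hexdigest()
        forged_ok, forged_changes = verify(root, forged, key)
        return ok, changes, forged_ok, forged_changes
```

Run it from a boot medium you trust rather than from the OS being checked, or a patched kernel can both hide the capture file and feed the checker the original bytes.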

Re: CDR: Antivirus software will ignore FBI spyware: solutions

2001-11-26 Thread mmotyka

Sunder <[EMAIL PROTECTED]> wrote :

>Great and wonderful except:
>
>1. If such spyware has already been installed on your system you can't
>trust your os therefore:
>[snip]
>
Yes - end of story.


>2. Any hard drive you can access so can they.  "They" can patch your
>disk:
>[snip]
>
The only way I can think of to prevent this is to have the disk
completely encrypted in which case you could safely give a copy to
anyone who wanted one. The BIOS shouldn't be trusted either. The problem
then is booting which could be done from some sort of card/dongle that
you carry with you that requires a (many-digit) PIN before it
regurgitates your boot code.

>3. Newer G3+ Macs use open boot prom or some such which lives in
>eeprom.  Such things can be patched at that layer and can propagate on
>bootup.  Booting off a read only disk (CDROM, etc) wouldn't help in this
>case.
>
Yup. Maybe a bootFLASH can be replaced with some SRAM which must be
downloaded from your key device before booting. Something like: power
up, hold processor in reset, remove boot SRAM from bus, load boot code,
switch boot memory to system bus, allow startup.

>4. If you live in a crowded area, your iPod can be lifted off you
>in a false mugging, or break in, pickpocketing while you're at a
>restaurant, movie, etc.
>
A physical device plus a PIN seems somewhat immune to that problem. In
fact you could keep multiple copies.

>5. Watching for files that change daily is a fool's task for the reasons
>mentioned above, and the Sisyphean task it presents.  Better get the
>equivalent of Cops or Tripwire to do the work for you, but they too can be
>tampered with.  
>
Mostly. 

>6. If McAfee bent over to the Feds, you can be sure that so will the
>makers of Zone Alarm and other firewalls.
>
Probably anything that is exported and some that aren't.

>7. Remember, they don't need to capture all your keystrokes.  Just the
>ones you use as passphrases.  And they don't need to copy your whole hard
>drive, though they easily could when you're out of the house.  Just your
>secret key file and your passphrase.
>
>8. If you shut off your computer when you leave your house, it makes their
>job that much easier.  If you leave it on, they could note what's open and
>put it back to the same spot.
>
Not if there is no code in the clear on the machine - no functional
BIOS, no usable HDD.

>9. If you use a login screen, etc., they could simply run something that
>would take a snapshot of your desktop, shut down your Mac, install the
>malware/copy your files, and then boot off of a floppy that displays the
>screen you left up, plus a Type 1 Bomb (MacOS equivalent of blue screen of
>death), and eject the floppy, thus making it look like your Mac crashed;
>or simply go down to the basement and trip your circuit breakers, making
>it look like you've had a power failure (even UPSes run out at some
>point.)
>
With the BIOS and HDD encrypted off is safe.

Might be a neat little gizmo with a keypad. BIOS is encrypted on the
motherboard. Boot memory is SRAM that is lost when power is removed
(lost short of extreme detection measures, that is). The little gizmo
reads the encrypted BIOS, decrypts and transfers it to boot SRAM.

>10. Ordered any new copies of a bit of software?  Maybe they have a deal
>with FedEx, UPS, the Mailman.  Maybe what you're getting is the upgrade
>and then some.  How can you tell that copy of SmallTalk doesn't carry an
>extra bit of code just for you?  How can you tell that the latest patch to
>MacOS you've just downloaded really came from Apple?  Sure DNS said it was
>from ftp.apple.com but how do you know that the router upstream from your
>internet provider didn't route your packets via ftp.fbi.gov?
>
>Once they have physical access, you're fucked.  Remote access is almost as
>dangerous as them having physical access, however it can work in your
>favor as they won't be as familiar with your environment, and thus are far
>more likely to expose the malware to you.
>
>Sure, all of these things are more or less preventable, except for
>physical access, and a lot of these come down to trust and reputation.  
>But reputation and trust are also rubber hose-able (if there is such a
>word.)  :)
>
>You can trust your best friend until you find out otherwise.  You can
>trust your bank until you find out otherwise.  You can trust your software
>provider until you find out otherwise.  But by the time you've found out,
>if you've found out at all, you've already been fucked.
>
Maybe just installing an OS you got as a binary is all it takes to be
F'd. Maybe rebuilding that OS with an F'd compiler propagates the
effedness.

If you have everything encrypted until your key device readies it for
boot then you could run a F'd BIOS, OS and apps as long as you kept the
system isolated. Let it log all it wants. Sounds like a good sentence
for a Windows box.

Mike




Re: CDR: Antivirus software will ignore FBI spyware: solutions

2001-11-26 Thread measl


While it's of little help to M$ lusers, those of us in the *nix world can
use CDROM based filesystems for all but the user data.  Yes, you may be
compromised, but it won't change any code (which is definitely *not* to
say that you aren't in danger from loss of passphrases, etc.) - at least
on sensitive machines. 

I have been using this technique on FreeBSD systems for a little under two
years now (yes, you need to build several copies of your root system :).

 -- 
Yours, 
J.A. Terranson
[EMAIL PROTECTED]

If Governments really want us to behave like civilized human beings, they
should give serious consideration towards setting a better example:
Ruling by force, rather than consensus; the unrestrained application of
unjust laws (which the victim-populations were never allowed input on in
the first place); the State policy of justice only for the rich and 
elected; the intentional abuse and occasionally destruction of entire
populations merely to distract an already apathetic and numb electorate...
This type of demagoguery must surely wipe out the fascist United States
as surely as it wiped out the fascist Union of Soviet Socialist Republics.

The views expressed here are mine, and NOT those of my employers,
associates, or others.  Besides, if it *were* the opinion of all of
those people, I doubt there would be a problem to bitch about in the
first place...