<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Nov 1, 2013 at 10:03 AM, Chris Snyder <span dir="ltr"><<a href="mailto:chsnyder@gmail.com" target="_blank">chsnyder@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="im">On Thu, Oct 31, 2013 at 2:45 PM, Mark Saad <span dir="ltr"><<a href="mailto:mark.saad@ymail.com" target="_blank">mark.saad@ymail.com</a>></span> wrote:<br>
<div class="gmail_extra"><div class="gmail_quote">
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Here is the entire story. <br>
</div><div><div><div><br><a href="http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/" target="_blank">http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/</a><br>
<br><br></div><div>So beware OpenBSD user , unplug your Mic and Speakers and never use USB !!!<span><font color="#888888"><br></font></span></div><span><font color="#888888"><div></div></font></span></div>
</div></div></blockquote></div><br></div><div class="gmail_extra"><br></div></div><div class="gmail_extra">Okay, sure, great Halloween FUD, ha ha ha. </div><div class="gmail_extra"><br></div><div class="gmail_extra">But all of the attacks, separately, are plausible, no? Even the crazy ultrasonic networking between infected laptops -- I'm a little surprised they didn't include passing QR codes by line-of-sight with the built-in webcam, but maybe that's in the next version.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Why shouldn't we be genuinely concerned about the upgradeable software resident in the bare metal of a server or locked-down workstation? Do our drivers provide sufficient protection against flaws in the proprietary subsystems they talk to? Or are those subsystems generally considered immune to attack?</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">If I wanted to exercise some paranoia, are there standard tools for discovering and checksumming the firmware on a system, to detect if it is tampered with over time?</div>
<span class=""><font color="#888888">
<div class="gmail_extra"><br></div><div class="gmail_extra">Chris Snyder<br><a href="http://chxor.chxo.com/" target="_blank">http://chxor.chxo.com/</a><br></div></font></span></div>
</blockquote></div><br><br><br></div><div class="gmail_extra">I like the idea for "passing QR codes by line-of-sight with the built-in webcam" If you like qr codes and fun with debugging check this out <br><br>
<a href="https://www.haiku-os.org/blog/mmlr/2012-07-01_qr_encode_your_kdl_output">https://www.haiku-os.org/blog/mmlr/2012-07-01_qr_encode_your_kdl_output</a> . The Haiku OS kernel debugger can print a qr code on the screen so someone can look up exactly what the issue was when the box crashed. So they say . It sounds very interesting and I am amazed that Android or iOS do not have this yet. <br>
</div><div class="gmail_extra"><br clear="all"></div><div class="gmail_extra">As for your question about checksumming firmware, you could take a look at flashrom <a href="http://flashrom.org/Flashrom">http://flashrom.org/Flashrom</a> . This super useful tool can dump the roms from a number of devices including system bios, network cards etc. From there you could checksum the output and track it. <br>
<br></div><div class="gmail_extra">Back to Ike's Gem of a story, the more I think about it the more this sounds real. I would not doubt that a 3GO has done this sort of hack , and why not who would look there. I am thinking we , NYCBUG, should start a company that makes LED lights that screw into normal sockets that contain a small arm or mips system . Spooks would love this crap. We'd make a fortune. :)<br>
<br></div><div class="gmail_extra">To Ed's point its not the java language that's bad; its the people who what to say the solution for your business problem is another language . Sure this can be a real issue, say your companies products are all coded in some obscure dialect of pascal, your head programer quits, and no one is capable of handing his work. This would be a good reason to think about recoding it in another language that your staff has better skills with. However, your company is not making enough money , you should use java/.net/cobol/php/ruby/BF/python/voodu/blackmagic is a bad idea. Its all the same to me its the means to make the product its not the product. Unless you are Sun, Oracle or IBM.<br>
</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br>-- <br><br>Mark Saad | <a href="mailto:mark.saad@ymail.com" target="_blank">mark.saad@ymail.com</a>
</div></div>