[nycbug-talk] Happy Halloween, here is some wacky Horror story

Mark Saad mark.saad at ymail.com
Fri Nov 1 11:10:14 EDT 2013

On Fri, Nov 1, 2013 at 10:03 AM, Chris Snyder <chsnyder at gmail.com> wrote:

> On Thu, Oct 31, 2013 at 2:45 PM, Mark Saad <mark.saad at ymail.com> wrote:
>> Here is the entire story.
>> http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
>> So beware OpenBSD user , unplug your Mic and Speakers and never use USB
>> !!!
> Okay, sure, great Halloween FUD, ha ha ha.
> But all of the attacks, separately, are plausible, no? Even the crazy
> ultrasonic networking between infected laptops -- I'm a little surprised
> they didn't include passing QR codes by line-of-sight with the built-in
> webcam, but maybe that's in the next version.
> Why shouldn't we be genuinely concerned about the upgradeable software
> resident in the bare metal of a server or locked-down workstation? Do our
> drivers provide sufficient protection against flaws in the proprietary
> subsystems they talk to? Or are those subsystems generally considered
> immune to attack?
> If I wanted to exercise some paranoia, are there standard tools for
> discovering and checksumming the firmware on a system, to detect if it is
> tampered with over time?
> Chris Snyder
> http://chxor.chxo.com/

I like the idea for "passing QR codes by line-of-sight with the built-in
webcam". If you like QR codes and fun with debugging, check this out:

https://www.haiku-os.org/blog/mmlr/2012-07-01_qr_encode_your_kdl_output
The Haiku OS kernel debugger can print a QR code on the screen so someone
can look up exactly what the issue was when the box crashed. So they say.
It sounds very interesting and I am amazed that Android or iOS do not have
this yet.

As for your question about checksumming firmware, you could take a look at
flashrom http://flashrom.org/Flashrom . This super useful tool can dump the
ROMs from a number of devices including system BIOS, network cards etc.
From there you could checksum the output and track it.

Back to Ike's gem of a story, the more I think about it the more this
sounds real. I would not doubt that a 3GO has done this sort of hack, and
why not, who would look there? I am thinking we, NYCBUG, should start a
company that makes LED lights that screw into normal sockets that contain a
small ARM or MIPS system. Spooks would love this crap. We'd make a
fortune. :)

To Ed's point, it's not the Java language that's bad; it's the people who want
to say the solution for your business problem is another language. Sure,
this can be a real issue: say your company's products are all coded in some
obscure dialect of Pascal, your head programmer quits, and no one is capable
of handling his work. This would be a good reason to think about recoding it
in another language that your staff has better skills with. However, "your
company is not making enough money, you should use
java/.net/cobol/php/ruby/BF/python/voodoo/blackmagic" is a bad idea. It's all
the same to me; it's the means to make the product, it's not the product.
Unless you are Sun, Oracle or IBM.


Mark Saad | mark.saad at ymail.com
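
One way to do the "checksum the output and track it" step suggested above, as an added example that is not part of the original email. The function names and the baseline file format are assumptions made for this illustration; the dump files are expected to come from two consecutive reads such as `flashrom -p internal -r bios-1.bin` and `flashrom -p internal -r bios-2.bin`, run as root.

```shell
#!/bin/sh
# Added example: track SHA-256 digests of firmware dumps against a baseline.
# Baseline format (an assumption of this example): "<sha256>  <label>" per line.

# fw_hash FILE: print the SHA-256 hex digest of FILE (Linux or BSD tooling).
fw_hash() {
    [ -r "$1" ] || return 2
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# fw_stable_read DUMP1 DUMP2: succeed only if two consecutive reads of the
# same chip are byte-identical, so a flaky read is not recorded as tampering.
fw_stable_read() {
    a=$(fw_hash "$1") || return 2
    b=$(fw_hash "$2") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# fw_check LABEL DUMP BASELINE: print NEW, MATCH or CHANGED.
# Returns 0 for NEW/MATCH, 1 for CHANGED, 2 if the dump cannot be read.
# A CHANGED result leaves the baseline untouched so the old digest survives.
fw_check() {
    label=$1; dump=$2; baseline=$3
    now=$(fw_hash "$dump") || return 2
    [ -n "$now" ] || return 2
    [ -f "$baseline" ] || : > "$baseline"
    old=$(awk -v l="$label" '$2 == l {h=$1} END {print h}' "$baseline")
    if [ -z "$old" ]; then
        printf '%s  %s\n' "$now" "$label" >> "$baseline"
        echo NEW
    elif [ "$old" = "$now" ]; then
        echo MATCH
    else
        echo CHANGED
        return 1
    fi
}
```

Keep the baseline file somewhere the monitored machine cannot rewrite. A whole-chip digest can also change for benign reasons, since firmware settings are commonly stored in the same flash, so a CHANGED result is a prompt to diff the two dumps rather than proof of tampering.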