Maybe interesting:
(Reuters) - The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.
http://www.reuters.com/article/2015/02/16/us-usa-cyberspying-idUSKBN0LK1QV20...
With regards, Paul van der Vlis.
Thanks for referring to an article, as I only heard about it briefly.
This only seems logical in light of the eavesdropping devices installed in products whilst in shipment, and the announcement last week about leaking software keys. Also the research of BadUSB has shown what kind of integrated systems are possible. http://hackaday.com/2014/10/05/badusb-means-were-all-screwed/
I guess there are many ways in which the security can be improved. For example, explicitly approving the features a USB device can use. Or storing hashes of all files on disk on another storage device to notice malicious behaviour by the disk, or refraining from using keys used in a SIM card when messaging. As much as I'd like to fully trust all the systems produced, all processes are vulnerable to attack and thus we have to be cautious.
By having as much of the hardware and software stack verified or verifiable as possible, it becomes harder to hide such malicious programs. Especially if the interfaces are clearly defined and strictly implemented. In that regard it is wonderful that an open processor is being worked on http://www.lowrisc.org/ and that there exists a formally verified free software kernel http://l4hq.org/projects/kernel/
Thanks for sharing the article, Nico Rikken
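The suggestion above of storing hashes of all files on another storage device, sketched as an added example that is not part of the original thread. The function names, the JSON manifest format and the two temporary directories standing in for the disk and the second device are assumptions.

```python
import hashlib, json, tempfile
from pathlib import Path

def hash_file(path, chunk=1 << 20):
    """SHA-256 of one file, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each regular file under root (relative path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.is_symlink()}

def save_manifest(root, manifest_path):
    """Write the baseline; manifest_path should live on the other device."""
    Path(manifest_path).write_text(
        json.dumps(build_manifest(root), indent=1, sort_keys=True))

def verify(root, manifest_path):
    """Compare the disk's current contents with the stored baseline."""
    old = json.loads(Path(manifest_path).read_text())
    new = build_manifest(root)
    return {"modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
            "missing": sorted(old.keys() - new.keys()),
            "added": sorted(new.keys() - old.keys())}

def demo():
    """Constructed sample: temp dirs stand in for the disk and the second device."""
    with tempfile.TemporaryDirectory() as disk, tempfile.TemporaryDirectory() as other:
        disk, baseline = Path(disk), Path(other) / "manifest.json"
        files = {"boot/loader.bin": b"\x7fELF-original",
                 "etc/hosts": b"127.0.0.1 localhost\n", "notes.txt": b"hello\n"}
        for name, data in files.items():
            (disk / name).parent.mkdir(parents=True, exist_ok=True)
            (disk / name).write_bytes(data)
        save_manifest(disk, baseline)
        (disk / "boot/loader.bin").write_bytes(b"\x7fELF-tampered")  # content changed
        (disk / "notes.txt").unlink()                                # file removed
        (disk / "etc/extra.conf").write_bytes(b"x=1\n")              # file appeared
        return verify(disk, baseline)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison only sees what the drive returns when the files are read, and the baseline is only as trustworthy as the device it is kept on.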
Hi Paul,
Thank you for sharing the article.
It's a shame how people at 'security' are putting other people in a cat-and-mouse game, forcing them to monitor them and take action at their own expense.
As they don't belong to the scrupulous, what about the scenario where you watch the endorsed hardware page on FSF [1], buy a laptop from there, and they halt it at the post and infect it with something bad without anyone knowing it? How would you know?
Best Regards,