Researchers Demo BIOS Attack That Survives Disk Wipes
suraj.sun writes "A pair of Argentinian researchers have found a way to perform a BIOS level malware attack capable of surviving even a hard-disk wipe.
Alfredo Ortega and Anibal Sacco from Core Security Technologies used the stage at last week's CanSecWest conference to demonstrate methods (PDF) for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts. The technique includes patching the BIOS with a small bit of code that gave them complete control of the machine. The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player."
i think the news story is that the bios is infectable? i'm not sure.
used the stage at last week's CanSecWest conference to demonstrate methods for infecting the BIOS with persistent code that will survive reboots and re-flashing attempts.
The fact that the BIOS is in a chip is not news. News is they've infected it.
Any life is made up of a single moment, the moment in which a man finds out, once and for all, who he is.
Would this affect only Intel, or is this entirely unrelated to this previous article?
http://it.slashdot.org/article.pl?sid=09/03/19/179228
Some people are only alive because it's against the law for me to hunt them down and kill them.
preinstalled, on ASUS boards: it was the BIOS itself. It too survived hard disk wipes, but it didn't survive my sledgehammer.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
"Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope."
Hmm, I'd say you are pretty much pwned in that case even before the attacker infects the BIOS.
U+F8FF
It's official - we're screwed.
Happy news for most of the nerds on this site who sigh and collectively whisper "Finally!"
Seven puppies were harmed during the making of this post.
If BIOSes, CPUs, and other low-level software had factory-reset pins that could not be bypassed through patching, we wouldn't have these problems.
If the pin is set during POST, the CPU, BIOS, or whatever would reset itself to factory conditions. The device would be configured so the factory-reset sequence could not be tampered with through software updates alone.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Of course you can infect a BIOS. It has drawbacks, however. One is very limited space. A second one is that BIOSes flash differently on different mainboards. Maybe not too differently, which would be a real problem. Hopefully, there is not enough space in the average BIOS for self-replication (which would need exploit code and flasher code at least).
The fact that this is possible is mildly entertaining, nothing revolutionary. Would have been possible (and obviously possible) with the first Flash BIOSES around.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
/golfclap
What were the editors thinking of when they wrote "perform unveil"?
If the BIOS were not hackable, replacing the drive and resetting the boot sequence, BIOS password, and other settings would be sufficient to re-own your machine.
Of course, if your BIOS password were changed, you'd be out of luck, but at least you'd know it.
So, you patch in some code into the BIOS. Would you be overwriting some functionality to accomplish this? If so, by checking said functionality, could you tell if your BIOS has been corrupted? Such as something simple as seeing if some keyboard functionality still exists (CTRL-ALT-something) or a utility program that iterates through BIOS interrupts and sees if the proper return codes and values come back in the registers?
Wait, you want me to open a PDF from folks who know how to create such a supervirus? Hmm.
Is this a news report or a trailer for a motion picture?
A quick Google shows BIOS malware going back some time, so I don't know what's so different about this one...
Need an ISP in South Africa?
So what's the only way to be sure?
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
Happy news for most of the nerds on this site who sigh and collectively whisper "Finally!"
Don't know about you, but I like to be the one doing the screwing.
We've had evil viruses around for a while. Anyone remember
W95.CIH? Back in the Windows 95 days, this mean son of a bitch could nuke your BIOS from orbit. And we're talking over a decade ago.
Computers are still chugging along fine. This will probably end up breaking more computers than it ends up hijacking. A broken computer is one that gets flagged and fixed or thrown away.
Isn't there some sort of Open Source BIOS initiative out there? I wonder if it too is affected by this exploit.
It would seem that this is a pretty major exploit if it can be pulled off remotely against the different flavors of BIOS. I mean, unlike a thumb drive, you couldn't simply add a little write lock button on the motherboard to lock the bios into read only mode, could you? The BIOS reads a lot of values from the system as it is booting and after the OS is loaded, so I can't see how you could simply lock down the BIOS to prevent unauthorized writes to it.
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
OK, that bolded part is pretty cool and suggests a serious flaw.
I am looking for when an exploit is installed using electromagnetic induction, not just reading the bits remotely but modifying them.
I can see it now. Everybody's computer will come preinstalled with a Faraday cage.
Looks like instead of whack-a-mole we are playing whack-a-hole.
I regret that I only have one mod point to give per post.
"The demo ran smoothly on a Windows machine, a PC running OpenBSD and another running VMware Player." If it's an attack on the BIOS, why would it be dependent on the OS?
Not totally.
On one hand:
Sacco and Ortega stressed that in order to execute the attacks, you need either root privileges or physical access to the machine in question, which limits the scope.
Which makes the attack more difficult in operating systems which do not allow users to run with Administrative rights all the time.
But the methods are deadly effective and the pair are currently working on a BIOS rootkit to implement the attack.
I can imagine that; all you need is ONE-time root access to "install" the BIOS instructions and fsck the machine. After that, you are pretty much in control of what comes next.
In some way, I find this similar to the viruses that infected the Master Boot Record, just a bit more interesting...
On the other hand, this will just trigger a bios-patch / virus-release cat and mouse game similar to the standard viruses.
Ubuntu is an African word meaning 'I can't configure Debian'
I was with the summary until that last part... A Windows machine, I can accept that. An OpenBSD machine, I can accept that too. But another machine running VMware Player? That's not an OS, so I don't even know what they were trying to say.
Overclockers
I've found Intel's EFI strategy to be annoying and fragmented. The EFI shell is very DOS-like, has very poor performance for the frame-buffer devices and leaves a lot to be desired. However, it is likely to become de facto.
I did most enjoy the Alpha systems' SRM. Alpha SRM had quite a few features for a "BIOS" of sorts.
The Sun and Apple OpenFirmware (OpenBoot) systems were probably the closest the world got to a sane pre-boot environment. OpenFirmware also has the distinction of being an actual standard, IEEE 1275-1994. Unfortunately, they (Sun and Apple mainly) did not help the "Linux guys" or the open community until it was too late, and protected nearly worthless intellectual property for no good reason (worthless in the sense that it's not monetizable).
Now, I have long found the concept of the PC BIOS annoying. The BIOS vendors, like Phoenix, American Megatrends and Award, have a lot of collusion with the motherboard vendors in terms of getting all the secret register-poking needed to get things going. There is a lot of black magic, legacy code and the like, but it works.
It will be very hard for a non-Phoenix/AMI/Intel vendor to come up with a new BIOS for the ages. The LinuxBIOS (coreboot) project, last I checked, had very poor support, and no major vendor (e.g. Dell or HP) has looked into it seriously.
The world lost when EFI eclipsed OpenFirmware's chances of spreading. Now we are stuck with a half-assed DOS-like shell, a still-extant BIOS-like menu screen that the Intel motherboards provide, and judging from the number of revisions and the release notes on the various Intel EFI boards, we may have been better off with AMI/Phoenix's secret sauce and black magic than this EFI cruft.
In the age of 2TB+ volumes it is probably inevitable that we are going to all be using EFI very soon (along with GPT).
I do not foresee Coreboot or OpenBIOS or OpenFirmware making any real progress in pushing out EFI unless Asus or Lenovo sees the utility in having a real pre-boot environment.
Not only do you need root or physical access, you also need the victim to be using a particular type of BIOS. While you could abstract this up to a module, so that it nailed all Phoenix BIOSes, or all Award BIOSes, you'd still need semi-specific payloads for each BIOS OEM. Also, you'd need the target to be using a mainstream commercial BIOS, not UEFI, OpenFirmware, or anything similar.
UEFI will be here and widespread very soon (it's in some machines already, and more every day), and the only real power this 'new' malware has is the persistence/difficulty in removal.
Not impressed.
The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
And here I thought that all the virus writers were just wimps using XSS and Word macros to run generic malware. I wondered where the old school BIOS viruses had gone.
Check out my sysadmin blog!
You mean, like the BIOS-induced "Flash Write Protect" option in virtually every single BIOS ever made in the last ten years or so?
On April 26, 1999, I turned on my computer, and it met me with a black screen. Turned out that my BIOS was flashed because of this virus: http://en.wikipedia.org/wiki/Chernobyl_virus . Had to re-flash the BIOS. Obviously the BIOS could have been loaded with something else other than simply erased.
LiFe iS bEAuTiFul
I thought since that really nasty virus that would brick PCs by writing to BIOSes that every mobo maker put in write protection that, if enabled, would halt the system when something tried to write to the BIOS.
Wouldn't this prevent this kind of attack?
I'm always stunned to read about "researchers" discovering and demonstrating attacks and security flaws that not only have long existed in the wild but that are in fact very commonly found on computers. This particular one hit me years ago and I've since seen it all over the place. Similarly, there's a great hoohah about the supposedly innovative confickers worming around the web. Reading through the reports you wouldn't know the same techniques have been common (with more effort made at cross-platform and hardware-level exploitation) for at least four or five years. I just wonder how often these people look at actual systems to see whether they're compromised, as opposed to assuming they're okay. When I look at people's computers, they're essentially always polluted. The questions are only how bad and by whom.
Let me get this straight:
It pretty much requires physical access and root. If a malicious person gets that sort of access, I'm screwed anyway.
Ok, so I'm not too worried about anyone installing this on my computer without my knowledge.
What I am interested in is the sort of equipment-tracking possibilities this creates. If I could install a tracking rootkit on a laptop which could silently persist and survive disk wipes and ROM flashes, automatically reporting in whenever it gets net access, it would be a huge advantage if the machine were ever stolen. An OS reinstall is likely, because it's a simple way to circumvent the user account password, but this would even protect against a BIOS flash (which is less likely, but still not out of the question).
Eventually, somebody somewhere would hook the laptop up to the web, probably with a completely fresh OS install, and a subpoena on the IP would reveal their location.
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
Why the heck not? They used to be the standard. But, people found it ANNOYING. So, it's a much touted feature that the modern BIOS can be rewritten by anybody, without direct access to the machine. My first flashable BIOS, you had to make a boot disk with the new BIOS image, and flashing tool. Then you had to turn the PC off and open the case. Then you had to short the "Write BIOS" jumper. Put the jumper from "OFF" to "ON" for 3+ seconds, then move it back onto the "OFF" pegs. This made it so that the BIOS will accept writes on the next reboot only. You cannot leave the jumper on the "ON" pegs or it won't post, thus preventing you from forgetting about it and leaving the BIOS writable.
Anyways, my new board has two BIOS chips. One is read only I think. There's allegedly a jumper I can set to make it bypass the primary BIOS. It's for recovering from an interrupted or bad patch, but I imagine it would work just fine for removing a BIOS virus, too. (I say allegedly because I've never had cause to look for it).
An Open Source BIOS would not be immune to this, at least, depending on how it works. It patches its own code in. Now, that means on an Open Source BIOS, it could work fine, either because the same code is in the same spot, or because the virus looks for the right spot instead of always writing the same address. Or it could completely trash the BIOS. Either way you're screwed! There's also possibility #3 that it would patch over unused blocks and have no effect, or it would be unable to find the right spot to patch, and so do nothing.
ASCII stupid question, get a stupid ANSI
-1, Ewwwww
Sounds like they've somehow written a BIOS that detects code that would overwrite it and either kills the code, causes it to silently fail, or silently infects the new BIOS.
Obviously a failed BIOS flash would be suspicious; a silent fail would be slightly harder to notice. If they could somehow infect the new BIOS, it'd be truly devious and almost impossible to detect.
Controls everything about the machine...
Every flash upgradeable BIOS needs a monitor program to upgrade the BIOS itself. Typically that monitor program resides in a separate block in flash and is rarely updated (depending on the programmers, of course!). Putting this monitor program in ROM would allow you to solve this and always allow you to update the BIOS.
A picture is worth exactly 1024 words.
I boot without a bios - by toggling in raw machine code from the front panel switches!
This issue is a bit more complicated than you think.
Does anyone use EFI outside of Apple and IA64 based machines?
Microsoft doesn't support EFI, even though Vista promised support for it... EFI is really only of benefit to run OS X or possibly Linux.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
If it works well then it will silently infect lots of machines...
A virus that destroys its host is pretty ineffective at spreading, because it gets noticed and destroys its host that might have been usable to bring it to more victims.
You're being watched . . .
This is a brilliant idea. To make it better, we will eventually want to allow this program on the motherboard to take updates. Of course at this point we will need another program to monitor the updates to our program that monitors the updates to the bios. To make that better, it will also have to take updates...
The "backup copy" could be nothing more than a bootstrap loader that re-loads and validates a fresh copy of the "working" BIOS from a known location, such as a hard drive, USB stick, or network.
Even with large flashes, this "backup BIOS" shouldn't take up much space.
ISTR firmware viruses infecting C64 floppy disk drives......
After reading the article, I don't think this is novel or new, rather a friendly reminder that firmware viruses are still a potential threat.
LedgerSMB: Open source Accounting/ERP
tl;dr
Bolded part is also part of the poorly written summary. Are we just reading headlines now? Ugh.
Why bother commenting without even reading the summary?
You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
What's so gross about hardware hacking?
Heh this did happen to me a few times, very cool virus. From then on I pulled my BIOSes and cut the write-enable pin off the chips, no problems then.
Tsunami -- You can't bring a good wave down!
My fear is that it's possible to get the bios directly from the factory in China pre-loaded with a virus 'back-door'. I doubt the Chinese have any use for MY computer, but I'm pretty sure nearly all the PCs in the US government and military come from China, and I suspect the Chinese may have an interest in them.
Just put a flash jumper on the motherboard that must be set to be able to flash the BIOS. Seems to completely solve the problem.
The fact that this was allowed to happen is clearly a defect in design, materials, or workmanship.
Some machines have a jumper that needs to be set in order to make the bios writable, otherwise it is readonly and there's nothing you can do to it.
Signing the BIOS would just cut out third parties like LinuxBIOS...
Your female acquaintances...
FTFY
ISTR firmware viruses infecting C64 floppy disk drives......
Nothing that would survive a power-cycle, though. That was before we had flash memory - it was either true ROMs or UV-erasable EPROMs.
Flash that can be re-programmed by "in-band" communication (vs. a dedicated maintenance channel like JTAG) is convenient but it is also very risky. I'm glad to see that this issue is getting more publicity. Maybe now we'll see a shift back to hardware write-protection, like a physical jumper inside the PC that has to be connected before you can re-flash the BIOS.
It's not just BIOS either. Your hard drive has reprogrammable firmware (see the recent Seagate bugs). Your wireless adapters (including bluetooth) may have reprogrammable firmware. There's plenty of opportunity for someone with the right knowledge to compromise your system.
Not exactly the solution for a tweaker/updater or those who like to be on the front-line of motherboard tech (when BIOS patches are necessary).
There's a serious difference between nuking a BIOS and infecting it. A disease doesn't survive long if it instantly kills whoever it infects. Same thing with a computer virus. The news is that this isn't like the W95.CIH bug, it doesn't kill the host, it just embeds itself so deeply that it is near impossible to remove and just keeps spreading, like the Herpes virus in humans.
My blog. Good stuff (when I remember to update it). Read it.
Buy a Dell / an Intel motherboard.
Install the shitty Intel thing that no one installs.
Intel has been pushing their out-of-band management shit for ages. Now, it may finally have a use (until it is exploited as well).
I guess guys with thin cocks can really spell.
I wouldn't know. That was Firefox's spellcheck.
they develop a method that survives a bout with a chip puller.
lose != loose
i'm still trying to figure out what the creepy japanese girl with the long hair was doing the whole time
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
No. You can't. The BIOS is the first thing that is run at cold boot time. If it is already infected then you can attempt to ensure that it remains infected. If it is not infected, your code doesn't exist in the BIOS to "reinfect" it. During a warm boot (aka reboot) the code remains resident so, again, it is already infected, making it impossible to "re-infect". Nice hyperbole though.
And I have a penis, which makes it rather limiting when I visit the Gynecologist.
... Wind^H^H^H^H err... ahhh... no. I listed all the well known ones I guess.
News flash: If one has proximity, anything is possible. If I have unfettered access to a machine then I can ensure that I can continue to have that access. No shit. Write up something worth reading when you can obtain the access sans my permission in the first place, or at least don't try to claim that it is a threat to *BSDs, Linux, OS X, and other secure Operating Systems. I know I'm missing one
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
AMD has contributed to Coreboot support on their boards for about 2 years now. (According to the news posts at least.)
How is it that a troll can post umlauts and I cannot? Tried playing with the site encoding in Firefox to no avail...
Want to hear the voice of GOD? cat
It all depends on the BIOS of the machine, which is not supposed to be accessible while the OS is running. Some of the newer ones might be, but in the early 2000s we saw some machines coming out with a BIOS that was not reachable by the OS; only when you booted from disk could you do a firmware upgrade. I blame the community for pushing to have everything "easy"... Is it not easier to be able to update the BIOS from inside the OS? I say no; it is not a task you should be doing so easily anyway. Flashing a BIOS is a last measure, and updating the BIOS (especially if you can easily brick a computer) is not something to be done often.
Some BIOSes have an option for flash protection; would that be an effective countermeasure?
Got one of those old IBM keyboards do ya?
"capable of surviving even a hard-disk wipe."
The BIOS isn't stored on the hard drive, so why is this surprising?
Coder's Stone: The programming language quick ref for iPad
Well, given that the BIOS is not flashable to clean the infection, to any person of average or less than average computer skill this will mean that the infected computer with this bogus BIOS will be rooted until someone goes into the BIOS code and does what the attacker had done, which is to "patch and compensate the 8-bit checksum", to restore the BIOS to the uninfected state. This will be wonderful for PC companies, as they will sell new PCs to replace infected ones =) . (ALL YOUR BIOS BELONG TO US!)
Well, since you have obviously given this subject a lot of thought, perhaps you can answer a question for me. Why do we NEED a replacement for BIOS anyway? The BIOS we have now works, is pretty simple, and most importantly does its job. Is there some reason why we have to have a replacement? Can't BIOS simply be extended for whatever new tech comes out?
Maybe it is because I'm a "if it ain't broke, don't fix it" kind of guy, or that working PC repair I've seen tons of messed up boxes, but I've seen nothing to indicate that BIOS needs replacing. Hell on a badly messed up PC the BIOS is usually the only thing that IS working. I just don't want to see the BIOS replaced with all this extra functionality we frankly don't need in the preboot(use an instant on Linux for that) that could bring more bugs and instability to systems.
ACs don't waste your time replying, your posts are never seen by me.
> Which makes the attack more difficult in operating systems which do not allow users to run with Administrative rights all the time.
No such animal... There are OSes that *encourage* you to run as non-root users, but there are none that *disallow* it per se. As well, even those OSes/distros which strongly encourage you to not run as root have sudo, which you can use to add yourself to all the right groups.
A lot of users sudo stuff out of habit when it won't run. They are effectively numb to the intent of using sudo and not running as root or the ramifications of what they are doing. "Oh requires root, let me just sudo that... ok done".
This just about negates the purpose of forcing authentication on any operation that requires root access to complete, outside of drive-by attacks. In a lot of cases the users are so used to doing it, they'll just do it for the virus too.
Oh that's right! mac and linux computers are immune to viruses, so this whole sudo thing is irrelevant...
/sarcasm off
-Viz
Don't kid yourself. It's the size of the regexp AND how you use it that counts.
If it's got Tits or Tires, it's gonna give you problems.
Guess they'll have to add Flashable Chips to that saying....
WTF? Over?
Firecox?
This is the sig that says NI (again)
"Ä" => "Ä"
and so on.
...that is scheduled for inclusion in Conficker.D
I'm sure a lot of people would love to fire Cox, but I don't see that that has to do with this discussion.
Yes, which is why "public" computers should not allow booting from external sources.
Every single BIOS made in the last ten years? Seriously? Every, single one?
I have 3 popular motherboards that do not have that option listed anywhere in the BIOS screens or the Motherboard Manual.
Asus Rampage X58
DFI Lan Party X38
Biostar GeForce 6100-M9
Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
Okay, every *sensible* BIOS in any half-decent board. Seriously, the option is in Award, Phoenix, etc., all the major BIOSes in all the major-name computers I've ever seen. I think I saw a laptop without it once, and one PC that was some bodged-together thing from Japan under a company I'd never heard of.
What CPU would this program run on? The same one that runs your current malware? What's to stop you from being tricked into downloading and running a modified copy of this program that installs the virus while the OS is running?
The only way to be certain to prevent this is a hardware switch to prevent writing to flash. There is nothing you can do in software that an evil program can't also do.
Intron: the portion of DNA which expresses nothing useful.
And I was wondering what would be Conficker's next trick...
I boot without a bios - by toggling in raw machine code from the front panel switches!
Well, I boot my computer using only punch cards. And I punch the holes in them myself, from memory! With a twig!!
Not if the signature is left to the user to verify. Think of an MD5 sum rather than a gpg signature.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
CIH only nuked the motherboard and destroyed your master boot record one day of the year (April?), so it still spread pretty well. It only works on Win9x, not NT, so it's pretty rare these days.
Ah, Slashdot understands HTML unicode identifiers. Thanks!
Slashdot understands some HTML unicode identifiers. , for instance, vanishes without a trace, as does A and the like.
You would have been a lot smarter to just use a 100 ohm resistor to the ground so it could never be pulled high, at least that way you could actually use it again in the future.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
1997 called. They want their "Do NOT leave FLASH_WRITE jumper in ENABLE position" story back.
In other "news", using a floppy drive that ignores the write-protect notch could lead to writes on a read-only disk...
help me i've cloned myself and can't remember which one I am
But that is where my point of "Instant on Linux" comes into play. As you said, for consumers ATM there is no need, but what about in the future? I recently saw an MSI module (sorry I can't find the link, maybe someone here can post it?) that simply plugs into a spare USB pin-out on the motherboard and gives you the option of booting straight into it from BIOS.
In this matter we actually have a chance to have our cake and eat it too. Because by using an Instant on Linux not only can you have the functionality of EFI, but you could have different versions. By that I mean for guys like you and me there could be a full implementation of disk and network tools, along with an easy-to-switch-to CLI, and for Joe User you could have a simple XFCE desktop with basic webapps like Firefox. And by going with this method instead of trying to reinvent the wheel with EFI or OpenFirmware, you not only allow the user to have choice, but you also allow that functionality to be back-ported without replacing the hardware. Simply pick up a module, plug it in, and be good to go. I could even see cases where specific hardware that needed extra functionality not found in BIOS could simply pack a mini module in with the gear. And with ROM chips getting so tiny it shouldn't be hard to even squeeze this functionality into laptops with little added cost.
But as I said I honestly don't see a need for a replacement for BIOS, not when with Instant on Linux it would be easy to have the BIOS hand off to Linux for the extra functionality. There are plenty of embedded Linux coders out there, so extending it for specific jobs should be easy, and at the same time if the module fails you don't end up with a brick since you can always fall back to BIOS until you get the replacement module. It just seems a lot easier, more profitable, customizable, and less risky to hand it off to Instant on Linux while having the BIOS as the basic starting point.
I am still fascinated by all these Fascist Muslim Zionists running around. Children should stop trying to use words they do not understand. Even copying and pasting from a moron still makes you moron.
Perhaps the BIOS of this particular AC is infected with a virus. He has tried to wipe his hard drive several times, but his PC keeps pouring out senseless hate speech.
On an unrelated note, I voted for Bush twice and the deregulating Republican Congress that caused this mess. I accept my responsibility and apologize. It is time you did the same. Trying to blame a mess you clearly helped cause on the people trying to fix it is dishonest and irresponsible.
Moron, stay on topic. This is a tech area, not political. I'm guessing that this would not be an issue on an older machine where the BIOS was not writable and hard coded. Ah, the days of the program Peanuts, where this wouldn't have been an issue.
no matter how good it is, it is human nature always wants to make things better
Old English. (It looks like an excerpt from Beowulf.)
To have an argument one must be arguing against facts, not made up on the spot drivel from a frustrated, nasty small minded person.
Your post is complete crap, an epic fail if I ever saw one!
Oh and if you were a man, you would not post as AC,
the coward part fits you well though.
I've posted my recollection of the presentation which fills in a few of the technical details for some people who missed it - probably missed lots too :)
http://blog.triplecheck.ca/2009/03/few-more-details-regarding-peristent.html
If that option wasn't overridable by software later, then yes. You could imagine the chipset would power up in a state where writes could be enabled by some sequence of IO port operations. It would also have a state where writes were locked out until the next power cycle. The default would be to enter that state, and the readme file for BIOS updates would tell people to enable writes before running it.
Another possibility would be to sign the BIOS update file and have the bootblock verify it before flashing.
Or you could go for the full-on trusted system approach where the bootblock would verify all modules after decompressing them prior to execution. If the bootblock was write protected and only knew the public key used to verify the signature, not the private key used to generate it, this would be very secure.
OK, the private key may leak, but it seems like forcing malware writers to know one key, one signing algorithm and one chipset unlock sequence for each model of motherboard they target would make things much, much harder for them.
Right now they already need to know a chipset unlock sequence per model, so this sort of thing is very hard to do if you want to work on a decent selection of boards. Still, coreboot has helpfully documented that for a few boards.
http://tracker.coreboot.org/trac/coreboot/browser/trunk/util/flashrom
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
I'm sure a lot of people would love to fire Cox, but I don't see that that has to do with this discussion.
You're talking about Christopher Cox of the Securities and Exchange Commission, right?
As long as this thread is so far off-topic, here's a question for the original poster. If Obama wanted to destroy the U.S. economically, wouldn't the easiest way be to just do nothing about the economy and let it continue to self-destruct?
I see even classic Slashdot is now pretty much unusable on dial-up.
Now I don't have to state the obvious.
However, full disclosure has me admit that I too did use punched cards. However, I "cheated" and used my privileged access to interactive terminals to compile and debug my code BEFORE I sent it to a card punch for output (since the punched deck of cards was the class requirement. In retrospect, I doubt they spent the money to run the assignments, so it probably didn't matter if they were correct or not. This was back in the day when each print job finished with a "billing" page showing you the not-so-cheap cost to print things).
I pity the poor souls who had to use the public card-punch terminals... it was literally the very last year punched cards were required. heh.
This issue is a bit more complicated than you think.
This just about negates the purpose of forcing authentication on any operation that requires root access to complete, outside of drive-by attacks. In a lot of cases the users are so used to doing it, they'll just do it for the virus too. /sarcasm on
Oh that's right! Mac and Linux computers are immune to viruses, so this whole sudo thing is irrelevant... /sarcasm off
Sorry for the late reply, I was thinking more about the idea of a worm that automatically replicates (similar to the ones exploiting the Windows RPC service) without user intervention. If the user is running as root or has some exploitable process running with high privileges, then it is easier for such a worm to get into the computer and then execute the mentioned exploit to install their payload in the BIOS. After that it will only be a matter of reinstalling a binary file (which could be downloaded from the internet) every time the guest operating system has access to the internet.
I can think of several interesting ways to proceed from there; after all, when I was in high school I played with the creation of some viruses (old-time DOS viruses).
Ubuntu is an African word meaning 'I can't configure Debian'
Some folks felt safe surfing the dark side if they did it inside a virtual machine. They thought "hey, if I get something nasty on my machine, I'll just restore my virtual machine from the checkpoint and voilà, everything's ok again and I can resume working without a heavy re-install penalty." But if these crazed Argentinians can infect your machine from an ActiveX control while you're surfing in a virtual machine and you have to reflash your BIOS to cure the infection, if you can cure it at all, then man, we're all hosed. Bad.
W95.CIH [symantec.com]? Back in the Windows 95 days, this mean son of a bitch could nuke your BIOS from orbit. And we're talking over a decade ago.
Thanks for posting the link, I had forgotten that one of the payloads hit the BIOS as well.
The second payload tries to cause permanent damage to the computer. This payload attacks the Flash BIOS (a part of your computer that initializes and manages the relationships and data flow between the system devices, including the hard drive, serial and parallel ports, and the keyboard) and tries to corrupt the data stored there. As a result, nothing may be displayed when you start the computer. A computer technician would need to fix this.
I had mistakenly remembered and thought that the damage was limited to a memory-resident payload and a payload that corrupted the Master Boot Record (MBR), which are both after the BIOS in the boot process for a PC. Aww, the memories...
I thought this part of the official information is telling, meaning no matter what solution you use, suggest and/or invest in, nothing will protect a user that does not want to think, does not want to learn, just wants it to work and thinks that it should work without them having to think.
From the detailed description on the W95.CIH Virus, a page referenced from the above link:
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
I would add: train users to look at ALL updates before blindly auto-installing anything, as no one can 100% guarantee that a cracker will not be able to add an obfuscated payload to either an application and/or security update.
I will accept that it would be unlikely; however, it is unacceptable for anyone to state as fact that it CAN NOT happen, as that is anything but FACTUAL. It is FUD.
As history has shown us with all operating systems, attempts have been made, though usually they have been discovered before release and prevented. I say usually because I am sure there are a few examples where something has slipped through (an educated guess and playing long odds); I just do NOT have the URLs available as proof. I do know that there have been multiple Slashdot articles on payloads that were introduced and made it into the wild and bricked computers of users. So far I believe most have been discovered prior to release into the updates and patches.
There have been numerous Slashdot posts on updates and releases from a software or hardware vendor that, while not intended as a virus, due to the company's desire and goal of vendor lock-in, bricked the computers. I know this has happened in the Apple world and in the Microsoft world, and figure that odds are it has happened in the Linux and Unix worlds as well...though admittedly with the open source versions of Linux and Unix a user would have a chance to examine the code, figure out what is going on and develop a solution to the problem. Something a proprietary software / hardware vendor will never allow due to their vendor lock-in objectives and goals.
Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
That's not preventing me from cleaning the BIOS by reflashing it. That's infecting the BIOS from the hard drive to continue an infection.
If you wipe the hard drive, the malware returns through the BIOS. If you flash the BIOS, the malware is rewritten from the hard drive at boot. That's probably why they're working on a rootkit to hide the hard drive half. Make it a lot harder to eradicate.
However, my standard procedure is to pull a hard drive out of the infected computer first and scan it as a slave. That disables the vast majority of malware protections. If this exploit showed up in the wild, then after detecting it, I would also have to reflash the BIOS (not just wipe user settings with the jumper) before putting the hard drive back into the computer and finishing the cleanup. One more thing to do, but nobody said malware cleanup was supposed to be easy.
One other question I have is what type of machine this thing is infecting. They name three operating systems, but don't mention whether it was different motherboards/BIOSes. If the bad guys have to write hardware-specific code bits for every different manufacturer (and every new BIOS), they're the ones who will be working harder.
Fundamentalism is a crime against humanity
For a point to be refuted you would need to have one, and the facts to back it up.
As you have neither, only paranoid ranting, you fail and have lost; now go back to 4chan where you belong and leave the adults to rational debate.
Now, I have found the concept of the PC BIOS annoying for a long time. The BIOS vendors, like Phoenix, American Megatrends, Award, have a lot of collusion with the motherboard vendors in terms of getting all the secret register-poking needed to get things going. There is a lot of black magic, legacy code and the like, but it works.
They definitely collude, that is very much true. And the reason we need Coreboot! I do NOT agree with your comment and suggestion of mystery, darkness, black magic as this comes across to me as FUD! Perhaps making it seem hard, difficult or almost impossible so that the average person might be reluctant to improve their lives and move to an open source solution such as Coreboot!
While the Coreboot open source group is publicly stating that it is NOT ready for prime time yet, there are already numerous (read hundreds of...) motherboards and devices supported. So many in fact that you can, today, check their supported list and if the motherboard, adapter card or other device is NOT listed as supported, you can avoid a lot of hassles. Just buy ONLY Coreboot supported hardware, you will thank me and yourself in the mirror later.
It will be very hard for a non-Phoenix-AMI-Intel vendor to come up with a new BIOS for the ages. The LinuxBIOS (coreboot) project, last I checked, had very poor support and no major vendor (e.g. Dell or HP) has looked into it seriously.
I disagree completely. I would not be surprised to learn that there are developers from some of the major motherboard hardware companies working with the Coreboot group officially or unofficially. This is very common with open source projects that are overcoming the collusion you mentioned above and overcoming the vendor lock-in that ONLY hurts us all and stifles innovation. They can make it harder to innovate, but thanks to open source it is NO LONGER POSSIBLE for anyone to make it impossible. In fact it gets easier and easier every year, every month and every day. Today if you want to avoid proprietary hardware and software you can do it in every vertical market. And today there are so few compromises. The only exception I can think of is one or two Microsoft specific games...hardly surprising there, right?
Additionally, if no major vendor is in there fouling up the Coreboot code and group, then I would see that as a HUGE PLUS and not a bad thing at all. It is more likely that some of the coders and engineers have the blessing of their hardware and software company to support Coreboot. These companies are smart and they understand that developing additional markets for their hardware products, especially in this economy, is just plain SMART!
After all, I remember reading about a gamer that was frustrated that his fans were not turning off and on correctly, thus his machine was overheating and the operating system shutting down. Through reverse engineering, he discovered that for his operating system (non Microsoft) the fans were not being turned on and off correctly. (Whether this was due to collusion, who knows, it could as easily have just been poor testing on the part of the BIOS and hardware motherboard companies who history shows have a pro Microsoft