Page 1 of 1

BadSD???

Posted: 24 May 2016, 02:44
by fullmoonremix
Salutations... :good:

Here we go again...
http://www.bunniestudios.com/blog/?p=3554
https://www.youtube.com/watch?v=r3GDPwIuRKI

"Best Regards"... :beer:

Posted by 71.250.239.251 via http://webwarper.net
This is added while posting a message to avoid misusing the service

Re: BadSD???

Posted: 26 May 2016, 00:12
by brokenman
If you're going to flood the security section with security warnings, at least post relevant and current information. This is over 3 years old!

Re: BadSD???

Posted: 26 May 2016, 05:30
by Evan
<removed>

Re: BadSD???

Posted: 26 May 2016, 06:01
by fullmoonremix
Salutations... :good:

With one exception prior to April... in the close to 2yrs I have been with Porteus I have not felt the need to post to the "Security" section of the forum.

My thing has always been performance. For me security has always been boring. I've never had any real security concerns...
because I have long mastered persistent threats decades ago. But I must admit this bug has humbled me (and it takes a lot to do that). Lol.

What makes this thread relevant (like all the other threads on this security problem) is the threat is real and does not have an expiration date.
The cheap used eBay hardware that wiped me out was at least 3 yrs old (and I purchased it recently).

This means the threat is 3yrs older NOT 3yrs eradicated just because the link is old. This issue is not a security update or bug fix. This problem is a design one.
So it can only be fixed by the manufacturers. These microcontroller firmware vulnerabilities have been known by the industry since the inception of USB.

Bluetooth has never had this problem because it's standard took these known threats seriously at it's inception.

Fortunately... some manufacturers like Kanguru have taken this threat seriously (somewhat... because they still sell unsigned devices)
even while the rest of the industry ignores it (like SanDisk and Kingston) because of stockholder greed.

In any case... regardless of the age of the link the only known reliable protection (that I am aware of)
is signed USB firmware or Coreboot based solutions (UEFI works but has issues and vunerabilities).

Once infected the only known solution for this class of bug is hardware quarantine or disposal.
Also... if there is a solution (that I am not aware of) this thread is an opportunity to share it.

The purpose of the threads on these issues... is to raise awareness to save others a potential expensive nightmare (which could be the tip of the iceberg).
In my many years of technical experience (@ least 16yrs CompTIA A+ certified) I have found... a hardware threat is just as noteworthy as a software one.

The stories from media news outlets are sensationalized (scaremongering) but the data from the IT Sec conferences should be taken seriously.

There are plenty of noteworthy posts regarding known software security updates and bugs.
Regardless of that... this exploit may not be as sexy (maybe even alarming) but it is still a game changer.

What makes this particular threat so insidious is it's payload(s) will only manifest in a static environment (cd/dvd boot).
This is how I became aware of it because I don't read media news fluff (or even IT Sec releases unless there is first a problem).

My experience and skill in this area allowed me to notice the signs. Such as it blocking my attempts to automate a secure boot.
Which is why I purchased a 3rd party mail order distro in order to clean boot (because my network was compromised).

What was really amusing was I could continue to use the contaminated hardware
with few restrictions or even manifestation as long as I did not challenge the infection.

Once I contained the exploit (although it bricked 6 mobo's that I had managed to securely boot) the original device continued to function.

Alas as a consequence... I could never trust any of the infected hardware ever again outside of a forensic quarantine... so disposal ($1500+ :cry: ) became necessary.

As I stated before... there is nothing wrong with Porteus or Linux. What is wrong... is a false sense of security
(reboot/reinstallation is futile with this bug) in the face of serious emerging persistent covert threats.

Unfortunately... those that don't know this ugly truth will have their system (if compromised)
tell them everything is ok (aka... false negatives) so they too can share "the gift that keeps on giving".

Because Linux (Porteus) is "secure by design" many emerging threats are exploit/trojan based instead of viral. The bottom line here is...
the backbreaking success of ChomeOS and Android (WindozzZ now wants to "hide" in the cloud) is a blessing and a curse and has placed Linux in the crosshairs.

"Best Regards"... :beer:

Posted by 71.250.239.251 via http://webwarper.net
This is added while posting a message to avoid misusing the service