Stop. Just stop.

In the last few weeks, a prominent researcher, Dragos Ruiu (@dragosr) has put his neck out describing some interesting issues with a bunch of his computers. If his indicators of compromise are to be believed (and there is the first problem), we have a significant issue. The problem is the chorus of “It’s not real” “It’s impossible” “It’s fake” is becoming overwhelming without sufficient evidence one way or another. Why are so many folks in our community ready to jump on the negative bandwagon, even if they can’t prove it or simply don’t have enough evidence to say one way or another?

My issue is not “is it true” or “I think it’s true” or “I think it’s false”, it’s that so many info sec “professionals” are basically claiming:

  1. Because I personally can’t verify this issue is true, the issue must be false. QED.

This fails both Logic 101, class 1, and the scientific method.

This is not a technical issue, it’s a people issue.

We must support all of our researchers, particularly the wrong ones. This is entirely obvious. If we eat our young and most venerable in front of the world’s media, we will be a laughing stock. Certain “researchers” are used by their journalist “friends” to say very publicly “I think X is a fool for thinking that his computers are suspect”. This is utterly wrong and foolhardy, and it works for the clickbait articles the journalists write and for their news cycle, not for us.

Not everybody is a viable candidate for having the sample. In my view, the only folks who should have a sample of this thing are those who have sufficient operational security and budget to brick and then utterly destroy at least two or twenty computers in a safe environment. That doesn’t describe many labs. And even then, you should have a good reason for having it. I consider the sample described to need the electronic equivalent of a Level PC4 bio lab. Most labs are not PC4, and I bet most infosec computing labs are nowhere near capable of hosting this sample.

Not one of us has all of the skills required to look at this thing. The only way this can be made to work is by working together, pulling together E.Eng folks with the sort of expensive equipment only a well-funded organisation or a university lab might muster, microcontroller freaks, firmware folks, CPU microcode folks, USB folks, file system folks, assembly language folks, audio folks, forensic folks, malware folks, folks who are good at certain types of Windows font malware, and so on. There is not a single human being alive who can do it all. It’s no surprise to me that Dragos has struggled to get a reproducible but sterile sample out. I bet most of us would have failed, too.

We must respect and use the scientific method. The scientific method is well tested and true. We must rule out confirmation bias, and we must rule out the easy dismissal of “well, a $0.10 audio chip will do that, as most of them are paired with $0.05 speakers and most of the time it doesn’t matter”. I actually don’t care if this thing is real or not. If it’s real, there will be patches. If it’s not real, it doesn’t matter. I do care about the scientific method, and its lack of application in our research community. We aren’t researchers for the most part, and I find it frustrating that most of us don’t seem to understand the very basic steps of careful lab work and repeating important experiments.

We must allow sufficient time to allow the researchers to collaborate and either have a positive or negative result, analyse their findings and report back to us. Again, I come back to our journalist “friends”, who can’t live without conflict. The 24 hour news cycle is their problem, not our problem. We have Twitter or Google Plus or conferences. Have some respect and wait a little before running to the nearest J “friends” and bleating “It’s an obvious fake”.

We owe a debt to folks like Dragos who have odd results, and who are brave enough to report them publicly. Odd results are what pushes us forward as an industry. Cryptanalysis wouldn’t exist without them. If we make it hard or impossible for respected folks like Dragos to report odd results, imagine what will happen next time. What happens if it’s someone without much of a reputation? We need a framework to collaborate, not to tear each other down.

Our industry’s story is not the story of the little boy who cried wolf. We are (or should be) more mature than a child’s nursery rhyme. Have some respect for our profession, and work with researchers rather than sully their name (and yours and mine) by announcing, before you have proof, that something’s not quite right. If anything, we must celebrate negative results every bit as much as positive results, because I don’t know about you, but I work a lot harder when I know an app is hardened. I try every trick in the book, including the stuff that is bleeding edge, as a virtual masterclass in our field. I bet Dragos has given this the sort of inspection that only the most ardent forensic researcher might have done. If he hasn’t gotten that far, it’s either sufficiently advanced to be indistinguishable from magic, or he needs help to let us understand what is actually there. I bet that few of us could have gotten as far as Dragos has.

To me, we must step back and work together as an industry – ask Dragos: “What do you need?” “How can we help?” and if that’s “Give me time”, then let’s step back and give him time. If it’s a USB circuit analyser or a microcontroller dev system plus some mad soldering skills, well, help him rather than tear him down. Dragos has shown he has sufficient operational security to research this one for another 12-24 months. We don’t need to know now, now, or now. We gain nothing by trashing his name.

Just stop. Stop trashing our industry, and let’s work together.

15 thoughts on “Stop. Just stop.”

  1. Andrew, best infosec blog post of 2013. Way to end us all on a high note. Way to be there for your fellow fellows!

  2. Excellent post. I hope you don’t mind me linking to your work from my own rant on the topic. Bottom line is that Ruiu has been vilified and criticised for no reason. He saw something that he thought was unusual and began investigating it, and did the responsible thing – what we are told is the right behavior – and disclosed it. Perhaps he should have held off until he had a complete analysis but he didn’t and he shouldn’t have to justify his position.

  3. Hi,

    100% agree; especially for the scientific method. My first thought was “impossible”. But second thought is “it might be possible, but I don’t know enough to understand it”.

    Let’s assume he is right and then find arguments (proof!) against it. Falsification. Period.

    Every other way is wrong.

    Just my 2 cents

    Thomas Wallutis

  4. This text is just ludicrous. While you only write general sociological clichés, some other people – such as Philip Jaenke who wrote “The badBIOS Analysis Is Wrong” – are doing the actual research and are explaining the basic facts to others, too. It is not possible to design motherboard-independent codes for BIOS that could go undetected, it is impossible to use the microphone at BIOS, so all these speculations may be quickly shown to be wrong. If he has some malware, it is working totally differently than what his fairy-tale is saying.

    Your suggestion that it is impossible to detect and reverse engineer modified BIOS is laughable. I am a physicist but I have done enough machine code programming and reverse engineering myself to know that it’s nonsense. Who can’t see such things in the BIOS is just incompetent, unlike Philip Jaenke. If someone wants to fire such incompetent people, he has a good enough case. They’re just clowns wasting resources. You want to rotate the meritocracy upside down. Collect the world’s most gullible and incompetent folks, pretend that they’re the elite of the technological industry, and allow them to trash the professionals.

    In reality, one professional is really enough to settle whether the proposed scenario may work and the answer is No, whether you like it or not.

  5. Well done,
    In general we seem to be looking for someone to fail, rather than succeed.
    Regardless of the outcome of this, discussion (well be selective what you read) and awareness that we don’t have mainstream protection tools at below OS level, will (I hope) benefit Cyber Security.
    So to Dragos thx … and to others add value.

  6. > some other people – such as Philip Jaenke who wrote “The badBIOS Analysis Is Wrong” –
    > are doing the actual research and are explaining the basic facts to others, too.

    Did someone feed Philip Jaenke after midnight, thereby causing him to multiply? Why don’t you gremlins go back and READ the source material you seem to be trying to dispute.

    > It is not possible to design motherboard-independent codes for BIOS that could go
    > undetected, it is impossible to use the microphone at BIOS, so all these speculations
    > may be quickly shown to be wrong. If he has some malware, it is working totally
    > differently than what his fairy-tale is saying.

    In reading your response, it seems apparent that you have read none of Dragos’ messages describing the attack. No one (except Philip Jaenke) has come close to using the phrase, “motherboard independent BIOS”. Likewise, no claim has been advanced of a BIOS accessing the microphone. The BIOS may or may not be involved in the attack we are discussing; if it were involved, most would assume its work to be finished very early in the boot process. Remember, we’re talking about a computer *system*; hardware level attacks may bounce and pivot here in many places.

    From Wikipedia:
    “In modern personal computers the BIOS is used only during booting and initial loading of system software. Before the operating system’s first graphical screen is displayed, input and output are typically handled through BIOS. A boot menu such as the textual menu of Windows that allows one to choose an operating system to boot or to boot into Safe Mode or to use the last known good configuration, is displayed and receives keyboard input through BIOS.”

    Try and use your imagination to visualize how code within the BIOS, an option ROM, or any one of the many extension ROMs might be used to set up the computer to perform any number of malicious tasks. Are you still having trouble seeing it?

    > Your suggestion that it is impossible to detect and reverse engineer modified BIOS is
    > laughable. I am a physicist but I have done enough machine code programming and
    > reverse engineering myself to know that it’s nonsense. Who can’t see such things in
    > the BIOS is just incompetent, unlike Philip Jaenke. If someone wants to fire such
    > incompetent people, he has a good enough case. They’re just clowns wasting resources.
    > You want to rotate the meritocracy upside down. Collect the world’s most gullible and
    > incompetent folks, pretend that they’re the elite of the technological industry, and
    > allow them to trash the professionals.

    Yes indeed, “who can’t see such things in the BIOS” is certainly incompetent! Words of wisdom from a physicist who has done “enough machine code programming and reverse engineering” to know… Thank god for the voice of reason in this crazy discussion! For a moment there, I was actually starting to use my brain to think critically.

    > In reality, one professional is really enough to settle whether the proposed scenario
    > may work and the answer is No, whether you like it or not.

    Well it’s settled then! Thank you sir for clearing this up for the rest of the security community. Sometimes it takes a straight shooter to come in and make tough calls, taking the kinds of liberties that you have, to make sense of it all… When the dust settles, the townspeople will cheer! Now decent hardworking folks can get back to work knowing that everything is safe and secure!

    -z

  7. Lubos: If we assumed the malware targeted modernish laptops running Windows, we could have our malware (initial vector could be via some exploit) check to see if the BIOS vendor is supported, pull down the flash image from the ROM, add our code as an ISA component and then flash our modified code up. I have actually done just that in the past on Award machines (making a bunch of thin clients and needed to incorporate etherboot code) about eight years back and using the vendor supplied tool (which had a command line for scriptability) it was a cinch, and no notification of the change on next bootup either. The code you’d add would likely be just to assure persistence. If you borrowed an idea from Computrace you could have some basic NTFS code to copy a file executed on boot (in CT’s case it was rpcnet.exe) to a different name and replace the original with your payload which would load the actual file at its conclusion. You’d have to keep the malware small or just have the persistence payload be a downloader/dropper that would reinstall the whole thing if need be. The whole audio comms would be done as a win32 service. It’s the most logical place to do it as you don’t need to worry about differing audio hardware – just use Windows audio.

    So I think that something similar (but not the same) as what Ruiu has claimed could be readily implemented. It wouldn’t be platform independent, nor would it be OS independent – these two claims of his add a lot of doubt as to how you’d achieve this.

    Ruiu may have been fooled and may have erred in his analysis, but this doesn’t mean we should have these personal attacks on the guy. He saw something he thought was weird and drew some (controversial) conclusions.

    No doubt a full analysis will clear everything up.

  8. If the Snowden thing has proven at least one thing, it is that even the most skeptical person regarding conspiracies must now admit that not everything is “un-imaginable” :-) And this thing here is one additional sign in the direction of “what can be done”.
    Cheers

  9. Although this kind of paranoid delusion may be unusual to you, and since it occurred in someone with a fair amount of technical skill (and perhaps a friend), you want to believe him.

    However, I can tell you that there are hundreds, maybe thousands of people who believe that their computers are infected with some kind of mythical malware. They have been “fighting with it” for years. Their computers are infected soon after they buy them. They take them back to the manufacturer or the store where they bought them and demand new ones time and again. The malware hits them the moment they turn the computer on. They can offer you gigabytes of “data” to back up their claims, none of which show anything abnormal.

    It’s a particular breed of paranoid delusion. Have you heard of gang stalking? There are thousands of people who believe they are being stalked by secretive gangs. Very similar. I know because in a past job, I worked in security response, and saw these stories from a different person every few months.

    Now of course it’s unfortunate that it happened to someone who was well known enough in the community that when he spoke, a reporter was willing to write an article based on his statements with zero proof. And now there is some kind of conflict between those who recognize he’s deluded and those who want to believe him with no proof. It’s unfortunate, but just because you like and respect him doesn’t mean he’s infallible.

  10. As a self-tutored security engineer I must applaud the initiative and intent of this post.

    I’ve been called paranoid by people who barely had a look, said to lack vision by people who only look at numbers (as in finance), been fired multiple times for not fitting in with the idiots who believe it’s all in a book. One time, only to see three years later that what I found is on national news and my initial findings and assumptions hold true (dating back to the early 2000s). The damage this has done to my reputation seems beyond repair. I’ll probably not hold up with the greats but have my merits; I hope and expect this badBIOS stuff to turn out as “true” because it is in line with what I’ve diagnosed and hypothesized on the evolution of pro-malware. It is also in line with forecasts by some global-size corporations.

    ICT is stuffed with people who lack experience and insight, especially in ICT Security. People who think business instead of security, who think procedure instead of process, who believe tutorials instead of reasoning (even in front of simple facts), who believe claims/hype instead of reason based on experience, who trust liars above facts. My personal error is not to be highly technical (no assembly here) but to rely on over 20 years of operational experience, curiosity, psychological insight and have all that wrapped with a love for induction.

    — on Philip Jaenke: His initial article was written with quite a bit of emotion; his later comments are valuable and support the badBIOS angle I assume Dragos is reporting.

  11. Thanks for your point of view, vanderaj.

    Good to see someone with a philosophically sound approach to this. We are putting together our own update on this subject, and will link to your article. Thanks again!
