David H. Lipman wrote:
> From: "§ñühw¤£f" <snuhwolf5150@hotmail.com>
>
>>> In principle but not yet in actuality.
>
> | Dont worry, we're working on it ;)
>
> I doubt you are :-)
>
> But... I am sure some malicious actor is but to date, nothing.
>
Please explain just *how* you know that to be a *fact*.
Indeed, how would a user know that his/her machine had been compromised
in this way - especially now that modern machines are so much faster
than in days gone by?
Todd H. wrote:
> "~BD~" <BoaterDave@hotmail.co.uk> writes:
>
>> "nobody >" <usenetharvested@aol.com> wrote in message
>> news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
>>> ~BD~ wrote:
>>>> I asked this question in the two 'security' newsgroups to which I now
>>>> crosspost.
>>>>
>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
>>> If you are truly speaking of Read Only Memory that was installed at
>>> assembly, there's no way that a rootkit could be there unless it was put
>>> on when the ROM was "Burned"
>> "§ñühw¤£f" poses the question of 'flashing' the BIOS.
>>
>> I'm suggesting that if/when this action is carried out, it might well be
>> possible to introduce malware to a system - which will remain for posterity.
>>
>> If I am right, I'm asking if there is any way that ordinary folk could ever
>> find out the truth. *Is* there a way?
>
> Dave,
>
> I think the short answer is no, I believe (though it's always hard to
> prove a negative). The technique is too new to have tamper detection
> commercially available.
>
> If you're worried, simply reflash your BIOS with an image from the
> manufacturer. And hope they haven't trojaned it themselves.
>
> #include <a_variety_of_global_sourcing_fears.h>
>
>
I appreciate your answer, Todd. Thanks!
You will be pleased to learn that I am not worried on my own account at
this point. The machine I once had - which I'm confident *was*
compromised - was relegated to the scrap heap some long time ago now.<smile>
Cybercrime continues to rise exponentially - maybe this is one reason
why it is happening, but I doubt we'll ever know the truth!
The bad guys will always be two steps in front IMO. Sad. :-(
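Todd's suggestion above (reflash from a manufacturer image and hope the manufacturer is honest) has a practical check attached to it: read the flash part back, either with an external programmer or with the flashing utility's backup/read mode, and compare the dump byte for byte against the vendor's image. The C program below is an added example, not code posted by anyone in this thread; it builds a constructed 4 KiB "vendor" image and a constructed dump with one altered region, prints a CRC-32 fingerprint of each and lists the offsets that differ. The image size, the location and length of the altered region and the 16-byte merge gap are assumptions chosen for the demonstration. Two caveats matter in practice: a dump taken through the running operating system can be falsified by firmware that already controls the machine, so a dump made with an external programmer is the trustworthy one; and a real BIOS image carries per-machine data (settings, DMI strings, NVRAM areas) that legitimately differs from the vendor file, so a differing region is a lead to examine, not proof of tampering.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE   4096     /* assumption: a small constructed image                */
#define PATCH_OFFSET 0x800    /* assumption: where the constructed dump differs        */
#define PATCH_LEN    32
#define MERGE_GAP    16       /* equal bytes inside a patch closer than this are kept */

typedef struct { size_t offset; size_t length; } diff_region;

/* CRC-32 (IEEE 802.3, reflected, as used by zip/zlib) as a quick fingerprint. */
uint32_t crc32_ieee(const uint8_t *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Walk both images and list runs of differing bytes. Stretches of equal bytes
   shorter than MERGE_GAP inside a run stay in the same region, so one patch is
   reported once. Returns the total number of regions found; only the first
   max_out of them are stored in out. */
size_t find_diff_regions(const uint8_t *ref, const uint8_t *dump, size_t len,
                         diff_region *out, size_t max_out) {
    size_t count = 0, i = 0;
    while (i < len) {
        if (ref[i] == dump[i]) { i++; continue; }
        size_t start = i, end = i + 1;        /* end = one past the last differing byte */
        while (i < len) {
            if (ref[i] != dump[i]) { end = i + 1; i++; continue; }
            if (i - end >= MERGE_GAP) break;  /* gap of equal bytes too long: close it */
            i++;
        }
        if (count < max_out) { out[count].offset = start; out[count].length = end - start; }
        count++;
    }
    return count;
}

/* Constructed data: a deterministic "vendor" image and a dump that equals it
   except for PATCH_LEN bytes at PATCH_OFFSET, which are inverted. */
void build_constructed_images(uint8_t *ref, uint8_t *dump) {
    for (size_t i = 0; i < IMAGE_SIZE; i++)
        ref[i] = (uint8_t)(i * 31 + 7);
    memcpy(dump, ref, IMAGE_SIZE);
    for (size_t i = 0; i < PATCH_LEN; i++)
        dump[PATCH_OFFSET + i] = (uint8_t)~ref[PATCH_OFFSET + i];
}

/* Compare the constructed pair; returns the region count and the first region. */
size_t compare_constructed(diff_region *first) {
    static uint8_t ref[IMAGE_SIZE], dump[IMAGE_SIZE];
    diff_region regions[16];
    build_constructed_images(ref, dump);
    size_t n = find_diff_regions(ref, dump, IMAGE_SIZE, regions, 16);
    if (n > 0 && first) *first = regions[0];
    return n;
}

int main(void) {
    static uint8_t ref[IMAGE_SIZE], dump[IMAGE_SIZE];
    diff_region regions[16];
    build_constructed_images(ref, dump);
    printf("vendor image CRC-32: %08X\n", crc32_ieee(ref, IMAGE_SIZE));
    printf("dumped image CRC-32: %08X\n", crc32_ieee(dump, IMAGE_SIZE));
    size_t n = find_diff_regions(ref, dump, IMAGE_SIZE, regions, 16);
    if (n == 0) {
        puts("images identical");
    } else {
        printf("%zu differing region(s):\n", n);
        for (size_t i = 0; i < n && i < 16; i++)
            printf("  offset 0x%04zX, %zu bytes\n", regions[i].offset, regions[i].length);
    }
    return 0;
}
```

On a real machine the two buffers would be the vendor's download and the file written by the programmer's read command; an equal CRC over the whole part is the quick "nothing changed" answer, and the region list is what you look at when it is not equal.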
| David H. Lipman wrote:
>> From: "§ñühw¤£f" <snuhwolf5150@hotmail.com>
>>>> In principle but not yet in actuality.
>> | Dont worry, we're working on it ;)
>> I doubt you are :-)
>> But... I am sure some malicious actor is but to date, nothing.
| Please explain just *how* you know that to be a *fact*.
| Indeed, how would a user know that his/her machine had been compromised
| in this way - especially now that modern machines are so much faster
| than in days gone by?
Speed of the PC has NOTHING to do with it.
I know this to be a fact because there is NO insider information on the occurrence.
In this thread nemo mentioned about a FireWire exploit. He read about it. I read about
it and it was confirmed.
The fact there is no BIOS/FirmWare malware/RootKit is a fact based upon knowledge on the
inside.
Just because someone postulates the possibility does NOT mean there exists any.
It is postulated that there is life in the universe outside of the sphere of our Earth.
It has also been discussed that such life has visited Earth. You can discuss this as a
possibility because it has NOT been proven to have happened.
Again...
When you posted "However, have you considered that your BIOS may have been/could be
infected? A whole new ball-game!"
You were injecting pure FUD as nobody should be considering this unless they are wearing
tin foil hats and expecting an invasion from Mars.
David H. Lipman wrote:
> From: "~BD~" <BoaterDave@hotmail.co.uk>
>
> | David H. Lipman wrote:
>>> From: "§ñühw¤£f" <snuhwolf5150@hotmail.com>
>
>
>>>>> In principle but not yet in actuality.
>
>>> | Dont worry, we're working on it ;)
>
>>> I doubt you are :-)
>
>>> But... I am sure some malicious actor is but to date, nothing.
>
>
> | Please explain just *how* you know that to be a *fact*.
>
> | Indeed, how would a user know that his/her machine had been compromised
> | in this way - especially now that modern machines are so much faster
> | than in days gone by?
>
> Speed of the PC has NOTHING to do with it.
>
> I know this to be a fact because there is NO insider information on the occurence.
When you refer to "insider information" you seem to be referring to some
secret band of 'experts' - but do not identify exactly who you mean.
There will *never* be any "insider information" for you to access or
read about until such time as one of the good guys uncovers what the bad
guys are doing! Surely even you must understand that!
> In this thread nemo mentioned about a FireWire exploit. He read about it. I read about
> it and it was confirmed.
>
> The fact there is no BIOS/FirmWare malware/RootKit is a fact based upon knowledge on the
> inside.
What do you mean by "on the inside"?
> Just because someone postulates the possibility does NOT mean there exists any.
True. But it *might* be a possibility!
> It is postulated that there is life in the universe outside of the sphere of our Earth.
> It has also peen discussed that such life has visited Earth. You can discuss this as a
> possibility because it has NOT been proven to have happened.
True. And it *is* possible, isn't it?
> Again...
> When you posted "However, have you considered that your BIOS may have been/could be
> infected? A whole new ball-game!"
>
> You were injecting pure FUD as nobody should be considering this unless they are wearing
> tin foil hats and expecting an invasion from Mars.
As I've said already, it was a remark said 'tongue in cheek'**. If you
re-read the thread in question you'll note that others, too, thought
that 'Albert' is not the simpleton he pretended so to be.
In article <X-ednTEkkuaxxijXnZ2dnUVZ8rCdnZ2d@bt.com>, BoaterDave@hotmail.co.uk says...
> David H. Lipman wrote:
>
> > BoaterDave is an idiot
>
> That is not true. Please deal with *facts*.
Your own history seems to indicate the statement is true.
> > To date NO ONE has "infected" a BIOS.
>
> You cannot possibly know that to be true.
>
> You may simply be unaware of the truth.
I've been working with computers, designing hardware, burning EPROMS,
EEPROMS, and making PALS, and programming ROM's for 30+ years, or at
least most of 30 years.
I have NEVER seen a malware in the wild that rewrites a BIOS, have not
read about one, have not read about anyone that has actually seen one in
real-life....
You need to put the tin-foil hat back on BD.
--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself. spam999free@rrohio.com (remove 999 for proper email address)
Leythos wrote:
> In article <X-ednTEkkuaxxijXnZ2dnUVZ8rCdnZ2d@bt.com>,
> BoaterDave@hotmail.co.uk says...
>> David H. Lipman wrote:
>>
>>> BoaterDave is an idiot
>> That is not true. Please deal with *facts*.
>
> Your own history seems to indicate the statement is true.
>
>>> To date NO ONE has "infected" a BIOS.
>> You cannot possibly know that to be true.
>>
>> You may simply be unaware of the truth.
>
> I've been working with computers, designing hardware, burning EPROMS,
> EEPROMS, and making PALS, and programming ROM's for 30+ years, or at
> least most of 30 years.
>
> I have NEVER seen a malware in the wild that rewrites a BIOS, have not
> read about one, have not read about anyone that has actually seen one in
> real-life....
>
> You need to put the tin-foil hat back on BD.
>
I have immense respect for your experience, Leythos
You are 'Old school' though ...... and will *always* be two steps behind
the bad guys.
If malware *did* rewrite the BIOS in some malicious way, please explain
just *how* you would know that it had happened.
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
"~BD~" <BoaterDave@hotmail.co.uk> wrote in message
news:cuSdnflkL49DHyjXnZ2dnUVZ8vudnZ2d@bt.com...
> Leythos wrote:
>> In article <X-ednTEkkuaxxijXnZ2dnUVZ8rCdnZ2d@bt.com>,
>> BoaterDave@hotmail.co.uk says...
>>> David H. Lipman wrote:
>>>
>>>> BoaterDave is an idiot
>>> That is not true. Please deal with *facts*.
>>
>> Your own history seems to indicate the statement is true.
>>
>>>> To date NO ONE has "infected" a BIOS.
>>> You cannot possibly know that to be true.
>>>
>>> You may simply be unaware of the truth.
>>
>> I've been working with computers, designing hardware, burning EPROMS,
>> EEPROMS, and making PALS, and programming ROM's for 30+ years, or at
>> least most of 30 years.
>>
>> I have NEVER seen a malware in the wild that rewrites a BIOS, have not
>> read about one, have not read about anyone that has actually seen one in
>> real-life....
>>
>> You need to put the tin-foil hat back on BD.
>
> I have immense respect for your experience, Leythos
>
> You are 'Old school' though ...... and will *always* be two steps behind
> the bad guys.
>
> If malware *did* rewrite the BIOS in some malicious way, please explain
> just *how* you would know that it had happened.
>
> --
> Dave
On Sat, 19 Sep 2009 20:07:28 +0100, in the land of
24hoursupport.helpdesk, Tim Jackson <tim@tim-jackson.co.uk> got double
secret probation for writing:
>Aratzio wrote:
>> On Sat, 19 Sep 2009 16:58:25 +0100, in the land of
>> 24hoursupport.helpdesk, Tim Jackson <tim@tim-jackson.co.uk> got double
>> secret probation for writing:
>>
>
>>> ROM is Read-Only Memory which is taken to refer to the fact that the CPU
>>> can't routinely write to it by a simple memory operation as it can to
>>> RAM. If the ROM can be written by an electrical programming procedure,
>>> then it is PROM - programmable ROM. EPROM, EEPROM and Flash are all
>>> types of PROM. Writing PROMs requires some sort of arcane programming
>>> procedure carried out by dedicated software, it is not like writing to
>>> RAM, so cannot happen accidentally.
>>
>> Umm, no. Early EEPROM worked exactly like RAM.
>>
>> Enable (nCS/nCE low usually)
>> Outputs off (nOE low usually)
>> Address (A0-Ax to address location to be programmed)
>> Data (D0-Dx with data to be programmed)
>> Write (nWE low usually)
>> End (either nCS or nWE returns to 1)
>>
>> IIRC the original 28C devices all worked like that.
>>
>> The later devices included a very simple 3 cycle write algorithm
>>
>> Something on the order of:
>> #AAAA #55
>> #5555 #AA
>> #AAAA #90
>>
>> The erase algorithm was a bit more complex and took 5 cycles and you
>> could cycle through the whole device and erase each individual
>> location (reset 0 to 1). Later they actually added full chip and
>> sector erase functions that removed the need to address each location
>> and verify each location. Early flash could be damaged if you tried
>> to write a 0 to a 0.
>>
>
>That's only half the story. Writing a byte to EEPROM, EPROM or Flash is
>a slow process taking hundreds or thousands of machine cycles and
>totally unlike RAM.
Half the story? Really, the same command structure to execute a write,
no difference. The only difference is after executing the write
sequence is the polling to wait up to 10ms for the internal write
cycle to complete. The INTERNAL write cycle. The OS does not need to
wait for the completion.
>
>Yes you could initiate a write to *one byte* like you say, but that is
>because the rest of the work is done by internal logic.
Just like SRAM & DRAM. They all have internal logic. Some have more
complex than others.
> Where you say
>"end" that is not the end for the device, nor should it be for the
>programmer if he wants to keep his job. In both 28C64 and Flash, the
>algorithm then has to go into a loop checking a 'busy' flag (for several
>milliseconds per byte in a 28C64) until the internal write process
>completes.
Yes, that is called polling, something done innumerable times when
dealing with hardware and software. See interrupts or communications
protocols.
>An attempt to write successive addresses as if it were RAM
>would not succeed.
Yes, it would, that is called page mode. It would be helpful if you
understood how the hardware worked.
> A read access during an internal write cycle would
>read the flags, not memory contents. So an 'accidental' write to a BIOS
>in an unlocked 28C64 (see below) would not overwrite it, it would
>corrupt one byte and then crash on the next BIOS call.
What you wrote is this:
"Writing PROMs requires some sort of arcane programming procedure
carried out by dedicated software"
Polling requires a read of D7 masking the other 7 bits or D6 the
toggle bit (the 28C64 has no busy pin like some flash). If a
programmer could not write an exceedingly simple process like polling
then they are idiots.
There is nothing arcane about a write sequence with a poll. I doubt
there are many more hardware process more simple.
>
>I accept early 28xx EEPROMs did not have any accidental (or
>malicious) write protection.
Yes they did, you could sector lock them.
>On recent devices (eg Atmel AT28C64B) it
>is optional, you *can* leave them open to unanticipated write (like you
>describe) if you are careless enough; or you can 'lock' them to require
>a command sequence to enable writing. However it would be a poor
>designer who used an unprotected device for firmware, which is the
>context we are discussing.
No, you claimed writing to a non-volatile required an "arcane
programming procedure" and "not like writing to ram", both of which
are wrong.
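The exchange above turns on whether writing a 28C-class EEPROM is "like RAM". The C model below is an added example, not code from Aratzio, Tim Jackson or any datasheet; it simulates a byte-write part with an internal write cycle, DATA# polling on D7, the toggle bit on D6, and optional software data protection that only accepts a write preceded by a three-cycle unlock sequence. The internal cycle length (five bus accesses), the 8 KiB size and the unlock sequence (AA to 0x1555, 55 to 0x0AAA, A0 to 0x1555, modelled on the JEDEC-style scheme used by parts such as the AT28C64B) are assumptions; check the datasheet of a real part before relying on the exact values. Page-mode parts, which Aratzio mentions, buffer several bytes per cycle and are not modelled. The three scenarios show the point each side is making: a single write followed by a poll behaves like a slow RAM write, a second write issued before the first cycle completes is silently lost, and with protection armed a stray RAM-style write changes nothing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EE_SIZE            8192  /* assumption: a 28C64-class 8 KiB part               */
#define WRITE_CYCLE_TICKS  5     /* assumption: internal write cycle = 5 bus accesses  */

/* Unlock sequence: assumption modelled on the JEDEC-style software data
   protection of AT28C64B-type parts (address/data pairs, in order). */
static const uint16_t SDP_ADDR[3] = { 0x1555, 0x0AAA, 0x1555 };
static const uint8_t  SDP_DATA[3] = { 0xAA,   0x55,   0xA0   };

typedef struct {
    uint8_t  mem[EE_SIZE];
    int      busy_ticks;    /* > 0 while the internal write cycle runs     */
    uint16_t pending_addr;
    uint8_t  pending_data;
    uint8_t  toggle;        /* D6 flips on every read during a cycle       */
    bool     sdp_enabled;   /* protection armed                            */
    bool     unlocked;      /* unlock sequence seen: next write accepted   */
    int      seq_state;     /* progress through the unlock sequence        */
} eeprom;

void ee_init(eeprom *e) {
    memset(e, 0, sizeof *e);
    memset(e->mem, 0xFF, EE_SIZE);          /* erased cells read as 1 */
}

/* Every bus access advances the device's internal clock by one tick. */
static void ee_tick(eeprom *e) {
    if (e->busy_ticks > 0 && --e->busy_ticks == 0)
        e->mem[e->pending_addr] = e->pending_data;   /* cycle done: commit */
}

/* Read: during a write cycle the part returns status, not memory:
   D7 = complement of the byte being written, D6 toggles on each read. */
uint8_t ee_read(eeprom *e, uint16_t addr) {
    ee_tick(e);
    if (e->busy_ticks > 0) {
        e->toggle ^= 1;
        return (uint8_t)((~e->pending_data & 0x80) | (e->toggle << 6));
    }
    return e->mem[addr % EE_SIZE];
}

/* Write: returns true if a write cycle was started. A write issued while a
   cycle is running is ignored; with protection armed, a write is accepted
   only after the unlock sequence, and any other write aborts the sequence. */
bool ee_write(eeprom *e, uint16_t addr, uint8_t data) {
    ee_tick(e);
    if (e->busy_ticks > 0)
        return false;                       /* lost: device still busy */
    if (e->sdp_enabled && !e->unlocked) {
        if (addr == SDP_ADDR[e->seq_state] && data == SDP_DATA[e->seq_state]) {
            if (++e->seq_state == 3) { e->unlocked = true; e->seq_state = 0; }
        } else {
            e->seq_state = 0;
        }
        return false;                       /* no memory change either way */
    }
    e->unlocked = false;                    /* one data write per unlock */
    e->pending_addr = addr % EE_SIZE;
    e->pending_data = data;
    e->busy_ticks = WRITE_CYCLE_TICKS;
    return true;
}

void ee_enable_sdp(eeprom *e) { e->sdp_enabled = true; }

/* DATA# polling: read until D7 matches D7 of the byte written.
   Returns the number of reads it took, or -1 on timeout. */
int ee_poll_until_done(eeprom *e, uint16_t addr, uint8_t data, int max_polls) {
    for (int n = 1; n <= max_polls; n++)
        if ((ee_read(e, addr) & 0x80) == (data & 0x80))
            return n;
    return -1;
}

/* Protected write: unlock sequence, then the data byte. */
bool ee_sdp_write(eeprom *e, uint16_t addr, uint8_t data) {
    if (e->sdp_enabled)
        for (int i = 0; i < 3; i++)
            ee_write(e, SDP_ADDR[i], SDP_DATA[i]);
    return ee_write(e, addr, data);
}

int main(void) {
    eeprom e;
    ee_init(&e);
    /* 1: write, then poll: behaves like a slow RAM write */
    ee_write(&e, 0x0010, 0x5A);
    int polls = ee_poll_until_done(&e, 0x0010, 0x5A, 100);
    printf("write+poll: %d polls, 0x10 reads 0x%02X\n", polls, ee_read(&e, 0x0010));
    /* 2: back-to-back writes with no poll: the second one is lost */
    ee_write(&e, 0x0020, 0x11);
    bool second = ee_write(&e, 0x0021, 0x22);
    ee_poll_until_done(&e, 0x0020, 0x11, 100);
    printf("second write accepted: %s, 0x21 reads 0x%02X\n",
           second ? "yes" : "no", ee_read(&e, 0x0021));
    /* 3: protection armed: stray write ignored, unlocked write lands */
    ee_enable_sdp(&e);
    ee_write(&e, 0x0030, 0x33);
    printf("stray write under SDP: 0x30 reads 0x%02X\n", ee_read(&e, 0x0030));
    ee_sdp_write(&e, 0x0030, 0x33);
    ee_poll_until_done(&e, 0x0030, 0x33, 100);
    printf("unlocked write under SDP: 0x30 reads 0x%02X\n", ee_read(&e, 0x0030));
    return 0;
}
```

The model makes both posters' claims visible at once: the bus transaction that starts a write is a plain address/data write, and the part still needs the poll (or a fixed delay) before the next byte, which is exactly the difference firmware update tools have to respect and exactly what data protection on the chip is there to stop when no tool is involved.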
On Sat, 19 Sep 2009 15:37:11 -0600, in the land of
24hoursupport.helpdesk, §ñühw¤£f <snuhwolf@netscape.net> got double
secret probation for writing:
>In message <bu0ab5d7ntv6pkm67sae1sr9ve1o1iq1sb@4ax.com>, Aratzio wrote:
>> On Sat, 19 Sep 2009 14:47:28 +0000 (UTC), in the land of
>> 24hoursupport.helpdesk, §ñühw¤£f <snuhwolf5150@hotmail.com> got double
>> secret probation for writing:
>>
>> >nobody > <usenetharvested@aol.com> pinched out a steaming pile
>> >of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com >:
>> >
>> >>~BD~ wrote:
>> >>> "nobody >" <usenetharvested@aol.com> wrote in message
>> >>> news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
>> >>>> ~BD~ wrote:
>> >>>>> I asked this question in the two 'security' newsgroups to which I
>> >now
>> >>>>> crosspost.
>> >>>>>
>> >>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
>> >>>> If you are truly speaking of Read Only Memory that was installed at
>> >>>> assembly, there's no way that a rootkit could be there unless it
>> >was put
>> >>>> on when the ROM was "Burned"
>> >>>
>> >>> "§ñühw¤£f" poses the question of 'flashing' the BIOS.
>> >>>
>> >>> I'm suggesting that if/when this action is carried out, it might
>> >well be
>> >>> possible to introduce malware to a system - which will remain for
>> >posterity.
>> >>>
>> >>> If I am right, I'm asking if there is any way that ordinary folk
>> >could ever
>> >>> find out the truth. *Is* there a way?
>> >>>
>> >>> --
>> >>> Dave
>> >>>
>> >>>
>> >>
>> >>"Flashing the BIOS" means that the chip(s) in question are
>> >>erasable/reprogrammable. By long convention, ROM is static and can
>> >>only be written to ONCE. The term "burning" came from the original
>> >>design where you actually burnt elements of the chip away to store the
>> >>contents.
>> >>
>> >
>> >Firmware Upgrade.
>> >
>> >Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
>> >So when I downloaded a "flash modem tool" from USR and upgraded a modem
>> >with linux (it was pretty exciting btw and made me feel like I was a
>> >smarty) I bet it wasnt an EEPROM chip but a ROM chip.
>> >Or was I mistaken?
>> >Hmmmm...
>>
>> VERY BASIC:
>> ROM - Data fixed in silicon - expensive in small quantity.
>> PROM - Write Once - Read Many - Much less expensive but not eraseable.
>> EPROM - UV Eraseable data - Erase was slow and required UV lamps
>> EEPROM - Electrically Eraseable - Essentially a RAM with retention.
>> (Multiple types of flash & rom fit here)
>> FLASH - An EEPROM with higher density, faster write speeds and more
>> write cycles. Different technology than the original EEPROM. Multiple
>> types now NAND/NOR.
>>
>>
>> A flash modem tool would have been used on any of the "electrically
>> erasable" devices that could be reprogrammed under software control.
>> Anything before that technology would require removal of the memory.
>
>SUDDENLY I DON'T FEEL SO SPECIAL
Thank you for providing those links, TRT. FYI, I had seen all of them
before! :)
I cannot comment on your assertion that Leythos is, in fact, David
Lipman in disguise. Quite possible I'm sure!
I'll explain my concern. I recently posted this item:-
On this page http://aumha.net/viewtopic.php?f=30&t=4075 those suffering
computer problems are directed to download and run a number of programmes
before asking the AumHa gurus for help with cleaning malware from their
machines.
Blind faith is expected. How can an inexperienced computer user have any
idea whether or not complying with the site 'requirements' is a *good*
thing
to do? Might it not make matters worse?
Maybe someone here can assure me that by following the instructions, no
harm
will come to one's machine.
What do you think?
Has anyone put AumHa to the test?
--
Dave (coming clean ........ I have been banned from asking questions at
Aumha.net)
***************
Having effectively handed over full control of one's machine to the
gurus, my conjecture is that - if the techniques we are discussing
*have* been developed - a machine could be handed back to the owner in a
supposedly 'clean' condition when, in reality, a rootkit has been
installed surreptitiously.
It would appear from what others have said that there is no way that the
end user would ever know.
Fiction? FUD? Supposition? I don't suppose we'll ever know for sure.
What I *do* know for sure is that the 'prime mover' at AumHa (Robear
Dyer) has lied and will give no valid reason for my exclusion from their
'club'. I therefore remain suspicious, skeptical and alert! ;)
In article <cuSdnflkL49DHyjXnZ2dnUVZ8vudnZ2d@bt.com>, BoaterDave@hotmail.co.uk says...
>
> Leythos wrote:
> > In article <X-ednTEkkuaxxijXnZ2dnUVZ8rCdnZ2d@bt.com>,
> > BoaterDave@hotmail.co.uk says...
> >> David H. Lipman wrote:
> >>
> >>> BoaterDave is an idiot
> >> That is not true. Please deal with *facts*.
> >
> > Your own history seems to indicate the statement is true.
> >
> >>> To date NO ONE has "infected" a BIOS.
> >> You cannot possibly know that to be true.
> >>
> >> You may simply be unaware of the truth.
> >
> > I've been working with computers, designing hardware, burning EPROMS,
> > EEPROMS, and making PALS, and programming ROM's for 30+ years, or at
> > least most of 30 years.
> >
> > I have NEVER seen a malware in the wild that rewrites a BIOS, have not
> > read about one, have not read about anyone that has actually seen one in
> > real-life....
> >
> > You need to put the tin-foil hat back on BD.
> >
>
> I have immense respect for your experience, Leythos
>
> You are 'Old school' though ...... and will *always* be two steps behind
> the bad guys.
>
> If malware *did* rewrite the BIOS in some malicious way, please explain
> just *how* you would know that it had happened.
BD, the reason I own a successful I.T. business is that I learn each
day, train, invest in technology, etc.... I am NOT behind the bad-guys
by any means, in fact, since none of our networks have ever been
compromised, I would have to say that I'm ahead of them.
To answer your question, the same way you would know if you're hacked
now - the traffic would be seen and detected.
Now, as I said before, it's not happened outside of a test lab that I
know of anywhere.
--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself. spam999free@rrohio.com (remove 999 for proper email address)
In article <1qadnbFq8d_zECjXnZ2dnUVZ_rednZ2d@giganews.com>, trt@void.com
says...
> BD, Leythos is nothing but a sock puppet for David Lipman.
>
HA HA HA - I can assure you that I have never posted as anyone other
than myself and I'm not pretending to be anyone I'm not. I state, for a
fact, that I am NOT David Lipman or any other person - other than
myself.
It's funny that you claim I'm a sock for someone when you've been bested
as posting from 30+ identities in support of yourself.
--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself. spam999free@rrohio.com (remove 999 for proper email address)
Blind faith is all you have to go by when using any program whether it is
from the internet or COTS products for first time users. That's just like
eating at a new restaurant for the first time.
--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
"~BD~" <BoaterDave@hotmail.co.uk> wrote in message
news:mKidnfx3aNv9dCjXnZ2dnUVZ8gOdnZ2d@bt.com...
> The Real Truth MVP wrote:
>> BD, Leythos is nothing but a sock puppet for David Lipman. David Lipman
>> thinks he is the Usenet god. Mr. know it all is wrong. But I'd bet that
>> if anyone other then you would have asked that question(or me) the idiot
>> would probably have done some research. See here
>> http://www.tomshardware.com/news/bio...door,7400.html
>> http://www.v3.co.uk/vnunet/news/2239...ders-antivirus
>> http://www.tomshardware.com/news/lem...bios,2155.html
>
>
>
> Thank you for providing those links, TRT. FYI, I had seen all of them
> before! :)
>
> I cannot comment on your assertion that Leythos is, in fact, David Lipman
> in disguise. Quite possible I'm sure!
>
>
> I'll explain my concern. I recently posted this item:-
>
>
> On this page http://aumha.net/viewtopic.php?f=30&t=4075 those suffering
> computer problems are directed to download and run a number of programmes
> before asking the AumHa gurus for help with cleaning malware from their
> machines.
>
> Blind faith is expected. How can an inexperienced computer user have any
> idea whether or not complying with the site 'requirements' is a *good*
> thing
> to do? Might it not make matters worse?
>
> Maybe someone here can assure me that by following the instructions, no
> harm
> will come to one's machine.
>
> What do you think?
>
> Has anyone put AumHa to the test?
>
> --
> Dave (coming clean ........ I have been banned from asking questions at
> Aumha.net)
>
>
> ***************
>
> Having effectively handed over full control of one's machine to the gurus,
> my conjecture is that - if the techniques we are discussing *have* been
> developed - a machine could be handed back to the owner in a supposedly
> 'clean' condition when, in reality, a rootkit has been installed
> surreptitiously.
>
> It would appear from what others have said that there is no way that the
> end user would ever know.
>
> Fiction? FUD? Supposition? I don't suppose we'll ever know for sure. What
> I *do* know for sure is that the 'prime mover' at AumHa (Robear Dyer) has
> lied and will give no valid reason for my exclusion from their 'club'. I
> therefore remain suspicious, skeptical and alert! ;)
>
> --
> Dave
Aratzio <a6ahlyv02@sneakemail.com> pinched out a steaming pile
of<5s5bb5l21e3iba04fie2jbf4qsrceh10k9@4ax.com>:
>On Sat, 19 Sep 2009 15:37:11 -0600, in the land of
>24hoursupport.helpdesk, §ñühw¤£f <snuhwolf@netscape.net> got double
>secret probation for writing:
>
>>In message <bu0ab5d7ntv6pkm67sae1sr9ve1o1iq1sb@4ax.com>, Aratzio wrote:
>>> On Sat, 19 Sep 2009 14:47:28 +0000 (UTC), in the land of
>>> 24hoursupport.helpdesk, §ñühw¤£f <snuhwolf5150@hotmail.com> got double
>>> secret probation for writing:
>>>
>>> >nobody > <usenetharvested@aol.com> pinched out a steaming pile
>>> >of<foSdnalSqNT8vCnXnZ2dnUVZ_gednZ2d@supernews.com >:
>>> >
>>> >>~BD~ wrote:
>>> >>> "nobody >" <usenetharvested@aol.com> wrote in message
>>> >>> news:BdidnU6tuJm5Zi7XnZ2dnUVZ_oVi4p2d@supernews.com...
>>> >>>> ~BD~ wrote:
>>> >>>>> I asked this question in the two 'security' newsgroups to which I
>>> >now
>>> >>>>> crosspost.
>>> >>>>>
>>> >>>>> "Is there *any* tool which can identify a rootkit on a ROM chip?"
>>> >>>> If you are truly speaking of Read Only Memory that was installed at
>>> >>>> assembly, there's no way that a rootkit could be there unless it
>>> >was put
>>> >>>> on when the ROM was "Burned"
>>> >>>
>>> >>> "§ñühw¤£f" poses the question of 'flashing' the BIOS.
>>> >>>
>>> >>> I'm suggesting that if/when this action is carried out, it might
>>> >well be
>>> >>> possible to introduce malware to a system - which will remain for
>>> >posterity.
>>> >>>
>>> >>> If I am right, I'm asking if there is any way that ordinary folk
>>> >could ever
>>> >>> find out the truth. *Is* there a way?
>>> >>>
>>> >>> --
>>> >>> Dave
>>> >>>
>>> >>>
>>> >>
>>> >>"Flashing the BIOS" means that the chip(s) in question are
>>> >>erasable/reprogrammable. By long convention, ROM is static and can
>>> >>only be written to ONCE. The term "burning" came from the original
>>> >>design where you actually burnt elements of the chip away to store the
>>> >>contents.
>>> >>
>>> >
>>> >Firmware Upgrade.
>>> >
>>> >Was the modem *designed* with an EEPROM? I'm thinking it wasnt.
>>> >So when I downloaded a "flash modem tool" from USR and upgraded a modem
>>> >with linux (it was pretty exciting btw and made me feel like I was a
>>> >smarty) I bet it wasnt an EEPROM chip but a ROM chip.
>>> >Or was I mistaken?
>>> >Hmmmm...
>>>
>>> VERY BASIC:
>>> ROM - Data fixed in silicon - expensive in small quantity.
>>> PROM - Write Once - Read Many - Much less expensive but not eraseable.
>>> EPROM - UV Eraseable data - Erase was slow and required UV lamps
>>> EEPROM - Electrically Eraseable - Essentially a RAM with retention.
>>> (Multiple types of flash & rom fit here)
>>> FLASH - An EEPROM with higher density, faster write speeds and more
>>> write cycles. Different technology than the original EEPROM. Multiple
>>> types now NAND/NOR.
>>>
>>>
>>> A flash modem tool would have been used on any of the "electrically
>>> erasable" devices that could be reprogrammed under software control.
>>> Anything before that technology would require removal of the memory.
>>
>>SUDDENLY I DON'T FEEL SO SPECIAL
>
>Oh you are very very special.
>
YAY
YAY
Leythos wrote:
> In article <cuSdnflkL49DHyjXnZ2dnUVZ8vudnZ2d@bt.com>,
> BoaterDave@hotmail.co.uk says...
>> Leythos wrote:
>>> In article <X-ednTEkkuaxxijXnZ2dnUVZ8rCdnZ2d@bt.com>,
>>> BoaterDave@hotmail.co.uk says...
>>>> David H. Lipman wrote:
>>>>
>>>>> BoaterDave is an idiot
>>>> That is not true. Please deal with *facts*.
>>> Your own history seems to indicate the statement is true.
>>>
>>>>> To date NO ONE has "infected" a BIOS.
>>>> You cannot possibly know that to be true.
>>>>
>>>> You may simply be unaware of the truth.
>>> I've been working with computers, designing hardware, burning EPROMS,
>>> EEPROMS, and making PALS, and programming ROM's for 30+ years, or at
>>> least most of 30 years.
>>>
>>> I have NEVER seen a malware in the wild that rewrites a BIOS, have not
>>> read about one, have not read about anyone that has actually seen one in
>>> real-life....
>>>
>>> You need to put the tin-foil hat back on BD.
>>>
>> I have immense respect for your experience, Leythos
>>
>> You are 'Old school' though ...... and will *always* be two steps behind
>> the bad guys.
>>
>> If malware *did* rewrite the BIOS in some malicious way, please explain
>> just *how* you would know that it had happened.
>
> BD, the reason I own a successful I.T. business is that I learn each
> day, train, invest in technology, etc.... I am NOT behind the bad-guys
> by any means, in fact, since none of our networks have ever been
> compromised, I would have to say that I'm ahead of them.
>
> To answer your question, the same way you would know if you're hacked
> now - the traffic would be seen and detected.
>
> Now, as I said before, it's not happened outside of a test lab that I
> know of anywhere.
>
@ Leythos
I'm delighted to learn that your business is successful and that you are
100% certain that none of *your* clients have been compromised.
The whole point of today's sophisticated malware is to utilise machines,
(perhaps in a botnet) for nefarious purposes, WITHOUT declaring its hand
to users.
Please remind me (indeed, explain for others reading here too, perhaps)
exactly *how* the 'average user' can "see" and "detect" traffic in
the normal course of usage of their computer. For this particular exercise,
let us assume that the user's resident, up-to-date, paid for, commercial
anti-virus programme has already been rendered ineffective by malware.
This is not a trolling question. I'd like to know *how* an ordinary
computer user would know something was amiss, especially if using one of
today's powerful machines.
In article <xdadncqzuLor3SvXnZ2dnUVZ8sednZ2d@bt.com>, BoaterDave@hotmail.co.uk says...
> The whole point of today's sophisticated malware is to utilise machines,
> (perhaps in a botnet) for nefarious purposes, WITHOUT declaring its hand
> to users.
>
And the entire point is that you can DETECT that malware if you just
understand a LITTLE about security and the way they attack your
systems/network.
With all respect, I'm not about to entertain your trolling. I have
stated that with 30+ years of experience in designing hardware and
programming across almost every platform known, I have never seen or
read/talked to anyone that has experienced a firmware compromise.
While it's possible in a lab environment it does not seem viable outside
of very controlled conditions.
If the NORMAL user is of your skill and blindness they are as lost as
you are - the methods and information have been available for more than a
decade, it's up to you to care or not.
--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself. spam999free@rrohio.com (remove 999 for proper email address)
Leythos wrote:
> In article <xdadncqzuLor3SvXnZ2dnUVZ8sednZ2d@bt.com>,
> BoaterDave@hotmail.co.uk says...
>> The whole point of today's sophisticated malware is to utilise machines,
>> (perhaps in a botnet) for nefarious purposes, WITHOUT declaring its hand
>> to users.
>>
>
> And the entire point is that you can DETECT that malware if you just
> understand a LITTLE about security and the way they attack your
> systems/network.
>
> With all respect, I'm not about to entertain your trolling. I have
> stated that with 30+ years of experience in designing hardware and
> programming across almost every platform known, I have never seen or
> read/talked to anyone that has experienced a firmware compromise.
>
> While it's possible in a lab environment it does not seem viable outside
> of very controlled conditions.
>
> If the NORMAL user is of your skill and blindness they are as lost as
> you are - the methods and information have been available for more than a
> decade, it's up to you to care or not.
>
You might just as well have said - "I don't know"!
Following the identity theft incident I suffered some four years ago now
the police from our (then) high-tech crime unit recommended that I
trash my machine (not 'clean' it or replace the hard drive). Maybe
*they* knew something of which you are simply unaware, Leythos!
Some universities teach computer science as a theoretical study of
computation and algorithmic reasoning. These programs often feature the
theory of computation, analysis of algorithms, formal methods,
concurrency theory, databases, computer graphics and systems analysis,
among others. They typically also teach computer programming, but treat
it as a vessel for the support of other fields of computer science
rather than a central focus of high-level study.
I suspect that you are a technician rather than a graduate (nothing
wrong with that) but if I am mistaken please advise at which university
you studied.
Maybe someone else will come forward with an answer.
In article <1r6dnYQoscNT0ivXnZ2dnUVZ8v6dnZ2d@bt.com>, BoaterDave@hotmail.co.uk says...
> You might just as well have said - "I don't know"!
LOL - that would be yourself - you just don't know and you seem
incapable of understanding.
>
> Following the identity theft incident I suffered some four years ago now
> the police from our (then) high-tech crime unit recommended that I
> trash my machine (not 'clean' it or replace the hard drive). Maybe
> *they* knew something of which you are simply unaware, Leythos!
LOL - and this has nothing to do with your BIOS Malware that you keep
going on about.
I've written more code on PROM/ROM than you've made posts in the last
year, so I'll assume that you're just being stupid or playing the troll
game. I'm done with you since you don't seem to "comprehend".
--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself. spam999free@rrohio.com (remove 999 for proper email address)
Leythos wrote:
> In article <1r6dnYQoscNT0ivXnZ2dnUVZ8v6dnZ2d@bt.com>,
> BoaterDave@hotmail.co.uk says...
>> You might just as well have said - "I don't know"!
>
> LOL - that would be yourself - you just don't know and you seem
> incapable of understanding.
>
>> Following the identity theft incident I suffered some four years ago now
>> the police from our (then) high-tech crime unit recommended that I
>> trash my machine (not 'clean' it or replace the hard drive). Maybe
>> *they* knew something of which you are simply unaware, Leythos!
>
> LOL - and this has nothing to do with your BIOS Malware that you keep
> going on about.
>
> I've written more code on PROM/ROM than you've made posts in the last
> year, so I'll assume that you're just being stupid or playing the troll
> game. I'm done with you since you don't seem to "comprehend".
>
>
>
I'll take that as a "No - I didn't go to university" shall I? :)
~BD~ wrote:
> David H. Lipman wrote:
>
> ...... nothing at all in response to my questions.
>
>
> Maybe the dreaded swine flu is the reason, eh?
>
> Failing to answer simple, straight-forward, questions does you no credit
> at all Mr Lipman.
>
> --
> Dave (the boater)
You forget this is usenet, you are not owed an answer, you may get one
if someone else wants to spend the time to answer.
If you do some research and pose an "interesting" question you'll have a
better chance of a response.
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
> To date NO ONE has "infected" a BIOS. There have been malware
> attempts and when it comes to Motherboard BIOS at best the BIOS is
> corrupted or deleted rendering the system incapable of booting.
> This subject matter has been discussed to death in alt.comp.virus and
> alt.comp.anti-virus long before BoaterDave posted to Usenet.
Dave,
You're usually reliable and helpful, but in this case you are unaware
of a persistent BIOS rootkit that happened to be shipping with a
variety of manufacturer's machines, highlighted at this year's
BlackHat conference: http://blogs.zdnet.com/security/?p=3828
and also you may have missed this from last year's CanSec West:
John Mason Jr wrote:
<snip>
>
> You forget this is usenet, you are not owed an answer, you may get one
> if someone else wants to spend the time to answer.
>
>
> If you do some research and pose an "interesting" question you'll have a
> better chance of a response.
>
>
> John
>
daves_not_here@SD235235.org wrote:
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
>> To date NO ONE has "infected" a BIOS. There have been malware
>> attempts and when it comes to Motherboard BIOS at best the BIOS is
>> corrupted or deleted rendering the system incapable of booting.
>> This subject matter has been discussed to death in alt.comp.virus and
>> alt.comp.anti-virus long before BoaterDave posted to Usenet.
>
> Dave,
>
> You're usually reliable and helpful, but in this case you are unaware
> of a persistent BIOS rootkit that happened to be shipping with a
> variety of manufacturer's machines, highlighted at this year's
> BlackHat conference:
> http://blogs.zdnet.com/security/?p=3828
>
> and also you may have missed this from last year's CanSec West:
>
> http://threatpost.com/blogs/research...attack-methods
>
My suspicion is that the 'bad guys' had discovered how to exploit this
long ago - pure conjecture, of course! ;)
I also don't think Mr Lipman has missed anything at all. I think *he*
knows full well what is happening on the Wild, Wild, Web but doesn't
want 'us' to know about it!
| daves_not_here@SD235235.org wrote:
>> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
>>> To date NO ONE has "infected" a BIOS. There have been malware
>>> attempts and when it comes to Motherboard BIOS at best the BIOS is
>>> corrupted or deleted rendering the system incapable of booting.
>>> This subject matter has been discussed to death in alt.comp.virus and
>>> alt.comp.anti-virus long before BoaterDave posted to Usenet.
>> Dave,
>> You're usually reliable and helpful, but in this case you are unaware
>> of a persistent BIOS rootkit that happened to be shipping with a
>> variety of manufacturer's machines, highlighted at this year's
>> BlackHat conference:
>> http://blogs.zdnet.com/security/?p=3828
>> and also you may have missed this from last year's CanSec West:
| My suspicion is that the 'bad guys' had discovered how to exploit this
| long ago - pure conjecture, of course! ;)
| I also don't think Mr Lipman has missed anything at all. I think *he*
| knows full well what is happening on the Wild, Wild, Web but doesn't
| want 'us' to know about it!
| --
| Dave
These are NOT "in the wild". The CoreSecurity method is lab experiment.
The Computer form of LoJack is not a third party RootKit nor really a RootKit but a
possible exploitable vector.
Promoting your suspicions, even with an appended smiley, is again injecting FUD.
David H. Lipman wrote:
> From: "~BD~" <BoaterDave@hotmail.co.uk>
>
> | daves_not_here@SD235235.org wrote:
>>> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
>>>> To date NO ONE has "infected" a BIOS. There have been malware
>>>> attempts and when it comes to Motherboard BIOS at best the BIOS is
>>>> corrupted or deleted rendering the system incapable of booting.
>>>> This subject matter has been discussed to death in alt.comp.virus and
>>>> alt.comp.anti-virus long before BoaterDave posted to Usenet.
>
>>> Dave,
>
>>> You're usually reliable and helpful, but in this case you are unaware
>>> of a persistent BIOS rootkit that happened to be shipping with a
>>> variety of manufacturer's machines, highlighted at this year's
>>> BlackHat conference:
>>> http://blogs.zdnet.com/security/?p=3828
>
>>> and also you may have missed this from last year's CanSec West:
>
>>> http://threatpost.com/blogs/research...attack-methods
>
>
> | More detail here, too
> | http://blogs.zdnet.com/security/?p=2962
>
> | My suspicion is that the 'bad guys' had discovered how to exploit this
> | long ago - pure conjecture, of course! ;)
>
> | I also don't think Mr Lipman has missed anything at all. I think *he*
> | knows full well what is happening on the Wild, Wild, Web but doesn't
> | want 'us' to know about it!
>
> | --
> | Dave
>
> These are NOT "in the wild". The CoreSecurity method is lab experiment.
>
> The Computer form of LoJack is not a third party RootKit nor really a RootKit but a
> possible exploitable vector.
>
> Promoting your suspicions, even with an appended smiley, is again injecting FUD.
>
I do appreciate your reply. Thank you.
Now, not just for me - but for everyone else reading this thread too -
please explain just *how* you *know* that there are no "in the wild"
methods of adding malware to parts of a computer other than the hard disk.
Just because *you* have never heard about it - does that make it a fact?
In article <84tyywx2zv84skegx2zv__84r5u0x2zv@yahoo.com>, daves_not_here@SD235235.org says...
> You're usually reliable and helpful, but in this case you are unaware
> of a persistent BIOS rootkit that happened to be shipping with a
> variety of manufacturer's machines, highlighted at this year's
> BlackHat conference:
>
Notice how IT SHIPPED ALREADY INSTALLED - that's significantly different
than being installed by browsing a website....
--
You can't trust your best friends, your five senses, only the little
voice inside you that most civilians don't even hear -- Listen to that.
Trust yourself. spam999free@rrohio.com (remove 999 for proper email address)
"~BD~" wrote:
> Now, not just for me - but for everyone else reading this thread too -
I'm reading and I don't need an explanation.
> please explain just *how* you *know* that there are no "in the wild"
> methods of adding malware to parts of a computer other than the hard disk.
Some of us in alt.computer.security (me included) research malware and
have contact with other researchers, some of whom do it for a living;
for example, they might work for an anti-virus company and have access
to thousands of current samples. I also keep up to date with what's
going on "in the wild" by following various security blogs and forums.
> Just because *you* have never heard about it - does that make it a fact?
Probably, because David does the same sort of thing and if there had
been any news he/I would have heard about it.
daves_not_here@SD235235.org wrote:
> "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:
>> To date NO ONE has "infected" a BIOS. There have been malware
>> attempts and when it comes to Motherboard BIOS at best the BIOS is
>> corrupted or deleted rendering the system incapable of booting.
>> This subject matter has been discussed to death in alt.comp.virus and
>> alt.comp.anti-virus long before BoaterDave posted to Usenet.
>
> Dave,
>
> You're usually reliable and helpful, but in this case you are unaware
> of a persistent BIOS rootkit that happened to be shipping with a
> variety of manufacturer's machines, highlighted at this year's
> BlackHat conference:
> http://blogs.zdnet.com/security/?p=3828
"Computrace LoJack for Laptops, which is pre-installed on about 60
percent of all new laptops, is a software agent that lives in the BIOS
and periodically calls home to a central authority for instructions in
case a laptop is stolen. The call-home mechanism allows the central
authority to instruct the BIOS agent to wipe all information as a
security measure, or to track the whereabouts of the system."
"“This is a rootkit. It might be a legitimate rootkit, but it’s a
dangerous rootkit,” Sacco declared."
"Sacco and Ortega stressed that in order to execute the attacks, you
need either root privileges or physical access to the machine in
question, which limits the scope. But the methods are deadly effective
and the pair are currently working on a BIOS rootkit to implement the
attack."
In other words, as Dave L, I, and others have already said, it CAN be
done. A bridge from Cuba to Tampa CAN be built as well. Right now,
writing malware code to "build that bridge" would be about as probable
as getting the "birthers" to STFU.
Please note... it's not unusual for vulnerabilities like this to "get
airplay" at conferences and such. I've seen similar stories over the
years that have ended up as "chicken little" episodes.
That little statement "the pair are currently working on a BIOS rootkit"
kind of sums it up. The badasses have been trying to write a BIOS
rootkit for how many years now? Have we seen one yet? Do Sacco and
Ortega know something that the malware writers don't?