Hello,
If I may, I'd like to offer you a slightly different opinion.

I'm a long-time lurker on this list and happened to be cleaning out my
spam bin when I found this. (No, I'm not joking, nor am I talking down to
you, it really went into my mail provider's auto-spam-detection bin.)

Read more in-line below:

On Mon, 11 Nov 2024 21:36:10 +0000
s3nsor <s3n...@protonmail.com> wrote:
> As a public service, I feel I should share my experiences over the past
> month or so.
> 
> I live on the United States, in the middle of the country in a
> moderately sized city.
> 
> Six months ago I purchased a new Lenovo E16 Gen 1 laptop from Micro
> Center. On the first boot, I booted OpenBSD media and overwrote the
> disk with random data. Then I installed OpenBSD 7.5 with full disk
> encryption using a key disk.
> 
> After installing the OS, I locked down the UEFI settings, disabling
> Bluetooth, disabling always on USB, UEFI rollback etc. I configured a
> boot password and systems admin password for the UEFI.
Let's start here. If IME can bypass UEFI, why use a UEFI password? By
your own admission, that only stops a physical attacker who *needs*
physical access.

> I downloaded syspatch and firmware packages over Tor using TAILS on a
> Puri.sm laptop with read-only coreboot. After installing syspatches and
> firmware, the E16 was air gapped.
Good idea. But what if TAILS is compromised by a nation state actor?

Let's face it, unless you built TAILS from the source code (all of which
you review before compiling!!!!) you've no way of knowing if someone in
the TAILS team put that little nugget of malware into the system.

Likewise, if you don't hand code a compiler then the compiler is
trusted by default when it shouldn't be if your threat model is a
nation state actor.

> The E16 was never connected to a network of any kind. All network
> interfaces were configured to be down. Pf was configured to drop all
> packets.
That stops OpenBSD from connecting. Not necessarily any UEFI firmware or
Management Engine from connecting.

> Base package, X11, and man pages were installed. I was running X by
> default. I set up a VM in its own routing domain and configured SSH
> access into the routing domain in pf. I installed the compiler for
> coding on the VM. All my code is kept on the VM. No other packages were
> installed.
Ditto.
 
> A month ago, I was at Starbucks waiting to pick up my son for dinner. I
> had my laptop plugged into the A/C outlet to charge the battery. An
> older Jewish gentleman came and asked me to plug his laptop into the
> outlet for him. I obliged, but disconnected my power adapter. To which
> he said in a disappointing tone “your plug fell out”. I said “yup”.
>
> The next time I was waiting at the Starbucks, two days later, another
> older Jewish man came and asked to plug in. I again disconnected my
> power adapter before plugging his in.

Let me tell you a little story about something that happened to me today.
I was working near a driveway and a gentleman pulled up and began backing
up. Seeing me, he stopped.

Good natured me, thinking I was in his way, walked over and inquired of
the black man if he needed me to move. To which he responded, "I will be
out of here soon. I will not be in your way very long."

Notice, that wasn't what I asked. I reassured him that he was not in my
way and that I was asking if I were in his way. He was confused.

After a while of back and forth, I realized that he was Jamaican and
couldn't understand English or Spanish.

I ended up doing a double okie-dokie, smiling, and telling him in both
English and Spanish that he was okay. I still don't know if he understood.


Likewise, maybe your Jewish "friends" just think you're weirdly
standoffish. They assume that you have a problem with them. Your
behaviors create an air of mistrust.

Such an air would be more natural for a security professional, but then
such pros wouldn't intentionally bring their precious air-gapped laptop
(complete with top-secret source code) within a mile of nation state
actors.

> A week goes by. One day at the Starbucks, I’m facing the other
> direction to avoid glare while I was working. And I’d plugged my power
> adapter into the A b/c there was no one in the coffee shop but me and
> the baristas.
> 
> After a few hours of being engrossed in my work, I look up from my work
> to find an older Jewish man had plugged into the same outlet as me.
>
> I’m specifically calling these 3 gentlemen Jewish b/c I think it’s
> an important detail.
It is. To think that the NSA would be dumb enough to try the same
disguise on you 3 times! How they have fallen!

> During the past month, I begin to notice suspicious characters at
> coffee shops I frequent. Military types using two laptops
> simultaneously. People I’ve never seen around before, etc.
So people passing through use a coffee shop to get work on their laptops
done.

> Finally, Tuesday of last week, there was a college aged Asian woman at
> my usual Starbucks. Probably Chinese, but I can’t be sure. I'm a
> regular and I’ve never seen her before. She was on a cellphone, not
> scrolling like normal people, but doing a lot of typing. I think
> nothing of it at the time.
Boyfriend?

> Thursday, at the same Starbucks, the young Asian woman is there again.
> I think nothing of it, until a husky older gentleman comes in and asks
> to sit at her table and plug into the power outlet which she is plugged
> into. After the gentleman sits and begins using his phone, the Asian
> woman jumps up and leaves abruptly.
Competition is at her boyfriend's house and it's time to eliminate her?

Seriously, this could be any number of things. There's jumping to
conclusions and then there's plain old lack of evidence.

> On this day, I was not plugged into the power outlet, I was running off
> battery. Coincidentally, almost simultaneously with the Asian woman
> leaving, I needed another session on my VM, so I run the command to
> connect and the xterm window disappears. I open another xterm, run the
> command and it disappears. I do it a third time. It disappears. It’s
> then I realize this is exactly the behavior you get when pledge/unveil
> are violated. So I know at that instant, my machine is compromised.
Umm, this could be almost anything. A random memory corruption bug would
do that easily.

> I wiped the data from the hard drive.
Now you have no way to figure out who did it, how they did it, what they
wanted, etc. Like the first thing you do in a security violation
situation is to decide what your goals are and then work from there to
contain, investigate, and eliminate any sources of infection on your
machines.

> I think perhaps updating the UEFI would be a good way of eliminating a
> possible root kit. I download the latest UEFI update ISO from Lenovo
> (over Tor). I reset the UEFI to factory defaults, and attempt to boot
> to the upgrade CD after disabling secure boot. The machine refuses to
> boot the CD. This makes me believe the UEFI is in fact rooted, because
> I’ve booted from a CD image on the machine once before.
Now that's slightly more interesting, but again, this could be just about
anything.

> Here’s how I think the compromise went down. Attackers initially used
> A/C power to connect to IME. With a connection to IME,
Why when they could use the wireless to go direct to the IME? Like have
you even seen the slides from the Chaos Computer Club talk? Intel's ME is
directly connected to the network port. Now it might very well be
connected directly to the WiFi as well.

https://youtu.be/0o8Co1ekemU
Offset about 9:30.

> I speculate they
> were able to drive either Bluetooth, Wi-Fi, or both. With better
> connectivity, I speculate they rooted the UEFI. From there, they were
> able to gain some kind of access to processes on the OS. Which is why
> my command to connect to my VM instance failed, taking xterm with it.
Or the laptop has a HW problem???

> Why am I sharing this story? Particularly, b/c it’s largely anecdotal
> and based on my observations and not data.
There are experts out there who do firmware dumps and investigations. You
could ask/pay any one of them to help with this.

> Frankly, I’m frustrated. I’m an honest man. I live a quiet life. I’m
> not a criminal or a spy. And yet I feel as though I’ve been targeted by
> adversaries with apparent nation state capabilities. Why? There are no
> answers.
Because you are there?
Seriously, that's what totalitarian regimes do. But is that what we have
in the USA? If "Yes," then it naturally follows that *not* having spyware
on your computers is a criminal offense. And we're not at that point --
yet.

> Beyond my frustration, I feel deeply violated.
Umm, if you're in a totalitarian regime where we all get spied on, then
this should be normal for you. You would be numb to it. "Oh yes, the US
gov is spying on me." Like, "Oh, the sun comes up in the East".

> I run OpenBSD
> b/c it has the best manual pages, and I care about privacy. The code
> I'm working on is unimportant, except to me to help me cope with the
> chaos of the world around me.
> 
> By violating my privacy they’re stealing my peace of mind, and it’s
> wrong. And I can’t stop them.
> 
> I’m sharing hoping others can learn from my misfortune, and in their
> learning I hope it makes my adversaries’ jobs harder going forward.
Well, I hope I've helped you learn a bit too. And if it sounds like I'm a
comp sec pro then it is because I studied to be one.*

You're welcome,
David

* "Why didn't you become one?" you ask. I wanted to do other things.
Computer security was just important to me to understand. I love the
field, not the job, if that makes any sense.
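An added triage example, not part of David's or s3nsor's messages: the thread turns on whether a vanishing xterm is a pledge(2) kill or "almost anything". On OpenBSD a pledge violation is recorded in the kernel log, so it can be checked rather than guessed. This POSIX sh helper looks for that record for a named process, pulls the syscall number out of it, and falls back to checking for a core file. The kernel log lines below are constructed; the line format (`name[pid]: pledge "promises", syscall N`) and the `name.core`-in-working-directory convention are assumptions stated in the comments.

```shell
#!/bin/sh
# Added triage helper, not code from the thread. Question it answers: did a
# process that vanished die from a pledge(2) violation, which OpenBSD records
# in the kernel log (and which normally also leaves a core file), or from
# something else (a plain crash, a signal, a normal exit)?
#
# Assumption: a pledge kill is logged as   name[pid]: pledge "promises", syscall N
# (the shape used by OpenBSD's kern_pledge.c). Matching keys on the process
# name and the word "pledge", so a slightly different format still matches.

# Constructed kernel log lines standing in for `dmesg` output on the box.
SAMPLE_DMESG='ugen0 at uhub0 port 3 "Intel Bluetooth" rev 2.00/0.01 addr 2
xterm[31337]: pledge "stdio rpath wpath cpath", syscall 98
wsmouse0 at ums0 mux 0'

# pledge_violations NAME LOG: print the log lines recording a pledge kill of NAME.
pledge_violations() {
    name=$1
    log=$2
    printf '%s\n' "$log" | grep -E "^${name}\[[0-9]+\]: pledge " || true
}

# pledge_syscall NAME LOG: the syscall number from the first matching line,
# empty when there is none.
pledge_syscall() {
    pledge_violations "$1" "$2" | sed -n '1s/.*syscall \([0-9][0-9]*\).*/\1/p'
}

# syscall_name N: resolve a syscall number through the system's
# <sys/syscall.h> when it has "#define SYS_xxx N" lines (OpenBSD's does);
# otherwise just report the number.
syscall_name() {
    n=$1
    found=$(awk -v n="$n" \
        '$1 == "#define" && $3 == n { sub(/^SYS_/, "", $2); print $2; exit }' \
        /usr/include/sys/syscall.h 2>/dev/null || true)
    printf '%s\n' "${found:-syscall $n}"
}

# classify_exit NAME LOG COREDIR: a one-word verdict for a process called NAME
# that disappeared. COREDIR is where its core would land (assumed: its working
# directory, as NAME.core). A pledge kill also drops a core, so it is checked
# first; a core without a pledge record points at an ordinary crash instead.
classify_exit() {
    name=$1
    log=$2
    coredir=$3
    if [ -n "$(pledge_violations "$name" "$log")" ]; then
        echo pledge-violation
    elif [ -f "$coredir/$name.core" ]; then
        echo crashed-with-core
    else
        echo no-evidence
    fi
}

# Stand-alone run against the constructed sample.
for p in xterm ssh; do
    printf '%s: %s\n' "$p" "$(classify_exit "$p" "$SAMPLE_DMESG" "$PWD")"
done
n=$(pledge_syscall xterm "$SAMPLE_DMESG")
if [ -n "$n" ]; then
    printf 'xterm was killed on %s\n' "$(syscall_name "$n")"
fi
```

On a live OpenBSD machine the call would be `classify_exit xterm "$(dmesg)" "$HOME"` (or `/var/log/messages` if dmesg has wrapped), run before anything is wiped; the verdict and the offending syscall are exactly the evidence the reply says is lost once the disk is overwritten.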
