On Sun, 29 Jul 2018 08:43:30 +0100, Simon wrote in message
<2ED6325A-A0B9-425B-8236-50657A44AE3E@???>:

> Arnt Karlsen <arnt@???> wrote:
>
> > ..or "make do with whatever you have onboard" in new "creative"
> > ways.
> >
> > ..people has played music on printers and harddisks produced to
> > print oud documents and store data, by hacking them in new creative
> > ways, for decades.
>
> Yes, but that's someone with access to the hardware doing it - and
> hardly a general purpose way of communicating without the user
> realising.

..to have full access to our own hardware, we must have accurate
knowledge of it, which BTW is precisely what we don't have, with
all these secret chipset backdoors.

> IMO this thread has strayed rather a long way into tinfoil
> hat territory ...

...just like climate change fixes and anti-aircraft artillery tactics,
where we try to guess _what_ the enemy might try to do, and try to stop
him from succeeding playing any of those tricks, without caring too much
about the precise details on how he might try do those tricks.

> However, there is a practical (or at least, possible) way for a
> storage device (eg SSD) to "phone home". Since it holds the
> bootloader and the OS, then in theory it could examine the contents
> of that, and feed in it's own shim before the main OS and sit there
> as this undetectable layer between the OS and the hardware, or just
> add in it's own bit of code to the OS (though code signing might
> break with that). That would probably work as a very targeted attack
> (and lets be honest, if you are of that much interest to the TLAs
> then you have bigger problems to worry about) where the target
> environment is well understood, but in the general case I think it
> would be more work than is justified. Just think of all the
> compatibility issues it would be likely to cause - getting that model
> of drive a bad reputation for crashing the systems. Even where it's a
> highly targeted attack, it would almost certainly be easier to simply
> "borrow" your laptop and copy the data from it than it would be to
> somehow persuade you to buy and fit a compromised new SSD !
>
> At some point you have to put the paranoia on hold and get on with
> life ;-)

..a luxury we can afford once we know which trick the enemy is going to
play on us. Meanwhile we're lucky if we waste no more than 2/3 of our
ammo on our bad guesses. The cost of getting on with life. ;o)

--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.