Slashdot videos: Now with more Slashdot!
We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).
Are there any utilities to do such a thing? Why don't these companies provide verification software to users? Has anyone compiled and posted a public list of known-good firmware hashes for the major hard drive vendors and models? This seems to be a critical hole in PC security. I did contact Seagate support asking for hashes of their latest firmware; I got a response stating, "...If you download the firmware directly from our website there is no risk on the file be tampered with." (Their phrasing, not mine.) Methinks somebody hasn't been keeping up with world events lately.
Yet the public record shows that over the years the NSA has honed its ability to steal encryption keys. Recent reports about the compromise of Gemalto's network and sophisticated firmware manipulation programs by the Office of Tailored Access Operations underscore this reality.
The inconvenient truth is that the current cyber self-defense formulas being presented are conspicuously incomplete. Security tools can and will fail. And when they do, what then? It's called Operational Security (OPSEC), a topic that hasn't received much coverage — but it should.
They say the two agencies were trying to intercept encryption keys that were being exchanged between mobile operators and the companies (like Gemalto) who supplied them with SIM cards. The company said it had noticed several security incidents in 2010 and 2011 that fit the descriptions in The Intercept's documents. Gemalto had no idea who was behind them until now. They add, "These intrusions only affected the outer parts of our networks – our office networks — which are in contact with the outside world. The SIM encryption keys and other customer data in general, are not stored on these networks." They claim proper use of encryption and isolation of different networks prevented attackers from getting the information they were after.
The Executive's own Privacy and Civil Liberties Oversight Board has written up an assessment (PDF) of reform measures implemented by the government. For those who want a quick summary the Board published a fact sheet (PDF) which includes a table listing recommendations made by the board almost a year ago and corresponding reforms. The fact sheet reveals that the Board's mandate to "end the NSA's bulk telephone records program" has not been implemented.
In other words, the physical infrastructure of the NSA's global panopticon is still in place. In fact, it's growing larger (PDF). So despite all of the press statements and associated media buzz very little has changed. There are people who view this as an unsettling indication of where society is headed. Ed Snowden claimed that he wanted to "trigger" a debate, but is that really enough? What will it take to tear down Big Brother?
But it makes me wonder: Whom do you trust with your data? And who really owns it? What about in 3-6 years from now? How should I make sure that I retain access to today's data 20 years from now? Is storing things locally even a reasonable option for most people? I have a lot of floppies and old IDE disks from the 90s around here, but no means to access them, and some of the CDs and DVDs has gone bad as well.