Comment: Re:How is a HDD firmware written? (Score 1) 320

by Agripa (#49179431) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

That sounds like a chicken-egg problem. If the drive can access the platters without firmware, what's the point of the firmware then? Or if the 'small bootloader' can actually access the platters, then what does it need to read the 'real thing' from the platters for?

The Flash storage for the boot-loader may be too small or in the old days it would be in mask ROM. It is also likely more convenient to program the current firmware image onto the drive instead of into the Flash. The drive meta-data like the sector relocation tables have to be read in from the drive anyway.

Comment: Re:The solution (Score 1) 320

by Agripa (#49179405) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

How does making the firmware non-writable protect against the No Such Agency simply inserting their code into the original firmware in the first place - along with gagging the manufacturer and requiring them to keep the presence of this added code secret?

Are they going to gag anybody who discovers that the manufacturer was complicit in allowing the NSA or any other agency to do this? Proof would be available to anybody capable of downloading the firmware image from the product and it only takes one person to discover and advertise the truth.

Then what happens to the reputation of the manufacturer when faced with undeniable proof that they did this? The government can grant them immunity from civil lawsuits like they did with the telecommunication companies but are they going to mandate that others continue to buy their products?

Comment: Re: Disable jumper (Score 1) 320

by Agripa (#49179293) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

The simple solutions are the best: a WP jumper for the flash. How hard could that be?

This used to be easy because the write protect switch could operate either through the high voltage programming supply or the write strobe. Internal charge pumps have obviated the need for an external high voltage programming supply and embedded Flash has no write strobe to access.

Comment: Re:Pretty pointless (Score 1) 320

by Agripa (#49179275) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

NSLs can't do that. The law is quite specific about what an NSL can request. Not only can't it demand pro-active measures like backdoors, NSLs can't even demand the content of communications that the recipient already has. NSLs are limited by law to demanding communications metadata only.

I assume the communication companies were handing over a lot more than the NSLs can demand in the spirit of cooperation and that is why the retroactive immunity was necessary. The safe bet is that everything including content is handed over where it can be used for parallel construction to avoid court review.

Comment: Re:Hashes not useful (Score 1) 320

by Agripa (#49179261) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

Being able to read the Flash image back over JTAG for comparison would be a good start.

Better I think would be to add hardware write protection which for Flash used to be fail-safe since it relied on an external programming supply but those days are long gone. Now you would have to tie the write protection into the write strobe which assumes access to it.
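
An added example, not part of the original comment: a sector-by-sector comparison of a read-back flash dump against a reference image, the kind of check a JTAG read-back would make possible. The 4 KiB sector size, the function names and the sample images are assumptions constructed for illustration.

```python
import hashlib

SECTOR = 4096   # assumed erase-sector size; take the real value from the part's datasheet
ERASED = 0xFF   # flash cells read back as 0xFF after erase

def compare_images(reference: bytes, readback: bytes, sector: int = SECTOR):
    """Return (offset, ref_sha256, dump_sha256) for every sector that differs.

    A read-back normally covers the whole chip while the reference image is
    shorter, so the reference is padded with the erased value. Anything
    programmed into space that should be erased is therefore reported too.
    """
    if len(readback) < len(reference):
        raise ValueError("read-back is shorter than the reference image")
    padded = reference + bytes([ERASED]) * (len(readback) - len(reference))
    diffs = []
    for off in range(0, len(readback), sector):
        ref_blk = padded[off:off + sector]
        dump_blk = readback[off:off + sector]
        if ref_blk != dump_blk:
            diffs.append((off,
                          hashlib.sha256(ref_blk).hexdigest()[:16],
                          hashlib.sha256(dump_blk).hexdigest()[:16]))
    return diffs

def build_samples():
    """Constructed sample data: a reference image, a clean dump, an altered dump."""
    reference = bytes(range(256)) * 40                 # 10240 bytes, 2.5 sectors
    chip_size = 4 * SECTOR
    clean = reference + b"\xff" * (chip_size - len(reference))
    altered = bytearray(clean)
    altered[0x1234] ^= 0x01                            # one flipped bit inside the image
    altered[3 * SECTOR + 16:3 * SECTOR + 20] = b"\x00\x01\x02\x03"  # data in erased space
    return reference, clean, bytes(altered)

if __name__ == "__main__":
    ref, clean, altered = build_samples()
    print("clean dump differences:", compare_images(ref, clean))
    for off, ref_h, dump_h in compare_images(ref, altered):
        print(f"sector at 0x{off:06x} differs: reference {ref_h}  dump {dump_h}")
```

The result only means something when the dump is taken over a path the firmware under test does not control, which is the reason for reading the Flash over JTAG rather than asking the drive.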

Comment: Re:Hashes not useful (Score 1) 320

by Agripa (#49179223) Attached to: Ask Slashdot: How Does One Verify Hard Drive Firmware?

Seagate is correct. Putting a hash on the website doesn't improve security at all because anyone who can change the download can also change the web page containing the hash.

More importantly Seagate has nothing to gain and much to lose if they provide a means to verify that their hardware has not been altered. Right now there is no way to know so Seagate can just deny it. Providing a means to prove it can only make them look bad and add to their already numerous customer service problems.

In light of the above, I assume that *all* Seagate products have been compromised by the NSA from the factory.

Comment: Re: BS aside, is the K-XL a good thing or not? (Score 1) 431

by Agripa (#49155403) Attached to: Obama Vetoes Keystone XL Pipeline Bill

I suspect that the reason(s) Obama doesn't just deny the application are simple: to deny the project would alienate organized labor (that stands in support of the thousands of construction jobs the pipeline means, just for the construction phase), and once denied, the Canadian firm can appeal the denial and probably has the right to demand a justification for the denial, and a Presidential 'I don't wanna' won't stand up in court.

Not issuing a denial prevents court review and the delay is equivalent to denying it anyway.

Comment: Re:You reap what you sow... (Score 1) 406

by Agripa (#49154523) Attached to: NSA Director Wants Legal Right To Snoop On Encrypted Data

The damage the NSA has done will take a generation to repair and that would be a generation with the NSA not actively doing damage the entire time. Absent that, we're not going back to the way things were... possibly ever.

I disagree. The damage will never be repaired if only because the NSA (and FBI and other law enforcement) will continue to cause further damage.

Comment: Re:He can make the policy (Score 1) 406

by Agripa (#49154509) Attached to: NSA Director Wants Legal Right To Snoop On Encrypted Data

The rest of the world don't want products with official US backdoors though.

Or unofficial backdoors with the NSA and FBI intercepting shipments of equipment through UPS, Fedex, and USPS to install their own. Since the warrants for such are not publicly available after any amount of time, I assume no warrants are needed and that there is no court review.

Comment: Re:The Devil is in the Implementation. (Score 1) 406

by Agripa (#49154481) Attached to: NSA Director Wants Legal Right To Snoop On Encrypted Data

The Government cannot compel you to incriminate yourself (give up the key) (5th Amendment).....If that doesn't work, who says you can recall the password or didn't lose the key

For fixed installations like a private NAS or workstation, it is possible to arrange for the key to be stored physically in a way such that a seizure would presumably destroy it.
