>>101762242
he thinks hes safe using firmware compiled by someone else using someone elses compiler

KEKK
they point antenna at your shittop and you get pwned in 1 second

>>101762347
this is an academic question. i'm actually trying to figure out a proper attack vector here.

>>101762367
tamper evident screws, assuming nail polish have been faked before

an implant is usually data line tap see cia vs wikileaks

but they can backdoor any binary in /bin as that is not verified by heads and you wouldnt notice

anyways you will get pwned by antenna no need to touch your device

>>101762394
and so i recommend writing your own firmware

DONT DO FULL DISK ENCRYPTION as funny as that sounds, you have to fully check system files

you can rhash root and sign it hash file
also print hash file and signature on paper

https://man.archlinux.org/man/rhash.1
https://wiki.archlinux.org/title/OpenPGP-card-tools

>>101762367
the entire point of heads is to mitigate the physical access = game over situation. It stops (or makes it far more difficult) for an attacker to do a software based evil maid attack. The only thing that I can think of that isn't covered here is a hardware-based attack. Assuming you could bug a keyboard (like what happened to that tor developer https://privacysos.org/blog/did-this-tor-developer-become-the-first-known-victim-of-the-nsas-laptop-interception-program/) and install it on the target's computer without them noticing/get them to install it.

>>101762394
It allows you to sign all bin files in /usr/bin /bin etc, and verify them at boot time like with the kernel files. Kudos to them, they did actually think of that.
What do you actually mean by "pwned with antenna" anon?

>>101762425
>DONT DO FULL DISK ENCRYPTION as funny as that sounds, you have to fully check system files
I was mistaken in my earlier post. The bin files can be signed, and verified from the heads menu by entering the LUKS volume password and letting the linux system oh the SPI flash chip verify the signed signature files. So the target would have to be actively suspicious of a compromise, and be checking for it. So there's a slightly higher chance that it goes unnoticed, but if they're looking out for it, you're boned. Herein lies the problem. The software attack surface is fucking tiny. Hardware attacks seem like the only sensible way in. The problem is bugging the device without the target knowing. Beyond that, rubber hose cryptanalysis seems like the only other option

>>101762428
>verify them at boot time like with the kernel files. Kudos to them, they did actually think of that.

yes but it sucks considering most distros update all the time

making own read only distro is requirement for this to work

also heads relies on tpm 1.2 using sha1, its shit

>What do you actually mean by "pwned with antenna" anon?
the nsa tao subteam dedicated to owning computers with antennas and magick

https://www.rtl-sdr.com/deep-tempest-eavesdropping-on-hdmi-via-sdr-and-deep-learning/

>the entire point of heads is to mitigate the physical access = game over situation.
epoxy on ram and rom
coreboot clear ram on boot
nail polish on screws
always have your laptop with you, including shower
you dont need specialized firmware for this desudesu

>>101762474
this seems dismissive and misleading.

>yes but it sucks considering most distros update all the time
someone who was seriously worried about something like this would be resigning after each update, you'd have to do this after each kernel rebuild too.

>making own read only distro is requirement for this to work
tails exists for this purpose, and funnily enough pairs extremely well with the features offered by heads (hence the name) given that it (for the most part) verifies that the software on the computer isn't riddled with malware.

>also heads relies on tpm 1.2 using sha1, its shit
please elaborate

>https://www.rtl-sdr.com/deep-tempest-eavesdropping-on-hdmi-via-sdr-and-deep-learning/
Wouldn't that require you to be able to sniff the internal LVDS display connector inside the magnesium chassis of the laptop? you'd either need to be within arms reach (in which case shoulder surfing would be simpler) or just steal the laptop like they did with ross ulbricht.

>>101762512
>someone who was seriously worried about something like this would
no they would make their own distro which never updates and keep checksums and signatures on paper forever

>tails exists for this purpose
offtopic but gnome and systemd should be avoided
any live iso would do i guess but you will want to build specialized iso for your use case

>Wouldn't that require you to be able to sniff the internal LVDS display connector inside the magnesium chassis of the laptop?
the connector is mostly in the open
if you get clear sight on its back
consider the fact that there are 2 antennas next to the screen aswell

>>101762512
>please elaborate
consider outdated closed technology using broken algorithms

>>101762548
no they would make their own distro which never updates and keep checksums and signatures on paper forever
this is a retarded strawman argument. we are not dealing with the install libreboot and go innawoods copypasta. I am talking about an actual real-life situation here.

>any live iso would do i guess but you will want to build specialized iso for your use case
yes, tails.

>the connector is mostly in the open
big metal plate (laptop lid is magnesium alloy) stops frequencies

>consider the fact that there are 2 antennas next to the screen aswell
I believe you're referring to the X220/X230
yes, the wireless antennas run along the edge of the display bezel, inside the plastic. the LVDS connector is almost dead centre on the bottom of the lid (with the lid open) it is behind the magnesium lid. If it did work, the effective range would be small enough for the laptop to be within arms reach. So while this is technically possible, it would be impractical.

>consider outdated closed technology using broken algorithms
then how could you defeat this? i'm not trying to defend heads here, i'm trying to figure out how it could be defeated

>>101762655
>we are not dealing with the install libreboot and go innawoods copypasta. I am talking about an actual real-life situation here.
you fucking nigger linux from scratch is simple and not keeping everything digitally is smart

dont fucking trust the computer with verifying your shit

>yes, tails.
backdoored by cia, gnome, systemd
wont have binaries you need
if you install with apt they wont be verified

>it would be impractical.
consider rf bouncer right outside your house hidden in a plant

>then how could you defeat this? i'm not trying to defend heads here, i'm trying to figure out how it could be defeated
by using the tpm backdoor from factory

ffs just read
https://trmm.net/Heads_threat_model/

>>101762710
>you fucking nigger linux from scratch is simple and not keeping everything digitally is smart
I understand that for someone technical, LFS wouldn't be a difficult undertaking to get a system that boots to a command line. However, implementing crypto properly is something that not even i'd trust myself to do. Using LUKS to encrypt digitally stored data doesn't immediately give law enforcement access does. Having it on a piece of paper that can be read by anyone with a search warrant and working eyes does.

>backdoored by cia, gnome, systemd
Buster hernandez got busted using tails by an 0day in the default video player, not systemd, gnome, or the kernel. bloated userland applications are far more likely to be the entrypoint due to far larger attack surface.

>consider rf bouncer right outside your house hidden in a plant
seems easier to just get a search warrant and bug the keyboard/ install hidden camera at that point.

>ffs just read
I understand that. the entire point is that it moves to root of trust from the software to the hardware/firmware. This makes it harder to own the machine.

The more we go in circles like this, the more i think the $4 wrench method is the cheapest and eaiest way to get into the computer.l

>>101762785
>bloated userland applications are far more likely to be the entrypoint due to far larger attack surface.
THE VIDEO PLAYER WAS FROM GNOME FFS

>Having it on a piece of paper that can be read by anyone with a search warrant and working eyes does.
heads is not about concealement
see HEADS THREAT MODEL

>implementing crypto properly is something that not even i'd trust myself to do
libressl
sequoia pgp
kernel crypto

>seems easier to just get a search warrant and bug the keyboard/ install hidden camera at that point.
they dont need to bug your keyboard if they can read keyboard emi leaks with antenna

>>101762865
>THE VIDEO PLAYER WAS FROM GNOME FFS
yes, i know. but bloat != backdoored...

>heads is not about concealement
heads in and of itself is not subtle. but no one in their right mind wouldn't be using FDE. why are you so against full disk encryption when it's such a standard practice even in government's threat models?

>they dont need to bug your keyboard if they can read keyboard emi leaks with antenna
occams razor. why would you bother trying to read keystrokes with emi when you could just sit behind them with a pair of binoculars?

>>implementing crypto properly is something that not even i'd trust myself to do
l>ibressl
>sequoia pgp
>kernel crypto
here i was assuming that you'd be saying those libraries can't be trusted either..

but back to the point. i'm not trying to defend heads. i'm trying to figure out how to effectively attack it. we're going back and forth arguing semantics.

>>101762934
especially referring to you mentioning the EMI/hiding an rf bounce in a bush, this is not attacking the iranian nuclear program, and i strongly doubt they'd be using heads internally anyway.

if you were an LEO in forensics, and had a heads laptop dropped on your desk, and were told "get the data off of this" or "backdoor it so we can get the password to get into this", how would you do it?

>>101762934
>bloat != backdoored...
bloat == backdoor
systemd is cia thing
gnome is microsoft thing

>why are you so against full disk encryption
no need to encrypt ganoo emacs and toybox or whatever

>here i was assuming that you'd be saying those libraries can't be trusted either..
you can write formal verification for them

>i'm trying to figure out how to effectively attack it
good morning sirs officer, not doing your homework
perhaps a hammer would help your case

>>101762972
bloat == backdoor
systemd is cia thing

do not confuse lennard poettering's retardation for inteligence. something something don't attribute to malice that which could be attributed to stupidity.

>no need to encrypt ganoo emacs and toybox or whatever
this is assuming there's something on the device worth protecting. again, please cut it out with the strawman arguments.

>>101763004
>do not confuse lennard poettering's retardation for inteligence.
Linux has systemd. That is a cia system. They murdered the Debian creator because he resisted them. CIA imports foreigners to inject backdoors into the kernel.
https://www.theverge.com/2021/4/30/22410164/linux-kernel-university-of-minnesota-banned-open-source
https://archive.is/H8Axs

>this is assuming there's something on the device worth protecting. again, please cut it out with the strawman arguments.
you can encrypt your git repos or whatever
there is no reason to encrypt important functionality when you can verify them instead

>strawman
how would you attack
noooo dont list flaws
??

>>101763078
the university of minnesota incident was not the CIA.

>you can encrypt your git repos or whatever
there is no reason to encrypt important functionality when you can verify them instead
i'm not talking about myself here. and even the heads documentation strongly recommends the use of full disk encryption. if the whole point of this is to prevent physical access = game over, why would a target who's worried enough to install heads leave their data readable by a third party with physical access?

>how would you attack
>noooo dont list flaws
>??
i'm talking about your assumption that this person you're referring to would choose to not encrypt their disk, which is very common practice, and often the first thing people do to prevent unauthorized access to data. This is like the people who submitted that KeePassXC vulnerability that required you to have access to the open vault, in which case it was game over anyway. It's always going to be easier to attack someone who has no idea what they're doing and leaves gaping holes in their opsec, but i'm not talking about that fictional person (the strawman you were building)

>>101763146
>why would a target who's worried enough to install heads leave their data readable by a third party with physical access?
WHAT THE FUCK ARE THEY GOING TO DO WITH EMACS BINARY YOU FUCKING NIGGER

>but i'm not talking about that fictional person (the strawman you were building)
>how would you attack heads
uhh backdoor /bin
noo not like that
you are a nigger faggot

truly authenticated system verifies everything

>>101763379
it's not the emacs binary. The goal would be twofold.
1) Get FDE password by either having malicious firmware sniff the password, or by other means
this is attacking the FDE, not heads, but given that heads is running the linux kernel, it presents another system that could be theoretically owned (given that this wouldn't be possible to do to the already removed intel management engine)

2) as i mentioned above, owning heads in lieu of the management engine would provide below ring 0 access to the machine. it's the perfect surveillance system. but backdooring heads presents a sort of Springfield paradox. you want to own heads without them knowing you've owned heads. Maybe wait until they do something stupid and get blind drunk with the machine on? who knows.
This is the problem i'm trying to solve

>>101763430
>this is attacking the FDE, not heads
it is heads bypass as we have achieved persistence without getting detected

>This is the problem i'm trying to solve
just flash bootkit into the rom???

>B) that they've not tamper-proofed the device.
literally tamper the non tamper proofd device
???

>>101763451
?it is heads bypass as we have achieved persistence without getting detected
not if they';re verifying all binary files. ideally we want to get in/under heads


>just flash bootkit into the rom???
heads does HOTP verification of itself with an external hardware security token. not possible without alerting the target.

>literally tamper the non tamper proofd device
this is assuming that they haven't. in the particular situation i'm talking about, i'm operating under the assumption that the theoretical target has

OwO What's dis
Why does this thread glow with a green hue?

>>101763496
>heads does HOTP verification of itself with an external hardware security token. not possible without alerting the target.

lol what are you talking about retarded nigger?
the gpg card is for kernel sig

if you add bootkit into firmware no one will notice

>>101763505
gpg card is for internal signatures, correct.
HOTP is for verifying the integrity of the underlying firmware. please, consult the documentation you pointed me at earlier.

File: Screenshot 2024-08-07 at (...).png (26 KB, 560x128)

26 KB PNG

>>101763496
I saw that edit nigger

>>101763539
>HOTP is for verifying the integrity of the underlying firmware
im sure its totally safe
im sure it cant be exported and written into new firmware with bootkit

>>101763539
THIS NIGGA TRYING TO DO RESEARCH ON 4CHAN
CRY MORE GLOWNIGGER

LOOK HERE AND COMPARE THE END PART TO THE EDITED POST
>>101763545
>>101763545
>>101763545

>>101763591
yeah

also see. lmao
>>101762955

And just like that, OP vanished into thin fucking air.

>>101762242
i was really excited for the thread and then read posts like >>101762972 and >>101763078 and remembered that everyone here is paranoid schizo

oh well

>>101763078
kek that loonix link. it's like restaurant owners getting outraged they were not told beforehand when the inspectors would come