NSA's backdoors are real -- but prove nothing about BadBIOS

NSA hacks are consistent with security researcher Dragos Ruiu's claims about BadBIOS, but too many questions persist

1 2 Page 2
Page 2 of 2

I could be, but I doubt it. First, from the beginning I have stated that nearly everything Ruiu was claiming was possible. But I simply don't believe Ruiu is a target of the NSA. Why should he be? Ruiu has yet to reveal any reason for why he would be targeted.

Now, many readers might argue, correctly, that our intelligence agencies have always spied for obscure reasons (such as the FBI's surveillance of John Lennon). But if Ruiu thought there was a plausible motive, wouldn't he offer it up? Maybe some intelligence agency is interested in what he or his partners have learned? Perhaps Ruiu has some insight into one of the NSA's secret devices? If that seems possible, why not state the hypothesis?

The second reason I don't think BadBIOS is composed of NSA implants is that certainly by now Ruiu would have located any malicious software or hardware implants. Ruiu has openly posted memory dumps and involved many forensic experts in his battle to detect his malicious foe. None of them have found anything out of the ordinary. The NSA may have lots of secret spy devices, but none would be able to hide from thorough examination. You cannot perfectly hide yourself.

Lastly, some of Ruiu's claims, like disappearing evidence, are possible but highly unlikely in light of all the other (non-)evidence. I end with the same conclusion I had the last time I covered this topic. Everything Ruiu claims could be true, but it is the sheer amount of implants that would have to be secreted on all his computing devices, plus the huge fact that no forensic expert has found any evidence that leads me to believe that BadBIOS doesn't exist.

Hang on, let me update that. From the NSA reveal, we've learned that many "BadBIOS" implants do exist. I just don't think Ruiu has one.

This story, "NSA's backdoors are real -- but prove nothing about BadBIOS," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2014 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 hot cybersecurity trends (and 2 going cold)