Share this page!

Enter Twitter Thread URL to Unroll

Needs to be the full URL like: https://twitter.com/threadreaderapp/status/1644127596119195649

How to get URL link on Twitter App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Joe Fitz Profile picture
Joe Fitz
@securelyfitz
Hardware Security Trainer and Researcher
Nat Welch Profile picture 1 subscribed
Oct 8, 2018 23 tweets 4 min read
Do I Have a Hardware Implant?

I’ve gotten lots of inquiries if I could analyze some hardware for or could recommend someone who might.

I’ll be blunt - most of you don’t need this. Here are some things you should consider before seeking out services like this: 1. It’s unlikely you’re affected. Really. Even assuming every claim is true, and even if there is a secret device on every single X brand motherboard, it’s unlikely you’re targeted by whatever payload the implant carries.
Oct 5, 2018 12 tweets 3 min read
Hector and others have identified the component used in the bloomberg article to represent the hardware implant. I'd like to share my perspective on whether it's realistically possible: If someone said that the implant was found inside a coupler, first I'd check component suppliers for couplers that might fit the bill. And the one displayed is pretty much the smallest one you can find with 'coupler' in the name.
Oct 4, 2018 17 tweets 4 min read
At one point in time I had a conversation about how I would put a hardware implant into a system. I'm delighted to see @qrs had a very similar assessment: Given a photo of a server motherboard, this was my response after a few minutes. You'll have to take my word i wrote this 4 Sept 2017.

" Well, you picked an easy one, it already has a backdoor :)"
Oct 4, 2018 32 tweets 6 min read
There’s recent news about some really interesting hardware implants. I wanted to take a bit to share more technical thoughts and details that can’t be reduced to a mainstream article on the topic.
threaded: securinghardware.com/articles/hardw… The core of the claim is that someone implanted extra components on some server motherboards that would do malicious stuff, subvert the system and possibly allow it to ‘phone home’. I looked at the claims through a technical and feasibility lens.
Jul 24, 2018 12 tweets 4 min read
Remember the USB fans from Singapore that were in the news? @HackingThings and I took some more of them apart and there's plenty of potential for foul play. This is an older lightning port fan that @HackingThings had. No surprise there's a chip in there to speak SDQ to tell the iPhone to supply power
Jun 4, 2018 20 tweets 4 min read
Congratulations, your talk has been declined! Many of us have been disappointed or relieved by a rejection in the past few days. As a follow-on to my previous post about the CFP process and writing an abstract, I figured it would be fitting to write a bit about what to do now. Long form posted and will be updated here: securinghardware.com/articles/congr…

Don’t worry, a post about what to do if you’re *accepted* should come right on time, about a week before Black Hat and Defcon.
Mar 29, 2018 23 tweets 3 min read
Thinking about submitting to a CFP? You should, no matter how n00b or 1337 you think you are. But picking the right topic and venue can be tough. My experience is mostly infosec but likely applies to many fields. These are some examples of talks l'd attend: 1. So you've been in the industry for a year (or more)? You've learned a lot. Share with others the resources you found helpful, the mistakes you made, and what you wish you knew a year ago. Many BSides have first time attendees and people looking to get into the field.
Jan 5, 2018 15 tweets 4 min read
Thread time! Why can't they just quickly patch #meltdown or #spectre and push out another cpu? Why could it possibly take years? Why don't they use AGILE or x/y/z? Lots of reasons:
(note: my goal is not to criticize chip manufacturers - it's to defend the constraints they have) Let's start with a standard software product many are familiar with and work off that. First, every time you hit 'build' it's called a 'stepping', costs millions of dollars & takes several months. If you want a profitable product, you may only get 10 chances to press 'build'.
Jan 4, 2018 10 tweets 2 min read
Here's my layman's not-totally-accurate-but-gets-the-point-across story about how  #meltdown & #spectre type attacks work:

Let's say you go to a library that has a 'special collection' you're not allowed access to, but you want to to read one of the books. 1/10 You go in and go to the librarian and say "I'd like special book #1, and the Sue Grafton novel that corresponds to the first letter of page 1 of that book." 2/10