Search for military installed backdoors on laptop












134














My laptop was confiscated by the military institute of my country and they made me to give them all my passwords (I cannot tell you the name of my country). They did not give it back to me for one week (yes, it was out of my sight for a while).
I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?



and



I need to make sure if they have added something to monitor my activities or steal my data or not? And if they have done that, what should I do to prevent them.
I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?



Update



Is that possible to determine infected files (e.g. pictures, excel files, word files, etc.) from the others and take the not infected ones from the confiscated laptop to use on another laptop? If yes, Is there a safe for it?










share|improve this question
























  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop
    Dec 21 at 15:52










  • "nuked from orbit" means what exactly? (I suppose you didn't actually go to orbit and threw a nuklear weapon onto your laptop, as then you wouldn't ask the question.)
    – Paŭlo Ebermann
    12 hours ago
















134














My laptop was confiscated by the military institute of my country and they made me to give them all my passwords (I cannot tell you the name of my country). They did not give it back to me for one week (yes, it was out of my sight for a while).
I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?



and



I need to make sure if they have added something to monitor my activities or steal my data or not? And if they have done that, what should I do to prevent them.
I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?



Update



Is that possible to determine infected files (e.g. pictures, excel files, word files, etc.) from the others and take the not infected ones from the confiscated laptop to use on another laptop? If yes, Is there a safe for it?










share|improve this question
























  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop
    Dec 21 at 15:52










  • "nuked from orbit" means what exactly? (I suppose you didn't actually go to orbit and threw a nuklear weapon onto your laptop, as then you wouldn't ask the question.)
    – Paŭlo Ebermann
    12 hours ago














134












134








134


31





My laptop was confiscated by the military institute of my country and they made me to give them all my passwords (I cannot tell you the name of my country). They did not give it back to me for one week (yes, it was out of my sight for a while).
I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?



and



I need to make sure if they have added something to monitor my activities or steal my data or not? And if they have done that, what should I do to prevent them.
I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?



Update



Is that possible to determine infected files (e.g. pictures, excel files, word files, etc.) from the others and take the not infected ones from the confiscated laptop to use on another laptop? If yes, Is there a safe for it?










share|improve this question















My laptop was confiscated by the military institute of my country and they made me to give them all my passwords (I cannot tell you the name of my country). They did not give it back to me for one week (yes, it was out of my sight for a while).
I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?



and



I need to make sure if they have added something to monitor my activities or steal my data or not? And if they have done that, what should I do to prevent them.
I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?



Update



Is that possible to determine infected files (e.g. pictures, excel files, word files, etc.) from the others and take the not infected ones from the confiscated laptop to use on another laptop? If yes, Is there a safe for it?







malware windows privacy backdoor






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 9 hours ago

























asked Dec 18 at 10:43









Posse

7772311




7772311












  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop
    Dec 21 at 15:52










  • "nuked from orbit" means what exactly? (I suppose you didn't actually go to orbit and threw a nuklear weapon onto your laptop, as then you wouldn't ask the question.)
    – Paŭlo Ebermann
    12 hours ago


















  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop
    Dec 21 at 15:52










  • "nuked from orbit" means what exactly? (I suppose you didn't actually go to orbit and threw a nuklear weapon onto your laptop, as then you wouldn't ask the question.)
    – Paŭlo Ebermann
    12 hours ago
















Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop
Dec 21 at 15:52




Comments are not for extended discussion; this conversation has been moved to chat.
– Rory Alsop
Dec 21 at 15:52












"nuked from orbit" means what exactly? (I suppose you didn't actually go to orbit and threw a nuklear weapon onto your laptop, as then you wouldn't ask the question.)
– Paŭlo Ebermann
12 hours ago




"nuked from orbit" means what exactly? (I suppose you didn't actually go to orbit and threw a nuklear weapon onto your laptop, as then you wouldn't ask the question.)
– Paŭlo Ebermann
12 hours ago










10 Answers
10






active

oldest

votes


















190














If the device left your sight for any amount of time, replace it. It can no longer be trusted.



The cost to assure it can still be trusted significantly exceeds the cost of getting a new one





There is effectively no way to verify that the hardware has not been tampered with without significant expertise and employing non-trivial resources. The only solution is to replace the laptop and all associated components. Without knowing your country or other aspects of the situation you are in, there is no way for me to comment on the likelihood of this, only on the technical feasibility.



If you do need to verify the integrity of the laptop, there are a few things to check (non-exhaustive):




  • Weight distribution - Verify the precise weight of each component (IC, PCB, etc). Weight distributions can be analyzed using gyroscopic effects. This requires having uncompromised equipment nearby for comparison. Extremely precise measuring equipment is required.


  • Power consumption - Verify the power consumption of each component over time. Backdoors often use power, and their presence can sometimes be detected with a power analysis attack. Do not rely on this however, as integrated circuits can use extremely little power nowadays.


  • PCB X-ray inspection - Use X-rays to view the circuit board internals. This requires expensive equipment for a multi-layer printed circuit board such as a laptop motherboard. It also requires many man hours of intensive inspection of each square micrometer of the device.



Sounds excessive? It is, but this is what you would have to do to have a good level of confidence that no malicious hardware modifications have been made. It will be cheaper just to buy a new laptop.






I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?




In theory, compromised hardware or firmware would be made to compromise your wireless access point or other devices listening in. While a suspended state (sleep mode) normally also disables the NIC, you cannot make that assumption if the hardware is compromised. However, while this is theoretically possible, it would require a far more targeted attack, and most military groups will not want to give away the 0days they have by shooting them at any nearby wireless device they can find.



Unfortunately, it is also theoretically possible that your modem has been compromised. I do not think that is very likely at all though, as they could have just done that through your internet connection, assuming they can control or compromise your ISP. If they have tampered with your hardware, it's much more likely that they have only done so for surveillance purposes, not to spread some worm.




I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?




Absolutely. There are many ways to open a laptop without that fact being apparent. While sophisticated chassis intrusion detection mechanisms exist, there are some "ghetto" techniques which you may be able to use in the future. One technique is to sprinkle nail polish with glitter on the joints of the system, inside and out. Take a high-resolution photo of this (and don't store the photo on the computer!). If the device is opened, the precise layout of the glitter will be disrupted, and it will become exceptionally difficult to put it back in place. You can compare it with the stored photo and look for subtle differences.



The term for this is tamper-evidence, which is any technique that makes it hard to tamper with a device without that fact being noticeable. More professional options would include bespoke tamper-evident security tape or holographic stickers. Unfortunately, this can only help you in the future and will obviously be incapable of protecting your system retroactively.






share|improve this answer























  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop
    Dec 21 at 19:45






  • 2




    Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
    – redbow_kimee
    Dec 22 at 23:04










  • @redbow_kimee That's extremely unlikely due to how quickly it would become known.
    – forest
    Dec 23 at 3:09






  • 3




    Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
    – Peter Cordes
    2 days ago








  • 2




    @PeterCordes Malicious firmware can get around SMI_COUNT.
    – forest
    2 days ago



















43














Methodology aside, just assume that the laptop and anything within audio and visual reach of the laptop is compromised and therefore subject to monitoring as well as the activity on the computer itself.



Searching for, tampering with, or removal of the computer/monitoring devices might well be detected and seen as a criminal act. Also, complete destruction of the laptop or pointedly not being used can also be viewed with extreme suspicion.



All you can really do is continue to use the laptop, but with the knowledge that activity is being monitored (so only do "legal" stuff on it). Visual/audio monitoring devices need not involve the laptop being powered up.



Invest in a nice, secure, padded (and soundproof) laptop bag to store the laptop in when not in use.






share|improve this answer





















  • Comments are not for extended discussion; this conversation has been moved to chat.
    – Rory Alsop
    Dec 21 at 19:46



















37














The main information we are lacking is your threat model.



Is it likely that the military targets you specifically, and would be willing expand some resources on you? We don't need to know the details, but the answer changes depending on whether or not what happened is more or less standard procedure for your country, or you are being singled out.



And we don't know what secrets you are protecting. If you have personal data and communications, that's a different game than being an active element in a political opposition movement or other activity that might get you murdered if they get the data. There are countries in the world where being a human rights activist can get you on a death list.



If this is standard procedure, and your data isn't life-or-death, you can take the usual precautions, complete OS reinstall, firmware flashing, if you want to go the extra mile, replace components such as the Ethernet port and whatever else is replaceable. Then operate under the assumption that you might have missed something more deeply embedded, but your chances are better than average that you are clear.



The same is true for the active network connection. It is likely that your adversary did standard attack patterns. If your network is secured, and you don't see any signs of intrusion on the inside (firewall logs, IDS if you have, etc.) you could be fine.



If it is more likely that you received special attention, I would strongly suggest using the machine in some innocent ways (surfing the web, etc.) somewhere and then leaving it out in the open when you go to the toilet. Or in other words: Make it get stolen. That way nobody can blame you, the adversary cannot tell for sure if you intentionally "lost" the device and in any case can't prove it, and it's the only way to be sure. Even if you had it sitting nearby powered off, there could still be a microphone hidden inside that monitors you. So getting rid of it is the only safe option.



For the details, I can't do better than forest in his answer to show how deeply stuff could be hidden inside. They could've even switched out components with seemingly identical ones, plus backdoors. There are things you can do to hardware that the manufacturer would have trouble finding.



The same is unfortunately true for your network. There is always one more 0-day out there, and backdoors in network devices aren't exactly unheard of as well. If you are a high-profile target, you need to assume that the network has been compromised.



However, all of this advanced stuff isn't free or cheap. That is why the threat model is important. It is unlikely the military would use its best stuff on a random search.






share|improve this answer





























    12














    In addition to what others have mentioned about detecting hardware changes (chiefly that it is nearly impossible), you should recognize that the most likely vector of compromise would be the installation of software, especially if they only had your device for a fairly limited period of time.



    To have a reasonable level of certainty that your device is clean from software exploits you should throw out the hard drive and start with a fresh one and a fresh install. Many of the more practical (and easy) low-level rootkits modify the firmware on hard drives to prevent a normal format from removing the malware. This is also one of the easiest ways to alter a system fairly quickly and "undetectably". If your laptop has a replaceable network card, this would also be something to consider replacing as it is also another fairly useful place to deploy a hardware implant.



    Lastly, any malware likely needs to phone home eventually. Start up your computer and any common applications you run. Connect it to an external router (this is important as you cannot trust software running on the laptop) that records all traffic. Let the laptop sit unused for at least 24 hours. Now, painstakingly validate all the IP's via ARIN or other registries, to see if any of them look suspicious. You will almost certainly have several that you cannot validate, even if the machine is not compromised, but this may give you some confidence-level of compromise. Do be aware that nation-states often possess the ability to inject traffic into legitimate streams from legitimate locations, and also may compromise legitimate services or use existing legitimate services (such as a service like docs.google.com where any user can create documents of arbitrary data). In addition network traffic on any network protocol is suspect and should not be discounted while trying to validate the traffic.



    Lastly, think of your risk profile. Is your nation known for hacking devices and monitoring them? Are you a victim of bad luck or are there legitimate reasons why they should or did suspect you? A certain level of paranoia is healthy, but be practical with your assessment. Custom hardware implants are not cheap, and the cost of discovery can be both embarrassing and costly. If you are not a likely suspect and of some importance, the most likely implant will be software/firmware based, if anything was implanted at all. As others have pointed out, any credentials you had on your machine/that your provided/or any active browser cookies, and all files on the system should now be considered compromised.






    share|improve this answer































      10














      If they have all your passwords, as you say, and had possession of the laptop, the laptop, its operating system and software installed are all suspect. As suggested, nuke from orbit.



      I would also be concerned that any software that might possibly have been implanted could (and would) attempt to compromise other computers on connected networks. Do not connect this machine to an ethernet, nor power it on near any WiFi networks if it has WiFi (nor around Bluetooth devices though I know little about this).



      It may not be possible to wipe it even under safe conditions due to compromised firmware.



      If they had the laptop for, say, 30 minutes (or less), the drive could (and would) have been imaged/copied. Its secrets are no longer yours alone.



      You also have some work ahead of you to change all your passwords: you might want to nuke the accounts for extra safety. Delete all content (if possible) and close the account. Good luck with that. Information may have already been collected, however.



      There have been answers regarding hardware modification, and while this is a possibility, clearly software tampering should be high on your mind.






      share|improve this answer

















      • 2




        Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
        – Mark
        Dec 19 at 0:45






      • 2




        ...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
        – Tom
        Dec 19 at 13:36






      • 2




        @Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
        – forest
        Dec 21 at 4:07












      • @forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
        – Tom
        Dec 21 at 9:45










      • @Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
        – forest
        Dec 21 at 9:52



















      8














      Given what you've told us, you need to assume that not only is the laptop irrecoverably compromised, but so is your entire home network, everything connected to it, and every account you have anywhere that was ever accessed from the laptop or from another device connected to your home network.




      1. Physically destroy the laptop, preferably by melting/burning it rather than simple shredding or pulverisation.


      2. Do the same for every single component of your home network.


      3. Do the same for every device that was connected to said network during the time after the laptop was "returned".


      4. Close and delete every account that you have on every website that you have ever accessed from the laptop or from any of the devices in step 3.


      5. Cancel and physically destroy any and all credit/debit/gift cards that you have ever made payments from via the laptop or via any of the devices in step 3. Also cancel any payments that were made using any of those cards during the time after the laptop was "returned".


      6. Close all your bank accounts, withdrawing their entire contents in cash. Destroy any paperwork in your possession associated with any of those accounts.


      7. I cannot emphasise strongly enough the importance of fleeing to a country with better protections against these sorts of abuses by arms of the government.







      share|improve this answer

















      • 3




        This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
        – Xen2050
        Dec 22 at 15:55






      • 1




        Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
        – rackandboneman
        Dec 22 at 19:54






      • 5




        Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
        – rackandboneman
        Dec 22 at 19:57



















      4















      I need to make sure if they have added something to monitor my activities or steal my data or not




      Consider that they have all your data already. You surrended all your passwords, so even data that is not on your laptop (e.g. mail, cloud) is now in their hands. Extended comment: if you were not under arrest you could always change as many passwords as you could after giving them, but we want to assume our attacker has so much resources and efficiency that they grabbed an entire copy of all your online activities by the second you wrote down your password on a piece of paper. Pessimistic approach.



      As pointed out by @forest, you can do something to try to prove they did it, but it is so expensive that you better go BestBuy as fastest as possible to get a new laptop. Unless your goal is to whistleblow your government is spying on you and how.




      And if they have done that, what should I do to prevent them.




      I assume you asked "what should I do to prevent them in the future?". Please edit if not. Getting a new laptop and implementing proper security measures is good, just as we others are doing.



      Full disk encryption, plausibly-deniable hidden volumes and complex passwords are the basic tools. A military corp targeting an individual can have so many resources (including 0-days) that you can not prevent them to hack you forever, but you can still protect yourself and make it a painful time for them.



      Remember, you said you gave them the passwords. This is where TrueCrypt/VeraCrypt come handy. I recommend you to take a look at this QA. Remember to use the cover OS often. Once in the future you will be questioned again for your passwords, give them the decryption key for the "outer" OS. They are not stupid, they will try their best to extort you that you are running a hidden OS too. For example, just that you are using VeraCrypt instead of stock Windows BitLocker or stock Linux LVM, that might be grounds for questioning/extortion.



      You may also want to carefully and safely copying documents from the old hard drive using a USB adapter. Documents, not executables. And, out of paranoia, who can tell if some PDF documents were altered to exploit a 0day in one of the popular readers?



      You may want to escape from that country as soon as possible, for what concerns me.






      share|improve this answer



















      • 4




        Leaving the country really is the best advice.
        – Gherman
        Dec 20 at 15:01






      • 3




        It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
        – schroeder
        Dec 20 at 19:24








      • 2




        There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
        – Xen2050
        Dec 22 at 16:51










      • The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
        – rackandboneman
        Dec 22 at 20:01










      • @Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
        – forest
        2 days ago





















      0














      A backdoor still has to communicate to the attacker, so watching network chatter via your router should suffice. Wiping a harddrive and reinstalling an OS may not be enough, they had it for a week, they could've taken it apart, installed a network tap device and put it back together.



      That's not all there is either, there may be no network activity and the program/device may be silently collecting data for somebody to physically retrieve later, probably via a knock on your door.



      A new laptop is in order, however I'd keep the old one, maybe even put it on a DMZ so it can't talk to other devices on your home network and it goes without saying, it can't be used for anything sensitive ever again.






      share|improve this answer

















      • 12




        You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
        – Mark
        Dec 19 at 0:43






      • 15




        @RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
        – Tom
        Dec 19 at 11:44






      • 2




        Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
        – allo
        Dec 20 at 14:11










      • A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
        – rackandboneman
        Dec 22 at 19:58



















      0














      Install your own spyware on it and let it run on idle for a week, catch the snoopers in the act or just destroy the laptop and buy a new one.






      share|improve this answer








      New contributor




      Meh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.


















      • Welcome. The "replace it" angles is already covered by the accepted answer. As for "install your own spyware", that's not going to work. The spyware you install would have to be at a lower level in the technology stack as the military-installed one. That's not going to be likely.
        – schroeder
        39 mins ago



















      -7














      If the laptop is a Windows 10 due to secure boot, Windows virtual memory, driver signing- you can ensure the machine is trustable. This doesn't rule out malicious applications installed and set to run and access the computers resources however they would have virtually no way to access other applications or process which don't "put them selves out there".



      Windows virtual memory addressing essentially scrambles memory of user mode applications. So if a virus tries to access memory through hacked methods it's not able to discern what's what. So every process has its own 2 gb or so virtual memory that it uses which is translated by windows to real address space. Process memory is basically private to that process. They can share memory with handles. But I believe this would require the cooperation of both process.



      Additionally malicious software set to run can see network traffic but that can be viewed by anyone also ounce it's broadcasted on a physical network.



      So basically securely written applications cant be eased dropped. Unless the "military" had access to oem, Windows, or intel/amd and they make that ability available to them, or they have realized vulnerabilities not yet known to exist.






      share|improve this answer



















      • 2




        I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
        – usr-local-ΕΨΗΕΛΩΝ
        Dec 20 at 12:07












      • Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
        – marshal craft
        Dec 20 at 12:33










      • "Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
        – usr-local-ΕΨΗΕΛΩΝ
        Dec 20 at 12:39










      • In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
        – usr-local-ΕΨΗΕΛΩΝ
        Dec 20 at 12:41










      • Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
        – marshal craft
        Dec 20 at 12:46











      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199971%2fsearch-for-military-installed-backdoors-on-laptop%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      10 Answers
      10






      active

      oldest

      votes








      10 Answers
      10






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      190














      If the device left your sight for any amount of time, replace it. It can no longer be trusted.



      The cost to assure it can still be trusted significantly exceeds the cost of getting a new one





      There is effectively no way to verify that the hardware has not been tampered with without significant expertise and employing non-trivial resources. The only solution is to replace the laptop and all associated components. Without knowing your country or other aspects of the situation you are in, there is no way for me to comment on the likelihood of this, only on the technical feasibility.



      If you do need to verify the integrity of the laptop, there are a few things to check (non-exhaustive):




      • Weight distribution - Verify the precise weight of each component (IC, PCB, etc). Weight distributions can be analyzed using gyroscopic effects. This requires having uncompromised equipment nearby for comparison. Extremely precise measuring equipment is required.


      • Power consumption - Verify the power consumption of each component over time. Backdoors often use power, and their presence can sometimes be detected with a power analysis attack. Do not rely on this however, as integrated circuits can use extremely little power nowadays.


      • PCB X-ray inspection - Use X-rays to view the circuit board internals. This requires expensive equipment for a multi-layer printed circuit board such as a laptop motherboard. It also requires many man hours of intensive inspection of each square micrometer of the device.



      Sounds excessive? It is, but this is what you would have to do to have a good level of confidence that no malicious hardware modifications have been made. It will be cheaper just to buy a new laptop.






      I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?




      In theory, compromised hardware or firmware would be made to compromise your wireless access point or other devices listening in. While a suspended state (sleep mode) normally also disables the NIC, you cannot make that assumption if the hardware is compromised. However, while this is theoretically possible, it would require a far more targeted attack, and most military groups will not want to give away the 0days they have by shooting them at any nearby wireless device they can find.



      Unfortunately, it is also theoretically possible that your modem has been compromised. I do not think that is very likely at all though, as they could have just done that through your internet connection, assuming they can control or compromise your ISP. If they have tampered with your hardware, it's much more likely that they have only done so for surveillance purposes, not to spread some worm.




      I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?




      Absolutely. There are many ways to open a laptop without that fact being apparent. While sophisticated chassis intrusion detection mechanisms exist, there are some "ghetto" techniques which you may be able to use in the future. One technique is to sprinkle nail polish with glitter on the joints of the system, inside and out. Take a high-resolution photo of this (and don't store the photo on the computer!). If the device is opened, the precise layout of the glitter will be disrupted, and it will become exceptionally difficult to put it back in place. You can compare it with the stored photo and look for subtle differences.



      The term for this is tamper-evidence, which is any technique that makes it hard to tamper with a device without that fact being noticeable. More professional options would include bespoke tamper-evident security tape or holographic stickers. Unfortunately, this can only help you in the future and will obviously be incapable of protecting your system retroactively.






      share|improve this answer























      • Comments are not for extended discussion; this conversation has been moved to chat.
        – Rory Alsop
        Dec 21 at 19:45






      • 2




        Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
        – redbow_kimee
        Dec 22 at 23:04










      • @redbow_kimee That's extremely unlikely due to how quickly it would become known.
        – forest
        Dec 23 at 3:09






      • 3




        Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
        – Peter Cordes
        2 days ago








      • 2




        @PeterCordes Malicious firmware can get around SMI_COUNT.
        – forest
        2 days ago
















      190














      If the device left your sight for any amount of time, replace it. It can no longer be trusted.



      The cost to assure it can still be trusted significantly exceeds the cost of getting a new one





      There is effectively no way to verify that the hardware has not been tampered with without significant expertise and employing non-trivial resources. The only solution is to replace the laptop and all associated components. Without knowing your country or other aspects of the situation you are in, there is no way for me to comment on the likelihood of this, only on the technical feasibility.



      If you do need to verify the integrity of the laptop, there are a few things to check (non-exhaustive):




      • Weight distribution - Verify the precise weight of each component (IC, PCB, etc). Weight distributions can be analyzed using gyroscopic effects. This requires having uncompromised equipment nearby for comparison. Extremely precise measuring equipment is required.


      • Power consumption - Verify the power consumption of each component over time. Backdoors often use power, and their presence can sometimes be detected with a power analysis attack. Do not rely on this however, as integrated circuits can use extremely little power nowadays.


      • PCB X-ray inspection - Use X-rays to view the circuit board internals. This requires expensive equipment for a multi-layer printed circuit board such as a laptop motherboard. It also requires many man hours of intensive inspection of each square micrometer of the device.



      Sounds excessive? It is, but this is what you would have to do to have a good level of confidence that no malicious hardware modifications have been made. It will be cheaper just to buy a new laptop.






      I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?




      In theory, compromised hardware or firmware would be made to compromise your wireless access point or other devices listening in. While a suspended state (sleep mode) normally also disables the NIC, you cannot make that assumption if the hardware is compromised. However, while this is theoretically possible, it would require a far more targeted attack, and most military groups will not want to give away the 0days they have by shooting them at any nearby wireless device they can find.



      Unfortunately, it is also theoretically possible that your modem has been compromised. I do not think that is very likely at all though, as they could have just done that through your internet connection, assuming they can control or compromise your ISP. If they have tampered with your hardware, it's much more likely that they have only done so for surveillance purposes, not to spread some worm.




      I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?




      Absolutely. There are many ways to open a laptop without that fact being apparent. While sophisticated chassis intrusion detection mechanisms exist, there are some "ghetto" techniques which you may be able to use in the future. One technique is to sprinkle nail polish with glitter on the joints of the system, inside and out. Take a high-resolution photo of this (and don't store the photo on the computer!). If the device is opened, the precise layout of the glitter will be disrupted, and it will become exceptionally difficult to put it back in place. You can compare it with the stored photo and look for subtle differences.



      The term for this is tamper-evidence, which is any technique that makes it hard to tamper with a device without that fact being noticeable. More professional options would include bespoke tamper-evident security tape or holographic stickers. Unfortunately, this can only help you in the future and will obviously be incapable of protecting your system retroactively.






      share|improve this answer























      • Comments are not for extended discussion; this conversation has been moved to chat.
        – Rory Alsop
        Dec 21 at 19:45






      • 2




        Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
        – redbow_kimee
        Dec 22 at 23:04










      • @redbow_kimee That's extremely unlikely due to how quickly it would become known.
        – forest
        Dec 23 at 3:09






      • 3




        Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
        – Peter Cordes
        2 days ago








      • 2




        @PeterCordes Malicious firmware can get around SMI_COUNT.
        – forest
        2 days ago














      190












      190








      190






      If the device left your sight for any amount of time, replace it. It can no longer be trusted.



      The cost to assure it can still be trusted significantly exceeds the cost of getting a new one





      There is effectively no way to verify that the hardware has not been tampered with without significant expertise and employing non-trivial resources. The only solution is to replace the laptop and all associated components. Without knowing your country or other aspects of the situation you are in, there is no way for me to comment on the likelihood of this, only on the technical feasibility.



      If you do need to verify the integrity of the laptop, there are a few things to check (non-exhaustive):




      • Weight distribution - Verify the precise weight of each component (IC, PCB, etc). Weight distributions can be analyzed using gyroscopic effects. This requires having uncompromised equipment nearby for comparison. Extremely precise measuring equipment is required.


      • Power consumption - Verify the power consumption of each component over time. Backdoors often use power, and their presence can sometimes be detected with a power analysis attack. Do not rely on this however, as integrated circuits can use extremely little power nowadays.


      • PCB X-ray inspection - Use X-rays to view the circuit board internals. This requires expensive equipment for a multi-layer printed circuit board such as a laptop motherboard. It also requires many man hours of intensive inspection of each square micrometer of the device.



      Sounds excessive? It is, but this is what you would have to do to have a good level of confidence that no malicious hardware modifications have been made. It will be cheaper just to buy a new laptop.






      I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?




      In theory, compromised hardware or firmware would be made to compromise your wireless access point or other devices listening in. While a suspended state (sleep mode) normally also disables the NIC, you cannot make that assumption if the hardware is compromised. However, while this is theoretically possible, it would require a far more targeted attack, and most military groups will not want to give away the 0days they have by shooting them at any nearby wireless device they can find.



      Unfortunately, it is also theoretically possible that your modem has been compromised. I do not think that is very likely at all though, as they could have just done that through your internet connection, assuming they can control or compromise your ISP. If they have tampered with your hardware, it's much more likely that they have only done so for surveillance purposes, not to spread some worm.




      I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?




      Absolutely. There are many ways to open a laptop without that fact being apparent. While sophisticated chassis intrusion detection mechanisms exist, there are some "ghetto" techniques which you may be able to use in the future. One technique is to sprinkle nail polish with glitter on the joints of the system, inside and out. Take a high-resolution photo of this (and don't store the photo on the computer!). If the device is opened, the precise layout of the glitter will be disrupted, and it will become exceptionally difficult to put it back in place. You can compare it with the stored photo and look for subtle differences.



      The term for this is tamper-evidence, which is any technique that makes it hard to tamper with a device without that fact being noticeable. More professional options would include bespoke tamper-evident security tape or holographic stickers. Unfortunately, this can only help you in the future and will obviously be incapable of protecting your system retroactively.






      share|improve this answer














      If the device left your sight for any amount of time, replace it. It can no longer be trusted.



      The cost to assure it can still be trusted significantly exceeds the cost of getting a new one





      There is effectively no way to verify that the hardware has not been tampered with without significant expertise and employing non-trivial resources. The only solution is to replace the laptop and all associated components. Without knowing your country or other aspects of the situation you are in, there is no way for me to comment on the likelihood of this, only on the technical feasibility.



      If you do need to verify the integrity of the laptop, there are a few things to check (non-exhaustive):




      • Weight distribution - Verify the precise weight of each component (IC, PCB, etc). Weight distributions can be analyzed using gyroscopic effects. This requires having uncompromised equipment nearby for comparison. Extremely precise measuring equipment is required.


      • Power consumption - Verify the power consumption of each component over time. Backdoors often use power, and their presence can sometimes be detected with a power analysis attack. Do not rely on this however, as integrated circuits can use extremely little power nowadays.


      • PCB X-ray inspection - Use X-rays to view the circuit board internals. This requires expensive equipment for a multi-layer printed circuit board such as a laptop motherboard. It also requires many man hours of intensive inspection of each square micrometer of the device.



      Sounds excessive? It is, but this is what you would have to do to have a good level of confidence that no malicious hardware modifications have been made. It will be cheaper just to buy a new laptop.






      I nuked it from orbit but I just realised that it was on sleep state for 2 days and not in shutdown state, so it was connected to my modem via wifi. Does it need to be worried about?




      In theory, compromised hardware or firmware would be made to compromise your wireless access point or other devices listening in. While a suspended state (sleep mode) normally also disables the NIC, you cannot make that assumption if the hardware is compromised. However, while this is theoretically possible, it would require a far more targeted attack, and most military groups will not want to give away the 0days they have by shooting them at any nearby wireless device they can find.



      Unfortunately, it is also theoretically possible that your modem has been compromised. I do not think that is very likely at all though, as they could have just done that through your internet connection, assuming they can control or compromise your ISP. If they have tampered with your hardware, it's much more likely that they have only done so for surveillance purposes, not to spread some worm.




      I have double checked the laptop physically and there is no sign of screw or plastic deformation. Is that still possible that they have compromised its hardware?




      Absolutely. There are many ways to open a laptop without that fact being apparent. While sophisticated chassis intrusion detection mechanisms exist, there are some "ghetto" techniques which you may be able to use in the future. One technique is to sprinkle nail polish with glitter on the joints of the system, inside and out. Take a high-resolution photo of this (and don't store the photo on the computer!). If the device is opened, the precise layout of the glitter will be disrupted, and it will become exceptionally difficult to put it back in place. You can compare it with the stored photo and look for subtle differences.



      The term for this is tamper-evidence, which is any technique that makes it hard to tamper with a device without that fact being noticeable. More professional options would include bespoke tamper-evident security tape or holographic stickers. Unfortunately, this can only help you in the future and will obviously be incapable of protecting your system retroactively.







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited 10 hours ago

























      answered Dec 18 at 11:34









      forest

      31.3k1598107




      31.3k1598107












      • Comments are not for extended discussion; this conversation has been moved to chat.
        – Rory Alsop
        Dec 21 at 19:45






      • 2




        Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
        – redbow_kimee
        Dec 22 at 23:04










      • @redbow_kimee That's extremely unlikely due to how quickly it would become known.
        – forest
        Dec 23 at 3:09






      • 3




        Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
        – Peter Cordes
        2 days ago








      • 2




        @PeterCordes Malicious firmware can get around SMI_COUNT.
        – forest
        2 days ago


















      • Comments are not for extended discussion; this conversation has been moved to chat.
        – Rory Alsop
        Dec 21 at 19:45






      • 2




        Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
        – redbow_kimee
        Dec 22 at 23:04










      • @redbow_kimee That's extremely unlikely due to how quickly it would become known.
        – forest
        Dec 23 at 3:09






      • 3




        Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
        – Peter Cordes
        2 days ago








      • 2




        @PeterCordes Malicious firmware can get around SMI_COUNT.
        – forest
        2 days ago
















      Comments are not for extended discussion; this conversation has been moved to chat.
      – Rory Alsop
      Dec 21 at 19:45




      Comments are not for extended discussion; this conversation has been moved to chat.
      – Rory Alsop
      Dec 21 at 19:45




      2




      2




      Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
      – redbow_kimee
      Dec 22 at 23:04




      Replacing the device might be a threat of equivalent force in this case. OPs country could stealthily take control of the computer supply chain and infect a significant supply within its borders.
      – redbow_kimee
      Dec 22 at 23:04












      @redbow_kimee That's extremely unlikely due to how quickly it would become known.
      – forest
      Dec 23 at 3:09




      @redbow_kimee That's extremely unlikely due to how quickly it would become known.
      – forest
      Dec 23 at 3:09




      3




      3




      Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
      – Peter Cordes
      2 days ago






      Surprised you don't mention malicious firmware (for the main motherboard, or for any of the devices). x86 System Management Mode allows nearly-undetectably doing things behind the back of the OS. (There is a performance counter (AMD) or MSR (Intel) that counts System Management Interrupts, though, so you could check for suspiciously-high SMI activity. Is there an equivalent register to Intel's MSR_SMI_COUNT on AMD architecture?)
      – Peter Cordes
      2 days ago






      2




      2




      @PeterCordes Malicious firmware can get around SMI_COUNT.
      – forest
      2 days ago




      @PeterCordes Malicious firmware can get around SMI_COUNT.
      – forest
      2 days ago













      43














      Methodology aside, just assume that the laptop and anything within audio and visual reach of the laptop is compromised and therefore subject to monitoring as well as the activity on the computer itself.



      Searching for, tampering with, or removal of the computer/monitoring devices might well be detected and seen as a criminal act. Also, complete destruction of the laptop or pointedly not being used can also be viewed with extreme suspicion.



      All you can really do is continue to use the laptop, but with the knowledge that activity is being monitored (so only do "legal" stuff on it). Visual/audio monitoring devices need not involve the laptop being powered up.



      Invest in a nice, secure, padded (and soundproof) laptop bag to store the laptop in when not in use.






      share|improve this answer





















      • Comments are not for extended discussion; this conversation has been moved to chat.
        – Rory Alsop
        Dec 21 at 19:46
















      43














      Methodology aside, just assume that the laptop and anything within audio and visual reach of the laptop is compromised and therefore subject to monitoring as well as the activity on the computer itself.



      Searching for, tampering with, or removal of the computer/monitoring devices might well be detected and seen as a criminal act. Also, complete destruction of the laptop or pointedly not being used can also be viewed with extreme suspicion.



      All you can really do is continue to use the laptop, but with the knowledge that activity is being monitored (so only do "legal" stuff on it). Visual/audio monitoring devices need not involve the laptop being powered up.



      Invest in a nice, secure, padded (and soundproof) laptop bag to store the laptop in when not in use.






      share|improve this answer





















      • Comments are not for extended discussion; this conversation has been moved to chat.
        – Rory Alsop
        Dec 21 at 19:46














      43












      43








      43






      Methodology aside, just assume that the laptop and anything within audio and visual reach of the laptop is compromised and therefore subject to monitoring as well as the activity on the computer itself.



      Searching for, tampering with, or removal of the computer/monitoring devices might well be detected and seen as a criminal act. Also, complete destruction of the laptop or pointedly not being used can also be viewed with extreme suspicion.



      All you can really do is continue to use the laptop, but with the knowledge that activity is being monitored (so only do "legal" stuff on it). Visual/audio monitoring devices need not involve the laptop being powered up.



      Invest in a nice, secure, padded (and soundproof) laptop bag to store the laptop in when not in use.






      share|improve this answer












      Methodology aside, just assume that the laptop and anything within audio and visual reach of the laptop is compromised and therefore subject to monitoring as well as the activity on the computer itself.



      Searching for, tampering with, or removal of the computer/monitoring devices might well be detected and seen as a criminal act. Also, complete destruction of the laptop or pointedly not being used can also be viewed with extreme suspicion.



      All you can really do is continue to use the laptop, but with the knowledge that activity is being monitored (so only do "legal" stuff on it). Visual/audio monitoring devices need not involve the laptop being powered up.



      Invest in a nice, secure, padded (and soundproof) laptop bag to store the laptop in when not in use.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered Dec 18 at 16:33









      Snow

      53136




      53136












      • Comments are not for extended discussion; this conversation has been moved to chat.
        – Rory Alsop
        Dec 21 at 19:46


















      • Comments are not for extended discussion; this conversation has been moved to chat.
        – Rory Alsop
        Dec 21 at 19:46
















      Comments are not for extended discussion; this conversation has been moved to chat.
      – Rory Alsop
      Dec 21 at 19:46




      Comments are not for extended discussion; this conversation has been moved to chat.
      – Rory Alsop
      Dec 21 at 19:46











      37














      The main information we are lacking is your threat model.



      Is it likely that the military targets you specifically, and would be willing expand some resources on you? We don't need to know the details, but the answer changes depending on whether or not what happened is more or less standard procedure for your country, or you are being singled out.



      And we don't know what secrets you are protecting. If you have personal data and communications, that's a different game than being an active element in a political opposition movement or other activity that might get you murdered if they get the data. There are countries in the world where being a human rights activist can get you on a death list.



      If this is standard procedure, and your data isn't life-or-death, you can take the usual precautions, complete OS reinstall, firmware flashing, if you want to go the extra mile, replace components such as the Ethernet port and whatever else is replaceable. Then operate under the assumption that you might have missed something more deeply embedded, but your chances are better than average that you are clear.



      The same is true for the active network connection. It is likely that your adversary did standard attack patterns. If your network is secured, and you don't see any signs of intrusion on the inside (firewall logs, IDS if you have, etc.) you could be fine.



      If it is more likely that you received special attention, I would strongly suggest using the machine in some innocent ways (surfing the web, etc.) somewhere and then leaving it out in the open when you go to the toilet. Or in other words: Make it get stolen. That way nobody can blame you, the adversary cannot tell for sure if you intentionally "lost" the device and in any case can't prove it, and it's the only way to be sure. Even if you had it sitting nearby powered off, there could still be a microphone hidden inside that monitors you. So getting rid of it is the only safe option.



      For the details, I can't do better than forest in his answer to show how deeply stuff could be hidden inside. They could've even switched out components with seemingly identical ones, plus backdoors. There are things you can do to hardware that the manufacturer would have trouble finding.



      The same is unfortunately true for your network. There is always one more 0-day out there, and backdoors in network devices aren't exactly unheard of as well. If you are a high-profile target, you need to assume that the network has been compromised.



      However, all of this advanced stuff isn't free or cheap. That is why the threat model is important. It is unlikely the military would use its best stuff on a random search.






      share|improve this answer


























        37














        The main information we are lacking is your threat model.



        Is it likely that the military targets you specifically, and would be willing expand some resources on you? We don't need to know the details, but the answer changes depending on whether or not what happened is more or less standard procedure for your country, or you are being singled out.



        And we don't know what secrets you are protecting. If you have personal data and communications, that's a different game than being an active element in a political opposition movement or other activity that might get you murdered if they get the data. There are countries in the world where being a human rights activist can get you on a death list.



        If this is standard procedure, and your data isn't life-or-death, you can take the usual precautions, complete OS reinstall, firmware flashing, if you want to go the extra mile, replace components such as the Ethernet port and whatever else is replaceable. Then operate under the assumption that you might have missed something more deeply embedded, but your chances are better than average that you are clear.



        The same is true for the active network connection. It is likely that your adversary did standard attack patterns. If your network is secured, and you don't see any signs of intrusion on the inside (firewall logs, IDS if you have, etc.) you could be fine.



        If it is more likely that you received special attention, I would strongly suggest using the machine in some innocent ways (surfing the web, etc.) somewhere and then leaving it out in the open when you go to the toilet. Or in other words: Make it get stolen. That way nobody can blame you, the adversary cannot tell for sure if you intentionally "lost" the device and in any case can't prove it, and it's the only way to be sure. Even if you had it sitting nearby powered off, there could still be a microphone hidden inside that monitors you. So getting rid of it is the only safe option.



        For the details, I can't do better than forest in his answer to show how deeply stuff could be hidden inside. They could've even switched out components with seemingly identical ones, plus backdoors. There are things you can do to hardware that the manufacturer would have trouble finding.



        The same is unfortunately true for your network. There is always one more 0-day out there, and backdoors in network devices aren't exactly unheard of as well. If you are a high-profile target, you need to assume that the network has been compromised.



        However, all of this advanced stuff isn't free or cheap. That is why the threat model is important. It is unlikely the military would use its best stuff on a random search.






        share|improve this answer
























          37












          37








          37






          The main information we are lacking is your threat model.



          Is it likely that the military targets you specifically, and would be willing expand some resources on you? We don't need to know the details, but the answer changes depending on whether or not what happened is more or less standard procedure for your country, or you are being singled out.



          And we don't know what secrets you are protecting. If you have personal data and communications, that's a different game than being an active element in a political opposition movement or other activity that might get you murdered if they get the data. There are countries in the world where being a human rights activist can get you on a death list.



          If this is standard procedure, and your data isn't life-or-death, you can take the usual precautions, complete OS reinstall, firmware flashing, if you want to go the extra mile, replace components such as the Ethernet port and whatever else is replaceable. Then operate under the assumption that you might have missed something more deeply embedded, but your chances are better than average that you are clear.



          The same is true for the active network connection. It is likely that your adversary did standard attack patterns. If your network is secured, and you don't see any signs of intrusion on the inside (firewall logs, IDS if you have, etc.) you could be fine.



          If it is more likely that you received special attention, I would strongly suggest using the machine in some innocent ways (surfing the web, etc.) somewhere and then leaving it out in the open when you go to the toilet. Or in other words: Make it get stolen. That way nobody can blame you, the adversary cannot tell for sure if you intentionally "lost" the device and in any case can't prove it, and it's the only way to be sure. Even if you had it sitting nearby powered off, there could still be a microphone hidden inside that monitors you. So getting rid of it is the only safe option.



          For the details, I can't do better than forest in his answer to show how deeply stuff could be hidden inside. They could've even switched out components with seemingly identical ones, plus backdoors. There are things you can do to hardware that the manufacturer would have trouble finding.



          The same is unfortunately true for your network. There is always one more 0-day out there, and backdoors in network devices aren't exactly unheard of as well. If you are a high-profile target, you need to assume that the network has been compromised.



          However, all of this advanced stuff isn't free or cheap. That is why the threat model is important. It is unlikely the military would use its best stuff on a random search.






          share|improve this answer












          The main information we are lacking is your threat model.



          Is it likely that the military targets you specifically, and would be willing expand some resources on you? We don't need to know the details, but the answer changes depending on whether or not what happened is more or less standard procedure for your country, or you are being singled out.



          And we don't know what secrets you are protecting. If you have personal data and communications, that's a different game than being an active element in a political opposition movement or other activity that might get you murdered if they get the data. There are countries in the world where being a human rights activist can get you on a death list.



          If this is standard procedure, and your data isn't life-or-death, you can take the usual precautions, complete OS reinstall, firmware flashing, if you want to go the extra mile, replace components such as the Ethernet port and whatever else is replaceable. Then operate under the assumption that you might have missed something more deeply embedded, but your chances are better than average that you are clear.



          The same is true for the active network connection. It is likely that your adversary did standard attack patterns. If your network is secured, and you don't see any signs of intrusion on the inside (firewall logs, IDS if you have, etc.) you could be fine.



          If it is more likely that you received special attention, I would strongly suggest using the machine in some innocent ways (surfing the web, etc.) somewhere and then leaving it out in the open when you go to the toilet. Or in other words: Make it get stolen. That way nobody can blame you, the adversary cannot tell for sure if you intentionally "lost" the device and in any case can't prove it, and it's the only way to be sure. Even if you had it sitting nearby powered off, there could still be a microphone hidden inside that monitors you. So getting rid of it is the only safe option.



          For the details, I can't do better than forest in his answer to show how deeply stuff could be hidden inside. They could've even switched out components with seemingly identical ones, plus backdoors. There are things you can do to hardware that the manufacturer would have trouble finding.



          The same is unfortunately true for your network. There is always one more 0-day out there, and backdoors in network devices aren't exactly unheard of as well. If you are a high-profile target, you need to assume that the network has been compromised.



          However, all of this advanced stuff isn't free or cheap. That is why the threat model is important. It is unlikely the military would use its best stuff on a random search.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Dec 19 at 11:55









          Tom

          4,832729




          4,832729























              12














              In addition to what others have mentioned about detecting hardware changes (chiefly that it is nearly impossible), you should recognize that the most likely vector of compromise would be the installation of software, especially if they only had your device for a fairly limited period of time.



              To have a reasonable level of certainty that your device is clean from software exploits you should throw out the hard drive and start with a fresh one and a fresh install. Many of the more practical (and easy) low-level rootkits modify the firmware on hard drives to prevent a normal format from removing the malware. This is also one of the easiest ways to alter a system fairly quickly and "undetectably". If your laptop has a replaceable network card, this would also be something to consider replacing as it is also another fairly useful place to deploy a hardware implant.



              Lastly, any malware likely needs to phone home eventually. Start up your computer and any common applications you run. Connect it to an external router (this is important as you cannot trust software running on the laptop) that records all traffic. Let the laptop sit unused for at least 24 hours. Now, painstakingly validate all the IP's via ARIN or other registries, to see if any of them look suspicious. You will almost certainly have several that you cannot validate, even if the machine is not compromised, but this may give you some confidence-level of compromise. Do be aware that nation-states often possess the ability to inject traffic into legitimate streams from legitimate locations, and also may compromise legitimate services or use existing legitimate services (such as a service like docs.google.com where any user can create documents of arbitrary data). In addition network traffic on any network protocol is suspect and should not be discounted while trying to validate the traffic.



              Lastly, think of your risk profile. Is your nation known for hacking devices and monitoring them? Are you a victim of bad luck or are there legitimate reasons why they should or did suspect you? A certain level of paranoia is healthy, but be practical with your assessment. Custom hardware implants are not cheap, and the cost of discovery can be both embarrassing and costly. If you are not a likely suspect and of some importance, the most likely implant will be software/firmware based, if anything was implanted at all. As others have pointed out, any credentials you had on your machine/that your provided/or any active browser cookies, and all files on the system should now be considered compromised.






              share|improve this answer




























                12














                In addition to what others have mentioned about detecting hardware changes (chiefly that it is nearly impossible), you should recognize that the most likely vector of compromise would be the installation of software, especially if they only had your device for a fairly limited period of time.



                To have a reasonable level of certainty that your device is clean from software exploits you should throw out the hard drive and start with a fresh one and a fresh install. Many of the more practical (and easy) low-level rootkits modify the firmware on hard drives to prevent a normal format from removing the malware. This is also one of the easiest ways to alter a system fairly quickly and "undetectably". If your laptop has a replaceable network card, this would also be something to consider replacing as it is also another fairly useful place to deploy a hardware implant.



                Lastly, any malware likely needs to phone home eventually. Start up your computer and any common applications you run. Connect it to an external router (this is important as you cannot trust software running on the laptop) that records all traffic. Let the laptop sit unused for at least 24 hours. Now, painstakingly validate all the IP's via ARIN or other registries, to see if any of them look suspicious. You will almost certainly have several that you cannot validate, even if the machine is not compromised, but this may give you some confidence-level of compromise. Do be aware that nation-states often possess the ability to inject traffic into legitimate streams from legitimate locations, and also may compromise legitimate services or use existing legitimate services (such as a service like docs.google.com where any user can create documents of arbitrary data). In addition network traffic on any network protocol is suspect and should not be discounted while trying to validate the traffic.



                Lastly, think of your risk profile. Is your nation known for hacking devices and monitoring them? Are you a victim of bad luck or are there legitimate reasons why they should or did suspect you? A certain level of paranoia is healthy, but be practical with your assessment. Custom hardware implants are not cheap, and the cost of discovery can be both embarrassing and costly. If you are not a likely suspect and of some importance, the most likely implant will be software/firmware based, if anything was implanted at all. As others have pointed out, any credentials you had on your machine/that your provided/or any active browser cookies, and all files on the system should now be considered compromised.






                share|improve this answer


























                  12












                  12








                  12






                  In addition to what others have mentioned about detecting hardware changes (chiefly that it is nearly impossible), you should recognize that the most likely vector of compromise would be the installation of software, especially if they only had your device for a fairly limited period of time.



                  To have a reasonable level of certainty that your device is clean from software exploits you should throw out the hard drive and start with a fresh one and a fresh install. Many of the more practical (and easy) low-level rootkits modify the firmware on hard drives to prevent a normal format from removing the malware. This is also one of the easiest ways to alter a system fairly quickly and "undetectably". If your laptop has a replaceable network card, this would also be something to consider replacing as it is also another fairly useful place to deploy a hardware implant.



                  Lastly, any malware likely needs to phone home eventually. Start up your computer and any common applications you run. Connect it to an external router (this is important as you cannot trust software running on the laptop) that records all traffic. Let the laptop sit unused for at least 24 hours. Now, painstakingly validate all the IP's via ARIN or other registries, to see if any of them look suspicious. You will almost certainly have several that you cannot validate, even if the machine is not compromised, but this may give you some confidence-level of compromise. Do be aware that nation-states often possess the ability to inject traffic into legitimate streams from legitimate locations, and also may compromise legitimate services or use existing legitimate services (such as a service like docs.google.com where any user can create documents of arbitrary data). In addition network traffic on any network protocol is suspect and should not be discounted while trying to validate the traffic.



                  Lastly, think of your risk profile. Is your nation known for hacking devices and monitoring them? Are you a victim of bad luck or are there legitimate reasons why they should or did suspect you? A certain level of paranoia is healthy, but be practical with your assessment. Custom hardware implants are not cheap, and the cost of discovery can be both embarrassing and costly. If you are not a likely suspect and of some importance, the most likely implant will be software/firmware based, if anything was implanted at all. As others have pointed out, any credentials you had on your machine/that your provided/or any active browser cookies, and all files on the system should now be considered compromised.






                  share|improve this answer














                  In addition to what others have mentioned about detecting hardware changes (chiefly that it is nearly impossible), you should recognize that the most likely vector of compromise would be the installation of software, especially if they only had your device for a fairly limited period of time.



                  To have a reasonable level of certainty that your device is clean from software exploits you should throw out the hard drive and start with a fresh one and a fresh install. Many of the more practical (and easy) low-level rootkits modify the firmware on hard drives to prevent a normal format from removing the malware. This is also one of the easiest ways to alter a system fairly quickly and "undetectably". If your laptop has a replaceable network card, this would also be something to consider replacing as it is also another fairly useful place to deploy a hardware implant.



                  Lastly, any malware likely needs to phone home eventually. Start up your computer and any common applications you run. Connect it to an external router (this is important as you cannot trust software running on the laptop) that records all traffic. Let the laptop sit unused for at least 24 hours. Now, painstakingly validate all the IP's via ARIN or other registries, to see if any of them look suspicious. You will almost certainly have several that you cannot validate, even if the machine is not compromised, but this may give you some confidence-level of compromise. Do be aware that nation-states often possess the ability to inject traffic into legitimate streams from legitimate locations, and also may compromise legitimate services or use existing legitimate services (such as a service like docs.google.com where any user can create documents of arbitrary data). In addition network traffic on any network protocol is suspect and should not be discounted while trying to validate the traffic.



                  Lastly, think of your risk profile. Is your nation known for hacking devices and monitoring them? Are you a victim of bad luck or are there legitimate reasons why they should or did suspect you? A certain level of paranoia is healthy, but be practical with your assessment. Custom hardware implants are not cheap, and the cost of discovery can be both embarrassing and costly. If you are not a likely suspect and of some importance, the most likely implant will be software/firmware based, if anything was implanted at all. As others have pointed out, any credentials you had on your machine/that your provided/or any active browser cookies, and all files on the system should now be considered compromised.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited Dec 18 at 23:03

























                  answered Dec 18 at 21:05









                  shellster

                  36714




                  36714























                      10














                      If they have all your passwords, as you say, and had possession of the laptop, the laptop, its operating system and software installed are all suspect. As suggested, nuke from orbit.



                      I would also be concerned that any software that might possibly have been implanted could (and would) attempt to compromise other computers on connected networks. Do not connect this machine to an ethernet, nor power it on near any WiFi networks if it has WiFi (nor around Bluetooth devices though I know little about this).



                      It may not be possible to wipe it even under safe conditions due to compromised firmware.



                      If they had the laptop for, say, 30 minutes (or less), the drive could (and would) have been imaged/copied. Its secrets are no longer yours alone.



                      You also have some work ahead of you to change all your passwords: you might want to nuke the accounts for extra safety. Delete all content (if possible) and close the account. Good luck with that. Information may have already been collected, however.



                      There have been answers regarding hardware modification, and while this is a possibility, clearly software tampering should be high on your mind.






                      share|improve this answer

















                      • 2




                        Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
                        – Mark
                        Dec 19 at 0:45






                      • 2




                        ...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
                        – Tom
                        Dec 19 at 13:36






                      • 2




                        @Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
                        – forest
                        Dec 21 at 4:07












                      • @forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
                        – Tom
                        Dec 21 at 9:45










                      • @Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
                        – forest
                        Dec 21 at 9:52
















                      10














                      If they have all your passwords, as you say, and had possession of the laptop, the laptop, its operating system and software installed are all suspect. As suggested, nuke from orbit.



                      I would also be concerned that any software that might possibly have been implanted could (and would) attempt to compromise other computers on connected networks. Do not connect this machine to an ethernet, nor power it on near any WiFi networks if it has WiFi (nor around Bluetooth devices though I know little about this).



                      It may not be possible to wipe it even under safe conditions due to compromised firmware.



                      If they had the laptop for, say, 30 minutes (or less), the drive could (and would) have been imaged/copied. Its secrets are no longer yours alone.



                      You also have some work ahead of you to change all your passwords: you might want to nuke the accounts for extra safety. Delete all content (if possible) and close the account. Good luck with that. Information may have already been collected, however.



                      There have been answers regarding hardware modification, and while this is a possibility, clearly software tampering should be high on your mind.






                      share|improve this answer

















                      • 2




                        Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
                        – Mark
                        Dec 19 at 0:45






                      • 2




                        ...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
                        – Tom
                        Dec 19 at 13:36






                      • 2




                        @Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
                        – forest
                        Dec 21 at 4:07












                      • @forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
                        – Tom
                        Dec 21 at 9:45










                      • @Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
                        – forest
                        Dec 21 at 9:52














                      10












                      10








                      10






                      If they have all your passwords, as you say, and had possession of the laptop, the laptop, its operating system and software installed are all suspect. As suggested, nuke from orbit.



                      I would also be concerned that any software that might possibly have been implanted could (and would) attempt to compromise other computers on connected networks. Do not connect this machine to an ethernet, nor power it on near any WiFi networks if it has WiFi (nor around Bluetooth devices though I know little about this).



                      It may not be possible to wipe it even under safe conditions due to compromised firmware.



                      If they had the laptop for, say, 30 minutes (or less), the drive could (and would) have been imaged/copied. Its secrets are no longer yours alone.



                      You also have some work ahead of you to change all your passwords: you might want to nuke the accounts for extra safety. Delete all content (if possible) and close the account. Good luck with that. Information may have already been collected, however.



                      There have been answers regarding hardware modification, and while this is a possibility, clearly software tampering should be high on your mind.






                      share|improve this answer












                      If they have all your passwords, as you say, and had possession of the laptop, the laptop, its operating system and software installed are all suspect. As suggested, nuke from orbit.



                      I would also be concerned that any software that might possibly have been implanted could (and would) attempt to compromise other computers on connected networks. Do not connect this machine to an ethernet, nor power it on near any WiFi networks if it has WiFi (nor around Bluetooth devices though I know little about this).



                      It may not be possible to wipe it even under safe conditions due to compromised firmware.



                      If they had the laptop for, say, 30 minutes (or less), the drive could (and would) have been imaged/copied. Its secrets are no longer yours alone.



                      You also have some work ahead of you to change all your passwords: you might want to nuke the accounts for extra safety. Delete all content (if possible) and close the account. Good luck with that. Information may have already been collected, however.



                      There have been answers regarding hardware modification, and while this is a possibility, clearly software tampering should be high on your mind.







                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered Dec 18 at 20:20









                      newyork10023

                      1012




                      1012








                      • 2




                        Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
                        – Mark
                        Dec 19 at 0:45






                      • 2




                        ...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
                        – Tom
                        Dec 19 at 13:36






                      • 2




                        @Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
                        – forest
                        Dec 21 at 4:07












                      • @forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
                        – Tom
                        Dec 21 at 9:45










                      • @Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
                        – forest
                        Dec 21 at 9:52














                      • 2




                        Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
                        – Mark
                        Dec 19 at 0:45






                      • 2




                        ...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
                        – Tom
                        Dec 19 at 13:36






                      • 2




                        @Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
                        – forest
                        Dec 21 at 4:07












                      • @forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
                        – Tom
                        Dec 21 at 9:45










                      • @Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
                        – forest
                        Dec 21 at 9:52








                      2




                      2




                      Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
                      – Mark
                      Dec 19 at 0:45




                      Forget compromised firmware, if they're serious about monitoring the OP, how about a compromised Ethernet port, or a compromised monitor cable?
                      – Mark
                      Dec 19 at 0:45




                      2




                      2




                      ...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
                      – Tom
                      Dec 19 at 13:36




                      ...or a compromised memory bank? There's no limit to the shenanigans you can play with hardware.
                      – Tom
                      Dec 19 at 13:36




                      2




                      2




                      @Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
                      – forest
                      Dec 21 at 4:07






                      @Tom I think it would be very hard to compromise the DIMM (if that's what you mean by memory bank) without the implant being extremely obvious. Modern DRAM operates at such blindingly fast speeds and with such extreme sensitivity to latency that a fairly large, bulky logic analyzer is required to even so much as analyze the commands being sent to the DRAM modules. Humanity simply lacks the technological capability to create a small implant that's capable of actually monitoring memory in that way.
                      – forest
                      Dec 21 at 4:07














                      @forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
                      – Tom
                      Dec 21 at 9:45




                      @forest - yes, you would have to go above the individual module. And you won't get much logic. I was more thinking about a simple copy, similar to a monitoring port.
                      – Tom
                      Dec 21 at 9:45












                      @Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
                      – forest
                      Dec 21 at 9:52




                      @Tom I'm not sure if it'd be able to simply copy data either. At those speeds, the electrical characteristics of wires begins to matter.
                      – forest
                      Dec 21 at 9:52











                      8














                      Given what you've told us, you need to assume that not only is the laptop irrecoverably compromised, but so is your entire home network, everything connected to it, and every account you have anywhere that was ever accessed from the laptop or from another device connected to your home network.




                      1. Physically destroy the laptop, preferably by melting/burning it rather than simple shredding or pulverisation.


                      2. Do the same for every single component of your home network.


                      3. Do the same for every device that was connected to said network during the time after the laptop was "returned".


                      4. Close and delete every account that you have on every website that you have ever accessed from the laptop or from any of the devices in step 3.


                      5. Cancel and physically destroy any and all credit/debit/gift cards that you have ever made payments from via the laptop or via any of the devices in step 3. Also cancel any payments that were made using any of those cards during the time after the laptop was "returned".


                      6. Close all your bank accounts, withdrawing their entire contents in cash. Destroy any paperwork in your possession associated with any of those accounts.


                      7. I cannot emphasise strongly enough the importance of fleeing to a country with better protections against these sorts of abuses by arms of the government.







                      share|improve this answer

















                      • 3




                        This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
                        – Xen2050
                        Dec 22 at 15:55






                      • 1




                        Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
                        – rackandboneman
                        Dec 22 at 19:54






                      • 5




                        Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
                        – rackandboneman
                        Dec 22 at 19:57
















                      8














                      Given what you've told us, you need to assume that not only is the laptop irrecoverably compromised, but so is your entire home network, everything connected to it, and every account you have anywhere that was ever accessed from the laptop or from another device connected to your home network.




                      1. Physically destroy the laptop, preferably by melting/burning it rather than simple shredding or pulverisation.


                      2. Do the same for every single component of your home network.


                      3. Do the same for every device that was connected to said network during the time after the laptop was "returned".


                      4. Close and delete every account that you have on every website that you have ever accessed from the laptop or from any of the devices in step 3.


                      5. Cancel and physically destroy any and all credit/debit/gift cards that you have ever made payments from via the laptop or via any of the devices in step 3. Also cancel any payments that were made using any of those cards during the time after the laptop was "returned".


                      6. Close all your bank accounts, withdrawing their entire contents in cash. Destroy any paperwork in your possession associated with any of those accounts.


                      7. I cannot emphasise strongly enough the importance of fleeing to a country with better protections against these sorts of abuses by arms of the government.







                      share|improve this answer

















                      • 3




                        This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
                        – Xen2050
                        Dec 22 at 15:55






                      • 1




                        Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
                        – rackandboneman
                        Dec 22 at 19:54






                      • 5




                        Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
                        – rackandboneman
                        Dec 22 at 19:57














                      8












                      8








                      8






                      Given what you've told us, you need to assume that not only is the laptop irrecoverably compromised, but so is your entire home network, everything connected to it, and every account you have anywhere that was ever accessed from the laptop or from another device connected to your home network.




                      1. Physically destroy the laptop, preferably by melting/burning it rather than simple shredding or pulverisation.


                      2. Do the same for every single component of your home network.


                      3. Do the same for every device that was connected to said network during the time after the laptop was "returned".


                      4. Close and delete every account that you have on every website that you have ever accessed from the laptop or from any of the devices in step 3.


                      5. Cancel and physically destroy any and all credit/debit/gift cards that you have ever made payments from via the laptop or via any of the devices in step 3. Also cancel any payments that were made using any of those cards during the time after the laptop was "returned".


                      6. Close all your bank accounts, withdrawing their entire contents in cash. Destroy any paperwork in your possession associated with any of those accounts.


                      7. I cannot emphasise strongly enough the importance of fleeing to a country with better protections against these sorts of abuses by arms of the government.







                      share|improve this answer












                      Given what you've told us, you need to assume that not only is the laptop irrecoverably compromised, but so is your entire home network, everything connected to it, and every account you have anywhere that was ever accessed from the laptop or from another device connected to your home network.




                      1. Physically destroy the laptop, preferably by melting/burning it rather than simple shredding or pulverisation.


                      2. Do the same for every single component of your home network.


                      3. Do the same for every device that was connected to said network during the time after the laptop was "returned".


                      4. Close and delete every account that you have on every website that you have ever accessed from the laptop or from any of the devices in step 3.


                      5. Cancel and physically destroy any and all credit/debit/gift cards that you have ever made payments from via the laptop or via any of the devices in step 3. Also cancel any payments that were made using any of those cards during the time after the laptop was "returned".


                      6. Close all your bank accounts, withdrawing their entire contents in cash. Destroy any paperwork in your possession associated with any of those accounts.


                      7. I cannot emphasise strongly enough the importance of fleeing to a country with better protections against these sorts of abuses by arms of the government.








                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered Dec 19 at 23:01









                      Sean

                      183115




                      183115








                      • 3




                        This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
                        – Xen2050
                        Dec 22 at 15:55






                      • 1




                        Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
                        – rackandboneman
                        Dec 22 at 19:54






                      • 5




                        Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
                        – rackandboneman
                        Dec 22 at 19:57














                      • 3




                        This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
                        – Xen2050
                        Dec 22 at 15:55






                      • 1




                        Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
                        – rackandboneman
                        Dec 22 at 19:54






                      • 5




                        Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
                        – rackandboneman
                        Dec 22 at 19:57








                      3




                      3




                      This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
                      – Xen2050
                      Dec 22 at 15:55




                      This seemed really really excessive, but it all made sense leading up to the final point, so +1. Except maybe sell the devices instead of destroy them. And I'd guess this may be good advice too: DON'T TRY TO LEAVE A COUNTRY LIKE THAT WITH LOTS OF CASH, THEY'LL JUST TAKE IT AT THE BORDER
                      – Xen2050
                      Dec 22 at 15:55




                      1




                      1




                      Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
                      – rackandboneman
                      Dec 22 at 19:54




                      Destroying the machine would only confirm the monitor's suspicion - continue using it, but only use it for stuff that would give nothing but wasted time and boredom to a would-be spy!
                      – rackandboneman
                      Dec 22 at 19:54




                      5




                      5




                      Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
                      – rackandboneman
                      Dec 22 at 19:57




                      Also, I would assume a government-authorized organisation that means business would not need to do one single thing to an individuals home computer to compromise their internet connection, bank accounts or communications accounts. In any country.
                      – rackandboneman
                      Dec 22 at 19:57











                      4















                      I need to make sure if they have added something to monitor my activities or steal my data or not




                      Consider that they have all your data already. You surrended all your passwords, so even data that is not on your laptop (e.g. mail, cloud) is now in their hands. Extended comment: if you were not under arrest you could always change as many passwords as you could after giving them, but we want to assume our attacker has so much resources and efficiency that they grabbed an entire copy of all your online activities by the second you wrote down your password on a piece of paper. Pessimistic approach.



                      As pointed out by @forest, you can do something to try to prove they did it, but it is so expensive that you better go BestBuy as fastest as possible to get a new laptop. Unless your goal is to whistleblow your government is spying on you and how.




                      And if they have done that, what should I do to prevent them.




                      I assume you asked "what should I do to prevent them in the future?". Please edit if not. Getting a new laptop and implementing proper security measures is good, just as we others are doing.



                      Full disk encryption, plausibly-deniable hidden volumes and complex passwords are the basic tools. A military corp targeting an individual can have so many resources (including 0-days) that you can not prevent them to hack you forever, but you can still protect yourself and make it a painful time for them.



                      Remember, you said you gave them the passwords. This is where TrueCrypt/VeraCrypt come handy. I recommend you to take a look at this QA. Remember to use the cover OS often. Once in the future you will be questioned again for your passwords, give them the decryption key for the "outer" OS. They are not stupid, they will try their best to extort you that you are running a hidden OS too. For example, just that you are using VeraCrypt instead of stock Windows BitLocker or stock Linux LVM, that might be grounds for questioning/extortion.



                      You may also want to carefully and safely copying documents from the old hard drive using a USB adapter. Documents, not executables. And, out of paranoia, who can tell if some PDF documents were altered to exploit a 0day in one of the popular readers?



                      You may want to escape from that country as soon as possible, for what concerns me.






                      share|improve this answer



















                      • 4




                        Leaving the country really is the best advice.
                        – Gherman
                        Dec 20 at 15:01






                      • 3




                        It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
                        – schroeder
                        Dec 20 at 19:24








                      • 2




                        There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
                        – Xen2050
                        Dec 22 at 16:51










                      • The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
                        – rackandboneman
                        Dec 22 at 20:01










                      • @Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
                        – forest
                        2 days ago


















                      4















                      I need to make sure if they have added something to monitor my activities or steal my data or not




                      Consider that they have all your data already. You surrended all your passwords, so even data that is not on your laptop (e.g. mail, cloud) is now in their hands. Extended comment: if you were not under arrest you could always change as many passwords as you could after giving them, but we want to assume our attacker has so much resources and efficiency that they grabbed an entire copy of all your online activities by the second you wrote down your password on a piece of paper. Pessimistic approach.



                      As pointed out by @forest, you can do something to try to prove they did it, but it is so expensive that you better go BestBuy as fastest as possible to get a new laptop. Unless your goal is to whistleblow your government is spying on you and how.




                      And if they have done that, what should I do to prevent them.




                      I assume you asked "what should I do to prevent them in the future?". Please edit if not. Getting a new laptop and implementing proper security measures is good, just as we others are doing.



                      Full disk encryption, plausibly-deniable hidden volumes and complex passwords are the basic tools. A military corp targeting an individual can have so many resources (including 0-days) that you can not prevent them to hack you forever, but you can still protect yourself and make it a painful time for them.



                      Remember, you said you gave them the passwords. This is where TrueCrypt/VeraCrypt come handy. I recommend you to take a look at this QA. Remember to use the cover OS often. Once in the future you will be questioned again for your passwords, give them the decryption key for the "outer" OS. They are not stupid, they will try their best to extort you that you are running a hidden OS too. For example, just that you are using VeraCrypt instead of stock Windows BitLocker or stock Linux LVM, that might be grounds for questioning/extortion.



                      You may also want to carefully and safely copying documents from the old hard drive using a USB adapter. Documents, not executables. And, out of paranoia, who can tell if some PDF documents were altered to exploit a 0day in one of the popular readers?



                      You may want to escape from that country as soon as possible, for what concerns me.






                      share|improve this answer



















                      • 4




                        Leaving the country really is the best advice.
                        – Gherman
                        Dec 20 at 15:01






                      • 3




                        It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
                        – schroeder
                        Dec 20 at 19:24








                      • 2




                        There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
                        – Xen2050
                        Dec 22 at 16:51










                      • The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
                        – rackandboneman
                        Dec 22 at 20:01










                      • @Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
                        – forest
                        2 days ago
















                      4












                      4








                      4







                      I need to make sure if they have added something to monitor my activities or steal my data or not




                      Consider that they have all your data already. You surrended all your passwords, so even data that is not on your laptop (e.g. mail, cloud) is now in their hands. Extended comment: if you were not under arrest you could always change as many passwords as you could after giving them, but we want to assume our attacker has so much resources and efficiency that they grabbed an entire copy of all your online activities by the second you wrote down your password on a piece of paper. Pessimistic approach.



                      As pointed out by @forest, you can do something to try to prove they did it, but it is so expensive that you better go BestBuy as fastest as possible to get a new laptop. Unless your goal is to whistleblow your government is spying on you and how.




                      And if they have done that, what should I do to prevent them.




                      I assume you asked "what should I do to prevent them in the future?". Please edit if not. Getting a new laptop and implementing proper security measures is good, just as we others are doing.



                      Full disk encryption, plausibly-deniable hidden volumes and complex passwords are the basic tools. A military corp targeting an individual can have so many resources (including 0-days) that you can not prevent them to hack you forever, but you can still protect yourself and make it a painful time for them.



                      Remember, you said you gave them the passwords. This is where TrueCrypt/VeraCrypt come handy. I recommend you to take a look at this QA. Remember to use the cover OS often. Once in the future you will be questioned again for your passwords, give them the decryption key for the "outer" OS. They are not stupid, they will try their best to extort you that you are running a hidden OS too. For example, just that you are using VeraCrypt instead of stock Windows BitLocker or stock Linux LVM, that might be grounds for questioning/extortion.



                      You may also want to carefully and safely copying documents from the old hard drive using a USB adapter. Documents, not executables. And, out of paranoia, who can tell if some PDF documents were altered to exploit a 0day in one of the popular readers?



                      You may want to escape from that country as soon as possible, for what concerns me.






                      share|improve this answer















                      I need to make sure if they have added something to monitor my activities or steal my data or not




                      Consider that they have all your data already. You surrended all your passwords, so even data that is not on your laptop (e.g. mail, cloud) is now in their hands. Extended comment: if you were not under arrest you could always change as many passwords as you could after giving them, but we want to assume our attacker has so much resources and efficiency that they grabbed an entire copy of all your online activities by the second you wrote down your password on a piece of paper. Pessimistic approach.



                      As pointed out by @forest, you can do something to try to prove they did it, but it is so expensive that you better go BestBuy as fastest as possible to get a new laptop. Unless your goal is to whistleblow your government is spying on you and how.




                      And if they have done that, what should I do to prevent them.




                      I assume you asked "what should I do to prevent them in the future?". Please edit if not. Getting a new laptop and implementing proper security measures is good, just as we others are doing.



                      Full disk encryption, plausibly-deniable hidden volumes and complex passwords are the basic tools. A military corp targeting an individual can have so many resources (including 0-days) that you can not prevent them to hack you forever, but you can still protect yourself and make it a painful time for them.



                      Remember, you said you gave them the passwords. This is where TrueCrypt/VeraCrypt come handy. I recommend you to take a look at this QA. Remember to use the cover OS often. Once in the future you will be questioned again for your passwords, give them the decryption key for the "outer" OS. They are not stupid, they will try their best to extort you that you are running a hidden OS too. For example, just that you are using VeraCrypt instead of stock Windows BitLocker or stock Linux LVM, that might be grounds for questioning/extortion.



                      You may also want to carefully and safely copying documents from the old hard drive using a USB adapter. Documents, not executables. And, out of paranoia, who can tell if some PDF documents were altered to exploit a 0day in one of the popular readers?



                      You may want to escape from that country as soon as possible, for what concerns me.







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Dec 22 at 8:54

























                      answered Dec 20 at 12:25









                      usr-local-ΕΨΗΕΛΩΝ

                      1,121415




                      1,121415








                      • 4




                        Leaving the country really is the best advice.
                        – Gherman
                        Dec 20 at 15:01






                      • 3




                        It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
                        – schroeder
                        Dec 20 at 19:24








                      • 2




                        There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
                        – Xen2050
                        Dec 22 at 16:51










                      • The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
                        – rackandboneman
                        Dec 22 at 20:01










                      • @Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
                        – forest
                        2 days ago
















                      • 4




                        Leaving the country really is the best advice.
                        – Gherman
                        Dec 20 at 15:01






                      • 3




                        It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
                        – schroeder
                        Dec 20 at 19:24








                      • 2




                        There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
                        – Xen2050
                        Dec 22 at 16:51










                      • The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
                        – rackandboneman
                        Dec 22 at 20:01










                      • @Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
                        – forest
                        2 days ago










                      4




                      4




                      Leaving the country really is the best advice.
                      – Gherman
                      Dec 20 at 15:01




                      Leaving the country really is the best advice.
                      – Gherman
                      Dec 20 at 15:01




                      3




                      3




                      It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
                      – schroeder
                      Dec 20 at 19:24






                      It is important to note that in such a situation, trying to deceive the military who is trying to break into your computer might introduce serious consequences. Lying to them outright is a recipe for disaster.
                      – schroeder
                      Dec 20 at 19:24






                      2




                      2




                      There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
                      – Xen2050
                      Dec 22 at 16:51




                      There's an interesting idea about "plausible deniability" and encryption - TrueCrypt's Plausible Deniability is Theoretically Useless - "It's also a strictly dominant strategy for the government to keep torturing you... So no matter if you're using a hidden volume or not, the government gets the highest reward by continuing to torture you. So if you and the government are both rational and self-interested, then you are going to use a hidden volume, and the government is going to keep torturing you."
                      – Xen2050
                      Dec 22 at 16:51












                      The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
                      – rackandboneman
                      Dec 22 at 20:01




                      The more interesting question is, if that military organisation would have found anything that interested them in the first place, would they have returned the laptop at all and left the owner at large?
                      – rackandboneman
                      Dec 22 at 20:01












                      @Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
                      – forest
                      2 days ago






                      @Xen2050 That website has an extremely naïve understanding of elementary game theory. TrueCrypt's plausible deniability is useful in a large number of threat models. Now, whether or not it's easy to maintain an outer volume that has convincing metadata (timestamps indicative of genuine access) is a different story.
                      – forest
                      2 days ago













                      0














                      A backdoor still has to communicate to the attacker, so watching network chatter via your router should suffice. Wiping a harddrive and reinstalling an OS may not be enough, they had it for a week, they could've taken it apart, installed a network tap device and put it back together.



                      That's not all there is either, there may be no network activity and the program/device may be silently collecting data for somebody to physically retrieve later, probably via a knock on your door.



                      A new laptop is in order, however I'd keep the old one, maybe even put it on a DMZ so it can't talk to other devices on your home network and it goes without saying, it can't be used for anything sensitive ever again.






                      share|improve this answer

















                      • 12




                        You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
                        – Mark
                        Dec 19 at 0:43






                      • 15




                        @RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
                        – Tom
                        Dec 19 at 11:44






                      • 2




                        Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
                        – allo
                        Dec 20 at 14:11










                      • A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
                        – rackandboneman
                        Dec 22 at 19:58
















                      0














                      A backdoor still has to communicate to the attacker, so watching network chatter via your router should suffice. Wiping a harddrive and reinstalling an OS may not be enough, they had it for a week, they could've taken it apart, installed a network tap device and put it back together.



                      That's not all there is either, there may be no network activity and the program/device may be silently collecting data for somebody to physically retrieve later, probably via a knock on your door.



                      A new laptop is in order, however I'd keep the old one, maybe even put it on a DMZ so it can't talk to other devices on your home network and it goes without saying, it can't be used for anything sensitive ever again.






                      share|improve this answer

















                      • 12




                        You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
                        – Mark
                        Dec 19 at 0:43






                      • 15




                        @RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
                        – Tom
                        Dec 19 at 11:44






                      • 2




                        Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
                        – allo
                        Dec 20 at 14:11










                      • A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
                        – rackandboneman
                        Dec 22 at 19:58














                      0












                      0








                      0






                      A backdoor still has to communicate to the attacker, so watching network chatter via your router should suffice. Wiping a harddrive and reinstalling an OS may not be enough, they had it for a week, they could've taken it apart, installed a network tap device and put it back together.



                      That's not all there is either, there may be no network activity and the program/device may be silently collecting data for somebody to physically retrieve later, probably via a knock on your door.



                      A new laptop is in order, however I'd keep the old one, maybe even put it on a DMZ so it can't talk to other devices on your home network and it goes without saying, it can't be used for anything sensitive ever again.






                      share|improve this answer












                      A backdoor still has to communicate to the attacker, so watching network chatter via your router should suffice. Wiping a harddrive and reinstalling an OS may not be enough, they had it for a week, they could've taken it apart, installed a network tap device and put it back together.



                      That's not all there is either, there may be no network activity and the program/device may be silently collecting data for somebody to physically retrieve later, probably via a knock on your door.



                      A new laptop is in order, however I'd keep the old one, maybe even put it on a DMZ so it can't talk to other devices on your home network and it goes without saying, it can't be used for anything sensitive ever again.







                      share|improve this answer












                      share|improve this answer



                      share|improve this answer










                      answered Dec 18 at 22:22









                      RandomUs1r

                      1354




                      1354








                      • 12




                        You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
                        – Mark
                        Dec 19 at 0:43






                      • 15




                        @RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
                        – Tom
                        Dec 19 at 11:44






                      • 2




                        Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
                        – allo
                        Dec 20 at 14:11










                      • A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
                        – rackandboneman
                        Dec 22 at 19:58














                      • 12




                        You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
                        – Mark
                        Dec 19 at 0:43






                      • 15




                        @RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
                        – Tom
                        Dec 19 at 11:44






                      • 2




                        Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
                        – allo
                        Dec 20 at 14:11










                      • A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
                        – rackandboneman
                        Dec 22 at 19:58








                      12




                      12




                      You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
                      – Mark
                      Dec 19 at 0:43




                      You probably should look at a copy of the NSA's hardware implant catalog that leaked a few years back. They've got backdoors that can communicate in all sorts of ways, including by modulating an externally-transmitted radio signal.
                      – Mark
                      Dec 19 at 0:43




                      15




                      15




                      @RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
                      – Tom
                      Dec 19 at 11:44




                      @RandomUs1r - the adversary here is the military, not some run-of-the-mill cybercriminal with a backdoor he copied from some darknet forum. There are plenty of ways to send out data in ways that even most cybersecurity professionals would not detect. Some of my friends would approach a device like this with an oscilloscope. There's half a dozen documented ways to get data into and out of machines that are seemingly not connected to any network. There's plenty of ways to hide network, system and memory activities.
                      – Tom
                      Dec 19 at 11:44




                      2




                      2




                      Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
                      – allo
                      Dec 20 at 14:11




                      Or the malware does not communicate at all, but just stores the data until the laptop is searched again.
                      – allo
                      Dec 20 at 14:11












                      A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
                      – rackandboneman
                      Dec 22 at 19:58




                      A trained user with an oscilloscope would only stand any chance if they knew roughly what they are even looking for.
                      – rackandboneman
                      Dec 22 at 19:58











                      0














                      Install your own spyware on it and let it run on idle for a week, catch the snoopers in the act or just destroy the laptop and buy a new one.






                      share|improve this answer








                      New contributor




                      Meh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.


















                      • Welcome. The "replace it" angles is already covered by the accepted answer. As for "install your own spyware", that's not going to work. The spyware you install would have to be at a lower level in the technology stack as the military-installed one. That's not going to be likely.
                        – schroeder
                        39 mins ago
















                      0














                      Install your own spyware on it and let it run on idle for a week, catch the snoopers in the act or just destroy the laptop and buy a new one.






                      share|improve this answer








                      New contributor




                      Meh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.


















                      • Welcome. The "replace it" angles is already covered by the accepted answer. As for "install your own spyware", that's not going to work. The spyware you install would have to be at a lower level in the technology stack as the military-installed one. That's not going to be likely.
                        – schroeder
                        39 mins ago














                      0












                      0








                      0






                      Install your own spyware on it and let it run on idle for a week, catch the snoopers in the act or just destroy the laptop and buy a new one.






                      share|improve this answer








                      New contributor




                      Meh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      Install your own spyware on it and let it run on idle for a week, catch the snoopers in the act or just destroy the laptop and buy a new one.







                      share|improve this answer








                      New contributor




                      Meh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      share|improve this answer



                      share|improve this answer






                      New contributor




                      Meh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.









                      answered 55 mins ago









                      Meh

                      1




                      1




                      New contributor




                      Meh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.





                      New contributor





                      Meh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.






                      Meh is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                      Check out our Code of Conduct.












                      • Welcome. The "replace it" angles is already covered by the accepted answer. As for "install your own spyware", that's not going to work. The spyware you install would have to be at a lower level in the technology stack as the military-installed one. That's not going to be likely.
                        – schroeder
                        39 mins ago


















                      • Welcome. The "replace it" angles is already covered by the accepted answer. As for "install your own spyware", that's not going to work. The spyware you install would have to be at a lower level in the technology stack as the military-installed one. That's not going to be likely.
                        – schroeder
                        39 mins ago
















                      Welcome. The "replace it" angles is already covered by the accepted answer. As for "install your own spyware", that's not going to work. The spyware you install would have to be at a lower level in the technology stack as the military-installed one. That's not going to be likely.
                      – schroeder
                      39 mins ago




                      Welcome. The "replace it" angles is already covered by the accepted answer. As for "install your own spyware", that's not going to work. The spyware you install would have to be at a lower level in the technology stack as the military-installed one. That's not going to be likely.
                      – schroeder
                      39 mins ago











                      -7














                      If the laptop is a Windows 10 due to secure boot, Windows virtual memory, driver signing- you can ensure the machine is trustable. This doesn't rule out malicious applications installed and set to run and access the computers resources however they would have virtually no way to access other applications or process which don't "put them selves out there".



                      Windows virtual memory addressing essentially scrambles memory of user mode applications. So if a virus tries to access memory through hacked methods it's not able to discern what's what. So every process has its own 2 gb or so virtual memory that it uses which is translated by windows to real address space. Process memory is basically private to that process. They can share memory with handles. But I believe this would require the cooperation of both process.



                      Additionally malicious software set to run can see network traffic but that can be viewed by anyone also ounce it's broadcasted on a physical network.



                      So basically securely written applications cant be eased dropped. Unless the "military" had access to oem, Windows, or intel/amd and they make that ability available to them, or they have realized vulnerabilities not yet known to exist.






                      share|improve this answer



















                      • 2




                        I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
                        – usr-local-ΕΨΗΕΛΩΝ
                        Dec 20 at 12:07












                      • Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
                        – marshal craft
                        Dec 20 at 12:33










                      • "Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
                        – usr-local-ΕΨΗΕΛΩΝ
                        Dec 20 at 12:39










                      • In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
                        – usr-local-ΕΨΗΕΛΩΝ
                        Dec 20 at 12:41










                      • Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
                        – marshal craft
                        Dec 20 at 12:46
















                      -7














                      If the laptop is a Windows 10 due to secure boot, Windows virtual memory, driver signing- you can ensure the machine is trustable. This doesn't rule out malicious applications installed and set to run and access the computers resources however they would have virtually no way to access other applications or process which don't "put them selves out there".



                      Windows virtual memory addressing essentially scrambles memory of user mode applications. So if a virus tries to access memory through hacked methods it's not able to discern what's what. So every process has its own 2 gb or so virtual memory that it uses which is translated by windows to real address space. Process memory is basically private to that process. They can share memory with handles. But I believe this would require the cooperation of both process.



                      Additionally malicious software set to run can see network traffic but that can be viewed by anyone also ounce it's broadcasted on a physical network.



                      So basically securely written applications cant be eased dropped. Unless the "military" had access to oem, Windows, or intel/amd and they make that ability available to them, or they have realized vulnerabilities not yet known to exist.






                      share|improve this answer



















                      • 2




                        I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
                        – usr-local-ΕΨΗΕΛΩΝ
                        Dec 20 at 12:07












                      • Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
                        – marshal craft
                        Dec 20 at 12:33










                      • "Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
                        – usr-local-ΕΨΗΕΛΩΝ
                        Dec 20 at 12:39










                      • In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
                        – usr-local-ΕΨΗΕΛΩΝ
                        Dec 20 at 12:41










                      • Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
                        – marshal craft
                        Dec 20 at 12:46














                      -7












                      -7








                      -7






                      If the laptop is a Windows 10 due to secure boot, Windows virtual memory, driver signing- you can ensure the machine is trustable. This doesn't rule out malicious applications installed and set to run and access the computers resources however they would have virtually no way to access other applications or process which don't "put them selves out there".



                      Windows virtual memory addressing essentially scrambles memory of user mode applications. So if a virus tries to access memory through hacked methods it's not able to discern what's what. So every process has its own 2 gb or so virtual memory that it uses which is translated by windows to real address space. Process memory is basically private to that process. They can share memory with handles. But I believe this would require the cooperation of both process.



                      Additionally malicious software set to run can see network traffic but that can be viewed by anyone also ounce it's broadcasted on a physical network.



                      So basically securely written applications cant be eased dropped. Unless the "military" had access to oem, Windows, or intel/amd and they make that ability available to them, or they have realized vulnerabilities not yet known to exist.






                      share|improve this answer














                      If the laptop is a Windows 10 due to secure boot, Windows virtual memory, driver signing- you can ensure the machine is trustable. This doesn't rule out malicious applications installed and set to run and access the computers resources however they would have virtually no way to access other applications or process which don't "put them selves out there".



                      Windows virtual memory addressing essentially scrambles memory of user mode applications. So if a virus tries to access memory through hacked methods it's not able to discern what's what. So every process has its own 2 gb or so virtual memory that it uses which is translated by windows to real address space. Process memory is basically private to that process. They can share memory with handles. But I believe this would require the cooperation of both process.



                      Additionally malicious software set to run can see network traffic but that can be viewed by anyone also ounce it's broadcasted on a physical network.



                      So basically securely written applications cant be eased dropped. Unless the "military" had access to oem, Windows, or intel/amd and they make that ability available to them, or they have realized vulnerabilities not yet known to exist.







                      share|improve this answer














                      share|improve this answer



                      share|improve this answer








                      edited Dec 20 at 11:28

























                      answered Dec 20 at 11:22









                      marshal craft

                      947




                      947








                      • 2




                        I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
                        – usr-local-ΕΨΗΕΛΩΝ
                        Dec 20 at 12:07












                      • Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
                        – marshal craft
                        Dec 20 at 12:33










                      • "Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
                        – usr-local-ΕΨΗΕΛΩΝ
                        Dec 20 at 12:39










                      • In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
                        – usr-local-ΕΨΗΕΛΩΝ
                        Dec 20 at 12:41










                      • Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
                        – marshal craft
                        Dec 20 at 12:46














                      • 2




                        I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
                        – usr-local-ΕΨΗΕΛΩΝ
                        Dec 20 at 12:07












                      • Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
                        – marshal craft
                        Dec 20 at 12:33










                      • "Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
                        – usr-local-ΕΨΗΕΛΩΝ
                        Dec 20 at 12:39










                      • In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
                        – usr-local-ΕΨΗΕΛΩΝ
                        Dec 20 at 12:41










                      • Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
                        – marshal craft
                        Dec 20 at 12:46








                      2




                      2




                      I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
                      – usr-local-ΕΨΗΕΛΩΝ
                      Dec 20 at 12:07






                      I disagree. Trusted boot prevents the genuine UEFI firmware to run untrusted software (i.e. software cannot be tampered). It does not prevent tampered hardware to boot the genuine OS. Your assertion on virtual memory is correct, but nobody prevents a military corp with enough resoruces to replace the UEFI firmware with a hypervisor on top of which the OS runs. Then you have ring-0 control over machine.
                      – usr-local-ΕΨΗΕΛΩΝ
                      Dec 20 at 12:07














                      Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
                      – marshal craft
                      Dec 20 at 12:33




                      Intel management engine is the starting point, intel needs to provide the oem with information and tooling to use the secure execution processor, which windows uses. There was a recent exploit with macs, but this was with the secure execution engine not used and configured which is done by oems, Windows would not boot under such an environment, and this still would require intels tools.
                      – marshal craft
                      Dec 20 at 12:33












                      "Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
                      – usr-local-ΕΨΗΕΛΩΝ
                      Dec 20 at 12:39




                      "Windows won't boot". That's new for me, I will research on thah. Thank you. Yes, a TPM module can validate hardware and refuse to issue the key if the hardware is compromised, but that's something different from the OS to validate the hardware. An example is Magisk for Android. Magisk operates with unlocked bootloader but is capable of tricking Android into thinking that the hardware and the OS are intact. From what I have learned, Magisk is mostly invulnerable. So Android cannot refuse to boot. This justifies my surprise in your sentence. This is a very interesting topic
                      – usr-local-ΕΨΗΕΛΩΝ
                      Dec 20 at 12:39












                      In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
                      – usr-local-ΕΨΗΕΛΩΝ
                      Dec 20 at 12:41




                      In the Magisk example: the locked phone will refuse to boot Magisk because hardware checks the OS. But when the software (e.g. SafetyNet) tries to assess the hardware, Magisk creates a layer of smoke that makes the software think the hardware is sane. Surely, Android vs Magisk is just a bare example, I don't know what Windows does to validate hardware when hardware is capable to provide a fake attestation
                      – usr-local-ΕΨΗΕΛΩΝ
                      Dec 20 at 12:41












                      Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
                      – marshal craft
                      Dec 20 at 12:46




                      Basically the oem sets fuses in m.e. Which are used to verify firmware was signed usinng cryptography. The oem can update firmware etc, but keeps the system locked down. Also the oem works with Windows and uefi to pass on trust to those components. Also windows doesn't itself use uefi drivers normally. Though it can as worst case plug and play feature where it cant find a driver I think. Obviously this would be a hole in its driver signing mechanism. So I'm not sure how it is handled but presume it is.
                      – marshal craft
                      Dec 20 at 12:46


















                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Information Security Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.





                      Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                      Please pay close attention to the following guidance:


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f199971%2fsearch-for-military-installed-backdoors-on-laptop%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      What visual should I use to simply compare current year value vs last year in Power BI desktop

                      How to ignore python UserWarning in pytest?

                      Alexandru Averescu