TrueCrypt helped me catch NSA firmware backdoor

Posted: Thu Sep 18, 2014 4:49 pm
by EdwardSnowden
I have a desktop computer, call it PC-A, that in the past I have on at least three separate occasions reformatted from scratch (with at least a one-pass zero using KillDisk on the HDD each time) before installing Windows 7 64-bit onto PC-A.

The very first thing I would do after reformatting the PC and reinstalling Windows would be to install TrueCrypt 7.1a and then do a full disk encryption on it before doing anything else (including before installing any device drivers or connecting it to the network, etc.).

Those who have used TrueCrypt full disk encryption know that it forces you to burn a rescue disk before using FDE. Since I don't want to waste a disc each time, I've always downloaded and used WinCDEmu to bypass that TC requirement.

However, recently (and I tried this on three separate occasions, each time totally starting from scratch), when I reformat, wipe, and reinstall Windows on PC-A, I notice that when attempting to install WinCDEmu, right after I click Install, I get a weird error stating that "Microsoft Register Server has Stopped Working", and the details show a "BEX" error related to DEP, referencing WinCDEmuContextMenu.dll_unloaded.

I have made absolutely ZERO hardware changes, no BIOS or firmware upgrades. Every time I have used the exact same Windows 7 DVD-ROM to install the OS via the bootable disc, and the disc itself is fine with no scratches. I have also consistently used the exact same version of WinCDEmu and checksum it each time to make sure there are no bit-rot or file integrity issues. I do the same for TrueCrypt and use the exact same version of TrueCrypt. As a matter of fact, since I've done the exact same procedure so many times and I know TrueCrypt will ask me to burn a rescue disk, the very very FIRST thing I do after a fresh install of Windows 7 is to install WinCDEmu 3.6, even prior to installing TrueCrypt itself.

I even tried the SAME Windows 7 64-bit DVD bootable disc on another computer (call it PC-B) that I have that is airgapped and never connected to the network at all, and used the EXACT same version of WinCDEmu residing on the exact same external USB storage medium, with no problems, and did not get the error messages.

So, my procedure is EXACTLY the same; nothing has changed. Prior to the suspected infection, I had at least THREE different times used the same procedure with the exact same software and on the exact same hardware configuration (PC-A) and never had any issues or errors.

Now, after the interdiction, I still use the exact same procedure, exact same hardware, and exact same software, and yet I get the persistent error messages. As a means of test/control, I even tried the exact same Windows DVD install disc and the exact same version (checksum) of WinCDEmu 3.6 on TWO separate computers, one that is airgapped and another that is not airgapped, and neither of them has any issues or gives the error messages.

And on the infected machine, when I try to proceed with the FDE and encrypt the host protected area, it will not work. It seems to work, but the next time I reboot the computer to do the "test", it does not recognize my password even though I am 100% sure the password is correct. In addition, the hard drive is a standard Seagate HDD, and this is all commodity hardware, but when I mounted the hard drive in a different machine, it would not correctly recognize it, and I would not have been able to access it to clone the drive or extract any data. It seems to only work when mounted on the original device.

This is something I've never encountered before. Since I do at least a "one pass zero" to wipe the entire hard drive each time prior to reinstalling Windows, since there have been no hardware changes, and since I always install WinCDEmu prior to making any changes to the newly installed computer OS (prior to connecting to the Internet, updating drivers, installing any other application, etc.), the only thing that can possibly explain this bizarro behavior is that I've been interdicted and attacked by an advanced persistent threat such as the NSA.

Re: TrueCrypt helped me catch NSA firmware backdoor

Posted: Sun May 03, 2015 1:35 am
by brian6
This is an old post, but I think you have not been the victim of an advanced persistent attack by the NSA. 1. Besides your general paranoia and privacy concerns, why would they target you as an individual? I mean, are you a journalist, a human rights worker, a programmer or coder working on a project that 1. lots of people will use, 2. is of a security nature? 2. It does indeed sound like you're getting a different result even though ZERO VARIABLES have changed.... But I must say I run into problems with my PCs where I know everything should work but it doesn't. I mean, try a different hard drive on that same PC and do the same steps; if it works, forget about the old hard drive! I had a hard drive that was acting funny, so I did a test on it. The test stated the drive was OK, but it did find a few bad sectors, and no matter what I couldn't get that drive to work, so I trashed it and used another, and no problems!

Helpful at all?