Again, compromise is certain (extra consoles on ttyAMA0, new systemd slices that sandbox users and leave some system components unconfigurable, nfs mounts on machines with no net hardware, funny kernel modules you can’t touch, and oh so much more fun), just need to explain how.
Replying to @dragosr @Tatzelbrumm and
“Trivial” heh. See earlier posts about flash controllers. This is how advanced malware spreads. IT guy takes his favourite memory stick with his OS install and puts it in a compromised machine to reinstall. Instead now it becomes the way every new computer in the company gets owned.
2 replies 0 retweets 1 like
Replying to @dragosr @Tatzelbrumm and
So... use something else? Dump the filesystem over the network? XMODEM it out the serial port? There are endless ways to gather evidence safely; it's nigh impossible to "cover everything" for the malware. No implant, no matter how sophisticated, magically counters everything.
1 reply 0 retweets 3 likes
If there are as many indicators of compromise as you claim (and it's not just you misinterpreting totally normal stuff), then the malware is shoddy and clearly not designed for stealth. So show us some of them.
1 reply 0 retweets 3 likes
FWIW: if I were a three-letter agency designing a Raspberry Pi implant, it would live in the VideoCore firmware blob that rules the system from the shadows and be completely invisible to Linux. And I wouldn't be leaving behind "systemd slices that sandbox users".
4 replies 0 retweets 16 likes
Replying to @marcan42 @Tatzelbrumm and
and yet paradoxically, this attacker seems to have dispensed with stealth altogether here. I have so many IOCs it’s not funny, so I get the impression this is more about stopping extraction of the samples I do have.
1 reply 0 retweets 1 like
Replying to @dragosr @Tatzelbrumm and
If you have so many IOCs, why not show them to us? You might get some people excited and less likely to call BS on you. Take a video of what you see that isn't normal. Even the most advanced NSA implant can't plug the analog hole.
3 replies 0 retweets 3 likes
Replying to @marcan42 @Tatzelbrumm and
What analog hole? Are you suggesting I get out my film camera?
1 reply 0 retweets 0 likes
Replying to @dragosr @Tatzelbrumm and
Are you suggesting your digital camera is compromised too? It's analog until it hits the sensor.
1 reply 0 retweets 3 likes
Replying to @marcan42 @Tatzelbrumm and
No but what do you use to post? Or communicate? All the fun data I get, always encounters issues. So I’m just going to talk through my analysis with folks... feel free not to listen if you think I’m deranged.
2 replies 1 retweet 1 like
Use the same device you're using to tweet text. Just take a photo and post it.
Replying to @marcan42 @Tatzelbrumm and
Ok here you go. Funny kernel sysctls on a raspi2 running freebsd. pic.twitter.com/NFh95qtpwH
3 replies 2 retweets 1 like