[CPLX]

> dump the firmware and compare it to firmware dumps from other hard drives of the same model

And then ponder the unstated assumption that said other hard drives may or may not have been exploited already. Dealing with a state level actor is hard, in the "trusting trust" sense.

[XorNot]

Well update your threat model appropriately. What are the realities if they've somehow hit every single hard disk in the US? What is the likelihood this level of subterfuge can be maintained? How many people are involved?

Just because you can imagine it doesn't suddenly make it practical, and it certainly doesn't mean they're going to burn that capability outing some guys porn habits either.

[CPLX]

> What are the realities if they've somehow hit every single hard disk in the US?

Who knows. The problem is you're not so concerned with "every single" hard drive in the US, but you may well be concerned with the other one you wish to use as a benchmark.

When you're dealing with things like hardware being compromised on the way from the plant to the store, or (as mentioned) a burned CD being compromised in the mail, and other things that really only governments can do, it changes the whole nature of the threat model.

[atlbeer]

You don't have to actively infect every HDD in the US through the front door.

- Target the build machine used by the dev team to make the firmware

- Target the manufacturing plant and alter it before loading

- etc