Slashdot Mirror

← Back to Stories (view on slashdot.org)

Have a Privacy-Invasion Wishlist? Peruse NSA's Top Secret Catalog

Posted by timothy on from the after-christmas-specials dept.

An anonymous reader writes with a link to Der Spiegel, which describes a Top-Secret spy-agency catalog which reveals that the NSA "has been secretly back dooring equipment from US companies including Dell, Cisco, Juniper, IBM, Western Digital, Seagate, Maxtor and more, risking enormous damage to US tech sector." Der Spiegel also has a wider ranging article about the agency's Tailored Access Operations unit.

24 of 259 comments (clear)

  1. And Ultimately by mrspoonsi · · Score: 5, Insightful

    The NSA will achieve the opposite for the USA, not more security but less, with the rest of the world now keen to do their own thing, the NSA are a loose cannon on a rolling ship.

    1. Re:And Ultimately by Anonymous Coward · · Score: 5, Insightful

      The NSA has already achieve the opposite for the USA

      There FTFY... Talking to non IT people, the thing that most people don't seem to have understood is that Snowdon and hundreds of administrators from private contractors like him had uncontrolled access to all of the data. Those people will for 100% sure include some spies from hostile powers like Russia, China and North Korea. Some of those people will have already extracted data. People working for the NSA and DOD wrote the orange book about this. They have no excuse to pretend they didn't know that gathering all this data together would be dangerous.

      The real thing that the NSA and GCHQ are trying to hide, is not the spying. It is that they were caught seriously endangering their countries for profit.

    2. Re:And Ultimately by GodGell · · Score: 1, Insightful

      Nice metaphor

      Please don't tell me it's new to you...

      Please, don't be an asshole, at least not for good reason.
      Why you would think one particular ancient metaphor in one particular language must be known by all the 7 billion people in all corners of this planet is beyond me.

      (You do know you're on the Internet, don't you?)

      --
      [SHOW SOME LENIENCY TOWARDS ... I mean, FUCK BETA] Eat. Survive. Reproduce. GOTO 10
    3. Re:And Ultimately by paiute · · Score: 5, Insightful

      Have we already acquiesced to the NSA's desired reality?
      Were these criminal activities which could not have been prevented by old-fashioned police work done within the law or were Orwellian-scale intrusions absolutely necessary?

      --
      If Slashdot were chemistry it would look like this:Cadaverine
    4. Re:And Ultimately by VortexCortex · · Score: 5, Insightful

      A scientist would say: Prove their evidence is real.

      They lied to congress, and have a a long history of evil. It would be foolish to trust anything they say. See, that's the thing with secrets and lies: You can never trust anything they say to be true. "Oh we're strengthening security." Prove it -- Could be weakening security instead, we don't know because: Secrets. Oh, so they say these guys are terrorists? Prove it. You'll have to use independent evidence -- not like digital records can't be fabricated, what with all the routers and systems backdoored or exploited. They could have written the damn email from the guy's system themselves at a whim. These spooks are real creeps, tasked with socio-political control, not safety. What they do is target "radicals". They thought the Civil Rights Movement was "radical". The Privacy Rights Movement is considered "radical" too, especially since it requires an end government secrets. Everyone knows the atrocities the CIA gets up to, you think any of theses guys have qualms about silencing "radicals" any way they can?

      Anyone think these programs are beneficial? That's an unproven claim. Disprove the null hypothesis: No secret spy organization can be proven to be beneficial. They can't be proven to be telling the truth. A secret oversight committee just moves the problem around.

      You're 4 times more likely to die from lightning strike. The flu kills six times more people than a 9/11 scale attack every ear. Cars and cheeseburgers have killed Four Thousand times more lives than a 9/11 scale attack since 9/11. The cost to benefit ratio of the spying programs is ridiculous. Life is dangerous: There are risks that are acceptable. If we're brave enough to drive the kids to get a Happy Meal, then what possible fear can we have of a minuscule in comparison terrorist threat? Even if all 50 of those supposed bombers would have gone off, they'd still wouldn't justify the cost to privacy, freedom, and trust in our governments -- Falling down in the shower is more dangerous than terrorists. Where's the free government bath-mats if terrorists are such a big concern? Mutually assured destruction means big countries are no threat. The cold war didn't end, the military industrial complex just turned on its own people in secret. Everything Eisenhower warned us about came true.

      The very word 'secrecy' is repugnant in a free and open society; and we are as a people inherently and historically opposed to secret societies, to secret oaths, and to secret proceedings.
      - John F. Kennedy

      What a "radical" thought.

  2. Don't buy from US companies by Anonymous Coward · · Score: 2, Insightful

    Don't use US service providers. It should be obvious by now, but the reason why the US warn about all kinds of subversion and attacks is that they know what they themselves are doing to the rest of the world.

    1. Re:Don't buy from US companies by noh8rz10 · · Score: 4, Insightful

      naive. if US is doing this, then Chinese and Russians are doing it too.

    2. Re:Don't buy from US companies by Carewolf · · Score: 5, Insightful

      i wonder if many companies were listed from around the world, but spiegel focused on US companies because the anti-american angle works well for them.

      It is not the Spiegel that wrote the slashdot summary, it is the Spiegel that wrote the article that includes the non-American companies, and the American Slashdot that only included American companies. So how about rethinking your comment?

  3. A good example to the lawmakers needs to be given by Anonymous Coward · · Score: 2, Insightful

    At earlier convenience we need to tell to IT non-savy senators and congressmen. The backdoor is like an all purpose key. Now all the criminals and agencies will exploit this.

    Such a simple explanation and analogy should be adequate to deliver the point.

  4. Re:Dell by Anonymous Coward · · Score: 5, Insightful

    I'm surprised you couldn't come up with at least some possibilities on your own, K. S. Kyosuke. I always thought that you were a smart cookie.

    One obvious one is that the disk's firmware is updated to detect and modify critical Windows executables, DLLs or drivers with some additional code to send out information to remote servers once a network connection is detected, or perhaps to introduce flaws that can be exploited easily. The same could be done for Linux kernel binaries or modules, too, of course.

    Another pretty obvious one is that the disk's firmware alters log files to remove any traces of intrusions, making it appear as though no intrusion has occurred.

    I'm sure there are many, many other ways that I haven't thought of.

  5. BIOS by Anonymous Coward · · Score: 3, Insightful

    Looks like this is a loud and clear call for more intensive open source BIOS development.

    1. Re:BIOS by couchslug · · Score: 3, Insightful

      That and for UVPROM BIOS or other flashing method which cannot be done by the PCs own software.

      Remote management = remote exploitation.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  6. Re:Misleading Summary by the+eric+conspiracy · · Score: 5, Insightful

    Do you think the NSA is somehow unique in possessing tapping and forensic tools for IT equipment?

    Every police agency in the world will have some of this stuff. Heck, when I accidentally repartitioned a hard drive a couple of years ago I used some software to recover files by carving them. One of the items listed in the article was a splitter cable for crying out loud.

    Backdoors are seriously different from exploits. One implies collusion between a national security agency and a manufacturer. An exploit is the work of somebody independent of the manufacturer.

    The NSA is seriously a problem. However this summary states US equipment manufacturers are in collusion with them. Without presenting any evidence, and filters out information that contradicts that statement from the reference it cites.

    This is not journalism. It's a troll.

  7. Re:The summary is not wrong. by Desler · · Score: 5, Insightful

    Didn't say the summary was wrong. What it said was perfectly correct, but leaving out the fact that the article didn't just talk about US companies made it misleading.

  8. Re:What are you going to do about it? by Anonymous Coward · · Score: 4, Insightful

    Well, if you put it that way... it certainly sounds easier to just let the government keep fucking me up the ass.
    By now I'm used to it. And your way sounds like work. Yuck.

  9. Re:coin, sides, same by PPH · · Score: 3, Insightful

    How much is it worth to those tech companies to know exactly what their customers are doing?

    And to the Chinese? Or Russians?

    Snowden may have a guest pass in any one of these countries just to keep information surrounding these capabilities quiet. Russia did say he could stay so long as he quit spilling secrets.

    It might be a mistake to think in terms of a 'them vs us' race. If the NSA says, "Backdoor the chips" to US companies and then shares that information with our 'enemies' in return for their backdoor exploits, that is worth more to all then trying to keep the capabilities to ourselves. They know we do it, we know they do it. But its still useful technology for keeping our respective populations under control. And that's what each of these governments fears more than an attack from the outside. The FBI/CIA/NSA might miss the occasional 9/11 or Boston bombing. But get on Twitter and try to amass public support for a "throw the bums out" movement and see how long that lasts.

    --
    Have gnu, will travel.
  10. Re:Dell by gweihir · · Score: 4, Insightful

    It can do any number of things, but they have to be pre-arranged, as the disk cannot access main memory. It can, for example, inject code into the boot-loader or compromise known executables. The firmware compromise is not really necessary, but it can help disguising things. For example, with a firmware compromise you can do things like boot-code compromise only if the power went up less than a minute ago or if there was a reset shortly before. Then anybody reading the bootloader to verify it will not see the compromise. A BIOS-attack would be doing something similar, but without the possibility to hide so easily. (If these things become widespread, I will start to verify my BIOS regularly with an SPI adapter. No way to hide from that.

    Full disk encryption with boot from a non-writable medium (kernel and initrd on CD in a non-burner drive, for example) will neutralize a compromised disk firmware pretty effectively or alternatively protect the boot-loader against manipulation. Of course "they" could then try to compromise the CD drive...

    Still, the NSA is not magic. They do not even have the best hackers, just those with the biggest egos ans smallest morals. These tend to be rather mediocre. No, the problem is that PC security sucks badly and that you can break into almost any standard installation if you throw enough money at the problem. My guess would be that even a restrictive firewall configuration on a Linux firewall keeps them out reliably. Of course, if you use Windows, they can just get past that with the update mechanism and with active help from Microsoft...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  11. Re:Fedora Linux Question by gweihir · · Score: 3, Insightful

    SELinux is not under suspicion. Putting backdoors in it would be glaringly obvious to anybody halfway competent doing an analysis, as it is just an access control layer and hence rather simple. Being hard to find is a critical characteristic of any professionally placed backdoor, and hence a backdoor in SELinux is very unlikely. You are barking up the wrong tree.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. Re:Dell by Bert64 · · Score: 4, Insightful

    You sure this isn't an Apple feature called "power nap", the system wakes up and downloads updates, checks for new email etc, then goes back to sleep.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  13. Re:Dell by deconfliction · · Score: 3, Insightful

    fortunately I just turn off the wifi when I put the machine to sleep. it still does it, but at least I know it isn't sending anything to anyone.

    And you are 'turning off' the wifi exactly how? Disconnecting the antenna, or trusting the software switch? (as opposed to a hardware switch interrupting the power or antenna, wouldn't that be a nice feature...)

  14. Bullshit by pablo_max · · Score: 4, Insightful

    "loose cannon"? Bullshit.
    Don't you think for one damn minute that the NSA is "off the ranch" with their programs. They were implemented at the behest of our beloved and benevolent leaders.
    The "justice" branch (haha) just declared everything is just fine after all. The executive branch and legislative branch has already said time and time again that the NSA is doing useful and important work.

    What really chaps my ass, is not that the government tells people these programs are for the so-called "war on terror" or that certainly, the government would never use it against non-terrorist, but the that nearly every poll indicates that most 'mericans fucking believe them!
    I know they have done their best over the last 40 years to indoctrinate kids starting in kindergartener, but it is sad that so many folks just close their eyes and refuse to ask hard questions.
    Think about it...forcing children to pledge allegiance to a government... It is fucking crazy. We are brainwashed never to question our masters, and it is working. Fuck, look at the shit your facebook friends post! That is a representation of America.
    Disclosure, I feel I have the right to bitch. I did my 4 years in the services and about half that was in the shitty hotspots of the world keeping and eye on brown people.

  15. Re:This will be a boon to other countries by davecb · · Score: 3, Insightful

    Because US companies are in greater danger of subversion by the NSA than foreign ones.

    --
    davecb@spamcop.net
  16. Re:coin, sides, same by 93+Escort+Wagon · · Score: 3, Insightful

    Don't think for a second that these back-doors that companies put in at the behest of the NSA aren't also being used to the benefit of those companies.

    Read the article please. The companies didn't do anything (really, you seriously think Huawei or Samsung is providing back doors to the NSA?). The NSA is compromising them the same way other bad guys get in - by finding and exploiting flaws in the OS.

    The few mentions of hardware in the article are things like special monitor cables which would have to be added to a targeted computer by an agent.

    --
    #DeleteChrome
  17. Re:coin, sides, same by WaffleMonster · · Score: 3, Insightful

    Don't think for a second that these back-doors that companies put in at the behest of the NSA aren't also being used to the benefit of those companies.

    There is no evidence from the article we are talking about intentional backdoors created at the request of NSA. Rather the kind of backdoors created by unintentional programming errors where once exploited allows foothold to be maintained by patching firmware of various hardware subsystems.

    So, if the NSA were shuttered tomorrow, what makes you think those back-doors are going to go away? How much is it worth to those tech companies to know exactly what their customers are doing? How much is it worth to their institutional shareholders?

    How much is legal trouble, bad publicity and resulting loss of customers worth to shareholders?

    A (un)intentional backdoor actively exploited to gain market intelligence is a backdoor with high probability of discovery. Likewise any use of covert capability erodes that capability.