Slashdot Mirror
The Startling Array of Hacking Tools In NSA's Armory
littlekorea writes "A series of servers produced by Dell, air-gapped Windows XP PCs and switches and routers produced by Cisco, Huawei and Juniper count among the huge list of computing devices compromised by the NSA, according to crypto-expert and digital freedom fighter Jacob Applebaum. Revealing a trove of new NSA documents at his 30c3 address (video), Applebaum spoke about why the NSA's program might lead to broader adoption of open source tools and gave a hot tip on how to know if your machines have been owned."
2013 is the year that proved your ‘paranoid’ friend right The person who can figure out how we can have all our tech toys and our privacy too will earn a fortune. Assuming that the technology is not made illegal.
TAO had gathered “some of the most significant intelligence our country has ever seen.”
pure hyperbole. cracking enigma. that was significant. they have provided 0 evidence that what they are
doing now has yielded anything.
Everybody take one application and let's get 'er done.
Quit yer bitching. Everyone knows only terrorists care about privacy.
Better check your compiler while you're at it, and your hardware.
-mrxak
Onions Will Kill You
What sort of straw man is that? No one has claimed that it is impossible to sabotage open source software. But the fact that the saboteur would at least have to try to hide it, which is not the case with secret source software, puts them at a huge disadvantage.
Do you leave your front door unlocked because you're not 100% sure that your lock can't be picked?
> The person who can figure out how we can have all our
> tech toys and our privacy too will earn a fortune.
Can't be done. All your toys are possible because it is cheep to copy and store information. If you can afford it, any military can. As long as information is easy to copy, information can not be private.
The debate is not whether the spy tools should exist, but how they should be used. The NSA was originally meant to be a support organization that assisted the CIA and other federal agencies in protecting national security interests globally; Hence the name National Security Agency.
What it has become lately, thanks to the Department of Homeland Security and our idiot congresscritters, are lackies for the FBI. The FBI has a terrible record going all the way back to the Prohibition of doing whatever it wants and generally running rough-shod over civil rights. It has long shown signs of institutional corruption and rot. This is the source of the rot in our judiciary at the federal level... and like Midas, everything the FBI touches turns to sh*t.
#fuckbeta #iamslashdot #dicemustdie
The fact is that the NSA needs these tools for the same reason the Army needs weapons ranging from small arms to weapons of mass destruction. It needs tools that let it collect signals intelligence on foreign targets. And yes, that includes our "allies." They do it as much to as we do it to them. It's understood that it happens. Even the British and Canadians wouldn't be shy about collecting Top Secret data on our operations that we want to keep from them if they could acquire it without jeopardizing their highly productive and close relationship with the US.
Americans should be outraged that the NSA is now deeply integrated with federal law enforcement per 9/11 "reforms" that all but created an integrated security state. That puts our rights deeply at risk. Prior to 9/11, the most the NSA could legally do was inform Customs and the Coast Guard that smugglers were en route to US territorial waters or airspace. Now, they're damn near as much of an intelligence arm for law enforcement as the military.
What we need is an iron clad, black letter of the law statute that says that no data the NSA collects on Americans is legally admissible unless the communication was collected abroad, occurred entirely outside of US territory and is specifically of a nature that is dangerous to our national security.
At the end of the day, you have to trust someone either way. Saying "It's open source, and therefore more trustworthy," is bullshit--because unless you or someone you trust has went through it line by line, it's functionally little different than trusting a closed-source binary. It's just a false sense of security most of the time.
It comes down to who you trust, not whether their software is open or closed source.
The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."
How is anything of this surprising or unexpected?
You don't trust your compiler (and compiler vendor)?
http://cm.bell-labs.com/who/ken/trust.html
Thank you. While it may be harder for spooks to poison the well in open source, it's clearly not impossible. And in any case, they can still change the hardware at the manufacturer or intercept it en route.
This just goes from bad to worse. Now we have to roll our own hardware? Fuck this.
Open source is no more secure than closed source, for a host of reasons, but at least with closed source, you know where the code came from and can judge it based on that.
You have absolutely no idea where the code came from with closed source. Could be from anyone. Not much different from open source except for the fact that with open source you can at least theoretically examine the code itself even though in most cases that will never happen.
For the time being we can start by blocking all outbound UDP data on routers. Unfortunately these hw hacks call nsa over open wifi too. So we'd have to jam wifi in buildings too ..
Network effect works. They would hate to put an encryption key in plain text or the channel they use to send the data, or the destination name/address, so putting in a souce code that anyone could eventually see is a big no. Regarding binary packages, if well some distributions could be compromised by secret laws (RedHat at least resides in US) the code release that they must do ensures that other projects can pick the source, recompile it and use them instead (i.e. Centos), and if you trust the distributions packages are signed so is harder (maybe not NSA-level harder, but harder anyway) to do some MITM work to install touched binaries.
Also, some projects like Tor are adding deterministic builds to validate that the binaries really are what the author says.
You may know where the binary came from, but you have no idea where the code came from. And for all you know, neither did the person who signed the binary.
Given all the US lobbying against Huawei gear being used in critical infrastructure, it seems odd that the NSA is claiming they have managed to penetrate these routers.
Perhaps while NSA was powning Huawei routers they discovered they were already compromised.
Seems far more likely that in doing so, the NSA penetration was in turn detected and prevented by Huawei, or they haven't been able to penetrate to the extent they have with Cisco routers, and therefore they need to keep these out of critical infrastructure.
Sig Battery depleted. Reverting to safe mode.
forget about the compiler, what about the microcode on the processor?
there are millions of applications, hundreds of operating systems, only a handful of processor architectures..
I disagree. The code is out, anybody can review patches, etc. At least if it is developed in an open manor (ie truecrypt is a fine example of an application we shouldn't rely on as while its code is available its development is not transparent). If something is published that's nefarious you have to make some sort of effort to conceal it, and if its developed transparently as well all the more so. If it is proprietary you have to make zero effort to conceal it.
Silly me, I thought the reason for NSA's existence was to make it HARDER for the bad guys to attack our infrastructure, not easier. Shows how little I know about how Washington "works" for us.
"We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
it is difficult to believe that the NSA is the only one doing this, so who else owns my electronic toys?
GODSURGE, IRONCHEF, CANDYWIRE, MONKEYCALENDAR, SOMBERKNAVE, IRATEMONKEY, TOTEGHOSTLY, DROPOUTJEEP
Just append X's as prefixes or suffixes and now we can identify teenage NSA agents or just AI acting like them.
Freedom fighter indeed.
http://gamehacking.org/vb/threads/12747-nensondubois-codes http://twitter.com/nensondubois_
So basically no online banking platform can be safe once these exploits are released into the public? I do wonder though how they do it though.
The company selling the closed source software is where the code came from. It's their responsibility, it's their business and reputation on the line, and if they're using libraries they didn't develop in-house, it's their job to know how those work too. If they do something bad (and really, it's not that hard to tell if some software is leaking data or accessing files it shouldn't), they'll be the ones held responsible.
By its very nature, open source code can be manipulated by anyone, with potentially ulterior motives. A company can accidentally hire a foreign agent or an NSA plant, but if they do, and it gets out, that company will be held responsible.
-mrxak
Onions Will Kill You
Seeing as how it's the binary you're running, what's the difference? If a company is compromised, they're screwed. People won't buy their software again, they'll know to stop using it. This should make companies careful, and if they're not, they'll get in trouble soon enough. Some anonymous party puts up a clever back door in a patch, what is a user to do then? Whose reputation is damaged?
I am by no means claiming closed source is more secure than open source, I'm saying they're equally insecure. I'm also saying, that at least with closed source, you know who to blame when something goes wrong.
-mrxak
Onions Will Kill You
Open source has the "nothing to hide" argument so it's not something you can ignore completely.
What's most interesting about this presentation (some 44 minutes into it) is the claim that NSA can monitor any iPhone they want, ostensibly via some remote mechanism or backdoor.
Nevermind "thanks Obamacare", now nobody is going to buy *any* technology from a US vendor because it's likely compromised by the NSA.
Just like you don't want to buy from a purely Chinese vendor because it's reporting back to the Chinese version of the NSA.
So, thanks to the NSA and China having a dick-measuring contest on why can spy more, the internet is essentially fucked. No privacy, no e-commerce, hell, no commerce (thanks Target), unless it's all cash.
So the only place you can trust is (ironically), Craigslist!
If telephones are outlawed, then only outlaws will have telephones.
NSA does SIGINT, or signals intelligence, and it doesn't matter what computer solution you think you found, they will own you. The only solution is to avoid all computers. Have something important to say? do so in person. An important thing to record? Write it down. Heck, even the USPS or FedEx seems to be less compromised - they record the address info (metadata) but I haven't seen anything to imply they've been opening the letters.
CIA and FBI do HUMINT, or old-school spying, but from what I've heard their skills here have withered as they've focused on SIGINT themselves.
inb4 encryption - I assume that they can crack any encrypted files, or they wrote the specs in the first place.
Applebaum spoke about why the NSA's program might lead to broader adoption of open source tools and gave a hot tip on how to know if your machines have been owned."
I must have overlooked it. Where, specifically, did these articles state that?
Perhaps the feds should have insourced the AHA website to the NSA. Seems like they have the tech and the people that know how to use it. Added benefit, US residents already have a file there. One stop shopping for all your personal information needs!
You should be pointing people to this instead:
"Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers"
http://www.dwheeler.com/trusting-trust/
They do photograph every single letter and parcel, as well as x-ray scan everything that goes through their facility.
Is that "safe"? I don't know.
Can they discern written text inside a letter in an envelope, through x-ray scanning? I don't know.
Are they photographing every letter under extreme bright lights, making the container effectively transparent?
Not sure, but it's worth exploring every single one of those questions.
Nonsense. It's much easier to hide backdoors and such in the code if it's not open. Open source reduces the chances that no one will spot the problems. It's not perfect, but it doesn't need to be perfect in order to be better, and anyone who claims it isn't a superior option is a damn fool.
Have you met the people in charge of serious open source projects? The answer is: Yes, they will.
There will at the least be the line of defense that is the core contributors to an open source project. The nice thing about open source is that even if they are compromised, anyone performing an audit (say, a major government looking for an operating system?) could detect the problem. It doesn't completely negate the possibility a backdoor will be introduced. It is, however, infinitely preferable to using closed proprietary software from the USA. All such software is now reasonably assumed to be compromised by the NSA.
Open source is no more secure than closed source, for a host of reasons, but at least with closed source, you know where the code came from and can judge it based on that.
How do you know where the code came from with closed source? Just because it says "Microsoft" on the box doesn't mean it all came from Microsoft (whoever he was). Microsoft relicenses a ton of stuff, and while they probably have source to it, doesn't mean they're going through it looking for NSA backdoors. Not to mention the stuff they might put in at a third-party's request (NSAKEY, anyone?).
Sure, if you're not a coder you're going to have a tough time analyzing open source yourself, but there's a world of other people taking a look at it who are likely to speak up if they see something weird. Moreover, there's the "genetic diversity" argument with open source: many many more detail varieties around (different distros and versions of distros, plus mixing and matching of apps between distros and independent application sites) which makes it harder (not impossible, harder) for someone (eg NSA) to target specific weaknesses (but not if there's a system weakness in an algorithm). E.g. if you've done anything to change your standard config (especially if you've made changes, even minor, and recompiled) then an exploit which attacks through e.g. a buffer overflow is more likely to just crash the app/module than successfully implant its payload.
With closed source the attacker can pretty much rely on the target running one of just a handful of easily-determined standard systems, and the payload will have no problem inserting itself.
Not crack-proof, but crack-resistant.
hope and change already happened. Hope peaked and reverted to the mean. Change happened but was largely a downward trend.
while we're investigating things, I wonder how secure a one-time pad is. obv you would need to decode the message by hand.
By its very nature, open source code can be manipulated by anyone, with potentially ulterior motives.
Yes and no. Sure, anyone can download open source code and tinker with it to their evil heart's content. Getting those malicious changes pushed back upstream so that other people will end up with them is another question altogether. Most, if not all, open software projects keep a fairly tight rein on what changes they allow into their repositories, and who from.
(Moral of the story -- get your software from as close to the original project as possible or make sure you trust the intermediaries. And at the very least, verify the hashes/checksums.)
Free Software folks have their reputation too, and often that is the only thing motivating them.
Just a Tuna in the Sea of Life
Or hash it with a strong algorithm and use along, non-entropic, unpredictable, rotated salt.
The CIA still runs everything at the highest level:
http://www.wsws.org/en/articles/2005/07/fbi-j07.html
"The combining of counterintelligence, counterterrorism and spying into one FBI office linked to the CIA and under the direction of a DNI working directly for the White House represents a major step toward the creation of an American secret police force. "
The FBI are definitely subservient. Don't ever kid yourself.
...use "a long", not "along", damn Mac keyboard! :)
inb4 encryption - I assume that they can crack any encrypted files, or they wrote the specs in the first place.
Go back to 4chan, and don't forget your tinfoil hat.
CLI paste? paste.pr0.tips!
Is this one of those fabricated scandals like Benghazi, Fast and Furious, the IRS going after conservatives, the President lying about the AHA, Holder lying in front of congress repeatedly..
Not at all like those ones, With those ones they just denied it even happened or blames things that had nothing to do with the issues. With this they admit that its happening and dont even pretend to care that they are abusing their power
have you seen my sig? there are many others like it but none that are the same
If it is proprietary you have to make zero effort to conceal it.
Well, you should at least probably ensure you turned on the right compiler options to strip the NSA_BACKDOOR_PASSWORD identifier out of the binary.
Someone had to do it.
You see, there is a big flaw in your point. _IF_ the only developers were in the US, you may have a better point. OpenSource is not just coded in the US, and the eyes looking at the code are all over. I think for a while you had a level of trust among OpenSource crowds that everyone was equally altruistic and freedom loving. I am pretty sure that when the leaks came out a few years ago about the NSA jacking encryption that trust evaporated pretty quickly.
What you may want to believe is that all of these coders are here doing "Merikah!" great favors, or at least looking the other way because.. you know, "Merikah!". Guys in Germany don't have any devotion to that cause, and won't be complicit.
So now, that level of trust that people had is gone. Not that OpenSource coders are all out trying to screw each other (as we see with 3 letter agencies and closed source companies), but there is a whole lot more scrutiny. As it should be, and like it was 10-15 years ago.
You can _never_ scrutinize closed source code. That point I agree with, and yes we should all assume that closed source systems ship compromised. As with the paragraph above, we used to assume that not very long ago. This is how we started to catch on to how shitty MS was (remember the ACK wars?).
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
I think there's a "how to make a tinfoil hat for your written correspondence" instructable out there.
And what about the applications the undercover NSA employees take? They are quite active in the open source community.
@de_machina
All that only helps if you're comparing checksums and compiling your own binaries.
If you're not paranoid enough to do that, you're trusting that the compiler/packager/distributor of the binaries didn't amend the source or have a compromised compiler toolset.
If I were to go about attempting to compromise all the (pick-a-Linux-variant) systems out there, I wouldn't submit my "improved" code to kernel.org, but I might attempt to load a compiler at (distributor of selected Linux variant) with a surreptitious payload (see above comment).
That closed-source company may _want_ to stand on their reputation. But they can be ordered to backdoor the software against their will and in secrecy. This is no longer a hypothetical argument, and it _is_ harming the reputation of businesses.
This is a great time for competitors of US tech companies.
If they do something bad (...), they'll be the ones held responsible.
Let's review every single EULA I've ever read going back 35 years or so...
The software is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose
They may be responsible, but they're probably not liable and I'm the one who is likely to get injured.
...use "a long", not "along", damn Mac keyboard! :)
Important correction, because that was the part of your post that didn't make any sense ;^)
No, nor should you need to.
For anything sufficiently widely used you will have several competing groups looking at it...
With american commercial software you likely only have the vendor and the nsa looking at it...
For something like linux you have not only the nsa, but also several foreign governments looking at it too. While you may not be able to trust a single party, the chance of error decreases when you have multiple parties who have no reason to collude together.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
If Congress required the NSA to reveal exploits of US made products within 30 days it could boost US sales.
One of the ways NSA developed hacks into MS software was by intercepting the error reports that Windoze sends when it crashes. ;-)
Talk about a lot of data
The article and another one like it I saw on the Guardian indicates that the NSA will intercept your mail (called an interception! ) and "configure" any hardware you ordered then send it on its way.
http://www.spiegel.de/international/world/a-941262.html
I don't understand why Applebaum implied that the bugs described toward the end of the video were the "scariest". They are just that: bugs. They are simply modern digital and, in some cases, wireless versions. If someone has implanted their own hardware into your device, of course they will be able to collect what they want. But someone has to plant it. If one of those bugs was in every monitor cable shipped in the US, that would be scary, but that they can make them from off-the-shelf parts should come as no surprise whatsoever. And the stuff about GHz radio emissions giving Hugo Chavez cancer was pretty stupid if you ask me.
No, the bug technology doesn't surprise me at all, nor does the list of exploits, but it's the blanket surveillance that is outrageous. It's not that they're good spies--we knew that--it's that they can and are spying on literally everyone, and actively handicapping digital security in order to do it.
What percentage of computer users in the world are capable of finding security issues by looking through the code. How many semi competent application programmers are capable of the same thing? Operating System level code has very little in common with application level code and unless you have a lot of real world experience good luck on finding any undiscovered weaknesses by looking at the source code. The majority of hacks today involve social engineering targeted towards tricking the average user into doing something stupid. Add incompetent system administrators to the mix and your system becomes wide open and susceptible to all kinds of mischief.
The same is true of taxation, but I don't see you complaining about that either. The government has natural authority which individuals do not when there exists a legitimate government. One of those is defense and intelligence gathering is now as critical to national defense as any weapon system if not more so.
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10605&actp=SUBSCRIPTION&smlogin=true
Product Affected:
Juniper Products
Problem:
Juniper response to Der Spiegel reports of NSA attacks and monitoring of Juniper products.
Solution:
Juniper Networks recently became aware of, and is currently investigating, alleged security compromises of technology products dated from 2008 and made by a number of companies, including Juniper. We take allegations of this nature very seriously and are working actively to address any possible exploit paths. As a company that consistently operates with the highest of ethical standards, we are committed to maintaining the integrity and security of our products. We are also committed to the responsible disclosure of security vulnerabilities, and if necessary, will work closely with customers to implement any mitigation steps.
The alleged security compromises included indications of "software implants" and a method for installing malicious code in BIOS. Juniper Networks is not aware of any such BIOS implants in our products and has not assisted anyone in the creation of such implants.
Juniper maintains a Secure Development Lifecycle, and it is against Juniper policy to intentionally include "backdoors" that would potentially compromise our products or put our customers at risk.
Juniper will continue to aggressively investigate this report as we do all reports of potential vulnerabilities in our products, and will continue to notify our customers according to our Security Incident Response Team policies.
In 2008 Juniper published this Advisory related to ScreenOS Firmware Image Authenticity Notification
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10392
Juniper recommends that all customers read Juniper Security Advisories and stay current with product updates.
Workaround:
N/A
Implementation:
Related Links:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories.
Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
Hardening Junos Devices
CVSS Score:
N/A
Risk Level:
Medium
Acknowledgements:
There are thousands upon thousands of people looking at open source code. One of them somewhere along the line is going to notice. That should be pretty obvious. I would like to think this would be a tipping point to more Open Source based usage but we all know that most people don't have a clue what all the surveillance talk even means. All they hear is "They are listening to my phone calls" and that's where it ends.
The article and another one like it I saw on the Guardian indicates that the NSA will intercept your mail (called an interception! ) and "configure" any hardware you ordered then send it on its way.
No, it does NOT indicate that at all. What they are talking about is a specific Ops team inside the NSA who go after very specific, hard to reach, high-priority targets. These guys are the full-blown "cloak-and-dagger" type spies, who will break into the target's office at night and replace his monitor cable with a modified one that contains a wireless transmitter. Or replace the ethernet jack at the target's workstation with a modified jack that sniffs the network. Hollywood type stuff. And yes, if the target happened to be expecting an equipment shipment it might get intercepted and tampered with.
But they are not doing this to YOU. This is not a blanket coverage program, they aren't intercepting everybody's newly ordered PC and resoldering parts on the motherboard.
In the DDC technique, source code is compiled twice: once with a second (trusted) compiler (using the source code of the compiler’s parent), and then the compiler source code is compiled using the result of the first compilation. If the result is bit-for-bit identical with the untrusted executable, then the source code accurately represents the executable.
DDC won't save you from bugs/backdoors at a lower level (in the CPU microcode or physical gates). It also assumes you have such a trusted compiler. This has always been the tough part. If I'm worried about my local compiler being attacked, it's easy enough to check on someone else's machine. If I'm worried about a compiler being widely compromised in source form, or hardware being widely compromised, this doesn't help me a bit. Now, you're back to manual auditing.
A series of servers produced by Dell, air-gapped Windows XP PCs and switches and routers produced by Cisco, Huawei and Juniper count among the huge list of computing devices compromised by the NSA
Somebody please help me here !
I can't believe that now Huawei works for the NSA.
I just can't fucking believe it !!
http://www.scmp.com/news/china/article/1286054/it-goes-without-saying-huawei-spies-china-says-ex-cia-chief?page=all
On the above link, ex CIA chief Michael Hayden claimed that Huawei spies for China !
http://www.bloomberg.com/news/2012-10-08/huawei-labeled-cyberspying-threat-faces-u-s-phone-gear-lockout.html
On this link Huawei was lockout from the US market because, "ahem !", Huawei is a SPY DEVICE of the People Liberation Army of China !!
I am totally confused now !
Who the fuck Huawei is working for ?
The Chinese PLA or the American NSA ??
Muchas Gracias, Señor Edward Snowden !
.. Maybe I missed some context here, but as a former FedEx employee with frequent contact with current FedEx employees, I've not heard of every fedex package being subject to x-rays or picture collection, although I wouldn't be surprised at the latter since I believe they've installed state-of-the-art OCR for QR reading on the airbills. The closest thing to x-rays I know of are the laser scanners used for calculating dimensions/weight (dimweight) for appropriate billing (people marking "1 pound" on their Laserjet shipping...). The amount of time it would require to actually x-ray and analyze 5-10 million packages a day would be non-trivial, especially in light of the service commitments. I could be wrong, however, and I'll have to bring it up next time I talk to the guys.
If you were me, you'd be good lookin'. - six string samurai
You should be pointing people to this instead:
"Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers"
http://www.dwheeler.com/trusting-trust/
How do we know that page isn't just a cleverly disguised NSA site?
No, there aren't. Even the "good cops" who don't report the "bad cops" are then, by definition, "bad cops". Thin Blue Line, and all that.
"The government has natural authority which individuals do not when there exists a legitimate government."
No. There is NO SUCH THING as a 'natural authority'.
Our government (in the US, anyway) is granted powers BY the people, FOR the people, as outlined by our Constitution.
That's what those envelopes with the randomised blue/black pattern printed in the inside are for. Any imaging technique that can read contents shouldn't be able to read past that layer of toner.
... I do everything on my clear-case newton. Too small a base to bother with, looks like I boosted it from the prison newton inventory, and I can see inside so I can tell if they put anything inside - least that's what the guy who sold it to me said...
From TFA:
intercept the hardware in transit, and take it to a secret workshop where it could be discretely fitted with espionage software before being sent on its way.
I blame it all on bad elves.
Have gnu, will travel.
They only X-ray and irradiate Federal mail. Civilian mail is not important enough to this as it would cost the USPS way too much to do that for every parcel.
This stuff goes far, quite far, and to quote Jacob Applebaum: "I can't remember voting on any of this stuff, or even having seen a public debate on it".
How about you?
I imagine there's not a need to image the Fedex packages because it all goes into your DB anyway, which they undoubtedly have access to (if you know it or not). I agree that x-ray is implausible.
"Applebaum spoke about why the NSA's program might lead to broader adoption of open source tools and gave a hot tip on how to know if your machines have been owned."
.. the BIOS, the PCI BIOS, the Video Card, the NIC, the PXE ROM or buried in the CPU microcode ...
Where could the code be hiding
http://cdn4.spiegel.de/images/image-583917-panoV9free-akfw.jpg
"If any question why we died, Tell them because our fathers lied."
Only a matter of resources not because they would have any moral qualms about it!
You mean like the trojan that was in OpenSSH for years?
The code can be compromised
1) In the source (undetectable in closed source) (detected by some reviewers for open source)
2) in the binary
3) in the compiler
4) device drivers
The host can be compromised
1) in the hardware
2) in the firmware/bios
3) external device means
The peripherals can be compromised
1) in the hardware
2) in the firmware
3) in the software
running software can be compromised
1) viruses
2) malware
3) root kits
network can be compromised
1) by physical devices routers/switches/hubs/wires
2) in the wireless
3) in the internet
4) traffic analysis and statistics
remote servers can be compromised
1) by all the same
2) middleman
3) third party trust
Transport of devices
1) snail mail
2) shipper (middle man attack)
People are compromised by use of
1) phone
2) car
3) cameras
4) social media
5) purchases
6) credit cards
7) music
8) social routines
9) social habits
10) social engineering
11) schedules
12) work/office
13) other
Without these (and any I have missed) being secured there is no way to insure the security of the system.
With an all seeing eye like a large government entity there is no way to prevent it with the exception of passing a constitutional amendment that makes it clear that it IS not legal without specific warrant. All other means falls short of the goal.
To spy on foreign nations in my opinion is what nations do. ALL OF THEM that are capable. Spying on ones own citizens is what governments that are not democracies do. If a democratic government starts spying on its own citizens then it ceases to be a democracy.
> It also assumes you have such a trusted compiler. This has always been the tough part.
When Thompson wrote the original paper, it was tough. In the meantime, many more compiler options have arisen, and the complexity (measured in size of injected, specialized code) of Thompson's "attack" is O(n^2) where n is the total number of compilers to be compromised. When you combine this fact with the now-documented aversion of the NSA to having its methods uncovered, one quickly comes to the conclusion that it's not very likely that DCC is unproductive because all (or even most) combinations of compilers have been trojaned.
They hacked those, too.
Oh! Now I understand why they made me change all my Huawei hardware for Cisco. I thought it was only part of the economy war, but now I understand it was for safety.
Yeah! Safety.
By its very nature, open source code can be manipulated by anyone, with potentially ulterior motives. A company can accidentally hire a foreign agent or an NSA plant, but if they do, and it gets out, that company will be held responsible.
Unless the company is Microsoft or Apple or Intel. Or really any US based company without the legal means to battle the government in court (all of them).
A truly random one-time pad longer than your cipher text is not crackable other than brute-force. Use a code along with the OTP and it's uncrackable (because the crackers won't recognize the plaintext when they do decipher it.) Of course you need to distribute copies of your codebook and OTP, which is why they developed ciphers in the first place...the only trick is to develop a code that parses to plain boring text. "Aunt Martha sends her love; she made a wonderful cherry pie for the church potluck last week, everyone was raving about it!"
They do openly state on their website that they randomly x-ray scan packages however:
http://www.fedex.com/gh/shippingguide/terms/#11
Wall-Mart hacker! We have a Blue-Light Special in aisle H [Hell]. Get the PINs while they are hot.
At Ft. Meade, Maryland, it is observed the many Domino's Pizza trucks entering the facility! :-p
The sooner I get my PhD in computer engineering, the sooner I can do something about there being fewer stories like this.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Open source is no more secure than closed source, for a host of reasons, but at least with closed source, you know where the code came from and can judge it based on that.
You have absolutely no idea where the code came from with closed source. Could be from anyone. Not much different from open source except for the fact that with open source you can at least theoretically examine the code itself even though in most cases that will never happen.
From the beginning of the Washington Posts actual link from the /. story..
A German magazine lifted the lid on the operations of the National Security Agency’s hacking unit Sunday, reporting that American spies intercept computer deliveries, exploit hardware vulnerabilities, and even hijack Microsoft’s internal reporting system to spy on their targets.
Citing internal NSA documents, the magazine said Sunday that TAO’s mission was “Getting the ungettable,” and quoted an unnamed intelligence official as saying that TAO had gathered “some of the most significant intelligence our country has ever seen.”
Der Spiegel said TAO had a catalog of high-tech gadgets for particularly hard-to-crack cases, including computer monitor cables specially modified to record what is being typed across the screen, USB sticks secretly fitted with radio transmitters to broadcast stolen data over the airwaves, and fake base stations intended to intercept mobile phone signals on the go.
and to the point, which is the problem with closed source software, the NSA is hacking into the software/hardware, why? Because these companies put these holes in there hardware/software for this very purpose!
I can't understand why people believe any of these stories? For one it is no secret these companies are doing this of there own freewill, 2. Now that they got caught, there denying any involvement, people aren't buying into there "oh my, were as shocked as you" PR, I find it extremely suspicious that this German Newspaper happened (yes 'happened' despite what they claim) across this document, which is trying to say the NSA and these million/billion dollar companies had nothing to do with any secretive (which again has been public knowledge for a long time) agreements to allow the NSA to do what they want with little to no effort.
Having said that, it is also very real the NSA has access to super computers, and accomplished underground hackers, programmers, ect doing the work, but the costs would be very noticeable. (even with blackmailing hackers/programmers, with prison time, for those they decide to recruit, and or target)
Unlike the unknown wilderness hacker, who has to either find a hole, or happens across one. The NSA knows exactly what to go after, with open source wilderness programers can fix it, and it because it is open there are no questions or doubts as to if you can trust it to be fixed or patched, and fixed/patched permanently, then reviewed by the community (or scrutinized) .
Goes without saying, considering MS's, and Apples, ect... Lack of openness, there patches/updates always come into question because they either didn't patch the hole, or it is designed to allowed another one to open up.
All hail the New World Order and our masters at NSA. I was not a true believer in the NSA NWO but then I watched the 30c3 vid mentioned in the summary. Holy crap. No wonder Charlie Stross gave up on his next novel. I am now beyond horrified and simply in awe of our new Overlords.
Bitter and proud of it.
One problem here is that the "multiple parties" are looking for holes to take advantage of, not to fix.
Another problem is that for example Linux is generating more holes per week than it is fixing, and the attitude sucks (https://lwn.net/Articles/538600/, https://lwn.net/Articles/313621/, etc).
If OSS were serious about security they would immediately use grsecurity and managed runtimes (JVM and like). I don't expect either happening anytime soon.
A truly random OTP does not require any further coding. There is not even any point in trying brute-force. Any text of the same length of the cyphertext is a potential plaintext without any way of telling if this is the correct one.
Actually they tap the mail; its one of the oldest programs around - they can divert all mail going to a house, open it, photograph it, and then deliver it. The postal service doesn't like to talk about it, but its about 100 years old. Just an FYI. US Government Employee = scum.
The NSA uses ultra-bright light burst photograph technology to 'see' the contents of most letters that pass through the mail system. NSA computer systems 'rebuild' the text visible from multiple layers of paper within the envelope. The technology is cheap, simple, and mostly effective.
Remember, full surveillance programs are NOT designed to be 100% effective. Targeted surveillance programs are used when that level of accuracy is needed. Full surveillance programs, like the home spy system designed by Microsoft and the NSA in the Xbox One console, are simply attempts to grab all possible information from all possible sources, and to constantly invent new ways to trap previously unavailable information.
You overestimate their abilities. They couldn't even detect when Snowden was operating inside their network, and have been unable to determine what he took out prevent it being published. They know who had copies of the material, who is working on it, and for all their targeted hacking and exploits they can't do shit about it.
They have some scary tech, sure, but if you are careful there are limits to what they can do. For example this story states that they intercept computers being delivered and bug them. Well, anyone who thinks they might be a target can just go to a random computer store and buy an anonymous laptop with cash. Unless they install covert radios in every computer sold an airgap is still highly effective.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
That's fine, my handwriting is strong enough a cipher as it is.
Maybe we deserve this world ?
So, you're suggesting that open source will be more secure? Oh! That's right! If it's open source, the NSA wouldn't be able to find exploits in it... Because after all, it's open source, it can't be hacked!
As the chronic gambler should know that the casino wins on the long run.
The thief knows what would happen if he's caught.
He's point, I think, is not about less or more secure. either is as likly to incroporate bugs a the other. It is about the chances of finding a vulnerability and the time it takes to fix it.
With open source, If you happen (or know someone) find a vulnerability chancesa re you can fix it right a way, report/submit a patch. As for a closed source, all you can do is report and wait (slashdot is full of articles about that).
if there's a choice between blaming someone for a problem and avoiding the problem, avoiding (when possible) is always the winner strategy.
No. I think you've misunderstood one-time padding (or brute-forcing).
Brute forcing is when you try (almost) every possible key, which is significantly shorter than the message, to see what the message will turn out with said key hoping to find the right one. If the message turns out to make sense (contain english words or ascii alphabet for example) it is likely to be correct.
With OTP the key and the message are of equal length. Going through every key is the same as going through every possible message. So you will not only hit alphabet, but you'll get shakespeare and snowden leaks alike.
That makes all forms of bruteforcing futile. No extra codes necessary.
One bit example:
my message is M (0 or 1) and my pad is P (0 or 1).
M xor P = C cipher text, and equally C xor P is M.
Now, given C, say 1. You can trivially bruteforce it into 0 as if P had been 1 or into 1 as if P had been 0, but that solves nothing. Because both possibilites are equally likely. Repeat that on every bit and all you will ever know about the message is its length.
The length leakage is also easy to counter to some extent by appropriate amount of random padding (adding some extra gunk to the end).
1 Earth is warming, 2 It's us, 3 it's royally bad, 4 we need to take action NOW
Actually they use x-ray technology to scan layer by layer to separate the ink from the paper so they can scan even magazines page by page without opening.
How do you know that the internet is even real and not a cleverly designed honeypot?
I don't see any such thing. Basically that article is a watered down version of the Der Spiegel original.
I guess /. submitters and editors don't follow any truth in advertising norm... I'm shocked.
Where is the "hot tip on how to know if your own machines have been owned"?
examine the code itself even though in most cases that will never happen
Spoken from the perspective of a basement teenager. FYI, for-profit companies are the ones who are likely to have the time, resources, and inclination to examine or modify open-source code -- not teenagers like yourself. The "many eyes" thing refers primarily to large organizations with clear goals, not random individuals at home on a saturday night.
Additional FYI: since linux is now big business, you can bet your house that many large organizations are doing exactly that (examining and modifying).
What percentage of computer users in the world are capable of finding security issues by looking through the code
If you're talking about random teenagers in their basements, then the answer is not many. If you're talking about Google, Red Hat, IBM, Facebook, etc, who employ top-tier programmers, then the answer is many. The point is that the possibility is open, which is the opposite of closed source software, where you are forced to put all of your eggs (trust) into one basket.
One thing you can use to increase the strength of OTP is extra data. They may not be able to crack the code, but they may be able to get an idea of the type of data it is by its length and the size of the key source (alpha only, alpha-num, etc).
You mean like the trojan that was in OpenSSH for 2 days?
FTFY.
Op never said they were doing it to everyone. Op said they do it,period and that is correct, they do. So your post is a strawman, attacking something no one said.
In my experience, security envelopes aren't lined with toner, but with printer's ink (like from an offset press, not an inkjet).
My understanding is that those envelopes are helpful to prevent optical-light shining (like candling an egg), but I don't think they'll protect against x-ray. Anyone got an x-ray machine we can test with?
your example isn't very helpful, but I see what you mean and I hadn't realized it before. You can't brute force to look for dictionary words, because you'll find infinite words.
ABCDE
ZEBRA
PARIS
HAPPY
The NSA and any national intelligence forces have ZERO access to messages that are encrypted 256 at source and only decrypted using long (eg 25 character non-dictionary) passwords that have been exchanged manually. Even a SuperComputer would take hundreds of thousands of years or more to crack these, and never forget paper messages exchanged manually bypass ANY security altogether! So either stone-age bits of paper or very high tech encryption will suffice. If there is an additional random insert of characters based on a further password, decryption is totally totally impossible! The only weak point is getting hold of the passwords and encryption methods. If these are secure, no-one else can get at the data. The sensible thing to do of course is to have a different passwords for each data destination, So even if one is compromised, all the others are secure!
You still have to trust the compiler, the hardware and firmware.
Ofcourse can there be security bugs in Open Source. Which can be exploited by the NSA and others. But such bugs are far less common then in Closed Source. Open Source in itself doesn't promise security, but it _is_ a _requirement_ for security! No Open Source (including in hardware)? No security. Any program (OS) running on a TC chip? No security. (en.wikipedia.org/wiki/Trusted_Computing) Also: if it is Open Source, it is not possible to hide backdoors and security flawed programming. Since everybody can see the code, the criminal putting the malware in the code, always will be found. And thus, there are no deliberate security errors in Open Source. Also, because everybody can see the code, it forces the programmers to code neatly (otherwise, they will get a lot of bad comments). Closed Source programmers can mess around as much as they want - as long as the program works. Nobody can see their mess. PS: the button 'create an account' doesn't work... Hence, there will be 'Anonymous Coward' above my post.