The Startling Array of Hacking Tools In NSA's Armory

littlekorea writes "A series of servers produced by Dell, air-gapped Windows XP PCs and switches and routers produced by Cisco, Huawei and Juniper count among the huge list of computing devices compromised by the NSA, according to crypto-expert and digital freedom fighter Jacob Applebaum. Revealing a trove of new NSA documents at his 30c3 address (video), Applebaum spoke about why the NSA's program might lead to broader adoption of open source tools and gave a hot tip on how to know if your machines have been owned."

Open source?

[TWiTfan]

Are you going to go through every line of code to make sure it's okay, and then compile it yourself?

Re:Open source?

Everybody take one application and let's get 'er done.

Re:Open source?

[mrxak]

Better check your compiler while you're at it, and your hardware.

Re:Open source?

What sort of straw man is that? No one has claimed that it is impossible to sabotage open source software. But the fact that the saboteur would at least have to try to hide it, which is not the case with secret source software, puts them at a huge disadvantage.

Do you leave your front door unlocked because you're not 100% sure that your lock can't be picked?

Re:Open source?

[TWiTfan]

At the end of the day, you have to trust someone either way. Saying "It's open source, and therefore more trustworthy," is bullshit--because unless you or someone you trust has went through it line by line, it's functionally little different than trusting a closed-source binary. It's just a false sense of security most of the time.

It comes down to who you trust, not whether their software is open or closed source.

Re:Open source?

[mrxak]

At least with closed source you can just assume you're compromised, or trust the (known) people who put it out. Open source backdoors, if anybody even notices them (and let's be fair here, the NSA hires way smarter people than your average coder), will appear as accidental bugs, placed there anonymously. Open source is no more secure than closed source, for a host of reasons, but at least with closed source, you know where the code came from and can judge it based on that.

Re:Open source?

[jlv]

You don't trust your compiler (and compiler vendor)?
http://cm.bell-labs.com/who/ken/trust.html

Re:Open source?

Thank you. While it may be harder for spooks to poison the well in open source, it's clearly not impossible. And in any case, they can still change the hardware at the manufacturer or intercept it en route.

This just goes from bad to worse. Now we have to roll our own hardware? Fuck this.

Re:Open source?

[sjbe]

Open source is no more secure than closed source, for a host of reasons, but at least with closed source, you know where the code came from and can judge it based on that.

You have absolutely no idea where the code came from with closed source. Could be from anyone. Not much different from open source except for the fact that with open source you can at least theoretically examine the code itself even though in most cases that will never happen.

Re:Open source?

[gmuslera]

Network effect works. They would hate to put an encryption key in plain text or the channel they use to send the data, or the destination name/address, so putting in a souce code that anyone could eventually see is a big no. Regarding binary packages, if well some distributions could be compromised by secret laws (RedHat at least resides in US) the code release that they must do ensures that other projects can pick the source, recompile it and use them instead (i.e. Centos), and if you trust the distributions packages are signed so is harder (maybe not NSA-level harder, but harder anyway) to do some MITM work to install touched binaries.

Also, some projects like Tor are adding deterministic builds to validate that the binaries really are what the author says.

Re:Open source?

You may know where the binary came from, but you have no idea where the code came from. And for all you know, neither did the person who signed the binary.

Re:Open source?

forget about the compiler, what about the microcode on the processor?

there are millions of applications, hundreds of operating systems, only a handful of processor architectures..

Re:Open source?

I disagree. The code is out, anybody can review patches, etc. At least if it is developed in an open manor (ie truecrypt is a fine example of an application we shouldn't rely on as while its code is available its development is not transparent). If something is published that's nefarious you have to make some sort of effort to conceal it, and if its developed transparently as well all the more so. If it is proprietary you have to make zero effort to conceal it.

Re:Open source?

[mrxak]

The company selling the closed source software is where the code came from. It's their responsibility, it's their business and reputation on the line, and if they're using libraries they didn't develop in-house, it's their job to know how those work too. If they do something bad (and really, it's not that hard to tell if some software is leaking data or accessing files it shouldn't), they'll be the ones held responsible.

By its very nature, open source code can be manipulated by anyone, with potentially ulterior motives. A company can accidentally hire a foreign agent or an NSA plant, but if they do, and it gets out, that company will be held responsible.

Re:Open source?

[mrxak]

Seeing as how it's the binary you're running, what's the difference? If a company is compromised, they're screwed. People won't buy their software again, they'll know to stop using it. This should make companies careful, and if they're not, they'll get in trouble soon enough. Some anonymous party puts up a clever back door in a patch, what is a user to do then? Whose reputation is damaged?

I am by no means claiming closed source is more secure than open source, I'm saying they're equally insecure. I'm also saying, that at least with closed source, you know who to blame when something goes wrong.

Re:Open source?

Open source has the "nothing to hide" argument so it's not something you can ignore completely.

Re:Open source?

[noh8rz10]

NSA does SIGINT, or signals intelligence, and it doesn't matter what computer solution you think you found, they will own you. The only solution is to avoid all computers. Have something important to say? do so in person. An important thing to record? Write it down. Heck, even the USPS or FedEx seems to be less compromised - they record the address info (metadata) but I haven't seen anything to imply they've been opening the letters.

CIA and FBI do HUMINT, or old-school spying, but from what I've heard their skills here have withered as they've focused on SIGINT themselves.

inb4 encryption - I assume that they can crack any encrypted files, or they wrote the specs in the first place.

Re:Open source?

[hacker]

You should be pointing people to this instead:

"Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers"

http://www.dwheeler.com/trusting-trust/

Re:Open source?

[hacker]

Write it down. Heck, even the USPS or FedEx seems to be less compromised - they record the address info (metadata) but I haven't seen anything to imply they've been opening the letters.

They do photograph every single letter and parcel, as well as x-ray scan everything that goes through their facility.

Is that "safe"? I don't know.

Can they discern written text inside a letter in an envelope, through x-ray scanning? I don't know.

Are they photographing every letter under extreme bright lights, making the container effectively transparent?

Not sure, but it's worth exploring every single one of those questions.

Re:Open source?

Nonsense. It's much easier to hide backdoors and such in the code if it's not open. Open source reduces the chances that no one will spot the problems. It's not perfect, but it doesn't need to be perfect in order to be better, and anyone who claims it isn't a superior option is a damn fool.

Re:Open source?

Have you met the people in charge of serious open source projects? The answer is: Yes, they will.

There will at the least be the line of defense that is the core contributors to an open source project. The nice thing about open source is that even if they are compromised, anyone performing an audit (say, a major government looking for an operating system?) could detect the problem. It doesn't completely negate the possibility a backdoor will be introduced. It is, however, infinitely preferable to using closed proprietary software from the USA. All such software is now reasonably assumed to be compromised by the NSA.

Re:Open source?

Open source is no more secure than closed source, for a host of reasons, but at least with closed source, you know where the code came from and can judge it based on that.

How do you know where the code came from with closed source? Just because it says "Microsoft" on the box doesn't mean it all came from Microsoft (whoever he was). Microsoft relicenses a ton of stuff, and while they probably have source to it, doesn't mean they're going through it looking for NSA backdoors. Not to mention the stuff they might put in at a third-party's request (NSAKEY, anyone?).

Sure, if you're not a coder you're going to have a tough time analyzing open source yourself, but there's a world of other people taking a look at it who are likely to speak up if they see something weird. Moreover, there's the "genetic diversity" argument with open source: many many more detail varieties around (different distros and versions of distros, plus mixing and matching of apps between distros and independent application sites) which makes it harder (not impossible, harder) for someone (eg NSA) to target specific weaknesses (but not if there's a system weakness in an algorithm). E.g. if you've done anything to change your standard config (especially if you've made changes, even minor, and recompiled) then an exploit which attacks through e.g. a buffer overflow is more likely to just crash the app/module than successfully implant its payload.

With closed source the attacker can pretty much rely on the target running one of just a handful of easily-determined standard systems, and the payload will have no problem inserting itself.

Not crack-proof, but crack-resistant.

Re:Open source?

[noh8rz10]

while we're investigating things, I wonder how secure a one-time pad is. obv you would need to decode the message by hand.

Re:Open source?

By its very nature, open source code can be manipulated by anyone, with potentially ulterior motives.

Yes and no. Sure, anyone can download open source code and tinker with it to their evil heart's content. Getting those malicious changes pushed back upstream so that other people will end up with them is another question altogether. Most, if not all, open software projects keep a fairly tight rein on what changes they allow into their repositories, and who from.

(Moral of the story -- get your software from as close to the original project as possible or make sure you trust the intermediaries. And at the very least, verify the hashes/checksums.)

Re:Open source?

[swv3752]

Free Software folks have their reputation too, and often that is the only thing motivating them.

Re:Open source?

[hacker]

Or hash it with a strong algorithm and use along, non-entropic, unpredictable, rotated salt.

Re:Open source?

[hacker]

...use "a long", not "along", damn Mac keyboard! :)

Re:Open source?

[fisted]

inb4 encryption - I assume that they can crack any encrypted files, or they wrote the specs in the first place.

Go back to 4chan, and don't forget your tinfoil hat.

Re:Open source?

[skids]

If it is proprietary you have to make zero effort to conceal it.

Well, you should at least probably ensure you turned on the right compiler options to strip the NSA_BACKDOOR_PASSWORD identifier out of the binary.

Re:Open source?

[egcagrac0]

Can they discern written text inside a letter in an envelope, through x-ray scanning? I don't know.

I think there's a "how to make a tinfoil hat for your written correspondence" instructable out there.

Re:Open source?

[demachina]

And what about the applications the undercover NSA employees take? They are quite active in the open source community.

Re:Open source?

[egcagrac0]

All that only helps if you're comparing checksums and compiling your own binaries.

If you're not paranoid enough to do that, you're trusting that the compiler/packager/distributor of the binaries didn't amend the source or have a compromised compiler toolset.

If I were to go about attempting to compromise all the (pick-a-Linux-variant) systems out there, I wouldn't submit my "improved" code to kernel.org, but I might attempt to load a compiler at (distributor of selected Linux variant) with a surreptitious payload (see above comment).

Re:Open source?

[Euler]

That closed-source company may _want_ to stand on their reputation. But they can be ordered to backdoor the software against their will and in secrecy. This is no longer a hypothetical argument, and it _is_ harming the reputation of businesses.

This is a great time for competitors of US tech companies.

Re:Open source?

[egcagrac0]

If they do something bad (...), they'll be the ones held responsible.

Let's review every single EULA I've ever read going back 35 years or so...

The software is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose

They may be responsible, but they're probably not liable and I'm the one who is likely to get injured.

Re:Open source?

...use "a long", not "along", damn Mac keyboard! :)

Important correction, because that was the part of your post that didn't make any sense ;^)

Re:Open source?

[Bert64]

No, nor should you need to.

For anything sufficiently widely used you will have several competing groups looking at it...

With american commercial software you likely only have the vendor and the nsa looking at it...
For something like linux you have not only the nsa, but also several foreign governments looking at it too. While you may not be able to trust a single party, the chance of error decreases when you have multiple parties who have no reason to collude together.

Re:Open source?

[WOOFYGOOFY]

The article and another one like it I saw on the Guardian indicates that the NSA will intercept your mail (called an interception! ) and "configure" any hardware you ordered then send it on its way.

 

Re:Open source?

[cavreader]

What percentage of computer users in the world are capable of finding security issues by looking through the code. How many semi competent application programmers are capable of the same thing? Operating System level code has very little in common with application level code and unless you have a lot of real world experience good luck on finding any undiscovered weaknesses by looking at the source code. The majority of hacks today involve social engineering targeted towards tricking the average user into doing something stupid. Add incompetent system administrators to the mix and your system becomes wide open and susceptible to all kinds of mischief.

Re:Open source?

[Guru80]

There are thousands upon thousands of people looking at open source code. One of them somewhere along the line is going to notice. That should be pretty obvious. I would like to think this would be a tipping point to more Open Source based usage but we all know that most people don't have a clue what all the surveillance talk even means. All they hear is "They are listening to my phone calls" and that's where it ends.

Re:Open source?

The article and another one like it I saw on the Guardian indicates that the NSA will intercept your mail (called an interception! ) and "configure" any hardware you ordered then send it on its way.

No, it does NOT indicate that at all. What they are talking about is a specific Ops team inside the NSA who go after very specific, hard to reach, high-priority targets. These guys are the full-blown "cloak-and-dagger" type spies, who will break into the target's office at night and replace his monitor cable with a modified one that contains a wireless transmitter. Or replace the ethernet jack at the target's workstation with a modified jack that sniffs the network. Hollywood type stuff. And yes, if the target happened to be expecting an equipment shipment it might get intercepted and tampered with.

But they are not doing this to YOU. This is not a blanket coverage program, they aren't intercepting everybody's newly ordered PC and resoldering parts on the motherboard.

Re:Open source?

In the DDC technique, source code is compiled twice: once with a second (trusted) compiler (using the source code of the compiler’s parent), and then the compiler source code is compiled using the result of the first compilation. If the result is bit-for-bit identical with the untrusted executable, then the source code accurately represents the executable.

DDC won't save you from bugs/backdoors at a lower level (in the CPU microcode or physical gates). It also assumes you have such a trusted compiler. This has always been the tough part. If I'm worried about my local compiler being attacked, it's easy enough to check on someone else's machine. If I'm worried about a compiler being widely compromised in source form, or hardware being widely compromised, this doesn't help me a bit. Now, you're back to manual auditing.

Re:Open source?

[Rinikusu]

.. Maybe I missed some context here, but as a former FedEx employee with frequent contact with current FedEx employees, I've not heard of every fedex package being subject to x-rays or picture collection, although I wouldn't be surprised at the latter since I believe they've installed state-of-the-art OCR for QR reading on the airbills. The closest thing to x-rays I know of are the laser scanners used for calculating dimensions/weight (dimweight) for appropriate billing (people marking "1 pound" on their Laserjet shipping...). The amount of time it would require to actually x-ray and analyze 5-10 million packages a day would be non-trivial, especially in light of the service commitments. I could be wrong, however, and I'll have to bring it up next time I talk to the guys.

Re:Open source?

You should be pointing people to this instead:

"Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers"

http://www.dwheeler.com/trusting-trust/

How do we know that page isn't just a cleverly disguised NSA site?

Re:Open source?

That's what those envelopes with the randomised blue/black pattern printed in the inside are for. Any imaging technique that can read contents shouldn't be able to read past that layer of toner.

Re:Open source?

They only X-ray and irradiate Federal mail. Civilian mail is not important enough to this as it would cost the USPS way too much to do that for every parcel.

Re:Open source?

[noh8rz10]

I imagine there's not a need to image the Fedex packages because it all goes into your DB anyway, which they undoubtedly have access to (if you know it or not). I agree that x-ray is implausible.

Re: Open source?

Only a matter of resources not because they would have any moral qualms about it!

Re:Open source?

You mean like the trojan that was in OpenSSH for years?

Re:Open source?

[Mathinker]

> It also assumes you have such a trusted compiler. This has always been the tough part.

When Thompson wrote the original paper, it was tough. In the meantime, many more compiler options have arisen, and the complexity (measured in size of injected, specialized code) of Thompson's "attack" is O(n^2) where n is the total number of compilers to be compromised. When you combine this fact with the now-documented aversion of the NSA to having its methods uncovered, one quickly comes to the conclusion that it's not very likely that DCC is unproductive because all (or even most) combinations of compilers have been trojaned.

Re:Open source?

By its very nature, open source code can be manipulated by anyone, with potentially ulterior motives. A company can accidentally hire a foreign agent or an NSA plant, but if they do, and it gets out, that company will be held responsible.

Unless the company is Microsoft or Apple or Intel. Or really any US based company without the legal means to battle the government in court (all of them).

Re:Open source?

[bjohnson]

A truly random one-time pad longer than your cipher text is not crackable other than brute-force. Use a code along with the OTP and it's uncrackable (because the crackers won't recognize the plaintext when they do decipher it.) Of course you need to distribute copies of your codebook and OTP, which is why they developed ciphers in the first place...the only trick is to develop a code that parses to plain boring text. "Aunt Martha sends her love; she made a wonderful cherry pie for the church potluck last week, everyone was raving about it!"

Re:Open source?

[hacker]

They do openly state on their website that they randomly x-ray scan packages however:

http://www.fedex.com/gh/shippingguide/terms/#11

Re:Open source?

Open source is no more secure than closed source, for a host of reasons, but at least with closed source, you know where the code came from and can judge it based on that.

You have absolutely no idea where the code came from with closed source. Could be from anyone. Not much different from open source except for the fact that with open source you can at least theoretically examine the code itself even though in most cases that will never happen.

From the beginning of the Washington Posts actual link from the /. story..

A German magazine lifted the lid on the operations of the National Security Agency’s hacking unit Sunday, reporting that American spies intercept computer deliveries, exploit hardware vulnerabilities, and even hijack Microsoft’s internal reporting system to spy on their targets.

Citing internal NSA documents, the magazine said Sunday that TAO’s mission was “Getting the ungettable,” and quoted an unnamed intelligence official as saying that TAO had gathered “some of the most significant intelligence our country has ever seen.”

Der Spiegel said TAO had a catalog of high-tech gadgets for particularly hard-to-crack cases, including computer monitor cables specially modified to record what is being typed across the screen, USB sticks secretly fitted with radio transmitters to broadcast stolen data over the airwaves, and fake base stations intended to intercept mobile phone signals on the go.

and to the point, which is the problem with closed source software, the NSA is hacking into the software/hardware, why? Because these companies put these holes in there hardware/software for this very purpose!

I can't understand why people believe any of these stories? For one it is no secret these companies are doing this of there own freewill, 2. Now that they got caught, there denying any involvement, people aren't buying into there "oh my, were as shocked as you" PR, I find it extremely suspicious that this German Newspaper happened (yes 'happened' despite what they claim) across this document, which is trying to say the NSA and these million/billion dollar companies had nothing to do with any secretive (which again has been public knowledge for a long time) agreements to allow the NSA to do what they want with little to no effort.

Having said that, it is also very real the NSA has access to super computers, and accomplished underground hackers, programmers, ect doing the work, but the costs would be very noticeable. (even with blackmailing hackers/programmers, with prison time, for those they decide to recruit, and or target)

Unlike the unknown wilderness hacker, who has to either find a hole, or happens across one. The NSA knows exactly what to go after, with open source wilderness programers can fix it, and it because it is open there are no questions or doubts as to if you can trust it to be fixed or patched, and fixed/patched permanently, then reviewed by the community (or scrutinized) .

Goes without saying, considering MS's, and Apples, ect... Lack of openness, there patches/updates always come into question because they either didn't patch the hole, or it is designed to allowed another one to open up.

Re:Open source?

[jhol13]

One problem here is that the "multiple parties" are looking for holes to take advantage of, not to fix.
Another problem is that for example Linux is generating more holes per week than it is fixing, and the attitude sucks (https://lwn.net/Articles/538600/, https://lwn.net/Articles/313621/, etc).

If OSS were serious about security they would immediately use grsecurity and managed runtimes (JVM and like). I don't expect either happening anytime soon.

Re:Open source?

[HuguesT]

A truly random OTP does not require any further coding. There is not even any point in trying brute-force. Any text of the same length of the cyphertext is a potential plaintext without any way of telling if this is the correct one.

Re:Open source?

Actually they tap the mail; its one of the oldest programs around - they can divert all mail going to a house, open it, photograph it, and then deliver it. The postal service doesn't like to talk about it, but its about 100 years old. Just an FYI. US Government Employee = scum.

Re:Open source?

[AmiMoJo]

You overestimate their abilities. They couldn't even detect when Snowden was operating inside their network, and have been unable to determine what he took out prevent it being published. They know who had copies of the material, who is working on it, and for all their targeted hacking and exploits they can't do shit about it.

They have some scary tech, sure, but if you are careful there are limits to what they can do. For example this story states that they intercept computers being delivered and bug them. Well, anyone who thinks they might be a target can just go to a random computer store and buy an anonymous laptop with cash. Unless they install covert radios in every computer sold an airgap is still highly effective.

Re:Open source?

[Jesrad]

Are they photographing every letter under extreme bright lights, making the container effectively transparent?

That's fine, my handwriting is strong enough a cipher as it is.

Re:Open source?

[kenshin33]

As the chronic gambler should know that the casino wins on the long run.
The thief knows what would happen if he's caught.
He's point, I think, is not about less or more secure. either is as likly to incroporate bugs a the other. It is about the chances of finding a vulnerability and the time it takes to fix it.
With open source, If you happen (or know someone) find a vulnerability chancesa re you can fix it right a way, report/submit a patch. As for a closed source, all you can do is report and wait (slashdot is full of articles about that).
if there's a choice between blaming someone for a problem and avoiding the problem, avoiding (when possible) is always the winner strategy.

Re:Open source?

[Kynde]

No. I think you've misunderstood one-time padding (or brute-forcing).

Brute forcing is when you try (almost) every possible key, which is significantly shorter than the message, to see what the message will turn out with said key hoping to find the right one. If the message turns out to make sense (contain english words or ascii alphabet for example) it is likely to be correct.

With OTP the key and the message are of equal length. Going through every key is the same as going through every possible message. So you will not only hit alphabet, but you'll get shakespeare and snowden leaks alike.

That makes all forms of bruteforcing futile. No extra codes necessary.

One bit example:
my message is M (0 or 1) and my pad is P (0 or 1).
M xor P = C cipher text, and equally C xor P is M.

Now, given C, say 1. You can trivially bruteforce it into 0 as if P had been 1 or into 1 as if P had been 0, but that solves nothing. Because both possibilites are equally likely. Repeat that on every bit and all you will ever know about the message is its length.

The length leakage is also easy to counter to some extent by appropriate amount of random padding (adding some extra gunk to the end).

Re:Open source?

[sosume]

How do you know that the internet is even real and not a cleverly designed honeypot?

Re:Open source?

examine the code itself even though in most cases that will never happen

Spoken from the perspective of a basement teenager. FYI, for-profit companies are the ones who are likely to have the time, resources, and inclination to examine or modify open-source code -- not teenagers like yourself. The "many eyes" thing refers primarily to large organizations with clear goals, not random individuals at home on a saturday night.

Additional FYI: since linux is now big business, you can bet your house that many large organizations are doing exactly that (examining and modifying).

Re:Open source?

What percentage of computer users in the world are capable of finding security issues by looking through the code

If you're talking about random teenagers in their basements, then the answer is not many. If you're talking about Google, Red Hat, IBM, Facebook, etc, who employ top-tier programmers, then the answer is many. The point is that the possibility is open, which is the opposite of closed source software, where you are forced to put all of your eggs (trust) into one basket.

Re:Open source?

[DarwinSurvivor]

One thing you can use to increase the strength of OTP is extra data. They may not be able to crack the code, but they may be able to get an idea of the type of data it is by its length and the size of the key source (alpha only, alpha-num, etc).

Re:Open source?

[DarwinSurvivor]

You mean like the trojan that was in OpenSSH for 2 days?

FTFY.

Re: Open source?

Op never said they were doing it to everyone. Op said they do it,period and that is correct, they do. So your post is a strawman, attacking something no one said.

Re:Open source?

[egcagrac0]

In my experience, security envelopes aren't lined with toner, but with printer's ink (like from an offset press, not an inkjet).

My understanding is that those envelopes are helpful to prevent optical-light shining (like candling an egg), but I don't think they'll protect against x-ray. Anyone got an x-ray machine we can test with?

Re:Open source?

[noh8rz10]

your example isn't very helpful, but I see what you mean and I hadn't realized it before. You can't brute force to look for dictionary words, because you'll find infinite words.

ABCDE
ZEBRA
PARIS
HAPPY

Re:Open source?

[Chaz12]

The NSA and any national intelligence forces have ZERO access to messages that are encrypted 256 at source and only decrypted using long (eg 25 character non-dictionary) passwords that have been exchanged manually. Even a SuperComputer would take hundreds of thousands of years or more to crack these, and never forget paper messages exchanged manually bypass ANY security altogether! So either stone-age bits of paper or very high tech encryption will suffice. If there is an additional random insert of characters based on a further password, decryption is totally totally impossible! The only weak point is getting hold of the passwords and encryption methods. If these are secure, no-one else can get at the data. The sensible thing to do of course is to have a different passwords for each data destination, So even if one is compromised, all the others are secure!

Re: Open source?

You still have to trust the compiler, the hardware and firmware.

2013

[Presto+Vivace]

2013 is the year that proved your ‘paranoid’ friend right The person who can figure out how we can have all our tech toys and our privacy too will earn a fortune. Assuming that the technology is not made illegal.

Re:2013

[CohibaVancouver]

The person who can figure out how we can have all our tech toys and our privacy too will earn a fortune

They'll earn some money for sure, but not a fortune. The public & the bean counters are more interested in low prices than privacy. If your 'private' device is $100 more, everyone will buy the cheaper device.

Re:2013

[innerweb]

It will be made illegal. In many ways it already is. You must submit the key to encrypted material if proper law enforcement asks. Your lines are allowed to be tapped. Your locks are allowed to be broken.

The problem is not the agency, but the paranoid and ruthless people who abuse it. There are many people in law enforcement/intelligence communities who are honest law abiding citizens! There are a few who are not. The question becomes how do we watch the watchers? How do we catch the abusers? I am not sure this will ever be an easy thing to do. Knowledge is the most powerful tool one can have, and for those with an illegal or perverse agenda, the gathering of information provides opportunities to gain leverage over others, advantages in business and political dirt to get what they want. So, they will always try to use the system.

So long as the people who take power (not the elected officials, but the string pullers), have that power, and we the people allow them to, this is how it will be. There is no way at the moment to record anything and expect absolute security. I am not sure your own mind will be safe for much longer. It has always been this way. There is always someone, or a few people conspiring to control as much as possible around them through whatever means, legal, moral, ethical or not to do what they want. Some do it in the name of a god, some in the name of patriotism, some just because it is what they want.

What really needs to be figured out is how to stop these people from doing what they do. I do not think it is possible, as the people stopping them will most likely be those people.

Re:2013

Sure, sure, if you can build it all from the ground up... processor, bios, os, apps... then you can have ultimate security (unless of course, one of your own people backdoors you)

btw, the US tried that with Multix, and found that it was too cumbersome to keep the system updated

Re:2013

There are many people in law enforcement/intelligence communities who are honest law abiding citizens!

Mensa is an 'intelligence community'. What you are talking about is the spying industry, and there is no such thing as a honest spy.

Re:2013

The best way? Don't give them extraordinary powers in the first place.

Re:2013

wrong...
100% of LEO's (of whatever level) are corrupt, here's why:
you KNOW that virtually all but the totally clueless kops KNOW who is on the take for what (no matter how trivial, it is AGAINST THE LAW! ! ! that is *all* the 'justification' The They (tm) need to FUCK OUR LIVES OVER FOR NOTHING, but they are immune from 'THE LAW'), whether it is free donuts, testilying, 'sweetening' evidence, railroading the poor/stupid/downtrodden, fixing tickets, jobs for relatives, or even actual bribes, etc, etc, etc... they KNOW who is cooping, who is extorting sex, who is a bully, etc, etc, etc... they KNOW... ...but they don't say shit, do they ? ? ?

us great unwashed are EXPECTED -if not jailed- for NOT turning in our fellow citizens; but piggies DO NOT turn each other in, NO MATTER WHAT, do they ? ? ? if that isn't the very definition of corruption, i don't know what is...

they are ALL corrupt, because they ALL protect the corrupted ones...

piggies are NOT here to 'protect and serve' us li'l peeps, they are here to 'protect and serve' the interests of the korporatocracy...

Re:2013

[jader3rd]

The person who can figure out how we can have all our tech toys and our privacy too will earn a fortune.

Given how the majority of the population is trying to share every piece of information about themselves that they can online, I doubt that would be true. Security/privacy is too inconvenient.

Re:2013

[skids]

There's no quick tech fix for this. Mostly because the problem is partially cultural. Qualitative trust webs have to be academically validated, then essential behaviors to support them have to be installed in the population. It will take at least decades and most of the work will go completely unrewarded, because our monetary/compensation system is hopelessly corrupt, being that it also needs said fix.

Re:2013

Where is FakeBlock when you need it.

Re:2013

[Chozabu]

Well, there is http://retroshare.sourceforge.net/

Re:2013

[antdude]

And everyone thinks I am way too paranoid. I proved them wrong/incorrect. :D

significant intel?

TAO had gathered “some of the most significant intelligence our country has ever seen.”

pure hyperbole. cracking enigma. that was significant. they have provided 0 evidence that what they are
doing now has yielded anything.

Re:significant intel?

[mrxak]

There is some indication that the NSA is a rampant bureaucracy run by geeks with an unlimited budget who do things just to see if they can, but that doesn't mean they haven't gotten useful information or accomplished anything significant. I'd say the destruction of Iranian centrifuges was a master stroke, personally.

Now, as for their domestic surveillance operations, I'd say it's pretty fair that they've not prevented any terrorist attacks whatsoever. That's the problem with broad collection of data, it's all the harder to sort through for anything useful. It's unfortunate that they're going to keep trying, instead of returning to targeted intelligence gathering.

Re:significant intel?

[SuricouRaven]

If they had prevented any terrorist attacks, they'd be shouting it from the rooftops right now in an attempt to win more political support and counter any representatives who question their broad spying progams.

Re:significant intel?

[mrxak]

Well, in fact they did claim they stopped terrorist attacks, but that was later determined to be a complete fabrication.

Re:significant intel?

sure, _everybody_ knows about enigma.... now, you can be pretty damn sure that few people know about it at the time (or even 30 years after the fact)
It is the nature of national security to keep it secret, once that the cat(s)'re out of the bag, there is no way to get them back in

Re:significant intel?

[cold+fjord]

NSA helped foil terror plot in Belgium, documents, officials say

An intercepted e-mail from one of the cell members to his ex-girlfriend indicated he was about to launch a suicide attack. A defense lawyer in the case told CNN that prosecutors at trial acknowledged that the United States intercepted the communication and passed it to the Belgians.

Re:significant intel?

[Desler]

Nice try cold fjord:

The Belgium plot, though not confirmed to be one of the 50 that relied on the recently revealed secretive NSA program to monitor online messages, appears to fit the bill.

So it's not even confirmed that it had anything to do with the programs in question. And then you dig later into the article:

e-mail information relating to the case was "provided voluntarily by the companies Microsoft and Yahoo, as authorized by the Patriot Act."

So basically it wasn't the NSA's surveillance programs that helped it was that Microsoft and Yahoo voluntarily provided the information to the FBI. So in conclusion, your article contradicts itself in stating it can't even verify that this case had anything to do with anything revealed from NSA spying on Americans and it even states that the information was gathered by companies who voluntarily gave it to the FBI.

Now please explain how your article is supposed to be justification for mass surveillance on US citizens by the NSA?

Re:significant intel?

[cold+fjord]

In short, neither Microsoft nor Yahoo fought the issue and didn't require a court order. The information is consistent with what we've learned about the operations of the NSA involving those companies. You also overlook that it is CNN that labels it as NSA, not me. Even given NSA's involvement they clearly have wanted to stay out of the spotlight and would likely have handed the information to the FBI which has liaisons with overseas law enforcement agencies. At the end you are still stuck trying to explain how US intelligence obtaining terrorists emails and cooperating with allies in law enforcement against terrorists doesn't happen when it clearly does.

Re:significant intel?

[s.petry]

I'd say the destruction of Iranian centrifuges was a master stroke, personally.

Why? Because the same people that destroyed their infrastructure told you that Iran is "evil"? Does "Iran = evil" mean that we should act in an evil fashion? Is Iran as evil as people tell you? Personally I no longer believe that line of rhetoric (30 years ago I did). I believe that two wrongs don't make a right. I also believe that we should treat people equally, regardless of Religion, Race, or gender.

For the duration of my life, which is longer than most people on this site, I have heard about how Iran is "evil" and plans to take over the world. I heard about how they hate Israel, but have never seen them do anything outside of their borders. They yelled a lot when Mossad allegedly destroyed infrastructure, but I have not seen the Republican guard blow shit up in Israel or even be accused. How "bad" or "good" the treatment of their own people is becomes subjective to the people that live there, not my opinion, and that treatment is based on their Religion. The US denounces Iran and their beliefs, yet we have no problem with Talmud Jewish beliefs that much of Israel follows (not to be confused with Rabbinical Jewish beliefs).

I'm not claiming that Iran does not do wrong things, but as a whole and in comparison to the US it's not even close. We went to war with Iraq on a completely fabricated premise killing millions. We helped a revolt in Libya, Egypt, are helping in Syria. We give arms to some 'terrorists' and launch Hellfire missiles at others. We have soldiers that will tell you stories about how the poppy growth in Afghanistan has boomed under US control, yet under the Taliban it was outlawed and production was virtually stopped. Today world wide heroine use/production/trafficking is killing more people than the Taliban ever did.

I'm also not claiming that Israel is "bad" because I don't live there so only have 2nd hand knowledge.

The point is, that the US is not some "justice" force out there righting wrongs and correcting injustice. Quite the contrary, we are causing more harm than helping in numerous countries. We, the intellectuals, really need to challenge handed down propaganda. Instead of accepting it, try to question it.

Our founding fathers had a mountain of quotes I could refer to, but I won't. We were supposed to be the example for Free Society, Republican Government, and tolerance. We were not supposed to be a thug.

Re:significant intel?

[Desler]

In short, neither Microsoft nor Yahoo fought the issue and didn't require a court order.

Yeah, and? What relevance does that have to anything? ISPs has given law enforcement information on criminals before the Patriot Act or NSA's mass snooping on US citizens.

The information is consistent with what we've learned about the operations of the NSA involving those companies.

Except your article specifically makes no mention of any NSA involvement. It clearly states only the FBI and the two companies.

Even given NSA's involvement they clearly have wanted to stay out of the spotlight and would likely have handed the information to the FBI which has liaisons with overseas law enforcement agencies.

They were involved? You have proof of this? The article makes no such mention. To quote:

The documents stated that as early as December 2007, the FBI handed Belgian authorities a disc with information relating to these e-mail addresses that had been provided to the FBI by Microsoft and Yahoo.

And claiming the NSA was trying to stay out of the spotlight? Bullshit. You're now simply making shit up now after being proven wrong by your own supposed evidence.

At the end you are still stuck trying to explain how US intelligence obtaining terrorists emails and cooperating with allies in law enforcement against terrorists doesn't happen when it clearly does

Did I ever claim that didn't happen? Nope. Of course they obtain that information and work with other foreign governments about terrorists. No one has made any such contradictory claim as this pathetic strawman you've constructed.

The post you responded to and my point was that information like this is not gathered by NSA's mass surveillance on US citizens. As your own article points out, it was obtained by the FBI via Microsoft and Yahoo providing it.

Re:significant intel?

Destruction of Iranian centrifuges a 'master stroke'? LOL... You didn't hear that they then went out and bought new, more powerful centrifuges?
Yeah, that solved a whole lot and accelerated their production schedule too! What a master stroke that was....

Re:significant intel?

[cold+fjord]

This is what I responded to.

Well, in fact they did claim they stopped terrorist attacks, but that was later determined to be a complete fabrication.

That is false. Next, what was the title of the article I linked to? " NSA helped foil terror plot in Belgium, documents, officials say"

The roles and cooperation between the NSA and FBI are documented in previous news stories. What you believe is irrelevant, and it makes very little difference in terms of the news, or the law. The police of a foreign nation received the contents of an email sent by a Jihadi in their country from US intelligence agencies working with a multinational corporation in the US, and headed off a suicide attack in the process. As far as I see your only real interest is to prevent that sort of cooperation despite the obvious outcome. The courts have repeatedly found their actions lawful in decided cases.

Re:significant intel?

[jd]

Killing a bunch of wageslave (or just regular slave) engineers in the process. When the innocent become expendable, no matter how valid the cause, when murder and terror become alternatives to diplomacy, the aggressor is not fit even to be spat upon. You know why William Gibson's Neuromancer was so wrong? Technology is progressing far faster, sure, but that's normal in sci-fi. No, William Gibson's mistake was in not foreseeing how degenerate humanity can get.

Re:significant intel?

[Urkki]

... not foreseeing how degenerate humanity can get.

Foreseeing? Humanity is at its least degenerate today, at least in the developed world. It's not long ago when things we now consider totally depraved were considered normal. Just think about the world wars of last century, then consider what was done in the age of colonialism, and things just get more grisly the farther back you go.

Getting some engineers of enemy tribe killed is nothing in the grand history of humanity.

Re: significant intel?

Nice reply.

Re:significant intel?

[jd]

World War 1 is an excellent example of degeneracy. But let's face it, there is a level of honesty in charging machine guns and gassing enemy trenches. A depraved honesty, but honesty nonetheless.

Blackwater vehicles machine-gunning civilian populations for the hell of it, drones launching missiles at kids going to peace conferences - this lacks even the honesty.

Even earlier, the Charge of the Light Brigade was supposedly described as "magnificent, but it isn't war". I suppose the same could really be said of the Dambuster raid. There was nothing magnificent about Tora Bora, or the use of large radius, indiscriminate incendiaries earlier. Nor the use of cluster bombs colour coded to look like food drops.

The deliberate bombing of air raid shelters in Iraq was arguably worse than the Nazi bombings of London in the Blitz. The Nazis had no capacity to aim and seem to have been relatively indiscriminate. Bad enough to be a war crime and unacceptable to any civilized people. Firing laser-targeted missiles knowingly at civilian shelters, that goes from mere grotesquely savage incompetence to willful mass murder. To me, there is no question that having the capacity to do less harm but using it to inflict more is the greater evil and the more degenerate.

Re:significant intel?

[Urkki]

I think any modern intentional bombing of civilians pales in comparison to what happened to civilians in conquered cities before modern times. The whole remaining siege army pillaging, raping and murdering in a very close-and-personal way, with full approval of the commanders.

But more to the point, now nasty stuff like this is considered a war crime. Back then it was a reward for being a soldier in an invading army.

This is what cold fjord

[Desler]

Quit yer bitching. Everyone knows only terrorists care about privacy.

2013

> The person who can figure out how we can have all our
> tech toys and our privacy too will earn a fortune.

Can't be done. All your toys are possible because it is cheep to copy and store information. If you can afford it, any military can. As long as information is easy to copy, information can not be private.

Spy tools

[girlintraining]

The debate is not whether the spy tools should exist, but how they should be used. The NSA was originally meant to be a support organization that assisted the CIA and other federal agencies in protecting national security interests globally; Hence the name National Security Agency.

What it has become lately, thanks to the Department of Homeland Security and our idiot congresscritters, are lackies for the FBI. The FBI has a terrible record going all the way back to the Prohibition of doing whatever it wants and generally running rough-shod over civil rights. It has long shown signs of institutional corruption and rot. This is the source of the rot in our judiciary at the federal level... and like Midas, everything the FBI touches turns to sh*t.

Re:Spy tools

[HornWumpus]

J Edgar dreamed of having files on congress like the NSA does.

Re:Spy tools

[Desler]

The NSA has always been like this. The only difference between now and the 70s and earlier is their better tools. The NSA has been an abusive, corrupt organization since its outset. The very things they are doing now is what the Church Committee and FISA was meant to prevent. FISA was not meant to be a rubber stamping of any and all actions of the NSA as it has become.

Re:Spy tools

[Desler]

What do you mean? The NSA was being used for domestic spying on political adversaries for decades before the Church Committee. It was a major reason the committee was formed.

Re:Spy tools

[icebike]

What it has become lately, thanks to the Department of Homeland Security and our idiot congresscritters, are lackies for the FBI.

Wrong on two counts.

NSA is not part of DHS.
The FBI is the foot soldier and sock puppet of the NSA, not the other way around.

Re:Spy tools

[Charliemopps]

Exactly, the NSA has more power than any branch of government ever had. Any Judge or political official that opposes them will be blackmailed into submission immediately.

Re:Spy tools

[roman_mir]

Department of Homeland Security, otherwise known as Schutzstaffel or SS for short.

Re:Spy tools

[ducomputergeek]

Actually, it's better to say that the NSA is a support organization of the Department of Defense. And as such are often at odds with Langley since both are competing for the same budget dollars.

Re:Spy tools

[HornWumpus]

My one hope is Snowden got those files. But I doubt it.

The files on Congress, federal judges and the executive branch are the keys to the kingdom. They will never see the light of day.

Dumping those files would complete the Herculean task of cleaning the DC stables.

Re:Spy tools

[jd]

Not quite. The tools would be invented by someone, eventually. And that someone will have just the same accountability issues as the NSA. So you are guaranteed tools of this power being used by some megalomaniac or diabolical mastermind. So they cannot be factors in the equation.

The first question is how to upgrade security to the point that no such tool can ever work. Future tools, who knows, but this grade of attack must be permanently beyond anyone's capability.

I can picture ways of making it very, very hard - at a price - but a total solution is going to be a challenge.

Re:Spy tools

I think the spy tool disclosure may be a step too far. Whilst the details (many of the full sized slides) are good tech porn, I don't think such information should be revealed. Snowden really should not release unnecessary information such as this. He is right to disclose breaches of the constitution but other disclosures are attention seeking. Some attention seeking may be necessary to promote and agitate the cause but the release of much of this detail is perhaps not warranted.

Snowden is a flawed hero, but a hero nonetheless. Slap him lightly, thank him, pardon him and bring him home.

Re:Spy tools

[MacDork]

The debate is not whether the spy tools should exist

Did you watch the hour long youtube video? I'm guessing no. This is about whether it's okay for the NSA to launch automated malware attacks at scale. That extends far beyond the realm of passive "spy tools." Should the NSA be allowed to infect your machine with malware or fly a drone over your neighborhood to wirelessly compromise wifi routers? These are not tools of targeted spying anymore than carpet bombing your neighborhood would be targeted. They are actively infecting your systems, making them dangerously insecure.

This is not what should outrage us

[MikeRT]

The fact is that the NSA needs these tools for the same reason the Army needs weapons ranging from small arms to weapons of mass destruction. It needs tools that let it collect signals intelligence on foreign targets. And yes, that includes our "allies." They do it as much to as we do it to them. It's understood that it happens. Even the British and Canadians wouldn't be shy about collecting Top Secret data on our operations that we want to keep from them if they could acquire it without jeopardizing their highly productive and close relationship with the US.

Americans should be outraged that the NSA is now deeply integrated with federal law enforcement per 9/11 "reforms" that all but created an integrated security state. That puts our rights deeply at risk. Prior to 9/11, the most the NSA could legally do was inform Customs and the Coast Guard that smugglers were en route to US territorial waters or airspace. Now, they're damn near as much of an intelligence arm for law enforcement as the military.

What we need is an iron clad, black letter of the law statute that says that no data the NSA collects on Americans is legally admissible unless the communication was collected abroad, occurred entirely outside of US territory and is specifically of a nature that is dangerous to our national security.

Re:This is not what should outrage us

[mrxak]

I'd go a step further. It shouldn't just be legally inadmissible, it shouldn't be collectable at all. If it's accidentally collected, it should immediately be purged and the responsible parties prosecuted. If the FBI wants to develop their own NSA-like capabilities for domestic law enforcement, they can do so in a targeted fashion with warrants, but the NSA should be focused entirely on overseas operations, just like the CIA, just like the military. Mixing foreign and domestic all up in one agency is a very bad idea, (I hope) for obvious reasons.

Re:This is not what should outrage us

[gmuslera]

You may be not outraged that your country have weapons. But you should be very outraged that they are using them, in all the world to every innocent people (stripping basically every human of a fundamentan human right), in all the country, and in particular, in you.

If you think that what they are doing is not a crime, try to do the same and get caught, the sun will be a white dwarf by the time you can get out of jail, considering how they are punishing minor ofenses. If any other country would be doing the same to US, at the same level and deepness, probably a lot of nukes would be flying right now.

Re:This is not what should outrage us

Then they'd just "launder" the information.

Re:This is not what should outrage us

no data the NSA collects

They'd just create a new organization under a different name.

legally admissible

Admissible to whom? They aren't taking people to court; they are just collecting and selling secrets.

unless the communication was collected abroad, occurred entirely outside of US territory

If they routed the information off-shore, they would consider it acceptable to collect. If any party was outside the US (before, after, or during the time of the communication in question), they would consider it acceptable to collect.

specifically of a nature that is dangerous to our national security

They already consider everything to be dangerous to our national security. This is not at all a qualifier.

I agree with what you're saying and trying to do, but we need to remember that these weasels will gladly abuse any loophole they can.

Re:This is not what should outrage us

[Charliemopps]

No, the NSA needs to be dismantled and a new constitutional amendment explicitly outlawing this sort of wiretapping on anyone, us citizen or not unless they have a REAL warrant from a REAL judge. Like the man said, They've even compromised Solaris. Which group of Terrorists is using Solaris? This has nothing to do with protecting us, and everything to do with controlling us.

Re:This is not what should outrage us

[Transfinite]

That should apply to any nation. Don't use the NSA equivalents to spy on your own.

Re:This is not what should outrage us

[Transfinite]

Just make it illegal for any gov body, whose role is protect from foreign interests, to collect or syphon data from a 3rd party, on their own nationals, If they are presently in that nation. From any location in the solar heliosphere. The

Re:This is not what should outrage us

[jovius]

The real illusion is to believe in the paradigm of hierarchy and security clearances. The social class system is based on the level of information made available. The ones on top are liberated, and they most likely want to keep it that way. The funny thing is that it's all based on nothing, because everybody can act however one likes regardless. The system is build with sand, which can be blown away without any effort. The scariest thing is how much real iron the illusionary system has accumulated for protection and how the physical means act as a catalyst for more power, reinforcing the emotion.

Re:This is not what should outrage us

[OhPlz]

We already have the 4th amendment. What we need are judges that will uphold the laws we already have and not subvert them to serve the government's own interests. More laws won't fix this mess.

Re:This is not what should outrage us

Shit! They got him!

Re:This is not what should outrage us

What we need is an iron clad, black letter of the law statute that says that no data the NSA collects on Americans is legally admissible unless the communication was collected abroad, occurred entirely outside of US territory and is specifically of a nature that is dangerous to our national security.

What do you think the UKUSA agreement was about? GCHQ spies on american's traffic and passes it to the NSA so they can say that they didn't do the 'dirty work'
and vice versa for British traffic.

Re:This is not what should outrage us

I got a big laugh when you said "legally admissable". This stuff isn't used for law enforcement it's used for economic espionage. Look at who they target to spy, a lot of them are foriegn businessmen and diplomats.

Re:This is not what should outrage us

> just like the military

The NSA is part of the Department of Defense, and all of the military branches have folks doing work for the NSA.

Re:This is not what should outrage us

The internet is a global network. The terms such as abroad, foreign, domestic are pretty much meaningless. If you keep using them in spy laws, they will be used as in whatever way No Such Agency suits. Better focus on how targeted the surveillance is supposed to be. Or even better: just turn off that damn tax dollar tap that fills NSA's Olympic swimming pool of money.

Re:This is not what should outrage us

[steelfood]

Hyperbole won't get you anywhere.

Quite frankly, the internet was a U.S. creation. Thus the keys to the internet always lay in the hands of the U.S. If there was anyone capable of containing the internet, it would be the U.S. That was not supposed to be. Things were not supposed to be this way.

What we understood up to two, three years ago was that the U.S. was a bastion of freedom and free speech, and thus the internet would be free from such censorship and threats of censorship. What we realize now, today, is that the internet run by the U.S. is no better than any one-party institutionalized, nationalized communications infrastructure. It's subject to the same levels of power abuse that any other nation-state would exert upon the infrastructure it owns.

People are just now realizing that there needs to be an international solution, one that transcends the bounds of any individual nation-state, one that cannot be owned and thus compromised by any single party. It's all a matter of if certain other privacy- and hence freedom-loving countries can get their act together to put such a system into place.

Chances are though, every country wants this power, if not over their own people, then over other countries. Thus such a thing could never possibly come about. If it's not stopped at a technological level, it'd be stopped at a physical (cable-laying) level.

Re:This is not what should outrage us

[AmiMoJo]

Not every country is as bad as the US/UK. Don't try to excuse what they are doing by claiming everyone else is at it. Germany didn't try to tap Obama's phone, and I doubt they would try because among allies there are lines, and crossing them is a good way to get yourself excluded from intelligence sharing agreements. Plus, it's just a dick move.

Re:This is not what should outrage us

A lot of it is used for law enforcement. The NSA isn't a one-trick pony.

Re:This is not what should outrage us

[gmuslera]

If internet was US daugther, with this is literally fucking her, you are saying that the father have the right to do so?

Is like building some of the roads, then claiming ownership of your car (and as your car goes to your house, to your house, and your clothes, and you). Internet is more than its infrastructure as you are more than dumb flesh and bone.

Yes, they can do it. A bank can take your money too, they are there for profit and taking your money is a fast way to do it, but they should? More than regulations there is a matter of trust, once you break it you should never again put your money (and data) there.

Re:This is not what should outrage us

[7-Vodka]

You know what? you have made such an ignorant statement I'm no longer able to use any of my 15 mod points on this discussion.

NSA is now deeply integrated with federal law enforcement per 9/11 "reforms" that all but created an integrated security state.

If you had bothered to watch the video you would have noticed that the leaked documents put much of this NSA activity starting 15 YEARS ago. That's 1998. They were already collecting all your email, internet and phone data AND STORING IT years before 9/11.

Yes that means that those things you weren't proud you did in your distant past can be used against you forever.

1. Lusitania
2. Mossadegh
3. Gulf of Tonkin
4. Operation Gladio
5. Operation Northwoods
6. USS Liberty
7. 9/11
8. Anthrax attacks

Wake up Neo, you've always been a slave. Worldwide spying, exploitation, propaganda AND financial manipulation. It's been done for hundreds of years according to the capability of the time. Everything you think you know is a lie.

What we're reaching is the end game. When the rulers of this planet can finally bind everyone in such strong chains from birth that even the pretense of freedom can be dropped.

Fortunately, the empire and the dollar are walking debt infested corpses and their plans will come crashing down before they reach endgame.

Yawn

How is anything of this surprising or unexpected?

Transparent government

So.. when does the hope and change start? Is it long enough yet that "blame Bush" is no longer the answer to everything?

Is this one of those fabricated scandals like Benghazi, Fast and Furious, the IRS going after conservatives, the President lying about the AHA, Holder lying in front of congress repeatedly..

Re:Transparent government

[noh8rz10]

hope and change already happened. Hope peaked and reverted to the mean. Change happened but was largely a downward trend.

Re:Transparent government

[ganjadude]

Is this one of those fabricated scandals like Benghazi, Fast and Furious, the IRS going after conservatives, the President lying about the AHA, Holder lying in front of congress repeatedly..

Not at all like those ones, With those ones they just denied it even happened or blames things that had nothing to do with the issues. With this they admit that its happening and dont even pretend to care that they are abusing their power

So outbound UDP is a first thing to block

[freax]

For the time being we can start by blocking all outbound UDP data on routers. Unfortunately these hw hacks call nsa over open wifi too. So we'd have to jam wifi in buildings too ..

Re:So outbound UDP is a first thing to block

[Mister+Transistor]

Yeah, except your Cisco-and-NSA-compromised router with the "if pktaddress=nsa.gov then allow" rule hidden and permanently on will just pass it and not log or tell you anything... As a plus, your Microsoft-and-NSA-compromised systools won't show the traffic, either.

Re:So outbound UDP is a first thing to block

[fisted]

Are these compromised, too?
I got myself a handful for christmas, which should in combination with a MCU give a known-good network tap.
Problem NSA?

Re:So outbound UDP is a first thing to block

[fisted]

FTFM

Re:So outbound UDP is a first thing to block

As a plus, your Microsoft-and-NSA-compromised systools won't show the traffic, either.

Assuming that the user is too illiterate to use anything but Windows.
 

Cisco and Huawei

[icebike]

Given all the US lobbying against Huawei gear being used in critical infrastructure, it seems odd that the NSA is claiming they have managed to penetrate these routers.

Perhaps while NSA was powning Huawei routers they discovered they were already compromised.

Seems far more likely that in doing so, the NSA penetration was in turn detected and prevented by Huawei, or they haven't been able to penetrate to the extent they have with Cisco routers, and therefore they need to keep these out of critical infrastructure.

Re:Cisco and Huawei

[phantomfive]

Sometimes it's difficult to figure out what is going in government with all the different motivations different people have, most of which you don't even know about.

In the Huawei case, it's entirely possible that Huawei's competitors were better at lobbying than Huawei. See also Apple vs Samsung.

Re:Cisco and Huawei

[wiggles]

They know the Chinese have managed to penetrate them precisely because they have penetrated them the same way.

Re:Cisco and Huawei

They know the Chinese have managed to penetrate them precisely because they have penetrated them the same way.

Now that must be why I feel like I've been DPd by the Chinese government and the NSA for 10 years... Man am I sore.

Re:Cisco and Huawei

The Huawei people admitted that their hardware was backdoored already, their only claim was that all network gear has government backdoors. We didn't necessarily believe them until a few months later when Snowden turned whistleblower.

Also Huawei has crap software so probably anyone motivated can exploit it not just governments.

Re:Cisco and Huawei

[mars-nl]

Perhaps while NSA was powning Huawei routers they discovered they were already compromised.

It's time for some nice plug-in mechanism for such routers. So each government can write their own eavesdropping plug-in and the manufacturer can put them all in. Yay.

Silly me

[davide+marney]

Silly me, I thought the reason for NSA's existence was to make it HARDER for the bad guys to attack our infrastructure, not easier. Shows how little I know about how Washington "works" for us.

Re:Silly me

The NSA...:

• ... weakens our crypto
• ... hoards/uses zero day exploits
• ... backdoors virtually all equipment

The NSA is the worst thing that could happen to internet security. Time to hack those drones and let them bomb the real terrorists... in Ft Meade.

at the risk of sounding paranoid

[Presto+Vivace]

it is difficult to believe that the NSA is the only one doing this, so who else owns my electronic toys?

Re:at the risk of sounding paranoid

[Voyager529]

so who else owns my electronic toys?

If you have an iPhone/iPad/iPod, Apple.
If you have an Android phone/tablet, Google, and likely Samsung/HTC/Hawei/LG.
If you have a Windows Phone/tablet, Microsoft, and likely Nokia/HTC/Samsung.
If you watch movies on your phone, the MPAA.
If you play music on your phone, the RIAA.
If you have a data plan on your device, then AT&T/Verizon/Sprint/T-Mobile, or your regional MVNO.

Re:at the risk of sounding paranoid

[mrxak]

In some cases, the weakening of encryption standards done by the NSA, and various backdoors they've managed to install in systems used by everyone, there may be foreign and criminal organizations that are simply riding the NSA's coattails to compromise your security in the exact same manner.

But you're right, if the NSA has been doing this, so has everyone else. The NSA is just better funded.

Re:at the risk of sounding paranoid

[Presto+Vivace]

almost all our electronic toys are made in China. It is difficult to dismiss the possibility that they have inserted their own malware into our toys.

Re:at the risk of sounding paranoid

[Charliemopps]

It's irrelevant if others are doing it. We have proof the NSA is doing it. They need to stop. We can worry about everyone else after we get our federal government to obey the law.

Re:at the risk of sounding paranoid

[AHuxley]

Its depends on your electronics, the local optical loops, your tame telco and cooperation by your countries crypto/telco/gov/mil staff/national gov.
Its hard for any one nation to reach around the world into domestic local telco optical loops unless they risk placing their own region hardware.
The NSA and GCHQ really have the 'only' global solution to that domestic or regional problem - the old/new Commonwealth countries, many new/old shared bases, invites into countries to 'help' by new nations, failed countries or other mil/political arrangements for installing local telco hardware taps.
So with standards in junk encryption, tame hardware, tame software, tame academics, tame gov testing and *regional* access the who else owns question is down to the 5 Eyes nations, a few other nations in good with the USA, the contractors, ex staff, former staff and their new private sector interests.
You need the codes, keys, location and skill set to track the 'person' or 'group' - the location part is the part missing for so many nations who have the tech ready.
Satellites, embassies, spy ships, mil aircraft or turned local staff can fill in gaps but are very risky or just very easy to track.

What's with the names..

GODSURGE, IRONCHEF, CANDYWIRE, MONKEYCALENDAR, SOMBERKNAVE, IRATEMONKEY, TOTEGHOSTLY, DROPOUTJEEP

Just append X's as prefixes or suffixes and now we can identify teenage NSA agents or just AI acting like them.

Re:What's with the names..

[mrxak]

A lot of these names probably come off of random word lists, to help disguise the purpose in case foreign agents learn of a code name.

Re:What's with the names..

It's not entirely random, they have lists of approved words from which random choices are made. I think this information was in one of the earlier Snowden releases, if it wasn't a public secret already before that. I read about it on slashdot ;)
    It's probably to prevent too silly sounding combinations. I imagine the words should be easily distinguishable from eachother and easily recongized over a crackling phone line too. Not as relevant with current day methods of communication but in the past that must have played a role.

welp

[nensondubois]

Freedom fighter indeed.

Remote BIOS flash?

[billcarson]

So basically no online banking platform can be safe once these exploits are released into the public? I do wonder though how they do it though.

Re:Remote BIOS flash?

[Charliemopps]

Likely they either:
Paid the company that designed it
Bribed someone working for that company
Simply got their own NSA agents hired at the company with the sole purpose of having them write exploits into the code (most likely)

Re:Remote BIOS flash?

[deconfliction]

So basically no online banking platform can be safe once these exploits are released into the public? I do wonder though how they do it though.

I'm not quite sure I understand your question. I would rearrange the ideas this way- No online banking platform will be safe until these exploits are known publicly, and defended against technicly. As to your title- makes you long for the days of flash-write-protect jumpers and dipswitches doesn't it...

Re:Remote BIOS flash?

[billcarson]

See it from a positive point of view: maybe the Coreboot project wil finally take off because of this?

Re:Remote BIOS flash?

Why do all of your possibilities assume that someone inside of the companies are responsible? A small team of programmers could reverse-engineer BIOS software and release NSA-malware'd versions of them as needed. As to how they do it, read the damn article.

Anyway, they wouldn't make all BIOS code bugged by default; it would be detected by somebody eventually and ruin the whole operation through public disclosure. The NSA's success with exploits is based on the selection of appropriate exploits which is further based on the urgency of getting data from each specific target and the target's own level of sophistication in being able to detect the exploit.

Re:Remote BIOS flash?

[deconfliction]

agreed. coreboot, flash write protect jumper, secure boot, linux, and a physical RO or WORM media to recover/reload all firmware and bootloader... Ah, I long for the days when I imagined I had computational security...

iPhone

What's most interesting about this presentation (some 44 minutes into it) is the claim that NSA can monitor any iPhone they want, ostensibly via some remote mechanism or backdoor.

Re:iPhone

You left out the part where they admitted they did require physical access to the device to initiate the process.....

There goes the economy. Thanks NSA.

[tekrat]

Nevermind "thanks Obamacare", now nobody is going to buy *any* technology from a US vendor because it's likely compromised by the NSA.

Just like you don't want to buy from a purely Chinese vendor because it's reporting back to the Chinese version of the NSA.

So, thanks to the NSA and China having a dick-measuring contest on why can spy more, the internet is essentially fucked. No privacy, no e-commerce, hell, no commerce (thanks Target), unless it's all cash.

So the only place you can trust is (ironically), Craigslist!

Re:There goes the economy. Thanks NSA.

If you are trusting a random craigslist posting over the governments (US and China), you really need you head examined.

Re:There goes the economy. Thanks NSA.

I disagree. Why trust known liars, scammers, and criminals over a person who only might be one of those thongs?

Re:There goes the economy. Thanks NSA.

Nevermind "thanks Obamacare", now nobody is going to buy *any* technology from a US vendor because it's likely compromised by the NSA.

Oh puh-leeze. If the mortgage meltdown didn't destroy the U.S. economy, nothing short of all out nuclear warfare is going to.

Just like you don't want to buy from a purely Chinese vendor because it's reporting back to the Chinese version of the NSA.

Yes- it's *exactly like that*. The fact that you are buying and using so much Chinese made stuff despite you're not wanting to, is *precisely* what makes your earlier statement wrong. We don't have a choice. We can go back to pen and paper, but computers do some pretty cool stuff, even if you have to assume they are crawling with the mafia and NSA.

So, thanks to the NSA and China having a dick-measuring contest on why can spy more, the internet is essentially fucked. No privacy, no e-commerce, hell, no commerce (thanks Target), unless it's all cash.

So the only place you can trust is (ironically), Craigslist!

Oh get real. Somehow the fallable technology of written checks and credit card magstripes has survived. Of course there is real scary shit if you try to understand how that happened. I.e. the bottom line security of technology as it relates to the monetary system and economy has always been the thug's gun. It still is, and probably will be for some time. This war hasn't just started, and it's not just about to end. It's the long war.

Re:There goes the economy. Thanks NSA.

I am going to make millions shorting tech stocks.

Where?

Applebaum spoke about why the NSA's program might lead to broader adoption of open source tools and gave a hot tip on how to know if your machines have been owned."

I must have overlooked it. Where, specifically, did these articles state that?

Re:Where?

[skids]

Probably it was in the video, because people seem to think everyone has time to watch oodles of video without a posted transcript to skim over, and nobody cares to actually associate their hyperlinks to the text they attach the href to.

Re:Where?

I watched the video, too. It still didn't explain "how to know if your machines have been owned" but, instead, focused on the numerous ways the NSA has been exploiting various companies. While still interesting, none of the information presented contained what the summary alluded to.

Re:Where?

[AndrewBuck]

It is in the video which is definitely worth taking the time to watch. He mentions several things to look for, pictures of lots of the hardware they slip into people's computers, and specifically mentions looking for UDP packets encrypted with RC6.

Not posting anonymously because I want those fuckers at the NSA to know what I think of them.
-AndrewBuck

Affordable Healthcare Act

Perhaps the feds should have insourced the AHA website to the NSA. Seems like they have the tech and the people that know how to use it. Added benefit, US residents already have a file there. One stop shopping for all your personal information needs!

Actually you're wrong

The CIA still runs everything at the highest level:

http://www.wsws.org/en/articles/2005/07/fbi-j07.html

"The combining of counterintelligence, counterterrorism and spying into one FBI office linked to the CIA and under the direction of a DNI working directly for the White House represents a major step toward the creation of an American secret police force. "

The FBI are definitely subservient. Don't ever kid yourself.

Half a straw man

[s.petry]

You see, there is a big flaw in your point. _IF_ the only developers were in the US, you may have a better point. OpenSource is not just coded in the US, and the eyes looking at the code are all over. I think for a while you had a level of trust among OpenSource crowds that everyone was equally altruistic and freedom loving. I am pretty sure that when the leaks came out a few years ago about the NSA jacking encryption that trust evaporated pretty quickly.

What you may want to believe is that all of these coders are here doing "Merikah!" great favors, or at least looking the other way because.. you know, "Merikah!". Guys in Germany don't have any devotion to that cause, and won't be complicit.

So now, that level of trust that people had is gone. Not that OpenSource coders are all out trying to screw each other (as we see with 3 letter agencies and closed source companies), but there is a whole lot more scrutiny. As it should be, and like it was 10-15 years ago.

You can _never_ scrutinize closed source code. That point I agree with, and yes we should all assume that closed source systems ship compromised. As with the paragraph above, we used to assume that not very long ago. This is how we started to catch on to how shitty MS was (remember the ACK wars?).

not really

[publiclurker]

Even if someone I've never heard of finds a backdoor and reports it, word will get around to people that I do trust to verify things.

Congress should require NSA to reveal exploits

[schwit1]

If Congress required the NSA to reveal exploits of US made products within 30 days it could boost US sales.

Windows error reports

[minstrelmike]

One of the ways NSA developed hacks into MS software was by intercepting the error reports that Windoze sends when it crashes.
Talk about a lot of data ;-)

The entire catalog can be viewed here:

[ChrisStoecker]

http://www.spiegel.de/international/world/a-941262.html

Applebaum incorrectly characterizes tools

I don't understand why Applebaum implied that the bugs described toward the end of the video were the "scariest". They are just that: bugs. They are simply modern digital and, in some cases, wireless versions. If someone has implanted their own hardware into your device, of course they will be able to collect what they want. But someone has to plant it. If one of those bugs was in every monitor cable shipped in the US, that would be scary, but that they can make them from off-the-shelf parts should come as no surprise whatsoever. And the stuff about GHz radio emissions giving Hugo Chavez cancer was pretty stupid if you ask me.

No, the bug technology doesn't surprise me at all, nor does the list of exploits, but it's the blanket surveillance that is outrageous. It's not that they're good spies--we knew that--it's that they can and are spying on literally everyone, and actively handicapping digital security in order to do it.

It isn't a crime

[MikeRT]

If you think that what they are doing is not a crime, try to do the same and get caught

The same is true of taxation, but I don't see you complaining about that either. The government has natural authority which individuals do not when there exists a legitimate government. One of those is defense and intelligence gathering is now as critical to national defense as any weapon system if not more so.

Juniper's post about their products

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10605&actp=SUBSCRIPTION&smlogin=true

Product Affected:
Juniper Products

Problem:
  Juniper response to Der Spiegel reports of NSA attacks and monitoring of Juniper products.

Solution:
  Juniper Networks recently became aware of, and is currently investigating, alleged security compromises of technology products dated from 2008 and made by a number of companies, including Juniper. We take allegations of this nature very seriously and are working actively to address any possible exploit paths. As a company that consistently operates with the highest of ethical standards, we are committed to maintaining the integrity and security of our products. We are also committed to the responsible disclosure of security vulnerabilities, and if necessary, will work closely with customers to implement any mitigation steps.

The alleged security compromises included indications of "software implants" and a method for installing malicious code in BIOS. Juniper Networks is not aware of any such BIOS implants in our products and has not assisted anyone in the creation of such implants.

Juniper maintains a Secure Development Lifecycle, and it is against Juniper policy to intentionally include "backdoors" that would potentially compromise our products or put our customers at risk.

Juniper will continue to aggressively investigate this report as we do all reports of potential vulnerabilities in our products, and will continue to notify our customers according to our Security Incident Response Team policies.

In 2008 Juniper published this Advisory related to ScreenOS Firmware Image Authenticity Notification

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10392

Juniper recommends that all customers read Juniper Security Advisories and stay current with product updates.

Workaround:
N/A

Implementation:

Related Links:

        KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process

        KB16765: In which releases are vulnerabilities fixed?

        KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories.

        Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team

        Hardening Junos Devices

CVSS Score:
N/A

Risk Level:
Medium

Acknowledgements:

Huawei ? Are you fucking kidding ???

[Taco+Cowboy]

A series of servers produced by Dell, air-gapped Windows XP PCs and switches and routers produced by Cisco, Huawei and Juniper count among the huge list of computing devices compromised by the NSA

Somebody please help me here !

I can't believe that now Huawei works for the NSA.

I just can't fucking believe it !!

http://www.scmp.com/news/china/article/1286054/it-goes-without-saying-huawei-spies-china-says-ex-cia-chief?page=all

On the above link, ex CIA chief Michael Hayden claimed that Huawei spies for China !

http://www.bloomberg.com/news/2012-10-08/huawei-labeled-cyberspying-threat-faces-u-s-phone-gear-lockout.html

On this link Huawei was lockout from the US market because, "ahem !", Huawei is a SPY DEVICE of the People Liberation Army of China !!

I am totally confused now !

Who the fuck Huawei is working for ?

The Chinese PLA or the American NSA ??

Re:Huawei ? Are you fucking kidding ???

[easyTree]

Who the fuck Huawei is working for ?

The Chinese PLA or the American NSA ??

Do you like Oranges or Bananas?

Re:Huawei ? Are you fucking kidding ???

[mars-nl]

It's simple: the NSA is actually a covert operation of the Chinese PLA which in turn is a CIA operation. And Obama is a spy for the German secret service.

"There are many people in law enforcement/intellig

No, there aren't. Even the "good cops" who don't report the "bad cops" are then, by definition, "bad cops". Thin Blue Line, and all that.

Natural authority?

"The government has natural authority which individuals do not when there exists a legitimate government."

No. There is NO SUCH THING as a 'natural authority'.

Our government (in the US, anyway) is granted powers BY the people, FOR the people, as outlined by our Constitution.

Which is why...

... I do everything on my clear-case newton. Too small a base to bother with, looks like I boosted it from the prison newton inventory, and I can see inside so I can tell if they put anything inside - least that's what the guy who sold it to me said...

Can't even trust Santa

[PPH]

From TFA:

intercept the hardware in transit, and take it to a secret workshop where it could be discretely fitted with espionage software before being sent on its way.

I blame it all on bad elves.

I'll admit it ...

[golodh]

I'm surprised by what I saw, heard, and read about NSA interception technology.

This stuff goes far, quite far, and to quote Jacob Applebaum: "I can't remember voting on any of this stuff, or even having seen a public debate on it".

How about you?

Re:I'll admit it ...

[koan]

Do secret intelligence services often put their tactics up to a public vote?

As a side note, who wouldn't want to work on this team cracking computers World wide, bitchin.

If your machines have been owned ..

[codeusirae]

"Applebaum spoke about why the NSA's program might lead to broader adoption of open source tools and gave a hot tip on how to know if your machines have been owned."

Where could the code be hiding .. the BIOS, the PCI BIOS, the Video Card, the NIC, the PXE ROM or buried in the CPU microcode ...

Re:If your machines have been owned ..

[mars-nl]

Or in Tamagotchis or in SD-card controllers.

laugh

[koan]

http://cdn4.spiegel.de/images/image-583917-panoV9free-akfw.jpg

It's simple as this

The code can be compromised
1) In the source (undetectable in closed source) (detected by some reviewers for open source)
2) in the binary
3) in the compiler
4) device drivers

The host can be compromised
1) in the hardware
2) in the firmware/bios
3) external device means

The peripherals can be compromised
1) in the hardware
2) in the firmware
3) in the software

running software can be compromised
1) viruses
2) malware
3) root kits

network can be compromised
1) by physical devices routers/switches/hubs/wires
2) in the wireless
3) in the internet
4) traffic analysis and statistics

remote servers can be compromised
1) by all the same
2) middleman
3) third party trust

Transport of devices
1) snail mail
2) shipper (middle man attack)

People are compromised by use of
1) phone
2) car
3) cameras
4) social media
5) purchases
6) credit cards
7) music
8) social routines
9) social habits
10) social engineering
11) schedules
12) work/office
13) other

Without these (and any I have missed) being secured there is no way to insure the security of the system.

With an all seeing eye like a large government entity there is no way to prevent it with the exception of passing a constitutional amendment that makes it clear that it IS not legal without specific warrant. All other means falls short of the goal.

To spy on foreign nations in my opinion is what nations do. ALL OF THEM that are capable. Spying on ones own citizens is what governments that are not democracies do. If a democratic government starts spying on its own citizens then it ceases to be a democracy.

Re:It's simple as this

[s.petry]

You are extrapolating way too much to be coherent. We can break down your point into 2 categories. Hardware and Software. For the sake of debate, let us assume that a BIOS, Firmware, PROM, etc.. is Hardware. Why we can do that is because "normally" you can't edit PROM or firmware on a machine that's running. ILO/LOM/ILOM/ALOM/DRAC, etc.. today give some level of access to that software. Personally I'm not a fan of those systems without in depth analysis of what they are, how they are built, etc... They have a purpose, but add insecurity.

We (I have pointed it out for years as have others) know that hardware can be compromised. I'm sure you can look up older posts I made on this site that point this out, though the concern was more that China having access to the hardware at a low level since they are building it could change the hardware enough to compromise it before it made it's way back to the US. That is still a concern, but we now know that our own Government has been slipping in enough back doors that it's not a real point. For all we know, the NSA and China may be sharing the same back doors for the same purposes.

As you point out, when hardware is compromised it does not matter what OS you have, or what software you run. You are pwned from the time you turn on the machine. This type of access is difficult, but not impossible. Infect a machine in the factory, and every box being shipped is then compromised (I think we all remember viruses being shipped on various CDs, DVDs, and hard drives from MFRs. TFA makes it appear as if you need physical access to every single host, and that is simply not true.

Then we have OS and Software, which is the easier layer to hack because it requires no physical access. The person I responded to claimed that OSS is less secure or the same security as closed source. That is what my argument is against.

I never claimed it was fool proof or secure, I claimed it was better than closed source because independent people without ties to a watcher, can watch the watcher.

It's not tinfoil hat time.

[sahuxley]

They hacked those, too.

Huawei may be compromised.

[LiquidPaper]

Oh! Now I understand why they made me change all my Huawei hardware for Cisco. I thought it was only part of the economy war, but now I understand it was for safety.

Yeah! Safety.

Get'm While They Are HOT

Wall-Mart hacker! We have a Blue-Light Special in aisle H [Hell]. Get the PINs while they are hot.

At Ft. Meade, Maryland, it is observed the many Domino's Pizza trucks entering the facility! :-p

heh!

[eyenot]

The sooner I get my PhD in computer engineering, the sooner I can do something about there being fewer stories like this.

Re:heh!

[EmperorArthur]

Did you see that compromised on board network adapter or the USB cable? Those things were amazing pieces of tech.

The network adapter really just looked like a big RJ45 jack with some hardware on the back. That's what the non compromised version looks like. It does all the layer 1 stuff right there so you don't need to worry about things like impedance matching. The NSA added an extra chip which is invisible from the outside that acts as a second layer 2/3 controller. A simple single component replacement and that machine is now owned forever. Worse, there is NO WAY that you would know it from on the machine.

Speaking as someone who has a Bachelor Degree in Computer Engineering, I'm impressed. Scared, but still impressed.

Ladies and Gentlement ...

[Evil+Pete]

... we are fucked!

All hail the New World Order and our masters at NSA. I was not a true believer in the NSA NWO but then I watched the 30c3 vid mentioned in the summary. Holy crap. No wonder Charlie Stross gave up on his next novel. I am now beyond horrified and simply in awe of our new Overlords.

ultra-bright light burst sees most letter contents

The NSA uses ultra-bright light burst photograph technology to 'see' the contents of most letters that pass through the mail system. NSA computer systems 'rebuild' the text visible from multiple layers of paper within the envelope. The technology is cheap, simple, and mostly effective.

Remember, full surveillance programs are NOT designed to be 100% effective. Targeted surveillance programs are used when that level of accuracy is needed. Full surveillance programs, like the home spy system designed by Microsoft and the NSA in the Xbox One console, are simply attempts to grab all possible information from all possible sources, and to constantly invent new ways to trap previously unavailable information.

How cute!

[LostMyBeaver]

So, you're suggesting that open source will be more secure? Oh! That's right! If it's open source, the NSA wouldn't be able to find exploits in it... Because after all, it's open source, it can't be hacked!

Re:ultra-bright light burst sees most letter conte

Actually they use x-ray technology to scan layer by layer to separate the ink from the paper so they can scan even magazines page by page without opening.

"hot tip on howto know if your machines are owned"

I don't see any such thing. Basically that article is a watered down version of the Der Spiegel original.

I guess /. submitters and editors don't follow any truth in advertising norm... I'm shocked.

Hot tip?

[nuckfuts]

Where is the "hot tip on how to know if your own machines have been owned"?

Re:Hot tip?

[thoughtlover]

Where is the "hot tip on how to know if your own machines have been owned"?

It seems the 'hot tip' was to get clicks. The best I came away with as a 'tip' is already obvious --don't buy from Cisco, Huawei, or Juniper. Other tips I can think of are, 1. Because of TAO hardware interceptions, buy used via Craigslist, and 2. Run a Linux-based firewall that can block selective traffic like MS Crash Reporter.

Re:Hot tip?

[thoughtlover]

Where is the "hot tip on how to know if your own machines have been owned"?

Apparently it's in the first link --Here's the tip:

"He also left IT security managers with a handy tip to begin their search. He suggested they search for suspect traffic sent via the UDP protocol and secured by the RC6 encryption algorithm developed and freely released by RSA Technologies, which prior leaks suggest was the recipient of a $10 million prize for its efforts to aid the NSA."

Open Source is a requirement

[mennop]

Ofcourse can there be security bugs in Open Source. Which can be exploited by the NSA and others. But such bugs are far less common then in Closed Source. Open Source in itself doesn't promise security, but it _is_ a _requirement_ for security! No Open Source (including in hardware)? No security. Any program (OS) running on a TC chip? No security. (en.wikipedia.org/wiki/Trusted_Computing) Also: if it is Open Source, it is not possible to hide backdoors and security flawed programming. Since everybody can see the code, the criminal putting the malware in the code, always will be found. And thus, there are no deliberate security errors in Open Source. Also, because everybody can see the code, it forces the programmers to code neatly (otherwise, they will get a lot of bad comments). Closed Source programmers can mess around as much as they want - as long as the program works. Nobody can see their mess. PS: the button 'create an account' doesn't work... Hence, there will be 'Anonymous Coward' above my post.