Slashdot Mirror
The Startling Array of Hacking Tools In NSA's Armory
littlekorea writes "A series of servers produced by Dell, air-gapped Windows XP PCs and switches and routers produced by Cisco, Huawei and Juniper count among the huge list of computing devices compromised by the NSA, according to crypto-expert and digital freedom fighter Jacob Applebaum. Revealing a trove of new NSA documents at his 30c3 address (video), Applebaum spoke about why the NSA's program might lead to broader adoption of open source tools and gave a hot tip on how to know if your machines have been owned."
2013 is the year that proved your ‘paranoid’ friend right The person who can figure out how we can have all our tech toys and our privacy too will earn a fortune. Assuming that the technology is not made illegal.
Better check your compiler while you're at it, and your hardware.
-mrxak
Onions Will Kill You
What sort of straw man is that? No one has claimed that it is impossible to sabotage open source software. But the fact that the saboteur would at least have to try to hide it, which is not the case with secret source software, puts them at a huge disadvantage.
Do you leave your front door unlocked because you're not 100% sure that your lock can't be picked?
The debate is not whether the spy tools should exist, but how they should be used. The NSA was originally meant to be a support organization that assisted the CIA and other federal agencies in protecting national security interests globally; Hence the name National Security Agency.
What it has become lately, thanks to the Department of Homeland Security and our idiot congresscritters, are lackies for the FBI. The FBI has a terrible record going all the way back to the Prohibition of doing whatever it wants and generally running rough-shod over civil rights. It has long shown signs of institutional corruption and rot. This is the source of the rot in our judiciary at the federal level... and like Midas, everything the FBI touches turns to sh*t.
#fuckbeta #iamslashdot #dicemustdie
There is some indication that the NSA is a rampant bureaucracy run by geeks with an unlimited budget who do things just to see if they can, but that doesn't mean they haven't gotten useful information or accomplished anything significant. I'd say the destruction of Iranian centrifuges was a master stroke, personally.
Now, as for their domestic surveillance operations, I'd say it's pretty fair that they've not prevented any terrorist attacks whatsoever. That's the problem with broad collection of data, it's all the harder to sort through for anything useful. It's unfortunate that they're going to keep trying, instead of returning to targeted intelligence gathering.
-mrxak
Onions Will Kill You
The fact is that the NSA needs these tools for the same reason the Army needs weapons ranging from small arms to weapons of mass destruction. It needs tools that let it collect signals intelligence on foreign targets. And yes, that includes our "allies." They do it as much to as we do it to them. It's understood that it happens. Even the British and Canadians wouldn't be shy about collecting Top Secret data on our operations that we want to keep from them if they could acquire it without jeopardizing their highly productive and close relationship with the US.
Americans should be outraged that the NSA is now deeply integrated with federal law enforcement per 9/11 "reforms" that all but created an integrated security state. That puts our rights deeply at risk. Prior to 9/11, the most the NSA could legally do was inform Customs and the Coast Guard that smugglers were en route to US territorial waters or airspace. Now, they're damn near as much of an intelligence arm for law enforcement as the military.
What we need is an iron clad, black letter of the law statute that says that no data the NSA collects on Americans is legally admissible unless the communication was collected abroad, occurred entirely outside of US territory and is specifically of a nature that is dangerous to our national security.
If they had prevented any terrorist attacks, they'd be shouting it from the rooftops right now in an attempt to win more political support and counter any representatives who question their broad spying progams.
You don't trust your compiler (and compiler vendor)?
http://cm.bell-labs.com/who/ken/trust.html
Open source is no more secure than closed source, for a host of reasons, but at least with closed source, you know where the code came from and can judge it based on that.
You have absolutely no idea where the code came from with closed source. Could be from anyone. Not much different from open source except for the fact that with open source you can at least theoretically examine the code itself even though in most cases that will never happen.
You may know where the binary came from, but you have no idea where the code came from. And for all you know, neither did the person who signed the binary.
Given all the US lobbying against Huawei gear being used in critical infrastructure, it seems odd that the NSA is claiming they have managed to penetrate these routers.
Perhaps while NSA was powning Huawei routers they discovered they were already compromised.
Seems far more likely that in doing so, the NSA penetration was in turn detected and prevented by Huawei, or they haven't been able to penetrate to the extent they have with Cisco routers, and therefore they need to keep these out of critical infrastructure.
Sig Battery depleted. Reverting to safe mode.
I disagree. The code is out, anybody can review patches, etc. At least if it is developed in an open manor (ie truecrypt is a fine example of an application we shouldn't rely on as while its code is available its development is not transparent). If something is published that's nefarious you have to make some sort of effort to conceal it, and if its developed transparently as well all the more so. If it is proprietary you have to make zero effort to conceal it.
it is difficult to believe that the NSA is the only one doing this, so who else owns my electronic toys?
NSA does SIGINT, or signals intelligence, and it doesn't matter what computer solution you think you found, they will own you. The only solution is to avoid all computers. Have something important to say? do so in person. An important thing to record? Write it down. Heck, even the USPS or FedEx seems to be less compromised - they record the address info (metadata) but I haven't seen anything to imply they've been opening the letters.
CIA and FBI do HUMINT, or old-school spying, but from what I've heard their skills here have withered as they've focused on SIGINT themselves.
inb4 encryption - I assume that they can crack any encrypted files, or they wrote the specs in the first place.
You should be pointing people to this instead:
"Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers"
http://www.dwheeler.com/trusting-trust/
They do photograph every single letter and parcel, as well as x-ray scan everything that goes through their facility.
Is that "safe"? I don't know.
Can they discern written text inside a letter in an envelope, through x-ray scanning? I don't know.
Are they photographing every letter under extreme bright lights, making the container effectively transparent?
Not sure, but it's worth exploring every single one of those questions.
Free Software folks have their reputation too, and often that is the only thing motivating them.
Just a Tuna in the Sea of Life
You see, there is a big flaw in your point. _IF_ the only developers were in the US, you may have a better point. OpenSource is not just coded in the US, and the eyes looking at the code are all over. I think for a while you had a level of trust among OpenSource crowds that everyone was equally altruistic and freedom loving. I am pretty sure that when the leaks came out a few years ago about the NSA jacking encryption that trust evaporated pretty quickly.
What you may want to believe is that all of these coders are here doing "Merikah!" great favors, or at least looking the other way because.. you know, "Merikah!". Guys in Germany don't have any devotion to that cause, and won't be complicit.
So now, that level of trust that people had is gone. Not that OpenSource coders are all out trying to screw each other (as we see with 3 letter agencies and closed source companies), but there is a whole lot more scrutiny. As it should be, and like it was 10-15 years ago.
You can _never_ scrutinize closed source code. That point I agree with, and yes we should all assume that closed source systems ship compromised. As with the paragraph above, we used to assume that not very long ago. This is how we started to catch on to how shitty MS was (remember the ACK wars?).
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
No, nor should you need to.
For anything sufficiently widely used you will have several competing groups looking at it...
With american commercial software you likely only have the vendor and the nsa looking at it...
For something like linux you have not only the nsa, but also several foreign governments looking at it too. While you may not be able to trust a single party, the chance of error decreases when you have multiple parties who have no reason to collude together.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
http://www.spiegel.de/international/world/a-941262.html
.. Maybe I missed some context here, but as a former FedEx employee with frequent contact with current FedEx employees, I've not heard of every fedex package being subject to x-rays or picture collection, although I wouldn't be surprised at the latter since I believe they've installed state-of-the-art OCR for QR reading on the airbills. The closest thing to x-rays I know of are the laser scanners used for calculating dimensions/weight (dimweight) for appropriate billing (people marking "1 pound" on their Laserjet shipping...). The amount of time it would require to actually x-ray and analyze 5-10 million packages a day would be non-trivial, especially in light of the service commitments. I could be wrong, however, and I'll have to bring it up next time I talk to the guys.
If you were me, you'd be good lookin'. - six string samurai
I'd say the destruction of Iranian centrifuges was a master stroke, personally.
Why? Because the same people that destroyed their infrastructure told you that Iran is "evil"? Does "Iran = evil" mean that we should act in an evil fashion? Is Iran as evil as people tell you? Personally I no longer believe that line of rhetoric (30 years ago I did). I believe that two wrongs don't make a right. I also believe that we should treat people equally, regardless of Religion, Race, or gender.
For the duration of my life, which is longer than most people on this site, I have heard about how Iran is "evil" and plans to take over the world. I heard about how they hate Israel, but have never seen them do anything outside of their borders. They yelled a lot when Mossad allegedly destroyed infrastructure, but I have not seen the Republican guard blow shit up in Israel or even be accused. How "bad" or "good" the treatment of their own people is becomes subjective to the people that live there, not my opinion, and that treatment is based on their Religion. The US denounces Iran and their beliefs, yet we have no problem with Talmud Jewish beliefs that much of Israel follows (not to be confused with Rabbinical Jewish beliefs).
I'm not claiming that Iran does not do wrong things, but as a whole and in comparison to the US it's not even close. We went to war with Iraq on a completely fabricated premise killing millions. We helped a revolt in Libya, Egypt, are helping in Syria. We give arms to some 'terrorists' and launch Hellfire missiles at others. We have soldiers that will tell you stories about how the poppy growth in Afghanistan has boomed under US control, yet under the Taliban it was outlawed and production was virtually stopped. Today world wide heroine use/production/trafficking is killing more people than the Taliban ever did.
I'm also not claiming that Israel is "bad" because I don't live there so only have 2nd hand knowledge.
The point is, that the US is not some "justice" force out there righting wrongs and correcting injustice. Quite the contrary, we are causing more harm than helping in numerous countries. We, the intellectuals, really need to challenge handed down propaganda. Instead of accepting it, try to question it.
Our founding fathers had a mountain of quotes I could refer to, but I won't. We were supposed to be the example for Free Society, Republican Government, and tolerance. We were not supposed to be a thug.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
They do openly state on their website that they randomly x-ray scan packages however:
http://www.fedex.com/gh/shippingguide/terms/#11
That's fine, my handwriting is strong enough a cipher as it is.
Maybe we deserve this world ?
No. I think you've misunderstood one-time padding (or brute-forcing).
Brute forcing is when you try (almost) every possible key, which is significantly shorter than the message, to see what the message will turn out with said key hoping to find the right one. If the message turns out to make sense (contain english words or ascii alphabet for example) it is likely to be correct.
With OTP the key and the message are of equal length. Going through every key is the same as going through every possible message. So you will not only hit alphabet, but you'll get shakespeare and snowden leaks alike.
That makes all forms of bruteforcing futile. No extra codes necessary.
One bit example:
my message is M (0 or 1) and my pad is P (0 or 1).
M xor P = C cipher text, and equally C xor P is M.
Now, given C, say 1. You can trivially bruteforce it into 0 as if P had been 1 or into 1 as if P had been 0, but that solves nothing. Because both possibilites are equally likely. Repeat that on every bit and all you will ever know about the message is its length.
The length leakage is also easy to counter to some extent by appropriate amount of random padding (adding some extra gunk to the end).
1 Earth is warming, 2 It's us, 3 it's royally bad, 4 we need to take action NOW
Did you see that compromised on board network adapter or the USB cable? Those things were amazing pieces of tech.
The network adapter really just looked like a big RJ45 jack with some hardware on the back. That's what the non compromised version looks like. It does all the layer 1 stuff right there so you don't need to worry about things like impedance matching. The NSA added an extra chip which is invisible from the outside that acts as a second layer 2/3 controller. A simple single component replacement and that machine is now owned forever. Worse, there is NO WAY that you would know it from on the machine.
Speaking as someone who has a Bachelor Degree in Computer Engineering, I'm impressed. Scared, but still impressed.
So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
One thing you can use to increase the strength of OTP is extra data. They may not be able to crack the code, but they may be able to get an idea of the type of data it is by its length and the size of the key source (alpha only, alpha-num, etc).