Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Look at the NSA's Most Powerful Internet Attack Tool

Posted by samzenpus on from the big-gun dept.

realized writes in with a closer look at the NSA's QUANTUM system. "Today QUANTUM packs a suite of attack tools, including both DNS injection (upgrading the man-on-the-side to a man-in-the-middle, allowing bogus certificates and similar routines to break SSL) and HTTP injection. That reasonable enough. But it also includes gadgets like a plug-in to inject into MySQL connections, allowing the NSA to quietly mess with the contents of a third-party's database. (This also surprisingly suggests that unencrypted MySQL on the internet is common enough to attract NSA attention.) And it allows the NSA to hijack both IRC and HTTP-based criminal botnets, and also includes routines which use packet-injection to create phantom servers, and even attempting (poorly) to use this for defense."

16 of 154 comments (clear)

  1. I wonder by Anonymous Coward · · Score: 5, Insightful

    all these software engineers that work for nsa/gov , do they have any fucking morals? do they really believe they are securing the world from the evil guys? are they kept at gunpoint? are they just plain stupid? Fail to realize that us, the makers , have all the power is the worst mistake. Plant secret backdoors, failure modes, weaknesses. Be in charge. You don't owe anything to these black suits. Wake fucking up.

    1. Re:I wonder by epyT-R · · Score: 3, Insightful

      It probably pays well.

    2. Re:I wonder by Arker · · Score: 3, Informative

      It depends, if you are an actual employee I understand the pay is not really spectacular. The benefits, however, are outrageous. And these days of course the government has gotten into outsourcing too, and most of their workers are contractors, not employees. The contractors are obviously paid well, and if theoretically they have less job security practically their programs are only set to expand.

      Anyway, regardless of position, you could probably make more money in the private sector if you are really motivated to go out and make the next big thing. But this sort of job is about more than compensation. It draws people that really believe in the cause (who eventually become disillusioned, and sometimes become whistleblowers) along with amoral sociopaths that get off on power. Unfortunate that the latter stand a much better chance of being promoted and the former of being waterboarded, seems backwards somehow, but oh well.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    3. Re:I wonder by tshawkins · · Score: 5, Interesting

      Its the same question that should have been asked of the doctors that assisted with the torture and stress programs, the psychologists that aided and abetted the threats made against detainees families. The aviation engineers that built remote controlled ariel death machines. The lawyers that twisted and bent the law to try to justify all the above. There is a tendancy for professions to remote themselves from the consequences of thier actions, and to adopt both the "obeying orders" and the "if we dont do it, somebody else will" defense. Scumbags the lot of them, there is a very hot place waiting for them all.

    4. Re:I wonder by UnknownSoldier · · Score: 3, Interesting

      Riiiight, because your faith is magically better then his faith ???

      Grow the fuck up and learn some respect for a different perspective / belief.

  2. wishful thinking by Patent+Lover · · Score: 5, Insightful

    Now if they would just use it to actually stop botnets.

    1. Re:wishful thinking by Burz · · Score: 5, Interesting

      Clearly they have an interest (or conflict of interest) in letting botnets run amok, as it gives them a cover for their own illegal activities.

  3. Re:Feed the beast by Urza9814 · · Score: 4, Funny

    They'll probably just think you're another 13 year old kid about to get himself killed doing something incredibly stupid....

  4. I fully support this by Anonymous Coward · · Score: 5, Funny

    I'm American and I fully support this. This is exactly what intelligence agencies are for. Nothing in any of these leaks in the linked article suggests these capabilities are being abused. I want my government to be able to pursue foreign intelligence targets with capabilities like these and--in a time where people complain relentlessly about government agencies being ineffective--I'm glad they are able to do this.

    Posting anonymously because I've lost too much karma expressing a contrarian opinion on all these Snowden articles. Frankly, I'm more scared of moderators than our government...

    1. Re:I fully support this by epyT-R · · Score: 5, Insightful

      You know, one of these days, you will be the one arrested and thrown in prison without due process for 'terroristic acts', or some other set of stacked charges that cannot be challenged in court because they're matters of 'national security'. It's people like you that allow wannabe tyrants to bypass civil liberties and seize power in the first place. It is a known fact that the feds are breaking the law to pursue their own political or financial agendas. While it is true that the NSA/CIA were chartered to monitor foreign governments, what they've been up to since then has obviously come up short of expectation. They need reigning in and refocusing. Heads need to roll.

      Governments are only ineffective at the things they promised but aren't in the best interests of the high level bureaucrats. Governments are scarily effective at doing whatever it is those in power really want to do. After all, all an employer can do is fire you, but a government can throw you in a box and toss the key.

      I fear the federal government more than some 13th century thugs from the middle east. Groupthink is the most powerful religion in existence. bin laden's goal was to get us to do his work for him, to destroy ourselves from within. So far, he's won every battle.

    2. Re:I fully support this by Concerned+Onlooker · · Score: 4, Insightful

      "All this crying about it being a slippery slope isn't making us any safer."

      I don't know anything about slippery slopes, but I do seem to recall a famous quote about something to do with eternal vigilance and freedom.

      --
      http://www.rootstrikers.org/
  5. Re:Might not be intended for Internet MySQL by Deep+Esophagus · · Score: 4, Funny

    I have to wonder, how many national-security-endangering secrets are terrorists storing in a MySQL database?

  6. It is the private sector by dbIII · · Score: 4, Insightful

    Recent revelations about spying on an Indonesian clove cigarette company for the benefit of US "customers" is one example.
    So that's for the private sector. How the customers in the private sector commission the work and pay for it would make an interesting story. Perhaps they pay via political campaign finance? Let's open that can of worms.

  7. boiled frogs, would be my guess as a security prof by raymorris · · Score: 3, Insightful

    My guess, as a security professional who could have been recruited for a three-letter agency, is that many of them are boiled frogs. There are technical challenges that smart geeks love, plus the whole hacker mystique, but you don't want to be criminal, so you go white-hat, hacking bin Ladin. That adds the whole "international spy" thing into it and maybe you help catch some really bad guys. That would be awesome, spying on al Qaeda. Hmm, if you expanded that technique you could catch a lot of bad guys. So you expand it to log calls to and from Iraq, Afghanistan, and Syria. After a few years, you end up in a place you never would have knowingly sought to go.

  8. Story writer didn't read own story. by BitterOak · · Score: 4, Insightful

    But it also includes gadgets like a plug-in to inject into MySQL connections, allowing the NSA to quietly mess with the contents of a third-party's database. (This also surprisingly suggests that unencrypted MySQL on the internet is common enough to attract NSA attention.)

    When the author wrote that part of the story, he or she seemed to be unaware of what he or she had just written:

    allowing bogus certificates and similar routines to break SSL

    By breaking SSL, the NSA has access to SQL queries whether or not they're encrypted.

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  9. Hypocrite by TiggertheMad · · Score: 4, Funny

    Grow the fuck up and learn some respect for a different perspective / belief.

    I believe that god is seventeen giant, 65 foot long orange lizards, all who are named 'Ralph'. They have mile long, glittering prehensile cocks that drag behind them. Ralph^17 will sail invisibly across the sky once per hour, where all humans on the planet must turn to the South, and bow while chanting, 'Rubber Button' for one minute in order to avoid Ralph's divine and righteous wrath. His son is a stop sign three miles south of Yuma, and all who are able must journey to see him once in their life, lest they be dammed to spend Christmas vacation in New Jersey for all eternity. I demand the same respect that these goofy christian mono-godders get, up to and including wording on American money acknowledging Ralph^17's almighty farts. BOW, HEATHENS!

    I mock you sir, for failing to respect that some people's perspective and beliefs are that 'invisible shit isn't real, and that you should call out the Emperor as naked when he is'.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!