Slashdot Mirror

← Back to Stories (view on slashdot.org)

Replicating the NSA's Gadgets Using Open Source

Posted by samzenpus on from the spy-on-it-yourself dept.

An anonymous reader writes "Wireless security researcher Michael Ossmann asked himself: 'Could I make the gadgets that the agency uses to monitor and locate mobile phones, tap USB and Ethernet connections, maintain persistent malware on PCs, communicate with malware across air gaps, and more, by just using open source software and hardware?' In this podcast he shares his insights on what to use — and how — to duplicate hardware devices found in the ANT catalog."

24 of 47 comments (clear)

  1. No surprise here by Anonymous Coward · · Score: 1

    In abstract: technology is repeatable

    I also wouldn't be surprised if some of the trinkets and software he's looking at were initially made by plugging together a few open source projects just like he's doing. The beta and release models probably have anything with an oppressive license removed, but internal alphas tend to be kludged together from anything available.

    1. Re:No surprise here by ledow · · Score: 4, Interesting

      Indeed. My greatest use of Open Source, freeware, shareware and other kinds of "free" software is "what if"-type questions. They would be difficult to answer if all that existed were paid-for commercial solutions that you were then tied into.

      Do we need Smoothwall in our large school? Hold on, let me bash out a squid + DansGuardian + iptables setup on an old office machine - look, it does roughly this. Great, should we buy the "commercial" product or is this more-than-enough for what we need (and I usually get both answers over time, depending on where I am)? Actually had one school use my box for 5 years rather than pay Smoothwall nearly a grand a year for updates.

      Whoops, we're out of MS licenses and we bought a load of netbooks - there you go, have LibreOffice. While you're there, tell me what's wrong with it and why we couldn't just use that everywhere. Nobody ever came up with an answer to that, which really makes me question why we pay MS for Office.

      My last one was digital signage. The school I work for had Powerpoints exported to MP4, then put onto a USB stick and plugged into an LG TV with looping turned on. Looked horrible but did the job. They knew it was the bare-bones and were looking for an all-in solution.

      I put in a Xibo box as a test and asked if that was closer to what they wanted. Overnight, the LG TV become attached to a PC running Xibo Client. We've tested it running over RDP from a VM and even off a Raspberry Pi. It's bridged the gap between "an old TV showing something" and "stupendously expensive site-wide digital signage system" nicely. And in fact will probably be as far as we go. If we end up having ten displays showing more than 3 or 4 different schedules, I'll be amazed and it will indeed be time to move to a more commercially-supported package. But for now? A £100 TV and £25 for a RPi box with appropriate cabling. Seems to do the trick quite nicely.

      We were going to buy a helpdesk system (don't quite know why). Stuck GLPI on, nobody's ever complained and I've been using GLPI for nearly 10 years in various places.

      The beauty of open-source stuff is that you can prototype for free, find out whether there is some element that you will NEED to pay for (i.e. better customisability, more scalability, commercial support, etc.) and not worry about the licence interfering at any point. When you throw it all out, or push a working system into wider deployment, the licensing doesn't really affect you. The only point is does affect you is when you try to commercialise it yourself.

      My first reaction upon being asked to do something is "Can I find a bit of free/open software that will do that?". If I can, then we can judge our real needs and requirement. If I can't, nothing lost - and it probably is something that takes a lot of commercial backing to make viable, but at least I know that.

      Especially in schools, some bits of free/open software are ubiquitous precisely because they are "good enough" - GIMP, Irfanview, Audacity, Blender, etc.

      And when prototyping anything, I tend to find someone's already beaten me to it, and usually by cobbling together open components.

      Even the open-source projects, most of the time someone's just cobbled together a lot of other open-source projects and their functionality and just lumped them into one convenient package or written a front-end that relies on dozens of other projects in order to reduce the strain.

      If the NSA *AREN'T* using open-source (or some agency-equivalent in a private secure codebase) in a modular manner to build both hardware and software for their "one-off" kinds of devices, then they really need to pull their finger out.

    2. Re:No surprise here by Anonymous Coward · · Score: 1

      Actually had one school use my box for 5 years rather than pay Smoothwall nearly a grand a year for updates.

      Nearly a grand a year is barely nothing. Especially for firewall updates. Thats what, 10 hours of your time over the course of a year? Did you do 10 hours a *year* to support your solution? If so you don't value your time enough.

      Cobbling together open-source stuff is great, but it has to be a cost benefit analysis. 1 grand a year is peanuts for a product, support and updates.

    3. Re:No surprise here by ledow · · Score: 4, Interesting

      £100 (GBP, notice, not USD) per hour in a school (note, UK schools are schools, for children, not universities or colleges)? You must be kidding.

      And beside that, the box ran maintenance free for 5 years. The only changes we ever made were to block specific things we suddenly decided now needed to be blocked (and thus would have the same cost on the Smoothwall solution).

      That was one of the points that stopped us buying - the fact that we'd not needed to maintain the "prototype" machine and it has just kept running. There was even a "what happens if the box dies" plan that never went into action because, well, it's still running now for all I know.

      Please note also that Smoothwall will often charge a lot more - i.e. for a 19" rack mount box to install this junk on, and initial purchase price. The last quote I saw for a similar-size school this year was £9000 all-in for the first three years.

      Given the 2 hours to build it (even compiling Squid from scratch to do transparent proxy properly), the other stuff it did, and the old office server it was running on, I work that out at £4500 an hour. If I was earning that, I wouldn't be working for Smoothwall or schools...

    4. Re:No surprise here by Anonymous Coward · · Score: 1

      Nobody? Are the people at your school dumb? There are plenty of reasons that LibreOffice is inferior to Microsoft Office.

      That may (or may not) be true, but the question was why they couldn't use it everywhere, not why everyone can't use it. I personally haven't used Microsoft Office in over a decade and never missed it. Does that make me dumb, too?

    5. Re:No surprise here by TemporalBeing · · Score: 1

      Whoops, we're out of MS licenses and we bought a load of netbooks - there you go, have LibreOffice. While you're there, tell me what's wrong with it and why we couldn't just use that everywhere. Nobody ever came up with an answer to that, which really makes me question why we pay MS for Office.

      Nobody? Are the people at your school dumb? There are plenty of reasons that LibreOffice is inferior to Microsoft Office. The discussion's been had a thousand times. LO might work for you and your students, but don't pretend that it's an apples-for-apples replacement.

      And there's plenty of reasons why it is also superior to Microsoft Office, but don't let that get in your way.

      The only real compelling reason to continue using Microsoft Office is if you are tied to a specific feature set, plugin, etc used and supported by Microsoft Office. Most everything can be ported over with minimal effort.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  2. laws of physics Yes, laws of your state, No by Anonymous Coward · · Score: 3, Insightful

    Yes, but anything messing with a cell phone is illegal unless you are above the law (law enforcement, Government etc.) It is even illegal to have a police scanner or radar detector in some (police) states.

    1. Re:laws of physics Yes, laws of your state, No by Chrisq · · Score: 1

      Yes, but anything messing with a cell phone is illegal unless you are above the law (law enforcement, Government etc.)

      Not your own cellphone for proof of concept surely?

    2. Re:laws of physics Yes, laws of your state, No by mariox19 · · Score: 1

      surely?

      You must be new around here. Let me be the first to welcome you to the United States of America.

      --

      quiquid id est, timeo puellas et oscula dantes.

  3. National Security by mfh · · Score: 5, Insightful

    If the NSA does it, hey that's national security and they are allowed to do anything.

    If you do it, you're going to be spending the rest of your life in a 10' cube for national security.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  4. lately thats not been possible. by nimbius · · Score: 3, Interesting

    the NSA's gadgets, to date, have been secret courts and gag orders. Anyone with a crowbar and a laptop can certainly wiretap an entire neighborhood, but it takes real skill to engineer a series of legal and political precidents and procedures around the power to get away with it. so, lets take a stab at it slashdot!

    what i propose is an open-source means of manufacturing consent at the senate and congressional levels of government. The license for ensuring the president and cabinet members acquiesce to everything from rendition to secret torture camps should probably be 3-clause BSD. Warrantless GPS surveillance can use GNU radio, but the technology to forcibly demand the tracking device be returned should be licensed GPLv3. Im still stumped as to how we're going to get a CC licensed version of a gag order from a secret court

    --
    Good people go to bed earlier.
  5. Lets make problems worse. by jellomizer · · Score: 3, Interesting

    Why bother trying to solve problems, lets just make them so much worse.

    OK yes the NSA did a lot of illegal things and used/misused tools to gather information that they shouldn't have, and they have a problem being a secret organization of having the correct checks and balances to keep them in place.
    So instead of putting brain power into figuring out how to make such organizations more trustworthy and deserving to be trustworthy. Lets just take all their tools and tricks and give them to the general public. Where any kid with some free time and the trendy hatred of "The Man" can get their hands on it, and use it to cause all sorts of problems.

    If you are concerned about your privacy giving these tools to the public is just a bad idea. Sure the black hat argument, if we break in then they will have to fix it and make it more secure... But can they really always do that, Not all software and PC's are equal in security needs.
    But that is like saying we should all drive armored cars, carry guns, and live like a military personal because there are some kids who just want to destroy things because they can and makes them feel like a big man.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Lets make problems worse. by drinkypoo · · Score: 2

      instead of putting brain power into figuring out how to make such organizations more trustworthy and deserving to be trustworthy. Lets just take all their tools and tricks and give them to the general public

      False dichotomy. Some believe that the only way to do the first thing is to do the second thing, not just in the interests of disclosure but also simply education. How are you going to learn to defend against the attacks without the attacks to practice against?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Lets make problems worse. by TheCarp · · Score: 1

      > If you are concerned about your privacy giving these tools to the public is just a bad idea. Sure the black hat
      > argument, if we break in then they will have to fix it and make it more secure..

      I think you believe your own straw man.

      What is being assaulted here is the relative bubble the NSA operates in. You see, if the NSA develops a tool, that is them. Its tradecraft, its keeping us safe, its under control. They have it, we have no proof anyone else does. No "real" problem...just an "academic" problem of us whiny people complaining about "rights".

      However, when someone produces it and shows how easy it is, its no longer the NSA in a vacuume, its anybody with a few bucks. `The thing is....this isn't special. If you really, truely want these devices, you can, for the most part, build them yourself with time. That is true now, it was true a few years ago.

      The only real difference is how plausible the deniability is when someone claims that its hard or it requires sophistication to some huge level. It isn't true, its not been true for a while, and it is high time to dispel that myth.

      Fact is, the risk is already out there. We already see specialized hardware attacks on ATMs. We have already seen "evil maid" attacks on laptops of Poker players: http://securitywatch.pcmag.com...

      I don't think informing people with concrete examples of the real threats and popping the bubble around the NSA is really a bad thing. The "bad guys" of whatever flavor you imagine, already have these tools and no qualms about using them.

      --
      "I opened my eyes, and everything went dark again"
  6. Ok wait, hang on by Sycraft-fu · · Score: 3, Insightful

    Is there any evidence of this "air gap malware" crap? Yes I remember there was a preliminary story on Slashdot... I don't remember any followup, any proof, just some wild ass speculation.

    Is there any evidence that such a thing actually exists?

    1. Re:Ok wait, hang on by fulldecent · · Score: 2

      It is audio exfiltration, not audio infection. Not very oh-my-god stuff here.

      --

      -- I was raised on the command line, bitch

    2. Re:Ok wait, hang on by Sycraft-fu · · Score: 2

      The claim made was reinfection via audio. However, as I said, I've seen no proof. Nor, for that matter, any proof on the audio exfiltration malware. Just the one sensationalist preliminary article and no followup.

      Hence why I'm interested if there is actually any more information, or if this is just more Internet echo chamber where one unfounded report becomes an Absolute Truth(tm).

    3. Re:Ok wait, hang on by nospam007 · · Score: 2

      "If you used 1kHz at the top of the audio range it would basically be inaudible. "

      But it might annoy some teens, an added bonus.

    4. Re:Ok wait, hang on by phantomfive · · Score: 1

      My understanding of the claim was that once the computer was infected, it used inaudible sound to communicate. Also, AFACT it was nothing more than an experimental project. Nothing particularly interesting.

      --
      "First they came for the slanderers and i said nothing."
    5. Re:Ok wait, hang on by rtb61 · · Score: 1

      Air gap espionage I thought that was the pet project of the CIA, with MK Ultra suspected as still running as an off balance sheet semi-privatised but fully politicised entity, undoubtedly doing some very strange things, with some very strange people. Not so much cooperating with the NSA but in competition with them. One wanders if the NSA will start shifting some research efforts into that whole mind control area, as that is one remaining area that have as yet failed to tap.

      --
      Chaos - everything, everywhere, everywhen
  7. Podcast Spam by ilikenwf · · Score: 3, Insightful

    Really, this is just promotion of some podcast.

  8. No, This is the First Step in Fixing the Problem by Anonymous Coward · · Score: 3, Insightful

    OK yes the NSA did a lot of illegal things and used/misused tools to gather information that they shouldn't have, and they have a problem being a secret organization of having the correct checks and balances to keep them in place.
    So instead of putting brain power into figuring out how to make such organizations more trustworthy and deserving to be trustworthy. Lets just take all their tools and tricks and give them to the general public. Where any kid with some free time and the trendy hatred of "The Man" can get their hands on it, and use it to cause all sorts of problems.

    First, it can be argued that, to solve a problem, you must first understand it. Knowing how the NSA is violating our privacy at a technical level is the first step in preventing it.

    Second, if having our Dear, Beloved Leaders violate our privacy and constitutional rights is not enough incentive to find solutions to these issues, then maybe having every script kiddie able to do the same might result in some resources being put into place to solve this problem, particularly with respect to corporations who have been actively facilitating this nonsense in the past (*cough* Microsoft, *cough* Cisco, etc.).

    So while the short term pain might be a bit unpleasant, it seems to me the long term, much needed changes are probably well worth it.

  9. Please be careful by ctrl-alt-canc · · Score: 1

    Duplicating the gadget can be very dangerous!

  10. NSA has weakened national security by IDtheTarget · · Score: 1

    I'm wondering when somebody in congress will initiate legal action against the NSA for weakening national security.

    It's generally acknowledged by now that the NSA has intentionally weakened various cryptographic algorithms, including AES. I'm responsible for various WAN links at my organization, and they use AES-256 IPSec tunnels to secure the traffic. That traffic is extremely sensitive in nature. The NSA may have intended to only allow themselves to crack this encryption, but how am I supposed to know that some other hacker hasn't figured out how to take advantage of the NSA's actions? How do I tell my director that our data is secure, and that we're meeting state and federal regulatory requirements?