Slashdot Mirror


Replicating the NSA's Gadgets Using Open Source

An anonymous reader writes "Wireless security researcher Michael Ossmann asked himself: 'Could I make the gadgets that the agency uses to monitor and locate mobile phones, tap USB and Ethernet connections, maintain persistent malware on PCs, communicate with malware across air gaps, and more, by just using open source software and hardware?' In this podcast he shares his insights on what to use — and how — to duplicate hardware devices found in the ANT catalog."

13 of 47 comments

  1. laws of physics Yes, laws of your state, No by Anonymous Coward · · Score: 3, Insightful

    Yes, but anything messing with a cell phone is illegal unless you are above the law (law enforcement, Government etc.) It is even illegal to have a police scanner or radar detector in some (police) states.

  2. National Security by mfh · · Score: 5, Insightful

    If the NSA does it, hey that's national security and they are allowed to do anything.

    If you do it, you're going to be spending the rest of your life in a 10' cube for national security.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  3. lately that's not been possible. by nimbius · · Score: 3, Interesting

    the NSA's gadgets, to date, have been secret courts and gag orders. Anyone with a crowbar and a laptop can certainly wiretap an entire neighborhood, but it takes real skill to engineer a series of legal and political precedents and procedures around the power to get away with it. so, let's take a stab at it slashdot!

    what I propose is an open-source means of manufacturing consent at the senate and congressional levels of government. The license for ensuring the president and cabinet members acquiesce to everything from rendition to secret torture camps should probably be 3-clause BSD. Warrantless GPS surveillance can use GNU radio, but the technology to forcibly demand the tracking device be returned should be licensed GPLv3. I'm still stumped as to how we're going to get a CC licensed version of a gag order from a secret court.

    --
    Good people go to bed earlier.
  4. Let's make problems worse. by jellomizer · · Score: 3, Interesting

    Why bother trying to solve problems, let's just make them so much worse.

    OK yes the NSA did a lot of illegal things and used/misused tools to gather information that they shouldn't have, and they have a problem being a secret organization of having the correct checks and balances to keep them in place.
    So instead of putting brain power into figuring out how to make such organizations more trustworthy and deserving to be trustworthy. Let's just take all their tools and tricks and give them to the general public. Where any kid with some free time and the trendy hatred of "The Man" can get their hands on it, and use it to cause all sorts of problems.

    If you are concerned about your privacy, giving these tools to the public is just a bad idea. Sure the black hat argument, if we break in then they will have to fix it and make it more secure... But can they really always do that? Not all software and PCs are equal in security needs.
    But that is like saying we should all drive armored cars, carry guns, and live like military personnel because there are some kids who just want to destroy things because they can and makes them feel like a big man.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Let's make problems worse. by drinkypoo · · Score: 2

      instead of putting brain power into figuring out how to make such organizations more trustworthy and deserving to be trustworthy. Let's just take all their tools and tricks and give them to the general public

      False dichotomy. Some believe that the only way to do the first thing is to do the second thing, not just in the interests of disclosure but also simply education. How are you going to learn to defend against the attacks without the attacks to practice against?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Ok wait, hang on by Sycraft-fu · · Score: 3, Insightful

    Is there any evidence of this "air gap malware" crap? Yes I remember there was a preliminary story on Slashdot... I don't remember any followup, any proof, just some wild ass speculation.

    Is there any evidence that such a thing actually exists?

    1. Re:Ok wait, hang on by fulldecent · · Score: 2

      It is audio exfiltration, not audio infection. Not very oh-my-god stuff here.

      --
      I was raised on the command line, bitch

    2. Re:Ok wait, hang on by Sycraft-fu · · Score: 2

      The claim made was reinfection via audio. However, as I said, I've seen no proof. Nor, for that matter, any proof on the audio exfiltration malware. Just the one sensationalist preliminary article and no followup.

      Hence why I'm interested if there is actually any more information, or if this is just more Internet echo chamber where one unfounded report becomes an Absolute Truth(tm).

    3. Re:Ok wait, hang on by nospam007 · · Score: 2

      "If you used 1kHz at the top of the audio range it would basically be inaudible."

      But it might annoy some teens, an added bonus.

  6. Re:No surprise here by ledow · · Score: 4, Interesting

    Indeed. My greatest use of Open Source, freeware, shareware and other kinds of "free" software is "what if"-type questions. They would be difficult to answer if all that existed were paid-for commercial solutions that you were then tied into.

    Do we need Smoothwall in our large school? Hold on, let me bash out a squid + DansGuardian + iptables setup on an old office machine - look, it does roughly this. Great, should we buy the "commercial" product or is this more-than-enough for what we need (and I usually get both answers over time, depending on where I am)? Actually had one school use my box for 5 years rather than pay Smoothwall nearly a grand a year for updates.

    Whoops, we're out of MS licenses and we bought a load of netbooks - there you go, have LibreOffice. While you're there, tell me what's wrong with it and why we couldn't just use that everywhere. Nobody ever came up with an answer to that, which really makes me question why we pay MS for Office.

    My last one was digital signage. The school I work for had Powerpoints exported to MP4, then put onto a USB stick and plugged into an LG TV with looping turned on. Looked horrible but did the job. They knew it was the bare-bones and were looking for an all-in solution.

    I put in a Xibo box as a test and asked if that was closer to what they wanted. Overnight, the LG TV became attached to a PC running Xibo Client. We've tested it running over RDP from a VM and even off a Raspberry Pi. It's bridged the gap between "an old TV showing something" and "stupendously expensive site-wide digital signage system" nicely. And in fact will probably be as far as we go. If we end up having ten displays showing more than 3 or 4 different schedules, I'll be amazed and it will indeed be time to move to a more commercially-supported package. But for now? A £100 TV and £25 for a RPi box with appropriate cabling. Seems to do the trick quite nicely.

    We were going to buy a helpdesk system (don't quite know why). Stuck GLPI on, nobody's ever complained and I've been using GLPI for nearly 10 years in various places.

    The beauty of open-source stuff is that you can prototype for free, find out whether there is some element that you will NEED to pay for (i.e. better customisability, more scalability, commercial support, etc.) and not worry about the licence interfering at any point. When you throw it all out, or push a working system into wider deployment, the licensing doesn't really affect you. The only point it does affect you is when you try to commercialise it yourself.

    My first reaction upon being asked to do something is "Can I find a bit of free/open software that will do that?". If I can, then we can judge our real needs and requirements. If I can't, nothing lost - and it probably is something that takes a lot of commercial backing to make viable, but at least I know that.

    Especially in schools, some bits of free/open software are ubiquitous precisely because they are "good enough" - GIMP, IrfanView, Audacity, Blender, etc.

    And when prototyping anything, I tend to find someone's already beaten me to it, and usually by cobbling together open components.

    Even the open-source projects, most of the time someone's just cobbled together a lot of other open-source projects and their functionality and just lumped them into one convenient package or written a front-end that relies on dozens of other projects in order to reduce the strain.

    If the NSA *AREN'T* using open-source (or some agency-equivalent in a private secure codebase) in a modular manner to build both hardware and software for their "one-off" kinds of devices, then they really need to pull their finger out.

  7. Podcast Spam by ilikenwf · · Score: 3, Insightful

    Really, this is just promotion of some podcast.

  8. No, This is the First Step in Fixing the Problem by Anonymous Coward · · Score: 3, Insightful

    OK yes the NSA did a lot of illegal things and used/misused tools to gather information that they shouldn't have, and they have a problem being a secret organization of having the correct checks and balances to keep them in place.
    So instead of putting brain power into figuring out how to make such organizations more trustworthy and deserving to be trustworthy. Let's just take all their tools and tricks and give them to the general public. Where any kid with some free time and the trendy hatred of "The Man" can get their hands on it, and use it to cause all sorts of problems.

    First, it can be argued that, to solve a problem, you must first understand it. Knowing how the NSA is violating our privacy at a technical level is the first step in preventing it.

    Second, if having our Dear, Beloved Leaders violate our privacy and constitutional rights is not enough incentive to find solutions to these issues, then maybe having every script kiddie able to do the same might result in some resources being put into place to solve this problem, particularly with respect to corporations who have been actively facilitating this nonsense in the past (*cough* Microsoft, *cough* Cisco, etc.).

    So while the short term pain might be a bit unpleasant, it seems to me the long term, much needed changes are probably well worth it.

  9. Re:No surprise here by ledow · · Score: 4, Interesting

    £100 (GBP, notice, not USD) per hour in a school (note, UK schools are schools, for children, not universities or colleges)? You must be kidding.

    And beside that, the box ran maintenance free for 5 years. The only changes we ever made were to block specific things we suddenly decided now needed to be blocked (and thus would have the same cost on the Smoothwall solution).

    That was one of the points that stopped us buying - the fact that we'd not needed to maintain the "prototype" machine and it has just kept running. There was even a "what happens if the box dies" plan that never went into action because, well, it's still running now for all I know.

    Please note also that Smoothwall will often charge a lot more - i.e. for a 19" rack mount box to install this junk on, and initial purchase price. The last quote I saw for a similar-size school this year was £9000 all-in for the first three years.

    Given the 2 hours to build it (even compiling Squid from scratch to do transparent proxy properly), the other stuff it did, and the old office server it was running on, I work that out at £4500 an hour. If I was earning that, I wouldn't be working for Smoothwall or schools...