Slashdot Mirror
NSA Prepares For Future Techno-Battles By Plotting Network Takedowns
Advocatus Diaboli (1627651) writes According to top secret documents from the archive of NSA whistleblower Edward Snowden seen exclusively by SPIEGEL, they are planning for wars of the future in which the Internet will play a critical role, with the aim of being able to use the net to paralyze computer networks and, by doing so, potentially all the infrastructure they control, including power and water supplies, factories, airports or the flow of money. Also check out — New Snowden documents show that the NSA and its allies are laughing at the rest of the world.
while millions of americans starve
More like the US and its 4 bitches. lol
As usual has something to say on the New NSA Documents on Offensive Cyberoperations https://www.schneier.com/blog/... with links to additional sources.
Connect everything to the Internet, even crucial things. All hail the Internet of Things! What could possibly go wrong?
"Television Host: The feeling is definitely there. It's a new morning in America... fresh, vital. The old cynicism is gone. We have faith in our leaders. We're optimistic as to what becomes of it all. It really boils down to our ability to accept. We don't need pessimism. There are no limits."
=> http://www.imdb.com/title/tt00...
"...the NSA and its allies are laughing at the rest of the world."
Seriously, the two probable behaviors of voyeurs are either (1) laughter, or (2) heavy breathing.
I hoped this privacy-invading mass surveillance shit would stop instead it is escalating in a new arms race.
"NSA .. are planning .. to paralyze computer networks and, by doing so, potentially all the infrastructure they control, including power and water supplies, factories, airports or the flow of money."
Did I just slip through a crack in the universe, to a place where the past decades of computer intrusions didn't take place. If so, then that would explain why people are still connecting their critical infrastructure directly to the Internet.
I cannot possibly see any kind of justification for 'public right to know' or 'public interest' here.
Here, it's just a bunch of idiots who hate the West in general (and the United States in particular), trying to give the Western security apparatus a black eye. I fail to see how leaking our game plans to enemies and competitors is going to make us any safer.
Like it or not, the West is the light on the hill for the whole world. People who believe otherwise should imagine the whole world being run along Chinese, Russian or Islamist lines... The West does a lot of bad shit, but we are choir boys, compared to the rest of the world.
Dear leaker community: please stop shitting in your own nest. You have no idea what you're doing, or what kind of world you're trying to create.
Just because you spent hundreds of billions on rickety architecture doesn't mean we have to use it. To paraphrase Richard Nixon - "My DNS server entries mean whatever I choose them to mean" in fact, the whole .gov and .mil arena can be routed to goat.se in minutes and there is nothing you can do to stop it.
In other words, the internet exists by the consent of the governed. It's our internet, and we'll do as we please.
More simply explained. People's bosses aren't willing to pay for properly isolating their infrastructure because
a) they don't understand
b) they don't care
and c) they want direct access to their stuff from wherever they are, just like the vendor promised.
Did I just slip through a crack in the universe, to a place where the past decades of computer intrusions didn't take place.
In every past intrusion, the intruders were always held to be 100% to blame.
No manager ever went to jail for gross negligence after a million credit card numbers were stolen, or a control system was attacked.
No major company that was breached ever got sued for all they have by customers whose personal information and privacy were compromised due to the company's gross negligence --- again the intruders were held to have all the blame.
The most serious breaches happen every day by most every business large and small.... you can bet your bottom dollar, that the vast majority of breaches are swept under the rug, and we never learn about them. Unless the breach becomes severe enough or something happens where the company can no longer hide it.... I suspect 90% of small and medium businesses are not disclosing this kind of stuff properly, not even if customers are at risk
When was the last time you got a letter from your grocery store?
Businesses are having workstations on their LAN infected with random malware all the time.
Just about any service provider you do business with has your information and has Windows workstations, and that should make the public scared as hell
But by and large, the public is unaware, even "security experts" are unaware.
that doing stuff like this makes all of the US a target for every other nation on this planet!
I got to the chocolate box before you, that's why the hard ones have teeth marks.
Don't want your infrastructure paralyzed? Don't connect it to a global public network.
Afraid the NSA has compromised the infrastructure of your nation? Pull the plug to the rest of the world, isolate your network, reload everything including firmware and have that firmware analyzed byte by byte for potential vulnerabilities. Or buy silent typewriters and use them in soundproof roofs that have been swept for bugs.
These guys have compromised the planet all the way down to the equipment manufacturers. They have themselves endangered national security by injecting such vulnerabilities for the black hat community to discover and enjoy. This has become less about national security and more about manipulation/control of the populace/world. They have overstepped their bounds greatly to the point of being dangerous to the liberty of every man, woman and child on the face of this Earth potentially and very little is being done to put a leash on them.
Seriously, what hasn't the NSA illegally pwned yet? They are conducting organized crime basically and our government has told us to shove it. I'd laugh too. Hell, I might even die laughing. I don't think I'd be able to stop.
Ripping out a couple of fibre optic cables has the same effect, as happened with severe storms in Australia.
I'm sure one disenfranchised pleb could easily create the same mayhem, US corporations have the most to loose.
And if a few plebs got organised ???
The rest of the world is laughing at the NSA.
Go well
You forgot it is too expensive to duplicate the internet for your factory or plant.
It's not really that important, you don't have to use it.
Few days ago Der Spiegel published dozens of TS documents with a detailed list of security software that the NSA can and cannot break, and now this. These are exactly the things whose publication the NSA feared the most, some documents even describe a counter-cyber-espionage operation against South Korea (a US ally). Many people at NSA are going to need a lot of Maalox tablets tomorrow. LOOOOOL !!!
windoze
The agent responsible for what happens in these pages could be a good start to slutshaming these assholes.
http://www.spiegel.de/media/me...
1st. this is just justification for their building structured departments around attacking infrastructure. 2nd network security begins and ends at having two home networks. one connected to the internet and another connected to nothing. And a external hard drive to ferry the shit that matters.
Or they have a felony conviction for pot on their record and every job application asks if they have ever been convicted of a felony. The background check companies are allowed to do will reveal those that lied.
Let's face it, the system of denial because of legal issues is huge in the US which also happens to have the largest prison population in the world. Convicted felons, whether they served their time honorably or not, are denied a job, a home, the right to participate in our political system and in general to be considered "rehabilitated". In short, they are stigmatized from the first arrest for the rest of their lives.
This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
The intruders are 100% to blame.
False dichotomy, moron. There can be multiple people at fault for different things. The intruders for an obvious reason, and the company for not using reasonable levels of security.
If someone smashes a window and burglarizes your home is it your fault because you didn't put bars over your windows?
There is such a thing as negligence, and in this context, it occurs when even multi-million (or billion!) dollar companies fail to use even a minimal level of security. You seriously can't tell the difference between a reasonable level of security and absolutely perfect security? Yes, I'm going to put forth the *outrageous* idea that companies should protect data with a reasonable level of security, and that they shouldn't ignore reality and put everyone's data at risk with absolutely laughable security practices. Wow, the poor babies!
And Snowden must enjoy living in Russia because he is digging his own hole everytime he release information on the US counter intelligence services that have nothing to do with the average US citizen.
As a US citizen, I care very much about things like ethics and justice; those are things which the US is supposed to aspire to, but doesn't, and no thanks to ignorant fools like yourself. Someone isn't subhuman just because they're born outside the US, and they deserve protections from indiscriminate surveillance as well. An organization like the NSA which has committed so many wrongs does not deserve any sympathy from anyone.
and obscuring the fact that the US is by no means the only country on the planet with espionage and counterintelligence operations across the globe.
"Everybody else is doing it, so it must be okay!" If we're such an excellent country, then maybe we should set an example for other countries by not doing evil things. Seriously, you people spew forth this nonsensical justification almost every time it comes out, and it gets tiring pointing out the fallacy.
Connecting the dots?
They hack computer A, hack computer B, send computer B's data to A, and collect it as it crosses their mass surveillance network. 'A' is used as a scapegoat:
"It's absurd: As they are busy spying, the spies are spied on by other spies. In response, they routinely seek to cover their tracks or to lay fake ones instead. In technical terms, the ROC lays false tracks as follows: After third-party computers are infiltrated, the process of exfiltration can begin -- the act of exporting the data that has been gleaned. But the loot isn't delivered directly to ROC's IP address. Rather, it is routed to a so-called Scapegoat Target. That means that stolen information could end up on someone else's servers, making it look as though they were the perpetrators. "
So the hack of Sony might be NSA, to justify attacks on North Korea, or simply get a bigger budget and force Obama into backing them.
But also several incidents have seemed odd. With US targets being arrested for hacking with strong evidence trails back to them, remember Pirate Bay founder?:
http://mashable.com/2014/10/30/pirate-bay-founder-guilty-of-hacking-denmark/
"Gottfrid Svartholm Warg, a Swedish hacker and founder of file-sharing website The Pirate Bay, was found guilty of hacking crimes in Denmark on Thursday."
"In what the prosecution called the country's biggest hacking case, Svartholm Warg, 30, was found guilty of breaking into various Danish public databases controlled by IT service provider CSC in 2012, accessing hundreds of thousands of social security numbers, criminal records and extradition agreements. Svartholm Warg allegedly committed the crime along with his accomplice, a 21-year-old Dane only known as "JKT" (the judge asked his name not to be published) according to media reports."
"Throughout the trial, Svartholm Warg's lawyer argued that the hacker was innocent, and that someone else carried out the crimes by hacking into his computer."
"I have recommended that the court dismiss the case based on the remote access argument," Svartholm Warg’s lawyer Luise Høj said, according to TorrentFreak. "It is clear that my client’s computer has been the subject of remote control, and therefore he is not responsible."
"The hacking theory was supported by security researcher Jacob Appelbaum, who provided evidence in the trial. Appelbaum expressed his disappointment with the conviction on Twitter."
... why don't they shut off the power supply in North Korea, or the water pump in Mosul, Iraq?
I mean, if they laugh at the rest of the world at our 'backwardness', go shut off the power supply, water supply, telecommunication network which feeds the terrorists in Iraq/North Korea/Syria/Northern Nigeria
Instead of laughing at the rest of the world, show us, NSA, show us how capable you are!
Look, if there's a need for cyberwarfare (let's assume the premise) then bring it under the Pentagon and let the NSA get back to purely defensive infrastructure stuff. There should not be a rogue civillian agency making War, if for no other reason than that the real Generals need full situational awareness.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
OpenSSH attack where NSA is able to inject their own public key into the openssh binary and bypass all the system checks to prevent such an attack. The NSA guy bragged he was able to do it in (3?) days while visiting Australia.
Developing Blue Pill attacks using hypervisor and intel virtualization.
Poe's law or ignorance? Network isolation is more about putting things where they belong and doing less. Network services are network services. The only significant difference is choosing to not connect to other networks, thus the term inter-network. No "duplicate the internet" required.
If someone smashes a window and burglarizes your home is it your fault because you didn't put bars over your windows?
Your remark is a false analogy. You are missing an important concept called duty of care in regards to companies that require you to provide them sensitive information in order to purchase a service from them. Try this one: you go to the jewelry store, and secure into their care a $100,000 jeweled necklace for repairs. Overnight, a burglar smashes a window in the store and swipes your necklace. The store just calls you up and informs you it has been stolen, so you won't be able to pick it up, and we're sorry we can't help you replace it, BUT we will offer you a 25% discount coupon good for 2 years. There were no bars on the windows, and a worker just left your piece on a work desk or file cabinet. Only the products actually owned by the shop are locked up in a special vault after closing.
An essential fact to keep in mind, is that you as consumer have no control of the shop's level of security.
Now imagine if instead of a $100,000 necklace, it was a piece of intellectual property or personal details, where theft could be occurring without clear physical evidence.
I will agree if a burglar smashes the window of your house and burglarizes your home, the burglar is fully responsible, but only if caught.
In fact, you as homeowner will bear the cost in reality. The cost in lost items, OR the cost in increased insurance premiums that will ultimately exceed any amounts claimed.
Although you as homeowner had a choice to beef up your security, you could have chosen not to.
However you are not free of liability in this situation.. Your liability is your loss in this case.
If someone smashes a window and burglarizes your home is it your fault because you didn't put bars over your windows?
Let's suppose you ask me to store your bike in my house, for a small amount of money, because I say that your bike will be safer than in your own.
Let's suppose a burglar smashes my window and steals your bike, as you say.
Should I be held accountable, refund you your money, pay you for the stolen bike, possibly a bit more because the bike was special or whatever? Or should I just say "Shit happens, get over it. Blame the burglar"?
Do you see the problem now, fscking troll?
Until these agencies have properly mandated oversight at a level that allows them to dismiss or bring criminal charges against the offended then this situation will never improve. Realistically there has to be some sort of intelligence gathering operations for nation states and if governments are going to crack down on whistle blowers in these organizations then they have to balance it with proper legal oversight.
It is clear the issue of Quality Assurance and control within these organizations is something that is yet to be addressed because everyone is a citizen, even spies and politicians. Until that day comes all that is happening is there are a lot of gung-ho cowboys with access to a lot of very powerful tools and not a lot of respect for the people that it is their duty to protect.
Seeing these things gives me very little re-assurance that these organizations are actually performing their missions as opposed to being on some power trip. They don't create anything of value, they don't build things people can use, they subvert the work of professional IT people who are trying to protect their colleagues and customers businesses from cyber-fraud and then, they treat us with contempt because they have access to the superior resources that our tax dollars equipped them with in the first place.
Obviously they feel they are exempt from demonstrating the same form of ethics that IT professionals have to demonstrate everyday. I would have honestly expected them to act with more decorum however it seems obvious that the power trip is just too much and legally constructed oversight into these organizations is the only thing that will make them focus on the stewardship that they have been entrusted to perform.
My ism, it's full of beliefs.
you don't even have to be convicted of a felony.
being charged is enough to blackball you.
went from a valued company employee to unemployable in my field. (unix & storage systems deployment/analyst/admin/architect)
over a family problem (mainly caused my a minor)
skip forward a few years.
now I am fighting a disabling disease without good health insurance and unable to get a job within my limits.
luckily my age and the small number of jobs in the area that I qualify for will make a disabilty qualification easier.
And living on shitty wages has made my frugal living skills sharper.
Why bother with software tools?
If I were they, I'd just use the explosive devices they've almost certainly already pre-positioned.
We know that they've tapped in to quite a number of underwater fibre-optic cables, which is the reason that Google started encrypting traffic on their private fibre. Google originally made the incorrect assumption that dedicated fibre didn't need to be encrypted.
Since they went to the trouble to tap the lines, why would they NOT have left explosives after doing the surgery?
Well DUH....
All the more reason to bug Micro$oft to fix bugs.
As the single largest vector of system infections Micro$oft
seem to be playing loosie goosie and we are all at risk for it.
Fix them bugs ladies and gents.
The astounding bit is the astounding parade of tuesday patches
mostly the bugs are stupid blunder but not all.
At this point all the TLAs and near and far nations and corporations
have copies of WindowZ and it is a simple race to find exploit or find
and plug. For microsoft to take 90+ days to fix a known and verified bug
seems like a lot of time. Given the cash flow to management there is
clearly a mismatch to the talent I know to be there.
All the players need to get it together and focus on stability and correctness.
Yes you too Linus...
N.B. It is clearly time to jailbreak any phone that the seller fails to update.
When network operators like AT&T blocks hardware vendors like Samsung
from issuing patches BY CONTRACT we have a problem. OK I am feeling
a bit Samstung but they are not alone. PS how hard is it to engineer in a bigger
battery so I can get 36 hours of life from the thing... That is not software, that
is not very much in the way of a case adjustment. I would be happy with
a phone the size of a box of Marlboros. BTW Darrell was a nice guy.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
Is to know its a Magic Trick.. and what you see.. is not really whats going on
it gets tiring pointing out the fallacy.
ObXKCD
We're better than this.
let this be flaming sword when you install an and use any american software or hardware... that is not FLOSS or you don't have access to its source code...
Good article.