Slashdot Mirror
How NSA Spies Stole the Keys To the Encryption Castle
Advocatus Diaboli writes with this excerpt from The Intercept's explanation of just how it is the NSA weaseled its way into one important part of our communications: AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden. The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data.
Is this a big deal considering we already have the GSM rainbow tables?
Only the State obtains its revenue by coercion. - Murray Rothbard
Should Gemalto be sued by people who use their cards & other products on the grounds that they did not adequately secure their computer systems and thus let in outside crackers to steal the encryption keys ? That the crack was done by GCHQ/NSA does not really alter things -- they were cracked. The point of this is that successful legal, and expensive, action would make all corporates treat security properly; this would have great benefits -- more than just keeping the spooks at bay.
The only problem is that to sue Gemalto the plaintiffs would need to demonstrate that they have suffered. This might be hard, although insisting that they were all given new SIMs might be a start.
on every US and UK government employee. Let them become life-time victims of identity theft. Let the Chinese and Russian intelligence agencies have a field day. It's the only hope we have that they'll learn.
Why do you think all the recent cell phones that are rated for classified voice, such as the Sectera Edge and Project Fish Bowl all run VoIP for classified communications?
Because they know better than to trust the commercial telephone networks and their voice "security".
Learning HOW to think is more important than learning WHAT to think.
British and American laws don't have jurisdiction over computers in the Netherlands.
This should either be the biggest news story on the planet, or the biggest lie of the year, but the public response seems to be "meh". The problem is, Snowden stole too much. Or claims to have stolen too much. There have been so *many* earthshattering Snowden revelations that both the outrage and the fact-checking seems to have evaporated.
This is a big problem either way.
Aside from the feckless fist-shaking at the air, what can the average person really do? Public-key encryption? That gets mentioned every time, and the general consensus is that it's too much work for the average person. Is there any other action that can be taken, or are people just too lazy to care anymore? Maybe there should be more purposeful acts to disrupt the lives of average citizens, to shake them out of their stupor. Wake people up. Perhaps those in power have realized that keeping the populace happy & sedated allows them to do whatever they want. Maybe a full belly and a scratch behind the ears is all we need to become pets to the people running the world now.
Gemalto generate a master SIM key with batches of cards shipped to each Mobile Operator. I work on a project for mobile payments, mediated with a STK loaded on each card. A HSM is loaded with all the master keys. If you have the master key, you can decrypt all the communications with the STK app on the SIM card. If the Master key leaks, all payment operations/transactions are fucked.