Slashdot Mirror
How NSA Spies Stole the Keys To the Encryption Castle
Advocatus Diaboli writes with this excerpt from The Intercept's explanation of just how it is the NSA weaseled its way into one important part of our communications: AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden. The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data.
When you have the money and will technology and people are easy to get
I'm a consultant - I convert gibberish into cash-flow.
Can we all just agree that the NSA is the most nefarious hacking group, the most dangerous and out of control? That they make all the other so called "black hats" look like innocent little babies?
I think we all need to work together to get rid of this terrible, nasty, unpredictable hacker group -- for the sake of national and international security. They represent a clear and present danger to the future of this country.
If telephones are outlawed, then only outlaws will have telephones.
Under what possible interpretation of the law can this be considered the actions of lawful government?
Is this a big deal considering we already have the GSM rainbow tables?
Only the State obtains its revenue by coercion. - Murray Rothbard
It's not just about SIM cards.
Gemalto makes smart card readers etc. Think not just communications, nor banking. Think secure access. We use things like that to ascertain authenticity and inviolability in signed documents, emails etc.
We used.
Should Gemalto be sued by people who use their cards & other products on the grounds that they did not adequately secure their computer systems and thus let in outside crackers to steal the encryption keys ? That the crack was done by GCHQ/NSA does not really alter things -- they were cracked. The point of this is that successful legal, and expensive, action would make all corporates treat security properly; this would have great benefits -- more than just keeping the spooks at bay.
The only problem is that to sue Gemalto the plaintiffs would need to demonstrate that they have suffered. This might be hard, although insisting that they were all given new SIMs might be a start.
We're not even over the NSA hard drive hacks and now this?
Next you're gonna tell me Americans shove food up people's ass for freedom. Oh wait they do.
HUGE SPY PROGRAM EXPOSED: NSA has hidden software in hard drives around the world
Is the NSA Hiding in Your Hard Drive?
NSA Has Ability To Hide Spying Software Deep Within Hard Drives: Cyber Researchers
Is Your Hard Drive Hiding NSA Spyware?
The NSA hides surveillance software in hard drives
'Breakthrough' NSA spyware shows deep grasp of makers' hard drives
NSA planted surveillance software on hard drives, report says
NSA secret spying software discovered by Russian researchers
NSA Hackers Infected Hard Drives With Impossible-To-Remove Spyware
NSA Has Planted Surveillance Software Deep Within Hard Drives Since 2001: Kaspersky
NSA program is embedding secret spying software in hard drives in Russia, China, Middle East, allowing agency to eavesdrop on most of worldâ(TM)s computers: report
Destroying your hard drive is the only way to stop this super-advanced malware
Hard drives beware, the NSA is coming for you
Kaspersky fingers NSA-style Equation Group for hard drive backdoor epidemic
There's no way of knowing if the NSA's spyware is on your hard drive
The NSA's Undetectable Hard Drive Hack Was First Demonstrated a Year Ago
Actually it is surprising. Many if not most large government IT projects are appallingly run. Vast amounts of money wasted on useless consultants that end up producing very little if anything at all.
As the NSA's budget grows and grows, I suspect this will happen to them. Lots of MBAs that can only organize their own careers, while the crypto-nerds are pushed into the background.
At what point do we start putting these criminals away? They have broken every law on the books.
Oh, I'm sure they can find something. You can't do anything about it -- you can't sue -- because you don't have standing. You'd have to show they were listening to *you*, just to start with, and then you'd have to have a few million to push it through to the supreme court.
And *then* of course you'd be facing the same idiots that think "shall not infringe" means "infringe", "intrastate" means "interstate", article 3 means article 5, and that "no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized" means "as long as we think it's reasonable, we can search and seize to our heart's content", and " no ex post facto Law shall be passed" means "retroactive punishment is no problem."
The only privacy you have at this point is in your own head. Assuming you haven't spoken, written down, or otherwise "shared" your thoughts.
The system is broken. Badly. And very few care -- we're stuck on this downhill-all-the-way roller coaster ride.
I've fallen off your lawn, and I can't get up.
Yes well they were at war with Germany. Now the government is at war with - the people?
Veterans Today on February 11, 2015
Why the United States Always Loses Its Wars
We are the global village bully that's hated by much of the world.
America loses all its wars because it seems we've always been on the wrong side of history. Morally nor legally should any nation have the right to invade and occupy another sovereign nation, much less believe it can achieve victory in long, protracted wars.
Yet in violation of all ethical precepts and all international laws, the sole global superpower citing its impunity through exceptionalism hypocritically insists it can maintain its moral high ground in its relentless pursuit of regime changes anywhere it so chooses on earth. We are the global village bully that's hated by much of the world.
And it's pure self-aggrandizing bullshit to perpetrate the myth that America is hated because of our "freedom," another rhetorical brainwashing lie. We now live in a fascist totalitarian police state run by a globalized crime syndicate of the central banking cabal. As of last April per a Princeton-Northwestern study the US has officially been designated an oligarchy.
Last year after a group of ethnic Russians living in Crimea voted to become part of Russia, the Russian military claimed control over its own naval base there that the US-NATO had been lusting to steal after the unlawful overthrow of Ukraine's democratically elected sovereign government.
Ever since it's been nonstop lies and propaganda propagated to demonize Putin as the aggressor when in fact all along it's the American Empire that's been recklessly pushing what could end up World War III against nuclear powered Russia. With US-NATO missiles installed on Russia's doorstep in virtually every former Soviet eastern bloc nation, hemming Russia in, who's really the aggressor here?
The WMD lie that was the repeated mantra used as prewar drum beating propaganda to launch a war against humanity in Iraq a dozen years earlier is now being replayed as deja vu all over again to amnesic, dumbed down Americans. Despite defeats in both Iraq and Afghanistan still being dragged out as America's longest running wars in its history, the US-NATO war machine is once again prepping for yet more war raging now in Eastern Ukraine.
The US government's rush to war hit a minor snag the other day when various European nations like France and Germany announced their opposition and refusal to send arms to the Ukraine government, wanting to give peace talks with Russia a chance. Today's headlines state that Obama has been forced to pause in his arms rush, not unlike the world turning against his rush a year and a half ago for air strikes in Syria after the false flag chemical weapons attack that was actually launched by US backed rebels.
So it may not be full speed ahead for US Empire to ship its heavy weaponry to the eastern warfront after all. It is being reported that mercenaries speaking American English, Polish, French and Flemish are fighting for the Kiev government in Eastern Ukraine against ethnic Russians who are fighting for their independence, their home and their very survival. And with their backs up against the wall, recently the eastern Ukrainians have beaten back the Ukrainian government forces. Again, the US has a knack for being on the wrong side of history.
No true victor can emerge from any war on either side. The incessant US aggressor boasting superior firepower as the most deadly, expensive military force on the planet (spending more than the next ten nations combined), America has little to show for itself as it has not won a single war in seventy years!
Neo-colonialism cloaked in imperialism, balkanization, economic exploitation, debtors' theft, indentured servitude and enslavement can never be justified as the spoils of war. It's a losing proposition in every imaginable way, not only for the aggressive American Empire that keeps starting and losing war aft
It's what they'd do.
That's already sort of the case. The NSA and similar agencies in other countries are LOADED with useless incompetent staff and engineers. It has everything to do with their impossible hiring practices combined with it being a shitty unethical job. They don't even pay super well, and anyone competent can make more in the private sector.
This makes the whole thing even more scary to me, because being utterly corrupt and not very bright are pretty much absolute requirements for the job. The fact that they get anywhere at all is because they have a huge budget and federal backing to force companies to play along.
I'm always extremely skeptical of stories that the NSA actually broke something through math. It's way way more plausible that they simply paid someone off on the inside.
Remarkable feat! Guys from Bletchley Park — who also intercepted and decrypted everything they possibly could — would've been proud...
These are the "guys from Bletchley Park" -- in the sense that it's the same government organisation.
"During the Second World War, GC&CS was based largely at Bletchley Park ... GC&CS was renamed the "Government Communications Headquarters" in June 1946"
http://en.wikipedia.org/wiki/G...
I think the points are though, that first, companies do not do a good job of cybersecurity, or security at all for that matter. This is the issue that allowed another party to gain access to the crypto data for the SIM cards and for other security mechanisms in order to defeat them.
And second, while the NSA and the British equivalent might be unweildy bureaucratic monsters where those in-charge might not even know what the appendages are doing, they're well-enough funded that they can afford to buy people off to socially-engineer their way in to places where they wouldn't otherwise have the right to go. That gives them the ability to get into corporate networks or to get data from individuals working for corporations; they buy their way in and the consequences of the actions of the employee are not the NSA's concern. All they want/need is the data, and if they can buy it for cash or buy their way in for cash then they might just do that.
Security is hard. Ultimately it comes down to the individual employee, who has to have access to what he or she works on, but by having that access, also can be a risk. A multimillion dollar system can be compromised by a single technical employee because that employee needs access through those safeguards to do the job. It's really no different than bribing the guards at the castle to get in.
Do not look into laser with remaining eye.
on every US and UK government employee. Let them become life-time victims of identity theft. Let the Chinese and Russian intelligence agencies have a field day. It's the only hope we have that they'll learn.
Why do you think all the recent cell phones that are rated for classified voice, such as the Sectera Edge and Project Fish Bowl all run VoIP for classified communications?
Because they know better than to trust the commercial telephone networks and their voice "security".
Learning HOW to think is more important than learning WHAT to think.
...can we all return the favor by pressuring the government to Grant Snowden Clemency?
If people don't stand up to protect whistleblowers, then there will be no whistle blowers, and government evil will run unchecked.
Sign it.
While I think some of the points, however plausible, are a bit on the side of paranoia, the Libertarians firmly believe that we should have only a defense force and not project power.
The current rational now for IS - or whatever they are called now - is to fight them over there so they don't come over here. They just want control of the Middle East - they are no threat to us. Also, the Arabs, Persians, Kurds, and other people's of the Middle East have been dealing with their ethnic problems for thousands of years. And of course, being there, we the USA are going to fuck things up even more.
Unfortunately, we have a populous who treats our military conquests like a football game. USA! USA! win! It makes small people feel big.
We in the USA are small people who like big guns. We lost the idea of walk softly and carry a big stick.
We bluster, shoot things up and wonder why other peoples hate us.
But this football mentality is how you get people to volunteer to fight in idiotic and unjust wars - get the stupid people to die and get maimed for the elite.
My source.... well... here goes.
Yes, they actively recruit Math and CS majors with high GPAs. That is true. ... probably more steps which I haven't mentioned.
However....
In order to get in you must:
1) Pass a preliminary security interview
2) Pass a polygraph test
3) Pass a drug test (including for marijuana) - this eliminates a LOT of competent people
4) Pass a more in-depth security interview
By the time this is all done, about a year and a half has gone by. A bunch more of their potential recruits will be established at a job they want to stay at at this point. The ones who are still seeking work are unemployed after so much time for a reason - often because they're incompetent.
On top of that, the pool of people morally corrupt enough to even _consider_ working for the NSA is teeny.
GPA is one predictor of competence at work, but it's not a 100% reliable predictor by any means. There are many people who can breeze through academia but who are utterly useless on any real job. People like this _like_ government jobs where they may get a permanent contract and where no one can judge their level of competence.
It REALLY is this way. Every single government security agency on the planet has this same problem and the NSA is no different. Competant people do not work there for long. They will lose their minds or end up the next Edward Snowden.
Actually it is surprising. Many if not most large government IT projects are appallingly run. Vast amounts of money wasted on useless consultants that end up producing very little if anything at all.
As the NSA's budget grows and grows, I suspect this will happen to them. Lots of MBAs that can only organize their own careers, while the crypto-nerds are pushed into the background.
Except that this is not an IT project, but an espionage project. It just happened to have an IT component; one very different than the create a web site / database / payroll system project.
I'm a consultant - I convert gibberish into cash-flow.
And, unlike most of us, Snowden actually did something about it. As a result of his revelations, political pressure is being applied to the government from many different directions to get the situation resolved.
Of course, it cost Snowden his job, and his ability to live in his own country, and might still land him in jail or worse.
You could swallow some of that cynicism and at least try to improve things. Maybe ask the government to grant snowden clemency?
Nah. Why exert the effort to click an online petition when it is so much easier to just bitch about how hopeless things are?
Who you intercept and who you actually fighting don't have to be the same people. You listen to everybody to find out, who your targets are. This is obvious to all, and the security people — who have huge leeway in interpreting laws — act to perform their mission, which is to keep us safe...
Now, are we — the rest of society — willing to trade our privacy for these gains in security? Does the freedom being surrendered qualify as essential and the gain — as temporary?
In Soviet Washington the swamp drains you.
Could someone explain where Edward Snowden is getting these kind of leaks and infos from, so long after he fled the NSA?
Or was this information, and the other stuff he claimed in the last couple of months, all part of the package he took with him back then?
If he was sitting on this information, then why wait so long to release it?
Or does he have a new source 'inside'?
Re "If he was sitting on this information, then why wait so long to release it? "
All the material is now in the hands of the press. The press can release the material in any way it wants or needs to.
Re "Could someone explain where Edward Snowden is getting these kind of leaks and infos from, so long after he fled the NSA?"
The material released by the press is long term generational projects staff get read into as they need to work on the same projects or with staff who do.
Re the how http://www.bbc.com/news/world-... "Edward Snowden: I was a high-tech spy for the CIA and NSA" (28 May 2014)
"...he said he had worked for the CIA and NSA undercover, overseas, and lectured at the Defense Intelligence Agency."
Domestic spying is now "Benign Information Gathering"
The problem is tame junk encryption is really open to many ex staff, former staff, other nations, cults, faiths, rich people, political groups, anyone with lots of cash and a few contacts.
SISMI-Telecom scandal https://en.wikipedia.org/wiki/...
Greek wiretapping case 2004–05 https://en.wikipedia.org/wiki/...–05
Cell networks have a very low standard of local encryption thanks to weak junk international standards been set over many years. The results can now be see and understood.
Domestic spying is now "Benign Information Gathering"
This should either be the biggest news story on the planet, or the biggest lie of the year, but the public response seems to be "meh". The problem is, Snowden stole too much. Or claims to have stolen too much. There have been so *many* earthshattering Snowden revelations that both the outrage and the fact-checking seems to have evaporated.
This is a big problem either way.
But on a smart card, asymmetric cryptography can be used. The private key is generated by the chip on user request. It is not supposed to leak outside of the device.
As I understand, this SIM debacle is only possible because the cryptography used here is symmetric, which means the telephone operator must have a copy of the SIM key.
That's a valid question. I'll try to answer it. Yes, neither act is "theft" in the jargon of the law. But you're asking why people (who aren't lawyers) are treating one as theft and not the other.
One answer is that "we" (generally) don't feel that there is any strong societal contract with the TV/movie corps, so there's little or no "trust" for the pirates to steal (from that social contract). On the other hand "we" do very much feel that there is - or at least should be - a strong societal contract with the government that purportedly represents us. So any hypocritical action taken by the government feels like a betrayal, a "theft of trust" from us.
Another answer is "nobody likes a hypocrite, and they like him even less when he punishes others for doing what he does". For an analogy: your coworker loves to quote scripture, but helps themself to the office stationery; your boss loves to quote company policy and fired your coworker, but helps themself to the office pension plan; your senator loves to quote the constitution but voted for free speech zones and civil forfeiture laws before taking a revolving door VP position at your company and fired your boss only to outsource half of your department and walk away even richer when what was left collapsed. Which of these three would you consider assholes, and which would you consider the worst?
Aside from the feckless fist-shaking at the air, what can the average person really do? Public-key encryption? That gets mentioned every time, and the general consensus is that it's too much work for the average person. Is there any other action that can be taken, or are people just too lazy to care anymore? Maybe there should be more purposeful acts to disrupt the lives of average citizens, to shake them out of their stupor. Wake people up. Perhaps those in power have realized that keeping the populace happy & sedated allows them to do whatever they want. Maybe a full belly and a scratch behind the ears is all we need to become pets to the people running the world now.
Gemalto generate a master SIM key with batches of cards shipped to each Mobile Operator. I work on a project for mobile payments, mediated with a STK loaded on each card. A HSM is loaded with all the master keys. If you have the master key, you can decrypt all the communications with the STK app on the SIM card. If the Master key leaks, all payment operations/transactions are fucked.
Considering this audience is pretty much the only one that understands the implications behind these revelations. WE should be the ones raising the issues and getting in the government's face about this, but technologists are notoriously passive when it comes to protesting the government. With that in mind, there's not too much _I_ can do as a Canadian to protest the NSA/GCHQ, but there's definitely the CSE who are one of the "5 eyes" members.
However the easiest response to mass surveillance is mass encryption, and that doesn't involve standing outside for hours shouting at people who couldn't care less or trying to educate the average person about why this isn't just part of the fight on 'terrorism' but it's a direct assault on all of us. Obviously the entire cell phone network design will need an overhaul after these keys have been leaked, and hopefully the overhaul uses better techniques.