Slashdot Mirror
How NSA Spies Stole the Keys To the Encryption Castle
Advocatus Diaboli writes with this excerpt from The Intercept's explanation of just how it is the NSA weaseled its way into one important part of our communications: AMERICAN AND BRITISH spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security Agency whistleblower Edward Snowden. The hack was perpetrated by a joint unit consisting of operatives from the NSA and its British counterpart Government Communications Headquarters, or GCHQ. The breach, detailed in a secret 2010 GCHQ document, gave the surveillance agencies the potential to secretly monitor a large portion of the world's cellular communications, including both voice and data.
Can we all just agree that the NSA is the most nefarious hacking group, the most dangerous and out of control? That they make all the other so called "black hats" look like innocent little babies?
I think we all need to work together to get rid of this terrible, nasty, unpredictable hacker group -- for the sake of national and international security. They represent a clear and present danger to the future of this country.
If telephones are outlawed, then only outlaws will have telephones.
Under what possible interpretation of the law can this be considered the actions of lawful government?
Is this a big deal considering we already have the GSM rainbow tables?
Only the State obtains its revenue by coercion. - Murray Rothbard
It's not just about SIM cards.
Gemalto makes smart card readers etc. Think not just communications, nor banking. Think secure access. We use things like that to ascertain authenticity and inviolability in signed documents, emails etc.
We used.
Should Gemalto be sued by people who use their cards & other products on the grounds that they did not adequately secure their computer systems and thus let in outside crackers to steal the encryption keys ? That the crack was done by GCHQ/NSA does not really alter things -- they were cracked. The point of this is that successful legal, and expensive, action would make all corporates treat security properly; this would have great benefits -- more than just keeping the spooks at bay.
The only problem is that to sue Gemalto the plaintiffs would need to demonstrate that they have suffered. This might be hard, although insisting that they were all given new SIMs might be a start.
We're not even over the NSA hard drive hacks and now this?
Next you're gonna tell me Americans shove food up people's ass for freedom. Oh wait they do.
HUGE SPY PROGRAM EXPOSED: NSA has hidden software in hard drives around the world
Is the NSA Hiding in Your Hard Drive?
NSA Has Ability To Hide Spying Software Deep Within Hard Drives: Cyber Researchers
Is Your Hard Drive Hiding NSA Spyware?
The NSA hides surveillance software in hard drives
'Breakthrough' NSA spyware shows deep grasp of makers' hard drives
NSA planted surveillance software on hard drives, report says
NSA secret spying software discovered by Russian researchers
NSA Hackers Infected Hard Drives With Impossible-To-Remove Spyware
NSA Has Planted Surveillance Software Deep Within Hard Drives Since 2001: Kaspersky
NSA program is embedding secret spying software in hard drives in Russia, China, Middle East, allowing agency to eavesdrop on most of worldâ(TM)s computers: report
Destroying your hard drive is the only way to stop this super-advanced malware
Hard drives beware, the NSA is coming for you
Kaspersky fingers NSA-style Equation Group for hard drive backdoor epidemic
There's no way of knowing if the NSA's spyware is on your hard drive
The NSA's Undetectable Hard Drive Hack Was First Demonstrated a Year Ago
Actually it is surprising. Many if not most large government IT projects are appallingly run. Vast amounts of money wasted on useless consultants that end up producing very little if anything at all.
As the NSA's budget grows and grows, I suspect this will happen to them. Lots of MBAs that can only organize their own careers, while the crypto-nerds are pushed into the background.
Oh, I'm sure they can find something. You can't do anything about it -- you can't sue -- because you don't have standing. You'd have to show they were listening to *you*, just to start with, and then you'd have to have a few million to push it through to the supreme court.
And *then* of course you'd be facing the same idiots that think "shall not infringe" means "infringe", "intrastate" means "interstate", article 3 means article 5, and that "no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized" means "as long as we think it's reasonable, we can search and seize to our heart's content", and " no ex post facto Law shall be passed" means "retroactive punishment is no problem."
The only privacy you have at this point is in your own head. Assuming you haven't spoken, written down, or otherwise "shared" your thoughts.
The system is broken. Badly. And very few care -- we're stuck on this downhill-all-the-way roller coaster ride.
I've fallen off your lawn, and I can't get up.
It's what they'd do.
That's already sort of the case. The NSA and similar agencies in other countries are LOADED with useless incompetent staff and engineers. It has everything to do with their impossible hiring practices combined with it being a shitty unethical job. They don't even pay super well, and anyone competent can make more in the private sector.
This makes the whole thing even more scary to me, because being utterly corrupt and not very bright are pretty much absolute requirements for the job. The fact that they get anywhere at all is because they have a huge budget and federal backing to force companies to play along.
I'm always extremely skeptical of stories that the NSA actually broke something through math. It's way way more plausible that they simply paid someone off on the inside.
Remarkable feat! Guys from Bletchley Park — who also intercepted and decrypted everything they possibly could — would've been proud...
These are the "guys from Bletchley Park" -- in the sense that it's the same government organisation.
"During the Second World War, GC&CS was based largely at Bletchley Park ... GC&CS was renamed the "Government Communications Headquarters" in June 1946"
http://en.wikipedia.org/wiki/G...
I think the points are though, that first, companies do not do a good job of cybersecurity, or security at all for that matter. This is the issue that allowed another party to gain access to the crypto data for the SIM cards and for other security mechanisms in order to defeat them.
And second, while the NSA and the British equivalent might be unweildy bureaucratic monsters where those in-charge might not even know what the appendages are doing, they're well-enough funded that they can afford to buy people off to socially-engineer their way in to places where they wouldn't otherwise have the right to go. That gives them the ability to get into corporate networks or to get data from individuals working for corporations; they buy their way in and the consequences of the actions of the employee are not the NSA's concern. All they want/need is the data, and if they can buy it for cash or buy their way in for cash then they might just do that.
Security is hard. Ultimately it comes down to the individual employee, who has to have access to what he or she works on, but by having that access, also can be a risk. A multimillion dollar system can be compromised by a single technical employee because that employee needs access through those safeguards to do the job. It's really no different than bribing the guards at the castle to get in.
Do not look into laser with remaining eye.
on every US and UK government employee. Let them become life-time victims of identity theft. Let the Chinese and Russian intelligence agencies have a field day. It's the only hope we have that they'll learn.
Why do you think all the recent cell phones that are rated for classified voice, such as the Sectera Edge and Project Fish Bowl all run VoIP for classified communications?
Because they know better than to trust the commercial telephone networks and their voice "security".
Learning HOW to think is more important than learning WHAT to think.
...can we all return the favor by pressuring the government to Grant Snowden Clemency?
If people don't stand up to protect whistleblowers, then there will be no whistle blowers, and government evil will run unchecked.
Sign it.
While I think some of the points, however plausible, are a bit on the side of paranoia, the Libertarians firmly believe that we should have only a defense force and not project power.
The current rational now for IS - or whatever they are called now - is to fight them over there so they don't come over here. They just want control of the Middle East - they are no threat to us. Also, the Arabs, Persians, Kurds, and other people's of the Middle East have been dealing with their ethnic problems for thousands of years. And of course, being there, we the USA are going to fuck things up even more.
Unfortunately, we have a populous who treats our military conquests like a football game. USA! USA! win! It makes small people feel big.
We in the USA are small people who like big guns. We lost the idea of walk softly and carry a big stick.
We bluster, shoot things up and wonder why other peoples hate us.
But this football mentality is how you get people to volunteer to fight in idiotic and unjust wars - get the stupid people to die and get maimed for the elite.
My source.... well... here goes.
Yes, they actively recruit Math and CS majors with high GPAs. That is true. ... probably more steps which I haven't mentioned.
However....
In order to get in you must:
1) Pass a preliminary security interview
2) Pass a polygraph test
3) Pass a drug test (including for marijuana) - this eliminates a LOT of competent people
4) Pass a more in-depth security interview
By the time this is all done, about a year and a half has gone by. A bunch more of their potential recruits will be established at a job they want to stay at at this point. The ones who are still seeking work are unemployed after so much time for a reason - often because they're incompetent.
On top of that, the pool of people morally corrupt enough to even _consider_ working for the NSA is teeny.
GPA is one predictor of competence at work, but it's not a 100% reliable predictor by any means. There are many people who can breeze through academia but who are utterly useless on any real job. People like this _like_ government jobs where they may get a permanent contract and where no one can judge their level of competence.
It REALLY is this way. Every single government security agency on the planet has this same problem and the NSA is no different. Competant people do not work there for long. They will lose their minds or end up the next Edward Snowden.
At what point do we start putting these criminals away? They have broken every law on the books.
One of the most insidious effects of this sort of Panopticon-level data collection & analysis is that it works as well against prosecutors, judges, AGs, and even SCOTUS justices, as it does some CEO or key IT admin somewhere they're interested in compromising.
Parallel construction is blind, therefor the current US justice system no longer is. Along with every other government agency, bureau, department, etc, all the way down.
Total Information = Total Control
The US Government is under the control of those who control that information. Even if the target is squeaky-clean, they are perfectly capable of planting things like kiddie-porn or any other convenient data on a hard drive such that it would stand up to the type/depth of forensics used in the typical criminal trial.
Threatening to leak damaging private information, especially when it involves an elected official right before a(n) (re)election, works without even involving the justice system or making a public scene.
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
Actually it is surprising. Many if not most large government IT projects are appallingly run. Vast amounts of money wasted on useless consultants that end up producing very little if anything at all.
As the NSA's budget grows and grows, I suspect this will happen to them. Lots of MBAs that can only organize their own careers, while the crypto-nerds are pushed into the background.
Except that this is not an IT project, but an espionage project. It just happened to have an IT component; one very different than the create a web site / database / payroll system project.
I'm a consultant - I convert gibberish into cash-flow.
And, unlike most of us, Snowden actually did something about it. As a result of his revelations, political pressure is being applied to the government from many different directions to get the situation resolved.
Of course, it cost Snowden his job, and his ability to live in his own country, and might still land him in jail or worse.
You could swallow some of that cynicism and at least try to improve things. Maybe ask the government to grant snowden clemency?
Nah. Why exert the effort to click an online petition when it is so much easier to just bitch about how hopeless things are?
Re "If he was sitting on this information, then why wait so long to release it? "
All the material is now in the hands of the press. The press can release the material in any way it wants or needs to.
Re "Could someone explain where Edward Snowden is getting these kind of leaks and infos from, so long after he fled the NSA?"
The material released by the press is long term generational projects staff get read into as they need to work on the same projects or with staff who do.
Re the how http://www.bbc.com/news/world-... "Edward Snowden: I was a high-tech spy for the CIA and NSA" (28 May 2014)
"...he said he had worked for the CIA and NSA undercover, overseas, and lectured at the Defense Intelligence Agency."
Domestic spying is now "Benign Information Gathering"
This should either be the biggest news story on the planet, or the biggest lie of the year, but the public response seems to be "meh". The problem is, Snowden stole too much. Or claims to have stolen too much. There have been so *many* earthshattering Snowden revelations that both the outrage and the fact-checking seems to have evaporated.
This is a big problem either way.
But on a smart card, asymmetric cryptography can be used. The private key is generated by the chip on user request. It is not supposed to leak outside of the device.
As I understand, this SIM debacle is only possible because the cryptography used here is symmetric, which means the telephone operator must have a copy of the SIM key.
Aside from the feckless fist-shaking at the air, what can the average person really do? Public-key encryption? That gets mentioned every time, and the general consensus is that it's too much work for the average person. Is there any other action that can be taken, or are people just too lazy to care anymore? Maybe there should be more purposeful acts to disrupt the lives of average citizens, to shake them out of their stupor. Wake people up. Perhaps those in power have realized that keeping the populace happy & sedated allows them to do whatever they want. Maybe a full belly and a scratch behind the ears is all we need to become pets to the people running the world now.
Gemalto generate a master SIM key with batches of cards shipped to each Mobile Operator. I work on a project for mobile payments, mediated with a STK loaded on each card. A HSM is loaded with all the master keys. If you have the master key, you can decrypt all the communications with the STK app on the SIM card. If the Master key leaks, all payment operations/transactions are fucked.