Slashdot Mirror


NSA, GCHQ Implicated In SIM Encryption Hack

First time accepted submitter BlacKSacrificE writes Australian carriers are bracing for a mass recall after it was revealed that the Dutch SIM card manufacturer Gemalto was penetrated by GCHQ and the NSA in an alleged theft of encryption keys, allowing unfettered access to voice and text communications. The incident is suspected to have happened in 2010 and 2011, seems to be the result of social engineering against employees, and was revealed by yet another Snowden document. Telstra, Vodafone and Optus have all stated they are waiting for further information from Gemalto before deciding on a course of action. Gemalto said in a press release that they "cannot at this early stage verify the findings of the publication" and are continuing internal investigations, but considering Gemalto provides around 2 billion SIM cards to some 450 carriers across the globe (all of which use the same GSM encryption standard), the impact and fallout for Gemalto, and the affected carriers, could be huge.

155 comments

  1. I think I speak for everyone when I say by Anonymous Coward · · Score: 1, Insightful

    jesus fucking christ.

    1. Re:I think I speak for everyone when I say by fisted · · Score: 4, Funny

      Oh come on, how would that even work? It's one and the same person.

    2. Re:I think I speak for everyone when I say by fuzzyfuzzyfungus · · Score: 4, Funny

      Just ask the Holy Spirit, he's consubstantial with both the Son and the Father; despite begetting the Son (yet not being the Father).

    3. Re:I think I speak for everyone when I say by Anonymous Coward · · Score: 0

      shut up, eat your communion, sit back down

    4. Re:I think I speak for everyone when I say by geekmux · · Score: 1

      jesus fucking christ.

      You speak for everyone?

      Please. You speak for 5% of the planet. The other 95% is far too apathetic to give a shit.

      Tough to believe the IDGAF factor is that high when it comes to privacy? OK, let me know how many millions of people around the planet refuse to carry a cell phone next month when this hits the evening news.

    5. Re:I think I speak for everyone when I say by fustakrakich · · Score: 1

      Not just apathy. Most people actively endorse it with their votes. The dirty little little secret is that most people are very authoritarian, and it shows.

      --
      “He’s not deformed, he’s just drunk!”
    6. Re:I think I speak for everyone when I say by ColdWetDog · · Score: 1

      Is that recursion?

      Or will it be?

      --
      Faster! Faster! Faster would be better!
    7. Re:I think I speak for everyone when I say by lexman098 · · Score: 1

      Predestination

    8. Re:I think I speak for everyone when I say by jythie · · Score: 2

      It is generally less that people are authoritarian, and more that they fear who might be voted in if they do not go for their least disliked candidate. People are pretty easy to scare with abstract 'if you vote for X, then Y wins!' culture war stuff, so much so that it takes precedent over other more real concerns.

    9. Re:I think I speak for everyone when I say by fustakrakich · · Score: 1

      The thing is that it is our issue, not the state's. The state is 'just following orders'.

      --
      “He’s not deformed, he’s just drunk!”
    10. Re:I think I speak for everyone when I say by nobuddy · · Score: 0
    11. Re:I think I speak for everyone when I say by Anonymous Coward · · Score: 0

      Maybe Jesus was hung enough to loop his dick into his own ass? I've seen videos...

    12. Re: I think I speak for everyone when I say by Anonymous Coward · · Score: 0

      Jesus can go fuck himself!

  2. Fallout? by The+Rizz · · Score: 5, Insightful

    the impact and fallout for Gemalto, and the affected carriers, could be huge.

    Why is it that the fallout is centered on these companies, instead of on the NSA and GCHQ? Why are these criminal enterprises masquerading as government agencies so completely above the law?

    1. Re:Fallout? by Anonymous Coward · · Score: 5, Insightful

      It would be nice to know who will pay the damages, or whether the NSA and GCHQ can just destroy businesses as they please.

    2. Re:Fallout? by Anonymous Coward · · Score: 3, Insightful

      sadly i think we get to see option 2 play out

    3. Re:Fallout? by Mordok-DestroyerOfWo · · Score: 2

      No shit! Given the resources of both agencies, it would be trivial for them to come into my workplace and abscond with out signing keys. Just like with lawyers and the business world, a bottomless well of money will typically get you whatever it is that you're looking for.

      --
      "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    4. Re:Fallout? by Mordok-DestroyerOfWo · · Score: 1

      With *our signing keys.

      --
      "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    5. Re:Fallout? by Anonymous Coward · · Score: 0, Troll

      Can't you dumbass fucking trolls ever think of the children? If we don't support our brave men and women identifying and fighting against terrorists and pedophiles, the internet becomes a meeting place of the worst of mankind -- child rapers, criminals, terrorists. And you support them with your stupid and unproven accusations, with the help of criminals like Edward Snowden.
      Shut the fuck up, and don't open your mouth again, Kid.

    6. Re:Fallout? by Anonymous Coward · · Score: 5, Interesting

      Certainly very true. Absolutely, NSA and GCHQ are at fault here.

      However, these kinds of stories draw the attention of even the most idiotic of individuals. Those that only a few months ago were, without any consideration, spouting, "I don't care if the NSA sees everything I do or works to break into everything." must now stop and realize they were used and lied to, and that the work of these criminal organizations is directly damaging many companies. Various encryption or communication groups and companies have disappeared without any notice by the average person, but they will see the damage when it comes to their cell phones.

    7. Re:Fallout? by Anonymous Coward · · Score: 0

      The Golden Rule..

      He who has the gold, makes the rules.

    8. Re:Fallout? by gl4ss · · Score: 3, Insightful

      or create businesses without a public bidding process, selling dubious equipment to them, for which they provide the possibility to manufacture them..

      oh wait they can and will and have done exactly that.

      --
      world was created 5 seconds before this post as it is.
    9. Re:Fallout? by Anonymous Coward · · Score: 0

      Because it's their job, stupid.

    10. Re:Fallout? by AmiMoJo · · Score: 3, Insightful

      Belgian telecoms companies have already started legal proceedings against GCHQ. I hope Gemalto do as well. Even if it comes to nothing it's still one of the best (only) options we have to try to control them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:Fallout? by Anonymous Coward · · Score: 0

      and affected consumers for that matter.

      A nice big 1 billion party class action may be what it takes to finally shut these bastards down.

    12. Re:Fallout? by mitcheli · · Score: 1, Funny

      Oh, let us not be delusional here. New SIM Cards with new keys will be available with the new Galaxy S6 and new iPhone 6s's. Problem solved.

      --
      Select from tblFriends where interesting >= 4;
    13. Re:Fallout? by fuzzyfuzzyfungus · · Score: 3, Insightful

      Some mixture of pragmatism and the victim blaming, I imagine.

      Given that, operationally speaking, the NSA and GCHQ, and friends, are above the law (where it hasn't been modified to simply make what they do legal, because it's them doing it), your only real option is to start assessing providers of security-critical products and services according to the "Were a dangerously out-of-control clandestine entity to come knocking, would you be fucked or really fucked?" standard.

      It is obviously Bad that you need to ask that question; but, since you do, you at least want the answer to be reassuring. Given that, according to what we know so far, the production process for SIMs involved Gemalto burning (insecurely transmitted) Kis in, at the factory, it looks like the production process is dangerously weak against tampering. As with the RSA seed storage/hack fiasco, it looks like that is going to have to change, with the vital secrets either stored a lot more carefully, or, ideally, generated on-SIM and never leaving the SIM during its operational life, short of a direct silicon-level attack.

    14. Re:Fallout? by fuzzyfuzzyfungus · · Score: 1

      I would certainly lay the blame at the feet of the NSA and friends; but such attacks should also be used to refine processes to make them more resistant to such attacks in the future.

      In the case of this SIM hacking, it appears that the current model involves Kis being transmitted (mostly insecurely) to Gemalto and then burned in. This is an obvious weakness compared to having the high-value keying material generated on-SIM and never leaving, ever, short of a direct attack on the chip. Doesn't mean that the feds shouldn't be nailed to the wall (they should); but it is also a useful lesson in what part of the process to harden if we want to be more resistant next time, whether to feds, sophisticated criminals, or others.

    15. Re:Fallout? by ic3m4n1 · · Score: 1

      On a related note, isn't it illegal for normal citizens to gain illegal access to corporate systems (a.k.a. hacking), and enforced by prison sentences?
      What are these double standards in free countries?

    16. Re:Fallout? by fustakrakich · · Score: 2

      Because 98% of those who vote give their consent. We knew what these people were doing since before the Church Commission, yet the voters continue to reelect the perpetrators. Don't blame the government for doing what it is told by the voting public.

      And please save your breath with the 'lack of choices' and 'lesser evil' bullshit. I ain't hearing it! We did this to ourselves. There is nobody else to blame.

      --
      “He’s not deformed, he’s just drunk!”
    17. Re:Fallout? by fustakrakich · · Score: 1

      It should be obvious... You will.... Why the surprised look?

      --
      “He’s not deformed, he’s just drunk!”
    18. Re:Fallout? by DarkOx · · Score: 3, Interesting

      Maybe so, but we are supposed to live in a society of laws, both here in the States and in Europe. The US government's general position is that Americans are always subject to American laws, and nobody is supposed to be above the law. Kevin Mitnick did essentially the same thing: called up a manufacturer and social engineered them into giving him information. The FBI was certainly on his ass, and the federal prosecutors certainly pushed for and obtained a conviction.

      These guys though? Nobody will even look into it on the prosecutorial side because these guys had an NSA badge on when they did it.

      The Computer Fraud and Abuse Act is found at 18 U.S.C. 1030. Subpart (f) reads as follows:

              This section [i.e., the Computer Fraud and Abuse Act] does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

      There is the law, notice the lawfully authorized part? They are not entitled to do anything you and I can't do UNLESS they have a search warrant or there is some other law on the books specifically authorizing the activity. I doubt even the FISA court would have rubber stamped this one.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    19. Re:Fallout? by Anonymous Coward · · Score: 0

      Yeah, makes me wonder how certain companies with huge infrastructure and free end-user service (*cough*...whatsapp...*cough*) managed to get by before facebook bought them. I always thought that somebody with a huge printing press in the basement and specialized equipment for data and network analysis coupled with a large data pipe and a certain affinity for intelligence would be most suited as a...hm...sponsor?

    20. Re:Fallout? by jythie · · Score: 3, Interesting

      Though would it not be amusing if the FBI actually went after them? The departments already have animosity towards each other, though probably not enough to overcome the 'stick togetherness' of law enforcement against everyone else.

    21. Re:Fallout? by Anonymous Coward · · Score: 0

      It seems that the instant reaction is to assume that everything the NSA and GCHQ do is unacceptable.

      But frankly, this is the sort of thing GCHQ should be doing (with some caveats, I'll get to those). At the end of the day, their job is to be a spy agency, that is, they're meant to intercept communications and listen in to people who, make no mistake, want to destroy our way of life.

      As such, if this is the only way they could go about listening in on threats then it's part of their job, and it's exactly what they should be doing.

      But now for those caveats, this only remains true if they're specifically targeting threats. If they're doing that then I draw a distinction between this and their widespread harvesting of everyone and anyone's internet data. It's also a problem if they're using it to spy on non-threats and so forth also. But is there actually any evidence of that here? The final caveat is if they then passed on this information for non-security service related tasks, or if they let it leak allowing anyone to abuse this information.

      I fully support what Snowden did, but any damage to companies here is really a result of the focus on this aspect of the leaks rather than because GCHQ and the NSA did anything actually wrong. As much as it pains me to give any kind of weight to the arguments made by anti-leaker fuckfaces, the only damage here is that caused by Snowden's leak making it public knowledge. Were this information kept by the security services, and had the security services only hacked into these companies to be able to monitor otherwise secure communications of threats, such as to find out how many more soldiers and tanks Putin intends to send into Eastern Ukraine, then I don't really see what the problem is.

      It's what they're there for. Unless there's any evidence they've then gone on to use this hack for something outside of their remit, this is very much a non-story that in itself only exacerbates the corporate damage by making a mountain out of a molehill.

      We shouldn't criticise them for everything, else we begin to sound like a broken record and get ignored for the things that really are a big deal and really are out of their remit and that they should be punished for like Tempora. Asking them to stop all spying full stop is just fucking stupid and shows a complete naivety to the fact that there are other countries out there that dislike us doing exactly this back to us. You're asking our security services to cripple their ability to combat genuine threats to us simply because you're pissed off at other things they did that genuinely were wrong and unnecessary and that's unhelpful to the debate.

    22. Re: Fallout? by Anonymous Coward · · Score: 0

      While I agree with your point that it's ultimately the people to blame, it is also true that the people have been lied to and misled as to what they are voting for and who is responsible.

      I mean, it's not like any candidate says "I support the NSA breaking the law and conducting mass spying instead of targeted spying", is it?

    23. Re:Fallout? by nobuddy · · Score: 1

      Isn't that cute. he thinks the NSA would ever be held accountable for their actions.

    24. Re:Fallout? by nobuddy · · Score: 1

      Can you show me where it is in their charter that they are to break the law without consequence? I must have missed that clause.

    25. Re:Fallout? by HiThereImBob · · Score: 1

      It would be nice to know who will pay the damages, or whether the NSA and GCHQ can just destroy businesses as they please.

      if they are going to destroy businesses, they could at least start with Comcast / Time warner. IMO, that would add credibility to their premise of "national defense".

    26. Re:Fallout? by Anonymous Coward · · Score: 0

      It seems that the instant reaction is to assume that everything the NSA and GCHQ do is unacceptable.

      No. Nobody said that. Stop making stuff up.

      But frankly, this is the sort of thing GCHQ should be doing (with some caveats, I'll get to those).

      Wrong again. What they *should* be doing is getting warrants to follow up on actual suspects, not spying on everyone just because they want to and not weakening everyone's protection from real threats (ie. hackers) when it suits them.

      At the end of the day, their job is to be a spy agency, that is, they're meant to intercept communications and listen in to people who, make no mistake, want to destroy our way of life.

      As such, if this is the only way they could go about listening in on threats then it's part of their job,

      So you admit that every citizen, and even congress (remember, they were spied on, too) is a threat to "them."

      If they're doing that then I draw a distinction between this and their widespread harvesting of everyone and anyone's internet data

      It's also a problem if they're using it to spy on non-threats and so forth also

      And they are. 400 million Americans, and who knows how many foreigners. Yet you just said you supported that, so stop trying to play both sides. How many of those people being spied on are "terrorists"? A whopping 0%?

      any damage to companies here is really a result of the focus on this aspect of the leaks than because GCHQ and the NSA did anything actually wrong

      Again trying to play both sides... Make up your mind. Corporate espionage and sabotage (which is EXACTLY what this is) are wrong, and will hurt the company as a result. Once again, this proves that the encryption is broken on what is supposed to be encrypted--ie. a non-functional product--and it weakens everyone. See the Lenovo case for why it is a huge problem.

      The real argument you're trying to play here, yet won't say it yourself, is that the NSA did wrong, but it's OK as long as they don't get caught. Yeah. Nobody is buying it.

      only damage here is that caused by Snowden's leak making it public knowledge

      Damage to... who? The NSA, which has been royally fucking over allies, our own government's compartments (ie. congress), citizens and corporations? Or the people and companies that now know about the massive security holes and are working to improve software and systems to protect against such attacks? Poor NSA, they got caught, and now you're blaming the messenger.

      Were this information kept by the security services, and had the security services only hacked into these companies to be able to monitor otherwise secure communications of threats, such as to find out how many more soldiers and tanks Putin intends to send into Eastern Ukraine then I don't really see what the problem is.

      Really? You're going to actually pretend that they are using this kind of stuff to listen in on Putin so that we know how many soldiers are going into Ukraine? Let's ignore for a minute that what happens between Ukraine and Russia is none of our business. Putin is not going to be using a plain old cellphone to have a conversation about that, I can assure you. And even if that were the case, I don't see how that makes it OK to also bug... everyone on the planet.

      Unless there's any evidence they've then gone on to use this hack for something outside of their remit

      Yeah sure, let's just ignore the mountain of times we already know they have misused their information. That doesn't count, right? And again, it still doesn't matter when they have absolutely no business doing it to begin with. Just the same as it is not OK to put a camera in the ladies' bathroom as long as you promise not to share the footage with anyone else.

      You're asking our security services to

    27. Re:Fallout? by Immerman · · Score: 1

      >people who, make no mistake, want to destroy our way of life.

      Don't be melodramatic - for the most part they don't even know what our way of life is, except for the part that involves spending the better part of a century manipulating their domestic politics for our own ends - overthrowing legitimate democracies, installing sadistic dictators, selling them powerful weapons, etc. And honestly I'd rather like to destroy that part of our way of life myself, I just don't think it can be done via militant action.

      For the most part they just want to drive out the foreign devils that are slaughtering civilians and raining death from above, whereas the warlords calling the shots probably secretly love having the foreign devils around giving them legitimacy and bolstering recruitment numbers to leverage in their domestic power struggles. Anything they know about our "way of life" is going to be the same sort of racist caricatures that pervaded US media during WWI and II - propaganda designed to dehumanize the enemy to bolster support for the domestic warmongers.

      There is no doubt the occasional extremist who actually would like to destroy our way of life, but without a vast support structure they're just another random terrorist - maybe they manage to take out a few hundred people, maybe even a few thousand - tragic, but statistically insignificant - your chances of dying in a car crash are much better. And if they do have the vast support structure, then it becomes a business, and like any institution its primary goal becomes self-perpetuation - not something usually furthered by picking fights with opponents that have you vastly outmatched. Though admittedly occasionally you get an Al Qaeda situation, where a crumbling institution deliberately provokes a dragon in order to give themselves a new patina of relevancy rather than fade gracefully into obscurity.

      Meanwhile, virtually every "terrorist plot" interrupted in the last decade plus has been initiated by agent provocateurs working for the FBI, etc. *Maybe* you could argue that they're trying to "weed out the bad apples", but the available evidence looks a lot more like they're creating the very threat they're using to justify their ever-expanding authority.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    28. Re:Fallout? by Anonymous Coward · · Score: 0

      Because voters don't hold the politicians responsible (the politicians are the ones budgeting, etc for these agencies)

    29. Re:Fallout? by Anonymous Coward · · Score: 0

      "sovereign immunity"

    30. Re:Fallout? by sjames · · Score: 1

      So they're supposed to cause ruinous damage to corporations in order to get crypto keys protecting average everyday definitely not terrorists without so much as a by your leave? I don't think so. That's the sort of oppression they're supposed to protect us FROM. They have become the enemy. They are the oppressive government that we grew up being taught to despise. Did you even listen in the 4th grade?

    31. Re: Fallout? by Anonymous Coward · · Score: 0

      Roll over much?

    32. Re:Fallout? by yarbo · · Score: 1

      You don't remember when the FBI let lulzsec destroy Stratfor hoping that Wikileaks would offer money for the exfiltrated data? I'd be surprised if that were the first company that was destroyed after being used as bait by LEA in the US.

    33. Re:Fallout? by grcumb · · Score: 1

      With *our signing keys.

      I've absconded without your signing keys dozens of times already. And I'm bloody skint. :-)

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    34. Re:Fallout? by HiThere · · Score: 1

      How do you propose that they hold the politicians responsible, when both parties that have a measurable chance of being elected support the same policies?

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    35. Re:Fallout? by Anonymous Coward · · Score: 0

      As Lord Hailsham said, how many divisions do the Belgians have?

    36. Re:Fallout? by fgouget · · Score: 1

      with the vital secrets either stored a lot more carefully, or, ideally, generated on-SIM and never leaving the SIM during its operational life, short of a direct silicon-level attack.

      My understanding is that's what they do already. The private key is generated and put directly into the SIM card and never leaves it. But a private key is useless if nobody knows the corresponding public key. It's the transfer of that public key to the entity that needs it, the carrier, that the NSA/GCHQ intercepted.

      Maybe a fix would be for Gemalto to sell blank SIM cards and have the carriers themselves generate and burn the private key to it using a software WORN API: Write Once, Read Never. Of course then the NSA/GCHQ would have no trouble forcing the US carriers to hand over all their public keys, but then they can already force them to intercept the communications. At least the rest of the world would only be subject to spying by their own government.
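The provisioning design argued for in comments 13, 14 and 36 above, as an added example that is not part of the thread and not Gemalto's or any carrier's code: a SIM key slot that is written once and can never be read back, only used to answer a challenge, beside a toy carrier-side authentication centre. HMAC-SHA256 stands in for the real A3/A8 algorithms, the IMSI is a constructed value, and the class and function names are my own. The `provision_blank_card` helper models the "blank card" proposal, where the carrier generates the key and burns it in itself; in this shared-secret design the carrier must still hold a copy, which is exactly why the thread's point about the transfer path stands: every hop the key travels before the card is sealed is a place it can be copied, and a copy is as good as the card.

```python
"""Toy model of SIM key provisioning and challenge-response authentication.

Added example; not code from the thread, Gemalto, or any carrier, and not the
real GSM algorithms (HMAC-SHA256 stands in for A3/A8).
"""
import hashlib
import hmac
import secrets

KI_LEN = 16    # 128-bit subscriber key Ki, as GSM uses
RAND_LEN = 16  # 128-bit challenge


class SimSecureElement:
    """Key slot with write-once, read-never semantics (the 'WORN API' proposed above).

    There is deliberately no method that returns Ki; the only operation
    the outside world gets is answering a challenge.
    """

    def __init__(self):
        self._ki = None

    def provision(self, ki):
        """Burn Ki in. A second write is refused, so a sealed card cannot be re-keyed."""
        if self._ki is not None:
            raise PermissionError("key slot already written")
        if len(ki) != KI_LEN:
            raise ValueError("Ki must be 128 bits")
        self._ki = bytes(ki)

    def respond(self, rand):
        """Challenge-response: returns (SRES, Kc). Ki is used here but never exported."""
        if self._ki is None:
            raise RuntimeError("card not provisioned")
        if len(rand) != RAND_LEN:
            raise ValueError("RAND must be 128 bits")
        digest = hmac.new(self._ki, rand, hashlib.sha256).digest()
        return digest[:4], digest[4:12]  # 32-bit SRES, 64-bit session key Kc

    def __repr__(self):
        return "SimSecureElement(ki=<not readable>)"


class AuthenticationCentre:
    """Carrier side (toy AuC). In a shared-secret design it must hold the same Ki,
    so any copy of Ki made before the card was sealed is equivalent to the card."""

    def __init__(self):
        self._keys = {}

    def register(self, imsi, ki):
        self._keys[imsi] = bytes(ki)

    def triplet(self, imsi):
        """Generate (RAND, expected SRES, Kc) for one authentication run."""
        rand = secrets.token_bytes(RAND_LEN)
        digest = hmac.new(self._keys[imsi], rand, hashlib.sha256).digest()
        return rand, digest[:4], digest[4:12]


def authenticate(auc, imsi, card):
    """Network authenticates the card: SRES must match. Kc is then held by both
    ends without ever having travelled over the air."""
    rand, expected_sres, _kc = auc.triplet(imsi)
    sres, _kc_card = card.respond(rand)
    return hmac.compare_digest(sres, expected_sres)


def provision_blank_card(auc, imsi):
    """'Blank card' model from the thread: the carrier generates Ki and writes it
    into the card itself, so only the AuC and the card ever hold it, with no
    manufacturer or shipping hop in between. Returns the sealed card."""
    ki = secrets.token_bytes(KI_LEN)
    card = SimSecureElement()
    card.provision(ki)
    auc.register(imsi, ki)
    return card


if __name__ == "__main__":
    auc = AuthenticationCentre()
    imsi = "001010000000001"  # constructed test IMSI
    card = provision_blank_card(auc, imsi)
    print(card, "authenticates:", authenticate(auc, imsi, card))
```

The factory model the thread describes differs from `provision_blank_card` only in where the key is born and how many hands it passes through before `provision` seals it; the card's behaviour after sealing is identical in both, which is the point made in comment 14: the part of the process worth hardening is the transfer, not the card.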

    37. Re:Fallout? by sociocapitalist · · Score: 1

      It would be nice to know who will pay the damages, or whether the NSA and GCHQ can just destroy businesses as they please.

      a) the businesses that were hacked or
      b) the taxpayers

      Until enough people get off their fat asses and do something about the situation, which doesn't seem likely to happen before the US falls back to the middle ages.

      --
      blindly antisocialist = antisocial
    38. Re:Fallout? by sociocapitalist · · Score: 1

      There is the law, notice the lawfully authorized part? They are not entitled to do anything you and I can't do UNLESS they have a search warrant or there is some other law on the books specifically authorizing the activity. I doubt even the FISA court would have rubber stamped this one.

      They wouldn't need a search warrant outside the US for non-US citizens.

      --
      blindly antisocialist = antisocial
    39. Re:Fallout? by sociocapitalist · · Score: 1

      Certainly very true. Absolutely, NSA and GCHQ are at fault here.

      However, these kinds of stories draw the attention of even the most idiotic of individuals. Those that only a few months ago were, without any consideration, spouting, "I don't care if the NSA sees everything I do or works to break into everything." must now stop and realize they were used and lied to, and that the work of these criminal organizations is directly damaging many companies. Various encryption or communication groups and companies have disappeared without any notice by the average person, but they will see the damage when it comes to their cell phones.

      'The average person' will never have any idea that any of this happened.

      --
      blindly antisocialist = antisocial
    40. Re:Fallout? by TechnoJoe · · Score: 0

      Even if it comes to nothing it's still one of the best (only) options we have to try to control them.

      There is another option: terminate diplomatic relations with them. The Dutch, Belgians, etc, could get together and say "GCHQ, either you pay for the cost of recalling and replacing those SIM cards, or we're terminating diplomatic relations with the UK." When these spying decisions start to have real blowback (either by paying for the recall or a termination of relations), you'll see these agencies start to change.

  3. Damages by Anonymous Coward · · Score: 5, Insightful

    So who does Gemalto sue when the bankrupting recall they are forced to do is the result of a government approved hack?

    1. Re:Damages by Anonymous Coward · · Score: 1

      This isn't a government-approved hack, at least the Constitution of the United States explicitly prohibits it absent a warrant of probable cause against each snooped individual. Not sure about the UK - I'm pretty sure those poor sods don't have any rights left by now.

    2. Re:Damages by Anonymous Coward · · Score: 1

      Yeah but we've since learned that "government-approved" and "constitutional" are two entirely different things and are not mutually inclusive.

    3. Re:Damages by AmiMoJo · · Score: 4, Insightful

      How would they ever prove it? The stolen documents will be inadmissible. Everything will be protected as a state secret. Their customers won't care of course, but the courts will.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Damages by Anonymous Coward · · Score: 1

      So, the constitutional violation is not in gathering the private keys from a foreign supplier to hostile governments, but in the presumed use of the keys to decrypt without warrant the communications of American persons: citizens, permanent residents and corporations. (Yes, corporate personhood has some positive benefits; it extends constitutional protections to beyond citizens and permanent residents).

    5. Re:Damages by CaptainDork · · Score: 2

      This is not true, and it's crucial to understand why.

      In this context, "Constitution," is American-centric.

      It does not apply to the Dutch.

      The venue of law will have to start with the provenance of the Dutch company (is it owned by the Chinese?) and jurisdictions established before litigation can move forward.

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re:Damages by Anonymous Coward · · Score: 0

      In this context, "Constitution," is American-centric.

      It does not apply to the Dutch.

      And the NSA is an American organization that committed a crime (as per the constitution) within the borders of the US.
      Or are you saying it is now legal for any Americans to commit internet-based crimes as long as the target does not reside in US borders? If, oh I don't know, some nutjob flew a drone over the border and managed to injure or kill someone, that would totally be OK as the assault/murder didn't take place on American soil even though the perpetrator was?

    7. Re:Damages by CaptainDork · · Score: 1

      I haven't " ... since learned that ..." since the Dutch story is new.

      "constitutional" and "Constitutional" have different meanings.

      Government approved? Which government?

      --
      It little behooves the best of us to comment on the rest of us.
    8. Re: Damages by Anonymous Coward · · Score: 0

      I'm not American, but I would be amazed if the US constitution protects foreign citizens rather than Americans only. Otherwise, how the fuck did they establish a department specifically for foreign security?

  4. Taxpayers by Anonymous Coward · · Score: 5, Insightful

    So, not only do we fund the hack, but now we need to fund the compensation for it.

    Wonderful job.

    1. Re:Taxpayers by transporter_ii · · Score: 5, Insightful

      They want to know what you are saying, and they are willing to spend every penny you have to find out. And then some.

      --
      Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
    2. Re:Taxpayers by fustakrakich · · Score: 1

      And not only that, 98% of the voters approve. So, you're right. They must be doing a wonderful job, they're still at it. Complaining about the agency while giving consent with one's vote is highly illogical.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re: Taxpayers by Anonymous Coward · · Score: 0

      What are you talking about? We don't vote for NSA agents. Both sides will spy and put in charge whomever they feel gives them the best chance.

      Our govt is one big: scratch my balls and I'll scratch yours.

    4. Re: Taxpayers by fustakrakich · · Score: 1

      People vote for the politicians who authorize the NSA's activities with little to no oversight.

      --
      “He’s not deformed, he’s just drunk!”
    5. Re: Taxpayers by Anonymous Coward · · Score: 0

      What are you talking about? We don't vote for NSA agents.

      Both the Democrats and the Republicans know that this is going on and are supporting it. They could have cut NSA funding whenever they liked but didn't.
      A vast majority of the voters vote for one of those two parties.

    6. Re: Taxpayers by HiThere · · Score: 1

      Yeah, but voting for another party doesn't do any good either. I've done that rather consistently for decades, though altering which other party occasionally. And most people don't like to vote for someone who doesn't have a chance. (Besides, generally the people who will run for election without any chance of winning aren't any better than the incumbents, though their defects are different...and that's assuming that they're telling the truth.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  5. Blackphone by neilo_1701D · · Score: 1, Insightful

    And so everyone who moved to Blackphone for security purposes... who's to say the same thing can't / didn't happen?

    1. Re:Blackphone by Anonymous Coward · · Score: 0

      You need to understand the difference between standard audio call encryption/decryption process vs. public key cryptography over the Internet.

  6. We're Number 1! We're Number 1! by Anonymous Coward · · Score: 5, Insightful

    Welcome to the USSA. Just like the old USSR, with better technology.

  7. Corruption == Treason by Anonymous Coward · · Score: 4, Funny

    Time to start treating it as such, use your backwards antiquated capital punishment laws for something productive for a change.

    1. Re:Corruption == Treason by fuzzyfuzzyfungus · · Score: 2

      As much as I agree that white collar criminals and spooks are tragically under-executed, and would love to change that, the US constitution (very wisely) includes a comparatively precise and narrow definition of 'treason'. Our 'founding fathers' included some fairly shitty people; but they were mostly shitty people who knew a thing or two about how governments go bad, and that 'treason' is a...delightfully elastic...charge. Thus, they did their best to ensure that it wouldn't be one here.

      There are plenty of other things that they should probably be judged guilty of, and which should probably be capital offenses; but 'treason' is something that you just shouldn't throw around lightly.

    2. Re:Corruption == Treason by Anonymous Coward · · Score: 0

      Au contraire, my friend. We need to bring back antiquated forms of punishment for these vermin so they think twice before doing this ** again.

    3. Re:Corruption == Treason by Anonymous Coward · · Score: 0

      Violating the rights of every single American isn't treason?

      "The betrayal of one's own country by waging war against it or by consciously or purposely acting to aid its enemies."

      Seems to me that counts right under betrayal.
      One could also argue that this is aiding your enemies by creating worldwide public outcry against the United States' actions.
      It could also be argued that this is a war against the American people.

    4. Re:Corruption == Treason by HiThere · · Score: 1

      It's betrayal alright, but it doesn't fit the definition of treason. It does fit "malfeasance in office", and several other crimes. A million consecutive sentences for malfeasance should be sufficient punishment. Unfortunately, I see no chance of that happening.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  8. Sanctions by Anonymous Coward · · Score: 5, Insightful

    The world should introduce trade-sanctions against the USA and the UK, until they stop attacking other countries, and fall in line.

    1. Re:Sanctions by jabuzz · · Score: 3, Insightful

      Except in the case of the U.K. trade sanctions from other E.U. member states are simply not permissible. I would also doubt the USA would introduce sanctions against the UK on this one, and E.U. sanctions against the USA would require approval from the UK which I doubt they are going to give. That's 45% of the world's GDP locked in right there.

      Good luck on that plan.

    2. Re:Sanctions by mitcheli · · Score: 2

      And would the same trade-sanctions be applied to France, Russia, China, North Korea, Canada, South Korea, Germany, Spain, Iran, Norway, Sweden, South Africa, Australia, Egypt, Israel, Syria, and the Federated States of Micronesia? (ok, took some liberties on that last one).

      --
      Select from tblFriends where interesting >= 4;
    3. Re:Sanctions by Eunuchswear · · Score: 1

      UKIP could those problems.

      --
      Watch this Heartland Institute video
    4. Re:Sanctions by Anonymous Coward · · Score: 0

      If the EU courts found that the UK government was responsible for $FOO billions in damage to the company and all its customers, then the EU does actually have quite a few ways it can extract that money. In the case of the US / NSA, it would put in normal WTO-sanctioned tariffs on US steel exports, etc.

      Basically the UK pays to be part of the EU, as all countries do, and receives back subsidies and market access accordingly. In the UK case, the City of London is their weakest point, where this world financial center has access to EU markets and freedom from much of the EU's stricter requirements.

      If the UK government isn't willing to pay an EU court fine... then other methods of extracting the money would need to be considered. And the UK isn't really seen as a fellow _player_ in the EU these days.

      If there's a ruling against the US/NSA?... They'd likely take the cash from Apple or something.

    5. Re:Sanctions by Anonymous Coward · · Score: 1

      If UKIP won the General Election and pulled the UK out of the EU, would the EU be better off privacy-wise? I'd be tempted to vote for them, then expatriate, if it were the case.

    6. Re:Sanctions by jabuzz · · Score: 1

      Wrong, the EU courts don't have jurisdiction over this in the case of the U.K. Even worse, the EU courts have insufficient evidence to even bring a case. All they have is a document that allegedly claims this, which in the best-case scenario was stolen by someone now on the run. Good luck bringing a case on that evidence. So the EU courts simply can't fine the UK or the USA because without further evidence all we have is a circumstantial claim.

      Further any attempt to take money from the USA government by taking from US based companies would be illegal under international law, and is simply not going to happen.

    7. Re:Sanctions by havana9 · · Score: 1

      The world should introduce trade-sanctions against the USA and the UK, until they stop attacking other countries, and fall in line.

      Naturally, it's advisable not to sign commercial treaties with the USA and UK, which are the inverse of trade sanctions. I think governments must abandon TTIP and TPP to their destiny.

    8. Re:Sanctions by sociocapitalist · · Score: 1

      Except in the case of the U.K. trade sanctions from other E.U. member states are simply not permissible. I would also doubt the USA would introduce sanctions against the UK on this one, and E.U. sanctions against the USA would require approval from the UK which I doubt they are going to give. That's 45% of the world's GDP locked in right there.

      Good luck on that plan.

      Not only that but all the above are sharing data on each other's citizens anyway.

      --
      blindly antisocialist = antisocial
  9. Even if the courts punish US/UK by EmagGeek · · Score: 4, Insightful

    The governments will simply say "come and take it, if you can."

    1. Re:Even if the courts punish US/UK by Anonymous Coward · · Score: 0

      The US has dug a 100ft hole in the graveyard of morality inside which they stand on a 3ft moral high ground they made from a turd they produced after eating their own constitution. That's enough punishment for now, I'm sure economical consequences will follow in due time.

    2. Re:Even if the courts punish US/UK by Anonymous Coward · · Score: 0

      The US has dug a 100ft hole in the graveyard of morality inside which they stand on a 3ft moral high ground they made from a turd they produced after eating their own constitution. That's enough punishment for now, I'm sure economical consequences will follow in due time.

      I too am giddy with anticipation at the thought of the free market sorting all this out.

    3. Re:Even if the courts punish US/UK by Anonymous Coward · · Score: 0

      You obviously know very little about the subject of tariffs and WTO...

  10. There have been enough of these headlines by Anonymous Coward · · Score: 2, Funny

    So it's probably about time we shut down the NSA, right? They seem to be completely out of control and I'm not sure what they're actually accomplishing.

  11. even more interesting by Pop69 · · Score: 4, Interesting

    I believe the smartcards and USB readers our bank supplies us for authentication of online transactions are supplied by Gemalto

    Are they affected as well? I would expect so.

    1. Re:even more interesting by ledow · · Score: 4, Insightful

      Gemalto do the majority of the smartcard market these days.

      I've used them for everything from business banking to access control.

      Is it not scary enough that they have been compromised to the point of making almost every SIM on the planet useless? By comparison a banking smartcard here or there is nothing.

      Ironically, every few months our bank will tell us that we have to replace the PIN-pads/smartcards/whatever for a newer model "to be secure". Nobody's yet answered then why their software only works on IE (and older versions at that).

    2. Re:even more interesting by AmiMoJo · · Score: 4, Interesting

      Gemalto do a lot of industrial SIMs. I have used them in products designed at work. Many cars with GSM/3G connectivity use their SIMs. Many smart meters, many mobile payment terminals, many sensor networks, many medical devices.

      It's the kind of thing someone could use to bring down a lot of infrastructure. I bet loads of infrastructure monitoring uses Gemalto SIMs for M2M communications. It's probably safe to assume that if GCHQ and the NSA have the keys, so do others. Considering how much leaks out of those two organizations from relatively low level operatives I'm sure China and Russia and probably a few others have at least that much access.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:even more interesting by fuzzyfuzzyfungus · · Score: 1

      I think that it depends on how the keying is handled, and what role the smartcard plays.

      As best I've been able to tell from what articles I've read, the NSA and friends were snarfing the Kis as they were sent from telcos ordering SIMs to Gemalto, where they were burned in. They may have some other program aimed at bugging the silicon or firmware of the smartcard ICs themselves, which would be a different problem; but according to what we know of this attack, it would not affect smartcards that are used to generate their own private key, onboard, or provisioned by the customer, after delivery, just the ones provisioned by Gemalto on behalf of the customer.

      That's a very large number of affected units, of course; but (barring disclosure of further nasty tricks) it isn't an attack on the actual function of the smartcard, just on a weak link in the production process for preconfigured smartcards.

    4. Re:even more interesting by oodaloop · · Score: 4, Informative

      And our Smart Cards we use on classified networks in the intelligence community use Gemalto. Just checked. Goddamnit.

      I'm not even kidding. Seriously.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    5. Re:even more interesting by lgw · · Score: 1

      That's the problem with any backdoor - once it's public that it exists, it's only a matter of time before everyone has the key. The stupid Lenovo spyware was exploited the same day it became public that it existed. This may take a little longer, but we can be certain that every bad actor will get this - organized crime as well as government (the distinction seems less clear over time).

      --
      Socialism: a lie told by totalitarians and believed by fools.
    6. Re:even more interesting by mitcheli · · Score: 2

      Gemalto is also a major supplier of US Government Common Access Cards (CAC's).

      --
      Select from tblFriends where interesting >= 4;
    7. Re:even more interesting by Anonymous Coward · · Score: 0

      It's not the same as Lenovo though. The private keys are still private, only they're now in 3 places, not 1: NSA, GCHQ, and Gemalto.

    8. Re:even more interesting by jiadran · · Score: 1

      The SIM cards come with the keys preconfigured. As the GSM standard uses symmetric cryptography, the key has to be known and thus is stored somewhere outside the SIM card.

      With smart cards, you can (and should) generate the keys yourself, or rather, let the card do it. The card normally uses asymmetric cryptography and will then store the private key internally and never disclose it, thus making it impossible for spy agencies to recover the keys*.

      * There could be weaknesses, either as bugs or explicitly introduced by spy agencies. For instance, the card could use a weak random number generator (I remember an article that some ID cards used IDs that were not so random after all), or the card could have a back-door to extract the private key. In any case, the attack described, where an employee would be bribed to disclose a database of keys would not work for smart cards, but that does not mean that another attack is not possible.

      Also note, just because we know that Gemalto has been compromised does not mean that other companies are more secure.

    9. Re:even more interesting by jiadran · · Score: 1

      Just an idea on how to work around potential weaknesses in the random number generator:
      1) Set up a trusted and isolated system.
      2) Use the system to generate key pairs.
      3) Some smart cards allow importing keys, including the private key (but do not allow re-exporting the private key).
      4) Dispose of the private key after programming the smart card, and dispose of the system when replaced.

      This would not get around other weaknesses of the smart cards, but at least you can ensure that the card uses properly generated keys.
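      A constructed toy model, added here and not code from the thread, from Gemalto or from any GSM specification, of the two provisioning models the two posts above contrast: a SIM whose symmetric Ki the operator's authentication centre must also hold, versus a smart card whose private key is generated on-card or imported from an isolated system and can never be read back. HMAC-SHA256 stands in for A3/A8, a tiny Diffie-Hellman group stands in for the card's real asymmetric primitive, and every key, IMSI and parameter is made up.

```python
"""Constructed toy model, not GSM-conformant: HMAC-SHA256 stands in for the
operator-specific A3/A8 algorithms and a tiny Diffie-Hellman group stands in
for the card's real asymmetric primitive.  Parameters are illustrative only."""
import hashlib
import hmac
import secrets

# ---- model 1: GSM SIM, a symmetric Ki that the operator's AuC also holds ----

def a3_a8(ki: bytes, rand: bytes) -> tuple:
    """Stand-in for A3/A8: derive SRES (auth response) and Kc (cipher key)."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:4], out[4:12]          # 32-bit SRES and 64-bit Kc, as in GSM

class Sim:
    """The card answers challenges with Ki but never outputs Ki itself."""
    def __init__(self, ki: bytes):
        self._ki = ki

    def respond(self, rand: bytes) -> tuple:
        return a3_a8(self._ki, rand)

class Network:
    """The AuC needs a copy of every Ki to check SRES and derive the same Kc."""
    def __init__(self, ki_db: dict):
        self.ki_db = ki_db

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)          # RAND is sent in the clear

    def verify(self, imsi: str, rand: bytes, sres: bytes) -> tuple:
        exp_sres, kc = a3_a8(self.ki_db[imsi], rand)
        return hmac.compare_digest(exp_sres, sres), kc

def kc_from_key_database(ki_db: dict, imsi: str, rand: bytes) -> bytes:
    """Any holder of a copy of the Ki database plus the cleartext RAND derives
    the Kc the SIM and AuC agreed on without touching the handset: the SIM is
    only as secret as every copy of that database, the manufacturer's included."""
    return a3_a8(ki_db[imsi], rand)[1]

# ---- model 2: smart card whose private key is generated or imported, never read ----

P = 2**127 - 1      # toy Mersenne prime; real cards use a standard curve or group
G = 3

class SmartCard:
    def __init__(self, private=None):
        # Generated on-card (only as good as the card's RNG, the footnote's worry)
        # or imported from a trusted offline system (the four-step procedure):
        # either way the private half stays inside and only the public half leaves.
        self._x = private if private is not None else secrets.randbelow(P - 2) + 1
        self.public = pow(G, self._x, P)

    def export_private(self) -> int:
        raise PermissionError("private key is not exportable")

    def prove(self, peer_ephemeral: int) -> bytes:
        """Answer challenge g^r with H(g^(r*x)), proving knowledge of x."""
        shared = pow(peer_ephemeral, self._x, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()

class Verifier:
    """Holds only public keys: a copy of this database yields no session secret."""
    def __init__(self, pub_db: dict):
        self.pub_db = pub_db

    def challenge(self) -> tuple:
        r = secrets.randbelow(P - 2) + 1
        return r, pow(G, r, P)

    def check(self, holder: str, r: int, proof: bytes) -> bool:
        shared = pow(self.pub_db[holder], r, P)
        expected = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        return hmac.compare_digest(expected, proof)

def can_export_private(card: SmartCard) -> bool:
    try:
        card.export_private()
        return True
    except PermissionError:
        return False

def demo() -> dict:
    ki = secrets.token_bytes(16)                     # constructed Ki
    sim, net = Sim(ki), Network({"test-imsi": ki})
    rand = net.challenge()
    sres, kc_sim = sim.respond(rand)
    ok, kc_net = net.verify("test-imsi", rand, sres)
    card = SmartCard()
    ver = Verifier({"card-1": card.public})
    r, eph = ver.challenge()
    return {
        "sim_authenticates": ok and kc_sim == kc_net,
        "db_copy_yields_kc": kc_from_key_database(dict(net.ki_db), "test-imsi", rand) == kc_sim,
        "card_authenticates": ver.check("card-1", r, card.prove(eph)),
        "card_private_exportable": can_export_private(card),
    }
```

      Calling `demo()` shows the asymmetry in one run: the SIM authenticates, a mere copy of the Ki database reproduces its session key, while the card authenticates with a verifier that stores nothing secret and refuses to export its private key.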

  12. Feasibility of end-to-end encryption by dugancent · · Score: 1

    Is it currently? Any chance of phone manufacturers implementing it by default? How about carriers? Seems to be the only way to truly protect against things like this.

    --
    SJWs are the new boogeyman. -Me
    1. Re:Feasibility of end-to-end encryption by drinkypoo · · Score: 1

      You can have end-to-end encryption right now if you are willing to do some work. Your Android phone has a built-in SIP client. Well, in theory; my SIP settings seem to have disappeared with Lollipop. I hope they'll come back by 5.1, if not sooner. But there are various SIP softphones available for all mobile platforms, probably even including Windows Phone. Android at least, and probably the others too, supports IPsec. Everything you need is right there. The problem then becomes whether you can actually trust your phone. The answer is probably no.

      If you truly want to protect against things like this, you're going to need a portable device with wifi and an open CPU. Best of luck finding one. It'll also need an IOMMU and a driver which prohibits the NIC from stepping out of line, or a NIC with open firmware. Otherwise, someone could (theoretically) own your NIC and then browse your memory from it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Feasibility of end-to-end encryption by Eunuchswear · · Score: 1

      It'll also need an IOMMU and a driver which prohibits the NIC from stepping out of line, or a NIC with open firmware. Otherwise, someone could (theoretically) own your NIC and then browse your memory from it.

      On the (as yet nonexistent) Neo900 the wireless module is a USB device. It doesn't get to access the memory if the CPU doesn't want it to.

      --
      Watch this Heartland Institute video
  13. whoo, obvious misinformation! by Thud457 · · Score: 1

    Send the bill to Samaritan, c/o Richmond Valentine

    Be sure to complain about the trend of ridiculous spy movie plots failing to be as ridiculous as our current reality. Demand a full refund, and damages inflicted due to boredom.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  14. Grand Head Communications Quarters by Anonymous Coward · · Score: 0

    Grand Head Communications Quarters.

  15. The UK needs to pay by Anonymous Coward · · Score: 5, Interesting

    This is an act of industrial espionage and infrastructure sabotage committed by one EU member against another. The UK needs to be held financially responsible for the damage, and punitive sanctions should follow. The UK should also explain how it sees its own future in the EU in the light of these revelations.

  16. such haxx by Anonymous Coward · · Score: 0

    nasjonal sekjurity haxx0rz in ur fonez!

  17. The End by MagickalMyst · · Score: 1

    These "intelligence" agencies should be sued, fined and prosecuted until they are completely out of business.

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
    1. Re:The End by Anonymous Coward · · Score: 0

      You can't sue a government agency for executing their duties. This is a well established precedent in the United States.

    2. Re: The End by Anonymous Coward · · Score: 0

      Since when do their duties include hacking everything encryption-based to make encryption weak and spying easier? A blatant invasion of privacy.

    3. Re:The End by sjames · · Score: 1

      The NSA has been exceeding its charter by a wide margin for some time.

  18. From SIM to Chip and PIN by MeNeXT · · Score: 4, Interesting

    Now they can also prove that you were there when they emptied out your bank account. This is probably why they are refusing to provide any information on stingrays; it goes way deeper than anyone thought.

    --
    DRM? No thanks, I'll just get it somewhere else...
    1. Re:From SIM to Chip and PIN by fgouget · · Score: 1

      I have been wondering about Stingrays too. Based on the Stingrays Wikipedia page they would not need access to the SIM card's private key. Instead they force the device to use the weaker A5/2 security protocol and then crack it which allows them to recover the SIM card's private key.

      The "GSM Active Key Extraction" performed by the StingRay in step three merits additional explanation. A GSM phone encrypts all communications content using an encryption key stored on its SIM card with a copy stored at the service provider. While simulating the target device during the above explained man-in-the-middle attack, the service provider cell site will ask the StingRay (which it believes to be the target device) to initiate encryption using the key stored on the target device. Therefore, the StingRay needs a method to obtain the target device's stored encryption key else the man-in-the-middle attack will fail.

      GSM primarily encrypts communications content using the A5/1 call encryption cypher. In 2008 it was reported that a GSM phone's encryption key can be obtained using $1,000 worth of computer hardware and 30 minutes of cryptanalysis performed on signals encrypted using A5/1. However, GSM also supports an export weakened variant of A5/1 called A5/2. This weaker encryption cypher can be cracked in real-time. While A5/1 and A5/2 use different cypher strengths, they each utilize the same underlying encryption key stored on the SIM card. Therefore, the StingRay performs "GSM Active Key Extraction" during step three of the man-in-the-middle attack as follows: (1) instruct target device to use the weaker A5/2 encryption cypher, (2) collect A5/2 encrypted signals from target device, and (3) perform cryptanalysis of the A5/2 signals to quickly recover the underlying stored encryption key. Once the encryption key is obtained, the StingRay uses it to comply with the encryption request made to it by the service provider during the man-in-the-middle attack.

      This perfectly illustrates why allowing protocol variants with weaker security is a bad idea. It also makes Gemalto's security lapse look somewhat irrelevant: cracking the SIM's private key seems pretty trivial anyway.

  19. The Danger of Monoculture by ISoldat53 · · Score: 2

    Is Gemalto the only provider of these cards?

    1. Re:The Danger of Monoculture by Anonymous Coward · · Score: 2, Interesting

      No, there are other companies such as Giesecke & Devrient (IIRC the documents show they were also targeted but without success).

      But there are only a small number of them, and each mobile operator generally will get all its SIMs from just one of them since it's not in their interests to order from them all (it's more complex to manage, potentially harder to debug with multiple types of SIM in use, and probably more expensive as signing an exclusive deal will I'm sure come with a discount).

  20. Not the End of the WORLD by Anonymous Coward · · Score: 0

    It's been five years and nobody has noticed this and nothing bad has happened. So now we need to BLOW UP the world to fix...

    I know I may be wrong, and I'm just spitballing here, but why don't we just let the terrorists and spies buy themselves a new SIM card for their throwaway cell phone and call it a day.

    The rest of us 2 BILLION people can just assume the NSA doesn't know us and doesn't care who we are. Or do we still need to BLOW UP the world for some reason?

    1. Re: Not the End of the WORLD by Anonymous Coward · · Score: 0

      So that makes everything OK. By your logic only terrorists need encryption.

      I seriously hope you are trolling.

      People say the end of the world is happening all the time. The govt doing what they are doing is making America weaker and weaker. Just because the world did not end does not mean that something seriously wrong isn't going on. They are not mutually exclusive.

      The US govt is slowly weakening our technology one by one.

  21. Re:We're Number 1! We're Number 1! by Anonymous Coward · · Score: 0

    Except instead of socialism we have fascism.

  22. Encrypt all the things by ControlsGeek · · Score: 2

    Why is it that each subscriber cannot select their own encryption keys at the time of activation or any time thereafter?

    1. Re:Encrypt all the things by ColdWetDog · · Score: 1

      Because the keys would be the same as the lock on their luggage.

      --
      Faster! Faster! Faster would be better!
    2. Re:Encrypt all the things by Anonymous Coward · · Score: 1

      Because it's a preshared key, so the mobile operator needs to know its half. Ok that doesn't make it impossible, but does make it very difficult to submit the key to the operator to activate your phone. And most subscribers would not know how to generate it. Generally people want to plug in the SIM and have it just work.

    3. Re:Encrypt all the things by Anonymous Coward · · Score: 1

      There's no technical reason you couldn't exchange the smart card's new symmetric key via an asymmetric crypto session, established using the telco's public key and your own private key securely stored on your local machine (in an encrypted keychain). Smart cards could then be modified to allow a symmetric key overwrite operation, while still preventing the symmetric key from being read back out by an attacker in possession of the smart card.

      There isn't a technical problem, but there sure is one hell of a usability problem. Specific software would have to be created (and possibly even integrated into existing operating systems) to make the whole thing dead simple. You almost wish the problem was technical.
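      The re-keying proposal above, worked through as a constructed example (added here, not code from the thread or from any operator): a new symmetric key is generated on the subscriber's machine, wrapped for the operator under a static Diffie-Hellman session between the subscriber's private key and the telco's public key, and written into a card slot that accepts an overwrite but refuses read-back. The toy group, the HMAC-SHA256 keystream standing in for a real AEAD, the nonce-based replay check and all names are assumptions of this example.

```python
"""Constructed model of the re-keying idea, not a real protocol: a tiny
Diffie-Hellman group stands in for the asymmetric primitive and an HMAC-SHA256
keystream plus MAC stands in for a proper AEAD.  Parameters are illustrative."""
import hashlib
import hmac
import secrets

P = 2**127 - 1      # toy prime; real deployments use a standard curve or group
G = 3

def keygen() -> tuple:
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def _session_keys(my_priv: int, their_pub: int, transcript: bytes) -> tuple:
    """Static-static DH shared secret -> separate encryption and MAC keys."""
    shared = pow(their_pub, my_priv, P).to_bytes(16, "big")
    prk = hmac.new(b"sim-rekey-v1", shared + transcript, hashlib.sha256).digest()
    return (hmac.new(prk, b"enc", hashlib.sha256).digest(),
            hmac.new(prk, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_new_key(sub_priv: int, sub_pub: int, telco_pub: int, new_ki: bytes) -> dict:
    """Subscriber side: encrypt-then-MAC the new Ki under the DH session keys.
    Only the holder of sub_priv can produce a tag the telco accepts for sub_pub."""
    nonce = secrets.token_bytes(12)
    transcript = sub_pub.to_bytes(16, "big") + telco_pub.to_bytes(16, "big")
    enc_k, mac_k = _session_keys(sub_priv, telco_pub, transcript)
    ct = _xor(new_ki, _keystream(enc_k, nonce, len(new_ki)))
    tag = hmac.new(mac_k, nonce + ct, hashlib.sha256).digest()
    return {"from": sub_pub, "nonce": nonce, "ct": ct, "tag": tag}

class Telco:
    """Operator side: knows each subscriber's public key from enrollment."""
    def __init__(self):
        self.priv, self.pub = keygen()
        self.ki_db = {}              # subscriber public key -> current Ki
        self._seen = set()           # nonces already used, to refuse replays

    def enroll(self, sub_pub: int, ki: bytes):
        self.ki_db[sub_pub] = ki

    def accept_rekey(self, msg: dict) -> bool:
        if msg["from"] not in self.ki_db or msg["nonce"] in self._seen:
            return False
        transcript = msg["from"].to_bytes(16, "big") + self.pub.to_bytes(16, "big")
        enc_k, mac_k = _session_keys(self.priv, msg["from"], transcript)
        tag = hmac.new(mac_k, msg["nonce"] + msg["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, msg["tag"]):    # forged sender or tampering
            return False
        self._seen.add(msg["nonce"])
        ks = _keystream(enc_k, msg["nonce"], len(msg["ct"]))
        self.ki_db[msg["from"]] = _xor(msg["ct"], ks)
        return True

    def expected_response(self, sub_pub: int, rand: bytes) -> bytes:
        return hmac.new(self.ki_db[sub_pub], rand, hashlib.sha256).digest()

class RekeyableSim:
    """Card with an overwrite-only key slot, as the post proposes."""
    def __init__(self, ki: bytes):
        self._ki = ki

    def overwrite_key(self, new_ki: bytes):
        self._ki = new_ki

    def read_key(self) -> bytes:
        raise PermissionError("symmetric key is write-only")

    def respond(self, rand: bytes) -> bytes:
        return hmac.new(self._ki, rand, hashlib.sha256).digest()

def rotate(telco: Telco, sim: RekeyableSim, sub_priv: int, sub_pub: int) -> bool:
    """Generate a new Ki locally, hand it to the telco, burn it into the card,
    then confirm both ends answer a fresh challenge identically."""
    new_ki = secrets.token_bytes(16)
    if not telco.accept_rekey(wrap_new_key(sub_priv, sub_pub, telco.pub, new_ki)):
        return False
    sim.overwrite_key(new_ki)
    rand = secrets.token_bytes(16)
    return hmac.compare_digest(sim.respond(rand), telco.expected_response(sub_pub, rand))
```

      The usability point made above is visible in the code: `rotate()` needs the subscriber's private key, the telco's public key and a machine to run it on, none of which a subscriber who just wants to insert a SIM normally has.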

    4. Re:Encrypt all the things by HiThere · · Score: 2

      Yeah, but most people would use "password" as their password.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  23. pot, f#&* kettle by chilenexus · · Score: 3, Insightful

    How much are these agencies/countries now going to expect to be taken seriously when they find that China, Korea, Japan, Russia, or Lesotho have embedded some form of spyware in the electronics they sell us, and make an attempt to shame them for it or claim damages? They'll just roll along and do what they were doing before because they don't see any difference from how we treated them when we weren't at odds with them. The world has just been handed yet another example of how Brits and Americans can't be trusted, and actually deserve to be spied upon and stolen from. The fourth amendment shouldn't stop at our borders, since it is a limitation placed on government, not a perk that is only given to citizens. If you read it, it says "the rights of the people...." There's a similar concept in English Common Law: http://en.wikipedia.org/wiki/F...

  24. Re:We're Number 1! We're Number 1! by fustakrakich · · Score: 1

    And more colorful uniforms. That's a big plus.

    --
    “He’s not deformed, he’s just drunk!”
  25. It would be nice if... by tekrat · · Score: 4, Interesting

    It would be nice if the NSA was using this technology to spy on the real terrorists; and by that I mean the people who actually do want to hurt you and steal from you -- CEOs and Large Banks.

    I mean, there has not been a SINGLE prosecution in the great financial disaster of 2008, yet, I'll bet there's plenty of cell phone conversations and text messages about breaking up bad mortgages into financial instruments of mass destruction, and reselling them as AAA+ rated securities.

    Excuse me, but after 20 trillion dollars lost, and another 2 or so trillion given away to prop up a few banks who wanted to play along with the government (until such time that it became time to steal again); it seems to me that the NSA should be more concerned about these guys than a few rogue crazies who blow up the occasional civilian.

    --
    If telephones are outlawed, then only outlaws will have telephones.
    1. Re:It would be nice if... by Anonymous Coward · · Score: 0

      ...a few rogue crazies who blow up the occasional civilian.

      People quip that "terrorism" is (one of) the root passwords to the Constitution, but that one's even older and it's never going out of style. We can't let the commies win.

    2. Re:It would be nice if... by seoras · · Score: 1

      Meanwhile in Iceland...

      This is a country that jails bankers for economic fraud and protects activists like Wikileaks.

      http://icelandreview.com/news/2015/02/12/icelandic-bankers-sentenced-prison

      They are lucky enough to have a President who has stood up for the people who elected him.
      http://en.wikipedia.org/wiki/Ólafur_Ragnar_Gr%C3%ADmsson
      ( Read the paragraph below "Crisis of 2008 statements". This is the mouse that roared! :) )

    3. Re:It would be nice if... by sociocapitalist · · Score: 1

      It would be nice if the NSA was using this technology to spy on the real terrorists; and by that I mean the people who actually do want to hurt you and steal from you -- CEOs and Large Banks.

      I mean, there has not been a SINGLE prosecution in the great financial disaster of 2008, yet, I'll bet there's plenty of cell phone conversations and text messages about breaking up bad mortgages into financial instruments of mass destruction, and reselling them as AAA+ rated securities.

      Excuse me, but after 20 trillion dollars lost, and another 2 or so trillion given away to prop up a few banks who wanted to play along with the government (until such time that it became time to steal again); it seems to me that the NSA should be more concerned about these guys than a few rogue crazies who blow up the occasional civilian.

      I'm betting that nothing will change so I've told my son he should become a high level banker :-)

      --
      blindly antisocialist = antisocial
  26. The corruption is FAR worse than usually discussed by Anonymous Coward · · Score: 2, Informative

    The problems with corruption in the U.S. government are numerous and severe.

    Matt Taibbi gives a huge amount of detail about the collapse of U.S. society as we have known it: The Divide. Quoting from the Amazon web page: "New York Times bestseller -- Named one of the best books of the year by the Washington Post, NPR, and Kirkus Reviews".

    The book, House of Bush, House of Saud by Craig Unger, tells how Bush and Cheney started a war so that they could make money. One of hundreds of books and articles about the profits and violence and dishonesty: Cheney's Halliburton Made $39.5 Billion on Iraq War. Quoting: "Private or publicly listed firms received at least $138 billion of U.S. taxpayer money for government contracts for services that included providing private security, building infrastructure and feeding the troops."

    #1 Best Seller: America's Bitter Pill: Money, Politics, Back-Room Deals, and the Fight to Fix Our Broken Healthcare System.

    Here is part of a transcript of a 60 Minutes show: Dissecting Obamacare:

    "Brill argues that Obamacare is the product of what he calls an "orgy of lobbying" and backroom deals in which just about everyone with a stake in the $3-trillion-a-year health industry came out ahead - except the taxpayers.

    "Steven Brill: Good news: More people are gonna get health care. Bad news: We have no way in the world that we're gonna be able to pay for it.

    "Steven Brill says that the outrage is what the Affordable Care Act doesn't do.

    "Steven Brill: It doesn't do anything on medical malpractice reform. It doesn't do anything to control drug prices. It doesn't do anything to control hospital profits.

    "Lesley Stahl: So all the cost controlling side of this just went by the wayside?

    "Steven Brill: 99 percent of it."

  27. I don't care, I have a Jolla... by fonske · · Score: 2

    The day after I got my Jolla, my provider (Belgacom) had already installed an app (proximenu) to "service me better" with money transfer services. Very safe services, encrypted by...Gemalto SIM cards. Encryption through legal proceedings - another Belgian invention.

  28. The Cold War is over by Anonymous Coward · · Score: 0

    The bad guys won

    1. Re:The Cold War is over by Anonymous Coward · · Score: 0

      Yeah, the outstanding upholder of rights as learned at the KGB, Putin, has been rather successful since the end of the (previous) Cold War.

    2. Re:The Cold War is over by Anonymous Coward · · Score: 0

      Intelligence agents don't do politics, they just do what they are told. And remember, Putin became a politician in Russia, not in the USSR.

    3. Re: The Cold War is over by Anonymous Coward · · Score: 0

      This. We beat the Nazis and adopted their methods (see Operation Paperclip and the formation of the CIA).

      Then the (allegedly) communist dictatorships fall and now we've adopted their methods as well.

      Yay us...

  29. Why are they using SIMS this way? by Xylantiel · · Score: 1

    The first article says they are just storing a secret key on the SIM and on the network provider's systems. That is just dumb and was totally insecure even before this happened. They should be using private/public key pairs in which the private key is generated on and never leaves the SIM.

    1. Re:Why are they using SIMS this way? by swillden · · Score: 0

      The first article says they are just storing a secret key on the SIM and on the network provider's systems. That is just dumb and was totally insecure even before this happened. They should be using private/public key pairs in which the private key is generated on and never leaves the SIM.

      Symmetric cryptography is not "totally insecure", and there's no reason to accept the complexity, large key size and performance hit of asymmetric cryptography when there's a perfectly reasonable key distribution mechanism in place. Further, your proposal wouldn't even help... who cares if the private key was never off the chip? Given a public key how do you know that the corresponding private key was ever on any chip? Answer: You need to obtain the public key in a secure fashion in a controlled environment, such as during manufacturing. If you drill down on the requirements for the context and process needed to identify that public key as trustworthy you find that you have exactly the same requirements for a secure symmetric key injection, which is much simpler and easier to manage.

      And as for attack by NSA/GCHQ, if those are your opponents, and they're actually focused on you, you can't win. At most you can make them work for it a bit, but not very much. So it really doesn't make much sense to include national intelligence agencies in your threat model.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    2. Re:Why are they using SIMS this way? by AHuxley · · Score: 1

      Price and the design of the cell networks going back many years. The security services had a list of needs going back into the 1980s, and for the UK it was all network use in Ireland.
      As cell and sim systems advanced the security services just kept up with having total mastery of every aspect of all the different telco networks.
      Now users and telcos have to consider who else has the security services methods? Ex staff, former staff, dual citizens, contractors, foreign contractors. People cults and brands able to pay for the skill sets of ex staff, former staff? Once a telco network is fully open to the security services other groups can buy or are given the same methods over the years.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Why are they using SIMS this way? by jonwil · · Score: 1

      GSM (and GSM cryptography) was developed way back when the smartest thing a cellphone could do was to store a few phone numbers and the hardware grunt the system had was minimal.

      Also, when GSM was developed, the various intelligence agencies in the NATO countries deliberately wanted the cryptography to be weak in order to make it easier to hack.

    4. Re:Why are they using SIMS this way? by Anonymous Coward · · Score: 0

      Obtain the keys from a manufacturer in one nation hostile to the NSA, permute them in another?
      Or how about generating 1/2 the key in one country and 1/2 the key in another?

    5. Re:Why are they using SIMS this way? by swillden · · Score: 1

      Obtain the keys from a manufacturer in one nation hostile to the NSA, permute them in another? Or how about generating 1/2 the key in one country and 1/2 the key in another?

      So... manufacture all the devices, then ship them to another country, to a facility under a different organization's control, modify them all, then ship them out for distribution?

      That's not going to increase costs at all :-)

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
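
      Editor's worked example (added here; it is not code from any commenter, from Gemalto, or from a real SIM) for the two points argued above in comment 29: why a copy of the shared secret Ki at the manufacturer or the carrier is enough for purely passive eavesdropping, and what the "generate half the key in each country" proposal from reply 4 does and does not buy. GSM authentication is a challenge-response on a symmetric Ki: the network sends a 128-bit RAND in the clear, the SIM returns a 32-bit SRES and keeps a 64-bit session key Kc for the A5 air-interface cipher. The real A3/A8 (COMP128 or an operator-specific algorithm) and A5 keystream generators are not reproduced; HMAC-SHA256 and a SHA-256 counter stream stand in for them, which is an assumption of this example, not a description of the deployed algorithms. All inputs are constructed.

```python
"""GSM-style shared-secret authentication, a passive listener holding a stolen Ki,
and split-share provisioning of Ki (constructed example, not real SIM code)."""
from __future__ import annotations

import hashlib
import hmac
import os


def a3a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for the SIM's A3/A8: (SRES, Kc) = f(Ki, RAND).
    Sizes follow GSM (SRES 32 bits, Kc 64 bits); HMAC-SHA256 is an assumption,
    real SIMs use COMP128 or an operator-specific keyed function."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]


def keystream(kc: bytes, frame_no: int, n: int) -> bytes:
    """Stand-in for A5/x: keystream = g(Kc, frame number). Real A5/1 is an LFSR cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(kc + frame_no.to_bytes(4, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def auc_challenge() -> bytes:
    """Authentication centre picks a fresh RAND; it goes to the phone unencrypted."""
    return os.urandom(16)


def sim_respond(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """SIM side: SRES is sent back over the air, Kc stays in the phone for A5."""
    return a3a8(ki, rand)


def auc_verify(ki: bytes, rand: bytes, sres: bytes) -> bytes | None:
    """Network side: recompute with the AuC's copy of Ki; hand Kc to the base station on success."""
    expected_sres, kc = a3a8(ki, rand)
    return kc if hmac.compare_digest(expected_sres, sres) else None


def run_session(ki: bytes, plaintext: bytes, frame_no: int = 1234) -> tuple[bytes, bytes, bytes, int]:
    """One authentication plus one encrypted frame. Returns exactly what a passive
    listener on the air interface sees: RAND, SRES, ciphertext, frame number."""
    rand = auc_challenge()
    sres, kc_phone = sim_respond(ki, rand)
    kc_net = auc_verify(ki, rand, sres)
    assert kc_net == kc_phone  # both ends derived the same session key from the shared Ki
    ct = xor(plaintext, keystream(kc_phone, frame_no, len(plaintext)))
    return rand, sres, ct, frame_no


def eavesdrop(claimed_ki: bytes, rand: bytes, ct: bytes, frame_no: int) -> bytes:
    """Attacker with a Ki and the cleartext RAND rederives Kc and decrypts. No IMSI catcher,
    no tampering, nothing for the carrier to notice."""
    _, kc = a3a8(claimed_ki, rand)
    return xor(ct, keystream(kc, frame_no, len(ct)))


def split_ki(ki: bytes) -> tuple[bytes, bytes]:
    """The two-site idea from the thread: Ki = share_a XOR share_b, shares held by different
    organisations. Either share alone is uniformly random and independent of Ki."""
    share_a = os.urandom(len(ki))
    return share_a, xor(ki, share_a)


def demo() -> dict[str, bytes]:
    ki = os.urandom(16)                         # constructed subscriber key
    msg = b"meet at the usual place at nine"    # constructed plaintext frame
    rand, _sres, ct, fn = run_session(ki, msg)
    share_a, share_b = split_ki(ki)
    return {
        "msg": msg,
        "with_ki": eavesdrop(ki, rand, ct, fn),                      # full Ki: recovers the frame
        "one_share": eavesdrop(share_a, rand, ct, fn),               # one share: garbage
        "both_shares": eavesdrop(xor(share_a, share_b), rand, ct, fn),  # both shares: same as Ki
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12s} {v!r}")
```

      The point of the last two lines of `demo()` is the caveat swillden raises: splitting Ki across two sites only helps against the theft of a single site's files, and the carrier's AuC still has to hold the recombined Ki to answer challenges, so the key is whole again at exactly the place an intelligence service would target next. Whoever ends up with the full Ki, whether from the manufacturer's personalisation files or from the carrier, can decrypt recorded traffic without ever transmitting.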
  30. I hope the NSA have to pay for this by Anonymous Coward · · Score: 0

    Since they committed the Criminal Act, I do hope that they are brought to justice.

  31. GCHQ by Anonymous Coward · · Score: 0

    GCHQ, not *the* GCHQ.

  32. Back to my CDMA phone... by clonehappy · · Score: 1

    I go.

    1. Re:Back to my CDMA phone... by Anonymous Coward · · Score: 0

      Good luck with that, it's not any better. Ask Mitnick.

    2. Re:Back to my CDMA phone... by Anonymous Coward · · Score: 0

      Good luck finding a cell tower for that.

  33. Hmm no wonder Congress hasn't by Stan92057 · · Score: 1

    Hmm, no wonder Congress hasn't passed the funding for the NSA yet. As they are going to be sued by the manufacturers because their dirty little secret got out. Just a guess.

    --
    Jack of all trades, master of none
  34. Re:We're Number 1! We're Number 1! by HiThereImBob · · Score: 1

    Welcome to the USSA. Just like the old USSR, with better technology.

    We beat the Soviets at almost everything. There was only one thing they were better than the USA at - actually BEING Soviets. It's about time we put this last issue to bed and declared ourselves victorious in the cold war!

  35. Re:It would be nice if... the key leaked by Richard_J_N · · Score: 1

    What really got Lenovo into hot water was not just Superfish, but that Superfish got compromised. So, what we really need is for the NSA's stolen key to be leaked.
    If that key leaks, it will finally cause the massive that will force the politicians to re-evaluate what the miscreants in GCHQ/NSA are "lawfully" doing.

  36. I trust this by dohzer · · Score: 1

    I'm sure our next SIM cards will be much more secure... In fact, what's the bet the current batch are too secure, and the next ones will be pre-hacked.

  37. What difference does it make, in practice? by Anonymous Coward · · Score: 0

    Frankly, if you don't believe the NSA and/or GCHQ have access to these communications through the carriers' networks anyway, you're sticking your head in the sand. If somebody else is capable of stealing the keys from said intelligence organizations to use for nefarious purposes, then they're probably even more capable of stealing the keys from their original owner.

    The only difference this key-exfiltration makes is that it makes it harder to monitor the fact that eavesdropping is occurring. It brings up the question of oversight. (Perhaps that is the whole point.) Personally, I just assume my GSM telecommunications are being recorded and stored indefinitely as standard, though, and if I feel a bit shy about saying something, I don't say it. (Quite often I don't talk about certain perfectly innocent things on these kinds of channels, simply because they have a psychological intimacy to them which I don't want to break. Maybe it was the way the sunlight broke through some trees in a particular place at a particular time. Or the way I feel about some social situation. I need secrets like these. They are not things that should be shared widely. I leave them for when I meet in person, in private.)

  38. we dutch don't seem to be bothered by wijnands · · Score: 1

    Nothing in the news, no politicians feigning outrage towards the evil Americans... strange!