NSA Planned To Hijack Google App Store To Hack Smartphones
Advocatus Diaboli writes: A newly released top secret document reveals that the NSA planned to hijack Google and Samsung app stores to plant spying software on smartphones. The report on the surveillance project, dubbed "IRRITANT HORN," shows the U.S. and its "Five Eyes" alliance: Canada, the United Kingdom, New Zealand and Australia, were looking at ways to hack smartphones and spy on users. According to The Intercept: "The top-secret document, obtained from NSA whistleblower Edward Snowden, was published Wednesday by CBC News in collaboration with The Intercept. The document outlines a series of tactics that the NSA and its counterparts in the Five Eyes were working on during workshops held in Australia and Canada between November 2011 and February 2012."
Bad part is, this would be middle of the newspaper, at best. Most people in the USA just don't care how badly our government is abusing everyone.
And, since then, almost every Internet service I use has started bringing their stuff out of the US. Not saying that makes us "hack-proof" (not least from our own intelligence agencies) but businesses can't do business with other governments or even large corporations if this kind of thing is suspected to be going on.
Every week or so, another large company tells me that they've pulled all their EU users and their data to their Ireland datacentre so that only the US people's data can be "collected" by the US authorities and otherwise the NSA are just the same as any other foreign hostile entity trying to get into their systems.
DropBox was the latest one I got an email from. The government and education services already do everything in-EU anyway because of a lovely thing called the Data Protection Act (which the US really needs to start adopting its own version of), and now even people's photo-sharing sites are doing the same because they just don't want this kind of stuff reflecting on them because they happen to do business in the US too.
Tell me, people, if China were doing this everybody would be up in arms. But because it's the US, it's okay?
All they've done is made everybody go from "Maybe the NSA could do this if they wanted" to "We have to assume they are doing this, all day, every day, no matter what the law says", move their data abroad, and massively increase awareness of security and encryption.
Hell, I'm now suspicious of Elliptic Curve, especially if it relies on published curve parameters rather than them being an inherently configurable part of the exchange (like Diffie-Hellman - agree on a curve that nobody has used before but has certain properties and then use that as the basis for encryption) - I have a feeling that all the push to move on COULD be a cleverly orchestrated move to something such agencies "approve" of in secret even if they say it causes them problems in public.
When you think the trick is happening, maybe it's already been done...
So when is the U.S.A. going to defend itself against the terrorists sabotaging its own and the global information infrastructure?
Why not also the iPhone, or has this already been hacked?
Summation 2
Hijack the android source code repository. Or maybe any blob there included...
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
All they need to do is launch their own pirate app site and they'd have people coming to them :P
Cyanogen works better than Android, and you can avoid Google Play.
"You should never doubt what nobody is sure about." -- Willy Wonka
You are witnessing pure evil at work.
I think that [moving data to Irish subsidiary] fools nobody, we know that DropBox provided a PRISM interface to NSA, and if DropBox can get the data, then it can get it from Ireland. Ultimately you cannot use DropBox because DropBox is a US company.
But your basic point is true, US companies are suffering from NSA actions, not so much directly from the hacking, but from the Republidroids pushing through laws to make it legal. So when they push a law giving immunity to corps for providing NSA with 'cyber-security-data', we know that is simply cover for the PRISM data they're buying from US Corps/Banks/Telcos. Which in turn confirms the program as far more widespread than Microsoft/Apple/Google/Facebook...
With US Corps legally spying on their customers, why would their customers stick around?
There's an ointment for that.
this is why debian has the GPG key-signing parties, and why all packages are GPG-signed by the package maintainer when they compile it, why the ftp masters sign the package when it's uploaded, and why the release files which include the checksums of all the packages are also GPG-signed. under this scenario there are an extremely limited number of extremely paranoid methods by which debian may be compromised. even the scenario of "cooperation between long-term sleeper agents within debian's ranks" would have a one-shot opportunity to get away with introducing malicious code, following the discovery of which their GPG keys would be revoked, the perpetrators kicked out of debian, their packages pulled immediately pending a review, and the already-effective procedures reviewed to involve multi-person GPG signing that would make it even harder for compromise to occur in the future.
now, if you recall, there was an announcement a couple of years back that the development of Mozilla's B2G was declared to be "open" to all, so i contributed with a thorough security-conscious review of how to do package distribution. it turns out that Mozilla is *NOT* open - at all. several other contributors have learned that the Mozilla Foundation is in direct violation of its charter.
basically, the Mozilla Foundation *completely* ignored the advice that i gave - which was that the use of SSL as a distribution mechanism would be vulnerable to *exactly* the kinds of attacks that we see the NSA attempting to do on google. they went so far as to enact censorship, preventing and prohibiting me from pointing out the severe security flaws inherent in their chosen method of package distribution. i remain deeply unimpressed with many aspects of so-called "open-ness" of well-funded software libre projects.
The success of this sort of thing could cripple the walled garden model. We need a more decentralized software distribution system. Yes, people that are terrible at this sort of thing profit from a walled garden. But it is also a crutch, gives too much power to apple, google, etc, and is apparently a security risk.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Pretty much the entire black hat community should be looking to burn these assholes to the ground.
Work for the NSA, you should have all of your private information released to the public.
If these clowns want to hack the world, burn the mother fuckers to the ground.
Fuck you America. Fuck you and your spy agencies.
The world hasn't consented to this, you self important cocksuckers.
Don't give us this crap about you not being able to do anything about it. You keep whining about your right to keep guns, and if this isn't why you keep them, what is the point?
Fix it, or shut the fuck up when the rest of the world does.
"NSA Planned..."? Where is the proof they did not go ahead, or are still planning to, via moles or NSL-threatened insiders?
Such a headline gives the impression we safely dodged a bullet, while still in the midst of a massive firefight (and our side only has sparklers and rubber bands).
That's the classic "you are powerless against NSA spying" claim, however it isn't true. If they had other ways of obtaining the data, they wouldn't need PRISM, so if you avoid the PRISM collaborators you make your data harder to spy on.
As a programmer, you are definitely not powerless. Every single one of you can understand the principles of a One-Time-Pad and that encryption method we know is as secure as the private key. There will be chances to encrypt point to point links with OTP and that will increasingly be done. LOGJAM will be fixed. The problem of Certificate Authorities authorizing NSA site keys will be fixed too. One fix at a time.
Side note. Do you recall this (Greece spying on Vodafone network mobile phones, using spyware installed in the switches)?
http://spectrum.ieee.org/telecom/security/the-athens-affair
Now we know Vodafone did surveillance for GCHQ, it points the finger at them for the Vodafone Greece spying.
So add Vodafone to the 'do not use' list.
The report on the surveillance project, dubbed "IRRITANT HORN,"
Hehheh... the gay names of various NSA projects are always great humor.
in other news, wind is windy.
Shouldn't it say "NSA _Plans_ To Hijack Google App Store To Hack Smartphones"? I haven't read anywhere that they cancelled the plan.
I bet it's already compromised, maybe for quite some time. What if this and articles like this are put out to make people think the NSA isn't as far along as they are. /paranoid mode off
The project was motivated in part by concerns about the possibility of “another Arab Spring,” which was sparked in Tunisia in December 2010 and later spread to countries across the Middle East and North Africa. Western governments and intelligence agencies were largely blindsided by those events, and the document detailing IRRITANT HORN suggests the spies wanted to be prepared to launch surveillance operations in the event of more unrest.
It appears in some ways that these agencies have become dependent on their digital surveillance, to the point they are missing exactly what they claim to be looking for.
I guess if you want to plan a revolution just use paper...
"If any question why we died, Tell them because our fathers lied."
How many Linux/Unix repositories have been hacked? What exactly drops in when you update?
"If any question why we died, Tell them because our fathers lied."
Sooner or later, every digital device we "own" will also be owned by the NSA, and they will have the ability to brick it. Even your car (thanks OnStar) will be bricked. For what purpose? Who knows? But it's clear that we have more to fear from the pricks at the NSA than we do from any hacker, terrorist or criminal, as the NSA is pure evil.
If telephones are outlawed, then only outlaws will have telephones.
Can this be counted as a win for Windows phones? The NSA didn't even consider spying on them so they must be secure.
Time to offend someone
r in de app stoar nao
Actually, moving it out of country and to a non-US subsidiary means that the NSA no longer needs a search warrant to access the data. They may merely collect, not process data on US persons (that includes corporations). However, when the data moves overseas, it becomes fair game.
The press has done a very bad job in explaining the connections between various events and their implications. The serious negative effects that NSA activities have had have been reported but not explained. Large scale hacking has very negative consequences. This hacking was helped by the NSA and its efforts to have broad powers to spy on the internet. Encryption software was downgraded by the NSA to the disadvantage of everyone but the NSA. NSA activities have harmed American business in both sales and operations. A serious cost-benefit analysis of NSA operations is long overdue. People everywhere should be very worried about what is done secretly in their name.
What do Canadians call their primary spy agency? Is it called the C.I.eh?
Look, just operate under the general assumption that we live in a Police State that makes Eastern German Stasi look like kindergarten cops.
Then you'll be a good serf.
Is it unconstitutional and illegal?
Of course.
Will they do anything about it that actually changes anything?
No.
-- Tigger warning: This post may contain tiggers! --
This is the reason you should NEVER trust an app store. Download your apps manually and manually install on your JAILBROKE phone.
Is anybody surprised?
*Cricket sounds*
Ok, now show of hands: Is anybody surprised the US Populace doesn't care?
*Cricket sounds*
Maybe someone will code an app that gives false info to the NSA when polled at regular intervals. Or perhaps gives so much info that it b0rks the NSA spy grid with useless garbage info. :)