
Ask HN: How does the NSA manage to hack elite companies?

3 points| toddhd | 12 years ago | reply

9 comments

[+] toddhd|12 years ago|reply
We're all software engineers (OK, a lot of us are software engineers). As someone in the computer business, hackers always fascinate me. Admittedly, I'm not a hacker, not in the "break into a secure system and take control of it" sense of the word.

Today I saw this article (http://www.theguardian.com/technology/2013/oct/30/google-rep...). I'm sure you've seen similar ones recently, from large companies and other countries. When you think about companies like Yahoo and Google, you realize that we are talking about some very, very smart people. These are not easy companies to get into. Their interviews are designed to screen out all but the very best, the most elite programmers. And when you are basically the "go to website" for most of the known world, you spend a LOT of time on things like security, and tracking requests, etc. And let's be honest, Google and Yahoo are in the business of tracking other websites - it is their bread and butter. They understand it and know it.

So I ask myself - HOW? How did the government manage to find and acquire programmers so skilled, so elite, that they are even smarter than the Google and Yahoo guys tied together? Moreover, how did they manage to consistently hack them?

To my knowledge, there are two main ways to get into a system. The first is what most people assume - that's a brute force attack. Find a weakness in the system, exploit that weakness, break in and do what you can before papa bear catches you and kicks you out. Not a very effective approach for long-term information gathering, right? And once done, the exploit is usually addressed.

The other way is to get someone "on the inside" to help. Get them hired, and then get them to covertly build a "back door" for them, an easy way in. This too is way easier said than done on so many levels. I don't know about you, but there are several guys on my team, and when security changes are made, there are lots of people who are aware of it, and would likely see it. It would be tough for me to build a back door without someone seeing it being checked in. Or able to find it easily, even just "tripping over it".

But I digress. In order to hack Google, Yahoo, France, Germany, yada yada yada, you'd have to get an inside guy, a super-elite smarter-than-google type of hacker into every one of those places. They'd have to have elite hackers growing on a farm somewhere if nothing else, and then all the connections everywhere to secretly get them hired and into positions of security and power. HOW???

I just don't understand. It seems like an unrealistic task to me. Maybe that's why I'm a run of the mill engineer however... :)

[+] mschuster91|12 years ago|reply
The only thing you need to tap into an SSL-secured infrastructure is an inside guy who has read access to the private key. Essentially, anyone with root access to the front-end server. That doesn't leave behind any traces.

Same for breaking into the networks (like the NSA did with the Google data center interconnections): you only need to know which fiber you have to place a tap module into. And a subpoena or whatever against the company providing the fiber service (as most of the fibers are leased to Google by some other infrastructure company).

[+] DanBC|12 years ago|reply
GCHQ employs great mathematicians when they're young. It gives them a pleasant working environment. There's probably travel to US to work with American colleagues, and similar travel from US to work with UK colleagues.

There are plenty of genuine adversaries to use in recruitment.

And then, when you're doing the job, you're just cracking crypto or finding exploits, you're not spying on your neighbours.

There's a few fun bits of propaganda - GCHQ HACKS TERRORIST WEBSITE, REPLACES BOMB INSTRUCTIONS WITH CAKE RECIPES - for example.

So, you have these really freakin' smart people working on these interesting problems. They can learn from the rest of the Internet. They just can't share their learning back.

And then you have some managers somewhere reading the law, and coming up with some interesting non-conventional interpretation, and making use of all these interesting exploits and broken crypto systems.

Parliamentary oversight fails for some reason.

[+] midnitewarrior|12 years ago|reply
If I were the NSA, I would have sleeper "retired government contractors" (a.k.a. former employees / dual-employees) getting jobs in the private sector in critical infrastructure roles.

None of these NSA guys have "Senior Cryptoanalyst, NSA" on their resume, they get manufactured titles and positions representing some remote office in the Department of Defense. People take jobs after being in government service, so it would be very plausible for a "former government contractor" to take a job with Google, Microsoft or any other major technology company to get proprietary access to critical infrastructure.

This would be much easier than the "brute force attack" method of hacking a network.

[+] ig1|12 years ago|reply
Because the threat-model they use didn't include a well-funded government opponent with submarines and the manpower and ability to physically interfere with private lines.

[+] thrillgore|12 years ago|reply
I think much of the NSA's recent subversion comes from the amount of muscle they put on the telcos. Given the fact that technologists are concerned about the policy effects of PRISM and everything else revealed by Edward Snowden, the NSA hasn't had much luck with technology companies outside of their NSLs.

[+] gnu8|12 years ago|reply
What's the incident response protocol for illegal intrusion by a government agency? These crimes are never investigated or prosecuted, so what can you do except remove them from your systems and keep it quiet?

[+] J_Darnley|12 years ago|reply
The NSA orders companies to bend over.