After a while all these news items about the NSA and GCHQ can seem a bit too much, but not if we take a step back and really understand the enormity of it all.
The NSA and its cohorts set up fake Facebook websites, spoof security certificates, secretly record webcam streams, vacuum up everything they can lay their hands on etc.
Meanwhile the CIA coolly wipes hundreds of documents from the machines of those who are investigating it, and when caught, threatens their overseers with criminal charges.
Given the scale of their operations, tens of billions of dollars in budgets and how many years they've been at it (this article essentially talks about what the NSA was doing in 2009), is it now futile to think that govt. agencies around the world can ever be expected to turn the clock back?
I mean, really, is there any possible reality that involves the NSA/GCHQ deleting the mountains of data they have surreptitiously recorded? And unplugging or reversing the hundreds of traps, backdoors, viruses, intercepts, decoys that are aimed at common citizens?
In the UK, we did manage to get the identity cards scheme killed and all the data collected destroyed. Admittedly it was still in the pilot stage.
The key to effective political action is getting all the other existing politically active groups to realise that they don't want to do politics under surveillance either. Everyone from the NRA to the NAACP should oppose this.
Talk about guns on the internet? It's trivial to keyword match make and model names, and the NSA can presumably correlate this back to home addresses. They already have the database of who the gun owners are if they were to want to confiscate them.
Everyone should understand that this infrastructure can and will be used to interfere with domestic politics, not to mention being used to attack democracy abroad (see 20th century South American history). You cannot support a system that is unjust to your enemies and assume smugly that it will never be turned around on you (Dianne Feinstein passim).
Yes. All of that usually happens when totalitarian regimes fall. These systems are made and run by people, so they can be remade or disbanded if they are no longer wanted.
For now it's probably useful to concentrate upon emphasising how illegal/unconstitutional all of the above activity is and that the buck has to stop somewhere. Someone has to be held accountable.
Also, they don't "vacuum up everything they can lay their hands on." According to this article, they exploit on the order of tens of thousands of systems and have a control system to pull data and recordings from targeted users.
> I mean, really, is there any possible reality that involves the NSA/GCHQ deleting the mountains of data they have surreptitiously recorded?
They will: it costs a lot of money to keep data alive.
And it is a shame, NSA data for research purposes should be put under the UNO protection:
- it holds lower bits of information interlaced with the "big data" like how flu is propagating;
- we could analyse causality chains and propagation of ideas (the impact of culture);
- we could see corruption's effects, measure them and decide if it is worth the price;
- we can record the variation and evolution of natural language/style;
These data are a treasure, they should be opened after X years, but for economic reasons, they will be deleted.
You don't have to get them to delete it. Just defund them so they can't afford to do it in the future. The data will be worthless pretty quickly as it ages.
Remember, Microsoft is part of this plot, even if they have "plausible deniability". Microsoft is giving NSA access to lists of vulnerabilities Windows has many months before Microsoft even begins to work on a fix. They are in effect helping NSA break into many computers, even if they are up to date.
Every single one of these vulnerabilities could be seen as a backdoor, except Microsoft can have plausible deniability, since they are not actually putting a backdoor in the OS themselves - they're "just telling NSA about the vulnerabilities that exist".
If something like CISPA passes, which NSA keeps pushing for, this capability will expand dramatically, as all companies will be forced to give these vulnerabilities to NSA, but not to "protect us" and for cyber "security", as they keep claiming when they try to promote laws like these, but for offense. They will hoard every single one of them, and then use them in such automated systems to infect millions of computers.
Microsoft gets information about vulnerabilities from the same sources as everyone else. They outspend every other software vendor by something like 4:1 on outside software security consultants. If they are in a privileged position regarding WinAPI software vulnerabilities at all, it is a marginally privileged position. No security person working at Microsoft would tell you they were confident that outsiders weren't holding severe, exploitable vulnerabilities back.
NSA, meanwhile, is as competent at sourcing vulnerabilities as any organization on the planet. They have internal research teams that generate them that are presumably competitive with any private research team, and they apparently purchase vulnerabilities like everyone else --- not from Microsoft, but from research teams that sell vulnerabilities.
Microsoft gives pre-release information about vulnerabilities to lots of different organizations; for instance, the IDS and network security vendors get pre-release info to create signatures. This program is, IIRC, over a decade old.
NSA is a dual-role organization; it also houses the USG's center for defensive technology expertise. It is the opposite of surprising that NSA would have the same relationship with Microsoft as, say, Symantec would.
Finally, CISPA does nothing resembling what you claimed it does. CISPA is opt-in; it cannot be used to force a company to disclose anything. CISPA is about incident data, not vulnerabilities. It is already lawful to share vulnerability information with the government. The gray area in data sharing is non-anonymized incident data, which can be covered by any of 10+ different regulations that make even IP-level metadata risky to share for collaborative defense.
CISPA is an extraordinarily short bill; you can simply read it instead of taking my word for it.
Very frustrating as I work with a Microsoft-oriented company at the moment. Any mention of this to their architectural team results in nothing short of "mwuhahaha you're talking shit". There is some weird universal trust there that really makes no sense at all.
To add insult to injury they don't log, don't have an IDS and don't have a clue stick to hit themselves with.
The NSA, breaking into US computers, is violating the Third Amendment, in my opinion.
No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.
Perhaps if research were to show that "soldier" could be more broadly interpreted to mean "agent of security," you could really get some momentum going for this line of thought. After all, we aren't required to keep other pieces of security enforcement in our homes, such as turrets on the roof controlled by the government.
At the time when this was written, there was a clear distinction between times of peace and war.
Nowadays, especially from the start of the "War on terror", this distinction has been artificially demolished; one of the consequences is that there is way more leverage to work around laws (and to do many other nasty things).
An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer’s microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer’s webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.
Will all the conspiracy theorists come out of the woodwork, please. We need your help.
That's strange. If ever I tried to build a botnet with millions of nodes I'd surely be thrown in prison for years at least. Probably decades. But if I've learned anything in my short time on this planet, it's to always commit your crimes behind the corporate or government veils. Preferably both.
> GCHQ cooperated with the hacking attacks despite having reservations about their legality. One of the Snowden files, previously disclosed by Swedish broadcaster SVT, revealed that as recently as April 2013, GCHQ was apparently reluctant to get involved in deploying the QUANTUM malware due to “legal/policy restrictions.” A representative from a unit of the British surveillance agency, meeting with an obscure telecommunications standards committee in 2010, separately voiced concerns that performing “active” hacking attacks for surveillance “may be illegal” under British law.
Wow, finally a limit on what GCHQ thinks that they are allowed to do! Now can the NSA be prosecuted for these actions when done in the UK? #notgonnahappen
At some point, laptops, displays, and handheld devices started carrying built-in microphones and cameras as a feature. Perhaps the new feature is devices that don't have these things? To use a mic or camera, you'd explicitly have to plug it in and could physically unplug it later.
Better then, to have hardware switches similar to the iPhone lock switch.
I'd welcome that in general! Make the switch open up the camera app directly, and a similar one for the mics; binding it to your phone or recording app, depending on what you prefer.
Make each switch a LED which -if they are- signals ON-state as the screen is turned on or off.
Edit: And incoming call screen would have to reflect the mic being off, in which case flicking the switch would accept the call.
Through all of the news articles and the analyses I have read, I still don't understand how exactly all of this works. I understand the MITM concept, but the Man-On-The-Side parts boggle me:
"When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target’s computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive."
Where is the security hole? My network card? OS? Browser? But then there are so many layers in there. Is it a specially malformed ICMP packet? Or is it a vulnerability in the OS's RPC functions? It's one thing to exploit a vulnerability in Java or Flash, but just using "malicious packets"?
It seems to me that they are sending out packets identifying themselves as facebook. If you're not using SSL this is expected to be possible. If you are using SSL to communicate with FB then it's likely that the NSA has the private keys for FB's SSL certificates.
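The man-on-the-side case asked about above, seen from the defender's side, as an added example that is not part of the original thread: an observer who can read traffic and inject packets, but cannot block the real server's reply, leaves two segments that claim the same TCP sequence range with different bytes, and a capture shows both. The addresses, payloads and the `find_conflicts` helper are constructed for illustration; sequence-number wraparound is ignored.

```python
from collections import defaultdict
from typing import NamedTuple


class Segment(NamedTuple):
    src: str        # sender as "ip:port"
    dst: str        # receiver as "ip:port"
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL as seen at the capture point
    payload: bytes


def find_conflicts(segments):
    """Report pairs of segments in one direction of a flow that cover the
    same sequence range but carry different bytes for it."""
    seen = defaultdict(list)            # (src, dst) -> earlier data segments
    findings = []
    for seg in segments:
        if not seg.payload:
            continue                    # bare ACKs carry no stream bytes
        flow = (seg.src, seg.dst)
        for old in seen[flow]:
            lo = max(seg.seq, old.seq)
            hi = min(seg.seq + len(seg.payload), old.seq + len(old.payload))
            if lo >= hi:
                continue                # ranges do not overlap
            first = old.payload[lo - old.seq:hi - old.seq]
            second = seg.payload[lo - seg.seq:hi - seg.seq]
            if first != second:         # identical bytes = plain retransmission
                findings.append({
                    "flow": flow,
                    "seq_range": (lo, hi),
                    "first": first,
                    "second": second,
                    "ttl_delta": abs(seg.ttl - old.ttl),
                })
        seen[flow].append(seg)
    return findings


# Constructed capture (documentation-range addresses, made-up payloads).
CLIENT = "198.51.100.7:51514"
SERVER = "203.0.113.10:80"
REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
FORGED = b"HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nforged"

CAPTURE = [
    Segment(CLIENT, SERVER, 1000, 64, REQUEST),
    Segment(SERVER, CLIENT, 5000, 59, FORGED),    # wins the race
    Segment(SERVER, CLIENT, 5000, 47, GENUINE),   # real reply, arrives later
]

BENIGN = [
    Segment(CLIENT, SERVER, 1000, 64, REQUEST),
    Segment(SERVER, CLIENT, 5000, 47, GENUINE),
    Segment(SERVER, CLIENT, 5000, 47, GENUINE),   # retransmission, same bytes
]

if __name__ == "__main__":
    for f in find_conflicts(CAPTURE):
        print("conflicting data for seq %d-%d, TTL differs by %d"
              % (f["seq_range"] + (f["ttl_delta"],)))
```

The TTL difference is only a supporting signal, since routes can change mid-connection; the byte mismatch over the same sequence range is the finding.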
Since they see everyone as a potential threat, taint their data so that everyone appears to be that threat. Millions of us could increase the signal-to-noise ratio in their collected data by using a bot to perform random human-like web searches and visits.
If 100 people are searching for <insert bad thing here>, the government has actionable surveillance data. If 100 thousand or 10 million are searching for it in ways that are indistinguishable from a human, then that data becomes unreliable and is no longer actionable.
Adding email to this would strike a fatal blow. Someone could figure a way to create a secure layer to inform a client when a given email being sent was fake, and thus suppress it visually. Soon from the government perspective everyone would be cheating on their spouses and spouting extremist views and plotting this or that.
This would result in an increase in liberty by proving to the government that it should fear its people, if only because its sophisticated surveillance tools now confirm that all the people are evil.
All of this sounds like excellent operational technology. I don't understand all the outrage here. If you sit down and ask yourself, "What kind of technology would I build if I wanted to infiltrate government/military networks of technologically sophisticated adversaries?", this is basically what you'd end up with. This is exactly the sort of thing I would expect the NSA to spend their time on.
I don't think the majority of people are outraged that a spy organisation spies. The things that have got most people rattled are:
a) The breadth of the spying, including many, many innocent people.
b) The long-term storage of data, likewise.
c) Deliberate weakening of security standards we all rely upon.
d) The fact it's all happening without democratic debate.
If instead of the above, they threw innocent people's data away, targeted their intrusions, engaged with the democratic mechanisms, and used their expertise to improve internet security, a lot of people would be much happier.
Exactly. So much of the article is about capabilities with little context for how broadly it is applied. Even the "millions" in the title is just about the server capacity for managing the infected computers, and later they admit that the actual number of computers is an order of magnitude less.
When I was in middle/high school -- late 90's-03 -- using a mix of home-made tools, scripts I tweaked, some trojans I hex edited to make work for me...I had almost all of my school's home computers logging into an IRC room where I could use them to DoS attack and easily knock off (especially before few had broadband) anyone -- all my infected IRC clients could also upload, often around firewall/virus protection varying degrees of other trojans that let me print on their computers, watch them on webcams, open their cd-roms... I was young, told most people and really didn't abuse it: and finally learned 'hackers make things, crackers break things' -- but the point is: yes this isn't a surprise, and in many cases the sophistication is not even too deep, but ya like many said: we need this to keep being published so the open community as a whole can understand, and circumvent if need be.
“If we can get the target to visit us in some sort of web
browser, we can probably own them,” an agency hacker boasts
in one secret document. “The only limitation is the ‘how.’”
> By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive. A top-secret animation demonstrates the tactic in action.
Can anyone explain why they need to conceal it as a Facebook server? Why is that essential to infecting your computer? Why can't it just send you the malware, and then redirect you to the real Facebook (since their mission is accomplished anyway)?
It sounds like they are going after a vulnerability in the browser. My guess would be that they do a man-in-the-middle attack where they have a device that acts as a proxy so you get YOUR Facebook page, but with an exploit injected into the code.
>"The sensors, codenamed TURMOIL, operate as a sort of high-tech surveillance dragnet, monitoring packets of data as they are sent across the Internet."
"TURMOIL", really? Honestly, is this just an elaborate setup for a new bond film or something, this is getting ridiculous.
I've been seeing this pattern a lot in nontechnical news recently, and have always been baffled as to what other kind of server there is (short of some basic network service implemented purely in logic gates, I guess).
>> computer servers
> I've been seeing this pattern a lot in nontechnical news recently, and have always been baffled as to what other kind of server there is ...
In this fast-breaking story, the expression "computer servers" has joined "software program" and "underground tunnel" at the Department of Redundancy Department.
[+] [-] r0h1n|12 years ago|reply
[+] [-] pjc50|12 years ago|reply
Remind nonwhite people about the FBI's attempts to blackmail MLK. http://www.theguardian.com/world/2014/jan/07/fbi-office-brea...
[+] [-] bananas|12 years ago|reply
But, as Huxley was so keen to point out, that's not going to happen when people are staring at Honey Boo Boo and Hollyoaks.
[+] [-] infinity0|12 years ago|reply
[+] [-] motters|12 years ago|reply
[+] [-] lern_too_spel|12 years ago|reply
[+] [-] julie1|12 years ago|reply
[+] [-] atmosx|12 years ago|reply
[+] [-] Consultant32452|12 years ago|reply
[+] [-] fit2rule|12 years ago|reply
[+] [-] higherpurpose|12 years ago|reply
http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-t...
[+] [-] tptacek|12 years ago|reply
[+] [-] bananas|12 years ago|reply
Their funeral!
[+] [-] Fuxy|12 years ago|reply
Not impossible for NSA to get in but a lot more difficult.
[+] [-] logn|12 years ago|reply
[+] [-] diydsp|12 years ago|reply
Keep it up.
[+] [-] pizza234|12 years ago|reply
[+] [-] lern_too_spel|12 years ago|reply
[+] [-] mattlutze|12 years ago|reply
[+] [-] oskarth|12 years ago|reply
[+] [-] dhimes|12 years ago|reply
[+] [-] saraid216|12 years ago|reply
You're welcome.
[+] [-] aspensmonster|12 years ago|reply
Edit:
https://prod01-cdn02.cdn.firstlook.org/wp-uploads/2014/03/ha...
Mirror: http://i.imgur.com/JbLqxAY.jpg
Fuckin' hell. I think we can consider the internet more than owned. More like bent over and pounded.
[+] [-] josephlord|12 years ago|reply
[+] [-] aasarava|12 years ago|reply
[+] [-] hrkristian|12 years ago|reply
[+] [-] aurumpotest|12 years ago|reply
See http://time.com/10115/google-project-ara-modular-smartphone/ and similar projects.
[+] [-] snake_plissken|12 years ago|reply
[+] [-] Consultant32452|12 years ago|reply
[+] [-] sys32768|12 years ago|reply
[+] [-] mattkrea|12 years ago|reply
[+] [-] minimax|12 years ago|reply
[+] [-] summerdown2|12 years ago|reply
[+] [-] akjj|12 years ago|reply
[+] [-] adamrights|12 years ago|reply
[+] [-] caf|12 years ago|reply
[+] [-] innocentius|12 years ago|reply
[+] [-] endeavor|12 years ago|reply
[+] [-] abjorn|12 years ago|reply
[+] [-] blueskin_|12 years ago|reply
[+] [-] lutusp|12 years ago|reply
[+] [-] ForHackernews|12 years ago|reply
[+] [-] clamprecht|12 years ago|reply
[+] [-] Canada|12 years ago|reply
[+] [-] pvnick|12 years ago|reply
I'm only half joking.
[+] [-] chroem|12 years ago|reply
[+] [-] pistolpete20|12 years ago|reply
[+] [-] eliteraspberrie|12 years ago|reply
[+] [-] guest29572|12 years ago|reply