
New Snowden Docs Indicate Scope of NSA Preparations for Cyber Battle

463 points| zmanian | 11 years ago |spiegel.de

273 comments

[+] lawnchair_larry|11 years ago|reply
Here's a story for you.

I'm not a party to any of this. I've done nothing wrong, I've never been suspected of doing anything wrong, and I don't know anyone who has done anything wrong. I don't even mean that in the sense of "I pissed off the wrong people but technically haven't been charged." I mean that I am a vanilla, average, 9-5 working man of no interest to anybody. My geographical location is an accident of my birth. Even still, I wasn't accidentally born in a high-conflict area, and my government is not at war. I'm a sysadmin at a legitimate ISP and my job is to keep the internet up and running smoothly.

This agency has stalked me in my personal life, undermined my ability to trust my friends attempting to connect with me on LinkedIn, and infected my family's computer. They did this because they wanted to bypass legal channels and spy on a customer who pays for services from my employer. Wait, no, they wanted the ability to potentially spy on future customers. Actually, that is still not accurate - they wanted to spy on everybody in case there was a potentially bad person interacting with a customer.

After seeing their complete disregard for anybody else, their immense resources, and their extremely sophisticated exploits and backdoors - knowing they will stop at nothing, and knowing that I was personally targeted - I'll be damned if I can ever trust any electronic device I own ever again.

You all rationalize this by telling me that it "isn't surprising", and that I don't live in the [USA,UK] and therefore I have no rights.

I just have one question.

Are you people even human?

[1] https://firstlook.org/theintercept/2014/09/14/nsa-stellar/

[2] https://firstlook.org/theintercept/2014/12/13/belgacom-hack-...

[+] alecco|11 years ago|reply
Indeed, Obama and US congress made it clear we foreign people are just fair game for targeting. At least I'm lucky not to live in a country where targeted assassinations are going on.

Also, it's pretty obvious terrorism is an excuse. The main reason is power and control. Corporate espionage and controlling US-unfriendly political movements is very likely the main goal.

[+] tacoman|11 years ago|reply
I read this post a dozen times. As a sysadmin for a sizable ISP in a non-US/UK country, the Belgacom story has haunted me.

Is this the first time you've talked about it?

[+] stiffled|11 years ago|reply
Welcome to my world. "You all rationalize this by telling me that it "isn't surprising", and that I don't live in the [USA,UK] and therefore I have no rights." This is because Americans are naive enough to think we have rights. And I was once one of the fools that thought this was a free country until what made us similar happened to me. And anyone who thinks that they are too far removed to be affected by this is in for a rude awakening that I don't wish on anyone and if we don't open people's eyes to how close it is to them before it happens to them they will find out for themselves when it's a moot point. So my question to you is how do you let go and move past something as violating as this? It is rape of epic proportions!
[+] lawnchair_larry|11 years ago|reply
Note: This story is meant to reference the two examples listed, and isn't my personal story. It is someone's story, and has almost certainly happened to many others who are unaware, given the MO described in the leaks.

I would not be surprised to find out that it has happened to me, but I don't think that is the case.

I can't edit anymore to clarify, but since it's not obvious from the post, especially if you don't read the references: I'm not either of the individuals who this happened to.

[+] pekk|11 years ago|reply
What do you think that nation-states do?
[+] jokoon|11 years ago|reply
If government money can put people on the moon for military or security reasons, they will easily be able to spy on you no matter what if the same motives apply.

It's not a matter of humanity, society often puts itself before individuals to make sure society can exist the longest it can. A civilization will easily sacrifice many things to secure its survival.

That's how the strongest defend themselves, it's very hard to stay on top for a long time, so often, those countries will take huge leaps of faith and risks to crush their enemies, even if they're on the other side of the world.

If you're an American, you have free speech, and all the democracy and the things around it. If you're outside America, you better be an ally or look like one. Intelligence agencies are a lot about crushing people who might make America look bad, it's about public image, it's almost the same job of a journalist, except you defend your country's interests.

Survival of the fittest. Democracy is just internal management.

[+] karmacondon|11 years ago|reply
This agency gathered information on you, attempted to friend you on LinkedIn and infected your family's computer.

I don't think any of those actions warrant accusations of inhumanity. I can understand that it's disturbing to feel that you're being stalked, or even just monitored. But it doesn't sound like anyone took action to intervene in your private affairs or intentionally lead you to feel threatened. It's legal and at least arguably moral to hire a private investigator to follow a private citizen around, so long as they follow certain rules. Attempting to friend someone on LinkedIn under false pretenses is also legal and arguably moral. Infecting a computer with a virus is not legal as far as I know, but I think the real concern there is the nature of the software and not its existence. As long as they did not harm, the morality of even infecting a computer is questionable.

These people are spies, their job is to spy. To them at least, it isn't a question of the rights granted to you by your citizenship status. It's a tradeoff between the emotional discomfort that you may feel and their job requirement to develop resources that will allow them to stop bad people from doing bad things. I think they made the right decision. If influencing an employee at an ISP can give them more insight into the capability and intent of people they suspect to be up to no good, and the main cost is the distress that said employee or employees will feel as a result of being spied upon, then do it. The needs of the many outweigh the needs of the few.

I understand that we disagree on that, and there is ample room for both sides of the disagreement to be right or one of them to be utterly wrong. But I don't think that either decision is inhumane in any way.

[+] pa7ch|11 years ago|reply
Looking at the comments in support of the NSA here makes me suspect an astroturfing campaign is happening.

Edit: I should add that my suspicion came from noticing that the vast majority of the comments when this was first posted seemed aligned in favor of the NSA's mission.

It wasn't the presence of pro-NSA comments that was interesting but rather that these opinions were the overwhelming majority. This is, of course, how astroturfing becomes effective, it is not the rhetoric that is important but the cognitive bias imparted by the facade of so many people falling to one side of an issue.

This is of course, only a suspicion, but it seemed worth noting.

[+] pdknsk|11 years ago|reply
There was a long interview with Snowden posted recently, which didn't make it to the frontpage. I guess because of Snowden penalty on HN and Snowden fatigue. Anyway, he kept repeating a point which is quite easy to understand for the public I think.

https://news.ycombinator.com/item?id=8859606

And the reality is when it comes to cyber conflicts [...], we have more to lose.

We spend more on research and development than these other countries, so we shouldn’t be making the internet a more hostile, a more aggressive territory. We should be cooling down the tensions, making it a more trusted environment, making it a more secure environment, making it a more reliable environment, because that’s the foundation of our economy and our future.

[...]

The concept there is that there’s not much value to us attacking Chinese systems. We might take a few computers offline. We might take a factory offline. We might steal secrets from a university research programs, and even something high-tech. But how much more does the United States spend on research and development than China does? Defending ourselves from internet-based attacks, internet-originated attacks, is much, much more important than our ability to launch attacks against similar targets in foreign countries [...].

[...]

When you look at the problem of the U.S. prioritizing offense over defense, imagine you have two bank vaults, the United States bank vault and the Bank of China. But the U.S. bank vault is completely full. It goes all the way up to the sky. And the Chinese bank vault or the Russian bank vault or the African bank vault or whoever the adversary of the day is, theirs is only half full or a quarter full or a tenth full.

But the U.S. wants to get into their bank vault. So what they do is they build backdoors into every bank vault in the world. But the problem is their vault, the U.S. bank vault, has the same backdoor. So while we’re sneaking over to China and taking things out of their vault, they’re also sneaking over to the United States and taking things out of our vault. And the problem is, because our vault is full, we have so much more to lose. So in relative terms, we gain much less from breaking into the vaults of others than we do from having others break into our vaults.

[+] dang|11 years ago|reply
> I guess because of Snowden penalty on HN

There hasn't been any such penalty for many months. There used to be a weak penalty, which started during the period when there were hundreds of NSA/Snowden stories. But our intention was always to remove that once the quantity normalized, and so we did.

[+] MichaelApproved|11 years ago|reply
I thought the back doors into our vaults were intentional, so that NSA could get in. Is the NSA willing to allow local companies to have a completely secure network if it means they can't get into it also? Seems like they're comfortable with the risk of hacks as long as they can get to go into the vault and look around too.
[+] ed|11 years ago|reply
There's no reason to pick Offense vs. Defense any more than there is Social Security vs. Education. It's just a question of budgeting. Why wouldn't we invest in both?
[+] fidotron|11 years ago|reply
To be fair here, the NSA should very well be doing these things, for the purpose of attacking other states. The reason is very clear as the Russian attacks on Estonia ( https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia ) demonstrate a clear need for defensive capability in this area, and where you have defence you end up needing offence.

This persistent confusion between legitimate NSA operations such as preparing to intercept communications of foreign governments and illegitimate such as mass slurping of everyone's email merely serves to discredit the entire privacy defending position, and in the long run will just play into the hands of those that want to read everyone's email for nefarious purposes.

[+] hengheng|11 years ago|reply
So I happen to be German, and obviously I don't have a say in what commands you guys give to your own secret services. But since this appeared in a German magazine, allow me to say this: given the track record of how you treat your alleged "allies", I don't feel comfortable seeing these developments. And I wouldn't ever trust anybody with these powers, least the NSA or even the US government. These people are still trying to create a US World Empire out of their own hubris, they just cannot leave the world in peace.

Surprisingly, it turns out that this is an easy way to make enemies, as last week's actions in Paris have shown. It has been shown since 2005 that the Islamists that massacred twelve people were, in fact, radicalized by what they learned about the prison of Abu Ghraib.

Job well done, thank you very much guys.

Lastly, the way our own government is supporting the NSA makes me feel nauseated at some times, furious at other times. We have plenty of work to do locally, that's why usually I don't complain about foreign services. Simply allowing the NSA to gain world domination like that though, just because "that is their job", really is hard to accept for me, and it really rubs me the wrong way.

[+] Afforess|11 years ago|reply
Agreed. I think the Snowden revelations have harmed the NSA's reputation to the point where most people on HN just assume NSA is a Bond-level villain. The NSA serves a purpose, they are meant to be prepared offensively and defensively for the USA's security, which includes the internet. I have no problems with the NSA's purpose and would prefer they continue to exist and prepare against threats to the country.

I do believe the NSA overstepped their mandate in domestic surveillance, and should be held accountable, but let's not forget that this world does have bad guys - plenty of nations would lose no sleep at night if they hurt America.

[+] koepked|11 years ago|reply
To me this goes both ways. If there is a legitimate mission for the NSA to accomplish, then perhaps they should make sure at all times to act in a way that is deserving of the public's trust. The persistent confusion you mention is not the fault of the confused.
[+] Cakez0r|11 years ago|reply
I don't understand why there are so many comments saying that the NSA needs offensive digital capabilities. What valid reasons does the NSA have to ever be committing a cyber attack?
[+] sroerick|11 years ago|reply
Do you believe that NSA should be conducting economic espionage?

There is a clear need for defense. But because of lack of oversight, NSA has overstepped its bounds in both foreign and domestic spheres.

The other side of this argument, one made cogently by Snowden, is that we simply have more to lose by escalating the cyberwar.

[+] matt4077|11 years ago|reply
This was the British GCHQ. They were spying on non-Europeans using their roaming networks, including US citizens.

If you think there's some sort of restraint with regards to citizens of other 'five eyes' nations, I wonder how you square that with the "but everyone spies on everyone, including allies" argument that can always be found in these threads.

[+] markvdb|11 years ago|reply
Are you a US citizen? How would you react if supposedly close US allies were bugging the White House, the US senate and AT&T? Repeatedly? Five Eyes, Echelon, Merkel, Belgacom, ...
[+] caycep|11 years ago|reply
I agree. The DoD/NSA and other agencies should be developing these capabilities. It's really the oversight and legal use of weapons against civilians that is the question.
[+] throwaway349823|11 years ago|reply
It's exactly this unrealistic notion of having your cake and eating it too that landed us in this mess in the first place. And what do you mean by "defensive capability"? Secretive military organizations aren't going to protect civil society. In fact their influence is often in opposition to such protection.
[+] Animats|11 years ago|reply
Everything at the lowest levels needs to be tightened up now.

Buffer overflows in trusted code have to go. This means getting rid of the languages with buffer overflow problems. Mostly C and C++. Fortunately we have Go and Rust, plus all the semi-interpreted languages, now, and can do it.

We need something that runs Docker-like containers and, all the way down to the bare metal, has no unsafe code. We need dumber server boards, with BIOS and NIC code that's simpler and well-understood. The big cloud companies, Amazon, Facebook, and Google are already doing their own server boards.

Companies which put in "backdoors" should face felony criminal prosecution. That doesn't happen by accident.

Latest CERT advisory: "Vulnerability Note VU#936356 Ceragon FiberAir IP-10 Microwave Bridge contains a hard-coded root password ... Ceragon FiberAir IP-10 Microwave Bridges contain an undocumented default root password. The root account can be accessed through ssh, telnet, command line interface, or via HTTP. ... CERT/CC has attempted to contact the vendor prior to publication without success."

All Ceragon customers should demand their money back, and their products should be seized at US customs as supporting terrorism.

[+] dmix|11 years ago|reply
> Buffer overflows in trusted code have to go. This means getting rid of the languages with buffer overflow problems.

In the meantime, since moving away from C will take years, we need to invest in better exploit-mitigation technology instead of relying on bug-hunting-driven-security. That means OS/kernel developers need to start taking security seriously and keeping up with attackers. This means adding proactive measures instead of slowly reacting only when a new CVE comes out. Which is sadly far from the reality at the moment.

For example, OpenBSD made headlines for adding W^X to the whole kernel but hackers have already been bypassing W^X on iOS for years:

http://bsd.slashdot.org/comments.pl?sid=6723643&cid=48812833

>> These protections may guard against a (very small subset of) casual attackers, but they're just another minor hurdle for determined attackers.

In addition we need to move away from signature-based AV towards host-based intrusion detection systems (HIDS). It is no accident that all the feds who left government cybersecurity jobs in recent years moved to build private companies creating HIDS products and making millions selling them to big corps (FireEye, Crowdstrike, etc).

The only options available for consumers and the average sys admin are security tools easily bypassed by any semi-sophisticated adversary (for ex: Anti-virus/RKhunter/SELinux/most trusted computing code-integrity systems/etc).

[+] zmanian|11 years ago|reply
There are a number of objectionable elements to the NSA foreign operations.

- Mass surveillance of all humans is objectionable on human rights terms.

- Attacks on civilian infrastructure. The NSA is executing military operations against civilian infrastructure even in NATO countries.

It isn't conventional foreign policy or warfare for a military agency to be actively and continuously attacking the civilian cultural and economic infrastructure in preparation for war.

[+] jacquesm|11 years ago|reply
Judging by the scope of the attack on Belgacom in 2011 that battle is already underway, the surprise I guess should be that it is the allies attacking each other. If China or North Korea would have made an attack like this it would be trumpeted as an act of war, but because it is the UK with NSA assistance it's downplayed as much as possible.
[+] jakeogh|11 years ago|reply
The premise that we need "benevolent power" to "protect us" from "evil doers" is the oldest trick in the book. If there is no threat, one will be generated. Almost organically, it does not even take overt organization. The players know cui bono.
[+] Briguy2k|11 years ago|reply
Speaking as a citizen, the problem with the US's newest brand of digital weapons, is that they can be used on US population under the radar and w/o killing anyone. This may justify legally their extended use for surveillance unfortunately. The development of the atom bomb and chemical weapons had no "convenient" use on the US's own citizens, and they clearly couldn't get away with it. However, these weapons do, and they are being developed with all the same force, purpose, and financial backing as the a-bomb and chemical weapons were ~100 years ago.
[+] squozzer|11 years ago|reply
I won't pretend to know what's going on here or its implications. So far humanity has lucked out considering our capacity for building some pretty nasty weaponry. We'll probably go through a series of cyberwars before we come to our senses.

I don't blame the NSA for trying to be ready to fight a cyberwar. Other nations probably wouldn't stop their programs even if the US did. Our culture isn't the only one infected with a sense of Manifest Destiny.

Where we might consider drawing the line begins with necessity. Deciding which actions are necessary and which are gratuitous might prove difficult, assuming we even know, which is why I find it hard to fault Snowden for leaking this information.

As fearsome as the NSA sounds, certainly they have some limits. For instance, why don't they just clean out everyone's bank accounts? Might pay their bills for a few days anyway. But why haven't they gone after certain criminals? Many shady operations keep their money in jurisdictions that probably can't compete with our cyberwar capabilities. Maybe these operations enjoy the protection of a powerful entity but probably not all of them do. And probably many operations still use cash and couriers but the US and others seem to have gotten better at tracking movements of people so it's doubtful such tactics will remain viable forever.

Maybe in the end we have to somehow conquer the notion of distrust. Not sure how it can be done except through telepathy and even then the transition to a telepathic society will probably be full of misery.

[+] benstein|11 years ago|reply
How is this whistleblowing? What benefit do we as the public gain from this knowledge?
[+] thefreeman|11 years ago|reply
The NSA should just leak documents showing all of the other governments doing this stuff so we can move on from the Anti US/UK circle jerk. Seriously if you think your government hasn't invested serious time and money in digital subterfuge you are living in a dream world and need to wake up.
[+] tete|11 years ago|reply
What I find really frightening is where they write:

From a military perspective, surveillance of the Internet is merely "Phase 0" in the US digital war strategy.

[...]

This enables them to "control/destroy critical systems & networks at will through pre-positioned accesses (laid in Phase 0)." Critical infrastructure is considered by the agency to be anything that is important in keeping a society running: energy, communications and transportation. The internal documents state that the ultimate goal is "real time controlled escalation".

This isn't about fighting terrorism. It's also not about the usual warfare it's more like the infrastructure or a set of tools to control nearly every other country or the planet or at least make sure that the US will always be able to keep them from disagreeing.

[+] tosser002|11 years ago|reply
I can understand the support of Snowden for blowing the whistle on domestic spying, but how is this defensible?
[+] ancarda|11 years ago|reply
> the only law that applies is the survival of the fittest.

Is this such a problem? In a world where exploits are used to break infrastructure, isn't the best solution simply to build increasingly more secure code? If that won't solve the problem I don't know if legislation will. Right now a determined hacker can harm a company via the internet (e.g. Sony). Are laws really going to stop that from happening?

If not, please correct me. I know little about cyber warfare and would love to know more.

[+] junto|11 years ago|reply
I'm pretty late to the party here but there are some fascinating parallels between the USG's actions in the physical world, as in the digital one.

First, the USG has made concerted and successful attempts to place secret digital strongholds and black sites across the globe, including some 'behind the enemy lines' so to speak. In the physical world these are the equivalent to CIA black sites and safe houses, from which you can attack and spy on the enemy, feed in extra weaponry to partisans and rebels (similar to the CIA Benghazi compound, sorry 'consulate', sorry 'embassy').

The NSA has all these smart dangerous and arguably immoral minds employed to defend the digital borders of the US. But in truth these minds are busier establishing secret pathways through the digital trenchlines in order to have a definitive and effective advantage when the cyberwar comes (which of course they are actively encouraging to validate their position, historical actions and future funding).

At the same time they are making a concerted effort to make sure that the security protocols everyone uses are undermined and backdoored. In effect they are making sure that the digital nuclear weapons held by their enemies aren't going to get in the air when the time comes.

Through strong encryption we could make sure that we have the digital equivalent of mutually assured security, but as ever the US isn't interested in this, because the reality is that the military industrial compound aims to make billions of dollars from the industry.

In a world where all communications and hardware devices were secure, they wouldn't make any money. A secure, stable and safe world just isn't profitable.

[+] amirmc|11 years ago|reply
At best this seems like an arms race but at worst, there are actually battles being fought (of a kind). I wonder what the digital equivalent of a nuke would be such that govts decide that diplomacy is better. Some kind of Digitally Affected Mutual Destruction (DAMD).
[+] philip1209|11 years ago|reply
Domestic surveillance was controversial and surprising. Is a spy agency preparing ways to attack and cripple foreign infrastructure that unexpected or contentious?
[+] ajcarpy2005|11 years ago|reply
How should NSA spying figure into the public's view of Obama's efforts to help municipalities build out competitively priced broadband networks?