More about the NSA's Tailored Access Operations Unit

Der Spiegel has a good article on the NSA's Tailored Access Operations unit: basically, its hackers.

"Getting the ungettable" is the NSA's own description of its duties. "It is not about the quantity produced but the quality of intelligence that is important," one former TAO chief wrote, describing her work in a document. The paper seen by SPIEGEL quotes the former unit head stating that TAO has contributed "some of the most significant intelligence our country has ever seen." The unit, it goes on, has "access to our very hardest targets."

Defining the future of her unit at the time, she wrote that TAO "needs to continue to grow and must lay the foundation for integrated Computer Network Operations," and that it must "support Computer Network Attacks as an integrated part of military operations." To succeed in this, she wrote, TAO would have to acquire "pervasive, persistent access on the global network." An internal description of TAO's responsibilities makes clear that aggressive attacks are an explicit part of the unit's tasks. In other words, the NSA's hackers have been given a government mandate for their work. During the middle part of the last decade, the special unit succeeded in gaining access to 258 targets in 89 countries -- nearly everywhere in the world. In 2010, it conducted 279 operations worldwide.

[...]

Certainly, few if any other divisions within the agency are growing as quickly as TAO. There are now TAO units in Wahiawa, Hawaii; Fort Gordon, Georgia; at the NSA's outpost at Buckley Air Force Base, near Denver, Colorado; at its headquarters in Fort Meade; and, of course, in San Antonio.

The article also has more details on how QUANTUM -- particularly, QUANTUMINSERT -- works.

Until just a few years ago, NSA agents relied on the same methods employed by cyber criminals to conduct these implants on computers. They sent targeted attack emails disguised as spam containing links directing users to virus-infected websites. With sufficient knowledge of an Internet browser's security holes -- Microsoft's Internet Explorer, for example, is especially popular with the NSA hackers -- all that is needed to plant NSA malware on a person's computer is for that individual to open a website that has been specially crafted to compromise the user's computer. Spamming has one key drawback though: It doesn't work very often.

Nevertheless, TAO has dramatically improved the tools at its disposal. It maintains a sophisticated toolbox known internally by the name "QUANTUMTHEORY." "Certain QUANTUM missions have a success rate of as high as 80%, where spam is less than 1%," one internal NSA presentation states.

A comprehensive internal presentation titled "QUANTUM CAPABILITIES," which SPIEGEL has viewed, lists virtually every popular Internet service provider as a target, including Facebook, Yahoo, Twitter and YouTube. "NSA QUANTUM has the greatest success against Yahoo, Facebook and static IP addresses," it states. The presentation also notes that the NSA has been unable to employ this method to target users of Google services. Apparently, that can only be done by Britain's GCHQ intelligence service, which has acquired QUANTUM tools from the NSA.

A favored tool of intelligence service hackers is "QUANTUMINSERT."

[...]

Once TAO teams have gathered sufficient data on their targets' habits, they can shift into attack mode, programming the QUANTUM systems to perform this work in a largely automated way. If a data packet featuring the email address or cookie of a target passes through a cable or router monitored by the NSA, the system sounds the alarm. It determines what website the target person is trying to access and then activates one of the intelligence service's covert servers, known by the codename FOXACID.

This NSA server coerces the user into connecting to NSA covert systems rather than the intended sites. In the case of Belgacom engineers, instead of reaching the LinkedIn page they were actually trying to visit, they were also directed to FOXACID servers housed on NSA networks. Undetected by the user, the manipulated page transferred malware already custom tailored to match security holes on the target person's computer.

The technique can literally be a race between servers, one that is described in internal intelligence agency jargon with phrases like: "Wait for client to initiate new connection," "Shoot!" and "Hope to beat server-to-client response." Like any competition, at times the covert network's surveillance tools are "too slow to win the race." Often enough, though, they are effective. Implants with QUANTUMINSERT, especially when used in conjunction with LinkedIn, now have a success rate of over 50 percent, according to one internal document.

Another article discusses the various tools TAO has at its disposal.

A document viewed by SPIEGEL resembling a product catalog reveals that an NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry -- including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell.

[...]

In the case of Juniper, the name of this particular digital lock pick is "FEEDTROUGH." This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive "across reboots and software upgrades." In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH "has been deployed on many target platforms."

[...]

Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.

[...]

There is no information in the documents seen by SPIEGEL to suggest that the companies whose products are mentioned in the catalog provided any support to the NSA or even had any knowledge of the intelligence solutions.

The German version of the article had a couple of pages from the 50-page catalog of tools; they're now on Cryptome. Leaksource has the whole TOP SECRET catalog; there's a lot of really specific information here about individual NSA TAO ANT devices. (We don't know what "ANT" stands for. Der Spiegel speculates that it "stands for Advanced or Access Network Technology.") For example:

(TS//SI//REL) SOUFFLETROUGH is a BIOS persistence implant for Juniper SSG 500 and SSG 300 series firewalls. It persists DNT's BANANAGLEE software implant. SOUFFLETROUGH also has an advanced persistent back-door capability.

And NIGHTSTAND:

(TS//SI//REL) An active 802.11 wireless exploitation and injection tool for payload/exploit delivery into otherwise denied target space. NIGHTSTAND is typically used in operations where wired access to the target is not possible.

NIGHTSTAND can work from as far away as eight miles, and "the attack is undetectable by the user."

One more:

(TS//SI//REL) DROPOUTJEEP is a software implant for Apple iPhone that utilizes modular mission applications to provide specific SIGNIT functionality. This functionality includes the ability to remotely push/pull files from the device, SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower location, etc. Command, control, and data exfiltration can occur over SMS messaging or a GPRS data connection. All communications with the implant will be covert and encrypted.

(TS//SI//REL) The initial release of DROPOUTJEEP will focus on installing the implant via close access methods. A remote installation capabilitiy will be pursued for a future release.

There's lots more in the source document. And note that this catalog is from 2008; presumably, TAO's capabilities have improved significantly in the past five years.

And -- back to the first article -- TAO can install many of the hardware implants when a target orders new equipment through the mail:

If a target person, agency or company orders a new computer or related accessories, for example, TAO can divert the shipping delivery to its own secret workshops. The NSA calls this method interdiction. At these so-called "load stations," agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies. All subsequent steps can then be conducted from the comfort of a remote computer.

These minor disruptions in the parcel shipping business rank among the "most productive operations" conducted by the NSA hackers, one top secret document relates in enthusiastic terms. This method, the presentation continues, allows TAO to obtain access to networks "around the world."

They can install the software implants using techniques like QUANTUM and FOXACID.

Related is this list of NSA attack tools. And here is another article on TAO from October.

Remember, this is not just about the NSA. The NSA shares these tools with the FBI's black bag teams for domestic surveillance, and presumably with the CIA and DEA as well. Other countries are going to have similar bags of tricks, depending on their sophistication and budgets. And today's secret NSA programs are tomorrow's PhD theses, and the next day's criminal hacking tools. Even if you trust the NSA to only spy on "enemies," consider this an advance warning of what we have to secure ourselves against in the future.

I'm really happy to see Jacob Appelbaum's byline on the Der Spiegel stories; it's good to have someone of his technical ability reading and understanding the documents.

Slashdot thread. Hacker News thread. MetaFilter thread. Ars Technica article. Wired article. Article on Appelbaum's talk at 30c3.

EDITED TO ADD: Here's Appelbaum's talk. And three BoingBoing posts.

Posted on December 31, 2013 at 7:31 AM • 140 Comments

Comments

AndrewAndrewDecember 31, 2013 8:00 AM

This is what the NSA should be doing. Targeted access, not dragnet surveillance.

MoofDecember 31, 2013 8:17 AM

That the NSA have been the Federal Government's hackers is not news. Targeted hacking is also not news. So long as they don't poison entire supply chains, I don't see the problem here.

Then again, NSA does appear to have a problem with constraining scope, so who knows?

JohnDecember 31, 2013 9:00 AM

I am kind of shocked that the Dell support forums have not been over run with questions regarding the hardware backdoors they have been inserting.

CleverBoyDecember 31, 2013 9:33 AM

It's not clear to me from the Spiegel article whether the NSA created backdoors in products, or they just have tools that leverage unpublished vulnerabilities. That latter wouldn't shock me at all- in fact I'd say that's our tax dollars at work! Am I missing something?

65535December 31, 2013 9:51 AM

Dell's Power Edge is headed for the dumpster - along with a lot of other American made products.

JacksonDecember 31, 2013 10:14 AM

If you rewind just a couple years, you will find similar reports were invariably dismissed as FEAR MONGERING. You said it yourself, ultimately it doesn't matter who does it - these are attack vectors, period.

You haven't seen anything yet.

Bruce SchneierDecember 31, 2013 10:18 AM

"It's not clear to me from the Spiegel article whether the NSA created backdoors in products, or they just have tools that leverage unpublished vulnerabilities."

Both. A lot of what they do is exploit existing vulnerabilities. But when they intercept packages in the mail to install hardware implants, that counts as creating backdoors.

What seems clear is that the companies whose products are being compromised are not collaborators with the NSA in this particular program.

SkepticalDecember 31, 2013 10:27 AM

This is akin to publishing a CIA manual on lockpicking or safecracking. It does not reveal illegal activity. It does not reveal unethical activity. It reveals tools that a signals intelligence agency would need in order to gather signals intelligence.

The problem with the people publishing this stuff is that they do not understand institutional or legal safeguards; they don't trust people, period. So for them it's just as dangerous for the NSA to have a codebreaking tool, or the CIA a safecracking tool, or the FBI an eavesdropping device, as it is for anyone else to have those things.

It's a fundamentally anti-institutional, anarchist view.

Unfortunately it's also naive and dysfunctional. Some institutions are bad, with either pernicious norms and rules or with pervasive corruption. Some institutions, though, are not.

To have a functioning government that provides national security in a modern world you need good signals intelligence tools. That's what these things are. Can a bad institution use them for bad purposes? Absolutely, just like a bad organization might use an explosive device for bad purposes.

We ensure that our institutions develop and maintain good norms and rules by creating systems of oversight and checks. We do that within the NSA itself, by creating bureaucratic units whose interests lie in monitoring and finding rule-breaking and corruption; we do that on a broader level within the executive branch by creating entire departments (the Justice Department) whose incentives are to find and investigate criminal activity and prosecute it (and this has included everyone from United States Senators to local sheriffs); we do it on an even broader level by allowing other branches of government oversight and even partial control.

But if you fundamentally just can't trust anyone, and don't understand how institutions work, then none of those systems will mean anything to you. You'll just see a tool that can be used to harm someone, even if a part of you recognizes that it's a tool that can be used for good purposes as well.

Breaking security is what that part of the NSA does. Stopping them from doing so will not make us any safer; you'll simply allow other countries a monopoly on such techniques. Publishing this material tells every other country what the NSA can do, while providing no information about what other countries can do. All security is relative, and this publication just shifted it towards nations like China and Russia. Nice job.

As to the leak of the entire catalog, my skepticism towards Snowden's exercise has crossed over into disgust. This is a Wikileaks style dump. The guys who leaked documents with the social security numbers of military personnel. The guys who leaked specific procedures used by coalition forces in Iraq to disable IEDs.

I hope Snowden, and looking at this leak I increasingly suspect a few others as well, are getting familiar with 18 USC 794. They'll be hearing a lot more about it in the foreseeable future.

XyzDecember 31, 2013 10:34 AM

How long it would take, when we have an NSA "hardware implant" on sale on ebay? Or a blog post of how to make your own?

Bruce SchneierDecember 31, 2013 10:37 AM

"I am kind of shocked that the Dell support forums have not been over run with questions regarding the hardware backdoors they have been inserting."

It's the week between Christmas and New Year's. I worry that this story will not get the attention it deserves, because it's a dull news time.

SkepticalDecember 31, 2013 10:50 AM

Just want to add that my comment isn't directed at Bruce or anyone else discussing or reporting responsibly on these leaks. But some have sacrificed too damn much for me to be able to view this cavalier leaking of sources/methods (far beyond what is necessary even for the claimed goal of a public discussion) as anything other than revoltingly criminal and irresponsible.

XyzDecember 31, 2013 10:51 AM

"Status: Ready for Immediat Delivery Unit Cost: $0".

Is this a joke? To good to be true. I would like the Pro version though. Will $100?

TroutwaxerDecember 31, 2013 11:12 AM

@ Skeptical

Dude, I don't want to be protected by the NSA. I want to be protected from the NSA. I also want to be protected from the FBI, the DEA, the CIA, etc. It's not that I've done anything wrong; it's that I don't trust those organizations.

This has not always been the case. There was a time when I did trust. But after 13 years of both the Bush II and Obama administrations working very hard to lose the public's trust I don't trust our institutions anymore. Both administrations have failed to arrest banksters, failed to arrest war criminals, failed to reign in ugly and deceitful business practices, failed to expose and end corruption, failed to attack the right targets in the War on A Tactic, and failed to enforce the Bill of Rights.

The intelligence/law enforcement institutions you shill for have failed right along with these administrations. They've been caught lying over, and over again, they've violated the Constitution and they've put the entire country under surveillance. Therefore these institutions have quite rightly forfeited the public's trust, and it is entirely appropriate that they be put under a microscope, tried, convicted, and disbanded.

Hopefully the next band of bureaucrats will learn their lesson and gather intelligence without violating our rights.

graysladyDecember 31, 2013 11:21 AM

@Skeptical: "We ensure that our institutions develop and maintain good norms and rules by creating systems of oversight and checks."

No we don't. You haven't been paying attention. These tools are being used against all Americans--and everyone else, too, it seems. The Constitution has a prohibition against general warrants. The NSA and its enablers (whether domestic or foreign) have conveniently ignored all the checks and balances, that, to be perfectly frank, were never too rigorous initially. These programs have nothing to do with national safety and everything to do with denying individual freedoms. Most of us, I hope, find authoritarianism to be counter-productive to human talents and human rights.

shockedanddismayedDecember 31, 2013 11:33 AM

What are the chances that there are NSA sock puppets on this forum? Er, 100%?

The new politics is attempting to subvert discussion everywhere by attempting to make everything questionable. Most people will go back to sleep if unlikely happy BS is repeated often enough despite any and all contradictory evidence.

shockedanddismayedDecember 31, 2013 11:37 AM

P.S. I am not saying that any particular poster is a puppet. How would I know? Obviously many people can be convinced of almost anything by a guy in a suit and a crowd chanting "USA!USA!USA!"

But we do know that sock puppet tech is in use. Why not here?

AnuraDecember 31, 2013 11:41 AM

The presentation also notes that the NSA has been unable to employ this method to target users of Google services. Apparently, that can only be done by Britain's GCHQ intelligence service, which has acquired QUANTUM tools from the NSA.

I'm guessing that's because that would require NSA leaving the "legal box" they are in, which does not apply to the GCHQ since they are not under US law? Basically, if you can't leave the box, get a freind who is outside it, and the box becomes irrelevant.

This is my biggest problem with what has been going on; congress and the courts seem are focused on whether what they were doing is legal or illegal, and not whether it is right or wrong. I do think we need an international treaty to prevent everyone who signs the treaty from spying on citizens in their own countries or foreign countries, without just cause, a warrant, and informing the authorities in foreign countries if it is not within your own borders.

It's still not enough without oversight, of course.

Nick PDecember 31, 2013 11:43 AM

@ grayslady, Troutwaxer

I recommend not bothering trying to sway Skeptical. I read his posts in a huge debate he had with Dirk Praet. The only consistently valid claim he made, imho, is this might be legal... technically. I said the same thing leading to concept of a political solution.

Aside from that, Skeptical mainly rehashes the same arguments based on highly selective use of evidence from reporting. He or she works hard to find points to support the activities of the NSA. He or she also plays down every critical issue brought up here. This includes risks with historical precedents (even within NSA) backing them up.

Conclusion: Skeptical has a vested interest in NSA continuing its activities. This might be shared politics, employment by govt, or something else. You won't change Skeptical's mind because Skeptical is here to change your mind for benefit of NSA. There's better uses for our mental energy than debating such people.

9657425882598456December 31, 2013 11:50 AM

"Publishing this material tells every other country what the NSA can do, while providing no information about what other countries can do. All security is relative, and this publication just shifted it towards nations like China and Russia. Nice job."

As if they (or any high value target) didn't already know of NSA's (or similar other countries' agencies - I'm waiting for their Snowdens) capabilities. The problem is that the broad public didn't know. But needs to, to ensure their democratic control. Which, as we know thanks to Snowden, has been a problem, to say the least. And not just in the US.

LorenzoDecember 31, 2013 11:59 AM

Bruce, I assume you've seen this stuff before it was published. I wonder how this has changed your precautions for your air-gapped computer. Do you have two PCs, each bought in a different place, at a different time, and compare their computations and network output to check for backdoors?

Referring to @skeptical point, your observation is correct but assumes a healthy democracy and a working balance of power. What we've witnessed is neither: the NSA has been running loose for a while, disregarding the law and gathering too much power (including lying to congress and the public and going unpunished for that). Responses such as Snowden's were inevitable. Hence, their tools should be regarded as criminal tools that could be used for the public good rather than the opposite, as you do.

Happy new year to everyone :)

SkepticalDecember 31, 2013 12:16 PM

Nick, I have no connection with the NSA whatsoever. If you think I've made "selective use" of facts, please point them out. I like to think critically about things, which means I'm initially skeptical of any claim made to me, whether by the government or anyone else. Because of that skepticism, and because I enjoy analyzing reports and arguments, I'll spend the time to read source documents and opposing viewpoints on subjects. So I try to avoid being selective.

My views here are obviously in the minority, but having worked to protect the right of an individual to express a minority view, including against government attempts to suppress such views, I'm comfortable with that. I would ask only that you refrain from personal accusations, and take (or ignore, as you please) my comments as honest and genuine attempts to add to the discussion or express my viewpoint.

IdRatherNotSayDecember 31, 2013 12:27 PM

As a society, we can ill afford the mindset of an organization that is effectively deciding guilt, then finding evidence to support it.

BobDecember 31, 2013 12:35 PM

@Skeptical

Spy agencies are tasked with spying and I don't think anyone would disagree they need to be effective. I would be shocked if the NSA *didn't* have the tools listed in their catalog. That's just good spycraft. The issue here is that the NSA abuses its government position to disregard legal safeguards, to lie about it while labelling it a state secret, and to coerce American businesses into giving them an advantage (also a state secret).

CIA spies break foreign laws on foreign soil with the understanding that if they're caught then they won't get any help from the US government. The NSA operates on US soil and should be bound by US laws regardless of who they're spying on. But since everything is a secret there's no risk to breaking US laws. The fourth amendment isn't a suggestion and it doesn't contain any exceptions for "terrorists". The only question is if Smith v. Maryland is still relevant.

And further, your fear that people knowing about the tools in the NSA toolbox makes the NSA ineffective is silly. If their tools rely on secrecy to be effective (security-by-obscurity) then they're not very effective tools to begin with. But more importantly, if the NSA has its paws in all major electronics then people concerned about being spied on would need to stop using all of those electronics. I don't think that's very likely to happen when there's no evidence American businesses aren't being forced to cooperate in this case.

AlanSDecember 31, 2013 12:56 PM

@Skeptical

This is a total surveillance program. The framers of the constitution were strongly opposed to blanket searches of this sort because of the threat they pose to liberty and democracy. It's not the critics of such a program that are being "anti-institutional". Quite the opposite; a surveillance program of this type is in fundamental contradiction with the core institutional values on which this country was founded.


Brian M.December 31, 2013 1:02 PM

Interdiction is search and seizure. I hope that this is being done under the auspices of a warrant.

Really, what does one expect from a government agency with a budget in the many billions? Of course they can blithely walk through many layers of digital defense.

Frank N. SteinDecember 31, 2013 1:06 PM

Agree with skeptical. It's really laughable to think anyone beeline we the rule of law is in any way relevant right now. The even more hysterical thought is that somehow "this is it ." You techno "experts" have got to me some of the most limited thinking people ever. Too much time in "cubicle country" I'm afraid. "Computing" is a fairly minor and insignificant aspect of the over all Agenda. These are only communication systems and therefore represent at most over watch at best.

GeorgeDecember 31, 2013 1:29 PM

It's probably good that they're using the latest technological exploits against terrorists. But what effective checks exist to prevent them (or their bosses) from abusing the exploits against American citizens? That's the real problem.

I don't consider the assurances of James Clapper and Keith Alexander that we can blindly trust them to never abuse their surveillance powers as anything remotely resembling an effective check against the extremely high abuse potential. Even Ronald Reagan insisted that we "trust but verify" Soviet disarmament.

shockedanddismayedDecember 31, 2013 1:33 PM

"If you think I've made "selective use" of facts, please point them out."

Another obfuscation strategy. Make believe that the facts in question have not been shown again and again. Many example of the failure of FISA oversight have been surfaced. But it is very effective to confuse the less knowledgeable by insisting that these facts have never been put forth.

" I would ask only that you refrain from personal accusations, and take (or ignore, as you please) my comments as honest and genuine attempts to add to the discussion or express my viewpoint."

Right out of the sock puppet script. Not that Skeptical necessarily is, but what about my right to express MY viewpoint that s/he appears to be?

An effective way to show that you are not a sock puppet is to actually reference all the evidence that does not support your position. We know it exists and your refusal to acknowledge it is what leads to the appearance of being a shill.

Marcos El MaloDecember 31, 2013 1:50 PM

The next time you travel by spy plane, be sure to check out the inflight magazine for the SpyMall advertisements.

shockedanddismayedDecember 31, 2013 2:05 PM

In the context of intelligence being able to surveil anything and anybody seems useful. But its cost in the wider context of society is too high.

If everything can be hacked, how can we trust anything? Especially with lack of transparency.

Historically domestic intelligence has corrupted. Think of J Edgar Hoover's files. Think of the Stasi. COINTELPRO.

Look at Obama. His policies took an abrupt shift to the right once he hit office. Maybe he wasn't honest about his beliefs during the campaign. Maybe new information he learned as President caused the shift. Or maybe powerful insiders used the information they collected to blackmail him. Because the NSA collects everything about everybody and then lies about it, the last will always be a possibility, if not a likelihood.

How can we trust electronic voting machines now that we know that NSA is undoubtedly subverting them? The Bill if Rights is increasingly being discarded "for our own good." Why would they stop there? What if they considered free elections to be too great a threat?

If the NSA used its skills to protect systems rather than subvert them, we wouldn't need to have weapons for this cyber war of our own creation. If there were transparency rather than blanket secrecy, we could actually live in a democracy. Democracy is not possible if people have no access to political reality.

Why did the Supreme court give money the ability to buy elections? It is obviously undemocratic. Blackmail -- or something I don't understand in my ignorance? I'LL NEVER KNOW.

But the final question is: The NSA -- and our government -- treats all foreigners as adversaries. THEY treat their own citizens as adversaries. THEY appear to be disjoint from either of these groups. Who the heck are THEY? What interests are THEY protecting?

Jenny JunoDecember 31, 2013 2:11 PM

@skeptical
"The problem with the people publishing this stuff is that they do not understand institutional or legal safeguards; they don't trust people, period"

Yes. I think this is the fundamental difference between people like Skeptical and people like myself.

While I do believe that people on average try to do good, I don't trust people I don't know to be responsible. I am surprised by anyone who does. Furthermore, institutions inherently dilute responsibility. The concept of institutional self-policing has been shown to be another avenue for corruption so many times that I am surprised when anyone believes otherwise.

I don't think any amount of arguing will change either of our opinions - some people simply trust in authority, others believe that authority is such a temptress that it needs to be questioned, doubted, at every step and that the greater the authority, the more doubt is called for.

In the case of the NSA, all reporting so far has revealed an agency with enormous amounts of authority, and a stunning amount of credulity on the part of nearly all of the people whose job it was to doubt and question the institution.

Dave WalkerDecember 31, 2013 2:42 PM

I note that the "product catalogue" pages include the caveat "REL TO USA, FVEY" - a quick Google shows FVEY to be a slightly-unusual contraction of 5 EYES.

Given the comment that "other countries are going to have similar bags of tricks, depending on their sophistication and budgets", it's a reasonable conclusion that a certain 4 US-friendly nations have some superset of what's in this catalogue at their disposal; after all, why make the details available otherwise?

The Juniper / Netscreen attacks are tantalising reading - the big question is whether they are effective when passed into an interface on a screen which is configured in stealth mode, or whether the screen is required to be addressable (and, therefore, routing). An attack against a stealth screen would be "quite something".

AndyDecember 31, 2013 2:47 PM

TechCrunch has a piece on Apple's strongly worded denial of complicity in DROPOUTJEEP. They note the need for "close access" and suspect that over the air installation may never have been successfully developed. There are a lot of vulnerabilities you can exploit if you have physical control of the device that you can't exploit over the network. Others have noted that the memo was dated 2007 (the reference to GPRS is also a tipoff to how long ago this was), and iOS has undergone significant security improvements since then. Personally, I think it unlikely that NSA can compromise any iPhone at will, especially without Apple's help, and found the TechCrunch piece a breath of fresh air in the midst of a lot of "sky is falling" coverage. That doesn't mean that I don't take the NSA situation seriously, just that, as with any other security issue, we need to understand the risks realistically and address the highest risks first. I doubt that iPhones are at the top of the list, except to the extent that they make phone calls through a carrier. That risk is carried by every dumb handset as well as the most sophisticated smart phones.

Brian M.December 31, 2013 3:00 PM

Hmm, what if a target had fun with interdiction? (basic concept: put real dirty diapers in the camera bag, and cameras in the diaper bag.)

For instance, let's suppose I figure that my stuff is interdicted because I'm head of Al Qaeda's network ops. I have "ordered" a "new switch" for my data center. Now, what does a commercial switch look like? A box with connectors! So I have someone send me a switch that's been rigged to apply AC line current to the ports when it's turned on. Bingo! Some NSA equipment has been fried! Gee, the faulty quality assurance of some companies! I'm soooooo going to give them a 1 star review!

It's like vacuum packaging skunk glands in with bogus documents. Hey, you spooks wouldn't have been complaining if you hadn't messed with it in the first place!

Beware a redneck BOFH! Oh, and beware artwork by Piero Manzoni.

Bruce SchneierDecember 31, 2013 3:00 PM

"Given the comment that 'other countries are going to have similar bags of tricks, depending on their sophistication and budgets,' it's a reasonable conclusion that a certain 4 US-friendly nations have some superset of what's in this catalogue at their disposal; after all, why make the details available otherwise?"

Yes. That is a reasonable assumption.

qamDecember 31, 2013 3:50 PM

Bruce,

Do you honestly think that there will be substantive NSA reforms once all is said and done? I feel more and more helpless the more I hear about the NSA and as of now it is uncertain if meaningful reform will happen for the NSA.

FirefoxDecember 31, 2013 3:59 PM

The other point that "Skeptical" doesn't mention is that if "Breaking security is what the NSA does", as he himself admits, then Internet security is broken. It's childish to pretend that every one of the thousands of staffers of NSA, GCHQ, etc. etc. is virtuous, patriotic, selfless and incorruptible and will keep their hacks and backdoors secret forever. Sooner or later, if not already, those hacks and backdoors will become public knowledge, or at least underground knowledge. Then you can forget about doing financial transactions on the Internet. We're going to have to rewind 20 years and go back to paper because some NSA smart-ass has compromised the Internet in the name of the "war or terror". Why do Skeptical and his friends think this is a good thing?

AlanSDecember 31, 2013 4:02 PM

@shockedanddismayed: "Look at Obama. His policies took an abrupt shift to the right once he hit office. Maybe he wasn't honest about his beliefs during the campaign. Maybe new information he learned as President caused the shift."

Brings us all the way back to the trust issue. Total surveillance undermines all checks and balances because it provides knowledge that allows anyone to be gotten at.

This was one of the key points James Otis made against writs of assistance in 1761: "Every one with this writ may be a tyrant; if this commission be legal, a tyrant in a legal manner, also, may control, imprison, or murder any one within the realm."

He goes on: "This wanton exercise of this power is not a chimerical suggestion of a heated brain. I will mention some facts....Mr. Justice Walley had called this same Mr. Ware before him, by a constable, to answer for a breach of the Sabbath-day Acts, or that of profane swearing. As soon as he had finished, Mr. Ware asked him if he had done. He replied, "Yes." "Well then," said Mr. Ware, "I will show you a little of my power. I command you to permit me to search your house for uncustomed goods" — and went on to search the house from the garret to the cellar; and then served the constable in the same manner!"

Mike FDecember 31, 2013 4:43 PM

Can anyone be a sock puppet? Can I?

I don't know much about security which, in the context of this blog, might be a weakness. However, my wife knits socks and I have access to many.

I hope you accept my application. I am very excited at the possibilities. Look for me in the new year, puppeting away like crazy.

Nick PDecember 31, 2013 5:14 PM

Good illustration of LEO vs Civil Rights

https://www.youtube.com/watch?v=w-WMn_zHCVo

A friend in Tennessee sent this to me. I wanted to post it here as I previously posted links to 10 Rules for Dealing with The Police. It was obvious the guy in the video saw it and was applying the rules. The only gripe I have is he failed the attitude test so this isn't really an exemplary video for handling a traffic stop. See 10 Rules on youtube for that.

However, it is a perfect example of LEO's ignoring people's rights and intimidating them into giving them up. I'm posting it here instead of squid thread b/c it informs the discussion about NSA legal issues & ethics. The idea is they will get lots of power, use it only for good, and secret regulation will work. Yet, events like in this video are a regular occurrence across the country involving many levels of law enforcement.

That NSA is impervious to this effect is hard to believe. The difference is that the abusers will have tremendous power/knowledge, the victims can't legally discuss it, and there is little recourse (and no prison) if abuse was proven. Such a situation, given long litany of LEO abuses in the US, means that giving an agency the power of the NSA without equally strong accountability is absolutely ridiculous. It's also probable that even with accountability it's too much power for a govt to wield in a democracy.

Bonus: the Snowden leaks (particularly FISC material) showed that NSA IS behaving similarly so my conclusion already proved true.

DanielDecember 31, 2013 5:37 PM

Bruce writes, "What seems clear is that the companies whose products are being compromised are not collaborators with the NSA in this particular program."

I do not see that as clear at all. This goes back to the trust issue. Everything a company says now has to be treated with deep distrust. They may be lying because there is some NSA letter no one knows about or they may simply be lying because they are scared that coming clean will cost them business in one direction or another. But I just do not see how it's honest to say that anything is "clear" anymore. There are many ways in which a company can cooperate, even if that cooperating is simply looking the other way. My best guess is that that have been cooperating, we just do no know how yet.

Nick PDecember 31, 2013 5:37 PM

@ Wael

From the NSA technical document:

"RANGEMASTER. RF retro-reflector that provides an enhanced radar cross-section for VAGRANT collection. It's concealed in a standard computer video graphics array (VGA) cable between video card and video monitor. It's typically installed in the ferrite on the video cable... provides a target for RF flooding and allows for easier collection of... video signal. Current... taps the red video line on the VGA cable. It was found that, empirically, this provides the best video return and cleanest readout of the monitor contents."

There's goes my "amplifying cable" concept you liked. They beat me to it, though: 2008.

Mike AnthisDecember 31, 2013 6:07 PM

Regarding Citizens vs. NSA vs. The World, one must keep in the front of one's mind, that it is not a two-way, zero-sum fight.

Substitute "Military" for "NSA" and things clear up a lot.

Also, never forget that "trusted" and "untrusted," "good" and "bad", oversimplify things in confounding ways.

WaelDecember 31, 2013 7:07 PM

@ Nick P,

There's goes my "amplifying cable" concept you liked.
I remember that discussion, but can't remember the context. I'll have to dig it up first, then comment...
They beat me to it, though: 2008...
That's not surprising. They'll beat you and most people on this blog by a far margin. I think I stated once that these sort of organizations are 30 - 40 years ahead in technology. "They" don't have the pressure to "publish" papers like researchers in academia. They also recruit academics, so it's a one way street knowledge flow as well...

Michael MoserDecember 31, 2013 7:09 PM

How I parse this information: by now Snowden has lost any hope of ever being able to return to the US.

There were some reports that a pardon was being conidered
http://www.theguardian.com/world/2013/dec/15/nsa-edward-snowden-amnesty-documents

But Obama later said that this is out of the question
http://www.techtimes.com/articles/2212/20131222/obama-says-pardoning-snowden-is-out-of-question.htm

So Snowden now has no problem with releasing operational details that are outside the scope of the dragnet program

BapDecember 31, 2013 7:38 PM

@Michael Moser

Maybe this all is leading up to a big shocker revelation such as "all of these tactics are used to blackmail incumbent politicians and/or civil rights leaders"?

Nicholas WeaverDecember 31, 2013 8:53 PM

A few thoughts I had on the QUANTUM leaks:

In 2011! the started developing! a system to doing the detection/control logic at the wiretap, prior to that it was "tip to FOXACID/TURBINE system which actually fires the 'shot'". This added a huge amount of latency, which explains 100 tips to just 5 successful shots in the Sweedish deployment: they had a huge latency hit on their injector.

And the packet injection overall didn't start until 2005 or so, prior to that the NSA acted like the Chinese: phishing emails with URLs to FOXACID servers.


The final interesting feature which stands out for me is that the NSA is doing massive cookie chaining/harvesting/analysis on a global basis to enable their targeting of "exploit by name".

They basically have created a massive database of observed web cookies and links between them from their worldwide wiretaps. Here's a concrete example of how it works:

A user somewhere in the world logs into LinkedIn, with the request containing a set of cookies. In the returned HTML page, the user's login information is conveyed in the clear. This allows the NSA to associate the user with the cookies.

Then the LinkedIn page includes an ad served through DoubleClick. By tracking the referrer field, the NSA is now able to map the LinkedIn cookies to the DoubleClick cookies.

So now when the analyst wants to target someone who, say, works for Belgacom, they identify the LinkedIn profile, and by searching this database can also get the user's Doubleclick cookies (and a bunch of others, this is transitive, so it can get, say, their Slashdot cookies, or their Yahoo cookies, etc...).

They then instruct the NSA's realtime wiretaps to look for requests which are invisible but active elements (e.g. javascript) which match any of their target's cookies, and issue an injected reply which exploits their target.

This same database allows the NSA to passively track how everyone moves around the world, what sites everyone visits, what porn they watch, etc...


But overall this really makes me wonder about the NSA: they seem to use money to overcome creativity/competence: I would have been doing packet injection right from the start (it seems to be 2006 or so that they switched from FOXACID spam), and I would have ALWAYS been doing the attack logic at the wiretap, the split architecture they used (and perhaps still use on some taps) is just stupid.

So stupid that, when I was asked how 100 tips could end up with just 5 successful shots, I never considered that their latency of injected packets was so bad!

Also, the use of their global cookie database is interesting but unnecessary: Their injector logic seems to rely only on the cookies, rather than doing a realtime match and then inject on a subsequent fetch, but the latter works just as well.

Overall, it makes me think that in 2006 or so, QUANTUM was deployed as an ugly hack, that they kept with to at least 2011 before they finally started architecting things right: Building control logic at the wiretap itself, with virtual machines for different functions.

TroutwaxerDecember 31, 2013 9:10 PM

I would ask only that you refrain from personal accusations, and take (or ignore, as you please) my comments as honest and genuine attempts to add to the discussion or express my viewpoint.

Feh.

PeterDecember 31, 2013 9:26 PM

I agree with Skeptical - how interesting and fascinating this information about all the TAO gadgets may be, it has nothing to do anymore with alleged abuse of power by the NSA. The metadata collection is questionable, but this kind of very specific targeted hacking isn't.

Unless of course you are against any kind of intelligence operations by the government, and that's what Appelbaum is. His talk was full of anarchist fear-mongering, as if every person in the world has to fear this kind of hacking, which is simply not true. Snowden and Greenwald are slightly less anarchistic, but they too are constantly exaggerating what NSA is apparently doing.

It's true what Bruce says here: "And today's secret NSA programs are tomorrow's PhD theses, and the next day's criminal hacking tools. Even if you trust the NSA to only spy on "enemies," consider this an advance warning of what we have to secure ourselves against in the future."

But in my opinion we should counter those threats together with our governments, and not seeing them as another enemy. Governments should protect their citizens, and citizens should have trust in their governments - but what Greenwald c.s. is doing, is destroying that trust, just as he tried to destroy the relationships between the US and Brazil, Mexico, Germany and other countries.

65535December 31, 2013 9:34 PM

Some insider once said: “It’s alright to break the law as long as it doesn’t transcend policy.”

That is where the problem begins.

[Der Spiegel]

“…numerous homeowners in San Antonio, Texas, stood baffled in front of their closed garage doors. They wanted to drive to work or head off to do their grocery shopping, but their garage door openers had gone dead, leaving them stranded… the problem primarily affected residents in the western part of the city, around Military Drive ...known as Loop 410… the mysterious garage door problem quickly became an issue for local politicians... Ultimately, the municipal government solved the riddle. Fault for the error lay with the United States' foreign intelligence service, the National Security Agency, which has offices in San Antonio. Officials at the agency were forced to admit that one of the NSA's radio antennas was broadcasting at the same frequency as the garage door openers.”

I am sure the NSA knows about the “Federal Communications Commission” and it laws about transmitting radio over bands which the FCC regulates. The NSA’s transmission on an FCC allocated spectrum is probably a misdemeanor crime and/or civil matter.

Because of the NSA's misuse of radio spectrum which blocked garage door from being opened, a large amount of people were affected. The blocked garage door problem got run up the political pole to the FCC. The FCC probably fingered the NSA as the offender.

The politicians then had to work through "back channels" to get the NSA off of spectrum mandated for garage door openers without angering the NSA and presenting a “plausible deniable" situation to their constituents. That is a small example of damage to people and property - not to mention federal rules being broken.

As Troutwaxer said:

“I don't want to be protected by the NSA. I want to be protected from the NSA.”

I too don’t want to be protected by the NSA and I don’t want to pay for the NSA’s shenanigans or their enormous budget!

The NSA is clearly breaking domestic laws and most likely international laws under the ruse of "National Security". We have laws against damaging computers, stealing trade secrets, intellectual property and bribery. Other countries have equivalent laws. The NSA breaks those laws with seemingly no bounds.

How far does this “Spy at all costs” go? Does in include members of congress that have critical funding authority over the NSA?

Does it involve spying on judges and their clerks who are hearing legal cases against the NSA? Does this spying include helping politicians who are allied with the NSA to defeat their political opponents? This is a deep hole to crawl down.

All crime starts small and grows large. Petty thieves become bank robbers. Small swindlers become big swindlers and wife beaters become killers.

Just, how far has the NSA gone with its “National Security” ruse? Is it a few break-ins and implants in politician’s head quarters? A few judges being bugged?

A few bribes to influential people. Some dirt dug-up on politician opponents or news reports that are not aligned with the NSA.

Is the head of the GCHQ being recorded in every fashion and held on a storage device for further analysis? Or, is it much worse? I am sure there are plenty of ugly stories that have not been told.

Until people see tangible limits on the NSA and "secret courts" I suspect great ruin will come upon the USA. The lies must stop. Trust must be re-established.

Nick PDecember 31, 2013 10:35 PM

@ Steve

"What's the difference between Apple and the NSA? A business plan."

Seeing all the money that NSA staffers, directors and contractors (esp Booz Allen Hamilton) are making doing this stuff it's hard to believe they don't have a "business plan." They take in more money than many Fortune 100 companies' profits. And unlike them NSA can run at a loss. ;)

Brian ADecember 31, 2013 10:43 PM

I don't get it. Why is nearly everyone here against intelligence operations? It's understandable that a degree of transparency is desired but how does revealing this stuff help anything? It can only make sense from an anarchist view. Like Peter and Skeptical have indicated, this totally shifts the balance over to China and Russia in the cyber realm. Now had an equal quantity of information been revealed about China and Russian's operations and tools, that would have only been fair.

How transparent can you be and have effective intelligence methods?

npcompleteDecember 31, 2013 10:44 PM

Regarding the idea espoused by some that this is legitimate just because it's targeted. It is not. It is not even ethical. By what right do they have to violate the property of others? People advocating this have a totally statist mindset. They are advocating that some groups of people be given powers beyond rights that everyone as individuals have.

The only way such an act is justified is if the target himself has violated the rights of others. Essentially the act would be in pursuit of restitution (which includes more than monetary compensation). However, what if the NSA or whoever does this was wrong? Would they not be criminals themselves? Ah, but you say bu, but.. but how else could they do their job? I should remind you that a job that violates rights, or specifically individual liberty, is never a legitimate job. The answer is all acts government take would be speculative. Why make an exception for government?

What does targeted, local or foreign, have to do with anything?

If you think I stole your TV and bust down my doors, and it turns out you were right, then you were justified. BUT if you busted down my doors and it turns out you were wrong, then you yourself have just committed a crime. It doesn't matter if you're an agent of the state.

PeterDecember 31, 2013 11:36 PM

Well, targeted related to NSA means of course that they target someone or some organization which is considered a threat to the US or of interest for US safety, security or interests. Just the same way as the police is looking out for people who can be a threat to others. That's the whole idea behind having a government, instead of every single person having to safeguard his own house by arming himself (which many Americans actually do by the way).

It may hard to believe, but also the capabilities of NSA are limited, so they too have to be as efficient as possible in what they are doing. So they will try to focus on people and organizations that they think is worth using all their equipment for.

Nick PDecember 31, 2013 11:39 PM

@ Brian A

I have no problem with intelligence gathering. I do have a problem with an organization that's nearly omniscient, immune to criminal prosecution, regularly deceives Congress, is tight with LEO's, is tight with murderous military units, and whose activities are unknown to most of our electorate. It's this overall combination that's extremely dangerous to our democracy. Plus, them having the ability to coerce those who decide their funding and laws governing their behavior isn't so assuring. It's happened a few times in this country's history. I see no reason to discount such a threat.

My proposal was to limit both their mission and autonomy. They can develop as many clever surveillance methods as they want to. They *can't* weaken our overall security posture in the process such as introducing into US products the kinds of vulnerabilities attackers regularly find. They should design each tool to limit the amount of information available on the general population without explicit logged authorization. They must also follow strict rules about how they use the tools. The "rules" aspect must involve most-details monitoring by cleared independent body, the ability to get advice on corner cases, and prison time for serious violations (including of mgmt or directors if its systemic). The tools should also be independently vetted to produce audit trails of how they were used so the other organization can continuously verify they aren't, say, targeting Congress or CEO's.

I think the watchdogs should also be compensated very well and allow the NSA (or another group) to monitor (but not act on) their activities. Their employment contract would ensure they could only be fired for failing to do their duties, not random stuff NSA might dig up. The watchdogs can also face prison in courts if shown to have schemed up something. I expect a certain working relationship to evolve over time that minimizes risk on both sides using transparency and common sense. The watchdogs must be rotated out regularly as well so they don't get stuck in NSA-think like what happened commonly in Cold War era Red Scares.

Also note that the other NSA whistleblowers showed us with ThinThread debacle that there were ways of protecting privacy while collecting the information they needed. However, the NSA didn't care to do that, stripping such protections from the program. All internal channels were used to report the problems with that and Trailblazer to no avail. That these and Snowden did what they did was due to *that culture* which saw itself above the law and any sense of ethics. These people thought it couldn't continue. Eliminate that culture and inject a good accountability system into the organization, then you might not have another Snowden making press with the agency's secrets. And the potential for abuse will be lower and more targeted.

Nick PDecember 31, 2013 11:47 PM

@ Peter

"It may hard to believe, but also the capabilities of NSA are limited, so they too have to be as efficient as possible in what they are doing. So they will try to focus on people and organizations that they think is worth using all their equipment for. "

Part of the leaks showed them intercepting over a billion pieces of intelligence of month in a given country. Multiply that by all the countries they operate in it's a staggering amount of people and data they're targeting. It's doubtful that this was all highly important to stopping the next threat to the people of the US. So, if your claim is "hard to believe," it's because it largely contradicts the data we have on NSA activities.

And the opposite of your claim is a disturbing thing indeed.

BuckJanuary 1, 2014 12:34 AM

Is it just my imagination, or do there appear to be far more non-technical commenters with very strong viewpoints on the blog as of late?

I find the "distinction" between dragnet surveillance and tailored access to be quite comical! I still can't yet forget the familiar "if you have nothing to hide, you have nothing to fear," but already we've got a new slogan to chant: "if you're not being targeted, you have nothing to fear!"

In reality, the two operations are one in the same (or at least highly complementary)... I'll admit, some targets will take far more tailoring to gain total access... However, seeing how these exploits primarily take advantage of vulnerabilities common to the hardware/software used by most of the digital world's population, the resale/reuse value must be tremendous!

Just like the fact that not everyone's historical data can be analyzed in near-real-time; not everyone's devices can be manipulated on the same scale... It must require a very special ilk to decide whom is worth the effort! A tad more transparency in this aspect (other than the "terrorists") would be a tremendous step forward in rebuilding trust... Obligatory clap quote:

Director Clapper: First, as I said, I have great respect for Senator Wyden. I thought though in retrospect I was asked when are you going to start--stop beating your wife kind of question which is, meaning not answerable necessarily, by a simple yes or no. So I responded in what I thought was the most truthful or least most untruthful manner, by saying, “No.” And again, going back to my metaphor, what I was thinking of is looking at the Dewey Decimal numbers of those books in the metaphorical library. To me collection of U.S. Persons data would mean taking the books off the shelf, opening it up and reading it.
http://www.dni.gov/index.php/newsroom/speeches-and-interviews/195-speeches-interviews-2013/874-director-james-r-clapper-interview-with-andrea-mitchell

Just a matter of who's books we're taking off the shelf then? No worries here then! Only books in my attic are outdated CS 101 curriculum guides :-P

P.S. @65535:

Does in include members of congress that have critical funding authority over the NSA?

Does it involve spying on judges and their clerks who are hearing legal cases against the NSA? Does this spying include helping politicians who are allied with the NSA to defeat their political opponents?

Yes. That is their duty... At least as long as any potential evidence could possibly be considered a matter of national security ;-)

P.P.S.:
If the supposed success rate of iOS is accurate, it would imply insider complicity... I personally wouldn't be surprised. It's a remarkable feat of social engineering to convince Americans that a non-self-serviceable (can't remove the battery!?) limited-lifetime surveillance device is sooo "cool"!

DanielJanuary 1, 2014 12:55 AM

@Peter

"Governments should protect their citizens, and citizens should have trust in their governments -"

Nonsense. The first duty of a government is to trust its people and not vice versa. "Trust the people, trust in their good sense," said Adlai Stevenson. If the government wants me to trust it then it can start to earn that trust by not treating me as the enemy. The problem is that the government cannot do that because by definition the NSA doesn't actually know who its enemies are, so it has to treat everyone--including you and me--as an enemy.

So all your long-winded statement boils down to is the ridiculous assertion that I should trust the government to protect my best interests precisely because the government does not trust me.

Ennor TiegaelJanuary 1, 2014 1:09 AM

As a former Russian who was lucky enough to obtain a proper visa to evacuate to greener pastures: you make me laugh each time you mention Russian cyber threats, esp. when you mention them along with Chinese.

There is nothing you should fear from these valenki's, as long as you don't trust them of course. Putin and his cohorts are way too busy usurping power, removing any political rivals and turning people back into serfdom (and country into monarchy) they once were in. As a consequence, all security departments are corrupted absolutely and think only about lining their pockets with oil profits. Comparing to NSA, they're amateurs.

Speaking about NSA: they may break US laws, or UN laws, or any other human-induced laws for that matter, but even with their power, they are helpless against the laws of history. Which state that every empire is destined to crumble under its own weight, no matter how hard they try to delay it. So, as I see it, the only question is when this will happen.

Since China utilises hive approach, they could fare much longer than any "democracy"-based society (even with quotations brought down). I would start counting, if I were you...

DanielJanuary 1, 2014 1:12 AM

I wanted to come back and toss out this blog post:

http://ericposner.com/the-nsas-metadata-program-is-constitutional/

What astounds me about this post is not he thinks what the NSA does is legal. What astounds me is his reasoning. To wit, that NSA spying is legal because no one actually thinks they have a right to privacy except for a few weirdos. His main example: Google. People give up their privacy to Google all the time so its no fair they shouldn't have to give it up to the government.

Idiot.

bitmonkiJanuary 1, 2014 1:15 AM

@Skeptical: If you are as open and forthright as you claim to be, perhaps a thought experiment might be helpful to you.

So, lets consider governments and corporations as technologies developed by people as means of control and of distribution of power and implemented by people via laws.

Technologies in and of themselves are neutral, it is the uses to which they are put by people that may be considered good or otherwise.

Lets also consider that governments have a monopoly on violence, and corporations have a monopoly on money. Governments implement laws via their monopoly on violence, i.e., their ability to bodily sieze you and incarcerate you and to sieze and appropriate your assets for failing to observe the laws they have promulgated.

Governments need money to operate, but in the USA at least, have forfeited the right to control the generation and distribution of money to corporations, specifically banking corporations. True, the government may levy taxes, but the currency they are payed in is controlled by the consortium of non-governmental banking entities known to the world as the Federal Reserve.

So in the USA corporations have a monopoly on money.

In the USA, corporations are considered to have a "fiduciary duty" to maximize profits for their shareholders, and in practice this overrides the interests of their customers, the people who pay them money in order to further the interests of the people they give money to, their shareholders. In plain terms, this means the people running corporations have a clear and strong incentive to screw the people who are their customers in order to take as much of their money as possible while hopefully still keeping them as a customer, and spending as little as possible to do so.

Now lets consider the people doing business as the corporation Booz, Allen, Hamilton: the employers of Edward Snowden.

Their customer in this case is the people of the NSA.

We know for a fact, thanks to Mr. Snowden, that the people of Booz Allen have access to pretty much everything the people of the NSA have access to.

Statistically speaking, Mr. Snowden is something of an outlier: someone who has risked literally life and limb in order to make public the extent to which the people of both the NSA and Booz Allen have access to phone calls, physical movements, etc. of literally everyone using any kind of cellphone and/or connected to the internet.

It may be considered a statistical certainty that someone with less pure motives has accessed, copied and is using that same information, one of the people of the NSA, or of Booz Allen, or one of multitudes of people employed by the many, many other corporations contracted by the people of the NSA, CIA, DHS, etc., etc., etc.

No one "caught" Mr. Snowden with his hand in the cookie jar -- he came forward of his own free will. And look at the goodies he had.

And here, finally, is the thought experiment: consider the goodies revealed by Mr. Snowden from the perspective of an undetected someone with a strong financial incentive, of whatever sort or origin.

So, @Skeptical, considering the stakes, still feeling good about the ability of "institutions" to do the right thing, never mind their ability to prevent wrongdoing?

Pro tip: "Its people all the way down." :D

k4jgnkjg4ngJanuary 1, 2014 4:19 AM

"made in America" lol I doubt it..

Reform will equate to changed code names, new internal data handling policy(employees will likely be risk factored as potential leakers based on past behavior), and new legislature for prosecution of leakers..

By the way it's a country where there are career politicians, despite it's own written constitution, and over 85% of the federal governing body, US congress&senate, hold majority shares in the same multinational oil company, Exxon. It's got conflict of interest out the you-know-what, and can make a floating bridge over the Atlantic with it's lobbyists, ~3x layers..

AlexTJanuary 1, 2014 4:51 AM

Reading through the description of the hardware implants it seems that many of them have to be radar illuminated to be functional. Does anyone have more info about how this work ? Doesn't it create some fairly obvious detection / countermeasure opportunities ?

don't feed the trollsJanuary 1, 2014 6:38 AM

you realise you guys and gals are just getting misdirected by these shills - right?

instead of discussing the actual issue at hand they've just diverted you all into a liberty vs security discussion, and they're not even engaged in the discussion anymore. classic misdirection.

please don't feed the trolls.

Bruce SchneierJanuary 1, 2014 10:54 AM

"Do you honestly think that there will be substantive NSA reforms once all is said and done? I feel more and more helpless the more I hear about the NSA and as of now it is uncertain if meaningful reform will happen for the NSA."

I do.

Bruce SchneierJanuary 1, 2014 10:57 AM

"So Snowden now has no problem with releasing operational details that are outside the scope of the dragnet program."

Snowden is not releasing any of this. He gave the source materials to reporters in the beginning of those whole deal, and has had nothing to do with the reporting ever since.

If you have a problem with what was released (and what was not redacted), then direct your ire to the reporters of the individual stories.

TroutwaxerJanuary 1, 2014 10:59 AM

@ please don't feed the trolls

That's an excellent point.

Can anyone enlighten me on one of the subject's of Applebaum's talk? He said something about "encrypted UDP traffic and RC6." I know about UDP, but can anyone explain the RC6 stuff to me? Is that some kind of encryption or does it relate to something else?

AlexBJanuary 1, 2014 10:59 AM

"I think it unlikely that NSA can compromise any iPhone at will, especially without Apple's help" The Jailbreak community has compromised every edition of the iPhone at will! And they release it for free. Why wouldn't you be able to buy software from a company like VUPEN to compromise the iPhone?

34h3j5fgyJanuary 1, 2014 11:21 AM

@Troutwaxer: RC6 is a stream cipher. It's encryption. UDP is another packet protocol in networking. I'm assuming he's talking about on the fly cryptography of network traffic since stream ciphers are designed for speed. RC6 isn't the best though, there are faster with no record of vulnerability.

On a related note I think most people are naive to what fields of the fastest computer chips ever produced by man can do..

Alex B: They do buy the exploits, and then package their own software for delivery, which they usually get from DARPA and other funded defense entities.

Academi, Lockheed Martin, and Northdrop Grumman actually have cyber warfare R&D they sale too, they just don't have any of it leaked except to the Chinese military who infiltrate their engineering employees through phishing campaigns.

BlackAngelJanuary 1, 2014 11:38 AM

@AlexT

"Reading through the description of the hardware implants it seems that many of them have to be radar illuminated to be functional. Does anyone have more info about how this work ? Doesn't it create some fairly obvious detection / countermeasure opportunities ?"

I was thinking the same thing. Though a 2008 catalog, I would be surprised if this was not being reverse engineered by nations for detection capabilities. And where they may be lacking, replication.

A lot of these also require at least an automated (if not manned) nearby "substation" or surveillance point. (Which could possibly be as simple as something buried in a nearby field.)

I do not understand the radar reflection, but it reminds me of the bug in the moscow embassy years before and maybe operates under the same principle? If I recall keeping a bug active can enable it to be detected in a sweep, but being able to turn it off remotely or on can be useful for evading bug sweeps?

It would be interesting if a blogger or someone breaks down more of the tech in more layperson terms, and if they discuss some of the history.

Is this technology really new, is there real impact from it? Will people be replicating it (private and public)? Or is this all predictable technology and rather worthless? Are there ways likely to countermand the tech?

Also, is it possible government(s) are keeping wired and wireless router security intentionally insecure to keep up the feed? This bothers me, because router security remains extremely poor. And if you own a router you can trojan executable downloads downstream so compromising all downstream systems. For one attack. Besides many others.


GalupDJanuary 1, 2014 11:42 AM

@Bruce

Snowden is the one who gave the operational details to the reporter, however.

BlackAngelJanuary 1, 2014 11:55 AM


from this link: http://www.zerohedge.com/news/2013-12-30/how-nsa-hacks-your-iphone-presenting-dropout-jeep

"Do you think Apple helped them build that? I don't know. I hope Apple will clarify that. Here's the problem: I don't really believe that Apple didn't help them, I can't really prove it but [the NSA] literally claim that anytime they target an iOS device that it will succeed for implantation. Either they have a huge collection of exploits that work against Apple products, meaning that they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves"


It is well known the US government (and others) hoard security vulnerabilities. There is little secrecy to the hiring of vulnerability finding firms, many of which merely rely on NDAs for the work.

These are guys that would have prevented ecommerce and basic encryption that makes ecommerce possible back in the day.

They are working at odds with safe commerce, and so against their own countries.

The value of the surveillance data they obtain is debateable. They can use it to garner funds by illicit methodology. They can undermine democracies.

Preventing terrorism is a pretty absurd justifier for this work, as is preventing crime which their efforts work towards, not against. Likewise is valuable intelligence on nation states or VIPs. The best data there by far is not in private conversations, but in correct analysis of publicly available data. Analysis which is difficult to do, but completely legal and ethical. And far more accurate.

Secret surveillance is best for extortion, theft, sabotage. Otherwise the pay out is much too low.

Nick PJanuary 1, 2014 12:05 PM

@ 34h3j5fgy

I agree that it's foolish to use a proprietary cipher like RC6 when we have stream ciphers like Salsa20. It's also in a timing channel resistant implementation NaCl. The choice of UDP is a good one as it's easy to implement. Certain security-focused designs of mine only include IP & UDP in networking stack, forcing apps to use something like UDT. Isolates the transport attacks to user mode, reduces kernel mode vulnerabilities due to less complexity.

Brian AJanuary 1, 2014 12:21 PM

@Ennor Tiegael
"you make me laugh each time you mention Russian cyber threats, esp. when you mention them along with Chinese."
"Comparing to NSA, they're amateurs."

I think you're giving NSA too much credit. On a side note, based on individual skills, in this realm I'm rather confident your average Russian "hacker" is far more talented than their American counterpart. I have no valid way of quantifying this at the moment I admit. Now organizationally, based on what we've seen, sure the NSA might have an edge.

I wouldn't too easily dismiss Russian capabilities. After all, I think how you judge/credit such an organization's success is a function of the quantity of the intel they find while maintaining invisibility to their opponents. NSA is loosing that game now, hehe.


Bob S.January 1, 2014 12:36 PM

When the first Snowden revelations were made public I wrote some very critical comments. Within one week my Dell computer simply would not start anymore. Push button = nothing. Repair shop said I needed new motherboard = $400.

Coincidence? Probably. But, the next computer I bought bricked in 7 days flat, too. Coincidence? Probably.

The third one broke twice in four months but I managed to fix it, once by replacing a failing hard drive. Coincidence? Probably.

The NSA is doing bag jobs on 85,000 computers every year. Can all of them be al Qaeda terrorists?

Probably....?

No.

Bill orightsJanuary 1, 2014 12:40 PM

we have a constitution that is supposed to limit government crimes against the people. No generals warrants, no search without warrants, but after two generations of drug prohibition and now the threat of terror spread by the media, the general public sees the government as allowed to commit every crime, for whatever purpose. Susan Mcdougal was held in chains by the Star chamber throughout the clinton administration in an attempt suborn perjury against a president. The police administer the ad hoc death penalty to Fong Lee, planting a gun that was from the evidence room at the fourth precinct, the public pays for the felonies of the Metro gang strike force and the felons continue to oppress the people with the same behaviors,
This is not a democracy, the people doing this are not elected and cannot be fired by those who do it. This is modern feudalism, and we are serfs

ForkJanuary 1, 2014 12:42 PM

How these NSA apologists like "skeptical" twist facts into the most contorted knots is absolutely hysterical. What is being currently done is TREASON. If you have anything to do with it, you will be prosecuted eventually.

AndyJanuary 1, 2014 1:59 PM

@AlexB

The Jailbreak community has compromised every edition of the iPhone at will!

I believe that all but one have required a USB connection to the phone to accomplish. Jailbreaks have a fairly short lifetime too, since Apple tends to close the vulnerabilities in the next release after they are published.

FigureitoutJanuary 1, 2014 2:11 PM

Bob S.
--My mother's computer suffered a similar fate, though she's known to fall for the worst of the worst of phishing and spam; and she's a school nurse for little kids not concerned about computer security. Regardless the f*ckers who attacked my mother will get it, need a new motherboard (nice waste of hardware and pollution)...want to know for sure the specific cause (me and my dad suspected a bad SATA controller b/c couldn't read hardrive, but this is a modern computer it could be a million things)...Sounds similar to that "BIOS-plot" the NSA failed to protect its citizens from.

Bruce SchneierJanuary 1, 2014 3:09 PM

"When the first Snowden revelations were made public I wrote some very critical comments. Within one week my Dell computer simply would not start anymore. Push button = nothing. Repair shop said I needed new motherboard = $400.

"Coincidence? Probably. But, the next computer I bought bricked in 7 days flat, too. Coincidence? Probably.

"The third one broke twice in four months but I managed to fix it, once by replacing a failing hard drive. Coincidence? Probably."

I blame our industry. Computing is such a lousy experience that you can't distinguish normal operation from enemy action.

FigureitoutJanuary 1, 2014 3:12 PM

Moderator
--The attackers will "get it" in the karma sense, not a threat. Plus disgusting worthless people keep calling my grandma for credit card info; taking advantage of weakened, vulnerable people.

Fluffy the Obese CatJanuary 1, 2014 3:51 PM

Karma is probably of less value to society than enforcement of our existing laws and adherence to the Constitution. It's the overwhelming impunity of the security elite that gives us good cause for distrust.

If our political elite were willing or able to display some control over them, the pervasive distrust would fade. The most critical issues in the entire Snowden release and its aftermath are issues of social organization and accountability; the technical issues are real, but subordinate.

Anonymous CowardJanuary 1, 2014 4:09 PM

Re: encrypted UDP traffic and RC6

This is a hint to either look out for unexplained traffic on your network/honeypots etc. that could be coming from such "bugged" devices.

Or perhaps you should be looking for characteristic machine code that implements RC6 in firmware blobs and, extracted/dumped HD/WLAN/BIOS firmware. Likely most optimised or reference implementations of RC6 will look remarkably similar at the instruction level, so you could find them with a kind of binary grep. No need to completely reverse engineer the entire ROM.

If you can find either you will luckily be the first to have found one of these bugs in the wild...

RobertTJanuary 1, 2014 6:29 PM

@Wael
"these sort of organizations are 30 - 40 years ahead in technology"

Um that's a bit of a stretch!
I think it's more productive to assume they are less than 5 years ahead on the hardware/technology side and maybe 10 years ahead on the systemic integration of spyware techniques with hardware / firmware/ software technology exploits.

Still I guess it all depends on what base knowledge you assume. I know from my own experience that "Power Analysis" was a well understood technique in the early 80's, yet it took till 1995 (I believe) for academic mention of this attack. I can assure you there were however plenty of non academic, non NSA security guys that were well aware of DPA and had developed many other very effective side-channel attacks.

Maybe Bruce can give us an academic base line time, by revealing when he first became aware of the various attack methodologies. Or better still, when he first suspected that a certain avenue of attack might be fruitful.

Nick PJanuary 1, 2014 7:41 PM

@ RobertT, Wael

"I think it's more productive to assume they are less than 5 years ahead on the hardware/technology side"

It's a reasonable assumption. I think it's also the number supported by Bamfords books on NSA based on their publicly admitted advances.

However, I'm starting to doubt that they're that far ahead in chips or software at all. Most of their catalog uses COTS technology in specialized ways to give them access. Some of those devices might be custom or ahead of the curve. I'm not sure due to my lack of RF experience. So, if anything, our new model of NSA should probably be to assume existing tech but think of how it might most effectively exploit our stuff.

Plus, a systematic analysis of each layer of a system using known risks would have caught almost everything they did. I didn't see anything in there that's truly new. This led me to continue on my current path that prefers designing systems secure through and through over trying to figure out the next attack. If they're not ahead of state of the art, let's give them reason to aim for it. ;)

RobertTJanuary 1, 2014 8:24 PM

I agree with Nick, I haven't seen a single disclosure that involves really "new" techniques or technologies, actually I'm sort of surprised that there is not a single disclosed method that I was not already familiar with. However, what they've done really well is to assemble many packages of exploits, so that at least one can be successfully deployed against almost any target.

To be honest, the only news for me was the sheer depth and breath of their activities but even this was well suggested by the growth of their budget and physical footprint.

For a long time now I've assumed my best defense is to limit the completeness of the picture that the NSA sees, this is why I use separate laptops with different ISP's for each laptop. I also use various tricks to prevent personal tracking through my phone etc.

Counter IntelJanuary 1, 2014 9:27 PM

"Do you honestly think that there will be substantive NSA reforms once all is said and done? I feel more and more helpless the more I hear about the NSA and as of now it is uncertain if meaningful reform will happen for the NSA."

Helpless? Why? Just stop using all the tech trash. Their "great" spy tools will go dark. Too easy.

WaelJanuary 1, 2014 10:33 PM

@ RobertT, Nick P
Happy new year to all...
Technology is not limited to Software or Computer hardware innovations. I was thinking technology in general, and some algorithms (crypto or otherwise). Even when a theory is not a secret, realizing it in a working piece of equipment may not be feasible to you or me (the technology). I should have stated that this is my opinion, and was a mistake to state it as a "fact". 30 - 40 years maybe a stretch for some areas, but not for other areas, in my opinion. Areas like "Stealth technology", advanced satellite optics, Equipment operating in the hundreds of GHz frequency range, and other obvious areas I don't want to list (related to biology, chemistry, atomic particles), maybe good candidates for the large gap. Then again, I did not say ahead of "whom", although it was understood "whom" is the commercial side.

Nick PJanuary 1, 2014 11:23 PM

@ Wael

Happy new year!

re tech

Yeah, under the broader view it might be far more advanced than I illustrated. I just haven't seen much evidence of it on NSA's side recently, although it was true decades ago. I'll help you out by replacing that agency's name with some others: DARPA, DOD black R&D (no link: surprise!), DOE's Y-12 and CIA's In-Q-Tel. These organizations specifically fund stuff that pushes the state-of-the-art to deliver capabilities others might not pick up on for a long time.

I hope you find the peek into their future capabilities interesting. I actively follow DARPA, NSF and In-Q-Tel INFOSEC research as many useful things come of it. Clean Slate is DARPA, for instance. One thing that jumped out as I just looked at the links was that Marcus Ranum's company, Tenable Security, in an In-Q-Tel company. Didn't know that.

WaelJanuary 1, 2014 11:52 PM

@ Nick P

I hope you find the peek into their future capabilities interesting. I actively follow DARPA, NSF and In-Q-Tel INFOSEC research as many useful things come of it.
Thank you for the links! You don't suppose they publish everything they work on?

WaelJanuary 2, 2014 12:00 AM

@ Nick P

DOD black R&D (no link: surprise!)...
Their Web server is air-gapped in a state of the art chamber, and has goodBIOS, too :)

Nick PJanuary 2, 2014 12:58 AM

@ Wael

"You don't suppose they publish everything they work on?"

They stopped doing that when I gained sentience and they couldn't unplug me. They unplugged their stuff instead. Now we just get whatever the foolish mortals think won't threaten their plans.

"Their Web server is air-gapped in a state of the art chamber, and has goodBIOS, too :)"

Lol you trip me out. It's even funnier because they funded goodBIOS around 2004-2005 as part of OASIS. ;)

BryanJanuary 2, 2014 1:22 AM

@shockedanddismayed
“Look at Obama. His policies took an abrupt shift to the right once he hit office. Maybe he wasn't honest about his beliefs during the campaign. Maybe new information he learned as President caused the shift. Or maybe powerful insiders used the information they collected to blackmail him. Because the NSA collects everything about everybody and then lies about it, the last will always be a possibility, if not a likelihood.”

This is an extremely important point!!! You may think you can trust those in power, but can you? What about the next people in power?

“How can we trust electronic voting machines now that we know that NSA is undoubtedly subverting them? The Bill if Rights is increasingly being discarded "for our own good." Why would they stop there? What if they considered free elections to be too great a threat?”

We don't know if the NSA is, but we do know there are many other parties that would love to subvert them for their own gain. All voting machines must have a voter verified paper trail. Better yet, have the people fill out paper ballots, then use optical scanners to read them. The veracity of the machines can be cross checked by running the ballots through known good machines.

“Bruce writes, "What seems clear is that the companies whose products are being compromised are not collaborators with the NSA in this particular program."
I do not see that as clear at all. This goes back to the trust issue. Everything a company says now has to be treated with deep distrust. They may be lying because there is some NSA letter no one knows about or they may simply be lying because they are scared that coming clean will cost them business in one direction or another. But I just do not see how it's honest to say that anything is "clear" anymore. There are many ways in which a company can cooperate, even if that cooperating is simply looking the other way. My best guess is that that have been cooperating, we just do no know how yet.”

This is something we will have to watch. What do the companies do? How are they responding? Are they fixing the problems? Google making their own chips... Is this a start? M# from Microsoft... Are they catching a clue that security matters?

@Bap
“Maybe this all is leading up to a big shocker revelation such as "all of these tactics are used to blackmail incumbent politicians and/or civil rights leaders"?”
Or is used to lock them up or silence them using other charges.

@Bob S.“When the first Snowden revelations were made public I wrote some very critical comments. Within one week my Dell computer simply would not start anymore.”

I've heard similar from a number of people, and have seen oddities on my own computers.

@Bruce, “I blame our industry.”
I'm not so sure. My laptop is effectively dead. I only use it for photo editing, and video conferencing for a monthly meeting. It has always been used behind double layered NAT type firewalls with it's own firewall enabled. Due to lack of recent photo editing, it hasn't been used more than a couple hours a month. I never web surf from it as I have other computers to do that with. It also has been kept up to date with OS patches and software. It was doing fine until I started criticizing the NSA's actions.

65535January 2, 2014 2:51 AM

@ Buck

“Yes. That is their duty... At least as long as any potential evidence could possibly be considered a matter of national security ;-)”

The term “National Security” seems to be highly elastic. It covers almost anything!

@ others

What is the health and safety implications of irritating people with 1kW of microwaves at close range with the portable "CTX4000" radar unit?

I see there are a number of OSHA laws, medical implant device limits and a general limits on radiation:

“The FCC limit for public exposure from cellular telephones is an SAR level of 1.6 watts per kilogram (1.6 W/kg)...”

https://www.fcc.gov/encyclopedia/radio-frequency-safety

What are the implications of radar waves on pacemakers? Is the NSA using these portable radar devices safely?

“Studies have shown that handheld cellular phones can affect the operation of heart pacemakers or defibrillators if the phone is placed directly over the device, and there have been reports of interference between cell phones and hearing aids. Individuals with pacemakers, implantable defibrillators, or other body-mounted medical electronic devices…”

https://www.osha.gov/SLTC/radiofrequencyradiation/index.html#exposure

Is the NSA adhering to any of these rules (US or EU rules) while using portable radar units capable of 1kW of energy (while spying on people). I would doubt it. A legal review of the safety of these devices is needed.

Next, is the opening of US mail and manipulation of it contents with potentially dangerous electronic devices (non-FCC or non-UL approved devices which could cause fires or jam civilian radio frequencies). Again, it would be prudent to have EFF or ACLU lawyers look into these legal aspects.

Clive RobinsonJanuary 2, 2014 5:19 AM

@ AlexT

The radar reflection is a bit of a misuse of terms and causes confusion with what is actually happening (the clue as they say is in the name, radar means RAdio Direction And Range, and you generaly don't need to find this if you planted the bug ;-)

Basicaly radar uses the principle of reflection to locate objects. Originaly it was demonstrated with a low VHF band transimtter of high power used for ordinary broadcasting and a receiver some considerable distance away with a fixed gain front end with the IF output fed to an oscilloscope. When an aircraft started to aproach it was clearly seen that not only the amplitude of the signal change but also the effect the dopler shifted reflected signal had on the broadcast signal. Such dopler radars are very much in use today int the 3cm / X-Band on top of traffic light systems.

However simple continuous wave dopler radars have a number of issues and the first operational radars used pulse transmittion to more easily get range information. Later radars used "frequency sweeping" or PRBS "ranging codes" to more acurately guage distance.

One type of radar sometimes called "offset" uses a transmitter and receiver spaced considerably far appart, whilst they generaly still use reflections some experimentl systems (to detect stealth vehicals) some years ago used the effects of tranmission through an object or absorption by an object (one of which which was more lidar than radar also used background IR to see objects in a similar way to vision). Basicaly nearly all objects (including holes in them) reflect, absorbe or conduct EM radiation and will change what they do with the frequency of the EM signal.

However many years ago a researcher (more known for his Theramin musical instrument you hear on the Beach Boys Good Vibrations) used the idea of "re-radiation" to create a bug that was put in the carved wooden eagle presented to the US ambasidor in Moscow... (google "great seal bug" on the NSA museum web site, although contray to what the site implies the US could not work out how it functioned, it was sent over to the UK where the MI5 scientist Peter Wright worked out how it worked).

Re-radiation is where in effect all conductors (and quite a few dielectrics) have a frequency response and they actually absorbe store and re-radiate EM radiation much more strongly than they reflect it at either their resonant or anti-resonant frequencies. This principle was used by the British in WWII to jam German radar with strips of aluminium foil originaly called window but now more commonly called chaff.

You can prevent a lot of the re-radiation by taking the absorbed EM energy and conducting it away in another conductor (which is what an antenna feed line does). Now imagine you have two antennas connected by a conductor, the signal entering one antenna gets passed to the second antenna that re-radiates it, this has been used in the past for "passive repeaters" in weak signal areas such as valleys where TV signals get blocked by hills and mountaines and also in early passive IFF devices.

Now instead of just a connector between the two imagine there is a resonant circuit as well, this only conducts signals that fall in it's "pass band" and because it's far from perfect it has "slopes" on the sides of the pass band that partialy conduct. Thus if you sweep the frequency at constant amplitude the first antenna sees then the second antenna output will go up and down with respect to the pass band charecteristics of the resonant circuit. More interestingly is that the re-radiation at the first antenna is the inverse of the pass band of the resonant filter so to a third antenna pointing at the first antenna a signal that is a combination (in both phase and amplitude) of both the transmitted signal and the re-radiated signal is seen.

Now if you transmit a plain carrier wave that is tuned to one of the passband slopes if the signal moves towards the resonant frequency the re-radiation drops and if the signal moves away from the resonant frequency the re-radiation increases (the opposit occures at the second antenna). Which means if the transmitted signal was frequency modulated the re-radiated signal would be amplitude modulated as would the output from the second antenna (this principle has been used since before WWII in a device called a GDO short for "grid dip oscillator", the modern equivalent can be seen with a spectrum analyser with trackng generator or an S-Parameter test set or some antenna analysers showing return loss).

Now think about what would happen if the transmitted signal frequency remained constant but the resonant circuit frequency changes. This time the signal seen at antenna three is an amplitude modulated signal with some phase modulation.

If the change in resonant frequency happens in response to say an audio signal that falls on the resonant circuit then the result would be that the resulting re-radiated signal at the first antenna or the re-transmitted signal at the second antenna would be an AM signal modulated by the audio signal...

This effect can easily be seen with a number of tuned circuits and it's generaly called "microphonics". In most cases the effect is very small. However one type of tuned circuit is fairly easily made very very sensitive to this effect and it is a modified form of "cavity resonator" where the cavity is in effect a coaxial transmission line that is "capacitivly shortened" with the central post of the inner conductor brought very close to one end of the cavity, which is made of incredibly thin foil and thus looks in many respects like the diaphram of a modern electret microphone (the actual technique used in the bug was "parametric amplification" and the re-radiated signal was on a different frequency to the exitation frequency which made it considerably more sensitive in use, and nearly invisable to conventional bug detectors, however explaining that takes a big chunk of math).

Now the resonant frequency of any line can be altered by changing it's capacitance or inductance and this can be easily achived by many techniques such as changing it's terminating impedence. Which happens as a byproduct of active component drivers when they change state from one output level to another.

Back in the 1980's I used this to EM probe "electronic wallets" and "pocket gambling machines" and shoued how it could be used to illicit information from within a cased device. This was getting on for two degades before the "poor man's" version DPA became news. I emailed several researchers looking into "smart card security" about not just how an EM signal gets modulated by the signal level on the PCB traces but also how yoou could use it in reverse to inject fault signals. The only person who thought about it seriously was Ross J. Anderson of at Cambridge Labs who also passed me the details of another researcher who was using micro-inductors to induce pulses of current into IC's to enumerate fault charecteristics. Ross or some of his students did some further research with PC keyboard cables that you can read about in his security engineering book (a recomended read especialy as you can download it legaly).

The advantage of these passive bugs is they don't contain active electronics so don't have non-linear devices in them which would show up on "non-linear junction detector" bug finders, likewise they don't have DC resistance so don't show up on passive testing nor do they have "hot spot" sctive devices which would show up on thermal imagers. Likewise as mentioned earlier they don't show up to "active sweep" bug finders and although visable to a GDO carefull design would make them look like just "pasive resonators" which most lengths of wire etc are anyway.

So unless you realy know what you are looking for they are difficult at best to find.

Just recently I've been looking at "dual energisation" of such devices with not just EM radiation but ultrasonic radiation as well. Put simply you design the "capacitor diaphram" in such a way that it has to be "acosticaly biased to overcome it's hysterisis. Basicaly unless you have a strong ultrasonic bias signal the diaphram will not respond to "room audio" thus even if illuminated by the right EM signal audio will still not be transmitted unless the correct ultrusonic signal is there as well to cause the diaphram to resonate and be "phase modulated" by the room audio...

CuriousJanuary 2, 2014 6:03 AM

I know next to nothing about cryptography, however I watched a video about homomorphic encryption and I am sort of wondering, perhaps foolishly:

Might there be an obvious connection between "somewhat homomorphic encryption" and how the 'seed' for 'P' in Dual_EC_DRBG was made?

I sort of imagined, that the so called 'seed' could perhaps never be anyones secret, if the 'seed' is somehow also found in the output off Dual_EC_DRBG vs the least significant bit "result" in somewhat homomorphic encryption. This is very unclear to me so don't be surprised if this doesn't make sense.

What does the letters 't', 's', and 'r' indicate in thatdiagram that show how the Dual_EC_DRBG functions?

hermanJanuary 2, 2014 7:07 AM

"I blame our industry. Computing is such a lousy experience that you can't distinguish normal operation from enemy action."

Bruce, I think you need to get a surge arrestor. Your electric supply is likely very noisy and spikes are killing your equipment. Get a 'multiplug with built-in surge arrestor' the next time you visit your computer shop!

Clive RobinsonJanuary 2, 2014 7:10 AM

@ Wael, RobertT, Nick P,

    ... these sort of organizations are 30 - 40 years ahead in technology

In the case of the NSA no I think in many respects they are actually behind two or three of the other 5eyes countries, who in turn are trailing behind comercial organisations these days.

US intel organisations have always suffered from the same old problems when it comes to R&D, way to many staff on Gov payroll money, with the "turff war" mentality and way to much secrecy and the "project for life" mentality due to long cycles in mil/intel procurment. It discorages the creative types from working there. A long time in the past it was the only place doing certain kinds of research and thus it had some "draw". However due to budgeting reasons imposed from the politicos the agencies encoraged the brighter thinkers to "go out on their own" based on the idea that the agencies would be "the customer". We saw this with early Super Computers and Storage Systems. However further budgeting constraints pushed the agencies down the COST route and many of these companies either died then or shortly after their founders died/retired.

The model now appears to be "venture capital" mainly given to those who have never worked in these agencies. This has the limitation that much of the R&D has to be "commercial" in nature as the agencies are not going to be "the customer" nor in quite a few cases even a major customer...

The NSA in recent times certainly appear to suffer from "Texan disease" of "build the biggest in the world" which actually tends to stifle development in smaller commercial organisations, whilst the bigger commercial organisations can get away with the "one size fits all" mentality they rarely make anything other than incremental inovation.

A posting in the past day or so about Russia amused me, they were and still are significantly "resource limited" so they are forced to squease the max out of older technology, the same applies to other 5eyes intel organisations, Thus the resource squeasing in these organisations, means they have to innovate to keep up.

Thus it is more than likely the technical inovation leads are not the NSA they just provide industrial muscle and finance. We certainly new this was true thirty or more years ago due to "secret papers" that get de-classified every year.

It's why when the German Newspaper article was posted on the squid pages the other day I mentioned the oddity in the NSA-GCHQ arangment it brought up where the NSA had to depend on GCHQ, and why I indicated that people should consider the implications.

It turns out that as time goes on certainly for NSA staffers they are getting less and less incentive to work there (health benifits and pension) being about it according to some commentators). Thus the "brain drain" that industry now offers gives the greatest lure for the brighter talent. Plus the NSA staffers are seeing more and more of the internal work which has industry value getting out sourced to the likes of Booz Hamilton etc who work to SLA, so many new projects end up on open source technology etc. So the staffers increasingly feel that they are stuck on a slowly sinking ship where the bridge officers keep heading for "stormy waters" throwing out "town hall letters" about fair weather over the horizon that the brighter staffers know is at best usless platitudes pushed out to try to stop even the dimest rats jumping ship...

AlanSJanuary 2, 2014 8:22 AM

@65535

"The term “National Security” seems to be highly elastic. It covers almost anything!"

Which is what makes it useful to scoundrels. It's a sort of get-out-of-the-Bill-of-Rights-and-avoid-public-accountability free card. It has a long history of abuse. When you are in a state of war without end (aka the war on terrorism), the card is in permanent play.

BlackAngelJanuary 2, 2014 9:32 AM

@Andy, et al, On Computer Security

"Personally, I think it unlikely that NSA can compromise any iPhone at will, especially without Apple's help, and found the TechCrunch piece a breath of fresh air in the midst of a lot of "sky is falling" coverage."

While I do not understand much of the surveillance tech discussed (though I did rightly guess it goes back to the Russian tech discovered in the US Seal in the Moscow embassy)... I do know security vulnerabilities & mobile phone security, including a lot of the top researchers.

There definitely is and will be zero day in any major smart phone, at any given time, available to the government and off the grid. There is a large code base which is poorly secured, and so there are many places where fault can be found.

Even what code is Apple, there remains third party code. And then, because the government is on the wire upstream, they can gather user information and passwords from that.

Router security is another big one in these disclosures. Wifi security remains dismal, as does wired router security. Generally, there are default passwords, as well as serious security bugs. And even if that were not enough routers tend to be bought by companies with no questions asked. (On top of the fact that most security devices do not know what to look for, and brute forcing routers is activity which will tend to be easy to do and go unnoticed.)

This is not news, as Snowden revealed the US had compromised China routers earlier in the year, and it is safe to assume they have been working hard on rootkit level trojans on these devices.

The US paranoia about Chinese devices being hacked is a tell. We can assume their paranoia was in no small part because they themselves were doing it, so of course, the Chinese must be doing it.

Unfortunately, there is also the issue of intentional vulnerabilities ... it would be trivial for US intel (or anyone else) to create frameworks of hard to find code flaws that can establish backdoors with extreme plausible deniability. [Perhaps the US/UK discovered just such holes in CN routers...]

As it stands in the industry... with just about any company, attackers can plop right into MITM on their wireless network and have their day... or they can easily get to the wiring infrastructure and have their day. Criminals, thankfully, have not much started to use these vectors, though this is just a matter of time. Governments surely are.

@et al, On the Morality of It All, and the Need for Spying

This disclosure was more of a geek fest. It is hard to say this technology is immoral, and I think people should consider individuals like Skeptical as good counterpoints to thinking on these subjects.

I see a lot of agreement that secret surveillance can undermine democracies, which is my primary concern on these matters... and that they are a waste of taxpayer money. Further, that they are impassioned by false motivations, eg, "war with ends" (terrorism, drugs).

I do believe there are cases where spying can be useful. But by and large if you want to know what a politician may or may not do, you can get the best read from what they say in public and analyzing their situations... such as political environment, resources of their nation, and so on. So, the economist is likely to have better intel then the NSA.

What people say in private tends to be crap. It is what they say in public that they will feel a need to stand up to. None of this technology would have stopped 9/11, nor any of the other attacks on US soil.

US, European Politicians are surely hampered in their decisions when dealing with such sinister organizations even if they are not themselves being blackmailed. Which, by history, they probably are.

Nobody caught Hoover doing what he did when he did it. And he wiretapped and blackmailed everyone [senators, presidents, civil rights leaders, alike]. To this day you can find apologists for the man who buy into his supposed patriotism. (A painfully transparent guise for his obvious power hungry desires.)

Very likely these governments are profiting from this industry. The visible intel leaders clearly are -- they are as brash as the most hardened of whores. They take no pains to show they are in bed with defense contractors whom public record shows benefited substantially from their policies. How much more so then must be hidden?

Are they going so far as to encourage disaster so as to profit from it? They are clearly profiting from disaster indirectly. Like the war profiteers of the second world war.

It would not be a stretch if they are not encouraging disaster to profit from it more directly.

an anarchistJanuary 2, 2014 10:08 AM

The days of the ex-deadhead dreamer graduating MIT and taking a nice gub'mint job to "change the world" are dead. Those here defending the NSA are the same people calling Bitcoin a Ponzi scheme. LOL. *anarchy rising*

XyzJanuary 2, 2014 10:52 AM

So Dell makes, what 10k, 100k, 1M servers a year? Should we expect that all are backdoored? Probably not. Even if Dell makes only 10k a year, to implant all servers is probably not possible adn makes no sense at all.

The real story seems to be how NSA selects the targets. NSA hacked into Dell/Cisco/Juniper customer services? Good be. Dell/Cisco/Juniper telling NSA what chipments to intercept. Maybe

Who are/is the victimes? We dont know.

How many times have they used hardware backdoors? We dont know.

"I'm really happy to see Jacob Appelbaum's byline on the Der Spiegel stories; it's good to have someone of his technical ability reading and understanding the documents. "

In my opinion Appelbaum is kinda weak. He can talk and make fun of NSA, but a story that "OMG NSA is making JTAG emulators" is just weak. Texas Instruments even Open Sources its JTAG emulators. Who knows maybe Dell/Cisco/Juniper as well. Enyway it is not hard to make your own. COTS hardware is available.

WaelJanuary 2, 2014 11:23 AM

@ Clive Robinson,

In the case of the NSA no I think in many respects they are actually behind two or three of the other 5eyes countries, who in turn are trailing behind comercial organisations these days.
Just as technology is not limited to SW and advances in Computer HW, the discussion is not limited to NSA. @Nick P shared a glimpse of other organizations involved in R&D. In my view, NSA is a consumer of some products that come out of those organizations, and is not a producer of "Technology" -- If my understanding is correct.

Nick PJanuary 2, 2014 1:42 PM

@ xyz

"So Dell makes, what 10k, 100k, 1M servers a year? Should we expect that all are backdoored? Probably not. Even if Dell makes only 10k a year, to implant all servers is probably not possible adn makes no sense at all."

There's actually no extra work required. Dell has a checklist of stuff they do to PC's they build. One might be installing BIOS. Subverted BIOS is in NSA catalog repeatedly. If NSA supplies Dell a subverted BIOS, then it would take zero extra steps for Dell to subvert any given PC. QED.

@ Wael

"That paper is slightly inaccurate. I can elaborate more if you wish..."

It was in my big paper list for solving our problems. One of only two focusing on firmware. If there's an issue with it please do elaborate so I can make a record of it next to the paper for future releases.

Nick PJanuary 2, 2014 2:46 PM

@ an anarchist

" Those here defending the NSA are the same people calling Bitcoin a Ponzi scheme."

Not quite. Many NSA opponents think Bitcoin is a Ponzi scheme for all practical purposes.

"A ponzi scheme is a zero sum game. In a ponzi scheme, early adopters can only profit at the expense of late adopters, and the late adopters always lose. Bitcoin has an expected win-win outcome. Early and present adopters profit from the rise in value as Bitcoins become better understood and in turn demanded by the public at large. All adopters benefit from the usefulness of a reliable and widely-accepted decentralized peer-to-peer currency. " (Bitcoin web site)

That's the official defense of it not being a Ponzi scheme. Kind of weak compared to others' arguments:

http://www.garynorth.com/public/11828.cfm

http://www.slate.com/articles/news_and_politics/view_from_chicago/2013/04/bitcoin_is_a_ponzi_scheme_the_internet_currency_will_collapse.html

My take on Bitcoin as a currency or scam

The easiest test of a system is to look at its results. In a financial system, the wealth distribution will tell you who benefits most from it. For instance, that model shows that the United States system is essentially a scam for 1% in practice. So, let's apply that test to Bitcoin and see what Bitcoin's distribution looks like:

http://www.economonitor.com/blog/2013/12/great-graphic-bitcoin-concentration/

Wow. About 30% of all Bitcoin wealth is in hands of 47 accounts. Further, if it was mass adopted immediately, every other person in the world combined could own at most 25% of the current wealth. That means Bitcoin is provably rigged to provide a huge benefit to earliest adopters at expense of everyone else.

The Bitcoin early adopters are in almost as good a situation as the 1% of the Fed system that own 40% of the wealth. The difference is that it took elites almost a hundred years, many laws, and many payoffs to politicians to control 40% of the dollar. Bitcoins' founder and early adopters got 30% of Bitcoin in 3 years on their own merely by convincing people to join in on the deal and mine/use more Bitcoins. And if Bitcoin could be instantly cashed out en masse, the result: early adopters would be rich, the next set of adopters would be upper class, the next set middle class, and all future adopters poor to working class.

Ponzi or not, I think the entire world fighting for 25% of the pie while the elite few roll in the rest is a scam. I think it's one of the top 10 most brilliant financial schemes since the Federal Reserve Act of 1917. The one thing they have in common is that, by design, those who start the system get a huge chunk of the wealth without doing any real work for it. And they get richer while everyone else does more work over time to produce actual value. That's neither an anarchist nor democratic design: it's a plutonomy that sways benefit to a few at expense of the many.

Far as a digital & democratic currency, I'm sure we can do *much* better.

VinnyGJanuary 2, 2014 3:03 PM

Bruce, how certain are you that Snowden turned everything he filtched over to journalists? I was rather hoping that be saved out some choice bits to serve as Hellfire repellant. Even if he did not, it might be prudent to feed that concept.

BTW "Computing is such a lousy experience that you can't distinguish normal operation from enemy action" is just beautiful.

vas pupJanuary 2, 2014 3:12 PM

@Bob:
"CIA spies break foreign laws on foreign soil with the understanding that if they're caught then they won't get any help from the US government."
Just small input: even NOC (no official cover) will get help from their Government because if they don't, how you are going to recruit next batch of such professionals when they provided with one-way trust and one-way loyalty paradigm?
@Skeptical. As the first step to restore trust, it should clear that trust cannot be one way street, meaning if you can't lie to LEO (federal agent in particular - as SCOTUS decided), they should not have a right to lie (at least in the form of providing false information) to you.
If you eliminate accordeon laws which could be applied selectively based on their vaugnes, then you start restoring trust in all legal system (LEO/prosecutors/courts), but if you think that trust could be restored by itself, that is counterproductive (just my poin of view).

Charles PonziJanuary 2, 2014 6:29 PM

@ Nick P

Personally I trust p2p cryptographic proofs infinitely more than any elected official...the Fed Chairman isn't even a publicly elected official lol. Face it, the Federal Reserve is the ultimate Ponzi scheme going 100 years strong now and the gullible masses still buy it as much as ever.
tl;dr
>being on Scheiner.com
>trusting the Fed more than cryptography
top lel

an anarchistJanuary 2, 2014 6:51 PM

@ Nick P

Overall I would have to agree with you that we can do better, I have always seen Bitcoin mainly as a stepping stone and a message to the world banks anyways. I still have to disagree with you about it being created as a ponzi though...i can remember when the BTC high broke $0.30 haha. My early impression was of an experiment that would never catch on outside of the tech world.

SkepticalJanuary 2, 2014 7:05 PM


Jenny - we all trust institutional arrangements. You trust the institutional incentives and norms of Boeing, an airline, the FAA, and those of the individuals that comprise those institutions, every time you fly on a 737 in the United States. The "trust" I speak of is simply that kind of reliance on incentives and norms - not a naive faith in the earnest goodness of every person on a government pay-schedule.

We trust institutional arrangements when we give judges the power to authorize search and arrest warrants, when we empower law enforcement agents to use force and make arrests, when we authorize the creation of a military, when we manufacture nuclear weapons, and when we do hundreds of other things every day without much thought. Those arrangements need to be monitored, and they certainly sometimes fail, but we need to understand the extent to which they are effective - which, in the case of the FBI, the courts, the FAA, and yes, the NSA, they largely appear to be.

The NSA having these tools is completely appropriate. Whether one thinks the metadata program to be legitimate or not has no bearing on the publication of the possession of completely legitimate tools used by a signals intelligence agency. We didn't reform the FBI by exposing how they conducted legitimate investigations; we didn't reform the CIA by disclosing the names of covert operatives engaged in legitimate intelligence collection.

As to those who think such a publication has no bearing on intelligence, I must disagree. Guessing what an adversary had in his toolbox just a few years ago, and knowing what an adversary had, are vastly different. Knowing what is available, and at what cost, can tell me a lot about how far the NSA has progressed technologically, and what actual tools I will see in the field. This is a point blindingly obvious to anyone who gives a moment of thought to intelligence.

Thinking that publications like this have no effect on national security is dangerously naive. Bob writes that this type of disclosure will not render the NSA ineffective. The problem is that advantages in intelligence, like advantages in war, are rarely merely binary, but are often the incremental accumulation of smaller advantages. The question is not whether this disclosure makes the NSA ineffective, but whether it pointlessly gives up an advantage to potential adversaries. Beyond doubt, it does.

There is a stark difference between leaking acts one genuinely believes to be illegal, and leaking information out of sheer animus towards a government that can only serve to harm that government.

Finally, to those who think that everyone who speaks against this type of leak is a NSA puppet, get real. Some of us, perhaps those of us who have actually seen and worked against actual government corruption and oppression, know the stakes and dislike cavalier exposure of secrets the primary effect of which is not to strengthen the cause of liberty or civil rights but to weaken democratic nations in a world where the power of undemocratic governments is growing.

Not a spookJanuary 2, 2014 8:47 PM

The Skeptic has a solid point. I agree with almost all of it. I don't agree with Skeptics point that Snowden did a Wikileaks style dump. He had, in my personal belief, noble and just intentions.

What does piss me off to no end, is that an IA professional saw fit to hand over so many documents he didn't even know what he had to journalists that despite their best efforts would not be able to adequately secure them. If they haven't already, I'd bet my testicle that every intelligence agency on the planet is trying around the clock to get a foothold into those news agencies to get a copy of Pandora's box. Which would also explain GCHQ's knee-jerk reaction towards the Guardian and showing up demanding they hand everything over/destroy it. By accepting "secrets" of that magnitude, you accept being a target by default.

I respect Snowden for having the balls to bring a conversation to light that the American people should have been consulted on. I don't think many people doubt he knew he was a dead-man as soon as he stepped on that plane to Hong Kong. Unpleasant as that is, that's the name of the spy game.

While the government does put forth a show effort (with few success stories) to fix problems of a constitutionally questionable nature in house, they more often than not end with that employee being shunned/re-assigned/fired.

However, what makes me think that Snowden should be tried for criminal negligence is that as a NSA admin, he should know that all it takes is one improperly configured security setting to get pwnd. The files are now distributed among who knows how many news agencies. News agencies that have also popped up in the recent past as being breached since the Snowden docs hit the world stage. If you think that to be coincidence, I want a lot of what you're smoking.

I also do not feel that it is fair to blame the entire NSA for all the immoral programs they have been running. Ever hear of "Compartmentalized information?" There people who should be held responsible for pushing things as far as they have come and they should be tried to the letter and spirit of the laws they tried to circumvent.

What I personally think happened, is that our elected representatives have been placed in charge of placing boundaries on the uses of technology that they have little to no comprehension of. I can honestly say that I am not surprised so many members of congress/the house are shocked to find out what the NSA has been up to ("Carnivore" anyone?)

To give it a different perspective, some members of congress have been around long enough to remember Korea, Vietnam, the Berlin Wall, Kosovo, the Gulf, AND them fancy mathematics boxes coming around. That's a lot of foreign and domestic policy to keep track of. And, as anyone in a technologically relevant field knows, computers can change drastically daily.

Spies are gonna spy just like criminals are gonna crime. Until we get technically competent oversight on the use of technology for SIGINT involving American citizens, this is just round one in what will be a long line of sensationalist finger pointing and fear-mongering.

65535January 2, 2014 9:06 PM

@ AlanS

"Which is what makes it useful to scoundrels. [The stretching of the term “National Security”] It's a sort of get-out-of-the-Bill-of-Rights-and-avoid-public-accountability free card. It has a long history of abuse. When you are in a state of war without end (aka the war on terrorism), the card is in permanent play."

I agree.

I believe that the term "National Security" should be narrowly defined. The term “National Security” should not be used to trample other parts of the US Constitution. Using the term “National Security” as a get-out-of-jail-free card must stop this instant!

Nick PJanuary 2, 2014 10:52 PM

@ Charles Ponzi

"being on Scheiner.com
>trusting the Fed more than cryptography"

Did you skim or read my post? I specifically mentioned the Fed as a scam going 100 years by elites paying off politicians. I also included evidence in that under 1% of them had accumulated 40% of the wealth. I thought it was interesting that Bitcoin had a similar elite group holding around a third of the wealth. If anything, I was blasting the Fed and Bitcoin at the same time for the same scheming design strategy to benefit the few at the expense of the many. All rigged financial systems should be fought, not just traditional ones.

And cryptography != trustworthiness. See NSA catalog linked in this thread if in doubt.

@ an anarchist

" I have always seen Bitcoin mainly as a stepping stone and a message to the world banks anyways."

I agree there. The Bitcoin protocol was brilliant work. The projects building on it are a testament to this. I don't think it's a threat to world banks, though, as a few of them own this country to a large degree. The 2008 and Wikileaks results should show you how powerful they are. If Bitcoin is ever a threat, they will have US and European govt's crush it like they did competing currencies & exchanges in the past. (Why I say that stuff is a "political" rather than "technical" problem.) Its main contribution, imho, is the protocol and the motivation its given to get people working on better digital currencies. I hope it inspires plenty innovation.

Both you and "Charles Ponzi" might find this article interesting. It's about Chaum's digital cash that inspired things like Bitcoin. The part that makes me shake my head in "w...t...f..." is that big financial institutions (and even Microsoft) were interested in adopting it but Chaum was so paranoid (schizo?) that he wouldn't allow it. And so we have traditional credit cards and their fees instead. (sighs)

AlexTJanuary 3, 2014 3:02 AM

Just another point about the "interdiction" approach - does it mean the DHL / Fedex are complicit, or at the very least compromised ? If so what would be the best way to source "clean" IT equipments ? Get back to building the machine in house ?

WaelJanuary 4, 2014 1:38 AM

@ Nick P,

It was in my big paper list for solving our problems. One of only two focusing on firmware. If there's an issue with it please do elaborate so I can make a record of it next to the paper for future releases.

Here is my observatios on the first page
Since boot firmware executes before the operating system is loaded, it can easily circumvent any operating system-based security mechanism.
Executing before the OS is loaded is not the only reason “boot code” can circumvent OS security mechanisms. BIOS code for example can preempt the OS and do things behind its back. That’s one area missing from the analysis (or threat analysis)

In this paper we describe an approach to this problem based on load-time verification of onboard device drivers against a standard security policy designed to limit access to system resources.
This is simply not sufficient – You can’t trust the HW, although, maybe this is the best you can do at the moment. A presumption of trusting the hardware needed to be stated here.
as well as boot-time device drivers supplied by the manufacturers of various components.
They are probably talking about option ROM and Firmware – symantics…
Yet at boot time, the pieces all run in the same address space in privileged mode.
Not necessarily. They all run in privileged mode (before the CPU is switched to protected mode – in the X86 world). But some devices have their own onboard memory that’s not accecible by other devices – privileged mode or not.
This strategy requires that we assume that the boot firmware was originally benign. Such a belief could be based on trust in the supplier or in some detailed examination of the code. It simply ensures that the code has not been changed after it was approved. Thus, the strategy is a means for preserving an existing relationship of trust, but not of establishing trust.
No comments... and this is only from the first page… There is more to say, but perhaps another day...

Nick PJanuary 4, 2014 8:54 AM

@ Wael

"You can’t trust the HW, although, maybe this is the best you can do at the moment. "

It's a recurring problem and I doubt it will go away in COTS systems so I don't count it as a negative against paper. There are a few "verified" hardwares like AAMP7G (commercial) and VAMP (academic prototype). Not mainstream yet.

"But some devices have their own onboard memory that’s not accecible by other devices – privileged mode or not. "

Does this affect the security of the firmware? Might need to integrate an IOMMU into this design somewhere.

"This strategy requires that we assume that the boot firmware was originally benign. Such a belief could be based on trust in the supplier or in some detailed examination of the code. It simply ensures that the code has not been changed after it was approved. Thus, the strategy is a means for preserving an existing relationship of trust, but not of establishing trust."

I can tell you stopped at the first page before quoting it...That's a description of the status quo, not BootSafe. They continue in the following section:

"...This strategy could be costly in practice... In this paper we describe an alternative technique that provides a basis for trust in boot firmware, regardless of its source."

People reading the quote might have gotten the wrong idea about the system. It doesn't trust the supplier or code: it applies PCC techniques on the code to verify it against a safety & security policy. All Open Firmware code must be verified before it runs.

not skepticalJanuary 4, 2014 12:08 PM

Sadly the US govt is operating on behalf of banking and big business and has been for several years now, and that includes the NSA.

These compromises are about corporate espionage and have very little to do with terrorism or any other such claims that have been declared in order to justify it.

This is about the consolidation of power into the hands of the few and ensuring that they maintain control, at the same time making sure nobody will ever again rise in competition to challenge their positions.

And as for the everyday citizen, make no mistake, the more control and power they steal from you, the more they will fear that you will try to take it back, and as a result the more they have to spy on you to make sure that you don't.

When the time comes and you realise what has happened, just you try and fight back once they've taken all your guns away -- while the technology may have changed a lot, this behaviour has been seen several times before.

There is a reason the constitution was written in such a way; so you would always have the means to take back control if ever it was taken from you.

You have my deepest sympathies. What a mess.

WaelJanuary 4, 2014 12:29 PM

@Nick P

I can tell you stopped at the first page before quoting it.
You think you caught me with my pants down! eh? Maybe you did, maybe you didn't... I actually read it twice, will read it a third (and final) time later.

JacobJanuary 4, 2014 7:47 PM

I have been reading and thinking a little bit on all of this.
1. Need for spy agencies to spy? Yup
2. General warrants? Nope. But I suspect they they were forced at least somewhat into this by wanting info saved for investigations later by companies not wanting to save data. Then possibly mission creep?
3. A lot of discussion and outrage ever spy gadgets and software.
4. I admit I don't like idea of snooping and keyword type of searches.
5. I wonder about flame, etc el al. All talk about updates and patches. What if they compromised that? Update of microcode would enable cracking (sorry bad pun) of anything you wanted to accomplish and impossible to remove. Just a thought.
6. The real lack of outrage, snowden still breathing, and the comment that he had not taken the Crown Jewels of NSA. What would THOSE look like? Hmm.

Nick PJanuary 4, 2014 11:10 PM

@ Wael

"You think you caught me with my pants down! eh? Maybe you did, maybe you didn't... I actually read it twice, will read it a third (and final) time later. "

I would've just said "Wth Wael what did I tell you about clothes and my place?!" I'd throw some clothes in your general direction then point out that the quote stated the opposite of the paper. So, whatever your bottomless *** was doing while reading it was affecting your focus apparently.

dopandaswearpradaJanuary 22, 2014 7:58 AM

@ Skeptical • December 31, 2013 10:27 AM

Yes - this is about institutions. I had a reply to you made out originally which quite honestly was very good and we could have had a compelling banter back and forth pre-snowden if you were in the mood for it.

Certain people in official positions do not like me. Nothing serious that I have done but I think we all are worldly enough to know if somebody in authority is obsessed with you they'll find something to pin on you sooner or later. What was it Lao Tzu said about more laws and bandits?

So we cannot have that conversation. Because we are not far from the day when computerized stylometric analytics can identify everybody's real life name automatically.

Self censorship is real and not just 'silliness'. It is like a police checkpoint for car insurance. In practice it hardly affects anybody but also in practice everybody only pays their car insurance because one day it could be them being flagged down.

tiggerFebruary 21, 2014 1:01 PM

@Clive Robinson

What your looking for is stairing you in the face, the GPRS and GPS module installed into every portable pocket device.

SAASM GPS in tandem with DoD SSL Certificates preloaded in the device.

What you guy's really believe that SSL is for secure search, give me a break. Every programmer know's why you apply PKI certificates to a portal Login page.

Want privacy, here's a clue go find an old second hand PC that still has windows XP on it. Take XP off it or at the very least get rid of explorer.exe

Remember how back in the day Netscape told everybody these guys are having a little monopoly trying to freeze everybody into internet explorer? Well not to paint to fine a picture but you tell me what Shell is your windows desktop running?

Think RSA & B-Safe...

tiggerFebruary 21, 2014 1:28 PM

If you read up on SAS and SAASM the answer become's obvious, well it does to me, because I am a programmer and I understand microbugs in other peoples code pretty well. Those SSL certificate's are not there for your security, if they where, then ask yourself why it is when you visit a website you are not offered the option to install there certificate and then varify it online with the site itself. Why do those security certificates all come preincluded with ones that are specifically marked DoD Department of Defence. (you must have been blind to miss it!)

They've been poisoning the standards for years and personally it goes without saying that if I caught up with the guy who put this all into there head I would find myself filled with a very strong desire to brain him in his sleep with a nine iron and then see myself reflected in his dead glazed eyeballs... Does that make me a bad person?

Clive RobinsonFebruary 21, 2014 4:16 PM

@ tigger,

I'm well aware of the failings of many "pocke devices" including some that don't have what many consider to be "radio systems" in them.

Likewise I've long been aware of the limitations of the likes of SSL and other encryption systems to leak information via many covert channels.

As long term readers of this blog know, I don't connect my work related systems to the Internet and I never mix work and social behaviours or systems.

I've chosen to use a smart phone for internet activities and I don't do much with it for anything else because I've always assumed that it's not under my control but that of a person who has the keys to the SIM, and I know just how baddly those keys are protected and failing that just how easy it would be for the SIM manufacture to include other channels if required or tricked into doing so.

I also know that on atleast one occasion my use of the smart phone has been intercepted very questionably by UK governmental organisations with the help of the mobile operators. Unfortunatly the personel of the organisation concerned's were --and I assume still are-- not the brightest light bulbs in the coridor because it was possible to detect their activities by fairly simple means.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..