
It's interesting that there's been little attention paid to what this genre of backbone/infrastructure tapping means for companies using content accelerators (or whatever they're called).

Considering what we now know about tailored access operations, I find it hard to imagine they've not used these abilities to subvert the auto-update functionality of virtually every product there is out there.

I.e. the client requests an auto-update from the front-end server, and the update is switched and replaced before hitting the front-end server and being delivered.




That would seem to be a harder problem for the NSA. First, it has to be an active attack, modifying data in transit rather than merely siphoning it off — probably tougher to cover their tracks in that case. Second, automatic updates are presumably cryptographically signed by the publisher, so the NSA also has to steal or crack the private signing key. Third, how do you target the backdoored version of the software so certain groups/people get it and others don't? CDNs don't work that way.

In the end, it seems much more practical to sneak a backdoor into the software at the source.
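The second objection above (that an in-transit swap fails unless the attacker also controls the publisher's private signing key) is easy to make concrete. The following is an added example, not code from the thread or from any real updater; it models the publisher signing an update offline with Ed25519, a client verifying against a public key pinned in the installed binary, and an on-path party modifying the bytes between origin and client. The seed, payload and `TamperInTransit` helper are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Update is what the client fetches from the CDN: the payload plus the
// publisher's detached signature over it.
type Update struct {
	Payload   []byte
	Signature []byte
}

// demoSeed is a constructed, fixed 32-byte seed so the example is deterministic.
// A real publisher keeps its signing seed offline, never in the shipped binary.
var demoSeed = []byte("constructed-demo-seed-32-bytes!!")

// SignUpdate runs at the publisher. Only the holder of the private key can
// produce a signature that the pinned public key accepts.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate runs on the client. The public key is pinned in the installed
// software, so the CDN or anything on the path cannot substitute it.
func VerifyUpdate(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, u.Payload, u.Signature)
}

// TamperInTransit models an on-path party swapping bytes of the payload while
// leaving the original signature attached (constructed scenario from the thread).
func TamperInTransit(u Update) Update {
	swapped := bytes.Replace(u.Payload, []byte("v2.0.1"), []byte("v2.0.1-modified"), 1)
	return Update{Payload: swapped, Signature: u.Signature}
}

// Demo returns the verification outcome for three deliveries:
//   genuineOK  - untouched update, signed by the publisher
//   tamperedOK - payload modified in transit, original signature kept
//   resignedOK - payload modified and re-signed with a key the client never pinned
func Demo() (genuineOK, tamperedOK, resignedOK bool) {
	publisherPriv := ed25519.NewKeyFromSeed(demoSeed)
	pinnedPub := publisherPriv.Public().(ed25519.PublicKey)

	// Constructed sample update body.
	genuine := SignUpdate(publisherPriv, []byte("installer v2.0.1 build=4711"))
	tampered := TamperInTransit(genuine)

	// A second, unrelated key stands in for anyone who is not the publisher.
	otherSeed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	otherPriv := ed25519.NewKeyFromSeed(otherSeed)
	resigned := SignUpdate(otherPriv, tampered.Payload)

	return VerifyUpdate(pinnedPub, genuine),
		VerifyUpdate(pinnedPub, tampered),
		VerifyUpdate(pinnedPub, resigned)
}

func main() {
	g, t, r := Demo()
	fmt.Printf("genuine=%v tampered=%v resigned-with-other-key=%v\n", g, t, r)
}
```

Only the untouched update verifies; both the modified payload and the re-signed one are rejected, which is why the discussion turns on the signing key rather than on the network path. The remaining real-world gaps are the ones the thread already names: a stolen key, or a backdoor introduced before signing, both of which this check cannot see.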


Whilst I agree with your point, I think an important question to ask is "harder compared to what exactly?"

Cracking SSL? Weakening crypto standards? Tapping undersea fiber? MITM attacks?

Given all those are used, I find it hard to believe the update vector isn't exploited. Sure, you'd need to compromise the signing key first, but that's a single target giving you the ability to subvert many more without the need for any breaking and entering or social engineering alerting intended targets/victims.

I'll take my tinfoil hat off now.



