
The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle - frandroid
https://firstlook.org/theintercept/2015/02/19/great-sim-heist/
======
lawnchair_larry
_"TOP-SECRET GCHQ documents reveal that the intelligence agencies accessed
the email and Facebook accounts of engineers and other employees of major
telecom corporations and SIM card manufacturers in an effort to secretly
obtain information that could give them access to millions of encryption keys.
They did this by utilizing the NSA’s X-KEYSCORE program, which allowed them
access to private emails hosted by the SIM card and mobile companies’ servers,
as well as those of major tech corporations, including Yahoo and Google."_

First, it came for the terrorists, and I did not speak out, because I was not
a terrorist.

Then, it came for the muslims, and I did not speak out, because I was not a
muslim.

Then, it came for the Dutch, Belgian, and German engineers, and I did not
speak out, because I was not a Dutch, Belgian, or German engineer.

If you're an engineer, developer, sales staff, or pretty much anything else,
and you work at a company that has something worth stealing, you should think
about how this ends. If they don't come for you first, your personal life is
now completely fair game for nation state attackers.

They will stop at nothing, they have limitless budgets, they will attack your
private life, they will reflash the firmware in components of your personal
devices, and they will stalk you. Even when you did nothing wrong, even when
your employer did nothing wrong, even when your social graph is in no way
linked to anyone who ever did anything wrong.

~~~
CamperBob2
Just as important, if you're an engineer, developer, or mathematician who
works for the NSA or a similar agency, you need to take a long look in the
mirror and ask yourself if this is really what you wanted to do when you grew
up.

~~~
Cthulhu_
What, work with some of the smartest people on the planet with a near-infinite
budget solving the biggest big data problems out there whilst defending your
country from turrists? Sign me up!

~~~
mike_hearn
The smartest people on the planet are not working at the NSA. Most of what
they're doing is just plain old data aggregation and analysis, with a side
helping of large scale but ordinary hacking. The type that lots of teenagers
have done.

From a technical perspective, the sort of research going on at Google (deep
neural nets, etc) is in a whole other intellectual league.

~~~
mirimir
Conspiracy theories aside, couldn't the NSA just draft Google?

~~~
uptown
I'd be stunned if they didn't have employees embedded at Google and other
major technology firms.

~~~
beagle3
It has been my assumption that Facebook's and Google's core network and
security teams are each a large crowd of embedded spies working for various
intelligence agencies.

Think about it: You're an NSA/Mossad/MI5 NetOps operative. You can have access
to a lot of information without risking your life, get paid by your agency AND
google/facebook. What's not to like?

~~~
mike_hearn
Wouldn't work well. Way too many of these companies' key employees are not US
citizens and many aren't in the USA at all.

Google, for example, has a large security team in Switzerland, with quite a
few German and British employees. The NSA sees itself as a military
organisation, it is bound by military rules.

~~~
beagle3
> The NSA sees itself as a military organisation, it is bound by military
> rules.

What rules would that be? In the military, actively seeking (and using)
information you have no right/classification to see is a serious offence.
According to articles I've read, not a single NSA employee was disciplined for
e.g. spying on their SOs or Exs.

Also: If the NSA doesn't have Swiss and German citizens working for it, it's
not a very good intelligence agency. And we know for a fact that it is, at
least as far as reach is concerned.

------
anologwintermut
Personally, the biggest takeaway from this is the invasive targeting of
completely innocent and ordinary people simply as a means to get access to
things the NSA needed (SIM card keys). We have concrete evidence they nailed
people's personal email accounts and social networks merely as a means to get
crypto keys en masse. Sure, the potential mass surveillance is exceedingly
problematic, but that's mainly problematic because of the potential for abuse.
Abuse that we either assumed would happen or already had, but as far as I know
there was little direct evidence of.

The absolute lowest bar for surveillance seems to be that a government doesn't
use it to intentionally target innocent people/ those not in the game (hell,
lets lower it even further to be only people the government themselves believe
are innocent).[0]

That potentially allows dragnet collection of data if no one looks at it. It
might allow hacking just a company's servers to get access to third party
data. It probably allows you to spy on foreign heads of state (even if it's a
boneheaded move). But it damn well doesn't allow you to go through the
personal communications of people who you know have done nothing wrong and
aren't even working for someone who has.

[0] This is precisely the woefully low bar Obama has been espousing : “The
bottom line is that people around the world, regardless of their nationality,
should know that the United States is not spying on ordinary people who don’t
threaten our national security and that we take their privacy concerns into
account in our policies and procedures,”

~~~
higherpurpose
It's interesting because last I checked Obama/NSA were saying they don't
collect content, only metadata (that harmless, _harmless_ metadata [1]). If
that's the case, why were they so interested in the SIM key?!

[1] - http://justsecurity.org/10311/michael-hayden-kill-people-based-metadata/

~~~
anologwintermut
Because they were useful for targeted surveillance? Not that I agree with the
means or the scope, but there's an above-board explanation for the desire to
get the keys. Suppose you have a handful of phones in Pakistan or Iran you
need access to very covertly (e.g. some rogue guy in the ISI where getting
caught snooping has major consequences). The least risky way to access his
communications is to get the keys. The least risky way to do that is to get
them from the broadest source possible (to obscure who you're really interested
in) and the one most removed from your target. So there's a legit reason to
want the keys, even if you're only targeting a few legit targets.

But the means of doing so is truly questionable, even given all their
assertions about trust us and we don't look at everyones stuff.

------
Spearchucker
In 2007 I worked with Gemalto when they ported a Java/PKCS #11 Chip & PIN
implementation to the .NET Micro Framework/CAPI for Microsoft, who were using
it for challenge/response authN on a remote access project for the UK Ministry
of Defence. There was a case study of the project on Microsoft.com, but it
seems to no longer be there.

Anyway, this sucks because the Gemalto guys I did this with were to this day
among the best vendors I've ever worked with. Really awesome guys, _smart_,
and incredibly willing to share what they knew and did. And it's somewhat
ironic that Gemalto are trusted by the UK MoD for sourcing their smart card
components in Europe.

So much for keeping it local to avoid hacks.

------
bsder
Personally, my biggest takeaway is that _anything_ centralized is compromised,
period.

Any centralized system is such a juicy target that the NSA _will_ compromise
it. The only way to avoid dragnet issues is to decentralize and force the NSA
to expend resources at the edges.

This doesn't mean that you can make an individual target secure. The NSA can
always outspend you. But you can prevent the NSA from easily just vacuuming up
everybody cheaply.

~~~
chinathrow
Agreed. I still wait to learn that AWS is compromised on a huge scale too. No
words yet - mark this post and let's see and wait.

~~~
anonbanker
replying as breadcrumbs.

------
dthal
>>The document noted that many SIM card manufacturers transferred the
encryption keys to wireless network providers “by email or FTP with simple
encryption methods that can be broken … or occasionally with no encryption at
all.”

If that's true, then NSA/GCHQ aren't the only people who could have grabbed a
big pile of keys.

~~~
nicolas314
I can confirm this. In many cases these keys are exchanged over email with
simple DES encryption and a key known to everybody in the business (pretty
obvious key BTW). It really boils down to the security procedures in place
between the SIM manufacturer and Mobile Network Operators.

~~~
jdbernard
I want to chime in to offer the counter. I used to work for Gemalto. I'm not
exactly sure _which_ keys you are talking about, but when I was there
Gemalto's standard practice for the transfer of the keys mentioned in the
article--individual SIM embedded keys--was to use AllynisConnect (which I only
mention because it's easily found on Google) to facilitate the transfer of
individual SIM keys to the customer. Obviously I'm not going to comment on the
details of the cryptography involved, but it was much more considered than
"simple encryption methods or no encryption at all."

Notably this mechanism would not protect the keys against an attacker who was
inside Gemalto's or the customer's secure network, as seems to be the case
here.

I'd be interested in knowing which keys specifically you are talking about.

~~~
nicolas314
In many cases you have specific procedures in place for security-conscious
MNOs, but some of these procedures are such a pain that you inevitably end up
finding workarounds to get the business going, e.g. email or USB tokens
between various people who are not supposed to have those keys. Of course
security officers and other officials are not aware of this. Dig through any
sales mailbox and you will find CSV files (usually called output files)
containing Ki encrypted with simple DES. I'll let you ask around to learn which
DES key is most often used. Disclaimer: this is not specific to Gemalto.

~~~
jdbernard
Unfortunately that is very possible, and of course I can't speak for other
companies. I will say that Gemalto has internal access protection for these
and other information.

Of course, there are lots of things I didn't have visibility on and it is
possible that I am overly optimistic.
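The exchange above describes Ki batches travelling as CSV "output files" with the Ki column under single DES and a transport key that the whole business knows. The Go program below is an added example, not code from this thread, from Gemalto or from any vendor: it writes such a file from a constructed record and then shows what anyone holding a copy plus the shared transport key gets. The column names, the IMSI and the transport key are this example's inventions; the Ki value is the 3GPP TS 35.207 test set 1 key so it is recognisable in the output.

```go
package main

import (
	"crypto/des"
	"encoding/csv"
	"encoding/hex"
	"fmt"
	"strings"
)

// One personalisation record: the subscriber's IMSI and its 128-bit Ki.
type simRecord struct {
	IMSI string
	Ki   []byte
}

// desECB is the thread's "simple DES": single DES over 8-byte blocks with no
// chaining, so a 16-byte Ki is just two independently encrypted blocks.
func desECB(key, in []byte, decrypt bool) ([]byte, error) {
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%des.BlockSize != 0 {
		return nil, fmt.Errorf("length %d is not a multiple of %d", len(in), des.BlockSize)
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += des.BlockSize {
		if decrypt {
			c.Decrypt(out[i:], in[i:i+des.BlockSize])
		} else {
			c.Encrypt(out[i:], in[i:i+des.BlockSize])
		}
	}
	return out, nil
}

// writeOutputFile plays the vendor side: a CSV "output file" whose Ki column
// is DES-encrypted under the transport key tk. The column names are assumed.
func writeOutputFile(recs []simRecord, tk []byte) (string, error) {
	var sb strings.Builder
	w := csv.NewWriter(&sb)
	_ = w.Write([]string{"IMSI", "KI"})
	for _, r := range recs {
		enc, err := desECB(tk, r.Ki, false)
		if err != nil {
			return "", err
		}
		_ = w.Write([]string{r.IMSI, strings.ToUpper(hex.EncodeToString(enc))})
	}
	w.Flush()
	return sb.String(), w.Error()
}

// recoverKis is what anyone holding a copy of the file plus the shared
// transport key can do: the entire batch of Ki values falls out at once.
func recoverKis(file string, tk []byte) ([]simRecord, error) {
	rows, err := csv.NewReader(strings.NewReader(file)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) < 2 {
		return nil, fmt.Errorf("output file has no data rows")
	}
	var recs []simRecord
	for _, row := range rows[1:] { // rows[0] is the header
		enc, err := hex.DecodeString(row[1])
		if err != nil {
			return nil, err
		}
		ki, err := desECB(tk, enc, true)
		if err != nil {
			return nil, err
		}
		recs = append(recs, simRecord{IMSI: row[0], Ki: ki})
	}
	return recs, nil
}

func main() {
	// Constructed batch: the IMSI and the transport key are invented for this
	// example; the Ki is the 3GPP TS 35.207 test set 1 value.
	ki, _ := hex.DecodeString("465b5ce8b199b49faa5f0a2ee238a6bc")
	tk := []byte("TRNSPRT1") // the 8-byte DES key "known to everybody in the business"

	file, err := writeOutputFile([]simRecord{{IMSI: "001010123456789", Ki: ki}}, tk)
	if err != nil {
		panic(err)
	}
	fmt.Print(file) // what sits in the sales mailbox
	recs, err := recoverKis(file, tk)
	if err != nil {
		panic(err)
	}
	for _, r := range recs {
		fmt.Printf("%s Ki=%x\n", r.IMSI, r.Ki)
	}
}
```

The weakness is not the 56-bit cipher, it is the key management: a transport key shared across vendors and operators turns every mailbox, USB stick and mail server the file has crossed into a place the batch can be read in full, which is exactly the population the article says was searched. ECB adds a smaller leak on top: two subscribers with the same Ki produce identical rows.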

------
higherpurpose
This is exactly why Intel's upcoming SGX worries me greatly, too. NSA could
get the "key" to all SGX machines and therefore to _all_ applications using
SGX to secure themselves properly (ironically enough) [1].

Intel really needs to figure out how to protect the SGX system against such a
key robbery, and not by promising to only give access to a couple of employees
in the whole company who know a _very_ special hand-shake. Intel needs to
modify the SGX system in such a way that you _don't have to trust Intel_ (or
anyone hacking Intel) to keep the key secure, even if that means the company
not giving itself access to SGX at all (which includes not having the ability
to update it).

[1] - http://blog.invisiblethings.org/2013/09/23/thoughts-on-intels-upcoming-software.html

~~~
kevin_b_er
You mistake the point of SGX. The point of it is a reincarnation of treacherous
computing. Intel SGX requires remote attestation. This means that YOU, the
owner of the device, are not trusted. To have 3rd party keys would mean they
would have to trust you. With trust in you, how could it be marketed to the
copyright owners? The answer is that it cannot. The point of Intel SGX is to
deny ownership of the device to its owner.

But yes, any situation like this where you cannot be trusted means a hacker
can gain a higher level of trust than you if they break the security.

~~~
mike_hearn
SGX does not require remote attestation. Just like all prior TC platforms, it
offers remote attestation but there is no requirement that it be used.

By the way, very frequently the owner of a computer is not in fact
trustworthy. Situations where that occurs crop up all the time in security
engineering.

For example a big use of TC is making Bitcoin wallets that are secure against
malware. There are other uses too, like safe outsourcing of private data
storage/computation to the cloud.

~~~
anonymousDan
Yup, cloud is a major motivation for SGX (see e.g.
https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-baumann.pdf
for an example of how it might be put to use). I think it is a good
idea for making it more difficult for malicious insiders to mount an attack,
but any claims of it protecting you from the NSA are laughable given Intel
will probably hand over keys to them anyway.

------
TruthWillFree
What is problematic here is that the legitimacy of almost all information
exchanged in a digital form has been lost almost entirely. How much longer
must we presume ignorance in what is really happening? How much longer will
the innocent be bullied through technological and psychological means to
promote the interests of the current national security apparatus with
interests entirely different than the rest of America/World? What happened to
Aaron Swartz is only a taste of what is happening to the rest of us who
believe these types of activities are unethical and a violation of
constitutional law. Do we honestly believe that this isn't being used for
insider trading, to capture sensitive medical information, and steal other
trade secrets that should be protected by law? Wake up America. We need to
stand up against this digital tyranny.

------
droopybuns
How many silicon valley patriots would support this outrageous attack?

It was one week ago that Obama was arguing that this kind of activity is
necessary.

http://www.newyorker.com/business/currency/stanford-obama-tim-cook-privacy-security

This is not a republican/democrat problem. This is an institutional problem.
We need comprehensive reform of both parties and it should be followed by a
purging of the existing federal machine.

~~~
anonbanker
the call to revolution falls upon the deaf ears of the well-fed in the silicon
valley, my friend.

------
bigbugbag
Interestingly this is about Gemalto, a company with a remarkable history.

Remember times when the USofA wasn't adopting the smart card technology? Well
it had something to do with this chip technology (crypto) being a foreign
technology which coincidentally was the property of the French company Gemplus.

At the turn of the millennium a US investment fund (Texas Pacific Group)
managed to find its way into Gemplus's capital after a couple of denials, which
is the start of what is known in France as l'affaire Gemplus. To summarize,
instead of helping to conquer the US market, TPG used its power to change the
board of directors (and chose Alex Mandl as the head), initiated rounds of
layoffs and moved the R&D to the US to take control of the sought-after
technology.

The whole thing is shown to be an operation of the C.I.A. through In-Q-Tel to
take control of the chip card technology and possibly insert backdoors before
exporting. Slow to react, it took several years for the French government to
create its own version of In-Q-Tel called "Fonds Stratégique d'Investissement"
and try to reclaim Gemplus, now Gemalto, by becoming the majority stakeholder
with 8% of shares in 2009, a move that happened too late, and TPG, having
gotten what they wanted, sold its shares a year later.

------
chinathrow
I always wondered if HSMs are at risk of being compromised at the core (read:
the manufacturer) such as those from SafeNet (in use e.g. with Box.com on their
enterprise external HSM plan).

And guess what, Gemalto merged with SafeNet the other day.

http://www.safenet-inc.com/SafeNet-Gemalto-Merger/

Everything is compromised. Everything!

References:

https://www.box.com/blog/breaking-the-last-barrier-to-cloud-adoption-with-box-enterprise-key-management/

http://www.safenet-inc.com/data-encryption/hardware-security-modules-hsms/

------
rsingel
This is yet another good argument for TextSecure and RedPhone, which don't
depend on the SIM card encryption.

[https://whispersystems.org/](https://whispersystems.org/)

~~~
hannibalhorn
While certainly a step in the right direction, the lack of an open baseband
remains a huge problem, even with TextSecure. Any smartphone has a whole
separate OS running, with access to the system bus and memory, that we
generally have zero visibility into. There could be exploitable bugs, there
could be actual backdoors, and we just have no idea. If you truly want to
secure data, you need to use an airgapped system with hardware that is much
more open.

~~~
orbifold
That should be a solvable problem, aren't there tons of operating systems
professors and electrical engineers around in Europe that could in principle
develop an open baseband chip and operating system? Germany and France should
have an interest that their communication can't be trivially backdoored by the
NSA.

~~~
SXX
The main issue is there are really no specifications available on many things.
Also it will be nearly impossible to pass certification so no real manufacturer
would use it.

If you want more details you may check the OsmocomBB site and IRC.

> Germany and France should have an interest that their communication can't be
> trivially backdoored by the NSA.

Nobody is saying that governments don't have trusted hardware with only their
own backdoors. In almost every country manufacturers have to provide source
code and specs in order to pass certification so the gov does have everything
needed.

Though it doesn't help anybody else as it will never be open.

------
thorntonbf
At some point, people have to begin to realize that this has progressed past
"looking for terrorists."

Statists are gonna state, I guess.

~~~
GabrielF00
The article specifically cites the mobile phone networks of Iran, Yemen,
Afghanistan, and Somalia as targets. One is a state sponsor of terrorism, the
other three are places where the US is actively fighting terrorism.

~~~
scintill76
You conveniently left out Iceland, from the very same sentence that is the
source of what you listed. As far as I know, Iceland is innocent of terrorism
accusations from the US. (OK, benefit of the doubt: maybe The Intercept added
Iceland to the article later, or you genuinely didn't see it.)

Anyway, you really think the "bad countries" you named from a 5-year-old
document are an exhaustive list of what they've got today? You think the
agencies won't scoop up any other countries' keys, including the United
States', just in case their metadata graphs later suggest sleeper agents in
"the good countries"?

I'm too ticked to make a good argument about morality or lack thereof right
now, so I'll just leave it here. They hacked and surveilled non-terrorists to
get the keys, and got the keys of at least one "non-terrorist country"
(Iceland), so no, I don't find your argument convincing, and I think the
parent post's point stands.

~~~
GabrielF00
From the Intercept article it's not clear why this type of data was collected
from an Icelandic carrier. The linked graph appears to show 100 IMSIs from
Iceland, as opposed to 100,000 from Somalia* and tens of thousands from
Afghanistan. It's possible that the Iceland data was acquired incidentally
because it happened to come from the same sources that were sending data on
more interesting countries. It's possible that there's something of value to
be learned in Iceland. I don't know. The Intercept gives us very little
context as to the actual products that the intelligence agencies produce.
[Edit: Page 11 of this document indicates that the acquisition of keys from
Iceland and Tajikistan was unexpected and that those countries were not
targeted:
https://firstlook.org/theintercept/document/2015/02/19/pcs-harvesting-scale/]

I don't dispute the fact that the US government has intelligence-gathering
priorities that don't involve terrorism. I would argue that at least one
reason terrorism is discussed is that there are diplomatic consequences to
saying one spies on foreign governments. I also agree with the more cynical
view, that terrorism is cited as a rationale because terrorism is scary and
something opposed by everyone the US is trying to convince.

I believe very strongly that the world would be a lot safer if the US
government knew certain things like the intentions of the Russian leadership
and the capabilities of the Russian armed forces. Or the state of the Iranian
nuclear program and that country's negotiating position. Or what exactly is
happening on the ground in the midst of all the chaos in Libya or Syria or
Yemen.

The answers to these questions will determine the fate of entire regions of
the world.

*A subsequent document puts a later figure for Somalia at 300,000.

~~~
scintill76
In the interest of the fuller picture, thanks for noting that Iceland and
Tajikistan were incidental. I don't know that we have a definitive answer from
these docs on whether those keys were even saved. Even if not, it's unsettling
that an "automated process" turns up keys "not on the list of interest." The
article even says the "system failed to produce results against Pakistani
networks, denoted as “priority targets” in the document."

I don't know how far I'd be willing to go to effect a hypothetical, unknown
increase in safety and control. I do know that the US government and its
allies are destroying the reputations of innocent companies, the peace of mind
of hundreds of Gemalto/network employees who will now be wondering if they
were personally hacked and to what extent, and the human rights of privacy of
hundreds of thousands of people who use SIM cards. Is it worth it? I guess
we'll never know, and I don't think the spies can truly say either.

Maybe some of that falls on leakers' shoulders too, but in any case it's not
very confidence-inspiring that lowly people like Manning and Snowden were able
to steal what they did.

------
knodi123
How is snowden still producing high-level stuff like this?

Did he really steal info on that many headline-worthy stories all in one go,
or does he have fresh sources?

Sometimes this feels like another instance of what I call the "Weird Al
phenomenon", where any person who hears a silly parody of a pop song
attributes it to Weird Al, because "wait, you're telling me there are other
song parody writers?"

~~~
rys
It's safe to assume that the vast quantities of documentation he liberated
have enough newsworthy material in them to last those with access a very very
long time.

~~~
zecho
Greenwald and Poitras have said this publicly many times. They have years
worth of material to report from the cache of files.

------
digitalneal
I think it's safe to say NSA/GCHQ are not the only ones in the game who have
hit this target.

~~~
rl3
On that note, I wonder if their compromising of these systems affords the
target any sort of immunization from attacks by other actors.

It would make sense that NSA/GCHQ wouldn't want their foreign competitors to
share in the prize, and it would also be congruent with their interests to not
afford competing actors access to such a prize.

Then again, this notion is likely far too romantic. The reality is probably
closer to one where foreign actors have compromised everything just the same.

~~~
Kalium
Sometimes denying data to others is as good as advertising that someone else
got there first. So you might want to leave the treasure trove in place so
that nobody else figures out you have it.

Intelligence is wheels within wheels within wheels...

~~~
rl3
Good point. However, it might be possible to deny adversaries without alerting
them to the fact that they were denied in the first place.

~~~
Kalium
Depends how advanced the adversary is. It also depends on if you want to deny
them, because you might learn something by watching what they do. Or you might
feed them false data and see what happens.

Aren't mind games fun?

------
steeve
Remember when hacking Sony was an act of war?

------
summerdown2
I think one of the big issues here is that for an intelligence agency, good
defensive security is essentially silent. There's not a lot of money or
political capital in "nothing broke today."

On the other hand, good offensive capabilities, even if kept secret
externally, are loud and flashy within the organisation, and come with lots of
political capital beyond it.

Because of this asymmetry, I think it's almost impossible for an intelligence
organisation to stop its "defense" mission being swallowed by the "attack"
one. And so we all end up less free and less safe.

I do sometimes wonder what the world would be like if the NSA took it as its
mission to secure the internet and chain of encryption, rather than constantly
breaking it. If, for example, they used their resources to seek out
vulnerabilities and exploits and fix them.

Maybe such a world is impossible. But I do think there's a valid space for a
national cyber defense organisation that runs counter to this trend, that acts
to shore up the infrastructure rather than constantly subverting it.

------
b6
I donate to the EFF whenever possible. What else can I do to fight these
bastards? I think the NSA is a threat to humanity and I feel helpless.

------
gerty
French press is trying to connect Gemalto and NSA. Common denominator is Alex
Mandl. He's currently Executive Chairman of Gemalto. Previously, he was on the
Board of Directors of In-Q-Tel, which is a CIA company.

------
pests
One notable line:

"GCHQ operatives identified key individuals and their positions within Gemalto
and then dug into their emails. In one instance, GCHQ zeroed in on a Gemalto
employee in Thailand who they observed sending PGP-encrypted files, noting
that if GCHQ wanted to expand its Gemalto operations, “he would certainly be a
good place to start.”"

~~~
merrua
Does that suggest they have an exploit in PGP?

------
Lanzaa
One key thing that stood out to me was this:

> [GCHQ operatives] noted that the use of PGP could mean the contents were
> potentially valuable.

This is a good reminder that encrypting everything is important for security.
Only encrypting valuable or sensitive information provides information to an
attacker on where they should focus their efforts.

------
sehugg
Ironically Gemalto also tracks statistics on data breaches -- guess they ought
to update their numbers?

http://www.cso.com.au/mediareleases/21603/gemalto-releases-findings-of-2014-breach-level/

------
leesalminen
Do they want me to be apathetic about the actions of our government? I'm
getting close.

~~~
orbifold
You should read "The Crisis of Democracy", in short yes, you are supposed to
be apathetic, the people in power get uncomfortable quickly if you take an
interest in what they do.

------
junto
Since the US and British governments operate on the premise of invading the
privacy of all citizens without warrant in order to prevent a handful of bad
apples, should other countries consider a temporary blanket ban on all US
citizens from visiting their countries in order to make a point?

I know that only 4% of US citizens have passports, and most countries rely on
US trade, but still it would certainly send a message?

Simplistic I know but somehow we need to voice our dissatisfaction with the
way things are headed. Foreign citizens can't change US policy, only US
citizens can vote out their corrupted system.

The privacy of non-US citizens is considered as fair game. We have no comeback
presently.

~~~
dTal
>I know that only 4% of US citizens have passports

You're off by an order of magnitude. It's actually about 38% [0]. Bear in mind
Americans even need a passport to travel to Canada or Mexico now.

I also do not think that preventing Americans from travelling abroad will
improve their global perspective.

[0] http://travel.state.gov/content/passports/english/passports/statistics.html

------
steffenfrost
Isn't the NSA breaking US law by hacking into a commercial entity's network?

~~~
SoftwareMaven
Which is probably why GCHQ was the one doing the actual hacking. NSA just got
a share in the prize.

~~~
dredmorbius
That seems to be the real value in the Five Eyes network.

Each member can undertake surveillance of the domestic communications of the
other members, thus absolving the own-state surveillance apparatus from claims
of domestic spying. But the poisoned fruit may be (and appears to be) freely
shared.

~~~
a3n
If I receive and use/sell stolen property, I've broken the law even if I
didn't steal it.

I would think if anyone could work their way through the "standing"
restrictions, it could be shown in court that the NSA violated the
Constitution by receiving "stolen" surveillance data.

The reason why we have the 4th Amendment is not because the act of spying is
feared (as egregious as that is), it's because of what the government might do
with the results. So receiving the data violates at least the spirit of the
constitution, and I would think the letter also.

~~~
dredmorbius
Maybe. Seems to me that there's a bit of an issue with the general operating
mode of an intelligence agency. I've said in the past that I wasn't generally
overly concerned with stories such as the NSA's reported monitoring of German
chancellor Angela Merkel -- which later reports suggest might _not_ have
happened -- apparently they're not even totally up on which close national
ally heads-of-state they're spying on. But keeping tabs on other countries --
even friendly ones -- yeah, that's part of the basic remit.

But an organized "we'll spy on yours if you spy on ours" arrangement,
particularly with a "don't ask for it, we'll just give it to you"
understanding. That's violating the intent of legal and constitutional
protections every which way.

At the same time, if a talent scout in North Whateveristan gets handed a sheaf
of goatskins exfiltrated from the local TCP-over-parchment connectivity
provider, the legality of that data's acquisition shouldn't be a hindrance.

But if North Whateveristan happens to be a friend and we're concerned with
what the goatskins reveal, then breaking that information to the government
(or other friends in slow places) should be possible at _some_ level.

If there's a resolution by law in this, it's likely going to have to require
explicit controls over how and when data of a given nation's nationals or
residents is provided to that nation. And bars on mass transfers.

Perhaps mandating them _outside_ intelligence services through diplomatic
channels?

At least that'll give Wikileaks a sporting chance.

~~~
a3n
> But an organized "we'll spy on yours if you spy on ours" arrangement,
> particularly with a "don't ask for it, we'll just give it to you"
> understanding. That's violating the intent of legal and constitutional
> protections every which way.

That is exactly my point. And it's horrible, it's the government thuggishly
wiping its ass with the Constitution. East Germany would have swooned in
ecstasy at all the intelligence porn collected by the NSA.

------
gcb0
the first line from the one-page-PDF source for the article is:

    
    
       "Billing servers to suppress SMS billing"
    

were the GCHQ risking bankrupting the government because of abusive SMS
billing from the telcos?

[1]
[https://firstlook.org/theintercept/document/2015/02/19/cne-a...](https://firstlook.org/theintercept/document/2015/02/19/cne-access-core-mobile-networks-2/)

------
ChuckMcM
Sadly this would be an excellent application for the CFAA except that the
agencies involved are immune from its prosecution.

~~~
a3n
Maybe so, but ...

> Additionally, the spy agency targeted unnamed cellular companies’ core
> networks, giving it access to “sales staff machines for customer information
> ...

So these corporations had customers' personal data stolen. I believe they're
obligated to inform those customers, and possibly other obligations. (No
direct knowledge, just spouting off what I've read during the Target and Home
Depot breaches.)

------
bcl
Gemalto doesn't just make sim cards. They also make OTP tokens -
[http://www.gemalto.com/readers/tokens](http://www.gemalto.com/readers/tokens)

~~~
chinathrow
And HSMs since their merger with SafeNet.

------
CyberDildonics
And yet for some reason the idea that data should be separately encrypted at
every protocol layer is something people fight.

------
hobarrera
Shouldn't TLS/GPG/OTR/etc have our backs on this anyway (at least on the data-
side of it)? I mean, they can now intercept and read any mobile data traffic,
but that traffic usually has layer-specific encryption as well (eg: TLS for
banking). Doesn't that cover us? Am I missing something?

------
malandrew
I'm wondering if this also involves stealing keys that secure the Gemalto AWS
multi-factor auth devices.

------
cm2187
It doesn't justify the NSA/GCHQ's actions but the fact these keys could be
stolen like that mostly means mobile communications were never really secure
in the first place.

I am every day more appalled by the scale of the data breaches we learn about
every week.

------
_pmf_
I've always regarded encryption that is not end-to-end as a gimmick.

------
motters
Surely this has got to be illegal. When will the lawsuits commence?

------
Iv
At this point, if you are surprised by this, you should not be working in the
security field.

------
Tharkun
So, should I get a new SIM?

~~~
chinathrow
You might start with asking your mobile operator how they react to this
compromise.

------
SXX
Nothing new. At this point nobody should consider any closed source encryption
as something even nearly trustworthy.

~~~
jdbernard
That has very little to do with this particular attack. The NSA did not attack
the proprietary code, which uses standard, open, and publicly-known and
documented cryptographic operations, by the way. They compromised the key
custodians.

While I agree in principle about open source, using purely open-source
software would not have provided any defence here.

~~~
SXX
> While I agree in principle about open source, using purely open-source
> software would not have provided any defence here.

In open source software / hardware there wouldn't be a "master key" that can't
be changed and that has to be used by telecoms. Yeah, of course, no doubt the NSA
may penetrate the network of every one of them, but it would be a lot more
costly.

~~~
mike_hearn
No, really, this isn't about open source stuff.

Any architecture that requires pre-shared symmetric keys is going to have this
problem. The fix is architectural, not open sourcing stuff. From what I
understand LTE is significantly better.
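
The architectural point above (a static pre-shared symmetric key versus an
ephemeral key agreement), as an added example that is not part of this thread
or of any real mobile standard: a toy Python model in which a SIM/operator pair
share a long-term secret `K`, traffic is recorded passively, and `K` leaks
later. Names (`psk_encrypt`, `dh_session`, `simulate`) and the HMAC-based
stream cipher are constructed for the demo; the DH group is the 1024-bit MODP
group from RFC 2409, chosen only because it needs nothing beyond the standard
library. Real GSM/UMTS/LTE key schedules and ciphers are different; only the
structure is being illustrated.

```python
"""Static pre-shared key vs. ephemeral key agreement: what a later key theft exposes.

Added example (not from the article or the thread). Toy model only: the real
GSM/UMTS/LTE ciphers and key derivations are not reproduced here.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP group from RFC 2409 (Second Oakley Group), used so the demo is
# stdlib-only. Real deployments use larger groups or elliptic-curve DH.
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
DH_G = 2


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def psk_encrypt(K: bytes, nonce: bytes, data: bytes) -> bytes:
    """Pre-shared-key design: the session key is a function of K and a public nonce only."""
    session_key = hmac.new(K, b"session" + nonce, hashlib.sha256).digest()
    return xor(data, keystream(session_key, nonce, len(data)))


psk_decrypt = psk_encrypt  # XOR stream cipher: decryption is the same operation


def dh_session(K: bytes):
    """Ephemeral DH where K only authenticates the exchange (a MAC over the public values).
    Returns (public transcript incl. MAC, session key side A, session key side B)."""
    a = secrets.randbelow(DH_P - 2) + 1          # ephemeral private exponents, discarded after use
    b = secrets.randbelow(DH_P - 2) + 1
    A = pow(DH_G, a, DH_P)
    B = pow(DH_G, b, DH_P)
    transcript = A.to_bytes(128, "big") + B.to_bytes(128, "big")
    tag = hmac.new(K, transcript, hashlib.sha256).digest()
    shared_a = pow(B, a, DH_P).to_bytes(128, "big")
    shared_b = pow(A, b, DH_P).to_bytes(128, "big")
    return transcript + tag, hashlib.sha256(shared_a).digest(), hashlib.sha256(shared_b).digest()


def simulate(plaintext: bytes = b"constructed sample: call setup for subscriber 0001") -> dict:
    K = secrets.token_bytes(16)      # long-term secret shared by SIM and operator (constructed)
    nonce = secrets.token_bytes(16)  # public per-session value

    # --- traffic recorded passively at the time ---
    psk_ct = psk_encrypt(K, nonce, plaintext)
    handshake, sk_a, sk_b = dh_session(K)
    assert sk_a == sk_b               # both ends agree on the ephemeral session key
    dh_ct = xor(plaintext, keystream(sk_a, nonce, len(plaintext)))

    # --- later: K is stolen from the key custodian ---
    stolen_K = K
    psk_recovered = psk_decrypt(stolen_K, nonce, psk_ct)

    # With K, the handshake and the ciphertext the recorder can check the MAC but
    # has no session key: deriving it from the transcript is a discrete-log problem.
    attacker_guess = hmac.new(stolen_K, b"session" + nonce, hashlib.sha256).digest()
    dh_attempt = xor(dh_ct, keystream(attacker_guess, nonce, len(dh_ct)))
    mac_ok = hmac.compare_digest(
        handshake[-32:], hmac.new(stolen_K, handshake[:-32], hashlib.sha256).digest()
    )

    return {
        "psk_recovered": psk_recovered == plaintext,   # recorded PSK traffic is exposed
        "dh_recovered": dh_attempt == plaintext,       # recorded DH traffic is not
        "mac_forgeable_with_K": mac_ok,                # but K still lets an active party impersonate later
    }


if __name__ == "__main__":
    print(simulate())
```

The third result is the caveat worth keeping in mind: an ephemeral exchange
gives forward secrecy for traffic that was only recorded, but a stolen
long-term key still authenticates future sessions, so rotating or replacing
that key remains necessary once custody is in doubt.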

------
uptown
Absolutely everything is compromised.

~~~
0x5f3759df-i
That is just the opposite argument of saying that nothing is compromised.
Neither are correct.

------
xai3luGi
At this point, we might as well just go back to landlines and fax machines.

~~~
saganus
Aren't those even easier to wiretap?

I believe (maybe I'm wrong here) that the word wiretap comes precisely because
people could literally "tap" into the wire and listen everything.

Or did I miss the sarcasm?

~~~
khuey
The old technologies required more effort (somebody had to go physically tap
the wire).

~~~
saganus
When I re-read the parent's post I thought to myself "of course he is being
sarcastic!"

But then I saw your post and it made me think. And I believe you are onto
something here.

I mean, sure, probably tapping one phone is much easier physically, just
connect the wires and you're done. However the point you bring up is a
game-changer.

In ye' olden days spooks were interested in certain persons only, but now it
seems that we are all fair game, and so the "easy" way of wiretapping becomes
incredibly hard when you want to spy on _everyone_.

It's basically a scalability problem then. Never saw it that way.

~~~
MichaelGG
Except more and more, calls are going over VoIP, which is essentially never
encrypted. Even calls from one landline to another, even to a neighbor, might
end up on VoIP. And in any given call, there are probably multiple resellers.
Each with full capability to intercept, redirect, modify, etc. any call. And
tech support is often given access to capture any call, as a troubleshooting
measure.

Even companies like AT&T, who you'd think with exorbitant prices would always
pay for proper direct connections, actually try to find the cheapest bidder in
any way possible. For some destinations, they might have a list that's 20+
resellers deep.

In short, tapping major connectivity points is probably enough to capture a
_lot_ of calls even if you place them from a landline. (Not to mention there's
no real security mindset in telecom at all.)

~~~
doctorshady
That depends on what network you're using. If you're using a landline from the
incumbent local exchange carrier, the probability of a local call going over
voip is effectively almost zero. Likewise, for long distance carriers, AT&T,
the ex-MCI networks Verizon owns, and the Sprint wireline long distance
network (their mobile stuff goes over separate facilities; their long distance
network, as well as most of the ex-MCI networks use a platform called the
DMS-250, which is very much oriented to non-packet connectivity) generally
don't use voip trunks for national traffic. Also, there is no least cost
routing operation like on most of the smaller carriers, so there's no need to
hit any sort of public network until it reaches the access tandem at your
destination, at which point, it definitely isn't exchanged in any sort of IP
format.

Internationally, it depends on what carrier they interconnect with and what
they want. Generally speaking, I think Verizon will use more IP-based routes
(usually to more expensive countries) than the other two.

By contrast, landline service coming from the cable company generally does go
over voip, but only within their internal network. For local and inbound
calls, it'll still hit some DSx trunks back to the phone network. 1+ long
distance traffic, at least on Comcast, is definitely in IP format, and could
very well even be hitting the public internet for least cost routing
operations.

