

Ask HN: How does the NSA manage to hack elite companies? - toddhd


======
toddhd
We're all software engineers (OK, a lot of us are software engineers). As
someone in the computer business, hackers always fascinate me. Admittedly, I'm
not a hacker, not in the "break into a secure system and take control of it"
sense of the word.

Today I saw this article
([http://www.theguardian.com/technology/2013/oct/30/google-rep...](http://www.theguardian.com/technology/2013/oct/30/google-reports-nsa-secretly-intercepts-data-links)).
I'm sure you've seen similar ones recently,
from large companies and other countries. When you think about companies like
Yahoo and Google, you realize that we are talking about some very, very smart
people. These are not easy companies to get into. Their interviews are
designed to screen out all but the very best, the most elite programmers. And
when you are basically the "go to website" for most of the known world, you
spend a LOT of time on things like security, and tracking requests, etc. And
let's be honest, Google and Yahoo are in the business of tracking other
websites - it is their bread and butter. They understand it and know it.

So I ask myself - HOW? How did the government manage to find and acquire
programmers so skilled, so elite, that they are even smarter than the Google
and Yahoo guys tied together? Moreover, how did they manage to consistently
hack them?

To my knowledge, there are two main ways to get into a system. The first is
what most people assume - that's a brute force attack. Find a weakness in the
system, exploit that weakness, break in and do what you can before papa bear
catches you and kicks you out. Not a very effective approach for long term
information gathering, right? And once done, the exploit is usually addressed.

The other way is to get someone "on the inside" to help. Get them hired, and
then get them to covertly build a "back door" for them, an easy way in. This
too is way easier said than done on so many levels. I don't know about you,
but there are several guys on my team, and when security changes are made,
there are lots of people who are aware of it, and would likely see it. It
would be tough for me to build a back door without someone seeing it being
checked in. Or able to find it easily, even just "tripping over it".

But I digress. In order to hack Google, Yahoo, France, Germany, yada yada
yada, you'd have to get an inside guy, a super-elite smarter-than-google type
of hacker into every one of those places. They'd have to have elite hackers
growing on a farm somewhere if nothing else, and then all the connections
everywhere to secretly get them hired and into positions of security and
power. HOW???

I just don't understand. It seems like an unrealistic task to me. Maybe that's
why I'm a run of the mill engineer however... :)

~~~
mschuster91
The only thing you need to tap into an SSL-secured infrastructure is an inside
guy who has read access to the private key. Essentially, anyone with root
access to the front-end server. That doesn't leave behind any traces.

Same for breaking into the networks (like the NSA did with the Google data
center interconnections): you only need to know which fiber you have to
place a tap module into. And a subpoena or whatever against the company
providing the fiber service (as most of the fibers are leased to Google by
some other infrastructure company).

------
DanBC
GCHQ employs great mathematicians when they're young. It gives them a pleasant
working environment. There's probably travel to US to work with American
colleagues, and similar travel from US to work with UK colleagues.

There are plenty of genuine adversaries to use in recruitment.

And then, when you're doing the job, you're just cracking crypto or finding
exploits, you're not spying on your neighbours.

There's a few fun bits of propaganda - GCHQ HACKS TERRORIST WEBSITE, REPLACES
BOMB INSTRUCTIONS WITH CAKE RECIPES - for example.

So, you have these _really freakin' smart_ people working on these
interesting problems. They can learn from the rest of the Internet. They just
can't share their learning back.

And then you have some managers somewhere reading the law, and coming up with
some interesting non-conventional interpretation, and making use of all these
interesting exploits and broken crypto systems.

Parliamentary oversight fails for some reason.

------
midnitewarrior
If I were the NSA, I would have sleeper "retired government contractors"
(a.k.a. former employees / dual-employees) getting jobs in the private sector
in critical infrastructure roles.

None of these NSA guys have "Senior Cryptanalyst, NSA" on their resume, they
get manufactured titles and positions representing some remote office in
the Department of Defense. People take jobs after being in government service,
so it would be very plausible for a "former government contractor" to take a
job with Google, Microsoft or any other major technology company to get
proprietary access to critical infrastructure.

This would be much easier than the "brute force attack" method of hacking a
network.

------
ig1
Because the threat-model they use didn't include a well-funded government
opponent with submarines and the manpower and ability to physically interfere
with private lines.

------
thrillgore
I think much of the NSA's recent subversion comes from the amount of muscle
they put on the telcos. The fact that technologists are concerned about the
policy effects of PRISM and everything else revealed by Edward Snowden, the
NSA hasn't had much luck with technology companies outside of their NSLs.

------
gnu8
What's the incident response protocol for illegal intrusion by a government
agency? These crimes are never investigated or prosecuted, so what can you do
except remove them from your systems and keep it quiet?

------
J_Darnley
The NSA orders companies to bend over.

------
ibstudios
Because they are big.

