
NSA Reportedly Intercepts And Alters Routers And Servers Exported From U.S. - yanofsky
http://techcrunch.com/2014/05/13/nsa-reportedly-intercepts-and-alters-routers-and-servers-exported-from-u-s-to-facilitate-surveillance/
======
tomp
Translation of the NSA statement:

We don't deny altering hardware. In fact, if we (likely) install backdoors
into hardware used by foreign intelligence targets; but don't worry, we're not
interested in the casual user. As the US Government relies on commercial
hardware, we make sure that only the US Government can access the backdoors.
We're angry that this was made public, and we can't prove that it jeopardizes
human lives.

~~~
sentenza
It also sheds some new light on the "China-hardware is bad for you" media
campaign that was run right before Snowden happened. It seems that not buying
American means keeping the American intelligence community out of one's
network.

But I guess you _actually_ can't trust the Chinese either. That doesn't leave
many hardware vendors for heavy-duty network equipment to choose from.

~~~
gaius
Sure you can. The Chinese are 10,000 miles away and don't really care about
Western domestic politics. It might be different if you are an arms or pharma
company, but for the average citizen concerned about civil liberties, you
really _can_ trust the Chinese in this case.

~~~
adventured
China cares a great deal about Western politics. Their two biggest markets are
the United States and Europe.

Check out the Chinese support of Hillary and Bill Clinton.

There has been a ton of illegal Chinese money all over US elections for
decades. Read up on the scandals from the 1990's revolving around this, or the
Chinese money that flowed to Hillary in 2008.

Obama.com is (was?) even owned by a money bundler out of China.

Or check out the Chinese hackers that targeted the Romney & Obama campaigns.

[http://www.latimes.com/la-na-donors19oct19-story.html#page=1](http://www.latimes.com/la-na-donors19oct19-story.html#page=1)

[http://www.cnn.com/ALLPOLITICS/stories/1999/04/04/china.clin...](http://www.cnn.com/ALLPOLITICS/stories/1999/04/04/china.clinton.money/)

[http://www.thedailybeast.com/articles/2012/10/08/the-illegal...](http://www.thedailybeast.com/articles/2012/10/08/the-illegal-donor-loophole.html)

[http://www.washingtontimes.com/news/2014/mar/10/hillary-clin...](http://www.washingtontimes.com/news/2014/mar/10/hillary-clinton-campaign-received-funds-jeffrey-th/?page=all)

[http://www.nbcnews.com/id/4264134/ns/nbc_nightly_news_with_b...](http://www.nbcnews.com/id/4264134/ns/nbc_nightly_news_with_brian_williams/t/john-kerrys-chinese-campaign-connections/#.U3Ix4Sis9kg)

[http://investigations.nbcnews.com/_news/2013/06/06/18807056-...](http://investigations.nbcnews.com/_news/2013/06/06/18807056-chinese-hacked-obama-mccain-campaigns-took-internal-documents-officials-say)

[http://townhall.com/tipsheet/katiepavlich/2012/10/08/exposin...](http://townhall.com/tipsheet/katiepavlich/2012/10/08/exposing_barack_obamas_illegal_foreign_campaign_money_loophole)

------
beejiu
This reminds me of a story about a TOR developer who suspected her keyboard
from Amazon was intercepted and implanted, because the redirection was
included in the delivery log. Seems quite likely it was, in light of Glenn's
latest slides release.

[http://www.techdirt.com/articles/20140124/10564825981/nsa-in...](http://www.techdirt.com/articles/20140124/10564825981/nsa-interception-action-tor-developers-computer-gets-mysteriously-re-routed-to-virginia.shtml)

~~~
danielweber
What is the specific smoking gun I am supposed to see there?

~~~
ds9
The Dulles area is known as a hub for US spook-agency headquarters and
activities.

It's not obvious tho that this is suspicious - there's also a big airport
there and it could be just a shipping facility. I guess the argument is that
it is an unnecessary detour if it could have gone right to Alexandria.

I'd like to see (a) other CA shipments, say non-computer items, to Alexandria
- and whether they go via Dulles and (b) a followup indicating whether Shepard
found anything of interest.

------
hnha
no need for techcrunch spam, the original source was already submitted and
discussed at
[https://news.ycombinator.com/item?id=7734418](https://news.ycombinator.com/item?id=7734418)

~~~
yanofsky
oops, my bad. apologies everyone

------
smutticus
How much hardware is actually made in the USA anymore? Most HW is manufactured
in Taiwan, China, Korea, Thailand, Malaysia or maybe Mexico. I used to work
for a router manufacturer that manufactured all of its equipment in Taiwan and
Mexico. When we shipped to someone in Europe (for example) we shipped directly
from Taiwan to Europe, not through the US. So I have to wonder how much of
this stuff the NSA could actually get their hands on.

The other question I have is what happens when there is an RMA, or the
equipment is sent back for repair? Might someone notice that it's been
tampered with? We need more specifics to really understand what was going on
here. So many questions, no real answers.

~~~
intslack
Anything that's shipped from the US, basically. From the slides released with
Greenwald's new book today:
[https://i.imgur.com/lCM0apx.png](https://i.imgur.com/lCM0apx.png)

Here's the source, but be warned that this is a 90 MB pdf:
[http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPl...](http://hbpub.vo.llnwd.net/o16/video/olmk/holt/greenwald/NoPlaceToHide-Documents-Uncompressed.pdf)

~~~
csandreasen
I get the feeling that if every router was being intercepted, that picture
would look more like a giant series of assembly lines rather than three people
casually sitting around a Cisco box.

~~~
intslack
Guess I should've been clearer: any equipment they're interested in that ships
from the US is at risk. They don't need to go after all equipment. They only
need to go after equipment being shipped to backbone providers abroad, and
specific targets they are interested in that are "tough to crack."

Further, if one believes that TAO is limiting themselves to terrorists buying
Cisco equipment, I have a bridge to sell you. That's absurd considering they
proudly boast about their economic espionage, their spying on activists such
as Wikileaks supporters and other "radicals," and their partners bragging
about how they DDoS IRC chat rooms of hacktivists.

One example: [http://justsecurity.org/2013/11/29/nsa-sexint-abuse-youve-wa...](http://justsecurity.org/2013/11/29/nsa-sexint-abuse-youve-waiting/)

All of this is summarized in Greenwald's new book.

~~~
csandreasen
I don't expect them to be limiting themselves to terrorists - they're a
foreign intelligence agency. I expect them to be gathering info on foreign
governments, militaries, etc. (along with spying on terrorists).

I've written about the NSA porno article before, so I'll just post the link to
that thread[1]. The TLDR is that Greenwald seems to have left a good deal out
of his reporting in order to both sensationalize and avoid discrediting his
own argument. I haven't read his new book; maybe he addresses it in there.

[1]
[https://news.ycombinator.com/item?id=6885325](https://news.ycombinator.com/item?id=6885325)

~~~
intslack
No, but that's their justification the vast majority of the time. They don't
limit it to foreign governments or militaries either. They do engage in
economic espionage, fact. They do single out anyone they don't like which
isn't limited to terrorists in these campaigns: "radicals", among them
Wikileaks supporters, fact.

Stewart Baker has discredited himself[1], his opinion is worth jack shit
frankly. I wouldn't trust anything he says, not only because he was behind
many of these programs as counsel but also because of Eben Moglen's
interactions with him during the almost-prosecution of Phil Zimmermann, and
suggest you do the same.

That the documents are 'sensationalized' is the favorite refuge of NSA goons:
when Keith Alexander's comment about collecting it all became public, SEXINT,
PRISM, etc. He talks about all of those and leaves no doubt that this
characterization is horse shit after the third chapter.

[1] [http://www.skatingonstilts.com/skating-on-stilts/2014/04/hid...](http://www.skatingonstilts.com/skating-on-stilts/2014/04/hiding-in-plain-sight-evidence-that-nsa-isnt-wrecking-internet-security.html)

~~~
csandreasen
Wow, thanks for accusing me of being an NSA goon. For the record, I said the
reporting was sensationalized, not the documents.

On the economic espionage front, I really don't care if the NSA spies in order
to shape national policy. Things get a lot murkier when intelligence agencies
spy and then hand that data off to private companies. Huawei was caught
red-handed using stolen source code from Cisco[1]. Cisco probably lost
millions because Huawei was able to undercut them and skimp on R&D costs.
Frankly, I don't want any foreign companies willing to steal trade secrets
managing the same internet backbones I conduct business on, just like China
probably doesn't want their internet backbones running on American equipment.
If there is evidence that the NSA has been handing Huawei source code to
Cisco, or any kind of data to any private organization for that matter, in
order to gain a competitive advantage, then Greenwald has yet to show it.

You can consider Stewart Baker's opinion to be worth jack shit, but apparently
Glenn Greenwald, Ryan Gallagher and Ryan Grim thought his opinion was good
enough to quote extensively for the SEXINT article that they wrote. But that's
not even the point - they could have been quoting Glenn Beck for all I care.
The issue is that they quoted him _very_ selectively in order to not discredit
their argument. That wasn't even the first time: right off the bat they
omitted slides from the PRISM presentation in order to make the argument that
the NSA had direct access to Google/Yahoo/Microsoft/etc.[2] I can see in the
PDF file for Greenwald's book that he still extensively cites the Boundless
Informant slides, despite the fact that they've been thoroughly
discredited[3]. I'm honestly curious - did he mention that part in the book?

The Washington Post silently corrected their initial reporting without issuing
a public statement[4][5], and as far as I know Glenn Greenwald has never issued
any retractions. I'm sure that there's probably plenty of interesting
information in the Snowden cache, but I don't trust most of the reporting up
until now.

[1] [http://blogs.cisco.com/news/huawei-and-ciscos-source-code-co...](http://blogs.cisco.com/news/huawei-and-ciscos-source-code-correcting-the-record/)

[2] [https://medium.com/state-of-play/8ebc878074ce](https://medium.com/state-of-play/8ebc878074ce)

[3]
[http://electrospaces.blogspot.com/search/label/BoundlessInfo...](http://electrospaces.blogspot.com/search/label/BoundlessInformant)

[4]
[http://www.forbes.com/sites/jonathanhall/2013/06/07/washingt...](http://www.forbes.com/sites/jonathanhall/2013/06/07/washington-post-updates-hedges-on-initial-prism-report/)

[5] [http://www.zdnet.com/how-did-mainstream-media-get-the-nsa-pr...](http://www.zdnet.com/how-did-mainstream-media-get-the-nsa-prism-story-so-hopelessly-wrong-7000016822/)

~~~
intslack
Sorry for the wall of text, but I quoted verbatim from the book below.

>Wow, thanks for accusing me of being an NSA goon.

I didn't accuse you of being an NSA goon. Stewart is definitely one though.

> If there is evidence that the NSA has been handing Huawei source code to
> Cisco, or any kind of data to any private organization for that matter, in
> order to gain a competitive advantage, then Greenwald has yet to show it.

What does that have to do with anything? Why is NSA interested in “energy,”
“trade,” and “oil” in the PRISM slides? Why is the NSA spying on “heads of
international aid organizations, foreign energy companies and a European Union
official involved in antitrust battles with American technology businesses.”
Why are they “monitor[ing] the communications of senior European Union
officials, foreign leaders including African heads of state and sometimes
their family members, directors of United Nations and other relief programs
[such as UNICEF], and officials overseeing oil and finance ministries.”

The answer is simple:

"When the United States uses the NSA to eavesdrop on the planning strategies
of other countries during trade and economic talks, it can gain enormous
advantage for American industry. In 2009, for example, Assistant Secretary of
State Thomas Shannon wrote a letter to Keith Alexander, offering his
“gratitude and congratulations for the outstanding signals intelligence
support” that the State Department received regarding the Fifth Summit of the
Americas, a conference devoted to negotiating economic accords. In the letter,
Shannon specifically noted that the NSA’s surveillance provided the United
States with negotiating advantages over the other parties."

It's economic espionage no matter how you spin it. When NSA believes it's
pertinent to the "national interests" of the USA, not the "national security"
they'll take it.

>You can consider Stewart Baker's opinion to be worth jack shit, but
apparently Glenn Greenwald, Ryan Gallagher and Ryan Grim thought his opinion
was good enough to quote extensively for the SEXINT article that they wrote.

Two quotes shooting himself in the foot by acknowledging and defending the
program is hardly extensively quoting him.

>they omitted slides from the PRISM presentation in order to make the argument
that the NSA had direct access to Google/Yahoo/Microsoft/etc.

That was Gellman and the Washington Post that claimed that, without
question. The Guardian article framed it as a question. Greenwald never had to
issue any retractions.

And just fyi, Gellman is still sticking to the direct access accusations. And
Greenwald now thinks that he's right, because analysts can query without staff
intervention at Google et al.

I'll quote verbatim from the book:

The companies listed on the PRISM slide denied allowing the NSA unlimited
access to their servers. Facebook and Google, for instance, claimed that they
only give the NSA information for which the agency has a warrant, and tried to
depict PRISM as little more than a trivial technical detail: a slightly
upgraded delivery system whereby the NSA receives data in a “lockbox” that the
companies are legally compelled to provide.

But their argument is belied by numerous points. For one, we know that Yahoo!
vigorously fought in court against the NSA’s efforts to force it to join
PRISM—an unlikely effort if the program were simply a trivial change to a
delivery system. (Yahoo!’s claims were rejected by the FISA court, and the
company was ordered to participate in PRISM.) Second, the Washington Post’s
Bart Gellman, after receiving heavy criticism for “overstating” the impact of
PRISM, reinvestigated the program and confirmed that he stood by the Post’s
central claim: “From their workstations anywhere in the world, government
employees cleared for PRISM access may ‘task’ the system”—that is, run a
search—“and receive results from an Internet company without further
interaction with the company’s staff.”

Third, the Internet companies’ denials were phrased in evasive and legalistic
fashion, often obfuscating more than clarifying. For instance, Facebook
claimed not to provide “direct access,” while Google denied having created a
“back door” for the NSA. But as Chris Soghoian, the ACLU’s tech expert, told
Foreign Policy, these were highly technical terms of art denoting very
specific means to get at information. The companies ultimately did not deny
that they had worked with the NSA to set up a system through which the agency
could directly access their customers’ data.

Finally, the NSA itself has repeatedly hailed PRISM for its unique collection
capabilities and noted that the program has been vital for increasing
surveillance. One NSA slide details PRISM’s special surveillance powers.
Another details the wide range of communications that PRISM enables the NSA to
access. And another NSA slide details how the PRISM program has steadily and
substantially increased the agency’s collection. On its internal messaging
boards, the Special Source Operation division frequently hails the massive
collection value PRISM has provided. One message, from November 19, 2012, is
entitled “PRISM Expands Impact: FY12 Metrics”.

Such congratulatory proclamations do not support the notion of PRISM as only a
trivial technicality, and they give the lie to Silicon Valley’s denials of
cooperation. Indeed, the New York Times, reporting on the PRISM program after
Snowden’s revelations, described a slew of secret negotiations between the NSA
and Silicon Valley about providing the agency with unfettered access to the
companies’ systems. “When government officials came to Silicon Valley to
demand easier ways for the world’s largest Internet companies to turn over
user data as part of a secret surveillance program, the companies bristled,”
reported the Times. “In the end, though, many cooperated at least a bit.”

[...]

The Internet companies’ claim that they hand over to the NSA just the
information that they are legally required to provide is also not particularly
meaningful. That’s because the NSA only needs to obtain an individual warrant
when it wants to specifically target a US person. No such special permission
is required for the agency to obtain the communications data of any non-
American on foreign soil, even when that person is communicating with
Americans. Similarly, there is no check or limit on the NSA’s bulk collection
of metadata, thanks to the government’s interpretation of the Patriot Act—an
interpretation so broad that even the law’s original authors were shocked to
learn how it was being used.

> I can see in the PDF file for Greenwald's book that he still extensively
> cites the Boundless Informant slides, despite the fact that they've been
> thoroughly discredited[3]

How is that? That has nothing to do with whether the US records are correct.

~~~
csandreasen
> I didn't accuse you of being an NSA goon.

Sorry, I misinterpreted your tone.

> Sorry for the wall of text

No worries - I'm about to post my own. :)

> How is that? That has nothing to do with whether the US records are correct.

I have no idea how Greenwald brought up the issue of Boundless Informant in
his book, I just know that I saw slides in his PDF showing the US and Poland
(maybe more - I forget). In that series of articles, they seemed to make
pretty clear that the program was showing where the collection came from, not
where the targets were. So, for example, the numbers from Norway represented
communications collected "to support Norwegian military operations in conflict
areas abroad, or connected to the fight against terrorism, also abroad". Same
with Germany, France, Spain and Italy (I'm probably missing some). When it
comes to the US numbers, I don't see that it's that big of a leap to take the
same statement that the Norwegian intelligence service made, and replace all
instances of "Norway" with "US".

> That was the Gellman and the Washington post that claimed that, without
> question. The Guardian article framed it as a question. Greenwald never had
> to issue any retractions.

From the article published in The Guardian[1]:

 _The National Security Agency has obtained direct access to the systems of
Google, Facebook, Apple and other US internet giants, according to a top
secret document obtained by the Guardian._

...

 _With this program, the NSA is able to reach directly into the servers of the
participating companies and obtain both stored communications as well as
perform real-time collection on targeted users._

With regards to the provider's denials, I don't see anything evasive about
them:

Google: _"I'm not sure what the details of this PRISM program are, but I can
tell you that the only way in which Google reveals information about users are
when we receive lawful, specific orders about individuals -- things like
search warrants. And we continue to stand firm against any attempts to do so
broadly or without genuine, individualized suspicion, and publicize the
results as much as possible in our Transparency Report. Having seen much of
the internals of how we do this, I can tell you that it is a point of pride,
both for the company and for many of us, personally, that we stand up to
governments that demand people's information."_ [2]

Microsoft: _"We provide customer data only when we receive a legally binding
order or subpoena to do so, and never on a voluntary basis. In addition we
only ever comply with orders for requests about specific accounts or
identifiers. If the government has a broader voluntary national security
program to gather customer data we don’t participate in it."_ [3]

Facebook: _"Facebook is not and has never been part of any program to give
the US or any other government direct access to our servers. We have never
received a blanket request or court order from any government agency asking
for information or metadata in bulk, like the one Verizon reportedly received.
And if we did, we would fight it aggressively. We hadn't even heard of PRISM
before yesterday. When governments ask Facebook for data, we review each
request carefully to make sure they always follow the correct processes and
all applicable laws, and then only provide the information if is required by
law. We will continue fighting aggressively to keep your information safe and
secure."_[4]

AOL: _"We do not have any knowledge of the Prism program. We do not disclose
user information to government agencies without a court order, subpoena or
formal legal process, nor do we provide any government agency with access to
our servers."_ [5]

Every one of them is very clear: the NSA needs a court order to get users'
data, and they have only complied with orders for specific users.

[1] [http://www.theguardian.com/world/2013/jun/06/us-tech-giants-...](http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data)

[2]
[https://plus.google.com/u/0/+YonatanZunger/posts/huwQsphBron](https://plus.google.com/u/0/+YonatanZunger/posts/huwQsphBron)

[3] [http://www.microsoft.com/en-us/news/press/2013/jun13/06-06st...](http://www.microsoft.com/en-us/news/press/2013/jun13/06-06statement.aspx)

[4]
[https://www.facebook.com/zuck/posts/10100828955847631](https://www.facebook.com/zuck/posts/10100828955847631)

[5] [http://blog.aol.com/2013/06/07/aol-statement-regarding-nsa-p...](http://blog.aol.com/2013/06/07/aol-statement-regarding-nsa-prism/)

EDIT: Fixed formatting

~~~
intslack
The two statements from The Guardian are referencing the documents themselves.
If you want to talk about out of context, you missed the headline and the
multiple paragraphs framing it as a question of what the providers say versus
what the NSA documents say.

"Direct access," these are the NSA's own words. The Guardian ran the providers
statements versus what the NSA documents said. That's a fact. That's why there
are no retractions in The Guardian's story, and as Soghoian says they don't
actually deny "direct access" in those statements, legally. What's likely is
that the companies allow them to run informal searches to narrow the data
down.

As for the "court order," they're just talking about a FISA court order which
only "allows the data to be queried when there is a reasonable suspicion,
based on specific facts, that the particular basis for the query is associated
with a foreign terrorist organization," which they readily ignore, and it's
more like a general warrant because NSA relies on self-reporting. As Snowden
indicated, and LOVEINT showed, analysts can just use bullshit justifications
and cover it up. And if they targeted a U.S. citizen, according to their own
documents, it's "not a big deal."

~~~
csandreasen
Yes - they denied it... because it was false. "Direct access" is not the NSA's
own words, they were The Guardian's/The Washington Post's words. The slides
themselves say "Collection directly from the servers of these U.S. service
providers...", which we later found out means "provided under court order
directly from the providers". The Guardian article goes on to say:

 _"When the FAA was first enacted, defenders of the statute argued that a
significant check on abuse would be the NSA's inability to obtain electronic
communications without the consent of the telecom and internet companies that
control the data. But the Prism program renders that consent unnecessary, as
it allows the agency to directly and unilaterally seize the communications off
the companies' servers."_

That is a blatant lie. The companies receive court orders - they have the
ability to challenge the court order in the same way that they would challenge
a subpoena or search warrant by going back to the court. If the FISA court
doesn't agree, there's still a higher court to appeal to. There has yet to be
a retraction of The Guardian's statement.

> As for the "court order," they're just talking about a FISA court order
> which only "allows the data to be queried when there is a reasonable
> suspicion, based on specific facts, that the particular basis for the query
> is associated with a foreign terrorist organization,"

You're mixing up programs now. That quote comes from an ODNI statement[1]
about the FISA Section 215 metadata collection (I'm not going into that one
now - that's a whole different mess, and IMHO that program is rightly
controversial). The PRISM slides repeatedly indicate that this collection is
under FISA Section 702, which gathers content and which has a whole different
set of legal requirements. Most prominently, people collected on under 702
must be reasonably believed to be outside the US and not an American
citizen/green card holder/etc. The Snowden trove has yet to show any general
warrant style orders related to PRISM.

I think the LOVEINT example actually works in favor of my argument - there was
a small group of people doing illegal stuff at NSA; they got caught; as a result,
they don't work there anymore. You could go on to ask why the DOJ didn't
prosecute, and I wouldn't fault you for questioning - I don't know the answer
to that one. But citing LOVEINT to justify limiting the NSA's capabilities is
kind of like saying "this cop fired his weapon and killed an innocent
civilian, so we need to disarm the entire police force."

[1] [http://www.dni.gov/index.php/newsroom/press-releases/191-pre...](http://www.dni.gov/index.php/newsroom/press-releases/191-press-releases-2013/868-dni-statement-on-recent-unauthorized-disclosures-of-classified-information)

~~~
intslack
You're right, partly. Either way, NSA ha(d|s) direct access to Yahoo and
Google's internal networks with MUSCULAR and various other WINDSTOP programs
that have collected many more records than MUSCULAR, without requiring
warrants _whatsoever_. Arguing over why The Guardian didn't retract is just
splitting hairs at this point, because they did include the slide that claimed
"direct collection from the servers." Then there's also UPSTREAM. PRISM is
hardly the smoking gun in this long chain of events. And again you're right,
I did mix up the 215 blurb.

Nice chat.

~~~
csandreasen
> Nice chat.

At least we can agree on that. Thanks for the chat.

------
uptown
So is it safe to assume every Intel or AMD CPU also likely has hidden
capabilities waiting to be exploited by the NSA?

~~~
tptacek
What are the hidden router capabilities being exploited here? What piece of
COTS hardware couldn't be exploited by an attacker with unlimited physical
access to it prior to delivery?

~~~
wes-exp
Indeed. Somehow a story about NSA tampering with devices _after manufacture_
is being twisted into "all commercial products are deliberately backdoored".
If you actually use logic, these are separate issues.

Actually, if anything, the story is proof that the routers are not backdoored
from the start, otherwise why would they have to intercept shipments?

~~~
borando
_Actually, if anything, the story is proof that the routers are not backdoored
from the start_

Let me preface my response by saying I think there are probably more non-
malicious (accidental) vulnerabilities than intentional backdoors.

Schneier has seen many of the original documents, and his constant refrain is
that NSA programs are robust -- that they have multiple totally unrelated ways
to accomplish any one goal. Quoting one of his articles:

"First and foremost, the surveillance state is robust. It is robust
politically, legally, and technically. I can name three different NSA programs
to collect Gmail user data. These programs are based on three different
technical eavesdropping capabilities. They rely on three different legal
authorities. They involve collaborations with three different companies. And
this is just Gmail. The same is true for cell phone call records, Internet
chats, cell-phone location data."

[https://www.schneier.com/essay-469.html](https://www.schneier.com/essay-469.html)

The takeaway is that, knowing the NSA has capability _A_ doesn't prove they
lack capabilities B, C, D...Z.

------
eyeareque
How can we protect ourselves from this type of interception? It seems
impossible. Why would any non-American customers buy US made devices? Any
protections that are added can/will be bypassed if the US gov gets physical
access (or even remote).

~~~
ds9
Just about the time of the previous revelation of computers from outside the
US being intercepted by TLAs, my new Lenovo was delayed for a long time in
some customs facility (according to UPS tracking).

Software is not a concern as I blew away the preinstalled and put a relatively
trusted OS on. But hardware - I haven't had time to look into it but I'm still
wanting some sort of guide on what to look for after unscrewing the case.

~~~
eyeareque
The scary part is that blowing away the OS install won't save you completely.
There are BIOS, firmware attacks, to name a couple. Take a look at the
following link with information about persistent root access via hard drive
firmware hacking. Even if you reinstall the OS, your box will continue to be
owned:

[http://spritesmods.com/?art=hddhack&page=1](http://spritesmods.com/?art=hddhack&page=1)

------
eyeareque
I wish they posted more details surrounding the implants, what they can do,
and how they work. Knowing this would help us detect when devices were
compromised.

------
dang
A dupe of
[https://news.ycombinator.com/item?id=7734418](https://news.ycombinator.com/item?id=7734418).

------
Faust1985
Hrm, guess I won't buy American any more.

~~~
IgorPartola
"Do you mean a car designed in the US and built in China, or a Japanese car
built in Ohio?" I'm pretty sure that given how few choices of mainstream
hardware there are you are screwed no matter what you buy.

~~~
Faust1985
Oh certainly, I'm not saying there's a need to be a fanatical purist and
go through every component that goes into my equipment.

I'll just stop purchasing the bulk from US suppliers and subsidiaries; it's not
like there aren't alternative suppliers with good prices.

------
higherpurpose
Can HN please stop censoring/penalizing NSA stories? Getting flagged is one
thing, but I believe they are also penalized by the site.

