
Spy agencies target mobile phones, app stores to implant spyware - etimberg
http://www.cbc.ca/news/canada/spy-agencies-target-mobile-phones-app-stores-to-implant-spyware-1.3076546
======
cdnsteve
"The case raises questions about whether government agencies, even covert
ones, should carry some responsibility for informing citizens of weaknesses
they've unearthed in devices, operating systems and online infrastructure"

It should be legislation that any government agency discovers a security issue
that it must be disclosed, promptly to software vendors, then after patched,
it must also disclose to the public. Accountability is the keyword here. A
major security agency must be accountable to security issues it finds, crazy
right? After all, these agencies are supposed to be protecting their own
citizens, or one would hope so...

~~~
Zigurd
Duh. They do. Not doing that is the same as not revealing, say, a microbe that
would be useful for wiping out some disfavored population, or, worse still,
genetically engineering such a microbe. The people who make and sell exploits
to governments are no better than freelance biologists weaponizing microbes.

It is hypocritical of them to rattle on about "cyber terror" and conduct their
own cyber war with the same weapons.

------
3princip
Sometimes I feel we miss the wood for the trees. Spy agencies implant SPYware,
not that surprising.

Surely the real story, the original Snowden story, was about PRISM the way
large corporations do the bidding for spy agencies letting them tap
information at the source. This was quickly drowned in a sea of other stories,
and is hardly ever mentioned any more.

~~~
jacquesm
The story is that agencies that are tasked with foreign spying are spying
dragnet-fashion on their own citizens and citizens of allies.

~~~
tedunangst
? Quoting the article:

> Respecting agreements not to spy on each others' citizens, the spying
> partners focused their attention on servers in non-Five Eyes countries,

~~~
rjaco31
That's bullshit imho, Snowden's documents showed that GCHQ spied on American
citizens & NSA spied on British citizens so that they could bypass the whole
"don't spy on nationals" rule.

~~~
tedunangst
I clipped the next three words since they didn't seem relevant but maybe they
are. "the document suggests." So some Snowden documents are bullshit and some
aren't?

~~~
btilly
Every Snowden document is authentically what someone in a large and complex
organization said. That someone may or may not have had accurate information.

If you've ever talked to 2 co-workers who have a different understanding of a
particular decision, then you know the phenomenon.

That said, it would be perfectly plausible that spy agencies could have
maintained a policy of, "We will passively collect and analyze all
transmissions, including our own citizens" along with one of, "We will
actively infect devices, but make an attempt not to be attacking our own
citizens in the process."

So it is possible that both documents were completely correct.

~~~
tedunangst
All true. Mostly I'm just entertained by how HN resolves apparent conflicts
between documents, and which bullet points trump which other bullet points.

------
Canada
> it appears they didn't alert the companies or the public to these
> weaknesses. That potentially put millions of users in danger of their data
> being accessed by other governments' agencies, hackers or criminals.

I don't care if the bug finder is a white hat researcher or a spy working for
NSA: It's the writer of the bug who puts the user in danger, not the finder of
it.

~~~
shkkmo
It's not an either/or. The behavior of the bug finder directly impacts the
amount of danger end users are put in.

Selling 0 day exploits also puts the user in more danger.

Posting exploits publicly without attempting to notify the maintainer also
puts the user in more danger.

Keeping exploits secret also puts the user in more danger (though less than
selling them).

------
EGreg
Are journalists dripfeeding us Snowden revelations? Why are these revelations
news now, long after the initial disclosure? The same question could apply to
any new disclosure.

~~~
forgottenpass
Yes, [http://cryptome.org/2013/11/snowden-tally.htm](http://cryptome.org/2013/11/snowden-tally.htm)

Because this leak wasn't a "publish everything at once" leak. Snowden wanted
the journalists to decide what to release, and that requires work, which takes
time.

~~~
chroem-
Two entire years, though?

It's like they're trying to release them just slowly enough so that public
outrage never quite reaches critical mass. They can still trickle all they
want, but I would appreciate it if they released these stories a bit more
regularly and closer together.

~~~
spada
or helping ensure that each story gets some play in the media vs. one period
of outrage and then back to business as usual.

~~~
EGreg
Or different journalists looking to make a name for themselves after the other
stories died down

~~~
krapp
It's almost as if journalism was a business, and Snowden stories were a
valuable commodity.

------
hackuser
I'm not sure I know anyone using the UC Browser; are most users in China?

According to Wikipedia, it routes all data through a proxy which modifies the
data in order to improve performance on mobile platforms (e.g., by using
compression). I think that proxy is a much more likely target for attacks than
500 million individual phones.

------
SeanDav
By now, absolutely everyone knows that using a mobile phone is not secure if
you really are trying to keep something safe.

------
CPLX
Is anyone else struck by the "banality of evil" aspect to all these internal
powerpoint style presentations? These documents are interchangeable with some
plumbing and heating supply chain company marketing presentation, except they
are spying on the planet.

~~~
drzaiusapelord
Banality of Evil? Come on. Equating SIGINT programs to protect America's
interest with the Nazi party is really shrill. I'm no NSA defender, but I
believe nations have the right to SIGINT programs to protect their interests.
The real question is what implementations and limitations are acceptable.

> These documents are interchangeable with some plumbing and heating supply
> chain company

Efficiency is universal. Powerpoint-like presentations work in the corporate
structure. Memos, emails, etc are used for a reason. Look at Al Qaeda's job
application form, it's bizarrely corporate. Or how Osama Bin Laden's bookshelf
is straight out of a HN reading list. Or how drug dealers hire Ivy League
finance guys to run operations that, if you didn't know the product, would
assume it was some boring commodity widget being sold.

There's no James Bond-ish school of super technology or unique processes.
Whatever management fads are popular in the business world work their way into
government, and that includes intelligence, military, space programs, etc. I'm
always a little surprised at how cheap looking every NASA press conference is
and how many technical issues they always seem to have (mic issues, streaming
issues, etc). If there's really a banality of evil, I'd say that's just a
subset of the banality of all bureaucracies.

If anything, unique organizations that are successful tend to be extremely
rare. Startup culture and other 'progressive organizations' just end up being
'office lite' until they go mainstream/IPO/whatever then they fully embrace
becoming a regular office. The only non-trivial organization I can think of that
is successful and has a unique structure is probably Valve, with its
fascinating flat management style.

edit: downvotes for suggesting that maybe the NSA shouldn't be compared to the
party that gassed 6 million people solely for their ethnicity? Grow up, HN.

~~~
6d0debc071
> Banality of Evil? Come on. Equating SIGINT programs to protect America's
> interest with the Nazi party is really shrill.

Comparisons based on common themes are not the same as holding that the things
being compared are equal. The source material for the quote is a general
comment upon evil, drawn from a reflection upon Eichmann. It is not a specific
comment upon the Nazis, but that normal people doing things that seem
perfectly normal (indeed right) to them can perpetuate terrible crimes. The
observation goes something like this:

"The trouble with Eichmann was precisely that so many were like him, and that
many were neither perverted nor sadistic, that they were, and still are,
terribly and terrifyingly normal. From the viewpoint of our legal institutions
and our moral standards of judgement, this normality was much more terrifying
than all the atrocities put together, for it implied… This new type of
criminal… Commits his crimes under circumstances that make it well-nigh
impossible for him to know or feel that he is doing wrong" (s.276)

"It was as though in those last minutes [of Eichmann's life] he was summing up
the lesson that this long course in human wickedness taught us – the lesson of
the fearsome, word-and-thought-defying banality of evil." (s.252)

- _Eichmann in Jerusalem: A report on the Banality of Evil._ Hannah Arendt.

~~~
CPLX
Yes, in fact that is precisely what I meant.

