
NSA/GCHQ: The HACIENDA Program for Internet Colonization - mstolpm
http://www.heise.de/ct/artikel/NSA-GCHQ-The-HACIENDA-Program-for-Internet-Colonization-2292681.html
======
munin
An anonymous hacker announces that they owned thousands of home routers to
scan the entire Internet, security expert Rob Graham runs his masscan tool to
scan the entire Internet, but when it's disclosed that .govs run nmap it's
time to patch your TCP stacks?

Whether or not you think that governments should spy, the amount of hype here
seems staggering.

~~~
Yver
> when it's disclosed that .govs run nmap it's time to patch your TCP stacks?

They don't just nmap the internet, they systematically compromise vulnerable
targets as per the article and the slides. And unlike common criminals,
there's no hope of them being stopped by any law enforcement agency.

If they're really going after every non 5-Eyes machine they can compromise,
people living outside of the 5-Eyes need to protect themselves.

~~~
a3n
And unlike common criminals, if they decide that you deserve to be
extraordinarily rendered, there's no hope of stopping them.

_This_ is why you should resist government spying, because once you come to
their attention, they could mistakenly or rightly decide that you need to be
fucked with in some way, which could range from a brief arrest to murder.
Merely coming to a government's attention puts you at risk, so we should
minimize the chance that anyone can come to the government's attention.

------
ibisum
I still find it hard to believe that there are people who justify these
heinous tools as 'necessary' or 'vital' to the survival of the Western
"democracies" who deploy them. It's a terrible state of affairs that we justify
such intrusions - and yet fail to see, when 'the other side' lashes out in
anger, the reasons why it is so. We are stuck in a feedback loop here, and it
seems the only thing to do is turn off the microphone. But oh, the stage
lights - how they draw us in!

Quickly people. Build a better Internet.

~~~
tptacek
"Heinous tools"? They're literally running nmap.

~~~
jafaku
"They are using a tool I know, therefore it's ok"

~~~
tptacek
The only way a reasonable person could write this comment is if they didn't
know what nmap did.

~~~
coldtea
The only way a reasonable person would correct his comment is if he thought
mislabelling nmap as heinous is of any importance with regards to the heinous
nature of the whole operation.

~~~
tptacek
Yes, that's about right.

------
unfamiliar
None of this looks particularly new or shocking to me. Seems like automation
of standard techniques, which I would be more surprised to find out they
weren't using. And hacking foreign networks... isn't that exactly their job as
signals intelligence?

~~~
opendais
The problem is they do things like take out the internet in all of Syria.

[http://www.theverge.com/2014/8/13/5998237/nsa-responsible-fo...](http://www.theverge.com/2014/8/13/5998237/nsa-responsible-for-2012-syrian-internet-outage-snowden-says)

They are targeting civilian networks, not military ones. That is a huge
problem. It's one thing if they were trying to break into foreign, legitimate
targets of interest [military, defense industry, foreign intelligence, foreign
governments].

That isn't what they are doing. They are just trying to get access to
everything they can get their hands on. Civilian and military alike.

~~~
tptacek
The problem with your comment is that it has nothing to do with this story. It
involves a different intelligence agency, doesn't involve routers, doesn't
involve attacks of any sort, and could not have brought down the Internet in
Asmara, Eritrea, let alone Syria.

~~~
opendais
What do you think "take control of as many machines as possible" means? Asking
them nicely to hand over their SSH keys?

"The covert infrastructure includes so-called Operational Relay Boxes (ORBs),
which are used to hide the location of the attacker when the Five Eyes launch
exploits against targets or steal data (Figure 18). Several times a year, the
spy club tries to take control of as many machines as possible, as long as
they are abroad. For example, in February 2010 twenty-four spies located over
3000 potential ORBs in a single work day (Figure 19). However, going over the
port scan results provided by HACIENDA was considered too laborious (Figure
20), so they programmed their OLYMPIA system to automate the process (Figure
21). As a result, the spies brag that they can now locate vulnerable devices
in a subnet in less than five minutes (Figure 22)."

~~~
tptacek
If you literally believe that GCHQ has owned up every machine it is
technically and feasibly capable of owning up, there's not a lot of reasonable
conversation that can happen between the two of us.

~~~
opendais
Pretty much. You blatantly ignore the repeated statements that the
vulnerability scan is a prelude to actively attacking machines for some
reason. I'm not sure why.

I'm not saying they are attacking any machine they can. They are, however,
attacking _some_ machines.

You don't develop the capability to build target lists, to attack targets, and
state you do attack targets...unless y'know, you actually do.

You might use it on a limited scale at specific targets but you do use it. The
problem is, I don't have faith they actually engage in selective targeting.

------
tptacek
There is absolutely no way the USG's best program for mass-scale network
reconnaissance relies on nmap. All possible respect to Fyodor, but nmap just
isn't very good at that task, and if ever there was a bikeshedding problem in
software security, port scanning and active host identification is it.

~~~
jeffmcjunkin
Though I respect both your opinion and Fyodor greatly, I have to disagree
here.

Mass-scale isn't really the issue. They have plenty of hosts to work with, so
masscan wouldn't help. They're doing more than just open port detection, so
nmap's _many_ other features are helpful, as is the fact that nmap's scanning
signatures aren't as suspicious as a custom scanning service that just so
happened to be deployed worldwide.

------
blouberzam
So they break into my router, then fuck with somebody else's network, and then
I'm getting blamed for it?

1. using my bandwidth, electricity etc. is theft.
2. framing me for their crimes is criminal conspiracy.
3. fucking with somebody else's network is terrorism.

Either all these people (not just the scapegoats) go to jail, or they just
declared the internet as a lawless zone. Effectively legalizing piracy, spam,
blackhat-hacking etc.

Because proving guilt is now impossible, every plaintiff can just point to
dark government circles having control over their computer. In case proving
guilt is no longer the guiding principle for justice they just lost the basis
for governmental monopoly of violence, the right to collect taxes etc.

Also it's only going to be a matter of time, until some other criminal(s) gets
access to their ORBs & start ddosing or blackmailing everybody with impunity.

Governments should stay out of the internet, because now we have cyberwar.
They just create MORE chaos & disorder. Give the internet back to the geeks &
maybe we'll get some semblance of decency back.

------
atmosx
The entire internet apparently has a common enemy. The more we learn the more
I realize how broken today's internet is.

It's insane that such operations are going forward without the victim-states
raising extremely serious concerns.

I wonder how the future's internet will become if this insanity doesn't stop.

~~~
happyscrappy
Well luckily everyone will soon start boycotting the US and the UK, and Canada
and Australia etc. Any day now.

~~~
Zigurd
Yeah the Cisco layoffs have nothing to do with loss of trust.

------
Zigurd
And Anne Neuberger blathers about reaching some new "social contract:"
[http://blog.longnow.org/02014/08/11/the-nsa-reaches-out/](http://blog.longnow.org/02014/08/11/the-nsa-reaches-out/)

It would be like a social contract with a venomous snake.

~~~
Zigurd
If you honestly want to defend Anne Neuberger's "Intelligent America"
scenario, go right ahead.

It is in fact a grossly dishonest chunk of wishful thinking wrapped in Soccer
Mom-friendly platitudes.

------
jdong
BREAKING: Government has discovered nmap.

