
Did this Tor developer become a victim of NSA's laptop interception program? - joering2
http://privacysos.org/node/1311
======
rwg
HEY, KIDS! Do YOU know what time it is?!

 _[wild audience applause]_

THAT'S RIGHT, it's time for _WHICH IS MORE LIKELY?_!

 _[intro music]_

Today on _Which is More Likely?_, we're looking at a replacement Lenovo
Thinkpad keyboard that was shipped to Alexandria, Virginia, instead of
Seattle, Washington. What a blunder! _[slide whistle sound effect]_

Now put your thinking caps on and ponder, _WHICH IS MORE LIKELY?_!

• The largest intelligence agency on the planet, recently outed by Snowden's
leaked documents for operating a multi-decade worldwide dragnet that secretly
gathered communications on hundreds of millions of people, was too incompetent
to have the US Postal Service display tracking information that hides the fact
they're modifying a laptop keyboard in order to _somehow_ spy on a Tor
developer.

ORRRRRRRRRR!

• The third-party seller who uses Amazon to accept orders screwed up and gave
Amazon the wrong tracking number.

That's all we have time for on today's episode of _Which is More Likely?_
Don't change the channel! Up next is a BRAND NEW episode of _Godwin's Law and
Order_! Good night from Hollywood!

 _[outro music]_

~~~
icambron
Oh, I like this game. Let's play again: _WHICH IS MORE LIKELY?!_

* The world's largest online retailer that does $54M in sales per day has a bug in its procurement system that randomly transposes tracking codes.

ORRRRRRRR!

* The intelligence agency whose massive scope and pervasive operational shortcomings were recently exposed by one low-level operative had a slip-up in applying a well-publicized tactic to an obviously high value target.

On the other hand, what's great about your way of putting it is that it
juxtaposes your belief in the all encompassing nature of the NSA's programs
with your incredulity that such a program might have been applied specifically
here. I also like the part where the NSA is guarded by the Catch-22 "it wasn't
them, because if it was, you'd never know", such that there's no scenario
in which you could be convinced that the NSA did _anything_.

And yet again, maybe it's time to stop thinking of the NSA as some far-off
abstraction and start thinking about it as an actual thing that affects our
daily lives.

~~~
rwg
_The intelligence agency whose massive scope and pervasive operational
shortcomings were recently exposed by one low-level operative had a slip-up in
applying a well-publicized tactic to an obviously high value target._

A few comments:

• This "low-level operative" was a system administrator who used social
engineering to obtain other people's authentication credentials and gain
access to material to which he wasn't authorized. He wasn't the janitor or
some clueless field agent.

• Did Snowden expose operational shortcomings? Absolutely. A lot of the
programs that have been publicly revealed through his leaks have been running
for over a decade without ever seeing the light of day, though. That tells me
these "pervasive operational shortcomings" aren't very pervasive. (If they
were, the NSA would be absolute shit at their mission.)

• I don't think Andrea is a "high value target," or at least high value enough
to risk compromising whatever method they might use to bug her keyboard. I
don't say this to belittle her or her work in any way — she seems to be a
skilled programmer/hacker/infosec person. And that's exactly why this whole
"the NSA is bugging her keyboard" theory doesn't make any sense.

Let's assume for the sake of argument that the NSA had planned to bug her
keyboard, and that keyboard is now sitting in an NSA (or contractor) facility
in/near Alexandria, Virginia, waiting for some modification to be made before
shipping it back out. But, oops, they screwed up and forgot to fake the USPS
tracking information. They know she knows because she tweeted about it. She's
also tweeted that she can never trust the keyboard if/when it shows up. Why
would they ship her a bugged keyboard at this point? If/when the keyboard
shows up, she's probably going to take it apart and share anything interesting
she finds with the world. There will be hard evidence.

Even if they hadn't bungled the tracking information in our hypothetical
argument, they're risking exposure of the exact methods they use to bug a
machine for not much potential gain. (Remember, Andrea's a skilled
hacker/programmer. There's a very good chance she'll figure out what's going
on and tell the world if she has any inkling that her laptop's been tampered
with.)

• The keyboard she ordered fits a ThinkPad T60/T61/T400/T500 (and the
equivalent "R" models, plus a few others). Internally, the keyboard and
TrackPoint speak PS/2. While they could log keystrokes to an on-board chip
and transmit keystrokes via radio, there aren't any especially interesting
things the NSA can do to her laptop via a modified keyboard. They certainly
won't be rooting it that way.

• I said that I don't think Andrea is a "high value target," despite her work
on Tor, because everything about Tor is open. Anyone can download the code and
see exactly how it works. The protocol is well-known. There's no curtain to
peek behind and gain strategic information about Tor's workings.

So while I don't reject the argument that the NSA is trying to bug her laptop
as impossible, I think it's exceedingly improbable. My money's still on
"seller screwed up the tracking number."

 _I also like the part where the NSA is guarded by the Catch-22 "it wasn't
them, because if it was, you'd never know", such that there's no scenario
in which you could be convinced that the NSA did anything._

The flip side of this argument, which everyone here seems to be clutching onto
and running with, is that if the NSA is capable of it, they're doing it at
every available opportunity, even when it doesn't make any sense to.

~~~
icambron
That generated more response than I expected. I actually _do_ agree that, on
balance, it's somewhat more likely that it's just a benign glitch; I should
have said that. What I was really taking issue with is the dismissiveness with
which you treated the suggestion that this might be an NSA attack. I was responding
to what I saw as a slanted and unreasonable framing by doing the same thing
from the other end.

So with less snark: I don't think it's exceedingly improbable at all, and
whether ultimately it turns out to be the case or not, smugly guffawing the
idea that the NSA may have used a trick like that isn't warranted. They really
do intercept people's laptop shipments [1] to plant malware in them. They
really do sneak tiny radio transmitters into end-user hardware. They really
are trying to get backdoors into communication tools. I'll put it this way: if
I worked on the kind of software Andrea works on, I would be seriously
alarmed. Would you keep the keyboard?

On some specific points you made:

* That Snowden had access to other people's credentials seems like a serious operational shortcoming to me. The "low-level" part wasn't an attack on Snowden; the point is that a lot of people have that level of access. In general, the US intelligence apparatus makes a lot of well-publicized mistakes; I'm sure they make a great number of more subtle ones.

* On the NSA's shortcomings generally, I think this is actually nicely illustrative. Because a lot of the stuff Snowden revealed were things a lot of credible people already believed, based on things like weird locked server closets in telecom buildings and PRNGs that seemed fishy and pointless and hearsay reports of requests for backdoor access to communication tools and so on. There was just little hard evidence before Snowden. And there won't be here either. So this is entirely consistent with what the NSA was like in those decades where their programs "never saw the light of day".

* I think being a core Tor developer makes her a high value target. It's hard to imagine the NSA wanting to subvert all the things it's subverted and not wanting to backdoor Tor. Keylogging her keyboard is a great way to do that, either by compromising her somehow, or by just stealing her credentials. So I don't follow the "it doesn't make any sense" line of thinking.

* That she's now tweeted about it certainly makes it unlikely that, if the NSA has it, they'll go through with sending it bugged. But so?

Where I come out on this is that yes, it's probably nothing, but it should be
treated with suspicion and carefulness, not laughed off because _haha, what,
do you think you're in a spy movie or something?_ Because, basically, we are.

[1] Yes, I know this is just the keyboard. I don't think that's a relevant
difference.

~~~
rwg
_What I was really taking issue with is the dismissiveness with which you treated
the suggestion that this might be an NSA attack. I was responding to what I
saw as a slanted and unreasonable framing by doing the same thing from the
other end._

I was dismissing the linked blog post as much as the suggestion of NSA
involvement. The blog post took a single tweet with a single screenshot,
screwed up half the facts ("tracking details for a computer Shepard ordered" —
uh, no, it was a used laptop keyboard), sensationalized the other half ("it
moved another four times around the military and industrial belt" — uh, no, it
moved from IAD to Alexandria), and tacked a pile of rhetorical questions and
conjecture on the end.

I somehow expected better from an ACLU chapter.

------
mikeash
The obvious explanation here is that the USPS fucked up. As the tweet says,
you'd think the NSA program would be more subtle. Further, there isn't much in
the way of intelligence presence in Alexandria. So what's more likely: that
the NSA does this program in a secret location that's still right next to all
the non-secret stuff, and they can't cover up the tracking data, or that the
USPS accidentally sent a package to the wrong place?

Edit: I want to emphasize how incredibly stupid the article is when analyzing
the tracking data. Key quote:

"From Dulles, it moved another four times around the military and intelligence
belt in suburban Washington DC, finally landing in Alexandria at 11:03 am on
January 23."

First of all, there is nothing significant to Dulles. It's the largest airport
in the area, and this makes it the arrival point for any packages coming in by
air. 90% of my packages have a "Dulles, VA" tracking entry on them by the time
they get to me.

Second, it didn't move "four times". It went from Dulles to a carrier facility
in Alexandria, then it went out for delivery and got delivered. That's two
moves. And how many times do you _expect_ it to move? That's how air-based
package delivery works. It goes to an airport. Then it goes to a local sorting
facility. Then it goes out for delivery.

Third, the phrase "military and intelligence belt" is ridiculous. Especially
so when the only two locations involved are Dulles and Alexandria, neither of
which has much in the way of either military nor intelligence.

The article tries _way_ too hard to make its case, and uses a great deal of
purple prose to state what comes down to, "the package got delivered to
Alexandria, VA which is close to a lot of government agencies". That would
actually be more convincing than the insanity they wrote, although still not
very convincing. But at least it would be honest.

~~~
skue
At this point aren't we all just guessing? Reading this thread I'm surprised
how strongly many folks I respect (like you - viva FQ&A!) are insisting this
could not be an NSA screw up. The truth is we don't know, so why rush to
conclusions (even benign conclusions) instead of waiting to learn more?

And imagine if you were Andrea and you develop software that dissidents around
the world depend on with their life, while also knowing the NSA has
simultaneously tried to weaken it. If the laptop does get rerouted to her with
an apology from USPS and you were her, are you saying you wouldn't hesitate
even a little before accepting it and transferring your data onto it?

Ultimately, I think that's the real story here. The biggest problem with
having a government that watches its citizens isn't the watching per se, it's
the loss of trust.

~~~
mikeash
Yes, we are all just guessing.

And I think you misunderstand. I am not arguing that it "could not be" the
NSA. And I haven't seen anyone say that. I am simply arguing that it is
extremely unlikely.

It's a guess, yes, but it's an informed guess. It's a matter of looking at
probabilities and seeing what's more likely. Shippers screw up all the time.
Packages make crazy detours because somebody tossed a box in the wrong truck.
A label falls off and a mixup occurs. Somebody typos a tracking number.

On the other hand, for this to be the NSA, several unlikely things would have
to be true:

1. The NSA would need to be intercepting computer equipment destined for
certain people and modifying it to spy on them.

2. The NSA would need to be targeting the person in question for this
program.

3. The NSA would need to have set up this program in such a boneheaded way
that it shows up on a package tracker. (If I were in charge of this program,
I'd just set it up in FedEx's sorting facility in Memphis and then ensure all
the relevant equipment uses FedEx. Simple, fast, and no chance of the target
finding out.)

4. The NSA would need to have set up this program in Alexandria, even though
it has little to recommend it for such a thing.

Now, we know that #1 is actually true. So that's one requirement fulfilled,
out of several. But what about the rest?

I'm somewhat skeptical on #2. It's possible, but it seems unlikely. Why would
the NSA target Tor developers? The security of Tor falls apart in the presence
of an adversary that is able to monitor the entire internet, because you can
just correlate traffic that enters with traffic that exits. The NSA can
presumably monitor enough of the internet to defeat Tor right now. So why
bother spying on Tor developers? It's _possible_ as a belt-and-suspenders
maneuver, but this person just doesn't strike me as a likely target.

I'm _really_ skeptical on #3. It's about as believable as having the FBI spy
on me by parking a van outside my house that says "Flowers By Irene". It's
possible, but really unlikely.

And #4 doesn't make a whole lot of sense to me. Again, possible, but unlikely.

So we have one thing that's true, and then several other things that are
individually unlikely, and combine to be really unlikely. It looks to me that
people are committing the basic fallacy of thinking that the truth of #1,
since it's unlikely, somehow makes the rest more likely too.

It comes down to this: is it a screwup by USPS or Amazon or a third-party
reseller, or is it the NSA screwing up royally while trying to plant a bug? In
the absence of evidence, we are stuck guessing, but we can guess
_intelligently_ by realizing that one is vastly more likely than the others.

"When you hear hoofbeats, think of horses not zebras."

That doesn't mean zebras are impossible. But it means you should prefer the
more obvious explanation unless there's evidence to the contrary.

~~~
skue
Fair enough, and thanks for the thoughtful reply. I didn't mean to
misrepresent your position -- I took "The obvious explanation here is that the
USPS fucked up" to mean you believed it couldn't be otherwise, rather than when
weighing the evidence the more obvious [simpler] explanation is that USPS
screwed up.

Like you, I'm also a big proponent of Occam's razor. (Having been a med
student, you don't know how many times I heard that "think horses not zebras"
analogy from attendings.) I guess it just comes down to the degree of faith
each of us has in the NSA and their corporate partners. Some of us are more
willing to doubt their actions and/or believe it's possible they could screw
up this way. But at this point we can only wait and see if we learn anything
more in the coming days -- though probably not. One would hope the NSA is
competent enough to cover this up, even if it was their screw up.

 _Added:_ BTW, there is another explanation that no one has mentioned. Leaving
the Alexandria issue aside, the NSA interception program obviously relies on
participation from one or more corporate partners. And just as we've seen at
the telcos, it's reasonable to assume that there are staff at those partners
who aren't particularly enthusiastic about the program. So it's possible
someone decided to "accidentally" bypass/skip an important step that would
have obscured this. It's not a huge leap to imagine a motivated techie
realizing that this particular delivery would be an ideal opportunity to
direct a lot of attention to the interception program -- if they felt
compelled to take the risk. I'm definitely not saying this is the (or even _a_)
likely possibility, but it's probably the only way we'll ever know if it was
in fact the NSA.

------
tzs
When I read the headline, and the comments here before reading the article, I
was expecting to see tracking data that went from the seller to the buyer with
a mysterious stop near the NSA.

Then I read the article. The tracking data shows a _delivery_ to a destination
near the NSA.

Does anyone here seriously think that the mechanism the NSA uses if they want
to tamper with a laptop on the way is to simply change the _destination_ address
to be the NSA? And that no one has noticed this before?

If they are intercepting and modifying domestic shipments, the mechanism would
be something that is executed AT the shipping carrier facilities or possibly
during the final delivery, and would be completely transparent to outside
observers, including both the sender and the receiver of the package.

Watch the "Modern Marvels" episode on package delivery for a look at how the
automated package movement systems work at the major hubs, and you'll see how
a package could be diverted for special treatment and then re-inserted into
the system transparently, with most workers at the facility having no idea
something special is going on.

The best chance at detecting this from outside would probably be to look at
next day delivery orders on items that would be the most time consuming to
modify, to see if those are more likely to miss their delivery deadline. The
idea is that with such a tight schedule, the chances are higher that an
interception will blow the delivery schedule. For items ordered with two day
or longer shipment, the delay in modifying the item could be made up by
upgrading it to one day delivery in the system when it is re-inserted. That's
why observing one day delivery items is the best bet.

~~~
kevinchen
Genuinely curious about the Modern Marvels episode. Do you remember the exact
name or season? I couldn't find it on iTunes.

~~~
tzs
I believe it was season 5, episode 1, "Deliver It". They focus on UPS but
things would be similar for other carriers. The UPS part starts about 9
minutes in. If you have Amazon Prime, they have it for free streaming.

BTW, UPS would be particularly good for intercepts, because UPS operates an
electronics repair facility that does factory authorized repairs. When you
think you are sending your broken laptop by UPS to, say, Toshiba, it can get
automatically diverted to the UPS repair facility a couple miles from the hub,
where Toshiba-trained technicians do the repair.

This means that a laptop shipment being diverted for the NSA would not even
have to be done with some secret diverter on the line somewhere. They could
just make it look like an ordinary repair job. The repair facility is large.
Who would know if one or two of the repair technicians are really NSA agents?

------
viraptor
As much as I'd like to believe that they did mess up the interception
reporting (if they really do interception like that), I've seen enough crazy
tracking reports that I wouldn't be surprised if it was just a stupid mistake.

Just googling for "funny delivery tracking route" for example will give you
things like:

- 4 times over the ocean -
[http://i696.photobucket.com/albums/vv325/oneupmanship34/Fg0eg.png?t=1265425500](http://i696.photobucket.com/albums/vv325/oneupmanship34/Fg0eg.png?t=1265425500)

- let's send it to Canada, 3 times -
[http://i30.photobucket.com/albums/c325/duffer987/UPSFTD_zps68aae690.jpg](http://i30.photobucket.com/albums/c325/duffer987/UPSFTD_zps68aae690.jpg)

- Germany, HK, Germany, HK, ... -
[http://laforge.gnumonks.org/fun/dhl-hk-leipzig-hk-leipzig-hk.jpg](http://laforge.gnumonks.org/fun/dhl-hk-leipzig-hk-leipzig-hk.jpg)

Getting a strange route within one country is probably an improvement compared
to those...

------
theboss
ITT, people who have never been to DC. Dulles is one of the main airports
everything flies into for DC. As far as I know, it is the biggest.

Dulles has a lot of government contractors and big companies in the area, but
that's about it.

What would be suspicious is if it went from Dulles to Langley, from Langley to
Ft. Meade, from Ft. Meade to Quantico, and from Quantico to Alexandria....but
Dulles to Alexandria is really standard.

edit: It isn't like it got back on a plane and went back to Seattle to be
delivered to this girl. It looks like they straight delivered it to the wrong
city. The government has pretty good OpSec when it comes to things like this.
You think they would straight up route her package through Ft. Meade if they
were planning to install malware on her computer?

~~~
mikeash
Yep, the last few lines of the package tracking could have come from about 90%
of the packages I had delivered to my house in the past few years, until I
moved out of Alexandria.

------
jhgg
I'm a bit confused here. On the bottom right, it says that the package
contained a replacement keyboard, and not an actual laptop.

~~~
ljd
But when that keyboard gets plugged into the motherboard of the laptop, it'll
have an opportunity to install malware in the form of device drivers.

~~~
mschuster91
Worse: laptop keyboards are usually connected to a special embedded firmware
(IIRC on my Clevo laptop it's called EC, short for embedded controller), which
handles the FN+x key combos like LCD brightness, volume control, keyboard
backlight (Lenovo!), WiFi/BT/cellphone-data connectivity, webcam enabling (!)
and other detailed functions.

Now, if this EC chip is vulnerable, a malicious keyboard can have direct DMA
access (just like FireWire controllers, EC is usually connected to the main
PCI bus)... no need for drivers here.

~~~
csmithuk
As per my other post, the keyboard is most likely a PS2 keyboard interface
(physical or emulated) connected to a simple PS2/LPC(ISA) bus interface inside
the EC. It will literally deliver an IRQ to that bus (IRQ 1) at which point
the EC has to suck down a character from the keyboard buffer and do something
with it.

It's not clever, can't use DMA and generally is the dumbest thing in the
entire machine.

If they somehow manage to work around it I'd eat a box of lightbulbs. It's
hard enough to coerce it to work to start with.

Source: I used to design embedded PC kit from the board level.

~~~
mschuster91
Thanks for the clarification!

But one question remains: how does the EC control stuff like the bluetooth
radio and webcams? They're USB devices to the OS, so in theory there should be
a USB hub inside the EC?

~~~
csmithuk
Not necessarily. It may only have power control function. If you pull a USB
device out it's the same as turning it off in theory and vice versa. It's
probably just turning the device off or setting it into standby mode.

edit to add: some Intel south bridges have integrated EC which makes things a
little uncertain.

------
linuxhansl
Whether this actually happened or not is not the point.

The point is that there is now speculation (and in fact a, albeit remote,
possibility) that this could have been the reason.

The loss of trust in the Government is what makes this a story.

~~~
fnordfnordfnord
I find the loss of trust in the gov't encouraging. Healthy skepticism would be
better, but distrust is better than nothing.

------
ghughes
Never attribute to malice that which is adequately explained by opaque
logistics.

~~~
slashdotaccount
Never say never. NSA intercepting its target's purchases to install spyware is
very much possible.

~~~
ghughes
It's possible, but there is no evidence suggesting that is what happened here.

The overwhelming likelihood is that the package simply took an unusual route
due to factors that are unknown to us. For this story to be true, it would
require a level of incompetence that is orders of magnitude beyond that which
we have previously seen from the NSA.

------
DangerousPie
You only phrase your headline as a question if the answer is No, but you
really want it to be Yes.

~~~
mikeash
It fits. The answer is almost certainly No (an honest mistake is far more
likely, and nefarious activity wouldn't look like this anyway), and you can
tell from the way they write (e.g. vastly exaggerating the import of the
tracking info) that they deeply _want_ this to be true.

~~~
krapp
Clearly, absence of evidence is evidence of conspiracy, and evidence to the
contrary is propaganda. It's the only way to know for sure.

~~~
mikeash
I give it about 50/50 odds that a followup article shows up along the lines
of, "they received the laptop and the tracking info for this package shows it
coming straight from the warehouse nearby _and this is clearly evidence that
the NSA is screwing with USPS tracking data_."

~~~
krapp
The site which posted this article wouldn't bother posting an article
contradicting it.

------
kriro
I hope this was not posted before the keyboard arrived. Should be easy enough
to have it taken apart by an expert and see if anything is fishy (and to check
if tracking numbers match).

If it was posted before...why would you do that.

~~~
polack
Looks like she posted it before... Either way I would cut her access to the
Tor project.

------
EricBurnett
All this speculation about what any TLA's may or may not have done seems
fruitless to me. If the keyboard seems legitimately suspect, send it to
someone to do a teardown or plug it in and capture communications, and find
out. That way we'll learn something concrete, and not reinforce this 'NSA of
doooooom' crowd mentality.

------
NN88
The amount of apologetic in this thread is hilarious.

Do you all expect to see "SECRET NSA WAREHOUSE" on the packing slip?

~~~
atmosx
Apparently, they do. Until Snowden releases something along the lines of "List
with 1.500 gadgets that Amazon released that were bugged". Then suddenly we'll
be like "_Oh Jeez, I thought about it but I never really believed..._".

The thing is "Would the NSA wanna bug a TOR developer's computer"? and the
answer is "Damn, sure!".

So it's not as far fetched as many here believe imho - and NO there are not
many _better_ ways than this, I can't think of any.

~~~
logn
Exactly. This is why many people in tech weren't that surprised by Snowden's
leaks and were slightly relieved just to see all the suspicions verified. But
most people seem to need a powerpoint explicitly stating what's going on
before they believe it. Prior leaks from NSA defectors without hard proof had
almost no recognition by the public. Even full in-depth exclusives from
Washington Post didn't seem to affect people.

------
peterwoo
No.

[http://en.wikipedia.org/wiki/Betteridge%27s_law_of_headlines](http://en.wikipedia.org/wiki/Betteridge%27s_law_of_headlines)

------
blowski
I'm inclined to believe that this is a mistake - "extraordinary claims require
extraordinary evidence" and all that.

...However, since hypothetically this could happen, how could it be prevented?
Would there be some unbreakable way for a manufacturer to tell you if the
keyboard had been tampered with?

I was thinking of those silver foils that are now put over a lot of food items
so that crazies can't put stuff in them in the supermarket. I appreciate
wrapping it in plastic probably wouldn't be enough to defeat the security
services, but you get the idea.

------
VonGuard
Why would the NSA fuck with a TOR developer, when the federal government
contributes a great deal of TOR code and actually runs exit nodes as a matter
of research?

~~~
fnordfnordfnord
>Why would the NSA fuck with a TOR developer,

Why wouldn't they? At the very least a TOR developer might find themselves in
the same room with interesting people.

> when the federal government contributes a great deal of TOR code

The US gov isn't a single monolithic entity with a singular purpose and every
person working in lock-step.

> and actually runs exit nodes as a matter of research?

I wouldn't trust a gov't run TOR node. It may be fine for dissidents in
uninteresting countries, but not for anyone who wants to keep their privacy
safe from the US gov't.

------
jrockway
Bugs in software are so uncommon these days that I always assume any
malfunctions are due to government interference. A human making a mistake
while programming or using a computer? Not bloody likely. The government
trying to infect my laptop with malware contained in a replacement keyboard?
That's the only possible explanation!

------
maerF0x0
Buy a new boxed computer with cash from a local supplier. I doubt the NSA has
installed something on every single computer.

~~~
TacticalCoder
Some OS developers are sufficiently concerned that CPUs are NSA-modified to
not trust, say, Intel's rdrand instruction anymore!

It may very well be that every single Linux system running on a recent or
semi-recent CPU has a rdrand instruction returning a number "nullifying" (from
the NSA's point of view) the previous entropy sources XOR'ing.

You may call me "paranoid" but... Many people who were categorized as
paranoids years ago turned out actually to be very, very far from the truth
and not anywhere near paranoid enough.

I also remember a SNAFU years ago where a Windows version was compiled with
some symbols left on and people started noticing variables named things like:
"NSA_KEY". And, of course, lots of PR ensued and there was nothing to see and
there were very reasonable explanations as to why there were NSA specific
things in Windows.

Contrary to you I believe it is very likely that most Windows and Apple OSes
are backdoored by the NSA and I believe it's far from impossible that several
pieces of hardware are also backdoored.

I also think it's not impossible that several network cards have "kill
switches" where a certain packet combination bricks the card. There have been
weird reports out there from people seeing really strange things making such a
possibility not science-fiction.

~~~
polymathist
Can we get a source for that SNAFU claim? If true I would be very interested
to read more about it.

~~~
mikeash
Wikipedia actually has a pretty lengthy article about it:

[http://en.wikipedia.org/wiki/Nsakey](http://en.wikipedia.org/wiki/Nsakey)

------
raverbashing
I don't get the "installing malware" part.

Every PC comes with malware already installed by most manufacturers. (Yes, if
I have to spend time removing bloated stuff it's malware, I don't care if it's
an "antivirus demo" or something like that)

Now, if it's a hardware detail, this is more interesting.

~~~
trauco
Not all malware can be removed the way you remove that antivirus demo. From
the Der Spiegel article[1]:

> Take, for example, when they intercept shipping deliveries. If a target
> person, agency or company orders a new computer or related accessories, for
> example, TAO can divert the shipping delivery to its own secret workshops.
> The NSA calls this method interdiction. At these so-called "load stations,"
> agents carefully open the package in order to load malware onto the
> electronics, or even install hardware components that can provide backdoor
> access for the intelligence agencies. All subsequent steps can then be
> conducted from the comfort of a remote computer.

Naturally, if they also load a keyboard logger or whatever, no amount of
formatting that new laptop would help.

[1] [http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-3.html](http://www.spiegel.de/international/world/the-nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-networks-a-940969-3.html)

------
brianbarker
So buy your laptop from the store, not online? Guess this is good news for
Best Buy, not so much for Newegg.

------
Buge
Really stupid move to post this on twitter before getting it. Should have just
taken a screenshot then waited for it to show up. Then post the screenshot and
have people analyze the keyboard.

By posting before getting the package, the NSA could see the Twitter post and
give a non-modified one instead.

------
ufmace
I wonder what she's going to do with the keyboard when she gets it. Send it
back and buy one locally? Examine it in detail for bugs/weirdness, and then
use it normally? Connect it to a spare laptop, and use it to do searches for
the weirdest porn you can think of?

~~~
mirkozlojic
Nerds need pr0n :)

------
mirkozlojic
Isn't it obvious this is some kind of weird reverse-psychology? They can
always call catch 22, or they need not to, we can only guess. But it's kind
of obvious this happened to dismiss the fact they ARE doing this on a regular
basis.

------
aragot
Nonsense. Every single piece on those laptops already leaks more than a
teabag, every protocol does more information broadcasting than the BBC, why
would they have it shipped to the headquarters?

NSA's job is to bug computers before they even enter Amazon.

~~~
atmosx
The reason we're discussing this, is because of the laptop's/keyboard's owner:
A TOR developer. If this was uncle Joe no one would even care, because
probably his Facebook data is all that matters anyway.

------
nova22033
I live in Ashburn, VA. I've had a package routed through Ashburn, GA. Someone
got confused between Washington(the state) and Washington(DC)...? Occam's
razor people...

~~~
ZanyProgrammer
So, Alexandria, VA and Seattle, WA are spelled the same?

------
GigabyteCoin
fwiw I recently had a large, professional shipment company state that my
product had been delivered to the new town over, albeit to the same street
address I had ordered it to.

The product was in my po box, but the shipping company claimed it was
delivered to another adjacent town.

Never attribute to malice that which is adequately explained by stupidity.

------
hoboerectus
That would be a very ordinary rendition.

------
CraigJPerry
I suppose it's possible this could just be a fox's paw on the part of the
shipping company.

~~~
DerekL
A few months ago, I ordered some RAM from Crucial. They used UPS Mail
Innovation, a service by UPS that mails packages for you. I got my package,
but the tracker showed it getting delivered to another address on the other
side of the country. So maybe there's a bug somewhere in the USPS system that
shows you the tracking of the wrong package?

------
notastartup
So let me get this logic:

NSA contractor reveals mass surveillance on population

Independent journalists reporting on the topic have their home broken into

Independent article reports on NSA modifying laptops bound for "terrorists"

Tor developer notices laptop shipping traversing through the opposite
direction

Tor developer is concerned and suspicious

The same people who didn't care about having their freedom to privacy breached
claiming ITS CLEARLY A SHIPPING ERROR LOL.

~~~
atmosx
And famous _security analysts_ are ALWAYS on that side of crowd, isn't that
weird?????

------
streetnigga
The real story here is a small segment of productive coders rightfully feel
themselves the focus of nation sized actors that threaten their work.

...

Also the large segment around them that still feel dismissive about their now
confirmed fears.

