
What If China Hacks the NSA's Massive Data Trove? - LemonadeBoy
http://mashable.com/2013/06/08/china-hack-nsa/
======
chmars
What if China hacks Google's data trove? Oh, that already happened:

[http://www.washingtonpost.com/world/national-
security/chines...](http://www.washingtonpost.com/world/national-
security/chinese-hackers-who-breached-google-gained-access-to-sensitive-data-
us-officials-say/2013/05/20/51330428-be34-11e2-89c9-3be8095fe767_print.html)

And in Denmark, hackers gained full access to many security services
databases, among others the European 'most wanted' database, the driver's
license database, passwords of 10'000 password officers etc.:

[http://www.berliner-zeitung.de/politik/hacker-angriff-
datenl...](http://www.berliner-zeitung.de/politik/hacker-angriff-datenleck-in-
daenemark,10808018,23161384.html)

(Newspaper article in German, sorry …)

~~~
silvestrov
Article in English: [http://cphpost.dk/news/national/hacker-charged-stealing-
poli...](http://cphpost.dk/news/national/hacker-charged-stealing-police-
databases)

~~~
chmars
Thank you!

------
brown9-2
_According to the Washington Post, "An estimated 854,000 people, nearly 1.5
times as many people as live in Washington, D.C., hold top-secret security
clearances."_

It's worth noting that having a Top Secret clearance does not automatically
mean you have access to all information classified as Top Secret.

[http://en.wikipedia.org/wiki/Classified_information_in_the_U...](http://en.wikipedia.org/wiki/Classified_information_in_the_United_States#Sensitive_Compartmented_Information_.28SCI.29_and_Special_Access_Programs_.28SAP.29)

------
shailesh
The scenario that a bigger adversary gaining access to the data is definitely
troublesome. We also need to consider other scenarios.

How about the ramifications of the pipes created for NSA, getting leveraged by
other actors?

What happens when a rogue employee _hacks_ the infrastructure created for
providing the pipe to NSA?

What if a group of such rogue employees across multiple companies act in
concert, may be creating a cartel?

Such things have the potential to remain unnoticed for a pretty long time,
ruining lives of innocent people.

Now, let's replace the word _rogue_ with _innocent and intelligent but
cleverly manipulated by sophisticated player_ and the scenario reads bleaker.

To believe that such things haven't happened before or aren't happening now,
in some part of the world, will be pointless.

Consider a scenario in developing countries: let's say you wrote some piece of
code (unrelated to telecom) for a businessman. Let's also say that the
businessman runs many companies, one of which provides BPO services to telecom
companies. Let's say that the businessman wants to exploit you. He can very
well track your location using the network of the telecom company without
_that_ company knowing it, let alone the law enforcement officials. He can
remain under the radar because the request can be clubbed with other
legitimate ones.

This is not just a US problem, it's a global problem.

It is precisely for such reasons, that we need a manifesto about data
collection policies, like "Do No Evil" or "The Patent Pledge."

~~~
drKarl
"He can remain under the radar because the request can be clubbed with other
legitimate ones."

I still don´t see the legitimacy of the US government accessing citizen´s
data. Perhaps it´s because I´m from an european country, and governments in
europe have laws to proctect citizen´s private data.

~~~
shailesh
> I still don´t see the legitimacy of the US government accessing citizen´s
> data.

I agree with you. My point was related to a legitimate telecom request, for
example to track the telephone of a person declared missing.

------
venomsnake
The fact you are paranoid doesn't mean that there is not someone out there to
get you.

This is useful information. Having access to someones social graph and contact
list could go a long way to subverting dissidents.

If by chance NSA is aiding Russia and China by helping them secure internal
stability and giving them more energy to play on the international scene is
rather ironic.

Also it is not about downloading. Thing about the things you could do by just
altering the data.

------
andr
Do not mistake the NSA's security to that of your average government office.

Since we are probably talking about petabytes of data, this would not be a
one-time download, but would require continuous access to query the dataset
interactively, which wouldn't be hard to detect if you are on the look out for
it.

~~~
Drakim
It's easy to say that "it probably won't happen" today. But so much can happen
to change the game in the future. Budget cuts to security, internal employees
being "in" on the hack, etc.

And what happens when it actually gets hacked? Nothing. Nobody will come out
and say "our bad we shouldn't have collected and stored all this sensitive
data". Heck, you would be lucky if it's not used as evidence for why further
pushes for massive surveillance is needed.

Then there is also the issue that even though the data might be stored with
good intentions today, we don't know who is going to be in charge tomorrow, or
after that. Whatever Obama promises only lasts until somebody else becomes
president, who thinks that all this data that is already stored and ready,
should be used in new interesting ways. The data doesn't even need to leak and
be hacked for it to be misused, when the owners of the data are in constant
flux.

------
fiatmoney
What's more likely is, convinced they're legally obliged to turn over data to
anyone with a plausible government letterhead, private companies start being
subjected to an enormous amount of false flag / social engineering attacks.

------
mtgx
Do you think they'll ever admit they are responsible for something like that?

They'll just make the "cyberwarfare" campaign even louder, and say how new
laws and bigger budgets are needed to keep you safe (and of course continue
their spying and their hacking on others).

The "cyberwarfare" will be the new war on terror, 5-10 years from now.

~~~
bediger4000
> The "cyberwarfare" will be the new war on terror, 5-10 years from now.

Yes, just like the war on terror is the new war on communism.

By 1990, all the defence contractors figured out that without a boogey man to
scare people with, the US government has a lot of things it would rather spend
money on than billable hours.

------
Tycho
What would happen? Well then they'd have an almost unlimited supply of
individuals within our institutions whom they could easily blackmail and use
to subvert those institutions.

But I don't find it much more terrifying than people in our own government
having that power.

------
ott2
As with any juicy enough collection of data, the relevant question is not
"what if an adversary gains access" but "when".

------
dm2
That's part of the reason for the Utah datacenter. Consolidating several NSA
datacenters around the country into one super-secure fortress.

First, separate offline networks and the most advanced network security ever
conceived will be put in place at this new datacenter.

If you're thinking that a reverse engineered Stuxnet might be able to hop over
to the secure network, I doubt it, and even if it does then what will it do to
transmit the data out?

It is slightly insulting to the engineers and security experts whose full-time
job is to keep the NSA secure, but I suppose this scenario is worth discussing
just in-case someone thinks of a clever way which the NSA has not.

The most vulnerable aspect is any remote access either to company servers or
to the NSA search tools. I would hope that a data dump or unrestricted access
to the NSAs "database" would be completely impossible. Even with extensive
insider knowledge of the Utah datacenters systems, an ex-employee would have
zero chance of gaining unauthorized access.

~~~
nolok
"No worry, it's impossible to break/hack/destroy/do !" is the start of so many
disasters.

Especially funny (in a way) at a time where leaks of secret/classified data
and informations is becoming endemic.

~~~
dm2
Whistle-blowing does not equal hacking.

~~~
nolok
Yes, but it still means the data finds a way out.

~~~
dm2
The leaked materials were not solely housed at an NSA datacenter.

~~~
nolok
Yes, and water is wet, that doesn't change anything to my two previous
messages.

------
jdc
It wouldn't be the first time an unintended party gained access to
unsuspecting parties' personal information via government surveillance
systems. The Prime Minister of Greece, among others, had their cellphones
tapped by a hacker using a law enforcement agency's backdoor.

[http://www.schneier.com/blog/archives/2007/07/story_of_the_g...](http://www.schneier.com/blog/archives/2007/07/story_of_the_gr_1.html)

------
Irishsteve
Imagine if the US hacked into the Chinese data repository on their citizens?

Imagine if the US hacked into the Russian data repository on their citizens?

I'm sure it's already happened, and I'm sure it is not a huge coincidence that
Google and Facebook are not the biggest search / social networking companies
in those countries.

No idea about the others mentioned.

Oh and what about if those countries respective agencies have an agreement to
share certain data amongst each other to make things a little easier?

~~~
nolok
> Imagine if the US hacked into the Chinese data repository on their citizens?
> > Imagine if the US hacked into the Russian data repository on their
> citizens?

"Your copying all of my private data from several sources to the nsa, what is
another country hacks that and copy it ?" "No worry, we can hack them and copy
their citizens data too"

I fail to see how to answer the concern for the question, or how that should
be reassuring in anyway. That we can, or cannot, or already do similar data
repository in other countries is irrelevant to the question "should all of my
data be aggregated in a single juicy store".

I'm not even sure I agree with OP's premises (especially since I'm an
European, for me the NSA thing is a foreign governement spying on me and I
expect the EU new data privacy laws to be much more strict than the safe
harbor joke we've had so far), but your answer doesn't address it at all.

------
elorant
We don't even know if this thing has a public interface and even if it did
access would probably be limited to a couple dozen IPs.

Furthermore, the article assumes that an adversary gets somehow the data.
We're probably talking about petabytes of storage, how on earth could you get
hold of all that data? Download it? That would raise a gazillion alarms.

~~~
DoubleMalt
These are immaterial obstacles. It will have a public interface otherwise data
would not get in (and there does not exist anything like a one way street in
computer networking). Extracting interesting parts of the data can be done
with the tools that are available to the agents. If someone breaks in
successfully, they will have someone inside feeding them. Wetware is still the
weakest link in security most of the times.

------
happywolf
Sounds like the Cold War line of thinking. It was Russia then, now China takes
over the place. What if Country_X does Y? Oh we must keep up the pace! What
history tells me is when a government starts to draw people's attention to
some public enemy abroad, usually it has some ax to grind and some shit to
hide.

~~~
rapind
I kind of think the China idea is far fetched too. Sounds a little too
_boogey-man_. Why not a private interest like a cartel / mafia? Or maybe
anonymous, etc.?

------
Nux
It's more a question of "when", not "if".

------
technoslut
I'd doubt that's possible. The NSA has the best mathematicians and
cryptologists in the world. They probably also have the most.

~~~
JonFish85
I'd also imagine that it's far easier to just go after the sources (whoever is
allegedly forking over the data). Not to mention that it's probably much
better organized at the source than in some sort of data dump format. Just a
guess, though.

~~~
technoslut
Tell me when the NSA, or the US in general pre-NSA, has ever endangered or
compromised their encryptions? There surely is enough stories of how the CIA
screwed up and stories like the FBI helping Whitey Bulger to continue
murdering while he was an FBI informant.

------
ForFreedom
Or have they already done that

