
The Secret Surveillance Catalogue - jbegley
https://theintercept.com/surveillance-catalogue/
======
throw23001
I have seen this discussion evolve from the early 90's from overwhelmingly
freedom loving, rational and logical to now scaremongering, feeble
justifications and often just self importance.

Isn't it time to have something like the Hippocratic Oath that commits
developers to some ethical standards and not engage in activities that may
have negative consequences for humanity in general.

The problem with Snowden is not what he has done but what thousands or maybe
hundreds of thousands of others have not. And the way the freedom loving
media, the EU and the US has treated him apart from being shameful doesn't
help potential whistle blowers.

Given what we now know about the level of sophistication and ever growing
number of programs at play there needs to be more activism against the groups and
individuals who enable this. And also more oversight of the level of
involvement of security agencies and other vested interests in open source.

~~~
vox_mollis
Developer ethics are definitely an issue.

But if you want to really see evil, take a look at the infosec community.
"White Hat" is effectively equivalent to government contractor now. Infosec
people readily sell 0days to governments or fronts for governments without
hesitation. They unquestioningly collaborate with law enforcement on
victimless crime cases, so long as the money is good.

Yes, this is a gross generalization. But any doubts of this generalization can
easily be remedied by attending RSA or BlackHat and talking to the other
attendees. CCC and Defcon may be a slight step up, but not by much.

In any other community this wouldn't be all that disgusting, except the
_fundamental_ roots of the community are ostensibly in creatively and
intelligently circumventing authority - and now they're rarely more than
collaborators.

~~~
pdkl95
> attending RSA

Colbert, during his talk[1] at RSA:

    If you're attending this conference, it is your business to prevent
    security breaches, and that means learning enough about hacks,
    exploits, and leaks to scare your clients into hiring you again
    next year.

    [very subdued "ha-ha-only-serious" laughter]

[1]
[https://www.youtube.com/watch?v=f7gGtVScrQo](https://www.youtube.com/watch?v=f7gGtVScrQo)

------
cryoshon
So, let's get this out of the way: will the people who are going to argue that
the US is not a police state please step forward and address this damning
evidence? The only way we know about this stuff is by someone deciding to play
outside the rules and inform the public directly.

The security services and police are wildly out of control and have been
intensely surveilling and scrutinizing the content of innocent people's
communications without any oversight. This clearly doesn't make us any safer,
as there have been two terrorist attacks on US soil during the era in which
these totalitarian abuses have happened, so that argument can be discarded.

In short, we don't have security (nor could we ever have perfect security),
and they've taken our liberty without our permission. Disgusting abuse of
democracy. How can people attend a political rally or do any political
activity when they know that their attendance and discussions are going to be
analyzed for weaknesses by a malevolent third party?

~~~
miguelrochefort
Some people (including me) simply don't believe that a right to privacy makes
any sense. If anything, we believe privacy to be the cause of some of today's
most important problems.

You people seem to speak as if the right to privacy is unquestionably good,
and don't bother to justify your beliefs. Surely, no progress can be made this
way.

~~~
pdkl95
I'm glad you have been able to live a life free from problems such as
stalkers, domestic abuse, or gender or sexuality issues. Other people are not
as privileged.

It would be _nice_ if we could live in an open society, but the _reality_ is
that discrimination and abuse still exist. Insisting that everybody forget
about privacy is not only going to get some people _killed_ and many others
_fired_. Insisting that privacy is bad is effectively telling any minority
that they have to stay "in the closet" if they want to keep their job and not
be harassed by the bigots in society.

That's just the practical issues. A stronger argument for privacy is best
summed up by Jacob Appelbaum's observation in Citizenfour:

    What people used to call liberty and freedom we now call privacy.
    And we say, in the same breath, that privacy is dead.

We have the _freedom_ to decide what we want to disclose publicly.

Of course, you still believe in privacy. If you really think privacy doesn't
make any sense, post your name, address, bank account numbers, social security
number, and any email addresses you've used. None of those items are "secret"
information (like a password). I could list a lot more things, but you should
get the idea.

~~~
miguelrochefort
> I'm glad you have been able to live a life free from problems such as
> stalkers, domestic abuse, or gender or sexuality issues. Other people are
> not as privileged.

There is zero correlation between the values I hold in this discussion and
what best serves my personal interest. I have the capacity to completely
detach myself from my arguments in a way that leads to a lack of bias. I am
morally and intellectually selfless.

Legislation should never arise from anecdotes or personal preferences. Would I
be abused or stalked, the fact that transparency is inherently superior
wouldn't change.

> It would be nice if we could live in an open society, but the reality is
> that discrimination and abuse still exist. Insisting that everybody forget
> about privacy is not only going to get some people killed and many others
> fired. Insisting that privacy is bad is effectively telling any minority
> that they have to stay "in the closet" if they want to keep their job and
> not be harassed by the bigots in society.

There is no debate to be had about the fact that pain will be involved in the
transition to a transparent society. Of course it won't be easy. However, it
would be unreasonable to ignore the biggest problem of our time just because
of a short-term friction. Like any form of investment in life, there are
short-term drawbacks.

Human reasoning is weird as it understands a loss to be worse than a lack of
gain. Loss aversion is the reason why we don't change things, which is the
reason we can't get nicer things. People have no idea how much they're missing
by trying to preserve "their" privacy.

We're all "in the closet" in some regards. We're also all bigots. We must
force people out of their closet. We must expose bigotry. Only then will
things start to improve.

> We have the freedom to decide what we want to disclose publicly.

Quoting the Bible would have had the same effect.

> We have the freedom to decide what we want to disclose publicly.

Actually we don't. Should I have the right to erase something from your brain
because you saw something I didn't want you to see? Of course I'm not
suggesting that we should coerce people into doing anything they don't want to
do, but a person's actions shouldn't be protected by any external entity. At
the end of the day, an honest person has a lot more to gain by exposing
themselves to the world instead of keeping things to themselves. IoT,
Wearables, Big Data, AI are all concrete examples of how data gathering can
improve people's lives.

> Of course, you still believe in privacy. If you really think privacy doesn't
> make any sense, post your name, address, bank account numbers, social
> security number, and any email addresses you've used. None of those items
> are "secret" information (like a password). I could list a lot more things,
> but you should get the idea.

Privacy and Transparency are not games you can play alone. They're inherently
social. The society is built on top of expectations of privacy. For example,
there is some information that I legally couldn't disclose, even if I wanted
to. Likewise, my identity is only secured by archaic methods of
authentication, which completely breaks if my password gets known. Private key
cryptography is not a technology we should build sensitive systems on top of,
and it will quickly be destroyed once P = NP gets proven and applied.

Your question is like asking a person to not wear a seat belt in an unsafe
car. I might not think that humans should wear seat belts forever, yet I still
wear one when I drive my car every day.

Fast-forward 1000 years in the future. Total transparency. Ask a person
whether they'd like to keep their name, address, bank account numbers, social
security number, email address (assuming these things still exist which they
won't). Surely, that person would refuse to make this information private as
doing so would make his life miserable considering all the benefits this used
to enable.

The least I can ask from people is to discuss this issue seriously, and not
just accept privacy to be the solution to all of our problems. This whole
obsession with privacy is just a distraction.

~~~
wkw3
> I have the capacity to completely detach myself from my arguments in a way
> that leads to a lack of bias. I am morally and intellectually selfless.

The easiest person to fool is yourself.

I've read Brin's Transparent Society as well, and I agree that a functioning
society along those lines would be much, much healthier than we have now.
However, this article is about the privacy-erasing tools used by the powers
that be, whose very existence was secret to those on the outside until now.
I'll surrender my privacy just after they do.

------
littletimmy
Jesus Christ that's invasive!

It boggles my mind how we as a republic can allow for this. Basically, someone
attacked us a long time ago, and now politicians just have to say "we're
keeping you safe" and we allow them to do ANYTHING they want.

This will not end well for anyone who is not in power.

~~~
chinathrow
> This will not end well for anyone who is not in power.

Or the other way around.

~~~
harryf
Historically the other way round, while much celebrated (4th July, Bastille
day), tends to be the statistical anomaly.

~~~
cryoshon
[https://en.wikipedia.org/wiki/Nicolae_Ceau%C8%99escu](https://en.wikipedia.org/wiki/Nicolae_Ceau%C8%99escu)

[https://en.wikipedia.org/wiki/Romanian_Revolution](https://en.wikipedia.org/wiki/Romanian_Revolution)

I don't know the exact dates that are relevant here, but as recently as the
late 80s people were bucking totalitarian oppression via violence.

~~~
logfromblammo
Bouazizi's fire ended up burning quite a few government officials, even
outside of Tunisia.

By my count, it started six rebellions, prompted five government reforms, and
Libya's Qaddafi got brutally murdered in public. Libya, Syria, and Iraq are
still in a state of civil war.

So more recently than the late 80s. As recently as right frickin now.

[https://en.wikipedia.org/wiki/Arab_Spring](https://en.wikipedia.org/wiki/Arab_Spring)

------
dogma1138
The only surprising thing here is just how out of date the catalog appears to
be when compared to the current offerings from these (and many other) vendors.
Most of these products have brochures and commercials on the vendor website
and social media pages; they aren't overwhelmingly classified.

~~~
mike_hearn
The lack of any information about the Hailstorm device is notable. Hailstorm
is the version that can break 3G/4G connections, supposedly. Breaking GSM is
not anything remarkable because GSM was designed on the assumption that cell
site simulators didn't exist. But 3G authenticates the tower. Whatever
Hailstorm is doing, it's not just taking advantage of a missing design
requirement, it's actually subverting the crypto itself.

Unfortunately it seems there's nearly nothing public about it.

~~~
EthanHeilman
3G uses the KASUMI or A5/3 cipher which was shown to be easily broken in
2010 (two hours on a PC via a related key attack):

> we have actually simulated the attack in less than two hours on a single PC,
> and experimentally verified its correctness and complexity. Interestingly,
> neither our technique nor any other published attack can break MISTY in less
> than the $2^{128}$ complexity of exhaustive search, which indicates that the
> changes made by the GSM Association in moving from MISTY to KASUMI resulted in
> a much weaker cryptosystem.

Source: [http://eprint.iacr.org/2010/013](http://eprint.iacr.org/2010/013)

This is actually far worse than cell site simulation because it is a passive
attack and so is totally undetectable. You could just set up recording
equipment, hide them in a van and start decrypting conversations. Given how
much weaker KASUMI is than MISTY it seems possible this was a backdoor
engineered by an intelligence agency. If so, it certainly tells the lie to
NOBUS (no one but us).

Odd how the GSM association always generates breakable ciphers.

~~~
mike_hearn
As far as I know the 2010 attack isn't applicable to actually deciphering 3G
in the real world. From the paper:

"However, the new attack uses both related keys and chosen messages, and thus
it might not be applicable to the specific way in which KASUMI is used as the
A5/3 encryption algorithm in third generation GSM telephony. Our main point
was to show that contrary to the assurances of its designers, the transition
from MISTY to KASUMI led to a much weaker cryptosystem, which should be
avoided in any application in which related key attacks can be mounted"

The changes from MISTY to KASUMI were justified by the designers, they weren't
random. The reasons were to make it easier to implement in hardware, and more
efficient. They explicitly stated they thought the changes wouldn't make it
more susceptible to related key attacks. I am skeptical it's the result of IC
manipulation.

Additionally Hailstorm is supposed to work against 4G connections and those
use AES instead of Kasumi.

I suspect Hailstorm is not doing anything more sophisticated than jamming
3G/4G frequencies to force a downgrade.

------
lifeisstillgood
A society where only police have access to everyone's data is a police state.

A society where everyone has access to everyone else's data is free, but
uncomfortable.

A society where everyone has privacy is either behind us, or in front of us,
as we choose.

------
escapologybb
I couldn't see where the checkout button was, maybe AdBlock had blocked that
element?

~~~
ethbro
It's a known tracking cookie.

------
enginn
In terms of the complexity here, it is quite substantial, and for the lay
person to cache all the multi-layered exploits in their head is unexpected.
It's disgustingly complex and multi pronged ex-filtration of data that has no
bounds.

This industry is 1000 years ahead of the common UNIX neck beard / basement
dweller type who probably owns no more than $10,000 worth of kit, but uses
that kit on orders of magnitude more advanced levels than the catalog
presented here.

If it is the case that 'they' are 1000 years ahead of us in terms of ex-
filtration and their budget is apparently limitless, then this allows the
citizen to dream of many strategies to avoid, overcome, and render such ex-
filtration useless.

One strategy which I will announce (a public one I will give away because
bragging in public forums is apparently safe) is to compartmentalize a digital
life. A frustratingly common motif is the "Person A stores their life on their
phone" and thus we have a central store of data about person A.

Bad OPSEC, you cry? Well the lay person is not familiar with spycraft terms
like OPSEC and such a term has only flourished in use in recent times because
of Snowden. In fact a great many spycraft terms have gained widespread use,
like OSINT for example, which were so rare, that you would be red-flagged as a
spy if you searched for those terms, or were using them in everyday
conversation.

All that is needed is for the lay person to acknowledge that unless a spy-vs-
spy tactic is employed, then it really is a disgusting grab fest for all one's
data. Annoyingly this can lead to arms-race type scenarios where a citizen
attempts to 'beef up' their digital life, and the cost can be substantial, and
potentially turning citizens into digital Winston Smiths, which is never good,
and the surveillance can be said to have failed.

Compartment-ed computing is but one of a whole cornucopia of techniques and
strategies to reverse the Panopticon on itself though...

------
saiya-jin
wait, random example for CYBERHAWK - "Takes 4-10 mins for download; Saved and
dialed numbers, missed calls, SMS data, pictures, calendar, sound files all
consolidated into one report" - how is it possible?

~~~
gosub

> Cyber Hawk exploits over 79 cell phones

I would say: unpublished exploits and backdoors

~~~
eli
Or the 79 cell phone models with no security in the first place. Lots of
phones 10+ years ago didn't really bother.

------
draw_down
The blurb at the front says some of these things are in use by US government,
some aren't. So why does the government's internal catalog list things the
government doesn't use? Who would buy those things if they weren't in use? I'm
not trying to make a point here, I'm confused.

~~~
wavefunction
Police departments, US state-level LE departments, the wealthy and powerful,
other countries and likely corporations come to mind.

~~~
draw_down
But the first two are part of the government, so anything they use is by
definition in use by the government. Would the other groups get the catalogue?
I would think not since it's supposedly internal to the US government...

------
fit2rule
This is a real orgy of authoritarianism, folks.

I once knew someone who has contributed to this catalog. Their justification
for participating in this heinous orgy of totalitarianism, was, simply: "I
hope your children and loved ones are safe". 'twas the last I had to do with
them - I cannot be friends with someone who justifies the creation of these
devices, nor their continued application to society. Especially when they
invoke terror to justify the crime.

------
csseinpoont
1 point by lolyololol 0 minutes ago | edit | delete

Having an open discussion about state surveillance is essentially impossible
on hacker news given moderation policy, liberal use of banning, astroturfing
and corresponding up and down voting and flagging that occurs. HN Mod policy
is to claim they take such claims seriously but nothing changes and those who
complain too loudly get banned.

~~~
cryoshon
Can you provide examples?

