
Sysadmins see evidence that they have been hacked by GCHQ [video] - sauere
http://www.spiegel.de/video/nsa-und-gchq-hoeren-telekommunikationsunternehmen-ab-video-1521330.html
======
rdtsc
This is the right way to do it. Great job Spiegel (or whoever worked on this
piece). Putting real people on screen, real faces. Showing emotion, showing
them swallowing knots when they see their names on the screen of "tasked"
engineers.

I think here on HN and other tech and privacy forums we understand what is
happening. Unless there is reporting like this, it will be a bit harder to
engage a wide audience. Telling the proverbial grandma about "PRISM" or "they
are listening to everyone" is not going to quite work. What works is to do
this -- showing one particular grandma with a name, address, life story and
showing how maybe her recipe for baking cookies is now logged in the NSA's Utah
headquarters in room 5B, on storage node 18Z and so on.

~~~
zz1
Produced by Laura Poitras. (just watch it until the end and you'll get the
other names)

~~~
Ygg2
Ten bucks she is "tasked".

~~~
srslack
Poitras is actually the shadow of this whole story. She was the journalist
Snowden reached out to when Greenwald was unresponsive, was there and filmed
the first Snowden interviews, was responsible for the Bill Binney story in the
NYT a few years back[1] and has been on the US Government shit list for quite
a few years[2].

[1] [http://www.nytimes.com/2012/08/23/opinion/the-national-security-agencys-domestic-spying-program.html?_r=0](http://www.nytimes.com/2012/08/23/opinion/the-national-security-agencys-domestic-spying-program.html?_r=0)

[2] [https://en.wikipedia.org/wiki/Laura_Poitras#Government_surveillance](https://en.wikipedia.org/wiki/Laura_Poitras#Government_surveillance)

~~~
rdtsc
I think you might have misread what the gp meant by "tasked". It was taken
directly from the video. In the video "tasking" means being selected,
followed (presumably virtually only), monitored and spied on.

------
rdl
Satellite communications providers, especially those offering L-band (mobile)
services, are really the low hanging fruit of the SIGINT world. They're pretty
much only used by "interesting" people due to cost, in areas which are
inaccessible otherwise (non-permissive to HUMINT, etc.)

That they tend to be run by technically incompetent people, using expensive
black box hardware they don't understand, and with multiple levels of
indirection between end user and the Internet (transponders, ground stations,
facilities, virtual network operators, ...) makes it all much more vulnerable.

Combine that with price sensitivity (so subsidized government stuff can be
cheaper, and legal expenses unacceptable), and a highly regulated environment
(ITAR + various spectrum licensing and launch regimes), and it's a perfect
storm.

The only more interesting target would be "satellite comms network dedicated
to high value international payments".

(Disclaimer: I started/ran a satellite communications and wireless provider,
and worked for or with a bunch of others.)

~~~
zz1
> (Disclaimer: I started/ran a satellite communications and wireless provider,
> and worked for or with a bunch of others.)

Which means you are under active and targeted surveillance. Great to see you
put encryption contact info in your profile.

~~~
schoen
rdl has a few other fun reasons to have attracted the Eye of Sauron. Like that
one time when he was the only inhabitant of an entire country.

~~~
zz1
You can't just stop after telling that… Only inhabitant of an entire country?
How can it be?

~~~
schoen
One account is in
[http://works.bepress.com/cgi/viewcontent.cgi?article=1035&co...](http://works.bepress.com/cgi/viewcontent.cgi?article=1035&context=james_grimmelmann)

You might notice some discussion there of what counts as a country.

~~~
zz1
Thank you both!

------
sauere
Stellar PCS is a German ISP company that specializes in bringing internet
access to inaccessible regions via satellite. Clients include research
stations or oil rigs. In this video you can see a SPIEGEL journalist showing
them evidence that the NSA has hacked their network for the first time.

~~~
hadoukenio
Clearly it's for counter terrorism, and not corporate espionage /s

~~~
zz1
Yes, clearly, yes. Because the USA does not have ANY economic interest in Africa and
the Middle East, and whatever these countries have as a government it doesn't
change a thing for them. I mean, it's not like they have oil to sell and can
alter the world's economy with a simple statement.

~~~
drzaiusapelord
This, as much as the domestic spying stuff bothers me, this uber-left uber-
pacifist view of things is asinine. China, Russia, Iran, etc aren't stopping
their SIGINT or cyberwarfare programs and neither should we.

I also don't care if Germans are our "allies." 9 months ago Russia and Ukraine
were best friends, now Russian soldiers are blowing away Ukrainian civilians
with total impunity. Shit changes. Shit gets real quick. Being at an
information disadvantage can lead to serious consequences.

I think we live in a time too used to peace and as we can see from recent
events, that time is now over. The far left's obsession with pacifism and the
far right's obsession with isolationism are just impractical. This just causes
conflicts that need to happen to be put away and ignored which leads to larger
conflicts later. For example, the US and Iraq should have worked together when
ISIS took Fallujah MONTHS AGO. The US should not have caved in to pressure from
the EU and Russia to not take out Assad. Instead, we chose the path of
politics and sticking our head in the sand and an entire region just became
destabilized. On top of it, petty dictators like Putin see our weakness and
use it against us by invading his neighbors, knowing he'll only receive a slap
on the wrist.

Downvote away, but we need SIGINT, now more than ever.

------
malandrew
I'm shocked that they are securing such important routers with a
username/password combination like horizon/h0riz0n. Such a system should be
protected by public and private keys.

~~~
junto
I assumed that this 'customer' was a trojan horse, put there by the NSA.

Well, that's what I'd do anyway.

It goes like this - Stellar gets offered a big hosting contract that they
aren't going to turn away. They don't do any due diligence on this new
customer, and if they did, they probably hit a couple of USG Cayman Islands
dead-ends anyway. They install this company's servers inside their own
network.

Boom... headshot.

~~~
sentenza
You are doing something very important here. Many people forget that the guys
running the show at the NSA are, in all probability, at least as savvy as any
one of us. For this reason, it is always a good starting point to ask oneself
"What would I do if I was in their shoes?".

A prime example of how this thinking can be applied is the TrueCrypt fiasco.
Ask yourself: If you were the group leader at the NSA tasked with TrueCrypt,
would you have your underlings doxx the authors? Would you then try to lean on
the authors?

If I was a group leader at the NSA, I certainly would.

~~~
junto
> Many people forget that the guys running the show at the NSA are, in all
> probability, at least as savvy as any one of us.

Indeed, but I would add that these people are more than just savvy. Many of
these people have been picked out because they are smarter than the average
bear. They've also been brainwashed into the mold to believe that if you aren't
inside, then you are the enemy, or the friend of my enemy, or a potential
"task".

Many of these guys (and girls) are converts - young hackers who have been
caught hacking and have been given the option to serve jail time or join the
cause. It's an easy sell to young impressionable minds who want to be a hacking
James Bond.

More importantly, these guys are hacking targets across the world with a
remit; a licence to hack if you will. If you or I go out hacking random
companies for fun and profit, we'll get a 5am dawn-raid knock-knock visit and
spend a couple of years 'rooming with Bubba'.

These guys can do what they want without the fear or stress of that 'Sword of
Damocles' hanging over their heads. They have free rein, and they are
smart. They also have the feeling that what they are doing is right. That
makes them way more dangerous than you or me.

Thanks for the hat tip nevertheless. I grew up in a government security type
environment. These things rub off on the kids. Somehow you learn to evaluate
risk, locations and people very quickly in this kind of environment. I guess
it is useful in some ways. It also makes you a constant analyst, which tires
the brain somewhat, but you see things that others don't.

------
staunch
The reporter said "Develop and task key engineers" means surveillance but I
don't think that's right. Task can be used multiple ways but I think that line
is talking about recruiting key engineers as agents, probably using bribery.

I could be wrong but I thought Ali had an extremely guilty reaction. As if he
was waiting for the reporter to accuse him of being an NSA asset. Which he
very well may be.

~~~
mkal_tsr
So aside from this video, what concrete proof do you have to make your wildly
biased claim that he may be an NSA asset? I love your dripping tone of "I'm
not _saying_ he's an asset, but seriously, look at that guilt on his face.
Again, not directly saying, but look at him." Maybe you're an NSA asset. You
may very well be.

Let's keep personal attacks down and talk about the issue at hand rather than
go for character assassination.

~~~
colinbartlett
There weren't any personal attacks or character assassination, he or she was
just stating what his or her interpretation of their reactions was.

I actually thought the same. I kept thinking the whole point of the clip would
be that they would see their own names and how they had been recruited. I,
too, thought 'tasked' meant bribed/coerced.

... that's not character assassination, that's just like my opinion, man.

------
zz1
Impressive. However I regret that we don't see when they commented with
"Fuck". Not for the word, clearly, but because the face that went with it
should have been really powerful.

I hope that now sysadmins from all over the world know that they are subject
to NSA surveillance. If you are a sysadmin, please read:

[https://firstlook.org/theintercept/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/](https://firstlook.org/theintercept/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/)

You could easily be a target for TAO:

[http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html](http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html)
[https://news.ycombinator.com/item?id=6979457](https://news.ycombinator.com/item?id=6979457)

If you are a sysadmin, they are after YOU.

~~~
spyder
I think we can see that "Fuck" on their face, just look at the big swallows of
the guy and he even says "Oh my god" in the video.

------
WestCoastJustin
Is it really possible to protect yourself and your network from these types of
attacks? Any company with sysadmins or internal security teams is extremely
outgunned against someone like the NSA (it is almost comical) [1]. From the
perspective of a sysadmin, who has worked in startups, small companies, a
university, and several government departments, I can firmly tell you that we
are not in the same league! Sure we take the yearly security courses, use best
practices, harden machines and infrastructure, but after reading these
articles... we are sitting ducks. If the NSA is in bed with US based network
gear providers, they can simply own the network and telecom infrastructure
(via built-in backdoors), and you do not even know they are there, because
they side step the normal exploit channels [2].

Probably the best way to describe this is to compare security and pro sports
teams. From what I have read, the NSA is a top tier team winning championships
across the globe, with billions in research and development, and thousands of
highly trained athletes, living and breathing this day in and day out. Yet,
they are matched up against a local beer league who likes to play casually
Thursday nights. Who do you think is going to win?

Go read the "A Look at Targeted Attacks Through the Lense of an NGO" [3]
paper, then put yourself in their shoes. Think about the IT resources a small
NGO with 30-50 employees has. Maybe they have a sysadmin and a helpdesk guy.
They are dead meat. The threats are so vast, spear phishing, targeted malware
via MITM attacks, etc. It almost seems hopeless. But it is not just the NSA at
the top of the heap, you have lots of foreign governments, which have direct
access to your playing field via the internet.

Think about the resources that Google, Facebook, and Apple throw at security,
then you see something like Operation Aurora [4, 5]. What chance does an ISP
or small business have? None. Personally, it just seems like the entire model
is broken. Yet, nothing seems to change, in that we are all just waiting for
the next zero day to drop, and the cycle continues. All it takes is one
targeted zero day addressed to a normal employee, the attackers gain access to
the network, then move laterally [6, 7]. The odds are further stacked, in that
you have a top tier team against a targeted employee, who doesn't even know
the game.

ps. sorry for the tone of this

[1] [https://firstlook.org/theintercept/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/](https://firstlook.org/theintercept/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/)

[2] [http://www.theguardian.com/world/2014/aug/13/snowden-nsa-syria-internet-outage-civil-war](http://www.theguardian.com/world/2014/aug/13/snowden-nsa-syria-internet-outage-civil-war)

[3] [http://www.mpi-sws.org/~stevens/pubs/sec14.pdf](http://www.mpi-sws.org/~stevens/pubs/sec14.pdf)

[4] [http://www.wired.com/2010/01/google-hack-attack/](http://www.wired.com/2010/01/google-hack-attack/)

[5] [http://en.wikipedia.org/wiki/Operation_Aurora](http://en.wikipedia.org/wiki/Operation_Aurora)

[6] [http://g0s.org/wp-content/uploads/2013/downloads/Inside_Report_by_Infosec_Consortium.pdf](http://g0s.org/wp-content/uploads/2013/downloads/Inside_Report_by_Infosec_Consortium.pdf)

[7] [http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf](http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf)

~~~
atmosx
IMHO it can be done, using UNIX-based operating systems and standard open
source software, if the infrastructure designer takes security _seriously_ and
is committed and knowledgeable.

It's NOT the system administrator's work to _secure the network_. The
ISP/minor IT company should have a security engineer to oversee the network,
although some sys-admins are extremely skilled when it comes to security.

There are so many security layers that can be implemented on a Linux/BSD
server that make the machine virtually un-hackable and IF anyone enters, all
bells and whistles could start cheering.

Examples: GRsecurity[1], IPTables[2], Snort[3], chroots (or jails), VPNs,
malware scanners (clamav, spamassassin), encryption and what-not.

To me securing Linux desktops, especially simple ones (e.g. window manager +
basic programs... almost like thin clients) is easy. Securing Windows
XP/7/8/etc is extremely tricky BUT can be done.

Once you do all that, I'm 100% sure that you're going to be one hell of a target
for anyone. And if you really don't trust your team you can always hire people to
test your network's security and improve it.

The most important thing though is having a strict general user policy: What
users can and can not do must be crystal clear with no exception. When a
'tiger team' finds a _secure network_ , they usually target the people not the
infrastructure.

[1] GRsecurity: [https://grsecurity.net/](https://grsecurity.net/)

[2] [http://www.netfilter.org/projects/iptables/](http://www.netfilter.org/projects/iptables/)

[3] [https://www.snort.org/](https://www.snort.org/)

~~~
bashinator
How would anything you recommend protect you against an attacker who could
(for example) have 3G transmitting keyloggers installed in your last shipment
of laptops?

~~~
atmosx
You choose your hardware carefully and if paranoid enough, you perform
stateful packet inspection on your OpenBSD transparent router to know, as far
as possible, the reason/content for every connection. Once you tag those
that are standard, you start narrowing things. Again policy is what matters,
if you allow torrents you are making your job extremely difficult.

I know, easier said than done. Writing firewall rules/config reporting tools
for every computer in the internal part of a network is hard too, that's why
almost no one does it.

~~~
bashinator
3G keyloggers. Data egress is completely bypassing your network. (There are
pwnie express boxes that include a 3G data link for bypassing target networks
when sending results back.) I guess you could add physical scans for
unauthorized radio transmitters to your security routine. Opsec is hard.

~~~
atmosx
Sure, but that's a physical attack: You need someone to install the 3G
keylogger on your machinery.

I was talking on a keyboard-only level, but even that can be largely mitigated
with proper policies IMHO.

That said, an insider is an Achilles heel for every security scheme out there
(e.g. Snowden).

------
johnchristopher
How come Stellar PCS didn't check out the NSA documents that were made public
(I assume the documents the journalist is showing them in the video are those
public PRISM/Snowden/TreasureMap docs) for any hints their operations were
compromised?

Just found this [https://firstlook.org/theintercept/2014/09/14/nsa-stellar/](https://firstlook.org/theintercept/2014/09/14/nsa-stellar/) which
includes more narrative and GCHQ's involvement.

~~~
zz1
How come so many people are just ignoring all the Snowden files altogether?
How come so few people use encryption, more than a year after we were told
"the good news is, encryption works"?

Please advocate for change, actively, with the people you interact. GPG, OTR,
TextSecure, Redphone, Signal, decentralized services… If they are complicated,
set them up yourself. And please, urge your representatives to act!

~~~
pdkl95
Unfortunately, some people still don't believe the scope or that the "good
guys" would violate the constitution like this ("Just-World Hypothesis").
Others are still using various permutations of the "If you're not doing
anything wrong..." nonsense.

And at least a few... are _collaborators_.

As PHK cautioned, the NSA/GCHQ/etc can submit patches or comment in
development discussions just like everybody else, and at least some of the
suggestions against using proper crypto are intended to keep the internet in
plaintext.

------
pinaceae
If you're a radical, islamist, leftist, etc. then _maybe_ you're a target for
NSA, GCHQ.

If you're a sysadmin at a telco or infrastructure provider you're _definitely_ a
target for the NSA, GCHQ.

Let that sink in.

Infrastructure these days also means AWS, Facebook, YouTube, Twitter. Every
piece, site, offer that might be used by ISIS, for example.

------
andy_ppp
I'd be really interested to know what they did to get the access. Did this guy
have malware installed on his machine? Do we all have malware installed on our
machines? Is there any way to protect yourself from an adversary as powerful
and competent as the NSA?

~~~
scintill76
The only real proof of "access" I saw, was a single customer's username and
password. That could have been obtained through guessing, or compromising that
customer. So it seems like cautious and competent engineers aren't necessarily
all compromised. I'm open to more evidence though.

The other things seemed to be network topology, IP addresses, and engineer
lists, which are fairly public.

~~~
andy_ppp
His name is on NSA slides, right? He's either working for them or they have
his private key. Really how difficult would it be for the NSA to get that if
they wanted it?

I have no idea but I'm able to believe easily.

~~~
scintill76
Like some others here, I wondered if "task" could mean to recruit.

I basically agree NSA could pwn anybody they want, but there are probably
other considerations such as how obvious they want to be, whether the target
is valuable enough to reveal zero-days nobody else has seen yet, etc. Maybe
it's wishful thinking, but I'd like to believe if you don't do things like
open unsolicited email attachments, you're still pretty safe.

But, perhaps as the lead engineer of an ISP "interesting" people use, nothing
is off the table and he has been pwned repeatedly.

~~~
fossuser
I remember reading about one method where they served up their own versions of
Facebook when requested from a target from compromised hosts that are near
that target as a way to collect credentials.

I forget the name of that method, but according to the documents it was used
to target sysadmins. Though if you use a password manager with unique passwords
for every service that should help protect you.

For more details:
[https://firstlook.org/theintercept/document/2014/03/20/hunt-sys-admins/](https://firstlook.org/theintercept/document/2014/03/20/hunt-sys-admins/)

------
jostmey
If I were caught hacking into a private network of computers without
authorization, even if I had a "good" reason to do so, I would be breaking the
law and thrown in jail. So why is the NSA allowed to do the same?

~~~
dredmorbius
Within the US, the NSA operates with legal impunity. It is beyond the reach of
the law. At least so long as it's acting under official mandate -- rogue
agents are apparently sanctioned if pursuing information for personal reasons.
If caught.

Outside the US, NSA operates with the diplomatic and military support of the
US. It's not a matter of an individual hacker, but "an international incident"
should something arise. There's _some_ risk that an agent or operative (non-
agency employee acting on behalf of the NSA) could be caught, but that would
vary by field of operations and relations between that country and the US.

~~~
PeterisP
And for such cases as in NSA, where the actions, though technically illegal,
were clearly intended by the leadership - "sanction" can easily mean an
official written reprimand stating "this is not acceptable", followed by a
cash bonus and a promotion.

------
kbar13
that feel when ~5:15 and the username/password to an account with "deep access
to the network" is horizon/h0r1z0n

~~~
scintill76
I think it was deep access to one customer's network, and probably their own
fault for choosing lame credentials.

------
codemac
Any non-flash version of this video?

~~~
zz1
You can get it in H264 from Vimeo:

[http://vimeo.com/106026217](http://vimeo.com/106026217)

~~~
codemac
Awesome, thank you!

------
dredmorbius
Is there an alternate source for the video? I cannot get it to play at all
under Linux / Chrome.

~~~
sentenza
Here it is on Vimeo:

[http://vimeo.com/106026217](http://vimeo.com/106026217)

Worked fine for me in FF on Linux. Might be worth a try in Chrome.

~~~
dredmorbius
Vimeo _does_ work for me generally. I can also download it with youtube-dl.

------
nether
There's this great line in Dataclysm (written by the guy who wrote the OkCupid
blog) about how the NSA recruited from the best math students at Harvard. "The
people spying on us are extremely, extremely smart."

~~~
theoh
Don't we generally assume that the NSA hires math guys for math purposes, not
surveillance purposes?

~~~
peterkelly
What do you think they use the math for?

~~~
theoh
My point is that mathematicians are not necessarily or even probably a good
fit for intelligence analysis ("spying"). I wouldn't describe the stuff NSA
mathematicians ostensibly get up to as spying. See this for example:
[https://www.nsa.gov/careers/career_fields/mathematics.shtml](https://www.nsa.gov/careers/career_fields/mathematics.shtml)

------
ck2
Reminds me of the Google engineer response:

[https://plus.google.com/+BrandonDowney/posts/SfYy8xbDWGG](https://plus.google.com/+BrandonDowney/posts/SfYy8xbDWGG)

------
coalbee
What about 2048 RSA public key cryptography performed on the application
level? Didn't the Snowden leak say the NSA still can't crack 2048?

------
naner
This also illustrates the weakness of using just a password for authentication
to anything of value.

------
dmix
_Requires Flash to watch_ :\

~~~
zz1
Can be done with H264:
[https://news.ycombinator.com/item?id=8316396](https://news.ycombinator.com/item?id=8316396)

------
zby
This crashes my shockwave flash plugin - should I start to be paranoid?

------
Keyframe
They must've known?

------
notastartup
This is the most intense video I have ever seen since the Snowden revelations. I
could almost feel Ali's feeling of complete violation. This is absolutely
chilling material.

~~~
thegerman
To see a fellow German talk in my native tongue about learning that he himself
was targeted made this so much more real. We Europeans really can't trust the
US anymore. It's so sad. I really liked the idea of that place, but who hacks
their friends?

------
kelas
Enjoyable. A rare opportunity to witness an expression of someone who got
p0wned well beyond his level of comprehension. Look how he strokes his pen in
disbelief, that poor German dude. "I know those switches", Mein Gott.

As of today, there are two kinds of people in the world: those who believe
we're still stuck in post-9/11, and those who realised we are now in post-
Snowden.

There is a third kind who have Facebook accounts, but those are just
nature's way of saying that Darwin got it right.

~~~
moe
_There is a third kind who still have Facebook accounts, but those are just
nature's way of saying that Darwin got it right._

That's a non sequitur.

Having a facebook account or not is an almost negligible factor in the grand
scheme of things.

The kind of information commonly exposed on facebook can be more conclusively
inferred from other information sources.

Do you use a smartphone? Skype? Any search engine?

Does your home internet come out of a plastic router? Do you click on the
little lock icon every time you go to an SSL site, to verify the certificate
hasn't changed? Do you know the fingerprint of the legitimate Facebook SSL
certificate?

Think about what any one of the above devices "knows" about you in comparison
to what facebook knows about you.

~~~
kelas
True, true.

The only difference is that somehow Google still maintains a straight face
telling people they are not guinea pigs in their next study. Zuck never had
that option in the first place, their only strategy is to maintain grip on the
population at all costs, and no means are too sleazy.

What you want to try is to shut down your Facebook account and check some
e-mails they will be sending you for months to come... Prepare for the drama.
They will be showing you the cutest photos of your family and closest friends,
saying they're all devastated because you've gone antisocial.

Zuck broke our hearts.

~~~
jmgrosen
Hm, I shut down my account, and I haven't gotten any emails from them...
perhaps they've changed?

~~~
kelas
No, I doubt they have. What's more likely is that you took an option to
opt out from any further communication from Facebook, something they
reluctantly offered when all attempts to connect with you emotionally failed.

