Your USB cable, the spy: the NSA’s catalog of surveillance magic (2013) - lisper
http://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/
======
marcolinux
From the article: ''But why stop at network data? The NSA also uses some
fairly exotic tools to grab computer video, keyboard strokes, and even audio
from inside more difficult-to-reach places by using passive electronic devices
that are actually powered by radar. These devices, charged by a specially
tuned continuous wave radio signal sent from a portable radar unit (operating
at as little as 2W up to as much as 1kW of power in the 1-2GHz range), send
back a data stream as a reflected signal, allowing the NSA’s operators to tune
in and view what’s happening on a computer screen or even listen to what’s
being said in the room as they paint the target with radio frequency energy—as
well as giving a relative rough location of devices within a building for the
purposes of tracking or targeting.''

I call BS on this one, everybody knows radar can't go through cars/walls. It
would be too big a piece of equipment to be of any practical use.

~~~
UnoriginalGuy
You misread it.

They have EM bugs placed close to target sites. But these bugs have to be
powered/recharged, so the NSA use focused radar to power the bug itself.
Information is then sent back down the radar signal by modulating it.

EM spying is very real[0] and documented. "The Thing"[1] from 1945 actually
uses some of the principles they're discussing here, they're just combining it
with Tempest. Nothing they're describing is science fiction, it is very
possible.

[0]
[https://en.wikipedia.org/wiki/Tempest_(codename)](https://en.wikipedia.org/wiki/Tempest_\(codename\))
[1]
[https://en.wikipedia.org/wiki/The_Thing_(listening_device)](https://en.wikipedia.org/wiki/The_Thing_\(listening_device\))

~~~
fapjacks
Yes! The Thing was actually the first instance of this kind of device, well
ahead of its time. There was an article some time ago on HN about the Dutch
company which had an opportunity to examine it and reverse engineer it.
Something like "Project Easy Chair" I think.

------
devy
That's why USB Kill programs [1] are important.

[1]
[https://github.com/hephaest0s/usbkill](https://github.com/hephaest0s/usbkill)

~~~
colejohnson66
Couldn't you be held in contempt of court for doing something like that?

~~~
rconti
They'd probably have to prove you were doing this because of a pending
investigation against yourself. What if you were just using it because you
didn't want Zee Germans (or some other personal adversary) getting access to
your data?

------
DyslexicAtheist
IMO the bigger question remains: what activities and innovations are there
within the logistics industry that ensure the integrity of a shipment en route? If a
shipment can be intercepted (without a court order and without the package
recipient's knowledge) then logistics and freight forwarding technologies have
some catching up to do. We learned from the Gemalto hack last year that the NSA
intercepted a list of SIM card encryption keys, presumably due to a weakness in
Gemalto's supply chain. There was a similar story with Cisco equipment being
tampered with.

It would be incredibly interesting to learn what Gemalto and Cisco have
meanwhile managed to come up with in order to tighten their supply chain and
assure their clients they don't receive compromised equipment.

~~~
arca_vorago
So I recently learned that registered mail is pretty much the highest quality
way to ship anything, with full per-node tracking. This was gleaned after some
prodding of some people in a law firm who were discussing shipping woes
between FedEx, DHL, and certified mail, when someone said "What about
red-mail?" I had never heard of red-mail (actually registered mail, called
red-mail for the red tags, vs the green certified mail tags), but it was
explained to me that at least for some governmental purposes, it is the only
acceptable way to ship documents and other things.

To me, if I want full "evidence custody chain" style logs of device location,
for physical equipment, that would be the way to go. Now, the real question
is, how much would you really trust the government mail program vs an NSL or
interdiction for implant vs a private company vs an NSL or interdiction for
implant. I think there is room for discussion there, but I would tend to side
with the government one, because the company will have very little recourse,
but the gov entity is likely to be staffed by bone-headed gov employees, who
are surprisingly good at bad policy pushback when compared to their private
counterparts. Perhaps I'm wrong on that though. Sometimes I find interesting
insights into IT by listening to lawyers...

~~~
wang_li
Unless you have an unsubvertible agent carrying the item, you cannot rely on
tracking info. How do you know that the tracking data is actually correct and
how do you know that the eight hours it spent sitting in a warehouse in
Kentucky weren't eight hours used to install malware?

~~~
nickpsecurity
U.S.P.S. security is good enough on average that intelligence types have been
known to use it for classified information. There are so many envelopes going
through that USPS security people mainly look for stuff that really stands out
in shape, smell, etc. You blend in, then targeting you requires knowing what's
on the envelope. Put a countermeasure on that variable to get a decent bit of
transport security.

------
rwmj
I'm guessing that two way RF communication != "little risk of detection".

Anyway, this is the sort of thing I'd expect the NSA to be doing against
specific targets. And I'd expect the targets to have equally sophisticated
countermeasures.

~~~
bitwize
Sometimes the countermeasures are quite simple: a policy of "don't plug
outside USB devices into the facility's PCs" can get you pretty far.

~~~
liotier
> a policy of "don't plug outside USB devices into the facility's PCs" can get
> you pretty far

A policy of "inject hot glue into exposed USB ports" gets you further.

~~~
dzdt
And where do the keyboard and mouse plug in?

~~~
liotier
The authorized cables go through a hole in a secure enclosure that does not
expose ports. Physically securing the computer is essential - if only to
restrict access to mass storage by anyone with a screwdriver.

~~~
nickpsecurity
"Have screwdriver, cable, and laptop. Can bypass all INFOSEC."

This slogan should indeed never happen.

------
ck2
So I've lost track now.

In 2016, is the NSA operating inside the USA at all?

Are they doing it without warrants?

~~~
imglorp
Yes, because the public allows it.

[https://www.eff.org/nsa-spying/timeline](https://www.eff.org/nsa-spying/timeline)

------
edge17
Maybe this is a dumb question, but within the whole of the intelligence
community, who/how many people actually see how big the surveillance operation
is? Is it just the one guy at the top of the NSA that knows about all the eyes
and ears in the kingdom? I would imagine, based on compartmentalization, the
people involved in individual parts of all the machinery only have limited
knowledge of the other things going on.

~~~
AndrewKemendo
No single person has full purview and that is by design.

Even the President likely doesn't know every program comprehensively, not for
lack of access but because it's so large that it would be hard to get all of
it in such detail.

~~~
edge17
I'm not following... I would assume at the very least the top guy at the NSA
has a full view of all operations.

As the top intelligence officer, I would assume it's his job to know where all
the tentacles are?

~~~
AndrewKemendo
Well, to be clear the DIRNSA is not the "top intelligence officer."

Technically that role is held by James Clapper as the Director for National
Intelligence (DNI).

It's also more complicated than just appointing someone as the head of
"Intelligence" because most of the directors of the Intelligence Agencies
guard a lot from each other so they don't get resources nabbed.

Prior to the formation of the DNI role, the "Top Spy" was the Director for
Central Intelligence (DCI) AKA Director of the CIA - who had outsized pull and
purview.

Today there is a push and pull between the DNI and DCI, at the presidential
level.

Long story short, it's complicated and very very large.

------
lisper
I submitted this story at the same time as another one, which is more timely
and arguably more relevant:

[https://news.ycombinator.com/item?id=11358724](https://news.ycombinator.com/item?id=11358724)

This story was linked from that one.

~~~
nickpsecurity
They don't have the skills to pull that off. I'd help them if they wouldn't
lock up the I.P.. That they would and try to circumvent competition with
patent suits is the reason I haven't jumped in to help them. Whatever they do
will eventually be used against users of their products but everyone else
first. ;)

There's already stuff in CompSci and industry that can stop all of these
attacks which they could straight up buy. Some of it is very low-overhead to
enforce critical properties. That they haven't implemented any of that plus
keep making common mistakes reinforces my decision that they're not capable of
high-assurance security. So, their mechanisms will raise a baseline but not be
adequate for intended opponents.

------
cat-dev-null
Another reason OS peripheral firewalls and firmware IDS need to exist because
right now, IO is a welcoming attack surface.

~~~
monocasa
How do you create a firmware ID system that provides anything meaningful?
Wouldn't a hostile device simply spoof another device's IDs?

~~~
cat-dev-null
Your questions seem to conflate two things: nonrepudiation (which includes
integrity) of firmware and A3E for I/O.

- Treat firmware like a file, save hashes of them in a public-key signed
baseline db. Basically hash everything that can be dumped and throw alerts if
anything in the targeted policy changes. (Tripwire for firmware)

- Thinking about it again, v2: end-to-end encryption is needed from
driver/app through to device silicon. Key management might require "pairing",
where an initial secret is provided separately (like the security model of an
Entropy Key, but perhaps not a burned-in secret). Given that most actual
drivers are proprietary anyhow, consider today's drivers as http://
when https:// everywhere is needed to defend against bus-sniffing.

[http://www.entropykey.co.uk/](http://www.entropykey.co.uk/)
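As an added example (not code from this thread or from any project named in it), here is a minimal Python sketch of the "Tripwire for firmware" baseline described in the comment above: every dumpable firmware image is hashed, the hash table is authenticated, and a re-scan raises alerts for changed, unknown or missing devices. To stay on the standard library it swaps the public-key signature for an HMAC with a key held offline; the device identifiers, firmware blobs and key are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample data: device identity -> firmware image dumped from it.
FIRMWARE_DUMPS = {
    "usb-hub:vid=0xAAAA:pid=0x0001": b"\x7fELF-hub-firmware-v1",
    "nic:vid=0xBBBB:pid=0x0002": b"NICFW-1.0",
}

def hash_dump(blob):
    """Hash a dumped firmware image; the hash, not the device ID, is what the baseline trusts."""
    return hashlib.sha256(blob).hexdigest()

def build_baseline(dumps, key):
    """Hash every dump and authenticate the table (HMAC stands in for a public-key signature)."""
    entries = {dev: hash_dump(blob) for dev, blob in dumps.items()}
    payload = json.dumps(entries, sort_keys=True).encode()   # canonical form for the tag
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}

def verify_baseline(baseline, key):
    """Refuse a baseline whose table was edited after it was authenticated."""
    payload = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["tag"])

def check_dumps(baseline, key, dumps):
    """Re-scan: compare fresh dumps against the baseline, return (reason, device) alerts."""
    if not verify_baseline(baseline, key):
        raise ValueError("baseline failed authentication; do not trust it")
    alerts = []
    for dev, blob in dumps.items():
        if dev not in baseline["entries"]:
            alerts.append(("unknown device", dev))       # new hardware on the bus
        elif baseline["entries"][dev] != hash_dump(blob):
            alerts.append(("firmware changed", dev))     # also fires for a spoofed ID
    for dev in baseline["entries"]:
        if dev not in dumps:
            alerts.append(("missing device", dev))
    return alerts

if __name__ == "__main__":
    key = b"constructed-offline-key"
    baseline = build_baseline(FIRMWARE_DUMPS, key)
    print("clean scan:", check_dumps(baseline, key, FIRMWARE_DUMPS))
    modified = dict(FIRMWARE_DUMPS, **{"nic:vid=0xBBBB:pid=0x0002": b"NICFW-1.0-modified"})
    print("after change:", check_dumps(baseline, key, modified))
```

Because the check compares the dumped image rather than the advertised ID, a device that spoofs another device's ID still trips the "firmware changed" alert unless its firmware is byte-identical.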