
 Shopping for Spy Gear: Catalog Advertises N.S.A. Toolbox - slashdotaccount
http://spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
======
ihsw
Somehow I doubt Al Qaeda is using Juniper, but our allies (read: economic
adversaries) are.

I hope the companies listed -- Dell, Cisco, Juniper, IBM, Western Digital,
Seagate, Maxtor, et al -- are happy with themselves. The government's mantra
has historically been similar to that of Microsoft's: embrace, extend,
extinguish. The US Government is no different and they'll happily throw every
company under the bus for the smallest advantage over their adversaries.

America's rivalry with China is continually climbing higher and higher, and
we're getting dragged along whether we like it or not. The unshakable
intertwining of private and public industries, the scorched-earth economic
policies where private industry is consumed for the benefit of the public, the
unlimited spying powers -- all to stay ahead of China.

The real kicker is that this kind of spying power compounds on itself -- as
soon as we get Juniper gear exploited then we can move onto infiltrating
Seagate's intranets, and then we can use Seagate exploits to more easily dig
into hard-drives accessible by us/in custody by us. We may never be able to
make a distinction between which tech companies have been exploited and which
are wilfully/maliciously passing vulnerability information to the US
Government.

~~~
EFruit
> I hope the companies listed -- Dell, Cisco, Juniper, IBM, Western Digital,
> Seagate, Maxtor, et al -- are happy with themselves.

I'm not going to say that these companies are fantastic. I'm just not, but I
will say that perhaps this isn't really their fault.

Let's say that BIND has a critical vulnerability that allows people to snoop
on the requests made. Does that make the ISC guilty of giving the NSA access
to every BIND DNS server on the internet?

No, it doesn't.

~~~
joe_the_user
The question is whether these exploits are accidents or the result of
companies giving in to pressure from the NSA.

If the Snowden revelations are to be believed, at least some of the exploits
were the result of giving into NSA pressure.

But the problem with this is that it breaks the chain of trust that a company
has with its customers. Once you know the NSA is applying pressure secretly
to force some vulnerabilities to remain open, how can you know they aren't
doing that with any given vulnerability?

~~~
Spooky23
My guess is that it's all of the above. You're talking about a massive,
compartmentalized organization.

I'm sure that different groups approach their data acquisition activities with
multiple channels, if for no reason other than to prevent other NSA people
from knowing about what they are doing.

------
malandrew
This new information puts American companies at even more risk of lost sales
since given two companies, American Company and Foreign Company, the NSA is
always going to have a massive advantage in penetrating the American company
to get as much information as they want to produce these backdoors. Whenever they
fail to remotely access the company networks containing the IP for all the
equipment they want to target, they have many more options available to
physically access the network of these companies, possibly going as far as
having a mole working at the companies, exfiltrating the IP they need to
produce the tools in the catalog or even deliberately putting in backdoors.

This is probably the most damning information I've seen of NSA activities.
This is anti-American activity since it clearly harms US economic interests.
This coupled with the policy that spying on foreigners is fair-game is enough
reason to give any foreign government or company enough reason never to
purchase equipment from US tech companies.

As an engineer in the US, this makes my blood boil. I really hope that this
new information generates more interest in open-source network software and
hardware.

~~~
casca
Juniper were making good inroads into the corporate firewall market at the
expense of Checkpoint. It'll be interesting to see whether this sees a move
back to Checkpoint as the firewall product of choice.

~~~
midas007
Another reason to consider pfSense (which could use a crowdfunded secaudit
like TrueCrypt).

------
w1ntermute
After all these years of free software proponents advocating for open source
BIOSes and getting mocked for their supposed impracticality, we see the truth.

~~~
wmt
NSA is not exploiting or pre-backdooring the BIOS, it's just reflashing it
with a malicious payload to keep the system infection alive. No amount of
open source anything would make them unable to do this.

~~~
tptacek
In fact, the things that would make it difficult to do this are routinely
criticized by "open source" partisans as tools for suppressing Linux.

~~~
makomk
The things that make it difficult to do this are only obstacles to adversaries
that don't have access to Intel's secret keys. If you have those, by design
you can both bypass secure boot and reflash the BIOS with whatever code you
like, and the very same restrictions that stop normal users from doing those
things also make it impossible for them to detect that it's happened. The NSA
has an entire well-funded division dedicated to helping enable eavesdropping
by retrieving information like those keys.

Those security features are genuinely only useful for stopping people from
installing Linux and open BIOSes. They can only protect computers from their
users, not from the NSA.

~~~
acqq
Exactly. Lavabit example is 100% clear: one user is enough for three letter
agencies to get the court request for all the private keys.

------
fabian2k
The NSA must have an enormous pile of unknown exploits to facilitate all that.
I wonder how they prevent other US agencies and government networks to be
vulnerable to the exploits the NSA uses itself, or if they even bother trying
to do that.

Leaving pretty much the entire IT infrastructure vulnerable seems like a very
dangerous strategy.

~~~
louwrentius
It is fascinating that if they just would inform vendors on their security
vulnerabilities and have them patched, that this would probably make us more
secure than the eavesdropping they can do with the exploits.

~~~
danielweber
It depends on the resources involved.

A big assumption that lots of bug-hunters make, that "this is one of the last
bugs, and once fixed, the product will be much more secure." But there are
always more bugs. If you assume that there are more exploitable bugs beyond the one
you are fixing now, it means that the vendors and customers have to spend time
and money patching things, and won't really be any more secure afterwards.

Also "if I found it, so can The Bad Guys" is something that applies to
individuals and small research teams. It's not necessarily the case that when
the NSA finds something that other people are going to find it, too.

Also, unlike most security researchers, the NSA has the resources to monitor
if other people are exploiting the vulnerabilities they found.

I'm not saying that the country _wouldn't_ be safer if the NSA disclosed
these vulnerabilities to vendors. I'm only saying that many of the common
heuristics that researchers assume as true may not be, and especially not when
applied to the NSA.

~~~
jessaustin
_...there are always more bugs._

True but trivial. It's much more instructive to pay attention to the _rate_ at
which vulnerabilities are discovered. For e.g. qmail that rate is very close
to zero per decade. For less secure products the rate varies over time; some
researchers have noted a sort of "honeymoon" period that protects new code.
Packages that don't in some sense eventually "settle down" after that period
ends might ought to be replaced. Or perhaps they are important or unimportant
enough to mitigate their vulnerabilities through other means.

------
mmaunder
The damage that this does to US software and hardware manufacturers and
service providers like hosting companies is incalculable. The NSA is providing
a strong ongoing incentive to buy your hardware offshore and host your servers
offshore. As an American entrepreneur I'm horrified by the long term
implications of this. It seems for all the mathematicians they employ they're
unable to see that the long term cost of these programs far outweighs the
short term benefits.

~~~
anologwintermut
The NSA also got Huawei's stuff too. I highly doubt a Chinese company was
cooperating with the NSA. Really, it seems like the NSA just went after market
leaders and developed exploits against those systems. As far as this article
suggests, they had no internal help in doing so.

Not using US equipment probably does little. The solution is to make secure
equipment that is harder to exploit. Moreover, the argument can be made that
if the NSA can find these issues, so can others that the US government
considers a threat to national security.

------
f_salmon
This is it.

Literally everything is infected.

Again, either the NSA goes (and you know that won't happen) or information
technology goes or democracy as we know it goes.

Everyone, take your pick now.

~~~
colinplamondon
This is effectively a weapons system, and any country with budget can build
the same system or better. To stop the NSA would be unilateral disarmament,
without reason to expect others to cut back on their infowar programs.

~~~
malandrew
Or you know maybe we can demand that this unit actively try to help these
companies improve the security of everything in the catalog so that we are all
secure. Knowingly allowing vulnerabilities to persist in equipment that a US
citizen or US corporation purchases from companies like Juniper Networks or
Cisco is akin to leaving them unprotected and defenseless against malicious
adversaries.

We're not asking for disarmament. We're asking for de-weaponization by
retasking the TAO and the unit that produces these products to work on
defensive activities instead of offensive activities. For a long time many,
except those considered tin-foil hatters, viewed the NSA as fundamentally
providing a useful service to protect Americans and American companies. Now
it's clear the tin-foil hatters were right and that the NSA is essentially an
offensive organization and that even American citizens and companies are
victims of those offensive capabilities.

------
superuser2
So essentially an internal, military-grade Metasploit.

It's not surprising that NSA would develop and maintain a strong repertoire of
exploits for popular infrastructure. What else did you think an organization
tasked "to produce foreign signals intelligence information" was doing with
all those computer security experts on staff?

Is there evidence that NSA was _planting_ backdoors or that US tech firms were
cooperating? Isn't it more likely that NSA was simply discovering (and
possibly purchasing) 0-days just like everyone else?

They can do that with foreign equipment just as easily. Switching to non-US
hardware is just irrational.

------
confluence
Stallman was right. Again.
[http://stallman.org/stallman-computing.html](http://stallman.org/stallman-computing.html)

Trust nothing. Everything is a lie.

------
K0nserv
Anyone have a copy of the supposed catalog? I didn't find a source in the
article.

~~~
f_salmon
If WikiLeaks had gotten a copy from Snowden, you would have had this catalog
now.

~~~
K0nserv
It is pretty ridiculous that the press is somewhat exempt from providing
sources for their statements.

Wikileaks would have been much better.

------
blhack
How on earth could this possibly be verified?

If I was the NSA right now, I would be "leaking" tons of fake, and fantastic,
stories about myself in order to discredit any legitimate concerns.

I can imagine the talking heads now "well what else were these conspiracy
theorists wrong about? Personally I'm glad somebody is out there protecting our
freedom."

etc.

~~~
1457389
From the reporting, it looks like they had official documents with an actual
price list for various exploits, along with details about what they entailed
("rigged monitor cable", "USB nubs"). What exactly do you consider to be
'verified'? Alexander or Clapper standing up and owning up to it? Good luck
with that...

~~~
sneak
There is little Jake Appelbaum (one of the listed authors of this piece) won't
do or say for media attention and public credibility.

Documents would be plausible. "Trust us, we've read them" from someone widely
known to lie and steal is another matter entirely.

Entirely unsubstantiated rumors on the internets suggest that Jake got a talk
pulled this week from the CCC hacker conference presently underway in Hamburg
(which he keynoted last year) that was due to explore his motives and
relationship with the US government, as he is the only US citizen publicly
affiliated with Wikileaks and has not yet been charged, arrested, or
imprisoned (and Wikileaks has not really done anything damaging to the US
government since CM/Cablegate).

Don't believe everything you read.

~~~
EthanHeilman
You've made a number of accusations toward Appelbaum, a well respected
researcher, without providing any evidence. This generally is a sign that
someone is acting in bad faith.

Care to provide sources, or does the person asking me not to believe
everything I read expect me to take his claims on faith and "entirely
unsubstantiated rumor"?

~~~
sneak
> a well respected researcher

He's only well respected outside of the security research community. Those
inside know him better than that.

> This generally is a sign that someone is acting in bad faith.

Indeed, this is why many people directly affected by his harassment,
backstabbing, and general underhanded techniques employed in his pursuit of
fame and glory choose to ignore him rather than directly and publicly address
his treachery.

Unfortunately, that means his past goes unreported.

I hold lay opinions of my reputation in little regard, so I (unlike many
friends of mine) have no issue saying what I know.

It's all hearsay by the time it gets to you, though, as I'm the first hop away
with many of these reports. I'm not interested in opening myself up to a libel
suit.

For a general impression of his behavior, please go review his own posts on
the noisebridge mailing list archives. Don't take my word for it.

------
Zaephyr
This sort of news makes me shake my head. The scammers are trying to get in, the
NSA is in, and now every other state security organisation will feel if they
don't try to get in they will be falling behind.

All I want to do is keep clients safe and out of all this cross-fire.

------
1457389
With a proper oversight regime and individualized warrants, I can see this
being an acceptable use of NSA power. With the absurd degree of intrusive
latitude the NSA possesses now, it just makes it easier for them to violate
civil liberties on a massive scale. Very few people can avoid being
compromised by backdoors in these devices and companies, the same way very few
people can avoid the physical threat of government aggression. The difference
is that the latter has a far more robust system of controls to ensure it is
used judiciously and ethically. Until the former has the same, we need to do
everything we can to limit or invalidate the NSA's power.

------
adamors
How did this get submitted when the exact same link was posted 2 hours ago?
[https://news.ycombinator.com/item?id=6979240](https://news.ycombinator.com/item?id=6979240)

~~~
sgift
It seems spiegel.de vs www.spiegel.de wasn't caught by HN's duplicate URL
detection.

------
wepple
This article feels like it may be somewhat misleading around the use of the
term "back door".

If the NSA has in fact backdoored all of those products, kudos for keeping it
quiet for this long!

If, however, these products have vulnerabilities in them, like all software
does, and the NSA have access to these vulnerabilities (like numerous other
people do), it's not quite as devious.

In that case they didn't have a super-secret backdoor installed with no-one
noticing, but in fact discovered that the window wasn't locked, and kept that
a secret.

------
danso
Mostly OT: besides the technical details, I'm interested in seeing the actual
descriptive text for these items. In my mind, the tone would be something
similar to this parody
[http://www.teamfortress.com/sniper_vs_spy/day04_english.htm](http://www.teamfortress.com/sniper_vs_spy/day04_english.htm)

------
jawerty
Can't wait to get Google Glass...

~~~
CamperBob2
To which the NSA's answer will be, "Yo, dawg, we heard you like spying..."

