
Hacking Team, Computer Vulnerabilities, and the NSA - nerdy
https://www.schneier.com/blog/archives/2015/09/hacking_team_co.html
======
PhantomGremlin
Schneier didn't discuss what is IMO the biggest reason for NSA not to report
vulnerabilities: it's "pissing into the wind", it's futile. When 10
vulnerabilities are reported and fixed, 11 new ones are quickly found. The
vulnerabilities are overwhelming us.

Back around the year 2000 Microsoft was being beaten up for all the
vulnerabilities in their software. So in 2002 Bill Gates announced
"Trustworthy Computing".[1][2]

    Microsoft Chairman Bill Gates announced a major strategy shift across all
    its products, including its flagship Windows software, to emphasize
    security and privacy over new capabilities.

In 2014 Microsoft finally threw in the last towel, folding the group they
formed into other units. They gave up. Microsoft lost not because they were
incompetent, but because the problem is too big to attack in a conventional
manner.

I don't know what the answer is, but we need to approach things very
differently. To quote Dr. Peter Venkman: "the usual stuff isn't working".

[1] http://www.foxnews.com/story/2002/01/16/bill-gates-announces-microsoft-strategy-shift-toward-security-privacy.html
[2] https://en.wikipedia.org/wiki/Trustworthy_computing

~~~
flyryan
This is why I have an issue with Project Zero. You will NEVER patch all the
0days. There are only a few bugs that I've seen that were so impactful
(Heartbleed for example) that it made a massive impact to release and patch
it. And as you implied, patching an 0day often publicizes a new vulnerable
attack surface with new bugs to follow.

The real way to fix security issues isn't to find new exploits and expose
them. It's to architect new ways to prevent whole families of exploits from
being possible. I've only really seen Project Zero do one sort of
recommendation in this way. Outside of that, I don't feel that them finding
0days and releasing them is actually a significant improvement on security
because they aren't even close to plugging all of the holes (or even enough to
really make a difference).

------
tptacek
There's a fourth reason NSA wouldn't have tipped off every vendor impacted by
HT exploits: because they have no business breaking into commercial
vulnerability research teams' networks, grabbing their exploits, and burning
them. It is in fact probably unlawful for them to do so (those actions having
as they do an impact on US F-500 companies that use --- for better or worse
--- tools from companies like HT to evaluate their own security).

This is a positive comment, not a normative one. I don't know how I feel about
entities busting up companies like HT, but I do think I know that the world
would be better off without companies like HT.

~~~
bediger4000
I salute your sentiment: the world would be better off without companies like
HT.

 _It is in fact probably unlawful for them to do so_

I realize that the patriotic employees of the NSA work within a legal
framework, and seemingly pride themselves on doing so. But they haven't
bothered to share that framework with the rest of us. So my first response was
to snicker to myself, and that's unfair to you.

Also, Hacking Team was Italian, not US, so would it really be illegal to slurp
up all of HT's exploits? That is, if you want to stay within the bounds of the
law, if not the bounds of ethical behavior.

~~~
tptacek
I tried to acknowledge that HT is jurisdictionally complex; they are probably
allowed, under the same charter that allows CIA to conduct HUMINT missions, to
attack Italian security companies (modulo treaties, I guess). The issue though
is that those attacks have direct impact on US companies, who (again) may rely
on HT products for "zero day pentesting" (among other things).

~~~
HiYaBarbie
> _they are probably allowed, under the same charter that allows CIA to
> conduct HUMINT missions, to attack Italian security companies_

They are definitely _not allowed_, under the _Constitution_, to monitor
everyone, but they do it anyway. You know this too.

So why do you discuss legislation as if it mattered to the NSA, when their
actions show it clearly doesn't?

~~~
ikeboy
The NSA consists of many parts. Some people within it breaking the law does
not mean that laws don't matter there.

~~~
HiYaBarbie
Look, the NSA as an organization, as a whole, is blatantly violating the
Constitution, which is supposedly the most sacrosanct law of the nation.

The fact that they don't care about what laws say doesn't get any clearer than
that.

The fact that no one from NSA has gone to jail for the NSA violating the
Constitution shows... well, pretty much that the government doesn't bother
punishing itself for violating its own laws.

To be fair, that _would_ be kind of silly, after all.

~~~
ikeboy
Has any court ruled NSA actions to be against the Constitution?

~~~
ionised
http://www.reuters.com/article/2015/05/07/us-usa-security-nsa-idUSKBN0NS1IN20150507

http://www.freedomwatchusa.org/federal-judge-rules-against-nsa

http://edition.cnn.com/2013/12/16/justice/nsa-surveillance-court-ruling/

~~~
ikeboy
The first one doesn't say anything about constitutional issues.

 _The appeals court did not rule on whether the surveillance violated the U.S.
Constitution._

The second link has a ton of links. The first one is only referring to a
preliminary injunction; i.e., it found that "there's a good chance the
plaintiff will win", but did not find in favor of the plaintiff. As far as I
can tell, all the other links there are about the same ruling.

The third link is talking about that same ruling, again:

 _A federal judge said Monday that he believes the government's once-secret
collection of domestic phone records is unconstitutional_

Emphasis on _believes_; that was not a judicial finding that the government
violated the constitution.

He didn't even order the government to stop:

 _However, he put off enforcing his order barring the government from
collecting the information, pending an appeal by the government._

What happened on appeal?
http://www.cadc.uscourts.gov/internet/opinions.nsf/ED64DC482F286F1785257EAF004F71E8/$file/14-5004-1570210.pdf,
or a more readable summary here
http://www.bloomberg.com/news/articles/2015-08-28/u-s-appeals-court-sends-nsa-collection-challenge-back-to-judge
and
http://www.ibtimes.com/nsa-phone-surveillance-ruling-reversed-court-sides-national-security-agency-klayman-v-2073190

------
codezero
While I wouldn't put it past the NSA – why would we assume the NSA had
infiltrated Hacking Team?

~~~
rnovak
I think it's a fairly safe bet that they did, and I'll explain why I believe
this.

1. The NSA has access to more info on both good crypto and broken crypto.

2. Hacking Team's software & infrastructure were clearly vulnerable,
otherwise they wouldn't have been hacked.

3. Leaked docs show that NSA hacks everyone they possibly can, to get as much
information as they possibly can.

It's really not a big leap to assume that NSA infiltrated Hacking Team's
infrastructure; if anything I would think it's harder to believe they
_wouldn't have_.

So if some Joe Schmoe broke into Hacking Team's system, I think it's pretty
reasonable to assume that NSA did as well.

But just so I can understand what you're saying, why do you think it's a big
assumption?

Edit: Formatting.

~~~
codezero
Thanks for this, I agree it makes sense that they would have, I was just a bit
disappointed that Bruce didn't enumerate any of this in his post. In fairness,
all of this stuff is probably "duh" to him, and his normal audience, but it's
not so obvious to everyone.

Here's another thought: what if the NSA hacked Hacking Team, and they were
also the ones to release all the data publicly.

Re: #3 – do you have any links to that info? (I'm not challenging you to prove
what you said, I'm just curious, if you don't have anything readily available,
I'll Google search like a good Internet commenter :))

~~~
rnovak
I think it would be hard to go through everything, but off the top of my head:

[https://snowdenarchive.cjfe.org/greenstone/collect/snowden1/...](https://snowdenarchive.cjfe.org/greenstone/collect/snowden1/index/assoc/HASH0127/fe6ee959.dir/doc.pdf)

Quote:

    For the past decade, NSA has led an aggressive, multi-pronged effort to
    break widely used Internet encryption technologies

Their Motto:

    "We penetrate targets' defences."

~~~
PhantomGremlin
_"We penetrate targets' defences."_

That would more likely be a GCHQ or MI5 or MI6 motto than an NSA motto.

A quick bit of Googling finds that the "PTD" in the slides refers to GCHQ's
Penetration Targeting Defences unit. So it's their motto. Which explains the
spelling.

------
ewass9000
If you do not realize that we have always been monitored, usually without a
legal vehicle, by government agencies, you are just too young. If you believe
for one second that the NSA is more of a threat than the ultimate climate
created by the aggregation of every set of data collected by ISPs, Cloud
service providers, app makers, and social media, please start thinking and
researching just a few more steps ahead. Attacks will be patched, the NSA will
decrypt in real time until someone finds a way to embarrass them. The natural
growth of company-driven data theft and distribution can only result in an
environment with revolutionary scientific achievement and statistical
analysis that poses unprecedented virtual and physical threats to individuals
and groups. The simple fact is our users have been slowly trained to implement
and act upon concepts and technology they do not understand. When a person that
can hardly type can watch a video online with explicit instructions on how to
hijack a cell phone, but easily use too much power and suspend service in an
area, what do we really change when houses burn and heart attack victims die
because they have no 911 service?

------
NullCharacter
Schneier apparently doesn't even know what the NSA stands for (National
Security _Administration_?) and yet seems to think it's safe to assume that they had
infiltrated Hacking Team, and then proceeds to make a whole bunch of
judgements and follow-on assumptions based off that first baseless assumption,
all while pandering to his userbase.

Well done, Bruce.

~~~
linkregister
I don't think a little typo ("Administration") weakens his argument. I think
this post is more of a thought experiment than a serious analysis of what most
likely happened.

Though I agree that over the past few years, Schneier's posts have been less
substantial in analysis and contain more "thought experiments". I enjoyed his
blog way more when it was restricted to the subject he has expertise in, i.e.
cryptography.

~~~
NullCharacter
I don't really think he was going the thought experiment route. He seems to
genuinely believe what he writes. For example:

"The NSA was most likely able to penetrate Hacking Team's network and steal
the same data. The agency probably did it years ago."

Nothing too ambiguous about that assertion.

------
benmmurphy
It would be interesting to know if the NSA has explicit special access or has
infiltrated the bug reporting programs for important vendors. Are browser bugs
or iPhone bugs important enough that the NSA has some guy in Apple or Firefox
feeding them bug reports on the side?

~~~
codezero
Bugzilla was recently owned by an unnamed, unknown source, giving that source
access to many zero day browser exploits for what was apparently many months.
So yes, someone is doing this.

