
Your USB cable, the spy: Inside the NSA’s catalog of surveillance magic - joseflavio
http://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/
======
tlb
Unlike Snowden's disclosures of mass surveillance, this is not whistleblowing.

Mass surveillance, such as recording and correlating cell phone location data
or searching all emails, is immoral and unconstitutional, and it's good that
the extent of it was revealed.

Doctored USB cables do not enable mass surveillance since they have to be
physically delivered to specific subjects. Assuming they're delivered based on
some sort of probable cause, they are a legitimate law enforcement technique.

Revealing details of legitimate practices does no good. To the extent that
revealing them encourages the NSA to resort to less legitimate practices, it's
harmful.

~~~
mpyne
Yes, this "list of techniques" revealed by the German newspaper _Der Spiegel_
is another thing that will be someday used against Snowden in a U.S. court...

Reason I say that is because as long as we're operating under the assumption
that the U.S. will have a branch of the government _somewhere_ that is able to
engage in cyber-conflict activities (offensive or defensive), those cyber
conflicts will be dependent upon _weapons_ with which to fight them.

Even those who are mistrustful of NSA ever looking at domestic data seem to at
least be aware that U.S. networks are constantly under attack (e.g. the Aurora
attack on Google, countless attacks on U.S. defense contractors), and that it
might be good for the U.S. to have similar capability.

And now the list of secret (cyber-)weapons is out for the whole world to see.

Contrast what would happen if this was a top-secret military weapons program
(like, say, a stealth helicopter). How would the spy who leaked it have been
treated?

~~~
intslack
That's assuming that these documents were given to Appelbaum by Snowden or
Poitras:

[https://twitter.com/ggreenwald/status/417325532980580353](https://twitter.com/ggreenwald/status/417325532980580353)

Reading between the lines of the 30C3 talk, and the fact that none of this is
credited to Snowden by Der Spiegel, I'd say there is a chance that another
"whistleblower" is out there.

------
adolph
I was surprised by the USB cable thing, but then I remembered:

- Apple's Lightning Digital AV Adapter: [https://www.panic.com/blog/the-lightning-digital-av-adapter-...](https://www.panic.com/blog/the-lightning-digital-av-adapter-surprise/)

- Bunnie Huang on Micro SD processors: [http://www.bunniestudios.com/blog/?p=3554](http://www.bunniestudios.com/blog/?p=3554)

- Commercially available wireless on SD cards: [http://www.eye.fi/](http://www.eye.fi/)

USB lacks DMA, right?
[https://en.wikipedia.org/wiki/DMA_attack](https://en.wikipedia.org/wiki/DMA_attack)

~~~
MertsA
USB lacks DMA, but that's basically a moot point. There are so many USB drivers
that aren't well tested or even well written that the attack surface is just
huge. You might as well have DMA from USB; it wouldn't really make matters that
much worse.

------
choult
It's really quite hard to stop admiring the technical lengths the NSA has gone
to to exceed their constitutional bounds - radar-powered devices for snooping
is genius!

~~~
lambda
Do you really think that tailored custom devices for spying on particular
people of interest exceeds their constitutional grounds?

Would you object to the NSA or CIA planting bugs that record audio or video on
targets of interest outside of the United States? Does that exceed their
constitutional grounds? How about if they supplied these to law enforcement
agencies which had valid search warrants?

I have plenty of concerns about the constitutionality of certain NSA programs
(such as collecting metadata on everyone, regardless of prior suspicion or
search warrant), and some of the techniques they use (tapping all of Google's
fiber traffic between data centers, putting backdoors in international
standards), and I find these revelations technically fascinating, but I don't
find any fundamental constitutional issue with them using clever, advanced
technology for spying on valid targets.

~~~
a3n
> Do you really think that tailored custom devices for spying on particular
> people of interest exceeds their constitutional grounds?

Do you really think that an agency that practices unconstitutional mass
surveillance (or unconstitutional anything) would never use these recently
revealed capabilities unconstitutionally?

~~~
codex
As far as I know, none of the NSA's practices have been ruled
unconstitutional. At best, the courts have sent mixed signals, and the
collection of metadata was explicitly decreed constitutional by a previous
Supreme Court ruling.

~~~
intslack
Not exactly; you have to stretch pen register authority pretty far to extend
it to the NSA's bulk programmatic uses.

[http://www.lawfareblog.com/2013/11/problems-with-the-fiscs-n...](http://www.lawfareblog.com/2013/11/problems-with-the-fiscs-newly-declassified-opinion-on-bulk-collection-of-internet-metadata/)

------
rottenfool
IrateMonk is especially troubling: it installs itself in hard disk firmware,
and supports all the major manufacturers: Western Digital, Seagate, Samsung,
etc. Now that it's known to exist, it's just a matter of time until some
enterprising malware author does the same...

~~~
acdha
These attacks have all been well understood as possible within the security
community for years. People have demonstrated firmware exploits at security
conferences and things like Microsoft's secure boot were explicitly designed
to prevent this kind of threat.

Put another way, if you found that an intelligence agency had cool lock-
picking tech would it change anything? Maybe it's surprisingly fast, leaves
fewer traces, etc. but … it's not exactly a secret that they're in this
business and this kind of thing is far less troubling than wide-scale
surveillance because it still requires explicitly targeting specific people.

------
dmishe
NSA surely attracts some top talent, do they pay that well?

~~~
zachrose
GS pay scale tops out in the low six figures, so to get around that they go
through firms like Snowden's Booz Allen Hamilton. Now that a comprehensive
picture of mass surveillance has emerged, an ethically unbothered engineer
would be wise to recognize his or her increasing scarcity when negotiating
salary.

------
jdbernard
For years there have been many in the industry that have pointed out how few
of the design and manufacturing practices have had any serious thought to
security. Things like BIOS vulnerabilities, driver firmware, etc. have been
known for decades. I suppose there is some small consolation in being able to
say, "I told you so."

------
elif
The lengths they are willing to go for spying seem to be as broad as their
creativity. So basically, the NSA would read minds if it weren't for the
technical hurdles... which they will probably overcome before we find out.
We're going to need an idiom to replace "tinfoil hat" soon.

------
noonespecial
_Monkeycalendar? Candygram?_ The names are ridiculous. It's like the whole
place is staffed by 12-year-olds who loved the "Spy Kids" movies.

~~~
Luc
Computer generated, of course. Though I have no doubt a person has the final
say, screwing with the otherwise perfect randomness.

See also
[https://en.wikipedia.org/wiki/Battle_of_the_Beams#X-Ger.C3.A...](https://en.wikipedia.org/wiki/Battle_of_the_Beams#X-Ger.C3.A4t)

"Jones had already concluded the Germans used code names which were too
descriptive. He asked a specialist in the German language and literature at
Bletchley Park about the word Wotan. The specialist realised Wotan referred to
Wōden and might therefore be a single beam navigation system."

------
aaronem
Seriously! [1]

> The Black Chamber’s sophisticated hacking operations go way beyond using
> software vulnerabilities to gain access to targeted systems. The Chamber has
> a catalog of tools available that would make James Bond’s Q jealous,
> providing Chamber analysts access to just about every potential source of
> data about a target.

> In some cases, the Black Chamber has modified the firmware of computers and
> network hardware—including systems shipped by Cisco, Dell, Hewlett-Packard,
> Huawei, and Juniper Networks—to give its operators both eyes and ears inside
> the offices the Chamber has targeted. In others, the Black Chamber has
> crafted custom BIOS exploits that can survive even the reinstallation of
> operating systems. And in still others, the Black Chamber has built and
> deployed its own USB cables at target locations—complete with spy hardware
> and radio transceiver packed inside.

> [...]

> Either way, the altering of systems’ firmware or hardware gives the Black
> Chamber the ability to install backdoors that can survive a total operating
> system wipe and re-installation. One BIOS attack, called SWAP, was developed
> by the Black Chamber to attack a number of types of computers and operating
> systems by loading surveillance and control software at boot-up. SWAP uses
> the Host Protected Area on a computer’s hard drive to store the payload and
> installs it before the operating system boots.

> [...]

> An implanted wireless device is the Black Chamber’s go-to approach for
> dealing with “air-gapped” networks—networks that don’t have an Internet
> connection for security reasons. There are a number of other implanted
> devices that the Black Chamber has in its TAO arsenal, including USB and
> Ethernet implants that can transmit short-range radio signals and more
> robust implanted hardware for longer-range transmissions. These radio links
> create a shadow Internet that allows the Black Chamber to move data out of
> an adversary’s network and into its TURMOIL and X-KEYSCORE collection
> system.

> [...]

> But why stop at network data? The Black Chamber also uses some fairly exotic
> tools to grab computer video, keyboard strokes, and even audio from inside
> more difficult-to-reach places by using passive electronic devices that are
> actually powered by radar. These devices, charged by a specially tuned
> continuous wave radio signal sent from a portable radar unit (operating at
> as little as 2W up to as much as 1kW of power in the 1-2GHz range), send
> back a data stream as a reflected signal, allowing the Black Chamber’s
> operators to tune in and view what’s happening on a computer screen or even
> listen to what’s being said in the room as they paint the target with radio
> frequency energy—as well as giving a relative rough location of devices
> within a building for the purposes of tracking or targeting.

> Hacking smartphones

> The 2007 Black Chamber wish book for analysts also includes a number of
> software tools that allow data to be stolen from a variety of smartphones
> and dumb cell phones. One software hack, called DROPOUTJEEP, is a software
> implant for Apple iOS devices that allows the Black Chamber to remotely
> control and monitor nearly all the features of an iPhone, including
> geolocation, text messages, and the microphone and camera. (Researcher and
> developer Jake Appelbaum, who helped write the Spiegel article revealing the
> documents, said separately this week that the Black Chamber claims
> DROPOUTJEEP installations are always successful.) Another package, called
> TOTEGHOSTLY, does the same for phones based on the Windows Mobile embedded
> operating system.

> [...]

> But these aren't the only ways the Black Chamber can get to cell phone data.
> Also in the bag of tricks are a number of wireless monitoring devices, as
> well as “networks in a box” and other gear that can pose as cell towers and
> networks—intercepting devices as they enter an area and grabbing up their
> voice, data, and SMS traffic. A "tripwire" program called CANDYGRAM can send
> out alerts whenever a cell phone hits a specified cell tower.

> Old tricks, new tricks

> It’s important to note that the exploits in the documents are largely over
> five years old, so they don’t necessarily give a complete picture of what
> the Black Chamber is capable of today. That doesn’t mean that these
> techniques are no longer in circulation—given the stubbornness of Windows
> XP, many of the exploits developed for older Windows platforms may have
> years left in them, and some of the adversaries the Black Chamber is trying
> to monitor don’t have Fortune 500 hardware refresh rates.

It's long past time.

[1] [https://news.ycombinator.com/item?id=6991227](https://news.ycombinator.com/item?id=6991227)

------
jenniferk
> One BIOS attack, called SWAP, was developed by the NSA to attack a number of
> types of computers and operating systems by loading surveillance and control
> software at boot-up. SWAP uses the Host Protected Area on a computer’s hard
> drive to store the payload and installs it before the operating system boots.

Won't the much maligned UEFI Secure Boot in Windows 8 stop this?

~~~
MertsA
Nope, SecureBoot is built into the BIOS, not hardware, so if you can rewrite
the BIOS you can have it just load whatever payload off of the HPA,
sidestepping SecureBoot until it comes time to start the boot loader.
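A defender-side check on the Host Protected Area point raised in this exchange, added here as an example and not part of the thread or of any tool it mentions: on Linux, `hdparm -N /dev/sdX` prints the sector count the OS can see next to the drive's native maximum, and a gap between the two means an HPA is configured and there is address space the OS never reads. The parser below runs over constructed sample `hdparm -N` output (the device names and sector counts are made up) and flags any disk with hidden sectors, so it can be pointed at real output captured from `sudo hdparm -N` on each disk.

```python
import re
from dataclasses import dataclass

# Line shape printed by `hdparm -N /dev/sdX` (some versions add a
# parenthesised guess after the native count, which the regex tolerates):
#   max sectors   = 976773168/976773168, HPA is disabled
HPA_LINE = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+)(?:\([^)]*\))?,\s*HPA is (enabled|disabled)"
)


@dataclass
class HpaStatus:
    device: str
    visible_sectors: int   # what the OS is allowed to address
    native_sectors: int    # what the drive can actually address
    hidden_sectors: int    # native - visible
    hpa_enabled: bool      # the drive's own HPA flag

    @property
    def suspicious(self) -> bool:
        # Any gap between visible and native capacity is storage the OS
        # (and any OS-level scanner) never sees; an HPA flag without a gap
        # is still worth a look, so either condition flags the disk.
        return self.hidden_sectors > 0 or self.hpa_enabled


def parse_hdparm_n(device: str, output: str) -> HpaStatus:
    """Parse the `max sectors` line of `hdparm -N` output for one device."""
    for line in output.splitlines():
        m = HPA_LINE.search(line)
        if m:
            visible, native = int(m.group(1)), int(m.group(2))
            return HpaStatus(
                device=device,
                visible_sectors=visible,
                native_sectors=native,
                hidden_sectors=native - visible,
                hpa_enabled=(m.group(3) == "enabled"),
            )
    raise ValueError(f"no 'max sectors' line in hdparm output for {device}")


def audit(samples: dict[str, str]) -> list[str]:
    """Return the devices whose hdparm output shows a Host Protected Area."""
    return [dev for dev, out in samples.items()
            if parse_hdparm_n(dev, out).suspicious]


# Constructed sample output: one disk with no HPA, one with ~773k sectors
# (about 377 MiB at 512-byte sectors) carved off the end.
SAMPLE_CLEAN = """
/dev/sda:
 max sectors   = 976773168/976773168, HPA is disabled
"""
SAMPLE_HPA = """
/dev/sdb:
 max sectors   = 976000000/976773168, HPA is enabled
"""

if __name__ == "__main__":
    for dev, out in {"/dev/sda": SAMPLE_CLEAN, "/dev/sdb": SAMPLE_HPA}.items():
        st = parse_hdparm_n(dev, out)
        verdict = "HPA PRESENT" if st.suspicious else "ok"
        print(f"{dev}: visible={st.visible_sectors} native={st.native_sectors} "
              f"hidden={st.hidden_sectors} -> {verdict}")
```

The caveat that goes with this check is the one the thread itself makes about firmware: `hdparm` only reports what the drive's firmware answers, so a disk whose firmware has been modified can report no HPA at all. Treat the parser as a cheap screen for ordinary HPA use (and for any gap that appears between two inventories of the same disk), not as proof that nothing is hidden.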

