
Big corporations are, by definition, large complex organizations. There is legal, executive management, developers, ops, etc. Hypothesizing about their actions as a singular entity can oversimplify things. I don't know about the specifics in the article, but as a general rule there are a number of instances where an intelligence agency may approach only a developer, an ops person, or someone in legal to obtain what they want instead of showing up and serving the corporate entity with an NSL. Saying the organization as a whole could provide data exfiltration much more efficiently by other means does not rule out the possibility that other techniques could be used instead for various non-technical reasons.



You didn't respond to the substance of his objection. The problem with the "NSA backdoor" hypothesis is that it doesn't make logistical sense: it requires the NSA to already have installed software on the victim's computer. If the NSA has installed software on your machine that it can control, you are going to, in the parlance of our times, "get Mossad'd".


Of course, of course, this is unlikely to be an NSA backdoor. But maybe .... </CK_LOUIS>

I dabbled in this API way back in the past, so I may be wrong about its capabilities.

Skype used to be EXCELLENT at working in most networks, including "locked down" corporate ones. Network admins used to find it notoriously difficult to "ban" on networks.

So relying on Skype to exfiltrate info may serve two purposes:

1) Use another program's capabilities instead of reinventing the wheel.

2) Hide the fact that some random program is doing network access.

Skype could be one of a range of data exfiltration mechanisms with different levels of obfuscation.


> it doesn't make logistical sense: it requires the NSA to already have installed software on the victim's computer.

Well, if you have any of the closed-source companies' software on your system (and by definition, that is +/- 310 million citizens, in the US alone), you are sure to have NSA backdoors on your system. Such backdoors certainly do not require manual intervention for them to be exploited on a large scale.


Explain?


No one outside of the software provider can audit the code, and presumably even they haven't audited the code. Recently there was the source code backdoor that was suspected to have been placed inside Juniper routers by the NSA. If I remember correctly, it wasn't found because it was hidden on a high right column.


The Juniper backdoor was a bit particular in that it was known that the code in question had been developed and distributed by the NSA. It's more of a stretch to accuse every single vendor of proprietary code in the USA of building NSA back doors into their products. It would require the knowing assistance of tens of thousands of people across those companies.


My point was that you don't actually know, and you don't technically need all the vendors. Just the big ones, and there's not really that many. Even more to the point, you don't even need all of the big ones, just the ones on the biggest network, which is honestly probably just one vendor on the whole network due to volume purchase discounts and interoperability concerns.

But more to the point, you don't know what's going on in closed source code. It's trust. However, the trust can be, and has been, violated in the past (whether by the provider or by a third party is immaterial). You just don't know. Now that doesn't mean that open source software is immune. I seem to remember there was a backdoor found in the Linux kernel a few years ago. These things happen, but at least it's easier to audit.


Can you give an example of one of these instances? I've heard of this sort of thing outside of the U.S. (James Bond bribes East German clerk to get the microfilm), but I haven't heard of domestic agencies doing this in the U.S.

Isn't it already disclosed in the Snowden documents that Skype has received NSLs?


Here is a recent article discussing the DEA doing this: https://www.washingtonpost.com/news/powerpost/wp/2016/09/30/...

$600k to a particular airline employee, $1 million for a single parcel worker (this was over a few years).

Also there are the various NSA efforts to insert people into the encryption standards process, as well as to use cooperative sources within companies to insert vulnerabilities in commercial encryption systems:

http://www.nytimes.com/interactive/2013/09/05/us/documents-r...

Also the FBI/Yahoo email program was apparently done by just the CEO, a lawyer, and a few members of the email team. The security team wasn't informed, nor the board.

https://www.theguardian.com/technology/2016/oct/04/yahoo-sec...


The DEA program is pretty shocking and a great example, thanks for sharing!

The second one sounds more like an interdiction program, where vulnerabilities are inserted into the devices (this is a thing that was in the Snowden documents). The document gives no details. The highlights on the side are from an NYT journalist, not source material.

I disagree that the last example is an example of that. It's still unclear what the scanning was doing.


The Yahoo thing is a huge deal. Email providers do interception all of the time and have strong procedural controls.

The idea that people could bypass those processes and controls is a tremendous liability that no board would ever approve.


First of all, Skype is Microsoft. Second, they're well known to collaborate already. If NSA wanted a Skype feed, they could have it server or client side.

https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-...


Originally, and perhaps at the time this "backdoor" was created, Skype wasn't Microsoft.

Skype was around for a long time before Microsoft bought it and changed its architecture and design.


This. It could well have been a backdoor that predates the "superpeer" change MS introduced right after acquisition. Skype was already under pressure from European authorities at the time, to provide intercept capabilities; European criminal networks (mafia etc) were early adopters and everybody knew it.


That collaboration looks like the same mechanism used to adhere to warrants, subpoenas, and NSLs. Do you think that any internet service in the world doesn't have similar mechanisms to comply with law enforcement requests in their home country?

I think you are misleadingly using the word "collaboration".

I also think you have failed to understand the article correctly; there is no reference to client side collection. Take another look.


Agreed. I'm just suggesting if someone were to ask for a client backdoor they could have one, just like they could ask for a server feed.


NKW gave a nice summary of some recent actions. For more historical examples, I highly suggest any of James Bamford's excellent books on the NSA. _The Puzzle Palace_ is a massive tome, but a very good read. I haven't had a chance to read _Shadow Factory_ yet, but it is in my pile.


How do you think that Juniper VPN compromise got inserted into the code?



