Thousands of computers now compromised with leaked NSA tools, researchers say (cyberscoop.com)
374 points by remx on Apr 23, 2017 | 165 comments



Which is exactly what we crazy cuckoo conspiracy theorists have been warning about. It's the same slippery slope we already went through in the 90's crypto wars, but SV gets amnesia when it gets lots of stupid company valuations and forgets all those lessons apparently.

Bottom line is this. If you put backdoors in, or exploit 0days for your own, they will get out in the wild eventually, and suddenly you have massively weakened infrastructure, corporate, and government security... basically all the things important to national security in general. So while I don't disagree that triple letters need some cool tools to get shit done, I think this function needs some technocratic oversight specifically for this issue.

It's time for a new Church committee.


> If you put backdoors in, or exploit 0days for your own

This seems like a disingenuous statement. I believe many reasonable folks would agree that inserting backdoors is an awful idea.

However, there is no evidence at all which indicates the exploits leaked by Shadow Brokers are intentional backdoors. Mentioning backdoors dilutes the discussion as it makes it seem like there is any sort of relationship with 0-day exploits (Which are the issue at hand).

0-days are going to be in code regardless of who finds them. It would be great to get some clarification on this from the government, but I would be pretty OK if the process looked anything like this:

1. Discover 0-day exploit relevant to mission.

2. Build modular tools to utilize the 0-day.

3. Create detection signatures for the exploit to run against Upstream collected internet communications.

4. If another party is seen using the same 0-day (doesn't matter if it was via leak or independent discovery), have a cutout such as FBI or DHS contact vendor with details to get it patched ASAP.


An unreported zero day is a de facto backdoor. The chain you mentioned has similar flaws as the current strategy. Step 3 would be incredibly difficult. It would be similar to detecting a virus signature, which are easily circumvented. The second party can use trivial techniques to change the signature in a way that makes it incredibly difficult to detect.

Many 0-days are built out of multiple bugs. A triple letter may use bug #1 and bug #2 to get a result, but another party will use bug #1 and bug #3 to get a similar result. Back to square one with corporate/government/personal equipment getting hacked, reducing overall security.


> An unreported zero day is a de facto backdoor

Traditionally the meaning of “backdoor” has involved intent as well as access. Unlike a basic bug, the system is working as designed but the designer wasn't trustworthy.


> An unreported zero day is a de facto backdoor.

This is not true. A backdoor indicates that Microsoft is aware of it (and/or colluded to put it in), but there is no evidence of that. I respect your disagreement with my thoughts on how they should handle 0-days, but re-defining "backdoor" does not seem helpful.


We can debate the meaning of words, but the goal of a backdoor from the perspective of the government is to gain access to a system. The effect of a backdoor is accomplished through a literal backdoor or a figurative backdoor by hoarding exploits, which both are a detriment of security.

By de facto, I was implying that they both accomplish the same things with almost the same list of pros and cons.


When I worked on jailbreaking tools for iOS devices, we routinely held onto multiple 0-days, waiting for a major iOS release to ensure compatibility.

While I know there may be reasons to disagree with that practice, I think it would be a major stretch to say that it meant iOS suddenly had a backdoor.


I agree that it is not a true backdoor, but I am simply pointing out that the goal is accomplished by hoarding 0-days or creating an actual backdoor.

The 0-day you were not reporting gave you escalated access to iOS devices. If Apple had given you a backdoor, you would have had the exact same access to the device.

Not saying it's the same thing, which is why I used "de facto". The government just wants the access. Regardless of whether the hole is intentional or unintentional, if a hole exists, then overall security is weakened.


I think a more reasonable approach would be to have a hard time limit on each discovered exploit. Something like 180 days to use it for any missions, after which they must report the exploit and get it patched. This shortens the window for any leaks or independent discovery while still allowing it to be used for important intelligence gathering activities. In turn this will create a pressure to keep finding more exploits as old ones expire, and that in turn will mean more get fixed 180 days later, etc.


I love comments like this, because they acknowledge that there are two valuable things here: (a) collecting sigint via available means & (b) keeping infrastructure secure.

The best solution enables both of these to the maximal extent possible (and has honest discussions about their relative values).


> there is no evidence at all which indicates the exploits leaked by Shadow Brokers are intentional backdoors

And this seems a little disingenuous. Perhaps there is no evidence so far regarding these particular leaks from Shadow Brokers, but in general the NSA has a history of creating backdoors.

You and I discussed some of this a bit already in one of the older NSA threads:

https://en.wikipedia.org/wiki/Bullrun_(decryption_program)

https://en.wikipedia.org/wiki/Dual_EC_DRBG

The idea of "key escrow", used by the NSA in the Clipper Chip's Skipjack algorithm, is really a euphemism for a built-in cryptographic backdoor.

https://en.wikipedia.org/wiki/Clipper_chip

https://en.wikipedia.org/wiki/Key_escrow

https://en.wikipedia.org/wiki/Skipjack_(cipher)


> Perhaps there is no evidence so far regarding these particular leaks from Shadow Brokers

And right there, GP is correct. Either there is evidence to suggest that these were planted backdoors (difficulty: patched out long before the leaks), or there is not.


I definitely do not deny any previous instances. I am very against backdoors and will never defend them. But it is an extreme accusation to make against Microsoft in this case without evidence, so the fact that there is no evidence should be stated clearly to ensure people do not get confused.


That's the exact process I'd like to see, but what really happens is more like:

1. Discover 0-day exploits relevant to mission

2. Build modular tools to utilize the 0-day

3. Do nothing

4. Lose control of 0days, or allow other actors to discover them.

It seems like the NSA is trying to avoid perceptions that they're scanning domestic internet traffic, but that leaves us in the vulnerable position of hacking everyone while leaving our own doors wide open.


"It seems like the NSA is trying to avoid perceptions that they're scanning domestic internet traffic, but that leaves us in the vulnerable position of hacking everyone while leaving our own doors wide open"

I'm curious as to what your response would be to solve this. If it's to scan domestically, then that's a 180 from every other argument point people make against the NSA and domestic operations. That said, they do spend a regular amount of time working with private companies to remedy and solve breaches by nation-state & similar actors. For an example, look up the Aurora investigation.


>3. Create detection signatures for the exploit to run against Upstream collected internet communications.

Yes, it's a good thing that very illegal cyberattacks are never done over encrypted channels. To catch the once-in-a-blue-moon hacker who has their bots log in to the mothership with ssh or something, we could just go ahead and let the government write ring-0 antivirus for us.


I think you understand that my comment was phrased generically so that the logic applies to multiple scenarios (not just this one).


The only signatures that could ever appear in the open would be from, very specifically, attacks on encryption implementations during startup (Heartbleed attacked keepalive, for example, so no help there). The attack surface of the application itself will always lie entirely behind the no-visibility line.


Would it be crazy to say sitting on exploits is effectively "inserting a backdoor"? Maybe it doesn't have a doormat but it certainly still grants you access. To me this would seem against the mission statement of protecting national security when a whole list of them are published, like now...

EDIT: I would agree that without intent to gain access, it's not inserting a backdoor.


Hard to say; that is much more of a moral argument rather than one you could argue much based on fact.

Part of the NSA's job is signals intelligence, so they specifically find the vulnerabilities as a means of access. And if that were not the case, they would not have spent the time finding the vulnerabilities, so those 0-days would still exist and be potential attack vectors regardless.


>Would it be crazy to say sitting on exploits is effectively "inserting a backdoor"

That seems intentionally dishonest, no? If I disagree with a position I'm not justified in intentionally misrepresenting it because I feel morally correct. Unless you're alleging that these vulnerabilities were intentionally placed there, I don't understand why you'd feel the need to say that. Worrying about the effects of stockpiling vulnerabilities seems like a defensible position in and of itself.


It's a 0-day: a bug, not intentional. The effect is the same, but it can and usually does get fixed (whether timely or not is another thing).


Many of those exploits will be used to knock through a backdoor. I wonder if they use different keys for each one? Fingers crossed they do.


The antidote seems to be for the NSA to maintain a security report for each discovered zero day. If it ever leaks, they can send the target company the report, which explains both what the exploit is and how to fix it.

That seems fair enough. The NSA needs to exploit flaws, but they can be a bit less evil about it by being ready to fix them if necessary.

That doesn't solve the fact that NSA's competitors could find and exploit the same flaws, or that sometimes it's hard to tell whether any leaks have happened, but it's an improvement.

At the end of it, it's hard to seriously argue that the NSA should stop exploiting computers. It's their role. We need them, just like we need a military. But we can think of ways to reduce the impact without getting in the way of their job.


> If it ever leaks

We have evidence that the NSA has no idea from where or through whom it's leaking. My impulse is to say "you get so many years to use an exploit, maybe more with higher-up approval, and then you must disclose it." Unfortunately, with virtually zero independent oversight of these agencies, I have no faith such rules would be followed.


We aren't at war with a country, we don't need spy agencies.

Disband the CIA, NSA and their 3-letter brothers. Fold personnel and funding into the FBI. This doesn't make me a fan of the FBI, but at least there is some transparency. IMO


> We have evidence that the NSA has no idea from where or through whom it's leaking.

The general consensus seems to be that Russia was the source of the leaks. The US government knows this, and everyone involved knows who is leaking what, and why. If so, then this is a political move. Is there evidence to contradict this?

https://www.nytimes.com/2016/08/17/us/shadow-brokers-leak-ra...


It's impossible now. WikiLeaks showed that the CIA goes into incredible detail to frame other countries.

https://www.wired.com/2017/03/wikileaks-cia-dump-gives-russi...

http://thehackernews.com/2017/03/cia-marble-framework.html

I also bet that other countries do the exact same thing, probably even more likely considering the "marble project" source code is leaked.

http://www.dailymail.co.uk/news/article-4427452/CIA-launches... Also it looks like a hunt for the internal leaker has begun.

Whatever the source, we do still have to deal with the content of the leaks.

The content is what we need to take a very close look at and begin to increase and harden our security. Especially senior developers and software architects.


Wikileaks has not shown this, although it seems to be the narrative which some wanted to push regarding the Marble leak.

> We do still have to deal with the content of the leaks.

Check out the actual content of the Marble leak. You will find that there is no evidence of your claim. It has been mentioned countless times that the foreign languages seen in the code are gibberish when translated, and are evidently there for testing purposes.


> WikiLeaks showed that the CIA goes into incredible detail to frame other countries.

No.


Who cares what nation state actor allegedly moved the exploits from an NSA employee to WikiLeaks? Why would the medium matter in the least, in the case of hoarding 0-days?


I agree with this and want to further add to it.

Firstly by saying: isn't it interesting that, if it is Russia who moved the exploits from the NSA employee / contractor to WikiLeaks then they (the Russians) have acted in the service of the global public.

But let's not get distracted.

The source of all NSA leaks is never some rogue employee, or contractor. It's never "The Russians"™ or "The Chinese"™.

The source of NSA leaks is the goddamn NSA.


We probably need the NSA. It's their job to exploit computers the same way it's the job of the military to apply force. It's difficult to say that we can do without the NSA any more than we can do without a military.

In that light, the context is to reduce the impact of the NSA's necessary goals.

Higher up in the thread, it was claimed that one of the most feared branches of the intelligence arm of the most powerful government in the world was so incompetent that they had no idea who was behind these leaks, and that there was evidence to support this assertion. I have an open mind, so I was hoping to see this evidence.


> It's their job to exploit computers the same way it's the job of the military to apply force.

That's one half of their job, the other half is to secure government infrastructure from exactly the type of attacks they use on other countries.

The problem there is that it sets up an incredible tension since how do you get the message out about a 0-day in windows to protect your 'own' side without your opponents getting the same message.

I've thought for years that the NSA doing both jobs is silly since one side will inevitably win that argument (as seems to be the case).

It needs to be a separate agency concerned purely with securing government and infrastructure from external threats with a decent firewall between the two sides (and possibly an oversight clearing committee to keep an eye on what both sides are up to).

Over here in the UK we have largely the same problem with GCHQ having a dual mandate.


I think the obvious answer here is to go full open-source on the infrastructure. If they can afford to pay engineers to craft exploits, they can afford to pay engineers to fix them.


> how do you get the message out about a 0-day in windows

Force-push a Windows 10 update? That seems like one of the few legitimate use cases of Win10 being a corporate botnet.


> how do you get the message out about a 0-day in windows

American companies get disclosures, foreign companies do not.


What's an 'American' company these days?

US companies like Oracle, MS, Google, etc. have offices all over the world.

They also tend to use various visas to import 10% of their own US based staff (probably a much higher ratio of engineers) from foreign nations.

The US has gotten very wealthy from offshoring, foreign talent, and technical exports, but it causes a massive problem when keeping secrets locally.


Well, that means that if they decided not to leak them they would still be known to others. So that's an excellent argument for disclosing to vendors anything that you do find if you're serious about this whole national security thing.

What it shows instead is that the NSA and other agencies could not care less about national security as long as they get to hack interesting targets elsewhere.


The current enemy is always the source of the leaks. A few months back it was china. The political move is just the finger pointing.


The article you linked only has a single citation for the Russian attribution, which is a Snowden quote: “circumstantial evidence and conventional wisdom indicates Russian responsibility”

Is there any evidence other than Snowden's speculation?


> it's hard to seriously argue that the NSA should stop exploiting computers. It's their role. We need them, just like we need a military.

Would you say the same of Chinese government hackers and the Syrian military? If yes, OK. I understand you accept the need for competition in arms. If not, can you explain why?


Exactly, if the US army starts raping ISIS females later it can't pretend it's barbaric for other armies to do the same, incl. American females in the army.

Doing the least morally right thing always brings more problems than it's worth, and that's exactly what the NSA does every time it pokes holes into everyone's software.


Yes and no.

I'm not OK with the Chinese having slingshots and spears, never mind ICBMs and nuclear warheads. That doesn't stop them, and I'm not offended or shocked that they would be armed.

Regarding cyberwar, I prefer that the Chinese not know how to program computers or even find the "on" switch. I'm not offended or shocked that they manage this and much more.

The same goes for Syria.


> Would you say the same of Chinese government hackers and the Syrian military?

No, for the same reason why I'm okay with the US military having nukes but wouldn't be okay with Syria having them.

Obviously it'd be great if we could get by with no military powers having to possess zero-day exploits (or nukes), but so long as we can't be sure no other nations are benefiting from such exploits, it makes no sense strategically to forbid our own governments from doing the same.


So it equally makes no sense for China to forbid itself from using their own exploits? As long as they can't be sure America isn't benefiting from them, they'd better keep up with the arms race.

Or do you consider America to be special and that it deserves these powers more than other countries? Personally I don't think it's competent to hold them because it has an ongoing history of using its weapons to destroy other countries, property and lives. If I had to choose who wins the arms race, I would prefer a less hostile country like China or Germany to have them instead of America. But really, why not nobody? Exploits are offensive weapons, not defensive ones.


> So it equally makes no sense for China to forbid itself from using their own exploits? As long as they can't be sure America isn't benefiting from them, they'd better keep up with the arms race.

Correct. Same goes for any nation. Since there's no way to be sure that other nations aren't developing zero-day exploits, not developing exploits of your own does nothing more than put you at a disadvantage.

> Or do you consider America to be special and that it deserves these powers more than other countries?

Yes. I know this seems to be a rather unpopular opinion with the HN crowd these days, but the US absolutely deserves to have better military capabilities than nations like Syria or China. (As for Germany, I'd also be mostly okay with them possessing exploits; as they're a democratic nation who I generally trust to act in the best interests of their citizens. I cannot say the same for Syria or China.)

> But really, why not nobody? Exploits are offensive weapons, not defensive ones.

That'd be great, but unfortunately it's not a realistic option. So long as one nation possesses and benefits from zero-day exploits (even secretly) then it makes no strategic sense for any other nation to intentionally put themselves at a disadvantage by not developing exploits of their own.


> If it ever leaks, they can send the target company the report.

Any usage of the exploit by the NSA constitutes leaking it.

You can't treat cyberweapons like normal weapons.

The analogy is not that you come up with a secret bomb design and drop it on the target, but that to use your bomb you must send the full Top Secret designs for the bomb to every target, hoping that they voluntarily use it to blow themselves up instead of writing the design down & using it against you.


Sort of. For example, the NSA developed a way to hotpatch an ethernet adapter's firmware to respond to incoming packets that operate out of band with normal IP packets. Meaning it's a way to communicate with a target computer that's completely undetectable by standard tools. Using such an exploit against a computer isn't typically a risk, because the target you're exploiting isn't sophisticated enough to catch the exploit. And even if they were, and they send their computer to a foreign intelligence agency for extensive analysis, that typically wouldn't confer an advantage to that agency. They were already developing their own exploits to use against us, and there are only so many unique techniques.

The way to protect against this is probably to have constant security audits. But these are expensive, so the situation is that there will always be exploitable computers and software, especially when a nation-state adversary is doing the exploitation.

The solution is what it's always been: Political control. We have terrifying weapons, and what keeps them at bay is aligning the incentives of our politicians so that the calculus of employing them is more costly than keeping them unused. (Unfortunately this may not be possible with cyberweapons, because unlike real weapons, there is no death and destruction as a side effect.)


> If it ever leaks

You mean, if they become aware of it leaking. Exploits can leak and be utilized without anyone being aware of it, for years. It's not like you see a mushroom cloud on the horizon and your earthquake detectors wobble.


> The NSA needs to exploit flaws

There are plenty of legal wiretapping/surveillance alternatives that don't rely on not fixing a compromised worldwide infrastructure.


> The NSA needs to exploit flaws

In the current doctrine, it apparently does.


If the 0-day is in an open source project this seems doable, but I don't know if the NSA has access to the Microsoft or Cisco source code.


They very likely do have access to the Windows source code. Microsoft does share that with certain governments & educational institutions. I think the Chinese government also has access, FWIW, but it's been a long time since I looked into this.


I got personal access to the Windows source along with many others via the MS MVP program.

And even if MS were secretive, it's unlikely that the USG could not get multiple people working at MS with access.


MS has a code sharing program. Large government contracts almost always have a code transfer clause in them if nothing else than if the company goes bust or no longer wants to support the product.


True, but blackbox pentesting is pretty common. If a company is informed of a flaw in their XYZ service with details of how the flaw operates, it would probably be enough.


Would it be possible to scan for infected systems if you know the 0-day?


If I recall correctly from some of the Snowden docs, they do have their passive internet taps watch for exploit signatures of foreign adversaries. I don't see why they would not do the same with their own.


> Which is exactly what we crazy cuckoo conspiracy theorists have been warning about.

Which is what exactly? That a spy agency is spying?

>If you put backdoors in, or exploit 0days for your own, they will get out in the wild eventually, and suddenly you have massively weakened infrastructure, corporate, and government security

I don't agree with putting in backdoors, but I don't see how exploiting backdoors by your security agency is so nefarious. That is literally what they were created to do, and this is what every other foreign security agency is doing as well.

>So while I don't disagree that triple letters need some cool tools to get shit done

Sounds like you do.

>I think this function needs some technocratic oversight specifically for this issue.

How about congressional, judicial and executive oversight? Because that's what we have now.


> literally what they were created to do

The NSA is supposed to do both defense and offense. The defense came up, for example, when they improved DES to resist differential cryptanalysis (which the public crypto world hadn't discovered yet) before DES was standardized.

But that was a long time ago; at least since 9/11 the offense side seems to have pretty much eaten the defense, as far as we can tell. (See: https://en.wikipedia.org/wiki/Dual_EC_DRBG) I believe this newer strategy is badly misplaced from the standpoint of the security of the American people (and good for the power of security-state insiders).


If the IA department in the NSA were smart enough to figure out every vulnerability that the SIGINT department discovered and got everything fixed, SIGINT would be impotent. Clearly, things like SELinux make SIGINT's job harder, but your suggestion that SIGINT should handicap itself is ludicrous on its face.


Consider a few salient states: the U.S., Iran, Russia, ... If computers worldwide are mostly secure, which see the greatest benefit? If they're a festering pile of vulnerabilities, which see the greatest cost? That's the choice, as U.S. policy, of where you can focus your efforts. It's not a choice of secure U.S. computers and insecure Russian ones.

The way you're framing it presumes SIGINT is in charge and positively welcomes insecure U.S. computers. I'm saying that's bad for us. I've seen others saying the same.

Also, secure computers would not make spying go away, and SIGINT would not be impotent. Its powers are still increasing with, e.g., surveillance of whole populations from the air with high-res video cameras. Comms spying would go back to retail instead of wholesale data collection.


> The way you're framing it presumes SIGINT is in charge.

You fundamentally misunderstood my post, which is causing you to reach strange conclusions. Neither is "in charge." They are two separate entities with separate missions. Some of the systems developed and documented by IA make the job of SIGINT difficult if our adversaries implement them as well.

How would spying from the air have prevented Iran from developing its nuclear program?


Well, I said the spying mission of NSA should not override the security of the U.S., and pointed to the contrast between the old sometimes-improvement of crypto standards and the new backdooring of them. You answered that my "suggestion that SIGINT should handicap itself is ludicrous on its face." I don't care if the NSA's SIGINT department does not value our information security; we, the citizens, do. Their narrow departmental interest goes against our interest. The NSA as a whole used to better approximate that interest, back sometime in the 20th century, even if very imperfectly (see Bamford's history). This conversation was missing this point about the NSA's broader mission.

Iran with nukes seems to me a lesser threat to us than an uncontrolled U.S. government.


> The NSA as a whole used to better approximate that interest, back sometime in the 20th century, even if very imperfectly (see Bamford's history).

There is no evidence that anything has changed.

> Iran with nukes seems to me a lesser threat to us than an uncontrolled U.S. government.

Who is suggesting that the government should be uncontrolled? Iran with nukes is a far greater threat than the NSA with 0-days, which is what we're discussing.


The NSA leverages these exploits to spy on foreign nations. That's fine, spies should spy...

But it does beg the question: who's protecting our information from foreign intrusions?


Before this runs the risk of becoming a universally acknowledged truth, is it fine? Actually, wasn't "Gentlemen don't open each other's mail" also a perfectly reasonable position? In the cyberwar the US already seems to be fighting against its own weapons! Would it actually be much better for a nation like the US to use its knowledge defensively and keep their citizens safe from foreign interference?


I also strongly advocate for information disclosure and collaborating with vendors.

However, I'm not convinced the NSA is the entity for that role. Organizationally, the NSA makes more sense as an R&D entity that discloses to offensive intelligence agencies and defensive security forces.


Isn't that partly the mission statement of the NSA and CIA and FBI?


The CIA and NSA are externally oriented.

Defense is arguably part of the FBI mission, however they don't have the NSA's level of skill or resources. The FBI might be able to detect abuse when it gets rampant but I have zero confidence that they would discover any of these exploits themselves. The FBI is mostly cleanup and criminal prosecution.

We need an organization focused on preemptively securing our infrastructure.


The NSA is actually tasked with that mission:

> NSA is concurrently charged with protection of U.S. government communications and information systems against penetration and network warfare.

https://en.wikipedia.org/wiki/National_Security_Agency


Yes, government defense. Who protects the rest?


That actually overlaps with things like the power grid and ATC, for what it's worth. It's a little bigger than just "government computers".


Private entities protect themselves and their customers, to varying degrees, which is how it has always been.


> I don't see how exploiting backdoors by your security agency is so nefarious.

Did you ever hear the tragedy of Stuxnet the wise?

Stuxnet was a cyberweapon so powerful and so well hidden it could use computers to cause nuclear centrifuges to fail.

Unfortunately, others learned from code the worm left behind, then other actors used the same techniques to infiltrate computers everywhere for a year. Ironic. It could save the world from nuclear weapons, but not computers.


>Which is what exactly?

The fact that the three letters are continuously failing to understand the long term blowback potential of the programs they start, regardless of initial merit. In this case, instead of spending nearly as much time doing hardening documents, they were busy compromising everything. The name of almost all of our fuckups in this arena is blowback.

>I don't see how exploiting backdoors by your security agency is so nefarious

When they use them for lawful purposes, such as foreign sigint, ok. With that kind of power though, at a bare minimum I would be concerned about abuses of that power domestically. At a minimum. I could wax on about all the reasons it could be bad for a long time.

>How about congressional, judicial and executive oversight? Because that's what we have now.

That's exactly what I said was needed. A technocratic oversight committee could exist in all branches on this subject. Also, we really don't have good oversight in place. Think about the kind of effects this has on potential oversight bodies...

For example, the chairman on the senate intel committee is about to vote for more oversight of $secretprogram. It's imperative to national security that this program not receive scrutiny, so it's allowed to use these 0days against them, find or plant blackmail material, and exploit that to get the chairman of oversight to not do it.

This is the kind of shit I was talking about having been warning people about. It's not just about the surveillance. Surveillance is always about control, not security, security is just the bullshit they sell the public to not induce outcry.


>For example, the chairman on the senate intel committee is about to vote for more oversight of $secretprogram.

People's memories are way too short with this kind of stuff because something like this already happened: The CIA hacked the computers of the senate oversight committee responsible for investigating the CIAs record of torture.

https://www.theguardian.com/world/2014/jul/31/cia-admits-spy...


That's just the time they got caught. We can be sure they do this constantly.


> Which is what exactly? That a spy agency is spying?

To spell it out: backdoors are of course a helpful tool for a security agency, but once the key for the backdoors falls into the wrong hands the potential for misuse is monstrous because, well, the backdoors are in all kinds of potentially critical systems, e.g. even in the cellphones of high ranking officials (or in cellphones of their families) etc.

To get the same intel by different means than a backdoor is of course much more expensive. So one needs to find the sweet spot, where the utility as a function of cost and security is maximized. That sweet spot likely does not involve backdoors.


You haven't been a crazy cookoo conspiracy theorist since Snowden dropped his info. Unless you've got conspiracies on other topics, then maybe.

I think it's fairly common for even someone with a cursory knowledge of security to know that backdoors are a bad idea.

The triple letters don't get their power from poor products. Those are going to be around no matter what. I'd rather this just drive a push toward more open source products throughout the network stack. The triple letters get their power, not from poor products, but because of existing oversight of the agencies has been lax in the name of fightin' terror.

When it is legal for gobs of data to be vacuumed up without any court order then they will have power, no matter how much poor software is in the wild.


> You haven't been a crazy cookoo conspiracy theorist since Snowden dropped his info.

neh, the world was calling for them to stop trying to put backdoors in security software for a while. To my generation it was the 2007 ecc curve primes. https://www.schneier.com/blog/archives/2007/11/the_strange_s...

to the previous generation it was the clipper.

Snowden really raised awareness outside the security circles, but this has been an issue a long time prior


It was before Snowden. We have had hard facts since the 90's that mass wiretapping and exploitation has been going on thru vehicles like AT&T and Verizon.

And we knew about PRISM for a good two years before its public disclosure. Sudden black square over a remote area in Utah in satellite imagery. Pictures of a massive construct. Coupled with the fact that we knew they needed a place to centralize all of this collected information, it was plainly public how the NSA was operating. No one just wanted to frigging listen until they had a celebrity icon like Snowden to interest them, because we operate on a system of identity politics.


I don't think anyone worth a damn as far as this subject is concerned would have labeled you a conspiracy theorist. Anyone with an even passing knowledge of security assumed something of this nature was going on. It just logically follows, given the explosion of computers in every aspect of life, that the NSA would be doing this.

Side note, what black image in a remote area of Utah? If you're talking about the Bluffdale data center, it's been visible on Google maps this entire time IIRC. You can even see historical images of it being built in Google Earth:

https://www.google.com/maps/@40.43085,-111.9278303,2900m/dat...


https://en.wikipedia.org/wiki/Utah_Data_Center

I distinctly remember a point when it was not visible. That is how I discovered the plans to build a complex there years ago. This was probably remedied not long after we started catching wind.

I'm sure it would not be difficult for Google, et al. to retroactively "fix" their public imagery data.


I wouldn't rule it out, but I'm left scratching my head as to the motivation why. I remember reading about said data center years ago, before they even broke ground. The location was known at that time, too. If the physical location was of such importance to censor it from satellite images, why then retroactively add those images back in?


Heh, I'm wondering if my memory has muddied a bit and I actually just saw the foundation being laid down, though I'm pretty sure it was black for a while. Either way seeing that sparked my interest and led to me finding out about plans to build a data center, which were largely conjecture and rumor at the time. At that point we really were all a bunch of conspiracy theorists without any hard evidence.


> It was before Snowden.

I wasn't saying that's when it started. I was saying that's when people stopped viewing "government is listening to everyone" as conspiracy.

> No one just wanted to frigging listen until they had a celebrity icon like Snowden to interest them...

It didn't have anything to do with Snowden's "celebrity". Do you think he was a celebrity before he produced physical evidence? Turns out, no one wanted to friggin listen, until someone had proof.


"when people stopped viewing "government is listening to everyone" as conspiracy."

The entire point is that the public isn't listening to the dangers presented beforehand. Yes, now people don't think you're crazy for thinking we are surveilled heavily, but now the equivalent is when I tell people why they put the surveillance in place at all. Typical responses include "but they're just doing it for national security".

If 1/3 of the public only knew half the shit the gov was up to there would be a revolt tomorrow morning. It's deeper and darker than just massive surveillance. My only question for years has been if the public will wake up enough to realize it. With the failing education and financial systems and the propaganda levels turned up to 11, I'm beginning to doubt it.


You're missing the point.

Someone already had proof.

Snowden was the one who managed to bring it to a mass audience. And I love him and respect him immensely for that. But I'm sure he also feels the same disdain that it took him completely destroying his life to convince people that something nefarious has been going on when many clues were already public and just routinely dismissed by people like the other guy arguing with me right now.

Yeah, he gave lots of evidence on programs we didn't even know existed. Like, the full extent of this situation. But we already had enough information to know that we should demand legislation and oversight and that 1984 has all but come true.


There is no evidence of mass wiretapping from AT&T or Verizon even after Snowden. The rest of your post shows you still don't have any idea what PRISM is even after Snowden and the government disclosed it.


I'm well aware of PRISM :-)

You misunderstand me. PRISM is the program, but it needed an HQ! Here is that HQ:

https://en.wikipedia.org/wiki/Utah_Data_Center

Here is one such example of such a wiretapping program under AT&T:

https://en.wikipedia.org/wiki/Room_641A

And there are many more. It just depends on what you call "evidence". Is it your own definition, or are you relying on others to tell you what is and isn't legitimate?

It's quite ironic that you are telling me I don't know what PRISM is when I knew about it long before it reached public, and presumably your own, attention.


You very clearly don't know what PRISM is. According to Snowden's documents, PRISM is the program that brings the FBI's FISA electronic communication wiretaps into the NSA's databases. It has absolutely nothing to do with Room 641A, which also doesn't do what you think it does.


I didn't say it had to do with Room 641A. That was a separate and distinct reply to your allegations over no proof of wiretapping.

Look at the very first sentence:

https://en.wikipedia.org/wiki/PRISM_(surveillance_program)

> PRISM is a secret code name for a program under which the United States National Security Agency (NSA) collects internet communications from at least nine major US internet companies

And here:

> Documents indicate that PRISM is "the number one source of raw intelligence used for NSA analytic reports", and it accounts for 91% of the NSA's internet traffic acquired under FISA section 702 authority." The leaked information came to light one day after the revelation that the FISA Court had been ordering a subsidiary of telecommunications company Verizon Communications to turn over to the NSA logs tracking all of its customers' telephone calls

You're talking out of your ass. Clearly. You can't even do basic research on the most public open knowledge base on the internet.

Just saying there is no evidence of mass wiretapping of AT&T's infra makes you look ignorant as hell.

Next you're going to tell me this is just a fraternity club:

https://vimeo.com/193562415

https://theintercept.com/2016/11/16/the-nsas-spy-hub-in-new-...


Look at Snowden's actual documents. It shows the data is actually collected by the FBI's Data Intercept Technology Unit (https://i.imgur.com/setOJIm.jpg), which is the organization within the FBI that handles electronic wiretaps. The FBI requests data for specific accounts from these companies using FISA warrants and NSLs, but only the data requested via FISA (i.e., for foreigners) are allowed into the NSA's systems.

Room 641A isn't a mass wiretapping system. Once again, see the documents from Snowden. It looks for communications from specific Internet endpoints that are being wiretapped under court order.


I never denied the FBI's role in this?

I never said Room 641A was a mass wiretapping system? Just that it was one example of many such wiretapping initiatives?

I also provided citations showing that this is more than just targeting specific accounts?

You're starting to sound like a shill; that won't do any good if you're trying to convince people of your narrative.


The point is that neither is an example of mass wiretapping, as Snowden's documents showed. What exactly do you think is targeting more than just specific accounts? Be specific.

If we take the upper bounds from the transparency reports from the Internet companies, we can estimate that the volume of data from PRISM is so small that you could fit it on a single rack, and the Utah datacenter has nothing to do with it.

You'll find that I'm a shill on the JFK assassination, chemtrails, mind control rays, and every other conspiracy theory that lacks evidence and has substantial evidence to the contrary.


>> Documents indicate that PRISM is "the number one source of raw intelligence used for NSA analytic reports"

PRISM isn't just some negligible thing to be brushed off. And of course it isn't the only thing they're doing over in Utah. It's one of many sources that all come together at places like this for data analysis. But it's the "big deal" everyone is talking about so it is very relevant to the discussion.

Remember, if there is one there is more. We don't need a comprehensive list of every data center and chokepoint that is under surveillance to understand how prevalent it is based on known data.

Example of mass surveillance:

https://en.wikipedia.org/wiki/ECHELON#Confirmation_of_ECHELO...

Example of mass surveillance:

https://en.wikipedia.org/wiki/DISHFIRE#Scope_of_surveillance

Example of mass surveillance:

https://en.wikipedia.org/wiki/MYSTIC_(surveillance_program)#...

Do I need to give you more or can you take it from here? Do you need more proof than the wiretapping of half a dozen countries' ENTIRE phone calls?

Please do not chalk this up to "conspiracy theory". That is damaging and misleading. You are attempting to group this together with more fringe theories in order to discredit it. Logical fallacy. If you want to continue this discussion I ask that you play fairly and not revert to rhetoric and distraction.


> Documents indicate that PRISM is "the number one source of raw intelligence used for NSA analytic reports"

That's because it contains wiretapping data of specific highly valuable targets. Nowhere in this sentence does it say that it contains mass surveillance because Snowden's documents and the government have shown it does not.

I never said that the NSA doesn't engage in mass surveillance, only that it doesn't do mass wiretapping through Verizon and AT&T or through the Internet companies, as you wrongly believed PRISM did. The reason that distinction matters is that the NSA absolutely should gobble up all communications in a war zone or other foreign area threatening national security. That's what it's there for. Gobbling up and processing domestic communications as your claimed mass wiretapping on Verizon or Google would do is outside the scope of the intelligence agencies, and there remains no evidence that they do that despite multiple leaks. Any claim otherwise is conspiracy theory by definition.


I never said PRISM was the same program that engaged in mass surveillance.

I also never mentioned Google. Your arguments keep starting off by strawmanning my own.

But sure let's talk about Google. You really think Schmidt and friends are clean on this? He is a globalist authoritarian lap dog.

https://wikileaks.org/google-is-not-what-it-seems/

And you're also fundamentally confused about something. See, the NSA does not need direct access to all of this data. They allow/encourage/force various companies to comply with certain data collection and retention practices, and tap into this data when necessary. Why? So that people like you can claim they are not directly surveying their citizens.

All of the data still exists, and is accessed when needed.

It's like if my friend spied on you and reported back to me whenever I asked, but then I come out and say, "Hey mister, I'm not spying on you. I only ask my friend about things necessary to my investigation. If you're being a good dog then this shouldn't even bother you."


> I never said PRISM was the same program that engaged in mass surveillance.

You started off by saying you knew about PRISM because the NSA is building a large datacenter in Utah just to hold PRISM's data.

> I also never mentioned Google.

I never claimed you did. You claimed that PRISM ingested mass wiretapping data. That data would come from Google and other Internet companies according to the documents. My point was that your belief that it is illegally gobbling up all the communications done on Google's and other Internet companies' communications products is baseless.


I'm going to ignore your warping of my words and focus on the interesting bit here: again, Google.

You don't remember when news broke in 2014 that the NSA was snooping on Google's Gmail traffic that was flying around unencrypted within their own network? Google, rightfully embarrassed, subsequently enabled internal end-to-end encryption after the news broke.

Here it is straight from the horse's mouth: https://gmail.googleblog.com/2014/03/staying-at-forefront-of...

So... yeah. Not baseless at all. Meanwhile you have yet to provide a single citation throughout all of this.


I cited Snowden's own documents.

According to Snowden's documents, the NSA used email envelope metadata where at least one side was a foreigner to build a connection graph, similar to pen register metadata collection. It didn't look at the contents, which it would have to do in order to be wiretapping. That program (STELLARWIND, which operated behind the Internet companies' backs, not PRISM, which operated via court orders on specific accounts) ended before Snowden even leaked it. https://www.theguardian.com/world/interactive/2013/jun/27/ns...

Let's recap. You claimed that PRISM is mass wiretapping. It isn't. You claimed that the NSA is mass wiretapping Verizon and AT&T. It isn't. Let's stick to your original claims and see them through to completion. Do you admit you were wrong about PRISM and the telcos?


Citing Snowden's documents would involve actually giving me a link.

I did not say PRISM was mass wiretapping but it is indeed part of the surveillance suite of NSA programs. I did not adequately explain myself in my original post, but I cleared things up afterwards and you are ignoring that completely. You have consistently been framing my arguments in a specific way so that you can attack them in a specific way.

I also don't understand why you think that the NSA was not mass wiretapping both of those telcos' major junctions. It's a known thing. It's not some fringe conspiracy theory. The Fed has been tapping phone lines since the very beginning. Not all of them sure, but certainly in a dragnet fashion. This has continued with the explosive growth of information networks into the 21st century. I provided links. I do not need to provide any more on that topic.

I've honestly never encountered someone before who so earnestly believes as you do that these programs are not widespread or dangerous or grossly overstepping their bounds. It's like denying climate change or something.


> Citing Snowden's documents would involve actually giving me a link.

I gave you a link to a slide diagramming PRISM and a link to the document describing the email envelope program that had shut down.

> I did not say PRISM was mass wiretapping but it is indeed part of the surveillance suite of NSA programs.

I understand you now concede that PRISM isn't the nefarious new-datacenter-requiring mass data collection you originally claimed it was, that the actual surveillance itself is carried out by the FBI, and that PRISM just enables the NSA to search the FBI's data collected on specific foreigners with a court order.

> I also don't understand why you think that the NSA was not mass wiretapping both of those telco's major junctions. It's a known thing.

If it's a "known thing," where is the evidence? None of your links claim that the NSA is mass wiretapping the telcos' major junctions. Mass wiretapping Americans would violate the Fourth Amendment (the ACLU successfully sued over phone metadata collection, and collecting voice content would be a much bigger issue), so if you have any evidence at all, present it or be prepared to be labeled a conspiracy theorist.


Here you are again, twisting my words! Amazing. No, I did not say anything like that about PRISM. I said exactly what I said-- that I was not clear enough in my original post, but I clarified myself immediately after in response to you. I wrote that original post in a hurry and did not take the time to read over it like I usually do. And I've already elaborated on how the NSA uses other agencies and businesses as tools for its surveillance, to avoid direct ownership of the information that they can request at any time. Again, STOP twisting my words to serve your narrative.

I gave you links, but I will humor you with another:

https://www.eff.org/nsa-spying

> . . . recently published FISA court order demanding Verizon turn over all customer phone records including who is talking to whom, when and for how long—to the NSA . . .

Oh look! FISA being used to demand all of Verizon's phone records! All of them! And what is one of the programs that FISA feeds into? Oh yeah, that's right. PRISM. If you do not consider this to be a dragnet surveillance order, you are just lying to yourself. So there is yet another verifiable source highlighting the scope of PRISM.

Here is the relevant court case:

https://www.eff.org/cases/first-unitarian-church-los-angeles...

Do I need to physically take you to Titanpointe to see it for yourself? Here is a link explaining what that is, I already posted it once but clearly you have not been following through and reading these links.

https://theintercept.com/2016/11/16/the-nsas-spy-hub-in-new-...


> FISA being used to demand all of verizon's phone records! All of them! And what are one of the programs that FISA feeds into? Oh yeah, that's right. PRISM

This explicitly isn't PRISM, and this isn't ongoing. Moreover, Snowden's documents showed that this data wasn't used for surveillance. The data was anonymized and a system (not PRISM) was built on top of it that could only perform a limited set of graph queries to find associates of known threats to national security. To deanonymize a node, the government would have to request another court order.

You have once again demonstrated that you don't know what PRISM is, so is it any wonder that I keep calling you out on it?


What isn't PRISM? FISA? No shit. I said it feeds into PRISM. And I did not say it is ongoing. And I think you have a warped view of what surveillance is because a system used to query networks and other identifying information is a dragnet surveillance tool. You just refuse to be wrong here.

And a lot of the hoopla about these immoral dragnet tools is not only the fact that they partially target American citizens (after NSA executives said under oath, in very particular terms, that they do not collect files on American citizens) but also that it was being accessed by employees without court orders.

Pre 9/11, maybe you could have made a case about this "anonymization" being legitimate. There were certainly programs in the works that attempted to incorporate homomorphic encryption into their design. But these have been gutted and reformed into what we have today.

You have to wonder, what are these tools being used for? They certainly haven't been publicly attributed to stopping any terrorist activities. If you don't think these systems, put in place by spy agencies with the legal ability to lie about their internal operations, are being used to spy on their targets (which is the general public) then what the hell do you think they are for?


> I said it feeds into PRISM.

It doesn't. That's my point. How many more times are you going to show that you don't know what PRISM is while claiming that you do?

Also, surveillance is, by definition, close observation. Merely having anonymized phone metadata is not surveillance any more than having access to Google Maps satellite imagery without any other data sources to join to. More specifically, it isn't mass wiretapping, which as you recall was your original claim that you have yet to substantiate, instead pointing to this metadata program that I had earlier used to show you that no evidence exists for mass wiretapping of Americans.


People did not read the source material of the Snowden leaks, only the editorialized articles which made unsubstantiated interpretations of what the leaked slides mean. That is probably why you are being downvoted, regardless of the fact that you are entirely correct.


Why do 3 letter agencies need special tools? Who will they be accountable to that these tools are being used ethically?

We already have a bunch of stories of crooked cops using databases to stalk love interests, etc. Then look at the Michael Hastings incident. Imagine how much abuse goes unreported.


SV doesn't get amnesia, it gets younger people reinventing the wheel to "disrupt".


They don't even need to go out into the wild.

https://en.wikipedia.org/wiki/Aldrich_Ames

https://en.wikipedia.org/wiki/Robert_Hanssen

The US intelligence agencies have a less than stellar history regarding moles.


So the tool is getting used everywhere by "kiddies"?

I don't see any discussion about the fact that, if you were the NSA, you'd absolutely want this to happen to muddy the waters for attribution.


What does this have to do with SV company valuations?

Seems like you're pigeonholing a pet issue into something totally unrelated.


No, the people who know how hard good security is, how easy it is for this material to spread around when a huge chunk of your intelligence services are private for-profit contractors, and had completely sane ideas about how weaponized the government's tools were likely to be - were not crazy or cuckoo or conspiracy oriented.

Conspiracy theorists are where 3 million illegal voters, thousands of Arabs dancing on buildings, and the last president being a Kenyan with a falsified birth certificate, all come from.


Tech security has been an afterthought for too long. The core technologies we use are putting us at grave risk in ways we simply cannot imagine. As we now are starting to realize, that all of our digital lives are permanently centrally recorded carries currently unimaginable risks down the road. That we have centralized global social networks carries risks that the majority of people are not able to experience or understand. We're progressing too fast technologically, and there's way too much of a gap between morphing cultural norms and a system of government that will be, by default, always out of date with respect to these evolving norms.

That we connect directly to a worldwide network with minimum consideration for security is very troubling. In decades to come, we'll look back in humility and realize that the manners in which we used technology added grave risks to our health.

In 2017, we are not in the "wild wild west" age of technology. Rather, we are firmly in the dark ages. We're so far away from having an understanding regarding the lack of social maturity in our technological growth that we fail to properly consider the downside risks.

This is a tough nut to crack because technology is simply too good for the majority, even the technically inclined majority. I recall efforts by very very talented folks to build decentralized technologies to help mitigate some of these long term risks, but such efforts will remain firmly at the fringes of intellectual superiority for a long time. Meanwhile, Goliath will simply grow stronger in time, unless there is some major cultural shift. Is there any such shift happening, beyond the fringe?


Poetic, but you shot yourself in the foot in the first paragraph.

"That we have centralized global social networks carries risks that the majority of people are not able to experience"

If the majority of people do not experience the consequences of the risks of whatever-it-is-you're-railing-against, if those risks are never realised by the majority, your argument evaporates.


Perhaps the reason most of us don't experience the risks is because the nature of cyber warfare is more subtle than any other form of warfare in history. Social engineers prefer to be undetectable, that means they're doing it right.


Then it's hard to tell where the line between (cyber) warfare and social engineering can be drawn.

Is what Facebook did[1] (does?) warfare? I sometimes like to dabble in hyperbolic alarmism, so I'm inclined to want to say yes.

Maybe it's a sign of progress that we now consider emotional manipulation "war". It's probably less harmful, by all accounts, than slaughtering each other.

1. https://www.theguardian.com/technology/2014/jun/29/facebook-...


I agree on all accounts. Facebook testing emotional manipulation is corporate psyops weapons development.

Marshall McLuhan postulated back in 1970 about the future of warfare:

>World War I a railway war of centralization and encirclement. World War II a radio war of decentralization concluded by the Bomb...

>World War III is a guerilla information war with no division between military and civilian participation


Cult-driven intellectual authorities believe that designing and firing rainbow glitter embedded bullets of absolute power at rebels is a justified path to social control. Tech such as FB's is misused accordingly.


Point taken. The majority are not able to experience it because it has not happened for the majority, yet. The data is there, the technology to use that data in the future has not been employed.


I used to be right into the impending doom of the techno-dystopia, but I've stopped worrying about it. Predicting the future is hard.

We don't need a future info-technologically induced dystopia to commit atrocities. A shibboleth[1] will suffice.

From modern times to way back.

Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand. Judges 12:6


It would be interesting (although I expect impossible) to figure out how many of those thousands were compromised by the NSA vs those compromised by people who got the tools through the leak. It was nice that Microsoft had already fixed a bunch of them (almost like they were told ahead of time they were coming).

It is also interesting to read the outrage about the tools and the presentations on how to use them. If you have ever read the user's manual for a cluster bomb which no doubt tells you in detail how to maximize the number of people it will kill, you get a sense of how destructive and outrageous war can be. Why should cyber war be any different? And how is it any different to use a zero day to compromise a system than it is to use an architectural feature of a building to bring it down on top of its occupants (other than the obvious loss of life)? Exploiting defects in the deployed system to maximize the effectiveness of a munition, not a new thing at all. Just the reality of warfare.

We're pretty clearly already in a form of warfare and it is having visible effects on things like infrastructure and elections. So how do we make the battles visible to the common folks? How do we convince Mom & Dad to patch their router so that they don't inadvertently aid the 'badguys' in their quest for dominance on the digital battlefield?

Definitely feels like Phase III of the Internet has begun to me.


> Why should cyber war be any different?

Because we aren't talking about bombs. We are talking about security.

We are concerned about "nuclear proliferation". Why aren't we concerned about the proliferation of these tools? It takes material to make nuclear weapons (obviously nuclear weapons are much more concerning, that isn't my point), but it only takes instructions to create and use security exploits. In this scenario, threats only have power for everyone who knows about them, and that is inherently dangerous. We should put all of our focus into getting rid of security exploits, not creating them.


We are talking about both because they are the one and the same.

I was talking about aggression against an enemy. Bombs, sanctions, cyber warfare. All in service to making the 'other guy' pay the price. In the context of cyber warfare, getting rid of your own security exploits and creating them for stuff the 'other guy' uses.

But that gets right to the essence of how this is different. The NSA sought to use a superior knowledge of exploits available in the software their enemies used against the enemy, even tho the same tools can be used on their friends. That is no different than picking up the weapon of an enemy soldier and using it against his own squad mates. Or having the enemy pick up your weapon and use it against your squad mates.

Computers and networks are now (and arguably always have been) weapons of war. Just as cars and the people walking into markets wearing vests full of semtex are. And that is a sad truth because it means becoming a casualty can happen anywhere without warning. And that seems to be what Phase III will be about.


> Definitely feels like Phase III of the Internet has begun to me.

I knew it wouldn't be that semantic web babble nonsense. I really hope it is the realization that infosec is important and we become closer to real engineers that factor in risk. My only fear is that it results in more useless regulatory oversight with marginal ROI.

The recent controls put on zero day sales are a good example. They will do nothing to prevent the proliferation of malware and only punish honest companies helping to secure systems with practical attacks.

It's like how the city I live in (Toronto) just enacted another round of rent control to deal with a lack of affordable housing. Rent control makes people happy by seeming to address the problem but ultimately historically has always resulted in less development of affordable housing by disincentivizing investment rather than helping developers build more buildings cheaper, by reducing red tape.

This is what we need to do with security research. Stop villainizing researching exploits and sending innocent kids to jail and start paying them good money for their (often profitless) energy expenditure.


> It was nice that Microsoft had already fixed a bunch of them (almost like they were told ahead of time they were coming).

Hmmmm.

I wondered for a minute, then remembered that the leak was dropped, encrypted, onto torrent sites.

So there's your "it's out there". And you have a file size.

From there, well, Microsoft is yuuuuge, so it's entirely feasible that some nice person with connections to the leak in question could probably drop "well this and that was in it." From there it's not too much of a stretch to imagine a response team quietly forming to prioritize fixing everything "just in case".

It's entirely possible Microsoft ended up fixing more things than have been disclosed here - I vaguely recall the core leak involved hundreds of GBs of stuff, but that only a part of the data/code actually escaped. If that's true that's almost funny.


> “Shodan has currently indexed more than 2 million IPs running a public SMB service on port 445. ..."

OK, I understand SMB on LAN. But SMB on the Internet? Is that likely accidental?


Or a stupid way to make your data available on the go.


I did Google for "remote SMB". And your point was made in most of the top forum threads. But sure, people like the easy fix.


I have heard the NSA mission in this regard characterized as both defensive, and offensive. Defensive in that they protect our infrastructure (a counter-intel role), and offensive in that they attempt to exploit the infrastructure of our adversaries (and others) for sigint. The trick is finding the right balance, and I don't think there's much hope for agreement on that at the moment. I also find the debate a difficult one to engage in because there are large information asymmetries and much of what we're trying to discuss is obscured by secret courts, classified documents, etc. My impression is that even the people who are tasked with oversight don't get the full picture, so what do we hope to know about it. I've had experiences in industry that I can't talk about that maybe you (in the general sense) haven't had that also inform my views.

Personally, my view is that we should be putting the focus on the defensive side. Protect infrastructure, IP, etc. I believe the reputation of technology in general is harmed by the offensive mission, and US companies disproportionately so. There are now even greater incentives for our adversaries (and friends) to foster development of technologies that compete directly with US products in their own jurisdictions (where they can get a look under the hood).


I like the idea of the agencies being allowed to use a zero-day with some asterisks.

* The zero-day has to be powerful enough to allow the agency to gain full access & remotely patch the zero day -- i.e. if the zero-day gets out, and the agency didn't warn the manufacturer ahead of time and instead used it for its own purposes, it must have the capability to "immediately" scan the internet for the vulnerability and patch it where accessible.

* If the above condition is not satisfied, or if the agency can't/won't dedicate the resources to develop a backup patch, it should be required to alert the manufacturer immediately.

Does this cost more? Yes. Does it limit some of the monitoring capabilities they will have? Yes. The second seems like a pro. The first one seems like a worthy compromise for questionable activity with high potential for collateral damage.


At some point, they'd make the patch, and discover they need access again for some reason. We'd be right back where we started.


"Once installed, DOUBLEPULSAR is a stealthy backdoor that’s difficult to detect and continuously relays new information back to its controller."

Seems to contradict itself? If it's continuously relaying information, wouldn't that make it easy to detect?


I think what that means is that it's difficult to detect on the infected host machine. It's easy to detect at the network level, however.


Depending on the implementation of "continuously", it might not be easy there either. Most hosts have some reason to be on the internet. Therefore, with some cleverness, attack traffic can be hidden within normal, expected traffic.
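The two network-side questions raised in this thread (is SMB reachable from outside the LAN, and can a "continuously relaying" implant be spotted in traffic even when the host looks clean) can both be checked from ordinary flow records. The following is an added example, not code from the thread or from any tool it names; the flow log is constructed inline, the field layout and the LAN address ranges are assumptions, and the beaconing heuristic (coefficient of variation of connection inter-arrival times) is one common approach, with a threshold chosen for illustration.

```python
"""Added example: two network-level checks over a constructed flow log.

1. exposed_smb():        internal hosts that accepted SMB (tcp/445 or /139)
                         from a source outside the LAN ranges.
2. beacon_candidates():  (src, dst) pairs whose outbound connections arrive
                         at a near-constant interval, the pattern a scheduled
                         implant check-in produces and interactive traffic
                         usually does not.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log (not real traffic): "timestamp src dst dst_port bytes".
# 10.0.0.5 checks in every 30 s; 10.0.0.7 browses irregularly; 10.0.0.9 gets an
# SMB session from a non-LAN address as well as one from a LAN neighbour.
FLOWS = """\
2017-04-21T10:00:00 10.0.0.5 203.0.113.9 443 1200
2017-04-21T10:00:30 10.0.0.5 203.0.113.9 443 1210
2017-04-21T10:01:00 10.0.0.5 203.0.113.9 443 1190
2017-04-21T10:01:30 10.0.0.5 203.0.113.9 443 1205
2017-04-21T10:02:00 10.0.0.5 203.0.113.9 443 1201
2017-04-21T10:00:03 10.0.0.7 198.51.100.20 443 5400
2017-04-21T10:04:41 10.0.0.7 198.51.100.20 443 900
2017-04-21T10:06:02 10.0.0.7 198.51.100.20 443 17000
2017-04-21T10:19:55 10.0.0.7 198.51.100.20 443 3100
2017-04-21T10:00:10 192.0.2.44 10.0.0.9 445 800
2017-04-21T10:00:12 10.0.0.3 10.0.0.9 445 800
"""

# Assumed "inside the LAN" ranges: RFC 1918 plus loopback and link-local.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

SMB_PORTS = {445, 139}


def is_lan(ip):
    """True if the address falls inside one of the assumed LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def parse_flows(text):
    """Parse the whitespace-separated flow lines into tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return rows


def exposed_smb(rows):
    """Sorted list of internal hosts that served SMB to a non-LAN source."""
    hits = set()
    for _, src, dst, port, _ in rows:
        if port in SMB_PORTS and is_lan(dst) and not is_lan(src):
            hits.add(dst)
    return sorted(hits)


def beacon_candidates(rows, min_flows=4, max_cv=0.2):
    """Map (src, dst) -> mean interval (s) for outbound pairs whose
    inter-arrival times are nearly constant (stdev/mean <= max_cv).
    An implant that adds random jitter raises the cv, so max_cv is a
    tuning knob, not a hard rule."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in rows:
        if is_lan(src) and not is_lan(dst):
            by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            flagged[pair] = round(mean, 1)
    return flagged


if __name__ == "__main__":
    rows = parse_flows(FLOWS)
    print("SMB served to non-LAN sources:", exposed_smb(rows))
    for (src, dst), interval in beacon_candidates(rows).items():
        print(f"periodic outbound {src} -> {dst}, every ~{interval}s")
```

Both checks work on flow metadata only, so they still apply when the payload is encrypted; the beaconing heuristic is what makes the "hidden within normal traffic" objection above concrete: it fails when the implant randomizes its interval or rides on a destination the host legitimately contacts, which is why it is a triage signal rather than a verdict.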


If it's detectable at all doesn't that make it easy to detect?


shower thought: have them been infected now, or now are known to be infected?


I was about to comment something similar, but then I saw your post. Btw I don't know why people are down voting it.

This is an important point. This research comes after 10 days of the leak. I have been following the leak closely, I've even compiled a list with all the analysis and resources on a gist.

Good guys, bad guys, kids, bored Blackhats, had enough time to practically follow the step by step instructions in order to implant the backdoor. It doesn't take more than 30-40 mins for the first read till a successful exploit.

The short answer is that we have no way of knowing how many of those were backdoored by the NSA.

Also worth noting is that the leak happened 3-4 months ago. A lot of people had access to this privately.


I was thinking this created great plausible deniability for the NSA.


I am worried about the firmware of Intel processors which I believe have had firmware since the mid-1990s or a bit later. Is this possible and are there tools "in the wild" that are capable of doing this? Does Intel do some sort of checksum to ensure that this cannot happen?


Not sure whether you're referring to CPU microcode or the OS in the management engine.

Microcode is remarkably tiny and heavily encrypted. I've never heard of anyone dropping hints as to what's in it, so if that's permeable at all I get the impression you'd probably have to have some rather nice friends to learn about it.

Regarding ME security, here's some interesting info I found a while ago: https://news.ycombinator.com/item?id=13782508


Thank you. I was thinking about CPU microcode, but the problem would apply to the ME, I'd guess.

Seems to me the CPU microcode could be hackable given NSA or Israeli govt resources.


For more details on this and regularly updated infection numbers check: https://blog.binaryedge.io/2017/04/21/doublepulsar/


The zero-day NSA Pensionfund congratulates John & Jane Doe on his retirement and wishes him/her a nice golden autumn in his Florida beach villa.


"The sheer number of computers infected with DOUBLEPULSAR is likely the work of amateurish hackers, experts said."

A huge assumption.


Thanks Apple, for not caving to public pressure.


Side topic: How can the free market/enterprise work properly if there are backdoors and zero days all over the place?


Customers start demanding security? Validation of security auditing isn't something I commonly see in purchasing.


If your threat model includes 3 letter agencies, the short answer is that you cannot.


Problem is that the 3-letter agencies' tools get leaked and then are open for script kiddies to use. So your threat model has a distributive connection to the 3-letters no matter what.


At the very least, they should at least create some honeypots to know when those exploits are being used by others...


Just thousands? I think that is a few orders of magnitude shy...


Good, this will jolt national and global security standards.


Are they added to a popular antivirus list?


shocking news indeed, seems like you need researchers and studies about everything nowadays, otherwise you're called names


"now"



