Bottom line is this. If you put backdoors in, or exploit 0days for your own, they will get out in the wild eventually, and suddenly you have massively weakened infrastructure, corporate, and government security... basically all the things important to national security in general. So while I don't disagree that triple letters need some cool tools to get shit done, I think this function needs some technocratic oversight specifically for this issue.
It's time for a new Church committee.
This seems like a disingenuous statement. I believe many reasonable folks would agree that inserting backdoors is an awful idea.
However, there is no evidence at all which indicates the exploits leaked by Shadow Brokers are intentional backdoors. Mentioning backdoors dilutes the discussion as it makes it seem like there is any sort of relationship with 0-day exploits (Which are the issue at hand).
0-days are going to be in code regardless of who finds them. It would be great to get some clarification on this from the government, but I would be pretty OK if the process looked anything like this:
1. Discover 0-day exploit relevant to mission.
2. Build modular tools to utilize the 0-day.
3. Create detection signatures for the exploit to run against Upstream collected internet communications.
4. If another party is seen using the same 0-day (doesn't matter if it was via leak or independent discovery), have a cutout such as FBI or DHS contact vendor with details to get it patched ASAP.
Many 0-days are built of multiple bugs. A triple letter may use bug #1 and bug #2 to get a result, but another party will use bug #1 and bug #3 to get a similar result. Back to square one with corporate/government/personal equipment getting hacked reducing overall security.
Traditionally the meaning of “backdoor” has involved intent as well as access. Unlike a basic bug, the system is working as designed but the designer wasn't trustworthy.
This is not true. A backdoor indicates that Microsoft is aware of it (and/or colluded to put it in), but there is no evidence of that. I respect your disagreement with my thoughts on how they should handle 0-days, but re-defining "backdoor" does not seem helpful.
By de facto, I was implying that they both accomplish the same things with almost the same list of pros and cons.
While I know there may be reasons to disagree with that practice, I think it would be a major stretch to say that it meant iOS suddenly had a backdoor.
The 0-day you were not reporting gave you escalated access to iOS devices. If Apple had given you a backdoor, you would have had the exact same access to the device.
Not saying it's the same thing, which is why I used "de facto". The government just wants the access. Regardless of whether the hole is intentional or unintentional, if a hole exists, then overall security is weakened.
The best solution enables both of these to the maximal extent possible (and has honest discussions about their relative values).
And this seems a little disingenuous. Perhaps there is no evidence so far regarding these particular leaks from Shadow Brokers, but in general the NSA has a history of creating backdoors.
You and I discussed some of this a bit already in one of the older NSA threads:
The idea of "key escrow", used by the NSA in the Clipper Chip's Skipjack algorithm, is really a euphemism for a built-in cryptographic backdoor.
And right there, GP is correct. Either there is evidence to suggest that these were planted backdoors (difficulty: patched out long before the leaks), or there is not.
1. Discover 0-day exploits relevant to mission
2. Build modular tools to utilize the 0-day
3. Do nothing
4. Lose control of 0days, or allow other actors to discover them.
It seems like the NSA is trying to avoid perceptions that they're scanning domestic internet traffic, but that leaves us in the vulnerable position of hacking everyone while leaving our own doors wide open.
I'm curious as to what your response would be to solve this. If it's to scan domestically, then that's a 180 from every other argument point people make against the NSA and domestic operations. That said, they do spend a regular amount of time working with private companies to remedy and solve breaches by nation-state & similar actors. For an example, look up the Aurora investigation.
Yes, it's a good thing that very illegal cyberattacks are never done over encrypted channels. To catch the once-in-a-blue-moon hacker who has their bots log in to the mothership with ssh or something, we could just go ahead and let the government write ring-0 antivirus for us.
EDIT: I would agree that without intent to gain access, it's not inserting a backdoor.
Part of the NSA's job is signals intelligence, so they specifically find the vulnerabilities as a means of access. And if that were not the case, they would not have spent the time finding the vulnerabilities, so those 0-days would still exist and be potential attack vectors regardless.
That seems intentionally dishonest, no? If I disagree with a position I'm not justified in intentionally misrepresenting it because I feel morally correct. Unless you're alleging that these vulnerabilities were intentionally placed there, I don't understand why you'd feel the need to say that. Worrying about the effects of stockpiling vulnerabilities seems like a defensible position in and of itself.
That seems fair enough. The NSA needs to exploit flaws, but they can be a bit less evil about it by being ready to fix them if necessary.
That doesn't solve the fact that NSA's competitors could find and exploit the same flaws, or that sometimes it's hard to tell whether any leaks have happened, but it's an improvement.
At the end of it, it's hard to seriously argue that the NSA should stop exploiting computers. It's their role. We need them, just like we need a military. But we can think of ways to reduce the impact without getting in the way of their job.
We have evidence that the NSA has no idea from where or through whom it's leaking. My impulse is to say "you get so many years to use an exploit, maybe more with higher-up approval, and then you must disclose it." Unfortunately, with virtually zero independent oversight of these agencies, I have no faith such rules would be followed.
Disband the CIA, NSA and their 3 letter brothers. Fold personnel and funding into the FBI. This doesn't make me a fan of the FBI, but at least there is some transparency. IMO
The general consensus seems to be that Russia was the source of the leaks. The US government knows this, and everyone involved knows who is leaking what, and why. If so, then this is a political move. Is there evidence to contradict this?
I also bet that other countries do the exact same thing, probably even more likely considering the "marble project" source code is leaked.
Also it looks like a hunt for the internal leaker has begun.
Whatever the source, We do still have to deal with the content of the leaks.
The content is what we need to take a very close look at to begin to increase and harden our security. Especially senior developers and software architects.
> We do still have to deal with the content of the leaks.
Check out the actual content of the Marble leak. You will find that there is no evidence of your claim. It has been mentioned countless times that the foreign languages seen in the code are gibberish when translated, and are evidently there for testing purposes.
Firstly by saying: isn't it interesting that, if it is Russia who moved the exploits from the NSA employee / contractor to WikiLeaks then they (the Russians) have acted in the service of the global public.
But let's not get distracted.
The source of all NSA leaks is never some rogue employee, or contractor. It's never "The Russians"™ or "The Chinese"™.
The source of NSA leaks is the goddamn NSA.
In that light, the context is to reduce the impact of the NSA's necessary goals.
Higher up in the thread, it was claimed that one of the most feared branches of the intelligence arm of the most powerful government in the world was so incompetent that they had no idea who was behind these leaks, and that there was evidence to support this assertion. I have an open mind, so I was hoping to see this evidence.
That's one half of their job, the other half is to secure government infrastructure from exactly the type of attacks they use on other countries.
The problem there is that it sets up an incredible tension since how do you get the message out about a 0-day in windows to protect your 'own' side without your opponents getting the same message.
I've thought for years that the NSA doing both jobs is silly since one side will inevitably win that argument (as seems to be the case).
It needs to be a separate agency concerned purely with securing government and infrastructure from external threats with a decent firewall between the two sides (and possibly an oversight clearing committee to keep an eye on what both sides are up to).
Over here in the UK we have largely the same problem with GCHQ having a dual mandate.
Force-push a Windows 10 update? That seems like one of the few legitimate use cases of Win10 being a corporate botnet.
American companies get disclosures, foreign companies do not.
US companies like Oracle, MS, Google, etc. have offices all over the world.
They also tend to use various visas to import 10% of their own US based staff (probably a much higher ratio of engineers) from foreign nations.
The US has gotten very wealthy from offshoring, foreign talent, and technical exports, but it causes a massive problem when keeping secrets locally.
What it shows instead is that the NSA and other agencies could not care less about national security as long as they get to hack interesting targets elsewhere.
Is there any evidence other than Snowden's speculation?
Would you say the same of Chinese government hackers and Syrian military? If yes, OK. I understand you accept the need for competition in arms. If not, can you explain why?
Doing the least morally right thing always brings more problems than its worth, and that's exactly what NSA does every time it pokes holes into everyone's software.
I'm not OK with the Chinese having slingshots and spears, never mind ICBMs and nuclear warheads. That doesn't stop them, and I'm not offended or shocked that they would be armed.
Regarding cyberwar, I prefer that the Chinese not know how to program computers or even find the "on" switch. I'm not offended or shocked that they manage this and much more.
The same goes for Syria.
No, for the same reason why I'm okay with the US military having nukes but wouldn't be okay with Syria having them.
Obviously it'd be great if we could get by with no military powers having to possess zero-day exploits (or nukes), but so long as we can't be sure no other nations are benefiting from such exploits, it makes no sense strategically to forbid our own governments from doing the same.
Or do you consider America to be special and that it deserves these powers more than other countries? Personally I don't think it's competent to hold them because it has an ongoing history of using its weapons to destroy other countries, property and lives. If I had to choose who wins the arms race, I would prefer a less hostile country like China or Germany to have them instead of America. But really, why not nobody? Exploits are offensive weapons, not defensive ones.
Correct. Same goes for any nation. Since there's no way to be sure that other nations aren't developing zero-day exploits, not developing exploits of your own does nothing more than put you at a disadvantage.
> Or do you consider America to be special and that it deserves these powers more than other countries?
Yes. I know this seems to be a rather unpopular opinion with the HN crowd these days, but the US absolutely deserves to have better military capabilities than nations like Syria or China. (As for Germany, I'd also be mostly okay with them possessing exploits; as they're a democratic nation who I generally trust to act in the best interests of their citizens. I cannot say the same for Syria or China.)
> But really, why not nobody? Exploits are offensive weapons, not defensive ones.
That'd be great, but unfortunately it's not a realistic option. So long as one nation possesses and benefits from zero-day exploits (even secretly) then it makes no strategic sense for any other nation to intentionally put themselves at a disadvantage by not developing exploits of their own.
> If it ever leaks, they can send the target
> company the report.
You can't treat cyberweapons like normal weapons.
The analogy is not that you come up with a secret bomb design and drop it on the target, but that to use your bomb you must send the full Top Secret designs for the bomb to every target, hoping that they voluntarily use it to blow themselves up instead of writing the design down & using it against you.
The way to protect against this is probably to have constant security audits. But these are expensive, so the situation is that there will always be exploitable computers and software, especially when a nation-state adversary is doing the exploitation.
The solution is what it's always been: Political control. We have terrifying weapons, and what keeps them at bay is aligning the incentives of our politicians so that the calculus of employing them is more costly than keeping them unused. (Unfortunately this may not be possible with cyberweapons, because unlike real weapons, there is no death and destruction as a side effect.)
You mean, if they become aware of it leaking. Exploits can leak and be utilized without anyone being aware of it, for years. It's not like you see a mushroom cloud on the horizon and your earthquake detectors wobble.
there are plenty legal wiretapping/surveillance alternatives that don't rely on not fixing a compromised worldwide infrastructure.
In the current doctrine, it apparently does.
And it's unlikely, even if MS were secretive, that the USG could not get multiple people working at MS with access.
Which is what exactly? That a spy agency is spying?
>If you put backdoors in, or exploit 0days for your own, they will get out in the wild eventually, and suddenly you have massively weakened infrastructure, corporate, and government security
I don't agree with putting in backdoors, but I don't see how exploiting backdoors by your security agency is so nefarious. That is literally what they were created to do, and this is what every other foreign security agency is doing as well.
>So while I don't disagree that triple letters need some cool tools to get shit done
Sounds like you do.
>I think this function needs some technocratic oversight specifically for this issue.
How about congressional, judicial and executive oversight? Because that's what we have now.
The NSA is supposed to do both defense and offense. The defense came up, for example, when they improved DES to resist differential cryptanalysis (which the public crypto world hadn't discovered yet) before DES was standardized.
But that was a long time ago; at least since 9/11 the offense side seems to have pretty much eaten the defense, as far as we can tell. (See: https://en.wikipedia.org/wiki/Dual_EC_DRBG) I believe this newer strategy is badly misplaced from the standpoint of the security of the American people (and good for the power of security-state insiders).
The way you're framing it presumes SIGINT is in charge and positively welcomes insecure U.S. computers. I'm saying that's bad for us. I've seen others saying the same.
Also, secure computers would not make spying go away, and SIGINT would not be impotent. Its powers are still increasing with, e.g., surveillance of whole populations from the air with high-res video cameras. Comms spying would go back to retail instead of wholesale data collection.
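The Dual_EC_DRBG reference above is the one concrete cryptographic backdoor named in this thread, so here is a toy of how that trapdoor works, as an added example (not code from the thread, from NIST or from any standard). A miniature Dual EC generator runs on an assumed 16-bit curve, and the Shumow-Ferguson state-recovery attack is available to whoever knows the discrete logarithm relating the two published points P and Q. The curve y^2 = x^3 + 2x + 3 over GF(65519), the secret scalar chosen from 777 upward, the seed 4242 and the 8-bit truncation are all assumptions picked so the script runs in about a second; the real generator used NIST P-256 and dropped 16 of 256 bits.

```python
"""Toy Dual_EC_DRBG with the Shumow-Ferguson trapdoor: an added example, not code
from the thread or any standard. Curve, scalars and truncation are tiny assumptions;
the structure follows the real DRBG. Needs Python 3.8+ for pow(x, -1, p)."""
from math import gcd
# Assumed toy curve y^2 = x^3 + A*x + B over GF(P_MOD); 65519 is prime and 3 mod 4,
# so sqrt(r) = r^((p+1)/4). Real Dual EC used NIST P-256 and 256-bit state.
P_MOD, A, B = 65519, 2, 3
INF = None          # point at infinity
TRUNC_MASK = 0xFF   # x < 2^16; publish its low 8 bits (the real DRBG drops 16 of 256)

def ec_add(p1, p2):
    """Affine addition on the toy curve; covers doubling and inverse points."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication; k = 0 mod order gives INF."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def lift_x(x):
    """The point with this x (canonical y), or None if x is off the curve."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, min(y, P_MOD - y)) if y * y % P_MOD == rhs else None

def find_base_point():
    # First on-curve x whose point is not in a tiny subgroup; returns (P, order).
    for x in range(1, P_MOD):
        pt = lift_x(x)
        if pt is None:
            continue
        n, acc = 1, pt
        while acc is not INF:
            acc, n = ec_add(acc, pt), n + 1
        if n > 1000:
            return pt, n
    raise RuntimeError("no usable base point")

# The "standard" publishes P and Q. Whoever generated Q as D*P also knows
# E = D^-1 mod N, i.e. E*Q = P: that E is the backdoor key.
P, N = find_base_point()
D = next(d for d in range(777, N) if gcd(d, N) == 1)   # assumption: arbitrary secret
E = pow(D, -1, N)
Q = ec_mul(D, P)

def drbg_step(s):
    """Emit trunc(x(s*Q)) and advance the state to x(s*P). (SP 800-90A advances
    before emitting; only the raw seed is handled differently.)"""
    out, nxt = ec_mul(s, Q), ec_mul(s, P)
    if out is INF or nxt is INF:
        raise ValueError("state is 0 mod N; negligible at real sizes")
    return out[0] & TRUNC_MASK, nxt[0]

def drbg_outputs(s, k):
    outs = []
    for _ in range(k):
        r, s = drbg_step(s)
        outs.append(r)
    return outs

def trapdoor_attack(e, observed):
    """Set of next states consistent with the truncated outputs, given the backdoor
    key e (e*Q = P). observed[0] comes from the unknown state; later outputs only
    weed out wrong candidates."""
    r, later = observed[0], list(observed[1:])
    found = set()
    for hi in range(0, P_MOD, TRUNC_MASK + 1):   # re-supply the dropped top bits
        x = hi | r
        if x >= P_MOD:
            break
        R = lift_x(x)                            # equals +-s*Q when x is the real one
        nxt = ec_mul(e, R) if R else INF         # e*(+-s*Q) = +-s*P: its x is the next state
        try:
            if nxt is not INF and drbg_outputs(nxt[0], len(later)) == later:
                found.add(nxt[0])
        except ValueError:
            pass
    return found

def demo(seed=4242, n_observed=4, n_predict=4):
    # Generate outputs, hand the attacker the first n_observed, predict the rest.
    outs = drbg_outputs(seed, n_observed + n_predict)
    observed, future = outs[:n_observed], outs[n_observed:]
    _, true_next = drbg_step(seed)
    found = trapdoor_attack(E, observed)
    predicted = {s: drbg_outputs(s, n_observed - 1 + n_predict)[n_observed - 1:] for s in found}
    return {"observed": observed, "future": future, "true_next": true_next,
            "recovered": found, "predicted": predicted}
```

demo() returns the four truncated outputs the attacker sees, the single next state recovered from them and the following outputs it predicts, which match what the generator actually emits next. The design point is that nothing in the output stream is weak on its own: an observer without E gets a discrete-log problem, while the holder of E brute-forces only the dropped top bits (2^8 here, 2^16 for P-256) and does one scalar multiplication per candidate. Shumow and Ferguson showed in 2007 that about 32 bytes of output suffice at real sizes, and whether anyone holds such an E for the standardized Q is exactly the question that was never answered.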
You fundamentally misunderstood my post, which is causing you to reach strange conclusions. Neither is "in charge." They are two separate entities with separate missions. Some of the systems developed and documented by IA make the job of SIGINT difficult if our adversaries implement them as well.
How would spying from the air have prevented Iran from developing its nuclear program?
Iran with nukes seems to me a lesser threat to us than an uncontrolled U.S. government.
There is no evidence that anything has changed.
> Iran with nukes seems to me a lesser threat to us than an uncontrolled U.S. government.
Who is suggesting that the government should be uncontrolled? Iran with nukes is a far greater threat than the NSA with 0-days, which is what we're discussing.
But it does beg the question: who's protecting our information from foreign intrusions?
However, I'm not convinced the NSA is the entity for that role. Organizationally, the NSA makes more sense as an R&D entity that discloses to offensive intelligence agencies and defensive security forces.
Defense is arguably part of the FBI mission, however they don't have the NSA's level of skill or resources. The FBI might be able to detect abuse when it gets rampant but I have zero confidence that they would discover any of these exploits themselves. The FBI is mostly cleanup and criminal prosecution.
We need an organization focused on preemptively securing our infrastructure.
> NSA is concurrently charged with protection of U.S. government communications and information systems against penetration and network warfare.
Did you ever hear the tragedy of Stuxnet the wise?
Stuxnet was a cyberweapon so powerful and so well hidden it could use computers to cause nuclear centrifuges to fail.
Unfortunately, others learned from code the worm left behind, then other actors used the same techniques to infiltrate computers everywhere for a year. Ironic. It could save the world from nuclear weapons, but not computers.
The fact that the three letters are continuously failing to understand the long term blowback potential of the programs they start, regardless of initial merit. In this case, instead of spending nearly as much time doing hardening documents, they were busy compromising everything. The name of almost all of our fuckups in this arena is blowback.
>I don't see how exploiting backdoors by your security agency is so nefarious
When they use them for lawful purposes, such as foreign SIGINT, OK. With that kind of power though, at a bare minimum I would be concerned about abuses of that power domestically. At a minimum. I could wax on about all the reasons it could be bad for a long time.
>How about congressional, judicial and executive oversight? Because that's what we have now.
That's exactly what I said was needed. A technocratic oversight committee could exist in all branches on this subject. Also, we really don't have good oversight in place. Think about the kind of effects this has on potential oversight bodies...
For example, the chairman on the senate intel committee is about to vote for more oversight of $secretprogram. It's imperative to national security that this program not receive scrutiny, so it's allowed to use these 0days against them, find or plant blackmail material, and exploit that to get the chairman of oversight to not do it.
This is the kind of shit I was talking about and have been warning people about. It's not just about the surveillance. Surveillance is always about control, not security; security is just the bullshit they sell the public to not induce outcry.
People's memories are way too short with this kind of stuff because something like this already happened: The CIA hacked the computers of the senate oversight committee responsible for investigating the CIAs record of torture.
To spell it out: backdoors are of course a helpful tool for a security agency, but once the key for the backdoors falls into the wrong hands the potential for misuse is monstrous because, well, the backdoors are in all kinds of potentially critical systems, e.g. even in the cellphones of high ranking officials (or in cellphones of their families) etc.
To get the same intel by different means than a backdoor is of course much more expensive. So one needs to find the sweet spot, where the utility as a function of cost and security is maximized. That sweet spot likely does not involve backdoors.
I think it's fairly common for even someone with a cursory knowledge of security to know that backdoors are a bad idea.
The triple letters don't get their power from poor products. Those are going to be around no matter what. I'd rather this just drive a push toward more open source products throughout the network stack. The triple letters get their power, not from poor products, but because existing oversight of the agencies has been lax in the name of fightin' terror.
When it is legal for gobs of data to be vacuumed up without any court order then they will have power, no matter how much poor software is in the wild.
neh, the world was calling for them to stop trying to put backdoors in security software for a while. To my generation it was the 2007 ECC curve primes. https://www.schneier.com/blog/archives/2007/11/the_strange_s...
to the previous generation it was the clipper.
Snowden really raised awareness outside the security circles, but this has been an issue a long time prior.
And we knew about PRISM for a good two years before its public disclosure. Sudden black square over a remote area in Utah in satellite imagery. Pictures of a massive construct. Coupled with the fact that we knew they needed a place to centralize all of this collected information, it was plainly public how the NSA was operating. No one just wanted to frigging listen until they had a celebrity icon like Snowden to interest them, because we operate on a system of identity politics.
Side note, what black image in a remote area of Utah? If you're talking about the Bluffdale data center, it's been visible on Google maps this entire time IIRC. You can even see historical images of it being built in Google Earth:
I distinctly remember a point when it was not visible. That is how I discovered the plans to build a complex there years ago. This was probably remedied not long after we started catching wind.
I'm sure it would not be difficult for Google, et al. to retroactively "fix" their public imagery data.
I wasn't saying that's when it started. I was saying that's when people stopped viewing "government is listening to everyone" as conspiracy.
> No one just wanted to frigging listen until they had a celebrity icon like Snowden to interest them...
It didn't have anything to do with Snowden's "celebrity". Do you think he was a celebrity before he produced physical evidence? Turns out, no one wanted to friggin listen, until someone had proof.
The entire point is that the public isn't listening to the dangers presented beforehand. Yes, now people don't think you're crazy for thinking we are surveilled heavily, but now the equivalent is when I tell people why they put the surveillance in place at all. Typical responses include "but they're just doing it for national security".
If 1/3 of the public only knew half the shit the gov was up to there would be a revolt tomorrow morning. It's deeper and darker than just massive surveillance. My only question for years has been if the public will wake up enough to realize it. With the failing education and financial systems and the propaganda levels turned up to 11, I'm beginning to doubt it.
Someone already had proof.
Snowden was the one who managed to bring it to a mass audience. And I love him and respect him immensely for that. But I'm sure he also feels the same disdain that it took him completely destroying his life to convince people that something nefarious has been going on when many clues were already public and just routinely dismissed by people like the other guy arguing with me right now.
Yeah, he gave lots of evidence on programs we didn't even know existed. Like, the full extent of this situation. But we already had enough information to know that we should demand legislation and oversight and that 1984 has all but come true.
You misunderstand me. PRISM is the program, but it needed an HQ! Here is that HQ:
Here is one such example of such a wiretapping program under AT&T:
And there are many more. It just depends on what you call "evidence". Is it your own definition, or are you relying on others to tell you what is and isn't legitimate?
It's quite ironic that you are telling me I don't know what PRISM is when I knew about it long before it reached public, and presumably your own, attention.
Look at the very first sentence:
> PRISM is a secret code name for a program under which the United States National Security Agency (NSA) collects internet communications from at least nine major US internet companies
> Documents indicate that PRISM is "the number one source of raw intelligence used for NSA analytic reports", and it accounts for 91% of the NSA's internet traffic acquired under FISA section 702 authority." The leaked information came to light one day after the revelation that the FISA Court had been ordering a subsidiary of telecommunications company Verizon Communications to turn over to the NSA logs tracking all of its customers' telephone calls
You're talking out of your ass. Clearly. You can't even do basic research on the most public open knowledge base on the internet.
Just saying there is no evidence of mass wiretapping of AT&T's infra makes you look ignorant as hell.
Next you're going to tell me this is just a fraternity club:
Room 641A isn't a mass wiretapping system. Once again, see the documents from Snowden. It looks for communications from specific Internet endpoints that are being wiretapped under court order.
I never said Room 641A was a mass wiretapping system? Just that it was one example of many such wiretapping initiatives?
I also provided citations showing that this is more than just targeting specific accounts?
You're starting to sound like a shill, that won't do any good if you're trying to convince people of your narrative.
If we take the upper bounds from the transparency reports from the Internet companies, we can estimate that the volume of data from PRISM is so small that you could fit it on a single rack, and the Utah datacenter has nothing to do with it.
You'll find that I'm a shill on the JFK assassination, chemtrails, mind control rays, and every other conspiracy theory that lacks evidence and has substantial evidence to the contrary.
PRISM isn't just some negligible thing to be brushed off. And of course it isn't the only thing they're doing over in Utah. It's one of many sources that all come together at places like this for data analysis. But it's the "big deal" everyone is talking about so it is very relevant to the discussion.
Remember, if there is one there is more. We don't need a comprehensive list of every data center and chokepoint that is under surveillance to understand how prevalent it is based on known data.
Example of mass surveillance:
Do I need to give you more or can you take it from here? Do you need more proof than the wiretapping of half a dozen countries' ENTIRE phone calls?
Please do not chalk this up to "conspiracy theory". That is damaging and misleading. You are attempting to group this together with more fringe theories in order to discredit it. Logical fallacy. If you want to continue this discussion I ask that you play fairly and not revert to rhetoric and distraction.
That's because it contains wiretapping data of specific highly valuable targets. Nowhere in this sentence does it say that it contains mass surveillance because Snowden's documents and the government have shown it does not.
I never said that the NSA doesn't engage in mass surveillance, only that it doesn't do mass wiretapping through Verizon and AT&T or through the Internet companies, as you wrongly believed PRISM did. The reason that distinction matters is that the NSA absolutely should gobble up all communications in a war zone or other foreign area threatening national security. That's what it's there for. Gobbling up and processing domestic communications as your claimed mass wiretapping on Verizon or Google would do is outside the scope of the intelligence agencies, and there remains no evidence that they do that despite multiple leaks. Any claim otherwise is conspiracy theory by definition.
I also never mentioned Google. Your arguments keep starting off by strawmanning my own.
But sure let's talk about Google. You really think Schmidt and friends are clean on this? He is a globalist authoritarian lap dog.
And you're also fundamentally confused about something. See, the NSA does not need direct access to all of this data. They allow/encourage/force various companies to comply with certain data collection and retention practices, and tap into this data when necessary. Why? So that people like you can claim they are not directly surveying their citizens.
All of the data still exists, and is accessed when needed.
It's like if my friend spied on you and reported back to me whenever I asked, but then I come out and say, "Hey mister, I'm not spying on you. I only ask my friend about things necessary to my investigation. If you're being a good dog then this shouldn't even bother you."
You started off by saying you knew about PRISM because the NSA is building a large datacenter in Utah just to hold PRISM's data.
> I also never mentioned Google.
I never claimed you did. You claimed that PRISM ingested mass wiretapping data. That data would come from Google and other Internet companies according to the documents. My point was that your belief that it is illegally gobbling up all the communications done on Google's and other Internet companies' communications products is baseless.
You don't remember when news broke in 2014 that the NSA was snooping on Google's Gmail traffic that was flying around unencrypted within their own network? Google, rightfully embarrassed, subsequently enabled internal end-to-end encryption after the news broke.
Here it is straight from the horse's mouth:
So... yeah. Not baseless at all. Meanwhile you have yet to provide a single citation throughout all of this.
According to Snowden's documents, the NSA used email envelope metadata where at least one side was a foreigner to build a connection graph, similar to pen register metadata collection. It didn't look at the contents, which it would have to do in order to be wiretapping. That program (STELLARWIND, which operated behind the Internet companies' backs, not PRISM, which operated via court orders on specific accounts) ended before Snowden even leaked it. https://www.theguardian.com/world/interactive/2013/jun/27/ns...
Let's recap. You claimed that PRISM is mass wiretapping. It isn't. You claimed that the NSA is mass wiretapping Verizon and AT&T. It isn't. Let's stick to your original claims and see them through to completion. Do you admit you were wrong about PRISM and the telcos?
I did not say PRISM was mass wiretapping but it is indeed part of the surveillance suite of NSA programs. I did not adequately explain myself in my original post, but I cleared things up afterwards and you are ignoring that completely. You have consistently been framing my arguments in a specific way so that you can attack them in a specific way.
I also don't understand why you think that the NSA was not mass wiretapping both of those telcos' major junctions. It's a known thing. It's not some fringe conspiracy theory. The Fed has been tapping phone lines since the very beginning. Not all of them sure, but certainly in a dragnet fashion. This has continued with the explosive growth of information networks into the 21st century. I provided links. I do not need to provide any more on that topic.
I've honestly never encountered someone before who so earnestly believes as you do that these programs are not widespread or dangerous or grossly overstepping their bounds. It's like denying climate change or something.
I gave you a link to a slide diagramming PRISM and a link to the document describing the email envelope program that had shut down.
> I did not say PRISM was mass wiretapping but it is indeed part of the surveillance suite of NSA programs.
I understand you now concede that PRISM isn't the nefarious new-datacenter-requiring mass data collection you originally claimed it was, that the actual surveillance itself is carried out by the FBI, and that PRISM just enables the NSA to search the FBI's data collected on specific foreigners with a court order.
> I also don't understand why you think that the NSA was not mass wiretapping both of those telcos' major junctions. It's a known thing.
If it's a "known thing," where is the evidence? None of your links claim that the NSA is mass wiretapping the telcos' major junctions. Mass wiretapping Americans would violate the Fourth Amendment (the ACLU successfully sued over phone metadata collection, and collecting voice content would be a much bigger issue), so if you have any evidence at all, present it or be prepared to be labeled a conspiracy theorist.
I gave you links, but I will humor you with another:
> . . . recently published FISA court order demanding Verizon turn over all customer phone records including who is talking to whom, when and for how long—to the NSA . . .
Oh look! FISA being used to demand all of Verizon's phone records! All of them! And what is one of the programs that FISA feeds into? Oh yeah, that's right. PRISM. If you do not consider this to be a dragnet surveillance order, you are just lying to yourself. So there is yet another verifiable source highlighting the scope of PRISM.
Here is the relevant court case:
Do I need to physically take you to Titanpointe to see it for yourself? Here is a link explaining what that is; I already posted it once, but clearly you have not been following through and reading these links.
This explicitly isn't PRISM, and this isn't ongoing. Moreover, Snowden's documents showed that this data wasn't used for surveillance. The data was anonymized and a system (not PRISM) was built on top of it that could only perform a limited set of graph queries to find associates of known threats to national security. To deanonymize a node, the government would have to request another court order.
You have once again demonstrated that you don't know what PRISM is, so is it any wonder that I keep calling you out on it?
And a lot of the hoopla about these immoral dragnet tools is not only the fact that they partially target American citizens (after NSA executives said under oath, in very particular terms, that they do not collect files on American citizens) but also that they were being accessed by employees without court orders.
Pre 9/11, maybe you could have made a case about this "anonymization" being legitimate. There were certainly programs in the works that attempted to incorporate homomorphic encryption into their design. But these have been gutted and reformed into what we have today.
You have to wonder, what are these tools being used for? They certainly haven't been publicly attributed to stopping any terrorist activities. If you don't think these systems, put in place by spy agencies with the legal ability to lie about their internal operations, are being used to spy on their targets (which is the general public) then what the hell do you think they are for?
It doesn't. That's my point. How many more times are you going to show that you don't know what PRISM is while claiming that you do?
Also, surveillance is, by definition, close observation. Merely having anonymized phone metadata is not surveillance any more than having access to Google Maps satellite imagery without any other data sources to join to. More specifically, it isn't mass wiretapping, which as you recall was your original claim that you have yet to substantiate, instead pointing to this metadata program that I had earlier used to show you that no evidence exists for mass wiretapping of Americans.
We already have a bunch of stories of crooked cops using databases to stalk love interests, etc. Then look at the Michael Hastings incident. Imagine how much abuse goes unreported.
The US intelligence agencies have a less than stellar history regarding moles.
I don't see any discussion about the fact that, if you were the NSA, you'd absolutely want this to happen to muddy the waters for attribution.
Seems like you're pigeonholing a pet issue into something totally unrelated.
Conspiracy theorists are where 3 million illegal voters, thousands of Arabs dancing on buildings, and the last president being a Kenyan with a falsified birth certificate, all come from.
That we connect directly to a worldwide network with minimum consideration for security is very troubling. In decades to come, we'll look back in humility and realize that the manners in which we used technology added grave risks to our health.
In 2017, we are not in the "wild wild west" age of technology. Rather, we are firmly in the dark ages. We're so far away from having an understanding regarding the lack of social maturity in our technological growth that we fail to properly consider the downside risks.
This is a tough nut to crack because technology is simply too good for the majority, even the technically inclined majority. I recall efforts by very very talented folks to build decentralized technologies to help mitigate some of these long term risks, but such efforts will remain firmly at the fringes of intellectual superiority for a long time. Meanwhile, Goliath will simply grow stronger in time, unless there is some major cultural shift. Is there any such shift happening, beyond the fringe?
"That we have centralized global social networks carries risks that the majority of people are not able to experience"
If the majority of people do not experience the consequences of the risks of whatever-it-is-you're-railing-against, if those risks are never realised by the majority, your argument evaporates.
Is what Facebook did (does?) warfare? I sometimes like to dabble in hyperbolic alarmism, so I'm inclined to want to say yes.
Maybe it's a sign of progress that we now consider emotional manipulation "war". It's probably less harmful, by all accounts, than slaughtering each other.
Marshall McLuhan postulated back in 1970 about the future of warfare:
>World War I a railway war of centralization and encirclement. World War II a radio war of decentralization concluded by the Bomb...
>World War III is a guerilla information war with no division between military and civilian participation
We don't need a future info-technologically induced dystopia to commit atrocities. A shibboleth will suffice.
From modern times to way back.
Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand. Judges 12:6
It is also interesting to read the outrage about the tools and the presentations on how to use them. If you have ever read the user's manual for a cluster bomb which no doubt tells you in detail how to maximize the number of people it will kill, you get a sense of how destructive and outrageous war can be. Why should cyber war be any different? And how is it any different to use a zero day to compromise a system than it is to use an architectural feature of a building to bring it down on top of its occupants (other than the obvious loss of life). Exploiting defects in the deployed system to maximize the effectiveness of a munition, not a new thing at all. Just the reality of warfare.
We're pretty clearly already in a form of warfare and it is having visible effects on things like infrastructure and elections. So how do we make the battles visible to the common folks? How do you convince Mom & Dad to patch their router so that they don't inadvertently aid the 'badguys' in their quest for dominance on the digital battlefield?
Definitely feels like Phase III of the Internet has begun to me.
Because we aren't talking about bombs. We are talking about security.
We are concerned about "nuclear proliferation". Why aren't we concerned about the proliferation of these tools? It takes material to make nuclear weapons (obviously nuclear weapons are much more concerning, that isn't my point), but it only takes instructions to create and use security exploits. In this scenario, threats only have power for everyone who knows about them, and that is inherently dangerous. We should put all of our focus into getting rid of security exploits, not creating them.
I was talking about aggression against an enemy. Bombs, sanctions, cyber warfare. All in service to making the 'other guy' pay the price. In the context of cyber warfare, getting rid of your own security exploits and creating them for stuff the 'other guy' uses.
But that gets right to the essence of how this is different. The NSA sought to use a superior knowledge of exploits available in the software their enemies used against the enemy, even though the same tools can be used on their friends. That is no different than picking up the weapon of an enemy soldier and using it against his own squad mates. Or having the enemy pick up your weapon and use it against your squad mates.
Computers and networks are now (and arguably always have been) weapons of war. Just as cars and the people walking into markets wearing vests full of Semtex are. And that is a sad truth because it means becoming a casualty can happen anywhere without warning. And that seems to be what Phase III will be about.
I knew it wouldn't be that semantic web babble nonsense. I really hope it is the realization that infosec is important and we become closer to real engineers that factor in risk. My only fear is that it results in more useless regulatory oversight with marginal ROI.
The recent controls put on zero day sales are a good example. They will do nothing to prevent the proliferation of malware and only punish honest companies helping to secure systems with practical attacks.
It's like how the city I live in (Toronto) just enacted another round of rent control to deal with a lack of affordable housing. Rent control makes people happy by seeming to address the problem, but historically it has always resulted in less development of affordable housing by disincentivizing investment, rather than helping developers build more buildings cheaper by reducing red tape.
This is what we need to do with security research. Stop villainizing researching exploits and sending innocent kids to jail and start paying them good money for their (often profitless) energy expenditure.
I wondered for a minute, then remembered that the leak was dropped, encrypted, onto torrent sites.
So there's your "it's out there". And you have a file size.
From there, well, Microsoft is yuuuuge, so it's entirely feasible that some nice person with connections to the leak in question could probably drop "well this and that was in it." From there it's not too much of a stretch to imagine a response team quietly forming to prioritize fixing everything "just in case".
It's entirely possible Microsoft ended up fixing more things than have been disclosed here - I vaguely recall the core leak involved hundreds of GBs of stuff, but that only a part of the data/code actually escaped. If that's true that's almost funny.
OK, I understand SMB on LAN. But SMB on the Internet? Is that likely accidental?
Personally, my view is that we should be putting the focus on the defensive side. Protect infrastructure, IP, etc. I believe the reputation of technology in general is harmed by the offensive mission, and US companies disproportionately so. There are now even greater incentives for our adversaries (and friends) to foster development of technologies that compete directly with US products in their own jurisdictions (where they can get a look under the hood).
* The zero-day has to be powerful enough to allow the agency to gain full access & remotely patch the zero day -- i.e. if the zero-day gets out, and the agency didn't warn the manufacturer ahead of time and instead used it for its own purposes, it must have the capability to "immediately" scan the internet for the vulnerability and patch it where accessible.
* If the above condition is not satisfied, or if the agency can't/won't dedicate the resources to develop a backup patch, it should be required to alert the manufacturer immediately.
Does this cost more? Yes. Does it limit some of the monitoring capabilities they will have? Yes. The second seems like a pro. The first one seems like a worthy compromise for questionable activity with high potential for collateral damage.
Seems to contradict itself? If it's continuously relaying information, wouldn't that make it easy to detect?
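One way a defender would actually test the intuition in the comment above, as an added example that is not part of the thread or of any real implant analysis: look for hosts that talk to one destination on a metronome-like schedule. The log format, addresses and timestamps below are constructed for the illustration; the `max_cv` threshold is an assumed starting point, not a published figure.

```python
"""Flag hosts that 'continuously relay' to one destination on a fixed cadence.

Added illustration for the discussion above; the log format and every value
in SAMPLE_LOG are constructed, not taken from a real tool, implant or capture.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall-style outbound connection log: "timestamp src dst:port bytes"
# 10.0.0.5 connects every 5 minutes on the dot; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2017-04-20T10:00:00 10.0.0.5 203.0.113.7:443 512
2017-04-20T10:00:07 10.0.0.9 198.51.100.20:80 8231
2017-04-20T10:05:00 10.0.0.5 203.0.113.7:443 498
2017-04-20T10:09:41 10.0.0.9 198.51.100.20:80 120
2017-04-20T10:10:00 10.0.0.5 203.0.113.7:443 530
2017-04-20T10:15:00 10.0.0.5 203.0.113.7:443 501
2017-04-20T10:20:00 10.0.0.5 203.0.113.7:443 515
2017-04-20T10:24:03 10.0.0.9 198.51.100.20:80 9001
2017-04-20T10:25:00 10.0.0.5 203.0.113.7:443 507
2017-04-20T10:31:15 10.0.0.9 198.51.100.20:80 77
2017-04-20T10:40:37 10.0.0.9 198.51.100.20:80 330
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes = line.split()
        yield datetime.fromisoformat(ts), src, dst


def beacon_scores(text, min_events=5):
    """Return {(src, dst): (count, mean_gap_seconds, cv)} for pairs seen often enough.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive connections. A value near 0 means a fixed cadence, which is
    what a periodic relay looks like in connection logs.
    """
    seen = defaultdict(list)
    for ts, src, dst in parse_log(text):
        seen[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_events:
            continue  # too few observations to say anything about cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        scores[pair] = (len(stamps), avg, cv)
    return scores


def suspected_beacons(text, max_cv=0.2, min_events=5):
    """Pairs whose inter-connection gaps are regular enough to warrant a closer look."""
    return sorted(
        pair
        for pair, (_n, _avg, cv) in beacon_scores(text, min_events).items()
        if cv <= max_cv
    )


if __name__ == "__main__":
    for (src, dst), (n, avg, cv) in beacon_scores(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} connections, mean gap {avg:.0f}s, cv {cv:.2f}")
    print("suspected beacons:", suspected_beacons(SAMPLE_LOG))
```

The check answers the comment's question only for relays on a fixed schedule: in the constructed log the 5-minute host scores a cv of 0 and is flagged, while the irregular browsing host scores about 0.26 and is not. Relaying that only happens when there is data to send, or that rides inside ordinary traffic to a destination the host already talks to, does not produce this signature, which is why "continuously relaying" and "easy to detect" are not the same claim.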
This is an important point. This research comes 10 days after the leak. I have been following the leak closely; I've even compiled a list with all the analysis and resources on a gist.
Good guys, bad guys, kids, and bored blackhats have had enough time to practically follow the step-by-step instructions in order to implant the backdoor. It doesn't take more than 30-40 mins from the first read to a successful exploit.
The short answer is that we have no way of knowing how many of those were backdoored by the NSA.
Also worth noting is that the leak happened 3-4 months ago. A lot of people had access to this privately.
Microcode is remarkably tiny and heavily encrypted. I've never heard of anyone dropping hints as to what's in it, so if that's permeable at all I get the impression you'd probably have to have some rather nice friends to learn about it.
Regarding ME security, here's some interesting info I found a while ago: https://news.ycombinator.com/item?id=13782508
Seems to me the CPU microcode could be hackable given NSA or Israeli govt resources.
A huge assumption.