Inside TAO: Documents Reveal Top NSA Hacking Unit (spiegel.de)
197 points by Suraj-Sun on Dec 29, 2013 | 28 comments

For whatever it's worth it to any of you to know this, TAO is one of the worst kept secrets in infosec. As I understand it, there are several active, well-regarded software security experts on Twitter that come from TAO. There are even conspiracy theories that some of them still work for TAO as industry sleepers. If you had asked a software security person 5 years ago to name an NSA hacking program, there's a decent chance some of them would have said "TAO".

Out of curiosity, do you ever give pause when looking to hire people with that type of background? If they are hired, are some projects off-limits to them?

I know those sound like loaded questions, but they seem relevant if you have clients that are averse to being targeted by the NSA. These days, mainstream companies like Google and Yahoo would arguably qualify.

On the other hand, I imagine employees with that type of background would be very beneficial in the context of government and defense industry contracts.

This information now justifies having shipments sealed in a way that shows that they have been tampered with. Any foreign entity ordering goods from these companies now has an incentive to visit the shipping location and place their own identifying tape (that is frequently changed) on the packaged equipment and possibly GPS tracking devices on the shipment as well to be able to determine if they are diverted away from a reasonable shipping path to make unscheduled stops.

I would love to see someone start performing a large scale analysis of shipping paths using GPS tracking devices to create algorithms that flag certain shipping paths as anomalous. Offering services and creating products that guarantee shipping security is now a legitimate market to create a startup for.

> I would love to see someone start performing a large scale analysis of shipping paths using GPS tracking devices to create algorithms that flag certain shipping paths as anomalous.

And maybe that will be the nature of the first solutions or mitigations for this breakdown. Not tamper-proof, but tamper-evident, in the physical and digital worlds. You could then at least judge whether you should continue to trust the delivered item and/or its delivery path.

Total Information Awareness for the little guy.

They actually use their sniffing capabilities to capture error reports sent by Windows... Then use that info to target the machine. What an advantage.

Yes, I think this must be the most interesting part of the report:

  In one internal graphic, they replaced the text of 
  Microsoft's original error message with one of their own 
  reading, "This information may be intercepted by a 
  foreign sigint system to gather detailed information and 
  better exploit your machine."

Does Microsoft's error reporting mechanism even use SSL?

Do you think the NSA doesn't either have Microsoft's private certs or has broken them already? I can't be bothered to find a source right now, but they already have all MS source code, so there's that too.

Why would I ask the question if I thought that they certainly didn't have those private keys?

It is an interesting question regardless - can anyone at my ISP read these error reports, too?

A... Genuine Advantage!

  The technique can literally be a race between servers, one
  that is described in internal intelligence agency jargon
  with phrases like: "Wait for client to initiate new
  connection," "Shoot!" and "Hope to beat server-to-client 

It would be interesting to build a tool that watches out for duplicate-but-different SYN/ACK and DNS answers.
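
A sketch of the check that comment describes, added here as an example and not part of the original thread: it flags replies that answer the same request (same flow and DNS transaction ID, or same flow and acknowledged sequence number) but carry different content, while ignoring byte-identical retransmissions. The record layout, the helper names and the sample packets are assumptions; capturing and parsing the traffic is assumed to happen elsewhere.

```python
from collections import defaultdict

CLIENT = "198.51.100.7"  # constructed documentation addresses throughout

def dns(t, dport, txid, qname, answers, ttl):
    # "id" identifies the request being answered, "body" is what must not vary
    return {"t": t, "kind": "dns", "flow": ("192.0.2.53", 53, CLIENT, dport),
            "id": (txid, qname), "body": tuple(sorted(answers)), "ttl": ttl}

def synack(t, dport, seq, ack, ttl):
    return {"t": t, "kind": "synack", "flow": ("192.0.2.10", 80, CLIENT, dport),
            "id": (ack,), "body": (seq,), "ttl": ttl}

# Constructed sample records, not real traffic.
PACKETS = [
    dns(0.000, 53124, 0x1A2B, "example.test", ["203.0.113.66"], ttl=61),
    dns(0.021, 53124, 0x1A2B, "example.test", ["192.0.2.10"], ttl=52),   # conflicts
    dns(0.500, 53125, 0x0C0D, "other.test", ["192.0.2.20"], ttl=52),     # single reply
    synack(1.000, 40001, seq=1000, ack=501, ttl=52),
    synack(2.000, 40001, seq=1000, ack=501, ttl=52),   # identical retransmission
    synack(3.000, 40002, seq=7777, ack=901, ttl=61),
    synack(3.015, 40002, seq=4242, ack=901, ttl=52),   # same SYN, different ISN
]

def find_conflicts(packets, window=1.0):
    """Return one alert per reply that contradicts an earlier reply to the same request."""
    seen = defaultdict(list)  # (kind, flow, id) -> [(time, body, ip_ttl), ...]
    alerts = []
    for p in sorted(packets, key=lambda p: p["t"]):
        key = (p["kind"], p["flow"], p["id"])
        for t0, body0, ttl0 in seen[key]:
            if p["t"] - t0 <= window and body0 != p["body"]:
                alerts.append({
                    "kind": p["kind"], "flow": p["flow"],
                    "first": body0, "second": p["body"],
                    "gap": round(p["t"] - t0, 3),
                    # differing IP TTL suggests the two replies took different paths
                    "ttl_differs": ttl0 != p["ttl"],
                })
                break
        seen[key].append((p["t"], p["body"], p["ttl"]))  # a live tool would expire old keys
    return alerts

if __name__ == "__main__":
    for alert in find_conflicts(PACKETS):
        print(alert)
```

An alert only says that two replies disagreed; which one arrived first is not proof of which one is genuine, so the flow should be treated as untrusted either way.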

What would be much much more interesting is to see the wall ONE of the HN members has made, that connects all the tiny pieces of leaks to a grand picture. Using the same tools they use to track us, "maths", or topological data analysis to precisely reveal who, what and how things connect.

If the one amongst us is ready, please post what you collected, I am sure everybody is as curious to see what there is. It's not just journalists who study the NSA revelations, but there are also hobbyists or simply some curious and innocent computer scientists (let's not say hackers here).

Are you calling someone out, specifically?

If the answer is "yes," don't reply.

UPS, Fedex, DHL and Dell have some explaining to do.

"We got a National Security Letter. End of explanation."

"We got a National Security Letter."

They can't even say that. Instead they are legally obligated to say "We didn't get a National Security Letter" (even though they did, and acted on it).

That has not worked too well for the Internet companies. These guys are just as guilty in this.

Not worked too well how? No revenue loss. No government penalties. Allowed to freak out at government spying with righteous anger on behalf of the customer.

I dunno, looks like as a business everyone has made it through a-ok.


Clearly you're unfamiliar with the rest of the world. They have all pretty much said you're screwing up our business.

And you expected them to say...?

I don't know but the more billion dollar businesses that are complaining the more likely something is going to be done (let's not forget who funds elections). Maybe they gamed Google and Yahoo so well cause their "new" computers from Apple, Dell or whoever are being routed by UPS or Fedex to them first. Nothing would be too surprising at this point. Either way they should and hopefully will get a proper outing and when their names start getting run through the press that's going to be xx more pissed off corporations.

> (let's not forget who funds elections)

Defence contractors? Telcos? Hollywood? Pharmaceutical companies?

The big tech companies most of us talk about here are in the minority when it comes to lobbying, from what I understand.

And now Amazon also loses some customers.

I think a few defectors from Amazon Prime would be more than made up for by Amazon's CIA contract(s).

It is reassuring to see that the US is not falling behind in the spy vs spy arms race. Technology is making it easier and easier to conceal conspiracies or national security initiatives. If applied judiciously, this is a valuable asset. There is the danger of misuse, as with many US government assets: nukes, chemical weapons, and guns, to name a few.

Maybe someone would espouse this opinion if they were in the military? There has been no evidence that the USA is falling behind in any spy related activities, and the article starts with examples of how they were disrupting residential garage door openers and then goes on to things like exploiting individuals at a Belgium-based corp, or the Mexican government, a supposed ally.

Why does this make you reassured?

The potential for misuse when it comes to nukes and chemical weapons also has the distinct and likely possibility that someone would catch them; this means that they generally will only use those weapons when it is actually needful.

This technology is very likely impossible to detect by all but the biggest actors, and therefore has a HUGE potential for abuse. I am NOT reassured.

Where is the link to the documents?

I don't guess that all of this has been corroborated?

Maybe I'm missing something but all of the stuff in the article and several things in these threads aren't in the cryptome pdf listed below.
