For whatever it's worth it to any of you to know this, TAO is one of the worst kept secrets in infosec. As I understand it, there are several active, well-regarded software security experts on Twitter that come from TAO. There are even conspiracy theories that some of them still work for TAO as industry sleepers. If you had asked a software security person 5 years ago to name an NSA hacking program, there's a decent chance some of them would have said "TAO".
Out of curiosity, do you ever give pause when looking to hire people with that type of background? If they are hired, are some projects off-limits to them?
I know those sound like loaded questions, but they seem relevant if you have clients that are averse to being targeted by the NSA. These days, mainstream companies like Google and Yahoo would arguably qualify.
On the other hand, I imagine employees with that type of background would be very beneficial in the context of government and defense industry contracts.
This information now justifies having shipments sealed in a way that shows that they have been tampered with. Any foreign entity ordering goods from these companies now has an incentive to visit the shipping location and place their own identifying tape (that is frequently changed) on the packaged equipment and possibly GPS tracking devices on the shipment as well to be able to determine if they are diverted away from a reasonable shipping path to make unscheduled stops.
I would love to see someone start performing a large scale analysis of shipping paths using GPS tracking devices to create algorithms that flag certain shipping paths as anomalous. Offering services and creating products that guarantee shipping security is now a legitimate market to create a startup for.
> I would love to see someone start performing a large scale analysis of shipping paths using GPS tracking devices to create algorithms that flag certain shipping paths as anomalous.
And maybe that will be the nature of the first solutions or mitigations for this breakdown. Not tamper-proof, but tamper-evident, in the physical and digital worlds. You could then at least judge whether you should continue to trust the delivered item and/or its delivery path.
Yes, I think this must be the most interesting part of the report:
> In one internal graphic, they replaced the text of Microsoft's original error message with one of their own reading, "This information may be intercepted by a foreign sigint system to gather detailed information and better exploit your machine."
Does Microsoft's error reporting mechanism even use SSL?
Do you think the NSA doesn't either have Microsoft's private certs or has broken them already? I can't be bothered to find a source right now, but they already have all MS source code, so there's that too.
> The technique can literally be a race between servers, one that is described in internal intelligence agency jargon with phrases like: "Wait for client to initiate new connection," "Shoot!" and "Hope to beat server-to-client
It would be interesting to build a tool that watches out for duplicate-but-different SYN/ACK and DNS answers.
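A sketch of the detection idea in the comment above, added here as an example and not part of the original thread: it flags replies that share a flow key but differ in content within a short window. The event tuple layout, the names `EVENTS` and `find_conflicts`, and the sample records are assumptions constructed for illustration; a real sensor would fill them from packet capture.

```python
from collections import defaultdict

# Constructed sample observations (not real traffic). Each tuple is
# (timestamp_s, kind, flow_key, fingerprint):
#   dns:    flow_key = (client, resolver, txid, qname), fingerprint = sorted answer IPs
#   synack: flow_key = (client, cport, server, sport, ack_no), fingerprint = server ISN
EVENTS = [
    (10.000, "dns", ("10.0.0.5", "192.0.2.53", 0x1A2B, "example.com"), ("198.51.100.7",)),
    (10.004, "dns", ("10.0.0.5", "192.0.2.53", 0x1A2B, "example.com"), ("203.0.113.9",)),
    (11.000, "dns", ("10.0.0.5", "192.0.2.53", 0x2C3D, "example.org"), ("198.51.100.8",)),
    (11.200, "dns", ("10.0.0.5", "192.0.2.53", 0x2C3D, "example.org"), ("198.51.100.8",)),
    (12.000, "synack", ("10.0.0.5", 40001, "198.51.100.7", 443, 1001), 555000),
    (12.030, "synack", ("10.0.0.5", 40001, "198.51.100.7", 443, 1001), 912345),
    (13.000, "synack", ("10.0.0.5", 40002, "198.51.100.7", 443, 2001), 777000),
    (14.000, "synack", ("10.0.0.5", 40002, "198.51.100.7", 443, 2001), 777000),
]


def find_conflicts(events, window=2.0):
    """Return one alert per reply that contradicts an earlier reply for the
    same flow key seen within `window` seconds. Identical repeats (plain
    retransmissions) are ignored; only differing content is flagged."""
    seen = defaultdict(list)  # (kind, flow_key) -> [(timestamp, fingerprint), ...]
    alerts = []
    for ts, kind, key, fp in sorted(events, key=lambda e: e[0]):
        # Keep only replies still inside the comparison window.
        recent = [(t, f) for t, f in seen[(kind, key)] if ts - t <= window]
        for t, f in recent:
            if f != fp:
                alerts.append({"kind": kind, "key": key, "first": f,
                               "second": fp, "gap_s": round(ts - t, 3)})
                break
        recent.append((ts, fp))
        seen[(kind, key)] = recent
    return alerts


if __name__ == "__main__":
    for alert in find_conflicts(EVENTS):
        print(alert)
```

Differing DNS answer sets can also come from benign round-robin or retries, so an alert here is a prompt for review rather than proof of injection.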
What would be much much more interesting is to see the wall ONE of the HN members has made, that connects all the tiny pieces of leaks to a grand picture. Using the same tools they use to track us, "maths", or topological data analysis to precisely reveal who, what and how things connect.
If the one amongst us is ready, please post what you collected, I am sure everybody is as curious to see what there is. It's not just journalists who study the NSA revelations, but there are also hobbyists or simply some curious and innocent computer scientists (let's not say hackers here).
I don't know but the more billion dollar businesses that are complaining the more likely something is going to be done (let's not forget who funds elections). Maybe they gamed Google and Yahoo so well cause their "new" computers from Apple, Dell or whoever are being routed by UPS or Fedex to them first. Nothing would be too surprising at this point. Either way they should and hopefully will get a proper outing and when their names start getting run through the press that's going to be xx more pissed off corporations.
It is reassuring to see that the US is not falling behind in the spy vs spy arms race. Technology is making it easier and easier to conceal conspiracies or national security initiatives. If applied judiciously, this is a valuable asset. There is the danger of misuse, as with many US government assets: nukes, chemical weapons, and guns, to name a few.
Maybe someone would espouse this opinion if they were in the military?
There has been no evidence that the USA is falling behind in any spy-related activities, and the article starts with examples of how they were disrupting residential garage door openers and then goes on to things like exploiting individuals at a Belgium-based corp, or the Mexican government, a supposed ally.
Why does this make you reassured?
The potential for misuse when it comes to nukes and chemical weapons also has the distinct and likely possibility that someone would catch them; this means that they generally will only use those weapons when it is actually needful.
This technology is very likely impossible to detect by all but the biggest actors, and therefore has a HUGE potential for abuse. I am NOT reassured.