Your USB cable, the spy: Inside the NSA’s catalog of surveillance magic (arstechnica.com)
71 points by joseflavio on Jan 2, 2014 | hide | past | favorite | 29 comments


Unlike Snowden's disclosures of mass surveillance, this is not whistleblowing.

Mass surveillance, such as recording and correlating cell phone location data or searching all emails, is immoral and unconstitutional, and it's good that the extent of it was revealed.

Doctored USB cables do not enable mass surveillance since they have to be physically delivered to specific subjects. Assuming they're delivered based on some sort of probable cause, they are a legitimate law enforcement technique.

Revealing details of legitimate practices does no good. To the extent that revealing them encourages the NSA to resort to less legitimate practices, it's harmful.


"Revealing details of legitimate practices does no good"

Seriously? Excuse me for being harsh, but that statement is preposterous and shows a contempt for civil liberties, freedom of speech in particular, and ignorance of security principles.

There is no such thing as technical practices being intrinsically "legitimate" or not without reference to who's doing them and for what reason. If by some fluke a government someday used a technique to pursue a person suspected of a crime, did so legally, and with moral justification (not a victimless crime), then it is legitimate on that occasion - but how would you propose to assure us that the same technique can never be used by anyone else or in any other situation? There is no basis for any such assumption; the same knowledge, skills, devices and so on will also be used by illegal, immoral and other actors at any opportunity (notably including NSA and LEAs). Therefore it is legitimate to expose, and discuss how to defeat these and anything else that might compromise anyone's security.

Saying "shut up about it because someone might have a legitimate use for it" is like saying that science should stop because there are bombs, or that lock picking techniques should still be kept from the public. Such fallacies have been debunked at least since the 19th century.

"To the extent that revealing them encourages the NSA to resort to less legitimate practices, it's harmful"

Another fallacy. If we stop would-be terrorists from bringing guns into a building, are we then responsible for their resorting to mortars? How about, the NSA and other state actors should restrain their conduct to respect people's rights, regardless of their tricks being revealed.


Yes, this "list of techniques" revealed by the German newspaper Der Spiegel is another thing that will be someday used against Snowden in a U.S. court...

Reason I say that is because as long as we're operating under the assumption that the U.S. will have a branch of the government somewhere that is able to engage in cyber-conflict activities (offensive or defensive), those cyber conflicts will be dependent upon weapons with which to fight them.

Even those who are mistrustful of NSA ever looking at domestic data seem to at least be aware that U.S. networks are constantly under attack (e.g. the Aurora attack on Google, countless attacks on U.S. defense contractors), and that it might be good for the U.S. to have similar capability.

And now the list of secret (cyber-)weapons is out for the whole world to see.

Contrast what would happen if this was a top-secret military weapons program (like, say, a stealth helicopter). How would the spy who leaked it have been treated?


That's assuming that these documents were given to Appelbaum by Snowden or Poitras:

https://twitter.com/ggreenwald/status/417325532980580353

Reading between the lines of the 30C3 talk, and the fact that none of this is credited to Snowden by Der Spiegel, I'd say there is a chance that another "whistleblower" is out there.


It's not reasonable to "punish" an organization that went too far? If you don't do that then they don't have much incentive to stay within the lines.


You're not punishing the organization though, they'll exist regardless. You're punishing anyone who relies (knowingly or not) on the services provided by that organization.

Or put differently, would you force an electric company to shut down operations for 3 days if they were discovered to be overcharging their customers?


That would be one way to get an electric company to stop overcharging their customers. That would not be an optimal choice. What you shouldn't do is just make the electric company pay back the customers what they overcharged, and have that be the end of it.

The electric company overcharging all its customers is also not an apt analogy. Some people are harmed by pervasive surveillance more than others. Also, most people are hardly even customers. The NSA's main benefit to me, for example, a person living in California, is probably in the tips they give to the DEA. I'm certainly not worried about being invaded by Russia or bombed by terrorists.


I was surprised by the USB cable thing, but then I remembered:

- Apple's Lightning Digital AV Adapter: https://www.panic.com/blog/the-lightning-digital-av-adapter-...

- Bunny Huang on Micro SD processors: http://www.bunniestudios.com/blog/?p=3554

- Commercially available wireless on SD cards: http://www.eye.fi/

USB lacks DMA right? https://en.wikipedia.org/wiki/DMA_attack


USB lacks DMA but that's basically a moot point. There are so many USB drivers that aren't well tested or even well written that the attack surface is just huge. You might as well have DMA from USB, wouldn't really make matters that much worse.


It's really quite hard to stop admiring the technical lengths the NSA has gone to to exceed their constitutional bounds - radar-powered devices for snooping is genius!


Do you really think that tailored custom devices for spying on particular people of interest exceed their constitutional grounds?

Would you object to the NSA or CIA planting bugs that record audio or video on targets of interest outside of the United States? Does that exceed their constitutional grounds? How about if they supplied these to law enforcement agencies which had valid search warrants?

I have plenty of concerns about the constitutionality of certain NSA programs (such as collecting metadata on everyone, regardless of prior suspicion or search warrant), and some of the techniques they use (tapping all of Google's fiber traffic between data centers, putting backdoors in international standards), and I find these revelations technically fascinating, but I don't find any fundamental constitutional issue with them using clever, advanced technology for spying on valid targets.


> Do you really think that tailored custom devices for spying on particular people of interest exceed their constitutional grounds?

Do you really think that an agency that practices unconstitutional mass surveillance (or unconstitutional anything) would never use these recently revealed capabilities unconstitutionally?


No, but I don't think that the fact that they have such capabilities is, itself, evidence that they have used it unconstitutionally.

I think that it's important to distinguish between behavior that is bad (unconstitutional, illegal, or immoral) and behavior which is acceptable. Saying "It's really quite hard to stop admiring the technical lengths the NSA has gone to to exceed their constitutional bounds" implies that the USB cables equipped with radios are themselves unconstitutional, or must be used in ways that are unconstitutional, and that's not the case.

It's important when having these kinds of discussions to keep in mind the legitimate, legal, constitutional work the NSA does as well. Not everything they do is illegal or unconstitutional, and spreading the outrage from the bad work to the good helps no one at all.

Outrage at Dual EC DRBG is absolutely well founded. Outrage at mass metadata collection is absolutely well founded (though there is a bit more of a debate to be had there, because metadata is something that a third party must necessarily have in order to route your calls/packages/packets/emails properly, and so doesn't exactly fall under your personal effects that are fully protected by the fourth amendment; I believe that mass metadata collection is still immoral, but the constitutional argument is harder to make). Outrage at secret courts with no oversight, and national security letters that forbid even revealing details about exactly what and how much information the government has access is absolutely well founded.

But getting outraged because spies create spy gadgets is, well, kind of silly. Get outraged when they plant these gadgets on innocent targets, on political targets, on allies, on economic targets, sure. But there should be no reason to get outraged at their mere existence.


As far as I know, none of the NSA's practices have been ruled unconstitutional. At best, the courts have sent mixed signals, and the collection of metadata was explicitly decreed constitutional by a previous Supreme Court ruling.


Not exactly, you have to stretch pen register authority pretty far to extend it to the NSA's bulk programmatic uses.

http://www.lawfareblog.com/2013/11/problems-with-the-fiscs-n...


IrateMonk is especially troubling - it installs itself on hard disk firmware, and supports all the major manufacturers: Western Digital, Seagate, Samsung etc. Now that it's known to exist, it's just a matter of time until some enterprising malware author will do the same...


These attacks have all been well understood as possible within the security community for years. People have demonstrated firmware exploits at security conferences and things like Microsoft's secure boot were explicitly designed to prevent this kind of threat.

Put another way, if you found that an intelligence agency had cool lock-picking tech would it change anything? Maybe it's surprisingly fast, leaves fewer traces, etc. but … it's not exactly a secret that they're in this business and this kind of thing is far less troubling than wide-scale surveillance because it still requires explicitly targeting specific people.


The callsigns have been there for a long time - only two or three weeks ago there was some guy who ran Linux on his hard drive. Literally. I think even the #badBIOS affair might have had its roots in an NSA black op gone bad... and nothing's off the radar anymore, these days.

Honestly, I wouldn't be surprised if there's a leak of a satellite with microwave/RF radar able to penetrate and fry electronic equipment in a centimetre-fine location.


NSA surely attracts some top talent, do they pay that well?


GS pay scale tops out in the low six figures, so to get around that they go through firms like Snowden's Booz Allen Hamilton. Now that a comprehensive picture of mass surveillance has emerged, an ethically unbothered engineer would be wise to recognize his or her increasing scarcity when negotiating salary.


For years there have been many in the industry that have pointed out how few of the design and manufacturing practices have had any serious thought to security. Things like BIOS vulnerabilities, driver firmware, etc. have been known for decades. I suppose there is some small consolation in being able to say, "I told you so."


The lengths they are willing to go for spying seem to be as broad as their creativity. So basically, the NSA would read minds if it weren't for the technical hurdles... which they will probably overcome before we find out. We're going to need an idiom to replace "tinfoil hat" soon.


Monkeycalendar? Candygram? The names are ridiculous. It's like the whole place is staffed by 12 year olds who loved the "Spy Kids" movies.


Computer generated, of course. Though I have no doubt a person has the final say, screwing with the otherwise perfect randomness.

See also https://en.wikipedia.org/wiki/Battle_of_the_Beams#X-Ger.C3.A...

"Jones had already concluded the Germans used code names which were too descriptive. He asked a specialist in the German language and literature at Bletchley Park about the word Wotan. The specialist realised Wotan referred to Wōden and might therefore be a single beam navigation system."



They're probably generated from random numbers so that they reveal no information about what they are naming.

Look up "PGP word list", for example.


Seriously! [1]

> The Black Chamber’s sophisticated hacking operations go way beyond using software vulnerabilities to gain access to targeted systems. The Chamber has a catalog of tools available that would make James Bond’s Q jealous, providing Chamber analysts access to just about every potential source of data about a target.

> In some cases, the Black Chamber has modified the firmware of computers and network hardware—including systems shipped by Cisco, Dell, Hewlett-Packard, Huawei, and Juniper Networks—to give its operators both eyes and ears inside the offices the Chamber has targeted. In others, the Black Chamber has crafted custom BIOS exploits that can survive even the reinstallation of operating systems. And in still others, the Black Chamber has built and deployed its own USB cables at target locations—complete with spy hardware and radio transceiver packed inside.

> [...]

> Either way, the altering of systems’ firmware or hardware gives the Black Chamber the ability to install backdoors that can survive a total operating system wipe and re-installation. One BIOS attack, called SWAP, was developed by the Black Chamber to attack a number of types of computers and operating systems by loading surveillance and control software at boot-up. SWAP uses the Host Protected Area on a computer’s hard drive to store the payload and installs it before the operating system boots.

> [...]

> An implanted wireless device is the Black Chamber’s go-to approach for dealing with “air-gapped” networks—networks that don’t have an Internet connection for security reasons. There are a number of other implanted devices that the Black Chamber has in its TAO arsenal, including USB and Ethernet implants that can transmit short-range radio signals and more robust implanted hardware for longer-range transmissions. These radio links create a shadow Internet that allows the Black Chamber to move data out of an adversary’s network and into its TURMOIL and X-KEYSCORE collection system.

> [...]

> But why stop at network data? The Black Chamber also uses some fairly exotic tools to grab computer video, keyboard strokes, and even audio from inside more difficult-to-reach places by using passive electronic devices that are actually powered by radar. These devices, charged by a specially tuned continuous wave radio signal sent from a portable radar unit (operating at as little as 2W up to as much as 1kW of power in the 1-2GHz range), send back a data stream as a reflected signal, allowing the Black Chamber’s operators to tune in and view what’s happening on a computer screen or even listen to what’s being said in the room as they paint the target with radio frequency energy—as well as giving a relative rough location of devices within a building for the purposes of tracking or targeting.

> Hacking smartphones

> The 2007 Black Chamber wish book for analysts also includes a number of software tools that allow data to be stolen from a variety of smartphones and dumb cell phones. One software hack, called DROPOUTJEEP, is a software implant for Apple iOS devices that allows the Black Chamber to remotely control and monitor nearly all the features of an iPhone, including geolocation, text messages, and the microphone and camera. (Researcher and developer Jake Appelbaum, who helped write the Spiegel article revealing the documents, said separately this week that the Black Chamber claims DROPOUTJEEP installations are always successful.) Another package, called TOTEGHOSTLY, does the same for phones based on the Windows Mobile embedded operating system.

> [...]

> But these aren't the only way the Black Chamber can get to cell phone data. Also in the bag of tricks are a number of wireless monitoring devices, as well as “networks in a box” and other gear that can pose as cell towers and networks—intercepting devices as they enter an area and grabbing up their voice, data, and SMS traffic. A "tripwire" program called CANDYGRAM can send out alerts whenever a cell phone hits a specified cell tower.

> Old tricks, new tricks

> It’s important to note that the exploits in the documents are largely over five years old, so they don’t necessarily give a complete picture of what the Black Chamber is capable of today. That doesn’t mean that these techniques are no longer in circulation—given the stubbornness of Windows XP, many of the exploits developed for older Windows platforms may have years left in them, and some of the adversaries the Black Chamber is trying to monitor don’t have Fortune 500 hardware refresh rates.

It's long past time.

[1] https://news.ycombinator.com/item?id=6991227


>One BIOS attack, called SWAP, was developed by the NSA to attack a number of types of computers and operating systems by loading surveillance and control software at boot-up. SWAP uses the Host Protected Area on a computer’s hard drive to store the payload and installs it before the operating system boots.

Won't the much maligned UEFI Secure Boot in Windows 8 stop this?


Nope, SecureBoot is built into the BIOS, not hardware, so if you can rewrite the BIOS you can have it just load whatever payload off of the HPA, sidestepping SecureBoot until it comes time to start the boot loader.
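As an added illustration (not from this thread or from the Ars Technica article), here is one defensive check a practitioner can run on a Linux host: compare a drive's native maximum LBA with its current maximum as reported by `hdparm -N`; a gap means sectors are reserved behind a Host Protected Area, the region the quoted SWAP description says is used to hold the payload. The two hdparm output strings below are constructed samples in the format hdparm prints, not captures from a real machine.

```python
import re

# Constructed samples of `hdparm -N /dev/sdX` output (run as root on a real host).
# The first drive reports a current max address below its native max, i.e. a
# Host Protected Area is hiding the tail of the disk from the OS.
SAMPLE_HPA_SET = """/dev/sda:
 max sectors   = 976771120/976773168, HPA is enabled
"""
SAMPLE_NO_HPA = """/dev/sdb:
 max sectors   = 976773168/976773168, HPA is disabled
"""

# hdparm prints "max sectors = <current>/<native>, HPA is <state>"
_MAX_SECTORS = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")


def parse_hdparm_n(output):
    """Return (current_max, native_max) parsed from hdparm -N text, or None."""
    match = _MAX_SECTORS.search(output)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def hpa_report(output, sector_size=512):
    """Classify a drive's HPA state from hdparm -N text.

    Returns a dict: 'hpa' (bool), 'hidden_sectors', 'hidden_bytes'.
    A native max larger than the current max is the HPA signal itself; the
    trailing 'HPA is enabled/disabled' text is informational only, so the
    decision is made from the numbers rather than that string.
    """
    parsed = parse_hdparm_n(output)
    if parsed is None:
        raise ValueError("unrecognised hdparm -N output")
    current_max, native_max = parsed
    hidden = native_max - current_max
    return {
        "hpa": hidden > 0,
        "hidden_sectors": hidden,
        "hidden_bytes": hidden * sector_size,
    }


if __name__ == "__main__":
    for text in (SAMPLE_HPA_SET, SAMPLE_NO_HPA):
        print(text.splitlines()[0], hpa_report(text))
```

An HPA is not by itself evidence of an implant (OEM recovery areas use the same mechanism), so treat a hit as a prompt to image the hidden range and compare it against a known-good baseline for that drive model.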



