How the NSA Plans to Infect “Millions” of Computers with Malware (firstlook.org)
326 points by uptown on Mar 12, 2014 | 175 comments



After a while all these news items about the NSA and GCHQ can seem a bit too much, but not if we take a step back and really understand the enormity of it all.

The NSA and its cohorts set up fake Facebook websites, spoof security certificates, secretly record webcam streams, vacuum up everything they can lay their hands on etc.

Meanwhile the CIA coolly wipes hundreds of documents from the machines of those who are investigating it, and when caught, threatens their overseers with criminal charges.

Given the scale of their operations, tens of billions of dollars in budgets and how many years they've been at it (this article essentially talks about what the NSA was doing in 2009), is it now futile to think that govt. agencies around the world can ever be expected to turn the clock back?

I mean, really, is there any possible reality that involves the NSA/GCHQ deleting the mountains of data they have surreptitiously recorded? And unplugging or reversing the hundreds of traps, backdoors, viruses, intercepts, decoys that are aimed at common citizens?


In the UK, we did manage to get the identity cards scheme killed and all the data collected destroyed. Admittedly it was still in the pilot stage.

The key to effective political action is getting all the other existing politically active groups to realise that they don't want to do politics under surveillance either. Everyone from the NRA to the NAACP should oppose this.

Talk about guns on the internet? It's trivial to keyword match make and model names, and the NSA can presumably correlate this back to home addresses. They already have the database of who the gun owners are if they were to want to confiscate them.

Remind nonwhite people about the FBI's attempts to blackmail MLK. http://www.theguardian.com/world/2014/jan/07/fbi-office-brea...

Everyone should understand that this infrastructure can and will be used to interfere with domestic politics, not to mention being used to attack democracy abroad (see 20th century South American history). You cannot support a system that is unjust to your enemies and assume smugly that it will never be turned around on you (Dianne Feinstein passim).


Offtopic, but I've always been surprised there wasn't more uproar over the passage of the Real ID Act. Basically a sneaky way to turn your state-issued driver license into a national ID card.


The tragic thing is that some of the Baltic states (eg Estonia) have shown nifty ways to make ID cards benefit the public, having keypairs on the card and application integration etc. But this is only useful IF we can trust the system won't be abused - which at the moment we really can't. In the west an ID system would be primarily used for making immigrants second class citizens and turning everyone into immigration enforcement vigilantes.


This. There's a vicious cycle of government inefficiency, privacy advocacy, and all-around distrust that keeps happening over and over again, reinforcing memes and justifying a lot of backwards thinking.


Could it happen? Sure, but the State would have to agree to it. I am pretty sure the majority would not do that. Now, a State to State registry would likely happen.


Yes it's called a revolution at which point we storm the bases and burn the data centres and monitoring stations to the ground.

But, as Huxley was so keen to point out, that's not going to happen when people are staring at Honey Boo Boo and Hollyoaks.


During a revolution, those organizations would be burning their own data because when those organizations lose power the data becomes a liability rather than an asset to them. It becomes evidence of their crimes.

When the Berlin Wall fell, the Stasi began burning and shredding everything they could. German citizens stormed their buildings and many of the documents were saved, so that the crimes of the Stasi could be documented for posterity.

http://en.wikipedia.org/wiki/Stasi#Recovery_of_the_Stasi_fil...


This time they'll just encrypt everything.


Yeah, and destroying the key will be much easier than destroying paper by the ton.


So when you storm the barricades make sure that you keep the electricity on, so that all those disks and data will be decrypted at that moment.

(And remember in your home and biz life, if you do whole disk encryption, you need to hibernate or shut down to get your disk/data back into its encrypted state.)


I fear that this will never happen. In the best case scenario that I consider realistic, the TLAs will sense their impending doom well in advance and will safely and quietly destroy all the data that might incriminate them of anything. This destruction might be punishable, but I think it is more likely that we will never even realize that it occurred.

The only way to take out a TLA and seize the incriminating data is swiftly and without warning. With warning times on the order of minutes, I don't think this is possible politically or otherwise.

The best we can hope for is to shut them down, and the best we can do afterwards is punish those responsible in absence of specific evidence against them (but I don't think that we have the guts necessary to do that. However as a real-world example of that sort of response, consider the show trial and execution of Nicolae Ceaușescu: http://en.wikipedia.org/wiki/Nicolae_Ceau%C8%99escu)


Revolution is a tool of limited usefulness, and violent ones very often put something back in that is just as bad as what they ejected (see also: the KGB).


It's more complicated than that.

   ----->[ good times ]---->[ hard times ] ---> [fascism] --\
      ^                                                     |
      \-------------------[revolution] <--------------------/

Revolution merely starts the cycle again. We'll always end up with the KGB, Stasi, NSA, GCHQ, CIA etc so you have to deconstruct society regularly to flush it out.

We're stuck in a pretty long loop at the moment just verging on hard times.

Edit: the "good times" above is optional.


Luckily, our founding fathers built in a way to achieve the same effects as a revolution without any violence.

If you were to start an armed insurrection, the government would be totally justified in ending you. Not a smart decision given today's level of technology. It was through sheer luck that the American revolution worked at all: the British commanders were so incredibly incompetent that they checkmated themselves.


Hasn't there been enough evidence that the system the founding fathers built in has been compromised to the point of irrelevance?

What you have today is an illusion of the freedom and the "equal and impartial justice under the law".

http://www.popehat.com/2013/12/23/burn-the-fucking-system-to...


You're probably right. I think the Feinstein/CIA spying episode currently unfolding shows that the intelligence services have flipped the fuckit bit, and they don't even try to make it look like they're subject to Congressional oversight. They do still say they're subject, which I guess is something; they just don't try hard anymore to hide what they do.


> They do still say they're subject, which I guess is something

Nope, it's meaningless. What else are they going to say?

"It's exactly what it looks like! We just don't give a fuck about you or your rights, and in fact, we're an important part of the police state springing up all around you. When you're thinking of rebelling, remember we know where you live, where you are, and pretty much everything else about you! Stay in line, peasant!"

That would be fairly accurate, but they're not going to say it. Doesn't the propaganda just keep going anyway, even in North Korea?


No, there isn't. Democracy might not be great, but it is orders of magnitude better than not-democracy. The main function of democracy is to keep true tyrants out of power, and it's very effective at that.


I would call the system in UK, US more of an elected dictatorship than a democracy, as the politicians are not representing anyone other than their corporate buddies.


>I, for one, continue to be excited about our drone overlords.

Genuine question: why do hackers and obviously smart persons believe in this cargo-cult "founding fathers" concept? As if some guidelines set by some 18th century guys are the be all end all in running a state or even mean much after centuries of "interpretation" and changing conditions (including technology).

Case in point 1: most of the things people now enjoy, from women's voting to the abolishment of child labor, to work safety laws, to the end of segregation, were achieved by long, hard, struggles, protests and even martyrs (just like in Europe, for example), and not by some "founding fathers" decree.

Case in point 2: an armed population then was a major counterbalance against a corrupt government, being effective almost at the same level as the government's forces (as evident in tons of revolutions and struggles around Europe for example). Today? Not so much. So this naive belief on the "right to bear guns" for this purpose is mostly BS cargo-cult.


One of the values of a constitutional democracy is supposed to be that it reduces the impact of the "tyranny of the majority". That is to say, that it reduces the likelihood that a simple majority of people will trivially be able to oppress minority populations. This works by setting up a base set of rules that cannot be violated even if a majority of people in the democracy want to. In order to change or amend these rules, a much higher bar must be met.

However this idea of restrictions placed on a democracy to keep the majority from oppressing minorities is worthless without actual rules. How do you perform the initial population of this set of specially privileged rules then?

Think of it like a problem of bootstrapping trust. A pure democracy cannot be trusted (as a pure democracy trivially allows/enables the oppression of minorities), but non-pure democracies must be conceived and implemented somehow. Can you trust a constitutional democracy that was created by a pure democracy? Arguably no, since the pure democracy cannot be trusted. Can you trust a constitutional democracy that was created by a small set of arbitrary people? Again arguably no, since arbitrary people pulled from the general population wouldn't be any more trustworthy than a pure democracy. Can you trust a constitutional democracy created by a small set of particular people? If you trust those particular people, then perhaps you can trust the constitutional democracy created by them.

People want to trust their government, which leads to them wanting to trust in broad terms the general concepts and ideas that this particular founding group had.

Personally I think it's all shit. A constitutional democracy does not resolve the tyranny of the masses, it only pretends to. Democracy itself is nothing more than "might makes right" combined with a primitive notion of MAD (with anarchy and civil war being the boogieman, rather than nuclear war). Constitutional democracy is good for little more than lying to ourselves to make ourselves feel better about democracy.


Since you seem to have thought about this quite a bit, do you happen to know something you think works better?


There are a few interesting proposals that I've heard over the years, but to answer your question truthfully, no. I've grown to accept that this isn't a situation I can resolve, only a situation I can hope to survive.

I view the current situation as not unlike being locked in a hotel room. In the main room is a hungry tiger. In the bathroom, is a pissed off cobra. You're locked in there so you have to pick your poison, but the last thing you want to do is mistake "the worst choice, but better than the alternative" with a satisfactory situation. I don't have a better suggestion than democracies, but that sure as hell doesn't mean that I trust democracies. I'll sleep with the cobra (with one eye open), but I sure as hell won't praise the merits of sleeping with a cobra just because that tiger looks hungry.


I think belief in the "founding fathers" comes down to a faith in systems design or the idea that there exists in theory a system which some sufficiently brilliant folks may devise which addresses the enduring human problem of "how do we all live together and get along" in some optimal way. The American system bequeathed to us by the so called founding fathers and refined over more than two centuries was an experiment that its participants and sponsors have largely portrayed as ideal, or at least flawed but superior to others, and always improving.

When a "geek" or systemically-thinking person wakes up politically, having realized that much is going deeply wrong, the first thing he or she is likely to do is to consult the founding documents which most of us were taught in civics class or for our various merit badges comprise the guide and inspiration for our civil governance. Seeing obvious departures from the design, it is not hard to seize onto the idea that to correct things we merely need to return to the design and follow the rules. Indeed that might improve things.

The difficulty of the various struggles to implement substantial changes is hardly an indictment of the system laid out by the founding fathers. Conservatism is the rule. It is wise to temper the passions of the people for radical changes which they may press to address temporary needs. The ultimate success of campaigns to extend suffrage, abolish child labor, end slavery and segregation, and even to rollback prohibition testify to the effectiveness of the system devised. It presumably worked as intended in those instances. It failed to prevent a war between the states, the death of 600,000 men, and much other injustice in more recent times.

One can find much wisdom and value in the writings, thinking and dialog that went on at the founding of the United States and surely a measure of nonsense too. It seems clear however leaders of that time sought to grapple with the problems of governance and cooperation sincerely and with a great deal of intellect and ability. They treated these issues as matters of vital importance in a way that seems quaint and removed from our decadent era -- that is unless you live in one of the many countries lacking material comforts, safety and political stability.

The problems they sought to address have not changed much since then. Human beings are what they are, technology notwithstanding.

America is and remains an experiment on many levels. Ben Franklin's remark coming out of the constitutional convention about "A republic, madam, if you can keep it" is relevant today. This surveillance business could be the end of it. So could imperial overstretch and fiscal profligacy precipitating a collapse. It's also possible that the very different demographics of the country two and a half centuries after its founding render it simply ungovernable in the way or fashion imagined by the founders.

With particular regard to the Constitution and its merits, I believe I paraphrase Lysander Spooner in saying, it either has failed to prevent tyranny or in fact provides for it. If it is so, then the verdict would be the same either way. I am not certain I have a better proposition but I do not have a blind faith that in order to cure our ills all we need to do is exhibit greater fidelity to the Constitution.

https://en.wikipedia.org/wiki/No_Treason


Firstly, your "founding fathers" - ha now there's a joke. Do you think anyone respects those amendments? Nope. If they thought that, you wouldn't be stocked up with weapons.

And we all know how effective that technology is at ending all those pesky terrorists with their zip guns and IEDs...


Don't be defeatist.

A key problem I see, that I used to have, and learned from my mistake, is that the checks and balances system works.

Yes, you see the executive branch overstepping its bounds. Lots of people getting picked up. However, the judicial branch is finding the charges untenable.

It's not easy nor automatic, and costs a lot of time and research and arguing, but those amendments are still pretty damn strong. Arguments directly to them are handled in the Supreme Court all the time.

There are some dings against the 4th as of late, but don't give up and invest the time and research and arguments. Put your focus on the judicial branch and increase their power to put down bad behavior by the executive branch.


..you mean realist?

Also, Brennan was sworn in on the constitution without the bill of rights

http://www.theguardian.com/world/us-news-blog/2013/mar/08/jo...


> And we all know how effective that technology is at ending all those pesky terrorists with their zip guns and IEDs...

Those people have been indoctrinated since birth to see us as evil invaders. Some of their religions have baked in the idea that it's good to die in order to kill invaders. And we've sometimes acted like an evil invader. (See Blackwater atrocities, etc.) It's an invalid comparison because our population isn't motivated in the same way.

It's easy to become disheartened with the current state of affairs, but history has shown that ignoring reality doesn't work. Setting aside the question of ethics, the reality is that an armed revolution in America probably can't happen. And besides, there are plenty of other options to explore.


"Those people have been indoctrinated since birth to see us as evil invaders ... our population isn't motivated in the same way"

It doesn't take religion or "indoctrination since birth" for people to see an invading army as evil - it just takes an invasion.

If your country were occupied by foreign armies, you might want to fight back too - or at least you shouldn't be surprised if others do.


Calling the people who have a beef against us for occupying their country "those people" and thinking they are in any deep way different from us is a big red flag for lack of understanding. That kind of thinking goes a long way toward explaining how we could blow a couple trillion dollars fighting people who haven't got a single aircraft, artillery piece, or armored vehicle.


"And we've sometimes acted like an evil invader. (See Blackwater atrocities, etc.)"

Blackwater!? That we were there at all was an invasion based on a lie and a tragedy of convenience. 9/11, strong connection to Afghanistan and a Saudi/Yemen family ... let's invade Iraq! I think we're still searching for the real weapons of mass destruction in Iraq.

https://en.wikipedia.org/wiki/Iraq_and_weapons_of_mass_destr...

https://en.wikipedia.org/wiki/Plame_affair


There isn't a time since WW2 when America wasn't viewed as an evil invader. It really depends on whether you've got the business end of a weapon pointed at you or not.


Actually it's been remarkably effective in other countries, have you been reading the news? Our own soldiers have not been terribly effective at pacifying unrest, and the locals have nothing but rifles etc.


It's kind of interesting to think about. Remember the hullabaloo just after the Boston bomber lit off the bomb but wasn't caught yet? Imagine all of that societal rage focused on a small group of people who have started an armed conflict and killed a few policemen, and you can imagine how quickly that group will be annihilated.


When I think about Dorner or the Boston bombers, I think about how much chaos they caused, and the fact that they evaded regional manhunts for days while accomplishing their goal. To contrast your observation: Imagine what a group of dedicated, intelligent agents could do to stir things up.


And now you know exactly why the NSA is doing what it is doing: to protect the oligarchy from exactly an uprising against it from within.

There is no terrorist. The system, the agents of the USG have won the coup on freedom.

They now exist only to preserve their power, and this is the reason why apologists for the deep state are worse than fools


Yeah, you suppose one person - easy to find and contain. But a diffuse population of unrest? Impossible.


I'm really, really trying not to be snarky or offensive here, but does anybody else think people using the phrase "founding fathers" sound like a part of a cult?


It's a phrase that we in the US grew up with. It means something in our mythology.


George Washington was a British commander too, as a Colonel in the British Army.


We need a tax revolution. Every single citizen should refuse to pay taxes until a rebuild of the system is done.


I think you might want to add an intermediate state, of [ Possibly Very Bad Times ] as a possible consequence of revolution before returning to Good Times. It's not a quick fix, not a panacea.


It should also be noted that revolution sucks majorly.


I don't know if history supports the assertion that [revolution] leads to [good times]. I mean maybe on average, and maybe in the long run. However it seems to me the suffering the original government caused is dwarfed by the suffering of a violent revolution. Also that things don't improve as much as expected after the revolution, and that it can just end up a worse government, or lead to more conflict.


There is a relevant theory on the topic: https://en.wikipedia.org/wiki/Strauss%E2%80%93Howe_generatio...


Bureaucracy survives revolutions, and often flourishes, as the bureaucrats know how to get things done and more importantly how to exert control. Security orgs especially.

Consider Mr. Putin's past as an example.

If you work with government, you'll observe this first hand. The second echelons of management that are "professional" staff run the day to day operations, and can often bend or break political directives.


Just a nitpick. It was Cheka(ЧК) and NKVD that were the scary secret police in the bad years of USSR. KGB as an agency didn't exist yet.


Everything is how it is because that's how it's supposed to be. It's the old "Dragon is dead, long live the Dragon" phenomenon. It's because of human weaknesses - greed, lust for power, etc. Whatever we do it will always come full circle. And then it will begin again.


Let's say we do that and then what? The NSA/GCHQ decides to build a fully decentralized spy network. Millions of nodes connected all over the place; a botnet of spying. Sound familiar?


Cut the cables. All of them. Leased, backbone, local loops.

Poison the routing tables.

Jam the wireless.

Take out root DNS.

I cringe slightly at quoting Firefly but it's similar in nature: "If your quarry goes to ground, leave no ground to go to."


Or posting on HN and Reddit.


Yes, it is possible. Stop being defeatist, you're doing NSA/GCHQ propaganda for them for free.


>for free

How do you know r0h1n is doing this for free?


I don't, but it's a general good ethical principle to Assume Good Faith in the absence of other information.

http://en.wikipedia.org/wiki/WP:AGF


Recently I had been operating under "Assume it is being done, unless you can come up with a really good reason[0] of why it would not be done"

[0] Such as it is physically impossible or prohibitively expensive.


Yes. All of that usually happens when totalitarian regimes fall. These systems are made and run by people, so they can be remade or disbanded if they are no longer wanted.

For now it's probably useful to concentrate upon emphasising how illegal/unconstitutional all of the above activity is and that the buck has to stop somewhere. Someone has to be held accountable.


Don't be so melodramatic. There are solutions.

Also, they don't "vacuum up everything they can lay their hands on." According to this article, they exploit on the order of tens of thousands of systems and have a control system to pull data and recordings from targeted users.


If you combine this article with the dozens of others from the past ~year, the vacuum analogy is not at all hyperbolic.


Two NSA bulk collection programs have been outed: the NSA collects call log metadata to this day, and they used to collect email headers from unencrypted email deliveries entering or leaving the US until a few years ago. The remaining articles about NSA data collection have been about targeted programs.

Though I disagree with some of their methods, they are not vacuuming up everything they can get their hands on by a long shot, and spreading ggp's view distracts from solving the problems with what they are doing.


> The remaining articles about NSA data collection have been about targeted programs.

Cut the crap.

* XKeyscore: NSA tool collects 'nearly everything a user does on the internet' [1]

* NSA collecting phone records of millions of Verizon customers daily [2]

* NSA taps Skype chats, newly published Snowden leaks confirm [3]

* NSA collects millions of text messages daily in 'untargeted' global sweep [4]

* Optic Nerve: millions of Yahoo webcam images intercepted by GCHQ [5]

I'll quote:

> Sweeps up emails, social media activity and browsing history

[1]: http://www.theguardian.com/world/2013/jul/31/nsa-top-secret-...

[2]: http://www.theguardian.com/world/2013/jun/06/nsa-phone-recor...

[3]: http://arstechnica.com/tech-policy/2013/07/nsa-taps-skype-ch...

[4]: http://www.theguardian.com/world/2014/jan/16/nsa-collects-mi...

[5]: http://www.theguardian.com/world/2014/feb/27/gchq-nsa-webcam...


Reread the source documents.

XKeyscore isn't a data collection program. It is a system for retrieving data and metadata already collected through data collection programs like PRISM.

I mentioned the Verizon program in my previous post. As I said, it is one of only two NSA domestic bulk collection programs that Snowden's documents have revealed, and it's the only one that is ongoing.

* The Skype chat collection is targeted, not bulk, according to Snowden's documents.

* The SMS program neither contains domestic data nor contains SMSes written by people. According to the document, it contains only automated SMSes. You're right about this one being bulk collection. I meant to write "bulk domestic data collection," and I didn't, so you are right that what I said was wrong. I didn't mean to mislead, only to correct the lunatics who continue to assert the government is doing things it is not, making the rest of us US privacy advocates look crazy by association.

* Optic Nerve is neither an NSA program nor does it contain domestic data. It contains data from Yahoo webcam traffic passing through the UK's borders according to the documents.


You may have missed the fact that other "five eyes" intelligence agencies conduct broad sweep data collection on US citizens, which is usually then shared with US agencies (the GCHQ Webcam program mentioned notes that it isn't clear if that program is shared with the NSA, but it also notes NSA documents protocols for dealing with webcam footage).

You'll note the NSA statement on this program was very carefully worded:

The NSA declined to respond to specific queries about its access to the Optic Nerve system, the presence of US citizens' data in such systems, or whether the NSA has similar bulk-collection programs.

However, NSA spokeswoman Vanee Vines said the agency did not ask foreign partners such as GCHQ to collect intelligence the agency could not legally collect itself.

A suspicious person might wonder why the spokesperson said the NSA "did not ask foreign partners" for intelligence it could not legally collect itself. Perhaps it is because they don't need to ask? We already know that intelligence sharing between the five eyes is very open (e.g. GCHQ used XKeyscore to run the Yahoo program somehow), so it seems likely that the NSA has access to GCHQ intelligence on US citizens without asking for it.

I'm not entirely sure why your acknowledgement of the phone metadata tapping program makes it less of an issue, either!


A suspicious person might think a lot of things. In this case, a suspicious person was actually in their document systems with access to all the program info and didn't leak anything to confirm those suspicions.

Pointing out that I already mentioned the call log collection doesn't make that collection any less of an issue, but that's not why I pointed it out. The context is earlier in the thread.


> I mean, really, is there any possible reality that involves the NSA/GCHQ deleting the mountains of data they have surreptitiously recorded?

They will: it costs a lot of money to keep data alive.

And it is a shame, NSA data for research purposes should be put under the UNO protection:

- it holds lower bits of information interlaced with the "big data" like how flu is propagating;

- we could analyse causality chains and propagation of ideas (the impact of culture);

- we could see corruption's effects, measure it and decide if it is worth the price;

- we can record the variation and evolution of natural language/style;

These data are a treasure, they should be opened after X years, but for economic reasons, they will be deleted.


Seems terrible, but it's only the beginning of the Anglo-Saxon leadership demise. Historically, empires usually fail from inside...


You don't have to get them to delete it. Just defund them so they can't afford to do it in the future. The data will be worthless pretty quickly as it ages.


One word for you: sedition. It's gonna happen.


"Sedition often includes subversion of a constitution ..." https://en.wikipedia.org/wiki/Sedition

Ah, so that's the NSA's game.


Remember, Microsoft is part of this plot, even if they have "plausible deniability". Microsoft is giving NSA access to lists of vulnerabilities Windows has many months before Microsoft even begins to work on a fix. They are in effect helping NSA break into many computers, even if they are up to date.

http://www.bloomberg.com/news/2013-06-14/u-s-agencies-said-t...

Every single one of these vulnerabilities could be seen as a backdoor, except Microsoft can have plausible deniability, since they are not actually putting a backdoor in the OS themselves - they're "just telling NSA about the vulnerabilities that exist".

If something like CISPA passes, which NSA keeps pushing for, this capability will expand dramatically, as all companies will be forced to give these vulnerabilities to NSA, but not to "protect us" and for cyber "security", as they keep claiming when they try to promote laws like these, but for offense. They will hoard every single one of them, and then use them in such automated systems to infect millions of computers.


No. None of this is accurate.

Microsoft gets information about vulnerabilities from the same sources as everyone else. They outspend every other software vendor by something like 4:1 on outside software security consultants. If they are in a privileged position regarding WinAPI software vulnerabilities at all, it is a marginally privileged position. No security person working at Microsoft would tell you they were confident that outsiders weren't holding severe, exploitable vulnerabilities back.

NSA, meanwhile, is as competent at sourcing vulnerabilities as any organization on the planet. They have internal research teams that generate them that are presumably competitive with any private research team, and they apparently purchase vulnerabilities like everyone else --- not from Microsoft, but from research teams that sell vulnerabilities.

Microsoft gives pre-release information about vulnerabilities to lots of different organizations; for instance, the IDS and network security vendors get pre-release info to create signatures. This program is, IIRC, over a decade old.

NSA is a dual-role organization; it also houses the USG's center for defensive technology expertise. It is the opposite of surprising that NSA would have the same relationship with Microsoft as, say, Symantec would.

Finally, CISPA does nothing resembling what you claimed it does. CISPA is opt-in; it cannot be used to force a company to disclose anything. CISPA is about incident data, not vulnerabilities. It is already lawful to share vulnerability information with the government. The gray area in data sharing is non-anonymized incident data, which can be covered by any of 10+ different regulations that make even IP-level metadata risky to share for collaborative defense.

CISPA is an extraordinarily short bill; you can simply read it instead of taking my word for it.


Nothing you've uttered refutes the point - that Microsoft hand over vulnerabilities to the NSA, and delay fixing them. Read the docs.


You read the docs. http://technet.microsoft.com/en-us/security/dn467918

This is a publicly disclosed, publicly available program. Implying that it's somehow a government conspiracy is lying.


Feel free to cite the document that shows Microsoft delaying fixes for NSA.


The only official response from Microsoft that I can find is in reply to a question from Bloomberg [1] on this question. Frank Shaw, lead communications for Microsoft, responded by email to the question that, according to Bloomberg, information regarding 0day or other exploits are provided to a number of government agencies as an "early start", prior to public announcement.

The original email text is unavailable as far as I can see. It of course makes perfect sense that, at least under certain circumstances, and this was the sense of limit inferable from the email, that government agencies should be given the opportunity to assess whether the item being notified about has some security implication.

The claim is made by Bloomberg, by reference to "two unnamed government officials", that Microsoft is aware that such information might be applied for reasons not primarily connected to domestic defensive security. But this is only an unsubstantiated assertion.

The number of potential exploits that are known only to Microsoft at the time of notification to those agencies would be, at a lazy guess, somewhat proportional to their exploit assessment man hours, compared to the overall exploit discovery effort. I would think that would be the much smaller proportion.

1. http://mobile.bloomberg.com/news/2013-06-14/u-s-agencies-sai...


Do your own homework, you know how to use Google - so go use it .. a simple query "Microsoft collaborates with NSA" turns up enough reading material .. of course, unless you don't want it to be so easy to enlighten yourself on the issue, in which case no document is going to convince you of your position.


These guys are focusing narrowly on your choice of words ("delay fixes"). It was outed by the Guardian that Microsoft actively circumvents the security of some major products (Outlook, Skype) for the NSA. The Guardian never released the Snowden doc for Microsoft collaboration [0]. Therefore, we don't know the specifics of how. We just know that Microsoft backdoors its products for the federal government without telling its customers.

"Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;" [1]

[0] https://twitter.com/ggreenwald/status/355391355939340288

[1] http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-c...


No, you just introduced an entirely different concern than the one introduced by the thread. The root comment suggests that Microsoft arranges to provide NSA with vulnerabilities that they deliberately do not patch so as to maximize their value to NSA. There is no evidence that anything like this has ever happened.

Your message is a red herring; I could debate your conclusions, but what would be the point? I'm sure you've got 10 more red herrings up your sleeve.


My message is not a red herring. I did not make any conclusions of my own for you to debate. I was trying to add context (note that I replied to fit2rule, I wasn't challenging you). I quoted the Guardian and gave the reason there is no public Snowden document on the Microsoft NSA issue. Therefore, we don't know the specifics of their collaboration/cooperation. I do not dispute what you said about delayed patches, but it is meaningless without that context.

To be fair, there is not much daylight between: 'The root comment suggests that Microsoft arranges to provide NSA with vulnerabilities that they deliberately do not patch' and what the Guardian reported about Outlook. At least to me, but I'm not a security expert. Is it not considered a 'vulnerability' if Microsoft hands over the keys so to speak?

Also on a side note, it is rude to call me out like you did. I don't have herrings up my sleeves. I don't care about internet points. I just wanted to contribute more information to the discussion.


No, that would not be considered a "vulnerability" in the sense used on this thread.


Is the user more - or less - vulnerable to an attack? You're quite the pedant, whoever you are ..


I'll happily accept this as an admission that you don't have a source to back up your original (extraordinary) claim. Thanks.


Hey, so you don't understand words. I get it. That's quite a vulnerability you've got there.


I love seeing Tptacek being proven wrong as much as the rest of us; but this is just weak.


I have no idea who Tptacek is, but - is it really so hard to pay attention? Microsoft collaborates with the NSA. It's in the docs, it's been news for months.


I'm a little slow, my Googling skills suck, and I've been living under a rock for... let's just say "months". Can you spoon-feed me the exact article, line, and phrase where you got this idea that Microsoft delays fixing vulnerabilities at the NSA's behest?


For something so obviously well known you seem to have difficulty providing evidence of your specific allegation (microsoft giving NSA advance notice of unpatched zero days.)

I don't doubt it happens, so much as I expect extraordinary claims be backed with extraordinary evidence.



I don't understand. Does the way your argument work rely on people not having read the other comments on this thread? Because neither of those two articles back up the claim made about NSA and Microsoft, and both appear to describe a publicly-known documented program run by Microsoft. And, both of those points have already been made on the thread.


This.

Very frustrating as I work with a Microsoft-oriented company at the moment. Any mention of this to their architectural team results in nothing short of "mwuhahaha you're talking shit". There is some weird universal trust there that really makes no sense at all.

To add insult to injury they don't log, don't have an IDS and don't have a clue stick to hit themselves with.

Their funeral!


MS's program to provide information on upcoming security issues to large customers isn't anything sinister. It's an obvious step to achieve a better overall security by allowing larger users to mitigate damage before a patch is available.

You can spin it as a secret NSA-program, but I don't think that's very useful as this program does legitimately help a ton of users.

(Not that it really would excuse things, but I'd be very surprised if intelligence agencies don't have people inside companies like Microsoft anyways.)


I disagree.

I've worked for a few large European financial orgs over the years and MS will not disclose issues early to them despite begging and piles of money. We're talking 50k+ employees here.

However DoD connected companies like Lockheed Martin, Boeing and Raytheon are right in there without an invite.

You just get the feeling there's something off when relationships are made like that.


As if having an IDS would make a difference.


You're right - it wouldn't but at least it'd look like they gave a crap.


Probably because they don't care about any of that. They probably care about releasing products and making clients happy.

Also, mwuhahaha you're talking shit.


And this is why I'm glad my main OS is linux.

Not impossible for NSA to get in but a lot more difficult.


I seriously doubt linux presents a challenge for them. Think about all the web servers that are linux, you think they don't have an army of experts that can pwn those OS's?


> Think about all the web servers that are linux

None, unless you install them and activate them? What sort of desktop distro comes with pre-configured webservers?


I think you misunderstood the GP. He means that the internet runs on linux, so the OS is a high-value target. Thus, it is reasonable to assume that the intelligence agencies have collected some as-of-now-unknown-to-the-public vulnerabilities for libraries that are typically used with Linux.


While Linux is probably slightly harder for a sophisticated attacker (and a lot harder for an unsophisticated one), a lot of your protection probably comes from the fact that they spend most of their time targeting the 98% of the desktop software base that isn't Linux. Of course maybe their server oriented efforts make this moot.


The most vulnerable part of a server is the fact that it's a server.

It's a lot easier to attack the website running on the server and escalate from there than attack the OS directly.

So the vulnerability would have to be in something that both servers and desktops have in common.


> I use Ubuntu, take that NSA!

You're cute.


Close... It's Arch though.


So the only thing the NSA has to do is hack/convince/rendition/break-into-house a single person who holds a package signing key, and then they can MITM your pacman updater and have you as well.

And there's enough people with such a key to choose from: https://www.archlinux.org/master-keys/.

(I run Arch as well, but I have no such illusions of security.)


Or just employ people to contribute to some of the many popular upstream projects to slip in a vulnerability or two.

Edit: not to discredit Linux or FLOSS, at least there is the possibility to analyse the source code.


As I said, not impossible, but at least we're not giving the NSA information about vulnerabilities months in advance of us fixing it.

Where there's a will there's a way, especially if you have billions of dollars in funding and the freedom to do so. I just aim to make it as difficult as possible.


Is running Linux all you can do to make it as difficult as possible?


No obviously not.

There's a lot of things you can do to protect your privacy but it all starts with a good choice of OS and hardware.

If the foundation is compromised there's no point in anything else you do to protect your privacy.

Edit: Yes, Arch is not particularly security conscious. I choose to compromise some security to stay on the bleeding edge; that could mean that I get some bad code sometimes, but that also means that it gets fixed sooner too.

Having a rolling release system that you can mold to your needs is worth it for me.


I'm not trying to bash Arch, but it never looked like a particularly security-conscious or focused distro. To me it looked like it's about being cool and bleeding edge and Gentoo with binary packages... and I have a faint recollection of seeing some rather unimpressive packaging, though that was a long time ago.

So it runs on i686 and amd64 only. How do you select "good" hardware?


In an ideal world it would be open source hardware where you can review anything from the circuit diagram to the firmware.

However since there's no such thing you will have to choose who you trust.


The NSA, breaking into US computers, is violating the Third Amendment, in my opinion.

No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.


Interesting angle.

Perhaps if research were to show that "soldier" could be more broadly interpreted to mean "agent of security," you could really get some momentum going for this line of thought. After all, we aren't required to keep other pieces of security enforcement in our homes, such as turrets on the roof controlled by the government.

Keep it up.


There is a "War on terror" going on, as governments are very keen to point out all the time.

Who fights wars on behalf of their governments...

Ok, reasoning is a bit simplistic and technically inaccurate depending on your definition of "war" (congress approved etc.) but I do like hoisting by own petards.


At the time when this was written, there was a clear distinction between times of peace and war.

Nowadays, especially from the start of the "War on terror", this distinction has been artificially demolished; one of the consequences is that there is way more leverage to work around laws (and to do many other nasty things).


I grant that funding for the War on Terror has taken place. But I also don't think that a real, formal declaration of war has been approved.

So, is the USA at war or not? I suspect (but I'm only 52% certain) that we're not at war.

The follow-on questions (after "are we at war or not?"): In what state are we? What are the legal ramifications of this half-at-war-state? Why hasn't the US Congress declared war since WW2? Is there some consequence to declaring war or not declaring war that they're trying to avoid?


The US is in a state of war, under the "Authorization for Use of Military Force Against Terrorists" act (2001).

In particular, Section 2(b)(1): SPECIFIC STATUTORY AUTHORIZATION- Consistent with section 8(a)(1) of the War Powers Resolution, the Congress declares that this section is intended to constitute specific statutory authorization within the meaning of section 5(b) of the War Powers Resolution.

This has been tested under law[1]. Notably, that the US was in a state of war wasn't even considered worth arguing, just if that state of war provided justification for indefinite detention.

[1] http://en.wikipedia.org/wiki/Hedges_v._Obama


I wasn't referring to a formal state of war (although somebody pointed out that it may exist), but to an informal one.

Under a certain perspective, paradoxically, an informal state of war is worse than a formal one, because it's more subtle - it goes under the radar.

There has been a big shift in mindset towards accepting offensive practices as normal, which would not be accepted in a clear state of peace, or at least, which would force a much stronger opposition.

Mass surveillance? It's accepted, we're at war. Unaccounted (mass) murder of foreign civilians? It's accepted, we're at war. Torturing suspects? It's accepted, we're at war.

Except, we're not at war.


There is no requirement, either under the Constitution or under laws of war, for any sort of formal declaration. And, there was an "authorization of military force" against al Qaeda and the Taliban. There certainly isn't some magic I DECLARE WAR requirement.

> Why hasn't the US Congress declared war since WW2? Is there some consequence to declaring war or not declaring war that they're trying to avoid?

It's an outdated concept.


I seem to recall that we've got laws that make some crimes have a greater penalty during "time of war", which I assume means declared war.

How do you mean "outdated concept"? Are there no more wars? Are there no different legal penalties or obligations during war any more? Because I'm told that the USA has been in wars since 2001 at least. What are the consequences to me, and to my government of outdating an official declaration of war?


"There is no requirement, either under the Constitution or under laws of war, for any sort of formal declaration."

Given that the constitution explicitly gives congress "the power to declare war", I'm not sure this is entirely reasonable. That said, I don't think it's unreasonable to say the AUMF count, either.


Oh, so we are at war with a government that has been completely disbanded and a loose network of terrorists whose leaders are either dead or imprisoned. Next you'll be telling me that we are at war with Germany, Japan, and Italy.


Where in the article did it say they were breaking into US computers? What's described in the article isn't as obviously illegal as that.


I think this would be an extension of wiretapping, not soldiers taking residence forcefully in a home.


No. Malware is way more intrusive than wiretapping, it can affect your software. Implanting a chip into your brain to control your thoughts would be the extreme version of it.


"Way more" intrusive doesn't conflict with "extension". It's just a more spirited adjectival phrase.

Seems to me that what's described -- fake servers to watch traffic, turning on a mic to listen, turning on a camera to watch -- are all in spirit extensions of an intel agent sitting at an AT&T operator's switch and plugging into a line to listen to a conversation. Particularly that mic one.

My contention was simply that it doesn't track that malware on a computer is anything like a soldier demanding to use someone's home as a bunk house.


> My contention was simply that it doesn't track that malware on a computer is anything like a soldier demanding to use someone's home as a bunk house.

I don't disagree, and IANAL, but there is a case to be made here that the spirit of the Third Amendment is to prevent military, or military-esque actors, from commandeering civilian property. On the other hand, in writing that, I realized there is something called commandeering and there are probably interesting relevant cases to go over to find whether or not that has any sense.


An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer’s microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer’s webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.

Will all the conspiracy theorists come out of the woodwork, please. We need your help.


And I can't even keep Evolution from needing my password every few minutes.


Hi. My conspiracy theory is that Satoshi Nakamoto is the NSA.

You're welcome.


Hi, Michael. Both of us are now in a labelled graph database of identities, where the label signifies how strong the connection is. Right now it's 2/10, but by responding to you it's now 3/10. And if you (yes, you) are reading this comment, assume that you just got a 1/10 label to me [1].

You're welcome.

1: More efficient representations probably exist. Maybe we are all uniquely indexed in some database cluster in Utah. I'd call it BACON-BINLADIN.


That's strange. If ever I tried to build a botnet with millions of nodes I'd surely be thrown in prison for years at least. Probably decades. But if I've learned anything in my short time on this planet, it's to always commit your crimes behind the corporate or government veils. Preferably both.

Edit:

https://prod01-cdn02.cdn.firstlook.org/wp-uploads/2014/03/ha...

Mirror: http://i.imgur.com/JbLqxAY.jpg

Fuckin' hell. I think we can consider the internet more than owned. More like bent over and pounded.


> GCHQ cooperated with the hacking attacks despite having reservations about their legality. One of the Snowden files, previously disclosed by Swedish broadcaster SVT, revealed that as recently as April 2013, GCHQ was apparently reluctant to get involved in deploying the QUANTUM malware due to “legal/policy restrictions.” A representative from a unit of the British surveillance agency, meeting with an obscure telecommunications standards committee in 2010, separately voiced concerns that performing “active” hacking attacks for surveillance “may be illegal” under British law.

Wow, finally a limit on what GCHQ thinks that they are allowed to do! Now can the NSA be prosecuted for these actions when done in the UK? #notgonnahappen


At some point, laptops, displays, and handheld devices started carrying built-in microphones and cameras as a feature. Perhaps the new feature is devices that don't have these things? To use a mic or camera, you'd explicitly have to plug it in and could physically unplug it later.


Better then, to have hardware switches similar to the iPhone lock switch.

I'd welcome that in general! Make the switch open up the camera app directly, and a similar one for the mics; binding it to your phone or recording app, depending on what you prefer.

Make each switch a LED which -if they are- signals ON-state as the screen is turned on or off.

Edit: And incoming call screen would have to reflect the mic being off, in which case flicking the switch would accept the call.


Already underway.

See http://time.com/10115/google-project-ara-modular-smartphone/ and similar projects.


Through all of the news articles and the analyses I have read, I still don't understand how exactly all of this works. I understand the MITM concept, but the Man-On-The-Side parts boggle me:

"When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target’s computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive."

Where is the security hole? My network card? OS? Browser? But then there are so many layers in there. Is it a specially malformed ICMP packet? Or is it a vulnerability in the OS's RPC functions? It's one thing to exploit a vulnerability in Java or Flash, but just using "malicious packets"?


It seems to me that they are sending out packets identifying themselves as facebook. If you're not using SSL this is expected to be possible. If you are using SSL to communicate with FB then it's likely that the NSA has the private keys for FB's SSL certificates.


Right, I think this is referring to a technique described in some of the earlier info releases, where the agency intercepts requests and sends a fake response before the real one arrives, and ditching the real response. I'm not clear on the details - it may rely on spoofing the server's IP, falsifying DNS replies and/or manipulating data in transit.

What interests me more, and what the above poster may be asking about is this part: "By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer".

This implies a true drive-by exploit - one not requiring any user interaction. Most of the Windows malware is actually installed by the user - they're tricked into clicking something, thinking it's anti-virus, funny video, "accelerate your internet" or some other innocuous thing. The no-user-action exploits generally have been workable only for plugins, particularly Flash or Java, which the user has allowed to run without any filters.
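Added example, not part of any comment in this thread: if the race described above happens (a forged response reaches the client first and the server's real response still arrives afterwards), a packet capture can contain two TCP segments in the same flow that cover the same sequence numbers with different bytes. The Python below flags that pattern in constructed sample data; the `Segment` fields, addresses and payloads are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One captured TCP data segment; field names are hypothetical."""
    ts: float       # capture time in seconds
    src: str        # sender "ip:port"
    dst: str        # receiver "ip:port"
    seq: int        # sequence number of the first payload byte
    ttl: int        # IP TTL seen at the capture point
    payload: bytes


def conflicting_overlap(a, b):
    """Return the first shared sequence number if a and b carry different
    bytes for the same sequence range, else None.
    Assumes no 32-bit sequence wraparound inside the capture."""
    start = max(a.seq, b.seq)
    end = min(a.seq + len(a.payload), b.seq + len(b.payload))
    if start >= end:
        return None  # the two segments do not overlap at all
    if a.payload[start - a.seq:end - a.seq] == b.payload[start - b.seq:end - b.seq]:
        return None  # ordinary retransmission: same bytes, maybe re-segmented
    return start


def find_injection_candidates(segments):
    """Group data segments per direction of a flow and report every pair
    that disagrees about the bytes at the same sequence numbers."""
    seen = defaultdict(list)
    findings = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.payload:
            continue  # pure ACKs carry nothing to compare
        flow = (seg.src, seg.dst)
        for earlier in seen[flow]:
            seq = conflicting_overlap(earlier, seg)
            if seq is not None:
                findings.append({
                    "flow": flow,
                    "seq": seq,
                    "first_ts": earlier.ts,
                    "second_ts": seg.ts,
                    # A TTL gap hints that the two copies took different paths.
                    "ttl_delta": abs(earlier.ttl - seg.ttl),
                    "first_bytes": earlier.payload[:24],
                    "second_bytes": seg.payload[:24],
                })
        seen[flow].append(seg)
    return findings


def sample_capture():
    """Constructed capture: one raced HTTP response, one benign retransmit."""
    client, server = "10.0.0.5:51000", "203.0.113.10:80"
    peer_a, peer_b = "10.0.0.5:51001", "203.0.113.20:80"
    return [
        Segment(1.000, client, server, 500, 64,
                b"GET / HTTP/1.1\r\nHost: site.example\r\n\r\n"),
        # Arrives first, claims the server's address, different TTL.
        Segment(1.010, server, client, 1000, 61,
                b"HTTP/1.1 302 Found\r\nLocation: http://injected.example/\r\n\r\n"),
        # The server's own answer for the same sequence range.
        Segment(1.045, server, client, 1000, 52,
                b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
        # Benign flow: exact retransmit, then a coalesced retransmit.
        Segment(2.000, peer_b, peer_a, 5000, 55, b"hello world"),
        Segment(2.300, peer_b, peer_a, 5000, 55, b"hello world"),
        Segment(2.600, peer_b, peer_a, 5000, 55, b"hello world, again"),
    ]


if __name__ == "__main__":
    for finding in find_injection_candidates(sample_capture()):
        print(finding)
```

Same-sequence retransmissions with identical bytes are normal and are not reported; only a content mismatch is, and it should be treated as a lead to investigate rather than proof of injection.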


Yup, your second paragraph nails it. But even then, it borders on XSS or some hybrid injection attack which would rely on a vulnerability somewhere else up the stack. The way I understood a lot of this article, I'm led to believe that they're able to monitor/intercept a target's requests, imitate the web server and send replies which are so meticulously malformed that they are able to infect the target system.

Like I said in my post and which you echo in your third paragraph, it's one thing to trick users into downloading and running binaries or to exploit a plugin, but it's another thing to imagine malformed packets breaking the security of an entire system.


Since they see everyone as a potential threat, taint their data so that everyone appears to be that threat. Millions of us could increase the signal-to-noise ratio in their collected data by using a bot to perform random human-like web searches and visits.

If 100 people are searching for <insert bad thing here>, the government has actionable surveillance data. If 100 thousand or 10 million are searching for it in ways that are indistinguishable from a human, then that data becomes unreliable and is no longer actionable.

Adding email to this would strike a fatal blow. Someone could figure a way to create a secure layer to inform a client when a given email being sent was fake, and thus suppress it visually. Soon from the government perspective everyone would be cheating on their spouses and spouting extremist views and plotting this or that.

This would result in an increase in liberty by proving to the government that it should fear its people, if only because its sophisticated surveillance tools now confirm that all the people are evil.


Has anyone looked into doing this? Meaning has anyone started building anything like this? I would be interested.


All of this sounds like excellent operational technology. I don't understand all the outrage here. If you sit down and ask yourself, "What kind of technology would I build if I wanted to infiltrate government/military networks of technologically sophisticated adversaries?", this is basically what you'd end up with. This is exactly the sort of thing I would expect the NSA to spend their time on.


I don't think the majority of people are outraged that a spy organisation spies. The things that have got most people rattled are:

a) The breadth of the spying, including many, many innocent people.

b) The long-term storage of data, likewise.

c) Deliberate weakening of security standards we all rely upon.

d) The fact it's all happening without democratic debate.

If instead of the above, they threw innocent people's data away, targeted their intrusions, engaged with the democratic mechanisms, and used their expertise to improve internet security, a lot of people would be much happier.


Exactly. So much of the article is about capabilities with little context for how broadly it is applied. Even the "millions" in the title is just about the server capacity for managing the infected computers, and later they admit that the actual number of computers is an order of magnitude less.


When I was in middle/highschool -- late 90's-03 -- using a mix of home-made tools, scripts I tweaked, some trojans I hex edited to make work for me...I had almost all of my schools home computers logging into an IRC room where I could use them to DoS attack and easily knock off (especially before few had broadband) anyone -- all my infected IRC clients could also upload, often around firewall/virus protection varying degrees of other trojans that let me print on their computers, watch them on webcams, open their cd-roms... I was young, told most people and really didn't abuse it: and finally learned 'hackers make things, crackers break things' -- but the point is: yes this isn't a surprise, and in many cases the sophistication is not even too deep, but ya like many said: we need this to keep being published so the open community as a whole can understand, and circumvent if need be.


I believe the money quote here is:

  “If we can get the target to visit us in some sort of web
  browser, we can probably own them,” an agency hacker boasts
  in one secret document. “The only limitation is the ‘how.’”


> By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive. A top-secret animation demonstrates the tactic in action.

Can anyone explain why they need to conceal it as a Facebook server? Why is that essential to infecting your computer? Why can't it just send you the malware, and then redirect you to the real Facebook (since their mission is accomplished anyway)?


It sounds like they are going after a vulnerability in the browser. My guess would be that they do a man-in-the-middle attack where they have a device that acts as a proxy so you get YOUR Facebook page, but with an exploit injected into the code.


>"The sensors, codenamed TURMOIL, operate as a sort of high-tech surveillance dragnet, monitoring packets of data as they are sent across the Internet."

"TURMOIL", really? Honestly, is this just an elaborate setup for a new Bond film or something, this is getting ridiculous.


>computer servers

I've been seeing this pattern a lot in nontechnical news recently, and have always been baffled as to what other kind of server there is (short of some basic network service implemented purely in logic gates, I guess).


>> computer servers

> I've been seeing this pattern a lot in nontechnical news recently, and have always been baffled as to what other kind of server there is ...

In this fast-breaking story, the expression "computer servers" has joined "software program" and "underground tunnel" at the Department of Redundancy Department.


Don't forget putting your PIN number into an ATM machine.


There are servers at restaurants.


also both in and on courts. :)


I don't know about you guys, but to me, the NSA code names seem to be a great source for hostnames. "ssh hammerstein" has a good ring to it, no?


Look, SSH clients are used as selectors.


The obvious solution is to run everything on Temple OS.

I'm only half joking.


Too bad God doesn't approve of a networking stack.


This is exactly why God doesn't approve of a networking stack.

Wake up, sheeple.


I feel guilty of upvoting a joke on HN.

My only comfort is knowing that this one will be buried, and this will be my punishment.


That's a little dramatic, don't you think? :-)


Looks like the comment-parent isn't a native English speaker; a lot probably got lost in translation.


Anyone else find the graphics in the slides as almost too bad, that they aren't believable?


Does anyone have a good guess of how FASHIONCLEFT works? Has it been seen before?


Google reveals http://s3.documentcloud.org/documents/1077764/vpn-and-voip-e... which seem to be slides regarding it.


“When they deploy malware on systems,” Hypponen says, “they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.”

Really, how does that work Mikko? You don't even have a copy of any malware to make that statement.

All the hyperbole about how this is somehow unique is really getting old. Exploit kit authors have had shitty PHP web applications that accomplish the same task for ages: manage thousands of bots by grouping them together with a point and click management interface. It sounds like, prior to TURBINE, NSA had a single person tasked to oversee every action taken by hand, which is kind of inefficient if you ask me, so it stands to reason they would try to manage that process with technology.

How do you cool yourself First Look when you're reporting on this in 2014? Jeez.


Hypponen said "potentially" and it is an absolutely defensible statement. You go around poking holes in a system, don't be surprised if other people find the holes. You gonna trust the guy who hacked your machine to lock the door behind him on the way out?

>All the hyperbole about how this is somehow unique is really getting old.

The issue isn't that the spooks have developed some superweapon. The issue is that they've signaled intent and means to do mass espionage on citizens, not just at the network level, but at the machine level. This is as if your local law enforcement handed out burglars tools to all their officers so they could get into everyone's homes "to check for drugs". "Eh, burglars tools are nothing special" totally misses the point.


> All the hyperbole about how this is somehow unique is really getting old.

The big news is that the most powerful people on the planet are now using the same script-kiddie techniques against the rest of the world, in secret, without oversight, on an industrial scale.

EDIT: Judging from your github account, you appear to be a developer working on an open-source whistleblower platform. Given that the NSA's efforts would likely be focused on the users applications such as yours, do you not find these revelations to be directly relevant to your goals in developing this software?


Botnets require remote management. This means adding hidden backdoors, with the assumption that they will remain hidden. If such a backdoor becomes known to bad actors, they will exploit it.

Unless you're asserting that adding back doors makes a system more secure.


> Really, how does that work Mikko? You don't even have a copy of any malware to make that statement.

Simple: every process running on a system is a process that can be exploited, especially those processes that involve network communication. The NSA's exploits are processes running on the system they are attacking. They utilize network communications. These processes are open to exploitation by third parties, just like all the other legitimate processes.


Definition of the word 'potential' cited in the Oxford Dictionary.

"Having or showing the capacity to develop into something in the future"

Or alternatively

"Having possibility, capability, or power."

Or in Merriam-Webster:

"expressing possibility ; specifically : of, relating to, or constituting a verb phrase expressing possibility, liberty, or power by the use of an auxiliary with the infinitive of the verb (as in “it may rain”)"

I can see no difficulty in the author's expression of the idea of possibility.


Prediction: If this goes on long enough, NSA (and other entities) will accidentally create Skynet.


Drones fly around, listening to cell traffic and logging call data and the position of phones in the Middle East (so-called "metadata"). These logs are then fed into a computer, which attempts to find relationships between phones. Which phones regularly find themselves in the same location as other phones? Which phones called other phones? The computer is also fed imperfect information that correlates some phones to the identities of alleged 'baddies'.

When phones are found to have close 'relationships' with phones that have at least at one point been used by 'baddies', sometimes the computer decides that the phone must be executed. It prints out an order, which is passed up the line to the President. The President rubber stamps the order. The order goes back down the line and eventually finds its way back to the computer. The computer, using the before-mentioned drones, locates that phone and informs a drone operator. The drone operator then tells the drone to execute that phone, and any people who may happen to be in the area with it. The drone carries out the execution.

Nothing but a bureaucratic skynet.


That won't happen, because SkyNet is already created. It's their management infrastructure. This proves once more management is evil. (this post is false)


Probably won't need the AI... all it takes is consolidating it into a bunch of easy-to-use push-button setups. Then Milgram-style situations occur.



