Hacker News
Glenn Greenwald: The NSA tampers with US-made routers (theguardian.com)
317 points by not_dirnsa on May 12, 2014 | 136 comments

So RMS was right after all, OpenSource gives you visible security where proprietary products are encumbered with all sorts of unwanted and even dangerous "features".

my 2c

Yeah, but you'd presumably need to have open source hardware shipped to you, right? And then you'd still need to inspect the hardware / software as shipped, right? RMS was right about a lot of things, but remember that his most important ideas are still waiting on lots of other things to happen first before they become practical.

Not perfect but the alix boards[1] ship with a full board schematic. They also ship with the source code for the bios and some information that would help you write your own. All the major open source router projects work on them. 6f2 even supports 3g modems so you can multi-home your connection.

I know it is not perfect (you still have to trust the AMD chips and so forth) but it seems a lot better than just buying a linksys and hoping it works with OpenWRT.

[1] http://pcengines.ch/alix.htm

Unless you're willing to 10x your integration costs by building a reliable verification process --- something that even specialists in hardware verification don't actually have --- and then painstakingly applying it to every piece of equipment you receive, full board schematics don't help you. For that matter, "free software" and "open source" are probably providing a false sense of security.

For some hardware attacks, like transistor-level dopant mask swaps, there isn’t any reliable way to detect them, neither optical inspection (because the layout is unchanged) nor functional testing (because passing BIST and external benchmark results can be faked). See the paper from UMass: https://people.umass.edu/gbecker/BeckerChes13.pdf

Since the “detection” I’m referring to is already extremely difficult before the chip even leaves the legitimate chip manufacturer’s facility, what hope could someone have of opening a modern IXP-scale router and determining if any of the zillion chips inside has been trojaned by double-0-mailman?

I think we're operating from the assumption that the fab is itself not compromised; if you think it might be, you're right, all is lost. But I think we're converging on the same point: all is lost anyways.

I know you're a noted security researcher but it seems like you write about security as if it were a binary "secure or insecure".

How do your comments in this thread relate to the fact that nothing can ever be perfect, and different degrees of sophistication in security can only ever reduce the probability of an attacker's success, or the percentage of attackers that make it through everything?

This raises an interesting point about "tamper revealing" methods of security. Open source, publicized hashes of executables, even key exchange protocols, all of these prevent attacker tampering by making it more likely attacks (or even just bad code) will get noticed. They don't strictly prevent tampering, they discourage it.

Take DHKE. It "defends" against MITM. But it doesn't strictly prevent it. An attacker could perform the protocol with both Alice and Bob separately, then guard the line and tamper with any communications on that channel that attempt to confirm the shared secret. The attacker couldn't win against a determined Alice and Bob, though, because A&B could theoretically use other channels, or even publicly broadcast some confirmation of the shared secret. So the smart attacker is "probably discouraged" from the noisy MITM.

But how many key exchange implementations actually use separate (availability ensuring) channels to confirm no one is in the middle? It's prohibitively expensive to verify no one's attacking something that no one ever attacks.

But then again, things no defender verifies are attractive to attackers. And some attackers are willing to get noticed 9 times out of 10 to land the one payout. "Tolerance for getting caught" is not always zero, that's another variable that complicates our Nash equilibrium here...
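The DHKE scenario above, as an added illustration that is not part of the original thread: an unauthenticated exchange run once over an honest channel and once through a relay that completes its own exchange with each side, followed by the two confirmation styles the comment contrasts. The group is a constructed toy (prime 2^255 - 19, generator 2, chosen only because it is short to write down); deployed DH uses a standardised group such as those in RFC 3526 or RFC 7919.

```python
"""Unauthenticated Diffie-Hellman with and without a relay in the middle,
plus in-band and out-of-band confirmation of the shared secret.
Constructed example: toy group, not parameters anyone should deploy."""
import hashlib
import random

P = (1 << 255) - 19   # constructed toy modulus (2^255 - 19)
G = 2                 # constructed toy generator


def keypair(rng):
    """Private exponent x and public value g^x mod p."""
    x = rng.randrange(2, P - 1)
    return x, pow(G, x, P)


def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)


def sas(secret):
    """Short authentication string: a few hex digits of a hash of the secret,
    short enough to read aloud over a phone call or compare in person."""
    return hashlib.sha256(secret.to_bytes(32, "big")).hexdigest()[:6]


def run_exchange(relay_present, rng=None):
    """Return what Alice and Bob end up with, whether a relay could read the
    traffic, and the outcome of an in-band confirmation (sent down the same
    channel) versus an out-of-band one (compared on a channel the relay
    does not sit on)."""
    rng = rng or random.SystemRandom()
    a_priv, a_pub = keypair(rng)
    b_priv, b_pub = keypair(rng)

    relay_can_read = False
    if relay_present:
        # The relay M completes one exchange with Alice and another with Bob,
        # so it holds both session secrets and can re-encrypt between them.
        ma_priv, ma_pub = keypair(rng)
        mb_priv, mb_pub = keypair(rng)
        alice_sees, bob_sees = ma_pub, mb_pub
        m_secret_with_alice = shared_secret(ma_priv, a_pub)
        m_secret_with_bob = shared_secret(mb_priv, b_pub)
    else:
        alice_sees, bob_sees = b_pub, a_pub

    alice_secret = shared_secret(a_priv, alice_sees)
    bob_secret = shared_secret(b_priv, bob_sees)
    if relay_present:
        relay_can_read = m_secret_with_alice == alice_secret

    # In-band confirmation: Alice sends sas(alice_secret) over the channel.
    # A relay simply replaces it with the SAS of its own session with Bob,
    # so Bob sees a match and learns nothing.
    delivered = sas(m_secret_with_bob) if relay_present else sas(alice_secret)
    in_band_ok = delivered == sas(bob_secret)

    # Out-of-band confirmation: both parties compare their SAS on a channel
    # the relay does not control; any substitution shows up as a mismatch.
    out_of_band_ok = sas(alice_secret) == sas(bob_secret)

    return {
        "secrets_match": alice_secret == bob_secret,
        "relay_can_read": relay_can_read,
        "in_band_ok": in_band_ok,
        "out_of_band_ok": out_of_band_ok,
    }


if __name__ == "__main__":
    print("honest channel:", run_exchange(relay_present=False))
    print("relay present: ", run_exchange(relay_present=True))
```

With the relay present the in-band check passes while the out-of-band check fails, which is the "tamper revealing" rather than "tamper preventing" property the comment describes.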

Do we even need to trust a router? Seems better to just use encryption for everything and trust nothing in the middle, only the endpoints. Serious question.

It's a good question, but also a begging question.

On the one hand, yes: keeping security out of the middle of the network and pushing it to the endpoints is something that The End To End Argument In System Design predicted several decades ago, and is (to my eyes) clearly the right design principle for this problem.

On the other hand, the endpoints doing the encryption are also going to be COTS equipment sourced from major industrial centers and acquired at a scale that probably precludes individual hardware verification, at least at the price point that enables their widespread deployment today.

There are things you can do in an evil router that encryption and integrity protection don't mitigate.

Adding unique delay variance patterns for packets from a specific set of packets (source address, payload type etc). This makes it easier to detect and follow interesting traffic.

You can also copy certain packets, divert packets, induce errors (to cause resends that in turn trigger repetitions in higher layers that might be usable for info leakage from the protection mechanism).

The router really is your friendly, silent mitm helper gnome.

You have to trust that the router delivers your packet to an endpoint. Encryption doesn't prevent that. And unless you're delivering extra packets to mask your control packets, it's trivial for the router to make drop decisions on packet flow data.

But dropping packets is not supposed to harm because it can happen anyway for various reasons. And a malicious router dropping packets is guaranteed to get some attention sooner or later.

It depends on the drop it causes. If it only increases the drop rate for certain streams, then detection will be harder. And of course the perf counters can't be trusted, thus making the detection harder.
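One way to look for the selective dropping described above, as an added example that is not from the thread: both signals are taken from the endpoints (send counts and receiver-side sequence gaps) rather than from the router's own performance counters, and the router's reported drop count is compared against what the endpoints actually saw. The flows and counters are constructed sample data.

```python
"""Spotting selective packet dropping by a router you do not trust.
Constructed example with invented per-flow counters for one time window.
Signal 1: a flow whose loss rate is far above the pooled loss of all other
          flows sharing the path (path-wide loss hits every flow alike).
Signal 2: a flow where the router's own drop counter understates the loss
          the endpoints observed (honest drops show up in the counters)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    sent: int          # packets the sender put on the wire
    received: int      # packets the receiver saw, from its own sequence tracking
    router_drops: int  # what the router's counters claim it dropped for this flow

    @property
    def lost(self) -> int:
        # A receiver can never legitimately see more than was sent; clamp.
        return max(self.sent - self.received, 0)

    @property
    def loss_rate(self) -> float:
        return self.lost / self.sent if self.sent else 0.0


# Constructed sample window: one flow is being quietly degraded.
SAMPLE_FLOWS = [
    Flow("backup-rsync", 200_000, 199_800, 200),
    Flow("web-browsing", 50_000, 49_950, 50),
    Flow("voip-call", 120_000, 119_820, 180),
    Flow("vpn-to-hq", 80_000, 76_800, 80),  # endpoints see 3,200 missing; router admits 80
]


def pooled_loss_rate(flows):
    sent = sum(f.sent for f in flows)
    lost = sum(f.lost for f in flows)
    return lost / sent if sent else 0.0


def selective_drop_suspects(flows, ratio=5.0, min_excess=0.01):
    """Names of flows whose loss rate is at least `ratio` times the pooled
    loss rate of all *other* flows and exceeds it by at least `min_excess`
    (absolute). Comparing against the other flows cancels out loss that is
    genuinely path-wide, such as congestion or a flaky link."""
    suspects = []
    for f in flows:
        if f.sent == 0:
            continue
        base = pooled_loss_rate([g for g in flows if g is not f])
        excess = f.loss_rate - base
        if excess >= min_excess and f.loss_rate >= ratio * max(base, 1e-9):
            suspects.append(f.name)
    return suspects


def understated_counter_suspects(flows, tolerance=0.5):
    """Names of flows where the router reports fewer than `tolerance` of the
    drops the endpoints observed for that flow."""
    return [f.name for f in flows if f.lost and f.router_drops < tolerance * f.lost]


if __name__ == "__main__":
    print("loss far above peers:   ", selective_drop_suspects(SAMPLE_FLOWS))
    print("router counters understate:", understated_counter_suspects(SAMPLE_FLOWS))
```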

Just because you can't do something perfectly doesn't mean you shouldn't do it at all.

"And then you'd still need to inspect the hardware / software as shipped, right?"

Of course not. Just a small handful of people would have to scrutinize it and keep up a credible threat of catching out any skullduggery. These things are mass produced. The efficiency benefits of design-once/copy-many also translate into audit-once/benefit-many.


NSA has a program of intercepting shipments to targets and silently replacing the gear with identical (but backdoored) equipment. There's even a catalog of the equipment they have ready-made replacements for and a price sheet (presumably for internal cost accounting) that leaked a few months ago.

Like many private-sector security consulting companies, they also do security research - looking for vulnerabilities accidentally left behind by naive programmers. They leaked a catalog of exploits written for vulnerabilities discovered (or bought) but not disclosed. Failure to disclose these is a violation of its mission to protect the security of US infrastructure, but I can't say I'm surprised that an intelligence agency that pays hackers has some exploits to show for it.

Aside from doubt cast onto the validity of NSA's advice on cryptography standards, there is no evidence that NSA actually introduces backdoors into the design of mass-produced products.

If you're not interesting enough for the NSA to physically intercept your package from, say, Cisco, (or, for the more cynical, ask Cisco to put the "special" version of IOS on your router) your inspection of the gear says nothing about what's running on an apparently identical unit headed for a foreign government.

Granted, "only" targeting a handful of communications companies may well give them access to most of the world's communications, but this "NSA is deliberately backdooring everything" business is vastly exaggerated from the evidence.

Like I said below, you can improve a situation without outright fixing it.

I'm well aware of the program you're referring to. Have you seen some of the unit costs? That doesn't even include operating costs. The US is already near-bankrupt! Intercepting shipments with look-alike models doesn't really scale to mass surveillance, which is kind of a key point.

That depends on the specific equipment intercepted and backdoored.

With a router on a key network segment, you're bulk-exploiting a large sector of the population (though there may be other means of doing this).

Generally, device interdiction doesn't scale, it's the sort of targeted surveillance Schneier more-or-less is supportive of.

Tell me how you propose to verify that the circuitry inside the chip hasn't been invisibly tampered with?

Tell me how that question relates in any way to the statement I was making.

Stating that "...you'd still need to inspect the hardware/software as shipped..." seems to suggest that it's necessary to check each and every unit of a given design. I was just addressing that part of the parent comment directly, along with its general bias towards what can't be done as opposed to what can.

I wasn't trying to suggest that open codebases are a silver bullet -- but you can improve something without having a complete and comprehensive solution.

Open-source designs (for software or hardware) aren't a complete solution. You need to regularly audit the end-result, lest the compiler/fab add unwanted nasties to your design.

This doesn't do anything. NSA is intercepting specific shipments. Unless you happen to be a target of the same program, what you're auditing is not the same as what the target received.

We might want to move to mostly FPGA-based or similar reconfigurable systems, where what we perceive as hardware is more easily audited.

OR we might want to go back to shopping anonymously "offline", hoping that the NSA will not bother backdooring every device on the market.

What bitstream is the FPGA currently configured with? The one in flash? Really? What's to say the bitstream made it to the FPGA correctly? Can you tell? What if it reconfigured itself [1]?

There's some research [2] into using authenticated, encrypted bitstreams, but even if the implementation matches the theory (and after all, it's crypto, we know how that goes...) this only reaches the same level of security as a fixed-configuration ASIC, since FPGAs are vulnerable to the same nefarious fab attacks as ASICs.

1: http://www.cmpe.boun.edu.tr/caslab/publications/selfreconf_f...

2: http://www.saardrimer.com/sd410/papers/bsauth.pdf

FPGA bitstreams are big, sometimes even big enough that you couldn't fit another bitstream in hardware anywhere. What's more, making even a small change to the bitstream and re-synthesising tends to completely change how the design is laid out in hardware - so launching an attack that targets a specific bitstream, like most of the obvious nefarious-fab attacks, isn't much good.

Nobody has time to do that. Ultimately you have to trust someone, thus this is more a political problem than a technical one.

You have to trust someone, but we can move in either direction along the spectrum from "I have to trust all of these many people and if any of them is untrustworthy I'm boned" to "I have to trust some of these many people and if all of them are untrustworthy I'm boned". There are both technological and political elements to any solution here.

Regularly? Almost any major software/hardware project changes iteratively over time. You just have to audit the changes between major releases, which for firmware, are typically very irregular.

Also, just transitioning to a more open process with an open codebase has the effect of "keeping them honest". Once the code is out there, they have no way of knowing who might be scrutinizing it and have no chance to retroactively cover something up.

This is why it's such a big deal when companies make a commitment to openness (the real kind -- not the buzzword kind). It's a statement of being willing to forego most of the dirty tactics that being closed source allows and to playing a fair(er) game.

Open source is not the whole story either. A decade ago I felt pretty smug with GNU/Linux; these days it has become such a large target that you can no longer ignore the countless non-open components in every system. And with things like heartbleed it's not clear that we're even defended against stochastic attackers, never mind intelligent ones. (apologies for beating the freshest dead horse)

The topic keeps coming up from time to time, since it's not a straightforward thing to fix, but only manifests itself with publicity. I've written a few comments before as to what I see are some of the ultimate contours:

Open source depends on someone looking at the code. If Heartbleed proved anything, it is that most open source projects are pretty thinly funded and manned, and very few users ever bother to look at the source.

Also those which have broken architecture and bad attitudes toward end-users. OpenSSL fits this label, but so do KDE and GNOME, IMO. Systemd as well, among the reasons I regard it so critically.

RMS is (almost) always right.

Just not always particularly pragmatic. Or agreeable.

His track record of rightness is what pisses off his detractors most.

His track record of rightness is what attracts his supporters most.

RMS reminds me of Ignaz Semmelweis. He is correct, but people stick their fingers in their ears and try to reject what he is saying because of how he delivers his message and because they are not comfortable with the implications of what he is saying.

Being idealistic doesn't at all detract from the real practical progress that he and the FSF have made in the past 20+ years.

He knows exactly what he's doing when he takes a hard line. Being weak-spirited and compromising isn't a very good way to get noticed.

The NSA is intercepting shipments of routers, and installing their own... stuff in them. I don't know if the stuff is hardware or just software/firmware.

How would 'open source' protect you from this? If the 'stuff' is firmware, then reflashing your own firmware after you get the device would protect you from it, but it doesn't particularly matter if the firmware you flash is open source or not. If the 'stuff' is hardware, then only someone inspecting the insides who's qualified to detect such hardware would protect you, and it's still got not much to do with open source.

Wouldn't it be even easier to tamper with open source devices? Since one essence of open source is that it is modifiable?

Not unless you are only downloading pre-compiled binaries.

Some linux distributions, for instance, try very hard to only ever download source from the internet, and compile it locally. This is very slow (some things can take a very long time to compile).

Gentoo is one such distribution.

What downloaded binaries? The question was, is it really useful to have the source and schematics for the chips on your hardware, if NSA (as described in the article) is modifying the hardware during shipping, so you don't really know if the chip you have does what it's supposed to.

Hardware based rootkits can do pretty much everything to an OS running on that, and be undetectable from that OS.

So stay away from routers that are Made in China and Made in USA - what's left?

Is there a country small enough without a world domination agenda, yet large enough to not be swayed by bullying from U.S, China etc.? It's time to start a router manufacturing business there...

There are basically three sovereigns left in the world. You've listed two, and the third is where Snowden ran. Everywhere else has chosen to give up on the idea of ultimate state security in favor of economic cooperation, and has therefore lost a bit of self-determination and will be easily subverted by agents of the three.

The takeaway from Snowden's revelations shouldn't be that we need a sacrosanct place for trustable manufacturing / hosting / development. It's that all of these "hypothetical" subversions are actually continually taking place on an institutionalized scale by many parties, and to have any hope of having anything ever being autonomously secure (rather than ultimately ruled by informational superemperors), we really need to get serious about stomping out reliance on centralized authority/closed source/trusted hardware/etc.

...perhaps the answer is to layer everything behind interleaved stacks of these sovereigns' hardware.

That way, you can count that any traffic is known to them all, and thus avoid surprise.

The NSA routinely receives – or intercepts – routers, servers, and other computer network devices being exported from the US before they are delivered to the international customers.

So not only routers.

So that means that if you buy and use the router in the USA, your router will be clean, but if the routers get shipped overseas they are corrupted?

It's not all overseas hardware; it's probably just a few targeted customers. This has been going on since the cold war.

Speculative hearsay with no hard evidence.

What's your source? Mine is the CIA.

"Contrived computer chips found their way into Soviet military equipment, flawed turbines were installed on a gas pipeline, and defective plans disrupted the output of chemical plants and a tractor factory." ~ https://www.cia.gov/library/center-for-the-study-of-intellig...

Well, being inside the USA doesn't protect you from receiving modified equipment; it has been reported that the NSA will, for certain "persons of interest", intercept hardware in transit and compromise it.

Sounds like yet another manufacturing market for Germany to take up.

NSN makes routers. However, you don't see the German state or key German companies actually doing anything about the NSA. Complaining, yes; doing, no.

That probably means the NSA and other US intelligence and military are so far in the Germans' pants it's really not possible for the Germans to have meaningful autonomy.

Even nominally neutral Austria is a wholly owned subsidiary: http://www.ceiberweiber.at/index.php?type=review&area=1&p=ar...

You could use a MikroTik Routerboard.

You could also install their RouterOS on an old PC of yours; however, you won't have too much fancy hardware acceleration. Should be fine for home use though.

Perhaps Switzerland. Doesn't meet the "large enough" definition, but they are very pro-privacy and anti-snooping.

Labor is crazy expensive there though.

They were. What they are now: people living in a landlocked country in the middle of a huge economically-integrated entity (the EU) on which they are fully dependent. Check what's happening with banking laws (until recently, the holiest of all Swiss taboos)... short story: from now on, if the EU says jump, Switzerland can only ask "how high?"

> It's time to start a router manufacturing business there...

Or install pfsense on an old PC and hope for the best

You'll not only have to manufacture them, you'll also have to make sure the shipping isn't routed through any country with a creepy spy agenda.

The country that gave us Nokia?

One can dream.

Finland is a young country. It didn't exist before 1917.

Though not technically behind the iron curtain, Finland was largely a Soviet client from the end of WWII.


Subtract the time Finland spent under Soviet domination, and then subtract its years in the EU, and Finland has only been a truly independent actor from 1917-1939 and then from 1991-1995.

It doesn't seem reasonable to compare EU membership to Soviet domination - apart from the values involved, just thinking about the degree of intervention or control.

I'm making no criticism of Finland. The parent was looking for a technologically advanced country to step up and be to networking gear as Switzerland (was) to banking.

I pointed out that Finland is in a more precarious position than people realize.

I am not surprised by the hypocrisy of the US government here, but where is the proof? He doesn't directly link to the June 2010 report to back his claims. While I trust him, the critical thinker in me despises not being able to check sources.

> Yet what the NSA's documents show is that Americans have been engaged in precisely the activity that the US accused the Chinese of doing.

Only points to the generic page http://www.theguardian.com/world/the-nsa-files Couldn't he be more specific?

Maybe the reason you're not surprised is because you've heard this story before.

We learned last year that the NSA has an "interdiction" operation to intercept hardware en route to its destination and install monitoring devices or malware.

For example, here's a Der Spiegel article from December 2013 [1]:

  If a target person, agency or company orders a new computer or related
  accessories, for example, TAO can divert the shipping delivery
  to its own secret workshops. The NSA calls this method interdiction.
  At these so-called "load stations," agents carefully open the package
  in order to load malware onto the electronics, or even install hardware
  components that can provide backdoor access for the intelligence

[1] http://www.spiegel.de/international/world/the-nsa-uses-power...

I think he's releasing the specific documents tomorrow, as some of the coverage on this story noted today.

Is anything safe? I mean, at this point, would it be too much to assume that given that the NSA has so much brain power (mathematicians) working for them, that they have not already cracked most encryption schemes we trust? I am not being a conspiracy theorist, I am genuinely curious.

Consider that the CIA's internal policy is to treat every computer you touch as if it's been compromised. Even the ones at your desk in the CIA.

Remember that airgapped, inside a Faraday cage computer deep in the vault in Mission Impossible where that analyst was typing a report? They really have those buried away for the Uber Top Secret, don't give this to Russia/China stuff.

So, if even the spy agencies don't trust anything here at home, you think they might know something we don't. Trust nothing, it's all already compromised, seriously.

I think it's more about complexity than actual case-history: modern machines are so complex in both hardware and software, they're basically un-auditable.

You have programs executing code compiled by other programs on top of programs booted by special programs embedded in hardware chips built with circuits as small as atoms. You can barely detect unauthorised operations at the very top layers (and at huge cost in terms of effort), everything underneath the OS is basically a black box for all intents and purposes... and you can't trust a black box.

Russian FSB (formerly KGB) has reverted back to using typewriters for this very reason.

Even those are compromised. Key tap patterns can be recorded and calculated. You need to have a zero electronics, faraday cage room in order to start to trust things.

This is why the NSA does their own chip fabrication. Although probably only used for crypto gear not server chips. I wonder what they do for the servers in the Utah DC.

»To protect against secret surveillance, Snowden said, we need to make encryption a part of everything we do. "The bottom line is that encryption does work," he said. "We need to not think of encryption as an arcane, dark art, but as basic protection for the digital world."«

from http://motherboard.vice.com/read/the-bottom-line-is-encrypti...

The other element of his encryption comment: the problem is that end-point security is so weak that encryption often isn't effective. That may mean key "exfiltration" (theft), or simply having cleartext access to content.

Schneier addressed this in his recent Stanford lecture on the NSA and Internet security. Long, > 1 hour, but very much worth viewing.

A reasonable assumption to make, and one which I would live by if I had really top-secret information.

However, I doubt it. There are plenty of clever mathematicians not working for the NSA...

Instead I believe they mostly focus on methods to find flaws in implementations of encryption schemes, possibly with the help of some theoretical breakthroughs and formal automated reasoning, because it is so much easier. Even the people working at NSA are lazy ;-)

My opinion:

If everything was broken, then why did they go through so much trouble in the lavabit case?

It's not out of the realm of possibilities for intelligence agencies to let soldiers die rather than risk divulging their actual capabilities.

But I personally don't see much of a (self-determination-ful) way forward other than making the assumption that some public key crypto works (ie one way functions exist), and building secure systems based on it.

> It's not out of the realm of possibilities for intelligence agencies to let soldiers die rather than risk divulging their actual capabilities.

Not just soldiers, witness the Coventry Blitz.

> In his 1974 book The Ultra Secret, Group Captain F. W. Winterbotham asserted that the British government had advance warning of the attack from Ultra: intercepted German radio messages encrypted with the Enigma cipher machine and decoded by British cryptoanalysts at Bletchley Park. He further claimed that Winston Churchill ordered that no defensive measures should be taken to protect Coventry, lest the Germans suspect that their cipher had been broken.[1] Winterbotham was a key figure for Ultra; he supervised the "Special Liaison Officers" who delivered Ultra material to field commanders.[2]

> However, Winterbotham's claim has been rejected by other Ultra participants and by historians. They state that while Churchill was indeed aware that a major bombing raid would take place, no one knew what the target would be.[3][4]

> Peter Calvocoressi was head of the Air Section at Bletchley Park, which translated and analysed all deciphered Luftwaffe messages. He wrote "Ultra never mentioned Coventry... Churchill, so far from pondering whether to save Coventry or safeguard Ultra, was under the impression that the raid was to be on London."[5]

> Scientist R. V. Jones, who led the British side in the Battle of the Beams, wrote that "Enigma signals to the X-beam stations were not broken in time," and that he was unaware that Coventry was the intended target. Furthermore, a technical mistake caused jamming countermeasures to be ineffective. Jones also noted that Churchill returned to London that afternoon, which indicated that Churchill believed that London was the likely target for the raid.[6]

Source: https://en.wikipedia.org/wiki/Coventry_Blitz#Coventry_and_Ul...


1. Winterbotham, F. W. The Ultra Secret, London, Weidenfeld & Nicolson, 1974 ISBN 0-297-76832-8; also London, Futura, 1975, ISBN 0-86007-268-1

2. Ray, John, "The Night Blitz", Cassel & Co 1996, ISBN 0-304-35676-X p. 155

3. "Defending Coventry" (http://www.historiccoventry.co.uk/blitz/defend-cov.php). Historic Coventry.

4. Hunt, David (28 August 1976), "The raid on Coventry", The Times: 11

5. Calvocoressi, Peter (1981). Top Secret Ultra. New York: Ballantine Books. pp. 85–86. ISBN 0-345-30069-6.

6. Jones, R. V. (1978). Most Secret War: British Scientific Intelligence 1939–1945. London: Hamilton. p. 149. ISBN 0-241-89746-7. This book was also published in the US under the title The Wizard War.

All that being as it may (because you're right), don't let that detract from the larger point about the tension between using intelligence products (like a tip-off about a bombing raid) and protecting the sources and methods of those intelligence products for the future.

The British were paranoid about this; if they wanted to attack a tactical target where the Germans would think "there's no way they could have known about this, our codes must be broken", they'd always send a decoy scout or something out first to "accidentally come across" the secret target.

The Americans did similar things; when Adm. Yamamoto was shot down, his flight was duly "detected" by a reconnaissance plane first, even though the Americans knew full well when it was taking off and where it was going.

Another example: the search for the Malaysia Airlines plane was hampered because regional governments were reluctant to release their radar information because it would reveal their systems' capabilities to other regional governments.

Because that was the Justice Department and not the NSA? Any government is not one coherent entity.

Parallel construction.

Devil's advocate: Cost/benefit. Snowden already knew they'd be grabbing everything that they could on him. Why spend potentially millions of dollars cracking the encryption when you can get it cheaper with a court order?

imho it was a show of force. To deter anybody in a similar situation from taking the same stance against the U.S. government in the future.

The relentless legal troubles of the lavabit case closely mimic the troubles of Joseph Nacchio (who refused NSA wiretapping while he was CEO of Qwest) [0]

[0] http://en.wikipedia.org/wiki/Joseph_Nacchio#Qwest


You're assuming that they are crackable; some are, but it's not a guarantee that they all are. Snowden's lack of capture suggests that properly used encryption is still good.

Korea, Japan, Russia, China, India and Brazil will all be spending tons more on encryption. The most fatal flaw in all of this is that I expect they will have their own secure protocols in the next couple decades and what's really ironic, our former "enemies" may do a better job.

Remove the "Patriot Act" or the fascist legal obligation of any American to collaborate with three-letter agencies by force.

It converts any American worker into a spy of the Government.

Not everything that is wrong is fascist.

No, but forcing absolute adherence to the will of the state is pretty much the definition of Fascism.

"The NSA has been covertly implanting interception tools in US servers heading overseas..."

Which is Somewhat Ok, given the NSA charter.

What is the more interesting question - Is this limited to "US servers heading overseas..?" I mean we already know that NSA intercepts Laptops, Keyboards and such routinely for special "people of interest" within the US. Does it do the same i.e. routinely and indiscriminately bug routers even within the US?

Excuse me? How is that somewhat OK? I don't give a damn about the NSA charter or even the constitution which so many people seem to bring up in hopes of justifying mass surveillance of civilians abroad - is mass spying on foreign civilians really OK at this point? Pre-emptively setting up infrastructure for surveillance without any warrants, in a sovereign state?

What about enterprise customers? Is it still "OK" if they carry out economic espionage?

Surely laws should only be considered if the situation in question relates to an american?

This is all about economic/corporate espionage, not "homeland security." Customers overseas are already realizing that.

This is an understated threat to US IT companies.

There is a difference between having the ability to spy and using it en masse without warrants. Tampering with routers gives the NSA the ability to spy.

The question of whether or not data is being collected illegally should not be confused with the ability of data to be collected.

You have a point. However, something really rubs me the wrong way about them having the ability to spy on every person. They are actively going out of their way to set up future channels of spying, without the consent of customers who bought the router in question.

And honestly, while your point is valid, there's plenty of discussion available online about rubber stamping warrants - and this sort of implanting of surveillance tools just makes it economically/logistically viable for them to spy on everyone.

The question is - do you feel OK about a foreign nation state embedding the ability to invade your privacy? Like you said, they don't have to use it, they just have to be able to use it when necessary. Honestly this sort of hairsplitting is just silly.

>The question of whether or not data is being collected illegally

Is not public knowledge, and the administration fights to keep it that way.

You inserted "mass spying," "foreign civilians," and "pre-emptive." They are nowhere in the evidence around this program. For all you know, NSA is only rerouting shipments bound for legitimate threats.

I wouldn't be surprised if this tool is used inappropriately as well, but there's nothing inherently mass, pre-emptive, or civilian-targeting about it.

As usual, both Greenwald and the Guardian leave out the details which would be important: Namely, whether this is generic tampering with exported kit, or "targeted access operations" of the type explicitly praised by such pro-government luminaries as Snowden and Assange, tampering with kit going to known locations where intelligence is needed.

Now I don't have details on which one this is either, but we do know that NSA has only so many people with the know-how and authority to tamper with devices, implant backdoors, and package it all back up in a factory seal, and that this is accordingly not a skill that can be wasted on a router that might simply end up in a church in Guinea-Bissau.

I'm curious to know if using a different firmware would be a valid way to secure a (potentially compromised) router, or is this kind of tampering done at the hardware level—in some hidden part of a microprocessor?

Most of their catalog boasts things like "survives firmware upgrades" in the features list.

I'm curious about this as well.

It's hard to imagine it's just software, as the router firmware could be validated against the manufacturer's own, available on web sites. It could similarly be circumvented via a manufacturer software update (or an open source alternative).

On the other hand, swapping out hardware en masse could get expensive, but the NSA has probably spent more for less.
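The validation step the comment above describes, as an added example that is not part of the thread: compare a downloaded firmware image against a SHA-256 manifest in the format `sha256sum` emits, where the manifest was pinned earlier or fetched over a separate channel. File names (`vendor-firmware.bin`, `firmware.sha256`) are constructed. The check only tells you the image is the one the manifest describes; if the vendor's published digests are themselves compromised, as later comments in the thread worry, this detects nothing.

```shell
#!/bin/sh
# Added example: verify a firmware image against a pinned SHA-256 manifest.
# Manifest lines look like sha256sum output: "<hex digest>  <file name>".
# "vendor-firmware.bin" and "firmware.sha256" are constructed names.

sha256_of() {
    # Use coreutils sha256sum when present, otherwise BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_firmware IMAGE MANIFEST
# Exit status: 0 digest matches the manifest entry for IMAGE's basename,
#              1 digest mismatch (treat the image as untrusted),
#              2 the manifest has no entry for this image at all.
verify_firmware() {
    image=$1
    manifest=$2
    name=$(basename "$image")
    # Look the image up by name before touching its contents.
    expected=$(awk -v n="$name" '$2 == n {print $1; exit}' "$manifest")
    if [ -z "$expected" ]; then
        echo "no manifest entry for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$image")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches pinned digest" >&2
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual" >&2
    return 1
}

# Usage: sh verify-firmware.sh vendor-firmware.bin firmware.sha256
if [ $# -eq 2 ]; then
    verify_firmware "$1" "$2"
fi
```

Keep the manifest somewhere the download path cannot overwrite it (a file checked in earlier, or a digest recorded from a second source), otherwise the comparison degenerates into checking a file against itself.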

NSA and company probably do it at all levels, but any level below the OS is probably preferable because there is less risk of being caught.

How would you know if they targeted only you with a microcode update for your Intel/AMD CPU that made crypto weaker? All the assembler instructions that you execute are just the same as for someone with a proper microcode blob.

ucode blobs are usually signed with strong crypto (RSA-2048 on Intel, IIRC), so unless the NSA gets the keys or the raw transistor layouts of the CPU in order to look for bugs, there is no way to mess with the bytecode.

I'm paranoid enough to assume they have both the keys and the layout.

The NSA continues to undermine US businesses, further isolating us from the rest of the world.

So essentially the NSA warned us about China tampering with hardware because they knew how it could be done. They just forgot to mention they'd been doing it already.

Perhaps software and virtual routers are the way to go, especially if any are open source. It would be great if someone with knowledge in this domain could comment on this.

Well, part of the problem is nobody makes open source devices or software that do enterprise-class work. On top of that you need a sales and support team to manage accounts for customers.

Once you have a company designed to create this stuff in an open-source way, virtualized software alone wouldn't change hardware interdiction. If somebody can modify your gear, they can modify the software that runs on your gear. If the hardware was designed to only work with certain signed code, that's another thing... but that would need to be a per-device, per-customer solution, which could get pricey.

For a more practical solution you could use today, I would buy hardware locally, then hide it amongst scrap metal and declare $0 value, and have a trusted courier ship it direct along with a secret receipt. If somebody interdicts, I'd have the courier deliver an erroneous receipt so I know something bad happened.

Until the courier gets served with an NSL.

The NSA can probably compromise software easier than hardware. Even for open source, enterprise and telco customers will be using official builds (by which I mean officially NSA-compromised).

You can use Linux as a router. Any Linux distro would work (Debian, Ubuntu, RHEL, SuSE, etc).

I do this at home and work with a Debian router.
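The Debian-as-router setup the two comments above mention, written out as an added example (not the commenter's configuration): a POSIX shell script that enables IPv4 forwarding and loads an nftables ruleset doing NAT from a LAN interface to a WAN interface, with a default-drop policy on both the forward path and the router itself. The interface names `eth0` (WAN) and `eth1` (LAN) are assumptions. As the thread notes elsewhere, this removes the vendor's router firmware from the picture but does nothing about interdicted NICs or boards.

```shell
#!/bin/sh
# Added example: a minimal Linux NAT router using nftables.
# "eth0" (WAN) and "eth1" (LAN) are assumed interface names.

# gen_nft_ruleset WAN LAN
# Prints an nftables ruleset: LAN->WAN forwarding with conntrack for
# return traffic, masquerade on WAN, and no unsolicited input from WAN.
gen_nft_ruleset() {
    wan=$1
    lan=$2
    cat <<EOF
flush ruleset

table inet router {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname "$lan" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$lan" oifname "$wan" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" masquerade
    }
}
EOF
}

# apply_router WAN LAN: enable forwarding and load the ruleset (root only).
# IPv6 forwarding is deliberately left off here; add it with its own rules.
apply_router() {
    sysctl -w net.ipv4.ip_forward=1
    gen_nft_ruleset "$1" "$2" | nft -f -
}

# Usage: sh linux-router.sh apply eth0 eth1
# Without the "apply" argument the script only defines the functions,
# so you can source it and print the ruleset with gen_nft_ruleset.
if [ "${1:-}" = "apply" ]; then
    apply_router "${2:-eth0}" "${3:-eth1}"
fi
```

The input chain accepts nothing from the WAN side except conntrack replies, so management of the box has to happen from the LAN; persist the generated ruleset to `/etc/nftables.conf` and the sysctl to `/etc/sysctl.d/` if it should survive a reboot.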

There is also pfSense.

Switches have reasonably sophisticated hardware to prevent packet collisions which would probably be hard to do away with.

Digilent NetFPGA board, basically plug a bunch of gig-e connectors into a FPGA, upload some ethernet software and away you go. Upload a softcore and run spanning tree on the softcore.

You won't like the price of the board I mentioned. On the other hand, nobody said a dev board with a bazillion extra features you don't want, made in extremely low quantity, is the cheapest possible way to stick a bunch of ethernet PHY to a FPGA (and you could optimize the size of that FPGA if you wanted...)

The point of that provided example multi-ethernet FPGA development board isn't that it's the best you could do financially or technologically, but that if you tried to do your own thing and screwed up, it's probably difficult to do worse.

As a practical matter, having fooled with much smaller and simpler things, the price should end up competitive in the end.

The biggest problem is synth takes a long time, god only knows what the CIA and KGB ops embedded in the source, and the IP licenses probably make distribution of the source rather difficult. It's mostly a business/government problem, not a technological problem.

Switches have sophisticated hardware on both the low and high ends, but many widely used entry-level L3 switches are essentially nothing more than a large number of Ethernet NICs connected to a single CPU (sometimes with hardware acceleration, which usually means a specialized DMA engine). This is even more true for routers (some Cisco platforms even have various acceleration hardware that their software simply does not use).

Greenwald is back at the Guardian? I thought he left to do his own thing.

He did: https://firstlook.org/theintercept/

But it appears to have snarled itself pretty thoroughly in its first few months: https://firstlook.org/theintercept/2014/04/14/passover-greet...

He has a book out soon, and The Guardian is publishing excerpts. (It seems fair to say it has a larger audience than Greenwald's new venture.)

I'm watching to see if CSCO takes a hit from this--so far, doesn't seem to be a big issue.

It's not like this is surprising, as such; it's just really bad that these chucklefucks got caught doing it.

(Yes, it's arguably morally wrong and so on, but just from a purely economic perspective, bad show.)

I'm curious as to where you got Cisco from, as I can't find in the article where they are mentioned.

Not to say that Cisco isn't in cahoots with the NSA. I totally believe they are, but it's best to level accusations with facts, to lower the SNR, so to speak.

As a point of trivia: most Cisco routers and switches are manufactured in China and are stored in the US as inventory, and are shipped to customers as ordered from the US.

My chain of reasoning is:

  article announces compromise of American networking gear --> Cisco is major American networking gear vendor --> CSCO may suffer cancelled orders because of this

Not 100% certain or anything, but it's a big canary that's trivial to watch. Remember, they didn't actually have to do anything, just suffer from market fears.

Also: Juniper, Brocade, HP, Dell, Arista, NetGear, Apple, Extreme Networks, etc etc etc.

Well, the NSA tampering here at least doesn't happen in the factories...

Even if they don't have physical access to factories, I'm sure there are cases where they have (spurious) network access to factories and can replace a firmware blob that goes into routers or other equipment with a slightly different one with their tweaks, without anyone noticing unless they look really, really hard.

>repackages the devices with a factory seal.

But perhaps with the covert assistance of the factory?

Tamper evident only provides evidence of a home user that hasn't spent time learning how to evade them. You don't need the means to obtain or produce replica seals, but the NSA also has the money to do exactly that. And that assumes by 'seal' the author even meant to imply something as strong as tamper evident.

The article says the "NSA routinely receives – or intercepts – routers, servers and other computer network devices being exported from the US before they are delivered to the international customers." The word "receives" suggests that the manufacturer knowingly sends the hardware to the NSA.

Or the company who prints the seals

If they for some reason had trouble replicating them they could just redirect the seal delivery too...

Or the seal maker?

If you wanted to build an Internet product that could be trusted internationally where and how would you build it?

Unfortunately it looks like one part of the answer that's known is "not in the US."

We have only begun to feel the effects of this massive violation of trust. Unless trust can be restored, the US will become techno-provincial and only trustable with unimportant technologies like entertainment products.

Just read something else he pushed.

He used some pretty strong words against the politicians.

Calls Hillary a neocon and corrupted, but he guesses she will win the next election. Page 5. http://www.gq.com/news-politics/newsmakers/201406/glenn-gree...

Hillary was considered a shoo-in for the Dem Pres nominee in 2008 as late as Jan '08, 11 mo before the 2008 election. Keep your speculation in perspective.

When you register a WatchGuard firewall it asks all kinds of questions which are absolutely strategic: what kind of data it is used to protect, are you in the tech or military business, etc. And you won't be able to even use it without registration. And they call it a security appliance. Lol. How about honestly calling it a spy appliance.

I can't help but think Intel has something to do with this mission.

I mean think about how many hundreds of thousands of consumer computers come with Intel AMT vPro by default.

"surveillance competition"!
