The CIA Campaign to Steal Apple's Secrets (firstlook.org)
372 points by lnguyen on Mar 10, 2015 | 129 comments

How much longer can this continue? We have American agencies attacking American companies "because terrorism". It's been 13 years since our trauma, maybe now's the time to remove the razor blade from our wrists, look ourselves in the mirror and just carry on. Bad stuff is always going to be in our future — stuff that will increasingly appear preventable between the Internet and a lot of hindsight — but our current solution is only making things worse. The war on terror, like all the metaphorical wars, is really a civil war. It needs to stop now.

Unofficially, politicians have surrendered the "because terrorism" excuse for a while now, as they simply want access to everyone's private information in order to see where the problems are going to be. Having the data helps plan and run successful elections, makes it easier to plan ahead, and gives them power over any department which doesn't have similar access.

Imagine being in a political party while private intelligence contractors give you access to all the emails from the other side. You can know where all the activists are at any moment, and what the internal conflicts are, and what areas are being focused on. What would be your reaction if phones suddenly started to get encrypted?

I don't think they want that. They take this course because "this was preventable!" is very politically disruptive. None of them want to be the guy who voted against mandatory data retention only to play host to an attack on home soil months later. It's sad, but that's the reality.

The history of government spying, at least as far back as J. Edgar Hoover, has been about spying on members of the opposition, not about ass-covering. Ass-covering is just the current halfway-excuse.

You effectively had that during the latter Hoover years with the FBI. That the headquarters is still named after him is an indictment of the US approach to political corruption.

I'm actually somewhat torn on this.

While I'm against mass surveillance, I think that targeted surveillance can be a good thing. By nature of it being targeted, it is expensive to use on more people than necessary. The kind of spying the CIA would enable through compromising Apple secrets would be restricted to high-value targets if for no other reason than to ensure none of their targets knew they had that capability.

There are bad people out there, and we expect our government to stop them.

Targeted surveillance... like a search warrant?

Somehow we have been doing fine under the constitution for 200 years. Now a dozen men kamikaze a building, and we have to take away everyone's freedom in order to protect them?

F that. Police and the executive branch are just being lazy. Get off your ass, do some human intelligence, investigate leads, and get a warrant if you have probable cause. Otherwise, get the hell out of my email.

When the chances of being killed by police are 55x higher than being killed by a terrorist (or whatever the recent number was) and we want to give the State more power, we are fools.

I remember when they busted Ulbricht thinking, "if they were able to catch someone who seemed by most accounts to be fairly careful (used encryption, Tor, etc.), how come we need dragnet surveillance?" I'd be curious to hear if dragnetting is even effective and if so, what the cost/benefit analysis is when you factor in both financial and ethical costs.

The USA has never needed a search warrant to conduct foreign intelligence. A search warrant requirement is a 4th amendment protection afforded to US citizens. Foreign intelligence does not require courts unless you're trying to get foreign information from US companies (like the PRISM program and the FISA courts).

The FBI (who is responsible for all intelligence conducted in the USA, against foreigners or Americans) is absolutely required to get a search warrant.

The iPhone is one of the most popular phones in the world. Is it that crazy that the CIA is interested in them for intelligence gathering purposes?

I'm fine with the legality of foreign intelligence (even if I'm not sure it's the best policy). But what does that have to do with anything? The Snowden disclosures show that they're doing far, far more: essentially indiscriminate eavesdropping of every possible form of domestic communication.

My point is that you were arguing against targeted collection. Going after individual devices is a scoped and precision form of intelligence collection. You were saying that this type of intelligence isn't targeted and was instead insisting they should have to get a warrant.

The point the original commenter was trying to make is that this type of work is much more preferable to the mass collection that you're referring to from the Snowden documents.

I don't know if inserting backdoors on apps in the development process, before they go out to everyone, counts as targeted collection.

A universe neatly compartmentalized into good guys and bad guys. How wonderfully simplistic. Let's just hope the good guys always wear capes so the government knows who to hire.

I'm strongly opposed to sweeping surveillance, but not even a little bit torn on this story. I'm glad it's now public knowledge, but this is exactly the sort of thing our intelligence agencies should be doing.

Edit to expand on "should be doing": at the very least, they ought to explore such vulnerabilities as a defensive measure since their counterparts in every other State are clearly doing the same thing whenever they have the capability.

I really don't think that "Well, Russia's Doing It!" is a very good justification for clearly unethical, and probably illegal, actions.

The reason for mass surveillance is control of the populace. Mass surveillance clearly doesn't prevent terrorism: most of this 4th-Amendment-violating dragnet surveillance was in place well before the Boston Bombing, and nobody caught the Tsarnaevs.

So, I'm not a little torn, either: the CIA shouldn't be looking to crack iPhones, they should be looking to beef up iPhone security to keep those other nations from doing unethical stuff. Exploiting vulnerabilities for surveillance purposes is a bad thing all around. Close them holes!

Do you think it is illegal or unethical for the CIA to just explore these capabilities, or to develop them and use them only in a targeted way, subject to appropriate oversight?

I'm not a Judge, I'm not even a lawyer (trained in the magical ways of USA law), but I doubt it's unethical for anyone to just explore the possible ways to subvert iOS or whatever. It might be illegal to explore those possibilities, if you're not one of the insiders (there's a difference in how David Petraeus was prosecuted, vs how Thomas Drake was prosecuted). Trying any particular method of subversion might end up unethical, or maybe even illegal, whether you're the CIA or Weev.

I do not believe that the CIA, as it seems to exist today, is capable of doing that manner of subversion in a targeted way, they have gone rogue. I do not think that the CIA allows itself to be overseen. That part of the question is just not possible to answer.

If I understand correctly, you believe that the entire CIA as it currently exists is unethical and illegal. That may be a defensible position but it's an obstacle to discussing any specific action: how could you then support any action by the CIA? If the CIA shouldn't do anything then of course they shouldn't do this.

> you believe that the entire CIA as it currently exists is unethical and illegal.

The CIA, as it appears now, does a huge number of unethical and apparently illegal things. It appears to be beyond oversight or control. I do find it really hard to support any action by them, just as I would find it hard to support FSB or MI6 actions. The CIA appears to be a threat to civil liberties and representative democracy in the US itself right now.

But you're falling into a rhetorical trap: just because coffee is hot, you don't wait until the coffee is cold to drink it. You can judge relative degrees of hot, just as we can judge relative degrees of unethicality. It's pretty darn bad to assassinate US citizens without due process, and I'd say due process in public, whether the citizen is abroad or on homeland soil. It's pretty darn bad to torture anyone. It's less bad to attempt to crack iOS to spy on people, and it would be even less wrong to explore the exploitability of iOS. The latter may not be wrong at all. It's completely OK to analyze open source intelligence.

Using "appropriate" and "oversight" in the same sentence is exactly what a smear campaign would be about.

Sorry, I don't follow.

> well before the Boston Bombing, and nobody caught the Tsarnaevs.

They were on the radar but you really can't arrest someone until they do something.

That's not true in America anymore. The USG can detain anyone, for any period of time, for any reason without rights "because terrorism".


Edit: link for more info

Did you read your own link? That would not have applied to the Tsarnaevs.

Why would it not have applied to the Tsarnaevs?

I did read that link, along with many other linked pages from the original link.

See here: https://www.aclu.org/national-security/president-obama-signs...

And here: http://www.salon.com/2011/12/16/three_myths_about_the_detent...

There does seem to be a lot of debate on this topic regarding the wording of the bill and how it applies to US citizens. However, to me, the wording seems very vague and open to interpretation. Which was likely on purpose.

This doesn't sound targeted:

> by manipulating Xcode, the spies could compromise the devices and private data of anyone with apps made by a poisoned developer — potentially millions of people ...

> The focus of the security researchers, as described at the CIA conferences, was to target the GID key, which Apple implants on all devices that use the same processors. [...] So, if intelligence agencies extract the GID key, it means they have information useful to compromising any device containing that key.

> The kind of spying the CIA would enable through compromising Apple secrets would be restricted to high-value targets if for no other reason than to ensure none of their targets knew they had that capability.

Just like the intelligence gleaned from breaking German WWII encryption was limited?

If information can be non-invasively extracted, then there is only an operational limit on use. And isn't knowing mass information just as wrong as acting on mass information?

Unless it's a computationally-expensive attack (which are getting more infeasible now that key sizes aren't technically as limited), you run into the encryption problem: either everything being encrypted is okay, or nothing being encrypted is okay.

That's the nature of secrecy.

There are lots of targeted surveillance techniques that don't involve massive federal agencies working to eliminate all possible privacy protections just in case they need to make it easy to spy on anyone, anytime.

There are bad people out there, and some of them work at government agencies.

I could have written that myself, but the problem is that we really have a shadow government, one that is not accountable, not responsible, not regulated, and not in any way representative. If we were really interested in fixing this, we would hold the heinous people of the Bush administration (and even some if not most of the Obama administration) who were responsible for aiding and abetting "terrorism" by playing right into their goals, accountable for their treason through incompetence and stupidity and greed. No other people in the history of our country have ever caused us more damage than the Bush administration.

> It's been 13 years since our trauma

13 years since the latest trauma. The federal government and its propaganda broadcasters have been dwelling on the specter of "terrorism" a lot longer than that. Watch media from before 11SEP2001 and you'll remember the same disproportionate focus and overreaction for many other events.

This machine is much more than a decade old. We're just starting to notice the bubbles at the bottom of the pot.

I never thought I'd say this, but...

Enough with the hand-wringing. Enough with the "somebody needs to do sooooomething!". Just stop. Staaaaahp.

How long has our industry been spying on users? How much money have we made aggressively mining their data? And now, now, "These People Have Gone Too Far!"?


Everyone's got the tools. Everyone's got the knowhow, either themselves or online. Write code or quit bitching.


To the slightly different point given by poster: we have the power to broadcast this message of fearlessness to the populace at large, because we own their media. How hard a social media campaign would it be to overcome the fear and paranoia the .gov and mainstream media use?

Also, note that that same fearless attitude is directly contradicted by very popular social movements right now in certain consumer gaming industries. You're liable to end up with very strange bedfellows and enemies.

> The war on terror, like all the metaphorical wars, is really a civil war. It needs to stop now.

There's too much money at stake for those at the top for this to be stopped. Lucrative contracts for all their buddies whether it's in consultancy or providing military hardware and software.

I mean the fact that Congress keeps ordering tanks the military themselves have proclaimed loudly that they neither want nor need should be setting off alarm bells everywhere, and yet it seems to just get brushed over.

I think you're missing the real motive for Congress ordering hardware that the military doesn't want.

It's what their constituents want.

They are (by and large) not doing that sort of thing out of some scheming to enrich themselves. They want to be reelected to their next term, and delivering some federal cash and contracts to your district is the perfect way to do that.

> We have American agencies attacking American companies "because terrorism"

Wrong, and selfish.

We have American agencies attacking innocent people everywhere in the world "because terrorism".

Every time I read about a private company being targeted, I remember how simply state-level spies have been compromised. Hanssen[1], for instance, betrayed the CIA over 22 years, for just $1.4M. The info leaked included info on other agents, at least one who was executed.

Or [2], Walker gave crypto info to decrypt Navy messages. For a few grand a month. There's plenty more listed even on Wikipedia. The amounts involved seem... not that high.

Now, sure, Apple almost certainly has higher security. (Quote from the above spy: "KMart has better security than the Navy.")

But with state level resources, do we think employees can be flipped? Or, why is the NSA not getting to grads early on, helping their career, while having them really be agents all along?

I'm on my phone and can't find the reference now, but there was a young physicist that leaked info on atomic weapons purely because he felt the US shouldn't have a monopoly on the capability. The chance of some bright, highly-sought employee feeling that the US should have spy capabilities is approximately 1.

Is every remotely sensitive employee routinely monitored? Their families? They never get into "life threatening" scenarios? Or embarrassing scenarios that they might feel is the end? (For some, that's as simple as getting a mistress pregnant, and not being able to bear others knowing.)

Just seems like the human employees have got to be compromisable in one form or another, given the resources of the NSA and CIA.

1: http://en.m.wikipedia.org/wiki/Robert_Hanssen

2: http://en.wikipedia.org/wiki/John_Anthony_Walker

> Or, why is the NSA not getting to grads early on, helping their career, while having them really be agents all along?

It would be naive to think that they (and other agencies around the world) aren't already doing this.

Yeah, I kind of assumed this was standard operating procedure, like Anderson Cooper's "internship" at the CIA.

Real spies don't work for money; they work for/against an ideology. Money would actually be a tip-off that they're a spy; if you have high level security clearance, your bank accounts are monitored.

The NSA/CIA/FBI almost certainly do have moles working within the major tech companies. As do the intelligence agencies of China, Russia, the UK, France, Germany and Israel.

Aldrich Ames worked for money - he got over $4 million from the Soviets and betrayed a huge number of Western spies:


Obviously not a real spy!

There is no true Scotsman!

Aldrich Ames was eventually busted for spending money that the Soviets were paying him.


As many have noted, this does need to stop but it won't. And the problem lies squarely with you and me.

Try this experiment: Ask a group of 5-10 people around you to raise their hands if they've been pissed off at any branch or level of their government. Then ask them to keep their hands up if they've contacted their representatives about that issue. Finally, ask them if the method of contact they used was the phone or written (not email) letter.

I'll bet dollars to donuts that not a single hand will be in the air.

You and I are the problem because we don't hold our representatives accountable. We really only pay attention (and marginal attention at that) during election time by buying into the campaign bullshit. At best we sign an online petition but the politicians barely care about that. They know that it's easy even for the most apathetic to click a button. Sure, in cases like net neutrality it can get their attention but I'll submit that what really got their attention was the number of phone calls they were getting.

Yes, I specifically am to blame because I haven't called or written my representatives. That's going to stop. We need to be on the horn with these people frequently. Weekly. When they're in town we need to be in their faces. They said, "If you see something, say something." Well, I see corruption and I'm going to point right at them and tell them. Will you join me?

EDIT: I should add that we need to be contacting them when we approve of the work they're doing. They need data. Most of the feedback they receive is negative (and for good reason) but without positive feedback they're left searching and unfortunately the guys who claim to have the answers are the lobbyists. But remember, there are around 15,000 lobbyists in Washington D.C. but 131,144,000 voters voted in the 2012 Presidential election. I like our chances, if only we get involved.

It is abundantly clear that the deep state will not accept losing these tools. Even if by some miracle someone was elected with a strong mandate to eliminate privacy abuses, the deep state would lie and obfuscate as much as needed to maintain and expand its total surveillance capabilities. We have to accept that the cat is not going back into the box, and that we now need to focus on finding adequate defenses, both technical and social.

Look at the grassroots, bipartisan, loud and successful cry from the public not to enter Syria.

How many months did that work?

It is true that the system must represent the people. If and when it does not - whose fault is it? It can not be the people. We don't design people. We design a system to conform to the people, to communicate with them and to represent them.

It's our fault because we put those politicians in power. It's our fault because we on the whole would rather watch sports, reality TV, play games, etc... than get involved in the running of our country.

And it doesn't even take much. Can you really not spare 5 minutes once a week to call your representatives? Think about if more people did this. Suddenly those lobbyists' voices would get a lot less powerful.

Are not the representatives we get to choose from filtered before we can select them? Aren't the representatives beholden to those who can get them the money to run before we even get to hear that they are running? Aren't the (only two) political parties in consensus on issues in the high finance, insider trading, and foreign investment that bring their kin high rewards and imperialist neo-colonial empire building that makes this growth possible?

Yes we can bother these people about allowing gay people to marry (or not, or whatever) but when can we ask them not to cause revolutions around the world (like now in Venezuela) and then intervene with bombs and 'bring Capitalistic freedom' by fixing American private investment in their resources?

You can make noise about some things, but they either will not last (re Syria) or they will not listen. Other strategic objectives, international agreements and private investment come first.

How are you going to immediately and suddenly alter 300 million people to spend multiple hours a week to sift through the reams of propaganda and PR (whose voices rise above political realities) to come to independent and critical political and social analysis? That's a huge lifestyle change - we can't even get 300 million people to turn off the lights when they exit rooms to save electricity. If people on the whole want to enjoy hobbies, entertainment, family and work instead of being full time politicians and investigative reporters can we snub them for that?

We need a system that can work with people who are busy living their (plebeian) lives but is still able to represent their interests. Someone might say that this isn't possible - but then are they not saying that representative democracy is not possible?

> Think about if more people did this. Suddenly those lobbyists' voices would get a lot less powerful.

No they wouldn't. Lobbyists represent moneyed interests. You don't. You're just one person.

Seriously, you are committing two mistakes here. The first mistake is to assume that your letters and phone calls to representatives actually matter. The second mistake is to assume that your representatives have any power to stop our rogue intelligence agencies, particularly the NSA.

I want to address the second one first, because it's more important. Simply put, the NSA is out of control. They have an extremely sophisticated apparatus in place that has been growing exponentially in complexity and reach since immediately after 9/11, and they have the balls to lie to the Congress about it while under oath. And there are secret courts - secret courts! - that seem to give them blanket approval with absolutely zero accountability. An organization like that cannot be stopped, not just because it's political suicide to try to stop them but also because it would genuinely cause a lot of collateral damage.

But the other point is also worth addressing. The idea that writing or calling your representatives actually affects anything is an illusion. An illusion that must be maintained to keep things stable, but an illusion nonetheless. Because here's what actually happens when they get a letter from you: they skim through it and send you a canned response. That's it. Your opinion does not matter unless you have deep pockets and are an existing or potential donor. This is difficult to accept for some people but it is the reality.

So we shouldn't try? Just give up?

Sorry. I'm not defeatist enough to do that.

No, we shouldn't give up. But the actions you take to get reform change with your understanding of the situation and its barriers. Buying into the current status quo will bring more of the same. That's not to say the only other options are violent. As usual there are options between extremes: radical reform and reevaluation. The first step to this is to speak openly about barriers and the way that things are; about what problems we face and what policies we want and what kind of country we want to be.

If you call your representatives once a week, it's not going to hurt so I encourage you to do so. It's just not necessarily the solution.

Our outrage tanks are being emptied by Internet arguments. Just as Apple's got both ResearchKit and Apple Pay on soda machines, perhaps it could create ActivismKit to balance out the distractions they (and every smartphone maker) enable.

I wish I could believe that letter writing would actually make a difference, but at this point you need either an army or billions of dollars to make them listen.

Why do you think they're spending all their time raising money? So they can campaign to YOU! Obviously it can make a difference if people get involved.

Look, it's going to be hard. It's going to take a long time. So? Isn't it worth it?

> Will you join me?

I wonder how many people are genuinely afraid of raising their own profile in such a way. I'm not American, but I would certainly be partaking in any political action against the actions being discussed here.

Although as it is, I'm very hesitant to even level criticism at the CIA on HN. I'm by no means an important person, but from what we've learned I don't even want to register on the radar of these entities.

> Although as it is, I'm very hesitant to even level criticism at the CIA on HN. I'm by no means an important person, but from what we've learned I don't even want to register on the radar of these entities.

I understand where you're coming from, and clearly it's an individual choice, based on one's judgment of risk vs. reward. But let me add that when people choose that position, it just makes it that much easier for these guys to keep doing what they're doing, and getting away with it.

FWIW, I routinely criticize the CIA, NSA, etc. here, on Twitter, on Facebook, etc., using hashtags like #fuckthecia, #fuckthensa, etc. and nothing bad has happened to me as a result.

> nothing bad has happened to me as a result

How can you be certain? How many really successful job interviews have you had since you started your one-person campaign, where the hiring company inexplicably dropped you like a hot potato? Do you regularly check your credit rating to see if weird stuff is showing up? Have your bicycle tires quit holding pressure?

I ask the last question because East Germany's Stasi did that sort of thing (https://books.google.com/books?id=GlbAmn_cajYC&pg=PA160&lpg=...). The USA "national security" establishment/"intelligence community" gets unbelievable amounts of money, that they must spend. Why not make and use "smell chairs" or randomly screw with people that openly oppose the deep state?

> How can you be certain? How many really successful job interviews have you had since you started your one-person campaign, where the hiring company inexplicably dropped you like a hot potato? Do you regularly check your credit rating to see if weird stuff is showing up? Have your bicycle tires quit holding pressure?

Well, that's a fair point, so maybe I should say "nothing overt and noticeable has happened as a result." Beyond that, I could speculate about really subtle stuff, but that strikes me as a sure road to a level of paranoia that I don't want to engage in.

What level of paranoia is too paranoid, and why?

Three years ago, almost everyone laughed at folks who claimed the NSA was watching everyone. Now, it's an article of faith, and there's some evidence that people have changed behavior because of that faith.

Any sufficiently advanced level of precaution is indistinguishable from paranoia. That East German activist was probably a little puzzled by flat bicycle tires, but probably shrugged it off. What are we all shrugging off today? Stock market weirdness? Oh, that's just HFT, right?

It's known that folks profited off of "top secret" CIA-led coups in the 1950s (http://tuvalu.santafe.edu/~snaidu/papers/coups.pdf), so it's not out of the realm of reason to look at the stock market today to see if the current "intelligence community" is profiting.

> What level of paranoia is too paranoid, and why?

That's a good question. Why are you asking? Who do you work for? What are you going to do with this information?!??

Just kidding... it is a good question, and I don't have a perfect answer. I guess I'd say the level of paranoia is too much when you reach the point of diminishing returns... that is, when it turns out that, even if you're right, knowing that doesn't help you because there's nothing you can do about it.

So, maybe an NSA agent sneaks into my parking lot every night and lets a few pounds of air out of my right rear tire. I can't prove that doesn't happen. But what am I going to do, camp out in my truck all night with my pistol at hand, hoping to catch the guy in the act? Not practical. Hire a private security guard? Not practical either. Etc., etc.

Well, look at it this way; the politicians raise money so they can campaign to us, the citizens. So obviously our voice still matters. We're just not using it.

Thankfully, for the most part, it's not dangerous (yet) to exercise our right to contact our representatives.

> I'm very hesitant to even level criticism at the CIA on HN.

But that is the exciting part, pretending that the CIA is concerned about you, or even knows that you exist.

I already acknowledged that I'm a virtual nobody to them. I just don't want to be a virtual somebody to them, even if it's just a raised XKeyScore rating.

> Finally, ask them if the method of contact they used was the phone or written (not email) letter.

Why should we have to use the phone, or a paper letter, when email is as good, or even better?

Because email is almost too easy. When you take the time to call or write them a letter you're letting them know that you're serious.

What strikes me after this revelation is how unique the United States is, because:

(a) it has dozens of companies that create technology the rest of the world uses, and (b) it has a govt. that secretly works to undermine the technology developed by those companies.

You're not going to hear about many foreign govt's actively hacking their country's software products, simply because they could easily/secretly armtwist cos. into installing backdoors at the beginning. Take China for instance - do we think it needs to hack into, say, Huawei phones or Wechat? I don't think so.

As a foreigner, that is why this "fight" between US software cos. and its govt. is so fascinating. It's made possible through a unique combination of capital, freedom and history. And I hope it remains that way, for the sake of the rest of the world too.

Your example isn't a particularly good one. Huawei has been accused of backdooring their products for the Chinese government on numerous occasions, including presentations at DEFCON exposing those backdoors. There are also numerous cases of backdoors in Chinese cell phones.

That's exactly what he's saying: "You're not going to hear about many foreign govt's actively hacking their country's software products, simply because they could easily/secretly armtwist cos. into installing backdoors at the beginning"

But his point was that China's government doesn't attack the company to get those.

How do we know how any putative arrangement of this type has come to be?

Not a peep was made while the intelligence community got in bed with tech companies. It was mutually beneficial and still is.

The only reason you're hearing about this is because it's good PR for Apple, after their intimate relations with the security apparatus were exposed.

Could you point us at that exposure? I'd like to read it.

The implication of the article is that this is some sort of specific attack against Apple. Surely the reality is that the CIA, and pretty much all 3-letter agencies globally, in a concerted and organised way try to break the security of all secure devices. That's a big part of their job - you can't gather intelligence if you can't read it.

The good things in the article are two-fold: firstly, Apple haven't just capitulated and handed over whatever is asked of them, and secondly the documents about the effort don't specifically mention any sort of success which could be interpreted as the agency failing. Of course, if they had been successful I imagine they'd keep as quiet as possible about it.

I think the point of The Intercept releasing this Apple specific info (mostly, there's a bit about Microsoft being targeted as well) is to try to appeal to the large number of Apple customers. I'd love to see some of the other line items in the leaked CBJ document, as there are probably some other targeted attacks documented.

Regarding Apple not capitulating, I'm giving them the benefit of the doubt, and assuming that they're telling the truth, but wouldn't the NSL system mean that Tim Cook couldn't reveal if Apple had been forced to release data?

I'm hoping that he has a personal warrant canary policy, and would just remain silent if asked about something he can't talk about.

"No comment" from Cook would be an interesting standoff. If he were prosecuted for it, that would confirm something NSL-like. But would it be worth it to a CEO to go to jail for a few years for a principle?

There is a good chance that Cook, like anyone else, is vulnerable to other charges; and in case he is a saint, they would just make something up. It won't be 'brave champion of freedom Tim Cook takes a principled stand and is persecuted by the NSA for it.' It would be either something like what happened to Joseph Nacchio, or worse.

That of course, depends on the strength of said CEO's principles.

This would be, of course, one of the hardest tests of professional principles you could imagine a CEO going through. I personally think Mr Cook would be a good candidate for passing this test, as he seems to have a track record for standing up for what he believes in.

I also have a feeling that the US government would think twice before taking on the Apple PR juggernaut head to head. It would be too closely matched for comfort. Apple probably have greater mind-share than any of the political parties.

As you say, it would be an interesting standoff!

It's a little discomforting that we're hoping that corporations, presumably guided by a profit motive, will defend us against the government formed for the people (though more heavily influenced by other corporations). Even if Apple is trustworthy for a company, I'm not going to enjoy the future in which we pick our favorite companies to enact policy.

Now, this is obviously happening to Google, et al, as well, so a joint action by the captains of industry — an appeal to the public more than the court — will be more effective.

Nothing wrong with "profit motive". Remember:

It is not from the benevolence of the butcher, the brewer, or the baker that we expect our dinner, but from their regard to their own interest. ~~ Adam Smith

That said, I'd personally like to see less power aggregated into the hands of both governments and big mega-corporations. But the big difference between the two, to my mind, is that governments have a near monopoly on "legitimate" use of force, and have lots of men with guns, tanks, bombers, nukes, etc. at their disposal. Corporations mostly lack those things, except to the extent that they collude with the governments.

Yeah, I agree that profit motive is a motive I can work with. I guess libertarianism can be appealing when the government acts like a tumor.

The government's monopoly on legitimate use of force is more relevant in less developed countries. Here, you can do more damage more easily by attacking computer-controlled infrastructure. (Imagine if the NRA was pointed at the real threat? Maybe they'd look a little like Anonymous.)

It's interesting to see Ken Thompson's hypothetical compromised compiler being used for real.


Hah, yeah.

The first bit of the article is very big about compromising XCode, and I couldn't help but think that Lockheed basically just got the .gov to pay them to "rediscover" Reflections on Trusting Trust.

If I'm understanding this right, this article is claiming that the CIA served up [edit: could serve up, not proven they did, see comments below about plausibility] poisoned versions of XCode, which would then be used to make App Store apps that eventually phoned home to Langley with either app-specific data or whole-phone data.

This raises so many questions, among them:

1) What was [edit: would be] the criteria for serving up a poisoned version instead of a real version of XCode to a dev? Was it [would it be] limited to downloadable versions or were DVD software copies affected too? One possibility came to mind: Does XCode come in different flavors based on country of sale/download, language, or a combo of the two? If so, would that be the criteria for their attempt to not target US citizens, by crudely targeting non-US and/or non-English app developer accounts? Because that would be the fakiest attempt yet at trying to claim plausible deniability, since so many apps with mainly American userbases are developed by overseas devs.

2) If a dev had a poisoned version of XCode, how could they not see a mysterious server being pinged during their development of the app? How could Apple not see something amiss during their QA of the app before they pushed it to the store?

3) If I were an evil genius Big Brother no holds barred government, I'd want data from messaging apps, social networks, and geolocation apps most of all, less so from things like single-player games. Thoughts on which apps are likely to be in the top 5 of their wishlist?

4) Does this mean that PhoneGap / Cordova / non-native HTML5 apps really are better? :-)

Say, why did Facebook change to a native app again?

Okay, can't sleep, so:

5) The whole point of this proof-of-concept seems to be to have unsuspecting, innocent devs who build regular boring apps, like Tinder For Dogs or whatever, unknowingly build the app using poisoned XCode. That way, when Mr. Bad Guy eventually installs Tinder For Dogs on his iPhone, the CIA gets a secret backdoor to his entire phone.

But this seems so overly complicated! If the CIA already has a payload that phones home, why didn't they just build their own apps? Why rely on poisoning a dev environment in the vague hope that Mr. Bad Guy will someday download this particular app? What if Mr. Bad Guy doesn't even have a dog?

Also, I wrote above that an intelligence agency would not likely be interested in getting data from something like a single-player game. There's probably nothing useful to learn about there, other than Mr. Bad Guy's high score.

But maybe that dumb game was the Trojan, not the target. Mr. Bad Guy may be too smart to use SnapChat, but perhaps he installed FarmVille or Angry Birds to while away the hours...?

They'll probably attempt to install the bugged XCode at TextSecure, WhatsApp, etc. That way, people are happily using an app from a well known vendor (not CIA Games Company, Inc.) while still being surveilled.

Theoretically speaking, if you were building a PhoneGap/Cordova app binary using a compromised seed of Xcode it would be no different than building a non-PhoneGap/Cordova based iOS app.

So I'm not sure why you are referencing Facebook switching from a WebView-based app to a more native approach.

In addition, if the Xcode installation was compromised nothing should be considered safe on that device going forward.

I was joking about the longstanding native app versus non-native app debate, but thank you for the info. But perhaps if the crucial part of XCode that "phoned home" was not the WebView component but some other component, might that make a difference?

Of course this is all very hypothetical unless someone finds an example in the wild.

They said they created a poisoned version of XCode, not that they were able to serve it up successfully to anyone.

But they sure can serve it successfully. They control the cables through which everyone's internet traffic passes, and when you download a program (such as Xcode) they can substitute it with their poisoned program [1].

I'll quote:

> All it takes is a single request from a victim passing a wiretap for exploitation to occur. Once the QUANTUM wiretap identifies the victim, it simply packet injects a 302 redirect to a FOXACID server. Now the victim’s browser starts talking to the FOXACID server, which quickly takes over the victim’s computer.

... or doesn't take over the victim's computer, but provides a download of a poisoned Xcode.

These motherfuckers have compromised the whole internet.

[1]: http://www.wired.com/2013/11/this-is-how-the-internet-backbo...
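
A defender-side illustration of the injection described above, added here and not part of the original comment or the linked article: it assumes the forged 302 races the real server's reply, so a capture at the client sees two segments covering the same TCP sequence range with different bytes. The Segment record, the addresses and the sample packets are constructed for the example.

```python
from collections import defaultdict
from typing import NamedTuple


class Segment(NamedTuple):
    ts: float       # capture time in seconds
    src: str        # sender "ip:port"
    dst: str        # receiver "ip:port"
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL seen at the capture point
    payload: bytes


def find_injection_candidates(segments):
    """Flag flows where the same stream bytes arrived twice with different content.

    A genuine retransmission repeats identical bytes; a forged reply that beats
    the real one covers the same sequence range with different data.
    Sequence-number wraparound is ignored (assumption for brevity).
    """
    flows = defaultdict(list)
    for seg in segments:
        if seg.payload:                       # pure ACKs carry no stream bytes
            flows[(seg.src, seg.dst)].append(seg)

    findings = []
    for flow, segs in flows.items():
        segs.sort(key=lambda s: s.ts)
        for i, first in enumerate(segs):
            for later in segs[i + 1:]:
                start = max(first.seq, later.seq)
                end = min(first.seq + len(first.payload),
                          later.seq + len(later.payload))
                if start >= end:
                    continue                  # no overlapping byte range
                a = first.payload[start - first.seq:end - first.seq]
                b = later.payload[start - later.seq:end - later.seq]
                if a != b:
                    findings.append({
                        "flow": flow,
                        "seq": start,
                        "gap_ms": round((later.ts - first.ts) * 1000, 1),
                        "ttl_delta": abs(first.ttl - later.ttl),
                        "first_is_redirect": first.payload.startswith(
                            (b"HTTP/1.1 302", b"HTTP/1.0 302")),
                    })
    return findings


# Constructed sample capture (documentation-range addresses, not real traffic).
SERVER, CLIENT = "203.0.113.10:80", "198.51.100.7:51000"
SAMPLE = [
    # Forged reply arrives first, with a TTL that differs from the server's.
    Segment(0.010, SERVER, CLIENT, 1000, 58,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"),
    # The real server's reply for the same sequence range arrives 22 ms later.
    Segment(0.032, SERVER, CLIENT, 1000, 49,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    # Benign retransmission on another flow: same bytes twice, must not alert.
    Segment(0.100, "203.0.113.20:80", "198.51.100.7:51001", 5000, 52, b"HTTP/1.1 200 OK\r\n\r\n"),
    Segment(0.400, "203.0.113.20:80", "198.51.100.7:51001", 5000, 52, b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in find_injection_candidates(SAMPLE):
        print(finding)
```

On real traffic this comparison sits behind stream reassembly, and the TTL difference is only a supporting signal that needs a per-server baseline.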

True, but Snowden's data haul is at least a year and a half old by now, and some of the files cited in this article date back longer than that.

But I edited my comment to include your point: no hard proof that this technique was used...yet.

Test aspa

The cynic in me feels that this might be part of a PR campaign coordinated between the US govt and US tech companies to try to give the impression of an adversarial relationship between the two.

The article quotes Steven Bellovin: “Their attitude is basically amoral: whatever works is OK.” If you forgot the article, could you tell who this is talking about? The government or the corporations? It seems like it fits both pretty well. The two entities both have a lot to gain from cooperating. Why wouldn't they? Whatever works.

It is certainly in the interests of the government and its spying agencies for the big monopolies to be successful. It must be a comforting thought to them to know that if they bug just Apple and Microsoft, at a stroke they have over 90% of the population under effective surveillance.

At times, I have wondered if the government's murkiest depths are organised enough to have fostered growth and developments in these companies of the future. You know, get their tentacles in sooner rather than later.

It's a shame Apple became so cooperative with the government recently. They agreed to "share cyberthreat info" which could mean zero-days, and maybe much more, which we know how the government will want to use first (hint: not for security).

My guess is Tim Cook agreed for the same reason Microsoft agreed to do the same thing long ago, and now again with the new program - to get government contracts, such as the one where Apple Pay will be used to get federal services and with the plan to use Passbook or whatever as a driver license in the future. Apple actually announced this on the very same day they announced it will share cyber info with the government, so it's not even trying to hide it.

I doubt Steve Jobs would've compromised the same way. As we've seen from the leaked Snowden charts, Apple only entered PRISM after Steve Jobs died.

As for Microsoft, I won't even waste my breath. They would sell out anyone for an extra million dollars. They only fight against this stuff when it seems to be publicly damaging them, because they don't want to lose billions of dollars in revenue from abroad because of this issue. So they would have no problem giving US authorities data from abroad, as long as it's still secret. Once it gets public they will "fight hard" against the practice.

I believe Microsoft was one of the few companies to challenge the NSA in the early 2000s. If I recall correctly Ballmer thought that the NSLs would eventually become public and Microsoft needed to be on the right side of history by challenging them.

Interesting twist when Glenn Greenwald/Snowden is now suspected of doing PR for tech companies.

I must have missed that release, do you have any links?

You may have posted the wrong link there. It seems to be a link to @okasaki's comment, which doesn't seem to pertain to the issue you mentioned, and contains no links of its own.

I assume copypasta error? I'd still appreciate it if you have any links, as I'm trying to map out the various accusations and counter-accusations in the Snowden case. It's a good study in information warfare :-)

"this might be part of a PR campaign coordinated between the US govt and US tech companies" sounds like it pertains to the topic of people suspecting this to be PR, no?

The comment I was asking for references to was:

> Glenn Greenwald/Snowden is now suspected of doing PR for tech companies

Which is not

>a PR campaign coordinated between the US govt and US tech companies

Suspecting PR collusion yes, but on the wrong side.

It's no error.

It was written by Jeremy Scahill.

Glenn Greenwald is the "Co-founding Editor" and the source for the story was the Snowden documents.

Seriously. This isn't even bad. Go to DEFCON and you'll see a ton of people doing this crap. There is a reason a bunch of paranoid people (includes me) bought faraday cages for our phones. Everyone is trying to break in to the little black boxes we carry around with some of our most personal information.

They have ACTUALLY done bad crap. This is normal security research. There is no need to blow normal research and security work out of proportion. Xcode is signed, they can't just modify it and let it go. The OS X updater is also likely secure and maybe they just figured out how to trick their own computers to install a keylogger. Good, but it probably doesn't work that well. And it's fine! It's research!

Let's focus on the actual violations, not the tools. Exploits and social engineering don't compromise: people do. Focus on the people who broke the rules which make sure our country isn't manipulated into an oligarchy.

>Seriously. This isn't even bad....There is no need to blow normal research and security work out of proportion.

Is normal security research done with the goal of finding/creating holes with the purpose of keeping them secret in order to use them as attack vectors without letting the owners of the compromised systems know about the vulnerabilities?

What's bad about this is the purpose of the research (not to discover and strengthen security, but instead to destroy it), combined with the weaponization of it (the entire goal of doing the research is to use the exploits), and the actor carrying out the attacks (the state).

It's obvious on its face why this is alarming.

The difference is that when the intelligence community discovers a hole in US-produced software, they will keep it to themselves to exploit the computers of individuals around the world in various operations of dubious value and/or legality.

At DEFCON, exploits are publicized so that software vendors and algorithm developers are motivated to strengthen the security of what they produce so that the software that all of us use is more effective against attackers.

A great ad for Apple's security.

I agree. When the intelligence community has to resort to this, I think the everyman is ok:

>At the 2011 Jamboree conference, there were two separate presentations on hacking the GID key on Apple’s processors. One was focused on non-invasively obtaining it by studying the electromagnetic emissions of — and the amount of power used by — the iPhone’s processor while encryption is being performed. Careful analysis of that information could be used to extract the encryption key. Such a tactic is known as a “side channel” attack. The second focused on a “method to physically extract the GID key.”

Am I missing something? Isn't their targeting of Xcode as massive as if they'd just announced they'd backdoored GNU gcc?

I mean whether they've backdoored the regular version available to all or only those in use by specific developers, the implication (to me) would be that binaries/applications/etc produced would then be automatically backdoored or at very least weakened?

Disclaimer: I know zip about Xcode or dev in the Apple ecosystem

“Tearing apart the products of U.S. manufacturers and potentially putting backdoors in software distributed by unknowing developers all seems to be going a bit beyond ‘targeting bad guys.’ It may be a means to an end, but it’s a hell of a means.”

The trouble with the means justifying the ends, is that ends are fictions invented to enable the telling of stories. Outside the structures required for stories, there is only ever really the means.

I'd much rather have my iPhone hacked by Anonymous

The CIA? Thought the NSA did this.

Here's their mission statement:

"Preempt threats and further US national security objectives by collecting intelligence that matters, producing objective all-source analysis, conducting effective covert action as directed by the President, and safeguarding the secrets that help keep our Nation safe."

Historically the CIA and NSA have a competitive relationship, they vie for the same funding. I would think pursuing iPhone security would cross into the NSA's domain and that they wouldn't appreciate it, however the CIA has a budget 50% larger than the NSA and I'm sure they'd like to keep it that way by staying relevant.

This is a great argument for "Gentoo Android".

While much of the iOS is Open Source or Free Software, the end-user can't really inspect the source that went into their particular device.

Note that, to the extent that the CIA steals Apple secrets from foreign sources, they may not be violating any US laws. However Apple does the vast majority of its system software development in Cupertino, California.

My next phone is going to be an Android that enables me to completely replace its firmware binary. While this does void the warranty, rather than having to be concerned about potentially skanky jailbreak exploits, one more or less just sets a flag with an Android SDK command-line tool, then you can install your own firmware.

That will be of limited use in protecting me against hardware backdoors, but at least it will let me pretend that America is still The Land Of The Free.

Among the reasons I am so adamant about stuff like this, and that I use my real name when I post about it so publicly, is that I am related to Roger Sherman, the fourth signer of the US Declaration of Independence, as well as to William Tecumseh Sherman and George B. McClellan, the two Generals-in-Chief of the Union Army during the American Civil War.

My mother was an active member of the Daughters of the American Revolution; I myself am entitled to membership in the Sons of the American Revolution.

You might want to look up the Replicant project.

http://www.replicant.us http://en.wikipedia.org/wiki/Replicant_(operating_system)

It looks like the development team could use some new contributors.

> My next phone is going to be an Android that enables me to completely replace its firmware binary.

I'm not aware of a single (modern) phone where you can replace the firmware of the baseband with something open source.

Openmoko Neo Freerunner. Might fall a bit outside of "modern" category though (and of course, operating GSM baseband processor with altered firmware on public networks is illegal)

I actually have two of those, but no 3G makes it far from being modern :)

"My next phone is going to be an Android that enables me to completely replace its firmware binary."

Component firmware and device drivers will still be binary blobs. You need to go a level deeper than that.

Apple should stage some sort of protest. Perhaps they should go on some sort of tax strike.

I don't think it would have any material effect. Most if not all hyper-corporations route transactions off-shore, and hold cash off-shore, specifically to drastically reduce the amount of tax they pay.

Apple is the #3 largest taxpayer in the US, and one of the few companies registered in California instead of Delaware.

No doubt. Nevertheless:


The loophole(s) may have been closed, but I doubt Apple left them voluntarily.

That was the joke.

I don't buy it. I really don't.

We know about the incredibly close ties between silicon valley and the military. We know that the US government collects anything and everything, and that US corporations are complicit (or made to be complicit) in the act.

It is most likely that Greenwald was leaked these documents to create a facade of government-corporate animosity to revive trust in US corporations, all the while there existing a backdoor to facilitate snooping.

The article explains that these are all documents from Snowden. So they're simply taken from the full set that Greenwald has had since 2013, not any kind of new leak.

The Federal Government can make tech firms hand over any data they request. However, they can't stop tech firms from designing their products so that the tech firm never sees your personal data.
