Even if it's not Russia, the release of the hacking tools gives weight to the argument that nsa/fbi should not be able to demand companies to create a back door in their products.
> Apple: If we're forced to build a tool to hack iPhones, someone will steal it.
State-sponsored backdoors have been mainstreams for decades. Practically every major piece of software and hardware that's not open source has a backdoor embedded.
Even popular anti-virus programs on Windows have been jimmied to allow state-sponsored malware through
> Practically every major piece of software and hardware that's not open source has a backdoor embedded.
[citation needed], and I mean a credible one with evidence, not tinfoil-hat raving.
Yes, we know that three-letter agencies look for, and probably have a stash of, zero-days for covert access. And they also do physical attacks wherever possible (like fiber taps at Google's datacenters). But those are two very different things from backdoors built in with the cooperation of the vendor. And despite how many people on the Internet treat "companies build in gov't backdoors" as just unquestioned fact, I've never actually seen any proof.
I dunno. Before Snowden, a lot of nasty stuff that we now take for granted the intelligence community does, was seen as "tin foil hat." After Snowden, I no longer doubt the possibility of any realistically imaginable attack, ie, assume that if they have the physical ability to do it, you should assume they do it and are not stopped by any ethical concerns.
Our intelligence apparatus has cried wolf too many times, in terms of denying they do something and then it turns out they do it, to be trusted anymore. They've lost the benefit of the doubt and if they don't want people believing all the tin foil hat things, maybe they should stop doing so many of them.
> Before Snowden, a lot of nasty stuff that we now take for granted the intelligence community does, was seen as "tin foil hat."
This is true, but using it as a justification for "And therefore, my theory about what the intelligence community is doing is correct and does not need evidence" is a non sequitur fallacy that has become depressingly common in recent years. You still need evidence for individual allegations.
To show you what I mean, suppose I were to say, "The NSA has a constellation of mind-control satellites built with help from the lizard men!", and then responded to the deserved skepticism with "A lot of things that used to be tinfoil hat theories we now know to be true thanks to Snowden, so this is too!". That's obviously fallacious reasoning, but it's exactly what people are doing when they toss around allegations of backdoors with no proof. Again: there's no shortcut around the need for evidence.
> After Snowden, I no longer doubt the possibility of any realistically imaginable attack ie, assume that if they have the physical ability to do it, you should assume they do it and are not stopped by any ethical concerns.
I agree completely, but that's not what I, or the person I replied to, was talking about. The issue I was addressing in my comment was whether their backdoors are being built with the knowledge and cooperation of the vendors, which is very much unknown. Attacks like taps on cables are orthogonal to what I was saying.
There's merit in just pondering. This is a message board not a legal proceeding. What you're saying isn't totally orthogonal. I'm often surprised at how terrible modern software is. I suspect they actively subvert and displace popular software that they can't hack. Most hacks are probably generic exploits of library code. I imagine they economized. They wanted Total Information Awareness. I can't prove any of this; It just seems sensible. He's doing a red team analysis. It's not of the same form of thought. You can't invalidate it with the arguments you're making except for in some logical domain or something. It's not a true/false statement. It's not even fuzzy.
I agree! And I don't mind pondering, as long as it's clearly marked as such. I do mind statements like "Practically every major piece of software and hardware that's not open source has a backdoor embedded" presented as established fact when they are not.
A vulnerability is a back door. The only problem I have with that statement is it's exclusion of open-source software. It's got more back doors embedded in it than closed-source software.
Jimmy: a short crowbar used by a burglar to force open a window or door.
He didn't necessarily say it was collusion but I suppose it's fair to clarify. It seems narrow to suggest it's just a stash of 0-days. I suspect they've been heavily yet covertly involved in the popular software tool-chains and computing hardware.
Not what I said. I said "realistically imaginable attack" ie ethics is the only thing hypothetically stopping them, not lack of fantasy technology. See if you can come up with a counterexample that actually meets that hurdle.
Mind control satellites and lizard men are both so far away from our current science and technology that even assuming the NSA could be a few years ahead, it's not worth considering. If there really were mind control sattelites or similar precursor technology available or in research today, and there were lizard men who had a history of being good at working with those and willing to sell their skills, then I would agree that it's plausible they're doing it.
Also, I'm more interested in the /practical/ applications of this knowledge of whether the intelligence community does a certain thing X, not the philosophical certainty of whether they do a thing X. You lock your doors because someone /might/ break in /maybe/, not because you're certain John Doe is planning on doing so at 4:30am tonight. Even if no one ever does, it's certainly technically possible, so if locks are cheap it's a reasonable tradeoff, even if you'll never be sure if they really helped.
You're probably right though that I'm moving the goalposts around! :-) I'm not trying to have a formal debate, just idly shooting the shit on the net, so I'm OK with that.
Intel Actice Management Technology fits the bill[1]. An out of band processor on select chips. Most likely it's on all the chips and only activated for consumers on the vPro and certain Xeon models.
Yes, but I wouldn't class that as building in a backdoor to a specific "major piece of software and hardware" or software and hardware range, I would class it as industrial sabotage on a more subtle and general scale. Equally pernicious but not the claim that is being made.
The pedantry around here can be infuriating sometimes. You take issue with my strictly true comment, and ignore Analemma_'s comment upthread (every product) which is strictly false.
The clue is in the name. It's a library, it is both the work of one company and used in many products, which is why it is suspected that it was targeted. You're both right. GP is not being pedantic.
Regarding PRISM cooperation, I'm not sure where your doubt is coming from there.
http://imgur.com/a/wRKtL
The slide was explicit, and is now many years out of date so without doubt the number of providers has increased. The means by which these provider agreements are reached is well known (National Security Letters) as is the fact that organizations are fully barred from disclosing their existence.
It was fiber taps between Google Datacenters overseas. The implication being that if your location history, emails, photos, secret diary, or what have you is transferred overseas at any point then you automatically have no more rights to privacy than a suspected terrorist.
If everything has a backdoor, then why would NSA need to stockpile 0-day bugs? Why would they need such a big TAO division? If they had a backdoor they would just use that.
"If everything has a backdoor, then why would NSA need to stockpile 0-day bugs? Why would they need such a big TAO division? If they had a backdoor they would just use that."
That argument is not true. Spy non-fiction taught me that intelligence services sort of rate their capabilities on what intel they can bring plus how secret they must remain. The idea being a capability might be so good and so hard to replace that you only use it on highest-risk cases that nothing else works on. Additionally, lower clearances will have greater number of infiltrators. They should see less than higher clearances to reduce damage of leaks. Further, I predicted that the tools themselves were developed in Special Access Programs (SAP's) that compartmentalized away from even TS clearances then selectively released to them. Sentry Eagle et al confirmed my prediction.
You can actually see the bullshitting in progress if you look at that. Each level of clearance is told something different with the lower levels often getting lied to with only highest getting the truth. In one case, it was implied they were attempting to use supercomputers against crypto then TS/SCI version said they got companies to backdoor it. Quite the difference. ;)
The GP post claims that every closed-source product is perpetually backdoored. If this were true, then there would be no way to detect backdoor access, and no way to deny it short of going 100% open source, which is simply not possible for large corporations.
What you describe is how intelligence services actually work to develop and protect real tools for access. What the GP claims is a fantasy in which such work is not necessary.
"The GP post claims that every closed-source product is perpetually backdoored. "
I agree that's a crap claim. Tried to provide alternative that showed situation is almost as bad as crap claims like that with 0-days. What overlap I did see was the emanation threat. That secrets leak out of any device and TEMPEST protection of them is illegal means that they are all backdoored for that in practice. Good news is it's a highly-specialist attack only a few countries know how to do that requires targeting and close proximity. Other good news is that smartcards and EM compatibility testing reinvented some defensive practices.
> Even if it's not Russia, the release of the hacking tools gives weight to the argument that nsa/fbi should not be able to demand companies to create a back door in their products.
Not really.
iOS already, today, for no other reason than to prevent downgrades, verifies every firmware upgrade/restore with an Apple server, which sends back a per-device signature. Technically, it would not be difficult for Apple to have that same server authorize a special spy firmware only for specific device IDs. The only way this could result in a mass compromise is if Apple were hacked, but hacking Apple already gets you that - the hard part isn't writing code to spy on people (especially if you've hacked them and thus have full iOS source code), it's signing it.
This is different from exploits for code vulnerabilities, where there's always at minimum a secret (the location of the bug) that can't get out, and in some cases going from there to a working exploit is also difficult.
At worst, if Apple went beyond compromising that one phone and set up an ongoing process to compromise phones as requested by law enforcement - then there might be some sort of online portal, and maybe it could be hacked either directly or by stealing a legitimate agency's credentials. Maybe then the spy system could be used by unsympathetic governments against their enemies, though only by stealthily submitting individual requests; there would be no way to exfiltrate something from law enforcement that would compromise everyone. I don't think that's what most people are thinking when they talk about a back door "getting out" or whatnot.
Personally, I agree with Apple's refusal to create and sign a spy firmware on ethical as well as pragmatic grounds. But there's a lot of misinformation about the issue.
>iOS already, today, for no other reason than to prevent downgrades, verifies every firmware upgrade/restore with an Apple server, which sends back a per-device signature.
Are we pretending now that the government couldn't MITM and fake the response? I think they've proven they can MITM pretty much ANYTHING their hearts desire.
> Are we pretending now that the government couldn't MITM and fake the response? I think they've proven they can MITM pretty much ANYTHING their hearts desire.
Only if they have Apple's private keys or can break RSA...
That is not how TSS is set up though. "Special" restores are heavily audited so many would be aware that it occurred. who knows how easy it would be to keep that contained.
Further, if people are paranoid of this, a crowdsource based mitm restore server could be setup (similar to saurik's) to watch the hashes and block restore + alert the user if a firmware file is about to be installed with a different hash than what it should be.
Except the FBI explicitly said Apple could work on and execute the backdoor internally and destroy it after use. It would never need to come out of their secure facilities.
So I don't think this was the strongest argument for Apple. A better one is that once the US can compel Apple to do this, what's to stop Russia, China from demanding the same thing?
When the back door is created, it cannot be destroyed. FBI had tons of other phones they wanted to access [1]. Hacking one phone would set a precedent that Apple would have to hack numerous other phones.
It is so simple to steal software, just like NSA's hacking tools were stolen.
If NSA cannot keep software safe, why can you think that Apple can? I think it's unreasonable to require Apple to have a higher level of security than NSA effectively has.
> When the back door is created, it cannot be destroyed.
If the "backdoor" in question is a malicious signed OS update, then it can absolutely be destroyed. There are plenty of reasons to avoid backdoors without imbuing them with mystical qualities like the inability to delete them.
And then recreate, and redestroy it for each of the >100 law enforcement requests in NY alone. Etc. Etc. Though the FBI says that, Apple pointed out in their brief that the reality of what that kind of situation would look like was absurd.
What's to stop the FBI from repeating the same process in the future? Fighting future orders would be much harder after precedent is established.
Remember that after James Comey talked about spending "a lot" to get into the San Bernadino phone, he wanted a way into the phones that "doesn't involve spending tons of money in a way that's un-scaleable."[1]
While the tech industry like to cast aspersions about the FBI and how idiotic they are, I think this perception is wrong. I don't think they could possibly have access to the resources they do and be stupid. They may not always understand fully the technology they're working with, but I'm quite sure there are resources within their reach that would quickly set them straight where required. I'm sure at the very least they could create a GUI interface using Visual Basic to track their IP address.
> 2). The FBI is malicious and lying...
I'd like to believe they're neither but the more time goes on, the more my goodwill towards them fades... and while they're not the NSA, the doubt the NSA has cast on Government Agencies has tainted that with the "guilty by association."
I can't believe they're incompetent, I do believe they (largely) do what they do with good intent, I think their strategy is short sighted.
That leaves me asking the question: Have they lost sight of the future repercussions of the actions they take today or are they actively considering the future repercussions when making policy today?
If they're actively considering the future repercussions of policies they're making today, that is the greater cause for concern because they're actively making policy that ensures the state's ability to monitor (and in effect, censor) the future population - counter to the first and fourth amendments.
> While the tech industry like to cast aspersions about the FBI and how idiotic they are, I think this perception is wrong. I don't think they could possibly have access to the resources they do and be stupid.
I responded to an FBI call for recruits to staff up their cybercrime divisions after 9/11, and was in their recruitment pipeline for two and a half years.
Based on my experiences during that period, I have no problem believing that they are stupid.
>I responded to an FBI call for recruits ... and was in their recruitment pipeline for two and a half years.
Dude! Just nine more months and they would have completed your SSBI and you could have been forwarded to the next stage!
God, it's like you don't want to put your life on hold for multiple years while an impersonal bureaucracy methodically sorts through your entire personal history.
What stops them from doing it now? What about Apple being willing to hop in bed with the US government affects whether they would with Russia or China, or whether either of them would ask for this from Apple?
Even if they wouldn't "hop into bed" with other governments, if they had hopped into bed with the US govt. they would have lost revenue in those other markets, which would be likely to view Apple products as backdoored by the US government.
As a multinational company, it's in Apple's interests to maintain a 'no backdoors' strong privacy stance, or it will both lose foreign markets (that are afraid of US/other nation's backdoors) and have to contend with increased requests from various governments for backdoors/audits (they got backdoor access, why can't we?), and the associated revenue lose.
That's not the point I was challenging (which I couldn't highlight and quote because Safari in the iPad apparently decided I didn't need that ability). I was challenging the idea that cooperating with the US government somehow makes it easier for, or in any way affects the ability of, other governments to demand cooperation with their own programs. I was not saying there wouldn't be consequences for Apple doing so, or that they should have.
I don't, and said nothing of the sort. I said that their decision to cooperate with one government is independent of their decision to cooperate with another. Thus, cooperating with the US does not mean they can't tell Russia and China to go fuck themselves if they asked for the same thing.
Money, more specifically the desire for it, knows no bounds. Apple is a multinational corporation whose goal is to deliver value (read: money) to shareholders. The idea of political boundaries meaning anything is a quaint notion that I feel was true only long in the past, if it ever was.
I'm not saying Apple is evil, merely that multinational corporations don't have to care about political boundaries.
Lets forget the argument, that this sets a dangerous precedent for a moment... Even if you assume the strictest possible processes, even if you assume only the most genius techs working on a backdoor like this: In the end the people implementing and operating a backdoor are just people like you and me. People make mistakes no matter how good the skills and processes are. And if this mistake happens, as it will happen invariably, the backdoor is out in the open and usable for adversaries with even more malicious intent.
I don't think calling a thief putting up hacking tools for the highest bidder "another Snowden" is particularly accurate. (I realize this was the article title and am not complaining about the post here. I fault whomever crafted the original title.)
I'm also saying that (or at least putting the idea out to test drive it) it's a good time for us to shift our language to talk about things that, in some deeper way, are politically and civically just.
"my point is that his intentions were clearly pure regardless."
I would tend to concur, but we don't know that.
Also - intentions are not that important. Manning's motivations I surmise were probably innocent, but his incredible naivte of releasing gigabytes of information of information when he didn't even know what the contents were ... were seriously damaging. Tons of undredacted cables in there meaning a number of Afghan and Iraqi citizens helping the US were needlessly put at risk, for example.
Listen, I don't mean to dismiss the kind of sober thinking you are putting forward here. There is a reality to these sorts of actions that, for the perhaps most optimistic or utopian among us, bears repeating mention of.
However, this:
> Tons of undredacted cables in there meaning a number of Afghan and Iraqi citizens helping the US were needlessly put at risk, for example.
...reads to me like a celebration of opposite day in the bizarro world.
Manning did nothing to put these people at risk; the state put them at risk with its murderous and greedy tendencies and foreign policy errors.
Announcing someone's name and affiliations, in the case of a decent, non-violent, dare I say "everyday" person does not in any way put them at risk.
It is only because these people are touched by the long finger of empire that the appearance of their name in a text file is compiled into danger.
Manning's heroism tends toward ending that empire and making these people (and those in a similar role in generations to come) safer and freer.
"It is only because these people are touched by the long finger of empire that the appearance of their name in a text file is compiled into danger.
Manning's heroism tends toward ending that empire and making these people (and those in a similar role in generations to come) safer and freer."
This is ideolgically anarchist and ridiculous.
There is no 'Empire'. There is just 'stuff you, as a citizen vote for'.
Have you ever been outside the Western World + Japan? Do you know how crazy it is out there?
Do you know how instantly things would collapse without the international framework we have today?
Are you too young to remember the Cold War? Do you realize that it's still going on, that Russians are grabbing territory and they still have 3 000 nuclear weapons pointed at us and, just a few months ago Putin bragged, over dinner, that he could 'wipe out the USA' in 45 minutes?
This is not a video game.
US foreign services do extremely important work in the world, and if you'd read the cables that Manning released, you'd see how true that is, and also how mundane most of it is relative to your anarchist hyperbole.
Manning swore an oath to serve the interests of his people selflessly, instead, he naively, and selfishly released information which caused a lot of damage and could have caused a lot more damage.
It would be one thing if Manning were some intellectual, knew what he was doing with conscience, but he was a very low level private - with severe social and identity problems, thinking that somehow he had 'answers'. I think that he thought he was doing the right thing, but he's severely deluded.
And by the way - I am not American.
Also - I should add - that the person who released the photographs from Abu Gharib - and caused the big scandal/uproar was definitely in the category of 'whistle blower' and did the right thing.
It's hard to know how to respond to your comment as whatever logic it may contain is camouflaged by ad-hominem presumptions (if you'd read the cables that Manning released, you'd see...) and impossible-to-take-seriously fear mongering ("3 000 nuclear weapons pointed at us").
I remember the cold war. And I thought that the government did the best thing it was able to do. Did the governments of both the USA and USSR behave childishly? Yes. Were they operating in a short-term feedback loop? They sure were. Did they, perhaps against the odds, avert a nuclear holocaust, at least for 40 years? Yes in fact they did.
But that's really not the point.
As I've said elsewhere, my argument (and I think the argument you see coming from much of the HN community) is not that government has always been unnecessary, but that it is being deprecated.
It doesn't matter that this one human leaked these troves of information; the internet will always tend toward making them available regardless of which individuals happen to be involved with the particulars.
Government secrets aren't merely immoral, they're increasingly impossible.
So all of your nostalgia about worldwide wars being "the international framework we have today" is just completely irrelevant. The internet will not abide government, and human evolution will continue to be the internet.
"I assert that, whether someone agrees or not, Snowden was doing something that was actually right."
Yes, Snowden did 'something' that was right.
But Snowden also did 'other things' that were wrong.
Snowden released information on how the NSA spies on adversaries, like Putin, who has 3 000 nuclear warheads pointed at us.
There is no 'public good' in that information, it's basically treason.
Which is the odd paradox about the Snowden revelations - there was a lot of info that arguably was in the 'public good'.
But if you save a baby and kill a baby in the same day ... you still go to jail.
The fact that Snowden released tons of data that had little to do with NSA domestic surveillance really changes the tone and nature of his crime, and it's not good to see so many come to his defence because he also 'saved a baby' the time that he 'killed a baby'. It really ads an odd dimension to the story.
Perhaps Chelsea Manning is a better comparison. Perhaps not so well intentioned or forward thinking but rather a protest outburst against a perceived regime.
Chelsea Manning risked even more, was rewarded far less, and successfully liberated far more of the data belonging to the public. Very little of what she revealed passes any sort of common sense test about what is rightly held secret by a public entity, but rather showed that the government keeps secret anything that is politically dangerous for the narrative it tries to maintain.
I see nothing but good intentions. Forward-thinking? Maybe you're right there, at least in terms of her own well-being. Perhaps she was counting on us for more than we're willing to do in terms of rescuing her from a life of torture at the hands of the state.
Chelsea Manning took vast numbers of documents she never read and then sent them to a stranger on the Internet who happened to have branding congenial to her politics.
I think the handling of the Snowden leak was also irresponsible and, from the vantage point of doing the most public good with the disclosure, has for the most part been a fiasco (notice how much more we learn about the contents of these documents after attacks and incidents become public?). But Snowden's leak handling was surgical compared to the shitshow surrounding the Manning leak.
For my part (and I know you already know this from our many past discussions on the matter), I simply don't think there's anything sacred about government secrets in the first place, so I have no qualms with someone liberating them.
When they reveal evidence of war crimes (or even just everyday corruption and slop), then I think the disclosure is all the more to be celebrated.
Yes, and; while Snowden gives conference talks from exile, she's facing charges and indefinite solitary confinement as punishment for a suicide attempt.
Naive and misguided, perhaps, but you really can't argue she didn't risk (and lose) far more while basically trying to do the right thing.
If we lived in the same moral universe as them, they would be doing the right thing. The thought does give me pause, from time to time.
But the point is not to redeem Manning's actions in a utilitarian sense. The facts are that she saw something (war) she found unconscionable, she wanted to do something about it, and she sacrificed about as much as she possibly could without dying-- maybe more, now that she's one of the least free people on the planet. It's not that hard to comprehend a moral philosophy where she does actually deserve points for effort.
If you're asking me to just look at utility, it's very hard for me to get around the fact that the book is still being written. I can see the argument that indiscriminate leaking causes damage, and damage to well-functioning systems is bad, but I can also see the argument that the historical record is full of state secrets kept for banal or evil reasons and the proper functioning of the current intelligence apparatus may be doing more harm in a human sense than could possibly be justified, if we just knew it were happening.
The irony is that ultimately, I just have to trust that there are enough people with good hearts working in the system that if something unconscionable is going on, it won't stay secret for long. So in these circumstances I'm actually much more worried about not judging by intentions enough, lest the well-intentioned decide to stay home.
I'm not sure I follow. I'm granting the possibility that the outcome of her leak was ultimately negative, but that's not related to her intentions, nor to whether or not her intentions are morally or practically relevant.
Edit, I guess I'm thinking of the opposing question: Is there information that someone in Manning's position could get which, if it exists, any system which created it or kept it secret should not be allowed to exist, let alone have the authority of law?
Intentions matter, then. But maybe we're talking past each other?
> People who bomb abortion clinics also believe they're doing the right thing. We need to be careful about judging actions solely by motivations.
The second sentence may not be true, but is unrelated to the first, which illustrates more that we need to be careful about judging actions solely by accord with the alignment to the actors' view of "the right thing" than anything else.
Regarding selective disclosure, at least Snowden and Greenwald made an attempt to keep people from getting killed. There's a big difference between leaking methods and leaking the identities of assets.
"and successfully liberated far more of the data belonging to the public."
This is completely false.
The information Manning released absolutely did not belong in the public domain. Period.
Governments, like any other private entity are allowed to keep confidential information.
Much of what manning released was private conversations between state department officials and their counterparts in the Middle East. The damage could have been much worse.
It's really sad to see so manny people think that 'individual privacy is paramount' but then can't grasp that other actors, including state actors, don't have reasonable rights to privacy.
I'm actually reasonably certain that the New York Times vs United State indicated that newspapers are completely within their rights to publish this information:
And there's a slight difference; government employees (including the military) are paid by the taxpayer, and government operations (such as military strikes) are also tax-funded, and a degree of transparency is supposed to come with that. If the government was a for-profit entity, you might have a point, but at least right now, it (officially) is public, and the above case and FOIA are there because of it.
I understand that there are cases where the government cannot release stuff to the public, and I'm not disputing that Manning overstepped her bounds, but I don't think it's naive to expect some degree of transparency from public, (not private) entities.
The entire essence of the concept of a Republic (vs. e.g., a Monarchy) is that government is literally a public matter (Latin: res publica) not a private entity or someone's private property.
So, I disagree with your conclusion even when restricted to the realm of reasonable classification - I don't think that everyday communications from state actors, acting on the public behalf, are reasonably considered classified, and neither does the FOIA.
But, for my part, I will go even further. I think that:
> Governments, like any other private entity are allowed to keep confidential information.
Is just wrong. I don't think that, in this day and age, it's a good idea for governments to keep anything secret. At all. And I'm pretty absolutist about that. And I think that's a reasonable information-age policy. And I think that governments will begin to adopt it or look silly for refusing to do so.
> It's really sad to see so manny people think that 'individual privacy is paramount' but then can't grasp that other actors, including state actors, don't have reasonable rights to privacy.
This is exactly my belief. I cannot grasp - or rather have grasped and cast away in disgust - the idea that "state actors [have] reasonable rights to privacy." They don't.
is the government really a "private entity"... and if it can be described as such, is it "like others"?
> It's really sad to see so manny people think that 'individual privacy is paramount' but then can't grasp that other actors, including state actors, don't have reasonable rights to privacy.
(assuming you mean "do have") in what way does the state have "reasonable rights to privacy"? who determines what's "reasonable"? doesn't state privacy hamstring the citizenry's oversight and regulation of their own government?
If the government is able to keep secrets from us, then we cannot give informed consent on whether their governance is appropriate or not for our nation's citizenry.
Uninformed consent is hardly consent at all, and our elected class ought often be reminded that it is we that they answer to, and not the other way around.
"If the government is able to keep secrets from us, then we cannot give informed consent on whether their governance is appropriate or not for our nation's citizenry."
This is completely false - and there is not a single state in all of the history of the world wherein this was the case.
Oversight - yes.
All public information - no.
If you have ever worked with a team of more than 5 people, you'd realize that your statement cannot hold true. Do you really think that every email, every correspondence, every bit of government data should be public?
Should Barack Obama have to do everything on a 'live cam' so that every citizen can see his every move and word?
Should the Nuclear Launch codes be 'public information' ???
Of course not!
Government agencies have absolutely no obligation to release any information unless it falls under the auspices of 'freedom of information' (which is a good bit of data) - and then various levels of clearance.
We have other people in government: elected officials, oversight committees, and judiciary, NSA, FBA - to keep an eye on one another.
The information released by Manning was 100% within the bounds of information that the government can keep private.
Private conversations between state officials and diplomats are definitely not something that should be published.
In 40-50 years or so, the US eventually releases pretty much everything, you can read what the US Diplomat to Libya said to Gaddafi if you want then. But not in real time.
Yeah, I'm not suggesting that every scrap of paper needs to get released if it isn't practicable, but secret, billion-dollar plus programs should simply not exist, ever; this includes (in my opinion) NSA surveillance, the Manhattan Project, et al.
"Governments aren't (supposed to be) private entities."
Governments are not 'private entities' but they certainly can have 'private information'.
It's really quite difficult to debate this with you guys.
If you can't imagine that diplomats can't have private conversations with their counter parts, that bureaucrats can't have private conversations with employees - then I have nothing to say to you.
Once you accept that there is a lot of information that should not be publicly available, both 'secret' and 'mundane' (HR records etc..) - then you accept the government can keep private information - and then it becomes a matter of how that is regulated: oversight by congress, committee, judiciary - and access to information wherein it's appropriate.
And once you accept that - you accept that Manning's release was totally immoral and unlawful. There is nothing in his cable releases that should have been released - though you could debate the release of the video of reporters dying in friendly fire.
> If you can't imagine that diplomats can't have private conversations with their counter parts, that bureaucrats can't have private conversations with employees - then I have nothing to say to you.
Just to be clear: I think many people here believe that "diplomats" and "bureaucrats" are subject to deprecation. You are holding on to the notion that the government is going to keep existing (and bungling society, economy, and environment) alongside the internet, but it's perfectly reasonable to surmise that this is not so.
Government has been a necessary evil for a stage of human evolution that is now coming to a close. And it will wither with a whimper, not a bang.
So, per your directive, it may just be that you have nothing to say to us.
I feel as though I've been sent to sit in the corner with a dunce cap for daring to criticize a piece of journalism that equates releasing NSA spy tools on the black market with government whistleblowing.
If you re-read the post a little more carefully, that's a reference to the ANT leak, followed by a "well, it could maybe be the same person" about the malware auction.
Seems more likely to me that the ANT leak gave the auctioneers an idea what to look for to exfiltrate once they got hold of an NSA staging server.
When an article's title is misleading or linkbait, the HN guidelines call for it to be changed. Alas we can do nothing about misleading titles in the big wide world, but we can at least tend to our little corner of the internet.
I had the same thought, but I'm thinking that the person(s) auctioning the stuff aren't the same person(s) that obtained it in the first place.
It was taken years ago, and just now found its way to the auction block. I think there is an interesting story about the intervening years we are missing.
Where by evidence for another NSA leaker, Bamford means literally no evidence. The fulcrum of his op-ed rebuts an argument nobody is making --- that Snowden himself disclosed this cache of exploit tools.
The prevailing narrative, one echoed by Snowden himself, was that this was likely taken from a staging server: a machine somewhere out on the Internet used as a pivot point for attacks. Snowden claims (I don't know with how much authority) that a compromise of one of those staging servers is not without precedent.
Nothing in this entire piece refutes or even engages with that narrative.
What evidence is there for another NSA hacker? Proof by narrative. The narrative says that the NSA is impenetrable, except for inside threats. Therefore it was an inside threat.
Proof by narrative is the slippery slope whereby the state becomes a religion.
It's borrowed from religion and used in the modern state. In the old testament, whenever the chosen people were defeated, the only reason could be that someone was making sacrifices to the wrong god somewhere. The proof was that god would have been with them on the battlefield otherwise.
It's why, in Stalinist show trials, political enemies are made to confess for crimes of sabotaging production, because the narrative says that the production process is perfect in the Soviet Union and the only way that quotas would fail to be met is because of reactionary saboteurs. Fallacious or not, each additional conviction reinforces the state's narrative.
Really? It seems to me like it's key to pro-mass-surveillance people's support for the "collect it all" approach - and for key escrow schemes in particular. And it ties into the VEP discussions as well.
Oh look, here's Nicholas Weaver on Lawfare making a very similar point about vulnerability disclosures:
"How is NSA changing the equities process now that "someone stealing the NSA's tools" has to be explicitly included in the threat model? Previously, equities calculations generally relied on the probability that someone else might independently discover and exploit a vulnerability. How does this calculation change when the NSA's own tools might be stolen, without detection? Is there a policy on what to do when the NSA knows that their tools are compromised?"
I don't know what our beliefs about key escrow have to do with the reality that NSA's "impenetrability" isn't part of the prevailing narrative. Among experts, the gauge on NSA is trending strongly towards "clownshoes".
Most on hacker news or security twitter or slashdot or whatever would agree that the NSA has serious vulnerabilities and have terrible policies/practices, but the narrative being pushed to the average american via the usual channels is most assuredly that the NSA is infallible (or that it's only fallible due to pesky things like privacy).
This article is on Reuters, which means it wasn't meant for people who know what elliptic curves are, it was meant for people who still call Comcast to restart their router. Given that, I think it's safe to say there's a distinct narrative being pushed here where it's heavily implied that leakers are the main threat to the NSA's security.
I didn't say they were mutually exclusive; that is also a rebuttal to an argument nobody is making. I'm saying they're orthogonal to the question of who's responsible for leaking these NSA tools.
I think this subthread is pretty clearly about the predominant narrative concerning the NSA and how this article plays into that (regardless of who actually is "leaking" it), I was responding to the discussion around your statement of:
> "The NSA is impenetrable" is not and was not the prevailing narrative, to say the least.
The ''reality'' is that proponents of key escrow solution (and the "collect it all") approach have consistently made the assumption that intelligence agencies are able to protect the keys and data. The impenetrability is so deeply a part of their narrative that it's not even discussed. The cost/benefit analyses are very different if you assume that adversaries are likely to get access to any information our government collects.
I'm not interested in your reasons for opposing key escrow, if only because I think key escrow is stupid also, as does literally every expert I have ever talked to in my career.
Our opinions about key escrow have nothing to do with whether Russia hacked an NSA staging server, or another leaker inside NSA is behind the leak.
I don't really know how to respond to this. Paraphrasing this conversation so far:
tptacek: "The NSA is impenetrable" is not and was not the prevailing narrative, to say the least."
me: I disagree; it's part of the narrative that pro-surveillance people use to support things like "collect it all" and key escrow
tptacek: I don't understand what our beliefs about key escrow have to do with the narrative
me: explains again what you're missing about how this relates to the pro-key-escrow (and more generally pro-mass-surveillance) narrative
tptacek: everybody agrees key escrow is stupid, and our opinions about key escrow have nothing to do with things that you weren't discussing like where the leak came from
me: hmm ...
It's almost like you're trying not to hear what I'm saying.
OK, one more try.
If all the experts you talk to are against key escrow, why do pro-mass-surveillance folks keep proposing it? They see the tradeoffs differently. And why's that? One reason is that the stories they tell about why it's a net positive have the underlying assumption that there's not a significant risk of they keys being compromised. Conversely and when opponents of key escrow tell stories about the potential downsides if the keys are compromised, proponents downplay this as a risk.
> It's almost like you're trying not to hear what I'm saying.
Perhaps because what you're saying is/sounds off-topic? Basically it amounts to "some (pro-mass-surveillance) folks propose X because Y". Even if that's true, so what? To repeat the GP, this has nothing to do with whether Russia hacked an NSA staging server, or another leaker inside NSA is behind the leak.
Sigh. Try reading the thread again, starting with 'tptacek's comment that ""The NSA is impenetrable" is not and was not the prevailing narrative, to say the least."
Hell, large parts of HN seem to believe this. No amount of shitty PowerPoint, terrible Java Enterprise(TM) desktop apps and outdated open source software with extra functionality hacked in seems to convince people otherwise.
This may be a case where your security industry experience works against you. I'm not sure the average US citizen doesn't believe that the NSA is so well guarded that the only threat with what they do is corruption and inside actors.
Do we have any polls on this? I don't trust people involved in the computer industry to necessarily have views that conform to the average person with regard to this, and the media all have narratives they would like to put forth, but none of them necessarily have to conform to reality.
What they're _planning_ is not relevant. What matters is whether they're competent enough to keep such keys secure. (Such as by not allowing malicious actors to get copies of them.)
What is relevant is that they are demonstrably _not_ competent.
You don't think the relative attack surface of two classes of machine is relevant? Are "they" (the tailored access division) going to be in charge of safeguarding the keys?
No, you missed it. The point that Bamford made is that he personally got to grep the Snowden leaks for the ANT catalog a few years ago, and this stuff wasn't in there. But this stuff is real and we have it now. Which means the ANT catalog was released by "another snowden".
You're now rebutting a point that the article isn't making by saying it's rebutting a point no one is making!
Nobody implied Snowden released it or was even suspected of releasing it, including Bamford. He is challenging the narrative that it was Russian hackers, because of the other, non-Snowden leak evidence.
Can go either way. I can see Snowden doing it as well.
File times just a few months away from when Snowden fled is interesting. It is still too close to the date that looks suspicious.
One way to interpret is that Snowden inspired someone else there who was dissatisfied with the job or the what NSA was doing. The other is that Snowden try to modify the files to make it seem like it was not him.
Him mentioning that "staging servers have been compromised" before can also be interpreted as him preparing the stage of releasing this and hoping everyone would read that statement at face value.
Snowden's own theory, if you're curious, is that after his leaks the NSA burned all their staging servers and started over, cutting off access to anyone who compromised the existing servers.
What doesn't make sense about the staging server idea, which seems to mean a command and control server, is why there would be a bunch of different tools for unrelated exploits on the same server.
A staging server isn't a C&C server. Anyone who's ever broken into sites as a teenager or done pentesting for their career understands the concept: it's a shell on a server unrelated to you or your business, which you can log into from anywhere, and on which all your tools are built.
You typically don't run your exploits from your own machine, both because you don't want a single network hop between you and your target, and because your tools may be inconvenient to run on your own machine.
Conjecture: this is done via automated scripts that check for vulnerabilities and then execute the appropriate exploits on them, a la Metasploit. It's a comprehensive binary (or a few of them) that is supposed to be deleted when the work is done. :P
What do you think "tailored access" is? Look at some of the better known former NSA hacking-division people in industry: they were all at NSA in their early 20s.
Then look at the unbelievably shoddy quality of these tools. Are you arguing also that they might themselves not be part of NSA's repertoire? Because I could make the same "opposite of tailored" argument about the tools themselves.
I meant tailored access literally. I assume that the name "Tailored Access" comes from the idea that access is tailored, i.e. custom fit for the specific task at hand.
> In addition, if Russia had stolen the hacking tools, it would be senseless to publicize the theft, let alone put them up for sale. It would be like a safecracker stealing the combination to a bank vault and putting it on Facebook. Once revealed, companies and governments would patch their firewalls, just as the bank would change its combination.
Why would this be bad for Russians (if this was indeed the Russians)? We can/should assume that Russia has it's own methods of infiltrating systems. The value of this data to them would be knowledge of how it's done, not necessarily hoarding and replicating how the NSA does it. If anything, having vendor's patch exploits that they're not using, but their enemy is, would be a great chess move.
The longer the russian's know or have the exploits without the NSA knowing they've been compromised, the longer they can hold it against them. -- Imagine you've hacked a bank network vs robbing a single bank, and every week you take 1 penny from all users without anyone knowing, and do this for 3+ years... you'd get a lot more than a one-off bank robbery... That's the long game that Russia would play - milk it for every ounce of use, and keep it totally secret.
They get nothing from exposing it, hacktivists on the other hand get a lot more, and are more boastful about their exploits.
Hold what against them? The exploit? That makes no sense.
The Russians do not use the exact same set of tools that the NSA does. Sure, they may have discovered some of the same exploits, but the two do not have the same "toolbox" strictly speaking. Releasing a set of tools used by the NSA doesn't mean that Russia loses access to the systems that they have compromised...
To be honest, it's very difficult to have a clear view on whether is makes sense to call the Russians on this or not. We know too little and we speculate to much :-)
Plus, for a USA agency, it goes without saying that when shit hits the fan it's either Russians, Chinese or Aliens not necessarily in that order.
Yes, this Bamford argument doesn't make much sense either. It seems to imply that the Russians and Americans are working from the same set of vulnerabilities. I don't know anyone who does this work professionally who thinks that's likely to be true.
Do people really think this "auction" is legit? That people can seriously bid on these tools? The whole thing plainly sounds like a big joke for maximum attention. There is no real intention to sell the tools, at least not this way. The terms of the auction are ridiculous; no one with enough money to make a serious bid would risk losing it all like that.
Perpetuating the meme that this is a serious auction is dangerous and faulty journalism. It is a publicity stunt to embarrass the NSA. Let's not get hysterical and pretend that some third world terrorist country could obtain the NSA's cyber capability by bidding all of their petro-dollars in this farce.
Snowden has a theory that Russia had these tools for a long time, the auction has nothing to do with it, and it's political signaling related to the DNC hacks. Worth a read:
It's inevitable that there are, or were, or will be, other Edward Snowdens working at NSA. Persons who find that the Agency's mission no longer sits well with them.
The question is: who are they working for?
Snowden was working for the American People, and upholding the US Constitution.
To draw from some relevant if non-US history, Kim Philby's interests did not lie with his nation's subjects, despite his aristocratic pedigree.
Yup, I always thought that the bigger risk was that there were other much less ethical or patriotic versions of Snowden in the NSA who could/would leak data and not go public at all. Putting up the machinery to spy on foreign nations is a sort of 'attractive nusiance', pointing that same machinery to spy on US citizens too magnifies the attractiveness tremendously.
I worked for the NSA for four years and left last year because being there bothered my conscience. Lots of smart and nice people, but I just didn't want my life's work contributing to their mission. I left a secure position with great benefits and went off to be a 1099 at one of the credit card companies. Less job security but I no longer have the burden of knowing my work is supporting something I'm strongly against.
Thank you for your principled approach to life. I wish we had more of you on our side!
(What is "our side?" I, similarly, have refused to work for defense industry, TLA agencies, etc, because I see them as net negatives to our society - this is the side I'm on)
He's had a very clear impact. Before Snowdon thinking that the NSA was collecting data on EVERYONE was a conspiracy theory. It was "crazy". Post-Snowdon it's a proven reality. Snowdon showed how far a clandestine agency with very little oversight can go. The answer, it controls EVERYTHING, it's been proven that not only have they spied on high up allied politicians (bad, but maybe excusable) they also spied on OUR OWN.
Snowdon showed us there's this agency, with a virtually unlimited budget that can control the politicians that control the world... and they are beholden to no one, the law is a rubber stamp.
Worse, even when it was demonstrated that they outstepped the boundaries of our laws... things have remained unchanged.
Snowdon showed us the truth, then left it up to us to do something about it. Unfortunately, no group of people has so far mustered up any change. That's our own failing.
Ha! Same here. This is exactly why I wish more (overtly) political stories weren't flagged so quickly as of late... 9/10 the HN commentary really is superior.
>Which is why I click through to the HN comments before the article about 9/10 times.
If you determined whether an article was clickbait or not based on HN comments, you wouldn't read anything, ever.
I'm skeptical that this community has a handle on what "click-bait" is. Anything that isn't written in the precise style the commentor enjoys, or isn't as information dense as a commentor would like seems to gain the label.
Bamford's expertise in espionage is pretty similar.
There seem to be two plausible explanations for the Shadow Brokers release.
1. The doctrine of the US govt in cyberwar is proportionate response. This is either preemption or escalation on behalf of Russia. This assumes the attribution of Russia for Democratic political hacks are accurate.
2. This is further activity by whomever leaked the ANT catalog to Applebaum.
The Shadow Brokers are going to be difficult to attribute technically. Attribution is based more on your theory about what's happening the Russian covert escalation.
Once a useful zero-day has been discovered by an adversary, it may make sense to give up using it so that one's own side's computers are not vulnerable.
My guess is that the NSA has excellent methods for detecting DNS exfiltration and the recent tools are at least a decade old technology.
What's interesting is the disinformation value of intentionally releasing the tools, but to understand that we'd have to know who the intended adversary was.
"In addition, if Russia had stolen the hacking tools, it would be senseless to publicize the theft, let alone put them up for sale."
No not all Russia was recently accused of hacking the DNC in the US, so it would a perfectly logical for one state actor to say to another "you do it too and here is evidence." Is that not so obvious?
I'm sure the work was solid, yet not his. To weave him into this story with that stupid tagline "the most dangerous man on the Internet" with the insinuation he was some kind of hacker... is garbage journalism.
I haven't been specifically saving URLs on this, but it's a pattern of behaviour that's been discussed at length on the internet more than once.
Given that, I'd effectively be googling and then picking the articles that best suited my current beliefs on the topic, so honestly you'd be better informed by googling and then reading until you have your own beliefs. (this is not meant to be a disguised lmgtfy, I genuinely think you'd come out worse informed if I tried)
Can't speak for OP, but that's probably it. After the whole cluster that blew up around him the community seems very split in their opinion of him now.
> A more logical explanation could also be insider theft. If that’s the case, it’s one more reason to question the usefulness of an agency that secretly collects private information on millions of Americans but can’t keep its most valuable data from being stolen, or as it appears in this case, being used against us.
If there's anyone still questioning the results of Snowden's move, here you have it. The Reuters opinion is stating that this data is potentially being using against us. If the perception that the NSA doesn't collect for the public good becomes broadly accepted, change can be achieved at a political level.
To me it wasn't clear in the auction description if it's possible to increase a previous bid.
- If it's not possible, then the only strategy is to bid as late as possible: Suppose Group A bids $1000, Group B bids $1001. To win the auction Group A would have to transfer another $1002, making a total investement of $2003. Group C on the other hand only has to commit a total investement of $1002 to win at this point. Since the duration of the auction isn't known you would wait for everyone else to make a bid first, since the person to bid last is in the advantage. If everyone does that, this becomes the ultimate waiting game.
- If on the other hand it is possible to increase one's bid by just transfering the difference, then this is a tullock auction[1]: a classical example from game theory where the only rational strategy is not to bid at all (unless you are completely sure that nobody else will bid. As soon as you have two bidders, both behaving rationally would lead to both committing an infinite amount of money, one of them losing it all).
So just from a game theory standpoint nobody would actually bid in this auction. Add to this the very likely possibility that the public leak contains all data they have and that this auction is a scam, and this isn't attractive at all.
...It's like they have no idea what "Evidence" actually means, or frankly what the hell Snowden actually did; it wasn't selling hacking tools on the black market!
Please don't comment like this here, regardless of how you feel about Edward Snowden. We detached this subthread from https://news.ycombinator.com/item?id=12337485 and marked it off-topic.
Edit: you've been posting a lot of unsubstantive, inflammatory comments about political topics. That's not what this site is for, so please stop.
It's the delivery, not the message. You tried to use sarcasm in a forum where it can't be too subtle to work (also, Poe's law is alive and well here). I imagine you would have received multiple upvotes instead of downvotes if you had taken a different approach.
Point well taken. Imagining Edward Snowden as my playful pathetic little brachiocephalic puppy dog stinking up his pew and being swatted on the nose with NEWSPAPER just made me giggle. I'll keep my GAS-lighting jokes to myself. Especially when it comes to LEAKING sensitive material...
That's steganography not cryptography and generally considered to be the red-headed bastard step child of actual intelligence work. Don't be ridiculous.
Its some 4chan racist idiot's idea of a red herring.
Making sure a message doesn't contain identifying words/phrases/idioms/slang and making sure it cannot identify you through statistical analysis are not steganography and both are things I would expect any security expert (you know, like the people working for the NSA) to do if they want any hope of remaining anonymous.
Without any science behind it or having first hand access to the source for the tools used to identify such words/phrases/idioms you're just amateurishly putting lipstick on a pig.
With how much caution they are taking against a nation-state adversary, I think it a bit short-sighted to think that this is just "a racist idiot's idea of a joke".
There is a large body of science behind author identification, with lots of academic papers, talks at hacker conventions, etc. I'm surprised you missed it. If the NSA did use authorship identification software, would it be unreasonable to believe that a privileged leaker would have access to such a tool? I believe that it is more likely than not a joke, but it has the same effect as a right handed person signing their name with their left hand... unless they have a habit of making "In Soviet Russia..." jokes - then they're screwed.
Clearly the harsh reaction to Snowden has done nothing in this case. I wonder what the reaction would be if Snowden would have been treated like a whistleblower and not a traitor?
Largely because Snowden is outside the political reach of the US for the moment, and the USG realizes it would be counterproductive to throw a public temper tantrum about it.
If he hadn't fled it's quite likely he would have faced the same kind of treatment as Thomas Drake and William Binney, if not harsher.
Good point. It's hard to take anything at face value in a situation like this (other than the working code itself that was released). In particular: everything in the corresponding manifesto could be complete nonsense or misdirection.
"It’s one more reason why NSA may prove to be one of Washington’s greatest liabilities rather than assets." WOW, never though I'd read that on something like Reuters, he put his foot down.. :s
The DNC is claiming a Russian Hack with wonderful support from the media. Reuters, for instance, gave over $1m to the Clinton Foundation.
When the FBI accused the N. Koreans of the Sony hack, at least there was some credible evidence conjoured up. Obama used an executive order to apply more sanctions on NK even though there were voices saying it was still inconclusive.
But now we are expected to believe the DNC has been hacked by the Russians in partnership with Trump.
Seth Rich, supposed DNC leaker gets shot in the back.
And now this.
The DNC stabs Russia in the back - Bill was happy to accept $500,000 for a speech in Moscow and the Clinton Foundation $millions just before Hillary authorized a major Uranium deal.
I sound crazed writing this, like I'm something from InfoWars. This election cycle is standing the world on its head. Be very careful who you believe.
It is "smoke and mirrors", but in completely different sense, which is clear now:
Russians have been known for a long time (whole Cold War) for being able to sacrifice one, less important spy to distract enemy's attention from more valuable one.
Now think about Snowden in this context: few years ago NSA must had been sniffing around, looking for a leak.
Suddenly, one of their employes takes few laptops with secret data and runs, ending up in Russia. NSA is furious, but on the other hand their alertness goes down. Few years later it turns out that there's still someone leaking their secrets.
Seth Rich was shot by the FBI, in order to make it _look_ like the DNC shot him.
"supposed leaker" is really stretching it. there has been zero evidence to it other than wikileaks insinuating he was, which is a bit of a shitty thing for them to have done considering now everyone is focused on that aspect rather than about who actually murdered him.
> Apple: If we're forced to build a tool to hack iPhones, someone will steal it.
> FBI: Nonsense.
> Russia: We just published NSA's hacking tools
https://twitter.com/csoghoian/status/765785340892372992