>although I don't think the NSA can just install anything on my computer
If it's not connected to a network you are probably right....otherwise 100% wrong, if your a enough valuable target. And just lets say for fun your OS is 100% bulletproof, your +30 firmware's are not.
I doubt it. From operations that went public the attack vectors are known and you can extrapolate something about their capabilities.
Of course they could get access if I were a valuable target, but that might just as well be with a large wrench. But they cannot just take control of any device.
And I think many companies might even have better capabilities. Or defense, since intelligence work is very often about industrial espionage.
You don't even exist to them. The NSA wants to infiltrate nations. They do stuff like hire a friendly foreign nation to quietly buy a security company their target depends on and then exploit that vulnerability from a host in a fourth nation.
Yes and we've seen their shit get leaked over the years. From that we can see clear patterns in what they view as valuable and where they spend their significant, but still limited focus.
With unlimited money and the given job to crack encryption, hack into systems and secure the networks of the wealthiest nation and only superpower on earth atm. It IS pretty much a unicorn, and i am pretty sure they are +20 years in the future technology-wise, and with that:
>>Arthur C. Clarke — 'Magic's just science that we don't understand yet.'
So yes Magic Unicorn describes the NSA pretty well.
Yeah, that's bullshit. For NSA-proof personal tech stack you'd rely more on tamper-evident blocks that's all. Also, security in depth and security through obscurity are much more applicable if you're a person and not an organization. Finally, +20 years head start does not mean much if you distrohop and FOMO into bleeding edge stuff like a tech podcaster.
In case you're genuinely curious, 'NSA-proof' is a portmanteau from NSA and 'idiot-proof'. Distrohopping is when people change (usually GNU/Linux) distributions once a month or so (which is an allusion at tongue-in-cheek conjecture that one can change distributions faster than NSA can break them). Have a good day, fellow human.
How many completely different browsers exist? And how many local exploitable user to root exploits exist in the Apple/Linux/BSD world's? If your a valued target and you are connected to a network you WILL be hacked.
Buddy, I'm not gonna follow this thread anymore because you seem to be baiting me to read you a lecture on OPSEC, security in depth and compartmentalization.
Assuming that time travel is impossible, NSA can't break into something that does not exist anymore. Hence the idea when facing such adversary is to provide them a constantly moving target. Although NSA might be able to break any full disc encryption given enough time, they aren't able to decrypt something that no longer exists.
This principle isn't scalable to every computer system out there and will definitely go against other requirements in most organizations, but if you are an individual, it's not hard to pull it off.
This ignores the obvious. What parts are not changing with a distro hop?
Are those parts vulnerable to the NSA?
I believe due to what was made public, that they do have that capability.
I would suggest more research. If you are actually changing distros every month, that seems like a very manual process, with many points to use an insecure config. I think your time could be better spent hardening a current system.
And yes the NSA could own your box every month (and would) if it suited them.
Check out this link, this stuff is fascinating.
> In some cases, the NSA has modified the firmware of computers and network hardware—including systems shipped by Cisco, Dell, Hewlett-Packard, Huawei, and Juniper Networks—to give its operators both eyes and ears inside the offices the agency has targeted. In others, the NSA has crafted custom BIOS exploits that can survive even the reinstallation of operating systems. And in still others, the NSA has built and deployed its own USB cables at target locations—complete with spy hardware and radio transceiver packed inside.
You pose the questions but do not answer them. Assuming distros are selected purposefully you do get quite a lot of variability. Recompiling the kernel with different hardening options alone makes many exploits impractical.
The threat modeling that you see in this thread is laughable. Nobody has infinite resources, not even NSA. They can't throw all their capability at you alone. In fact they are not even interested in any one individual. They might be interested in some groups of people like "terrorist leadership" but even in that case they don't have the need to hack all people matching that group. So at every step of the decision making process there is a cost benefit analysis. And in the end NSA will only hack some terrorist leaders, the ones deemed sufficiently significant but not any more risky then is necessary.
The amount of meetings and paperwork required for carrying out offensive action is significant and everyone involved is very risk averse. Getting superiors to sign up for an operation against an individual capable of detecting attack and thus risking attribution would only be possible if the proposed techniques can be shown to be extraordinarily stealthy. That requires replicating the system in the lab and rigorously testing methodology beforehand.
Yeah, it is hard to protect organizations from nation states. Because all sufficiently complex systems have bugs and given long enough time persistent attackers will find & exploit these bugs. But that's because organizations have other real-world priorities besides fighting NSA. These organizations can't change protocols overnight and replace core systems just for fun of it.
Individuals actually have an advantage here because they can rotate systems at will and have much higher control over their personal lives than any CEO/CTO/CISO has over their organization. As a result, yes you can raise the cost of an attack against you high enough that NSA won't bother hacking you - either because there are other people who are less protected but hacking them would fulfill the same objective or because your ass gets handed to another agency which is able to present more cost-effective solution.
Your link demonstrates this dichotomy between options that NSA has available for hacking organizations vs individuals. Individuals rarely have well documented procurement processes available for third party auditing you know.
You sir have no clue what you talking about, a payload geter in your ssd-firmware survives your distro-hop and can adapt to every OS (if your information is worth the work). And an encrypted disk...on man i stop arguing, it's obvious that you really don't have a clue.
You just keep talking straight past my points without even trying to understand them. Why bother writing answers at all?
I'm not advocating for installing a fresh OS on an exploited hardware and calling it a day, no matter how hard you try to present my words this way.
The point is to keep any single environment around only for a short period of time so that adversaries don't have enough time for replicating your systems and crafting a targeted exploit chain.
It is not meant to be the only line of defense. You would still harden every system you own, putting particular focus on tamper & intrusion detection (including retrospective analysis).
Couple that with strong compartmentalization (e.g. using different hardware for different purposes, Qubes OS style virtualization approaches) and defense in depth (exploit mitigations, traffic anonymization).
Here, I have spelled it out for you. Feel free to outline how you would approach attacking such individual adversary, even with NSA level team at your disposal. Silent assumptions being that 1) if person's physical location is known, CIA is a cheaper option than NSA and 2) failed offensive operation leaving attributable evidence is considered by NSA worse than missed opportunity.
Wow you change your meaning pretty fast, yes if you trow your laptop away after 1 hour you are pretty safe...well if the laptop is from a secure source...like amazon ;)
If it's not connected to a network you are probably right....otherwise 100% wrong, if your a enough valuable target. And just lets say for fun your OS is 100% bulletproof, your +30 firmware's are not.