In short, Quantum Insert (rather, QUANTUMINSERT) is essentially a Man in the Middle attack, where the NSA (or GCHQ in this case) injects code (potentially zero days) into the response to the HTTP request. The network of servers that perform the injection and interception is apparently codenamed QUANTUM, and has nothing to do (to our knowledge) with Quantum Computing or Quantum Cryptography.
I don't understand why timings are critical to the operation of the system. Wouldn't packet filtering + transparent proxying work just as effectively? Is this a TCP sequencing attack of some kind?
Presumably they don't have the capability to filter or modify packets passing through the exchange. So when they see the target's computer opening a connection, they have to generate a reply fast enough that it reaches the computer before LinkedIn's server's reply does.
But if they don't have the capability to modify packets, wouldn't the original LinkedIn packet get through as well? Perhaps the OS might ignore it, but it seems like it would show up in some cases.
TCP packets have a sequence number, and if the sequence number is less than what the receiving computer is expecting, the kernel will discard the packet. In fact, since so many people are behind DHCP, the discarding is probably going to happen at that level, and the actual computer will never see the second packet.
This makes the most sense. The idea is to hijack the connection and insert packets into the stream which override the original packets, due to arriving first. That's why latency matters so much.
I would assume the original packets get dropped as duplicates at the router level, but if they do get through to the end user's computer there would be a way of detecting that this attack is underway.
Hmmm, I wonder if there's a way to monitor for this on an OpenWRT router? I'd _guess_ since that's where the IP address for most people's home internet (and many people's work internet) terminates - that you'd be able to detect it there (and it isn't likely to be filtered/dropped by routers further up the chain in my ISP)?
No, networks are dumb. They do not detect duplicates; that would require vast storage! Unless you have a TCP (e.g. HTTP) proxy on the route, you will be the one filtering the duplicates.
Routers operate on the Internet Protocol layer (level 3), which has no state (or anything considered a duplicate). TCP is a layer above (level 4) and that has sequence IDs.
I'm skeptical that there is no infrastructure in place to prevent this, but if you're right, it really should be possible to make a home router plugin (for, say, OpenWRT) to detect this spoofing. This plugin could then be used to gather data on how prevalent this attack is, which would be quite interesting. Because as I see it, there is really no reason to believe this is just used for Tor exclusively.
It's easily detectable. You could put a firewall rule to mark it and log it to syslog, as this can happen at the kernel level. You will, however, get lots of false positives, as you get duplicate sequence IDs anyway in the normal course of things as connections time out and resend segments they think are lost.
LinkedIn does not make any attempt to force you onto HTTPS, so no reason to worry about it. Any site that redirects you to https from http could have that redirect hijacked, I guess, too. Presumably they just have a list of people and can wait to hack them until the next time they visit Slashdot or LinkedIn.
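The two sub-threads above (the race in which the forged reply must arrive before the genuine one, and the idea of logging duplicate sequence numbers while avoiding retransmission false positives) can be put together in a small model. This is an added example, not code from the original thread or from any real detector; the flow tuples, addresses, HTTP bodies and sequence numbers are all constructed. It keeps a per-flow map of sequence position to payload byte and only alerts when a later segment covering an already-seen range carries different bytes, because an ordinary retransmission repeats the same bytes and should not fire.

```python
"""Model of a QUANTUMINSERT-style race and an overlap-based detector.

Constructed example: a simplified receiver that keeps whichever byte arrives
first for each TCP sequence position, plus a detector that flags later
segments whose bytes disagree with what was already seen on that flow.
"""
from collections import defaultdict
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF  # TCP sequence numbers live in a 32-bit space that wraps


@dataclass(frozen=True)
class Segment:
    flow: tuple      # (src_ip, src_port, dst_ip, dst_port); constructed key, one direction
    seq: int         # sequence number of the first payload byte
    payload: bytes


class OverlapDetector:
    """Per-flow memory of which byte was seen at which sequence position."""

    def __init__(self):
        self._seen = defaultdict(dict)

    def feed(self, seg):
        """Record seg; return per-byte conflicts as (seq, previous_byte, new_byte)."""
        seen = self._seen[seg.flow]
        conflicts = []
        for i, b in enumerate(seg.payload):
            pos = (seg.seq + i) & SEQ_MASK
            prev = seen.get(pos)
            if prev is None:
                seen[pos] = b                      # first time this position is filled
            elif prev != b:
                conflicts.append((pos, prev, b))   # same position, different data: suspicious
            # prev == b is a plain retransmission and is ignored (no false positive)
        return conflicts


def summarize(conflicts):
    """Collapse per-byte conflicts into (start_seq, end_seq_exclusive) ranges."""
    ranges = []
    for pos, _old, _new in sorted(conflicts):
        if ranges and ranges[-1][1] == pos:
            ranges[-1][1] = pos + 1
        else:
            ranges.append([pos, pos + 1])
    return [tuple(r) for r in ranges]


def analyze(segments):
    """Run the detector over segments in arrival order; one alert per conflicting segment."""
    det = OverlapDetector()
    alerts = []
    for seg in segments:
        conflicts = det.feed(seg)
        if conflicts:
            alerts.append({"flow": seg.flow, "ranges": summarize(conflicts)})
    return alerts


def first_wins_reassembly(segments):
    """Simplified receiver: the first copy of each sequence position is kept and
    later copies of the same positions are dropped as already-received data.
    Returns the contiguous bytes starting at the lowest sequence number seen."""
    seen = {}
    for seg in segments:
        for i, b in enumerate(seg.payload):
            seen.setdefault((seg.seq + i) & SEQ_MASK, b)
    if not seen:
        return b""
    out, pos = bytearray(), min(seen)
    while pos in seen:
        out.append(seen[pos])
        pos = (pos + 1) & SEQ_MASK
    return bytes(out)


# Constructed sample traffic (server -> client direction of an HTTP connection).
FLOW = ("198.51.100.20", 80, "192.0.2.7", 51234)
FORGED = Segment(FLOW, 1000, b"HTTP/1.1 302 Found\r\nLocation: http://203.0.113.5/\r\nContent-Length: 0\r\n\r\n")
GENUINE = Segment(FLOW, 1000, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 28\r\n\r\n<html><body>hi</body></html>")

# A second flow with an honest retransmission: identical bytes, must not alert.
FLOW2 = ("198.51.100.21", 80, "192.0.2.7", 51235)
REPEATED = Segment(FLOW2, 5000, b"HTTP/1.1 200 OK\r\n\r\nok")

if __name__ == "__main__":
    print("client sees:", first_wins_reassembly([FORGED, GENUINE])[:40])
    for alert in analyze([FORGED, GENUINE, REPEATED, REPEATED]):
        print("overlap with differing payload on", alert["flow"], "at", alert["ranges"])
```

The race itself is visible in `first_wins_reassembly`: feed the forged segment first and the client-side bytes start with the injected 302, with the genuine 200 only contributing the tail beyond the forged length. The detector does not depend on who won the race, only on two copies of the same sequence range disagreeing, which is exactly what a retransmission never does.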
Hmm, I just tried going to that link in Chrome and Firefox on a MacBook Pro -- Still takes me to an https. Also, doing an "inspect element" on a couple of images on there show me "https://static.licdn.com/..."
All the other links on that page (about, etc) do go to http://-only pages, but at least the links you provided and their static resources all go over https.
...presumably you have 'nothing to hide', then. Previous poster must be one of those kiddie porn obsessed al-qaeda terrorists, worthy of being Quantumed whereas you are good.
The more I read about these attacks, the more I wonder if these spies consider themselves completely above the law.
Which law would govern or moderate their behaviour here in spying on politicians and companies in allied countries? Where are the boundaries, or is anyone of interest a potential target? Is all data fair game for GCHQ/NSA?
A lot of people, especially in law enforcement, don't believe that the law should apply to "the bad guys". Of course, it doesn't exactly occur to them that the reason the law is designed to apply to everyone equally is to ensure that being put in the "bad guy" bin, and the corresponding consequences, is not just up to an individual's judgment.
I can imagine that in extreme cases it is useful to have people who follow their own judgement rather than a fixed set of rules. The problem here is that these spies place practically no value on the rights of the public. Which means their judgement continually works against the public interest. Now this could be due to stupidity or corruption, but either way, it's not what you want from people who think themselves above the law.
There is simply too much money to be made in knowing where someone lives and in what bank accounts, 401k, and IRA accounts his net worth is stored. This person will not just die, my friend. This person will be died.
I strongly suspect, that like most cops – they honestly believe they're "doing the right thing", and at the same time that "those laws don't apply to us while we're doing our job".
Having said that, as a "non-US person" it's been both a sobering realisation and an extended moment of "well _duh!_" in the wake of the Snowden revelations.
Part of me agrees that if _I_ were an American taxpayer, the NSA is doing exactly what they're paid for - invading non-US-citizens privacy on the grounds that maybe it'll help protect American interests.
Any expectation of "reasonable restraint" on their invasive prying is, in retrospect, completely foolhardy on my part.
Even expecting the US legal/political system to rein them in based on "fairness" or "good manners" or even "basic human rights" is also stupidly over optimistic.
The _only_ possible parties who might work in _my_ interests here are organisations like the EFF (who I doubt have anything like the power needed to effect major change to organisations like the NSA, FBI, CIA, and FISA) - or businesses directly financially affected by my loss of trust - Microsoft/Google/Yahoo/Facebook/Apple/Dropbox (the directly implicated PRISM participants) as well as less blatantly complicit but now highly suspect companies like Amazon, eBay/PayPal, Dell, HP, LinkedIn, Twitter, FourSquare, Instagram, Pinterest, all of whom I'd be foolish to assume haven't already caved to the sort of requests Lavabit refused to, and to a lesser but equally valid extent - any company hosting infrastructure in any of the Five Eyes nations. While I don't doubt that China, Germany, Brazil, Russia, and everybody else also have well funded agencies tasked with invading the privacy of their non-citizens (as well as their own citizens to a greater or lesser degree), it's likely that Australia, Canada, New Zealand, and the UK all have access to the tools and expertise of what's likely to be the most advanced digital attacker on the planet.
My personal goal now is to reduce my reliance on US and Five Eyes based internet companies, both directly financially where I'm paying for the service, and in all the indirectly financial ways I allow them to monetize me - hello adblock, hello NoScript, hello self-destructing cookie addon, hello Better Privacy addon (and goodbye LSO cookies), hello private browsing windows everywhere… As somebody who uses Google Analytics extensively at work, I _hate_ it when people do exactly what I'm doing - but financially hitting the only organisations with any power to change domestic US policy to better align with my interest is the only sensible option I have. (Coupled, of course, with implementing/promoting strong crypto, secure anonymity, and internet services and protocols that make metadata and network analysis much less useful and as resistant as possible to the massive-scale "hoover up everything on the backbones" type surveillance we now know is already happening.)
For sure - and a great many celebrated entrepreneurs, startup founders, and fortune 500 C*Os…
I suspect many of us are somewhere on that spectrum between F. Scott Fitzgerald's "The test of a first-rate intelligence is the ability to hold two opposing ideas in mind at the same time and still retain the ability to function." and George Orwell's Doublethink: "The power of holding two contradictory beliefs in one's mind simultaneously, and accepting both of them..."
(For me, I feel most deeply my own hypocrisy about traffic laws - while on my motorcycle on empty backroads, "those speeding laws don't apply to me!", while taxi drivers failing to indicate and running red lights around town deserve the full force of _those_ laws, of course… I sometimes suspect I'd be a lot wealthier if I channeled that personal hypocrisy along a more Zuckerbergian or AirBNB-like YCombinator-approved "ask for forgiveness later" attitude towards other companies' terms of service – instead of just feeding my own adrenaline addiction…)
I searched on OPEC as the current or former employer. None of these, as far as I can tell, are actually employed by OPEC. One is a liaison from the Iran national oil ministry with a private profile, so the name isn't revealed in the search.
Without an account I can only see the first 5 of the ~300 hits. But Yasser Mufti looks like an OPEC employee to me, he's listed as the chairman of the board of governors. Maybe he's technically on Aramco's payroll, but I think that would be nitpicking since OPEC is funded by member companies.
It is if the problem is to get the public to STFU and forget. Which it usually is, to people of McCain and Alexander's ilk.
And by the way, firing Alexander would be almost like giving a cop paid vacation for shooting someone. He was going to retire in a few months anyway, and if he was to be fired he would almost certainly retain his very, very good military retirement.
And then he'll work as a do-nothing name-on-the-masthead consultant at some private equity firm or think tank.
Because they aren't the ultimate targets. They're trying to get their credentials, access and capabilities, so they can then go after whoever they're really interested in without having to ask, bribe or compel the company.
Open question whether their ultimate targets are terrorists or "everybody."
Everybody with enough financial net worth to make sure he does not just die but will be died. Strange transactions on your accounts, my friend. The balance is almost gone. Is that why you have had an accident?
Because they need to get hold of all information possible. They must know where you live. They must know what your net worth is. They must know in what bank and other accounts you are holding this net worth. They must know what other freelance crooks work at these banks. All of your financial holdings form a bounty on your head. At some point, you will not die. You simply will be died.
I think it is safe to say that, like the vast majority of known browser exploits, the injection mechanisms here also relied on javascript as a necessary component.
Thus this is another example of the potential risks to your users when designing websites that are noscript-unfriendly.
FYI, NoScript is the 4th most popular add-on for firefox.
Seems like there is an opportunity for a smart and honorable network device (CPE like a router, maybe also doing normal router/firewall duty, but maybe a standalone IDS) which, in combination with network services, can detect and optionally report this kind of molestation of packets to the user and maybe the community. DNS is the vector for many of these, and that is easy.
Snowden has basically exposed the UK/US contempt for basic human rights and the systems that support them. How can we be free while these monsters are operational? They must be shut down immediately and taken away for trial in every country whose laws they have violated...
Something similar happened to me. One day I got a call from a wrong number. The next day a letter addressed to my neighbor showed up in my mailbox. Very suspicious.
I have no idea how you could make that logical jump. I think it's more likely you own a smartphone and have applications installed that have enough privileges to siphon all your call history and then your data is up for grabs by anyone who wants it. Do you read the privileges required by the app before clicking install?
I love how utterly useless our intelligence agencies have become in the face of even the most basic encryption. Encrypt things at rest and on the fly with mutating keys and you defeat them. It's actually quite reassuring.
I'm more interested in the inserted malware code package itself -- and how widespread it is among LinkedIn accounts -- than a routine MITM by GCHQ known to be sitting with permission on the internet backbones of BT (REMEDY), Verizon Business (DACRON), Vodafone Cable (GERONTIC), Global Crossing (PINNAGE), Level 3 (LITTLE), Viatel (VITREOUS) and Interoute (STREETCAR).
Der Spiegel says they have located a Mach engineer in India on the receiving end of QI. Hopefully he had the sense to unplug from the internet before the malware could get wiped.
I wonder if GCHQ re-used some code from Flame. Might be some work here for Kaspersky Labs.
How do you know if LinkedIn look-alike spam mails were a QUANTUM trying to insert malicious code? I have gotten similar targeted look-alike LinkedIn links.
That is how they end up stealing your bitcoins too. All of these QUANTUM INSERT computers have now been targeted at getting hold of your wallet keys. Your money will be gone.
Staying in the banking system will not help either. The sum of the balances of your holdings in the banking system forms a bounty on your head.
They know who you are. They know where you live. And they damn well know how much money there is to be made in dying you.
You will not die. You will be died.
Do not hold any monetary values anywhere without them knowing where it is, because that amounts to money laundering, you criminal terrorist!
https://www.schneier.com/blog/archives/2013/10/how_the_nsa_a...