Shopping for Spy Gear: Catalog Advertises N.S.A. Toolbox (spiegel.de)
258 points by slashdotaccount on Dec 29, 2013 | 87 comments



Somehow I doubt Al Qaeda is using Juniper, but our allies (read: economic adversaries) are.

I hope the companies listed -- Dell, Cisco, Juniper, IBM, Western Digital, Seagate, Maxtor, et al -- are happy with themselves. The government's mantra has historically been similar to Microsoft's: embrace, extend, extinguish. The US Government is no different and they'll happily throw every company under the bus for the smallest advantage over their adversaries.

America's rivalry with China is continually climbing higher and higher, and we're getting dragged along whether we like it or not. The unshakable intertwining of private and public industries, the scorched-earth economic policies where private industry is consumed for the benefit of the public, the unlimited spying powers -- all to stay ahead of China.

The real kicker is that this kind of spying power compounds on itself -- as soon as we get Juniper gear exploited then we can move onto infiltrating Seagate's intranets, and then we can use Seagate exploits to more easily dig into hard-drives accessible by us/in custody by us. We may never be able to make a distinction between which tech companies have been exploited and which are wilfully/maliciously passing vulnerability information to the US Government.


> I hope the companies listed -- Dell, Cisco, Juniper, IBM, Western Digital, Seagate, Maxtor, et al -- are happy with themselves.

I'm not going to say that these companies are fantastic. I'm just not, but I will say that perhaps this isn't really their fault.

Let's say that BIND has a critical vulnerability that allows people to snoop on the requests made. Does that make the ISC guilty of giving the NSA access to every BIND DNS server on the internet?

No, it doesn't.


The question is whether these exploits are accidents or the result of companies giving in to pressure from the NSA.

If the Snowden revelations are to be believed, at least some of the exploits were the result of giving in to NSA pressure.

But the problem with this is that it breaks the chain of trust that a company has with its customers. Once you know the NSA is secretly applying pressure to force some vulnerabilities to remain open, how can you know they aren't doing that with any given vulnerability?


My guess is that it's all of the above. You're talking about a massive, compartmentalized organization.

I'm sure that different groups approach their data acquisition activities with multiple channels, if for no reason other than to prevent other NSA people from knowing about what they are doing.


AQ doesn't buy directly from Juniper (I think), but they definitely use networks which are Juniper powered (at least based on the Juniper sales volumes I saw going to Middle Eastern carriers). The point would be to attack a carrier in a foreign country, then use that to attack their users (who may be AQ).


Where did "IBM" appear in the story? I can't find it.


This new information puts American companies at even more risk of lost sales, since given two companies, American Company and Foreign Company, the NSA is always going to have a massive advantage in penetrating the American company to get as much information as they want to produce these backdoors. Whenever they fail to remotely access the company networks containing the IP for all the equipment they want to target, they have many more options available to physically access the network of these companies, possibly going as far as having a mole working at the companies, exfiltrating the IP they need to produce the tools in the catalog or even deliberately putting in backdoors.

This is probably the most damning information I've seen of NSA activities. This is anti-American activity since it clearly harms US economic interests. This, coupled with the policy that spying on foreigners is fair game, is enough to give any foreign government or company reason never to purchase equipment from US tech companies.

As an engineer in the US, this makes my blood boil. I really hope that this new information generates more interest in open-source network software and hardware.


Planting moles in foreign organizations is the explicit purpose and core competency of foreign intelligence agencies. It's only inside the US where that activity is (supposed to be) forbidden.

You should assume that the US intelligence community is already doing this to foreign tech corporations and has been forever.


That's exactly my point. It was supposed to be forbidden domestically and that added trust to US-made technologies. However, now that we've learned that US companies are completely fair game, the level of access the government has to domestic companies via moles, NSLs and other acts of espionage, we should assume that domestic companies are far more compromised than foreign companies. This assumption is not only reasonable but the responsible assumption to hold if you are a foreigner.


I think that's an issue with services-based businesses like SaaS/PaaS/cloud providers. You're also making an assumption that national affiliation matters in a global company.

With hardware companies, I doubt there's much of a difference. Getting a mole placed in a foreign company is totally achievable, just a different set of motivators for the mole. Actually, you don't need to compromise an OEM computer or network manufacturer. Just pay off a contractor in the supply chain who manufactures key parts.

Even in the case of services/cloud, I doubt it matters. If the NSA hacked the chancellor of Germany's personal phone, what makes you think that they haven't compromised German cloud providers as well?


Juniper were making good inroads into the corporate firewall market at the expense of Checkpoint. It'll be interesting to see whether this sees a move back to Checkpoint as the firewall product of choice.


Another reason to consider pfSense (which could use a crowdfunded secaudit like TrueCrypt).


More info on Checkpoint? What about an open-source alternative to both?


As they're an Israeli company, I'm sure that they won't be making inroads in the Middle Eastern markets.


After all these years of free software proponents advocating for open source BIOSes and getting mocked for their supposed impracticality, we see the truth.


NSA is not exploiting or pre-backdooring the BIOS, it's just reflashing it with a malicious payload to keep the system infection alive. No amount of open source anything would make them unable to do this.


In fact, the things that would make it difficult to do this are routinely criticized by "open source" partisans as tools for suppressing Linux.


The things that make it difficult to do this are only obstacles to adversaries that don't have access to Intel's secret keys. If you have those, by design you can both bypass secure boot and reflash the BIOS with whatever code you like, and the very same restrictions that stop normal users from doing those things also make it impossible for them to detect that it's happened. The NSA has an entire well-funded division dedicated to helping enable eavesdropping by retrieving information like those keys.

Those security features are genuinely only useful for stopping people from installing Linux and open BIOSes. They can only protect computers from their users, not from the NSA.


Exactly. The Lavabit example is 100% clear: one user is enough for three-letter agencies to get the court request for all the private keys.


The only way trusted computing secures your computer is if you install a TPM chip with your own certificate and constantly verify that it is active. If it runs software signed by Microsoft or Apple, it's useless against a state agent.


Presuming, of course, that the TPM wasn't backdoored (or even just had keys held in escrow where the NSA could reach them), which would be more or less impossible to verify.


Yeah, I'm sure that 'trusted computing' isn't effectively the Clipper Chip by another name.

Remember one simple fact: with all such schemes, the end user is the one party involved who isn't trusted.


They have to gain access to the machine first to do the reflashing. Closed source systems make this a lot easier.

Apple's software update process allows for remote targeting of individual machines by MAC address, for example.


This is interesting. Where is this information taken from?


But is that the point? Maybe the solution is not to try to prevent someone else from manipulating your computer. Maybe the better approach is to give the user full control of her computer, including the BIOS.

For reasons that fall far short of evading intelligence agencies, the user should be able to flash her own BIOS whenever she wants.

Better and more choices in open source BIOS solutions might help in this regard.

In my opinion, it is precisely the notion that the user need never control her BIOS that was used to try to maintain IBM's monopoly on the PC, and later to maintain Microsoft's monopoly on the PC OS. Whatever the motivation might be, I would welcome a renewed focus on making the BIOS open and something that a user can choose, just as she chooses her own bootloader and OS.


Why? From the article, they seem to have broken into equipment the same way that "security researchers" would do. They just keep the information for themselves instead of selling it to the vendor, a security company, or the black market.

Any pen-testing company has a big list of tools that it keeps internally for breaking into things. Did anyone think that the NSA wouldn't have as big a list of its own?


The NSA has a lot more resources than independent security researchers, and it takes a lot more resources to find vulnerabilities when the software is closed source. If it had been open source, those vulnerabilities would have been much more likely to have been found by independent security researchers as well, and then patched.


Assuming that the "independent security researchers" were being paid to do it by someone with wholly good intentions, sure.

But lots of open-source software has giant vulnerabilities sitting around for years because no one skilled in the art has done the drudge work of going through the code looking for bugs. High-status projects like OpenSSL or qmail will always have a sufficiently large community of researchers constantly combing over them, but the assumption of "well, it's open-source, so someone must have looked through it for security holes" self-fails because everyone assumes someone else did the hard work and often no one does.

And if "people looking through the code for exploits" is the measure of a secure code-base, then Windows is the most secure platform ever. Vast numbers of very very qualified (read: expensive) people have looked through that source code specifically to find security holes.


What exactly is your argument? That closed-source is more secure than open-source, because there are no 'guarantees' that the open-source project gets the security audit it needs?

Hogwash.

There is no guarantee that just because something is closed-source, it's going to be 'safer' or necessarily 'more secure'.

Billion-dollar security industries have risen because Microsoft won't/can't fix its bugs.


You might wish I had said that closed-source was more secure than open-source, but I didn't say that.

However, I am pointing out that the argument of "open-source is more secure because lots of security researchers worked hard to find all the bugs" necessarily leads to the conclusion that Windows is the most secure thing ever. Armies of people have looked at that, both internally and externally.

I also said nothing whatsoever about "guarantees." But the idea that the very expensive labor needed to look through a code-base for vulnerabilities somehow shows up for free merely because a project is open-source is deeply flawed.


First of all, Windows is not the most secure thing ever, by far.

Second of all, far more eyeballs have looked at the Linux Kernel than the Windows kernel. Far, far more. A factor of 100x more, I would imagine.


I did not claim that Windows was the most secure thing ever. I was just giving the logical result of "the most audited code is the most secure code."

Yes, lots of people have looked at the Linux kernel. Looking at something doesn't make it more secure. In fact, Linus has to spend some of his time dealing with assholes who decide the best way to submit pull requests is by making petitions on change.org to get Linux to change its RNG.

If right now a thousand PHP developers decided to look at qmail's source to look for bugs, djb would just think "oh shit, now I have to deal with that today." You need people highly skilled in the art. The most high profile open-source projects can muster that for free, but by definition most open source projects cannot be the most high profile.


"given enough eyeballs, all bugs are shallow" -- Linus's law.

The fallacy that closed source projects have fewer security flaws is not strictly true.


You know those are Eric Raymond's words, not Linus's, right?

I didn't say that closed-source was more secure. I did, however, point out the problems with the statement open-source is more secure because it's more audited. Those problems are 1: if "auditing" is the measure of security, then Windows wins everything, hands down, game over, everyone else go home; and 2: you are assuming that the expensive labor is showing up for free. They will for some projects, but not for most.

(Also, lots of security bugs aren't because there have been insufficient eyeballs looking at a problem, but because the eyeballs looking at the problem are insufficiently skilled.)


I'm not entirely certain what metric you are using to say Windows is more secure because it has had more eyeballs. I would assume the fair metric is eyeball hours per line of code, which I would assume is much lower for Windows than for Linux. There are probably many parts of the Windows codebase that, once written and demonstrated to be working, have not received any real attention since. With Linux and other popular open-source programs, their lines of code have probably been reviewed by every serious senior software engineer that has decided to get involved in those codebases for one reason or another.

There is no reason to think that the eyeballs looking at the Windows source code (i.e. Microsoft employees) are any more skilled than those in the open source community looking over Linux source code. There are probably many parts of the Windows codebase that were written by junior engineers and given the OK by a senior engineer if the code worked and didn't look obviously broken. Much of that code probably hasn't been combed over since, because it would only be combed over by the few people that have access to it, and the fewer still who have both access and a reason to comb over it because it's part of a task they are currently assigned to work on.


I'm sorry but I don't think this argument holds any water.

Not once has there ever been a single organization that writes software where the product automatically becomes more secure by virtue of it being 'closed source'.

Quite frankly I've seen far more of the opposite. When the software WAS closed source, more often than not we see this being used as an expressway to cut corners! Things like "Nobody will ever do X", or, this is safe because "Who will try that!"

And then there's my personal favorite: Where you get a company where all of the programmers are too stuck up in their own world to even realize that their product is completely dangerous and bug-ridden with issues because their code is NEVER scrutinized in the public eye!

There's a much bigger reason why code is way better off as open source in the long run:

  Public Ridicule, Public Oversight, and Community Integration.

All of these things stop people from basically writing what boils down to 'speculative garbage'!

You'll still get the odd-ball where one guy from the NSA might find one exploit -- but I think that the cost of that issue alone definitely does not outweigh the earlier gains from open sourcing code.


I think that's true for only a subset of the claimed catalog. The article claims "the catalog even lists the prices for these electronic break-in tools, with costs ranging from free to $250,000". I suspect all of the ones with a cost are with the consent of the manufacturer, as why would there be a charge for an internally developed exploit?


I don't know how to quote on HN but here's what they say in the article.

"Some of the equipment available is quite inexpensive. A rigged monitor cable that allows "TAO personnel to see what is displayed on the targeted monitor," for example, is available for just $30. But an "active GSM base station" -- a tool that makes it possible to mimic a mobile phone tower and thus monitor cell phones -- costs a full $40,000. Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million."


And the NSA is {possibly|likely} monitoring the internal communications of those pen testing companies.


That doesn't guarantee that a legit reviewer of an open source BIOS missed a vulnerability that the NSA found.


It at least opens up the possibility of that happening if it was open source.


Your point?


The NSA must have an enormous pile of unknown exploits to facilitate all that. I wonder how they prevent other US agencies and government networks from being vulnerable to the exploits the NSA uses itself, or if they even bother trying to do that.

Leaving pretty much the entire IT infrastructure vulnerable seems like a very dangerous strategy.


> Leaving pretty much the entire IT infrastructure vulnerable seems like a very dangerous strategy.

From NSA's perspective? I'm not so sure. A severe attack on US infrastructure would probably mean just more money and more legal power thrown at NSA to "fix it". Then NSA will continue to do what they've done so far - put most of that "security" money, into offensive capabilities. So the cycle will continue, as the systems remain vulnerable.


It is fascinating that if they just would inform vendors on their security vulnerabilities and have them patched, that this would probably make us more secure than the eavesdropping they can do with the exploits.


It depends on the resources involved.

A big assumption that lots of bug-hunters make is that "this is one of the last bugs, and once fixed, the product will be much more secure." But there are always more bugs. If you assume that there are more exploitable bugs beyond the one you are fixing now, it means that the vendors and customers have to spend time and money patching things, and won't really be any more secure afterwards.

Also "if I found it, so can The Bad Guys" is something that applies to individuals and small research teams. It's not necessarily the case that when the NSA finds something that other people are going to find it, too.

Also, unlike most security researchers, the NSA has the resources to monitor if other people are exploiting the vulnerabilities they found.

I'm not saying that the country wouldn't be safer if the NSA disclosed these vulnerabilities to vendors. I'm only saying that many of the common heuristics that researchers assume as true may not be, and especially not when applied to the NSA.


...there are always more bugs.

True but trivial. It's much more instructive to pay attention to the rate at which vulnerabilities are discovered. For qmail, e.g., that rate is very close to zero per decade. For less secure products the rate varies over time; some researchers have noted a sort of "honeymoon" period that protects new code. Packages that don't in some sense eventually "settle down" after that period ends ought to be replaced. Or perhaps they are important or unimportant enough to mitigate their vulnerabilities through other means.


We don't know what we are missing. The Iranian NSA may miss what we found. But it still is a dangerous game that is being played: leaving the doors open and watching them closely. Or they just don't care about most organisations being compromised.


That's the idea -- it's OK to pour hundreds of millions of dollars into offensive operations, but defensive operations? Nope, we can't be too quick to put up the walls otherwise our enemies will learn of our 'defensive' techniques and do the same.

Furthermore it's an inevitability that our adversaries learn of these offensive techniques, so attempting to keep them a secret is simply a race against time -- and I don't think that's a race we can win. At this point we're arrogantly exercising recklessness and negligence on the hope that we can stay ahead of the wave.


This allows them to also spy on the US government, which can provide them with valuable information as well. They cannot advertise that the hardware is insecure without giving up their position and capabilities.


The damage that this does to US software and hardware manufacturers and service providers like hosting companies is incalculable. The NSA is providing a strong ongoing incentive to buy your hardware offshore and host your servers offshore. As an American entrepreneur I'm horrified by the long term implications of this. It seems for all the mathematicians they employ they're unable to see that the long term cost of these programs far outweighs the short term benefits.


The NSA also got Huawei's stuff too. I highly doubt a Chinese company was cooperating with the NSA. Really, it seems like the NSA just went after market leaders and developed exploits against those systems. As far as this article suggests, they had no internal help in doing so.

Not using US equipment probably does little. The solution is to make secure equipment that is harder to exploit. Moreover, the argument can be made that if the NSA can find these issues, so can others that the US government considers a threat to national security.


You don't think similar conditions apply to overseas manufacturers? That equipment made by companies in, say, France is considered sacrosanct by the French government?


If you host your stuff offshore, the NSA actually has an easier time as far as bureaucracy goes in attempting to hack into it.


This is it.

Literally everything is infected.

Again, either the NSA goes (and you know that won't happen) or information technology goes or democracy as we know it goes.

Everyone, take your pick now.


This is effectively a weapons system, and any country with budget can build the same system or better. To stop the NSA would be unilateral disarmament, without reason to expect others to cut back on their infowar programs.


Or you know maybe we can demand that this unit actively try to help these companies improve the security of everything in the catalog so that we are all secure. Knowingly allowing vulnerabilities to persist in equipment that a US citizen or US corporation purchases from companies like Juniper Networks or Cisco is akin to leaving them unprotected and defenseless against malicious adversaries.

We're not asking for disarmament. We're asking for de-weaponization by retasking the TAO and the unit that produces these products to work on defensive activities instead of offensive activities. For a long time many, except those considered tin-foil hatters, viewed the NSA as fundamentally providing a useful service to protect Americans and American companies. Now it's clear the tin-foil hatters were right and that the NSA is essentially an offensive organization and that even American citizens and companies are victims of those offensive capabilities.


The demoralization process is complete.


So essentially an internal, military-grade Metasploit.

It's not surprising that NSA would develop and maintain a strong repertoire of exploits for popular infrastructure. What else did you think an organization tasked "to produce foreign signals intelligence information" was doing with all those computer security experts on staff?

Is there evidence that NSA was planting backdoors or that US tech firms were cooperating? Isn't it more likely that NSA was simply discovering (and possibly purchasing) 0-days just like everyone else?

They can do that with foreign equipment just as easily. Switching to non-US hardware is just irrational.


Stallman was right. Again. http://stallman.org/stallman-computing.html

Trust nothing. Everything is a lie.


Anyone have a copy of the supposed catalog? I didn't find a source in the article.



I do love how even in the most secretive of government organisations, there's still some guy who sits around on company time badly photoshopping the Intel Inside logo to mockingly promote their goals.


If WikiLeaks had gotten a copy from Snowden, you would have had this catalog now.


It is pretty ridiculous that the press is somewhat exempt from providing sources for their statements.

Wikileaks would have been much better.


How on earth could this possibly be verified?

If I was the NSA right now, I would be "leaking" tons of fake, and fantastic, stories about myself in order to discredit any legitimate concerns.

I can imagine the talking heads now: "Well, what else were these conspiracy theorists wrong about? Personally I'm glad somebody is out there protecting our freedom."

etc.


From the reporting, it looks like they had official documents with an actual price list for various exploits, along with details about what they entailed ("rigged monitor cable", "USB nubs"). What exactly do you consider to be 'verified'? Alexander or Clapper standing up and owning up to it? Good luck with that...


A second source would be nice, at least.

This article appears to derive its facts entirely from the mystery catalogue. If, hypothetically, the catalogue was drawn up by a bored NSA intern as an April Fool's joke, this article doesn't provide any solid proof to dispute that notion.


There is little Jake Appelbaum (one of the listed authors of this piece) won't do or say for media attention and public credibility.

Documents would be plausible. "Trust us, we've read them" from someone widely known to lie and steal is another matter entirely.

Entirely unsubstantiated rumors on the internets suggest that Jake got a talk pulled this week from the CCC hacker conference presently underway in Hamburg (which he keynoted last year) that was due to explore his motives and relationship with the US government, as he is the only US citizen publicly affiliated with Wikileaks and has not yet been charged, arrested, or imprisoned (and Wikileaks has not really done anything damaging to the US government since CM/Cablegate).

Don't believe everything you read.


You've made a number of accusations toward Appelbaum, a well respected researcher, without providing any evidence. This generally is a sign that someone is acting in bad faith.

Care to provide sources, or does the person asking me not to believe everything I read expect me to take his claims on faith and "entirely unsubstantiated rumor"?


> a well respected researcher

He's only well respected outside of the security research community. Those inside know him better than that.

> This generally is a sign that someone is acting in bad faith.

Indeed, this is why many people directly affected by his harassment, backstabbing, and general underhanded techniques employed in his pursuit of fame and glory choose to ignore him rather than directly and publicly address his treachery.

Unfortunately, that means his past goes unreported.

I hold lay opinions of my reputation in little regard, so I (unlike many friends of mine) have no issue saying what I know.

It's all hearsay by the time it gets to you, though, as I'm the first hop away with many of these reports. I'm not interested in opening myself up to a libel suit.

For a general impression of his behavior, please go review his own posts on the noisebridge mailing list archives. Don't take my word for it.


He hasn't been charged or arrested per se, but he quite regularly talks about other forms of intimidation he undergoes. Laptops confiscated, apartment broken into, phone calls, border detainments.

Also, there were two other reporters who filed that story, and it is showing up in a reputable journalistic source - Der Spiegel. I am inclined to believe it, given the very specific details they have highlighted about TAO and ANT.


Citations please or you just come off as someone bitter who wants to diss on people.

Entirely unsubstantiated rumors suggest lots of things about sneak too. See how easy it is? :-)


I'm not interested in playing telephone or opening myself up to libel accusations.

I have direct accounts of his treachery and deceit.

By the time I tell you, the second hop, now they're rumor. See the problem?


So all we ask is for some proof. That's all. If there is proof, even if it is the second hop or the tenth hop, it doesn't matter.


Then why post anything at all?


Any links to substantiate the rumor that jake pulled a talk? More info please?


What motivation would he have to lie about documents also possessed by Glenn Greenwald and Barton Gellman? I'm sure Glenn would gleefully point out misinformation. And Ed Snowden is in constant contact with them.


This sort of news makes me shake my head. The scammers are trying to get in, the NSA is in, and now every other state security organisation will feel that if they don't try to get in they will be falling behind.

All I want to do is keep clients safe and out of all this cross-fire.


With a proper oversight regime and individualized warrants, I can see this being an acceptable use of NSA power. With the absurd degree of intrusive latitude the NSA possesses now, it just makes it easier for them to violate civil liberties on a massive scale. Very few people can avoid being compromised by backdoors in these devices and companies, the same way very few people can avoid the physical threat of government aggression. The difference is that the latter has a far more robust system of controls to ensure it is used judiciously and ethically. Until the former has the same, we need to do everything we can to limit or invalidate the NSA's power.


How did this get submitted when the exact same link was posted 2 hours ago? https://news.ycombinator.com/item?id=6979240


It seems spiegel.de vs www.spiegel.de wasn't caught by HN's duplicate URL detection.


www subdomain on the original


This article feels like it may be somewhat misleading around the use of the term "back door".

If the NSA has in fact backdoored all of those products, kudos for keeping it quiet for this long!

If, however, these products have vulnerabilities in them, like all software does, and the NSA has access to these vulnerabilities (like numerous other people do), it's not quite as devious.

In that case they didn't have a super-secret backdoor installed with no-one noticing, but in fact discovered that the window wasn't locked, and kept that a secret.


Mostly OT: besides the technical details, I'm interested in seeing the actual descriptive text for these items. In my mind, the tone would be something similar to this parody http://www.teamfortress.com/sniper_vs_spy/day04_english.htm


Can't wait to get Google Glass...


To which the NSA's answer will be, "Yo, dawg, we heard you like spying..."

