This article states the NSA developed an exploit for a product made by a Chinese networking and telecommunications firm. Honest question for HN readers inside the US: does anyone seriously have a problem with this? In my mind it falls squarely within the NSA's mission, i.e. this is we pay them to do! Question for HN readers outside the US: can you credibly claim your intelligence agencies aren't trying to do the same thing?
For those thinking about whether such things could be used inside the United States. Of course they can. So can all the equipment and weapons the military buys. And it's happened before! The gun in the Fort Hood shootings was bought and paid for by US tax dollars and it was used to kill a civilian. So this raises the question, is the military to be trusted with weaponry it needs for its defense mission even though they could be used in the US? Similarly, is the NSA to be trusted with exploits it needs for its SIGINT mission? Interesting question. An infantryman could go rogue at any time and use his service weapon against US citizens and someone at the NSA could use an exploit for personal gain, but on the whole I believe the system accounts for these possibilities in a reasonable and controlled way.
If this information is true, it seems a little crazy to me to be propagating it since there isn't really a domestic/whistleblower angle. At least, no more of a domestic angle than the military developing a new missile. Some of Snowden's disclosures are responsible for starting a productive civil liberties debate in the United States, there's no denying that. But these disclosures are ones of a different color in my opinion.
Are you serious when making this comment ? "does anyone seriously have a problem with this? In my mind it falls squarely within the NSA's mission, i.e. this is we pay them to do!"
So, I guess you are fine the US Military keeping and maintaining ready-to-fire, nuclear weapons, at pointed targets all around the world, just because "they are paid to do so" ? With this kind of logic we will never get rid of the nuclear deterrence theory, and we'll keep that shadow over our heads until someone actually pulls the trigger one day. But it's ok, because "they are paid to do so" ?
In the US "what we pay them to do" is vernacular for "it's their assigned job" or "it's what we asked them to do". I admit it's a bit of a weird phrase but its not actually referring to money. To your point: if the claim is that we're asking our military or our intelligence agencies to do things that aren't effective, then let's have that debate. Nuclear force reduction and end illegal surveillance? Sure. Nuclear disarmament and shutting down our SIGINT mission? Not so much.
This is why the people responsible (i.e. commanding officers, if the war crime was under orders) are tried, and the people committing them have to deal with processing it.
Several thousand Japanese soldiers, the vast majority of which were not command staff, were tried for war crimes. About 1000 were sentenced to hang, and many more were sentenced to life in prison or long prison terms.
> Nuclear disarmament and shutting down our SIGINT mission?
I assume you missed the excellent post about "Everything in Dr Strangelove was true" a couple of days ago ? Maybe that will make you think twice about how safe it is to actually have nuclear weapons.
But that's a different topic.
Back on your original post, my main issue with what you wrote is that you seemed to justify something intolerable just because "people are paid for that".
Most people are good. You're born good. You are friendly and welcoming and like to make friends. But ultimately we grow up and fall victim to the tragedy of human condition. We form tribes, we alienate others, we hold grudges, we harbor prejudice. You can't just go around with a happy-go-lucky attitude when it comes to life. There are bad people out there. I think dropping bombs on people is wrong. I do not, however, have a problem with keeping a ton of pre-aimed nuclear weapons armed and ready. I'm all about our nations defense. People can't fuck with us, they'll lose. It's a deterrent.
kids care first and foremost about themselves, like adults do, but worse.
I had seen 10 years old killing a dog with wooden spears just for fun(or curiosity or whatever crazy reason), cutting the tail of reptiles or just smashing them with stones. Or beating , insulting, humiliating other kids for the same reasons.
Not that far from Romans wondering how much time it will take for a Lion to kill a slave.
I did not argue on that point, but I tend to agree with you there. Kids are usually way worse than adults in regard to how they treat people around them. Maybe it's because they don't realize the harm that they do, or they don't understand responsibility in the same way an adult does. Education is what makes them behave and understand how they can hurt other people.
You only notice the bad. Go look for some good in people: you'll find it. But you're not wired to look for good, by default. You do have to work at it.. doesn't mean that people aren't good. Just that you haven't noticed yet.
(Hint: this viewpoint will probably change for you when you have your own kids one day, if you do ..)
Except that deterrence does not really work. There are weapons out there who are in the hands of people you do not control, and who knows, one day they may turn out crazy and launch a nuclear strike on the US. And because of their condition, they won't care less about total annihilation (they'll be safely in a bunker anyway) of their country and citizens as long as they can harm your country.
So, deterrence only works if your opponent has something TO LOSE. That's the whole concept, and the limits of the concept. That's why people get nervous about North Korea (and their elite who lets their own people starve to death), no matter how many nukes you have in your backyard to deter them from doing anything. There are some cases where it won't work.
PS: during the Cuba crisis, some nuclear russian submarines were THAT close to launching a strike on the US (2 of the 3 people in place were in favor of doing it until the 3rd one managed to calm them down), and they were sensible people who knew very well what it would mean for their mother country as well in terms of retaliation. Again. Deterrence is really a weak theory.
As long as the programs are 1) targeted against actual threats and 2) controlled by judicial oversight, I don't think there is a problem. The reason people are reporting on it is probably because there is currently little to no reason to believe 1 and 2 actually occur in practice when it comes to the NSA.
Right now, it is absolutely in the public interest to reveal the shrouded capabilities of an agency that has in so many respects gone totally rogue in their pursuit of absolute security for themselves and their elite patrons. Their purported ends definitely do not justify their excessive means.
Milton Friedman was onto something when he said this:
>To deny that the end justifies the means is indirectly to assert that the end in question is not the ultimate end, that the ultimate end is itself the use of the proper means. Desirable or not, any end that can be attained only by the use of bad means must give way to the more basic end of the use of acceptable means.
In a free society, such a means must withstand the test of Constitutional, Congressional, Judicial, and ultimately, Popular review. When they rebuild their credibility with some actual accountability and transparency, then they can expect to see the decision making calculus in editing rooms change.
Honestly, I view the TAO disclosures as proof that we don't need an internet-wide dragnet. They have so many tools at their disposal for targeted access that I think they should do things the "old fashioned" way: establish probable cause, receive an ordinary search warrant from regular judges, and then do their snooping.
That's probably terribly naive about how the TAO exploits are actually used, but it's what I'd be comfortable with.
RE: responsible disclosure: I think since they're from 2008, it's less damaging than anything current.
While I certainly understand the idea that reporters should avoid disclosing sources and methods there are two things that warrant further consideration. First Bruce Schneier as a security researcher has knowledge of a vulnerability. A vulnerability is a vulnerability and this is one we know at least one actor is exploiting. He has a responsibility to report this. This takes me to what I think is the most interesting part of this whole Snowden situation. We now know with certainty that everything can be subverted. All those theoretical and academic ideas are being actively exploited by at least one actor. If we assume NSA as the high watermark its only a matter of time before less resourced nations and well resourced or placed companies start doing the same. Now that we know roughly the price to surveil the world I don't know how we ever put that back in the box.
From your tone it sounds like you think such a vulnerability is so obvious that it shouldn't even be mentioned as such. Regardless of how defenseless any device is to an attacker with physical access, the point of Schneier's article was to
>discuss how the exploit works, how we might detect it, how it has probably been improved since the catalog entry in 2008, and so on
Do you have a specific issue with this approach to the leak? After all, if such exploits are so obvious and predictable from an attacker like the NSA, it is probably prudent to consider how to defend against them no?
The US can't claim that it's unacceptable for China to plant backdoors in its hardware, but its perfectly fine for the US to do so.
Well, actually, they can claim that, and they do. But it takes a fair amount of mental acrobatics to reconcile this contradiction unless you've been firmly indoctrinated in the notion that the US are the "good guys" and the Chinese are the "bad guys".
> Question for HN readers outside the US: can you credibly claim your intelligence agencies aren't trying to do the same thing?
I am an HN reader outside the US and I don't understand why does this matter, at all? Extending your views we might end up killing people for different views, because somewhere else is customary to do so.
I can see that your world view is disrupted: In order for you to have a cause, you need a villain, like in the movies, to justify your actions. But this is not Hollywood and doing something illegal, unethical and ultimately unacceptable says that we can't trust you among other things.
NOTE: Implying that someone is doing something illegal, and knowing that he is doing it, are two totally different things. Also, to answer your question, even if my country's agency did that, I would still find the action of installing remote backdoors repulsive.
Admit it! The Greek navy wants a carrier battle group. And one of those nifty titanium submarines for tapping into underwater fibers. Lust in the heart is just as great a sin!
With comments and attitudes like this, how can the rest of the world trust US tech companies to secure users privacy ? Apparently if you are outside US your data is fair game for everyone.
I'm an outsider, living in a country that has a serious record in the "violating human rights for political purposes" department.
I seriously do have a problem with the US military having this capability. The fact that there is no way to detect this intrusion, and little that can be done to protect against it - completely eradicates all value that I might obtain by having such a router technology in my midst.
Do you - seriously - think that having a top-secret, answers-to-nobody government agency whose primary purpose is the subversion of technology is a good thing?
Because I'll tell you something: the existence of the NSA is degrading to all technology innovators, everywhere. The NSA is doing to computers, what Big Pharma has done to medicine - made it so untrustworthy a subject that it turns a lot of people off the very real benefits that can be obtained.
Yes, I do have a problem as an outsider with the NSA having this capability. I also would have a problem if the local government had this capability. I do not believe that a free people deserve to have their technologies subverted for the purposes of the few...
Which makes me think. What is the general outcome of iterated prisoners dilemma depending on what level of information is available to involved agents about the actions of other particular agents? If it is known what agents did what in the last iteration the choices would probably become different. If you know that others will become aware of your actions you will be different etc. It stops being prisoners and become just game theory from there.
Well, I certainly hope that more of them will move towards Tit-for-Tat with forgiveness (and that forgiveness will win out in the end), if that's what you're saying.
This kind of comment always makes me smile. Half-assed complaints that people make because no one gives a crap about what happens in the world unless it personally affects them. In my opinion it's as simple as "do you think it's good to spy on people?". And if you truly care and your answer is no then you will go out of your way to make it stop. Half measures don't change anything.
I care deeply about what happens in the world and I also think countries having intelligence agencies is ok. This may seem contradictory to you but I don't think it is. I recognize that there are people who do not believe spying is ok, a sentiment most famously summed up by "gentlemen do not read each other's mail." Based on how that doctrine worked out, I simply can't support it. I'm willing to have that debate though.
There's nothing half-assed about it. To my mind, half-assed is saying "spying is bad and we should stop doing it".
If we stop, how do we make everyone else stop? We can't. So we're not living in a world without spying, we're just living a world where we're at competitive disadvantage to other entities spying on us.
Yet, somehow, dozens of governments that do not spy, because they do not have either the resources to do an effective job of it, or they do not have a mandate to do it, manage to continue to operate. The economies they govern continue to operate. Some of them very prosperously.
Spying by the US government could be cut back VERY sharply and do the US no harm, especially against those governments that are both friendly and that cannot support an effective spying mechanism against the US.
There is a ton of Hobbesian bullshit floating around here. We'd be cheating on all our treaties, too, just because some countries do that, if this whole "state of nature" bullshit actually applied.
> dozens of governments that do not spy, because they do not have either the resources to do an effective job of it, or they do not have a mandate to do it,
Which countries are these? As far as I can tell, every country in the UN has an intelligence agency. Which would mean they spy on somebody, and "effectiveness" seems like a bit of a weasel-y standard.
Which, these days, buys fewer than 5000 active duty personnel. Total. Including officers, enlisted, logistics, medics, etc. This is a speed bump between Putin and Riga. It is symbolic, to show Latvia could contribute some personnel to joint operations. Some parts, like the air force, are probably below minimum table stakes and are completely militarily ineffective.
I expect the signals intelligence effort to be proportionate and be similarly militarily relevant.
Let's say you have a sack of potatoes for that IE 'sploit. Now you have to target it, plant it, exfiltrate data, analyze the data, and provide a context for it among other data gathered, store the data and the analysis, etc.
Compare this to Latvia spending a serious fraction of the military budget keeping, maybe, a couple obsolete, militarily irrelevant, and expensive to maintain Russian helicopters flying. There is a level below which simply saying that you have an air force, or signals intelligence, amounts to nothing of any significance.
Many many nations are in that condition, or are able to do no more than haphazardly tap their own switches and harass some dissidents.
The scale at which the NSA operates is commensurate to that of a navy with a dozen carrier battle groups. Even China cannot put an air wing on one antique (ok, "vintage") carrier. Nobody on the whole planet operates the way the NSA does. The people of the US have vast scope to change that before it even comes close to affecting a balance of effectiveness versus actual adversaries, never mind being in all our supposed freinds' pants.
By diverting the resources currently used for hacking towards securing. Instead of spending billions in discovering (or injecting) vulnerabilities, why not spend money in fixing and securing infrastructure for all?
* Publish a list of vulnerabilities to manufacturers first and, in time, to public.
* Make an open-source scanner that reports (to the user) vulnerabilities in user's hardware / software.
* Spread awareness about security to the general public. This includes making them aware of the above two, as well as low-hanging fruits such as "stronger passwords", "don't reuse passwords", etc.
* Have regulatory bodies that shame / ban manufacturers that don't publish security updates. I am not a fan of regulation, but this is much more appropriate regulation than banning manufacturers for designing round-corners around screens.
* Create an agency where white-hat hackers can independently submit their findings and sponsor their work.
These are just the top off my head; would love if someone criticizes them.
There are some interesting ideas in here. Comments:
* Even private vulnerability research venues don't reliably publish to the public. When vendors pay bounties, they often keep the vulnerabilities quiet.
* NSA already does security awareness. For instance, they publish a highly-regarded series of documents on secure standard configurations for Unix and Windows systems.
* NSA can't regulate industry; they have no such authority.
* You're really comfortable with the idea of NSA outbidding private venues for vulnerabilities? (Note that the USG already does sponsor "white hat hackers" through the DARPA grant system).
First of all, fuck you. It is because of people like you that believe we should be permanently at war that we are permanently at war.
Second of all, no, the world should not be run by these warmongering generals trying to destroy each other. That is not how humanity is going to improve. The only way the world is going to improve is if all these military assholes are lined up and shot and never allowed to run the world again.
Oh I see, your confusion is because you don't see industrial sabotage and espionage as acts of war. To you it's somehow a friendly thing that superpowers do to each other. You've swallowed the latest military propaganda remarkably well, congratulations.
Good thing I didn't say they did. I referenced Huawei USA as to highlight there are indeed domestic facets to this story. I am going to guess given your comment you can with authority detail what devices are and are not backdoored. If you cannot I don't see what your comment is meant to convey other than that 100% of Huawai hardware has not been subverted.
Don't start this tactic of distorting someone's commentary again, the last time you decided to respond to me you went about aggressively making up bull-cock as if that is what I wrote. When it was pointed out and asked of you to address the subject instead of bringing up unrelated rubbish you only dug in changing to a belittling tone.
Overall I would rather you not respond to me at all. Thanks.
Your comment doesn't make any sense unless you believe NSA backdoors all the Huawei devices. NSA's implants aren't limited to Huawei; Cisco and Juniper implants have already been disclosed. I figured you believed they were backdooring all of them; after all, you also believe "you have NSA affiliates like Palantir mucking about with firms like Hunton & Williams. Teaming up to do attack work on generally anyone who opposes the persons who make up the facade that is US Chamber of Commerce".
I don't care who you want to reply to you or not. You're writing to the thread, not just to me, and vice versa.
How on Earth are you parsing my comment where highlighting a Chinese hardware maker's US arm is stating that 100% of the hardware has been backdoored by the NSA? I didn't even mention the agency. Just US domestic operations of a Chinese hardware maker.
I was nice enough to cite the persons and companies involved in that previous thread, including the detained Barret Brown. You addressed his drug use without the topic at hand that he reported on? I mention an article written by Michael Hastings that referenced Brown, and you insert bullcrap as if I said intel agencies killed him? You went on further to bring up Monsanto and Nickelback?
I ask you to not engage me anymore for a reason. You are a prick, tptacek. You are a prick.
I think the misunderstanding is this: targeted compromise of individual units, post-installation (tptacek), vs. compromise of all units of one or more models in the factory (you).
"compromise of all units of one or more models in the factory (you)"
_What_
I never mentioned anything like that. tptacek suggested that is what I meant, I directly said that was not. I've said I think subverting or weakening hardware/software for surveillance would be bad thing, not that the NSA has backdoored 100% of Huawei's products. I asked tptacek to stop making distortions because of this right here. I am running out of different ways to state this, why is is tptacek a primary source for what others say?
Back onto the comment I responded to initially, Chinese hardware makers do sell to the US so methods to subvert their devices do have US domestic ramifications. This would be contrary to what parent comment suggested.
Sorry, I didn't mean to put words in your mouth. I did say "one or more models in the factory," i.e. not 100%, because you clearly stated you didn't mean that. I just thought it wasn't completely clear that you weren't both talking about compromise in the factory. I guess I misunderstood you.
No problemo. On the topic of TAO I highly doubt subversion at the factory. Though I do believe the monolithic designs of the day from Samsung and Apple surely delight intel agencies like the NSA. Must shorten delays in redirecting shipments substantially!
It's not the most positive exchange but I have yet to have one with him that didn't result in the insertion of distortions or focus on the people carrying a message instead of the message. This was made clear with Hastings and Brown themselves being focused upon instead of the content of their articles.
After things like Nickelback started to be brought up.. I stopped believing responses were being made in good faith. Fast forward to now and apparently I am saying 100% of that maker's devices are backdoored by the NSA, any other interpretation "doesn't make sense."
While I acknowledge this is a public forum I would hope tptacek would also acknowledge I asked him not to engage me anymore previously, before he announces the forum's open presence as his mandate to respond.
It's the difference in mindset between having a discussion versus an argument.
In one case you are more likely to work for a mutually beneficial outcome, in the other it's a zero sum game where distorting your opponent's views becomes a common rhetorical tactic.
I'm not going to make grand claims, I just saw a lot of the latter from you recently.
No, that's not accurate. If you and others are having a discussion based on false premises, correcting those premises does in fact move the discussion forward.
I think many systems commercial and otherwise will be open to exploitation. I don't necessarily object to the NSA or another government's intel service hunting those bugs either to protect against or to exploit. I do object overall to the creation of exploits or the weakening of systems.
In the absence of a perfect system of governance I feel we should default to not giving unspeakable power to a concentrated few. The slides on the tools were leaked out of a for-profit firm that contracts for the NSA, next the tools themselves like music industry cohort MediaDefender[0] had happen to them? Or even worse a leak of a database the tools sift through like the Assad regime's BlueCoat[1] logs on political/sexual/religious targets?
Another US firm Palantir was itself tangled in a scheme Glenn Greenwald reported pre-Snowden regarding the targeting of political activists via a solicitation of work through Hunton & Williams made by the US Chamber of Commerce[2]. I can't trust the US intel community as far as I can toss it when conflicts of interest are apparent at every level of clearance given to contractors. So I will probably frown upon most alphabet boys exploitation of capabilities.
Considering the scale of funding the NSA and other government agencies enjoy, I think that any focus on "cyber warfare" is going to lead to a "weakening of systems". But this is inevitable when you give state actors a monopoly on extralegal means. Like you said, the onus should be on a robust system of legal and regulatory restraints on this power, which is what the Snowden leaks and others have shown we definitely lack.
Does anyone know the process that took this leak from the Snowden dumps to Schneier's site? Did Schneier seek consensus from the the other recipients that he should release this particular information? Did Schneier unilaterally decide to release this?
Regarding the article, I think it is fascinating proof of the lengths that state-level actors will go through to backdoor their targets.
So you need access to the router first with enough power to force a firmware update. What would surprise me is if there are vendors immune from this kind of APT. Given the money and talent invested in those hacks, bricking a whole cargo container of router doesn't seem out of reach, dissolving it in acid or other potentially destructive reverse engineering.
If they own the vendor source code then it is even easier, but the mere fact that it is a router/firewall and not an off the shelf Dell pc is of little importance.
For those thinking about whether such things could be used inside the United States. Of course they can. So can all the equipment and weapons the military buys. And it's happened before! The gun in the Fort Hood shootings was bought and paid for by US tax dollars and it was used to kill a civilian. So this raises the question, is the military to be trusted with weaponry it needs for its defense mission even though they could be used in the US? Similarly, is the NSA to be trusted with exploits it needs for its SIGINT mission? Interesting question. An infantryman could go rogue at any time and use his service weapon against US citizens and someone at the NSA could use an exploit for personal gain, but on the whole I believe the system accounts for these possibilities in a reasonable and controlled way.
If this information is true, it seems a little crazy to me to be propagating it since there isn't really a domestic/whistleblower angle. At least, no more of a domestic angle than the military developing a new missile. Some of Snowden's disclosures are responsible for starting a productive civil liberties debate in the United States, there's no denying that. But these disclosures are ones of a different color in my opinion.