
I'm so sick of all this conspiracy theory nonsense. If PRISM means Apple supplies data directly to the NSA there's no need for a MITM attack. I mean what's the argument? Plausible deniability?

> Never attribute to malice that which is adequately explained by stupidity.

A programmer screwed up. It happens every day.

I'm reminded of Chesterton's madman:

> The madman’s explanation of a thing is always complete, and often in a purely rational sense satisfactory. Or, to speak more strictly, the insane explanation, if not conclusive, is at least unanswerable; this may be observed specially in the two or three commonest kinds of madness. If a man says (for instance) that men have a conspiracy against him, you cannot dispute it except by saying that all the men deny that they are conspirators; which is exactly what conspirators would do. His explanation covers the facts as much as yours. Or if a man says that he is the rightful King of England, it is no complete answer to say that the existing authorities call him mad; for if he were King of England that might be the wisest thing for the existing authorities to do. [...] Nevertheless he is wrong. But if we attempt to trace his error in exact terms, we shall not find it quite so easy as we had supposed. Perhaps the nearest we can get to expressing it is to say this: that his mind moves in a perfect but narrow circle. A small circle is quite as infinite as a large circle; but, though it is quite as infinite, it is not so large. In the same way the insane explanation is quite as complete as the sane one, but it is not so large. [...] If we could express our deepest feelings of protest and appeal against this obsession, I suppose we should say something like this: "Oh, I admit that you have your case and have it by heart, and that many things do fit into other things as you say. I admit that your explanation explains a great deal; but what a great deal it leaves out! Are there no other stories in the world except yours; and are all men busy with your business? Suppose we grant the details; perhaps when the man in the street did not seem to see you it was only his cunning; perhaps when the policeman asked you your name it was only because he knew it already. But how much happier you would be if you only knew that these people cared nothing about you!
> How much larger your life would be if your self could become smaller in it; if you could really look at other men with common curiosity and pleasure; if you could see them walking as they are in their sunny selfishness and their virile indifference! You would begin to be interested in them, because they were not interested in you. You would break out of this tiny and tawdry theatre in which your own little plot is always being played, and you would find yourself under a freer sky, in a street full of splendid strangers."




So you're still deriding ideas like this as "conspiracy theory nonsense," even after extensive documentation that the NSA is, in fact, surreptitiously introducing security holes in software?

Personally I've adjusted my Bayesian priors a bit.


Extensive documentation does not exist. It's all conjecture and speculation.

We know the NSA spies on foreigners, we know they have relationships with tech companies to make that spying easier and therefore have access to all that information. We don't know the extent of domestic use. We know they collect phone metadata. We know they have infiltrated software abroad; they deny having done it domestically. There's just a whole lot we don't know.

Here's something I do know: the government is not infallible. In fact, just the opposite. Sure Snowden revealed a lot about the NSA spying programs, but he also revealed another salient fact: their background check process was a joke. Like every other government agency they display an incredible degree of incompetence.

Sleeper agents at Apple inserting bugs into code in order to bypass security checks as part of some grand scheme to infiltrate the communications of millions of Americans... it's not even a good idea on the face of it, but even if they tried to pull this off they'd screw it up somewhere along the way. Human beings make mistakes. You guys are giving way too much credit to the NSA.


> extensive documentation that the NSA is, in fact, surreptitiously introducing security holes in software?

I've seen speculation to that, but not "extensive documentation", at least from the perspective of simply breaking all hardware.

Buying descriptions of existing vulnerabilities is not "introducing" them. Nor is haranguing companies into leaving in known vulnerabilities (though that is bad enough).

Even things like asking companies to use Dual EC DRBG is not "introducing security holes" in the way we understand it, as EC DRBG is actually secure against all adversaries except NSA.

Like, I'm re-reading the Guardian article now and it talks about the NSA "using supercomputers to brute-force encryption" as a strategy... hardly a jumping testament to the massive brokenness of the Web.

Going further to read the actual list of NSA practices helps confirm this a bit too.

For starters if you look at the description of their SIGINT Enabling Project it states that "To the consumer and other adversaries, however, the system security remains intact." (emphasis mine), which seems to be hinting at Dual EC DRBG (or at least, Snowden doesn't seem to have leaked any other NSA technologies that are broken only to NSA but resistant against other adversaries).

The one blurb I could find about deliberately introducing vulnerabilities had a very important caveat which everyone leaves out: "Insert vulnerability into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" (again, emphasis mine). The Guardian somehow left that out of their description of that bullet, I'm sure it was just an oversight.

In other words this is not mass introduction of simple exploitable but a seeming formalization of the types of corporate-government partnerships that led to things like the Siberian pipeline sabotage, to be used in specific targeted operations. Indeed the Guardian seems to confirm that in their description of the NSA Commercial Solutions Center.

Even Snowden has spoken up in support of the concept of targeted operations by U.S. intelligence agencies, so I'm not sure why this should be surprising; it's the kind of stuff we expect the U.S. to do to gear going to Iranian nuclear weapons facilities or Syrian C2 bunkers.

So even if we give the NSA credit for surreptitiously breaking crypto around the world, this particular method does not appear to match their style or even their own internally-held methods. It seems like the kind of thing NSA would take advantage of without revealing it, but not the kind of thing they'd intentionally add to a non-targeted iPhone. And, if they did add it, they'd add it to the flashed image, not the source, à la "Reflections on Trusting Trust".


It's a lot more than PRISM. Have you watched "To Protect and Infect Pt 2"? Turns out the conspiracy theorists didn't go far enough.


>If PRISM means Apple supplies data directly to the NSA there's no need for a MITM attack.

Why collect data once when you can do it three times to verify all your other collections are working?



