Our target is using a network. We need access to that network. The sysadmin has the keys to the kingdom. The sysadmin uses Facebook. Through QUANTUM INSERT, we own anybody who uses Facebook. So we just need to figure out the IP address of the sysadmin.
If they use unencrypted telnet we just hack the account and grab the telnet server's IP address whitelist. With our resources and capabilities, this is so easy that someone should write a script to automate it and do it in bulk.
If they use SSH, we do it by listening to the connection. Even though we can't decrypt communications, we can figure out which IP addresses sysadmins are logging in from.
But it's not just us who are hacking routers. We can also hack the hackers ... and the rest is redacted. Shame. That would have been REALLY interesting.
Jesus. There's really no way to fight it other than going full RMS, is there? Who knows how many zero-days the NSA is sitting on for all major browsers. I wonder if they can attack sites that implement full end-to-end HTTPS.
I personally consider SSL little more than a placebo at this point. Moxie Marlinspike showed at Defcon 19[1] that SSL is easily compromiseable using upstream certificate authorities. He created Convergence[2] as a potential solution to it. But nobody's using it.
I went full RMS in 2007. Uncomfortable at first, but it's really the only way to stay unmonitored. Consider avoiding the gross anti-social bits of his personality, but don't throw the baby out with the bathwater.
Brilliant, just what I was looking for, all I could find was information on a scheme where they intercept computers and bug them with radio transmitters[1]. Can anyone tell me why the two codenames are so similar? It would seem that they're wildly different exploits.
> Can anyone tell me why the two codenames are so similar? It would seem that they're wildly different exploits.
A previous article, "How the NSA Plans to Infect ‘Millions’ of Computers with Malware" [0], linked to "a classified list" [1][2] of the various "QUANTUM*" programs entitled "There is More Than One Way to QUANTUM".
If I'm understanding your question correctly, the table in [1] and [2] should illustrate the (similarities and) differences.
So the NSA targets the personal online accounts and personal computers of sysadmins who just happen to work at major network providers. These are people who have done absolutely nothing wrong, other than being in the way of an out of control agency.
Unless you have a seriously depressing sex-life, it's hard for a single agent to seduce 100s or 1000s (or more) clerks based on recorded behaviour of the entire connected part of the human race for the past few years in a few minutes.
So it's worse in one way because of scale.
In general spies break laws, that's what makes them special. It's why it's "ok" to torture spies, or kill them, or hold them in a hole -- they're not considered soldiers, when (if) they're caught, they are treated as scum (or as we say these days, as terrorists).
I don't think anyone's saying: "Oh, we're mighty miffed you've stolen all our data. We'd be ok with you just coming over on foot, seducing a few, killing a few, and stealing our military and industrial secrets."
No-one's ok with that either. As for the American People, they are (rightfully) miffed because their so-called foreign intelligence services, that are supposed to break laws only abroad, are violating privacy on a scale that makes the Stasi look like child's play.
If a US agent seduced me and installed a back door on my computer to access the networks I have access to -- and I found out -- I'd be mighty upset about that, too. And I'd try to help counter intelligence get hold of the perpetrator. But that's not bloody likely to happen, is it?
Now, we pretty much know that any value target (network, and by extension admin) is reachable in a few keystrokes. The effort needed is minimal, to quote Sarah Connor: "No one is ever safe."
What kind of question is that even? If you'd told me before the Snowden/NSA scandal that the NSA or GCHQ were _blackmailing_ clerks, I'd have called it spy fiction.
To my knowledge, it was only publicly proven that the Russians use these tactics, but the US?
And now you are telling me that the NSA compromising the informational integrity of thousands of sysadmins is not surprising since they already used unethical TV-drama bullshit in the past?
This raises so many questions. Do you have examples of the NSA blackmailing a clerk?
"To my knowledge, it was only publicly proven that the Russians use these tactics, but the US?"
I've always found it more likely that if any country has been proven to be using these tactics, then Occam's razor states that they all are (if they can afford to).
Intelligence agencies may be answerable to governments in theory, but human nature (as well as game theory) shows that lack of independent oversight leads to manipulation of the rules. Doesn't matter what country you come from, if you can get away with something with little risk of detection, let alone retribution, you do.
This is why laws exist, and why it's inexcusable that any sector of any government should be immune to them.
> To my knowledge, it was only publicly proven that the Russians use these tactics, but the US?
This is a very strange belief. I mean I prefer living under US rule to living under Russian rule but the idea that the US has clean hands is laughable. I'm curious -- did you grow up inside the US? I've found that perceptions from inside the US reality-distortion bubble are very different from perceptions even a few hundred kilometres away.
I grew up in Germany during the 90s. Our view was that, while the US doesn't have the figurative "clean hands" (insert vague reminiscence of some half-knowledge about things that happened in South America), they were rather "civilized" about things.
I DO REALIZE NOW that this was of course a distorted picture of reality, which I think dawned on me around the time the illegal rendition/secret torture prison affair of the CIA came to light.
However, compared to the Americans, the Russians were never _too_ discreet about the rough practices of their intelligence agencies. This is what I was referring to: To the current state of my knowledge (which, admittedly, I did not update with even a Google search) there are publicly known instances of the Russians crushing private individuals by inserting HUMINT into their lives, whereas I don't know of any example involving an American service.
Maybe this is also why the Belgacom hack was so shocking to me. I had not previously thought that they (NSA GCHQ) would take apart some poor schmuck who happens to work at the wrong company just to gain access.
On a more general note, to me it just seems that bringing down the power of a governmental intelligence agency on an innocent bystander for the sake of a "shortcut" is unethical.
That's never what these sorts of comparisons imply. It's more of an "it's not different to something else... so if you actually cared about the principle of the thing rather than harms to your specially-empathizable in-group, you would have been angry all along, rather than just starting now. Thus, your anger is not particularly selfless, and your battle-cry does not deserve to be rallied around."
Technique #3 - 'TOPIC DILUTION'
4. Use a straw man.
10. Associate opponent charges with old news.
The problem with the Gentleman's guide is that (on purpose) it is hard to distinguish someone who disagrees with you, someone who is trolling (a little bit), and someone actively using it.
So common for wrongdoers to resort to such rationalization to justify their wrongdoings.
To help in snapping out of the cultic mindset, replace "country" with "organization". For instance, Scientologists had the same mindset with their Snow White Operation.
Obviously, I don't know the answer but I don't think it's too far-fetched to imagine that an agent of one government (e.g. a female KGB agent working in the U.S.) might attempt to seduce someone in a privileged position (in other words, "with access to specific desired information") in another country's government (e.g. a male physicist working at LLNL).
And, immediately after having written the above, I suddenly recalled a few portions of the SF86[0] and, based upon their existence, I'm inclined to believe it happens much more than what I would initially have expected.
The fact that they casually speak of logging a significant number of connections is alarming. The SSH targeting methodology would only work if you have the ability to monitor a significant portion of electronic communications.
Since the majority of the traffic-logging capabilities of no such agency come from the US itself and a few close allies we collaborate on intelligence with*, you can estimate that the sysadmin SSH technique is most useful in the US itself and the aforementioned close allies. Thus I would expect this to disproportionately affect Google as opposed to, let's say, Baidu.
* I am making an assumption here, please let me know if it is unwarranted.
My assumption would be that most of the intercept capabilities are in Africa, Middle East, and Southeast Asia. A lot of Africa uses (or used to use) satellite links for internet which you'd expect to be tapped and there's undersea cables around there that had a rash of weird breakage over the past few years.
Incidentally, those are areas where China has a strong economic development interest, so you have another well funded government as an adversary that's known to target routers and such.
So far as admin SSH, once you reach a certain size you generally stop letting admins ssh in from random places and require VPNs (often with crypto tokens), if only because it gives you an easy chokepoint to disable access when you fire people. From what I've seen those most likely to use direct SSH or telnet are small companies (including regional/emerging telcos) that have a handful of people actually running things.
Google "Boundless Informant" and "Room 641A." Most of the abilities are in the U.S. and more is collected there than in most of the countries. Why? "Because we can."
Room 641A (and associated points around the US) are a very minor part of the publicly known infrastructure operated by the NSA.
This is an organization that has nuclear submarines (see also SSN-23) outfitted to tap cables and runs intercept stations (Pine Gap, Menwith Hill, etc) around the world positioned for satcom coverage. If you can get most of what you want from a handful of colo rooms in allied countries then why bother with submarines, satcom stations, and satellites that spy on other satellites?
Clearly they feel that the value and scope of information gathered from intercepting communications that take place outside of (and not crossing) allied countries justifies the expense.
> So far as admin SSH, once you reach a certain size you generally stop letting admins ssh in from random places and require VPNs (often with crypto tokens), if only because it gives you an easy chokepoint to disable access when you fire people. From what I've seen those most likely to use direct SSH or telnet are small companies (including regional/emerging telcos) that have a handful of people actually running things.
Well, we don't really know enough about collaboration between tier1/2 and intelligence services, but I think it's reasonable to assume that any large network provider that has close financial ties to the US or NATO countries provides intel to the "NSA machine". I'm not sure about Russia and China (along with China-friendly neighbours). I would guess getting data is a high priority, and that NSA would go to great lengths to get taps in -- but what or how they do it I wouldn't know. Bribery and/or running a telco or two sounds reasonable given the (large) budgets, and mission statement(s).
I am completely torn between really wanting to work for the NSA because they have the ability to do really awesome analysis like that with huge amounts of data, and being deathly terrified. Nothing in that article should be a surprise to me, or anyone else who can half-guess the NSA's capabilities, but it is still shocking to read. For some reason, knowing that the NSA has information on literally everyone stored in some database isn't that frightening to me, but seeing specific details that they could have (and probably do have) is very scary.
Yup. Unfortunately, I'm one of those foreign alien nobodies, so I can't. Also, most US-ians are totally cool with the NSA spying on me, just not on them. shrug
The scene[1] in Good Will Hunting where Matt Damon tells the NSA to beat it is probably in line with how a lot of us feel. Interesting work, but the end result is too much to live with.
That isn't how bureaucracies work. The parent can't join the NSA and hope to advance if they (openly) hold views fundamentally contrary to those of their superiors.
I believe there is a notable and recent case of how this actually plays out. What was it? Towden? Mowden?
As amazing as Schindler's actions were, they ultimately had little effect on the overall scene, such was the scale of it. He fought the monster and survived, not fought the monster and brought it low.
Schindler saved a thousand people through some pretty ballsy actions. But for scale, the battles of Stalingrad, Leningrad, and Moscow each had total casualty rates for both sides of 1-2 million people apiece.
"He who fights with monsters should look to it that he himself does not become a monster. And when you gaze long into an abyss the abyss also gazes into you."
Power at the NSA would be concentrated towards the most shameless bastards. It's not really within the power of random employees/contractors/grunts to fix. Snowden would be the example to follow here, but you really have to work outside the box.
This is kind of off-topic, but I don't know where else to ask.
Have we seriously entertained using "OSS" licenses that would prevent NSA & co. from using them?
I know Douglas Crockford has his "don't be evil" JSON license that got everybody's knickers in a twist. And I know OSI has a nice page on why field of use restrictions are bad.
However... I wonder if these pre-Snowden viewpoints credibly consider an organization that uses the software community's tools to conduct targeted attacks on that community. I mean, these documents suggest a much scarier attack on software developers than, say, putting the Linux kernel in a TiVo or whatever they changed in the GPLv3.
On the other hand, maybe FOU restrictions are still bad on principle. What do you all think?
This is an amusing suggestion... do you really think the people who are bugging just about every line of communication in existence and subverting every possible method of secure communication and storage give two shits about the terms of software licenses?
In the US, sovereign immunity doesn't exempt the federal government or its employees from criminal prosecution, and there are statutes on the books that explicitly waive immunity for civil cases that arise as a result of contract disputes (among other things).
Suppose you wrote MediaWiki, by yourself, and thus had the authority to change its license. Further suppose you did so, adding in restrictions like you mentioned that forbid the NSA from using it.
Now, assume you found out, via a leak of some of these classified documents, that they were using it -- in violation of your license -- and you decided to sue.
Having seen some of the excuses they've come up with before (and assuming that you have as well, which seems like a reasonable assumption), why wouldn't they simply argue that the software applications they use internally are classified, that disclosure of such would be detrimental to national security, and, because of that, your case should be thrown out (like they have argued so many other times)?
The only juche I know of is the North Korean one[1], guessing this is just a random joke, just wanted to ask in case there's an alternate meaning I'm missing?
hahaha, I hadn't heard that. Sounds quite funny actually, definitely feels like an NSA worker wearing an EFF t-shirt would have to understand the irony of their situation.
It sounds like international security is being run by 10 year old wannabe anonymous members.
Yep. Replace "wannabe anonymous members" with "wannabe hardass" or "war hawk" and you have the essence of the US approach to international relations.
So while childish language for childish actions bothers me, so does the act of trying to class-up childish behavior with the well worn flavor of political rhetoric that acts like whatever bullshit getting peddled is reasonable and responsible.
I feel like this is the geek version of some Michael Mann film, where the subtext is "COPS ARE JUST LIKE CRIMINALS." I'm already terrified that evidently any random GS-11 can grab SIGINT data at will; now I find out that they've got a red-black version of LiveJournal that reads like a Ritalin-addled script kiddie with SCI clearance. Fucking 'ell, no wonder we're fucked.
"I have seen George Bush and he is a stupid Texan hillbilly."
"I have seen Ronald Reagan and he is a demented old man with no brain."
----
These "jokes" appear to belittle the people with real power, in the public's mind. It makes the people feel better. They make them appear harmless. It is a complete mistake to do this. It helps the powerful to spread these jokes, it does not help the people.
"oh he won't harm us, he's stupid. He wouldn't be evil, he has no brain. He wouldn't spy on the world, he's just a kid"
That kid? No, the enemy is the people who hired him, gave him no oversight, had no auditing or controls on internal information and encouraged him to continually exceed his authority.
Include the team of shameless government managers, many who swore an oath to uphold and defend the constitution, turning this operation and all these databases over to a third party and these kids.
No – the enemy is the American people, collectively and individually responsible for the actions of their government. How you sort that out internally is not really my concern :)
A form of institutionalized secrecy concealed and locked away behind a highly-trained, tightly-regimented, hierarchical, ideological organization of indoctrinated, unquestioning personnel (recruited directly from high school, with the incentive of financing an over-priced education that would otherwise be out of reach, which would serve as a catalyst for a career of employment in jobs that will not hire anyone without practical experience), all bristling with automatic weapons, mechanized artillery, naval artillery, supersonic airplanes, 500 lb laser-guided bombs, self-guiding nuclear weapons and a vast logistics infrastructure to keep it all running. An organization that doesn't obey laws. Indeed, an organization designed with the express purpose of overriding the laws of every other country on earth. But yes, let's act within the boundaries of civilian law to ask for permission to make this complex ask for permission before not asking for permission.
Oh wait, this thing without a name is funded by a civilian political system filled with politicians that lie to me and don't listen to me, who are bribed by large, faceless, private, for-profit corporations that don't pay taxes, and make all their money providing logistics and equipment to the personnel that guard the institutionalized secrecy which disinforms me of its own existence, and it's all paid for by my taxes, which I get thrown in jail for refusing to pay.
...BUT I SURRRE ASKED FOR IT!!! I GET WHAT I DESERRRVE! WHEEEEEEEEEEEEEE!!!
If this is true, we can assume the computers of all but the very most careful and dutiful admins have been pwned. I'm flabbergasted even looking at my own laptop, the element of trust in any of my own hardware is gone.
You could presumably log some such packets in iptables -- but that assumes you actually receive duplicate packets. If NSA owns a router between you and the target for spoofing, there's no reason that router needs to relay the "correct" packet. I know a lot of the text on these attacks states something along the lines of "replies before the legitimate packet arrives" -- I'm just not certain it's that simple in practice.
edit2: Perhaps a logging DNS resolver (to track "strange" IP changes) coupled with an iptables rule that uses conntrack and logs INVALID packets is a start?
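The comment above rests on one observable: when an injected reply races the legitimate server, the victim sees two segments for the same connection and sequence number that disagree on their contents. The following is an added example, not code from the thread or from any tool it mentions, that runs that check over a list of TCP segments. The segment records, addresses and payloads are constructed for the example; in practice the records would be filled from a capture, and the TTL field is treated as a secondary hint only, since it also varies with routing changes.

```python
"""Flag conflicting duplicate TCP segments (same flow and sequence number,
different data) as a sign of packet injection.

Added example; the Segment records below are constructed sample data,
not a real capture. Legitimate retransmissions carry the same bytes
for the same sequence number, so they are not reported.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes

    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


def payload_conflicts(a: bytes, b: bytes) -> bool:
    """Two segments at the same sequence number conflict only if the bytes
    they have in common disagree. A retransmission that coalesces more data
    shares the prefix with the original and is therefore benign."""
    n = min(len(a), len(b))
    return a[:n] != b[:n]


def find_conflicting_segments(segments):
    """Return (first_seen, later, reasons) for each later segment that
    repeats a flow/sequence pair already seen but with different content."""
    first_by_flow_seq = defaultdict(dict)   # flow -> seq -> first Segment
    alerts = []
    for seg in segments:
        first = first_by_flow_seq[seg.flow()].get(seg.seq)
        if first is None:
            first_by_flow_seq[seg.flow()][seg.seq] = seg
            continue
        reasons = []
        if payload_conflicts(first.payload, seg.payload):
            reasons.append("payload differs")
        if first.ttl != seg.ttl:
            # Only meaningful alongside a payload conflict: TTL alone can
            # change with a legitimate route change.
            reasons.append(f"ttl {first.ttl} vs {seg.ttl}")
        if "payload differs" in reasons:
            alerts.append((first, seg, reasons))
    return alerts


# Constructed sample traffic (documentation address ranges, no real hosts).
SAMPLE = [
    # Client request, then a benign retransmission that coalesces more data.
    Segment("198.51.100.5", 40001, "203.0.113.10", 80, 1, 63,
            b"GET / HTTP/1.1\r\n"),
    Segment("198.51.100.5", 40001, "203.0.113.10", 80, 1, 63,
            b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"),
    # Two server replies for the same sequence number that disagree:
    # the first arrives from a different hop count than the second.
    Segment("203.0.113.10", 80, "198.51.100.5", 40001, 1001, 61,
            b"HTTP/1.1 302 Found\r\nLocation: http://placeholder.invalid/\r\n"),
    Segment("203.0.113.10", 80, "198.51.100.5", 40001, 1001, 52,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
]


def demo():
    """Run the check over the constructed sample and return the alerts."""
    return find_conflicting_segments(SAMPLE)


if __name__ == "__main__":
    for first, later, reasons in demo():
        print(f"{first.src}:{first.sport} -> {first.dst}:{first.dport} "
              f"seq={first.seq}: {', '.join(reasons)}")
```

As the comment notes, this only works when both segments actually reach the host; an adversary sitting on the path can drop the legitimate one, and then there is no duplicate to compare. It also says nothing about which of the two segments is the genuine one, only that they cannot both be.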
At first reading, I thought the redacted part was about how to tell if _your_ router was compromised but on closer reading, it looks like it covers routers owned by others that the NSA have cracked but they want to know if the Chinese or anyone else has done the same.
It's interesting how this boils down to existing malware strategies but with a how-to. They're probably not going to type this stuff up in a wiki anymore going forward, shift to in-person training and word-of-mouth.
Are there really companies out there where sysadmins are allowed to use i-Diot or W-inDiot products on non-free hardware?
I like the NSA, because they show the world how stupid most computer users and especially the "geeks" are that do not see how ridiculous it is to show off a big apple logo on a speaker desk.
This is too many words for inherently trivial ideas that are all based on the magic assumed already to be in place and readily available. But mostly it's the tone and triviality of what's being discussed. It's all a script-kiddie level.
I find your view interesting. It's one shared by many people. It's almost a misconception, a mistake which actually helps those with the real power.
These are the questions that this brings up, which I find interesting.
What makes us think that techies in government departments are different from techies in other places?
What makes us think that pictures of kittens and internet memes are only acceptable for open source freedom hackers, and not people working for the government and private companies?
What makes us think that the internal messaging systems of secret organisations should not be trivial, human and sharing humour?
What makes us think that if someone thinks they are helping and protecting their country in their mind that they are morally wrong and have a criminal personality (James Bond Villain) because they are systematically abusing the law?
Thank you for posting the PDF link. For the life of me, I have NO IDEA why sites still try to push hacked together PDF viewers on us when there are tools already on my system. I really thought this site was just broken.
If you're going to provide a TL;DR for others, it's best to read to the end first... telnet was used as an early example, but the writer went on to explain how to target ssh too.
They have resources, though every technique in this paper is very simple. There are some incredibly talented people out there, and not all of them work for the NSA.