From iPhone to Cisco Routers – NSA Hacks It All
Everyone should read the SPIEGEL story and check the graphics and docs about the NSA's Tailored Access Operation. They describe the hardware and software tools the NSA uses to break into every level of computing – from your cellphone up to carrier class internet routers. The Apple iPhone for example is, as was to be expected, one of the devices the NSA can crack and silently control anytime it tries.
Jacob Appelbaum, who helped report the story, yesterday gave an hour-long talk about these NSA abilities. I recommend listening to it. He rightly points out one of the main issues that even supporters of the NSA spying should have serious headaches about. If the NSA can use the software and hardware bugs in various devices to take control over them, then others can do this too. I bet that there are criminals out there who use exactly the same problematic holes the NSA uses for its spying. Such holes should be fixed and not abused.
One aspect that may help to rein in the NSA's totally overdone "collect it all" and "hack it all" attitude is the extreme damage this report will do to the U.S. computer and internet companies. Why would I buy Cisco routers or an iPhone when it is publicly known that these are extremely unsafe devices?
The NSA hacking and spying was the biggest story of 2013. It is also quite likely that further reporting on and the fallout from it will be the biggest story of 2014. Some media try to propagandize that people are okay with this NSA business and that no actions need to follow. Don't let them fool you. People do care and many are already changing some of their online habits. But even more pressure has to build for real change to come.
My big "thank you"s for this year go to Edward Snowden for the courage to go public with the NSA interna and to Glenn Greenwald for the excellent management of the drip by drip publication that keeps this very important story alive.
Thank you also to my readers and the commentators here who keep me motivated to continue this blog. Have a good new year in which hopefully no one will spy on you.
@44 Articles such as this show why Greenwald’s stance on public vs. private spying is, at its core, naive and dangerous. The idea that state spying is “uniquely threatening” and that the dangers of private spying are somehow softened because corporations have as their motive mere profit-making completely ignores the realities of life in our increasingly unequal world.
Greenwald is of course saying that corporations on their own do not have the power to jail or kill. This could be debated. What can’t be debated is the fact that corporate power has rarely, if ever, been “alone” and without its hands firmly on the levers of government power. The problem of private wealth corrupting public power has been an issue since this country’s inception. The difference today (and what makes Glenn Greenwald’s pooh-poohing of the dangers of corporate spying so insidious) is that this corruption is quickly becoming the defining feature of our politics and our world.
Greenwald is trying to say that it is serious, but essentially less harmful, for corporations to compile information on their users than it is for the government to gather this same kind of info. But is this not, in fact, where the government is pulling much of their information from? We are not, of course, dealing with a world in which the corporations we deal with on the internet might be a department store or a car company which gather info on our shopping choices. For the most part we are dealing with giants like Google, Apple, Verizon, and Facebook which gather huge amounts of extremely personal information about our private lives… and then apparently make this information directly available to the government – a government which is staffed by the same people who staff the corporations. A government which is largely, because of the corrupting influence of campaign donations and lobbying, at work for corporate power. A government which works with these corporations hand and glove to extend both power sectors’ reach over our world.
Our public policy is, in the words of John Dewey, “the shadow cast on society by big business.” There is little difference between those in power in the state and corporate world. The fact of the “revolving door” between the nominally “public” sectors of power and the top levels of corporate management shows that not only do these two power centers share essentially the same goals, but are run by the same people. And this is nothing new – it has been true throughout US history. One only has to read General Butler’s “War is a Racket” to see that even an organization as nominally independent as the US military can easily become an extension of private power used to kill across the globe for the profit motive – a motive Greenwald seems to feel is so tempered and reasonable. For those who think that the Iraq War was fought for the oil companies, who do you think the information gleaned from this industrial-strength spying is meant for?
We have plenty of instances to point to of the dangers of this corporate spying. One example was the political repression that occurred during the nationwide crackdown on the Occupy Wall Street movement. We have only to look at FBI documents obtained by The Partnership for Civil Justice Fund (PFCJ) to see that the crackdown was not led just by the state, but that corporate interests and their resources were key to not only defining the “threat” posed by the Occupy Movement, but also in the actual crackdown. It has been public knowledge for some time that corporate behemoths like JP Morgan and Goldman Sachs actually give millions of dollars per year to the NYPD. To suggest that this has no effect on the actions of the NYPD would be like suggesting that the millions pumped into the US Congress via campaign contributions has no effect on the legislation produced there. And this is of course only one example. We could go over the attacks on Anonymous by private corporations like HBGary. I found this intriguing report as well – a veritable clearinghouse of corporate spying against their political opponents: Spooky Business: Corporate Espionage Against Nonprofit Organizations. This laundry list of malfeasance and repression would seem to be ignored by Greenwald – who unfortunately is now every bit a member of the corporate power structure as any high level executive at NBC/GE.
The fact that should not be ignored is this: the “public” security state is now completely in the hands of the “private” corporations through the levers of campaign donations, taxes, grants, and the back and forth of talent and personalities. Ignoring or downplaying this is like ignoring the hand in the glove that is wrapped around our collective necks. One cannot say that, of corporate and government spying, one is more or less dangerous than the other because they are, at their core, the same phenomenon – powerful interests using an advantage in technology to coerce and change the behavior of the less powerful. This is no time to try and play down the effects of corporate spying or try and play it off as a tempered phenomenon which is just part of the normal state of affairs in a free market economy. This is the time to identify this dangerous collusion and to fight against it.
What about private companies and privacy? We have Google scanning people’s Gmail and collecting search terms; Facebook and others track our movements around the Web. Companies sell our data to marketers. What’s your take on all that?
Greenwald: I think there’s a serious danger posed by large Internet corporations collecting data, but I also think there’s a big difference between the state doing that and private corporations doing it. I mean, the idea that the state can be uniquely threatening is embedded in all of our political awareness. If you look at the Bill of Rights, it limits what the state can do but doesn’t limit what corporations can do, and that’s because, as oppressive as corporations can be, the state has unique powers — like the ability to put you into a cage for a long time, or life, or even take your life; and the ability to take your property; to impose all kinds of taxation; to build weapons that can be used against people around the world — that corporations don’t actually have alone.
And the other thing I would say is that corporations, by the way they’re structured, are geared toward generating profit, whereas states are constructed for a whole variety of reasons having to do with power, which includes profit but extends far beyond it as well. And so corporations that are collecting information about you are likely to use it to do things like sell you to advertisers for targeted advertisements or [sell] other kinds of composite pictures of who you are for a profitable end, whereas the state historically has used surveillance for far more than that, including suppressing political dissent, or punishing people who in any way are kind of deviant of the norm, putting people in check in terms of their behavior. So I think the dangers are more manifold and possibly more severe from state surveillance than from corporate surveillance, even though they’re both a serious concern.
Full interview on CNET: http://news.cnet.com/8301-13578_3-57613838-38/saving-the-net-from-the-surveillance-state-glenn-greenwald-speaks-up-q-a/
Posted by: guest77 | Jan 1 2014 20:31 utc | 50
First: I wish you as well as your guests here a good new year!
@neretva
Sorry, but I feel you are beyond your base with your IT related remarks.
IT security is by far more complex than “nsa can get everything no matter what you do and how you do it”.
For a start, their best capabilities are extremely costly in terms of money, human and technical resources and other factors. So, yes their best is something they can do, but they can do it only in a few select cases. And John Doe, you, or me will not be those cases.
Another extremely important factor is not their capabilities but the weaknesses of the people, of software, and of the current infrastructure. One striking example is that it’s still rather rare to have both, a web server and a client accept and use TLS 1.2 with PFC. The vast majority still use SSLv2, v3, and TLS 1.0 – and, even worse, the usual default values for protocols are between careless and insane.
Next, it’s a major factor *what* one wants to do. Within a company network, for instance, it would be quite feasible to have very high security up to the point of virtually excluding any nsa access, no matter what routers, fibers, or proxies they control. If, on the other hand, one wanted to secure a web server that is used by millions of guests every day, some of them from low-tech/poor countries, that would be quite unfeasible; but that would be the case anyway, no matter the nsa.
Perhaps the most important factor – and security risk – are we humans. Not the nsa, not Cisco, not even (lousy) Windoze but us humans, using, for instance the same password for dozens of sites and services, not informing ourselves and not learning but rather expecting some ISP or the government or Santa Claus to “somehow” take care of our IT security.
The Russians are right. Professional players haven’t learned many new things from Snowden. His major effect – and an important one – was to make the situation tangible and relevant to millions and millions and such to create an extended understanding of many important issues and factors, and, but that is more on the political side, to make Jane and John Doe understand that and how badly “our” governments betray us, sell us out, lie to us, work with other governments against us rather than for us, etc.
Last but least the media are to be accused. There *is* lots of relevant information available and there are many security researchers who do a lot of laudable work. But they stay widely unheard because the media, rather than to inform the public, treat IT as sth that is mostly about gadgets and generally don’t inform the public about even extremely important issues.
Next to contributing to a miserable security situation by itself this also has another very damaging effect, namely that lacking important information the users, i.e. billions of people and customers, can and do not form their power demanding improvement from the IT companies.
All in all nsa’s success isn’t that much thanks to nsa’s capabilities but due to many failures and lacks from other parties.
Posted by: Mr. Pragma | Jan 2 2014 23:08 utc | 61
Sorry but listening in at someone using a laser or similar *is* a major op. They need to bring in a team (of which they don’t have unlimited many) and the equipment, they have to observe the target, they have to actually collect the data, etc.
And then, that’s the way large organisations work, those data must be evaluated, stored, analyzed, etc.
Again, I’m sure they can do that and probably they have 50, 100 or even 200 teams out there (and inside for analysis, etc.). But while 200 teams is much for pretty everyone, it’s hardly a drop in the ocean nsa perceives as potential threats and it’s, as I said, limited.
And yes, sure, once they have their “connection” into, say AMSIX or LINX they can grab terabytes every second. Which are just worthless. To have any worth whatsoever, they have to store, filter, search and process those data. Which is a very major undertaking.
Just have a look at any not insignificant internet exchange. Or even just a, say, 40Gb firewall. Those firewalls do hardly more than inspecting packets for certain pattern engines. And even for that even specialized network processors like Cavium or Qoriq operate at their limit although they are supported by other specialized chips (packet offload, header flag processing, etc.)
Let me remind you of a simple technical fact. The bus (circuitry to connect chips) speed in high-end systems is just a fraction of what major internet exchanges have in traffic. You think of super computers? Sorry to disappoint you but that’s not the workload they are designed for; they are typically by ethernet “buses” of 10 or 40 Gb.
The routers in large internet exchanges employ custom chips (ASICs) for a reason. And again, what those routers do is primitive minimal work compared to what the nsa has to do.
Now, it’s a very big difference whether one looks for 50 or for 10000 patterns in a terabit data stream. The difference is not simply a factor of 200, it’s a difference of feasible or not feasible.
Again, no doubt the nsa can eavesdrop on pretty everyone. But, technically speaking, I dare to say that they cannot eavesdrop on *many*.
Now you say “But, hey, they *do* eavesdrop on many.” And right you are. BUT: On the vast part of those targets, they can eavesdrop only because of the problems I described above and *not* because nsa is sooo smart and their computer resources so vast. Nope. They can do it because 90+% of the people use Windoze, because those terrorist sites employ SSL but an old version with a rigged PRG, old and weak encryption, aso.
Let me remind you of another perspective: Many, actually most, sites do not even employ SSL at all. Reason: Too expensive. Don’t forget that encryption is a very expensive operation (in terms of processor cycles). Not having a (very expensive) encryption co-processor (and the know-how to use it, which most admins don’t have) simply comes down to reducing the number of clients you can serve by a factor of 10-30. So, most web sites rather don’t use SSL and serve, say, 300 clients than using SSL and serving just 20 clients.
The point here is simple: encryption is expensive. Let’s not even talk about the cost of cracking encryption …
At the same time though that’s an open invitation to and a very major reason why nsa can easily read almost everything. THAT factor alone is more important than all the vast capabilities of the nsa.
Posted by: Mr. Pragma | Jan 3 2014 2:21 utc | 64
Following on from guest77 … First, one needs to think about the distinction between spying as we used to conceive it ( > economic, dissidents, rivals, etc.: usually targeted towards persons, secret networks, the obtention of specific data, military, etc.) and Total Information Awareness, with its Big Data Collection (BDC), indiscriminate vacuuming up of everything.
Greenwald drawing a line between corporate data-retention and Gvmt. spying is using this distinction, as does Jane when she says “I have done nothing wrong so can’t be shocked by my phone data being collected..”…I feel this distinction obscures.
Clearly, BDC is an endeavor that springs from many sources.
The ‘because we can’ argument is evident – the stuff is there to be gathered and it is not too difficult and acting is highly lucrative. Corps, Gov, Intelligence, law enforcement, etc. love tech stuff, and are often easily impressed and bamboozled, in short it is a HUGE source of revenue for tech (informatics, devices, analysis, defense) types, orgs or branches. In a sense, it was Finance that led the way by providing an example (Finance was completely changed by the fast interlinked computer, not for the better.) And the work is fascinating!
Secondly, BDC is somewhat (?) linked to cyber-security, cyber-attacks, cyber dominance. If hackers are going to steal the Pentagon’s secret data, Govs. will ‘hack’ as well. Lastly, we might include those who want to study human behavior for purposes of advertising and related (which is itself a kind of control.)
Together, a lot of extremely keen actors.
Now for the Authoritarian aspect. The USA has been cannibalizing its own people more overtly, violently, for some time: prisons, sub-prime scandal, student debt, militarized police, cutting aid, ignoring unemployment, etc. (Plus decay of law, infrastructure, etc.)
High control costs are required in: colonial regimes, very authoritarian states, and highly unequal capitalist ones. The costs of the hard control may be too high, the situation alarmingly unstable (see some colonized places, or cotton production by slaves in the US which was not ‘competitive’) or the control may be vulnerable to rupture in various ways. Note, the USA relies *heavily* on internalized norms, informal rules, thru propaganda, which lead to conformity, submission, passivity: soft control.
BDC -knowing everything about everyone- marries soft and hard control making it exponentially more efficient. That is the crux. Even if confused for the moment? I think one of the aims may be to reduce ‘guard labor’ (very high in the US) which is a cost, one can’t skim off the top. But that is just one point amongst many.
Posted by: Noirette | Jan 3 2014 17:58 utc | 69