The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle (firstlook.org)
576 points by frandroid on Feb 19, 2015 | 195 comments



"TOP-SECRET GCHQ documents reveal that the intelligence agencies accessed the email and Facebook accounts of engineers and other employees of major telecom corporations and SIM card manufacturers in an effort to secretly obtain information that could give them access to millions of encryption keys. They did this by utilizing the NSA’s X-KEYSCORE program, which allowed them access to private emails hosted by the SIM card and mobile companies’ servers, as well as those of major tech corporations, including Yahoo and Google."

First, it came for the terrorists, and I did not speak out, because I was not a terrorist.

Then, it came for the Muslims, and I did not speak out, because I was not a Muslim.

Then, it came for the Dutch, Belgian, and German engineers, and I did not speak out, because I was not a Dutch, Belgian, or German engineer.

If you're an engineer, developer, sales staff, or pretty much anything else, and you work at a company that has something worth stealing, you should think about how this ends. If they don't come for you first, your personal life is now completely fair game for nation state attackers.

They will stop at nothing, they have limitless budgets, they will attack your private life, they will reflash the firmware in components of your personal devices, and they will stalk you. Even when you did nothing wrong, even when your employer did nothing wrong, even when your social graph is in no way linked to anyone who ever did anything wrong.


Just as important, if you're an engineer, developer, or mathematician who works for the NSA or a similar agency, you need to take a long look in the mirror and ask yourself if this is really what you wanted to do when you grew up.


"Just as important, if you're an engineer, developer, or mathematician who works for the NSA or a similar agency, you need to take a long look in the mirror and ask yourself if this is really what you wanted to do when you grew up."

No, don't look in the mirror, waste of time. Walk away from your job.


What, work with some of the smartest people on the planet with a near-infinite budget solving the biggest big data problems out there whilst defending your country from turrists? Sign me up!


The smartest people on the planet are not working at the NSA. Most of what they're doing is just plain old data aggregation and analysis, with a side helping of large scale but ordinary hacking. The type that lots of teenagers have done.

From a technical perspective, the sort of research going on at Google (deep neural nets, etc) is in a whole other intellectual league.


Conspiracy theories aside, couldn't the NSA just draft Google?


I'd be stunned if they didn't have employees embedded at Google and other major technology firms.


It has been my assumption that Facebook's and Google's core network and security teams are each a large crowd of embedded spies working for various intelligence agencies.

Think about it: You're an NSA/Mossad/MI5 NetOps operative. You can have access to a lot of information without risking your life, get paid by your agency AND Google/Facebook. What's not to like?


Wouldn't work well. Way too many of these companies' key employees are not US citizens and many aren't in the USA at all.

Google, for example, has a large security team in Switzerland, with quite a few German and British employees. The NSA sees itself as a military organisation, it is bound by military rules.


> The NSA sees itself as a military organisation, it is bound by military rules.

What rules would those be? In the military, actively seeking (and using) information you have no right/classification to see is a serious offence. According to articles I've read, not a single NSA employee was disciplined for e.g. spying on their SOs or exes.

Also: If the NSA doesn't have Swiss and German citizens working for it, it's not a very good intelligence agency. And we know for a fact that it is, at least as far as reach is concerned.


Why would that matter? Intelligence agencies have turned foreign nationals before. And in the case of a US/British cross-over, those intelligence agencies have intelligence sharing agreements.


They do. In fact, their goal is to find fresh college grads who are just good enough to potentially get hired in these firms then send them into the firms as spies.


> Then, it came for the Dutch, Belgian, and German engineers, and I did not speak out, because I was not a Dutch, Belgian, or German engineer.

You should assume that the Dutch, Belgian and German agencies already came for you though. Perhaps they are less competent than the NSA, and maybe one of those countries actually acts morally - but there are over a hundred countries out there. At least one of them has a competent intelligence service and no morals.


"They did this by utilizing the NSA’s X-KEYSCORE program, which allowed them access to private emails hosted by the SIM card and mobile companies’ servers, as well as those of major tech corporations, including Yahoo and Google."

This is not supported by any of the leaked documents. GCHQ certainly had full access to Gemalto's email servers, and several documents refer to information retrieved from there. There is nothing to show that data was ingested into XKEYSCORE and absolutely nothing to show that the employees' personal emails were in XKEYSCORE.


XKEYSCORE holds metadata, it seems. One document explicitly stated that they knew the Thailand employee was emailing PGP encrypted files because of data they retrieved from XKEYSCORE. He then became a target as a result.


Op sounds like a shill. Seen that before in other related threads...


But you might do something wrong. Or something innocent you did today may be illegal tomorrow. And when those days come, the NSA is ready and watching.


They are already targeting me with a vast array of unconstitutional practices... and I'm just someone who is studying medicine and engineering...


This should be the top comment.


As other people have stated here, security is a justified means to an end to those who practice it.

I cringe a little bit whenever someone starts on the "first they came for..." monologue. Not because it isn't true, but because it first was used talking about the Jews in WWII Germany. You're effectively playing the Hitler card in a debate that isn't about Hitler.

The US was built in part by this type of security. Chances are things would be very different here if the security professionals over the years made decisions based on moral qualms.

I am playing the devil's advocate, but when you look at the Senate, it's hard to actually point a finger at the intelligence agencies. This is the world we have made, fear mongering hardly fits into this argument, and certainly adds nothing of substance.


What kicked off this whole thing was Clapper lying to the elected representative about what the NSA was doing. That was the trigger event that caused Snowden to finally leak his cache. So I don't think you can totally blame Congress or the Senate, even though they surely have deep problems.

The US was not built by this type of security. What the NSA is doing only became possible quite recently. It's just in a whole other world to what was previously imaginable.


I understand why that might make you uncomfortable, and I do hesitate to make such comparisons. But, you know who cringes when they hear about the surveillance apparatus that we are building in the Five Eyes countries? Germans.


I cannot imagine older citizens from the former Eastern Bloc countries feel very good about it either.


Yes, this is a valid and timely point. On a side note, I hope that the companies and corporations that will come out of the startup scene in Germany can help to counterbalance the overreaching. There is certainly demand for progress in the direction of personal privacy, and Germany seems well suited to spearhead that movement.


Berlin is first choice of several high profile US citizens who have become fed up (or had to leave) due to US bullying


Personally, the biggest take away to this is the invasive targeting of completely innocent and ordinary people simply as a means to get access to things the NSA needed (SIM card keys). We have concrete evidence they nailed people's personal email accounts and social networks merely as a means to get crypto keys en masse. Sure, the potential mass surveillance is exceedingly problematic, but that's mainly problematic because of the potential for abuse. Abuse that we either assumed would happen or already had, but as far as I know there was little direct evidence of.

The absolute lowest bar for surveillance seems to be that a government doesn't use it to intentionally target innocent people/those not in the game (hell, let's lower it even further to be only people the government themselves believe are innocent).[0]

That potentially allows dragnet collection of data if no one looks at it. It might allow hacking just a company's servers to get access to third party data. It probably allows you to spy on foreign heads of state (even if it's a boneheaded move). But it damn well doesn't allow you to go through the personal communications of people who you know have done nothing wrong and aren't even working for someone who has.

[0] This is precisely the woefully low bar Obama has been espousing: “The bottom line is that people around the world, regardless of their nationality, should know that the United States is not spying on ordinary people who don’t threaten our national security and that we take their privacy concerns into account in our policies and procedures,”


I wonder how many years worth of jail time Aaron Swartz's prosecutors would be talking about if this'd been done by a mouthy kid instead of the NSA?

I wonder which non-US country, where the NSA's actions aren't made "legal" by secret FISA courts or acts of (US) Congress, will be the first to start throwing that kind of legal threat at NSA staff responsible for this?</wishful-thinking>


When you hold the Poisoned Chalice of Power you get to decide who is legally justified and who isn't. "Morals" doesn't even factor into things....unfortunately.


Only in a limited way though, the NSA can decide (or at least exert considerable influence over) what's legal in the US - but criminal actions in, say, The Netherlands or any other (non five eyes) country, cannot be "justified" or "excused" legally by another except those countries.

I guess a _lot_ of what goes on in state sponsored espionage happens outside the civilian legal system - at least in "major" countries - but surely there's scope for a criminal trial and civil damages case against NSA/GCHQ operatives when their espionage involves widespread network exploitation and privacy violation of corporate networks and staff. Crimes which would _clearly_ be aggressively prosecuted if committed by Anonymous Skript Kiddies or criminal credit card fraud gangs. Why shouldn't NSA agents be held just as accountable in this case by non US legal systems? Sure, root the embassy network and expect to be held diplomatically responsible if you get caught. Private companies and citizens though? Go to jail just like anybody else.


But if you've been following the Firstlook disclosures, and the response to it from different governments, you'll notice that they don't really want to hold anyone accountable - likely, they are all in on it some way or another.

Ireland rushed to retroactively OK British spying. Germany ignored it (with some theatrical "I'm insulted" remarks from Merkel, but no real action).

The assumption that any government out there actually wants to enforce its laws with respect to mass spying against its people is not supported by facts.


Germany's investigation found that it likely didn't happen and that the documents saying it did were possibly forgeries.

http://mobile.reuters.com/article/idUSKBN0JP1QG20141211?irpc...

> "the document presented in public as proof of an actual tapping of the mobile phone is not an authentic surveillance order by the NSA. It does not come from the NSA database.

> "There is no proof at the moment which could lead to charges that Chancellor Merkel's phone connection data was collected or her calls tapped."


Did you RTFA?


The one I linked? Yes. Did you? What did I misrepresent, exactly?


Plenty of spies on all sides have been killed and jailed over the years. If a country can prove a specific person committed a crime. But that's a lot harder to do with tech crimes.


But how do you identify an anonymous NSA hacker?


You send them all to Guantanamo Bay and beat a confession out of them?


What do you think spying is? By definition it is illegal. Other countries won't do anything but cry a bit because their hands aren't much cleaner.


...they will probably cry a bit and up their game. by a lot. Until someone stops just crying and boom.


How do you think the world actually works? Do you think that any other intelligence operation this past century didn't target similar people?

Take a look at the Cold War, most of the directly tasked targets of US and Soviet intelligence efforts were "small fish" with the right access, anything from a hotel employee to a secretary or a cook or even your hairdresser.

At least with this NSA thing they don't end up with 2 bullet holes in the back of their head at the bottom of a trash chute.

Spy agencies always have and always will operate in such a manner; really not sure why people still act in any sort of shock. This is the most basic tradecraft.


No they didn't. There are intelligence operations that you haven't heard of, and this is not an accident. Just because NSA is using brute force and does not care about the collateral damage, it does not mean that all of the secret agencies should do the same or are doing the same.


So they just decided to declassify or screw up all the intelligence operations that did just that to give themselves a bad rep?


I am not concerned about that. It is bad practice to damage security for all because of a few. This is all I am saying. It seems like a pretty bad idea to me.


Damage security? They didn't damage the security of the products because of this; if anything, what you should take from this is just how easily these products can be compromised in such a manner.

All the NSA did is to steal keys which they can then use to interdict cellular communications, it's not like they put in a weakness by design and then exploited it (which they might have done in other operations but that's a completely different story).

This thing is no different than the digital signatures on the driver used by Stuxnet ("oddly enough" both companies which were compromised were in the same industrial park just across a shared parking lot from each other ;)).

Sadly this level of operation is plausible to be committed not only by private intelligence agencies (which we had too many of already) but by crime organizations as well. I've seen cases of corporate espionage which were more complex than this one.

Instead of huffing and puffing at the NSA the proper lesson to learn from this is that cellphone carriers should stop relying on SIM card manufacturers in China and India for their encryption.

Heck, if the NSA can interdict equipment in transit to tamper with it, how hard do you think the Chinese intelligence service has to work to go down the street and just demand the keys straight from the source?

It's about good damn time that people start asking questions on who has access to the private keys which are used in so many day to day operations, from the keys used to authenticate your cable modem to the keys in the card reader you swiped your card through at your local coffee shop. The answer to this should force quite a few people to live in a hunting lodge in Montana for sure.

I in fact would be very surprised to find a single mass used commercial cryptosystem which is actually secure. Because with each and every one of those, the keys to the castle end up being in the hands of the lowest paid employees out there, and business practices will always force availability and serviceability over security.


Everything can be compromised. It is just a matter of enough resources (money really). Finding a security bug and actively using it and not exposing it publicly is kind of damaging security because the bug can be used by other organizations as well. Writing Stuxnet is an entirely different level. Actively deploying backdoors and compromising entire networks just to get to the target is a lot of collateral damage. Isn't it?

Actually there were certain projects that got pushed back, like IDEA from ETH Zurich or ECC from University of Washington, and other potentially vulnerable alternatives were promoted. ECC btw. is pretty strong for a very long time, even today, if you don't use the backdoored version...

http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A...


Eh? The NSA didn't push IDEA out. What pushed it out is the fact that, besides being substantially (esp. since 2013) less secure than AES and having poorer performance, IDEA was a registered trademark and was under a full patent, which meant implementing it (prior to the patent expiration in 2012) was a nightmare.

I also hope that you don't insinuate that ECC was "invented" by UW since elliptic curve cryptography was known for quite a long time.

By the backdoor I assume you mean the whole NIST curves fiasco. Well, besides the fact that it was in use almost nowhere, if you speak to actual mathematicians you'll find out that it wasn't a big deal. The NIST curve was more about performance enhancement than backdooring, although sadly for NIST and for the NSA it failed at providing both.

The big problems with ECC are that it's extremely susceptible to side channel attacks, especially in embedded implementations, and that if you have the capability to use quantum computing for cryptanalysis then to break ECC you'll need only about 25-50% of the compute time/power than you would need to break RSA.

Also, since ECC is asymmetric and quite resource consuming, it's not really used in encryption as much as you think. Sure, it's good in any situation where you can use PKI, but PKI is rarely used to encrypt actual data. The common uses of PKI are for authentication and initial key exchange; data encryption, whether it's at rest or in motion, is usually based on symmetric encryption.


"Personally, the biggest take away to this is the invasive targeting of completely innocent and ordinary people"

Nothing new here - as the Belgacom hack has shown already.


So I may have missed the details. I thought we knew they hacked Belgacom, but no one mentioned going through employees' personal email and social networks (though in light of this, we can assume they did). If they did mention it and I missed it, sure, nothing new. But the same entire thing then just applies to that instance too.


> While working to assess the extent of the infection at Belgacom, the team of investigators realized that the damage was far more extensive than they first thought. The [ed: NSA] malware had not only compromised Belgacom’s email servers, it had infected more than 120 computer systems operated by the company, including up to 70 personal computers.

https://firstlook.org/theintercept/2014/12/13/belgacom-hack-...


I don't remember the reporting on the Belgacom hack mentioning that they were casually querying X-KEYSCORE as they reportedly did here to identify potential targets.


See the comment below in this subthread. You are right, no mention of XKEYSCORE but they pretty much owned their whole mail server(s).


Indeed,

It is gradually recursing backward to "invasive targeting of completely innocent and ordinary people simply as a means to get access to more innocent and ordinary people in order to ...etc"


Look, if your uncle's boss doesn't have anything to hide, you have nothing to fear.

Alternate version: If you aren't three or fewer connections away from anyone with something to hide, you have nothing to fear.


Preface: this is not a defense.

It's worth remembering that some tools are only useful with lots of data about innocent people. Some forms of network analysis fall into this category, I believe.


Sure.

Let's suppose it actually was a valid defense. But what does that have to do with going through the Facebook and personal email of individual employees to know who to target? That was done up close, in person, by hand. By any definition, those people had their privacy specifically and intentionally violated by actual human analysts.


Intelligence is one of the few rare fields based wholly upon the idea that the ends justify the means. There are no easy answers there.


The end in this case being the ability to decrypt cellphone traffic. And what will that capacity be used for? Spying on foreign nations? Halting nonexistent terrorist plots? Further secret surveillance of American citizens?

If we judge the means by the ends, I do not believe that their end provides sufficient justification for their means. They appear to believe otherwise, however they fail to offer any evidence for their perspective; as an American, I am feeling ever more alienated from the organizations which were theoretically founded for our benefit.


Decrypting cellphone traffic is also a means. It's a means towards information and human connections and so on. That's the sort of stuff that can make or break an operation.

Did it? Has it? Unknown.

The trouble with intelligence is that it's only effective when done with secrecy and fairly broad latitude to operate. There are few easy answers here.


A fairly broad latitude? If the ends justify the means and yet the ends themselves are kept completely hidden, then the latitude, as you put it, is completely unconstrained. An intelligence agency operating under those principles can literally do anything claiming that it is for the greater good.

In short, it sounds like you are advocating for an agency which can take arbitrary extralegal action at its own discretion, without providing reason or explanation, and without providing any demonstrable benefit to anybody, because it's secret.

Frankly, I find the idea terrifying. I understand that intelligence agencies need some quantity of secrecy and some degree of latitude. Like you have repeatedly stated, there are no easy answers. But that doesn't mean we shouldn't ask the question. What the hell are these people doing, and should we let them continue? What is growing in our intelligence sector -- is it an institution that will be found to have brought the world benefit, like Bletchley Park, or will it be seen to have become a thin facade over a malignant, self-interested organization, potentially culminating in something like a secret police?


We have a secret police now: what else do you call an organization that secretly collects information against the nation's own citizens to be secretly passed along for 'parallel construction'? That kept this policy itself a secret? Theoretically it's as a byproduct of foreign intelligence-gathering, not a primary function, but this frog feels the pot to be plenty hot already.


I agree, except for "now". That's clear from Bamford's books. For example, federal charges against the Weather Underground Organization were dropped in late 1973 after a screwup in parallel construction. In 1973, hardly any civilians had ever heard of the NSA (aka "No Such Agency") and they wanted to keep it that way.


You misread me. I am not advocating for anything. I am commenting on the constraints and issues of the problem space.


Can you please provide your definition of intelligence?

I would argue that theoretically, a government (or other entity) could use intelligence but use it within a set of moral and/or ethical guidelines that uses a system of checks and balances.


Intelligence is the dirty-but-necessary stuff that makes it possible to accurately guide diplomacy, economic policy, trade, and military action to achieve the desired goals of a nation-state for a minimum of cost. It includes internal security.

Generally, intelligence cannot operate openly, even under a strict set of guidelines. Further, there will always be situations where efficacy runs into guidelines and something has to give. Would you be willing to violate the privacy of one person to prevent an attack that would kill five thousand? How about a dozen people's privacy? A hundred? A thousand? A million?

As I understand it, those aren't purely theoretical questions in the world of intelligence.


> Would you be willing to violate the privacy of one person to prevent an attack that would kill five thousand?

Why don't we skip the suggestive "thought experiments" and look at some facts instead.

A grand total of 3467 people in the USA have been killed by terror attacks since 1970[1].

In the same timeframe 2091 Americans were killed by lightning strike[2] and roughly 102.000.000 died of old age.

Please explain how these numbers justify the NSA's yearly budget of $75 billion dollars, and their documented, ongoing violation of millions of people's privacy.

[1] http://www.start.umd.edu/gtd/search/Results.aspx?chart=fatal...

[2] http://en.wikipedia.org/wiki/Lightning_strike#Epidemiology

[3] http://money.cnn.com/2013/06/07/news/economy/nsa-surveillanc...

[4] https://firstlook.org/theintercept/2014/08/25/icreach-nsa-ci...


> Generally, intelligence cannot operate openly, even under a strict set of guidelines.

Can this claim be substantiated with evidence?


No. Otherwise police departments would be unable to do anything and would cease to exist. Police operations vary in secrecy but even the most secret eventually stop being so, as there is a need to actually prosecute.

The idea that "spys gonna spy" is one we need to start collectively challenging. Why do we need these organisations at all? If NSA/GCHQ were wound up and their technical specialists re-allocated 80% to domestic law enforcement for computer forensics purposes, and 20% to a new dedicated counter-intel-only organisation, would the sky fall? I doubt it.


Have you examined your proposal for drawbacks?


Would you be willing to violate the privacy of 6 million people to commit genocide?


It's interesting because last I checked Obama/NSA were saying they don't collect content, only metadata (that harmless, harmless metadata [1]). If that's the case, why were they so interested in the SIM key?!

[1] - http://justsecurity.org/10311/michael-hayden-kill-people-bas...


Because they were useful for targeted surveillance? Not that I agree with the means or the scope, but there's an above board explanation for the desire to get the keys. Suppose you have a handful of phones in Pakistan or Iran you need access to very covertly (e.g. some rogue guy in the ISI where getting caught snooping has major consequences). The least risky way to access his communications is to get the keys. The least risky way to do that is to get them from the broadest source possible (to obscure who you're really interested in) and the one most removed from your target. So there's a legit reason to want the keys, even if you're only targeting a few legit targets.

But the means of doing so is truly questionable, even given all their assertions about trust us and we don't look at everyone's stuff.


The metadata qualifier is about U.S. domestic data gathering.

There's no such limitation on their activities outside of the U.S.

(Hence there is no reason to make an inference about what capabilities they would attempt to build out)


Strange to see anyone still believing American officials.


In 2007 I worked with Gemalto when they ported a Java/PKCS #11 Chip & PIN implementation to the .NET Micro Framework/CAPI for Microsoft, who were using it for challenge/response authN on a remote access project for the UK Ministry of Defence. There was a case study of the project on Microsoft.com, but it seems to no longer be there.

Anyway, this sucks because the Gemalto guys I did this with were to this day among the best vendors I've ever worked with. Really awesome guys, smart, and incredibly willing to share what they knew and did. And it's somewhat ironic that Gemalto are trusted by the UK MoD for sourcing their smart card components in Europe.

So much for keeping it local to avoid hacks.


Personally, my biggest takeaway is that anything centralized is compromised, period.

Any centralized system is such a juicy target that the NSA will compromise it. The only way to avoid dragnet issues is to decentralize and force the NSA to expend resources at the edges.

This doesn't mean that you can make an individual target secure. The NSA can always outspend you. But you can prevent the NSA from easily just vacuuming up everybody cheaply.


Agreed. I still wait to learn that AWS is compromised on a huge scale too. No word yet - mark this post and let's see and wait.


replying as breadcrumbs.


Yet you still have to carefully cloak yourself, otherwise you will bring more attention to yourself.


> The document noted that many SIM card manufacturers transferred the encryption keys to wireless network providers “by email or FTP with simple encryption methods that can be broken … or occasionally with no encryption at all.”

If that's true, then NSA/GCHQ aren't the only people who could have grabbed a big pile of keys.


I can confirm this. In many cases these keys are exchanged over email with simple DES encryption and a key known to everybody in the business (pretty obvious key BTW). It really boils down to the security procedures in place between the SIM manufacturer and Mobile Network Operators.


I want to chime in to offer the counter. I used to work for Gemalto. I'm not exactly sure which keys you are talking about, but when I was there Gemalto's standard practice for the transfer of the keys mentioned in the article--individual SIM embedded keys--was to use AllynisConnect (which I only mention because it's easily found on Google) to facilitate the transfer of individual SIM keys to the customer. Obviously I'm not going to comment on the details of the cryptography involved, but it was much more considered than "simple encryption methods or no encryption at all."

Notably this mechanism would not protect the keys against an attacker who was inside Gemalto's or the customer's secure network, as seems to be the case here.

I'd be interested in knowing which keys specifically you are talking about.


In many cases you have specific procedures in place for security-conscious MNOs, but some of these procedures are such a pain that you inevitably end up finding workarounds to get the business going, e.g. email or USB tokens between various people who are not supposed to have those keys. Of course security officers and other officials are not aware of this. Dig through any sales mailbox and you will find CSV files (usually called output files) containing Ki encrypted with simple DES. I'll let you ask around to learn which DES key is most often used. Disclaimer: this is not specific to Gemalto.
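
The leak path described in the comment above (key files travelling through ordinary mailboxes as CSV attachments) is something a mail gateway or DLP rule can look for by value shape. This is an added example, not part of the thread or of any vendor's tooling; the column layout, delimiters, threshold and sample records are assumptions constructed for illustration.

```python
import re

# Match on the shape of the values rather than header names, because file
# layouts differ between vendors and operators (assumption).
IMSI_RE = re.compile(r"^\d{14,15}$")        # subscriber identity
ICCID_RE = re.compile(r"^89\d{17,18}$")     # card serial, telecom prefix 89
# A Ki is 128 bits: 32 hex characters. Wrapped with a 64-bit block cipher
# such as DES it is still 32 hex characters (no padding) or 48 (one padding
# block), so the rule fires on plaintext and on weakly wrapped keys alike.
KEYLIKE_RE = re.compile(r"^(?:[0-9A-Fa-f]{32}|[0-9A-Fa-f]{48})$")
SPLIT_RE = re.compile(r"[,;\t ]+")          # assumed delimiters


def scan_attachment(name, text, min_rows=3):
    """Count rows that pair a subscriber/card identifier with a key-sized hex
    value. A handful of such rows is enough to treat the file as key material."""
    rows = hits = 0
    for line in text.splitlines():
        cells = [c for c in SPLIT_RE.split(line.strip()) if c]
        if not cells:
            continue
        rows += 1
        has_id = any(IMSI_RE.match(c) or ICCID_RE.match(c) for c in cells)
        has_key = any(KEYLIKE_RE.match(c) for c in cells)
        if has_id and has_key:
            hits += 1
    return {"name": name, "rows": rows, "hits": hits, "block": hits >= min_rows}


def triage(attachments, min_rows=3):
    """attachments: dict of filename -> decoded text. Returns names to quarantine."""
    return sorted(
        name for name, text in attachments.items()
        if scan_attachment(name, text, min_rows)["block"]
    )


def constructed_output_file(n_cards=5, sep=","):
    """Build a fake 'output file'. Every value here is constructed, not real."""
    lines = [sep.join(["IMSI", "ICCID", "KI"])]
    for n in range(1, n_cards + 1):
        imsi = "00101%010d" % n      # 001/01 is the test network code
        iccid = "89%017d" % n
        ki = ("AB%02X" % n) * 8      # 32 hex characters, obviously fake
        lines.append(sep.join([imsi, iccid, ki]))
    return "\n".join(lines) + "\n"


# Constructed benign attachment for comparison.
BENIGN = (
    "order,customer,amount\n"
    "1001,Acme,250.00\n"
    "1002,Globex,99.50\n"
    "1003,Initech,12.00\n"
)

if __name__ == "__main__":
    mailbox = {
        "output.csv": constructed_output_file(),
        "orders.csv": BENIGN,
    }
    for name, text in mailbox.items():
        print(scan_attachment(name, text))
    print("quarantine:", triage(mailbox))
```
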


Unfortunately that is very possible, and of course I can't speak for other companies. I will say that Gemalto has internal access protection for these and other information.

Of course, there are lots of things I didn't have visibility on and it is possible that I am overly optimistic.


Why does there have to be any key transfer at all? Why are they not generated in a more decentralized manner, at the manufacturer for example? Why are there servers for the NSA to hack where they can exfiltrate the keys in the first place?

Information minimization and avoiding single points of failures could have prevented this.


Because that's how you make money before thinking about security. Centralize and cash in.

My understanding is that the root of the SIM cards is always "owned" by the company sourcing them.


https://allynisconnect1.gemalto.com/jsp/tp_logon.jsp

Great - on the open net. No 2FA visible in the first peek.

Way to fuck your customers' customers' privacy.


WTF. That is sloppiness on our shoulders. And you knew about that? Did you report it up on your line of command?


There are three things that happen when you report negligence "up the line of command".

1. You get ignored.

2. Your boss (or coworkers) make you want to quit.

3. You get fired.


I came here to comment on this too. This is astounding. I can't even. Moxie et al. are looking better and better with each week that goes by.


This is exactly why Intel's upcoming SGX worries me greatly, too. NSA could get the "key" to all SGX machines and therefore to all applications using SGX to secure themselves properly (ironically enough) [1].

Intel really needs to figure out how to protect the SGX system against such a key robbery, and not by promising to only give access to a couple of employees in the whole company who know a very special hand-shake. Intel needs to modify the SGX system in such a way that you don't have to trust Intel (or anyone hacking Intel) to keep the key secure, even if that means the company not giving itself access to SGX at all (which includes not having the ability to update it).

[1] - http://blog.invisiblethings.org/2013/09/23/thoughts-on-intel...


You mistake the point of SGX. The point of it is a reincarnation of treacherous computing. Intel SGX requires remote attestation. This means that YOU, the owner of the device, are not trusted. To have 3rd party keys would mean they would have to trust you. With trust in you, how could it be marketed to the copyright owners? The answer is that it cannot. The point of Intel SGX is to deny ownership of the device to its owner.

But yes, any situation like this where you cannot be trusted means a hacker can gain a higher level of trust than you if they break the security.


SGX does not require remote attestation. Just like all prior TC platforms, it offers remote attestation but there is no requirement that it be used.

By the way, very frequently the owner of a computer is not in fact trustworthy. Situations where that occurs crop up all the time in security engineering.

For example a big use of TC is making Bitcoin wallets that are secure against malware. There are other uses too, like safe outsourcing of private data storage/computation to the cloud.


Yup, cloud is a major motivation for SGX (see e.g. https://www.usenix.org/system/files/conference/osdi14/osdi14... for an example of how it might be put to use). I think it is a good idea for making it more difficult for malicious insiders to mount an attack, but any claims of it protecting you from the NSA are laughable given Intel will probably hand over keys to them anyway.


What is problematic here is that the legitimacy of almost all information exchanged in a digital form has been lost almost entirely. How much longer must we presume ignorance in what is really happening? How much longer will the innocent be bullied through technological and psychological means to promote the interests of the current national security apparatus with interests entirely different than the rest of America/World? What happened to Aaron Swartz is only a taste of what is happening to the rest of us who believe these types of activities are unethical and a violation of constitutional law. Do we honestly believe that this isn't being used for insider trading, to capture sensitive medical information, and steal other trade secrets that should be protected by law? Wake up America. We need to stand up against this digital tyranny.


How many silicon valley patriots would support this outrageous attack?

It was one week ago that Obama was arguing that this kind of activity is necessary.

http://www.newyorker.com/business/currency/stanford-obama-ti...

This is not a republican/democrat problem. This is an institutional problem. We need comprehensive reform of both parties and it should be followed by a purging of the existing federal machine.


the call to revolution falls upon the deaf ears of the well-fed in the silicon valley, my friend.


Interestingly this is about Gemalto, a company with a remarkable history.

Remember times when the USofA wasn't adopting the smart card technology? Well, it had something to do with this chip technology (crypto) being a foreign technology which coincidentally was the property of the French company Gemplus.

At the turn of the millennium a US investment fund (Texas Pacific Group) managed to find its way into Gemplus' capital after a couple of denials, which is the start of what is known in France as l'affaire Gemplus. To summarize, instead of helping to conquer the US market, TPG used its power to change the board of directors (and choose Alex Mandl as the head), initiated rounds of layoffs and moved the R&D to the US to take control of the sought-after technology.

The whole thing is shown to be an operation of the C.I.A. through In-Q-Tel to take control of the chip card technology and possibly insert backdoors before exporting. Slow to react, it takes several years for the French government to create its own version of In-Q-Tel called "Fonds Stratégique d'Investissement" and try to reclaim Gemplus, now Gemalto, by becoming the majority stakeholder with 8% of shares in 2009, a move that happens too late, and TPG, having gotten what they wanted, sells its share a year later.


I always wondered if HSMs are at risk to be compromised at the core (read: the manufacturer) such as those from SafeNet (in use e.g. with Box.com on their enterprise external HSM plan).

And guess what, Gemalto merged with SafeNet the other day.

http://www.safenet-inc.com/SafeNet-Gemalto-Merger/

Everything is compromised. Everything!

References:

https://www.box.com/blog/breaking-the-last-barrier-to-cloud-...

http://www.safenet-inc.com/data-encryption/hardware-security...


This is yet another good argument for TextSecure and RedPhone, which don't depend on the SIM card encryption.

https://whispersystems.org/


While certainly a step in the right direction, the lack of an open baseband remains a huge problem, even with TextSecure. Any smartphone has a whole separate OS running, with access to the system bus and memory, that we generally have zero visibility into. There could be exploitable bugs, there could be actual backdoors, and we just have no idea. If you truly want to secure data, you need to use an airgapped system with hardware that is much more open.


Indeed. Samsung baseband was found to have a backdoor to read files in the phone.

https://www.fsf.org/blogs/community/replicant-developers-fin...


That should be a solvable problem, aren't there tons of operating systems professors and electrical engineers around in Europe that could in principle develop an open baseband chip and operating system? Germany and France should have an interest that their communication can't be trivially backdoored by the NSA.


Main issue is there are really no specifications available on many things. Also it will be nearly impossible to pass certification, so no real manufacturer would use it.

If you want more details you may check OsmocomBB site and IRC.

> Germany and France should have an interest that their communication can't be trivially backdoored by the NSA.

Nobody is saying that governments don't have trusted hardware with only their own backdoors. In almost every country manufacturers have to provide source code and specs in order to pass certification, so gov does have everything needed.

Though that doesn't help anybody else, as it will never be open.


Manual baseband isolation via mobile hotspot and nexus 7, does the trick for now


Until the AMSS in the hotspot is compromised and used to attack your Android device via wifi.

This applies to mobile hotspots built around Qualcomm baseband/application processors, in other cases you would have to exploit the main CPU first.


Well, at least that requires two exploits/backdoors, instead of one.


Modern basebands are sandboxed, from what I understand. Partly because phones kept getting unlocked through exploiting baseband bugs and that messes with carrier subsidies.


The problem with these sorts of on-phone-afterthoughts are that they are just lipstick on a pig.

You are still being tracked (GSM, wifi) and vulnerable to local hacks. Due to the nature of the devices (millions of identical devices are produced for major models), their distribution patterns (model selection led by fashion and price point), their homogeneity (two dominant embedded OS platforms only), their complexity (leading to a very large potential attack surface), and their ubiquitousness (your phone number, IMEI, local physical cell, or email address is probably terribly easy to find) it would be extremely foolhardy to rely upon the security of a modern, commercially available handset.


It's unfortunate that the free Linphone for iOS crashes since the last update... it offers standard ZRTP calls for iOS.


Yet they do depend on a good RNG, don't they? Is that a given on common smartphones these days?


I'm not sure about hardware RNG, but many if not most phones have sources of 'random' environmental data they can use to generate a random number such as cameras and phone movement.

https://security.stackexchange.com/questions/42428/is-genera...


At some point, people have to begin to realize that this has progressed past "looking for terrorists."

Statists are gonna state, I guess.


The article specifically cites the mobile phone networks of Iran, Yemen, Afghanistan, and Somalia as targets. One is a state sponsor of terrorism, the other three are places where the US is actively fighting terrorism.


You conveniently left out Iceland, from the very same sentence that is the source of what you listed. As far as I know, Iceland is innocent of terrorism accusations from the US. (OK, benefit of the doubt: maybe The Intercept added Iceland to the article later, or you genuinely didn't see it.)

Anyway, you really think the "bad countries" you named from a 5-year-old document are an exhaustive list of what they've got today? You think the agencies won't scoop up any other countries' keys, including the United States', just in case their metadata graphs later suggest sleeper agents in "the good countries"?

I'm too ticked to make a good argument about morality or lack thereof right now, so I'll just leave it here. They hacked and surveilled non-terrorists to get the keys, and got the keys of at least one "non-terrorist country" (Iceland), so no, I don't find your argument convincing, and I think the parent post's point stands.


From the Intercept article it's not clear why this type of data was collected from an Icelandic carrier. The linked graph appears to show 100 IMSIs from Iceland, as opposed to 100,000 from Somalia* and tens of thousands from Afghanistan. It's possible that the Iceland data was acquired incidentally because it happened to come from the same sources that were sending data on more interesting countries. It's possible that there's something of value to be learned in Iceland. I don't know. The Intercept gives us very little context as to the actual products that the intelligence agencies produce. [Edit: Page 11 of this document indicates that the acquisition of keys from Iceland and Tajikistan was unexpected and that those countries were not targeted: https://firstlook.org/theintercept/document/2015/02/19/pcs-h...]

I don't dispute the fact that the US government has intelligence-gathering priorities that don't involve terrorism. I would argue that at least one reason terrorism is discussed is that there are diplomatic consequences to saying one spies on foreign governments. I also agree with the more cynical view, that terrorism is cited as a rationale because terrorism is scary and something opposed by everyone the US is trying to convince.

I believe very strongly that the world would be a lot safer if the US government knew certain things like the intentions of the Russian leadership and the capabilities of the Russian armed forces. Or the state of the Iranian nuclear program and that country's negotiating position. Or what exactly is happening on the ground in the midst of all the chaos in Libya or Syria or Yemen.

The answers to these questions will determine the fate of entire regions of the world.

*A subsequent document puts a later figure for Somalia at 300,000.


In the interest of the fuller picture, thanks for noting that Iceland and Tajikistan were incidental. I don't know that we have a definitive answer from these docs on whether those keys were even saved. Even if not, it's unsettling that an "automated process" turns up keys "not on the list of interest." The article even says the "system failed to produce results against Pakistani networks, denoted as “priority targets” in the document."

I don't know how far I'd be willing to go to effect a hypothetical, unknown increase in safety and control. I do know that the US government and its allies are destroying the reputations of innocent companies, the peace of mind of hundreds of Gemalto/network employees who will now be wondering if they were personally hacked and to what extent, and the human rights of privacy of hundreds of thousands of people who use SIM cards. Is it worth it? I guess we'll never know, and I don't think the spies can truly say either.

Maybe some of that falls on leakers' shoulders too, but in any case it's not very confidence-inspiring that lowly people like Manning and Snowden were able to steal what they did.


How is Snowden still producing high-level stuff like this?

Did he really steal info on that many headline-worthy stories all in one go, or does he have fresh sources?

Sometimes this feels like another instance of what I call the "Weird Al phenomenon", where any person who hears a silly parody of a pop song attributes it to Weird Al, because "wait, you're telling me there are other song parody writers?"


It's safe to assume that the vast quantities of documentation he liberated have enough newsworthy material in them to last those with access a very very long time.


Greenwald and Poitras have said this publicly many times. They have years worth of material to report from the cache of files.


Perhaps more charitably, it will take them a very long time to parse it. It's too bad that they can't responsibly crowdsource the work.


It's also likely or possible that other disclosures are labeled under Snowden in order not to compromise or reveal the existence of a new source.


In fact, Bruce Schneier believes there's another, unknown NSA leaker besides Snowden: https://www.schneier.com/blog/archives/2014/08/the_us_intell...


It was already confirmed in the documentary CITIZENFOUR


That's the third leaker, not the second one.

1. Snowden

2. Unknown NSA leaker

3. Unknown National Counterterrorism Center (NCTC) leaker


This is all part of the initial haul. They're checking all the documents one by one to make sure they don't reveal information that would make intelligence agents and others at risk. They've partnered with quite a few media organizations to spread the workload. Amusingly enough, you could say that Greenwald et al. are doing the OpSec the NSA should have been doing in the first place. :)


I think it's safe to say NSA/GCHQ are not the only ones in the game who have hit this target.


On that note, I wonder if their compromising of these systems affords the target any sort of immunization from attacks by other actors.

It would make sense that NSA/GCHQ wouldn't want their foreign competitors to share in the prize, and it would also be congruent with their interests to not afford competing actors access to such a prize.

Then again, this notion is likely far too romantic. The reality is probably closer to one where foreign actors have compromised everything just the same.


Sometimes denying data to others is as good as advertising that someone else got there first. So you might want to leave the treasure trove in place so that nobody else figures out you have it.

Intelligence is wheels within wheels within wheels...


Good point. However, it might be possible to deny adversaries without alerting them to the fact that they were denied in the first place.


Depends how advanced the adversary is. It also depends on if you want to deny them, because you might learn something by watching what they do. Or you might feed them false data and see what happens.

Aren't mind games fun?


and the inverse is that there can be good intel gleaned by watching who else is trying to get in.


And you can learn a lot by letting them in and seeing what they look for.

Emphasis on can, of course.


Remember when hacking Sony was an act of war?


I think one of the big issues here is that for an intelligence agency, good defensive security is essentially silent. There's not a lot of money or political capital in "nothing broke today."

On the other hand, good offensive capabilities, even if kept secret externally, are loud and flashy within the organisation, and come with lots of political capital beyond it.

Because of this asymmetry, I think it's almost impossible for an intelligence organisation to stop its "defense" mission being swallowed by the "attack" one. And so we all end up less free and less safe.

I do sometimes wonder what the world would be like if the NSA took it as its mission to secure the internet and chain of encryption, rather than constantly breaking it. If, for example, they used their resources to seek out vulnerabilities and exploits and fix them.

Maybe such a world is impossible. But I do think there's a valid space for a national cyber defense organisation that runs counter to this trend, that acts to shore up the infrastructure rather than constantly subverting it.


I donate to the EFF whenever possible. What else can I do to fight these bastards? I think the NSA is a threat to humanity and I feel helpless.


French press is trying to connect Gemalto and NSA. Common denominator is Alex Mandl. He's currently Executive Chairman of Gemalto. Previously, he was in Board of Directors of In-Q-Tel which is a CIA company.


One notable line:

"GCHQ operatives identified key individuals and their positions within Gemalto and then dug into their emails. In one instance, GCHQ zeroed in on a Gemalto employee in Thailand who they observed sending PGP-encrypted files, noting that if GCHQ wanted to expand its Gemalto operations, “he would certainly be a good place to start.”"


Does that suggest they have an exploit in PGP?


One key thing that stood out to me was this:

> [GCHQ operatives] noted that the use of PGP could mean the contents were potentially valuable.

This is a good reminder that encrypting everything is important for security. Only encrypting valuable or sensitive information provides information to an attacker on where they should focus their efforts.


Ironically Gemalto also tracks statistics on data breaches -- guess they ought to update their numbers?

http://www.cso.com.au/mediareleases/21603/gemalto-releases-f...


Do they want me to be apathetic about the actions of our government? I'm getting close.


You should read "The Crisis of Democracy", in short yes, you are supposed to be apathetic, the people in power get uncomfortable quickly if you take an interest in what they do.


Since the US and British governments operate on the premise of invading the privacy of all citizens without warrant in order to prevent a handful of bad apples, should other countries consider a temporary blanket ban on all US citizens from visiting to their countries in order to make a point?

I know that only 4% of US citizens have passports, and most countries rely on US trade, but still it would certainly send a message?

Simplistic I know but somehow we need to voice our dissatisfaction with the way things are headed. Foreign citizens can't change US policy, only US citizens can vote out their corrupted system.

The privacy of non-US citizens is considered as fair game. We have no comeback presently.


>I know that only 4% of US citizens have passports

You're off by an order of magnitude. It's actually about 38% [0]. Bear in mind Americans even need a passport to travel to Canada or Mexico now.

I also do not think that preventing Americans from travelling abroad will improve their global perspective.

[0] http://travel.state.gov/content/passports/english/passports/...


Isn't the NSA breaking US law by hacking into a commercial entity's network?


Which is probably why GCHQ was the one doing the actual hacking. NSA just got a share in the prize.


That seems to be the real value in the Five Eyes network.

Each member can undertake surveillance of the domestic communications of the other members, thus absolving the own-state surveillance apparatus from claims of domestic spying. But the poisoned fruit may be (and appears to be) freely shared.


If I receive and use/sell stolen property, I've broken the law even if I didn't steal it.

I would think if anyone could work their way through the "standing" restrictions, it could be shown in court that the NSA violated the Constitution by receiving "stolen" surveillance data.

The reason why we have the 4th Amendment is not because the act of spying is feared (as egregious as that is), it's because of what the government might do with the results. So receiving the data violates at least the spirit of the constitution, and I would think the letter also.


Maybe. Seems to me that there's a bit of an issue with the general operating mode of an intelligence agency. I've said in the past that I wasn't generally overly concerned with stories such as the NSA's reported monitoring of German chancellor Angela Merkel -- which later reports suggest might _not_ have happened -- apparently they're not even totally up on which close national ally heads-of-state they're spying on. But keeping tabs on other countries -- even friendly ones -- yeah, that's part of the basic remit.

But an organized "we'll spy on yours if you spy on ours" arrangement, particularly with a "don't ask for it, we'll just give it to you" understanding. That's violating the intent of legal and constitutional protections every which way.

At the same time, if a talent scout in North Whateveristan gets handed a sheaf of goatskins exfiltrated from the local TCP-over-parchment connectivity provider, the legality of that data's acquisition shouldn't be a hindrance.

But if North Whateveristan happens to be a friend and we're concerned with what the goatskins reveal, then breaking that information to the government (or other friends in slow places) should be possible at some level.

If there's a resolution by law in this, it's likely going to have to require explicit controls over how and when data of a given nation's nationals or residents is provided to that nation. And bars on mass transfers.

Perhaps mandating them outside intelligence services through diplomatic channels?

At least that'll give Wikileaks a sporting chance.


> But an organized "we'll spy on yours if you spy on ours" arrangement, particularly with a "don't ask for it, we'll just give it to you" understanding. That's violating the intent of legal and constitutional protections every which way.

That is exactly my point. And it's horrible, it's the government thuggishly wiping its ass with the Constitution. East Germany would have swooned in ecstasy at all the intelligence porn collected by the NSA.


The NSA is freely admitting to direct domestic mass surveillance at its website which details the extent of the domestic spying, the search, seizure, and indefinite storage of ALL citizen electronic data. The fact that there is no discussion or disagreement of this in the US media and among US Citizens is tacit approval given the transparency shown by the NSA Domestic Surveillance Website: http://nsa.gov1.info/utah-data-center/


You are aware that you are getting your information from a parody site, right?


Laws only apply to people without power in the United States.


the first line from the one-page-PDF source for the article is:

   "Billing servers to suppress SMS billing"
were the GCHQ risking bankrupting the government because of abusive SMS billing from the telcos?

[1] https://firstlook.org/theintercept/document/2015/02/19/cne-a...


Sadly this would be an excellent application for the CFAA except that the agencies involved are immune from its prosecution.


Maybe so, but ...

> Additionally, the spy agency targeted unnamed cellular companies’ core networks, giving it access to “sales staff machines for customer information ...

So these corporations had customers' personal data stolen. I believe they're obligated to inform those customers, and possibly other obligations. (No direct knowledge, just spouting off what I've read during the Target and Home Depot breaches.)


Gemalto doesn't just make sim cards. They also make OTP tokens - http://www.gemalto.com/readers/tokens


And HSMs since their merger with SafeNet.


And yet for some reason the idea that data should be separately encrypted at every protocol layer is something people fight.


Shouldn't TLS/GPG/OTR/etc have our backs on this anyway (at least on the data-side of it)? I mean, they can now intercept and read any mobile data traffic, but that traffic usually has layer-specific encryption as well (eg: TLS for banking). Doesn't that cover us? Am I missing something?


I'm wondering if this also involves stealing keys that secure the Gemalto AWS multi-factor auth devices.


It doesn't justify the NSA/GCHQ's actions but the fact these keys could be stolen like that mostly means mobile communications were never really secure in the first place.

I am every day more appalled by the scale of the data breaches we learn about every week.


I've always regarded encryption that is not end-to-end as a gimmick.


Surely this has got to be illegal. When will the lawsuits commence?


At this point, if you are surprised by this, you should not be working in the security field.


So, should I get a new SIM?


You might start with asking your mobile operator how they react to this compromise.


Nothing new. At this point nobody should consider any closed source encryption like something even nearly trustworthy.


That has very little to do with this particular attack. The NSA did not attack the proprietary code, which uses standard, open, and publicly-known and documented cryptographic operations, by the way. They compromised the key custodians.

While I agree in principle about open source, using purely open-source software would not have provided any defence here.


> While I agree in principle about open source, using purely open-source software would not have provided any defence here.

In open source software / hardware there wouldn't be a "master key" that can't be changed and that has to be used by telecoms. Yeah, of course, no doubt the NSA may penetrate the network of every one of them, but it would be a lot more costly.


No, really, this isn't about open source stuff.

Any architecture that requires pre-shared symmetric keys is going to have this problem. The fix is architectural, not open sourcing stuff. From what I understand LTE is significantly better.
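The pre-shared-key property discussed in the comment above, as an added example that is not part of the thread or any commenter's code: anyone holding a copy of Ki can rederive the session key from the challenge sent in the clear, and a replacement SIM only protects sessions keyed after the swap. Assumptions: HMAC-SHA256 stands in for the operator's A3/A8 algorithm, a SHA-256 counter keystream stands in for A5, and all function names and key values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed sample keys (128 bits, the size of a GSM Ki); not real SIM data.
KI_OLD = bytes.fromhex("00112233445566778899aabbccddeeff")
KI_NEW = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for A3/A8: derive (SRES, Kc) from the shared Ki and RAND.

    Real networks use COMP128 or MILENAGE here; HMAC-SHA256 is an assumption
    that keeps the same shape: 32-bit response, 64-bit session key.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def keystream_xor(kc: bytes, data: bytes) -> bytes:
    """Stand-in for the A5 cipher: XOR data with a keystream keyed by Kc."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(kc + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run_session(ki: bytes, plaintext: bytes) -> Dict[str, bytes]:
    """One authentication plus one encrypted frame.

    Returns only what crosses the radio link: RAND and SRES travel in the
    clear, followed by the ciphertext. Ki and Kc never leave either end.
    """
    rand = secrets.token_bytes(16)       # network's 128-bit challenge
    sres_sim, kc_sim = a3a8(ki, rand)    # computed inside the SIM
    sres_net, _kc_net = a3a8(ki, rand)   # computed by the operator from its Ki copy
    if not hmac.compare_digest(sres_sim, sres_net):
        raise ValueError("authentication failed")
    return {"rand": rand, "sres": sres_sim,
            "ciphertext": keystream_xor(kc_sim, plaintext)}


def recover_with_key_copy(ki_copy: bytes, capture: Dict[str, bytes]) -> bytes:
    """What any third holder of Ki can compute from a recorded session."""
    _sres, kc = a3a8(ki_copy, capture["rand"])
    return keystream_xor(kc, capture["ciphertext"])


def demo() -> Dict[str, bool]:
    before = b"call placed before the SIM was replaced"
    after = b"call placed after the SIM was replaced"

    # Session recorded while the subscriber still used the old SIM.
    capture_old = run_session(KI_OLD, before)
    # Subscriber gets a new SIM; assumption: the new Ki was not itself copied.
    capture_new = run_session(KI_NEW, after)

    return {
        # A copy of the old Ki opens the old recording, even years later:
        # nothing in the exchange adds secrecy beyond Ki itself.
        "old_session_exposed": recover_with_key_copy(KI_OLD, capture_old) == before,
        # The same copy is useless against sessions keyed from the new Ki.
        "new_session_exposed": recover_with_key_copy(KI_OLD, capture_new) == after,
    }


if __name__ == "__main__":
    print(demo())
```

Swapping the SIM limits future exposure only; traffic already recorded under the old Ki stays readable to whoever holds that key.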


Absolutely everything is compromised.


That is just the opposite argument of saying that nothing is compromised. Neither is correct.


...and so deeply.


At this point, we might as well just go back to landlines and fax machines.


Aren't those even easier to wiretap?

I believe (maybe I'm wrong here) that the word wiretap comes precisely because people could literally "tap" into the wire and listen everything.

Or did I miss the sarcasm?


The old technologies required more effort (somebody had to go physically tap the wire).


When I re-read the parent's post I thought to myself "of course he is being sarcastic!"

But then I saw your post and it made me think. And I believe you are onto something here.

I mean, sure, probably tapping one phone is much easier physically, just connect the wires and you're done. However the point you bring is game-changer.

In ye' olden days spooks were interested in certain persons only, but now it seems that we are all fair game, and so the "easy" way of wiretapping becomes incredibly hard when you want to spy on everyone.

It's basically a scalability problem then. Never saw it that way.


Except more and more, calls are going over VoIP, which is essentially never encrypted. Even calls from one landline to another, even to a neighbor, might end up on VoIP. And in any given call, there are probably multiple resellers. Each with full capability to intercept, redirect, modify, etc. any call. And tech support is often given access to capture any call, as a troubleshooting measure.

Even companies like AT&T, who you'd think with exorbitant prices would always pay for proper direct connections, actually try to find the cheapest bidder in any way possible. For some destinations, they might have a list that's 20+ resellers deep.

In short, tapping major connectivity points is probably enough to capture a lot of calls even if you place them from a landline. (Not to mention there's no real security mindset in telecom at all.)


That depends on what network you're using. If you're using a landline from the incumbent local exchange carrier, the probability of a local call going over voip is effectively almost zero. Likewise, for long distance carriers, AT&T, the ex-MCI networks Verizon owns, and the Sprint wireline long distance network (their mobile stuff goes over separate facilities; their long distance network, as well as most of the ex-MCI networks use a platform called the DMS-250, which is very much oriented to non-packet connectivity) generally don't use voip trunks for national traffic. Also, there is no least cost routing operation like on most of the smaller carriers, so there's no need to hit any sort of public network until it reaches the access tandem at your destination, at which point, it definitely isn't exchanged in any sort of IP format.

Internationally, it depends on what carrier they interconnect with and what they want. Generally speaking, I think Verizon will use more IP-based routes (usually to more expensive countries) than the other two.

By contrast, landline service coming from the cable company generally does go over voip, but only within their internal network. For local and inbound calls, it'll still hit some DSx trunks back to the phone network. 1+ long distance traffic, at least on Comcast, is definitely in IP format, and could very well even be hitting the public internet for least cost routing operations.


Back in the day all you had to do was monitor the microwave and satellite links to get all the long haul communications. You didn't have to expose yourself at all.

Now things are the opposite. It is easier to sweep up a bunch of local stuff in the form of cell phone calls but you need a physical connection to tap fibre.


Somebody told me that post-Snowden, the NSA started processing some high-value internal paperwork with fancy typewriters to prevent signals intelligence attacks. Apparently the typewriters have little signatures embedded in each letter that are unique per typewriter operator.


Every typewriter has a unique signature, as has every other polygraphic machine (fax, printer, copier). This was always the case; after the Media burglary (in the '70!) the FBI was collecting Xerox copier printouts to identify where the burglars reproduced the stolen files.


As Stalin said, quantity has a quality all its own.


I, too, look forward to the day when we live in a world just like the ending of Transcendence.


Maybe true in the pre- to early 1980s.

With SS7, widely deployed in Europe and then the rest of the world, probing (tapping) was quite straightforward when the SP complied with local lawful intercept regulations.

http://en.wikipedia.org/wiki/SS7_probe


You can't tap a cell phone call remotely either - you have to be pretty close to the cell phone.

So it's not that different, a bit easier, yes. But you still have to physically go there.


Not if you have access to the carrier's internal network...


If you have access to the internal network you don't need SIM card keys which is the subject here.


So little you know... ;)


More like private couriers with typewritten notes.


As long as the machines used to type the notes are in a SCIF.




The SIM card bit is actually, I think, a distraction. The real issue should be the means: the NSA/GCHQ intentionally targeted innocent/non-government-affiliated people's personal email and social networking.

That's different than collecting everyone's data and claiming you never look at it unless someone does something to lose their innocence. Orwellian nightmare that that is and probably bullshit, revelations along those lines are not surprising. The systematic targeting of the personal lives of random employees (at least of non-governmental/non-defense-industry ones) is new.


No, that's actually the bread and butter of intelligence work. At least it was in HUMINT, if not in SIGINT. You identify individual(s) with access to what you need and then work on/with them. This is not surprising or even controversial (mind you, I am not in any way in favour of such things, just playing the devil's advocate a bit) at all. Hard evidence of dragnet, massive, all-encompassing surveillance really is the new revelation that has come out of the Snowden leaks, including this one. Targeting of individuals (especially if they're foreigners) was always going on.


You aren't surprised that our government is building a massive dragnet blackmail database. Good for you. You aren't alone and like the rest of us you didn't do anything useful with your prediction. What do you want, a gold sticker?

Tell me again why I (or anyone else) should find the fact that you foresaw this outcome comforting -- or relevant at all.

> Rooms can be bugged.

Yeah but they need a warrant, it costs money to bug a room, and they can't decide to retroactively bug every room their target has ever been in. To make things concrete, do you really think none of these powers would have made a difference if they had had them back when they were trying to sink MLK's platform?


There is no shock and surprise. Historically, not all communication has been compromised, because it takes physical effort and risk of detection to open every letter. Secure communication (in the sense of the contemporary normal means of communication) has not been a historically hard-to-get commodity.



