Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The Startling Array of Hacking Tools In NSA's Armory

samzenpus posted about 8 months ago | from the pick-your-poison dept.

Security 215

littlekorea writes "A series of servers produced by Dell, air-gapped Windows XP PCs and switches and routers produced by Cisco, Huawei and Juniper count among the huge list of computing devices compromised by the NSA, according to crypto-expert and digital freedom fighter Jacob Applebaum. Revealing a trove of new NSA documents at his 30c3 address (video), Applebaum spoke about why the NSA's program might lead to broader adoption of open source tools and gave a hot tip on how to know if your machines have been owned."

cancel ×

215 comments

Sorry! There are no comments related to the filter you selected.

Open source? (-1, Troll)

TWiTfan (2887093) | about 8 months ago | (#45821201)

Are you going to go through every line of code to make sure it's okay, and then compile it yourself?

Re:Open source? (0)

Anonymous Coward | about 8 months ago | (#45821231)

Everybody take one application and let's get 'er done.

Re:Open source? (4, Insightful)

mrxak (727974) | about 8 months ago | (#45821279)

Better check your compiler while you're at it, and your hardware.

Re:Open source? (4, Informative)

jlv (5619) | about 8 months ago | (#45821399)

You don't trust your compiler (and compiler vendor)?
http://cm.bell-labs.com/who/ken/trust.html [bell-labs.com]

Re:Open source? (0)

Anonymous Coward | about 8 months ago | (#45821503)

forget about the compiler, what about the microcode on the processor?

there are millions of applications, hundreds of operating systems, only a handful of processor architectures..

Re:Open source? (4, Interesting)

noh8rz10 (2716597) | about 8 months ago | (#45821717)

NSA does SIGINT, or signals intelligence, and it doesn't matter what computer solution you think you found, they will own you. The only solution is to avoid all computers. Have something important to say? do so in person. An important thing to record? Write it down. Heck, even the USPS or FedEx seems to be less compromised - they record the address info (metadata) but I haven't seen anything to imply they've been opening the letters.

CIA and FBI do HUMINT, or old-school spying, but from what I've heard their skills here have withered as they've focused on SIGINT themselves.

inb4 encryption - I assume that they can crack any encrypted files, or they wrote the specs in the first place.

Re:Open source? (5, Insightful)

hacker (14635) | about 8 months ago | (#45821847)

Write it down. Heck, even the USPS or FedEx seems to be less compromised - they record the address info (metadata) but I haven't seen anything to imply they've been opening the letters.

They do photograph every single letter and parcel, as well as x-ray scan everything that goes through their facility.

Is that "safe"? I don't know.

Can they discern written text inside a letter in an envelope, through x-ray scanning? I don't know.

Are they photographing every letter under extreme bright lights, making the container effectively transparent?

Not sure, but it's worth exploring every single one of those questions.

Re:Open source? (1)

noh8rz10 (2716597) | about 8 months ago | (#45821937)

while we're investigating things, I wonder how secure a one-time pad is. obv you would need to decode the message by hand.

Re:Open source? (1)

hacker (14635) | about 8 months ago | (#45822005)

Or hash it with a strong algorithm and use along, non-entropic, unpredictable, rotated salt.

Re:Open source? (1)

hacker (14635) | about 8 months ago | (#45822039)

...use "a long", not "along", damn Mac keyboard! :)

Re:Open source? (0)

Anonymous Coward | about 8 months ago | (#45822487)

...use "a long", not "along", damn Mac keyboard! :)

Important correction, because that was the part of your post that didn't make any sense ;^)

Re:Open source? (1)

egcagrac0 (1410377) | about 8 months ago | (#45822267)

Can they discern written text inside a letter in an envelope, through x-ray scanning? I don't know.

I think there's a "how to make a tinfoil hat for your written correspondence" instructable out there.

Re:Open source? (1)

fisted (2295862) | about 8 months ago | (#45822043)

inb4 encryption - I assume that they can crack any encrypted files, or they wrote the specs in the first place.

Go back to 4chan, and don't forget your tinfoil hat.

Re:Open source? (3, Informative)

hacker (14635) | about 8 months ago | (#45821817)

You should be pointing people to this instead:

"Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers"

http://www.dwheeler.com/trusting-trust/ [dwheeler.com]

Re:Open source? (1)

demachina (71715) | about 8 months ago | (#45822305)

And what about the applications the undercover NSA employees take? They are quite active in the open source community.

Re:Open source? (5, Insightful)

Anonymous Coward | about 8 months ago | (#45821281)

What sort of straw man is that? No one has claimed that it is impossible to sabotage open source software. But the fact that the saboteur would at least have to try to hide it, which is not the case with secret source software, puts them at a huge disadvantage.

Do you leave your front door unlocked because you're not 100% sure that your lock can't be picked?

Re:Open source? (1, Insightful)

TWiTfan (2887093) | about 8 months ago | (#45821365)

At the end of the day, you have to trust someone either way. Saying "It's open source, and therefore more trustworthy," is bullshit--because unless you or someone you trust has went through it line by line, it's functionally little different than trusting a closed-source binary. It's just a false sense of security most of the time.

It comes down to who you trust, not whether their software is open or closed source.

Re:Open source? (2, Interesting)

Anonymous Coward | about 8 months ago | (#45821505)

I disagree. The code is out, anybody can review patches, etc. At least if it is developed in an open manor (ie truecrypt is a fine example of an application we shouldn't rely on as while its code is available its development is not transparent). If something is published that's nefarious you have to make some sort of effort to conceal it, and if its developed transparently as well all the more so. If it is proprietary you have to make zero effort to conceal it.

Re:Open source? (1)

skids (119237) | about 8 months ago | (#45822169)

If it is proprietary you have to make zero effort to conceal it.

Well, you should at least probably ensure you turned on the right compiler options to strip the NSA_BACKDOOR_PASSWORD identifier out of the binary.

Re:Open source? (1)

egcagrac0 (1410377) | about 8 months ago | (#45822393)

All that only helps if you're comparing checksums and compiling your own binaries.

If you're not paranoid enough to do that, you're trusting that the compiler/packager/distributor of the binaries didn't amend the source or have a compromised compiler toolset.

If I were to go about attempting to compromise all the (pick-a-Linux-variant) systems out there, I wouldn't submit my "improved" code to kernel.org, but I might attempt to load a compiler at (distributor of selected Linux variant) with a surreptitious payload (see above comment [slashdot.org] ).

Re:Open source? (1)

Anonymous Coward | about 8 months ago | (#45821615)

Open source has the "nothing to hide" argument so it's not something you can ignore completely.

not really (1)

publiclurker (952615) | about 8 months ago | (#45822479)

Even if someone I've never heard of finds a backdoor and reports it, word will get around to people that I do trust to verify things.

Re:Open source? (-1, Troll)

mrxak (727974) | about 8 months ago | (#45821393)

At least with closed source you can just assume you're compromised, or trust the (known) people who put it out. Open source backdoors, if anybody even notices them (and let's be fair here, the NSA hires way smarter people than your average coder), will appear as accidental bugs, placed there anonymously. Open source is no more secure than closed source, for a host of reasons, but at least with closed source, you know where the code came from and can judge it based on that.

Re:Open source? (4, Insightful)

sjbe (173966) | about 8 months ago | (#45821445)

Open source is no more secure than closed source, for a host of reasons, but at least with closed source, you know where the code came from and can judge it based on that.

You have absolutely no idea where the code came from with closed source. Could be from anyone. Not much different from open source except for the fact that with open source you can at least theoretically examine the code itself even though in most cases that will never happen.

Re:Open source? (1)

mrxak (727974) | about 8 months ago | (#45821541)

The company selling the closed source software is where the code came from. It's their responsibility, it's their business and reputation on the line, and if they're using libraries they didn't develop in-house, it's their job to know how those work too. If they do something bad (and really, it's not that hard to tell if some software is leaking data or accessing files it shouldn't), they'll be the ones held responsible.

By its very nature, open source code can be manipulated by anyone, with potentially ulterior motives. A company can accidentally hire a foreign agent or an NSA plant, but if they do, and it gets out, that company will be held responsible.

Re:Open source? (0)

Anonymous Coward | about 8 months ago | (#45821985)

By its very nature, open source code can be manipulated by anyone, with potentially ulterior motives.

Yes and no. Sure, anyone can download open source code and tinker with it to their evil heart's content. Getting those malicious changes pushed back upstream so that other people will end up with them is another question altogether. Most, if not all, open software projects keep a fairly tight rein on what changes they allow into their repositories, and who from.

(Moral of the story -- get your software from as close to the original project as possible or make sure you trust the intermediaries. And at the very least, verify the hashes/checksums.)

Re:Open source? (2)

swv3752 (187722) | about 8 months ago | (#45822003)

Free Software folks have their reputation too, and often that is the only thing motivating them.

Re:Open source? (1)

Euler (31942) | about 8 months ago | (#45822435)

That closed-source company may _want_ to stand on their reputation. But they can be ordered to backdoor the software against their will and in secrecy. This is no longer a hypothetical argument, and it _is_ harming the reputation of businesses.

This is a great time for competitors of US tech companies.

Re:Open source? (1)

egcagrac0 (1410377) | about 8 months ago | (#45822461)

If they do something bad (...), they'll be the ones held responsible.

Let's review every single EULA I've ever read going back 35 years or so...

The software is provided "as is", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose

They may be responsible, but they're probably not liable and I'm the one who is likely to get injured.

Re:Open source? (3, Insightful)

Anonymous Coward | about 8 months ago | (#45821487)

You may know where the binary came from, but you have no idea where the code came from. And for all you know, neither did the person who signed the binary.

Re:Open source? (1, Informative)

mrxak (727974) | about 8 months ago | (#45821581)

Seeing as how it's the binary you're running, what's the difference? If a company is compromised, they're screwed. People won't buy their software again, they'll know to stop using it. This should make companies careful, and if they're not, they'll get in trouble soon enough. Some anonymous party puts up a clever back door in a patch, what is a user to do then? Whose reputation is damaged?

I am by no means claiming closed source is more secure than open source, I'm saying they're equally insecure. I'm also saying, that at least with closed source, you know who to blame when something goes wrong.

Re:Open source? (1)

Anonymous Coward | about 8 months ago | (#45821879)

Nonsense. It's much easier to hide backdoors and such in the code if it's not open. Open source reduces the chances that no one will spot the problems. It's not perfect, but it doesn't need to be perfect in order to be better, and anyone who claims it isn't a superior option is a damn fool.

Re:Open source? (0)

Anonymous Coward | about 8 months ago | (#45821911)

Open source is no more secure than closed source, for a host of reasons, but at least with closed source, you know where the code came from and can judge it based on that.

How do you know where the code came from with closed source? Just because it says "Microsoft" on the box doesn't mean it all came from Microsoft (whoever he was). Microsoft relicenses a ton of stuff, and while they probably have source to it, doesn't mean they're going through it looking for NSA backdoors. Not to mention the stuff they might put in at a third-party's request (NSAKEY, anyone?).

Sure, if you're not a coder you're going to have a tough time analyzing open source yourself, but there's a world of other people taking a look at it who are likely to speak up if they see something weird. Moreover, there's the "genetic diversity" argument with open source: many many more detail varieties around (different distros and versions of distros, plus mixing and matching of apps between distros and independent application sites) which makes it harder (not impossible, harder) for someone (eg NSA) to target specific weaknesses (but not if there's a system weakness in an algorithm). E.g. if you've done anything to change your standard config (especially if you've made changes, even minor, and recompiled) then an exploit which attacks through e.g. a buffer overflow is more likely to just crash the app/module than successfully implant its payload.

With closed source the attacker can pretty much rely on the target running one of just a handful of easily-determined standard systems, and the payload will have no problem inserting itself.

Not crack-proof, but crack-resistant.

Half a straw man (2, Insightful)

s.petry (762400) | about 8 months ago | (#45822233)

You see, there is a big flaw in your point. _IF_ the only developers were in the US, you may have a better point. OpenSource is not just coded in the US, and the eyes looking at the code are all over. I think for a while you had a level of trust among OpenSource crowds that everyone was equally altruistic and freedom loving. I am pretty sure that when the leaks came out a few years ago about the NSA jacking encryption that trust evaporated pretty quickly.

What you may want to believe is that all of these coders are here doing "Merikah!" great favors, or at least looking the other way because.. you know, "Merikah!". Guys in Germany don't have any devotion to that cause, and won't be complicit.

So now, that level of trust that people had is gone. Not that OpenSource coders are all out trying to screw each other (as we see with 3 letter agencies and closed source companies), but there is a whole lot more scrutiny. As it should be, and like it was 10-15 years ago.

You can _never_ scrutinize closed source code. That point I agree with, and yes we should all assume that closed source systems ship compromised. As with the paragraph above, we used to assume that not very long ago. This is how we started to catch on to how shitty MS was (remember the ACK wars?).

Re:Open source? (0)

Anonymous Coward | about 8 months ago | (#45821435)

Thank you. While it may be harder for spooks to poison the well in open source, it's clearly not impossible. And in any case, they can still change the hardware at the manufacturer or intercept it en route.

This just goes from bad to worse. Now we have to roll our own hardware? Fuck this.

Re:Open source? (1)

gmuslera (3436) | about 8 months ago | (#45821485)

Network effect works. They would hate to put an encryption key in plain text or the channel they use to send the data, or the destination name/address, so putting in a souce code that anyone could eventually see is a big no. Regarding binary packages, if well some distributions could be compromised by secret laws (RedHat at least resides in US) the code release that they must do ensures that other projects can pick the source, recompile it and use them instead (i.e. Centos), and if you trust the distributions packages are signed so is harder (maybe not NSA-level harder, but harder anyway) to do some MITM work to install touched binaries.

Also, some projects like Tor are adding deterministic builds [torproject.org] to validate that the binaries really are what the author says.

Re:Open source? (0)

Anonymous Coward | about 8 months ago | (#45821885)

Have you met the people in charge of serious open source projects? The answer is: Yes, they will.

There will at the least be the line of defense that is the core contributors to an open source project. The nice thing about open source is that even if they are compromised, anyone performing an audit (say, a major government looking for an operating system?) could detect the problem. It doesn't completely negate the possibility a backdoor will be introduced. It is, however, infinitely preferable to using closed proprietary software from the USA. All such software is now reasonably assumed to be compromised by the NSA.

Re:Open source? (2)

Bert64 (520050) | about 8 months ago | (#45822535)

No, nor should you need to.

For anything sufficiently widely used you will have several competing groups looking at it...

With american commercial software you likely only have the vendor and the nsa looking at it...
For something like linux you have not only the nsa, but also several foreign governments looking at it too. While you may not be able to trust a single party, the chance of error decreases when you have multiple parties who have no reason to collude together.

2013 (4, Informative)

Presto Vivace (882157) | about 8 months ago | (#45821213)

2013 is the year that proved your ‘paranoid’ friend right [washingtonpost.com] The person who can figure out how we can have all our tech toys and our privacy too will earn a fortune. Assuming that the technology is not made illegal.

2013 (1)

Anonymous Coward | about 8 months ago | (#45821289)

> The person who can figure out how we can have all our
> tech toys and our privacy too will earn a fortune.

Can't be done. All your toys are possible because it is cheep to copy and store information. If you can afford it, any military can. As long as information is easy to copy, information can not be private.

Re:2013 (2)

CohibaVancouver (864662) | about 8 months ago | (#45821327)

The person who can figure out how we can have all our tech toys and our privacy too will earn a fortune

They'll earn some money for sure, but not a fortune. The public & the bean counters are more interested in low prices than privacy. If your 'private' device is $100 more, everyone will buy the cheaper device.

Re:2013 (1)

innerweb (721995) | about 8 months ago | (#45821465)

It will be made illegal. In many ways it already is. You must submit the key to encrypted material if proper law enforcement asks. Your lines are allowed to be tapped. Your locks are allowed to be broken.

The problem is not the agency, but the paranoid and ruthless people who abuse it. There are many people in law enforcement/intelligence communities who are honest law abiding citizens! There are a few who are not. The question becomes how do we watch the watchers? How do we catch the abusers? I am not sure this will ever be an easy thing to do. Knowledge is the most powerful tool one can have, and for those with an illegal or perverse agenda, the gathering of information provides opportunities to gain leverage over others, advantages in business and political dirt to get what they want. So, they will always try to use the system.

So long as the people who take power (not the elected officials, but the string pullers), have that power, and we the people allow them to, this is how it will be. There is no way at the moment to record anything and expect absolute security. I am not sure your own mind will be safe for much longer. It has always been this way. There is always someone, or a few people conspiring to control as much as possible around them through whatever means, legal, moral, ethical or not to do what they want. Some do it in the name of a god, some in the name of patriotism, some just because it is what they want.

What really needs to be figured out is how to stop these people from doing what they do. I do not think it is possible, as the people stopping them will most likely be those people.

Re:2013 (1)

Anonymous Coward | about 8 months ago | (#45821611)

There are many people in law enforcement/intelligence communities who are honest law abiding citizens!

Mensa is an 'intelligence community'. What you are talking about is the spying industry, and there is no such thing as a honest spy.

Re:2013 (0)

Anonymous Coward | about 8 months ago | (#45821761)

The best way? Don't give them extraordinary powers in the first place.

Re:2013 (-1)

Anonymous Coward | about 8 months ago | (#45822071)

wrong...
100% of LEO's (of whatever level) are corrupt, here's why:
you KNOW that virtually all but the totally clueless kops KNOW who is on the take for what (no matter how trivial, it is AGAINST THE LAW! ! ! that is *all* the 'justification' The They (tm) need to FUCK OUR LIVES OVER FOR NOTHING, but they are immune from 'THE LAW'), whether it is free donuts, testilying, 'sweetening' evidence, railroading the poor/stupid/downtrodden, fixing tickets, jobs for relatives, or even actual bribes, etc, etc, etc... they KNOW who is cooping, who is extorting sex, who is a bully, etc, etc, etc... they KNOW... ...but they don't say shit, do they ? ? ?

us great unwashed are EXPECTED -if not jailed- for NOT turning in our fellow citizens; but piggies DO NOT turn each other in, NO MATTER WHAT, do they ? ? ? if that isn't the very definition of corruption, i don't know what is...

they are ALL corrupt, because they ALL protect the corrupted ones...

piggies are NOT here to 'protect and serve' us li'l peeps, they are here to 'protect and serve' the interests of the korporatocracy...

Re:2013 (0)

Anonymous Coward | about 8 months ago | (#45821535)

Sure, sure, if you can build it all from the ground up... processor, bios, os, apps... then you can have ultimate security (unless of course, one of your own people backdoors you)

btw, the US tried that with Multix, and found that it was too cumbersome to keep the system updated

Re:2013 (1)

jader3rd (2222716) | about 8 months ago | (#45822469)

The person who can figure out how we can have all our tech toys and our privacy too will earn a fortune.

Given how the majority of the population is trying to share every piece of information about themselves that they can online, I doubt that would be true. Security/privacy is too inconvenient.

Re:2013 (1)

skids (119237) | about 8 months ago | (#45822475)

There's no quick tech fix for this. Mostly because the problem is partially cultural. Qualitative trust webs have to be academically validated, then essential behaviors to support them have to be installed in the population. It will take at least decades and most of the work will go completely unrewarded, because our monetary/compensation system is hopelessly corrupt, being that it also needs said fix.

significant intel? (0)

Anonymous Coward | about 8 months ago | (#45821219)

TAO had gathered “some of the most significant intelligence our country has ever seen.”

pure hyperbole. cracking enigma. that was significant. they have provided 0 evidence that what they are
doing now has yielded anything.

Re:significant intel? (4, Insightful)

mrxak (727974) | about 8 months ago | (#45821339)

There is some indication that the NSA is a rampant bureaucracy run by geeks with an unlimited budget who do things just to see if they can, but that doesn't mean they haven't gotten useful information or accomplished anything significant. I'd say the destruction of Iranian centrifuges was a master stroke, personally.

Now, as for their domestic surveillance operations, I'd say it's pretty fair that they've not prevented any terrorist attacks whatsoever. That's the problem with broad collection of data, it's all the harder to sort through for anything useful. It's unfortunate that they're going to keep trying, instead of returning to targeted intelligence gathering.

Re:significant intel? (3, Insightful)

SuricouRaven (1897204) | about 8 months ago | (#45821377)

If they had prevented any terrorist attacks, they'd be shouting it from the rooftops right now in an attempt to win more political support and counter any representatives who question their broad spying progams.

Re:significant intel? (1)

mrxak (727974) | about 8 months ago | (#45821411)

Well, in fact they did claim they stopped terrorist attacks, but that was later determined to be a complete fabrication.

Re:significant intel? (0)

Anonymous Coward | about 8 months ago | (#45821695)

sure, _everybody_ knows about enigma.... now, you can be pretty damn sure that few people know about it at the time (or even 30 years after the fact)
It is the nature of national security to keep it secret, once that the cat(s)'re out of the bag, there is no way to get them back in

This is what cold fjord (1)

Desler (1608317) | about 8 months ago | (#45821235)

Quit yer bitching. Everyone knows only terrorists care about privacy.

Spy tools (4, Insightful)

girlintraining (1395911) | about 8 months ago | (#45821301)

The debate is not whether the spy tools should exist, but how they should be used. The NSA was originally meant to be a support organization that assisted the CIA and other federal agencies in protecting national security interests globally; Hence the name National Security Agency.

What it has become lately, thanks to the Department of Homeland Security and our idiot congresscritters, are lackies for the FBI. The FBI has a terrible record going all the way back to the Prohibition of doing whatever it wants and generally running rough-shod over civil rights. It has long shown signs of institutional corruption and rot. This is the source of the rot in our judiciary at the federal level... and like Midas, everything the FBI touches turns to sh*t.

Re:Spy tools (2)

HornWumpus (783565) | about 8 months ago | (#45821373)

J Edgar dreamed of having files on congress like the NSA does.

Re:Spy tools (1)

Desler (1608317) | about 8 months ago | (#45821407)

What do you mean? The NSA was being used for domestic spying on political adversaries for decades before the Church Committee. It was a major reason the committee was formed.

Re:Spy tools (1)

Charliemopps (1157495) | about 8 months ago | (#45821707)

Exactly, the NSA has more power than any branch of government ever had. Any Judge or political official that opposes them will be blackmailed into submission immediately.

Re:Spy tools (1)

HornWumpus (783565) | about 8 months ago | (#45822085)

My one hope is Snowden got those files. But I doubt it.

The files on Congress, federal judges and the executive branch are the keys to the kingdom. They will never see the light of day.

Dumping those files would complete the Herculean task of cleaning the DC stables.

Re:Spy tools (2)

Desler (1608317) | about 8 months ago | (#45821389)

The NSA has always been like this. The only difference between now and the 70s and earlier is their better tools. The NSA has been an abusive, corrupt organization since its outset. The very things they are doing now is what the Church Committee and FISA was meant to prevent. FISA was not meant to be a rubber stamping of any and all actions of the NSA as it has become.

Re:Spy tools (1)

icebike (68054) | about 8 months ago | (#45821555)

What it has become lately, thanks to the Department of Homeland Security and our idiot congresscritters, are lackies for the FBI.

Wrong on two counts.

NSA is not part of DHS.
The FBI is the foot soldier and sock puppet of the NSA, not the other way around.

Re:Spy tools (1)

roman_mir (125474) | about 8 months ago | (#45821719)

Department of Homeland Security, otherwise known as Schutzstaffel or SS for short.

Re:Spy tools (1)

ducomputergeek (595742) | about 8 months ago | (#45822017)

Actually, it's better to say that the NSA is a support organization of the Department of Defense. And as such are often at odds with Langley since both are competing for the same budget dollars.

Actually you're wrong (0)

Anonymous Coward | about 8 months ago | (#45822025)

The CIA still runs everything at the highest level:

http://www.wsws.org/en/articles/2005/07/fbi-j07.html

"The combining of counterintelligence, counterterrorism and spying into one FBI office linked to the CIA and under the direction of a DNI working directly for the White House represents a major step toward the creation of an American secret police force. "

The FBI are definitely subservient. Don't ever kid yourself.

This is not what should outrage us (4, Interesting)

MikeRT (947531) | about 8 months ago | (#45821355)

The fact is that the NSA needs these tools for the same reason the Army needs weapons ranging from small arms to weapons of mass destruction. It needs tools that let it collect signals intelligence on foreign targets. And yes, that includes our "allies." They do it as much to as we do it to them. It's understood that it happens. Even the British and Canadians wouldn't be shy about collecting Top Secret data on our operations that we want to keep from them if they could acquire it without jeopardizing their highly productive and close relationship with the US.

Americans should be outraged that the NSA is now deeply integrated with federal law enforcement per 9/11 "reforms" that all but created an integrated security state. That puts our rights deeply at risk. Prior to 9/11, the most the NSA could legally do was inform Customs and the Coast Guard that smugglers were en route to US territorial waters or airspace. Now, they're damn near as much of an intelligence arm for law enforcement as the military.

What we need is an iron clad, black letter of the law statute that says that no data the NSA collects on Americans is legally admissible unless the communication was collected abroad, occurred entirely outside of US territory and is specifically of a nature that is dangerous to our national security.

Re:This is not what should outrage us (4, Insightful)

mrxak (727974) | about 8 months ago | (#45821471)

I'd go a step further. It shouldn't just be legally inadmissible, it shouldn't be collectable at all. If it's accidentally collected, it should immediately be purged and the responsible parties prosecuted. If the FBI wants to develop their own NSA-like capabilities for domestic law enforcement, they can do so in a targeted fashion with warrants, but the NSA should be focused entirely on overseas operations, just like the CIA, just like the military. Mixing foreign and domestic all up in one agency is a very bad idea, (I hope) for obvious reasons.

Re:This is not what should outrage us (1)

Transfinite (1684592) | about 8 months ago | (#45821919)

That should apply to any nation. Don't use the NSA equivalents to spy on your own.

Re:This is not what should outrage us (4, Insightful)

gmuslera (3436) | about 8 months ago | (#45821557)

You may be not outraged that your country have weapons. But you should be very outraged that they are using them, in all the world to every innocent people (stripping basically every human of a fundamentan human right), in all the country, and in particular, in you.

If you think that what they are doing is not a crime, try to do the same and get caught, the sun will be a white dwarf by the time you can get out of jail, considering how they are punishing minor ofenses [mmajunkie.com] . If any other country would be doing the same to US, at the same level and deepness, probably a lot of nukes would be flying right now.

Re:This is not what should outrage us (0)

Anonymous Coward | about 8 months ago | (#45821657)

Then they'd just "launder" the information.

Re:This is not what should outrage us (0)

Anonymous Coward | about 8 months ago | (#45821701)

no data the NSA collects

They'd just create a new organization under a different name.

legally admissible

Admissible to whom? They aren't taking people to court; they are just collecting and selling secrets.

unless the communication was collected abroad, occurred entirely outside of US territory

If they routed the information off-shore, they would consider it acceptable to collect. If any party was outside the US (before, after, or during the time of the communication in question), they would consider it acceptable to collect.

specifically of a nature that is dangerous to our national security

They already consider everything to be dangerous to our national security. This is not at all a qualifier.

I agree with what you're saying and trying to do, but we need to remember that these weasels will gladly abuse any loophole they can.

Re:This is not what should outrage us (1)

Transfinite (1684592) | about 8 months ago | (#45822083)

Just make it illegal for any gov body, whose role is protect from foreign interests, to collect or syphon data from a 3rd party, on their own nationals, If they are presently in that nation. From any location in the solar heliosphere. The

Re:This is not what should outrage us (1)

Charliemopps (1157495) | about 8 months ago | (#45821841)

No, the NSA needs to be dismantled and a new constitutional amendment explicitly outlawing this sort of wiretapping on anyone, us citizen or not unless they have a REAL warrant from a REAL judge. Like the man said, They've even compromised Solaris. Which group of Terrorists is using Solaris? This has nothing to do with protecting us, and everything to do with controlling us.

Yawn (0)

Anonymous Coward | about 8 months ago | (#45821371)

How is anything of this surprising or unexpected?

Transparent government (-1)

Anonymous Coward | about 8 months ago | (#45821423)

So.. when does the hope and change start? Is it long enough yet that "blame Bush" is no longer the answer to everything?

Is this one of those fabricated scandals like Benghazi, Fast and Furious, the IRS going after conservatives, the President lying about the AHA, Holder lying in front of congress repeatedly..

Re:Transparent government (1)

noh8rz10 (2716597) | about 8 months ago | (#45821917)

hope and change already happened. Hope peaked and reverted to the mean. Change happened but was largely a downward trend.

Re:Transparent government (1)

ganjadude (952775) | about 8 months ago | (#45822123)

Is this one of those fabricated scandals like Benghazi, Fast and Furious, the IRS going after conservatives, the President lying about the AHA, Holder lying in front of congress repeatedly..

Not at all like those ones, With those ones they just denied it even happened or blames things that had nothing to do with the issues. With this they admit that its happening and dont even pretend to care that they are abusing their power

So outbound UDP is a first thing to block (1)

freax (80371) | about 8 months ago | (#45821455)

For the time being we can start by blocking all outbound UDP data on routers. Unfortunately these hw hacks call nsa over open wifi too. So we'd have to jam wifi in buildings too ..

Re:So outbound UDP is a first thing to block (1)

Mister Transistor (259842) | about 8 months ago | (#45821709)

Yeah, except your Cisco-and-NSA-compromised router with the "if pktaddress=nsa.gov then allow" rule hidden and permanently on will just pass it and not log or tell you anything... As a plus, your Microsoft-and-NSA-compromised systools won't show the traffic, either.

Re:So outbound UDP is a first thing to block (1)

fisted (2295862) | about 8 months ago | (#45822387)

Are these [microchip.com] compromised, too?
I got myself a handful for christmas, which should in combination with a MCU give a known-good network tap.
Problem NSA?

Re:So outbound UDP is a first thing to block (1)

fisted (2295862) | about 8 months ago | (#45822391)

FTFM [microchip.com]

Cisco and Huawei (3, Interesting)

icebike (68054) | about 8 months ago | (#45821493)

Given all the US lobbying against Huawei gear [forbes.com] being used in critical infrastructure [businessweek.com] , it seems odd that the NSA is claiming they have managed to penetrate these routers.

Perhaps while NSA was powning Huawei routers they discovered they were already compromised.

Seems far more likely that in doing so, the NSA penetration was in turn detected and prevented by Huawei, or they haven't been able to penetrate to the extent they have with Cisco routers, and therefore they need to keep these out of critical infrastructure.

Re:Cisco and Huawei (1)

phantomfive (622387) | about 8 months ago | (#45821975)

Sometimes it's difficult to figure out what is going in government with all the different motivations different people have, most of which you don't even know about.

In the Huawei case, it's entirely possible that Huawei's competitors were better at lobbying than Huawei. See also Apple vs Samsung.

Re:Cisco and Huawei (1)

wiggles (30088) | about 8 months ago | (#45822255)

They know the Chinese have managed to penetrate them precisely because they have penetrated them the same way.

Silly me (1)

davide marney (231845) | about 8 months ago | (#45821513)

Silly me, I thought the reason for NSA's existence was to make it HARDER for the bad guys to attack our infrastructure, not easier. Shows how little I know about how Washington "works" for us.

at the risk of sounding paranoid (3, Insightful)

Presto Vivace (882157) | about 8 months ago | (#45821515)

it is difficult to believe that the NSA is the only one doing this, so who else owns my electronic toys?

Re:at the risk of sounding paranoid (1)

Voyager529 (1363959) | about 8 months ago | (#45821625)

so who else owns my electronic toys?

If you have an iPhone/iPad/iPod, Apple.
If you have an Android phone/tablet, Google, and likely Samsung/HTC/Hawei/LG.
If you have a Windows Phone/tablet, Microsoft, and likely Nokia/HTC/Samsung.
If you watch movies on your phone, the MPAA.
If you play music on your phone, the RIAA.
If you have a data plan on your device, then AT&T/Verizon/Sprint/T-Mobile, or your regional MVNO.

Re:at the risk of sounding paranoid (1)

mrxak (727974) | about 8 months ago | (#45821693)

In some cases, the weakening of encryption standards done by the NSA, and various backdoors they've managed to install in systems used by everyone, there may be foreign and criminal organizations that are simply riding the NSA's coattails to compromise your security in the exact same manner.

But you're right, if the NSA has been doing this, so has everyone else. The NSA is just better funded.

Re:at the risk of sounding paranoid (1)

Presto Vivace (882157) | about 8 months ago | (#45821779)

almost all our electronic toys are made in China. It is difficult to dismiss the possibility that they have inserted their own malware into our toys.

Re:at the risk of sounding paranoid (1)

Charliemopps (1157495) | about 8 months ago | (#45821923)

It's irrelevant if others are doing it. We have proof the NSA is doing it. They need to stop. We can worry about everyone else after we get our federal government to obey the law.

What's with the names.. (0)

Anonymous Coward | about 8 months ago | (#45821517)

GODSURGE, IRONCHEF, CANDYWIRE, MONKEYCALENDAR, SOMBERKNAVE, IRATEMONKEY, TOTEGHOSTLY, DROPOUTJEEP

Just append X's as prefixes or suffixes and now we can identify teenage NSA agents or just AI acting like them.

Re:What's with the names.. (1)

mrxak (727974) | about 8 months ago | (#45821713)

A lot of these names probably come off of random word lists, to help disguise the purpose in case foreign agents learn of a code name.

welp (1)

nensondubois (3158339) | about 8 months ago | (#45821523)

Freedom fighter indeed.

Remote BIOS flash? (1)

billcarson (2438218) | about 8 months ago | (#45821539)

So basically no online banking platform can be safe once these exploits are released into the public? I do wonder though how they do it though.

Re:Remote BIOS flash? (1)

Charliemopps (1157495) | about 8 months ago | (#45821945)

Likely they either:
Paid the company that designed it
Bribed someone working for that company
Simply got their own NSA agents hired at the company with the sole purpose of having them write exploits into the code (most likely)

iPhone (0)

Anonymous Coward | about 8 months ago | (#45821673)

What's most interesting about this presentation (some 44 minutes into it) is the claim that NSA can monitor any iPhone they want, ostensibly via some remote mechanism or backdoor.

Re:iPhone (0)

Anonymous Coward | about 8 months ago | (#45822253)

You left out the part where they admitted they did require physical access to the device to initiate the process.....

There goes the economy. Thanks NSA. (1)

tekrat (242117) | about 8 months ago | (#45821697)

Nevermind "thanks Obamacare", now nobody is going to buy *any* technology from a US vendor because it's likely compromised by the NSA.

Just like you don't want to buy from a purely Chinese vendor because it's reporting back to the Chinese version of the NSA.

So, thanks to the NSA and China having a dick-measuring contest on why can spy more, the internet is essentially fucked. No privacy, no e-commerce, hell, no commerce (thanks Target), unless it's all cash.

So the only place you can trust is (ironically), Craigslist!

Where? (0)

Anonymous Coward | about 8 months ago | (#45821749)

Applebaum spoke about why the NSA's program might lead to broader adoption of open source tools and gave a hot tip on how to know if your machines have been owned."

I must have overlooked it. Where, specifically, did these articles state that?

Re:Where? (1)

skids (119237) | about 8 months ago | (#45822559)

Probably it was in the video, because people seem to think everyone has time to watch oodles of video without a posted transcript to skim over, and nobody cares to actually associate their hyperlinks to the text they attach the href to.

Affordable Healthcare Act (0)

Anonymous Coward | about 8 months ago | (#45821767)

Perhaps the feds should have insourced the AHA website to the NSA. Seems like they have the tech and the people that know how to use it. Added benefit, US residents already have a file there. One stop shopping for all your personal information needs!

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>