Jacob Appelbaum: To protect and infect

Thom Holwerda 2013-12-30 Privacy, Security 18 Comments

Jacob Appelbaum’s detailed technical 30c3 talk about the NSA’s tools. Just watch this. Naming and shaming of just about every major technology company. This will blow your mind.

2013-12-30 7:51 pm ddc_

I haven’t watched this yet, but I am quite certain I won’t be surprised a bit. And I don’t really understand why the news item reads as if the scale of the disaster would not be obvious by now…

2013-12-30 10:58 pm umccullough

> I haven’t watched this yet, but I am quite certain I won’t be surprised a bit. And I don’t really understand why the news item reads as if the scale of the disaster would not be obvious by now…

I’m a cynic too, and expect the NSA to be everywhere, but some of the stuff they’ve built and are regularly deploying is still a bit crazy. Watched the video this morning and it mostly just makes me angry.

2013-12-31 9:37 am ddc_

You know, it’s pretty obvious that if there is something to be abused, it will be abused. I couldn’t predict all of that stuff either, but mostly because I couldn’t predict any utility of some of this stuff (e.g. that energy beam). But the fact that they would work hard to abuse everything they may find utility in is pretty obvious IMO. And by “they” I mean all the intelligence services and all the state authorities everywhere on Earth in every timeframe. I bet FSB of Russia did its best to make every possible tool of a kind before they knew NSA’s tools. And right now all of them (including NSA) are working hard to extend their tools beyond those already known to the public. This is a serious threat not only to privacy and personal security of innocent people, but also to the whole western civilization and its principles. I hope this threat will be countered.
(Though I don’t see it happening). I think it would be nice if the chain of events that includes this video and previous leaks would at some point include FCC demanding that every firmware’s (BIOSes, broadband OSes, video and network cards’ firmwares, etc.) source code be fully disclosed and easily replaceable by end users for every single device sold in US. Indeed, this particular overzealous abuse of state’s power is not the first one, not the only one ongoing and definitely not the last one. The only way to defend people against it is to (at least) legally secure both right and ability of anyone to counter it in a reasonable way.

2013-12-31 9:49 am Kochise

> You know, it’s pretty obvious that if there is something to be abused, it will be abused.

rule34 the NSA way ?

Kochise

2013-12-31 12:01 pm mistersoft

Yep. And though I always agreed with the broad ‘free software’ principles of RMS, I’ve always thought he either went just a smidgen too far – or was slightly more dogmatic than necessary. But no, he was 100% right, (I’m still ‘OK’ with existence of some proprietary softwares at the local and function specific level), but OS’s and BIOS’s, Firmwares, both Home and Infrastructure routers and other network equipment – need to be running OPEN and regularly inspected code. For OS’s – it needs to at least be the boot code, network stacks (wired and all varieties of wireless) and security code – other stuff and applications could maybe remain closed. Not the kernel though.

Would pressure from consumers on the Microsoft’s and Apples ever force them to change at all? Pressure from angry corporations or even non-UK non-US governments then?

Edited 2013-12-31 12:02 UTC

2013-12-31 1:10 pm bitwelder

> Yep. And though I always agreed with the broad ‘free software’ principles of RMS, I’ve always thought he either went just a smidgen too far – or was slightly more dogmatic than necessary.
> But no, he was 100% right…

Besides, especially on subjects like these where there are strong interests involved, you sometimes just need to ask 1000 to receive 100.

2014-01-01 2:06 am WorknMan

> but OS’s and BIOS’s, Firmwares, both Home and Infrastructure routers and other network equipment – need to be running OPEN and regularly inspected code.

Honestly, I don’t think it would matter that much in regard to the network stuff. If you’re sending something across the wire, it’s eventually going to end up on somebody else’s server, where the NSA and their ilk will have free rein of that data. It would be like sending something through snail mail, taking great pains to make sure nobody has access to the contents of the package before you send it, but when it passes through the post office, then it’s there for anyone to inspect. Better to make sure you encrypt anything that’s super-sensitive with open source tools, and just assume the rest of it is publicly accessible information (which it pretty much is anyway).

Basically what I’m saying is that when it comes to physical stuff, you don’t really have to protect ALL of it (for example, you wouldn’t set up a security system to make sure nobody steals the lawn chairs off of your back porch) – just the stuff that is most valuable. I’m basically the same way with ‘digital’ stuff.

Edited 2014-01-01 02:08 UTC

2014-01-01 9:07 am ddc_

Specially crafted firmware may compromise your encryption efforts.

2013-12-30 9:46 pm firstname.lastname@example.org

Basically he’s saying the NSA has information on pretty much everyone, that they’ve made sure they have access to pretty much every computer in the world, and they’ve got some pretty unbelievable tricks up their sleeves. Like intercepting parcels and installing devices and software on computers and components – including at the bios/firmware level. They can piggyback information onto your computer when you connect to websites, sabotage connections, and corrupt downloads.
They’ve also persuaded companies to leave exploits and backdoors in their hardware/software and keep them secret – leaving the door open not only for the NSA but also malicious hackers. I’m not sure if I followed it correctly, but I’m pretty sure Mr. Appelbaum said they could utilize your wireless device even if it’s suspended. There are also legitimate American security experts and reporters getting their homes raided and/or ‘black bagged’ (infiltrated and their devices compromised), and being imprisoned. So, yeah, nothing beyond what we would expect from the NSA. There is the whole thing about their 1kw microwave generators at close range though, and the potential health concerns associated with that.

2013-12-30 10:39 pm Ultimatebadass

BRB, looking suspiciously at all usb cables around the house. Also, I’m fucking watching you, keyboard…

2013-12-30 11:43 pm Boomshiki

If only there were a website somewhere where people wrote articles on this sort of stuff…

2013-12-31 3:06 pm Carewolf

You can http://www.spiegel.de/international where most of the new information was leaked first a few days ago.

2013-12-31 3:18 pm crystall

This stuff is downright scary. No, actually it’s worrisome. Two thoughts occurred to me: first of all we’ve been taught that security through obscurity doesn’t work; we have to re-learn that part, security without transparency (at the software, firmware and even hardware level) is impossible as long as the NSA or organizations with similar resources are sabotaging commercial products. Transparency must also be extended at the political level, that’s inevitable otherwise the problem will never be solved. Seeing the government agency of a democratic country use traditionally seen only in dictatorships goes a long way to show how public scrutiny and check-and-balance countermeasures are fundamental to prevent abuse. The second thing is: this extends way beyond the NSA or the US.
Everything shown in the video is built out of off-the-shelf components, in many cases with the complicity of the vendors. If the NSA can do so then pretty much any other nation-state can and obviously criminal organizations too. The implications for worldwide security are enormous.

2013-12-31 3:45 pm Verenkeitin

What I find most incredible in all this is the implication that some of that stuff actually works somewhat reliably. Just imagine the challenge of combining everything Facebook, Google, Yahoo and others know about you (or think they know about you). Unless they co-operate fully and implement NSA defined APIs, the NSA must write its own interpreters for whatever data formats these companies use in communication between their data centers. Presumably it’s trivial for NSA to get internal secret documentation for everything, but keeping that massive collection system from producing mountains of complete data garbage is still a huge engineering challenge in itself. Then there’s the fact that some of that precious data is complete BS to begin with. For example, Google+ apparently thinks that everybody you have ever sent an email has some meaningful connection to you.

The hardware exploit stuff is even more incredible. Major product lines of big companies for sure, but what about all the cheapo laptops/phones/tablets cobbled together from the cheapest parts of the week with whatever firmware and driver versions compile and sort of work together? I’m not a hardware person, but remotely exploiting a random collection of hardware running any OS sounds like nonsense on the level of destroying an alien space ship with a computer virus like in movie ‘Independence Day’. If half of this stuff works half as well as claimed, the NSA must have come up with the proverbial silver bullet of computer science.

2013-12-31 3:48 pm SeeM

In a late 1981 security agenda simply took control of the country. We’re still facing consequences.
Those guys (and women) were everywhere and gained so much power, that they survived through democratic reforms just fine. It took an entire generation to somewhat undo their job, but no high level head was ever put on trial and loose, thus no one suffered consequences. So I assume we have to let them go, bury under nice graves and hope to have a better life without them.

2013-12-31 7:54 pm friedchicken

You know, the more I learn about what the NSA is doing, the more I feel they’re the ones I need to be protected from. If anyone is terrorizing my “privacy” & “freedom”, it’s them. I’m sure just sharing that opinion flags me, which is case in point.

2014-01-01 7:10 am bigdog

Yep, that video blew me away. Completely.

2014-01-01 11:16 am unclefester

I’ve always been suspicious about how startups such as Facebook could ever get seed funding. They make very little money and are never likely to make a reasonable profit. The only obvious explanation is that they are set up to gather data.