[HN Gopher] Spy agency ducks questions about 'back doors' in tec...
       ___________________________________________________________________
        
       Spy agency ducks questions about 'back doors' in tech products
        
       Author : oblib
       Score  : 358 points
       Date   : 2020-10-28 13:33 UTC (9 hours ago)
        
 (HTM) web link (www.reuters.com)
        
       | jchook wrote:
       | Maybe they reverse-engineered China's hardware backdoors and
       | don't need additional backdoors now.
        
       | lki876 wrote:
       | Oh come on, any answer but 'no' is yes. Also 'no' is yes.
        
       | pulse7 wrote:
       | "The tactics drew widespread attention starting in 2013, when
       | Snowden leaked documents referencing these practices."
       | 
       | So this is what Snowden has done: he "drew widespread attention
       | to these tactics". Before Snowden they would call you "paranoid"
       | if you would allow yourself to mention it. Today they can not
       | call you paranoid anymore.
       | 
       | And yes, it has hurt US industry reputation. Many don't trust
       | Intel processors and Cisco routers anymore (among other
       | products). They actually destroyed computers and internet as we
       | knew them in the 1990s. It is not fun anymore to own a
       | computer or a phone if you know that NSA can get access to it
       | anytime they want... and you will never know if they accessed
       | it...
        
         | dancemethis wrote:
         | They totally still call you paranoid. Snowden unfortunately
         | meant nothing to the general technology consumer mass. They're
         | more than happy to defend tooth and nail their jails. See
         | Discord or Zoom as prime current examples.
         | 
         | It is ridiculous that he had to go through this just for people
         | to shake their shoulders and keep on, except for the few that
         | already were inclined to care.
        
           | jacobwilliamroy wrote:
           | Nowadays the right wing nutbars are actually pro-government
           | because they think that a large fascist government complete
           | with secret police and massive surveillance will protect them
           | from pedophile vampires. No I'm not joking. It's the same
           | Alex Jones types who used to be all about neoliberalism and
           | deregulation. The people who were afraid of "the chip" are
           | now begging to be tagged because they think it will save them
           | from human trafficking. That's what happens when Americans
           | are trapped at home with nothing to do but go on Facebook and
           | YouTube: they get indoctrinated into stupid Christian
           | deathcults.
        
           | [deleted]
        
           | slg wrote:
           | It is a relatively common belief among non-technical people
           | in my friend group that Facebook listens to everything you
           | say within earshot of your phone and later displays ads to
           | you based on what it hears. That belief still isn't enough to
           | get those people to stop using Facebook, Instagram, and
           | WhatsApp. It isn't that people don't think they are being
           | spied on. It is that people don't really care that they are
           | being spied on.
           | 
           | Snowden didn't fail to change things because people didn't
           | believe him. He failed to change things because he didn't
           | articulate a compelling enough reason for people to be
           | fearful of what he revealed.
           | 
           | If people reading this want to see this changed, we need to
           | do a better job of showing the real world consequences of
           | this lost privacy. Talking about theoretical concepts like
           | lost freedom and privacy isn't enough. You need tangible
           | examples of how people's lives are made worse by this spying.
        
             | inopinatus wrote:
             | You suggest this is impossible; but I still remember that
             | time I asked Alexa what colours the Lotus Elise was
             | available in. For the next few weeks, whenever I went out,
             | I'd see at least one Lotus parked on the street or at the
             | mall or driving by.
        
               | bdamm wrote:
               | Similar to my experience of surveying vacuum cleaners on
               | Amazon, then going to get lunch at Whole Foods where a
               | clerk appeared suddenly at the checkout I was at to
               | vacuum up a non-existent mess, with one of the models
               | Amazon had offered up. The ratio of profit to sales cost
               | on a high-end vacuum might be similar to a Lotus Elise.
               | Or maybe it's just confirmation bias.
        
               | inopinatus wrote:
               | If this phenomenon isn't already a PKD short then it
               | could be a SCP entry.
        
               | mpol wrote:
               | The people at Alexa have been very busy for you :) And
               | Lotus got a lot of sales as well.
        
             | exceptione wrote:
             | > It isn't that people don't think they are being spied on.
             | > It is that people don't really care that they are being
             | > spied on.
             | 
             | Well, my experience is that people care but don't have an
             | idea on how they could change that. They feel powerless,
             | have no idea what to do, and they are apathetic. They accept
             | their shackles like they deserve it. They know they are
             | abused but since they are human, they use coping mechanisms
             | to continue using apps they believe are actually not so
             | nice for them.
             | 
             | Of course they have thoughts like "actually, my picture is
             | not private anymore", but for their sanity of mind they
             | carry on because of network effects/ease of use/etc. They
             | choose to push those thoughts off, as they are outside of
             | their control. To us, it might sound like they just don't
             | care. That's wrong!
             | 
             | At least, that is what I conclude after talking with non-
             | techies about this stuff.
             | 
             | I am sure you can sell privacy as a big plus, but you need
             | to deal with above aspects as well.
        
             | darkerside wrote:
             | People now view going on the Internet as akin to going
             | outside. Yes, other people can see you, and yes, you have
             | limited expectations of privacy. No, it's not problematic
             | that you have police keeping an eye on things. If you have
             | a problem with that, and you never go outside without your
             | "disguise" aka VPN, you are operating outside of social
             | norms (and it's probably not helping anyway).
             | 
             | This is not a valid judgement in any way. I just think some
             | people may not realize the way others may perceive and
             | think about this privacy dilemma.
        
               | Jon_Lowtek wrote:
               | I hear this "the internet is like outside, don't expect
               | privacy" argument a lot from Americans, who I think are
               | taught some 18th century definition of privacy by their
               | media, as in "in your private rooms" and not a 21st
               | century definition as in "about your private data". If
               | you go to the city there are no agents of third party
               | marketing agencies keeping notes of your movement and
               | what items you look at in the stores to profile you.
               | 
               | Imagine going to the city and there is this trenchcoat
               | and hat wearing private agent following you all day and
               | you go into a store and see him handing the salesman a
               | note and pointing at you, and then the sales guy comes
               | over to you and says "good day - do you want to buy _red
               | things?_" and you are like "actually I am looking ..."
               | and the agent is now uncomfortably leaning into your
               | conversation, "... for green things". Sales says "sure
               | this way, please" and the agent is writing "green!" in
               | his notebook, circling it three times. That is what the
               | internet is like today. And you look around and everyone
               | has these agents following them, keeping notes. You ask
               | someone about it they say "well most people don't even
               | notice them" or "that is how things are" or "people
               | shouldn't expect not to be spied on by private
               | corporations". So you hurry home while from every side
               | street more agents come and try to follow you until you
               | have this horde on your track and you hasten into your
               | door with a crowd outside holding up signs like "buy red
               | things!" and "green thing is green!" - but you are now at
               | home so you relax and walk through your hallway to your
               | room and say "computer: play some _licensed music_ " and
               | guitar music starts playing and -shocker- there are
               | agents in your living room, one sitting on your couch
               | playing the guitar, one is standing in front of your
               | bookshelf taking notes of its content and another one is
               | looking through your fridge, then stares directly at you
               | and holds a sign up: "buy food"
               | 
               | The internet is nothing like outside.
        
           | abvdasker wrote:
           | Look, my estimation of "general technology consumer mass" is
           | incredibly low, but I promise you nearly every American adult
           | knows who Edward Snowden is and probably has at least a vague
           | idea of what he was trying to communicate. I agree that many
           | -- maybe even most -- people don't understand the issue very
           | well, but I think it did have a pretty large impact at the
           | time and since.
        
             | xnyan wrote:
             | >but I promise you nearly every American adult knows
             | 
             | If the next thing you are going to say is not "The current
             | President of the United States", then sadly you are
             | extremely mistaken because that's the only political fact
             | you can confidently say that all Americans know (and even
             | then, it's not 100%).
             | 
             | Source: A political science degree that I don't use, but
             | this sad fact is well known.
        
             | kevin_thibedeau wrote:
             | They don't know who he is. American adults are uninformed
             | about most issues and will just parrot what they're told to
             | believe in. Mass media paints him as a bad person so that's
             | his public image.
        
               | alexilliamson wrote:
               | N = 1 blah blah, but my Dad is a West Virginian factory
               | worker who couldn't name one current Supreme Court
               | Justice (including the one just appointed), but he has
               | spoken positively about Snowden for years.
        
               | AndrewBissell wrote:
               | Zero doubt that the common people of this country have
               | much more affinity for Edward Snowden and anti-
               | surveillance viewpoints than the psychos at the top
               | running things.
        
               | xkcd-sucks wrote:
               | Eh, Appalachian labor has a history of being on the right
               | side of morals and the wrong side of force
        
             | NikolaeVarius wrote:
             | I don't think this is a given. Not a perfect source, but man
             | this was depressing
             | 
             | https://youtu.be/XEVlyP4_11M?t=422
        
             | boomboomsubban wrote:
             | >but I promise you nearly every American adult knows who
             | Edward Snowden is and probably has at least a vague idea of
             | what he was trying to communicate.
             | 
             | I highly doubt this. In 2015, only 60% of Americans had
             | some idea of who Snowden was, and only half of those had a
             | positive opinion of him. I doubt this has improved over the
             | past five years either.
             | 
             | https://www.aclu.org/snowden-poll-results
        
               | kekebo wrote:
               | 60% of Americans having some idea of the issues he raised
               | is assumably a vast increase in awareness of the topic
               | compared to the time before his leaks became public.
        
               | dunefox wrote:
               | > 60% of Americans having some idea of the issues he
               | raised
               | 
               | His comment says an idea of "who [Snowden] was", not of
               | what he was trying to say.
        
               | LinuxBender wrote:
               | The best example of the Snowden fallout and the apathy
               | around it was when John Oliver interviewed both Snowden
               | and many people on the street. People on the street did
               | not comprehend what NSA monitoring meant and did not care
               | until John put it in terms they could understand. "So you
               | are ok with the NSA seeing pictures and videos of your
               | significant other's junk you text (sext) back and forth?"
               | "Oh, I would be furious if they were seeing that". That
               | was how nearly every conversation went.
        
               | lern_too_spel wrote:
               | But that is not what the NSA monitoring meant. They do
               | not get to see pictures of your SO's junk. They do know
               | who you called and when but not tied to your name.
        
               | malaya_zemlya wrote:
               | According to Snowden, they did:
               | 
               | https://www.theguardian.com/world/2014/feb/27/gchq-nsa-
               | webca...
        
               | LinuxBender wrote:
               | Maybe, but they do for sure listen to your calls. I used
               | their software in a wireless provider. "She" was
               | fascinating. She could understand any language, dialect,
               | voice inflection, and so much more. No training required
               | whatsoever. She listens to all international calls and
               | flags phrases and key words.
        
               | lern_too_spel wrote:
               | They don't listen to your phone calls either. If they
               | did, Snowden would have leaked it, and it would have been
               | a bombshell revelation. If you have information
               | otherwise, you should blow the whistle.
        
               | LinuxBender wrote:
               | There is no whistle to blow. It is fairly well known that
               | all international calls into or out of each country are
               | monitored by bots using speech recognition by the related
               | agency for each respective country. This has been the
               | case for a very long time. Before bots, there were
               | listening stations with thousands of people monitoring
               | calls. There would be nothing for Snowden to leak in that
               | regard. The only place this has been taboo is when the
               | NSA is doing it within the country. They too use bots, as
               | there is no way you could hire enough people to listen to
               | the calls. Only flagged calls are listened to by people.
        
               | rmrfstar wrote:
               | Confirmed in this gem:
               | 
               | https://web.archive.org/web/20200618030047/https://www.ba
               | lti...
        
               | ChrisKnott wrote:
               | I am almost certain this has never been reported, I am
               | also almost certain it is not the case. Can you provide a
               | link?
        
               | FandangoRanger wrote:
               | This is a bit of a term of art. "They" don't "listen" to
               | your calls. A computer does.
        
               | boomboomsubban wrote:
               | They do, Snowden and others have leaked it.
               | https://www.cnet.com/news/nsa-spying-flap-extends-to-
               | content...
        
               | Mediterraneo10 wrote:
               | > They do know who you called and when but not tied to
               | your name.
               | 
               | For a state-level actor (or the mobile provider itself or
               | those other corporations to which it sells data for
               | advertising purposes) to identify by name the human being
               | who is the source of phone calls, is trivial in most
               | countries today.
        
               | nobleach wrote:
               | I think THAT is where the apathy comes in. THAT is
               | probably the biggest concern of your average internet
               | surfer. They think, "I don't trade any high level
               | secrets... I'm a nobody". So the worst thing they can
               | conceive is, "but I did send some pics to that person I
               | met on Facebook. I sure would hate for my significant
               | other to find out". That's something that can resonate
               | with a far larger group. Many honestly don't care because
               | they feel there's nothing they can do. Perhaps they're
               | right. It's not like the US Gov (or any other) said, "oh,
               | you caught us.... fine we'll shut down the program"
               | 
               | I totally agree that it's sad that we're in this place of
               | apathy. But it's hard to get folks all excited when they
               | don't believe it'll really affect them personally.
        
               | worker767424 wrote:
               | > only 60% of Americans had some idea of who Snowden was
               | 
               | It's things like this and people who believe the moon
               | landing was faked that convinced me universal suffrage
               | isn't a good thing, and we need some sort of poll test to
               | make sure people are educated on issues before voting. I
               | realize the US has a bad history with "literacy" tests,
               | but it's clear that most people have no business voting.
        
               | koboll wrote:
               | >we need some sort of poll test to make sure people are
               | educated on issues before voting.
               | 
               | Okay, now start thinking about what happens when the
               | political party you like least takes power and starts
               | rewriting the poll test questions to advantage
               | themselves. Then perhaps you'll see why this would be a
               | catastrophically bad policy.
        
               | munk-a wrote:
               | Sorry but no - universal suffrage has been proven
               | historically to be far less flawed than any of the other
               | suffrage limits we've ever had - giving everyone,
               | including the idiots and the deplorables, a voice lets us
               | see what our society is actually made of and might just
               | make[1] education a bigger priority in the US budget.
               | 
               | 1. Future tense because right now the US doesn't have 1
               | person 1 vote equivalence for most elections.
        
               | kortilla wrote:
               | > a voice lets us see what our society is actually made
               | of and might just make[1] education a bigger priority in
               | the US budget.
               | 
               | How does that work once the idiots are in charge of the
               | budget?
               | 
               | > 1. Future tense because right now the US doesn't have 1
               | person 1 vote equivalence for most elections.
               | 
               | Well it does. The confusion is about what you're voting
               | for.
        
               | munk-a wrote:
               | > How does that work once the idiots are in charge of the
               | budget?
               | 
               | Society collapses and we become a failed state - but
               | states fail all the time, universal suffrage appears to
               | minimize the number of states that need to fail.
               | 
               | > Well it does. The confusion is about what you're voting
               | for.
               | 
               | When it comes to voting for president, my vote as a
               | Vermonter is objectively worth 2.63 times as much as my
               | friend from Washington - additionally the FPTP voting
               | approach and winner take-all electoral college causes a
               | lot of other oddities that make my VT vote essentially
               | worthless when compared with a resident of PA.
               | 
               | There are a few ways we break 1 person 1 vote equivalence
               | and while we can argue whether that's a good or bad thing
               | you can't argue against it being the case.
        
               | kortilla wrote:
               | > Society collapses and we become a failed state - but
               | states fail all the time, universal suffrage appears to
               | minimize the number of states that need to fail.
               | 
               | Curious claim. Has there been any research that shows
               | states are less likely to fail with universal suffrage?
               | 
               | > When it comes to voting for president, my vote as a
               | Vermonter is objectively worth 2.63 times as much as my
               | friend from Washington
               | 
               | See, that's the confusion. You're not voting for
               | president directly. You're voting for who you want your
               | electoral college to vote for. In most states if you're
               | on the losing side of the vote in your state, your
               | presidential vote literally means nothing.
               | 
               | Your individual vote in Vermont is not "worth more" than
               | your friend's vote in Washington because you're both just
               | voting in state level decisions about who the college
               | should vote for.
               | 
               | The legitimate claim is about the number of delegates and
               | (arguably much more important) the number of house
               | representatives each state is getting.
               | 
               | Reiterated, there isn't a lack of 1 person 1 vote
               | equivalence in any elections I know of in the US (e.g.
               | landowners don't get extra votes). There are just
               | elections people think are direct democracy when they are
               | far from it.
        
               | RhodoYolo wrote:
               | > Society collapses and we become a failed state - but
               | states fail all the time, universal suffrage appears to
               | minimize the number of states that need to fail.
               | 
               | The only societies that I can think of that lasted a long
               | time were societies that didn't have universal suffrage.
               | The idea of a republic is pretty stupid to be honest.
               | What you end up with is a bunch of people with completely
               | different agendas to ensure that every issue gets hotly
               | debated and when a decision is 'made', barely enforced or
               | executed on. Additionally, it seems to give rise to
               | massive paternalism and loss of freedom which is supposed
               | to be the opposite of what it was meant to do.
        
               | outworlder wrote:
               | > we need some sort of poll test to make sure people are
               | educated on issues before voting
               | 
               | In principle, that's a great idea. I mean, we do have to
               | take driving tests before we are allowed to operate
               | dangerous machinery. We should be required to take tests
               | before we are allowed to affect the lives of millions of
               | people.
               | 
               | You can have a similar argument for parenthood. Require
               | classes before people are allowed to bring another human
               | into their care. Nurses have to, why not parents?
               | 
               | The problem with that is that these tests/lectures are
               | defined by other humans. This shifts an enormous amount
               | of power into the hands of a few. Next thing you know,
               | you now have a handpicked elite eligible to vote. The US
               | has historically used this mechanism for segregation.
               | 
               | Having universal suffrage (which is not yet very
               | universal in a few countries, US included) at least
               | allows the average to smooth out outliers. It does create
               | perverse incentives towards not allowing the population
               | to get TOO literate, otherwise they will be educated
               | enough to see through all the BS.
               | 
               | Collectively, we need to focus on improving education for
               | everyone and fighting disinformation. World War 3 has
               | already begun - except it's using words, not weapons.
        
               | nkrisc wrote:
               | That's exactly the argument those who implemented those
               | maligned poll tests made. They were made to keep the
               | wrong people from voting on the basis they didn't know
               | what was best.
               | 
               | That's why they're a bad idea and should not return.
        
               | cmdshiftf4 wrote:
               | >we need some sort of poll test to make sure people are
               | educated on issues before voting
               | 
               | We've decided to go the opposite direction. The US media,
               | celebrities, big companies, etc. have all decided that a
               | huge low-information voter turnout > smaller but better
               | informed voter turnout.
               | 
               | Indeed, apparently democracy is better when everyone
               | participates, regardless of whether a vast amount of
               | those people have the slightest iota of what they're
               | participating about.
        
               | Thinkx220 wrote:
               | It's comments like this that convince me most programmers
               | are arrogant douchebags. Just because someone has a weird
               | idea about an event that had almost no direct effect on
               | the general population doesn't mean we should remove
               | those people's ability to have a choice in matters which
               | will affect them.
               | 
               | Knowing more than someone else does not make you morally
               | superior or give you more of a right to have a say in
               | your own fate.
        
               | wolco2 wrote:
               | If that were the case we would give babies, kids and
               | teenagers the right to vote. Kids would always vote in a
               | superhero or ice cream. And chocolate would win in a
               | landslide.
               | 
               | We only allow those of a certain age to vote because they
               | are able to understand and weigh the issues fairly.
               | 
               | We only allow those of a certain age to be jurors for
               | that reason.
        
               | jlokier wrote:
               | > We only allow those of a certain age to vote because
               | they are able to understand and weigh the issues fairly.
               | 
               | Yes, but we draw a simple, arbitrary rule at a fixed age
               | because everyone grows older, so it isn't manipulable by
               | anyone who is motivated to do so.
               | 
               | If the vote permission line is drawn by more complex
               | means that gives a different answer for different people,
               | it becomes a primary target for manipulation, abuse, and
               | group selectivity.
               | 
               | For example if it was based on IQ tests or even general
               | knowledge tests, it is already well understood that these
               | are heavily biased tests which test for social
               | background, culture and upbringing, rather than general
               | intelligence.
               | 
               | If there's going to be a voter test, it needs to be
               | extremely robust, something just about everyone has
               | confidence in to be fair and appropriate.
        
               | rapind wrote:
               | I sympathize with the frustration, but the tests
               | themselves will just be another attack vector for voter
               | suppression (history proves this).
               | 
               | Probably better off spending resources on improving
               | education and political awareness.
               | 
               | I personally think that if we aren't going to let someone
               | vote then we shouldn't ask them to pay tax either.
        
               | cmdshiftf4 wrote:
               | >I personally think that if we aren't going to let
               | someone vote then we shouldn't ask them to pay tax
               | either.
               | 
               | Agreed.
               | 
               | Conversely I believe that people who haven't paid tax in
               | a reasonable amount of years, through either not
               | generating it in the first place, avoision or being a net
               | beneficiary of state aid shouldn't be offered a vote.
        
               | a_t48 wrote:
               | Frankly that's a horrifying prospect - if I get seriously
               | injured and have to go on permanent disability, I'd
               | rather not be (further?) disenfranchised.
               | 
               | This is the same as saying "I don't believe disabled/poor
               | people should be able to vote"
        
               | cmdshiftf4 wrote:
               | The disabled aside, no, I do not believe people who are
               | withdrawing more from their society than they are
               | depositing should be given a say in the governance of
               | that society.
        
               | RhodoYolo wrote:
               | you say 'disabled aside' but what about the myriad of
               | other reasons? Mental health, unemployment, pregnancy
               | that year, international travel but still a citizen, w/e.
               | As soon as you start pointing to reasons that a
               | government can/ can't take away your power to vote you
               | are screwed as a populace. Not that I have much faith in
               | the voting system anyways cause' who knows how they count
               | the votes anyways. It seems the incredibly old voting
               | machines that they have could easily be hacked by a
               | nation-state level effort.
        
               | autosharp wrote:
               | Who designs the test?
        
               | Broken_Hippo wrote:
               | I was going to ask the same thing.
               | 
               | "The issues" vary between people. How many do you
               | include? Are they just the basic stuff the news covers?
               | Do you need to know federal, state, and local issues? If
               | you vote in a federal election, do you need to know
               | issues in different parts of the country? Wouldn't the
               | test show the biases of the test makers?
        
               | eyepea2007 wrote:
               | Piggybacking on your point about the general public:
               | historically something like 25 to 30 percent of people
               | don't even know who the Vice President of the United
               | States is...and this goes back to at least the 70s.
               | Simply asking someone if they know who Snowden is doesn't
               | really prove much. What percentage of people will just
               | lie and say they know?
        
           | [deleted]
        
           | beamatronic wrote:
           | You could say the same thing about early coronavirus victims.
           | Nobody learned from them. Look where we are now.
        
           | logicallee wrote:
           | >They totally still call you paranoid.
           | 
           | People really don't. You can search comments here or
           | elsewhere, you really won't find anyone calling anyone else
           | paranoid for suggesting the government is watching everyone,
           | intercepting communications, listening in on conversations,
           | whatever. Find me a single example of anyone doing so in the
           | past 2 years without an immediate reply from someone else
           | (i.e. someone other than the OP) saying "No. Sorry. Since
           | Snowden you don't get to call anyone paranoid for thinking
           | the government is listening."
           | 
           | In fact, quite the opposite I bet if you asked anyone with an
           | Amazon Echo, "Do you think the government can listen to
           | private conversations using an Amazon Echo" my guess is most
           | people would say, "I don't know. If they really needed to, I
           | guess?"
           | 
           | Nobody would say, "Of course not. Don't be paranoid."
        
         | mschuster91 wrote:
         | > Many don't trust Intel processors and Cisco routers anymore
         | 
         | That's Cisco's own fault given that there are rarely more than
         | 6 months between critical firmware releases that either have
         | some way of hardcoded backdoor account, remote code execution
         | or other similar bugs.
        
           | colejohnson66 wrote:
           | It's not Cisco's fault if the NSA has compelled them to add
           | those "bugs"
        
             | SauciestGNU wrote:
             | It absolutely is. There can be a duty to resist. People get
             | killed based solely on data collected from signals
             | intercepts. More people and companies should take the brave
             | stand Lavabit did, rather than be complicit in oppression
             | and state-sponsored killings.
        
               | colejohnson66 wrote:
               | While I dislike the NSA as much as practically everyone
               | else here, I'm not aware of any state-sponsored killings
               | done by the NSA. Sure, the executive branch _has_ ordered
               | killings, but the branch is so large, lumping it all
               | together makes no sense. The NSA, FCC, FTC, EPA, etc.
               | don't kill.
               | 
               | Now, you should resist, yes, but _most people don't._ It
               | takes a _very_ brave soul to resist and hope the Supreme
               | Court will side with you. Civil disobedience generally
               | also requires vast public support who would rally behind
               | you. Practically everyone knows Rosa Parks, but polls
               | have shown only about 60% of Americans have even _heard_
               | of Snowden. Public support is a fraction of that.
               | 
               | Cisco's executives would also end up being involved in
               | some _massive_ lawsuits if they shut down the company to
               | take a stand. Lavabit, OTOH, was _multiple_ orders of
               | magnitude smaller than Cisco is, and they could afford
               | the backlash. It also didn't help that Lavabit catered to
               | tech people who would understand why they shut down.
               | Cisco, OTOH, is used by virtually every large business;
               | many of the employees of which would not understand _why_
               | they shut down.
        
               | wonnage wrote:
               | You expect the agency responsible for putting secret
               | backdoors everywhere to be publicizing their state-
               | sponsored killings?
               | 
               | The NSA isn't really in charge of the killing part
               | anyway, that's the CIA/FBI's job
        
         | rjkennedy98 wrote:
         | "Sometimes paranoia's just having all the facts" - William S
         | Burroughs
        
         | Cthulhu_ wrote:
         | In my country, law enforcement (police) apparently uses or has
         | used hardware to allow secure / encrypted communications, whose
         | encryption was supplied by a Swiss company (Crypto AG) which
         | was secretly owned by the CIA which built in backdoors since
         | the 70's.
         | 
         | So basically the CIA and by extension the US government has
         | compromised their allies' communications. I hope there are
         | massive consequences, but probably not.
        
         | disown wrote:
         | > Before Snowden they would call you "paranoid"
         | 
         | No. They'd call you a "conspiracy theorist". By "they", I mean
         | the news/media would call you a "conspiracy theorist".
        
           | AndrewBissell wrote:
           | It's cool how "conspiracy theories" are always false, because
           | the instant something which had been dismissed using the term
           | is confirmed to be true, it's no longer a theory!
        
         | warent wrote:
         | It has always been true that any computer connected to the
         | internet could be accessed by an unauthorized party, even
         | before the leaks. Disconnect from the internet and nobody is
         | getting in, including the NSA.
        
           | purplecats wrote:
           | or rather they're not getting in _or_ out. they might already
           | be in. as long as both in _and_ out are disconnected, you're
           | set.
        
             | vorpalhex wrote:
             | A 2g or 3g module is <$100 and easy enough to hide without
             | RF detection equipment. Plain radio is easier.
             | 
             | If the NSA has enough of an interest to be intercepting
             | your packages, they're not going to shy away at adding in a
             | transmitter or two of their own preference.
        
               | robin_reala wrote:
               | Quite considerably less. This one from Adafruit (hardly
               | the cheapest supplier) is $30 and has GPS built in too:
               | https://www.adafruit.com/product/2637
        
           | PenguinCoder wrote:
           | > Disconnect from the internet and nobody is getting in,
           | including the NSA.
           | 
           | That is patently false.
        
           | 542354234235 wrote:
           | > Disconnect from the internet and nobody is getting in,
           | including the NSA.
           | 
           | Ah, the "just move to the wilderness and grow your own food
           | if you don't like the government infringing your
           | constitutional rights" argument. I want to be able to
           | meaningfully engage in normal society by buying consumer
           | goods and connecting them to communications platforms _and_ I
           | want my 4th amendment rights protected. I really don't think
           | that is too much to ask.
        
           | lm28469 wrote:
           | > Disconnect from the internet and nobody is getting in,
           | including the NSA.
           | 
           | Wait until they put 5g chips in every single product to make
           | them "smart". Few people talk about that but I believe it's
           | the main use case for 5g. Everything will be connected and
           | you'll have no way to opt out
           | 
           | > 4G can support about 4,000 devices per square kilometre,
           | whereas 5G will support around one million
        
           | [deleted]
        
           | hanniabu wrote:
           | Hope you have your bluetooth also turned off
        
             | imglorp wrote:
             | And your mic and speaker. And the light sensors while
             | you're at it. All can be used for exfiltration.
        
               | fsflover wrote:
               | And never use USB devices (see: BadUSB).
        
           | redbeard0x0a wrote:
           | a little interdiction while that new airgapped laptop is
           | shipped to you and they got you, even though you never
           | connected to a network
        
             | derefr wrote:
             | Exactly _what_ have they got, if you never connect it to a
             | network afterward, either? A key-log that never makes it
             | back to them?
             | 
             | (I'm presuming here that the laptop is openable, and that
             | you will do so and physically remove any wi-fi M.2 card
             | from it -- and associated antennae -- since you won't be
             | using it. There might be some sort of extra surface-mount
             | snooper chip left onboard that could replicate the same
             | function -- but without big antennas, how's it going to
             | report?)
        
               | snypher wrote:
               | You might not understand the depth to which you can be
               | exploited. They will simply let you use your laptop and
               | switch your USB cable, which has a built in 6ft antenna.
               | 
               | https://en.m.wikipedia.org/wiki/File:NSA_COTTONMOUTH-I.jpg
        
               | _jal wrote:
               | Perhaps with something like this?
               | 
               | https://www.schneier.com/blog/archives/2014/03/ragemaster
               | _ns...
               | 
               | Or this?
               | 
               | https://www.schneier.com/blog/archives/2014/03/cottonmout
               | h-i...
               | 
               | If you have actually attracted the attention of the NSA,
               | pulling your NIC is playground stuff.
        
               | xxpor wrote:
               | Ignoring the larger context, but just technologically,
               | RAGEMASTER sounds freakin' sweet. Like that's actually
               | amazing.
        
               | BlueTemplar wrote:
               | Researchers have been able to make integrated circuits
               | emit radio waves.
        
             | sroussey wrote:
             | And it can add a slight flicker that can be used as a
             | signal and detected from outside.
        
           | bayindirh wrote:
           | > Disconnect from the internet and nobody is getting in,
           | including the NSA.
           | 
           | Oh boy. That's some serious delusion in 2020. Wireless cards
           | and higher end network interface cards are independent
           | computers. Your processor has another processor (Intel ME and
           | others) in it. Baseband Management Controllers are also
           | independent computers in their own right.
           | 
           | With closed firmware and wireless capabilities, you can never
           | know what they're doing at a given time.
           | 
           | Stuxnet reached systems which were seriously air gapped.
           | Consider what a laptop with a _witty_ wireless card
           | firmware can do.
           | 
           | I'm not getting into TEMPEST attacks and their newer
           | versions, passive surveillance, etc.
           | 
           | I've listened tales about Cisco devices which were configured
           | to isolate and prevent internet traffic but, they _mistakenly
           | forgot_ to drop some magic packets. Uh.
           | 
           | ---
           | 
           | Random facts about this stuff:
           | 
           | - Your Intel system runs a special version of Minix on its
           | Management Engine. A version of Minix customized for Intel by
           | its original developer.
           | 
           | - There are photos of Cisco devices which were _delightfully
           | enhanced_ by NSA before shipping to its customer via special
           | firmware and/or hardware. NSA still retains this capability.
        
             | the_only_law wrote:
             | I'm actually kinda curious if TEMPEST attacks or similar
             | have been used to spy on citizens ever now.
        
             | jimbob45 wrote:
             | Fine, make a Faraday cage around the PC. Are you happy now?
        
               | fsflover wrote:
               | Not enough: https://news.ycombinator.com/item?id=24919589
        
               | [deleted]
        
             | shirakawasuna wrote:
             | I tend to repeat these types of concerns: the number of
             | powerful and complex black boxes is increasing, with
             | things like 5G making it even easier to low-key pass
             | information without us knowing.
             | 
             | A common counterargument comes up when discussing devices
             | like smart speakers. Defenders say that the devices are too
             | low-power and that we would be able to notice power usage
             | changes and sniff network data being sent if spying were
             | happening. IMO, this is true to an extent, but also any
             | onboard preconfigured recognition of certain products could
             | easily send info back to, say, Amazon servers and you
             | wouldn't be able to distinguish it from a "false positive"
             | question to "Alexa". Knowing the extent to which these
             | capabilities are plausible and/or would have been caught by
             | now if they existed is, to me, murky.
             | 
             | This also applies to on-board chips and wireless data.
             | Would we not notice from power usage and sniffing?
        
             | aborsy wrote:
             | Stuxnet is interesting. Apparently, the US and Israeli
             | agents threw away a number of USB devices around target
             | facilities. What do you do when you find a USB stick? Well,
             | eventually someone working in an air gapped facility picked
             | up one and used it inside.
             | 
             | The NSA apparently perfectly aligned 4 zero days in
             | Siemens and Microsoft products to spread the malware from
             | USB into the Iranian LAN (shared printers, industrial PICs
             | etc).
             | 
             | The fact that they could choose and align 4 zero days
             | indicates that the NSA probably has a large list of zero
             | days.
        
               | thisisnico wrote:
               | I agree. I'm sure the level this organization operates
               | at utilizes teams of their own vulnerability researchers
               | to provide themselves with the ability to create new and
               | novel zero-day exploits that are not-disclosed to the big
               | players. This is Internet warfare.
        
               | pilsetnieks wrote:
               | You know, I've heard so many variations of those "USB
               | drives in the parking lot" stories, I wonder if that
               | isn't a cover for something else. Or maybe just someone
               | covering their asses and not willing to take blame for
               | something else.
               | 
               | "USB drives in the parking lot" could be the tech
               | industry's Korean fan death.
        
               | Darkphibre wrote:
               | > In one test of how well a USB scam can work, Trustwave
               | planted five USB drives decorated with the targeted
               | company's logos in the vicinity of the organization's
               | building. Two of the five "lost & found" drives were
               | opened at the organization. One of the openings even
               | enabled the researchers to glimpse software employed to
               | control the organization's physical security.
               | https://www.redteamsecure.com/blog/usb-drop-attacks-the-
               | dang...
               | 
               | They are used to great effect in pentesting. I think it's
               | natural to see a drive and think "Oh no, I need to get
               | this back to a coworker."
        
               | russh wrote:
               | I have a friend who does pentesting and she collects many
               | cool and interesting looking usb flash drives for this
               | very purpose. She says "60% of the time, it works every
               | time."
        
               | bayindirh wrote:
               | It's more nuanced than that. Didn't read the book
               | completely but read a long report. What I remember:
               | 
               | - They got exact hardware details and topology of the
               | centrifuges somehow.
               | 
               | - They've stolen Realtek's driver signing keys.
               | 
               | - The virus looks like a simple worm which can infect
               | other USB devices and doesn't unpack beyond a certain
               | point if it can't find the SCADA equipment and the
               | correct device ID & topology (It's like a homing cruise
               | missile which looks like an RC plane from distance until
               | it finds its target).
               | 
               | It's possibly the most sophisticated hacking campaign
               | when social and technical aspects combined.
        
               | parliament32 wrote:
               | Morality aside, the whole system was a work of art.
        
               | firmnoodle wrote:
               | > - They've stolen Realtek's driver signing keys.
               | 
               | I have been to Realtek's offices in Hsinchu many times.
               | While the other efforts may have taken major resources I
               | don't think getting their private keys would have been
               | hard at all. Especially back then. IMHO the building and
               | some people could be easily compromised and I suspect
               | they didn't really care much about security.
        
               | nickbauman wrote:
               | The hardware-software combination that was used to
               | compromise the Iranian nuclear facilities was amazingly
               | old and primitive, though. It truly was a weak link that
               | I cannot fathom how this wasn't upgraded looong before. I
               | mean, I guess it just didn't matter that much, after all,
               | it's _only a uranium enrichment facility, after all._
               | What could possibly go wrong?
        
               | wh1t3n01s3 wrote:
               | If anyone is interested in this, or wanna refresh your
               | memory, you should watch the docufilm Zero Days (2016) by
               | Alex Gibney (most of his 'movies' are quite interesting)
               | 
               | https://www.imdb.com/title/tt5446858/
        
               | colejohnson66 wrote:
               | Book?
        
               | peteretep wrote:
               | > It's possibly the most sophisticated hacking campaign
               | when social and technical aspects combined.
               | 
               | It's the most sophisticated one _we know of_
        
               | nostoc wrote:
               | And it's 10 years old now...
        
               | bdamm wrote:
               | Frankly I expect basically all computers are compromised
               | at this point.
        
               | [deleted]
        
             | fsflover wrote:
             | > - Your Intel system runs a special version of Minix on
             | its Management Engine. A version of Minix customized for
             | Intel by its original developer
             | 
             | Not on all systems. It's neutralized and disabled on my
             | Librem 15: https://puri.sm/learn/intel-me/.
        
               | pulse7 wrote:
               | When Russian hackers discovered and started using Intel
               | ME backdoor Intel immediately published (already
               | prepared?) instructions on how to disable it...
        
               | octoberfranklin wrote:
               | Please stop posting this disinformation.
        
             | frickinLasers wrote:
             | > - Your Intel system runs a special version of Minix on
             | its Management Engine. A version of Minix customized for
             | Intel by its original developer.
             | 
             | I hear a lot about Intel's ME, but not much about AMD's
             | PSP. I assume it's just as bad. At least we know how to
             | hobble the ME.
        
               | octoberfranklin wrote:
               | > At least we know how to hobble the ME.
               | 
               | No, we just _think_ we know how to hobble the ME.
        
             | jcims wrote:
             | Here's a hobby-grade GSM modem dev board you can add to any
             | 'offline' device for $40.
             | 
             | https://www.adafruit.com/product/1946
        
               | squarefoot wrote:
               | There are cheaper alternatives. A basic SIM800 based
               | board can cost just above $3 on Ebay, probably less on
               | Aliexpress, or less than $10 for a similar one with
               | Raspberry PI compatible connections (useable with other
               | systems as well). Also interesting is the SIM7600 module
               | which supports 4G LTE down to GSM plus GPS. Also
               | available in Mini PCI-E boards.
               | 
               | https://www.ebay.com/itm/191879410081
               | 
               | https://www.ebay.com/itm/292237166116
               | 
               | https://www.ebay.com/itm/293802495042
        
               | jcims wrote:
               | Dang i might have to order some, thanks!
        
           | autumn_unlaces wrote:
           | Have you heard of Stuxnet?
        
       | Tistel wrote:
       | They say it's for large scale cloud management, but, think of
       | worst case scenario:
       | 
       | https://www.zdnet.com/article/minix-intels-hidden-in-chip-op...
       | 
       | It seems like a massive waste of chip transistors and R&D with
       | limited gain. The hidden minix OS runs at a higher privilege than
       | your host OS. Even if your data is encrypted, any time you
       | decrypt locally, they can see it. I get it, they are looking for
       | bad guys, what if the bad guys take over? There will be nowhere
       | to hide. Yes, I am wearing a tinfoil hat.
        
       | remote_phone wrote:
       | I have a friend that works for a chip company and he said he
       | couldn't get into details but the amount of back doors in
       | communication companies and in chips would scare the shit out of
       | me.
        
         | pbhjpbhj wrote:
         | This anecdote seems consistent with basically all router-modems
         | having hidden root accounts. I'm not sure if the claim as
         | written necessarily goes beyond that.
        
         | dboreham wrote:
         | I question this. Actually I'm going to assert this is only true
         | if your friend is referring to hidden back doors that he
         | believes exist. I don't believe any employee of a chip company
         | is aware of a back door knowingly added to their own product
         | (with one exception see below).
         | 
         | I say this because NSA seems more clever than that, and because
         | any scheme to explicitly add back doors is bound to be
         | eventually exposed.
         | 
         | Instead they do things like have their former employees and
         | contractors hired into tech companies, and those folks add
         | innocuous bugs that can plausibly be denied as back doors. Also
         | I bet they look for bugs that can be used as back doors, given
         | access to source code and chip design data, then fail to fix
         | them.
        
           | mschuster91 wrote:
           | > I don't believe any employee of a chip company is aware of
           | a back door knowingly added to their own product (with one
           | exception see below).
           | 
           | Most if not all ICs above a certain intelligence level have
           | JTAG, which effectively is a backdoor. All you now need is
           | (for those chips that support it, in the first place...) a
           | way to bypass the OTP fuses "preventing" JTAG access - this
           | kind of vulnerability turns out often enough to be saying
           | it's commonplace.
        
         | pjc50 wrote:
         | Counterpoint: I actually do work at a chip company and have
         | never heard of any of this internally. Even from the people
         | working on secure biometrics.
         | 
         | Neither of these anecdotes proves anything.
        
           | dylan604 wrote:
           | The first rule of fight club is you do not talk about fight
           | club. If a chip company was placing back doors into their
           | products, I doubt it would be something they would talk about
           | around the water cooler. However, if a back door was
           | implemented on this level, if someone broke rule #1 and rule
           | #2 of fight club, then I don't see how it would be able to be
           | kept quiet after that.
        
             | duxup wrote:
             | So we only believe people who claim something is happening
             | with no proof ... because anyone who doesn't see it
             | happening just isn't in the special circle of folks doing
             | it?
        
               | dylan604 wrote:
               | what are you on about? if nobody in the know talks, how
               | does anyone find out about it? if people are talking
               | about it, then anyone with any know-how will start to
               | investigate. if you choose to believe something someone
               | tells you with no proof, then that's on you. claiming we
               | do the same thing is a broad brush that i'm not getting
               | painted on by thank you very much
        
               | duxup wrote:
               | I don't understand what you're saying.
               | 
               | We had one anecdote saying a thing is happening, the
               | second from someone who says it isn't. Your post seemed
               | to indicate that the second post isn't true because maybe
               | that person just doesn't know about it.
               | 
               | That seems to refute the second and assume the first is
               | true.
        
               | VRay wrote:
               | Isn't telling people about this sort of backdoor the sort
               | of thing that could cause you to commit suicide with
               | multiple gunshot wounds to the back of your head? I don't
               | think any anecdotal evidence one way or the other is
               | worth considering
        
       | boomboomsubban wrote:
       | >Three former senior intelligence agency figures told Reuters
       | that the NSA now requires that before a back door is sought, the
       | agency must weigh the potential fallout and arrange for some kind
       | of warning if the back door gets discovered and manipulated by
       | adversaries.
       | 
       | Meaning that before, they were free to plant as many back doors
       | as they pleased without any concern for the consequences. And
       | even now, they just need to think about it a bit and warn
       | somebody, no idea who they tell, if they notice it being used.
       | 
       | >NSA now asserts that it cannot locate this document
       | 
       | This is fairly clear proof of either corruption or complete
       | incompetence.
        
         | duxup wrote:
         | "Meaning that before, they were free to plant as many back
         | doors as they pleased without any concern for the
         | consequences."
         | 
         | Kinda. There apparently is some approval process and such but
         | I'm not sure everyone at the agency was able to make such
         | requests in the first place...
         | 
         | I'm with your gist, I'm just not sure we know how widespread it
         | really was. I'm not inclined to agree that it must have been
         | ultra widespread.
        
           | boomboomsubban wrote:
           | We know that just one of the NSA's related programs, Bullrun,
           | had a budget of $250 million a year from 2011. And by their
           | own admission this gave them access to "vast amounts of
           | encrypted Internet data which have up till now been discarded
           | are now exploitable". Further, their reports mention much
           | more activity that Snowden did not have clearance for.
           | 
           | We don't know the full extent of their activities, but it
           | clearly far surpassed what should be tolerable.
        
       | orangepanda wrote:
       | Y'all reading into it too much. They're under no obligation to
       | tell the truth. Might as well have said "there's no backdoors" but
       | that's not a PR happy answer.
        
         | pbhjpbhj wrote:
         | Doesn't having a Congress that can't demand the truth by force
         | of law (ie create an obligation; they of course won't
         | necessarily get the truth) mean that you're no longer a
         | democracy. I mean starkly that's an indication that rule of law
         | no longer stands.
        
       | crtasm wrote:
       | Off topic: anyone know why Reuters always 404s when I click on a
       | link to it in Tor Browser? Desktop and Android.
        
       | charliebrownau wrote:
       | Government + Central Banks + Corporations ARE THE PROBLEM, never
       | the solution
        
       | duxup wrote:
       | I would expect they do, and I'm not entirely against it depending
       | on the circumstances around it and so forth.
       | 
       | To me a 'back door' could range from 'don't fix that bug for a
       | week' to 'push this update to this user' to some absurd 'hey can
       | you add this remote desktop client to your code, the password has
       | to be 1234'.
       | 
       | By no means is it a light thing to do but I do believe there is a
       | range of actions that would constitute a 'back door' to me.
       | 
       | Granted I'm all for more congressional oversight and I'd like to
       | see MUCH more aggressive congressional action.
        
         | programbreeding wrote:
         | The problem with your first and third examples is that it
         | leaves it open and vulnerable to anyone other than the NSA.
         | Like if a "backdoor" is left open for encryption, as soon as
         | it's discovered then that door is open to anyone.
         | 
         | The problem with your second example, targeting a specific
         | user, is that they're doing this without any kind of warrant.
        
           | duxup wrote:
           | I completely agree on all points.
        
       | seibelj wrote:
       | Operate under the assumption that government is reading all of
       | your text messages, internet history, payment history, and phone
       | calls. Then when you need privacy, enhance as needed. Even if
       | privacy technologies like VPN or Tor are compromised, the
       | government is less likely to reveal in order to keep the fact
       | they can do it secret. Good luck out there! It's an unfair and
       | scary world, once you try to do anything non-conformist.
        
         | fsflover wrote:
         | No, you should try to have privacy at all times. Otherwise
         | those who really need it will be in the minority and easily
         | hacked.
        
         | goatinaboat wrote:
         | _Even if privacy technologies like VPN or Tor are compromised,
         | the government is less likely to reveal in order to keep the
         | fact they can do it secret_
         | 
         | That is what parallel construction exists for. Also known as
         | fruit of the poisoned tree.
        
       | dariosalvi78 wrote:
       | I thought the problem was Huawei...
        
       | jdndbfbf wrote:
       | The director of the NSA lied while under oath to congress, and
       | nothing happened. As far as I'm concerned, what 3 letter agencies
       | say publicly is irrelevant.
        
         | Liquix wrote:
         | It's an interesting case of cognitive dissonance. Most will
         | admit when pressed a bit that the CIA/NSA/FBI do not have our
         | best interests at heart and are out of control. They have
         | repeatedly lied under oath, lied to congress, lied to the
         | public, run human experiments on unwitting citizens, collect
         | data on all of us, etc with complete impunity.
         | 
         | However many people somehow simultaneously hold the belief that
         | these agencies should continue to exist, are deserving of our
         | taxpayer dollars, and are generally Good Guys who happen to do
         | bad things sometimes. Perhaps it's just too exhausting to
         | consider the extent of corruption in the USA.
        
           | pjc50 wrote:
           | > Perhaps it's just too exhausting to consider the extent of
           | corruption in the USA.
           | 
           | Abolish the (secret) police?
           | 
           | It's basically the same debate; people need to feel that the
           | threat from the "protectors" is greater than the threat they
           | are allegedly protecting against before something gets done.
           | And, realistically, being spied on by the CIA is fairly low
           | down the average person's list of problems. Even the citizens
           | who are most directly threatened by American policing would
           | prefer dealing with the immediate threat of street violence
           | and gunshot murders by the police than the distant, nebulous
           | threat of the CIA plane over the protests.
           | 
           | Having your _candidate_ spied on by the CIA, FSB, Met police,
           | or Jim-Bob's Laptop Repair Shop is more of a problem.
        
             | hedgedoops2 wrote:
             | While the threat (expressed as P(harm)*harm) from XYAgency
             | surveillance is low or medium, the unmitigated threat from
             | the things their surveillance practices protect against -
             | namely, terrorism - is also low. The mitigation effect is
             | lower still.
             | 
             | Objectively, even in 2001 terrorism was a negligible risk
             | compared to everyday risks, and subjectively, there hasn't
             | been a major terrorist attack for years. The only reason
             | mass surveillance exists is a rationale by the US state
             | that "more power is good". This may apply to the US army,
             | but not to the spies.
             | 
             | Also, like you say, once the american spies start to (pun
             | intended) "Interfere in american elections", then the
             | problem affects everybody with P=1. Personally I could live
             | with it if Trump were the only candidate they work against,
             | but if they do it to Trump, they likely do it to others. (I
             | see no evidence of interference or other abuse of collected
             | data currently, but I think it's dangerous to give them the
             | power to collect all this info that can in principle be
             | abused for selective prosecution and/or blackmail).
             | 
             | Also, it affects not just politicians, but also corporate
             | execs, who can be further pressured using the other means
             | of the state, and who themselves have power the state can
             | deputize.
             | 
             | A democracy should have the surveillance powers that are
             | proportionate to the benefit from these powers and no more.
             | There is a positive value in minimizing state surveillance
             | power; this concept seems lost on america. (In fairness, it
             | seems lost on conservative parties worldwide.)
        
           | bulletsvshumans wrote:
           | I think it's clear that they are out of control, from the
           | examples you list among others. The harder argument is that
           | they're not doing it in our best interest. Without good
           | visibility into their activities (which could very well
           | inhibit those activities), it's hard to tell which of their
           | activities are a net benefit to our country.
           | 
           | My guess is that most Americans would expect that they
           | sometimes do things that aren't legal, but that generally
           | they are at least intending to do it with the best interest
           | of our country in mind. That second part is the primary
           | reason why they aren't being wholesale shut down, and why
           | they're able to get away with things like lying to congress.
        
             | 542354234235 wrote:
             | > The harder argument is that they're not doing it in our
             | best interest.
             | 
             | I disagree. I think they absolutely _believe_ they are
             | doing what is best for the country, but without actual
             | accountability and meaningful outside oversight and input,
             | I would say it is far more likely they have become
             | myopically focused. That they are unable to accurately
             | judge or weigh the effects of persistent surveillance
             | against one's own citizens and how that negatively impacts
             | a free and open democracy and a government that feels
             | accountable to its citizens, vs their own very skewed
             | perspective of looking at nothing but "threats" and
             | thinking about nothing but threats, and planning for
             | nothing but threats. The "everything is a nail to a hammer"
             | saying comes to mind.
        
             | craftinator wrote:
             | > That second part is the primary reason why they aren't
             | being wholesale shut down
             | 
             | Two thoughts:
             | 
             | 1) Even if most Americans decided they needed to be shut
             | down, how would we enact that? It seems to me there are
             | very few people who have that power, and even if a great
             | majority of us wanted it, we have no way to enact it (and
             | no way of knowing if it was actually enacted; we could be
             | told it had been done, but that could easily be an
             | inscrutable lie)
             | 
             | 2) If they were actually shut down, what would the people
             | who worked there do? Highly intelligent, skilled, with low
             | morals, used to performing nefarious activities; they would
             | go on to be in shadow NGOs, organized crime, reform under
             | other names, etc.
        
               | mindslight wrote:
               | > _If they were actually shut down, what would the people
               | who worked there do?_
               | 
               | Prison time, like any other criminal enterprise.
        
               | 542354234235 wrote:
               | This is kind of ridiculous. These are high level
               | conflicts between equally valid government entities about
               | how they should operate as well as nebulous questions on
               | how constitutional law applies. I would assume there are
               | legal memos, signed authorizations, etc. for what is
               | going on. We could argue that secret authorizations for
               | these kinds of things shouldn't exist, but the fact is
               | they do. If the president authorizes something, and years
               | later, a court decides this action was unconstitutional,
               | the employees are not criminally responsible. This isn't
               | a Nuremberg trial situation where crimes against humanity
               | are committed under the guise of "just following orders".
               | This is a case of following orders because the best legal
               | experts cannot 100% agree on constitutional law and how
               | it applies to different circumstances and different
               | powers given to the various branches of government.
        
               | mindslight wrote:
               | The straightforward way to eliminate the ambiguity is to
               | submit the programs to democratic oversight, including by
               | The People. But instead they've worked hard to do the
               | exact opposite, going so far as to blatantly lie to
               | congress. This points to a criminal conspiracy,
               | regardless of how many employees are working to craft
               | dubious legal justifications. Usually criminals don't get
               | to just say "my bad" and walk away after being caught,
               | and I don't see why higher crimes should carry less
               | punishment.
        
         | dylan604 wrote:
         | To be fair, Clapper did come back for a follow up, and
         | basically said, "oops, looks like I was wrong." That's it.
         | Congress didn't push back, and thanked him for his service. So
         | looks like Congress is complicit as well.
        
           | sonotathrowaway wrote:
           | Clapper was forced to issue a retraction after Snowden leaked
           | material showing he perjured himself. He defended his then
           | answer as the "least untruthful answer" he could give, maybe
           | that's a term of art in intelligence when you intentionally
           | suborn oversight.
        
         | markus_zhang wrote:
         | That's pretty much part of their job.
         | 
         | Their mindset: we own the United States of America, and the
         | rest of you are just sheep. We are doing shepherd's job and you
         | don't need to understand it. We are doing wolf's job because
         | there are wolves at the gate so we better fight back with
         | bigger teeth. We the people do not include your ordinary sheep,
         | and only the privileged ones are "people".
        
       | babesh wrote:
       | So the US was exposed for doing what it accused China of doing.
        
       | stonepresto wrote:
       | Root everything. FOSS all the things. Tear everything apart.
       | 
       | There will always be a BBEG, no matter what part of the world you
       | are in or what sort of government you live under.
       | 
       | You are the only one who acts in your best interest.
        
         | jankiehodgpodge wrote:
         | For most people, rooting makes them less secure not more. It
         | all depends on who you're securing against.
        
           | stonepresto wrote:
           | That's certainly fair, especially if the password is then set
           | to some variation of "password"...
           | 
           | Although for some devices if you can root it, you probably
           | also know methods of securing it.
        
             | lucb1e wrote:
             | Rooting a device does not enable setting a password for it.
             | You can host sshd without root, or host sshd but disable
             | root login. Rooting and setting a password, or opening
             | remote command channels for that matter, are separate
             | things. Root allows you to shoot yourself in the foot more
             | than you could otherwise, but you do need to pull the
             | trigger.
             | 
             | The default root methods just enable apps to request root,
             | after which the user gets a prompt. It's like the camera,
             | microphone, or any other special permission.
        
         | [deleted]
        
         | fsflover wrote:
         | > You are the only one who acts in your best interest.
         | 
         | No, you aren't. And it's impossible to do everything alone.
         | 
         | https://news.ycombinator.com/item?id=24881988
        
           | stonepresto wrote:
           | I agree with the second part of your statement, but I think
           | being alone in acting in your own best interest still holds.
           | Good projects such as those are a result of many similarly
           | aligned self-interests.
           | 
           | I'll admit I was being a bit dramatic, and as you have
           | pointed out it's certainly more complex than a single
           | sentence. I was trying to highlight that blindly trusting
           | another human or organization can leave you vulnerable.
        
       | Gaelan wrote:
       | @dang Can we change the title to include "NSA"? It's silly that
       | the headline doesn't say which spy agency.
        
       | c54 wrote:
       | Thought this was an article about ducks who are spies[0]... too
       | bad.
       | 
       | [0] eg http://agentyduck.blogspot.com/
        
       | Threeve303 wrote:
       | Spy agency denies performing main purpose for existing.
        
         | netsec_burn wrote:
         | Reminds me of one of my favorite comments on HN (when the NSA
         | discouraged quickly adopting post-quantum cryptography):
         | https://news.ycombinator.com/item?id=21587571
        
       | x87678r wrote:
       | I always assumed there would be insecurities in everything you
       | buy and if there weren't backdoors it was normal for spooks in
       | various nations to be able to crack it sooner or later. Using
       | cloud services makes this even more likely. Does anyone really
       | think they are 100% safe?
        
       | haydonchurchill wrote:
       | Does anyone really believe that they don't add backdoors? If it's
       | a major tech / internet business, they require access to a
       | backdoor.
        
       | ChuckNorris89 wrote:
       | Is anyone actually surprised of a _"we can neither confirm nor
       | deny"_ type of answer coming from intelligence agencies?
        
         | matthewdgreen wrote:
         | Yes. After the Snowden leaks and Shadowbrokers/Vault7/WannaCry
         | disasters, the agencies put a lot of effort into reassuring the
         | public that US technology was trustworthy. This included things
         | like making public the Vulnerabilities Equities Process [1],
         | and other work to restore trust in cryptographic standards
         | agencies like NIST [2]. It also included more public engagement
         | with industry to report serious vulnerabilities [3].
         | 
         | The intelligence community didn't open up like this because
         | they wanted to be nice. They did it because there was a very
         | real concern that US industry would be damaged in the eyes of
         | global consumers -- primarily as a result of our intelligence
         | agencies being too aggressive and, frankly, being sloppy.
         | (It's bad enough to pay for and hoard backdoors, it's another
         | thing entirely when those backdoors are repeatedly stolen and
         | leaked for bad actors to use.)
         | 
         | I guess the news here is that the NSA didn't learn very much
         | from these episodes, or at least, it no longer feels like it
         | needs to repair the damage.
         | 
         | [1]
         | https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Proce...
         | [2]
         | https://www.nist.gov/system/files/documents/2017/05/09/VCAT-...
         | [3] https://www.thesslstore.com/blog/nsa-microsoft-releases-patc...
        
           | nerdponx wrote:
           | _I guess the news here is that the NSA didn't learn very
           | much from these episodes, or at least, it no longer feels
           | like it needs to repair the damage._
           | 
           | This seems to be a common thread in American political
           | corruption. After a certain point, the public just doesn't
           | remember or can't be bothered to care or feels powerless to
           | do anything. Then you can basically do whatever you want as
           | long as you stay quiet enough to avoid another wave of media
           | outrage.
        
           | dmurray wrote:
           | Couldn't they just have said "no we have no backdoors"? NSA
           | would look good, Congress would look good for asking the
           | tough questions. When eventually new evidence comes to light
           | that they do have backdoors, they have the choice then
           | between continuing to deny deny deny, or pointing to national
           | security interests.
        
             | ChuckNorris89 wrote:
             | _> Couldn't they just have said "no we have no backdoors"?_
             | 
             | No, because once their backdoors are (inevitably) going to
             | be found/leaked, they'll come off as liars. Plus, if they
             | would have said no, nobody would buy that or would think
             | they're asleep at the wheel.
        
               | kube-system wrote:
               | Lying to Congress is also a crime, punishable by prison
               | time.
        
       | atty wrote:
       | I can't tell from this - is Wyden also against back doors for the
       | purpose of FBI/law enforcement use?
        
         | boomboomsubban wrote:
         | Quote from Wyden in the article
         | 
         | >Secret encryption back doors are a threat to national security
         | and the safety of our families - it's only a matter of time
         | before foreign hackers or criminals exploit them in ways that
         | undermine American national security
        
           | pulse7 wrote:
           | In other words: NSA paved the way for foreign hackers and
           | criminals...
        
             | duxup wrote:
             | It's certainly possible, but I suspect just traditional
             | bugs and poor software is more likely the cause for such
             | events.
             | 
             | Software / hardware industry is PLENTY good at paving the
             | way all on its own.
        
               | boomboomsubban wrote:
               | The article presents an example where we basically know
               | that it happened with Juniper Networks.
               | 
               | As you say, the hardware/software industries have enough
               | difficulties with security acting on their own. They
               | don't need the NSA purposely making more holes.
        
               | pulse7 wrote:
               | Maybe they "need" many such "holes" (which are treated as
               | "bugs") just to make sure that if they disable some of
               | those "holes" (because hackers/public found it out) they
               | still have others ready for the same purpose...
        
             | bitxbitxbitcoin wrote:
             | And likewise, foreign hackers and criminals may have paved
             | the way for the NSA - which is considered a foreign hacker
             | and criminal in other jurisdictions.
        
         | AndrewUnmuted wrote:
         | He was the one who got James Clapper to lie and state to
         | Congress that he was "not wittingly" collecting American phone
         | records in bulk. Though I do not believe he has ever come out
         | and explicitly stated his views on the matter, his actions do
         | suggest that he is against backdoors in all circumstances.
         | 
         | EDIT: Another reply has provided a quote that shows Wyden's
         | views on backdoors. He appears pretty strongly against them.
        
       | ChrisMarshallNY wrote:
       | Wyden is great.
       | 
       | The big issue with backdoors, is that it's only a matter of time,
       | before they become "front doors."
       | 
       | Presented for your approval. Imagine, if you will, a software
       | engineer; probably based in the US, that writes a backdoor into
       | equipment used to manage a banking transaction network. This is a
       | fairly natural place to have it, as "follow the money" is a
       | classic forensic technique.
       | 
       | Of course, access to this network could net nefarious (probably
       | non-state) actors a _lot_ of money.
       | 
       | Said software engineer suddenly quits and buys a Bugatti.
       | 
       | The back door is now a front door, and it's baked into some
       | hardware that can't easily be changed, as no one trusts the
       | patches, now.
        
         | staplers wrote:
         | is that it's only a matter of time, before they become "front
         | doors."
         | 
         | Look no further than Plaid banking service. They collect your
         | banking login information. I guarantee there are blanket
         | warrants to monitor accounts from multiple agencies.
        
           | xxpor wrote:
           | You don't even need a warrant for that. SARs are a thing. It
           | could potentially even be considered business records, which
           | are just subject to a subpoena, not a warrant. The police
           | have been able to request phone records since forever.
           | 
           | https://en.wikipedia.org/wiki/Third-party_doctrine
        
       | FerretFred wrote:
       | > ..arrange for some kind of warning if the back door gets
       | discovered and manipulated by adversaries
       | 
       | "Hello Support? My computer just popped up a message to say that
       | a bad actor has taken over my computer; should I reboot it?"
        
       ___________________________________________________________________
       (page generated 2020-10-28 23:00 UTC)