[HN Gopher] Spy agency ducks questions about 'back doors' in tec...
___________________________________________________________________
Spy agency ducks questions about 'back doors' in tech products

Author : oblib
Score  : 358 points
Date   : 2020-10-28 13:33 UTC (9 hours ago)

(HTM) web link (www.reuters.com)
(TXT) w3m dump (www.reuters.com)

| jchook wrote:
| Maybe they reverse-engineered China's hardware backdoors and
| don't need additional backdoors now.
| lki876 wrote:
| Oh come on, any answer but 'no' is yes. Also 'no' is yes.
| pulse7 wrote:
| "The tactics drew widespread attention starting in 2013, when
| Snowden leaked documents referencing these practices."
|
| So this is what Snowden has done: he "drew widespread attention
| to these tactics". Before Snowden they would call you "paranoid"
| if you would allow yourself to mention it. Today they can not
| call you paranoid anymore.
|
| And yes, it has hurt US industry reputation. Many don't trust
| Intel processors and Cisco routers anymore (among other
| products). They actually destroyed computers and internet as we
| knew them in the 1990s. It is not fun anymore to own a
| computer or a phone if you know that NSA can get access to it
| anytime they want... and you will never know if they accessed
| it...
| dancemethis wrote:
| They totally still call you paranoid. Snowden unfortunately
| meant nothing to the general technology consumer mass. They're
| more than happy to defend tooth and nail their jails. See
| Discord or Zoom as prime current examples.
|
| It is ridiculous that he had to go through this just for people
| to shake their shoulders and keep on, except for the few that
| already were inclined to care.
| jacobwilliamroy wrote:
| Nowadays the right wing nutbars are actually pro-government
| because they think that a large fascist government complete
| with secret police and massive surveillance will protect them
| from pedophile vampires. No I'm not joking.
| It's the same
| Alex Jones types who used to be all about neoliberalism and
| deregulation. The people who were afraid of "the chip" are
| now begging to be tagged because they think it will save them
| from human trafficking. That's what happens when Americans
| are trapped at home with nothing to do but go on Facebook and
| YouTube: they get indoctrinated into stupid Christian
| deathcults.
| [deleted]
| slg wrote:
| It is a relatively common belief among non-technical people
| in my friend group that Facebook listens to everything you
| say within earshot of your phone and later displays ads to
| you based on what it hears. That belief still isn't enough to
| get those people to stop using Facebook, Instagram, and
| WhatsApp. It isn't that people don't think they are being
| spied on. It is that people don't really care that they are
| being spied on.
|
| Snowden didn't fail to change things because people didn't
| believe him. He failed to change things because he didn't
| articulate a compelling enough reason for people to be
| fearful of what he revealed.
|
| If people reading this want to see this changed, we need to
| do a better job of showing the real world consequences of
| this lost privacy. Talking about theoretical concepts like
| lost freedom and privacy isn't enough. You need tangible
| examples of how people's lives are made worse by this spying.
| inopinatus wrote:
| You suggest this is impossible; but I still remember that
| time I asked Alexa what colours the Lotus Elise was
| available in. For the next few weeks, whenever I went out,
| I'd see at least one Lotus parked on the street or at the
| mall or driving by.
| bdamm wrote:
| Similar to my experience of surveying vacuum cleaners on
| Amazon, then going to get lunch at Whole Foods where a
| clerk appeared suddenly at the checkout I was at to
| vacuum up a non-existent mess, with one of the models
| Amazon had offered up.
| The ratio of profit to sales cost
| on a high-end vacuum might be similar to a Lotus Elise.
| Or maybe it's just confirmation bias.
| inopinatus wrote:
| If this phenomenon isn't already a PKD short then it
| could be a SCP entry.
| mpol wrote:
| The people at Alexa have been very busy for you :) And
| Lotus got a lot of sales as well.
| exceptione wrote:
| > It isn't that people don't think they are being spied on.
| > It is that people don't really care that they are being
| > spied on.
|
| Well, my experience is that people care but don't have an
| idea on how they could change that. They feel powerless,
| have no idea what to do, and they are apathetic. They accept
| their shackles like they deserve it. They know they are
| abused but since they are human, they use coping mechanisms
| to continue using apps they believe are actually not so
| nice for them.
|
| Of course they have thoughts like "actually, my picture is
| not private anymore", but for their sanity of mind they
| carry on because of network effects/ease of use/etc. They
| choose to push those thoughts off, as they are outside of
| their control. To us, it might sound like they just don't
| care. That's wrong!
|
| At least, that is what I conclude after talking with
| non-techies about this stuff.
|
| I am sure you can sell privacy as a big plus, but you need
| to deal with above aspects as well.
| darkerside wrote:
| People now view going on the Internet as akin to going
| outside. Yes, other people can see you, and yes, you have
| limited expectations of privacy. No, it's not problematic
| that you have police keeping an eye on things. If you have
| a problem with that, and you never go outside without your
| "disguise" aka VPN, you are operating outside of social
| norms (and it's probably not helping anyway).
|
| This is not a valid judgement in any way. I just think some
| people may not realize the way others may perceive and
| think about this privacy dilemma.
| Jon_Lowtek wrote:
| I hear this "the internet is like outside, don't expect
| privacy" argument a lot from Americans, who I think are
| taught some 18th century definition of privacy by their
| media, as in "in your private rooms" and not a 21st
| century definition as in "about your private data". If
| you go to the city there are no agents of third party
| marketing agencies keeping notes of your movement and
| what items you look at in the stores to profile you.
|
| Imagine going to the city and there is this trenchcoat
| and hat wearing private agent following you all day and
| you go into a store and see him handing the salesman a
| note and pointing at you, and then the sales guy comes
| over to you and says "good day - do you want to buy _red
| things?_" and you are like "actually I am looking ..."
| and the agent is now uncomfortably leaning into your
| conversation, "... for green things". Sales says "sure
| this way, please" and the agent is writing "green!" in
| his notebook, circling it three times. That is what the
| internet is like today. And you look around and everyone
| has these agents following them, keeping notes. You ask
| someone about it they say "well most people don't even
| notice them" or "that is how things are" or "people
| shouldn't expect not to be spied on by private
| corporations". So you hurry home while from every side
| street more agents come and try to follow you until you
| have this horde on your track and you hasten into your
| door with a crowd outside holding up signs like "buy red
| things!" and "green thing is green!"
| - but you are now at
| home so you relax and walk through your hallway to your
| room and say "computer: play some _licensed music_" and
| guitar music starts playing and -shocker- there are
| agents in your living room, one sitting on your couch
| playing the guitar, one is standing in front of your
| bookshelf taking notes of its content and another one is
| looking through your fridge, then stares directly at you
| and holds a sign up: "buy food"
|
| The internet is nothing like outside.
| abvdasker wrote:
| Look, my estimation of "general technology consumer mass" is
| incredibly low, but I promise you nearly every American adult
| knows who Edward Snowden is and probably has at least a vague
| idea of what he was trying to communicate. I agree that many
| -- maybe even most -- people don't understand the issue very
| well, but I think it did have a pretty large impact at the
| time and since.
| xnyan wrote:
| >but I promise you nearly every American adult knows
|
| If the next thing you are going to say is not "The current
| President of the United States", then sadly you are
| extremely mistaken because that's the only political fact
| you can confidently say that all Americans know (and even
| then, it's not 100%).
|
| Source: A political science degree that I don't use, but
| this sad fact is well known.
| kevin_thibedeau wrote:
| They don't know who he is. American adults are uninformed
| about most issues and will just parrot what they're told to
| believe in. Mass media paints him as a bad person so that's
| his public image.
| alexilliamson wrote:
| N = 1 blah blah, but my Dad is a West Virginian factory
| worker who couldn't name one current Supreme Court
| Justice (including the one just appointed), but he has
| spoken positively about Snowden for years.
| AndrewBissell wrote:
| Zero doubt that the common people of this country have
| much more affinity for Edward Snowden and
| anti-surveillance viewpoints than the psychos at the top
| running things.
| xkcd-sucks wrote:
| Eh Appalachian labor has a history of being on right side
| of morals and the wrong side of force
| NikolaeVarius wrote:
| I don't think this is a given. Not a perfect source, but man
| this was depressing
|
| https://youtu.be/XEVlyP4_11M?t=422
| boomboomsubban wrote:
| >but I promise you nearly every American adult knows who
| Edward Snowden is and probably has at least a vague idea of
| what he was trying to communicate.
|
| I highly doubt this. In 2015, only 60% of Americans had
| some idea of who Snowden was, and only half of those had a
| positive opinion of him. I doubt this has improved over the
| past five years either.
|
| https://www.aclu.org/snowden-poll-results
| kekebo wrote:
| 60% of Americans having some idea of the issues he raised
| is assumably a vast increase in awareness of the topic
| compared to the time before his leaks became public.
| dunefox wrote:
| > 60% of Americans having some idea of the issues he
| raised
|
| His comment says an idea of "who [Snowden] was", not of
| what he was trying to say.
| LinuxBender wrote:
| The best example of the Snowden fallout and the apathy
| around it was when John Oliver interviewed both Snowden
| and many people on the street. People on the street did
| not comprehend what NSA monitoring meant and did not care
| until John put it in terms they could understand. "So you
| are ok with the NSA seeing pictures and videos of your
| significant other's junk you text (sext) back and forth?"
| "Oh, I would be furious if they were seeing that". That
| was how nearly every conversation went.
| lern_too_spel wrote:
| But that is not what the NSA monitoring meant. They do
| not get to see pictures of your SO's junk. They do know
| who you called and when but not tied to your name.
| malaya_zemlya wrote:
| According to Snowden, they did:
|
| https://www.theguardian.com/world/2014/feb/27/gchq-nsa-webca...
| LinuxBender wrote:
| Maybe, but they do for sure listen to your calls. I used
| their software in a wireless provider. "She" was
| fascinating. She could understand any language, dialect,
| voice inflection, and so much more. No training required
| whatsoever. She listens to all international calls and
| flags phrases and key words.
| lern_too_spel wrote:
| They don't listen to your phone calls either. If they
| did, Snowden would have leaked it, and it would have been
| a bombshell revelation. If you have information
| otherwise, you should blow the whistle.
| LinuxBender wrote:
| There is no whistle to blow. It is fairly well known that
| all international calls into or out of each country are
| monitored by bots using speech recognition by the related
| agency for each respective country. This has been the
| case for a very long time. Before bots, there were
| listening stations with thousands of people monitoring
| calls. There would be nothing for Snowden to leak in that
| regard. The only place this has been taboo is when the
| NSA is doing it within the country. They too use bots, as
| there is no way you could hire enough people to listen to
| the calls. Only flagged calls are listened to by people.
| rmrfstar wrote:
| Confirmed in this gem:
|
| https://web.archive.org/web/20200618030047/https://www.balti...
| ChrisKnott wrote:
| I am almost certain this has never been reported, I am
| also almost certain it is not the case. Can you provide a
| link?
| FandangoRanger wrote:
| This is a bit of a term of art. "They" don't "listen" to
| your calls. A computer does.
| boomboomsubban wrote:
| They do, Snowden and others have leaked it.
| https://www.cnet.com/news/nsa-spying-flap-extends-to-content...
| Mediterraneo10 wrote:
| > They do know who you called and when but not tied to
| your name.
|
| For a state-level actor (or the mobile provider itself or
| those other corporations to which it sells data for
| advertising purposes) to identify by name the human being
| who is the source of phone calls, is trivial in most
| countries today.
| nobleach wrote:
| I think THAT is where the apathy comes in. THAT is
| probably the biggest concern of your average internet
| surfer. They think, "I don't trade any high level
| secrets... I'm a nobody". So the worst thing they can
| conceive is, "but I did send some pics to that person I
| met on Facebook. I sure would hate for my significant
| other to find out". That's something that can resonate
| with a far larger group. Many honestly don't care because
| they feel there's nothing they can do. Perhaps they're
| right. It's not like the US Gov (or any other) said, "oh,
| you caught us.... fine we'll shut down the program"
|
| I totally agree that it's sad that we're in this place of
| apathy. But it's hard to get folks all excited when they
| don't believe it'll really affect them personally.
| worker767424 wrote:
| > only 60% of Americans had some idea of who Snowden was
|
| It's things like this and people who believe the moon
| landing was faked that convinced me universal suffrage
| isn't a good thing, and we need some sort of poll test to
| make sure people are educated on issues before voting. I
| realize the US has a bad history with "literacy" tests,
| but it's clear that most people have no business voting.
| koboll wrote:
| >we need some sort of poll test to make sure people are
| educated on issues before voting.
|
| Okay, now start thinking about what happens when the
| political party you like least takes power and starts
| rewriting the poll test questions to advantage
| themselves. Then perhaps you'll see why this would be a
| catastrophically bad policy.
| munk-a wrote:
| Sorry but no - universal suffrage has been proven
| historically to be far less flawed than any of the other
| suffrage limits we've ever had - giving everyone,
| including the idiots and the deplorables, a voice lets us
| see what our society is actually made of and might just
| make[1] education a bigger priority in the US budget.
|
| 1. Future tense because right now the US doesn't have 1
| person 1 vote equivalence for most elections.
| kortilla wrote:
| > a voice lets us see what our society is actually made
| of and might just make[1] education a bigger priority in
| the US budget.
|
| How does that work once the idiots are in charge of the
| budget?
|
| > 1. Future tense because right now the US doesn't have 1
| person 1 vote equivalence for most elections.
|
| Well it does. The confusion is about what you're voting
| for.
| munk-a wrote:
| > How does that work once the idiots are in charge of the
| budget?
|
| Society collapses and we become a failed state - but
| states fail all the time, universal suffrage appears to
| minimize the number of states that need to fail.
|
| > Well it does. The confusion is about what you're voting
| for.
|
| When it comes to voting for president, my vote as a
| Vermonter is objectively worth 2.63 times as much as my
| friend from Washington - additionally the FPTP voting
| approach and winner take-all electoral college causes a
| lot of other oddities that make my VT vote essentially
| worthless when compared with a resident of PA.
|
| There are a few ways we break 1 person 1 vote equivalence
| and while we can argue whether that's a good or bad thing
| you can't argue against it being the case.
| kortilla wrote:
| > Society collapses and we become a failed state - but
| states fail all the time, universal suffrage appears to
| minimize the number of states that need to fail.
|
| Curious claim. Has there been any research that shows
| states are less likely to fail with universal suffrage?
|
| > When it comes to voting for president, my vote as a
| Vermonter is objectively worth 2.63 times as much as my
| friend from Washington
|
| See, that's the confusion. You're not voting for
| president directly. You're voting for who you want your
| electoral college to vote for. In most states if you're
| on the losing side of the vote in your state, your
| presidential vote literally means nothing.
|
| Your individual vote in Vermont is not "worth more" than
| your friend's vote in Washington because you're both just
| voting in state level decisions about who the college
| should vote for.
|
| The legitimate claim is about the number of delegates and
| (arguably much more important) the number of house
| representatives each state is getting.
|
| Reiterated, there isn't a lack of 1 person 1 vote
| equivalence in any elections I know of in the US (e.g.
| landowners don't get extra votes). There are just
| elections people think are direct democracy when they are
| far from it.
| RhodoYolo wrote:
| > Society collapses and we become a failed state - but
| states fail all the time, universal suffrage appears to
| minimize the number of states that need to fail.
|
| The only societies that I can think of that lasted a long
| time were societies that didn't have universal suffrage.
| The idea of a republic is pretty stupid to be honest.
| What you end up with is a bunch of people with completely
| different agendas to ensure that every issue gets hotly
| debated and when a decision is 'made', barely enforced or
| executed on. Additionally, it seems to give rise to
| massive paternalism and loss of freedom which is supposed
| to be the opposite of what it was meant to do.
| outworlder wrote:
| > we need some sort of poll test to make sure people are
| educated on issues before voting
|
| In principle, that's a great idea. I mean, we do have to
| take driving tests before we are allowed to operate
| dangerous machinery.
| We should be required to take tests
| before we are allowed to affect the lives of millions of
| people.
|
| You can have a similar argument for parenthood. Require
| classes before people are allowed to bring another human
| into their care. Nurses have to, why not parents?
|
| The problem with that is that these tests/lectures are
| defined by other humans. This shifts an enormous amount
| of power into the hands of a few. Next thing you know,
| you now have a handpicked elite eligible to vote. The US
| has historically used this mechanism for segregation.
|
| Having universal suffrage (which is not yet very
| universal in a few countries, US included) at least
| allows the average to smooth out outliers. It does create
| perverse incentives towards not allowing the population
| to get TOO literate, otherwise they will be educated
| enough to see through all the BS.
|
| Collectively, we need to focus on improving education for
| everyone and fighting disinformation. World War 3 has
| already begun - except it's using words, not weapons.
| nkrisc wrote:
| That's exactly the argument those who implemented those
| maligned poll tests made. They were made to keep the
| wrong people from voting on the basis they didn't know
| what was best.
|
| That's why they're a bad idea and should not return.
| cmdshiftf4 wrote:
| >we need some sort of poll test to make sure people are
| educated on issues before voting
|
| We've decided to go the opposite direction. The US media,
| celebrities, big companies, etc. have all decided that a
| huge low-information voter turnout > smaller but better
| informed voter turnout.
|
| Indeed, apparently democracy is better when everyone
| participates, regardless of whether a vast amount of
| those people have the slightest iota of what they're
| participating about.
| Thinkx220 wrote:
| It's comments like this that convince me most programmers
| are arrogant douchebags.
| Just because someone has a weird
| idea about an event that had almost no direct effect on
| the general population doesn't mean we should remove
| those people's ability to have a choice in matters which
| will affect them.
|
| Knowing more than someone else does not make you morally
| superior or give you more of a right to have a say in
| your own fate.
| wolco2 wrote:
| If that were the case we would give babies, kids and
| teenagers the right to vote. Kids would always vote in a
| superhero or ice cream. And chocolate would win in a
| landslide.
|
| We only allow those of a certain age to vote because they
| are able to understand and weigh the issues fairly.
|
| We only allow those of a certain age to be jurors for
| that reason.
| jlokier wrote:
| > We only allow those of a certain age to vote because
| they are able to understand and weigh the issues fairly.
|
| Yes, but we draw a simple, arbitrary rule at a fixed age
| because everyone grows older, so it isn't manipulable by
| anyone who is motivated to do so.
|
| If the vote permission line is drawn by more complex
| means that gives a different answer for different people,
| it becomes a primary target for manipulation, abuse, and
| group selectivity.
|
| For example if it was based on IQ tests or even general
| knowledge tests, it is already well understood that these
| are heavily biased tests which test for social
| background, culture and upbringing, rather than general
| intelligence.
|
| If there's going to be a voter test, it needs to be
| extremely robust, something just about everyone has
| confidence in to be fair and appropriate.
| rapind wrote:
| I sympathize with the frustration, but the tests
| themselves will just be another attack vector for voter
| suppression (history proves this).
|
| Probably better off spending resources on improving
| education and political awareness.
|
| I personally think that if we aren't going to let someone
| vote then we shouldn't ask them to pay tax either.
| cmdshiftf4 wrote:
| >I personally think that if we aren't going to let
| someone vote then we shouldn't ask them to pay tax
| either.
|
| Agreed.
|
| Conversely I believe that people who haven't paid tax in
| a reasonable amount of years, through either not
| generating it in the first place, avoision or being a net
| beneficiary of state aid shouldn't be offered a vote.
| a_t48 wrote:
| Frankly that's a horrifying prospect - if I get seriously
| injured and have to go on permanent disability, I'd
| rather not be (further?) disenfranchised.
|
| This is the same as saying "I don't believe disabled/poor
| people should be able to vote"
| cmdshiftf4 wrote:
| The disabled aside, no, I do not believe people who are
| withdrawing more from their society than they are
| depositing should be given a say in the governance of
| that society.
| RhodoYolo wrote:
| you say 'disabled aside' but what about the myriad of
| other reasons? Mental health, unemployment, pregnancy
| that year, international travel but still a citizen, w/e.
| As soon as you start pointing to reasons that a
| government can/can't take away your power to vote you
| are screwed as a populace. Not that I have much faith in
| the voting system anyways cause' who knows how they count
| the votes anyways. It seems the incredibly old voting
| machines that they have could easily be hacked by a
| nation-state level effort.
| autosharp wrote:
| Who designs the test?
| Broken_Hippo wrote:
| I was going to ask the same thing.
|
| "The issues" vary between people. How many do you
| include? Are they just the basic stuff the news covers?
| Do you need to know federal, state, and local issues? If
| you vote in a federal election, do you need to know
| issues in different parts of the country? Wouldn't the
| test show the biases of the test makers?
| eyepea2007 wrote:
| Piggybacking on your point about the general public:
| historically something like 25 to 30 percent of people
| don't even know who the Vice President of the United
| States is...and this goes back to at least the 70s.
| Simply asking someone if they know who Snowden is doesn't
| really prove much. What percentage of people will just
| lie and say they know?
| [deleted]
| beamatronic wrote:
| You could say the same thing about early coronavirus victims.
| Nobody learned from them. Look where we are now.
| logicallee wrote:
| >They totally still call you paranoid.
|
| People really don't. You can search comments here or
| elsewhere, you really won't find anyone calling anyone else
| paranoid for suggesting the government is watching everyone,
| intercepting communications, listening in on conversations,
| whatever. Find me a single example of anyone doing so in the
| past 2 years without an immediate reply from someone else
| (i.e. someone other than the OP) saying "No. Sorry. Since
| Snowden you don't get to call anyone paranoid for thinking
| the government is listening."
|
| In fact, quite the opposite I bet if you asked anyone with an
| Amazon Echo, "Do you think the government can listen to
| private conversations using an Amazon Echo" my guess is most
| people would say, "I don't know. If they really needed to, I
| guess?"
|
| Nobody would say, "Of course not. Don't be paranoid."
| mschuster91 wrote:
| > Many don't trust Intel processors and Cisco routers anymore
|
| That's Cisco's own fault given that there are rarely more than
| 6 months between critical firmware releases that either have
| some way of hardcoded backdoor account, remote code execution
| or other similar bugs.
| colejohnson66 wrote:
| It's not Cisco's fault if the NSA has compelled them to add
| those "bugs"
| SauciestGNU wrote:
| It absolutely is. There can be a duty to resist. People get
| killed based solely on data collected from signals
| intercepts.
| More people and companies should take the brave
| stand Lavabit did, rather than be complicit in oppression
| and state-sponsored killings.
| colejohnson66 wrote:
| While I dislike the NSA as much as practically everyone
| else here, I'm not aware of any state-sponsored killings
| done by the NSA. Sure, the executive branch _has_ ordered
| killings, but the branch is so large, lumping it all
| together makes no sense. The NSA, FCC, FTC, EPA, etc.
| don't kill.
|
| Now, you should resist, yes, but _most people don't._ It
| takes a _very_ brave soul to resist and hope the Supreme
| Court will side with you. Civil disobedience generally
| also requires vast public support who would rally behind
| you. Practically everyone knows Rosa Parks, but polls
| have shown only about 60% of Americans have even _heard_
| of Snowden. Public support is a fraction of that.
|
| Cisco's executives would also end up being involved in
| some _massive_ lawsuits if they shut down the company to
| take a stand. Lavabit, OTOH, was _multiple_ orders of
| magnitude smaller than Cisco is, and they could afford
| the backlash. It also didn't help that Lavabit catered to
| tech people who would understand why they shut down.
| Cisco, OTOH, is used by virtually every large business;
| many of the employees of which would not understand _why_
| they shut down.
| wonnage wrote:
| You expect the agency responsible for putting secret
| backdoors everywhere to be publicizing their
| state-sponsored killings?
|
| The NSA isn't really in charge of the killing part
| anyway, that's the CIA/FBI's job
| rjkennedy98 wrote:
| "Sometimes paranoia's just having all the facts" - William S
| Burroughs
| Cthulhu_ wrote:
| In my country, law enforcement (police) apparently uses or has
| used hardware to allow secure / encrypted communications, whose
| encryption was supplied by a Swiss company (Crypto AG) which
| was secretly owned by the CIA which built in backdoors since
| the 70's.
|
| So basically the CIA and by extension the US government has
| compromised their allies' communications. I hope there are
| massive consequences, but probably not.
| disown wrote:
| > Before Snowden they would call you "paranoid"
|
| No. They'd call you a "conspiracy theorist". By "they", I mean
| the news/media would call you a "conspiracy theorist".
| AndrewBissell wrote:
| It's cool how "conspiracy theories" are always false, because
| the instant something which had been dismissed using the term
| is confirmed to be true, it's no longer a theory!
| warent wrote:
| It has always been true that any computer connected to the
| internet could be accessed by an unauthorized party, even
| before the leaks. Disconnect from the internet and nobody is
| getting in, including the NSA.
| purplecats wrote:
| or rather they're not getting in _or_ out. they might already
| be in. as long as both in _and_ out are disconnected, you're
| set.
| vorpalhex wrote:
| A 2g or 3g module is <$100 and easy enough to hide without
| RF detection equipment. Plain radio is easier.
|
| If the NSA has enough of an interest to be intercepting
| your packages, they're not going to shy away at adding in a
| transmitter or two of their own preference.
| robin_reala wrote:
| Quite considerably less. This one from Adafruit (hardly
| the cheapest supplier) is $30 and has GPS built in too:
| https://www.adafruit.com/product/2637
| PenguinCoder wrote:
| > Disconnect from the internet and nobody is getting in,
| including the NSA.
|
| That is patently false.
| 542354234235 wrote:
| > Disconnect from the internet and nobody is getting in,
| including the NSA.
|
| Ah, the "just move to the wilderness and grow your own food
| if you don't like the government infringing your
| constitutional rights" argument. I want to be able to
| meaningfully engage in normal society by buying consumer
| goods and connecting them to communications platforms _and_ I
| want my 4th amendment rights protected.
| I really don't think
| that is too much to ask.
| lm28469 wrote:
| > Disconnect from the internet and nobody is getting in,
| including the NSA.
|
| Wait until they put 5g chips in every single product to make
| them "smart". Few people talk about that but I believe it's
| the main use case for 5g. Everything will be connected and
| you'll have no way to opt out
|
| > 4G can support about 4,000 devices per square kilometre,
| whereas 5G will support around one million
| [deleted]
| hanniabu wrote:
| Hope you have your bluetooth also turned off
| imglorp wrote:
| And your mic and speaker. And the light sensors while
| you're at it. All can be used for exfiltration.
| fsflover wrote:
| And never use USB devices (see: BadUSB).
| redbeard0x0a wrote:
| a little interdiction while that new airgapped laptop is
| shipped to you and they got you, even though you never
| connected to a network
| derefr wrote:
| Exactly _what_ have they got, if you never connect it to a
| network afterward, either? A key-log that never makes it
| back to them?
|
| (I'm presuming here that the laptop is openable, and that
| you will do so and physically remove any wi-fi M.2 card
| from it -- and associated antennae -- since you won't be
| using it. There might be some sort of extra surface-mount
| snooper chip left onboard that could replicate the same
| function -- but without big antennas, how's it going to
| report?)
| snypher wrote:
| You might not understand the depth to which you can be
| exploited. They will simply let you use your laptop and
| switch your USB cable, which has a built in 6ft antenna.
|
| https://en.m.wikipedia.org/wiki/File:NSA_COTTONMOUTH-I.jpg
| _jal wrote:
| Perhaps with something like this?
|
| https://www.schneier.com/blog/archives/2014/03/ragemaster_ns...
|
| Or this?
|
| https://www.schneier.com/blog/archives/2014/03/cottonmouth-i...
|
| If you have actually attracted the attention of the NSA,
| pulling your NIC is playground stuff.
| xxpor wrote: | Ignoring the larger context, but just technologically, | RAGEMASTER sounds freakin' sweet. Like that's actually | amazing. | BlueTemplar wrote: | Researchers have been able to make integrated circuits | emit radio waves. | sroussey wrote: | And it can add a slight flicker that can be used as a | signal and detected from outside. | bayindirh wrote: | > Disconnect from the internet and nobody is getting in, | including the NSA. | | Oh boy. That's some serious delusion in 2020. Wireless cards | and higher end network interface cards are independent | computers. Your processor has another processor (Intel ME and | others) in it. Baseband Management Controllers are also | independent computers in their own right. | | With closed firmware and wireless capabilities, you can never | know what they're doing at a given time. | | Stuxnet reached systems which were seriously air gapped. | Consider what a laptop with a _witty_ wireless card | firmware can do. | | I'm not getting into TEMPEST attacks and their newer | versions, passive surveillance, etc. | | I've listened to tales about Cisco devices which were configured | to isolate and prevent internet traffic but, they _mistakenly | forgot_ to drop some magic packets. Uh. | | --- | | Random facts about this stuff: | | - Your Intel system runs a special version of Minix on its | Management Engine. A version of Minix customized for Intel by | its original developer. | | - There are photos of Cisco devices which were _delightfully | enhanced_ by NSA before shipping to its customer via special | firmware and/or hardware. NSA still retains this capability. | the_only_law wrote: | I'm actually kinda curious if TEMPEST attacks or similar | have been used spy on citizens ever now. | jimbob45 wrote: | Fine, make a Faraday cage around the PC. Are you happy now?
| fsflover wrote: | Not enough: https://news.ycombinator.com/item?id=24919589 | [deleted] | shirakawasuna wrote: | I tend to repeat these types of concerns: the number of | powerful and complex black boxes is increasing, with | things like 5G making it even easier to low-key pass | information without us knowing. | | A common counterargument comes up when discussing devices | like smart speakers. Defenders say that the devices are too | low-power and that we would be able to notice power usage | changes and sniff network data being sent if spying were | happening. IMO, this is true to an extent, but also any | onboard preconfigured recognition of certain products could | easily send info back to, say, Amazon servers and you | wouldn't be able to distinguish it from a "false positive" | question to "Alexa". Knowing the extent to which these | capabilities are plausible and/or would have been caught by | now if they existed is, to me, murky. | | This also applies to on-board chips and wireless data. | Would we not notice from power usage and sniffing? | aborsy wrote: | Stuxnet is interesting. Apparently, the US and Israeli | agents threw away a number of USB devices around target | facilities. What do you do when you find a USB stick? Well, | eventually someone working in an air gapped facility picked | up one and used it inside. | | The NSA apparently perfectly aligned 4 zero days in | Siemens and Microsoft products to spread the malware from | USB into the Iranian LAN (shared printers, industrial PICs | etc). | | The fact that they could choose and align 4 zero days | indicates that the NSA probably has a large list of zero | days. | thisisnico wrote: | I agree. I'm sure the level this organization operates | at utilizes teams of their own vulnerability researchers | to provide themselves with the ability to create new and | novel zero-day exploits that are not-disclosed to the big | players. This is Internet warfare.
| pilsetnieks wrote: | You know, I've heard so many variations of those "USB | drives in the parking lot" stories, I wonder if that | isn't a cover for something else. Or maybe just someone | covering their asses and not willing to take blame for | something else. | | "USB drives in the parking lot" could be the tech | industry's Korean fan death. | Darkphibre wrote: | > In one test of how well a USB scam can work, Trustwave | planted five USB drives decorated with the targeted | company's logos in the vicinity of the organization's | building. Two of the five "lost & found" drives were | opened at the organization. One of the openings even | enabled the researchers to glimpse software employed to | control the organization's physical security. | https://www.redteamsecure.com/blog/usb-drop-attacks-the-dang... | | They are used to great effect in pentesting. I think it's | natural to see a drive and think "Oh no, I need to get | this back to a coworker." | russh wrote: | I have a friend who does pentesting and she collects many | cool and interesting looking usb flash drives for this | very purpose. She says "60% of the time, it works every | time." | bayindirh wrote: | It's more nuanced than that. Didn't read the book | completely but read a long report. What I remember: | | - They got exact hardware details and topology of the | centrifuges somehow. | | - They've stolen Realtek's driver signing keys. | | - The virus looks like a simple worm which can infect | other USB devices and doesn't unpack beyond a certain | point if it can't find the SCADA equipment and the | correct device ID & topology (It's like a homing cruise | missile which looks like an RC plane from distance until | it finds its target). | | It's possibly the most sophisticated hacking campaign | when social and technical aspects combined. | parliament32 wrote: | Morality aside, the whole system was a work of art. | firmnoodle wrote: | > - They've stolen Realtek's driver signing keys.
| | I have been to Realtek's offices in Hsinchu many times. | While the other efforts may have taken major resources I | don't think getting their private keys would have been | hard at all. Especially back then. IMHO the building and | some people could be easily compromised and I suspect | they didn't really care much about security. | nickbauman wrote: | The hardware-software combination that was used to | compromise the Iranian nuclear facilities was amazingly | old and primitive, though. It truly was a weak link that | I cannot fathom how this wasn't upgraded looong before. I | mean, I guess it just didn't matter that much, after all, | it's _only a uranium enrichment facility, after all._ | What could possibly go wrong? | wh1t3n01s3 wrote: | If anyone is interested in this, or wanna refresh your | memory, you should watch the docufilm Zero Days (2016) by | Alex Gibney (most of his 'movies' are quite interesting) | | https://www.imdb.com/title/tt5446858/ | colejohnson66 wrote: | Book? | peteretep wrote: | > It's possibly the most sophisticated hacking campaign | when social and technical aspects combined. | | It's the most sophisticated one _we know of_ | nostoc wrote: | And it's 10 years old now... | bdamm wrote: | Frankly I expect basically all computers are compromised | at this point. | [deleted] | fsflover wrote: | > - Your Intel system runs a special version of Minix on | its Management Engine. A version of Minix customized for | Intel by its original developer | | Not on all systems. It's neutralized and disabled on my | Librem 15: https://puri.sm/learn/intel-me/. | pulse7 wrote: | When Russian hackers discovered and started using Intel | ME backdoor Intel immediately published (already | prepared?) instructions on how to disable it... | octoberfranklin wrote: | Please stop posting this disinformation. | frickinLasers wrote: | > - Your Intel system runs a special version of Minix on | its Management Engine.
A version of Minix customized for | Intel by its original developer. | | I hear a lot about Intel's ME, but not much about AMD's | PSP. I assume it's just as bad. At least we know how to | hobble the ME. | octoberfranklin wrote: | > At least we know how to hobble the ME. | | No, we just _think_ we know how to hobble the ME. | jcims wrote: | Here's a hobby-grade GSM modem dev board you can add to any | 'offline' device for $40. | | https://www.adafruit.com/product/1946 | squarefoot wrote: | There are cheaper alternatives. A basic SIM800 based | board can cost just above $3 on Ebay, probably less on | Aliexpress, or less than $10 for a similar one with | Raspberry PI compatible connections (useable with other | systems as well). Also interesting is the SIM7600 module | which supports 4G LTE down to GSM plus GPS. Also | available in Mini PCI-E boards. | | https://www.ebay.com/itm/191879410081 | | https://www.ebay.com/itm/292237166116 | | https://www.ebay.com/itm/293802495042 | jcims wrote: | Dang I might have to order some, thanks! | autumn_unlaces wrote: | Have you heard of Stuxnet? | Tistel wrote: | They say it's for large scale cloud management, but, think of | worst case scenario: | | https://www.zdnet.com/article/minix-intels-hidden-in-chip-op... | | It seems like a massive waste of chip transistors and R&D with | limited gain. The hidden minix OS runs at a higher privilege than | your host OS. Even if your data is encrypted, any time you | decrypt locally, they can see it. I get it, they are looking for | bad guys, what if the bad guys take over? There will be nowhere | to hide. Yes, I am wearing a tinfoil hat. | remote_phone wrote: | I have a friend that works for a chip company and he said he | couldn't get into details but the amount of back doors in | communication companies and in chips would scare the shit out of | me. | pbhjpbhj wrote: | This anecdote seems consistent with basically all router-modems | having hidden root accounts.
I'm not sure if the claim as | written necessarily goes beyond that. | dboreham wrote: | I question this. Actually I'm going to assert this is only true | if your friend is referring to hidden back doors that he | believes exist. I don't believe any employee of a chip company | is aware of a back door knowingly added to their own product | (with one exception see below). | | I say this because NSA seems more clever than that, and because | any scheme to explicitly add back doors is bound to be | eventually exposed. | | Instead they do things like have their former employees and | contractors hired into tech companies, and those folks add | innocuous bugs that can plausibly be denied as back doors. Also | I bet they look for bugs that can be used as back doors, given | access to source code and chip design data, then fail to fix | them. | mschuster91 wrote: | > I don't believe any employee of a chip company is aware of | a back door knowingly added to their own product (with one | exception see below). | | Most if not all ICs above a certain intelligence level have | JTAG, which effectively is a backdoor. All you now need is | (for those chips that support it, in the first place...) a | way to bypass the OTP fuses "preventing" JTAG access - this | kind of vulnerability turns out often enough to be saying | it's commonplace. | pjc50 wrote: | Counterpoint: I actually do work at a chip company and have | never heard of any of this internally. Even from the people | working on secure biometrics. | | Neither of these anecdotes proves anything. | dylan604 wrote: | The first rule of fight club is you do not talk about fight | club. If a chip company was placing back doors into their | products, I doubt it would be something they would talk about | around the water cooler. However, if a back door was | implemented on this level, if someone broke rule #1 and rule | #2 of fight club, then I don't see how it would be able to be | kept quiet after that.
| duxup wrote: | So we only believe people who claim something is happening | with no proof ... because anyone who doesn't see it | happening just isn't in the special circle of folks doing | it? | dylan604 wrote: | what are you on about? if nobody in the know talks, how | does anyone find out about it? if people are talking | about it, then anyone with any know-how will start to | investigate. if you choose to believe something someone | tells you with no proof, then that's on you. claiming we | do the same thing is a broad brush that i'm not getting | painted on by thank you very much | duxup wrote: | I don't understand what you're saying. | | We had one anecdote saying a thing is happening, the | second from someone who says it isn't. Your post seemed | to indicate that the second post isn't true because maybe | that person just doesn't know about it. | | That seems to refute the second and assume the first is | true. | VRay wrote: | Isn't telling people about this sort of backdoor the sort | of thing that could cause you to commit suicide with | multiple gunshot wounds to the back of your head? I don't | think any anecdotal evidence one way or the other is | worth considering | boomboomsubban wrote: | >Three former senior intelligence agency figures told Reuters | that the NSA now requires that before a back door is sought, the | agency must weigh the potential fallout and arrange for some kind | of warning if the back door gets discovered and manipulated by | adversaries. | | Meaning that before, they were free to plant as many back doors | as they pleased without any concern for the consequences. And | even now, they just need to think about it a bit and warn | somebody, no idea who they tell, if they notice it being used. | | >NSA now asserts that it cannot locate this document | | This is fairly clear proof of either corruption or complete | incompetence. 
| duxup wrote: | "Meaning that before, they were free to plant as many back | doors as they pleased without any concern for the | consequences." | | Kinda. There apparently is some approval process and such but | I'm not sure everyone at the agency was able to make such | requests in the first place... | | I'm with your gist, I'm just not sure we know how widespread it | really was. I'm not inclined to agree that it must have been | ultra widespread. | boomboomsubban wrote: | We know that just one of the NSA's related programs, Bullrun, | had a budget of $250 million a year from 2011. And by their | own admission this gave them access to "vast amounts of | encrypted Internet data which have up till now been discarded | are now exploitable". Further, their reports mention much | more activity that Snowden did not have clearance for. | | We don't know the full extent of their activities, but it | clearly far surpassed what should be tolerable. | orangepanda wrote: | Y'all reading into it too much. They're under no obligation to | tell the truth. Might as well have said "there's no backdoors" but | that's not a PR happy answer. | pbhjpbhj wrote: | Doesn't having a Congress that can't demand the truth by force | of law (ie create an obligation; they of course won't | necessarily get the truth) mean that you're no longer a | democracy? I mean starkly that's an indication that rule of law | no longer stands. | crtasm wrote: | Off topic: anyone know why Reuters always 404s when I click on a | link to it in Tor Browser? Desktop and Android. | charliebrownau wrote: | Government + Central Banks + Corporations ARE THE PROBLEM, never | the solution | duxup wrote: | I would expect they do, and I'm not entirely against it depending | on the circumstances around it and so forth.
| | To me a 'back door' could range from 'don't fix that bug for a | week' to 'push this update to this user' to some absurd 'hey can | you add this remote desktop client to your code, the password has | to be 1234'. | | By no means is it a light thing to do but I do believe there is a | range of actions that would constitute a 'back door' to me. | | Granted I'm all for more congressional oversight and I'd like to | see MUCH more aggressive congressional action. | programbreeding wrote: | The problem with your first and third examples is that it | leaves it open and vulnerable to anyone other than the NSA. | Like if a "backdoor" is left open for encryption, as soon as | it's discovered then that door is open to anyone. | | The problem with your second example, targeting a specific | user, is that they're doing this without any kind of warrant. | duxup wrote: | I completely agree on all points. | seibelj wrote: | Operate under the assumption that government is reading all of | your text messages, internet history, payment history, and phone | calls. Then when you need privacy, enhance as needed. Even if | privacy technologies like VPN or Tor are compromised, the | government is less likely to reveal in order to keep the fact | they can do it secret. Good luck out there! It's an unfair and | scary world, once you try to do anything non-conformist. | fsflover wrote: | No, you should try to have privacy at all times. Otherwise | those who really need it will be in the minority and easily | hacked. | goatinaboat wrote: | _Even if privacy technologies like VPN or Tor are compromised, | the government is less likely to reveal in order to keep the | fact they can do it secret_ | | That is what parallel construction exists for. Also known as | fruit of the poisoned tree. | dariosalvi78 wrote: | I thought the problem was Huawei... | jdndbfbf wrote: | The director of the NSA lied while under oath to congress, and | nothing happened. 
As far as I'm concerned, what 3 letter agencies | say publicly is irrelevant. | Liquix wrote: | It's an interesting case of cognitive dissonance. Most will | admit when pressed a bit that the CIA/NSA/FBI do not have our | best interests at heart and are out of control. They have | repeatedly lied under oath, lied to congress, lied to the | public, run human experiments on unwitting citizens, collect | data on all of us, etc with complete impunity. | | However many people somehow simultaneously hold the belief that | these agencies should continue to exist, are deserving of our | taxpayer dollars, and are generally Good Guys who happen to do | bad things sometimes. Perhaps it's just too exhausting to | consider the extent of corruption in the USA. | pjc50 wrote: | > Perhaps it's just too exhausting to consider the extent of | corruption in the USA. | | Abolish the (secret) police? | | It's basically the same debate; people need to feel that the | threat from the "protectors" is greater than the threat they | are allegedly protecting against before something gets done. | And, realistically, being spied on by the CIA is fairly low | down the average person's list of problems. Even the citizens | who are most directly threatened by American policing would | prefer dealing with the immediate threat of street violence | and gunshot murders by the police than the distant, nebulous | threat of the CIA plane over the protests. | | Having your _candidate_ spied on by the CIA, FSB, Met police, | or Jim-Bob's Laptop Repair Shop is more of a problem. | hedgedoops2 wrote: | While the threat (expressed as P(harm)*harm) from XYAgency | surveillance is low or medium, the unmitigated threat from | the things their surveillance practices protect against - | namely, terrorism - is also low. The mitigation effect is | lower still.
| | Objectively, even in 2001 terrorism was a negligible risk | compared to everyday risks, and subjectively, there hasn't | been a major terrorist attack for years. The only reason | mass surveillance exists is a rationale by the US state | that "more power is good". This may apply to the US army, | but not to the spies. | | Also, like you say, once the american spies start to (pun | intended) "Interfere in american elections", then the | problem affects everybody with P=1. Personally I could live | with it if trump were the only candidate they work against, | but if they do it to trump, they likely do it to others. (I | see no evidence of interference or other abuse of collected | data currently, but I think it's dangerous to give them the | power to collect all this info that can in principle be | abused for selective prosecution and/or blackmail). | | Also, it affects not just politicians, but also corporate | execs, who can be further pressured using the other means | of the state, and who themselves have power the state can | deputize. | | A democracy should have the surveillance powers that are | proportionate to the benefit from these powers and no more. | There is a positive value in minimizing state surveillance | power; this concept seems lost on america. (In fairness, it | seems lost on conservative parties worldwide.) | bulletsvshumans wrote: | I think it's clear that they are out of control, from the | examples you list among others. The harder argument is that | they're not doing it in our best interest. Without good | visibility into their activities (which could very well | inhibit those activities), it's hard to tell which of their | activities are a net benefit to our country. | | My guess is that most Americans would expect that they | sometimes do things that aren't legal, but that generally | they are at least intending to do it with the best interest | of our country in mind.
That second part is the primary | reason why they aren't being wholesale shut down, and why | they're able to get away with things like lying to congress. | 542354234235 wrote: | > The harder argument is that they're not doing it in our | best interest. | | I disagree. I think they absolutely _believe_ they are | doing what is best for the country, but without actual | accountability and meaningful outside oversight and input, | I would say it is far more likely they have become | myopically focused. That they are unable to accurately | judge or weigh the effects of persistent surveillance | against one's own citizens and how that negatively impacts | a free and open democracy and a government that feels | accountable to its citizens, vs their own very skewed | perspective of looking at nothing but "threats" and | thinking about nothing but threats, and planning for | nothing but threats. The "everything is a nail to a hammer" | saying comes to mind. | craftinator wrote: | > That second part is the primary reason why they aren't | being wholesale shut down | | Two thoughts: | | 1) Even if most Americans decided they needed to be shut | down, how would we enact that? It seems to me there are | very few people who have that power, and even if a great | majority of us wanted it, we have no way to enact it (and | no way of knowing if it was actually enacted; we could be | told it had been done, but that could easily be an | inscrutable lie) | | 2) If they were actually shut down, what would the people | who worked there do? Highly intelligent, skilled, with low | morals, used to performing nefarious activities; they would | go on to be in shadow NGOs, organized crime, reform under | other names, etc. | mindslight wrote: | > _If they were actually shut down, what would the people | who worked there do?_ | | Prison time, like any other criminal enterprise. | 542354234235 wrote: | This is kind of ridiculous. 
These are high level | conflicts between equally valid government entities about | how they should operate as well as nebulous questions on | how constitutional law applies. I would assume there are | legal memos, signed authorizations, etc. for what is | going on. We could argue that secret authorizations for | these kinds of things shouldn't exist, but the fact is | they do. If the president authorizes something, and years | later, a court decides this action was unconstitutional, | the employees are not criminally responsible. This isn't | a Nuremberg trial situation where crimes against humanity | are committed under the guise of "just following orders". | This is a case of following orders because the best legal | experts cannot 100% agree on constitutional law and how | it applies to different circumstances and different | powers given to the various branches of government. | mindslight wrote: | The straightforward way to eliminate the ambiguity is to | submit the programs to democratic oversight, including by | The People. But instead they've worked hard to do the | exact opposite, going so far as to blatantly lie to | congress. This points to a criminal conspiracy, | regardless of how many employees are working to craft | dubious legal justifications. Usually criminals don't get | to just say "my bad" and walk away after being caught, | and I don't see why higher crimes should carry less | punishment. | dylan604 wrote: | To be fair, Clapper did come back for a follow up, and | basically said, "oops, looks like I was wrong." That's it. | Congress didn't push back, and thanked him for his service. So | looks like Congress is complicit as well. | sonotathrowaway wrote: | Clapper was forced to issue a retraction after Snowden leaked | material showing he perjured himself. He defended his then | answer as the "least untruthful answer" he could give, maybe | that's a term of art in intelligence when you intentionally | suborn oversight.
| markus_zhang wrote: | That's pretty much part of their job. | | Their mindset: we own the United States of America, and the | rest of you are just sheep. We are doing shepherd's job and you | don't need to understand it. We are doing wolf's job because | there are wolves at the gate so we better fight back with | bigger teeth. We the people do not include your ordinary sheep, | and only the privileged ones are "people". | babesh wrote: | So the US was exposed for doing what it accused China of doing. | stonepresto wrote: | Root everything. FOSS all the things. Tear everything apart. | | There will always be a BBEG, no matter what part of the world you | are in or what sort of government you live under. | | You are the only one who acts in your best interest. | jankiehodgpodge wrote: | For most people, rooting makes them less secure not more. It | all depends on who you're securing against. | stonepresto wrote: | That's certainly fair, especially if the password is then set | to some variation of "password"... | | Although for some devices if you can root it, you probably | also know methods of securing it. | lucb1e wrote: | Rooting a device does not enable setting a password for it. | You can host sshd without root, or host sshd but disable | root login. Rooting and setting a password, or opening | remote command channels for that matter, are separate | things. Root allows you to shoot yourself in the foot more | than you could otherwise, but you do need to pull the | trigger. | | The default root methods just enable apps to request root, | after which the user gets a prompt. It's like the camera, | microphone, or any other special permission. | [deleted] | fsflover wrote: | > You are the only one who acts in your best interest. | | No, you aren't. And it's impossible to do everything alone. 
| | https://news.ycombinator.com/item?id=24881988 | stonepresto wrote: | I agree with the second part of your statement, but I think | being alone in acting in your own best interest still holds. | Good projects such as those are a result of many similarly | aligned self-interests. | | I'll admit I was being a bit dramatic, and as you have | pointed out it's certainly more complex than a single | sentence. I was trying to highlight that blindly trusting | another human or organization can leave you vulnerable. | Gaelan wrote: | @dang Can we change the title to include "NSA"? It's silly that | the headline doesn't say which spy agency. | c54 wrote: | Thought this was an article about ducks who are spies[0]... too | bad. | | [0] eg http://agentyduck.blogspot.com/ | Threeve303 wrote: | Spy agency denies performing main purpose for existing. | netsec_burn wrote: | Reminds me of one of my favorite comments on HN (when the NSA | discouraged quickly adopting post-quantum cryptography): | https://news.ycombinator.com/item?id=21587571 | x87678r wrote: | I always assumed there would be insecurities in everything you | buy and if there weren't backdoors it was normal for spooks in | various nations to be able to crack it sooner or later. Using | cloud services makes this even more likely. Does anyone really | think they are 100% safe? | haydonchurchill wrote: | Does anyone really believe that they don't add backdoors? If it's | a major tech / internet business, they require access to a | backdoor. | ChuckNorris89 wrote: | Is anyone actually surprised of a _" we can neither confirm nor | deny"_ type of answer coming from intelligence agencies? | matthewdgreen wrote: | Yes. After the Snowden leaks and Shadowbrokers/Vault7/WannaCry | disasters, the agencies put a lot of effort into reassuring the | public that US technology was trustworthy. 
This included things | like making public the Vulnerabilities Equities Process [1], | and other work to restore trust in cryptographic standards | agencies like NIST [2]. It also included more public engagement | with industry to report serious vulnerabilities [3]. | | The intelligence community didn't open up like this because | they wanted to be nice. They did it because there was a very | real concern that US industry would be damaged in the eyes of | global consumers -- primarily as a result of our intelligence | agencies being too aggressive and, frankly, being sloppy. | (It's bad enough to pay for and hoard backdoors, it's another | thing entirely when those backdoors are repeatedly stolen and | leaked for bad actors to use.) | | I guess the news here is that the NSA didn't learn very much | from these episodes, or at least, it no longer feels like it | needs to repair the damage. | | [1] | https://en.wikipedia.org/wiki/Vulnerabilities_Equities_Proce... | [2] | https://www.nist.gov/system/files/documents/2017/05/09/VCAT-... | [3] https://www.thesslstore.com/blog/nsa-microsoft-releases-patc... | nerdponx wrote: | _I guess the news here is that the NSA didn't learn very | much from these episodes, or at least, it no longer feels | like it needs to repair the damage._ | | This seems to be a common thread in American political | corruption. After a certain point, the public just doesn't | remember or can't be bothered to care or feels powerless to | do anything. Then you can basically do whatever you want as | long as you stay quiet enough to avoid another wave of media | outrage. | dmurray wrote: | Couldn't they just have said "no we have no backdoors"? NSA | would look good, Congress would look good for asking the | tough questions. When eventually new evidence comes to light | that they do have backdoors, they have the choice then | between continuing to deny deny deny, or pointing to national | security interests.
| ChuckNorris89 wrote: | _> Couldn't they just have said "no we have no backdoors"?_ | | No, because once their backdoors are (inevitably) going to | be found/leaked, they'll come off as liars. Plus, if they | would have said no, nobody would buy that or would think | they're asleep at the wheel. | kube-system wrote: | Lying to Congress is also a crime, punishable by prison | time. | atty wrote: | I can't tell from this - is Wyden also against back doors for the | purpose of FBI/law enforcement use? | boomboomsubban wrote: | Quote from Wyden in the article | | >Secret encryption back doors are a threat to national security | and the safety of our families - it's only a matter of time | before foreign hackers or criminals exploit them in ways that | undermine American national security | pulse7 wrote: | In other words: NSA paved the way for foreign hackers and | criminals... | duxup wrote: | It's certainly possible, but I suspect just traditional | bugs and poor software is more likely the cause for such | events. | | Software / hardware industry is PLENTY good at paving the | way all on its own. | boomboomsubban wrote: | The article presents an example where we basically know | that it happened with Juniper Networks. | | As you say, the hardware/software industries have enough | difficulties with security acting on their own. They | don't need the NSA purposely making more holes. | pulse7 wrote: | Maybe they "need" many such "holes" (which are treated as | "bugs") just to make sure that if they disable some of | those "holes" (because hackers/public found it out) they | still have others ready for the same purpose... | bitxbitxbitcoin wrote: | And likewise, foreign hackers and criminals may have paved | the way for the NSA - which is considered a foreign hacker | and criminal in other jurisdictions. | AndrewUnmuted wrote: | He was the one who got James Clapper to lie and state to | Congress that he was "not wittingly" collecting American phone | records in bulk.
Though I do not believe he has ever come out | and explicitly stated his views on the matter, his actions do | suggest that he is against backdoors in all circumstances. | | EDIT: Another reply has provided a quote that shows Wyden's | views on backdoors. He appears pretty strongly against them. | ChrisMarshallNY wrote: | Wyden is great. | | The big issue with backdoors, is that it's only a matter of time, | before they become "front doors." | | Presented for your approval. Imagine, if you will, a software | engineer; probably based in the US, that writes a backdoor into | equipment used to manage a banking transaction network. This is a | fairly natural place to have it, as "follow the money" is a | classic forensic technique. | | Of course, access to this network could net nefarious (probably | non-state) actors a _lot_ of money. | | Said software engineer suddenly quits and buys a Bugatti. | | The back door is now a front door, and it's baked into some | hardware that can't easily be changed, as no one trusts the | patches, now. | staplers wrote: | is that it's only a matter of time, before they become "front | doors." | | Look no further than Plaid banking service. They collect your | banking login information. I guarantee there are blanket | warrants to monitor accounts from multiple agencies. | xxpor wrote: | You don't even need a warrant for that. SARs are a thing. It | could potentially even be considered business records, which | are just subject to a subpoena, not a warrant. The police | have been able to request phone records since forever. | | https://en.wikipedia.org/wiki/Third-party_doctrine | FerretFred wrote: | > ..arrange for some kind of warning if the back door gets | discovered and manipulated by adversaries | | "Hello Support? My computer just popped up a message to say that | a bad actor has taken over my computer; should I reboot it?" ___________________________________________________________________ (page generated 2020-10-28 23:00 UTC)