[HN Gopher] Snowden leak: Cavium networking hardware may contain...
___________________________________________________________________
Snowden leak: Cavium networking hardware may contain NSA backdoor
Author : moyix
Score : 824 points
Date : 2023-09-19 14:24 UTC (8 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| minzi wrote:
| I don't know much about security, especially at the hardware
| level. However, I have a question for those of you that do.
|
| Suppose you were given a healthy budget, a team, and a few years.
| Would you be able to build network hardware that did not contain
| back doors? How healthy would the budget need to be? How skilled
| would the team need to be? I assume you'd have to assume most
| external vendors are compromised and rebuild whatever you needed
| from them. What would that take?
| 6d6b73 wrote:
| Impossible. Sooner or later one of the 3 letter agencies would
| have somebody on your team and they would introduce multiple
| backdoors one way or another.
| c7DJTLrn wrote:
| I don't think it would be that hard. There's RISC-V SBCs out
| there which the schematics are open for. I don't think it's
| correct to assume absolutely everything out there is
| backdoored/compromised. That would be an very difficult
| undertaking and word would get out. NSA target their attacks
| very finely.
| wnevets wrote:
| Snowden also said Russia wasn't going to invade Ukraine in 2022.
| robbywashere_ wrote:
| cmd+F lawsuit 0 results?
| xyst wrote:
| Is this only limited to "USG" products? Or safe to assume UDM
| also impacted?
|
| edit: FUCK
|
| " Quad-core ARM(r) Cortex(r)-A57 at 1.7 GHz"
|
| https://store.ui.com/us/en/pro/category/all-unifi-gateway-co...
|
| People paying premium $$$ for this. UI better redesign and
| compensate users.
| dna_polymerase wrote:
| Cavium provides purpose-built chips used for the ER & USG
| products. The UDM line uses ARM chips, most likely built by
| Annapurna labs.
| whalesalad wrote:
| my edgerouter ER4 has a cavium processor =(
| tamimio wrote:
| Not even surprised, how would it be a surprise? Anyone in
| security field knows that hardware backdoors or even server OS
| memory injected backdoors are a thing and been for as long as
| electronics existed, but some neo-security folks get upset when
| you say most of the "secure" software they use isn't really
| secure, chats like signal, emails like protonmail, or even VPNs,
| assume it's compromised, but will it be worth it to expose that
| cover for what you did?
| squarefoot wrote:
| When I buy something electronic, my approach is "everything that
| is closed and goes online will be used to spy on people". It may
| seem a stretch, but governments can't exercise power over
| something they cannot control, and truly private communications
| would take away some of that control. To me there are no
| conspiracy theories or other strange reasons for being able to
| decrypt any seemingly private information except the will to
| preserve the status quo at any cost, which implies knowing in
| advance what a potential adversary may think or do. I would
| expect every device to be bugged for that reason, including all
| cellphones and computers and associated hardware, from CPUs with
| closed subsystems down to network chipsets with closed firmware.
| There will be no way to ensure private communications until
| someone will find a way to make a device which is 100% open and
| auditable from the operating system to the CPU, from all chipsets
| down to the last screw.
| iballing wrote:
| "100% open and auditable from the operating system to the cpu"
| is the main goal of the Betrusted project:
| https://betrusted.io/
| ramesh31 wrote:
| >"100% open and auditable from the operating system to the
| cpu" is the main goal of the Betrusted project:
| https://betrusted.io/
|
| Hopefully there's a 4G version coming. This seems too good to
| be true.
| RF_Savage wrote:
| The 4G modem is exceedingly unlikely to be audittable.
| Something like srsUE is not welcome on many telcos networks
| and requires some decently beefy hardware to run.
| 0xCMP wrote:
| It's possible to modify it and add a 4G modem, but that
| would probably be third-party.
|
| The creators of the project suggest using your phone's
| hotspot if you need connectivity when not connected to Wi-
| fi (something I heard in interviews they gave).
| Fnoord wrote:
| Which seems to be an iteration of the Precursor (Mobile, Open
| Hardware, RISC-V System-on-Chip (SoC) Development Kit) by
| Bunnie Huang and Sean Cobs
|
| > Part of the purpose of Precursor is to validate the system-
| on-chip (SoC) design we hope eventually to produce as a
| custom ASIC for use in future such products. This SoC, which
| we call "Betrusted-SoC," is meant to be the central pillar of
| security for devices like Precursor. The version of
| Betrusted-SoC used in Precursor is based on a Xilinx FPGA and
| has the following features [...] [1]
|
| As for the person who replied to you requesting LTE: won't
| happen, there's no completely FOSS stack for LTE. Always
| there is closed source firmware due to regulations. Oh, that
| wonderful world of transceivers. If you want FOSS, go wired.
| Tho it seems Precursor found a way to utilize Wi-Fi with a
| FOSS stack?
|
| [1] https://www.crowdsupply.com/sutajio-kosagi/precursor
| archontes wrote:
| It's clear that they feel that way also. The engineer Andreas
| Spiess recently appeared in a briefing on dangerous, anarchy-
| enabling technologies simply for making a youtube video on an
| encrypted messaging protocol over lora mesh networking.
|
| They're carefully watching and cataloging any communications
| technology they can't compromise.
| madars wrote:
| Which briefing was that? Edit: it appears to be this
| https://networkcontagion.us/wp-content/uploads/NCRI-White-
| Pa... ("Network-Enabled Anarchy: How Militant Anarcho-
| Socialist Networks Use Social Media to Instigate Widespread
| Violence Against Political Opponents and Law Enforcement" via
| https://www.youtube.com/watch?v=EAQI2ZSmxPU; thanks to a
| sibling comment)
| SamPatt wrote:
| The guy with the Swiss accent?
|
| What's your source on this?
| dariosalvi78 wrote:
| https://www.youtube.com/watch?v=EAQI2ZSmxPU
| lawlessone wrote:
| TBF that same tech would probably be great for them or
| militaries to have.
| dkqmduems wrote:
| Well advertising is a form of psychological warfare.
| dfc wrote:
| The guy's video was linked to from /r/SocialistRA and a
| screenshot of the link was included in a paper about "How
| Militant Anarcho-Socialist Networks Use Social Media to
| Instigate Widespread Violence Against Political Opponents and
| Law Enforcement." The paper never mentioned Spiess or
| meshtastic. What are we supposed to infer from that?
| s3p wrote:
| It's also hard to distinguish between legitimate security
| threats and scare tactics designed to make us _think_ we 're
| in danger. Remember the Bloomberg Supermicro "bombshell"[0]?
| I still don't know if that was ever confirmed true or false,
| but to my knowledge Bloomberg never retracted it.
|
| [0] https://www.theregister.com/2021/02/12/supermicro_bloombe
| rg_...
| Lammy wrote:
| I still believe it. Wouldn't surprise me if ASPEED were a
| "SIGINT enabled" vendor as well. It would be foolish _not_
| to target the most widespread BMC platform.
| mk89 wrote:
| If that is the case they are doing a pretty s** job spying on
| people, considering the amount of harm being done to children
| (and people in general).
| irreticent wrote:
| I wouldn't say they are doing a bad job spying on people for
| that reason; I think it's more likely that the reason they
| are spying is not to help children/people but rather to
| strengthen their control over the people. Knowledge is power
| and they want to be more powerful than everyone else. I've
| always assumed that the spying wasn't altruistic but more for
| selfish reasons.
| eastbound wrote:
| This. All of this spying, not even being used for security
| ever, ie their goal might as well be general insecurity. It
| feels like their goal is the stability of the social layers,
| no or rare promotion, and maximum impermeability for the
| masses.
| wombat-man wrote:
| For sure, but since a state has basically unlimited resources
| to find vulnerabilities, I'd assume it's possible for state
| actors to reach a target if they are determined enough.
|
| Might as well make it difficult though.
| tromp wrote:
| If I want to do some computation that should not be spied on, I
| can still program it in BASIC on my Sinclair ZX Spectrum. If it
| doesn't fit in its measly 48KB of RAM, I'm probably still safe
| programming it on my Commodore Amiga 500.
|
| Basically, you can only trust things manufactured before "going
| online" became a thing.
| fallat wrote:
| or you know, just don't connect your computer online.
| doublerabbit wrote:
| And ensure it's not by any windows, the case HD LED doesn't
| blink nor does the FAN make any noise.
| tromp wrote:
| Both these computers were fan-less, like nearly all hobby
| computers at the time (clockspeeds were single digit
| Mhz). The Amiga only had a floppy disk drive.
| TacticalCoder wrote:
| Hardware and software backdoors does scale.
|
| Data exfiltration through audio / fan speed / LEDs
| blinking / power draw / etc. simply doesn't.
|
| I think that a discussion about metric shitloads of
| networking gear being compromised is not the place to
| make fun of the few that didn't compromise on security.
|
| There's a place for offline/airgapped devices and private
| keys (PGP keys, seeds, whatever) being generated by
| throwing dice.
|
| If anything all these backdoors do show that
| math/cryptography do work. The NSA's budget may be 100%
| of the US GDP, they still wouldn't be changing Sun's
| gravity or the math behind cryptography.
|
| The joke today is on those who kept making fun of those
| who didn't trade security for convenience.
| 13of40 wrote:
| "If it's technically possible, they're doing it."
|
| It's their job.
| dizhn wrote:
| If it exists, they're buying it. (States)
| AndrewKemendo wrote:
| This is the right approach IMO.
|
| Just assume you're being persistently surveilled - if you use a
| computer or electronics then the likelihood approaches 100%
| over your lifetime.
| phito wrote:
| I try to have this approach, but I find it so exhausting tbh.
| It makes me want to just not use technology.
| flangola7 wrote:
| If you have to take this approach they have already won
| AndrewKemendo wrote:
| You are correct, "they" have won so far unfortunately
|
| Doesn't mean we don't do anything about it, just means we
| have to acknowledge reality
| mbakke wrote:
| I generally hold a similar opinion. However I have two data
| points that suggests back-doors are not available _by default_
| (for my government at least), but that they are aggressively
| bugging (or auditing, lol) devices:
|
| * When I ordered the first generation Raspberry Pi, they were
| stuck in the toll a long time, and when they arrived all the
| warranty seals were broken. Consequently I never really used
| them.
|
| * When I ordered the first generation Google Pixel, before it
| was generally available in my country, it was stuck in domestic
| mail for almost a week. The person who imported them sold and
| sent two phones the same day: the other one arrived after just
| two days and travelled a lot further. I used it regardless as I
| already considered phones a lost cause... (and could not with
| good conscience sell a possibly compromised device).
|
| At this point I don't trust anything sent by mail.
| TheRealDunkirk wrote:
| You act like the NSA has been caught intercepting Cisco
| switches during shipping, and installing backdoored firmware,
| or something. Crazy conspiracy theorists...
| ilyt wrote:
| I just assume I'm not interested enough to be spied upon by
| randoms
|
| > When I ordered the first generation Raspberry Pi, they were
| stuck in the toll a long time, and when they arrived all the
| warranty seals were broken. Consequently I never really used
| them.
|
| If state have means to bug raspberry pi it has means to re-
| seal the box...
| backtoyoujim wrote:
| unless they wanted you to know and feel threatened by it
| phero_cnstrcts wrote:
| > I just assume I'm not interested enough to be spied upon
| by randoms
|
| I believe the fewest are. But constant surveillance is an
| advantage if you need to monitor general opinions or if
| they find you interesting at a later point and want to
| check your history.
|
| So if you talk about burning wood in your stove a lot and
| it later becomes illegal you might have a hard time denying
| you have a stove if they ask you to pay extra carbon
| emission taxes.
|
| Or if you talk about chest pain a lot and later want to get
| a new health insurance you might find that your options are
| mysteriously more expensive than others.
| mbakke wrote:
| > If state have means to bug raspberry pi it has means to
| re-seal the box...
|
| That's a good point that I never made sense of. The most
| likely explanation is simply an oversealouz toll agent. It
| just left a bad taste in my mouth so I didn't want to play
| with them...
|
| I had largely forgotten about it until the Google Pixel got
| stuck.
| 31337Logic wrote:
| Wow. This is massive!!
| I_am_tiberius wrote:
| And people still believe Apple is secure because they say
| themselves. "Nobody" knows what their devices do in reality.
| shoe_meal wrote:
| This is a fascinating revelation for those of us NSA-spotters who
| enjoy hearing tidbits about what they've been up to.
|
| I would love to know more about the technical details of this
| backdoor and how it was used operationally. Though I doubt any of
| us in the general public will ever get to find that out. As
| amazing (and necessary!) as the NSA's work is, luckily for our
| country's safety and security there have been no further Snowdens
| treacherously spilling all the secrets.
|
| To be honest, I am so impressed and humbled by what this
| magnificent agency does that maybe it is time to apply to join
| their important mission, at https://nsa.gov/careers.
| ech0riginal wrote:
| Y'all really need to work on your finesse.
| jdblair wrote:
| Help me out here:
|
| if my network hardware is compromised, but all of my
| communication is encrypted, that leaves... traffic analysis?
| hoovering up the data and storing it to decrypt in the future
| when it becomes feasible? using the router as a foothold to
| attack the rest of my network?
|
| The first two are already happening for data that leaves my LAN.
| Unencrypted data on my LAN is vulnerable, and there is plenty of
| unencrypted traffic on my LAN in practice. Is that the risk?
| jdblair wrote:
| still thinking... if the three-letter-agency has compromised
| the random number generator, then that means all traffic
| encrypted by the router may be easier to crack.
|
| What data is encrypted on the router? VPNs, for one. So a VPN,
| and all the plaintext traffic sent over it, could be made
| vulnerable.
| rwmj wrote:
| On a technical level how would this work? Could it be observed by
| the router occasionally sending packets unsolicited to nsa.gov?
| [joke, obviously it wouldn't send them to a well-known address,
| but to some "unexpected" place] Or maybe when the router has to
| generate a private key [does it?] it would generate one with a
| flaw?
| Filligree wrote:
| The router is most likely also compromised, and will neglect to
| inform you of those packets.
| xmodem wrote:
| Weak or compromised RNG is enough to make most crypto
| algorithms brute-force-able at NSA scale.
| Obscurity4340 wrote:
| Just want to point out that iMessage makes a lot more sense in
| this regard. iMessage is that skeleton key that was requested
| years ago in San Beradino
| apienx wrote:
| "You can't defend. You can't protect. The only thing you can do
| is detect and respond." -- Bruce Schneier
| convivialdingo wrote:
| Looking more closely at this, the backdoor is almost certainly
| based on the back-doored random number generator, Dual_EC_DRBG,
| which is implemented as NIST SP 800-90A.
|
| From Wiki: >>> NIST SP 800-90A ("SP" stands for "special
| publication") is a publication by the National Institute of
| Standards and Technology with the title Recommendation for Random
| Number Generation Using Deterministic Random Bit Generators. The
| publication contains the specification for three allegedly
| cryptographically secure pseudorandom number generators for use
| in cryptography: Hash DRBG (based on hash functions), HMAC DRBG
| (based on HMAC), and CTR DRBG (based on block ciphers in counter
| mode). Earlier versions included a fourth generator, Dual_EC_DRBG
| (based on elliptic curve cryptography). Dual_EC_DRBG was later
| reported to probably contain a kleptographic backdoor inserted by
| the United States National Security Agency (NSA).
|
| From Cavium's NIST FIPS-140-2, Section 3.3 [1] Approved and
| Allowed Algorithms:
|
| The cryptographic module supports the following FIPS Approved
| algorithms.
|
| *SP800-90 CTR DRBG Deterministic random number generation 32
|
| 1: https://csrc.nist.gov/csrc/media/projects/cryptographic-
| modu...
| stephen_g wrote:
| That's a very specific module - one of Cavium's dozens and
| dozens of products.
|
| Hard to tell what it is, more information is needed.
| convivialdingo wrote:
| Well, there's several Cavium devices that support the
| deprecated/back-doored Hash_DRBG.
|
| For example, these devices were validated for the completely
| appropriately named "SonicOS 6.2.5 for TZ, SM and NSA". Gotta
| appreciate the irony.
|
| Cavium CN7020 Hash DRBG
|
| Cavium CN7130 Hash DRBG
|
| Cavium Octeon Plus CN66XX Family Hash DRBG
|
| Cavium Octeon Plus CN68XX Family Hash DRBG
|
| I don't know if that's hardware support or just a software
| validation - but it's still interesting that they validated
| it.
|
| https://csrc.nist.gov/Projects/Cryptographic-Algorithm-
| Valid...
| dfox wrote:
| Except Hash_DRBG is neither deprecated nor backdoored. See
| NIST SP 800-90A Rev. 1 section 10.1.1.1 for description of
| the algorithm.
| convivialdingo wrote:
| Well, true.. the Hash_DRBG hashing algorithm remains. But
| it's rather likely that previous FIPS validations
| occurred utilizing the actual backdoored and deprecated
| algorithm as an input to the Hash_DRBG, rendering it's
| security properties suspect.
|
| In NIST SP 800-90A Rev. 1, the HASH_DRBG section has been
| _significantly_ updated to that effect.
|
| For instance, Appendix E: (Informative) Revisions.
|
| Section 10: Section 10 now includes a link to the DRBG
| test vectors on the NIST website. Sections 10.1, 10.1.1
| and 10.1.2 now include short discussions about selecting
| hash functions to support the DRBG's intended security
| strength. The Dual_EC_DRBG has been removed, and section
| numbers adjusted accordingly.
| dfox wrote:
| The backdoor in DualEC_DRBG only works if there is some
| way for the attacker to directly observe its outputs (eg.
| using that for IVs). If you use it as an inner CSPRNG
| that seeds other faster algorithms the backdoor is
| irrelevant, but well, such a construction is total
| nonsense that only ever makes sense in the FIPS
| certification framework (DualEC_DRBG is ridiculously slow
| and not meaningfully more secure than the other FIPS
| CSPRNGs).
|
| On the other hand, I have the feeling that if you
| instantiate Hash_DRBG with certain classes of insecure
| hash functions (think MD2) the mechanism that protects
| the construction from effects of birthday paradox makes
| it simpler to break the underlying hash function, but for
| this attack to work the underlying hash function have to
| be really bad and this attack is probably impractical
| even for instantiations with MD4, much less the SHA
| variants in the specification.
| [deleted]
| nonrandomstring wrote:
| Another tragic blow to the environment and economy.
|
| We treat these stories as if they were simple matters of politics
| and tech. But the blast radius is huge. When this happened to
| Cisco, and their value dropped to about 7% of the market they
| created, I passed massive dumpsters of Cisco gear in the car
| park, prematurely torn out of racks and consigned to crushing as
| e-waste.
|
| Has anyone done a serious cost analysis of just how hard this
| hits? If a foreign entity sabotaged our industry this way we'd
| take the battle right to them.
| chillbill wrote:
| [dead]
| hnthrowaway0315 wrote:
| Where can I find dumpsters of Cisco gears? I guess they are
| good targets to hack on.
| perihelions wrote:
| How the NSA successfully manage to prevent the _Washington Post_
| and friends from discovering and reporting on this malicious
| backdoor? They 've been sitting on these documents for a decade.
| Are the journalists just that *uncurious* about the deep contents
| of the documents they hold exclusive access to? Was this some
| kind of organizational failing?
| kome wrote:
| mainstream journalists are incredibly unreliable. it's
| absolutely clear to everyone that you cannot trust nyt and
| similar publications. i never read them anyway, and when I do
| come across articles on topics I'm knowledgeable about, i'm
| appalled by how wrong they are.
| bigger_inside wrote:
| exactly. When I read things I KNOW about, it's incredibly
| obvious that the news entertainment business (which WP and
| NYT and CNN and Fox all are) exist to serve the prejudices of
| their audience. A few times I made the mistake to let myself
| be interviewed by a newspaper who wanted an "expert" on
| something (flattering, but meh); something copletely benign
| and harmless, nothing political. They twisted my words to
| serve up stuff that fit what their "normal reader" already
| believed about the world.
| colordrops wrote:
| It's crazy to me that people pay for access to these outlets.
| I wouldn't pay for any content except from individual
| journalists and a few very small outlets, and even then,
| would immediately stop if things ever turn for the worse.
| Workaccount2 wrote:
| Modern journalists are just terminally online twitter heads.
|
| "Why go out or talk to anyone when I can just stay home and
| be on twitter all day!?!"
|
| It's the absolute worst outcome for journalism, and none of
| publications seem to care. If I had a publication the first
| thing I would do is ban twitter use (and probably go bankrupt
| because of it.)
| dylan604 wrote:
| publications probably encourage it so they can slash the
| operating budgets. if people are "staying at home on
| twitter all day", then they don't need office space. if
| they are willing to stay home to be on twitter all day,
| they are probably much younger less
| experienced/credentialed employee so they're cheaper too!
| dylan604 wrote:
| >i never read them anyway, and when I do come across articles
| on topics I'm knowledgeable about, i'm appalled by how wrong
| they are.
|
| I never do that, except when I do. What kind of soapbox are
| you trying to stand on. It looks more like a cardboard box
| collapsing under the weight of your own hubris.
|
| I get the suspicion of news outlets of any kind. It doesn't
| matter what stream the journalists are fished out of, but
| they cannot all be subject matter experts in all subjects.
| This is also an expectation full of hubris on your part.
| pangolinpouch wrote:
| Our media companies are rife with intelligence agents.
| Corporate / State media has no incentive to make you the wiser.
| hangonhn wrote:
| It's quite a bit more subtle than that. News organization
| have their sources that are in the intelligence community.
| They use each other. Sometimes the journalist wants to use
| their sources for information. Other times their sources feed
| them disinformation disguised as information. Other times
| they want a back channel to leak some real information but
| can't be seem as coming from a government source. Being a
| good journalist is hard and often doesn't pay very well.
|
| I'm often remind of PG's essay on corporate PR and the media:
| http://www.paulgraham.com/submarine.html
| the-dude wrote:
| I have no sources at hand, but I understood the FBI/CIA is
| embedded within every major news org in the US.
| ganoushoreilly wrote:
| Wait until you realize their footprints on Wallstreet,
| many of which openly admit their former employment.. Once
| a company man always a company man.. or something.
| throwawayq3423 wrote:
| We live in a world where people believe things with no
| proof (therefore with no reason), but a little humility
| and less certainty might benefit the conversation.
| Clubber wrote:
| The twitter files showed government agencies were
| coercing Twitter into suppressing information. I would
| find it hard to believe they don't also coerce at
| newspapers, particularly with the cozy relationship they
| already have with "anonymous sources" from said agencies.
| throwawayq3423 wrote:
| > The twitter files showed government agencies were
| coercing Twitter into suppressing information.
|
| They very much did not. Twitter's own lawyers when
| pressed in court (the place where there are consequences
| for lying) admitted that nothing in the "Twitter Files"
| cited by Donald Trump actually show that the social media
| platform was a tool of government censorship.
|
| https://storage.courtlistener.com/recap/gov.uscourts.cand
| .38...
| ekianjo wrote:
| > Our media companies are run by intelligence agents
|
| Fixed that for you
| rdtsc wrote:
| WP is a very close ally to the government agencies in general.
| That's where it gets those juicy "anonymous government sources
| claim ..." news. If WP all of sudden wanted to prevent
| democracy from dying "in darkness" as their motto says, it
| would mean to start digging a lot harder going against the
| government as a whole. Don't think they are prepared for it.
| 0xDEF wrote:
| Why are you surprised that backdoors in "boring" non-consumer
| facing hardware didn't get much attention?
| KaiserPro wrote:
| The snowden leak was _huge_ and reverberated for weeks. There
| were lots of followups.
|
| However at the time it was the more sexy things like tapping
| google's fibre and backdoors in cisco's kits that were more
| interesting. This is because the public could understand those
| things and therefore it sold papers.
|
| The difference between "cisco, dell and many other leading
| manufacturers shipped backdoors in their kit" and "cavium the
| small provider you've not really heard of" is large.
|
| Most people reading the snowden stuff will have assumed that
| the NSA had put in backdoors to most things.
| theropost wrote:
| Lack of real journalistic resources - Meta has more
| "journalists" then the Washington Post.
| erdos4d wrote:
| WaPo, NYT, et. al. are tied to DOD and the intel community.
| They are the anonymous sources that provide many of their story
| ideas as well as quotes and sourcing. That doesn't come for
| free.
| denton-scratch wrote:
| I don't think the journos were lazy, and I don't think there
| was an organisational failing. The Guardian, in particular,
| evidently fell out with Snowden and his collaborators; they
| turned on him. I assume that was coordinated with Washpo and
| Spiegel. That is: I think there was a decision made, to stop
| publishing information from the Snowden trove.
|
| I don't know what the reason for the betrayal was. I'm pretty
| sure Alan Rusbridger knows though. He resigned as Editor-in-
| chief shortly after these events.
|
| I don't get why whistleblowers rely on newspaper publishers to
| unpack their leaks for the public; it's not as if the press are
| known for either their honesty or their scruples.
| jstarfish wrote:
| > I don't get why whistleblowers rely on newspaper publishers
| to unpack their leaks for the public
|
| They have an interest in drama and a platform to publish on.
| some_random wrote:
| Snowden leaked a shit ton of documents, the vast majority of
| which had absolutely nothing to do with any kind of NSA
| wrongdoing. Journalists then had to go through and try to
| figure out what these documents actually meant (which they
| frequently misunderstood). Obviously they're still doing it to
| today.
| mindslight wrote:
| As a general rule when criminal conspiracies are taken to
| task, they don't retain a right to privacy for their
| communications that aren't about the criminal conspiracy.
| Rather it all comes out in court. I understand why Snowden
| released the way he did, and given how it kept attention on
| the subject for longer than Binney/Klein it was probably the
| right call. But there should have also been an escrow/intent
| to dump the whole trove raw after some time period.
| 0xDEF wrote:
| >As a general rule when criminal conspiracies are taken to
| task, they don't retain a right to privacy for their
| communications that aren't about the criminal conspiracy.
| Rather it all comes out in court.
|
| That doesn't seem to be true. There are many court cases
| involving criminal conspiracies where you cannot find
| unrelated information about the involved people.
| mindslight wrote:
| "in court" may have been a bit too strong, but police do
| generally have carte blanche to the entirety of someone's
| private life. For most people the police show up,
| confiscate anything that _might possibly_ be evidence,
| damaging it or at least denying its use for several
| years. Never mind what happens to people, who often get
| arrested first and then sorted out later.
|
| Due to the severe corruption of our institutions, the
| investigators in this case are the public. A time period
| of a decade is more than enough time to recall all the
| HUMINT assets that might be harmed by such disclosure.
| some_random wrote:
| Do you really think the entire American IC is a "criminal
| conspiracy", or are you just trying to justify the fact
| that Snowden is an angry and vindictive sharepoint admin
| who simply dumped everything he had access to without
| regard for what was actually in those documents?
| wnoise wrote:
| The only way they're not is by the Nixonian "when the
| President does it, that means it's not illegal" standard.
| mindslight wrote:
| Yes. By the straightforward standards that non-
| governmental criminal conspiracies are prosecuted, a
| large chunk of the NSA is engaged in a criminal
| conspiracy. We don't hold back on prosecuting other
| criminal conspiracies just because their associations
| produce other results like financially supporting their
| communities and coaching their kids' soccer teams.
| c7DJTLrn wrote:
| >Snowden leaked a shit ton of documents, the vast majority of
| which had absolutely nothing to do with any kind of NSA
| wrongdoing
|
| Like how NSA collects a shit ton of data on citizens... the
| vast majority of which has absolutely nothing to do with any
| kind of wrongdoing.
|
| I'm only pointing this out because your comment has a
| negative tone towards what Snowden did.
| freedomben wrote:
| I didn't read anything negative in there. GP might have
| been negative but I don't think there's enough to tell just
| from the post
| sheepshear wrote:
| Making a strawman argument doesn't point anything out.
| 45y54jh45 wrote:
| Well yes, why do you think the noise died after the initial
| hype of Snowden leaking the docs? Do you honestly believe the
| mechanisms of for-profit journalism lets journalists be
| journalists? They got to eat and in this world you don't eat by
| covering yesterdays news.
|
| NSA didn't have to lift a finger. Wait a few weeks and people
| move on to the next story, this should not be a shocking
| revelation to anyone.
| ben_w wrote:
| The British intelligence agencies forced the Guardian to
| literally shred the laptop with the contents while they were
| in the swing of running headlines about the things it was
| revealing.
|
| While the USA and the UK are different, I suspect there was a
| bit more difficult for the NSA than "didn't have to lift a
| finger".
| drak0n1c wrote:
| Closed orgs can take years to find what takes an open source
| crowd mere days. Regardless of organizational competence.
| londons_explore wrote:
| I personally suspect that security services visited the
| newspapers a few days after the leak [1], and ever since then,
| every article has been about stuff that wouldn't be a surprise
| to rival security services.
|
| Sure - it was a surprise to the public. But rival security
| services I'm sure would expect US controlled backdoors in US
| made technology.
|
| [1]: https://www.theguardian.com/uk-news/2014/jan/31/footage-
| rele...
| PKop wrote:
| Some of them are deputies for the state. State-run-media, or
| Media-run-state, whichever you prefer.
|
| The FBI and CIA had agents inside Twitter and Facebook. _Of
| course_ they have them inside news agencies as well. Part of it
| over time is access-media, the ones that play ball get the
| stories and info, the others get weeded out.
| throwawayq3423 wrote:
| The casual nature of stating a completely impossible
| conspiracy theory has been common place online for years, HN
| news used to be immune.
|
| It's illegal for FBI or CIA to actively target a US company.
| Anyone doing so would be fired for cause.
| logicchains wrote:
| It's illegal to lie under oath to Congress, did James
| Clapper go to jail? It's illegal to sleep with underage
| girls, how many people on Epstein's client list went to
| jail?
| chillbill wrote:
| [dead]
| luxuryballs wrote:
| that moment you realize "democracy dies in darkness" is a
| mission statement
| syndicatedjelly wrote:
| Do you think there was a list in the document neatly titled
| "NSA_BACKDOORS_DONT_SHARE" or something?
| hammock wrote:
| More likely an IC plant in the editorial office that said
| "NSA Backdoors Don't Share."
|
| NSA also pays the owner of the Washington Post upwards of $10
| billion for cloud services
| gruez wrote:
| >NSA also pays the owner of the Washington Post upwards of
| $10 billion for cloud services
|
| That's not the only publication that had access to the
| documents. From wikipedia
|
| >the first of Snowden's documents were published
| simultaneously by The Washington Post and The Guardian.
| [...] The disclosure continued throughout 2013, and a small
| portion of the estimated full cache of documents was later
| published by other media outlets worldwide, most notably
| The New York Times (United States), the Canadian
| Broadcasting Corporation, the Australian Broadcasting
| Corporation, Der Spiegel (Germany), O Globo (Brazil), Le
| Monde (France), L'espresso (Italy), NRC Handelsblad (the
| Netherlands), Dagbladet (Norway), El Pais (Spain), and
| Sveriges Television (Sweden).
| dylan604 wrote:
| >More likely an IC plant in the editorial office that said
| "NSA Backdoors Don't Share."
|
| Wouldn't be more likely that a plant would actually _not_
| say that, but rather come up with something else? Seems
| much more likely that a plant would promote some other
| aspect of a leak that would be less damaging as _the_
| story. Or even possibly making part of the document dump
| disappear.
| [deleted]
| Consultant32452 wrote:
| Supposed news organizations openly employ spooks as
| commentators on things like foreign policy.
|
| Journalists knowingly report lies, acting as the mouthpiece of
| the government.
|
| We know at least one news organization had the whole Epstein
| story locked down and they buried it because they were afraid
| they'd lose access to the royal family for future news/puff
| pieces.
|
| You think you hate journalists enough, but you don't.
| what-no-tests wrote:
| > Was this some kind of organizational failing?
|
| No...the organization is behaving exactly as intended.
| TheRealDunkirk wrote:
| In the US, we have this passionate fantasy about Woodward and
| Bernstein and the Post and the Pulitzer and the movie and
| Redford and Hoffman and the Academy Award, about how the Press
| played the part of the "fourth estate" as the Founders
| intended, and rooted out a corrupt politician, and forced him
| to resign. It's all bullshit. The people who broke into the
| Watergate Hotel were CIA, Woodward was formerly CIA, and
| "Deepthroat" was a Deputy Director of the FBI. It was all a
| deep state plot to get rid of Nixon. Any time the deep state
| wants to get rid of a politician, the "press" does its "job" by
| exposing things. When the deep state likes a politician, the
| "press" ALSO does its "job" by covering things up. Look
| absolutely no further than Hunter Biden. The hypocrisy is
| utterly astounding, even to someone who is deeply cynical at
| this point. The rest of the US needs to wake up to the fact
| that the press is just another branch of the deep state, and
| stop pretending that there's ANYTHING useful being fed to us
| through ANY of the large media corporations.
| sofixa wrote:
| > about how the Press played the part of the "fourth estate"
| as the Founders intended
|
| The rest of your post is quite the bullshit (easily probable
| with publicly accessible archives bullshit at that), but this
| is also wrong. The mythological god-like creatures that
| crafted America as their divine powers ordained it didn't
| "intend" for the press to be "the fourth power". That term
| was first used after the US revolution, and in the UK. You're
| just retconing stuff into your mythology, and everyone knows
| that doesn't work and leaves a poor taste.
| TheRealDunkirk wrote:
| I have no idea what you're on about. The Founders of the US
| absolutely intended the press to be the last counterbalance
| on government overreach. It's literally why it's the First
| Amendment. Getting bogged down by terminology is perfect HN
| pedantry. Well done, sir!
| pakyr wrote:
| Wow, the deep state is so powerful that they got Nixon to say
| on tape that he was going to try to get the CIA to falsely
| use national security as an excuse to stonewall an FBI
| investigation. Poor innocent Nixon was no match for their
| telepathic powers.
| TheRealDunkirk wrote:
| Whoosh. You went clean over _my_ head, anyway.
| michaelt wrote:
| I suspect when a trove of documents is big enough, newspaper
| readers lose interest before you run out of documents. I mean,
| even on this tech forum hardly anyone knows who Cavium are, let
| alone your average Washington Post reader.
| [deleted]
| ormax3 wrote:
| sounds like something LLMs can help with, sift through huge
| amounts of documents to summarize and highlight the
| interesting ones
| jstarfish wrote:
| If only. The biggest problems right now are limited context
| size and basic security, including having to share such
| documents with God-knows-how-many third parties.
|
| Tangent, but we use Azure instead of OpenAI due to data-
| retention concerns. To ensure nobody's inputting anything
| classified or proprietary, Legal demanded implementation of
| an "AI safety" tool...so we demoed one that ships all
| prompts to a third party's regex-retraction API.
|
| So you never know who ends up the recipient of your LLM
| prompt, where it's getting logged to, who's reviewing those
| logs, etc. Even some local models require execution of
| arbitrary code, and Gradio ships telemetry data. Uploading
| Snowden's docs into a black box is a good way to catch a
| ride in a black van.
| ormax3 wrote:
| Nowadays even consumer-level hardware can run some decent
| local LLMs, completely offline.
|
| You might want to browse /r/LocalLLaMA/ if "security" is
| an issue for you.
| akira2501 wrote:
| > newspaper readers lose interest before you run out of
| documents
|
| So.. what's your case here? It would be so expensive to host
| and publish the documents that they would be unable to recoup
| their investment based upon lack of interest?
|
| > hardly anyone knows who Cavium are, let alone your average
| Washington Post reader.
|
| Oh.. I don't know.. maybe that's because no one has reported
| on it and explained why it would be important?
|
| There's a lot of circular reasoning present to create excuses
| for an entity that really doesn't need or deserve it.
| elif wrote:
| Maybe the moral of the story is that future snowdens should
| leak to selected law firms instead of selected journalists?
| If there's one organization designed to comb through large
| documents for details and understand the impacts to potential
| parties, it is law organizations. Put 2-3 in time competition
| to make cases out of the documents and it will be a scramble
| race for justice.
| hcurtiss wrote:
| Law firms aren't terribly entrepreneurial. Absent somebody
| paying them their hourly rate, I suspect not a single
| document would be read. Newspapers regularly take risks
| deploying humans to investigate issues without any
| assurance there will be a story at the bottom, but even the
| newspaper business has less appetite for that these days
| (as an aside, I suspect it's that margin that the financial
| investors have exploited -- at the expense of high quality
| reporting).
| hammock wrote:
| >Law firms aren't terribly entrepreneurial.
|
| Personal injury guys are the most entrepreneurial people
| I know...
| [deleted]
| thewildginger wrote:
| That's why other lawyers call them ambulance chasers.
| Their ethics are notoriously questionable.
| iinnPP wrote:
| We're such a weird society when it comes to enforcing
| laws on business. It's all "scummy" behavior.
|
| For examples: Accessibility laws, consumer protection
| laws, and privacy laws.
|
| It's a trivial matter to determine which websites don't
| comply with the easy targets of accessibility. Yet the
| concept of running such a scanner, automatically, and
| charging for corrections, is seen as predatory behavior.
|
| There was an article about grocery pricing with obvious
| collusion, dark practices, and misinformation yet nothing
| is done. Business as usual, people need to understand it
| and work around it. Problem is, it's clearly outside the
| realm of the average intellectual ability.
|
| Predatory behavior is everywhere. I don't feel compelled
| to list even a single example.
|
| If the lawyer chasing the ambulance results in a law
| being followed instead of ignored, that is a positive
| thing.
| ChrisMarshallNY wrote:
| ...and patent trolls...
|
| Just Sayin'...
| asveikau wrote:
| More importantly, there's money out the other end for
| them. The payoff is more questionable for information
| from Snowden leaks. Yes, I guess a journalistic outlet
| can get a big scoop and that drives eyeballs which leads
| to advertisers... But that's pretty different from the
| ambulance-chaser payout.
| kube-system wrote:
| And they make money by going after low-hanging fruit.
| Ever wonder why they advertise 90%+ success rates and
| work on contingency? Because if your case isn't easy, you
| aren't their customer.
| hammock wrote:
| If you are injured in a car accident and the insurance
| company is trying to screw you over, they seem like an
| important advocate
| shortrounddev2 wrote:
| I can't imagine there's any money in it for them
| cbsmith wrote:
| You'd be surprised. Top journalism organizations do this
| kind of thing with tremendous efficiency. The Pandora
| Papers were impressive for exactly that reason.
| yieldcrv wrote:
| All the big leaks should be done this way
|
| The Ashley Madison leaks should have been one name a week
| and making it a big spectacle till this very day!
|
| Same for the Snowden leaks
|
| you can also get bigger bidders for the data by drumming up
| interest and suspense
|
| hackers really suck at marketing, so far.
| ipaddr wrote:
| Then your risk identifying yourself in the Ashley Madison
| leak. You run the risk of not getting your message out in
| the Snowden case. The biggest threat is future publishing
| which is why so many countries broke laws made up charges
| going after Wikileaks.
|
| A wikileak revival scares the most powerful
| yieldcrv wrote:
| It would also be allot of fun
| dr-detroit wrote:
| [dead]
| garba_dlm wrote:
| > Was this some kind of organizational failing?
|
| sure, why not. and while we're on this deluded train: Julian
| Assange's legal problems are not political persecution
| ramesh31 wrote:
| >How the NSA successfully manage to prevent the Washington Post
| and friends from discovering and reporting on this malicious
| backdoor? They've been sitting on these documents for a decade.
|
| Washington Post -> Bezos -> AWS -> Cavium
|
| Pretty simple to understand, really.
| miguelazo wrote:
| Are you kidding? WaPo _serves_ the intelligence community.
|
| >After creation of the CIA in 1947, it enjoyed direct
| collaboration with many U.S. news organizations. But the agency
| faced a major challenge in October 1977, when--soon after
| leaving the Washington Post--famed Watergate reporter Carl
| Bernstein provided an extensive expose in Rolling Stone.
|
| Citing CIA documents, Bernstein wrote that during the previous
| 25 years "more than 400 American journalists...have secretly
| carried out assignments for the Central Intelligence Agency."
| He added: "The history of the CIA's involvement with the
| American press continues to be shrouded by an official policy
| of obfuscation and deception."
|
| Bernstein's story tarnished the reputations of many journalists
| and media institutions, including the Washington Post and New
| York Times. While the CIA's mission was widely assumed to
| involve "obfuscation and deception," the mission of the
| nation's finest newspapers was ostensibly the opposite.
|
| https://www.guernicamag.com/normon-solomon-why-the-washingto...
| pxc wrote:
| The WaPo is relentlessly pro-US and pro-'intelligence
| community' in its writings today, too. It's transparent. Idk
| how it could be missed, even without knowing the history.
| Just read a couple articles about contemporary whistleblowers
| or US involvement in the Syrian civil war or the war in
| Ukraine or whatever.
| mcpackieh wrote:
| > _It 's transparent. Idk how it could be missed,_
|
| Support or criticism for the intelligence community became
| very partisan during Trump's campaign and presidency. Once
| something like this becomes partisan, the average political
| creature loses some degree of rationality for it. The IC
| becomes patriotic good guys, stalwart defenders of American
| democracy standing up to fascism; their past and present
| malfeasance goes unnoticed, forgotten, or simply ignored.
| This is how the WaPo's relentless pro-IC stance could be
| missed; they've been telling a lot of people what they want
| to hear and all people are less critical and suspicious of
| things that support their biases and prejudices.
| wsc981 wrote:
| There was also a German ex-journalist (dr. Udo Ulfkotte) who
| wrote a book about how journalists (in Germany and EU I
| suppose) are "bought" by intelligence agencies like the CIA:
|
| https://www.amazon.in/Journalists-Hire-How-Buys-
| News/dp/1944...
| orangepurple wrote:
| Operation Mockingbird never ended. Full stop.
|
| (2010) https://weirdshit.blog/2010/07/23/cointelpro-operation-
| mocki...
| BlueTemplar wrote:
| Well, COINTELPRO certainly didn't : we've got recent examples
| about how the FBI monitored the Parler group discussions that
| were planning the January 6 2021 United States Capitol rally
| - including convincing some of the most risky elements to not
| participate, and (supposedly) warned Washington law
| enforcement about it well in advance.
|
| Which is fine I guess, as long as it doesn't go into the more
| abusive examples listed.
|
| One thing that jumped at me when (re-?)reading the letter to
| MLK from the FBI : first you have some very informal speech :
|
| "look into your heart", "you are done", "you are [] an evil,
| abnormal beast", "there is only one thing for you left to do"
|
| Then SUDDENLY : "You have just 34 days in which to do it
| (this exact number has been selected for a specific reason,
| it has definite practical significance)."
|
| Lol, talk about a change in tone, I wonder if MLK noticed it
| ? (The specific reason being Christmas, but still...)
| throwawayq3423 wrote:
| Cold war history really broke people's brains. Yes this took
| place in the 1970s, no such thing happens today.
| rdtsc wrote:
| They are now part of Marvell Technology
| https://en.wikipedia.org/wiki/Cavium
|
| Wonder if agreeing to enable NSA backdoors they agreed to be
| compensated when eventually that fact is leaked. "If nobody
| starts buying your chips, don't worry, we will! ... and then
| promptly throw them into the recycling bin"
|
| Also interesting is if Marvell knew their acquired tech had this
| "cool feature".
| [deleted]
| KingLancelot wrote:
| [dead]
| rvnx wrote:
| The agreement with the NSA is more likely like this: "if you
| don't comply, you will get arrested / fined for whatever reason
| (crypto exports issues or failure to comply with the law),
| maybe even by another authority, or journalists may discover
| your little things about X.
|
| If you comply we may help you with some tips occasionally to
| make sure our partnership is working well, or just not reveal
| your trade secrets to your competitors"
| delfinom wrote:
| Yea, people forget we literally have a secret kangaroo FISA
| court being abused to issue "national security letters" with
| rubber stamp that demanded compliance and threatened to throw
| you in jail for resisting and/or talking about it. The
| Patriot Act largely was responsible for it, but even now
| they've wiggled to other avenues since the Patriot Act
| expired.
| bananapub wrote:
| er...what? why do you think any of that has happened?
|
| we already saw this happen in public once with Qwest:
| https://www.eff.org/deeplinks/2007/10/qwest-ceo-nsa-
| punished...
| AdmiralAsshat wrote:
| Happened to Yahoo as well, IIRC:
|
| https://www.theguardian.com/world/2014/sep/11/yahoo-nsa-
| laws...
| [deleted]
| hedora wrote:
| It's happened at least three times. They got Yahoo's CEO to
| [bypass SOX compliance and] hand over access to 500 million
| email accounts. Last I heard, she said they convinced her
| she wasn't allowed to ask corporate lawyers for guidance.
|
| https://www.theguardian.com/technology/2016/oct/04/yahoo-
| sec...
|
| Both she and Yahoo's shareholders suffered greatly for
| complying.
|
| There's also Crypto AG, which was a foreign-owned CIA front
| that spied on US allies:
|
| https://www.theguardian.com/us-news/2020/feb/11/crypto-ag-
| ci...
|
| The Washington Post article is now bullshit-walled, but
| goes into more details.
|
| One of my favorite parts of the story is that the
| intelligence agency handlers needed to make sure they only
| hired incompetent / mediocre engineers and mathematicians
| at the actual company (algorithm and backdoor design was
| done at a US government agency that employed competent
| people).
|
| One day, a brilliant woman applied for a job. She aced the
| interview, and there were concerns she might be too smart,
| but upper management hired her on the grounds that the
| interview results were probably spurious. She was just a
| woman, after all.
|
| She ended up exposing and fixing their backdoors pretty
| quickly, which caused a huge containment problem for them.
| dylan604 wrote:
| > Last I heard, she said they convinced her she wasn't
| allowed to ask corporate lawyers for guidance.
|
| To me, anyone purporting to be an official government
| employee advising you that you cannot speak to an
| attorney throws up so many red flags, that I just can't
| imagine it being anything but sinister.
| hedora wrote:
| If an official government employee is already apparently
| breaking the law and also threatening you personally, you
| need to ask yourself whether they'll worry about
| continuing to break the law in order to make good on
| their threats.
|
| Note that none of the people that coerced Mayer into
| breaking the law have been disciplined or even named, so
| I guess they didn't need to worry about such things after
| all.
|
| I've heard EFF and corporate lawyers advise people to
| never speak to law enforcement under any circumstances.
| The reason is that the police are allowed to lie about
| their intentions and the facts of the case, and if you
| say something that is incorrect, you can be prosecuted
| for lying to them.
|
| So, for example, they can spew a bunch of lies and trick
| you into incorrectly speculating ("Since Jim was waving
| that gun at you, then I guess he really did buy it after
| all"), and then later, you need to prove (probably
| without the benefit of a recording) that it should have
| been clear to the officers that it was just speculation,
| or you go to jail.
|
| Their advice boiled down to politely and repeatedly
| respond with "I want my lawyer". At least one court has
| ruled that failing to respond at all to a question (even
| after repeatedly asking for a lawyer) means that you're
| now responding (perhaps with body language) and the
| interrogation is therefore admissible.
| zzo38computer wrote:
| It is they will need to make the police not so bad.
|
| Make it illegal for police to lie about their intentions
| and the facts of the case (although perhaps they should
| be permitted to hide some of the facts of the case
| (although they cannot hide what you are actually accused
| of, or anything like that, if they are actually arresting
| you (since otherwise they should have no authority to
| arrest anyone)), and anyone (whether police or not)
| should always be permitted to claim "I don't know").
|
| If you lie (or make a mistake) to the police while you
| are being interrogated, that should not be illegal
| (although making a false police report (while you are not
| being interrogated) would still be illegal).
|
| Furthermore, any claim they make that, if valid, would
| not authorize them to do what they are doing to you,
| makes what they are doing illegal in that instance. For
| example, if you ask them if they are police and they say
| they are not police then they have no authority to arrest
| you (although they can still make a citizen's arrest (for
| situations where that is permitted, so, not necessarily
| all of the things that the police might arrest you for),
| or to call some of the police other than themself (using
| the methods that ordinary people would use, not the ones
| reserved for police), etc.
|
| This isn't even half of enough to fix the problems with
| police, but it is a start.
| halyconWays wrote:
| If it's sold in a Western nation, the NSA has a backdoor in it,
| and probably everyone in the Five Eyes. If it's sold anywhere
| else, China has a backdoor in it.
| keyme wrote:
| China *also has a backdoor in to. FTFY
| one_shilling wrote:
| Very impressive work by the NSA, if true. Both from a political
| and technical perspective. It's good to know that our
| intelligence services are doing what they're supposed to, and
| doing it well.
|
| However, as interesting as this revelation is, it's unfortunate
| that Snowden decided to defect to the Russians and share his
| stolen cache of top secret documents with them and China, using
| Western journalists as ideological cover. I look forward to the
| day when he is brought to justice for treason.
| oaththrowaway wrote:
| I see a spot on the boot you forgot to lick...
| Freestyler_3 wrote:
| You can't hold it against someone that they don't want to be
| tortured/killed.
| empath-nirvana wrote:
| Nobody was going to torture or kill snowden. His risk was
| prison, no more.
| wnoise wrote:
| After Guantanamo, that's not a risk I'd like to take.
| oaththrowaway wrote:
| Nobody gets tortured or killed in prison?
|
| Regardless of your thoughts on the guy, nobody deserves
| what Assange has gone through in custody. Same with
| Manning.
| mullingitover wrote:
| This is the thing that rubs me the wrong way about Snowden -
| had he stayed and faced the music as a true whistleblower, he
| would've earned my respect for sticking to principles and
| acting as a loyal citizen acting in the interest of the
| country, even in the face of persecution.
|
| He did not do that. Instead, he's living a comfortable life in
| the bowels of a country that is committing vicious, daily war
| crimes. I don't hear him make a peep about kidnapped Ukrainian
| children, or the civilians that Russia tortures and kills. He's
| not a principled activist who's suffering for the cause of
| freedom at any cost, he's now just a loyal Russian citizen who
| opportunistically committed a massive act of espionage a long
| time ago.
| xcdzvyn wrote:
| I think this is _incredibly_ rich. Snowden is undoubtedly on
| the US ' "really, really naughty" list -- would you,
| personally, sit back and be imprisoned for the rest of your
| life (and possibly be tortured), or live comparatively freely
| elsewhere?
|
| > I don't hear him make a peep about kidnapped Ukrainian
| children, or the civilians that Russia tortures and kills.
|
| Can you really not see why that would be a bad idea? He's
| kind of tied up here, if he doesn't want to end up dead by
| _somebody 's_ hands.
|
| > opportunistically committed a massive act of espionage a
| long time ago
|
| How exactly do his past actions go from heroic to a "massive
| opportunistic act of espionage" because of his actions in the
| present?
| agent_788365 wrote:
| Snowden's past actions were never heroic, that is just spin
| manufactured by journalists with a vested interest in
| constructing a narrative.
|
| He's been arrogantly self-serving from the start, and it's
| rather disappointing that some people still haven't grown
| out of their juvenile phase of blind hero worship.
| oaththrowaway wrote:
| > He's been arrogantly self-serving from the start
|
| Maybe if he was as self-serving as you thought he'd
| continue to live a comfortable life while destroying the
| rule of law that we pretend to have instead of having to
| abandon his home and never again be able to see his
| country or friends again?
| oaththrowaway wrote:
| Was he not living a comfortable life in the bowels of a
| country that was committing vicious, daily war crimes when he
| lived in the USA? We kill/displaced over a million civilians
| in Iraq, not to mention the mess we left in Afghanistan. The
| carnage we've unleashed with drone warfare, CIA black sites,
| Guantanamo Bay, ect...
|
| Yes, Russia are the bad guys, but we have done some truly
| heinous things as well. Snowden revealed a little of the
| crimes we commit and you're ready to wash him away because it
| hurts your position that we are somehow morally superior to
| other countries?
| monocasa wrote:
| As a contractor he didn't qualify for whistleblower
| protections at the time.
|
| He would just be in solitary confinement for the rest of his
| life, and there's a much better chance the leak to the public
| would have never been completed in the first.
| mullingitover wrote:
| I see no evidence that merely being convicted of treason is
| enough to get you thrown in a solitary cell forever.
| There's a long list of plain old convicted spies[1], and
| they just went to regular, run of the mill prison. I would
| like to see the evidence that Snowden would be treated any
| differently.
|
| And again, I'm not saying he would've been protected as a
| whistleblower, just that he had to choose one or the other:
| take his chances as a martyr for freedom, or escape all
| consequences and with them, his legacy as a respectable
| historical figure. He chose the latter.
|
| [1] https://en.wikipedia.org/wiki/List_of_imprisoned_spies
| jklinger410 wrote:
| Shilling indeed.
| miguelazo wrote:
| Being stranded in Moscow because the State Department cancels
| your passport while you're en route to Ecuador = "defection"?
| Cute.
| phatfish wrote:
| I doubt Russia cared much about a cancelled US passport. If
| they felt he was not worth something to them they would have
| made sure he was out of Russia.
|
| Personally I don't think it was intentional on his part to
| get stuck in Russia, just a bad error. But he is certainly
| living there by their "good will" now, and it shows in his
| public behaviour.
| miguelazo wrote:
| Russia may not care (doubtful), but _the airline will not
| even let you board_.
|
| Not trashing your host is probably wise, but given his
| experience with the US government, he probably no longer
| subscribes to the naive worldview that Putin (or Xi) are
| uniquely bad, just bad in their own ways and responding to
| the world with their nation's interests (and their
| legacies) in mind.
| CodeArtisan wrote:
| Also this
| https://en.wikipedia.org/wiki/Evo_Morales_grounding_incident
| hammock wrote:
| Earlier this year, a man was sentenced to prison for six years
| for stealing Ubiquiti data that the NSA also apparently can
| steal.
|
| https://www.justice.gov/usao-sdny/pr/former-employee-technol...
| acdha wrote:
| Leaving out the extortion part makes it very hard to read your
| comment as being made in good faith.
| hammock wrote:
| Learn about Qwest if you think NSA doesn't also extort to get
| what they want: https://www.eff.org/deeplinks/2007/10/qwest-
| ceo-nsa-punished...
| RecycledEle wrote:
| It all contains back doors.
| andy_ppp wrote:
| Presumably the NSA are in and out of everything in ways people
| haven't even thought of yet. Back doors are great but I'm not
| convinced they need them!
| dr-detroit wrote:
| [dead]
| colatkinson wrote:
| Mastodon link for those so inclined:
| https://ioc.exchange/@matthew_d_green/111091979256440306
| JanSolo wrote:
| The tweet seems to imply that the entire Ubiquiti Networks line
| of network hardware could be compromised. That's a shame; I was
| thinking of installing some in my house. I'm sure that Ubiquiti's
| customers will not be happy if they find out that the US Govt can
| access their private data.
| hedora wrote:
| So, Marvell bought the company that backdoored all my Ubiquiti
| gear.
|
| Since it was never working as advertised, do I contact them or
| Ubiquiti to get my refund / warranty replacements?
| snoman wrote:
| It's an interesting thought experiment to wonder if consumer
| protections extend to defects from state sponsored acts of
| espionage.
| some_random wrote:
| In a world where local PD can kick my door in, shoot me in the
| face, and the news will report that I had it coming because I
| own a gun, I find it hard to care that the IC can burn a
| technical access backdoor to access my private data.
| Aachen wrote:
| Integrated circuit?
| davikr wrote:
| Intelligence community
| sneak wrote:
| Ubiquiti is all cloud based. If the government wants in to your
| auto-updating ubnt hardware, it's just a simple court order
| away. They don't need a backdoor.
| anderiv wrote:
| It may be auto-updating by default, but that can be trivially
| disabled. Likewise, their cloud connectivity/management is
| optional. I'm running without issue multiple air-gapped Ubnt
| networks using their self-hosted controller software.
| fyloraspit wrote:
| Yeh but it is still closed source, no? I guess if it is air
| gapped that could be fine, but we are talking mid level
| network gear here, so for 99% of its use, it isn't air
| gapped. It is enabling broader connectivity. So you would
| have to trust the closed source software at some point.
| sneak wrote:
| If it's airgapped, what do you care about it being
| backdoored?
| blueridge wrote:
| I was also going to move to Ubiquiti but decided to go with
| Peplink instead based on recommendations from:
| https://routersecurity.org/
|
| https://www.peplink.com/products/balance-20x/
| Astronaut3315 wrote:
| Some specific Ubiquiti gear uses Cavium SOCs, but certainly not
| all. The UDM Pro uses an Annapurna Labs SOC and my old
| EdgeRouter-X was Mediatek.
| sneak wrote:
| Unifi stuff auto updates from the vendor, which is subject to
| US law.
|
| The SoC manufacturer is irrelevant.
|
| If the USG wants in, it's just a click away in any case.
| drexlspivey wrote:
| Trying to understand what crypto is the network hardware itself
| performing? TLS is end to end, even if you run a VPN on the
| router the keys were not generated there probably
| slt2021 wrote:
| crypto doesn't matter if chip itself has backdoor that will
| grant root access on some "magic" packet
| dna_polymerase wrote:
| Crypto matters for exactly this reason. All my internet
| traffic passes through unsafe middle-boxes, it is TLS and
| DH that make sure I can pass through untrusted middlemen
| without them knowing what is going on.
| slt2021 wrote:
| Cavium chips are installed on security appliances (lol):
| think Palo alto firewall, fortinet firewall, F5 Big-IP
| etc.
|
| they will see your traffic in plain text by design
| irreticent wrote:
| If everything is encrypted then you're safe... until you
| decrypt the data on a machine with a backdoored CPU.
| RationPhantoms wrote:
| If you're not under the threat cone of nation state
| surveillance (like trying to exfiltrate the radar-asborbing
| paint formula on the F35) then I wouldn't be too concerned.
|
| "That's not the point! It's about privacy!"
|
| Sure. I'll choose it ignore the fact that our civilization is
| somehow still functioning in a post-nuclear world.
| tinco wrote:
| It's not about privacy, it's about security. If there's a
| backdoor in a HSM or network interface, that backdoor can be
| used by others as well. That might start with foreign nation
| states, but might eventually leak to regular private persons
| or entities as well.
|
| A backdoor is an extra attack vector with often very
| unfavorable properties that you as a user are unaware of.
| jimkoen wrote:
| > If you're not under the threat cone of nation state
| surveillance
|
| The average reader may be surprised by how far this cone can
| extend in some circumstances.
|
| It has been established that the NSA conducts industrial
| espionage [0], under the cover of national security [1]. To
| what degree the term "national security" narrows down the
| scope of any surveillance measures is likely unfamiliar to
| the laymen, but an NSA representative gave a short
| description on the agencies views to that regard in 2013:
|
| "The intelligence community's efforts to understand economic
| systems and policies, and monitor anomalous economic
| activities, are critical to providing policy makers with the
| information they need to make informed decisions that are in
| the best interest of our national security." [1]
|
| While it affirms that it does not steal trade secrets, the
| NSA reserves the right to pass on critical information about
| economic developments towards policy makers, who then can use
| this knowledge in their decision making.
|
| Notable examples of industrial espionage conducted by the NSA
| consisted of spying on EU antitrust regulators investigating
| Google for antitrust violations [1], alleged espionage of
| business conducted by brazilian oil giant Petrobas [2],
| international credit card transactions [3], SWIFT [4], and
| the infamous allegations of espionage against european
| defense company EADS [5].
|
| It's noteworthy that this short list only comprises cases
| that got attention of the media, the actual list of targets
| in europe was much higher, about 2000 companies in europe,
| many of them defense contractors.[5]
|
| So, to summarize, it may be much easier to fall into this
| cone, than one would assume. The agency is also at odds with
| it's own claims as this this excerpt from a Guardian article
| [2] clearly shows:
|
| "The department does not engage in economic espionage in any
| domain, including cyber," the agency said in an emailed
| response to a Washington Post story on the subject last
| month. [...] "We collect this information for many important
| reasons: for one, it could provide the United States and our
| allies early warning of international financial crises which
| could negatively impact the global economy. It also could
| provide insight into other countries' economic policy or
| behavior which could affect global markets."
|
| But he again denied this amounted to industrial espionage.
| "What we do not do, as we have said many times, is use our
| foreign intelligence capabilities to steal the trade secrets
| of foreign companies on behalf of - or give intelligence we
| collect to - US companies to enhance their international
| competitiveness or increase their bottom line." [2]
|
| To me these statements are mutually exclusive: How is
| providing policy makers with insights from foreign politics
| and possible industrial espionage (i.e. not necessarily
| actual technologies, but research objectives of foreign
| companies) not giving an advantage to domestic companies, if
| those policy makers act appropriately?
|
| [0]https://theintercept.com/2014/09/05/us-governments-plans-
| use... [1]https://www.cnet.com/tech/tech-industry/nsa-spied-
| on-eu-anti...
| [2]https://www.theguardian.com/world/2013/sep/09/nsa-spying-
| bra... [3]https://www.spiegel.de/international/world/spiegel-
| exclusive... [4]
| https://www.spiegel.de/international/europe/nsa-spying-
| europ... [5] https://www.theregister.com/2015/04/30/airbus_us
| _german_inte...
| p337 wrote:
| > How is providing policy makers with insights from foreign
| politics and possible industrial espionage not giving an
| advantage to domestic companies, if those policy makers act
| appropriately?
|
| Let's imagine OpenAI was a Russian company operating mostly
| in secret. This RU OpenAI _secretly_ discover and use
| GPT-4-like technology, and show promise that they are not
| done innovating. While these LLMs are often overhyped,
| these recent innovations no doubt present a policy issue,
| right? I 'd say there are legitimate national security
| reasons to know about that technology, not just about
| making money or making a better product for cheap.
|
| The distinction being made is that the NSA may steal data
| related to this, but they aren't just giving it to Google
| to make Bard better. They are getting intel and giving
| lawmakers the tools to fund research, write policy, or
| whatever else our elected representatives deem beneficial.
| Any side action or under the table dealings would make this
| distinction meaningless of course. So, for the example
| above, if we started funding departments to research the
| threat of LLMs/AI, inform the public of the issue, and
| inform companies that their data is being pillaged to train
| AI... that is all very different from just stealing a cool
| new widget design and getting it to market first.
|
| I think there's no debating that this is morally gray, but
| I think it's a few steps off of what other nation states
| are doing by stealing tech and implementing it in "private"
| companies. It's certainly worthy of criticism, but I think
| it's unhelpful to bucket it with the other type.
|
| If the LLM example isn't your thing, it also makes a lot of
| sense for the NSA to steal information related to
| weapon/defense tech, even if developed by a private
| company, and even if we use what we stole to implement
| countermeasures. I can't honestly be morally outraged about
| invading the privacy of someone developing tools of war
| against you. Fwiw, I wouldn't blame Russia or China for
| trying this against the US gov or defense contractors
| either, but it's not like I'd be happy about it. My point
| is that that is not so much economic espionage or corporate
| espionage as much as it is just plain old espionage. It
| saves lives and protects American hegemony - which I
| recognize may be counter to many people's ideal situation.
|
| It's a nuanced thing. When you take two morally
| questionable things and reduce them down to both just being
| bad, the ones doing the worse things benefit. E.g. "all
| politicians lie" is a handy phrase for truly corrupt
| politicians because the ones who make small mistakes or
| half-truths are in the same bucket as them, and the outcome
| is apathy for the issue rather than being upset at all of
| it. Kinda the classic whataboutism trope - not to imply you
| are doing that, but just to say that's where it often
| leads.
| jimkoen wrote:
| So we're evaluating the US policy on international
| espionage on constructed examples now?
|
| > Let's imagine OpenAI was a Russian company
|
| Nevermind that they're not and that Russia can't
| currently develop these models, due to lack of silicon.
| All targets I mentioned, with the exception of the
| brazillian oil company we're in european states, at the
| time (and still!) closely allied with the US.
|
| > The distinction being made is that the NSA may steal
| data related to this, but they aren't just giving it to
| Google to make Bard better.
|
| How would you even know at this point? Who controls the
| NSA? There haven't been any leaks since the Snowden
| revelations and there likely won't ever be any again,
| since Snowden could only make his move due to some
| misconfigured/outdated network quota control software.
|
| Hell you can't even FOIA information about these
| policies, and agencies will go so far to withhold
| evidence in court when it concerns espionage! And soon as
| a court case involves this information, the court recedes
| from the public and is held in secret.
|
| My hostility against US policy is by no means anywhere
| above the european average, but when it comes to public
| statements about surveillance, I have no reason to trust
| the US Government. The Bush administration has proven
| that it is possible to flout the US constitution on a
| massive scale with just 10-12 people. At this point I
| can't blame people putting forward some crazy conspiracy
| theories about the deep state or qanon, because the US
| gov has given no indication to be believably concerned
| about compliance with their own laws.
| irreticent wrote:
| The NSA has been caught lying before (see: the Snowden
| leaks) so I wouldn't trust them to be forthcoming about
| their industrial espionage, if they are engaging in it. Of
| course they'd deny it.
| slackfan wrote:
| Sure. See you in the gulag, comerade
| RationPhantoms wrote:
| Oh please, the United States is so incredibly armed, my
| death will likely come at the hands of some misplaced
| right-wing militarized fascist group performing mass
| murders under the guise of "Freedom" and "A return to the
| constitutional purity of the US".
| digging wrote:
| I mean, that more or less describes most police
| departments in the country. And they are spying on you.
| slackfan wrote:
| I've been promised that that was going to happen any day
| now since the wrong person got elected back in 2000.
| Nearly a quarter century on I am beginning to suspect
| that somebody was overstating something, I can't quite
| put my finger on what though...
| cpursley wrote:
| Comrade is of Latin origin. In Russian, tovarisch is the
| correct term. At least get it right if you're trying to be
| edgy.
| slackfan wrote:
| Sounds like I hit a nerve?
| MSFT_Edging wrote:
| Gulag is just Russian for prison.
|
| The US currently has about 1.2M people in their gulags,
| comrade*
| slackfan wrote:
| Gulag (gulag) is the acronym for "Glavnoe upravlenie
| ispravitel'no-trudovykh lagerei" which translates to
| "Head management office of correctional work camps". And
| if you're going to go for all incarcerated, the number is
| actually somewhere in the 2.1mil range in the US, because
| hey, jails are a thing.
|
| Sorry that you're wrong on all three points.
| runeofdoom wrote:
| And if you are in a position where nation-states are a likely
| adversary, you'd best assume that _all_ commerically
| available hardware is compromised.
| isykt wrote:
| 100% agreed. If you're concerned about privacy, being tracked
| online by corporations is a bigger concern than the the NSA.
| If you're the target of an NSA investigation, you're already
| fucked. Changing your network equipment is not going to help.
| Minor49er wrote:
| On the contrary, changing equipment may actually help quite
| a bit when dealing with the NSA. The 2016 documentary "Zero
| Days" which was centered around the creation of Stuxnet
| showed that the NSA targeted specific hardware models to
| look for security holes. They had to buy matching hardware
| themselves and rigorously try to break it which took time
| and wasn't trivial to do
| sschueller wrote:
| A Mann is being executed in Saudia Arabia for tweeting a
| negative tweet about the government to his tiny following.
| Not exactly someone who thinks they are a target of a nation
| state.
|
| [1] https://www.hrw.org/news/2023/08/29/saudi-arabia-man-
| sentenc...
| RationPhantoms wrote:
| Not sure if this a joke but SA is the exact country I would
| expect to utilize spyware against its citizens.
| MSFT_Edging wrote:
| With how good of friends SA is with the US, its likely
| all they need to do is ask nicely for some dirt on an
| alleged dissident.
| tltimeline2 wrote:
| wasn't ubiquiti totally compromised in that breach a couple of
| years ago?
| stephen_g wrote:
| That was an insider trying to extort the company by
| pretending to be an outside hacker. He then posed as a
| whistleblower to try and throw investigators off the trail.
| [deleted]
| tristor wrote:
| No. It turns out that breach was faked, effectively. It was
| done by manipulating Brian Krebs. He's since issued a mea
| culpa (although a somewhat weak one):
| https://krebsonsecurity.com/2022/08/final-thoughts-on-
| ubiqui...
| stephen_g wrote:
| Pretty sure only the EdgeRouter and some of the older Unifi
| Security Gateways use Cavium chips. Most of the newer stuff
| (like the Dream Machine line) I don't think are anymore. None
| of the Unifi APs did either I don't think (the U6 ones have
| Mediatek chips in them)
| slau wrote:
| Annoyingly, the ER4 uses the Cavium Octeon III. I have a few
| of those in production.
| stephen_g wrote:
| Yeah, I have one at home too, so I really want more detail
| on what the exploit is (I wonder if if is perhaps IPSEC
| specific, like an RNG flaw since they talk about VPN and
| encryption appliances, or it could be something to do with
| Cavium HSMs and unrelated to the network processors).
| inferiorhuman wrote:
| Some of the EdgeRouter stuff (ER-Lite, ER-4) use Cavium SoCs.
| The ER-X uses a MediaTek SoC.
| colordrops wrote:
| Ubiquiti has many other problems besides this. The worst is
| their vendor lockin, where even basic network operations are
| not possible if you happen to have any non-ubiquiti hardware in
| your network. You should stay away.
| georgebashi wrote:
| Can you provide an example of this issue? This has not been
| my experience.
| colordrops wrote:
| People are misinterpreting me, thinking I mean that it's
| not even possible to intermingle equipment. That is not the
| case.
|
| The specific issue I ran into was that I had a non-ubuiqiti
| router and AP on my network, and there was absolutely no
| way to set firewall rules on the Ubiquiti gateway for any
| clients connected through the non-ubiquiti equipment. This
| should obviously not be a problem. The gateway provided
| those clients IP addresses through DHCP and they are in its
| ARP table, so it should be supported.
| Freestyler_3 wrote:
| I ran UBQT hardware with mikrotik router and third party
| firewall. UBQT replaced old frankenstein hardware that had
| the worst channel management etc. Everything got so much
| better, customers issues dropped to almost zero (sometimes
| was hundreds of issues a day) We always had other vendor for
| part of the network, and that had no impact.
| tssva wrote:
| I have a mix of Ubiquity and non-Ubiquity equipment and have
| no problem achieving not only basic but fairly complex
| networking operations.
| ricktdotorg wrote:
| okay, so assuming the US gov can access my private LAN data due
| to my use of the Ubiquiti USG as router/firewall, USG wifi APs
| etc, of what form would this data exfiltration take? can we
| please explore/explain how this "compromise" would happen in
| real-life.
|
| if i were sniffing for outbound WAN traffic as root on the
| unix-like that the USG run, would i see the exfiltration
| traffic? or is this [supposedly/apparently] happening at a
| lower layer that an OS can't see i.e. some kind of BMC or BIOS
| layer?
|
| wouldn't such traffic also have to navigate the
| varieties/restrictions of DOCSIS etc? or are they also
| compromised?
|
| is the worst-case scenario here some kind of giant C2 network
| with _waves hands_ tons of compromised lower-than-OS mini
| pieces of firmware exfiltrating data over _waves hands_
| compromised network providers hardware into the giant NSA AWS
| cloud?
| mrweasel wrote:
| I'm currently replacing my network equipment with Mikrotik, not
| because I believe it to be safer than Ubiquity, but because
| then at least it's made in the EU.
|
| But now I'm thinking: Is it better that the US is spying on me
| in Europe, vs. having EU governments do it? I feel like I'd be
| somewhat more safe from the US, compared to if my own
| government decides to spy on me. Maybe I should look into
| Chilean network equipment, I can't imaging that they'd have
| much interest in my online activities.
| manmal wrote:
| Europe doesn't make that many chips (unfortunately), chances
| are high there's US/Chinese components in there too. Since
| your network hopefully sees mostly encrypted traffic anyway
| (even if you're running Plex on the LAN, that should use
| SSL), I'd be more concerned about HW in desktops, notebooks
| and tablets.
| Freestyler_3 wrote:
| Other countries spy on you and sell it to your own country.
| BlueTemplar wrote:
| In democratic countries we also have rights against
| (unjustified) spying by our governments. Sounds like a better
| long-term plan for everyone is to make them work. Especially
| when even the ideal equipment won't do much against metadata
| spying by ISPs and cellphone carriers...
| isykt wrote:
| I think in order to address this question, we need to know
| more about your threat model.
|
| Are you a journalist working in a sensitive/dangerous area?
|
| Do you often participate in discussions with dissident
| groups?
|
| Do you frequently access content that is illegal in your
| jurisdiction?
| owenmarshall wrote:
| > But now I'm thinking: Is it better that the US is spying on
| me in Europe, vs. having EU governments do it? I feel like
| I'd be somewhat more safe from the US, compared to if my own
| government decides to spy on me.
|
| https://en.wikipedia.org/wiki/Five_Eyes
|
| > In recent years, documents of the FVEY have shown that they
| are intentionally spying on one another's citizens and
| sharing the collected information with each other, although
| the FVEYs countries claim that all intelligence sharing was
| done legally, according to the domestic law of the respective
| nations.
|
| So in practice, it's entirely irrelevant: your data will end
| up Hoovered up by someone, coated with a veneer of legality,
| and provided back to your government to act on (or not).
|
| Don't be too interesting to your government, I guess?
| BlueTemplar wrote:
| None of these are EUropean countries.
| andreasley wrote:
| I think at this point it's pretty safe to assume that all of
| the well-known network hardware is compromised.
| kome wrote:
| a good reason to buy huawei stuff ahaha
| tristor wrote:
| Huawei stuff is proven to be compromised, just not by NSA,
| instead by China.
| throwaway67743 wrote:
| It was never proven to be compromised though. GCHQ
| concluded after many years that they were sloppy, not
| malicious. All of the fear mongering by the US is what
| gave everyone the impression they were compromised.
| tristor wrote:
| I'm getting downvoted for saying something negative about
| China... as you do. :waves: Howdy wumao!
|
| Here's a link to one such article proving that Huawei
| networks are backdoored:
| https://www.cnet.com/tech/mobile/us-finds-huawei-has-
| backdoo...
|
| And an original source article in WSJ:
| https://www.wsj.com/articles/u-s-officials-say-huawei-
| can-co...
| NorwegianDude wrote:
| That's not proof, that's just an accusation. Huawei even
| offered up source access to customers as a way to prove
| that they didn't do that.
|
| Not saying they don't do such things, but the evidence is
| lacking.
| RockRobotRock wrote:
| People who disagree with me must be paid actors! I don't
| even disagree with you, it's just really cringe-worthy.
| tristor wrote:
| I'd usually agree, except when it comes to saying
| anything critical of China on the Internet, my statement
| is very true. The wumao is a real thing, and they're
| pervasive within online tech.
| RockRobotRock wrote:
| Well your comment isn't greyed out or flagged, so they
| must be on vacation today :)
| Aachen wrote:
| The first link depends on the second. The second requires
| some sort of sign up to read, but archive.is works as
| proxy https://archive.ph/Dov1N
|
| The proof amounts to essentially one sentence spoken by
| an unnamed source
|
| > U.S. officials said Huawei has built equipment that
| secretly preserves its ability to access networks through
| [lawful intercept interfaces]
|
| but I understand that source confidentiality is useful so
| if WSJ trusts that, perhaps so should I. Not sure I'd
| then go so far as to independently say it has been
| "proven" when all that I truly know is that someone else
| believes someone else who has a commercial interest in
| saying this. It's probably true but that's not the same
| thing
| NorwegianDude wrote:
| Isn't that just the US speaking in order to get more
| control? How is it proven? I've never seen any evidence
| of that, but there has been much evidence that the US
| does what they blames others of doing, like this and
| Cisco.
|
| At this point it seems the US is accusing others for
| doing bad things because that's what they themselves do.
|
| Huawei was growing really fast, threatening both Apple
| and Google. Then the US said it was not safe while trying
| to sabotage both smart phone sales and mobile networks
| sales. The US pressured allied countries to not choose
| Huawei for 5G, and didn't let companies work with them.
|
| Huawei was also willing to compromise by giving network
| operators acces to source code.
|
| Is Huawei bad? I don't know, and I've yet to see any
| evidence. Does the US do exactly what they are accusing
| other for? Yes, that has been proven multiple times.
|
| We live in a day where we talk about privacy and
| security, while giving large corporations full control
| over our iOS and Android devices. How useful is e.g. E2E
| encryption really when the os itself has a direct
| connection to the mothership?
| BlueTemplar wrote:
| China has a LOT to gain from industrial espionage, is
| extremely well known for its industrial espionage, and
| also happens to effectively own EU telecoms (the 5G thing
| was like a decade too late).
|
| It would be _astounding_ if they didn 't take advantage
| of this.
| DiogenesKynikos wrote:
| To my knowledge, no proof has actually been publicly
| presented for this claim. There have been a few stories
| that didn't pan out (like the one that boiled down to,
| "Huawei devices have telnet installed"), but no actual
| evidence of backdoors has come to light yet.
|
| This is despite the fact that Huawei has been under an
| extraordinary level of scrutiny for years. British
| intelligence was given extensive access to Huawei's
| hardware and code, as a condition of Huawei equipment
| being installed in the UK. We know from Snowden that the
| NSA hacked into Huawei HQ, but there's no indication that
| they found any evidence of backdoors. And despite running
| a global campaign to convince/pressure other countries
| not to use Huawei, the US hasn't publicly unveiled any
| evidence of Huawei backdoors. British officials have even
| admitted that the UK's decision to ban Huawei was based
| on pressure from the US, not evidence of wrongdoing.[0,1]
| This all makes me think that the US, UK et al. don't
| actually have proof of backdoors.
|
| 0. https://www.theguardian.com/technology/2020/jul/18/pre
| ssure-...
|
| 1.
| https://www.euractiv.com/section/politics/short_news/uk-
| bann...
| bigger_inside wrote:
| a CIA claim isn't "proof". I've never seen anything to
| prove it, just imperialist hysterics
| bhouston wrote:
| It is fair to think that if the CIA is compromising US
| companies, then China is likely doing the same to Chinese
| companies. To assume otherwise is wishful thinking.
| rakoo wrote:
| China is way less dangerous to me than the NSA
| Aaronstotle wrote:
| How is the NSA personally dangerous to you?
| lcnPylGDnU4H9OF wrote:
| Compared to any TLAs in China, the NSA is far more likely
| to take action against a US citizen for a thing that
| citizen chose to say. It's likely there's a low amount of
| actual danger but it's greater than that of what China
| poses.
| MSFT_Edging wrote:
| If you live in the US, you're under US federal
| jurisdiction.
|
| Unless you're regularly traveling to China or unearthing
| info that can seriously harm China, they're not going to
| send anyone after you.
|
| I rather be spied on by a foreign government than my own.
| [deleted]
| MaKey wrote:
| Where is the proof?
| kube-system wrote:
| Chinese law requires Huawei to cooperate with their
| intelligence agencies.
| DiogenesKynikos wrote:
| That doesn't prove anything. You're just saying that
| Huawei could theoretically be compromised, but the above
| commenter asked for evidence.
| kube-system wrote:
| They are compromised in terms of governance, and their
| legal environment _is_ the proof of this.
|
| Nobody has ever claimed that Huawei devices have
| backdoors. The issue is that the supply chain is
| compromised by legal means, not the hardware or software
| currently being shipped has technical vulnerabilities.
| DiogenesKynikos wrote:
| > Nobody has ever claimed that Huawei devices have
| backdoors.
|
| Just a few comments up in this thread, someone claimed
| definitively that Huawei equipment has been proven to be
| compromised, meaning backdoored.
|
| > They are compromised in terms of governance
|
| We don't have any known examples of Huawei being forced
| by the Chinese government to compromise its equipment.
| This is still a wholly theoretical discussion. In
| contrast, we know that the US government has inserted
| backdoors into American (and not just American)
| equipment, and is able to secretly compel companies to
| comply with US spying.
| Aachen wrote:
| As does the USA, so we shouldn't be using Windows or
| Yubico either, or virtually any other software/hardware
| from any other vendor because there's few countries that
| let you do illegal-over-there things without having a
| mechanism to force you
|
| It's a "pick your poison" situation, not a "they've got
| national security letters and so you can't trust them"
| one
| kube-system wrote:
| This is why security is not a "one size fits all"
| exercise. The first thing you must do is define your
| threat model.
|
| The reason the Chinese government doesn't want to build
| their telecom system on Cisco hardware is the same exact
| reason the USG doesn't want to do the same with Huawei
| hardware. Because neither government is delusional enough
| to think that parts/service/updates wouldn't be
| immediately sanctioned in times of war.
|
| The US and China are already sanctioning each other's
| tech. The risk of building critical infrastructure on it
| is obvious.
| DiogenesKynikos wrote:
| > The US and China are already sanctioning each other's
| tech.
|
| It's not symmetrical. Since Trump, the US has been
| extraordinarily aggressive in its use of sanctions
| against Chinese companies, whereas China has been very
| reluctant to retaliate directly.
|
| The US has sanctioned hundreds of Chinese tech companies.
| China has only recently begun to retaliate in kind, but
| has so far only sanctioned a few US companies (Micron is
| the only prominent example that comes to mind).
| HideousKojima wrote:
| Since the Snowden leaks (and honestly since long before)
| it's been safe to assume that if a nation state has the
| means and motive to commit <insert form of illegal
| surveillance here>, then they will.
| ElectricalUnion wrote:
| If anything, you probably need several layers of
| different, non-aligned country vendors to have some Swiss
| cheese model security. So some Huawei stuff, somewhere,
| as long as it isn't only Huawei stuff.
| slt2021 wrote:
| checkpoint firewall (Israel), PAN/fortinet firewall (US),
| and huawei firewall (china) daisy chained - should keep
| each other in sync and provide defense in depth :D
| J_Shelby_J wrote:
| lmao it's like using a multi-hop VPN to hop through
| multiple jurisdictions, but in your own home!
| phatfish wrote:
| Network designs i have seen often include this for much
| the same reason. A perimeter firewall is from one vendor
| and an internal firewall is from another. If there is a
| security issue with one device the other should not be
| effected in the same way.
| arecurrence wrote:
| This is a great idea in that they'll likely also patch
| their stuff when they discover the other team has
| exploited it.
| tekeous wrote:
| I wonder if MikroTik would be compromised- they're Latvian
| and don't necessarily have to bow to the NSA.
| ElectricalUnion wrote:
| Several MikroTik routers use marvel hardware underneath. So
| marvel might be compelled to backdoor the hardware for the
| NSA.
| chinathrow wrote:
| > have to bow to the NSA
|
| You don't have to bow in order to be compromised. You can
| be compromised without even knowing it.
| HideousKojima wrote:
| I assume by default that any hardware from any NATO nation
| is compromised by the NSA and other Western intelligence
| agencies. I also assume that any Chinese or Russian
| hardware is compromised by their respective intelligence
| agencies. And I assume that the NSA and other Western
| agencies are constantly trying to get backdoors into
| Chinese hardware (and I assume the Chinese are trying the
| do the same to ours). You're basically screwed no matter
| what.
| ok123456 wrote:
| Buy products that are compromised by both, and let them
| battle it out. Sort of like the inverse of the plot of
| the movie hackers.
| some_random wrote:
| Why would the NSA need to strong arm MikroTik to implement
| a backdoor when they can pay ~10k for an 0-day to do the
| exact same thing?
| irreticent wrote:
| Because zero day vulnerabilities are usually patched when
| discovered by the vendor. They're completely different
| than an intentional backdoor.
| pizzalife wrote:
| There's been plenty of remote 0days in MikroTik's products.
| At one point people were paying a pretty penny for them.
| somehnguy wrote:
| I think it's worth noting that these vulnerabilities
| affected devices which had their management page open to
| the internet, which is universally known as a bad idea.
| At least the ones I've seen.
|
| There is a big difference between an exploit affecting
| _all devices_ vs a subset which requires a specific not-
| best-practice configuration. Regardless, still good to be
| aware they exist.
| lowkeyoptimist wrote:
| Joking? LOL
|
| https://thehackernews.com/2023/07/critical-mikrotik-
| routeros...
| [deleted]
| smolder wrote:
| MikroTik has come up in their slides before, yes...
| paganel wrote:
| > they're Latvian and don't necessarily have to bow to the
| NSA. reply
|
| The majority (I'd say all) of the Eastern-European
| countries that are also NATO members do in fact bow to the
| US, and thus to the NSA/FBI/the Secret Service.
| greenie_beans wrote:
| i've always assumed they were the least secure of all my
| networking hardware
| [deleted]
| ilyt wrote:
| Flashing openWRT on some boxes is probably your best bet;
|
| Or, alternatively, treat your LAN/WiFI like public internet and
| don't send anything unencrypted thru it
| WhereIsTheTruth wrote:
| Why now? Looks like Snowden is being weaponized, wich might
| indicate that he is still part of the group he is denouncing, is
| he a psyop? What's the goal?
| r721 wrote:
| From one of Twitter replies:
|
| >... this is not new... It states in the article that this
| thesis from Jacob R. Appelbaum was released March 25, 2022. The
| only thing that makes these 'new' (?) is that electrospaces
| discussed September 14th
|
| https://twitter.com/vxunderground/status/1703995620250325405
|
| Electrospaces article discussion:
| https://news.ycombinator.com/item?id=37562225
| WhereIsTheTruth wrote:
| My question was why is it relevant today, specially after Arm
| going public, is the Mi6 trying to cover himself by
| denouncing the NSA?
| r721 wrote:
| Matthew Green is a well-known cryptographer, apparently he
| read Electrospaces piece, and noticed a thing which is
| interesting from a cryptography angle. So he posted a
| thread on Twitter, moyix submitted it here and people
| upvoted it to #1. Where is the supposed conspiracy?
| azinman2 wrote:
| If your threat model is Nation states, then you probably have a
| lot more to worry about than this chip, including compromising
| employees which is way easier, cheaper, and more effective.
| Havoc wrote:
| The risk impact isn't just nation states though. Intentionally
| weakened hardware makes you more vulnerable across the entire
| threat actor spectrum. Any of them could stumble across it
| whether through skill or luck.
| fidotron wrote:
| On a technical level this wouldn't be too surprising. Cavium
| hardware has things like configurable/programmable in hardware
| hashing of packets which can then be used by the (much slower,
| but in the Cavium case numerous) CPUs to decide how to handle it.
| Their SoCs contain enough that hiding something on there would
| not be impossible, and using the hashing/routing etc. that
| enabled performance requires trusting blobs from Cavium.
| declan_roberts wrote:
| The intelligence agency enjoyed a supremely underserved SURGE in
| popularity during the Trump era because they were seen as an
| enemy of Trump.
|
| Let's all get back to reality now. They LIE and influence US
| politics to preserve their operations (not political, it's self-
| preservation).
|
| If you see something like "100 former intelligence agents sign
| letter saying ..." then run, RUN!
| ChrisArchitect wrote:
| [dupe]
| ChrisArchitect wrote:
| More discussion earlier over here:
|
| https://news.ycombinator.com/item?id=37562225
| moyix wrote:
| Thanks, I missed that! It looks like the previous discussion
| didn't touch on the Cavium news, though.
| [deleted]
| 2OEH8eoCRo0 wrote:
| Do we need to do this every day?
| ReactiveJelly wrote:
| Every fucking day until democracy kicks in.
| codexb wrote:
| Democracy gave us the NSA
| [deleted]
| miguelazo wrote:
| No. Allen Dulles and the rest of the fascists gave us NSA.
| [deleted]
| NelsonMinar wrote:
| For anyone wondering "what's the big deal" it's worth remembering
| the NSA has a bad track record of keeping their own hacking tools
| secure. https://en.wikipedia.org/wiki/The_Shadow_Brokers
|
| It infuriates me the NSA actively works to undermine American
| security. Their brief is to protect us, not plant backdoors and
| then lose the keys.
| auntie_sam wrote:
| An extraordinary and superb act of commercial infiltration.
| Hearing news like this makes me proud to be an American - thank
| you, NSA!
| throwfaraway398 wrote:
| Original source from march 2022 :
| https://pure.tue.nl/ws/portalfiles/portal/197416841/20220325...
| page 71, thanks to wikipedia
| zimmerfrei wrote:
| More interestingly, Cavium (now Marvell) also designed and
| manufactured the HSMs which are used by the top cloud providers
| (such as AWS, GCP, possibly Azure too), to hold the most critical
| private keys:
|
| https://www.prnewswire.com/news-releases/caviums-liquidsecur...
| BlueTemplar wrote:
| [flagged]
| amluto wrote:
| ...which is really weird. At least Google and Microsoft are
| quite outspoken about their in-house secure element technology.
|
| If nothing else, at Google/Amazon scale, I'd be concerned about
| a third-party HSM losing data.
| teepo wrote:
| Time to leverage IBM Cloud KYOK model. You need level 4
| especially if you're using 3rd party: FIPS 140-2 Level 4
| certified HSM
|
| https://cloud.ibm.com/docs/hs-crypto?topic=hs-crypto-faq-
| bas...
| jhallenworld wrote:
| It's not surprising because who wants to make their own FIPS
| 140-2 level 3 compliant key store device?
|
| Also, the Cavium one was the fastest one on the market the
| last time I looked at this. Thales, Safenet and IBM also had
| them..
| bbarnett wrote:
| Gotta be better than Utimaco HSM cards. I've worked with
| them, and have issues with them throwing false low power
| alarms, and wiping for no reason.
|
| And tech support is horrible, incompetent.
| amluto wrote:
| Google? Titan appears to meet FIPS 140-2 level 1.
|
| I find the levels bizarre. Chromebooks are highly exposed
| to physical attack. Keys in the cloud are not nearly as
| exposed. Yet people seem okay with level 1 for chromebooks
| but apparently want level 3 in the cloud?
|
| I'd rather see a level 1 or level 2 _auditable_ cloud
| solution, with at least source available.
| fireflash38 wrote:
| Level 1 is pretty easy to meet IIRC. It's 2-4 that are
| hard, with pretty much no Level 4 certified ones on
| market I believe?
| jhallenworld wrote:
| The IBM one for z was level 4 I think..
|
| Yes: https://www.ibm.com/docs/en/cryptocards?topic=4768-o
| verview
| joezydeco wrote:
| Ayup. We use AWS CloudHSM to hold our private signing keys for
| deploying field upgrades to our hardware. And when we break the
| CI scripts I see Cavium in the AWS logs.
|
| Now I gotta take this to our security team and figure out what
| to do.
| d-161 wrote:
| The Intel Management Engine always runs as long as the
| motherboard is receiving power, even when the computer
| is turned off. This issue can be mitigated with
| deployment of a hardware device, which is able to disconnect
| mains power. Intel's main competitor AMD has
| incorporated the equivalent AMD Secure Technology
| (formally called Platform Security Processor) in virtually
| all of its post-2013 CPUs.
|
| https://en.wikipedia.org/wiki/Intel_Management_Engine
| Ylian Saint-Hilaire, principal Engineer working on remote
| management software including hardware manageability:
|
| https://youtu.be/1seNMSamtxM?feature=shared
|
| https://github.com/Ylianst
| supriyo-biswas wrote:
| I'd be surprised if you get anything more than generic
| statements about how they take security very seriously and
| they are open to suggestions, but avoid addressing the
| mentioned concerns directly (and this applies to all cloud
| providers out there, not just AWS).
|
| I'm sure a few others here would like to see their response
| as well.
| DyslexicAtheist wrote:
| wouldnt such a backdoor invalidate all promises made by
| external audits e.g.
| https://cloud.google.com/security/compliance/offerings and
| more importantly wouldn't it violate safe harbor agreement
| with the EU or whatever sham this safe-harbor was replaced
| with?
| joezydeco wrote:
| We've had other issues with our CloudHSM instance,
| especially with the PKCS1.5 deprecation on January 1. And
| their support has been pretty dismal. Not expecting much
| from them at this point.
| baz00 wrote:
| AWS support is pretty fucking terrible generally. We're a
| very high rolling enterprise customer and it's pretty
| obvious that some of their shit is being managed by two
| guys in a shed somewhere who don't talk to each other.
| ta988 wrote:
| The famous one poke bowl team. Saved costs on pizzas.
| tormeh wrote:
| Another satisfied user of AWS Glue, I see. On a scale of
| 10 to "I have no mouth and I must scream" how much do you
| hate their error messages?
| IntelMiner wrote:
| As someone who was IN AWS premium support, I got the
| distinct impression they had no idea what they're doing
|
| I was a Linux Sysadmin for a decade. They initially hired
| me to work on the "BigData" support team
|
| Then after hiring threw me into CI/CD instead. I told
| them I don't know python or ruby and would be a terrible
| fit
|
| I asked if I can join the Linux team. EC2 is bread and
| butter, that's easy stuff
|
| "Oh we're actually shutting that team down soon. I'll
| move you into containers instead"
|
| Spoiler: they didn't "shut down" the Linux group
| baz00 wrote:
| Thank you for this. Next time AWS try and tempt me over
| to them I'll tell them literally fuck off. Not up for
| those games.
| wdb wrote:
| Using AWS Greengrass?
| robertlagrant wrote:
| Hate Greengrass; Love joy.
| hhh wrote:
| Greengrass was so bad we built an entire edge platform.
| baz00 wrote:
| Never even heard of that one!
| SV_BubbleTime wrote:
| It's a cloud to edge system. Like hosting some of your
| stuff on the edge, think like a cloud that lives inside
| your factory.
|
| It confused me when researching it.
| wdb wrote:
| Imagine doing a job interview they ask do you know AWS.
| Sure, I know AWS, and explain what you built with
| Greengrass, Lambda's, RDS etc. and then get rejected for
| not knowing AWS lol
| amaccuish wrote:
| AWS Client VPN and Ubuntu 22.04... Need I say more?
| OBFUSCATED wrote:
| What issues are you having?
| TavsiE9s wrote:
| Have you had the pleasure of working with Azure? I'll
| take AWS any day over that dumpster fire.
| PcChip wrote:
| We work with Azure and don't have any major complaints
| about it - what were your issues?
| SV_BubbleTime wrote:
| We selected AWS for very modest needs, but sometimes I
| glance over at Azure and wonder if the grass is greener.
| I'll take your word on it though.
| seadan83 wrote:
| As someone that is deciding between AWS, Google and Azure
| - could give an outline of some of the Azure painpoints?
| Are there any blogs or other articles that outlines what
| your concerns would be?
|
| I'm pretty aware of how painful it can be to configure
| AWS well, IAM roles, the overly large eco-system that we
| won't need and unmitigated complexity to configure it
| all. It's not comforting to think Azure is worse yet.
| Sylamore wrote:
| I work on and off with both, AWS may be more feature
| complete in some areas but Azure is frankly easier to
| work with for me, I can actually get support on issues I
| have from Microsoft. And while I've generally only done
| so from the large enterprise account perspective,
| Microsoft is way more open to feature
| requests/enhancements than Amazon is. I don't have any
| experience with GCP so I can't speak on that.
| jiggawatts wrote:
| They're just different. People like the devil they know.
|
| The Azure Resource Manager system is much easier to use
| than the fragmented mess that is AWS.
|
| The problem with Azure is that they're still catching up
| to AWS. They have fewer products and the quality is
| worse.
|
| Really basic issues will remain unaddressed for years.
| theamk wrote:
| Nothing?
|
| I mean, you are already in US-based cloud, so if NSA is
| interested, they will just request information directly, no
| backdoors needed.
|
| (This is a good test for your security team, btw: if they say
| anything other that "we do nothing", you know its all
| security theater)
| joezydeco wrote:
| Very good point. That was the consensus from our team, so I
| think we're okay.
|
| Ironically, the data we're securing is _because_ of US
| government requirements. So if the government wants to spy
| on itself, who are we to say?
| garfieldnate wrote:
| But being able to request it and having a built-in backdoor
| for anyone with a key are different things. It has happened
| before that the Chinese government figured out network
| equipment backdoors that were put in for the US government.
| All your company secrets are there for the taking for
| anyone with the resources to figure out that backdoor.
| Especially now that people know it exists. Shouldn't this
| at least start the clock on expiring this hardware?
| datavirtue wrote:
| Nobody cares. If caring gets in the way of easy money.
| Spoiler...it does.
| catchnear4321 wrote:
| more accurately, nobody (with sufficient agency to act)
| cares.
|
| you wouldn't be cynical if you didn't care, or felt able to
| do anything about it.
| milesward wrote:
| Not Google..
| zimmerfrei wrote:
| Certainly Google (and Oracle and AWS):
|
| https://www.marvell.com/company/newsroom/marvell-enables-
| ent...
| progbits wrote:
| I'm not saying you are wrong but I can make a website which
| claims some cloud provider uses my hardware too. Their
| website is irrelevant. Do we have a Google (or AWS/...)
| page regarding this?
| iancarroll wrote:
| > Note: Currently, all Cloud HSM devices are manufactured
| by Marvell (formerly Cavium). "Cavium" and "HSM
| manufacturer" are currently interchangeable in this
| topic.
|
| https://cloud.google.com/kms/docs/attest-key
| progbits wrote:
| Thanks.
|
| Also, not great, hope the hyperscalers can diversify
| this.
| api wrote:
| Is there anyone here who actually thought cloud provider HSMs
| were secure against the provider itself or whatever nation
| state(s) have jurisdiction over it?
|
| It would never occur to me to even suspect that. I assume that
| anything I do in the cloud is absolutely transparent to the
| cloud provider unless it's running homomorphic encryption,
| which is still too slow and limited to do much that is useful.
|
| I would trust them to be secure against the average "hacker"
| though, so they do serve some purpose. If your threat model
| includes nation states then you should not be trusting cloud
| providers at all.
| jacquesm wrote:
| Lots of people believe that. They believe truthfully you can
| get to the level of AWS, MS, Google, Facebook or Apple whilst
| standing up to the nations that host those companies. I've
| walked into government employees in the hallways of tiny
| ISPs, I see no reason to believe at all that larger companies
| are any different _except_ for when easier backdoors have
| been installed.
| BlueTemplar wrote:
| The really concerning part is to be STILL believing that
| after the Snowden scandal, after everybody has seen the
| slides that explain in detail how the NSA sends an FBI team
| to gather data from (then, in 2013) Microsoft, Yahoo,
| Google, Facebook, PalTalk, YouTube, Skype, AOL, Apple (and
| Dropbox being planned).
|
| Also how Yahoo first refused but was forced to comply by
| the Foreign Intelligence Surveillance Court of Review.
|
| https://www.electrospaces.net/2014/04/what-is-known-about-
| ns...
|
| (Note that supposedly, "the companies prefer installing
| their own monitoring capabilities to their networks and
| servers, instead of allowing the FBI to plug in government-
| controlled equipment.")
| mobilio wrote:
| And for Yahoo this was reason why Alex Stamos resign:
| https://arstechnica.com/tech-policy/2016/10/report-fbi-
| andor...
| luxuryballs wrote:
| I always just tell people to lookup "Lavabit" to learn
| everything you need to know.
| byteknight wrote:
| To save others a goog:
| https://en.wikipedia.org/wiki/Lavabit
|
| > Lavabit is an open-source encrypted webmail service,
| founded in 2004. The service suspended its operations on
| August 8, 2013 after the U.S. Federal Government ordered
| it to turn over its Secure Sockets Layer (SSL) private
| keys, in order to allow the government to spy on Edward
| Snowden's email
| rvba wrote:
| > He also wrote that in addition to being denied a
| hearing about the warrant to obtain Lavabit's user
| information, he was held in contempt of court. The
| appellate court denied his appeal due to no objection,
| however, he wrote that because there had been no hearing,
| no objection could have been raised. His contempt of
| court charge was also upheld on the ground that it was
| not disputed; similarly, he was unable to dispute the
| charge because there had been no hearing to do it in.
|
| Land of the free...
| eightysixfour wrote:
| I don't know how many believe it and how much is willful
| ignorance. The big cloud providers make big mistakes but
| how many trust their organizations to do better against a
| nation state level actor?
|
| The underlying architectures of our systems are not secure
| and much of the abstractions built on top of them make that
| insecurity worse, not better.
|
| For nation state level issues, the solution likely isn't
| technical, that is a game of whack-a-mole, it will take a
| nation deciding that digital intrusions are as or more
| dangerous than physical ones and to draw a line in the
| sand. The issue is every nation is doing it and doesn't
| want to cut off their own access.
| enkid wrote:
| If your threat model includes the nation state where you
| physical infrastructure is, you're hosed.
| vasco wrote:
| I mean in the end everything is people just like Logan Roy
| said in Succession. Cryptography or any software
| protections are the same. It's a great quote that is very
| true:
|
| > "Oh, yes... The law? The law is people. And people is
| politics. And I can handle of people."
| jhugo wrote:
| "I can handle of people"? Cannot parse.
| dralley wrote:
| I think that was a mobile typo. The quote is just "I can
| handle people"
| vasco wrote:
| That's exactly what happened!
| PeterStuer wrote:
| Addendum: if your threat model includes any nation state
| that has significant ties to the nation state that hosts
| your physical or transit infrastructure, you're hosed.
| Obscurity4340 wrote:
| How might this apply or what are the implications of
| Signal given its US jurisdiction?
| Natanael_L wrote:
| Signal relies on the client program to not be compromised
| to keep conversations secret
| outworlder wrote:
| > If your threat model includes the nation state where you
| physical infrastructure is, you're hosed.
|
| True. But even if you trust your nation state 100%, having
| a backdoor means you now have to worry about it falling
| into the wrong hands.
| jacquesm wrote:
| Even if you trust your nation state 100% having a
| backdoor means it has already fallen into the wrong
| hands. That's because 'nation state' is not synonymous
| with 'people running the nation state'.
| api wrote:
| Literally hosed. There's a funny jargon term "rubber hose
| cryptography" that's used to refer to the cryptanalysis
| method where you beat someone with a rubber hose until they
| give you the key. It's 100% effective against all forms of
| cryptography including even post-quantum algorithms.
| ipaddr wrote:
| You would be surprised that for a percent this would not
| work. Some even like it. Some have a deathwish and want
| to be a martyr. Some people blow themselves up to further
| a cause. Also put under heavy stress memories of keys
| cannot be recalled at times.
|
| It's probably slightly less effective than threatening to
| kill family members but probably more than threat of jail
| time.
|
| Either way you require someone alive and with mental
| awareness. The mind reading tools found in science
| fiction hasn't been developed yet.
| jacquesm wrote:
| We're talking about normal people, not psychopaths.
| l33t7332273 wrote:
| Terrorists are generally highly altruistic, not
| psychopaths.
|
| It's a lot easier to blow yourself up(or to spread
| ideology which encourages it)for a cause that you believe
| is helping people, in particular _your_ people.
| jacquesm wrote:
| The terrorists that blow themselves up and that blow
| other people up are usually misguided brainwashed angry
| young men. It's nothing to do with ideology, everything
| to do with power. Or did you think blowing up schools
| full of girls is something people genuinely believe helps
| their people, to give just one example?
|
| Ordinary people just want to be left alone. Old guys
| wishing for more power will use anything to get it,
| including sacrificing the younger generations.
| l33t7332273 wrote:
| > did you think blowing up schools full of girls is
| something people genuinely believe helps their people
|
| It absolutely is something that they think helps their
| people, yes.
| jacquesm wrote:
| No, it's something that a bunch of old guys with issues
| told them helps their people.
|
| Beliefs stop when they are no longer about yourself but
| about how _other_ people should live. Especially when
| those other people loudly protest that this is how you
| think they should be living. Killing them is just murder,
| not the spreading of ideas.
|
| But hey, those human rights are just for decoration
| anyway.
| l33t7332273 wrote:
| > it's something that a bunch of old guys with issues
| told them helps their people
|
| I don't understand why you said "no" before this; I
| believe this agreed with what I'm saying.
| rangerelf wrote:
| It doesn't matter, something will be found that will
| coerce them into talking. Nobody is an island. Everyone
| has a breaking point, if it's not rubber hoses, it's
| socks full of rocks, or it's bottles of mineral water, or
| any number of methods. Don't think for a second that
| someone hasn't thought of a better way to get information
| out of somebody else.
| aborsy wrote:
| This would not work well, because you can't do it in a
| secret manner. Overuse of the rubber hose cryptography
| will become known, and there will be public backlash.
| eastbound wrote:
| Seems like the NSA is threatening everyone of arrest
| (=state-organized violence) if they don't secretly give
| them keys, and Snowden revealed it, and there is no
| public backlash.
| dmayle wrote:
| That's actually not true. It can do nothing about M of N
| cryptography. (That's when a key is broken up such that
| there are N parts, and at least M (less than N) are
| required to decrypt. It doesn't matter how many rubber
| hoses you have, one person can fully divulge or give
| access to their key and it's still safe.
| jacquesm wrote:
| Sure, so you hit all of the people that have all of the
| pieces. Problem solved.
| saalweachter wrote:
| Or you publicly announce you're hitting 1 of the N people
| with the rubber hose until M-1 of the other people send
| you their key fragments.
|
| It's not like these keys are shared among disinterested
| strangers who have no attachment to each other.
| kyleplum wrote:
| That situation just requires a longer hose
| gabereiser wrote:
| and more beatings.
| snoman wrote:
| Or M hoses.
| hn_version_0023 wrote:
| I always giggle a little when really smart people forget
| _thugs_ exist and do what they're told. If that includes
| breaking the knees of M people to get what they're after,
| then M pairs of knees are gonna get destroyed.
|
| This isn't hard to understand, but it's easy to forget
| our civilization hangs by a thread more often than any of
| us care to admit.
| MichaelZuo wrote:
| Any organization that is really really serious about
| security will obviously keep at least N-M +1 folks, along
| with their family, in other countries.
|
| Which is a much much higher bar to clear for any would be
| rubber hose attackers.
| solardev wrote:
| Your secrets aren't really safe unless Xi and Putin each
| have part of your key personally memorized.
| __alexs wrote:
| I think you can probably get away with only breaking one
| pair of knees and sending a video of it to the other
| people.
| solardev wrote:
| Youtube would delist that before they could all see it
| though.
| sofixa wrote:
| You know there are other ways to have a video and send it
| to people than YouTube, right? You can just email a link
| from dropbox or gdrive, or an attachment, or send a
| WhatsApp/Telegram/etc. message, send a letter with a USB
| drive, etc.
| solardev wrote:
| Yes. It was just a dumb joke :/
| actionfromafar wrote:
| Are we deep enough in the thread for the customary
| reminder that each measure makes it incrementally harder
| to attack a system?
|
| (Including a system of people.)
|
| Even nation state adversaries don't have infinite
| resources to allocate for all opponents.
| ibejoeb wrote:
| I don't remember the provenance of the quip, but
| somewhere at a def con or a hope, I heard, "The point of
| cryptography is to force the government to torture you."
| jacquesm wrote:
| They're perfectly ok with that, and depending on where
| you live this may happen in more or less overt ways. If
| the government wants your information, they will get your
| information. Your very best outcome is to simply rot in
| detention until you cough up your keys.
| ibejoeb wrote:
| Now that I think about it, I'm pretty sure it was a
| session about root zone security, and Adam Langley was in
| the room. I was thinking, damn, kinda sucks to be the guy
| that holds Google's private keys. They want _someone 's_
| information, so they let you rot...
| jazzyjackson wrote:
| power in numbers
|
| can't torture us all!
| Randomizer42 wrote:
| That's hyperbole
| LinuxBender wrote:
| This probably works if each person has a cyanide+happy
| drug pill or a grenade and is willing to sacrifice
| themselves and the rubber-hoser(s). I think that requires
| a rare level of devotion. This process must also disable
| a simple and fragile signalling device to let the others
| know what's coming.
| pixl97 wrote:
| Lets say for example
|
| Bob, Jon, and Tom have pieces of the key. Bob and Jon are
| in the US and arrested over and commanded by a court to
| give up the key. Tom is the holdout. The US will issue an
| international arrest warrant, and now Tom can never
| safely fly again or the plane will be diverted to the
| nearest US friendly airport where they will be
| extradited. So, yea, "safe" is very situational here.
| BurningFrog wrote:
| Doesn't Tom's key fragment have to be on a disk somewhere
| for things to work?
|
| That's the actual weak link to attack.
| wsc981 wrote:
| I feel the same and Snowden kinda said as much regarding
| phones. To assume each phone is compromised by state level
| actors.
| TheRealDunkirk wrote:
| I mean, there's a reason that the government was involved
| with setting up the first cell networks. No assumptions
| need to be involved. They ARE all compromised.
| RF_Savage wrote:
| Lawful intercept has always existed in phone networks.
| Just that one cannot use that in non-allied nations.
| TheRealDunkirk wrote:
| You're missing the point. It was designed to be
| transparent to interception efforts up front, so you
| can't tell if you're being surveilled, lawfully or not.
| johnklos wrote:
| It's interesting to consider the people who, with the very
| same set of facts, come to completely opposite conclusions
| about security.
|
| For instance, Amazon has a staff of thousands or tens of
| thousands. To me, that means they can't possibly have a good
| grasp on internal security, that there's no way to know if
| and when data has been accessed improperly, et cetera. To
| others, the fact that they're a mega-huge company means they
| have security people, security processes and procedures, and
| they are therefore even more secure than smaller companies.
|
| For one of the two groups, the generalized uncertainty of the
| small company is greater than the generalized uncertainty of
| the large. For the other, the size of the large makes certain
| things inevitable, where the security of smaller companies
| obviously depends on which companies we're talking about and
| the people involved. More often than not, people want to
| generalize about small companies but wouldn't apply the same
| criteria to larger companies like Amazon.
|
| There's a huge emotional component in this, which I think
| salespeople excel at exploiting.
|
| It fascinates me, even though it's a never-ending source of
| frustration.
| bowmessage wrote:
| See the Cryptographic Control Over Data Access [0] section
| here for one answer to this problem.
|
| [0] https://cloud.google.com/blog/products/identity-
| security/new...
| BlueTemplar wrote:
| That's nice, but the only reasons that public clients would
| use a well known bad actor from a rogue state is laziness /
| incompetence.
| numbsafari wrote:
| I believe this is why the government of Singapore appears to
| fund a lot of work on homomorphic encryption.
|
| Even when you are a nation state, you still have to worry
| about other nation states.
| arter4 wrote:
| Especially when you are a nation state.
| lokar wrote:
| Cloud HSM services have always been understood as a
| convenience with limited real world security, without even
| considering nation state threats.
| dclowd9901 wrote:
| I think there's such a thing as plausible deniability here.
| We didn't know for certain so we weren't culpable, but now
| that it's public record, we really have to do something about
| it or risk liability with our customer data.
| ipaddr wrote:
| The cloud act ensures this
| TheRealDunkirk wrote:
| > If your threat model includes...
|
| At my Fortune 250, our threat model apparently includes --
| rather conveniently and coincidentally -- everything! Well,
| everything they make an off-the-shelf product for, anyway. It
| makes new purchasing decisions easy:
|
| "Does your product make any thing, in any way, more secure?"
|
| "Uh... Yes?"
|
| "You son of a bitch. We're in. Roll it out everywhere. Now."
| Macha wrote:
| Ahh, I've been there. I'm sure no concern is given for
| usability of the result.
|
| Welding your vault shut may make it harder for thieves to
| break in, but if your business model requires making
| deposits and withdrawals, it's somewhat less helpful.
| lazide wrote:
| Luckily, all but tiny portion of security products have a
| door you can open if you ask support nicely enough you
| didn't know about before. So you can still get your stuff
| after you weld the door shut.
| calgoo wrote:
| And then when there is a security issue you ask them share
| the log files from all their spyware and suddenly half the
| stuff needed is not there because we did not get that
| module.
| lazide wrote:
| Or 'oh, that feature hasn't been rolled out yet, expect
| it in 6 quarters.'.
| jdwithit wrote:
| This reminds me of our own security team, who as far as I
| can tell do nothing but run POC's of new security tools.
| And then maybe once a year actually buy one, generating a
| ton of work (for others) to replace the very similar tool
| they bought last year. Seems like a good gig.
| Bluecobra wrote:
| And the sad/funny thing is that said tool would probably
| do diddly squat if one employee falls for a social
| engineering/phishing attack.
| hiatus wrote:
| There's no thought given to if the cost to secure the thing
| outweighs the risk of exposure?
| TheRealDunkirk wrote:
| I'm not privy to those discussions, but it certainly
| doesn't feel like they're happening. We implement every
| security "best practice," for every project, no matter
| how big or small. We have committees to review, but not
| to assess scope, only to make sure everything is applied
| to everything. Also, we have multiple overlapping
| security products on the corporate desktop image. It
| feels EXACTLY like no one has ever tried to gauge what a
| compromise might cost.
| [deleted]
| amenghra wrote:
| You don't need to think about this in a binary fashion. You
| can split your trust across multiple entities. Different
| clouds, different countries, or a mix of cloud and data
| centers you own.
| w7 wrote:
| Is this not just related to the Dual_EC_DRBG and other tainted
| RNG issues we've known about, and mitigated, for years?
|
| You can see discussion on this going on as far back as 2015,
| explicitly in regards to what "SIGINT enabled" means and Cavium:
| https://www.metzdowd.com/pipermail/cryptography/2015-Decembe...
|
| Am I missing something here? People are talking as if there is
| some new backdoor that's somehow avoided detection. Did everyone
| just miss this discussion in 2015?
|
| Discussion of the "Sigint Enabling Project" goes as far back as
| 2013 on HN itself.
| AndrewKemendo wrote:
| Genuinely, at this point you should just assume 100% of your
| electronics are compromised by someone. If it's not a government
| (yours or otherwise) then a corporation will fill the gaps (while
| in most cases also giving it to those governments)
|
| You should assume you have no privacy anywhere in your life.
| eimrine wrote:
| I have a laptop with no communications functioning and I'm sure
| it is not compromised. The proof of it is openly stored the
| wallet.dat file with no any password.
| AndrewKemendo wrote:
| Is the idea to challenge someone to prove you wrong?
|
| Or are you suggesting that there no way for one of the
| aforementioned groups to recover your data remotely should
| they have a focused desire to recover it?
| ZoomerCretin wrote:
| I'm looking forward to someone explaining to me why Chinese
| telecom equipment should continue to be off limits. Is the
| problem that we are afraid of possible Chinese backdoors, or that
| Chinese telecom equipment isn't backdoored by the NSA?
|
| An interesting question I'd like answered: Are the TPM 2.0
| modules that Microsoft is requiring for Windows 11 installs
| similarly backdoored?
|
| https://www.theverge.com/2013/6/6/4403868/nsa-fbi-mine-data-...
|
| I think it's a safe assumption that all American microprocessors
| have backdoors.
|
| What does this mean for OpSec? If I am a dissident (or garden-
| variety cyber criminal), how do I evade my online activities
| being tracked by a sufficiently determined team at the NSA? We've
| known (or have assumed to know) for years that CPUs produced by
| AMD, Intel, and Apple have backdoors. If my machine lacks any
| personally identifying information, only interacts through the
| internet through a network device that uses a VPN and encrypted
| tunneling, then I should be fine in spite of CPU/OS backdoors.
| However, using a VPN with encrypted tunneling doesn't seem to be
| enough if my router also has a backdoor, and the data or
| encryption keys can be intercepted and tied to the personal
| information I've given my ISP.
|
| Where do we go from here? Do I need a Loongson-based PC and a
| Chinese router on top of an encrypted VPN? Obviously we have to
| assume that these are all backdoored as well, but that shouldn't
| matter as my activities don't likely won't make me a target of
| the PRC.
| jacknews wrote:
| I'm extremely sure it's far from the only one, and the practice
| is not limited to the US govt.
| AtNightWeCode wrote:
| At the end of the day. We need cryptography that is
| understandable. There is absolutely zero need for the complexity
| in this field that exists today.
|
| And we need something better than just private keys.
| belter wrote:
| Ok the claim is the CPU was compromised and they were using ARM
| based tech. Is then ARM compromised? Cavium is now Marvell
| Technology.
| Fnoord wrote:
| > Ok the claim is the CPU was compromised and they using ARM
| based tech.
|
| MIPS and ARM.
|
| And Linux MIPS doesn't even have DEP and ASLR.
| monocasa wrote:
| Or other elements of an SoC. Biased RNG would be a good bet.
| moyix wrote:
| ARM just licenses the ISA and provides some reference designs.
| Individual manufacturers can (and often do) add their own
| extensions and design the actual chips.
| greatNespresso wrote:
| I wonder, how would one find out such backdoors at the CPU level?
| And also, are Snowden's leaked documents archived somewhere?
| pwarner wrote:
| Maybe there's something sinister here, or maybe Cavium and other
| similar network chips can be used for sigint, as well as many
| other things. Basically these are chips designed to look at every
| packet and can be programmed to take action on them. One could
| program a chip like this to find all the packages from user X and
| send an extra copy over to user Y (NSA). It's possible all this
| tweet means is that these NP chips are powerful and flexible
| enough to perform sigint. I wonder if this is like saying Intel
| CPUs can be used to evil things. Or C. Of course it's possible
| there is a back door, but that seems like the less likely
| scenario.
| samgranieri wrote:
| So in real life terms, what does this mean for people that own
| USG3s? If you're so inclined, replace it? Or not use the VPN
| feature in the Unifi admin console?
|
| Personally, I just forward all WireGuard traffic to another
| computer on my network and use https://github.com/burghardt/easy-
| wg-quick to setup a simple VPN.
| stephen_g wrote:
| We don't know which types of Cavium products may have
| vulnerabilities, which models or what the nature of it is
| (could be only applicable to certain features, sounds like
| possibly related to VPN acceleration).
|
| So absolutely no way to know whether anything _needs_ to be
| done or not, unless you expect you're at risk of a nation state
| actor having a reason to specifically target you, in which case
| it'd be wise to stop using it.
| BlueTemplar wrote:
| What kind of people ? Your average person can't do squat if
| targeted by a state actor anyway (except complaining to their
| own state about it, and let them sort it out).
|
| It's another thing when it comes to resisting surveillance
| capitalism :
|
| https://web.archive.org/web/20180919021829/https://www.alexr...
|
| It's completely disproportionate that Hollywood is making
| people lose control of their own computers because they are
| worried about _copyright infringement_ !!
|
| That a boycott of Intel and Ryzen CPUs, "Trusted" Platform
| Modules, and Windows (8+) also probably makes the job of
| NSA/CIA/FBI harder (because they have likely backdoored them)
| is just a bonus.
|
| (Of course there's also a potential failure mode that some much
| more hostile actors might get their hands on some of these
| backdoors, but it doesn't seem worth worrying about it until we
| get a high profile example of that happening ?)
|
| Of course if you have the responsibility of, say, protecting
| your non-US company from industrial espionage, the situation is
| very different.
| einvolk wrote:
| I feel so proud to be part of a nation that goes to such
| remarkable lengths to protect its citizens! Go go USA!
___________________________________________________________________
(page generated 2023-09-19 23:00 UTC)