

Codename: TURBINE. Your computer may already be owned.
March 12, 2014 9:13 AM

Top-secret documents reveal that an elite unit at the National Security Agency has developed technology allowing it to automatically install malware on millions of computers worldwide in what it calls 'industrial-scale exploitation'. TURBINE, developed by the NSA's Tailored Access Operations unit (mentioned previously here), is a command-and-control suite automating tasks that previously had to be performed manually: Using 'internet chokepoints' and a capability called SECONDDATE, the NSA can perform man-in-the-middle attacks to quietly redirect web browsers to FOXACID malware servers en masse.
posted by anemone of the state (115 comments total) 43 users marked this as a favorite

 
Well, as long as there's no possible way this could go horribly wrong we should be okay.

After all, the US government is completely trustworthy in these matters. Look how well they respect and enforce civilian privacy, for example.
posted by zarq at 9:17 AM on March 12 [15 favorites]


details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.”

Potentially infect? Please. I am assuming that Intel, AMD, and Qualcomm (who make the processors for most mobile phones) have already been forced by successive administrations to put NSA backdoors into all of the silicon. Surely Cisco, Juniper and all the rest have also compromised their gear at the behest of the American government.

Right? I mean the US government accuses the Chinese of forcing Huawei and ZTE of doing the same thing.

The US also accuses the Chinese of copying American technology - why wouldn't they copy this as well?
posted by three blind mice at 9:19 AM on March 12 [6 favorites]


The US government has a very good record of accusing other countries of doing something, and then spinning on its heel and doing the exact same thing.
posted by anemone of the state at 9:21 AM on March 12 [3 favorites]


If only there were a viable party we could all vote for that was against this.
posted by ZenMasterThis at 9:22 AM on March 12 [35 favorites]


three blind mice: "I am assuming that Intel, AMD, and Qualcomm (who make the processors for most mobile phones) have already been forced by successive administrations to put NSA backdoors into all of the silicon. "

Assuming they have, reaching computers en masse would presumably still be difficult. Backdoors usually require individual (one-at-a-time) access -- personal attention. The method discussed in the FPP would allow them to do so.
posted by zarq at 9:25 AM on March 12


Edward Snowden: the gift that keeps on giving
posted by photoslob at 9:35 AM on March 12 [23 favorites]


Ever since I first read "Reflections on Trusting Trust" by Ken Thompson (designer of Unix), I have realized beyond a certain level there is absolutely nothing I can do to ensure that the computer systems I use are secure. Even though I always knew these sorts of things were theoretically possible, the scale of the capabilities the NSA has actually implemented continues to amaze me.

We should pay more attention to paranoid security researchers. Where there's a security loophole, there's someone who will exploit it.
posted by grouse at 9:35 AM on March 12 [6 favorites]


Potentially infect? Please. I am assuming that Intel, AMD, and Qualcomm...have already been forced by successive administrations to put NSA backdoors into all of the silicon. Surely Cisco, Juniper and all the rest have also compromised their gear at the behest of the American government.

The solution? Buy Latvian.
posted by cosmic.osmo at 9:35 AM on March 12 [3 favorites]


This information is 4.5 years old at this point. Assume that whatever is described as a planned capability, or as ramping up to scale, is today fully deployed and operational in the wild.
posted by T.D. Strange at 9:35 AM on March 12 [5 favorites]


Open Source Hardware! GNUCPU!
posted by blue_beetle at 9:37 AM on March 12 [5 favorites]


I clicked into a C-SPAN hearing on the appointee to the NSA and Cyber Command Vice Admiral Rodgers. He gave all the right answers to the Dems' questions about transparency and such. But when the more defensive issues were raised by Senator Graham the term that I noticed as more lively interest was "deterrence".

The term was bandied about without too much definition but it clearly is cyber attack. They want to be able to do all the hacker stuff, to the bad guys.

Looking forward to the new Router MAD, where the entire net goes down.
posted by sammyo at 9:39 AM on March 12


Assume that whatever is described as a planned capability, or as ramping up to scale, is today fully deployed and operational in the wild.

I think it more likely that the capability is obsolete and replaced by something much more capable. Thought-controlled data mining or something - honestly, my imagination is not so productive as those working for the NSA, so it's almost certainly worse than I can imagine.
posted by Kirth Gerson at 9:43 AM on March 12 [3 favorites]


Open Source Hardware! GNUCPU!

Even if you were somehow able to manufacture an entire PC's hardware without an interested party figuring out a way to alter it, unless you can review and confirm the security of every line of code for the drivers, the protocols, and the software you install on that machine, it's not going to do you any good.

Take a look at the Operation Orchestra post a while back, and see why the NSA loves open source projects, and how they quash inventions, software, and startups that would make the NSA's job harder.
posted by chambers at 9:45 AM on March 12 [2 favorites]


The least our spy overlords could do would be to make the powerpoint slide look cool, but instead it's a dropshadowed, bevelled, gradienty, useless mess.

called the “Expert System,”
This is a term of art, not something made up by the NSA.
posted by BungaDunga at 9:47 AM on March 12


anemone of the state: The US government has a very good record of accusing other countries of doing something, and then spinning on its heel and doing the exact same thing.

The US has a long record of accusing other countries of doing exactly what they are doing themselves already.

Psychopaths rationalise their actions by telling themselves that "everyone else would do this to me if they had the chance". That's the US in a nutshell - the recent brouhaha in Congress over Chinese hacking was a fine example of psychological projection in action.
posted by pharm at 9:47 AM on March 12 [5 favorites]


I think it more likely that the capability is obsolete and replaced by something much more capable. Thought-controlled data mining or something - honestly, my imagination is not so productive as those working for the NSA, so it's almost certainly worse than I can imagine.

If this info is at all accurate, and the NSA has the capability to defeat VPN crypto in real-time, they almost certainly have the capability to decode all TOR traffic, trace bitcoin transactions and defeat any currently deployed public encryption. The security game is up, if the NSA wants what you know, they have it.
posted by T.D. Strange at 9:49 AM on March 12


I wonder how relevant this is currently. Browsers have gotten a lot more secure in the last two years, and most of the recent NSA network exploits mention using MITM to popular sites as an infection mechanism. Similar to how the article mentioned spam email becoming less popular, assuming browser based exploitation is in fact more expensive I wonder what infection mechanisms they're targeting now.
posted by yeahwhatever at 9:51 AM on March 12


T.D. Strange: they almost certainly have the capability to decode all TOR traffic

The available information suggests that they can't crack TOR itself and that fact really ticks them off. Hence having to fall back to browser hacking techniques and the like.
posted by pharm at 9:55 AM on March 12


T.D. Strange: I don't think this article claims that. The NSA articles have repeatedly said things we largely already knew: our endpoint security is awful, but our math seems to be holding up all right. So yes, if you mean they can defeat any of those via a compromised endpoint, but no if you mean the constructs are fundamentally broken.

Back to the topic of the article, I'm happy to see they went to Matt Blaze for comments. The dude is very legit, and is one of the better public security researchers.
posted by yeahwhatever at 9:55 AM on March 12 [4 favorites]


If they are going to do this kind of nasty shit the least they could do is clean the other malware off my system. Also if you periodically clean my parent's computer that'd be great too.
posted by srboisvert at 9:56 AM on March 12 [17 favorites]


sammyo: Looking forward to the new Router MAD, where the entire net goes down.

Actually, the potential danger (or opportunity à la Gibson's Zero History) is to the financial markets. Gaming order flow is how you'd use such a system to wreak the most amount of damage (or profit) in the shortest possible amount of time.

I mean, if we're considering that this was also deployed as a potential weapon, not just to intercept our nudies.
posted by digitalprimate at 9:57 AM on March 12 [4 favorites]


trace bitcoin transactions

Everyone can trace bitcoin transactions, they're public- that's the point. Keeping your Bitcoin address disconnected from your identity is pretty hard if the NSA is watching, though.

called the “Expert System,”
This is a term of art, not something made up by the NSA.


Actually on reflection this line makes me worry a bit about the article, see the Igon Value Problem.
posted by BungaDunga at 10:05 AM on March 12 [4 favorites]


What next, irl Curious Yellow? The sky is not even the limit with this culture at the NSA.
posted by Slackermagee at 10:12 AM on March 12 [1 favorite]


One day, one of these surveillance back doors is going to be found by a malicious party and exploited so brazenly and catastrophically that it threatens the survival of online commerce. Let's say someone uses it to release a keylogger that watches the physical input stream for numeric patterns corresponding to credit card numbers and then sends a screenshot and a memory dump whenever it finds it. Let's say they use an NSA exploit to get it on every American's PC. This sort of thing is an existential threat to Apple, Amazon, and many others.

I see it almost the same way as the Manhattan Project's concern about atmospheric ignition prior to the Trinity explosion, except in this case, we don't have the certainty of physics to comfort our worries. In fact, we have the opposite: the knowledge that security researchers are highly motivated and capable of finding these things now that they know they exist. No one will destroy the world with spycraft, but they could easily and inadvertently tank the economy.
posted by feloniousmonk at 10:14 AM on March 12 [5 favorites]


I wonder if any of their operations actually promote security anymore instead of undermining it.
posted by Foosnark at 10:15 AM on March 12 [5 favorites]


I'm supposed to be afraid of Vladimir Putin this year, right?
posted by spitbull at 10:25 AM on March 12 [11 favorites]


I just forget. Last year it was Chinese hackers.
posted by spitbull at 10:26 AM on March 12 [5 favorites]


Among several others. Snowden, Manning, and Assange are still terribly, terribly dangerous.
posted by Kirth Gerson at 10:26 AM on March 12 [4 favorites]


Because they threaten the NSA's freedom.

Freedom!
posted by Kirth Gerson at 10:28 AM on March 12 [1 favorite]


So what are the odds this is being distributed via downloads of Popcorn Time?
posted by chavenet at 10:28 AM on March 12


You should check out Jacob Appelbaum's 30c3 talk if you missed the previous article. Appelbaum identifies several characteristics of NSA malware there.

We now need the NSA to get caught using malware against people who obviously pose no threat: journalists, lawyers, activists, celebrities, politicians, etc. Just imagine if someone found a common piece of NSA malware and smuggled a detector into an update at Apple or Microsoft that warned users that the NSA watched them.
posted by jeffburdges at 10:40 AM on March 12 [5 favorites]


I think that ultimately, as with most human disasters, this will reduce to hubris. The mantra has been "no security through obscurity" since forever, even among technology people who were not specifically crypto or security experts. It seems like these guys said "yeah, well, we're the NSA, we're professionals, we know how to keep a secret, unlike those civilians." Look where trusting these fucking professionals has gotten us. I mean, really.
posted by feloniousmonk at 10:45 AM on March 12 [1 favorite]


Could those of you against this raise your hands a little higher? I'm doing my part and mailing in a list of known troublemakers.
posted by Nanukthedog at 10:46 AM on March 12 [2 favorites]


To echo spitbull's point - the 2013 reports on the Chinese hacking into NYTimes, or into Google, and other activities seem to have diminished since the revelations by Snowden. And it's not that these things are no longer happening, but that those kinds of attacks/espionage are blowback from the NSA's attempts to reduce online security. As Bruce Schneier stated regarding his exploit-of-the-day posts:

The NSA might have a larger budget than every other intelligence agency in the world combined, but these tools are the sorts of things that any well-funded nation-state adversary would use. And as technology advances, they are the sorts of tools we're going to see cybercriminals use. So think of this less as what the NSA does, and more of a head start as to what everyone will be using.

Which means we need to figure out how to defend against them.

posted by antonymous at 10:51 AM on March 12 [3 favorites]


Nanukthedog: "Could those of you against this raise your hands a little higher? I'm doing my part and mailing in a list of known troublemakers."

You missed an opportunity. Should have said, "Could those of you against this favorite this comment?" :D
posted by zarq at 10:55 AM on March 12 [6 favorites]


If only there were a viable party we could all vote for that was against this.

Make it. You'll get my vote.
posted by benito.strauss at 10:57 AM on March 12 [1 favorite]


This is a super-specific article with a ton of technical data and I'm quite amazed. Haven't actually gone through it in detail yet.

A point that needs to be emphasized is that once they have made a back door to your system, any bad guy can take advantage of it if they know how, including really bad non-state actors like the Mafia.

Make sure to keep your off-site backups fresh in case someone locks up your system...!
posted by lupus_yonderboy at 10:57 AM on March 12


> If only there were a viable party we could all vote for that was against this.

After the Democrats or the Republicans, the US Green Party, though a distant third, is probably the most viable US political party. Their platform is rational and has not-so-many things that a reasonable person would object to.

If you are not in a swing state, your vote for R or D is statistically worthless. In that case, if you are dissatisfied, you should always be voting for the most viable third party. If the Green Party got 5% of the Presidential vote, they'd be eligible for matching funds and (with some pressure from We The People), a seat at the debates. Your individual vote would be maximally effective if directed towards hitting this very achievable goal.
posted by lupus_yonderboy at 11:09 AM on March 12 [19 favorites]


Felonious/Lupus: People keep claiming this (backdoors can be exploited by others), but it's not necessarily true. The most recent samples of govn't malware have encrypted payloads in which we don't know the contents of.

Depending on how the loaders/stagers are structured, the exploits can be encrypted either with an asymmetric system, or even a symmetric system where only particular systems have the keys. For example, if you had a payload where the IMEI concatenated with a secret were the key, this would be very hard to analyze, even once you had a sample, but would be trivially decrypted by the target.

In terms of the network-based backdoor, other botnets have had success with asymmetric systems where instructions are signed. This is obviously also not a backdoor for organized crime, as the private key is unknown to analysts/other malicious actors.

antonymous: I'm confused as to why you think Chinese espionage is blowback from the NSA's attempt to reduce online security. I don't really think the Chinese are exactly champions of online security -- far more likely they're acting out of self interest. It would be awfully nice if the NSA would take the "defence" part of their mission statement more seriously though.

---

Similar to other Snowden leaks, this leaks capability. Admittedly, this is a fairly Orwellian and concerning capability. I wonder if the leaked documents contain specific targets of these programs. That information would be either incredibly damning, or partially exonerating (more so with other leaks than this one).
posted by yeahwhatever at 11:13 AM on March 12


I think a Green/Libertarian coalition is our best hope. Swallow hard, my lefty friends, and let's put aside our differences over economics. This is more important. So much depends on freedom of speech. The Democrats and Republicans have each put a price on liberty, they're just taking bids from different customers with the same ultimate interests.
posted by spitbull at 11:19 AM on March 12 [5 favorites]


> The most recent samples of govn't malware have encrypted payloads in which we don't know the contents of.

Sure, I'm willing to believe that they use strong encryption, but people have those keys, and other people would be willing to pay top dollar for them.

And such keys are sufficiently small that it's almost impossible to prevent them from being stolen if you have them. Heck, you could write them down on a piece of paper if all else failed.

I'm not sure if the data from your machine is sent back in the clear. Let us hope not, but if it is, that's another possibility for data loss.

But more than that - just because this new back door is locked doesn't mean you can't remove the hinges. Most exploits don't rely on actual back doors, but problems like buffer overflows in well-known code. The existence of a wide-spread trojan/virus that's running on many machines will lead attackers to concentrate on it, and quite likely find an exploit that the NSA didn't spot. And it's not like the NSA will push out a security update once this happens (though I'd love to see the dialog box for that!)

There is no question that once this trojan is on your machine, its security is compromised, even if you discount the NSA's access.
posted by lupus_yonderboy at 11:26 AM on March 12 [1 favorite]


> Swallow hard, my lefty friends, and let's put aside our differences over economics.

I actually don't think there's a huge difference on the formal economic front.

The big gaps are on two things that are very dear to the hearts of both sides - public medicine and worker's rights.

While I certainly think a compromise is possible on worker's rights - unions seem entirely logical from a libertarian viewpoint - it's not so clear that anything could be reached on medical care.
posted by lupus_yonderboy at 11:33 AM on March 12


I think a Green/Libertarian coalition is our best hope. Swallow hard, my lefty friends, and let's put aside our differences over economics.

Yeah no.
posted by aught at 11:39 AM on March 12 [16 favorites]


No, because of the racism thing.
posted by Kirth Gerson at 11:45 AM on March 12 [3 favorites]


Kirth Gerson: "No, because of the racism thing."

I think "Libertarian" is being used here in the traditional sense, not the Tea Party sense.
posted by chavenet at 11:49 AM on March 12 [4 favorites]


antonymous: I'm confused as to why you think Chinese espionage is blowback from the NSA's attempt to reduce online security. I don't really think the Chinese are exactly champions of online security -- far more likely they're acting out of self interest. It would be awfully nice if the NSA would take the "defence" part of their mission statement more seriously though.

My initial intent was to illustrate the different media landscape that existed in 2013, which was China! Iran! Cyber! Bad guy nation-states are doing nasty stuff! That narrative no longer drives mainstream articles on internet security, because those capabilities are not the sole domain of the adversaries of the United States. When I said blowback, I meant that the capabilities of adversaries are improved thanks to the NSA, and it's US companies which feel the brunt of the NSA's decisions.
posted by antonymous at 11:49 AM on March 12


The "traditional sense" that was invented in the 70s by goldbugs and Ayn Rand fanatics?
posted by aw_yiss at 11:51 AM on March 12 [10 favorites]


yeahwhatever: "Depending on how the loaders/stagers are structured, the exploits can be encrypted either with an asymmetric system, or even a symmetric system where only particular systems have the keys. For example, if you had a payload where the IMEI concatenated with a secret were the key, this would be very hard to analyze, even once you had a sample, but would be trivially decrypted by the target."

That is all good until it's revealed that the back door has an unsecured back door or that a mistake was made in the crypto (astonishingly easy to do even for professionals).
posted by Mitheral at 12:21 PM on March 12


It seems like it's time for 50s style mail drops and undercover agents swallowing microfiche capsules then being smuggled in false compartments to make a comeback.
posted by fshgrl at 12:21 PM on March 12


The GCHQ sets up the world's largest collection of kiddie porn and the NSA sets up the world's largest botnet. Who are the bad guys again?
posted by ryoshu at 12:22 PM on March 12 [12 favorites]


I am convinced that this sort of activity primarily hurts the USA. The USA is the world's primary innovator and licensor in the information economy, and would disproportionately suffer from a major and concerted attack against the world's information infrastructure. Any benefit it could gain from even total control over the Internet is far less than the risk of such an attack, which is only aided by the NSA's operations. This means the USA should be focusing its efforts on strengthening the information infrastructure, not weakening it.

Until now there has been little or no attempt to balance the costs and benefits of the USA's covert operations. If the USA executive realises this and reforms its covert operations I have no doubt that Edward Snowden will be seen, in retrospect, to have done more to aid his country's interests than any other figure this century.
posted by Joe in Australia at 12:30 PM on March 12


I wonder if any of their operations actually promote security anymore instead of undermining it.

NSA used to include a fairly open division named the National Computer Security Center (NCSC) that developed a set of standards for COMPSEC informally named the "Rainbow Series" after the covers of the various books, including the Trusted Computer System Evaluation Criteria (TCSEC) aka the "Orange Book" and evaluated products for compliance with it. For several years you could actually order a (free!) set of the Rainbow Books from NCSC (big box, many colored covers as promised). TCSEC's been abandoned in favor of the ISO standard #15408, Common Criteria for Information Technology Security Evaluation. As for NCSC itself it looks like it's been disbanded as well or broken into pieces & given to other agencies like NIST & DHS. Short answer, I don't think NSA does that anymore.
posted by scalefree at 12:32 PM on March 12


First you have to ask whether the NSA has legal right to do this. Where to look? Easy! Their mission statement. Sorry: Mission statement we learn is classified.
posted by Postroad at 12:35 PM on March 12


The GCHQ sets up the world's largest collection of kiddie porn and the NSA sets up the world's largest botnet. Who are the bad guys again?

Let's not forget the ATF ran the fast and the furious campaign by releasing traceable arms into circulation with the Mexican Drug Cartels... Eric Holder deserves his credit too - albeit as small as it is.
posted by Nanukthedog at 12:36 PM on March 12 [4 favorites]


There is no question that once this trojan is on your machine, its security is compromised, even if you discount the NSA's access.

Okay, so the article is way too technical for my mushy head.

How do I know if I have this trojan and how do I get rid of it?
posted by feckless fecal fear mongering at 12:39 PM on March 12


People keep claiming this (backdoors can be exploited by others), but it's not necessarily true.

It depends what the back door is, right? This article discusses certificate-based attacks but it also mentions other techniques in passing. My concern with this is that at some point, you need to be able to reliably penetrate a machine or network, even if you can't get a user to visit Facebook or whatever.

I have no doubt that they went to great lengths to secure the command channel for the malware once a machine has been infected, although as we've seen most recently with OS X, even security libraries are not always secure. Ultimately, a machine with the malware is not as secure or reliable as a machine without it. A machine running the malware described in the article and subject to that OS X bug could potentially have been controlled by anyone who knew it was there, regardless of certificate-based countermeasures.

Additionally, while certificate-based attacks are not exactly a revelation to anyone interested in those things, the knowledge that there is a systematic covert operation to compromise machines using those and other techniques isn't obtained and made public in a vacuum. A media panic that connects something like the Target breach to the fact that the NSA has intentionally weakened worldwide internet security, regardless of the factual merit of the connection, is not hard to imagine at all. It might even be true!

This kind of behavior undermines the credibility of the whole system, and once public trust is gone, you can't get it back with technical arguments. It has to be obvious that the portion of the economy represented by online businesses exists primarily on the basis of credibility. This is a tremendous amount of risk to take on for dubious rewards.
posted by feloniousmonk at 12:42 PM on March 12 [3 favorites]


Joe in Australia: I am convinced that this sort of activity primarily hurts the USA. The USA is the world's primary innovator and licensor in the information economy, and would disproportionately suffer from a major and concerted attack against the world's information infrastructure.

Perhaps feature, not bug, depending on what type of dystopian paranoia one believes.
posted by digitalprimate at 12:45 PM on March 12


People keep claiming this (backdoors can be exploited by others), but it's not necessarily true.

Well they can be exploited by whoever built them and the NSA is staffed by people, who as far as I know are still free to leave. If you design a physical weapon for a government you can't quit and take it with you. A code-based weapon you sure can. I really, really doubt there is any meaningful oversight of the kinds of people talented and knowledgeable enough to design and build these things. Feinstein? Ha.
posted by fshgrl at 1:04 PM on March 12


The security game is up, if the NSA wants what you know, they have it.

No, this is incorrect.

Look, Snowden is leaking all this presumably for some reason, yes? Right now no one besides people working at the NSA* and Snowden know the full extent of the leak. But Snowden evidently doesn't see it as hopeless, and he gave a talk a couple of days ago indicating that there are real things people can do for personal security, in the form of pervasive encryption.

The NSA's fingers aren't in all pies, not yet. They tried, rather ineffectually I notice, to push their own backdoored encryption standard. That must mean the good algorithms must have power against them. Because there are real things people can do to thwart the NSA's spying, it is actually in their favor for the NSA to be seen as omniscient; people then throw up their hands saying what's the point. If people see the fight as hopeless they'll concede, and that's exactly what they want.

* Let us not forget -- "working for [place]" should in no way abdicate your responsibilities as a human fucking being. Presumably some of these NSA employees have similar concerns that we have. Why do they still do it? Because they have food and shelter to pay for, families to support. There, it is the same old story: people being bribed to undermine globally in exchange for wealth locally. If the job market were better for mathematicians, the NSA wouldn't have so easy a time in making them do these things.
posted by JHarris at 1:07 PM on March 12 [8 favorites]


FOXACID? Are we slowly slipping into whatever dimension Metal Gear Solid takes place in?
posted by Redfield at 1:07 PM on March 12 [3 favorites]


First you have to ask whether the NSA has legal right to do this. Where to look? Easy! Their mission statement. Sorry: Mission statement we learn is classified.

It sounds so exactly like a standard Paranoia hosejob. Oh well, Teela O'Malley's on this nightcycle, might as well settle down with the other INFRAREDs with some Cold Fun and enjoy it.
posted by JHarris at 1:10 PM on March 12


Kirth Gerson: "No, because of the racism thing."

Much as I am loathe to Libertarianism (in the modern US political party sense), and am frankly, a bit upset that my friend claims to be one (though she of the more apolitical libertarian - leave me alone, i leave you alone, sense)...

The fact is part of the trajectory of the US Libertarian movement is due to a specific strain of Libertarianism that embedded itself with racism and "states rights".

I left Libertarianism after moving to Madison when I saw it was more about "guns guns guns" and less about "weed and freedom of speech" etc... That may have been more an issue of the one guy I talked to plus a reaction to the already left-wing side of things here in "77 square miles surrounded by reality."

I still oppose Libertarianism theoretically, and I think there is plenty room for the State, though I don't know how to find a balance that doesn't get right back to the core issue here of "national security" + "regulatory capture"...

BUT what I want to say is that there IS a growing movement of Libertarians who are trying to be more responsible, not as nasty and brutish towards their fellow citizens, who see them as citizens deserving of rights but also have a finer grasp of the power structure than the radical "just dismantle the state and we're all equal" view. One blog that is in this strain is Bleeding Heart Libertarians.

The problem is one of praxis and coalition. You can barely get leftists to agree on shit, how the bloody hell do you get them to work with people with an even more right-wing view of economics?

And the shit where you find libertarians and lefties agreeing is quite often the guano-inspired hippie naturalism of anti-vax/truther shit. Not all Libertarians believe that shit, of course, nor do all lefties, but there is definitely a crossover that sort of breeds that sort of thinking.

Leftism in America has a fairly strong Libertarian bent, and that leads it to taking up the wackadoo shit of the Libertarian-Right.

What we need is some form of unified front, I think. It's the only way, but we need to find a way to encourage each other to work on the positives of each side. Be willing to forego certain ideological stances or at least ameliorate them...

You hate any regulation or the state? OK, let's work towards dismantling certain things that are clearly in favor of corps and private interests. The ones we can agree on. We might disagree on others. Let's deal with that after we work on dismantling the nasty shit we can agree on. Let's work on decentralization. If you really want to encourage localism and shit, then start working on making that system/structure a reality. It doesn't exist in a vacuum.

Frankly, the current US Libertarian conception of Freedom is sorely deficient of any particular depth of analysis of systems. In the same way, the left needs to abandon some things it thinks are "common sense" dogmas. Maybe we can find a way to give communities more empowerment via choice (I mean this in the sense of how some libertarians propose cash payouts for "entitlements" instead of things like food stamps... Tyler Cowen, for example, supports that, believing it gives more respect for the autonomy of the individual in poverty to make their own choices). The problem is that there is a need for education. This is why I say we need to think systemically.

Maker culture, pirates, greens, libertarians, cypherpunks, localism, systems theory... Communal building of local resources, distribution of information and social evolution progress unbeholden to giant mass conglomerates... Finding a balance between those and "The State" (what the state does well), finding out what we mean by "The State" and see if we need to reformulate that concept at this point. I dunno. I dunno. This is some deep heavy shit. All sides are gonna have to swallow hard if this is to succeed in any way.
posted by symbioid at 1:32 PM on March 12 [1 favorite]


Mitheral: "That is all good until it's revealed that that the back door has a unsecured back door or that a mistake was made in the crypto (astonishingly easy to do even for professionals)."

YO DAWG!
posted by symbioid at 1:33 PM on March 12 [3 favorites]


Well they can be exploited by whoever built them and the NSA is staffed by people

If you wanted to do it right, you'd store the private key on a TPM in a machine that's physically impossible to remove covertly. The TPM is a chip that knows your key but will not tell you it (or the rest of the computer); you submit things to it, it signs them, and returns the signature. You'd need to physically attack the TPM to get the key out of it and it's not something you could do with nobody noticing. "Hmm, why did Joe bring a pair of bolt-cutters into the seekrit control room...?"

Plus, the TPM could actually generate the private key onboard, so literally nobody ever knows the key but the TPM.
posted by BungaDunga at 1:45 PM on March 12


So, in (don't hit me) Cory Doctorow's books Little Brother and Homeland, the fictional OS "Paranoid Linux" was used, and I thought a real-world project got started, but the domain seems to have dried up. Whatever happened to that, and is there now a suitable substitute?
posted by xedrik at 1:47 PM on March 12


You're not talking about SELinux are you xedrik? That was the "Security Linux" - of course... brought to you by ... NSA... And I've heard people defending it from the get go and I was always suspect, and these revelations certainly show why it's valid.
posted by symbioid at 1:56 PM on March 12 [1 favorite]


How a Court Secretly Evolved, Extending U.S. Spies’ Reach

Via Schneier.
posted by homunculus at 2:15 PM on March 12 [2 favorites]


No, it wasn't SELinux. It was "Paranoid Linux", named after the OS in the books. From Little Brother:

Paranoid Linux is an operating system that assumes that its operator is under assault from the government (it was intended for use by Chinese and Syrian dissidents), and it does everything it can to keep your communications and documents a secret. It even throws up a bunch of "chaff" communications that are supposed to disguise the fact that you're doing anything covert. So while you're receiving a political message one character at a time, ParanoidLinux is pretending to surf the Web and fill in questionnaires and flirt in chat-rooms. Meanwhile, one in every five hundred characters you receive is your real message, a needle buried in a huge haystack.
posted by xedrik at 2:21 PM on March 12 [1 favorite]


Thanks for the link - I'd never heard of it... Shame, that!
posted by symbioid at 3:21 PM on March 12


aw_yiss: "The "traditional sense" that was invented in the 70s by goldbugs and Ayn Rand fanatics?"

No, not that one. That one spawned the Tea Party,

The term libertarianism refers to a wide range of differing philosophies, including anarcho-capitalism,[citation needed] libertarian socialism (e.g. mainstream anarchism and libertarian Marxism),[note 1][note 2] and the libertarianism that is commonly referred to as a continuation or radicalization of classical liberalism.[37][note 3][38] These philosophies all share a skepticism of governmental authority and value individual sovereignty, but differ in the extent to which they accept or reject the state and capitalism.
posted by chavenet at 3:48 PM on March 12 [4 favorites]


I guess some 4channers really do have jobs!
posted by turbid dahlia at 4:00 PM on March 12


Probably the closest thing to Doctorow's Paranoid Linux that actually exists is Tails.
posted by zjacreman at 4:26 PM on March 12 [3 favorites]


"I hunt sys admins"?

Bring it, asshats.
posted by sandettie light vessel automatic at 4:28 PM on March 12


If you mock potential allies in advance as irretrievably stupid and/or evil, you must be real sure you've got enough folks on your side already.

There is already plenty of left/libertarian coalition building around the anti-war movement that goes back quite a ways. And yes, I mean in the "traditional" small-l sense, not the Tea Party or even Libertarian Party (which appears up for grabs in many states, although the Paulites seem to have taken the upper hand).

Yeah, the racism thing is real. I don't mean those guys. You gotta have some minimum standards. But on many civil rights issues -- among them reproductive rights, common sense drug laws, and freedom of the press, to say nothing of anti-interventionism abroad, there can be some common ground with some, not all, who identify as libertarian (which if you haven't noticed has become a very widely adopted identity among relatively young people in the last few years).

I mean, the Greens on their own are never going to kick down the gate in any of our lifetimes. The far right (including libertarian far right) has more of a chance, because at the moment they are allied with the Christianists (with whom they mostly disagree except for the racism thing).

And if the racism thing is non-negotiable for hippies, the gun thing is going to be non-negotiable for libertarians, so there's that.

I'm just looking around. The Republicans are the Evil Empire. The Democrats are the Totalitarians With A Heart, all three branches of government are basically subsidiaries of the interventionist-intelligence-military-industrial-carbon-fuel oligarchy, and the people are ground down and distracted by the machines that report on them back to the government.

I don't want to make common cause with Alex Jones. But there's people between him and me who are basically decent and smart people who disagree with me about things that can wait while we save the Republic.
posted by spitbull at 4:47 PM on March 12 [5 favorites]


The cynical might suggest that the racist elements are promoted specifically to prevent forming effective coalitions.

When they literally control all paths of communication, you cannot effectively organize.
posted by mikelieman at 4:55 PM on March 12 [2 favorites]


It used to be one of NSA's mandates was to make communications more secure, particularly for US interests. This sort of malware program actively undermines that mission. It's really dangerous and irresponsible.
posted by Nelson at 4:59 PM on March 12 [1 favorite]


mikelieman, it was ever thus. One of the most influential books ever on my political consciousness was David Roediger's brilliant 1991 effort, *The Wages of Whiteness.*

What a depressing couple of days for America.
posted by spitbull at 5:03 PM on March 12


Replicant OS Developers Find Backdoor In Samsung Galaxy Devices   NSA says Hi! :)

Actually this sheds considerable light on Appelbaum's quote that "Implantation always succeeds on iOS", basically Apple's homogeneity ensures NSA always has maximal access. On Android, there are various open source efforts like Replicant, which complicates things.
posted by jeffburdges at 6:39 PM on March 12 [3 favorites]


*The Wages of Whiteness.*

The Amazon list of reviews include: "Marxist drivel from a tenured malcontent".... It's on my to-read list now.
posted by mikelieman at 7:04 PM on March 12 [1 favorite]


spitbull: "it was ever thus."

Clipper is a good example of this. Secure communications but not in any meaningful sense from the government.
posted by Mitheral at 7:37 PM on March 12


At this point I'm thinking polite, known backdoors like Clipper would have been preferable to the lawless bullshit NSA is injecting in hardware, software, and network protocols. At least Clipper was contained and managed.
posted by Nelson at 7:43 PM on March 12


I'm kind of curious what the international response will be for the long run. With the information revealed so far, it's known that NSA is spying on a number of different targets, including non-US businesses. Which means that NSA spying, along with its violation of privacy, are also costing other countries money. It's also known that the NSA is doing it through the hardware, software, and network infrastructure of primarily US-based technology companies.

Because of those two reasons, I'm hoping governments, businesses, and individuals in other countries are now pushing even harder to develop local alternatives to these technologies, ones that make it harder for the NSA to gain access to.
posted by FJT at 10:20 PM on March 12 [1 favorite]


You're wrong, Nelson. Clipper would've criminalized privacy. At least now the NSA are the criminals.

We've much work ahead : Add user-friendly end-to-end encryption across the board. End closed source software like Microsoft Windows, Mac OS X, telco bloatware, etc. Adopt open source and more verifiable hardware.
posted by jeffburdges at 12:58 AM on March 13 [3 favorites]


I don't have the energy to be paranoid enough anymore. Never mind what I'm supposed to tell my father.
posted by ob1quixote at 6:14 AM on March 13


Once again, Greenwald is taking what we know about a situation (i.e. "...reserved for a few hundred hard-to-reach targets") and conflating it with the technical capabilities of the program (i.e. "allow the current implant network to scale to large size".) Indeed, there is nothing he quoted directly from any source that says "millions", even though that might indeed be the technical capability, if expanded ad absurdum.

Also note:
"Hypponen believes that governments could arguably justify using malware in a small number of targeted cases against adversaries. But millions of malware implants being deployed by the NSA as part of an automated process, he says, would be “out of control.”"

So, basically they told him about what the situation was, as far as they knew... limited usage... and the expert said that it might be justifiable... but then trotted out the word "millions" and he mentioned "out of control".

But even with that worst-case scenario, could "out of control" be justifiable in a state of war? If you take a look at the infographic that Snowden had, it shows the theoretical targets of this technique as Syria, Iran, and Russia. Seems like something which might very well be justifiable in the event of a full-scale cyberwar.
posted by markkraft at 6:53 AM on March 13


Please do keep in mind that the NSA's mandate still includes having capabilities ready to be used in time of war.

There seems to be a movement to separate the NSA from the military's Cyber Command, which was established only three years ago. Unfortunately, the military's capabilities lag behind the NSA's, which is being used as part of the national defense.

"You don't want to blur the lines as much as you have, but that blurring was out of necessity."
posted by markkraft at 7:03 AM on March 13


If only we had an organization fighting for the fourth amendment as vigorously as the NRA fights for the second amendment.
posted by Monkey0nCrack at 8:04 PM on March 13 [2 favorites]


Zuckerberg phones Obama to complain about NSA spying
posted by homunculus at 10:48 AM on March 14 [2 favorites]


NSA surveillance program reaches ‘into the past’ to retrieve, replay phone calls
posted by homunculus at 10:28 AM on March 18 [1 favorite]


President Obama: Grant Edward Snowden Immunity Now
posted by jeffburdges at 7:53 PM on March 18 [2 favorites]


US tech giants knew of NSA data collection, agency's top lawyer insists: NSA general counsel Rajesh De contradicts months of angry denials from big companies like Yahoo and Google
posted by homunculus at 10:59 PM on March 19 [1 favorite]


Don't Fall For Misleading Story Being Spread By NSA Suggesting Tech Companies Lied About PRISM
posted by jeffburdges at 8:30 AM on March 20


JFK Speech The Monolithic and Ruthless Conspiracy
posted by jeffburdges at 5:26 AM on March 24 [1 favorite]


US Moral High Ground Completely Gone As China Demands US Stop Spying On Its Companies
posted by jeffburdges at 4:13 PM on March 24 [1 favorite]


Los Angeles Police Department Claims EVERY License Plate Is Part Of An Investigation
posted by Joe in Australia at 4:22 PM on March 24 [1 favorite]


The mere fact that ALPR data is routinely gathered and may not --initially or ever-- be associated with a specific crime is not determinative of its investigative nature.
Wow, talk about fishing trips.
posted by Mitheral at 7:05 PM on March 24 [1 favorite]


To be totally clear about this:

The endgame of these sweeping surveillance powers is not democracy, and the political class is largely offering fake reform to make the public feel appeased. Snowden has proved that progress doesn't arise from working within the system.
posted by anemone of the state at 10:47 AM on March 25 [1 favorite]


You should check out Jacob Appelbaum's 30c3 talk yt if you missed the previous article. Appelbaum identifies several characteristics of NSA malware there.

Speaking of Appelbaum: Jake Appelbaum reads his Homeland afterword
posted by homunculus at 4:13 PM on March 25 [1 favorite]


Jacob Appelbaum's keynote at LibrePlanet 2014 : Free software for freedom, surveillance and you
posted by jeffburdges at 11:38 AM on March 27 [1 favorite]


NSA infiltrated RSA security more deeply than thought
posted by homunculus at 6:39 PM on March 31 [1 favorite]


My summary of the research paper from Homunculus' last link:
  1. The NSA promoted the use of a particular random number generator ("Dual Elliptic Curve"), despite the fact that it is less efficient than other algorithms.
  2. This algorithm has two "magic" numbers in it: constants whose choice affects the numbers it generates, and therefore all the encryption that depends on it.
  3. Nobody but the NSA knows how those numbers were selected.
  4. If those numbers were selected maliciously, they potentially give the NSA an easy way to decrypt communications encoded using that algorithm.
  5. The NSA paid RSA, a formerly well-regarded security firm, to select this algorithm as the default protocol in its suite of encryption software.
  6. It turns out that the NSA also got the RSA to include a further option ("Extended Random") within the security suite: the use of longer (and therefore more predictable) sequences of numbers.
  7. Communications encrypted with Dual Elliptic Curves can be decrypted in around an hour on a small computer cluster.
  8. If the "Extended Random" option is enabled the communications can be decrypted in several seconds on a small computer cluster, or around a minute using a laptop.
N.b. RSA will not say whether they were paid to include this option in their software.
posted by Joe in Australia at 9:01 PM on March 31 [3 favorites]
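
Points 2 to 4 of the summary above, as an added example that is not part of the thread or of the research paper: a simplified Dual EC generator in which whoever chose the constants so that P = e·Q can compute the generator's next output from a single observed output, while the same attempt fails when both points are derived from public hashes. Assumptions: secp256k1 stands in for the NIST curves because its parameters are short, the real generator's truncation of the top 16 bits of each output is omitted, and every constant, label and function name here is constructed for illustration.

```python
import hashlib

# Added illustration; all constants are constructed for this example.
# Curve: y^2 = x^3 + 7 over FIELD (secp256k1, a stand-in for the NIST curves).
FIELD = 2**256 - 2**32 - 977          # field prime, FIELD % 4 == 3

def lift_x(x):
    """Return a curve point with x-coordinate x, or None if none exists."""
    rhs = (pow(x, 3, FIELD) + 7) % FIELD
    y = pow(rhs, (FIELD + 1) // 4, FIELD)   # square root, valid as FIELD % 4 == 3
    return (x, y) if y * y % FIELD == rhs else None

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % FIELD, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    lam %= FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def derive_point(label):
    """Verifiable constant: hash a public label until it lands on the curve."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{label}:{counter}".encode()).digest()
        pt = lift_x(int.from_bytes(digest, "big") % FIELD)
        if pt is not None:
            return pt
        counter += 1

class DualEC:
    """Simplified generator: s <- x(s*P), output x(s*Q), no truncation."""
    def __init__(self, P, Q, seed):
        self.P, self.Q, self.s = P, Q, seed

    def generate(self):
        self.s = mul(self.s, self.P)[0]
        return mul(self.s, self.Q)[0]

def predict_next(output, e, Q):
    """Given one output and e with P = e*Q, compute the following output."""
    R = lift_x(output)                # +/-(s*Q); the sign does not change x below
    s_next = mul(e, R)[0]             # x(e*s*Q) = x(s*P) = next internal state
    return mul(s_next, Q)[0]

def demo():
    Q = derive_point("constructed Q")
    e = 0x5EC2E7                      # constructed secret known to the designer
    constants = {
        "rigged": mul(e, Q),                      # P chosen as e*Q
        "derived": derive_point("constructed P"), # P from a public hash
    }
    results = {}
    for name, P in constants.items():
        gen = DualEC(P, Q, seed=123456789)
        first, second = gen.generate(), gen.generate()
        results[name] = predict_next(first, e, Q) == second
    return results

if __name__ == "__main__":
    print(demo())
```

The failing "derived" case is the defensive point: constants whose derivation anyone can re-run leave no party holding the relation between P and Q.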


Anarchist and parliamentarian, Iceland's Birgitta Jónsdóttir talks big e-revolution

Glenn Greenwald awarded McGill Medal for Journalistic Courage for Snowden reporting
posted by jeffburdges at 8:42 AM on April 1


jeffburdges: " Glenn Greenwald awarded McGill Medal for Journalistic Courage for Snowden reporting"

You know, he's a good guy and a tenacious journalist, and has been on this case like a pit bull from the beginning. But the McGill Courage award? Have people been sending Greenwald death threats? I ask because the award has traditionally gone to people who have risked or lost their lives in order to get a story.
posted by zarq at 8:52 AM on April 1


Just being murdered makes you unlucky, not necessarily brave. Bravery certainly includes standing up to death threats, truthfully reporting from war zones, etc., but..

Greenwald cannot know what retribution the U.S. government might take, only that nobody will stand up to them physically. That's bravery.

Only really Russia and the U.S. are famous for around the world assassinating people. Yeah, Israel has assassinated people, and France killed Fernando Pereira, but even Chinese dissidents are relatively safe once they go elsewhere.

It's important to recognize standing up to such pervasive power like this to encourage others to adopt this style of bravery.

Abstractly, Assange warrants the prize more because, while he is clearly a journalist, they can more easily take action against him by claiming he is not, but..  Greenwald is far easier to emulate, especially if you lack the technical knowledge like most journalists.
posted by jeffburdges at 10:05 AM on April 1 [2 favorites]


jeffburdges: "Just being murdered makes you unlucky, not necessarily brave."

I'm not speaking of people who were simply murdered, but rather those who were killed for voluntarily covering dangerous events, such as a war zone or anti-government demonstrations in countries where said government is known for cracking down on dissidents by killing unarmed civilians.

71 journalists died in the line of duty last year.

Top 5 deadliest countries for journalists in 2013:
Syria: 28 killed
Iraq: 10 killed
Egypt: 6 killed
Pakistan: 5 killed
Somalia: 4 killed

12 journalists have been killed so far in 2014.

Top 5 deadliest countries for journalists in 2013:
Iraq: 3
Syria: 2
Brazil: 2
Pakistan: 1
Democratic Republic of the Congo: 1

These people actually went out in the field and risked life and limb to report news stories.

Greenwald cannot know what retribution the U.S. government might take, only that nobody will stand up to them physically. That's bravery.

He has quite literally been covering the NSA's encroaches into civilian privacy since 2005. He's been covering Snowden for what, 2 years? Has the US in fact actually done anything to him other than perhaps inconveniencing him or his partner at an airport?

Could they? Sure. Have they?

Only really Russia and the U.S. are famous for around the world assassinating people.

Russia, yes. Who has the US assassinated lately?

It's important to recognize standing up to such pervasive power like this to encourage others to adopt this style of bravery.

I agree. But I don't believe he's risked more than many other journalists to do so.
posted by zarq at 10:39 AM on April 1


Bruce Schneier: The Continuing Public/Private Surveillance Partnership
posted by homunculus at 11:38 AM on April 1 [2 favorites]


A bravery award is not a contest in risk taking either, zarq. It recognizes brave behavior worth encouraging others to emulate.

I'd argue we need more Greenwalds more than we need more war zone reporters, but ignoring that, an award should spread the publicity around to inspire journalists with different risk tolerances.

Also, they draw attention to the award and its past recipients by naming Greenwald now.

Could they? Sure. Have they?

There is a huge difference between merely covering the NSA and actually possessing their classified documents, remember the U.S. carries out airstrikes on downed stealth aircraft.

Who has the US assassinated lately?

Under Obama, over 2,400 people have been killed in over 390 drone strikes, largely run by the CIA. Arguably all these deaths count as assassinations and collateral damage, since we're not engaged in any wars. Yes, we apply special lax criteria for assassinating muslims, but imho Greenwald isn't so safe in say Yemen.

Also, the CIA was once famous for assassinations in Central and South America, maybe still today.

I could not determine that Chauncey Bailey should've anticipated much danger, hence the unlucky comment.
posted by jeffburdges at 12:45 PM on April 1 [3 favorites]


James Clapper Finally Admitted the NSA Used PRISM to Spy on US Citizens
posted by homunculus at 8:52 PM on April 1 [1 favorite]


Russia, yes. Who has the US assassinated lately?

Seriously? Even before we start getting into the unverifiable stuff, the US military has been busily using drone strikes in Afghanistan and Pakistan for the last decade or so to kill people they don't like the look of, alongside anyone who happens to be unlucky enough to be in the vicinity at the time. If that's not assassination, then what is?
posted by pharm at 3:08 AM on April 2 [1 favorite]


Zarq wrote: Who has the US assassinated lately?

It's funny that you should have asked this on a Tuesday, because that's the day for Obama's regular meeting to discuss that week's assassination plans.

Yes, we have come to this: the President of the USA has an event marked off on his diary to plan the coming week's assassinations. It's as if the USA employed official torturers. Oh, wait.
posted by Joe in Australia at 3:31 AM on April 2 [2 favorites]


Andrew “bunnie” Huang and Sean “xobs” Cross want to sell you a laptop you can trust, as mentioned in Appelbaum talk.
posted by jeffburdges at 2:31 AM on April 3 [1 favorite]


Classified NSA Work Mucked Up Security For Early TCP/IP: Internet pioneer Vint Cerf says that he had access to cutting edge cryptographic technology in the mid 1970s that could have made TCP/IP more secure – too bad the NSA wouldn’t let him!
posted by homunculus at 12:54 AM on April 5 [2 favorites]


Money quote from the Vint Cerf article
I also worked with the NSA on a secure version of the Internet, but one that used classified cryptographic technology. At the time I couldn’t share that with my friends
I think he's saying NSA were the only ones with the crypto algorithms at the time to do it, but I'd love to see what he was working on then. Honestly I think it's unrealistic that an encrypted Internet would have come to anything in the 70s; munitions export controls would have killed that in the crib.

There's an untold story about why IPSEC has failed. It could be a simple case of the challenge of deploying IP upgrades, goodness knows IPv6 is a morass. But at this point I'm wondering if NSA meddling helped hold it up.
posted by Nelson at 7:11 AM on April 5 [1 favorite]


Edward Snowden and Laura Poitras win Ridenhour Truth-Telling award

The ACLU has indexed all publicly released documents leaked by Snowden, including a full-text search.
posted by jeffburdges at 7:10 AM on April 8 [3 favorites]


Greenwald cannot know what retribution the U.S. government might take, only that nobody will stand up to them physically.

Maybe we'll find out: Reporters who broke Snowden story return to U.S. for first time
posted by homunculus at 1:11 PM on April 11




This thread has been archived and is closed to new comments