Ha ha ha “Security to be Free” ha ha ha
February 20, 2015 9:17 AM   Subscribe

The Great SIM Heist
American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys.
In all, Gemalto produces some 2 billion SIM cards a year.
posted by adamvasco (82 comments total) 30 users marked this as a favorite
 
It's really amazing this isn't bigger news.
posted by odinsdream at 9:19 AM on February 20, 2015 [1 favorite]


It's really amazing this isn't bigger news.

I'm amazed Lenovo's Superfish compromise isn't also in the news, which has basically been an easy way for the Chinese government to read all kinds of SSL traffic. Not a good week for privacy.
posted by a lungful of dragon at 9:22 AM on February 20, 2015 [6 favorites]


It's amazing to me this, the Lenovo thing, and the massive $1 billion bank heist Kapersky reported aren't bigger news, but I'm guessing there are national security concerns about scaring people too much or playing into political intrigue being bandied about in the press rooms.
posted by saulgoodman at 9:28 AM on February 20, 2015 [7 favorites]


Surely this...
posted by leotrotsky at 9:29 AM on February 20, 2015 [7 favorites]


But what about ISIS???!11 And did you see Kim Kardashian's new armpit?
posted by Behemoth at 9:34 AM on February 20, 2015 [22 favorites]


CDMA 4 LYFE
posted by clarknova at 9:34 AM on February 20, 2015 [5 favorites]


Also worth pointing out that this was made possibly by extensively spying on civilians, in addition to whatever harm it will result in.
posted by ethansr at 9:41 AM on February 20, 2015


Jeez, is there no end to the Snowden cache. It's unbelievable how deep it goes.
posted by dhruva at 9:50 AM on February 20, 2015 [5 favorites]


It's amazing to me this, the Lenovo thing, and the massive $1 billion bank heist Kapersky reported aren't bigger news, but I'm guessing there are national security concerns about scaring people too much or playing into political intrigue being bandied about in the press rooms.
saulgoodman

Not sure what you mean. All three of those stories were on the front pages of at least the New York Times and the BBC and I haven't checked other major publications but I'm sure they're covering them as well.

There's not some black out media conspiracy. It's being covered; whether people care is a different story.
posted by Sangermaine at 9:51 AM on February 20, 2015 [6 favorites]


I think the problem is that people don't understand. We here at Metafilter know what SIM encryption is, and what SSL is, and why adware is a bad thing. The average citizen doesn't really understand those things, they seem alien and foreign. Also there's a big collective shrug, "oh yeah of course that computer stuff isn't secure but I don't care as long as I can watch my Netflix".

The promise of the cypherpunk revolution was strong, mathematical security for our communications. It has failed.
posted by Nelson at 9:55 AM on February 20, 2015 [5 favorites]


It's being covered; whether people care is a different story.

For what it's worth, what I meant by "bigger story" is that, this should be the level of constant 24-hour coverage, trials, massive transparency programs to re-issue private keys and affected cards. There should be a huge outcry. Of course there won't be, as we have been sadly shown from all the previous NSA coverage.
posted by odinsdream at 9:55 AM on February 20, 2015 [3 favorites]


There's not some black out media conspiracy. It's being covered; whether people care is a different story.

It's being covered, but it's not being sensationalized. What the press chooses to sensationalize or not makes a big difference in people's level of engagement with an issue.
posted by saulgoodman at 9:57 AM on February 20, 2015 [22 favorites]


"Security to be free" was meant to be a Mad Magazine fold-in.

(Interactive link because we need a pleasant derail.)
posted by dances_with_sneetches at 9:57 AM on February 20, 2015 [1 favorite]


Consider the difference between the coverage on these issues and Ebola, for example. When the press loses its shit over a story, people sense it, and their ears perk up.
posted by saulgoodman at 9:58 AM on February 20, 2015 [3 favorites]


It's being covered, but it's not being sensationalized. What the press chooses to sensationalize or not makes a big difference in people's level of engagement with an issue.

This.
posted by odinsdream at 9:58 AM on February 20, 2015 [4 favorites]


(Also, it's not suggesting a conspiracy to acknowledge there are editorial decisions made in the process. If you've ever been an editor, you know there are all sorts of discussions about what to cover and how in news rooms. To suggest that people are discussing their editorial choices is not in any way to suggest a conspiracy, except in the same tortuously incoherent universe where choosing not to blurt out any random idea is "self-censorship" rather than good judgment.)
posted by saulgoodman at 10:02 AM on February 20, 2015 [2 favorites]


I also think that there's a big disconnect between what MeFi and more tech-minded people online believe and what the general populace believes on this issue. It's not about ignorance, I think a lot of people buy the "it's for national security" justification and are okay with these kind of practices, so pointing them out isn't going to be some great truth that shocks them into action.

I think this disconnect significantly hinders the ability to reach people on this issue, since the persuaders are starting from assumptions that many don't share. Note I'm not saying the national security line is right, just that I think it's a lot more powerful than the way it's treated here and elsewhere online and that needs to be understood to address it.
posted by Sangermaine at 10:03 AM on February 20, 2015 [2 favorites]


I think the problem is that people don't understand. We here at Metafilter know what SIM encryption is, and what SSL is, and why adware is a bad thing.

Any system where a third party holds your cleartext keys in escrow is inherently insecure. The end. Forever.
posted by clarknova at 10:03 AM on February 20, 2015 [6 favorites]


I've got to give props to Gemalto. As is mentioned slightly in the article the US Government is a huge customer. The fact that they still had to be hacked to get the keys says a lot about them. It would have been so easy for them to be pressured on any of those contracts to provide the keys as a condition of the contract.
posted by Runes at 10:04 AM on February 20, 2015 [13 favorites]


Sigh.
Well, I mean, I really must be crazy now. How was this NOT known, or at least assumed, already?

Sometimes I really think people do not understand the basics of technology enough to realize that almost everything you do is observable (except for the few things inside your own head that don't cause sympathetic externalizations, i.e. micro-expressions).

Some days I try to talk to people about privacy and security and they will respond like 3 year olds trying to play hide and seek with an adult. The adult knows at least enough about proprioception (the awareness of ones self) to be better at it, plus having years of possible practice to have a massive advantage over the child.

I happen to think it is a "good" thing that at least an identifiable (vaguely) group is doing these things. At least then you have some basic idea of where it is coming from and the possible motivations. I guess I just take comfort in at least that small bit of information. I would not say I trust them, nor do I believe they are benevolent or at all in line with my own individual interests (or the interests of any group other than the ones who provide their paychecks, nominally).

This was the techno-dystopian future I was promised, after all.
posted by daq at 10:06 AM on February 20, 2015 [2 favorites]


It would have been so easy for them to be pressured on any of those contracts to provide the keys as a condition of the contract.

Yeah, but the first rule of spy-craft is leave no witnesses and tie up all loose ends.

If a civilian without security clearance (or a whole lot of good blackmail leverage) knows that you have the keys, what's to stop them from squealing (or having the information extracted through interrogation or other means)?

You hack and steal something because a) it's valuable, in and of itself, and b) the advantage of your target not knowing you have it. Encryption keys are useless once your target knows you have them.

And upon a quick google search, this story pops up from 2013.

It seems that you didn't really need the keys to begin with...
posted by daq at 10:12 AM on February 20, 2015


All three of those stories were on the front pages of at least the New York Times and the BBC

I've been watching the NYT's US homepage pretty carefully since this story broke on the Intercept. Perhaps I missed something, but I haven't seen anything more than the subdued, tiny-type headline that's running right now, "Chip Maker to Investigate Claims of Hacking by N.S.A." I guess technically this is giving the story the (absolutely minimal) front-page treatment but it's pretty clear that the Times ignored it completely for around the first 24 hours and is now featuring at least three dozen or so other stories far more prominently. The editorial message is hard to mistake.

This is how they bury stories that they know they can't just spike entirely, and it is truly disturbing.
posted by RogerB at 10:13 AM on February 20, 2015 [2 favorites]


I use the NYT app and it's on the Top Stories feed there. Can't speak to the website.
posted by Sangermaine at 10:16 AM on February 20, 2015


Interesting tweet from the reporter, Jeremy Scahill.
Gemalto shares plummeted $500m today. When I first informed its PR rep about the massive hack, she said she'd look at my email after lunch
posted by Nelson at 10:24 AM on February 20, 2015 [7 favorites]


Evidently nobody feels like they can get elected/throw somebody out of office on this news, so it will be ignored in favor of the new outrage of the day. (Probably something racist.)

Though it is a Friday afternoon, so maybe there will be a dump of documents when nobody is paying attention and then everyone can forget about it in favor of Oscar buzz. Problem solved, keep moving, nothing to see here.
posted by fifteen schnitzengruben is my limit at 10:28 AM on February 20, 2015


At first my brain processed this as SIMMs not SIMs and I was really confused about who was still using SIMMs...
posted by MrBobaFett at 10:28 AM on February 20, 2015 [1 favorite]


Could Gemalto sue the US and British governments?
posted by orme at 10:28 AM on February 20, 2015 [1 favorite]



It's really amazing this isn't bigger news.


Its reached the furthest corners of the world. I'm so glad you posted this adamvasco as I wasn't sure whether it was an FPP or not but the news has a whole bunch of people I know gobsmacked. And has billions of dollars worth of implications. Poor Gemalto. Here's why:

Gemalto supplies Vodacom with bank card in South Africa

Etisalat, the UAE's leading telecoms company, is harnessing mobile NFC solution for corporate access control from Gemalto, the world leader in digital security. The solution enables Etisalat's management to securely access its head office and facilities with a single tap of a mobile phone on a contactless reader.


Gemalto Predicts a Payment Revolution in Africa
Ain't gonna happen with you babe

Gemalto, a global digital security provider, has unveiled that LeKiosk, French distributor of digital magazines, has deployed its Netsize direct and online operator billing solution. The solution enables one-click mobile payment for digital magazine downloads to be charged directly to end-users regular phone bill.

Is Gemalto going to sue for loss of reputation, brand equity, billions in business, and the possible destruction of the entire mobile money industry?
posted by infini at 10:29 AM on February 20, 2015 [5 favorites]


How do you bring a case to a secret court?
posted by a lungful of dragon at 10:30 AM on February 20, 2015 [2 favorites]


And that's just last one months' news.
posted by infini at 10:33 AM on February 20, 2015


How do you bring a case to a secret court?

I could tell you, but then I'd have to kill you put you in solitary confinement in a military prison for the rest of your life.
posted by clarknova at 10:34 AM on February 20, 2015


I'm not being snarky, I'm curious. How do you sue a spy agency from another country for effectively destroying your business?
posted by a lungful of dragon at 10:38 AM on February 20, 2015


> How do you bring a case to a secret court?

Well, you file a case in the European Court of Human Rights. Like this.

That court case will be very interesting, and will likely serve as a template for how similar cases will play out.

It's kinda important for everyone to realize that it's unlikely that spies spent all that effort _only_ on #Gemalto. If it was worth doing..

Here's a great piece by the same author on the subject. Very relevant with this and the Equation group.
posted by yeahwhatever at 10:40 AM on February 20, 2015 [1 favorite]


It seems that you didn't really need the keys to begin with...

That hack only works on maybe 25% of mobile devices, and you need to actively communicate with each targeted device. You also need to decrypt the key after you trick the target device into giving it to you.

With bulk access to SIM encryption keys, NSA/GCHQ can intercept and record encrypted traffic, then decrypt it later using a key they already have on file. They don't need to actively target or attack any given device in advance. The pool of potential targets is bigger, the risk of detection is much smaller, and less effort is required overall.

Of course, the more techniques they have available to them, the happier the security agencies will be -- if one technique doesn't work against a given target, maybe another one will. I'm sure they have even more phone hacking methods we don't know about yet.
posted by twirlip at 10:41 AM on February 20, 2015 [1 favorite]


I think it's going to be hard to get people in the US to care much about this, because it doesn't have a lot of apparent effect inside the US. We've known for quite some time that the big telcos will pretty much happily let any law enforcement agency with non-Crayon-based letterhead into their networks to spy on anyone they want. They didn't need SIM keys to spy on Americans; they could just plug right into the central switches.

If Americans weren't sufficiently riled up by that, it's hard to see anyone giving much of a damn about the NSA (in fairness, GCHQ with a presumptive technical assist from NSA when it came to the electronic B&E) spying on foreigners, given that spying on foreigners is their actual job. And the reaction to the domestic spying was pretty 'meh' at best. It might, however, further damage the ability of the US (and UK) to get cooperation on intelligence activities with other governments, so I wouldn't say it's a shrug-off event in the long run.


For all of us who are users of cellphones, simply slapping the intelligence agencies really isn't the desired solution, though. The fact that the NSA and GCHQ stole the keys is a lot less important than the fact that they were able to do so at all. That's the real problem. There's no reason to think that NSA is more than a year or two ahead of the average Russian crime syndicate, and they are probably even less far ahead of the other "APT" groups (who are probably, at least in some cases, other countries' cyberintelligence agencies, e.g. China's or perhaps North Korea's). It is even possible—we can argue about the likelihood—that there are folks around who are more advanced than NSA. For all we know, the NSA/GCHQ weren't the only ones with their fingers in the Gemalto cookie jar; they're just the ones who got caught.

In this particular case, the solution isn't some sort of regulatory reform to the intelligence agencies involved, it's realizing that leaving communications security open to a bunch of profit-driven corporations who are always going to see security as a very negotiable cost center to be minimized wherever possible, is a mistake. Companies like Gemalto are never not going to get hacked, because getting hacked is the only reason why they have security in the first place; the level of security they're going to implement is the bare fucking minimum that it takes to stay in business.

We need a different structure for managing communications infrastructure, and in particular for managing the supply chain of sensitive keying materials; one that doesn't depend on corporations who are always going to cut corners and beg forgiveness when it inevitably bites us all in the ass. Unfortunately, the people who are probably best placed to do that are the exact same people who demonstrated the limitations of the current system—agencies like the NSA and GCHQ. So instead, we're going to have to muddle along and work something else out, and I'm expecting it's going to be a long and ugly row to hoe.
posted by Kadin2048 at 10:41 AM on February 20, 2015 [13 favorites]


If you want to feel more uncomfortable about the state of GSM security, check out this DEFCON talk. The speaker builds and demos an IMSI-catcher (the same type of device as the Stingray surveillance tool used by the police and military) out of an instant messaging toy with reflashed firmware. Not only does it collect cell phone IMSI data (which can track where a phone was used), but it also can ask phones to send their phone calls in a decrypted form for easy eavesdropping. And it seems to all be technically legal with an amateur radio license.
posted by mccarty.tim at 10:43 AM on February 20, 2015 [1 favorite]


So much for me "being up on burners, playa."

In all seriousness, this is a serious level of "oh shit!" Basically, I think it's safe to assume that modern intelligence agencies have been able to intercept anything they want on any modern (read: digital) phone for a while now.

Scary.
posted by zuhl at 10:47 AM on February 20, 2015


So a GSM SIM uses the same key to encrypt its data in transit every single time? I guess I expected them to use a different key periodically.
posted by Tehhund at 10:51 AM on February 20, 2015


In all seriousness, this is a serious level of "oh shit!" Basically, I think it's safe to assume that modern intelligence agencies have been able to intercept anything they want on any modern (read: digital) phone for a while now.

Anyone who knows enough to ask the question should probably have been assuming that for quite a while, but this is certainly yet another piece of solid evidence that it's the case. Even on the slim chance that your device isn't individually compromised, the rest of the network pretty well is.

I've been thinking about this a lot. Surveillance is a little bit like inverse herd immunity. As long as a sufficient subset of devices and people are compromised, everyone's compromised.

We're fucked.
posted by brennen at 11:02 AM on February 20, 2015 [3 favorites]


I have just always assumed that all telecommunications, whether by land-line or cellphone, and all email and internet activity are inherently insecure just on the basis that they head off into a black box of wires and technology run by unknown parties on their way to their destination. To assume otherwise seems . . . . . foolishly optimistic. Unless you can control every step of the communication process, from design and manufacture of the device used and up, I don't know how you could ever expect anything better unless you are using one-time pads or some-such to encrypt your messages.
posted by fimbulvetr at 11:08 AM on February 20, 2015 [1 favorite]


The trouble with everyone using encryption designed by experts is that it provides a predictable means for everything to be owned.

"Everyone says RSA is the best." "Oh well let's use RSA then." "Elliptical curve is better." "Oh well let's just adopt this NIST recommendation then."

The problem isn't mathematics, or the intelligence of encryption designers. Back in pre-history tribes used to make long, long walls that started out far, far apart. They would drive animals between these walls. The animals were unaware that the walls converged in the distance.

Still works.
posted by Twang at 11:15 AM on February 20, 2015 [5 favorites]


I've got to give props to Gemalto. As is mentioned slightly in the article the US Government is a huge customer. The fact that they still had to be hacked to get the keys says a lot about them

You might want to temper your props with the fact that Gemalto's Chairman was on the Board of Directors for In-Q-Tel immediately previous to taking his current position.
posted by rhizome at 11:19 AM on February 20, 2015 [5 favorites]


The trouble with everyone using encryption designed by experts is that it provides a predictable means for everything to be owned.


I agree that using standard encryption has its potential downsides, but compared to amateur cryptographers trying to roll their own encryption schemes, it's a hell of a lot better.

I've dealt with amateur crypto a few times, and it's terrible. Crypto is hard, few people are going to get it right the first time.
posted by dragoon at 12:05 PM on February 20, 2015 [3 favorites]


One angle about this situation that I haven't seen brought up a lot is the proliferation of Stingray devices in recent years (with the exception of mccarty.tim's comment above)

The standard line (from the DOJ, since local PDs are required to sign NDAs so that they can't even talk about the devices they're deploying on their own communities) is that this is legal and constitutional, your data and calls are encrypted, so don't worry, police are just using these devices to locate individual mobile devices.

Well, if Stingray devices MITM encrypted traffic but somebody has all the keys, what's stopping someone from just planting one near a Muslim community center, or an anti-police demonstration, and hoovering up all traffic from mobile devices in the area for later decryption? And how would we ever find out, given what we've heard lately about the push to use parallel construction to find a "clean" (not unconstitutional) source for data collected unconstitutionally, and the fact that the Feds have been instructing the departments that have these devices to lie about them in court?
posted by cobra_high_tigers at 12:54 PM on February 20, 2015 [2 favorites]


I usually use Google News to take the temperature on stories, and one thing I notice is a lot of weasel-wording from the major outlets, like "probes alleged report of hacking", and "citing documents provided by Snowden" as if they using a VT100 and weren't able to load inline .gifs or something.

In between "ISIS Ate My Baby" stories, @CNN just tweeted "A new privacy scare has surfaced for cellphone users around the world" and linked to the CNN Money site, which contains the same weasel words, and of course has links to all the relevant ticker symbols.
posted by RobotVoodooPower at 1:16 PM on February 20, 2015 [4 favorites]


The choice for a news organization between highlighting a technological privacy hack that's difficult to explain to the average person or militants literally setting people on fire is a pretty easy one even before you consider any desire to sweep NSA stories under the rug.
posted by double block and bleed at 1:39 PM on February 20, 2015 [1 favorite]


I am always amazed when I talk to my very progressive friends about topics like this...they are amused. AMUSED. I don't get it. It might be the great-nerd divide...like..."I just don't want to understand why these tech-nerds are abuzz". The thought that, any phones with these SIM cards are accessible no matter what the owner does, should frighten everyone. I think that it is no longer unreasonable to believe that all American technology has been compromised by the NSA in some fashion.
posted by zerobyproxy at 1:45 PM on February 20, 2015 [3 favorites]


Forget it, Jake. It's Sim City.
posted by I-baLL at 1:59 PM on February 20, 2015 [7 favorites]


a technological privacy hack that's difficult to explain

Is it difficult? Imagine moving into a new house or apartment, and the locksmith who resets the locks ends up cutting two keys: one for you, and one for someone else you don't know, who can go into your home at any time without your knowledge, let alone permission. Maybe that other person is with law enforcement, but more likely it ends up being a professional thief who is with organized crime and who uses the second key to steal your stuff, like your bank account details. That seems like a fair enough description of the problem, and perhaps not too difficult for everyday people to relate to.
posted by a lungful of dragon at 2:00 PM on February 20, 2015 [5 favorites]


Well, none of the technical difficulty of the subject matter theories explain why what's probably one of history's biggest bank heists barely got five seconds of fame, while we spent a whole summer news cycle once freaking out about random rich blonde women going missing on vacation.
posted by saulgoodman at 2:06 PM on February 20, 2015 [2 favorites]


Actually, if this list is accurate, that recent Kapersky thing probably tied history's biggest bank heist. I haven't seen a single headline touting that fact, for example.
posted by saulgoodman at 2:09 PM on February 20, 2015


Tehhund, ephemeral keys are generated, but the key exchange is encrypted with Ki, so if you capture a phone's traffic and have cracked or otherwise obtained its Ki value, you can simply decrypt the key exchange.

The sad thing is that most SIMs have been crackable on consumer hardware for over a decade now. Not to mention that the encryption algorithm itself has flaws that someone with NSA's compute resources can easily exploit. Having Ki for a hundred million SIMs just makes it possible to run a wide scale dragnet rather than having to target specific devices.

Where this is truly useful is for state actors who have satellites in orbit with the capability of hoovering up a nation's worth of mobile communications. Everybody else is stuck with relatively localized attacks, at least if they haven't found the CALEA access.

Luckily, nothing is stopping the privacy minded from using RedPhone, TextSecure or similar encrypted voice/SMS services. (I lurve TextSecure for its ability to work over plain SMS)
posted by wierdo at 2:17 PM on February 20, 2015 [2 favorites]


Gemalto also makes other smart-card related things. Including access cards (used by military's and governments around the world).

I'm not sure why the attackers would only limit their attacks to the SIMs they make.
posted by el io at 3:19 PM on February 20, 2015 [2 favorites]


And it seems to all be technically legal with an amateur radio license..

No, a thousand times no. An amateur radio license confers absolutely no rights to do anything outside the amateur radio bands, and creates particular responsibilities to ensure that you do not.

As for any conspiracy theories about why this story may not be getting the prominence one feels it deserves in the MSM: while I can't speak for all the MSM, those outlets whose news operations I do know are sufficiently uncertain about the details of crypto to be cautious in reporting complex, single-source stories like this until theyve checked (and they were checking, this morning). If there is some top-down sinister squelching force, nobody I know who works in those news operations has ever encountered it.
posted by Devonian at 4:13 PM on February 20, 2015 [1 favorite]


Imagine moving into a new house or apartment, and the locksmith who resets the locks ends up cutting two keys: one for you, and one for someone else you don't know, who can go into your home at any time without your knowledge, let alone permission.

Yes, they're called "maintenance", it's a part of living in many apartments.
posted by indubitable at 4:21 PM on February 20, 2015 [2 favorites]


Um, to follow up what sounds like needless one-liner snark, you could say that regular people are pretty inured to the idea of key escrow, even if that's not the name they use for it.
posted by indubitable at 4:26 PM on February 20, 2015 [2 favorites]


who can go into your home at any time without your knowledge, let alone permission.

Yes, they're called "maintenance", it's a part of living in many apartments.


Up here at least, except for an emergency (which in this analogy would stand in for a warrant), you must be given 24 hours notice before the landlord or their agent can open your door. So the 'key that anyone else could have' stands up as an analogy.

Frankly, this is terrifying. What point is there in encrypting anything, as a private citizen, if all the hardware is already compromised?
posted by feckless fecal fear mongering at 4:32 PM on February 20, 2015


What point is there in encrypting anything, as a private citizen, if all the hardware is already compromised?

That's a happy side effect (happy to those involved in this bullshit at least) of this coming out. They'd rather no one encrypted anything ever.
posted by downtohisturtles at 4:42 PM on February 20, 2015 [2 favorites]


Without this, the security services would have had to go to the telcos and demand data feeds from their trunk, which would have required approval from a judge, a process which they tell us has stringent safeguards of an unspecified nature, and cannot be done willy-nilly unless they have a very good reason (which they don't have to share with the public, for reasons of national security).

Even if they hadn't hacked Gemalto, there's no reason to expect that the security services didn't have a rolling general warrant to hoover up all traffic from the trunk, one being automatically reauthorised on expiry because we're under siege by terror itself. The main thing this would change is to give US/UK/allied spooks the ability to operate abroad, to tap the communications of apparatchiks in Beijing, MEPs in Brussels or cryptoanarchists in Reykjavík.
posted by acb at 5:31 PM on February 20, 2015 [1 favorite]


What point is there in encrypting anything, as a private citizen, if all the hardware is already compromised?

Who are you trying to protect yourself from? At the moment, if the NSA or GCHQ really wants to spy on you, they will probably find a way. And yeah, that is terrifying and extremely dangerous, because it means we have all the technological infrastructure for a police state, and not a lot of political opposition to using it.

On the other hand, encryption is still providing you with some degree of protection from other attackers, such as ordinary criminals or random hackers, who don't have NSA-level access or resources. According to the article, in the early days of cell phone technology, "Anyone could buy a cheap device from RadioShack capable of intercepting calls placed on mobile phones." Even the flawed encryption we currently have means we're not likely to return to a time when someone can snoop on your phone calls using simple off-the-shelf equipment.

Meanwhile, a lot of smart people are very interested in designing and building better, more secure systems. It's an arms race, and well-resourced state actors like the NSA will probably continue to have the advantage in the medium term (which is one reason why better encryption is not a panacea). But the situation is not as hopeless as you suggest.
posted by twirlip at 5:35 PM on February 20, 2015 [1 favorite]


The way this story has been vanished in the American media has REALLY amazed me and made me rethink my opinions regarding the degree of control the government wields over the media. It's impressive in a terrible and spooky way. I'm familiar with Chomsky's writings on the media, and the history of things like Operation Mockingbird, ... etc... , but it's different watching it work in real time.
posted by Auden at 6:07 PM on February 20, 2015 [2 favorites]


At the moment, if the NSA or GCHQ really wants to spy on you, they will probably find a way.

The difference is that with the Gemalto hack the Intelligence Community has unfettered access to everything, rather than having to choose targets and decrypt each device separately. It's the difference between a typhoon and an eye-dropper.
posted by rhizome at 6:14 PM on February 20, 2015 [1 favorite]


Who are you trying to protect yourself from? At the moment, if the NSA or GCHQ really wants to spy on you, they will probably find a way. And yeah, that is terrifying and extremely dangerous, because it means we have all the technological infrastructure for a police state, and not a lot of political opposition to using it.

The key is scalability. There's a difference between them being able to spy on you if they really want to (say, if you're a mafia kingpin or Emmanuel Goldstein) and them getting all your data for free, along with that of everybody else, just in case you later turn out to be of interest in some way. The former is more or less inevitable, given state-level actors; the latter is not, and is far more frightening.
posted by acb at 6:17 PM on February 20, 2015 [3 favorites]


The difference is that with the Gemalto hack the Intelligence Community has unfettered access to everything

No, the Gemalto hack "only" gives access to GSM encrypted calls, they'd still need to individually attack your phone with a software/hardware exploit to, for example, read your PGP encrypted email (assuming you decrypt it in that device).
Good encryption exists and works, this story being yet another case of NSA subverting rather than breaking it.
posted by Bangaioh at 6:28 PM on February 20, 2015 [2 favorites]


The bank heist was probably business as usual occult payroll.
Don't worry the ultra rich won't suffer, they will be safe.

In the future there will be no accidental meeting, someone will just come for your money, they know where and how much you have, they know what you have to hide, they know what you don't have, they watch you from your TV, listen from your phone, watch you with your phone, use radar on your house, for the fun of it. Private security agents and criminals have unlimited access to all security cameras. Tyco, who is the real owner? Do the cartels, through "legitimate" laundered investments own security companies who subcontract for government? It all may as well be the case because all is hacked, all is known by any one with access, or a basic skill set. Our governnment knows it all, why isn't crime over? This whole revelation shows us to be criminally complicit, in a criminal world.

People buy security systems just like Little Red Ridinghood visits with the wolf.

Cell phones carry all kinds of programs, I knew one guy with a weaponized phone, He had a program that could cause dread and depression, interesting all the apps you can get these days.
posted by Oyéah at 7:22 PM on February 20, 2015 [1 favorite]


I think it is time to realize that we are not moving towards the all knowing all seeing police state as we have already got there.
There is no secrecy. There is no privacy. Admittedly this police state for most of us is quite benign at the moment but already activists on many fronts are being targetted and their lives are being made uncomfortable. Our masters are just flexing their muscles at the moment and pulling the strings of complient political whores and getting their lackies is MSM to turn a blind eye and under report or even ignore the excesses of their police and security forces. War is a profitable business whether its against brown people on the other side of the world or you the people. Totalitarianism is closer than we think. There will still be room for the armchair warriors like us to protest and harrumph but should we try and turn those thoughts into actions they will have us neutralised very fast indeed as they now have all the information they need to apply the choke chain.
posted by adamvasco at 7:24 PM on February 20, 2015 [1 favorite]


Friday, Feb 20, 2015
Washington Post:

Top Stories:

1: PM Update: Chilly night, then snow and sleet changing to rain on Saturday

2: Winter storm to bring hazardous mix of snow and sleet to D.C. area on Saturday

3: The Islamic State threatens to come to Rome; Italians respond with travel advice

4: What 'The Imitation Game' didn't tell you about Alan Turing's greatest triumph

5: Three's company: Venus, Mars and a skinny moon converge
posted by Auden at 7:49 PM on February 20, 2015


No, a thousand times no. An amateur radio license confers absolutely no rights to do anything outside the amateur radio bands, and creates particular responsibilities to ensure that you do not.

So, apparently Paget was transmitting on the European GSM frequencies, which overlap with US Ham frequencies. As well as broadcasting the appropriate call sign every x minutes as required. Paget also (from my understanding) had some legal assistance from the EFF to ensure everything was kosher. There was a bunch of work to ensure that the law was complied with.

Oh yeah, also, the information transmitted was not encrypted (it's a basestation option to turn off crypto, which Paget did, to help comply with HAM regulations). Watch Paget's speech (I did), it's quite entertaining/informative.

/derail
posted by el io at 8:07 PM on February 20, 2015 [2 favorites]


The collapse is near, this is not a chicken little idea. If the banks can be hacked, they will be, we will be. Just like Wikileaks showed us our diplomatic corps was hacked, it showed us therefore, some manual cures for the problem. We are suckers for automation, we won't give it up now. How does one bank in a sieve, with all the fish flopping about? It is well beyond the fishbowl. When do they start pushing the red buttons for us? Wait, they started fixing that a while back.

Grow your gardens, keep a place outside the city. What a joke. What entity wants to know every last blinking note ever written, or that ever will be? I think the singularity has been evoked and currently has favorites. You know, and someone is smoking on Mars. Ha ha ha the trick is to make yourself unpalatable. The time traveling Monkey-on-A-Stick farmers are on the way with freezer ships. They threw the seeds of life in the oceans five minutes ago, their time, and have gone to lunch, BRB.

The disaster is so huge, it is difficult for people to grasp the severity. As resilient as human life is, we are way too close to the top of the food chain. Maybe the Middle East knows something we are too fat headed to, maybe they are simplifying things along tribal and idealogical lines, to make clean fiefdoms ahead of the collapse they have planned for the pesky west. Maybe it is obvious to more pragmatic sorts, anyway.

Keep in mind a lot of my thinking is metaphoric, rather than delusional.
posted by Oyéah at 9:10 PM on February 20, 2015


Don't dis on the importance of Mars and the Skinny Moon, that is one of my favorite spring things when those planets hang like bangles out over the lake.
posted by Oyéah at 9:13 PM on February 20, 2015


He had a program that could cause dread and depression, interesting all the apps you can get these days.

Metafilter has an app now?
posted by wierdo at 9:16 PM on February 20, 2015


import android.app.Activity;
import android.os.Bundle;
import com.phonegap.*;

public class MetafilterApp extends DroidGap {
@Override
public void onCreate() {
super.loadUrl("http://www.metafilter.com");}}


Now it does.
posted by clarknova at 12:49 AM on February 21, 2015 [3 favorites]


what's stopping someone from just planting [an IMSI catcher] near a Muslim community center, or an anti-police demonstration, and hoovering up all traffic from mobile devices in the area for later decryption?

Nothing, and it's been happening for a while.
posted by yoHighness at 8:02 AM on February 21, 2015 [1 favorite]


"The trouble with everyone using encryption designed by experts is that it provides a predictable means for everything to be owned.

"Everyone says RSA is the best." "Oh well let's use RSA then." "Elliptical curve is better." "Oh well let's just adopt this NIST recommendation then."

The problem isn't mathematics, or the intelligence of encryption designers. Back in pre-history tribes used to make long, long walls that started out far, far apart. They would drive animals between these walls. The animals were unaware that the walls converged in the distance.

Still works.
"

What does this comment actually mean?

People should use crypto designed by experts. It is safe and when experts find flaws in some of the methods they make those flaws known and thus people change methods. There's a reason why the NSA has to steal keys and such and that's because a lot of crypto actually does work.
posted by I-baLL at 8:42 AM on February 23, 2015 [1 favorite]


I've dealt with amateur crypto a few times, and it's terrible. Crypto is hard, few people are going to get it right the first time.

Very true. But it can be done, Voynich is proof positive.
posted by Twang at 8:21 PM on February 23, 2015


I've dealt with amateur crypto a few times, and it's terrible. Crypto is hard, few people are going to get it right the first time.

Isn't there a story —  possibly apocryphal — about the OpenSSL crypto library being written initially by someone who wanted to learn the C language?
posted by a lungful of dragon at 9:25 PM on February 24, 2015


You might be thinking of PHP.
posted by rhizome at 9:44 PM on February 24, 2015


Someone else make an FPP about the drama being unfolded by AlJazeera regarding other nation's agencies and their intelligent hijinks.

In the meantime, this is as good as place as any to ask this question. When they have gotten to the point that they have real time control over your tweet or your access to a website, and you can sit there and watch their shenanigans, one wonders what is going through their minds regarding all this?

By this I mean all the news being spilled about all the leaks and all the knowledge now available to the public.

Would it have any impact at all on curbing their actions or sending them in hiding again or are they so well spread out and so powerful given their reach and spread and technological abilities that they don't care to pretend anymore or even need to hide their capabilities and capacities? That they can pinpoint and spear one specific amoeba out of the wriggling billions? And this makes them god?

Just wondering...
posted by infini at 4:09 AM on February 25, 2015


No, the Gemalto hack "only" gives access to GSM encrypted calls, they'd still need to individually attack your phone with a software/hardware exploit to, for example, read your PGP encrypted email (assuming you decrypt it in that device).

Yeah, about that: a key on the SIM card is used to push software updates
"Each SIM card gets its own OTA key, typically used to remotely install updates. Manufacturers can send a binary text message directly to the SIM card, and as long as it's signed with the proper OTA key, the card will install the attached software without question."
posted by rhizome at 12:27 PM on February 26, 2015 [2 favorites]


Voynich is proof positive.

Current theory is Voynich probably is natural language in a dead script.
posted by clarknova at 9:57 PM on March 7, 2015 [2 favorites]


Voynich is proof positive.

No, it's not, for several reasons: first because it's not clear that it's an encrypted message—it could be a steganographic message, could be random gibberish, etc.; second because it could be an instance of a one-time-pad or book cipher, which are not particularly hard to use and are impossible to break if used once, the difficulty comes with their repeated use and with key management as part of a cryptosystem, which the Voynich Manuscript isn't evidence of per se; third, it's somewhat unfair to call the unknown author of the Manuscript an "amateur", if indeed it is a true ciphertext—the Italian Renaissance could have been a rather hostile environment for cryptographic systems and served as motivation for someone to put some serious effort into what was then, and remains, a very hard problem.

It is not especially difficult for an amateur to encode a single message in a secure fashion, if you allow one-time pads. You just need a random source (26-sided die or equivalent, bingo balls, etc., suitable for randomly choosing an alphabetic letter), a conversion table (a 26x26 matrix for quickly doing MOD26 addition without tedious letter-number conversion, i.e. A+A=B, A+B=C, B+B=D, etc.), and your plaintext. For each letter you roll the die and write down the rolled value and then look at the chart, writing down the ciphertext. It's quite quick, actually. Where you separate the professionals isn't in the message encipherment, it's with how you then transmit the key to the destination. That's the hard part. And generally speaking, it's not the algorithm that is difficult, it's the implementation.
posted by Kadin2048 at 11:09 AM on March 8, 2015 [3 favorites]




« Older The Sun sets on "Fox News of the North."   |   Jose Mourinho 46 Minute Documentary Newer »


This thread has been archived and is closed to new comments