Feeds

back to article PRISM snitch claims NSA hacked Chinese targets since 2009

PRISM snitch Edward Snowden now claims to have data which proves the NSA has been hacking hundreds of civilian targets in China and Hong Kong since 2009. Public officials, businesses and students as well as the Chinese University of Hong Kong were among the targets in the former British colony, Snowden told the South China …

COMMENTS

This topic is closed for new posts.

This post has been deleted by a moderator

Bronze badge

Re: Conspiracy theoriest right all along

Just as bugs routinely creep into open source without being noticed, security holes can creep into open source without being noticed.

5
3
Stop

Re: Conspiracy theoriest right all along

@ Eadon, re. open source.

As we know, closed-source (proprietary) software forces its users to trust the vendor when claims of security and freedom from back doors are made.

Your statement is based on the fact that open source software, by publishing the source code, makes it possible for anyone to inspect that source code, and thereby uncover security or other issues in the software, right?

This may sound like a pretty sweet deal, but it isn’t.

Publishing source code only provides the POSSIBILITY that it will be inspected or audited. It’s virtually impossible to find reliable audit information for an arbitrary piece of open source software.

That leaves the user to trust that the software was reviewed, that the reviewer possessed the skills required to conduct the audit, and that the reviewer’s audit was rigorous and complete.

In other words, whether open or closed source, you're basing your decision on trust. You're better off using Wireshark than being a poster child of the Khomeini Effect - the True Believer who shouts "Open source or die!", without considering practical realities.

6
3
Anonymous Coward

Re: Conspiracy theoriest right all along

Publishing source code only provides the POSSIBILITY that it will be inspected or audited. It’s virtually impossible to find reliable audit information for an arbitrary piece of open source software.

Thanks for stating my exact thoughts. Don't get me wrong - I like a lot of Open Source software and have been a long time user of Linux, but glib assurances are my pet hate (along with the inevitable "you have the code, so go fix it yourself" answer that end users receive when they have the nerve to point out a deficiency of ask for a feature).

Maybe also remark that making a secure system which passes all sorts of white hat tests doesn't make a secure system in practice if it's implemented using insecure comms..

3
0
Silver badge

Re: Conspiracy theoriest right all along

Spearchucker is quite correct here Eadon. Ken Thompson provides a nice introduction titled Reflections on Trusting Trust, it's a quick read and well worth the time.

3
0
Bronze badge

@WatAWorld

...bugs routinely creep into open source without being noticed

Yes, as a contrast, with proprietary software bugs don't creep into the code ... until they get spotted actively exploited in the wild.

1
0
Silver badge

Re: Conspiracy theoriest right all along @ AC 10:48

I have to agree with both sides on this, but I tend to support Eadon's point of view.

It is indeed only a possibility that the inspection would be done, but it can be done, and as all projects store their code in publicly available source code control systems (Git, Subversion, CVS or the like), it should be possible to work out when bits of code made it into the source tree. This is not a glib assertion, but a real possibility. Couple this with the fact that in order to have changes accepted to the primary code-tree of most OSS projects, any rogue must convince the moderators of the project to trust them in the first place.

The mere fact that there are these controls will dissuade some rogues from attempting it, although it is always possible for a skilled programmer to code something that looks innocuous to a cursory inspection that does something other than it's stated purpose.

I'm sure that if a back-door was to be found in, for example, the Linux kernel, that there would immediately be a rush of people and organisations who would commit serious effort into auditing the code, and anything found would be expunged very quickly, and the rogue exposed.

Contrast this to close source, and even if it were proved that such a back door existed in a product, any audit would be at the vendors discretion, and if they are complicit in the back-door, you haven't a chance in hell of doing anything about it.

It really annoys me when someone knocks back the "you have the code, so go fix it yourself" statements. OK, I know that not everybody has the skills, and often the statement is made in a harsh way, but at the end of the day, there is no compulsion on the code maintainers to do anything when there is a perceived deficiency. Often they are working on their own time and expense.

What is being pointed out by the "fix it yourself" statement is that maybe, just maybe, users should take some responsibility and contribute in some way (time, money, equipment etc.) to a project, rather than just whingeing. Too many users of Free software feel that the fact they are using it entitles them to some special access to the maintainers, almost as if they had bought it!

With the current state of Free Software, any free support you get will absolutely always be of greater value than the money you paid for it, even it it does not fix the problem!

3
0
Black Helicopters

Another conspiracy theory for you...

Since anyone can commit code to an open source project, it's easier for governments to deliberately introduce security vulnerabilities into the code-base by paying / corrupting a contributing developer to do so on their behalf.

0
1
Bronze badge
Black Helicopters

Re: Conspiracy theoriest right all along

Unless you're using the version of Wireshark that ignores traffic with the Evil Bit set (RFC 3514).

1
0
Silver badge

Re: Another conspiracy theory for you... @YARR

It is not the case that anybody can commit code to an open source project. Open source projects to not run like open access Wikis.

Most projects are moderated, so any change has to be agreed by the moderator. For example, I challenge you to get a fix into the Linux kernel without having to convince Linus that it is worthwhile.

1
0
Alert

Cisco ? This is Huawei calling ..

.. because if there's going to be trapdoors in the internet backbone then by god, they'll be honest god-fearing capitalist trapdoors. We'll have none of this commie crap thank you.

18
0
Bronze badge
Unhappy

Express incredulity

Having worked on a backbone (back when OC48 was considered fat), I call B.S. on this.

Hacking a backbone router is theoretically possible (if the operator is dumb), but what on earth are you going to do with the traffic? You can't wiretap it off to some system you control without creating huge flows of data that are bloody obvious to even the dumbest operator.

You could theoretically enable flow reporting (e.g. NetFlow), but that only tells you source IP/port and destination IP/port and traffic volume, not the all so important contents. Also, any competent operator should spot this.

The FBI got away with Carnivore because it put the boxes on the backbone and captured the traffic locally (and with the co-operation of the ISP in question). Doing so without the co-operation of the ISP strikes me as stretching credulity beyond breaking.

7
1

This post has been deleted by its author

Re: Express incredulity

I think we'd be talking about fibre taps leading off to very specialised passive bit snarfers, not NetFlow and the like. No science fiction there, and as another comment said, traffic sampling would help identify targets for more focussed snarfing where NetFlow might suffice.

5
0
Anonymous Coward

Re: Express credulity

Yes, but if the ever-expanding STC/ILETS worldwide MoU 'lawful enforcement' DPI systems have an inbuilt Trideaworks backdoor to the NSA (à la CryptoAG), this could easily explain the Layer 8 access to all our private data?

2
0
Bronze badge

Re: Express incredulity

@Yes Me

Fibre splitters are hardly hacking, and unless you do it in the middle of nowhere they're bloody obvious. Even if you do it in the middle of nowhere you can often spot the loss of light

2
0

Really...

See

http://www.theregister.co.uk/2007/04/25/optical_hacking/

and also the bit

The scenario of optical hacking might appear like the fodder from Hollywood hacksploitation flicks rather than a practical threat. However, Infoguard said that in 2003 an illegal eavesdropping device was found attached to Verizon's network. Investigators probing the hack reckoned it was motivated by an attempt to access the quarterly statements of a mutual fund company. The perps were never identified.

Draw your own conclusions.

5
0
Anonymous Coward

Re: Express incredulity

Hacking a backbone router is theoretically possible (if the operator is dumb), but what on earth are you going to do with the traffic? You can't wiretap it off to some system you control without creating huge flows of data that are bloody obvious to even the dumbest operator.

I haven't looked at this of late (because I no longer live in ISP land), but I recall a huge fuss about some creativity with BGP routing that caused most Internet traffic to go through the US although that was not the most efficient route. It may be worth examining the BGP map for other such hotspots - I wouldn't put it past the US to install some "help" elsewhere on the planet.

This would give you intercept without too much trouble.

As for data tapping slowing down traffic, that's very much past tense, I have worked with wirespeed data taps (10GB ethernet) which were capable of analysing data real time (they are used in corporate fraud detection exercises). As WAN speeds tend to be lower, this sort of kit is capable of filtering an entry/exit point of a whole nation.

2
0
Silver badge
Meh

Yeah, but no but yeah

I've always operated under the expectation that everything I do on the net is discoverable, somehow.

Therefore: no Faceberk, etc.

3
0
Silver badge

Re: Yeah, but no but yeah

But it's important to create a Faceberk profile with regular innocent/mindless activity, or they'll think you're trying to hide something and put you under closer scrutiny.

11
0
Anonymous Coward

Re: Yeah, but no but yeah

Unless your in college, what and where you post in forums is just as dangerous, if not more so, than what we post in FB.

"Ten years ago on13th June 2013 05:07 GMT you posted on dissident website theregister.co.uk using userid Winkypop."

"Would you like to come clean about what other dissident websites have you been posting to?" you're questioner asks, while patting a 2" thick stack of paper.

Who knows, the way things are going in 10 years one or the other of either the "left of center*" nytimes.com or "right of center**" Wall Street Journal wsj.com may well be considered dissident websites.

* left of center by US standards, right of center by EU standards.

** right of center by US standards, right wing by EU standards.

2
1
Silver badge
Headmaster

Re: Yeah, but no but yeah

Wow - using *both* "your" and "you're" incorrectly in the same message! Impressive!

3
0
Anonymous Coward

Re: Yeah, but no but yeah

Wow - using *both* "your" and "you're" incorrectly in the same message! Impressive!

Pats on stack of paper and opens a dossier.

"Now, let me see, hmm. On Thursday June 13th, you were being overly pedantic. Correct, but pedantic. ADMIT IT. YOU ARE A GRAMMAR NAZI. WE HAVE YOUR MEASURE. WE HAVE THE EVIDENCE. CONFESS...

Or, of course, you could collaborate with us, and maybe we won't make you correct college student papers that will drive you insane with their spelling. Bwahahahaa"

Or something like that. Needs a cat somewhere.

2
0
Anonymous Coward

Re: Yeah, but no but yeah

a la Agent Smith: "... What good is a phone call if... you're.... un....able.... to.... speakkkk?"

0
0
Silver badge
Mushroom

Oh ffs. The Merkins spy on the Chinese. THe Merkins spy on the Russians, the Iranians, the Israelis, the British, everybody. The Chinese spy on the Merkins, the British, the Iranians, everybody. Everybody spies on everybody.

And to paraphrase Yes, Prime Minister: we know they spy, and we know they know we spy; we know they know we know they know, and although they all probably certainly know that they all probably spy, they don’t certainly know that, although they probably spy, there is no probability that everyone else certainly doesn't know everyone spies.

2
0
Anonymous Coward

whats in a name...

Mr Snowden, if that is his real 'ex-cia' name, might be said to now be at the 'pinnacle' or 'peak' of his career...?

Odd name for an American though....rearranging letters does lead to wonder at 'Ned Nose Drawn' maybe 'pinocchio' springs to mind?

0
2
Black Helicopters

Re: whats in a name...

D'aw, Nerds Owned.

0
0
Bronze badge
Paris Hilton

"However, Chinese military targets apparently weren’t among those shown in the data and there’s no additional info in the story about exactly what level of access these attacks gave the NSA."

My guess is that all military, political or diplomacy related chatter went to dedicated departments and not mixed up with general stuff.

1
0
Anonymous Coward

"If the locals rally around Snowden in big enough numbers as a kind of cause celebre of free speech then it may become even trickier for Washington to displace him."

Huh? If the American government respected the wishes of their people they would not have done the PRISM program to begin with.

Snowden will be hammered down hard; if nothing else, as an example to anyone else who is thinking of circumventing OPSEC in the future. How many signatures of support did Bradley Manning get? I admire Snowden's conviction, but a list of names on a petition will not stop the fury of the US Gov after being embarrassed and shamed in front of the world.

5
0
Anonymous Coward

I hope the snitch is correct

The Chinese have been hacking U.S. targets for at least that long.

0
1
Bronze badge
Paris Hilton

Apologies to all ...

... I know quite a lot of my posts are about the detriment of UK (un)civil servants but are we really seeing the rise of a publicly funded class that operates to the detriment of the public?

Is there any correlation between financial crashes and public expenditure on public servants?

(There seems to be a social phenomena on the go and I accept my observations might be faulty.)

0
0
Bronze badge

ROFLMAO!

Want to know what is so funny?

The *only* people who didn't know this is the public of the world.

The PRC knew it far too well. So did the US of what the PRC was doing.

Don't know, nor care, who started it, but it's like the hottest part of the cold war right now online.

As part of my network security role, I reviewed the daily intelligence briefs on known threats and actors. Due to those readings, I'd learn of a new attack in the works and, in phishing instances (many were phishing or spear phishing, targeted on DoD personnel), I'd adjust our mail filter to trap them.

In one instance, I went on vacation and checked my webmail at the base. I saw over 300 attacks and climbing in the logs, so I made an international call to my partner and inquired if he saw it and if it was the attack warned about.

It was. After significant examination of the quarantine, there were zero false positives.

A five second regex entry defeated the most effective and successful PRC cyber unit.

One interestingly enough, who I knew the name, address, phone number, photographic image of the commander and his girlfriend's picture, address, phone number and place of work. As well as said commander's work address.

No, I'll not reveal the source. I don't want to be sitting in the cell next to Manning. But, it was totally laughable.

I'll give the PRC due credit, they have folks who speak fluent American. They're incredibly clever. Worse, they have people who think outside of the box, whatever that thing is.

I'd still be doing that job, but my father started to ignore both his medications and congestive heart failure. So, I returned home from my contract, after I retired from wearing tree looking clothing.

A much preferable employment. Nobody tried to kill me, save on the highways, I didn't try to kill anyone. In short, a parent's paradise. Peace and quiet.

Save when a round came tumbling through my car window one morning, but then, that nation recently permitted a gun shop to open. With predictable results.

No, not an increase in armed robberies, an increase in idiots shooting and thinking that lead dissolves after passing some imaginary boundary or something.

Well, good night all, or good day to you across the pond. It's insanely late here and I need my four hours of sleep. Have to take my father to his first doctor's appointment after a lengthy hospitalization and rehabilitation.

And get a referral to have his hand and wrist x-rayed for a possible fracture after I helped him up after he fell after a dialysis session. Probably nothing, but his discomfort is something worthy of concern, as I've witnessed him being hit flat on by a backhoe bucket and thrown two meters (had to translate over ten feet in American here), whereupon he got up, picked up his shovel, looked at the cab with resolve and the operator ran off and wasn't to be found for three days.

Now, I'm uncertain if the crepitus I felt was due to his osteoarthritis or due to a significant mechanism of injury, my hand grasping his to help him up.

I suspect it's simple bruising, due to his last bone density scan.

But, one cannot be certain with geriatric patients.

Something I learned in my years visiting villages as a US military serviceman, running a small clinic. Wearing a green hat that didn't hide the sun, was heavy when it rained, was worthless as a hat for anything but parades.

A badge it was, one that proved that we were slightly smarter than a bag of hammers and incapable of quitting.

2
0
Bronze badge

semper wotsits?

0
0
This topic is closed for new posts.