Inside the shadow world of commercialised spook spyware

Western and Chinese high-tech companies are competing aggressively to sell, install and manage intrusive and dangerous internet surveillance and communications control equipment for the world’s most brutal regimes, a six-month investigation has found. During 2011, investigators from Privacy International, a London-based NGO, …

COMMENTS

This topic is closed for new posts.
  1. James 51

    I thought that carrierIQ has the mobile market sewn up but the rest of that stuff is fairly scary. Looks like Moscow rules, rules.

  2. Ben Liddicott
    Big Brother

    The question is not do we want this spy infrastructure

    No, the question is: Do we want spy infrastructure installed and controlled by US, UK and our allies, or by the Chinese?

    Embargos and boycotts will just hand the field to the opposition - just as the arms embargo on South Africa gifted them some of the best arms industries in the world. An arms embargo can only work for as long as it takes to build a factory.

    1. Homer 1
      Pirate

      I'll take the Chinese, thanks.

      I've seen what western governments think of their citizens' rights to things like privacy, freedom of expression, public demonstration, investigative journalism and fair use, and frankly they're not any better than the Chinese.

      At least China doesn't have any legal jurisdiction over us, therefore they don't pose the threat of prosecution and/or being kicked off the Internet for saying the wrong thing or visiting the wrong Website. I'm sure Chinese ideology poses a great threat to the 1% elite who own all the power and wealth, though, but AFAIAC it doesn't pose much of a threat to me, nor I suspect the rest of the 99%. We might even end up better off. I doubt they could do a worse job than the bailed-out bankers who've destroyed our society thus far.

      Let them spy away, and good luck to them. I'd trust them sooner than I'd trust the corporate-owned governments of the west, any day.

      1. Anonymous Coward
        Anonymous Coward

        @Homer 1

        +1 for you Good Sir.

    2. John Smith 19 Gold badge
      FAIL

      @Ben Liddicott

      "No, the question is: Do we want spy infrastructure installed and controlled by US, UK and our allies, or by the Chinese?"

      The question is precisely do we want it and (if we do not) *who* does?

      The answer is anyone who fears their *own* people.

      Any bureaucrat who simply *must* know everything, about everyone, forever. The capability is *grossly* disproportionate to the threat it *claims* to combat. And all of these products will have a "threat" that they *claim* to handle.

      Stated like that it is seen not so much as a policy but more a psychosis. I've called it a data fetish, but this is nowhere near as harmless as most fetishes.

    3. disposable

      is that you bill?

      are you sure your name isn't bill o'reilly? how can you call anybody who spies on you an ally?

  3. Anonymous Coward
    Anonymous Coward

    '“Why is the government allowing space to people like Gamma Group, whose equipment helps destroy human rights abroad?” King asked.'

    Maybe because it's not just abroad that their equipment is being used..

    1. c3
      Holmes

      Because money

      Money is always the correct answer. It all eventually gets down to money.

    2. Destroy All Monsters Silver badge
      Big Brother

      HAVE FAITH!

      IN OBAMA!

      I must not doubt. Doubt is the mind-killer. Doubt is the little-death that brings total obliteration. I will face my doubt. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the doubt has gone there will be nothing. Only surveillance and military detention will remain.

      1. Walking Turtle
        Big Brother

        Only surveillance and military detention will remain...

        ...Said National Security Profit Center Terrist Man'facturing Activ'ties being owned, staffed and operated by the Brownest Noses and Shirts Ever Spawned by the Corporatized NeoSocietal Mentality (and a few other Necessary Bits).

        F a d e to b-l-a-c-k. And that is all. 0{:-(o<

      2. perlcat
        Big Brother

        @Destroy All Monsters

        You're on the right track, Winston.

  4. Spearchucker Jones
    Stop

    "Even Google WOULDN'T give the answer to that question"

    There. Fixed that for you.

    1. Jaybus

      Re: "Even Google WOULDN'T give the answer to that question"

      That's a different conspiracy theory. Can you not allow the author a conspiracy theory of his own?

  5. a_been

    Skype network, secure, hmmm is this not coffee I have been drinking? Do Kool-Aid do coffee flavor now?

    1. Spearchucker Jones

      Security is relative.

      A home-brew, buggy base 64 pseudo-implementation is enough to deter casual drive-bys, which many see as good enough.

      If you want something that stands up to a focused and concerted attack you need to use software that has a decent security protocol (that means a robust orchestration of hashing, asymmetric and symmetric encryption, coupled with something like hardware-based key management and challenge/response).

      Skype's appeal is its low cost and convenience, not its security.

  6. Bakunin
    Big Brother

    A New Cold War

    I think the next few decades may well be remembered for the colossal (if clandestine) cat and mouse game between privacy and free communication, vs invasion and censorship.

    Unfortunately it's not as clear cut as the people vs nasty dictator. There are so many actors with different agendas involved - from governments to private enterprise to political groups to the average Joe - that it becomes a God awful mess. I think most people accept some need for criminal investigation to understand and deal with new technology. But before you know it the mantra of [protect the children / stop the terrorist] has become a de facto excuse for prying into every aspect of our lives (can you prove you haven't got any Reds under that bed?)

    The sad thing is the spread of technology that allows so many cultures and ideas to interact - which would be seen as an obviously good thing to any humane person - is seen by a minority 'in control' as a technology that must be lashed down and tamed lest the average person starts to get the idea that most of us are pretty much the same and perhaps we could do things differently. You know, in a much more cooperative way.

    But then turkeys never vote for Christmas do they.

  7. Mark 65

    BS

    I call salesman bullshit on a lot of these claims. Real time https breaking - bullshit, why are so many certificate issuers getting hit? That's the route. For Skype etc it's likely a trojan. They'd love you to think they can break the crypto rather than bug the pc, and pay for it accordingly. I guess being legally obliged to hand over crypto keys is just a cunning cover for them being able to crack it all anyhow.

    1. Michael Wojcik Silver badge

      Of course the sales reps misrepresent ...

      That's their job. I imagine the "decrypting HTTPS" claim from the CTC rep, when nailed down, would become something like "well, we put a trojan on the client machine, and then...". Obviously once an endpoint's been compromised, you don't need to break the crypto.

      In fact, as nearly everyone reputable in infosec points out all the time, the crypto is rarely what you want to attack. It's much easier to go through people and procedures. So yes, attacking or suborning the CAs; and also getting users to install malware, and breaking into machines through unpatched vulnerabilities, and so on. The mundane stuff is much easier to package as a fancy surveillance kit and sell to fat-wallet unethicals.

      If CTC had found a new vulnerability in SSL/TLS, or in common browser implementations, or in one of the commonly-used crypto primitives, they wouldn't be selling it at a trade show. The Chinese government would have kept it to themselves.

      But as King was careful to note, what's important aren't the specific claims; it's that there are a lot of these firms trying to peddle invasive tech (even if much of it is nothing but common-or-garden rootkits with a fancy UI slapped on top) to J Random Despot (and J Random Corporate Spy, and J Random News Outlet, etc).

  8. TakeTheSkyRoad

    So much for https then... though that was at least vaguely secure.

    Skype might be still unbroken since they said accounts had been hacked.

    That's not the same as intercepting an active encrypted conversation.

    PGP I still have faith in for now.

    But what about the very dodgy Tor network?

    If I was in charge at NSA I'd be trying to fill Tor with back doors.

    One wonders if the NSA could tap into fiber and comms sats in the 90s what are they doing today?

    1. Bakunin
      Black Helicopters

      Re: fill Tor with back doors.

      I would imagine by now the majority of TOR exit points are run by one intelligence service or another.

    2. Anonymous Coward
      Big Brother

      The NSA's first tap ...

      was with Microsoft's Windows OS. They "helped" Microsoft design the security portions of Windows, including adding a backdoor with two keys labelled "NSAKEYS", although Microsoft denies that the two addresses are a backdoor.

      But, as insecure as Windows is, a deliberate back door really isn't necessary.

  9. blade-runner
    Black Helicopters

    The Shadow Factory

    This book covers the NSA's activities in good detail up to the late 2000's, including the AT&T wiretapping. It's a really good read and gives you an idea of how much the US laughs at the idea of privacy.

    http://www.amazon.co.uk/Shadow-Factory-Ultra-Secret-Eavesdropping-America/dp/0307279391/ref=sr_1_1?ie=UTF8&qid=1322747180&sr=8-1

  10. fLaMePrOoF
    Black Helicopters

    Notice the hackingteam website has just gone off-line

    Looks like good ol' El Reg just unwittingly instigated a DDoS attack with this excellent article - the irony!!!

  11. Jason Terando
    Big Brother

    Commentard Silence

    If there was a reference to Apple or Google swimming down the bottom of the ocean to tap fiber and selling the capability to the highest bidder, this forum would have hundreds of posts. It is a little disheartening that people take this sort of institutional, pan-government sponsored attack on privacy for granted.

    Personally, I'm not surprised that this goes on in developed nations; I don't like it, but our privacy has been lost to corporate oligarchies for quite some time now. What scares me about this article is the proliferation of this tech to any regime on the face of the earth.

    It's not just Big Brother anymore, it's all of his little despotic nephews.

  12. Andrew Foster
    Big Brother

    The new arms market

    I'm really not very surprised to read that there are companies making money offering high tech spying kit to repressive regimes. It's just an extension of the traditional arms market where unscrupulous dealers would sell their high tech arms to whoever would pay them big money for it in a shadowy market dominated by spooks and former military personnel. Now, they're doing the same with high tech information gathering equipment that can be used just as effectively as arms to control and suppress. The only thing that puzzles me is that the name Dick Cheney hasn't yet reared its head in the investigations into this. I'd be shocked if Halliburton doesn't have a division devoted to just this kind of stuff.

  13. John Smith 19 Gold badge
    Happy

    I'd heard you need to build an FO reflectometer to tap a line without cutting it.

    Of course stripping the casing and laying the tap fibre around it is meant to be very difficult.

    1. Anonymous Coward
      Anonymous Coward

      The easiest way

      would, almost certainly, be to look for a booster/repeater station. On Transoceanic links there will be a good number of these- and you can guarantee that they're not going to be well defended aside from being really hard to get to.

      So deploy a specialised ROV, Diver, etc. Go to booster station. Open booster. Plug into booster's circuitry.

      All it needs is either a booster or someone who works at the booster manufacturer's factory to leak the schematics. Even vague details (e.g. is it running under pressure or in a housing?) from an engineer make it easier to break into.

  14. Christian Berger

    Ohh BTW

    http://gmr.osmocom.org/trac/

  15. Roberto99
    FAIL

    Um, really?

    There is one very important fact that we seem to be glossing over here: the PI representatives received all of this information from sales people. Snake oil peddlers have mostly been chased out of the defensive security industry, so guess where they have ended up? Does this field ("commercialised spyware") give the impression of competitiveness based on technical merit? Or, more probably, just a race to the heights of exaggeration and depths of greed? Is there really a significant number of brilliant engineers with no moral qualms willing to work for middling salaries on such dubious products?

    None of the technical claims presented are new or significant. Given the extremely poor security posture of most targets (using Skype, ridiculous password choices, etc), even amateurs will succeed most of the time. This is especially true of amateurs who happen to be governments or their contractors, and can do such things as invade physical spaces and telecommunications hubs with impunity.

    Just watch them try to help you attack a reasonably defended target, then you will realise why they have to sell so hard.

    1. Insane Reindeer
      Thumb Up

      Beat me to it!

      I'm going to be very interested to see the output from their investigation in more detail when it all goes live. That is if it all goes live.

      Also if this is what is being peddled around on the commercial market now then what do you suppose those agencies that pioneered all this technology are using now...

    2. Anonymous Coward
      Anonymous Coward

      "attack a reasonably defended target"

      with, for example, a man-in-the-middle attack based upon telco sited Deep Packet Inspection with use of abused digital certificates. yes I think I could masquerade as any given neutral bit of the internet and watch the early negotiation handshake of VPN tunnel setups etc. I'm pretty sure I could dump a RAT or two on at least 10% of your enterprise pointy-headed-bosses, unless they were **really** security paranoiacs cognisant of advanced persistent threats. And that's just the threat from the behavioural advertising industry I'm talking about!!!

    3. Anonymous Coward
      Anonymous Coward

      re. Um, really?

      "Is there really a significant number of brilliant engineers with no moral qualms willing to work for middling salaries on such dubious products?"

      I doubt if the brilliant engineers who developed the atomic bomb got stock options and massive salaries; there are lots of people who would do work like this just for the challenge. Also, it's not like the dodgy defence industry can't afford to pay top dollar either; their customers (governments) can just squeeze the oppressed masses a bit harder to pay the bill.

  16. Throatwobbler Mangrove

    BBC Radio

    File On 4 did a pretty good docco on this in September 2011 that covered a lot of the same ground: http://www.bbc.co.uk/programmes/b014q04r

  17. Stevie

    Bah!

    It seems an awful lot of expense and trouble to go through, given one putatively has government levels of cash to call upon.

    Wouldn't it be simpler to just float a company to buy up ISPs and install sniffers on the hardware, or to fund co-location outfits with black-hat techs on staff?

    I'd have thought the cost of running a physical brute force attack on a submarine cable would have most people looking at the suggester of this idea with an expression several degrees to the south of "askance".

  18. Christian Berger

    Actually

    Well first of all, satellite telephones have been intercepted by amateurs probably since the 1980s. Back then many phone circuits were analogue C-Band transmissions. There still are some. There's also easily available software to decode Inmarsat transmissions.

    As for Trojan horse software. I don't know if you have followed the developments in Germany. Just like with anything in IT, there's a _huge_ difference between advertisements and reality.

    GSM decryption has been proven to work. There are a lot of talks about it on Chaos Communication Congresses. With enough effort you can surely decrypt it in real-time. The main problem for amateurs is the hopping sequence, however if you can spend enough money you can simply monitor all channels.
