FOXACID Philosophy (and Edward Sandiego, I mean, Snowden)

From the “can not believe I didn’t cover this previously” deparment. Schneier has an excellent analysis of the Nut Sanctuary Abroad’s approach to caution and paranoia. Specifically:

Internally, the FOXACID “pick an explot any exploit” system uses a sophisticated internal risk-benefit calculus to pick which exploit to use. Not just using public exploits against a savvy target, but e.g using vulnerabilities that will soon be patched in higher-risk situations.

This still leaves the question of “where do they get hordes of skilled hackers to do the exploiting.” Yes, lots of hackers sell out, but even in a country where the malignant tentacles of national security are all-pervasive — most people know better.

Anyway, the solution turns out to be flow charts. Lots of really big flow charts.

If something’s weird, stop. If you spot a personal firewall, stop. Essentially, they did for hacking what McDonalds did for hamburgers.

This also ought to tell you something about how much they care about being caught… willing to stop because someone has a copy of McAfee? I’m guessing that means the hack just gets punted upstairs to someone that knows what they’re doing. So it’s kind of like tech support, except in reverse…

Schneier also gets within a hair’s breadth of McLuhan’s “secrecy is impossible at electric speed” by the end. If he’s right that *all* the NSA’s operations will come out eventually, we are in for one hell of an interesting ride.

Snowden has started meeting people:

The gathering was photographed by… wait, Wikileaks has a photographer and a Getty connection? First diplomats and now this! They’ve almost gone mainstream.


“Snowden explained this to Guardian reporter Glenn Greenwald in Hong Kong. If the target is a high-value one, FOXACID might run a rare zero-day exploit that it developed or purchased. If the target is technically sophisticated, FOXACID might decide that there’s too much chance for discovery, and keeping the zero-day exploit a secret is more important. If the target is a low-value one, FOXACID might run an exploit that’s less valuable. If the target is low-value and technically sophisticated, FOXACID might even run an already-known vulnerability.

We know that the NSA receives advance warning from Microsoft of vulnerabilities that will soon be patched; there’s not much of a loss if an exploit based on that vulnerability is discovered. FOXACID has tiers of exploits it can run, and uses a complicated trade-off system to determine which one to run against any particular target.

This cost-benefit analysis doesn’t end at successful exploitation. According to Snowden, the TAO — that’s Tailored Access Operations —
operators running the FOXACID system have a detailed flowchart, with tons of rules about when to stop. If something doesn’t work, stop. If they detect a PSP, a personal security product, stop. If anything goes weird, stop. This is how the NSA avoids detection, and also how it takes mid-level computer operators and turn them into what they call “cyberwarriors.” It’s not that they’re skilled hackers, it’s that the procedures do the work for them.

And they’re super cautious about what they do.

While the NSA excels at performing this cost-benefit analysis at the tactical level, it’s far less competent at doing the same thing at the policy level. The organization seems to be good enough at assessing the risk of discovery — for example, if the target of an intelligence-gathering effort discovers that effort — but to have completely ignored the risks of those efforts becoming front-page news.

It’s not just in the U.S., where newspapers are heavy with reports of the NSA spying on every Verizon customer, spying on domestic e-mail users, and secretly working to cripple commercial cryptography systems, but also around the world, most notably in Brazil, Belgium, and the European Union. All of these operations have caused significant blowback — for the NSA, for the U.S., and for the Internet as a whole.

The NSA spent decades operating in almost complete secrecy, but those days are over. As the corporate world learned years ago, secrets are hard to keep in the information age, and openness is a safer strategy. The tendency to classify everything means that the NSA won’t be able to sort what really needs to remain secret from everything else. The younger generation is more used to radical transparency than secrecy, and is less invested in the national security state. And whistleblowing is the civil disobedience of our time.”

%d bloggers like this: