NSA roundup (and social engineering, Schneier quotes, engineering education)

Thanks to an increase in “global interdependence,” we now live in what the NSA calls “the golden age of SIGINT.”

You know, it’s funny — ages ago, probably writing under the influence of Cuban intelligence, Philip Agee wrote that the famously aggressive spies of the Communist states were actually far less aggressive than the West.

But we’ve never actually had data to back that up… until now.

It turns out that the NSA has trojans “implanted” in FIFTY THOUSAND computers worldwide… all waiting silently to be activated in a time of need. [1] I wonder if that’s why #badBIOS is designed like, well, a very stealthy electronic cancer?

Similarly, they have “covert, clandestine, or cooperative” accesses at 20 high-speed optical cable points worldwide… and yes, there’s a nice convenient map of where. Notably, EVERY SINGLE PACKET going to or from Australia is tracked by the NSA!

(There are also 3rd party liaison relationships with more than 30 countries, not listed.)

Don’t get me wrong. The Russians, Chinese, and Israelis are no slouches either, and I would be interested to see a similar map for their operations.

But, when you look at the “American mindset,” as exemplified by Ford, Wal-Mart, McDonald’s, and the entire business of WWII war production… nobody does “you’ve gotta be shitting me” scale quite like the Americans. (Even if it does compromise quality, that’s not the point — it’s like poker strategy, as long as you win more than you lose it’s OK.)

Of course, this mindset lends itself nicely to more MORE MOAR, and surprise! the NSA wants more power. [3] Does anyone ever want less?

That last doc also has a few more neat statements… like one way they’re working on crypto? BULLRUN is indeed standard policy. Influencing “the global commercial encryption market through commercial relationships, human spies and intelligence partners in other countries.”

Plus, driving “the state of the art for high performance computing to maintain pre-eminent cryptanalytic capability for the nation.”

As for overseas crypto developers, like, say, Germany, or Brazil’s new efforts? The NSA believes it must “‘counter indigenous cryptographic programs by targeting their industrial bases with all available Sigint and Humint’ — human intelligence, meaning spies.”

Oh, and the US official reaction to all this? Give the NSA another $75 million… to stop future Snowdens.[2]

[1] http://www.nrc.nl/nieuws/2013/11/23/nsa-infected-50000-computer-networks-with-malicious-software/

[2] http://arstechnica.com/tech-policy/2013/11/house-intel-bill-adds-75-million-to-nsa-budget-to-stop-future-snowdens/

[3] http://www.nytimes.com/2013/11/23/us/politics/nsa-report-outlined-goals-for-more-power.html
PDF: http://freesnowden.is/wp-content/uploads/2013/11/2012-2016-sigint-strategy-23-feb-12.pdf

Social engineering:

READ THIS QUOTE. Critical for understanding why people in the covert business act the way they do. (“You guys talk more and say less than anybody.” –Estabrooks, to an intelligence man)

Also critical for understanding why when German journalists started investigating the US presence in Germany, they found the American spies far more talkative than the German ones.

“I cloak [keep people from reading me] through what I think is the best strategy ever: giving information. Using the truth or true situations to assure someone of their incorrect premises or lead them away from the ones you don’t want them to make.

If you don’t give information, that doesn’t make your more subtle readable signs any less readable. But if you give people a context or excess information, then you can start piecing together a picture of you that you want, you Agree with.”

http://www.reddit.com/r/SocialEngineering/comments/1r949i/teach_me_how_to_cloak_when_people_try_to_read_me/cdku71j

Schneier quotes:

“One of the most important things we’ve learned from the Snowden documents is that NSA surveillance is robust: technically, legally, and politically. I can count three different ways the NSA has to get at Google user data, for example. Those three different ways use different legal authorities and different technical capabilities. What this means is that any law that targets a particular program or a particular legal authority is likely to be ineffective.”
http://www.reddit.com/r/IAmA/comments/1r8ibh/iama_security_technologist_and_author_bruce/cdkoqcs?context=3

“The two things that interest me the most right now are packet injection attacks from the backbone and traffic shaping by maliciously using BGP. The first one because I know the NSA is doing it, and the second because I believe it is doing it.”
http://www.reddit.com/r/IAmA/comments/1r8ibh/iama_security_technologist_and_author_bruce/cdknufo?context=3

Engineering education:

An engineering education teaches you to ignore social issues… is anyone surprised that the people who could actually create change are taught to perish the thought?
http://spectrum.ieee.org/tech-talk/at-work/education/engineering-education-may-leave-students-apathetic-about-social-issues
