State-sponsored backdoors have been mainstream for decades. Practically every major piece of software and hardware that's not open source has a backdoor embedded.
Even popular anti-virus programs on Windows have been jimmied to allow state-sponsored malware through.
> Practically every major piece of software and hardware that's not open source has a backdoor embedded.
[citation needed], and I mean a credible one with evidence, not tinfoil-hat raving.
Yes, we know that three-letter agencies look for, and probably have a stash of, zero-days for covert access. And they also do physical attacks wherever possible (like fiber taps at Google's datacenters). But those are two very different things from backdoors built in with the cooperation of the vendor. And despite how many people on the Internet treat "companies build in gov't backdoors" as just unquestioned fact, I've never actually seen any proof.
I dunno. Before Snowden, a lot of nasty stuff that we now take for granted the intelligence community does, was seen as "tin foil hat." After Snowden, I no longer doubt the possibility of any realistically imaginable attack, ie, assume that if they have the physical ability to do it, you should assume they do it and are not stopped by any ethical concerns.
Our intelligence apparatus has cried wolf too many times, in terms of denying they do something and then it turns out they do it, to be trusted anymore. They've lost the benefit of the doubt and if they don't want people believing all the tin foil hat things, maybe they should stop doing so many of them.
> Before Snowden, a lot of nasty stuff that we now take for granted the intelligence community does, was seen as "tin foil hat."
This is true, but using it as a justification for "And therefore, my theory about what the intelligence community is doing is correct and does not need evidence" is a non sequitur fallacy that has become depressingly common in recent years. You still need evidence for individual allegations.
To show you what I mean, suppose I were to say, "The NSA has a constellation of mind-control satellites built with help from the lizard men!", and then responded to the deserved skepticism with "A lot of things that used to be tinfoil hat theories we now know to be true thanks to Snowden, so this is too!". That's obviously fallacious reasoning, but it's exactly what people are doing when they toss around allegations of backdoors with no proof. Again: there's no shortcut around the need for evidence.
> After Snowden, I no longer doubt the possibility of any realistically imaginable attack ie, assume that if they have the physical ability to do it, you should assume they do it and are not stopped by any ethical concerns.
I agree completely, but that's not what I, or the person I replied to, was talking about. The issue I was addressing in my comment was whether their backdoors are being built with the knowledge and cooperation of the vendors, which is very much unknown. Attacks like taps on cables are orthogonal to what I was saying.
There's merit in just pondering. This is a message board not a legal proceeding. What you're saying isn't totally orthogonal. I'm often surprised at how terrible modern software is. I suspect they actively subvert and displace popular software that they can't hack. Most hacks are probably generic exploits of library code. I imagine they economized. They wanted Total Information Awareness. I can't prove any of this; it just seems sensible. He's doing a red team analysis. It's not of the same form of thought. You can't invalidate it with the arguments you're making except for in some logical domain or something. It's not a true/false statement. It's not even fuzzy.
I agree! And I don't mind pondering, as long as it's clearly marked as such. I do mind statements like "Practically every major piece of software and hardware that's not open source has a backdoor embedded" presented as established fact when they are not.
A vulnerability is a back door. The only problem I have with that statement is its exclusion of open-source software. It's got more back doors embedded in it than closed-source software.
Jimmy: a short crowbar used by a burglar to force open a window or door.
He didn't necessarily say it was collusion but I suppose it's fair to clarify. It seems narrow to suggest it's just a stash of 0-days. I suspect they've been heavily yet covertly involved in the popular software tool-chains and computing hardware.
Not what I said. I said "realistically imaginable attack" ie ethics is the only thing hypothetically stopping them, not lack of fantasy technology. See if you can come up with a counterexample that actually meets that hurdle.
Mind control satellites and lizard men are both so far away from our current science and technology that even assuming the NSA could be a few years ahead, it's not worth considering. If there really were mind control satellites or similar precursor technology available or in research today, and there were lizard men who had a history of being good at working with those and willing to sell their skills, then I would agree that it's plausible they're doing it.
Also, I'm more interested in the /practical/ applications of this knowledge of whether the intelligence community does a certain thing X, not the philosophical certainty of whether they do a thing X. You lock your doors because someone /might/ break in /maybe/, not because you're certain John Doe is planning on doing so at 4:30am tonight. Even if no one ever does, it's certainly technically possible, so if locks are cheap it's a reasonable tradeoff, even if you'll never be sure if they really helped.
You're probably right though that I'm moving the goalposts around! :-) I'm not trying to have a formal debate, just idly shooting the shit on the net, so I'm OK with that.
Intel Active Management Technology fits the bill[1]. An out-of-band processor on select chips. Most likely it's on all the chips and only activated for consumers on the vPro and certain Xeon models.
Yes, but I wouldn't class that as building in a backdoor to a specific "major piece of software and hardware" or software and hardware range, I would class it as industrial sabotage on a more subtle and general scale. Equally pernicious but not the claim that is being made.
The pedantry around here can be infuriating sometimes. You take issue with my strictly true comment, and ignore Analemma_'s comment upthread (every product) which is strictly false.
The clue is in the name. It's a library, it is both the work of one company and used in many products, which is why it is suspected that it was targeted. You're both right. GP is not being pedantic.
Regarding PRISM cooperation, I'm not sure where your doubt is coming from there.
http://imgur.com/a/wRKtL
The slide was explicit, and is now many years out of date so without doubt the number of providers has increased. The means by which these provider agreements are reached is well known (National Security Letters) as is the fact that organizations are fully barred from disclosing their existence.
It was fiber taps between Google Datacenters overseas. The implication being that if your location history, emails, photos, secret diary, or what have you is transferred overseas at any point then you automatically have no more rights to privacy than a suspected terrorist.
If everything has a backdoor, then why would NSA need to stockpile 0-day bugs? Why would they need such a big TAO division? If they had a backdoor they would just use that.
"If everything has a backdoor, then why would NSA need to stockpile 0-day bugs? Why would they need such a big TAO division? If they had a backdoor they would just use that."
That argument is not true. Spy non-fiction taught me that intelligence services sort of rate their capabilities on what intel they can bring plus how secret they must remain. The idea being a capability might be so good and so hard to replace that you only use it on highest-risk cases that nothing else works on. Additionally, lower clearances will have a greater number of infiltrators. They should see less than higher clearances to reduce damage of leaks. Further, I predicted that the tools themselves were developed in Special Access Programs (SAPs) that compartmentalized away from even TS clearances then selectively released to them. Sentry Eagle et al confirmed my prediction.
You can actually see the bullshitting in progress if you look at that. Each level of clearance is told something different with the lower levels often getting lied to with only highest getting the truth. In one case, it was implied they were attempting to use supercomputers against crypto then TS/SCI version said they got companies to backdoor it. Quite the difference. ;)
The GP post claims that every closed-source product is perpetually backdoored. If this were true, then there would be no way to detect backdoor access, and no way to deny it short of going 100% open source, which is simply not possible for large corporations.
What you describe is how intelligence services actually work to develop and protect real tools for access. What the GP claims is a fantasy in which such work is not necessary.
"The GP post claims that every closed-source product is perpetually backdoored."
I agree that's a crap claim. Tried to provide alternative that showed situation is almost as bad as crap claims like that with 0-days. What overlap I did see was the emanation threat. That secrets leak out of any device and TEMPEST protection of them is illegal means that they are all backdoored for that in practice. Good news is it's a highly-specialist attack only a few countries know how to do that requires targeting and close proximity. Other good news is that smartcards and EM compatibility testing reinvented some defensive practices.