We don't deny altering hardware. In fact, we (likely) install backdoors into hardware used by foreign intelligence targets; but don't worry, we're not interested in the casual user. As the US Government relies on commercial hardware, we make sure that only the US Government can access the backdoors. We're angry that this was made public, and we can't prove that it jeopardizes human lives.
It also sheds some new light on the "China-hardware is bad for you" media campaign that was run right before Snowden happened. It seems that not buying American means keeping the American intelligence community out of one's network.
But I guess you _actually_ can't trust the Chinese either. That doesn't leave many hardware vendors for heavy-duty network equipment to choose from.
Sure you can. The Chinese are 10,000 miles away and don't really care about Western domestic politics. It might be different if you are an arms or pharma company, but for the average citizen concerned about civil liberties, you really can trust the Chinese in this case.
China cares a great deal about Western politics. Their two biggest markets are the United States and Europe.
Check out the Chinese support of Hillary and Bill Clinton.
There has been a ton of illegal Chinese money all over US elections for decades. Read up on the scandals from the 1990's revolving around this, or the Chinese money that flowed to Hillary in 2008.
Obama.com is (was?) even owned by a money bundler out of China.
Or check out the Chinese hackers that targeted the Romney & Obama campaigns.
It is not about you and the government, but rather about hackers that found out and are digging for these government-approved exploits/backdoors/what-have-you. If they do alter different bits of hardware piece by piece then O.K., but somehow I doubt that's how this works; it would be too work-intensive and sloppy, error-prone.
This reminds me of a story about a TOR developer who suspected her keyboard from Amazon was intercepted and implanted, because the redirection was included in the delivery log. Seems quite likely it was, in light of Glenn's latest slides release.
The Dulles area is known as a hub for US spook-agency headquarters and activities.
It's not obvious though that this is suspicious - there's also a big airport there and it could be just a shipping facility. I guess the argument is that it is an unnecessary detour if it could have gone right to Alexandria.
I'd like to see (a) other CA shipments, say non-computer items, to Alexandria - and whether they go via Dulles and (b) a followup indicating whether Shepard found anything of interest.
How much hardware is actually made in the USA anymore? Most HW is manufactured in Taiwan, China, Korea, Thailand, Malaysia or maybe Mexico. I used to work for a router manufacturer that manufactured all of its equipment in Taiwan and Mexico. When we shipped to someone in Europe (for example) we shipped directly from Taiwan to Europe, not through the US. So I have to wonder how much of this stuff the NSA could actually get their hands on.
The other question I have is what happens when there is an RMA, or the equipment is sent back for repair? Might someone notice that it's been tampered with? We need more specifics to really understand what was going on here. So many questions, no real answers.
This is not based upon any particular knowledge or expertise, but upon many years of casual observation, general news reporting, and anecdote from friends and whomever: Given their position as well as long-standing ties both politically and militarily as well as economically, I have to -- in my own mind -- seriously question the independence of anything of real interest to the U.S., that's happening in Taiwan.
I don't mean that the Taiwanese aren't their own people with their own interests; nonetheless, I would expect to find their various systems rather thoroughly and effectively infiltrated.
Again, I don't have any real knowledge in this regard. I'd welcome more knowledgeable comments in response to mine.
I get the feeling that if every router was being intercepted, that picture would look more like a giant series of assembly lines rather than three people casually sitting around a Cisco box.
Guess I should've been clearer: any equipment they're interested in that ships from the US is at risk. They don't need to go after all equipment. They only need to go after equipment being shipped to backbone providers abroad, and specific targets they are interested in that are "tough to crack."
Further, if one believes that TAO is limiting themselves to terrorists buying Cisco equipment, I have a bridge to sell you. That's absurd considering they proudly boast about their economic espionage, their spying on activists such as Wikileaks supporters and other "radicals," and their partners bragging about how they DDoS IRC chat rooms of hacktivists.
I don't expect them to be limiting themselves to terrorists - they're a foreign intelligence agency. I expect them to be gathering info on foreign governments, militaries, etc. (along with spying on terrorists).
I've written about the NSA porno article before, so I'll just post the link to that thread[1]. The TLDR is that Greenwald seems to have left a good deal out of his reporting in order to both sensationalize and avoid discrediting his own argument. I haven't read his new book; maybe he addresses it in there.
No, but that's their justification the vast majority of the time. They don't limit it to foreign governments or militaries either. They do engage in economic espionage, fact. They do single out anyone they don't like, which isn't limited to terrorists in these campaigns: "radicals", among them Wikileaks supporters, fact.
Stewart Baker has discredited himself[1]; his opinion is worth jack shit frankly. I wouldn't trust anything he says, not only because he was behind many of these programs as counsel but also because of Eben Moglen's interactions with him during the almost-prosecution of Phil Zimmerman, and I suggest you do the same.
That the documents are 'sensationalized' is the favorite refuge of NSA goons: when Keith Alexander's comment about collecting it all became public, SEXINT, PRISM, etc. He talks about all of those and leaves no doubt that this characterization is horse shit after the third chapter.
Wow, thanks for accusing me of being an NSA goon. For the record, I said the reporting was sensationalized, not the documents.
On the economic espionage front, I really don't care if the NSA spies in order to shape national policy. Things get a lot murkier when intelligence agencies spy and then hand that data off to private companies. Huawei was caught red-handed using stolen source code from Cisco[1]. Cisco probably lost millions because Huawei was able to undercut them and skimp on R&D costs. Frankly, I don't want any foreign companies willing to steal trade secrets managing the same internet backbones I conduct business on, just like China probably doesn't want their internet backbones running on American equipment. If there is evidence that the NSA has been handing Huawei source code to Cisco, or any kind of data to any private organization for that matter, in order to gain a competitive advantage, then Greenwald has yet to show it.
You can consider Stewart Baker's opinion to be worth jack shit, but apparently Glenn Greenwald, Ryan Gallagher and Ryan Grim thought his opinion was good enough to quote extensively for the SEXINT article that they wrote. But that's not even the point - they could have been quoting Glenn Beck for all I care. The issue is that they quoted him very selectively in order to not discredit their argument. That wasn't even the first time: right off the bat they omitted slides from the PRISM presentation in order to make the argument that the NSA had direct access to Google/Yahoo/Microsoft/etc.[2] I can see in the PDF file for Greenwald's book that he still extensively cites the Boundless Informant slides, despite the fact that they've been thoroughly discredited[3]. I'm honestly curious - did he mention that part in the book?
The Washington Post silently corrected their initial reporting without issuing a public statement[4][5], and as far as I know Glenn Greenwald has never issued any retractions. I'm sure that there's probably plenty of interesting information in the Snowden cache, but I don't trust most of the reporting up until now.
Sorry for the wall of text, but I quoted verbatim from the book below.
>Wow, thanks for accusing me of being an NSA goon.
I didn't accuse you of being an NSA goon. Stewart is definitely one though.
> If there is evidence that the NSA has been handing Huawei source code to Cisco, or any kind of data to any private organization for that matter, in order to gain a competitive advantage, then Greenwald has yet to show it.
What does that have to do with anything? Why is NSA interested in “energy,” “trade,” and “oil” in the PRISM slides? Why is the NSA spying on “heads of international aid organizations, foreign energy companies and a European Union official involved in antitrust battles with American technology businesses.” Why are they “monitor[ing] the communications of senior European Union officials, foreign leaders including African heads of state and sometimes their family members, directors of United Nations and other relief programs [such as UNICEF], and officials overseeing oil and finance ministries.”
The answer is simple:
"When the United States uses the NSA to eavesdrop on the planning strategies of other countries during trade and economic talks, it can gain enormous advantage for American industry. In 2009, for example, Assistant Secretary of State Thomas Shannon wrote a letter to Keith Alexander, offering his “gratitude and congratulations for the outstanding signals intelligence support” that the State Department received regarding the Fifth Summit of the Americas, a conference devoted to negotiating economic accords. In the letter, Shannon specifically noted that the NSA’s surveillance provided the United States with negotiating advantages over the other parties."
It's economic espionage no matter how you spin it. When NSA believes it's pertinent to the "national interests" of the USA, not the "national security" they'll take it.
>You can consider Stewart Baker's opinion to be worth jack shit, but apparently Glenn Greenwald, Ryan Gallagher and Ryan Grim thought his opinion was good enough to quote extensively for the SEXINT article that they wrote.
Two quotes shooting himself in the foot by acknowledging and defending the program is hardly extensively quoting him.
>they omitted slides from the PRISM presentation in order to make the argument that the NSA had direct access to Google/Yahoo/Microsoft/etc.
That was Gellman and the Washington Post that claimed that, without question. The Guardian article framed it as a question. Greenwald never had to issue any retractions.
And just fyi, Gellman is still sticking to the direct access accusations. And Greenwald now thinks that he's right, because analysts can query without staff intervention at Google et al.
I'll quote verbatim from the book:
The companies listed on the PRISM slide denied allowing the NSA unlimited access to their servers. Facebook and Google, for instance, claimed that they only give the NSA information for which the agency has a warrant, and tried to depict PRISM as little more than a trivial technical detail: a slightly upgraded delivery system whereby the NSA receives data in a “lockbox” that the companies are legally compelled to provide.
But their argument is belied by numerous points. For one, we know that Yahoo! vigorously fought in court against the NSA’s efforts to force it to join PRISM—an unlikely effort if the program were simply a trivial change to a delivery system. (Yahoo!’s claims were rejected by the FISA court, and the company was ordered to participate in PRISM.) Second, the Washington Post’s Bart Gellman, after receiving heavy criticism for “overstating” the impact of PRISM, reinvestigated the program and confirmed that he stood by the Post’s central claim: “From their workstations anywhere in the world, government employees cleared for PRISM access may ‘task’ the system”—that is, run a search—“and receive results from an Internet company without further interaction with the company’s staff.”
Third, the Internet companies’ denials were phrased in evasive and legalistic fashion, often obfuscating more than clarifying. For instance, Facebook claimed not to provide “direct access,” while Google denied having created a “back door” for the NSA. But as Chris Soghoian, the ACLU’s tech expert, told Foreign Policy, these were highly technical terms of art denoting very specific means to get at information. The companies ultimately did not deny that they had worked with the NSA to set up a system through which the agency could directly access their customers’ data.
Finally, the NSA itself has repeatedly hailed PRISM for its unique collection capabilities and noted that the program has been vital for increasing surveillance. One NSA slide details PRISM’s special surveillance powers. Another details the wide range of communications that PRISM enables the NSA to access. And another NSA slide details how the PRISM program has steadily and substantially increased the agency’s collection. On its internal messaging boards, the Special Source Operation division frequently hails the massive collection value PRISM has provided. One message, from November 19, 2012, is entitled “PRISM Expands Impact: FY12 Metrics”.
Such congratulatory proclamations do not support the notion of PRISM as only a trivial technicality, and they give the lie to Silicon Valley’s denials of cooperation. Indeed, the New York Times, reporting on the PRISM program after Snowden’s revelations, described a slew of secret negotiations between the NSA and Silicon Valley about providing the agency with unfettered access to the companies’ systems. “When government officials came to Silicon Valley to demand easier ways for the world’s largest Internet companies to turn over user data as part of a secret surveillance program, the companies bristled,” reported the Times. “In the end, though, many cooperated at least a bit.”
[...]
The Internet companies’ claim that they hand over to the NSA just the information that they are legally required to provide is also not particularly meaningful. That’s because the NSA only needs to obtain an individual warrant when it wants to specifically target a US person. No such special permission is required for the agency to obtain the communications data of any non-American on foreign soil, even when that person is communicating with Americans. Similarly, there is no check or limit on the NSA’s bulk collection of metadata, thanks to the government’s interpretation of the Patriot Act—an interpretation so broad that even the law’s original authors were shocked to learn how it was being used.
> I can see in the PDF file for Greenwald's book that he still extensively cites the Boundless Informant slides, despite the fact that they've been thoroughly discredited[3]
How is that? That has nothing to do with whether the US records are correct.
> How is that? That has nothing to do with whether the US records are correct.
I have no idea how Greenwald brought up the issue of Boundless Informant in his book, I just know that I saw slides in his PDF showing the US and Poland (maybe more - I forget). In that series of articles, they seemed to make pretty clear that the program was showing where the collection came from, not where the targets were. So, for example, the numbers from Norway represented communications collected "to support Norwegian military operations in conflict areas abroad, or connected to the fight against terrorism, also abroad". Same with Germany, France, Spain and Italy (I'm probably missing some). When it comes to the US numbers, I don't see that it's that big of a leap to take the same statement that the Norwegian intelligence service made, and replace all instances of "Norway" with "US".
> That was the Gellman and the Washington post that claimed that, without question. The Guardian article framed it as a question. Greenwald never had to issue any retractions.
From the article published in The Guardian[1]:
The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian.
...
With this program, the NSA is able to reach directly into the servers of the participating companies and obtain both stored communications as well as perform real-time collection on targeted users.
With regards to the provider's denials, I don't see anything evasive about them:
Google: "I'm not sure what the details of this PRISM program are, but I can tell you that the only way in which Google reveals information about users are when we receive lawful, specific orders about individuals -- things like search warrants. And we continue to stand firm against any attempts to do so broadly or without genuine, individualized suspicion, and publicize the results as much as possible in our Transparency Report. Having seen much of the internals of how we do this, I can tell you that it is a point of pride, both for the company and for many of us, personally, that we stand up to governments that demand people's information." [2]
Microsoft: "We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it." [3]
Facebook: "Facebook is not and has never been part of any program to give the US or any other government direct access to our servers. We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received. And if we did, we would fight it aggressively. We hadn't even heard of PRISM before yesterday.
When governments ask Facebook for data, we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if is required by law. We will continue fighting aggressively to keep your information safe and secure."[4]
AOL: "We do not have any knowledge of the Prism program. We do not disclose user information to government agencies without a court order, subpoena or formal legal process, nor do we provide any government agency with access to our servers." [5]
Every one of them is very clear: the NSA needs a court order to get user's data, and they have only complied with orders for specific users.
The two statements from The Guardian are referencing the documents themselves. If you want to talk about out of context, you missed the headline and the multiple paragraphs framing it as a question of what the providers say versus what the NSA documents say.
"Direct access," these are the NSA's own words. The Guardian ran the providers' statements versus what the NSA documents said. That's a fact. That's why there are no retractions in The Guardian's story, and as Soghoian says they don't actually deny "direct access" in those statements, legally. What's likely is that the companies allow them to run informal searches to narrow the data down.
As for the "court order," they're just talking about a FISA court order which only "allows the data to be queried when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization," which they readily ignore, and it's more like a general warrant because NSA relies on self-reporting. As Snowden indicated, and LOVEINT showed, analysts can just use bullshit justifications and cover it up. And if they targeted a U.S. citizen, according to their own documents, it's "not a big deal."
Yes - they denied it... because it was false. "Direct access" is not the NSA's own words, they were The Guardian's/The Washington Post's words. The slides themselves say "Collection directly from the servers of these U.S. service providers...", which we later found out means "provided under court order directly from the providers". The Guardian article goes on to say:
"When the FAA was first enacted, defenders of the statute argued that a significant check on abuse would be the NSA's inability to obtain electronic communications without the consent of the telecom and internet companies that control the data. But the Prism program renders that consent unnecessary, as it allows the agency to directly and unilaterally seize the communications off the companies' servers."
That is a blatant lie. The companies receive court orders - they have the ability to challenge the court order in the same way that they would challenge a subpoena or search warrant by going back to the court. If the FISA court doesn't agree, there's still a higher court to appeal to. There has yet to be a retraction of The Guardian's statement.
> As for the "court order," they're just talking about a FISA court order which only "allows the data to be queried when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization,"
You're mixing up programs now. That quote comes from an ODNI statement[1] about the FISA Section 215 metadata collection (I'm not going into that one now - that's a whole different mess, and IMHO that program is rightly controversial). The PRISM slides repeatedly indicate that this collection is under FISA Section 702, which gathers content and which has a whole different set of legal requirements. Most prominently, people collected on under 702 must be reasonably believed to be outside the US and not an American citizen/green card holder/etc. The Snowden trove has yet to show any general warrant style orders related to PRISM.
I think the LOVEINT example actually works in favor of my argument - there was a small group of people doing illegal stuff at NSA; they got caught; as a result, they don't work there anymore. You could go on to ask why the DOJ didn't prosecute, and I wouldn't fault you for questioning - I don't know the answer to that one. But citing LOVEINT to justify limiting the NSA's capabilities is kind of like saying "this cop fired his weapon and killed an innocent civilian, so we need to disarm the entire police force."
You're right, partly. Either way, NSA ha(d|s) direct access to Yahoo and Google's internal networks with MUSCULAR and various other WINDSTOP programs that have collected many more records than MUSCULAR, without requiring warrants whatsoever. Arguing over why The Guardian didn't retract is just splitting hairs at this point, because they did include the slide that claimed "direct collection from the servers." Then there's also UPSTREAM. PRISM is hardly the smoking gun in this long chain of events. And again you're right, I did mix up the 215 blurb.
I simply cannot fathom how the NSA could hope to intercept and physically mess with every single piece of $10 to $10,000 router sold.
If true, and I have a hard time believing it is not, either this is done at the design level (and not just on router chips), or only for big ticket backbone and/or enterprise equipment.
It doesn't have to be every $10 router. Plant one compromised router at each router factory, check when primary target X, Y or Z orders routers, intercept that shipment and hack each router.
I'm not sure how much is shipped directly from the overseas manufacturer to the customer. However, the NSA could be intercepting RMA hardware as well.
What are the hidden router capabilities being exploited here? What piece of COTS hardware couldn't be exploited by an attacker with unlimited physical access to it prior to delivery?
Indeed. Somehow a story about NSA tampering with devices after manufacture is being twisted into "all commercial products are deliberately backdoored". If you actually use logic, these are separate issues.
Actually, if anything, the story is proof that the routers are not backdoored from the start, otherwise why would they have to intercept shipments?
> Actually, if anything, the story is proof that the routers are not backdoored from the start
Let me preface my response by saying I think there are probably more non-malicious (accidental) vulnerabilities than intentional backdoors.
Schneier has seen many of the original documents, and his constant refrain is that NSA programs are robust -- that they have multiple totally unrelated ways to accomplish any one goal. Quoting one of his articles:
"First and foremost, the surveillance state is robust. It is robust politically, legally, and technically. I can name three different NSA programs to collect Gmail user data. These programs are based on three different technical eavesdropping capabilities. They rely on three different legal authorities. They involve collaborations with three different companies. And this is just Gmail. The same is true for cell phone call records, Internet chats, cell-phone location data."
Rumors about this have been around for a long time but as far as I know, nobody has proven anything.
The safest guess right now is that if an American intelligence agency wants to infiltrate your corporate network, they'll take the IPMI route. With that they probably wouldn't even have to rely on a backdoor but could use the existing security holes.
If you have the ability to insert backdoors on widely used hardware with no realistic alternative implementations, without anyone other than a very select few (who all have plenty to lose if they reveal anything) knowing about it; AND the only thing you'll use it for is National Security (preventing someone from building a nuke to drop on your country), why would you NOT go through with it?
How can we protect ourselves from this type of interception? It seems impossible. Why would any non-american customers buy US made devices? Any protections that are added can/will be bypassed if the US gov gets physical access (or even remote).
Just about the time of the previous revelation of computers from outside the US being intercepted by TLAs, my new Lenovo was delayed for a long time in some customs facility (according to UPS tracking).
Software is not a concern as I blew away the preinstalled and put a relatively trusted OS on. But hardware - I haven't had time to look into it but I'm still wanting some sort of guide on what to look for after unscrewing the case.
The scary part is that blowing away the OS install won't save you completely. There are BIOS, firmware attacks, to name a couple. Take a look at the following link with information about persistent root access via hard drive firmware hacking. Even if you reinstall the OS, your box will continue to be owned:
I wish they posted more details surrounding the implants, what they can do, and how they work. Knowing this would help us detect when devices were compromised.
"Do you mean a car designed in the US and built in China, or a Japanese car built in Ohio?" I'm pretty sure that given how few choices of mainstream hardware there are you are screwed no matter what you buy.
I've started doing the same. Of course, I wouldn't be shocked if either or both of the following were true:
1. Other countries collude with America in this practise;
2. Other countries are also practising this.
Open source is a potential solution to this problem. It doesn't guarantee security (heartbleed anyone?), but it does allow anyone, anywhere, any time (assuming capability) to verify. My router runs Open-WRT, so I feel safer.
Thinking about this more, there's a little problem for those living in "the land of opportunity": given that the government has access to all communication via its dragnet, they're aware of your purchase and can intercept it at customs. Now you might try to be smart and buy it in person while on holiday. But remember, at the airport the NSA can take it off you without reason and of course do what they want to it.