74 comments

[ 2.7 ms ] story [ 131 ms ] thread
It would be interesting to know if the NSA has explicit special access or has infiltrated the bug reporting programs for important vendors. Are browser bugs or iphone bugs important enough that the NSA has some guy in Apple or Firefox feeding them bug reports on the side?
It would make sense for them to. Though, they would have to be quick to utilize the vulnerabilities before they got patched, unlike those found in-house.
Bugzilla was recently owned by an unnamed, unknown source, giving that source access to many zero day browser exploits for what was apparently many months. So yes, someone is doing this.
While I wouldn't put it past the NSA – why would we assume the NSA had infiltrated Hacking Team?
Agreed, this article is based on that huge assumption with no evidence provided.
I think it's a fairly safe bet that they did, and I'll explain why I believe this.

1. The NSA has access to more info on both good crypto and broken crypto

2. Hacking Team's software & infrastructure were clearly vulnerable, otherwise they wouldn't have been hacked

3. Leaked docs show that NSA hacks everyone they possibly can, to get as much information as they possibly can.

It's really not a big leap to assume that NSA infiltrated Hacking Team's infrastructure, if anything I would think it's harder to believe they wouldn't have.

So if some Joe Schmoe broke into Hacking Team's system, I think it's pretty reasonable to assume that NSA did as well

But just so I can understand what you're saying, why do you think it's a big assumption?

Edit: Formating.

Thanks for this, I agree it makes sense that they would have, I was just a bit disappointed that Bruce didn't enumerate any of this in his post. In fairness, all of this stuff is probably "duh" to him, and his normal audience, but it's not so obvious to everyone.

Here's another thought: what if the NSA hacked Hacking Team, and they were also the ones to release all the data publicly.

Re: #3 – do you have any links to that info? (I'm not challenging you to prove what you said, I'm just curious, if you don't have anything readily available, I'll Google search like a good Internet commenter :))

I think it would be hard to go through everything, but off the top of my head:

https://snowdenarchive.cjfe.org/greenstone/collect/snowden1/...

Quote:

       For the past decade, NSA has lead an
       aggressive, multi-pronged effort to break widely
       used Internet encryption technologies

Their Motto:

      "We penetrate targets' defences."
"We penetrate targets' defences."

That would more likely be a GCHQ or MI5 or MI6 motto than an NSA motto.

A quick bit of Googling finds that the "PTD" in the slides refers to GCHQ's Penetration Targeting Defences unit. So it's their motto. Which explains the spelling.

It is a bit odd that Schneier was stating it as an obvious fact despite no evidence. Of course, the NSA had and has great incentive to compromise them, as well as the ability to do so, but it's still an empty claim (even if it's probably a true one).
Keep in mind also that I think he has access to more documents than we have. He made this statement a while back[1]:

      I am reviewing some of the documents Snowden has
      provided to the Guardian. Because of the delicate
      nature of this, I cannot comment on what I have seen. 
[1]http://www.technologyreview.com/news/519336/bruce-schneier-n...
For whatever it's worth: I do not believe --- and this is an opinion I think is shared by lots of people in my field --- that Scheier has any special insight into the software and network exploitation capabilities of NSA. Schneier is a writer first, then a policy guy next, then an academic/standards-group cryptographer. Information security is a huge field with lots of subfields, and nobody specializes in all of them.

My take on this post on his blog is that it's probably a stretch for him to be analyzing the Hacking Team story in any depth.

Didn't Schneier have access to the Snowden docs, though?
It's an assumption to me, simply because there were no facts or evidence presented. This is purely speculation based on what Bruce thinks the NSA might have done. I wouldn't be surprised if it turns out the NSA had breached them prior to this, though.
For probably more than 95% of the Fortune 500, vulnerability intelligence that is years out of date is more than sufficient to own up those firms' entire enterprise networks. The half-life of most software vulnerabilities is long. Simple IT problems like inventory remain unsolved in the real world.

So the same logic suggests that NSA has owned up every company of any real size in the world.

Could NSA do that? Absolutely yes. Did they? I doubt it. I do not see how NSA secures a single extra headcount by illicitly hacking every US and/or European company, and securing additional headcount is literally the core mission of NSA.

I think this discussion could get convoluted really quickly, because I bet 100% of the companies in the Fortune 500 have a different definition of what their "enterprise" network consists of, and how it's organized.

I can say that I used to work for one, and our departments' network was literally air gapped (not joking). Internal systems could not reach out, and no one could reach in. It was impossible for us to work remotely, because even a VPN wasn't set up. There was no physical connectivity.

But there's a difference between Hacking Team and every company on the Fortune 500: Hacking Team was in the Exploit business, they literally made money selling weaponized exploits to US enemies, and possibly allies.

If anything, I think that's literally the NSA's directive in collecting foreign intelligence.

Meaning, I believe if there was one foreign business that the NSA would spy on (and lets face it, I don't know that many), I think Hacking Team would absolutely be at the top of their list, purely for logical reasons.

But.....I also completely admit that my statement was an assumption, a "bet". I'm not guaranteeing anything, and I really don't care. I'm just over here, arm-chair quarterbacking this shit, haha.

I've done in the life immediately previous to my current one a fair bit of enterprise netpen work, and I have never seen a large enterprise network that had anything effectively airgapped. Getting onto a single desktop, in my experience, is virtually a gameover guarantee for any reasonable definition of "gameover".
No data diodes or equipment like that?
> But just so I can understand what you're saying, why do you think it's a big assumption?

Are you serious? Because there's no proof or mention of it anywhere. You're making an assumption based on literally nothing more than "well obviously, based on what I've read on the Internet, they could have done it so they must have". You're bending facts to fit a worldview, something I'm sure you yourself detest elsewhere in life.

This is like Russell's Teapot but for the NSA. You're shifting the burden of proof to someone who now has to prove a negative.

There's no proof or mention that they didn't. There never will be, ever. Yet we have to make decisions, even in the absence of evidence pro or con. Given that they don't disclose "wittingly" what they do, given their mission, and given what appears to be their interpretation of their mission as revealed by Snowden and others, we have to assume the "worst" within the realm of possibility.

They did it, until they show me otherwise.

This is another point: the NSA really wants everyone to think they can, and have penetrated everything. It bolsters their image if people make these assumptions. This is one of the reasons I try not to assume the worst, especially when that's what they want you to do :)
Let's remove the hyperbole and call a spade a spade.

So, you want them to prove a negative? Just trying to be clear.

They haven't even denied breaking into the HT Network. Should they be accused, would they?

I bet a dime-to-a-dollar that should they be accused, they'd release a non-statement to the press:

"We cannot comment on...."

Facebook hadn't denied it either. Perhaps they are to blame.
is it facebook's mission statement to provide foreign intelligence to US agencies?
It's an assumption, but I'm asking why it's a big assumption.

We know that the NSA spied on Google, Yahoo, and Microsoft, and those are our own (US) companies.

Hacking Team produced weaponized exploits/crypto/stuffs and sold it to US enemies and allies.

Having read through the documents, I assert that it's a small/likely/reasonable assumption.

It's literally the NSAs mission statement to defend the US against foreign intelligence.....how is Hacking Team not a perfect example of an appropriate target for them?

Did the NSA spy on google or did they spy on information passing through googles network? How much "interesting" intelligence would likely be found on HT's network?

As for defense, they obviously didnt pass along what they found. If securing US networks was the reason for hacking, they completely failed to accomplish their goal.

I really think that's a distinction without a difference. For all intents and purposes, they spied on google. If you consider the fact that Google considers consumers to be more product than client, the distinction matters even less. But to your other point:

This is the NSA's mission statement:

      The National Security Agency/Central Security Service 
      (NSA/CSS) leads the U.S. Government in cryptology that 
      encompasses both Signals Intelligence (SIGINT) and 
      Information Assurance (IA) products and services, 
      and enables Computer Network Operations (CNO) in order 
      to gain a decision advantage for the Nation and our 
      allies under all circumstances.
And again, considering that HT sold weaponized crypto to non-allied countries, it's by definition "interesting" intelligence (in relation to the NSA).

Also, I'm quite sure that the language in that statement indicates more of an offensive role than defensive, since that's usually what "advantage" signifies.

Even if their purpose was defense, the way our Government is set up, it's defense of the government, not the governed, so you can't say with any confidence that they didn't patch internal systems that mattered to them.

That's an interesting point that the NSA may also be secretly bin patching government systems, but not a theory I've seen expounded much.
I think a US asset could have been targeted by their software. Or Hacking Team sold to a country with a bad standing in Israel.

Then the software becomes a direct threat to their agents/allies overseas and it needed to be neutralized. That is the kind of competition you do not want as a state actor.

I also think Gamma International was the victim of a foreign intelligence agency. I don't believe the privacy-minded hacker Robin Hood stories anymore.

Schneier didn't discuss what is IMO the biggest reason for NSA not to report vulnerabilities: it's "pissing into the wind", it's futile. When 10 vulnerabilities are reported and fixed, 11 new ones are quickly found. The vulnerabilities are overwhelming us.

Back around the year 2000 Microsoft was being beaten up for all the vulnerabilities in their software. So in 2002 Bill Gates announced "Trustworthy Computing".[1][2]

   Microsoft Chairman Bill Gates announced a
   major strategy shift across all its products,
   including its flagship Windows software,
   to emphasize security and privacy over new
   capabilities. 
In 2014 Microsoft finally threw in the last towel, folding the group they formed into other units. They gave up. Microsoft lost not because they were incompetent, but because the problem is too big to attack in a conventional manner.

I don't know what the answer is, but we need to approach things very differently. To quote Dr. Peter Venkman: "the usual stuff isn't working".

[1] http://www.foxnews.com/story/2002/01/16/bill-gates-announces... [2] https://en.wikipedia.org/wiki/Trustworthy_computing

Definitely agree.

In terms of raw "national security" net gain, it's likely it would be more useful if kept secret and used offensively than if it was revealed and patched. Vulnerabilities are dime a dozen. Patching one zero day says nothing of the 10 more that are floating around at any given time.

This is why I have an issue with Project Zero. You will NEVER patch all the 0days. There are only a few bugs that I've seen that were so impactful (Heartbleed for example) that it made a massive impact to release and patch it. And as you implied, patching an 0day often publicizes a new vulnerable attack surface with new bugs to follow.

The real way to fix security issues isn't to find new exploits and expose them. It's to architect new ways to prevent whole families of exploits from being possible. I've only really seen Project Zero do one sort of recommendation in this way. Outside of that, I don't feel that them finding 0days and releasing them is actually a significant improvement on security because they aren't even close to plugging all of the holes (or even enough to really make a difference).

There's a fourth reason NSA wouldn't have tipped off every vendor impacted by HT exploits: because they have no business breaking into commercial vulnerability research teams networks, grabbing their exploits, and burning them. It is in fact probably unlawful for them to do so (those actions having as they do an impact on US F-500 companies that use --- for better or worse --- tools from companies like HT to evaluate their own security).

This is a positive comment, not a normative one. I don't know how I feel about entities busting up companies like HT, but I do think I know that the world would be better off without companies like HT.

I salute your sentiment: the world would be better off without companies like HT.

It is in fact probably unlawful for them to do so

I realize that the patriotic employees of the NSA work within a legal framework, and seemingly pride themselves on doing so. But they haven't bothered to share that framework with the rest of us. So my first response was to snicker to myself, and that's unfair to you.

Also, Hacking Team was Italian, not US, so would it really be illegal to slurp up all of HT's exploits? That is, if you want to stay within the bounds of the law, if not the bounds of ethical behavior.

I tried to acknowledge that HT is jurisdictionally complex; they are probably allowed, under the same charter that allows CIA to conduct HUMINT missions, to attack Italian security companies (modulo treaties, I guess). The issue though is that those attacks have direct impact on US companies, who (again) may rely on HT products for "zero day pentesting" (among other things).
> they are probably allowed, under the same charter that allows CIA to conduct HUMINT missions, to attack Italian security companies

They are definitely not allowed, under the Constitution, to monitor everyone, but they do it anyway. You know this too.

So why do you discuss legislation as if it mattered to the NSA, when their actions show it clearly doesn't?

The NSA consists of many parts. Some people within it breaking the law does not mean that laws don't matter there.
Look, the NSA as an organization, as a whole, is blatantly violating the Constitution, which is supposedly the most sacrosanct law of the nation.

The fact that they don't care about what laws say doesn't get any clearer than that.

The fact that no one from NSA has gone to jail for the NSA violating the Constitution shows.. well, pretty much that the government doesn't bother punishing itself for violating its own laws.

To be fair, that would be kind of silly, after all.

Has any court ruled NSA actions to be against the Constitution?
How does it matter?
If years after the Snowden revelation, no one has gotten a court to rule that blatant widespread constitutional violations took place at the NSA, you might want to reconsider your claim that there were blatant violations.
You're disingenuous so I'll just not bother anymore.
You're stating that the organization "as a whole" is "blatantly" violating the Constitution. Don't you see why your statement is being challenged? It's largely baseless. At most, a small number of programs that the NSA has used have been shown to maybe be unconstitutional.
> You're disingenuous so I'll just not bother anymore.

We've banned this account for repeatedly violating the HN guidelines.

That is complete horseshit and you know it. I just made a statement and a decision. He's free to disagree with my assessment, and I'm free to not give a fuck. We're both free to move on with our lives.

But then you decide to ride in on your High Horse to save the day!

Earlier you reprimanded me for saying "shut up", which is just fucking retarded to begin with, and you're engaging in a double standard because his posts were clearly not "substantive" (and thus against the arbitrarily enforced rules).

Just so you know, whenever you ban someone for calling things as they are, and trying to get people think for themselves, you're essentially supporting your own enslavement.

You're probably a psychopath yourself, of course, but most likely not protected from the potentially perpetual tyranny the world will slide into if sanity doesn't spread widely enough.

The first one doesn't say anything about constitutional issues.

The appeals court did not rule on whether the surveillance violated the U.S. Constitution.

The second link has a ton of links. The first one is only referring to a preliminary injunction; i.e., it found that "there's a good chance the plaintiff will win", but did not find in favor of the plaintiff. As far as I can tell, all the other links there are about the same ruling.

The third link is talking about that same ruling, again:

A federal judge said Monday that he believes the government's once-secret collection of domestic phone records is unconstitutional

Emphasis on believes; that was not a judicial finding that the government violated the constitution.

He didn't even order the government to stop:

However, he put off enforcing his order barring the government from collecting the information, pending an appeal by the government.

What happened on appeal? http://www.cadc.uscourts.gov/internet/opinions.nsf/ED64DC482..., or a more readable summary here http://www.bloomberg.com/news/articles/2015-08-28/u-s-appeal... and http://www.ibtimes.com/nsa-phone-surveillance-ruling-reverse...

Also, even if someone at the NSA carried out a program that violated the Constitution, there still wouldn't be jail time. That's not how the Constitution works.

The Constitution is strictly a metric by which courts decide what laws are allowed to say. It binds Congress, not other government workers. And there's generally a presumption that a law is legal until decided to be unconstitutional in court, otherwise people would be afraid to do their jobs.

> Also, even if someone at the NSA carried out a program that violated the Constitution, there still wouldn't be jail time.

It is true that such would be unlikely to be prosecuted, especially if it was authorized from above (and, depending on how it was authorized, there might even be a legal defense -- while ignorance of the law is not a defense, reasonable reliance on legal representations of those responsible for enforcing the law can be), but there is a specific criminal statute that applies to government employees acting deliberately contrary to Constitutional rights (deprivation of rights under color of law, 18 USC Sec. 242.) And an unconstitutional program might also violate the criminal provisions of FISA.

So its not impossible for them to end up in jail, just unlikely for them to prosecuted.

> That's not how the Constitution works.

Sure, the Constitution itself doesn't provide criminal penalties, but there (as noted above) are statutory provisions creating criminal liability for government officers that use their position to deny people Constitutionally-protected rights.

> The Constitution is strictly a metric by which courts decide what laws are allowed to say. It binds Congress, not other government workers.

This is not, in fact, true. Government actions by actors other than Congress, and not justified by appeals to statute, can be decided on Constitutional grounds, both negative (Constitutional limitations) and positive (questions of whether positive authority is granted.)

Some parts of the Constitution, by their own terms, bind Congress directly (but even these have often been construed as more general restrictions on government power even when not exercised through Congress.)

> but there is a specific criminal statute that applies to government employees acting deliberately contrary to Constitutional rights (deprivation of rights under color of law, 18 USC Sec. 242.)

Thank you for that. I think this would come under the "reasonable reliance on legal representations of those responsible for enforcing the law". Is the fact that a (later-to-be-declared-unconstitutional) law allows something itself a defense? I would strongly expect that to be the case, so to the extent that NSA programs were authorized by the Patriot act, even if said act is unconstitutional, workers would be immune.

In any event, following a later-declared-unconstitutional law does not seem to qualify as "deliberately contrary to Constitutional".

>Sure, the Constitution itself doesn't provide criminal penalties, but there (as noted above) are statutory provisions creating criminal liability for government officers that use their position to deny people Constitutionally-protected rights.

Fair enough.

>Government actions by actors other than Congress, and not justified by appeals to statute, can be decided on Constitutional grounds, both negative (Constitutional limitations) and positive (questions of whether positive authority is granted.)

If an action isn't warranted by statute, why would a court consider Constitutional issues at all? What about https://en.wikipedia.org/wiki/Constitutional_avoidance

Could you give an example?

(It can also bind other legislators, not just Congress, and can bind anyone after a court ruling, but that shouldn't get to criminal liability except insofar as that statute you mentioned above).

Is it still a reason when the NSA clearly don't care whether they break the law?
You're missing the point. Behind the scenes? Sure. But Schneier is asking why NSA didn't break into HT and then burn all their exploits with the vendors. That's not a behind- the- scenes hack.
I'm pretty sure you're completely missing the point. Any time somebody suggests something is "against the law" in a discussion about the NSA practises we need to remind ourselves that they really don't care whether they break the law. They do it nakedly, in public, with live television coverage and there are no consequences.

The NSA is a criminal organisation. I don't say everything they do is crime or that is there sole raison d'etre just that they don't care about the rule of law. The law is something that they don't need to worry about at all.

Does anyone really dispute that? "I gave the least untruthful answer I could..." Lying under oath. No consequences for that crime or any other.

No respect for the rule of law.

Please don't miss that point, the rule of law is the point, it is a necessary condition for a civilized society and MOST ESPECIALLY the government needs to be bound by it.

You're right to point out that the NSA doesn't give a fuck about the law, but..

> the rule of law is the point, it is a necessary condition for a civilized society and MOST ESPECIALLY the government needs to be bound by it

You seem to be overlooking the fact that the organization that makes the laws is, by definition, above them. The government is not bound by its own laws any more than a King or Emperor by his, back in the day.

The reason why you see crimes go unpunished is that people with political power and/or connections are effectively above the law.

One thousand times NO. The rule of law applies to all equally. This the ideal insofar as it is agreed that our current implementation does not achieve that it is an agreed deficiency. The president murders their spouse, expect them to be charged. By definition the rule of law applies to all. The End. Period. The price of freedom is eternal... etc.
> One thousand times NO. The rule of law applies to all equally.

This is just your cognitive dissonance talking.

You can say "NO" a million times, but Bradley Manning was just imprisoned without trial (and tortured for months.. years?), even though Habeas Corpus was supposed to apply.

> The president murders their spouse, expect them to be charged.

Why would you expect that? If the president murders his spouse, he's probably reasonably sure he'll get away with it. Otherwise he probably wouldn't.

> By definition the rule of law applies to all.

That's what we're trained to believe.. so many TV shows and movies show police officers risking their lives in fighting crime and courts being fair and just and all, but have you ever dealt with the court system? Did you get justice?

You've probably heard of "plea-bargaining", right? http://www.truth-out.org/news/item/12556-overwhelming-use-of...

People are blackmailed into accepting a punishment for something they haven't done, to avoid the potential life-ruining punishment for whatever outrageous bullshit they're charged with (that they haven't done either).

And you insist that everything is fine?

Maybe this will clarify things: https://www.youtube.com/watch?v=BNIgztvyU2U

You have to accept the rule of law is a worthy ideal to find any real or imagined example of its infringement a problem. To give up on it, to give up on the ideal, to stop raging against the violation of that ideal is to give up on Freedom.

I won't.

I can't tell what you're trying to convey. You may just be trolling, of course.

"The rule of law" sounds good and all, but you have to differentiate between laws that are only detrimental to us, and laws that would actually correspond to morals: 1) Don't aggress against others, 2) Don't violate others' property rights.. and those are the only two laws you need.

Now we've got like hundreds of thousands of laws, and they're mostly just meant to benefit the ruling class (and their cronies) at our expense.

The "If You Were King" video clearly shows there is no such thing as a "good ruler". That applies to governments too (because politicians are our modern-day rulers).

But in case you really need it, here's some additional clarification: https://www.youtube.com/watch?v=ngpsJKQR_ZE

You talk about "freedom", but do you know what it means?

No not really. As a US Soldier, you sign away 100% of your constitutional rights when you voluntarily sign the contract.

So many civilians get this wrong it isn't funny, but the only code that applies to US military members is the UCMJ (uniformed code of military justice), of which Bradley (now Chelsea) Manning was a member of.

Source: I'm a US Army veteran and learned all about this.

Burning exploits is more or less directly industrial espionage/sabotage. The NSA seems to avoid engaging in economic battles unless it's a direct policy goal (stuxnet) or furthers their mission of gathering secrets.
Schneier apparently doesn't even know what the NSA stands for (National Security Administration?) and yet seems it's safe to assume that they had infiltrated Hacking Team, and then proceeds to make a whole bunch of judgements and follow-on assumptions based off that first baseless assumption all while pandering to his userbase.

Well done, Bruce.

I don't think a little typo ("Administration") weakens his argument. I think this post is more of a thought experiment than a serious analysis of what most likely happened.

Though I agree that over the past few years, Schneier's posts have been less substantial in analysis and contain more "thought experiments". I enjoyed his blog way more when it was restricted to the subject he has expertise in, i.e. cryptography.

I don't really think he was going the thought experiment route. He seems to genuinely believe what he writes. For example:

"The NSA was most likely able to penetrate Hacking Team's network and steal the same data. The agency probably did it years ago."

Nothing too ambiguous about that assertion.

Says "NullCharacter", the respected authority on all matters security.

Teach us more.

I definitely never claimed to be anything more than someone who thinks making bullshit assumptions based on other bullshit assumptions is, well, bullshit.
Look, there is probably 500M "generalist thinkers" like you on the internet. The value of your opinion is zero - "0".

The value of the opinion of that other guy that you mentioned is way more than zero - he gets invited to conferences, publishes in peer-reviewed journals, publishes free security software etc. So, people actually listen to what he says.

Haha wow. Schneier fan, are we? Did I touch a nerve? The hilarious thing is you don't even know who I am or what I do. You have no fucking clue.

How dare someone think critically. Not on your watch.

No it's just funny when a random person on internet claims that they are better because they "think critically". My point is, you are not a special snowflake. You are one of 500M that think that they are smarter than others. You are not.

Basically, you are just like a 4-year old begging for attention. You will get some, but unlike 4-year old, it will wane quickly. All the best!

In the words of XCKD: The important thing is you've found a way to feel superior. Good for you!
If I were on Reddit, I would say something like "I feel massive now", but I am not, so I won't :) BTW no hard feelings, mate, all is good. I don't mean no harm to anyone.
Insulting people only serves to weaken your argument. BTW, your statements are an appeal to authority.
If you do not realize that we have always been monitored, usually without a legal vehicle, by government agancies, you are just too young. If you believe for one second that the NSA is more of a threat than the ultimate climate created by the aggregation of every set of data collected by ISPs, Cloud service providers, app makers, and social media, please start thinking and researching just a few more steps ahead. Attacks will be patched, the NSA will decrypt in real time until someone finds a way to embarras them. The natural growth of company driven data theft and distribution can only result in an environment with revoloutionary sceintific achievement and statistical analysis that poses unpresidented virtual and physical threats to individuals and groups. The simple fact is our users have been slowly trained to implement and act upon concepts and technology they do no understand. When a person that can hardly type can watch a video online with explicit instructions on how to hijack a cell phone, but easily use too much power and suspend service in an area, what do we really change when housese burn and heart attack victims die because they have no 911 service?