Does no one else find it deeply distressing that all our tech has been so completely co-opted by outside agents? How can we live this lie that we are free while every day we see how we are controlled and watched?
eh? This is just the game now. If anything its theoretically liberating. Now all it takes is some smarts to do things as opposed to a massively centralised power.
It's part of the shadowy arms race that's been taking place for the last few decades in cyber space. The public has been kept mostly in the dark about it; either because the details are too technical and/or the stakes are ambiguous. Unfortunately it's lead to a world where every country says "if they're doing it then we have to, because if we don't they will have capabilities we don't." Legal barriers, liberties, and rights are damned when the security of our technological society is at risk. It's really concerning.
What does that even mean? Your comment is effectively devoid of meaning. What are you proposing exactly? What "technology" has been co-opted by the oligarchs and plutocrats?
if you want to see what these powerful people use to protect their coms check the FIPS and NIST standards documents. the public has access to the ~same crypto algorithms that government agencies use. outside of NSA and a handful of other organizations who have the technical ability to safely DIY, its the only reasonable way to pick crypto tech.
crypto is widely used and easy to get access to. at this point, there is very little that can be done to put this genie back in the bottle. there are open chat networks that can provide e2ee with forward secrecy even if some compromised devices are present (XMPP/OMEMO). many clients support routing your chats over tor so nobody can tell which server you are using.
not only can you go completely dark with off-the-shelf android apps and a non-google ROM, you can do it for free.
Maintaining the capability to infiltrate systems by exploiting software flaws and running a dragnet surveillance state two very different things and it's perfectly possible to have either one without the other. It just so happens that in the US the NSA runs both so they tend to get conflated.
If you’re making the statement in relation to this article; not at all. Very few people would be targeted by something like this. The cost to develop and maintain is too high to risk a leak. If I worked in a high-security environment, I would be paranoid - but not about malware, more about being harmed.
They could always tap your phone, read your mail, follow you, find out some secret about you .... no matter what nation / time.
It's not the tools that worry me. Those will advance with technology and just like non governmental tech, it will progress no matter if we like it or not.
Oversight, rule of law, and etc is where it is at to determine the end result.
Call me old fashioned but the idea that my democratic country has intelligence agencies making tools like this (or this one...) is not worrisome at face value to me. I would expect them to do so.
Agreed. I want them to have the capability. I also want them to use it properly and only where appropriate and consistent with law. Maintaining access to potentials adversary's systems is fine and necessary since they're doing it to us. CPB potentially (I haven't heard any allegations but who knows what they do with it in the back room) loading malware onto people's phones is not fine.
I kind of agree - but still worry - because of two things. First technology changes the economy of spying. At some point quantity becomes quality. Second it can be now done with near perfect deniability.
>> They could always tap your phone, read your mail, follow you, find out some secret about you ...
I think this is a false equivalency. It was the case that you could be targeted, but this would be one case and a lot of resources were bound by this one case. Now, the process can be automated in such a way that everyone can be targeted simultaneously without much overhead.
The main problem is not that you could be targeted (like you said, that was always the case), but that everyone could be a target.
The amount of false positives they get from their data analysis and the lack of legal recourse against further targetted surveilance and being at the mercy of law enforcement because you're perceived as a threat...
Now think ahead to maybe democratic institutions failing or just failing enough that someone can use that infrastructure to subvert democracy and capture up dirt on all their opponents, cementing their power.
Intelligence services are supposed to be bound by laws and under strict oversight, because frankly history is full of the horrors that emerge when they’re left to their own devices. I think it’s good to focus on the rule of law, but worrying about he direction of technological change and application seems wise too. I’d at least like a broad discussion of it before we’re st the point of having “hue checks” at the barrel of a Dominator gun.
> We found around 50 victims located in Russia, Iran and Egypt, typically infecting Windows 2003/2008 Server. Targets were related to nuclear energy, telecommunications, IT, aerospace and R&D.
Seems like they have bigger fish to fry. I would loathe to think this being employed on boring run-of-the-mill Windows users who like to Skype grandma and play Solitaire & Tetris, use Internet Explorer as their main browser etc
Of course, man. I grew up with the Apple ][ and C64 and we all saw a future where small businesses and creative people would make zany, informative, cute newsletters to advertise their wares.
Our parents and teachers prepared us for a world mostly like the one that existed in 1980, but some of the icky parts like bookkeeping were ameliorated by the 6502.
We went online a little bit, but mostly to goof around, trade some software and maybe sometimes discuss and flame, but it was always a tiny part of life, about the footprint on our time as the card game UNO. An interesting diversion, but certainly not a daily activity, much less a dependency.
Of course, older now, we realize there was much more brewing behind the scenes: Corporations had been leveraging Freud's psychological principles to make us rabid consumers. Cold War paranoia created an arms race. American military hegemony had been cruising to a head.
We plugged on, amused we had internet in college, but still found time to play music, party, ride bikes, etc. Suddenly around 2000, networking fused the military and commercial nature of American life into the portable mega-mall of cookies.
But with all this communications technology, why only use it when sitting at our Pentium II's? Let's get everyone carrying cell phones -> surveillance capitalism.
What to do? Opinions vary. Many people will argue whether we can legislate our way out of it. I like to believe we can empower ourselves and not drink the Kool-Aid as heavily by making choices to stay offline, not use Amazon, support local businesses. I live my life that way.
However, we are not rational. I will convince very few people through my (sporadically, ha!) clear-thinking. Plastic, celebrity merchandise will emerge from the factories, from the chemical plants, from Hollywood, from Saudi Arabia, from the fractured wells below our plains.
So, yes, yes and yes, I still recall the joy of plotting large, clunky GR mode pixels on the apple in off-kilter pink and green colors to make a flower. I miss hearing trackers simulate analog through careful timing of the PC speaker. I still dream of families rolling up their expenses in Excel.
I wanted all of this tech to be used for cute, cozy, cheerful families and towns. To see it weaponized around me, to fear not exactly my own government, but hacking groups hired by Ireland-based corporations, foreign insurance agencies and hospitals trying to steal my identity each time I simply look up rock videos from the 1990s is sad and distressing. It's humanity out of control.
It's very astute that you mention "living a lie." We are coming face to face with it through numerous channels. According to Freud, we have humungous darkness in our unconscious. With persistent media and industrial exploitation of these impulses, it's getting harder to ignore.
I believe religions in the past attempted on some level with varying tactics and degrees of success to confront this. However, the demands on our everyday reality have shifted. We can see through most religions's tactics and where we can not, our purview is heavily obscured by cultural noise, such as anecdata, fake news, etc.
I maintain the best thing to do now is empower ourselves through understanding the history of the last 100-200 years and what the ideals of freedom and privacy mean as we "transistorize" the world around us. This empowerment demands a certain kind of clarity which can be difficulty to find, but if anyone wants to talk about it, get in touch.
I expected our AI overlords to be robots and talking computers.
I didn't expect AI to be a set of algorithms used to subtly manipulate peoples' thinking in such a way they don't even notice. Orwell would have had a field day with surveillance capitalism.
What is interesting about Kaspersky is how little Russian state malware / spying tools they find / report on at least in comparison to what they discussion about such software from other countries.
Interesting, but not all that surprising. At this point it's fair to assume most security research institutions are co-opted to some degree by intelligence agencies.
You are correct on most being co-opted but they don't yell from the rooftops like Kaspersky does that they are fully independent. I have loads of emails from Kaspersky explaining how they aren't yet their actions don't support their PR.
They, Kaspersky, have sent out lots of emails to partners and resellers saying how they are independent of Russian government melding which isn't exactly the most honest read of the situation.
Comments like this, from Kaspersky PR, are interesting don't you think?
"Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it's disconcerting that a private company can be treated as guilty merely due to geopolitical issues."
That part is about what Kaspersky says. That part is okay.
The more curious part is the other part: What Kaspersky does, or does not. You, for example, do not say "here are links to Avast's web site for 2/5/10/20 Russian threats that Avast detects and Kaspersky doesn't". All you do is link to more innuendo and suspicion.
In this age of databases that suspicion ought eventually to show up in database records.
Not really surprising but also not necessarily a bad thing. If Russian companies blow the whistle publicly on "western" backdoors and security researchers elsewhere blow the whistle on Russian backdoors we're all better off, aren't we?
That seems like a matter of survival. Expose your local non democratic host nation who is already known for dealing out retribution outside their own borders, and there will be consequences....
Kaspersky doesn't even have to have anyone tell them that for there to be an impact.
Kaspersky's analysis and information they choose to share may be accurate (and let's be clear I'm sure they also don't share some western tidbits if "asked"). At the same time some of their data, simply due to their location, we can assume their choices on what / how they share is skewed. That's not a recrimination directed at the individuals there, just a recognition of a fact of life for them.
Just like US AV vendors don't find US state malware / spying tools. That's the game I guess, but let's not act like Kaspersky are an exception, they're playing by the same rules as everyone else.
As an end user you should consider if your AV vendor's country of origin is compatible with your own interests.
First of,so what? Why don't you also mention why FireEye and Crowdstrike aren't finding western APT groups. They don't even properly track and document western actors and their TTP!! At least kaspersky names and tracks russian intelligence (e.g.: what CS calls apt28 and FireEye calls Sofacy is named Turla by Kaspersky). Unless of course you're saying american and british actors pause no threat to anyone.
Second, not true at all. Plenty of apt groups have been written up by secure labs that are russian state associated.
We found around 50 victims located in Russia, Iran and Egypt, typically infecting Windows 2003/2008 Server. Targets were related to nuclear energy, telecommunications, IT, aerospace and R&D.
Great. So because the NSA has crappy security (contractors!) the democratic West has just weakened itself against autocratic regimes that seek to control their people.
People that care about self-government and individual freedom have to start to recognize that the NSA - with its democratic controls and checks and balances - is far superior to an autocratic or dictatorial spy agency. And we only get to choose one.
It's not unusual to have secrets in government. Oversight and having a process is key, and that's a much, much deeper rabbit hole as to whether that system is working or not.
Obviously the 99% approval rate is the result of extreme due diligence and strict submission criteria practiced by the covert agencies.
On a more serious note, the above could be true, though I believe there is plenty of evidence of approved warrants that should not have been. That would rather undermine the thesis.
The win rate is misleading for a simple reason: The requests the FISC receives are not a random or representative sample of all cases in which the executive branch believes it would benefit from a warrant. The number and type of government requests are responsive to the level of oversight the court exercises—just as a plaintiff’s decision to litigate is responsive to changes in the law. Because it is costly to make an ex parte application (in time, resources, and reputation) and because the executive has long-running knowledge of how the FISC treats applications, there is little reason to expect agencies to submit losing requests. And while the rarity of ex parte proceedings might make this outcome seem unprecedented or extraordinary, other ex parte proceedings—like those for Title III wiretaps and delayed-notice warrants—display equally lopsided results: the government “wins” almost 100% of the time.
Surveillance warrants of any kind -- FISA or otherwise -- are granted in secret, with no argument from the target. It'd be pretty stupid to do it any other way.
Richard Clarke talks about his belief that stuxnet had numerous checks in place to limit collateral damage: "it very much had the feel to it of having been written by or governed by a team of Washington lawyers."
I think that purposefully built malware will have those checks hard coded into them in order to limit exposure. Will there be programatic flaws that cause it to spread farther? Yeah, that can happen. Q&A always is the first thing that gets cut.
I would suspect that the usage of more open ended tools/implants will have scope applied/enforced at the human layer. You don't want an employee going wild and knocking over everything just because they have a new 0day.
Except they don't act like a democratically controlled spy agency. They routinely hide their internal memos stating their perceived legal authority from Congress who is in charge of oversight and the source of that legal authority.
Compare to China and Russia who imprison and kill journalists and Interpol leaders, and have no democratic oversight.
If you don’t like the way NSA is governed, change it. That’s the power of a democratic system. But when the choice is between autocratic and democratic intelligence agencies, the choice is clear.
Better than the worst isn't a favorable comparison. And there's been attempts but they lie and dissemble at every opportunity to the oversight committees. Remember when they tried to redefine the word 'collect' to mean when they actually looked at the information so they could say they don't 'collect' information on american citizens? Or that gathering information on every call you make isn't surveillance because they don't collect the contents of the call as well?
And senior congressional officials, including people like Feinstein, Grassley, Burr, Schiff, and Warner, are effectively briefed on all intelligence matters. Not every member of congress is. America did a decent job after Watergate implementing supervision of intel.
NSA is probably not perfect, but it's better than the alternative. You know the old quote "Democracy isn't a great way to govern but it's better than the alternatives" -- probably fair to say "Western intelligence agencies aren't perfect but they are the best way we know to navigate today's surveillance economy and secure democracies."
The problem is as much oversight as there is they intentionally dissemble and use twisted definitions when testifying before the congressional oversight committies. In 2013 the claimed their PRISM and associated wide scale surveillance activities didn't 'collect' information about or surveil american citizens because respectively they didn't task or view the information and didn't listen in on the actual content of the conversations. It's impossible to properly oversee an organization that is that circumspect with the people overseeing them.
64 comments
[ 4.1 ms ] story [ 123 ms ] threadEither we work out a democratic way to self-govern these technologies, or oligarchs and plutocrats end up controlling them.
crypto is widely used and easy to get access to. at this point, there is very little that can be done to put this genie back in the bottle. there are open chat networks that can provide e2ee with forward secrecy even if some compromised devices are present (XMPP/OMEMO). many clients support routing your chats over tor so nobody can tell which server you are using.
not only can you go completely dark with off-the-shelf android apps and a non-google ROM, you can do it for free.
It's not the tools that worry me. Those will advance with technology and just like non governmental tech, it will progress no matter if we like it or not.
Oversight, rule of law, and etc is where it is at to determine the end result.
Call me old fashioned but the idea that my democratic country has intelligence agencies making tools like this (or this one...) is not worrisome at face value to me. I would expect them to do so.
Nitpick: consistent with moral, ethics and/or human rights
Most of the stuff that [A-Z]{3} does is lawful (if only legitimized post-facto) but not nearly half as often does it fulfill the other criteria.
I think this is a false equivalency. It was the case that you could be targeted, but this would be one case and a lot of resources were bound by this one case. Now, the process can be automated in such a way that everyone can be targeted simultaneously without much overhead.
The main problem is not that you could be targeted (like you said, that was always the case), but that everyone could be a target.
Now think ahead to maybe democratic institutions failing or just failing enough that someone can use that infrastructure to subvert democracy and capture up dirt on all their opponents, cementing their power.
Seems like they have bigger fish to fry. I would loathe to think this being employed on boring run-of-the-mill Windows users who like to Skype grandma and play Solitaire & Tetris, use Internet Explorer as their main browser etc
Our parents and teachers prepared us for a world mostly like the one that existed in 1980, but some of the icky parts like bookkeeping were ameliorated by the 6502.
We went online a little bit, but mostly to goof around, trade some software and maybe sometimes discuss and flame, but it was always a tiny part of life, about the footprint on our time as the card game UNO. An interesting diversion, but certainly not a daily activity, much less a dependency.
Of course, older now, we realize there was much more brewing behind the scenes: Corporations had been leveraging Freud's psychological principles to make us rabid consumers. Cold War paranoia created an arms race. American military hegemony had been cruising to a head.
We plugged on, amused we had internet in college, but still found time to play music, party, ride bikes, etc. Suddenly around 2000, networking fused the military and commercial nature of American life into the portable mega-mall of cookies.
But with all this communications technology, why only use it when sitting at our Pentium II's? Let's get everyone carrying cell phones -> surveillance capitalism.
It's starting to all come together for me as I re-watch The Century of Self: https://www.youtube.com/watch?v=DnPmg0R1M04
What to do? Opinions vary. Many people will argue whether we can legislate our way out of it. I like to believe we can empower ourselves and not drink the Kool-Aid as heavily by making choices to stay offline, not use Amazon, support local businesses. I live my life that way.
However, we are not rational. I will convince very few people through my (sporadically, ha!) clear-thinking. Plastic, celebrity merchandise will emerge from the factories, from the chemical plants, from Hollywood, from Saudi Arabia, from the fractured wells below our plains.
So, yes, yes and yes, I still recall the joy of plotting large, clunky GR mode pixels on the apple in off-kilter pink and green colors to make a flower. I miss hearing trackers simulate analog through careful timing of the PC speaker. I still dream of families rolling up their expenses in Excel.
I wanted all of this tech to be used for cute, cozy, cheerful families and towns. To see it weaponized around me, to fear not exactly my own government, but hacking groups hired by Ireland-based corporations, foreign insurance agencies and hospitals trying to steal my identity each time I simply look up rock videos from the 1990s is sad and distressing. It's humanity out of control.
It's very astute that you mention "living a lie." We are coming face to face with it through numerous channels. According to Freud, we have humungous darkness in our unconscious. With persistent media and industrial exploitation of these impulses, it's getting harder to ignore.
I believe religions in the past attempted on some level with varying tactics and degrees of success to confront this. However, the demands on our everyday reality have shifted. We can see through most religions's tactics and where we can not, our purview is heavily obscured by cultural noise, such as anecdata, fake news, etc.
I maintain the best thing to do now is empower ourselves through understanding the history of the last 100-200 years and what the ideals of freedom and privacy mean as we "transistorize" the world around us. This empowerment demands a certain kind of clarity which can be difficulty to find, but if anyone wants to talk about it, get in touch.
In the meantime, I highly recommend anyone interested watch The Century of Self: https://www.youtube.com/watch?v=DnPmg0R1M04
I expected our AI overlords to be robots and talking computers.
I didn't expect AI to be a set of algorithms used to subtly manipulate peoples' thinking in such a way they don't even notice. Orwell would have had a field day with surveillance capitalism.
Comments like this, from Kaspersky PR, are interesting don't you think?
"Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it's disconcerting that a private company can be treated as guilty merely due to geopolitical issues."
This tells some of it but I would recommend you do some checking yourself. https://www.theregister.co.uk/2018/05/15/kaspersky_labs_anno...
The more curious part is the other part: What Kaspersky does, or does not. You, for example, do not say "here are links to Avast's web site for 2/5/10/20 Russian threats that Avast detects and Kaspersky doesn't". All you do is link to more innuendo and suspicion.
In this age of databases that suspicion ought eventually to show up in database records.
Do you have some source/stats on that? It seems plausible, but I haven't really seen this mentioned anywhere before.
Kaspersky doesn't even have to have anyone tell them that for there to be an impact.
Kaspersky's analysis and information they choose to share may be accurate (and let's be clear I'm sure they also don't share some western tidbits if "asked"). At the same time some of their data, simply due to their location, we can assume their choices on what / how they share is skewed. That's not a recrimination directed at the individuals there, just a recognition of a fact of life for them.
As an end user you should consider if your AV vendor's country of origin is compatible with your own interests.
Second, not true at all. Plenty of apt groups have been written up by secure labs that are russian state associated.
Great. So because the NSA has crappy security (contractors!) the democratic West has just weakened itself against autocratic regimes that seek to control their people.
People that care about self-government and individual freedom have to start to recognize that the NSA - with its democratic controls and checks and balances - is far superior to an autocratic or dictatorial spy agency. And we only get to choose one.
On a more serious note, the above could be true, though I believe there is plenty of evidence of approved warrants that should not have been. That would rather undermine the thesis.
Stanford law review https://www.stanfordlawreview.org/online/is-the-foreign-inte...
The win rate is misleading for a simple reason: The requests the FISC receives are not a random or representative sample of all cases in which the executive branch believes it would benefit from a warrant. The number and type of government requests are responsive to the level of oversight the court exercises—just as a plaintiff’s decision to litigate is responsive to changes in the law. Because it is costly to make an ex parte application (in time, resources, and reputation) and because the executive has long-running knowledge of how the FISC treats applications, there is little reason to expect agencies to submit losing requests. And while the rarity of ex parte proceedings might make this outcome seem unprecedented or extraordinary, other ex parte proceedings—like those for Title III wiretaps and delayed-notice warrants—display equally lopsided results: the government “wins” almost 100% of the time.
How is that?
> with its democratic controls and checks and balances
Its what?
I tried not to smile at that, and I failed. Pretty sure nothing is 'checking' them from collecting data on every U.S. citizen.
Richard Clarke talks about his belief that stuxnet had numerous checks in place to limit collateral damage: "it very much had the feel to it of having been written by or governed by a team of Washington lawyers."
https://www.smithsonianmag.com/history/richard-clarke-on-who...
I think that purposefully built malware will have those checks hard coded into them in order to limit exposure. Will there be programatic flaws that cause it to spread farther? Yeah, that can happen. Q&A always is the first thing that gets cut.
I would suspect that the usage of more open ended tools/implants will have scope applied/enforced at the human layer. You don't want an employee going wild and knocking over everything just because they have a new 0day.
Thus avoiding detection as much as possible. It's why the flu strain that kills everyone within an hour doesn't spread very far.
[0] https://www.washingtontimes.com/news/2014/jul/31/cia-admits-...
If you don’t like the way NSA is governed, change it. That’s the power of a democratic system. But when the choice is between autocratic and democratic intelligence agencies, the choice is clear.
https://slate.com/news-and-politics/2013/07/nsa-lexicon-how-...
And senior congressional officials, including people like Feinstein, Grassley, Burr, Schiff, and Warner, are effectively briefed on all intelligence matters. Not every member of congress is. America did a decent job after Watergate implementing supervision of intel.
NSA is probably not perfect, but it's better than the alternative. You know the old quote "Democracy isn't a great way to govern but it's better than the alternatives" -- probably fair to say "Western intelligence agencies aren't perfect but they are the best way we know to navigate today's surveillance economy and secure democracies."
American bot.
> Our product can completely remove the related to this attack malware.