Authors: Bruce Schneier
economics of software development:
This is even worse with embedded devices and the Internet of Things. Bruce Schneier
(6 Jan 2014), “The Internet of Things is wildly insecure—and often unpatchable,”
Wired
, http://www.wired.com/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem.
how the NSA and GCHQ think:
James Ball, Julian Borger, and Glenn Greenwald (5 Sep 2013), “Revealed: How US and
UK spy agencies defeat internet privacy and security,”
Guardian
, http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security.
We know the NSA:
These four points were made in this document. Danielle Kehl et al. (29 Jul 2014),
“Surveillance costs: The NSA’s impact on the economy, Internet freedom and
cyberspace,” Open Technology Institute, New America Foundation, http://www.newamerica.net/publications/policy/surveillance_costs_the_nsas_impact_on_the_economy_internet_freedom_cybersecurity.
the White House tried to clarify:
Michael Daniel (28 Apr 2014), “Heartbleed: Understanding when we disclose cyber vulnerabilities,”
White House Blog
, http://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities.
Stuxnet, used four zero-days:
Ryan Naraine (14 Sep 2010), “Stuxnet attackers used 4 Windows zero-day exploits,”
ZDNet
, http://www.zdnet.com/blog/security/stuxnet-attackers-used-4-windows-zero-day-exploits/7347.
agency jargon NOBUS:
Andrea Peterson (4 Oct 2013), “Why everyone is left less secure when the NSA doesn’t
help fix security flaws,”
Washington Post
, http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws.
it discloses and closes:
David E. Sanger (12 Apr 2014), “Obama lets N.S.A. exploit some Internet flaws, officials
say,”
New York Times
, http://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html.
Kim Zetter (15 Apr 2014), “Obama: NSA must reveal bugs like Heartbleed, unless they
help the NSA,”
Wired
, http://www.wired.com/2014/04/obama-zero-day.
how to make NOBUS decisions:
There have been some attempts. Andy Ozment (2–3 Jun 2005), “The likelihood of vulnerability
rediscovery and the social utility of vulnerability hunting,” Workshop on Economics
and Information Security, Cambridge, Massachusetts, http://infosecon.net/workshop/pdf/10.pdf.
They’re inherently destabilizing:
Robert Axelrod and Rumen Iliev (28 Jan 2014), “Timing of cyber conflict,”
Proceedings of the National Academy of Sciences of the United States of America
111, http://www.pnas.org/content/early/2014/01/08/1322638111.full.pdf.
Backdoors aren’t new:
This is a nice nontechnical description of backdoors. Serdar Yegulalp (13 Jun 2014),
“Biggest, baddest, boldest software backdoors of all time,”
Tech World
, http://www.techworld.com.au/slideshow/547475/pictures_biggest_baddest_boldest_software_backdoors_all_time.
the US government is deliberately:
James Ball, Julian Borger, and Glenn Greenwald (5 Sept 2013), “Revealed: How US and
UK spy agencies defeat Internet privacy and security,”
Guardian
, http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security.
Guardian (5 Sep 2013), “Project Bullrun—classification guide to the NSA’s decryption
program,”
Guardian
, http://www.theguardian.com/world/interactive/2013/sep/05/nsa-project-bullrun-classification-guide,
http://cryptome.org/2013/09/nsa-bullrun-2-16-guardian-13-0905.pdf.
One of the NSA documents:
US National Security Agency (2012), “SIGINT Enabling Project,” http://www.propublica.org/documents/item/784285-sigint-enabling-project.html.
The NSA also pressured Microsoft:
Lorenzo Franceschi-Bicchierai (11 Sep 2013), “Did the FBI lean on Microsoft for access
to its encryption software?”
Mashable
, http://mashable.com/2013/09/11/fbi-microsoft-bitlocker-backdoor.
Deliberately created vulnerabilities:
Jesse Emspak (16 Aug 2012), “FBI surveillance backdoor might open door to hackers,”
NBC News
,
http://www.nbcnews.com/id/48695618/ns/technology_and_science-security/t/fbi-surveillance-backdoor-might-open-door-hackers.
Ben Adida et al. (17 May 2013), “CALEA II: Risks of wiretap modifications to endpoints,”
Center for Democracy and Technology, https://www.cdt.org/files/pdfs/CALEAII-techreport.pdf.
Bruce Schneier (29 May 2013), “The FBI’s new wiretap plan is great news for criminals,”
Foreign Policy
, http://www.foreignpolicy.com/articles/2013/05/29/the_fbi_s_new_wiretapping_plan_is_great_news_for_criminals.
Government-mandated access:
Susan Landau (2011),
Surveillance or Security? The Risks Posed by New Wiretapping Technologies
, MIT Press, http://mitpress.mit.edu/books/surveillance-or-security. New York Times
(21 Sep 2013), “Close the NSA’s backdoors,”
New York Times
, http://www.nytimes.com/2013/09/22/opinion/sunday/close-the-nsas-back-doors.html.
Ericsson built this:
Vassilis Prevelakis and Diomidis Spinellis (29 Jun 2007), “The Athens affair,”
IEEE Spectrum
, http://spectrum.ieee.org/telecom/security/the-athens-affair.
Something similar occurred in Italy:
Alexander Smoltczyk (5 Oct 2006), “Eavesdropping on La Bella Vita: Listening quietly
in Italy,”
Der Spiegel
, http://www.spiegel.de/international/spiegel/eavesdropping-on-la-bella-vita-listening-quietly-in-italy-a-440880.html.
John Leyden (14 Apr 2008), “Preatoni breaks silence over Telecom Italia spying probe,”
Register
, http://www.theregister.co.uk/2008/04/14/telecom_italia_spying_probe_update.
Chinese hackers exploited:
Bruce Schneier (23 Jan 2010), “U.S. enables Chinese hacking of Google,” CNN, http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html.
every phone switch sold:
Susan Landau (23 Mar 2012), “The large immortal machine and the ticking time bomb,”
Social Sciences Resarch Network (republished Nov 2013 in
Journal of Telecommunications and High Tech Law
11), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2028152.
NSA regularly exploits:
Lawrence Lessig (20 Oct 2014), “Institutional corruption and the NSA: Lawrence Lessig
interviews Edward Snowden at Harvard Law,”
LeakSourceInfo/YouTube
, http://www.youtube.com/watch?v=DksIFG3Skb4.
Bermuda phone system:
Ryan Devereaux, Glenn Greenwald, and Laura Poitras (19 May 2014), “Data pirates of
the Caribbean: The NSA is recording every cell phone call in the Bahamas,”
Intercept
, https://firstlook.org/theintercept/article/2014/05/19/data-pirates-caribbean-nsa-recording-every-cell-phone-call-bahamas.
Another objective of the SIGINT:
US National Security Agency (2012), “SIGINT Enabling Project,” http://www.propublica.org/documents/item/784285-sigint-enabling-project.html.
NSA influenced the adoption:
Craig Timberg and Ashkan Soltani (14 Dec 2013), “NSA cracked popular cellphone encryption,”
Washington Post
, http://www.washingtonpost.com/business/technology/by-cracking-cellphone-code-nsa-has-capacity-for-decoding-private-conversations/2013/12/13/e119b598-612f-11e3-bf45-61f69f54fc5f_story.html.
a backdoored random number generator:
Dan Shumow and Niels Ferguson (21 Aug 2007), “On the possibility of a backdoor in
the NIST SP800-90 Dual_EC_PRNG,” Microsoft Corporation, http://rump2007.cr.yp.to/15-shumow.pdf.
Matthew Green (18 Sep 2013), “The many flaws of Dual_EC_DRBG,”
Cryptography Engineering
, http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html.
D.W. (18 Sep 2013),
“Explaining weakness of Dual_EC_PRNG to wider audience?”
Cryptography Stack Exchange
, https://crypto.stackexchange.com/questions/10417/explaining-weakness-of-dual-ec-drbg-to-wider-audience.
the NSA masquerades:
Ryan Gallagher and Glenn Greenwald (12 Mar 2014), “How the NSA plans to infect ‘millions’
of computers with malware,”
Intercept
, https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware.
The UK’s GCHQ can find:
Glenn Greenwald (14 Jul 2014), “Hacking online polls and other ways British spies
seek to control the Internet,”
Intercept
, https://firstlook.org/theintercept/2014/07/14/manipulating-online-polls-ways-british-spies-seek-control-internet.
just better-funded hacker tools:
Bruce Schneier (21 May 2014), “The NSA is not made of magic,”
Schneier on Security
, https://www.schneier.com/blog/archives/2014/05/the_nsa_is_not_.html.
Academics have discussed ways:
Nicholas Weaver (13 Mar 2014), “A close look at the NSA’s most powerful Internet
attack tool,”
Wired
, http://www.wired.com/2014/03/quantum. Matt Brian (20 Jun 2014), “Hackers use Snowden
leaks to reverse-engineer NSA surveillance devices,”
Engadget
, http://www.engadget.com/2014/06/20/nsa-bugs-reverse-engineered.
one top-secret program:
Bruce Schneier (4 Oct 2013), “Attacking Tor: How the NSA targets users’ online anonymity,”
Guardian
, http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity.
technology that allows:
We have learned a lot about QUANTUM since my initial story. Nicholas Weaver (13 Mar
2014), “A close look at the NSA’s most powerful attack tool,”
Wired
, http://www.wired.com/2014/03/quantum. Claudio Guarnieri (24 Jan 2014), “The Internet
is compromised,”
Medium
, https://medium.com/@botherder/the-internet-is-compromised-4c66984abd7d. Der Spiegel
(30 Dec 2013), “NSA-Dokumente: So bernimmt der Geheimdienst fremde Rechner,”
Der Spiegel
, http://www.spiegel.de/fotostrecke/nsa-dokumente-so-uebernimmt-der-geheimdienst-fremde-rechner-fotostrecke-105329.html.
Der Spiegel (30 Dec 2013), “NSA-Dokumente: So knackt der Geheimdienst Internetkonten,”
Der Spiegel
, http://www.spiegel.de/fotostrecke/nsa-dokumente-so-knackt-der-geheimdienst-internetkonten-fotostrecke-105326.html.
Chinese government uses:
Nicholas Weaver, Robin Sommer, and Vern Paxson (8–11 Feb 2009), “Detecting forged
TCP reset packets,” Network and Distributed System Security Symposium (NDSS 2009),
San Diego, California, http://www.icir.org/vern/papers/reset-injection.ndss09.pdf.
Hacking Team sells:
Morgan Marquis-Boire (15 Aug 2014), “Schrodinger’s cat video and the death of clear-text,”
Citizen Lab, Munk School of Global Affairs, University of Toronto, https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text.
Morgan Marquis-Boire (15 Aug 2014), “You can get hacked just by watching this cat
video on YouTube,”
Intercept
, https://firstlook.org/theintercept/2014/08/15/cat-video-hack. Cora Currier and Morgan
Marquis-Boire (30 Oct 2014), “Secret manuals show the spyware sold to despots and
cops worldwide,”
Intercept
, https://firstlook.org/theintercept/2014/10/30/hacking-team.
there are hacker tools:
Airpwn (27 May 2009), “Airpwn 1.4,”
Sourceforge
, http://airpwn.sourceforge.net/Airpwn.html.
Techniques first developed:
Tom Simonite (19 Sep 2012), “Stuxnet tricks copied by computer criminals,”
MIT Technology Review
, http://www.technologyreview.com/news/429173/stuxnet-tricks-copied-by-computer-criminals.
software that Elcomsoft sells:
Andy Greenberg (2 Sep 2014), “The police tool that pervs use to steal nude pics from
Apple’s iCloud,”
Wired
, http://www.wired.com/2014/09/eppb-icloud.
once-secret techniques:
Mobistealth (2014), “Ultimate cell phone monitoring software,” http://www.mobistealth.com.
Stuxnet’s target was Iran:
Jarrad Shearer (26 Feb 2013), “W32.Stuxnet,” Symantec Corporation, http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99.
computers owned by Chevron:
Matthew J. Schwartz (12 Nov 2012), “Cyber weapon friendly fire: Chevron Stuxnet fallout,”
Information Week,
http://www.darkreading.com/attacks-and-breaches/cyber-weapon-friendly-fire-chevron-stuxnet-fallout/d/d-id/1107339.
industrial plants in Germany:
Robert McMillan (14 Sep 2010), “Siemens: Stuxnet worm hit industrial systems,”
Computer World
, http://www.computerworld.com/s/article/9185419/Siemens_Stuxnet_worm_hit_industrial_systems.
failure of an Indian satellite:
Jeffrey Carr (29 Sep 2010), “Did the Stuxnet worm kill India’s Insat-4B satellite?”
Forbes
, http://www.forbes.com/sites/firewall/2010/09/29/did-the-stuxnet-worm-kill-indias-insat-4b-satellite.
Internet blackout in Syria:
James Bamford (13 Aug 2014), “Edward Snowden: The untold story,”
Wired
, http://www.wired.com/2014/08/edward-snowden.
a technique called DNS injection:
Anonymous (Jul 2012), “The collateral damage of internet censorship by DNS injection,”
ACM SIGCOMM Computer Communication Review
42, http://www.sigcomm.org/sites/default/files/ccr/papers/2012/July/2317307-2317311.pdf.
public revelations of the NSA’s activities:
Ian Bremmer (18 Nov 2013), “Lost legitimacy: Why governing is harder than ever,”
Foreign Affairs
, http://www.foreignaffairs.com/articles/140274/ian-bremmer/lost-legitimacy.