Glenn Greenwald: How the NSA Tampers With US Made Internet Routers 347
Bob9113 (14996) writes "According to Glenn Greenwald, reporting in The Guardian: 'A June 2010 report from the head of the NSA's Access and Target Development department is shockingly explicit. The NSA routinely receives – or intercepts – routers, servers, and other computer network devices being exported from the US before they are delivered to the international customers. The agency then implants backdoor surveillance tools, repackages the devices with a factory seal, and sends them on. The NSA thus gains access to entire networks and all their users. The document gleefully observes that some "SIGINT tradecraft is very hands-on (literally!)".'"
Re:Most damaging release yet (Score:5, Informative)
Just wait till the markets open tomorrow. NASDAQ down 600-800 points (at least). Nobody sane is going to purchase US-made networking gear for a very long time.
Nah, this won't budge the markets, mainly because this info was released some time ago - and it wasn't limited to router hardware. [forbes.com]
The only reason this is being re-reported is to promote Greenwalds's book. [macmillan.com]
Re:First (Score:5, Informative)
You can't trust open source either.
Devices like these often have "binary blobs" that aren't open source
No, you CAN trust open source. If it has a binary blob, then by definition, it is not open source.
it would be naive to assume that the NSA can't hire programmers to contribute to these projects and that they can't be good enough at what they do to make a backdoors that would pass a code review without being detected.
That's still better than closed-source code that you can never inspect. Also, any such contributions will be recorded and tracked. Serious open-source projects like the Linux kernel don't accept anonymous contributions; they have to be signed off by someone. Also importantly, if you look at the Linux kernel, you'll find most contributions (esp. in an area where a backdoor could have a real impact, not places like USB joystick drivers or whatever) come from programmers working for well-known companies, not from random people on the internet.
Re:First (Score:5, Informative)
Does it really matter who we vote for, as far as the NSA is concerned? Any "electable" candidate will just let the NSA keep doing what they're doing.
Even if someone like Al Franken got elected president by some miracle (which is not going to happen) he still couldn't do much unless people also elected a whole bunch of Al Frankens/Rand Pauls to Congress. And that just isn't going to happen (there's a reason why those two are such outliers).
Ultimately the only way we'll ever end NSA malfeseanse (or CIA malfeseanse for that matter) is if we can somehow expose what they do. Without that, we'll change politcians but they'll stay the same.
Re:First (Score:3, Informative)
The NSA can't control who you vote for.
YET.
Re:Fuck the foreigners Re:What about inbound? (Score:5, Informative)
The NSA's own internal watchdog group found that NSA snooping power was used to spy on 'love interests' of several NSA employees.
If their own internal watchdog group is telling the world that there's something going on here, it's a bold move to claim "all the disclosures released so far have shown government ACTIVELY protecting civil liberties of Americans"
Imagine if an organization such as the ACLU had access to all internal NSA snooping records. Are you telling me that you believe that no civil liberties have been violated by the NSA? Alternatively, are you telling me that we have zero rights because the NSA is allowed to spy on everyone doing anything at any time for no reason at all?
Re:Nice job NSA (Score:4, Informative)
Your statement if altered slightly to reflect the perspective of the NSA and the US government might actually provide insight into the reason behind the outlash against Edward Snowden. One would presume such tampering isn't done wholesale because doing so on an industrial scale is not feasible. Yet. And because ubiquitous tampering would be detected by security researchers so the majority of devices on the market should remain untampered with. Tampering is most effective when done in a targeted manner depending on who will own the routers in question. Maintaining a baseline level of trust that is actually justified is very important, otherwise this technique wouldn't work. Mr. Snowden's revelations have destroyed all trust, thus undermining the ability of the NSA to ride on the back of that trust to engage in targeted spying.
This is why it baffles me that people can so readily point to entities like Startpage and Duck Duck Go as trustworthy just because they say so. Their claims may indeed be accurate for the vast majority of those using their services, but it's easy to imagine that particular searches can be scrutinized on demand if there is an interest. In other words, they can't be trusted based on their claims alone, even if they themselves believe them to be true.
It seems to me the only rational approach is to assume that nothing can be trusted and and act accordingly. Assume that whatever you are doing online is being observed by someone or anyone and don't communicate about genuinely private things, because they will no longer be private.
Comment removed (Score:5, Informative)
Linux-libre is proof of the point, pre-Snowden (Score:4, Informative)
Addressing both your comment and the grandparent comment: this distinction of allowing non-free software is part of what distinguishes the older free software movement from the younger open source movement. RMS has been talking and writing about this critical distinction for years.
Consider the following from "Why Open Source misses the point of Free Software [gnu.org]":
In other words, open source won't endorse software freedom for its own sake. That movement was designed to never raise the issue of software freedom in order to promote a developmental methodology thought to lead to more reliable, more powerful programs. That methodology is fine as far as it goes (everyone likes powerful robust programs) but as we're seeing with the Snowden revelations, that methodology doesn't go far enough. RMS realized this very early on and has been providing ethical counterarguments since the open source movement began (older essay [gnu.org], newer essay [gnu.org]).
This difference explains what we're seeing in the very different approaches taken in Linus Torvalds' fork of the Linux kernel versus the GNU Linux-libre fork of the Linux kernel [fsfla.org]. Linux-libre's distinction is that this fork removes the blobs that come with the Torvalds fork of the Linux kernel. Torvalds includes nonfree code meant to make the kernel run on more hardware which places a high value on convenience at the cost of software freedom. Linux-libre values software freedom instead. As a result, Linux-libre doesn't run on as much hardware and might not take advantage of everything modern hardware can do, but one gains a system they are allowed to fully inspect, share, and modify—software freedom. Linux-libre lets users make sure the software does only what that user wants that program to do. RMS, as recently as his recent responses to /. questions [slashdot.org], encouraged readers to reverse engineer hardware in order to fully document hardware ("The parts of Linux we need to replace are the nonfree parts, the "binary blobs". [...] The main work necessary to replace the blobs is reverse engineering to determine the specs of the peripherals those blobs are used in. That's a tremendously important job -- please join in if you can."). This work leads to increased support for fully free operating systems, including fully free support in Linux-libre.
Increased security is one of the things you get with the pursuit of software freedom for its own sake. I think RMS very much recognizes the security enhancements that come along with Linux-libre and why his org [gnu.org]