Thursday, July 17, 2014

Implications of Quantum Capabilities, TAO, and other nasty tricks

From the just in case you weren't paying attention file...I know I haven't been keeping up on my reading for quite some time.

Original source article here.

A comprehensive internal presentation titled "QUANTUM CAPABILITIES," which SPIEGEL has viewed, lists virtually every popular Internet service provider as a target, including Facebook, Yahoo, Twitter and YouTube. "NSA QUANTUM has the greatest success against Yahoo, Facebook and static IP addresses," it states. The presentation also notes that the NSA has been unable to employ this method to target users of Google services. Apparently, that can only be done by Britain's GCHQ intelligence service, which has acquired QUANTUM tools from the NSA.
 ...and, of course, Bruce Schneier clued me in that I missed it.  And because the article that led me to that one is hugely important it is.

Now, yesterday I wrote about why 'they' do it, with 'they' being a reference to certain group of bad guys.  The question today is...well, not why the NSA does it, we know the answer there, but rather how certain are you that they (the NSA) are only doing this stuff to the bad guys?  Because, to be honest, a lot of the monitoring tools sound like there are targeted at normal citizens.  Or at least the widely used internet services that vast segments of the internet citizenry frequent.  The list of sites and the tools to exploit them are not only the domain of bad guys, but regular people all over the world.  While I'm sure that people with bad intentions use those sites too, I would expect a bit more cloak a dagger than just hiding in all the noise in plain sight (or site?) on Facebook, Yahoo, Twitter and YouTube.  However, I suppose, it is easier to poison the waterhole rather than track the 'critters' as they move through the woods.

I think that one of the most worrying aspects of this type of information is that when my peers and colleagues talk about this vulnerability or that vulnerability, that there exists a whole host of exploits and things that we DON'T know about.  In fact, even the vendors don't know about; as opposed to quietly know about and are working on a fix, but haven't mentioned publicly yet.  It is not just the governments that are keeping these things a secret, but to a certainty the bad guys have their own bag of tricks they are not keen to share (but are very willing to sell).

Other people making choices for me...

Now this list of compromises has caused me to think and notice on Facebook that videos that people share of cute and funny things have started playing automatically.  I used to have to click on something to make it play, which I was happy with.  I really hate the fact that someone else at some point in time decided that I automatically want to play and see every video of a cat or dog doing something odd, strange, cute, or funny.  I did learn that you can turn this functionality off, by the way.  Again, the assumption that you want to opt-in unless you specifically opt-out is maddening.

There can be a myriad of reasons why I may not want to drink at the massive bandwidth firehose that characterizes many popular sites these days; first among them is that I don't trust every bit of eye-candy left out there.  This list of government tools and capabilities is foremost among them.  An old trick by bad guys is to leave something out in the open that lures you to interact with it and suddenly the trap is sprung.  Greek story of the Trojan horse, anyone?  Variations of this trick come in all forms.  Think vendor conferences and a vendor booth with fish bowl of free USB memory sticks...complete with a chuck of stealth malware to infect your system when you plug it in.  Old trick, by today's timeline measured in internet speed, almost certainly a derivation of Ludicrous Speed.

Internet warning labels anyone?

I really like the trend in various state's legislation that requires the caloric content of restaurant menu items to be posted with the item itself.  It allows me to make a choice.  Now, obviously, like most people, I may choose to have that high calorie dessert once in a while, but at least I know the implications of my choice.

We really need some legislation to require the choices be left to the individual when it comes to internet content...maybe some warning language like on cigarette cartons.  "This link cannot be guaranteed to be safe.  Clicking it may have dire consequences, including allowing your government or a foreign government or an evil hacker organization to follow your every move."  I would have no problem with any elective setting to turn off such warnings and allow all content to flow automatically based upon user choices.  User choice being a key concept here.

Of course, all these government tools and compromises could be a major part of the reason of why we don't have such legislation...heck, they could even rig the polls that might sample public opinion as to whether we feel it would be a good idea or not.