Snowden leak: NSA Plans to Infect ‘Millions’ of Computers




DamianTV
03-13-2014, 04:44 PM
http://rt.com/usa/nsa-greenwald-malware-infect-382/


Yet more previously secret surveillance operations waged by the United States National Security Agency were made public Wednesday morning thanks to leaked documents supplied by former NSA contractor Edward Snowden.

The files — published first by The Intercept this week and dissected over the course of a 3,000-word article attributed to journalists Glenn Greenwald and Ryan Gallagher — bring to light a number of previously unreported programs undertaken by the secretive US spy agency, including operations that have given the NSA the potential to infect millions of computers around the world by relying on malicious software that’s sent to targets through surreptitious means.

In recent years, however, the NSA has reportedly made adjustments to these operations that enable them to be carried out automatically without the direct aid of human spies — a decision that experts say is undermining the internet as it is known today.

“Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process,” the journalists wrote.

That automated system named "TURBINE," they said later, is designed to “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.”

http://rt.com/files/news/23/7e/60/00/2.jpg

(continues on link)

phill4paul
03-13-2014, 04:54 PM
I thought something was up. Either that or after my last WinXP update I was notified that WinXP would no longer be supported after April 16th so they put in some crash program to force me to update.

Mini-Me
03-13-2014, 05:15 PM
If you're not the government, creating a botnet from millions of compromised PC's means you're going to spend the rest of your life getting raped in prison. If you're the government, creating a botnet from millions of compromised PC's means you're just "skirting the rules" or "working in a gray area."

Edward Snowden has become probably the most important whistleblower of all time, and he's living in exile in Russia while the government continues to break every law in the book with impunity. The fact that nobody has been prosecuted for this any of this yet is just absurd.

Dr.3D
03-13-2014, 05:26 PM
If you're not the government, creating a botnet from millions of compromised PC's means you're going to spend the rest of your life getting raped in prison. If you're the government, creating a botnet from millions of compromised PC's means you're just "skirting the rules" or "working in a gray area."

Edward Snowden has become probably the most important whistleblower of all time, and he's living in exile in Russia while the government continues to break every law in the book with impunity. The fact that nobody has been prosecuted for this any of this yet is just absurd.
That's the problem with getting the government to prosecute itself.

DamianTV
03-13-2014, 05:27 PM
"Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive." - C.S. Lewis

"When any government, or any church for that matter, undertakes to say to its subjects, This you may not read, this you must not see, this you are forbidden to know, the end result is tyranny and oppression no matter how holy the motives." - Robert A. Heinlein

"Advocates of capitalism are very apt to appeal to the sacred principles of liberty, which are embodied in one maxim: The fortunate must not be restrained in the exercise of tyranny over the unfortunate." - Bertrand Russell

I think the third one best applies, but all are applicable.

Mini-Me
03-13-2014, 05:28 PM
That's the problem with getting the government to prosecute itself.

I imagine a large part of the problem has to do with VERY tight restrictions on the number of people with the authority to prosecute the federal government itself. Who exactly DOES have the legal authority to prosecute in cases like this...just the Attorney General, or someone else too? Who has the authority to convene a grand jury or appoint a special prosecutor for this kind of thing? I really wish someone had the guts to try EVERYONE in the agency for conspiracy, as well as trying everyone in leadership positions for the millions of counts of thousands of crimes that they have committed.

VIDEODROME
03-13-2014, 05:33 PM
Orly?

I'm on Linux do I have to worry?

phill4paul
03-13-2014, 05:42 PM
Orly?

I'm on Linux do I have to worry?

Yeah, guess I'm gonna have to start re-edumacating myself. Know a link that I can start gaining knowledge of how Linux works? If not it is good. Just a search away. Sigh. I've really wanted to avoid doing this.

Mini-Me
03-13-2014, 05:50 PM
Orly?

I'm on Linux do I have to worry?

Yes, I believe you do have to worry, based mainly on Bruce Schneier's conclusion a few months back that if the NSA wants to get into your box, it's going to find a way. (BTW, you should check out his blog at https://www.schneier.com/! Not only is he extremely knowledgeable, but he's also one of the good guys, so he always has something interesting to say.) Linux isn't Swiss cheese like Windows, and it's not the low-hanging fruit, but most distributions are not really hardened...and Linux users might be more interesting targets for the NSA as well (on average). The grsecurity patches can help a great deal by making entire classes of exploits near-impossible to pull off, but they require constant out-of-tree maintenance and come at a significant performance cost (which is why they aren't in the mainline kernel). It's also difficult to know whether subtle backdoors might exist in such a complex codebase, despite it being open source. For an example of how subtle a previous attempt was, read this (and other articles on the subject): https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/ OpenBSD on the other hand is a very security-focused alternative OS out of the box, but the tradeoff is that basically nothing works out of the box, and as soon as you make something work, you've probably compromised a good bit of security. ;)

Plus, almost nobody uses SELinux or AppArmor to their full potential, and it's difficult for any distribution to ship with perfectly secure yet "still working" defaults for various daemons, etc. Zero-day Javascript/browser exploits can be used to run arbitrary user-level code, and if they're combined with a zero-day privilege escalation exploit, "all your base are belong to us." While one-stop-shop remote root exploits are pretty rare, zero-day exploits in general are quite common, and you can bet the NSA knows about them and writes exploits before most people have installed the patch. It helps to have software that checks for warning signs of rootkits, but a smart enough rootkit could probably undermine those too. (All of this is aside from the danger of targeted attacks: If the NSA develops an interest in you in particular and you have sshd running, you'd better have a best-of-class password...)

Paranoid speculation: Now that we know the NSA has compromised SSL in theory and practice, it's probably only a matter of time before they find ways to perform man-in-the-middle attacks that recognize Linux kernel DL's and corrupt the images en-route. (Hopefully I didn't give them any ideas.) Hopefully modern package management systems checking longstanding signing keys and everything would catch that, but I'm nowhere near knowledgeable enough to say it's impossible to circumvent. Hopefully I didn't just give them any ideas, but I'm sure they've thought of it already if I have.

Oh yeah, and are you running an Intel processor with Intel AMT Technology/vPro? If you are, there's already a hardware backdoor on your system. Can you turn it off in the BIOS? Well...sort of...? You can get it to tell you it's off, but forgive me for not being utterly convinced.
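The post above speculates that signed package checksums would catch an image corrupted en route. As an added example (not code from the thread or from any distribution), this shell snippet verifies a constructed "image" against a SHA256SUMS list and shows the check failing once the file is tampered with; the file names, directory and contents are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a downloaded image against a SHA256SUMS list, the way
# distribution mirrors and package managers publish them. Caveat: the SHA256SUMS
# file itself must be authenticated (typically a detached GPG signature made
# with a long-standing project key); an unsigned hash list only detects
# accidental corruption, since whoever rewrites the image can rewrite it too.

set -u

# Constructed sample "image" and its checksum list in a scratch directory.
WORKDIR=$(mktemp -d)
printf 'constructed kernel image bytes\n' > "$WORKDIR/linux-image.bin"
( cd "$WORKDIR" && sha256sum linux-image.bin > SHA256SUMS )

# verify_image DIR FILE: returns 0 if FILE matches its SHA256SUMS entry,
# 1 if the entry is missing or the hash differs.
verify_image() {
    dir=$1
    file=$2
    # sha256sum lines look like "<hex>  <name>"; awk collapses the spaces.
    expected=$(awk -v f="$file" '$2 == f { print $1 }' "$dir/SHA256SUMS")
    if [ -z "$expected" ]; then
        echo "$file: no entry in SHA256SUMS" >&2
        return 1
    fi
    actual=$(sha256sum "$dir/$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$file: OK"
        return 0
    fi
    echo "$file: FAILED (expected $expected, got $actual)" >&2
    return 1
}

# tamper_image DIR FILE: appends one byte, standing in for corruption en route.
tamper_image() {
    printf 'X' >> "$1/$2"
}
```

Run `verify_image "$WORKDIR" linux-image.bin` before and after `tamper_image` to see the check pass and then fail.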

phill4paul
03-13-2014, 06:09 PM
Yes, I believe you do have to worry, based mainly on Bruce Schneier's conclusion a few months back that if the NSA wants to get into your box, it's going to find a way (btw, you should check out his blog at https://www.schneier.com/!). Linux isn't Swiss cheese like Windows, and it's not the low-hanging fruit, but most distributions are not really hardened...and Linux users might be more interesting targets for the NSA as well (on average). The grsecurity patches can help a great deal by making entire classes of exploits near-impossible to pull off, but they require constant out-of-tree maintenance and come at a significant performance cost (which is why they aren't in the mainline kernel). It's also difficult to know whether subtle backdoors might exist in such a complex codebase, despite it being open source. For an example of how subtle a previous attempt was, read this (and other articles on the subject): https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003/ OpenBSD on the other hand is a very security-focused alternative OS out of the box, but the tradeoff is that basically nothing works out of the box, and as soon as you make something work, you've probably compromised a good bit of security. ;)

Plus, almost nobody uses SELinux or AppArmor to their full potential, and it's difficult for any distribution to ship with perfectly secure yet "still working" defaults for various daemons, etc. Zero-day Javascript/browser exploits can be used to run arbitrary user-level code, and if they're combined with a zero-day privilege escalation exploit, "all your base are belong to us." While one-stop-shop remote root exploits are pretty rare, zero-day exploits in general are quite common, and you can bet the NSA knows about them and writes exploits before most people have installed the patch. It helps to have software that checks for warning signs of rootkits, but a smart enough rootkit could probably undermine those too. (All of this is aside from the danger of targeted attacks: If the NSA develops an interest in you in particular and you have sshd running, you'd better have a best-of-class password...)

Paranoid speculation: Now that we know the NSA has compromised SSL in theory and practice, it's probably only a matter of time before they find ways to perform man-in-the-middle attacks that recognize Linux kernel DL's and corrupt the images en-route. (Hopefully I didn't give them any ideas.) Hopefully modern package management systems checking longstanding signing keys and everything would catch that, but I'm nowhere near knowledgeable enough to say it's impossible to circumvent. Hopefully I didn't just give them any ideas, but I'm sure they've thought of it already if I have.

Oh yeah, and are you running an Intel processor with Intel AMT Technology/vPro? If you are, there's already a hardware backdoor on your system. Can you turn it off in the BIOS? Well...sort of...? You can get it to tell you it's off, but forgive me for not being utterly convinced.

Le sigh.........back to basics....

http://img.gawkerassets.com/img/18589c19d7oeujpg/original.jpg

tangent4ronpaul
03-13-2014, 06:27 PM
I thought something was up. Either that or after my last WinXP update I was notified that WinXP would no longer be supported after April 16th so they put in some crash program to force me to update.

CERT just issued an advisory to not use IE on XP. I always thought that OS sucked anyway.


Yeah, guess I'm gonna have to start re-edumacating myself. Know a link that I can start gaining knowledge of how Linux works? If not it is good. Just a search away. Sigh. I've really wanted to avoid doing this.

Go to the Ubuntu site and download an iso for their live CD. Then burn it to disk and go into your BIOS and set your CD/DVD player to boot off CD first. Reboot and you will be running Linux. This will let you try it out without installing it. You should have the option to boot the live CD or install when it first comes up.

http://www.ubuntu.com/download/desktop

It works a lot like Windows if you install a desktop or developer version. If you download a server version, you just get a command prompt and you will hate life :D But, yeah - to get the power from it, you need the command prompt. Bring up a terminal window and type "man man".

UNIX systems are much more secure than Micro$haft crap, but they have their own issues. For example, it was just announced that the TLS module was flawed and had a security vulnerability. Make sure you have the latest version.

There are many flavors of UNIX and you can custom build a system to meet your needs by custom picking software.

There is an uber-secure version of UNIX called SELinux that doesn't have a root account and has extra access control measures.
The bad news is that the NSA wrote it, so it's probably backdoored.


http://www.youtube.com/watch?v=xRX6ZI_P-LA


http://www.youtube.com/watch?v=0KYsv1aVEQM&list=PLT98CRl2KxKH_XV3tD1QibZfn9prjlM97

-t

Mini-Me
03-13-2014, 06:31 PM
Le sigh.........back to basics....

It's not SO bad. You're still a lot more secure on Linux than Windows, relatively speaking. I just wanted to make it clear that Linux users shouldn't be overconfident or think they're invincible, because there are still a lot of attack vectors that can be and sometimes are exploited. There's no such thing as 100% security...just increasing levels of security that make it increasingly less economical to compromise your system.

tangent4ronpaul
03-13-2014, 06:33 PM
CHEAT SHEETS!

http://www.nixtutor.com/linux/all-the-best-linux-cheat-sheets/
(they come in t-shirts and wallpapers too...)

-t

PRB
03-13-2014, 06:45 PM
Does anybody remember a State Department sponsored attack which affected Americans' computers? It was on many news outlets, I think there were pop up warnings on Google search results, or something like that. I need to find that article.

And if I remembered correctly, it was intended to target Iranians

phill4paul
03-13-2014, 06:46 PM
Go to the Ubuntu site and download ....

Thanks -t. +rep.

Dianne
03-13-2014, 06:49 PM
This has been going on quite a while, nothing new .. Just being announced.. Months ago, even with double virus protection, I could not access my e-mail. And my computer continued running all the time. I couldn't access my e-mail, because the e-mail program was already in use.

But where they suck, is they collect everyone's data; but they can't find anything they need afterwards.

If the NSA was so damn smart at spying and tracking, how come they can't trace location of approx. 175 smartphones in the 235 passengers in the missing jet?

Mini-Me
03-13-2014, 07:02 PM
CHEAT SHEETS!

http://www.nixtutor.com/linux/all-the-best-linux-cheat-sheets/
(they come in t-shirts and wallpapers too...)

-t

I also want to take this moment to encourage prospective Linux users: It's not all command line hell either. ;) You'll use a GUI for most things, and many normal day-to-day things are even easier in Linux than Windows, because you have your pick of several desktop environments (some of which are more drag-and-drop customizable than Windows) instead of being stuck with just one that may or may not be to your liking. (The Linux world is experiencing times of upheaval as far as desktop GUI's go though, due to newer tablet-centric GUI's like Gnome 3 and Ubuntu's Unity.) Most of the time, you'll only use the command line because:
a.) You already know a command by heart that's quicker than going through GUI's
b.) Something went wrong, and you were given a command line solution (because it's more widely applicable)
c.) You're trying to do something power-user-y
The hard part with Linux is that when things go wrong, they can go really, REALLY wrong...like, say your wireless Internet isn't working (because the proprietary firmware can't be legally distributed with the distribution), and you can't get online to ask for help with it...or your X server (the framework supporting the GUI) breaks, and you're dropped into a full-screen shell with no idea what to do. If you can access your wireless Internet from your distribution's LiveCD, you won't have to worry about the first problem at least, and things are getting a lot better with the second problem too (unless you're trying to use proprietary graphics drivers in Debian Sid or something)...but both of them happened to me back when I first started with Linux in 2007, and that sucked for a new user. ;) Also, while it's extremely easy and relatively secure to install free/open source software from a distribution repository with signed packages, it's more of a pain to install something outside the repository from source (because it requires command line usage and can lead to dependency hell), and you need Wine to run Windows .exe files (and malicious .exe files can at least compromise your home directory if they're aware of Wine, although they'd need to use a privilege-escalation exploit to compromise your whole system).

tangent4ronpaul
03-13-2014, 07:18 PM
it's more of a pain to install something outside the repository from source (because it requires command line usage and can lead to dependency hell)

if you're up for a challenge, try installing/compiling cc (the C Compiler), or WORSE TeX sometime! <insert evil cackle here>

-t

tangent4ronpaul
03-13-2014, 07:29 PM
c.) You're trying to do something power-user-y

http://read.pudn.com/downloads36/ebook/115143/Linux%20Power%20Tools.pdf

-t

phill4paul
03-13-2014, 07:32 PM
Lol. You two speak in another language. I'm just gonna upgrade my windows. Sheesh.

FindLiberty
03-13-2014, 07:42 PM
Say what... Just who does the nsa work for?

If an employee was caught sabotaging all the company PCs/Servers, they would be terminated, keys and ID taken away and then immediately escorted out of the building with their personal property stuffed in a cardboard box. And then they'd probably be prosecuted, ...but not in this case.

Maybe ww3 is a reasonable cleansing procedure after all when the unrest finally hits the fans...

Hey, what are we all doing in this fast-moving basket, and just where are we headed?

Mini-Me
03-13-2014, 07:43 PM
Lol. You two speak in another language. I'm just gonna upgrade my windows. Sheesh.

He was being scary on purpose. :p I started off years back by reading the Wikipedia articles on Ubuntu, Linux distributions, Gnome, and KDE to get a sense of what some of the big pieces of OS software were in the Linux world. Windows is easier to talk about, because it's a monolithic piece of software where there's no clear distinction between the kernel, the window manager, the desktop environment, etc. It's all just Windows. Talking about Linux requires more terminology and Brand Names (like another language) due to the seemingly overwhelming number of choices you have for distributions, components used by distributions, and the design priorities used for each. It's not so much a single product as an entire family of products that mix and match the Linux kernel with other free software projects. After a while you can get an idea of what's what, why some people prefer this over that, etc. If you just want to dive in and get a taste of something non-Windows, a good first choice in the past has always been Ubuntu, but Linux Mint might be easier and more familiar nowadays. Just download a LiveCD or LiveDVD, burn it, and boot to it. It'll be slow as molasses, since it's running the OS off a disc, but it lets you feel around inside the OS and get a taste for what it's like without having to install anything first.

GunnyFreedom
03-13-2014, 09:27 PM
if you're up for a challenge, try installing/compiling cc (the C Compiler), or WORSE TeX sometime! <insert evil cackle here>

-t

The one time I made, compiled and installed TeX in SunOS it went off without a hitch, but I never used it because I liked LaTeX better, and I have installed LaTeX scores of times with nary a blip.

phill4paul
03-13-2014, 09:30 PM
The one time I made, compiled and installed TeX in SunOS it went off without a hitch, but I never used it because I liked LaTeX better, and I have installed LaTeX scores of times with nary a blip.

Hear that girls of RPF? Gunny's into latex. ;)

Peace&Freedom
03-13-2014, 09:31 PM
It's so comforting to realize that not only did Snowden have the courage to leak these documents, but has not folded the disclosure process either under legal threats from the US, or in cutting a deal with Russia (Putin's original exile proposal). Had Snowden turned himself in with the docs, absolutely none of this would have ever surfaced, and the DOJ would have been free to win the info war, painting him as a terrorist mastermind.

So the dripfeed of tyranny tidbits has continued to erode the facade of respectability around the NSA and government surveillance operations. This dripping will keep the cult of the omnipotent state on the defensive and reeling for months to come.

VIDEODROME
03-14-2014, 12:09 AM
Okay, I'm seriously in the process of adding FreeBSD to my Netbook. Does that offer other advantages?

Of course either way I don't assume it's secure, but I think both options have many Hardening tools to tighten up the system.

Mini-Me
03-14-2014, 12:14 AM
Okay, I'm seriously in the process of adding FreeBSD to my Netbook. Does that offer other advantages?

Of course either way I don't assume it's secure, but I think both options have many Hardening tools to tighten up the system.

Note that FreeBSD and OpenBSD are two different operating systems. FreeBSD (https://en.wikipedia.org/wiki/FreeBSD)'s security is probably comparable to Linux's overall (similar security features, smaller codebase, but fewer eyes on it), although it might have an edge "out of the box" compared to some of the more convenient Linux distros (simply due to having less software installed and fewer services enabled). Their focus in the past has been speed, but now it's slower too, so I'm not sure what tangible advantages FreeBSD still holds (advocates may disagree though).

OpenBSD (https://en.wikipedia.org/wiki/OpenBSD) is the OS that focuses on security über alles, and it formed after its project leader Theo de Raadt had a falling out with NetBSD developers back in the day (NetBSD's focus is on absolute portability btw, and it's better-suited to odd devices than x86 desktops). The OpenBSD developers take out of the box security VERY seriously, to the point where virtually everything is disabled by default. Unfortunately, practically any piece of software you install will technically add vulnerabilities, especially as you change the configuration to make things actually work.

Still, OpenBSD has two significant advantages: First, it has a smaller, more carefully crafted codebase that's regularly audited for security. (Linux on the other hand grows more organically as contributors add more and more features and hardware support.) Second, it automatically applies the proactive techniques used by the Linux PAX patches (now part of mainline Linux) and the grsecurity patches (not mainline) to make entire classes of exploits much harder to pull off. That can probably make the difference between a browser Javascript exploit that *can* or *can't* be combined with a privilege escalation exploit to root your box. The downsides are it's slower than Linux, it supports fewer hardware devices, it's probably not as easy to install as large a variety of free/open source software as under Linux (especially Debian-based distributions), and a lot of things are likely to require more configuration to get them to work...and unless you're a security expert, that can be a hard thing to do right. (I'm not a security expert either.)

If you want to get serious about this kind of thing, you might also want to have a look at Snort (https://en.wikipedia.org/wiki/Snort_%28software%29) (a Network-based Intrusion Detection System, or NIDS) and OSSEC (https://en.wikipedia.org/wiki/OSSEC) (a Host-based Intrusion Detection System, or HIDS). I really wish I knew of a good sysadmin book that taught how to set up and administrate secure systems all in one go...particularly a modern book versed in modern software and the kind of sophisticated attacks that state-level attackers like to use. I guess it would have to be several thousand pages though to give a comprehensive overview as well as the ins and outs of specific common software.