It is worthwhile to apply the same scepticism for placement of attribution as was applied with the Sony hack. In the latter many security analysts question NK attribution based on the similarity of code argument given by the US -- pointing out that the code base was in the wild for a long time, could be purchased on black market or reverse/reengineered after picking up the malware from a vulnerable machine.
Shouldn't we also assume that this malware, having been in the wild for "10 years", could have simply been modified and thrown into the NSA tool chest? When applying the same level of scepticism from the Sony hack, nothing in this article represents real proof to counter relevant arguments against US attribution.
Regardless, the Spiegel assumptions or slant is worthy if for nothing else than to teach everyone the issues with attribution, whether applied to greater or lesser evils.
Spiegel might have done better to call it a GCHQ tool used by the NSA.
You are suggesting that a tool that has been around for 10 years was picked up and used by NSA/GCHQ. Even if we grant that, the sophistication level is a bit more than "simply modified". When is a fork no longer a fork because the code base has been modified/improved?
With your argument, one could go back as far as they wished - NSA takes an idea from academia and implements it, then we just say 'oh well, it was the university who came up with it, not NSA as they only used it'.
Basically what cyphunk is saying is: how do we know that this was used by the NSA? More precisely: how does Spiegel know to say "clear proof that Regin is in fact the cyber-attack platform belonging to the Five Eyes alliance"?
We have something out in the wild (Regin) which contains a component (QWERTY) which was leaked in the Snowden documents, however it is quite possible that both descend from a common non-NSA source (Putative) such that:
      P (non-NSA)
     / \
    Q   R (non-NSA)
  (NSA)
Furthermore it is possible that in fact P = R, and that Q was derived from Regin rather than the other way around. Lots of possibilities are out there. We don't really have proof that P = Q and that therefore R also belongs to the NSA.
The issue is that we can attribute malicious attacks to R, and the article seems to be suggesting that therefore we should attribute these to the NSA. The reply by cyphunk is saying that this is a dangerous logical leap.
My question was concerning attribution. Though debatable, let's assume still the original was not theirs and they remixed it. Even if they made massive changes turning into their own beast allowing us to call the Snowden version significant we are still left with the question of: Are all the attacks over the past 10 years attributed to this general varietal, their attacks? Without full knowledge attribution is like a blind taste testing of different vintages of wine.
Also I think the remixed and implemented idea from academia applies less. It would be more like taking the paper from one journal, changing a few paragraphs and publishing it in another. And assuming these journals had a policy of publishing without names, how can we know who the author is in all prior journals when we eventually find a way to attribute one author to one journal?
>> "It is worthwhile to apply the same scepticism for placement of attribution as was applied with the Sony hack."
Just playing devil's advocate here.
The alternative is to do as the USG did and immediately jump to conclusions based on not that great evidence. If they don't give others the benefit of the doubt why should we give it to them?
Displaying a lack of intellectual rigor in response does not garner any respect from people that can think. The quickest way to get smart people to tune out is to engage in a political mudslinging contest lacking real content.
I agree and this is what I was hinting at with the last point. I think in the end there is no way to update our understanding to a world filled with acts of conflict that are difficult to attribute. We've lived in an attribution luxury until now. So this Hippocratic of attribution will probably continue. I do think in the end the public will just learn to take attribution with a grain of salt.
This is why I think cyberwarfare represents one of the most fascinating areas of exploration for political science students. In addition to the collective psychological effect from attribution complexity (further discussion if interested https://medium.com/@cyphunk/the-nature-of-conflict-is-changi...) there is also the breaking down of the 2 state/coalition actor assumption. The actor could be from a known state enemy, an unclear enemy just disturbed by your trade/sanctions policies, some activists with a cause or a bunch of people from b/chan doing it for the lulz. The absurdity of the US response and attempt to protect some lousy Hollywood comedy only illustrates this change of environment all too clearly.
There are also additional clues pointing to Regin being a Five Eyes tool: In the QWERTY code, there are numerous references to cricket, a sport that enjoys extreme popularity in the Commonwealth.
Given the relative popularity of cricket in the US vs. the rest of the world, it's more likely that this was written outside the NSA.
I know GCHQ contractors (BAE Detica, funded as a part of the "Mastering The Internet" tender) had a hand in at least some of it; it's not unreasonable to guess it might've been that module, as that does link it? (Although of course, that's just a guess, and doesn't really tell us anything particularly new or useful.)
Not that I think nation-state malware is, you know, strictly cricket. (Quite the opposite, I've always said it was an irresponsible and reckless path, all the way back to the 1998 era.)
Update: It seems Australia's DSD was likely a better guess in this particular instance - more to come from the authors soon. (Which leaves that Detica module currently unaccounted for. I don't know what that could be yet.) Of course, they're all Five Eyes, and at least US and UK have both used it, so I wouldn't be too surprised to see CAN/AUS/NZ too.
Leaves us back with the "How do we fix this?" problem. And "how do we find what replaced STRAITBIZARRE"?
I am baffled by the people who decided to disagree with you here. Calling this source code is incredibly dishonest. It's the equivalent of saying "we've published the source code of photoshop" when you've base64-encoded photoshop.exe.
I would love to see the actual source code of regin. What they've actually published is useless to me.
By saying they've released "source code" they're claiming to have somehow got hold of extra information (i.e. done some old-fashioned journalism and got hold of C code or whatever, containing comments and symbols and human information about intent). In fact they've just downloaded a publicly available binary and disassembled it.
And I'd argue that it is a disassembly of a binary compiled from source code.
Source code has the word "source" in it. Unless the original human wrote it directly in assembly without comments or macros (from his padded cell at the asylum, naturally), it is obviously not source code.
"Source code" is generally code you can put into a compiler and get out object code. The term "source" refers to the fact that it is used as input. This is why, for example, the GPL specifies that you must release the original source code in the preferred format for editing — so that people wouldn't release source code generated by disassembly or a source-to-source transformer.
I suppose it all depends on how you define "source code". For me, source code implies that it was authored by a human or automatically generated to mimic human authorship. Any automated translation step that does not result in executable "object code" or "machine language" is "intermediate code".
It may be usable in the same way as source code, but since it was produced as the output of a program that had an input closer to the source, it cannot be the source.
I imagine the compilation process like a stream. The source is the origin of the flow. All changes made there propagate downstream. Some streams are short, like those with M4-processed assembly. Others are longer, with MSIL or JVM intermediate code. Linked libraries are like tributaries; they have their own sources. The end product is a single river, which fans out into a delta for each supported processor architecture as it nears the sea of end users.
How smart would you have to be to insert references to different cultural aspects other than your own to make it look as if it's from another entity? I think it would take at least the smartness of two average people.
I think disinformation is one of the pillars in their line of work. For all we care, they could have written references to whatever is popular in North Korea.
Given that an NSA dev team was well aware that the spyware would be discovered and disassembled at some point in time, it was reasonable to intentionally leave behind evidence that points to countries other than the US. I'm not saying that's what happened, but I'd not take the cricket references too seriously either.
Using that logic, what would constitute evidence? That's like the senator in favor of the Japanese internment camps saying that the fact that no Japanese Americans had committed a crime was just even more evidence they were planning something.
But basically, people have already come to a conclusion. If the comments said "go <Virginia sports team>", that'd be considered evidence of made in the USA. And if the comments say "go <English sports team>" then that's evidence of made in the USA, because obviously comments are misleading.
Why not go recursive? They wrote about cricket because they wanted to frame the Americans, who always write misleading comments to frame the Brits.
Seeing that this is a keylogger, how complex would it be to enable a sort of SSL protocol between the keyboard and a specific application? The computational overhead should be manageable, the connector (USB) wouldn't need to change and there should be a fallback for any applications which don't support it. But if crucial applications like mail and the browser programs could use it, it might deliver another blow to security companies.
The way I would implement it is that the keyboard has a switch to enable this SSL type communication. Then the keyboard can perform a Diffie–Hellman key exchange with the current process. As a result any other interaction with the OS would become impossible until that process is terminated - basically disabling all OS related shortcuts etc. This would allow true end to end encryption - even on compromised systems (as long as the kernel code isn't modified to allow accessing the memory of other processes).
If the OS is compromised, then you can't work around that to secure a program inside the OS. You can run the program somewhere else, like on the keyboard itself. Some secure crypto devices have displays, so you can see what you're signing.
The only similar thing I've heard of is the "Secure Attention Sequence" in Windows. That is, pressing Ctrl+Alt+Del before entering credentials lets you be sure an application is not mimicking the logon prompt. But of course if the OS is compromised (like by loading a driver that intercepts such keystrokes, like VMware Enhanced Keyboard) all bets are off.
Think about it, the OS is executing all the code for the app, and storing all the memory.
This is also why there is a push for trusted computing. Being able to have your processor, OS, etc be able to verify they are running a trusted configuration is a powerful thing. It makes the owner of the computer in control. (The downside is when the user is not the owner, but would like to be, then they get upset at restrictions.)
"Trusted computing" puts the controller of the trusted infrastructure in control - the owner of the computer should expect that any NSA-approved malware will be considered properly trusted, and being in control of a secure OS doesn't help against attacks coming from the hardware (malware or backdoors on firmware) with direct memory access.
If the operating system is compromised, your application stands no chance hiding its data (including keystrokes) from it. The keystrokes could simply be intercepted after decryption, or even before - if your keyboard controller is that capable, it probably has more than enough space for malware of its own.
> as long as the kernel code isn't modified to allow accessing the memory of other processes
This is kind of what the kernel is for, though: if you can't modify the memory of other processes you can't handle IO for them. Hiding data in plaintext from the OS is basically impossible. Nearest you can get is heavy obfuscation (Skype) or communication to a secure hardware bastion (TPMs for DRM or otherwise, ARM TrustZone).
What might be more interesting and useful is secure communication between a remote website and a non-PC device. Kind of like PIN pads, but more user friendly.
Actually I may have been too quick to reply. This might be accomplishable with remote attestation (Intel TXT). I think Intel chips can set up trusted execution areas and provide a hash of the code running. Now, input and output are gonna be tough. You could do encryption to and from the device but then you're essentially running another computer.
It might be easier on a simple DOS like OS, where IO can be straightforward and handled by the hardware pretty much.
As a lazy person and Devil's advocate, why does anyone not think that the various intelligence agencies copied the malware? Surely they would have access to some of the best in all their various honeypots be it that they are attacked by everyone and everything.
"Good artists copy, great artists steal."-PP
`Fox IT found Regin on the computers of one of its customers, and according to their analysis parts of Regin are mentioned in the NSA ANT catalog under the names "Straitbizarre" and "Unitedrake".`
Because the US shares intelligence with those governments. In some EU countries it is illegal for the government to spy on its citizens (also see the US pre-9/11), so the US spies on those countries and then relays the info back.
Pre-9/11 this is also how the US worked. The UK spied on the US and the US spied on the UK, thus both subverting national laws, they then shared intelligence with one another (which is legal) and thus the loophole was born.
This is actually the system the US is going back to: it is becoming politically unpopular for the NSA to spy on American citizens, so GCHQ will likely take over the majority again. The reason they couldn't after 9/11 was that the workload increased too much in too short a period, and the systems didn't yet exist.
This goes all the way back to ECHELON and Five Eyes. If you look up the ECHELON program, you will find documented evidence of exactly that occurring. There is evidence this and similar programs/agreements have been going on since at least WWII.
Even now, it's well-documented and well-understood that all the first-world allied nations have varying degrees of intelligence-sharing relationships with their SIGINT programs. For example, with the NSA, you have the Five Eyes countries, and also Tier 2 countries like Germany.
I think what also holds them back a little is also the fact it's amazingly hypocritical for them to complain too much, because every industrialized country is spying on every other industrialized country, allied or not. Of course, some are bigger targets than others. The US is obviously the biggest target, but there's smaller scale stuff going on too, as between France and Germany. According to Germany, France is the "evil empire" of industrial espionage perpetrated in part through their SIGINT programs.
The focus on the USA, and the NSA, is misleading. The NSA's role is probably comparable to the US government at large's role in world politics, (biggest, most influential) but all other nations are complicit. I don't intend to sound mean, but I feel like the attitude that so many people had in the wake of the Snowden revelations, that spying on allies was unheard of, unexpected, evil, is breathtakingly naive and historically and contextually unaware, and almost like some kind of twisted expression of the stereotypical American arrogance, that only Americans could commit so great an evil. This is an old, old, old game that has always evolved with technology.
There's nothing conspiratorial about that one. Look up the echelon network and the UKUSA Agreement (both on Wikipedia). It has also been talked about in several books on the topic and discussed openly in the press. It is almost an "open secret" at this point.
Heck you can almost read the above claims verbatim here:
> During the 2013 NSA leaks Internet spying scandal, the surveillance agencies of the "Five Eyes" have been accused of intentionally spying on one another's citizens and willingly sharing the collected information with each other, allegedly circumventing laws preventing each agency from spying on its own citizens
Maybe, but I'm 99.99% sure that wasn't the person above's implication by suggesting it was "just" a conspiracy theory. If it had been, their entire point would be redundant; instead it is likely they were trying to suggest it was a fiction or born out of paranoia.
I wouldn't go so far as to call it a "fact" but based on several leaks, books, and news sources it is likely more fact than fiction.
By the way, my understanding is that it was never as simple as two countries colluding to share raw data with each other; there had to be essentially a "laundering" of the data by turning it into analyzed intelligence, so that an NSA analyst couldn't just explicitly task a selector on a US-resident AMCIT via another FVEY partner.
If you think about it from the lawyers' perspective, it goes something like this:
I(a)) A can gather data on BCITs.
I(b)) A cannot gather data or cause data to be gathered on ACITs.
II(a)) B can gather data on ACITs.
II(b)) B cannot gather data or cause data to be gathered on BCITs.
III) Data gathered via (I(a)) or (II(a)) is lawfully collected.
IV) Lawfully-collected data may be turned into intelligence.
V) A and B can share intelligence that is gathered by lawful means.
Therefore, A can receive intelligence on ACITs and B can receive intelligence on BCITs, so long as they do not derive that intelligence by gathering data or causing data to be gathered on their own citizens.
Now, this was pre-9/11; after that, who knows what gloves came off?
Google "Five Eyes". The Wikipedia article has a bunch of sources to this particular issue in recent times.
Also, IIRC this has been talked about for a long time... I'm pretty sure I read about this practice initially in the 80s/90s, probably in reference to Libyan sponsored terrorism in Europe.
Yes, it has, see [0], [1]. But there are fairly simple reasons why Europe does not close those stations, namely because European nations (including Germany) are doing similar things on their own [2],[3],[4] and also together with the Americans [5], and they generally think it's good that way.
Another point is that enforcing closure of such stations is rather difficult. You can limit these activities by making noise in the public and declaring diplomats persona non grata, but such things come with a diplomatic price.
BTW, your question reminds me of the activities of Интернет исследовательское агентство. According to reports, they like to raise this kind of points, though sometimes more aggressively (hence the name "troll army").
Many espionage tools are designed by organizations that then sell or license their tools to 3rd parties. Just because the NSA used it doesn't mean they wrote it.
'Some reporters were surprised to learn that the University of Maryland had a "covert" NSA facility operating somewhere on or near the school grounds. [..] "Which facility and exactly where it was Snowden worked is unknown, but the NSA has connections to several university facilities, including the Laboratory for Physical Sciences, the Office of Technology Commercialization and the Lab for Telecommunication Science."'
There are probably hundreds of other organizations which work 'in partnership' with the intelligence community to develop programs which are essentially used to better their espionage and analysis capabilities. Almost all the Virginia/DC/Maryland area's tech companies are employed in one way or another by the federal government, usually for the military or an intelligence agency.
OK, if you believe that there is actually such a thing as "Cyberwar" then this means that the USA has attacked Belgium. Does this give Belgium the right to physically blow up some important American infrastructure? ... or is Cyberwar a type of cold war which would limit the response to some sort of hacking of important American infrastructure?
Assuming all of this is true, and the TPP leaks are indeed what they seem to be - wouldn't the TPP let every corporation outside $COUNTRY sue the government of $COUNTRY for malware? (e.g. for $COUNTRY in Five Eyes)?
Really? Apart from France, do most countries prosecute the author of computer/hacking tools? I was under the impression that the use of the tools is what mattered. Just like BitTorrent itself has been fine, but any hints of using it for copyright infringement get fire.
After all, you could use this malware to spy on your child's use of your PC, which is legal, right?
Nothing like waking up to a story that makes you feel embarrassed by your citizenship. Good job Canada, you're making a Maple Leaf a dangerous symbol all around the world.
When I was a youngster, being Canadian meant that I could travel anywhere and be fine. Granted, there was a > 50% probability that the other Canadians I would meet were really Americans, but that was nothing. My country had a solid international reputation. Now???
Edit: Sorry, I didn't see it was paywalled (I'm not a subscriber of that site). I now see that it counts your visits and disables itself after a few times. "Private" browsing seems to solve the problem.
But from old memory: Hilux trucks are built amazingly and have awesome reliability. Real, authentic, Hilux trucks are thus valued by freedom fighters/terrorists in Afghanistan. Canada donated a bunch of real Hilux trucks to Afghanistan, and these vehicles had a Maple Leaf logo. People associated the Maple Leaf with the quality of Hilux, to the point of at least one person getting a Maple Leaf tattoo to signify his quality.
My current opinion on government hacking is, that I actually want democratic government to be the biggest meanest hackers of them all.
The alternative, unfortunately, is that either organized crime or non-democratic governments (or a combination of both) would be the biggest meanest hackers.
And hacking doesn't really scale. Mass surveillance just through attacking individuals with malware isn't possible, because of limited "talent" and a fear for exposing the tools, like just happened.
Building backdoors into systems or encryption schemes, on the other hand, isn't exactly hacking but does scale well to indiscriminate spying on millions of people.
The main issue is that intelligence and law enforcement agencies in the western world aren't bound to judicial control as tightly as they should. It also seems that a majority of voters either consent to these powers, or don't care. When politicians want to appear "acting decisively" after terrorist attacks, or foreign hacking incidents, it's not just because they like to do so. They know that, if they don't, voters will disapprove.
Not sure why people vote you down for sharing your opinion. Having said that, your logic is fundamentally flawed. Governments have to either focus on attacking or defending. Focusing on attacking means keeping a lid on vulnerabilities, which weakens the security of citizens and corporations inside their own country. Focusing on defending means disclosing those vulnerabilities in order to protect everybody, which also means those vulnerabilities can't be used in attacks anymore. You can't really have both.
Not disclosing vulnerabilities is not a question of attacking or defending, it's just stupid to keep vulnerabilities open.
I also didn't propose to uncompromisingly favor attack capabilities. I still don't think effective cyber defense is possible on a national level without leading the edge on offensive abilities as well.
I really don't want to explain it a third time, so let me just ask you a question instead: How do you lead the edge on offensive abilities without keeping vulnerabilities/bugs secret? Let me rephrase that: How do you lead the edge on offensive abilities without weakening the security of the people who are paying your salary; the very same people you swore an oath to protect? Please explain to me how that is possible on a technical level. If you can't, or you still don't really understand what I'm talking about, that's fine. Just ask.
---
I'm gonna explain it a third time. (Looks like you don't want to talk to me.)
Having offensive abilities means having one or more remote exploits ready to use. Having remote exploits ready to use means sitting on undisclosed vulnerabilities. Sitting on undisclosed vulnerabilities means weakening the security of the people you're supposed to protect.
It's quite simple, really. You can't remotely attack a computer without remote exploits. I only count remote attacks as "cyber warfare".
Remote exploits work surprisingly well on unpatched systems, stupid users, malconfigured hardware/software and if that doesn't work, maybe it's time for a bit of old-fashioned humint.
I just explained to you why that's not true. Let me try again:
Attacking a computer means finding a bug and keeping it secret until you use it to attack said computer. Defending a computer means finding a bug and disclosing/fixing it so that nobody can use it to attack said computer. I hope it's obvious to you that these two ideas contradict each other.
Please let me know if you have questions. This is very important and not intuitive at all. I'd love to help you understand it better.
Attacking someone who is attacking you is also a form of defense. Please let Sun Tzu know if you have questions. This is very important and not intuitive at all, though I don't particularly care about helping you to understand it better since it's considered common knowledge in the modern era.
I can do this all day: In order to be able to attack somebody who's attacking you, you need exploits available to you. If you have exploits available to you, you're making yourself attackable. Do you really not see the problem here?
The U.S. government, for all its weaknesses, is providing their citizens with freedom and liberties as good or better than most other countries.
The NSA does have democratic oversight. It is controlled by the executive, legislative and judicative branches of the system. That this control is inadequate in our view, doesn't matter for the question whether or not the NSA is part of a democratic system.
Then you have a very limited view of history. Crime, theft and murder used to be extremely more common.
You may be able to defend yourself against your neighbor. What about women and children? What about against multiple aggressors, or ones with better weapons? Turns out, without an effective police force, liberties are distributed a lot less equally...
Steve Pinker explained in a TED talk that hunter/gatherer societies are a lot more violent than modern societies. For example these groups have to launch preemptive attacks against neighbors if only for fear of the other group striking first.
And if your neighbor is bigger and stronger than you? If 100 of your neighbors get together to take your stuff? If 100 of your neighbors independently want your stuff?
At the absolute barest minimum, even disregarding any context, it's better to have to one known entity demanding a share than an unlimited number of unknown ones doing the same.
> "That this control is inadequate in our view, doesn't matter for ... a democratic system."
It absolutely matters. Without those controls you have a democracy in name only. You could quite happily rig elections, arrest opponents, suppress the population etc, while still claiming to be 'democratic'.
> You could quite happily rig elections, arrest opponents, suppress the population etc, while still claiming to be 'democratic'.
There is nothing undemocratic about those things as long as a majority of people agree to them - though with rigged elections, you might not be democratic for very much longer. "Democracy" is not synonymous with "respecting my values and human rights."
If enough Americans were sufficiently upset about the NSA, it would be gone. They aren't. It's not even a significant election issue.
> "... as long as a majority of people agree to them ..."
That requires that people are informed and able to comprehend the ramifications of their choices. Consider this: Is it still democratic if those who happen to be in charge are busy lying to and hoodwinking a poorly informed 'electorate'?
There's no reason to believe the US government has to make any real effort to make sure voters are misinformed. They seem to manage it just fine on their own.
You're glossing over a huge amount of stuff relating to who does the reporting and how the reporting on the government is done. There's plenty to suggest that the government actively works to keep journalists in line. The Sterling prosecution and James Risen's legal problems spring to mind. The heavy weight of the Espionage Act also comes to mind, as does the very heavy use of "anonymous" or "unnamed sources" these days.
In short, it really looks like some parts of the US government actively work to keep reporting very favorable or non-existent.
Nearly all formulations of democracy are not just majority rule, they also explicitly include protections for the rights of minorities and consider it non-democratic for the majority to vote away the rights of the minority.
edit - This also makes sense from looking at the word. Democracy is rule by the 'demos', which means 'the people', which includes the minority. Rule by the majority is ochlocracy, from 'ochlos', meaning 'the mob'.
> If enough Americans were sufficiently upset about the NSA, it would be gone. They aren't. It's not even a significant election issue.
Are we sure of that? Wisconsin Senator Russ Feingold lost his re-election bid. He was the only Senator to vote against the PATRIOT Act in 2001.
Colorado Senator Mark Udall lost his 2012 re-election campaign after being a total gadfly in the Senate Intelligence Oversight Committee.
It strikes me that the NSA is a significant election issue, just not to the voters.
Also, you're kind of arguing about a technicality in the definition of "democratic". Our elected reps often act un-democratically. I hope this is to prevent tyranny of the majority, but I fear that it's just legislative capture.
That omission of a few crucial words from my comment is almost malicious. I didn't say that the inadequacy doesn't matter for the democratic system, but rather that it doesn't matter for the question if the NSA is a part of such a system.
You may be technically and structurally correct, but I think most people care far more about how effective democratic checks and balances are being applied to the NSA (hint: not much) rather than classifying it as part of one type of system or the other.
Are you aware that (h)activists from around the world do not travel to the USA because they fear the consequences, having their equipment seized or being imprisoned?
Do you know why Laura Poitras is living in Berlin right now?
Being a "journalist" is not, and shouldn't ever be, a magic get-out-of-jail-free card. In Brown's own court motions, he agreed that he had threatened the lives and families of FBI agents, and that he had hidden evidence during a warranted search.
I ought to face jail for doing those things. So should Brown.
Unfortunately, that depends on how popular the politician is.
I hope this isn't some weird "because some politicians might get away with obstructing search warrants and issuing death threats, then journalists should be able to get away with it, too." You don't fix a carve-out with more carve-outs.
Canada, and most of the European countries, have successfully prosecuted ordinary people for "hate speech" for saying things that upset people of certain classes.
I don't see where your claim of data manipulation comes from, people have clearly answered the question you were wondering about.
The answer being yes, according to reputable sources, Chomsky would have that liberty of critique in many other countries and in several countries it would appear that he would have more.
On the less serious side, it's like that old joke about American and Soviet journalists, who discuss freedoms and yelling "Down with the USA" at the Times Square and Red Square, respectively. You can do the same at both places without fear of consequences.
What are you agreeing with though? Raverbashing didn't make a statement, he proposed a question. One which has been pretty well answered.
As far as your joke goes however, have you tried standing in Times Square yelling "Down with the USA"? I wouldn't think it would be that safe an enterprise.
There are 45 countries that journalists rank as having better press freedom than the USA.
edit - For comparison, I just looked at the "Freedom of the Press" report by US NGO Freedom House. It has 21 countries with a better rating than the USA.
What difference does freedom make if society is engineered accordingly so that anything but the party line will be lost in the noise? Other than for possible riots, bloodshed and long-term sustainability, is that in any way distinguishable from a "non-free" form of government?
Besides, freedom is only necessary for democracy, not sufficient. So his points all remain valid.
Chomsky is a lot less controversial in a lot of countries outside the US than he is in the US.
I'm sure there are countries where he'd be unable to say what he wants, but there are also a lot of countries (e.g. in Europe) where his political views are reasonably close to mainstream, to the extent where he's no more controversial than the average left wing politician and his main problem would be that he'd be one of many voices saying similar things.
It seems strange to address raver's comment about liberty of critique by saying Chomsky is less controversial in Europe and his views are close to the mainstream.
The test of a country's liberty is better illustrated by the spectrum of allowed speech rather than whether or not an opinion corresponds with the mainstream. And in my opinion, the spectrum of allowed speech is narrower in the average European country than the US.
"Two men, an American and a Russian were arguing. One said, in my country I can go to the white house walk to the president's office and pound the desk and say "Mr president! I don't like how you're running things in this country!" The Russian said "I can do that too!"
"Really?"
"Yes! I can go to the Kremlin, walk into the general secretary's office and pound the desk and say, Mr. secretary, I don't like how Reagan is running his country!"
How can they provide adequate defenses without having the best offensive hackers? At the very least, penetration testing is an indispensable tool in cyber security.
Also, surveillance of criminal and terrorist organizations without offensive capabilities is impossible.
The NSA have been accused of discovering vulnerabilities in systems and software but keeping them undisclosed so that they can exploit them themselves. A defensive security agency could be actively trying to secure these systems protecting us not just from government surveillance but all types of nefarious hackers.
Again, you seem to not understand how I discriminate between means and their use. Spying on European officials is a problem with oversight, not with capabilities. Arguably, European officials are a lot softer targets than a crime cartel or terrorists in this regard.
> "Spying on European officials is a problem with oversight, not with capabilities."
Snowden has showed this to be absolutely false. "Oversight" has been the nominal preventative for spying on our allies for decades, and it has always failed because these are spy agencies we are talking about. Their nature (and job description) is to do things in secret. You cannot oversee what you cannot see. The NSA has a fundamental incentive to hide as much of its activities as possible, and American politicians have a fundamental incentive to look the other way lest they appear "soft on terrorism" or some such nonsense. What few laws constrain the behavior of the NSA, GCHQ, etc are routinely ignored or "interpreted" to their own favor.
You cannot let the technological genie out of the bottle and expect a close watch on the genie to keep it under control. Mass surveillance technology is a Pandora's box that you can't control.
Snowden and others have also shown that other countries' intelligence agencies will happily take over from the NSA and spy on you. For example the Chinese and Russians.
Hacking tools are not mass surveillance technology. Trojans just don't work for that.
And if you can't control how these agencies use their abilities, how do you propose to take these away from them? Adequate oversight is easier to achieve.
Having offensive hackers, and using them for penetration purposes - that is "white hats", is fine by me. Using them for "black hat" purposes is not. That makes them the bad guys.
They should be using their capabilities to increase the security protections they have in place. For example, if they discover a vulnerability, they should work to get it fixed, instead of leaving it there so everyone is vulnerable, just so they can use it to attack others.
I think if you replace 'hackers' with 'guys' you get the basic definition of government: at some point, a nation picks its 'biggest meanest' (i.e. most capable) guy(s) to protect it and maintain order. Democracy just tries to institutionalize this decision and allow a peaceful reëvaluation every so often.
So maybe GP means he wants a well-designed democracy with a strong military, including infosec. Yeah, good idea.
No.. Government is not about picking a better bully than your neighboring nation and beating them into submission.
What government provides is a practically viable method (kludge?) to reaching consensus on issues where other more reliable methods (like science) fail to do so.
Should "we" build up an army and enslave our neighbor nations or should we rather build up an industry and fabricate something all of them want to have (but can't produce themselves) and sell it to them for horrendous prices? Both alternatives have the same effect, but which one is "better"?
Science can't provide conclusive answers here .. so what do we do instead? In the past we'd ask some designated mastermind deriving his legitimacy from god or a certain bloodline and such. These days we tend to vote on who that mastermind should be or create institutions that allow for more direct control by the nation's subjects.
But nothing of this has to do with picking a bigger bully. How big of a meanie you (as a nation) want to be is entirely orthogonal to being a government (or a democracy).
It depends on just who you are attacking. Terrorist groups, criminal organizations or criminal individuals are legitimate targets of a cyber attack, just as they could and should be put under conventional surveillance.
If government agencies attack ordinary citizens or companies, without legitimate authorization, then it's not a problem of means or tools but rather a problem with democratic or judicial oversight on these organizations.
Ok, but you omit a crucial step, that I kinda need an answer to further understand.
In order to attack (successfully), they employed various techniques; from weakening security systems and protocols, to actively endorsing weak crypto schemes. What about these? And for the sake of the argument, let's say that they have the best of intentions and they don't plan to use those against law abiding citizens.
Your comment here sort of answers my question above. So basically you don't agree with attacking or weakening crypto/security systems.
The thing is that without those "competitive advantages", I fail to see how they can have an advantage over the bad guys. Playing offense, when the need arises, won't cut it. You're gonna have to "lay the foundations" so to speak, for you to be a successful attacker.
So basically we reach the old, but not so tired, question of how much of your freedom you're willing to sacrifice, for your government to be the "meanest of them all"
Hacking is not the only way to spy on an enemy, especially terrorists or criminals. If such a group is sophisticated enough to evade all but the most sophisticated, ultra-secret bleeding edge attacks, maybe it's time to resort to conventional means. Luckily most such groups aren't. They just began using encryption.
The alternative to offensive hacking is to include backdoors in the encryption technology used by everyone. I think that this is causing more harm than good.
Right on the GCHQ website it states:
"In addition, we are also pleased to announce that GCHQ and MI5 are working with their US partners to further strengthen UK-US collaboration on cyber security ..."
I think it is fair to say they all use the same tools!
What's the feeling on the morality aspect of this? In a way it seems like the same situation as if US designed and manufactured weaponry were used against a US friendly power by some third party - is it analogous though?
Class action might be a solution for US citizens. The problem with malware though is that you end up infecting a whole lot of innocent civilians all over the place, which the people in Den Haag have slightly mixed feelings about. To be honest, I'm a bit disappointed that these cases never end up in international courts. The rules we have in place seem pretty clear to me.
AFAIK there are no widely accepted international conventions that would forbid, say, USA government to install malware (intentionally or unintentionally) on a German user's computer; if you can name a specific one then that would make this discussion much more interesting. International law is not particularly restrictive to the rights of governments to attack each other or their citizens if they desire so; the citizens don't have much recourse in international courts if a foreign government accidentally killed them, much less damaged their computer.
Given that you've used Germany as an example, I'd recommend this German podcast to you which explains the legal surroundings in great detail: http://alternativlos.org/25/
The NSA is tasked with doing signals intelligence so I get why they would develop some hacking abilities but you have to wonder where the break over point is with the money they are spending...at some point they are spending enough money that they could actually make a difference in improving our software and infrastructure. I mean, one of the reasons they say that they need these capabilities is because we are so vulnerable...how about actually helping out?
I've been tracking the new downvoting trend for the last week or so. Seems there's a lot of accounts downvoting everything that doesn't coincide with Western Government sensibilities. The recent North Korea and LSD threads (not just my replies, but you can get to the threads from my comment history) are really interesting examples to trudge through and see how many valid replies are sitting at -1 or worse.
I've experienced a couple of really bad downvotes as well lately, and they had definitely no intention of editorial feedback, but it was quite obviously mindless prejudice, almost on the level of /r/politics or /r/worldnews. I wished HN would replace downvotes with a system for short and private annotations, so that people could receive concrete feedback, not something that is vaguely implied by a number. That would also remove the problem that people mindlessly jump on the downvote bandwagon.
And/or, make up and downvotes public. A link from a comment to the list of uppers and downers.
Or make it semi-private, and only the commenter can see the list. But that would just encourage useless activity as commenters selectively out their up and downvotes.
That would be nice, but in practice, there's no commonly accepted clear criteria for what is "political" and what is not, and any attempts to enforce some such criteria would likely bring arbitrary and unfair results.
> I've been tracking the new downvoting trend for the last week or so. Seems there's a lot of accounts downvoting everything that doesn't coincide with Western Government sensibilities.
I'm not sure what new downvoting trend you're referring to, but I'm pretty sure there is no new anti-anti-Western-government trend on HN.
There's a strong cognitive bias toward seeing one's own views as being treated more unfairly. But as far as we can tell, there's nothing so systematic in voting behavior on the site.
fair enough. but wondering what the value down voting brings at all, or if current model of blessing according to activity gives better results than blessing random users or randomly blessing users with N down votes per time or other quantifier. One of the latter two would certainly be less caste based. Whereby the caste system of HN is according to "activity" not expertise.
The comment you're complaining about downvotes looks to be at +33 right now. The downvote situation is always in flux, which is one reason why the HN guidelines ask you not to post comments complaining about being downvoted.
I'm going to detach this subthread and mark it off topic now.
your guidance always welcome. i think posting about the community despite requests not to happens because there isn't a thread or forum to discuss administrivia. when people feel something strange or new is happening on the administrative side they are more likely to ask peers what is up rather than email site administrators.
Spoken like a true Stalinist, and so true. It would be complete debauchery. Unless the comments auto-delete after N minutes. This would create a very interesting metric giving insights into psychology at the same time. That is, it would be interesting to explore the relationship between N minutes on downvote thread and number of down vote comments in other threads. With conclusions like "1.2 minutes is just enough downvote-thread time for the individual to feel they released their angst enough while also having a R powered reduction on complaints overall in other threads"
I don't know why HN doesn't do these types of crazy experiments in social/political science. I'd have a heigh day.
I think the problem is the consensus is the NSA/GCHQ use the tool. Your disagreement is whether the NSA/GCHQ originated it. Your comment reads as if you disagree with there being proof of any use, based on the evidence in the article.
There's very little doubt the NSA/GCHQ use the tool.
Whether they originated it, though, is the crux of the issue. Nobody doubts that government agencies undertake cyberwarfare. But the idea that they might have created something that is now being used by nongovernmental parties is the scary thing - it's like saying that the Army lost a cache of weapons now being used by ISIS. (Which itself is true [1], but that's another story.)
Tinfoil hat: Hypothetically, if the Russian government were angry with the US government and wanted to give them a black eye, wouldn't having a Russian security firm announce to the world that the NSA was responsible for Regin be a good tactic?
Not saying NSA wasn't involved as I don't really trust my government, but when I read the article and saw Kaspersky mentioned, that was the first thing that popped into my head.
In this specific case Fox-IT (Netherlands) said the same thing. They based the claim not on the "source code" but on the fact that Regin was part of programs/processes of the NSA department ANT and mentioned in some leaked presentation slide of them (Source: http://www.spiegel.de/netzwelt/netzpolitik/trojaner-regin-is... (German)).
Thinking about infosec companies that publish impactful findings from time to time there is F-Secure from Finland, Fox-IT from the Netherlands, Symantec from the US and Kaspersky from Russia. Does anyone know about important Chinese/Japanese information security companies?