Forgot your password?
typodupeerror
United States Government Privacy Your Rights Online

Glenn Greenwald: How the NSA Tampers With US Made Internet Routers 347

Posted by samzenpus
from the try-it-now dept.
Bob9113 (14996) writes "According to Glenn Greenwald, reporting in The Guardian: 'A June 2010 report from the head of the NSA's Access and Target Development department is shockingly explicit. The NSA routinely receives – or intercepts – routers, servers, and other computer network devices being exported from the US before they are delivered to the international customers. The agency then implants backdoor surveillance tools, repackages the devices with a factory seal, and sends them on. The NSA thus gains access to entire networks and all their users. The document gleefully observes that some "SIGINT tradecraft is very hands-on (literally!)".'"
This discussion has been archived. No new comments can be posted.

Glenn Greenwald: How the NSA Tampers With US Made Internet Routers

Comments Filter:
  • by mr_mischief (456295) on Monday May 12, 2014 @04:47PM (#46983447) Journal

    Surely the NSA can touch anything that Customs does.

    • One cannot help but wonder what would happen if Router manufacturers put in smaller EPROMS, and Onboard RAM; to reduce costs of course.
    • by WarJolt (990309)

      You think the NSA really needs customs to help them spy on US citizens? They really don't have to be that clever about it.

  • by CBravo (35450)
    we were innocent and naive. Now you can only trust open source.
    • Re:First (Score:5, Insightful)

      by dougmc (70836) <dougmc+slashdot@frenzied.us> on Monday May 12, 2014 @04:54PM (#46983539) Homepage

      You can't trust open source either.

      Devices like these often have "binary blobs" that aren't open source and could contain backdoors (one of the reasons RMS has been rallying against them, but probably not the primary reason), but even more fundamentally than that, it would be naive to assume that the NSA can't hire programmers to contribute to these projects and that they can't be good enough at what they do to make a backdoors that would pass a code review without being detected.

      That said, at least with open source you have the chance to find such things, so there is that. But either way ... I think we're screwed.

      • Re:First (Score:4, Insightful)

        by fustakrakich (1673220) on Monday May 12, 2014 @05:08PM (#46983725) Journal

        I think we're screwed.

        Only if you keep on reelecting the same old crooked politicians over and over again. The NSA can't control who you vote for.

        • Re:First (Score:5, Informative)

          by machineghost (622031) on Monday May 12, 2014 @05:16PM (#46983793)

          Does it really matter who we vote for, as far as the NSA is concerned? Any "electable" candidate will just let the NSA keep doing what they're doing.

          Even if someone like Al Franken got elected president by some miracle (which is not going to happen) he still couldn't do much unless people also elected a whole bunch of Al Frankens/Rand Pauls to Congress. And that just isn't going to happen (there's a reason why those two are such outliers).

          Ultimately the only way we'll ever end NSA malfeseanse (or CIA malfeseanse for that matter) is if we can somehow expose what they do. Without that, we'll change politcians but they'll stay the same.

          • Re: (Score:3, Interesting)

            by fustakrakich (1673220)

            Al Franken? No thanks [opensecrets.org]! Besides, he thinks the NSA is a-okay...

          • by jovius (974690)

            Not really. The actually influential positions are outside of the democratic reach. They are "too important" to be decided by random public, unless the public can be made to believe the necessary agenda. Besides to be a successful politician one has to sell oneself in many ways, and sacrifice friends. The wall would come about quite quickly otherwise. People in the highest circles have hardly any principles. In the end it's all about power and interests. The intelligence services are in the core.

          • by Arker (91948)
            "And that just isn't going to happen (there's a reason why those two are such outliers)."

            The reason is that people like you that ought to know better keep repeating such nonsense. Franken and Paul are only 'outliers' in the context of Washington DC and the deep state - in terms of the country they are essentially mainstream at this point. The media works tirelessly day and night to prevent us from figuring this out, however, and one of their most effective tools is silly little tropes such as the one I quot
          • 1) Anti-Establishment candidates are often marginalized by the establishment, by civil methods and later by authoritarian ones depending on the threat and how authoritarian. Example: Ghandi. MLK. The extreme repression was their strength; the wise establishment doesn't empower their enemies.

            2) If you can elect somebody, they are a minority and unless it is a dictatorship they can't do anything on their own. Continued marginalization and undermining them with their base as they are forced to compromise to g

          • by dougmc (70836)

            Ultimately the only way we'll ever end NSA malfeseanse (or CIA malfeseanse for that matter) is if we can somehow expose what they do

            ... and this has already happened, with new stuff coming to light all the time.

            And so far, most people don't really seem to care. Not enough to do anything about it, anyways.

          • Re:First (Score:5, Informative)

            by houghi (78078) on Monday May 12, 2014 @06:39PM (#46984681)

            Exposing is not the issue. They need to be convicted. They already HAVE been exposed.

        • Re: (Score:3, Informative)

          by Anonymous Coward

          The NSA can't control who you vote for.

          YET.

        • by dougmc (70836)

          I think we're screwed.

          Only if you keep on reelecting the same old crooked politicians over and over again. The NSA can't control who you vote for.

          1) who knows how far NSA has its fingers into everything. If they've hacked the voting machines ... perhaps they *can* control who we vote for.

          2) it doesn't have to be the NSA. They may have the most resources and the most support from our government, but China could do similar things. And the part about getting back doors into open source software doesn't require a government agency at all.

          The most recent poster child of vulnerabilities that nobody noticed was of course Heartbleed, but who knows how man

        • Re:First (Score:5, Interesting)

          by penguinoid (724646) <spambait001@yahoo.com> on Monday May 12, 2014 @07:45PM (#46985225) Homepage Journal

          The NSA can't control who you vote for.

          And you know this how? You know for a fact that the NSA can't 1) Dig up information on a candidate, that will cause them to (legitimately) lose the election. 2) Donate, or encourage others to donate, to campaigns such that they legitimately lose the election. 3) Frame the candidate for something, that will cause him to lose your vote. 4) Actively eliminate a candidate, eg an "accident", causing you not to vote for them. 5) Change your vote, such that "your" vote becomes a vote for a different candidate?

          Full paranoia mode: and occasionally they release a few people like Snowden, to air a select portion of their dirty laundry and make us believe that we know what the NSA is doing. Remember when they were nicknamed the No Such Agency, think they gave up on that level of secrecy rather than just have the current NSA as their public interactions branch?

          Now excuse me while I go add a few more layers to my tin foil hat.

      • Re:First (Score:5, Informative)

        by Grishnakh (216268) on Monday May 12, 2014 @05:13PM (#46983775)

        You can't trust open source either.
        Devices like these often have "binary blobs" that aren't open source

        No, you CAN trust open source. If it has a binary blob, then by definition, it is not open source.

        it would be naive to assume that the NSA can't hire programmers to contribute to these projects and that they can't be good enough at what they do to make a backdoors that would pass a code review without being detected.

        That's still better than closed-source code that you can never inspect. Also, any such contributions will be recorded and tracked. Serious open-source projects like the Linux kernel don't accept anonymous contributions; they have to be signed off by someone. Also importantly, if you look at the Linux kernel, you'll find most contributions (esp. in an area where a backdoor could have a real impact, not places like USB joystick drivers or whatever) come from programmers working for well-known companies, not from random people on the internet.

        • Addressing both your comment and the grandparent comment: this distinction of allowing non-free software is part of what distinguishes the older free software movement from the younger open source movement. RMS has been talking and writing about this critical distinction for years.

          Consider the following from "Why Open Source misses the point of Free Software [gnu.org]":

          The idea of open source is that allowing users to change and redistribute the software will make it more powerful and reliable. But this is not guaranteed. Developers of proprietary software are not necessarily incompetent. Sometimes they produce a program that is powerful and reliable, even though it does not respect the users' freedom. Free software activists and open source enthusiasts will react very differently to that.

          A pure open source enthusiast, one that is not at all influenced by the ideals of free software, will say, "I am surprised you were able to make the program work so well without using our development model, but you did. How can I get a copy?" This attitude will reward schemes that take away our freedom, leading to its loss.

          The free software activist will say, "Your program is very attractive, but I value my freedom more. So I reject your program. Instead I will support a project to develop a free replacement." If we value our freedom, we can act to maintain and defend it.

          In other words, open source won't endorse software freedom for its own sake. That movement was designed to never raise the issue of software freedom in order to promote a developmental methodology thought to lead to more reliable, more powerful programs. That methodology is fine as far as it goes (everyone likes powerful robust programs) but as we're seeing with the Snowden revelations, that methodology doesn't go far enough. RMS realized this very early on and has been providing ethical counterarguments since the open source movement began (older essay [gnu.org], newer essay [gnu.org]).

          This difference explains what we're seeing in the very different approaches taken in Linus Torvalds' fork of the Linux kernel versus the GNU Linux-libre fork of the Linux kernel [fsfla.org]. Linux-libre's distinction is that this fork removes the blobs that come with the Torvalds fork of the Linux kernel. Torvalds includes nonfree code meant to make the kernel run on more hardware which places a high value on convenience at the cost of software freedom. Linux-libre values software freedom instead. As a result, Linux-libre doesn't run on as much hardware and might not take advantage of everything modern hardware can do, but one gains a system they are allowed to fully inspect, share, and modify—software freedom. Linux-libre lets users make sure the software does only what that user wants that program to do. RMS, as recently as his recent responses to /. questions [slashdot.org], encouraged readers to reverse engineer hardware in order to fully document hardware ("The parts of Linux we need to replace are the nonfree parts, the "binary blobs". [...] The main work necessary to replace the blobs is reverse engineering to determine the specs of the peripherals those blobs are used in. That's a tremendously important job -- please join in if you can."). This work leads to increased support for fully free operating systems, including fully free support in Linux-libre.

          Increased security is one of the things you get with the pursuit of software freedom for its own sake. I think RMS very much recognizes the security enhancements that come along with Linux-libre and why his org [gnu.org]

      • Re:First (Score:4, Insightful)

        by Obfuscant (592200) on Monday May 12, 2014 @05:39PM (#46984063)

        That said, at least with open source you have the chance to find such things, so there is that.

        Even with "open source" you still have to get the source code to your spiffy new router. Then you have to do a code review to see what's there. Then compile it, then get the libraries and try to link it, then try comparing the binary just to find out that it will have natural differences from what is installed in the router IF you can extract the binary once it has been flashed into it. (Do many firmware-upgradeable routers have an "extract" function, or only "install"?)

        So, if by "chance to find such things" you really mean "install your own code that will overwrite anything that isn't supposed to be there", yes. But to actually FIND the backdoors you need to extract the binary and decompile it anyway. The source may be a guide to what you expect to see, but with optimization and compiler tricks the source may not be all that helpful.

      • Isn't it still possible to have a trustworthy firewall as separate hardware, that can inform you if there are any inappropriate data transfers? It would seem like an important tool to have if only for virus/malware analysis.

  • Nice job NSA (Score:5, Insightful)

    by cbybear (256161) on Monday May 12, 2014 @04:52PM (#46983513)

    You just single-handedly killed the entire US tech industry. You murdered trust. No one will ever trust US hardware again.

    • Re:Nice job NSA (Score:5, Insightful)

      by joe_frisch (1366229) on Monday May 12, 2014 @04:59PM (#46983613)

      The problem is that even if this is a lie, the NSA has done enough that it will likely be believed. Once some lines have been crossed, its difficult to claim that others have not been. There are lots of companies with a huge financial interest in damaging the reputation of US equipment, so one can expect a constant flow of stories - some true some not.

      Yes the NSA has done grave damage to US tech industry. They likely have also drastically weakened our national defense by creating / allowing / obscuring weaknesses in our cyber defense. I don't think it was intentional, just people applying 20th century ideas to 21st century conflicts. The sort of thinking that causes great nations to become quaint has-been's.

      • by Paul Fernhout (109597) on Monday May 12, 2014 @06:36PM (#46984633) Homepage

        "just people applying 20th century ideas to 21st century conflicts."

        All too true. Although the results may be far worse than becoming a "quaint has-been". To expand on your point:
        http://www.pdfernhout.net/reco... [pdfernhout.net]
        "Likewise, even United States three-letter agencies like the NSA and the CIA, as well as their foreign counterparts, are becoming ironic institutions in many ways. Despite probably having more computing power per square foot than any other place in the world, they seem not to have thought much about the implications of all that computer power and organized information to transform the world into a place of abundance for all. Cheap computing makes possible just about cheap everything else, as does the ability to make better designs through shared computing. ... There is a fundamental mismatch between 21st century reality and 20th century security thinking. Those "security" agencies are using those tools of abundance, cooperation, and sharing mainly from a mindset of scarcity, competition, and secrecy. Given the power of 21st century technology as an amplifier (including as weapons of mass destruction), a scarcity-based approach to using such technology ultimately is just making us all insecure. Such powerful technologies of abundance, designed, organized, and used from a mindset of scarcity could well ironically doom us all whether through military robots, nukes, plagues, propaganda, or whatever else... Or alternatively, as Bucky Fuller and others have suggested, we could use such technologies to build a world that is abundant and secure for all."

        And also on intelligence specifically:
        http://www.phibetaiota.net/201... [phibetaiota.net]
        "A failure to realize this irony will produce ever greater problems down the road as we develop ever greater technologies that can become ever greater amplifiers of destructive impulses (including self-replicating nanotech and biotech) or ever greater inhibitors of constructive impulses (like pervasive surveillance to enforce arbitrary unhealthy norms as a "war on the unexpected"" [see Schneier]). So, how can we have an intelligence community in the 21st century that is truly worthy of the name? How can we have an intelligence community that truly helps prevent misadventures that waste trillions of US dollars while millions of US children grow up in poverty and tens of millions of US citizens lack access to health care or even adequate nutritious food?"

        And:
        http://pcast.ideascale.com/a/d... [ideascale.com]
        "As with that notion of "mutual security", the US intelligence community needs to look beyond seeing an intelligence tool as just something proprietary that gives a "friendly" analyst some advantage over an "unfriendly" analyst. Instead, the intelligence community could begin to see the potential for a free and open source intelligence tool as a way to promote "friendship" across the planet by dispelling some of the gloom of "want and ignorance" (see the scene in "A Christmas Carol" with Scrooge and a Christmas Spirit) that we still have all too much of around the planet. So, beyond supporting legitimate US intelligence needs (useful with their own closed sources of data), supporting a free and open source intelligence tool (and related open datasets) could become a strategic part of US (or other nation's) "diplomacy" and constructive outreach."

        "Good will" is an important resource. Slowly the USA has been squandering what goodwill it including from WWII. Fortunately, good will can be a renewable resource depending on the political choices the USA makes going forward.

        For example, imagine how much goodwill the USA would have right now if we had given the people of Iraq US$6 trillion dollars (US$300

    • Re:Nice job NSA (Score:5, Insightful)

      by amiga3D (567632) on Monday May 12, 2014 @05:02PM (#46983667)

      You mean that Chinese manufactured US hardware? They have to ship the crap here for the NSA to backdoor it because it's made in China. My question is do they take out the Chinese backdoors or do they leave those in with the NSA backdoors?

      • what they have, then, is a 'garage'. right? its two backdoors right next to each other: the chinese one and the nsa one.

        where I come from, 2 back doors right next to each other = "a garage"

        and so, we have been letting our citizens install routers with built-in garages... garages big enough to, uhm, drive a truck thru.

      • My question is do they take out the Chinese backdoors or do they leave those in with the NSA backdoors?

        That doesn't matter. We now know that the NSA has backdoors in them. We highly suspect that the Chinese also have backdoors in them.

        The question is how long it will take the other nations to start their own chip fabrication plants and build their own routers / switches / etc.

        Since nothing from us can be trusted (even by us) then they should be building their own stuff which they can trust more than our stu

        • by amiga3D (567632)

          I've started raising pigeons to communicate with friends. It's pretty cool, you see you take a message and fold it and attach it to the pigeons leg with a band and he flies off to home with it. Just have to watch for the hawks.

    • You just single-handedly killed the entire US tech industry. You murdered trust. No one will ever trust US hardware again.

      Not single handedly. The FBI seizing domain names of legal foreign companies, and arresting foreign nationals that never came to US soil sure helped.

    • Re:Nice job NSA (Score:4, Informative)

      by c0d3g33k (102699) on Monday May 12, 2014 @05:23PM (#46983881)

      Your statement if altered slightly to reflect the perspective of the NSA and the US government might actually provide insight into the reason behind the outlash against Edward Snowden. One would presume such tampering isn't done wholesale because doing so on an industrial scale is not feasible. Yet. And because ubiquitous tampering would be detected by security researchers so the majority of devices on the market should remain untampered with. Tampering is most effective when done in a targeted manner depending on who will own the routers in question. Maintaining a baseline level of trust that is actually justified is very important, otherwise this technique wouldn't work. Mr. Snowden's revelations have destroyed all trust, thus undermining the ability of the NSA to ride on the back of that trust to engage in targeted spying.

      This is why it baffles me that people can so readily point to entities like Startpage and Duck Duck Go as trustworthy just because they say so. Their claims may indeed be accurate for the vast majority of those using their services, but it's easy to imagine that particular searches can be scrutinized on demand if there is an interest. In other words, they can't be trusted based on their claims alone, even if they themselves believe them to be true.

      It seems to me the only rational approach is to assume that nothing can be trusted and and act accordingly. Assume that whatever you are doing online is being observed by someone or anyone and don't communicate about genuinely private things, because they will no longer be private.

    • No one will ever trust US hardware again.

      No one will ever trust US citizens again.

      I expect we'll be getting blacklisted soon from working on projects in foreign countries.

  • What a travesty.

  • by niftymitch (1625721) on Monday May 12, 2014 @05:00PM (#46983629)

    This is to be expected.... what is the real scope of this?

    I believe that a router on the way to a German auto maker is not targeted. OK I want to believe.

    I believe that a well managed site will audit and reload software. I believe that additional system admin audits behind and in front of the
    hardware are justified.

    For the NSA (Never Say Anything) to snoop does not bother me but they are not the only TLA in the game today.

    The internet has not been friendly for a gosh long time nothing has changed.

    • Who says it's just firmware? Working examples of chip level modifications are in the open.

    • by Noryungi (70322)

      Only possibility is to home-build all your systems, using nothing but individual parts, bought from several different suppliers, preferably from factories not based in the U.S. or China. Difficult, but not impossible.

      Finally, once machine has been built, install nothing but open-source software, such as Quagga or OpenBGPD, PfSense and FreeNAS, for instance, including auditing the code yourself.

      And even then, you are not safe, since Vupen and other delightful guns-for-hire are busy selling NSA zero-day explo

      • unless you build CHIPS, you can't build a fully trustable computer anymore. maybe using 30 yr old chips, but not any modern chips.

        its easy enough to put firmware and microcode in almost any chip.

        would you trust a nic chip? it has firmware and its rom is closed source. cpus? they have closed source 'errata' microcode and even what's deep inside an intel chip is not for you or I to see.

        pc's bios? yeah, right. like you can trust that.

        basically, nothing is trustable anymore. maybe that 30 yr old trs-80 i

      • So buy everything from Samsung? Everything else is either an American company or made in China.

  • by jafac (1449) on Monday May 12, 2014 @05:02PM (#46983661) Homepage

    Security researcher and Tor developer, Andrea Shepherd, found something fishy:
    http://www.techdirt.com/articl... [techdirt.com]

    • that is almost guaranteed to be bogus.

      why? do you REALLY think that the world' 'greatest' spy agency would be so sloppy as to have the mail system (any mail system) log 'route-arounds' that look suspicious?

      really? REALLY??

      anyone that powerful will have built-in ways to suppress any mail log records. in fact, if you ordered from dell, my GUESS is that dell is in bed with the bad guys and any 'special firmware' that might have to be installed for user X will be done BY dell AT dell, never having to give an

      • Nah, if they did it at Dell it would have been leaked by now.

      • Two things:

        1) According to the picture on the tracking thing, this was not a Dell, it was a Lenovo Thinkpad, which is a Chinese company, which Chinese company probably does not install "special firmware" for the NSA.

        2) However, the picture actually doesn't say it is a Lenovo Thinkpad, it actually says it is a Lenovo Thinkpad KEYBOARD. I guess I haven't dismantled a Thinkpad lately, but it doesn't make as much sense to me to intercept a keyboard as it does to intercept a computer.

  • Ah yes because the NSA says me so. You know what i think ? I think NSA told us to distrust other vendor because they have no back door in them.
  • NSA's message (Score:5, Insightful)

    by fgouget (925644) on Monday May 12, 2014 @05:18PM (#46983831)

    NSA's message:

    Beware: we're doing it to them so they could be doing it to us.

    Of course they could not go public with part one to they only publicized part two.

  • by viperidaenz (2515578) on Monday May 12, 2014 @05:32PM (#46983973)

    Now they've been found out it's going to hurt USA's export market.

  • by nomad63 (686331) on Monday May 12, 2014 @05:36PM (#46984031)
    You need to be one to understand one. US, especially the international cyber security related ranks of government, were worried about the security of networks, operating on Chinese made Huawei brand routing equipment. Has anyone give it a thought "why" ? Because, they were doing the same thing to the US manufactured equipment and up until Huawei undercut Cisco prices and made inroads to the US networks, they didn't say anything. I am just laughing why people are getting so upset at this point in game. Your privacy and mine as well, is no more than a joke.
  • Sorry, I've given up on all this Spy vs. Spy nonsense. Frankly I'm surprised that there hasn't been a story where the NSA employes pixies who spread magic fairy dust on the Internet Tubes and the secret encryption keys float magically in the air. Sure, a lot of what Snowden took possession of and released was most likely based in fact but a lot of it is starting to sound a bit more ridiculous. If this article has even 1% of credibility I would have thought that any security firm outside the US would have

  • So, as a business I ness US made routers so the chinese slave labor me out of the market, but in my home I need chineese made routers so the NSA isn't hacking my local computer.

    Or I just get both, and put them back to back, and hope the US NSA never cooperates with the chineese NSA [equivalent]

    • here's your solution: buy a US router and a china router. put them in parallel (on their inputs) and on their outputs, use a local AND. only pass packets that are produced by both and reject all differences.

      (I'm kidding, but maybe only half kidding..)

  • by Anonymous Coward on Monday May 12, 2014 @06:21PM (#46984489)

    I work for a company that ships laptops, desktops, and routers to customers overseas and I'm going to say that there are some really weird things going on in transit that I can't explain. Particularly with international shipments, but not necessarily exclusively. I've personally heard from numerous customers who've had there systems seemingly opened in transit. Not just the packages, but the actual cases. They don't even always do a good job of re-connecting and re-sealing everything. Its obviously the cases that have been opened too as snap-style pieces are left disconnected (hard drives). No amount of vibration or force will cause a disconnect.

    While I've suspected something like this I've never attempted to have a customer take a hash of the disk image and compare it to a before-shipment hash. Given this is a problem I think I might just go ahead and start doing this. The problem now is actually finding a customer who is going to be able to repeat the process on the other end.

  • by erroneus (253617) on Monday May 12, 2014 @06:37PM (#46984647) Homepage

    ... I just can't imagine how anyone would be offended or in the least bit concerned over this.

  • by Karmashock (2415832) on Monday May 12, 2014 @10:21PM (#46986283)

    If I'm a foreign buyer for this stuff... say a bank in Germany that wants to build a data center... I can't buy American stuff anymore. That's a huge blow to US tech.

    Look... I'm okay with pulling this crap against brutal dictatorships. But I suspect they're just doing it to anyone they're even vaguely interested in... I have to assume that because there's so much double talk and evasion on the issue along with apparently no oversight or auditing.

    If this sort of crap continues then the companies are at they very least going to have to use protected shipping methods that guarantee no tampering. A guard going with the shipment 24 hours a day from the factory to the delivery location would be an example.

    And of course, any organization or customer that is responsible to data security is going to have increasing trouble trusting US businesses with anything.

    This is incredibly damaging. The NSA needs to do their job without destroying the US tech industry in the process.

It is impossible to travel faster than light, and certainly not desirable, as one's hat keeps blowing off. -- Woody Allen

Working...