Replicating the NSA's Gadgets Using Open Source 47
An anonymous reader writes "Wireless security researcher Michael Ossmann asked himself: 'Could I make the gadgets that the agency uses to monitor and locate mobile phones, tap USB and Ethernet connections, maintain persistent malware on PCs, communicate with malware across air gaps, and more, by just using open source software and hardware?' In this podcast he shares his insights on what to use — and how — to duplicate hardware devices found in the ANT catalog."
No surprise here (Score:1)
In abstract: technology is repeatable
I also wouldn't be surprised if some of the trinkets and software he's looking at were initially made by plugging together a few open source projects just like he's doing. The beta and release models probably have anything with an oppressive license removed, but internal alphas tend to be kludged together from anything available.
Re:No surprise here (Score:5, Interesting)
Indeed. My greatest use of Open Source, freeware, shareware and other kinds of "free" software is "what if"-type questions. They would be difficult to answer if all that existed were paid-for commercial solutions that you were then tied into.
Do we need Smoothwall in our large school? Hold on, let me bash out a squid + DansGuardian + iptables setup on an old office machine - look, it does roughly this. Great, should we buy the "commercial" product or is this more-than-enough for what we need (and I usually get both answers over time, depending on where I am)? Actually had one school use my box for 5 years rather than pay Smoothwall nearly a grand a year for updates.
Whoops, we're out of MS licenses and we bought a load of netbooks - there you go, have LibreOffice. While you're there, tell me what's wrong with it and why we couldn't just use that everywhere. Nobody ever came up with an answer to that, which really makes me question why we pay MS for Office.
My last one was digital signage. The school I work for had Powerpoints exported to MP4, then put onto a USB stick and plugged into an LG TV with looping turned on. Looked horrible but did the job. They knew it was the bare-bones and were looking for an all-in solution.
I put in a Xibo box as a test and asked if that was closer to what they wanted. Overnight, the LG TV become attached to a PC running Xibo Client. We've tested it running over RDP from a VM and even off a Raspberry Pi. It's bridged the gap between "an old TV showing something" and "stupendously expensive site-wide digital signage system" nicely. And in fact will probably be as far as we go. If we end up having ten displays showing more than 3 or 4 different schedules, I'll be amazed and it will indeed be time to move to a more commercially-supported package. But for now? A £100 TV and £25 for a RPi box with appropriate cabling. Seems to do the trick quite nicely.
We were going to buy a helpdesk system (don't quite know why). Stuck GLPI on, nobody's ever complained and I've been using GLPI for nearly 10 years in various places.
The beauty of open-source stuff is that you can prototype for free, find out whether there is some element that you will NEED to pay for (i.e. better customisability, more scalability, commercial support, etc.) and not worry about the licence interfering at any point. When you throw it all out, or push a working system into wider deployment, the licensing doesn't really affect you. The only point is does affect you is when you try to commercialise it yourself.
My first reaction upon being asked to do something is "Can I find a bit of free/open software that will do that?". If I can, then we can judge our real needs and requirement. If I can't, nothing lost - and it probably is something that takes a lot of commercial backing to make viable, but at least I know that.
Especially in schools, some bits of free/open software are ubiquitous precisely because they are "good enough" - GIMP, Irfanview, Audacity, Blender, etc.
And when prototyping anything, I tend to find someone's already beaten me to it, and usually by cobbling together open components.
Even the open-source projects, most of the time someone's just cobbled together a lot of other open-source projects and their functionality and just lumped them into one convenient package or written a front-end that relies on dozens of other projects in order to reduce the strain.
If the NSA *AREN'T* using open-source (or some agency-equivalent in a private secure codebase) in a modular manner to build both hardware and software for their "one-off" kinds of devices, then they really need to pull their finger out.
Re: (Score:1)
Actually had one school use my box for 5 years rather than pay Smoothwall nearly a grand a year for updates.
Nearly a grand a year is barely nothing. Especially for firewall updates. Thats what, 10 hours of your time over the course of a year? Did you do 10 hours a *year* to support your solution? If so you don't value your time enough.
Cobbling together open-source stuff is great, but it has to be a cost benefit analysis. 1 grand a year is peanuts for a product, support and updates.
Re:No surprise here (Score:5, Interesting)
£100 (GBP, notice, not USD) per hour in a school (note, UK schools are schools, for children, not universities or colleges)? You must be kidding.
And beside that, the box ran maintenance free for 5 years. The only changes we ever made were to block specific things we suddenly decided now needed to be blocked (and thus would have the same cost on the Smoothwall solution).
That was one of the points that stopped us buying - the fact that we'd not needed to maintain the "prototype" machine and it has just kept running. There was even a "what happens if the box dies" plan that never went into action because, well, it's still running now for all I know.
Please note also that Smoothwall will often charge a lot more - i.e. for a 19" rack mount box to install this junk on, and initial purchase price. The last quote I saw for a similar-size school this year was £9000 all-in for the first three years.
Given the 2 hours to build it (even compiling Squid from scratch to do transparent proxy properly), the other stuff it did, and the old office server it was running on, I work that out at £4500 an hour. If I was earning that, I wouldn't be working for Smoothwall or schools...
Re: (Score:1)
Whoops, we're out of MS licenses and we bought a load of netbooks - there you go, have LibreOffice. While you're there, tell me what's wrong with it and why we couldn't just use that everywhere. Nobody ever came up with an answer to that, which really makes me question why we pay MS for Office.
Nobody? Are the people at your school dumb? There are plenty of reasons that LibreOffice is inferior to Microsoft Office. The discussion's been had a thousand times. LO might work for you and your students, but don't pretend that it's an apples-for-apples replacement.
My last one was digital signage. The school I work for had Powerpoints exported to MP4, then put onto a USB stick and plugged into an LG TV with looping turned on. Looked horrible but did the job. They knew it was the bare-bones and were looking for an all-in solution.
I put in a Xibo box as a test and asked if that was closer to what they wanted. Overnight, the LG TV become attached to a PC running Xibo Client. We've tested it running over RDP from a VM and even off a Raspberry Pi. It's bridged the gap between "an old TV showing something" and "stupendously expensive site-wide digital signage system" nicely. And in fact will probably be as far as we go. If we end up having ten displays showing more than 3 or 4 different schedules, I'll be amazed and it will indeed be time to move to a more commercially-supported package. But for now? A £100 TV and £25 for a RPi box with appropriate cabling. Seems to do the trick quite nicely.
Maybe I'm missing something, but it seems they had an simple solution, and you made it complicated. Perhaps you should have simply had them export the PowerPoint to a series of images, since those would have cycled nicely from the LG TV o
Re: (Score:1)
Nobody? Are the people at your school dumb? There are plenty of reasons that LibreOffice is inferior to Microsoft Office.
That may (or may not) be true, but the question was why they couldn't use it everywhere, not why everyone can't use it. I personally haven't used Microsoft Office in over a decade and never missed it. Does that make me dumb, too?
Re: (Score:1)
That wasn't his assertion.
He said:
It worked for his students, but nobody could think of a single reason why they couldn't use it everwhere. If that's true, they're dumb.
I personally haven't used Microsoft Office in over a decade and never missed it. Does that make me dumb, too?
This is the internet, and everyone's a special
Re: (Score:2)
Whoops, we're out of MS licenses and we bought a load of netbooks - there you go, have LibreOffice. While you're there, tell me what's wrong with it and why we couldn't just use that everywhere. Nobody ever came up with an answer to that, which really makes me question why we pay MS for Office.
Nobody? Are the people at your school dumb? There are plenty of reasons that LibreOffice is inferior to Microsoft Office. The discussion's been had a thousand times. LO might work for you and your students, but don't pretend that it's an apples-for-apples replacement.
And there's plenty of reasons why it is also superior to Microsoft Office, but don't let that get in your way.
The only real compelling reason to continue using Microsoft Office is if you are tied to a specific feature set, plugin, etc used and supported by Microsoft Office. Most everything can be ported over with minimal effort.
laws of physics Yes, laws of your state, No (Score:3, Insightful)
Yes, but anything messing with a cell phone is illegal unless you are above the law (law enforcement, Government etc.) It is even illegal to have a police scanner or radar detector in some (police) states.
Re: (Score:2)
Yes, but anything messing with a cell phone is illegal unless you are above the law (law enforcement, Government etc.)
Not your own cellphone for proof of concept surely?
Re: (Score:1)
You must be new around here. Let me be the first to welcome you to the United States of America.
National Security (Score:5, Insightful)
If the NSA does it, hey that's national security and they are allowed to do anything.
If you do it, you're going to be spending the rest of your life in a 10' cube for national security.
Comment removed (Score:4, Interesting)
Lets make problems worse. (Score:4, Interesting)
Why bother trying to solve problems, lets just make them so much worse.
OK yes the NSA did a lot of illegal things and used/misused tools to gather information that they shouldn't have, and they have a problem being a secret organization of having the correct checks and balances to keep them in place.
So instead of putting brain power into figuring out how to make such organizations more trustworthy and deserving to be trustworthy. Lets just take all their tools and tricks and give them to the general public. Where any kid with some free time and the trendy hatred of "The Man" can get their hands on it, and use it to cause all sorts of problems.
If you are concerned about your privacy giving these tools to the public is just a bad idea. Sure the black hat argument, if we break in then they will have to fix it and make it more secure... But can they really always do that, Not all software and PC's are equal in security needs.
But that is like saying we should all drive armored cars, carry guns, and live like a military personal because there are some kids who just want to destroy things because they can and makes them feel like a big man.
Re: (Score:3)
instead of putting brain power into figuring out how to make such organizations more trustworthy and deserving to be trustworthy. Lets just take all their tools and tricks and give them to the general public
False dichotomy. Some believe that the only way to do the first thing is to do the second thing, not just in the interests of disclosure but also simply education. How are you going to learn to defend against the attacks without the attacks to practice against?
No, This is the First Step in Fixing the Problem (Score:3, Insightful)
OK yes the NSA did a lot of illegal things and used/misused tools to gather information that they shouldn't have, and they have a problem being a secret organization of having the correct checks and balances to keep them in place.
So instead of putting brain power into figuring out how to make such organizations more trustworthy and deserving to be trustworthy. Lets just take all their tools and tricks and give them to the general public. Where any kid with some free time and the trendy hatred of "The Man" c
Re: (Score:2)
> If you are concerned about your privacy giving these tools to the public is just a bad idea. Sure the black hat
> argument, if we break in then they will have to fix it and make it more secure..
I think you believe your own straw man.
What is being assaulted here is the relative bubble the NSA operates in. You see, if the NSA develops a tool, that is them. Its tradecraft, its keeping us safe, its under control. They have it, we have no proof anyone else does. No "real" problem...just an "academic" pro
Ok wait, hang on (Score:4, Insightful)
Is there any evidence of this "air gap malware" crap? Yes I remember there was a preliminary story on Slashdot... I don't remember any followup, any proof, just some wild ass speculation.
Is there any evidence that such a thing actually exists?
Re: (Score:3)
It is audio exfiltration, not audio infection. Not very oh-my-god stuff here.
Re: (Score:3)
The claim made was reinfection via audio. However, as I said, I've seen no proof. Nor, for that matter, any proof on the audio exfiltration malware. Just the one sensationalist preliminary article and no followup.
Hence why I'm interested if there is actually any more information, or if this is just more Internet echo chamber where one unfounded report becomes an Absolute Truth(tm).
Re: (Score:2)
Re: (Score:3)
"If you used 1kHz at the top of the audio range it would basically be inaudible. "
But it might annoy some teens, an added bonus.
Re: (Score:2)
Air gap espionage I thought that was the pet project of the CIA, with MK Ultra suspected as still running as an off balance sheet semi-privatised but fully politicised entity, undoubtedly doing some very strange things, with some very strange people. Not so much cooperating with the NSA but in competition with them. One wanders if the NSA will start shifting some research efforts into that whole mind control area, as that is one remaining area that have as yet failed to tap.
Podcast Spam (Score:4, Insightful)
Please be careful (Score:2)
NSA has weakened national security (Score:2)
I'm wondering when somebody in congress will initiate legal action against the NSA for weakening national security.
It's generally acknowledged by now that the NSA has intentionally weakened various cryptographic algorithms, including AES. I'm responsible for various WAN links at my organization, and they use AES-256 IPSec tunnels to secure the traffic. That traffic is extremely sensitive in nature. The NSA may have intended to only allow themselves to crack this encryption, but how am I supposed to know th