Swiss Report Reveals New Details On CIA Spying Operation (washingtonpost.com)
An anonymous reader quotes a report from The Washington Post: The CIA and German intelligence jeopardized Switzerland's historic reputation for neutrality by using a Swiss company as a platform for a global espionage operation for decades, according to a report released Tuesday by members of the Swiss parliament. Investigators concluded that Swiss authorities were aware of, and at times complicit in, an elaborate espionage operation in which the CIA covertly owned and controlled a Swiss company, Crypto AG, that secretly sold rigged encryption systems to foreign governments.
The report marks the culmination of a Swiss investigation launched after the history of the Crypto operation was revealed earlier this year by The Washington Post in collaboration with ZDF, German public television, and Swiss broadcaster SRF. The Crypto operation exploited "Switzerland's image abroad as a neutral state," according to the report, which also said that Swiss authorities had effectively allowed the CIA and its German counterpart, the BND, to carry out "intelligence operations to the detriment of other states by hiding behind a Swiss company." The probe marks the first public accounting by a foreign government of an espionage operation so successful and extensive that a classified CIA history referred to it as "the intelligence coup of the century." The CIA did not respond to a request for comment, and the BND previously declined to comment.
This is why (Score:4, Insightful)
This is such a "duh", that it's difficult for me to find outrage in this case, as much as I'd like to.
The encryption systems you should be using are the ones that the government dislikes.
Re: (Score:3)
...Tell Pompeo that!
He (Pompeo) would rather have you believe that China, Iran, Venezuela and Russia are the enemy.
I can guarantee that if you asked him about this, he'll say something to the effect
The United States is the beacon of true democracy...A country with institutions that actually work for the benefit of [all] humanity, unlike the Chinese Communist Party that uses companies like Huawei to spy around the world.
Re: (Score:2)
China, Iran, Venezuela, and Russia (and let's not forget DPRK and Turkey!) are the enemies of personal liberty and democracy. Don't be fooled into thinking they're not just because the US does some truly shady (/immoral/unethical/illegal) shit as well.
Re: (Score:2)
this is my surprised face
started in the 1950s (Score:1)
so take note
BOTH Republican and Democrat presidents endorsed this
BOTH Republican and Democrat congresses endorsed this
think of that the next time a news headline says one party is a fascist one
Re: (Score:2)
True, but you're fighting against institutional momentum. Silicon Valley companies fawn over the products developed by other Silicon Valley companies, and reject products built elsewhere. Governments have similar biases and tend to trust other governments, but would never trust software built and used by commoners.
Re:OK so no problem then (Score:4, Insightful)
What kind of moron believes that Biden is a socialist?
Even the most leftist politicians leading Western Europe are at most social democrats. Compared to them, Biden is a right wing corporate tool.
Is he seizing the means of production? Last time I checked, he was absolutely opposed to anything that smells of progressivism, let alone collectivism.
Biden is to the right of Obama, and to anyone but an American, Obama is closer to a fascist than to a communist. (Supporter of the health insurance industry, nationalistic to a degree seldom seen outside of the US, enamored of drone assassination, etc.)
Old dupe (Score:3)
Dupe! [slashdot.org]
Well, apparently the news is that now the Swiss parliament has published a report on events that have been reported to the general public 9 months ago, and that the crypto community has known for decades.
So what? (Score:5, Insightful)
The CIA, NSA, USA will just continue the same operations while perpetuating FUD over Huawei and ZTE. There's no punishment to the CIA, NSA, USA because the US has a near absolute monopoly over the military, finance, technologies, and international institutions.
Re: (Score:2)
Re:So what? (Score:5, Informative)
FUD over Huawei?! I thought it was politics, but I did some digging...
After *five years*, Huawei still haven't been able to address severe security concerns the UK had (below is just a subset of problems from the report I link, any one of which would make infosec get up and leave the room). I would imagine *all* agencies have access to a Huawei device within seconds of access.
And note: This is just looking at their cell-tower switch product, with their cooperation:
The report analyzed the use of the commonly used and well maintained open source component OpenSSL. OpenSSL is often security critical and processes untrusted data from the network and so it is important that the component is kept up to date.
In the first version of the software, there were 70 full copies of 4 different OpenSSL versions, ranging from 0.9.8 to 1.0.2k (including one from a vendor SDK) with partial copies of 14 versions, ranging from 0.9.7d to 1.0.2k, those partial copies numbering 304.
Fragments of 10 versions, ranging from 0.9.6 to 1.0.2k, were also found across the codebase, with these normally being small sets of files that had been copied to import some particular functionality.
There were also a large number of files, again spread across the codebase, that had started life in the OpenSSL library and had been modified by Huawei.
And then the bit about memcopy... holy heck...
There were over 5000 direct invocations of 17 different safe memcpy()-like functions and over 600 direct invocations of 12 different unsafe memcpy()-like functions. Approximately 11% of the direct invocations of memcpy()-like functions are to unsafe variants.
There were over 1400 direct invocations of 22 different safe strcpy()-like functions and over 400 direct invocations of 9 different unsafe strcpy()-like functions. Approximately 22% of the direct invocations of strcpy()-like functions are to unsafe variants.
There were over 2000 direct invocations of 17 different safe sprintf()-like functions and almost 200 direct invocations of 12 different unsafe sprintf()-like functions. Approximately 9% of the direct invocations of sprintf()-like functions are to unsafe variants.
These numbers do not include any indirect invocation, such as through function pointers and the like. It is worth noting these unsafe functions are present in the binary and therefore pose real risk.
Analysis of relevant source code worryingly identified a number pre-processor directives of the form “#define SAFE_LIBRARY_memcpy(dest, destMax, src, count) memcpy(dest, src, count)”, which redefine a safe function to an unsafe one, effectively removing any benefit of the work done to remove the unsafe functions in the source code. There are also directives which force unsafe use of potentially safe functions, for example of the form “#define ANOTHER_MEMCPY(dest,src,size) memcpy_s((dest),(size),(src),(size))”
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/790270/HCSEC_OversightBoardReport-2019.pdf
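As an added illustration (not code from the HCSEC report or from the commenter), the two macro patterns quoted above are reproduced against a small memcpy_s-style checker so their effect can be observed; checked_memcpy stands in for memcpy_s, which most toolchains do not ship, and the 32-byte over-allocation of dest is an assumption made so the demo stays within defined behaviour:

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* memcpy_s-style copy: refuses the request instead of writing past dest. */
static int checked_memcpy(void *dest, size_t dest_max,
                          const void *src, size_t count)
{
    if (dest == NULL || src == NULL)
        return EINVAL;
    if (count > dest_max)          /* would overflow the destination */
        return ERANGE;
    memcpy(dest, src, count);
    return 0;
}

/* Pattern 1 from the report: the "safe" name silently drops destMax, so this
 * is plain memcpy under a reassuring alias (defect, kept for contrast). */
#define SAFE_LIBRARY_memcpy(dest, destMax, src, count) \
    memcpy((dest), (src), (count))

/* Pattern 2: the bound handed to the checked function is the copy length
 * itself, so "count > dest_max" can never be true and the check is vacuous. */
#define ANOTHER_MEMCPY(dest, src, size) \
    checked_memcpy((dest), (size), (src), (size))

/* Hardened form: the caller's real capacity reaches the checked function. */
#define BOUNDED_MEMCPY(dest, destMax, src, count) \
    checked_memcpy((dest), (destMax), (src), (count))

/* Every probe asks for a 16-byte copy into a buffer whose logical capacity is
 * 8 bytes (constructed scenario). Storage is over-allocated to 32 bytes so the
 * bypass cases remain defined here; a real 8-byte buffer would be overrun. */
enum { LOGICAL_CAP = 8, COPY_LEN = 16 };
static const unsigned char SRC[COPY_LEN + 1] = "AAAAAAAAAAAAAAAA";

int bounded_copy_rejected(void)      /* hardened macro: refuses, nothing written */
{
    unsigned char dest[32] = {0};
    return BOUNDED_MEMCPY(dest, LOGICAL_CAP, SRC, COPY_LEN) == ERANGE;
}

int vacuous_check_copies(void)       /* pattern 2: check "passes", bytes land past cap */
{
    unsigned char dest[32] = {0};
    return ANOTHER_MEMCPY(dest, SRC, COPY_LEN) == 0 && dest[LOGICAL_CAP] == 'A';
}

int aliased_memcpy_copies(void)      /* pattern 1: destMax is never even read */
{
    unsigned char dest[32] = {0};
    SAFE_LIBRARY_memcpy(dest, LOGICAL_CAP, SRC, COPY_LEN);
    return dest[LOGICAL_CAP] == 'A';
}
```

Grepping a tree for `#define` lines whose replacement list calls a different copy function than the macro name advertises catches both patterns before a binary is built.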
Re: (Score:2)
The question is how does this compare to Cisco and other Western manufacturers? Is it better or worse or the same?
Also some of it is misleading. 70 different copies could be a good thing, i.e. everything is highly containerised and tested with specific versions before release, meaning flaws are both contained and relatively easily patched. That's best practice.
Re: (Score:2)
All these "discoveries" simply mean that the UK/USA couldn't find any real malicious conduct like that implicating Crypto AG, and they had to resort to doing code reviews and churning out theoretical threats. Calling "unsafe memcpy" means nothing other than heavy optimization if the callers are already protected from malicious inputs. Have these western puppets found any actual threat vector path that went unanswered? Come on, all you show here are proofs of FUD.
A neutral state??? (Score:4, Funny)
Switzerland's historic reputation for neutrality?? The Crypto operation exploited "Switzerland's image abroad as a neutral state," ???
Do these people not remember the Hundred Days War, also known as the War of the Seventh Coalition, which marked the period between Napoleon's return from exile on the island of Elba to Paris on 20 March 1815 and the second restoration of King Louis XVIII on 8 July 1815???
Re:A neutral state??? (Score:5, Informative)
Switzerland has not participated in a war since then, even though remaining completely impartial turned out to be difficult at times. During World War II, when completely surrounded by Germany and Mussolini's Italy in the south, the Swiss allowed cargo trains through the Alps despite rumors that these trains actually transported Jewish people from Italy to Germany.
Reminds me about an old joke about Allied Forces being allowed to overfly Swiss territory:
Swiss air control to allied aircraft: You are approaching Swiss territory. Switzerland is neutral. Turn around.
Allied aircraft: We know.
Swiss air control: Turn around immediately, or we will shoot.
Allied aircraft: We know.
The Swiss shoot.
Allied aircraft: You are shooting too low. We fly higher than that.
Swiss air control: We know.
Re: (Score:3)
Funny, and probably with more than a grain of truth. Being neutral isn't easy, especially when one of the warring powers has your tiny country totally surrounded.
Still, the neutrality was largely respected, and having a neutral party allowed the two warring sides to talk to each other. Also, reaching and enforcing agreements like the Geneva Conventions, and the access of the Red Cross to prisoners of war would have been much more difficult without the involvement of a neutral country.
Of course, the Swiss to
Re: (Score:2)
"Do these people not remember the Hundred Days War, also known as the War of the Seventh Coalition, which marked the period between Napoleon's return from exile on the island of Elba to Paris on 20 March 1815 and the second restoration of King Louis XVIII on 8 July 1815???"
*pulls out Willy Wonka meme* "No, please tell me more."
Every nation should have effective espionage. (Score:2, Insightful)
The world is a bad place and failure to spy is gross neglect of duty to protect the nation.
Re: (Score:1)
The world is a bad place and failure to spy is gross neglect of duty to protect the nation.
Pretty much, it's better than shooting at each other, and if we're going to shoot at each other anyway, it's better to win.
Re: Every nation should have effective espionage. (Score:2)
There was a book written about this long ago, and two thousand years hasn't made it obsolete yet.
https://suntzusaid.com/book/13 [suntzusaid.com]
So sad (Score:2)
But Switzerland's reputation as a neutral country is long lost, what with all the American and Canadian surnames dotted all around and the banking system's long lost reputation for secrecy by being strongarmed into complying with FATCA. Still the best place to live.
Precedent for all encryption being 'backdoored'? (Score:3)
Old news? (Score:1)
The Actual Report (Score:4, Informative)
Here are links directly to the report.
German: https://www.parlament.ch/centers/documents/de/bericht-gpdel-2020-11-10-d.pdf [parlament.ch]
French: https://www.parlament.ch/centers/documents/fr/bericht-gpdel-2020-11-10-f.pdf [parlament.ch]
Swiss were not neutral, they played both sides. (Score:2)
Black Box Crypto ... (Score:4, Insightful)
... not even once.
If you don't have the source for your crypto you WILL get screwed at some point.
Why is this dragged up again? (Score:2)
If the CIA had all this great intelligence... (Score:2)