Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
notepad0x90 3 days ago

You're making assumptions that are not taking into account all the other capabilities revealed in the Snowden leak and several other prior leaks. The name "Tailored Access Operations" alone should tell you something. They still have presence in all the large tech company's networks (with cooperation from them of course), and they are able to access critical servers like MTA's. The shadowbroker leaks are also another glimpse into their historical capabilities.

You're assuming that despite their budget not having changed meaningfully, no repercussions against anyone from the historical leaks, the continued renewal of the patriot act and unchanged mission of the intelligence community orgs that somehow they've wound down. That they've stopped R&D and tailored access ops.

You're also assuming that tailored access is not used to facilitate, correlate and enrich traffic decryption.

You look at things from your perspective where decrypting traffic alone is all too important. If you can see all the metadata, why would you do that? If you hoard 0 days and sophisticated implants what's the advantage? I mean half the time comms alone aren't enough, you want access to internal networks, documents that will never get transmitted over the network,etc.. smartphone telemetry data from a large group of targets. They're not interested in decrypting traffic to grandma visiting facebook, they want to know who's downloading tails, who's using signal, who's committing to interesting git repos, who the source of some journalist is, what people a politician has been messaging on whatsapp. Once targets are identified they can be implanted, or have their traffic selected for decryption.

But I think i get what you're saying, that most of the traffic they capture is encrypted. That much I agree, that has changed. But whether they can decrypt it on-demand, that is tough to speculate, whether they need to? That's what I'm disagreeing with. If their goal was that one-time traffic decryption, perhaps that has been curtailed with the prevalence of TLS and CT logging. But metadata alone is sufficient to select a target, and all the evidence suggests that even if they can't readily implant targets, they can successfully perform targeted MITM attacks, even with typical non-mTLS/non-pinned TLS setups.

monerozcash 3 days ago | parent [-]

>You're assuming that despite their budget not having changed meaningfully, no repercussions against anyone from the historical leaks, the continued renewal of the patriot act and unchanged mission of the intelligence community orgs that somehow they've wound down. That they've stopped R&D and tailored access ops.

That's not at all what I'm assuming. I'm stating that the environment has become much more hostile to them, reducing their capabilities because all the super low hanging fruit is gone. The part where they're able to hack almost anyone they want hasn't changed.

>You look at things from your perspective where decrypting traffic alone is all too important. If you can see all the metadata, why would you do that?

Metadata lets you select a target sure. Having full content takes as they used to allows you to easily find new targets by simply matching keywords, that particularly cool capability has practically disappeared post-Snowden.

>they want to know who's downloading tails, who's using signal, who's committing to interesting git repos, who the source of some journalist is, what people a politician has been messaging on whatsapp

I don't think this really reflects what the previously leaked files suggest their main interests to be.

>what people a politician has been messaging on whatsapp

Whereas before they'd have been able to get that information off the wire together with the message content (for all messages, in real time!). Now? They actually have to actively compromise Facebook to get that for a single user.

It's also worth noting that the previously leaked NSA documents seem to suggest that the NSA was not particularly busy breaking the law by hacking American companies.

> even if they can't readily implant targets, they can successfully perform targeted MITM attacks, even with typical non-mTLS/non-pinned TLS setups.

Because of CT, such MITM attacks will not work without creating noise that's visible to the whole world.

notepad0x90 2 days ago | parent [-]

You've made really good points, I get what you're saying now. They can't do simple keyword searches over unencrypted traffic anymore. But even in 2010 lots of important traffic was over https, and anyone worth their salt used https for important things. I don't think even back then they were hoping for incidental intercept of unencrypted traffic. That was just icing on the cake, the main purpose as I understood was metadata mining, and not just the internet but phone calls and sms as well. As far as tailored access, there is lots of speculation there, and they're well within their rights to hack servers outside of the US. I don't think any information as to what organizations they compromised has ever been revealed, but they certainly had the capability and it is only reasonable to presume they improved upon that capability. But they can have the capability and not choose to wield it, but really doesn't sound like their M.O.

> I don't think this really reflects what the previously leaked files suggest their main interests to be.

I strongly disagree. I wish i had the time to compile evidence to back that up but plenty exists if you look it up. Matter of fact, I recall some of NSA's leadership oppose things like backdooring encryption or apps because they don't need it, and it only hurts the nation's security.

monerozcash 2 days ago | parent [-]

> But even in 2010 lots of important traffic was over https, and anyone worth their salt used https for important things.

In 2010 almost all messaging traffic on the internet was plaintext (or using badly broken encryption). Telephony? Hah.

These days nobody even uses regular phone calls or SMS, except US-based android users.

> That was just icing on the cake, the main purpose as I understood was metadata mining, and not just the internet but phone calls and sms as well

Metadata mining was just the fallback when they absolutely couldn't legally capture the content, or were not able to do so for logistical reasons. If you hack China Mobile and get access to all the call content, you'll still have a hard time sending that to the US. Metadata? Much easier.

These days even metadata collection has been gimped, most of the interesting metadata is encrypted. When I text someone, the NSA can see an encrypted connection from my phone to Apple. They can not feasibly see who that message goes to. They might not even be able to tell that I sent a message at all.

> I don't think any information as to what organizations they compromised has ever been revealed, but they certainly had the capability and it is only reasonable to presume they improved upon that capability

TSB leaks include tons of such information. Snowden leaks include some specific cases too, like Gemalto. Although just for the sake of accuracy I'm not sure which of these are actually TAO and which are other similar teams inside the NSA, but as I recall at least the TSB stuff seems to primarily originate from TAO.

There have also been a bunch of public and non-public incidents attributed to the Equation group (almost certainly NSA TAO) by the private sector.

I think these capabilities were already so good a decade ago that it would be hard to significantly improve upon them, you just slap in new exploits and keep doing what you're doing.

>I strongly disagree. I wish i had the time to compile evidence to back that up but plenty exists if you look it up. Matter of fact, I recall some of NSA's leadership oppose things like backdooring encryption or apps because they don't need it, and it only hurts the nation's security.

I was trying to suggest that the NSA is mostly interested in spying on foreign governments and maybe sometimes catching terrorists, not exactly "they want to know who's downloading tails, who's using signal, who the source of some journalist is".

notepad0x90 2 days ago | parent [-]

Alright, well in the interest of a conclusion, I'll say that you made really good points, I've changed my opinion on some but not all of the topics.

> "they want to know who's downloading tails, who's using signal, who the source of some journalist is"

They don't care about random people doing those things, but if someone with a known terrorist cell association is in the US talking over signal. Or if someone is visiting extremist sites using tails, they'd want to know (and they can using metadata available today). They're not interested in home-grown terrorism or law enforcement, but all other matters of national security don't neatly fall into "foreign vs domestic" buckets. Even if it is all happening outside of the US, the servers Signal uses might be in the US for example.

monerozcash 2 days ago | parent [-]

Yeah, the specific capabilities and operations of intelligence agencies like the NSA are a topic I’ve spent far too much of my life obsessing about. Fortunately, mostly because I’ve been paid to do so, but I should really find better things to do with my free time than rehashing work stuff in HN comments.

I think we broadly agree on the details, and whatever differences remain are probably mostly attributable to us looking at the topic from slightly different angles. There's probably not much more we could usefully address on this topic via HN comments, so it is probably a good time to conclude :)

If the story behind the shadow brokers leaks is of interest to you, I dumped some details in a reply to a now-flagged thread. It's quite the rabbit hole if you want to dig into it, especially with the whole Hal Martin situation https://news.ycombinator.com/item?id=46186975

notepad0x90 a day ago | parent [-]

Agreed, enjoyed the discussion either way, and thanks for the OSINT rabbithole.