Documents obtained by hackers from the Italian spyware manufacturer Hacking Team confirm that the company sells its powerful surveillance technology to countries with dubious human rights records.
Internal emails and financial records show that in the past five years, Hacking Team’s Remote Control System software — which can infect a target’s computer or phone from afar and steal files, read emails, take photos and record conversations — has been sold to government agencies in Ethiopia, Bahrain, Egypt, Kazakhstan, Morocco, Russia, Saudi Arabia, Sudan, Azerbaijan and Turkey. An in-depth analysis of those documents by The Intercept shows Hacking Team’s leadership was, at turns, dismissive of concerns over human rights and privacy; exasperated at the bumbling and technical deficiency of some of its more controversial clients; and explicitly concerned about losing revenue if cut off from such clients.
Hacking Team has an unusually public profile for a purveyor of surreptitious technology, and it has drawn criticism because its malware has shown up on the computers of activists and journalists. Most of the countries identified in the leaked files have previously been connected to Hacking Team by human rights researchers working with computer forensics experts. The company has long denied any implication in human rights abuses, regularly pointing reporters to a policy on its website that says it only sells to governments, investigates allegations of human rights abuses and complies with international blacklists.
But the company has never confirmed its client list, nor has it given an example of an instance in which it cut off a customer because of human rights concerns.
Some 400 gigabytes of emails and documents released by hackers Sunday night show that while the company makes sure to sell only to government users, except in rare cases, the legal use of the technology is left up to those governments to determine.
The emails show that Hacking Team has relied on a biannual analysis of the countries it can legally sell to, conducted by a global law firm, Bird & Bird. The reports, going back to at least 2013, analyze the current restrictions in Italian law under which Hacking Team would be barred from selling its software, Remote Control System, or RCS.
The reports note countries currently under sanctions, and also summarize the concerns of international human rights groups — “not entailing any legal assessment on our part” — for many of Hacking Team’s clients.
Occasionally, the company asks for specific review — in 2013, for example, it asked Bird & Bird to review Bahrain, which has been consistently criticized for human rights offenses since pro-democracy protests began there in 2011. The report found that there were no set restrictions under Italian or international law that would limit exports of RCS to Bahrain. However, it noted that human rights groups and the European Union had, on multiple occasions, observed “policies and actions in violation of human rights and in particular violations of freedom of expression and association.”
Previous research identified Bahrain as using software made by one of Hacking Team’s prime competitors, FinFisher, to go after Arab Spring activists. When those allegations surfaced in 2012 and FinFisher was in the hot seat, Hacking Team’s account manager sent around the link with a smiley face: “rumor has it, there’s an opportunity in Bahrain…” Indeed, Bahrain’s Ministry of Defense bought RCS in 2013, and remained a client in 2015. The company also appears to have been in talks with the country’s intelligence agency, in partnership with another surveillance tech provider, the U.S.-Israeli company Nice Systems.
The emails and reports confirm that the company avoids selling to countries under sanction, but is always evaluating possibilities. In a May email, CEO and co-founder David Vincenzetti writes of a potential deal in Libya: “I’m skeptical, it’s a failed state, we can ask for authorization but I really don’t know if it is a blacklisted country.”
Syria, he notes in another email, is one place Hacking Team should break its habit of not commenting on clientele. “Syria is the most vicious, visible and known by the public example of a dictator committing a protracted never ending manslaughter using ignoble tools,” Vincenzetti commented. Nonetheless, emails show that in 2011, before the uprising against Bashar Al-Assad began, the company was still looking for business there.
“The Syrian person from Lattakia telephoned me and I explained our product a bit,” wrote Mostapha Maana, Hacking Team’s account manager for the Middle East, in Italian in April 2011. “He told me that the situation in Syria is calm and advised me to go and see him this week. He said that the product could be very interesting especially after the mess that’s happened lately.”
The company’s first concern when human rights concerns emerge in the press is to reassure others that the technology’s effectiveness has not been affected by the exposure. Hacking Team generally seems to view legal frameworks for the products’ use as the responsibility of the government client. One executive noted that a speech on legal issues would go over well in “Washington or Prague, but I don’t think Arab clients take care of legal issues in using our product.”
On a mailing list that Vincenzetti maintains — commenting on foreign affairs and sharing generally right-wing and hawkish angles on Russia, China and technology news — he refers to privacy advocates and journalists as “ideological hardliners.”
In an email to colleagues responding to a Slate piece last year on spyware, Vincenzetti lamented that “the ‘protect privacy, at_any_cost’ theme is somehow dominant today.”
For “activists working for no-profit organizations … directing their efforts towards small, possibly foreign, technology companies is easy; directing their efforts toward local agencies is hard and risky,” he wrote in another email. “I have a question for you all: PLEASE NAME a single really ‘democratic’ country, a country which does not violate anybody’s rights and has a TOTALLY clean human rights record.”
The emails detail the company’s response to some high-profile allegations of wrongdoing, a few of which are laid out below.
In the summer of 2013, Wired reported that an American citizen had been targeted by what appeared to be Hacking Team software linked to Turkey. At the time, Hacking Team’s U.S. spokesperson Eric Rabe declined to comment on the company’s relationship with Turkish authorities, but in an internal email, the company’s executives discussed meeting with Turkish authorities at a trade show to discuss the allegations.
“The result: no cooperation at all. They categorically deny any involvement in the case. I told our people to insist and to explain them that such media exposures are not beneficial for anybody,” Vincenzetti wrote. “All options are on the table, that is, we could well decide to stop supporting them.”
Vincenzetti does not specify which agency is the client, but the Turkish client in Hacking Team’s records for that year is the Turkish National Police. (Internal emails also show that “Kamel Abed,” whose name had appeared on various appearances of malware, was indeed a name invented by Hacking Team.)
Another email discusses plans to meet with the client in Milan and discuss the incident. Whatever scolding occurred in that meeting, Turkish National Police remained a Hacking Team client as of this year.
Last year, researchers with the Citizen Lab at the University of Toronto identified traces of Hacking Team spyware on the computers of Ethiopian journalists living in Northern Virginia. Ethiopia’s government is ranked as one of the worst in Africa for press freedom, and regularly targets journalists under anti-terrorism laws.
The researchers believed that the journalists, who worked for Ethiopian Satellite Television (ESAT) — a network run largely by expatriates and seen as close to opposition parties — had been attacked by Ethiopia’s Information Network Security Agency, or INSA. (The Citizen Lab researchers included Morgan Marquis-Boire, First Look Media’s director of security and co-author of this article.) At the time, the Ethiopian government’s spokesperson in Washington denied using Hacking Team’s products, telling the Washington Post that Ethiopia “did not use and has no reason at all to use any spyware or other products provided by Hacking Team or any other vendor inside or outside of Ethiopia.”
Then last March, Citizen Lab again published evidence of Hacking Team’s malware, this time in an attachment to an email sent to Neamin Zeleke, ESAT’s managing director. The Ethiopian spokesperson said the country “acts in compliance with its own laws and with the laws of nations.”
Hacking Team refused to confirm its clients but repeated that the company investigated alleged human rights abuses. However, Rabe told the Washington Post, “It can be quite difficult to determine facts, particularly since we do not operate surveillance systems in the field for our clients.”
Emails and internal records clearly show that the incident set off a debate within the company about whether the bad press and potential exposure of Hacking Team technology was worth it.
“[Citizen Lab] found the source of the attack because these geniuses used the same email address they had used in the previous attack to send the doc with the exploit,” the chief technical author wrote in Italian, referring to the Ethiopian clients. Vincenzetti ordered them to temporarily suspend the account.
But the follow-up investigation appears to have consisted of a terse email to their INSA contact stating, “would you please give a detailed explanation regarding the following allegations?” with links to reports.
INSA’s representative replied that Zeleke was targeted as a member of Ginbot7, an opposition political party that the Ethiopian government declared a terrorist group in 2011. “To us, Nemene Zeleke is one of the top leaders of a terrorist organization, not a journalist,” the INSA agent wrote.
Hacking Team seemed placated, but still irritated. Chief Operating Officer Giancarlo Russo wrote to other executives that it “seems that from a legal point of view they are compliant with their own law.”
Rabe, meanwhile, argued that “the issue is their incompetent use of HT tools. They can argue about whether their target was a justified target or not, but their use of the tool several times from the same email address, and in repeatedly targeting and failing to get access is what caused the exposure of our technology.” (Indeed, emails to Hacking Team’s support system show clients complaining about the leak.)
Daniele Milan, Hacking Team’s operations chief, weighed in favor of closing the account, saying that INSA’s “reckless and clumsy usage of our solution caused us enough damage.”
“But I know that 700k is a relevant sum,” he adds in Italian in another email.
The executives eventually decided to reinstate Ethiopia’s license. In May, after a few weeks’ back-and-forth, the company proposed a new contract with more on-the-ground training and supervision — “additional services” that a business development executive noted could add hundreds of thousands of euros to the country’s bill.
Hacking Team emerged in the international press in 2012, when a fake document was used to implant malware on the computers of journalists who were critical of Morocco’s government, at the time facing protests inspired by the Arab Spring. Activists and researchers have long suspected the malware originated with Hacking Team and have continued to work to link the attack to Remote Control System. Just this month, researchers traced malware to IP addresses associated with the Conseil Supérieur de la Défense Nationale, or CSDN, described as a council of Morocco’s various security agencies. (Marquis-Boire was involved in that research.)
As usual, Hacking Team publicly declined to name its clients. The Moroccan government has protested the spying allegations loudly, even filing a lawsuit this spring against activists who prepared a report recounting first-hand experiences of the journalists and activists who had been targeted.
Company emails and business records show that Hacking Team has indeed been selling to the Moroccan government at least since 2010, and still does, using a company called Al Fahad Smart Systems, based in the United Arab Emirates, as a middleman. The invoices reference CSDN as well as the domestic spy agency Direction Générale de la Surveillance du Territoire, or DST. In April of this year, the company was pitching its services to the Royal Moroccan Gendarmerie.
There is no apparent record that the company asked its Moroccan clients about targeting journalists or opposition. When the story about Moroccan journalists first broke in 2012, internal emails among executives stressed that the articles did not definitively show it was Hacking Team’s malware.
Morocco continues to be an important client. Vincenzetti recently sent around a Financial Times article headlined, “Spectre of ISIS used to erode rights in Morocco,” with the comment, “NOT REALLY.”
“The King of Morocco is a benevolent monarch,” Vincenzetti wrote in the email to a few colleagues. “Morocco is actually the most pro-Western Arab country, national security initiatives are solely needed in order to tighten stability.”
In June 2014, a U.N. panel monitoring the implementation of sanctions on Sudan began asking Hacking Team for information about alleged sales to the government there. Hacking Team ignored the panel’s letter for months. Eventually, in January of this year, when prodded about the inquiry by Italian authorities, Hacking Team embarked on a campaign of evasion.
Internal records show that in 2012, Sudan’s National Intelligence and Security Service in Khartoum paid a total of 960,000 euros for Remote Control System. Emails confirm that Hacking Team cut off the account’s service on November 24, 2014.
During a training session for the Sudan intelligence service in January 2014, a Hacking Team engineer noted that none of the people attending the training “is enough prepared for the product usage. The main problem is the lack of basic computer usage, followed by a complete lack of English: 90% of them had problems just for typing a username on a keyboard and serious difficulties in moving the mouse.”
In November, Russo wrote that Sudan was “unofficially suspended, on-hold.”
“We’re discussing with the [Italian] ministry the limitations on exports to various countries and this is the most sensitive at the moment,” he wrote.
In response to the United Nations panel, the company responded this January that they were not currently selling to Sudan. In a follow-up exchange, Hacking Team asserted that their product was not controlled as a weapon, and so the request was out of the scope of the panel. There was no need for them to disclose previous sales, which they considered confidential business information.
In internal emails, the company debates the mission of the panel. “It looks like their focus is to trace every single armament,” wrote Russo, the chief operating officer. “We absolutely need to avoid being mentioned in these documents.”
A lawyer consulting for Hacking Team insisted that they should argue that the panel had no jurisdiction over them. “If one sells sandwiches to Sudan, he is not subject, as far as my knowledge goes, to the law,” she wrote. “HT should be treated like a sandwich vendor.”
The U.N. disagreed. “The view of the panel is that as such software is ideally suited to support military electronic intelligence (ELINT) operations it may potentially fall under the category of ‘military … equipment’ or ‘assistance’ related to prohibited items,” the secretary wrote in March. “Thus its potential use in targeting any of the belligerents in the Darfur conflict is of interest to the Panel.”
Negotiations with Italian authorities were ongoing throughout the spring, with the U.N. proposing to sign a confidentiality agreement, but by early June, the last emails available, the standoff did not appear to have been resolved.
Last fall, the Italian government abruptly froze all of Hacking Team’s exports, citing human rights concerns. After lobbying Italian officials, the company eventually won back the right to sell its products abroad. But emails connected to the incident show that the company’s reputation for sales to sketchy places has harmed its business, even before this latest leak.
The document, from the Ministry of Economic Development, does not specify a source or specific countries, but states that the ministry had information about Hacking Team’s “possible uses concerning internal repression and violations of human rights.” As a result, it was applying a “catch-all” provision of an export law to block Hacking Team’s products.
Hacking Team quickly deployed all of its top government connections — Italian clientele, internal records show, including the Carabinieri, or military police, and the prime minister’s office — to lobby against the order. They brought pressure to bear from investors and funders, including Milan’s regional government.
The export hold could quickly destroy the company, CEO Vincenzetti warned in an email to Russo, the chief operating officer. “We have about two million in funds, we ‘burn’ about 500k a month. We would need the money for liquidation, not bankruptcy.” Customers could sue for breach of contract, and as the principal individual shareholder, with about 32 percent of the company, his personal assets would be on the line, Vincenzetti wrote.
The company composed two letters that Vincenzetti sent around to influential contacts, “one version more polite, and one a bit more ‘from the gut,’” as one employee described them.
“With determination and perseverance, I have always served the country, and I am certain that my company could be called a flower in the buttonhole of Italy,” Vincenzetti wrote. “I never would expect that our work could be considered somehow suspect; I would never have believed I’d have to explain to 40 employees — who every day deepen their efforts to improve our software, proud to be able to contribute in their own small way to the fight against criminality — that that same country considers their efforts, in sum, lowly instruments of potential danger to the country.”
Emails detail meetings with top military officials, who intervened with the Ministry of Economic Development. The company would soon be regulated under new European Union rules for the Wassenaar Arrangement, an international export-control framework that labels intrusion software like Hacking Team’s as a “dual-use” product, or one that can be put to both military and civil aims. In November, the order was revoked, and negotiations began to give Hacking Team a one-time “global license” for exports to countries that had signed on to the arrangement, rather than the deal-by-deal approvals that the Italian authorities originally proposed.
In the heat of the negotiations, Vincenzetti railed against bureaucrats, activists and others in emotional missives to executives and business confidantes.
“Those who are destroying our company are half men, they are cowards, they are blind, they don’t even live a real life,” he wrote. He suggested the mafia might even be behind the Italian government’s actions. But, he said, “they’ll have to physically kill me to stop me.”
Correction: A sentence in this story originally made erroneous reference to “South Sudan” as a Hacking Team spyware client. The client, in fact, was the Republic of Sudan, sometimes referred to as “North Sudan.” Jul 9, 10:25 am ET
Dual standards, yay!
http://arstechnica.com/security/2015/07/hacking-team-orchestrated-brazen-bgp-hack-to-hijack-ips-it-didnt-own/
Here’s Morgan’s New Engadget Piece…
http://www.engadget.com/2015/07/09/how-spyware-peddler-hacking-team-was-publicly-dismantled/
Just going to ping this subject again! :)
Useful Idiots
08 Jul 2015 at 1:24 pm
http://www.pcmag.com/article2/0,2817,2487369,00.asp
The response time for patching the previously 0-day Flash vulnerability that HT was using is unusually suggestive to me… almost as if they already knew about the bug and had the patch ready to roll out?
Thanks very much for the update, I’m much relieved.
So, to sum up, an extremely powerful cyber-weapon is now loose on the internet, able to be compiled and employed by any criminal actor or rogue state. We’re going to see this weapon turned against the very people who presumed to use it against us, but we will also see it used against us by very bad people…
Right…it’s almost like Hacking Team shouldn’t have been developing and deploying it to every corner of the globe, isn’t it?
https://www.muckrock.com/news/archives/2015/jun/23/cia-can-give-specialized-equipment-other-agencies-/
Under EO 12333, the CIA may provide “specialized equipment, technical knowledge, or assistance of expert personnel” to other federal agencies. In emergency cases when lives are endangered, the order authorizes the CIA to give the same assistance to local law enforcement agencies.
As a public executive order, the text of EO 12333 has been public since its signing. But the order requires intelligence agencies to develop more specific implementation procedures, which are approved by the Attorney General. Until their release under the FOIA lawsuit, the CIA’s implementation procedures for EO 12333 remained secret.
first time i’ve been able to post on this story…
https://www.aclu.org/blog/speak-freely/new-docs-raise-questions-about-cia-spying-here-home
A key CIA regulation — titled “AR 2-2” — governs the conduct of the CIA’s activities, which include domestic intelligence collection. AR 2-2, which has never been publicly released before, includes rules governing a wide range of activities, including surveillance of U.S. persons, human experimentation, contracts with academic institutions, relations with journalists and staff of U.S. news media, and relations with clergy and missionaries.
http://arstechnica.com/security/2015/07/massive-leak-reveals-hacking-teams-most-private-moments-in-messy-detail/
“Security researchers have also scoured leaked Hacking Team source code for suspicious behavior. Among the findings, the embedding of references to CHILD PORN CODE related to the Galileo.”
https://cdn.arstechnica.net/wp-content/uploads/2015/07/hacking-team-code.png
Holy crap. They were planting kid porn on people.
Great article/post/reporting.
Time to review once again:
Trovicor — Germany
Hacking Team — Italy
Gamma Group — UK
Amesys — France
Blue Coat Systems — US
http://www.projectpact.eu/privacy-security-research-paper-series/%231_Privacy_and_Security_Research_Paper_Series.pdf
WaPoo is reporting this:
It would be ironic if some real hackers started oppressing HackingTeam.
Wow. All United Airlines flights grounded. NYSE stopped trading in all securities. It’s shaping up to be a bona fide “Fire Sale”, as one of those Die Hard movies put it.
My guess is that government-sponsored companies paying huge bounties for zero-day exploits so they can use them in privatized spy operations instead of reporting them isn’t actually turning out to be such a great security model for the world after all. Who knew!
The quote “I have a question for you all: PLEASE NAME a single really ‘democratic’ country, a country which does not violate anybody’s rights and has a TOTALLY clean human rights record.”
SAYS it all!
It’s time for all “democratic” countries to have an Arab spring.
“destroying our company”
now that’s real professionalism in communications. well done!
.~.
Thank you to the authors of these three pieces on Hacking Team and their cronies. I find Vincenzetti and his cohorts absolutely sickening. They have no consciences, none whatsoever.
“After lobbying Italian officials, the company eventually won back the right to sell its products abroad. But emails connected to the incident show that the company’s reputation for sales to sketchy places has harmed its business, even before this latest leak.” Also, considering the blurb Christian C. Holmer posted, all I can say is that if they close up shop, good riddance. I also hope that other reprehensible businesses also are forced to stop selling their perverted, intrusive products.
Wake up folks!!!
“Fascism should more appropriately be called Corporatism because it is a merger of state and corporate power.”
Benito Mussolini
Time to start removing the corporate Congress from office & defunding the NSA & the Police Surveillance state, to pre 9-11 levels & force them to comply with the law & impose jail time for non compliance under USC Title 18 Sec. 241 & 242 (Google it) .
Disclaimer: Be advised it is possible that this communication is being monitored by the National Security Agency or GCHQ. I neither condone nor support any such policy, by any Government authority that does not comply, as stipulated by the 4th Amendment of the U.S. Constitution.
The Constitution is a thing of the past. ..
Cora, Morgan,
May I have the link to the evidence on South Sudan please? CitizensLab only shows Sudan, and your article likewise features Sudan, and your links appear to be manuals. Let me know if you want me to email you for it.
I suspect that was just an inadvertent error, probably a result of them trying to get this article out fast. I didn’t see any other references to South Sudan, only Sudan, in either the article (other than that one in the listing which didn’t include Sudan, which is the big hint it was just a mistake), or the documents on the server themselves. NISS isn’t fairies and posies either though..
(although, and I’m not trying to be antagonistic, it’s probably not unreasonable to wonder if the NISS wasn’t using this at times against people not in Sudan?)
You do realize that because there are both border disputes and proxies in conflict between the two Sudans, that asserting Sudan in one place and South Sudan in another implies that the software is being sold to both sides of an armed conflict? In any case, if it’s a typo, it should be corrected, if not, I’d like the reference.
It’s Sudan, as the UN is worried about Darfur.
And the UN is not worried about the South Sudan civil war?
It’s just Sudan (I double-checked the document sources), but also I do. I think the mistake might be in thinking that HT is the only ‘company’ that ‘offers’ these ‘solutions’, although I am actually pretty sure you have enough of a clue, from what I’ve read of your comments, to know that it’s not — and even if it were one of only a few, there are so many other ways for the other side to be doing the same thing (in-house or via open-source solutions available via exploit-db and/or packetstorm, various toolsites, and their ilk), that it’s virtually guaranteed they’re both doing this to one another, under some guise or another. Which doesn’t make any of it okay, just probably inevitable. Honestly I think if both HAD been customers that might have actually worked MORE in HT’s favour (not that anything could make what they do less excruciatingly nasty (and their code ain’t pretty either)).
Generally if a technology is being pushed, one shouldn’t care who is using it. If you do care, then chances are probably nobody should be using it. Of course someone always will though, as long as it exists. The problem is so multipronged, though, that it can’t even be put down to selling stuff like this for money. People make it, people enjoy the challenge, people enjoy the profit, and someone will always want it (even if they have to learn how to do it themselves). Seems to me it’s a genie bottle issue. Or more accurately a technological Pandora’s box. And this even though I consider myself a scientist and ‘do’ technology.
tl; dr: While HT may not have been selling something to S. Sudan, chances are if NISS was using something, so was S. Sudan’s ‘security agencies’ and if they weren’t, you’d better believe they would’ve been trying to. And there’s always going to be someone willing to do it, whether they go local or buy it from a company in Italy. Maybe that’s what we need to focus on (and I don’t mean via Wassenaar, which imho is just another way to help enable a global police state-level power imbalance).
Sorry, bit all over the place, just doing a bit of a brain dump on the subject.
Even more reason why the authors should change it if it is a mistake. They are quite literally accusing a sovereign state of a crime they aren’t committing, and that just feels very dangerous when people are dying in war there. It may be a lot of fun to mock President Reagan for confusing Mauritius with Mauritania (it really was a lot of fun) but Mauritius and Mauritania weren’t in a permanent state of war with each other and with themselves.
The world has forgotten the Sudan both north and south, and people are dying without dignity and without memory as a result. Tens of thousands of people. World War II gave the world a bias towards abhorring atrocities of commission. Central Africa increasingly seems like a crime of omission by the PTB including the media and new media. With funding for an impending famine in S.Sudan at 13% and rationing already in place, an atrocity of omission is in progress. And I’m using that word knowing that you’d rather use it sparingly. The ICG published earlier this year that while the world fixated on Gaza, on Syria, on #Bringbackourgirls, between 50,000 and 100,000+ people died in a war nobody was covering with the count unknown because the war was literally so brutal people abandoned their dead without counting them. Among the violence the press did cover, not even in Syria was the death toll so high so fast, making it the most brutal war in 2014.
I have nothing much to say to that, as I feel you’re mostly spot-on. I will slightly contend that calling things crimes of omission suggests a desire for impeachment of sovereignty and intervention that I generally have a hard time with, on principle, largely because I have a difficult time believing NATO or the US (and that’s generally who most Westerners would assume ought be involved and most non-Westerners assume Westerners* mean when they say intervention is called for) can really ‘intervene’ in anything without their own interests winding up being the real intervention, and breaking down native structures, business and culture, most of the time. But maybe I’m misunderstanding your intentions, and if I am, then I apologise.
[On an unrelated side note… Interesting. You really *have* read my comments, if you remember that comment I made about the use of the word ‘atrocity’. I’ll take that as a compliment. I pay attention to your comments as well. ;)]
[* I am using Westerners here to include pretty much anybody that is in any of the *-eyes and a few others that aren’t, generally about 50 or so countries, and not ‘Eastern culture v Western culture’ (I’d put some Asians in this category, for instance). It’s probably an overly fuzzy usage, but it’s an easier shortcut to use it than attempting to delineate what I really mean. I wish I had a better word for what I do mean though; anything I come up with doesn’t sound right to me, even ‘Westerners’].
(And yes, I absolutely agree they should fix it in the story; it’s somewhat bothersome in a journalistic sense that they haven’t. Sometimes I find myself wondering whether the story authors actually read the comment sections of their own articles; your comment wasn’t even nested or late.)
nb, I don’t think I outright came out and said I consider what HT does as repulsive… mostly because they’re not the good guys and they seem to believe they are. Frankly they’re no better or worse, technologically, than someone that considers themselves a ‘blackhat’ selling malware. The difference is the latter knows what they’re doing and generally acknowledges it. What always bothers me more is when people/places like this label themselves ‘the good guys’ and think there’s a positive differentiation in their favour.
BTW, just replied to your XKS reply: https://firstlook.org/theintercept/2015/07/02/look-under-hood-xkeyscore/#comment-146361
We’ve corrected the reference to South Sudan, thanks for the heads up.
I am putting this out - would like to see if anyone can decrypt this. It appeared in today’s NY Times comment section on the Data Security Report. I am leaving the name and town of the person out, the rest of the letter is verbatim as it appeared. (You could go to NY Times and find the name etc., but I ask you do not.)
“There are cryptographic systems that are *provably* unbreakable by *any* entity. Use one of those. Problem solved. Don’t believe me? Here is my name, SSN, DOB, current address, phone number, bank routing and account number, and mother’s maiden name. Good luck:
5177253a543542763b2a2e5a2c465f437b532a292f7d2d2f477e4b744858
437573515954246361753e54423b3d3d59657d6b5f345424323a47422841
74712d47276a61237b4729403870384e3c5174514a40243b217338742346
53776616e363e4e256a0a ”
As I was typing I was thinking maybe this was a hoax. However, anybody out there think it may not be? I would really like to see if what he states is true. Please note I am new to this arena of cyber world and want to learn more. So for me this is and would be a learning experience. Let me know…
AFAIK, the only *provably* unbreakable by *any* entity cipher is a one time pad. If that’s what it is, he’s or’d his information with a 4096 bit random number, and therefore guessing the random number is the only key. But since it is random, guessing some other random number can equally produce somebody else’s name, SSN, DOB, current address, phone number, bank routing and account number, and mother’s maiden name, or not. In fact for some guesses, what you will get starts with, “Friends, Romans, Countrymen, lend me your ears,” followed by your neighbor’s aunt’s maiden name and then Lloyd Blankfein’s bank routing number.
It’s basically monkeys with typewriters when somebody uses such a cipher.
It’s also not practical unless you have a courier who can carry the random number to the recipient.
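The argument in the comment above can be run as code. This is an added example, not part of the original thread; it assumes the pad is applied with XOR, and the sample plaintexts and function names are constructed for illustration. For any ciphertext, a key exists that "decrypts" it to any same-length text, and over all keys every plaintext appears exactly once.

```python
import secrets
from collections import Counter
from itertools import product

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the one-time-pad operation assumed here)."""
    if len(a) != len(b):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def otp_encrypt(plaintext: bytes) -> tuple[bytes, bytes]:
    """Encrypt with a fresh random key; returns (key, ciphertext)."""
    key = secrets.token_bytes(len(plaintext))
    return key, xor_bytes(plaintext, key)

def key_explaining(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """The key under which `ciphertext` decrypts to `claimed_plaintext`."""
    return xor_bytes(ciphertext, claimed_plaintext)

def plaintext_counts(ciphertext: bytes) -> Counter:
    """Decrypt under every possible key (feasible only for tiny messages)."""
    keys = product(range(256), repeat=len(ciphertext))
    return Counter(xor_bytes(ciphertext, bytes(k)) for k in keys)

# Constructed sample data: a fake record and an unrelated decoy of equal length.
REAL = b"SSN 000-00-0000, DOB 1970-01-01"
DECOY = b"Friends, Romans, Countrymen, lend me your ears"[:len(REAL)]

def demo() -> tuple[bytes, bytes]:
    """Decrypt one ciphertext with the true key and with a key built for the decoy."""
    key, ciphertext = otp_encrypt(REAL)
    decoy_key = key_explaining(ciphertext, DECOY)
    return xor_bytes(ciphertext, key), xor_bytes(ciphertext, decoy_key)

if __name__ == "__main__":
    real, decoy = demo()
    print(real)   # the genuine record
    print(decoy)  # an equally valid "decryption" of the same ciphertext
    counts = plaintext_counts(b"\x51\x77")
    print(len(counts), set(counts.values()))  # every 2-byte plaintext, once each
```

An attacker holding only the ciphertext cannot tell the two decryptions apart, which is why guessing keys yields no information as long as the key is random, as long as the message, and never reused.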
True, OTP is demonstrably unbreakable, provided the key is random. But strong non-OTP asymmetric as well as non-asymmetric cryptography, although theoretically breakable, requires thousands of universe lives to achieve the tiniest of probabilities of cracking the key. That is, if the crypto is properly implemented (e.g. no backdoors, i.e. open source). So unless the NSA has a quantum computer, it cannot break Tor, TrueCrypt, dm-crypt/LUKS. Actually the Snowden leaks seem to corroborate just that.
I’m going to make this comment even though I’ve made it before: The NSA has so many mathematicians and computer scientists working in their universe that they can open source their crypto-technology internally many times better than people doing such technology on the outside. Just keep that in mind.
Agreed. And I think people vastly underestimate their capabilities when it comes to crypto. If (I believe it was anon) hadn’t mentioned ‘random’ as part of the OTP I’d have had to object, but I’d like to add — not just random but *long*.
Incidentally, in regards to underestimating capabilities: ECC.
Not really precisely on-topic but wrt internal open-sourcing there’s another benefit to it, for the NSA: Once you’ve been ‘in’ the ‘in-group’, you’re almost certainly always going to value having been in the ‘in-group’ when it comes to that level of access (and to be jealous of it if you’re not). Being an elite among a group of elites does a whole heck of a lot to solidify long-term loyalty, and that absolutely works in their favour when it comes to getting the best of the best. I don’t think that’s an accident. Endless resources, challenges, competition, access to great minds: not easy to find for a cryptographer not willing to get into bed with the feds.
More on Hacking Team
https://www.schneier.com/blog/archives/2015/07/more_on_hacking_1.html
HACKING TEAM CRISIS PROCEDURES
Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team’s “crisis procedure,” it could have killed their operations remotely. The company, in fact, has “a backdoor” into every customer’s software, giving it ability to suspend it or shut it down — something that even customers aren’t told about.
To make matters worse, every copy of Hacking Team’s Galileo software is watermarked, according to the source, which means Hacking Team, and now everyone with access to this data dump, can find out who operates it and who they’re targeting with it.
It’s one thing to have dissatisfied customers. It’s another to have dissatisfied customers with death squads. I don’t think the company is going to survive this.
Tags: breaches, cyberweapons, hacking, malware, privacy, surveillance
Posted on July 7, 2015 at 5:30 PM
THIS is one of the most nuisance files in the Windows operating system. God help you if anyone is able to tweak it in your system. ClamAV always marks it up as a virus.
There have been some hardware modifications in laptops during the past several years that have reduced the users’ ability to control their hardware. Earlier the wifi, microphones and speakers could be switched on or off by sliding hard switches. Now they are controlled by the function keys that may or may not actually do their job or may be easily overridden by software commands. In fact, the microphone doesn’t even have a function key to switch it off! Manufacturers of laptops must get back to providing hard switches to peripheral devices for better user safety. Linux users can of course mess around with files in the /dev/ directory to confuse the terrorists and other people trying to hack into their systems.
Those switches better have an LED to show that they are really off … otherwise, how would you know if the switch works? How’d you make General? Gotta think these things all the way through, you know …
LEDs can be tweaked. In fact, the camera can be easily switched on with the LED suppressed. I use Johnson’s Band-aid on the camera as it has a pretty good glue that lasts for a month.
Electrical tape (black) is better (and less visually distracting — plus bandaids might show ambient light levels (pedantic)). Use a little piece of paper on the bit that covers the lens. Or get a black Sharpie and cut out a piece of only the sticky part of a Post-It note having covered it with black sharpie if you use the camera often (a better solution if your computer happens to get overheated a lot, since the glue from a band-aid and electrical tape will leave more of a residue if the machine gets hot).
Are you saying the red LED might be faked? What. Is. This. World. Coming 2?
(I use duct tape)
Usually the internal and external mics and speakers are on different circuits, and the externals will only work with an external mic/headphones/speaker plugged in. For the cautious it’s a better choice to probably just ask a talented techie to remove or disable the internal connectors. This is all assuming a laptop. A desktop is easier (you can just remove the soundcard assuming it’s not onboard).
I’m sure “Hacking Team” have no idea on how to set up a server.
You see what they want you to see.
You hear what they want you to hear.
Oh Anonymous you are so Anonymous …
A flower in the butt-hole of Italy, indeed
That deserves a chuckle.
If sharp sophisticated technically competent companies can be hacked what chance do any of us have?? Digital communication simply can’t be made safe and encryption that might work is so complicated hardly anyone can use it properly. No matter how much you like digital socializing and communicating with your mother or watching movies, the internet is primarily a tool of control over us all by authoritarian government. The internet is not our friend nor is using it good for us in any way.
Secure communication is entirely possible; it just needs time and enough support. Current OSs such as Windows and Linux will always struggle to achieve real security, but “capability”-based systems like seL4 could be used to create rock-solid secure systems, in which the only weak points are the human users.
The “capability” model has been round for decades, but remained obscure because people just weren’t motivated enough about security. –Until now?
Part of the problem is the reliance on software that 99.9% of us are basically incapable of understanding. I for one would never trust a piece of software that I did not have a hand in designing and coding. But all is not lost. Really secure – NSA proof – communication is possible using relatively straightforward encryption techniques that use one time pads, together with good communications security discipline (keeping the messages short). The key to security in such a system is the secure interchange of the keys, something that is possible only by physically placing the material in the hands of the recipient. That, of course, limits its utility.
The Ghost in the machine needs ghostbusters.
The Intercept and others are busting the players.
I view it stated that everything I have and do on my computer is seen by the spooks.
I now keep an inked journal.
Great job!! You guys are freaking awesome!!
There must be some control on the software that government agencies install in their machines. They have a lot of personal information, and by installing unverified and untested programs they expose that information to other hackers. If they need information they should contact NSA. I don’t see this as a big crime against the Constitution, but this is definitely a criminal behaviour as far as safeguarding the country is concerned. Imagine the situation if Navy Seals are allowed to wear suicide vests on their own or carry head-cutting tools in their pockets. The same situation is happening allowing law enforcement to buy their own commercial software. Director NSA must immediately impound all the computers containing such illegal software and jail the persons responsible.
In 2011 Hacking Team praised their Remote Control System as a useful spying tool to fight the “war of the future” against potential terrorists who “organize themselves through the cyberspace”.
https://machtelite.wordpress.com/2015/07/06/hacking-team-the-war-of-the-future-promotion-video-2011/
Now that we know their clients, it’s pretty obvious that RCS is in fact a tool that helps repressive regimes terrorize their own people.
It helps any regime (or non-regime) terrorize its people. It has no cognizance of ‘repressive’ or not, and it has no consideration for semantic differences.