Jacob Appelbaum's must-watch 30C3 talk: why NSA spying affects you, no matter who you are

Sunday's Snowden leaks detailing the Tailored Access Operations group -- the NSA's exploit-farming, computer-attacking "plumbers" -- and the ANT catalog of attacks on common computer equipment and software were accompanied by a lecture by Jacob Appelbaum at the 30th Chaos Communications Congress. I have seen Jake speak many times, but this talk is extraordinary, even by his standards, and should be watched by anyone who's said, "Well, they're probably not spying on me, personally;" or "What's the big deal about spies figuring out how to attack computers used by bad guys?" or "It's OK if spies discover back-doors and keep them secret, because no one else will ever find them."

Nominally, Jake's talk is about the details of the spying tools developed by the NSA, but it goes well beyond that. The meat of the talk is his analysis of the legal framework under which these tools are developed and of their consequences for the wider world.

The development and hoarding of vulnerabilities in widely used systems represents a risk to everyone who relies on those systems -- not just the people the NSA wants to spy on. Even if you trust the NSA, you need to know that every bug the NSA keeps secret is a bug that might be independently discovered by another agency you don't trust -- or a criminal group -- and used to attack you. Not because you're a special target, but because an untargeted attack aimed at the whole Internet happens upon you and turns your computer into something that spies on you to sexually exploit you, or cleans out your bank account, or just sells off all your World of Warcraft stuff.

To drive home this point, Jake details a secret NSA exploit from its catalog, and points out that another speaker at 30C3 had independently discovered that same exploit and disclosed it at the same event. The lesson: anything the NSA discovers and doesn't get patched will be discovered by someone else and exploited.

Jake discloses the way the NSA determines which targets are fair game for deeper scrutiny, including having your mobile phone in close proximity to an existing target, like Jake himself. To drive home the point, he switches on his phone and says, "Right, anyone whose phone is on now is on the list now."

Beyond the political and technical messages, Jake's speech is great for the details of the spycraft disclosed in it -- the fact that iPhones are completely compromised and can be successfully attacked 100 percent of the time (Jake suspects that this suggests collaboration on the part of Apple), the fact that Wi-Fi can be intercepted and compromised from eight miles away, and that the NSA might use drones against Wi-Fi.

30c3: To Protect And Infect

Notable Replies

  1. Saw part two yesterday and, Jesus H. C., with all the revealed things it makes it pretty obvious that the paranoid weren't so. Cory, I'm sure you are within a few hops of Appelbaum; have you checked your firmwares?

  2. nofare says:

    What the information imparted by Appelbaum drives home is the fact that the NSA can compromise individual as well as telco level systems in multiple ways. A must watch. Utterly mind boggling.

  3. achbed says:

    Not "can". Does. In a drive-by fashion. To the entire Internet. If you're using Yahoo, you've been exploited. If you use CNN for news, you've been exploited. These are the only ones he mentioned, and they're not even "tasked" (ie, specific) targets. So imagine what other sites they're doing these attacks on. And the result of these attacks is the world's largest botnet. Not to mention that they have owned botnet C&C servers as well, but have made sure not to shut them down. They really are prepping to create a digital nuclear war with China and Russia (who are doing the same things).

  4. I'm sure this is gripping, convincing "required viewing"... For approximately .07% of the population. It's virtually Greek to everyone else.

    I exaggerate, a bit. I'm sure the percentage of people capable of understanding an endless stream of acronyms and insider programming jokes is closer to the percentages of say, Kinsey Scale 6s or full-blown alcoholics in the general population (maybe 10 -- 13%). My point is that most of us will have to wait for the zippy, "plain English" Upworthy-type video before this information is very helpful. I'm not saying it isn't important, just that it isn't digestible.

    The irony is that people like me -- relative illiterates -- are probably less likely to be shocked by these revelations. We don't understand the processes all that well, so we've never labored under a false sense of superior knowledge or infallibility. For instance, I never bothered with struggling to keep my Facebook profile "secure." I knew going in that I couldn't keep up with the endless changes, or anticipate the next way the site would (obviously) be misusing my personal info. While watching the video, I amused myself with the conceit that the one audience member who kept claiming to be unsurprised was really just some dummy like me, who had wandered into the wrong conference room.

  5. nonfer says:

    At just over an hour it is a commitment. Personally I looked for (and could not find) the statement that Appelbaum claimed Poitras made about the NSA retaining '15 years' of surveillance data.

    Think he was drunk?
