In an interview with a German public broadcaster ARD TV, Edward Snowden dismantles yet another defense put out by supporters of president Obama and the NSA that, unlike those evil Chinese, Russian, and other governments who indulge in industrial espionage in order to get American business and trade secrets and thus benefit their own national industries, the US only spies as part of counter-terrorism efforts.
Of course this defense had already sprung leaks with documented reports of the US spying on Brazilian oil companies, Belgian telecommunication companies, and European Union trade organizations. But Snowden expands on that, saying that the German industrial giant Siemens was also a target.
In a lengthy interview broadcast on the public broadcaster ARD TV on Sunday, Snowden said the NSA did not limit its espionage to issues of national security and cited the German engineering firm Siemens as one target.
“If there’s information at Siemens that’s beneficial to US national interests – even if it doesn’t have anything to do with national security – then they’ll take that information nevertheless,” Snowden said in the interview conducted in Russia, where Snowden has claimed asylum.
He did not release any documents that supported his claims. He said that he no longer had any documents, having handed them all over to the journalists he had chosen as his trusted conduits. But he has proven to be reliable so far so it is only a matter of time before a journalistic outlet releases documents supporting the statements made in the interview.
I suspect that those documents will reveal that Siemens is not the only company that was targeted and that he happened to mention that name because it is a German company and he was being interviewed by the German media. It would not surprise me to find that Japanese, Korean, and companies from other major nations have also come under surveillance.
Reginald Selkirk says
About the post title: surveillance != sabotage. You went too far.
Marcus Ranum says
A year ago one of my colleagues got involved in a situation in which there was a data centre (of a European company, the data centre in China) doing manufacturing. They discovered a fat wireless signal running something that wasn’t 802.11 -- something else, encrypted, and tried to figure out what it was by various expedients such as powering down machines, etc. They weren’t able to locate the source of the signal but the effort was shut down after it was concluded that it was probably Chinese intelligence gathering. Now, I wonder if it was the Chinese, or the USA.
And there lies the problem with this kind of activity. We could very easily and reasonably ask why we should believe that Operation TITAN RAIN was a Chinese operation, or an NSA operation. Why should we believe it was the Chinese that broke into RSA, and Google (SHADY RAT) and not the NSA? Was it the Chinese who broke into the New York Times’ systems, or the FBI? Want to know where I’d put my money if you asked me to bet?
By unilaterally choosing to do this, and to do it in secret, the US intelligence community has caused a thorny problem for all high tech american companies -- whether they are trying to sell products abroad, or defend their own networks. Further, we need to defend against justifiable counter-attack in kind. How would you like to be the CSO of a US energy company, if you thought that you might come under retaliatory attack from a foreign power that feels that STUXNET cost them a tremendous amount of money? Suddenly, your defenses, which are oriented toward keeping “normal” hackers out, don’t look so good. How would you like to be the CTO of an American company that builds smart grid control systems and have a potential customer try to lock you out of the running for a mega-$$ contract because you can’t prove there are no backdoors in your product? For domestic consumption we can’t even say “buy American” because “buy American” now means “comes pre-installed with wireless backdoors for the NSA and FBI” -- who in their right mind wants a data center racked full of computers from Dell or HP? And how do you think Dell and HP feel about that?
Marcus Ranum says
surveillance != sabotage. You went too far.
I don’t agree. The methods used to achieve the surveillance required first sabotaging the target’s security.
noastronomer says
Since Marcus mentioned it, it’s probably worth pointing out that Stuxnet was specifically targeted at control systems manufactured by Siemens.
Make of that what you will.
Mike.
CaitieCat says
Not just sabotaging their security, but necessarily doing so in a way that subsequently leaves them vulnerable -- and ignorant of the vulnerability -- to criminal organizations piggybacking on the same methods. A backdoor doesn’t tend to be permanently private, or inherently prevent access by “someone else’s wrong hands”. How long before some hacker finds an old NSA backdoor and uses it to trash the security of some company or government? Drops 256-bit prisonware on the servers, maybe?
Industrial sabotage is a bloody good and accurate descriptor of this particular element of US government criminality.
Marcus Ranum says
How long before some hacker finds an old NSA backdoor and uses it to trash the security of some company or government?
And, if that hacker did it, they’d be breaking US law and would face a stiff sentence if they were caught and convicted. If the NSA broke into 100,000 computers as they are alleged to have, they have broken US law and almost certainly the laws of other countries. That’s a serious issue you can’t just walk away from by having a secret court write you a ‘get out of jail free’ card. Worse, it’s something the US Government itself acknowledged is wrong and criminal back when we were accusing the Chinese of doing it, in 2010-2011.
I do kind of wonder what would happen if a hacker took advantage of USG installed trojan horses and -- if caught -- claimed that they hadn’t compromised the system at all; they just found it that way.
I know for a fact that there are very smart people working to crack some of the bios trapdoors and looking for the remote access hardware. The NSA’s “we didn’t do it” claims are going to ring mighty hollow when people start taking this stuff apart and posting the specs and designs. That’s exactly what happened with STUXNET -- it’s as if the keystone kops at NSA can’t think farther out than what’s right in front of their faces.
Marcus Ranum says
Oh, let me explain a bit more what I meant by that last sentence:
As soon as someone figures out one of these tools and posts the specs, it’ll be ridiculously easy to find them, and they’ll be impossible to conceal -- a retroactive hunt is feasible, and some people have the capability to potentially go back and see when and how the bugs got installed. Depending on how the communications are done, it may be possible to retroactively go back and see how the trojan horses were used. Yes, there are some people who really do have packet-archives going back years, that they can trawl through… The first time someone comes out with a decode of a trojan horse control channel that belongs to an FBI or NSA bug, they’ll have all the standing they need and there’s no way to claim it’s secret because it was actually their data. There is a large body of case law that says a company or person doesn’t have privacy issues about disclosing their own data. Life will get interesting.
Mano Singham says
@reginald,
Actually, that was the title of the Guardian article I linked to.
augustpamplona says
From the article:
What the hell does this mean? USB drives? It kind of sounds like bullshit.
augustpamplona says
Oops, I should have read the next paragraph before posting.
«The newspaper said the technology had been in use since at least 2008 and relied on a covert channel of radio waves transmitted from tiny circuit boards and USB cards secretly inserted in the computers.»
I’m still skeptical. Where’s the hardware? Are you trying to tell me that it’s been out there since 2008 and no one has traced it and produced some example of hardware?
This is not related to BadBIOS, is it?
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/
Marcus Ranum says
What the hell does this mean? USB drives?
Radio.
I have a USB 802.11 dongle that more or less completely sits in the USB plug, with just a little bit of plastic sticking out (the antenna) -- it gets its power from the USB. Most computers have internal USB on the motherboard or elsewhere. Firewire, too.
Marcus Ranum says
Are you trying to tell me that it’s been out there since 2008 and no one has traced it and produced some example of hardware?
As I said in my comment above, there are certainly a lot of smart people actively looking for it, now. Until recently there were rumors and incidents but nobody had really credible evidence of such a thing. One of my colleagues was involved for several weeks in tracing a mysterious data signal coming out of a data center. There was a guy a few years ago who bought a laptop and it came with a consumer keylogger pre-installed in it. The problem with the latter incident is that it was hard not to dismiss because anyone can open a laptop case, insert a keylogger, and take a picture of it and say “Ooh!”
Nathaniel Frein says
Marcus Ranum, thank you for giving me the language to articulate these concerns to the people I discuss this with in day to day life.
colnago80 says
How about these apples? More from Snowden.
http://goo.gl/fQHwhl
Jörg says
Video of the interview:
Transcript: http://www.ndr.de/ratgeber/netzwelt/snowden277.html
grasshopper says
Government spying on businesses was greatly facilitated by the breaking of the Enigma codes during WWII.
The Enigma machines were based upon a commercially available encrypting machine developed to protect business and industrial communications. After WWII, by not revealing the fact that the Allies could read encrypted commercial correspondence encrypted by Enigma business machines, the Allied nations could gain privileged information in regard to trade and negotiations.
joe says
They are definitely sabotaging my email, and general comm. Thats surveillace and sabotage, but..Americans are satanists anyway.. See a video on YT by Onerepentant8:
HOMELAND INTIMIDATION