I wanted to make specific comments about the Appelbaum video but there is so much content there that it makes a comprehensive reply pretty hard. In general I was bothered by some of what he said and wanted to look a little deeper into some of the information. For example, the first device he mentions at 16:15 is a "Close Access Operations Box" which is essentially a laptop that puts unwanted packets onto a wireless network. He specifically goes out of his way to mention that it runs Linux but the OS is really pretty irrelevant... the software they made on it is what is important. It is kind of a compliment to Linux that they chose not to develop their virus on another platform. What struck me as odd is that the slide in the background indicated what OSes it could target but he didn't actually read it out loud. It is able to target
Win2k
WinXP
WinXP SP1
WinXP SP2 w/ IE5.x/6.x
but even those of us who hate Windows 7 enough to still run XP would at least have SP3 installed (especially since it is a requirement for WPA2). Of course it is entirely possible that their virus has been updated but the talk was given just a few months ago and XP/SP2 has been mostly useless for a lot longer than that. This also gives me the impression that it does not target routers or other network devices which I would have expected since it could provide them enhanced remote access.
At 17:12 he is still speaking about the same device and says that the NSA is sabotaging and undermining American companies and American ingenuity. That really sticks in my craw because frankly I hold American companies as being among the least reputable organizations on the planet. For him to say that the NSA is being naughty to Microsoft is like saying that a junkie once punched a rival gang member in the mouth for no good reason. Ultimately I find the insult to US corporations far less important than the complete annihilation of personal privacy and security.
At 24:32 he is specifically talking about untasked surveillance when he remarks that going to certain web sites if you are Muslim will result in an automatic attack. He ends up never finishing his sentence but the part he does actually say does not make sense. Untasked surveillance would not be able to determine the religious views of a web site visitor and therefore could not launch a religiously motivated attack. If the surveillance had been "tasked" instead then the statement would make sense but then that would exclude a lot of people (unless the NSA is now performing mass tasked surveillance).
There were a number of references to projects with names beginning with "quantum" but it seemed that a number of these required an initial compromise which would grant access for the "quantumthing". There was also mention of BIOS-based attacks and even hard drive firmware attacks but no details on exactly how these attacks are carried out. As R_Head mentioned, this sounds like it would require far more than a bunch of packets blasted out on a wireless network.
At 53:04 and 55:42 he is mentioning a number of physical devices ranging from USB implants to implants on internal bus connectors to keyboard implants. Now of course all of these are targeted attacks since it wouldn't make sense that they are putting these in all PCs and laptops by default. Potentially they could encourage manufacturers to do this for them, but then it wouldn't be implants, it would be a backdoor. In any case, the idea that the NSA could intercept your mail and implant these devices exists but certainly doesn't account for a terrorist who decides to walk into a computer store and buy a computer.
The tempest thing he mentions at 57:58 sounds interesting, but not much more exotic than a 1GHz ham radio with a 1kW amplifier. I imagine that if it had a proper antenna it could do some physical damage but frankly I would think they'd be better off killing people with bullets in a slingshot.
I'm of course not saying that the content of the talk is false, or that it is unimportant... but I wish there was a complete disclosure of how each of these things works and an opportunity to make them ourselves and learn about them.
I also watched the related William Binney video at MIT and wondered why the audience was full of "older" folks who didn't seem to be deeply technical. I also wondered what a "crypto mathematician" is. It seems Mr. Binney is the only person who uses the term. He says that he was managing 6000 people which to me is an indication that he is not technical and would not have a deep understanding of the devices and software. He did have a lot to say about the data being recorded but not about the size... he should be able to quote actual numbers on the storage requirements on a year by year basis (even if just rough estimates) and how much is needed for each individual and how much of the data is of US citizens vs. non-US. I have a hard time believing that the NSA's infrastructure (which as he mentions is entirely out of the US) would have enough bandwidth and storage to accommodate the data he says they have. I certainly wouldn't imply that they have no data at all, but I can't believe he is entirely accurate.
The bottom line is that while I can see value in exposing the NSA's poor treatment of people's privacy and security, I wish it didn't have to be so dramatic. I'm not even sure that the sensationalism helps the cause because clearly there are many people who simply believe that it is just fine to be governed by a completely unaccountable group. Unfortunately I think that government and corpocracy will simply carry on until something much more significant happens.
Cheers to clicking submit at 2am in a bad mood. :-)
S.