Shadowbrokers show how equation group allegedly gained access to Pakistan GSM network

“From what I understand they have tools to collect CDRs (Call detail record) that are generated on GSM core networks for billing purpose (who is calling who, etc.),” x0rz said. “They are deep into these systems.”

There are more than 1,000 files included in the dump and it’s unknown whether any of the vulnerabilities being exploited remain unpatched.

Read on here

How Europe can avoid to be living in a reality distortion field of ‘security’.

It is fairly surprising, what lately surfaces as being published from the distortion field around telecommunication infrastructure,  some three letter agencies and the German government. Golf-ball shaped architectural elements rais suspicion, “small cylindric white objects” have been seen removed from the neutral grounds of amicable allies’s embassies in Berlin lately, and the rules of conduct for the DoD stemming from 2005 are updated already for the members of that part of the administration in Germany.

The grounds and reasons for current actions given to the general public are at least irritating, too. Any head of state the world over, should expect his or her communication to be under surveillance all of the times (forget Merkel’s mobile already!), maybe with the exception of governments that are not being regarded as threat or being important for any big players (and even in those cases, surveillance will probably take place). The same applies to members of government, MoE and defense, and most probably for all shades of police organizations. Why is it irritating how the official reactions are staged?

Mainly, because the critical points aren’t where they should be pinpointed in all and any of these cases. What governments should be doing it protecting their citizens from threats from foreign surveillance. That they are responsible to shield themselves, especially with all the moneys spent for the BSI and it’s sister organization BND, goes without saying. But that is not, where they should stop: It is, where the real work starts!

Now the US have the unfortunate role of being the scapegoats (I was long pondering, whether this sentence was due, given the chuzpah of how the US reacts to the breaking news), with their head of agency work being shown the door for assuming, the European territories are prey and need not have a voice in things, let alone apologized to.

The elephant in the room is, that these things are happening for all the wrong reasons. The citizens of Germany have elected governments to protect the citizens, not in order to be happy to finance protection of the administration. So, the correct reason for the course of action should be, that the foreign agencies have declared all Germans to be enemies (per definition all foreigners to the US, equalling some 97% of the world population are to be regarded enemies by the NSA, and these so called enemies deserve to be spied upon with no grant of any protection at all – leave alone remorse or apologies for being caught doing so, or even ways of legally object to it).

So when anyone speaks about “America-bashing” when reading or hearing criticism for doing what their agencies do, applying all their intelligence gathering to everybody who is declared enemy by decree, is outing themselves as hypocrite that is turning a blind eye to the disturbing fact, that the nation we all adore is showing behavior of a rogue tyranny in waiting.

Given the motives for the current actions by German government for giving the head of agencies a friendly recommendation to continue his work outside of Germany are wrong, maybe the course of actions is still right?

Many feel it is not. What they say is called for, is a general protection of the public, which seems to be the last point on the ‘list of things to do’. When any cylindrical object is taken off the embassy architecture, does that help? Indeed not, as IMSI catchers and wireless cell surveillance can be easily done mobile. There is a need for counter-action, to stage find-and-destroy missions for any surveillance apparatus of any nation that feels Germany is an enemy (or a good source of industry intelligence). This may include localization of foreign mobile IMSI catchers, devices that “split and duplicate” telecommunication traffic of all sorts, collection of metadata by surveillance-surveillance etc., etc.

There is no excuse for not doing it in the national (and European) interest.

Another overdue course of action is to claim back lost ground on the development of IT and telecommunication devices and systems. Of course, to claw back on the national infrastructure proves to be highly difficult, given that many obvious advantages of globalization are removed from the equation, meaning higher costs and lesser shareholder value. But maybe the shareholder value needs to be paired with national value again – or better still, in unison and under bilateral audit by friendly nations, generating European value.

A setup to develop national infrastructure could be done by developing artifacts with security in mind from the ground up. Auditing can be done at all stages by both own staff and staff of the partner nation (for example France and Germany would come to mind). This would minimize any risk of a ‘contribution’ that might cause a back-door problem. It would cross-fertilize the knowledge and it would make sure, that these bilateral developments would be suitable for both nations (reinstating some of the globalization advantages). If the whole supply-chain and production chain for these mission critical infrastructure were be in the hands of the respective nation with all safety latches closed, the results could actually be convincing (open-sourcing some of it – where not deemed problematic – is an even better idea).

Not too long ago, IT was part of France’s “force de frappe”. So was telecommunication. Under the impression, that Europe was a trusted ally, we, as Europeans, have given up to be alert and nimble. We have succumbed to the songs of the sirens of globalization – and it was a good move to a large extent, economically speaking.

If a trusted partner cancels the trust, and unilaterally cancels the nature of the relationship as well, Europe is well advised to take steps, and do it in a European, not only a national way. France and Germany could lead the steps, and others with a similar technological head-start, like Finland, Latvia, the Netherlands and Greece may like the idea and join in. But Europe needs to grow up and take responsibility. We need to bear in mind, that all the three letter agency agreements are, in the end, bilateral ones, too. The countries of Europe need to recover ownership over their citizen’s data and freedom from being defenseless victims of espionage.

Serious Playstore

If you want to play Spy&Spy, then http://www.nsaplayset.org/ is your playground.

Spion und Spion

 

The inventor of this smallish lookalike “webshop” for the ANT catalogue presents his proof of concept during Defcon: https://www.defcon.org/html/defcon-22/dc-22-speakers.html#Pierce

While the approach is certainly causing some people to laugh out loud, the bitter truth is, that some surveillance systems are becoming readily available for everybody.

 

When dealing with a government or its agencies, their bold approach might be criticized and protested against. But, there is no doubt that many feel a strong desire to look into their neighbor’s private life with no other authorization than commercial interest or pure curiosity. Enforcing any resistance against this requires a lot of work (how would you find out who exactly placed the listening-device in the PCIe slot, the WiFi intercept disguising as a “surge plug”  or the logger into keyboard-cable?) or is plainly impossible.

Building IMSI catchers and GSM surveillance systems ( http://www.nsaplayset.org/twilightvegetable ) out of scrap electronics and a bit of mental sweat means more people can potentially listen in to business or pivate calls, ignoring deliberately the fact that it is against the law of any country.