The problem: the US can’t promise information security to anyone

I’ll be having more to say about the latest Snowdonian revelations as they apply to macro-politics, probably at the Fistful. In the meantime, the document at Le Monde is interesting from a technical point of view.

They mention attacking a PBX – quite a common issue, because a lot of them are proprietary and not very managed and getting at voice calls is high-value. They also mention some attacks involving hacking the end-user PC (obviously), some others that require physical access, and very interestingly, a couple that involve sensing something from a distance.

Specifically, MAGNETIC, DROPMIRE, and OCEAN involve respectively magnetic emanations from computers, similar things from laser printers, and “optical collection from raster-based computer screens”. The first two fall within what is known as TEMPEST, a NATO term for information leaking from computer systems in the radio spectrum and how to prevent it. The US informed its allies about this, up to a point, and NATO created a standard. (They, in their turn, found out from Sir Peter Wright.)

Either the French were in the habit of letting really secret stuff get into non-TEMPEST machines, or the Americans know more about it than they let on and also more than the French suspect. The French are no fools about this stuff; although 70% of the world’s CAPEX on LTE networks in the last two years was in the States, Alcatel snagged most of it. There are, as they say, huge issues about trust.

OCEAN, though, sounds new and interesting. Something similar, VAGRANT, appears to have been used on computer screens at the French embassy in Washington. Overall, the French missions in the US were targeted with malware (HIGHLANDS), with optical observation (VAGRANT or OCEAN), and with an exploit of their PBX (just PBX).

Which reminds me. Remember these posts? Well, over here, we have a discussion of Pakistani worries about cyberwar/information security. I contend that more guarantees of information security would do the avoidance of nuclear war there nothing but good. It would be great if the US, which is a friend-ish to both sides, could help create confidence.

But of course now they can’t. The SIGINT alliances worked because they were both alliances about intelligence and also about security. That implies limits on what the US (or any party to them) could do. So this turned out being a macro-politics post after all.

2 Comments on "The problem: the US can’t promise information security to anyone"

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.