Weaponizing the Internet...

By Simon, 20 November, 2013

Here's a gem:

According to revelations about the QUANTUM program, the NSA can “shoot” (their words) an exploit at any target it desires as his or her traffic passes across the backbone... Which means the rest of us — and especially any company or individual whose operations are economically or politically significant — are now targets. All cleartext traffic is not just information being sent from sender to receiver, but is a possible attack vector.

I was a defense contractor between 1997 and 2000. We built web sites, deployed networks, and generally brought a small section of the DoD into the latter part of the 20th century. I was part of the design and planning team, so we got to do a fair bit of research as well as prototyping and deployment.

One of the things we discovered, back then, was the usefulness of cookies to do things like scan networks behind firewalls. If you could figure out a way to deliver the cookie to the target browser, it would return all sorts of useful data. That was in 1997. One other thing I should mention. Prior to all this, I had founded Coupons.com and CouponNet in 1994, so I was quite familiar with the way online advertising networks worked and how they tracked browsers using things like 1-pixel images that you would never notice (and which, if set up correctly, could also set their own cookies). Add the two together, and you might as well just turn your browser off.

By 1999, we had production SSL proxy servers. The only problem with an SSL proxy is caching encrypted data. It's encrypted differently for every client so it completely defeats the purpose of caching. The only way to actually cache data was to set up a man-in-the-middle attack inside the proxy server. Decrypt, cache, re-encrypt. Back then, we were primarily worried about the security of the cached data. However, the cached data did find a use in discovering employees downloading porn and other stuff on the job which was used to eliminate "dead wood" without the unions pitching a fit. That's about all I can say about it.

Interestingly, NSA did all the official penetration testing for our deployments, and pretty much had access to everything we were doing. Fast-forward to 2013, and I imagine it's actually much worse than this article portrays: