November 27, 2023
How the Government Hacks You: Chapter 1

Welcome to Hoody's e-book "How the Government Hacks You" in which we delve deep into the shadows of government surveillance to reveal the covert tactics that threaten your online privacy. Each week, a new chapter will unveil the secrets, the risks, and the countermeasures that will empower you to protect your personal data. When privacy is at stake, knowledge is your best defense.
Chapter 1: An Introduction to Government Hacking

Surveillance is the bread and butter of government agencies that monitor foreign and domestic threats. And it's not like they hide the fact that their eyes are on absolutely everyone. In the U.S. alone, three major government agencies conduct warrantless wiretapping. The public knows this because they've been brought in front of Congress, testified in courts of law, and had communications with elected officials who defend the practice of spying on citizens of their own country to achieve their goals.

In theory, the NSA only wiretaps American citizens when they think there's a foreign terrorist threat involved. Which could mean anything, since there are no external checks and balances if there is no warrant. That's why they conduct a massive amount of surveillance on U.S. soil and have done so for over two and a half decades.

The FBI isn't nearly as picky, however. They go after domestic terrorists with the broad brush handed to them by The Patriot Act. They even go after library records. They were also caught committing widespread warrantless wiretap violations by the same court that approved their tactics for another year. The Patriot Act is a blank check that just keeps on giving.

Of course, the FBI can share that data with any law enforcement agency that they see fit if they suspect outside influence. Most often, that means the CIA. Not that they really need to 'share', since the CIA enjoys the same minimization of wiretap procedures for section 702 data. They're no stranger to a little bit of domestic spycraft, in the name of 'rooting out international espionage'.

That's all public information, all widely reported on, and all backed up by testimony in a court of law. Mind you: That's just three agencies in a single country; a country that claims to be the 'home of the free'. What has been documented in less liberal countries, some of which will be covered in the next few chapters of this book, is far more harrowing.

These days, wiretapping is just the tip of the iceberg. Governments around the world use a variety of methods to spy on 'persons of interest' (in other words, anyone they like), and their tools are far more sophisticated than the spying phone apps and commercially available software that the public is familiar with.

In this series, I'll be talking about government hacking techniques as they're used throughout the entire world. Because the focus is on declassified information, public records, and provable theory rather than any technique or activity that could be deemed part of an 'ongoing operation', no particular government should be too upset that these techniques are being discussed.

The topics that are covered in this series will scale in complexity. That means we'll cover the basics together, and then build upon the reader's knowledge as we progress. So whether you're a professional in the hacking or spycraft game or a complete novice to the more technical side of government hacking programs, you should get something out of the topics discussed.

Speaking of topics, here's how they'll be covered:

Real-world hacking efforts that most governments use are based on the level of 'interest' or 'threat' a target has… they start with general tools for mass surveillance, then get more specific as they narrow down their scope. With that in mind, I'll start by describing the broadest net they have available: Mass hacks and surveillance techniques. Then I'll move on to group or organizational hacks and surveillance techniques. Finally, I'll drill into highly tailored (and often costly in both time and equipment) individual hacks and surveillance techniques. By covering things in that order, the reader will get a glimpse into the mindset of government-spying priorities.

Now that you know what themes we're going to be talking about, let's get into what's at stake.

Privacy VS Safety

Putting aside any accusations of corruption or personal gain for the moment, the publicly stated reason that governments spy on people is to keep the majority of their citizens safe. One of the more recent statements about why the United States spies on their allies is quite telling:

“The U.S. government should collect foreign intelligence to fulfill its most important role, which is to protect the security, liberty, and well-being of its citizens. Collecting intelligence on our allies is sometimes necessary to fulfill this obligation, because what allies do and what happens within their borders can and regularly does have a major impact on Americans. Let's remember what being a U.S. ally actually means: that American citizens are committed to defending these countries with their resources and ultimately with their lives. So, since our allies see fit to ask us to defend them, we have a reasonable interest in knowing what they are up to.” - Elbridge Colby - Department of Defense

As a former DoD Deputy Assistant, Mister Colby contends that if a country is obligated to defend someone, that creates a reason for the country to spy on those whom it may need to protect.

And that's exactly the attitude that many governments have around the world. That policy broadly applies to foreign powers as well as their own citizens. In the eyes of most governments, safety trumps privacy. This is made clear in the body of their laws.

In the U.S., it's the 1994 Communications Assistance for Law Enforcement Act (CALEA) that intentionally weakens digital encryption on communications to allow for government wiretapping (in conjunction with FISA and The Patriot Act, allowing for warrantless wiretapping, of course). In the EU, it's the Council Resolution on Encryption, which 'suggests' that there need to be backdoors to bypass encryption for police and security agencies. In the U.K., it's the Regulation of Investigatory Powers Act 2000 (RIPA) that states that suspects must surrender all encryption keys and passwords to authorities, as well as the upcoming Online Safety Bill which gives the government the right to monitor and block any content they deem 'unsafe'.

Similar policies are being passed all over the world that limit encryption, allow for warrantless wiretapping, allow the government to block sites and resources, and force people to hand over passwords. It's all a matter of public record, as seen clearly in the links above. The right to privacy is rapidly slipping away from most of humanity, being replaced by security statutes.

Why? The most common reasons in recent years have been terrorism, and protecting the helpless (the infirm, children, the exploited, etc.). The impact of The Patriot Act alone, not only on the U.S. but abroad, has been staggering. In the name of chasing terrorists, everything from travel to the right to privacy has been impacted… for nothing. And that assessment isn't personal, that is the result of an official U.S. government review board's factual investigation of the surveillance statutes (also known as Section 215):

“We have not identified a single instance involving a threat to the United States in which the telephone records program made a concrete difference in the outcome of a counterterrorism investigation. Moreover, we are aware of no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack. And we believe that in only one instance over the past seven years has the program arguably contributed to the identification of an unknown terrorism suspect. In that case, moreover, the suspect was not involved in planning a terrorist attack and there is reason to believe that the FBI may have discovered him without the contribution of the NSA's program.”

The broadest anti-terrorism law in history resulted in 192,499 National Security Letters (NSLs) being issued by the FBI and only a single terrorism conviction that law enforcement already had overwhelming evidence to prosecute. In fact, those hundreds of thousands of NSLs found exactly 54 crimes: 17 money laundering cases, 17 immigration cases, and 19 fraud cases in addition to the 1 terrorism case that was already in the bag.

An NSL involves the warrantless siphoning of all of a target's phone records, digital records, bank records, and a stream of their live digital actions. There is no requirement for that information to ever be destroyed. Arguably, the time taken to request and analyze the lives of nearly 200k people could have been spent doing a well-targeted, real-world investigation, which should have resulted in far more than 54 arrests.

And yet, elected officials around the world continue to pass these laws and continue to sell out privacy in the name of false security. They don't address the policies that create terrorism, human trafficking, and child abuse. To many politicians, those things are just the cost of doing business on a global scale.

Governments Hacking Companies and Individuals

Generally speaking, governments cast a broad net to capture as many victims as possible, and only then narrow down their search to individuals based on the results. The most famous example of this technique is PRISM.

PRISM is a U.S. government Internet surveillance program that collects personal information and correspondences from the major tech companies based in North America (Facebook, Google, and Apple to name a few). The full scope of such a program is hard to grasp, involving hundreds of millions of people and years of content and metadata for each of them. Whistleblower and former NSA analyst Edward Snowden said this about why he had to leak information about the NSA data collection scheme:

“I can't in good conscience allow the US government to destroy privacy, Internet freedom, and basic liberties for people around the world with this massive surveillance machine they're secretly building.”

To think that other countries don't have their own mass data surveillance systems would be naive. Thanks to Snowden, it is now publicly known that the U.K. has the Tempora monitoring system which scrapes data from undersea fiber optic cables. Of course, the U.S. has its own version of this upstream data collection. The E.U. has been struggling with the privacy aspects of such activity. They were forced to admit that U.S. companies cannot be considered secure as far as handling E.U. data.

Mass data gathering on domestic targets is 'great' as far as some governments are concerned. But when a government really wants to single out an individual, they tailor their bait quite specifically. One of the more recent examples of a government targeting key individuals with their hacking is via FinSpy.

FinSpy is a commercially available, professionally developed spyware suite that governments all over the globe use to spy on people. How the government hacks you as an individual starts with highly tailored spyware such as this. The Egyptian government targets pesky human rights activists with this technique. But it only really hit mainstream media when an American was targeted by the Ethiopian government.

Governments using programs like FinSpy are examples of conscious, no-holds-barred spying on single individuals within the borders of their own country. They collect personal data, GPS locations, habits, calls, texts, and more. So let's call it what it is: Targeted domestic surveillance, often upon citizens. This goes far beyond simple spying phone apps, and into the realm of Big Brother.

As we cover topics such as the three levels of government interest, government botnets, and resonance attacks, it will be difficult to distinguish this completely factual, public-record-backed account of what's happening in the world from science fiction. Many people will prefer to think that these things only happen in spy thrillers, even with the government accounts sitting right in front of their noses.

If that happens, I ask that you come back to this introduction and carefully go through the links. Remind yourself that these are facts… indisputable facts, the vast majority of which have been confirmed by the governments involved, and the rest supported by overwhelming evidence.

The 'Cowboy' Nature of Government Hacking

The reason why these complex and all-encompassing surveillance programs are possible is because of the culture present within many government hacking operations. Snowden discussed some of what he saw as an NSA analyst in three-time Pulitzer Prize winner Barton Gellman's book, 'Dark Mirror':

“T-shirts, jeans, bleached hair, green hair, earrings, meme shirts, memes posted all over your cubicle.” - Edward Snowden - Former U.S. government analyst

Which would be fine in and of itself, even if it breaks some of the government organization's standards for professionalism. But as GQ pointed out in their exposé of the inner workings of NSA hacker squads, those traits were accompanied by incredible toxic masculinity and adolescent empowerment fantasies. The 'whatever it takes' attitude combined with the warrantless nature of some of their work meant that checks and balances were few and far between.

This is in line with demographics collected by HackerOne from a bug bounty competition. The typical hacker is young, and male, and over two-thirds of them are motivated by money/fun/challenge. It's an all-or-nothing kind of crowd, testosterone-fueled, and results-oriented.

Those statistics apply globally, with little variation in age, sex, or motivation from country to country. China, Russia, and the U.S. are where the major government-oriented hacking groups are found, and none of them are known for their restraint, oversight, or adhesion to international standards.

Setting the Stage

It is inevitable, when talking about any hacking activity, that a hint of distrust enters the picture. After all, a hacker's job is to gain access to information that they shouldn't have, and manipulating the public would certainly make future campaigns to exploit the public trust much easier.

So part of my job is to make the reader understand exactly where this information is coming from and reassure you that my only 'agenda' is to share factual information. You will find hundreds, if not thousands of links to government papers, journalist accounts, and videos in this book.

Still, you deserve to know something about the person compiling those facts. With that in mind, a brief version of my biography will be reprinted in any digital version of this work produced in serial formats. And an extended version will be stated for the record, here and now.

Something that should put readers at ease: I live my life publicly. What that means is that I make no attempt to hide who I am or where I've been. I use no proxy service that hides my location (unless it's to check the regional censorship status of data). I use my real name on social media, and my CV is available without reservation. It might be strange to think that a former security and network tester lives in a transparent bubble like that, but it is the only way to experience the world unfiltered. So I am who I am everywhere, at all times.

My qualifications: I was a graduate of Porter and Chester Institute because their EE program was one of the only ways to get a network administration job with only one year of higher education. I moved to Silicon Valley and was a SysAdmin for companies that no longer exist, having been bought, sold, and absorbed by Fortune 500 entities.

As a freelancer, I performed network and security testing on an ad hoc basis. My programming skills were (and remain) pitiful outside of shell scripting and a little Perl. On the security side, I primarily made my name as a dumpster diver, a social engineer, and a physical entry guy. On those counts, I was very, very good.

Needing to get my head straight, I became a night manager at a bookstore for a while, which is where I rekindled my love for writing. Then I got back into tech while simultaneously working on my real estate license. I fell in love with my partner at a convention in San Jose, and in 2006 I moved to the U.K.

After a few years of tech writing, call center work, and more freelancing, I discovered uTest. In 2010, I was their Performance Tester of the Year, which was likely the peak of my technical skills and achievements. I went on to become a CISM-holding nonfunctional test manager at Deloitte for a number of years. My security testing skills came back to the forefront, and I got my CISM certification to help make it apply at a modern corporate level. While all of that was both eye-opening and rewarding in equal measure, consulting effectively finished my long burnout process. After a brief venture trying to start up a new company, I swore off active tech roles and became a full-time writer.

Which is how I landed this gig. For those who follow the money: I get paid by the word, and I'm being fact-checked. That's why there are in excess of two dozen links to government sources, industry specialists, and large newspapers in this Intro alone. So I have no incentive to lie, and every incentive to relate factual information… because I don't get paid for revisions.

In my life, I've held Secret clearance with two major governments. I've worked with security agencies, with government organizations that vet and produce identity documentation, and with law enforcement. I did not always agree with those entities and absolutely became a pain in their ass from time to time. But I stand by my work, which (on the security side) was in line with what most would call 'ethical hacking' and more general network engineering.

So at this point, some readers may trust me. And that's fine. But please continue to do your own research as we document and discuss how the government hacks you, and please use neutral sources as much as possible. Partisan news organizations and niche social media sites are not 'research'. Use international media, court documents, legal proceedings, and scientific journals as much as possible. You just want the facts, no bias.

If nothing else, I hope the result of this book is a renewed interest in public disclosure of matters relating to privacy, security, and government oversight.

Topics Moving Forward

This book, or series of articles if you're reading it as part of a blog, is meant to be nearly (or fully) novel-length by the end of it all. Though I'll reserve judgment on actual word count estimates, there's certainly enough information out there to achieve such a goal. Here are the topics to be covered in future chapters or articles:

Introduction - What you just read. General themes and trends that will interest people in the contents of the series. Topics include privacy, government hacks of groups and individuals, establishing the 'cowboy' nature of government hacking culture, and talking about the author's background to establish identity.

Three Levels of Government Interest - Covering the concepts of mass or public surveillance measures and hacks, business or group level infiltrations, and individuals that have been singled out as special cases.

Back Doors - The not-so-secret government agreements that are in place with router manufacturers, telecommunications companies, and the like. How intentional back doors left open for governments allow them to gain special access to both phone networks and Internet service providers.

Social Media Analysis - A brief primer on how social media allows governments to track large-scale activities, monitor protest groups, and flag topics that they consider at odds with their own goals.

Destroying Encryption - The multiple ways that governments have already defeated weaker private encryption efforts and the legislation that removes powerful encryption from the hands of private citizens.

Government Botnets - Covers the use of botnets to inject malware into the systems of entire industries or regions. This can be used to key log raw information, track clicked links, monitor internal communications, and later manipulate or destroy data.

Warrantless Wiretapping - Our first step into the 'group' level of surveillance, talks about the ease of getting a group warrantless wiretap order, keyword and key phrase monitoring, open-ended expiration, the laws that make it possible, and some groups impacted.

Rowhammer - One of the most devastating, under-the-radar security attacks of our generation. This bit-flipping attack has implications for the storage and processing of data, even on so-called 'protected' systems. The countermeasures are few, and the applications are broad. Used most often as a corporate or organizational attack method.

Laser Listening Systems - One of the most common and reliable ways to spy on entire meetings or offices is by turning a pane of glass into a giant microphone. Details and countermeasures.

Resonance Attacks - The first of the more 'personal' attacks that are focused on specific individuals. By monitoring audio resonance via a planted microphone, or by hacking an existing microphone, government hackers can gain access to a lot of information. Coil whine monitor attacks, 'lamp phone' attacks and the like will be discussed.

Garbage Day - The lowest-tech, but often highest-yielding attacks on individuals come from what they recycle and throw away. By collating information on buying habits, recycling patterns, store and receipt information, and chosen brands, they can profile individuals and run them through a pattern database to track movements, likely political affiliations, level of activism, and the like.

GPS Tracking - Whether via phone hacks, service provider cooperation, or vehicle-attached devices, tracking the location of an individual is trivial these days. We will talk about the accusations of 'stealing' government devices if found and removed, and current legislation.

IoT Hacks - Some of the weakest security and encryption are on Internet of Things devices. They're being used by the government as backdoors into home and small business networks, which will be probed in depth.

Conclusion - A summary that will also talk about the implications of everything we've learned.

If these topics are of interest to you, I hope to see you again soon. Until then, stay safe out there.

Stay tuned for Chapter 2: Three Levels of Government Interest on the Hoody Privacy Hub.

Will R
Hoody Editorial Team

Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.
