A far better report is from TechWeek Europe.
Two very important points:
The initial attack was phishing based. The NSA doesn't need to phish; instead they just use direct packet injection.
The malcode appears to be a MiniDuke variant.
We don't know who is operating MiniDuke (namely, is it the Russians or is it the Chinese?), but the targeting history suggests that it is not the US/UK, as a significant number of the targets of MiniDuke have been US/UK computers (Think tanks, research institutions), while NSA/GCHQ is largely outward facing.
Thus the headline is WRONG: Quisquater was probably attacked by a nation-state level adversary, but that adversary is probably NOT the NSA/GCHQ.
Any sysadmin worth his salt with an unknown MAC address is going to throw it at Wireshark or a similar database, so "Look for a Mac with this MAC" is quite expected.
The upper 24 bits of the MAC address indicate the manufacturer, and can be even finer:
is Wireshark's list.
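The lookup the comment describes, as an added example (not code from the original thread or from Wireshark): normalize the address, check the two flag bits in the first octet, and do a longest-prefix match against a registry. The registry here is a small constructed table with hypothetical vendor names and prefixes; a real check reads the IEEE assignments, which Wireshark ships as its "manuf" file.

```python
"""Pull the manufacturer prefix out of a MAC address and look it up.

Added example for this comment, not code from the original thread. The
registry below is a small constructed table with hypothetical vendor names;
a real lookup reads the IEEE assignments (Wireshark ships them as its
"manuf" file). Prefixes are stored as hex nibbles without separators.
"""
import re

# Constructed registry. IEEE hands out three block sizes, so a prefix can be
# 24 bits (6 nibbles, MA-L), 28 bits (7 nibbles, MA-M) or 36 bits (9 nibbles,
# MA-S); the longer blocks are carved out of a shared 24-bit prefix, which is
# why a lookup has to prefer the longest matching prefix.
SAMPLE_REGISTRY = {
    "001122": "Vendor-A",       # 24-bit block 00:11:22
    "A8BBCC": "Vendor-B",       # 24-bit block A8:BB:CC
    "A8BBCC1": "Vendor-C",      # 28-bit block A8:BB:CC:1x:xx:xx carved from it
    "D8EEFF123": "Vendor-D",    # 36-bit block D8:EE:FF:12:3x:xx
}
_PREFIX_LENGTHS = (9, 7, 6)  # try the most specific block size first

_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 forms
    and return the colon-separated uppercase form. Raises ValueError otherwise."""
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(mac: str) -> bool:
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def _first_octet(mac: str) -> int:
    return int(normalize_mac(mac)[:2], 16)


def is_multicast(mac: str) -> bool:
    # I/G bit: least significant bit of the first octet.
    return bool(_first_octet(mac) & 0x01)


def is_locally_administered(mac: str) -> bool:
    # U/L bit: second least significant bit of the first octet. Set means the
    # address was chosen by software (VM, container, or a phone's randomized
    # Wi-Fi MAC), so the prefix says nothing about the hardware vendor.
    return bool(_first_octet(mac) & 0x02)


def lookup_vendor(mac: str, registry=SAMPLE_REGISTRY):
    """Longest-prefix match of the address against the registry, or None."""
    if is_locally_administered(mac):
        return None
    nibbles = normalize_mac(mac).replace(":", "")
    for length in _PREFIX_LENGTHS:
        vendor = registry.get(nibbles[:length])
        if vendor is not None:
            return vendor
    return None


def describe(mac: str, registry=SAMPLE_REGISTRY) -> dict:
    """Everything a sysadmin would want to know about an unknown MAC."""
    norm = normalize_mac(mac)
    return {
        "mac": norm,
        "oui": norm[:8],
        "multicast": is_multicast(norm),
        "locally_administered": is_locally_administered(norm),
        "vendor": lookup_vendor(norm, registry),
    }


if __name__ == "__main__":
    for addr in ("a8bb.cc12.3456", "A8-BB-CC-22-34-56", "AA:BB:CC:12:34:56",
                 "01:00:5E:00:00:01"):
        print(describe(addr))
```

The U/L check is the caveat that matters in practice: an address with that bit set (for example one a phone randomizes per network) will never be in the registry, so a "no vendor found" result on such an address is expected rather than suspicious.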
QUANTUM is not a fake Slashdot page. Rather it is packet injection (which I speculated about months ago here: https://medium.com/surveillance-state/1b5ab05ac74e )
How it worked is they saw their victim visit LinkedIn or Slashdot, identified them based on their account, and then shot an exploit at them using packet injection. So there was no "fake" Slashdot page, just an injected exploit packet.
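What that injection leaves behind on the wire, as an added example that is not part of the original comment and not any real monitoring tool's code: an off-path injector can fire a forged reply but cannot stop the genuine server reply from arriving a few milliseconds later, so a passive monitor sees two TCP segments in one flow with the same sequence number and different contents, typically with a different IP TTL because the forgery took a different path. The packets below are constructed sample data on TEST-NET addresses; the account-based targeting the comment mentions is not modelled.

```python
"""Spot the race that an off-path packet injector leaves behind.

Added example; not code from the original post or from any real tool. The
segments below are constructed sample data using TEST-NET addresses.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float          # capture timestamp (seconds)
    src: str
    sport: int
    dst: str
    dport: int
    seq: int           # TCP sequence number of the first payload byte
    ttl: int           # IP TTL as seen by the monitor
    payload: bytes


def flow_key(seg: Segment):
    return (seg.src, seg.sport, seg.dst, seg.dport)


def find_injection_races(segments):
    """Return one alert per new, conflicting payload seen at a (flow, seq).

    Identical retransmissions are ignored; they are normal TCP behaviour.
    Differing content at the same sequence number is not proof of injection
    (a server that re-segments a retransmission can produce it too), so the
    alert records both segments and the TTL difference for an analyst.
    """
    seen = {}   # (flow, seq) -> segments with distinct payloads, arrival order
    alerts = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.payload:
            continue  # pure ACKs carry no data to disagree about
        key = (flow_key(seg), seg.seq)
        variants = seen.setdefault(key, [])
        if any(v.payload == seg.payload for v in variants):
            continue  # plain retransmission of something already seen
        if variants:
            winner = variants[0]  # arrived first, so this is what the client acted on
            reasons = ["same sequence number, different payload"]
            if winner.ttl != seg.ttl:
                reasons.append(f"ttl changed from {winner.ttl} to {seg.ttl}")
            alerts.append({
                "flow": key[0],
                "seq": seg.seq,
                "winner": winner,
                "loser": seg,
                "gap_ms": round((seg.ts - winner.ts) * 1000, 3),
                "reasons": reasons,
            })
        variants.append(seg)
    return alerts


# Constructed capture: the victim 198.51.100.5 fetched a page from
# 203.0.113.10. A forged redirect (seq 1000, TTL 61) beat the real 200 OK
# (seq 1000, TTL 52) by 6 ms; later the server retransmitted the real
# segment unchanged, which must not trigger a second alert.
SAMPLE_CAPTURE = [
    Segment(1.000, "198.51.100.5", 41000, "203.0.113.10", 80, 500, 64,
            b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    Segment(1.012, "203.0.113.10", 80, "198.51.100.5", 41000, 1000, 61,
            b"HTTP/1.1 302 Found\r\nLocation: http://injected.invalid/\r\n\r\n"),
    Segment(1.018, "203.0.113.10", 80, "198.51.100.5", 41000, 1000, 52,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Segment(1.300, "203.0.113.10", 80, "198.51.100.5", 41000, 1000, 52,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    Segment(1.400, "198.51.100.5", 41000, "203.0.113.10", 80, 554, 64, b""),
]


if __name__ == "__main__":
    for alert in find_injection_races(SAMPLE_CAPTURE):
        print(alert["flow"], alert["seq"], alert["gap_ms"], alert["reasons"])
```

The detector keys on exact sequence-number collisions only; an injector that overlaps the genuine data at a different offset would need byte-range reassembly to catch, which this example leaves out.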
Not only are these two hawking snake-oil, but their "Whitenoise" stream cipher that's the center of their snake-oil (calling it a "One Time Pad" is a lie) is actually already known-broken!
The real frustrating thing is this is exactly who the NSA is supposed to be spying on. Foreign leadership is specifically in-scope.
The problem I have is the methods: if it's anything like how Belgacom was hacked (using "QUANTUM", namely, packet injection to exploit a tech's computer and then using the 'lawful' intercept capability built into the phone switches), this would be something that the US would clearly call a criminal act, and possibly call an act of war.
If France, say, hacked AT&T using these techniques to monitor cellphones in Washington DC, "ballistic" wouldn't even begin to describe the US response.
I hope they don't try it in Texas, they might end up with an armed teacher who shoots the simulated shooter...
I doubt the fake ID bust was parallel construction. If they were on to DPR, they would have handled the fake IDs far differently, since this could easily have caused DPR to panic and flee the country.
The interesting question not answered in the complaint is how they discovered Silk Road's server to get an image of it in July.
The private company surveillance is out of control. Facebook and Google record almost every web page you visit (Yes, Facebook LIKEs your taste in porn) thanks to those ubiquitous trackers and advertisers. Data brokers collect information, resell it, repackage it, data mine it, and do all sorts of other skeevy things with it.
The private spying is ALMOST as out of control as what the NSA is doing, and also needs to stop.
Having the companies modify their infrastructure for the benefit of the NSA means that, although it may be "legal" to tap foreign communications, the US companies are now complicit in attacking their own customers (just not the US customers).
The reputational and economic damage that the NSA is causing dwarfs the few million dollars the companies are gaining. US/UK technology companies now must be considered to be hostile if you are outside of the US/UK.
Web hosting is generally public, providing public facing information. The data of real note is email, internal documents, and other such critical systems. It is that data which should flee the cloud.
And where should the data run? Why, in-house: businesses which need confidentiality (Law firms, and any business with significant international competition) should forget about outsourcing to the cloud at all.
Actual link: http://www.icsi.berkeley.edu/~nweaver/cloud.pdf
The problems with cloud computing security can be summed up in four words: "Lawyers, Guns, and Money" (with apologies to Warren Zevon, my short talk with that title).
And remember, rule #1 of Cloud Computing Operational Security if you actually have confidential information you need to protect: don't use cloud computing.
A strange coda to the story however. DES was NOT weakened by the NSA. The design's subtle tweaks by the NSA ended up being used to counter differential cryptanalysis, and although the key length was somewhat short, it was still uncrackable at the time of development (now it's crackable in a day or less).
Because to someone like me, DROPMIRE sounds like a lifecycle attack: building in a backdoor into the commercial product itself at the factory.
If the NSA is using lifecycle attacks, or even if there are just credible rumors of the NSA using lifecycle attacks, US network hardware and security companies are now in the same position that Huawei is in.
The US government has no notion of "its already out there": If a document is classified Top Secret, having it discovered on an unclassified computer is bad, VERY BAD. The easiest cleanup procedure usually is "wipe the whole computer".
It doesn't matter if copies of the document are on the front page of every newspaper in the country, scattered across a hundred flyers, and sent a thousand times to every general, colonel, and corporal in the army, its still classified.
The NSA defines "collection" as when they actually use the data and get some result from it, with the probable unstated admission that it is only "collected" if they use the data, get some result, and ADMIT that they used the data and got the result.
It's the same linguistic BS that allows Obama to say with a straight face that he only launches robot flying assassins against Americans who are an "imminent" threat, with "imminent" being defined in his lexicon as "well, perhaps, kinda sorta, and it's too much of a pain to try to capture or do anything like that so let's just send in the robot flying assassins and be done with it"
I'd suspect also that it was 50% AFTER "expenses" which Prenda padded mercilessly. If Mike can get in touch with Mr Pilcher, it might be worth asking about that, since with all the other difficulties, I wouldn't put Hollywood-level accounting past the Prendarists.
It is a crime to DISPLAY any quantity of Marijuana, but it is NOT a misdemeanor in NYC to possess very small quantities, just an infraction.
But once they frisk the victim, and remove the pot from the pocket (EVEN THOUGH its clearly too small to be a weapon) it becomes a misdemeanor because now the victim is displaying the pot!
So for most of the 26,000 arrested for pot, their only arrestable crime was a direct result of BEING FRISKED!
More details at the New York Times.