Friday, September 20, 2013

CSEC presents Hackfest

Nope, not a photoshop this time. It's CSEC, the Canadian government's version of the NSA, presenting a hacker conference for computer security enthusiasts this November in Quebec. [h/t Lux ex Umbra
Events scheduled for Hackfest Strikes Back include :
And a panel discussion : "How can researchers make money selling vulnerabilities? Should they or is it extortion?"

A talk titled Why the NSA should have every vulnerability by now explains :
"High budgeted intelligence organizations, such as the NSA, will not help fix vulnerabilities, only find as many as possible. The intention is to use these vulnerabilities for offensive operations and fixing them is counter-intuitive to that goal."
Difficult to escape the irony here.

In 2006 CSEC was entrusted with overseeing the global encryption standards process for 163 countries. CSEC handed those keys to the NSA, which promptly used them to insert vulnerabilities and backdoors to allow them to spy on foreign companies and governments. The NY Times quotes an NSA memo on how they pwned CSEC:
"... beginning the journey was a challenge in finesse. After some behind-the-scenes finessing with the head of the Canadian national delegation and with C.S.E., the stage was set for N.S.A. to submit a rewrite of the draft … Eventually, N.S.A. became the sole editor.”
And now CSEC presents workshops and panel discussions on the efficacy and ethics of profiting from those same backdoors and vulnerabilities. 

Update : Dear CSEC : Stop bullshitting us.
When Clapper was asked by the US Congress if the NSA spies on Americans he said no.
When CSEC was asked, CSEC chief John Forster answered :
“CSEC does not direct its activities at Canadians and is prohibited by law from doing so."
which completely ignores Part C of CSEC's own 3-part mandate in law [emphasis mine] :
1. to provide technical assistance to CSIS and Canadian law enforcement agencies;  
2. to assist CSIS under s. 16 of the CSIS Act; and  
3. to assist CSIS and Canadian law enforcement agencies by intercepting the communications of a Canadian/person in Canada that is subject to a CSIS warrant or authorization from law enforcement agencies.


Boris said...

Awesome. I somehow doubt the CSEC will host talks on benefitting from the Snowden-grade vulnerabilities in the NSA! I mean, the NSA essentially reflects its business...

Anonymous said...

"Hide yo Apache, hide yo SSH cause they backdoorin’ everybody out there"

What a joke. Apache and SSH are open source software. Any backdoors will be discovered and removed.

A lecture entitled "Remove yo Microsoft, remove yo Apple, remove yo Google" would be more meaningful from a security perspective.

West End Bob said...

Gotta give thanks to Edward Snowden and Glenn Greenwald of The Guardian for bringing this topic to the fore.

Well, for some of us, anyway . . . .

Purple library guy said...

I'm with anonymous--stick to the open source. GPG (Gnu Privacy Guard, the open source PGP implementation) should be okay too, for instance.

Anonymous said...

Here's a suggestion for a CSE talk re Snowden's leaks - Why did the NSA think normal rules of secure systems engineering did not apply to them?
It's their sheer incompetence that is in some ways the larger issue here. These are the guys in charge of all this info?

Anonymous said...

CSEC is only the main sponsor of the event... and a malware backdooring apache doesn't have anything to do with open source...

Blog Archive