Can mac users be spied on using PROMIS software?
 

I've read this article about PROMIS software and this made me concerned:

http://users.cyberone.com.au/myers/bugs.html

I'm not really into conspiracies and never thought much of people who said that Windows was designed to become popular so that the government could spy on you. I thought they were exaggerating and being paranoid.

But after reading this and having things spelled out how this PROMIS software works, I realize they are right.

Where does that leave mac users? The article says that mac users can be spied on too: those using Mac OS 9.0 up ..... and then it says for better protection switch to mac (or unix)???

Does anyone have the dirt or insider's information or expert opinion on this?

It could be true, but I doubt it. The thing about secrets is that they tend to be exposed over time. This secret, if it were to be effective, would have to be known to a significant number of government employees over a significant period of time. Eventually, one or more would attempt to use the information to their benefit, and any back door would be exposed.

I think it's more likely that governments pay close attention to known vulnerabilities and they may develop ways to exploit them for their purposes.

They openly admit it. Microsoft AND MACINTOSH. Read this article:

http://www.washingtonpost.com/wp-dyn...010801352.html

And it's LEGAL too or it's about to be made legal.

Illegal spying about to be made legal

NSA spying argued in court hearing

Look at all the links about "NSA and Windows":
Search "Microsoft" "Spying" "NSA"

Another article:
Why NSA computer spying puts Americans in danger

NSA and Microsoft worked together on Windows Vista security

There are tons of articles on this.

Now we know Microsoft Windows and Vista are compromised (99% certain).

What about the status of Macintosh?

I don't care about Windows; I don't use it much, but I use Macintosh all the time.

This is scary.

This book by Ben-Menashe came out in 1992. So the secret about PROMIS software has been known since then. I bet you though the government has done nothing about it.

For all we know, all of our computers can be linked to this PROMIS software (through the operating systems) and we have been spied on for years and years - not just by the US government but by Israel.

I believe this PROMIS software still is in place.

Collaborating with the NSA on the Mac OS X security configuration guide is a long way from installing a back door for the NSA.

Assume Apple did install a back door for the NSA. What would happen? First, there would need to be a number of NSA and Apple employees who know about the back door. This number would need to grow well beyond the initial few who devised it, if the back door were to be used.

Ever hear of Area 51? It's a super secret facility that the government denied existed. It's in the desert. In the middle of nowhere. Everybody knows it's there. The same thing would happen with a back door, only worse. At Area 51, armed guards authorized to kill are able to keep everyone literally miles away from the base. With an OS, everyone has access to it. No one can stop you from examining every byte if you've got the expertise, the time, and the inclination. There are lots of people who are looking for ways into lots of operating systems, and if they thought there might be a back door, they'd look for one. If there was one, they'd find it.

They found it with Windows and it was even named appropriately NSAkey or something like that. It's in one of the links. Microsoft denies that that has anything to do with it and say the "NSA" part refers to it being "NSA-approved". Do you believe that?

I'm wondering if someone who is computer-savvy has found something similar with Macintosh or is it a case of not wanting to tell even if they know?

The writer of the article in the OP has asserted that they have also put this backdoor into macintoshes, not just Windows-based PCs.

The article talks quite in detail about Area 51 actually.

Please read the article in the OP before commenting because the article lays it all out how this PROMIS software has 'infected' everything. I don't know much about computers at all but this article certainly has me worried.

I just quickly checked "Promis" in Search and found that the company is still going strong. This means the PROMIS software is still in use.

It seems 'they' have even killed people over this; in the article it says an investigative reporter who was investigating the Inslaw case and the government connections mysteriously died. Also Maxwell mysteriously died. It seems the lawyer who was representing Hamilton got off very lightly when he was retired by his law firm and paid off to not work on this case.

Those 'tin-foil hat-wearers' were right all along! We are being spied on through our computers.

I'm not saying that the NSA isn't comprised of a bunch of jack booted brown shirts. I'm just saying that putting a back door in an operating system isn't the best way to go about spying on people. It's more likely to backfire than accomplish any of their goals.

How would it backfire? It seems like they have been doing it for decades and now they have made it legal and this applies retrospectively too.

What is a better way of spying on people except to read their electronic communications: emails, history of browsing, everything else that you do on a computer?

The article shows how beneficial the PROMIS was in tracking people's movements just by looking at their payments of electricity bills, phone usage etc ... you would get a whole lot of useful information as well by looking directly at the target's computer.

This information came out in 1992 when Ben-Menashe's book came out. There were no repercussions as far as I know. Things continued on as usual. Some people caught it and mentioned it on messageboards. I read these postings but dismissed them as they weren't fleshed out - they were just posted as rumors. Now that I have read the article and read some relevant links, I can see the evidence for myself that there is a lot of substance to the rumors.

And a computer EXPERT has found the backdoor and confronted Microsoft with it. It's in one of the links. Microsoft continues to deny it however.

It would backfire for many reasons and in many ways. The NSA isn't immune to political realities, nor are its computers 100% free of vulnerabilities. A backdoor found in commercial operating systems would mean that government computers could be compromised easily and stealthily if the information got into the wrong hands.

You don't need a backdoor to read emails, bills, credit card information, etc. All you need is a court order, and that is risk free.

Government computers ARE compromised. There was the news recently that a hacker hacked into the computers controlling an electric grid somewhere. This is only the tip of the iceberg. Did you read the whole article? It's not just the USA, it's the whole WORLD that's being spied on, these PROMIS-infected computers are everywhere; the writer claims it's one of the things that brought down the Soviet Union or something like that.

And no you don't need a court order anymore. Did you read the link where it says they have legalized the computer spying? And made it legal retroactively?

The "Enemy of the State" movie was not 'fictional'; it's been 'fact' for a long time now.

Here is another article about NSA and the trapdoor built into Windows:

http://www.heise.de/tp/r4/artikel/5/5263/1.html

WHO IS BEHIND THE THIRD KEY?

At the end of the article they say they were lucky to find the key in time because the next batch of computers put out by Microsoft makes it impossible to find these backdoors.

Here is the article in the OP again:

http://users.cyberone.com.au/myers/bugs.html

Look these people aren't fooling around or trying to play nice; if you read the whole article, you will see that people who have come too close to uncovering this or have been involved in some other way have mysteriously died. This is a high-stakes game. The PROMIS software is an invaluable tool for certain parties.

Just another wedge inserted as big brother pries open the door to your privacy the better to watch over you. There was a lot of discussion about the requirement for a "back door" when modern methods of encryption became impossible to break in reasonable time spans. For a while anyway, PGP could not be exported, not even into Canada. I suspect the ban on exporting it was lifted when the backdoor was installed to NSA's satisfaction. It's been there for quite a while, in other words. Why the sudden shock and awe?

The sudden shock and awe for me at least is because I haven't come across concrete evidence for this before now. Just rumor and conjecture. As I've said I'm pretty ignorant about computers so don't keep up with the latest news. Also I thought macintosh was safer or above doing this sort of thing. Everyone knows how popular Windows has been relative to mac. If I had come across proof that Windows had been working hand in hand with the NSA it wouldn't be as shocking, but I also find that mac (and linux) are in the same boat i.e. operating systems are vulnerable to being spied on; and that mac (anyway, don't know about linux) has been actively working with the NSA in developing this backdoor. I thought mac was more independent, more lone wolf guy, anti-government canoodlling ...

... It makes a lot of sense to me now what's been happening; things like Microsoft making big inroads to China; remember the meeting between Gates and the President of China? They want to spy on the Chinese as well and it looks like they can.

And I had a quick search in the forums here for PROMIS and found no posts or threads about it. Mine is the first. So if this is so well-known and there is no need for shock and awe, where are the messages about it? I would have thought if this was to be discussed on the net, it would be on a messageboard like this one.

Anyway this thread is a kind of a warning as well as an attempt to dig out more information from 'insiders' or those not connected but knowledgeable about this - I'm looking for a "Yes, this is true; this is how the NSA spies on you; Windows has the NSAKEY and mac has ......." or "We've been aware of Ben-Menashe's claims since they came out and this is where mac stands on the issue ..."

Now I'm beginning to think mac is somehow deep up to its elbows in collaborating with the NSA in enabling it to access people's computers through the backdoor/trapdoor or whatever you want to call it. The reason? I don't know why. Maybe they were 'persuaded' to do so or they wanted to 'help' them out.

It's good to air this and let everyone know what's going on especially as there is information straight from the horse's mouth on this available on the net: see the link in the OP.

What is surprising to me is the LACK of shock and awe over this. I've only come across mutterings about this before; one-line statements that Windows allows the government to spy on you, that's all ... this is the first time I've seen the story about this all laid out.

Also I wanted someone to explain the ambiguous message quoted in the OP about macs where it says macs can be spied on and then it says macs are safer ... this part is confusing to me; the writer seems to contradict himself there a little.

You're not likely to get it. Just a guess, but NSAKEY sounds like a Registry entry. Anyone could make one, and it doesn't necessarily mean that the PC is compromised. As for the Mac, if there is a back door and somebody finds it, my guess is you'll hear about it as the first true Mac virus. Soon after that, Apple will close the hole.

As far as the OP Ari Ben-Menashe doesn't exactly look like a reputable source.

As far as that's concerned, you can never prove that any system is 100% secure, partly because they aren't, and partly because you can't prove a negative. You can't prove that something can't be broken into.

In a sense, he's correct if there is no back door. Macs are safer than PCs, but that certainly doesn't make them 100% safe, so it's possible that somebody could be spying on Mac users through their computers. Likely? I don't think so. Remember that for this back door to be useful, they'd also need back doors for every router performing NAT, as well as a way to disable applications like Little Snitch. The degree of difficulty seems likely to exceed any potential benefits. Not that logic would get in the way of such an effort. ;)

Hmm...
 

I am not one for conspiracy theories, so I want to add my cynical 2¢:

The code base may be large, but it is likely to be relatively easy to determine the bits which would be relevant to the 'trap-door'. Especially for people involved in security companies who search for flaws in their day-to-day work.

I realise that there are indeed restrictions on the strength of cryptographic algorithms which can be exported. It typically enforces a maximum key-length (e.g. 256 bits).

However, to encrypt something with 1024 bit strength, you simply have to chain four encryptions together (with four different keys). That is, encrypt data with key 1, encrypt result with key 2, encrypt that result with key 3, and encrypt that result with key 4. Result has effectively been encrypted with a 1024 bit key*.

* this assumes the intermediate results have no discernable structure. If they did, then the resulting strength would only be equivalent to four times the original key length (e.g. using a 258 bit key instead of a 256 bit key).

This chaining is exactly how TripleDES works - an encryption, followed by a decryption, and then a final encryption. And DES has no backdoor (although people did suggest this was possible when it was invented, it has been analysed in great detail by a lot of people and shown to contain a number of steps which make cracking it very difficult, and moreover does not contain a backdoor).


So we are to assume that the foreign intelligence agency allows arbitrary access to its systems from any computer...? And even if it were that case, the fact that the 'back-door' seems to rely on a single hidden key (i.e. the password) and that key is known (it's the one in the DLL*), everyone should be able to access everyone else's computers.

Correct me if I'm wrong, but this hasn't happened yet!

And changing the DLL (or rather the second key in the DLL) would close the 'trap-door'.

*another caveat: if the key in the DLL is the encrypted password, for example, then the computer being accessed has to either encrypt the password typed in, or decrypt the stored one. Both require use of the same key, and that key has to be stored on the computer. But the real killer is that the encryption/decryption has to be by the computer being accessed. Since the majority of computers don't have "hardware security modules" (although some now do courtesy of the Trusted Platform Group), their memory contents can be read at all times and thus it would be possible to discover the secret key.

Then there's the issue of network traffic. For the backdoor to work (if it even exists) the computer has to be connected to the Internet. And internet traffic can be analysed (at the very least to detect 'suspicious' traffic).

I cannot believe that every piece of software or hardware that can analyse network traffic has been developed to ignore traffic sent using this 'backdoor'.

Basically, I am saying that if such a back-door existed, enough is known to actually use it, and using it could be trivially detected.


Current developments in automatic utility metering are specifically intended to prevent the utility company from being able to learn 'private' information such as normal usage patterns, and therefore prevent them from determining when current usage is not normal (e.g. when a guest is staying).

The most likely backdoor is the PROMIS software itself, (and not the operating system). That would use the internet for its database access, and backdoors could easily be part of the design of _that_ software. Isn't that what those articles are all about? (especially the paranoia part, eh?)

You're right. Two backdoors: the first backdoor is the one built into the operating system. This backdoor allows the NSA to spy on you. Then there is the second backdoor built right into the PROMIS system itself. This enables anyone with a key to the backdoor to spy on the spooks (NSA) themselves.

That's the bigger implication: the NSA and by default ALL US government agencies including the Defense department etc can be spied on by a third party who has access to the keys. These are the people who developed the software from the start.

But a third key was found in the Windows OS; whoever has access to this third key can spy on Windows users. You can bypass the NSA altogether if you have access to the keys and directly spy on computer-users.

Why hasn't the government done a thorough clean-out and removed the PROMIS software now that they know it's not secure? What they're doing instead is spreading the breach of security to individual users of computers and the internet.

Paranoia? Do you believe the NSA when it says that it is only helping Apple and MS systems be more secure against spying by lending them a hand?

Why would a spy agency have an interest in making individual users' computers more secure against spying?

It's like expecting a robber to help you make your house more secure against robbery by telling the robber the location of your safe and the lock combination and asking them to set a new combination for it.

EatsWithFingers:

I hope you're right. This does make sense to me.

Well, yes, that's one of the good techniques for making your system(or your house) more secure - you hire someone who knows where the insecure areas are... right?
So, yes, I would believe the NSA (on that point). Leaving trapdoors that can't be detected by any means? That's a huge stretch with today's network security tools. (even a huge leap for paranoia to put any belief in every freak who wants to post a blog on the internet). I mean, if you can't trust your own government agencies, who can you trust? ( :D ) Anyway, if you must have an attitude, try something other than paranoia - (they'll come after you if you do that, you know!)

Wow. All I have to say is: Woah. Calm down.

This reminds me of the conspiracy saying that men really didn't land on the moon and only made doctored photos and videos to show everyone.

Do some more research.

The NSA did not program OS X. They merely wrote, as the article says, a security configuration guide to configure your firewall/user accounts/etc. You can read it here:
http://www.nsa.gov/snac/downloads_ma...ID=scg10.3.1.1

The PROMIS software is NOT any form of malware. It's a encrypted database system developed by Inslaw software that the government uses to protect top-secret documents.

NSAKEY is indeed just a simple registry entry, like the hundreds of other entries listed there.

Also, Ari Ben-Menashe is a complete liar:
http://en.wikipedia.org/wiki/Ari_Ben-Menashe

Yes, it is from Wikipedia, but all of the sources are cited on the bottom. You can verify the article yourself, if you want.

"spinner of tangled yarns" - yeah, that seems right!

Ben-Menashe is not a complete liar. I don't see it as black and white. Many of his claims have checked out: see Vanunu, Maxwell, Iran-Contra etc.

Anyway this is turning into a political argument which it wasn't intended to be ... I just wanted to know how secure the computer system is for macs. It looks like it's a case of backing the data up and being aware that anyone can spy on your computer if you use the internet.

And I believe man landed on the moon :)

oops, what happened? Sorry wrong thread for some reason.

.
As I recall, the NSA has publicly posted a number of excellent guidelines to system security. (You’re welcome to search and download those.)

I do not have an inbred trust of government agencies, particularly those dealing in the intelligence field. However, in this instance I am actually inclined to believe that the NSA’s involvement is benevolent.

Why? A vast number of American companies are, in one way or another, involved as providers to the military sector. The NSA has a vested interest in keeping those systems secure.

Which means closing, rather than opening, back doors.

What ThreeDee writes seems to confirm that.

-- ArcticStones
.

This is the stupidest thing I have read in weeks, period.

I won't get into the NSA debate, since that's all over the Internet, but C is not some kind of impenetrable cryptic construct. Typical conspiracy theorist stuff, taking one or two pieces of disturbing truth and then freaking out like a defective toy robot.

I'd love to see the inside of this guy's apartment. I wonder how many deadbolts are on his door.

http://content.imagesocket.com/image...oil_hat2a8.jpg

.
Macuserhere, one little matter of protocol: Unless these articles are public domain, they should not be quoted at such length. Rather, copyright material should be linked to, summarised, and/or quoted briefly.

:) ArcticStones

I don't agree. I think the NSA is spying on us and the NSA in turn are being spied on. I also think NSA is aware of this and for political reasons doesn't do anything about it. As I've said it's mostly a matter of politics what you believe. Suffice it to say, I've read all these articles by this guy, Myers, pertaining to this, plus articles by others about PROMIS (Bollyn is one author), and because they all agree with each other on the basics, I tend to agree with them. I think that inaccuracies such as C+ being a complex language or not* really doesn't change the substance of the theories in the main article, and dwelling on them and pointing them out as the basis of one's skepticism is like looking at the speck of sand in a bucket of pebbles and saying the presence of sand disproves the bucket is full of pebbles.

And I guess that people with the ability to know whether macs can be spied on, mainly experts who work for Apple, would not divulge this for obvious reasons. They want to protect the company and not reveal things that would make its customers lose confidence in their product (although we don't have much choice anyway, and also Apple may not have had a choice either). Anyway, I just threw that out there as I thought it might spark some interesting discussion by Apple 'insiders' who could give details about the security of macs or how to make them more secure and clear up that ambiguity about macs in the last part of the article in the OP. But it seems to have sparked off more of a political debate than a technological debate so perhaps I was better off posting this in a technologically-minded conspiracy forum in the first place.

* And Linux being open source (more eyes can pick up anomalies than fewer ones can) does make it less likely for the software to have been compromised. That makes me have faith in that system although I wouldn't have a clue as to how to operate that software.
.

There is always paper and pencil. ;)

Or use Linux and keep clear of the random-number generator Dual_EC-DRBG.

Backdoor to Vista

I've narrowed the backdoor to this random number generator:
random number generator.

Look at the date of that blog entry and the date of the Wired article; it seems this issue is very current.

Do macs use this random number generator? And what are the implications of the new macs that have the option of switching to a Windows OS?

Another article about NIST and the random number generator:

NIST encryption standard may have NSA backdoor
Why is NIST/NSA pushing an inferior logarithm onto computer makers?

I'd prefer OpenBSD for a maximum security platform.

http://www.openbsd.org/index.html

From that link:
Essentially, this is what I said in post # 12. In this case, Netscape had to close the hole, whether or not it was due to an NSA backdoor.

There will always be the possibility that some one could be spying on you, and they may or may not be using computers to do it. If you're worried that somebody might be, get a router and use Little Snitch. That will add a couple of difficult layers of defense for them to penetrate.

Open source intelligence. Interesting concept. Do you really think they would knowingly share/leak information to a third party which they probably wouldn't even share with another government department? Disinformation maybe.

Let me say this:

Any computer can be spied upon, no matter what. Even with some super-complex firewall, anti-intrusion programs, etc, even if there is no actual NSA backdoor, someone is always going to find a way in. Security programs just make it harder for someone to hack into your system. There are possibly many other flaws and holes to exploit. It might be pretty difficult to find them, but it is possible.

Oh, and:
What exactly is the NSA trying to find by spying on us? They can easily go through government files and find our SSN, credit card numbers, etc. without having to hack into our computers.

It seems this goes much deeper than I gave credit. We're through the looking glass here, people...

Re: The technological debate
 

Agreed, the technological side of this debate is the interesting one. The rest is as much smoke & mirrors, opinions & conjecture as anything else. Also: I take what you said about the NSA above for granted. We live in an Age of Transparency -- and that is particularly true of digital aspects of our world.

Then again, I assume that all my digital communication passes through NSA filters (without attracting interest), be they word or phrase trigger filters or whatever.

I really do wish that I had the prerequisite knowledge to go into the technological side of this. But I don’t, so I readily admit that what I have ventured so far is mere conjecture. I’ll be reading with fascination the thoughts of those of you who are qualified do so.

Thanks for well-organised posts and links to a wealth of material on the subject! :)

-- ArcticStones

Considering that AES 128 is approved by the NSA for classified documents up to Secret, and AES 256 is approved for Top Secret, I consider it highly unlikely that these security measures have a backdoor for NSA or any other US government agency. Even if they did, the secrecy of the ability to do so would be so valuable that it could be utilized only extremely rarely such that only a handful of people in the world would be at risk of being compromised by such measures.

Is this really something that needs to be debated?

AT&T domestic spying

Uncle Sam trying to protect it's stool pidgeons

COINTELPRO

Yellow Dots on my resume?

Does NSA have a back door? Who cares! They can spy on us whenever they want.

Well, I certainly would like to know more about the relevant technologies, any inherent security weaknesses in my OS of choice, and what I can (or cannot) do to make my system more secure.

Maybe a back door isn't really needed, after all. From Wikipedia: Doesn't this imply that no matter how secure AES itself may be, it can be defeated in a de facto sense if the security incorporated into the computer has any unauthorized access "holes" at all? As previous posters have stated in different words, there is no absolutely certain firewall.

"The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm
not even too sure about that one"
-Dennis Huges, FBI.

I've heard this quote in many different forms...but Mr. Hughes (if he really exists ;)) will get credit this time.

I guess my "who cares" statement wasn't meant to disregard your quest for knowledge Arctic...but more to say that if they want to spy, "they" will find a way...and they have been finding ways.

I've read that it's possible to monitor one's activity by monitoring emitted radiation from CRT monitors. I'm not sure if anything similar exists for LCDs.

Monitor's flicker reveals data on screen

Seeing through walls

I wonder how many bit encryption was cracked. As far as I know, AES 128 and 256 have never been cracked, although the systems they protect have been, on rare occasions, by methods other than defeating the encryption.

Personally, if it were that important to me to breach someone's encrypted computer, I would probably use a small camera to monitor the keyboard for the password, or some other way that would be far, far easier than trying to break the encryption directly.

Apparently, it is AES 128, and in a matter of just seconds!

From their paper <http://people.csail.mit.edu/tromer/papers/cache.pdf>:
It's also probably worthwhile to note that this is freely disseminated, common knowledge stuff that the powers that be don't really care about. I understand that historically, "they" have actively suppressed encryption/decryption info they really don't want the public to know about.