Jacob Appelbaum's must-watch 30C3 talk: why NSA spying affects you, no matter who you are

Sunday's Snowden leaks detailing the Tailored Access Operations group — the NSA's exploit-farming, computer-attacking "plumbers" — and the ANT's catalog of attacks on common computer equipment and software — were accompanied by a lecture by Jacob Appelbaum at the 30th Chaos Communications Congress. I have seen Jake speak many times, but this talk is extraordinary, even by his standards, and should by watched by anyone who's said, "Well, they're probably not spying on me, personally;" or "What's the big deal about spies figuring out how to attack computers used by bad guys?" or "It's OK if spies discover back-doors and keep them secret, because no one else will ever find them."

Nominally, Jake's talk is about the details of the spying tools developed by the NSA, but the talk goes well beyond that. The meat of the talk is the analysis of the legal framework under which these are developed and what the consequences to the wider world are.

The development and hoarding of vulnerabilities in widely used systems represent a risk to everyone who relies on those systems — not just people the NSA want to spy on. Even if you trust the NSA, you need to know that every bug the NSA keeps secret is a bug that might be independently discovered by another agency you don't trust — or a criminal group — and used to attack you. Not because you're a special target, but because an untargetted attack aimed at the whole Internet happens upon you and turns your computer into something that spies on you to sexually exploit you or clean out your bank-account or just sell off all your World of Warcraft stuff.

To drive home this point, Jake details a secret NSA exploit from its catalog, and points out that another speaker at 30C3 had actually independently discovered that exploit and disclosed it at the same event. The lesson: anything the NSA discovers and doesn't patch will be discovered by someone else and exploited.

Jake discloses the way that the NSA determines which targets are fair game for deeper scrutiny, including having your mobile phone in close proximity to an existing target, like Jake himself. To drive home the point, he switches on his phone and says, "Right, anyone who's phone is on now is on the list now."

Beyond the political and technical messages, Jake's speech is great for the details of the spycraft disclosed in it — the fact that Iphones are completely compromised and can be successfully attacked 100 percent of the time (Jake suspects that this suggests collaboration on the part of Apple) and the fact that Wifi can be intercepted and compromised from eight miles away and that the NSA might use drones against Wifi.


30c3: To Protect And Infect