Maybe I was a little slow, but at some point I realized that digital security never was, for the most part.
We who work or play in the field of computer security (CompSec) have been trading stories of government intrusion into everything digital. While there is plenty of legend and silly speculation, it’s not paranoia if you see actual evidence. For example, while repairing a used computer someone got third-hand, my friend and I encountered a section of wire with a chip inline that he recognized as a short-range transmitter. He showed me the reference numbers on the chip compared against a list of standard electronics parts numbers to prove he was justified in being so animated about this discovery. It had no legitimate computing function. What do you tell the owner? If they believe your report, you gain respect and trust. If not, you become marginalized as a kook. Then again, maybe it’s a trap for you, the repairman.
You have to be a little nutty to get involved in computer stuff in the first place. But enough of us faced various forms of harassment from various levels of government that we never trusted anyone without a long informal probation of sorts. The same goes for too many companies involved in computer manufacture, but we reserved our greatest distrust for anyone making money from software. Not in the sense of malicious intent — such as we might expect from government agents — but because the profit motive made folks sloppy. We did place a little hope in security software makers, but no real trust.
While none of us are surprised by reports like this, we are entertained by the back-n-forth verbal shots between spokesmen for government and security software vendors. You learn to suspect that government espionage is like that, but it’s almost worth crowing over such specific revelations as this article offers. Granted, I still believe The Intercept is hiding something themselves, but that’s another story. The point is, this much is documented and we have no reason to doubt what they chose to reveal.
Thus, the recent announcement from Kaspersky about Duqu 2.0 found on their servers is just another exchange of virtual gunfire. It’s hardly new, just another incident in the long-term war, and you can be sure we aren’t getting the whole story. At the very least, we learn that you are really very lucky if you can just keep using your own computer for your limited purposes.