by adeon 405 days ago
Is there any reliable source for the NSA paying Rovio other than this random bar discussion? Not that I don't believe you or that I'm naive about the NSA and the power of money, but I looked around news from 2014 and the accusations against Rovio specifically are of a somewhat different flavor. It seems that Rovio was oversharing data with ad networks (Millennial Media comes up a lot), and the NSA likely slurped data from the advertising companies. This bar banter is suggesting that the NSA had some kind of arrangement with Rovio directly instead, and Rovio willingly went along.

Or alternatively, do you feel the Rovio employee's blabbering was talking about an actual, real NSA deal with Rovio, or was it more like a bar joke and direct NSA co-operation was not really implied? (e.g. "we know our security is bad, but these ad companies pay us $XX million to not use encryption so it's sorta like NSA pays us to keep it that way sips beer").

I'm interested, because if that is an actual thing that happened, then that's an example of the NSA paying a Finnish company $$$ to weaken their security, and the Finnish company willingly agreeing to that. Is it in the NSA's modus operandi to approach and then pay foreign companies to do this sort of thing?

Your comment is describing it in a few words, but to me it sounds like it maybe wasn't implying actual direct NSA co-operation, more like someone doing bar banter and being entirely serious. But that's just me trying to guess the tone.

(I'm Finnish. I want to know if Rovio has skeletons in their closet. So I can roast them.)


From an intelligence perspective, this is business as usual.

- Rovio sold data to ad companies (ad companies primarily based in the US)

- They used AWS (to which of course NSA has legal access)

- Data is not end-to-end encrypted; all metadata sits on servers in plain text and within AWS even moves from server to server in plain text

How much insight metadata can grant to someone like the NSA is still wildly underrated.

- https://www.propublica.org/article/spy-agencies-probe-angry-...

Ah yeah, I saw the ProPublica one as well; it was one of the first articles I found when looking into the topic. I don't doubt at all that Angry Birds data was used by the NSA; that doesn't seem controversial.

The specific question I am interested in is: did Rovio knowingly and willingly accept $$$ from the NSA (directly or indirectly) to weaken their security? I.e., were they acting as a willing accomplice?

Because that part would be unusual for Finland (well, at least as far as I know). For US companies I wouldn't bat an eye at news like this.

Here is a nice talk by Byron Tau, who has also written a book titled "Means of Control" detailing some of these flows, covering ad tech companies, data brokers, and how government contractors use them and serve as a key player in providing services to intelligence agencies.

- https://www.interface-eu.org/events/background-talk-with-byr...

I think they definitely knew that they were embedding code from US-based ad agencies who might either be selling it to the NSA or just doing it in an insecure manner (plaintext protocols).

Mostly in such cases, direct involvement and paying dollars is a clear no-go for the intelligence agencies. They could instead be paying the ad agencies.

Also note that we are talking about the pre-Let's Encrypt and TLS-everywhere world; a lot of this traffic was also just plain text, making it much easier to harvest.

Some interesting insights from this piece: https://web.archive.org/web/20180719081149/https://theinterc...

Thanks for the resources. Got back to procrastinating on HN and checked the resources (briefly looked at the transcript of the video, but found this article more interesting).

I've always assumed that some amount of unencrypted HTTP traffic is going to be slurped into archives, but I've been too lazy to really check an example and what that looks like in the real world. That BADASS system is an example, focusing on phones. I've also run mitmproxy in my home to learn, and then I've wondered if the big agencies have something like that but much more scaled and sophisticated.

I've recently got into studying security: deobfuscating or decompiling code, trying to find vulnerabilities or bad security in websites and programs. I've found some, although nothing worth writing home about. I found a replay attack in one VSCode extension that implemented its own encrypted protocol, but it is difficult to use it to do real damage. Found a bad integrity check library (hopelessly naive against a canonicalization attack) used by another VSCode extension. I've found something weird in Anthropic's Claude website after you log in, but because their "responsible security policy" is so draconian, I don't want to bother trying to poke at it to research it further in case I earn their wrath.

Biggest bummer I found is that a video game (Don't Starve Together) I had played for a long time with friends does not have any encryption whatsoever for chat messages to this day. (People are gonna say private things in video game chats.) The other video game I play in multiplayer a lot, Minecraft, has encryption (a bit unusual encryption, but it is encryption).

That article gave me a bit of validation that I'm not a nut for giving a shit about encryption and security, and for being annoyed at the ungodly amount of analytics I see in mitmproxy that my laptop is blabbering about.

Misheard and it was RSA instead of Rovio? The numbers match... :-)

https://www.reuters.com/article/world/exclusive-secret-contr...

Perhaps $10M is the standard rate for this type of service?

Lol, yeah, I also learned yesterday that there is apparently an NSA, the National Security Authority. No, not the NSA this article is talking about and that everyone knows about.

I mean: National Security Authority, "Kansallinen turvallisuusviranomainen", which appears to be some office/people under Finnish foreign affairs: https://um.fi/national-security-authority-nsa-contact-inform...

I will say I got confused for a moment yesterday when googling the topic here, because when you put NSA and Finland in the same search, it would turn up topics about this other NSA that just happens to exist, which I had never heard of before, and which just happens to be Finland-associated.