Business Week on The Cyberwar Arms Race

I've been using the phrase "arms race" to describe the world's militaries' rush into cyberspace for a couple of years now. Here's a good article on the topic that uses the same phrase.

Posted on August 8, 2011 at 6:13 AM • 60 Comments

Comments

Richard Steven Hack • August 8, 2011 7:09 AM

I mentioned this article in the post on "Is there a hacking epidemic" back on July 22, to wit:

And the corruption of the security industry goes on:

Cyber Weapons: The New Arms Race
http://www.businessweek.com/printer/magazine/...

Companies that are developing zero-day exploits for profit and targeting anyone at all.

And someone at the FBI said Anonymous actions were "unacceptable"?

Posted by: Richard Steven Hack at July 22, 2011 7:21 PM

The main thrust of that article is how a bunch of security companies are basically fueling this arms race at the behest of the military and intelligence agencies. They're developing even more ways to compromise IT security everywhere and getting paid for it while groups like Anonymous which actually demonstrate with basic exploits the poor security of national and corporate IT systems get chased by the FBI.

I'd like to see Anonymous and Lulzsec take down a few more of these outfits a la HBGary Federal. And this time get into their development servers rather than just their Web and email servers, pry out these offensive hacking tools and spread them all over the Internet to level the playing field.

Clive Robinson • August 8, 2011 9:31 AM

On reading the article I spotted a comment made by Dave Aitel (founder of computer security firm Immunity),

“This stuff is more kinetic than nuclear weapons,”

That made me think 'What world are these clowns living in.'

One of the reasons China is developing not just its own operating system but many apps is because it is obvious to anybody who cares to look that the OSs and apps developed or augmented by the major commercial software houses are in effect beyond redemption from the security perspective.

What amazes me is the lack of "security mindset" most of these companies exhibit even when it is their major cause for existence.

Take RSA for instance, what on earth were they thinking?

However from the recent quarter's figures it looks like it had a minimal impact on RSA's bottom line...

Oh and what about the likes of SAP and Oracle, the data their software holds is often the "crown jewels" of the organisations business operations...

I suspect that in the WASP nations with the short sighted very short term view from the politicos down, nobody is about to consign 99% of the most used business software to the bin. Nor do I assume that the majority of businesses are going to give up the (supposed) "competitive advantage" that they think the flashy but flaky online software gives them, whilst conveniently ignoring it has a history of allowing others to rape their data repositories.

So where do we go from a security perspective?

One solution might be to get rid of the short term thinking chancers in walnut corridor and replace them with those who are somehow tied to the long-term interests of the companies they manage.

Another solution might be "outsource the whole deal to the Chinese", then at least we know who is stealing our data, and they then have a shared interest in stopping others stealing it.

Although the above para is meant to be sarcastic, we should remember that many organisations have already outsourced their companies' IT solutions to the likes of India, and many software houses have outsourced software development to India and other countries who realistically are only one or two steps away from being involved in a very real bombs and bullets kinetic war.

David Cowan • August 8, 2011 11:15 AM

> And someone at the FBI said Anonymous actions were "unacceptable"?

Bruce, are you implying that citizens ought to be able to do anything we authorize our military to do? Should Lockheed have to share their missile designs so anyone can build *and use* a nuclear warhead? If you think it's a good thing that the public at large (both home and abroad) can't buy and use the most destructive kinetic weapons, why would cyber weapons be any different?

Furthermore, "taking down" HBGary makes for good theatre, but it is not actually as meaningful as it first sounds. If it's hard but still possible to hack into their network, does that really mean that their products don't work? The answer is no, unless you think it's pretty easy to develop a HACK-PROOF infrastructure (which I know you don't think).

Brandioch Conner • August 8, 2011 11:37 AM

That article is heavy on the hype and very light on the details.

"Either way, these zero days are militarized—they’ve undergone extensive testing and are nearly fail-safe."

Nice emotional sentence there. Too bad it doesn't mean anything.

"People who have seen the company pitch its technology—and who asked not to be named because the presentations were private—say Endgame executives will bring up maps of airports, parliament buildings, and corporate offices. The executives then create a list of the computers running inside the facilities, including what software the computers run, and a menu of attacks that could work against those particular systems."

So I'm thinking a combination of NMAP and web site traffic statistics matched against IP addresses.

"To deal with the Code War, which amounts to a constant state of threat, governments and companies can always try to develop their own technology."

"Code War"?
Heavy on the hype. Light on facts.

And it fails the most basic test - if these are such terrible threats ... that can be mitigated with a simple software patch ... why are we NOT seeing such patches for our own systems?

Why leave OUR cities so vulnerable just to be able to strike at THEIR cities (when they use less technology than we do)?
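The "list the computers inside a facility, what they run, and a menu of attacks that could work" workflow quoted from the article, and the Nmap guess above, amount to an asset inventory joined against a product/version table. As an added example (not from the article, not any Endgame or commenter code), the block below parses Nmap's `-oX` XML output into a service inventory and matches it against a local menu. The XML document and the menu entries are constructed for the example; the version thresholds and attack labels are arbitrary placeholders, not real advisories.

```python
"""Inventory services from Nmap XML and match them against a local attack menu.

Added example. The Nmap XML below is constructed, not a real scan, and the
EXPLOIT_MENU entries are hypothetical placeholders with arbitrary thresholds.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the shape Nmap writes with `nmap -sV -oX -`.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.15"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows 7 - 10 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/>
        <service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical menu: product -> [(version predicate, attack label)].
# A real tool would key on CPEs and populate this from a vulnerability feed;
# these thresholds are illustrative only.
EXPLOIT_MENU = {
    "OpenSSH": [(lambda v: v < (6, 0), "ssh-old-version-attack")],
    "Apache httpd": [(lambda v: (2, 2, 0) <= v < (2, 2, 22), "apache-2.2-pre-22-attack")],
}


@dataclass(frozen=True)
class Service:
    addr: str
    port: int
    proto: str
    product: str
    version: str


def parse_version(v):
    """'5.3p1' -> (5, 3, 1); '2.2.15' -> (2, 2, 15). Keeps only the numeric
    fields, which is enough for ordered comparison in the menu predicates."""
    return tuple(int(x) for x in re.findall(r"\d+", v)) if v else ()


def parse_nmap_xml(xml_text):
    """Return the open services in an Nmap -oX document as Service records.
    Filtered/closed ports and ports with no <service> element are skipped."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None:
                continue
            services.append(Service(addr, int(port.get("portid")), port.get("protocol"),
                                    svc.get("product", ""), svc.get("version", "")))
    return services


def match_menu(services, menu=EXPLOIT_MENU):
    """Return {(addr, port): [attack labels]} for services whose product and
    version satisfy a menu predicate. A service with no version string never
    matches: a bare banner is not evidence that an attack "could work"."""
    hits = {}
    for s in services:
        if not s.product or not s.version:
            continue
        ver = parse_version(s.version)
        for pred, label in menu.get(s.product, []):
            if pred(ver):
                hits.setdefault((s.addr, s.port), []).append(label)
    return hits


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for s in inventory:
        print(f"{s.addr}:{s.port}/{s.proto}  {s.product} {s.version}".rstrip())
    for (addr, port), labels in match_menu(inventory).items():
        print(f"candidate attacks for {addr}:{port}: {', '.join(labels)}")
```

The defensive reading is the same join run the other way: feed your own `-sV` output through `parse_nmap_xml` and diff it against your patch records, since whatever a vendor's menu matches on your hosts is exactly what an unpatched inventory exposes.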

Nick P • August 8, 2011 1:02 PM

@ Brandioch Conner

"Why leave OUR cities so vulnerable just to be able to strike at THEIR cities (when they use less technology than we do)?"

That's the question security professionals have been asking NSA & DOD for years. The unspoken answer is that their ability to strike their enemies is more important than the safety of large numbers of Americans. They've probably framed it in their mind as some kind of all-or-nothing game where the whole country goes up in flames if the enemies get their hands on "secure" computing technology.

Hence, they must keep the real secure systems to themselves, leave us with hardening guides, and develop exploits that work on arbitrary systems, domestic and abroad, hardened or not. It's a sick game.

Note: A perfect example of this stance is TEMPEST and EMSEC. Look them up. Governments have been using emanation attacks to compromise secret data for decades. The TEMPEST standard shows how to shield computers to prevent many EMSEC issues and reduce risk of others. Academics have recently reinvented emanation attacks & sophisticated crooks may be using them on high value targets. All modern systems are at risk. Yet, the TEMPEST standard is still classified & TEMPEST-protected systems are controlled items. Only NATO governments & contractors are allowed to have these protected PC's. The rest can't even read how they are built. Why? Presumably it makes it harder for NSA to spy on people & might allow enemies to build EMSEC-safe PC's. Does this justify putting 300 million people and billions of $$$ of I.P at risk? No, but they continue to do so.

Nick P • August 8, 2011 1:49 PM

@ Richard Steven Hack

I hope those companies' security is really good. An Ocean's Eleven grade attack against a firm to steal their exploit software would be worth the investment. I'm not posting details for obvious reasons but I think I already have a recon phase worked out that would provide enough info for a snatch-and-grab & prevent the cops from getting there. The initial concept takes about two weeks of prep & the recon effort would cost under $50k.

Increasing the time & sophistication, a professional job using combined physical and digital attacks would take a few hours and cost under a million. The attack can be done in such a way that most employees think nothing's wrong: they think the extra people screwing around in the offices are DOD auditors or maybe even beefing up security. They say these kits sell for about a million a year each. What would various governments pay to have all of them? A mil or two investment to get $20-30 mil per country in return? Groups like the Russian Business Network have that kind of money...

I'm truly concerned that these companies may be building an arsenal that they will inadvertently hand to our enemies in the future. Nation states & high end criminal groups like RBN would certainly want dozens of sploits and tens of millions of dollars in weapon sales. The risk is very high here. So, I hope they're employing security measures that rival those of a typical military base because they're going to need them.

Richard Steven Hack • August 8, 2011 2:03 PM

Clive: "One solution might be to get rid of the short term thinking chancers in walnut corridor and replace them with those who are somehow tied to the longterm interests of the companies they manage."

Heh, as you well know, that is even less likely than replacing all the existing software in the world. :-)

David Cowan: "are you implying that citizens ought to be able to do anything we authorize our military to do?"

Since you ask: Yes.

"Should Lockheed have to share their missile designs so anyone can build *and use* a nuclear warhead?"

Since you ask: yes.

"If you think it's a good thing that the public at large (both home and abroad) can't buy and use the most destructive kinetic weapons, why would cyber weapons be any different?"

Well, possibly because so-called "cyber-weapons" can't really vaporize several million people in several seconds, to start.

Second, for someone talking about "good theater" below, suggesting that I'm saying everyone should own a nuke is fairly dramatic.

And yes, if everyone owned a nuke, I wouldn't have to deal with quite a few idiots in this world. So there is an upside to that.

But of course, living in the real world, not everyone will even own a gun, let alone a nuke, so your hyperbole is irrelevant to my point.

"Furthermore, "taking down" HBGary makes for good theatre, but it is not actually as meaningful as it first sounds."

This statement isn't as meaningful as it first sounds.

"If it's hard but still possible to hack into their network, does that really mean that their products don't work? The answer is no, unless you think it's pretty easy to develop a HACK-PROOF infrastructure (which I know you don't think)."

First of all, I never suggested their products "don't work" (although I wouldn't be surprised if some of them didn't, since several of them appear to be "vaporware" intended to drum up business.)

What I - and many others - question is what some of their products were apparently intended to do precisely because they appear to be intended to defeat computer security for the benefit of certain groups and corporations. In short, HBGary Federal was selling the same "cyber-weapons" you feel are not a good idea.

Since you have a problem with "cyber-weapons", I would think you'd be interested in whether HBGary Federal and the other companies cited in the article are in fact developing those same "weapons".

However, it appears to me your main complaint is my "leveling the playing field" remark. From which I take it that you work for one or more of these companies and feel that selling "cyber-weapons" for a profit to any corrupt corporation or government in the world - which includes the US government - while keeping them out of the hands of those who would resist such corruption is beneficial to society at large.

Interesting argument. Well, no, actually it isn't.

I actually don't have a problem with anyone developing any technology and handing it off to anyone - in the abstract. In the real world, there are certain people who need to go down and others who need to be able to enable that. As I've said before, I don't see much distinction between a group that will blow up a civilian bus and the US military who will bomb a neighborhood full of civilians on the spurious excuse that they can't send in troops to deal with the half dozen "bad guys" in one building - something US cops do on a daily basis - especially considering that the "bad guys" are only trying to get the US troops out of THEIR country which was invaded and destroyed for the same spurious reason ("we had to get the 'bad guys'").

So personally, however theatrical and shotgunning and ineffective in real terms Anonymous is, I'd prefer them to have 0-day exploits and "cyber-weapons" than some corporation or government. Contrary to popular belief, there are limits to the damage "anarchy" can do, while there are few limits to the damage a much larger and more organized corrupt corporation or state can do.

So you pick one side of that fight, and I'll pick the other.

And despite my use above, I find the term "cyber-weapons" to be hyperbole as well. Stuxnet was malware or maybe sabotage, little more. It wasn't "war", even though it was intended to damage a country's nuclear energy program.

"War" would be blowing up Natanz, not damaging some centrifuges. And the people behind Stuxnet are perfectly intent on doing just that when they decide they can get away with it, regardless of the cost to US military and civilians and Iranian civilians, as long as it profits those same military-industrial and security-industrial complex corporations that are developing these so-called "cyber-weapons."

So if Anonymous wants to use a "cyber-weapon" - or just plain old SQL injection - to expose that corruption, I don't have a problem with it.

Nick P • August 8, 2011 3:05 PM

@ RSH

"Nick P: Shhhhh!!! You're exposing my future business model! :-)"

It's all yours pal. I'd rather not be targeted by the entire NATO military industrial complex. Sure I might have a defensive gambit or three, but it's just too much stress. Besides, I'd like to have a bit more fun in the States before retiring to the Caribbean, Bangkok, or New Zealand. ;)

Oh, btw, I got a new bittorrent client you might like to try. Many people like uTorrent because it's light and fast. Well, one group got rid of its extra unnecessary features and made an even lighter one. Check out Halite client if you haven't yet.

@ all OFF TOPIC

This discussion somehow made me remember to check on what In-Q-Tel was up to these days. I often joke to friends or clients that I "can get the same stuff the CIA uses." It's actually more true than a joke, but not as elite as it sounds. A long while back, CIA created a venture capital firm called In-Q-Tel to invest in companies building what they need. The idea was to make the tech dual-use so the investment would be recovered by sales to non-government organizations.

Needless to say, they built a lot of cool shit and you might have used some of it. Most of these solutions only benefit big enterprises or are way too expensive. However, I found a few that are really cool and might be useful to individuals and SME's.

My new favorite VDI or thin client solution
http://www.teradici.com/pcoip/...

Free for personal use Remote Teamwork, Video, etc.
http://vsee.com/

And I should mention 3VR video analysis because their product is just cool as hell. Additionally, one of those companies developed a super-resolution image enhancement that turns blurry images into readable ones, even in real time. I can no longer say "those CSI scenes are bullshit"... (sighs)

I also found out they funded VeraCode. Submit your code for quality check & it's in the hands of the CIA. Surprise! Hey, I think I got a new idea for covert intellectual property theft. Well, I guess it's not really "new", is it? ;)

Brandioch Conner • August 8, 2011 3:23 PM

@ Nick P,
"The unspoken answer is that their ability to strike their enemies is more important than the safety of large numbers of Americans."

I don't buy that. If it was a legit threat, I'm sure they'd worry about defense first and retaliation second.

Particularly since retaliation could involve physical attacks.

Imagine that it was a legit threat. And the bad guys took out a power grid. And people died. And we retaliated with our military.

And then it was revealed that the only reason anyone here died was because the government knew about the vulnerability and refused to notify the vendor to patch it.

It's all about the hype.

Richard Steven Hack • August 8, 2011 4:13 PM

Nick P: Halite is Windows only, apparently. In any event I only use Bittorrent on occasion, and KTorrent in openSUSE is good enough.

"I'd rather not be targeted by the entire NATO military industrial complex."

Why? They can't get Gaddafi, they damn sure can't get me, I'm a much smaller target. :-)

"I'd like to have a bit more fun in the States before retiring to the Caribbean, Bangkok, or New Zealand. ;)"

My business plan IS fun in the States! If you like your work, why retire? And you won't find me in any of those countries because I don't like excessive heat. About the only place I know that I can tolerate is San Francisco.

Reminds me that I just watched that whacked-out cyberpunk movie "Johnny Mnemonic" with Keanu Reeves (and the smokin' hot Dina Meyer) the other night. Classic line: "I want room service!"

Brandioch: "And then it was revealed that the only reason anyone here died was because the government knew about the vulnerability and refused to notify the vendor to patch it."

Yeah, but the only way that would be revealed would be if Anonymous dug out the documents. The government would never admit it on its own - and the news media would never print it without permission.

It's not JUST about the hype. It's about justifying striking the US (alleged) "enemies". Nick thinks they care more about attacking enemies than defending. That's true, but not in the way he thinks. They withhold mitigation because that ENTICES enemies to attack - thus justifying the US response, which was the end goal all along.

You can always start trouble if you want to. All you have to do is: 1) push someone into attacking (i.e., Muslims), or 2) let an attack by a "real enemy" - whom you created via 1) - take place (i.e., 9/11), or 3) just fake it: the Gulf of Tonkin incident or the Lavon Affair.

This whole "China is the enemy - cyber and physical - we have to get ready to nuke 'em - digitally or physically" crap is just a self-fulfilling, self-serving prophecy intended to make sure the military-industrial complex never runs out of enemies to justify its profits.

This scam has been going on since the nation state first came into existence, but has reached its zenith in the US.

Nick P • August 8, 2011 4:25 PM

@ Brandioch Conner

"I don't buy that. If it was a legit threat, I'm sure they'd worry about defense first and retaliation second."

NATO countries spend several billion dollars a year on TEMPEST shielding alone. I'd say they think it's a legit threat. That leaves the question: if it's that important, why aren't American companies allowed to defend themselves when nations are attacking them (Operation Aurora)? Additionally, high assurance systems, provably secure against malware or subversion, are classified as a munition under export control laws. Makes it nearly impossible to recover an investment & hence only defense contractors build them & only government & defense contractors can buy them. Again, why can't Americans buy American-built technology certified to be immune to malware, tamper resistant & free of covert information leaks?

They build it, buy it, sell it to allied governments, and then tell me neither I nor my companies can have it. Then they say we're vulnerable across the board to cyberattacks, we need to do something about it, and we must give control to them so they can protect us. If their goal is making our infrastructure secure, then their actions are 100% inconsistent with it. However, actions like banning secure PC's make a lot of sense if they just want government assets to be secure & want easy access to most American's (and foreigners') computers. Do you really doubt this is NSA's intention? Clipper chip, massive phone call vacuuming, Echelon, banning export of over 40-56bit keys, putting a subverted ECC RNG in Windows 7... and you think they want to "secure" our computers from unauthorized information leaks or compromises? Get real dude.

"And then it was revealed that the only reason anyone here died was because the government knew about the vulnerability and refused to notify the vendor to patch it."

They're *stockpiling zero days* right now. The specific companies are in Bruce's link. Stockpiling zero days = intentionally leaving vulnerabilities in Americans' systems so you can hack your enemies who use those same systems. If anything catastrophic happens because of one of those vulnerabilities, the government would be ethically responsible. Their behavior here is consistent with my above claims. They need to be building secure PC's for Americans & stockpiling 0-days for enemies' technology. Instead, they are forcing us to use insecure platforms, banning secure products from common use, and stockpiling 0-days that target us and foreign states.

Yeah, Conner, just keep thinking they care about you or want your stuff to be secure. Look at all the collateral damage the US/Israeli designed Stuxnet did with zero-days just like these. Look at all the data breaches that have occurred because those high assurance products aren't available to most businesses. Look at actions like these & continue to believe they care about our security. Just keep dreaming. Maybe you won't wake up to a government-caused nightmare. I won't bet on it.

Brandioch Conner • August 8, 2011 5:32 PM

@Nick P,
"NATO countries spend several billion dollars a year on TEMPEST shielding alone. I'd say they think it's a legit threat. That leaves the question: if it's that important, why aren't American companies allowed to defend themselves when nations are attacking them (Operation Aurora)?"

Wasn't "Operation Aurora" accomplished through regular cracking practices?

Why worry about TEMPEST when regular cracks will get you everything you want?

"Their behavior here is consistent with my above claims."

I don't see that. What I do see is a lot of hype about the "threat" and how devastating it would be.

Now, the simple explanation for that is so that vendors can sell products to the government and provide high paying jobs for ex-government people.

"Look at all the data breaches that have occurred because those high assurance products aren't available to most businesses."

Most of those data breaches seem to have occurred when basic security practices were not followed and used existing exploits. Not because the crackers used TEMPEST technology.

NZ • August 8, 2011 7:19 PM

My standard question: we do have a secure and free OS. Why is it _never_ mentioned in articles like this?

@Nick P
It seems that Halite is unrelated to uTorrent. Am I missing something?

Nick P • August 8, 2011 8:46 PM

@ Brandioch Conner

You've missed the key points of my post. I brought up Operation Aurora because it shows our companies are being targeted by nation states' hackers. Only high assurance systems can defeat remote attacks by this level of attacker. These systems exist but the government doesn't let us have them. Further, govt creates obstacles & restrictions to developing such systems.

Point: we have secure systems, very sophisticated enemies, and US govt won't let vulnerable US companies use said secure products. Additionally, many of these A1/EAL7/Type1 platforms can prevent entire classes of online attacks. We can't use them but gov can. Hence, US government promotes govt security and insecurity for the rest of us.

Nick P • August 8, 2011 8:49 PM

@ NZ

It was inspired by uTorrent. It's similar in that it's minimalist, small, uses little memory during operation, and has good performance. People who like lightweight BT clients like uTorrent might like it more. That's all.

Nick P • August 9, 2011 1:37 AM

@ NZ

Are you sure you're looking at the right one or did you see some abandonment notice I missed? I just loaded up this homepage...

http://www.binarynotions.com/...

...and the last release was August 2010 and last snapshot mentioned in forums was April 2011. It seems they're still operational. The review Clive posted indicated they've dropped support for WinXP to a degree because it's having issues but the software works perfectly on Win7. (Presumably, I'd say the author has a Win7 PC.) Either way, their source is Boost license so others could improve it as needed.

I could see a client this size making for an excellent covert bittorrent appliance or seedbox appliance. Could use a VM or a cheap embedded PC with resource usage rates this low. (I bet that new $25 computer I heard about might even be able to run it. :)

@ Clive Robinson

I appreciate the link. I'll be applying those optimizing guides soon.

Brandioch Conner • August 9, 2011 8:18 AM

@Nick P,
"I brought up Operation Aurora because it shows our companies are being targeted by nation states' hackers."

Okay.

"Only high assurance systems can defeat remote attacks by this level of attacker."

No. Again, because those attackers seem to be getting through using standard cracking techniques. They are not using TEMPEST technology. They're using social engineering and SQL injections and such.

"These systems exist but the government doesnt let us have them."

Again, the attacks are succeeding because the victims failed to follow basic security practices.
Not because the attackers used technology that the government is restricting access to.

The current articles are more hype than fact. This is because the vendors are looking for lucrative government contracts. The government officials are supporting the hype because they will receive lucrative jobs with those vendors in the future.

Nick P • August 9, 2011 3:56 PM

@ NZ

I know. I was relying on information in the support forums which mentioned a code revision done in 2011. I found further evidence the project is alive & the author is just really busy on his thesis.

http://www.binarynotions.com/forum/viewtopic.php?...

http://www.binarynotions.com/forum/viewtopic.php?...

So, no worries. ;) As for the ARM system, the idea was to port it to ARM & some dedicated OS. I'd probably have it running like a console app & the GUI on my Windows machine, with status & commands flowing back and forth. (It's an easy way to build dedicated appliances on cheap stuff: eliminate the GUI altogether! ;) The main dependencies are Boost and libtorrent. Worst case is that I would just use what I see in Halite to trim down another BT client for the appliance.

Nick P • August 9, 2011 3:59 PM

@ NZ again

A further look gave some promising information. For libtorrent on embedded system...

"libtorrent is a feature complete C++ bittorrent implementation focusing on efficiency and scalability. It runs on >>>embedded devices

...seems to be a piece of cake. And Boost already runs on Linux and BSD. So, a bittorrent daemon with console and GUI control on a $25 PC is doable. Yay! :)

Clive Robinson • August 9, 2011 6:10 PM

@ Nick P,

I know I should get out more (the Dr keeps giving me high strength vit D tabs) but...

"So, a bittorrent daemon with console and GUI control on a $25 PC is doable. Yay! :)"

Why?

Gabriel • August 9, 2011 7:35 PM

@moderator: Sorry, not trying to go off topic or too far with sarcasm, although I was trying to reflect on the mindset Clive mentioned, particularly how our shortsightedness, that is so stubborn to get rid of politically and economically, is feeding into all aspects. This includes security, since, who is going to care until it costs? The same CEOs making lousy decisions that have been selling out the value of not just their companies but also of this country, to the detriment of all, are the same ones making the decisions regarding security.

So taking all the sarcasm out, even after a financial meltdown, the "stakeholders" making the decisions haven't changed their ways. Short sighted profit motivations drive a race to the bottom that creates massive debts and government liabilities (in addition to weakening regulations). Unlike even the time of the Depression, the masses are unmotivated to demand true change, even turning on each other; whereas during the Depression there was a strong public demand for change that at least drove something to happen. Due to this environment, I just don't see how anyone is going to push for substantial change in security practices. I don't see any strong and meaningful federal regulations for security practices, information assurance, and privacy taking hold anytime soon, since it will be another "intrusion of the governments into our (corporate overlords') lives". I don't even think self interest is enough, as long as an executive can bail out with a golden parachute should their security blunders take down their company.

I hope this is a little more clear as a cynical rant than it was as a sarcastic rant.

Nick P • August 9, 2011 8:41 PM

@ Gabriel

Your view on the situation is actually similar to a few regulars here, esp. me. With no political or commercial demand, strong security and privacy will not take foot. It's even worse when you add the strong demand for the opposite by politicians and big data hungry companies.

Nick P • August 9, 2011 8:46 PM

@ Clive Robinson

A small, cheap, BitTorrent appliance and you say why? Is it that hard to imagine? First reason is that it isolates a risky, CPU hungry app from my main PC. Second is it's a cheap way to do that. And I imagine some people would love a disposable PC that could perform copyright infringing downloads through a far away internet connection or act as an anonymizing relay.

Just sayin... ;)

Gabriel • August 9, 2011 9:09 PM

@nick p: I suppose some in our government feel that the best defense is a good offense. That type of thinking makes sense in some circumstances, like destroying all of your enemy's air forces first, before they get off the ground. But for infrastructure? Sabotage? Espionage? What good would it be to take out our enemy's powerplants, if he can do the same to us? Especially if it becomes like a western style draw, to see who draws first?

Clive Robinson • August 10, 2011 4:35 AM

@ Nick P,

"I'd imagine some people would love a disposable PC that could perform copyright infringing download through a far away internet connection or act as an anonymizing relay"

Well yes but why waste the 25 bucks?

Just bot somebody else's PC, I know "It's not the American way" but it's what the Chinese, Russians and just about everyone else does, failing that drive round to Bruce's house and use his open wifi ;)

Gabriel • August 10, 2011 6:13 AM

@Clive: what was on the hd of that pc you bought? Or did they wipe it before they sold it? :)

I can think of some uses for a small $25 computer. Low power and potentially disposable applications, such as sensors and MANET relays. High volume deployments and low cost thin clients/ frontends. But I agree it won't replace someone's desktop.

Clive Robinson • August 10, 2011 7:30 AM

@ Gabriel,

"What was on the hd..."

Hmm not sure which thread you are referring to.

But yes I've been known to buy quite a few second hand PC's and strip them. Likewise second hand HDs.

You would be surprised just what you would find on them. Ignoring the private stuff, in the good old days a second hand HD would give you a nice bunch of licence keys you could "sell on" (not illegal if the person who sold you the drive/computer had obeyed the licence conditions) and before befouling the registry became the norm you could often lift software packages back into an archive that would correctly re-install.

But usually, I'd strip them back to the metal as it were and reformat the HD and ensure there were no nasties before selling them on.

I and a friend used to pay about 10GBP per PC when buying from businesses doing an upgrade cycle. Strip them down for bits etc. and sell on for around 150-200GBP or 100GBP as a refurb (OS re-install and case clean).

It was surprising how some people (usually businesses) would pay more for second hand OEM replacements (especially DELL) than for new "no name" parts...

GabrielAugust 10, 2011 8:09 AM

@Clive: "Just bot somebody else's PC, I know "It's not the American way" ". Didn't know if the typo was meant to say buy or bought.

Regarding OEM: just look at how many folks take their car to the dealer, even when it costs more. They probably think Dell must know better. Even info systems departments at some organizations think you better get software from a vendor, rather than the same thing from free open source distributions. So this means paying for RHEL licences instead of CentOS. Somehow, being from a vendor is more secure according to them.

Nick PAugust 10, 2011 12:09 PM

@ Gabriel

He meant to say "bot" as in "botnet" as in remote control via an exploit. And I see your imagination is likewise brewing with just how many things you could do with a piece of technology with these specs and price.

Raspberry Pi
http://www.raspberrypi.org/?page_id=2

@ Clive Robinson

Yeah, I *could* do that. However, that's more likely to be noticed by the owners & law enforcement. Using an open wifi is actually legal, so any debate would be over what I used it for. Botting someone's computer is an instant felony & my IP address is going to be logged from it somewhere because the packets have to get back to me somehow. Compare that to a long-distance antenna, an open (or closed... ;) WiFi, and disposable PC near that device to act as my relay. It's better in both legality & anonymity.

Clive RobinsonAugust 10, 2011 2:09 PM

@ Nick P,

"And I see your imagination is likewise brewing with just how many things you could do with a piece of technology with these specs and price."

Don't get me wrong, I can think of many many uses. Some years ago I used PC104 cards with dual network interfaces and a modified Wifi adapter to do an insider attack. Basically you lift the floor, identify your target's network cable and either vampire tap it to passively listen in or cut and splice to impersonate the user (because way too many protocols authenticate the channel not the transaction).

The nice thing about "headless" working is that you end up using the "Unix philosophy" of software development. You write a backend and a front end for any given application on the assumption the UI runs on one device and the actual guts of the program run on a different device.

The front end UI is generally of limited "often used" functionality whilst the command line backend gives a knowledgeable user full power of all the functionality.

NZAugust 10, 2011 3:30 PM

@Nick P

I didn't find gitorious repo, it's somewhat more alive (last commit in January 2011).
As for ARM port: _clean_ C++ code usually ports OK, Boost seems to be portable as well (although I have no first-hand experience), libtorrent relies on Boost.Asio, so it should work also. Porting Windows GUI is hard :)

GabrielAugust 10, 2011 8:49 PM

@Clive, Nick. Ahh yes, sorry, I get it now. Not enough sleep lately :). Of course Nick brought up the legality, good way to rack up federal offenses, unless you're behind the magical 7 proxies (ahh memes). Of course you could buy the 25 dollar PC and put it behind a Starbucks or open wifi, and then control it via a VPN. If you get caught, well, say you are doing remote sensor research for a security project.

Nick PAugust 11, 2011 10:45 AM

@ NZ

I ended up with pretty much the same assessment. I didn't plan to port the Win GUI parts, though. I was just going to look at that code & reuse snippets (or ideas) from it to build a GUI in GTK, Qt or something similar.

@ Gabriel

You're starting to get the idea, now. ;) The more important part of it, though, is that using this relay ensures you don't get caught. You're physically far from the relay. It might also be programmed to only broadcast wireless signals during a session where you're connected. You'd see anyone near the area that looks like investigators. That's the point of this relay scheme.

Also, this provides a real, measurable sense of protection and anonymity. This is in contrast to schemes like Tor and a bot because who knows what they might be able to do to trace the IP packets back to your PC.

GabrielAugust 11, 2011 8:24 PM

@nick: if they even want to have a prayer at keeping Tor anonymous, they'll need some way of tunneling encryption over it. Of course, how can you do that without giving the destination (outside of Tor) your IP address? The problem with the exit node is all too well known. I'm sure at least half of them are intelligence collectors for someone. I could see Tor being more useful if the destination sites were part of Tor, such as a site controlled by people you trust on the outside. That way, the last hop wouldn't have to decrypt the message, only the destination IP.

Nick PAugust 11, 2011 8:45 PM

@ Gabriel

There's numerous problems with Tor, including the subverted exit node issue. That's why I like my solution better. They pretty much have to physically be there to begin a tracking or identification process. Multiple relays can be used if necessary, even optical ones they won't detect easily. (Google Free Space Optics) The point is that you can deploy such a wireless relay at any residential or commercial hotspot, moving around quite often. It is very hard (and expensive) for them to trace you unless you're right in the open.

(Note: better leave your cell phone at home too)

Richard Steven HackAugust 12, 2011 12:30 AM

Nick P: Your concept of the tiny PC as a relay interests me. It's similar to a concept I had for a "proper hacking infrastructure" intended to prevent one's IP being traced back to one's physical location.

In my scheme, you set up a "data center", i.e., PCs with Internet access in some safehouse somewhere.

Then you set up a second one across town which is accessed from the first by point-to-point wireless, not over the Internet.

When you actually hack, you access the first data center via wireless from a mobile location, i.e., your laptop in a car or preferably a van (so no one can see you using the laptop wirelessly - lots of cops stop when they see this these days.)

When you hack, you go to a location where you can park for a good length of time without being noticed - say, a movie theater parking lot.

You access your first data center, then go out over wireless to the second data center.

Then you go out of the second data center over the Internet into a randomly selected PC from one of your botnets which is your TOR proxy.

From the TOR exit system you go into yet another randomly selected botnet PC. From THAT PC, you access your target system.

Anyone tracing you back from the target has to hit the first innocent user's PC, then go through that to the TOR exit node, then compromise all the TOR proxies to get the entrance node - which is another innocent user's PC - then back track to your second data center, then find the wireless link and track that to your first data center, and then track the wireless signal to you.

Which won't happen because both of your data centers have security monitoring and the minute anything funky happens on either of those systems (or the safehouses they're in), the wireless connection is cut (and possibly the entire system automatically wiped).

At the very least the wireless IP connection data, which is the critical info, is wiped. No need to wipe the entire disk. So what if they find incriminating data on the data center PCs? They can't find YOU. And as long as you haven't left your fingerprints or DNA on those PCs, they can't even identify you.

And in addition, of course, you've put software on the innocent users' PCs to do the same - anything funky happens, the connection is cut and the relevant IP data is erased.

If those "innocent user" botnet PCs also happen to be corporate - or better yet, military - PCs, the establishment of LE access and chain of custody will take even longer.

Even better if they're overseas... in a Chinese gaming casino.

Those $25 PCs (I've been saving articles on them since I first saw them) could come in handy for remote relays to lengthen the distance between you and the data centers even more.

With the right antennas - or WiMax if we ever see it here - those data centers could be in two different cities with enough relays.

Of course, there could be latency issues with all the relaying, the TOR proxies, etc. It might be unusable. But you're not gaming, you're hacking. If you're hacking right, you don't need fast responses because you haven't been detected.

They could also come in handy for situations like Clive was talking about. One of the Syngress "Steal This" books talked about a small PC with wired and wireless ports dual booting both Windows and Linux which could be implanted in a target site and used to allow wireless access to a wired network. It was a PC the size of a small router or a netbook. The $25 PC would presumably be even smaller and easier to conceal. They could even be concealed inside another PC, tapping a free power supply connector.

RobertAugust 12, 2011 1:28 AM

@RSH

The problem with fancy combinations of proxies, Tor, Wifi and unusually configured arrangements of hardware and software is that it produces a unique hack signature. So although you might be impossible to trace, your hack signature is unique and this signature contains metadata that can ultimately finger you.

Say for instance your hack computer uses a highly secured Linux kernel to avoid LEOs targeting you with Trojans. That fact alone identifies you as one of only, maybe, 1000 people in any particular city. If I cross correlate non-hacker users, within that city, to other known users with that exact "highly secured" software configuration, then I'm down to maybe 10 people.

Add a little traditional police foot work, and before you know it, your collar is being felt.

Nick PAugust 12, 2011 11:08 AM

@ RSH

It would work & it's similar to something I came up with in the past. The offshore thing in particular: I once designed an anonymous remailer scheme that bounced messages through countries in such a way where each country was a non-cooperative jurisdiction to the one it got the mail from. The exit node was usually Chinese or in Hong Kong.

The problem with your particular scheme is that it's simply too expensive. This is why I switched gears & looked for a cheaper way. The cheap way turned out to be residential & corporate wifi connections (not big companies with good security appliances). The relay would be connected wired to an internal network or wirelessly to a hotspot. Then, I'd connect over a point-to-point wired or wireless link. So long as I can see the target w/out being visible myself, I can ensure nobody is trying to track me. (They're going to be moving at some point.)

The bigger security measure is that I only use the same access point for a short time. If I run out, I start randomly reusing them. I would have hundreds before I ran out so finding me would be quite expensive.

Another scheme I came up with was using virtual private servers in offshore countries. Could buy them anonymously, turn them into proxies and connect to them over someone's residential wifi. So long as drugs or certain kinds of porn aren't involved, the hosting providers in a few countries are very uncooperative with LEO requests. Panama, Hong Kong, China & recently Venezuela come to mind. This would let you use the same Internet connection for long periods of time, swapping the relay occasionally. The price is almost $100 per month, though. It can be more if you want a guaranteed amount of bandwidth, like 10Mbps.

Nick PAugust 12, 2011 11:20 AM

@ Robert

"it produces a unique hack signature"

Your hack signature is produced by your toolset mainly. The only further signature this would add is latency & that the Tor network was being used. Since this "signature" exists for ALL Tor users, it's useless. Hence, the anonymity scheme produces no useful signature.

"Say for instance your hack computer uses a highly secured Linux kernel to avoid LEO's targeting you with Trojans. That fact alone identifies you as one of only, maybe 1000 people in any particular city. "

You're talking out of your ass. There's no way to look at an arbitrary IP packet & know the exact kernel configuration of the source PC. At best, certain parameters & behavior will tell you if it's a specific, known networking stack or OS version (see OS fingerprinting). But they don't know that you're using a specific "highly secured Linux kernel." You should really read more about network security before you post nonsense like that.

"Add a little traditional police foot work, and before you know it, your collar is being felt."

First remotely sensible thing you've said. Except, "traditional police work" even performed by the mighty FBI only catches a few hundred hackers a year, less for top notch hackers, in a country with tens of thousands of them. And most of them aren't using high grade anonymity schemes. Knowing this, should hackers be scared of them? I shudder to think of what would happen to me if I was using offshore relays over vanilla looking SSL & the FBI decided to sift through TB of global data (that they don't have) to try to figure out which few MB was me. Why, they might be at my door in mere decades!

Note: I'm not using any anonymity schemes & not doing black hat stuff these days. So, personally, I care even less. :)

lost in darknessAugust 13, 2011 7:26 AM

This is really a question for Dr. Schneier--and any other wise man out there. In the various articles about the Chinese Cyber menace, perhaps especially the Vanity Fair article, the message that comes across is that the Chinese are diabolically clever, except in one thing. They always forget to hide the breadcrumb trail over the Internet back to their computer in mainland China. Why are the Chinese so smart in everything except hiding their tracks?

Maybe it's not so simple?

Is it really possible, as in the case of Aurora 2010, for the NSA to do an ex-post-facto traffic analysis and follow the trail of breadcrumbs to two universities in China, with two possible suspects? Is this technically possible? How? Wouldn't it require thousands of terabytes of data to be stored from all over the Internet, since the analysis was done months after the fact?

Why is there no discussion of false flag stuff when it comes to the breadcrumb trails leading back to China?

Moreover, just how easy/hard is it to spoof your trail so as to defeat traffic analysis?

The point of all this is that one of the pictures doesn't fit in the series, but I'm not too sure which picture it is. Too stupid. Wise man where are you to answer this question?

Nick PAugust 13, 2011 12:25 PM

@ lost in darkness

"this is really a question for Dr. Schneier"

We'll gladly take a stab at it. That way Bruce can focus on more important, harder issues that deserve his expertise.

"Is it really possible, as in the case of Aurora 2010, for the NSA to do an ex-post-facto traffic analysis and follow the trail of breadcrumbs to two universities in China, with two possible suspects? Is this technically possible? How?"

Yes. It would take a series of analyses. You're really just looking at the IPs to determine a source computer. Then, you look at that computer to see if anyone was relaying through it. Follow the breadcrumbs & they lead to the University. The NSA might already know its IPs & stuff as it would be a source of hackers. Then, depending on how it's set up, you do remote software analysis or have an insider figure out which machines did it. The latter seems easier.

So, is this hard? Yes. Impossible? Far from it. The Stuxnet/Natanz job required *much* more resources, inside activity, etc. They pulled it off.

"Why is there no discussion of false flag stuff when it comes to the breadcrumb trails leading back to China?"

There is and there isn't. Many articles that talk about "cyberattacks" sourced to China mention that many hackers use Chinese machines as relays. This tidbit justifies two things: (1) can't be sure the Chinese are the source; (2) if they aren't, they might be being framed. However, the US Govt knows for sure that the Chinese have been hacking our classified & commercial networks for decades to steal intellectual property, the lifeblood of an advanced economy. Additionally, numerous people in the military-industrial complex are fearmongering cyberwar with enemies like China to justify billions of dollars in future contracts. Both have incentives to demonize China to further their agendas.

"Moreover, just how easy/hard is it to spoof your trail so as to defeat traffic analysis?"

For batch processing (e.g. email), pretty easy. Networks like Mixmaster and other anonymity schemes can defeat traffic analysis. However, it is obvious you are using it. For interactive traffic, it's much trickier. For anonymity, you need many relays with carefully controlled timing. For interactivity, you need little latency & fast traffic. These are diametrically opposite. That's why Tor, the main interactive anon scheme, is SLLOOOWW.

I already posted a good scheme or two for moving the breadcrumbs in a desirable direction, but large international breaches make that unworkable. There's ways to do it but they're really hard at that level if the group you're hiding from is the NSA & they have tools like Echelon.

lost in the darknessAugust 14, 2011 4:07 AM

@ Nick P

Thanks very much. You must be one of the wise men who are the Dr. Schneier alternatives.

Some further questions, if you don't mind:

1. You say that in the notional NSA ex-post-facto traffic analysis you're really just looking at the IPs. Now, are these the IPs embedded in the packets, or are these taken from log files on various Internet nodes? I assumed the second since any hacker worth his salt (or chop suey) would be putting false IP source addresses in his packets (isn't that what spoofing is all about? Please, be simple; I'm having trouble passing the which-picture-doesn't-belong-in-the-series test). But doesn't access to historical Internet node routing data imply gazillions of terabytes of data stored and mined? What am I missing?

2. Next, if there's a problem with this why aren't the perps using a safe house in, say, Kiev--or Santiago, Chile or Cape Town, SA? Does it make any difference?

3. Yes, the Stuxnet hit was professional, but the requirement, if we assume that the main initial vector was USB sticks and that the SCADA mapping didn't happen through initial penetrations of the network, was for inside humint. Someone was compromised.

4. With respect to China's stealing intellectual property for decades, isn't the downside risk for the Chinese that they steal a poison pill that literally or figuratively blows up in their faces? That's the famous Russian gas pipeline blow all over again. How would they take such a thing into account? Theoretically the only way would be to redo all the research to check it, all the development, all the engineering specifications.

5. What's the significance of timing issues when you use multiple relays--so the packets arrive in the proper order?

6. As for Tor, if I were an intelligence service, I'd be a main provider of Tor nodes. Wouldn't you?

7. Let's assume that the Chinese are in fact doing the hacks and that they know that they're being traced back to China. They spend a lot of cleverness on getting data and assembling it and exfiltrating it. Why are they doing it in such an 'in-your-face' way? Why don't the Americans stop them? Surely there are ways to monitor suspect IP addresses--since the Chinese evidently don't bother to cover their tracks--and to block them. Is it that the Americans are doing the same thing to the Chinese?

8. It is said that the Russians, French and Israelis also have major campaigns of cyber espionage. Why is it that only the Chinese are singled out? Is this the marketing of big contracts all over again?

Thanks very much.


RobertTAugust 15, 2011 6:44 AM

@lost in the darkness

I know that a lot of hackers intentionally relay through China because the Great China Firewall (GFC) is a resource that can be used by those knowledgeable with its functioning.

I've also heard that Chengdu and ZhangJaing are particularly popular spots to spoof as the originating location because of the presence of many Chinese hackers (professional and otherwise) located in these regions.

I think a third reason is that even when the Chinese ISPs co-operate and give the names of the internet users, the US officials have to deal with reams of data in Chinese. This character based language presents logistical issues to overcome before further advancing.

lost in darknessAugust 15, 2011 7:10 AM

@ RobertT

It's becoming a little clearer. Not everything that's ascribed to China may be from China--it might be a setup/false flag op.

But similarly, why don't the Chinese spoof their own source IP addresses so as to appear to be coming from Paris, Tel Aviv, St Petersburg--or Ft. Meade?

Didn't someone say something once about a 'wilderness of mirrors'? Now, who might that have been...?

Richard Steven HackAugust 15, 2011 4:11 PM

Lost: I think the issue is whether the Chinese authorities have any motivation to prosecute anyone in China hacking the US. I don't see any. So a Chinese hacker has little motivation to conceal himself to the degree a US hacker should.

Plus - if what they said in the Batman movie is true :-) - China won't extradite anyone. So unless they're prepared to prosecute something which presumably is not a crime IN CHINA, the odds of anyone in the West getting a Chinese hacker prosecuted is basically zero - short of sending Batman into China.

Also, there is cost. The cost of a major prosecution is an issue for the DoJ. The cost of prosecuting a Chinese hacker would be astronomical, and the odds of getting a conviction would be way out of line with the usual 98% conviction rate here in the US - mostly because all of the threats based on rats would probably not be viable.

Although less so, I imagine much the same considerations exist in Eastern Europe, Russia, Malaysia and in certain other areas.

I don't know how easy it would be to hack a North Korean computer network to bridge into the US, but that would be even more fun trying to get a prosecution.

Robert: I agree with Nick P. Having a unique hack signature is irrelevant.

Also, while I may have failed to mention it, there is no way I'd use the same machine for both hacking and non-hacking activity. So the hack machine, despite possibly being uniquely identifiable, remains as anonymous as I do. The most intel anyone could possibly get out of that would be which penetrations it was involved in - provided those penetrations were in fact detected at all.

Also, the longer the chain of connections - and especially if some of them are randomized via botnet TOR systems and other means - not only does it take longer to unravel, it offers many more ways of compromising solid evidence. So even if one is caught by some fluke, most of the evidence is so bad a good attorney will have something to work with.

At worst, if you did ten penetrations before being caught, probably eight of them won't be provable - reducing your charges considerably.

Of course, that's little comfort if you go away for even one charge. My scheme is intended to insure one NEVER gets caught by conventional IP tracking methods. Getting caught is simply not an option, so whatever method is used, it must be as close to certain as possible.

Nick P: Sure, my way is expensive. Security usually is. But if you're not making a ton of money hacking, why do it? :-)

Actually, it's not that expensive either. The "data centers" are just PCs stashed somewhere. High-powered PCs aren't necessary for hacking. And where they're stashed could be really cheap. The only requirement is an Internet access for at least one - and that could be wireless to some open access WiFi.

So we're talking about maybe three $1-2K PCs in total under your direct control (outside your home desktop and laptop which are never used for hacking.) Plus whatever it costs to stash the two data center PCs, which could be a few hundred bucks a month. Plus the ISP access, trivial.

Just about any credit carder script kiddie could afford this system.

The only high powered facility needed would be a cluster for password cracking - maybe $25 in machines (one would never use the online services, of course.)

If you have a botnet, you can run your own TOR system using the bots. So you're not relying on third parties that might be LE nodes.

I wouldn't rely on virtual servers in other countries for one reason: what I would be hacking would be very high value stuff. When the US comes calling on those ISPs, they won't be looking for drugs or porn but major IP and even military intelligence breaches. That would motivate the US to put considerably more pressure on those ISPs than they would for mundane criminal stuff. Too risky.

Plus I want everything more or less under my control. The only risk there is the use of the botnets - and with enough of them (a very small botnet of a couple hundred machines would be adequate) I can always shift between them if one craps out.

The worst case scenario is as follows: You're in the middle of a penetration of a high value target - meaning major corporation multi-hundred-million dollar IP or US military technology - when the pen is detected. The FBI, Secret Service and US military and even the NSA all mobilize dozens of agents immediately to track back the pen. They start from the penetrated system using a still open Internet link. How fast can they unravel the chain of connections while the links throughout the chain are still open - without compromising their investigation by revealing they are tracking or compromising the evidence chain?

I say they couldn't do it - especially if each system along the way is being monitored for precisely any such breach of security - especially the two data center PCs which are the last line of defense between you and your laptop.

And even if they do, the last 2 or 3 links are wireless, so they will need to field IN YOUR CITY a mobile search team with wireless tracking capability and pinpoint your location without being seen themselves until they close in for the arrest. Not impossible, but very difficult if one sets up the situation wisely.

hopeAugust 15, 2011 6:29 PM

@Richard Steven Hack, true that, I wouldn't use 2.4GHz though, maybe use some pirated frequency (need a frequency analyzer, less collisions and stuff), and do mass compression burst.

The LEO could probably use source routing in reverse and bounce off fixed routers on the inet. A while ago I downloaded a batch script that could pinpoint an IP down to the meter (wish I knew how it worked though), if it isn't wireless, your stuff, I suppose.

RobertTAugust 15, 2011 8:18 PM

@RSH
Talking about exotic hacking setups, the one I remember most used a powerline modem, installed inside the desktop power supply. This linked via the powerline to a Free space optical link mounted on the roof (20-floor building).

Physically the hacker could have been anywhere between 1km and 10km. The guy added tamper detection so he knew when the setup was discovered.

lost in darknessAugust 16, 2011 3:01 AM

@RSH & RobertT

RSH, most of what you are discussing assumes that the motivation is $. I was wanting to get enlightened concerning State-sponsored Cyber espionage. What's bothering me is the ease with which the hacks are definitively ascribed to China. For all I know the ascriptions are correct, but I was wanting to clarify how easy it is for

a. The Chinese to cover their tracks

b. Others to frame the Chinese.

RobertT: What ingenuity!

Richard Steven HackAugust 16, 2011 12:00 PM

RobertT: Interesting setup. This is sort of what I mean by "data center PCs" - they're just machines of whatever size and capability needed stashed somewhere accessible remotely by the hacker who is himself mobile. The more hidden, the better.

That makes it necessary for investigators to not only track the IP, but to actually physically FIND the machine to be able to forensically check it and track the connection to the next level. They'd have to use a hand held radio frequency tracker to find the machine via its wireless radio signal - pretty much how they caught me! :-)

That's where these tiny $25 PCs come in - although I suspect they'd be not powerful enough to do actual hacking through. But they'd be good for relays as Nick says.

Hell, it would be hard to find a stashed netbook and they'd be perfectly good for hacking through them.

Hope: Yes, I vaguely remember that effort to pinpoint IPs. Of course, you have to grab the IP to do that - so between spoofing and cutting the connection and wiping the IP data on intrusion this should be made difficult.

Good idea to use off-brand wireless frequencies, too.

Lost: Actually, a lot of what the Chinese are doing IS money-based: the acquisition of intellectual property. They're doing this on the physical level as well, with numerous cases of Chinese nationals physically penetrating US corporations or bribing US corporate employees or running business cons on US corporations to acquire valuable IP.

Which is why the Chinese government has no motivation to pursue Chinese hackers - they're serving the national interest at "leveling the playing field" both commercially and militarily.

Which is why Chinese hackers don't worry about being found and prosecuted.

Which is why it's not hard to pinpoint the intrusions as being Chinese.

Most countries are doing the exact same thing as the Chinese, but it's not politically correct to frame France as the great national enemy - let alone Israel which is REALLY doing this sort of thing. There are just more Chinese to do it.

Clive RobinsonAugust 16, 2011 5:31 PM


@ Robert T,

"This linked via the powerline to a Free space optical link mounted on the roof."

The problem with this is if you know the approximate optical frequency, you can spot the receiver very easily using "optical TEMPEST" techniques. Which is little different from finding CCTV cameras via the 100% internal reflection you see so often with "red eye" in photos and "rabbits caught in headlamps".

My preferred option would be to take the output of a low power 2.5GHz wifi card and put it via a 3dB pad into a passive double balanced mixer, and use a couple of GHz as the LO at up to 20dBm via another pad. At the output of the mixer put an appropriate dc-daylight match filter to select the appropriate mix output, then using that much loved trick of the amateur radio world of a 27dBm PA and 10dB LNA switched by diodes and quarter-wave lines put it into a 10dB vertical collinear or equivalent omnidirectional antenna.

As it's DSSS you could even put it out in the TV band either at the edge or underneath the carrier of a local TV station.

Some of these tricks have worked well for Pirate Radio in the UK, much to the annoyance of OfCom in NI and Comreg in Eire.

RobertTAugust 16, 2011 10:08 PM

@Clive R
"My preferred option would be to take the output of a low power 2.5GHz wifi card a....put it into a 10dB vertical collinear or equivalent omnidirectional antenna."

I agree there are good RF techniques but the big advantage of optical links is that nobody is looking for them. Same thing with powerline networks. For the case in question the Host PC was part of a cluster of PCs in a University, so having some funny optical setup on the roof of an EE department is not unusual, it is probably last year's Masters project or some research thingy. So nobody is going to touch it, nor would anyone getting a "cat's eye" reflection immediately assume that this was any part of a hacking setup.

Even if you discover the powerline network you're still only half way there, because normally I would assume it was part of a wifi bridge, so I'd waste a lot of time looking for a high gain antenna wifi setup.

BTW the best way I've found to hide high gain wifi is to use a standard satellite dish but replace the Tx/Rx electronics with a USB wifi card where the wifi card is put inside the old antenna RX module. Seeing old satellite antennas hanging at odd angles is not at all unusual.


RobertTAugust 16, 2011 10:23 PM

@RSH

For around 500RMB ($80USD) you can buy white-brand cell smart phones that have Android OS with, say, a single 1GHz ARM Cortex core and wifi and naturally 3G/2G. If you added a 300mm * 300mm solar cell ($100) you could generate about 200Wh of power per day, which is plenty to power a smart wifi (cell phone) relay like this.

I'm not sure that $25 will buy you anything useful, at the moment, but prices keep falling so maybe in 5 years...

Richard Steven HackAugust 17, 2011 12:58 PM

RobertT: The $25 was in reference to the small PC that someone has coming out. It will probably cost more initially, but if it took off (which I find unlikely actually) it could conceivably get nearly that price point.

The phone idea is good; I didn't know they got that cheap, I assumed most smart phones were in the neighborhood of a netbook.

I agree with you that the advantage of optical and powerline links is that it's unlikely anyone would look for them. However, in the case where one of my relays has been compromised, it's possible the nature of the link would be revealed, and so the next step LE would take is to look for the relevant hardware. So one would have to take pains to disguise the nature of the link.

And this new WiFi mesh technology obviously would come in handy for this sort of thing:

Non-profit Group Releases Open Source Mesh WiFi Network Software
http://hothardware.com/News/...

Having a mesh setup and hopping between them at random during hacking would make RF tracking those final wireless links a bit harder. They'd probably need an aircraft with SIGINT capability rather than a van with RF tracking gear to sort out the relevant signals. And if you "swarmed" the mesh with automated fake sessions you could bury your real hacking signal.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..