Two New Snowden Stories

New Zealand is spying on its citizens. Edward Snowden weighs in personally.

The NSA and GCHQ are mapping the entire Internet, including hacking into Deutsche Telekom and other companies.

EDITED TO ADD (9/18): Marcy Wheeler comments on the second story, noting that the NSA uses this capability to map MAC addresses.

Posted on September 15, 2014 at 2:25 PM • 36 Comments

Comments

Fabian • September 15, 2014 2:42 PM

If you noticed from the slides, most of this information is Unclassified. TreasureMap is mostly just data collected from trace route data,WHOIS and BGP advertising. No one seems to be screaming about the TOR mapping, the UC's help in obtaining data, or Akamai's data input. The fact that Lumeta maps the internet every year or so doesn't get news coverage.

Clive Robinson • September 15, 2014 3:45 PM

It needs to be said NZ's GCSB has never regarded itself as under the NZ Gov's control.

When NZ said no to nukes, the GCSB seniors actively passed data on the "No Campaigners" directly to the NSA and they forwarded it onto other US TLAs. The GCSB tried to put the frighteners on the NZ Politicos but they stood their ground. It has been pointed out that if the GCSB had been doing its proper job then the French would have been caught putting a limpet mine on a ship in an NZ harbour, which was an act of war under international law. It has been joked in more recent times that CNN provides better intel than the GCSB.

Whilst Snowden is correct that the NZ PM knows, what he does not mention is that the NZ Gov has no control of the GCSB which is effectively run by either the NSA or GCHQ "advisors" both of whom have had offices in the GCSB HQ directly adjacent to the supposed "Directors" office, and sit in on important meetings... The reason the NZ PM gets told anything stems back to the embarrassment caused by the Kim Dotcom issue a few years ago. But it's kind of a lord and master to forelock-tugging servant relationship, the GCSB says "the dog has crapped on the library carpet, go clean it up" to the PM, who dutifully tugs the fetlock and scurries off to clean up the mess...

The original reason that NZ was made one of the 5-Eyes was its useful geographic position. It would appear that neither the NSA nor GCHQ has trusted them from day one, hence the advisors.

Anonymous Coward • September 15, 2014 4:09 PM

@Fabian

I see a lot of TOP SECRET. Where is it unclassified? Also, if it were unclassified, would that change anything?

The additional things that Treasure Map does is to try to map all end user devices. It's also across many different taps and mediums, including telecom, radio, satellite and internet. Finally, not only is the data different, but the adversary is too. That's why people are screaming.

Anonymous Coward • September 15, 2014 4:11 PM

@Clive

If you watch "The Moment of Truth" you realize what both Assange and Amsterdam are saying: not only are there surveillance problems, but there's culture and law export from the US. They are catching on.

fissuremender • September 15, 2014 4:49 PM

The 5-Eyes and the company are in the spotlight but what about others who aren't? Is there any info on countries that have not been covered by these reports so far? Say, Italy or Czech Republic or Bulgaria?

Anonymous Coward • September 15, 2014 7:07 PM

@fissuremender

Agreed, much of the conversation seems to be focused on the leaks we do have but not the fact that there is a global cyberintelligence war (which is resulting in the average joe's virtual casualty).

Prinz von der Schemering • September 15, 2014 8:09 PM

@fissuremender and Anonymous Coward

The reason why the 5Eyes are being targeted for criticism and condemnation is twofold: a) they have made a major issue of the matter of governments putting their citizens under surveillance (the Cold War was filled with that sort of rhetoric from "the West"), and b) they alone of all the nations of the world, have both the intent (to put everybody under surveillance) and the power to carry out that intent.

Heck, what is wrong with everybody? The Cold War only ended less than three decades ago. When I was growing up the Second World War had only ended three decades ago, and there were still echoes of it in everyday life, never mind politics (or bollix).

'nuff sed?

Name (required) • September 15, 2014 8:35 PM

Click The Moment of Truth for the YouTube video. Glenn Greenwald speaks first, then
59:11 Edward Snowden joins in and speaks
1:17:45 Julian Assange is introduced to speak
1:35:57 Kim Dotcom speaks (briefly) on his web encryption platform incl. vid.conf.
1:37:26 Bob Amsterdam (high profile intl. I.P. lawyer) is introduced to speak

If nothing else, watch Assange.

Bob S. • September 15, 2014 8:40 PM

The Australian PM adamantly demanded adopting new laws to vacuum "meta data" of Australians. He made some remark to the effect it was necessary for the defense of the country. Now this about NZ.

I tend to agree with suggestions here that the NZ and maybe AU intelligence apparatus is under control of NSA more than elected officials.

Especially interesting is the movement in NZ for an entirely new "Anti-Surveillance" Party. Heck it would get my vote just on the name.

I'm not a fan of the NWO conspiracy, but stuff like this sure adds fuel to the fire. Why does NSA need all the electronic data of New Zealand? And Australia? It seems a bit imperial.

And let's not kid ourselves, if they get the "metadata" they get the whole haystack.

Benni • September 15, 2014 9:35 PM

On Snowden's article I think this is the most funny line:

"you’ll find that the XKEYSCORE system offers, but does not require for use, something called a “Five Eyes Defeat,” the Five Eyes being the U.S., U.K., Canada, Australia, and yes, New Zealand. This might seem like a small detail, but it’s very important. The Five Eyes Defeat is an optional filter, a single checkbox. It allows me, the analyst, to prevent search results from being returned on those countries from a particular search. Faced with reasonable doubts, ask yourself just what it is that stands between these most deeply personal communications and the governments of not just in New Zealand, but also the U.S., Canada, the U.K., and Australia?"


If they exchange nude photos, then I wonder, how often they un-check that box....

That they are using Xkeyscore to get filesharers is interesting. But that is why one should use retroshare http://retroshare.sourceforge.net/ or gnunet https://gnunet.org/ for that.

Regarding their breach into German providers, I already said this https://www.schneier.com/blog/archives/2014/09/friday_squid_bl_441.html#c6678594, this https://www.schneier.com/blog/archives/2014/09/friday_squid_bl_441.html#c6678600, this https://www.schneier.com/blog/archives/2014/09/friday_squid_bl_441.html#c6678610 and this https://www.schneier.com/blog/archives/2014/09/friday_squid_bl_441.html#c6678605

I find the line "Cisco discovery protocol" in the treasure map program most interesting, since for some reason they seem to single out Cisco. Probably they are searching for Cisco explicitly because they know best how to place bugs in Cisco routers. Or because most Cisco routers get nowadays manipulated by interdiction on shipment. Then NSA just has to find them later on the internet, and they can send their orders to the manipulated firmware...

Brian Dell • September 16, 2014 2:04 AM

"XKEYSCORE.. is not limited to or even used largely for the purposes of cybersecurity, as has been claimed, but is instead used primarily for reading individuals’ private email, text messages, and internet traffic."

PRIMARILY for non-"cybersecurity" "purposes"? There's no chance this isn't a bit of an overstatement?

"... that solitary checkbox, the Five Eyes Defeat. One checkbox is what separates our most sacred rights from the graveyard of lost liberty."

If only "one checkbox" "separates our most sacred rights from the graveyard of lost liberty" then why haven't we heard about it, this "Five Eyes Defeat", before Snowden revealing it this week?

Let's not forget the various dubious claims Snowden has made:
- Claimed, without any evidence, that the CIA successfully bribed the Geneva police and judiciary
- Claimed that his salary was $200K until Booz said it was $122K. Has also repeatedly insisted that he was a big shot, saying earlier this summer that he "was actually functioning at a very senior level."
- Called Reuters reporter Mark Rosenball a liar after Reuters ran a story that contradicted some of Snowden's statements
- On June 24 of this year, a Council of Europe question for Snowden was "Can you be more precise about what internal actions you took and what kind of replies you got?" and Snowden's reply was "I am working with the NSA in regard to these records and we’re going back and forth, so I don’t want to reveal everything that will come out because there’s still an ongoing debate. But what I can say is that... I went many colleagues... and also vertically: to supervisors, to managers, to directors, to people who worked above me... as well as the Office of General Counsel and the Office of Compliance..." This reply does not pass the smell test, as it is hard to believe that Snowden isn't revealing evidence that exposes the NSA as liars out of deference to his, more than a year after his flight from the U.S., wanting to continue a "back and forth" with the NSA, as if he's engaged in ongoing negotiations with his former employer so can't make them look like liars.
- Said he has "to screen everything before releasing it to journalists" and that he "carefully evaluated every single document I disclosed to ensure that each was legitimately in the public interest. There are all sorts of documents that would have made a big impact that I didn't turn over." Later told a NYT reporter that before flying to Moscow, he gave all the classified documents he had obtained to journalists he met in Hong Kong, and did not keep any copies for himself. After that, however, Snowden contradicted himself, telling NBC News that he divested himself of everything before transiting Russia not by giving it away but "by destroying the material." How do you destroy what you've already given away?
- In Hong Kong Snowden told Guardian reporters that he checked into the Mira Hotel upon arrival in Hong Kong on May 20 and hardly ever went out. The WSJ fact checked this with Mira Hotel staff and found that he did not check in to the hotel until June 1.
- Both Snowden's ACLU lawyer and his Kremlin-connected lawyer in Russia said the story in Kommersant about Snowden meeting with Russian diplomats before leaving Hong Kong was "false" yet just days later Putin himself admitted to the advance meeting. Snowden was also observed on CCTV cameras entering the Hong Kong tower where the Russian consulate is located.
- According to Snowden, "I was ticketed for onward travel via Havana—a planeload of reporters documented the seat I was supposed to be in—but the State Department decided they wanted me in Moscow, and cancelled my passport." Aside from contradictions with Greenwald and the NYT about the timing of the ticketing, the facts are that Snowden's passport was revoked by State more than 20 hours before Snowden left Hong Kong, as State had moved within a couple hours of Justice unsealing the indictment on Friday, June 21.
- Earlier this summer Snowden claimed that he lives "a surprisingly open life" in Russia and is recognized when he goes to computer stores yet none of the people who recognized him have come forward
- Snowden recently claimed that the NSA "bricked" a single router in Syria in 2012 and this was the reason Syria's internet went down. The claim is implausible since 1) the Assad regime shut down the Syrian internet locally or nationally on a number of occasions and on each occasion a government attack was kicking off. It would be a huge coincidence if the NSA brought down the Syrian net just when Assad wanted them to. 2) Renesys noted on the day of the biggest outage (that Snowden is presumably referring to) some "blocks survived today’s Internet blackout in Syria, but 12 hours after the onset, they, too are off the air." This 12 hour spacing doesn't fit with Snowden's story of the NSA bringing down everything by virtue of a one-off mistake and then failing in its efforts to bring it back. 3) Mobile phone coverage and interprovincial land line calls were lost at the same time. It stretches credulity to believe that a single router failure could have this effect on telephony. We're not supposed to notice that Snowden has shifted the blame from a Russian ally, Assad, to the U.S. while Snowden is under Russian sanctuary?

Incrdulous • September 16, 2014 8:35 AM

@Brian Dell, "another pundit"

Snowden's information has been vetted by many. What about yours? It sounds fabricated out of whole cloth. Say we can't believe him about these minor details of his life on the run, which he rightfully may choose to obscure to protect himself and his allies: How much less should we believe the allegations that you pull out of thin air or the random allegations thrown at him by parties that have every interest in smearing him and who do such disinformation on a regular basis?

Minor contradictory evidence is found about everything on the internet. NOTHING you say contradicts any important Snowden reporting, which the government doesn't even bother to contradict at this point.

Bob S. • September 16, 2014 8:38 AM

Re: "If only "one checkbox" "separates our most sacred rights from the graveyard of lost liberty" then why haven't we heard about it, this "Five Eyes Defeat", before Snowden revealing it this week?" ~Brian Dell

Now you and the whole world have heard about it. Is there any alarm or even concern voiced by relevant corporate executives or political officials?

No.

Indeed, we may never hear a peep from them if this and similar announcements are made daily on the homepage of every news agency in the world.

There is something very drastically amiss in the world of electronic communication. The appearance is governments and corporations have become a vast criminal conspiracy dedicated to harvesting the haystack. They fight, among themselves, for every last tidbit of data.

In other times and places government and corporate executives would be prosecuted and sued to oblivion. Stringent laws would be passed and enforced.

Instead all we hear is the sound of silence.

Can you hear that?

Nils says hi from Sweden • September 16, 2014 9:13 AM

Attacks on Snowden's credibility are beside the point. Of course he's going to throw up smokescreens right and left, he's evading a totalitarian state. I don't care who's helping him defend the right to privacy.

If it's Russia, that's fine, because Russians from Putin on down know more about jus cogens than US apparatchiks trained to legal ignorance. If it's CIA, as some maintain, that's fine too, because the only remaining pluralism in the US police state is elite pluralism, and CIA retains a lonely few law-abiding civil servants.

Benni • September 16, 2014 9:48 AM

@Brian Dell:
"Let's not forget the various dubious claims Snowden has made:
Has also repeatedly insisted that he was a big shot, saying earlier this summer that he "was actually functioning at a very senior level."

Lol, I remember there is this photo of Snowden and general Hayden.

http://www.washingtonpost.com/news/post-nation/wp/2014/08/13/that-time-edward-snowden-and-gen-michael-hayden-took-a-photo-together-wearing-smiles-and-tuxedos/

Although Hayden is a communicative person, I guess the NSA chief does not make a self portrait with some low level employee. This photo proves that Snowden indeed WAS "functioning at a very senior level", and it shows Brian Dell's comment to be pure disinformation.

Nice try NSA, perhaps you should use better sockpuppets next time...


fissuremender • September 16, 2014 10:40 AM

To clarify, my point was that I somewhat envy the citizens of 5-Eyes countries. Why? Because you have at least some info on what your government and corps do. I cannot say the same about my country's government; I have only assumptions.

CallMeLateForSupper • September 16, 2014 11:12 AM

I simply assumed NZ was doing Kiwis to the very tune that all the other "Eyes" were - and are - playing; I wasn't tuned in to things NZ. We have seen - in the cases of US, GB, CA and AU - that the price of admission to Five Eyes is vacuuming and sharing everything you can, so the idea that NZ would get a free pass strikes me as illogical.

Time after time, over the past year, the tension between a breaking story about an NSA shag-nasty and public/congressional/legal reaction to it brought to my mind a book that I had read in the 1960s: "I, Claudius" by Robert Graves. The central figure was a sociopath who ultimately managed to elbow his way onto the emperor's throne. Finally! he could have whatever he wanted. And he wanted much. He fancied a certain maiden, but she was out of reach because she was not of legal age, could not consent. (Never mind that 1) she had a boyfriend and 2) she *would*not* consent to the old man even if she legally could.) So the letch changed the law to lower the age of consent. Then he had her, in the Biblical sense.

Claudius' predation was legal but wrong. Indiscriminate breaching of privacy might be legal but it is wrong.

Random Al • September 16, 2014 11:21 AM

@Brian Dell
A problem with your analysis is that you seem to be automatically assuming an intent to mislead the public?

Maybe the intent for some of his statements was to mislead those he felt are chasing him.

For example, what was told by Snowden and his lawyers regarding what he did and did not do in Hong Kong could indeed have been lies. But if he actually felt that his life was at risk, he may have given misleading statements in an attempt to make it more difficult for the government to trace him.

And he may have claimed to have destroyed everything simply because he felt that he was being chased because of the documents.

It's risky to try to determine the character of a person from statements like this, without taking into consideration factors such as the context or the aim of the speaker.

me • September 16, 2014 12:10 PM

Couple of things jumped out at me regarding TreasureMap:

1. Cisco config database - How complete is this? Are routers leaking them in some fashion? Note it parses interfaces and descriptions.

2. MAC addresses - where are they coming from? I understand Microsoft embeds MAC addresses in all office docs for automatic xkeyscore extraction. MAC addresses are a real key in tracking documents to their source. How is treasuremap acquiring them? Wifi collection is mentioned. I gather there is a low level protocol inherent in wifi which exposes MACs. Is wifi detectable from space? Or drones?

Name (required) • September 16, 2014 4:31 PM

It is important to call more attention to what Assange says starting at 1:20:20 of the Moment of Truth panel discussion. Listen to his whole 16 minute speech to grasp his warning about the coming changes to civil society (so try to find or create those 16 spare minutes:). While it's mostly accepted that Assange has trouble conducting himself with women, he is not known for flakiness outside that storyline, AFAIK (a little overt paranoia would obviously have to be taken in stride by any reasonable person dealing with the founder of Wikileaks!). Assange is, imho, a modern visionary, being given the typical visionary treatment by those he offends: all governments, especially those that tax the status quo (us), if I may be faintly indelicate. I say we are blessed to still have such far-seeing people who are willing to step up and announce themselves while knowing the dangers.

I have an abiding sense that not only do the vast majority of people not grasp what is going on these decades, but no 'pundit', professor, politician, news anchor or public expert does either. Yet I don't believe no one understands. Some modern "think tanks" are highly secretive. [I can claim no knowledge, only a deep sense that current world systems are evolving towards cascading, calamitous failures, just a little bit like in that semi-famous EM Forster short story, The Machine Stops]. There's no convincing evidence to the contrary; this should be seen to matter more.

AlanS • September 16, 2014 6:30 PM

@Brian Dell

Ah, so Snowden is a liar (unlike Hayden, Alexander, et al.), no one was or is engaged in illegal surveillance, nothing to worry about, move along people?

Read the piece by Julian Sanchez in Just Security today: Reading Jack Goldsmith’s STELLARWIND Memo (Part II) in which he analyzes a memo that was obtained by EPIC under a FOIA request filed long before anyone had heard of Snowden. Sanchez takes apart the bogus legal and 'technical' arguments used by the Bush administration to justify secret NSA data collection from the Internet backbone in violation of the 4th Amendment. 

Nick P • September 16, 2014 8:43 PM

@ Brian Dell

You got links to back the claims up? It helps in a forum like this, esp in a polarized debate. I'm in the middle saying his domestic leaks are heroic whistleblowing, while most foreign op leaks clearly cross the line. I also thought he might be bullshitting about himself a bit. I wrote it off as a combination of OPSEC & potential self-promoting lies. Of course, many of the claims we were concerned about checked out to a degree later so my only gripe left is foreign op leaks.

Just dawned on me that he could've leaked domestic to everyone & foreign ops to just Congress. I'd still consider that whistleblowing. Many of them had been deceived and denied access to ability to make informed decisions. A Congress seeing how powerful NSA truly is might rein them in. If he delivered it on the floor of a closed Congress session, the foreign stuff would still be hidden from those not cleared to see it & he'd be legally clear thanks to a Constitutional clause. I doubt he'd want to personally show up, but he could even do it by proxy, physical mail, secure email, etc.

@ AlanS

I think that's a weak case to make. It's focusing on stuff they've already dominated in public debate. The fact that they promised metadata, then collected *data*, is more useful. That they're auto-collecting all kinds of American *data* + targeted attacking American data, both without probable cause or warrant, is clearly a violation of 4th Amendment. That they don't count it as collection unless they read it doesn't change this. Plus, we have plenty of instances of them reading it and one major instance of them losing it. The latter fails on their legal requirements, common sense, and the reasonable professional test. A combination of Congressional and criminal investigations with jury trials could leverage these small things to ensure they have no moral or legal high ground. From there, they are negotiating for scraps of information with reinstated GAO oversight and onsite auditors.

Thoth • September 16, 2014 9:44 PM

I am rather skeptical on how much NSA trusts GCHQ and vice versa, let alone if any of the Five Eye members actually trust each other .... or should we reword as Five Agencies. I think this Five Eye group is more of an agreement between spy agencies and not Governments or nations and one thing we have figured out so far is that most Governments have little to zero control over their spies since they would reply to their "Bosses" that everything is TOP-SECRET and their "Bosses" should know nothing lest it leaks, as a fear factor to prevent those decision makers from knowing the actual details.

Those who have absolute control over the military, and that includes spies (both are bundled together), are the true rulers of the country, not the head of state or prime minister. History has shown us how dynasties rise and fall and most of the reasons are due to military based activities.


The Truth • September 17, 2014 12:09 AM

Any person supporting mass surveillance is a corporate / government shill. Nothing more needs to be said.

Please don't feed the NSA trolls. Please.

anonCowardess • September 17, 2014 1:47 AM

There were a lot of Pentagon folks that spoke out that the entire Navy Intelligence was ALL British folk, and that they were allowed to be there for all briefings, even the no share NOFORN stuff.

To even try and support the compartmentalizing, let alone the minimalization of info sharing is pushing the envelope of credibility to comedic proportions.

But go for it, patriots and paid fusion center employees.
Next, they will come for you, since you are the weakest link in the deniability chain...

Brian Dell • September 17, 2014 3:59 AM

"This photo [of Snowden with General Hayden] proves that Snowden indeed WAS 'functioning at a very senior level'. "

No, it doesn't. I live in Canada and have shaken hands with the Prime Minister twice. Means nothing beyond that I can tolerate his company for long enough to do that. I find it remarkable that you refer me to a link which quotes Snowden boasting "I would sit down with the CIO of the CIA, the CTO of the CIA, the chiefs of all the technical branches. They would tell me their hardest technology problems, and it was my job to come up with a way to fix them," as if that helps his credibility. The two most senior people in an organization with more than 20K employees turn to one man, Edward Joseph Snowden, to solve "their hardest technology problems" yet no one has ever been in a reporting relationship with this "very senior" person? "Very senior" but you can't identify a single person who has ever been junior to him?

Note that it is only bloggers like Schneier and some local media that are calling attention to his "Five Eyes Defeat" checkbox. If Snowden still had credibility, you'd see the major papers running with this. But they're not, are they?

Nick P • September 17, 2014 7:24 AM

@ The Truth

"Any person supporting mass surveillance is a corporate / government shill. Nothing more needs to be said."

You should get out more. Read comments on sites covering NSA in a positive or neutral way. You'll see plenty of Americans supporting the program. Actually, there could literally be *millions* of Americans supporting mass surveillance for our security based on extrapolating what I've seen. It's why I've damn near given up on a political solution.

@ Brian Dell

I agree that the photo proves nothing. The source indicates it was some gathering. Various analysts would try to speak to or pose with their boss. And Hayden was quite respected so it's even more likely.

Still, though, where's the links backing up your Snowden assertions? People aren't going to spend 20-30 minutes Googling it all.

Rolf Weber • September 17, 2014 9:16 AM

Nice to see that Snowden's dubious claims are discussed here. I can contribute a very, very obvious one. It was from the very beginning of the revelations:

"We've got PRISM, which is a demonstration how the U.S. government co-ops U.S. corporate power to its own ends. Companies like Google, Facebook, Apple, Microsoft — they all get together with the NSA and provide the NSA with direct access to the backends to all of the systems you use to communicate, to store your data, to put things in the cloud, and even just to send birthday wishes and keep a record of your life.
And they give the NSA direct access so that they don't need to oversee so they can't be held liable for it. I think that's a dangerous capability for anybody to have, but particularly an organization that's demonstrated time and time against that they'll work to shield themselves from oversight."

Not only that the fact itself is untrue. There is and there never was such a "direct access". It is contradicted by a lot of facts, including the PCLOB's report on FISA 702 and the declassified files about the Yahoo! case. Last but not least Snowden himself backpedalled from the claim.

But it's not just the fact itself. Maybe he was fooled by the documents, just like the press. But he claimed more. He claimed the companies would do it voluntarily, and he claimed he would know their motivations. What do you call this?

BTW, this contradicts another (here discussed) Snowden claim, the claim he worked as an analyst at "senior level". It is virtually impossible that an analyst, let alone on the "senior level", would misrepresent the PRISM program as badly as Snowden did.

Another BTW, Snowden also misrepresented the BOUNDLESSINFORMANT slides. Quite similar story. This wouldn't have happened to an analyst.

65535 • September 18, 2014 8:40 AM

@ Clive

“…NZ Gov has no control of the GCSB which is effectively run by either the NSA or GCHQ "advisors" both of whom have had offices in the GCSB HQ directly adjacent to the supposed "Directors" office, and sit in on important meetings...” – Clive

That type of relationship is unacceptable. It shows how far these intelligence agencies will go to twist arms.

I would call it a case of racketeering – no different than any other crime syndicate. If the average Joe were caught doing this he and his cronies would end up in jail.

IRATEMONKEY • September 18, 2014 12:20 PM

I have a desktop computer, call it PC-A that in the past I have on at least three separate different occasions reformatted from scratch (with at least a one pass zero using killdisk) the HDD each time before installing Windows 7 64-bit onto the PC-A.

The very first thing I would do after reformatting the PC and reinstalling Windows would be to install TrueCrypt 7.1a and then do a full disk encryption on it before doing anything else. (including before installing any device drivers or connecting it to the network, etc)

Those who have used TrueCrypt full disk encryption know that it forces you to burn a rescue disk before using FDE. Since I don't want to waste a disc each time, I've always downloaded and used WinCDEmu to bypass that TC requirement.

However, recently, (and I tried this on three separate occasions, each time totally starting from scratch) when I reformat, wipe and after reinstalling Windows on PC-A, I notice that when attempting to install WinCDEmu that right after I click install, I get a weird error stating that "Microsoft Register Server has Stopped Working" and details show a "BEX" error related to DEP, referencing WinCDEmuContextMenu.dll_unloaded

I have made absolutely ZERO hardware changes, no BIOS or firmware upgrades. Every time I have used the exact same Windows 7 DVD-ROM to install the OS via the bootable disc, the disc itself is fine with no scratches. I have also consistently used the exact same version of WinCDEmu and checksum it each time to make sure there is no bit-rot or file integrity issues. I do the same for TrueCrypt and use the exact same version of TrueCrypt. As a matter of fact, since I've done the exact same procedure so many times and I know TrueCrypt will ask me to burn a rescue disk, the very very FIRST thing I do after a fresh install of Windows 7 is to install WinCDEmu 3.6 even prior to installing TrueCrypt itself.

I even tried the SAME Windows 7 64bit DVD bootable disc on another computer (call it PC-B) that I have that is airgapped and never connected to the network at all, and used the EXACT same version of WinCDEmu resting on the exact same external usb storage medium with no problems and don't get the error messages.

So, my procedure is EXACTLY the same, nothing has changed. Prior to the suspected infection, I had at least THREE different times used the same procedure with the exact same software and on the exact same hardware configuration (PC-A) and never had any issues or errors.

Now, after the interdiction, I still use the exact same procedure, exact same hardware, exact same software and yet I get the persistent error messages. As a means of test/control, I even tried the exact Windows DVD install disc and the exact version (checksum) of WinCDEmu 3.6 on TWO separate computers, one that is airgapped and another one that is not airgapped and neither of them have any issues nor give the error messages.

And on the infected machine, when I try to proceed with the FDE and encrypt the host protected area, it will not work. It seems to work, but the next time I reboot the computer to do the "test", it does not recognize my password even though I am 100% sure the password is correct. In addition, the harddrive is a standard Seagate HDD, and this is all commodity hardware, but when I mounted the harddrive on a different machine, it would not correctly recognize it and I would not have been able to access it to clone the drive or extract any data. It seems to only work when mounted on the original device.

This is something I've never encountered before. Since I do at least a "one pass zero" to wipe the entire harddrive each time prior to reinstalling Windows, since there have been no hardware changes, and since I always install WinCDEmu prior to making any changes to the newly installed OS (prior to connecting to the Internet, updating drivers, installing any other application, etc.), the only thing that can possibly explain this bizarro behavior is that I've been interdicted and attacked by an advanced persistent threat such as the NSA.


SWAP • September 19, 2014 10:45 AM

I would not have caught this had circumstances not converged:


1) I am a bit OCD when it comes to reformatting computers. I tend to do it way more often than necessary. However, repetitive motion develops muscle memory. When you've done something N times, and on the (N+1)th and every subsequent time something has changed, you easily take note.

2) After installing Windows 7 from the same DVD each time (for consistency's sake), the first order of business is always to install WinCDEmu and then TrueCrypt 7.1a. Of course, during the install I don't have any other USB devices or connections; the PC doesn't even have wifi functionality, and no Ethernet cables are plugged in. I could see how I might have gotten an error message if I had messed around in msconfig/services.msc/gpedit.msc, or had installed other software, or had updated or installed firmware, BIOS, operating system or software drivers, but none of these is the case.

3) The really odd thing is this: seeing how I was unable to make a clone of the drive (even using hardware methods), as a test I mounted it in a different computer to see if it would let me install Windows 7 onto that harddrive. Using the bootable Windows 7 disc, it would boot to the first initial Windows 'energy logo' screen (right before the screen where you choose to install or upgrade Windows, etc.) and it would merely stay there for 60 seconds or more... just hang there and do nothing at all. Then, when it finally got past that part after at least about 60 seconds, it would get to the install/upgrade screen, I would choose to do a fresh install, and it would report back that the disk is not bootable and that Windows can't be installed on this disk (even though it is recognized by Windows and in the BIOS).

4) So on one of the tests, I got impatient and abruptly cut power to the computer while it was stuck at the Windows bootup screen (prior to the install/upgrade options screen) on that test computer. Then, the next time I power-cycled it and tried to restart/turn it on, it would not do anything at all, as if the BIOS were damaged, or as if the power had been cut off during the flashing of a BIOS.

How is this possible? Can the DVD-ROM drive's firmware itself be infected? If there is firmware malware on the infected HDD, and I mount it in another clean machine and try to install Windows 7 from DVD (the DVD obviously can't be contaminated), how could it possibly get the chance to jump from the harddrive or the harddrive's firmware onto the BIOS or other components of the other computer?

Here are two screenshots:

image.bayimg.com/0a91bdcdb399dbf4322f89582af86f3cf70998db.jpg

image.bayimg.com/b42874a45ecde2e24940d33511c7ba81a560e407.jpg
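The routine described in the two comments above (checksum the same installers before every rebuild) only tells you whether a file changed; it says nothing about the drive firmware, the DVD drive or the BIOS that run before that file is ever opened, which is exactly the layer the second comment is asking about. As an added illustration, not part of SWAP's comments and not code from any tool named on the page, the following Python script does the two checks a practitioner would want in that situation: it verifies install media and installers against a recorded SHA-256 manifest, and it diffs a before/after inventory of hardware and firmware identifiers (the kind of values you read from `smartctl -i` or `wmic bios get smbiosbiosversion`) so that a silently changed firmware revision shows up as a concrete difference rather than a hunch. All file names, hashes and identifier values in the demo are constructed.

```python
"""Manifest check for install media plus a before/after hardware inventory diff.

Added example. The file names, digests and identifier values below are
constructed for the demo; nothing here is taken from the commenter's setup.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a full ISO does not have to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_manifest(manifest, root):
    """Check every entry of manifest ({relative path: expected sha256 hex}) under
    root. Returns {relative path: 'ok' | 'mismatch' | 'missing'}. A 'missing'
    entry is reported rather than skipped: an installer that is no longer on
    the medium is as much a finding as one whose bytes changed."""
    results = {}
    for rel_path, expected in manifest.items():
        full = os.path.join(root, rel_path)
        if not os.path.isfile(full):
            results[rel_path] = "missing"
        elif sha256_file(full) == expected.lower():
            results[rel_path] = "ok"
        else:
            results[rel_path] = "mismatch"
    return results


def diff_inventory(baseline, current):
    """Compare two {identifier: value} inventories, e.g. drive model and
    firmware revision copied from 'smartctl -i', or the BIOS version from the
    setup screen or 'wmic bios get smbiosbiosversion'. Returns a sorted list of
    (identifier, old, new); None marks an entry present on only one side."""
    changed = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old != new:
            changed.append((key, old, new))
    return changed


def demo():
    """Run both checks on constructed data: two fake installers, one altered by
    a single byte, a manifest entry for an image that is not on the medium,
    and a drive whose reported firmware revision differs between two rebuilds."""
    good = b"installer bytes (constructed, not a real binary)\n" * 1000
    tampered = good[:-1] + b"X"  # one byte changed at the very end
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "WinCDEmu-3.6.exe"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(root, "TrueCrypt-7.1a.exe"), "wb") as fh:
            fh.write(tampered)
        manifest = {
            "WinCDEmu-3.6.exe": hashlib.sha256(good).hexdigest(),
            "TrueCrypt-7.1a.exe": hashlib.sha256(good).hexdigest(),  # recorded from the untouched file
            "win7-x64.iso": "0" * 64,  # constructed placeholder digest; file absent from this medium
        }
        file_results = verify_manifest(manifest, root)

    # Constructed identifiers; in practice copy them from smartctl / BIOS output
    # at the same point of the procedure every time and keep the baseline off-box.
    baseline = {"hdd.model": "EXAMPLE-HDD", "hdd.firmware": "REV-A", "bios.version": "F1"}
    current = {"hdd.model": "EXAMPLE-HDD", "hdd.firmware": "REV-B", "bios.version": "F1"}
    hw_changes = diff_inventory(baseline, current)
    return file_results, hw_changes


if __name__ == "__main__":
    files, hw = demo()
    for name, status in files.items():
        print(f"{status:9} {name}")
    for key, old, new in hw:
        print(f"CHANGED  {key}: {old!r} -> {new!r}")
```

The manifest and the inventory baseline are only worth anything if they were recorded on a machine you still trust and are stored off the box being rebuilt; a manifest that lives on the drive under suspicion can be edited along with the installer it is supposed to vouch for.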


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.