Regin: Another Military-Grade Malware

Regin is another military-grade surveillance malware (tech details from Symantec and Kaspersky). It seems to have been in operation between 2008 and 2011. The Intercept has linked it to NSA/GCHQ operations, although I am still skeptical of the NSA/GCHQ hacking Belgian cryptographer Jean-Jacques Quisquater.

EDITED TO ADD (12/10): More information.

Posted on November 25, 2014 at 6:57 AM • 103 Comments

Comments

Nicholas Weaver • November 25, 2014 9:15 AM

Kaspersky is confirming this as the malcode used in the Quisquater attack.

Wired states that it is "similar" to the Belgacom (known GCHQ program), while the Intercept identifies it as Regin (and provides a link to the presumed VirusTotal upload involved in the investigation of Belgacom).

There are also numerous other features that suggest NSA/GCHQ:

Regin is a complex, modular malcode framework which has a multi-stage bootstrap process to start up (or remove itself) and stores its later-stage modules on disk in encrypted virtual file systems.

It's designed as a plug-in architecture, where you have the base malcode and then programmable plugins for specific tasks. We know the NSA uses this sort of architecture for their malcode: UNITEDRAKE and STRAIGHTBIZARRE are specific frameworks for modular malcode referred to in the ANT catalog.

It's probably written by English speakers, and uses some NSA-like codewords internally (including all-caps), including LEGSPINv2.6, WILLISCHECKv2.0, HOPSCOTCH, U_STARBUCKS, 'shit', and initializing a CRC with 31337.

It injects a new root certificate into the target's certificate store.

One captured module was specifically to target Ericsson GSM base stations/control systems, and logs indicate it was being used against Afghanistan.


So yes, this not only appears to be NSA/GCHQ's malcode framework, but this malcode does appear to have been used to target NATO allies (Belgium, Germany) and NATO allied citizens (Quisquater).

Benni • November 25, 2014 10:32 AM

Spiegel gets its grip on Regin:

http://www.spiegel.de/netzwelt/netzpolitik/trojaner-regin-ist-ein-werkzeug-von-nsa-und-gchq-a-1004950.html

We should not call it Regin. We have to call several components of it Straitbizarre and Unitedrake that were published in the ANT catalogue by Spiegel.

"Regin" is an NSA malware, Spiegel says. And it can be "upgraded" with plugins. For example, there is a plugin to make it spy on phone networks. And there are plugins that make it jump air-gaps. It saves the data locally, waits until an administrator plugs in a USB stick, and then it spreads to the stick of the admin and from there, it searches for another computer, until it finds a connection from which it can upload.

Regin is operated over a clone of the Tor network and it gets deployed via Quantum Insert. 25% of all infections are telecommunication providers.

GCHQ has access to the Quantum Insert method. And Spiegel notes that it had previously revealed that NSA had access points at Deutsche Telekom and the provider Stellar. Asked by Spiegel, Deutsche Telekom says that they have known Regin for a long time. In Austria, where Regin was deployed, there is OPEC. Spiegel revealed that OPEC was attacked by the NSA via Quantum Insert...

Xor, The God of Binary Operations • November 25, 2014 10:35 AM

@Nicholas Weaver


Its probably written by English speakers, and uses some NSA-like codewords internally (including all-caps), including LEGSPINv2.6, WILLISCHECKv2.0, HOPSCOTCH, U_STARBUCKS, 'shit', and initializing a CRC with 31337.

shit is an NSA codeword?


Clive Robinson • November 25, 2014 11:02 AM

@ Bruce,

Whilst I can understand your skepticism over what may or may not have happened to Prof Quisquater, there is little doubt that the British via GCHQ and other agencies do spy on our European "allies", in the same way both the French and Italians have spied on the UK.

Primarily it has been for the economic National Security involving the arms industry. I myself have seen it at work first hand where the French were quite deliberately interfering with a contract-finalising demonstration of communications equipment. We tracked the French "diplomats" down and arranged for the host nation's military police to pick them up on trespass and espionage activities. It used to be so common it was like a game. Unfortunately it occasionally had very serious outcomes including death/murder and the downing of aircraft and ships etc.

It was well known that one major German electronics manufacturer was "at it" in the telecoms industry in one way or another. For instance, quite some years ago, to get a phone approved for use in Germany you had a choice: use the line chips from the manufacturer or get forced through every imaginable hoop to try and get approval. It was further known that the chip had a "defect in it" which allowed the microphone to be remotely accessed. I once asked one of the approvals inspectors why, with the known defect, any phone that used it got an automatic pass; he smiled and winked and said "economic security"...

Also, how do you think all the inside information for Stuxnet was obtained, by reverse engineering? Short answer: very, very unlikely, especially with the long-term espionage by UK security forces on the company; the information was well known long before the Stuxnet idea came about.

What has got the NSA and GCHQ's "panties in a wad" was the likes of the EU NESSIE program, in which they in effect became bystanders or at best "bit players", which made their usual "standards manipulation games" much more difficult to "finesse" (have you ever wondered why the NSA uses a term from British Bridge players, for a particular kind of sneaky misleading hand, as the name for their standards manipulation games?).

It's not at all surprising to find that various continental Europeans in the telecoms and computer and communications industries are being watched by the UK. It is after all the fundamental keystone of the "special arrangement" that the US values so highly.

As I've mentioned before, I've been subject to monitoring by a UK agency, that was thankfully fairly inept and thus easy to "set up" to "show their hand". Until I demonstrated it, the directors of the company I represented had assumed it to be so unlikely as to not be credible. The look of shock, horror and rage that rapidly crossed one of the Directors' faces when they saw the evidence would have been funny if it was not so serious.

As for the likes of the frameworks that this "intelware" is written for, don't make the mistake of thinking it's a US idea; it's almost certainly been cooked up as a collaborative effort amongst the various Five Eyes intel organisations. Interestingly, it is actually quite likely that the NSA is the "poor cousin" in this relationship. The reason is "job opportunities": for a gifted "black hat", job opportunities are considerably better in the US with other organisations than the NSA, which has a comparative shortage of such people. The same is not as true for the UK, thus the security services tend to have better access to the cream of such people.

So keep an open mind on things and, unlike the usual approach, only rule out that which you definitely can...

Benni • November 25, 2014 11:48 AM

More on Regin:
https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/

"The malware, which steals data from infected systems and disguises itself as legitimate Microsoft software, has also been identified on the same European Union computer systems that were targeted for surveillance by the National Security Agency."

"The Intercept has obtained samples of the malware from sources in the security community and is making it available for public download in an effort to encourage further research and analysis. "

Benni • November 25, 2014 11:58 AM

Ooops....

"In the coming weeks, The Intercept will publish more details about Regin and the infiltration of Belgacom as part of an investigation in partnership with Belgian and Dutch newspapers De Standaard and NRC Handelsblad."

(To download the malware, click here.....)


Ten years of developing... And all suddenly in vain.....

Chris • November 25, 2014 12:45 PM

This one is seriously important!

This is a serious threat and not by a small amount.
Spewing out that you agree is not going to help.
What is important is to find how it infects on l1 l2 l3 l4 l5 l6 levels.
This can in my opinion be only a few ...
- Israel
- Germany
- Iran
- China
- Uk
- Canada
- USA
Russia anywhere between above...

Still very interesting malware !!!
Remember this is on winbl0ws, not Android or iOS.

So all mitigations toward all levels need to get out rapidly.

Bob S. • November 25, 2014 12:51 PM

The Register et al are laying the blame on NSA/GCHQ/Five Eyes. Likely they are right. Apparently it didn't appear in the USA or England. That's a hint.

The theme I am seeing is that from lowly Podunk PD cops to the highest levels in government and corporations, those granted any significant power or authority now feel free to do what poor slobs like us would without doubt be sent to prison for decades for.

I am talking about everything from cops shooting dogs and unarmed teenagers to the US government assassinating American citizens. In the middle of murder, mayhem and torture are vast mass surveillance and tracking measures that are absolutely prohibited by law for Joe Sixpack. But when "they" do it all they must say is "it's legal", whether it is or not, whether a judge says so or not, and that's all there is to it.

We all know the difference between right and wrong. Indeed if you asked an average five year old about some of the atrocities going on now, they would know right from wrong.

I think we all need to insist governments and corporations foreign and domestic be held accountable for doing what is right, and what we all know is flat wrong.

It's a matter of principle, and not about some Orwellian interpretation of the fine print.

Chris • November 25, 2014 1:05 PM

Well, it won't help to mitigate the threat if you are on the internet
and a malware goes directly towards an IP.

But using a totally crazy approach here, where you don't have DNS at all
and only accept connections to certain IPs fixed by you via firewall,
then that is OK.

Well, sounds crazy but it works quite well.
Then at least the trojan cannot upgrade itself to levelx,
since there is no way out to the internet.

I hate this approach but I use it sometimes.
I am, though, paranoid.

All this is easy to do in VMs, just a different template.
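Chris's "no DNS, only fixed IPs via firewall" approach, written out as an added example that is not code from the post or from any commenter: a POSIX shell script that validates an allowlist of IPv4 addresses and emits a default-deny outbound nftables ruleset from it. The table and chain names, the permitted ports (22 and 443) and the 203.0.113.x addresses in the usage line are constructed assumptions; the `log` rule is there so that any implant trying to call out shows up in the kernel log rather than silently failing.

```shell
#!/bin/sh
# Added example, not code from the blog post or any commenter: generate a
# default-deny outbound nftables ruleset that permits traffic only to a fixed
# allowlist of IPv4 addresses and blocks DNS outright, so a host (or VM
# template) has no general path out to the internet. Table and chain names
# and the allowed ports are assumptions; adjust them to the service you need.
set -eu

# Return 0 if $1 is a well-formed dotted-quad IPv4 address, 1 otherwise.
# Rejects anything that is not digits and dots, so an injected "; nft ..."
# can never reach the generated ruleset.
is_ipv4() {
  addr=$1
  case "$addr" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  saved_ifs=$IFS
  IFS=.
  set -- $addr
  IFS=$saved_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print an nftables ruleset for the given allowlisted addresses to stdout.
# Returns 1 (printing nothing) if any address is malformed.
build_egress_ruleset() {
  [ $# -ge 1 ] || { echo "usage: build_egress_ruleset ADDR [ADDR...]" >&2; return 2; }
  elements=
  for host in "$@"; do
    if ! is_ipv4 "$host"; then
      echo "rejecting malformed address: $host" >&2
      return 1
    fi
    elements="${elements:+$elements, }$host"
  done
  cat <<EOF
table inet egress_allowlist {
    set allowed_hosts {
        type ipv4_addr
        elements = { $elements }
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        udp dport 53 drop
        tcp dport 53 drop
        ip daddr @allowed_hosts tcp dport { 22, 443 } accept
        log prefix "egress-denied: " drop
    }
}
EOF
}

# Usage (constructed TEST-NET-3 addresses):
#   build_egress_ruleset 203.0.113.10 203.0.113.11 > egress.nft
#   nft -c -f egress.nft    # syntax-check first, then load with: nft -f egress.nft
```

The chain hooks `output` with `policy drop`, so everything not explicitly accepted, including any DNS lookup, is refused; the `established,related` rule only lets replies to connections the host itself opened come back, and loopback is kept open so local services keep working. Because the generator refuses anything that is not a dotted quad, the allowlist can be fed from a config file without the risk of a stray token becoming part of the ruleset.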

TJ Williams • November 25, 2014 1:14 PM

The fact that Prof. Quisquater is the only _reported_ cryptographer to have been hacked may be a collateral effect of using Belgacom services.

However, more cryptographers and scientists may have been targeted because they potentially have information of direct interest for NSA/GCHQ, they just may have not noticed.

Regarding the use of codewords and dirty words: why is GCHQ called GCHQ ?
Because all other 4 letter words were taken...

Alex • November 25, 2014 1:20 PM

There are a lot of RAT tools like this out in the wild, probably installed on more than 90% of the Windows computers. Either made by states or by cyber criminals (GameOver or other Zeus variants), they all take complete control of the victim computers without visible traces.
Acting at OS level as rootkits with valid certificates, they are completely hidden and can provide everything from camera and microphone control to keyloggers and air gap routines.
All antiviruses don't even report anything suspicious; they are very hard or impossible to detect even for a professional with the proper tools. You can recon abnormal behavior like small delays because of disk swapping of a screen capture, or a blue crash screen, or network traffic during some idle period; still it is extremely hard to isolate the binaries (they also have auto-erase on detection attempts, for example).
Basically, anyone can be framed with some child photos or some other kind of documents, anyone can be made vulnerable as they make use of zero-day entries.
My belief is that they moved the focus of installing such things from internet to back-doors in operating system and hardware (routers, BIOS, CPU etc). So nothing you can do to protect anymore.

Benni • November 25, 2014 1:48 PM

"The fact that Prof. Quisquater is the only _reported_ cryptographer to have been hacked may "

No. Quisquater told the press that several others of his colleagues were attacked too.

http://www.pcworld.com/article/2093700/prominent-cryptographer-victim-of-malware-attack-related-to-belgacom-breach.html

"It’s not clear what the attackers were after, but Quisquater said he wasn’t the only target. Other cryptographers were targeted in attacks with the same source, but with different vectors, he said."

Furthermore, attacking academic cryptographers is a top priority of NSA. At least that is what whistleblower Binney said at the German parliament:

Question: Can somebody who works on cryptography in Germany be targeted by NSA?
Binney: Yes, NSA does that. But journalists are attacked too in order to get their sources. Cryptographers are prime targets for NSA.

https://netzpolitik.org/2014/live-blog-4-anhoerung-im-nsa-untersuchungsausschuss/

Christian • November 25, 2014 2:28 PM

I like William Binney's comparison of surveillance to the American Civil War.

It is like in the past.
Through secret services a line is drawn in the sand, and anyone who is on the wrong side is not deemed to deserve full rights (surveillance), is a subhuman (Nazi regime / colonialism) or even a slave.

We survived slavery two centuries ago! We survived fascism in the last century!
Are secret services our new threat to survive this century? They appear to be power hungry and capable of countless atrocities. Reading the news, they seem to be capable of spawning more terror and more wars. And doesn't the incentive exist for them to do so? Wars and terror after all represent arguments for them to demand more power!

Jacob • November 25, 2014 4:32 PM

An extremely important fact about Regin, albeit not getting the spotlight it deserves, is that although at least 3 major anti-malware vendors (in the US, in Russia and in Finland) had fairly detailed info about it for years(!), they all came out trumpeting its existence and capabilities within a couple of days of each other.

I've been wondering about this.
Then, in a response to a tweet directed at Mikko Hypponen ""We first encountered Regin nearly six years ago in early 2009,” … why wait so long to talk about it?"

he replied enigmatically:
"Then with the later Regin cases, when we were able to connect the dots, we couldn't talk about it for other reasons"

Can a major Intelligence Agency influence the AV detection and disclosure of state-sponsored malware, weighing so heavily on 3 companies residing in such different jurisdictions?

Aldritch • November 25, 2014 4:49 PM

Funny, no one's spotted the linux version. I submit there isn't one: too much risk of detection due to idiosyncratic user customization and concomitant attention to the workings. If any target justified the increased risk of exposure, TAO would design a bespoke attack. Servers and individual victims subject to "interdiction" would be handled by tampering with BIOS. Other attacks would focus on specific applications.

NSA is a dog-and-pony show. They can do without what's actually needed as long as they have some crowd-pleasing samples to induce demand for their product. Though they're often high-value targets, Linux users are too much trouble.

FluffytheObeseCat • November 25, 2014 5:38 PM

"Can a major Intelligence Agency influence the AV detection and disclosure of state-sponsored malware, weighing so heavily on 3 companies residing in such different jurisdictions?"

If the political/military leadership in those jurisdictions were sharing the benefit of the intelligence gathered, why not? You would expect they'd all place similar pressure on private entities within their spheres of influence.

Regarding a piece of malware like this on an EU system in Belgium? There are clear potential benefits to the Five Eyes perhaps, just none that they'd likely want to share with Russia. There isn't much reason why that would result in publicity though. The Russians might not particularly care about our traditional practice of dicking with our Continental allies. They might not consider it worth their while to allow any actions that reveal the extent of their knowledge of how we operate. Certain actors' quiet knowledge (sans publicity) could persist for years.

The public is not very important to the doyens of the Deep State. Not in any society. We're a nuisance, not a client. A particularly despised cash cow.

Xor The God of Binary Operations • November 25, 2014 9:48 PM

@Jacob

I've been wondering about this. Then, in a response to a tweet directed at Mikko Hypponen ""We first encountered Regin nearly six years ago in early 2009,” … why wait so long to talk about it?"

Because he wanted to avoid lying, since he "couldn't talk about it for other reasons". But what he is saying is in direct conflict with F-Secure's response to "Bits of Freedom" on November 1st, 2013.

Their response to "Bits of Freedom" can be seen here:
https://www.f-secure.com/weblog/archives/00002636.html


By the way, interestingly on this page...
https://www.f-secure.com/en/web/labs_global/about-labs

...F-Secure states (under "Policy on detecting spying programs developed by various governments") that:

We would like to state this for the record, as we have received queries regarding whether we would have the guts to detect something obviously made by a known violent mafia or terrorist organization. Yes we would.

Now of course the above statement is formulated to sound more like "yes we would detect something made by mafia or a terrorist organization".

Anyway, what is probably going on is that F-Secure gets their marching orders from a government (Finland) that is in bed with the US and UK.

That is why we had the case with "Flame", that Bruce Schneier wrote about here:
https://www.schneier.com/blog/archives/2012/06/the_failure_of_3.html


Note that F-Secure and others had samples of Flame; they just didn't do anything about them.

JonKnowsNothing • November 26, 2014 3:15 AM

@Jacob @Xor The God of Binary Operations

It is likely that all the major antivirus companies have been co-opted by their national security services for a long time. A really long time.

It's statistically not possible that they never once encountered a QUANTUM hack given what we know about the millions of computers, of all types, that have been targeted and the owners who have been tasked and their friends of friends of friends on the chain-link who get tasked too. (3 hops plus 6 degrees or less)

There is currently a nasty bug in the new Norton Security program (2015) that they've known about for months. It prevents "some" systems from shutting down - for 20 min to 6+ hours. There are others that reboot every 20 minutes or so. There are machines that have no issues and shut down normally or do not reboot, but there are others that take a very long time for shutdown or are no longer stable enough to stay on line. The Norton folks have acknowledged the bug but there's no ETA and no workaround and no explanation. They claim they missed it in testing... I don't think so.

I think they tripped dormant NSA-style implants on many machines. And part of their problem is that they cannot say what it is they stumbled into due to NSL (US National Security Letters) or other restraints (eg FISC orders).

It's a wonder that they are allowed to pretend to catch anything at all, and we know that companies are moving away from preventative blocking to reactive cleanups as there's more money in reclaiming systems from what they cannot block, with the NSA and malware companies using crypting services as the main defeat. But even if they do a cleanup they will still be sitting on the same NSLs that prevent them from notifying the tasked targets that they have such implants.

Given the extensive list of what we now know (JTRIG/QUANTUM/ANT) and the decades of complicity by the entire computing industry - software and hardware - the AV industry certainly knows much more than they are willing to take the risk to tell us.

They just hope no one notices that they have a big FAIL marked on their foreheads, for which, as General Hayden said, they will willingly send a drone for a visit should they get out of line (We kill people based on metadata).

It's like seeing the images of the Cisco Routers being reflashed and not ONCE did Cisco look to see why a mega-dollar router crashed at a client's? They didn't once notice that someone had changed their firmware or loaded something up in their bios doing a post mortem on a dead router? Not even a tiny look see to see what failed? And we know that such systems crashed - because the NSA knew before Cisco that the router was bricked.

Not even plausible deniability will work anymore. Better to go with what we know... they messed the entire system up and what they haven't messed up, corporate greed will finish off.

jon • November 26, 2014 3:37 AM

If Jean-Jacques Quisquater is a target, then why not Bruce...

Bruce must have already been co-opted. Remember those weird postings way back? A side effect of mind-control techniques. Bruce's wife might be an NSA spy.

fajensen • November 26, 2014 7:46 AM

@Bob S.

If "they" were doing "the right thing" - properly, one might add - there would not be a need for secret laws, secret courts and secret jails.

tom • November 26, 2014 7:57 AM

Anti-virus companies are bragging about how long they have known about Regin, not realizing this makes them look like total jerks in the eyes of their infected clients.

However there are little clients and big clients -- and nobody is a bigger client of an AV company than the govt.

So who gave them the green light to all go forward simultaneously? Well, they were told to wait on disclosing this particular trojan until a complete replacement for Regin was available and deployed.

Parts of it were becoming obsolete as newer OS for microsoft, apple, phones replaced older devices.

TLAs with unlimited budgets would always have a replacer under development in case the current model gets exposed. That replacer might use analogous architecture concepts, and phishing never really changes.

In fact, like Kaspersky Lab said, they already found a 'magnet' computer with 4-5 of these systems happily co-existing.

So yes, you can free up some hard drive space by cleaning out Regin but otherwise not gain any ground.


Jean-Jacques Quisquater • November 26, 2014 9:20 AM

I'm also skeptical. Not sure at all that this blog is written by Bruce. Please give me a proof. Remotely everything is possible. Skeptical is the best possible posture for people working in security (Is my password secure? I'm skeptical. Is AES secure? I'm skeptical. Is Bruce serious when he is saying he is skeptical? I'm skeptical).

Yes, there are many traces that I was targeted and attacked by a malware like Regin, but I'm not alone at all. My name was cited because at that time (February 2014) I was a well-known cryptographer (in Belgium), not at all because I was the only one to be targeted. I received several direct and indirect proofs but I don't want to comment on them here.

Let's continue to be skeptical. Security is at that price.

skeptical Jean-Jacques Quisquater • November 26, 2014 9:25 AM

Not sure at all that Jean-Jacques Quisquater wrote his last comment. I'm skeptical.

Ned • November 26, 2014 9:42 AM

@Bruce

Have you been aware that the NSA whistleblower Binney said at the German Parliament that cryptographers are prime targets for NSA, as referenced by Benni above? Does that still leave you skeptical?


@Jacob

"Can a major Intelligence Agency influence the AV detection and disclosure of state-sponsored malware…?"

I guess you pose this as a rhetorical question since the answer is obvious from what you wrote before posing it.

Another illustration: what to make of the fact that, as of today, the 'Best Overall/IT/Corporate Security Blog' - Naked Security, the source of 'award-winning security news' by Sophos, has yet to even mention this particular malware disclosure? Should we infer they are so compromised that everyone should ditch their free AV/security tools for Android and Mac?

JonKnowsNothing • November 26, 2014 10:14 AM

I have no "proof" that anyone is tasked (eg targeted), Jean-Jacques Quisquater, Bruce Schneier or anyone else.

What we do know is that the NSA/GCHQ have a program: "I HUNT SYSADMINS". We also know that they DO target engineers and people with inside knowledge of internet infrastructure, as reported with the video TREASUREMAP.

http://www.spiegel.de/international/world/snowden-documents-indicate-nsa-has-breached-deutsche-telekom-a-991503.html

https://firstlook.org/theintercept/2014/09/14/nsa-stellar/

video: Chokepoint http://vimeo.com/106026217

What we do know is they have a very strong interest in tasking anyone that can lead them further inside organizations that have NOTHING to do with terrorism. They just want all the data, all the time, on demand, real time, held forever

In the USA, the longest retention period is held by the FBI at 30 years. The 2 years retention they are currently demanding from the ISPs and the 2 year retention by the NSA are fake limitation periods. It's 30 years, real-time, on demand.

I would be very surprised if Bruce Schneier was NOT a target. I would also not be surprised to find everyone who has ever read or commented on his blog are also targets.

Wouldn't you target dissidents, like those who post here, if it was your job? I sure would and I would be sure to know what you fed your dog and/or cat, not to mention what time you left the house for work or when you were at home so your work place and home was available for "cleaning".

No one questions the janitor you know... even when they are carrying large bundles of black garbage bags.

jon • November 26, 2014 10:27 AM

yup, this blog is like a giant honeypot to expose hot targets. Bruce is like the Edward Snowden of the security community.

Clive Robinson • November 26, 2014 10:36 AM

@ Ned,

Should we infer they are so compromised that everyone should ditch their free AV/security tools for Android and Mac?

No, because all of those platforms are just as insecure as each other. On the --very big and unlikely-- assumption that the perps have only made a Windows malware, how long would it be before, like other malware writers, they see the tipping point on the ROI of other platforms?

But there is a further question we should be asking of AV vendors, which is not "were they complicit?" but "was their level of complicity such that they actually aided the agencies?".

That is, was it just the AV companies turning a blind eye, or was it the AV companies actually putting in backdoors the agencies could use, either directly in their product or letting them have copies of update signing keys?

Personally I assumed many, many years ago that the AV companies were by no means up to the job of stopping malware authors, and were at best reactive only to malware that was "obvious" in nature.

The solution is to have two entirely separate computing platforms, one for private work and one open for all comers. The private platforms kept entirely air-gapped even from each other. The open ones protected as best as possible, used for "near harmless" web browsing and never to have PII or any kind of financial information on them.

Back then in the mid 1990s I was considered "paranoid" by many, including my bank that was trying to shove "online banking" down my throat. The rest, as they say, is history: I was not paranoid but "cautious"; they however at best were "reckless".

But even on this blog, when I've said you need to use encryption on entirely separate computers that don't ever get connected to communications systems, I was in effect questioned as though I might be paranoid... some of those commenters are still here, I wonder what their view is today?

Nick P • November 26, 2014 12:09 PM

This blog is Bruce's blog and nothing else. Bruce has also taken risk of prison time by publishing classified information that hurts Five Eye's mission. His only call for action was hitting them politically and with pervasive security/encryption at every layer. His commenting policy attracts many people sharing diverse ideas, some technical. A number seemed to end up in products or something later, indicating good quality.

Even if he was compromised, he continues to keep the blog up and it has more methods of stopping nation-state attackers than anywhere else. Exactly what the NSA wants, right?

Wael • November 26, 2014 12:31 PM

@Clive Robinson,

But even on this blog when I've said you need to use encryption on entirely separate computers that don't ever get connected to communications systems I was in effect questioned as though I might be paranoid... some of those commenters are still here, I wonder what their view is today?
I concur. This is one example of agreement as a reply to @sadclown666. I had other similar posts that your paranoid Excellency thought were still too weak ;)

By the way, it's OK to be paranoid. Being paranoid is not only OK, but also inevitable, given all the news we've been seeing lately. As an old saying goes: After you've been burned by hot soup you blow in your yogurt...

Grauhut • November 26, 2014 1:15 PM

I am sure this blog is abused as a honeypot, but I don't mind; I am a sysadmin, Tor user, a friend of network freedom and a friend of peace. I am on many of their lists and that's OK.

More attacks, more attack logs. :)

@keiner ""shit" is the alias for NSA..."

Now that you mention this, 31337 is not an alias but a well-known RAT port. Does somebody know for whom the hall-of-fame rat pack actually works? Since the duqu oo c com module appeared I ask myself how many old-school hackers are now cashing in...

Justin • November 26, 2014 1:28 PM

"entirely seperate computers that don't ever get connected to communications systems"

Didn't the Iranians have entirely separate air-gapped systems that they used to control the PLCs that ran their centrifuges? Yet they got infected with Stuxnet...

Similar malware could target air-gapped systems that run crypto---before the internet was popular, computer viruses used to spread on floppy disks. To be really secure, you would need to have two air-gapped systems---one that does crypto and only crypto, and a separate one to work on the plaintext of your encrypted files.

But your working system still wouldn't be trustworthy... because you can't trust an untrusted computer system that receives or works with untrusted data or programs from the outside---all you can do is try to make sure it doesn't have the opportunity to leak any secret information out.

Grauhut • November 26, 2014 1:57 PM

@Clive @Wael @All Reg. "economic security"...

Does somebody know how much .gov-malware-acquired econ intel ends up in systems like BlackRock's Aladdin? Or BoE's CBEST? CBEST smells a little like "If GCHQ does not deliver we will have some DIY work to do" because of econ sec... ;)

Wael • November 26, 2014 3:17 PM

@Justin,

But your working system still wouldn't be trustworthy... because you can't trust an untrusted computer system that receives or works with untrusted data or programs from the outside---all you can do is try to make sure it doesn't have the opportunity to leak any secret information out.
Here is a somewhat brief description of high level design for a specific use-case.

Jacob • November 26, 2014 3:37 PM

From mashable.com:

"But until now no one has publicly disclosed details of this cyberespionage campaign. Why?

Symantec's Thakur said that they had been investigating Regin since last year, but only felt "comfortable" publishing details of it now.

Raiu, the researcher from Kaspersky, said they had been tracking Regin for "several years" but rushed to publish the report after a journalist contacted them last week asking for comments about Regin, indicating a competitor was about to come out with their own report.

For Prins, the reason is completely different.

"We didn't want to interfere with NSA/GCHQ operations," he told Mashable, explaining that everyone seemed to be waiting for someone else to disclose details of Regin first, not wanting to impede legitimate operations related to "global security."

Mikko Hypponen, a renowned security expert and chief research officer for F-Secure, said that while they had detected some parts of Regin since 2009, they were not at liberty to discuss their discovery due to confidentiality agreements with customers who asked them not to publish details of hacks they suffered.

@dakami @jeremiahg In our case, "other reasons" means customer confidentiality. Not governments trying to shut us up.

— Mikko Hypponen (@mikko) November 24, 2014

Both Symantec and Kaspersky denied having ever been asked by anyone, including governments, to withhold information related to Regin. "

WaelNovember 26, 2014 3:47 PM

Regin: Another Military-Grade Malware

I understand what military grade security may mean. Military grade Malware? How is that different from other types? Stealth? Command and Control? Just wondering what makes a piece of Malware "Military Grade".

GrauhutNovember 26, 2014 4:00 PM

@Wael A salad bowl is not enough! In an infosec environment you need a full metal Darth Vader helmet! :)

eelus.com/wp-content/uploads/2014/03/Vader_1.jpg

WaelNovember 26, 2014 4:46 PM

@Grauhut,

[...] metal Darth Vader helmet!

Now that's the Galaxy-Class protectionware needed to fight Military-Grade crapware :)

GrauhutNovember 26, 2014 4:52 PM

@Wael "Paranoid Answer: 100%"

One doesn't need to be paranoid to see that there is a very short and possibly pretty legal data path from the NSA to Blackrock when it comes to econ sec.

The FED is part of the President's Working Group on Financial Markets, aka Plunge Protection Team, so they may request data from .gov agencies and they use Blackrock's Aladdin system to hedge their bad bank portfolios. Now calculate the hops. Add one for the DoC OES.

"The heads of Executive departments, agencies, and independent instrumentalities shall, to the extent permitted by law, provide the Working Group such information as it may require for the purpose of carrying out this Order."

"The primary near-term security concern of the United States is the global economic crisis and its geopolitical implications." – Intelligence Community Annual Threat Assessment, February 2009

The "extent permitted by law", how much is this, in times of an economic crisis, that is officially recognised as a number one security threat... ;)

JonKnowsNothingNovember 26, 2014 7:42 PM

@Jean-Jacques Quisquater

In that respect the biggest honeypot is likely LinkedIn.

IIRC the "I HUNT SYSADMINS" documents show they target anyone on LinkedIn that has any tech background info. They select through the LinkedIn system to find anyone that has SysAdmin or similar wording on their resumes.

From LinkedIn with a bit of Google-fu, they know a great deal about you before they even have to open an official query.

Once you have been IDed by them, you get added to their database of SysAdmins that they can target now or later. They keep a stable of names at the ready. From that point, you will be tracked through every job you ever get.

The advantage of Hunting SysAdmins on LinkedIn is: YOU tell them everything that they want to know about you... For Free.

And if they successfully get an implant onto your system - since you, as a SysAdmin, have the "keys to the kingdom" ... Bob's Your Uncle.

Of course they can target the folks drinking coffee at Starbucks too and get the implant carried home that way. It just takes a bit longer to filter up through the system to the SysAdmin.

LinkedIn is the NSA's phone home directory.

Dirk PraetNovember 26, 2014 8:13 PM

@ Jacob

@dakami @jeremiahg In our case, "other reasons" means customer confidentiality. Not governments trying to shut us up. — Mikko Hypponen (@mikko) November 24, 2014

I do understand the confidential nature of the relation between a customer and vendor/service provider as well as the rigid legal contracts with which it is informed (NDA), but this really is a weak excuse that raises ethical questions. Is an MD not going to violate medical secrecy when he finds a patient to be infected with a lethal and highly contagious disease? Even under the seal of confession in Catholicism, there are limited cases where portions of a confession may be revealed to others, be it with the penitent's permission and always without actually revealing his/her identity.

F-Secure - and all others for that matter - could easily have incorporated Regin's signature (or parts thereof) in their AV products without mentioning any name or source whatsoever. You don't have to be paranoid to know for a fact that none of them are going to publish anything without government consent for fear of reprisals. The only real question here is why Symantec decided to go public with it after all. Perhaps they're just losing customers faster than a cheetah leaving a salad bar and some genius in marketing came up with this idea to restore faith in the integrity of the company and the quality of their security solutions.

BenniNovember 26, 2014 8:14 PM

One reason NSA had developed an interest in Quisquater may be this:

Well who are the people who work at NSA? Here is some clue:
http://cryptome.org/2014/09/nsa-crc/nsa-crc.htm

"The CRD was a private independent think tank dedicated to help NSA with cryptological projects. Co-located at Princeton University's John von Neumann Hall, the site had been led by a professor of mathematics at Cornell University" "Selected as CRD's first director was Dr. J. Barkley Rosser, fifty, a professor of mathematics at Cornell and a specialist in numerical analysis. Chosen as his deputy, however, was Dr. Richard A. Leibler, forty-four, a five-year employee of the Puzzle Palace and a chief architect of Project Focus. A former mathematician with the Sandia Corporation who had also taught, at various times, at the University of Illinois (where he became friends with another math professor, Dr. Louis W. Tordella), Purdue, and Princeton, Leibler was primarily interested in probability and statistics. He apparently enjoyed what he once referred to as "our lonely isolation in Princeton."

And now, what does a Princeton mathematics professor reply, when you ask him: "What is the most important task in national security?"

Yep, that is clearly work like this: http://goo.gl/Gs1AXv

And soon a hacker group is ordered to deliver all articles from this author to the mathematics group at NSA before they land on preprint servers or journal homepages...

Note that when Binney says: "Cryptographers are prime targets" then that means every university with a computer science department has one, or several prime targets...

In Germany, they developed their interests in research topics long ago. In 1970, BND and BVs liked to plant bugs in the homes of nuclear physicists in Germany: http://www.spiegel.de/spiegel/print/d-50110016.html That was forbidden. Now they search through every email that contains the word "atom" http://www.spiegel.de/spiegel/vorab/anwalt-klagt-gegen-durchleuchtung-von-e-mails-durch-den-bnd-a-960203.html BND wanted to sue wikileaks after it published IPs from BND servers. It turned out that from these IPs wikipedia was edited. Especially of BND interest were apparently Instanton solutions of Yang-Mills theory.... https://wikileaks.org/wiki/Die_Deutsche_Telekom_und_ihr_Kunde_BND If BND wants to be up to date with these topics, it has to get its information somewhere. And that somewhere is probably most easily obtained by bugging laptops of physicists....

fajensenNovember 27, 2014 4:04 AM

@Aldritch ... Funny, no one's spotted the linux version

Maybe they did. No one exactly mentions which types of "Ericsson GSM Control Systems/Basestations" a module exists for.

A large number of Ericsson systems are built on top of a customised and heavily regression tested SUSE Linux system. The new Ericsson AXE-301 platforms, for example, use an AXE-301 "Classic" VM on top of SUSE Linux to run its roughly 30-year-old Erlang application software.

The management system is one (1!) Windows Server "Blade" and manglement wanted all the hardware to be identical, no variants*.

This design of course means that there is less of a need for a Linux Version.

If the system management server is borked, then "they" will have access to things like the "Lawful Interception Interface", which can copy & redirect all traffic and things like MPLS to override routing tables. At the time we argued a lot about why the heck one could not just run the damn Windows Server inside a VM on a Linux-Only blade (like the Erlang stuff).

Maybe this was "why"; "they" needed a PC-like OS with PC-like "chips".

*) This really caused a lot of development trouble because instead of being able to boot straight up with a Linux-BIOS, we had to tap-dance around many, many quirky BIOS screw-ups just to be able to keep a persistent memory area through reboots. This is used to hold the call-database etc. so the system can crash and reboot in 6 seconds, and not drop active calls. "Fast restart" was how we made it reliable.

fajensenNovember 27, 2014 4:28 AM

@Dirk Praet
@dakami @jeremiahg In our case, "other reasons" means customer confidentiality. Not governments trying to shut us up. — Mikko Hypponen (@mikko) November 24, 2014

This makes perfect sense when the customers are indeed the NSA et al., which are strictly speaking not "governments". Spin-Speak!

Anti-virus software sniffs through and classifies all of your stuff, it monitors emails and network traffic in general, running processes, often it controls the boot process, and it even has a convenient interface for loading new functionality.

The target installs this software and even pays for its operation and maintenance!

Anti-virus software is the perfect global back-door; of course an NSA or GCHQ or BND would stoop to handing over suitcases full of EUR-notes in hotel rooms to "own" the major brands.

But I suspect that they haven't even done that. I believe that the TLAs simply send a list of requirements, they got a price back, a commercial contract was drawn up, and surveillance and "non-detection"-capabilities were built into the products sold as "securing the users' data" - while doing the opposite all along!

The rats, quislings and snitches are Everywhere! Like in the DDR!!

65535November 27, 2014 4:58 AM

I am at the bottom of the thread. Most of my points have been covered by others. I will make my comments short.

“Now that you mentioned this, 31337 is not an alias but a well known RAT port... “ – Grauhut

Yes, that is a known port for the infamous Back Orifice RAT. It's also the "leet" trademark.

https://en.wikipedia.org/wiki/Back_Orifice

I think Winter points to the Symantec paper which indicates 31337 is the initialization vector [or seed] for the Command and Control Server infrastructure [it is more artifacts which give us clues].

"…ICMP: Payload information can be encoded and embedded in lieu of legitimate ICMP/ping data. The string 'shit' is scattered in the packet for data validation. In addition, CRC checks use the seed '31337'…"

Page 12 of Symantec white paper:
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf

I would also say this is a really customizable "attack platform" using mostly P2P communications, encryption, utilizing layered or non-standard routing. "Regin" looks and feels like a Nation State Sponsored project. Instructive is the P2P network – which maybe experts like Nick or Clive could look at as a viable alternative to Tor.

"There are a lot of RAT tools like this out in the wild…Either made by states or by cyber criminals (GameOver or other Zeus variants)…" -Alex.

You got that right. Ratters have been running victims' computers for a relatively long time. With the takedown of ~15 people in the last week I am wondering if Nation States [Cough… NS@/GCH@ ] are feeling some competition.

@ Clive, Benni, Jacob, Xor The God of Binary Operations, JonKnowsNothing, Tom and others:

'...there is a further question we should be asking of AV vendors, which is not "were they complicit?" But "was their level of complicity such that they actually aided the agencies?". That is, was it just the AV companies turning a blind eye, or was it the AV companies actually putting in backdoors the agencies could use, either directly in their product or letting them have copies of update signing keys? …I assumed many many years ago that the AV companies were by no means up to the job of stopping malware authors, and were at best reactive only to malware that was "obvious" in nature.' –Clive

Exactly!
This has the stench of Antivirus Vendors [Including Microsoft] and Certificate Authorities turning a blind eye to bogus certificates!

"All the stage 1 modules for 64-bit systems were signed with fake digital certificates. The two fake certificates are identified are supposed to [belonging] to Microsoft Corporation and Broadcom Corporation…" –Kaspersky Lab

See Kaspersky's white paper page 6:
https://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf

My take is “Stage 1” is important to the entire RAT Attack Network to function [By now the new makers or new versions of this platform probably don’t need to use bogus certs anymore].

Nation States that frequently use bogus Certificates to infect victims computers will eventually shoot themselves in the foot [or shoot their respective governments in the head]

This is outright fraud [and forgery]. These certificates are the pillars of our IT trust model [as a stamp of authenticity – for code signing and financial transactions].

Can you imagine going to a large bank like Ch@se and withdrawing $1.0k in bills and taking that money on a trip to a foreign country – only to be alerted that your bogus bills were not acceptable in said country? Worse, making an international call to Ch@se to demand a reimbursement for the bogus bills – only to be told “Sorry, but we cannot help you – all I can say is we operate within the law.”

That would anger you and cause you [and your friends] to withdraw all of your money – possibly sparking a run on that bank.

Bogus Certificates are a huge danger to our economic well being!

[Next]

“I'm also skeptical. Not sure at all that this blog is written by Bruce… Yes, there are many traces that I was targeted and attacked by a malware like regin but I'm not alone at all. My name was cited because at that time (February 2014) I was a well-known cryptographer (in Belgium), not at all because I was alone to be targeted.” - Jean-Jacques Quisquater

For the record you and your associates were targeted? Yes?

I will let Nick answer it:

"This blog is Bruce's blog and nothing else. Bruce has also taken risk of prison time by publishing classified information that hurts Five Eyes' mission. His only call for action was hitting them politically and with pervasive security/encryption at every layer. His commenting policy attracts many people sharing diverse ideas, some technical. A number seemed to end up in products or something later, indicating good quality. Even if he was compromised, he continues to keep the blog up and it has more methods of stopping nation-state attackers than anywhere else." –Nick P

I agree.

We understand that this blog is a target for the intelligence community. Thus, you post with care and take your chances [excuse all of my poor grammar and spelling errors – I don’t post often].
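The Symantec passage quoted above (ICMP payloads carrying encoded data, a marker string, a CRC seeded with 31337) is the kind of indicator a network defender turns into a triage rule. The following is an added example and is not code from the thread, from Symantec or from Kaspersky: it parses ICMP echo messages, verifies the RFC 1071 checksum, and compares the payload against the baseline patterns that ordinary ping clients send, flagging the marker string and any payload that matches no known client. The baseline payload patterns (the Linux iputils layout of an 8-byte timestamp followed by bytes 0x10, 0x11, ... and the 32-byte Windows alphabet pattern) are assumptions about common ping clients, and all packets are constructed inline for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Assumed baseline payloads of common ping clients (not from the thread):
# Windows ping sends a fixed 32-byte alphabet pattern; Linux iputils ping
# sends an 8-byte timestamp followed by the bytes 0x10, 0x11, ... 0x3F.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_TAIL = bytes(range(0x10, 0x10 + 48))

# Marker string that the Symantec analysis quoted in the thread reports
# inside Regin's ICMP payloads.
MARKER = b"shit"

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


@dataclass
class IcmpEcho:
    icmp_type: int
    code: int
    checksum: int
    ident: int
    seq: int
    payload: bytes
    checksum_ok: bool


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(ident: int, seq: int, payload: bytes,
                    icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Build a well-formed echo message; used here only to construct samples."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp_echo(raw: bytes) -> Optional[IcmpEcho]:
    """Parse an ICMP echo request/reply and verify its checksum."""
    if len(raw) < 8:
        return None
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    # Recompute over the message with the checksum field zeroed.
    zeroed = raw[:2] + b"\x00\x00" + raw[4:]
    return IcmpEcho(icmp_type, code, csum, ident, seq, raw[8:],
                    icmp_checksum(zeroed) == csum)


def classify_payload(payload: bytes) -> str:
    """Match the payload against known-benign client patterns first."""
    if payload == WINDOWS_PING_PAYLOAD:
        return "windows-ping"
    if len(payload) == 56 and payload[8:] == LINUX_PING_TAIL:
        return "linux-ping"
    if MARKER in payload:
        return "marker-string"
    return "unknown"


def triage(packets: List[bytes]) -> List[str]:
    """One verdict per packet: not-echo, bad-checksum, or a payload class."""
    verdicts = []
    for raw in packets:
        pkt = parse_icmp_echo(raw)
        if pkt is None:
            verdicts.append("not-echo")
        elif not pkt.checksum_ok:
            verdicts.append("bad-checksum")
        else:
            verdicts.append(classify_payload(pkt.payload))
    return verdicts


# Constructed sample traffic: two ordinary pings, one payload carrying the
# marker string, one unexplained payload, and one corrupted packet.
SAMPLE_PACKETS = [
    build_icmp_echo(0x1234, 1, b"\x00" * 8 + LINUX_PING_TAIL),
    build_icmp_echo(0x0001, 2, WINDOWS_PING_PAYLOAD),
    build_icmp_echo(0x4242, 3, b"\x00\x01" + MARKER + b"\x00" * 10),
    build_icmp_echo(0x4242, 4, bytes(range(200, 232))),
]
_corrupt = bytearray(build_icmp_echo(1, 5, WINDOWS_PING_PAYLOAD))
_corrupt[-1] ^= 0xFF  # flip a payload byte without fixing the checksum
SAMPLE_PACKETS.append(bytes(_corrupt))

if __name__ == "__main__":
    for raw, verdict in zip(SAMPLE_PACKETS, triage(SAMPLE_PACKETS)):
        print(f"seq={struct.unpack('!H', raw[6:8])[0]} -> {verdict}")
```

On a real sensor the "unknown" and "marker-string" verdicts would be rate-limited and correlated per host pair rather than alerted on individually, since many legitimate tools send custom ICMP payloads; the point of the baseline match is that whitelisting known client patterns first keeps the anomaly set small enough to review.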

Clive RobinsonNovember 27, 2014 6:47 AM

@ Wael, Grauhut,

I agree a salad bowl is no good, whilst it will reflect from those above, what about attacks from below where it will behave like a parabolic dish with a focus point around about your primitive "monkey brain" to make you act before you can think...

Even the Darth-Vader is not going to be enough, you need a full body suit, like a Dr Who Cyberman, or for those who can only get the "economy model" a medieval "iron maiden", just remember to knock the spikes out first or it'll be on the "aftermarket sales" list before you can blink ;-)

WaelNovember 27, 2014 7:14 AM

@Clive Robinson,

a focus point around about your primitive "monkey brain"

Primitive Monkey Brain! Lol.

AldritchNovember 27, 2014 8:29 AM

@fajensen, thanks, v. apposite and consistent with Ericsson's behavior. Ericsson plays ball. They billet their share of NOCs and hold still for illegal US surveillance of Swedish citizens. What you describe, that kind of seemingly perverse requirement imposed by management, it's a smoking gun. It would have been simple enough to tamper with SUSE, given Novell's heavy-handed sponsorship. So that's how Beatrice Ask is able to play dumb. So much for Sweden's vaunted neutrality!

Clive RobinsonNovember 27, 2014 9:22 AM

@ Wael,

Primitive Monkey Brain! Lol.

Ouch, on rereading it sounds insulting which it was not meant to be...

By "primitive monkey brain" I mean the "medulla oblongata" which sits between and connects the higher levels of the brain to the spinal cord. Thus it would be about where the focal point of a metal fruit/salad bowl would be.

It is also responsible for several critical autonomous nervous system functions without which you are very very quickly dead (it's why it's also known as "the sniper's peach" because if a bullet goes through it you don't even twitch you just drop). Recent experiments with magnetic fields have indicated that it can be stimulated to cause involuntary actions, such as speeding or slowing the heart rate.

It's supposedly the oldest part of the brain and is found in the likes of "hag fish" and that other aquatic vampire type the lamprey which is just really nasty. In the "lower orders" it's also known as the "reptilian brain" but in the primates it is somewhat more advanced hence "monkey brain".

Interestingly you can survive and to a certain extent thrive without your cerebral cortex / upper brain and its higher-order functions. There was a chicken[1] that had had the top of its head chopped off with an axe, and survived as a "freak exhibit" for quite some time, with its owners feeding it a liquid food from an eye dropper... So if you are ever asked how long a headless chicken runs around for you can answer "oh at least a year and a half".

[1] Mike "the headless" chicken, http://en.m.wikipedia.org/wiki/Mike_the_Headless_Chicken.

Xor, The God of Binary OperationsNovember 27, 2014 10:05 AM

@Anura

Aren't NAND and NOR the Gods of binary operations?

I kicked'em out and took over. MUHAHAHAA

WaelNovember 27, 2014 10:35 AM

@Clive Robinson,

Amazing story about the headless chicken! I heard another one about a severed human head that was kept alive for some time. Regarding the "Primitive Brain", I didn't understand the reference but was sure it wasn't an insult. I thought of other references which I'll not explain ;)

Clive RobinsonNovember 27, 2014 11:06 AM

@ Wael,

I thought of other references which I'll not explain ;)

Hmm, I wish you hadn't said that, now all I can think of are certain insects and arachnids whose lower brains keep them mating, even though the female has eaten the other brain and most of the body. It makes the "getting run over by a bus" option [1] appear that much more desirable ;-)

[1] Another joke with "three" old men in it, only one of which had ambition. There was a time in the dim and distant past where the Friday Squid page would see jokes and other amusing things posted (ask Nick P about the implants in aircraft) to lighten the mood for the weekend.

WaelNovember 27, 2014 12:15 PM

@Clive Robinson,

Hmm, I wish you hadn't said that [...] now all I can think of are certain insects and arachnids whose lower brains keep them mating,

Right on! That's what I was thinking :)

@Nick P,
What's with the "the implants in aircraft"? Tell me, tell me!

WaelNovember 27, 2014 2:51 PM

Oh well, Nick P being from the south is probably out for the day deep frying a turkey in peanut oil and baking some sweet potatoes :)

Nick PNovember 27, 2014 4:34 PM

@ Wael

"Oh well, Nick P being from the south is probably out for the day deep frying a turkey in peanut oil and baking some sweet potatoes :)"

Nah. I tend to visit my dear auntie who makes whatever she feels like. :)

"What's with the "the implants in aircraft"? Tell me , tell me!"

I have no idea what [specifically] he's talking about. Most aircraft related talk was serious. If it involved something exploding then I may know what he's talking about.

Dirk PraetNovember 27, 2014 5:20 PM

@ Wael

Amazing story about the headless chicken! I heard another one about a severed human head that was kept alive for some time.

"The X Files: I Want to Believe" movie from 2008 is partly inspired by a 1940s Russian documentary titled "Experiments in the Revival of Organisms", in which a scientist claimed to keep a severed dog's head alive by using a machine called an "autojector". The original documentary can be seen in its entirety at the Prelinger Archives here.
WaelNovember 27, 2014 5:32 PM

@Dirk Praet,

"The X Files: I Want to Believe"...

I watched all of the X-Files episodes and movie. Will watch the link you sent tonight. Thanks!

GrauhutNovember 27, 2014 5:50 PM

@65535 "Bogus Certificates are a huge danger to our economic well being!"

There are lots of things that are dangerous to economies. Even if there are counterfeit passports and money we are still allowed to travel... We cannot afford to stop using certs, so the economy is not in danger.

Nation state quality: How do you find out if a weapon produced by a member of a military industrial complex is used officially by a military / agency or unofficially by a "private" interest group? The borderline is foggy there.

GrauhutNovember 27, 2014 5:58 PM

@Clive Sometimes my monkey brain is a real rebel! It likes those questions most that receive the fewest answers... :)

WaelNovember 27, 2014 7:22 PM

@JonKnowsNothing,

The advantage of Hunting SysAdmins on Linkedin, is: YOU tell them everything that they want to know about you... For Free

Fight fire with fire; third-order thinking ;) You can also tell them everything you want them to know about a person you don't like. Here is what you do: Find a person you don't like. Create a nice fake profile, say John Smith. Add an impressive set of skills, such as: 20 years experience in the field, speaks several languages, the works.
An example profile:
-------------------
John Smith: VP of Engineering, Acme corporation
Years of experience: 45. I worked in the field for 45 years, I understand all my customers' needs, they are all happy.
--------------------
You get the picture...

You then find your "Victim", let's call him Jack. Send him an invite to connect. When he connects, chat with him and give him a few good recommendations, such as:
I have known Mr. Jack for some time now. He is one of the best customers I had. He has good taste and knows his stuff real well. Then ask Jack to recommend you as well.

Then, Bang! You change your profile description to the following:

John Smith: Head pimp of the county
Expertise: New York: 1986 - 1989: Increased the number of staff (prostitutes) to 17. Revenue increased 15% year over year.
San Francisco: 1999 - 2001 Branch Manager, drug dealer. Sold recreational drugs to executives. The gap in time is because I had to do a dime (10 years) in a maximum security prison. It was a 25 year sentence, but I escaped thanks to Jack who assisted me.
Los Angeles: 2001 - 2003. Dotcom bust deteriorated business. Had to cut costs and think outside the box. Introduced the concept of crackwhores. Jack was my first customer. Boy, does he have a good taste! He kept my business alive for 10 years!

Then sprinkle a few SysAdmins here and there. You hit two birds with one stone!

Don't actually do this -- it may be "illegal"...

WaelNovember 27, 2014 10:42 PM

@Dirk Praet,
I watched the video link. Luckily it wasn't as gross as I anticipated. I'll withhold my comments until I check with my brother. This is his area of expertise... But I do find a couple of things peculiar.

65535November 27, 2014 11:45 PM

“…lots of things that are dangerous to economies. Even if there are counterfeit passports and money we are still allowed to travel…” –Grauhut

It depends.

Ask DPR of silk road about counterfeit passports and the current charges pending. Ask the Secret Service about counterfeit bills and you will find the SS takes aggressive action when said bills are found.

If you are big enough to "get-away-with-it" you do - if not you don't. On the whole the system is tilted against the little guy.

MatijadminNovember 28, 2014 3:39 AM

Regin reads backwards nigeR. Interesting. Is this trojan an evolutionary product from the Nigerian e-mail scam? :>

Clive Robinson November 28, 2014 3:53 AM

@ Nick P,

If it involved something exploding then I may know what he's talking about.

Yes, not a singular something, and "allegedly" exploded for a deflationary experience ;-)

@ Grauhut,

Sometimes my monkey brain is a real rebel! It likes those questions most that receive the fewest answers... :)

And it is that "curiosity" that solves many of mankind's problems ;-)

There is a story about primates, in that if you give a chimp a camera it will pull/smash it apart, get bored and chase one of its peers. If however you give it to a gorilla it looks at it politely, examines it and hands it back. If you give it to an orangutan it looks at you politely, then if it thinks you approve, it examines it, takes it apart and, before handing it back, like the fabled watchmaker, it changes the order of the parts to see if it improves things. Give it to a human, they say thank you, look at the size of the manual, and if more than a page or two, put it on a shelf to gather dust....

You cannot help but feel on this evidence, the majority of humans are over the evolutionary hump where curiosity is concerned.

@ Wael,

From what I recall Mike the Goat was moving back to CA or some such and would thus be working in "horn mode" at best till things settle.

Mind you when you said,

Oh well, Nick P being from the south is probably out for the day deep frying a turkey in peanut oil and baking some sweet potatoes :)

My first thought was you were indicating he had become an investigatory journalist and was going after some Deep South politico with Presidential pretensions and their "PR Babes"...

Which shows just what a jaundiced attitude I have with regards what passes itself off as "Democracy" ;-)

AnuraNovember 28, 2014 4:54 AM

@Clive

"Which shows just what a jaundiced attitude I have with regards what passes itself off as "Democracy" ;-)"

Well, many Americans will respond "We aren't a Democracy, we are a Republic" as if that has any meaning. I spend a good deal of time pondering how to completely redesign our entire system of government to minimize the influence of money while maximizing the influence of the people, and remaining practical. I think about election systems like approval voting, MMP, IRV, and CPO-STV (my favorite for electing representatives, although I'm considering how to improve it). But it's purely academic; any attempt to fix our system will not even get consideration by the public, and you will get a response of "That's not what the founding fathers wanted." I say good, to hell with the Founding Fathers; I don't want their envisioned pseudo-aristocracy. But even if I could convince the public, how the hell can you expect to convince the politicians to vote themselves out of office?

WaelNovember 28, 2014 6:04 AM

@Clive Robinson,

My first thought was you were indicating he had become an investigatory journalist

I would have been proud of myself if that's what I meant :) Funny! Two things:
- So what's Military-grade Malware in your view, since no one answered that?
- Seems @Nick P forgot about the reference to the "implant in the plane". Can you jiggle his memory further?

From what I recall Mike the Goat was moving back to CA or some such and would thus be working in "horn mode" at best till things settle.

For those not in the "know", when Mike the goat corresponds from his mobile device, he changes his name to "Mike the goat (horn equipped)". @Mike the goat, if you're in California I'll buy you a cup of coffee :)

Clive RobinsonNovember 28, 2014 7:20 AM

@ Anura,

It would appear that you and I share a common ponderance. My thoughts are we should actually give our "legislators" real work to do, by making every law and I really do mean every law, have a sunset clause, by which it has to be brought back into the legislature and properly publicly debated every three or five years otherwise it lapses. Secondly I want a "none of the above" voting box such that we can "democratically" send the idiots back to be replaced or restate their political aims. Thirdly why oh why do we still vote for "monkeys in suits", electronic voting would if done properly --which is an open debate-- enable us to vote on substantive issues of interest not greasy vain representatives on the take from any dirty mac wearing lobbyist pimping for the likes of the Koch Brothers and their criminal enterprises and behaviour.

Oh and in the US it's time to bring in criminal penalties for the "representatives" that do things like bring the government into disrepute by voting to block time limited actions. If they feel that strongly then allow the courts to make the decision. Also bring in strong legislation on campaign funds to limit them down to the point where politicos don't have to go cap in hand to the "monied king makers" that are thus those who set the real financial / power agenda.

What I'm in favour of is small changes every so often, not major changes, imagine the fun of trying to explain Proportional Representation to a first past the post electorate, with the tag line, that's how you will be voting next month...

@ Wael,

I'm sure Nick P remembers, but you need to re-read what I said, the implants were not part of the aircraft fabric... just in it when the deflationary experience happened.

thevoidNovember 28, 2014 7:40 AM

@anura

I say good, to hell with the Founding Fathers; I don't want their envisioned pseudo-aristocracy.

there is one founding father you may still be interested in: thomas paine.
probably the only one who was a true man of the people, and one of the most
important (since washington used his writings to inspire his soldiers).

BJPNovember 28, 2014 8:40 AM

@Anura

"To hell with the founding fathers" sentiment pretty much guarantees any attempts to change things will come to naught. Most of us are quite happy with this system and will fight any effort to make it more subject to the momentary whims of the masses. Scotland's failed independence vote sums it all up: as soon as they voted no, the buyer's remorse started within a week and more than 50% would vote yes. Give it another week and it probably cycles back to no. We don't do things that way and we never will.

@Clive

Could you please elaborate on "voting to block time limited actions"? I'm trying to guess what you mean and I've come up with several diametrically opposed interpretations.

Nick PNovember 28, 2014 10:14 AM

@ Clive

Nicely worded.

@ Wael

Clive was referring to this incident when two implants were onboard an aircraft simultaneously without any safety analysis on environmental hazards. It became one of the more memorable trips for the passengers.

JonKnowsNothingNovember 28, 2014 12:00 PM

@Clive

(snip)
It would appear that you and I share a common ponderance. My thoughts are we should actually give our "legislators" real work to do, by making every law and I really do mean every law, have a sunset clause, by which it has to be brought back into the legislature and properly publicly debated every three or five years otherwise it lapses. Secondly I want a "none of the above" voting box ...
(snip)

While it's an admirable thought that elected representatives should actually enforce and maintain laws, they are unfortunately subject to "persuasion" by the security services and anyone who is adept at twisting a phrase.

We hear nearly every day a version of this question being used to justify nearly everything that is happening. Even in the last few weeks before the elections in the USA, representatives and potential representatives were spouting variations of the below:

If we halt what we are doing and there is another disaster like 9/11 (or even bigger than 9/11) and that disaster could have been stopped had we kept those programs, are you willing to take responsibility for all the deaths and all the destruction?
Are you willing to put your name on the order that said "stop"?

As they don't recognize that the above is not a question, or understand why it's so hard to answer without "self-incrimination", you cannot expect the representatives to do anything with their "little grey cells" other than follow their nose-rings as they are pulled along by the NSA and every other entity that has something the agencies want done - especially if what the agencies want done is illegal, unethical or inhumane.

The rest of us however, are using our "little grey cells" just fine.

WaelNovember 28, 2014 3:49 PM

@Dirk Praet,
Here is my brother's take on the Russian experiment video link:
-----
There are few things about the video.
1) When an organ is properly removed from a body, it can be kept alive if perfused with an adequate media that contain oxygen and nutrient and the proper electrolytes and hormones. It is not surprising that the dog’s heart and lung were functioning outside his body.
2) When an animal loses a significant amount of blood, such as the exsanguination of the dog in the video, the sympathetic branch of the autonomic nervous system starts to fire. This increased drive of the sympathetic system translates into increased heart rate and frequency of breathing initially, until a critical amount of blood is lost. At that point the heart slowly decreases its rate of beating until it reaches asystole (stops beating). Such a scenario was not noted in the video. This may be secondary to the camera not focusing on the details of the hemodynamics at that time, or maybe they only took a few frames of the experiment and not a detailed account second by second. In terms of the device being used to monitor the heart rate and respiratory function, I have to admit that I have never seen it before. It's a technology that I never used or saw before. Therefore, I do not understand its limitations.
3) It is known that some people, shortly after they are pronounced dead (can be brain dead, but the heart still beats), maintain a phenomenon known as "spinal reflexes". This phenomenon simply refers to the fact that mammals do not need their brain to initiate some reflexes. The most common one in humans is the knee jerk reflex (when a doctor uses a hammer to strike the knee and observes the leg extension). In terms of the decapitated dog's head, it's a bit more complex. In order for the brain stem to stay alive, it will need a medium, such as oxygenated blood. But it will also need the proper blood pressure to maintain perfusion. The blood pressure was not being monitored in that video. Maybe the camera didn't focus on the device measuring blood pressure. But theoretically, a mammal may maintain some sort of spinal reflexes for some period of time. I'm not an expert in dog physiology and anatomy, so I can't explain how a dog can lick his lips after they were wetted with acetic acid. Acetic acid can induce a nociceptive response (pain). Pain can also induce a spinal reflex (similar to a human accidentally grabbing a very hot cup of coffee: a human first pulls his hand away fast, then feels the heat of the cup later. This is a protective mechanism. The spinal cord sends a signal to the hand to quickly pull away while the brain is still processing the harmful signal). But once a head is severed, it is near impossible to reattach it again. There are many major and minor blood vessels and nerves that will need to be reattached. As far as I know, we do not have this type of Star Trek technology... yet.
4) The final experiment in the video is somewhat interesting. This is similar to cardiac bypass surgery (open heart surgery). In order for the surgeon to operate on the heart, the heart must be empty of blood and not moving. The way we are able to accomplish this in the operating room is to place two cannulas in a large vein and in a large artery. As the name suggests, we then are able to bypass the heart and lungs and deliver the blood to the rest of the body, especially the brain. When the surgery is done, we slowly allow the heart and lungs to take over and gradually wean the patient off of the bypass machine. The bypass machine is simply a pump that provides the driving pressure for the blood and an oxygenator that replenishes the venous blood with oxygen and removes the metabolic waste. Please note that this is an extreme oversimplification of the process and it takes doctors years and years after medical school to be comfortable with this procedure. Actually, the bypass machine is operated by a perfusionist, someone who specializes in operating this machine (not a doctor). A few things must be noted that were not observed in the video.
a) The body must be cooled down before transfer to bypass to lower metabolic rate and minimize chances of neurologic damage. I didn’t observe cooling of the dog.
b) The body can't be drained completely of blood. That means that some blood will remain in the vessels. If this is a room temperature body, the blood will start to clot. Clots can migrate to the brain and induce neurological damage. Actually, that's the biggest side effect of bypass machines; patients get clots to the brain and can develop neurological damage. This dog remained dead at room temperature with stagnant blood in his system.
c) Pumping blood back into a stopped heart is usually not enough to restart the heart. Sometimes calcium needs to be given. On many occasions epinephrine (adrenaline) also needs to be given to restart the heart. Also, an electrical shock may need to be applied to the heart to restart the beating mechanism and reset the heart circuitry. Maybe the scientist in this video took all these steps, but the person behind the camera didn't focus on them or they were omitted for one reason or another.
So here is my conclusion. If the proper steps are taken and all conditions are optimized, then this video is simply an early experiment in a routine bypass surgery, which takes place every day in almost all hospitals that are equipped to handle cardiac cases.
If, on the other hand, this video represents all the steps that were taken, then I have severe doubts that it’s real.
This is just my opinion.
----

My brother didn't have the time to post himself and sent me an email instead.

AnuraNovember 28, 2014 5:38 PM

@Clive

My biggest problem with the current systems is it puts too much power into too few hands. For example, what happens for a bill to get passed? Well, first it has to go through committee. Now you have a nice small group of appointed individuals that need to be convinced to vote on it - so now they can all put their own terms for voting in favor of a bill, while lobbyists and campaign contributors are telling them what they would like if they want their support. After a bill makes its way to this incredibly corruptible process, it goes to the desk of a single person who basically decides whether it should even be voted on. At this point, a select group of individuals negotiate and bargain for what they want, even if it significantly changes or adds things to the bills. This process is where most of the corruption occurs in the United States. I think the goal of any reform, which is guaranteed not to happen, is to minimize the power of any individual.

I posted my ideas somewhere else, but don't want to pollute this thread with a wall of text, so here is a copy-paste of how I would redesign the system, given the chance.

http://pastebin.com/ScS3QVm0

@BJP

I don't think our current system is immune to brash legislation, as we saw with the Patriot Act; more importantly, it prevents anything that the public actually wants by putting power in the hands of a few individuals who care more about politics than the country itself. While it's impossible to fully get money out of politics, this system basically amplifies the power of money.

AnuraNovember 28, 2014 8:21 PM

I should also note that the biggest problem today is that the system seems backwards; the politicians don't listen to the people, the people listen to propaganda peddled by politicians and their donors. More parties can help to mitigate that problem, but I'm not sure that it is solvable. An informed public composed of independent thinkers is a great idea in concept, but not very realistic. I think the best we can do is encourage dissent against commonly held beliefs, and have media that presents more than just the "Democrat and Republican" sides to any debate.

Propaganda is the worst enemy of any society. When you have rampant propaganda, you end up with extremism. We've seen this in Vegas with a couple that killed two police officers and opened fire in a Wal-Mart, the militias ready to go to war over grazing rights, and today we saw someone open fire on government buildings and attack the Mexican embassy. It's scary, it's a direct result of both cold-war propaganda (responsible for the belief that anything government does is inherently bad) and right-wing media pushing irrational fear instead of informed debate, and it's gone on for a long time without any sign of easing up. This rampant fear-mongering and propaganda is the worst thing to happen to this country, and is being done solely for profit. It's disgusting, and if I had my way the people responsible would have their assets seized before being permanently exiled as enemies of the people.

FigureitoutNovember 28, 2014 9:05 PM

Anura
but I'm not sure that it is solvable
--It isn't, not now at least. Firstly, you need to either take a class or participate in an exercise that has a group of people that try to establish a democracy. It's hilarious! And you'll see why it slides so quickly into failure unless you have stellar leaders and the people themselves are stellar "do-ers". No, it devolves into petty high-school clique making and other petty behavior due to people not getting their way b/c their ideas weren't agreed on.

The *only* way forward is organizing w/ neighbors, then expanding outwards to the greater local community that way, w/ a plan that people want, delivered by likable people (who are genuine and honest). A central gov't like the federal gov't for 330+ million people is a massive fail, and purely academic masturbation. If the whole world was a bunch of small countries like Europe or even smaller, and not unified into the EU, you would have a lot of small countries not capable of putting all these resources into war, and more cooperation and people actually feeling like they have a voice; maybe...

BenniNovember 29, 2014 11:46 AM

Antivirus companies are funny. They really care for security, that means national security, or NSA:

http://mashable.com/2014/11/25/regin-spy-malware-nsa-gchq/
But until now no one has publicly disclosed details of this cyberespionage campaign. Why?

For Prins, the reason is completely different.

"We didn't want to interfere with NSA/GCHQ operations," he told Mashable, explaining that everyone seemed to be waiting for someone else to disclose details of Regin first, not wanting to impede legitimate operations related to "global security."

Clive RobinsonNovember 29, 2014 12:09 PM

@ Wael,

With regards to "military grade malware", it's nowhere even close by my reasoning....

If you think of the civilian police, their job is --supposedly-- to keep the peace whilst projecting lawful authority; this should not require anything even close to "lethal force" or any other tactic where lives could be endangered.

The military are there to use lethal force if required, usually by kinetic means; their job is not to project lawful force, but military force, and this usually --but does not have to-- involves the destruction of infrastructure and the deaths of opposing military forces. Most nations, for the defence of their own troops, have signed up to various international treaties on war, which do not allow civilian "non-combatants" to be targeted, and limit the types of weapons that can be used against an enemy (which is why you have the curious situation where LEOs are allowed to use "dirty ammunition" such as expanding and exploding rounds, and various debilitating chemical / physiological weapons, whilst the military are not).

Thus in theory, a police officer who wounds or kills an individual is subject to the full criminal and civil sanctions, whilst a member of the armed forces is not, provided certain constraints have been obeyed (see "rules of engagement", yellow cards etc).

However there is a third group paid for via taxation and these are the so called "intelligence agencies", of whom a small number of officers and contractors are responsible for espionage activities that could easily include "black bag" and "wet work" jobs. The legal status of such activities is dubious at best, which is why most nations reserve the ultimate sanction for agents/spies betraying their nation and officers / contractors even if they do have diplomatic status.

Now I cannot see --from what has been said-- that this malware is to produce results equivalent to a "kinetic weapon", which kind of rules out "military" equivalence. It is for the purpose of surveillance on "foreign soil / subjects", which puts it fair and square in the "intelligence / espionage" camp.

Thus I would call it "high level 'cyber-espionage' malware" not "military grade malware"...

WaelNovember 30, 2014 12:52 AM

@Clive Robinson,
I would agree with your description. I always thought Military-grade malware is connected with sabotage and reconnaissance. It says nothing about its "quality".

WaelNovember 30, 2014 12:56 AM

@Nick P, @Clive Robinson,

Clive was referring to this incident...
Oh, so it's a movie plot! Pretty funny. Next time I travel, I'll take a small water balloon with me and see what happens.

WaelNovember 30, 2014 8:34 PM

@Grauhut,

Sometimes my monkey brain is a real rebel! It likes those questions most that receive the fewest answers... :)
And you and I thought we like bananas because they are delicious, eh?

Clive RobinsonNovember 30, 2014 10:39 PM

@ Wael,

And you and I thought we like bananas because they are delicious, eh?

Oh come on... we've all guessed why ;-)

Like so many "all American kids" you read the X-men and other comics and watched "The Incredible Hulk". And in those same formative years you heard that bananas were radioactive, put two and two together, and "munched a bunch a day" (TM) to become "Radio Active Man".

But like all kids when doing these "recreational herbal activities" you thought you were stronger and could do it without getting hooked... But you were wrong; you now have cravings on an epic scale, you are addicted and cannot go past the fruit aisle without getting the "cold sweats".

Trying to cure yourself in a perverse experimental way you also became addicted to chillies and just the smell of Mexican food gives you more cold sweats.

It got so bad you had to find a way to hide it, so you moved to CA and started your own "fusion food house" where you make strange brew sauces with macerated bananas and ghost chillies to rub into the likes of "croc tail", which has turned dangerous animals into more than handbags... and has caused some wannabe Hollywood type to come up with a new TV series "LA Tails of Fire".

How's that for an intro / seed for a Movie Plot?

WaelNovember 30, 2014 10:48 PM

@Clive Robinson,

How's that for an intro / seed for a Movie Plot?
Sounds like a commercial to me :) What are you doing up at 4:39AM? Heard some noise in your cave?

Clive RobinsonNovember 30, 2014 10:50 PM

@ Wael,

P.S. I was going to add,

    And a doddery old fool who owns Fox heard the title through his ill-fitting hearing aid and thought it was "LA Tales of Ire" and would be an even bigger smash than "Hollywood Housewives"

But then thought "no, that would make it too real" to believe ;-)

WaelNovember 30, 2014 11:16 PM

@Clive Robinson,
It's also amazing that you talk about "hearing aids" when I talk about "hearing noises in the cave"... Won't ask @Nick P again, it's just a coincidence to him....

WaelNovember 30, 2014 11:55 PM

@Clive Robinson,

Heard some noise in your cave?
Ouch, on rereading it sounds insulting which it was not meant to be...
Your dead tree "cave"; your library, that is... So I don't make you look like a "troglodyte". There... We're even. Monkey see, monkey do :)

Clive RobinsonNovember 30, 2014 11:55 PM

@ Wael,

I'm not exactly "up". Due to long term problems with my spine, hips, knees and ankle joints, I've ended up on crutches, and further, due to overdoing it, I've got rotator cuff issues from lifting my not inconsiderable mass with one arm. This has given me a form of bursitis in my shoulder which in turn means quite unpleasant pain on rolling over in my sleep. And due to other medical issues I can not safely take anti-inflammatory drugs as they mess with the "rat poison", and just to make life more fun I'm also over-sensitive to CNS pain killers such as opiates and their analogs and get hallucinations and other problems, one of which was quite nasty in the past (vomit in the airways). As has been said in the past, "Nobody ever died of pain, but plenty have died of pain killers", so I prefer to use meditation rather than medication, but it does not work in deep sleep.

And so the old Catch 22 problem with blood clots, which usually precludes any thing other than life threatening surgery might get solved with a new(ish) drug which is good, but eye wateringly expensive (over 5USD/tab).

But as it's me.... a new Catch 22 problem arises: if they have to operate on the rotator cuff, I will not be able to use the shoulder and thus the crutches for a minimum of a quarter of a year... which in turn will cause the return of an old problem, compression on the nerves, which in turn means not being able to stand up or walk safely (or at all)... So whatever they decide I'm in for months of physiotherapy, and with my luck, what's the betting I get the physio who looks like a Turkish wrestler, not the charming young ladies that float up the corridor as though, like the goddesses of ancient times, they have winged sandals at their ankles.

Some people get a life of having "bouquets of roses" thrown at them, me being an engineering type get "bags of spanners" instead. But painful as it might be to get hit repeatedly with a bag of them, tools don't wilt, so it gives me the time to build other tools to think with so there is a bit of silver in those "thunder heads" my head gets stuck in due to being so tall.

Thankfully bursitis in the shoulder, although being the most common form, does not get silly names like "housemaid's knee" or "student's elbow" that other forms do. Apparently bursitis of the shoulder is most commonly seen in athletes, but I guess "athlete's shoulder" would get associated with "athlete's foot" in the "less fit minds" and would put them off getting off the couch in fear of scaly sores on their shoulders instead of the pressure sores on their butts :-)

Clive RobinsonDecember 1, 2014 1:00 AM

@ Wael,

You should know by now "noises in the cave" is not classy; it implies an Igor type wandering about the place. Whereas "Bats in the Belfry" is much more classy, just think of the female leads such as Anjelica Huston in "Addams Family Values" and Fenella Fielding in the classic British "Carry on Screaming" to see why ;)

thevoidDecember 1, 2014 6:31 AM

@Clive

And due to other medical issues I can not safely take anti inflammatory drugs

have you tried raw garlic? it's an anti-inflammatory (as well as anti-{fungal,
parasitic,viral,bacterial}), and i've used it for that purpose myself. to
administer, i usually crush a clove and mix it with something like mashed
potatoes, but it needs to be raw. it's best with basil, which makes it more
palatable, and keeps 'garlic-breath' away.

actually the first time it had an anti-inflammatory effect for me, it was not
the reason i took it, and though i had heard of that fact, i was still somewhat
surprised. (it was a toothache, so the difference was noticeable).

Clive RobinsonApril 11, 2015 4:27 AM

@ the void,

Sorry I missed your post until now.

It's funny that you mentioned garlic; due to previous work connections with Korea and having Korean friends, I do munch on raw garlic from time to time. My favourite is to mash it up in olive oil and spread it on warm pitta bread, often with coriander to give it a bit of bite.

You may or may not know the UK "establishment" is finally waking up to the "antibiotic issue" whilst UK researchers have been beavering away looking for other solutions. Well, whilst the use of phages is receiving some interest, old and ancient remedies are also being revisited. In the news a few weeks back was an article about a two-thousand-year-old remedy that has been found to be astoundingly effective against MRSA and other hospital-acquired infections that account for a big chunk of hospital mortalities. And the remedy is based on garlic and other herbs...
