In Which I Collide with Admiral Rogers

Universe does not explode.

Photo here.

EDITED TO ADD (5/15): Commentary. There are some funny buddy-movie suggestions.

Posted on May 14, 2015 at 1:30 PM • 58 Comments

Comments

Bruce Schneier • May 14, 2015 2:04 PM

I should have asked him to sign my private key.

More important: Later in the day Admiral James Winnefeld Jr, the Vice Chairman of the Joint Chiefs of Staff -- the second highest-ranking military officer in the US -- gave a surprisingly good answer to a question I asked about attack capabilities vs security. It was on the record, and I am trying to get a copy of the video to transcribe. I will post it as soon as I can.

Archon • May 14, 2015 2:04 PM

Was this photo immediately followed by one subject body-slamming the other? :)

BJP • May 14, 2015 2:13 PM

I personally love the authentication fail wherein their tweet attributes the (unofficial, per my memory) @Bruce_Schneier RSS feed as the individual in the photograph.

82de478ea93bdd87 • May 14, 2015 3:12 PM

A perfect opportunity to put an NSA ANT implant on you, I would say...

Now seriously, I would accept to some degree the current surveillance state IFF we are allowed to develop, build and use encryption tools against it. A different matter would be if we are denied this fundamental right, as may happen in the United Kingdom soon.

Being optimistic I see the surveillance state as a good opportunity to improve our security measures and provide some acknowledgement to projects like Qubes OS and OpenBSD that are working hard and silently to make the world better.

Gweihir • May 14, 2015 3:23 PM

Nice. It is definitely important to keep talking to the other side.

Dean • May 14, 2015 3:27 PM

Eh, he looks like a nice guy. Rogers doesn't come up on my "ack" radar much, though. Scanning his resume on Wikipedia, I also don't see the sort of disturbing defense contracting links some of these guys have.

No 'dead eyes' sort of look about him, lol. "Is it a human, or a shark", lol, thing.

Like Cheney or Clapper. :P

Beepeepeep • May 14, 2015 3:48 PM

I wish he'd say something about the legal landscape scaring away the best and brightest from cybersecurity. The wealth of untapped talent out there is astounding. The problem is only going to get worse if there isn't a course correction in the legal landscape to stop treating the explorers, the good Samaritans, and the researchers all as potential terrorists.

The Feds wanted to use the law to stop hackers. Well, they succeeded in scaring away many who have the soul of the explorer...

Beepeepeep • May 14, 2015 3:56 PM

(Cont. from above)

For crying out loud, a 14 year old boy was recently charged with felony hacking for guessing his teacher's password correctly and changing her computer's background to one of two men kissing. The charge being levied by the sheriff's office as opposed to a Federal entity, but I still view the Feds as indirectly culpable. They created the hysteria surrounding hacking and much of the uneducated masses now treats it as if it's black magic. A public statement by the NSA's PR arm clarifying that a harmless prank shouldn't be treated like a "cyberfelony" would go a long way.

Thomas • May 14, 2015 4:02 PM

@ Beepeepeep

> A public statement by the NSA's PR arm clarifying that a harmless prank shouldn't be treated like a "cyberfelony" would go a long way.

But if they do that, how will they silence the next Aaron Swartz?

Dean • May 14, 2015 6:33 PM

@Beepeepeep

Yeah, I agree in a sense. Hackers are like Delta Force/SAS/SBS sorts. The US military was extremely rigid when Delta Force was attempted to be started, to bring SAS/SBS quality special forces to the US Military. Probably, that has changed a lot in years since.

I have seen really hard core vulnerability researchers who either came from government, or who went on to work at least for defense contractors. Obviously, many defense contractors have had brilliant, very unorthodox sort of thinkers. But the whole mindset of being very rigid, orders based, is the exact opposite of the independent thinking required for extraordinary reverse engineering activity required for finding significant security bugs consistently.

I know they have tests which find these sorts in the military, for special programs, but a lot of these sorts would never join the military nor intelligence in the first place. (And what would have to happen is they would want to profile significant security researchers.)

Managing that sort of individual is also extremely difficult.

There are exceptions to the rule, for sure. But they are exceptions.

And even the exceptions can be difficult.

Not really thinking, however, that these sorts are out of whack these days. There are ample jobs for them and very necessary places in corporate.

Bad morale is one of the worst problems. With my generation, there was Vietnam. But this generation has the Iraq War. I think the latter was much worse, morale wise. It would be hard for such people to even want to join something that was capable of producing that kind of disaster.

The actions post-911, revealed by a variety of sources, including Snowden also really put a damper on such individuals being willing to engage with such organizations.

But this is not twenty years ago when there were a bunch of hackers without anything to do.

And even these days, pot smoking, rock music listening, people who work all night and telecommute and have green mohawks and pierced lips and noses can find defense contracting jobs. Just they tend to pay pretty sucky, from what I have heard.

Beepeepeep • May 14, 2015 6:57 PM

@Dean

The profiling of security researchers is also a problem that scares away security researchers. Given the heavy privacy-focus with many researchers and the public ignorance on what the actual implications are to be profiled by intelligence agencies outside of the "no fly" list, it greatly complicates things. I know I sure as hell am terrified of going far enough to do things like put together a winning Def Con CTF team as I know I'd be profiled by intelligence agencies of which I do not know the consequences.

Dean • May 14, 2015 8:02 PM

@Beepeepeep

> The profiling of security researchers is also a problem that scares away security researchers. Given the heavy privacy-focus with many researchers and the public ignorance on what the actual implications are to be profiled by intelligence agencies outside of the "no fly" list, it greatly complicates things. I know I sure as hell am terrified of going far enough to do things like put together a winning Def Con CTF team as I know I'd be profiled by intelligence agencies of which I do not know the consequences.

I am going to say winning defcon CTF team should not be your goal. You should be more specific. That is not real world. In fact, the desire to "do it" for attention is an extremely unhealthy desire for that kind of business you are talking about.

I think your concern about that sort of thing is a good indicator.

If you want to do red team, network penetration work, that is fine for that kind of thing. A lot of flash, sell to the customer. That kind of competitiveness. Then be a consultant. Work for corporations. More fun than database programming I bet.

But that is very different sort of work than what you are talking about.

If you want to do intel work, I think you should study that field. See if you like it. Pick up some books. Spy Wars is a good one. Movie wise, 'Tinker Tailor Soldier Spy'. Death Note (actually), not spying but that exchange through it all is exactly the same sort of exchange you see in real work. Deceiving Hitler is a good book. ZigZag. The Man Who Was Not There. The Mitrokhin Archives. TV show, The Game (BBC). The Americans. Alliance (kind of). Assets, very good. And books on Ames and Hanssen.

Spy Wars is a very good jump start into that kind of mind bending fuckedupness you would want to excel at, though. Book wise.

**THEN**, you won't be dealing with unknown entities so much and have much more clear direction. You won't have paranoia. Stay away from caffeine, btw. It will make you paranoid. This kind of thinking, it can be dangerous for.

Warps your thinking.

Switch to other sugar drinks, if you are big coffee or cola drinker. FYI.

This shit will make you more paranoid, but it will also give you understanding to control that anxiety.

Right now, you sound like you are dabbling. You are rightly scared of the unknown. That is good. But you need to temper that with knowledge. Everyone is scared of the unknown. That feeds anxiety.

They are not wolves. There are wolves out there. But it is a business. A game, actually, "The Game", they call it. You are not going to get mysteriously offed for thinking about such a thing. :/

FYI, hacking and intel go hand in hand. You know hacking, some, it sounds like. So know this shit. Bourne is good tv, but that is not real.

Beepeepeep • May 14, 2015 8:37 PM

@Dean

I'm not sure why you think I'd want to do hacking for attention. That's silly. I'd like to do a competition to test my skills is all.

I admit I am tempted to do intel work as it seems like it'd be fun, but at this point I can't bring myself to do it for multiple reasons:

*Cultural - The spooks I have spoken with in the past have not been amicable to things I view as part and parcel of hacker culture, like file sharing or looking up taboo topics out of sheer curiosity.

I am aware there have been many efforts made within the NSA to change the culture in order to attract more hackers, but I can't imagine the post-Snowden changes would be appealing for potential employees.

*Ideological - I have personal ideologies against the Federal government's perspective on copyright. Obviously spooks aren't trying to catch file sharers, but historical events like spooks focusing on Kim DotCom or The Pirate Bay does not endear me to the profession.

*Parallel Construction - I am aware this problem is far larger than just the NSA, but I am morally against the practice.

*Trust - General Alexander's post-Snowden-revelations response did convince me that he has the best of intentions, but only that. I do not like it that General Alexander implicitly threatened the InfoSec community with combing through all of their personal info if they did not help the National Security community prevent terrorist attacks. The constant word games do not help when I can't trust that we share definitional understanding of colloquial terms.


For me being scared of the unknown, it's more complicated than that. The Federal government is its own worst enemy when it comes to attracting talent. On the one hand they beg for hackers to work for them to improve national security. On the other hand there have been Federal prosecutors that have remorselessly driven hackers to suicide over relatively benign infractions. Aaron Swartz hasn't been the only casualty.

There are so many conflicting signals from the Federal government. Given the current landscape, I've personally determined the risks of ruinous litigation are not worth the benefits of delving much deeper into the field. I do not know what kind of information is passed to prosecutors. They are akin to a blind person trying to drive a car, not caring who is run over as long as he makes it to the finish line. When "wget" has been called a hacker tool by prosecutors, I am terrified of the thought of doing anything that'd have any info on me, no matter how benign I may perceive it, of being passed to one of those sociopaths.

And I'm not under any silly delusion that I'd be offed. I'm not that important and I doubt I ever would be. But I don't know what my information could be used for. I've had my trust betrayed time and time again by entities I've trusted in the past with Google being the most prominent example. Once my information is out there, I have no idea at all how it could be used and I no longer have any control on it. The only way to be safe is not to generate the information in the first place. And if that means intellectually neutering myself by avoiding many topics of research and no longer following my curiosity, so be it.

Loose Jacket • May 14, 2015 9:36 PM

@Bruce
>>> "I should have asked him to sign my private key."

Did you mean public key, or is that part of the joke?

Dean • May 14, 2015 10:36 PM

@Beepeepeep

I am not a "spook". I just read a lot and have a good memory, and probably have a few decades on you. And I do stuff "like" what some of them do, so I can relate to some of that stuff. I mean literally. That, supernatural horror, and some other topics, makes me feel normal. :-)

I have worked around some, so I feel confident in my statements. Also run into a few ex-ones, like a neighbor who was ex military intelligence, something he would glibly say is an oxymoron.

> *Cultural - The spooks I have spoken with in the past have not been amicable to things I view as part and parcel of hacker culture, like file sharing or looking up taboo topics out of sheer curiosity.
>
> I am aware there have been many efforts made within the NSA to change the culture in order to attract more hackers, but I can't imagine the post-Snowden changes would be appealing for potential employees.

One guy I knew put the difference between NSA types and CIA types thusly: "NSA types are shoegazers, CIA types are outgoing and personable".

The guy who said that is one of the top 20 hackers in the past twenty years. He also has worked deep at a defense contractor.

I have not read most of the books out there on the NSA. I have read a lot on KGB, CIA, Mossad, FBI, and others. Army counterintelligence. Only people I have known from the NSA left early. My understanding is they were not typical for NSA, at all.

Typical for NSA seems like pretty much people that went to high school, then college, then into the NSA. I mean that itself says a lot. There's linguists, but they kind of break that mold. Defense contractors of that sort. More comfortable in buttoned up long sleeve shirts, shirt tucked in, belt kind of people. Probably they wear loafers at home.

But comparing that sort to the other sort is absurd. Totally different animals.

There are a lot of different people.

Someone getting antsy about you file sharing or whatever else you are talking about reminds me of defense contractors. They are not really "in". But they have to take rigorous lie detector tests, drug tests. Not being really "in" makes them very paranoid. Like they might be watched at any minute and second guessed on trivial stuff no one cares about. You can tell them from a mile away. Real shoe gazers. They reek spy, and that kind of spy.

> *Ideological - I have personal ideologies against the Federal government's perspective on copyright. Obviously spooks aren't trying to catch file sharers, but historical events like spooks focusing on Kim DotCom or The Pirate Bay does not endear me to the profession.

Weird, not much comment there... I use netflix and hulu and such. Did file sharing many years ago. Don't have strong beliefs about it.

Do not really think about it at all.

I take it you probably don't have much of a career yet, so not much salary. Can't really judge. When I didn't make much money, like the FBI, relied on all sorts of hacked stuff.

(Yeah, the FBI used to use pirated copies of software because their IT was so underfunded.)

> *Parallel Construction - I am aware this problem is far larger than just the NSA, but I am morally against the practice.

Law enforcement.

Mostly DEA cases is what I have seen. A lot of them I think are despicable. But you admit breaking rules to get stuff done, too. :/

That is not spying though, not intelligence. Spies don't arrest people, even counterintelligence spies rarely - very, very rarely - do that. That isn't intelligence at all. Yeah, cops were given intelligence data, so guess that was confusing...?

But, yeah? Very big thing. Spies are very different from cops. Sometimes I have read of special agents in fbi moving to counterintelligence. And they can fuck it up really bad if not very well trained out of that mindset. Cops arrest people. Spies do other shit.

...

You have to do your homework if you want to get into that stuff, or even entertain the thought. Otherwise, forget about it.

Don't be lazy and just go by rumors and what people on the internet say who also never met anyone, don't do anything remotely similar (except maybe something like using drugs illegally and that, poorly), stuff like that.

Spies actually break the law and get away with it, foreign spies anyway. Part of the job.

It is about mind fucks and diversions, getting information, chasing the big stories, manipulation. Mind games. Mental chess and go.

If you mean by "spy" FBI cop hacker, very different. I do not have much advice there. I don't think you would want to be a cop is why.

> Trust - General Alexander's post-Snowden-revelations response did convince me that he has the best of intentions, but only that. I do not like it that General Alexander implicitly threatened the InfoSec community with combing through all of their personal info if they did not help the National Security community prevent terrorist attacks. The constant word games do not help when I can't trust that we share definitional understanding of colloquial terms.

General Alexander and Clapper are dickheads. General Alexander is a soldier, was, though. The "General" in the title gives that away. I don't think that should be confused with spying.

Clapper has the intrigue mindset. But I do not like him. This direction to push domestic surveillance is just stupid. Pushing encryption backdoors is a lose.

Snowden was definitely a spy in what he did, by my book. That was exceptional work. I don't think he had much HUMINT work before that, though.

I respect him. I don't respect Ames or Hanssen, though. I respect most of the old KGB and related who turned though. They did it for ideological reasons and were right to do so.

I respect their skills, though I respect Philby's skills far moreso. Think he was a naive dipshit ideologically, though. He did not do his homework on the soviet union. Or was a triple agent.

> For me being scared of the unknown, it's more complicated than that. The Federal government is its own worst enemy when it comes to attracting talent. On the one hand they beg for hackers to work for them to improve national security. On the other hand there have been Federal prosecutors that have remorselessly driven hackers to suicide over relatively benign infractions. Aaron Swartz hasn't been the only casualty.

What they did to Aaron Swartz was shit. But again you are confusing very disparate agencies, organizations, and individuals. It is all just a big monolith to you, it sounds like. That is not how things work.

That prosecutor was a genuine shit.

But that was that prosecutor and those who went that way. Not everyone. That gets into the same sort of bigotry that racists, sexists, and other bigots get into. Not to be too harsh, but getting worst case examples from **any** group and saying they represent Everyone Of That Group is a strawman argument. It is unfair to everyone else.

If you want to see good and bad cops, watch stuff like Cold Cases Files and Death Row Stories.

> The Federal government is its own worst enemy when it comes to attracting talent. On the one hand they beg for hackers to work for them to improve national security.

Again, very very small subset.

A ton of hackers work for defense contractors these days, and there are all sorts. Pot smoking, jeans, shorts, tshirt. No clearance, just NDAs.

Not my scene, but just saying.

> When "wget" has been called a hacker tool by prosecutors, I am terrified of the thought of doing anything that'd have any info on me, no matter how benign I may perceive it, of being passed to one of those sociopaths.

No idea what dipshit made that kind of argument, but again, that is cop stuff, and that is some far flung example.

Far from spy stuff.

> The only way to be safe is not to generate the information in the first place. And if that means intellectually neutering myself by avoiding many topics of research and no longer following my curiosity, so be it.

Sounds like a safe course of action, though not very exciting. You intimate on here you are committing some kind of crimes. You were vague about what kinds... except of filesharing. But that stands out.

And your opinions seem very one sided, on a lot of these issues. Very, very stereotypical and the worst sorts of views on government. Which you post about online. You seem to have beliefs about. And to engage in. So you will continue to post on.

I am just suggesting to do your homework.

You talked about the subject like it held something for you, some kind of fire. So, I gave some suggestions. I can't make you watch that stuff or read those books, though.

Can't get any easier than watching what really are very entertaining shows as a start, though. Heh. So, not sure what to say about that.

I get upset about government abuses too. Don't work in government. Tons and tons of computer security jobs, though. Huge field. Niche, very strong demand. They offshore a lot of tech jobs, but security jobs tend to stay onshore. It is a very stable field. If you do your homework.

My own self, you present yourself like you're in your early 20s? I focused on finding "the meaning of life" and such in my 20s. Spent a lot of time hanging out with pot smoking friends. Music. Art.

I was motivated. I read, I studied. Not career wise, though.

I do suggest you mix up your sources, though. Getting all your information from what you know is one particular bent is not going to be healthy for you or anyone. People end up red neck conservatives or daft far left loopy. Or they get mature, get both angles.

Anyway, just some advice. Not to be an old fart lecturing you. I do work in comp sec and have for quite some time. It is not spy work. It is hacking. I secure shit. I find weaknesses and figure out ways to plug them up. One part of the job. The job market is deeply lacking qualified candidates.

If someone is telling you something else, do not believe them. Check out job postings. Terms like computer security, even hacking will bring out a lot. CISSP. Vulnerability. Nexpose.

If that is what you want to get into, then start studying that route. I would suggest forgetting about all the spy stuff, though, if that is the case.

The stuff you are talking about sounds like cop stuff, though.

Dean • May 14, 2015 10:49 PM

@Beepeepeep

Final note: please do not bother replying. I hope you appreciate that I am just trying to help, even if you disagree with me, or do not understand me.

Just spent too much time here today and need to get back to my other activities for some time.

Have to prepare and take my boat out into the ocean this weekend. Going deep sea fishing. Off Baja Meh he co. Lotsa beer to buy. If we do not just end up clubbing.

I appreciate your sharing. It is interesting to hear the opinion of a concerned millennial making their way in the world. C# & Java FTW.

Andrew Wallace • May 14, 2015 11:30 PM

What we all want is privacy for the good guys and no privacy for the bad guys. All that matters is what the criteria is for deciding good and bad. And when the intelligence agencies get it wrong for there to be accountability the public can trust. This issue has been highlighted in this thread. The general pattern of concern regarding intelligence agencies seems to be trust and I think it is important that the NSA and others maintain trust. NSA and others could reach out more to discuss what makes you good and bad and could reach out to the security community of researchers and give assurances that NSA aren't out to get you and are only interested in the bad guys and being a researcher doesn't automatically make you bad. The reason they haven't is they want to keep the bad guys guessing. The collateral damage is that the good guys are also whacked with anxiety and concern. I think it is a careful balance between maintaining trust, keeping the bad guys guessing and keeping the good guys on your side. What we see is that trust being eroded and the good guys such as Bruce speaking out against the NSA. If I was in the NSA and I had good guys asking questions over concerns, I would want to address them. How can the NSA maintain trust while protecting operational security? That is something that can be thought through at the next round table meeting. Nobody said it would be easy and there aren't quick answers, but that is what America pays the NSA and Admiral Rogers to do. Find solutions to tough questions. Maintaining trust and accountability from the outside looking in. I'm not bothered about being snooped on but lots of other good guys are and it should be addressed because part of the war on terror is surely to win hearts and minds of the good guys while keeping the bad guys on the backfoot. The impact of the Snowden documents could be softened if NSA carry out damage limitation, identify the key issues and address them.
Snowden has only released low hanging fruit that can easily be counteracted by addressing trust. We know the NSA have sweeping powers and we know what they do. Now that we know the current question is: How is the decision made between good and bad? I know the answer to that but lots don't. Snowden shouldn't have done what he did but now that he has use it to your advantage instead of highlighting the disadvantages. I'll leave those thoughts with you. Andrew

Figureitout • May 15, 2015 12:31 AM

Bruce
--Since this is tagged w/ "humor", you had your chance to stab him and prove you're a terrorist but you let it slide...damnit c'mon...

Beepeepeep
--There's plenty of books (library will maybe have Bruce's books, or other books on "hacking", electronics, and operating systems, etc.). Be a bit awkward, but if you happen to be close by I can "dead-drop" some books, since your library books are also now digital records thanks to Patriot Act.

There's plenty of technical knowledge you need to know and keep fresh on, basic OPSEC, plenty of math, physics, code. Your brain won't be able to keep it all. There's no excuse to not research, you already posted, so welcome to the club. The reason for my investigation was b/c I mentioned a political revolution to replace current politicos for more real representatives and prosecute some people that never get touched; don't do that or get caught finding a major exploit and you'll be fine.

Beepeepeep • May 15, 2015 12:53 AM

@Dean

I still feel it necessary to respond on a few of your points even if you are not going to respond.

> Typical for NSA seems like pretty much people that went to high school, then college, then into the NSA. I mean that itself says a lot. There's linguists, but they kind of break that mold. Defense contractors of that sort. More comfortable in buttoned up long sleeve shirts, shirt tucked in, belt kind of people. Probably they wear loafers at home.

I've heard it was a more relaxed environment than that in the decade following 9/11. I'm under the impression the NSA's culture underwent a monumental shift after 9/11 when the mantra went from "need to know" to "need to share". At least, internally within the NSA.

> Someone getting antsy about you file sharing or whatever else you are talking about reminds me of defense contractors. They are not really "in". But they have to take rigorous lie detector tests, drug tests. Not being really "in" makes them very paranoid. Like they might be watched at any minute and second guessed on trivial stuff no one cares about. You can tell them from a mile away. Real shoe gazers. They reek spy, and that kind of spy.

Partly that, yes. By "in" here, I'm assuming you're referring to people who understand the culture of the NSA and know what they should or shouldn't worry about.

> Weird, not much comment there... I use netflix and hulu and such. Did file sharing many years ago. Don't have strong beliefs about it.
>
> Do not really think about it at all.
>
> I take it you probably don't have much of a career yet, so not much salary. Can't really judge. When I didn't make much money, like the FBI, relied on all sorts of hacked stuff.

It's moreso the communities that have been torn apart that are where many of my grievances come from, but I don't think this is the right topic for me to espouse the nuances of Copyright law and what I do and don't agree with. The main nexus to the NSA that I see Copyright law enforcement being a part of is that XKeyscore was supposedly used to spy on Kim DotCom to preface his initial arrest and Rapidshare's seizure. Separately, at least one of the Snowden docs mentioned the possibility of profiling websites like "The Pirate Bay" as a terrorist website because some of the torrents linked to on there led to sensitive documents.

> Law enforcement.
>
> Mostly DEA cases is what I have seen. A lot of them I think are despicable. But you admit breaking rules to get stuff done, too. :/
>
> That is not spying though, not intelligence. Spies don't arrest people, even counterintelligence spies rarely - very, very rarely - do that. That isn't intelligence at all. Yeah, cops were given intelligence data, so guess that was confusing...?
>
> But, yeah? Very big thing. Spies are very different from cops. Sometimes I have read of special agents in fbi moving to counterintelligence. And they can fuck it up really bad if not very well trained out of that mindset. Cops arrest people. Spies do other shit.

I don't knowingly break the law to get stuff done. But the more and more I learn about the law, the more I find out that there is next to nothing I can do legally outside of having a lawyer mediate my online actions where I can be certain I won't expose myself to some sort of liability. And so I realize that it's not the law I have to be worried about - it's the prosecutors. Their discretionary judgement is the only thing that matters, and my reaction to federal prosecutors is visceral right now - my trust for them couldn't get much lower.

As for cops arresting people and spies spying, my understanding is a lot of lines were blurred between law enforcement and national security following 9/11. Given that I don't know the extent of parallel construction and given that much of the info the NSA collects is sent to the "corporate store" to be viewable by many entities (including the FBI), I view the NSA's capabilities as being partly available for law enforcement uses.

I don't know the extent of this crossover between law enforcement and national security. I don't have the means of finding out. I am not in a position to be able to make accurate risk assessments for what consequences a given action of mine could have. Being so self-conscious all the time is stressful though.

> Don't be lazy and just go by rumors and what people on the internet say who also never met anyone, don't do anything remotely similar (except maybe something like using drugs illegally and that, poorly), stuff like that.

I try not to rely on rumors insomuch that I can verify something. Obviously at some level I have to trust the information available.

What I do know is that Aaron Swartz is dead because of a prosecutor looking to get political points. A prosecutor that is still in a position to drive more people to suicide (seeing as Swartz was his second).

What I do know is that Jeremy Hammond is in jail for a decade largely because the jury was unsympathetic to him because of an exaggerated rant on IRC. And because a prosecutor wanted to set an example to people in Anonymous to try to scare them away. I despise the "head on a pike" method of prosecution.

Jeremy Hammond created the website www.hackthissite.org, which is where I initially learned about the general concepts of hacking in a legal area. I've learned much more since then, but I would not be nearly as knowledgeable as I am now were it not for him. And I know I'm not alone in this.

General Alexander and Clapper are dickheads. General Alexander is a soldier, was, though. The "General" in the title gives that away. I don't think that should be confused with spying.

My understanding is that many spies also spend time on the battlefield. I don't see how him being a soldier would preclude him from having been a spy as well.

What they did to Aaron Swartz was shit. But again you are confusing very disparate agencies, organizations, and individuals. It is all just a big monolith to you, it sounds like. That is not how things work.

I don't know the extent to which there is cooperation between different agencies. But there is interconnection. If the National Security community hadn't fear-mongered hacking to such apocalyptic levels, then lawmakers might not have assigned it such apocalyptic penalties. Aaron might have only gotten a trespassing charge instead of being threatened with decades in jail before being driven to suicide.

But that was that prosecutor and those who went that way. Not everyone. That gets into the same sort of bigotry that racists, sexists, and other bigots get into. Not to be too harsh, but getting worst case examples from **any** group and saying they represent Everyone Of That Group is a strawman argument. It is unfair to everyone else.

The government is not the most transparent entity out there. Its bureaucracies are labyrinthine and multifaceted. Its policies inconsistent. Its competencies seemingly exist as if it were decided by the roll of the dice. I think it quite reasonable to not understand where there is or isn't separation between two different agencies that have such large conceptual overlap.


You're right that it isn't fair. But again - I don't know the level of cooperation between different agencies. I do not know what consequences any action I could take are. And I am reluctant to trust them, so I do not assume good faith.

I wish I could trust them more so that I wouldn't so often feel a gut-wrenching, visceral fear. But I do not have the means to get the information necessary to establish said trust.

No idea what dipshit made that kind of argument, but again, that is cop stuff, and that is some far flung example.

Oh, that's not even the worst example out there. There was the prosecutor for Andrew "Weev" Auernheimer that compared what he did (used curl to scrape a few hundred publicly-accessible web pages) to blowing up a nuclear power plant.


Sounds like a safe course of action, though not very exciting. You intimate on here you are committing some kind of crimes. You were vague about what kinds... except of filesharing. But that stands out.

And yet the alternative is to entrust my personal life to various entities which I don't currently trust. And the issue is also that I lose all control of my information once it's generated and leaves the wire. I have no ability to meaningfully restrict its dissemination and I have no idea how it will impact my life.

And your opinions seem very one sided, on a lot of these issues. Very, very stereotypical and the worst sorts of views on government. Which you post about online. You seem to have beliefs about. And to engage in. So you will continue to post on.

My views are not as one-sided as you may think. The NSA is in a shitty position. The expectation for Intelligence agencies to be perfect is unreasonable and causes them to take extreme actions such as "collect it all". I do not assume the people who work at the NSA have ill intent. In fact, I like many of the people that work there.

But regardless of intent, I do not trust outcomes that have a nexus to sending information that, after a sausage factory of bureaucracy, could conceivably end up in the lap of a sociopathic prosecutor looking to score more political points by convicting yet another harmless nerd of somehow committing a crime analogous to terrorism.

My own self, you present yourself like your early 20s? I focused on finding "the meaning of life" and such in my 20s. Spent a lot of time hanging out with pot smoking friends. Music. Art.

I was motivated. I read, I studied. Not career wise, though.

I do suggest you mix up your sources, though. Getting all your information from what you know is one particular bent is not going to be healthy for you or anyone. People end up red neck conservatives or daft far left loopy. Or they get mature, get both angles.

Indeed I am in my 20s. The stress I'm often under will likely lead me to a heart attack before the age of 40 though. I was so panicked after the Snowden leaks started that my blood pressure was at a sustained 155/97. Almost every single day since the leaks started several years ago, I've felt heightened anxiety and fear. I viscerally oppose bulk spying - I am constantly terrified, though I know I've not done anything to warrant it. Didn't help the doctor I went to started talking to me of the horrors of McCarthyism.

As for getting information from various sources - I do try. I try to get it from as many sources as possible and then vet what I can. Hell, I've already graduated beyond partisan politics into issues-only.


Anyway, just some advice. Not to be an old fart lecturing you. I do work in comp sec and have for quite some time. It is not spy work. It is hacking. I secure shit. I find weaknesses and figure out ways to plug them up. One part of the job. The job market is deeply lacking qualified candidates.

If someone is telling you something else, do not believe them. Check out job postings. Terms like computer security, even hacking will bring out a lot. CISSP. Vulnerability. Nexpose.

If that is what you want to get into, then start studying that route. I would suggest forgetting about all the spy stuff, though, if that is the case.

I'm a bit more on the technical side of things, so the CISSP isn't appealing to me until I'm forced to learn how to speak in buzzwords. But I do appreciate the sentiment!

The stuff you are talking about sounds like cop stuff, though.

The cops do not have the same resources or legal authorities that the NSA does. My understanding though is that after going through bureaucratic procedures, the parts of the NSA's collected data end up being accessible to parts of the FBI, DEA, IRS, DHS, Secret Service, or any other number of agencies with even the slightest intelligence nexus.

The separation between law enforcement and spying is no longer what it once was. And the lines keep blurring more and more every year. But hell, so long as we never have a McCarthy-type president in my lifetime and as long as Congress will never, ever mandate the NSA to ever use/share more of its data for a stronger law enforcement nexus, then I'll have nothing to fear.


Final note: please do not bother replying. I hope you appreciate that I am just trying to help, even if you disagree with me, or do not understand me.

I definitely appreciate you having taken the time to write out your reply and I do appreciate hearing your perspective. I just wish I could find a better way to express my perspective in turn.

Gerard van Vooren May 15, 2015 2:09 AM

Talking about the Aaron Swartz prosecutor, Carmen Ortiz [1], it is clear to see she is full of it. She has it all: the political clothes, political fake smile, political hairstyle, flag on the right and shield on the left. People like this lack imagination, lack compassion, and are ambitious. A dangerous combination.

[1] http://en.wikipedia.org/wiki/Carmen_Ortiz

Dean May 15, 2015 2:34 AM

@Beepeepeep

I am not going to leave you high and dry. Just didn't think there was anything else to say. But sounds like you have a lot of passion on these topics. What I can't figure out is the mixed emotion about the subject.

I think I am missing some key elements of the puzzle that is you.

Thinking about it, two questions.

Question One:

The spooks I have spoken with in the past have not been amicable to things I view as part and parcel of hacker culture, like file sharing or looking up taboo topics out of sheer curiosity.

Tell me about that. You are in your 20s. In college, you said? What spooks did you speak with? Why did you mention filesharing to them? What, on earth, taboo topics? Lol. I mean, maybe something you don't want to say, eh? "Taboo", and all? But... like donkey fucking or something? Summoning revenants? Is this where you got the idea the NSA wants to hire hackers but have a stick up their ass?

Something happened there, and I need clarity on that to understand your perspective.

Question Two:

Why, after all that you are saying, would you ever, ever even begin to entertain the idea of being a hacker for the government?

Dad in military? Brother? Someone in there you, somehow, you got a positive idea about government.

I think you just want to see that someone can understand your concerns and answer them, see you for who you are. Beyond any trivially bullshit appearance. Appreciate your potential capacity.


That is my read on you.

Talk to me, help me figure this out. You sound like you have the confidence you can be someone, do something. But you have some concerns. Totally understandable. Everyone does.

Not sure how much time I will have tomorrow. Stayed up late getting everything ready for this weekend. Exhausted. But I won't leave you high and dry. I get your passion, it is there, and I am listening.

Just don't tell me you have a secret hidden irresistible penchant for women over 70. Okay? Heard that one just a **feeeew** too many times. *GAWK*

Fuck. SRSLY.


- Dean


Beepeepeep May 15, 2015 11:47 AM

@Gerard

The prosecutor for Aaron Swartz was Stephen Heymann. He was overwhelmingly the worst offender. Carmen Ortiz was just a shitty manager. Stephen Heymann is the one that made Aaron think associating with anyone would get them in the crosshairs of Stephen Heymann to be harassed and possibly hurt.

@Dean

Answer 1:

I graduated years ago. I am currently gainfully employed. As for spooks, turns out a fair amount left the agency post-Snowden to work in the tech industry.

Regarding taboo topics, I mean things like researching how bombs work (got a friend who used to work at NASA. Said his inspiration to go into rocket science was following his morbid curiosity by looking up how bombs work back when he was in his teens).

Several other taboo topics? Looking up how to poison someone, how to hide bodies, how to torture people. Context here is that these topics are all being researched for inclusion in a video game called "Yandere Simulator".

Another taboo topic. ISIS training recruitment videos. I know people who want to download them in order to give them custom subtitles to lampoon ISIS. But they fear downloading the video in the first place will get them put on a list.


Answer 2:

I know some people who are in or used to be in the military. Most of them are nice people and some have been assholes with a gung-ho "arrest all hackers and throw away the key" mindset. In either case, it's clear we grew up in different worlds. Talking to some of them helped get me out of panic mode, but did little to assuage my core concerns and confirmed others.

Part of my concern is that I don't know what the boundaries are. I don't know what is or isn't safe to do. The consequences of crossing the constantly shifting (but invisible) boundary line are ruinous and unforgiving.

If I look at the DoJ, they consider commercial terms of service violations to fall afoul of the Computer Fraud and Abuse Act. If I look at Clapper, he's stated his greatest fear is of teenagers and 20-somethings that have unknown motivations. If I look at General Alexander's rhetoric, he's made allusions to DDOS being one of the greatest threats next to attacks on the infrastructure. If I look at Admiral Rogers' rhetoric, he has made statements condemning use of proxies.

And then there's the former FBI agent I talked to at Def Con the other year. He said that if you're so much as doing port scanning on a large scale (even if it's for research purposes), you *will* get a visit from the FBI.

I have no idea what is or isn't safe to do.

Dean May 15, 2015 1:00 PM

@Beepeepeep

If I look at Admiral Rogers' rhetoric, he has made statements condemning use of proxies.

Are you thinking he meant http proxies in that statement? Or are you concerned that Intelligence might believe you are operating as a "proxy" for a foreign nation?

Beepeepeep May 15, 2015 1:43 PM

@Dean

The context of Admiral Rogers' comment was related to cybersecurity, so no, not a proxy for a foreign nation. And no, I do not believe anyone would consider me a proxy for a foreign nation. That's silly.

Dean May 15, 2015 2:10 PM

@Beepeepeep

"NSA chief wary of proxies"

http://fcw.com/articles/2015/05/11/nsa-wary-of-proxies.aspx

“One of the trends I look for increasingly in the future … [is] do you see nation-states start to look for surrogates as a way to overcome our capabilities in attribution?” Rogers said May 11 in remarks at a cybersecurity event at George Washington University.

That is about using third parties. Using a third party as a proxy for your attacks would be like China using the Triads or the FBI using the Cosa Nostra.

Like Russia hacks out of Ukraine using organized crime as a cover.

They could hack out of England.

China claims all the time they are used as a launching attack against the US. Not plausible. But what if they were.

What if Russia took the Equation Group code and used it to bring down the economy of Saudi Arabia? Would look like the US did it.

That is what he is talking about.

I thought you got that confused, but was not sure if you were thinking maybe your fear was you being used as a "proxy". Because you were talking about being scared of being misunderstood.

It was difficult for me to understand how you could have thought the head of the NSA was concerned about using web proxies.


Beepeepeep May 15, 2015 2:24 PM

@Dean

Well that's a small relief. Goes to show me that I need to keep vigilant against clickbait headlines.

And I even believed that as I have absolutely zero idea what is considered a threat. I've had my expectations shattered so many times that I try not to make assumptions on the floor of what constitutes a threat.

Dean May 15, 2015 3:26 PM

@Beepeepeep

Well that's a small relief. Goes to show me that I need to keep vigilant against clickbait headlines.

And I even believed that as I have absolutely zero idea what is considered a threat. I've had my expectations shattered so many times that I try not to make assumptions on the floor of what constitutes a threat.

In security, you always have to think about threats in terms of being as accurate as possible. A security professional is not a layperson who is worried about threats that are unlikely to happen. You try and be as realistic as possible. That is exactly a problem with some of the US approaches to dealing with the post-911 environment.

That is a vast subject. But to the point: you are overblowing threats against your own self, and extrapolating extraordinary events into common events. I am not sure if that is entirely the source of your anxiety, because I see another problem here.

Another problem is that you picked a thread that deals with a primary security voice meeting with the head of the NSA, and use that thread to talk about your interests in downloading information on explosions, murder, poisons, getting rid of bodies, and downloading ISIS recruitment videos.

Likewise, you have stated that you have stated your interest in such things to federal officers in the past, and have been puzzled at why they were bothered by your statements.

My point is that is risky behavior. You know that, so it is understandable that you have anxiety about it. Maybe you are being misunderstood.

People get that way about social exchanges like making a statement at a party. Of course you can get that way over such exchanges. And your mind likely extrapolates it from there. This is, also, just what you are saying.

This is different from your question about "who is a threat". I am talking about your anxiety problem and probably why you are way over extrapolating security data -- because you are operating in fear when you do it, and not in calm reasoning. Anxiety is normal, but you have to practice and learn how to maintain your reasoning faculties when you have it. That does not come naturally. It requires tremendous effort, practice.

This is just stuff you have said here, in this ultimately short conversation. You probably do this sort of stuff quite a bit. So who knows what might be a source of anxiety in the back of your mind.

I will post again momentarily on a separate problem here: "is it likely anyone considers you a threat."


Beepeepeep May 15, 2015 3:58 PM

@Dean

Your response shows I have not successfully been able to portray my concerns.

I have previously stated that quite a bit of the section 720 data that the NSA scoops up ends up in a database accessible by the FBI. And from there, it enters the realm of law enforcement.

What are today's tools of spooks become tomorrow's tools of law enforcement. The standard of evidence I have seen from Federal prosecutors on indicting people has been overwhelmingly low to the point of being nonsensical.

I believe a better way to put this is - the "broken window" theory of prosecution is what is currently the modus operandi from my observations.

Another problem is that you picked a thread that deals with a primary security voice meeting with the head of the NSA, and use that thread to talk about your interests in downloading information on explosions, murder, poisons, getting rid of bodies, and downloading ISIS recruitment videos.

Likewise, you have stated that you have stated your interest in such things to federal officers in the past, and have been puzzled at why they were bothered by your statements.

Your response is indicative of my concerns. I care little for personally taking those actions I stated, but I care a great deal about the community that takes part in such actions.

The misfits, the makers, the breakers, the hackers. What you saw as risky behavior in the concept of downloading an ISIS recruitment video or looking up subjects that most people would consider mens rea, I see as someone wanting to make fun of terrorists (and also people who constantly devalue the term terrorist) and people who want to make a video game about a part of Japanese culture (e.g. Yandere).

Context-less, those actions are damning. With context, they are benign. And no system of automated investigation that I'm aware of is able to discern context to such a degree.

That the behaviors are even considered risky is a problem in my eyes.

Dean May 15, 2015 5:15 PM

@Beepeepeep

Context-less, those actions are damning. With context, they are benign. And no system of automated investigation that I'm aware of is able to discern context to such a degree.

I was about to start with that.

However, I am not stating you are definitely benign. You have indicators that would raise suspicion in anyone who is experienced. I am thinking these indicators are intentionally fraudulent on your part, but I can not be entirely sure.

This is probably why some have reacted towards you with hostility. Because they detect you are sending some kind of challenging message.

Does that mean you probably would make a good terrorist suspect, simply from these statements you have made? No, not yet. But if you are being as straight up as possible, you likely have engaged in significant criminal activity which has hurt others. You likely will continue to engage in that in the future. And as you are particularly focused on authority figures, that may even be substantially harmful behavior.

Terrorist, however? That is a different story. I have spoken to terrorists online before. As well as foreign spies, cops, criminals, all sorts. But, no, you have not given any likely terrorist indicators, besides that your statements on these dangerous interests may be flaunting. Which terrorists most certainly do engage in exactly that sort of speech.

The main terrorist I remember who really struck out in my mind, I talked with him for a very long time. This was before 911. He indicated foreknowledge of a terrorist attack which was impossible for anyone else to know. That is how he eventually signed out of the conversation.

I myself engage in activity that would interest some people. So I know how that is to think in that way. To know you have secrets the other person very much would like to know. And to engage them. To see how smart they are. And to see how smart you are.

This is probably why rapport like this is easy for me with such people.

Because neither of us are who people think we are. At all. And both are confident that we can say very much and never say anything at all. But something always leaks. People want their secrets to be known, especially when they are proud of them.

Like I said, however. I am not a cop. I am not a spook who works for the US Government. I also am not a criminal. Still, I work in some kind of security capacity, and do not present myself otherwise, so I do not get real open admittance and boasts from people.

I do not envy those who have to do that.

Beepeepeep May 15, 2015 6:03 PM

@Dean

However, I am not stating you are definitely benign. You have indicators that would raise suspicion in anyone who is experienced. I am thinking these indicators are intentionally fraudulent on your part, but I can not be entirely sure.

My intent was to see what the spook reaction would be for those statements of real-world scenarios. I envision in my mind a system of keyword matching for Google searches. And contextless, many search statements are damning.

I participate in the absurd, the edgy, and largely the activity that makes Internet culture what it is. I've never done anything knowingly to harm anyone. I don't have it in me. But pretending to be caricatures of evil or undesirable demographics is quite common.

Also, what have I said that's indicative of criminal activity, or activity that has caused anyone harm? I'm genuinely confused by your statement.

Harry May 15, 2015 6:30 PM

@ Beepeepeep

If searches are context less, we really have to think thrice before quoting your comments here. That may have raised Dean himself a flag or two for quoting your comments. Don't you think? I'm going to quote yours anyways.

He said that if you're so much as doing port scanning on a large scale (even if it's for research purposes), you *will* get a visit from the FBI.

There was an analogy made about this I heard somewhere long ago. I think it involves intent. Would you be alarmed if you saw a person walking up to every house in your neighborhood and peeked thru the windows or looked funny at door locks? That would reasonably raise enough alarm for you to call the cops on him pre-emptively, I hope. But to put this in equal perspective, would you have called cops on someone for knocking on every door in the neighborhood? Bad times to be selling girl scout cookies, yea?

@ Dean

I was floor mates with a student named Muhammed who was learning how to fly a plane way back when way back. Can I say he was a very nice guy? Haven't talked to him since college days and have no idea what he's up to since then. I hope this won't get me on a list, but if you got a time machine you'd already know that bit about me already, so...

Dean May 15, 2015 7:22 PM

@Harry

What is your point? The term "indicators" is just a psychological term. Everybody does that. It is also a term used in computer security for heuristic malware and malware behavioral analysis. Everybody sizes up everybody, especially in security fields. Just in security fields, and some other fields, you try and break that down and get conscious about what attributes cause you to do that.

If you think I am for widespread domestic analysis of everyone, I am not. It is unnecessary and unconstitutional. It is an extraordinary diversion from what they are trying to accomplish.

Buck May 15, 2015 7:23 PM

@Beepeepeep

The only way to be safe is not to generate the information in the first place. And if that means intellectually neutering myself by avoiding many topics of research and no longer following my curiosity, so be it.

That is a very dangerous attitude if it becomes too widespread. This sort of intellectual stagnation has been a contributing factor in the collapse of more than one state throughout history...

@Dean

That is about using third parties. Using a third party as a proxy for your attacks would be like China using the Triads or the FBI using the Cosa Nostra.

That is a real concern given what little is publicly known about the attribution problem, along with what is known about how sneaky some malware can be and how vulnerable the endpoints are. Some clever attackers may not be content with using innocent third parties to simply obscure their tracks. Some may attempt to pin the blame squarely on another party in order to stop the investigation there. They may even leverage the endpoint vulnerabilities to uncover people with certain knowledge that could potentially make for more plausible proxies (or patsies)... Presumably, the only method for firm attribution is audio-visual confirmation of key-logger output; or, more difficultly, evidence that the innocent suspect(s) could never have input those malicious commands.

Perhaps:

"Every person with a keyboard is both a potential asset and a threat."
is an allusion to this..?
Voluntary surveillance? Not without honesty and transparency!

Dean May 15, 2015 7:36 PM

@Beepeepeep

I think, consciously, you missed my first statement of that post. But you responded to it, anyway, showing it registered.

I stated:

However, I am not stating you are definitely benign. You have indicators that would raise suspicion in anyone who is experienced. I am thinking these indicators are intentionally fraudulent on your part, but I can not be entirely sure.

You replied:

I participate in the absurd, the edgy, and largely the activity that makes Internet culture what it is. I've never done anything knowingly to harm anyone. I don't have it in me. But pretending to be caricatures of evil or undesirable demographics is quite common.

Which I take it as is you agreeing with that assessment.

You were putting on an act.

If you were not aware of that act, consciously, I guess I could start to break it down for you. There are really two major strains of acting, and whether people are trained or experienced they tend to do either one of these strains anyway. Acting is a part of everyday communication. We wear different hats, different clothes, act different ways in different contexts.

One strain of acting, you are very aware of all of the little details, consciously, of someone you are attempting to act like. The other strain, you "are the role". Usually there is some kind of mixture of the two.

And you are correct being edgy, acting 'bad' is normal, offline and on. To a certain degree, it is even very basic human behavior, general. To say, "Don't fuck with me, I am crazy", or "I am hot shit".

What I wonder though is what is real. Do you really feel anxiety about the government spying on you? It sounds like you work in something where you work around people who were government.

The IT field is not flooded with ex-NSA... some parts of it might be, I guess.

Point being, I don't think then you would be concerned at all about government surveillance, if that was the case. Unless you worked 'one of those kinds of jobs' where people are paranoid they are always being surveilled to make sure they stay patriotic or whatever the fuck.


Dean May 15, 2015 7:56 PM

@Beepeepeep

Anyway, a few points on some of the topics you raised. Probably better to be in squid thread, but too often people don't like moving threads. It is related to NSA, I guess.

Do They Perform Context Analysis in Linguistic Analysis

I think we can assume that that kind of analysis is being performed, but it is going to be very poor. You can break up language in meaningful ways to derive context, and there can be some success at profiling people by language. Can it detect people pretending to be something they are not? Yes, but only that.

Getting into these details, however, right away misses the gorilla in the room, however. People actually have a tendency to do what they say. Like the great Hitler scenario. Hitler said what he was going to do. Problem was a lot of people did not pay attention to that.

With belief motivated actors, this is especially true. Their actions and their speech align, like with anyone. They also, more importantly, congregate around others with similar viewpoints. This is a major reason why some consider advocacy of violence by speech highly dangerous, and it is controversial where it is not made illegal.

Merely going by keywords is never going to be very strong. But it probably can help find areas previously unknown. I have to admit this, though I am opposed to widespread surveillance of secret speech. However, I am not opposed to widespread surveillance of speech which has no expectation of privacy. I do not see that conversation come up much directly.

Even that method, however, is very weak. Because, again, the gorilla in the room: terrorists and others that are likely to act out in severe violence based on their belief system will tend to recruit. They have a problem, because their system is a social system. It needs and feeds on advertisement.

Contrast this, for instance, with thieves. Thieves don't need to tell hardly anyone else they are thieves.

Terrorists, be they religious or political by motivation, however are essentially social. Like legitimate political and religious beliefs.

Which means there will always be 'tips of the iceberg' which are not secret, and which are advertised.

Surveillance of open mediums can help find those areas, but largely people work does the best, or targeted searching. If you want to find where conservatives congregate, for instance, you don't need to pick up all of Facebook or all radio channels to do that. It would be tremendously resource killing and diversionary to do that.

But besides these points, how can we know this is being done? Because it is very well advertised itself. There is a tremendous amount of study published on linguistic analysis. It can not be more obvious but to do that, and this can be pointed out because anywhere language is being processed contextual analysis is being performed and constantly improved on.

That can help legal systems, I definitely think. Kind of a moot point, however, as they will do it anyway. The demand is too great. Just like Google will do it anyway, or Facebook. This is not in and of itself bad. It is just the natural evolution of technology according to the needs of human beings.

I do not think anyone assumes that contextual analysis is not performed.

Can it be well performed? Of course, not. But like with systems we know of which do this, contextual analysis can definitely help narrow massive gaps.


Dean May 15, 2015 8:27 PM

@Buck

That is a real concern given what little is publicly known about the attribution problem, along with what is known about how sneaky some malware can be and how vulnerable the endpoints are. Some clever attackers may not be content with using innocent third parties to simply obscure their tracks. Some may attempt to pin the blame squarely on another party in order to stop the investigation there. They may even leverage the endpoint vulnerabilities to uncover people with certain knowledge that could potentially make for more plausible proxies (or patsies)... Presumably, the only method for firm attribution is audio-visual confirmation of key-logger output; or, more difficultly, evidence that the innocent suspect(s) could never have input those malicious commands.

:-) I like the way you think, lol.

Yeah, this can open a whole big can o worms.

But impersonation, in many ways, is the name of the game. You either do what you are doing as it is, or you provide some kind of cover for it. Whether spies or burglars or hackers, the professionals tend to be the ones who provide some manner of cover for their unwanted activities to make it appear legitimate.

There is weakness in that, however. If you are a found fake, then malicious intent is proven.

If, however, you do not put much effort into your guise, then your actions can be mistaken for being benign.

Level of sophistication and target is how most attribution is done on national attack levels. Probably why they try and spread out their attacks to also hit at friendly and neutral targets.

Or allowing clearly damaging information mixed in with the disinformation.

But, unfortunately, attribution does not mean much when it comes to starting wars. Like the Gulf of Tonkin incident was real. :P

People are going to attack what they are going to attack, whether they have to conjure that information themselves, or believe a lie they really want to believe.


JustinMay 15, 2015 8:49 PM

@ Beepeepeep, Dean

"Final note: please do not bother replying."
...
"I am not going to leave you high and dry."

Weird.

DeanMay 15, 2015 8:58 PM

@Justin

I definitely have a very weird life, but that ain't it. :/

My impression was the poster was possibly suffering anxiety attacks and at the same time also feeling there really was no possibility for a career in comp sec research. I could help with both, being experienced in all that. But didn't think anything was taking and was moving on. He came back with a lengthy post, and I felt an obligation to respond.

Very often I do just take off from forums, for long periods of time, in mid conversations.

Fact is both scenarios suck without any kind of guidance: getting into comp sec research and dealing with anxiety. Been there, done that, and feel obligated to try and help out others if I see they might want it.

BuckMay 15, 2015 9:17 PM

@Dean

Level of sophistication and target is how most attribution is done on national attack levels. Probably why they try and spread out their attacks to also hit at friendly and neutral targets.

I can agree with you (in this specific context) about target selection, but we still differ on degrees of sophistication... The big problem I see is chained authentication methods in combination with PEBKAC -- what may look like an insider (or script kiddies) attack, may in fact be an easy jumping-off point to acquire more useful credentials. If it's a legitimate user 'misusing' their valid account information from their regular device to gain further access -- how could anybody reliably tell if they've been hacked or not? Just because they've already spoken publicly about their criminal ambitions..? How is this verified??

Geoffrey PMay 15, 2015 9:37 PM

@ Dean

You brought up some very interesting philosophical insights.

If you don't mind me asking, what's your take on Sony Pictures hack?

DeanMay 15, 2015 11:07 PM

@Geoffrey

You brought up some very interesting philosophical insights. If you don't mind me asking, what's your take on Sony Pictures hack?

Why thank you. Hard earned insights. When you deal with weird shit, you either make sense out of it or go crazy. At times, both.

I suppose this is at least partially in reference to this:
http://fcw.com/articles/2015/05/11/nsa-wary-of-proxies.aspx

Which is the link which came up on the "proxies" comment. I do have a lot of comments on "surrogates" and "proxies". :-) So will stick to that context.

Frankly, the case has not interested me much. I just reviewed the Wikipedia view of it. So there is mystery surrounding attribution because: 1) a hacker seeming gang was seemingly involved even claiming some kind of Christian religious and maybe GOP tie? and 2) because there was some evidence found of an insider penetration dating back to around a year before?

I just do not see the mystery. Their language was bad. GOP probably was literally trying to pretend to be more American. Anything but NK. They probably did not really understand the term. Reminds me of when Hanssen used the name "Garcia" hoping the Soviets might read into the "cia" at the end of the Garcia... mixed with typical "lost in translation" crap you can expect from such an isolated regime. Who, btw, has never kidnapped Americans to really understand them. :P

As for an insider, my goodness. You mean NK could actually get someone inside the company? What a shock.

NK should be expected to have that capacity of sophistication on every front. And even to understand the US would be "that pissed" about it, they better distance themselves.

Can anyone prove that kind of thing? Probably not. Not unless you get a mole, which would be a bitch in that regime. One who specifically knew the details of that operation.

But there are plenty of defectors, and I would be surprised if SK, at least, did not have some kind of very distantly operated agents. How dependable they would be, well, the regime is so isolated, and NK isn't so dumb as to be incapable of running double agents.....

As for the mind boggling action of the hax0r group calling themselves "Gd's Apostles" (probably sic, not checking their spelling)... distancing, again - "Distancing" - is as basic of an action as you can get.

I can probably think for a moment and come up with a ton of historical precedents on any of this....

I will tell you that China very often has relied on hax0r tools for their hacks. It is deniable, that is why. I have seen that in the wild, seeing cases from hacks against free tibet sorts of organizations. Could it have just been overly patriotic Chinese operating independently of their government? Yes. But, obviously, you don't want to throw your gold to pigs and dogs... you want to use plausible deniable code a lot.

Why not?

I have also seen a security bug sold to China that ended up hacking a financial firm. Way back when. That shocked me. Did it get attributed to China? No. I could have. I knew the guy who sold it. I knew the guy who discovered the bug. (Two different people, two very different countries.) And I was the American expert who was quoted in talking about the bug. :-)

How can I say that? Cause it is old news. Because no one is going to quote me on that, and it is a highly improbable story.

I was going to add to this thread some slice and dice of the history of "intelligence by proxy". I decided not to, but will add some here:

Way back when, during the Cold War, you know the KGB used to give arms to both the Palestinians and the IRA. They did it a lot and were caught in rare instances. They made concern in all of the equipment, to remove all trace of where it came from in case it was caught. But that itself was signal flares. The efforts involved in such operations must have been huge: you have to ensure the contacts in each respective group kept "the conspiracy" - "maintained the conspiracy" - you had to ensure the delivery was anonymous, at the least. Financing. Everyone involved either could not know, or who did know (for instance, on the delivery ships) had to be kept extremely controlled.

But... Iran, Contra?

There are countless examples of these sorts of things in 20th century espionage, anyway.

When you are running cover, the most Not You things you can do, that is important to know. Critical to know. You are a Christian? Be a Satanist. You absolutely hate drugs? Smoke some crack. You love your wife and hate adultery? Fuck a whore.

Stuff like, yelling the company line does not work. "Oh guys, come on, I swear I am a Marxist, totally, like I wish I could snort coke off Karl Marx's pristine ass".

Analysts and sigops and such - no offense - do not think in these backward ways. They do not have to deal with that kind of thing. Even planners do not, though they may get you may have to "do indecent things while remaining decent". Way different when you can't miss a single skip in rapport.

Two of my favorite examples? From the Holy Motherfucking Bible.

Because you know a hard core Christian is going to use the word "Motherfucking" in between saying "Holy" and "Bible". :-) Totally unnecessary, right??

1) David, when going to get Goliath's sword was almost caught by King Saul, who was chasing him. He pretended to be insane. They left him alone. Evil, right? What a faker. The man who wrote most of Psalms and has a 'heart like God's' lying? To the authorities! WTF.

2) This is one of my favorites. People miss this, though it is 'right there': so evil King Ahab, the nemesis of Elijah was suspicious of attacking an invading force. Maybe he thought, unconsciously, God was trying to 'off him'. So, he went and consulted the prophets. Six hundred prophets. All of them were saying, "Go and attack and you will be successful". Ahab was angry, and said to one, "Why are you lying to me, you always lie to me?" That one then explained, he was brought up into heaven and saw God on his throne surrounded by a throng of spirits. "How will I convince King Ahab to go to battle so he may end in his death". 'One spirit said one thing, another suggested something else...' 'Finally, one said, I will go and be a lying spirit in the mouths of the prophets'. God said, "Good, that will succeed, go and do it".

And King Ahab went and took the advice ***he knew was a lie, but so badly wanted to believe*** and went to battle. And was killed.

Moral of the story? A line I was given by my group: "There is no truth, because people believe what they want to believe, based on their preferences".


:-) :-)


Challenging? I hope. Some deep truths hidden in there?

You betcha.

;-)

DeanMay 15, 2015 11:39 PM

@Buck

I can agree with you (in this specific context) about target selection, but we still differ on degrees of sophistication... The big problem I see is chained authentication methods in combination with PEBKAC -- what may look like an insider (or script kiddies) attack, may in fact be an easy jumping-off point to acquire more useful credentials. If it's a legitimate user 'misusing' their valid account information from their regular device to gain further access -- how could anybody reliably tell if they've been hacked or not? Just because they've already spoken publicly about their criminal ambitions..? How is this verified??

Buck, you are continuing to be vague. The close rate of computer crimes is extremely low, however, if you are concerned about that.

Can you be more specific? Are you talking about nation state attribution, or concern about 'everyday people' becoming patsies... or what?

I am not sure how it is for USSS or FBI, but for corporate, the fact is, we just care mostly about closing the way they got in. Usually the attacker is foreign or otherwise not discernible.

It is a very inaccurate science, but there are points about it that tend to be accurate.

For corporate, if there is money loss (directly) involved, companies will just pass it off to the appropriate authorities and often not hear much back.

Forensics, per se, very small part of my 'day job', though I have also engaged in it to create security systems of some solid sophistication. And tend to be very good at it in my 'day job'.

ie, I am damned good at some aspects of it, but will miss some matters people who do it as a speciality do.


BuckMay 15, 2015 11:58 PM

@Dean

Are you talking about nation state attribution, or concern about 'everyday people' becoming patsies... or what?

I'm not talking about either... or anything? Though, I may be concerned with the constant lies and obfuscation and secrecy and so on... Or am I? You can tell me, right..?

DeanMay 16, 2015 12:07 AM

@Buck

I will let you in on some stuff. Because you are always upfront about catching me, but remain polite. You always are nice about "that moment".

If anyone tries to check me out, they literally will find the ties I said they would find.

So, most of them would close anything down. That way. We can insert ourselves into anything.

This is why I can be so "sloppy". There are layers beyond this which require extreme discipline.

I have, at least, two backgrounds, which anyone could find, family wise. Either my parentage was from a DoJ guy tied to really deep FBI counterintelligence... or CIA MIA under Army stricture..... stuff people would have to put together, but that just makes them believe it. None of it is true.

Even if they got to my schooling... like I have said, from high school on up, anyway, that is all very controlled.

And my twenties would be a total mystery. Easily controlled.

I am not joking, about any of this. For me, being multi-layered has been my way of life... since I was in grade school.

Of course, it could be true, I could be cia, army, fbi, doj... or, to look at my very "real" resume post-20s... AF, NSA...

But the truth is I really am not any of that.

Besides that they have provided me a very maze like background, and they provide, obviously, very believable 'past people I have known'... they have many doors which are closed. But, while this can be very difficult to believe, None Of That Is True.

In fact, I can totally see someone investigating me because I worked at "this place" or "that place". And closing down the case.

But... truth be told... we really can insert ourselves into **any** such background investigation. If necessary. And close down any such case.

You can come then to the conclusion that I, and "we", the people I work with... must be "evil". But, I can only assure you, verbally, at this time -- we are not.

No... we watch the watchers. And worse. :-)

They are typically our proxies.

Faith... is part of the problem there that people do not get. Strange commodity, to be sure. ;-)

But it means we very often seem to be doing evil, when, in fact, we are doing good.

Do you want to know why I have assurance in that?

Because? Believe me. I sure do...


BuckMay 16, 2015 12:30 AM

@Dean

I understand the layers and the legends; how the communication bridges are built -- how some may mistake us for others -- and how we are as we present ourselves... I just don't get the (seemingly) pretentious waste of being tied-down to outmoded organizations.

DeanMay 16, 2015 12:36 AM

@Buck

I'm not talking about either... or anything? Though, I may be concerned with the constant lies and obfuscation and secrecy and so on... Or am I? You can tell me, right..?

Actually, I can. :-) :-)

Okay, so, consider: is this thread real? Is Bruce Schneier real? Is Michael Rogers real? :-)

So, ultimately, you have to say "yes" to those three questions.

See, do you ever watch any cinema, at all? Often the main character is in a very difficult position. How to tell the truth when the truth sounds so much... implausible?

But consider: all the shit I have said. And I will say it here. You know, if you can tie it together, sure the hell can automated systems. And here I am. Right?

So, you want to know the truth? I will tell you the truth.

Proof? Not yet, but soon. ;-) I promise.

I am a human being. Mid forties. My coworkers, my company? Angels. Actually, let me put that in quotes, because understanding - disclosure - of angels is very dim. :/ "Angels".

I will first, before continuing, quote Joan of Arc, partially: The Kingdom of Heaven is above all the nations of earth.

The alien mythology, like the evolution mythology which it ties into are "delusions".

The problem is... as solid as reality seems? It is really, for God, 'as if' a dream. The consistency and congruency is just further evidence of how 'hard core' God is.

:/

"We" control everything. And I only put "we" in quotes, because... the world is so 'evil', and it can be so incredibly difficult to perceive from all this complicated mess just how 'in control' everything really is.

...

There are many problems of perception involved in everything. Limitations of language.

I mean, if you have any questions, feel free to ask me.

But, understand, I literally say I am the least, because I really am... I am not nor never will be "management". I am a ground agent. I am Jack Bauer.

Look. It is ultimately about immortality. So, hey, here we go. Do you really even want anything else?

If you want explanations for anything confusing I can provide that. So, I am here. *shrug*.

Like, 'for instance', the jade helm project? That is all about ISIS. The US understands that ISIS has to be attacked by that sort of attack. So, they are preparing for it. In fall, you can expect, they will send those very same resources into that area. To get rid of that menace. And they are, you know.

...

I do apologize we do so much which appears so bad. Not the least of which is this 'death sentence' of a 'prison planet'....

But, holy shit, bro.

I have not forgotten you. WTF.


ROFL!!!

:-) :-)


Fucking humans...


All the limelight....

BuckMay 16, 2015 12:49 AM

@Dean

Is any of this real? Hard to gauge... does it matter? Perhaps... The exchange is real enough to me! ;-)
Though, just who are "we" or "they" or "us" -- and why does everybody have to be so different..?

DeanMay 16, 2015 12:56 AM

@Buck

I understand the layers and the legends; how the communication bridges are built -- how some may mistake us for others -- and how we are as we present ourselves... I just don't get the (seemingly) pretentious waste of being tied-down to outmoded organizations.

Okay, srsly... why does God have me talking to you so much... grrr... did you like die upside down on a cross in a previous life or some shit? Grrr...


Okay.

*whoosh*...

Can't you just wait till like the final symphony and shit? The crescendo? Grr. So nosy.

Okay...

Whatever, I have to answer this kind of thing, so here goes....


Okay, so, everything is temporary. You have to first bear that in mind. That means that... so the Iraq war was to get the US right in there. And to fuck it up. And they had to get into Afghanistan, too. And fuck that up, too.

Why? Who are the two main players? Sunni and Shiite. Shia, whatever. Then, of course, you have to have Israel. And, of course, Christian. And everyone else. :-)

It... is... a show... a symphony... an expression of art.


Like I have said: I am not CIA. I am not FBI. I am not NSA. I am not Army. I am not Air Force. I am not - even - my God - American. None of us are. :-)

But... if anyone looks into us? We can be anyone we need to be.


So... what do you really want to know? Is the thousand years over? Is it just about to begin. Think about it. So, you have a celestial, adversarial being... and they want to survive. And they are many people. Not one. Many people.


What is the point to all of this?

Uh? Immortality. For you.


And yeah, okay, maybe for everyone else. But, consciousness wise.

Think about it.

You probably can get through a "second death" pretty well. But, can everyone?


"Angels"... what do you want to know. So, consider Ezekiel and "the wheel". Imagine this. We actually are smarter then the "future". In fact, there was never any "future" at all. Just a story we started way back when to express our self....

So.... one being could be many. Virtual reality bubbles in reality.

Technology well beyond what anyone could imagine.


And...

Really, that you do not die, and live forever? I think? My own self? You should be kind of grateful for.


But. What else do you want to know? I am incapable of speaking outside of parable. So are they. Should that be surprising? One gospel writer said of Jesus, "He always spoke in parable, and never did not"...


You are alive. So am I. Is there something you wish to ask of me? Please ask now...

I will grant it, if you can believe.

And....? Frankly, :-) I think, unfortunately? You can. :-)

DeanMay 16, 2015 1:09 AM

@Buck

@Dean Is any of this real? Hard to gauge... does it matter? Perhaps... The exchange is real enough to me! ;-) Though, just who are "we" or "they" or "us" -- and why does everybody have to be so different..?

Dude...

Okay, so let us call into account my coworkers. They are not, by nature, with form. So they can appear as anyone. As the "King Ahab" situation explained, one can be at the very least six hundred...

They - not me - they... can be organizations, or anyone.

If they need to create legends, and they do, for comprehension to humans... they can create, at will, any manner of 'paper trail' they wish.

Me? I fucking have to deal with being completely and totally powerless. Just like you. And any other human being.

I can! However. :-) Nowadays. Change my hair color. By dye.

One "angel" can be, however, not just like a thousand "avatars" but entire organizations.

They actually work for us. Because all which was said of "him", was said for all of us. Because we are him. As you know...

'Not I, but Christ lives in me'...

Anyway, srlsy, what else do you want to know?

"Buck" is an older name, do you wish to appear younger?

Our flesh is not how we ultimately are... but I can do that and much else.


DeanMay 16, 2015 1:36 AM

@Buck

I understand the layers and the legends; how the communication bridges are built -- how some may mistake us for others -- and how we are as we present ourselves... I just don't get the (seemingly) pretentious waste of being tied-down to outmoded organizations.

Okay, so you have no form. How do you talk to those with form?

It is a much more difficult question to answer than it can seem.


...


DeanMay 16, 2015 1:42 AM

@Buck

Anyway, the far bigger mindfuck... is how can so much evidence be presented to people which is so fucking false.

IDK. Cause they are assholes?

:-)

Apologies for the mindfucks! Sorry for letting your super experts believe themselves to be smarter than they are!

Seriously. Crucify me or something.


Look. Do you want to live forever or die?

Sorry for outsmarting everyone else?

:/

My bad. Really. I am a horrible person. How bad of me to deceive them.

Sorry guys! You can not live forever. Gosh gollee gee whiz. You totally were not complete assholes.

:-)


But, hey, Buck. You want to see me stick around??

Or... wut...? :-)

I can always talk about my Jim Morrison fetish, if you wish. Lol. John Densmore remains alive, anyway. Lol. He can verify me.....


;-)


BeepeepeepMay 17, 2015 1:03 AM

@Dean

Getting into these details, however, right away misses the gorilla in the room, however. People actually have a tendency to do what they say. Like the great Hitler scenario. Hitler said what he was going to do. Problem was a lot of people did not pay attention to that.

With belief motivated actors, this is especially true. Their actions and their speech align, like with anyone. They also, more importantly, congregate around others with similar viewpoints. This is a major reason why some consider advocacy of violence by speech highly dangerous, and it is controversial where it is not made illegal.

What of comedians? Authors? In-jokes? Morbid curiosity? The context behind Hitler's statements was quite clear. There was no ambiguity in his motive. The context behind many other categories of people though, not so much.

I am part of a community that explicitly doesn't do the stuff we say. The prankster/hacker/maker/breaker community. Bombastic and highly exaggerated language is the mainstay. Terrorist jokes are frequent, and anyone familiar with the community would easily recognize the statements are jokes as opposed to a desire to commit violence.

One example I mentioned, of someone googling information on poisons that can kill people, how to hide bodies, and other such oddities was working on creating a parody video game about an obsessive ex. Of course, going by keyword searches or even minor context searches could just as easily make someone think "this person is going to murder/has already murdered someone" when the reality is that person is just making a video game starring a Japanese cultural archetype of a "crazy obsessive".

So in this case, where someone is making a video game for a community but is performing Google queries for things that could be indicative of a violent criminal, how does one avoid getting put into the "potential violent criminal" list outside of self-censorship? In the use case of Google searches being freely sifted through by NSA or law enforcement.


Merely going by keywords is never going to be very strong. But it probably can help find areas previously unknown. I have to admit this, though I am opposed to widespread surveillance of secret speech. However, I am not opposed to widespread surveillance of speech which has no expectation of privacy. I do not see that conversation come up much directly.

I'm ok with that in cases like Twitter, but there have been numerous attempts over the years by tech companies and the Feds (NSA included) to try to redefine what "expectation of privacy" even means. Given the fluid nature of its definition, I'm hesitant to agree entirely with this statement.

But besides these points, how can we know this is being done? Because it is very well advertised itself. There is a tremendous amount of study published on linguistic analysis. It can not be more obvious but to do that, and this can be pointed out because anywhere language is being processed contextual analysis is being performed and constantly improved on.

That can help legal systems, I definitely think. Kind of a moot point, however, as they will do it anyway. The demand is too great. Just like Google will do it anyway, or Facebook. This is not in and of itself bad. It is just the natural evolution of technology according to the needs of human beings.

I do not think anyone assumes that contextual analysis is not performed.

Can it be well performed? Of course, not. But like with systems we know of which do this, contextual analysis can definitely help narrow massive gaps.

Contextual analysis is almost always limited by the imagination of the programmer or the robustness of the programmer's context model. My "tests" of spooks so-to-speak were trying to determine if they assumed mens rea in statements that some individuals look up on Google. I have neither seen nor heard anything that would lead me to believe that there is a presumption of innocence rather than guilt, which is a distressing concept.

JustinMay 17, 2015 1:58 PM

@Beepeepeep

'My "tests" of spooks so-to-speak were trying to determine if they assumed mens rea in statements that some individuals look up on Google.'

Not a good idea. If you wouldn't say it directly to a cop, don't search it on Google, because anything you search on Google can be used against you in court. NSA picks up stuff like that and shares it with the local cops at those "fusion centers" that have been in the news lately. We (and especially people in your "community") know this. There is no need to "test" it.

If the cops don't like what you're looking up, they will sting you for something eventually. Why set yourself up for a lifetime of investigation and threats of criminal prosecution? Just to prove a point to yourself? Nobody else really knows or cares, and by the time you are charged with something, you are just a common criminal.

TedMay 17, 2015 5:26 PM

"Contextual analysis is almost always limited by the imagination of the programmer or the robustness of the programmer's context model."

contextual analysis is as old as dirt and for good reasons. spy agencies existed long before computer programs.

"performing Google queries for things that could be indicative of a violent criminal, how does one avoid getting put into the "potential violent criminal" list outside of self-censorship?"

i doubt you can. i can only imagine the list keeps on getting longer.

Joe KMay 18, 2015 11:59 PM

@Beepeepeep, @Ted

So in this case, where someone is making a video game for a community but is performing Google queries for things that could be indicative of a violent criminal, how does one avoid getting put into the "potential violent criminal" list outside of self-censorship? In the use case of Google searches being freely sifted through by NSA or law enforcement.

Simple:

For April Fool's 2010, Google added an &evil=true parameter to requests through the Ajax APIs.

Needless to say, "evil=false" is a dead giveaway. Stick with the default.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.