Major NSA/Equation Group Leak

The NSA was badly hacked in 2013, and we’re just now learning about it.

A group of hackers called “The Shadow Brokers” claim to have hacked the NSA, and are posting data to prove it. The data is source code from “The Equation Group,” which is a sophisticated piece of malware exposed last year and attributed to the NSA. Some details:

The Shadow Brokers claimed to have hacked the Equation Group and stolen some of its hacking tools. They publicized the dump on Saturday, tweeting a link to the manifesto to a series of media companies.

The dumped files mostly contain installation scripts, configurations for command and control servers, and exploits targeted to specific routers and firewalls. The names of some of the tools correspond with names used in Snowden documents, such as “BANANAGLEE” or “EPICBANANA.”

Nicholas Weaver has analyzed the data and believes it real:

But the proof itself appears to be very real. The proof file is 134 MB of data compressed, expanding out to a 301 MB archive. This archive appears to contain a large fraction of the NSA’s implant framework for firewalls, including what appears to be several versions of different implants, server side utility scripts, and eight apparent exploits for a variety of targets.

The exploits themselves appear to target Fortinet, Cisco, Shaanxi Networkcloud Information Technology (sxnc.com.cn) Firewalls, and similar network security systems. I will leave it to others to analyze the reliability, versions supported, and other details. But nothing I’ve found in either the exploits or elsewhere is newer than 2013.

Because of the sheer volume and quality, it is overwhelmingly likely this data is authentic. And it does not appear to be information taken from compromised systems. Instead the exploits, binaries with help strings, server configuration scripts, 5 separate versions of one implant framework, and all sorts of other features indicate that this is analyst-side code—the kind that probably never leaves the NSA.

I agree with him. This just isn’t something that can be faked in this way. (Good proof would be for The Intercept to run the code names in the new leak against their database, and confirm that some of the previously unpublished ones are legitimate.)

This is definitely not Snowden stuff. This isn’t the sort of data he took, and the release mechanism is not one that any of the reporters with access to the material would use. This is someone else, probably an outsider…probably a government.

Weaver again:

But the big picture is a far scarier one. Somebody managed to steal 301 MB of data from a TS//SCI system at some point between 2013 and today. Possibly, even probably, it occurred in 2013. But the theft also could have occurred yesterday with a simple utility run to scrub all newer documents. Relying on the file timestamps—which are easy to modify—the most likely date of acquisition was June 11, 2013. That is two weeks after Snowden fled to Hong Kong and six days after the first Guardian publication. That would make sense, since in the immediate response to the leaks as the NSA furiously ran down possible sources, it may have accidentally or deliberately eliminated this adversary’s access.

Okay, so let’s think about the game theory here. Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were I betting, I would bet Russia, and that it’s a signal to the Obama Administration: “Before you even think of sanctioning us for the DNC hack, know where we’ve been and what we can do to you.”

They claim to be auctioning off the rest of the data to the highest bidder. I think that’s PR nonsense. More likely, that second file is random nonsense, and this is all we’re going to get. It’s a lot, though. Yesterday was a very bad day for the NSA.

EDITED TO ADD: Snowden’s comments. He thinks it’s an “NSA malware staging server” that was hacked.

EDITED TO ADD (8/18): Dave Aitel also thinks it’s Russia.

EDITED TO ADD (8/19): Two news articles.

Cisco has analyzed the vulnerabilities for their products found in the data. They found several that they patched years ago, and one new one they didn’t know about yet. See also this about the vulnerabilities.

EDITED TO ADD (8/20): More about the vulnerabilities found in the data.

Previously unreleased material from the Snowden archive proves that this data dump is real, and that the Equation Group is the NSA.

EDITED TO ADD (8/26): I wrote an essay about this here.

EDITED TO ADD (9/13): Someone who played with some of the vulnerabilities: http://xorcat.net/2016/08/16/equationgroup-tool-leak-extrabacon-demo/

Posted on August 16, 2016 at 10:43 AM • 242 Comments

Comments

Alan August 16, 2016 10:52 AM

Why do I feel that the Shadow Brokers might shortly suffer a rash of inexplicable fatal accidents? Messing with the NSA or CIA seems less advised than messing with the mob.

Lou Herford August 16, 2016 11:16 AM

Interesting analysis from Snowden:

“This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast.”

Dave August 16, 2016 11:30 AM

I had a chance to look at the files on Cryptome. What Cryptome is showing right now only seems to be a subset of the 301 MB file.

Those files seem to be text files showing how to use the various tools. There are some Python programs, but very basic stuff; a good analogy would be a torpedo without the warhead.

They do not actually have any “tools” or “implants” they are just guides.

It’s my understanding that the NSA has an automated process for deploying malware on the internet. If you do something that sets off a red flag, then the IP address and MAC address get added to a targeting computer. This happens when you go to a specific website, call a phone, or text an individual already in the targeting computer.

If this is real, my thinking would be these are tools used to train individual red team members. It doesn’t mean the NSA was hacked; it could be a lapse in security where (training materials) were stolen.

I would bet a lot of money the NSA itself was not hacked.

Mandoch August 16, 2016 11:37 AM

When these things happen, I find it fascinating to watch which companies scramble to comply with the NSA by rapidly shutting down the accounts used by the “perpetrators” to publish information and which companies leave the accounts open until a court order tells them otherwise. It says a lot about who’s who and what they really stand for when the chips are down.

Closed accounts so far:
-Tumblr (https://theshadowbrokers.tumblr.com/)
-Github (https://github.com/theshadowbrokers/EQGRP-AUCTION)
-Dropbox (https://www.dropbox.com/s/g8kvfl4xtj2vr24/EQGRP-Auction-Files.zip)

Sam August 16, 2016 11:39 AM

@Dave

a good analogy would be a Torpedo without the warhead

Well … good? At least a partly responsible disclosure then: it’s much better than having a pile of Equation-Group-quality exploits floating around in the wild for anyone to use.

Clive Robinson August 16, 2016 11:51 AM

@ Alan,

Why do I feel that the Shadow Brokers might shortly suffer a rash of inexplicable fatal accidents?

You are presupposing that the Shadow Brokers are,

1, Civilians
2, Identifiable
3, Available
4, Unprotected

It may well be that they are military / IC of a country that has decided it’s time to double down on the current US Gov incumbents’ hypocrisy and misattribution.

There has not really been any real evidence presented on the Sony Pictures, Bangladeshi bank heist or DNC hacks, just rabid finger pointing.

Then there is the preceding China APT etc, from a non US perspective one has to wonder just how much room under the bed the US has for REDS. It all looks like a reheat of the old fifties and sixties “Red Scare” “un-american” nonsense.

If it is the IC / Mil of another nation turning the screw on the US –which the 1 million BTC might suggest– then we are going to need a really comfortable sofa and a large supply of Kool-Aid and Coors along with a big supply of pizza and popcorn 😉

Dennis August 16, 2016 11:53 AM

@Dave:

“If this is real, my thinking would be these are tools used to train individual red team members. It doesn’t mean the NSA was hacked it could be a lapse in security where (training materials) were stolen.”

This is what Snowden says about the hack (in a nutshell: it’s probably a hacked proxy hop server and it’s happened before):

NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations. This is how we steal their rivals’ hacking tools and reverse-engineer them to create “fingerprints” to help us detect them in the future. Knowing this, NSA’s hackers (TAO) are told not to leave their hack tools (“binaries”) on the server after an op. But people get lazy. What’s new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.

Alex Mora August 16, 2016 11:54 AM

Something about this reminded me of Sneakers (1992)

Then:
Dick Gordon: National Security Agency.
Martin Bishop: Ah. You’re the guys I hear breathing on the other end of my phone.
Dick Gordon: Only No, that’s the FBI. We’re not chartered for domestic surveillance.
Martin Bishop: Oh, I see. You just overthrow governments. Set up friendly dictators.
Dick Gordon: No, that’s the CIA. We protect our government’s communications, we try to break the other fella’s codes. We’re the good guys, Marty.
Martin Bishop: Gee, I can’t tell you what a relief that is… Dick.

Now:
Dick Gordon: National Security Agency.

Martin Bishop: Ah. You’re the guys I hear breathing on the other end of my phone.

Dick Gordon: Officially, only if you’re making international calls; otherwise, that’s the FBI. Or maybe it’s the Brits or New Zealand; we spy on people in each other’s countries all the time and “share” the information to get around the fact we were not officially chartered for domestic surveillance.

Martin Bishop: Oh, I see. You also overthrow governments? Set up friendly dictators?

Dick Gordon: No, that’s the CIA. Though they are a little off their game these days. They’ve been trying to overthrow Syria for years. Might have to do with everyone with some common sense leaving to protest the mass application of torture.

We at the NSA spend most of our time sifting through a mountain of noisy and mostly useless information, which at least makes us look busy, which is important because after that Snowden fiasco we are a household name. We used to talk about protecting our government’s communications, but the people in our government can’t follow basic security advice.

Don’t worry Marty, all you need to know is we’re from the government and we’re here to help.

Martin Bishop: Gee, I can’t tell you what a relief that is… Dick.

boseman August 16, 2016 11:57 AM

it’s much better than having a pile of Equation-Group-quality exploits floating around in the wild for anyone to use.

It’s better to have the knowledge shared. A legitimate response by the networking hardware developers would be to study them, develop some kind of workaround, then close the exploits.

We all know by now, sometimes that is much easier said than done. But, more shared knowledge is better despite the temporary risks.

/b/paradise August 16, 2016 12:10 PM

Lots of fascinating tidbits in the dump itself. In no particular order: (1) network profiling permits arbitrary unsupervised surveillance with no audit trail – in case you ever believed that crap about complying with applicable laws and regs. (2) It seems that even simple things like using non-default ports for your services can make you a harder target. (imagine what a little idiosyncratic compiling can do) (3) the tunneler, made executable with one click, is really going to advance the information freedom of the world, if ya get my drift. (4) Oh to be a fly on the wall when they think through the hugest implication of the dump, and PANIC.

r August 16, 2016 12:14 PM

I haven’t looked at the stuff, I was paranoid about the trolls when I first saw it (translate.google.com), I think it’s funny how the trolls now used github – and were censored – I guess that answers my question: why not?

That aside,

Are these datatypes the type capable of being obtained through a honeypot?

It could’ve been a staging area, a forward asset that was compromised?

(so far, it IS a relatively small trove)

r August 16, 2016 12:19 PM

/b/paradise said:

“non-default ports for your services can make you a harder target. (imagine what a little idiosyncratic compiling can do)”

+3

However, uniqueness can be an identifiable factor.

These are all points made (roughly) in the analysis.

Harvey August 16, 2016 12:26 PM

@/b/paradise:

Yup, a few other nuggets I’ve stumbled across so far: the code they use to disable password checking when compromising telnet (really, in 2013?) or ssh in EXTRABACON; the technique they use to exfiltrate text data as binaries in Netprofiler; the script they use to automatically set up a default Apache server to stage an attack…

ALexT August 16, 2016 12:27 PM

Few random thoughts…

It would seem obvious that the 1mn bitcoin price tag is some sort of joke – there is simply no way anyone would be able to cash out about 10% (give or take, there is probably no consensus as to the total amount in actual circulation)

Am I the only one who never heard of http://sxnc.com.cn/ ? Are they only serving the Chinese market?

tian tian August 16, 2016 12:42 PM

To those who are suggesting that this is an innocuous responsible disclosure, I think you guys need to download the full version. Follow the links from their twitter account to the pastebin message to the mega.nz upload. As well as the config files, there are binaries and fully working exploits in there.

Vesselin Bontchev August 16, 2016 12:44 PM

Some observations:

1) The auction is an obvious scam. A Tullock lottery, really? And no determined time limit, either. Gimme a break. Nobody does this in real life.

2) The “stuff” (at least the freebie) looks real. Some are still unpatched 0days, even after so many years. The names match the ANT catalog, the file dates predate the leak of the ANT catalog. I definitely believe that this is NSA stuff.

3) The quality of the programs is shit. Did they use interns to write the programs using the exploits or what?! Using Python and the “[+]” notation, plus snarky remarks in some messages, too. How very 177t.

4) The text doesn’t read like Russian English. More like Chinese English. Although it could be simple misdirection, of course.

5) This doesn’t seem like an insider leak a la Snowden. It seems mostly like stuff discovered on an NSA-hacked appliance. Remember, the opponents of the NSA aren’t exactly stupid, either. Stuff gets discovered all the time.

Oh, and in totally unrelated news, the NSA website is down. Only the front page works (and even that times out occasionally); all the links point to non-existent pages.

/b/paradise August 16, 2016 12:47 PM

@r (12:14) see last night from the squid thread, somebody already ran the dump through the malware yara rules [see for yourself if you don’t trust them, https://github.com/Yara-Rules/rules ] There is no sign of tampering. And the sources, Cryptome and mega, are no honeypots.

r August 16, 2016 12:50 PM

@Mr. Bontchev,

Non-cached access here (my mother-in-law’s PC has never been there), even the main page displays:

Invalid URL
The requested URL “[no URL]”, is invalid.

Reference #9.f111cb8.1471369730.9a8d2

r August 16, 2016 12:52 PM

@/b/

I believe you/that, I was careful about the ‘news article’.

By the time (yesterday just before noon?) I clicked the github it was down.

Dave August 16, 2016 1:10 PM

@ Dennis

NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers

This would explain how to get the implant (code), but I’m not sure that gets you the tools themselves or the directions on how to use the tools. I mean, what Snowden is describing is a MITM attack on existing passive collection. Now, a hack of a staging server, ok, I could see that and that makes sense. If TAO and its red teams are trained to erase all implants when they are done (why have the directions on anything you hack to begin with?), one would think they reside on the computer of the RT member only.

In my mind maybe this could be tools used for supply side interdiction.

Just a theory

(1) Bad actor buys a computer, server, firewall, or router.

(2) Device shows up at location NSA uses to install implants

(3) Device goes back on DHL or UPS truck mid shipment

(4) Actor gets computer NIB (with implant)

It’s possible this is a toolkit used in supply side interdiction that just got out into the wild?

What is very clear is we are now in a public game of attribution diplomacy for the LUZ!

Raindance August 16, 2016 1:40 PM

I’ve been browsing through the exploits, finding it all quite amusing until it suddenly hit me: “the exploits of today are the PhD theses of tomorrow and the next day blah blah bah.” There is something very wrong about the fact that the 0-days behind these exploits have probably been developed somewhere abroad by a bunch of different mercenary security firms, bought with USD tax money and/or plagiarized from the tools used by countries that want to hack us, stolen again from us by those very countries that want to hack us, doxed, and ultimately used by script kiddies from around the world to design the ransomware that will grace an office work station near us in the next few days. It seems just wrong that we’re all paying for the privilege with our tax dollars.

Bystander August 16, 2016 1:44 PM

This is pretty interesting.

As it hasn’t been linked yet, here is a comment of someone who played a little with the material provided.

yoshii August 16, 2016 1:58 PM

To everyone here at this site and forum…

Please substantiate (back up with supporting information) all claims whenever possible, to avoid illogical sensationalism and the disruptive intellectual fallout that accompanies mismanaged propagation of information.

Opinions and hunches aren’t facts. And hyping people up with claims that might not hold up to scrutiny when the evidence finally comes is not a good idea.

Times are tense enough without accidental or intentional instigators.
This is just a fair request.

Dali La August 16, 2016 2:09 PM

From Nicholas Weaver’s article

“This scenario would have the NSA, after the Snowden revelations, practicing some incredibly awful operational security. Why should the NSA include five different versions of the same implant on a system used to attack other systems on the Internet? Let alone implants which still have all the debugging strings, internal function names, and absolutely no obfuscation?”

It looks like the NSA is suffering a bit of an image problem, shifting from Neo to Mr Bean within a couple of years.

PerryD August 16, 2016 2:15 PM

I admittedly don’t know a lot of the details, but it seems that this might have been taken from an employee laptop that had been stolen or lost (or maybe bought at government auction).

AJWM August 16, 2016 2:26 PM

Relying on the file timestamps — which are easy to modify — the most likely date of acquisition was June 11, 2013.

There are newer files than that. For example, Firewall/OPS/userscript.FW has a file timestamp of October 18, 2013. And, not to rely on file timestamps, that file itself has an internal change history suggesting changes made on or after June 11:

# 6/11/13 -- Modified layout of disk so TPATHS have been updated...
# 7/25/13 -- Removed blockme rules and added in support for BG3121 as we move to merge
# 8/18/13 -- Updated paths to match the new directory structures

Not that this proves anything either; the provenance and chain of custody of this stuff is questionable.
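The cross-check AJWM describes (a file’s timestamp against the dated entries in its own change history) is easy to automate. The script below is an added example, not code from the post or from the dump: the change-log text is a constructed sample modelled on the three quoted lines, and the date format (`# M/D/YY --`) and two-digit-year handling are assumptions.

```python
"""Cross-check a file's timestamp against the dated entries in its own change log.

Added example (not from the post or the leaked archive).  Given the text of a
script carrying comment lines such as "# 6/11/13 -- ...", extract every entry
date and compare the newest one with the file's mtime and with a claimed
acquisition date:

  * an entry later than the claimed acquisition date contradicts that date;
  * an mtime earlier than the newest entry means the timestamp was altered
    (or the file was rewritten) after the last recorded change.

Assumptions: entries use M/D/YY with two-digit years taken as 20xx.
"""
import os
import re
from datetime import date, datetime

# Matches "# M/D/YY -- text" at the start of a line (assumed format).
CHANGELOG_RE = re.compile(r"^#\s*(\d{1,2})/(\d{1,2})/(\d{2})\s*--")

# Constructed sample, modelled on the change history quoted above.
SAMPLE = """#!/bin/sh
# 6/11/13 -- Modified layout of disk so TPATHS have been updated...
# 7/25/13 -- Removed blockme rules and added in support for BG3121
# 8/18/13 -- Updated paths to match the new directory structures
echo "placeholder body"
"""


def changelog_dates(text):
    """Return ISO dates of all change-log entries in `text`, in file order."""
    found = []
    for line in text.splitlines():
        m = CHANGELOG_RE.match(line)
        if m:
            month, day, yy = (int(g) for g in m.groups())
            found.append(date(2000 + yy, month, day).isoformat())
    return found


def file_mtime_iso(path):
    """ISO date of a real file's mtime (helper for running this on a disk file)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime).date().isoformat()


def check_provenance(text, mtime_iso, claimed_iso):
    """Compare change-log dates with the mtime and a claimed acquisition date.

    All dates are ISO strings (YYYY-MM-DD).  Returns a dict describing which
    of the two consistency conditions fail; 'consistent' is True only when
    no entry postdates the claimed date and the mtime is not older than the
    newest entry.
    """
    entries = changelog_dates(text)
    mtime = date.fromisoformat(mtime_iso)
    claimed = date.fromisoformat(claimed_iso)
    newest = max((date.fromisoformat(e) for e in entries), default=None)
    after_claim = [e for e in entries if date.fromisoformat(e) > claimed]
    mtime_too_old = newest is not None and mtime < newest
    return {
        "newest_entry": newest.isoformat() if newest else None,
        "entries_after_claimed_date": after_claim,
        "mtime_before_newest_entry": mtime_too_old,
        "consistent": newest is not None and not after_claim and not mtime_too_old,
    }


if __name__ == "__main__":
    # The mtime and claimed date below are the ones discussed in the thread.
    report = check_provenance(SAMPLE, "2013-10-18", "2013-06-11")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it on a real file with `check_provenance(open(path).read(), file_mtime_iso(path), claimed_iso)`; the two flags tell you which of the two stories (timestamp or change log) the other contradicts.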

Rabbid Honeypotting August 16, 2016 2:28 PM

@Dennis

NSA’s hackers (TAO) are told not to leave their hack tools (“binaries”) on the server after an op. But people get lazy. What’s new? NSA malware staging servers getting hacked by a rival is not new.

and @Vesselin

5) This doesn’t seem like an insider leak a la Snowden. It seems mostly like stuff discovered on an NSA-hacked appliance. Remember, the opponents of the NSA aren’t exactly stupid, either. Stuff gets discovered all the time.

I have more respect for the NSA’s skills and workflow protocols to agree with this. Likewise I don’t think Schneier should have presumed it was a group. That sounds like the thing I could have seen if Snowden hadn’t taken immediate credit. I.e. rabid egos presume that only a ‘group’ could do something so monumental.

Amplifier August 16, 2016 2:36 PM

@Raindance

I’ve been browsing through the exploits, finding it all quite amusing until it suddenly hit me: “the exploits of today are the PhD theses of tomorrow and the next day blah blah bah.” There is something very wrong about the fact that the 0-days behind these exploits have probably been developed somewhere abroad by a bunch of different mercenary security firms, bought with USD tax money and/or plagiarized from the tools used by countries that want to hack us, stolen again from us by those very countries that want to hack us, doxed, and ultimately used by script kiddies from around the world to design the ransomware that will grace an office work station near us in the next few days. It seems just wrong that we’re all paying for the privilege with our tax dollars.

Ain’t America grand?

Speculator August 16, 2016 2:41 PM

@yoshiee “Opinions and hunches aren’t facts. And hyping people up”

Anyone capable of being hyped up by comments in an (mostly) unmoderated thread with anonymous posts is someone who has a serious risk of dying on their way to work in the morning, even if they aren’t trusted by their government to operate something as dangerous as a motor vehicle.

Max August 16, 2016 2:51 PM

“The Equation Group” is the name used by Kaspersky. Not saying that Kaspersky is the leaker, but it’s possible that this didn’t come directly from the Russian government. Maybe it’s a leak of a leak of a leak. Stuff gets around.

WhiskersInMenlo August 16, 2016 3:22 PM

Given the dates these are “Pre-WindowZ-10”, now I am curious if any apply to Win-10.

The future of patches for anything other than Win-10 now has a limited life. So these may be almost worthless to the big boys.

If the tools were for a NIB system in transit install then the list of new in box operating systems needs to line up with tools. Time alone says they do not.

Same time issue is true for Apple and even Linux where a year or two would present an interesting set of changes and new set of exploit challenges.

For those that have looked at the bits, are there strong clues that anti virus tool vendors could jump on quickly?

Exploit of php and web services — will we see a spate of bug fixes?

My personal expectation is one or more individuals noticed that knowledge of exploits is double edged and the rusty sharp edges run all the way down the handle.

Groups like the DNC are embarrassed and have enough power to illuminate the flawed thinking of some TLAs and adjust their budgets.

Groups like the DHS may have grokked the reality that homeland security depends on defect free software (OK much improved).

Awareness of the Vulnerabilities Equities Process in the news might have triggered less embarrassing back door disclosures.

Congresswomen have been embarrassed, i.e.:
Nancy Pelosi: DCCC hacking brought on ‘obscene and sick calls’
Her rolodex is full of good non random numbers:
She served on the Appropriations and Intelligence Committees, and was the ranking Democrat on the Intelligence Committee until her election as Minority Leader

Now should I allow myself to succumb to curiosity and download this pile of risks.

Andre Gironda August 16, 2016 3:28 PM

It’s more-likely that the data was stolen before 2013 and that the dates were modified to look like they were stolen around the time Snowden started talking to reporters.

Nicholas Weaver August 16, 2016 3:38 PM

A couple of interesting notes:

I’ll bet the other file is real and a threat: Do what we want or we dump the rest of this data.

There is a huge amount missing even if this was captured from a staging server: the obfuscators. The implants themselves are unobfuscated and unstripped. In installing them the attacker would need to modify them to remove such tells and obfuscate the code itself. No such tool appears present.

More so, many of the exploits only work from within an institution. EXTRABACON, for example, requires ssh and SNMP-read access to the firewall, so you first need to exploit the sysadmin’s computer and from there attack the firewall. So where is the code for that?

A good example of the quality is the EXTRABACON exploit, which is a reliable exploit for Cisco devices:
https://xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/

At the time it was a zero day, and it may STILL be a zero day?!?

Susan August 16, 2016 3:39 PM

To me this smells like a Snowden leak. It’s just a bit of too much coincidence that this leaked with his disappearance and those cryptic keys. Also it makes a lot of sense. He sure had all those files. The dates match. Russia might have forced him to release this material, who knows.

Nicholas Weaver August 16, 2016 3:41 PM

Also, the date is at least 2013: there are bits there, like version strings etc, that only existed in 2013 or late 2012 at most. If someone has a historical listing of MAC address allocations, the Firewall/BARGLEE/BARGLEE3100/Install/LP/maclist file could also confirm this; it’s a list of every ethernet MAC address and the company which owns it.

double cheese August 16, 2016 4:13 PM

An interesting aspect of the code (which has already been highlighted by previous leaks) is that most of the exploits have been designed as extremely simple to use point-and-click solutions. They include step by step instructions (and even echo useful cut-and-paste options!) for users to append to their commands in the terminal. Although there obviously must be plenty of talent in the NSA, clearly not all operators are regarded as the brightest of sparks or entrusted with any degree of autonomy.


“To me this smells like a Snowden leak.”
This couldn’t be further removed from a Snowden leak. Snowden acted on ideological grounds, putting his life at risk and making his identity known to reveal the gross abuse of a governmental institution that had gotten out of control, acting against the interests of its own people. This leak is anonymous, includes a trove of exploits with no significant socio-political context, is apparently attempting to profit from the sale of exfiltrated data, does not involve the press partners that have worked with Snowden in the past, and would only seem to benefit a country that currently bears a grudge towards the USA about cyber-attack attribution.

Grauhut August 16, 2016 4:51 PM

@Clive: Lots of popcorn, because of “it’s time”? 😉

Did you work with me? Have we talked since 2013? Please recontact me securely, or talk to @bartongellman. It's time. https://t.co/AKmgF5AIDJ    
— Edward Snowden (@Snowden) August 3, 2016 

Ross Snider August 16, 2016 5:19 PM

@Schneier

More interesting to me is Snowden’s speculation that the release is part of the escalation over the DNC hacks – a warning that further escalation on the US’s side will result in the disclosure of information implicating US intelligence in manipulating elections.

Of course such a disclosure would be nothing new, but as big breaking stories tend to unfold widespread public understanding of this could be a major ‘soft power’ blow to US legitimacy.

Grauhut August 16, 2016 5:19 PM

@double cheese: “Snowden acted on ideological grounds, putting his life at risk and making his identity known to reveal the gross abuse of a governmental institution that had gotten out of control, acting against the interests of its own people. This leak is anonymous, includes a trove of exploits with no significant socio-political context, is apparently attempting to profit from the sale of exfiltrated data”

What if Snowden just wanted to say #nevertrump+#neverhillary ?

Maybe he felt the Bern and hated to see him get f*cked… 😉

“Look, this how it feels to be sold. It’s time to pull the plug. They don’t get these tools. Time to burn them, no pasaran!”

Marcos Malo August 16, 2016 6:12 PM

I agree with others regarding the selling of the info: it’s a joke. They could have made that clearer by putting it on Kickstarter. I highly doubt they expect anyone to make a serious bid.

Jonathan Wilson August 16, 2016 6:35 PM

I do hope that any currently-unpatched exploits that are used by these pieces of malware get picked up on and fixed (assuming the programs they affect are still receiving security updates, that is).

65535 August 16, 2016 7:13 PM

If this is indeed a true hack of the NSA then the agency has grown fat, dumb and happy.

The NSA has not been fighting true nation state adversaries such as the Russian and Chinese hardened indigenous cyber weapons facilities. The NSA has been working with Facebook and other social media to identify soft targets including kiddy porn, vice drug busts, economic theft of trade secrets and so on [Not to mention spying on NATO allies].

I believe that it’s now time for the NSA to have true congressional oversight. Barring true congressional oversight, a 35% cut in the NSA’s budget would be the only thing to get its attention – and move resources from watching naked teen selfies to real “National Security” threats.

r August 16, 2016 7:36 PM

@Susan, CC: 65535

“To me this smells like a Snowden leak. It’s just a bit of too much coincidence that this leaked with his disappearance and those cryptic keys. Also it makes a lot of sense. He sure had all those files. The dates match. Russia might have forced him to release this material, who knows.”

What you’re saying would make the assertion they’re making about hacking the ‘NSA’ not a lie. I suppose they could’ve discovered a deadman’s switch (as was surmised about tweets prior) and figured out how to force the issue.

Snowden tweeting about on-goings now would give him deniability if someone else wrestled the mechanism from a resting state, that might explain why it was deleted – the whole “speculation of my demise” being untrue.

We all know he didn’t catalog everything he had taken possession of.

Winston Smith August 16, 2016 7:40 PM

@ross snider

“More interesting to me is Snowden’s speculation that the release is part of the escalation over the DNC hacks – a warning that further escalation on the US’s side will result in the disclosure of information implicating US intelligence in manipulating elections.”

The consequences and potential fallout of proof of IC manipulation of U.S. elections is simply salivating. May the truth prevail.


@double cheese

“To me this smells like a Snowden leak.”
This couldn’t be further removed from a Snowden leak. Snowden acted on ideological grounds, putting his life at risk and making his identity known to reveal the gross abuse of a governmental institution that had gotten out of control, acting against the interests of its own people. This leak is anonymous, includes a trove of exploits with no significant socio-political context, is apparently attempting to profit from the sale of exfiltrated data, does not involve the press partners that have worked with Snowden in the past, and would only seem to benefit a country that currently bears a grudge towards the USA about cyber-attack attribution.

Well said! Very well said, indeed.

Skeptical August 16, 2016 7:55 PM

I haven’t looked at the material of the dump itself, not that my views on it would be worth very much.

Nor do I have anything beyond a description of more plausible scenarios to add to the inevitable connection-to-Snowden question given aspects of timeframe.

Lots of plausible scenarios include no involvement by Snowden. Of course, a few plausible scenarios do – I mentioned a “two-track” approach being logical for Snowden, one involving the release of earlier materials that contained relatively little operational material (“relatively”) and then a covert track that involved the actual release of acutely harmful information. There are others. But at present, there’s really not much to say on the matter. Maybe, maybe not. I wouldn’t be inclined to bet unless given very good odds.

Regarding Snowden’s idea as a shot across the bow of the US in any significant way: Very unlikely.

There’s no signal here. This is the equivalent of a Russian jet doing a flyby of a Navy missile destroyer. The destroyer tolerates it, avoids an incident, and emerges without any significant differences in the estimate of enemy capabilities.

If anything, it would be a domestic signal: don’t be afraid of the NSA, the Russian Bear is more than a match.

I view this as an attempt to burnish Putin’s image as a strong leader, even as he lays the groundwork should the US utilize its cybercapabilities to respond in kind or, within the same domain, using different tactics to achieve the desired punishment.

It may be that Putin’s ego demanded a better show of strength after the clamor that arose in the United States.

Of course, it could also be a gift from the PRC to North Korea – and the PRC did, via Snowden, have access to various points of potential access to NSA servers, sensors, or implants within its territory. The North Koreans hate to lose face; perhaps this is their revenge for whatever might have happened to some of their projects post-Sony.

But to the United States Government? Unless this reveals a penetration of a nature that casts doubt on the rest of its network infrastructure and capabilities – which would be a rather brash thing to show – I don’t see how it changes much. This doesn’t alter the balance of power between any two states.

As to a Russian threat to show the US attempted to influence an election, this would be a clumsy way to deliver that threat. It would be more persuasive delivered in person, with sufficient evidence. And the Russian warning would be this: we didn’t cross the line, because you did the same to us, so if you take action beyond anything we did, then you are escalating things.

Or it could be as simple as their information ops people receiving a bag of goods to use to cast attention back towards the nefarious NSA and away from the cuddly CozyBear and FancyBear.

I’d say at this point – absent discovery of something of real significance in there that would alter the analysis – this is not a warning to the US but domestic politics and/or domestic face-recuperation, nothing more.

For all we know, frank talks between the Russian and US governments regarding the DNC document dump have already occurred and reached, one hopes, a resolution of the rules of the road on the matter of political campaigns.

supersaurus August 16, 2016 8:23 PM

my perverse-o-meter is pegged today: suppose it is some subtle scam run by the NSA itself? “help…help…just look at this awful hack perpetrated upon us…we need more money and power…”

Winston Smith August 16, 2016 8:30 PM

@Skeptical

I read your post. Did you ever consider that maybe this doesn’t involve Russia at all, but rather, in-fighting among U.S. TLAs?

65535 August 16, 2016 8:35 PM

@ supersaurus

“help…help…just look at this awful hack perpetrated upon us…we need more money and power…”

That’s my secondary thought in my post. The solution is no more money for the duplicitous spies at the NSA. In fact, a reduction of funds is in order.

Sorge August 16, 2016 8:39 PM

Sometime after the invasion of Iraq, the СВР РФ canceled the gentleman’s agreement on mutual forbearance for clandestine operations. They’ve since been doing intel not just to counter US covert action but to expose US criminality. This disclosure is consistent with that approach: these files are a smoking gun for state acts that are illegal in US municipal and conventional international law. That doesn’t mean the Russians did it. The SCO is now a de facto alliance and Eurasia has technical capacity coming out its ears. Eurasia is out to do what the Church and Pike committees tried and failed to do: get the US permanent government under control. They’ve got the support of the entire international community including unbought elements in the US satellites.

The international community understands that in the US rule of law has been superseded by a state of exception involving crimes against humanity and peace: legally, that means acting like the Nazis. The Russians lost 20 million lives that time so curbing US Nazi tricks is a vital interest of the Russian state. For that reason containing the US threat to peace ultimately falls to them. The world would much prefer suasion to the alternative.

Wael August 16, 2016 8:39 PM

It’s none of the above (and I read nothing above, so take it with a grain of salt.)

During the Cold War era, superpowers used to have proxy wars. You know, get some little countries to fight together and test the weapons. Now, Cold War over, Cyber space in…

It’s the start of direct cyber war! Can’t trust the little countries with those sort of weapons…. It’s evolution (not that I believe in it) in action. We’re heading towards a Taste of Armageddon, as @Dirk Praet will tell you!

May the source be with you…

Azalo August 17, 2016 12:18 AM

@Yoshii

There hasn’t been many proclamations of fact here other than the dump itself and the blogpost depicting EXTRABACON in action.

I miss the silliness and irreverence of the older hacker groups. Too many people are far too serious these days with the endless gender politics shaming. Can’t express ourselves without being demonized as childish or hateful in some manner. It sucks. Especially poisonous for creative communities of all stripes, including the hacker community.

Eliot Lear August 17, 2016 12:20 AM

Let’s call this release embarrassing, but I very much doubt that policy makers will take it into account when considering sanctions against Russia. No organization, not even the NSA, is entirely isolated. The NSA assuredly has multiple levels of security, depending on the sensitivity of the subject matter. We all knew that such code existed. I would expect them to have done a better job at firewalling the crown jewels, such as communications within foreign administrations.

A smaller release of more sensitive information would have sent a stronger message, and that such a release didn’t happen leads me to believe they didn’t get very far in. And even if they did, the idea that a policy maker would be blackmailed about information that wasn’t personally about them doesn’t really ring true.

ianf August 17, 2016 12:51 AM

@ Susan: […] Russia might have forced him to release this material, who knows.

Whatever that leak was (and I’m not about to get into it & deliver YA IMO EMO about it), it was NOT as you say “forced out” of Ed Snowden. The day that the Russians force anything out of him is the day when he has started “helping the authorities with their enquiries.” We’d hear about it from his trusted contacts—and they are legion—in the West, and the whole blogosphere would be abuzz. Neither that, nor its illegitimate offspring Twitterverse is abuzz over THAT now. Besides, his mere presence there (thanks to Comey & Obama) is an asset for the Tsarist Rodina Reborn, or the Russian Federation as they insist on calling it outward. So quit spreading shallow conjectures that are nothing but your own prejudices, or you don’t know what. Or, if you ABSOLUTELY must, go for the innermost, hitherto heavily guarded secrets of your preteen-to-late-adolescence that we all know you have, and would benefit from unburdening them here. There.

    [OT Assuming Susan is your real name, did you know that real-life sisters Nancy and Jessica (Decca) Mitford wrote letters to one another addressing each other as “Susan?” Nobody knows why, but one biographer’s theory is that they’ve seen a film in the 30s, where some actress was so emphatically addressed, and both then took it up to remind themselves of the giggles they got out of it. Think about it instead, real life Susan!]

What happened Wael, did you eat a whole can of sardines for breakfast, complete with their heads? Acc. to old Jewish folk wisdom, that’s where phosphorus gathers, which raises the recipient’s IQ (and look at the roster of science Nobel laureates now from that perspective!)

PS. try Atlantic wild haddock next, apparently most trace P per unit of weight, but tell the fishmonger to LET THE HEAD BE, otherwise what would be the point besides strictly culinary ones.

Wael August 17, 2016 1:01 AM

@ianf,

My favorite fish is Red Snapper. Plaice, if I happen to be in the UK.

Are you in or out, on the other thing & JJ?

P/K August 17, 2016 2:40 AM

This new leak got a lot of attention in the US, but what people in the US probably haven’t noticed is that over the past few years, several similar very embarrassing NSA documents were leaked in Europe, for example NSA tasking lists of French and German government officials and reports about eavesdropping on European heads of state (listed here: http://electrospaces.blogspot.com/2015/12/leaked-documents-that-were-not.html ).

These documents were also not attributed to Snowden, so they seem very similar to what has happened now with the Shadow Brokers leak. We don’t know whether they all come from one source (not being Snowden), or who is behind them, but it is worth considering that this latest leak is just one of a series.

Couldn'tPossiblyComment August 17, 2016 3:25 AM

I find it intriguing that we’re so quick as a group to attribute government behaviour to this. Has this very blog not been quick to point out in the past that we’re in an era of large corporations, capable individual actors, and big money in lots of other arenas outside that of governments?

The Soros leaks indicate that there are likely a number of large well-funded groups who seek to enact major change, topple governments, and the like. I’m just saying it’s best to avoid the guesswork unless attribution really can be made. It doesn’t make the Russia/China assertion incorrect – just that if there’s a space where almost anyone could act, it’s the Internet, no?

The timing does appear to be political/diplomatic. It’s another very inconvenient leak at a very inconvenient time. It’s easy to assume that politics is the realm of the government, but it does not have to be.

balaganski August 17, 2016 4:42 AM

Can anyone please explain “like I’m five”, why is everybody talking about governments here? What kind of evidence is there that could attribute this action to any government at all?

tyr August 17, 2016 4:43 AM

Well, Rus TV today says that Russians are moving onto an Iranian airbase and the Chinese are going to back the Assad government with aid.

So this may be a diversionary ploy (à la OJ trial) to keep the media busy so they don’t notice that Hinton’s curse is coming back to haunt the geniuses.

@ Clive

+1

Clive Robinson August 17, 2016 4:46 AM

@ Wael,

Plaice, if I happen to be in the UK

Ahh, flat fish… Do you know that flatfish (Soleidae) start as ordinary fish when hatched (larvae), and become flat later in life?

What happens with the “Dover Sole” is the left side of the fish goes down as the left eye migrates to the right side which becomes the top.

Most flatfish are edible and have a delicate “buttery” flavour; however, care is needed in cooking as it’s easy to overcook, thus they are often “oven cooked” as a “parcel” of some kind.

One problem with some flatfish is they become intermediary hosts for seal lung worm (they are red, about half a mm in diameter). Before cooking, the worm cyst can be spotted in the fillet by holding it up to a light, as the fish flesh is translucent and the worm is not. And before anybody asks, no, I have no idea if the worms can affect humans that eat the fish raw.

Jessica B August 17, 2016 5:06 AM

@ Clive R

“start as ordinary fish when hatched (larvae), and become flat later in life?”

reminds me of a key member of this comments section!
not you of course!

Tying in with secret messages in plain text shared in public as our friend Snowden has done on twitter recently, and discussed in Friday Squid.
I was waiting for someone to make reference to the film A Beautiful Mind which is a nice example of taking that to the logical end point of seeing messages in everything and going mad.
Quite tragic really.
As Mark Twain said, give a man a hammer and everything starts looking like a nail. We can use that argument for attribution to political ends, hyperbole speculate

Wael August 17, 2016 5:14 AM

@Clive Robinson,

Do you know that flatfish (Soleidae) start

I think I do! Do you know that the fish got split in half too? See the footnote. Lol

Before cooking the worm cyst can be spotted in the fillet by holding it up to a light,

Holy Sh*t! Do you remember I said that you’ll never be on the list? You can forget it now! 🙂

CallMeLateForSupper August 17, 2016 6:48 AM

I like the last three (as of 17 AUG) of Snowden’s tweets:

Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution – it’s cheap and easy. So? So…

The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.

You’re welcome, @NSAGov. Lots of love.

I think “love and kisses” would have been so much warmer. ;-}

fajensen August 17, 2016 6:50 AM

@Clive Robinson … then we are going to need a really comfortable sofa and a large supply of Cool-Aid and Coors along with a big supply of pizza and popcorn 😉
Remember to also stock up on dried foodstuff, kerosene, warm blankets and maybe some solar cells or a small generator for when the power goes out, and in case some of those “Dumb AI” logistics centres lose their collective memory over which goods are stored where for whom.

Maybe a dome-type tent for the living room to keep warm and comfy in too :p.

CallMeLateForSupper August 17, 2016 7:29 AM

@Clive

“[…] we are going to need a really comfortable sofa and a large supply of Cool-Aid and Coors along with a big supply of pizza and popcorn.”

Maybe we can trade: I’ll put up five cases of Coors if you’ll put up one case of Bass Ale.
I’d defer to the pizza and popcorn of your choice though.

Skeptical August 17, 2016 7:39 AM

Tit-for-Tat and Russian Mirror-Imaging

This could also be viewed as a bit of tit-for-tat, with respect to the unveiling of the FSB and GRU operations against the DNC. Following the very public arrest of several SVR deep non-official cover officers in the US, one might remember that Russia made a very public arrest of a CIA officer in Moscow, complete with photographs of that officer being “physically secured for his own safety” and being somewhat ignominiously relieved of a wig.

Such a thesis would also fit a theory that the Russian agencies involved viewed the DNC penetration as “the usual game”. Public exposure of such operations also form part of that game, from time to time, or so it seems anyway, and of course, so does the usual in-kind reprisal from the other side.

Although the FSB/GRU operations were revealed by a private US company, I would guess that Russian analysts are prone to reading such actions as directed by the US Government, as in their own country they might find it impossible to believe anyone could release such information without the permission or at the direction of the relevant authorities/powers. So, it’s plausible they viewed the public exposure of the FSB/GRU ops as deliberate on the part of the US Government; the allowed spread of samples of their tools to various US friendly cybersecurity companies as deliberate; and this is a reprisal, an effort to maintain a level engagement with the adversary and thus not lose the initiative.

Moreover, this thesis fits well with the apparent time-stamps on the material, which seem almost designed to foster debate about whether Snowden was or was not involved. Since Snowden is viewed as an embarrassment to the US Intelligence Community, such an effect would magnify the desired effects of public exposure here as reprisal.

What Is Troubling

If the foregoing is true, then this might indicate a lack of understanding by key actors within Russia of what the United States found unusually problematic: not the espionage itself, which was likely viewed as an opportunity by the Americans for counterintelligence (one might also ask whether the Russians, being well aware of that, might have used the putative intelligence gathering on the DNC as misdirection for another purpose, such as assessing US counterintelligence or attempting penetration of a different target).

Of course, it may also be to Russia’s advantage to foster an impression that they do not understand and perhaps avoid reprisals for the information operation by undertaking actions that favor a thesis that the Russians view this as business as usual. In turn this permits the Americans, in their role as the more enlightened party, to avoid instigating a cycle of escalating reprisals on the basis of what they can see to be a cultural misunderstanding.

What May Not Be Troubling

The Russians are not monolithic, and while this may be tit-for-tat by a particular Russian intelligence agency, it may not be indicative of a lack of understanding by other key actors in the Russian Government.

Where Plans By Committee Come Together

Then again, a confluence of motives might explain the action. Russian intelligence agencies may approve of the tit-for-tat nature of the exposure. Russian information operations may view this as another move in an ongoing campaign to sow doubt and confusion about US Intelligence capabilities and thereby blunt full US exploitation of a US strength. Russian diplomats and other figures may view this as buttressing the narrative that they simply viewed prior actions as normal conduct.

And there might be the hope that this could influence the mind of a deliberative, risk-averse US President, lowering his confidence level that certain options likely to be presented to him are likely to be effective, hindering his ability to predict the consequences of certain reprisal actions for the DNC leaks.

Then Again…

It’s plausible that actors other than the Russians are responsible, which is an assumption upon which all of the foregoing rests.

But nothing here alters the calculus of how the US should respond to Russian attempts to influence the US Presidential election. The only question for the United States is how their response best fits a larger strategy.

President Obama said at one point that he does not need a George Kennan. I never entirely bought the line, seeing the obvious contours of grand strategy in his foreign policy approach, but I would imagine his view on the most prudent course of action vis-a-vis Russia has modified substantially: still pragmatic, but understanding the limits imposed on Russia’s ability to cooperate in what most view as their own self interest.

Skeptical August 17, 2016 7:44 AM

Although…

Did Snowden’s encrypted tweet precede the leak by a period of time? I haven’t seen the tweet, nor read anything about it other than a brief mention of its existence. But if it in fact occurred, and if the occurrence was rare, and if it occurred relatively shortly before this leak, then that’s yet another data point to consider.

Mohamed Asker August 17, 2016 8:41 AM

I am so relieved this is starting to finally come out. What I mean by that is what’s really going on: invasion of privacy, and me being a targeted individual for 3 years now. I don’t even remember what having privacy feels like anymore, but I hope this doesn’t happen to anyone else in future, and all the clues point to these agencies. God bless this country and may God forgive those who are running this underground secret police.

Tatütata August 17, 2016 9:11 AM

I’m not sure about the real identity and motives of the disclosers.

I note this:

The 2014 military operation in Crimea came on the heels of the Sochi games.

Now that the circus in Rio is winding up, there is an accumulation of Russian troops and equipment on the border with Ukraine. Much is made of the fact that the heavy equipment is marked with a stencil showing “H-2200”, which is an oversize indication destined for the Russian railways. This is taken as proof that the staging is real and intentional, and decided by the Kremlin, since the materiel had to be marshalled from a distance.

A coincidence?

Could this be the sign of a concerted effort? If yes, expect a surge in the output of the Great Russian Troll factory (RT, comment mills, etc.)

BTW, how equipped are the TLAs to deal with their old foes? Did they see any of this coming?

The Chessmaster Speaks August 17, 2016 10:46 AM

You might think the Russians made fools of Fort Meade because they’re getting too big for their britches. You are wrong. There are wheels within wheels. Follow, if you dare, into Skeptical’s shadow world of fantasy spycraft.

With his wonted sceptical scepticism Skeptical parrots the ‘Russia did it’ DNC cargo cult. But then Skeptical thinks Anna Chapman, Kuschenko’s kid from ‘Fake Street,’ with her laminal denti-alveolars and tits-on-a-stick, is a deep cover mole instead of a celebrity backchannel.

Take this level of helpless noob ignorance, slather on hours of obsessive mental masturbation vaguely suggesting innumerate pop-sci game theory, and you have… fanfare the guy who daydreams of being Obama’s Kennan.

But wait, think about it, it makes sense! Obama wouldn’t know what to do with a real Kennan, who concluded that the USA should be broken up for the good of the world. Obama is dumb as a bag of hammers – his mom sent him to Columbia for intensive coddling when he washed out of Occidental, then it took Alwaleed bin Talal’s bucks to grease him into Harvard. Obama really only rates a skeptical.

Now back to the warez.

Derek August 17, 2016 11:13 AM

@ Max, “‘The equation group’ is the name used by Kaspersky. Not saying that Kaspersky is the leaker, but it’s possible that this didn’t come directly from the Russian government. Maybe it’s a leak of a leak of a leak. Stuff gets around.”

that name is kinda funny if you think about it. it’s like calling other people “spelling bee champions”.

Dave August 17, 2016 11:17 AM

The Russians also went into Georgia in the middle of the Beijing Games!

Putin’s MO is wait till everyone is looking the other way then pounce.

There is a lot of troubling evidence that Putin has plans to challenge Nato, probably on multiple fronts. He is also gaining influence selling advanced arms to client states worldwide and expanding his intelligence networks/partnerships.

Quotes:

Garry Kasparov (Russian politician/activist): “The language of strength is all Putin understands”

Leon Panetta (Defense Secretary): “Russia, Putin Respect Strength, Not Weakness”

Bob Menendez (Committee on Foreign Relations): “Putin ‘only understands strength’”

This isn’t even about Putin it’s really how Russia has always viewed the West dating back to Stalin and pre cold war days! When we show weakness they test limits.

“Appeasing the aggressor only makes him more aggressive” (13 Days)

But just look at some of the things Russia has been doing.

https://www.theguardian.com/world/2014/jul/16/russia-reopening-spy-base-cuba-us-relations-sour

http://www.dailymail.co.uk/news/article-3656494/Is-Moscow-preparing-new-Cold-War-Russia-agrees-build-spy-base-Nicaragua-prepares-deploy-missiles-Polish-border.html

http://www.businessinsider.com/map-europe-divided-nato-russia-2016-7

http://www.nytimes.com/interactive/2015/12/24/world/asia/russia-arming.html?_r=0

http://www.cnn.com/2016/06/13/politics/nato-battalions-poland-baltics-russia/

http://www.nytimes.com/2016/07/01/world/europe/russia-fires-dozens-of-military-officers-in-baltic-region.html

http://time.com/4280169/russia-nuclear-security-summit/

Derek August 17, 2016 11:23 AM

@ Jessica B, “As Mark Twain said, give a man a hammer and everything starts looking like a nail. We can use that argument for attribution to political ends, hyperbole speculate”

It’s interesting how quickly everything is attributed to Russia in recent months, which is in stark contrast to two years past when almost all deeds were quickly attributed to Pacific Rim. Snowden seems to think foreign policy has the say.

Derek August 17, 2016 11:33 AM

@ Winston Smith, “I read your post. Did you ever consider that maybe this doesn’t involve Russia at all, but rather, in-fighting among U.S. TLAs?”

The auction, the English, the release and the whole act itself, everything seems too deliberate. It’s gotta be another whistleblower. I suspect Snowden knows this.

TheShadowBroker August 17, 2016 12:01 PM

for bid Send Btc at this address and Enter your e-mail address in comment : 1DVm58QvyRksyRtzHvbo6UyEt4fZYMWXFQ

tracpot August 17, 2016 12:22 PM

When I unpacked the free files – the 300 meg tarball, after I’d seen the scripts posted on Cryptome and wanted to see the binaries they refer to – one thing that I thought was interesting is that the Egregious Blunder exploit,

Firewall\EXPLOITS\EGBL\egregiousblunder_3.0.0.1

triggered the Microsoft anti-malware engine, which classified it as a variant of the Linux slapper worm.

That’s the only binary I see triggering detection so far.

Clive Robinson August 17, 2016 12:24 PM

@ Fajensen,

Maybe a dome-type tent for the living room to keep warm and comfy in too :p.

Mad as it may seem, I can tick all the equipment boxes (I still do ham expeditions to hills and mountains). Also the food, as due to being in and out of hospital rather too much for anyone’s liking, I have no idea when I’m going to be laid up at home for three or more weeks.

However the most important thing that will kill most people rather quickly is loss of water supply…

Few realise just how much water they use a day. Did you know many people waste more water cleaning their teeth than they drink in a day? Then there is the 9lt of water you use every time you flush, most people do that six times a day. Oh and the 50-90lt for a shower or 120-250lt for a bath…

At a minimum of 120lt a day that’s a 1/8th of a tonne, or about the same weight as a grown adult male, which is a lot to carry every day.

Anyone who goes camping on a regular basis knows that humping a five gallon container of water even a few hundred meters is not something you want to be doing every day.

With care and a little thought you can cut down your daily water usage to a little under 10lt. However, you still have the problem of sterilising it… One way is to boil it, which needs about 1KW/hour.

A few years ago I did some experiments using a wood burning stove with a water jacket heater on the flue and feeding the flue gases through a filter scrubber/cooler into a three Kw petrol generator. Surprisingly, you don’t need that much dry fire wood. Your main loss of energy from the wood is the tars that end up in the scrubber. However, if you know your chemistry you will realise that those tars are of much more use for things other than burning. I worked out I would need about four cubic meters of wood for the winter and about two for summer. With better battery technology (which Elon Musk is working on) and more efficient LED lighting that will come down by around 10%. The problem is of course “growing the fuel”, for which “coppicing” is the most efficient and a lot, lot safer than logging.

I won’t go into “dry toilets”, some have delicate stomachs, but mixed with foliage and vegetable waste it will compost down with sufficient heat to kill the bulk of harmful bugs, so it’s safe to use to fertilize food crops. You can also use certain types of digester first to extract further fuel gases…

With luck you will get enough rain water from your roof in temperate zones for your annual needs. You can then use the “waste water” from showering etc. to turn into “grey water” you can use for irrigation.

xyz223425 August 17, 2016 12:46 PM

These are Russians.

For months there has been a “hacker group” that e.g. hacks into Medvedev’s phones and puts the data partially on the internet, and partially sells it in auctions: https://b0ltai.org/

Among their hacking targets are not only private photos that Medvedev makes from his helicopter, but they also hacked the development department of the Russian defense ministry: https://b0ltai.org/2015/08/

and then they wrote that they sell this stuff (containing details up to the thickness of the walls and the quality of the concrete at Crimean military facilities or data about their missiles) online. The “group” said that they would give the Russian FSB a discount….. The nature of their data shows that this is the NSA. And the reason for this leak was also clear: It was probably their method to say: “We know everything about you, even the thickness of the walls of your facilities, and we could have, if we had wanted, used this to bomb you at any time. So there is no real threat to Russia from the US, otherwise we would have attacked long ago”. Additionally, they wanted to clean corruption a bit…

After their DNC hack, the US discussed whether to impose additional sanctions on Russia.

Now the Russian government hacks the NSA back, and in revenge sells NSA’s tools online…..

The dates of the files are such as if they wanted to say: “We know what you do since a long time and we have more…”

They are behaving like children in a sandpit…

The amount money they want also shows that they are desperately in need for cash…

They should put all this stuff online instead….

This software entirely belongs to public domain. Especially the parts that contain exploits…

In the end, activities like this will have to be UN regulated some day. There will always be a need to hack people that are in a different country.
But this should then be somehow controlled, like a police search warrant for example. What they do is in fact not much else than a foreign state organisation sweeping through your office. Domestically, states have regulations when such things can be done. One needs this to be regulated internationally.

Gerard van Vooren August 17, 2016 12:53 PM

@ Skeptical,

“Did Snowden’s encrypted tweet precede the leak by a period of time”

AFAIK you are the first who came up with the Snowden “hash” tweet. That tweet has been bothering me a bit. The hash must be about something but only Snowden and his cabal know exactly what it’s about. Then again, if the hash was about unlocking this particular secret, the NSA would jump right on it and this time they would show the actual facts instead of the “facts” they have been spreading around to “prove” their points, assuming the NSA has the blob that Snowden copied. Which makes me skeptical to the assumption that Snowden could be behind this leak. But I still wonder what the hash is all about.

werfgmkui August 17, 2016 12:56 PM

@tracpot:”Linux slapper worm”

Then they are really irresponsible. This thing was discovered in eastern Europe, is similar to an Apache virus, and replicates itself on private PCs. That is not really an application for intruding into a single target PC.

So they really want to target as many home users as they can get…

Feezing_in_Brazil August 17, 2016 1:25 PM

@Sorge

The Russians lost 20 million lives that time so curbing US Nazi tricks is a vital interest of the Russian state.

Well, on a not-so-minor nitpick, the Ruskis lost more than that number of lives to Stalin. Don’t forget that.

NSA Noob August 17, 2016 1:35 PM

Is there an glossary of NSA terms? I was looking through scripts in the /scripts folder and I had trouble fully understanding them. In part this is because they sometimes reference programs that were not part of this release but in part it is because there is jargon and abbreviations I don’t comprehend. For example, what does “OP” mean…it doesn’t mean “original post” so does it mean “operation” or something else? What about “pix” is that pictures or some other meaning in this context?

Those scripts are in English but I need a translator…

Wael August 17, 2016 1:35 PM

@keiner,

120 kg? A “grown adult male”? Only in the USA… 😀

Hop in on the “Sh*t” list. I have an open slot! How could you say that? Units are wrong, country is wrong? goddamn, say something that makes sense, dude! This is so much unlike you 🙂

Bystander August 17, 2016 1:39 PM

There has been a lot of talk about whodunnit, motivation, the usual cabal and other things.

I am curious on these things that might (and will) happen now – if they find a buyer or not – as the apparently usable toolkit to attack Cisco routers is now in the wild.

Someone might use it for his own purpose – not necessarily spying.
This could be an individual or an organization.

Will there be a fix/patch to harden firewalls/routers against this and who will publish it?

How will the NSA handle this?
The mission to protect the US should not be forgotten, on the other hand a tool would be lost (but also for enemies who might be/are using it right now).

Sorge August 17, 2016 2:05 PM

(1) Indeed @Freezing, my friend, I shall always remember your totally irrelevant nitpick, although I have no idea what your point could possibly be in emitting this random brain fart that has nothing to do with anything. (On the other hand, you, Freezing, must also not forget that Latvian women have sex more than twice a week!)

(2) Your totally irrelevant nitpick happens also to be full of shit. The toll is 2-3M in the gulags + 1M in the terrors + 5M in the famine/kulak liquidation: <9M.

Clive Robinson August 17, 2016 2:06 PM

@ Columbu,

What are the odds somebody else just happened to pick that number? Zero.

Err no, it’s 50:50 as to whether you use one number or its inverse mod the field size.

You should look up two’s complement,

https://en.wikipedia.org/wiki/Two's_complement

It’s not really evidence; many assembler-level programmers store the additive inverse if subtracting a constant, as on some CPUs “add” is one or two clock cycles faster than “sub”.
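The point made above, that a constant may just as well show up in code as its additive inverse, as an added example that is not part of the original comment or of the dump: a small Python scanner that looks for a 32-bit constant and its two's complement negation in both byte orders. The blob and offsets are constructed for this example; the planted value is the DECAFBAD constant mentioned later in the thread.

```python
"""Added example (not from the blog post or any commenter): find a 32-bit
constant in a binary blob in either sign and either byte order.

An assembler-level programmer who wants `x - C` may store the additive
inverse of C (its two's complement negation mod 2**32) and emit an `add`
instead of a `sub`, so a known magic constant should be searched for in
both forms. The sample blob below is constructed for this example.
"""
import struct

MASK32 = 0xFFFFFFFF


def additive_inverse32(c: int) -> int:
    """Two's complement negation of c modulo 2**32."""
    return (-c) & MASK32


def sub_via_add(x: int, c: int) -> int:
    """x - c computed as x + (-c mod 2**32), truncated to 32 bits.
    This is the trick the comment describes: an add that performs a subtract."""
    return (x + additive_inverse32(c)) & MASK32


def find_constant_forms(blob: bytes, c: int) -> list:
    """Return (offset, form, byte_order) for every position where the constant c
    or its additive inverse appears as a 32-bit word, little or big endian."""
    hits = []
    forms = {"value": c & MASK32, "inverse": additive_inverse32(c)}
    for form_name, value in forms.items():
        for order_name, fmt in (("little", "<I"), ("big", ">I")):
            needle = struct.pack(fmt, value)
            start = 0
            while True:
                idx = blob.find(needle, start)
                if idx < 0:
                    break
                hits.append((idx, form_name, order_name))
                start = idx + 1
    return sorted(hits)


# Constructed sample: the constant planted big-endian at offset 4 and its
# additive inverse planted little-endian at offset 12, with filler around them.
CONSTANT = 0xDECAFBAD  # value a commenter reports seeing in the dump
SAMPLE_BLOB = (
    b"\x00\x00\x00\x00"
    + struct.pack(">I", CONSTANT)
    + b"\x90\x90\x90\x90"
    + struct.pack("<I", additive_inverse32(CONSTANT))
    + b"\xff\xff\xff\xff"
)

if __name__ == "__main__":
    print(f"additive inverse of {CONSTANT:#x} is {additive_inverse32(CONSTANT):#x}")
    for off, form, order in find_constant_forms(SAMPLE_BLOB, CONSTANT):
        print(f"offset {off:#06x}: {form} ({order}-endian)")
```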

Alex Mora August 17, 2016 2:19 PM

Since I can’t see any sound method of attribution for the people that obtained or leaked this ATM, I am thinking about the implications of the leak for the NSA.

Regardless of who the leakers are, the NSA will be feeling the ripples from this.

They have aired a chunk of the NSA’s attack catalog, and from initial replies here at least some of the payload is legit (Thx Nicholas Weaver), passes a security scan (Thx tracpot), and some methods are at least unpatched if not zero days. Kudos to those who provided early feedback that are sandboxing this stuff.

While the powers that be will have gained new tools since 2013, the exploits from this will have been in use for some time, probably before and after 2013. This may have left an identifiable trail in old log data that will allow people to connect the dots. That can expose the US Gov. to attribution for actions over the last few years. This will probably lead to some red faced diplomats in China, but they know the US has been trying to hack their pants off for years. Since they have raided us for things up to and including F-35 schematics, I don’t think it will change much on that front. I suspect that more damage will come from targets in allied and neutral countries.

Winter August 17, 2016 2:35 PM

@Clive
“You can then use the “waste water” from showering etc to turn into “grey water” you can use for irrigation.”

Showering? Using a damp cloth once a week is enough if the alternative is dehydration.

A human needs about 2 liters of water a day in temperate zones to survive and enough rain to grow food. All the rest is luxury.

Clive Robinson August 17, 2016 2:41 PM

@ keiner,

Only in the USA… 😀

Shhhsh, they might realise that XXL is not a child’s size.

@ Wael,

Units are wrong, country is wrong? goddamn, say something that makes sense, dude!

Well 120 kg is ~265 lb or 530 small –by US portion sizes– steaks. Does that make more sense?

Oh and as for lists, I did not know you had one, you don’t strike me as a Nixon type unlike that 😉

Wael August 17, 2016 2:55 PM

@Clive Robinson, @keiner,

But you said 120 liters and @keiner said 120 kg — units don’t match, material doesn’t match. Then I saw this:

about the same weight as a grown adult male, which is a lot to carry every day.

How I missed it, I don’t know! @keiner, get off the list, my bad. Now I get the humor.

I don’t really have a list, and if I do, it doesn’t last too long. I don’t hold a grudge, either here or in the real world.

Clive Robinson August 17, 2016 3:02 PM

@ werfgmkui,

That is not really an application for intruding into a single target PC.

Ever hear of “fire and forget targeting”?

If you don’t know where the target is, but you know how to recognise it, then you go down the Fire and Forget route.

To this end your malware has three parts,

1, Replicator.
2, Seeker / Recogniser.
3, Payload.

As with most malware the replicator “reaches out” in all directions. But unlike most malware that drops the payload, the seeker / recogniser makes a choice of carry on replicating or drop the payload. Unless it drops the payload it clears up behind itself. Eventually it will either find the target or die out. Stuxnet and other variants showed some or all of these capabilities.

Columbu August 17, 2016 3:23 PM

@Clive, yes, as you imply, this particular constant is in practice how it’s done, traditionally, in the unclassified code that people have seen. But users with substantial resources can rethink all sorts of things – especially when they recall the tainted Dual EC Ps & Qs. For them there are lots of 32-bit integers. There are lots of binary expansions of irrational numbers.

tracpot August 17, 2016 4:37 PM

@werfgmkui

Detected as a variant of slapper != slapper. What was interesting to me was that of all the tools only one triggers detection. I hope the detection will improve on these – they’re clearly unknown tools at this point.

Slapper was a Linux-only worm to begin with, no longer relevant to current releases. What’s interesting is that it looks as if the Fortigate products may have remained vulnerable for some years after the vuln was patched in most production systems. That’s the danger of relying on a vendor to address the codebase in a product. It applies to Juniper and Cisco as well – the Juniper Netscreen universal password and IPSEC vulnerabilities disclosed last December reek of TLA insertion.

From the contents of the folder and instructions it looks as if EGBL was intended to be directed toward one firewall at a time. None of what I’m seeing is directed toward PCs at this point. It’s intended to pop network security appliances that are in use at governments and businesses.

I hope the auction bit is released soon as well. It will be interesting to see if the stuff that we still can’t see is similar in date or newer, and thus targeting current in-production gear.

HumanoidAlert August 17, 2016 5:00 PM

SoS comments section best on the Internet!

Disinfo specialists (paid)
Disinfo specialists (volunteer)
Retiree bloviators (out of touch for a decade or more)
Paranoid schizophrenics
Actual knowledgeable people with something to say

But how to figure out who is what?

No matter, the entertainment is well worth the time spent reading!

Dirk Praet August 17, 2016 7:30 PM

@ Wael

We’re heading towards a Taste of Armageddon, as @Dirk Praet will tell you!

We’re not quite there yet. This is more like a new Spy vs. Spy episode from Mad Magazine. I’m going with Ockham instead of evil Russians hacking the NSA, i.e. yet another insider who walked off with a flash drive full of data a couple of years ago and has at some point sold it off to some 3rd party that has an axe to grind with the NSA. Why would the FSB/GRU possibly waste a stash of perfectly good zero days just to p*ss off some folks in Fort Meade? Surely there are cheaper and more efficient ways to do so.

yup August 17, 2016 7:54 PM

@Daniel, @Dirk Praet

Vendor response will be the place to look for signals leaking out over the noise of this whole mess

Joe K August 17, 2016 8:13 PM

@NSA noob, again: “Is there an glossary of NSA terms? I was looking through scripts in the /scripts folder and I had trouble fully understanding them. In part this is because they sometimes reference programs that were not part of this release[…]”

The following list could be useful, too:

https://musalbas.com/2016/08/16/equation-group-firewall-operations-catalogue.html

From that page: “This post aims to be a comprehensive list of all the tools contained or referenced in the dump.”

@attribution speculators, for whatever it might be worth:

https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/#vulnsattribbitcoins

In the rapidly evolving face of American politics, with several political leaks at play, the notion of a new breach or leak stealing news cycles is certainly feasible. Either to bury a previous story, or to add more weight to a string of stories that may embarrass a political party.

As for what particular story the source of the Equation Group material might be seeking to bury, the authors of the above piece apparently have a particular leak-event in mind. But it seems to me that the one they favor (Soros/Open Society Foundation) is far from the only conceivable target for burial.

r August 17, 2016 8:14 PM

@Dirk,

I don’t know, #1 to distract – maybe you’re right that it would galvanize a response, so it might be self-defeating for Russia. Also maybe to let them know they’ve got more. I can’t see the NSA operating with anything less than 2 specific exploits per platform in case one gets burnt.

LAUGHINGSTOCK August 17, 2016 9:36 PM

Thanks much for these links and concomitant drollery.

from https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/#vulnsattribbitcoins

  • Some world-class gaslighting, needling NSA’s insider-threat paranoia
  • Remember all the disembodied internet voices yelling RESISTANCE IS FUTILE! NSA IS ALL-POWERFUL! Well, “These exploits would only be valuable against a remote target over the Internet if the firewall was severely misconfigured, making the vulnerable services Internet addressable. While certainly valuable, the initial impression that these exploits were for remotely compromising firewalls is now drastically overstated.”
  • Hey, Comey, you mackerel-snapping fanatic, whaddaya know, those front doors you wanted, Here ya go! Happy now?

from https://www.cs.uic.edu/~s/musings/equation-group/

-Blowing more big holes in NSA’s mystique. Not just legally and morally but even technically they are klowns. Defund them, and mob and raze Fort Meade.

Boop August 17, 2016 10:06 PM

@LAUGHINGSTOCK

The NSA does have a legit job to do, and there’s nothing particularly sinister about these tools. I get having severe hatred of the practice of mass surveillance the agency pioneered and perpetuates, but that doesn’t mean the NSA doesn’t have a legit job to do.

Wael August 17, 2016 10:07 PM

@Dirk Praet,

I’m going with Ockham

I’ve gone with him a few times. Rarely disappointed me.

We’re not quite there yet.

And when we’re there, there’ll be those who tamper with the machines.

gordo August 17, 2016 10:22 PM

Some anagrams:

  • Sauron as ‘Our NSA’
  • Strider as ‘Red Stir’
  • Mordor as ‘Mr Door’

The Eye of Sauron Is the Modern Surveillance State
Tolkien, not Orwell, understood today’s spying best.
By David Rosen and Aaron Santesso | Slate.com | 2013-07-17

  1. All-Seeing Is Not All-Knowing
  2. The Enemy Controls the Plot
  3. The Louder the Noise, the Fainter the Signal

http://www.slate.com/articles/news_and_politics/jurisprudence/2013/07/tolkien_v_orwell_who_understood_modern_surveillance_best.html

Andrew August 17, 2016 10:34 PM

No one mentioned the most important thing here.

Looks like some bad guys have profited from NSA backdoors and zero days all this time. They have exposed us all.
Another proof that backdoors should not exist.

r August 18, 2016 1:28 AM

Since my paranoid delusions lead me to squawk like a lost carrier, I’m going to drop one more theory:

COVER.

keiner August 18, 2016 1:35 AM

@Dirk Praet

But Mr. Snowden’s analysis of the issue is not so tech-fixated, more on the political context of the Dem party hacks, their attribution to Russia, as a nice try to influence US elections. Would be perfect to counter this by Russia with some leaks on the influence of the USA on elections in, let’s say, Germany? Or the UK? In 2017 there are elections in Germany, btw., so perfect timing to deliver such a story, bit by bit, over the next months. 😀

Clive Robinson August 18, 2016 2:08 AM

@ r,

I can’t see the NSA operating with anything less than 2 specific exploits per platform in case one gets burnt.

I suspect they don’t put more than one exploit on a machine at any time, for several reasons.

It would appear from one analysis that the quality of the code analysed is low, and contains at least one memory leak… Which means at some point it will run out of memory and thus will call attention to the fact that something has changed.

Likewise if exfiltrating data the change in traffic might well raise red flags with sysadmins.

The point is that they would expect the machine to become suspect at some point. At which point the machine might well get chucked out, have an OS etc upgrade or worst of all get examined in some way that will result in the exploit code getting known.

What I would expect those experienced in covert APT to do is exploit another machine in the vicinity of the first machine so that they have close if not direct access to re-exploit the first machine at a later point in time. Think of it like playing a game of chess, you have to think a couple of moves ahead to be even a mediocre player.

Now the real question is are the NSA / TAO / Equation group, actually as good as mediocre play?

If you look at the hierarchy, I know the NSA are good at some things, however nothing in the TAO catalogue impressed me. As I indicated at the time it left me underwhelmed with the feeling they were third raters at best, living off other people’s work some decades old. From what some are saying the Equation group don’t even make it to third rate…

That is they are a bunch of script kiddies clothing themselves in others’ “hand-me-downs” and like the fabled Emperor of old “parading around in their underwear” under the illusion they have the finest of suits.

Thus the real question is “Where do the hand-me-downs come from?”.

Clive Robinson August 18, 2016 2:16 AM

@ Wael,

I’ve gone with him a few times. Rarely disappointed me.

That nearly caused me to spray the room with tea… Perhaps you want to rephrase that B-)

keiner August 18, 2016 2:53 AM

@Clive Robinson

If I have to do a job, I choose a solution that is straight-forward, robust and has limited chance to fail much much more often than the latest hi-tech stuff from the soft-hardware Kamasutra that makes some other techie stand there open-mouthed for some days when he looks at my solution (an event not even considered a good option for a malware implant to spy on your allies or whoever…)

Short version: Implants are not there to make you “WWWWOOOOWWWWW!!!1!eleven” for months…

Clive Robinson August 18, 2016 3:36 AM

@ keiner,

Short version: Implants are not there to make you “WWWWOOOOWWWWW!!!1!eleven” for months…

On that you and I agree.

However my point was that the way the code has been written the script files etc are really shoddy. If you employed someone who turned out work like that, you would probably drop them before the end of the probationary period.

To avoid drawing attention to itself APT code needs to be first and foremost “not buggy”. A memory leak is known to have a bad ending one way or another usually reasonably quickly so it’s not good for APT exploit code.

Thus “Why waste a good zero day with a poor implementation?”

One answer is “Not only is it not APT code, they also have so many zero days they don’t care if they throw them away”.

Does that really sound or feel right?

JL August 18, 2016 3:45 AM

“I miss the silliness and irreverence of the older hacker groups.”

They were not silly, they were brutal yet humorous by the standard at the time. I do not think there are any ‘modern’ hacker groups. The ‘modern’ hacker groups are people with a business, an ideological or a military interest, these people actually get paid for example. And are on average probably much older as well, hence maybe the choice of words for silliness ?

What I’m saying: stop comparing them, it will brighten up your day. I prefer not to use the words hack and hacker if it ain’t silly or artistic. I don’t see Equation Group making crazy demos to show off their abilities.

I remind us all hack and hacker are to be synonymous with artistry and silliness, with this demo that set a whole new level:

https://github.com/joncampbell123/dosbox-x/wiki/Demoscene:Unreal-by-Future-Crew-(1992)

… ehr, now I come to think of it, a top hacking group which got hacked, it’s kind of silly, no?

Clive Robinson August 18, 2016 3:45 AM

@ All,

One person looking at some of the code found a constant of “DECAFBAD”.

When I read it I had to smile, and wonder how long before people notice it’s also a website of a successful author and computer scientist.

How long do people reckon it’s going to be before he has to issue a disclaimer?

keiner August 18, 2016 4:33 AM

@Clive Robinson

Never heard of Cisco equipment failing due to NSA implants on the large scale, but would be interesting to learn, if you had some info on that…

And decaf IS bad. Know somebody always programming with variables such as “nonsense” and alike. Dunno if it helps to make code more readable 😀

Wael August 18, 2016 5:41 AM

@Clive Robinson,

Perhaps you want to rephrase that B-)

I’m afraid to do so. May come out worse 🙁

LAUGHINGSTOCK August 18, 2016 7:15 AM

@Boop, “But they have a legit job to do…” As I recall, there were earnest voices in the DDR Ministerrat saying that about the Stasi. But then the public busted in the doors and ransacked the place, and we’re none the worse for it, Are we?

NSA’s a cancer. Not just on the US, on the world. We’re going to cut it out and you’ll be fine.

Liquor A. August 18, 2016 7:24 AM

Has anyone considered that this may be a leak by the NSA itself? There has been a lot of speculation that various hacking tools would be attributable to the USA. Now this leak has been published, with what sounds to be the worst of their tool inventory (i.e. stuff they probably have replaced) along with an ‘unknown’ blob, any NSA hack that goes wrong and is discovered can now plausibly deny attribution because ‘the tools were stolen’.

BJ August 18, 2016 7:49 AM

@Jacob, concerning speculation on the insider leak option, I found it interesting that the grammar associated with the leak was “poor” English, but the punctuation was pretty spot on.

Grauhut August 18, 2016 8:21 AM

@All

If you look at the Shadowy Sauron, one of the better resulting questions is imho:

Why does the NSA still prefer RC5/6 and Salsa20 over AES?

Just coding history?

The code we can see now is highly modular, so there is no obvious cause to think it’s because of non-updatable server-side services.

Dirk Praet August 18, 2016 9:13 AM

@ Wael

And when we’re there, there’ll be those who tamper with the machines.

More specifically, it will be those who, banging the drums of war, in past and present sent off to the battle fields the children of the little people, all while making sure their own offspring was exempted.

Daniel August 18, 2016 10:01 AM

@Clive

One answer is “Not only is it not APT code, they also have so many zero days they don’t care if they throw them away”.

Does that really sound or feel right?

No. What sounds and feels right to me is the insider angle. It makes sense that when an exploit is first discovered the programmer creates a test server as a prototype for his superiors to be able to demonstrate that it works and that the project is worth spending money on. So he creates sloppy and buggy code because he has not been authorized by his bosses to spend the time to develop the full tool. That’s the way the process normally works: (a) proof of concept (b) prototype (c) full tool.

So if an insider walked off with the code from such a test server that would fit the known data points. Of course none of what I said is proof, but the insider angle is an equally plausible theory at this stage.

Like @Dirk many posts above I have a difficult time understanding why any TLA would throw away undiscovered zero days to make some kind of political point. Those zero days are too valuable—if for nothing more than counterespionage purposes–to simply toss aside.

Nobody Servant of the Many Faced God August 18, 2016 10:59 AM

Having read all the comments, and the major news stories, and given it a few days…

The big news story does remain: Russia used hacking to majorly interfere with the US Presidential election on behalf of a very unpopular and unscrupulous candidate. That is a profoundly bad thing.

I do not think the full implications of that have really hit everyone yet. What matters is when those in the US and allied governments understand just how bad that is.

That puts Russia as a very dangerous threat to the core of democracy.

In the eyes of military, intelligence, and diplomatic leadership.

It certainly did not help that Trump, the supported candidate in this attack, followed up that attack with outlandishly Putin and Russia praising statements. He even went so far as to imply that if he were President he would allow Russia to invade Crimean states and ignore the NATO treaty.

This hack and its release of sensitive information followed the exact same MO. I have seen Snowden’s, Dave Aitel’s, and others’ opinions on this – that this was Russia, and they did it to follow up on the DNC hack and disclosure of information – and how these opinions have made their way through many articles.

I believe, as these journalists and pundits also have been convinced, that this “theory” is as profoundly sound as the “theory” that Russia did, indeed, perform the DNC hack and follow that up with the massive release of information through Wikileaks.

(It was also very bad that Assange, the Wikileaks founder and primary spokesperson, showed himself strongly as siding with Russia, against the US, and specifically, against the Democrat Party of the US.)

The shit has hit the fan and it has thoroughly covered Russia.

I am not talking about “public opinion” here. What they have done is stab not just “military, intelligence, and diplomatic” forces of the US in the eye and back. They rammed a stick right into the eye of the core of the Democratic Party.

That, ultimately, sends a strong “fuck you, we are dangerous and a severe threat” message to the heart of every politician.

Russia, meanwhile, is very much outpaced by US intelligence. Clearly, they are arrogant and bold.

They have an extremely fragile economy.

Trump is a loser party, a very loud loser, and one who has only severely exacerbated their situation for them. While the Republicans have applauded them, you better believe their base secretly hate them. And they are the ones who will stay in that side of US power when he has failed at his mission.

Worse, the Democrats will find themselves in power.

And that will be a place of power where their main adversary who hurt them the worst, who, as they say “most wanted them dead and really tried to do it”, is Russia.

This was a desperate, arrogant, highly deluded, and absolutely idiotic series of moves by Russia.

On many levels. Not the least of which is there is a very good reason why nations do not normally expose their hand. That is, their hand of knowledge of what their adversary intelligence is doing.

Yet again, they have laid down their hand.

It may appear to be good to those not in their adversary’s intelligence. But, that is just because no one else has been so stupid to also fold and show their hand yet. Russia has an unbelievably crap hand. This puts them entirely at a loss.

As for loss of zero days, that is meaningless. Yes, zero days are expensive, but for all anyone knows this loss was already well known. That would almost never be said. One particular small set of versions of one particular subset of Cisco appliance is not even the tip of the very large iceberg of what you can guarantee US intelligence owns.

What the NSA knows now is that Russia owns all the zero days that were associated with those applications. From 2013. Which means they can now go back and know for a fact that any information obtained from those in Russia controlled areas is highly likely to be contaminated.

On the debate of whether this was hacked or whether this was stolen via “human intelligence”, I do agree with those who have stated this likely was stolen by human intelligence. Russia has more here today than they did even in the Cold War. If anyone anywhere thought both Russia and China did not already know what Snowden knew and was able to give up, they certainly did not remain in that thought after he showed how easily he knew it, and how easily he could exfiltrate it.

As for bizarre mind games in all of this? It does not matter. The evidence is persuasive to the people who matter that Russia did it.

That Russia was behind both attacks and both disclosures.

(What could the US expose of Russia, one of the most thoroughly corrupt and treasonous regimes on the planet. Believing the US and allies are incapable of still playing that very same game and far better is insane. If you believe Anonymous and other big named hacker groups and companies have not secretly been US fronts, well… Russia and China certainly do not and never would. Lulzsec, is one extremely good example reeking of evidence of that. Multiple major intelligence disclosures reek of a disinformation project on a very grand and absolutely diabolical scale.)

(And those are the exact sort of “mind games” that are not just known to be played by allied intelligence, but are common place, everyday. In the most rare and elite of counterintelligence circles.)

But, the parties at play here, from the core power base of US Government, to their strongest allies, including all NATO parties, to all “former Soviet satellite countries”, and who knows who else — not a few competitors in the oil business, and pretty much every nation not on the Shia side of matters where Russia firmly stands… have many hands they can play.

They have plenty of time to play them.

And they are the sorts to make those decisions and work them out behind firmly closed doors.

Doors Russia has absolutely no access to.

Nobody Servant of the Many Faced God August 18, 2016 11:11 AM

@Clive Robinson

1, Civilians

2, Identifiable

3, Available

4, Unprotected

What I immediately see when I read that is “CIA…U”. That is, a ‘wink wink’ of some manner, to that poster. That poster was definitely not CIA. CIA of any stripe would be extremely hesitant to make such a statement even undercover, and they would already be very sold on the idea that this was government.

Robert Hanssen used a name with “CIA” in it in hopes Russia would be persuaded that maybe he was CIA instead of FBI. This is because he knew CIA did often use names (there are quite a few) with CIA in it. And he surmised Russia knew this as well.

Kind of like how it has been pointed out that the CIA has a penchant for using middle names as nicknames, or deviations from middle names. (Albeit many undercover groups do this, it helps give a little extra layer of cover when people attempt to background said names. But with some groups it becomes a “wink wink”. A “I know you know, but do you know I know” thing.)

It may well be that they are military / IC of a country that has decided it’s time to double down on the current US Gov incumbents’ hypocrisy and misattribution.

Russia is behind all of this. True or not? That is the end result already.

There is no way for Russia to get out of that. Even if they set up some of their criminal pawns they love to use and left them dead with appearing smoking guns.

Which is not a tactic they like to use.

They are like your serial killer who can not resist taunting cops with notes.

That is Russia’s MO.

They like to be gangsters, not spies.

They say, “We did not do it”, and then put on a big grin and smile for the camera with their whores and their money.

Once a conspiracist, a spy, a person of the shadows, a group of the shadows becomes a gangster, reveling in the public attention? They are no longer able to go back.

They have just lost all their power, becoming the patsy, the fall guy, for the real power brokers.

Who have the power of invisibility, and know how to use it.

albert August 18, 2016 11:25 AM

@Clive,
“…How long do people reckon it’s going to be before he has to issue a disclaimer?…”

It depends on how many idiots visit his website.

@Anyone,

-10 on the political commentary. The MSM BS is tiresome parroting.

That said, as difficult as it is to wade through the BS, there are some opinions concerning the actual subject of the post that are worth reading.

. .. . .. — ….

Wael August 18, 2016 11:28 AM

@Nobody Servant of the Many Faced God,

Just out of curiosity, is your choice of handle related to Joseph Campbell’s “The Hero with a Thousand Faces”? It’s a clever choice of words. Hard to believe it’s a coincidence, but I could be wrong…

“Follow your bliss” — same author, “The Power of Myth”

Clive Robinson August 18, 2016 11:38 AM

@ Grauhut,

Why does the NSA still prefer RC5/6 and Salsa20 over AES?

I can think of several reasons, but one in particular is very historical.

As others are noting, the key selection code in some of these tools is, to put it politely, defective and produces a short range of keys. It’s a bit like the old DES 56-bit to 40-bit transformation for export code.

The result was the NSA with a lot of finances could buy technology that put 40bit keys in the “possible to brute force” range early on.

This reduced key range or key ranges with both strong and weak keys was a US Mil policy prior to the NSA being formed. As I’ve indicated before the NSA appear to have done this several times in the past, and probably did similar to AES by introducing many time based side channels in “practical” implementations. In fact the last time I looked the NSA approval of AES was for “data at rest” only in their own equipment.

Thus I fully suspect that their implementations of RC5/6 and Salsa20 actually produce a mixture of weak keys/ranges and network visible time based side channels.

The reason being that whilst these tools may work against less sophisticated targets, using them against the NSA would not provide much in the way of secrecy, and possibly a “time signature” that traffic analysis would pick up quickly.

There is an old military saying that people should keep in mind and that’s “Don’t leave ammunition for the enemy”.

r August 18, 2016 11:55 AM

@All,

To add on-to what @Clive just said, I wouldn’t want to spread an NSA quality AES implementation around in extractable assembly either. Also AES may be hard to implement across the board (per variant platform/chipset) where ChaCha/DES (+arm mips alpha sparc ppc cell ia64 aa64 ia32) may have already been ported and are relatively simple + effective (enough).

Exploits can be patched, a leak of a quality cypher is far more dangerous where they’re concerned I’d think.

Skeptical August 18, 2016 12:00 PM

Actually… I’m going to revise.

As a threat from the Russian Government against US actions, it is far too vague. Threats have to be reasonably clear as to the consequences that will be suffered if the target fails to do – or to refrain from doing – what the threatening party demands.

But here there is neither clarity as to consequences nor clarity as to the demand. Nor can a 2013 breach of this nature – unless there’s something very special about the data – possibly be intimidating to the US.

The Russians don’t need to demonstrate that they’ve penetrated US networks previously; the US is well aware of it, and in fact named them as an adversary in cyberspace with the most depth and capability.

Nor would it make sense for Russia to merely threaten to expose US interference in a foreign election – if this leak demonstrates such knowledge (which I highly doubt), then they’ve already told the US they know, in which case the better move would be to expose it and undercut a US retaliatory action for the DNC info op.

An exception to this might be in an instance where the exposure would harm Russia as well – suppose the US interfered in Turkey’s elections, and Russia exposed this. Erdogan’s position would be strengthened, his ties with the US weakened, but it’s unclear that Russia would benefit from a domestically empowered Erdogan that feels more vulnerable. Indeed that might be a substantially dangerous situation for Russian interests, as Erdogan might act with less restraint in Syria, and the US might be less able to persuade him otherwise – while still being obliged to defend Turkey as part of NATO.

So the threat would be… “we haven’t exposed this because it’s in our interests not to, but if you hurt us badly enough, we will; and as a proof of will, we’re sacrificing some useful intelligence to demonstrate this knowledge.” But – this seems far-fetched, to say the least.

Perhaps we’re attributing too much unity and rationality to the Russian Government, though. It’s known that the Russian Government employs skilled technicians of loose affiliation with the Government to conduct certain cyberespionage and cyberoffensive operations. Those same skilled technicians may, perhaps, also work on the side for less political causes.

In other words, the command structure may be sufficiently decentralized for a person or group to – for reasons having little to do with the considered interests of the Russian Government – leak such data for reasons of their own. Pride, perhaps, after the debacle of the DNC penetration? Learning that you were owned a year ago, having your goods passed around Western cybersecurity companies, and potentially exposing an important client (the Russian Government, and related entities) to serious blowback, can’t be considered a very good day. In fact, that kind of thing seems like it could entail humiliation and fear, depending on the position of the individual/group (if an official unit, less so – if unofficial or quasi-official, more so).

The size of the pie in Russia is shrinking – unexpected arrests and removals are happening – this may not be a good time to be seen as vulnerable.

So… a bid to regain credibility and patch up one’s reputation with current and potential customers? “Sure, we lost the DNC operation – not our best work. But here’s something from a few years ago that we can show without compromising anything current of our own that shows some real skill…”

Maybe.

But there’s another possibility. This would make sense as a threat if you wanted to demonstrate that a known breach in 2013 included much more than has been published, and that if X happens, then more will be published.

So in this alternative, an organization like Wikileaks – or a supporter – is concerned about possible US retribution for its witting cooperation with Russian interference in the US election process. How to forestall retaliation? Deterrence by denial? Unlikely to be feasible. Deterrence by punishment? How much did Snowden really walk away with? How much does he owe – or thinks he owes – Wikileaks for his current refuge?

Snowden is someone who thought the US would pay Hong Kong gangsters to kill him. Would it be difficult for someone trusted, someone close to him, from Wikileaks to persuade him of a dire threat to that organization? And if so – would he be willing to provide a piece of a puzzle to enable some of the extra leverage he squirreled away to be unearthed, unlocked, and used for protection?

If that’s the case, one would assume a message was communicated to the US Government via alternative means regarding the meaning of this leak. Perhaps that meaning is to be found in a tweet; perhaps it was delivered more directly by a trusted intermediary.

Then again… perhaps Snowden simply trusted the wrong person – also associated with Wikileaks, also with a paranoid approach to the US Government (perhaps narcissistic, and with delusions of grandeur as well) – with some of his insurance policy, and that person unlocked a bit of it for the same reason. Indeed, perhaps such a person is currently in need herself, or himself, of additional friends and leverage in the world. What a way to gain that. A hero again, and with buried gold somewhere besides.

In both cases – whether Snowden or a trusted person who betrayed that trust – one would expect Snowden to downplay the potential harm to the US from this particular leak.

I’m increasingly inclined towards one of the above two (or three I suppose) possibilities. I wouldn’t rule out it being a sanctioned action by the Russian Government, but it’s a very peculiar one if so.

In any event – all complete speculation on my part. Perhaps someone simply cracked a third party with this stuff in storage – allegedly individuals involved with a NSA operation in Greece practiced sloppy tradecraft. Perhaps this was part of the take, and perhaps the take was in turn taken by another third party, who desired to stir the pot for purposes of their own.

But I cannot see any possibility under which this leak was a wise decision by the leaker. Even as a kind of cracker advertisement it doesn’t make much sense. Who wants to hire the guy who just waved a red flag in front of the Five-Eyed creature that glimpses the streams of light coursing between the continents 50 fathoms deep with as much difficulty as one might have finding that email lost somewhere in one’s inbox.

Then again, there’s a lot I don’t see. But speculation can be a fun game.

Andrew August 18, 2016 12:03 PM

@Grauhut
I’m thinking at others too:
– maybe their decryption capabilities are highly exaggerated and they know that simple good old algorithms are still safe in practice, despite theoretical “attacks”… plus exfiltrated data won’t be worth the effort of breaking it.
– the S-boxes in AES may be part of some anti-virus signatures (their code is obfuscated / encrypted anyway, but who knows, maybe when it’s decrypted temporarily in memory it could be scanned)
– maybe hardware AES is backdoored.

Otherwise yes, they have similar length for a different implementation… I’d still choose RC6 too.

Marcos Malo August 18, 2016 12:07 PM

@Tatütata

Clues can be spoofed. Governmental agencies are reliant on contractors that they might not control firmly (or be the sole customers). I imagine this is just as true of Russian intelligence agencies. The cyber espionage contractors might not be (probably aren’t) “legitimate” government contractors and listed on stock exchanges.

All of this to say that attribution will be uncertain and speculatory, even by those with all the clues and the expertise to interpret them. They can make educated guesses at best.

Any official attribution by the NSA or the FBI is most likely politically motivated–aligned with political goals. Any accuracy of the accusation will be coincidental/incidental.

Anyway, that’s my speculation: that we’ll never get beyond speculation.

Dirk Praet August 18, 2016 12:13 PM

@ Wael

Just out of curiosity, is your choice of handle related to Joseph Campbell’s “The Hero with a thousand Faces”?

Err, you must be the only person in the world who hasn’t been watching Game of Thrones. It’s the god of the Faceless Men, a cult of highly skilled assassins in Braavos.

@ Clive

There is an old military saying that people should keep in mind and that’s “Don’t leave ammunition for the enemy”.

That’s not what the Germans did when they were chased out of North Africa by Montgomery. They left a huge stockpile of 9mm ammunition, which the Brits later used against them as sten gun ammo. But I’m sure you already knew that. I totally hated the sten, which was part of my equipment during my military service.

Wael August 18, 2016 12:21 PM

@Dirk Praet,

Err, you must be the only person in the world who hasn’t been watching Game of Thrones.

Accurate diagnosis! I heard of it, but never watched it.

black noise August 18, 2016 12:27 PM

@Nobody Servant of the Many Faced God, you have no idea whether Russia hacked your ‘democracy.’ You can’t support your assertions and your stupendously lame argumentum ad verecundiam makes you sound like a conformist party dupe.

Anyway, who cares who hacked your party apparatchiks? Your democracy is fake – or were you in a coma while the DNC crushed its dissidents and stole their votes? And when Bush’s cadre stole Ohio in 2004? And when Anthony Kennedy negated your votes in 2000?

Spare us your belief, parroted from nameless ass-kissing journalists and pundits who can’t even open a terminal. You’ve blown all credibility with that gee-whiz Ludlum fanfic nonsense.

r August 18, 2016 12:43 PM

@Marcus Malo (Marshmallow)

“The cyber espionage contractors might not be (probably aren’t) “legitimate” government contractors and listed on stock exchanges.

All of this to say that attribution will be uncertain and speculatory, even by those with all the clues and the expertise to interpret them. They can make educated guesses at best.

Any official attribution by the NSA or the FBI is most likely politically motivated–aligned with political goals. Any accuracy of the accusation will be coincidental/incidental.”

Block 1) eg. paid trolls.

Block 2) paid trolls will not have the same opsec as fsb.

Block 3) I don’t believe this, but the argument can be made that denying a hacktivist motive IS political in itself.

Gilly Blake August 18, 2016 12:45 PM

“Who wants to hire the guy who just waved a red flag in front of the Five-Eyed creature that glimpses the streams of light coursing between the continents 50 fathoms deep with as much difficulty as one might have finding that email lost somewhere in one’s inbox.”

You should put that up for the Bulwer-Lytton Contest. That there is some shitty writing.

Clive Robinson August 18, 2016 12:46 PM

@ Dirk Praet,

They left a huge stockpile of 9mm ammunition, which the Brits later used against them as sten gun ammo.

Yes, the sten was a terrible weapon, sometimes called “the plumber’s delight”. As you know, that particular type of “blowback” reload mechanism was quite dangerous.

A later version, the SMG, also used a very similar design, and even on single shot you used to get double taps with it. Worse was when a round did not go off: you got a hard stoppage that was difficult to clear unless you had a steel rod to ram down the barrel. For my sins my “personal weapon” was the SMG even though I was on the shooting team and had an SLR with my name on it (as the double leaf sight etc was my own personal property). However the less than intelligent stores staff used to issue what was “nearest to hand”, with the result that the carefully setup sights used to get tampered with, thus I had to set it up over and over again 🙁

r August 18, 2016 12:46 PM

@Wael,

I don’t watch GoT either.

@All,

Am I the only white male alive that is offended by the proliferate use of cracker?

Clive Robinson August 18, 2016 12:51 PM

@ Dirk Praet, Wael,

Wael is not the only one who does not watch “The Game of Thrones”.

When the trailers for the first series came out I was left with the “what a load of horseapples” feeling, that I get with a lot of stuff from the Rupert the bear (faced liar) Murdoch empire.

Nobody Servant of the Many Faced God August 18, 2016 12:53 PM

@Skeptical

This is part of a severe escalation of global cyber conflict. There are also two major but often hidden undercurrents here to factor into the analysis of “what is coming”.

One, is that the US has shown no teeth to the world in the attacks it has suffered. I am not talking blame politics here, but gangster politics, national defense politics. Street politics. OPM, Sony, years of compromise which have been made public by Russia and China. And no teeth.

Inaction encourages further action.

The second factor, the other hidden current here, the ‘elephant in the room’, is that everyone does know the US is the most aggressive nation in the world in technical intelligence. So, China and Russia can both assume in regular intelligence analysis paranoia that the US hears and sees all, having thoroughly compromised them. And in this case, we more cynical observers can comment, “they are surely right”.

But, this matters only in that it gives an excuse for inaction. It is the best intelligence tactic to keep your cards close to your chest.

But, it is not in the best strategic interest at this time.

You have to show there is a price to pay for such actions. Or, you will be making yourself be shown as weak.

This is the exact opposite tactic the US has taken with physical attacks. Everyone is scared of the US in those regards. They are your “bugs”, your “moonie”, they are unpredictable and extremely violent in those regards. Case closed.

But, cyber? Weak.

Street slang, they are anyone’s bitch.

As for “who did it”, Snowden did not do it. While your far fetched theory is not unworthy of working out, it quickly fails on numerous points not worth mentioning. As these are obvious points, I will observe that you likely drop that possibility. Unless you have an agenda to prop it up.

Most importantly, for all intents and purposes, it does not matter who did it. Russia did it. That is what everyone believes, and they believe there is hard, conclusive evidence for it.

I believe it. It is Russia’s intelligence MO. It does not take much reflection for anyone familiar with their major public intelligence actions to note this.

They did this in Ukraine, and are doing it still. They make actions that are clearly from them, which they then weakly deny. Many such actions, but notable, on the cyber front, are the actions against their power plants that scream “Russian military intelligence”.

They have done this in their assassinations, globally.

Even where they are good at maintaining their conspiracies, they show themselves as all too willing to fuck it up for the glamor of being a gangster. Anna Chapman, media star. Spy? Not much of one. Media star. This is how Russian politics works.

They throw journalists down elevator shafts. They run terrorist operations to blame terrorist enemies and show their hand. They assassinate a guy with radioactive material that is practically an equivalent of a Russian government cryptographic signature.

They have their military in Ukraine facebooking, and prance around showing off their capacities for electronic warfare in military outfits that merely have obvious Russian identifiers taken off, but tell everyone “Russian military”.

Snowden, actually, in his comments on this issue showed himself as he is, an activist. I would argue that while that showed balls and heart, it also was unnecessarily dangerous for him to do.

One can point out that he does love the limelight, and that certainly is a factor in this, at least, apparently. If one wishes to be a meaningful critic.

Like Russia, Snowden is doing a John Gotti strut for the cameras. I think he is going native, in that way. Russia culture is all about that.

They practically openly kill and defraud even European businesspeople who go there, and use their FBI, the FSB, to do it. No ramifications. They glory in this crap.

Look at Putin. He is practically wearing a tshirt flaunting that he was KGB and corrupt.

He surrounds himself with KGB cronies. The people love it. He is their Ivan the Terrible, a bad ass, a rock star gangster on the world stage.

It helps them forget that they aren’t working on their industry, on the economy, and are relying as much on their oil and gas as a middle eastern desert country.

He is a nationalist and a patriot, even if he is running the country into the ground.

This, for Russia, is exactly akin to why kiddy hackers do this kind of thing.

For the lulz, the wowz. Impressing the boys and the girls.

These are bad chessplayers.

Like any flaunting gangster, they don’t care about tomorrow. They are living for today, and constantly getting away with it — they believe they will never suffer any repercussions or ever have to take responsibility.

Heck, in the media, and surely in their people’s eyes, Russia is a superpower again. Back and better and bigger and badder than ever before.

Only, economically? Trivial.

Which makes the posturing all the more delicious for them.

Rational? Very, very rare when criminals are rational. Very slippery slope even the smartest of them make their home on.

Bad criminal, good criminal — rule breaker. Breaking the rules that they should follow to avoid terrible consequence.

The way they are running their state, definitely they fall under that category.

(Is the US in the same boat in many ways? Absolutely. But irrelevant to Russia’s behavior. And unlike Russia, the US does have a strong economy. Even if there are several core weak spots with very scary, slippery slope. But, irrelevant to the behavior and position of Russia. If Russia is merely even copying the US, that is even worse of an idea for them to do so. And humiliatingly sad.)

Freezing_in_a_Gulag August 18, 2016 1:50 PM

@Sorge

I can only compliment your superior manners. Your nick is German but you are signaling to be Russian. Small wonder your passionate, grumpy, response, in defense of the indefensible.

I bid you peace.

Signed: Just_Freezing

Wael August 18, 2016 1:53 PM

@r,

Am I the only white male alive that is offended by the proliferate use of cracker?

Perhaps you should take your beef to the chief of staff! 1:30 – 1:50

albert August 18, 2016 2:27 PM

@Clive,
“…from the Rupert the bear (faced liar) Murdoch empire….”

Did you mean ‘bare’, or is this a reference to “Family Guy”’s Stewie and his teddy bear named Rupert? (Which runs on a Fox TV channel here in the US)

+1 either way, Rupert -is- as dangerous as a bear.

. .. . .. — ….

jfgunter August 18, 2016 4:01 PM

“Dark Territory” tells of diverse US cyber attacks in the Bosnian war. I had not known how early the US went offensive. Interesting book which traces gov’t involvement back to Reagan’s having viewed the film “Sneakers”, then “War Games” and asked the generals how realistic they were. They didn’t have a clue, and were slow to take cyber war seriously.

ianf August 18, 2016 4:03 PM

That makes four of us. I can’t think of a worse horse shit than Game of Thrones. Up there with fantasy, Harry Potter, all these teenage/ vampire/ slasher movies, Tolkien, Ayn Rand, and that show whose protagonists sport neon turds taped to their foreheads.

Oh, and I had read Campbell in a critical edition with pointers to parallel narrative tropes in movies. Gave wide berth to the Bliss title, as too NewAgey for me.

Somebody Else August 18, 2016 4:56 PM

@Nobody

He surrounds himself with KGB cronies. The people love it. He is their Ivan the Terrible, a bad ass, a rock star gangster on the world stage.

Well, if his reign extends from 16 to 160 years, we can just call him Lestat. Or maybe Vladimir is already a better name for a vampire.

Term limits are f’n awesome.

What Could Possibly Go Wrong August 18, 2016 5:06 PM

@Marcos Malo

Clues can be spoofed. Governmental agencies are reliant on contractors that they might not control firmly (or be the sole customers). I imagine this is just as true of Russian intelligence agencies. The cyber espionage contractors might not be (probably aren’t) “legitimate” government contractors and listed on stock exchanges.

Good points, that I see as related in spirit to the news of the day about the DOJ and privatized prisons. It’s a teeny bit surprising the GOP supports the privatization of prisons and national security. Their libertarianesque political stance seems to have lost track of the libertarian detail that police and national defense are the key exception to the ‘as much privatization of government as possible’. Of course there is that whole torture thing too. Perhaps with any luck Trump will damage the GOP enough for the libertarians to take its place (I still have my fantasies).

r August 18, 2016 5:15 PM

@somebody else,

Where term limits and term lengths are concerned, I still think we have work to do.

The biannual cadence distracts from the purpose of the floors and the offices, and 8 years is a nice limit for the big boy (or girl) but due to the rigidity of it I think it can actually cause problems for those coming into a situation they only have an outsiders view on. I think there’s another point to make against 8 years but it’s not bubbling up from my cauldron at the moment. Why should we limit those doing a good job if the people WANT them in office? It’s curious to me, I would nerf legacies like father to son – husband to wife – maybe force co-operation and disallow galvanized/unipolar representation? I don’t know, just some things to think about.

Playing With The Fabric Of Democracy August 18, 2016 5:39 PM

“Why should we limit those doing a good job if the people WANT them in office?”

Corruption. Also, the same principle as decentralization- If the new person gets hit by a bus, you have a more decentralized set of ability to draw from. Since you wouldn’t directly draw on the term-limited person, that person would merely be an advisor to whomever you do choose. If those people WANT them in office for good reasons, they can surely gather enough financial resources to fund an advisor position for the actual person in office.

Don August 18, 2016 5:43 PM

@r
What is cracker? I know Americans have a lot of strange words they believe are actually English and imagine everyone else in the world uses them also

(not suggesting you are guilty of being American or guilty of inventing words and claiming they are English – I just find this malady is usually the case when I come across a bizarre word or phrase.
Americans are definitely the most illiterate race/culture I’ve come across)

@ All

this blog becomes SO boring when it stops being about security and
instead becomes a rant about politics. There is more to life than
the american election and the imaginary foes called from Rus Land

r August 18, 2016 5:53 PM

@Don,

I’ll try to keep this short as it’s OT.

Cracker: poor white ‘trash’. It originated in the south about landless(?) whites.
Cracker: blaaaaaaaaaack hat hacker. I take offense to it on these grounds too, as I don’t think too many people asked the PC crowd how revengineer’s would feel about being camped on by malicious inter-networking practices. I think if you can modify someone’s program you can use it however you want – so long as you don’t capitalize eg. sell access to it. It’s free access to education, curiosity – cracking software is the real concept behind rooting your phone – if you have the skills you should have the rights no matter what. (Locality considered)

r August 18, 2016 5:59 PM

@Don,

We are not resource starved on PCs, de-criminalization of r/e work would encourage the remainder of the community to promote responsible coding and deployment processes eg. signatures and validation – secure programming – secure devices etc. I have absolutely zero problem with research, so long as it doesn’t or isn’t intent on damaging others. Intent is hard to prove though, especially in the electronic realm so I understand why things are ever-so-slightly backwards.

a August 18, 2016 6:11 PM

We are not resource starved on PCs, de-criminalization of r/e work would encourage the remainder of the community to promote responsible coding and deployment processes eg. signatures and validation – secure programming – secure devices etc.

This isn’t quite the WinTel hell of the 90s these days. Given the presence of the ability to do the same research with slightly different, but fully open hardware and software (beaglebone black and gnu/linux) why not just invest the intellectual research efforts in that direction? If there were no other direction your research could take, i.e. due to some MS-Windows 90s style PC domination, I’d be more supportive of your position. But there are now readily available alternatives to the most orwellian of walled gardens.

I have absolutely zero problem with research, so long as it doesn’t or isn’t intent on damaging others. Intent is hard to prove though, especially in the electronic realm so I understand why things are ever-so-slightly backwards.

It’s also that ‘damage’ is nuanced. Companies and shareholders would consider better competitors in the market to be ‘damaging’ to their ability to maintain market dominance, and ‘damaging’ to their profits. Research about their products would seem to directly lead to that, and I’m sure if they could use ‘damage’ as an argument in court, they’d use it exactly like that.

r August 18, 2016 6:12 PM

https://yro.slashdot.org/story/16/08/18/2213257/how-the-us-will-likely-respond-to-shadow-brokers-leak

I’m not sure I’d respond symetrically or not. There’s no reason to respond packet for packet (in this case), all it would do is risk more detection.

Kaspersky had previously stated there would be more information coming forward about Equation and then we got ^_^

If the contents of the auction are legit, the USG may be risking a) funding terrorists, b) getting into a bidding war and c) assuming they’re dated giving up more teq.

I’m not expecting any response, other than maybe tightening up the belt2.

r August 18, 2016 6:16 PM

@a,

“It’s also that ‘damage’ is nuanced. Companies and shareholders would consider better competitors in the market to be ‘damaging’ to their ability to maintain market dominance, and ‘damaging’ to their profits. Research about their products would seem to directly lead to that, and I’m sure if they could use ‘damage’ as an argument in court, they’d use it exactly like that.”

The other thing, ‘nuanced’ about our positions is:

Do you mean damage to companies?
Damage to shareholders?
OR
Damage to consumers?

r August 18, 2016 6:21 PM

@a,

“But there are now readily available alternatives to the most orwellian of walled gardens.”

There are, are there? Then I guess everyone can stop development because we already have open alternatives available for everything from cars and tractors to home, voip and cellular phones. Not to mention other various forms of office hardware and software.

Beware of the ‘nothing to see here’ line.

r August 18, 2016 6:24 PM

If I wasn’t putting a gun in the back of Cambodians, do you think I could get them to knit all my sweaters?

Coercive motivation can be very motivating.

a August 18, 2016 6:26 PM

actually I was making the multiplicity of interpretations of the word ‘damage’ point to you.

Likewise, I don’t suggest anyone stop development. The more development and competition, the cooler stuff we’ll all have sooner rather than later or never.

r August 18, 2016 6:32 PM

@a,

I realized you made such a broad statement after I re-read it; you’re right though, my outlook could be dated (and biased) too. I haven’t exactly led the most straight-and-narrow life and affording high(er) education thus far has been a dream. But, thankfully my lack of comprehension in that statement may add to the emphasis.

Thank you. 🙂

r August 18, 2016 6:36 PM

@a,

To wit, arguably: companies partake in hara-kiri by not auditing and being more responsible where time-to-market is concerned.

If gun and vehicle manufacturers were held to the same light standard as software companies, cars and guns would explode at random.

a August 18, 2016 6:39 PM

Can you imagine what the ferengi print would read from a gun manufacturer if it weren’t for government regulations that preclude such silliness? lol

r August 18, 2016 6:46 PM

@a,

“Can you imagine what the ferengi print would read from a gun manufacturer if it weren’t for government regulations that preclude such silliness? lol”

‘Use at your own risk.’ ?

That’s the best I’ve got, your point is well taken.

r August 18, 2016 6:51 PM

@a, Don

More to the argument I was making about reverse engineering and self-auditing:

As an American, I have a constitutional right to be secure in both my person and my effects. Reverse engineering, fuzzing, probing, decapping, SDR and voltage analysis all fall under that clause in my book.

r August 18, 2016 7:01 PM

@a, Don,

If companies like Apple or Google or general motors have a problem with tampering and research they should build a more secure product.

The 90’s were a revolutionary time for software; shareware companies started to create nerfware that was missing whole sections of code so subversion of key checking algos wasn’t possible in certain software. The technologies exist, there is a market, and it IS valid research – homomorphic encryption – permutative meta- and oligomorphism – encrypted execution – signing and verification… The only reason we don’t see more of these technologies is because there’s a drive for the lowest bottom line products with the highest markup available. There are responsible strong technologies out there; these companies and products are just driven out. It’s unfortunate.

AUSTISTIKI August 18, 2016 7:29 PM

Probable victims of NSA interference who should be looking for newly-discovered IOCs from this leak:

  • Elements of the Italian judiciary involved in the Imam rapito kidnap/torture case

  • Erdogan, to investigate US complicity in the Turkish coup

  • Hungary and Slovakia, considered by the US to be insufficiently hostile to Russia

  • CySEC, as collateral damage in the US attack on Russian foreign investment

  • Olafur Hauksson’s banking prosecution committee

  • The Armenia Ministry of Energy and Natural Resources, pressure point for US destabilization efforts

  • The Swiss Chinese Chamber of Commerce

Wael August 18, 2016 8:17 PM

@Grauhut,

For the lulz, one text…

There are six occurrences of the string ‘AES’, just like there are six occurrences of the name you addressed this to (up to this point.) How strange! 🙂

Nobody August 18, 2016 8:46 PM

Another good article with opinion from fmr nsa and counterintelligence on Russian hacking:

http://observer.com/2016/08/vladimir-putin-has-already-won-our-election/

Whether you like it or not, the fact remains that from the US perspective Trump getting elected is a danger to national security at this point.

One opinion this author cites from a DC voice states that this is the ‘biggest counterintelligence threat faced since the early cold war’.

For extreme critics of the US here, who are unlikely to favor Trump or Russia, step back and consider how this may change the global environment in ensuing years.

@austiski

Good article for anyone wondering about how wacko in anti-americanism Turkey is getting:

http://www.foxnews.com/world/2016/08/18/turkish-media-all-in-on-anti-americanism-in-wake-failed-coup.html

All the world needs is more craziness in the middle east.

As for IOC, the Russians don’t care about that or they would have released everything.

Do you think Russia is not completely pwned by the US? Putin’s government is much too busy with profit through corruption to even bother with their own security. They are counting on the ability to invade their former stolen nations again to make up the slack.

A pipedream only possible if Trump is elected. Which never had any chance of happening.

DNC hack, bribery, covert funding, or anything else wouldn’t let that happen.

Grauhut August 18, 2016 8:54 PM

@Clive: The ammu argument is of cause valid, but aes is open ammu, nothing to hide…

Another funny question in this case is: Why would someone try to send the NSA to a predictable witch hunt by throwing this kind of fire cracker, binding a lot of their resources?

Sun Tzu…

"A military operation involves deception. Even though you are competent, appear to be incompetent. Though effective, appear to be ineffective."

The shadow brokers could act in some kind of “drunken monk” kung fu style, meaning the real kick follows the funny and attention-binding drunken dance…

Grauhut August 18, 2016 9:04 PM

@Wael: Three of them in each main frame and raw. Either they hacked openssl or they are on this computer. This is so frightening! 😀

P.S.: Even one LuL! 🙂

Wael August 18, 2016 9:13 PM

@Grauhut,

Either they hacked openssl or they are on this computer. This is so frightening! 😀

You’re such an optimist — LuL3+3 😉

haha August 18, 2016 9:23 PM

@Nobody

Good jokes!

In socialist America, election solely kill citizen opposition. But in capital Russia, dissent only crushed after free election.

What a couple of countries!

Grauhut August 18, 2016 9:40 PM

@Wael: You are so right, I think I will do some forensics on my recordings tomorrow! Need to find out who else! 🙂

Don August 18, 2016 10:19 PM

@r

Thank you for your insightful response and for extrapolation in a meaningful direction.
You are one of that small handful of posters here who, it's apparent, would be of great value in human company. I value your presence here.

@io
Thank you. When Bruce posts something here just the smallest bit political, I feel many commenters on this blog need reminding that the US elections are NOT world elections. Give someone a centimetre (mention NSA here) and they take a metre (start attributing to Russia and talking about nothing else but…zzzzzzzzzzzz). Can we get back to the NSA exfil and content of the data etc please?

Many Americans need reminding of the following

  1. Thanksgiving and the 4th day of the Seventh Month are not international holidays
  2. Only one country in the world knows or cares about the game apparently called baseball. Just one.
  3. The upcoming national elections in the land mass aka country near Mexico and Canada, are only national. Not world elections. Not international. There are also other things on the calendar that year

r August 18, 2016 10:19 PM

@haha,

While I laughed at your joke, I’m not sure it was actually funny; maybe just Borat funny – I don’t know.

I can’t help but wonder how

https://en.wikipedia.org/wiki/Pussy_Riot

fits into your presentation. Were they a CIA funded group like how the KGB loved the Beatles? Was the intent to infiltrate the Russian prison system and gain access to вор в зако́не/Vory?

Clive Robinson August 18, 2016 11:41 PM

@ Don,

Whilst the US elections might be national, due to the MIC looking for profit they do have very real worldwide consequences.

What is worse is the US is starting to hit the buffers, due to the fact it has resource issues that can not keep up with the demand of US middle class lifestyles. Thus you find all manner of sins hiding under the skirt of US exceptionalism. Which is why many regard the US as a “bandit state”, especially with the clauses in the secret trade treaties that the current incumbent is trying to force through as his legacy.

One thing that you might want to consider for your list is that the US needs to get rid of the requirement that all US Presidents must be native born. It flies in the face of common sense on all sorts of levels and has already become a significant issue in that it may well have given us Donald Trump as a candidate.

r August 19, 2016 12:37 AM

@Playing With The Fabric Of Democracy,

Thank you for humoring me enough to respond to that and offering up an alternative.

What do we do then about Congress and the Senate?

MartinP August 19, 2016 7:15 AM

I mean what makes you so sure that behind DNCleaks is the FSB?

I am not convinced! Just because many people say so that is no proof!

AUSTISTIKI August 19, 2016 8:08 AM

@Nobody, “Whether you like it or not, the fact remains that from the US perspective Trump getting elected is a danger to national security at this point.”

That is just so adorably naive I wanna kootchy-kootchy-coo you under your chin. Like every previous postwar president, if Trump or Clinton or Jill Stein makes one false move, Marine One will throw a rotor and they will crash in flames. CIA ran your country the same way with Vegetable-in-Chief Ronald Reagan and with credential-free empty suit Barack Obama. When JFK showed signs of insubordination to his CIA handlers, CIA shot him. When Carter annoyed CIA they treasonously prolonged the captivity of the Teheran Embassy hostages to make him lose. A US President has less workplace discretion than a fry cook at MacDonalds, thanks to CIA impunity. So don’t listen to washed-up perv John Schindler, for chrissakes. His advice is even more embarrassing than his unwelcome dick pics. (Look him up.)

As for Turkish anti-Americanism, yeah, maybe CIA shoulda thought of that before trying to knock it over. Putin corruption? Putin himself is incorruptible, as people who have been there know. That’s what drives CIA up the wall.

Nobody Servant of the Most High August 19, 2016 10:17 AM

@Somebody Else

‘Putin & term limits are good’

Yep… it is easy to make that argument, systems without term limits & tyrants go hand in hand. Historically speaking.

@Don

this blog becomes SO boring when it stops being about security and instead becomes a rant about politics. There is more to life than the american election and the imaginary foes called from Rus Land

Don, I work in the industry. Dave Aitel works in the industry (and I have known him for a good long time). Snowden, even still, one could say works in the industry. Schneier works in the industry.

The best coverage of the matter has been through an industry mag, Ars Technica.

Reality is computer security is deeply entwined with intelligence, law enforcement, politics, and many other areas. Especially with intelligence. Both are information technology fields. You can literally say.

Same thing with media: books, newspapers, news and other periodicals, and even down to visual media and interactive media, such as games and cinema.

My statements did not state “America is good and Russia is bad”. My statements stated that these hacks have severely stirred the water. To accurately sum them up. The global political waters, the global stability waters.

I did state this was a horrible strategic move by Russia. I believe the blowback they will receive on this will be tremendous, and I argued why.

But, my comments were technical.

That is, it was like saying they made a terrible chess move.

It is objective.

This is a show. Biggest show on earth. Get your whiskey and beer, get your popcorn, you have a front row seat. Let us see what happens when ‘this whole shithouse gets lit on fire’.

The entire old global structure is cracking at the seams.

Be ahead of the curve.

Get your finger out of the cracks of the dam and run far enough away to be safe.

Where you can enjoy what comes next.

Nobody Servant of the Many Faced God August 19, 2016 11:12 AM

@AUSTISTIKI

…’you are naive,CIA runs the USA’…

Au contraire, senor. On the ‘I am naive’ part.

Your entire argument “proving” I am naive hinges on mine stating the CIA does not run the USA.

But, I did not state that the CIA does not run the USA, because it is as irrelevant to what I was saying as the weather on Jupiter right now is irrelevant.

This is faulty logic. It is the common “shortcut from thinking out matters” logical fallacy often termed the strawman fallacy. Attack something else to disprove the point.

But, you believe my point, as any critic would. All my points.

You just did not understand what I stated.

I will summarize, briefly, in bulletpoints:

1) the power base in America believes Russia hacked the DNC & Russia hacked the NSA & furthermore that the NSA hack and disclosure is tied to the DNC hack

Whether Russia literally did do this is completely irrelevant to what I stated, to the analysis I posted

Do you disbelieve the American powerbase believes and will continue to believe Russia did these things? If you do, then you may disagree and argue why you do not believe this.

But if you even argue that they are liars and do not believe it, but will act and speak as if they believe it now and in the future? Then, you still agree with what I stated.

2) I stated that the powerbase believes this and I defined the powerbase putting intelligence first. Who will be, in the powerbase, the most ardent and confident about this? US intelligence.

As for your argument that the CIA was really behind the Turkey coup, that is not implausible. They may have been. Again, irrelevant to what I was stating. In that instance, I can understand more closely why you were confused. But, had you understood the principles of cold and objective analysis of human behavior based on filling in the equation of variables of ‘what people believe’, then you would not have been so blinded to what was being stated.

Had you been practiced in considering all angles, and not just your preferred angles, you would have understood my analysis.

@MartinP

I mean what makes you so sure that behind DNCleaks is the FSB?

I am not convinced! Just because many people say so that is no proof!

If that response is directed at my posts, please see the above in this post, and note that my statements were neutral as to whether or not the charge is literally true or not. But, the analysis looks at the conclusion, which I do believe we can have very high confidence in, which is that the powerbase in the US does now and will in the future consider it true: that, a., Russia did perform the DNC hack and related disclosure, and that, b., Russia did perform the NSA attack and related disclosure.

Why this kind of analysis is useful and important is because actions people take in the future can be determined by the beliefs they hold.

In regards to the literal, which is a useful but entirely unrelated argument, ‘did Russia literally, really, perform the DNC and NSA hack and the related disclosures associated with both’? That is a much more complex question.

For many reasons, that certainly is a very useful problem to tackle.

And that problem certainly does have value in attempting to solve in terms of “predicting future behavior”.

But, an analysis assuming that the USA powerbase will believe this is Russia and does now, is also very important.

And that is the only analysis I attempted in my posts here.

Quite simply.

AUSTISTIKI August 19, 2016 12:06 PM

@Nobody, No, what you said was, a Trump presidency is a danger to national security. Then you made up a bunch of new stuff that had nothing to do with the old stuff.

So, you work in the industry! Tell us more. Because I am not one of those evil Russian hackers who would take advantage of people’s cognitive frailties to effect a massive breach of national security information or anything, We’re all friends here!

Nobody August 19, 2016 12:31 PM

This is part of a truly landmark hack. That is what my posts were about.

Whether Russia really did do it or not… really, neither here nor there for this. I have largely left that for others to discuss. I do believe that it is highly likely they did do it, but we do not have access to truly conclusive evidence. What is important is that the American powerbase does now, and will in the very likely future, deeply believe Russia did do this.

Nobody contested me on that, and I see no reason why anyone would, even from the deepest critic of USA to the most crazed fanatic.

And that is certainly important.

This supposition certainly does imply that people do act and speak according to what they believe.

Now exactly predicting what such a deep felt belief will blossom, now, and in the future, is impossible for us mere mortals. But, we do know that the depth and strength of the momentum of these activities can be very well and easily reasoned to be simply enormous.

What we have going on here is Russia interfering powerfully in the US 2016 Presidential election.

What I did not point out is in many ways, this interference was well thought out, as we have come to expect from Russia. In fact, I seemingly stated otherwise. Because I do state as I do believe that Russia did put thought behind this, but it was regardless a very bad move for their part.

As noted, Trump will not win. Clinton will win. Their strategy was entirely contingent on Trump winning. Their strategy was to aid Trump in winning. But, not only did they “bet on the wrong horse”, they miscalculated how certain these activities were to backfire.

Instead of aiding Trump, they crippled him. They put Trump’s ties to Russia in the spotlight. Their actions encouraged Trump to speak his true mind and heart on Russia, and those beliefs were exposed to the American public. Guaranteeing to decimate even further his minimal chances to win in the first place. Far worse, all of this was entirely predictable, had Russia properly performed their homework.

Like so many Russia direct action operations over the decades, and certainly not unlike many US, Israeli, British and other major national intelligence agencies, the blowback is much worse than the intended reaction.

It was a really stupid blunder.

Will the US reaction and likely series of reactions be just as terrible? Probably, much more so.

It might be further noted that this certainly ties into global affairs tightly, and goes far beyond the interests of Russia right into the heart of the Middle East conflict. Which is where the US and Russia are effectively facing off, across every nation therein. With Russia on the side of the Shia, and the US on the side of the Sunni. With Russia opposed to Israel, and with US siding with Israel.

There is a huge backstory here. But, that this is core computer security, and core international politics, are both true. That this is deeply important to understand today is certainly very true. If you wish to understand even the general gist of the wind which will blow in the not so distant future.

We can not say where that wind will blow, entirely, but we can say, “In the Middle East, at the very least”. And we can not say what that wind entirely will bring. But, we can say that is one powerful, very, very powerful wind that is now set in motion.

Enough to cause the perfect storm.

r August 19, 2016 12:46 PM

@Nobody,

Not to stroke our egos, but we don’t know how many moves they are (or aren’t) ahead. Any ideas present contingency or alternative paths moving forward. There is no guarantee Trump losing wasn’t the intent – look at how quickly Turkey is galvanizing. The more the Hammer and Sickle strike the harder the metal, the harder the resolve. They may be counting on a sweeping middle eastern movement to the east away from the west. We just don’t know what the future will bring.

See: free analyses here.

It also presents a thermostat considering the minds this site may/not attract.

@FSB, any inputs ? 🙂

The fat lady isn’t singing, please let’s cancel the headliner.

Tatütata August 19, 2016 12:51 PM

Bruce Schneier: (Good proof would be for The Intercept to run the code names in the new leak against their database, and confirm that some of the previously unpublished ones are legitimate.)

They seem to have done just what you were suggesting:

The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579.” That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE.

Daniel August 19, 2016 12:51 PM

The coverage in the news media is really terrible and frankly it is sad that Bruce links to such bad coverage. Attribution is difficult. What is not difficult is whether or not there were live zero days on the day the data dump happened. And there were. Period. That is a fact that is not disputable. So why on earth is the media, including the articles Bruce links to, still hedging on this fact and quoting vendors who say “we are looking into it”? They have looked into it. They have found there were zero days. Why is that so difficult to report? The facts are the security bulletins already published by the vendors.

Nobody August 19, 2016 12:55 PM

@AUSTISTIKI

@Nobody, No, what you said was, a Trump presidency is a danger to national security. Then you made up a bunch of new stuff that had nothing to do with the old stuff.

The “new stuff” is the context you separated from my response nullifying entirely what I was saying.

Sure, you could snip out a statement, distorting what I was saying, to make me say what you want me to say, which, in this case, is the ‘trump presidency is a danger to national security’.

You do not seem to understand there is a difference between saying ‘the trump presidency is a danger to national security’ and ‘the American powerbase is saying and believing the trump presidency is a danger to national security’.

I will be clear one more time, and clear even on this specific point, which is not one that interests me much: I simply do not know, my own self, whether or not Trump would really be a threat to US national security if he were elected.

Is that plain enough to you?

The reason for this is not the least because Trump is a true wild card. Yes, he has people on his payroll in important positions who are also on Russia’s payroll. Yes, I believe he sees Russia hacking the DNC as a windfall and a good thing. Yes, I believe Trump stated an atrociously poor statement when he effectively said that if he were President he would very likely not honor the NATO treaty specifically in regards to Russia invading ‘once Soviet held territory’.

But, Trump is double minded, a flip flopper, and someone who leaps before he looks. He is as much of a “wild card” as one can get.

Finally, yes, I did recommend an article by a former NSA officer who also worked in US counterintelligence, at a site which has a default disclaimer, “the owner of this publication’s father-in-law is Donald Trump”. But, I did so in the context of pointing out that he well covers the historical matters present in these hacks, and the likely impact.

I leave it to the reader to perform multiple, even contradictory, source analysis. Read that, and read Alex Jones, if you must. But read as many different, even contradictory views as possible. Get practiced in holding open many contradictory theories without deciding on any single one until the actual hard and conclusive evidence makes that one known.

In this case, the hard and conclusive evidence I was presenting from that article was not “Donald Trump is an absolute surefire threat to US national security, if he is elected”. But, “this article shows compelling evidence that the US powerbase, specifically, intelligence, believes Donald Trump’s presidency would be a threat to national security”.

It is a subtle, but all important difference.

America has plenty of corruption. Every nation does. People should judge nations from a globalist perspective. That is my belief. Americans and Russian people are equally deserving to have the best life possible. A Russian person is not less valuable than an American person, nor the other way around.

Some nations, like some people, are better off than others. Russia and the US both have severe problems; it is too difficult to state which is worse, and there are far too many contexts to consider in such simplistic statements.

Not the objective of my statements.

r August 19, 2016 12:57 PM

@All,

Forgot to post this earlier:

https://motherboard.vice.com/read/researcher-grabs-cisco-vpn-password-with-tool-from-nsa-dump

Something interesting inside of it may help narrow the originating leak window:

“Cisco officially stopped selling PIX products back in 2009.”

“According to Al-Bassam, the tool references PIX versions 5.2(9) up to 6.3(4). However, Brian Waters said he carried out his test on hardware running the 6.3(5) version, implying that the attack may work on other versions of PIX than those listed in the tool’s code.”

Not to give away any ideas, but I can’t imagine them not watermarking their own code. Maybe rolling back the tapes (if they have them) would help.

Nobody August 19, 2016 1:02 PM

@Daniel

‘Attribution is hard, nobody should be jumping the gun’.

Daniel, I am not jumping the gun on attribution. I doubt Schneier is, either.

Because anyone familiar with forensic attribution issues, especially in regards to nation state behavior, knows just how iffy that is.

In fact, one statement I like to make is that one really scary thing about nation state direct action cyber attacks is once they are made, it is easy for an enemy to take those attacks and forge them making further attacks on their behalf.

And we all know that the US certainly got into the Vietnam War exactly because of such false information via the Gulf of Tonkin. And the US got into WWI because of a forged letter.

We do not have absolutely conclusive evidence on any nation state attack, just about.

There is only “motive, means, and opportunity”. Which is a great and useful phrase. And it then creates “forensic signatures” and “forensic methods of operation”. But, all of these things can be, if one gets very literal about it, a ‘castle made of sand’.

One falsehood propped up by another.

Burn before reading.

@r

Not to stroke our egos, but we don’t know how many moves they are (or aren’t) ahead. Any ideas present contingency or alternative paths moving forward. There is no guarantee Trump losing wasn’t the intent – look at how quickly Turkey is galvanizing.

I do totally agree and appreciate that comment.

CallMeLateForSupper August 19, 2016 1:26 PM

@Don
“2. Only one country in the world knows or cares about the game apparently called baseball. Just one.”

On behalf of Japan, you are full of beans.

@r
“What do we do then about Congress and the Senate?”

Um… Your slip is showing. The Senate is part of Congress.

r August 19, 2016 2:20 PM

@What street is Canaduh on?

Haha, those three countries slipped my mind too. It’s funny how Americentric we can all be huh?

I guess the public education system works wonders huh? @CallMeLateForSupper

r August 19, 2016 2:23 PM

@Nobody,

Actually, considering nsa.gov is still offline – they may be thoroughly investigating the cough weapons leak. They may not want to use any other exploits in the meantime due to a diswant to feed the Russian(?) trolls any more cough information… which would mean that potentially our understanding of the Turkish media situation is limited currently.

r August 19, 2016 2:27 PM

@Nobody,

I really do believe Turkey and the financial chokehold is the real target, everything else is just chaff to keep us occupado – the olympics are going, the DNC & DCCC, the election… it’s all a tightening of the screws. How much can our intelligence hope to accomplish when the Russians switched to paper?

Intercept the Russian postal service?

Playing With The Fabric Of Democracy August 19, 2016 2:34 PM

@r: “What do we do then about Congress and the Senate?”

6 year term limits sound about right to me. We could try starting with 10 if that’s easier to achieve politically. Though getting it discussed more is an important first step.

r August 19, 2016 2:44 PM

@Playing,

6 & 4 would allow a complete change over every 12 years. It would also help remove the every 2 years we have this annoying and confusing bs in our lives.

Poke fun at me all you want folks, what can we really accomplish when we only have two out of four years when our system isn’t worried about being re-elected?

They have to worry about their jobs too yanno. 😛

JimmyComeLately August 19, 2016 7:19 PM

@ r, “They have to worry about their jobs too yanno. :P”

Jobs? you mean like giving speeches at a rate of $1 Million a pop? ask the Clintons.

@ r, “Actually, considering nsa.gov is still offline”

Can’t they just boot it back up? What’s the hold-up?

@ Nobody, “This is part of a truly landmark hack. That is what my posts was about.”

IMHO, it’s not a hack. It has all the hallmarks of a whistleblower.

Dennis August 19, 2016 7:31 PM

@ Nobody, “As noted, Trump will not win. Clinton will win. Their strategy was entirely contingent on Trump winning. Their strategy was to aid Trump in winning. But, not only did they “bet on the wrong horse”, they miscalculated how certain these activities were to backfire.”

I don’t think they are “banking” on either side winning.

The recent trend has been the attack on our moral high ground of status quo. The idea or exposure that a group of “King Makers” exists as permanent cons (and libs) in our society to rig commoner’s games, has been raised by the ex-communistic regimes as a smear on American and Western European neo-liberalism and the moral high ground of liberty and freedom.

David August 19, 2016 7:41 PM

@ Don, ” Only one country in the world knows or cares about the game apparently called baseball. Just one.”

I don’t think it’s fair to give a sport a nationality. Baseball is professionally supported in USA, but don’t assume every American cares about baseball. Likewise, baseball is gospel in a great many South and Central American nations.

Countries don't play sports. People do sports.

Eric August 19, 2016 7:59 PM

@ Nobody Servant of the Many Faced God

re: “Game of Thrones”

You know a series is bad when it relies on the pr0n factor. Virtually every female in the series, save the fugly ones and underage, went naked at least once.

This goes the same for book writers.

Wael August 19, 2016 9:33 PM

@r,

The fat lady isn’t singing, please let’s cancel the headliner.

Haven’t you heard:

Aaaaaakh khoooooooo khaaaaaaa uuuuuuh ahem ahem ahem…?

That, my dear friend, is the sound of the fat lady clearing her throat, before she sings. That’s not scary, though! It’s not really over until someone has mourned the rest of us… And that’s what’s really scary!

r August 19, 2016 9:39 PM

@jimmyComeLately,

At this point, this is no longer whistle blower material. This is and I’m going to get myself in trouble for this, but this is arms, this is weapons, a whistle blower would not have dropped a cache like this on the unprepared masses. Unless that auction contains who what where when and all we saw was with, there is really no excuse for going the irresponsible route.

ianf August 19, 2016 9:45 PM

Reliance on naked flesh onscreen is in itself not the discerning factor whether some storytelling is bad, but in the Game of Thrones (the first + one more episode that I’ve seen to learn what it is about) it was used to cover dumpster truck-sized narrative holes, absence of any kind of logic even within its perverted fantasy world, and pretence that it recounts some profound amalgamated legend of Yore. I’d think nothing of it if it only weren’t for the hordes of predominantly young female TV reviewers who seem to find the prospect of being rogered on an altar by a wild-boar-masked chained slave alluring(?).

Tatütata August 20, 2016 1:29 AM

r: “Actually, considering nsa.gov is still offline – they may be thoroughly investigating the cough weapons leak.”

“XKCD on the CIA hack”

here and there

Hillary's Neurologist August 20, 2016 6:45 AM

Nobody said:

Another good article with opinion from fmr nsa and counterintelligence on Russian hacking:

http://observer.com/2016/08/vladimir-putin-has-already-won-our-election/

Whether you like it or not, the fact remains that from the US perspective Trump getting elected is a danger to national security at this point.

The hypocrisy is too much for me to stand. Wikileaks was the HERO of the left during the Bush administration, back when they were releasing Iraq videos handed to them by “Chelsea” Manning. Now, suddenly, Julian Assange is an agent of the Kremlin out to destroy America? You can’t make this stuff up.

The left has always denied there was any communist subversion in America during the Cold War — a figment of McCarthy’s imagination they tell us. Now we have the “Observer” telling us about how Washington was virtually controlled by a cabal of commies in the 40’s and how, if we’re not careful, America will be swamped with Putin’s commie agents again. I had to do a double take to ensure I wasn’t reading an article from the John Birch Society (circa 1965). This is EXACTLY the kind of stuff they published back then.

Politics does funny things to people’s rationality. We have the left in America (who have always been huge fans of communism in general) telling us we need to be scared to death of Russia subverting us from within. We have people telling us (with straight faces) that Trump is an agent of the Kremlin and has Kremlin “staffers” on his advisory team. All of this because Trump said he doesn’t want to go to war with Russia. It’s all ludicrous, of course, but that doesn’t matter in times like these.

The left tells us Trump doesn’t know shit about foreign policy (and I agree), but are paradoxically trying to paint him as some mastermind working in secret with Russia. You can’t have it both ways. The truth is that Trump probably can’t even find Russia on the map.

What’s really at the heart of this comedy is the Democrats are just pissed that Clinton’s shenanigans have been exposed. They are simply trying to deflect attention away from it by reviving an old enemy that strikes fear in most Americans over 40: Russia. They will do anything they can to stop the public from asking about the emperor’s new clothes (Clinton cash, Clinton’s felonious e-mail server, Clinton and the DNC’s conspiracy to screw Bernie Sanders, the murder of Seth Rich, George Soros telling Hillary how high to jump, etc.). They are just angry that the dirty laundry of Clinton and the DNC are out there for the world to smell, so they have to invent an even more odious enemy. They need their boogie man and they need him now.

If the Kremlin had hacked Trump or the RNC, Russia would be lauded as heroes by the same people telling us “we must strike Russia” now. Do not even try and argue that I am wrong.

Oh, and the disclaimer at the bottom of the Observer article was priceless:

“Disclosure: Donald Trump is the father-in-law of Jared Kushner, the publisher of Observer Media.”

Now for my conspiracy: I think Trump is not an agent of Russia, but is actually an agent for the DNC put there to arouse populist sentiment, say outrageous things, and to discredit the Republicans. It has worked and will win the election for Clinton (perhaps the most dishonest and crooked politician in American history).

Grauhut August 20, 2016 7:09 AM

@Hillary’s Neurologist: The problem is the decline of the “Democracy Show” format from theatrical niveau to soap opera! 🙂

The good old political-journalistic mass media propaganda complex is broken up by internets social media and the more digital natives work in the news biz, the harder it gets.

Those new generations know the importance of their social credibility capital and they have no gifts to give when it comes to likes and followers.

ianf August 20, 2016 5:15 PM

David: “Countries don't play sports. People do sports.”

As far as I know, the sport of baseball is the closest that both Japan, and the Cuba-Cubans, have to a national religion. I.e. neither sumo nor voodoo, respectively.

Ted August 20, 2016 5:50 PM

https://www.us-cert.gov/ncas/current-activity/2016/08/20/Cisco-Releases-Security-Updates

Cisco Releases Security Updates
Original release date: August 20, 2016

“Cisco has released security updates to address vulnerabilities in several products. Exploitation of some of these vulnerabilities could allow an unauthenticated remote attacker to take control of an affected system.”

“Users and administrators are encouraged to review the following Cisco Security Advisories and apply the necessary updates”

Gary August 20, 2016 11:04 PM

@ ianf, “As far as I know, the sport of baseball is the closest that both Japan, and the Cuba-Cubans, have to a national religion. I.e. neither sumo nor voodoo, respectively.”

Sports are supported through national and/or local government budgets or funds funnelled through various NGOs, so in essence it is part of a national policy. A nation can decide, through its committee of governors, which particular sports they budget for. This is very important to promote a sport because without money to support a sporting career path from prodigy to player to coach, pay for equipment, coaching, and scouting, athletes cannot develop to the best of their abilities.

Professional teams can pick up most of the athlete development process as part of their business strategy, but in countries like the USA much of the early scouting and training of young athletes is done through public schools, at least until high school. It varies from sport to sport and country to country, but the general idea is the same and connected in one way or another.

Sporting is not only a big money business, a national pride, but also part of a social engineering paradigm.

r August 20, 2016 11:30 PM

@Gary, ianf

North Korea is big on big game hunters: international banks.

The joke is, South Korea popularized StarCraft.

kekeke

CallMeLateForSupper August 21, 2016 5:19 PM

Equation Group Initial Impressions – Aug 17, 2016 • Stephen Checkoway
“I decided to take a quick look at some of the “cyber weapons” this morning and I’m pretty underwhelmed by their quality.”
https://www.cs.uic.edu/~s/musings/equation-group/

I like the title BoingBoing used for its heads-up about it: “The Equation Group’s sourcecode is totally fugly”

ianf August 23, 2016 3:48 AM

More clearing up backlog from what feels like a month, though it’s from like a week ago.

@ Winter

“[…] Showering? Using a damp cloth once a week is enough if the alternative is dehydration.”

LUXURY. We were so poor we didn’t have a cloth to damp us with. Occasionally our mother licked us clean behind the ears IF she had enough saliva left over from selling it a spit at a time to punters in the Market Square. And I know what I’m talking about, ’cause I’m one of these previously uncovered here Yorkshiremen, remember?

@ Dirk Praet

… the drums of war, in past and present sent off to the battle fields the children of the little people, all while making sure their own offspring was exempted

An irony of the ongoing trend to robotize offensive Western warfare in Iraq, Afghanistan, Pakistan, Yemen, is that the absence of physical enemy troops on the ground makes the bombed/predator-drone’d populations there vehemently anti-Western, and prone to support the “export” of their thirst for revenge to the West any which way they can. But of course, it looks good on the teleprompter when the military “kill ratios” are in the range of 1:250000 affected combatants, as it sounds more like any low-attrition-rate conflict than a “proper” war.

ADMINISTRIVIA @ Gary

’tis not the place for such deliberations, and, anyway, you may well be older than me, but as one writer to another, I think that you should develop this apparent ability of yours to deliver perfectly bland printable copy on uncontentious subjects such as (here) “sports’ place in a society” further, package it nicely, and offer it to news organizations at a discount. They always look for filler pieces, and cannot get away with the usual Lorem ipsum no mo.

Nobody August 23, 2016 6:56 AM

Looking like it definitely was an insider, probably even posing as “Shadow Brokers” (as opposed to the theory that they passed these files off).

http://www.theregister.co.uk/2016/08/23/nsa_hack_auction_looks_written_by_an_english_speaker_linguist/
http://arstechnica.com/security/2016/08/hints-suggest-an-insider-helped-the-nsa-equation-group-hacking-tools-leak/

So, a contractor or employee took this stuff in 2013, and what, is that the latest stuff they took? And they are just floating around, where (the States, probably), posting stuff? Sending stuff off to the now discredited Appelbaum and others, finally attempting to pose as Russians via this Shadow Brokers gag? Bizarre. They must like their adrenaline rush and looking over their shoulder.

I do think “the Shadow Brokers” meant to come off as Russian and they intended to tie this into the DNC hack. Maybe they just wanted to ride on the publicity coattails of it all, to stay relevant.

@JimmyComeLately

@ Nobody, “This is part of a truly landmark hack. That is what my posts were about.”

IMHO, it’s not a hack. It has all the hallmarks of a whistleblower.

I did not disagree; by “the hack” I meant the DNC hack, but also this, which seemed related. And, sideways, both as a social hack in terms of the media presentation of the data.

@Hillary’s Neurologist

The left has always denied there was any communist subversion in America during the Cold War — a figment of McCarthy’s imagination they tell us. Now we have the “Observer” telling us about how Washington was virtually controlled by a cabal of commies in the ’40s and how, if we’re not careful, America will be swamped with Putin’s commie agents again. I had to do a double take to ensure I wasn’t reading an article from the John Birch Society (circa 1965). This is EXACTLY the kind of stuff they published back then.

The article is by a former NSA and counterintelligence officer.

They very often are like folks that were in 1965’s John Birch Society.

I think “the left” was not ‘copying and pasting’ that editorial into their new mindset. I would actually point out that Clinton is pretty damned conservative on foreign policy, also.

Trump really does have a number of people on his payroll who are also on Russia’s payroll. This became further big news this weekend as his chief stepped down. And, Trump’s statements regarding Russia and this hack have definitely been way, way over on Putin’s ass kissing side.

FYI, as for myself, I am neither left nor right.

I am liberal, personally, and liberal on many domestic issues, but very conservative on many foreign policy issues. However, this is a deep oversimplification.

I do not vote. I despise the mindless politics I see on both sides of the fence, though I do bother to read from both outlets. To me, both groups seem like mindless herds. I am often disgusted at the patent intellectual dishonesty I see from both groups.

They both act like retarded babies when out of power, and spare no lie no matter how grievous and obvious.

@AUSTISTIKI

CIA ran your country the same way with Vegetable-in-Chief Ronald Reagan and with credential-free empty suit Barack Obama. When JFK showed signs of insubordination to his CIA handlers, CIA shot him. When Carter annoyed CIA they treasonously prolonged the captivity of the Teheran Embassy hostages to make him lose. A US President has less workplace discretion than a fry cook at McDonald’s, thanks to CIA impunity. So don’t listen to washed-up perv John Schindler, for chrissakes. His advice is even more embarrassing than his unwelcome dick pics. (Look him up.)

As for Turkish anti-Americanism, yeah, maybe CIA shoulda thought of that before trying to knock it over. Putin corruption? Putin himself is incorruptible, as people who have been there know. That’s what drives CIA up the wall.

Well, then, that makes two NSA officials commenting on the story who had dick pic tragedies.

Didja know that one?

I won’t name the other one, because I know and like him. And the only reason I even mention it is because of the irony… and because most of what you read about him is bullshit cover stories.

People think because someone says they worked here or there, they really did. Yet, just last year a guy who had been a major “former CIA” on primetime news for years was outed as never being CIA at all.

How much worse is it when you have a false background put there by well-resourced intelligence?

As for naive, my whole background is false; anyone attempting to research it is in for a giant maze with a drunken, angry minotaur right in the middle of it. I work with folks I have known since high school who wear masks as part of their job.

None of them will ever tell you they don’t do social media, because there is a huge farm out there creating family and school photographs and keeping alive entire societies of “real” people standing right in for them.

But, you are not the idiot you pretend to be, or you would be using somewhere the word “the” before your usage of the word “CIA”.

And you have a real eye to specific historical details, even if you did dose on that gravy of bullshit thick with your JFK conspiracy theory.

Always helps to dollop on an alien conspiracy, 911 conspiracy, or some other dim-witted crock of shit conspiracy theory to help bring down your appearance of professionalism a notch or two.

After all, no American government person would ever spout off any of those crazy conspiracy theories.

But, the CIA is a pretty weak group. Even you didn’t try and say the US is now run by the CIA.

Hard for anyone to claim they run anything, as you just saw a few years ago, their head get chased out because of a skirt scandal coughed up by the FBI.

And it is the FBI beating down on Clinton.

The Bush Administration lost 50 million emails, and who even remembers that? But, Clinton’s “email scandal” makes the front page every single day.

Even if the CIA did kill JFK, which is very far fetched, what would they have earned from that? Kennedy was not pulling out of Vietnam, and LBJ did not go back into Cuba.

Putin really is playing himself as Czar, and the FSB and SVR, aka the old KGB fun club, really are mixing business with pleasure for personal profits. Czar means Caesar, btw. Exactly where that word comes from. Estimates of his personal wealth range from 1 billion to 500 billion.

Though, his country is largely meaningless and powerless for anything but a useful diversion and pawn in the Middle East. Putin’s capital is impressive, but merely because he stole his nation’s industries and put them in his own pocket. Russia is way down on the GDP list of nations.

And yeah, the best conspiracy theory of the season is and always has been that Trump is playing all of this game to wreck the election so Clinton wins.

Hillary Clinton is your Andy Kaufman, and Donald Trump is your Tony Clifton.

But, yeah, ‘everything is under control’. Just not by anything with a name given out yet.

Greatest show on earth, as the song goes.

https://www.youtube.com/watch?v=mNBdD5aVMTc

FabianRODES August 26, 2016 2:08 AM

Thanks Bruce for this paper.

I was wondering why there is no detection performed in antivirus signatures to inform customers (private or company) that they have been hacked using those tools.

For example, SECONDDATE adds the pattern “ace02468bdf13579” to the binary code; it’s then not complicated, when the exec files (.exe, .dll and more) are scanned, to detect that they were altered.

I have questioned Kaspersky antivirus, which responded in the negative on such a point (see the exchange on the KasperskyLab forum).
I would be very interested in your opinion about the subject of such APT detection by mass antivirus solutions.

Best regards
Fabian, Lille/France
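The check the comment above asks for, as an added example that is neither the blog post's nor any antivirus vendor's code: a small Python scanner that looks for the literal SECONDDATE marker string the comment cites. The only fact taken from the page is the marker value “ace02468bdf13579”; the directory layout, the sample files (constructed here, not real binaries), the extension filter and the chunked-read scheme are assumptions made for illustration. The scanner reads files in chunks with a 15-byte carry so that a marker straddling a read boundary is still found, and notes whether a hit sits in something that at least starts like a PE image.

```python
"""Scan files for the SECONDDATE marker string cited in the comment above.

Added example, not code from the blog post or from any antivirus vendor. The
only fact taken from the page is the marker "ace02468bdf13579"; file layout,
sample contents and the chunked-read scheme are assumptions for illustration.
"""
import io
import os
import re
import tempfile
from typing import BinaryIO, List, Tuple

# Marker reported for SECONDDATE-modified binaries (from the comment above).
SECONDDATE_MARKER = b"ace02468bdf13579"

# Extensions named in the comment; other files are only scanned with scan_all=True.
PE_EXTENSIONS = {".exe", ".dll", ".sys"}

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large binaries are not loaded whole


def find_marker(data: bytes, marker: bytes = SECONDDATE_MARKER) -> List[int]:
    """Return every byte offset at which `marker` occurs in `data`."""
    return [m.start() for m in re.finditer(re.escape(marker), data)]


def scan_stream(fh: BinaryIO, marker: bytes = SECONDDATE_MARKER,
                chunk_size: int = CHUNK_SIZE) -> List[int]:
    """Scan a binary stream in chunks and return absolute offsets of `marker`.

    The last len(marker)-1 bytes of each chunk are carried into the next read,
    so a marker that straddles a chunk boundary is still found. Because the
    carry is shorter than the marker, no match can be reported twice.
    """
    overlap = len(marker) - 1
    carry = b""
    base = 0  # absolute file offset of carry[0]
    hits: List[int] = []
    while True:
        chunk = fh.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        hits.extend(base + off for off in find_marker(buf, marker))
        if len(buf) > overlap:
            base += len(buf) - overlap
            carry = buf[-overlap:]
        else:
            carry = buf
    return hits


def scan_bytes(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[int]:
    """Convenience wrapper: scan an in-memory blob with the same chunk logic."""
    return scan_stream(io.BytesIO(data), chunk_size=chunk_size)


def scan_tree(root: str, scan_all: bool = False) -> List[Tuple[str, List[int], bool]]:
    """Walk `root` and return (relative path, offsets, looks_like_pe) for each
    file containing the marker. A file "looks like PE" if it starts with "MZ".
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not scan_all and os.path.splitext(name)[1].lower() not in PE_EXTENSIONS:
                continue
            with open(path, "rb") as fh:
                looks_like_pe = fh.read(2) == b"MZ"
                fh.seek(0)
                offsets = scan_stream(fh)
            if offsets:
                findings.append((os.path.relpath(path, root), offsets, looks_like_pe))
    return sorted(findings)


def build_samples(root: str) -> None:
    """Write three constructed sample files (not real binaries) into `root`."""
    header = b"MZ" + b"\x90" * 64  # fake DOS stub, 66 bytes
    clean = header + b"This program cannot be run in DOS mode." + b"\x00" * 64
    implanted = header + b"\x00" * 7 + SECONDDATE_MARKER + b"\x00" * 64
    notes = b"see " + SECONDDATE_MARKER + b" in the dump\n"
    for name, body in (("clean.exe", clean), ("implanted.dll", implanted), ("notes.txt", notes)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


def demo(scan_all: bool = False) -> List[Tuple[str, List[int]]]:
    """Build the samples in a temp dir, scan them, and return (name, offsets)."""
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        return [(name, offs) for name, offs, _pe in scan_tree(root, scan_all)]


if __name__ == "__main__":
    for name, offs in demo(scan_all=True):
        print(f"{name}: marker at offsets {offs}")
```

Run it against a real directory with `scan_tree(path)`; it reports the implanted sample at offset 73 and, with `scan_all=True`, the plain-text note as well, which is exactly the kind of false positive a literal-string signature produces on analysis notes and copies of the dump itself. A fixed byte string is also brittle in the other direction: a rebuilt implant with a different identifier, or a packed or encrypted payload, would not be caught, which is one reason vendors prefer structural or behavioural indicators over a single literal.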
