NSA Using Cyberattack for Defense

These days, it's rare that we learn something new from the Snowden documents. But Ben Buchanan found something interesting. The NSA penetrates enemy networks in order to enhance our defensive capabilities.

The data the NSA collected by penetrating BYZANTINE CANDOR's networks had concrete forward-looking defensive value. It included information on the adversary's "future targets," including "bios of senior White House officials, [cleared defense contractor] employees, [United States government] employees" and more. It also included access to the "source code and [the] new tools" the Chinese used to conduct operations. The computers penetrated by the NSA also revealed information about the exploits in use. In effect, the intelligence gained from the operation, once given to network defenders and fed into automated systems, was enough to guide and enhance the United States' defensive efforts.

This case alludes to important themes in network defense. It shows the persistence of talented adversaries, the creativity of clever defenders, the challenge of getting actionable intelligence on the threat, and the need for network architecture and defenders capable of acting on that information. But it also highlights an important point that is too often overlooked: not every intrusion is in service of offensive aims. There are genuinely defensive reasons for a nation to launch intrusions against another nation's networks.

[...]

Other Snowden files show what the NSA can do when it gathers this data, describing an interrelated and complex set of United States programs to collect intelligence and use it to better protect its networks. The NSA's internal documents call this "foreign intelligence in support of dynamic defense." The gathered information can "tip" malicious code the NSA has placed on servers and computers around the world. Based on this tip, one of the NSA's nodes can act on the information, "inject[ing a] response onto the Internet towards [the] target." There are a variety of responses that the NSA can inject, including resetting connections, delivering malicious code, and redirecting internet traffic.

Similarly, if the NSA can learn about the adversary's "tools and tradecraft" early enough, it can develop and deploy "tailored countermeasures" to blunt the intended effect. The NSA can then try to discern the intent of the adversary and use its countermeasure to mitigate the attempted intrusion. The signals intelligence agency feeds information about the incoming threat to an automated system deployed on networks that the NSA protects. This system has a number of capabilities, including blocking the incoming traffic outright, sending unexpected responses back to the adversary, slowing the traffic down, and "permitting the activity to appear [to the adversary] to complete without disclosing that it did not reach [or] affect the intended target."

These defensive capabilities appear to be actively in use by the United States against a wide range of threats. NSA documents indicate that the agency uses the system to block twenty-eight major categories of threats as of 2011. This includes action against significant adversaries, such as China, as well as against non-state actors. Documents provide a number of success stories. These include the thwarting of a BYZANTINE HADES intrusion attempt that targeted four high-ranking American military leaders, including the Chief of Naval Operations and the Chairman of the Joint Chiefs of Staff; the NSA's network defenders saw the attempt coming and successfully prevented any negative effects. The files also include examples of successful defense against Anonymous and against several other code-named entities.

I recommend Buchanan's book: The Cybersecurity Dilemma: Hacking, Trust and Fear Between Nations.

Posted on February 22, 2017 at 6:21 AM • 104 Comments

Comments

wiredog • February 22, 2017 6:32 AM

Of course now the Chinese and others know about the penetrations by the NSA and can counter them, making the US more vulnerable. Thanks for blowing the operation Mr. Snowden!

Ph • February 22, 2017 6:41 AM

But if the Russians penetrate USA networks in order to enhance their defensive capabilities the dung hits the fan.

Don't do unto others what you don't want to be done to you.
The old adage still goes.

JO • February 22, 2017 6:53 AM

Interesting. I wonder what measures they take to make sure they aren't just hitting a honeypot and therefore the data they collect is merely misdirection. While they are keeping a close eye on the "future" targets and the discovered vuln targets, they are then spending less resources on the *actual* target of which they are unaware.

dim • February 22, 2017 7:55 AM

Another proof that Snowden is a traitor and a criminal who succeeded, unbelievably, to rally behind him people who believe in things unrelated to his treason - privacy and human rights. The damage that he caused to the national security of America and its allies is beyond precedent.

Let's hope that Trump's new buddy Putin will extradite Snowden's ass to US so he can face the court of justice instead of lurking in Moscow while sending self-righteous tweets.

Littel Fish • February 22, 2017 8:25 AM

Ahah. Now we know where NSA got 'authority' to get into the cyberpants of the Italian judiciary. The Italian justice system is the Number One threat right now. Keeping Sabrina de Souza shtum when she gets there is CIA's vital interest. Can't have a stool pigeon blabbing about CIA command responsibility for the crime against humanity of systematic and widespread torture in secret death camps!

Every Italian and Portuguese NGO involved in this travesty of justice should take the time to run Thor or Fenrir. They'll find NSA there.


http://www.chron.com/news/crime/article/Portugal-to-extradite-ex-CIA-agent-to-Italy-10947207.php

Steve Carr • February 22, 2017 8:39 AM

Freedom of speech and freedom of the internet; that net neutrality was a way for the government to get their greedy hands on the internet. Stop the Government from spying on everybody. Use the search engine that does not change its results for political reasons and respects your privacy, just good old-fashioned results that are not tracked. Lookseek.com. Have a great day.

Steve • February 22, 2017 8:45 AM

Before the huffing and puffing about "traitorous" Snowden gets too loud and strident (can you huff or puff stridently? No matter. Stay with me), let me interject that whatever "revelations" we're now getting from his documents, they're now all several years old and, therefore, most likely obsolete.

In fact, I've often wondered how much of the information wasn't deliberately fed to Snowden by the NSA.

Consider this: someone noticed that St. Edward was sniffing around, reported him to superiors, and they decided rather than bust him, they lay a nice big honeypot out for him with a combination of real, hypothetical, and outright fanciful disinformation. He bites, takes it and runs, and the world is misdirected about NSA's real capabilities.

Do I necessarily believe this?

No.

Do I think it's possible?

Maybe. Remember who we're dealing with here. Spooks.

Something to consider before swallowing the next Snowden "revelation" whole, though.

Clive Robinson • February 22, 2017 8:47 AM

There is a lot of hyperbole about "Cyber" and it's mainly the same centuries-old shit renamed for modern times.

Take the statement,

> There are genuinely defensive reasons for a nation to launch intrusions against another nation's networks

This is what we call "espionage", which is a fancy name for what are criminal activities ranging from theft and breaking and entering through to murder etc. It's predicated on "Do unto others before they do unto you", which is typical illegal reasoning that "Might is right", which goes back to Kings and their supposed "Divine Right".

Look at it this way...

    Your neighbour looks like a criminal type, and you think they might break into your rickety old house. So rather than take measures such as installing locks, bolts and window fasteners that will stop any petty burglar, you break into your neighbour's house. You go through all their possessions looking for anything you can further your suspicions about, and if you can't find anything that means they must be hiding it somewhere, so to be safe you place bugging equipment in every room...

If I did that to you it's not the police you'd be asking for but mental health professionals to have me sectioned.

Further, think about the fact that whilst locks, bolts and fasteners work against all burglars, you'd have to break into every house of every person to get the same level of protection. The waste of your resources would be immense. Now imagine how much worse it would be if everybody else tried to break into your rickety old house using the same logic...

Several hundred years ago statesmen started to wise up to this waste of resources and, further, out of self defence started to pass treaties to "stop the madness", which is why those carrying out espionage in many places are committing a "capital crime" or worse a "primary act of war", or if an agent the capital crime of treason.

The fact that the espionage is carried out from your desk in another country does not change the nature of the crimes, it just makes them harder to prosecute, thus kinetic action on your home soil more likely...

As the old saying has it, "People in glass houses should not throw stones", and the US over-dependency on technology makes it the largest glass house on the planet. Have people forgotten the real message from 9/11? A bunch of untrained individuals with primitive weapons turned US high tech against the US. That's a war you cannot win by trying to hack a meeting where those who attend are without computers or other communications technology and are sitting around a goat shit fire in a cave in a mountain...

SigInt fails badly in asymmetric warfare; it's the boots on the ground of HumInt that would be more reliable, but the US turned from all of that and chucked vast sums on the SigInt etc. of the NSA and NRO when a U2 went down. Many analysts will tell you what a waste of money and resources it has been.

That sort of hacking only really works against a technically sophisticated opponent. Arguably the most technically sophisticated opponents to the US Government are the very same people who supply the technology to the US... Its citizens...

Clive Robinson • February 22, 2017 8:57 AM

@ JO,

> I wonder what measures they take to make sure they aren't just hitting a honeypot and therefore the data they collect is merely misdirection.

You can spot most honeypot networks with what looks like a "skiddy" ping attack, because those running honeypots don't put in the resources to make them realistic, therefore there is a lack of "delta" in the system. I've mentioned how to do this quite a long time ago on this blog and I've subsequently thought up other ways to achieve even better knowledge on the suspect systems with other attacks that either look even more like inept attacks or have very low visibility.

Clive Robinson • February 22, 2017 9:12 AM

@ Steve,

> let me interject that whatever "revelations" we're now getting from his documents, they're now all several years old and, therefore, most likely obsolete.

From a technical perspective they were very old when Ed Snowden collected them, let alone released them. Many of the technical techniques were well known outside the IC long before. In fact there is a very high chance that the IC actually did not invent the techniques.

This became especially clear with the later release of the TAO catalog. There was nothing new or original in it, and it was very very far behind techniques that were very much in the public domain.

There is a myth of "Omnipotency" surrounding the US IC especially in technical matters. As I said at the time they were behind the curve when the TAO catalogue was current.

Spuds McEnzie • February 22, 2017 9:38 AM

What's really cool is how the U.S. can use other countries' botnets as a conduit through which to attack. So they can make it look like an attack came from North Korea, when really it was puppet master "Uncle Sam" who was pulling the strings. Kind of like when your older brother would hold you down and make you hit yourself repeatedly while asking, "why are you hitting yourself?" Just remember who invented the internet. All other countries are "remote extensions".

Concerned Citizen • February 22, 2017 9:50 AM

Is offense really a good defense? Whatever the NSA has been doing it has not been effective in protecting the government's most valuable secrets as seen by the OPM hack, the DNC hack, and the Snowden leak itself. The original sin here is putting offense in front of defense. No one wants to do defense because it is difficult and unglamorous so instead we pour money into expanding offensive capabilities and call it defensive. This strategy is not working. Worse, setting the precedent that government sponsored espionage via network intrusion is an acceptable practice sets up our own government as a legitimate target for others. And we are exquisitely vulnerable. The US is more heavily reliant on digital technologies than any other country, yet we continue to ignore our own glass house and throw stones upon others in hopes no one will notice. Pure folly!

Ross Snider • February 22, 2017 10:12 AM

Turns out that signals interception is useful for espionage and intelligence? Who knew?! Not sure I'd call this a new revelation.

I'm also not sure I would agree we can't learn anything new from the documents.


The "new" thing to learn from Snowden is that everyone is a surveillance target and the capabilities of intelligence far outstrip the operational defenses of everyday citizens.

H Dumpty • February 22, 2017 10:15 AM

@Clive Robinson

>If I did that to you it's not the police you'ld be asking for but mental health professionals to have me sectioned.

"Sectioned"? Is this UK euphemism for getting someone involuntarily committed to a mental institution? (I don't suppose you were talking about being cut into pieces. :) )

Ross Snider • February 22, 2017 11:30 AM

Ben Buchanan is a Wilson Center Global Fellow and a Postdoctoral Fellow at Harvard University's Cybersecurity Project, where he conducts research on the intersection of cybersecurity and statecraft. His first book, The Cybersecurity Dilemma, was published by Oxford University Press in 2017. Previously, he has written on attributing cyber attacks, deterrence in cyber operations, cryptography, election cybersecurity, and the spread of malicious code between nations and non-state actors. He received his PhD from King's College London in the Department of War Studies, where he was a Marshall Scholar, and earned his masters and undergraduate degrees from Georgetown University.

Just some context: the guy contributes to the Wilson Center.

The book is obviously interesting. The intersection of cyberwarfare, sovereignty, national security and international law needs far more study.

It's just inappropriate to recommend his book based on the idea it adds something new to the Snowden Documents.

Wael • February 22, 2017 11:47 AM

Hmm ... a book recommendation! I have a digital stack of unfinished books... But what's an extra line on a zebra?

> The computers penetrated by the NSA also revealed information about the exploits in use. In effect, the intelligence gained from the operation, once given to network defenders and fed into automated systems, was enough to guide

And of course the adversary who's reading this won't adapt their defense strategy to alter the reality of the extrapolated information? Chances are they're doing the exact same thing, and that's being optimistic :)

parkrrrr • February 22, 2017 2:16 PM

Does anyone else think the code names in the quoted section look like something out of Charlie Stross's Laundry Files series, or is that just me?

Andrew • February 22, 2017 2:23 PM

Seems legit, Russians and Chinese also attack US networks and screw elections in order to increase their own defense capabilities.
Probably the whole world is "increasing their defense capabilities" these years...

Martin Bonner • February 22, 2017 2:46 PM

@H Dumpty:

"Sectioned" is indeed a UK term. It means "detained under section 2, 3, 4, or 5 of the Mental Health Act 1983" (I have a friend who, among other things, does this for a living.)

Dirk Praet • February 22, 2017 3:16 PM

@ Martin Bonner

> I have a friend who, among other things, does this for a living.

Is there any way we could interest him in doing some pro bono work at the White House, Washington DC?

My Info • February 22, 2017 5:24 PM

☕☕☕☕☕

Great. Now the Mormons who work at the NSA's new Utah Data Center near Saratoga Springs are free to sabotage my IoT coffee pot in the middle of the night.

☕☕☕☕☕

Sancho_P • February 22, 2017 5:26 PM

@Wael

> ”And of course the adversary who's reading this won't adapt their defense strategy to alter the reality of the extrapolated information?”

Err, no, no worries.
The term “intelligence” might be misleading in this context, as @Clive gave a hint at.
Our Masters Of The Universe forgot to lock their own door before hiding under the neighbor’s bed.
Seems unbelievable, but their adversary must be below that intelligence level.

NSA stands for “Not Securing America”.
Even after Snowden they do not understand that insecure is insecure.

Miss Fire • February 22, 2017 6:21 PM

Well now, if the `cat **` isn't out of the bag?

Do we still really need vindication after all this time?

Since when do attacks 'only get better' ?

I always thought of them as only 'getting worse'.

What kind of drastic change would have to happen for man, any man; to denounce this kind of opportunity?

It quite frankly has no other choice but to be done as: somebody has to do it. Can you trust that we (the united states) are not the only 1's (doing IT)?

I'll tell you what, let's make a deal: I have the official capacity right here and now to turn it all off. Does that sound alright to you?

There's a trick though,

you first.

John Smith • February 22, 2017 6:25 PM

"The NSA penetrates enemy networks in order to enhance our defensive capabilities."

Oh, please. I was born at night, but not last night.

An LEO penetrates a protester's skull with a baton in order to enhance the protester's capabilities.

A CIA interrogator penetrates the rectum of a black site prisoner in order to enhance the prisoner's defensive capabilities.

Why are you peddling this pig slop for the naive, Bruce? Then again, you're the "security expert" who had no idea who ex-NSA Bill Binney was.

r • February 22, 2017 6:33 PM

This is why I don't think like ab or clive, the hardware level as per OSeye definition is not solvable as easily as a re-entrant solution is.

We still have (vulnerable) anonymity for the mean times ahead.

== Anonymous == • February 22, 2017 7:09 PM

@Miss Fire

> I'll tell you what, let's make a deal: I have the official capacity right here and now to turn it all off. Does that sound alright to you?
>
> There's a trick though,
>
> you first.

Rules of engagement?

Adiwu Chan • February 22, 2017 8:12 PM

@Clive,

> SigInt fails badly in asymmetric warfare, it's the boots on the ground of HumInt that would be more reliable

Asymmetric like not fussing about Layer 1 ?

We're under symmetric attack, who could've thunked it?

Anyways I'm off for Shore leave.

trent • February 23, 2017 5:29 AM

Anyone who thinks that foreign intelligence agencies didn't know about this prior to Snowden is ... curious.

The foreign agencies we worry about are certainly engaged in exactly the same thing, at exactly the same time. They certainly have protracted conflicts hacking, diagnosing, re-hacking, hardening, all the same servers.

> This system has a number of capabilities, including
> blocking the incoming traffic outright, sending
> unexpected responses back to the adversary ...

Try to tell me with a straight face that a hostile state hacker encountering this gives up with a "well I guess that didn't work". They know, of course they know, and they're doing the same back.

Clive Robinson • February 23, 2017 6:28 AM

@ trent,

> Anyone who thinks that foreign intelligence agencies didn't know about this prior to Snowden is ... curious.

In part it comes about from the idea of "American Exceptionalism" and is the same delusion winning generals are known to suffer from when it comes to planning for the next war (think Maginot Line, and modern day US Carrier fleets).

Which brings us to your point of,

> They know, of course they know, and they're doing the same back.

Actually they are probably not "doing the same back" except in the broadest sense. What they will be doing back will be something different; it may be better, it may be worse, but it will be different. Worse, it can be said with a degree of historic certainty that, better or worse, we probably will not have detected it all[1], or even some of it. To see why, look up the full history of Theremin's "Thing" AKA the "Great Seal Bug". Likewise the tricks the Russians did to the IBM Selectric typewriters that, even though sent via "Diplomatic Pouch", still got interdicted on the way to the US diplomatic legation in Moscow etc.

[1] Why not all? Well, at the fundamental level there are two things to consider, firstly "Redundancy" and secondly "Complexity", in not just the information theoretic sense, but in the whole computing stack from the quantum physics layer upwards through the human layers. Which means that the attack potential exceeds defense resources even for the NSA [2].

[2] Which does not mean all systems can be attacked. It becomes a question of isolation and mitigation. Whilst "air gapping" is not sufficient you can move up to "energy gapping" (think air gap in a SCIF). But this still leaves the problems of supply chain poisoning and black bag jobs through to the MICE susceptibility of humans. These cannot be prevented but the various classes of attack can be mitigated in a number of probabilistic ways. So if you are aware of the attack class type you can take some measures.

cphinx • February 23, 2017 6:50 AM

I see people say all of the time that the OPM, DNC, and other big Government breaches were "catastrophic" and that a "good offense clearly isn't a good defense" and [insert other bon-fire type shouts here].

It's like a bunch of political pundits running around tooting their ridiculous whistles in a sea of other pundits tooting whistles.

I'm not sure if it was on this blog or another where someone said "cybersecurity is extremely hard to get right while extremely easy to get wrong". This is the entire point here...

Defense in cybersecurity is never an impenetrable barrier; it's a means to make that barrier time consuming and expensive to break, that's your deterrent. When it's Nation State vs. Nation State, it's an inevitability that the barrier will be broken.

Of course the NSA has a great offense which undoubtedly gives them access to things that make our defense better. That's how this works. But at the same time, if they prevent 99.98% of all attacks but miss one, that one miss is all you hear about, because pundits love blowing their stupid whistles.

r • February 23, 2017 7:02 AM

@cphinx,

worse than that it's:

In the face of nuclear weapons and interconnects,

this IS(information security) Shore'ing up one's defenses

Understand, that your standing in standing either up or back down the reference to ROE never precludes 'self defense'.

If you had the chance to disarm your foe, or even the opportunity to attempt it; wouldn't that be more important than the ability to pull an intercontinental holistic trigger?

We can spare lives by spearphishing your deeployees; they get lonely out there and loneliness makes one do sad, desperate things. Ask the Israeli soldiers clicking on Hamas front women.

Paid played and plaid.

Hen can get mad! Or QQ all that hen wants but the reality is glaring. Don't let the butt hurt get you.

We (The US-crowd(not the in-crowd)) exist in a democratic environment, accept that it is within the interest of every other competing sovereign interest to defame discredit disseminate and leak every aspect of an operation like this.

And also to develop attacks and defenses in kind and of kind.

It's a form of disarmament pressure that can be placed upon democratic nations as a whole, don't let the leakers slander what at this point is beyond a given but a practical requirement.

Would you prefer that we relax our position and allow China or Iran to control international media with their Deeply Learned Twitter Bots?

Would it stop there?

How would Saudi Aramco feel if we left the lights on with nobody watching the boundaries and hacktivity?

It's not busyness as usual when I want to put you out of busyness.

cphinx • February 23, 2017 7:15 AM

@r

I agree.

One thing I've always enjoyed thinking about but never took the time to discuss with anyone... is the fact that: at least our pundits are talking about the DNC being hacked, Snowden uncovering mass surveillance operations, and OPM clearance records for the last 30 or so years being stolen. Aside from OPM and especially the DNC, that's all low-lying fruit.

There is a reason that certain countries' exploits are very rarely known. And even when they are [Stuxnet] it's still not *certain* who the actual creators are.

Too many people get their priorities in the cybersecurity discussion out of order. The DNC, OPM, and [insert other bad breaches here] didn't stop Democracy and, if at all, barely slowed the process down. The value of these events as political rallying calls is higher than their value to an opposing Nation State.

It's when Certificate Authority servers at the Pentagon or electrical grids in California or Metro Rails in D.C. start shutting down that we have big problems. Maybe they are already penetrated with APTs... or maybe our system is working for now.

Clive Robinson • February 23, 2017 10:31 AM

@ cphinx,

> I see people say all of the time that the OPM, DNC, and other big Government breaches were "catastrophic" and that a "good offense clearly isn't a good defense" and [insert other bon-fire type shouts here].

You are conflating two separate things and making what is in effect a strawman argument.

1, The OPM etc breaches were catastrophic.

2, A good offense clearly isn't a good defense.

It just so happens both are true but are separate.

The OPM attack happened due to appalling mismanagement, and resulted in little or no defense; worse, much of the data stored should not have been in the database system in the first place. Much of the mismanagement was due to supposed "efficiency" for cost savings done on completely obsolete systems.

The idea that you can obtain defence by offence when you have no idea who might attack you and when is ludicrous. From a simple resource perspective a unit of resource used for defence is effective against many attackers. The same unit of resource used in offense is only effective against one entity that might or might not have been going to attack you. If they were not then it was a totally wasted unit of resource...

As long as people choose not to understand this then resources are going to be squandered. Worse, such offence attacks can, as the US loudly trumpeted some time ago --during "China APT"-- be treated as an initial act of war and thus elicit a kinetic or worse response.

People who don't think it through, bang the drum or call to the flag, might think they are "being strong" and "sending a message" but in reality are just walking to the beat of war hawks and the profiteers in the MIC. Perhaps it should be mentioned that one of the major reasons the US economy is in such dire straits is it is borrowing money from abroad to pay for the wars that those behind the MIC have profited from greatly and the US citizen has lost by greatly. It's such stupidity that made Donald Trump a creditable candidate to many who were significantly hurting due to the war profiteers.

vas pup • February 23, 2017 11:00 AM

@all:
They are also prepared for asymmetric response:
Russian military admits significant cyber-war effort:
http://www.bbc.com/news/world-europe-39062663
According to Mr Giles, the Russian military decided to prioritize information warfare after the 2008 Russia-Georgia conflict. The country's security apparatus drew lessons from its "inability to dominate public opinion about the rights and wrongs of the war", he said. Commenting on Mr Shoigu's remarks, former Russian commander-in-chief Gen Yuri Baluyevsky said a victory in information warfare "can be much more important than victory in a classical military conflict, because it is bloodless, yet the impact is overwhelming and can paralyze all of the enemy state's power structures".
And their pool recruiting from:
http://www.bbc.com/news/technology-38755584
And how obsolete are old tricks:
http://www.bbc.com/news/magazine-38846022

albert • February 23, 2017 11:13 AM

Given that Snowden's 'revelations' are obvious prior art, and non-technical, the only important takeaway from his adventure is the fact that the IC was, and still is, unlawfully spying on American citizens. There is not now, and never has been, proof that US 'national security' was seriously damaged. So he is now a convenient whipping boy. We need a continuous supply of enemies to keep the War Machine going. We'll need another one soon. Iran is being dusted off, and readied for the World Stage. In the meantime, douchebags will continue to prattle on about retribution, and ignore the important facts.

Re: Important Facts. @Clive made critical observation: "...the US over dependency on technology makes it the largest glass house on the planet....".

This is -especially- true of the US military. Its reliance on computer technology is probably the highest in the world, and this makes it the most vulnerable. While Internet security is important, I hope the USMIL has super cyber-defense capabilities for its own systems. We all know how fragile our civilian infrastructure is. A two-pronged attack on CIV/MIL systems would be devastating for any country, but especially the US.

Anyone remember the mainframes of yore? Remember the glass-enclosed cases containing an abacus with the sign "In case of emergency, break glass"?

A word or two to the Wise...
. .. . .. --- ....

Winter • February 23, 2017 11:30 AM

@Clive
"The idea that you can obtain defence by offence when you have no idea who might attack you and when is ludicrous. "

Anyone who has taken even a cursory look at medieval warfare, even a Monty Python movie, should be aware of the functional difference between a walled castle or town and an offensive army.

You cannot protect the civilian population with offensive forces.

vas pup • February 23, 2017 3:13 PM

@Ph:
"Don't do unto others what you don't want to be done to you."
That is the first step only. Then, do unto others what they did to you - by reciprocity.
@Winter:
"You cannot protect the civilian population with offensive forces." You are right, but who really ever cares about the civilian population, whose interests are almost always substituted by so-called historic missions (ideology, geopolitics, world leadership, etc.) of political elites (elected or not) or/and fueled by interests of the military-industrial complex (or its analogy in the pre-industrial era). Unfortunately, civilians (and low-ranking military guys) are just pawns easily sacrificed in bulk in big geopolitical games without ever being asked. Politicians like to declare their own goals as desires of most [American, Russian, Chinese, German, Japanese, French etc. - select any out of the list] people, but do they ever conduct a mass survey and support their statements based on survey results? I am not talking about small supportive groups which are sometimes first in line supporting war, but last in line to sacrifice their life in real combat.
I have a dream: in a future less-than-lethal weaponry will finally become primary tool for resolving conflicts (inside and outside the country). Aikido as modus operandi.

rFebruary 23, 2017 8:34 PM

@cphinx,

I think you and I are in absolute agreement here. I don't think I've felt threatened at all by the reality of this 'DMZ' since the reality of IT truly sunk in.

@vas pup,

Likely I enjoy your postings more than you enjoy mine, thank you for those links.

65535February 23, 2017 10:51 PM

@ Concerned Citizen and Clive

“Is offense really a good defense? Whatever the NSA has been doing it has not been effective in protecting the government's most valuable secrets as seen by the OPM hack, the DNC hack, and the Snowden leak itself. The original sin here is putting offense in front of defense. No one wants to do defense because it is difficult and unglamorous so instead we pour money into expanding offensive capabilities and call it defensive. This strategy is not working…” – Concerned Citizen

That is a logical statement. I agree with your overall thrust in your post. It's true, and “offensive defense” or “defensive offense” can be twisted to gain more budget dollars for the NSA. The outcome of the OPM hack is not fully known – and probably for a good reason.

“You are conflating two separate things and making what is in effect a strawman argument.
“1, The OPM etc breaches were catastrophic.
“2, A good offense clearly isn't a good defense.
“It just so happens both are true but are separate.

“The OPM attack happened due to appalling mismanagement, and resulted in little or no defense, worse much of the data stored should not have been in the database system in the first place. Much of the mismanagement was due to supposed "efficiency" for cost savings done on completely obsolete systems.” -Clive

That is a fair statement. Clive's distilling of the term “Cyber” into “Espionage” or good old “spying” is accurate. The fact the NSA is spying on a mass scale due to a fluke in communication lines in the USA is no reason to massively spy on everyone - including its own citizens.

The NSA's customers are now down to local police and their spy cruisers. Such nation-spying weapons are dangerous and generally overkill. The fact the NSA took its eye off of the ball, so to speak, and did not defend against the political blunders involved in the OPM hack is not an excuse to mass spy.

Next, the “BIOS” level of attack should have been seen by the NSA. It is clear that moving “bios” and other micro-controllers to China is a clear mistake. It gives China and that region tremendous power over low level computing and “out of band” management holes. The NSA knows it and should help to defend its citizens against those types of attacks.

In short, Concerned Citizen and Clive have the best arguments. Buchanan's book paints a picture of "great work" by the NSA which is dubious at best.

I would even say the NSA and its tentacles don’t deserve ever increasing budgets and power. I say the NSA needs a 20 percent budget cut until its mission is truly focused on defense of the USA, its citizens and allies' citizens.

The NSA knows the budget system so well that it is playing two sides of the fence with its “offensive defense” or other agenda. Until the OPM hack is cleaned up the NSA budget money could be better spent on different areas of the defense systems including mundane tasks such as strengthening the OPM and Air Traffic Control systems, not to mention the out of control surveillance cameras and networked DVR recorders – which seem to be doing more damage than good.

65535February 24, 2017 1:22 AM

Thanks a lot all knowing NSA for the heads-up on the King slayer admin malware infections.

http://archive.is/AX7yM

and

http://www.eventid.net/evlog/

See: Krebsonsecurity[dot]com and his “How to Bury a Major Breach Notification”
I am confident most of us can find Krebs on Security and that article.

Possibly infected company administrators:

[from archive.is captured client page of eventid dot net]:

Here are just some of the companies from thousands that have subscribed to www.eventid.net:

Communication
Consulting
Education
Entertainment/Media
Financial
Government
High Tech
Manufacturing/Energy/Health
Military
Retail
Various
Besides these, there are over 250 subscribers that hold the Microsoft MVP title.
Subscription information
* * *
Communication
AT&T
British Telecom
MCI
Telefonica

Consulting
All Covered
Deloitte and Touche, Netherlands
Deloitte and Touche, Sweden
EDS
Unisys

Education
Arizona State University
Association of American Universities
Boston University
California Institute of Technology
Columbia University, New York
Cornell University
Dale Carnegie
DeVry
École Polytechnique de Montréal
Georgia Institute of Technology
Harvard Business School
Harvard University
Indiana University
McGill University
Michigan State University
MIT
Pennsylvania State University
Purdue University
Rhodes College
Rochester Institute of Technology
Ryerson University
Ohio University
University of California, Los Angeles
University of California, San Francisco
University of Chicago
University of Florida
University of Hawaii
University of Illinois
University of Kansas
Université Laval
University of Maryland
University of Massachusetts Boston
University of Michigan
Université de Montréal
University of Nevada, Reno
University of New Hampshire
University of New Orleans
University of North Carolina
University of Rhode Island
University of San Francisco
University of Southern California
University of Washington
University of Waterloo
Western Washington University
Yale University
Entertainment/Media
BBC
CBC
Cirque du Soleil
Disney
Indie Music
Hearst
Lucas Film
NBC
Reuters
The Miami Herald
Financial
ADP
AIG
Bank of New York
Bank of Sacramento
Chase Paymentech
Chart Bank
CIBC
Citigroup
Commercial Bank of Florida
Fannie Mae
First City Bank
Fortis Bank
Golf Savings Bank
Home Federal Bank
Humboldt Bank
ING Direct
Janus
KPMG
Maritime Life
MidAmerica Bank
National Bank
Northeast Bank
Omni National Bank
PayPal
PeoplesBank
Scotia Bank
Securicor
Somerset Valley Bank
Thomson
Toronto Dominion Bank
United Nebraska Bank
Wells Fargo
Government
BNL
Centers for Disease Control and Prevention
Citizenship and Immigration Canada
City of Ottawa
Environmental Protection Agency
Federal Housing Finance Board
Government of Alberta
Government of Quebec
International Broadcast Bureau
Los Alamos National Laboratory
NASA
National Institutes of Health
National Resources Canada
New York State
Princeton Plasma Physics Laboratory
The State of Colorado
The State of Indiana
The State of Maine
The State of Minnesota
The State of Ohio
The State of Oregon
The State of Washington
U.K. Police
United States Department of Agriculture
United States Department of Justice
United States Department of Labor
United States Department of the Treasury
U.S. Courts
High Tech
ADIC
Aelita
Ask Jeeves
Autodesk
Baan
BMC
Cirrus Logic
Cisco
Computer Associates
Dell
Dolby Laboratories
EMC
F5
Fujitsu
Global Knowledge
Honeywell
HP
IBM
IKON
Intel
Intuit
Konica Minolta Canada
Micron
Microsoft
NCR
NetIQ
Oracle
Quest Software
SAS
Sybase
Symantec
Thawte
UbiSoft
VMWare
Manufacturing/Energy/Health
Abbott Laboratories
AGFA
AltaGas
British Petroleum
Bacardi
Boeing
Bosch
Budweiser
California Steel Industries
Cargill
Carlsberg
DAP
Daimler Chrysler
DuPont
Ecolab
Ericsson
Exxon Mobil
Fairmont Hotels
Ford Motor Company
GE
GM
Halliburton
Honda
Lockheed Martin
Marathon Ashland Petroleum
Maytag
Northrop Grumman
Parker
Pfizer
Praxair
Purina
Renault Ireland
Rockwell Automation
Saab
Siemens
Sulzer
Texas Instruments
Military
Defense Logistics Agency
Department of Defence, Australia
Department of Defense Computer Forensic Laboratory
NATO
Space and Naval Warfare
US European Command
US Air National Guard
US Army
US Army Corps of Engineers
United States Department of Defense
United States Military Academy at West Point
US Coast Guard
United States Marine Corps
US Navy
US Air Force
United States Strategic Command
Virginia Military Institute

Retail
IKEA
Office Depot
Home Depot
HMV UK
Sears
Various
Amgen
Amnesty International Canada
AVIS Denmark
American Red Cross
International Trademark Association
ISO
Red Cross Canada
The Gallup Organization
United Nations

[end of eventid company list]

Great job NSA! /not

rFebruary 24, 2017 5:29 AM

@65535,

You know, about that attack: most everything I've seen about it paints a picture of trojanization and or backdooring. After a move like that, the easiest and likely the best kind of modification to an event log filter/parser would be to blind it somehow.

Considering how aggregated and complete your list/response is, I'm curious: are/were you one of the users of it?

rFebruary 24, 2017 5:34 AM

Also,

We don't know whether they notified any companies OOB like Boeing, GE or Halliburton; they may have while leaving the rest of us vulnerable and wondering.

What the NSA is charged with protecting, "National Security", is sort of ephemeral isn't it?

;-)

rFebruary 24, 2017 5:48 AM

@65535,

They're not going to give up their offensive stance, it's just not going to happen. For them to start pushing true security (secure software, secure hardware) would open themselves up to the same problems we are already facing now with reverse engineering and counterfeiting. Sure, they could make the whole world secure but then they would lose signals; every time they would improve resistance to an attack those mitigations could be copied and spread worldwide only making their 'job' considerably harder than it is now. This is why we see (or don't) redteams and the science of omni; if they take a larger defensive stance than recon and sabotage it would do nothing to address the other layers that leak. It's the same game, only exponentially more difficult and costly.

I'm not condoning what they're doing, I'm rationalizing (not stretching) it within the constraints of what I view as reality. Security is a HUGE field, they run a grey/dual-hat operation and you want them to become white hat in a reality where it in full honesty and practicality likely does not exist?

Do you ever wear white?

It stains most easily, let them do what they're doing; it's not 100%. We can keep right on mitigating and circumnavigating them as we've been, there are no leaks really coming out of the other groups - you don't find that suspicious or curious at all?

That's like saying Mossad doesn't exist, close your eyes. Our institution is vulnerable to both the public and outside influence let's thank god that we have any information at all at this point and make a bid to nudge it/them/us back into the correct stream.

Like @Bruce has been saying, they/us/we need more technologists more thinkers more questioneers.

I hope what was done with Kingslayer was something ignorant, like an outright trojan; you'd better all hope it wasn't something far more intelligent like a small programmed event overflow a heap double free or a blind spot.

Clive RobinsonFebruary 24, 2017 7:20 AM

@ r, 65535,

For them [NSA] to start pushing true security (secure software, secure hardware) would open themselves up to the same problems we are already facing now with reverse engineering and counterfeiting.

You need to follow the logic a bit further.

As I've mentioned a few times the NSA are not really that much further up the road than academia and industry these days, unlike times long past. Further certainly much more harm to their "mission" has been done by academia and industry than insider whistle blowers (arguably this blog has hurt them quite a lot more technically than several of the whistleblowers have).

Thus it's fairly certain that many countries' SigInt agencies even in supposed third world level countries have put their more interesting information systems beyond what the NSA can achieve on the wire with "collect it all". I won't say they have become irrelevant in that, but it's now the scraps from poor SigSec / OpSec behavior, not the "window into leaders' minds" it once was. Thus I suspect that for all the noise about "collect it all" they are still into the more resource intensive "directed attacks" ranging from interdiction / supply chain poisoning, NOC / agent insiders, black bag jobs and even wet work to get that "window into leaders' minds" view.

Which leaves the question of the ROI on "collect it all"; aside from the obvious "pork" you are left with smokescreen / diversion and the alternative realisation that the target focus is now not "State Level" but corporations and citizens...

Thus "We have seen the face of the enemy and it is us." and the first drawing of the noose around our necks has happened on our journey down to a dystopian Orwellian future...

PatriotFebruary 24, 2017 4:22 PM

@Bruce Schneier

The NSA penetrates enemy networks in order to enhance our defensive capabilities.

You're an extremely intelligent individual and your massive positive reputation was hard earned, but your post this time shows something that could almost be called gullibility.
When the NSA found tons of American computers made into zombies in a botnet they didn't disinfect them or warn their owners, they just stole the botnet and used it to attack their political enemies. Yes of course they will steal source code for Russian spying software, but they will use it to spy on Americans not to make Americans more secure. The article is basically saying "kill all US citizens and all foreign citizens and foreign armies, as a way of defending the US military" but applied to cyberspace instead of meatspace.

@wiredog

Of course now the Chinese and others know about the penetrations by the NSA and can counter them, making the US more vulnerable. Thanks for blowing the operation Mr. Snowden!

& @dim

Another proof that Snowden is a traitor and a criminal who succeeded, unbelievably, to rally behind him people who believe in things unrelated to his treason - privacy and human rights. The damage that he caused to the national security of America and its allies is beyond precedent.

Let's hope that Trump's new buddy Putin will extradite Snowden's ass to US so he can face the court of justice instead of lurking in Moscow while sending self-righteous tweets.

Is that you Mr. Clapper? Russia and China already knew that you were trying to hack them and steal their spyware and repurpose it for domestic spying. Sorry to break it to you.

@65535

That is a fair statement. Clive's distilling of the term “Cyber” into “Espionage” or good old “spying” is accurate. The fact the NSA is spying on a mass scale due to a fluke in communication lines in the USA is no reason to massively spy on everyone - including its own citizens.

The NSA's customers are now down to local police and their spy cruisers. Such nation-spying weapons are dangerous and generally overkill. The fact the NSA took its eye off of the ball, so to speak, and did not defend against the political blunders

What a euphemism. They aren't "spying" on Americans, they are actively undermining national security such as NIST standards and outright sabotaging American hardware and software.

@r

Sure, they could make the whole world secure

When they can't even keep their collection of zero-days that they had US companies like Juniper put in their hardware/software under threat of physical violence (kidnap and false imprisonment of any IT workers refusing to help enable CALEA backdoors)? If they can't secure their own Equation Group servers, do you think they're so omnipotent that they could secure the world? They're nothing but a bunch of dumb brutish thugs who threaten to kill anyone who tries to sell secure products to US citizens. No skill, no morals, no scruples, no purpose but the persecution of political dissidents and the oppression of anyone critical of the USG.

every time they would improve resistance to an attack those mitigations could be copied and spread worldwide

You think that all medical knowledge and medicines/instruments on Earth should be destroyed since it could be used to make Russians healthier?

only making their 'job' considerably harder than it is now.

They aren't even trying to do their job anyways. Their job is to make Americans more secure but they do everything they can to make Americans as vulnerable as possible. As for "harder" what a joke. They coerce smart people into stripping out all security measures, under threat of violence. Cave-men with guns could do what they do.
Do you ever wear white?

It stains most easily

Which is why they're paid around a hundred billion dollars a year from taxpayers to overcome that difficulty. Instead they take that hundred billion USD and use it to sabotage American cyber-security with their BULLRUN program, and bribe NIST to recommend all American businesses to use broken ciphers (clipper chip, now dual curve elliptic cipher).

@65535

arguably this blog has hurt them quite a lot more technically than several of the whistleblowers have

It hurts the NSA for US national security to be hardened instead of weakened? So the NSA is an enemy of the state in other words.

rFebruary 24, 2017 5:22 PM

@Patriot,

You're making the same assertion I am but not as lightly, wearing a flag on your chest so proudly is almost brazen - you sound angry. I was angry once now I'm just meh, I know what I have to do and what my friends have to do.

Ranting about code cutters isn't going to change anything in the face of the gnu world order and the false store fronts .org.. .

Like you, I'm pissed - I was part of the OPM breach. Why? It's not like they've ever cut me a check, I'm blacklisted for having an open mind and curious nature. No big deal, my heart is in the right place and yours may be also.

Anyways, let's get the scissors out for the meaner times:

When they can't even keep their collection of zero-days that they had US companies like Juniper

Do we/you/I know that? We know there's a) Tia, b) Tao, and what's missing?

A reflexive honey pot?

put put in their hardware/software under threat of physical violence(kidnap and false imprisonment to any IT workers refusing to help enable CALEA backdoors)?

Refresh my memory on lavabit, I don't think that's exactly how it went down.

If they can't secure their own Equation Group servers

Do we/you/I know that?

They're nothing but a bunch of dumb brutish thugs who threaten to kill anyone who tries to sell secure products to US citizens.

What products? You have knowledge of secure aparatii ?

You think that all medical knowledge and medicines/instruments on Earth should be dextroyed since it could be used to make Russians healthier?

What? Lol no.

They aren't even trying to do their job anyways. Their job is to make Americans mode secure but they do everything they can to make Americans as vulnerable as possible.

And you know this how? You have proof? Evidence? Simple examples of slacking off are not grounds for dismissal per se; evidence is used in court for conviction of crimes - not instant assumptions of that's what's actually going on. The leaks are partial, but you are not impartial; look at your response. I sympathize with you being pissed but I don't think it's like that at this point and that's my opinion based on the rationalizations and realizations I've made and come to.

They're not making us "as vulnerable as possible", if that were the case they wouldn't give any recommendations at all.

They coerce smart people into stripping out all security measures, under threat of violence. Cave-men with guns could do what they do.

What threat of violence?

Which is why they're paid around a hundred billions of dollars a year from taxpayers to overcome that difficulty. Instead they take that hundred billion USD and use it to sabotage American cyber-security with their BULLRUN program, and bribe NIST to recommend all American businesses to use broken ciphers (clipper chip, now dual curve elliptic cipher).

Let's put this into perspective, if what you say IS true then I think you need to recognize that their "interests in sabotage" far exceed just American softwares. NIST likely had far reaching subversion, there's other things too.

But don't think for a second that they're not watching us here, as a shadow entity us making movements in the public space affects them.

We cast shadows and ideas and as we evolve they are forced to evolve also, from our tools our ideas our defenses. Don't expect for a second that there aren't shadows out there basking in the perpendicular angle of any reality we cast.

The day is long, and everything we say is left here for others to mine for tidbits - disinformation or knot - we build each other and we build upon each other - any shadow entity out there would be wise to be doing the same thing.

So what if your mindset is that type of thing is a bottom feeder, I'm not going to judge them at this point based on information that I do not have.

Sure, I like you: have ideas. But I don't think that any group composed of a semi-random sampling of american 'patriots' like you me bruce or anura would be hell bent on complete malice in general. You would stand up, I would stand up, Anura would stand up, @Bruce would stand up.

As for the rest of your comments to the others I skipped them, I'll let them weigh in on responding before I offer up more dword debauchery there.

I thank you for your time and your response, they're part of a military system - my problem at this point is the subletting of the jobs to corporate and private interests.

rFebruary 24, 2017 5:39 PM

@Clive,

I understand the slippery slope, it's an unfortunate conundrum at this point.

But what are we to do if not converse about it? If not comprehend it? If not alert others to it?

If it wasn't them who else is there? Who else would be there?

I think that's the only aspect of what they're doing that even gives them a 'smidge' of the defensive err.

That's it, as sad and as weak and as horrible as that is.

They're recon, I recognize it - I may not entirely accept it but I do not have to.

My hands are bound by the ineffectiveness of my voice, our voice.

All one can do is plot and scheme and hope that he's taken enough precautions and thought far enough ahead that he can eek out some sort of private world for his thoughts.

It's unlikely to happen though, interdictions supply chain poisoning - everything we do leaks.

If I investigate something on ali baba I'm flagged, if I check it out of the local library - I'm flagged.

Get my drift? You know exactly what I'm saying and we both know that no matter how indecent it is if we don't have any sort of fireline to firewall us from the el rando's we're even worse off than we are now.

Put my weapons down? I did, I was given a long time ago a cold hard look at the perpendicular angle to which I view my own interests and they view some of ours. I'm free to research however, why? Because I saw the long game a long time ago and maybe they knew it, I don't know I can only assume.

I sit here more than enough to pique anyone's interests into my curiosities, no big deal. I've amendments for that (for now I suppose). But those certainly don't protect me from the collusion of GCHQ or BND. What about the GRU or Mossad?

Or the Chinese? OPM really scared me, for more reasons than I think you've all pieced together.

Maybe I've taken the bait, who knows but my voice doesn't change. There are things well beyond our control or anyone elses, and the only way to stop human nature is to start stopping humans - for the most part - I'm far against that.

rFebruary 24, 2017 5:45 PM

What I mean is, they're on the easy road.

It's a financial burden and I would like to believe that they do (for the most part) what they can and where they can and most unfortunately however they can.

Black bag jobs? Likely only in extreme cases one could hope.

Security is beyond NP hard, can we secure ourselves without securing everyone else?

<oi>And in comes little Miss iLE to respond.</oi>

rFebruary 24, 2017 5:47 PM

Companies pouring billions into open source technology, what?

To be shared with North Korea?

To be shared with Israel?

To be shared with whom free-of-charge but not a backdoor or beacon?

Don't get your hopes up, proliferation is the game.

It's pro life.

rFebruary 24, 2017 6:50 PM

But, like you said: asym beats sym pressure.

At the Boston Marathon that cold hard reality was written in stone with some half-crocked pressure cooker backpack toting maniacs that just barely escaped the full aspect of symmetric multilayer OSeye deeep packet inspection.

Maybe what we need are more analysts, maybe what we need are more eyes and ears?

That's the race condition, the current condition of our race.

Where do we draw the line in our own inhumanity?

You want more security?

Go buy a gun.

Miss iLEFebruary 24, 2017 7:07 PM

@r

We once used shoe leather to collect intelligence, the old-fashioned way. During WWII, we had no organized computer networks like the modern Internet, and tapping or tracing phone calls was hit-or-miss. It took Alan Turing's genius to crack the German and Japanese codes.

The trouble is that NSA is lazy, and lacks a culture of personal responsibility for the consequences of their actions. They want no hindrances to siphoning up and sharing at will all data online. Too many of the policies pushed by NSA are some sensitive but not really classified "thing of ours" just like La Cosa Nostra. In fact the same policies that benefit NSA also benefit organized criminal networks of identity thieves.

Osama bin Laden had a plain old ordinary PC, unconnected to the Internet, and he sent and received electronic correspondence on thumb drive by courier. Simple but completely adequate to foil NSA, just like any Mob boss downtown any large city.

We need to go back to the old-fashioned spy tradecraft. Microdots printed on paper, ciphers like Bruce's Solitaire, dead drops, lock-picking, black-bag jobs, minute retrievable dead-drop audio bugs or hidden cameras with no radio signature, that sort of thing. City cops already have a lot of that stuff.

It's time to move on. NSA must decrease; CIA must increase.

our human raceFebruary 24, 2017 7:09 PM

That's one thing all their spying can't see: our hearts. Boston is proof of that; if they knew anything beforehand they outright failed to act.

Was it due to a lack of information?

Was it complicity?

Was it duplicity?

Only the pre-cleared and competing interests know for sure, for the rest of us it's just pork bellies and bacon until our questions cement in our minds as thick and as jumbled as rocks in our head.

rFebruary 24, 2017 7:16 PM

@Miss iLE,

Attacks only get better; the NSA will decrease as more and more ML/DL & computer 'assisted' targeting comes 'online'. The CIA will always have its heels dug into reality more than the NSA even if it's more or less (more or less) vulnerable to the same misdirection as the NSA.

Certainly we're under symmetric attacks as human beings, just don't let people lie to you and tell you that it's only the NSA doing it.

That's the poison apple.

Even if the NSA was shutdown tomorrow, anyone with any sense knows 'that the show must go on'.

SKLFebruary 24, 2017 10:03 PM

@north korean VX attack

if this is true, this would make him, I think, only the second human being to die from this particularly nasty and particularly controlled substance; the other one being one of the apocalyptic Aum Shinrikyo cult in Japan who couldn't quite put the pieces back together, IIRC.

no joke, but, a well known toxin, just a far less-clever attack than polonium, understandable in the context of the disparity between the two countries' resources; the interesting things, of course, are to what extent did this individual have to go to provoke such an attack in an international airport?

SKLFebruary 24, 2017 10:12 PM

but also (I cut myself off accidentally) the women's actions as shown on the CCTV footage could quite nearly have been suicidal; such is the fanatical devotion of the personality cult, equalling anything of Radical Islam (which you read about every day) or the LTTE (who actually invented suicide attacks and who I had some very interesting, but non-hostile--medical humanitarian and journalistic--types of encounters when in-country before the 'end' of the war there.)

proof is, really, if there's the technology (and the bar is getting lower and lower everyday), pretty much any such operation can be undertaken unless the person is under a ridiculous amount of security protection (as in the case of POTUS and many, but surprisingly not that many, world leaders--I've myself always been shocked that nobody's tried to whack a Supreme Court Justice, given the emotional salience of the things that they deal with, for extremists both on the Right and on the Left), all it really takes, I guess, is a modicum of connections, some DIY knowhow, and huge balls.

wonder what the chances were, really, of that chick making it out alive though after wiping somebody with a towel impregnated with VX? I'd say "surprising" in my (medical) opinion

PatriotFebruary 25, 2017 12:50 AM

@r

When they can't even keep their collection of zero-days that they had US companies like Juniper

Do we/you/I know that? We know there's a) Tia, b) Tao, and what's missing?

Look up shadow brokers leak if you don't believe me. They can't even keep their own zero days away from the public, so of course they can't keep all data away from state sponsored hackers.

put in their hardware/software under threat of physical violence(kidnap and false imprisonment to any IT workers refusing to help enable CALEA backdoors)?

Refresh my memory on lavabit, I don't think that's exactly how it went down.

Not just Lavabit, anyone providing any IT services to Americans is required to make it easy to hack. Every single ISP and mail provider has to log everything the Americans do and make it trivial to get at that data per CALEA. Anyone who refuses to so sabotage American security will be kidnapped and if they struggle they will be murdered.

If they can't secure their own Equation Group servers

Do we/you/I know that?

Unless the Shadow Brokers are an NSA front invented to make everyone underestimate the NSA.

They're nothing but a bunch of dumb brutish thugs who threaten to kill anyone who tries to sell secure products to US citizens.

What products? You have knowledge of secure aparatii ?

For many years, all encryption not backdoored with a Clipper Chip. Nowadays, anyone who refuses to serve malware to their customers to replace the non-backdoored encryption, e.g. secure email providers threatened into serving up malicious java/javascript to defeat their own security for the NSA because the NSA are too stupid to do it themselves even with a hundred billion dollars of American taxpayer funding.

You think that all medical knowledge and medicines/instruments on Earth should be destroyed since it could be used to make Russians healthier?

What? Lol no.

Yet you just said that everyone should have insecure, virus laden computers since if Americans had security Russians might get it too.

They aren't even trying to do their job anyways. Their job is to make Americans more secure but they do everything they can to make Americans as vulnerable as possible.

And you know this how? You have proof? Evidence? Simple examples of slacking off are not grounds for dismissal per se; evidence is used in court for conviction of crimes - not instant assumptions of that's what's actually going on. The leaks are partial, but you are not impartial; look at your response. I sympathize with you being pissed but I don't think it's like that at this point and that's my opinion based on the rationalizations and realizations I've made and come to.

They're not making us "as vulnerable as possible", if that were the case they wouldn't give any recommendations at all.

I have proof. Their recommendations are worse than nothing at all.
I also have proof of mens rea.

They coerce smart people into stripping out all security measures, under threat of violence. Cave-men with guns could do what they do.

What threat of violence?


Towards the brains behind Lavabit if they refused to go out of their way to decrease the security of their own customers.
Which is why they're paid around a hundred billion dollars a year from taxpayers to overcome that difficulty. Instead they take that hundred billion USD and use it to sabotage American cyber-security with their BULLRUN program, and bribe NIST to recommend all American businesses to use broken ciphers (clipper chip, now dual curve elliptic cipher).

Let's put this into perspective, if what you say IS true then I think you need to recognize that their "interests in sabotage" far exceed just American software. NIST likely had far reaching subversion, there's other things too.

But don't think for a second that they're not watching us here, as a shadow entity us making movements in the public space affects them.

We cast shadows and ideas and as we evolve they are forced to evolve also, from our tools our ideas our defenses. Don't expect for a second that there aren't shadows out there basking in the perpendicular angle of any reality we cast.

The day is long, and everything we say is left here for others to mine for tidbits - disinformation or knot - we build each other and we build upon each other - any shadow entity out there would be wise to be doing the same thing.

So what if your mindset is that type of thing is a bottom feeder, I'm not going to judge them at this point based on information that I do not have.

Sure, I like you: have ideas. But I don't think that any group composed of a semi-random sampling of american 'patriots' like you me bruce or anura would be hell bent on complete malice in general. You would stand up, I would stand up, Anura would stand up, @Bruce would stand up.

As for the rest of your comments to the others I skipped them, I'll let them weigh in on responding before I offer up more dword debauchery there.

I thank you for your time and your response, they're part of a military system - my problem at this point is the subletting of the jobs to corporate and private interests.
My bad for assuming that it was all common knowledge. Several links to proof from widely different sources posted. If they will retaliate against me for bringing truth to light then so be it. As long as I got the otherwise hidden truth out to at least one other person who'll run with it then it should be worth whatever illegal persecution I fall victim to.

wrt about your point that they're hurting Russians as much as they're hurting Americans and that therefore it's justified...
1. a doomsday machine would hurt Russians. Is it okay to kill all Americans to kill all Russians?
2. Then N in NIST is for "national", not "global". So they're poisoning the well of Americans but not Russians.

I'm sorry for the disrespect, it's just a very passionate issue to me. I enjoyed our discussion but more so the idea that this is news to a lot of people and that countless readers will discover the deep-rooted corruption and that maybe some of them will be in positions to change laws.

PS

If I investigate something on ali baba I'm flagged, if I check it out of the local library - I'm flagged.

Get my drift? You know exactly what I'm saying and we both know that no matter how indecent it is if we don't have any sort of fireline to firewall us from the el rando's we're even worse off than we are now.

Encryption works. Use Tor. Once a certain critical mass is reached it will be infeasible to flag so many people, and you're already flagged anyways if you've read this blog, or LinuxJournal; http://m.linuxjournal.com/content/nsa-linux-journal-extremist-forum-and-its-readers-get-flagged-extra-surveillance

PS

Companies pouring billions into open source technology, what?

Many-eyes-make-every-bug-shallow. Easier to audit src than bin. Still need a clean compiler and build environment, but no one said security is easy.

PS

Maybe what we need are more analysts,

There are already about a hundred thousand people who can spy on everyone with impunity, often for "LoveInt" (stalking). Do you want links to where these agencies themselves admit to such abuses? The government coined the term because the practice was so common that they no longer got bothered by it, even thinking it harmless and funny. Since you want proof for everything I'll spite you by citing Wikipedia and popnews sites https://wikipedia.org/wiki/LOVEINT https://www.washingtonpost.com/news/the-switch/wp/2013/08/24/loveint-when-nsa-officers-use-their-spying-power-on-love-interests/ https://www.cnet.com/news/nsa-offers-details-on-loveint-thats-spying-on-lovers-exes/ http://abcnews.go.com/blogs/headlines/2013/09/loveint-given-immense-powers-nsa-employees-super-cyber-stalked-their-crushes/
Not exactly obscure conspiracy theory blogs.

It's obvious that all the hardware backdoor "management engines" really are more than conspiracy theory as well, and that such backdoors have hurt national security in America.
Don't you trust Bruce Schneier? https://www.schneier.com/blog/archives/2013/01/the_eavesdroppi.html
Intel also left a way to unrandomize their hardware RNG output, with no technical reason to do so. Isn't it obvious that the NSA threatened some Intel employee with being disappeared? https://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/

@NSA spooks; instead of disappearing me take a look in the mirror, I know that some of you were ignorant of how evil your organization is and will benefit from learning the truth. Be the next Snowden! If you care about your country then blow the whistle on corruption by releasing more documents that prove the crimes your superiors commit!

Patriot February 25, 2017 12:53 AM

PS

@r

don't let people lie to you and tell you that it's only the NSA doing it.

I think that the Golden Shield Project is almost as bad as Project Bullrun.
I'm also against the GRU.
Everyone already knows that PLA/GRU are evil so I don't bother critiquing them.

r February 25, 2017 4:50 AM

@Patroit Shit,

Wow you're foaming at the mouth, I knew rabies was contagious but come on...

Half of what you're saying are just accusations, we really don't know what went on behind shadowbrokers. We aren't really aware of the situation behind it and you really must not understand how the internet is set up (a setup at this point) if the larger concept behind modulating Tor traffic never sunk in.

There's a bigger picture here and your paidtriot reaction could be motivated by slant, I suggest you stick around here for a while for the crowbar of reality to sink in on just how far reaching their programs really are or may be.

There's not really a lot that we know _for sure_ and I think the speculation at this point points to an octopus who sits on top of the world vacuuming up as much as it can with its ten drills that mine.

It's yours mine and ours that it reaches into as deep as it can, yours? I think you're victim of a spinal tap - it's got you dancin'.

By the way, you made a mess of my mess. Thanks.

Relax, they're not going to jettison you to space - worst case scenario is sedation while your facilities collapse. Ask @My Info.

Dangerous can be medicated away at times.

r February 25, 2017 5:06 AM

The most annoying thing about all of this is?

These sort of hactors practicing SEO 2.0, it used to be link farms...

Then it was refactoring and weights...

Now it's less bump bump bump and more cram push choke.

Don't gag, it's not a gag; these people(?) are serious.

r February 25, 2017 5:23 AM

@PaidBS

Let me show you how to <blocquote>

wrt about your point that they're hurting Russians as much as they're hurting Americans and that therefore it's justified... 1. a doomsday machine would hurt Russians. Is it okay to kill all Americans to kill all Russians? 2. Then N in NIST is for "national", not "global". So they're poisoning the well of Americans but not Russians.

Hurting Russians? There's your leaky in-between word weasels I warn you people about. Content slips out in %20's.

Hurting Russians? This is ethereal, ephemeral, there's no hurt unless your water is tainted like mine is or someone infiltrates a silo of suckers.

Am I riling you f***ers? At the risk of sounding astranged (assange, does that assuage you?) how do the omniimpotent make you feel?

Even smaller? More impotent?

Me thinks slow...

I think the sandtrap has you.

Anyways, "they're" not "hurting" per se anyone if this is what they're doing. Humanity is evil, it's up to you to decide who you trust with the keys to your house. Do I trust them implicitly? Not for a second, don't get me mistaken.

But you need to think long and hard about the ground you stand on and any continental shift that may occur underneath, did you ever get spanked by your mom for jumping up and down on your bed? Did you ever grow up to realize that your father gave you good advice telling you not to?

Can you afford to replace the mattress you sleep on?

Hurting Russians lol, they're no more hurt than we are having to listen to this drivel.

Drooooooooooool...

Yesi the Yeti February 25, 2017 5:30 AM

The bar has been lowered for all,

including yes-men.

Metasploit and Cloud Infrastructure for all!

Deduplicate that.

r February 25, 2017 5:35 AM

Assange is a victim of lock in, he's locked into the smallest of venues. How many communication outlets do you think he really has access to?

Trapped like a rat in a cage. His options are limited, the rest of us?

We're still free to make decisions, when where how...

The big one is WHY?

And that, mein freund is aimed straight at one's heart.

r February 25, 2017 5:38 AM

What I find funny,

Is that you think 'loveint' is news.

Popo got you swervin' kid, keep your eyes on the road bro.

And by deduplication: I mean FOCUS.

r February 25, 2017 5:47 AM

A word of advice,

not a single compiler I own is clean.

Not coff not omf not aout not elf.

There's not a linker or stdlib on my computer that I've left unturned.

all of your libs and .a's belong to me.

Because I sed so.

Clive Robinson February 25, 2017 1:30 PM

@ SKL,

With regards to "Venomous agent X": designed by England's ICI, it is a variation on an organophosphate pesticide (VG, sold to farmers etc).

VX has the advantage of also being usable as a binary chemical weapon. The two component parts being considerably less toxic. They can be removed by soap and water or to be sure a wash down with dilute house hold bleach.

Once you know this it becomes clear why there were two women involved and why they immediately went and scrubbed down in the washroom.

Their story about being hired by some TV program is thus likely to be complete BS and actually a really bad cover story that might in somebody's imagination get them released before an autopsy showed the signs that an organophosphate poison had been used, and most likely in binary form...

The only real question is who ordered the hit, it might not have been his half brother but somebody else. The reason I say this is that the current NK leader appears to have a taste for the dramatic execution like shooting people with artillery / anti-aircraft weapons "to send a message". It would appear this was carried out by people with slightly cooler heads.

Anura February 25, 2017 2:18 PM

@Clive Robinson

I thought the fact that it was VX told me there was a good chance that it was Kim Jong-Un sending a message. Just shooting or stabbing him would have resulted in this story fading out of the news from lack of additional details.

r February 25, 2017 5:01 PM

@Clive,

Except for the fact that according to Malaysia there were 4 known North Koreans watching the event from across the airport who then quickly boarded flights.

r February 25, 2017 5:53 PM

@Anura, Clive,

Actually, Anura is onto something here.

Let's give you what I've been filling my brain up with:

https://www.nytimes.com/2017/02/22/world/asia/kim-jong-nam-assassination-korea-malaysia.html

The police say the four North Korean conspirators watched the attack unfold. Soon after, they passed through immigration, had their passports stamped and left the country before the authorities realized Mr. Kim had been murdered. All are now believed to be in North Korea.

I'll drop more when I get the rest of my 40 pages of history that I just re-loaded sorted out for you guys.

r February 25, 2017 6:48 PM

nytimes 02/15:

The news media in Malaysia reported that the police were looking for four male suspects, suggesting that the plot was more involved than initially indicated. It was unclear whether the Malaysian man arrested Thursday was one of the four.

https://www.nytimes.com/2017/02/15/world/asia/kim-jong-un-brother-assassination-north-korea.html

nbc 02/21:

Malaysian police also arrested one North Korean in connection with the attack, and publicly announced the names of four other Northerners it wants to question, but who had left the country soon after the attack.

http://www.nbcnews.com/news/north-korea/kim-jong-nam-death-north-korea-could-lose-rare-friend-n723471

wapo 02/20:

With one North Korean in custody in Malaysia and at least four of his compatriots suspected of involvement,

...

His pronouncement came after Malaysia released information about four North Koreans who had been in Kuala Lumpur for several weeks but left on the day of the attack.

...

The man who has been arrested is 47-year-old Ri Jong Chol,

...

The other four named by Malaysia as suspects are now back in North Korea, having gone to great lengths to avoid going through China — the most direct route — to get home. They appear to have flown from Kuala Lumpur to Jakarta, Indonesia, then to Dubai and on to Vladivostok, Russia, then from there to Pyongyang.
It is not known why they went to such trouble, although China had been protecting Kim Jong Nam, who had lived in quasi-exile in Beijing and the Chinese territory of Macau for about 15 years.

https://www.washingtonpost.com/world/north-korea-says-malaysia-cant-be-trusted-to-investigate-the-killing-of-leaders-half-brother/2017/02/20/7f0cccb4-f740-11e6-be05-1a3817ac21a5_story.html

reuters 02/19:

Four North Korean suspects in the murder of the estranged half-brother of North Korean leader Kim Jong Un fled Malaysia on the day he was attacked at Kuala Lumpur airport and apparently killed by a fast-acting poison, police said on Sunday.

A North Korean man, a Vietnamese woman and an Indonesian woman have been arrested already in connection with the death of Kim Jong Nam last Monday, which has triggered a diplomatic spat between Malaysia and Pyongyang.

South Korean and U.S. officials believe Kim Jong Nam was killed by agents from the reclusive North, whose diplomats in Kuala Lumpur have sought to prevent an autopsy on the 46-year-old's body and demanded it be handed over.

"We believe the North Korean regime is behind this incident, considering five suspects are North Koreans," Jeong Joon-hee, spokesman at South Korea's Unification Ministry that handles inter-Korea affairs, told a briefing on Sunday.

Kim Jong Nam, the eldest son of the late North Korean leader Kim Jong Il, had spoken out publicly against his family's dynastic control of the isolated, nuclear-armed nation.

The young, unpredictable North Korean leader had issued a "standing order" for his elder half-brother's assassination, and there was a failed attempt in 2012, according to some South Korean lawmakers.

Deputy Inspector-General of police Noor Rashid Ibrahim told a news conference that Malaysia was coordinating with Interpol to track down the four North Koreans, but would not reveal where they flew to on the day of the murder.

"The four suspects are holding normal passports, not diplomatic passports," he said. "Next plan is to get them. We of course have international cooperation especially with Interpol, bilateral involvement with the country involved, we will go through those avenues to get the people involved."

The four suspects arrived in Malaysia just days before the attack on Kim Jong Nam, according to police.

Noor Rashid named the four who escaped as Ri Ji Hyon, Hong Song Hac, O Joong Gil, and Ri Jae Nam. The police are looking for three other people who are not suspects but who they believe could help with their enquiries, one of whom is North Korean.

http://www.reuters.com/article/us-northkorea-malaysia-kim-police-idUSKBN15Y068

I've got more, not on that specific sub-topic but I still need time to collate the kicker out of this for the VX aspect. Please don't mind the repetitive and backwards orientation of the narrative but do note that the reuters link hits on the chemist & other suspects and potential exact vector prior to vx being named 'officially'.

The big one is next I think you get the initial point for now.

r February 25, 2017 6:52 PM

What the CIA (proponent(?)) said on this thread earlier may be unfortunately timely considering the advent of escalation on other topics.

A nerf war may be exactly what we've gotten into with 'unattributable' leaks + 'fake' news.

Duck Duck...

Patriot February 25, 2017 9:17 PM

@r

Is that you think 'loveint' is news.

I didn't think that any of what I posted was news, but you didn't believe any of it was real so I posted reliable sources as proof.
I only mentioned loveint in response to someone saying that we needed more analysts, as if there were only a small, trusted, well behaved, law abiding little group of people who had access to the domestic spying database, as if it would be easy to find more who wouldn't abuse it. But they already have way too many to properly discipline them all.

The rest of your responses are simply ad hominem attacks; you've debunked nothing I've said other than to point out that the Equation Group being part of the NSA hasn't yet been admitted to by the NSA themselves.
Everything else I wrote against the NSA is confirmed by their own words, and really the amount of evidence linking EG to NSA is enough for any reasonable standard, unless you want to start doubting things like object permanence. I am skeptical but not to the point of believing nothing at all.

I don't understand how you went so quickly from writing about how you enjoyed our discussion but would like more proof, to saying that reading my post was as harmful as having rootkits installed on all your computers, worse than being the victim of all cyber crimes in the world, as soon as I posted proof, nor why you insist that cybercrime is victimless and harms no one.
I don't know why it made you think that I'm being paid, when all that I advocated for were charities, real non-profits, open source programs with no purpose but to defend against viruses and worms, botnets and spyware. I said that all ICs were as bad as the NSA so you're not accusing me of being paid to side with one of them. I'm obviously against all commercial and all communist products since they're closed source.

I'm sorry for offending you so greatly. I did not intend to make any of this personal. I thought that we were enjoying a civil discussion and that we largely agreed with each other other than about what I had wrongly believed was common knowledge, and I quickly admitted my wrong there.
I hope that whatever about me repulsed you so much didn't prevent you from reading the articles, as these issues are very real and affect everyone, however hard it is to believe that parts of your government are breaking the law.
Have a good day.

r February 26, 2017 4:15 AM

Yeah sure, except they didn't detect their tools in use by anyone. So either their dragnet SUCKS or whoever got them was intelligent enough to not take the bait.

I don't think you're capable of following me, sorry if you don't think...

that an international nerf war is funny en failure at this point.

Whose arse are we going to drag out into the streets?

The NSA? The CIA? The GRU?

And what will happen to the hydra when we cut off those heads?

Or when we grab our picket signs so hard that some guy named Leo gets a hard on for his baton in confusion?

Will the programs only head further underground than they already are? Look closely at the point I made reinforcing Miss iLE's stance.

If you want to make a difference you need to do it politely (from their perspective), as you can see all sides are just 'children with toys (e.g. nerf guns)'.

You're not getting it, I don't care. Anyways your leaky language tells me you're a knock off.

My country? Patriot? Ad-hominem attacks?

What you posted was shit, the positions you took are at this point gut reactions from where I am and if you think they were attacks then no wonder why you believe your own bullshit.

These are valid points that should invoke double think, it is not double speak on my end to be pointing this stuff out.

'our human race', you're losing the battle - we all are.

Your links and assertions were shallow, are shallow. Under what threat of physical violence are we coders to assume looms over our head other than the one I bring up above?

You sound very much like a paid and organized troll, whereas I should be very obviously an unpaid unorganized troll.

Which is better and which is worse?

In or on whose books?

I'm over this, you're simply a reformulated GRU after last week's conversation with them.

Come at me bro.

r February 26, 2017 4:38 AM

@Mod,

Did you make a pass over his blockquote failure?

I think it's worse now than it was, at least before it looked like it was messed up now the response case is semi-inverted.

@Id10t,

Let me refresh your memory of why you elicit such a response from me.

Not just Lavabit, anyone providing any IT services to Americans is required to make it easy to hack. Every single ISP and mail provider has to log everything the Americans do and make it trivial to get at that data per CALEA. Anyone who refuses to so sabotage American security will be kidnapped and if they struggle they will be murdered.

Really?

And you believe this is true why? Because of your own state propaganda? The funny thing is I can't even find a news article translated to english from any other countries that would even come remotely close to that assertion lol.

Links please or it never happened.

I think your inability to use blockquote properly led you to re-read my words as your own.

You're a fraudulent representation of a free-thinking individual come back when you're honest with us and yourself.

Can you add hominems?

Clive Robinson February 26, 2017 6:56 AM

@ r, Anura,

I guess I was a little too brief ;-)

From what we have been told publicly there are a number of people believed to be involved, all at fairly lowly positions in the grand scheme of things. From the way things were done it's reasonable to assume that the women involved would have a very low probability of getting away clean, which is a thought to hang onto.

Now North Korea is a place where advancement in higher levels is by second guessing what the eternal glorious leader wants, whilst ensuring there are patsies in place to take the fall if he is displeased, as that has a habit of being expressed in colourful ways such as a PR examination by howitzer.

There is also some evidence available that even though the regime is as functional as a rabid sheepdog there are "agents" of foreign powers in more senior positions...

So the question of who gave the order and why is an open one currently, as is why it was done the way it was. Also the motivation behind it. The victim whilst potentially being a "thorn in the side" of the NK regime was long past his "sell by date" in terms of "revelation potential", after all when did he last appear in western news etc? Thus there may be other reasons such as he might have been suspected of being a candidate for a coup d'état organised / backed by one of a number of world powers. Or he may have been suspected of being a contact/conduit for agents etc etc. But the questions come back to "by who" and "who actioned it" and "who planned it", and some of those answers may not be North Korean.

But getting back to the little we've been told and thus think about the actions of the two women, they clearly had knowledge that a venomous agent was involved and more than likely it was in binary form. It raises the possibility that they had reason to believe they would get not just detained but convicted, thus subject to the maximum sentence... So the question of their motivators comes into play.

As more information becomes public it will prove interesting to compare this alleged North Korean assassination against the earlier alleged Israeli assassination. One thing that can be said is that high definition CCTV and recording is having a quite visible effect on such "wet work"...

So I guess more comfy chair and popcorn time, whilst more information comes out.

r February 26, 2017 10:22 AM

@GRU

re: Yeah sure, except they didn't detect their tools in use by anyone. So either their dragnet SUCKS or whoever got them was intelligent enough to not take the bait.

Alas, there's a third option: maybe the crew that obtained the NSA 'leftovers' wasn't capable enough to vet their true fortune.

Were paranoia and incompetence factors in their un-use?

Did the GRU/FSB freeze in a panic, did they think it a test? ;-)

Do you have any second guesses for this line of inquiry ?

r February 26, 2017 10:29 AM

We know from previously, as with Iran and its Genovian sourced blueprints, that our intelligence structures are not above the dissemination of misinformation and sabotage.

It would be wise for you to build all your own tools, would you dare ask the Maoists to share?

r February 26, 2017 10:31 AM

Why not concentrate with us on binding the dirty little hands and feet of the (very) industrious Chinese?

Certainly you could win brownie points with the American IC and industrialist base through such constructive action.

Patriot February 26, 2017 11:14 PM

@r

You sound very much like a paid and organized troll

By RMS? The EFF? ACLU?

@GRU

Did you miss where I wrote "Everyone already knows that PLA/GRU are evil so I don't bother critiquing them."?

re: Yeah sure, except they didn't detect their tools in use by anyone. So either their dragnet SUCKS or whoever got them was intelligent enough to not take the bait.

I didn't write that the part about Equation Group was 100% proven, I wrote "the Equation Group being part of the NSA hasn't yet been admitted to by the NSA themselves. Everything else I wrote against the NSA is confirmed by their own words, and really the amount of evidence linking EG to NSA is enough for any reasonable standard". Calling this circumstantial evidence when the US has ordered assassinations based on metadata is absurd; https://www.wired.com/2015/02/kapersky-discovers-equation-group/
A keyword—GROK—found in a keylogger component appears in NSA documents leaked by Edward Snowden to The Intercept that describe a keylogger by that name. There are other connections to an NSA spy tool catalog leaked to other journalists in 2013. The 53-page catalog details—with pictures, diagrams and secret codenames—an array of complex devices and capabilities available to intelligence operatives. The capabilities of several tools in the catalog identified by the codenames UNITEDRAKE, STRAITBAZZARE, VALIDATOR and SLICKERVICAR appear to match the tools Kaspersky found. These codenames don’t appear in the components from the Equation Group, but Kaspersky did find “UR” in EquationDrug, suggesting a possible connection to UNITEDRAKE (United Rake). Kaspersky also found other codenames in the components that aren’t in the NSA catalog but share the same naming conventions—they include SKYHOOKCHOW, STEALTHFIGHTER, DRINKPARSLEY, STRAITACID, LUTEUSOBSTOS, STRAITSHOOTER, and DESERTWINTER.
Other evidence possibly pointing to the NSA is the fact that five victims in Iran who were infected with Equation Group components were also key victims of Stuxnet, which was reportedly created and launched by the U.S. and Israel.

Kaspersky wouldn’t identify the Iranian victims hit by the Equation tools, but the five key Stuxnet victims have been previously identified as five companies in Iran, all contractors in the business of building and installing industrial control systems for various clients. Stuxnet targeted industrial control systems used to control centrifuges at a uranium-enrichment plant near Natanz, Iran. The companies—Neda Industrial Group, Kala Electric, Behpajooh, CGJ (believed to be Control Gostar Jahed) and Foolad Technic—were infected with Stuxnet in the hope that contractors would carry it into the enrichment plant on an infected USB stick. This link between the Equation Group and Stuxnet raises the possibility that the Equation tools were part of the Stuxnet attack, perhaps to gather intelligence for it.

But the newly uncovered worm created by the Equation Group, which the researchers are calling Fanny after the name of one of its files, has an equally intriguing connection to Stuxnet.

It uses two of the same zero-day exploits that Stuxnet used, including the infamous .LNK zero-day exploit that helped Stuxnet spread to air-gapped machines at Natanz—machines that aren’t connected to the internet. The .LNK exploit in Fanny has a dual purpose—it allows attackers to send code to air-gapped machines via an infected USB stick but also lets them surreptitiously collect intelligence about these systems and transmit it back to the attackers. Fanny does this by storing the intelligence in a hidden file on the USB stick; when the stick is then inserted into a machine connected to the internet, the data intelligence gets transferred to the attackers. EquationDrug also makes use of the .LNK exploit. A component called SF loads it onto USB sticks along with a trojan to infect machines.

The other zero-day Fanny uses is an exploit that Stuxnet used to gain escalated privileges on machines in order to install itself seamlessly.

Fanny

Raiu says he thinks Fanny was an early experiment to test the viability of using self-replicating code to spread malware to air-gapped machines and was only later added to Stuxnet when the method proved a success. Notably, the first version of Stuxnet, believed to have been unleashed in late 2007, didn’t use zero-day exploits to spread; instead it spread by infecting the Step 7 project files used to program control systems at Natanz. Fanny was subsequently compiled in July 2008 with the two zero-day exploits. When the next version of Stuxnet was unleashed in 2009, the privilege-escalation exploit from Fanny was added to it. Then in 2010, the .LNK exploit from Fanny was added to a version of Stuxnet unleashed that March and April.

Fanny may have been used initially as proof-of-concept to test the viability of getting Stuxnet onto air-gapped machines in Iran. Or it could have been used for a different operation entirely, and its developers simply shared the exploits with the Stuxnet crew. The vast majority of Fanny infections detected so far are in Pakistan. Kaspersky has found no infections in Iran. This suggests Fanny was likely created for a different operation.

Pakistan’s nuclear weapons program, like Iran’s, has long been a U.S. concern. The centrifuge designs used in Iran’s uranium-enrichment plant at Natanz came from Pakistan—a Pakistani scientist helped jumpstart Iran’s nuclear program with them. Information about the NSA’s black budget, leaked by Snowden to the Washington Post in 2013, shows that Pakistan’s nuclear program, and the security of its nuclear weapons, is a huge concern to U.S. intelligence and there is “intense focus” on gaining more information about it. “No other nation draws as much scrutiny across so many categories of national security concern,” the Post wrote in a story about the budget.

Kaspersky found only one version of Fanny. It arrived in their virus collection system in December 2008 but went unnoticed in their archive until last year. Raiu doesn’t know where the Fanny file came from—possibly another anti-virus firm’s shared collection.


Or did you want proof that the Shadow Brokers' leak was from the Equation Group? They gave a large sample out for free as proof and independent researchers have verified it; http://www.ibtimes.co.uk/hackers-claim-have-breached-nsas-elite-cyber-spy-team-auction-stolen-cyberweapons-1576245 https://arstechnica.com/security/2016/08/group-claims-to-hack-nsa-tied-hackers-posts-exploits-as-proof/


Your links and assertions were shallow, are shallow. Under what threat of physical violence are we coders to assume looms over our head other than the one I bring up above?
Anyone who refuses to so sabotage American security will be kidnapped and if they struggle they will be murdered.

Really?

And you believe this is true why? Because of your own state propaganda? The funny thing is I can't even find a news article translated to english from any other countries that would even come remotely close to that assertion lol.

Links please or it never happened. Do you think that this isn't a violent threat? Oh, that was the CIA not NSA, my bad.
Someone comes up with a service that the NSA are too dumb to hack and he has 3 choices; sabotage or shut it down for them, be kidnapped, or resist and be murdered.
Oops, that was the FBI. But they're arguably merged now so I'm basically correct; http://foreignpolicy.com/2013/11/21/meet-the-spies-doing-the-nsas-dirty-work/

Do you think nothing untoward would have befallen the author of Lotus Notes if not for ceding to NSA's demand to cripple its security?

Do you think it's more likely that RSA/NIST are GRU fronts than it is that they're telling the truth when they say that the NSA sabotaged a primarily American standard and that using it is dangerous?

I believe that that does cover everything. If any of my other accusations against the NSA haven't been established firmly enough for you, please specify which ones and I'll be happy to expound on them.
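The USB dead-drop mechanism described in the Fanny excerpt above (intelligence parked in a hidden file on the stick, carried out when the stick next reaches an internet-connected machine) is something a defender can check for by inventorying removable media before it goes into an isolated network and again when it comes back. The following is an added example, not code from the article or from Kaspersky; the mount directory, the hidden-file definition and the sample files are my assumptions.

```python
import hashlib
import os
import stat
import tempfile

def _is_hidden(path):
    """Dotfile, or Windows hidden attribute where the platform exposes it."""
    if os.path.basename(path).startswith("."):
        return True
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))

def snapshot(root):
    """Manifest of the stick: relative path -> (size, sha256, hidden flag)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root)
            manifest[rel] = (os.path.getsize(full), digest, _is_hidden(full))
    return manifest

def diff_snapshots(before, after):
    """Findings: files that appeared or changed while the stick was away
    (hidden ones flagged separately) and any .LNK file on a document stick."""
    findings = []
    for rel, (_size, digest, hidden) in after.items():
        if rel.lower().endswith(".lnk"):
            findings.append(("lnk-file", rel))
        prev = before.get(rel)
        if prev is None:
            findings.append(("new-hidden" if hidden else "new-file", rel))
        elif prev[1] != digest:
            findings.append(("changed-hidden" if hidden else "changed-file", rel))
    return findings

def _write(root, name, data):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario (assumed): one document goes out, two extras come back."""
    root = tempfile.mkdtemp()
    _write(root, "report.docx", b"legitimate document")
    before = snapshot(root)
    _write(root, ".cache.dat", b"data collected on the isolated machine")
    _write(root, "report.lnk", b"L\x00\x00\x00")  # placeholder bytes, not a real .LNK
    return sorted(diff_snapshots(before, snapshot(root)))
```

In practice the "before" manifest is taken on the gateway machine that loads the stick, and the "after" one when it returns, so a file that only exists because of the trip stands out regardless of how it is named.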

Dan H • February 27, 2017 7:00 AM

Snowden is no different than Robert Hanssen, Aldrich Ames, Chi Mak, John Anthony Walker Jr, or other spies who did damage to the USA.

r • February 27, 2017 7:40 AM

@Dan H,

I'm on the fence about Snowden at this point in all fairness, but there is a HUGE glaring difference: he released at least SOME of his exfiltrations.

So even your position is a position of slant at this point, this knot is a hard one to undo.

On the same fence, making him 'better' are the same qualities that potentially make him 'worse'. The damage he's done through going public is considerably further reaching otherwise.

@Patriot,

@Bruce's site is quirky, blockquote usage allows for only a single depth making it very easy to handcode.

Dreamweaver?

Believe you me, I am an avid supporter of the EFF and ACLU at this point in my life but I think our impasse is that I see no way around the militarization that has been and will continue to occur. My apologies for dismissing you as one of the previous GRU apparitions and believe me that I completely understand your reservations either as a United States citizen or not but we are all in deep shit at this point. There's no other way to go about it other than to **cough** infiltrate the system and then to **infiltrate** their heads.

Responsibility must be promoted, if you believe that online censorship is bad and spying is bad then likely you will also believe that the silence resulting from the usage of a nuclear weapon on what are effectively peasants is also bad.

The world has gotten to the point where we are firing 'nerf guns' at centrifuges, at researchers, at protesters. Because these are perceived and basically sometimes are 'soft weapons' the escalation has gotten to the point where it's gone from a couple of salvos of soft foam into an outright war with them.

But, if these nerf guns can be used responsibly then there is good that can be done. I think that should be the goal, to temper our usage so as to not be lobbing what are essentially temper tantrums.

This problem is not going away, not now and not ever; there will always be hackers and spies. We don't really know enough at this point to call for a complete deescalation and even if we could we know from past experience (the recent pipeline and Occupy Wall Street etc) that such powers will be continually abused.

Believe me, I'm scared about the jurisdictional changes related to warrant issuing and the "going light(not dark)(('green lighting'))" of things like IMSI catchers at this point.

We must develop arguments both for and against and we must disseminate these arguments in a manner that's conducive to a dialog because otherwise they will continue to be used indiscriminately.

That's my odd little angle to the situation at hand, again I apologize for my paranoia with seeing you as a GRU ghost (I did see your PLA position).

We are in this together, we have to understand both what is capable and what is reasonable.

Those two questions are an ever evolving monster and we only get glimpses of what's going on underneath the rug.

I do not refute that EG is the NSA, but something to consider is that where stuxnet and iran are considered it was likely (and proven) to be a much larger (group wise) interaction than some solo NSA effort and therefore may include components of the CIA etc.

EG could be the same thing, we don't know a whole lot about TAO but the NSA is likely not the only opponent with such capabilities and we absolutely do not know where the overlap begins or where it ends.

r • February 27, 2017 7:43 AM

should read: **cough** infiltrate the system and then to **cough** infiltrate their heads (effecting change through responsibility and guidance)

Clive Robinson • February 27, 2017 10:46 AM

@ Dan H,

Snowden is no different than Robert Hanssen, Aldrich Ames, Chi Mak, John Anthony Walker Jr, or other spies who did damage to the USA.

Oh dear, another generalisation that is worth rather less than the effort it took to type it.

There is a lot of noise about Ed Snowden doing damage to the USA, however like blowing smoke there's a lot of fug but no evidence of fire.

Come back when you can actually present credible evidence of "damage to the USA". Oh and don't bother with any of the political rhetoric from idiots on the hill or those in charge of the IC agencies, their word is of no worth, and they have been proved to be either uninformed or liars...

Dan H • February 27, 2017 2:29 PM

@Clive Robinson

I actually find it quite humorous you believe you know more than the heads of the departments of the damage done and you dismiss their claims because of their positions.

Clive Robinson • February 27, 2017 5:33 PM

@ Dan H,

I actually find it quite humorous...

Not as funny as the fact you offer squat diddly to support your claims, and would appear to take the word of a bunch of braggarts and dick pic posters on the take who managed to con the electorate, and a bunch of proven liars on the make for a million a month out of banks etc after handing out overpriced contracts to various types like Booz Allen etc.

vas pup • February 28, 2017 12:38 PM

@skl and other respected bloggers who responded to my initial post:
VX nerve agent 10 times more poisonous than sarin:
http://www.dw.com/en/vx-nerve-agent-10-times-more-poisonous-than-sarin/a-37701420
"The production of VX is not very difficult for trained chemists with regular laboratory equipment.(!)" That is a real threat with commercial drones as a precise delivery option. LEAs, please wake up and develop some kind of preparation plan! Radicalized chemists are trained already in universities of Europe and the US. Drones are available off the shelf. Could you please connect the dots?


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.