Internet Security Threats at the Olympics

There are a lot:

The cybersecurity company McAfee recently uncovered a cyber operation, dubbed Operation GoldDragon, attacking South Korean organizations related to the Winter Olympics. McAfee believes the attack came from a nation state that speaks Korean, although it has no definitive proof that this is a North Korean operation. The victim organizations include ice hockey teams, ski suppliers, ski resorts, tourist organizations in Pyeongchang, and departments organizing the Pyeongchang Olympics.

Meanwhile, a Russia-linked cyber attack has already stolen and leaked documents from other Olympic organizations. The so-called Fancy Bear group, or APT28, began its operations in late 2017 -- according to Trend Micro and Threat Connect, two private cybersecurity firms -- eventually publishing documents in 2018 outlining the political tensions between IOC officials and World Anti-Doping Agency (WADA) officials who are policing Olympic athletes. It also released documents specifying exceptions to anti-doping regulations granted to specific athletes (for instance, one athlete was given an exception because of his asthma medication). The most recent Fancy Bear leak exposed details about a Canadian pole vaulter's positive results for cocaine. This group has targeted WADA in the past, specifically during the 2016 Rio de Janeiro Olympics. Assuming the attribution is right, the action appears to be Russian retaliation for the punitive steps against Russia.

A senior analyst at McAfee warned that the Olympics may experience more cyber attacks before closing ceremonies. A researcher at ThreatConnect asserted that organizations like Fancy Bear have no reason to stop operations just because they've already stolen and released documents. Even the United States Department of Homeland Security has issued a notice to those traveling to South Korea to remind them to protect themselves against cyber risks.

One presumes the Olympics network is sufficiently protected against the more pedestrian DDoS attacks and the like, but who knows?

EDITED TO ADD: There was already one attack.

Posted on February 12, 2018 at 6:36 AM • 40 Comments

Comments

22519 • February 12, 2018 7:54 AM

It's probably SIGINT and cyber ground zero now that Kim Yo-jong, Kim Jong-un's half sister, is doing diplomacy for the North at the Olympics.

Moreover, she is now in full view, which has not been the case for a while.

Clive Robinson • February 12, 2018 10:01 AM

@ Bruce, ALL,

    One presumes the Olympics network is sufficiently protected against the more pedestrian DDoS attacks and the like, but who knows?

WiFi is WiFi, and as we know, so many people like journalists want to use it to post stories and the like that the username and password get written up on white boards and Post-it notes in press centers, and TV journalists end up with them on camera for all the world to see.

The Olympics is a spectacular of "Peace and co-operation" that is supposed to bring "Goodwill to all men". But every politico worth a bribe will use it for political reasons, likewise other people of even lesser goodwill want to use it for their own political reasons...

Thus you have a tension between making the spectacular good for the competitors and those who watch and those of alternative intent.

It's difficult to be both open and closed at the same time.

Unfortunately we also know that those of real malintent, such as the NSA and CIA amongst many others, will be worming their way into the host nation's infrastructure any which way they can, regardless of consequences (the Greek Olympics being just the most obvious).

Whilst I have no doubt uncle tom cobbly and all SigInt and IC entities will be trying it on, attribution is as always a major problem.

Let's be honest here, we know the CIA and NSA were up to their noses in the Greek Olympics. We also know the NSA have the tools to defeat 99.99...% of security practitioners that are not Gov entities. We also know the CIA has tools that can impersonate other cyber-attacks, thus causing major misattribution to their benefit.

From what is currently happening in the world we know the CIA at least, if not the NSA, would love to have the Russians pointing at North Korea and the other way around. We also know they would love to create friction with China as well...

Oh, and we know that there are groups of South Koreans that hate the North in a way that few westerners can really understand.

There is also good reason to believe that they have "assisted the CIA" in various false flag ops to raise political tensions between the North and South.

Perhaps it's time we took a couple of steps back from the attribution game. Because the Internet does not allow for reliable attribution to be possible.

The SigInt and IC entities know this full well and really rely on it to do their "dirty tricks".

Thus until some real, reliable and most importantly verifiable HumInt comes through, it's all hearsay and not in any way, shape or form evidence. Thus do not fall into the trap of buying into the attribution nonsense; learn to think independently and not be led around by the nose like bulls to the slaughter by people reliant on US tax dollars and secretive arrangements with the SigInt and IC entities or politicos on the make...

Bauke Jan Douma • February 12, 2018 1:03 PM

@Clive
"Perhaps it's time we took a couple of steps back from the attribution game. Because the Internet does not allow for reliable attribution to be possible."

Words that should be cross-stitched and hung over beds.

Impossibly Stupid • February 12, 2018 1:09 PM

Based on numerous attacks against my own servers, the only hostile nation state I see that "speaks Korean" is South Korea. Not that NK and Kimmy are good people, but SK clearly has far more criminal organizations that are active online.

Russia (and Ukraine) are active in my logs, too, but I have to wonder what they think they're going to accomplish when it comes to attacking the Olympics further. I mean, once you get caught screwing with an organization, you don't get back into their good graces by screwing with them further. The only reasonable end game would be to ruin them (e.g., get evidence of such extensive corruption that the Olympics ceased to exist), but then you'd have to wonder in retrospect why you made them so important in the first place such that you had to go through an elaborate cheating scheme to "win" at all costs. That's a highly dysfunctional "If I can't have you, nobody can!" mentality.

No mention of China, though, is what stands out to me. Either they're sophisticated enough that they're escaping detection, or they simply have enough power to influence the Olympics through more traditional channels. Otherwise, though, they're the worst offender I see when it comes to online attacks.

(required) • February 12, 2018 4:23 PM

"Kim Jong-un's half sister, is doing diplomacy for the North at the Olympics."

People got excited but it was nonsense. She's not a diplomat. She was there as propaganda.
She's already back at home, she was there for like 3 days. She did nothing, said nothing.

NK was trying to make overtures to turn SK against the US, which actually isn't so far-fetched.
Now they invited SK to visit, Pence only gave the 'ok' IF they agree to make zero concessions now.
Apparently they agreed to exactly that.

SK sees Trump as a madman who very well may get them all killed. They want to try their own hand at negotiation with Kims as they're convinced they'll do a better job and frankly we can't really fault them for thinking so right now. Certainly they've got their own self-interest closer at hand than Trump's grand visions for their peninsula - at 20,000 degrees F.

"Because the Internet does not allow for reliable attribution to be possible."

Sure it does. You just have to wait until you get vetted information instead of relying on conjecture.
Some people think that's impossible. For them, it may be.

(required) • February 12, 2018 4:39 PM

Russia, completely banned from the Olympics due to being caught systematically cheating so many times,
is stewing at home. The fact that they can't compete is a national disgrace to them.

We have evidence that Russia does this and they have a motive, now.
False flag suggested? Show us evidence or it's purely a timely guess.

To paint the NSA as the same boogeymen as the CIA is to probably misunderstand both, including TAO.
Sure it's possible, it could also be Vietnam, Turkey, Israel, lots of places have hackers.
ANY of them can hire Koreans with skills. It's not rocket science. It's money.

For the US to do it would require a significant objective, that's why they do this.
That's why anyone does things. This was targeted, it's not WannaCry or something.

The suggestions for motive are pretty vague. Russia has a very straightforward motive.
That's certainly not evidence, but you can't just discount that out of hand either.
And yet didn't I just read that exactly?

Clive you say take a step back and wait for attribution, that's exactly right. So, let's. Right?

Defending Putin and attacking the NSA isn't really illustrative of that notion, is it?
Though I believe I understand why you do it.


(required) • February 12, 2018 4:49 PM

Look at the malware.

It's a credential stealer, it's trying to get deeper into the org and cover its tracks.
It is only 'noticed' because it deletes logs and whatnot doing exactly that.

Who wants to get deep into the IOC? Who could it be!

You think the NSA would need to deliberately cripple computers in covering its tracks?
Please.

Dan H • February 12, 2018 6:54 PM

The CIA was behind Japan’s nuclear power plant meltdown.
The CIA was behind Houston’s hurricane.
The NSA created Alexa to spy on people.
The NSA crews the ISS.
The CIA crashed the Russian plane.
The CIA and NSA infiltrated CNN to create positive coverage of Kim’s sister.

Clive is more than a little paranoid and thinks Putin, Kim, China, Iran are the good guys trying to slay the evil USA.

(required) • February 12, 2018 8:19 PM

There's a non-zero possibility this is a false flag. Clive is 100% right to consider that notion.
It just seems not up to par with his other more methodical insights.

How's that for a backhanded compliment? He's not in bed with Vlad. (yet)

It just seems like it comes a little quickly. I don't trust the CIA either. The NSA has certainly provably abused our trust also, it's perfectly true. Reasonable to consider absolutely. But first, here, without any real evidence to point to? Not even a solid motive really? Eh...

I just wonder why it would seem so unreasonable to him that Vlad would want to disrupt or infiltrate the Olympics, has means and motive both, and that comparably juxtaposed in motive the UKUSA had something substantial to gain by (very!) marginally disrupting the IOC org in an effort to pin this on "someone", undefined as yet... but to what end?

To try to reestablish that Russia has hacking squads, reported again in the public sphere? There's no lack of stories about that, no need to "invent" any. It would be a big mistake to casually try to frame Russia for something in a half-assed kind of way right now, all eyes on it. Self defeating, massively. I don't see the big upside if successful really either.

But it's true, the Bay of Pigs did go down. The media has lied before, all of them have.
We can't really discount or disprove the possibility of what Clive is getting at without evidence.
It's pretty damn near impossible to do comprehensively without a clearance.

So back to the blogosphere it goes... where attribution lands, nobody knows...

tyr • February 12, 2018 11:52 PM

@Clive

The simple-minded of the world want to have closure, to believe the narrative of clearly defined good and evil, to assume that they can see through any deception to the 'truth'.

You can understand why, the world is far too complex and nothing is what it seems to be on first glance so wrapping your tail around your balls and retreating into fantasy seems highly preferable.

Thank you for your efforts to rein in the more speculative when they jump to unwarranted and specious conclusions.

The Korean peninsula is full of people on both sides of the DMZ who are not too tightly wrapped and they have their reasons for being that way.

The best outcome for both would be an end to the war without a nuclear exchange that would embroil the rest of the world. The Koreans can solve their own problem.

Oh really • February 13, 2018 1:56 AM

Yeah nobody but idiots wants to know the truth, good point.

Clive has magic secret information on this topic proving the CIA/NSA both the same, and culpable.

Makes sense to me, where do I pay alms around here?

Bong-Smoking Primitive Monkey-Brained Spook • February 13, 2018 3:10 AM

@ Oh really:

    ... CIA/NSA both the same, and culpable.

He didn't say that. Put the bong down (and give it to me)! You can't handle it; it clouds your comprehension :)

22519 • February 13, 2018 3:11 AM

@ Clive

"...the trap of buying into the attribution nonsense."

That is certainly true.

"There is also good reason to believe that they have 'assisted the CIA'..."

Let's not jump on the NSA or CIA when they are doing their jobs on the Korean Peninsula--incredibly important jobs at that. We can all agree that preventing nuclear catastrophe is a worthwhile goal.

I very much doubt that U.S. intell, even down in the innards of some basement, really wants to stoke tensions between the North and South. We already have enough of those.

North Korea is a heinous operation, and Kim Jong-un's sister is a salamander. It is demented.

The DPRK is a good place for Western intell types to go do their jobs against Miss Salamander, her murderous half-brother, and the whole abomination against human dignity that the DPRK has become.

(req'd) • February 13, 2018 3:44 AM

    He didn't say that.

I was paraphrasing and you're right, it wasn't exactly as I said.

BEGIN QUOTE

Unfortunately we also know that those of real malintent, such as the NSA and CIA amongst many others, will be worming their way into the host nation's infrastructure any which way they can, regardless of consequences (the Greek Olympics being just the most obvious).

Whilst I have no doubt uncle tom cobbly and all SigInt and IC entities will be trying it on, attribution is as always a major problem.

Let's be honest here, we know the CIA and NSA were up to their noses in the Greek Olympics. We also know the NSA have the tools to defeat 99.99...% of security practitioners that are not Gov entities. We also know the CIA has tools that can impersonate other cyber-attacks, thus causing major misattribution to their benefit.

From what is currently happening in the world we know the CIA at least, if not the NSA, would love to have the Russians pointing at North Korea and the other way around. We also know they would love to create friction with China as well...

END QUOTE

Nostradumbass • February 13, 2018 3:52 AM

The CIA and the NSA have different missions. It's separate for a reason.

Clive not only equivocated them he implied their false flag here was more plausible than anything else.

That's very something. I appreciate a good yarn-rant as much as the next cat.
Evidence would go a long way in lieu of a plausibly described motive.

echo • February 13, 2018 5:51 AM

In politics I have noticed a lot of data being cherry picked. Is there any objective assessment of individual countries' intelligence invasiveness (properly weighted so the final numbers make sense)?

Are there indirect methods of assessing capabilities?

Naked gain aside, is it fair to assume that on the surface adversarial nations would use their intelligence apparatus to warn another nation if they detected a threat?

I know all this is obvious stuff but this kind of view is rarely given a headline.

Yawn. • February 13, 2018 9:18 AM

What's the problem? So what if they get hacked, how does that affect athletic performance? I didn't think eSports were going to be a part of these games. It's the Olympics, not the stock market.

Unless the timekeeping clocks are being messed with, I see nothing but a bunch of media hysteria. You can't just hack away someone's muscles or reflexes with a computer... you'd need a hatchet for that hacking job! I'm pretty sure the games themselves will be safe, unless Tonya Harding managed to book a flight on a false identity.

Sorry if this is naïve of me, but what exactly could be "hacked" that would actually mess with the results and outcome of the events, or the performance of the athletes who compete in them? I'm willing to concede to any decent examples, but I personally can't think of any at the moment.

Sure, non-athletes such as the media could have their stuff broken into, nothing they're not already used to dealing with and taking countermeasures against every single time they travel. They're journalists, they deal with this crap in their hotel rooms and at border crossings all the time.

As for visiting families and supporters... yeah, learn how to protect yourself, or just travel "disconnected" if you can't be arsed, i.e. leave the tech at home and enjoy your vacation without the distractions. You can still get cameras that are just cameras, they're fun.

Yawn. • February 13, 2018 9:52 AM

Sorry for the double-post, but if all that's being done is having documents from WADA being stolen and leaked, I still fail to see any problem here. Hypocrisy is being exposed, which is a highly noble goal for anyone who takes the risk of using their hacking skills in the name of encouraging fairness, even if it is done by force.

As a Canadian, I'm not offended by that information leaked on that coke-snorting pole vaulter, I'm glad that leak happened. Strip his medal for dishonouring the sport and shove that pole up where it really belongs for all I care. The truth is more important than my right to puff my chest up over my country's medal count.

I honestly hope it does turn out to be the Russians behind this leak. They of all people deserve a shot at exposing hypocrisy in the Olympics after they've been under such a coordinated propaganda campaign never before seen since the days of the cold war.

I'm not denying that there's quite a problem with Russian athletes (and judges!) corrupting the games with drugs and money, but let's also not forget it was the United States Postal Service -- a function of the United States federal government -- who helped Lance Armstrong dope his way through the Tour de France.

I've been very skeptical of this blanket ban on Russian athletes from the beginning, it stinks of propaganda and dirty politics. I would have agreed with kicking out those who have been proven to be cheating, but the entire national team?! It's like this is what we have to do now that we can't blame Russia for "haxing teh elekshunz" anymore. Well, that didn't work the way we hoped it would, so... Plan B: Kick them out of the Olympics!

But again, as I asked in my above post, aside from hanging people's dirty laundry out to dry, exposing the uncomfortable truth to everyone and holding all athletes to the same standards regardless of nationality, how could evil hackers ruin the games in a malicious, unethical, unfair fashion?

M • February 13, 2018 11:22 AM

From the linked article about the attack:

"But best international practice says that you don’t talk about an attack."

I'm wondering what international best practice that would be...

Clive Robinson • February 13, 2018 1:05 PM

@ (required),

    Sure it does. You just have to wait until you get vetted information instead of relying on conjecture.

No it does not; it's a technical issue, not a pay-grade or political one. Vetting has nothing to do with it; just an education at a good academic institution suffices.

If you think about it, the only thing you can actually verify directly is what is coming in on the network cable at the hole in the wall at your point of measurement. After that "it's all conjecture", plain and simple; no pay grade issues are needed to see that.

Whilst there are techniques like Time-Domain Reflectometry (TDR) that can produce echoes from changes in a transmission line's performance, such as an impedance change, they are by no means perfect due to measurement sensitivity and the degree of mismatch within the line.

Also, how would you tell from "looking in the cable" if what you do see is an ISO OSI layer one or less "line conditioning / amplifier unit", an "in-line tap/tee" or something more sophisticated? If you cannot answer that question accurately, your knowledge is not sufficient to determine very much when it comes to what actually goes on, which makes your comment "unqualified" as well as "conjecture".

It's funny, but the old-time security people from the 1980s and earlier understood this stuff without comment and understood the limitations of what was and was not possible, likewise what constituted evidence and what did not. You can actually find some of it online, including the old standards (@Nick P occasionally puts up compendiums of such information). There are also a couple of indirect references to it in a book you should have read,

    "The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage", 1989, by Clifford Stoll

Cliff assumed his readers would know exactly what he was talking about in certain areas, thus did not clutter the dialogue up with it. I guess Cliff, like many of us, did not realise just how much things would get dumbed down in the next three decades.

Sorry to be as blunt about it as this, but there are people who know the reality of these things and those who don't, and I've been over it a couple of times previously on this blog, so you can look back and catch up, or go read a post-graduate book or three on the subject.

Also on the "political front", as I have pointed out on a number of occasions in the past, I really do not care who did it, because in most cases they are all as bad as each other no matter what flag they salute or nod to; it's just more of the same old "Great Game".

That's not getting into bed with Vlad, or Kim, or being paranoid etc.; it's just knowing that most of the related comment is political blustering from those who have an agenda that I've certainly no interest in, as it lacks any credibility. They are also quite silly and, like most "sound bites", have less than zero contact with reality, aimed at those who cannot or do not wish to think critically. Which I believe is sometimes referred to as "sheepol" manipulating the "sheeple" (see the Urban Dictionary).

However, what I do care about is the consequences of such inanity, as they are actually important. Especially if some idiot decides the kinetic option is the way to go. That is when political inanity and rhetoric boil over into military action and then unfortunately escalate when the antagonists are at similar levels (hence the idea of proxy wars).

However, our knowledge of human nature tells us that, as dire as MAD might be, there is always going to be at least one idiot who thinks they have a plan around it, and if they get into the required position will often "go for it".

Currently the US, pushed by its war hawks and MIC, wants another excuse for a war somewhere, as the war on terror is going stale as that on drugs did earlier. In fact some respected US commentators have indicated it's more than half a decade overdue for the US to go and beat up on some significantly lesser country as an example to others to toe the US line. The US are also the ones "banging the drums" about going kinetic and are overly fond of sending in the drones to commit acts of war, as any US MSM rag should have got over to the majority by now.

As people are finally starting to wake up to, the world was talked into the invasion of Iraq by lies very clearly "cooked up" by cliques around US President G.W. Bush and UK Prime Minister A. Blair. They chose to fabricate evidence rather than use available and verifiable evidence; their excuse has always been to blame others or not comment. Yet the actual evidence shows them to have either lied over and over and over, or be seriously deranged. Either way there is little indication that things have changed in that respect in either the US or UK.

It's fairly clear to many that the US has and still does try to provoke North Korea into military action, and a little thinking will show that another proxy war there will bring not just Russia but China into the conflict, as both regard North Korea as a buffer nation to their own territories.

Again if you look back on this blog I've been pointing out where the US are next most likely to cause problems and why long before others do. It gives me no great satisfaction to be effectively right. You don't need a clearance or enhanced "pay grade" to see the evidence and work out what is likely to be true and false from it.

The US political structure has had its nose put out of joint quite badly recently over both North Korea and Iran; the rest of the world is choosing to increasingly ignore the US and marginalize its opinions and rhetoric. As has been observed of tigers, they become dangerous as they become toothless. Unfortunately what applies to wild animals can as easily apply to nation states, as history has often shown. In essence they don't want to lose power or primacy, and as history shows they often do not go gracefully.

By population alone the US is well down on the nations listings, and as the EU is becoming as federal as the US, that pushes the US down further. Technically, educationally and health-care-wise the US is again down the rankings. But the US has a more insidious problem: US lifestyles are way, way above the norm even in recession, and the US is running out of cheap resources to support those lifestyles. History shows us that politicians do not fare well when living standards drop, and that leads to political instability, which, as history shows again, frequently leads to armed conflict and the considerable harm that gets written off as "collateral damage". Most other nations are tired of having their citizens and infrastructure viewed that way by the US, which also accounts for their increasing distrust, a view that is not helped by US corporate behaviour and the chicanery that came out over the Obama trade talks, that eventually stopped them.

As I've pointed out in the past, the US IC/SigInt entities managed to dodge a bullet in Dec 14 at Doha, but that is likely to change. Much of the US electronic intel is possible only due to the "all roads lead to Rome" current construction of the Internet, having the center of the web in the US and the Five Eyes straddling communications "choke points", thus giving them a significant technical advantage.

For various reasons, not all political, things were beginning to change, albeit slowly, and that technical edge was becoming more expensive to maintain. But the Ed Snowden and other revelations came along in Jun 13 and later sped those changes up. Worse, the behaviour of the US tech corps with the NSA coming out into the open has made it political in a way few in the US understand. Hence the changes are happening faster still, and the technical advantages are starting to ebb for other reasons as well as a result.

Whilst there is not as such a boycott on US goods and services, buying from non-US sources is on the rise, further damaging the US economy. Oh, and US corps are increasingly finding themselves in legal cross hairs with regards to avoided profits, questionable business practices and what boil down to human rights such as privacy. And that's all before the US military war hawks do stupid things in South Korea, Japan and other parts of the world such as the old Communist bloc. That little "golf course" incident ended up hurting the South Korean economy enough to cause not just international news, but is also starting to cause increasingly more South Koreans to see the US, not the North or China, as the enemy who will make them "collateral damage" or "Ash City" under a mushroom cloud or ten.

As has been pointed out in the past, the US does not have enough citizens to conscript to win a conventional war in the Korean Peninsula. Which is why back in the 1950s the US commander in the field, after directly or indirectly killing a third of the population and still losing, demanded the use of nuclear weapons, which the US politicians of the time declined, and the US effectively lost any chance of winning even a Pyrrhic victory.

The Koreans on both sides of the DMZ get taught this as part of their education, unlike the US, so it's something they think about a lot more. Which is why they realise that with both Russia and China having not just nuclear capability but effective delivery mechanisms, the nuclear option that they think Donald Trump is seriously considering will not work either; the US cannot win a war in the Korean Peninsula, plain and simple, all they can do is create trouble. The fact that the North has a delivery mechanism and nukes developing, they also realise, is the behaviour of a "rational actor" in the face of an otherwise irrational actor in the US. The same thinking is happening in Japan and Taiwan as they realise they are on the US "Ash City" list as well.

Try asking South Korean, Japanese and Taiwanese security experts who they think has most to gain from what is going on in the Olympics and you will get a view that might surprise you, as you will find fingers increasingly pointing across the Pacific...

Whether the US wants it or not, "US isolationism" is coming back, rather more from without than within, and a fall in citizen status will happen as a result; we have already seen this and its destabilising political result. The chances are good that this will continue for some time, thus it's become clear that this is causing concern in the US political hierarchy, and it's kind of hanging in the balance waiting for the mid-terms. As with all the House of Representatives and a third of the Senate seats up for grabs in nine months, neither side is apparently ready to decide on what to do about the "third way" currently.

Finally, you also need to consider the appalling conditions in various countries that come about from sanctions. But like the carpet bombing that started in WWII, such behaviour does not in general cause the affected nation to become demoralised, or actually blame their government. In fact the opposite is more likely, causing a strengthening of resolve. It's also been indicated as one of the causes of terrorism, likewise international crime including drugs and human slavery.

A study of recent history shows that the US not only uses sanctions as a method of oppression, it quite deliberately fosters them. In the case of Iraq, Iran and Korea it can be seen that the US quite deliberately reneges on its negotiated agreements. Which is why they are now being excluded from talks by other nations...

Hence it gave Russia the opportunity to make fun of both the US and Canada less than a month ago,

http://www.newsweek.com/north-korea-war-will-cause-catastrophe-russia-warns-us-ahead-vancouver-talks-781700

@ Dan H,

    Clive is more than a little paranoid and thinks Putin, Kim, China, Iran are the good guys trying to slay the evil USA.

No I'm not, and stop trying to push words into my mouth that I never said; I have a low regard not just for their political leaders but quite obviously those of the UK and US as well.

You really are not very good at putting words in people's mouths; your list is easily seen not as parody or satire but just silly nonsense. And as has been seen in the past, you hurt your own reputation a lot more than those you try to target with such silliness.

It's a shame really, because occasionally you do make worthwhile and interesting comments. But at the end of the day 'It's your behaviour choice, your reputation loss'.

@ Nostradumbass,

    The CIA and the NSA have different missions. It's separate for a reason.

Yes they are but as in many things in life their objectives can and do coincide more often than you would at first think. In part because they have a common paymaster and thus commander.

However, you mention equivocation whilst actually using it,

Clive not only equivocated them he implied their false flag here was more plausible than anything else.

I mentioned that they had the tools, they had previously done similar and that currently their viewpoints were similar.

If you disagree with that feel free to say why, but you might find it difficult to do.

As for saying they are more plausible, well, as I said they have the tools etc. thus are more than capable technically.

I've also pointed out that they both have a history with regards the Korean Peninsula and have actively involved themselves not just with South Korean military and IC but other groups as well.

But I also pointed out there were other ICs, in fact many, via my statement of,

    Whilst I have no doubt uncle tom cobbly and all SigInt and IC entities will be trying it on attribution is as always a major problem.

Importantly was the point of

    attribution is as always a major problem.

It should have made clear that I was making a point about the difficulty of attribution, not ascribing it to any entity. That is, if we just judge by known capabilities the US IC is most probable; in fact it would be easy for them to do so, but does it make them guilty?

I would have thought my closing point of,

    Perhaps it's time we took a couple of steps back from the attribution game. Because the Internet does not allow for reliable attribution to be possible.

would have made it clear that not only do we not have sufficient evidence to conclude the "who", what we do have circumstantial-evidence-wise points where most people would not like it to.

I was kind of hoping it had got the point across that it's time to step back from the attribution game. Not only is it technically not possible to do with any certainty, it lacks any possibility of being evidence in the sense that more than a thousand years of jurisprudence has shown is the only way acceptable to our society.

@ All,

If anyone wants to argue the technical merits of my viewpoint fine I'm happy to go through them from the laws of physics upwards if you want.

As for the points I said about the NSA and CIA they are as far as we can tell on the evidence available factual. If you have other evidence bring it forward I would not be the only person interested in seeing/reviewing it.

As for the foreign policy and economics of what has been happening this century, these things are not hard science, and people take differing views. After all, some think so highly of economists and politicians they actually pay for their opinions.

Personally I tend to view them in a less than favourable light at the best of times, as I suspect most long-term readers already know. Likewise my "political ideology", when I can be bothered with it, is conservative with a small "c" in some things, socialist with a small "s" in other things. Thus I see good reason for there to be a public purse to pay for infrastructure, education, health and similar because they affect everybody, rich or poor, insular or cosmopolitan, hawk or dove; as they say, "a rising tide lifts all boats". Likewise I see good reason for markets, but real ones not faux, and I can see good reason for appropriate regulation. As far as I'm aware none of these are particularly controversial where I live or in many other Western nations.

As for the basis of political systems and political regimes, yes I will point out what I disagree with and highlight issues. But not "party politics", because the "My Country Right or Wrong" attitude is just as facile when used in politics, religion, sport or other aspects of societal living; it's in effect "brute tribalism" writ large. That can be and frequently is exploited by authoritarians and overly eager authoritarian followers for the largess and badge of belonging.

I think that if something offends a person's morals or ethics, then they should be objective about it, not partisan. Importantly, the ability to present and argue it not just objectively but coherently is what engages others and causes opinion to change.

If you think that I'm wrong on this you are open to try coherent and objective reasoning. Presenting factual evidence is always helpful, but I also realise that facts can and often are clinical if not cold and subject to interpretation. Long term readers will have seen me say that there is always one more point of view which is the real one that nobody actually sees.

(req'd) • February 13, 2018 1:58 PM

Clive the issue isn't that everything you said about NSA/CIA is completely untrue.
What you intimated is not entirely infeasible, false flag operations have happened.
I granted you that much at length. We can't discount the possibility without evidence.

But what you present as your connective tissue to make that "historical" re-determination does not seem to touch THIS story - because there certainly isn't any direct or even circumstantial evidence of what you described going on here in this case - Or you could point to it right here.

It just becomes a convenient foil in an oft repeated conspiracy theorist's trope, as I mentioned :

"The CIA did bay of pigs and xyz in the 60's, therefore who can say what they did here?"

It's really not a valid accusation to draw without evidence. You can say it was just riffing, you were exploring a possibility, but again you're hammering over and over and over on something for which there is no actual proof, and you present it as the only option. You don't explore Russia's motive, you don't look at anyone else.

Just the CIA and NSA, who you've lumped together as bad actors who sometimes work together.
Well, sometimes they do, it's true. But here?

You go well out of your way to imagine that the CIA and NSA are hacking the Olympic Committee, destructively no less and covering their tracks in a slipshod manner compared to previous known operations, in some kind of unspecified false flag and without supplying a very palpable specific motive for doing it. If the Duqu/Flame/Stux people were really involved here what was the end game? It falls apart.

Why is it unlikely in your view that Russia or another actor would try to burrow into the IOC with a mal-campaign and steal embarrassing secrets or target individuals for information collection purposes? Why is your go-to theory without looking at the malware or any specific details here that the NSA and CIA were involved?

Folks seem to take what you say with a certain deferential reverence and so it might behoove you to less casually and loosely (I mean, completely without evidence here of any sort, not even specific related analysis really) implicate those who you cannot actually directly implicate with evidence or even a reasonably plausible motive.

(Especially while saying folks should be slower to come to conclusions about attribution, no less.)

That's all. It just seems like an ill fitting shoe and an overzealous salesman trying to "make it work"
despite any and all evidence to the contrary.

"Well it fit in the 60's! Who knows that it won't? Theoretically it could fit."

"But why don't you try on the Putin shoe, and see how well that fits?"

"I won't consider it for a moment! This particular old well-worn shoe or nothing!"

I don't blame you for trying it on, I just wonder why that particular shoe is the only one you like?

(req'd) • February 13, 2018 3:01 PM

@Clive

"Again if you look back on this blog I've been pointing out where the US are next most likely to cause problems and why long before others do"

I can't argue against that point, you are correct that the US "does stuff" around the world.

But you can't just make up "most likely" "probabilities" for one-off events when it's unknown!
That's not how probability works and I know you know that. :D

Anyway rant over, but if you DO find something linking the NSA/CIA to this, I'd very much like to see that so I can fall on my sword and apologize for doubting your secret information on the topic!

echo • February 13, 2018 3:30 PM

I enjoy reading Clive's comments on organisations and politics. To some degree his comments expose our own general lack of awareness of what is happening around the world and how to put solutions in place for many common complaints.

In UK law a citizen does not have to believe a state official merely because the state official says so. (Opinions must be at least half credible and reasoned through). Another thing is the reasonable person test which means there is a higher threshold for people who claim an expertise. Additionally, people are now more generally aware that human rights are not negotiable. I don't believe it is unfair to view our own and foreign governments through this kind of lens.

I believe at least some of the nationalism and rhetoric and scapegoating we read of today is driven in part by inadequacy of leadership - their own feelings of impotence and depression.

(req'd) • February 13, 2018 3:58 PM

Well the solution to this complaint is evidence of NSA/CIA involvement.

I like Clive too. I hope it didn't come across as otherwise.

(required) • February 13, 2018 6:33 PM

Related note : (?)

Trump just got done facing pretty much the entire IC telling him one after another that there's ample evidence of Russia's meddling in our elections, and without any actual reason or explanation he is once again rejecting the very methodically uncovered and laid-out conclusions. They have access to the hard evidence and they've shown it to him. He's basically pretending he doesn't see it, even as Pence and others under him admit it exists and proves what they say it does - Republicans admit it, Trump can't.

Congress ~unanimously passed additional sanctions on Russia, Trump pocket vetoed it.
He gave no rationale for doing so. He gave no reason to think he knows better.

8+ times, Russian spyprog-related officials have visited Trump without WH officially acknowledging that on the schedule or any state disclosures. In fact each time it was discovered only after the fact as Russian media put out candid pictures Trump had barred the US Press from being aware of.

Each of the three heads of the Russian intel agencies, GRU/FSB/SVR, each one has secretly met with the Trump admin IN THE WHITE HOUSE without the US public or even the Congress being told about it. It's the first time in US history that all three have visited the US, least of all the White House, in secret, only to have it exposed by a gleeful Russian media as if to rub the point in.

He'll insult anyone or any group, he'll float any BS theory, he'll say anything...
But he won't accept any facts that paint Russia in a bad light. Hasn't yet once.
His entire rationale is to change the subject and point at anything else.

Sometimes... you get that feeling among like-minded political supporters of his that they also go out of their way to pretend Putin is as reasonable as anyone and Russia's government is being unfairly scapegoated when it comes to any sort of attribution along these lines. It seems specifically limited to people with those prebaked political ideologies, and I tend to doubt that's a coincidence.

Some of that is well earned, the US IC has blown some credibility over the years to be sure...
But what has Putin done to earn ANY trust? Point to why ex-KGB is more trustworthy than CIA? Anyone?

What has Russia's government done to push back against any of the proof of decades of involvement in doping schemes, hacking-bear groups, meddling in election processes (an act of war potentially) or the rest? Maybe they had nothing to do with the Ukrainian uprising or the rebels in Crimea, but what about all the damning evidence proving they sure as hell did? Do you take those at face value, a blanket bullshit denial vs multiple unrelated piles of vetted evidence as equals?

In this case the Russian foreign bureau preempted the results of the IOC malware analysis by basically saying "we know the US will accuse us, but we have never done anything wrong and they'll never show you any evidence." - When evidence is shown and it's prima facie compelling, they push their "it's all lies" defense that doesn't really address the details of it at all.

The IOC says it doesn't want to disclose the origin, but in January researchers released evidence they say points to a campaign being set up in Russia to target the IOC, which we all know has a massive hardon for the IOC right now. Maybe these researchers are all lying too, and Putin can be trusted as the only truth-teller in the world... but who reasonably assumes that WITHOUT ANY EVIDENCE in the face of what we can already prove?

And look at the null hypothesis, what would be the motive for framing Russia on this?

How would that be worth the effort and risk, what is gained even if it went off without a hitch?
NOTHING! We all KNOW Russia hacks, there's already plenty of press detailing decades of it!
There's any number of ways to set them up waaaay more seriously than this, with actual consequences.

So to hammer the CIA/NSA first without a single fiber of evidence there.. what brings that about?
It's just so odd that this only started happening AFTER Trump was accused of colluding.

Maybe it's just a huge coincidence, maybe the NSA did do this, I don't claim to have answers,
only pointed questions and cocked eyebrows pointed at those proffering unattached defenses.

Clive Robinson • February 13, 2018 9:22 PM

@ echo,

I'm guessing you remember the 2012 London Olympics with the anti-aircraft missiles getting scheduled to be put on the roof of a private residential block in East London, oh and G4S failures by the dozen resulting in the British Army being called in to make up for the G4S failings (whilst G4S were also fleecing the UK tax payer over "ankle bracelet" home offender management and abusing people with disabilities)?

It's just that your comment above, especially the last paragraph, the Olympics and this article from today coincide, and I think you and possibly @AlanS might like it,

https://www.opendemocracy.net/shinealight/kiri-kankhwende/uk-outsourcing-alan-white-serco-G4S

I suspect other readers might be appalled by what it says about certain aspects of how things don't work when run without proper safeguards, communications, audit and organisational memory.

Oh and for those who did attend London 2012 and thanked the UK armed forces for all they did, I thank you. If you knew the background to it you would be even more impressed. Especially when you know that many of them stayed not in buildings but in camp beds tucked out of sight at security points and behind event and exhibition stands. They were an example of what can happen when those above are as committed and focused on the task as those who carry it out.

hmm • February 13, 2018 11:08 PM

@ Clive

"Also how would you tell from "looking in the cable" if what you do see is a ISO OSI layer one or less "line conditioning / amplifier unit", an "In-line Tap/Tee" or something more sophisticated? If you can not answer that question accurately your knowledge is not sufficient to determine very much when it comes to what actually goes on, which makes your comment "unqualified" as well as "conjecture"."

Getting into OSI-I weeds seems a little deeper than necessary given the circumstances.

https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/

Unless the CIA are now faking the Fancy-bear email dumping to frame them as... the moderately successful Russian state-sponsored 900-1700 MSK hackers that we already knew about?

Doppler cross-channel interferometry geotagging, is that what you were leading us to?
Kind of vague as asked.


echo • February 14, 2018 4:11 AM

@Clive

Yes, I remember these incidents plus a few more recent examples of this kind. To build up a picture of evidence I collect links on topics including abuse of disabled and other people, which can be viewed in exactly the kind of failures of safeguards and communication and organisational memory. There are also more bare-metal issues at an individual level, such as assumptions and shortcuts taken due to worldview or financial and time pressures, which can be pernicious and the potentially foreseeable impact only measured later.

Thanks for the link. I'm agnostic on public/private sector. There are issues including dogmatic and partisan attitudes on both sides. This can be a vicious circle.

GCHQ being involved with the private sector was news again this week. I have included a few links including older news covering this story. I believe this program is not without its issues. There is still too much institutionalising and I am unsure UK start-ups can really break out of being a cottage industry and it may not lead to a change of culture or attitude but I leave this discussion for another day.

First cyber security start-ups selected for GCHQ Cyber Accelerator
https://wayra.co.uk/first-cyber-security-start-ups-selected-for-gchq-cyber-accelerator/

Groundbreaking partnership between Government and tech start-ups to develop world-leading cyber security technology
https://www.gov.uk/government/news/groundbreaking-partnership-between-government-and-tech-start-ups-to-develop-world-leading-cyber-security-technology

UK intelligence agencies turn to start-ups on cyber security
https://www.ft.com/content/6cdfa82e-77bd-11e7-a3e8-60495fe6ca71 (Paywall. Search through Google to access article for free.)

Clive Robinson • February 14, 2018 5:56 AM

@ (req'd) / (required),

THIS story - because there certainly isn't any direct or even circumstantial evidence of what you described going on here in this case - Or you could point to it right here.

No, because as you know there is no circumstantial evidence or evidence at all to say it's any IC entity, for whatever nation you or anybody else cares to think about with this current Olympics. As people really should know and realise, this Olympic attack could be anyone currently.

That is, criminal hackers, IC or even a contractor to an LEO organisation trying to do what happened to FIFA (see Mr Steele of the Trump Dossier and his previous activities) to the IOC; heaven alone knows how much dirt there is to be found in that respect.

Plain and simple, it's wide open to any speculation anyone cares to make; there is no real evidence, or anything else of merit.

All we can say currently is that some IC entities have hacked nations as part of Olympics in the past (which I have noted before is something the US IC is known to have done, due to the lax behaviour of a US operative which allowed real tangible and presentable evidence to be gathered).

The only clues we have been given so far are some very vague (dodgy) reasoning based on something some contractors beholden to US government funding made when the US Gov was naming a nation state as a "Cyber-existential threat" for US public consumption...

The US has a history of doing this "One cyber-existential Threat Nation" at a time, they have done it that way for some time now, naming China, Iran, North Korea and Russia at various times as suiting the political whim within the US...

Has it not struck you as odd that there is only one cyber-existential threat nation to the US at any one time? Yet the same four nations get shuffled around time and again to be the next cyber-existential threat nation?

To be blunt it's almost a direct play from the George Orwell playbook from 1948. Further, have you noticed what these four nations have in common?

But did you also notice it was Obama that this started with. There was no stated reason for Obama to break existing intel protocol and name countries. Which was odd, and coincidently there was and still is also a supposed independent contractor to "back the play"?

It all looks "Stage Managed in the playhouse of Security Theatre"...

There are a couple of sayings,

    Once happens, twice is coincidence, three is suspicious, four times is beyond suspicious.
    Fool me once shame on you, Fool me twice shame on me.

They or similar exist for a reason; they tell you that you are potentially being played and should take a lot more notice of what is going on, maybe do a little digging and examine the basis of what you are getting told. Thus they in turn have given rise to other sayings to help you judge what you see,

    Follow the money.
    He who pays the piper calls the tune.
    It is difficult to get a person to see a fault, when their living depends on not doing so.

When you dig in as I have in the past, you find all the attributions are based on very little or nothing indicative and could easily be falsified by a teenager with only typing skills...

That is, reverse engineers find things in code they have been sent that they think point to the language the programmer was native in... Usually they are things like date formats or, less likely, file names that might or might not have cultural references. Almost invariably these are not things that are actually intrinsic to the functionality of the code. That is, you could go in with a binary file editor and change them to something else and the code would work just as well... That is, they are to the code what face powder is to the shirt worn by the bridegroom at a stag party.

Thus people should realise such things that are easy to change can get changed in many ways, and might have been changed at any point in the past. The fact that something is so easily changed or removed should be telling you something. The question is what.

One reason for changes is where a second programmer incorporates another programmer's code in their own or modifies the work of another programmer. This practice of code stealing / borrowing / buying is more than endemic in the industry of malware at the script kiddy level and upwards.

Even Proof of Concept code frequently gets put into a framework of existing code that comes from other sources. Thus malware is so rarely original it has more potential fathers than an alley cat kitten and its siblings.

The software industry actually lauds such behaviour in its own products as "code reuse", "product update", "product maintenance" etc., though the parentage is as diverse generally; a little more certain is who their paymasters are. Which also tends to apply to organised malware development.

So the real question is "Who is the paymaster?" of the code these bits of fluff unnecessarily hang off and usually say little or nothing about. Thus it is just guesswork by the contractors and almost invariably the latest cyber-existential threat nation gets named. It could be cognitive bias, it could be a piper; we don't know as these companies never say, for obvious reasons.

Once started in on a particular track we start to see "cherry picking" at subsequent points, so gut hunches hang together. Again it might be cognitive bias, a piper, code reuse, coincidence, etc.; the list is long but again there is no way to judge the quality of the assumptions. Worse, no way for them to be independently judged, even statistically. Thus worthless to independent researchers, investigators or any other person. Does that strike you as odd?

In other words as evidence that can be used as such they do not even get to the first hurdle let alone clear it....

But we now know that there are tools out there that build malware to a "known profile" to do false flag activities. I believe it is safe to say that every IC entity that could make, steal or buy such a tool has. It just so happens it's the CIA that got outed in a way that we can credibly say they have such a tool. I will leave it to you to decide why the CIA got unlucky to be outed as they did, but it's not relevant to the fact such tools can be convincingly shown to exist in the hands of IC entities and others from white to black and all types of grey hat inbetween.

Thus evidence-wise those contractors and their gut hunches are not evidence, not even qualified opinion, just questionable guesses that would not even make the grade as inadmissible hearsay...

But it gets worse in the attribution game. Not only is it fairly easy to show that you can not say who is sending malware through the hole in your wall, it is, as I have said, not possible to learn anything from any tangible measurements you can make there.

Which gives rise to a problem of legal and illegal activities. Logically, if you can not make a usable measurement from your premises you need to move towards what you suspect may be the source and test there. But you probably break the law if you do. Ignoring the "fruit of the poisoned vine" issue, it raises a more fundamental point. Which is, if you can gain illegal entry into a network node under somebody else's supposed control then so can other people.

This means that you are not working from a node you can trust, nor can you determine whether the node is trustworthy or not, because the node has no way to know and thus can not tell it's not trustworthy with current system designs. If you want to know more, look back for discussions on Castles-v-Prisons or C-v-P if you want to know why and what could be done about it[1].

So even if you got into the computer on Vladimir Putin's desk (assuming he has both and uses them) and found what you thought was "evidence", you have a problem. How do you know how it got there? Recently Kaspersky were in the news, as apparently one of Israel's IC entities broke into a group of Russian spooks (thus either bull541t or blowing Israeli IC operational methods and sources...),

https://www.theregister.co.uk/2017/10/11/israel_russia_kaspersky/

Important to note are the web cam and screen capture aspects of the story. Either the alleged spooks are being careless or it's being made up. Either way is the point that many would have missed. If true the Israelis were after verification of what was happening, or were making it look like they were. We don't know; the important take away is that unlike the US contractors and their reported hunches, some people are taking verification rather more seriously.

But we now know that there were tools out there long before that, and that they are based not just on zero day attacks but long-term vulnerabilities in major OSs etc. I believe it is safe to say that every IC entity that could make, steal or buy such a set of hacking tools has. Again it just so happens that a US agency with such tools to do this sort of illegal entry into other people's systems not only got outed, it was apparently because they were careless in some way.

Thus the NSA, like the CIA, appear to have egg on their face for being careless or outed. Oh and as indicated above US "insiders" have potentially added the Israeli SigInt agency to the "known" list. I'll leave it to you to decide if it is coincidence or not.

The point is there is credible evidence for the tools with two of the US IC agencies and it has been well publicized. Further, they are the most highly funded and well known of all IC agencies outside their own country. Thus they are recognisable examples that most know about. Whilst I'm sure that other countries' IC entities have such tools, and I have said as much repeatedly in my posts in this thread, they have not been careless / outed, or if they have (Australia, China, France, Israel, New Zealand, UK etc.) it was in a much less recognised way, so they don't make as good an example to use.

But there is another issue that makes the US IC entities good examples. They and the rest of the Five-Eyes are in either the center of the physical internet or straddling communications choke points that in the past have given them significant surveillance advantages, allowing techniques that are not possible by other nations' ICs. Because of revelations, outings, and their mistakes they are losing that edge, because it's one of the things that are causing things to start to change. Which as a consequence also affects large US corps, as they will not be carrying traffic the way they have, which will have knock-on effects.

But you say,

You don't explore Russia's motive, you don't look at anyone else.

I've not explored anyone's "motive" because it's actually not that relevant, or should not be, to attribution. Attribution investigation should be based on "means and opportunity" first and foremost, not on "motive". Doing it that way reduces your suspect list down. Motive even in ordinary crime is often overstated as an investigative tool, as it usually says nothing about how the crime was committed and rarely if ever provides evidence of use.

If I asked you to "list who hates Donald Trump" you would probably say "nearly everyone" and you might be right. But it does not help if he's found face down in the Rose Garden. The first question would be "who has access", which is the "opportunity" aspect. Investigators would then look for the cause of why "Dear Donald" is face down, which is the first step on the "means" aspect.

The same thing applies to the Olympic organisations; there are many who dislike them for many reasons. Thus motive is only going to help if and when you get a backside on the seat in the dock, and probably not much even then.

You mention,

It just becomes a convenient foil in an oft repeated conspiracy theorist's trope

If you look at most conspiracies, they are long and strong on "motive" but unsound on means and opportunity. Saying "It's t'reds hunder t'bed wot dun't cos..." does not give any tangible evidence. Often as evidence does arrive the conspiracy theory gets into all sorts of knots and twists to account for it, or rejects it as irrelevant or invented. Conspiracy is a belief thing and as many know beliefs are often not rational.

But belief can lead you astray in your assessment. For instance you say,

Why is your go-to theory without looking at the malware or any specific details here that the NSA and CIA were involved?

Because I happen to know that both the CIA and the NSA are there. They will be doing their thing at the Olympics; it's not secret knowledge, they turn up anywhere prominent US "targets of opportunity" go, which covers the US and other "at risk" nations' athletes. They do it even if requested not to by the host nation. However "their thing" is generally to spot certain types of people. The fact that there are North Koreans there means that "their thing" is likely to be rather more than usual. If they get a defector or two they will be as happy as a dog with two tails to wag.

Are they involved with this hacking? I don't know, but their setup would generally have given them some actionable intelligence on it if there is any to find.

However the point remains that they would be almost as two tail happy if they could get fingers pointing at Russia from South Korea, as it would be a change in fortune for them. That is the US would not be so much the pariah they currently are with the South Koreans. Likewise opening up a rift between North and South would make them more than two tail happy. If they could sour China and Russian relations with North Korea then maybe three tail happy.

Before you say I'm conspiring against the US or some such: no, I'm merely looking at the current US foreign policy in the area.

Funnily enough, if you think about what Korean reintegration would mean, there are several nations that would be against it: China, Japan and Taiwan, even India and the other tiger countries, as well as Germany, the UK and US. Because whilst the North has resources including cheap labour, the South has technology and various other skills. The joining of the two would in effect give each what the other has not got. Thus start a quite disruptive economic power house that would, if South Korean history is anything to go by, be making big waves within ten to twenty years. It's certainly something that neither Japan nor Taiwan want, and the Chinese would not like the competition. Russia would however benefit from a rejoined Korea, as it would provide further opportunities than Europe is currently giving it.

Thus if you are looking just at "motive", which you appear to be doing, then you really should broaden your horizons.

[1] The Castles-v-Prisons idea, which has been discussed at length on this blog in the past, is apparently so good even academics from the UK's UCL and Cambridge University think it is worth stealing, not just to plagiarize but as a business proposition they are putting their money into[2]...

[2] Which is justifiably annoying to others on this blog, who have not just participated in the discussions constructively, but have sought and been given permission to use the idea for their own product based around certain technologies. Which again it appears the academics have stolen for their own business.

(required)February 14, 2018 2:43 PM

"I've not explored anyone's "motive" because it's actually not that relevant"

Motive isn't determined at the outset of an investigation but it's still a consideration.

I was exploring your motive for looking at the CIA and NSA as one, early and often, without any evidence of their involvement and at length without exploring other possibilities in any real sense. And not just in this particular event. You do seem to fall back to that default position on a handful of stories here. I just wanted to ask why, if you had reasons in this case.

"As people really should know and realise, this Olympic attack could be anyone currently."

It could be the CIA and NSA, working to... discredit.. ah, it fell apart again. Drat.
I do agree with you, near-anyone 'could' have. In the absence of any evidence, fine.
But they have evidence. They are not releasing it immediately. Those details exist.

Of what has been leaked, just about none of it makes ANY case for the NSA or CIA.
Wiping logs destructively and getting caught in mere days would be a major, major fail.
If it were either and they were caught it would be detrimental to national security.
It would undermine the US position and the Olympics at the same time, both tangled.
Both ripe for Putin to say "aha, I told you!"

On the other end of the hypothetical, if it did work, what outcome is worth that risk to attempt it?
Russia's APT28 would be falsely accused in 1 hack of hundreds we can legitimately point to. Gain?
Do you see any angle that makes this likely or cost/benefit positive? Any at all?

"When you dig in as I have in the past, you find all the attributions are based on very little or nothing indicative and could easily be falsified by a teenager with only typing skills..."

You're asserting that ALL THE ATTRIBUTIONS are based on little or nothing indicative.
That's quite a home run, if you hit it.

I'd be fine to take your word for that, but having dug through a few myself there are actually tonnes of details that make an attribution possible, and the more details the more incrementally confident one can be about it. When fewer details are available it's that much harder to arrive at without cross-referencing other event details also. I'm going to go out on a limb and say you might not be doing that professionally at the level of scope and breadth to determine attribution in this case. That would rightly require a clearance also. But to sit back and say it "can't be done" without looking at the data, implying there IS no data to look at, implying this case is exactly as others you've looked into and found no attributable details?

"The only clues we have been given so far is some very vague (dodgy) reasoning based on something some contractors beholden to US government funding made when the US Gov was naming a nation state as a "Cyber-existential threat" for US public consumption..."

https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/

At least until they publish their stolen wares that is? Or was this the CIA masquerading also?

They have details of the attack, they have the code used linked to previous code bases, operational details indicating their TOO and schedule, they certainly have a strong motive and historical precedent and they've ADMITTED it in dropping the exfiltrated files in question in an attempt to embarrass and draw scrutiny on the anti-doping program. Unfortunately for them the strength of their case was pretty weak in those emails, and it went out with a whimper rather than a bang. Still embarrassing but more importantly IT IS QUITE ATTRIBUTABLE. That's a relevant backstory. Agree? No?


"Has it not struck you as odd that there is only one cyber-existential threat nation to the US at any one time?"

I reject your premise and I don't think you've made the case to call it legitimate.
There has never been a "single" techno adversary of the US since the 50's.

If you're going based on what the media tail wags at, that's not going to prove much.
But even there, the media doesn't seem to limit us at 1 adversary at a time at all.
That's a fallacious artifact and easily disproved.

---
From January's Enisa security report:

"China, India, and Russia were the three most "botnet infected countries", it said, referring to automated internet accounts used to send out spam, malware, denial of service attacks, and other malicious tricks.

The EU report said China was "the top attacking country" on denial of service attacks, which paralyse target systems by flooding them with data. It said 60 percent of all such attacks came from "China's army of hackers" and that 90 percent of them targeted US entities.

Attackers could hire botnet hordes on some Chinese sites "that even include dashboards showing the number of attacks carried out and the number of online bots" available the report said.

They could also rent "exploit kits", software designed to find security loopholes in users' systems, for up to $2,000 a month, on underground websites that offered online "support to both Russian and English speaking clients".

The EU report named three Chinese and Russian cyber-espionage groups - APT17, APT28, and APT29 - as being among the most active and dangerous last year.

It said the China-based APT17 group conducted "network intrusions against US government entities, the defence industry, law firms, information technology companies, mining companies, and non-government organisations".

It noted that APT28, "a cyber-espionage group most probably sponsored by the Russian government", had tried to steal VIP guests' data in "hotels in at least seven European countries" in 2017.

The APT29 group, "a Russian hacker group believed to be associated with Russian intelligence", had targeted Dutch and Norwegian government ministries.

---
I won't clog the boards with more, there's plenty out there looking at multiple actors.
To say this is all a focus the CIA/NSA are cooking up is not defensible empirically.

"Because I happen to know that both the CIA and the NSA are there."

"Are they involved with this hacking I don't know, but their setup would generally have given them some actionable intelligence on it if there is any to find."

Your first suspect and naming no others, on the basis that "they are there" - really.
Would you say you have an axe to grind with the US IC in making these evaluations, Clive?

A bias perhaps? Any at all?

You distrust anything from the unexplored "US contractors" which you've implied here are being dishonest, but then go on to imply that the NSA/CIA is a likely suspect in the IOC hack on the basis of "They were there and can see things from that vantage."

Do you see that as a pretty weak attributable "link" like I do? Or do you think that's worthy?

"Important to note is the web cam and screen capture aspects of the story. Either the alleged spooks are being careless or it's being made up. Either way is the point that many would have missed. If true the Israelis were after verification of what was happening or were making it look like they were. We don't know, the important take away is that unlike the US contractors and their reported hunches some people are taking verification rather more seriously."

First off, APT28 is NOT "alleged" spooks. That characterization is slanted beyond recognition.

They've been documented over years. That paperwork didn't all blow away last night.
Whether or not you believe it, a VERY STRONG CASE has been made many, many times here.
They exist and yes, they do hack. People know where they centrally operate from.

The Dutch got into the security camera on the building. Actors are careless all the time. Israel discovered the plot in the first place if the information is valid, so it's reasonable that they were in a position to follow up and verify it rather than the US calling in a team to dig out that root themselves for posterity over the course of months that it would require.

They're partners. The US gives Israel security information also, obviously. You're trying here to portray them as more honest or diligent than the American IC from a very loose position. It's like you want to embed little barbs like that in your assertions for that purpose. It smacks of the bias I mentioned before, not of a compelling case.

"But did you also notice it was Obama that this started with" - in a word, bulltokens.
Your "evidence of old idiomatic sayings" notwithstanding.

"One reason for changes is where a second programmer incorporates another programmer's code in their own or modifies the work of another programmer. This practice of code stealing / borrowing / buying is more than endemic in the industry of malware at the script kiddy level and upwards."

Everyone ought to know that. It's obviously accounted for when poring over details.
They don't just say "aha! CYRILLIC! PROOF!"

"But we now know that there are tools out there that build malware to a "known profile" to do false flag activities."

Sure, and books on Russian and spycraft, and... any evidence any of that was used here?

The existence of capability is a starting place, not a conclusion or compelling evidence.
You're waving it awfully hard as if it were. Any evidence WHATSOEVER of a false flag, here?
ANY evidence? AT ALL? A shred? A modicum? A speck? An iota? Point! Let's look at it!

"The fact that something is so easily changed or removed should be telling you something. The question is what."

Yes, the question IS what. They don't go by just a few details, it's the aggregate.
To "change" all of that is a modest undertaking even in 1 simple malware variant.
To "change" all of that for all malware variants ever discovered this? Not likely.
Efforts at doing so have been discovered many times, sometimes one mistake is "it".

But it seems you're going further down the rabbit hole in suggesting that HISTORICAL evidence is also being changed "by the evil CIA and NSA" to suit your asserted one-threat-nation focus you described above, even as they attack and defend from and publish results on DOZENS of countries' nationally-founded exploitation efforts every month. It's all "able" to be altered, and therefore you've decided none of it can be used in determination. Well how convenient.

Some relevant sayings you seem to draw your above inspiration from :

"Don't trust, and don't even try to verify because they've altered the data." - Reagan

"There are known-knowns and known-unknowns, but everybody knows the US is always lying."

"Trust no one, the truth is out there but the CIA and NSA are obviously behind it.
Just take my word, I've seen alien stuff." -Mulder


To get back to where the investigation into attribution should begin, from your words :

"attribution investigation should be based on "means and opportunity" first and foremost"

So let's. SEVERAL APTs have means and opportunity - AND motive. Not just the two, all three.

You go WELL out of your way to defend them from a hard look on the basis that the US "is there."

You mention various ways these investigations can go awry, most of which are very true, but then you seem to imply that this IS HAPPENING HERE when there's zero to really point to. I asked you to point to it and you pointed to everything possible else, the fact that the NSA and CIA "are there at the games" - perhaps that's not a fault by itself, you're being thorough... but you're not being nearly AS thorough as you are in doubting anything US-connected.

However, if you applied your stated rationale beyond your seeming bias, and evenly, you'd not have mentioned the CIA/NSA (* as if the same thing, no less) 6 times in a row in your initial outlay, strongly implying that they BOTH are now involved in a false flag hack and falsely implicating Russian groups for... some undefined motive (any that fits?)... without a shred of actual evidence of that to point to, and in a revisionist's attack on valid characterizations of known APTs funded by foreign nation states.

It reads like a narrative, not an analysis. You weave the two quite entertainingly, I say from a reader's perspective - and in fact I do enjoy reading them, I learn things from you and others here on several occasions. But when you assert things like :

"The point is there is credible evidence for the tools with two of the US IC agencies and it has been well publicized. Further they are the most highly funded and well known of all IC agencies outside their own country. Thus they are recognisable examples that most know about. Whilst I'm sure that other countries' IC entities have such tools and I have said as much repeatedly in my posts in this thread, they have not been careless / outed, or if they have (Australia, China, France, Israel, New Zealand, UK etc) it is in a much less recognised way, so they don't make as good an example to use."

..But fail to acknowledge that this attack doesn't seem to fit the Stuxnet/Duqu/Flame/etc model in complexity or scale or focus, any of it, and then point to the NSA/CIA 'being there' as 'evidence enough' that they 'could have' been involved? It's just clearly not an even comparison on your part. Empirically. I could really break it down at length but this is long enough already and I believe you can admit based on what I've said yet that there MIGHT be a WEE BIT of BIAS even in the great Clive Robinson, master of determining that the US is probably lying and/or incompetently so, no matter what.

At least until Fancy Bear dumps the next load of exfiltrated booty, I suppose?

Or would that be uncompelling also, after all... it COULD be Obama in disguise... he DOES exist you know.


(required)February 14, 2018 2:57 PM

Acknowledgement - I'm not even 1% convinced Russia is involved, APT28-500 or anyone else.
I don't have the data. I'm not saying either one is more compelling than the other.

I'm saying your FOCUS is apparent in lieu of evidence, and that's called bias.
If your bias is drawn from a well that connects factually, you're a genius.
And you may very well be right in the end, I'll happily crow your accolades.

However if it's NOT a false flag, and there's ZERO evidence of that, and nobody EVER finds any to point to, and evidence implicating other nation states IS found... would you be willing to admit that it's possible that the NSA/CIA did NOT frame anyone here?

(Or at least if they did, that they weren't completely incompetent about it? Either I guess...)

I sure don't get that from reading your spiels on this blog from time to time.
My point in observing this is to sharpen your analytical edge, not dull it.
We all have biases in our approach.

Cheers Clive.
