Lifting the Shadows of the NSA’s Equation Group (riskbasedsecurity.com)
139 points by cwn on Aug 15, 2016 | hide | past | favorite | 55 comments



When only some people have security, nobody has security.

This is the sort of event that should -- though it obviously won't -- lead to a policy debate about the wisdom of locating cyberdefense and cyberwar within the same hallways.


> "locating cyberdefense and cyberwar within the same hallways"

This is thus far the largest scale example that if you sell security and surveillance, at most one of those product lines isn't a fraud.


Sort of. They're only legally required to protect government communications, maybe government systems, and defense contractors. The "defense-only" solutions they have for them are high-quality. Then they push BS for everyone else to benefit the surveillance mission. Quite a lame deal we US taxpayers get on those high-security products.


It is entertaining to read NSA's recommendations on how US govt should secure its data. Because you always wonder if they'd know of a vulnerability if they'd still advise using that technology. That is, if that department which writes the guide talks to the department that does the exploits.

I imagine due to heavy and intentional compartmentalization this doesn't happen.

Perhaps it depends on the nature of the exploit. For example, I consider the weakening of Dual_EC_DRBG devilishly good: because of the chosen P and Q they knew it was weak but also were the only ones who had the key. They would definitely not tell anyone about that.


> "I imagine due to heavy and intentional compartmentalization this doesn't happen"

That seems to be the best explanation. Two different groups, with IAD being the smaller one. The IAD also faces many issues with regs, red tape, Congressional mandate to use COTS garbage, lack of liability enforcement, etc. It all adds up to them getting less effective over time.

They still do some good stuff when they put their pros on it. Their Inline Media Encryptor is great. I just cloned it and expanded in one of my designs. Just compare its security features to any encrypted USB disk. You'll see high-security vs mainstream security difference.


Our taxes went to build this hoard of zero-days, and now they're going to be used for criminals and foreign governments against us. Good job, NSA. Good job. I hope this causes enough havoc to make everyone regret using insecure endpoints as a means of surveillance.


This shows the dangers of hoarding 0-days. When/if they go public en masse they can cause serious havoc.


And the potential! Think of all the bugs we can now fix.

Expect to get a lot of updates in the next weeks.


If they keep word, going public not happen, one million bitcoin too many


I would have thought that if they promised to return all non-winning bids to the sending or change address, they'd get a lot more bids?


They'd have no reason to honor that promise anyway, and a bidder should have no expectation that they would.


Finally, something Ethereum might be useful for!


That depends on whether this is an iterated game or not.

(They could return the previous high bidder's bid at the point where they are outbid, could they not?).


In the freely distributed exploits, EPICBANANA looks like a serious headache - I think there's a sizeable stranded fleet of older PIXes out there that can't update beyond 804.


How to defend yourself against a man armed with a banana:

- First of all you force him to drop the banana

- then, second, you eat the banana, thus disarming him.

- You have now rendered him ’elpless.

http://rump2010.cr.yp.to/c659ebaf681758e01ccf824fd58f3c42.pd...


Obviously the seller's grasp of English is quite poor. Perhaps someone with a linguistics background could speculate on what their native language most likely is? At novice proficiency, presumably a speaker's native tongue influences how they speak a particular language.

Of course, the seller could always be pretending. Given the seeming authenticity of the leak however, it's doubtful they're western—unless they're operating very illegally and trying to cover their tracks.


Feels like someone faking a poor grasp of English -- there are linguistic "tics" in there that to my mind seem indicative of Asian and Slavic languages, but scattered about like chaff. My guess is that they're working to make it difficult to try and trace their native tongue.


I think them being Slavic speakers is in fact plausible (one element that seemed salient to me is the use of "cattle" where native speakers may perhaps have preferred "sheep" - it would work as a translation of быдло, which is a term the RUnet quite likes to apply to the sort of people they are talking about).

However, their command of English is almost certainly pretty good, seeing how they use somewhat fancy words ("closing remarks") appropriately and clearly know English idiom well ("When we feel is time to end" - using "feel" in that phrase is sufficiently peculiar to English that I wouldn't expect it from anyone who thinks in another language and translates in their head more or less mechanically). This makes it harder to rule out that the "free" file consists of exploits they collected on the market and doctored to give them a more NSAish veneer.


Another sign of Slavic speakers is the incorrect usage of "is" where "it is" would be grammatically correct.

> Q: What is in auction files? A: Is secret.

> Q: When does auction end? A: Unknown. When we feel is time to end.

A native speaker would say "it's secret" or "it's a secret", or "when we feel it's time [to end it]".

Granted, the text seems a bit like someone imitating a Russian who speaks broken English from the movies. It may well be misdirection. It's possible that non-native speakers from other languages also make this mistake, but I have seen it commonly with Slavic speakers.


(Modern) Russian doesn't even have a verb corresponding to "is", so I'm not convinced that this turn of phrase is a thing that exists outside of American movies.


I have seen actual Slavic non-native English speakers make this mistake (more than one). I haven't inquired into why. I was giving one of those people informal advice to improve their English, and that was one of the things I had to keep reminding them about.


Actors playing Russian spies in American movies sound like that, too. I don't think the README contains enough information to read into the writer's native language.


> ("When we feel is time to end" - using "feel" in that phrase is sufficiently peculiar to English that I wouldn't expect it from anyone who thinks in another language and translates in their head more or less mechanically)

This is typical of Mandarin Chinese; the verbs 觉得 and 感觉 are "feel" in a literal sense, but mean "think (something)".

If one language uses a metaphor, odds are some other languages do too.


Regarding the cattle remark, it might also be a reference to

> You wanted to know who I am, Zero Cool? Well, let me explain the New World Order. Governments and corporations need people like you and me. We are Samurai... the Keyboard Cowboys... and all those other people out there who have no idea what's going on are the cattle... Moooo.


That was my take as well. Writing styles are recognizable, or at least narrow-downable. Writing in that awkward style is definitely intended to neuter any style analysis.


More likely they are trying very hard to avoid any linguistic profiling. Maybe they Google-translated the text back and forth multiple times.

Anyway, they painted a huge target on their back if this is real NSA stuff. I can't see how they would cash-out any significant bitcoin amount ($100k+) without being traced.


Currently, they can use Coinjoin to obscure the money trail.

For complete anonymization, they need a little patience.

In the near future, they can buy ZCash.

In the distant future, they can probably move the money into a MimbleWimble based sidechain.


> a MimbleWimble based sidechain

OK, now you're just making up words...


They didn't Google Translate back and forth a few times, because both Google and the NSA would have a copy of the originals, and that would out their original text / writing style.


Not necessarily, there's a way to run Google Translate offline (the app can download translation files, and you can then run it even after you rip out every antenna physically and put the phone in a Faraday cage)


The list of people who downloaded an offline Google Translate app followed by their phone going dark is probably not lengthy.


That's why you buy a $10 Android phone at a Black Friday sale, download via public WiFi in a mall in a different city than your own, preferably a different country when you're just travelling through, and so on.

Btw, if you're in Germany, you might still have a chance to get an anonymous prepaid SIM in the next weeks before the carriers adapt to the legal change - you can use that, too.


I believe anonymous prepaid SIMs will keep existing in the UK for a long time. I used to have a Tesco Pay-as-you-go SIM card, bought and topped-up anonymously with cash, £12.50 a month for a semi-usable package with 1 GB data. Looks like they still have them:

http://shop.tescomobile.com/pay-monthly/sim-only/Tesco+Mobil...

With roaming in the EU becoming free mid-2017, and Brexit not coming into effect until 2019, the whole EU will still be well covered by anonymous prepaid.


You think not? Download dictionary before international flight, travel, lose phone.


So further filter by those who didn't travel shortly afterwards. Small enough list yet?


Or just simply use Tor, right?


Well, if you're trying to fight the NSA, Tor might not be good enough anymore.

Just like they sent a takedown to every site hosting content from the shadowbreakers, they might just send a SWAT team to every Tor node your data ran through, and try to track you.

And that's in addition to whatever TAO has in their repertoire.


Tor development sprang out of a US Navy project. The US government has probably been able to intercept Tor for a long time if it's important enough; they just have to have more than 40% of all nodes (IIRC) and they win. There's only ~10k relays + bridges in the entire network. 4000 computers is utter pocket change compared to the NSA's hardware budget.


> We auction best files to highest bidder. Auction files better than stuxnet.

The lack of definite articles and linking verbs is particularly suggestive of a Slavic background. Here's another telling signature:

> We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group.

So instead of using the standard "linking verb + gerund" construction that modern English provides to indicate continual (or background) activity they're using the simple present tenses of these verbs the way Slavic languages do, via the imperfective forms of these verbs.

And also:

> If you want reverse, write many words, make big name for self, get many customers, you send bitcoin.

> You bid against Equation Group, win and find out or bid pump price up, piss them off, everyone wins.

> You like reward, you take risk, maybe win, maybe not, no guarantees.

The use of commas to link independent clauses (instead of coordinating conjunctions, like English) also happens to be very characteristic of Russian.


I speak a few languages including Russian, and am inclined to think that level of brokenness sounds almost deliberate. Yes it does sound Slavic, but over the top. It is almost how South Park would make a Russian-sounding character.

Also I am guessing in a group of computer literate people, from Eastern Europe, they couldn't find one person with a better handle on English grammar and phraseology.


There are a few phrases which suggest perfectly fluent English, such as "can do with files as they please".

If anything stands out from the writing to me it's that it sounds like a scam.


That's the thing with partial fluency -- and really now, their English is quite good (much better than our proficiency in their native languages) -- that it will be peppered with many idiomatic phrases ("can do with X as they please") while other parts remain comically broken. Like, you know, Google Translate.

BTW, it should be "the files".


It reads like Ivan "Rifle is Fine" Chesnokov without the caps lock.


How are the bids going? All the bid info is in the blockchain. CIO magazine says only 45 BTC bid so far.[1]

[1] http://www.cio.com/article/3107946/nsa-hacked-top-cyber-weap...


45 dollars, not 45 BTC.

Unless they changed the address, they've only received a total of 0.08003067 BTC at the time of this comment.

https://blockchain.info/address/19BY2XCgbDe6WtTVbTyzM9eR3LYr...


Good. People who know cryptography should also know enough about game theory to not participate in a dollar auction.

I mean, even with a perfectly honest auctioneer, dollar auctions (where one person wins but more than one person pays) are one of those games where the only way to win is not to play. Now add to that the fact that there's no reason to trust the auctioneer.


People who know cryptography would not be participating. However I think this is deliberately made to look stupid (complete with over-the-top Russian sounding phraseology to imply these are those famous ex-KGB hackers) to attract irrational but wealthy entities -- probably governments and their spy agencies. They have large sums of money to play with.

I can see perhaps Iran, in a desperate attempt to exact revenge for their centrifuge plant being hacked, throwing a few hundred thousand at them, just on the small chance this would yield something.


They're up to 1.7BTC now. Clearly no big player is bidding.


Doesn't seem like any source code... Except Python..

Also, I wonder if computer scientists feel anything like the scientists after creating and deploying the atomic bomb... "Now I am become Death, the destroyer of worlds."


What do you consider "source code" then if Python doesn't qualify?


any -> much

Referring to the source code of some of the major components. Any python source was stripped of comments, which is surely interesting, but not as interesting as the source of the binaries.


I also see a lot of Perl in the screenshots. If only being the target.


I had to look up "Equation Group". A couple of articles mention that various malware tied to Equation Group includes timestamps indicating programmers working 8-5, Mon to Fri, in Eastern US timezones.

Anyone know of more info on why this would be left in? A simple oversight? False-flag propaganda?

Where would I look for more information on fingerprinting binaries? I.e. perhaps identifying compiler and even build environment.

Thanks!


> Can we trust this information? The answer is: not fully, because the link timestamp can be altered by the developer in a way that’s not always possible to spot. However, certain indicators such as matching the year on the timestamp with the support of technology popular in that year leads us to believe that the timestamps were, at the very least, not wholly replaced. Looking at this from the other side, the easiest option for the developer is to wipe the timestamp completely, replacing it with zeroes. This was not found in the case of EquationDrug.

https://securelist.com/blog/research/69203/inside-the-equati...


Equation group is the advanced malware outfit that is suspected to be NSA. The name was given by the group at Kaspersky who put the report together. A brief summary is found in the linked PDF [0].

False flag is possible, but it's not unreasonable to think that these were uncaught mistakes, just ones that have no functional effect. The Mandiant APT1 report shows a similar pattern of bread crumbs, though in that case they felt more intentional (ego flourishes) to me.

As to your final question, that field is reverse engineering. If you're looking for tools, IDA Pro is a very powerful disassembler.

[0] https://www.google.com/url?q=https://securelist.com/files/20...
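The timestamp analysis mentioned a few comments up (build times clustering around 8-5, Mon to Fri, US Eastern) comes from the PE/COFF header's TimeDateStamp field. Below is an added example, written for this thread and not taken from the Kaspersky report or from any of the leaked material, that pulls that field out of a Windows executable, converts it to Eastern time, and tallies business-hours versus off-hours builds across a set of samples. The PE blobs it feeds itself are constructed, non-executable header fragments with chosen timestamps, not real binaries; the "wiped to zero" case the Kaspersky quote describes is treated as a separate bucket rather than as a build time. The Eastern-time conversion assumes the IANA zone `America/New_York` is available and falls back to fixed UTC-5 (an assumption that ignores daylight saving) if it is not.

```python
"""Link-timestamp fingerprinting of PE files (added example; sample data is constructed)."""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    EASTERN = ZoneInfo("America/New_York")
except Exception:  # tzdata missing: assume fixed EST (UTC-5), which ignores DST
    EASTERN = timezone(timedelta(hours=-5), "EST")


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch) of a PE image.

    Layout: the DOS stub starts with 'MZ'; the 32-bit field at offset 0x3C (e_lfanew)
    points at the 'PE\\0\\0' signature; the COFF header follows it as
    Machine(2) NumberOfSections(2) TimeDateStamp(4) ... so the stamp sits at e_lfanew + 8.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def build_fake_pe(stamp: int) -> bytes:
    """Construct a minimal PE-shaped header blob with the given timestamp (test data only; not runnable code)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the stub
    # Machine=i386, 1 section, TimeDateStamp, no symbols, optional-header size, characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def classify(stamp: int):
    """Map a link timestamp to (weekday name, local hour, is_business_hours) in US Eastern time.

    A zero stamp is the 'wiped' case and carries no build-time information, so it is rejected.
    """
    if stamp == 0:
        raise ValueError("timestamp wiped (zero)")
    local = datetime.fromtimestamp(stamp, tz=timezone.utc).astimezone(EASTERN)
    business = local.weekday() < 5 and 8 <= local.hour < 17
    return local.strftime("%A"), local.hour, business


def summarize(samples) -> dict:
    """Tally weekday and business-hours hits over many PE blobs; unparseable or wiped stamps are skipped."""
    counts = Counter()
    skipped = 0
    for blob in samples:
        try:
            day, _hour, business = classify(pe_timestamp(blob))
        except ValueError:
            skipped += 1
            continue
        counts[day] += 1
        counts["business_hours" if business else "off_hours"] += 1
    return {"counts": dict(counts), "skipped": skipped}


# Constructed sample set: one weekday-daytime build, one Friday-night build,
# one wiped stamp, and one non-PE blob. Both dated stamps fall in January,
# so the result is the same whether or not DST-aware zone data is present.
SAMPLES = [
    build_fake_pe(1263310200),  # 2010-01-12 15:30 UTC -> Tuesday 10:30 EST
    build_fake_pe(1263610800),  # 2010-01-16 03:00 UTC -> Friday 22:00 EST
    build_fake_pe(0),           # wiped
    b"not a PE file at all",
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

On a real corpus the interesting signal is the shape of the histogram, not any single stamp: a tight Monday-to-Friday, daytime cluster in one zone is hard to produce by accident, while a flat distribution or a pile of zeros suggests the field was deliberately set or wiped, which is exactly the caveat in the Kaspersky quote above.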



