
If you only work on your malware on weekdays, you might be a CIA hacker - imanewsman
https://qz.com/954523/if-you-only-work-on-your-malware-on-weekdays-you-might-be-a-cia-hacker/
======
cs02rm0
I've put some thought into similar deductions in the distant past. And
measures to avoid them.

Still waiting for the day a leak is attributed to the French because of the
length of lunch breaks inferred from timestamps.

~~~
oh_sigh
How long is a typical French programmer's lunch break?

~~~
cyberpunk
1.5-2hrs unless there is wine involved...

~~~
emmanuel_1234
Can we avoid French bashing here? This is not reddit.

~~~
cyberpunk
Lighten up? I'm not trying to abuse the French here, I've really observed this
when working with several French teams!

I found it amusing, if you're offended then my apologies, it was written with
a light heart and no intentional malice; and I gauged it by my not being
offended by those who comment on observing the various stereotypes applied to
my specific situation but alas my skin is thicker than others'.

I don't think there is any value in using lunch length as any kind of
meaningful metric, can we put the guns away?

------
CWuestefeld
_Symantec had already concluded that Longhorn was a group based in North
America. That was partly based on the American time zones they saw, but also
on the finding that Longhorn primarily targeted devices in Europe, Asia,
Africa, and the Middle East—and seemed particularly averse to American
computers._

Now the CIA is going to claim that for national security reasons, they're
going to have to hack American computers too.

~~~
beager
Humor aside, one wonders how much increased communication could facilitate
common malware usage between the CIA, NSA, etc. If some common malware were
developed and distributed agnostic to foreign or domestic targets, it could be
a conduit for other, more targeted software to be deployed, and otherwise not
appear, based on detection, to specifically target foreign or domestic
machines.

------
azinman2
The CIA's dos and don'ts specifically mention putting build timestamps into
others' time zones:
[https://www.schneier.com/blog/archives/2017/03/the_cias_deve...](https://www.schneier.com/blog/archives/2017/03/the_cias_develo.html)

~~~
INTPenis
Yes but domains are registered and C&C servers are activated, things that can
be tracked on other ends like clients and public databases.

So what they really need to do is make a queue system for actions like that
and have them execute randomly during weekends. Would require a lot more
patience and long-sightedness but I don't see any other way of masking it.

------
unit91
> “On one occasion a computer in the United States was compromised but,
> following infection, an uninstaller was launched within hours, which may
> indicate this victim was infected unintentionally,” the blog post said.

A surprisingly refreshing feature.

------
omarforgotpwd
Great example of a headline that captures something really interesting about
the story without lying or misleading readers.

~~~
lawnchair_larry
It does mislead the reader, because this pattern is the case for most malware,
and has been for over a decade. If you only work on it on weekdays, you are
probably _not_ a CIA hacker.

~~~
omarforgotpwd
I disagree. The headline clearly states that if you only work on weekdays you
"might" be a CIA hacker, implicitly admitting that there are also non-CIA
hackers working on weekdays. What I found funny and interesting about this is
that if I were working on malware and making exciting progress I definitely
would not be able to resist working on the weekend. The idea that there is a
government employee who is paid to create malware but sees it as just a 9-5 thing
that he doesn't care about when he clocks out is pretty funny to me.

~~~
rblatz
I don't know this for a fact, but I assume people working on top secret CIA
malware probably can't work from home. They'd have to go into the office and
access the code from a secure computer.

~~~
omarforgotpwd
I'm sure you're right. Which is why you only see activity on weekdays.

------
Nadya
If every government entity can fake/scrub/modify time zones, how are time
zones a "tell" at all?

Let's say the US uses French time zones and France uses US eastern time zones.
You've discovered malware that for whatever reason has time stamps for US
Eastern.

Is it really from the US or is it from France? How would you deduce such a
fact? I posit it would be better to see who the malware is targeting: entities
may be averse to targeting their own countries.

~~~
r3bl
> Let's say the US uses French time zones

I know you're only using France as an example, but it's even more ridiculous
when you consider that (mainland) France has one time zone (CE(S)T), which it
shares with more than a dozen other countries (central Europe + most of
western Europe + the majority of Scandinavia + former Yugoslavia).
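The timestamp deduction cs02rm0 alludes to, and the ambiguity Nadya and r3bl raise, can be made concrete. The following is an added example (not code from the article or from any vendor report): given a set of UTC timestamps, it tries every whole-hour UTC offset and scores how well the activity fits a Monday-Friday, 09:00-17:59 working pattern, keeping ties because a best-fitting offset identifies a time zone, not a country. The sample actor and its timestamps are constructed; the offset choice and work-week definition are assumptions.

```python
from datetime import datetime, timedelta, timezone

WORK_HOURS = range(9, 18)  # 09:00-17:59 local time (assumed office hours)
WORKDAYS = range(0, 5)     # Monday=0 .. Friday=4


def build_sample(offset_hours, weeks=2):
    """Constructed data: a fictional actor working 9-17 Mon-Fri at a fixed UTC offset.
    Stand-in for build timestamps or domain-registration times collected in UTC."""
    tz = timezone(timedelta(hours=offset_hours))
    start = datetime(2017, 3, 6, tzinfo=tz)  # any start date; weekday() is checked below
    stamps = []
    for day in range(weeks * 7):
        local_day = start + timedelta(days=day)
        if local_day.weekday() in WORKDAYS:
            for hour in (9, 11, 13, 15, 17):  # includes both edges of the workday
                stamps.append(local_day.replace(hour=hour, minute=30).astimezone(timezone.utc))
    return stamps


def workweek_fit(utc_stamps, offset_hours):
    """Fraction of timestamps that land on a weekday within WORK_HOURS once
    shifted into the candidate offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for t in utc_stamps:
        local = t.astimezone(tz)
        if local.weekday() in WORKDAYS and local.hour in WORK_HOURS:
            hits += 1
    return hits / len(utc_stamps)


def candidate_offsets(utc_stamps):
    """Return (list of best-fitting whole-hour UTC offsets, their score).
    Ties are kept on purpose: one offset covers many countries (e.g. CET)."""
    scores = {off: workweek_fit(utc_stamps, off) for off in range(-12, 15)}
    best = max(scores.values())
    return sorted(off for off, s in scores.items() if s == best), best


if __name__ == "__main__":
    sample = build_sample(-5)  # constructed actor on US Eastern standard time
    print(candidate_offsets(sample))
```

Shifting the sample by one hour in either direction pushes the edge-of-day timestamps out of office hours, which is why the fit drops; an actor that scrubs or randomises timestamps, as the thread discusses, would flatten these scores across offsets.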

------
lithos
That's actually pretty funny.

Article mostly talks about the validation that security companies got from
recent leaks, when before it could only be based on update and domain
registration times.

Kind of makes the US look silly with that oversight. Though even if they did
fix themselves, it's not like you could change behavior on the old stuff.

~~~
SomeStupidPoint
It also might be on purpose -- if you have a signature, then unsigned things
aren't you, right?

I suspect it was largely accidental, though. Heck, there have been private
entities I know of that have ended up with tells that pinned them to time zones.

~~~
Luc
Easy to do with e.g. postings to forums, including those about bitcoin...

~~~
SomeStupidPoint
I've generally given up trying to conceal anything above what city I'm in.

There are just too many information leaks that can be used to track people
back to regions, and I honestly don't care if people know I'm one of millions
of people.

(Whoops, there goes another -- there are only 53 US metros above 1mil people and
34 above 2mil.)

