
Lifting the Shadows of the NSA’s Equation Group - cwn
https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/
======
HillRat
When only some people have security, _nobody_ has security.

This is the sort of event that should -- though it obviously won't -- lead to
a policy debate about the wisdom of locating cyberdefense and cyberwar within
the same hallways.

~~~
Zigurd
> _" locating cyberdefense and cyberwar within the same hallways"_

This is thus far the largest scale example that if you sell security _and_
surveillance, at most one of those product lines isn't a fraud.

~~~
nickpsecurity
Sort of. They're only legally required to protect government communications,
maybe government systems, and defense contractors. The "defense-only"
solutions they have for them are high-quality. Then they push BS for everyone
else to benefit surveillance mission. Quite a lame deal we US taxpayers get on
those high-security products.

~~~
rdtsc
It is entertaining to read NSA's recommendations on how the US govt should secure
its data. Because you always wonder, if they knew of a vulnerability, whether
they'd still advise using that technology. That is, whether the department which
writes the guide talks to the department that does the exploits.

I imagine due to heavy and intentional compartmentalization this doesn't
happen.

Perhaps it depends on the nature of the exploit. For example, I consider the
weakening of Dual_EC_DRBG devilishly good: because of the chosen P and Q they
knew it was weak but also were the only ones who had the key. They would
definitely not tell anyone about that.

~~~
nickpsecurity
> _"I imagine due to heavy and intentional compartmentalization this doesn't
> happen"_

That seems to be the best explanation. Two different groups, with IAD being the
smaller one. The IAD also faces many issues with regs, red tape, a Congressional
mandate to use COTS garbage, lack of liability enforcement, etc. It all adds up
to them getting less effective over time.

They still do some good stuff when they put their pros on it. Their Inline
Media Encryptor is great. I just cloned it and expanded on it in one of my
designs. Just compare its security features to any encrypted USB disk. You'll
see the high-security vs. mainstream security difference.

------
Zigurd
Our taxes went to build this hoard of zero-days, and now they're going to be
used for criminals and foreign governments against us. Good job, NSA. Good
job. I hope this causes enough havoc to make everyone regret using insecure
endpoints as a means of surveillance.

------
Moral_
This shows the dangers of hoarding 0-days. When/if they go public en masse they
can cause serious havoc.

~~~
kuschku
And the potential! Think of all the bugs we can now fix.

Expect to get a _lot_ of updates in the next weeks.

~~~
kardos
If they keep word, going public not happen, one million bitcoin too many

------
caf
I would have thought that if they promised to return all non-winning bids to
the sending or change address, they'd get a lot more bids?

~~~
arkadiyt
They'd have no reason to honor that promise anyway, and a bidder should have
no expectation that they would.

~~~
ajdlinux
Finally, something Ethereum might be useful for!

------
caf
In the freely distributed exploits, EPICBANANA looks like a serious headache -
I think there's a sizeable stranded fleet of older PIXes out there that can't
update beyond 804.

~~~
cornchips
How to defend yourself against a man armed with a banana:

- First of all you force him to drop the banana

- then, second, you eat the banana, thus disarming him.

- You have now rendered him ’elpless.

[http://rump2010.cr.yp.to/c659ebaf681758e01ccf824fd58f3c42.pd...](http://rump2010.cr.yp.to/c659ebaf681758e01ccf824fd58f3c42.pdf)

------
rl3
Obviously the seller's grasp of English is quite poor. Perhaps someone with a
linguistics background could speculate on what their native language most
likely is? At novice proficiency, presumably a speaker's native tongue
influences how they speak a particular language.

Of course, the seller could always be pretending. Given the seeming
authenticity of the leak however, it's doubtful they're western—unless they're
operating very illegally and trying to cover their tracks.

~~~
kafkaesq
_We auction best files to highest bidder. Auction files better than stuxnet._

The lack of definite articles and linking verbs is particularly suggestive of
a Slavic background. Here's another telling signature:

_We follow Equation Group traffic. We find Equation Group source range. We
hack Equation Group._

So instead of using the standard "linking verb + gerund" construction that
modern English provides to indicate continual (or background) activity they're
using the simple present tenses of these verbs the way Slavic languages do,
via the imperfective forms of these verbs.

And also:

_If you want reverse, write many words, make big name for self, get many
customers, you send bitcoin._

_You bid against Equation Group, win and find out or bid pump price up, piss
them off, everyone wins._

_You like reward, you take risk, maybe win, maybe not, no guarantees._

The use of commas to link independent clauses (instead of coordinating
conjunctions, like English) also happens to be very characteristic of Russian.

~~~
msane
There are a few phrases which suggest perfectly fluent English, such as _"can
do with files as they please"_.

If anything stands out from the writing to me it's that it sounds like a scam.

~~~
kafkaesq
That's the thing with partial fluency -- and really now, their English is
quite good (much better than our proficiency in their native languages) --
that it will be peppered with many idiomatic phrases ("can do with X as they
please") while other parts remain comically broken. Like, you know, Google
Translate.

BTW, it should be " _the_ files".

------
Animats
How are the bids going? All the bid info is in the blockchain. CIO magazine
says only 45 BTC bid so far.[1]

[1] [http://www.cio.com/article/3107946/nsa-hacked-top-cyber-weapons-allegedly-go-up-for-auction.html](http://www.cio.com/article/3107946/nsa-hacked-top-cyber-weapons-allegedly-go-up-for-auction.html)

~~~
LeoPanthera
45 dollars, not 45 BTC.

Unless they changed the address, they've only received a total of 0.08003067
BTC at the time of this comment.

[https://blockchain.info/address/19BY2XCgbDe6WtTVbTyzM9eR3LYr...](https://blockchain.info/address/19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK)

~~~
rspeer
Good. People who know cryptography should also know enough about game theory
to not participate in a dollar auction.

I mean, even with a perfectly honest auctioneer, dollar auctions (where one
person wins but more than one person pays) are one of those games where the
only way to win is not to play. Now add to that the fact that there's no
reason to trust the auctioneer.

~~~
rdtsc
People who know cryptography would not be participating. However, I think this
is deliberately made to look stupid (complete with over-the-top Russian-
sounding phraseology to imply these are those famous ex-KGB hackers) to
attract irrational but wealthy entities -- probably governments and their spy
agencies. They have large sums of money to play with.

I can see perhaps Iran, in a desperate attempt to exact revenge for their
centrifuge plant being hacked, throwing a few hundred thousand at them, just on
the small chance this would yield something.

------
cornchips
Doesn't seem like any source code... Except Python..

Also, I wonder if computer scientists feel anything like the scientists after
creating and deploying the atomic bomb... "Now I am become Death, the
destroyer of worlds."

~~~
viraptor
What do you consider "source code" then if Python doesn't qualify?

~~~
cornchips
any -> much

Referring to the source code of some of the major components. Any python
source was stripped of comments, which is surely interesting, but not as
interesting as the source of the binaries.

------
JabavuAdams
I had to look up "Equation Group". A couple of articles mention that various
malware tied to Equation Group includes timestamps indicating programmers
working 8-5, Mon to Fri, in Eastern US timezones.

Anyone know of more info on why this would be left in? A simple oversight?
False-flag propaganda?

Where would I look for more information on fingerprinting binaries? I.e.
perhaps identifying compiler and even build environment.

Thanks!

~~~
MajesticHobo
> Can we trust this information? The answer is: not fully, because the link
> timestamp can be altered by the developer in a way that’s not always
> possible to spot. However, certain indicators such as matching the year on
> the timestamp with the support of technology popular in that year leads us
> to believe that the timestamps were, at the very least, not wholly replaced.
> Looking at this from the other side, the easiest option for the developer is
> to wipe the timestamp completely, replacing it with zeroes. This was not
> found in the case of EquationDrug.

[https://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/](https://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/)
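The question above about fingerprinting binaries, and the quoted point about link timestamps that have been wiped to zero, can be made concrete with a small parser. The following is an added example written for this thread; it is not code from the comments, from the Kaspersky write-up, or from any of the leaked tooling. It reads the PE/COFF `TimeDateStamp` field the way a compile-time analysis would, separates wiped or sentinel values from real epoch times, and then aggregates a set of binaries into the weekday/hour profile the articles mention. The PE images it analyses are a constructed fixture (a DOS stub plus a bare COFF header, built with `build_minimal_pe`), the sample timestamps are invented, and the timezone is an assumed fixed UTC-4; a real investigation would feed it actual files and use `zoneinfo` so that daylight-saving shifts are handled per date.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Offsets from the PE/COFF format: e_lfanew lives at 0x3C in the DOS header, and
# TimeDateStamp sits 8 bytes past the "PE\0\0" signature (after Machine and
# NumberOfSections).
E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
TIMESTAMP_OFFSET_IN_COFF = 8


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed fixture: a DOS stub plus a bare COFF header, just enough
    structure for the parser below. It is not a loadable executable."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, E_LFANEW_OFFSET, 64)  # COFF header follows the stub
    coff_header = PE_SIGNATURE + struct.pack(
        "<HHIIIHH",
        0x014C,      # Machine: IMAGE_FILE_MACHINE_I386
        0,           # NumberOfSections
        timestamp,   # TimeDateStamp: seconds since the Unix epoch, set by the linker
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0,           # SizeOfOptionalHeader
        0x0102,      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos_header) + coff_header


def read_link_timestamp(data: bytes) -> int:
    """Return the raw TimeDateStamp field of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image: missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + TIMESTAMP_OFFSET_IN_COFF)
    return stamp


def classify_timestamp(stamp: int, tz: timezone):
    """Map a raw stamp to ("zeroed"|"sentinel"|"epoch", local datetime or None).

    Zero is the wipe the quoted analysis describes; 0xFFFFFFFF is another
    non-time value an analyst should not feed into a clock-based profile.
    Anything else is treated as a Unix time and moved into the chosen zone."""
    if stamp == 0:
        return "zeroed", None
    if stamp == 0xFFFFFFFF:
        return "sentinel", None
    local = datetime.fromtimestamp(stamp, tz=timezone.utc).astimezone(tz)
    return "epoch", local


def work_pattern(images, tz: timezone) -> dict:
    """Aggregate link times across a set of binaries into a weekday/hour
    profile and the share that falls in a Mon-Fri, 08:00-17:00 window."""
    weekdays, hours, non_time = Counter(), Counter(), Counter()
    business = 0
    for data in images:
        kind, local = classify_timestamp(read_link_timestamp(data), tz)
        if kind != "epoch":
            non_time[kind] += 1
            continue
        weekdays[local.weekday()] += 1   # 0 = Monday
        hours[local.hour] += 1
        if local.weekday() < 5 and 8 <= local.hour < 17:
            business += 1
    dated = sum(weekdays.values())
    return {
        "dated": dated,
        "non_time": dict(non_time),
        "weekdays": dict(weekdays),
        "hours": dict(hours),
        "business_hours_fraction": business / dated if dated else 0.0,
    }


# Constructed sample: five invented link times in UTC plus one wiped stamp. The
# zone is an assumed fixed UTC-4 (US Eastern daylight time).
EASTERN_DAYLIGHT = timezone(timedelta(hours=-4))
_utc = timezone.utc
SAMPLE_IMAGES = [
    build_minimal_pe(int(datetime(2008, 6, 17, 14, 30, tzinfo=_utc).timestamp())),
    build_minimal_pe(int(datetime(2008, 6, 18, 20, 5, tzinfo=_utc).timestamp())),
    build_minimal_pe(int(datetime(2008, 6, 19, 13, 0, tzinfo=_utc).timestamp())),
    build_minimal_pe(int(datetime(2008, 6, 21, 16, 0, tzinfo=_utc).timestamp())),
    build_minimal_pe(int(datetime(2008, 6, 20, 2, 0, tzinfo=_utc).timestamp())),
    build_minimal_pe(0),
]

if __name__ == "__main__":
    for key, value in work_pattern(SAMPLE_IMAGES, EASTERN_DAYLIGHT).items():
        print(f"{key}: {value}")
```

Two things the output makes visible: the wiped stamp is counted separately rather than silently landing on 1 January 1970 (a Thursday, which would quietly skew the weekday histogram), and the 02:00 UTC sample lands on the previous evening once shifted, which is why the zone choice has to be made explicitly before any "8-5, Mon to Fri" claim is read off the numbers. The quoted caveat still stands: a linker stamp is attacker-controlled data, so this profile is corroborating evidence at best.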

