
‘Shadow Brokers’ Leak Raises Question of whether the N.S.A. was Hacked - carbocation
http://www.nytimes.com/2016/08/17/us/shadow-brokers-leak-raises-alarming-question-was-the-nsa-hacked.html
======
meowface
A hack seems pretty plausible. But looking at what was leaked and from what I
could guess from their lingo, there's just "scripts" (documentation on how to
implement specific operations/implant a target) and "bins" (the code-scripts,
tools, and exploits themselves). It looks very operational and task-oriented,
like a messy mishmash of directories a pentester would prepare before a CTF
competition or something.

The documentation is fairly shitty and poorly formatted, and the Python I
looked at is abysmal (though it's not uncommon for infosec experts to be
shitty scripters).

So, they probably got into something akin to a "forward operating base", or
perhaps a compromised server where an incompetent implanter accidentally left
all of this stuff lying around, but not an actual compromise of NSA's network.
There also doesn't look to be anything in here that wasn't already known from
the Snowden leaks, other than some specific technical details and context
clues from people writing the documentation.

~~~
nathancahill
"just"

~~~
meowface
If Snowden never leaked anything, this would be a huge revelation.

But this is just some technical documentation about project codenames we
already know a lot about.

    #################
    #    Survey     #
    #################

    # Set up forward tunnel to TCP/443 on the target, and reverse tunnel for NOPEN.

    -tunnel
    l 443 $TARGETIP 443
    r $RHP1 127.0.0.1 $RHP1

    #perform touch to gather info and set env for exploit

    ./eligiblecandidate.py -t https://127.0.0.1:443 touch

It's dozens of documents like these, and poorly written scripts (not to be
confused with operation "scripts", like movie scripts) to make it a bit
easier.

The only somewhat interesting thing is the exploit code for ex-0-days, but I
believe vendors are mostly patched against everything discussed in the Snowden
leaks. Someone correct me if I'm wrong.

~~~
msane
The script style is intentional. They may be discovered / heard / stuck. It
minimizes attribution.

Even still, "poorly written" is mostly big talk.

~~~
dsfyu404ed
> Even still, "poorly written" is mostly big talk.

This. Custom code (likely adapted from some other script the author saw or
wrote in the past) made for a 1-time job for one server doesn't have to be
efficient/good because it doesn't have to scale. Getting it written, making it
do what it needs and getting as entrenched in the target as possible ASAP is
far more important than writing "good" and/or legible code.

------
rrggrr
I recommend Dave Aitel's explanation of the hack (link below).
[https://cybersecpolitics.blogspot.com/2016/08/why-eqgrp-leak...](https://cybersecpolitics.blogspot.com/2016/08/why-eqgrp-leak-is-russia.html)

Even with NSA's considerable budget operating and defending against Russia,
China and several dozen other unfriendly and friendly countries is no easy
task.

~~~
rdtsc
> Information results from HUMINT, not simple hack of a C2 box as suggested
> (not that even that would be easy). Level of difficulty: Very Experienced
> Nation State.

I don't get his reasoning why it necessarily has to be HUMINT. State actors
from other countries can find 0-day exploits, presumably. I don't think it was
that outrageous that they could have hacked into a C2 server.

People who do the work at NSA (assuming it is) are not necessarily super-
wizards or automatically better equipped at defending against an attack. They
were most likely average developers from the DC area who happen to have
clearance and work for Uncle Sam. Because of compartmentalization, those who
specialize in attacking specific targets (firewalls) might not necessarily have
the knowledge to secure a server well.

------
hannibalhorn
So, it sounds like Snowden going public forced them to tighten up security, in
effect locking out the Russians that previously had access to the source code
of taxpayer sponsored malware? Lovely, that.

~~~
eplanit
Is it possible that it's an insider operation like that of Snowden himself?
Perhaps it's somebody who wanted the information outed, but who wanted to
avoid the 'publicity' (and all that it brings).

~~~
altcognito
Given that Snowden was popping off keys just recently, this seems like an odd
coincidence. I'm not saying he's involved, I'm saying he probably should be
considered a datapoint in this drama.

~~~
sangnoir
> Given that Snowden was popping off keys just recently, this seems like an
> odd coincidence. I'm not saying he's involved, I'm saying he probably should
> be considered a datapoint in this drama.

HNer _might_ say you put your point across like Trump or Glenn Beck - _I'm not
saying it_. If it _were_ true, you'd be a weasel to suggest one thing while
disassociating yourself from the said suggestion[1], which means you _could_
be a coward who is afraid of people judging you for holding such a
disagreeable opinion while dog-whistling to the minority who do not share the
same distaste. I'm not saying this is what you are, I think it is an idea that
should be considered when reading your comments.

1. [http://literarydevices.net/paralipsis/](http://literarydevices.net/paralipsis/)

~~~
CarpetBench
You're being annoying about an extremely minor phrasing issue, and being
incredibly rude to the person you're responding to.

The person you're responding to is obviously trying to imply something about
the strength of their belief: That it's not ironclad and it's an interesting
coincidence.

That you're drawing an analogy between the poster and Glenn Beck is extremely
cringeworthy. Leave him back where he belongs, in 2012.

------
DonHopkins
I've heard of a Dutch Auction before, but apparently a Pseudo-Latvian Auction
is where only the highest bidder wins the auction, and the auctioneer gets to
keep all of the bids.

> Auction Instructions
>
> We auction best files to highest bidder. Auction files better than stuxnet.
> Auction files better than free files we already give you. The party which
> sends most bitcoins to address: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK before
> bidding stops is winner, we tell how to decrypt. Very important!!! When you
> send bitcoin you add additional output to transaction. You add OP_Return
> output. In Op_Return output you put your (bidder) contact info. We suggest use
> bitmessage or I2P-bote email address. No other information will be disclosed
> by us publicly. Do not believe unsigned messages. We will contact winner with
> decryption instructions. Winner can do with files as they please, we not
> release files to public.

~~~
crypty
'Tullock auction' is the proper term and it's actually not that uncommon if
you think of a lottery as a kind of auction. I've also seen it played like a
real auction at charity events. If you want to stretch the meaning you could
even see bribery as a Tullock auction.

------
rdtsc
(I posted in another thread but this might be more appropriate)

Took a quick look at files:

> TOOLS/Apache/httpd-2.0.52-9.ent.i386.rpm

Heh RHEL4! Nothing points to a 3 letter US govt agency like an outdated RHEL
version. Even for 2013 (based on file date) RHEL4 was ancient. RHEL7 beta for
example, came out that year.

Also another striking thing about it, there are no swear or l33t-speak words
in there. I know if I had to write ASN.1-based SNMP firmware hacks for obscure
Juniper switches, that code would be drowning in curse words.

Seeing this kind of stuff is fun too:

    ar rules update filename `/tmp/.b` type ar url http://topsec.com.cn

Also a bit of whimsy perhaps, can't be too serious after all, even at the NSA:

    class ELCAExploit(HTTPSExploit):
      name = "ELIGIBLECANDIDATE"
      version = "v1.1.0.1"
      desc="What is the sound of a single thread blocking?"
      modes = ["nopen"]

~~~
laretluval
There's something hilarious and poetic to me about seeing exploits organized
into nice, big-corporation-style object hierarchy.

~~~
DonHopkins
Since Conway's Law [1] states that "organizations which design systems ... are
constrained to produce designs which are copies of the communication
structures of these organizations", this code leak must reveal a lot of
interesting clues about the NSA's internal communication structures!

[1] [https://en.wikipedia.org/wiki/Conway%27s_law](https://en.wikipedia.org/wiki/Conway%27s_law)

~~~
techdragon
It's worth remembering that part of their Operational security practices will
be dedicated to avoiding this. Not saying they can defy Conway's law but I
imagine the analysis would be less revealing than theory would predict.

~~~
DonHopkins
They seem to have forgotten about the part of operational security practices
that are dedicated to avoiding having your top secret code stolen in the first
place.

------
sqldba
But they should totally have golden key back doors to everything and can
surely keep THAT safe.

~~~
daxorid
NSA is not agitating for backdoors; FBI and other domestic law enforcement is.

~~~
acdha
They spent the 90s trying to get that access[1]. The timeline I've heard is
that the failure to get the U.S. tech industry on board with easily-accessed
systems caused them to focus on the kinds of mass exploit development we're
hearing about now.

1. e.g. [https://en.wikipedia.org/wiki/Clipper_chip](https://en.wikipedia.org/wiki/Clipper_chip) or weak export-grade crypto

------
tedmiston
> The attack on the Democratic National Committee has raised questions about
> whether the Russian government is trying to influence the American election.

I don't see where they're going with that. Anyone care to elaborate?

~~~
meowface
Assuming Russia's government was involved in the DNC hack (which, despite most
of HN repeatedly saying it's just a conspiracy theory or fearmongering or
falsely suggesting that the only evidence is Russian IPs or Russian comments,
seems quite plausible at this point), they're trying to help elect the
candidate who would best serve their interests. Between Hillary and Trump,
that's Trump.

~~~
tropo
Hillary approved giving Russia control of 20% of US uranium.

It's obvious that Hillary is better for Russia. I think Putin just likes or
admires Trump in an entirely personal way. Having Putin all starstruck could
be a good thing.

~~~
nostrademons
Putin doesn't like or admire anyone but Putin.

~~~
cookiecaper
Why characterize Putin as a cartoon villain? I'm sure he is more or less a
normal man with peers whom he likes, respects, and admires and peers whom he
doesn't. Wild caricatures portend propaganda.

~~~
randac
Hilarious that this was downvoted, with a cowardly lack of discourse as usual.

Please, continue to assume Putin is a stereotypical cartoon villain. One would
think users of a site like HN would have at least passing knowledge of Occam's
Razor...

~~~
nostrademons
I wasn't the one who downvoted, but I've heard someone who has met him speak
(in a semi-private, company-internal event), and his exact words were "Putin
is _scary_." This is from someone who is in tight with the current US
administration, and who in the same talk mocked Kim Jong-un saying "North
Korea has one export - fear. Everything else, they suck at", so it's not like
he's afraid of all world leaders.

You don't get to the highest levels of power by being a normal person nor by
having other people who you like, respect, and admire, particularly not in a
country with a long tradition of autocratic rule. I think that people who are
assuming Putin is just another old Joe are projecting their own thought
processes onto him, which in a way is admirable - I would love to believe the
best in people too - but is at odds with both the culture and history of the
country he rules and with the workings of power across all cultures.

~~~
riboflava
Meeting Putin would scare me just on the basis that as ex-KGB he could snap my
neck if he was so inclined. I'm not sure that's enough to really characterize
the man, though, at least it's little more than what the people who project
average-Joeness have. At least with e.g. Larry Ellison we have many
independent reports from those that worked with / under him that we can safely
agree it is a mistake to anthropomorphize him.

------
JabavuAdams
I'm curious: why isn't Kaspersky viewed as beholden to the Russian government?
In a country like Russia, you do business essentially at the government's
pleasure. You can't do anything too out of line, or they will shut you down,
in ways that are more opaque than could be done in the US.

I mean, these are the guys who used a radiological weapon to kill a dissident
in a foreign country. They do not mess around. That _must_ have a chilling
effect on companies in or reachable by Russia.

~~~
saynsedit
If people started writing about how Kaspersky was not to be trusted because of
potential ties to the Russian government that would seriously harm their
business!!! Kaspersky is a potential advertiser after all.

Better to reserve the Russian sympathizer narrative for situations when it
would vastly increase readership. A Kaspersky take-down benefits nobody's
pocket.

------
pbarnes_1
It really doesn't. Either someone leaked these scripts or some remote shell
was compromised. Not "the NSA".

------
daxorid
Is there something about the Equation dump that is not relevant to HN? Seems
that most stories related to it are _rapidly_ flagged off the front page,
despite obvious interest.

~~~
dang
Au contraire:

[https://news.ycombinator.com/item?id=12290623](https://news.ycombinator.com/item?id=12290623)

[https://news.ycombinator.com/item?id=12297530](https://news.ycombinator.com/item?id=12297530)

[https://news.ycombinator.com/item?id=12292703](https://news.ycombinator.com/item?id=12292703)

[https://news.ycombinator.com/item?id=12300947](https://news.ycombinator.com/item?id=12300947)

HN's moderation practice around this sort of thing is well established: once a
major story has had a major thread, the test for new submissions becomes "does
this article add significant new information?" If yes, then the post is a new
story in its own right and it makes sense to have a new discussion. If not, we
treat it as a repost and downweight it.

We came up with this after the Great Snowden Flood of 2013, and it has held up
well in practice. It allows for long-running stories to have repeated
discussion while protecting the front page from being overwhelmed by follow-up
posts that don't add anything new. The latter is important because major
stories attract lots of copycat articles.

~~~
1812Overture
Maybe a feature to sticky a thread for a while is called for so major stories
like this don't fall off too quickly?