
Who Is Publishing NSA and CIA Secrets, and Why? - germinalphrase
https://www.lawfareblog.com/who-publishing-nsa-and-cia-secrets-and-why
======
jwtadvice
This article reads pretty lazily in my opinion.

It fails to mention that the CIA had an internal hunt for the contractors
who leaked the "Vault7" arsenal - confirming that indeed it was a contractor
and indeed that they had mishandled the arsenal by providing global access to
the weapon cache.

It also failed to mention the full original story provided by the Shadow
Brokers and those that reported on them: that NSA had (similarly) mishandled
hacking tools by loading too many of them onto attack staging servers. This
story has not changed, nor have the recent publications contradicted it. In
fact the Shadow Brokers said exactly what they were going to publish when they
first went public and have followed through with what they said they were
going to publish exactly.

The author speculates and conspires that both of these must be Russia. Mostly
it's the standard fare conspiracy theorist "to whose benefit" but it's clear
the author doesn't understand whether and how Russia would benefit from these
disclosures.

Finally, after all the public panic induced over "Russian hacking" during the
election, there's been no intelligence summary, statement, or even
Congressional statement to the effect that either the Shadow Brokers or the
Vault7 leaks are in any way attributed to Russia. Wouldn't that have been fuel
for that fire?

My guess is that the Shadow Brokers are a criminal organization with informal
relationships with state intelligence services. My guess is that Vault7 was a
CIA and contractor who shared the massive trove too broadly, where it ended up
in the hands of the Wikileaks journalism reporting outlet.

The author appeals to Occam's Razor only by name. The lack of careful analysis
in the article insists, unfortunately, on using unfounded speculation in the
place of evidence, and horror, to then appeal to Occam's Razor on behalf of
assumptions.

~~~
walshemj
That's a "brave" assertion to make about Bruce Schneier

~~~
thraway2016
It's not just Schneier. Seems that nearly everybody in infosec is convinced of
Russia's complicity in everything from the DNC leaks, to Vault7, to
ShadowBrokers, and now allegedly the Macron campaign.

Listening to the RiskyBusiness podcast, for instance, it's incredibly obvious
that the community is fully in the tank for the Russian attribution
hypothesis, and habitually carries the water for FiveEyes IC.

Meanwhile, we mere plebs have very little evidence to judge the community's
beliefs by, other than blind faith in, say, CrowdStrike.

If the infosec community would like to actually state their case to the plebs,
I would love to hear it. But all I've _ever_ been able to find is "the
phishing email is a little similar to something produced by APT28, and there
was an IP once used by FancyBear like 5 years ago, so it's 99.9999% certainly
Russia".

And nobody seems to care enough about those outside the community to even try
to state the case.

~~~
jwtadvice
I wouldn't characterize everything-is-Russia complicity as an infosec
community consensus. I'm in the infosec industry and disagree. In fact, my
colleagues and coworkers tend to have far more nuanced and informed positions
than what mass media has inappropriately characterized as the infosec
consensus.

I remember when the Washington Post and others were claiming that Russia had
hacked voting machines and that the infosec community agreed with that. All
kinds of researchers reached out to complain but their voices were never
heard. Instead the story was quietly dropped when it turned out it was PR and
propaganda bullshit.

I'm sorry that you have an impression that there's an infosec consensus on
this.

It doesn't exist.

~~~
thraway2016
Thanks for your response. I'm peripherally interested in application security,
so I've followed SwiftOnSecurity, the grugq, HN's very own tqbf, 0x00string,
xntrik, matt blaze, etc. I also listen to Risky Business, LiquidMatrix,
cyberwire, etc.

My impression based on following "thought leaders" and listening to the most
highly-regarded podcasts is that the community is, in fact, exactly as I
described. (even the recent appointment of IC shill Jeff Man as a regular on
Paul's Security Weekly has dramatically shifted his show in that direction.)

If you don't mind, can you recommend other people to follow/listen to that
might balance out the impression I have received? Thanks.

~~~
cyber_gr1zzly
In terms of the NatSec - which has a broad overlap with InfoSec on twitter:
pwnallthethings, shaneharris, jimsciutto, josephfcox, etc. all provide useful
insight.

Broadly though, punditry shouldn't be used as a proxy for consensus.

~~~
daddyo
I thought pwnallthethings is also in the Russians-did-it camp.

DNC hack:
[https://twitter.com/pwnallthethings/status/74319706484310425...](https://twitter.com/pwnallthethings/status/743197064843104257?lang=en)
"Gosh, I wonder what outlet Russian intelligence is going to use to launder
these stolen documents."

Podesta Hack: 14 year old hackers vs. Russian Intelligence

[https://twitter.com/pwnallthethings/status/81662561706823680...](https://twitter.com/pwnallthethings/status/816625617068236802?lang=en)
"How many accounts did this "14 year old" hack? About 1800. In 2015. Who were
these accounts? Mil, govt personnel in the West, defence cos, journos critical
of govt in Russia etc"

DNC hack connected to German government hack

[https://twitter.com/pwnallthethings/status/75689252388524032...](https://twitter.com/pwnallthethings/status/756892523885240322)
"Reminder: Malware control servers used in DNC hack were also used in the hack
on Bundestag linked to Russian intel."

Influencing politics

[https://arstechnica.com/security/2016/06/guccifer-leak-of-dn...](https://arstechnica.com/security/2016/06/guccifer-leak-of-dnc-trump-research-has-a-russians-fingerprints-on-it/)
""There's also the fact that the hacker is publishing documents at all, which
rules out lots of nation-states," the PwnAllTheThings researcher told Ars in a
private message. "China, for example, would happily spy on the DNC to try and
get the Trump oppo [opposition] research to support their foreign policy
objectives, but they wouldn't publish the documents to influence the
election.""

~~~
snowwrestler
pwnallthethings has also gone through great pains to walk through the evidence
(much of it public) and analysis that informs their opinion of attribution.

------
jerf
I think it's not out of the question it's multiple motives, too. It's not
impossible someone chose to grab some stuff due to moral objections, and is
feeding the information through some channels that themselves have their own
motivations. I've seen accusations that Snowden had that happen to him with
his documents, for instance, by which I don't mean that I do or do not believe
that, just that it's not inconceivable. You don't necessarily need a single
atomic motive for this to be happening.

If so, that raises other interesting questions, such as: "What is the largest,
most powerful possible intelligence agency that would not be virtually 100%
guaranteed to leak so hard that non-trivial stuff would even get into the open
air?" We spend a lot of time on HN worrying about how powerful a police state
could become with modern technology, but it's possible that that very power
could itself be a quantitative change and that an entity powerful enough to be
that strong of a police state might also virtually inevitably tear itself
apart with internal struggles. I mean, that would still suck for those not in
the middle (though it sucks for them too; one of the reasons I really hate
police states is that really _nobody_ is happy, not even the people with
power), but it may imply that it is intrinsically less stable of an
arrangement than many of us fear.

I'm just musing here for other people to bounce their ideas off of, not
particularly proposing a concrete idea here. But is it just me, or in the last
10 years have we not been seeing a slowly ramping rate of outright-public
leaks like this? What if it's not a fluke, but a fundamental attribute of the
current technology landscape and psychological makeup of humans at scale?

~~~
defen
> I think it's not out of the question it's multiple motives, too. It's not
> impossible someone chose to grab some stuff due to moral objections, and is
> feeding the information through some channels that themselves have their own
> motivations.

That would be my guess as well - an application of so-called "Fourth-generation
warfare". In the same way that ISIS seeks to encourage self-radicalization,
since it is virtually untraceable, Russia (or really, anyone opposed to US
interests) would aim to create a climate where NSA/CIA employees
"self-radicalize" in the sense that they become convinced that those
organizations are engaging in illegal or immoral activities.

So, create organizations like Wikileaks, people like Ed Snowden, plant news
stories, etc. At a high level the idea is that you create a broad-spectrum
propaganda campaign that is designed to encourage insiders to leak secrets for
the benefit of their own conscience. If you reach the right people you can
gain access to tons of secrets in a way that is 100% deniable. No payments, no
meetings or communications with Russian agents that can be tracked, etc.

~~~
cpr
Why would Russia (or other anti-US entities) need to create such a climate?

Isn't it prima facie clear that the three-letter agencies are essentially
rogue governments (the "deep state"), a law unto themselves, and thus
completely antithetical to the whole idea of a democratic republic?

So internal people at those agencies, if they have half a brain and a
conscience, and are patriotic in the original sense of loving one's patria
(fatherland), though hating the bad aspects of one's government, should
already be willing to spill the so-called secrets by which these agencies
operate their illegal and immoral agendas.

~~~
linkregister
Is it prima facie clear though?

Of the controversial activities the spy agencies have taken post-WW2, weren't
virtually all of them under some White House or Congressional auspice?

The actions and capabilities revealed in the Snowden leaks were overtly
defended by both the President and (most) members of Congressional
intelligence committees.

If there's a deep state in the Intelligence Community, then the
Commander-in-Chief, appointed Executive Branch officials (e.g. Director of
National Intelligence and Defense Secretary), and Senators & Representatives on
Intel committees are part of it. In which case, public elections are part of
the deep state?

~~~
cpr
Until you get a president the deep state loathes (like Trump) and whom they
would not have chosen, and then they can turn on him, like leaking negative
things about him and taking out his appointees (like Mike Flynn).

~~~
linkregister
Chris, I respect you. However, your comment contains conjecture without many
facts.

1. _> The deep state loathes._ What makes you think that a large number of
intelligence community members didn't vote for Trump? He won a third of
Maryland and almost half of Virginia. And what about the military? Do you
honestly think even 40% of servicemembers voted Democrat?

2. _> and then they can turn on him, like leaking negative things_ So a
handful of leaks blemish the whole IC? The IC has been doing its job,
supporting military operations ordered by the President and assisting ICE and
CPB. As far as we know, the leaks came from congressional or White House
staff.

3. _> taking out his appointees_ Is Mike Flynn's conduct defensible? He was
working for foreign governments without reporting it. I don't think there's
anything wrong with talking to the Russian Ambassador, but he brought all this
on himself.

You never addressed my point about the "deep state" being controlled by
Congress and the Executive. The IC is dependent on line items in its budget to
be passed in order to get funding. Unless congressmen are corrupted, there
isn't an autonomous "deep state."

------
rrggrr
The most likely leaker to Wikileaks? The CIA itself. Its tools already
compromised, perhaps by Russia or by someone internal, the sensible thing to
do is to leak the exploits in such a way that: (a) they can be patched and
rendered largely harmless; (b) the oversight focus is primarily on Wikileaks
and not the CIA for losing its jewels. Why would Russia (or any state actor)
wikileak these compromises instead of using them against unpatched targets
globally? No upside & makes no sense.

~~~
rm_-rf_slash
They probably have plenty of the same zero-days and using them would be a
waste: once someone knows you're using an exploit it'll get patched.

It makes perfect sense for an adversarial nation's intelligence agency to
undermine the CIA and Americans' trust in their own government.

America is too far away from its rivals and enemies for a conventional war to
be fought on its own shores. It makes more sense to use fear (9/11) and
propaganda (your CIA is spying on you!!) to get Americans at each other's
throats and distracted from the real threats to their wellbeing.

After all, our political parties have been doing that for my whole life, so
the groundwork laid is practically an invitation.

~~~
ak4g
On one hand, yes, our political divisions no doubt make that kind of
information warfare campaign tempting.

On the other hand, it's already pissed us off something fierce, and I think
the narrative in the mid-term future will ultimately be one where would-be
adversaries decide they don't want to be the next poor soul to be made an
example of.

------
jandrese
> What happens when intelligence agencies go to war with each other and don't
> tell the rest of us? I think there's something going on between the US and
> Russia that the public is just seeing pieces of. We have no idea why, or
> where it will go next, and can only speculate.

I think the term you are looking for is "Cold War".

~~~
linkregister
You don't think the Cold War in the 1950s was overwhelmingly supported by the
American public?

~~~
macintux
I don't follow.

The quoted paragraph says nothing about public support, just public knowledge,
and definitely the American public in the 1950s (and other decades) had very
limited visibility into the espionage undertaken as part of the Cold War.

~~~
linkregister
Espionage was only a small part of the Cold War conflict. Most of it was
diplomatic and economic, and overtly conducted through proxy wars. While you
might learn some new facts from newly declassified Cold War-era documents,
most of the relevant issues are in the history books.

Please don't change the goalposts. I'm responding to this:

 _> What happens when intelligence agencies go to war with each other and
don't tell the rest of us?_

 _I think the term you are looking for is "Cold War"._

The Cold War was not secret nor conducted without the consent of the publics
of the two powers. Many activities were conducted in secret, but the bulk of
the conflict was done overtly.

------
jorblumesea
Highly unpopular opinion, but Wikileaks is seeming more like an anti-western
operation funded by Russia. The more they leak the more their bias is showing.

~~~
draw_down
Mmm, you might be surprised how popular that opinion is, particularly among
American Democrats.

~~~
jorblumesea
The bias is so obvious it's hard not to draw conclusions from their actions.

~~~
1001101
Julian said this to Forbes in 2010:

"It's not correct to put me in any one philosophical or economic camp, because
I've learned from many. But one is American libertarianism, market
libertarianism. So as far as markets are concerned I'm a libertarian, but I
have enough expertise in politics and history to understand that a free market
ends up as monopoly unless you force them to be free.

WikiLeaks is designed to make capitalism more free and ethical."

So, core principles: open information, ethical capitalism.

His influences and associations with people like Noam Chomsky (ethical
political economy), Gavin MacFadyen (open information) and others seem to
reinforce this.

I'm not sure that Russian oligarchy, and restrictions on press freedoms/speech
etc., would really jibe with Julian's worldview. He does seem to have a
particular bone to pick with US imperialism, so I wouldn't rule out his
accepting help from the enemy of his enemy.

~~~
PerfectDlite
> WikiLeaks is designed to make capitalism more free and ethical

So somebody would imagine that he will publish Russian data as well, to make
Russian capitalism more free and ethical...

~~~
zigzigzag
This comes up every time Wikileaks is mentioned, and it is ridiculous every
time.

Assange has stated, very clearly, that Russia is not the source and that if
they had leaks related to Russia they'd publish them. But they don't. Probably
because Wikileaks isn't necessary for Russian leakers: it arose because
western newspapers were so reluctant to publish leaked material from western
governments. But those same newspapers are desperate to publish anything that
makes Russia look bad. So why go via Wikileaks, when you could go directly to
the NY Times or the Guardian.

The whole "Wikileaks = Russia" line just comes off as delusional. There's no
evidence, it has been explicitly denied, and the supporting arguments are very
weak.

~~~
PerfectDlite
Sorry, your defensive arguments are very weak. Like "if they had leaks related
to Russia they'd publish them. But they don't. Probably because Wikileaks
isn't necessary for Russian leakers" - really?

~~~
zigzigzag
What kind of an answer is that? Do you have evidence that they have leaks
they're sitting on? If so, why would the leaker not just send their materials
elsewhere? The point of Wikileaks is to publish, after all. You're arguing
that they have lots of material they refuse to publish, and the people who
provided that material oddly don't use other channels, yet you have no
evidence.

~~~
PerfectDlite
> The point of Wikileaks is to publish, after all.

So how many anti-Putin materials were published there?

------
empath75
This is Bruce Schneier, btw. So not some random blogger.

~~~
BlackjackCF
Seems like some people on here don't know Bruce Schneier based off the way
that they're shitting on the article?

~~~
ignoramceisblis
Should we not criticize someone's publications, even if we think they deserve
criticism? And should we use their name as reason for abstaining from that?

Not to imply that you do this, but here's some general advice: don't appeal to
authority--at least for the sake of authority. Don't idolize. We should be
free to criticize whomever we want, if we think we have good reason to. If we
don't have such freedom, we'll quickly find ourselves in a state where a
select group of individuals have a disproportionate amount of power over
others. Though I speak too late.

~~~
empath75
Well yes but if someone has demonstrated expertise in a field you shouldn't
dismiss their opinions in a cursory way as many people here have done.

~~~
ignoramceisblis
I think I understand what you're trying to get at. But it assumes that the
person's expertise is truly "aligned" with the subject matter.

I don't want to badger you with all of my thoughts on this, but, at the
extreme, even if the author (was such an expert that they) knew who was
performing these leaks and why--as opposed to giving speculation, which the
author does state--we would also have to trust that they're giving their
complete and honest account on the matter. So even in the case that they have
perfect information, you must consider how much faith you want to put in
their output. Note: I don't like the idea of willy-nilly distrusting everything
everyone says, but I do think it's worth pointing out possibilities that may
exist for many situations.

------
Johnny555
I want to know why we are allowing government agencies to accumulate a vast
trove of data (of dubious intelligence value) about everyone when they've
shown that they are unable to secure their own secrets.

------
blisterpeanuts
Maybe a naive question, but why do CIA and NSA hire so many contractors for
such sensitive work?

Perhaps they should restrict these sensitive positions to full timers who have
committed to the Agency -- i.e. they know that the organization will be
watching them pretty much for the rest of their lives. Ex-agency people I've
met said they have to notify the Agency whenever they travel abroad -- if they
don't hear back, it's fine, but the Agency reserves the right to stop them.

The amount of damage (some might prefer to say, whistle blowing) done by
contractors in recent years suggests that it's time to reexamine who gets such
sensitive access.

~~~
daddyo
Capitalism at work. Commercial businesses need profit to survive and so, in
general, deliver better innovative products. There is no way for CIA and NSA
to compete with Google on search and web crawling, so why bother competing
with them with their own subpar products?

I don't think the contractors leaked themselves. I think foreign intelligence
agencies target most of them, and having multiple attack points yields more
leaks than having just a single well-guarded agency. Trade-off between
clamming up and remaining State-of-the-art.

~~~
linkregister
Judging by your comment, you don't know very much about contracting in the IC.
I'd rather you be less authoritative and leave it at "I think X" instead of
"It's definitely X".

~~~
daddyo
Please be more courteous with your dismissal. What shows that I don't know
anything about contracting in the IC, and what really happens instead?

I also thought my answer was very careful in its assertions. What have I
stated as a definite fact and why was this wrong?

~~~
linkregister
Sorry, I was too harsh.

I felt it was outrageous to inject a pro-Capitalist treatise with regards to
government contracting, which for me fits in two buckets:

1. Government needs some hardware (e.g. radar, missile, aircraft,
watercraft). Some preapproved vendors who have already developed relationships
and comply with extensive contracting requirements bid on a project. One or
more win. Some vendors that win are wildly underqualified and, especially in
the realm of IT, make an inferior product at 10x the price. One of the
government stakeholders works for that contractor after a few years.

2. Government for political reasons can't hire or pay enough employees, so
they pay a consultancy to provide employees for them.

Neither seems like an efficient capitalist action. The first due to its
significant barriers to entry that forms oligopoly, and the second because
it's just hiding government employment within a contract.

I don't know of a good way to improve #1, but for it to be considered a
testament to the efficiency of capitalism is absurd to me.

------
mmaunder
Final paragraph: "What happens when intelligence agencies go to war with each
other and don't tell the rest of us? I think there's something going on
between the US and Russia that the public is just seeing pieces of. We have no
idea why, or where it will go next, and can only speculate."

Correct. For over 75 years now. Article is just a summary of recent events in
IC leaks. I clicked because I thought the author was going to speculate
they're planned leaks as part of a counter-intel operation. That would have
been interesting.

~~~
cat199
> Correct. For over 75 years now.

Have a look at Lenin's train and try 100.

Or, the dawn of time, depending.

------
mirimir
Specifics aside, this may just be more Cold War. In a new realm, for sure, and
one where Russia isn't as disadvantaged by resource limitations. Trying to
match US physical resources arguably destroyed the Soviet Union.

But I also wonder whether the US got too careless about hiring blackhat
hackers. And whether some of them left backdoors.

------
brilliantcode
Putin, in case anyone had trouble with the article's implied message.

------
SFJulie
It was a fun read, but I can outsmart him in a non-fact-based analysis that
might be closer to the truth.

In his blog circa 1813 at St Hélène, Napoleon posted on YikYak: never credit to
malice what can be simply explained by incompetence, and while trying to
dominate the world with a huge army, I discovered that my Machiavellian plans
were anyway countered by having a huge organization that tends to have
incompetence at critical points.

Well, Napoléon may have been right. The estimated headcount of all the US
agencies is 3 000 000 workers, a huge amount of the population if you want to
keep stuff secret.

If that's not enough, you have at least 5 big agencies and a lot of small ones.

You also have a tendency to have the patriots like Snowden attracted to secret
services and army.

Some of them have opinions that diverge as much from their agencies' heading as
their sense of duty is strong.

Plus, without uncovering any big secrets: since the 1986 commercial war with
Europe and the WTO agreement on stopping the subsidizing of companies with
public money, NASA, DARPA and the secret services have been used as a way to
discreetly fund part of the economy (namely IT, aeronautics and the military
industry). And let's not lie to ourselves: one of the biggest parts of the
agencies' job is economic intelligence to favor the interests of _some_
companies.

So, well, these subsidies are a resource increasingly taken by the services :)
and some companies want this money.

Subsidies used to go into road infrastructure, where the mafia was happy to
have its share. Urbanism used to favor real estate....

There are a lot of enemies inside the USA against the services and their power
over this huge budget of theirs.

My take on the issue is that maybe a Russian ... mob ... consisting of US
citizens could totally be involved, but as much as any other economic agents
in the USA.

The problem of having too much money is that you'd better live in the shadow
to not become the target of jealousy.

It may be that, knowing how much the CIA and NSA have been involved with IT
companies (as both suppliers and recipients of subsidies and probably economic
intelligence), other sectors of the economy like .... real estate,
agriculture, energy, distribution want to have their place under the sun back
again.

So, going back to Napoléon, I do think that a secret service employing that
many people, not all of them trusted, requires so much duplication of
information and so many internal leaks simply to get the work done on a
day-to-day basis, that leaks are just a simple expression of a probable
incompetence that did not scale up very well.

Yes, the Russians may have opportunistically played with it. But clearly the
biggest problem first is having huge mammoth bureaucratic agencies.

Voilà, me too I made my own I don't know nothing I will tell you everything
analysis based on wind.

:P

------
draw_down
I'm going to guess before I read this that Russia comes up a bunch.

Update: yep. It's all Russia all the time these days.

~~~
charonn0
They are the most likely suspect, aren't they?

~~~
wu-ikkyu
Why are they the most likely suspect? Aside from the popular notion that they
are. There are billions of people across the world who could have done this.

~~~
fortenforge
Billions? Really? 1 in 7 people could have hacked the NSA or CIA?

~~~
wu-ikkyu
There is a plethora of free hacking/social engineering training and tools on
the internet. Anyone with internet access and a motive has a shot.