
Snowden Document Search - sinak
https://search.edwardsnowden.com/
======
rdtsc
Some interesting stuff:

\---

TS//SI//REL FVEY We have discovered a way that may be able to remotely brick
network cards. We need someone to perform research and develop a deployable
tool.

\---

(TS//SI//REL) Currently CASTLECRASHER is the only production quality Windows
execution technique that Payload Persistence techniques have. Another
mechanism to execute DNT payloads is needed. Most pre-boot Persistence
techniques only have the ability to influence an OS through modifications to
the target file system. Work needs to be done to investigate other ways to get
execution inside of Windows

\---

(TS//SI//REL) BERSERKR is a persistent backdoor that is implanted into the
BIOS and runs from SMM. Although the core of the code is stable, there are
always new requirements against which to develop. This includes new network
interface card parasitic drivers as well as applications.

\---

(TS//SI//REL) GOPHERRAGE is the Persistence Division's pilot program to apply
industry best practices and agile development processes to internal projects.
To this end, the project is managed via the Scrum process. Test Driven
Development (TDD) practices are used as well in an effort to reduce code
defects. The project also is looking to incorporate ideas from DNT such as
their SCube build environment

[Aha, so it is top secret that NSA is using TDD and Scrum. I find that kind of
funny]

\---

(TS//SI//REL) TORNSTEAK is a persistence solution for two firewall devices
from a particular vendor. We need to port TORNSTEAK from the existing two
firewalls to several more from the same vendor.

\---

~~~
azinman2
The "good news" is that this should help show that there aren't already big
back doors in Windows, otherwise they wouldn't need these tools.

~~~
madez
I wouldn't make that conclusion. As we know, knowledge is very
compartmentalized in the NSA. So, there could be groups in the NSA trying to
find attack vectors for Microsoft Windows while other parties in the NSA might
have backdoor access to Windows for use in specific circumstances.

Furthermore, Microsoft has universal access to Windows machines which connect
to Microsoft servers to download patches. The government can argue with risk
to national security and force Microsoft to let them use that update mechanism
to spread their malware.

~~~
secfirstmd
Very true... I've often wondered about that relationship to the Google Play /
iOS Apple store.

~~~
RegW
um - best not to wonder too loudly.

~~~
anonbanker
the fact that this was downvoted to light grey terrifies me.

------
bitmapbrother
Some more interesting stuff:

July 31, 2012

Microsoft (MS) began encrypting web-based chat with the introduction of the
new outlook.com service. This new Secure Socket Layer (SSL) encryption
effectively cut off collection of the new service for FAA 702 and likely 12333
(to some degree) for the Intelligence Community (IC). MS, working with the
FBI, developed a surveillance capability to deal with the new SSL. These
solutions were successfully tested and went live 12 Dec 2012.

March 7, 2014

PRISM now collects Microsoft Skydrive data as part of PRISM'S standard Stored
Communications collection package for a tasked FISA Amendments Act Section 702
(FAA702) selector. This means that analysts will no longer have to make a
special request to SSO for this - a process step that many analysts may not
have known about. This new capability will result in a much more complete and
timely collection response from SSO for our Enterprise customers. This success
is the result of the FBI working for many months with Microsoft to get this
tasking and collection solution established. "SkyDrive is a cloud service that
allows users to store and access their files on a variety of devices."

March 15, 2013

SSO's PRISM program began tasking all Microsoft PRISM selectors to Skype
because Skype allows users to log in using account identifiers in addition to
Skype usernames. Until now, PRISM would not collect any Skype data when a user
logged in using anything other than the Skype username which resulted in
missing collection; this action will mitigate that. In fact, a user can create
a Skype account using any e-mail address with any domain in the world. UTT
does not currently allow analysts to task these non-Microsoft e-mail addresses
to PRISM, however,

~~~
ionised
> MS, working with the FBI, developed a surveillance capability to deal with
> the new SSL. These solutions were successfully tested and went live 12 Dec
> 2012.

And there it is. They claim ignorance to NSA data tapping of their servers but
are in fact entirely complicit as we suspected.

~~~
josefresco
"They claim ignorance to NSA data tapping"

They did? Interested in the link/reference if you have it.

~~~
mcintyre1994
[http://news.microsoft.com/2013/07/11/statement-from-microsoft-about-response-to-government-demands-for-customer-data/](http://news.microsoft.com/2013/07/11/statement-from-microsoft-about-response-to-government-demands-for-customer-data/)

>our compliance team examines all demands very closely

> To be clear, Microsoft does not provide any government with blanket or
> direct access to SkyDrive, Outlook.com, Skype or any Microsoft product.

Not hugely direct but seems to be contradicted by the document.

~~~
rayiner
It's not at all contradicted by the document. The document references Section
702 of the FISA Amendment Act, and the Stored Communications Act. Section 702
allows targeted access to non-U.S. persons and Section 2703 of the Stored
Communications Act allows the government to compel disclosure of stored
communications with a warrant, or notice to the customer plus a subpoena or
court order. 18 U.S.C. 2703(b)(1).

Nothing about the document suggests blanket or direct access.

------
zxcvcxz
I read this:

• (TS//SI//REL) SODAPRESSED - Linux application persistence. Given a running
installation of Linux, install some application or inject something into
memory which will. This currently works on certain versions of Linux without
SELinux enabled. [1]

Does anyone know what exploit this refers to?

[1]
[https://search.edwardsnowden.com/docs/S3285InternProjects201...](https://search.edwardsnowden.com/docs/S3285InternProjects20150117)

~~~
therein
> Title: S3285/Intern Projects

That sounds like a great internship. I thought I had cool projects when I was
interning in Silicon Valley.

~~~
vezzy-fnord
They seem to define "persistence" variously, though I think they're talking
about a rootkit in general (as opposed to checkpoint/restore). Emphasis on
hypervisors, HDD and SSD firmware and, of course, the SMM.

Given that they talk about "Linux application persistence", I'd assume it's
some kernel module rootkit. In which case, it's not that cool. The in-kernel
ABI changes a lot and basic techniques like hooking the IDT vary.

------
Noctem
I'm most excited about the collection of documents in their GitHub repo. I've
casually tried to build my own collection, but most media organizations aren't
very good about consistently providing the source documents in an easily
downloadable format.

[https://github.com/transparencytoolkit/nsa-data](https://github.com/transparencytoolkit/nsa-data)

------
robwormald
[https://search.edwardsnowden.com/docs/IHuntSysAdmins20140320](https://search.edwardsnowden.com/docs/IHuntSysAdmins20140320)

This reads like a reddit or HN post.

"Yeah, that pretty much makes sense, but how are you 'just gonna get CNE
access' on an admin?"

(S/SI//REL) Good question, thanks for asking. Most of the time I'm going to
rely on QUANTUM to get access to their account (yeah, you could try spam, but
people have been getting smarter over the last 5-10 years... it's not as
reliable anymore). So, in order to work our QUANTUM-magic on an admin, we'll
need some sort of webmail/facebook selector for them.

"You know, you _could_ just look up the 'point of contact' in the registry
information associated with their IP space/domain names..."

(S/SI//REL) Yeah, you could do that. Personally, I haven't had a huge amount
of luck with it, because most of the time I end up running across their
*official* e-mail address that's hosted on their own network. That's generally
not a recipe for success in the QUANTUM world, what we'd really like is a
personal webmail or facebook account to target. There's a couple ways you
could try this: dumpster-dive for alternate selectors in the big SIGINT trash
can, or pull out your wicked Google-fu to see if they've posted on any forums
and list both their official and non-official e-mails in a signature
block...but what if there was another way to do it?

(S/SI//REL) If a target that I care about is on a network that I don't have
access to, in this post I described that I will try to get access to that
network by targeting the sys admin. In order to target the sys admin, it's
easiest if I know what their personal webmail/facebook username is so that I
can target it with QUANTUM. The hardest part is identifying that admin's
personal account to target in the first place.

Now, fade off with me into dream-land. Pretend that we had some master list.
This master list contained tons of networks around the world, and the personal
accounts of admins for each of those networks. And any time you wanted to
target a new network, you could just find the admin associated with it, queue
his accounts up for QUANTUM, get access to his box and proceed to pwn the
network. Wouldn't that be swell?

~~~
unreal37
Yes, I was reading this too. Very interesting. Earlier in the doc, he says:

"...our ability to pull bits out of random places of the Internet, bring them
back to the mother-base to evaluate and build intelligence off of is just
plain awesome!

(S/SI//REL) One of the coolest things about it is how much data we have at our
fingertips. If we _only_ collected the data we knew we wanted...yeah, we'd
fill some of our requirements, but this is a whole world of possibilities we'd
be missing! It would be like going on a road-trip, but wearing a blindfold the
entire time, and only removing it when you're at one of your
destinations...yeah, you'll still see stuff, but you'll be missing out on the
entire journey!"

They really do have a different view of privacy. Only being given what you're
specifically seeking is like going on a trip with a blindfold on! Well, yes,
yes it is!

~~~
dTal
This, I think, is the single most damning piece of evidence regarding NSA culture.
From the horse's mouth: they collect as much data as they can, not because
they need to, but because it's interesting.

------
jhallenworld
As previously reported, the BULLRUN document is very interesting. One line
stands out to me:

"Cryptanalytic capabilities \- Are extremely difficult and costly to acquire
\- Require a long lead time "

There is a tie-in with the export law. Look at 740.17:

"(B) Other technology. Encryption technology classified under ECCN 5E002
except technology for “cryptanalytic items,” “non-standard cryptography” or
any “open cryptographic interface,” to any non-“government end-user” located
in a country not listed in Country Group D:1 or E:1 of Supplement No. 1 to
part 740 of the EAR."

They do not like "non-standard cryptography." I take from this that while it
is true that well known algorithms are the safest in terms of receiving the
most scrutiny, new less scrutinized algorithms may still offer a practical
defense.

~~~
madez
Of course they don't like unknown cryptography. It easily makes automatic
decryption impossible. That means that the NSA needed scarce expert-time for
each custom-secured communication. No agency in the world has the
resources to pull that off for many connections. That is the reason why they
love Google and Facebook, and why I stay away from these services.

But here on HN, many folks like their mantra of "security by obscurity is bad"
too much. Personally, I think many of those who repeat that didn't think for
themselves.

~~~
ohitsdom
Using unknown cryptography is not security through obscurity. If the
encryption is legit, then it's good. The problem is when you are relying
solely on obscurity without the encryption.

------
secfirstmd
This is very cool. It would be awesome if the site itself had a bit more
functionality to grow in future. Rather than be static it could be linked to
other media articles, discussions, etc. For example, new stuff being found by
XYZ virus vendor could then be linked to and discussed alongside the original
source documents. Similarly patents which are declassified, data found about people
who operated these systems on Linkedin or other leaks, suspicions could be
incorporated.

------
butler14
there's an unnervingly high degree of overlap between spying and digital
marketing

'selectors' instead of 'attributes', 'targets' instead of 'users/audiences'...
and both are terrible at using PowerPoint

the spies just have a great deal more (illegally obtained) data to play with.

~~~
crisnoble
And perhaps unwittingly, digital marketing, their databases of users and tags,
is helping to make the spying possible.

------
travjones
This is great. Mainstream media should be eating this up, but where are they?

~~~
fwn
I think it is not a good thing to write on. People feel either not interested
or helpless. Both are feelings publishers probably try to avoid.

------
jackgavigan
Interestingly, this collection of documents doesn't seem to include the list
of targeted IP addresses in Hong Kong and China that he handed over to the
South China Morning Post when he was in Hong Kong[1].

1: [http://www.scmp.com/news/hong-kong/article/1260306/edward-snowden-classified-us-data-shows-hong-kong-hacking-targets?page=all](http://www.scmp.com/news/hong-kong/article/1260306/edward-snowden-classified-us-data-shows-hong-kong-hacking-targets?page=all)

------
colinbartlett
Curious about the legalities of downloading these materials. (Not that it's
going to stop me.)

Are they technically still "classified"? Or have they been declassified? I
remember hearing threats of prosecuting NSA folks who had these materials and
weren't supposed to, even though they were already released.

~~~
rdl
The United States does not have an Official Secrets Act (UK does).

Outside of the Intelligence Identities Protection Act of 1982, if you were
never granted a clearance or read in to specific programs (you'd know; you
have to sign an NDA and such), you have no obligation to keep classified
information secret. Arguably if you gave information/support/etc. to enemies
of the US, it might be treason, but there's no need for that information to be
classified in the first place for it to be treason.

If you have had a clearance, even for unrelated stuff, you don't want to touch
these -- it can be a violation of your NDA for the other materials.

I am not a lawyer; I am not your lawyer; this is not legal advice.

~~~
d_theorist
Classification aside, these documents are still stolen, aren't they? Couldn't
a reasonable case be made that downloading them constitutes handling stolen
property?

~~~
d_theorist
Perhaps I should say 'copyright violation' rather than 'handling stolen
property'.

~~~
Karunamon
Government-produced content like this isn't subject to copyright, if I recall
correctly.

~~~
d_theorist
Looks like you are probably right:

"Usually, a work receives copyright protection as soon as pen hits paper.
However, a work created by an NSA employee, or any USG employee, as a part of
the employee's official duties is not entitled to copyright protection"[1]

[1][https://www.nsa.gov/research/tnw/tnw193/article4.shtml](https://www.nsa.gov/research/tnw/tnw193/article4.shtml)

------
rajadigopula
Find this interesting -
[https://search.edwardsnowden.com/docs/IdentityIntelligenceIm...](https://search.edwardsnowden.com/docs/IdentityIntelligenceImageisEverything)

------
relet
Isn't naming the collection after Snowden a bit unfortunate?

~~~
coldpie
How else would you identify them? The June 2013 Leaks?

------
ytdht
Could government spying be fixed, in addition to added encryption, by adding
more easily accessible (truly) anonymous access points?

~~~
spin
Isn't that the basic purpose of Tor?

~~~
ytdht
If you are using your personal device, you need to be sure that it isn't
compromised, and hasn't Tor been cracked by the government?

------
Animats
Some of this looks fake. I've been reading through the documents, and there's
little or no detail there that indicates any inside information. It's mostly
plausible management-level PowerPoint presentations.

Some not so plausible. The picture of a "network operations center"[1] is
actually a power station control room; the picture was lifted from a site for
industrial generating plants.[2] That presentation is supposedly by "Head of
GCHQ NAC", but whoever picked that picture has never been in a network
operations center.

Also, some of the "classified codewords" seem related to the subject
matter. Real NSA codewords are chosen randomly, to avoid that.

[1]
[https://search.edwardsnowden.com/docs/AutomatedNOCDetection2...](https://search.edwardsnowden.com/docs/AutomatedNOCDetection20141213)
[2] [http://www.pgsicorp.com/industrial-generators.html](http://www.pgsicorp.com/industrial-generators.html)

~~~
omeid2
I honestly don't understand how a cover photo explains anything here. Care to
elaborate?

Did you expect a real NSA Network Operations photo on a presentation? Would
that add any credibility?

------
aporetics
[http://whois.icann.org/en/lookup?name=edwardsnowden.com](http://whois.icann.org/en/lookup?name=edwardsnowden.com)

------
OmniGiraffe
[https://nsa.gov1.info/dni/nsa-ant-catalog/](https://nsa.gov1.info/dni/nsa-ant-catalog/)

------
pcf
So who exactly is leaking/presenting these? And has anything been written
about this site in the media at all?

------
webmaven
Only 459 documents?

~~~
lvs
I'm assuming that these are the curated subset of documents which have so far
been made public by media organizations to accompany articles.

