
Canada's 'secret spy agency' is releasing a malware-fighting tool to the public
http://www.cbc.ca/news/technology/cse-canada-cyber-spy-malware-assemblyline-open-source-1.4361728
======
jordigh
The main repo seems to be here:

[https://bitbucket.org/cse-assemblyline/assemblyline/src](https://bitbucket.org/cse-assemblyline/assemblyline/src)

Released under the MIT license with crown copyright. Looks like a plain ol'
Flask application. I don't know what I was expecting from the government.
Maybe more Microsoft and more Oracle, more "enterprise". And the git history
goes back ten months with an initial commit of December 21, 2016.

I'm actually surprised to learn that CSE would be in charge of such a thing. I
would have thought that this fell under the role of the Canadian Security
Intelligence Service. We definitely don't hear a lot about CSIS or CSE in the
news to the point that I think most Canadians might have a hard time expanding
those acronyms or know what they mean. It's good to see a little more
transparency from them and to not have to wait for NSA leaks to figure out
what their Canadian counterparts are up to.

~~~
52-6F-62
CSE is comparable to America's NSA in general function and scope. While CSIS
does intelligence work with computers and hires a lot of programmers and
analysts, CSE is traditionally the more technologically focused of the two.
You also hear _significantly_ less about it than even CSIS.

They're good at their jobs.

edit: Spelling. They changed it from CSEC to CSE

~~~
canistr
More like they changed it "back" to CSE. :)

------
stephengillie
> _Assemblyline is described by CSE as akin to a conveyor belt: files go in,
> and a handful of small helper applications automatically comb through each
> one in search of malicious clues. On the way out, every file is given a
> score..._

This sounds like it could sit nicely between Github and CI
(Jenkins/Travis/Circle/etc), and be a pre-integration security scan. Can we
name it Sherlock?

~~~
KGIII
Mountie might be better.

~~~
mberger
How about Canadian Shield? CanShield?

~~~
52-6F-62
Chad Kroeger. Nobody would ever come near it again.

~~~
SuperPaintMan
Rude.

------
danesparza
Is it just me, or is it amazing that they're releasing this for free? Even
Canadian SPY organizations are friendly!

~~~
rphlx
A cynic, and perhaps a realist, could consider their motivation to be fairly
similar to that of a private blackhat attempting to purge _foreign_ malware on
hosts that they own, or may want to own. Exclusive control being always
preferable to competing control.

I'd be far more impressed and grateful if these state services released
disclosures and actual patches for complex zero-day vulns, particularly in
unmaintained, widely deployed closed-source products such as WinXP. 8-Ball
says that is 'Unlikely' though.

~~~
kaybe
I don't think I trust foreign intelligence agencies enough to install their
software on my devices.

Sure, they probably also release stuff not under their name and not open, but
still.

------
a1371
I didn't find my answer, so I just have one question: does it send any "usage
stats" or "unknown files" back to them? If your computer establishes any kind
of connection with their center it wouldn't be only something for the public,
they'd also benefit.

That isn't necessarily a bad thing but seems important enough to be discussed.

~~~
crimsonalucard
Doubt it. That'd be too obvious.

------
EGreg
Interesting, Kaspersky is constantly maligned for simply being USED by Russian
spy agencies, or "having associations with" them. Russia and China now demand
audits of security software from the USA. Countries build their own national
Linuxes now that Windows phones home all your passwords, for the CIA and NSA
to easily backdoor or get via an order.

So, why would anyone trust a spy agency's software? Only if it's all open
source.

~~~
e1ven
It's MIT license, and the repo seems to have full history.

~~~
bfred_it
That doesn’t mean that the binaries match the repo content.

~~~
gnode
Does it even have binaries? It's a Python app, isn't it?

------
ktta
Looks like they use Binary Ninja too.

[https://bitbucket.org/cse-assemblyline/alsvc_binja](https://bitbucket.org/cse-assemblyline/alsvc_binja)

------
BenoitEssiambre
Is this just a pond or do they have an actual moat around the building?

~~~
peeters
Just a pond and wide angle:

[https://www.google.ca/maps/@45.4325043,-75.6175154,97a,35y,1...](https://www.google.ca/maps/@45.4325043,-75.6175154,97a,35y,13.51h,67.75t/data=!3m1!1e3)

------
dddddaviddddd
What does it actually do?

~~~
hk__2
The article says:

> … files go in, and a handful of small helper applications automatically comb
> through each one in search of malicious clues. On the way out, every file is
> given a score, which lets analysts sort old, familiar threats from the new
> and novel attacks that typically require a closer, more manual approach to
> analysis.
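
To make that conveyor-belt description concrete, here is a toy scanning pipeline in Python. This is an added example written for this page, not Assemblyline's code and not anything posted in the thread: a few small "services" each look at a file's bytes and emit tagged findings with a score, the pipeline sums them, and a triage step separates hash-matched familiar files from unmatched high scorers. Every heuristic, weight, threshold, service name and sample file below is an assumption made for illustration.

```python
"""Toy 'conveyor belt' scanner (constructed example, not Assemblyline's own
code). Each service inspects a file's bytes and yields tagged findings with a
score; the pipeline sums them and triages the result. All heuristics,
thresholds and sample files are assumptions made for illustration."""
import hashlib
import math
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    service: str
    tag: str
    score: int


@dataclass
class Result:
    sha256: str
    findings: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(f.score for f in self.findings)


def svc_filetype(data: bytes):
    """Magic-byte identification; native executables get a small baseline."""
    if data.startswith(b"MZ"):
        yield Finding("filetype", "pe", 10)
    elif data.startswith(b"\x7fELF"):
        yield Finding("filetype", "elf", 10)
    elif data.startswith(b"%PDF"):
        yield Finding("filetype", "pdf", 0)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def svc_entropy(data: bytes, threshold: float = 7.2):
    """Packed or encrypted payloads look close to random (threshold assumed)."""
    h = shannon_entropy(data)
    if h > threshold:
        yield Finding("entropy", f"high_entropy:{h:.2f}", 50)


# (pattern, tag, score): strings that are rarely benign; weights are assumptions.
SUSPICIOUS = [
    (re.compile(rb"powershell(\.exe)?\s+-(e|enc|encodedcommand)\b", re.I),
     "encoded_powershell", 300),
    (re.compile(rb"\bCreateRemoteThread\b"), "api:CreateRemoteThread", 100),
    (re.compile(rb"/JavaScript\b"), "pdf_javascript", 50),
    (re.compile(rb"https?://[^\s\"'<>]{8,}"), "url", 5),
]


def svc_strings(data: bytes):
    for rx, tag, score in SUSPICIOUS:
        if rx.search(data):
            yield Finding("strings", tag, score)


# Stand-in for a hash reputation feed; the single entry is constructed for the demo.
KNOWN_BAD = {hashlib.sha256(b"constructed known-bad sample").hexdigest()}


def svc_hashes(data: bytes):
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD:
        yield Finding("hashes", "known_bad", 1000)


SERVICES = [svc_filetype, svc_entropy, svc_strings, svc_hashes]


def scan(data: bytes) -> Result:
    """Run every service over the file and collect the findings."""
    result = Result(sha256=hashlib.sha256(data).hexdigest())
    for svc in SERVICES:
        result.findings.extend(svc(data))
    return result


def triage(result: Result, high: int = 300, review: int = 50) -> str:
    """Hash-matched files need no analyst time; unmatched high scorers are
    the novel ones worth a manual look. Thresholds are assumptions."""
    if any(f.tag == "known_bad" for f in result.findings):
        return "known"
    if result.score >= high:
        return "novel:high"
    if result.score >= review:
        return "novel:review"
    return "low"


# Constructed sample files, one per behaviour the services are meant to catch.
SAMPLES = {
    "benign_pdf": b"%PDF-1.4\nHello, analyst. Nothing to see here.\n",
    "dropper": (b"MZ" + b"\x00" * 64
                + b"cmd /c powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0A"
                + b" https://example.invalid/payload.bin"),
    "packed": b"MZ" + bytes(range(256)) * 8,   # uniform bytes: entropy ~8.0
    "known_bad": b"constructed known-bad sample",
}


def run_samples() -> dict:
    """Map sample name -> (score, triage verdict, finding tags)."""
    out = {}
    for name, data in SAMPLES.items():
        r = scan(data)
        out[name] = (r.score, triage(r), [f.tag for f in r.findings])
    return out


if __name__ == "__main__":
    for name, (score, verdict, tags) in run_samples().items():
        print(f"{name:10} score={score:5} {verdict:13} {tags}")
```

The design point is that services are independent and additive: a new analyser is one more generator in `SERVICES`, and nothing downstream has to know what it looks for, only how much weight its tags carry. A real deployment would also cache results by hash so a file seen once never re-enters the belt.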

------
3pt14159
This is the first major commit where they pulled in the existing codebase
almost a year ago:

[https://bitbucket.org/cse-assemblyline/assemblyline/commits/...](https://bitbucket.org/cse-assemblyline/assemblyline/commits/ef004b6bd7d24ee5a2664e62251092817db7eec2?at=master#chg-al/common/security.py)

Couple interesting bits:

1\. Bcrypt looks trusted. I guessed as much given that I've seen it used in
other GC projects that were "Protected B" (think Revenue Canada / similar).

2\. It doesn't look like they enabled HSTS by default until a couple months
later in the repo:

[https://bitbucket.org/cse-assemblyline/assemblyline/commits/...](https://bitbucket.org/cse-assemblyline/assemblyline/commits/d874f39dd46185bc61680076e226acd555c1ffbd)

Again, unsurprising since the CSE / CST main page doesn't have HSTS.

3\. This part of the original version of the README is interesting:

<README SNIPPET>

#### License (or lack thereof) and Conditions of use

As is fairly evident, we haven't selected a license for this project as of
yet. As discussed when members were first granted read access to the
repository, dissemination is based on the premise of originator controlled. If
you feel there are other partners that would benefit from an early view and
would be able to contribute, please contact the project leads and we should be
able to sort it out.

We will soon be splitting the platform and services into two separate repos,
so please treat the services as slightly more sensitive than the platform
itself, i.e. release it and perish!!! ... but seriously, we do not grant anyone
the right to do anything other than deploy the platform and use it. No
sharing, presenting, etc without our knowledge.

We hope to have a clear release plan soon.

</README SNIPPET>

So it looks like they passed it around a bit either internally in the CSE or
to a wider audience that may have included other departments. Probably getting
more eyes on it to stop something stupid from going out.

4\. There are some fun little commits like this:

[https://bitbucket.org/cse-assemblyline/assemblyline/commits/...](https://bitbucket.org/cse-assemblyline/assemblyline/commits/7907b5c217cfea5627d9dcf69d1080b7c2d66c30?at=master)

Or this (adding the French version is always one of the last steps before
something goes public):

[https://bitbucket.org/cse-assemblyline/assemblyline/commits/...](https://bitbucket.org/cse-assemblyline/assemblyline/commits/f51059f010bb2a87682112ea7d6817e957bcf029)

Or this (we've all been there):

[https://bitbucket.org/cse-assemblyline/assemblyline/commits/...](https://bitbucket.org/cse-assemblyline/assemblyline/commits/fe8d98795939aaa29fe60aad9aa1bcb4dc3ad957)
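
Since the comment above notes that HSTS was not enabled in the Flask app until a later commit, here is an added example of the two halves of that fix: setting the header at the WSGI layer and auditing a response for it, so a missing or weak header is caught by a test instead of by someone reading the repo. This is my own illustration, not Assemblyline's code; the dummy app, the one-year `max-age`, the `check_hsts` problem strings and the fake request helper are all assumptions. Stdlib only, no Flask needed to run it.

```python
"""Added example (not Assemblyline's code): set Strict-Transport-Security in a
WSGI wrapper and audit a response's headers for a usable HSTS policy.
The dummy app, the default max-age and the problem strings are assumptions."""

HSTS_MAX_AGE = 31536000  # one year; the preload list requires at least this


def hsts_value(max_age: int = HSTS_MAX_AGE, include_subdomains: bool = True,
               preload: bool = False) -> str:
    parts = [f"max-age={int(max_age)}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


class HSTSMiddleware:
    """Wrap any WSGI app (Flask's app.wsgi_app included) and add HSTS to every
    response served over HTTPS. Browsers ignore HSTS received over plain HTTP,
    so it is not emitted there; an app-supplied header is left untouched."""

    def __init__(self, app, value: str = None):
        self.app = app
        self.value = value or hsts_value()

    def __call__(self, environ, start_response):
        def sr(status, headers, exc_info=None):
            if environ.get("wsgi.url_scheme") == "https" and not any(
                    k.lower() == "strict-transport-security" for k, _ in headers):
                headers = list(headers) + [("Strict-Transport-Security", self.value)]
            return start_response(status, headers, exc_info)
        return self.app(environ, sr)


def parse_hsts(value: str) -> tuple:
    """Return (max_age, include_subdomains, preload); ValueError if malformed.
    Unknown directives are ignored, as RFC 6797 requires."""
    max_age, subs, preload = None, False, False
    for directive in value.split(";"):
        d = directive.strip()
        if not d:
            continue
        name, _, arg = d.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            if max_age is not None:
                raise ValueError("duplicate max-age")
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            max_age = int(arg)
        elif name == "includesubdomains":
            subs = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, subs, preload


def check_hsts(headers: dict, min_age: int = HSTS_MAX_AGE) -> list:
    """Audit response headers; returns a list of problems (empty means fine)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["missing Strict-Transport-Security"]
    try:
        max_age, subs, preload = parse_hsts(value)
    except ValueError as e:
        return [f"malformed header: {e}"]
    problems = []
    if max_age < min_age:
        problems.append(f"max-age {max_age} below {min_age}")
    if preload and not subs:
        problems.append("preload requires includeSubDomains")
    return problems


def demo_app(environ, start_response):
    """Stand-in for the real Flask app (assumption)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app, scheme: str) -> tuple:
    """Drive a WSGI app with a constructed request; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    for scheme in ("https", "http"):
        _, hdrs, _ = call(HSTSMiddleware(demo_app), scheme)
        print(scheme, hdrs.get("Strict-Transport-Security"), check_hsts(hdrs))
```

One caveat a practitioner will hit: behind a TLS-terminating proxy the app sees `wsgi.url_scheme` as `http` unless the proxy's forwarded-scheme header is trusted (Werkzeug's ProxyFix does this for Flask), in which case the middleware above correctly sends nothing and the site silently has no HSTS. That is exactly the failure `check_hsts` is there to catch in a deployment test.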

~~~
52-6F-62
Lol. I don't know if you clicked the username, but it's appropriate:
[https://bitbucket.org/sgaron-cse/](https://bitbucket.org/sgaron-cse/)

~~~
3pt14159
Yeah, of course, haha :)

------
crimsonalucard
Chances are there's some really really obscure security hole in the app that
they hope to exploit sometime in the far future. I'm telling you.

~~~
bonestamp2
Or hoping someone will fix and submit a pull request.

------
ulises314
First OpenBSD and then this, Canada is like the promised land for security
minded people!

------
bane
How's this compare with things like Laika BOSS or mitre's multiscanner?

------
lpgauth
Bilingual README!

~~~
ape4
It's a Canadian government rule that even URLs have to be bilingual, e.g. you
can't have [http://host.ca/news](http://host.ca/news) (with bilingual text on
the page); it has to be
[http://host.ca/news_nouvelles](http://host.ca/news_nouvelles). This is only
for federal government sites.

~~~
8note
I'm surprised there isn't a separate copy of all the code in French, or at
least the code comments

~~~
52-6F-62

        // En français, s'il vous plaît
    
        fonction commencer(état) {
          si (état !== nonDéfini) {
            laisser nouveauChaîne = `Bonjour, ${état}`;
            faire {
               console.journal(nouveauChaîne);
               piraterTousLesSystèmes();
            } tandisQue (systèmesSontDébloqués())
          } autre {
            merde(`partout`);
          }
        }
    
        // Commencer!
    
        commencer(`L'état du Brésil`);
    
        // Bon.

~~~
rapind
I'd like to see the code for `piraterTousLesSystèmes`

------
eslachance
We're sorry we didn't come up with it sooner, eh?

