
I Hunt Sys Admins - detcader
https://firstlook.org/theintercept/document/2014/03/20/hunt-sys-admins/
======
Pitarou
TL;DR

Our target is using a network. We need access to that network. The sysadmin
has the keys to the kingdom. The sysadmin uses Facebook. Through QUANTUM
INSERT, we own anybody who uses Facebook. So we just need to figure out the IP
address of the sysadmin.

If they use unencrypted telnet we just hack the account and grab the telnet
server's IP address whitelist. With our resources and capabilities, this is so
easy that someone should write a script to automate it and do it in bulk.

If they use SSH, we do it by listening to the connection. Even though we can't
decrypt communications, we can figure out which IP addresses sysadmins are
logging in from.

But it's not just us who are hacking routers. We can also hack the hackers ...
and the rest is redacted. Shame. That would have been REALLY interesting.

~~~
greenyoda
Here's a brief description of QUANTUM, for those who are unfamiliar with it:

[https://en.wikipedia.org/wiki/Tailored_Access_Operations#QUA...](https://en.wikipedia.org/wiki/Tailored_Access_Operations#QUANTUM_attacks)

~~~
Tossrock
Jesus. There's really no way to fight it other than going full RMS, is there?
Who knows how many zero-days the NSA is sitting on for all major browsers. I
wonder if they can attack sites that implement full end-to-end HTTPS.

~~~
anonbanker
I personally consider SSL little more than a placebo at this point. Moxie
Marlinspike showed at Defcon 19[1] that SSL is easily compromisable using
upstream certificate authorities. He created Convergence[2] as a potential
solution to it. But nobody's using it.

I went full RMS in 2007. Uncomfortable at first, but it's really the only way
to stay unmonitored. Consider avoiding the gross anti-social bits of his
personality, but don't throw the baby out with the bathwater.

1. [https://www.youtube.com/watch?v=pDmj_xe7EIQ](https://www.youtube.com/watch?v=pDmj_xe7EIQ)

2. [http://convergence.io/](http://convergence.io/)

------
skue
So the NSA targets the personal online accounts and personal computers of
sysadmins who just happen to work at major network providers. These are people
who have done absolutely nothing wrong, other than being in the way of an out
of control agency.

I am so sickened, angry, and ashamed.

~~~
jauer
And this is different from spies seducing and/or blackmailing clerks how?

It may be distasteful to you but it is the traditional work of spies in
service to their country.

~~~
sentenza
What kind of question is that even? If you'd told me before the Snowden/NSA
scandal that the NSA or GCHQ were _blackmailing_ clerks, I'd have called it
spy fiction.

To my knowledge, it was only publicly proven that the Russians use these
tactics, but the US?

And now you are telling me that the NSA compromising the informational
integrity of thousands of sysadmins is not surprising since they already used
unethical TV-drama bullshit in the past?

This raises so many questions. Do you have examples of the NSA blackmailing a
clerk?

~~~
JabavuAdams
> To my knowledge, it was only publicly proven that the Russians use these
> tactics, but the US?

This is a very strange belief. I mean I prefer living under US rule to living
under Russian rule but the idea that the US has clean hands is laughable. I'm
curious -- did you grow up inside the US? I've found that perceptions from
inside the US reality-distortion bubble are very different from perceptions
even a few hundred kilometres away.

~~~
sentenza
I grew up in Germany during the 90s. Our view was that, while the US doesn't
have the figurative "clean hands" (insert vague reminiscence of some half-
knowledge about things that happened in South America), they were rather
"civilized" about things.

I DO REALIZE NOW that this was of course a distorted picture of reality, which
I think dawned on me around the time the illegal rendition/secret torture
prison affair of the CIA came to light.

However, compared to the Americans, the Russians were never _too_ discreet
about the rough practices of their intelligence agencies. This is what I was
referring to: To the current state of my knowledge (which, admittedly I did not
update with even a Google search) there are publicly known instances of the
Russians crushing private individuals by inserting HUMINT into their lives,
whereas I don't know of any example involving an American service.

Maybe this is also why the Belgacom hack was so shocking to me. I had not
previously thought that they (NSA GCHQ) would take apart some poor schmuck who
happens to work at the wrong company just to gain access.

On a more general note, to me it just seems that bringing down the power of a
governmental intelligence agency on an innocent bystander for the sake of a
"shortcut" is unethical.

~~~
JabavuAdams
Interesting. Thanks.

------
TrainedMonkey
The fact that they casually speak of logging a significant number of
connections is alarming. The SSH targeting methodology would only work if you
have the ability to monitor a significant portion of electronic communications.

Since the majority of the traffic logging capabilities of no such agency are
coming from the US itself and the few close allies we collaborate on
intelligence with*, you can estimate that the Sys Admin SSH technique is most
useful in the US itself and the aforementioned close allies. Thus I would
expect this to disproportionately affect Google as opposed to, let's say,
Baidu.

* I am making an assumption here, please let me know if it is unwarranted.

~~~
jauer
My assumption would be that most of the intercept capabilities are in Africa,
Middle East, and Southeast Asia. A lot of Africa uses (or used to use)
satellite links for internet which you'd expect to be tapped and there's
undersea cables around there that had a rash of weird breakage over the past
few years.

Incidentally, those are areas where China has a strong economic development
interest so you have another well funded government as an adversary that's
known to target routers and such.

So far as admin SSH, once you reach a certain size you generally stop letting
admins ssh in from random places and require VPNs (often with crypto tokens),
if only because it gives you an easy chokepoint to disable access when you fire
people. From what I've seen those most likely to use direct SSH or telnet are
small companies (including regional/emerging telcos) that have a handful of
people actually running things.

~~~
acqq
Google "Boundless Informant" and "Room 641A." Most of the abilities are in the
U.S. and more is collected there than in most of the countries. Why? "Because
we can."

~~~
jauer
Room 641A (and associated points around the US) are a very minor part of the
publicly known infrastructure operated by the NSA.

This is an organization that has nuclear submarines (see also SSN-23) outfitted
to tap cables and runs intercept stations (Pine Gap, Menwith Hill, etc) around
the world positioned for satcom coverage. If you can get most of what you want
from a handful of colo rooms in allied countries then why bother with
submarines, satcom stations, and satellites that spy on other satellites?

Clearly they feel that the value and scope of information gathered from
intercepting communications that take place outside of (and not crossing)
allied countries justifies the expense.

~~~
acqq
Clearly that doesn't mean that they would therefore be inclined to let the
data that they can collect in the U.S. slip through.

------
8_hours_ago
Wow.

I am completely torn between really wanting to work for the NSA because they
have the ability to do really awesome analysis like that with huge amounts of
data, and being deathly terrified. Nothing in that article should be a
surprise to me, or anyone else who can half-guess the NSA's capabilities, but
it is still shocking to read. For some reason, knowing that the NSA has
information on literally everyone stored in some database isn't that
frightening to me, but seeing specific details that they could have (and
probably do have) is very scary.

~~~
midas007
No brainer: join to move the needle in a sensible direction.

~~~
garrettgrimsley
That isn't how bureaucracies work. The parent can't join the NSA and hope to
advance if they (openly) hold views fundamentally contrary to those of their
superiors.

I believe there is a notable and recent case of how this actually plays out.
What was it? Towden? Mowden?

~~~
judk
Mr Bowden was amazingly successful at the work he did, actually.

See also Schindler's List for an example of how a contractor of the enemy can
undermine it.

~~~
vacri
As amazing as Schindler's actions were, they ultimately had little effect on
the overall scene, such was the scale of it. He fought the monster and
survived, not fought the monster and brought it low.

Schindler saved a thousand people through some pretty ballsy actions. But for
scale, the battles of Stalingrad, Leningrad, and Moscow each had total
casualty rates for both sides of 1-2 million people apiece.

~~~
lotsofcows
One man can only do his best. Every man that stood against fascism was still
only one man. And yet they won.

Also, there is some indication that Schindler sabotaged the bomb parts he made
so he saved more people than is immediately obvious.

~~~
lotsofcows
Downvote? Any clues why?

------
bdb
So, uh, does this mean that NSA has an internal LiveJournal instance?

~~~
drewcrawford
This is kind of off-topic, but I don't know where else to ask.

Have we seriously entertained using "OSS" licenses that would prevent NSA &
co. from using them?

I know Douglas Crockford has his "don't be evil" JSON license that got
everybody's knickers in a twist. And I know OSI has a nice page on why field
of use restrictions are bad.

However... I wonder if these pre-Snowden viewpoints credibly consider an
organization that uses the software community's tools to conduct targeted
attacks on that community. I mean, these documents suggest a much scarier
attack on software developers than, say, putting the Linux kernel in a TiVo or
whatever they changed in the GPLv3.

On the other hand, maybe FOU restrictions are still bad on principle. What do
you all think?

~~~
sjtgraham
Wouldn't it be futile since the federal government has sovereign immunity?
It's not as if you could sue for unlicensed use.

~~~
hobs
[http://torrentfreak.com/u-s-caught-pirating-military-softwar...](http://torrentfreak.com/u-s-caught-pirating-military-software-pays-50-million-to-settle-131127/)

It has happened as far as I can tell.

~~~
jasomill
In the US, sovereign immunity doesn't exempt the federal government or its
employees from _criminal_ prosecution, and there are statutes on the books
that explicitly waive immunity for civil cases that arise as a result of
contract disputes (among other things).

------
Intermernet
Is anyone else more disturbed at the 4chan-esque style of the author, than the
actual ramifications of the "presentation"?

It sounds like international security is being run by 10 year old wannabe
anonymous members.

Do the NSA employees really watch presentations such as this?

~~~
forgottenpass
_It sounds like international security is being run by 10 year old wannabe
anonymous members._

Yep. Replace "wannabe anonymous members" with "wannabe hardass" or "war hawk"
and you have the essence of the US approach to international relations.

So while childish language for childish actions bothers me, so does the act of
trying to class-up childish behavior with the well worn flavor of political
rhetoric that acts like whatever bullshit getting peddled is reasonable and
responsible.

I can't decide which I like less.

------
noonespecial
"Dude! Map all the networks"?... lulz?...leet?...nouns pluralized with a z?

I have seen the enemy and he is a 14 year old boy who's found his father's
(admittedly very large and scary) gun.

~~~
chippy
"I have seen George Bush and he is a stupid Texan hillbilly."

"I have seen Ronald Reagan and he is a demented old man with no brain."

----

These "jokes" appear to belittle the people with real power, in the public's
mind. It makes the people feel better. They make them appear harmless. It is a
complete mistake to do this. It helps the powerful to spread these jokes, it
does not help the people.

"oh he won't harm us, he's stupid. He wouldn't be evil, he has no brain. He
wouldn't spy on the world, he's just a kid"

~~~
BgSpnnrs
The Boris Johnson effect. :/

------
Tobu
The Intercept article (which this is from) has a lot more links and context:
[https://firstlook.org/theintercept/article/2014/03/20/inside...](https://firstlook.org/theintercept/article/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/)

------
6a68
Well, fuck you very much. This is unbelievable.

------
anonbanker
This is an excellent advertisement for:

* disabling telnet on your router

* creating 4096-bit ssh keys

* enabling ssh key-based authentication only.

* setting ssh to non-standard ports

* enabling port knocking

* using _only_ tor to check webmail

* deleting your facebook account
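The server-side and key-size items on that list can be checked mechanically. The following is an added example, not code from the thread or from OpenSSH: it parses the global section of an `sshd_config` and flags password or challenge-response logins and the default port, and it decodes `ssh-rsa` lines from `authorized_keys` to find keys shorter than 4096 bits. The sample config text and the key lines are constructed for the demo; the "keys" are correctly encoded public-key blobs with moduli of the right bit length, not real key pairs.

```python
"""Audit sshd_config and authorized_keys against the hardening checklist."""
import base64
import re
import struct


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Keywords are case-insensitive and sshd honours the FIRST occurrence of a
    keyword, so a later "hardened" line does not override an earlier weak one.
    Match blocks are conditional and are not audited here (parsing stops there).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config passes."""
    cfg = parse_sshd_config(text)
    findings = []
    # Fallbacks are OpenSSH's defaults: password and challenge-response
    # authentication are on unless disabled, and the port is 22.
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    interactive = cfg.get("kbdinteractiveauthentication",
                          cfg.get("challengeresponseauthentication", "yes"))
    if interactive.lower() != "no":
        findings.append("challenge-response/keyboard-interactive auth is not 'no'")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if cfg.get("port", "22") == "22":
        findings.append("sshd listens on the default port 22")
    return findings


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    # Big-endian, with a leading zero byte when the top bit is set (RFC 4251).
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pubkey_line(e, n, comment):
    """Encode (e, n) as an OpenSSH 'ssh-rsa' public-key line (used for test data)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def rsa_pubkey_bits(line):
    """Modulus size in bits of an 'ssh-rsa' line; None for other key types.

    Lines with a leading options field ("from=...,no-pty ssh-rsa ...") are not
    handled, which is a simplification of this demo.
    """
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    blob = base64.b64decode(fields[1])
    strings, off = [], 0
    while off < len(blob):                       # blob = string "ssh-rsa", mpint e, mpint n
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        strings.append(blob[off:off + length])
        off += length
    if len(strings) != 3 or strings[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(strings[2], "big").bit_length()


def audit_authorized_keys(text, min_bits=4096):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        bits = rsa_pubkey_bits(line)
        if bits is not None and bits < min_bits:
            findings.append("line %d: %d-bit RSA key, want >= %d" % (lineno, bits, min_bits))
    return findings


# Constructed sample configs: the weak one beside the hardened one.
WEAK_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""
HARDENED_SSHD_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
"""
# Constructed moduli with the right bit length; these are NOT real RSA keys.
WEAK_KEYS = make_rsa_pubkey_line(65537, (1 << 2047) | 1, "laptop-2048") + "\n"
STRONG_KEYS = make_rsa_pubkey_line(65537, (1 << 4095) | 1, "laptop-4096") + "\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
    print("keys", audit_authorized_keys(WEAK_KEYS + STRONG_KEYS) or "OK")
```

Run it against a real host with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the first-occurrence rule in `parse_sshd_config` matters in practice, because a weak line left near the top of a distribution default file silently wins over a hardened block appended later.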

------
grrowl
If this is true, we can assume the computers of all but the very most careful
and dutiful admins have been pwned. I'm flabbergasted even looking at my own
laptop, the element of trust in any of my own hardware is gone.

------
conover
It occurs to me that judges, members of congress, law enforcement officials,
etc. could be considered "sys admins" in a sense.

------
Wyrmkill
Who else feels like they just read an excellent spy novel, but that maybe it
was a little over the top in conspiracy zealotry.

Only to find out at the end, it's all been real and the people with the tin
foil hats aren't really that far off base.

------
codezero
Is there any TCP implementation that will notice receiving multiple disparate
replies (containing different data)?

Basically, is there any way to know that you are being targeted?

~~~
e12e
You could presumably log some such packets in iptables -- but that assumes you
actually receive duplicate packets. If NSA owns a router _between_ you and the
target for spoofing, there's no reason that router needs to relay the "correct"
packet. I know a lot of the text on these attacks states something along the
lines of "replies before the legitimate packet arrives" -- I'm just not
certain it's that simple in practice.

edit: This might be of interest:

[http://ask.wireshark.org/questions/8490/tcp-retransmission-i...](http://ask.wireshark.org/questions/8490/tcp-retransmission-is-detected-instead-of-a-duplicate-ip-packet)

edit2: Perhaps a logging dns resolver (to track "strange" ip changes) coupled
with an iptables rule that uses conntrack and logs INVALID packets is a start?
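The detection idea in the question and the caveat in this reply can be made concrete. What follows is an added example, not code from the thread: it keeps the payload-bearing segments of each TCP flow and raises an alert when a later segment overlaps an earlier one's sequence range with different bytes. A genuine retransmission repeats the same bytes at the same position and is ignored; a reply that races the real server contradicts it. A TTL change between the two copies is recorded as a supporting heuristic only. As the reply above notes, this only works when both copies actually reach the host; an on-path box that drops the real packet leaves nothing to compare. The `Segment` records below are constructed sample data using documentation address ranges; in practice they would come from a packet capture.

```python
"""Flag TCP segments whose bytes contradict an earlier segment of the same flow."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # absolute sequence number of payload[0]
    ttl: int        # IP TTL as received; a heuristic signal, not proof
    payload: bytes

    @property
    def flow(self):
        return (self.src, self.sport, self.dst, self.dport)


def overlapping_bytes_differ(a, b):
    """True if a and b cover a common sequence range with different contents.

    Sequence-number wraparound is ignored in this demo.
    """
    start = max(a.seq, b.seq)
    end = min(a.seq + len(a.payload), b.seq + len(b.payload))
    if start >= end:
        return False                     # no shared byte range at all
    return a.payload[start - a.seq:end - a.seq] != b.payload[start - b.seq:end - b.seq]


def find_divergent_segments(segments):
    """Return (earlier, later, notes) for every segment contradicting an earlier one."""
    history = defaultdict(list)          # flow -> payload-bearing segments seen so far
    alerts = []
    for seg in segments:
        if not seg.payload:
            continue                     # pure ACKs carry nothing to compare
        seen = history[seg.flow]
        for earlier in seen:
            if overlapping_bytes_differ(earlier, seg):
                notes = []
                if earlier.ttl != seg.ttl:
                    notes.append("ttl changed %d -> %d" % (earlier.ttl, seg.ttl))
                alerts.append((earlier, seg, notes))
        # Exact duplicates (retransmissions) are not stored twice, so a later
        # contradiction is reported once per distinct earlier segment.
        if not any(e.seq == seg.seq and e.payload == seg.payload for e in seen):
            seen.append(seg)
    return alerts


# Constructed sample exchange (192.0.2.0/24 and 198.51.100.0/24 are documentation
# ranges): one request, the real reply, a retransmission of it, and a racing
# reply carrying different bytes at the same sequence position.
OK_REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
INJECTED = b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"
SAMPLE = [
    Segment("192.0.2.10", 51234, "198.51.100.20", 80, 5000, 64, b"GET / HTTP/1.1\r\n\r\n"),
    Segment("198.51.100.20", 80, "192.0.2.10", 51234, 1000, 52, OK_REPLY),
    Segment("198.51.100.20", 80, "192.0.2.10", 51234, 1000, 52, OK_REPLY),   # honest retransmission
    Segment("198.51.100.20", 80, "192.0.2.10", 51234, 1000, 61, INJECTED),   # contradicting copy
]

if __name__ == "__main__":
    for earlier, later, notes in find_divergent_segments(SAMPLE):
        print("flow %s: seq %d seen with different bytes %s"
              % (later.flow, later.seq, "; ".join(notes) or "(same ttl)"))
        print("  first :", earlier.payload[:20])
        print("  second:", later.payload[:20])
```

This complements the conntrack idea in edit2 rather than replacing it: `-m conntrack --ctstate INVALID` catches segments outside the expected window, while a racing reply that lands inside the window is valid as far as conntrack is concerned and only shows up when its bytes are compared with the other copy.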

------
mixologic
They're so gleeful about it all. Wow.

~~~
chippy
They are techies just like you reading this comment, and they believe that
what they are doing is Right and Good.

------
GBond
From the context of this, it sounds like this QUANTUM system has impacted way
more than the reported 100,000 computers around the world.

~~~
lunixbochs
The post said "queue them up for QUANTUM", which implies there are still
actions to be done before it's usable.

~~~
nls
In my opinion, it implies that QUANTUM has a queuing system.

------
peterbotond
an alternate link from cryptome: [http://cryptome.org/2014/03/nsa-hunt-sysadmins.pdf](http://cryptome.org/2014/03/nsa-hunt-sysadmins.pdf)

------
midas007
Would really like to see the unredacted cookbook for hacking routers. :)

~~~
Anthony-G
At first reading, I thought the redacted part was about how to tell if _your_
router was compromised but on closer reading, it looks like it covers routers
owned by others that the NSA have cracked but they want to know if the Chinese
or anyone else has done the same.

~~~
midas007
So probably not Diodes then.

It's interesting how this boils down to existing malware strategies but
with a how to. They're probably not going to type this stuff up in a wiki
anymore going forward, shift to in-person training and word-of-mouth.

------
GamboMama
Are there really companies out there where sysadmins are allowed to use i-Diot
or W-inDiot products on non-free hardware?

I like the NSA, because they show the world how stupid most computer users and
especially the "geeks" are that do not see how ridiculous it is to show off a
big apple logo on a speaker desk.

I-diots are always the problem.

~~~
anonbanker
>> products on non-free hardware.

So how long have you been an exclusive Lemote Yeelong user?

------
josh-wrale
As a sysadmin, I try to skip articles whose text is hidden because I have
NoScript enabled. Cheers! :)

------
eps
I call fan fiction.

This is too many words for inherently trivial ideas that are all based on the
magic assumed already to be in place and readily available. But mostly it's
the tone and triviality of what's being discussed. It's all a script-kiddie
level.

~~~
chippy
I find your view interesting. It's one shared by many people. It's almost a
misconception, a mistake which actually helps those with the real power.

These are the questions that this brings up, which I find interesting.

What makes us think that techies in government departments are different from
techies in other places?

What makes us think that pictures of kittens and internet memes are only
acceptable for open source freedom hackers, and not people working for the
government and private companies?

What makes us think that the internal messaging systems of secret
organisations should not be trivial, human and sharing humour?

What makes us think that if someone thinks they are helping and protecting
their country in their mind that they are morally wrong and have a criminal
personality (James Bond Villain) because they are systematically abusing the
law?

------
rblatz
This site is completely unusable on mobile. Does anyone have a second source?

~~~
intslack
[https://firstlook.org/theintercept/article/2014/03/20/inside...](https://firstlook.org/theintercept/article/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/)

[https://s3.amazonaws.com/s3.documentcloud.org/documents/1094...](https://s3.amazonaws.com/s3.documentcloud.org/documents/1094387/i-hunt-sys-admins.pdf)

~~~
Stwerp
Thank you for posting the PDF link. For the life of me, I have NO IDEA why
sites still try to push hacked together PDF viewers on us when there are tools
already on my system. I really thought this site was just broken.

------
qzwxecrvtb
can they find me if I don't have a job title? hm...perhaps this also explains
why I was photoshopped out of the team photo...

------
FLUX-YOU
Good to know the NSA is a fan of Allie Brosh.

------
frankydp
This is a beautiful troll. If only sipr and jwics comms were so hilarious, and
on the same network.

------
ForHackernews
TL;DR: Never use Telnet for anything.

~~~
Pitarou
TL;DR Never use anything for anything.

These guys make the "professional" hacker gangs look like a bunch of clueless
amateurs.

~~~
trolleyed
They have resources, though every technique in this paper is very simple.
There are some incredibly talented people out there, and not all of them work
for the NSA.

~~~
Pitarou
I quite agree. Ultimately, it's all about the resources. Their budget is more
than half that of NASA.

The "simple" techniques are enabled by some very sophisticated backend stuff
that is just taken for granted in these slides.

