Black ops: how HBGary wrote backdoors for the government - jayro
http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars

======
metachris
This is a _really_ good article after reading through thousands of emails. It
also provides good insights into the bigger picture, and what kind of
fascinating glimpse this email leak provides in to a secretive industry.

I'm glad this whole thing has happened.

~~~
iuguy
Please don't think that the information security industry (or penetration
testing or malware niche) in general is like this. While many firms have
relationships with defence contractors, the local military and intelligence
agencies, we're not all writing undetectable rootkits and exploit code for
commercial gain. I would say the actions disclosed in the very well written
article (in a series of very well written articles) highlight one of a subset
of security firms. I'm loath to use the Enron-esque "bad apples" description,
because the truth is I just don't know, but I suspect that such actions are
limited to a minority of firms.

~~~
plastics
Considering the amount of money governments are willing to spend on rootkits
as compared to more benevolent activities, I suspect that these companies
won't stay a minority for long.

------
bane
The more I hear about the HBGary story, the more concerned I get with their
business partners at Palantir and Berico. This can't be the bottom of the
rabbit hole.

Apparently both companies are deep into fighting the war on terror, are they
seriously pursuing business against U.S. citizens?

~~~
rdtsc
You are probably right.

Always follow the money. The government is concerned about "cyber-security
type things" and there will be no end of shady and less-shady firms willing to
charge millions of dollars for providing whatever the government thinks it
wants (which is probably not what it needs).

And as you pointed out these firms don't operate in a vacuum, they form
networks. They compete with each other but also look for a possible strategic
partnership if one comes along.

The real key is to recruit someone who retired from the military or from one
of the 3-letter-agencies. (At least ask them to serve on the board). Just that
right there nets you an enormous amount of projects. You thought big
enterprise runs on golf-ware, but big government projects also run on friend-
ware and friend-of-a-friend-ware. It is very much an incestuous family.

~~~
emit_time_n3rgy
Case-in-point: "For eight years, government officials turned to Dennis
Montgomery, a California computer programmer, for eye-popping technology that
he said could catch terrorists. Now, federal officials want nothing to do with
him and are going to extraordinary lengths to ensure that his dealings with
Washington stay secret."
[https://www.nytimes.com/2011/02/20/us/politics/20data.html?_...](https://www.nytimes.com/2011/02/20/us/politics/20data.html?_r=2)

------
plnewman

      "I got this word doc linked off a dangler site for Al Qaeda peeps"
    

I find his choice of words there to be rather amusing.

~~~
rdtsc
> Al Qaeda peeps

Interesting that these people brainwashed themselves and believe there are
actually lots of Al Qaeda operatives out there hiding in the bushes,
researching methods to kill their victims using fecal matter. These are the
kinds of people who get lots of government money for "security" related
projects...

~~~
iuguy
No doubt Al Qaeda were researching a biological weapon based on Jenkem ;) -
<http://en.wikipedia.org/wiki/Jenkem>

~~~
rdtsc
Clearly we need to be worried and perhaps we should even phone our
representatives and ask them to increase anti-terrorism and DoD funding.

------
btilly
Does anyone know whether Anonymous got all of the 0-day exploits discussed? If
so, does anyone know what they are planning to do with them?

~~~
trotsky
Having slides claiming ownership of exploits is a very long way away from
having the exploits themselves. Such a commodity has substantial financial
value - if an intruder came upon them they'd be unlikely to publicly announce
their existence but not release them.

It's possible such exploits don't exist, are misrepresented or were never in
HBGary's possession. Exploits have a shelf life that degrades as other actors
are likely to discover the same bug, maybe 6-18 months in general wisdom. But,
it is always possible to claim you have a private cache and then buy them
if/when they are needed.

~~~
poet
It's possible that it is all a work of fiction, but Greg Hoglund is an
accomplished security researcher. It's certainly a realistic scenario that
Hoglund discovered them himself, or purchased them from someone else if he
didn't have time for the vulndev. That being said, if it is fiction it
wouldn't be the first time a contractor misled the government about
competency.

~~~
trotsky
I agree with you, it's not that I'm trying to say the whole thing is a work of
fiction, just that things are often (partially) misrepresented. I believe the
breadth of the claimed in house and unused code is unusual, but certainly not
impossible. There seem to be a lot of people who attempt to sell/broker
other people's code that they aren't in possession of (since IP protections in
these cases are non-existent).

Regardless, it seems anon got a SQL dump, root on a web server and a ticket
box, and a google apps admin account - these aren't the types of places
marketable vulnerabilities are usually kept.

~~~
btilly
Anon got more than that. Anon got passwords that got reused. I would be
shocked if they did not poke around the network more to see where those
passwords would go, and (given that passwords were reused where they shouldn't
have been) I would not be surprised if there were some more interesting
places that they got into.

------
henryw
So the whole thing about plugging something into your computer port (firewall,
etc) to gain complete control like in the movies is true.

~~~
marshray
Yes there are two pieces of uber-secret space alien technology Microsoft
included in Windows at the behest of the NSA called "autorun" and "plug and
play".

 _Windows installs a Plug and Play device and its driver automatically._
[http://www.microsoft.com/resources/documentation/windows/xp/...](http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/pnp_driver_support.mspx)

~~~
barrkel
Well, there's a piece of Apple-championed technology, FireWire, which doesn't
care what OS you're running because it has a direct path to the DMA controller,
and can read and write physical memory.

~~~
epochwolf
This is not true. OS X locks down the FireWire ports to protect system memory.
I am not sure exactly how this works, but I believe it's firmware/driver
dependent and Windows usually lacks the drivers to force the firmware into a
protected mode. FireWire having direct access to the system RAM is not a
requirement of the 1.0 spec; it's a stupid implementation decision by chip
designers.

~~~
barrkel
It must have done it pretty recently then, because it's been vulnerable to
this for a very long time.

------
Darmani
I wonder if the "technology to carry payloads through USB drives" was used in
Stuxnet?

~~~
kgtm
The highly sophisticated _autorun_ technology? Shrugs.

~~~
PostOnce
Is USB autorun not enabled by default in XP? I tried getting some stuff to
autorun from a thumbdrive and I never did get it working.

~~~
wipt
Microsoft recently patched that so it's no longer the default action.

------
chipsy
The best part of the article is the obvious sockpuppet in the comments. Same
format I saw among many paid stock bashers: Buddy up with the emoticons, claim
little, suggest a lot.

------
scottbessler
Wouldn't researching and discovering 0-day vulnerabilities be treading close
to DMCA violations and/or cybercrime laws? I don't see why this information
isn't causing Microsoft and/or the Government to go on the offensive legally
against the likes of HBGary.

~~~
daeken
I can't speak to any cybercrime laws (I'm simply not familiar enough with
them), but the DMCA 1) only applies to mechanisms which protect copyright,
and 2) has very explicit exemptions for the purpose of security research,
among other things.

~~~
marcinw
Not to mention, government TLAs do their own "research."

------
yaix
Has anybody tried a "grep stuxnet" on the email messages? Or is the Torrent
still up? Then I could try it myself.

------
tectonic
All of this reminds me of Daemon.

~~~
bobds
[http://en.wikipedia.org/wiki/Daemon_%28technothriller_series...](http://en.wikipedia.org/wiki/Daemon_%28technothriller_series%29)

Came up as the third result for "daemon" on Google. There's a lot I don't like
about Google, but sometimes it just works.