
NSA Exposes Tool Used by Russian Hackers - rbanffy
https://www.bloomberg.com/news/articles/2020-05-28/national-security-agency-exposes-tool-used-by-russian-hackers
======
kennxfl
Most intriguing part of the story is the new ability of governments to call
each other out, the deterioration of diplomatic tone and language whereby
nation states would never explicitly attack each other verbally. Since the
controversy with Iran, foes have been more like five year olds in their
criticism of each other. I'm sure everyone is aware of the mutually assured
destruction brought forth by conflict (no one really wants a war), but none of
these leaders are willing to back down at any cost.

~~~
mehrdadn
I'm not sure openly calling out other countries like this is really new. See
for instance [1]:

> By 1987, the Soviets began to sour on the campaign as Moscow’s scientific
> establishment rebuked it. Secretary of State George P. Shultz also accused
> Mikhail S. Gorbachev, who was then the leader of the Soviet Union, with
> hawking “bum dope about AIDS.” Mr. Gorbachev ordered the K.G.B. to stop
> spreading the conspiracy theory and after the collapse of the bloc, former
> Soviet intelligence officials owned up to it.

[1] [https://www.nytimes.com/2017/12/12/us/politics/russian-disin...](https://www.nytimes.com/2017/12/12/us/politics/russian-disinformation-aids-fake-news.html)

~~~
DiogenesKynikos
Ironic that nowadays the US government is the one promoting conspiracy
theories about a pandemic. Even the theory is almost exactly the same: that
the virus comes from a lab.

~~~
kspacewalk2
You're talking about the assertion that the virus spread from an accidental
contamination at a lab in Wuhan. It is crossing into conspiracy theory
territory to believe the assertion without proof. However, the theory itself
is completely reasonable and sound. This is an unproven claim; a conspiracy
theory is something different.

~~~
DiogenesKynikos
The theory is just as "reasonable" as the Soviet misinformation about HIV was.
That is, not at all. It's a wildly implausible assertion that there's no
evidence for.

People outside of labs are exposed to bat coronaviruses all the time. The
chances that one of a very small number of highly trained researchers working
according to strict protocols was patient zero - as opposed to the millions of
regular people who come into contact with bat coronaviruses with absolutely no
protection or training - is minuscule.

Just like the Soviet misinformation in the 1980s, the theory can't be
disproven right now, in exactly the same way that any other malicious
accusation made with zero evidence can't be disproven. The Trump
administration is acting extremely recklessly by spreading this unsupported
conspiracy theory.

~~~
dependenttypes
> implausible

Explain the previous SARS releases then.

~~~
DiogenesKynikos
SARS spilled over naturally, not from a lab.

After it spilled over naturally, it became the subject of intense study,
sometimes in labs with poor procedures. Huge amounts of SARS-CoV were being
cultured by people with little training.

That's an entirely different circumstance from now. The lab where they study
coronaviruses in Wuhan operates at a much higher standard than poorly run
Chinese labs in 2004. The lab in Wuhan wasn't even conceived back then.

It's essentially proven that SARS-CoV-2 was not under study before the
outbreak, because it's not in any of the standard databases where all
known coronaviruses are published. But even disregarding that, the idea that
huge quantities of a virus that nobody has ever heard of would be cultured is
implausible.

------
tyingq
The CVE is from mid last year:
[https://www.exim.org/static/doc/security/CVE-2019-10149.txt](https://www.exim.org/static/doc/security/CVE-2019-10149.txt)

So I guess this is an attempt to get exim users to update.

~~~
strictnein
Exactly this. By one estimate 1/4 of all MTAs on the Internet were running
vulnerable versions of Exim.

------
panpanna
Maybe I'm mistaken, but wasn't exim created as a more secure alternative to
sendmail?

Edit: on a second thought, "more secure than sendmail" means nothing. It is
probably impossible to be _less_ secure than sendmail.

~~~
whoopdedo
My recollection is it was billed as easier to set up than Sendmail. During the
vote to make it default[1] it was also helped by being smaller than Postfix
(at a time when Debian was still supporting floppy disks for installation).
There may have been some (with hindsight naive) justification that the easier
configuration would make systems more secure by avoiding common Sendmail
pitfalls. But I don't think we were thinking about security 20 years ago the
same as we do now. It was mostly an "if you can put it in a chroot you'll be
fine" attitude.

[1] [https://wiki.debian.org/Debate/DefaultMTA](https://wiki.debian.org/Debate/DefaultMTA)

------
harry8
There is no evidence presented that Russia and the GRU used this. None. Could
be true. Could be false. Could be trying to propagate this ridiculous "it's
the Russians" narrative so prevalent to explain everything those in 3 letter
agencies don't like politically. From the electoral unpopularity of Hillary
Clinton, through why Wikileaks publishing secrets of their crimes is not in
your interest, to now why people are protesting (not record unemployment, not
continuing police brutality, not the existence of an underclass in the richest
nation on the planet, no. Russians).

So yeah, could be true, but if you laugh at anyone claiming "Russians" with no
evidence to back it, that's probably the safest thing to do.

No evidence at all of Russians hacking Hillary's email if you were paying
attention in the last week or so, other than from evidence-free DNC claims.
Maybe they did, sure. And maybe Saddam had WMD - believing that lie, and I
did, cost us rather a lot. It would be silly to fall for it again.

------
salmo
Heck, I'm impressed that enough people are running an MTA that touches
incoming mail for this to be effective. It was never "easy", even in the 90s.
Back then it was an issue of having a performant, secure config. But these
days, it's way more complex and too much money.

I wouldn't think that many people are using fetchmail + local MTA anymore, but
maybe I'm wrong.

I used to do it for my family, but maintaining an MTA, spam filtering,
IMAP/POP, webmail, CalDAV & CardDAV is rough. And supporting folks hooking up
their devices that increasingly needed to go 8 menus deep to punch in the
settings for something that wasn't gmail/hotmail/outlook was just too much.

And then you can't run it out of your house, unless you pay money for static
IPs, or you pay for hosting and make sure you keep yourself off blocklists.
Just the cost of doing it made it not worth it unless you hit economy of scale
number of users.

That said, sendmail did improve my M4 skills FWIW.

~~~
wtracy
I recently paid for a Debian VPS instance, and when I logged in it had Exim
already installed.

(I think it was running by default, too, but I don't trust my memory. I
uninstalled it pretty quickly.)

------
joshfraser
Once again, this feels politically motivated. 1. It's old news. 2. They
blame Russian hackers, but we rarely ever have full certainty into the true
source of an attack. This is due to false flags (for example, the Germans
adding some Russian comments to their code) and hackers routing their attacks
via a daisy chain of compromised machines all over the world. 3. The NSA are
the worst offenders when it comes to exploiting software vulnerabilities.

~~~
strictnein
This isn't some conspiracy theory. The NSA is simply doing what people have
been asking of them for years: be more proactive and public on the defensive
side of things. The fact they are also burning RU methods is just icing on the
cake for them.

------
joemazerino
Exim is installed by default in many popular web hosting panel platforms,
cPanel for example.

------
peter_d_sherman
You know what would be interesting?

Someone should do the following:

1) Get all of the source code for Exim, and other codebases, codebases for
which vulnerabilities have been discovered -- but before the vulnerability has
been removed from source code.

2) Run machine learning on the code, with the understanding that different
parts of code may have been written by different authors.

3) Use those ML models to check whether other codebases, codebases for which
it is as yet unknown whether they contain vulnerabilities, might have the
same coding patterns in certain areas as the affected software above,
indicating potential tampering.

In other words, via ML, software which has been tampered with -- might be able
to be detected preemptively...

Disclaimer: I am not a ML expert, and this might be a somewhat futuristic
idea, due to various constraints...

------
sschueller
I haven't run across many who use Exim. Any benefits over postgress/dovecot?

~~~
dijit
EXIM is much easier to configure than postfix. Postfix is faster than EXIM.

They are both mail-transport daemons (basically mail relays).

dovecot is comparable to Cyrus; it's not a mail relay, it's a POP/IMAP server
used for accessing mail from storage.

~~~
wtracy
> EXIM is much easier to configure than postfix. Postfix is faster than EXIM.

You might have the two reversed?

I don't have hands-on experience with Exim, but every "getting started with
email" document on the internet seems to recommend Postfix as easier for a
beginner to install.

~~~
lstodd
Before Debian made exim default and made an ungodly mess of macros and
unintelligible crap out of their config, it was pretty simple to configure.

In fact, as an old hand (been dealing with exim configs since 2001), the very
first thing I did and still do is delete the default debian hell and
copy-paste a simple two-screen config which then needs only 3-4 lines tweaked.

------
colsandurz
So the NSA is doing what they actually should be doing?

