
Flame is Lame  - wglb
http://www.f-secure.com/weblog/archives/00002383.html
======
nikcub
> 7. The stolen info is sent out by infecting USB sticks that are used in an
> infected machine and copying an encrypted SQLite database to the sticks, to
> be sent when they are used outside of the closed environment. This way data
> can be exfiltrated even from a high-security environment with no network
> connectivity.

> "Agent.BTZ did something like this already in 2008. Flame is lame."

Flame's approach is different and more impressive. Agent.BTZ copied itself and
used an easy-to-discover autorun.inf file in the root directory of attached
disks or network shares. Flame exports its database by encrypting it and then
writing it to the USB disk as a file called '.' (just a period, meaning
'current directory').

When you run a directory listing you can't see it. You can't open it. The
Windows API doesn't allow you to create a file with that name, and Flame
accomplishes this by opening the disk as a raw device and directly writing to
the FAT partition. Impressive, right?

While a lot of these individual features alone are not impressive, the sum of
the parts, combined with the collision attack on the certificate signature, is
very impressive.

As for the main point of Mikko's post, I have never understood why so many
folks in the netsec industry are arrogantly pessimistic about the innovation
of others. I found Flame jaw-droppingly amazing.

Nobody knew about it for years, yet it was derided when discovered and
documented.
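
A defender-side check for the artifact nikcub describes, added here as an example (not code from the post or from any Flame analysis): it reads the BPB of a FAT12/16 volume image, walks the root directory, and flags any short-name entry whose name starts with a dot, which the Windows file API never produces in a root directory. The three-sector image is constructed inline for the demonstration.

```python
import struct

ATTR_LONG_NAME = 0x0F  # VFAT long-name piece, not a real entry


def root_dir_entries(image: bytes):
    """Locate the root directory from the BPB and yield (raw_11_byte_name, attr)
    for every live short-name entry (skips deleted entries and LFN pieces)."""
    bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", image, 11)
    fat_sectors = struct.unpack_from("<H", image, 22)[0]
    root_off = (reserved + nfats * fat_sectors) * bps
    for i in range(root_entries):
        ent = image[root_off + 32 * i: root_off + 32 * (i + 1)]
        if ent[0] == 0x00:                      # 0x00 marks the end of the directory
            break
        if ent[0] == 0xE5 or ent[11] == ATTR_LONG_NAME:
            continue
        yield ent[:11], ent[11]


def short_name(raw: bytes) -> str:
    base, ext = raw[:8].rstrip(b" "), raw[8:].rstrip(b" ")
    return (base + (b"." + ext if ext else b"")).decode("latin-1")


def suspicious_root_entries(image: bytes) -> list:
    """Names of root entries no Win32 caller could have created. The root
    directory of a FAT volume never holds '.' or '..' entries, and 8.3 names
    may not start with a dot, so a leading 0x2E byte here implies a raw write
    to the device rather than a normal file operation."""
    return [short_name(raw) for raw, _ in root_dir_entries(image) if raw[0] == 0x2E]


def build_sample_image() -> bytes:
    """Constructed FAT12 image: boot sector, one FAT sector, 16-entry root dir,
    holding one ordinary file and one entry named '.' (sample data, not from Flame)."""
    boot = bytearray(512)
    boot[0:3], boot[3:11], boot[510:] = b"\xEB\x3C\x90", b"MSWIN4.1", b"\x55\xAA"
    struct.pack_into("<HBHBH", boot, 11, 512, 1, 1, 1, 16)  # bps, spc, reserved, FATs, root entries
    struct.pack_into("<H", boot, 22, 1)                     # sectors per FAT
    fat = bytearray(512)
    fat[0:3] = b"\xF0\xFF\xFF"
    def entry(name, attr, cluster, size):
        e = bytearray(32)
        e[0:11], e[11] = name, attr
        struct.pack_into("<HI", e, 26, cluster, size)
        return bytes(e)
    root = entry(b"README  TXT", 0x20, 2, 100) + entry(b".          ", 0x20, 3, 4096)
    return bytes(boot + fat + root.ljust(512, b"\x00"))


if __name__ == "__main__":
    for name in suspicious_root_entries(build_sample_image()):
        print("suspicious root entry:", repr(name))
```

Pointing the same scan at a real removable-media image only requires replacing the constructed bytes with the volume's first sectors; a leading-dot name in the root directory is the anomaly to escalate.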

~~~
m0nastic
_As for the main point of Mikko's post, I have never understood why so many
folks in the netsec industry are arrogantly pessimistic about the innovation
of others. I found Flame jaw-droppingly amazing._

Infosec is an inherently pessimistic enterprise, although spending time here
makes me think it's not a perspective limited to security.

Just look at how almost every post here ends up littered with comments like
"This isn't new. My XYZ already does all of this." People like to feel
superior (it helps reinforce the individual nerd exceptionalism).

~~~
Maakuth
You might want to read between the lines. My take is that the style is a bit
sarcastic, especially considering the last lines.

~~~
scott_s
I believe m0nastic was talking about the people that the author is implicitly
responding to, not the author.

------
patio11
I think tptacek has hummed a few bars in this direction before, but it has
become received wisdom on some parts of the Internet that geeks vs. government
is an asymmetric fight and that since governments are stupid geeks will win.
You often see this in, let me cherry pick out of charitability, threads
suggesting that the OSS community develop surveillance countermeasures for use
by dissidents subject to certifiably evil regimes.

It doesn't really matter whether the nation state in question is Iran or the
United States. Do not pick fights with people who can respond to a hacking
incident by writing a check for $5 million dollars to a defense contractor and
consider that low-intensity conflict resolution. It will not end well.

~~~
DanI-S
> You often see this in, let me cherry pick out of charitability, threads
> suggesting that the OSS community develop surveillance countermeasures for
> use by dissidents subject to certifiably evil regimes.

> It doesn't really matter whether the nation state in question is Iran or the
> United States. Do not pick fights with people who can respond to a hacking
> incident by writing a check for $5 million dollars to a defense contractor
> and consider that low-intensity conflict resolution. It will not end well.

Are you really saying that people should avoid writing software that could
help people who are subject to evil regimes because said evil regime might be
upset at them? There's an uncertain level of personal risk associated with
doing such things, but there's definite moral hazard in total self-interest.

Either way, if Flame was written by the US or Israel a lot of us on here are
already complicit in such a project. We live in a democracy. Those are our tax
dollars, hard at work.

I totally agree with you otherwise; governments are not stupid.

~~~
tptacek
He's not saying that, I am.

There's no personal risk to writing regime circumvention tools. Iran isn't
going to have you assassinated for your work on Tor.

There is serious risk to _using_ Tor in Iran. Death squads and disappearances
aren't a conspiracy theory in Iran; they are the regime's well-understood M.O.
When circumvention tools like Tor work, they hide your traffic from the
regime. When they stop working, or are turned, they do exactly the opposite:
they attach a statistical marker to your traffic that says "whether or not you
can read these packets, the person sending them is interesting".

The people working on circumvention tools are mostly well-intentioned (many of
them are friends of mine), but they are delusional about the SWOT analysis at
play here. None of them have any unique skills that aren't available to an
organization willing to shell out 6-7 figures to a team in a month. Money buys
competence. A lot of money buys a lot of competence. Iran has a lot of money.
Circumvention projects do not.

Kickstarter hasn't seen the amount of money that a world government could
spend without director-level approval on a project to turn a circumvention
tool against its users.

And that's before you get to the fact that many, if not most, of the computers
in authoritarian regimes are probably already rootkitted.

~~~
morsch
All the competence in the world won't let you break basic crypto algorithms
without at least breaking a sweat.

The playing field between Alice and Bob on the one hand and Eve on the other
hand is inherently asymmetrical. Given equal competence and time to work on
it, Alice and Bob are going to come up with an encryption scheme that Eve
won't be able to break. You seem to be convinced that given almost unlimited
resources, Eve can break any scheme Alice and Bob can come up with. I'm not
sure I see any evidence for that.

~~~
monkeyfacebag
I don't think he's saying that at all. I interpreted it as, given unlimited
resources, Eve can determine that Alice and Bob are communicating over
encrypted channels which, for Alice and Bob, is almost as bad as having their
encryption broken.

~~~
morsch
I took that to be a specific example -- _Tor may be detected using traffic
analysis_ -- of a more general principle -- _circumvention tools can not hope
to withstand nearly unlimited resources_. I thought tptacek was pretty
explicit in making this more general statement.

~~~
tptacek
One thing that a lot of circumvention tool promoters get wrong is the threat
model. The threat model isn't "attacker can read your traffic" --- although
some of the best known circumvention tools have made cryptographic mistakes
that did allow that. The threat model is "tractable attacks that isolate
traffic using your tool from bulk Internet traffic".

A torture cell will do just peachy at decrypting the actual packets.

------
Niten
The thing I find most interesting about Flame: whoever developed it surely
understood that by being released into the wild like this, their new
cryptographic attack was guaranteed to eventually be discovered and analyzed.
And yet they spent that attack's secrecy on a (very sophisticated, but still)
fishing expedition.

So what cryptanalytical capabilities do they have which _are_ considered too
sensitive to expose via malware?

~~~
tptacek
Bear in mind that attacks on MD5 have an inherently limited shelf life, and
that while the exploit used in Flame may be new, the underlying vulnerability
and the fundamental technique used to exploit it are very well known.

------
weavejester
It's a fairly nice summary of Flame, but it could do without the link-bait
title, since the conclusion of the article is exactly the opposite.

~~~
MehdiEG
It's clearly linkbait but it is actually nicely written and informative so
I'll give them a pass on this one.

------
mtgx
If this was indeed developed by NSA, wouldn't this sort of attack be easier
for them since NSA gets access to Microsoft's source code for Windows?

~~~
slig
How come they get access to MS code?

~~~
dchest
[http://www.microsoft.com/government/en-gb/initiatives/Pages/government-engagement-programs.aspx](http://www.microsoft.com/government/en-gb/initiatives/Pages/government-engagement-programs.aspx)

_Government Security Program: Addressing the unique security requirements of
governments worldwide by helping government actively participate in ensuring
the security of their critical systems. We help enhance system security by
providing access to Microsoft Windows and Office source code, prescriptive and
authoritative security guidance, technical training, security information, and
Microsoft security experts._

~~~
einhverfr
Cool, so it's public knowledge now :-D

~~~
tptacek
It's been public knowledge for something like a decade.

------
bjornsing
Completely agree. That novel cryptographic hash collision thing is mind
boggling, all the rest is just run-of-the-mill.

~~~
wglb
Well, I thought the unreadable, unprocessable, undeleteable file named '.' was
rather clever.

~~~
lmm
It was clever the first time someone did it, but it's old-hat by now.

~~~
wglb
Who did it first?

------
yassim
I'm curious.

> 9. Latest research proves that Flame is indeed linked to Stuxnet....

What's the chance that this "Resource 207" is some 3rd party module that more
than 1 developer had access to? I concede that placing the same resource in
the same resource location in 2 different unrelated applications is a bit of a
long shot, but I don't see it as a smoking gun either.

------
at-fates-hands
> Nobody knew about it for years, yet it was derided when discovered and
> documented.

I had the same reaction, then I thought they did this on purpose to downplay
how really impressive Flame is. I imagine the people writing these blogs are
actually thinking "Holy S%$&!" behind closed doors or within other security
circles.

------
cdooh
I've been meaning to ask, exactly how big a team would it take to design such
a virus?

------
brunnsbe
Who said that Flame was Lame? I haven't stumbled on that much critique about
Flame.

~~~
mikkohypponen
Some examples:

[http://idealab.talkingpointsmemo.com/2012/05/flame-malware-mostly-smoke-and-mirrors-say-security-experts.php](http://idealab.talkingpointsmemo.com/2012/05/flame-malware-mostly-smoke-and-mirrors-say-security-experts.php) "The hype surrounding Flame
may be partially the result of the ITU"

[http://www.thetechherald.com/articles/Is-the-hype-surrounding-Flame-blazing-a-FUD-fueled-trail-of-panic](http://www.thetechherald.com/articles/Is-the-hype-surrounding-Flame-blazing-a-FUD-fueled-trail-of-panic) "None of the methods of this
malware are particularly new."

<http://xato.net/malware/flame-is-kind-of-lame/> "It's just not that
impressive as far as features go. In fact, 10 years ago it really wouldn't
have been that impressive."

Mikko

------
ritratt
Flame caught all the attention because it made use of a new hash collision
technique currently not known to anyone. Which would mean it was govt. backed.

------
ticks
I'm probably alone on this, but 'lame' is such a lazy word to use. Saying it
repeatedly just made me stop reading.

~~~
adewinter
FWIW (I didn't realize this either until the end), the article is actually
pointing out that Flame isn't lame for one very specific reason: the cutting
edge cryptography research that went into it.

~~~
gjm11
No. The article is pointing out that Flame isn't lame in lots of different
ways, and saying that the naysayers kept calling it lame until one single
spectacular bit of non-lameness came to light. It's suggesting that they
should have cottoned on sooner. At least, that's my reading of it.

------
sparknlaunch
I thought the big thing was that Flame found its way into a network locked out
from the outside world. So the intrigue lies in how it made it into this
network?

~~~
Auguste
I hadn't heard about that (so please excuse my ignorance), but surely it's
just a case of somebody accidentally/intentionally bringing it in on removable
storage, like a USB drive, and plugging it in.

~~~
celticninja
Yes, the article says that it will put itself onto USB sticks so that it can
be transferred out of a walled garden, therefore it can enter the same way.

~~~
pbhjpbhj
Not only duplicating itself but putting data from inside the air-gapped network
onto pen drives so it can escape. I guess the one is useless without the
other, but this somehow seems far more impressive.

