
Wikileaks releases CIA's Marble: Malware obfuscation tools - daenz
https://wikileaks.org/ciav7p1/cms/page_14588467.html?marble=1
======
asimpletune
How about instead of talking about whether Wikileaks is good or bad or whether
you support them or not, let's talk about the content of the post.

From what I've read so far, this is pretty freaking cool. It's super
interesting to read these docs and see their thought process involved,
especially since the product they're building is so different from what people
are making on a day to day business. It actually looks pretty fun to work on.
Also, I think it's neat to read about their need for developing frameworks
that can be used around the agency to accomplish stuff.

Unfortunately, I didn't read anything about self-modifying code, which is
probably the most difficult malware to detect and probably to write. Maybe
it's in there though, I didn't read the whole document. I came to the comments
about halfway through to see dozens of people talking about whether they
support Wikileaks or not, which I think is fine, free country, but I'd like to
actually know what some people who work with this kind of stuff think.

A framework for compiling to self-modifying, yet correct, code would be super
cool. I wonder if it always has to be written by hand? Probably not, but maybe
that's a separate tool Wikileaks has yet to release.

~~~
openasocket
Self-modifying the underlying machine code isn't what it used to be. Besides
the difficulty in writing it, there are lots of caveats about how it interacts
with the cache and the instruction pipeline. It also requires setup, because
with modern memory protection all the machine code is read-only. Changing the
memory protection for some machine code to be executable and writable at once
will set off some alarms (and isn't even possible on systems with W^X). So you
need to change it to just writable, make your modifications, then change it
back to just executable, which is less suspicious; it just looks like what JIT
compilers do. But all in all self-modifying code doesn't really give you
anything.

The exception to that is packers and other obfuscation techniques, which are
related to self-modifying code. The general idea with these is that you take
your real program and compress/encrypt/mangle/etc. it and store that data in an
executable. The code in that executable de-compresses/decrypts/demangles that
data, sets it as executable, and then runs it. Unlike traditional
self-modifying code, packing is orders of magnitude easier to write for the
malware developer. The advantage here is that an antivirus tool can't determine
what your real program does statically unless it understands how you mangled
it, which is hard to do in general. To "unpack" an executable you've got three
general techniques:

1\. Packers tend to get reused a lot, so just have a person write an unpacker
for popular packers by hand, and do some pattern matching to figure out which
packer an executable is using. This doesn't work for everything, but it's
fairly simple.

2\. Dynamic Analysis. Run the executable and watch the contents of memory as
the program unpacks itself; the real program should pop right out. Of course
you have to run the executable in some sort of sandbox environment, and
there are ways for the malware to detect that and alter its behavior. This also
isn't the most efficient process, so you can't really do this to executables
during, say, an antivirus scan.

3\. Symbolic Analysis. Basically static analysis on steroids to figure out
what the executable will do without actually running it. The malware can't
stop this with sandbox detection. But it's super slow and is still an active
area of research.
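
Two of the defender-side checks that follow from the description above (entropy as a tell that a region is compressed or encrypted, and signature matching for known packer stubs), written as an added example that is not part of this thread or of any tool it mentions; the stub signature, the sample regions and the 6.5 bits/byte cutoff are constructed assumptions for the demo:

```python
"""Static triage for packed executables (added example, not from the thread).

A packer stores the real program as compressed/encrypted data plus a small
unpacking stub, which defeats naive static scanning. Two cheap checks an
analyst runs before paying for dynamic or symbolic unpacking:
  1. a signature scan for known unpacker stubs (the "technique 1" approach);
  2. Shannon entropy, since compressed/encrypted payloads look near-random.
The signature below is a CONSTRUCTED placeholder, not a real packer's bytes.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 256, step: int = 256,
                         threshold: float = 6.5):
    """Offsets (and entropy) of fixed-size windows at or above the threshold.

    Where entropy jumps is where the packed blob starts, i.e. the region to
    watch while the sample unpacks itself under dynamic analysis. 6.5 is a
    rule-of-thumb cutoff (assumed here): code and text sit well below it,
    compressed or encrypted data sits above it.
    """
    hits = []
    for off in range(0, len(data) - window + 1, step):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold:
            hits.append((off, round(ent, 2)))
    return hits


def triage(regions: dict, signatures: dict, threshold: float = 6.5) -> dict:
    """Per-region verdict: known-packer:<name>, likely-packed, or plain."""
    verdicts = {}
    for name, data in regions.items():
        match = next((pk for pk, sig in signatures.items() if sig in data), None)
        if match is not None:
            verdicts[name] = f"known-packer:{match}"
        elif shannon_entropy(data) >= threshold:
            verdicts[name] = "likely-packed"
        else:
            verdicts[name] = "plain"
    return verdicts


# --- constructed sample input (stands in for sections of a binary) ---------
# Repetitive text stands in for ordinary code/data: low entropy.
PLAIN = (b"mov eax, [ebp+8]\ncall 0x401000\nret\n" * 40)[:512]
# Seeded PRNG output stands in for a compressed/encrypted payload: high entropy.
_rng = random.Random(1337)
PACKED = bytes(_rng.getrandbits(8) for _ in range(1024))
# Made-up stub marker; a real signature would come from a known packer's stub.
SIGNATURES = {"demo-packer": b"DEMO-STUB-v1"}
SAMPLE_REGIONS = {
    "text": PLAIN,
    "packed": PACKED,
    "stub": b"DEMO-STUB-v1" + PACKED,
}


def first_packed_offset(data: bytes) -> int:
    """Offset of the first high-entropy window, or -1 if there is none."""
    hits = high_entropy_windows(data)
    return hits[0][0] if hits else -1


if __name__ == "__main__":
    for region, verdict in triage(SAMPLE_REGIONS, SIGNATURES).items():
        ent = shannon_entropy(SAMPLE_REGIONS[region])
        print(f"{region:7s} entropy={ent:.2f} -> {verdict}")
    print("packed data begins at offset", first_packed_offset(PLAIN + PACKED))
```

Real binaries need the same scan applied per section (PE or ELF section table) rather than to a whole file, and a high-entropy region can also be legitimate resources such as compressed images, so the verdict is a triage hint, not proof.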

~~~
canada_dry
> Dynamic Analysis. Run the executable and watch the contents of memory as the
> program unpacks itself

Of course nowadays the makers of fine malware detect whether they are running
inside a sandbox, and won't activate.

~~~
cormacrelf
You can always run it on a real, unimportant machine not connected to
anything. (And never connect that machine to anything ever again.) That
feature just makes it slightly more difficult and costly to compromise program
security.

------
azinman2
I've really turned on Wikileaks. It'd be one thing if all the major powers had
equivalent leaks publishing, but focusing on the US basically serves Chinese
and Russian interests far more than it does the citizens of the US. String
obfuscation isn't stemming from some corrupt deal that needs sunlight... this
is just doing a disservice to their original mission.

~~~
elif
The truth isn't responsible for serving anyone's interests, and especially not
the interests of the biggest secret keeper. The truth is not political, except
that it is the natural enemy of politics which rely upon secrecy.

If your perspective is that more secrets are being kept by more egregious
actors than the US, the truth welcomes your contribution...

~~~
gkoberger
The truth may not be political, however the curation is. Take the US election,
for example. Wikileaks has released information about Clinton and the DNC, and
claims they have stuff they never released about Trump and the GOP [1, 2].
Other sources have said the GOP was hacked in the same attack that got Podesta
[3].

The only person less likely to criticize Russia than Trump is Assange.

Wikileaks lost any proximity to an alleged moral high ground when they stopped
leaking everything they got, and started editorializing their release schedule
for political impact, started talking about US politics, and held back bad
things about people they like.

(I say this as someone who is very pro-Snowden.)

1/ [http://thehill.com/blogs/ballot-box/presidential-races/29345...](http://thehill.com/blogs/ballot-box/presidential-races/293453-assange-wikileaks-trump-info-no-worse-than-him)

2/ [http://theweek.com/speedreads/645239/julian-assange-tells-me...](http://theweek.com/speedreads/645239/julian-assange-tells-megyn-kelly-why-wikileaks-isnt-releasing-dirt-donald-trump)

3/ [http://www.nbcnews.com/news/us-news/russia-hack-u-s-politics...](http://www.nbcnews.com/news/us-news/russia-hack-u-s-politics-bigger-disclosed-includes-gop-n661866)

~~~
mhermher
Do you hold WaPo, NYT, CNN to those same standards? Because that is mainly
what American "MSM" does, selectively publish information which benefits the
agenda of American foreign policy interests.

It's fair if you align yourself with American foreign policy interests, I do
too, but to single out other publications that don't follow that agenda is
just a case of having self-interested double standards. All of the criticism
of Wikileaks and non-American MSM has all sounded like that to me. "They are
selectively publishing different things than we want to be selectively
published. Waaah".

But let me guess what the go to response would be: "whataboutism" (aka you
can't call me a hypocrite, because some guy made a term for it).

~~~
elemenopy
I disagree: I think there is a reasonable case to hold WikiLeaks and the NYT
to different standards. I think WikiLeaks holds itself out as a much more
anarchic news organisation than traditional outlets like the NYT. WikiLeaks
isn't connected to, and doesn't have allegiance to, any particular country, and
will publish, let the facts speak for themselves and damn the establishment and
any particular national interests that are harmed. On the other hand,
organisations like the NYT are pretty open about how, while they often publish
against the wishes of USG, they do ask for comment and may defer publication if
they are satisfied there are very good reasons to do so. [1]

Therefore, for WikiLeaks to become highly partisan is a radical departure from
their original mission; moreover, it has happened without WikiLeaks
acknowledging that this is the case. I think you can't say the same for the
NYT.

1\. [http://www.nytimes.com/2013/11/10/public-editor/sullivan-les...](http://www.nytimes.com/2013/11/10/public-editor/sullivan-lessons-in-a-surveillance-drama-redux.html)

~~~
Natsu
The problem with holding Wikileaks as "selective" is that you would have to
establish that there are true leaks which they have withheld from us. There's
this popular misconception that Wikileaks actually hacks to obtain the data,
but this is false and no one has ever so much as attempted to prove otherwise.

So given that they can't select the sources, the claims of them being
"selective" just sound ignorant to anyone who knows how they operate,
especially when those same claims are so often repeated in publications which
are openly selective.

~~~
contrast
First of all, if you know how Wikileaks operates, you know that as well as the
leaks they generate content and opinions. They are not merely a funnel.

Second, if they were trying to be just a funnel but realised that they were
only getting information from limited sources with a known agenda, then they
would also know that they are facilitating a political agenda. They could be
open about this. But they are not. They are keeping critical details of their
own activities secret (ie they choose to be selective), which is directly
contrary to their stated philosophy.

In a more empirical sense, an organisation can only be judged by its output,
not by its slogans or cheerleaders. In that sense Wikileaks is clearly an
organisation promoting a political agenda.

~~~
Natsu
> First of all, if you know how Wikileaks operates, you know that as well as
> the leaks they generate content and opinions. They are not merely a funnel.

Yes, but that opinion is that powerful, unaccountable organizations shouldn't
be able to keep deep secrets from the general public when they do things like
manufacturing consent for war.

------
oliv__
The WARBLE languages are pretty telling of which actors this software is
intended to target:

    * Arabic
    * Chinese
    * Russian
    * Korean
    * Farsi

Interesting...

~~~
DigitalJack
Why is that interesting? Seems obvious so I am wondering if I missed
something.

------
MaxLeiter
    You can't. LOLZ. Yet.

[https://wikileaks.org/ciav7p1/cms/page_16384857.html](https://wikileaks.org/ciav7p1/cms/page_16384857.html)

------
rbanffy
I think I'll just open an issue and let someone else update the name lists...
Wikileaks is publishing these things faster than I can update my code.

[https://github.com/rbanffy/nsaname](https://github.com/rbanffy/nsaname)

------
salesguy222
I wonder if Sony really was "hacked by the North Koreans" then.

~~~
eli
You think the CIA did it instead? Other than it maybe being technically
possible, what evidence or motivation would they have for doing that?

~~~
salesguy222
Before I answer, I'd like to state that I am an American citizen living abroad
and I have no particular alignment to or against any country :)

I don't know if the CIA did or would want to do this specific attack.

But, I could grasp at straws to fit the Sony attack in line with the narrative
of what I would call "1950s American Imperialism".

In my view, the Americans have taken covert or overt actions for many decades
now to undermine economically competitive countries. We've bombed Germany,
Italy, Japan, Serbia, Korea, China, Vietnam... we've invaded Iraq... we've
taken actions against many Latin American governments and Iran...

Over the years, the powers that be have been pretty good at framing other
nations for attacks or dangers, in order to drum up public support to attack
them. Gulf of Tonkin, WMDs, USS Vincennes...

So, in short, if you had definitive proof that Russian and NK hacking were in
fact orchestrated by the CIA...

... then the economic imperialism narrative would hold as pretty plausible
motives!

The most blatant endgame here for the US is "NK hacked us. They have nukes!
It's time to invade!". And then NK becomes a new market for the West to take
over for cheap, as they did in Communist Yugoslavia and so on.

~~~
matthewbauer
> The most blatant endgame here for the US is "NK hacked us. They have nukes!
> It's time to invade!". And then NK becomes a new market for the West to take
> over for cheap as they did in Communist Yugoslavia and so on

But "They have nukes!" would be a reasonable enough reason to invade. Why not
work with that narrative as opposed to "They're hacking us!"?

Some might say the US has a moral obligation to pursue regime change in N
Korea, but US foreign policy has focused on isolating as opposed to invasion.

~~~
salesguy222
I do think nukes are the primary reason, much like with Iran. But you see a
trend with Iran, Russia, China, NK- when the country is too legitimate to
invade (compared to little Serbia or Somalia), isolation and sanctions are
pursued.

Perhaps it is convenient fear-mongering and deepening of arguments. America
seems to be pretty good at spreading multi-faceted arguments about why you
shouldn't even _think_ about the legitimacy of a multi-polar world.

I guess my point is, the American government and official state media seem
pretty content to have these multi-bullet playbooks against nations that
quite deeply fulfill the criteria of "non-western", "non-democratic", "non-
capitalist", but are still quite serious "economic and militaristic threats".

~~~
tgragnato
> I do think nukes are the primary reason, much like with Iran. But you see a
> trend with Iran, Russia, China, NK- when the country is too legitimate to
> invade (compared to little Serbia or Somalia), isolation and sanctions are
> pursued.

Stuxnet was (in a sense) a much more interesting topic than this leak. It
showed that the retaliation is pursued not only by isolation and sanctioning,
but with (subtle & undercover) direct attacks too.

------
albertTJames
wonder when wikileaks will publish fsb hacking tools

LOL

~~~
equalunique
Seems FSB has better security than CIA.

90% of intelligence community cyber security spending is on offensive
projects, so this revelation should not be too surprising.
([http://www.reuters.com/article/us-usa-cyber-defense-idUSKBN1...](http://www.reuters.com/article/us-usa-cyber-defense-idUSKBN17013U))

~~~
sandworm101
And FSB's attack surface is less than 1% of CIA's. Much FSB work is farmed out
to contractors, the offensive stuff that CIA keeps in house. CIA people chat
via email, messaging and by voice. FSB people chat in person. That's why
Russian hackers are always traveling while CIA hackers keep having their stuff
leaked.

~~~
equalunique
Great points. I don't know many details of how they operate. Someone told me
they still rely on paper-based methods in order to avoid some types of
electronic surveillance.

In theory, 50% offense and 50% defense should be the only budget for a sane
operation.

~~~
dredmorbius
[https://news.ycombinator.com/item?id=14007213](https://news.ycombinator.com/item?id=14007213)

------
joshvm
(Perhaps not so) Interesting that the demonstration languages are: Chinese,
Russian, Arabic, Farsi and Korean.

Could be a fun one for game DRM? Or apps where an API key is hidden in the
binary?

------
philfrasty
(noob question)

Do you need THE best software-development talent to be able to build
comprehensive surveillance like the big agencies? Like THE Christiano Ronaldo
or THE Michael Jordan of programming.

Or is this more about funds and the power to set such a system in motion?

~~~
dredmorbius
That's an interesting question.

My thought is that much of the problem is tactical, logistical,
organisational, and capabilities-oriented.

Consider the problem domain:

1\. There's a vast amount of information flowing around the world. Much of it
remains at best _poorly_ protected, and until recently, that was even more the
case.

2\. Much of surveillance revolves around _access to the channels_ themselves.
Which means places such as satellite uplink/downlink centres, transoceanic
cable landfalls, major switching hubs, telecoms hubs (AT&T's notorious San
Francisco closet), etc.

3\. Then you've got the problem of _simply ingesting the information_. For
that, you need a fat pipe of your own, and massive storage.

4\. Then the problem of _classifying and prioritising the information_, or
_identifying and tracing specific targets_. Again, in both cases, _scale_
matters more than _capability_, where scale is both a matter of data
(transmission, storage, processing) and above all _access_.

If you want to tap a specific landline, or cellphone, or cloud / online
storage provider, _do you have the tactical assets in place to be able to do
so?_ E.g., official or unofficial liaisons with the organisation in question.
If official, how do you maintain that relationship (what balance of carrots
and sticks). If unofficial, do you risk burning through such assets by
utilising them. Google, to take an example, apparently looks poorly on
employees directly accessing user data, and could well discipline or terminate
any staff or contractors who do so. This doesn't mean that the NSA doesn't
have and cannot use such assets, _but they can likely only use each one a
small number of times, possibly only once._ That raises the costs for any such
access, though again, scale offers a potential counterweight. (Rinse, wash,
and repeat for all non-Google organisations, I'm actually raising them as an
example here _on account_ of their apparently stringent internal controls.)

5\. Technical capabilities. For any given channel, there are the fundamental
information-theoretical problems of establishing a link, transferring, and
comprehending data. Depending on the complexities involved, this may be easy
or hard, but there's almost certainly a fixed setup cost for any given
service. This also means that the surveillance entity will likely target
technical sources by some balance of total size (likelihood that _any_ given
target will be on it) and specific interest (that a _particular_ target is
there).

Such resources are again finite, and suggest yet another possible defeat: by
embracing rapid change, the work factor for achieving technical penetration
increases.

I'm arguing my own way through this, but in general, I'd think that _size_
matters more than _skill_, though the two complement, and there are almost
certainly instances in which brute intelligence and capability in conceiving
of exploits is an essential factor.

------
vxxzy
What would be the advantage to making your exploits appear to come from other
countries? What do we gain from this? It feels like an instigation.

~~~
rdtsc
There is a huge advantage to doing that. False flag attacks are one of the
tried and true methods of intelligence agencies since ancient times.

For example the official pretext for WWII was started as a false flag:
[https://en.wikipedia.org/wiki/Gleiwitz_incident](https://en.wikipedia.org/wiki/Gleiwitz_incident)
US did it at the start of Vietnam War:
[https://en.wikipedia.org/wiki/Gulf_of_Tonkin_incident](https://en.wikipedia.org/wiki/Gulf_of_Tonkin_incident)

We gain a lot from this. We can for example manufacture "Russian hysteria" -
"Look we found a Russian rootkit on a DNC server". We can attack our allies
and then make it look like the Chinese did it, and so on. It is immensely
useful.

~~~
shuntress
> "Look we found a Russian rootkit on a DNC server"

Implying a 'Russian rootkit' was planted in a false flag operation?

So the CIA pretended to be Russia helping to get Trump elected -- why?

~~~
rdtsc
Did they pretend to be Russia? I didn't see any evidence. They seemed to have
heavily invested in this capability though. Why waste time and money if they
don't plan on using it?

Why do you think they might want to pretend to be someone else?

------
ndesaulniers
It's unethical for anyone who calls themselves an engineer to do this kind of
work.

~~~
sigmar
It's unethical to write a script that will xor strings?

~~~
Crito
> _"It's unethical to shoot somebody"_

It's unethical to pull on a little piece of metal?

------
brooklynmarket
Wow C is back. Figured they were using php and Wordpress. :-)

------
ComodoHacker
> Alternatively you can email User #72806

------
lightbyte
Why would they release their own tools?

~~~
rdtsc
Oh I get it, because Assange is a Russian FSB agent. Yep, makes total sense.

~~~
JabavuAdams
More like Assange knows that the FSB will just straight up poison him with
Polonium instead of slapping him around a bit and shipping him to GITMO.

~~~
superioritycplx
He could also be Seth Rich'd
[https://en.wikipedia.org/wiki/Murder_of_Seth_Rich](https://en.wikipedia.org/wiki/Murder_of_Seth_Rich)

~~~
sanswork
That interview was the final straw in causing my total loss of respect for
Wikileaks. Trying to profit politically off the death of an innocent man is
vile. Forcing his parents and family to endure the weight of the conspiracy
community in an attempt to attack your political opponents is an awful thing
to do.

------
defen
You're either a really good troll, or you need more practice with your
articles to pass as a native English speaker :)

~~~
dang
You can't conduct personal attacks like this on Hacker News. The odds that
you're right in any particular case are low and not worth the considerable
damage it does to the community. Please don't do this again.

We detached this comment from
[https://news.ycombinator.com/item?id=14008045](https://news.ycombinator.com/item?id=14008045)
and marked it off-topic.

------
faragon
Wikileaks is an organization built to destabilize the US government. Romantic
and idealist stuff aside, they are playing the role of "useful idiot" for
other intelligence agencies. And that is very dangerous.

------
arca_vorago
Look at all the people complaining that wikileaks is anti-western and/or
foreign supported/agents with no proof of this whatsoever.

If anything wikileaks has shown a superior journalistic record in publishing
whatever comes across their desk, so I don't see people criticising wikileaks
on this the weakest of points as anything but intellectually dishonest _at
best._

~~~
angry-hacker
As a foreigner this witch hunt for Assange is pathetic; suddenly when you
support bad boys he's no good.

Who said advertising doesn't work? Especially political.

------
SXX
It's funny to see how many educated people on HN expect to see something like
"Russia / FSB / etc" hacking tools or document leaks or whatever. Probably
it's due to looking at how three-letter agencies operate in first-world
countries; someone would expect that you actually need that many people to
steal some emails or get their hands on a company database.

It's obvious that no matter how big the NSA conspiracy is, every dollar spent,
every meeting that occurs, every decision made all have to be controlled and
documented. And any 3rd-party company working for the agency must have an
official contract, must report taxes and sometimes can even sell all the same
tools to other governments. So there are thousands of people participating at
every single step.

In a world of paranoid and corrupt ex-KGB mafia nothing like that is required.
All you need is just a few experts and enough money. Russia has plenty of
online criminals: carders, illegal pharmacy and drug dealers, owners of credit
card processing used for fraud, money-laundering payment systems, botnet
owners, spyware developers, and most of them are controlled by the state or
somewhat under a special agency's protection racket.

Need a 0-day exploit? Rootkit? Spyware? Any unique tools? Anything is there
for money! DDoS attack or a lot of proxy servers at any location needed?
Plenty of services there, and agencies obviously know the owners. No
documentation or reporting needed since corrupt government agencies have been
closely tied to those criminals for years.

So the same attacks that would involve at least a few hundred people in a
usual US three-letter agency would likely require just a few dozen in Russia.
What's more important, no one would ever tell the difference between this
activity and the usual agency behaviour related to the usual corruption
schemes.

So if you seriously think the Russian government is behind some attacks, then
you shouldn't expect any leaks about that. If there is something important for
the Kremlin they wouldn't mind dumping money on it, but there will be very few
people aware of it and of course there will never be any documents or other
traces since it would be done like any other attack against a commercial
company or opposition politician.

~~~
kushti
This is the perfect example of "whataboutism".

~~~
jwtadvice
Could you explain the difference between whataboutism and context,
particularly if a comment tries specifically to say that "two wrongs don't
make a right"?

------
jorblumesea
The more I look at Wikileaks the more I can see them being funded by
US/Chinese interests. They are turning from a leaks organization to vehemently
anti-Western.

