
Thousands of computers now compromised with leaked NSA tools, researchers say - remx
https://www.cyberscoop.com/fast-thousands-computers-now-compromised-leaked-nsa-tools-researchers-say/
======
arca_vorago
Which is exactly what we _crazy cuckoo conspiracy theorists_ have been warning
about. It's the same slippery slope we already went through in the 90's
crypto wars, but SV gets amnesia when it gets lots of stupid company
valuations and forgets all those lessons apparently.

Bottom line is this. If you put backdoors in, or exploit 0days for your own,
they will get out in the wild eventually, and suddenly you have massively
_weakened_ infrastructure, corporate, and government security... basically all
the things important to national security in general. So while I don't
disagree that triple letters need some cool tools to get shit done, I think
this function needs some technocratic oversight specifically for this issue.

It's time for a new Church committee.

~~~
sillysaurus3
The antidote seems to be for the NSA to maintain a security report for each
discovered zero day. If it ever leaks, they can send the target company the
report, which explains both what the exploit is and how to fix it.

That seems fair enough. The NSA needs to exploit flaws, but they can be a bit
less evil about it by being ready to fix them if necessary.

That doesn't solve the fact that NSA's competitors could find and exploit the
same flaws, or that sometimes it's hard to tell whether any leaks have
happened, but it's an improvement.

At the end of it, it's hard to seriously argue that the NSA should stop
exploiting computers. It's their role. We need them, just like we need a
military. But we can think of ways to reduce the impact without getting in the
way of their job.

~~~
averagewall
> it's hard to seriously argue that the NSA should stop exploiting computers.
> It's their role. We need them, just like we need a military.

Would you say the same of Chinese government hackers and Syrian military? If
yes, OK. I understand you accept the need for competition in arms. If not, can
you explain why?

~~~
Ajedi32
> Would you say the same of Chinese government hackers and Syrian military?

No, for the same reason why I'm okay with the US military having nukes but
wouldn't be okay with Syria having them.

Obviously it'd be great if we could get by with no military powers having to
possess zero-day exploits (or nukes), but so long as we can't be sure no other
nations are benefiting from such exploits, it makes no sense strategically to
forbid our own governments from doing the same.

~~~
averagewall
So it equally makes no sense for China to forbid itself from using their own
exploits? As long as they can't be sure America isn't benefiting from them,
they'd better keep up with the arms race.

Or do you consider America to be special and that it deserves these powers
more than other countries? Personally I don't think it's competent to hold
them because it has an ongoing history of using its weapons to destroy other
countries, property and lives. If I had to choose who wins the arms race, I
would prefer a less hostile country like China or Germany to have them instead
of America. But really, why not nobody? Exploits are offensive weapons, not
defensive ones.

~~~
Ajedi32
> So it equally makes no sense for China to forbid itself from using their own
> exploits? As long as they can't be sure America isn't benefiting from them,
> they'd better keep up with the arms race.

Correct. Same goes for any nation. Since there's no way to be sure that other
nations aren't developing zero-day exploits, not developing exploits of your
own does nothing more than put you at a disadvantage.

> Or do you consider America to be special and that it deserves these powers
> more than other countries?

Yes. I know this seems to be a rather unpopular opinion with the HN crowd
these days, but the US absolutely deserves to have better military
capabilities than nations like Syria or China. (As for Germany, I'd also be
mostly okay with them possessing exploits; as they're a democratic nation who
I generally trust to act in the best interests of their citizens. I cannot say
the same for Syria or China.)

> But really, why not nobody? Exploits are offensive weapons, not defensive
> ones.

That'd be great, but unfortunately it's not a realistic option. So long as one
nation possesses and benefits from zero-day exploits (even secretly) then it
makes no strategic sense for any other nation to intentionally put themselves
at a disadvantage by not developing exploits of their own.

------
eternalvision
Tech security has been an afterthought for too long. The core technologies we
use are putting us at grave risk in ways we simply cannot imagine. As we now
are starting to realize, that all of our digital lives are permanently
centrally recorded carries currently unimaginable risks down the road. That we
have centralized global social networks carries risks that the majority of
people are not able to experience or understand. We're progressing too fast
technologically, and there's way too much of a gap between morphing cultural
norms and a system of government that will be, by default, always out of date
with respect to these evolving norms.

That we connect directly to a worldwide network with minimum consideration for
security is very troubling. In decades to come, we'll look back in humility
and realize that the manners in which we used technology added grave risks to
our health.

In 2017, we are not in the "wild wild west" age of technology. Rather, we are
firmly in the dark ages. We're so far away from having an understanding
regarding the lack of social maturity in our technological growth that we fail
to properly consider the downside risks.

This is a tough nut to crack because technology is simply _too good_ for the
majority, even the technically inclined majority. I recall efforts by very
very talented folks to build decentralized technologies to help mitigate some
of these long term risks, but such efforts will remain firmly at the fringes
of intellectual superiority for a long time. Meanwhile, Goliath will simply
grow stronger in time, unless there is some major cultural shift. Is there any
such shift happening, beyond the fringe?

~~~
TheSpiceIsLife
Poetic, but you shot yourself in the foot in the first paragraph.

_"That we have centralized global social networks carries risks that the
majority of people are not able to experience"_

If the majority of people do not experience the consequences of the risks of
whatever-it-is-your-railing-against, if those risks are never realised by the
majority, your argument evaporates.

~~~
wu-ikkyu
Perhaps the reason most of us don't experience the risks is because the nature
of cyber warfare is more subtle than any other form of warfare in history.
Social engineers prefer to be undetectable, that means they're doing it right.

~~~
TheSpiceIsLife
Then it's hard to tell where the line between (cyber) warfare and social
engineering can be drawn.

Is what Facebook did[1] (does?) warfare? I sometimes like to dabble in
hyperbolic alarmism, so I'm inclined to want to say yes.

Maybe it's a sign of progress that we now consider emotional manipulation
"war". It's probably less harmful, by all accounts, than slaughtering each
other.

1. [https://www.theguardian.com/technology/2014/jun/29/facebook-users-emotions-news-feeds](https://www.theguardian.com/technology/2014/jun/29/facebook-users-emotions-news-feeds)

~~~
wu-ikkyu
I agree on all accounts. Facebook testing emotional manipulation is corporate
psyops weapons development.

Marshall McLuhan postulated back in the 1970 about the future of warfare:

> World War I a railway war of centralization and encirclement. World War II a
> radio war of decentralization concluded by the Bomb...

> World War III is a guerilla information war with no division between military
> and civilian participation

~~~
eternalvision
Cult-driven intellectual authorities believe that designing and firing rainbow
glitter embedded bullets of absolute power at rebels is a justified path to
social control. Tech such as FB's is misused accordingly.

------
ChuckMcM
It would be interesting (although I expect impossible) to figure out how many
of those thousands were compromised by the NSA vs those compromised by people
who got the tools through the leak. It was nice that Microsoft had already
fixed a bunch of them (almost like they were told ahead of time they were
coming).

It is also interesting to read the outrage about the tools and the
presentations on how to use them. If you have ever read the user's manual for
a cluster bomb which no doubt tells you in detail how to maximize the number
of people it will kill, you get a sense of how destructive and outrageous war
can be. Why should cyber war be any different? And how is it any different to
use a zero day to compromise a system than it is to use an architectural
feature of a building to bring it down on top of its occupants (other than the
obvious loss of life). Exploiting defects in the deployed system to maximize
the effectiveness of a munition, not a new thing at all. Just the reality of
warfare.

We're pretty clearly already in a form of warfare and it is having visible
effects on things like infrastructure and elections. So how do we make the
battles visible to the common folks? How do we convince Mom & Dad to patch their
router so that they don't inadvertently aid the 'badguys' in their quest for
dominance on the digital battlefield?

Definitely feels like Phase III of the Internet has begun to me.

~~~
thomastjeffery
> Why should cyber war be any different?

Because we aren't talking about bombs. We are talking about security.

We are concerned about "nuclear proliferation". Why aren't we concerned about
the proliferation of these tools? It takes material to make nuclear weapons
(obviously nuclear weapons are much more concerning, that isn't my point), but
it only takes instructions to create and use security exploits. In this
scenario, threats only have power for everyone who knows about them, and that
is inherently dangerous. We should put all of our focus into _getting rid of_
security exploits, not _creating them_.

~~~
ChuckMcM
We are talking about both because they are the one and the same.

I was talking about aggression against an enemy. Bombs, sanctions, cyber
warfare. All in service to making the 'other guy' pay the price. In the context
of cyber warfare getting rid of your own security exploits and creating them
for stuff the 'other guy' uses.

But that gets right to the essence of how this is different. The NSA sought to
use a superior knowledge of exploits available in the software their enemies
used against the enemy, even tho the same tools can be used on their friends.
That is no different than picking up the weapon of an enemy soldier and using
it against his own squad mates. Or having the enemy pick up your weapon and
use it against your squad mates.

Computers and networks are now (and arguably always have been) weapons of war.
Just as cars and the people walking into markets wearing vests full of semtex
are. And that is a sad truth because it means becoming a casualty can happen
anywhere without warning. And that seems to be what Phase III will be about.

------
mirimir
> “Shodan has currently indexed more than 2 million IPs running a public SMB
> service on port 445. ..."

OK, I understand SMB on LAN. But SMB on the Internet? Is that likely
accidental?

~~~
thomastjeffery
Or a stupid way to make your data available on the go.

~~~
mirimir
I did Google for "remote SMB". And your point was made in most of the top
forum threads. But sure, people like the easy fix.

------
1001101
I have heard the NSA mission in this regard characterized as both defensive,
and offensive. Defensive in that they protect our infrastructure (a counter-
intel role), and offensive in that they attempt to exploit the infrastructure
of our adversaries (and others) for sigint. The trick is finding the right
balance, and I don't think there's much hope for agreement on that at the
moment. I also find the debate a difficult one to engage in because there are
large information asymmetries and much of what we're trying to discuss is
obscured by secret courts, classified documents, etc. My impression is that
even the people who are tasked with oversight don't get the full picture, so
what do we hope to know about it. I've had experiences in industry that I
can't talk about that maybe you (in the general sense) haven't had that also
inform my views.

Personally, my view is that we should be putting the focus on the defensive
side. Protect infrastructure, IP, etc. I believe the reputation of technology
in general is harmed by the offensive mission, and US companies
disproportionately so. There are now even greater incentives for our
adversaries (and friends) to foster development of technologies that compete
directly with US products in their own jurisdictions (where they can get a
look under the hood).

------
lend000
I like the idea of the agencies being allowed to use a zero-day with some
asterisks.

* The zero-day has to be powerful enough to allow the agency to gain full access & remotely patch the zero day -- i.e. if the zero-day gets out, and the agency didn't warn the manufacturer ahead of time and instead used it for its own purposes, it _must_ have the capability to "immediately" scan the internet for the vulnerability and patch it where accessible.

* If the above condition is not satisfied, or if the agency can't/won't dedicate the resources to develop a backup patch, it should be required to alert the manufacturer immediately.

Does this cost more? Yes. Does it limit some of the monitoring capabilities
they will have? Yes. The second seems like a pro. The first one seems like a
worthy compromise for questionable activity with high potential for collateral
damage.

~~~
cosinetau
At some point, they'd make the patch, and discover they need access again for
some reason. We'd be right back where we started.

------
c0achmcguirk
"Once installed, DOUBLEPULSAR is a stealthy backdoor that’s difficult to
detect and continuously relays new information back to its controller."

Seems to contradict itself? If it's continuously relaying information,
wouldn't that make it easy to detect?

~~~
chongli
I think what that means is that it's difficult to detect on the infected host
machine. It's easy to detect at the network level, however.

~~~
jessaustin
Depending on the implementation of "continuously", it might not be easy there
either. Most hosts have some reason to be on the internet. Therefore, with
some cleverness, attack traffic can be hidden within normal, expected traffic.
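To make the two points in this subthread concrete (SMB reachable from outside the LAN, and a backdoor's regular check-ins standing out at the network level even when they use an "expected" port), here is an added example that is not from the article or from any commenter. It runs over constructed flow records; the address ranges treated as internal and the beacon thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# Documentation ranges (203.0.113.x, 198.51.100.x) stand in for "outside" addresses.
FLOWS = [
    (0,   "203.0.113.7",  "10.0.0.5",     445),  # SMB reached from outside the LAN
    (5,   "192.168.1.20", "10.0.0.5",     445),  # LAN-to-LAN SMB, expected
    (10,  "10.0.0.5",     "198.51.100.9", 443),  # outbound on a normal port, but
    (70,  "10.0.0.5",     "198.51.100.9", 443),  #   at a fixed 60 s cadence
    (130, "10.0.0.5",     "198.51.100.9", 443),
    (190, "10.0.0.5",     "198.51.100.9", 443),
    (12,  "10.0.0.8",     "198.51.100.9", 443),  # irregular browsing, not enough
    (40,  "10.0.0.8",     "198.51.100.9", 443),  #   connections to judge
    (400, "10.0.0.8",     "198.51.100.9", 443),
]

# Assumed definition of "internal": RFC 1918 ranges plus loopback.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def exposed_smb(flows):
    """(src, dst) pairs where a non-internal address reached an internal host on 445."""
    hits = {(s, d) for _, s, d, port in flows
            if port == 445 and not is_internal(s) and is_internal(d)}
    return sorted(hits)


def beacon_candidates(flows, min_conns=4, max_cv=0.2):
    """Outbound (src, dst) pairs whose inter-connection gaps are nearly constant.

    Returns [((src, dst), mean_gap_seconds), ...]. A low coefficient of variation
    (stdev / mean) of the gaps is the signal; the port is deliberately ignored
    because a check-in can hide on any port the host normally uses.
    """
    times = defaultdict(list)
    for t, s, d, _ in flows:
        if is_internal(s) and not is_internal(d):
            times[(s, d)].append(t)
    found = []
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((pair, round(avg, 1)))
    return found
```

Real flow exports have many more hosts and jitter, so the thresholds need tuning per network; the value of the check is that it works on a plain connection log rather than on anything the compromised host reports about itself.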

------
LoSboccacc
shower thought: have them been infected now, or now are known to be infected?

~~~
iraklism
I was about to comment something similar, but then I saw your post. Btw I
don't know why people are down voting it.

This is an important point. This research comes after 10 days of the leak. I
have been following the leak closely, I've even compiled a list with all the
analysis and resources on a gist.

Good guys, bad guys, kids, bored Blackhats, had enough time to practically
follow the step by step instructions in order to implant the backdoor. It
doesn't take more than 30-40 mins for the first read till a successful
exploit.

The short answer is that we have no idea of knowing how many of those were
backdoored by the NSA.

Also worth noting is that the leak happened 3-4 months ago. A lot of people
had access to this privately.

~~~
TACIXAT
I was thinking this created great plausible deniability for the NSA.

------
davidf18
I am worried about the firmware of Intel processors which I believe have had
firmware since the mid-1990s or a bit later. Is this possible and are there
tools "in the wild" that are capable of doing this? Does Intel do some sort of
checksum to ensure that this cannot happen?

~~~
i336_
Not sure whether you're referring to CPU microcode or the OS in the management
engine.

Microcode is remarkably tiny and heavily encrypted. I've never heard of anyone
dropping hints as to what's in it, so if that's permeable at all I get the
impression you'd probably have to have some rather nice friends to learn about
it.

Regarding ME security, here's some interesting info I found a while ago:
[https://news.ycombinator.com/item?id=13782508](https://news.ycombinator.com/item?id=13782508)

~~~
davidf18
Thank you. I was thinking about CPU microcode, but the problem would apply to
the ME, I'd guess.

Seems to me the CPU microcode could be hackable given NSA or Israeli govt
resources.

------
balgan
For more details on this and regularly updated infection numbers
check: [https://blog.binaryedge.io/2017/04/21/doublepulsar/](https://blog.binaryedge.io/2017/04/21/doublepulsar/)

------
Pica_soO
The zero-day NSA Pensionfund congratulates John & Jane Doe to his retirement
and wishes him/her a nice golden autumn in his Florida beach villa.

------
squozzer
"The sheer number of computers infected with DOUBLEPULSAR is likely the work
of amateurish hackers, experts said."

A huge assumption.

------
rapjs
Thanks Apple, for not caving to public pressure.

------
awarer
Side topic: How can the free market/enterprise work properly if there are
backdoors and zero days all over the place?

~~~
iraklism
If your threat model includes 3 letter agencies, the short answer is that you
cannot.

~~~
quantumhobbit
Problem is that the 3-letter agencies' tools get leaked and then are open for
script kiddies to use. So your threat model has a distributive connection to
the 3-letters no matter what.

------
awqrre
At the very least, they should at least create some honeypots to know when
those exploits are being used by others...

------
thomastjeffery
Just thousands? I think that is a few orders of magnitude shy...

------
godmodus
Good, this will jolt national and global security standards.

------
wslh
Are these added to a popular antivirus list?

------
sebow
shocking news indeed, seems like you need researchers and studies about
everything nowadays, otherwise you're called names

------
noja
"now"

