Hacker News
Snowden: Hack of an NSA server is not unprecedented, publication of the take is (twitter.com)
387 points by ajdlinux on Aug 16, 2016 | 229 comments



His complete post (just in case) original 4:40 AM - 16 Aug 2016 from @Snowden:

The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here's what you need to know: (1/x)

1) NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals.

2) NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations.

3) This is how we steal their rivals' hacking tools and reverse-engineer them to create "fingerprints" to help us detect them in the future.

4) Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed.

5) Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.

6) What's new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.

7) Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.

8) Circumstantial evidence and conventional wisdom indicate Russian responsibility. Here's why that is significant:

9) This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.

10) That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.

11) Particularly if any of those operations targeted elections.

12) Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.

13) TL;DR: This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast.

Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution - it's cheap and easy. So? So...

The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.

You're welcome, @NSAGov. Lots of love.


So this seems to be the "Dr Strangelove" scenario playing out, but with (fortunately) exploits rather than nuclear weapons. It sounds like many countries have other significant exploits into other countries, but this isn't "admitted"; it's not an unignorable public fact (+). The Russian destabilisation plan is to get Western countries to see NSA attacks on them and lose trust in the US - plus an attack on the concept of democracy by getting enough people to lose faith in the US election.

(+) "unignorable public fact" is a clunky way of expressing it, but I mean something that you can bring up in a news report and politicians discuss what the appropriate reaction is, rather than challenging the fact itself. This is getting increasingly rare.


It takes Russia pointing this out to make us lose trust in the U.S.? I think the U.S. has done this all on their own. Snowden was just the latest whistleblower showing the world they can't be trusted. There were others before him, but it got swept under the rug.

We all know the U.S. election system is flawed to a point of being broken and thus democracy as we like to believe it's supposed to work doesn't even exist. But everyone just accepts that's the way it is and carries on with life because "at least it's not North Korea." If you hadn't already lost faith in the U.S. election system years ago, then you've got your head in the sand.

It might be a hard pill to swallow, but I think if Russia's plan is to make the U.S. wake up and smell the coffee, they're actually doing the U.S. people a huge favour.


"The Puzzle Palace" was written in 1982. It's by an insider, James Bamford, and about his discovering by happenstance that people at the NSA listening post he was stationed at were listening in on American conversations illegally.

He also discovered that the Carter administration's justice department had opened a criminal investigation on the NSA, and through FOIA managed to get a copy of the file. It was pretty damning stuff.

This was 1982. What changed because of this?

https://theintercept.com/2014/10/02/the-nsa-and-me/


That article was incredibly enlightening - thank you for posting the link!


> We all know

That was the point I was trying to make with "unignorable public fact" - "we" don't "all" "know" that, for various values of those words. Would you expect TV anchors to say things like "Well, I'm standing outside this polling place, but I'm not really sure what the point is because elections are broken"? Millions of people get involved in fighting elections like they mean it.

Consensus about this kind of thing is a real problem, because the landscape is polluted with lies and delusions.

Edit: I specifically said "lose faith in the US election", not "lose faith in the US [generally]"; it's one thing if the bad policy is the result of legitimate elections, it's quite another if the vote is either widely rigged (hacking voting machines) or subject to intimidation. People ending up believing it's rigged when it actually wasn't is just as bad, it's the kind of thing that leads to political violence.


Oh, I don't mean it's rigged or hacked or subject to intimidation. I feel like it's legitimately hamstrung/broken.

Equally I haven't lost faith in the U.S. - there are millions of amazing Americans. I've just lost faith in the U.S.'s a). ability to elect the person they really want in charge because the voting system is broken and b). the person they _do_ elect doesn't have any meaningful power anyway because the senate is purposely designed to restrict any meaningful power.


The US political climate is most certainly not in a great place, but I wouldn't blame our system of checks and balances. In fact, I'd say that it's working as intended. It would be a horrible scenario if a president could easily override the will of Congress or the Supreme Court.


Why do people insist on calling the US a democracy?

It is a Constitutional Republic with the only democratic process being the representatives you elect .... represent you ... sometimes... if they feel like it.... unless they have been bribe^H^H^H^H lobbied to do otherwise.


It is a democracy. A Constitutional Republic is just one way of implementing a democracy, similar to how a constitutional monarchy is just one way of implementing a monarchy. Mob rule (everyone votes on everything and even a majority by one decides everything) is another (poor) way of implementing democracy.


Sorry... your logic is flawed at least semantically. If a "constitutional monarchy is just one way of implementing a monarchy," then presumably a "Constitutional Republic is just one way of implementing a" republic.

The only nexus between republic and democracy in this case would be the Constitutional Republican Guarantee clause. Since that has essentially never been adjudicated we can't know for certain whether - at least in Constitutional terms - a Republic does convey democratic rights.


Because it is a democracy. When you democratically elect representatives, it's a democracy.

If you elect incompetent, or corrupt, or evil representatives, it's still a democracy.


The law of the land is the constitution. A Republic is a land of laws. A democracy is a land of majority rule.

Democracy is a tyranny of majority. The founders did NOT want a democracy.


> A Republic is a land of laws.

A republic is a land where political authority isn't formally heritable personal property (e.g., basically a not-monarchy), a republic can also (like the US) be a representative democracy. It can also be an authoritarian dictatorship. It can also be a direct democracy.


A republic bound by a constitution cannot be a democracy of any sort.

The laws bind it.

I suppose since the constitution is completely ignored you might have valid points.


> A republic bound by a constitution cannot be a democracy of any sort.

You clearly are using "democracy" in a very peculiar sense. If you narrowly define "democracy" as "lawless mob rule", then your statement is true, but that's not what the word democracy is generally used to mean when discussing political systems.


Even accepting your personal definition of "democracy" to mean "pure majority rule", constitutions typically have provisions for modifications by majority vote. So being "bound by a constitution" does not eliminate majority rule.


That definition is anything but personal and carries the history of the democratic system prevalent at the time the term was coined. Just because you decide to use the same term for everything now doesn't mean that the original definition is "personal".


Democracy never meant "mob rule". Even in Athenian democracy, few things were decided by actual majority rule. Never in history has there been a democracy where pure majority rule was the typical case.

So yes, it is a personal definition. Scholars don't use this definition. Pundits don't use this definition. The common man doesn't use this definition. It's a BS definition, and if it weren't, it would be pointless and redundant because "majority rule" captures this already.


"A democracy is a land of majority rule"

That's where you're wrong. A democracy is a state where people have (or nominally should have) equal power to affect society's collective decisions. Not all implementations of "majority rule" meet this criterion.

Political decisions affect everyone, thus everyone should have an equal share in determining which ones we take - at least a priori.

We can cede some power if we decide that a certain class of questions are none of our business (for instance, delegate some decisions to a local level, or give Sharia courts jurisdiction over their adherents to take an uglier example). Or declare that some questions are non-political in nature, and should be decided by some sort of experts. But the decision about what is our own business must always be our own business.

Another way of saying the same is that all legitimate government comes from the people - as opposed to e.g. the divine right of kings, or a "natural" aristocracy.


> A democracy is a land of majority rule.

How can you have that without at least a one line constitution that says, more or less, "The majority rules"? You beg the question, sir.

Your very narrow definition of "democracy", majority rule without a constitution, isn't possible. Thus your definition is useless and therefore meaningless.


You don't get to narrowly define democracy to mean "mob rule" and expect people to use your meaningless definition. This is not the original nor the currently accepted definition and pretending that everyone should use your personal definition will not make it true.


It doesn't matter what the founders wanted, they're dead and buried. Their whims and dreams codified in this Constitution that everyone lives and dies by.

What matters is what the people want now and for the future of their United States... are you going to live forever more adhering to the rules of dead people? Seems er... pointless.


“Experience keeps a dear school, but fools will learn in no other, and scarce in that.”


Doesn't that depend what the representatives then do? Also, what about federal judges? None of those are democratically elected, and they get to interpret all the laws in ways that have great consequence. Hence, America's government is a little more complicated than "democracy", although some parts of it are surely "democratic" (e.g. the house of reps).


> Doesn't that depend what the representatives then do?

No. If you democratically elect terrible representatives who eat puppies, it's still democratic.

> Also, what about federal judges? None of those are democratically elected, and they get to interpret all the laws in ways that have great consequence.

You don't have to elect every government official for it to be a representative democracy. Democracy means that the ultimate power is vested in the people. If you elect representatives who appoint judges, the judges are still appointed by the power of the people.

> Hence, America's government is a little more complicated than "democracy", although some parts of it are surely "democratic" (e.g. the house of reps).

No government is simple. America is very clearly not a direct democracy, nor are all officials elected, but it is still a democracy.


While I see what you are saying, the OP to your post has it correct. You can say a republic is a bastardized form of democracy, but the reverse is not true. You can look at one of the few true democracies that has ever existed as an example - ancient Greece. Every citizen[1] could vote and put forward changes to laws or even create new laws (obviously with a majority vote).

[1] A citizen was considered to be any person born of Greece, white and male.


I think you're thinking of the Athenian democracy, because Greece wasn't politically unified at that time.

https://en.wikipedia.org/wiki/Athenian_democracy

I doubt that the Athenians had the present-day concept of "white people". Wikipedia says that citizens "had to be descended from citizens", so maybe at least in a certain era nobody known to be descended from people coming from outside of Athens could be a citizen.

https://en.wikipedia.org/wiki/Athenian_democracy#Citizenship...

Edit: looking at one of the references, it seems that there was a year when explicit citizenship lists were drawn up based on all free men who lived in Athens (maybe with some kind of ethnic exclusion at that time too?). From then on until Pericles, children could be added to the list if their fathers were on the list. After Pericles, children could be added to the list if their mothers and fathers were on the list.


First, it was Athens, not Greece as a whole. It was free, male descendants of Athenians who were allowed to participate - their degree of whiteness was not an issue independent of that. They had a large class of immigrants and descendants of immigrants who were not allowed to participate.

Most importantly, while there were a few questions settled by referendum where all citizens could vote, most were settled by randomly allotted juries. This meant there was little advantage to forming political parties around popular demagogues, or running well-funded propaganda campaigns.

Athenian democracy got knocked down many times and came back every time, except the last. The second-to-last time, a bunch of immigrants had fought for the liberation and restoration of democracy, and some leaders argued forcefully that they should be awarded citizenship for this. But they didn't get it, the existing citizens voted against.

The reason democracy finally failed was probably this. The Athenians knew (especially the poor) just how unusual and lucky they were to have political freedom, so they were fiercely protective of it - and didn't want to dilute it by sharing it. Eventually a large part of their society had so little stake in democracy that they didn't bother to restore it.


> Why do people insist on calling the US a democracy?

Because it is designed as a (representative) democracy. It's also a federal republic whose constituent units are mostly-representative [but some with significant aspects of direct] democracies.


Do we need to have this conversation every time?

They absolutely do represent you.

What do you think the representatives are doing when they're trying to fuel up the corporations in your district? They're representing your interests by making sure that the jobs stay where they are, just not the interest of the American people.

The senators represent the state's interest, the representatives represent the district's interest.


Go to a town hall meeting - the local and state government level. Democracy is not just electoral process.


Off topic, but I keep seeing things in the format of "word^^^^^" and "bribe^H^H^H^H", things like that. In your case it seems to indicate sarcasm, but that doesn't always seem to be the case.

Can someone fill me in?




I like to call it a Constitutional Democratic Republic.


>> If you hadn't already lost faith in the U.S. election system years ago, then you've got your head in the sand.

The only check on this is the separation of powers, and even then, career politicians, special interests, and tons of money have way too much influence. Add in the fact that the press were supposed to be the check on government and now they're firmly in bed with the political parties. All you get is the incredibly slanted, biased, and spun stories to influence you so all you get is their viewpoint. I can't imagine how I would see the world if I only read the New York Times and only watched MSNBC.

If some of the fringe third parties would all come together and find a common platform, it would certainly replace my faith in the current system.


Career politicians, special interests and tons of money got comprehensively spanked in the Republican primary process. Trump is an even worse choice - but he demonstrated that it is possible to beat the machine. Sanders came very close to doing exactly the same thing. The US system is significantly more favourable to insurgents than many.


It was interesting to see how the "establishment" Republicans tried at every turn to thwart and remove Trump from the process, but in the end relented (however much it pained them) because that's what the voters said they wanted.

The "establishment" Democrats were the same except they succeeded in placing their candidate ahead of what many believe their base really wanted.


Given the outcomes of these scenarios, it's hard to see pure democracy as an advantageous model from this example.


> But everyone just accepts that's the way it is and carries on with life because "at least it's not North Korea."

They aren't Brazil either, or even most places in Europe.

Were I a US citizen, I'd be very wary of people trying to fix Democracy¹. They have a pretty good quality of life, and any attempted change can go very badly very easily - the more "let's fix things" is the change, the easier it could go badly.

1 - Hell, I'm wary of them here in Brazil! Because, you know, we aren't North Korea either, nor Venezuela. That said, we recently got a very good and very safe fix applied - the trick is that nobody was claiming it was a fix for Democracy, it was some people "just doing their work" in unforeseen ways.


Part of the question is the basic mechanics of democracy: does everyone actually get a vote, and does the count accurately reflect votes cast? "Fixing" that should be less controversial than it is.

Far too many voting machines are still insecure, and one of the candidates is pre-accusing the other of fixing the election.


But it is not whether it should be fixed that is controversial. It is how you fix it. And there's plenty of danger with most fixing procedures.

And yes, there's also some propaganda for not fixing it at all. That's what supports voting machines (at least here). But, again, how do you fix the problem that makes propaganda viable?

For the specific problem of voting machines, candidates accusing others may be the best avenue for moving people in the correct direction.


>Far too many voting machines are still insecure

And they always will be. It's impossible to have a secure voting machine.


> We all know

rolls eyes, adjust your tinfoil hat.

Look, even if you believe that dark, unseen forces control the world using the US as a conduit - it would appear that the world has been the better for it. Given a choice of world management between Russian and US in this regard, the choice is pretty straightforward.

People who complain about Europe, the US and the general Western alliance's management of the world are selling a pretty ugly alternative.


I think many people of Vietnam, Cambodia, Laos, Indonesia, Angola, Nicaragua, Grenada, most of the Middle East, Afghanistan, Pakistan [1] and so on would strongly disagree. Potentially lesser evil out of 2 evils ain't no good choice.

[1] http://academic.evergreen.edu/g/grossmaz/interventions.html


Most of these countries (or regions) never took up capitalism, free markets, and liberalism. Being partners on either side of a proxy war obviously didn't help.


So they deserved it then? Please keep in mind you're talking about many innocent bystanders being killed as an outcome of US foreign policy.

I don't think it's entirely black and white in the other direction either but your comment strikes me as crass and indifferent towards human life, dehumanizing, confusing people with their larger society and government.


The classic example of a generally stable and democratic country being overthrown into illiberalism and mass murder by the US is Chile, which was missing from that list.


Would not call '73's Chile stable, unless you consider current Venezuela a stable country, which I do not.


.. and there's the other half of the false dichotomy: if you're not with "us", you're against us.

It's interesting that you choose to use the word "management" here - we in other countries are not left to make our own decisions, they're "managed".


If you believe what you say. If you believe Russia releasing hacks and influencing US elections -- how is that any different than what the US does?

If you believe all that, you have to consider the results of Putin's Russia: Oligarchy & Nationalization, direct imperialism (Ukraine), the support of extremists/fascists in foreign countries...


Yes, Putin's Russia is terrible, and exporting problems. They're a contributor to the Syrian mess as well.

That doesn't make it OK for the US to do it as well! This is what I meant by "false dichotomy". If anything, the US (and especially UK) use of domestic surveillance and extraterritorial interference makes it harder for us to argue that Russia should not do those things either.


Whether the US is a force for good is a completely different argument than whether it's untrustworthy and/or undemocratic.


#1, Yes, I specifically called out his argument as being hollow, and supported only by an appeal to "everyone knows" - he's self selecting his audience.

Even within that audience which implicitly accepts the government is more directly engaged in protection of sovereignty via clandestine means against its own citizens -- that audience should probably consider the goals of the sources.


I think the expression you are looking for is "common knowledge". It's something that you know that the other guy knows you know and so on.

https://en.wikipedia.org/wiki/Common_knowledge_(logic)


>> The Russian destabilisation plan is to get Western countries to see NSA attacks on them and lose trust ...

That assumes that we 'the people' are part of the equation. We aren't. This looks like standard gamesmanship between intelligence agencies. They operate in a world above the cares and needs of the common people. Such messages normally pass quietly through known channels (servers known by both sides). The going public says to me that the message wasn't getting through, or wasn't being taken seriously by the right people. This is about communicating intention to someone who, perhaps, needed to be publicly shamed in order that they take the situation seriously. That would fit the pattern of many 'cold war' spy games.


What is this 'Russian destabilization plan' you are talking about?


Thank you for summarizing that. As others have commented, I wish Snowden would simply blog about this sort of thing. Twitter is frustrating to digest for any insightful commentary that is on the longer side.


If we're lucky, Twitter will do what they did with the hashtag and other things when they realised their users' needs were 'inventing' new features.

The 1/n 2/n n/n tweets is a huge indicator of a feature need. Of course, that's going to dilute their original value proposition of short direct messages.


Twitter started out as an SMS repeater.

SMS has for ages, thanks to Nokia, had the capability of merging multiple messages into a single large one.

Twitter could just make use of this and save themselves a whole lot of grief.


Let's be serious. No one reads twitter over sms anymore. This isn't at all the reason twitter continues to limit to 140 characters.

(Before some smartass replies "I do read over sms", well even without sms merging, twitter could still split a tweet into multiple sms. 99.9999% of their userbase wouldn't care.)


That's not relevant to the OP's point. The point is that even SMS clients were capable of merging multiple messages together, yet Twitter has still failed to do so. So whether or not they were SMS doesn't matter.


No one read twitter over sms in the first place. It was a quirk of a pivot.


> value proposition of short direct messages.

"Value proposition" or stubbornly clinging to something that users do their best to work around?

Why not just cut to the chase and make this thing essentially broadcast email, or more generally yet another blogging platform?


I've said it before: Amazing that it was Instagram that copied the idea of Snapchat stories.

Facebook has a complete "Post" blogging mechanism.

Twitter is soon going to stop counting urls in the 140 characters.

One of these things is not like the others...


Oh By Codes[1] are 4096 characters long and can be used, inside a tweet, as a tweet expander. No URL/link necessary.

[1] https://0x.co

edit: well, not everyone knows what an Oh By Code is yet, so for now I suppose the link format is best, but eventually, just the code itself will suffice ...


I agree, but twitter does simplify the spread of certain "quotes". I doubt the same amount of people would take to social media to share a blog entry as opposed to tweets.


Yeah I don't understand why people don't just blog and be done with it, without all the formatting gredue.

Then, you can just post a link on your twitter and say "hey, see my new blog post".


If HN and Reddit are any indication, if you post a link to a blog post, people will respond without reading it. People don't like switching domains, especially if they are browsing from an app. (Myself included)


Sure but that's not just being lazy, it's also a learned habit. There's a great deal of blog posts (like most writing in general) that is 5% information and 95% fluff. Sometimes you want the art, sometimes (esp. the engineering mindset) you just want the information. Skipping to comments frequently yields this, often with bonus comments like "I'm an actual expert and that post is very inaccurate".


This. I frequently find myself skimming over HN comments on a submission before reading the article, because it provides a hint at whether reading the submission is actually worth my time.


Or in this case, the HN comments actually provide a more complete article/summary :-)


Also blogs often mean fancy HTML etc, something that rarely produces a good reading experience on mobile devices.


In my experience, twitter is one of the worst offenders here, with an exorbitant amount of HTML, Javascript and pop-ups just to prevent me from reading 140 characters.


Ironically, I find Facebook's webpage way better on mobile than their actual app. I believe their app may originally have been designed for cellphone battery endurance testing. After a bit of hacking, someone figured out it could access Facebook and they decided to release it as an app.


In this case Twitter at least provides a single authoritative source, which is valuable.


True, but there are ways you can do something similar on a blog. If you link to the blog post from Twitter, I think that becomes a simple confirmation that the person wrote it.

Or, given this is Snowden, he could GPG sign his blog posts and post his fingerprint to Twitter or something to verify identity.


Given the way that people like to pull quotes out of context, writing something as a series of tweets forces you to look at each piece and see if it can stand alone.


There is an interesting story and for some reason HN's top comments have to do with people being annoyed he tweeted rather than blogged. Let's hope some additional voting improves the s/n ratio of this thread, and the useless comments (including this one) disappear.


Linkable version https://typed.pw/a/1333


> 5) Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.

I know enough to say that this sentence reveals a lot about what Snowden knows, and what he doesn't. Mostly the latter. He doesn't seem to understand the context and meaning of acronyms he uses.


I know enough to say that an anonymous comment on the internet pretending to know about NSA procedures & jargon is not worth much especially when said comment is attacking someone we know for sure had access to the NSA.


Alright bud. I don't have a facebook, twitter, instagram, or any of that other stuff, so I'm not sure how to refute your claim of anonymous. I can say that anonymous hostile replies sure don't do much to further the conversation. What do they say, something about pots and kettles?


A year ago you said you don't work for the NSA or DoD but know one person who does:

https://news.ycombinator.com/item?id=9297990

Are you seriously expecting us to believe that your friend is telling you how the NSA is internally structured and how sensitive foreign operation intelligence programs work?

Plus in another comment of yours you claimed to know how General Atomics MQ-1C Gray Eagle worked behind the scenes but when asked to post more info you never did.

https://news.ycombinator.com/item?id=10954248

So you're seemingly a Linux admin, but know tons about the inner workings of both military contractors, the DoD, and NSA from your single friend? Seems uhh a stretch, let's just say that.


> Plus in another comment of yours you claimed to know how General Atomics MQ-1C Gray Eagle

He spelled it "Grey Eagle". It's unlikely one can actually speak "professionally" about a program when they can't spell it correctly.

If you're part of the program, you're seeing/typing/writing the name "Gray Eagle" day in/day out.


Heh, if you're part of the program, you may also call it 280, or 64-bit. But, you'd only know that if, ya know, you're actually part of the program.


Oh no, I'm part of the program now!


[flagged]


You must be young. It's generally an after-dinner dessert drink.


Care to elaborate? TAO (https://en.wikipedia.org/wiki/Tailored_Access_Operations) seems fine to me.


TAO is composed of much, much more than "hackers". To give him the benefit of the doubt, his comment shows willful ignorance of this fact.


No it doesn't.

To use an analogy this is like someone saying the "US Army" in reference to infantrymen specifically and then someone, such as yourself, coming along throwing their hands up and saying "The US Army is composed of much more than just 'infantrymen,' this comment shows willful ignorance of that fact."

We can all read the Wikipedia article on the TAO[0]. You aren't fooling anyone by acting like you know more than is publicly available, and trying to correct someone who provably worked for the NSA seems at best arrogant, at worst ridiculous.

[0] https://en.wikipedia.org/wiki/Tailored_Access_Operations


C'mon, it's Twitter, where you only have 140 characters. He's not going to type out "NSA's hackers (generally part of the group known as Tailored Access Operations, but there are some in other groups)" just so you can't be pedantic.


The quoted tweet uses two acronyms. Which is incorrect?

You say acronyms as a plural.

Can you please identify two or more specific usages (hopefully with citation!) of Snowden using acronyms incorrectly?


TAO is composed of much more than hackers, and hackers are in other groups besides TAO. No, I don't have link-able sources.


Yes, TAO is more than hackers. NSA isn't the only organization in possession of SigInt groups which operate like this, hell, it's a pretty long list of groups.

However, you may want to consider Snowden isn't hostile enough to go through and list every group in the US that maintains an arsenal of malware for operations in public. That doesn't necessarily mean ignorance, a more generous interpretation is everyone knows about TAO so he calls it TAO.

I realize you probably don't like the guy, but would you really have preferred he list off every SigInt group in the US with a malware arsenal just to cover all his bases and all of their component groups that operate in relation to it?

Idk about you, but I don't need him to post org charts of all of that to get the gist.


You also need to realize his audience and this communication medium. He is speaking to the American public. He needs it as simple as can be.


Seems like it would be a fun multidisciplinary place to work, but wouldn't wanna jump through all the hoops and tend to weight any quest for "secret" knowledge with such that the limit approaches zero.


> it would be a fun multidisciplinary place to work

They apparently don't shy from morally questionable ways to accomplish their goals. So if you are into it.. Snowden actually wasn't and that was one of the reasons why he decided to quit CIA and eventually become a whistleblower.


> but wouldn't wanna jump through all the hoops and tend to weight any quest for "secret" knowledge with such that the limit approaches zero.

There was this part, I also tend to think there are more technically interesting problems than circle jerking over the latest js framework for engaging with skinner boxes that more people get the so wonderful opportunity to make decent money for.

> Snowden actually wasn't and that was one of the reasons why he decided to quit CIA and eventually become a whistleblower.

I also don't see Snowden as a hero like most paint him to be, Binney, Drake et al. and many others came before (whose opinions get often ignored compared to the latest lord savior). The fact that he tends to get the most paid press offerings and stamp of approval from the media™ tends to make me think lower of him, as with his dubious "service" in the first place… shrugs… his life, not mine.


It also highlights the risks of NSA exploiting zero-days and creating malware to conduct offensive operations, rather than reporting vulnerabilities to the vendor to make everyone safer. Now these tools have been stolen by one of their adversaries, and may make it out into the public for anyone to take advantage of.

I just watched an excellent documentary called "Zero Days" (https://weshare.me/823adb83b8e98628) this morning about the whole Stuxnet (aka Olympic Games) debacle. They really are playing with fire.


Slightly off-topic but I also tried to watch "Zero Days" since the subject interests me. But, with the constant exaggeration and dumbing down of the subject, I could only watch about 20 minutes before I turned it off.

If you want something technical that is not exaggerated, you better watch something else. If someone has a recommendation, please share.


I recommend sticking through till the end. The first 20 minutes just sets the scene - the story gets a lot more interesting once it links up the technical stuff with geopolitics and the relationship between US & Iran, and what they did to the centrifuges.

The last part has some insightful commentary by a number of experts on the new world of so-called "cyber warfare" that we're entering into.


The book '@War: The Rise of the Military-Internet Complex' by Shane Harris from The Daily Beast is very good and talks about the obsessions with offensive weapons. And the embarrassingly bad defensive posture the US has via policy failure (ie: focusing on private-public info sharing deals that do nothing, instead of real defence) and inter-agency fighting.

https://www.amazon.com/War-Rise-Military-Internet-Complex/dp...


> focusing on private-public info sharing deals that do nothing, instead of real defence

Can you elaborate? I haven't been exposed to any ideas that address this without compromising civil liberties.

That is, "real defence" sounds like the government monitoring internet connections to my company for malicious activity. I don't think that's good for business.

I might be thinking a little close-minded about it though. Please share what you mean.


It's been a couple of years since I read @War, but ISTR it described interactions between public officials and private industry that were explicitly more about politics and marketing than they were about security or risk management. E.g., NSA set up public-private dialogues with tiered access, then tantalized executives with off-the-record-but-in-a-meeting-also-attended-by-other-companies reports of server pwnage, to motivate them to sign up for the next, more stringent tier of cooperation. If the idea really were to improve security, the same information could have been distributed in truly private fashion. Also, NSA could acknowledge that private security firms are generally more helpful to companies than NSA is, and simply transfer their knowledge, when appropriate, directly to one or more NSA-vetted firms. The public actions of TLAs described in that book were far too entrepreneurial, in the sense that they didn't care what they did or what effect that had, so long as they were in the middle of everything to demonstrate their budgetary importance.


Thanks! It appears that the real problem is in the supremely suboptimal execution of a potentially acceptable vision.


I'm not sure how much explanatory power your summary has: couldn't that be a description of any government fuck-up? b^)


Have you read Countdown to Zero Day: https://www.amazon.com/dp/B00KEPLC08/ref=dp-kindle-redirect?... ?

It is ultimately penned for the masses, but even if you're technical you'll likely enjoy it. And there's plenty of scope for going off and doing your own research about bits and pieces.


A fire that they are showing they do not know how to control.


They do not know how to perfectly control it. Given the obviously huge scale at which they operate, it seems to work reasonably well. Yet the huge scale is exactly what scares the socks off of knowledgeable people - even more than a fire here and there. Their PR problem is that the number of times they successfully work in the dark is somehow confidential...


You have got it right there! Breaking into a system is easy; keeping yours intact is not. That is the part that the US GOV still doesn't get: the defensive part of the equation. BS (Before Snowden) people suspected, but now we know people are listening everywhere. And even the NSA is not immune... that is scary, that no matter how good your InfoSec is, your IA is lagging far behind.


It's the consequences, not their size.

"Look, we've put off 99.9% of the fires we started last week. Your complaint about us completely burning 2 cities down is baseless, you can't reasonably expect our fire-control to get any better."


Question: Does the NSA have an obligation to be ethical?


They swore an oath to protect the Constitution.

https://www.law.cornell.edu/uscode/text/5/3331

They even reaffirmed it late last year.

(sorry for the google cache link; www.nsa.gov (AkamaiGHost?) is currently returning 503 Service Unavailable)

https://webcache.googleusercontent.com/search?q=cache:-yz7S-...


I would argue yes, in the sense that all of us do (both in our professional and personal lives). The US likes to promote itself as the "good guys", and if they want that reputation, they have to earn it. NSA's activities are in direct conflict with that ideal.

Society only functions properly when people act ethically. We have laws in place for punishing those who harm others in various ways (financially, physically, etc.), as a means to discourage bad behaviour. In theory there's supposed to be international law, but sadly no-one seems to pay much attention to it.


I would only add that the NSA has politicized themselves in exchange for the expansion of their powers. Now as a political entity it seems they have a much lower standard of ethics and now it is about maintaining power.


Does anyone on earth not have an obligation to be ethical? (Yes, I know there is no universally accepted definition of "ethical".)


Yes, I don't. Because when you say "act ethical" you mean "do what pleases me". This is why you can't put forth a definition, because if you did, it would expose your hypocrisy.

And I'm not one bit interested in doing what pleases you. I'm only interested in doing what pleases ME (as is every other person on Earth, although most will never admit it out of cowardice).

So no, I don't have ANY obligation at all towards you.

Now, is it in my best interest to treat you nice and contribute to your well-being? Yes, in most circumstances I'd have to admit that it is.

Have a lovely day!


That's pseudo-intellectual hobbelgoggle.

"Pleasing" deals with emotions, so we can drop the facade of hyper-rationality right there. Cooperation is beneficial for an individual's survival, as you rightfully state. It is indeed of such importance that the standards of cooperation have been internalized long ago – for non-sociopaths, altruism is an end in itself and creates positive feelings.

And if you insist on your way of looking at it you actually stopped half-way: what "pleases you" is /also/ just a useful heuristic to maximize your reproductive success. The warm feeling you get from winning the lottery is no more or less real than the warm feeling (other) people get when they see someone happily getting married.

For this whole system the borders between the individual and the group are fluid. While certainly, all else being equal, the individual's need usually trumps the group's, it is anything but clear-cut in most real scenarios. You may be willing to sacrifice someone's life to save your own, but that can change if the other person is your daughter, when you get to old age or when it's not a 1:1 sacrifice but merely an assumption of a non-zero risk of death.


Calculated actions that take emotions into consideration seem pretty "hyper-rational" - you acknowledged as much with examples.

> ... but that can change if the other person is your daughter ... old age ...

It isn't as complicated as you're making it out to be, the decision made by the individual depends on the maximization of their goals. So that depends on the weight they assign to the importance of genetic immortality, reproductive years remaining, justice in an afterlife, etc. Sure, not everybody is a perfectly rational actor applying game theory in their daily interactions, but individuals are much more self interested than you're describing - even with family.


I don't really disagree that all human actions have self-interest as the core motive. I'm just saying that in an interdependent social environment, a phenomenon best described as altruism naturally emerges, either because instincts initially developed for self-serving purposes develop a life of their own, or because the still-existing individual benefits are obscured (i. e. a sort of game-theoretic justification for a middle class person to support welfare).

I'm mostly taking offense with the characterization of such "feelings" as "not real" or of lesser value than the "pure" thought of rational egoism:

1. If we take altruism as a highly developed extension of egoism, it's worth considering it an invaluable heuristic trained over thousands of generations to intuitively make good decisions. Where a cold analysis may tell you that giving money to a poor person is wasteful, I'd say that the warm fuzzy feeling we get from giving is an encoding of results gained over millennia of experience.

This also touches another point: I'd suspect that most altruistic behaviors are actually net-negative for the individual but, when practiced by large parts of the population are beneficial for everyone. Here, emotions serve as a prehistoric solution to the tragedy of the commons. It's an idée fixe in some circles, most notably libertarians and the Ayn Rand crowd to replace this with a system of contracts or simply force but that disregards (amongst other things) that almost no idea in psychology has more empirical support than the beneficial effects of helping.

2. If we consider altruism as an emergent behavior, a sort of instinctual moral code, it should be revered as one of the highest achievements of humanity on a level with art or science.


> ... "feelings" as "not real" or of lesser value ...

Well without getting into value judgement, you seem to be on board with the idea that emotions are a much higher level of abstraction above the cold logic of genetic survival. I'd welcome an emotional appeal in a public policy discussion as much as I'd welcome a javascript based boot loader. There is a time and place for everything, but emotion is given far too much weight.

Altruism is by definition a net negative for the individual, and I agree that it is very likely deeply rooted in our gene pool. But I certainly wouldn't hold it up as any kind of great achievement, especially considering how frequently it is exploited as a weakness by those in power ("think of the children"). I don't know if we'll ever get to the point where it can be considered a vestigial adaptation, in the same way we have unused muscles for controlling the orientation of our ears, but I hope that one day we'll be able to survive without the genetic compulsion to self-sacrifice.

It has been a long time since I gave Ayn Rand any thought, but your characterization seems pretty far off the mark to me. Have you read her books? She hated libertarians, the use of force, and she didn't want to replace altruism - she wanted it gone. Her reasoning is pretty well founded, as history is full of well intended and ill-conceived calls for sacrifice - the road to hell is paved with good intentions, etc. As far as contracts... I'd love for the world to have that level of clarity. That is why the US is such an attractive setting for business vs many other well developed economies (Mexico for instance), businesses hate uncertainty.


> I'm only interested in doing what pleases ME (as is every other person on Earth, although most will never admit it out of cowardice).

This simply isn't true. Humans engage in many self sacrificing behaviors for a variety of reasons. We're a social species with complex instincts and tendencies in how we form groups and collaborate. People who understand humanity is not a cartoon of individual self interest are not cowards.


[flagged]


Quite the eloquent rebuttal. You've swayed me with your words.


Pretty much right, you don't need a religion or code of conduct to tell you not to be a dick. With the NSA, and many other agencies and organizations, a culture of ends justifying means is highly contagious. Human nature and our reasons for being decent moral persons and speaking the truth instead of a lie, always has some threshold defined by our world view and beliefs. When you deal with scumbags all day, those pesky rules and rights are just in the way of justice sometimes.


This is a circular question. One's obligations derive from one's ethics.


Yes, no one does. You are not bound by law to be ethical. There's no law about it. Are you _supposed_ to act ethical? Absolutely. But you don't have an obligation.


Legal obligation being the only possible meaning of "obligation", obviously.


When the best thing you can say about your position is it's not literally illegal, you should probably stop digging.


The naive point of view would be that if you're an American citizen the NSA agents are supposed to be YOUR employees so they have an obligation to be whatever you ask them.


They are indirectly doing exactly what the citizenry have asked them to do. It's just that the HN community (and me) don't agree with it.

1. The most pressing issue for debates is terrorism response. [1]

2. Lawmakers and the Executive are elected on this mandate and spend significant resources (estimated $100Bn per year). [2]

3. The NSA performs all of its functions based off of requirements generated by ODNI, DoD, the Chief Executive, and congress. [3]

4. Most individuals care deeply about privacy and think there should be greater limits to what the government collects. However, less than 10% have changed their habits to improve their privacy posture. I conjecture that this suggests that privacy is not a priority compared to physical and financial security to most citizens. [4]

In this case I think it is fair to say that the best interests of American society and its economy are being thwarted by security concerns of a plurality of citizens. The right course of action is for privacy debates to be publicized. The Pew report referenced in #4 shows a far greater skew toward privacy action after being informed of government and commercial surveillance.

[1] http://www.pewresearch.org/fact-tank/2016/08/15/in-debates-v...

[2] http://money.cnn.com/2015/11/16/news/economy/cost-of-fightin...

[3] http://fas.org/irp/offdocs/int023.html

[4] http://www.pewinternet.org/2015/05/20/americans-attitudes-ab...


[flagged]


Please comment civilly and substantively on HN or not at all.


Please pardon if my comment came off as uncivil. My intent was to illustrate the potential ambiguity of ethics in national security issues by quoting a speech of Col. Jessup (Jack Nicholson) from "A Few Good Men". I saw the message of Jessup's tirade as parallel to the discussion topic and as illustrative commentary on the ethical boundaries of the NSA. Who defines those boundaries and in what context? Military, intelligence, or civilian? Peacetime or a time of threat? While the emerging activities and powers of the NSA concern me, I do not believe the agency is inhabited by evil people, but rather by people that believe (correctly or not) that they are playing a key role in protecting our nation. Their ethical boundaries are likely defined by the context of the threats that they encounter during their work. Some may believe that the critique by some nerd at a computer (me), who is ignorant to many of those threats, is ironic and a demonstration of the freedom that they protect. I did not intend to disrespect HN or its users as this is an informative and entertaining forum which is a daily stop for me. In retrospect, I probably should not have used all caps, and I should have placed an explanation along with the quote. -Respectfully, Vibrio


>and may make it out into the public for anyone to take advantage of.

Why would they do that? It's more likely they'll be kept for other attacks or sold to nation states for vast profits.

I also suspect there's nothing magical going on at the NSA. Whatever zero days they have are probably had by other intelligence agencies and hacking groups. Whether to report them publicly is a political decision that these groups have zero incentive to make. Ethical researchers and white hats, from my understanding, are a very small part of the scene, or at least the part of the scene that gets real results.


Their adversaries likely won't make use of the tools for anything serious. They know the NSA already have detection capabilities for their own 0days, and using these tools is a dead giveaway to the NSA that they've been made. An adversary would do well to be very careful about their use of stolen knowledge.

As for it hitting the public like this; I'm not sure we'll see this happening incredibly regularly.


IMHO Twitter is the worst media for this kind of discussion: I would have loved to read something more substantial but being limited to 140 char forces you to omit a lot of details.

Why use something like 10 tweets where a blog post lets you have as many words as necessary? You can still be concise but 140 char is too short, it's just for people that have uninteresting things to say and Snowden is certainly not one of them (unless he starts to comment about the weather in Russia).


Because Twitter has a vast public reach, more so than an individual's blog. It's also really easy to use by journalists who get pre-made sound bites, which is a bonus for the sources too - they can more easily edit and shape how they are quoted.

While a blog would be much better quality, quality journalism doesn't sell nearly as well as highly-polarised, bite-sized clips.


The obvious solution is to use Twitter to link to your longer article. Isn't it?


I think people fear the rather nasty experience of embedded webview when you click a link. It seems to be a bit of a barrier to entry.


What is that? On both TweetDeck and the normal Twitter page, when I click a link the target opens in a new page; nothing embedded.


It's on Twitter for Android, which falls back to the system webview (on my old-ish phone, IIRC Chrome v30), when you don't have Chrome installed.


Oh yeah, I hate that. I suppose there is a good client for Twitter on Android, but I haven't found it yet.


I'm writing one with pure HTML5 (Cordova) actually. Too bad it needs either a Cordova container, or a server backend as a proxy, because Twitter sends out fairly restrictive CORS headers.

If you don't want to wait until it's ready, I recommend tweecha - or install Google Chrome from the Play Store, that should make Twitter automatically use the Chrome webview instead.


Ideally, yes, although I can't actually imagine how any interesting discussion could come of this particular information in either medium - the "good" stuff will be on satellite communities like HN, reddit, 4chan.

While a blog is a better authoring medium, it's still shit for discussion, and loses some of the media impact benefits that Snowden probably intends to leverage here.


I know that, but Snowden is less superficial than politicians and journalists: he has convictions at least.


Right now it seems like the only game he can play, whether or not he actually wants it.


I'm fond of tweeting a screenshot of longer text, e.g. from the notes app.


I hate when people do that. Much like I hate when people looking for support send me screenshots - it's SO MUCH harder to transcribe ID#s, for example, or to record the details of the issue for future search.


If it's a question of a lesser of two evils - tweetstorms or one screenshot - which do you prefer? Consider also the fact that when people share a tweetstorm, they may even take a screenshot of it.


What about http://pastebin.com or http://www.twitlonger.com (latter requires sign-in, though)?


Mine are Pastebin'd. Works fine for most writing.


> If it's a question of a lesser of two evils - tweetstorms or one screenshot - which do you prefer?

How about a screenshot with a link to the text version for those sufficiently motivated? I know most people don't care for accessibility, but sheesh, that simple courtesy would mean the world to those who use screenreaders.


I don't know if you care about this, but when you post screenshots of text, make sure you also provide a transcription, or you'll be excluding visually impaired users from accessing your content.


The whole point is you can't, because Twitter only allows 140 characters.


Twitter allows you to provide a caption for images now that gets inserted with the proper accessibility tags.


I just barfed.


And when you run out of resolution, write another note, take another screenshot, and post another tweet!


>8) Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is significant:

Interesting that he's not afraid to point the finger at Russia while still relying on them for protection. My respect for him just went up.


Unless this leak was part of that very protection arrangement, or part of some larger play. It's possible Snowden had all this stuff and the timing works out (right?). And let's not forget the mysterious "it's time" tweets from Snowden a few weeks ago.

Edit: I don't know why I'm being downvoted here. Isn't this a plausible explanation until we have more evidence?


Unless you have evidence for any of that you are just playing the "Let's pull out a wild conspiracy card" game.

Personally I think Snowden is the Lemming Prophet of the Epsilon-Tau Lizard People.


Snowden worked at the NSA and took a bunch of stuff. These leaks are from that time period. This isn't crazy.

Edit: His "it's time" tweet happened less than 48 hours after the first TheShadowBrokers account (reddit) was created, prior to activity. Those accounts were dormant until the drop.

It's also possible the timestamps on the files match up to Snowden's leaks because the NSA stopped using that server / etc.

But the "it's time" tweet seems to imply Snowden may have known this was coming. It could also be a coincidence, of course.


If Snowden is right then Russia wants people to know extra-officially that it was them.


That's not new, actually. Remember the Polonium murder? They take some weird pride in their lack of humanity.


Unlike the US, which is busy creating narratives to justify their lack of humanity?


Exactly. The DNC hack was traced by 2 agencies and 3 private firms. No one leaves behind that kind of evidence unless they want to get caught.


Exactly what I thought about this "hack"


To be fair, he also all but accuses NSA of interfering with US allies' elections.


Honestly, I think it's a bit far-fetched the US would meddle in the foreign affairs of an ally. We have a long documented history of staying out of civil wars, guerrilla warfare, and aiding the "right" people to come to leadership as it suits us.


Right now though the average person can still say "Where's your tinfoil hat, stop being ridiculous".

If it were confirmed, they'd have to switch to "Well if they weren't doing anything wrong they wouldn't have to worry about being interfered with, stop being ridiculous".

--

FWIW, I personally would be relatively shocked if that (election tampering) did turn out to be legit. I suppose there's motive and means, but it just seems a little too far for the NSA. On the other hand, I can't understand why Snowden would put that in a tweet if he didn't want people to consider the possibility. So either,

1) He's a careless writer (I think this one is the least likely)

2) The NSA interferes with US allies' elections

3) Snowden is a Russian agent or has been coerced into that messaging


The CIA has used torture and overthrown governments. Since the NSA is another secretive US government agency, I have no reason to believe that there is such a thing as going too far for them in an ethical sense, although of course there are practical limits on what they can accomplish.

Also, like any organization, the NSA is not monolithic. It must have various strata, various different groups making it up. It is possible, for example, that 95% of the NSA operates in ways that are relatively ethical, but that there is also a more-or-less secret pipeline of information and control built into the organization's architecture that enables important figures both inside and outside of the organization to use its databases and tools and to coordinate its operations without the knowledge of most of its employees.


I can't believe the tinfoil argument is still strong even after the NSA revelations. At this point it's deep denial, which seems to run strong.


You'll have to show the sarcasm tag, I almost fell for it...


"America has no permanent friends or enemies, only interests." -Henry Kissinger


The more interesting question is: are there any proofs behind the theory around? For DNCLeaks, for example, not really.


Ed was a Booz Allen Hamilton employee only for a couple of months. He wasn't even out of his probation period as an employee. It's really amazing that in such a short time he was able to siphon all this information out of the NSA.

I wonder what more information could he have collected if he had spent a longer time contracting for the NSA. I wonder how much more about the NSA we could know if people who have dedicated their entire careers to the NSA would whistleblow.


If you want to put on your tinfoil hat for a second, consider the fact that Snowden started his career in the military, then moved to CIA, then moved to Booz Allen.

It's entirely possible that Snowden is an ongoing CIA op to discredit their rival NSA as part of a turf war.


That feels not impossible, but unlikely.

If Snowden were a CIA deep-cover operative against another US institution, couldn't they have found him a better safe-house than in Russia?

Having no experience with the CIA, maybe I just vastly under-estimate the amenities of Russian safe-houses. ;)


What else could he be? Don't have the time to enumerate all the reasons but if you entertain this option then a very happy news and silver lining follows ...

> tinfoil

You mean thinking and arriving at conclusions not blared from approved media outlets?


> You mean thinking and arriving at conclusions not blared from approved media outlets?

Nah, cynical one-upmanship by a bunch of people who consider Tom Clancy to be a good author.


It's also entirely possible that unicorns are real.


I really don't think it's an unreasonable possibility. It's a known fact Snowden worked for CIA and even received deep cover training while working in Geneva. Much of his behavior is not that of a hapless IT admin, but someone well trained in HUMINT operations.

He comes from a multigenerational military family. That's the kind of background that breeds strong loyalty to the state, and the exact kind of background from which the CIA recruits its top spies.

I find it almost implausible that someone with that kind of loyalty would suddenly resign from the CIA after they invested so much in him, only to jump ship to a private contractor. If his reasons for leaving the CIA were purely moral, why would a private contractor ameliorate any of those concerns? It seems more likely the CIA sent him to Booz Allen.

But hey, it's all a big conspiracy right? Don't believe anything you read on the Internet, except what Ed Snowden tells you.


The kind of person with a deep loyalty to the S̶t̶a̶t̶e̶ constitution actually sounds like the kind of person who may try and sunlight what they perceive as an unconstitutional system. Especially if they feel they will be remembered as a patriot for it.

Besides, the private sector pays a lot better than the CIA, and nobody is free from the gravitas of wealth.


It's just as likely he was operating on direct orders from the president himself because he feared the power of the NSA and needed the public against it!

That's the thing about conspiracies, when there is no proof or reasonable cause you're free to just make up whatever you want.


Remember when it was a conspiracy theory that the NSA was reading all your emails?


People in the IC often "jump ship" to private contractors. Be it for better pay, hours, or whatever. I don't find it hard to believe that Snowden would go to a private contractor. No conspiracy there.


Would the CIA willingly do so much damage to the US? Surely there are other ways to sabotage the NSA instead of doing something as high profile as leaking NSA documents to the public. Besides, I think leaking classified documents of other intelligence agencies is something no agency does, because an escalation of this sort would be disastrous for both agencies involved.


Has he really done that much damage? People are more afraid of the NSA than ever. One could argue that's exactly what they wanted.


I don't think the majority of people in the US are afraid, but aware.


Last thing CIA would do is reveal them. All leverage is lost. They would instead hold them hostage.


Who knows, in today's political climates, anything and everything will be done.


But while the above possibility is merely unlikely, this possibility is logically impossible (using the definition of unicorn from philosophy). Quite a difference.


Both are absurd points to make. Just because something is theoretically possible in some version of the universe doesn't mean it's worth discussing without any real evidence. Tinfoil hat or not.


Don't get our hopes up.


> It's entirely possible that Snowden is an ongoing CIA op to discredit their rival NSA as part of a turf war.

It's a shame that Snowden's CIA background isn't talked about very often.


Possibly someone inside the NSA had some dirt on someone inside the CIA and retaliation ensued to keep people at the NSA busy...


Haven't Snowden's leaks hurt the CIA a little too much to be considered collateral damage?


He did the majority of his data siphon over many months during his time as a system administrator as a Dell contractor [1]. He was only a Booz Allen Hamilton employee for 3 months [2], one of which where he was actually on the job (and ostensibly siphoning docs until his last day).

(According to reports; we haven't heard an official account yet.)

1. http://arstechnica.com/tech-policy/2013/08/us-govt-snowden-a...

2. http://arstechnica.com/tech-policy/2013/06/whistleblower-who...


I think he spent years working for the CIA beforehand. He probably came in pretty well versed. Plus, you can pick up a lot if you're paying attention.


Or what damage a normal spy could have done...


What makes him different than a normal spy? It's just the adversary he worked for was the public. I'd say "instead of an enemy of the U.S. Government," but I'm hard pushed to separate that distinction somehow. The NSA's behaviour would seem to point to its considering the U.S. people as enemies of the state... rather than the people being the state and themselves being the enemy.

I suppose it's not beyond belief that Snowden _could_ have been a CIA operative the entire time he was in the NSA and "blowing his cover" by going public was just the endgame to move scrutiny of CIA projects to NSA projects. Of course, there's a thousand conspiracy theories. What if that wasn't the endgame? What if "defecting" to Russia is still part of a bigger operation?

Just to be clear, I have no evidence supporting this theory, nor do I believe he's any more than he suggests. But we'd all do well to evaluate what and why we trust the things we do from time to time.


Or is doing.


There was another article posted that pointed to the DoD-assigned IP of (something like) "30.40.50.60" that was referenced in one of the files. I'm fairly certain that was just a coincidence.

However, I did find that one of the autogenerated shellcodes for EXTRABACON contained this DoD-assigned IP: 155.222.211.8 (http://whois.domaintools.com/155.222.211.8). The OrgName is "DoD Network Information Center". This appears to be run by DISA which is also headquartered at Ft. Meade.


I do appreciate your sleuthing, but the CIDRs used by the government are public, and including them in files like this is trivial and ultimately means nothing for attribution.


There are a lot of little gems in the wording of the auction message. (http://pastebin.com/raw/JBcipKBL) If it is Russia there will be some content that only the US gov will understand. I wonder which portions those would be.

The "message to wealthy elites" portion of the auction message is also interesting.

"Do you feel in charge?" in quotes suggests a reference with a pretty relevant top hit (https://www.google.com/search?q="Do+you+feel+in+charge")


> Elites call top friends at law enforcement and government agencies, offer bribes, make promise future handjobs, (but no blowjobs).

That also feels like a pretty thinly-veiled reference to current events in the US election cycle.


It's ridiculously written to the point of being a parody at guessing who did it. That's my takeaway.


Attribution security is the meta-message. Perhaps that's the best attribution.

It could be someone else taking advantage of the timing but that is definitely the intended frame.

"Better than stuxnet" is also quite the claim.


This is no different than the constant "war" between military offense and defense. "Good guys" and "bad guys" constantly try to get the upper hand leading to temporary winners and losers. You build a fatter castle wall, I build a stronger cannon. The NSA and its adversaries are no different.


Not at all. These are governments attacking citizens, both in the same and other countries. Secretly, and without a declaration of war. Targeting activists, political targets, financial institutions to exploit them, not to win a war.

And the victims cannot even surrender.


Except usually when you build a bigger cannon you point it at people outside your castle.


Here's the full thread - http://quote.ms/2bkM2HW


Where is the leak he's referring to?



O government, tell us again how you keep all of the dragnet data collected on Americans safe from hackers.


I suspect it was an inside job. The NSA.GOV site is down ATM probably as they do a sweep. A Twitter user inactive since 2005 said it was an inside job and the file naming conventions in the leaks are internal only.


Why does the idea persist in this day and age that because the public-facing component of an organization's website is down or being DDoS'd that it has anything to do with the internet or non-internet facing operations otherwise?

The NSA, White House, and State Department currently use Akamai for their public websites, for example.


But Twitter was founded in 2006...


The National Insecurity Agency is more interested in creating and trading exploits than protecting citizens' security, which ends up putting everyone at greater risk.


Many people complain about the Twitter format and I agree. Fortunately, Twitter allows people to use about 2KB of text in a tweet, if you encode it as a URL:

The URL: http://because.a.tweet.doesnt.fit.lucb1e.com/?text=From%3A+h...

Example tweet: https://twitter.com/lucb1e/status/765544321747718144

This uses a third party site to display, but the data is all in the URL. Anyone could verify that the site (my site in this case) is not tampering with the content.


I actually enjoy the format. It's easy and fast to read, and forces the author to distill their thoughts.


In the early nineties all this security stuff was about writing mostly harmless MS/DOS viruses. Who would have imagined that this business was going to get politicized to such a degree - that could only happen once all these machines got onto the net. Now it's all as paranoid as 'Mother Night' by Vonnegut.


I posted about this in a different thread with a different throwaway, because I had suspicions that Snowden knew about the whole EG auction thing anyways. The writing has been on the walls.

This is why there is so much hype over what appears at a first glance to be an obvious scam, because there is a lot of potential for civilians to learn a lot about how state-sponsored hacking actually operates. It's very different from how it's portrayed in the movies, and you really wouldn't be any wiser from not having been tainted by the movies anyways just due to the ridiculous amount of stealth involved in day-to-day operations.

If rumors are to be believed, then it means that EG can't possibly be crazy enough to make such a (relatively) rudimentary mistake like leaving behind binaries to tools that they KNOW only they have access to. These binaries don't seem like such a big deal, but the real situation is this: these binaries are the ONE thing that can tie all the dots together about all the different attacks that have happened. IRATEMONK, Stuxnet, Flame, etc. All these crazy "unprecedented" hacks that have just popped up out of nowhere could potentially be linked together with these binaries that may or may not exist. On top of that, with enough analysis, it's possible to even identify different programmers just from their stylometry, even through code, so if these binaries are detailed enough there could be the potential for correlation of the author(s).

That auction is really interesting.


Tying them together wouldn't be very interesting. Am I wrong on this? Don't we already "know" that the US is behind Stuxnet? I don't think that makes the front pages.

Stuxnet was used against a foreign adversary to disable nuclear bomb-making capabilities. That sounds pretty useful to me.

What would be interesting is learning where these came from and how they were used. If Ed's musing is right and there's evidence these exploits were used in democratic elections here in the US then there's going to be hell to pay.


I logged back into this one just for you! That is a big no-no, so I sure hope I don't go mysteriously missing after this!

Anyways, I don't "know" anything that isn't out there to be found. It's a reasonable assumption to assume that you've already assumed that I work in/around the intelligence industry/community, but this is hardly the reason I'm so interested in all of this.

Anyways, to your remark, yes absolutely Stuxnet was contracted or engineered by the US. We're completely positive that our hands are dirty in that aspect, but the real question is whodunnit. The beauty of all these state-sponsored hacks is that they can be waved away as some """rogue""" like Snowden from the outside-looking-in.

What we really want to know is how deep the roots of the tree go, and how many of these cells actually exist. How many contractors are there? Where did they come from? What are their backgrounds? What are their ethnic backgrounds? How were they recruited? What changes in their online presence can we observe around the time that they were recruited?

To be perfectly, brutally honest, I could give half a shit what happens in the election. The Clinton mafia has been writing on the wall for literally decades at this point, what's another snippets?

On the other hand, somebody is out there issuing commands to potentially DOZENS of the most elite, sought-after, highly-educated, intelligence-savvy hackers. Maybe they report to a secret committee that controls them, and that committee is composed of only perfect operators. People who wouldn't fuck up and let slip that it even exists. That seems unlikely, and just from a logistical standpoint, it's complex to organize that kind of effort. In the IT world, there are project managers that went to university to learn how to manage teams effectively, there's a huge science behind it and I can't bring myself to believe that a committee is capable of the watertight operations that would be necessary for this.

That leads me to believe that one of several scenarios is the truth:

A) EG doesn't exist. It's another smoke-and-mirrors trick, and there are many squads like mine that use the same name to avoid correlation, and "play characters." There is no secret mastermind, just some intel-oriented director issuing objectives, and that's it.

B) EG does exist, and is controlled by one single person, probably well-guarded, and he/she manages other smaller splinter groups, and are doing their own thing. Maybe they made a dirty deal with some USG official, and whomever that was managed to not fuck it up.

C) EG doesn't exist, and the entire thing is carefully organized by some special-purpose squad within the NSA or some such branch that we don't know about. I think this is the most likely option given some of the tactics we've seen so far, and the level of caution and just the overall "flavor" of how these hacks seem to happen. Stuxnet for example, was ALL about collecting information and guerilla operation within "hostile" nuclear environments. Prevent danger and gather as much actionable intelligence as possible.

IRATEMONK, for example, was all about spreading through networks, through USB, that sort of thing. Imagine a secure facility, guarded by soldiers, operated by intelligence professionals or nuclear scientists, or some such "high-value" people. IM was capable of spreading quickly, persistently, flexibly, etc. Just digs in and gathers it all up.

That's how modern US intelligence work is done. It's how most government work is done, period. OODA is as relevant today as it ever has been, and people like me, people like Snowden that have seen those environments and those sorts of people, just recognize right out of the gate that something is a bit too familiar about it all.

I don't know very much about the election side of things. I'm certain some sneaky shit is going on, but it always has been. Nothing new.

What I really want to know, and what I think these binaries can tell us all, is who is behind these hacks. Where the power is coming from. If even just a single author is identified and correlated with something on the inside of the intelligence universe, then this whole thing is blown wide open.

These guys know how close they're cutting it, that's why this auction is so interesting because if it's real, if they're taking these risks to make money, or just to get the binaries out somehow, then there are some HEAVY implications that they might realize that they're in danger. If the auction proves to be real, it'll speak VOLUMES over something that has been previously unobservable. I'm assuming of course that the secret mastermind behind EG doesn't want the binaries out to the public, and so if they somehow make it out, then someone who had access to them did, maybe as a call for help, as revenge, whatever. Regardless, it's a sign of unrest, and that the cat's claws are indeed tearing the bag.

My handles are always snips from the Mary Poppins films. There's multiple people, but you'll get the idea. It's going to be a very interesting couple weeks!

Cheers


Wait, important question.. there are multiple Mary Poppins films?


Cheers indeed! Thank you for the response.


I wish you didn't use throwaways so I could follow your posts. I assume you're the blink person from the other post.

It sounds like you're someone who knows a little more than average about what's happening.


Yeah I'd totally follow this writer's stuff. Too bad...



