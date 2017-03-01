Hacker News new | comments | show | ask | jobs | submit login
If you only work on your malware on weekdays, you might be a CIA hacker (qz.com)
78 points by imanewsman 79 days ago | hide | past | web | 24 comments | favorite



I've put some thought into similar deductions in the distant past. And measures to avoid them.

Still waiting for the day a leak is attributed to the French because of the length of lunch breaks inferred from timestamps.


How long is a typical French programmers lunch break?


1.5-2hrs unless there is wine involved...


Can we avoid French bashing here? This is not reddit.


Lighten up? I'm not trying to abuse the French here, I've really observed this when working with several French teams!

I found it amusing, if you're offended then my apologies, it was written with a light heart and no intentional malice; and I gauged it by my not being offended by those who comment on observing the various stereotypes applied to my specific situation but alas my skin is thicker than others..

I don't think there is any value in using lunch length as any kind of meaningful metric, can we put the guns away?


Symantec had already concluded that Longhorn was a group based in North America. That was partly based on the American time zones they saw, but also on the finding that Longhorn primarily targeted devices in Europe, Asia, Africa, and the Middle East—and seemed particularly averse to American computers.

Now the CIA is going to claim that for national security reasons, they're going to have to hack American computers too.


Humor aside, one wonders how much increased communication could facilitate common malware usage between the CIA, NSA, etc. If some common malware were developed and distributed agnostic to foreign or domestic targets, it could be a conduit for other, more targeted software to be deployed, and otherwise not appear, based on detection, to specifically target foreign or domestic machines.


Couple of hours and if you move south in Europe it could be even longer


The CIA's dos and donts specifically mention putting build timestamps into others time zones: https://www.schneier.com/blog/archives/2017/03/the_cias_deve...


Yes but domains are registered and C&C servers are activated, things that can be tracked on other ends like clients and public databases.

So what they really need to do is make a queue system for actions like that and have them execute randomly during weekends. Would require a lot more patience and long sightedness but I don't see any other way of masking it.


> “On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally,” the blog post said.

A surprisingly refreshing feature.


Great example of a headline that captures something really interesting about the story without lying or misleading readers.


It does mislead the reader, because this pattern is the case for most malware, and has been for over a decade. If you only work on it on weekdays, you are probably not a CIA hacker.


I disagree. The headline clearly states that if you only work on weekdays you "might" be a CIA hacker, implicitly admitting that there are also non CIA hackers working on weekdays. What I found funny and interesting about this is that if I were working on malware and making exciting progress I definitely would not be able to resist working on the weekend. The idea that there is a government employee who is paid to create malware but sees it just a 9-5 thing that he doesn't care about when he clocks out is pretty funny to me.


I don't know this for a fact, but I assume people working on top secret CIA malware probably can't work from home. They'd have to go into the office and access the code from a secure computer.


I'm sure you're right. Which is why you only see activity on weekdays.


If every government entity can fake/scrub/modify time zones, how are time zones are a "tell" at all?

Let's say the US uses French time zones and France uses US eastern time zones. You've discovered malware that for whatever reason has time stamps for US Eastern.

Is it really from the US or is it from France? How would you deduce such a fact? I posit it would be better to see who the malware is targeting: entities may be averse to targeting their own countries.


> Let's say the US uses French time zones

I know you're only using France as an example, but it's even more ridiculous when you consider that (mainland) France has one time zone (CE(S)T), which it shares with more than a dozen of other countries (central Europe + most of the western Europe + majority of Scandinavia + former Yugoslavia).


That's actually pretty funny.

Article mostly talks about the validation that security companies got from recent leaks, when before it could only be based on update and domain registration times.

Kind of makes the US look silly with that oversight. Though even if they did fix themselves, it's not like you could change behavior on the old stuff.


The issue is that when you have analysts combing over your attack there are so many different ways information can be leaked that it's impossible to try and elude everything. To properly conceal your identity to prevent fingerprinting you'd have to rewrite all your malware from scratch every time using completely different techniques, and choose targets largely at random so your motives don't become obvious. So APT groups have to prioritize on what information you absolutely don't want to get out and go from there, and look at the trade offs involved. To conceal working hours you'd have to either make everyone work random hours (which wouldn't be very popular) or perform certain activities like domain registration on a random time delay (which you may not always want, some things really need humans on keyboards to monitor). So it's a lot of effort to conceal an attribute that, while telling, isn't actually enough to implicate you.


It also might be on purpose -- if you have a signature, then unsigned things aren't you, right?

I suspect it was largely accidental, though. Heck, there's been private entities I know who have ended up with tells that pinned them to timezones.


Easy to do with e.g. postings to forums, including those about bitcoin...


I've generally given up trying to conceal anything above what city I'm in.

There are just too many information leaks that can be used to track people back to regions, and I honestly don't care if people know I'm one of millions of people.

(Whoops, there goes another -- there's only 53 US metros above 1mil people and 34 above 2mil.)


They've found the same things about Russian and Chinese hackers as well. They work regular hours for their local time zone.




