If pretty basic software can place misleading markers on internet traffic and file metadata, why is the presence of Russian metadata in a hack or leak considered evidence?
Because "Russian metadata" was not the totality of evidence used to draw the conclusion that it was Russia. It's never just one thing; it's all the things, together.
If you want an example of the kind of analytical techniques that people use for attribution in the US government and sophisticated industry groups, then refer to the Diamond Model of Intrusion Analysis: http://www.activeresponse.org/wp-content/uploads/2013/07/dia...
There are two types of people who read summaries of the CrowdStrike report: those who have retained a security company to produce some type of report and those who haven't.
A self-signed certificate using the CN of a website which the target device may already connect to (assuming it has KAV) is useful for stealth as it allows your implant to blend into traffic more easily.
However, attributing an attack based on the CN of an invalid TLS certificate would be very silly, as literally anyone can generate one (instructions for generating the self-signed certs are actually right there in the source bundle).
Poster probably meant to say TS/SCI: Top Secret/Security Compartmentalized Information. Part of the contract involved in getting a U.S. government security clearance assigns you liability for exposure to any TS/SCI, even if you were not the publisher. Therefore if you're subject to one of those contracts, you generally (almost always?) want to avoid reading these leaks like the plague.
Assuming it's TS/SCI: it's a highly classified and compartmentalized type of US classified material. Generally, if you hold a clearance you don't want to access those links on a work computer, because DOD/DOI still consider it "contaminating" an unclassified system with classified material even if the material has been leaked to the public.
> (U) Definition: Special Intelligence, or SI, is a sensitive compartmented information (SCI) control system designed to protect technical and intelligence information derived from the monitoring of foreign communications signals by other than the intended recipients. The SI control system protects SI-derived information and information relating to SI activities, capabilities, techniques, processes and procedures.
That's twice in the same minute that you've replied "That's not what SI means" (to two different definitions, so you have to be right at least once). But it would be more useful if you would supply what you think the correct definition is, rather than making us guess (or making us grovel before your superior knowledge, which is not really the point of HN).
Interesting that WL goes after the one nation state that is not going to completely fubar them, and has much better human rights than the other big nation states it could go after. I say that if WL's real goal is to promote human rights, the US is not the highest target on the list. On the other hand, if they want easy publicity with minimal risk to self, the US is probably their best target.
> I say that if WL's real goal is to promote human rights, the US is not the highest target on the list.
Well, I say that constant hopes for transparency and the strides we take towards those goals will keep the United States high on the list of nations with decent human rights.
WL is one of those strides, and I think it's invaluable.
It's 'interesting' that, given the muck that WL has raked up about the U.S., anyone could be upset about their (the US) having been a target.
The question is not whether the US should be subject to oversight, the question is "does WikiLeaks intend to push a deliberate agenda with their disproportionate targeting of the US?"
You would be naive to take for granted that WikiLeaks is acting exclusively out of principle.
> I say that if WL's real goal is to promote human rights,
That's where you're wrong. WikiLeaks' mission is "transparency for governments and privacy for people". Perhaps they seem to have an affinity for publishing things contrary to the US' interests, and you're right that the US isn't uniquely bad at protecting human rights, but the US (and Western European sigint community) violates privacy on a scale that's simply unmatched; it's reasonable for them to treat the Anglosphere's sigint as their primary adversary.
You think that the US violates privacy more than, say, Russia? Or, going back to WL's stated goal, you think that the US government is less transparent than Russia's?
I think the US is much more likely to violate the privacy of a random 3rd party than Russia, absolutely. How many Kenyans have their data sitting in NSA servers? I bet it's more than Kenyans on the FSB's servers.
I don't know, but I would be surprised if Russia even captured 1% of the data that the NSA captures routinely (or was capturing at the height of its excess).
Additionally, Russia seems to keep quiet about what they do, which is lying by omission at worst. A lot of US security officials have lied under oath about what the US is doing - I think it's more important to expose active and direct and popular lies than incidental lies.
Fair point. I wasn't looking at it that way, though. I was trying to say that Russia is more likely to violate a Russian's privacy than the US is to violate an American's privacy. Yes, the NSA may well have the American's communications on their servers (though they are not supposed to unless it left the country), but the FSB probably has the Russian's communications, and seems to me considerably more likely to examine them - or to more actively spy on the Russian citizen.
This is the source code (and several binary compiles) of the CIA C2 infrastructure + client implants for Solaris, Linux and various routers. I suspect that now this is in the open, past and current CIA malware will now be detectable by commercial antivirus.
I'm not so sure about that. WL released the documentation back in April, which contained more than enough information to create a few behavioral detection signatures for the implants. I would assume that any AV company who cared has already created and deployed signatures.
We now know that all comms from implant to C2 are TLS with a unique (fake) certificate tree. They use unique, single-use domains for operations. I don't believe there was enough information in Vault 7 to identify IOCs that could be used for behavioural analysis.
We also now know that the C2 fronting servers negotiate 'Client Cert optional', which is a fairly unique configuration item.
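The traits raised in this comment and in the earlier one about a self-signed certificate borrowing a vendor's CN are more useful as detection signals than as attribution evidence. The following is an added example, not code from the leaked bundle or from any AV product; the record schema, the allow-lists, the weights and the sample sessions are all constructed assumptions.

```python
import json

# Constructed allow-lists standing in for an organisation's own data (assumptions).
KNOWN_VENDOR_NAMES = {"updates.av-vendor.example", "update.vendor.example"}
INTERNAL_CAS = {"Corp Internal CA"}

# Weight per trait; the numbers are illustrative assumptions, not tuned values.
WEIGHTS = {
    "self-signed leaf without a trusted chain": 2,
    "vendor CN but no trusted issuer": 3,
    "client certificate requested by a public-looking service": 2,
    "young domain on an untrusted session": 2,
}

# Constructed sample sessions in an assumed one-JSON-object-per-line schema.
SAMPLE_LOG = """
{"sni": "updates.av-vendor.example", "subject_cn": "updates.av-vendor.example", "issuer_cn": "updates.av-vendor.example", "chain_validated": false, "cert_request_sent": true, "sni_first_seen_days": 3}
{"sni": "update.vendor.example", "subject_cn": "update.vendor.example", "issuer_cn": "Example Public CA", "chain_validated": true, "cert_request_sent": false, "sni_first_seen_days": 900}
{"sni": "intranet.corp.example", "subject_cn": "intranet.corp.example", "issuer_cn": "Corp Internal CA", "chain_validated": false, "cert_request_sent": true, "sni_first_seen_days": 1200}
"""


def score_session(rec):
    """Return (score, reasons) for one session record."""
    trusted = rec["chain_validated"] or rec["issuer_cn"] in INTERNAL_CAS
    self_signed = rec["issuer_cn"] == rec["subject_cn"]
    reasons = []
    if self_signed and not trusted:
        reasons.append("self-signed leaf without a trusted chain")
    if rec["subject_cn"] in KNOWN_VENDOR_NAMES and not trusted:
        # The CN copies a name the host already talks to, but nobody vouches for it.
        reasons.append("vendor CN but no trusted issuer")
    if rec["cert_request_sent"] and rec["subject_cn"] in KNOWN_VENDOR_NAMES:
        # Public update endpoints do not normally ask the client for a certificate.
        reasons.append("client certificate requested by a public-looking service")
    if rec["sni_first_seen_days"] < 30 and not trusted:
        # Single-use operational domains are young by construction.
        reasons.append("young domain on an untrusted session")
    return sum(WEIGHTS[r] for r in reasons), reasons


def score_log(text):
    """Parse JSON lines and return [(sni, score, reasons)] sorted high to low."""
    out = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        score, reasons = score_session(rec)
        out.append((rec["sni"], score, reasons))
    return sorted(out, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for sni, score, reasons in score_log(SAMPLE_LOG):
        print(f"{score:2d}  {sni:28s} {'; '.join(reasons)}")
```

The internal-CA record shows why "client cert optional" alone is not a signal: enterprise services request client certificates routinely, so the weight only applies when the served name looks like a public vendor endpoint.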
The git repo contains 3 binary builds of the client/server malware. I think this is more important for detection than their docs.
AV is now far beyond just using hash-based detection, but you are correct that having the three binary builds will allow that to also be added to their (hopefully existing) detections. No argument there.
What you're saying comes from the documentation included in the source, yes. But if you dig into the Confluence dump from back in March, you'll see that the User's Guide and Developer's Guide PDFs for Hive were attached to one of the wiki pages already, explaining how this all worked. It did not get any press attention as it was quite mundane compared to the more interesting leaked wiki pages, but I would really hope AV companies and others in infosec noticed this already.
The following lines from /honeycomb/crypto.c look very interesting...
/*
* Computing a "safe" DH-1024 prime can take a very
* long time, so a precomputed value is provided below.
* You may run dh_genprime to generate a new value.
*/
char *my_dhm_P =
"E4004C1F94182000103D883A448B3F80" \
"2CE4B44A83301270002C20D0321CFD00" \
"11CCEF784C26A400F43DFB901BCA7538" \
"F2C6B176001CF5A0FD16D2C48B1D0C1C" \
"F6AC8E1DA6BCC3B4E1F96B0564965300" \
"FFA1D0B601EB2800F489AA512C4B248C" \
"01F76949A60BB7F00A40B1EAB64BDD48" \
"E8A700D60B7F1200FA8E77B0A979DABF";
You're right, I got over-enthusiastic. And it looks like the C code has been migrated to Python anyway.
Also, owners of MikroTik hardware look to be thoroughly owned:
The bad news is that soon CIA will not have to build their own infrastructure due to the rise of all kinds of public P2P technologies. The best type of covert operation is the one that is hidden in plain sight.
I see Wikileaks is still publishing "leaks" about US agencies in the week following major news on the Russian investigation, as they have more-or-less consistently since February.
Can someone tell me if there's actual malfeasance this time or just more edgy moaning about the spy agency doing its job?
I'm happy to call out the security apparatus when it actually oversteps its bounds (e.g. the Snowden leaks). But so far as I can tell WikiLeaks Vault 7/8 isn't a leak in the public interest. It's just anti-American wankery.
The amount of work that they put into throwing off attribution, while expected, is important to make its way into public knowledge rather than just the realm of conspiracy, IMO.
In the commercial sector I seem to find myself spending a significant amount of my time working on projects that were started many decades ago that have just been improved over time.
I honestly wouldn't be too surprised if a lot of these applications were used today with relatively little change.
But the point is moot anyway: either their tools are still relevant today, in which case it's good to see what they can use against the people, or they are not, in which case it won't hurt them if we see them and it's not "anti-American".
Don't you realize that the institution that's being examined isn't necessarily on your side? Without oversight, how could they possibly be kept on the good side? Having gone so long without oversight, how far have they strayed?
Assuming you weren't involved in any of this, ask yourself: did I authorize it? Did the legitimate authority of my civil peers (to which I am willing to cede) authorize it? Did my representatives authorize it? (Not everyone in Congress is on these top-secret committees; it's entirely possible that some action could be taken that the voters of an entire state had essentially zero say in.)
Finally, what would happen if a cleared individual decided to take an action without asking anybody or telling anybody? You know, like Snowden, except not conscience-driven to make sure we all heard about it. It's not like established systems have ever suppressed secrets that would make them look bad if widely known, right? Right?
I'd be careful with that kind of nihilistic attitude; note that it has the same effect as wholehearted support! (Which is, advocating that nothing different be done.)
Oh, but I advocate precisely what Wikileaks is doing. In the essay I linked Assange describes a rather effective approach to disrupting these organizations. Leaks such as this one will eventually lead to these organizations having to be so careful that they'll simply be unable to act.
I certainly understand how you could come to see this kind of stuff as anti-American, but that's really a misjudgment.
I (or we?) stand in one of the many countries where this threat is developing, but one of the few countries where our predecessors have secured the liberties for us to do something about it. So in this sense, we are the custodians of ourselves: and any true American would tend to their government while discussing with their countrymen how they can do the same.
(Hopefully that addresses your point, now that I see what you're really saying.)
Don't assume everyone on HN is American. Some are actually from openly hostile countries, so what? Can't we discuss these things freely on the internet as long as we don't hurt anyone?
I put (we) in parentheses - certainly, I'm aware of the fact that not everyone on HN is from the US!
And no, if you're from a country that's openly hostile to free speech, you really can't speak freely online without fear of reprisal. In an abstract sense I can't speak with a complete lack of fear of reprisal either - but essentially what I'm trying to exhort people to realize is that taking on the personal risk of saying the "wrong thing" in public is a civil duty: the civil duty of maintaining our government.
I have many questions but two are very high on my list:
1. One of the commit messages mentions a merge from a git remote hosted at devlan.net. Who owns that host, and is it a hidden CIA server or a repurposed captured host?
It kinda looks like a captured host registered originally by a French admin.
2. Why Solaris? MikroTik and the other router targets make sense in combination with generic Linux machines, but Solaris sticks out and there must be an interesting explanation for targeting that. What kind of internet-facing Solaris hosts are out there, or which orgs use it in such a capacity to become a target for the CIA?
1. It's very bad practice, even if only internal, to use an already registered public domain. It crossed my mind that this might just be an internal domain (devlan -> developer LAN), though it seemed unbelievable an agency would have people in IT with that much disrespect for proper network config.
It must be an interesting life for the French admin of the "real" devlan.net since the leaks.
2. I don't get the Kaspersky reference. Can you explain?
ISP and University: I suppose you mean those would be running public Solaris hosts, right? And that therefore the CIA has been hiding on those servers. I sure would hate the CIA to spy on scientists, though it's not unheard of that one of the agencies knocks on the door of a scientist who just happened to be on the verge of publishing something they deem a risk. It happened in the past and surely still does. The imbalance and abuse of power is the problem, and here it's legalized/constitutionalised. An agency can spy on my private life and professional work without being questioned, but we aren't allowed to demand a transparent administration or any of the many branches of government.