Hacker News new | past | comments | ask | show | jobs | submit login
Ex-NSA cyberspies reveal how they helped hack foes of UAE (2019) (reuters.com)
194 points by jbegley 8 days ago | hide | past | favorite | 76 comments

Stroud's judgment is interesting; is the mistake predictable?

> In 2013, her world changed. While stationed at NSA Hawaii, Stroud says, she made the fateful recommendation to bring a Dell technician already working in the building onto her team. That contractor was Edward Snowden. / “He’s former CIA, he’s local, he’s already cleared,” Stroud, 37, recalled. “He’s perfect!” Booz and the NSA would later approve Snowden’s transfer, providing him with even greater access to classified material.

Then Stroud trusted the Project Raven employers, not only to start but over and over, as they had Stroud violate human rights (spying on journalists, 16 year olds, human rights activists), after Stroud discovered evidence of spying on Americans.

And then Stroud didn't trust the FBI; note that the claimed motivation could simply fabricated - clearly Stroud wanted to do this work.

> Two agents approached Stroud in 2016 at Virginia’s Dulles airport as she was returning to the UAE after a trip home. Stroud, afraid she might be under surveillance by the UAE herself, said she brushed off the FBI investigators. “I’m not telling you guys jack,” she recounted.

And possibly this is related:

> Still, she found the work exhilarating. “It was incredible because there weren’t these limitations like there was at the NSA. There wasn’t that bullshit red tape,” she said. “I feel like we did a lot of good work on counterterrorism.”

Maybe those rules, the principles of human rights, and the FBI are there for a reason. Stroud seems to think they are unrelated to her character:

> “I don’t think Americans should be doing this to other Americans,” she told Reuters. “I’m a spy, I get that. I’m an intelligence officer, but I’m not a bad one.”

> Stroud said her background as an intelligence operative made her comfortable with human rights targets as long as they weren’t Americans. “We’re working on behalf of this country’s government, and they have specific intelligence objectives which differ from the U.S., and understandably so,” Stroud said. “You live with it.”

"Stroud said her background as an intelligence operative made her comfortable with human rights targets "

should read

"Stroud said her background as an intelligence operative made her comfortable with human rights _violations_"

The subject of the article hired Snowden into an NSA project just before he fled as a whistleblower, tried to resurrect her career for a private company doing espionage overseas, and after a few years ultimately made good by becoming a whistleblower herself against her spybosses. What a fantastic story arc! Hollywood....

And I thought I was failing up!

Follow-up, from today's news:

"Three Former U.S. Intelligence Community and Military Personnel Agree to Pay More Than $1.68 Million to Resolve Criminal Charges Arising from Their Provision of Hacking-Related Services to a Foreign Government"


For those interested, there is a Darknet Diaries episode about this. [1] Really quite interesting, interview is with someone who worked for Project Raven, like Lori. [1] https://darknetdiaries.com/episode/47/

Every once in a while, my brain asks a good question.

https://www.state.gov/reports/country-reports-on-terrorism-2... “ 2019 Terrorist Incidents: There were no terrorist attacks reported in the UAE in 2019.”

Either they were extraordinarily good at their job or their job was bullshit. IBM Presents You Make the Call.

Why would there be terrorist attacks in the UAE?

There aren't even political parties in monarchies making political action more difficult, not to mention the UAE has less crime than Norway.

Is your contention no monarchy has ever seen organized political resistance? I’m not sure what the crime rate has to do with it.

Maybe they don't paint a giant target on their forehead?

Maybe that's the key?

Yes, surely that’s the key. We are all being kept safe by these wonderful demigods who trade out human agency for safety.

Feel good yet?

How do all these people hack into phones all the time? Is there just a cache of 0Days that they have access to or do they just get really clever with phishing attacks?


The going rate for iOS full chain (iMessage, Safari, or BT/WiFi exploit + sandbox escape, protection bypass, and persistence) is over two million dollars. The brokers then sell them for 2x-5x that amount. Reporting that same vulnerability to Apple can net you up to a million.

Just your periodic reminder that the dollar figures here aren't apples-apples. Apple will pay you X for a vulnerability, and a broker might pay nX. But n is complicated. The ordinary way it works is that payments are tranched; you're paid in chunks, up to some cap, until the vulnerability is burnt. Once that happens, you stop getting paid, so n can be less than 1.

It's also always worth pointing out, even though it's not relevant to this thread, that the vulnerabilities we're talking about all fit into a similar mold; they're all generally some form of drive-by or click-by clientside RCE (they're some of the harder vulnerabilities to find and weaponize, and, from what we can see in reporting, they're not the kinds of vulnerabilities we see lots of disputes about with vendors, though I'm happy to be corrected).

And, as always, I want to point out that even at these eye-watering figures, vulnerabilities are cheap. The market competition to RCE vulnerabilities and implant kits is human intelligence. You will pay more just in health insurance and benefits overhead to run a single human intelligence program against a target. Every government in the world, from Germany to the Seychelles, can afford what the IC pays for vulnerabilities, and there's probably no figure we can realistically drive vulnerabilities to in the near future that will change that --- Iran can pull this kind of money out from under its couch cushions, and NATO and China's couch cushions are stuffed with it.

> The ordinary way it works is that payments are tranched; you're paid in chunks, up to some cap, until the vulnerability is burnt.

Eh, it is very complicated. On one end of the spectrum you can take a cash payout up front for less money, on the other end you are under contract to keep an arsenal with specific coverage at a minimum fixed size. Brokers exist to trade risk for upside and shield parties from each other.

I think we are in alignment on your second point. Oil rich companies lack domestic talent but have massive war chests of money. I have some insights into the numbers they are throwing around to skilled foreign workers and while it is clear the numbers are stupid big, it is nothing in comparison to running a HUMINT asset or buying a drone.

How much would they pay for foreign skilled workers?

> The brokers then sell them for 2x-5x that amount. Reporting that same vulnerability to Apple can net you up to a million.

If this is true, I'm super-curious about the economic incentives involved. According to Apple's Sept. 2020 balance sheet, they had over $143 billion in current assets on their books. They have deeper pockets than basically anyone else on Earth, including many state actors. They could 10x their current bounty and it would still basically be couch money for them.

So why are 0-day brokers and their customers able to outbid them? I would think that Apple has much more skin in the game than attackers do, and much more to lose from being the #2 bidder. But judging by the going rates you mentioned, that doesn't seem to be the case. The only thing I can think of is that the small minority of parties with both the means and motive to outbid Apple (the respective governments of the US, China, Russia, etc) are in fact the ones doing so.

“I would think that Apple has much more skin in the game than attackers do”

What skin in the game do they have? As long as they aren’t viewed as way more insecure than Android vulnerabilities don’t really cost them anything.

More likely, Apple will lead you on for months and then pay you nothing.

It seems pretty clear that just about every government has a large bank of exploits on just about every single system. We only hear about the ones that get exposed and fixed and not the 30 others in storage or active use.

> Reporting that same vulnerability to Apple can net you up to a million.

I think there was a post on HN awhile back where the guy just got 100K for a a very major bug. So you will definitely get more money if you go rouge

According to the article, it seems like it was heavily based off of Apple iMessage zero-click exploits built into some platform. And even a bit of social engineering.

Past that, who knows where they get exploits from? I imagine if they're renting servers with Bitcoins to perform computer attacks, these operatives are probably familiar with darknet sites for trading secrets as well.

Pretty much, that also have 0 days on components, so it's a matter of putting together an exploit chain that gets them what they need.

If software developers were ever held responsible for defects in their software that lead to breaches of privacy and harm caused through those breaches, I wonder how quickly software development practices would change. Memory unsafe languages like C would probably disappear as a choice for new projects in a heartbeat due to the liability.

95% social engineering/phishing, maybe 5% exploits.

Using exploits is complicated, expensive, and risky. In most cases - to quote XKCD - it's cheaper and easier to just hit the victim on the head w/ a proverbial $5 wrench until they cough up their password, e.g.: have them download your "secure messaging app" which is actually just your implant.

From the article:

> To get close to Donaghy, a Raven operative should attempt to “ingratiate himself to the target by espousing similar beliefs,” the cyber-mercenaries wrote. Donaghy would be “unable to resist an overture of this nature,” they believed. Posing as a single human rights activist, Raven operatives emailed Donaghy asking for his help to “bring hope to those who are long suffering,” the email message said. The operative convinced Donaghy to download software he claimed would make messages “difficult to trace.” In reality, the malware allowed the Emiratis to continuously monitor Donaghy’s email account and Internet browsing.

He fell for that? They were warning you about that trick in the 2000s!

they have lots of funds to buy 0days on dark web and to hire the best.

Is it just me or at this point Americans will do anything for profit? The last American with moral standard is currently living in exile in Russia. Lori Stroud is a disgrace, who after all these, she basically became a mercenary attempting to justify her disgraceful actions. What a time to be alive, so first we have 911 that changed the lives online and offline as we know it. Then we have never ending wars that costed lives around the world, topping that with a global surveillance machine with a rapacious appetite for private information. These behaviors are far from the American values preached everyday by the left and right. It’s time to look in the mirror.

It's the result of an atomized society. Fuck everyone else, I'm going to get mine.

So hacking human rights activists is ok, but hacking US citizens crosses the line? WTF?

It's always like that.

The last days in Afghan they kill 10 people, and no one hell accountable. All they do is labeled them as ISIS members.


didn't they report like 90% of people killed in drone strikes are civilians... now the person who leaked this information is in prison for showing us that. They also commit war crimes like targeting first responders after initial strike, something terrorists like doing, US calls it a "double tap".

hopefully one day US will be held responsible for the death and destruction it has caused world wide, maybe we could have a version of the Nuremberg trials for the US.

instead US leaves the international criminal court and pardons war criminals, so the world has no way to get justice.

What would you like to be done about it?

Tried as a war crime, perhaps? Murdering an aid worker and seven children, then trying to cover it up, seems pretty horrific to me.

Not to get too deep into it, but there must be some difference between casualties of war, even if those casualties come from horrific mistakes and literal war crimes right? There must be some gradation in our reproach. War doesn't really provide good options. You end up a bit too careful and hundreds of people die, a bit too little and you kill tens of people. I'm not going to say an investigation shouldn't happen, but to say anything less then perfection equals war crime really devalues that term

Is killing an aid worker registered as working with a US NGO as he was surrounded by 7 kids really just shy of perfection?

That was 1000% preventable. You don't get to kill people based on circumstantial evidence without even counting the number of bystanders, without verifying their identity, without doing any level of human intelligence, all easily accomplished tasks, and then claim that you did everything you could.

It's absolutely clear the US did not give a single shit about civilians. Many US and coalition soldiers were even happy to kill civilians. You don't authorize a policy of systematically killing first responders ("double tap strikes") and then claim you were trying to minimize civilians casualties. It wasn't a mistake, it was knowingly just not giving a shit.

But I remember watching the video where about 10 people were killed from kilometres away. The people responsible were clearly having fun. I also remember a few people getting in big trouble over releasing just a small piece of an enormous pile.

It's clear where stand: "Things happen in war"

Sounds like you're referring to the Wikileaks leaked 'Collateral murder' video [0]. Note, pretty grim material.

0: https://www.youtube.com/watch?v=zYTxuW2vmzk

I thought this was referring to the seemingly tragic killing of a man and some of his family who the military claims was planning to drive a bomb up to the airport. I'm not claiming the US has not committed war crimes in Afghanistan

Many on this site struggle when it comes to reasoning about civilian casualties, war, war crimes, collateral damage, etc. War is not black and white, it's a shitty gray nuanced hell for all involved.

Just try the responsible parties so that others will act responsibly? The US's withdrawal of support for the ICC is quite telling. The Trump administration even authorized sanctions against the ICC. The US is quite on par with Russia regarding this matter, as in "we support the court as long as it doesn't come after us".


Yeah I was shocked to read that too. Sounds like if it's true an epic intelligence failure and maybe a reason not to put death by drone control into lower level field decision makers.

But I would think murder war crime implies intent not negligence.

Who specifically should be tried?

Let's start with the person who pushed without verifying that the targets were truly ISIS and work our way upwards

What does that mean? The person who pulled the trigger to release the Hellfire from the drone?

Yup, they'll know who told them not to do it, and being ordered to do something is no defense against war crimes


Lets start with the people who physically killed them.

If you're referring to the "people who physically killed them" as the individual(s) who operated the drone(s), I imagine they are the ones who need the most (mental) help, after learning their superiors provided faulty intelligence and allegedly killed innocent people.[0]

The two(+) that are perhaps the most relevant are those that provided the intelligence (framing), and those that made the decision to act on it.

[0] I don't know how much liberty drone operators have to make live decisions in the .. "field" about whether to engage or not, but I suspect this case involved some level of abstraction.

Okay? Who is that? Who specifically? The drone pilot?

With a missile strike, who would that be?

At least the party who ordered the missile strike. The Navy servicemen mainly launch the missiles to coordinates X, Y without questioning the order, so they're an accessory to murder.


I don't necessarily disagree, but how would they have effectively questioned that order? If they asked for confirmation for who they were striking, they would have received the US's faulty intel. And it's not like they had any power to independently verify it.

If there were a massive amount of charges filed for everyone involved with the strike, I'd agree that the servicemen should also be charged. I'm not sure that's where we should start, as I feel it's too likely that's also where we would end and they are the least responsible of the related parties.

They don't have any choice but to follow orders once they're part of a military org. That's why the parties ordering the strike should carry most of the responsibility.

no wrong... you can not commit war crimes and use that as a excuse why you did it, following orders is what the Nazis tried to uses as a excuse... if you see you are bombing a hospital,a school,open market or first responders and you still bomb them then you and the people ordering it are responsible.

True, but I was arguing the missile operators only get the order with the coordinates and may not know what the target is or may get misleading intel, like the drone operator who was told that their target were ISIS operatives when in reality they were aid workers associated with the US. The nazis knowingky took people to the concentration camps and executed them.

Nobody even cares much when they do it to American citizens.

Anwar al-Awlaki was a American citizen born in New Mexico.

Didn't stop several US administrations from hunting down him and his family to the other side of the planet to systematically assassinate them.

He was killed by a drone strike in September 2011 [0], in October 2011 his 16 years old son, also a American citizen, was killed in another drone strike in Yemen.

One of his surviving daughters, was killed during a NAVY Seal raid in 2017, when she was only 8 years old. It was the first mission greenlit under Trump, the Pentagon and US press claimed "no civilian casulties" [1], while local sources later reported dozens of dead women and children [2].

For over a decade this family of Americans has been targeted and hunted down with the full might of the American military and Five Eyes surveillance apparatus, but it's all okay because they are "terrorists".

[0] https://en.wikipedia.org/wiki/Anwar_al-Awlaki

[1] https://edition.cnn.com/2017/01/29/politics/us-servicemember...

[2] https://theintercept.com/2017/01/30/obama-killed-a-16-year-o...

It seems like Anwar al-Awlaki was what the US call a terrorist. I don't know why the CIA killed his kids though. It's too much of a coincidence that two of his kids were killed.

Yeah that's why the constitution gives your rights 'except when some burocrates think you are a terrorist or related to a terrorist.

Statistically, is it?

edit: I am completely missing the mark

>What evidence do you have that it was not done by ISIS members?

The US openly admits firing the missile. That seems more likely than ISIS acquiring and launching a missile at an Afghanistan home then the US taking "credit" for it.

The US hasn't been (officially) at war since WW2 ended.

The War on Terror is a gift that keeps on giving.

pretty sure USA has been in like 20+ wars since WW2,what do you mean? since WW2 they have destroyed countless countries.. how is doing war not war?

Because Article One of the constitution requires congress to approve declarations of war, and they haven't done that. Whatever has happened in the meantime, it has been hasn't been considered a "war" in the US legal framework.

If by "ok" you mean legal, then yes. NSA is foreign targets only. If by "ok" you mean moral, then no.

Also local targets, if they're foreigners or interacting with foreigners

Yes, according to the law.

Yes, because we have the FBI to do that to US citizens.

This company reached out to me a few years ago. They promised mid-range 6 figures and said a few people who worked in the intelligence community already worked there. I reached out to a few friends and they told me not to take the job. I'm happy I didn't.


In the news today since they were just charged with a bunch of Federal crimes for this work:


> Former program operatives previously told Reuters they believed they were following the law because superiors promised them the U.S. government had approved the work.

Absolute horseshit. This is 100% a loophole to give them some flimsy plausible deniability. If the NSA approves they should have confirmed with the actual NSA.

Looks like the whistleblower wasn't charged, which is good, though you still have to be a pretty shitty person to go work on targeting journalists and dissidents in the first place. I suspect she didn't have moral qualms as much as she realized how much trouble she'd get in unless she came clean.

I'm interested to learn how exactly any of this is legal. Isn't it illegal for Americans to hack anyone, regardless of where you live? Like could I really go to Russia and openly hack Ukraine as an American and not get charged when I come back to the US?

Are you seriously gatekeeping the whistleblower? Like they did the right thing, but you can maybe imagine they weren't pure enough for you and therefore shitty?

OK let me do that to you:

You are commenting some good things, but i suspect you aren't doing it because you believe it, but rather you want some sweet karma. Therefore you are shitty human being. Feel shame person I've never interacted with before and have no other knowledge of.

(Maybe check out the Darknet Diaries episode linked in the comments here and learn about the situation a bit before declaring the motives of a person you admit having no knowledge of.)

> The defendants are being charged also with military export restriction violations.

They are throwing the book at them. But there's also this other, amusing, cachet-related viewpoint:

"I'm so badass that I was labeled a restricted military asset"...

Political blowback.

Nothing new in this day and age but you have to wonder what is causing these rifts.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact