Gamma FinFisher hacked: 40 GB of internal documents and source code published (netzpolitik.org)
402 points by srslack on Aug 6, 2014 | hide | past | favorite | 102 comments



Although many of the files in the leak are PGP encrypted, the files contained the Key ID of the destination. I ran these through various keyservers to determine who the recipient of the files happened to be, but the results were not too interesting:

This key is a NL law enforcement officer:

  pub 1024D/5A14D578 2003-02-21
  uid Jochen van der Wal
  sub 2048g/00BE9690 2003-02-21

This key appears to be a part-owner of a German private contractor (VERVIS):

  pub 1024D/66878388 2013-04-17
  uid Alfons Rauscher <alfons.rauscher@vervis.de>
  sub 2048g/8269976E 2013-04-17

This key is for a gentleman who describes himself as a "Senior Security Specialist & Consultant for Law Enforcement and Intelligence Agencies around the world.":

  pub 2048R/3F895273 2013-03-05 [expires: 2018-03-04]
  uid Alexander Hagenah <ah@primepage.de>
  sub 2048R/F166F2CA 2013-03-05 [expires: 2018-03-04]

This key turns up pretty much nothing:

  pub 2048D/89A4703C 2013-07-04 [expired: 2014-07-04]
  uid USB on Fire <usbonfire@gmail.com>

Same with this one:

  pub 1024D/85E86971 2009-06-12
  uid campo@campinator.com (New key 12/6/09) <campo@campinator.com>
  sub 4096g/C3F3EC1B 2009-06-12

These are obviously Gamma's (although the first has a typo):

  pub 2048R/D81082F4 2012-03-08
  uid Melvin Teoh (Gamma Group) <mt@gammmagroup.com>
  pub 2048R/A7A4AC21 2013-03-05
  uid Hari Purnama (pgp) <hp@gammagroup.com>

The full list of keys, should you be able to correlate these with the oppressive regime of your choice:

6ABDA7D0 4FB534CB 42C2DDCE E061DE51 0FEB4CFF 0FC82479 1B14387E 6D531E64 65BACA20 CBFF2AB4 BA87B977 8E037629 6ABDF71F 9C3E839A 331A704A 6225EAA0 780E8451 77B11C19 7704B771 A7A4AC21 2B9A229A 2C52A5C8 F166F2CA C47B1004 695D98C9 70A03877 C56A85E9 4E676679 7774F144 C3F3EC1B 9BBDD293 F5946EA8 F158ADF2 D81082F4 58143658 3471B217 06E990A5 8269976E 00BE9690 CF246B05 280AD26F B03A5EA9 977E9F54
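The lookup described in this comment starts with reading the recipient's key ID out of each encrypted file, which OpenPGP stores in the clear. The following is an added example, not code from the post or from the leaked material: it walks the packet headers of a binary (non-armored) .gpg message and lists the key ID and algorithm from every Public-Key Encrypted Session Key packet, stopping at the encrypted payload, with no private key needed. The packet layout follows RFC 4880; the sample message, its key IDs, and the helper names (`read_packet_header`, `recipient_key_ids`, `build_pkesk`) are constructed for this demonstration and are not values from the dump.

```python
"""List the recipient key IDs of an OpenPGP-encrypted message without decrypting it.

Every encrypted message opens with one PKESK packet per recipient (RFC 4880 5.1);
each carries the 64-bit key ID of the recipient's encryption (sub)key in the clear.
The sample message at the bottom is constructed for this example.
"""
import struct

PUBKEY_ALGOS = {1: "RSA", 2: "RSA-encrypt-only", 16: "ElGamal", 18: "ECDH"}
WILDCARD_KEY_ID = b"\x00" * 8  # written in place of a real ID when the sender hides recipients


def read_packet_header(buf, pos):
    """Parse the packet header at buf[pos]; return (tag, body_start, body_len)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("no OpenPGP packet at offset %d" % pos)
    if ctb & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag = ctb & 0x3F
        first = buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise NotImplementedError("partial body lengths are not handled in this example")
    tag = (ctb >> 2) & 0x0F  # old-format header (RFC 4880 4.2.1)
    ltype = ctb & 0x03
    if ltype == 3:  # indeterminate length: the packet runs to the end of the input
        return tag, pos + 1, len(buf) - pos - 1
    width = (1, 2, 4)[ltype]
    return tag, pos + 1 + width, int.from_bytes(buf[pos + 1:pos + 1 + width], "big")


def recipient_key_ids(buf):
    """Return one record per PKESK packet found before the encrypted payload."""
    recipients = []
    pos = 0
    while pos < len(buf):
        tag, start, length = read_packet_header(buf, pos)
        body = buf[start:start + length]
        if tag == 1:  # Public-Key Encrypted Session Key
            if body[0] != 3:
                raise ValueError("unsupported PKESK version %d" % body[0])
            key_id = body[1:9]
            recipients.append({
                "long_id": key_id.hex().upper(),
                "short_id": key_id[4:].hex().upper(),  # the 8 hex digits gpg prints after 1024D/
                "algo": PUBKEY_ALGOS.get(body[9], "algo %d" % body[9]),
                "hidden": key_id == WILDCARD_KEY_ID,
            })
        elif tag in (9, 18):  # (integrity protected) encrypted data: no more session keys follow
            break
        pos = start + length
    return recipients


def build_pkesk(key_id, algo=1, new_format=False):
    """Assemble a minimal PKESK for the demo (constructed data, not real ciphertext)."""
    mpi = b"\x00\x10\xab\xcd"  # 16-bit dummy MPI standing in for the encrypted session key
    body = b"\x03" + key_id + bytes([algo]) + mpi
    if new_format:
        return bytes([0xC0 | 1, len(body)]) + body
    return bytes([0x84, len(body)]) + body  # 0x84 = old format, tag 1, one-octet length


# Constructed sample: one ordinary RSA recipient, one hidden ElGamal recipient, then the
# start of the encrypted payload. Neither key ID is one of the IDs listed in the comment.
SAMPLE_MESSAGE = (
    build_pkesk(bytes.fromhex("1122334455667788"))
    + build_pkesk(WILDCARD_KEY_ID, algo=16, new_format=True)
    + bytes([0xC0 | 18, 3]) + b"\x01\xaa\xbb"
)

if __name__ == "__main__":
    for record in recipient_key_ids(SAMPLE_MESSAGE):
        print(record)
```

On a real binary .gpg file, `recipient_key_ids(open(path, "rb").read())` yields the same records that `gpg --list-packets` reports; ASCII-armored files need dearmoring first. An all-zero key ID means the sender used `gpg --throw-keyids`, so such a file cannot be attributed to a recipient this way at all, which is worth checking before concluding that a keyserver simply has no record.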


Canadian IP addresses show up as 5% in June 2010 in the leaked web analytics screenshots for FinFisher's support website:

https://imgur.com/krvsa9F

This coincides with the G20 in Toronto in June 2010, where one of the largest mass arrests in Canadian history happened (1100 people in total were detained) and where the Toronto police invested hundreds of millions of dollars in surveillance and security: https://en.wikipedia.org/wiki/2010_G-20_Toronto_summit

The Canadian gov has also recently attempted to make hacking people's phones with a warrant legal, part of a sprawling 'cyberbullying' law.

http://news.nationalpost.com/2014/06/10/proposed-cyberbullyi...


Great... they have MBR infections too..

The SQL database contains a lot of support tickets detailing the internal workings of some of the exploits and attacks:

  2x MBR Infection - Windows XP 32bit SP3 
  One of them is on 2.41 and one is on 2.51 
  Master is 3.0

  After the upgrade to v3 the targets are online and connectible. Very fine. And everything worked flawlessly until the upgrade.
  Except the fact, that *no* module is installed anymore and of course cannot be added. Means, no modules can be seen neither in live session nor in configuration.
  Therefore, the targets are useless since then.

  FYI: The attached error ./TargetActivity/$ID/$ID.log didnt show up anytime before and is Target reports error -10017 now reoccurring all the time.


The exploit java code seems to have been taken straight from this article:

http://www.exploit-db.com/papers/12991/

https://github.com/FinFisher/FinFly-Web/commit/d4f184e394f6a...


I wonder how long until someone does "FinFisher, Community Edition".

While FinFisher was a huge threat to people like democracy advocates in Bahrain (which is what I am hopefully speaking about at SXSW 2015...), now it's out there and even FVEY friendly organizations need to fear it.

FFCE should be usable by pure criminal or even script kiddie type organizations. FF was a pretty decent package, but freed of licensing constraints and designed for more autonomous deployment, FFCE should rapidly surpass it.

(EDIT: Apparently not too long: https://github.com/FinFisher)


That's done by the company itself, though. Not sure how this is going to serve them. Won't everyone (who cares about this) see exactly what they are trying to do, and then fight against it? I saw Jake Appelbaum even ask the Chrome team to pay attention to it, so they know how to protect users against it.

Also, the same way Popcorn Time repositories got banned from Github, couldn't this be banned, too, for malware/cybercrime, etc? What's Github's policy on that?


That GitHub account is a parody, set up after the leaks, in the same vein as the parody Twitter account [1]

[1] https://twitter.com/GammaGroupPR/status/496787518302748672


Popcorn Time was "banned" due to a DMCA takedown requested by the MPAA [1], not for violating GitHub rules, which are pretty permissive [2].

1. https://github.com/github/dmca/blob/3ccbdf1e3d20c78616c9a095...

2. See G7 - https://help.github.com/articles/github-terms-of-service


Ah, what a "fun" repo. I feel somewhat proud to have contributed code to a repo that was part of the first DMCA takedown that Github has in the dmca repo.

https://github.com/github/dmca/blob/master/2011-01-27-sony.m...


I would expect to see a DMCA request from Gamma as well.

This seems like a better application for a DMCA than Popcorntime. This is actual copyrighted stuff taken from Gamma. With Popcorntime it was just a tool that could be used for taking copyrighted stuff.


This is from the company itself? It's promoted by the mentioned twitter account: https://twitter.com/gammagrouppr

That's a spoof account, no?


For the curious, here is a magnet link of the leaked dump (38.7gb)

    magnet:?xt=urn:btih:4e8564f0edcb3875ad2dbb9658ca3d615cc6c152&dn=finfisher&tr=http://bt.careland.com.cn:6969/announce&tr=udp://tracker.coppersurfer.tk:6969/announce&tr=udp://tracker.openbittorrent.com/announce


I've had no success even starting it on uTorrent on windows. Transmission on my vm is happily chugging away though.

The biggest file in the torrent is FinSpy-PC+Mobile-2012-07-12-Final.zip (a hefty 33.75 gb)

Even though it's over 2 years in age, I hope that all the programmers out there, hackers, enthusiasts, employees of antivirus and antimalware companies turn this stuff inside out to see how it works and harden the world's software to make sure we can get better at protecting ourselves.

I've already found that the browser injection works either by running a malware .jar file or by installing a malware .xpi.

Needless to say here on HN of course, but I'm going to do it anyway: if you haven't done it already, GET THE JAVA RUNTIME OUT OF YOUR BROWSER.


Unfortunately, that zip file is password protected. And it appears most of the other good stuff (minus the web framework) is gpg encrypted.


I don't understand what the point of password and pgp protecting the data is.

Typically with torrents, if they're password protected they get shunned. Most torrent downloading software is even programmed to ignore .zip files because of the frequency of password-protected zips. I understand why these show up for illegal media, but for something like a leak it doesn't make sense to me.

Is there an angle I'm missing? I mean, they said they were releasing it to get it into people's hands, it's not like they pulled a wikileaks and used it as their insurance policy.


In a couple of weeks, you won't be able to download the unencrypted data anymore without a malware scanner kicking in.

By encrypting, it's out of reach of any automation.


I'm just guessing here, but I think that they protected their website contents themselves, not the uploader of the torrent. This would be the sane thing to do: even if the site gets hacked (...) your binaries still don't leak.

Pay the fee, get the PGP key.



These passwords don't seem to work. Do they work on your side?


Looking at the file list, most of the interesting stuff ends with .gpg, so if the key is not included it seems like a waste of bandwidth.


Unfortunately you may be right. Nearly everything is gpg encrypted, and the massive 33gb zip is a password-protected Acronis True Image file. So far all I have found that isn't encrypted is the web framework (posted on GitHub) and a bunch of marketing documents.


Best practice for this kind of leak is widely distributing encrypted files and then later distributing the key.


or a dead-man's switch release if something happens to the key holder...


Use a VPN. All eyes will be on this.


So? Is it illegal to download leaked data? Or only if you're a newspaper?


I have no idea about the legality, but it could make your life difficult if you (or someone close to you) want to get a security clearance at some point, or have one and would like to keep it when the time comes to renew it.


I've had security clearance (DV in UK) and a rapist axe murderer could get it. They have virtually no info on anyone and pretty much just base it on your likelihood of compliance.

It's easy to game.


Maybe so. The only person I know with security clearance says that when they have to renew it, people come and interview them, their neighbors, family members, etc. To go to that trouble without checking their internet history seems foolish, but that doesn't mean that they do it. (This is in the USA; I don't know what level of clearance they have, but I know they work on classified projects.)


They do the same in the UK but you can quite happily run anonymous accounts and be knee deep in anarchy and they wouldn't know.


BE WARNED:

My computer started behaving pretty strangely after I began downloading the torrent. Transmission had to download the metadata five times, then my SSD was locked at 100% usage even after I switched off my wifi card. My computer became unresponsive until after I restarted.

I wouldn't be surprised if there were malicious nodes somehow injecting an exploit payload. I recommend downloading this on a machine that you don't care much about.


Sounds more like Transmission was pre-allocating those files. At 38 gigs, even an SSD would be busy for a while.


you switched off your wifi card to stop a rogue process of some sort from using IO?



First takeaway from here [1] and the other docs:

1 - don't allow physical access to your machine. If you are worried about nation state actors, consider filling firewire and usb slots with super glue.

2 - don't use skype

[1] https://netzpolitik.org/wp-upload/FinSpyPC.4.51.ReleaseNotes...


3 - Don't use Windows.

Remember this gem? https://en.wikipedia.org/wiki/NSAKEY

Filling ports with glue is a pretty good idea. Clipping the leads might be necessary though; I'm not sure how well the glue will stick to metal.

Edit: I'm told that the government uses hot glue.

Another good suggestion that was in the news recently is to use nail polish to make your laptop tamper-evident.

http://www.wired.com/2013/12/better-data-security-nail-polis...


They do indeed use hot glue and bolt the computers into cages.

Then they buy monitors with built in USB hubs for keyboard and mouse and plug them in.

To circumvent, remove mouse, insert USB stick.

No kidding. This was a tier 1 defense company and I was DV cleared.


Ouch. I was thinking, "What if you unplugged the monitor cable...?" but that's even worse.

Still, when I was going to go on a tour of LANL (I decided it wasn't worth divulging my SSN, in case it was misplaced), they made it very clear that cell phones, USBs, etc. were not allowed; I'm not sure if I would have actually been searched, however. (Not that I was remotely tempted to push it.)

That was a long time ago. Today you can get such tiny devices that there's no way they could find them. Perhaps you could modify the firmware on something like this, and swallow it:

http://laughingsquid.com/wp-content/uploads/269902-sandisk-c...


Definitely. I use one of those USB sticks in my car radio so it doesn't stick out. It is tiny.

I was searched going in and out but you could easily stick one up your bum like a drug mule!


So what OS should you use? I imagine Linux and OSX are also out of the question as they are also supported by FinFisher.


You're right but you can reasonably expect some security patches now that it's been published, at least in the Linux world. Hopefully Apple could follow. Until then, you might perhaps consider using *BSD.


FWIW:

http://en.wikipedia.org/wiki/FinFisher#Detection

"According to announcements from ESET, FinFisher and FinSpy are detected by ESET antivirus software as "Win32/Belesak.D" trojan.[26][27]"

Apple did patch its iTunes player - 3 years after apparently knowing about it:

http://krebsonsecurity.com/tag/finfisher/

"A prominent security researcher warned Apple about this dangerous vulnerability in mid-2008, yet the company waited more than 1,200 days to fix the flaw."

But yes, I agree you should go with OpenBSD if you're worried about this:

http://www.secpoint.com/Top-10-Most-Secure-Operating-Systems...

"By default, [OpenBSD] is the most secure general purpose operating system out there. The proof in the pudding? The fact that it suffered only two remote attack vulnerabilities in the last decade serves as solid evidence of its stringent security and strict auditing policy. Moreover, OpenBSD lacks a large enough attack surface (care of running numerous web applications) for hackers to exploit."


Or if you do use Skype, use the Metro version, which finfisher allegedly can't eavesdrop on.

Original source was on Dropbox and is overloaded, but here's a link on Slashdot: http://beta.slashdot.org/story/205507


They didn't do their homework in this case. Companies like Ranorex (and also my company) access Windows Metro controls.

For the first step, you can read "Injecting a DLL in a Modern UI Metro Application" [1]

[1] http://blog.nektra.com/main/2013/02/25/injecting-a-dll-in-mo...


Or just don't use Skype. You have more to fear about Skype than just FinFisher hacking you.


  Or if you do use Skype, use the Metro version, which 
  finfisher allegedly can't eavesdrop on.
What? Bullshit. Why would Microsoft remove the law enforcement backdoors in the Metro version?


I haven't seen any indication that FinFisher is using deliberate backdoors from MS; from the article it sounds like it's just installing your typical spyware via exploits in things like PDF and XLS files.

But as wslh points out, the assertion that metro's sandbox makes things more secure isn't accurate. I can't get to the dropbox page either, so I'm not sure whether it's saying "FinFisher isn't able to eavesdrop on metro for technical reasons" or "FinFisher can't eavesdrop on metro because they haven't implemented that yet."

Either way, isn't this a separate issue from any surveillance access Microsoft is providing? One is local spyware grabbing your communications on your computer, and the other Microsoft grabbing the data as it goes through the Skype servers. I know Microsoft has that capability for text chats [1], and I assume it's the same deal for audio streams.

Making the Skype client less vulnerable is no more closing law enforcement access than if Apple fixed a vulnerability in Mail.app while continuing to hand out your iCloud emails to law enforcement agencies.

[1] http://arstechnica.com/security/2013/05/think-your-skype-mes...


Which is mostly the point, I guess.

If the feds want to listen in on your calls they have several options:

  1.) Use a 0day exploit in Skype client software.
  2.) Use the LE backdoors on the local machine.
  3.) Install a rooted version of Skype using some other Windows 
      0day or LE backdoor.
  4.) Just record any sound the microphone hears.
  5.) Capture traffic as it travels across the backbone.
  6.) Capture traffic as it travels through Microsoft's 
      central servers.
  7.) Capture traffic at the other end if the callee is using
      an old version of Skype.
Saying "the feds can't spy on you if you use Metro Skype" is in one narrow sense true, and in a wider sense outrageously, mendaciously false. If they can't do #1, they'll do #2-7.


The noise I've heard about FinFisher has been less about its use in Western countries, and more about Gamma selling it to oppressive regimes that use it against protestors.

If your goal is to keep your calls away from Egypt's State Security Investigations Service, by all means use metro Skype. If you're trying to hide from a country with law enforcement access to Skype's backend, then don't. But I don't see what the latter has to do with FinFisher.

As far as recording things from the mic outside of Skype, if FinFisher does that you're probably toast regardless. I haven't dug into the technical details, but I've seen it mentioned that it can deliver arbitrary payloads. Someone who reads through the doc dump will hopefully be able to confirm what exactly they've been doing with it.


Yeah, most of this finfisher stuff appears to be for surveillance states (plus assholes like nsa), not real law enforcement. Real cops / fbi can get a warrant and go straight to microsoft who appears to have very good skype capture ability. Why would you screw around with all this nonsense when all it takes is a couple hours of a DAs time to draft a warrant, a trip to see a judge (assuming you have a reasonable cause), then a fax to microsoft? Unless of course the reasonable cause thing is tripping you up...

ps -- that's not to say our governments aren't well aware of what FinFisher is doing. I bet the fastest way to seriously piss nsa/various pigs off is to sell an exploit before sharing it with the US/5 eyes. I mean, they don't "know know", but they know, the same way we know damn well what goes on in extraordinary rendition, though we all run around pretending to be shocked, shocked! that there's torture in egyptian prisons...


What? Did you really say fill your FireWire and USB ports with super glue?


https://en.wikipedia.org/wiki/DMA_attack

Edited to add: this is hearsay, but my friend just told me that this is the first thing techs do when they set up a computer at Los Alamos National Lab. (He knows some people who were contractors there.)


How do you plug in the mouse and keyboard?


The idea is hardening: disallow anything extraneous to your purpose which may negatively impact your security. So, get a computer with built-in peripherals (a laptop), or only leave the ports unglued which you intend to use.

An old-fashioned keyboard and mouse port serves only one function: connecting a keyboard or a mouse. A USB port is general purpose. Since the latter is much more complex, we can expect its drivers to contain a lot more vulnerabilities. If you expose your keyboard and mouse ports, and your USB ports, you're vulnerable to all of the flaws in both. If you only expose your keyboard and mouse, you're better off.

It's worth noting that none of this matters if you don't use full-disk encryption. They can mount your hard drive and add a user with root privileges to /etc/shadow and /etc/passwd in a matter of minutes if your drives are stored in clear text.


> It's worth noting that none of this matters if you don't use full-disk encryption.

And just to be clear, one of the fun things with FireWire exploits is that it easily defeats FDE -- it allows an attacker to dump the RAM, and extract the encryption keys from RAM (as the keys need to be in RAM for the OS to access the disks...).

So you could perhaps mirror the drives at night, when no-one is around, and dump the keys you need to use that dump during lunch break, when the machine is on, but unattended... You might argue that they could just blow some CO2 on your RAM sticks, and dump the keys from there (if they could already access your HDs...) -- and you'd be right -- but FireWire is a lot less intrusive...


I see. Thanks.


That's SOP in some large enterprises & government.


I can't edit my original comment, but I wasn't trying to imply anything except that I had never heard of this before. Reading the supplied links, this is a lesson learned for me.


No worries. There's a whole world of wacky stuff like this that most people never hear about!


I had just never heard of it before!


In www/GGI/SecureLink/secure_link.php, I present to you the password of the year:

  $SecureLinkKey="finfisher!@#$%^"; // Set to random string used to encrypt links
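The key quoted above is a literal in the source, so anyone holding the code can produce whatever the script accepts. As an added illustration (not code from the leaked framework, and in Python rather than its PHP), here is the same job done the way a practitioner would review it into shape: links are signed with HMAC-SHA256 under a secret generated outside the repository, each signature is bound to the path and an expiry, and verification uses a constant-time comparison. `WEAK_KEY` stands in for the hardcoded literal; the secret, paths and function names (`make_link`, `verify_link`, `new_link_key`) are constructed for the example.

```python
"""Signed download links: the hardcoded-secret pattern beside a hardened one."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# --- the pattern on the page: the key is a literal in the source ----------------------
WEAK_KEY = b"example-hardcoded-key"  # constructed stand-in for the fixed string in secure_link.php


def weak_sign(path):
    """Anyone holding the source (i.e. everyone, once it leaks) computes this identically:
    no expiry, no per-deployment secret, and a plain hash rather than a MAC."""
    return hashlib.md5(WEAK_KEY + path.encode()).hexdigest()


# --- hardened: secret from outside the code base, expiring HMAC, constant-time check ----
def new_link_key():
    """Generate the secret once at deploy time and keep it outside the repository
    (environment variable, secrets manager); the code never contains it."""
    return secrets.token_bytes(32)


def _message(path, expires):
    # Bind the signature to both the resource and its expiry so neither can be swapped.
    return f"{path}|{expires}".encode()


def make_link(key, path, ttl_seconds, now=None):
    """Return path?e=<expiry>&s=<hmac> for a link valid for ttl_seconds."""
    now = int(time.time() if now is None else now)
    expires = now + ttl_seconds
    sig = hmac.new(key, _message(path, expires), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'e': expires, 's': sig})}"


def verify_link(key, url, now=None):
    """True only for an unexpired link whose HMAC matches its path and expiry."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["e"][0])
        sig = query["s"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters: treat as unsigned
    now = int(time.time() if now is None else now)
    if now > expires:
        return False
    expected = hmac.new(key, _message(parts.path, expires), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant time: no early exit on a wrong byte


if __name__ == "__main__":
    key = new_link_key()
    url = make_link(key, "/downloads/manual.pdf", ttl_seconds=300)
    print(url, verify_link(key, url))
```

The difference that matters for a leak like this one is that `verify_link` stays secure after the source is published, because the secret is not in it; `weak_sign` does not, because the secret is the source.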


So random...


> An intelligence agency used FinFly ISP in the main national Internet Service Provider network. It was enough for the system to only know the target’s log-in information into the ISP network to be able to deploy a remote monitoring solution on his computer and monitor him from then onwards.

Wow. See https://netzpolitik.org/wp-upload/FF_SolutionBrosch%C3%BCre_... for FinISP.


Does this imply a designed back-door?


From Wikipedia:

>FinFisher can be covertly installed on targets' computers by exploiting security lapses in the update procedures of non-suspect software

Also, see: http://blogs.wsj.com/digits/2011/11/21/surveillance-company-...

So, apparently, no - just that most targets are running at least one application that downloads updates on an insecure channel. Because general-purpose OSes don't isolate applications from each other like, say, iOS, it would only take one neglected utility performing a software update over plain HTTP to be able to turn MITM into remote code execution with access to your entire computer.

If you are an ISP, you can of course commit MITM of HTTP traffic on any of your customers trivially.

The WSJ also shows a screenshot of a faked "download the latest version of flash player" screen, presumably on a non-HTTPS site. If your ISP is also a trusted CA (which I believe is not rare) they could also be MITMing HTTPS traffic as well.

It would seem that if you and all of the software you run use HTTPS all the time and if your OS enforces code-signing so that, i.e., only Apple can patch iTunes, you're pretty much immune. A VPN might provide some defense, but the ISP with which your VPN terminates could be ordered to perform/allow the same kind of MITM attack with the same result.

Interestingly, this sort of attack featured heavily in the Girl with the Dragon Tattoo series, except that she and her friends (lacking control of ISPs) would actually go to people's houses while they were out and wire MITMing devices into their cable/DSL connections. Having administrator-level access to an ISP would obviate the need for field operations, hence the NSA's infamous "I hunt sysadmins."
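The update-channel argument in this comment is easy to make concrete. Below is an added example, not code from the leak or from the articles linked, in which a dict stands in for the network as seen from a privileged position: the plain-HTTP response has been rewritten, and in a second variant the HTTPS response has too (the "ISP is also a trusted CA" case). The naive client installs whatever arrives; the hardened client refuses cleartext origins and unknown hosts and verifies the artifact against a digest it already holds. A pinned SHA-256 stands in for the code-signing check because the example is standard-library only; all URLs, hosts, payloads and function names are constructed.

```python
"""Insecure update fetch beside a verified one, run against a simulated on-path attacker."""
import hashlib
import hmac
from urllib.parse import urlsplit

GENUINE_UPDATE = b"updater v2.0 (constructed genuine payload)"
TROJANIZED_UPDATE = b"updater v2.0 (constructed genuine payload) + implant"
# The digest the vendor ships with the application or publishes in a signed manifest.
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()

# A dict standing in for the network. The on-path operator rewrote the plain-HTTP
# response; the HTTPS response survives because it cannot be rewritten without a
# certificate the client trusts.
ISP_MITM_NETWORK = {
    "http://updates.example.invalid/updater.bin": TROJANIZED_UPDATE,
    "https://updates.example.invalid/updater.bin": GENUINE_UPDATE,
}
# Same operator, but now holding a CA the client trusts: TLS alone no longer helps.
ROGUE_CA_NETWORK = {
    "http://updates.example.invalid/updater.bin": TROJANIZED_UPDATE,
    "https://updates.example.invalid/updater.bin": TROJANIZED_UPDATE,
}


class UpdateRejected(Exception):
    pass


def naive_update(url, network):
    """The vulnerable pattern: fetch over whatever scheme the URL has and trust the bytes."""
    return network[url]


def hardened_update(url, expected_sha256, network, allowed_hosts=("updates.example.invalid",)):
    """Refuse cleartext origins and unknown hosts, then verify the artifact before use."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UpdateRejected("refusing update over %s: cleartext is rewritable on-path" % parts.scheme)
    if parts.hostname not in allowed_hosts:
        raise UpdateRejected("unexpected update host %r" % parts.hostname)
    data = network[url]
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        # This is the check that still holds when the transport itself is compromised.
        raise UpdateRejected("artifact digest does not match the pinned value")
    return data


def outcome(client, *args):
    """Run one client and report whether it would have installed a tampered artifact."""
    try:
        data = client(*args)
    except UpdateRejected as exc:
        return "rejected: %s" % exc
    return "installed genuine" if data == GENUINE_UPDATE else "INSTALLED TAMPERED"


if __name__ == "__main__":
    http_url = "http://updates.example.invalid/updater.bin"
    https_url = "https://updates.example.invalid/updater.bin"
    print(outcome(naive_update, http_url, ISP_MITM_NETWORK))
    print(outcome(hardened_update, http_url, PINNED_SHA256, ISP_MITM_NETWORK))
    print(outcome(hardened_update, https_url, PINNED_SHA256, ISP_MITM_NETWORK))
    print(outcome(hardened_update, https_url, PINNED_SHA256, ROGUE_CA_NETWORK))
```

The fourth case is the one the comment raises: once the network operator can mint certificates the client trusts, only verification of the artifact itself (a pinned digest here, a vendor signature in a real updater) separates a patch from an implant.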


A big round of applause to whoever did this.


I'd word it a different way.

The phrase, "it couldn't have happened to a nicer person" springs to mind (the company not the hacker).


I don't know ... if most of the juicy stuff is encrypted, this could just be a brilliant pr stunt... Now everyone[1] wants to buy this thing... right?

[1] #NotAllTyrants?


I'm worried for this individual's safety.


The kind of national agencies that have the capacity to make the hacker "have an accident" develop their own systems in-house. As far as I am aware the market for products like FINFISHER is ordinary LEO and crappy regimes in the Middle East and Asia that don't have the capacity to black-bag a foreign national.


I'm not. Too many eyes on this now.


That didn't stop Jeremy Hammond from being convicted and sentenced to 10 years for the Stratfor hack.


Maybe I'm missing something in the article, or disclosed elsewhere, but we don't know who s/he is. If the CIA put Thorium in their sushi, we'd have no way to connect the dots.

Edit: I think they'd be far more likely to prosecute them than assassinate them though.


It's a little late for that.


Looks like the site might be under attack or just overwhelmed by traffic. Here's the google cache for those who can't access the site:

http://webcache.googleusercontent.com/search?q=cache:https:/...


Governments need to stop using private contractors for such sensitive projects. It exponentiates their attack surface, and as Peter Zatko pointed out[1], they have little incentive to defend themselves; if another state steals a covert capability from a defense contractor, the government's response is to... hire a defense contractor to replace it with a new, improved capability.

[1] http://www.youtube.com/watch?v=oBtzaRHqP2c

Edit: perhaps I should clarify that I don't actually support governments doing this.


> Governments need to stop using private contractors for such sensitive projects.

This is a problem I've been wondering about for a little while now. A sitting US Senator is only paid $174,000/year. 100 of the most powerful men/women in the country, passing trillions of dollars in spending bills, are paid roughly what a mildly experienced engineer makes at Google.

What do you think the average salary of a team capable of producing and securing software like FinFisher would be in a competitive market? Surely more than $174,000/year, right? This presents a problem for the hierarchical nature of our government salary base. What possible incentive can you offer to get the highest quality workers with the prospect of 'hearings' for wasteful spending looming over you at every election season?


Seems like the original author is only commenting on Reddit. It's surprising that this was posted to /r/Anarchism instead of a bigger subreddit like /r/tech or /r/politics. That makes me think that the original leaker was already involved in the /r/Anarchism community in some way.

Interesting comments from the author on the Reddit thread:

"""

Not just replying to you, but directed at everyone that'll say I should've leaked it to some organization and that it's 'irresponsible' to dump the raw data on everyone or something:

I'm unconvinced that news stories about government's surveillance capabilities are actually effective in fighting those systems of control. Listening to stories all day about how we're all being hacked and spied on just feels disempowering. When everyone can participate it's more empowering, more fun, and far more effective. Gamma deliberately avoided storing identifying information about their customers, the customers I've managed to identify so far are from looking at the metadata in the documents they sent finfisher support staff and other mistakes they made. The more eyes looking at it, the more we'll find. I want the researchers at citizen lab and elsewhere who have been researching finfisher attacks to use this data in whatever way it'll help them. I want whoever wants to try their hand at forensics to be able to look through it and find what they can about Gamma's customers. I want programmers, hackers, and reverse engineers to have access so they can analyze the software and take it apart. In enabling people with diverse talents to actively participate in the research, we can hopefully develop a better understanding of the tools, organizations, and methods of operation involved in these attacks so that those targeted can actually defend themselves, not just read headlines about how powerful the organizations targeting them are. I want everyone having access to the data, not just the headlines! Seed the torrent!

"""

"""

What rechelon said about the EFF. They're reformist lawyers that do some good work, but are terrified of anything too radical or illegal. There's no way they'd touch this, they aren't wikileaks. In the unlikely event that I ended up on trial for this, EFF probably wouldn't even help with the legal defense. They help with some hacking related cases like weev's or DeCSS, because those cases were on the edge of the law and legal precedent was being set. The EFF does not defend computer hackers if it's not setting legal precedent and aligning with their reformist goals.

"""

It'll be very interesting to see how this aspect plays out. I expect "anarchist hacker" headlines before long.


I wonder if those passages are enough to perform style analysis. reddit doesn't let us search comments, but we know they're a member of /r/Anarchism. These parts seem identifying to me:

* Capital letters and proper punctuation. Investigating the source code shows that they one-space.

* Single quotes, not double quotes, around individual words.

* Repetition in triplets with a serial comma ("...more empowering, more fun, and far more...", "...programmers, hackers, and reverse engineers...").

* No semicolons, sparing use of exclamation points at the end of comments only.

* Always uses contractions.

With further analysis we could probably find regional dialects, average sentence length, rate of punctuation use, etc. Crawling /r/Anarchism with that criteria could identify them.

Pure guesses and speculation follow: the hacker probably posts comments on /r/Anarchism. With 50,000 subscribers, there may be about 5,000 commenters. Of those, perhaps 80% of them put one space after a period. So, with only that criteria, we've reduced the anonymity set to 4,000 people.

For what it's worth, I commend their efforts (and am seeding the hell out of the torrent) but think it was a serious mistake to make a post announcing it. They should have posted it on major sites anonymously, not pseudonymously. To post prose online risks being identified by stylometrics or things like time between key presses, etc. (Perhaps these could be defeated by copy and pasting to and from Google Translate.)


Or you could do like the post itself suggests: if you're going to try your hand at forensics, why not dig into that 40GB data dump and see what you can find out about this Gamma/FinSpy business.

Sure it's interesting to figure out who hacked/leaked all this data. But in the same sense, it's extremely counterproductive to do so, if you agree in any way that it is wrong what this company is doing, collecting and selling 0day malware kits.

(hmm, for some reason I missed your last paragraph, so the above doesn't really apply to you. however the point still stands for others / in general)


If someone is going to try this, be sceptical of the results. We do not know for sure they're a member of /r/Anarchism. If you run the analysis only on the members of that subreddit, you'll only get "the member that writes most like the leaker".


Sorry to burst the bubble but you can't rely on the result of this kind of analysis. Identifying people through their writing style isn't new, and you don't know they haven't already done a prior analysis and ensured their writing style doesn't identify them (or maybe matches to someone else on /r/anarchy).

Things that can be faked have every chance of being faked. Especially when it comes to hackers who need to cover their tracks daily.


Very true. My post was self-described guesswork and theory, but I wouldn't be so dismissive of it!


One needs a grammar proxy to clean their writing.


Machine translation to another language and back?


Someone else to type the message as it's dictated to them, skewing style fingerprinting.


I've got json (includes) for the top 1000 posts from July 27. If someone wants it for this, PM me.


"PM me" Sarcasm?


I'm happy that he shares my exact point of view on this.

Apparently it's okay for anyone to just build up a suite of security penetrating software, call yourself a 'security company' and sell it on the open market. You will just get money thrown at you by governments and voila, there's your profit. Now just keep all the exploits you find private and rake in the millions. (100 clients in their database, times at least 1.5 million. You do the math)

The only thing we 'geeks' can do against this is tear this apart whenever it leaks, submit the relevant bug reports to the companies that are exploitable and hope for quick patches. It's an insane world we live in.

Footnote: I do not condone or promote hacking websites and then leaking data like this, but I have a strong feeling that this hacker just used SQLMap on their site (judging by the fact that there's no sql injection prevention at all in the code)
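The footnote's suspicion is that the web code never separated query text from user input. As an added example (not code from the leaked framework, which is PHP; this is Python's built-in sqlite3 against a constructed in-memory user table), here is the string-built lookup beside the parameterized one, plus a small request-log heuristic of the kind a defender would use to spot scanner traffic. The table contents, the probe string and the function names are constructed for the demonstration.

```python
"""String-built SQL beside placeholder binding, on a constructed user table."""
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a support-portal user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    db.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                   [("alice", "hash-a"), ("bob", "hash-b")])
    return db


def find_user_vulnerable(db, username):
    """String-built SQL: the caller's value is spliced into the statement text, so a
    quote character in it changes the query's structure instead of being compared."""
    sql = "SELECT id, username FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def find_user_parameterized(db, username):
    """Placeholder binding: the driver hands the value to the engine separately from
    the statement, so it is compared as data and never parsed as SQL."""
    return db.execute("SELECT id, username FROM users WHERE username = ?", (username,)).fetchall()


def looks_like_injection(value):
    """Cheap request-log heuristic for entries worth a second look. It is a detection
    aid only; binding, not input filtering, is what actually prevents injection."""
    needles = ("'", "--", "/*", " or ", " union ", ";")
    lowered = value.lower()
    return any(n in lowered for n in needles)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed tautology probe, the textbook first test of a scanner
    print("vulnerable:    ", find_user_vulnerable(db, probe))  # every row comes back
    print("parameterized: ", find_user_parameterized(db, probe))  # no such username: []
```

The parameterized version returns nothing for the probe because the whole string, quotes included, is compared against the username column; the vulnerable version returns every row because the quotes terminated the literal and the rest became part of the WHERE clause.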


How does a security company not have sql injection protection!!!??

The irony is frightening.


They specialize in breaking security, not making it stronger. Same reason no thief would bother to install a top-notch security system for his house.


IIRC HBGary got pwned exactly like that.


HBGary also got social-engineered with emails to an overseas sysadmin. At that point they had already used some relatively minor security exploit, then used the social engineering to escalate privileges further.

(this is from vague memory, I may have gotten some details wrong here)



One question.

If this analysis by Citizen Labs is correct: https://citizenlab.org/2012/07/from-bahrain-with-love-finfis...

Then it seems very much that FinSpy uses GNU libGMP in its source code, right?

If that's the case, aren't they obligated by law and license to release the relevant source code of their system to the public under GNU v3 or GNU v2 licenses?


You don't have to release the source code to the public. That is just one of the easiest ways to satisfy the terms of the license.


To further specify: The GPL states that the recipient of the software has a right to also get the source. The public is simply not a recipient of the software.


Is, in this case, the recipient also the user of the infected computer?


Well... now it is ;)


They only have to release that particular source code and any changes they have made. They aren't obligated to release anything related to or using that code. Essentially it just means they need to provide links to download either the original code if they haven't changed it or provide the source if they have altered it.


That's only if it's the LGPL and they modified the original library. If it's GPL licensed, then yes, if someone asks for the source code, they have to make it available.


After downloading the torrent for a while I noticed this in my router firewall log entries:

FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 79.245.172.75 Dst ip: 82...* Type: Redirect Code: Redirect Datagram for the Host

The IP address with the asterisks is MY IP address and the other one belongs to Deutsche Telekom. Are they trying to MITM me or what?
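An ICMP Redirect asks a host to change its route for a destination, so one arriving from anywhere other than the router on your own link is the thing to look at in a log like the one above. The following is an added example, not code from the post: it parses lines in the same shape as the quoted firewall entry, flags redirects, and distinguishes the local gateway from any other sender. The log lines use RFC 5737 documentation addresses rather than the addresses in the comment, the gateway address is assumed, and the function names are constructed.

```python
"""Flag ICMP Redirects in router firewall log lines of the shape quoted above."""
import re

# Constructed log lines in the same shape as the router entry quoted above, using
# RFC 5737 documentation addresses rather than the real ones from the comment.
SAMPLE_LOG = """\
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 198.51.100.7 Dst ip: 192.0.2.10 Type: Echo Request Code: No Code
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 198.51.100.7 Dst ip: 192.0.2.10 Type: Redirect Code: Redirect Datagram for the Host
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 192.0.2.1 Dst ip: 192.0.2.10 Type: Redirect Code: Redirect Datagram for the Network
FIREWALL icmp check (1 of 1): Protocol: ICMP Src ip: 203.0.113.9 Dst ip: 192.0.2.10 Type: Destination Unreachable Code: Port Unreachable
"""

LINE_RE = re.compile(
    r"Protocol:\s*ICMP\s+Src ip:\s*(?P<src>[\d.]+)\s+Dst ip:\s*(?P<dst>[\d.]+)\s+"
    r"Type:\s*(?P<type>.+?)\s+Code:\s*(?P<code>.+?)\s*$"
)

# Assumed local gateway for the demo. A redirect is only meaningful from the router on
# your own link; one from any other address is spoofed, bounced, or a misconfiguration.
LOCAL_GATEWAY = "192.0.2.1"


def parse_icmp_line(line):
    """Pull src, dst, type and code out of one firewall entry; None if it is not one."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def classify(entry, gateway=LOCAL_GATEWAY):
    """'alert' for a Redirect from anything but the local gateway, 'review' for one
    from the gateway (plausible but rarely expected on a home link), 'info' otherwise."""
    if entry["type"] != "Redirect":
        return "info"
    return "review" if entry["src"] == gateway else "alert"


def scan(log_text, gateway=LOCAL_GATEWAY):
    """Return (severity, src, type, code) for every ICMP entry in the log text."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_icmp_line(line)
        if entry is None:
            continue
        findings.append((classify(entry, gateway), entry["src"], entry["type"], entry["code"]))
    return findings


if __name__ == "__main__":
    for severity, src, icmp_type, code in scan(SAMPLE_LOG):
        print(f"{severity:6} {src:15} {icmp_type}: {code}")
    # Hosts need not honour redirects from the network at all: on Linux that is the
    # sysctl net.ipv4.conf.all.accept_redirects=0 (and its net.ipv6 counterpart).
```

Whether the sender in the comment is doing anything deliberate cannot be told from one line; what the router log does show is that the packet was dropped at the firewall, and a host that ignores redirects entirely has nothing to lose either way.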


There is no news on this topic? It's very important and has almost no relevance in the media. The leak details the hack here: http://t.co/QWRRo9cCLN



