NSA/GCHQ: The HACIENDA Program for Internet Colonization (heise.de)
116 points by mstolpm on Aug 15, 2014 | 49 comments



An anonymous hacker announces that they owned thousands of home routers to scan the entire Internet, security expert Rob Graham runs his masscan tool to scan the entire Internet, but when it's disclosed that .govs run nmap it's time to patch your TCP stacks?

Whether or not you think that governments should spy, the amount of hype here seems staggering.


> when it's disclosed that .govs run nmap it's time to patch your TCP stacks?

They don't just nmap the internet, they systematically compromise vulnerable targets as per the article and the slides. And unlike common criminals, there's no hope of them being stopped by any law enforcement agency.

If they're really going after every non 5-Eyes machine they can compromise, people living outside of the 5-Eyes need to protect themselves.


And unlike common criminals, if they decide that you deserve to be extraordinarily rendered, there's no hope of stopping them.

This is why you should resist government spying, because once you come to their attention, they could mistakenly or rightly decide that you need to be fucked with in some way, which could range from a brief arrest to murder. Merely coming to a government's attention puts you at risk, so we should minimize the chance that anyone can come to the government's attention.


> people living outside of the 5-Eyes need to protect themselves.

I wonder what would happen if they started using Monstermind-like software?


Yeah, I mean this colossal misunderstanding (or willful ignorance, really) also comes up in basically every discussion on privacy.

"Oh, so you give all that information to Facebook, but you don't want the government to have it?"

Well yes, smartypants, that's because the government has the monopoly on violence. Full stop.


The difference is, Rob Graham isn't going to compromise the box and use it to mask the origin of future scans and malware attacks.


Will he? What about the tens of thousands of other people that can run that tool? What about people that can type queries into SHODAN? Why are they not problems?

If you don't think that your government should spy, that's fine, a lot of very respectable people have had this opinion over the course of human history. I just don't buy the remediation story, at all.


> Will he? What about the tens of thousands of other people that can run that tool? What about people that can type queries into SHODAN? Why are they not problems?

You seem to conveniently ignore the fact they are doing this with the intent to exploit.

It's cute and all but honestly, anyone who is going to do that then seek to compromise a box is a problem. It's the intent of compromising the box that is the issue, not simply scanning.

Did you not RTFA?

"The covert infrastructure includes so-called Operational Relay Boxes (ORBs), which are used to hide the location of the attacker when the Five Eyes launch exploits against targets or steal data (Figure 18). Several times a year, the spy club tries to take control of as many machines as possible, as long as they are abroad. For example, in February 2010 twenty-four spies located over 3000 potential ORBs in a single work day (Figure 19). However, going over the port scan results provided by HACIENDA was considered too laborious (Figure 20), so they programmed their OLYMPIA system to automate the process (Figure 21). As a result, the spies brag that they can now locate vulnerable devices in a subnet in less than five minutes (Figure 22)."
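The automation step the quoted passage describes (turning raw port-scan output into a list of candidate hosts) looks, in practice, like a small triage script over scanner output. The following is an added example, not code from the thread or from the article, and nothing here is claimed to resemble OLYMPIA itself: it parses nmap's grepable (-oG) output and flags hosts that expose a chosen set of services. The scan lines are constructed sample data in the -oG format, and the list of "interesting" services is an assumption for illustration.

```python
"""Triage nmap grepable (-oG) output into a candidate host list.

Added example, not code from the thread or the article. SAMPLE_SCAN is
constructed sample data in nmap's -oG format; INTERESTING is an assumed
list of services worth a closer look.
"""
import re
from collections import namedtuple

# Constructed sample in nmap -oG format. Each "Host:" line carries
# tab-separated fields; the "Ports:" field lists entries separated by ", ",
# each with seven '/'-separated parts: port/state/proto/owner/service/rpcinfo/version.
SAMPLE_SCAN = """\
# Nmap 6.46 scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15/\tIgnored State: closed (998)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 443/open/tcp//https//nginx/\tIgnored State: filtered (999)
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tPorts: 23/open/tcp//telnet//Cisco router telnetd/, 80/open/tcp//http//Boa HTTPd 0.94.14rc21/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (997)
# Nmap done (constructed sample)
"""

Service = namedtuple("Service", "port proto state name version")

# Assumed: services whose mere exposure makes a host a candidate for follow-up.
INTERESTING = {"ssh", "telnet"}


def parse_grepable(text):
    """Return {ip: [Service, ...]} for every host line in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = re.match(r"Host: (\S+)", fields[0])
        if not m:
            continue
        ip = m.group(1)
        hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].strip().split(", "):
                # Split into at most 7 parts so a '/' inside the version
                # string (the last field) does not break the layout.
                parts = entry.split("/", 6)
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, name, _rpc, version = parts
                hosts[ip].append(
                    Service(int(port), proto, state, name, version.rstrip("/").strip())
                )
    return hosts


def triage(text, interesting=INTERESTING):
    """Hosts exposing at least one open service from the interesting set.

    Filtered or closed ports are ignored: only services that actually
    answered count, which is what a follow-up exploitation step would need.
    """
    candidates = {}
    for ip, services in parse_grepable(text).items():
        hits = [s for s in services if s.state == "open" and s.name in interesting]
        if hits:
            candidates[ip] = hits
    return candidates


if __name__ == "__main__":
    for ip, hits in sorted(triage(SAMPLE_SCAN).items()):
        print(ip, ", ".join(f"{s.port}/{s.proto} {s.name} {s.version}".strip() for s in hits))
```

With the constructed input, 203.0.113.10 (OpenSSH on 22) and 203.0.113.12 (telnet on 23) come out as candidates, while 203.0.113.11 (only HTTPS) and the filtered 8080 on .12 are left out. The same parser feeds any per-version filter a practitioner would add next, for example matching the banner against a list of known-vulnerable releases.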


How do you know that?


It's obvious, but I've not seen it presented clearly before: the interesting bit for me was that if your attacker can see all the traffic on the network, traditional means of hiding a host (moving off a common port, and port knocking) don't do you any good because your attacker can see the traffic when you use it, and use that as leverage to acquire themselves an ORB. Normally you wouldn't assume that J. Random Skiddie has your router.
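The point above (port knocking and moved ports offer no protection against an eavesdropper who sees the traffic) can be shown concretely. This is an added example, not code from the thread: a passive observer at a network vantage point reconstructs a knock sequence and the hidden service port from flow records alone, with no active probing. The flow records are constructed sample data, and the time window and minimum knock count are assumed thresholds.

```python
"""Passive recovery of a port-knock sequence from observed flows.

Added example, not code from the thread. OBSERVED is constructed sample
data; WINDOW and MIN_KNOCKS are assumed thresholds.
"""
from collections import defaultdict, namedtuple

# outcome: 'unanswered' (SYN with no SYN/ACK, i.e. a closed or knock port)
#          'established' (handshake completed)
Flow = namedtuple("Flow", "t src dst dport outcome")
Knock = namedtuple("Knock", "client server sequence hidden_port")

# Constructed observations as an upstream router or tap would see them.
OBSERVED = [
    Flow(0.0,  "198.51.100.7", "203.0.113.20", 443,  "established"),  # unrelated HTTPS
    Flow(10.0, "198.51.100.9", "203.0.113.20", 7000, "unanswered"),   # knock 1
    Flow(10.2, "198.51.100.9", "203.0.113.20", 8000, "unanswered"),   # knock 2
    Flow(10.4, "198.51.100.9", "203.0.113.20", 9000, "unanswered"),   # knock 3
    Flow(10.9, "198.51.100.9", "203.0.113.20", 2222, "established"),  # SSH on a moved port opens
    Flow(40.0, "198.51.100.3", "203.0.113.20", 22,   "unanswered"),   # a scanner without the knock
    Flow(40.1, "198.51.100.3", "203.0.113.20", 2222, "unanswered"),   # sees nothing at all
]

WINDOW = 5.0    # assumed: knocks must precede the real connection within this many seconds
MIN_KNOCKS = 2  # assumed: fewer unanswered SYNs is treated as noise, not a knock


def recover_knocks(flows, window=WINDOW, min_knocks=MIN_KNOCKS):
    """Return one Knock per (client, server) pair whose successful connection
    was preceded, within `window` seconds, by at least `min_knocks`
    unanswered SYNs. The sequence is the knock; hidden_port is what it opened.
    """
    by_pair = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.t):
        by_pair[(f.src, f.dst)].append(f)

    found = []
    for (src, dst), seq in by_pair.items():
        pending = []  # unanswered SYNs not yet followed by a connection
        for f in seq:
            if f.outcome == "unanswered":
                pending.append(f)
            elif f.outcome == "established":
                knocks = [k for k in pending if f.t - k.t <= window]
                if len(knocks) >= min_knocks:
                    found.append(Knock(src, dst, tuple(k.dport for k in knocks), f.dport))
                pending = []  # a completed handshake ends any candidate sequence
    return found


if __name__ == "__main__":
    for k in recover_knocks(OBSERVED):
        print(f"{k.client} -> {k.server}: knock {k.sequence} opens port {k.hidden_port}")
```

The scanner at 198.51.100.3 learns nothing, which is the scenario port knocking is designed for. The eavesdropper, by contrast, gets the full sequence (7000, 8000, 9000) and the moved SSH port 2222 from one legitimate session and can replay both; the secret was only ever the knowledge of which ports to touch, and that knowledge crosses the wire in the clear. Against an observer with this vantage point only real authentication (for example keys plus a properly patched daemon) helps, not obscurity of the port.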


I'm staggered by the level of distortion: I don't have any sort of demand from "Rob Graham", but I have many demands from my government.


I still find it hard to believe that there are people who justify these heinous tools as 'necessary' or 'vital' to the survival of the Western "democracies" who deploy them. It's a terrible state of affairs that we justify such intrusions - and yet fail to see, when 'the other side' lashes out in anger, the reasons why it is so. We are stuck in a feedback loop here, and it seems the only thing to do is turn off the microphone. But oh, the stage lights - how they draw us in!

Quickly people. Build a better Internet.


It's the same people that want to cut benefits for "those people", etc.

The simple fact of the matter is, the people making these decisions are members of a privileged class of people that see any other class of people as "those people".

Building a better technical solution is only a partial solution. All technical solutions will have flaws that can be exploited given sufficient financial resources being expended at the task.

We need to replace our government.


> Building a better technical solution is only a partial solution. All technical solutions will have flaws that can be exploited given sufficient financial resources being expended at the task.

History has demonstrated that this is true of social/political solutions, as well (unsurprising, as these are really "technical" solutions in a different domain of technology.)

> We need to replace our government.

This is occasionally a good solution for existing problems, but quite often -- even when the government in question is far worse than our current one -- the cure ends up at least as bad as the disease. So, with any such call, one must demand a detailed accounting of "with what do you wish to replace it" that stands up to scrutiny not just of its theoretical attractiveness but its ability to be established and operate as intended in the world that actually exists and the people that are actually in it.


I mean vote against the sort of politicians that empower these people and contribute to lobbies that are pro-privacy/civil rights.


Lots of people voted for Obama exactly because he said or implied that he would rein these people in, yet he's done nothing but ramp up, and add drone strikes.

Now what? Vote for the next guy who says he's going to rein this in?


Replace our government with what and how? What is the timeframe?

Technical solutions can be implemented now.

Formal methods can be used to prove correctness. The number of flaws could be cut by a factor of 1000, I'd imagine, when thinking of the current state of code running on devices connected to the internet.


"Heinous tools"? They're literally running nmap.


I'll quote the slides: 1. (R)econnaissance 2. (I)nfection 3. (C)ommand And Control 4. (E)xfiltration

They're literally running nmap for the reconnaissance part but I believe the "heinous" qualifier applies to the rest of the plan, which according to figure 18 consists of acquiring "as many new ORBs as possible in as many non 5-Eyes countries as possible". Unless I'm reading it wrong, they describe how they try to pwn as many machines as possible outside of Australia, Canada, New Zealand, the United Kingdom and the United States.


I think they may have been referring to the tools used to identify security vulnerabilities and exploit them after the initial port scanning. Probably just variants on Nessus / OpenVAS / Metasploit / etc. at a guess.

I agree with you though. The existence of nmap, Nessus etc. isn't the problem. These tools help the state of security over time. The fact that the governments of the world are so paranoid that they feel they need to try to automatically compromise the majority of internet facing devices in the world is a problem.


"They are using a tool I know, therefore it's ok"


One need not use nmap to understand that their reconnaissance is of information already considered public information.


The only way a reasonable person could write this comment is if they didn't know what nmap did.


The only way a reasonable person would correct his comment is if he thought mislabelling nmap as heinous is of any importance with regards to the heinous nature of the whole operation.


Yes, that's about right.


I know what nmap is, and it's not the tool I was referring to .. the entire program (a 'tool for governments') is the object of my ire.


Yes, the surface justifications for the surveillance programs of the NSA/GCHQ/etc. are those of public safety and national security, but I think the evidence increasingly points to strategies whose primary intent is to protect the political and capitalist classes against an uprising. These intrusive efforts by the intelligence agencies are necessary simply to better shape public opinion and, if things truly go from bad to worse, to protect themselves.

Improving the internet so that it is less susceptible to surveillance is an important effort, but one that does not address the underlying problems of current income inequality or future climate change, both of which can (and more than likely will) become vessels for disorder.


None of this looks particularly new or shocking to me. Seems like automation of standard techniques, which I would be more surprised to find out they weren't using. And hacking foreign networks... isn't that exactly their job as signals intelligence?


Yes, but they don't want the hacking to be traced back to them. So they're hacking random servers online and using them as their bounce boxes to attack their actual intended targets from.


The problem is they do things like take out the internet in all of Syria.

http://www.theverge.com/2014/8/13/5998237/nsa-responsible-fo...

They are targeting civilian networks, not military ones. That is a huge problem. It's one thing if they were trying to break into foreign, legitimate targets of interest [military, defense industry, foreign intelligence, foreign governments].

That isn't what they are doing. They are just trying to get access to everything they can get their hands on. Civilian and military alike.


The problem with your comment is that it has nothing to do with this story. It involves a different intelligence agency, doesn't involve routers, doesn't involve attacks of any sort, and could not have brought down the Internet in Asmara Eritrea, let alone Syria.


What do you think "take control of as many machines as possible" means? Asking them nicely to hand over their SSH keys?

"The covert infrastructure includes so-called Operational Relay Boxes (ORBs), which are used to hide the location of the attacker when the Five Eyes launch exploits against targets or steal data (Figure 18). Several times a year, the spy club tries to take control of as many machines as possible, as long as they are abroad. For example, in February 2010 twenty-four spies located over 3000 potential ORBs in a single work day (Figure 19). However, going over the port scan results provided by HACIENDA was considered too laborious (Figure 20), so they programmed their OLYMPIA system to automate the process (Figure 21). As a result, the spies brag that they can now locate vulnerable devices in a subnet in less than five minutes (Figure 22)."


If you literally believe that GCHQ has owned up every machine it is technically and feasibly capable of owning up, there's not a lot of reasonable conversation that can happen between the two of us.


Pretty much. You blatantly ignore the repeated statements that the vulnerability scan is a prelude to actively attacking machines for some reason. I'm not sure why.

I'm not saying they are attacking any machine they can. They are, however, attacking some machines.

You don't develop the capability to build target lists, to attack targets, and state you do attack targets...unless y'know, you actually do.

You might use it on a limited scale at specific targets but you do use it. The problem is, I don't have faith they actually engage in selective targeting.


There is absolutely no way the USG's best program for mass-scale network reconnaissance relies on nmap. All possible respect to Fyodor, but nmap just isn't very good at that task, and if ever there was a bikeshedding problem in software security, port scanning and active host identification is it.


Though I respect both your opinion and Fyodor greatly, I have to disagree here.

Mass-scale isn't really the issue. They have plenty of hosts to work with, so masscan wouldn't help. They're doing more than just open port detection, so nmap's many other features are helpful, as is the fact that nmap's scanning signatures aren't as suspicious as a custom scanning service that just so happened to be deployed worldwide.


Is anyone saying this is the "best"? I'd put it down to "most easily hacked together under time pressure".


I assume when doing active probes, you'd want to match the fingerprint of the most common tool for plausible deniability. I also highly suspect that this predates open source alternatives like masscan and zmap.

Performance isn't a concern because they are using lots of other peoples infrastructure.


It isn't the best, but it's not bad, and they do use it.


So they break into my router, then fuck with somebody else's network, and then I'm getting blamed for it ?

1. using my bandwidth, electricity etc is theft. 2. framing me for their crimes is criminal conspiracy. 3. fucking with somebody else's network is terrorism.

Either all these people (not just the scapegoats) go to jail, or they just declared the internet a lawless zone. Effectively legalizing piracy, spam, blackhat-hacking etc.

Because proving guilt is now impossible, every plaintiff can just point to dark government circles having control over their computer. In case proving guilt is no longer the guiding principle for justice, they just lost the basis for the governmental monopoly of violence, the right to collect taxes etc.

Also it's only going to be a matter of time, until some other criminal(s) gets access to their ORBs & start ddosing or blackmailing everybody with impunity.

Governments should stay out of the internet, because now we have cyberwar. They just create MORE chaos & disorder. Give the internet back to the geeks & maybe we'll get some semblance of decency back.


The entire internet apparently has a common enemy. The more we learn, the more I realize how broken today's internet is.

It's insane that such operations are going forward without the victim-states raising extremely serious concerns.

I wonder how the future's internet will become if this insanity doesn't stop.


The more I think about it, the less I want it to be an internet I'm on.


At least some victim states might very well be aware of what is going on but may feel that silently monitoring these attacks is in their best interest. Or that they can spread misinformation through these channels when deemed necessary.


Well luckily everyone will soon start boycotting the US and the UK, and Canada and Australia etc. Any day now.


Yeah the Cisco layoffs have nothing to do with loss of trust.


And Anne Neuberger blathers about reaching some new "social contract:" http://blog.longnow.org/02014/08/11/the-nsa-reaches-out/

It would be like a social contract with a venomous snake.


If you honestly want to defend Anne Neuberger's "Intelligent America" scenario, go right ahead.

It is in fact a grossly dishonest chunk of wishful thinking wrapped in Soccer Mom-friendly platitudes.


I like how the interview writeup leads with a Godwin (or reverse Godwin, even more skilled).

The NSA could save face by not actively making itself look bad.


BREAKING: Government has discovered nmap.



