[CONTENT WARNING: extreme sexism and racism]
It’s funny: Trump didn’t use to be this opposed to Iran. Now, between all the domestic scandals he faces and his love of military power, along with pressure from the warmongering far right, he’s decided to reverse course and get aggressive with Iran.
“It is clear to me that we cannot prevent an Iranian nuclear bomb under the decaying and rotten structure of the current agreement,” Trump said from the White House Diplomatic Room. “The Iran deal is defective at its core. If we do nothing we know exactly what will happen.” In announcing his decision, Trump said he would initiate new sanctions on the regime, crippling the touchstone agreement negotiated by his predecessor. Trump said any country that helps Iran obtain nuclear weapons would also be “strongly sanctioned.”
“This was a horrible one-sided deal that should have never, ever been made,” the President said. “It didn’t bring calm, it didn’t bring peace, and it never will.” … “At the point when the US had maximum leverage, this disastrous deal gave this regime — and it’s a regime of great terror — many billions of dollars, some of it in actually cash — a great embarrassment to me as a citizen,” Trump said.
One problem: what are the consequences of withdrawing? Iran’s nuclear program advanced just fine under the earlier sanctions, so reimposing sanctions isn’t going to have much effect. As for the political situation within Iran,
Sadeq Zibakalam, a prominent political commentator and professor of politics at Tehran University, struck a pessimistic tone about the consequences of Trump’s decision in Iran. “Many people are worried about war,” he told the Guardian on phone from Tehran. “Whenever the country faces a crisis in its foreign policy or economy, the situation gets better for hardliners, they’d be able to exert their force more easily.”
He added: “At the same time, hardliners will gain politically from this situation, because they’ll attack reformists and moderates like [President] Rouhani that this is evidence of what they had been saying for years, that the US cannot be trusted, and that US is always prepared to knife you in the back.”
Zibakalam, who is close to the reformists, said he did not think it would take long for Europeans and other nations to follow in the footsteps of the US, because they won’t endanger their economic ties with Washington, which would outweigh the benefits of doing business with Iran.
Rouhani has taken an aggressive stance to jump in front of the hardliners.
“This is a psychological war, we won’t allow Trump to win… I’m happy that the pesky being has left the Barjam,” he said referring to Persian acronym for JCPOA or the nuclear deal.
“Tonight we witnessed a new historic experience… for 40 years we’ve said and repeated that Iran always abides by its commitments, and the US never complies, our 40-year history shows us Americans have been aggressive towards the great people of Iran and our region .. from the coup against the legitimate government of [Mohammad] Mosaddegh and their meddling in the affairs of the last regime, support for Saddam [Hussein during the Iran-Iraq war] and the downing of our passenger plane by a US vessel and their actions in Afghanistan, in Yemen,” he said.
“What Americans announced today was a clear demonstration of what they have been doing for months. Since the nuclear deal, when did they comply? They only left a signature and made some statements, but did nothing that would benefit the people of Iran.”
Rouhani said the International Atomic Energy Agency (the IAEA) has verified that Tehran has abided by its obligations under the deal. “This is not an agreement between Iran and the US… for the US to announce it’s pulling out, it’s a multilateral agreement, endorsed by UN security council resolution 2231; the Americans’ official announcement today showed their disregard for international commitments.. We saw that in their disregard for the Paris agreement..
“Our people saw that the only regime that supports Trump is the illegitimate Zionist regime, the [s]ame regime that killed our nuclear scientists”
“From now on, this is an agreement between Iran and five countries… from now on the P5+1 has lost its 1… we have to wait and see how others react. If we come to the conclusion that with cooperation with the five countries we can keep what we wanted despite Israeli and American efforts, Barjam can survive,” he said.
“We had already come to the conclusion that Trump will not abide by international commitments and won’t respect Barjam.”
And the other signers to the Iran deal are keeping a stiff upper lip, at least for now.
According to the IAEA, Iran continues to abide by the restrictions set out by the JCPoA, in line with its obligations under the Treaty on the Non-Proliferation of Nuclear Weapons. The world is a safer place as a result. Therefore we, the E3, will remain parties to the JCPoA. Our governments remain committed to ensuring the agreement is upheld, and will work with all the remaining parties to the deal to ensure this remains the case including through ensuring the continuing economic benefits to the Iranian people that are linked to the agreement.
Last year, on a reporting trip through a few European capitals, I heard something over and over from European foreign policy officials: We remember 2003, and we’re starting to think this is the real America. Aggressive, unpredictable, unreliable, and dangerous.
I’ve created and deleted drafts on this topic all weekend. All the metaphors I’ve tried to come up with are pretty inaccurate, or don’t add anything that others haven’t already said. So I’ll just do this the boring way.
Don’t let the cute logos fool you: both Spectre and Meltdown are about as serious as computer security gets. Both take advantage of the design of most modern high-performance CPUs. To squeeze out as much speed as possible, nearly all CPUs from Intel (and many from AMD and ARM) reorder the instructions they execute and guess at values such as which way a branch will go, running ahead on that guess. When the CPU runs ahead like this it defers some of its normal security checks; if the guess turns out to be wrong, it throws away the results and executes the right code. On the surface, that prevents any security issue.
But the speculative work leaves fingerprints behind, in places a programmer can’t directly read (chiefly the cache) but which subtly change how fast later memory accesses complete. A clever programmer can time those accesses, brute-forcing over every possible value and using statistics to separate signal from noise, and reconstruct what the processor executed and then erased, slipping past the security check that was supposed to apply. The result is devastating: it can reveal sensitive data like passwords or private keys belonging to other processes or the kernel. Because these attacks live at the hardware level they are incredibly difficult to fix; at one point, US-CERT’s primary recommendation was to replace your CPU, roughly the equivalent of replacing a car’s engine. Ouch! Bruce Schneier has weighed in, which saves me from being doom-and-gloom for once.
The problem is that there isn’t anything to buy that isn’t vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there’s no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years. […]
It shouldn’t be surprising that microprocessor designers have been building insecure hardware for 20 years. What’s surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren’t thinking about security. They didn’t have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors. Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.
Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they — and the research into the Intel ME vulnerability — have shown researchers where to look, more is coming — and what they’ll find will be worse than either Spectre or Meltdown. There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.
I got lucky. When I ran the Spectre demo code on my home computer, nothing happened; while many AMD CPUs are affected, they fare better than Intel’s. ARM CPUs, like those in your phone, are somewhere in between. Having said that, Schneier’s right: these bugs are a big deal, and are guaranteed to spur the development of nastier ones.
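To make the “fingerprints in the cache” idea concrete, here is an added example (my own model, not code from the Spectre paper or the demo I ran): a deterministic Python model of a bounds-check-bypass gadget. The cache is modelled as a set of touched lines instead of being timed with rdtsc, the secret and addresses are constructed, and `mask_nospec` reproduces the branchless index mask Linux uses (`array_index_mask_nospec`) so you can see why masking, unlike a branch, gives the speculative load nothing to leak.

```python
"""Deterministic model of the Spectre-style leak described above.

Added example, not from the original post: a bounds-check-bypass gadget
leaking one byte at a time through the data cache. Real attacks time loads
with rdtsc; here the cache is a set, and a "hot" line is one the victim
touched since the last flush. All addresses and data are constructed.
"""

LINE = 4096               # spacing between probe slots: one line per byte value
PROBE_BASE = 0x10_0000    # constructed address of the attacker's 256-slot probe array
PUBLIC = b"public data"   # the array the victim is allowed to index
SECRET = b"hunter2"       # constructed secret sitting right after PUBLIC in memory
MEMORY = PUBLIC + SECRET  # flat model of the victim's address space
MASK64 = (1 << 64) - 1


class Cache:
    """Minimal data-cache model: remembers which line-sized slots were touched."""

    def __init__(self):
        self.hot = set()

    def flush(self):
        self.hot.clear()                    # clflush every probe line

    def touch(self, addr):
        self.hot.add(addr // LINE)          # a load brings the line in

    def is_hot(self, addr):
        return addr // LINE in self.hot     # "reload was fast": line was touched


def mask_nospec(idx, size):
    """All ones when idx < size, zero otherwise, computed without a branch.

    Same construction as Linux's array_index_mask_nospec() (64-bit arithmetic
    emulated with MASK64): with no branch to mispredict, a speculative load
    can only ever reach index 0.
    """
    oob = ((idx | ((size - 1 - idx) & MASK64)) & MASK64) >> 63   # top bit set iff idx >= size
    return (oob - 1) & MASK64


def victim(cache, idx, hardened=False):
    """Models `if (idx < size) y = probe[array[idx] * LINE];`

    The architectural result honours the bounds check, but once the branch
    predictor has been trained on in-bounds indices the body runs before the
    compare resolves, so the dependent load warms a probe line chosen by
    whatever byte sits at MEMORY[idx], in bounds or not.
    """
    size = len(PUBLIC)
    if hardened:
        idx &= mask_nospec(idx, size)       # out-of-bounds idx collapses to 0 before any load
    value = MEMORY[idx]                     # speculative read past the array end
    cache.touch(PROBE_BASE + value * LINE)  # the fingerprint that squashing does not erase
    return value if idx < size else None    # what the program architecturally gets back


def recover_byte(cache, idx, hardened=False):
    """Flush + trigger + reload: the one probe slot that is hot names the byte."""
    cache.flush()
    victim(cache, idx, hardened)
    hits = [b for b in range(256) if cache.is_hot(PROBE_BASE + b * LINE)]
    if len(hits) != 1:                      # a real attack repeats and votes; the model is noise-free
        raise RuntimeError("ambiguous probe: %r" % hits)
    return hits[0]


def leak(start, length, hardened=False):
    """Recover `length` bytes starting at MEMORY[start], one cache probe each."""
    cache = Cache()
    return bytes(recover_byte(cache, start + i, hardened) for i in range(length))


if __name__ == "__main__":
    print(leak(len(PUBLIC), len(SECRET)))                  # the secret, never returned architecturally
    print(leak(len(PUBLIC), len(SECRET), hardened=True))   # only MEMORY[0], repeated
```

Run it and the unhardened gadget hands back the constructed secret byte by byte even though `victim()` never returns it; with `hardened=True` every out-of-bounds probe lands on `MEMORY[0]`, which is the whole point of the mask. The real-world noise (prefetchers, other tenants, timer resolution) is what forces attackers into the repeat-and-vote loop the model skips.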
but there’s someone I’d like you to meet. His name is George Papadopoulos, and he has quite the story to tell.
In early March 2016, defendant PAPADOPOULOS learned he would be a foreign policy advisor for the Campaign. Defendant PAPADOPOULOS was living in London, England, at the time. Based on a conversation that took place on or about March 6, 2016, with [Sam Clovis] (the “Campaign Supervisor”), defendant PAPADOPOULOS understood that a principal foreign policy focus of the Campaign was an improved U.S. relationship with Russia. […]
On or about March 31, 2016, defendant PAPADOPOULOS attended a “national security meeting” in Washington, D.C., with then-candidate Trump and other foreign policy advisors for the Campaign. When defendant PAPADOPOULOS introduced himself to the group, he stated, in sum and substance, that he had connections that could help arrange a meeting between then-candidate Trump and President Putin. […]
On or about April 18, 2016, the Professor introduced defendant PAPADOPOULOS over email to an individual in Moscow (the “Russian MFA Connection”) who told defendant PAPADOPOULOS he had connections to the Russian Ministry of Foreign Affairs (“MFA”). The MFA is the executive entity in Russia responsible for Russian foreign relations. Over the next several weeks, defendant PAPADOPOULOS and the Russian MFA Connection had multiple conversations over Skype and email about setting “the groundwork” for a “potential” meeting between the Campaign and Russian government officials. […]
The government notes that [Paul Manafort] forwarded defendant PAPADOPOULOS’s email to [Rick Gates] (without including defendant PAPADOPOULOS) and stated: “Let[‘]s discuss. We need someone to communicate that DT is not doing these trips. It should be someone low level in the campaign so as not to send any signal.”
What’s especially fascinating is when all this happened. Not the bits detailed in the “Statement of the Offense,” mind, but the fact that Papadopoulos was arrested in July of 2017 and pled guilty on October 5th. Robert Mueller not only has a critical witness to Trump-Kremlin collusion in his back pocket (see section 6 on page 4, plus this tweet), he’s managed to keep that from leaking out for months. Even worse, Papadopoulos has close connections to Jeff Sessions and Donald Trump.
RYAN: Thank you… We’ve heard you’re going to be announcing your foreign policy team shortly… Any you can share with us?
TRUMP: Well, I hadn’t thought of doing it, but if you want I can give you some of the names… Walid Phares, who you probably know, PhD, adviser to the House of Representatives caucus, and counter-terrorism expert; Carter Page, PhD; George Papadopoulos, he’s an energy and oil consultant, excellent guy; the Honorable Joe Schmitz, [former] inspector general at the Department of Defense; [retired] Lt. Gen. Keith Kellogg; and I have quite a few more. But that’s a group of some of the people that we are dealing with. We have many other people in different aspects of what we do, but that’s a representative group.
See what I mean? I expect we’ll be hearing a lot more from Papadopoulos in future.
Goddammit, could they at least pace this stuff out?
The Court being in receipt of the government’s letter of October 30th, 2017, and having considered the government’s representation that sealing of the plea proceedings in the above-captioned case is no longer necessary … it is hereby
ORDERED that the Clerk of the Court shall unseal and make available on the public docket any and all documents filed with the Court pertaining to the above-captioned case, including: the information; defendant’s plea agreement (including the Statement of Facts); the transcript of the October 5, 2017 plea hearing; the government’s October 5, 2017 motion to seal; and the Court’s order granting the motion to seal; and it is further
ORDERED that the dockets in the above-captioned criminal case [Papadopoulos’ false statement case] and the associated miscellaneous case (No. 17-mc-2482) shall be unsealed in their entirety.
A few hours later, documents are starting to rain down on us. You’ll need a paid PACER account to read that one, but it’ll only be a matter of time until someone makes the document public. As that happens, I’ll try to update this post with links.
Also, what is “17-mc-2482?” That’s not the Manafort/Gates indictment, and Google searches come up empty. I guess we’ll find out shortly…
Sigh, I haven’t spotted any filings in Papadopoulos’ legal case in a few days. I guess they are pacing this out.
In the meantime, the White House’s denials that Papadopoulos had a non-trivial role in Trump’s campaign are beginning to unwind.
“Papadopoulos was only one among the many contacts [the American Jewish Committee] established and maintained among advisers to both parties’ 2016 presidential candidates and in the two parties’ national committees,” AJC spokesperson Ken Bandler said in a statement. […]
The AJC forum occurred on the third day of the RNC in downtown Cleveland. Papadopoulos sat on a panel with Reps. Tom Marino, R-Pa., and Ted Yoho, R-Fla., both members of the House Foreign Affairs Committee, while Sen. Bob Corker, R-Tenn., the chairman of the Senate Foreign Relations Committee, gave opening remarks.[…]
Papadopoulos’ public role for the Trump campaign continued. In late September, just six weeks before Election Day, he gave an interview as a Trump campaign official to the Russian Interfax News Agency, where he said that Trump will “restore the trust” between the U.S. and Russia.
And he met with Israeli leaders during the inauguration in January as a foreign policy adviser for the newly-sworn in president. “We are looking forward to ushering in a new relationship with all of Israel, including the historic Judea and Samaria,” Papadopoulos told the Jerusalem Post the following day.
Naturally, Carter Page isn’t helping the situation.
The hosts of Feminist Killjoys outdid themselves with their latest episode, when they interviewed a member of “Redneck Revolt,” an AntiFa group. The conversation was pretty one-sided and animated, but you get a great summary of what they do.
00:08:13,760 –> 00:08:50,120
… we were asked by anarchist people of color to go and defend Justice Park. Our mission in Charlottesville was purely defensive. We never moved – and I want to make this really clear, and I hope this message gets out – we never moved beyond a very fixed perimeter. We were highly disciplined, we had a clear mission: keep people safe, keep the state and the Nazis out of the park. [We were] successful, partially because 1) we were asked to be there, so we knew who had our back and who wanted us there and 2) we knew what was to our front, the state and the Nazis.
00:08:50,120 –> 00:09:31,040
We never mixed into the larger protest, and there’s been some discussion, I think, out in the internet world that “yeah, we’re just wandering around with guns.” I mean, we’re not operators – this isn’t SEAL team 6 cosplay. We kept our muzzles down, and we wanted to project the force and power that not only our group possesses, but what we knew was streaming behind us and through us: as AntiFa columns, groups of Quakers marched- BLM folks moved- queer liberation activists… all these people move through our line to go and face down white supremacy.
00:09:31,040 –> 00:09:41,780
White supremacists came to face us, but we were in complete concert with the people that were deploying other tactics, and that again is an enormous power that really can’t be underestimated.
I can’t find a flaw in the tactics; when white supremacists are willing to murder and terrorize to get their way, and the police aren’t keeping the peace, this is precisely what you need. The interviewee also dropped an interesting citation.
00:20:05,330 –> 00:20:38,250
People should go read “This Non-Violence Stuff Will Get You Killed.” Great, amazing book about how weapons provided a militant armed self-defense backbone to the civil rights movement. It sweeps away the whitewashed narrative of Martin Luther King, and describes an entire interior world of African American and allied folks willingness – and sometimes actual use – of firearms to preserve the sanctity and lives of the people dedicated to that struggle.
I’m not that surprised to find guns mixed with social justice movements. The police and FBI have not been kind to activists, and in some cases have been infiltrated by white supremacists. Some sort of self-defense against state violence is sensible in those circumstances.
But what did surprise me was how common guns were.
Visiting Martin Luther King Jr. during the Montgomery, Alabama, bus boycott, journalist William Worthy almost sat on a loaded pistol. “Just for self-defense,” King assured him. It was not the only weapon King kept for such a purpose; one of his advisors remembered the reverend’s Montgomery, Alabama, home as “an arsenal.”
MLK Jr? Armed to the teeth? I’ve gotta pick up that book.
Back in the day, one of the strongest clues pointing away from the Kremlin came from a US intelligence agency report.
The PHP malware sample they have provided appears to be P.A.S. version 3.1.0 which is commonly available and the website that claims to have authored it says they are Ukrainian. It is also several versions behind the most current version of P.A.S. which is 4.1.1b. One might reasonably expect Russian intelligence operatives to develop their own tools or at least use current malicious tools from outside sources.
WordFence pointed out that this malware was available widely, and the New York Times concurs.
He had made it available to download, free, from a website that asked only for donations, ranging from $3 to $250. The real money was made by selling customized versions and by guiding his hacker clients in its effective use.
But what happened after that report was interesting.
After the Department of Homeland Security identified his creation, he quickly shut down his website and posted on a closed forum for hackers, called Exploit, that “I’m not interested in excessive attention to me personally.”
Soon, a hint of panic appeared, and he posted a note saying that, six days on, he was still alive. […]
Serhiy Demediuk, chief of the Ukrainian Cyber Police, said in an interview that Profexer went to the authorities himself. As the cooperation began, Profexer went dark on hacker forums. He last posted online on Jan. 9. Mr. Demediuk said he had made the witness available to the F.B.I., which has posted a full-time cybersecurity expert in Kiev as one of four bureau agents stationed at the United States Embassy there. The F.B.I. declined to comment.
Profexer was not arrested because his activities fell in a legal gray zone, as an author but not a user of malware, the Ukrainian police say. But he did know the users, at least by their online handles. “He told us he didn’t create it to be used in the way it was,” Mr. Demediuk said.
A member of Ukraine’s Parliament with close ties to the security services, Anton Gerashchenko, said that the interaction was online or by phone and that the Ukrainian programmer had been paid to write customized malware without knowing its purpose, only later learning it was used in Russian hacking.
Huh. It turns out there was a Kremlin connection after all! This is just a side-effect of a rather smart choice made by Putin.
Also emerging from Ukraine is a sharper picture of what the United States believes is a Russian government hacking group known as Advanced Persistent Threat 28 or Fancy Bear. It is this group, which American intelligence agencies believe is operated by Russian military intelligence, that has been blamed, along with a second Russian outfit known as Cozy Bear, for the D.N.C. intrusion.
Rather than training, arming and deploying hackers to carry out a specific mission like just another military unit, Fancy Bear and its twin Cozy Bear have operated more as centers for organization and financing; much of the hard work like coding is outsourced to private and often crime-tainted vendors.
Do you remember the good old days? Back when political parties didn’t team up with foreign powers on multiple occasions to use illegally obtained material for personal gain?
[Aaron] Nevins confirmed to the [Wall Street] Journal that he told hacker Guccifer 2.0 to “feel free to send any Florida based information” after learning that the hacker had tapped into Democratic Congressional Campaign Committee (DCCC) computers last summer. From the DCCC, Guccifer 2.0 released internal assessments of Democratic congressional candidates, known as “self-opposition research,” to GOP operatives using social media. Nevins told the Journal that, after receiving the stolen documents from the hacker, he “realized it was a lot more than even Guccifer knew that he had.” The stolen DCCC documents also contained sensitive information on voters in key Florida districts, breaking down how many people were considered dependable Democratic voters, undecided Democrats, Republican voters and the like. Nevins made a war analogy, describing the data he received to Guccifer 2.0 as akin to a “map to where all the troops are deployed.”
After Nevins published some of the material on the blog HelloFLA.com, using his own pseudonym, Guccifer 2.0 sent a link of the information to close Trump associate Roger Stone — who is currently under federal investigation for potential collusion with Russia.
What the Journal story does indicate, however, is that a GOP operative who presented himself as working with Mike Flynn, a top Trump adviser with numerous dodgy Russian ties himself, actively solicited Clinton emails from hackers he believed to be Russian and assumed to be affiliated with the Russian government. Once he obtained a stash of unverified emails presented as the deleted Clinton emails, this operative then suggested the hackers release the cache to WikiLeaks one month after the DNC WikiLeaks dump and a month before the Podesta WikiLeaks dump.
*sigh*, I sure miss those days.
In the last part of my series on the DNC hack, I mentioned that I watched a seminar hosted by Crowdstrike on how it was done. Some Google searching didn’t turn up much at first, but it did reveal other videos from Crowdstrike and other security firms. I’m still shaking my head at the view counts of some of these; shouldn’t reporters have swarmed them?
Ah well. If you’d like to see how these security companies viewed the DNC hack, here are some videos to check out.
Ranum’s turn! Old blog post first.
Joking aside, Putin’s right: the ‘attribution’ to Russia was very very poor compared to what security practitioners are capable of. This “it’s from IP addresses associated with Russia” nonsense that the US intelligence community tried to sell is very thin gruel.
Here’s the Joint Analysis Report which has been the focus of so much ire, as well as a summary paragraph of what the US intelligence community is trying to sell:
Previous JARs have not attributed malicious cyber activity to specific countries or threat actors. However, public attribution of these activities to RIS is supported by technical indicators from the U.S. Intelligence Community, DHS, FBI, the private sector, and other entities. This determination expands upon the Joint Statement released October 7, 2016, from the Department of Homeland Security and the Director of National Intelligence on Election Security.
They aren’t selling attribution on IP addresses or attack signatures alone; they’re pooling all the analysis they can get their hands on, public and private. The report is short on details, partly for reasons I explained last time, and partly because it makes little sense to repeat details shared elsewhere.
I agree with most experts that the suggestions given are pretty useless, but that’s because defending against spearphishing is hard. Oh, it’s easy to whitelist IP access and lock down a network, but actually do that and your users will revolt and find workarounds that a network administrator can’t monitor.
The reporting on the Russian hacking consistently fails to take into account the fact that the attacks were pretty obvious, basic phishing emails. That’s right up the alley of a 12-year-old. In fact, let me predict something here, first: eventually some 12-year-old is going to phish some politician as a science fair project and there will be great hue and cry. It really is that easy.
I dunno, there’s a fair bit of creativity involved in trickery. You need to research the target’s infrastructure (so you don’t present them with a Gmail login if they’re using an internal Exchange server); research their social connections (an angry email from their boss is far more likely to get a response); find ways to disguise the displayed URL so that neither a human nor a browser will notice; obtain an SSL/TLS certificate for the fake site that the browser will accept without complaint; and it helps if you can find a way around two-factor authentication. The amount of programming is minimal, but so what? Computer scientists tend to value the ability to program above everything else, but systems analysis and design are arguably at least as important.
I wouldn’t be surprised to learn of a 12-year-old capable of expert phishing, any more than I’d be surprised that a 12-year-old had entered college or ran their own business or successfully engineered their own product; look at enough cases, and eventually you’ll see something exceptional.
By the way, there are loads of 12-year-old hackers. Go do a search and be amazed! It’s not that the hackers are especially brilliant, unfortunately – it’s more that computer security is generally that bad.
And yes, the state of computer security is fairly abysmal. Poor password choices (if people use passwords at all), poor algorithms, poor protocols, and so on. This is irrelevant to attribution, though: the fact that house break-ins are easy doesn’t refute the evidence that a particular someone burgled a house.
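Since the URL-disguising tricks above are the part of a phish that a mail gateway can actually check, here is an added example of my own (not code from Ranum’s post or any product) that scans the anchors of an HTML message for three of them: visible link text that is a URL but not the real target, a brand name buried as a subdomain of some unrelated registered domain, and hosts hiding behind punycode or Cyrillic look-alike letters. The brand list, the (partial) confusable table and the sample message are constructed for the example, and the eTLD+1 check is a last-two-labels approximation rather than a public-suffix-list lookup.

```python
"""Checks for the link-disguising tricks described above.

Added example, not from the original post: scan the anchors of an HTML
message for a visible URL that differs from the real target, a brand name
used as a subdomain of some unrelated registered domain, and hosts hiding
behind punycode or look-alike characters. The brand list, the confusable
table and the sample message are all constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRANDS = ("google.com", "hillaryclinton.com")      # assumed: domains worth impersonating
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i"}   # Cyrillic look-alikes (partial list)
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def host_of(url):
    """Lower-cased host of a URL; bare domains in link text get a scheme first."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def registrable(host):
    """Rough eTLD+1 (last two labels; a real check would use the public suffix list)."""
    return ".".join(host.split(".")[-2:])


def check_host(host):
    """Reasons to distrust a host on its own, independent of the link text."""
    reasons = []
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host")
    if any(ch in CONFUSABLES for ch in host):
        reasons.append("look-alike characters in host")
    for brand in BRANDS:
        if brand in host and registrable(host) != brand:
            reasons.append("brand %s used inside %s" % (brand, registrable(host)))
    return reasons


class LinkParser(HTMLParser):
    """Collects (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(message_html):
    """Every anchor with at least one reason to distrust it."""
    parser = LinkParser()
    parser.feed(message_html)
    findings = []
    for href, text in parser.links:
        reasons = check_host(host_of(href))
        # the classic trick: the text is a URL the reader trusts, the href is not
        if URL_LIKE.match(text) and registrable(host_of(text)) != registrable(host_of(href)):
            reasons.append("shows %s but goes to %s" % (host_of(text), host_of(href)))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: one lure in the style of the campaign discussed, plus legitimate links.
SAMPLE = """<p>Someone has your password. Review your sign-in options:</p>
<a href="http://myaccount.google.com-securitysettingpage.tk/security/signinoptions/password">https://myaccount.google.com</a>
<a href="https://accounts.google.com/">Change password</a>
<a href="https://xn--ggle-0nda.com/login">google.com</a>
<a href="https://www.hillaryclinton.com/">www.hillaryclinton.com</a>"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The two legitimate links come back clean because the comparison is on the registrable domain, not the full host, so `www.example.com` linking to `example.com` doesn’t trip it; the two lures are caught for two reasons each. Note what it does not catch: a lure whose visible text is “Change password” and whose host is a freshly registered domain with no brand in it, which is exactly why the text’s point about research and social engineering matters more than the code.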
Hey, that was quick. Next post!
Hornbeck left off two possibilities, but I could probably (if I exerted myself) go on for several pages of possibilities, in order to make assigning prior probabilities more difficult. But first: Hornbeck has left off at least two cases that I’d estimate as quite likely:
H) Some unknown person or persons did it
I) An unskilled hacker or hackers who had access to ‘professional’ tools did it
J) Marcus Ranum did it
I’d argue the first two are handled by D, “A skilled independent hacking team did it,” but it’s true that I assumed a group was behind the attack. Could the DNC hack be pulled off by an individual? In theory, sure, but in practice the scale suggests more than one person involved. For instance,
That link is only one of almost 9,000 links Fancy Bear used to target almost 4,000 individuals from October 2015 to May 2016. Each one of these URLs contained the email and name of the actual target. […]
SecureWorks was tracking known Fancy Bear command and control domains. One of these led to a Bitly shortlink, which led to the Bitly account, which led to the thousands of Bitly URLs that were later connected to a variety of attacks, including on the Clinton campaign. With this privileged point of view, for example, the researchers saw Fancy Bear using 213 short links targeting 108 email addresses on the hillaryclinton.com domain, as the company explained in a somewhat overlooked report earlier this summer, and as BuzzFeed reported last week.
That SecureWorks report expands on who was targeted.
In March 2016, CTU researchers identified a spearphishing campaign using Bitly accounts to shorten malicious URLs. The targets were similar to a 2015 TG-4127 campaign — individuals in Russia and the former Soviet states, current and former military and government personnel in the U.S. and Europe, individuals working in the defense and government supply chain, and authors and journalists — but also included email accounts linked to the November 2016 United States presidential election. Specific targets include staff working for or associated with Hillary Clinton’s presidential campaign and the Democratic National Committee (DNC), including individuals managing Clinton’s communications, travel, campaign finances, and advising her on policy.
Even that glosses over details: the target list also includes Colin Powell, John Podesta, and William Rinehart. Bear in mind, too, that all these people were phished over roughly nine months, sometimes multiple times. It helps that many of the targets used Gmail, so one login template served many victims, but when you add up the research needed to craft a good phish, plus the janitorial work that kicks in after a successful one (scanning and enumeration, second-stage payload generation, data transfer and conversion), the scale of the attack makes it extremely difficult for an individual to pull off.
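The reason researchers could count targets at all is that each landing URL carried the victim’s identity. As an added example (mine, not code from the SecureWorks or Motherboard reporting), here is how that target list falls out of a pile of expanded short links once you know the encoding. The query-parameter names (`e` for e-mail, `n` for name), the URL-safe base64 encoding and every URL, name and address in the sample are assumptions constructed for this example.

```python
"""Rebuilding the target list from identity-carrying phishing links.

Added example, not from the original post or the SecureWorks report: the
report describes landing URLs that embed each target's e-mail and name, so
once the short links are expanded the victim list falls out of the URLs
themselves. The parameter names (e = e-mail, n = name), the base64 encoding
and every URL below are assumptions constructed for this example.
"""
import base64
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit


def _b64(text):
    """URL-safe base64 without padding, used only to build the sample below."""
    return base64.urlsafe_b64encode(text.encode()).decode().rstrip("=")


def _unb64(value):
    value += "=" * (-len(value) % 4)                     # restore stripped padding
    return base64.urlsafe_b64decode(value).decode("utf-8", "replace")


def target_of(url):
    """(email, name) embedded in one expanded landing URL, or None if absent."""
    query = parse_qs(urlsplit(url).query)
    if "e" not in query:
        return None
    try:
        email = _unb64(query["e"][0]).strip().lower()
        name = _unb64(query["n"][0]).strip() if "n" in query else ""
    except (ValueError, UnicodeDecodeError):             # binascii.Error is a ValueError
        return None
    return (email, name) if "@" in email else None


def summarise(urls):
    """Unique targets per mail domain, who was hit more than once, and the lure hosts."""
    per_domain, attempts, hosts = defaultdict(set), Counter(), Counter()
    for url in urls:
        target = target_of(url)
        if target is None:
            continue
        email, _ = target
        per_domain[email.rsplit("@", 1)[1]].add(email)
        attempts[email] += 1
        hosts[urlsplit(url).hostname] += 1
    return {
        "targets_per_domain": {d: len(s) for d, s in per_domain.items()},
        "retargeted": sorted(e for e, n in attempts.items() if n > 1),
        "phishing_hosts": dict(hosts),
    }


# Constructed sample of expanded short links (names and addresses are fictional).
LURE = "http://myaccount.google.com-securitysettingpage.tk/security/signinoptions/password"
LURE2 = "http://accounts-google.com-settings.ml/verify"
SAMPLE_URLS = [
    "%s?e=%s&n=%s" % (LURE, _b64("alice@hillaryclinton.com"), _b64("Alice Example")),
    "%s?e=%s&n=%s" % (LURE, _b64("bob@hillaryclinton.com"), _b64("Bob Example")),
    "%s?e=%s&n=%s" % (LURE, _b64("alice@hillaryclinton.com"), _b64("Alice Example")),  # second try
    "%s?e=%s" % (LURE2, _b64("carol@gmail.com")),
    "%s?e=%s&n=%s" % (LURE2, _b64("dave@example.org"), _b64("Dave")),
    LURE2 + "?id=12345",                                 # no identity in the link: ignored
]

if __name__ == "__main__":
    print(summarise(SAMPLE_URLS))
```

On the sample this reports two unique hillaryclinton.com targets, one of them phished twice, across two lure hosts, which is the small-scale version of the “213 short links, 108 addresses” arithmetic quoted above. Links that carry no identity are skipped rather than guessed at, and a link whose `e` parameter doesn’t decode to an address is treated the same way.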
Similar reasoning applies to an unskilled person/group using professional tools. The multiple stages to a breach would be easy to screw up, unless you had experience carrying these out; the scale of the phish demands a level of organisation that amateurs shouldn’t be capable of. Is it possible? Sure. Likely? No. And in the end, it’s the likelihood we care about.
Besides, this argument tries to have its cake and eat it too. If spearphishing attacks are so easy to carry out, the difference between “unskilled” and “skilled” is small. Merely pulling off this spearphish would make the attackers experienced pros, no matter what their status was beforehand. The difference between hypotheses D and I is trivial.
There’s even more unconscious bias in Hornbeck’s list: he left Guccifer 2.0 off the list as an option. Here, you have someone who has claimed to be responsible left off the list of priors, because Hornbeck’s subconscious presupposition is that “Russians did it” and he implicitly collapsed the prior probability of “Guccifer 2.0” into “Russians” which may or may not be a warranted assumption, but in order to make that assumption, you have to presuppose Russians did it.
Who is Guccifer 2.0, though? Are they a skilled hacking group (hypothesis D), a Kremlin stooge (A), an unknown person or persons (H), or amateurs playing with professional tools (I)? “Guccifer 2.0 did it” is a composite of existing hypothesis subsets, so it makes more sense to focus on those first then drill down.
I added J) because Hornbeck added himself. And, I added myself (as Hornbeck did) to dishonestly bias the sample: both Hornbeck and I know whether or not we did it. Adding myself as an option is biasing the survey by substituting in knowns with my unknowns, and pretending to my audience that they are unknowns.
Ranum may know he didn’t do it, but I don’t know that. What’s obvious to me may not be to someone else, and I have to account for that if I want to do a good analysis. Besides, including myself fed into the general point that we have to be liberal with our hypotheses.
I) is also a problem for the “Russian hackers” argument. As I described the DNC hack appears to have been done using a widely available PHP remote management tool after some kind of initial loader/breach. If you want a copy of it, you can get it from github. Now, have we just altered the ‘priors’ that it was a Russian?
This is being selective with the evidence. Remember “Home Alone?” Harry and Marv used pretty generic means to break into houses, from social engineering to learn about their targets, surveillance to verify that information and add more, and even crowbars on the locks. If that was all you knew about their techniques, you’d have no hope of tracking them down; but as luck would have it, Marv insisted on turning on all the faucets as a distinctive calling card. This allowed the police to track down earlier burglaries they’d done.
Likewise, if all we knew was that a generic PHP loader was used in the DNC hack, the evidence wouldn’t point strongly in any one direction. Instead, we know the intruders also used a toolkit dubbed “XAgent” or “CHOPSTICK,” which has been consistently used by the same group for nearly a decade. No other group appears to use the same tool. This means we can link the DNC hack to earlier ones, and by pooling all the targets assess which actor would be interested in them. As pointed out earlier, these point pretty strongly to the Kremlin.
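To make the difference between the two kinds of evidence concrete, here is an added worked example (my own illustration, not something from the post or from either blogger) that runs the Bayesian update the paragraph describes over the post’s hypothesis labels A, D, H and I. The priors and the likelihoods P(evidence | hypothesis) are constructed for illustration and are assumptions, not measured values: a generic off-the-shelf tool is about equally likely under every hypothesis, so it barely moves the posterior, while a tool seen only in one group’s hands for years is far more likely under the hypothesis that group did it.

```python
"""Bayesian update over attribution hypotheses for two kinds of tool evidence.

Added illustration; hypothesis labels follow the post, all numbers are
constructed assumptions chosen to show the shape of the argument.
"""

# Hypotheses as labelled in the post: A Kremlin actor, D skilled hacking
# group, H unknown person(s), I amateurs using professional tools.
# Uniform prior (constructed) so that only the evidence moves the posterior.
PRIOR = {"A": 0.25, "D": 0.25, "H": 0.25, "I": 0.25}

# P(evidence | hypothesis), constructed.
# A widely available PHP management tool fits every hypothesis about equally.
GENERIC_PHP_TOOL = {"A": 0.9, "D": 0.9, "H": 0.9, "I": 0.9}
# A toolkit observed only with one actor for a decade is much more likely
# under A than under the alternatives (a stolen copy is possible but rare).
XAGENT_OBSERVED = {"A": 0.8, "D": 0.05, "H": 0.02, "I": 0.01}


def bayes_update(prior, likelihood):
    """Return the normalised posterior P(h | E) for every hypothesis h."""
    unnormalised = {h: prior[h] * likelihood[h] for h in prior}
    total = sum(unnormalised.values())
    if total == 0:
        raise ValueError("evidence is impossible under every hypothesis")
    return {h: v / total for h, v in unnormalised.items()}


def bayes_factor(likelihood, prior, h):
    """How much more likely the evidence is under h than under the
    prior-weighted mix of the other hypotheses (1.0 means uninformative)."""
    others = [k for k in prior if k != h]
    weight = sum(prior[k] for k in others)
    mix = sum(prior[k] * likelihood[k] for k in others) / weight
    return likelihood[h] / mix


def attribute(prior, evidence):
    """Apply a sequence of independent evidence items and return the posterior."""
    posterior = dict(prior)
    for likelihood in evidence:
        posterior = bayes_update(posterior, likelihood)
    return posterior


if __name__ == "__main__":
    weak = attribute(PRIOR, [GENERIC_PHP_TOOL])
    strong = attribute(PRIOR, [GENERIC_PHP_TOOL, XAGENT_OBSERVED])
    print("generic tool only:", {h: round(p, 3) for h, p in weak.items()})
    print("Bayes factor for A, generic tool:",
          round(bayes_factor(GENERIC_PHP_TOOL, PRIOR, "A"), 2))
    print("plus exclusive toolkit:", {h: round(p, 3) for h, p in strong.items()})
    print("Bayes factor for A, exclusive toolkit:",
          round(bayes_factor(XAGENT_OBSERVED, PRIOR, "A"), 2))
```

The design point is in `bayes_factor`: a likelihood that is flat across hypotheses has a factor of 1 and cannot discriminate no matter how confidently it is asserted, which is why the generic PHP tool tells us little and the long-running exclusivity of the second toolkit does the real work.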
I don’t think you can even construct a coherent Bayesian argument around the tools involved because there are possibilities:
- Guccifer is a Russian spy whose tradecraft is so good that they used basic off the shelf tools
- Guccifer is a Chinese spy who knows that Russian spies like a particular toolset and thought it would be funny to appear to be Russian
- Guccifer is an American hacker who used basic off the shelf tools
- Guccifer is an American computer security professional who works for an anti-malware company who decided to throw a head-fake at the US intelligence services
Quick story: I listened to Crowdstrike’s presentation on the Russian hack of the DNC, and they claimed XAgent/CHOPSTICK’s source code was private. During the Q&A, though, someone mentioned that another security company claimed to have a copy of the source.
The presenters pointed out that this was probably due to a quirk in Linux attacks. There’s a lot of variance in which kernel and libraries will be installed on any given server, so merely copying over the attack binary is prone to break. Because of this variety, though, it’s common to have a compiler installed on the server. So on Linux, attackers tend to copy over their source code, compile it into a binary, and delete the code.
You can see how this could go wrong, though. If the stub responsible for deleting the original code fails, or the operators are quick, you could salvage the source code of XAgent.
“Could.” Note that you need the perfect set of conditions in place. Even if those did occur, and even if the source code bundle contains Windows or OSX source too (excluding that would reduce the amount of data transferred and increase the odds of compilation slightly), the attack binary for those platforms usually needs to be compiled elsewhere. Compilation environments are highly variable yet leave fingerprints all over the executable, such as compilation language and time-stamps. A halfway-savvy IT security firm (such as FireEye) would pick up on those differences and flag the executable as a new variant, at minimum.
And as time went on, the two code bases would diverge as either XAgent’s originators or the lucky ducks with their own copy start modifying it. Eventually, it would be obvious one toolkit was in the hands of another group. And bear in mind, the first usage of XAgent was about a decade ago. If this is someone using a stolen copy of APT28/Fancy Bear’s tool, they’ve either stolen it recently and done an excellent job of replicating the original build environment, or have faked being Russian for a decade without slipping up.
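As an added illustration of the fingerprint argument above (my own example, not code from the post, from FireEye or from any vendor), the following Python inspects two of the build-environment fields that a PE executable records in its own headers: the COFF `TimeDateStamp`, which the linker fills with the link time, and the optional header’s linker version. The two sample images are constructed inline with a minimal header layout and are not real malware; the field values in them are assumptions chosen so that a “rebuilt elsewhere” copy differs from the “original” in exactly the ways the paragraph predicts.

```python
"""Compare build-environment fingerprints recorded in PE headers.

Added illustration. The two images below are constructed header-only
samples (not loadable, not real malware); their values are assumptions.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32PLUS_MAGIC = 0x20B
OPTIONAL_HEADER_SIZE = 240  # size of a PE32+ optional header


def build_minimal_pe(timestamp, linker_major, linker_minor,
                     machine=IMAGE_FILE_MACHINE_AMD64):
    """Construct a header-only PE image carrying just the fields inspected here."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: offset of "PE\0\0"
    optional = struct.pack("<HBB", PE32PLUS_MAGIC, linker_major, linker_minor)
    optional += bytes(OPTIONAL_HEADER_SIZE - len(optional))  # pad remaining fields
    coff = struct.pack("<HHIIIHH",
                       machine,            # Machine
                       1,                  # NumberOfSections
                       timestamp,          # TimeDateStamp: link time, epoch seconds
                       0, 0,               # PointerToSymbolTable, NumberOfSymbols
                       len(optional),      # SizeOfOptionalHeader
                       0x0022)             # Characteristics (executable, large-address-aware)
    return bytes(dos) + b"PE\0\0" + coff + optional


def pe_fingerprint(data):
    """Extract build-environment fields from the COFF and optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    machine, _nsec, stamp, _symtab, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    if opt_size < 4:
        raise ValueError("optional header too short to carry a linker version")
    magic, lmaj, lmin = struct.unpack_from("<HBB", data, pe_off + 24)
    return {
        "machine": machine,
        "timestamp": stamp,
        "link_time_utc": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "pe_magic": magic,
        "linker_version": (lmaj, lmin),
    }


def fingerprint_diff(a, b):
    """Return the set of fingerprint fields on which two samples disagree."""
    return {field for field in a if a[field] != b[field]}


# Constructed samples: the "original" build and a copy compiled in a
# different environment (different link time and a different linker).
SAMPLE_ORIGINAL = build_minimal_pe(1400000000, 14, 0)
SAMPLE_REBUILT = build_minimal_pe(1500000000, 2, 30)

if __name__ == "__main__":
    original = pe_fingerprint(SAMPLE_ORIGINAL)
    rebuilt = pe_fingerprint(SAMPLE_REBUILT)
    print("original:", original)
    print("rebuilt: ", rebuilt)
    print("differs on:", sorted(fingerprint_diff(original, rebuilt)))
```

On a real triage pipeline these header fields would be joined with the compiler-specific artefacts the post mentions (rich headers, runtime library strings, section layout) before deciding a sample is a new variant; a single field such as the timestamp can be deliberately zeroed or altered, which is precisely why analysts compare several at once.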
While the above is theoretically possible, there’s no evidence it’s actually happened; as mentioned, despite years of observation by at least a half-dozen groups capable of detecting this event, only APT28 has been observed using XAgent.* None of Ranum’s options fit XAgent, nor do they fit APT28’s tactics; from FireEye’s first report (they now have a second, FYI),
Since 2007, APT28 has systematically evolved its malware, using flexible and lasting platforms indicative of plans for long-term use. The coding practices evident in the group’s malware suggest both a high level of skill and an interest in complicating reverse engineering efforts.
APT28 malware, in particular the family of modular backdoors that we call CHOPSTICK, indicates a formal code development environment. Such an environment would almost certainly be required to track and define the various modules that can be included in the backdoor at compile time.
And as a reminder, APT28 aka. Fancy Bear is one of the groups that hacked into the DNC, and is alleged to be part of the Kremlin.
Ranum does say a lot more in that second blog post, but it’s either similar to what Biddle wrote over at The Intercept or amounts to kicking sand at Bayesian statistics. I’ve covered both angles, so the rest isn’t worth tackling in detail.