
The NSA slides I hope Glenn Greenwald chooses to release.

By: kgb999 Thursday June 13, 2013 1:12 pm

When Edward Snowden provided a PowerPoint presentation to media outlets, it contained 41 slides. Thus far, we have seen only a handful. In interviews, Glenn Greenwald has indicated more disclosures are to come – but has also hinted that some slides will not be revealed. I understand a major media outfit handling this type of material is weighing a lot of issues and facing pressure from untold directions. Knowing more details are on the way, perhaps speaking up now is jumping the gun somewhat, but in the spirit of things…

Based on the nature of the presentation, we can infer that certain open-secret capabilities would almost certainly be detailed. The tussle over which operations will see the light of day is undoubtedly pretty intense right now. It would be unfortunate if a decision were made to avoid discussion about the use of intrusive offense capabilities – trojans, viruses, zero day exploits, rootkits, command & control servers and related technologies.

We Know This Should Be In There

In the context of NSA digital surveillance abilities, an overview detailing capabilities to directly monitor and take control of a targeted digital system is conspicuous in its absence. Goodness only knows what far-too-cute name the NSA crew have given it, but to imagine these capabilities are not touched upon in the presentation strains belief.

The questions of privacy and oversight these approaches raise are apparent. As a result, they are the instinctive yardstick against which the merits of disclosure get measured, and they should certainly be kept in mind. But there is more to this question than simply ensuring that only bad guys are being targeted or that the privacy of American citizens is protected. These bigger issues, though perhaps not immediately apparent, I think, tip the balance in favor of putting these cards on the table.

Several events in recent years have revealed information showing this class of capabilities exists and is employed by security agencies. One event stands out as being an exceptionally good case study that ties many of these larger issues together.

The security firm HB Gary was famously hacked by Anonymous a few years back. It was a total loss – terabytes of data accessed and expropriated, scandalous emails released for all to read – a media field day. Many angles were explored in the reporting, ranging from personality profiles of various players involved to questions of corporations trying to undermine Occupy protests. Amid this, Ars Technica published an excellent article about how HB Gary had been crafting and selling backdoors to government and corporate clients. If you didn’t follow the saga when it occurred or need a refresher, it is well worth the read. The implications of some of the facts it highlights provide a strong illustration of a very important point.

Hidden Costs in Wholesale Weaponization of Devices

A dynamic highlighted in the article was HB Gary’s competition against much bigger players in the market of selling exploits to the military and intelligence services. One major concern Ars Technica raised was that private contractors appeared more than willing to turn around and work for corporate interests against private citizens. This is similar to the “good-use” vs. “bad-use” dichotomy under which the current discussion is often presented. The simple questions of privacy and propriety are one thing, but there are equally important, perhaps larger, questions about the impact wholesale weaponization of commonly used commercial items is having, both in terms of systemic functionality and across broader society.

Think about the significance of what HB Gary was selling (and what the now-parent company is probably still selling). One part of it is the rootkit/malware combo: software that can secretly run on a device to collect information and allow the attacker to assert control as desired. The other part is the exploit: the method used to get the malicious software onto a target device. The Ars article sets up the exploit part nicely.

The goal of this sort of work is always to create something undetectable, and there’s no better way to be undetectable than by taking advantage of a security hole that no one else has ever found. Once vulnerabilities are disclosed, vendors like Microsoft race to patch them, and they increasingly push those patches to customers via the Internet. Among hackers, then, the most prized exploits are “0-day” exploits—exploits for holes for which no patch yet exists.

HBGary kept a stockpile of 0-day exploits. A slide from one of the company’s internal presentations showed that the company had 0-day exploits for which no patch yet existed—but these 0-day exploits had not yet even been published. No one knew about them.

The company had exploits “on the shelf” for Windows 2000, Flash, Java, and more; because they were 0-day attacks, any computer around the world running these pieces of software could be infiltrated.

…These exploits were sold to customers. One email, with the subject “Juicy Fruit,” contains the following list of software:

VMware ESX and ESXi *
Win2K3 Terminal Services
Solaris 10 RPC
Adobe Flash *
Sun Java *
Win2k Professional & Server
XRK Rootkit and Keylogger *
Rootkit 2009 *

The asterisk beside some of the names “means the tool has been sold to another customer on a non-exclusive basis and can be sold again.”

So, there we have a security researcher that seeks out flaws in major platforms. When flaws are found, rather than being reported and fixed, the flaws are leveraged for money. It is a classic black hat hacker operation. Yet this time they are not treated like a black hat. Instead they work for the government and are among the top echelon of respected security researchers.

Another way of looking at it: when the people best at tracking down dangerous security holes successfully find them … they actively hide the security holes from everyone else and leave millions of systems insecure. This is happening in America. In Russia. In China. All over the globe. There is an entire legitimized ecosystem of security researchers who just leave the flaws they find unfixed and immediately tip-toe off to start seeking entities who’d like to use the holes to break into unsuspecting systems.

How many of those with a shingle above their door that reads “security researcher” do this? We have no idea. Unsurprisingly, it’s a secret.

For a tragic example, see “Sun Java” (now known as Oracle Java) … featured in that HB Gary 0-day exploit list up there. You may have heard the name recently if you happen to possess something digital. Based on his company’s marketing materials, it is entirely possible that Greg Hoglund could have prevented at least some of that. But for some reason he chose not to. And that’s a huge problem.

A primary reason millions of devices have been compromised pretty much boils down to this: the government pays the best and the brightest a crap-ton of money not to fix any security holes in our devices. They do this so it is possible to spy on you and me – just in case you and I happen to turn out to be terrorists. How’s that for flipping genius?

In the end, five years after we find HB Gary commercializing Java exploits rather than exposing them, Homeland Security finally steps in with the only solution that makes any sense in the environment … simply stop using what was once a cornerstone of the internet and embedded systems. By any reckoning, this is a multibillion dollar negative impact that touches an immense number of lives.

Perverse Market Incentives

In the traditional view of our information economy, to exchange money Black-Hats must trade in bitcoin or use a service like Liberty Reserve to even operate. And when they catch the eye of government, they go to jail. Juxtaposed, an IT professional can earn a nice living writing anti-virus software or providing protective services to companies and individuals, enjoying good benefits and stability for a family. And generally such folks also enjoy a reasonably benign relationship with their government when they happen to cross paths. This dynamic creates a strong market incentive in the direction of fixing holes and a strong disincentive against keeping holes hidden and using them to compromise unsuspecting digital systems.

Then along come those like HB Gary, who sold a base rootkit for $60,000 cash money – and the price went up from there depending on the zero-day exploits a customer (agency or contractor) purchased to compromise targeted systems. Their business model is identical to that of the “hackers” illicitly selling their wares. But the government greets them with a chest-bump and a hoo-ha. This dynamic has no choice but to create an undercurrent in the systemic security profile having all the negative impacts of black hat hackers paired with the institutional acceptance of white hat security professionals – driven by a financial incentive beyond the wildest dreams of most typical private-sector IT security workers.

If there is any truth to markets, with the direction things are heading now, ultimately the system will become so bug-riddled and insecure that it will collapse. The situation with Java is a canary in the coal mine. Even if we imagine that the good guys will use the capabilities they uncover only for good, the good guys aren’t the only ones who end up having them.

Leaving Our Pants Down To Stare Closely At Our Own Butts

For these government-sponsored black-hats, all of the dynamics of an illicit underground information economy apply. Keeping the details of how to execute an exploit secret is key to keeping its capacity potent. The more widely an exploit is used, the more likely it will be detected – either by a security researcher/contractor acting legitimately or by a rival black-hat group that might utilize it in a way the original group disapproves of (and in a way that almost certainly will stupidly call more attention and increase detection risk).

An email snippet from the HB Gary article provides an instructive illustration of just how dangerous the current situation really is.

“I got this word doc linked off a dangler site for Al Qaeda peeps,” wrote Hoglund. “I think it has a US govvy payload buried inside. Would be neat to [analyze] it and see what it’s about. DONT open it unless in a [virtual machine] obviously… DONT let it FONE HOME unless you want black suits landing on your front acre. :-)”

In this, we find Greg Hoglund trolling Al Qaeda sites looking for dangerous payloads. It seems likely he captured a tool sold by one of his competitors that had been deployed by a government outfit hunting Al Qaeda. Obviously, he’s not the only one who can and does troll like this. Anyone with the requisite abilities and an internet connection can do it.

There are any number of ways hackers actively seek out infection sequences to acquire unknown skills and exploits … and the more “good guys” are using any given one, the more likely it is for an actual bad guy to capture it for their own use. Which is where the asterisks in the HB Gary zero-day menu become important. If something has never been sold, there is a much greater chance of using it without someone else blowing your operation … and the more times it is sold, the more likely it is for an exploit to fall into the hands of undesired individuals.

And that’s where reality heaps even more scariness atop concerns of a government run amok. There is absolutely nothing to keep folks aligned with Al Qaeda or any other terrorist organization from capturing these exploits in exactly the same way that HB Gary does. Just like a host of other researchers and hackers do now. And when a terrorist network inevitably captures the government’s best 0-day? The NSA backdoor which allowed our government to individually check that 300,000,000-odd Americans (and, of course, countless foreigners) aren’t busy being terrorists – just to be sure – becomes a backdoor by which a genuine terrorist network takes control of millions of American devices … and instructs them to do whatever the terrorists’ hearts desire.

Another under-discussed issue is what happens when a government-aligned black-hat security firm such as HB Gary gets hacked. In short, the hackers acquire any software on their network. Is it any wonder that Lulzsec went on a rampage across the wider tubes of these here internets? If they had access to everything advertised, the HB Gary hack put a ton of zero-day exploits directly into their hands. It is bad enough when a breach of a legitimate security company prematurely exposes exploits that software manufacturers know about and are actively working to fix. The potential damage is exponentially greater when dealing with exploits software makers are completely unaware of – especially when it is entirely possible some have been actively deployed in national security operations.

The questions about national security vs. civilian network security become pretty hazy. The whole situation feels like a total mess that we’re currently dealing with by ignoring it. And it doesn’t seem to be getting better.

Back to Glenn Greenwald

So. Back to the Guardian and Glenn Greenwald. If the nature of the NSA’s approach in this respect has been laid bare in the PowerPoint slides and documentation they have been given the journalistic responsibility of representing to the public, I certainly hope they consider releasing enough data to help frame a very important conversation. Seeing the concrete policy would absolutely help Americans to better understand to what extent the entirety of issues related to this are impacting us on a daily basis.

And if, for some unfathomable reason, the leaked presentation outlining capacities NSA operatives have at their disposal didn’t mention these known tools … maybe we can take advantage of the current dynamic to start discussing the issue even without a PowerPoint slide?


A layman’s take on academic freedom vs. academic excellence at UC Berkeley.

By: kgb999 Saturday September 10, 2011 1:52 am

One of the more inexplicable facts of modern life from the layman’s perspective is that one John Yoo continues to hold a job. The simple fact of being employed isn’t really that inexplicable … of course a man of his background would be expected to find himself parked at some think-tank somewhere getting paid handsomely simply for being a generally horrible person (as we all know, the primary purpose of think tanks is to quietly pay off people for acting so horribly in public life they have rendered themselves unemployable in polite society). The surprising bit is that he is employed by an institution that claims a mission of turning students into highly qualified, well trained legal professionals. And his job, apparently, involves teaching these students that his cocked-up legal opinions and the thought processes underlying them – repudiated by every other legal mind asked to place their own professional career and reputation on the line – may be ethically employed by the next generation of American lawyers.

Such is academic excellence at the legal department, University of California, Berkeley (Boalt Hall). Co-overseen by David Caron and Christopher Edley Jr.

Recently, Mr. Edley found himself confronted at a public forum. His responses were, and continue to be, a bit eyebrow-raising. Subsequent discussions regarding Obama and his decision to ignore serious Bush-era lawbreaking have been fascinating. But equally fascinating is the snapshot of how the head of a reasonably prestigious legal program views issues of law, responsibility, accountability and the role of educational institutions in society.

Pondering Centrism and the 2012 Election.

By: kgb999 Thursday September 8, 2011 2:47 am

I’m not much of a centrist fan. Don’t get me wrong, I hope the best for ‘em on a personal level. But it’s just that … I don’t know. Increasingly it feels like even the Tea Party folks have a more rational plan of action to improve the nation than so-called-centrist Democrats … who have apparently gone all-in with an “avalanche of clichéd platitudes while doing whatever corporations ask in exchange for mega-donations so we can WIN WIN WIN!” approach to government and policy. The act of owning the White House is clearly all that matters and it is increasingly clear this is all that has mattered from day one.

Thinking back on recent years, it is hard not to observe that Bush’s crew was also almost exclusively focused on winning a second term. At the time, Republicans swore everyone had to play along or the alternative unleashed by Democrats would be far worse. Much as blind-loyal Democrats are swearing now. In retrospect, these Bush apologists were, of course (and unsurprisingly), wrong. Partisans are notorious for happily selling their country down the river in exchange for illusory power over their “rivals.” Now just look at the shambles Democrats have created in our nation by doing it.

Won’t plunge the knife in so deep, indeed!

By: kgb999 Wednesday August 24, 2011 7:13 am

"Eric Schneiderman" by citizenactionny on flickr

So, hot on the heels of revelations that Team Obama has been out in force twisting the arm of one NY Attorney General, Eric Schneiderman, to release bankers from darn near all liability for any crimes, mistakes or civil infractions they may have committed during the economic collapse or anytime thereafter (by this point, the man has taken the concept of “don’t look back” to pathological levels), signs quickly emerged that the approach wasn’t going so well … and subsequently it emerged BoA isn’t doing so well with investors when there may be an outside chance they would actually have to play by the rules. Today comes the news that Eric Schneiderman has been summarily removed from the 50-state task force committee charged with probing foreclosure abuses and potentially negotiating a settlement. (via huffpo)


The email announcing Schneiderman’s dismissal from the states’ executive committee was sent just after noon to more than 50 people by Patrick Madigan, a top lawyer in the Iowa Attorney General’s Office. It read: “Effective immediately, the New York Attorney General’s Office has been removed from the Executive Committee of the Robosigning multistate.”

…[Schneiderman spokesman, Danny Kanner] said Schneiderman was removed at Iowa Attorney General Tom Miller’s “prerogative.”

Miller, through a spokesman, said that Schneiderman was “intimately involved in every aspect of this investigation and possible settlement” from the launch of the probe last October to this past June. Schneiderman was “on every internal [executive committee] conference call and participated in all conference calls and meetings with the top five mortgage servicers. As such, New York had a large influence on the actions and decisions of the multistate.”

But in June, after The Huffington Post reported on a confidential conference call between state and federal officials, the executive committee was reduced to a smaller group of states that would directly negotiate with the five banks. Schneiderman was invited to join this smaller group, but declined, Miller said.

“Since that time, New York has actively worked to undermine the very same multistate group that it had spent the previous nine months working very closely with,” Miller continued. “While we certainly respect the right of any state to choose to no longer participate in a multistate and to pursue another path, working to actively undermine a multistate while still a member of the Executive Committee simply doesn’t make sense, is unprecedented and is unacceptable. Accordingly, today I informed New York that it is no longer a member of the Executive Committee.”

Schneiderman’s removal will likely make it easier for state and federal officials to reach an accord with the five banks. However, the potential amount of money they’ll be able to extract will likely decrease.

This task force was formed, somewhat surprisingly, by the Attorney General for that hotbed of foreclosures and banking, Iowa …

Reid: Behind in the Polls, Ahead in Votes?

By: kgb999 Thursday October 28, 2010 4:00 pm

I have been having a little debate with conventional wisdom regarding the Nevada senate race of late. I’m still predicting a win despite several pundits and famous statisticians having written Harry Reid off based on topline poll results. Despite serious misgivings regarding the utility of opinion polling that premises itself on “If the election were held today” in the midst of votes actually being collected, that seems to be the game we’re playing. So, all right, let’s play.

Playing the game of armchair analyst, one must accept certain limitations. For example, I sure as hell won’t be subscribing to Rasmussen for the honor of being able to see how their results break down. So, for the purposes of this post, I will be using the results from the CNN/Time poll released yesterday showing a 49/45 swing to Angle … and then pretty much ignoring that topline number altogether. In my opinion, this race comes down to the GOP crossover vote, which I believe is being significantly underestimated. The independent swing against Reid is important, but I don’t believe it will be definitive; with 22% of the electorate, the range from best-case to worst appears to be worth about 2% when viewed in the context of all voters.

The question everyone is looking at top-line results for is:

“If the election for U.S. Senate were held today and the candidates were Harry Reid, the Democrat, Sharron Angle, the Republican, Scott Ashjian, the TPN/Tea Party candidate, or none of the above, who would you be more likely to vote for?”

The aggregate result (+/- 3.5%), as I already observed, is 49/45 in Angle’s favor. But Time/CNN was kind enough to break it down by party affiliation. This shows that about 3% of Democrats would vote for Angle … while 10% of Republicans say they would vote for Reid (although the margin of error on this number increases to a noisy +/- 6%). This is probably as good a snapshot of the “crossover” as we’re likely to get until the votes are actually counted.

Just assuming these numbers are in the ballpark, what does that mean for Reid today? Based on the statewide numbers reported yesterday, Democrats have cast 1,500 more votes than Republicans. Conventional wisdom has counted every Democrat as voting for Reid and every Republican as voting for Angle. I think there is more than enough anecdotal evidence to challenge this assumption. So, what does the election look like as of yesterday if one ignores conventional wisdom and does the math based on the projected crossover from the most recent polling?

Based on my calculations this is what it looks like (I tried to show my work … feel free to challenge in the comments):

Total Votes Statewide: 264,420
Total GOP: 131,460 (264,420 / 2 – 750)
Total Dem: 132,960 (264,420 / 2 + 750)
3% Dem Crossover: 3,989 (3% of 132,960)
10% GOP Crossover: 13,146 (10% of 131,460)
Estimated GOP: 122,303 (131,460 + 3,989 – 13,146)
Estimated Dem: 142,117 (132,960 + 13,146 – 3,989)
Current Reid Lead: 19,814 (142,117 – 122,303)

Obviously, the needed caveats here are numerous. But when it’s all said and done, don’t be surprised if this race turns out not to be nearly as close as the punditocracy is predicting. Of course, don’t be surprised if some random blog guy taking a first whack at political prognostication is embarrassingly off base either.