It is incredible: even the most generous estimation of the NSA's capabilities before the Snowden disclosures now looks conservative. This is the stuff conspiracy theories are made of.
UR = UNITEDRAKE ("Regin", basically?). And that'd probably be rmgree5@nsa.gov: that's the format their addresses are in.
This does seem to be, broadly speaking, NSA's top-dollar brand-new 0-day-laden (at the time) malware, that they use to launch their less shiny stuff, which is more awkward and a massive overfunded modular boondoggle. This does not seem to be as freely shared around with the "Five Eyes".
By the way, there are innocent machines in the US infected with this thing, at this very moment. Anyone care to explain that?
The hard-drive component should be completely detectable, if you don't boot from it, based on the (small, sadly incomplete) fragment of (Cortex-M0?) stuff I've seen. Power-cycle it, send an ATA reset, read the MBR and following sectors. Look out for the NIC "option ROM" persistence module, too - you may be well advised to do it from something really exotic that doesn't run x86, just in case! (Independent hackers are running (µ)Linux on hard disks now, so it's not surprising a huge agency able to spend billions of dollars of tax money funding contractors on tiny pieces of this project got something of a head start!) Not sure of a good way to detect it in software, but it's not perfect, so it probably can be redpilled somehow.
Watch for "CD-ROM"s that unexpectedly have ATIPs, I guess?
Detecting an infected hard drive in software would be the usual malware arms race: you find some characteristic of it, they improve the firmware.
But if we start to systematically check for it, it should be easy to discover via hardware debugging. Find the JTAG interface on the hard disk controller (or whatever debugging interface the specific processor uses), dump the firmware and compare it to firmware dumps from other hard drives of the same model. I don't see how they could fool that process (given that you have a clean machine to read out the firmware).
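The comparison step described in the last two comments (dump the firmware externally, then diff it against dumps from other drives of the same model) in working form. This is an added example, not code from the thread or from any vendor or agency tool; the four "dumps" are constructed byte strings standing in for images read out over JTAG or serial, and the code assumes all images have the same size and layout, which holds for drives of one model and firmware revision. Rather than trusting a single benchmark drive, it majority-votes every block across all dumps and reports, per drive, the blocks that disagree with the consensus; a block with no strict majority is flagged for every drive, since there is then no baseline to trust.

```python
"""Compare firmware (or boot-sector) dumps from several drives of one model.

Added example, not code from the thread or any real tool. The dumps are
constructed byte strings; real input would be images read over JTAG/serial
(firmware) or the first sectors of each disk (MBR + following sectors).
Assumes equal-size images with identical layout (same model and revision).
"""
from collections import Counter
from hashlib import sha256

BLOCK = 16  # compare in 16-byte chunks here; use 512 for sector images


def divergent_blocks(dumps: dict[str, bytes], block: int = BLOCK) -> dict[str, list[int]]:
    """Majority-vote each block across all dumps.

    Returns, per dump name, the block indices where that dump disagrees
    with the consensus. A dump with many divergent blocks is the suspect.
    A block with no strict majority is flagged for every dump: nothing
    there can be used as a baseline.
    """
    sizes = {len(d) for d in dumps.values()}
    if len(sizes) != 1:
        raise ValueError(f"dump sizes differ: {sorted(sizes)}")
    (size,) = sizes
    n_blocks = (size + block - 1) // block
    result: dict[str, list[int]] = {name: [] for name in dumps}
    for i in range(n_blocks):
        lo, hi = i * block, (i + 1) * block
        chunks = {name: d[lo:hi] for name, d in dumps.items()}
        top, top_n = Counter(chunks.values()).most_common(1)[0]
        if top_n * 2 <= len(dumps):      # no strict majority
            for name in dumps:
                result[name].append(i)
            continue
        for name, c in chunks.items():
            if c != top:
                result[name].append(i)
    return result


def summarize(dumps: dict[str, bytes]) -> tuple[dict[str, str], dict[str, list[int]]]:
    """Return (short sha256 per dump, divergent block list per dump)."""
    hashes = {name: sha256(d).hexdigest()[:16] for name, d in dumps.items()}
    return hashes, divergent_blocks(dumps)


# Constructed sample: four 128-byte "dumps". drive_d carries two patched
# regions (offsets 48..63 and 96..111) standing in for an implant.
_base = bytes(range(128))
_patched = bytearray(_base)
_patched[48:64] = b"\xeb\xfe" * 8     # jmp $ loop bytes, constructed marker
_patched[96:112] = b"\x90" * 16       # NOP sled, constructed marker
SAMPLE_DUMPS = {
    "drive_a": _base,
    "drive_b": _base,
    "drive_c": _base,
    "drive_d": bytes(_patched),
}

if __name__ == "__main__":
    hashes, diffs = summarize(SAMPLE_DUMPS)
    for name in SAMPLE_DUMPS:
        print(f"{name}: sha256={hashes[name]} divergent_blocks={diffs[name]}")
```

Two caveats a practitioner would add: real drive firmware contains per-drive data (serial number, calibration/adaptive parameters, defect lists) that legitimately differs between units, so those regions must be known and excluded before a diff means anything; and the readout has to come from outside the drive (JTAG, serial, or a clean host reading a physically removed board), because a compromised controller can answer ATA-level firmware reads with whatever it likes.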
Of course to be thorough you would have to check pretty much the firmware of every component of the computer.
> dump the firmware and compare it to firmware dumps from other hard drives of the same model
And then ponder the unstated assumption that said other hard drives may or may not have been exploited already. Dealing with a state level actor is hard, in the "trusting trust" sense.
Well, update your threat model appropriately. What are the realities if they've somehow hit every single hard disk in the US? What is the likelihood this level of subterfuge can be maintained? How many people are involved?
Just because you can imagine it doesn't suddenly make it practical, and it certainly doesn't mean they're going to burn that capability outing some guys porn habits either.
> What are the realities if they've somehow hit every single hard disk in the US?
Who knows. The problem is you're not so concerned with "every single" hard drive in the US, but you may well be concerned with the other one you wish to use as a benchmark.
When you're dealing with things like hardware being compromised on the way from the plant to the store, or (as mentioned) a burned CD being compromised in the mail, and other things that really only governments can do, it changes the whole nature of the threat model.
The malware might remain quiescent unless the examination techniques mimic a computer that is booting.
I might prefer to use an analyzer to monitor the disk channel of a machine that is booting and running.
Building a SATA probe/analyzer is within hobbyist knowledge and skill levels now. If you have money you can simply buy it from LeCroy and many others, or rent it by the month/week.
There's a specific reason I said to send an ATA reset first! IRATEMONK (for it is that) isn't that smart. Doesn't need to be.
If you want to test more thoroughly, or actually dump the object for analysis, as wongarsu says below, the JTAG port or the serial port is the way to go. That's how they get it in there.
Usually a booting PC will issue several identify commands and try a SMART health check, and if there is a RAID option ROM then specific series of READ will be issued. If it would really disclose itself with simple RESET, READ interrogation then I must be a better malware author than those players. I don't think I am, and I feel that if it would give itself away without ensuring that the OS is really booting, this is a big flaw. If it were my project, it would be a showstopper. I'm a noob in the sense that I have never considered malware before, so probably the developers (who are smarter than me) thought about it long before I did.
This flaw would also make it much simpler to write a script for MHDD that would reveal the infection on the infected target itself after booting from a floppy.
I think a JTAG probe is not especially useful to analyze a hard disk. The flash on the board is usually only a bootstrap and "physical driver" of sorts. The rest of the firmware is stored on the media - you can see that many disks do not even know what they are if you disconnect the heads and try to identify.
I think JTAG is not commonly in the toolbox of the data recovery guys who dump firmware modules and trade them. DR sometimes involves replacing corrupted firmware that is on the disk, or reprogramming a controller board to match one that's failed. They have bought software and serial port cables, and this seems to handle it for them, so I concluded that there must be a way to dump all of the firmware - on chips and disks - with ATA commands or the serial port, and we know from field-service tools that there is usually a way to update it all with only ATA commands.
Had a family member that worked for SPEA (test equipment manufacturer). Said different government organizations would bring in boards with massively parallel sets of chips and input/output on them, like nothing they ever saw in any other field. They were expressly forbidden to take pictures of them.
Between that and the massive data centers they are building I'm guessing they have rather impressive capabilities.
This particular set of exploits has little to do with collecting information. This seems to be directly related to command and control operations, including over systems that aren't connected to the internet.
There are a pretty scary set of discovered exploits.
I believe this is not the correct thread, but how can anyone sift through so much data, in general? Private companies need simpler things, like people you are likely to know in the real world, from the data they acquire. But intelligence agencies need actionable intelligence. That would require something way more intelligent than a simple spam filter.
That depends on the data you are talking about. The operations described here don't seem to collect huge amounts of data. If you're talking about the usual dragnet surveillance: a lot of it seems to be relatively simple filters and simple data correlation.
For example, you can build huge social graphs with simple metadata. Then you can search for all people who communicate a lot with people who communicate a lot with some known terrorist leader. Of those people, you take just those using tor. If any of them plans to enter the US, you flag them to be detained and searched at the airport. If any of them is already in the US, you can tell FBI to check them out.
Or you can look for sudden changes in message volumes. If terrorist leader A suddenly starts to communicate a lot more with random person B and random person C, who in turn start communicating with other people, you suddenly have a whole list of people who might be planning a terrorist operation.
Of course you still need huge computing capacity even for these relatively simple operations, but they certainly have the funds for a few datacenters.
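The two filters described in the comment above (two-hop contacts of a seed, narrowed by an attribute such as Tor use, and sudden jumps in per-contact message volume) as an added example in plain Python. This is not code from the thread or from any agency; the metadata rows are constructed, the names `leader`, `b`, `c` and so on are placeholders, and the record shape `(day, from, to, message_count)` and the Tor-user set are assumptions made for the example. It shows the shape of the computation, which is indeed just counting and set operations on a weighted graph.

```python
"""Two-hop contact search and volume-spike detection over call/message
metadata. Added example, not code from the thread; all records are
constructed. Assumes metadata rows of (day, from, to, message_count)."""
from collections import defaultdict

# Constructed sample metadata. 'leader' is the seed; 'b' and 'c' are its
# heavy contacts; 'd' and 'e' are heavy contacts of 'b'; 'x' is noise.
RECORDS = [
    (1, "leader", "b", 2), (1, "leader", "c", 1), (1, "leader", "x", 1),
    (2, "leader", "b", 3), (2, "leader", "c", 2), (2, "b", "d", 1),
    (3, "leader", "b", 9), (3, "leader", "c", 8), (3, "b", "d", 6),
    (3, "b", "e", 5), (3, "c", "f", 4), (3, "d", "g", 5),
]
USES_TOR = {"d", "f", "zz"}   # constructed attribute set (hypothetical)


def build_graph(records):
    """Undirected weighted graph: total messages exchanged per pair."""
    g = defaultdict(lambda: defaultdict(int))
    for _day, a, b, n in records:
        g[a][b] += n
        g[b][a] += n
    return g


def heavy_neighbours(g, node, threshold):
    """Contacts of `node` with at least `threshold` messages exchanged."""
    return {n for n, w in g[node].items() if w >= threshold}


def two_hop_candidates(g, seed, threshold):
    """People who communicate a lot with people who communicate a lot
    with `seed`, excluding the seed and the first hop themselves."""
    first = heavy_neighbours(g, seed, threshold)
    second = set()
    for n in first:
        second |= heavy_neighbours(g, n, threshold)
    return second - first - {seed}


def flag_for_screening(records, seed, threshold, attribute_set):
    """Two-hop candidates narrowed by an attribute (here: Tor use)."""
    g = build_graph(records)
    return sorted(two_hop_candidates(g, seed, threshold) & attribute_set)


def volume_spikes(records, node, factor=3.0):
    """Contacts whose per-day message count with `node` rose by at least
    `factor` from one observed day to the next. Returns
    {contact: (prev_day, day, prev_count, count)} for the last such jump."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, a, b, n in records:
        if node in (a, b):
            other = b if a == node else a
            per_day[other][day] += n
    spikes = {}
    for other, days in per_day.items():
        ordered = sorted(days)
        for prev, cur in zip(ordered, ordered[1:]):
            if days[cur] >= factor * days[prev]:
                spikes[other] = (prev, cur, days[prev], days[cur])
    return spikes


if __name__ == "__main__":
    print("screen:", flag_for_screening(RECORDS, "leader", 5, USES_TOR))
    print("spikes:", volume_spikes(RECORDS, "leader"))
```

The thresholds (5 messages, a 3x jump) are arbitrary constants for the example; the point is that both filters are a handful of aggregations over edge weights, so the cost is dominated by the size of the metadata, not by anything clever.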
> intelligence agencies need actionable intelligence
For the most part that hasn't really been how it's worked so far. Generally intelligence agencies have used the information they've gathered so far to try to manipulate people.
'were', I think, may be more operative. I first heard that statistic a long time ago, more like the '70s. Mathematicians don't seem to be very useful to the NSA's current hacker paradigm. (Note what we haven't gotten from the Snowden leaks so far: any sort of major mathematical or theoretical advance. Amazing hacking infrastructure, though.)
NLP's foundation is in statistics, so calling it "not maths" seems rather short-sighted. Mathematics, especially statistics, play a crucial role in all data interpretation when you get to any kind of scale and they seem to be the biggest of them all.
It's only really useful against non-terrorists, but that doesn't mean it's a waste of money: if it is used to make money.
So maybe it's being used to make money - i.e. targeting non-terrorists (i.e. industrial espionage) - precisely because it is a huge waste of money. Wow, it's almost like the whole thing was just a bad idea in the first place - it's become self-serving.
If you've been charged with a criminal crime, you can't press a civil suit against the victim, essentially.
The point here is somewhat similar: trying to sue the FBI for unauthorized access to a server would hinge on the relative standing of that law compared to much more serious offences (i.e. conspiracy to murder being the big one) - since the case would have to come from DPR against the FBI, and would thus be subject I suspect to similar tests of standing.
Other people have made the wider point more thoroughly as well - you'd really struggle to prove wrongdoing when all that was acquired was an IP address.
Example of somebody prosecuted strictly for fiddling?
To answer my own question, I guess you could say weev, but I think his troubles really began when he made the pivot from fiddling to mass scraping. I think it's harder to argue the FBI's access was unauthorized when what they were looking at was the "access is denied" page.
I think that the intelligence agencies would rather have the vulnerabilities for their own use and roll the dice on being on the receiving end rather than buy up everything and close it, making it so they can't use it either.
My real problem with this is writing the password with numbers, punctuation and stuff on a mobile keyboard. Feels like surgery even if I'd memorize it.
I use 1P on my laptop most of the time so it's not a huge deal. Everything else on the iPhone just remembers credentials.
I know I can force myself to use a great password for iCloud but my point is that most of the time, I'd go for an idiot password rather than forcing myself. Just like most people.
That little voice in your head that is screaming "I hate this" is your problem. It really is not a big deal to type a password, and even to type it a few times, just try to have a more zen attitude about it. It's how passwords work, stop trying to figure out how to defeat your own password, it's doing what it's supposed to do.
This may help, some special characters dump the keyboard back to the primary keyboard, so create a password that is letters, then numbers/specials, then the ' character, then more letters.
for example, pass2'word would only require you to hit the alt-keyboard switch once.
All I want is to encryptedly back up some directories on my home server, but nothing* really does that. I use SpiderOak at the moment, but it's not OSS.
We currently allow 1.1 PB in a single "namespace" (zpool).
There are non-obvious ways to make a petabyte-sized zpool non-scary ... but even with those employed we still utilize raidz3 and have contingencies for rollbacks.
edit: for obvious reasons, that 1.1 PB number will grow by 50% in the very near future...
It's easy enough to jam enough disks into a rack with these 90-disk 4U Supermicro JBODs. The thing that always scared me (esp. with rsync) is how do you get performant metadata for a few billion files? Or even tens of millions.
And raidz3 resilver must be horrible at those densities!
Again. Just curious. Email at jmancuso@expandrive if you feel like chatting. I know we offer a similar product, but we are about to leave zfs for the above concerns. Wouldn't mind sending some business your way.
No OSS Linux client, but we do have a closed source one. CrashPlan does work headless[1], but note that that setup is outside the scope of our support team.
I can't say one way or another if the client is OSS, but I do know you can run it headless, I've done it before.
IIRC, you need to tweak a non-headless client to direct it to the headless instance (some config file to point to the server vs localhost) and everything works from there.
What makes you think the majority of Google employees had any idea this was going on? We have the testimony of several Google employees who comment here on Hacker News that there was no indication any of this was happening.
Then there's the news report that corroborates this, implying not even the leaders of the companies had any idea.
I mean, again, they could all be lying...but Occam's Razor and all that.
Maybe the world is a bit more random than one in which overarching conspiracies rule everything. Snowden was pretty random, no? He could have stayed put and sold his data, or simply kept his mouth shut, but he did what he did when he did it. There are a lot of other people working there, and none of them were the ones to expose all of that crap. So maybe the people at Google valued their jobs more than doing the right thing. That hardly makes for some big plot.
Your statement only makes sense if you make the logical leap that Google does the things you are implying they do. The fact that none of Google's 100k+ employees and former employees have ever leaked anything of this nature is a strong indicator that it's not actually happening.
Skype specifically refuted that rumor after it came out. That being said, based on everything that has come out in Snowden's documents and other reporting, I now believe all Skype communications are compromised.
I did a fun experiment once. I wrote the actual recipient address in the return address place, and put a nonexistent address in the front. I also didn't stamp it. It did arrive to the recipient 2 weeks later, with a "return to sender" banner.
Working in the mailing business and dealing with the USPS carriers; they are not dummies (the usual people warning here) and if someone gets curious on why so many pieces arrive at a certain address w/o postage, I would expect that address to get flagged for a special looksee.