Originally published at: http://boingboing.net/2017/03/10/no-security-in-obscurity.html
…
Responsible disclosure.
WikiLeaks.
Critical irony failure.
I have worked on several bug bounty programs. Companies that don’t understand how they work likely don’t understand how QA, devops, or continuous testing work either.
Well-maintained bounty programs are a godsend. They are cheaper to run than hiring a bunch of FTEs; usually more accurate; and they build trust and goodwill.
Incontrovertible proof that wikileaks is a shill!
Russian propaganda!
Gratuitous DRM reference? Check.
Ugh. The tool that purportedly fakes Russian malware signatures, which right-wing nutters (and general tinfoil hat types) have been making way too much hay out of.
I have little doubt it is nothing terribly fancy, just automating otherwise manual steps. Wish I could peek at it, though.
Indeed. Much better for America to slip ever closer to the panopticon without any of the filthy plebs knowing about it. After all, saying the wrong thing here and there might inconvenience the hyper rich and the preposterously powerful and that, ah, that would be a tragedy.
Well fact of the matter is that we don’t know how much hay is the correct amount of hay. And the only thing connecting Russia to those DNC hacks is forensics. Whose credibility just took a serious hit. Of course the CIA could be as pure as the driven snow here but much in the same way it is possible to be carrying lockpicks in a bank after midnight for perfectly innocent reasons and still people will be, ah, profoundly suspicious of your motives.
Well fact of the matter is that we don’t know how much hay is the correct amount of hay.
A point the nutters don’t want to hear–that the evidence behind the DNC hack hasn’t been released.
Whose credibility just took a serious hit.
Because laymen looked at something technical and relayed it in layman’s terms to other laymen instead of releasing the materials. Alas, we have learned from this past election insinuation goes farther than nuanced facts backed up with data.
I am going to be pretty annoyed if the source gets released and it’s just a find-and-replace of strings with Russian words.
Hey, one of the bits of forensics that was seriously floated about was “Well, there was a Word document with Russian settings on it and registered to Felix Dzerzhinsky[1]” so a few regexps with Russian words might be enough.
But no, you’ve the right of it, we don’t have the evidence. We do have the word of the intelligence agencies but I personally trust those as far as I can throw New Jersey.
[1] I’d have held out for Viktor Kagebeovitch, personally, but fine.
Well, forensics, plus all the people who are furiously lying about Russia. I think the matter deserves an independent investigation, don’t you?
I actually downloaded the word docs from the DNC and took a spin through. These ones were posted by “Guccifer 2.0” and floated as belonging to the Clinton campaign (but were obviously curated DNC docs). The “MSM” didn’t report on it (rightfully), but it popped up on YC news.
I’d be interested in which doc was mentioned?
I can’t give details. This isn’t a false flag operation. The question of how far up this goes in the RU chain of command is still open. And the true intent is still open for debate. And if the real mission was successful is open for debate.
But the code speaks for itself. Perhaps, in a similar vein like our tangerine colored POTUS implied it could have been a lone wolf in a basement in Russia, but the provenance of the code isn’t up for debate.
It does. It won’t get it, but it does.
But I must confess, there’s an inner skepticism that’s unshakable in me because, well, isn’t it convenient that we can blame the utter, utter, farcical failure of the DNC at doing politics on a nation that most people in America seem to utterly loathe. Goodness knows bigger coincidences have happened, but it still niggles at me. And, of course, nobody will show me any significant evidence which doesn’t help.
It is one of those, apparently.
It’s not a particularly good piece of evidence. Save for the name it could have come from my computer and I’m not Russian, nor have I ever set foot in Russia. (I also have German keyboard[1] settings without being German, and, come to think of it, US English without being American). And Феликс Эдмундович is such an on-the-nose name that it strikes of either false-flag or, far more likely, someone deliberately making fun of people looking at the doc.
[1] Also, while it’s damned hard to do so, you can totally type Russian text from a US keyboard and if you choose the ‘mnemonic’ layout with chording, it isn’t even particularly difficult.
I’m sorry, and you are? I mean, I’ve been here for a bit, and your name looks familiar but I can’t recall any details? Are you a computer forensics specialist? CIA agent? I do beg your pardon but “I can’t give you any details, trust me” might fly from my nearest and dearest but you aren’t either.
I am easy to find, ironically.
https://www.linkedin.com/in/jeremy-pickett-6aa0aa33/
PM me if you want my number. Also, I can grant access to some of my OSINT resources if you’d like. As a last resort, I can also name drop
Canary::wharf is the main OSINT project I run, along with Maze and DLP. Early OpenVPN integrator.
I will readily acknowledge your superior experience in the field. I won’t pry for classified details because it’d be rather insulting to suggest you’d part with them, but could you perhaps explain roughly how, in principle, one may establish the provenance of an attack with such fidelity, especially to be sure that it is Russian, but not be sure if merely by nationality or by governmental design?
This is not my field—clearly!—but what I’ve seen so far has not inspired great confidence.
Semi-anonymized network circuits that were used
PDB and debug information
Method calls
Specific Compilers
So a couple things, I appreciate your patience and politeness. There is doubt. It isn’t clear exactly what is going on. However, given the same sets of analysis tools that led us to Equation (US), Flame (US), Stuxnet (US, Germany, Israel), it becomes increasingly easy to identify at least general sources.
As I like to tell more junior members, it only takes one OPSEC failure to unmask who you are. And it only takes one OPSEC failure for a nerd like me to figure out a bunch about the adversary.
There are bigger, more fundamental questions that haven’t–and likely won’t ever be–answered. But provenance is not one of them.
I am sort of shocked that somebody would use code that hasn’t had its debug information stripped but, damn it all, you got me with ‘specific compilers.’ That leaves a huge signature: same code compiled with very nearly the same compiler/settings can produce binaries that are shockingly different. Fingerprinting those is probably a worthwhile endeavor.
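The “PDB and debug information” indicator from the list above, as an added illustration that is not any commenter’s code: Windows binaries built with debug info carry a CodeView “RSDS” record (signature, GUID, age, NUL-terminated PDB path), and the path alone can leak a build-machine username and project layout that analysts compare across samples. The sample bytes, GUID and path below are constructed for the example.

```python
import struct
import uuid

# Constructed sample: a fragment of a PE section holding one RSDS record.
# Layout: b"RSDS" + GUID (16 bytes, little-endian GUID order) + age (uint32 LE)
#         + NUL-terminated PDB path. GUID and path are made up for this example.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_BLOB = (
    b"\x00" * 8
    + b"RSDS"
    + SAMPLE_GUID.bytes_le
    + struct.pack("<I", 3)
    + b"C:\\Users\\dev\\src\\sampleproj\\Release\\sampleproj.pdb\x00"
    + b"\x00" * 4
)


def find_rsds_records(data: bytes) -> list:
    """Return every well-formed CodeView RSDS record in a byte buffer.

    Each record is {"guid": str, "age": int, "pdb_path": str}. Truncated
    records (no room for GUID+age, or no terminating NUL) are skipped.
    """
    records = []
    pos = data.find(b"RSDS")
    while pos != -1:
        body = pos + 4
        if body + 20 <= len(data):
            guid = uuid.UUID(bytes_le=data[body:body + 16])
            age = struct.unpack_from("<I", data, body + 16)[0]
            end = data.find(b"\x00", body + 20)
            if end != -1:
                path = data[body + 20:end].decode("utf-8", errors="replace")
                records.append({"guid": str(guid), "age": age, "pdb_path": path})
        pos = data.find(b"RSDS", pos + 4)
    return records


def pdb_path_indicators(path: str) -> dict:
    """Pull the fields an analyst would pivot on: username, build config, PDB name."""
    parts = path.replace("/", "\\").split("\\")
    username = parts[2] if len(parts) > 2 and parts[1].lower() == "users" else None
    build_config = parts[-2] if len(parts) > 1 else None
    return {"username": username, "build_config": build_config, "pdb_name": parts[-1]}
```

The same GUID and age also appear in the matching .pdb file, which is how a debugger pairs the two; for attribution work the path and a stable GUID across several samples are the useful pivots.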
Mm.
I’ve revised my opinion. There can be such evidence and I’m provisionally willing to accept that such evidence exists.
So, to recap: there is credible evidence that someone from the Russian Federation made the attacks and that’s the extent of it?
Much obliged for the reply. I think I understand how the attribution was made and why it has the error bars that it does. This is useful information. Thank you.
Giggle, you know that’s the default setting for Visual Studio, right?
Certainly. So’s not showing line numbers. Doesn’t mean it’s a good idea.