Monday, July 14, 2014

JTRIG weekend projects

The Intercept has released a page of JTRIG tools and techniques. I thought I'd comment on them.

Largely, this is a long list of small projects. Few of these projects require more than a couple lines of code, or would take an average hacker more than a weekend to accomplish.

For example, there is CHANGELING, which says "Ability to spoof any email address and send email under that identity". That's the sort of thing you'd ask as an interview question for a cybersec company. You'd expect the candidate to produce this in 20 minutes.

Some sound like big projects, but they are in fact just leveraging existing large open-source projects. A tiny amount of scripting on top of a project like OpenBTS would deliver big, scary results, such as fuzzing GSM.

I point this out because people have the misapprehension that the intelligence services have advanced "cyber-weapons". That's not true. Instead, what's going on is like Rambo stuck in a jungle with only a knife, who can fashion anything into a weapon, from twigs to rocks. That's what you see going on here: given the existing base of open-source (and closed-source) code, cyber-warriors fashion new tools with a little bit of added code.

Rather than being scared of their "advanced" cyber-weapons, what we should be scared about is their "access" and their "brute-force".

Intelligence services have access to things we don't. An example is MUSTANG's "access to the location of GSM cell towers". That information isn't public, and is the sort of thing that intelligence services would have. This allows them to have better location tracking tools than the public -- not because they have better technology but because they have better access.

Intelligence services can spend bajillions of dollars on things. An excellent example is XKEYSCORE, which is a rather primitive packet-sniffer as its base, but spread throughout the world on a thousand systems. They tap undersea fiber-optic cables, and insert monitors into ISPs in target countries. They spend hundreds of millions of dollars on this. If you live in Iraq, it's unlikely you can do anything on the Internet without getting monitored by this system.

No comments: