Yet again activists demonstrate they are less honest than the NSA. Today, Der Spiegel has released more documents about the NSA. They largely confirm that the NSA is actually doing, in real-world situations, what we've suspected they can do. The text of the article describing these documents, however, wildly distorts what the documents show. A specific example is a discussion of something called "TUNDRA".
It is difficult to figure out why TUNDRA is even mentioned in the story. It's cited to support some conclusion, but I'm not sure what that conclusion is. It appears the authors wanted to discuss the "conflict of interest" problem the NSA has, but had nothing new to support this, so just inserted something at random. They are exploiting the fact the average reader can't understand what's going on. In this post, I'm going to describe the context around this.
TUNDRA was an undergraduate student project, as the original document makes clear, not some super-secret government program into cryptography. The purpose of the program is to fund students and find recruits, not to create major new advances in cryptography.
It's given a code-name "TUNDRA" and the paragraph in the document is labeled "TOP SECRET". The public has the misconception that this means something important is going on. The opposite is true: the NSA puts codenames on nearly everything. Among the reasons is that by putting codenames even on trivial things, it prevents adversaries from knowing which codenames are important. The NSA routinely overclassifies things. That's why so many FOIA requests come with the "TOP SECRET" item crossed out -- you classify everything as highly as you can first, then relax the restriction later. Thus, unimportant student projects get classified codenames.
The Spiegel article correctly says that the "agency is actively looking for ways to break the very standard it recommends", and it's obvious from context that the Spiegel is implying this is a bad thing. But it's a good thing, as part of the effort in improving encryption. You secure things by trying to break them. That's why this student project was funded by the IAD side of the NSA -- the side dedicated to improving cryptography. Most of us in the cybersecurity industry are trying to break things -- we only trust things that we've tried to break but couldn't.
The Spiegel document talks about AES, but it's not AES being attacked. Instead, it's all block ciphers in "electronic codebook" modes that are being attacked. The NSA, like all cryptographers, recommends that you don't use the basic "electronic codebook" mode, because it reveals information about the encrypted data, as the well known "ECB penguin" shows. As you can see in the image, when you encrypt a bitmap image of a penguin, you can still see it's a penguin despite the encryption. Finding appropriate modes other than "electronic codebook" is an important area of research. [***]
The NSA already has ways of attacking ECB mode, as the penguin image demonstrates. I point this out because if the NSA already has a "handful of ways" of doing something, adding one more really isn't a major new development. Thus, even if you don't understand cryptography, it should be obvious that the inclusion of TUNDRA in this story is pretty stupid.
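The ECB leak described above can be reproduced in a few lines. This is an added example, not code from the original post: it assumes a toy Feistel cipher built from SHA-256 as a stand-in for AES (to make the point that the leak comes from the mode, not the cipher), and the constructed image, function names, and key are all hypothetical.

```python
import hashlib
import os
from collections import Counter

BLOCK = 16  # bytes per block, the same block size AES uses


def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Keyed round function: SHA-256 truncated to half a block."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel block cipher. Stand-in for AES, not for real use."""
    left, right = block[:8], block[8:]
    for i in range(4):
        mixed = bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
        left, right = right, mixed
    return left + right


def blocks(data: bytes) -> list:
    """Split data into BLOCK-sized pieces (sample input is block-aligned)."""
    if len(data) % BLOCK:
        raise ValueError("input must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block encrypted independently, so equal input -> equal output."""
    return b"".join(encrypt_block(key, b) for b in blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first."""
    out, prev = [], iv
    for b in blocks(plaintext):
        prev = encrypt_block(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return b"".join(out)


def repeated_block_ratio(ciphertext: bytes) -> float:
    """Fraction of ciphertext blocks that also occur elsewhere.
    A high value on structured data is the tell-tale sign of ECB."""
    bl = blocks(ciphertext)
    counts = Counter(bl)
    return sum(c for c in counts.values() if c > 1) / len(bl)


def block_map(ciphertext: bytes, blocks_per_row: int) -> list:
    """Text rendering: '.' for the most common block, '#' for any other."""
    bl = blocks(ciphertext)
    common = Counter(bl).most_common(1)[0][0]
    cells = ["." if b == common else "#" for b in bl]
    return ["".join(cells[i:i + blocks_per_row])
            for i in range(0, len(cells), blocks_per_row)]


def make_image(width: int = 64, height: int = 32) -> bytes:
    """Constructed 1-byte-per-pixel bitmap: white background, black rectangle."""
    rows = []
    for y in range(height):
        row = bytearray(b"\xff" * width)
        if 8 <= y < 24:
            row[16:48] = b"\x00" * 32
        rows.append(bytes(row))
    return b"".join(rows)


if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(16)
    image = make_image()
    for name, ct in (("ECB", ecb_encrypt(key, image)),
                     ("CBC", cbc_encrypt(key, iv, image))):
        print(f"{name}: {len(set(blocks(ct)))} distinct blocks out of "
              f"{len(blocks(ct))}, repeated ratio {repeated_block_ratio(ct):.2f}")
        # Print every fourth row of the block map to keep the output short.
        print("\n".join(block_map(ct, 64 // BLOCK)[::4]))
```

The same `repeated_block_ratio` check works on any captured ciphertext as a quick test for whether a product is using ECB.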
Journalism is supposed to be different from activism. Journalists are supposed to be accurate and fair, to communicate rather than convince. The activist has the opposite goal, to convince the reader, even if that means exploiting misinformation. We see that in this Der Spiegel article, where the TUNDRA item is distorted in order to convince the reader that the NSA is doing something evil.
Update: [***] There has been some discussion on Twitter about the ECB penguin above. That's because where the document says "electronic codebook", it may not necessarily be referring to ECB mode (even though ECB stands for "electronic codebook"). That's because "codebook" is also just another name for "block cipher", the more common/modern name for encryption algorithms like AES.
Regardless, the principle still holds: it's not AES that TUNDRA attacks, but the underlying "codebook" property, whatever that refers to, whether it's "block ciphers" or "block ciphers in ECB mode". Also regardless, since it's an undergraduate project designed for recruitment, it's probably something basic (like the ECB penguin) rather than a major advancement in cryptography.
Sunday, December 28, 2014
Tuesday, December 23, 2014
Dear Leader's Lesson in Confirmation Bias
Brian Krebs has a blogpost citing those who claim evidence of North Korea involvement in the massive Sony hack. He uses as an example the similarities between the Sony defacement and a South Korean defacement that was attributed to the North Koreans. He shows these two images side-by-side so that you can see that they are obviously similar.
However, they don't look similar at all. This is generally what all website defacements look like. Specifically, the common components among defacements are:
- black background
- green, red, and white foreground
- "Hacked by" message
- WARNING banner
- Phrack-style headers (like ::: on either side of header)
- Powerful picture in center, often a skull
- Message that strokes the ego, often "we are legion" style
In the bottom of this post, I include a gallery of other defacement pictures, so that you can see that this is normal hacker underground culture.
There are certainly some similarities, such as the "we have all your data" message. But that's easily explained by the fact that the South Korean hack was widely popularized in the media, so it's easy to see how they would take this as inspiration. Or, it's just simply that if the goal of your hack is to steal data and extort the victim, this is pretty much always going to be how you phrase it.
At the same time, there are many dissimilar items. One does multiple colors in the same word, the other doesn't. One capitalizes every word, one doesn't. One appears to have copied and pasted from a word processor with broken unicode characters, the other didn't. Stylistically, these point to very different groups.
This is an example of something called confirmation bias, a well known logical fallacy. Once you've decided on the conclusion ("North Korea hackers"), your perception of the evidence changes. Everything you see starts to confirm your conclusion. This is especially true when you are ignorant of the larger perspective. To those of us with perspective, we don't see the evidence that you believe in.
I see the similarities with the underground as disproof of DPRK involvement. North Korean hackers are trained as professional, nation state hackers. They aren't part of the vast world wide underground of hackers, where kids start as teenagers and are mentored by the system. This vast underground shares culture, tools, techniques, and processes. That's why attacks from wildly diverse cultures often appear the same. North Korea may certainly recruit foreign hackers into their teams, or contract out tasks to foreign groups, but it's unlikely their own cybersoldiers would behave in this way.
Here are a bunch of defacements. See for yourself whether the above two are particularly similar.
Saturday, December 20, 2014
Ask a nerd
One should probably consult a lawyer on legal questions. Likewise, lawyers should probably consult nerds on technical questions. I point this out because of this crappy Lawfare post. It's on the right side of the debate (FBI's evidence pointing to North Korea is bad), but it's still crap.
For example, it says: "One hears a lot in cybersecurity circles that the government has “solved” the attribution problem". That's not true, you hear the opposite among cybersecurity experts. I suspect he gets this wrong because he's not talking about technical experts, but government circles. What government types in Washington D.C. say about cybersecurity is wholly divorced from reality -- you really ought to consult technical people.
He then says: "it is at least possible that some other nation is spoofing a North Korean attack". This is moronic, accepting most of the FBI's premise that a nation state sponsored the attack, and that we are only looking for which nation state this might be. In reality, the Sony hack is well within the capabilities of teenagers. The evidence is solid that Sony had essentially no internal security -- it required no special sophistication by the hacker. Anybody could've done this.
He then talks about the FBI "admitting that it knew about the tools and signatures that North Korea used in past attacks and exploitations and yet still was either unwilling or unable to stop the attack on Sony". Just because The Phantom leaves behind his signature glove in his cat burglaries doesn't mean police can stop him robbing the Pink Panther diamond. It's perfectly reasonable to find similarities in computer viruses without that information being helpful in stopping future viruses. This is one of those things that seems only plausible to those completely ignorant of technology, which is why you ought to consult a techy first to see if you are off-base.
He then says "There are many, many steps the government will need to take to keep our networks more secure". That's a political line by fascists, like "government needs to keep the trains running on time". Neither is a particular need; both are justifications for police states. A cyber police state is not the appropriate response to the Sony hack.
In summary, while this Lawfare post appears to be on my side (not enough North Korea evidence), it's actually on the opposite side. It accepts all the basic premises by the government but only disagrees with them on one point. In actuality, much more is wrong with the government's argument than the lack of evidence.
Friday, December 19, 2014
Sony hack was the work of SPECTRE
The problem with hacking is that people try to understand it through analogies with things they understand. They try to fit new information into old stories/tropes they are familiar with. This doesn't work -- hacking needs to be understood in its own terms.
But since you persist in doing it this way, let me use the trope of SPECTRE to explain the Sony hack. This is the evil criminal/terrorist organization in the James Bond films that is independent of all governments. Let's imagine that it's SPECTRE who is responsible for the Sony hack, and how that fits within the available evidence.
This trope adequately explains the FBI "evidence" pointing to North Korea. SPECTRE has done work for North Korea, selling them weapons, laundering their money, and conducting hacking for them. While North Korea is one of their many customers, they aren't controlled by North Korea.
The FBI evidence also points to Iran, with the Sony malware similar to that used in the massive Saudi Aramco hack. That would make sense, since an evil organization like SPECTRE does business with all the evil countries. Conversely, the Iranian connection doesn't make sense if the Sony hack were purely the work of the North Koreans.
SPECTRE's organization is highly modular, with different groups doing different things. Indeed, different arms of SPECTRE might be working for both sides of a conflict at the same time without each knowing about it. One arm of SPECTRE develops malware. Another arm uses that to break into companies and steal credit card numbers. Another arm converts those credit card numbers to cash.
It's quite possible that the Sony hack was the work of a single SPECTRE agent. We'll call him #8. Certainly, #8 uses the resources of SPECTRE to carry out the attack, and other resources will be called in to profit from the attack, but it's largely an independent operation. In other words, "Guardians of Peace" can refer to a single guy -- a largely independent operator who is unaware of those parts of SPECTRE who have interacted with Iran and North Korea. Thus, once he got into Sony, other members of SPECTRE contacted their North Korean customers and said "hey, we have an opportunity, give us $1 million and we'll shut down that film you hate". Once they got the cash, they directed #8 to make the threat.
My story of SPECTRE better explains the evidence in the Sony case than the FBI's story of a nation-state attack. In both cases, there are fingerprints leading to North Korea. In my story, North Korea is a customer. In the FBI's story, North Korea is in charge. However, my story better explains how everything is in English, how there are also Iranian fingerprints, and how the threats over The Interview came more than a week after the attack. The FBI's story is weak and full of holes, my story is rock solid.
I scan the Internet. I find compromised machines all over the place. Hackers have crappy opsec, so that often leads me to their private lairs (i.e. their servers and private IRC chat rooms). There are a lot of SPECTRE-like organizations throughout the world, in Eastern Europe, South America, the Islamic world, and Asia. At the bottom, we see idiot kids defacing websites. The talented move toward the top of the organization, which has nebulous funding likely from intelligence operations or Al Qaeda, though virtually none of their activities are related to intelligence/cyberwar/cyberterror (usually, stealing credit cards for porn sites).
My point is this. Our government has created a single story of "nation state hacking". When that's the only analogy that's available, all the evidence seems to point in that direction. But hacking is more complex than that. In this post, I present a different analogy, one that better accounts for all the evidence, but one in which North Korea is no longer the perpetrator.
The FBI's North Korea evidence is nonsense
The FBI has posted a press release describing why they think it's North Korea. While there may be more things we don't know, on its face it's complete nonsense. It sounds like they've decided on a conclusion and are trying to make the evidence fit. They don't use straightforward language, but confusing weasel words, like saying "North Korea actors" instead of simply "North Korea". They don't give details.
The reason it's nonsense is that the hacker underground shares code. They share everything: tools, techniques, exploits, owned-systems, botnets, and infrastructure. Different groups even share members. It is implausible that North Korea would develop its own malware from scratch.
Here's the thing with computer evidence: you don't need to keep it secret. It wouldn't harm Sony and wouldn't harm the investigation. It would help anti-virus and security vendors develop signatures to stop it. It would crowd source analysis, to see who it really points to. We don't need to take the FBI's word for it, we should be able to see the evidence ourselves. In other words, instead of saying "IP addresses associated with North Korea", they can tell us what those IP addresses are, like "203.131.222.102".
But the FBI won't do that. They aren't in the business of protection but control. The idea that Americans should protect themselves and decide for themselves is anathema to the FBI.
Wednesday, December 17, 2014
I just bought a ticket for The Interview
I care about free speech, a lot. Recently, hackers successfully threatened Sony in order to cancel the movie The Interview. Consequently, I just went online and purchased tickets for the movie -- even though Sony has announced they are going to cancel the premiere.
Free speech is only partly a government issue ("1st Amendment"). Throughout the world, speech is chilled more by thugs than by police. It could be youth gangs beating up journalists like in Russia, or Islamists killing cartoonists and movie makers. Even in America, we increasingly have a culture that seeks to silence debate, rather than countering bad speech with more speech.
There is action we can take, and it's this: when some are threatened, they should not stand alone. They can't kill, beat up, or dox all of us when we are many. We should draw pictures of Mohamed. We should criticize the despotic rule of Putin. We should buy tickets to The Interview and brag about it online.
What they miss about Uber/Lyft pay
In this story, writer Timothy B. Lee (@binarybits) becomes a Lyft driver for a week. He focuses on the political questions, such as the controversially low pay. He makes the same mistakes that everyone else makes.
Lyft (and Uber) pay can be low for the same reason McDonalds is open at midnight. In absolute terms, McDonalds loses money staying open late. But, when you take into account all the sunk costs for operating during the day, they would lose even more money by not remaining open late. In other words, staying open late is marginally better.
The same is true of Lyft/Uber drivers. I take Uber/UberX on a regular basis and always interview the drivers. Without exception, it's a side business.
This one time, my UberX driver was a college student. He spent his time between pickups studying. When calculating wait-time plus drive-time, he may have been earning minimum wage. However, when calculating just drive-time, he was earning a great wage for a student -- better than other jobs open to students.
Without exception, all the Uber black-car drivers have their own business. They have fixed contracts with companies to drive employees/clients. Or, they have more personal relationships with rich executives, driving them to/from work on a daily basis. They just use Uber to fill in the gaps. They already invest in the care and maintenance of the black car, and would be sitting around waiting anyway, so anything they earn from Uber is gravy on the top.
I always ask drivers if they derive 100% of their income from Uber/UberX, and (with the exception of the student) they've all said "no". The same is likely true for Lee. It's unlikely he was just sitting in his car staring out into space while waiting for the next pickup. It's more likely that he was writing his next Vox piece, or researching his next Bitcoin/Anonymous book.
Some drivers do earn 100% of their income from Lyft/UberX -- right now. Drivers tell me of their friends who are only driving temporarily, while hunting for a new job. In other words, while they are working full time at UberX at the moment, it's only a few months out of the year while between other jobs. They've already invested in buying a car and insurance -- rather than these being difficult costs during a period of unemployment, they are benefits.
Leftists wanting to ban unregulated innovation focus on "wages", but that's nonsense. If wages were as bad as claimed, drivers wouldn't be doing it. If drivers had a better alternative, they'd be doing it. Indeed, as I mentioned above, that's what some were doing: driving while looking for better jobs. Thus, the argument that drivers don't earn enough wages is false on its face.
Instead, what's going on is that the "sharing" economy is really the "marginal" economy. You can't report on it as if it's a replacement for a full time job -- you have to report on it as it fits within other jobs or lifestyle. Great marginal wages may suck when compared against full time wages, but that completely misses the point of this innovation.
Monday, December 15, 2014
Notes on the CIA light-torture report
I'm reading through the Senate report on the CIA's light-torture program, and I came across this giggly bit:
#10: The CIA coordinated the release of classified information to the media, including inaccurate information concerning the effectiveness of the CIA's enhanced interrogation techniques. The CIA's Office of Public Affairs and senior CIA officials coordinated to share classified information on the CIA's Detention and Interrogation Program to select members of the media to counter public criticism, shape public opinion
Of course they did, but then so did the Senate committee itself. They've been selectively leaking bits of the report for over a year. Their description of the "CIA hacking" scandal was completely inaccurate.
Moreover, this Executive Summary wasn't simply published, but given to select people in the media beforehand in order to shape the message.
There's no doubt that the CIA's brutal treatment of prisoners is evil, a stain on the nation's honor, and something that should be prosecuted. But Senator Feinstein and her colleagues are as guilty of this as anybody else. This report is political garbage designed to shield Feinstein from the blame she shares.
All malware defeats 90% of defenses
When the FBI speaks, you can tell they don't know anything about hacking. An example is this quote by Joseph Demarest, the assistant director of the FBI’s cyberdivision:
"The malware that was used would have slipped, probably would have gotten past 90% of the net defenses that are out there today in private industry, and I would challenge to even say government”
He's trying to show how sophisticated, organized, and unprecedented the hackers were.
This is nonsense. All malware defeats 90% of defenses. Hackers need do nothing terribly sophisticated in order to do what they did to Sony.
Take, for example, a pentest we did of a Fortune 500 financial firm. We had some USB drives made with the logo of the corporation we were pen-testing. We grabbed a flash game off the Internet, changed the graphics so that they were punching the logo of their main competitor, and put text in the Final Score screen suggesting "email this to your friends and see what they get". We then added some malware components to it. We then dropped the USB drives in the parking lot.
This gave us everything in the company as people passed the game around. The CEO and many high-level executives ran it on their machines. Sysadmins ran it. Once we got control of the central domain controller, we got access to everything: all files, all emails, ... everything.
The point I'm trying to make here is that we used relatively unsophisticated means to hack an extremely secure company. Crafting malware to get past their anti-virus defenses is trivially easy. Everything we did was easy.
The problem isn't that hackers are sophisticated but that companies are insecure. Companies believe that anti-virus stops viruses when it doesn't, for example. The FBI perpetuates this myth, claiming Sony hackers were sophisticated, able to get around anti-virus, when the truth is that Sony relied too much on anti-virus, so even teenagers could get around it.
The FBI perpetuates these myths because they want power. If the problem is sophisticated hackers, then there is nothing you can do to stop them. You are then helpless to defend yourself, so you need the FBI to defend you. Conversely, if the problem is crappy defense, then you can defend yourself by fixing your defenses.
Update: Here is a previous post where I add a Metasploit exploit to a PDF containing a legal brief that gets past anti-virus.
Friday, December 12, 2014
FYI: Snowden made things worse
Snowden appeared at a #CatoSpyCon, and cited evidence of how things have improved since his disclosures (disclaimer: as a Libertarian, I'm a fan of both CATO and Snowden). He cited some pretty compelling graphs, such as a sharp increase of SSL encryption. However, at the moment, I'm pretty sure he's made things worse.
The thing is, governments didn't know such surveillance was possible. Now that Snowden showed what the NSA was doing, governments around the world are following that blueprint, dramatically increasing their Internet surveillance. Not only do they now know how to do it, they are given good justifications. If the United States (the moral leader in "freedoms") says it's okay, then it must be okay for more repressive governments (like France). There is also the sense of competition, that if the NSA knows what's going on across the Internet, then they need to know, too.
This is a problem within the United States, too. The NSA collected everyone's phone records over the last 7 years. Before Snowden, that database was accessed rarely, and really for only terrorism purposes. However, now that everyone else in government knows the database exists, they are showing up at the NSA with warrants to get the data. It's not just the FBI, but any department within the government who thinks they have a need for that data (e.g. the IRS). Recently, an amendment was added to the Intelligence Authorization bill to codify the process. We don't have any transparency into this, but it's a good bet that the database has been accessed to retrieve American information more often in the year since Snowden than the 7 years before.
Snowden did the right thing in exposing phone surveillance, of course. My point isn't to say he's wrong. Instead, my point is that we aren't winning the war against surveillance. Activists are focussing on the good news, cherry picking the parts where we win. They are ignoring the bad news, that we are losing the war. The Intelligence Authorization bill is an excellent example of that.
EFF: We've always been at war with EastAsia
As a populist organization, the EFF is frequently Orwellian. That's demonstrated in their recent post about the "Declaration of Independence of Cyberspace", where they say:
"The Declaration resounds eerily today. We live in an era where net neutrality is threatened by corporations that want to remove competition and force customers to pay more to have equal access to some sites."
This is self-contradictory. The Declaration says, unequivocally, that governments should not regulate cyberspace ("You have no sovereignty where we gather"), and should not make it into a public utility. The current EFF position is exactly the opposite, that government needs to regulate cyberspace as a public utility.
It is like that bit in 1984 where Orwell's government changes allegiances, going from being an ally with Eastasia to becoming their enemy, and then claims that they had always been at war with Eastasia. They made the change in mid-rally. Orwell describes how the mob quickly switched their beliefs, agreeing that they'd always been at war with Eastasia.
When I read 1984, I thought this was a bit over the top, that the mob would not behave so illogically. But we see the EFF mob today acts exactly that way today. The EFF mob truly believes "The Declaration resounds eerily today" despite all evidence to the contrary. That Declaration was about "Governments", yet the EFF mob will now easily believe "we've always been at war against Corporations".