Herald: Good morning to this last-minute
addition to our “Fahrplan” today.
There will probably be time for a few
minutes of Q&A in the end, so you can
ask questions here or on IRC
and Twitter via our Signal Angels.
Please welcome Jake Appelbaum,
independent journalist,
for his talk
“To Protect And Infect Part 2”.
applause
Jacob: Okay. Alright. Thanks so much
for coming so early in the morning.
Or maybe not so early in the morning
for most of you apparently since
you’ve all been up for more than an hour.
But I’m gonna talk today a little bit
about some things that we’ve heard about
at the conference and I’m gonna talk a bit
about some things that you have not
probably ever heard about in your life and
are even worse than your worst nightmares.
So recently we heard a little bit about
some of the low-end corporate spying
that’s often billed as being sort of like
the hottest, most important stuff, so the
FinFisher, the HackingTeam, the VUPEN.
And sort of in that order it becomes
more sophisticated and more and more
tied in with the National Security Agency.
There are some Freedom of Information Act
requests that have gone out that actually
show VUPEN being an NSA contractor writing
exploits, that there are some ties there.
This sort of covers the… sort of…
the whole gamut, I believe,
which is that, you know you can buy these
like little pieces of forensics hardware.
And just as a sort of fun thing I bought
some of those and then I looked at
how they worked and I noticed that this
‘Mouse Jiggler’, you plug it in and
the idea is that it like keeps your screen
awake. So have any of you seen that
at all? It’s a piece of forensics hardware
so your screensaver doesn’t activate.
So I showed it to one of the systemd
developers, and now when you plug those
into a Linux box that runs systemd,
they automatically lock the screen
when it sees the USB ID.
applause
So when people talk about Free Software,
‘free as in freedom’, that’s part of
what they’re talking about. So there are
some other things which I’m not going
to really talk a lot about it because
basically this is all bullshit that
doesn’t really matter and we can defeat
all of that. This is individualized things
we can defend against. But I want
to talk a little bit about how it’s
not necessarily the case that because
they’re not the most fantastic, they’re
not the most sophisticated, that
therefore we shouldn’t worry about it.
This is Rafael. I met him when
I was in Oslo in Norway
for the Oslo Freedom Forum, and basically
he asked me to look at his computer
because he said, “You know, something
seems to be wrong with it. I think that
there’s something, you know,
slowing it down.” And I said:
“Well, I’m not going to find anything.
I don’t have any tools. We are just
going to like sit at the computer…”
And I looked at it, and it has to be
the lamest back door I’ve ever found. It
was basically a very small program that
would just run in a loop and take
screenshots. And it failed to upload
some of the screenshots, and so there were
8 GB of screenshots in his home directory.
laughter and applause
And I said, “I’m sorry to break it to you
but I think that you’ve been owned.
And… by a complete idiot.”
laughter
And he, he, yeah, he was,
he was really… actually, he felt really
violated and then he told me what he does,
which is he’s an investigative journalist
who works with top secret documents
all the time, with extreme, extreme
operational security to protect
his sources. But when it came to computing
J[ournalism] school failed him.
And as a result, he was compromised
pretty badly. He was not using
a specialized operating system like
Tails, which if you’re a journalist
and you’re not using Tails you should
probably be using Tails unless
you really know what you’re doing.
Apple did a pretty good job at
revoking this application, and it was, you
know, in theory it stopped, but there are
lots of samples from the same group
and this group that did this is tied to
a whole bunch of other attacks across
the world, actually, which is why
it’s connected up there with Operation
Hangover. The scary thing, though, is that
this summer, after we’d met, he was
actually arrested relating to some
of these things. And now, as
I understand it, he’s out, but,
you know, when you mess with a military
dictatorship it messes with you back.
So even though that’s one of the lamest
backdoors, his life is under threat.
So just simple things can cause serious,
serious harm to regular people that are
working for some kind of truth telling.
And that to me is really a big part
of my motivation for coming here to talk
about what I’m going to talk about next,
which is that for every person that we
learn about like Rafael, I think there are
lots of people we will never learn about,
and that’s, to me that’s very scary,
and I think we need to bring some
transparency, and that’s what we’re
going to talk about now. And I really want
to emphasize this point. Even though
they’re not technically impressive, they
are actually still harmful, and that,
that is really a key point to drive home.
I mean, some of the back doors that
I’ve seen are really not sophisticated,
they’re not really that interesting, and
in some cases they’re common off-the-shelf
purchases between businesses,
so it’s like business-to-business
exploitation software development.
I feel like that’s really kind of sad,
and I also think we can change this.
We can turn this around by exposing it.
So, what’s it all about, though?
Fundamentally it’s about control, baby,
and that is what we’re going to get into.
It’s not just about control of machines.
What happened with Rafael is about
control of people. And fundamentally
when we talk about things like internet
freedom and we talk about tactical
surveillance and strategic surveillance,
we’re talking about control of people
through the machinery that they use.
And this is a really, I think a really
kind of – you know I’m trying
to make you laugh a little bit because
what I’m going to show you today
is wrist-slitting depressing.
So. Part 2, or Act 2 of Part 2.
Basically the NSA, they want
to be able to spy on you, and
if they have 10 different options for
spying on you that you know about,
they have 13 ways of doing it and they
do all 13. So that’s a pretty scary thing,
and basically their goal is to have
total surveillance of everything that
they’re interested in. So there really
is no boundary to what they want to do.
There is only sometimes a boundary of
what they are funded to be able to do and
the amount of things they’re able to do at
scale. They seem to just do those things
without thinking too much about it. And
there are specific tactical things
where they have to target a group or an
individual, and those things seem limited
either by budgets or simply by their time.
And as we have released today
on Der Spiegel’s website, which it should
be live – I just checked, it should be live
for everyone here – we actually
show a whole bunch of details
about their budgets as well as the
individuals involved with the NSA
and the Tailored Access Operations group
in terms of numbers. So it should give you
a rough idea showing that there was a
small period of time in which the internet
was really free and we did not have people
from the U.S. military that were watching
over it and exploiting everyone on
it, and now we see every year
that the number of people who are hired to
break into people’s computers as part of
grand operations, those people are growing
day by day, actually. In every year
there are more and more people that are
allocated, and we see this growth. So
that’s the goal: non-attribution, and total
surveillance, and they want to do it
completely in the dark. The good
news is that they can’t. So,
now I’m going to show you a bit about it.
But first, before I show you any pictures,
I want to sort of give you the big picture
from the top down. So there is
a planetary strategic surveillance system,
and there – well, there are many of them
actually. Everything from I think
off-planetary surveillance gear, which is
probably the National Reconnaissance
Office and their satellite systems
for surveillance like the Keyhole
satellites – these are all things most,
for the most part we actually know about
these things. They’re on Wikipedia.
But I want to talk a little bit more about
the internet side of things because
I think that’s really fascinating. So
part of what we are releasing today
with ‘Der Spiegel’, or what has actually
been released – just to be clear
on the timeline, I’m not disclosing it
first, I’m working as an independent
journalist summarizing the work that we
have already released onto the internet
as part of a publication house that went
through a very large editorial process
in which we redacted all the names of
agents and information about those names,
including their phone numbers
and e-mail addresses.
applause
And I should say that I actually think
that the laws here are wrong,
because they are in favor of
an oppressor who is criminal.
So when we redact the names of people who
are engaged in criminal activity including
drone murder, we are actually not doing
the right thing, but I believe that
we should comply with the law in order
to continue to publish, and I think
that’s very important.
applause
We also redacted the names of
victims of NSA surveillance,
because we think that there’s a balance.
Unfortunately there is a serious problem
which is that the U.S. government asserts
that you don’t have standing to prove
that you’ve been surveilled unless
we release that kind of information,
but we don’t want to release that kind
of information in case it could be
a legitimate target, and we – I’m really
uncomfortable with that term, but let’s
say that there is a legitimate target, the
most legitimate target, and we didn’t want
to make that decision. But we
did also want to make sure
that we didn’t harm someone, but we
also wanted to show concrete examples.
So if you look at the ‘Spiegel’ stuff online,
we redacted the names even of those
who were victimized by the NSA’s
oppressive tactics, which I think
actually goes further than is necessary,
but I believe that it strikes
the right balance to ensure continued
publication and also to make sure
that people are not harmed and that
legitimate good things, however rare
they may be, they are also not harmed.
So if you’ve been targeted by the NSA
and you would have found out today
if we had taken a different decision,
I’m really sorry, but this is the thing
I think that keeps us alive,
so this is the choice that I think is the
right choice, and I think it’s also
the safest choice for everyone.
So that said, basically the NSA has
a giant dragnet surveillance system that
they call TURMOIL. TURMOIL is a passive
interception system. That passive
interception system essentially spans
the whole planet. Who here has heard
about the Merkel phone incident?
Some of you heard about Chancellor Merkel?
So we revealed that in ‘Der Spiegel’, and
what we found was that they tasked her
for surveillance. And I’ll talk a little bit
about that later. But basically the way
that this works is that they have this
huge passive set of sensors; and any data
that flows past it, they actually look at it.
So there was a time in the past where
surveillance meant looking at anything
at all. And now the NSA tries
to basically twist the words
of every person who speaks whatever
language they’re speaking in, and they
try to say that it’s only surveillance
if after they collect it and record it
to a database, and analyze it with
machines, only if – I think – an NSA agent
basically looks at it
personally and then clicks
“I have looked at this” do
they call it surveillance.
Fundamentally I really object to that
because if I ran a TURMOIL collection
system – that is passive signals
intelligence systems collecting data
from the whole planet, everywhere they
possibly can – I would go to prison
for the rest of my life.
That’s the balance, right?
Jefferson talks about this. He says, you
know, “That which the government
is allowed to do but you are not, this is
a tyranny.” There are some exceptions
to that, but the CFAA in the United
States, the Computer Fraud and Abuse Act,
you know, it’s so draconian
for regular people,
and the NSA gets to do something like
intercepting 7 billion people all day long
with no problems, and the rest of us
are not even allowed to experiment
for improving the security of our own
lives without being put in prison
or under threat of serious indictment, and
that I think is a really important point.
So the TURMOIL system is a surveillance
system, and it is a dragnet surveillance
system that is a general warrant dragnet
surveillance if there ever was one.
And now we shot the British over this when
we started our revolution. We called them
“general writs of assistance.” These
were generalized warrants which
we considered to be a tyranny. And
TURMOIL is the digital version of a
general writ of assistance system. And
the general writ of assistance itself,
it’s not clear if it even exists, because
it’s not clear to me that a judge
would understand
anything that I just said.
applause
Okay, so now we’re gonna get scary.
So that’s just the passive stuff.
There exists another system that’s called
TURBINE, and we revealed about this system
in the ‘Spiegel’ publications
today as well. So if TURMOIL
is deep packet inspection, then
TURBINE is deep packet injection.
And it is the system that combined
together with a thing…
– with TURMOIL and TURBINE you can create
a platform which they have consolidated
which they call QFIRE. QFIRE is
essentially a way to programmatically
look at things that flow across the
internet that they see with TURMOIL
and then using TURBINE they’re able to
actually inject packets to try to do attacks,
and I’ll describe some of those attacks
in detail in a moment. But essentially
the interesting thing about QFIRE also
is that they have a thing that’s called
a diode. So if you have for
example a large number
of systems where you control them, you
might say: “Hey, what are you doing
on that backbone?”, “Hey, what’s going on
with these systems?” And they could say,
well, you know, we paid for access, we’re
doing this, it’s all legal, etcetera.
QFIRE has this really neat little detail
which is that they compromise
other people’s routers and then redirect
through them so that they can beat
the speed of light. And how
they do that is that they have
a passive sensor that’s nearby,
a thing that they can inject from.
And when they see that that thing sees
a selector that is interesting to them
or is doing a thing that they would like
to tamper with in some way, then they
take a packet, they encapsulate the
packet, they send it to the diode,
which might be your home router
potentially, and then that home router
decapsulates that packet and sends it out.
And because that is very close to you,
and let’s say you’re visiting Yahoo, then
the Yahoo packet will not beat you.
That is, they will not beat the NSA
or GCHQ. So it’s a race condition.
And so they basically are able to
control this whole system and then
to localize attacks in that
process. So that’s a pretty –
pretty scary stuff, actually. And while it
is a digital thing, I think it’s important
to understand that this is what Jefferson
talked about when he talked about tyranny.
This is turnkey tyranny, and it’s not that
it’s coming, it’s actually here. It’s just
merely the question about whether or not
they’ll use it in a way that we think is
a good way or not a good way. One
of the scariest parts about this is that
for this system or these sets of systems
to exist, we have been kept vulnerable.
So it is the case that if the Chinese,
if the Russians, if people here
wish to build this system, there’s nothing
that stops them. And in fact the NSA has
in a literal sense retarded the process
by which we would secure the internet
because it establishes a hegemony
of power, their power in secret,
to do these things. And in fact I’ve seen
evidence that shows that there are so many
compromises taking place between the
different Five Eyes signals intelligence
groups that they actually have lists that
explain, “If you see this back door
on the system, contact a friendly agency.
You’ve just recompromised the machine
of another person.” So
when we talk about this,
we have to consider that this is
designed for at-scale exploitation.
And as far as I can tell it’s being
used for at-scale exploitation.
Which is not really in my mind a
targeted particularized type of thing,
but rather it’s fishing operations.
It’s fishing expeditions. It’s
more like fishing crusades, if you will.
And in some cases, looking at the evidence
that seems to be what it is. Targeting
Muslims, I might add. Because that’s
what they’re interested in doing.
So that said, that’s the internet,
and we get all the way down to the bottom
and we get to the Close Access Operations
and Off-Net. Off-Net and Close Access
Operations are pretty scary things,
but basically this is what we would call a
black bag job. That’s where these guys,
they break into your house, they put
something in your computer and
they take other things out of your
computer. Here’s an example.
First top secret document
of the talk so far.
This is a Close Access Operations box.
It is basically car
metasploit for the NSA,
which is an interesting thing. But
basically they say that the attack is
undetectable, and it’s sadly
a laptop running free software.
It is injecting packets. And they say that
they can do this from as far away as
8 miles to inject packets, so presumably
using this they’re able to exploit
a kernel vulnerability of some kind,
parsing the wireless frames, and, yeah.
I’ve heard that they actually put this
hardware, from sources inside of the NSA
and inside of other
intelligence agencies, that
they actually put this type of hardware on
drones so that they fly them over areas
that they’re interested in and they
do mass exploitation of people.
Now, we don’t have a document
that substantiates that part, but
we do have this document that actually
claims that they’ve done it from up to
8 miles away. So that’s a really
interesting thing because it tells us
that they understand that common wireless
cards, probably running Microsoft Windows,
which is an American company, that they
know about vulnerabilities and they
keep them a secret to use them. This is
part of a constant theme of sabotaging
and undermining American companies and
American ingenuity. As an American,
while generally not a nationalist, I find
this disgusting, especially as someone
who writes free software and would
like my tax dollars to be spent
on improving these things. And when they
know about them I don’t want them
to keep them a secret because
all of us are vulnerable.
It’s a really scary thing.
applause
And it just so happens that at my house,
myself and many of my friends,
when we use wireless devices
– Andy knows what I’m talking about,
a few other people here –
all the time we have errors
in certain machines which are set up at
the house, in some cases as a honey pot
– thanks, guys – where kernel
panic after kernel panic,
exactly in the receive handler of the
Linux kernel where you would expect
this specific type of thing to take place.
So I think that if we talk about
the war coming home, we probably will
find that this is not just used in places
where there’s a literal war on but where
they decide that it would be useful,
including just parking outside your house.
Now I only have an hour today,
so I’m gonna have to go through some
other stuff pretty quickly. I want to make
a couple of points clear. This wasn’t
clear, even though it was written
in the New York Times by my dear friend
Laura Poitras, who is totally fantastic
by the way, and… you are great.
But 15 years of data retention –
applause
So the NSA has 15 years
of data retention.
It’s a really important point to
drive home. I joked with Laura
when she wrote the New York Times article
with James Risen, she should do the math
for other people and say “15 years”. She
said: “They can do the math on their own,
I believe in them”. I just wanna do the
math for you. 15 years, that’s scary!
I don’t ever remember voting on that,
I don’t ever remember even having
a public debate about it. And that
includes content as well as metadata.
So they use this metadata. They search
through this metadata retroactively.
They do what’s called ‘tasking’, that is,
they find a set of selectors – so that’s
a set of unique identifiers, e-mail
addresses, cookies, MAC addresses, IMEIs…
whatever is useful. Voice prints
potentially, depending on the system.
And then they basically
task those selectors
for specific activities. So that ties
together with some of the attacks
which I’ll talk about, but essentially
QUANTUMINSERTION and things that are
like QUANTUMINSERTION, they’re triggered
as part of the TURMOIL and TURBINE system
and the QFIRE system, and they’re all put
together so that they can automate
attacking people based on the plain
text traffic that transits the internet
or based on the source or
destination IP addresses.
This is a second top secret document.
This is an actual NSA lolcat
for the QUANTUMTHEORY program.
applause
You’ll notice it’s a black cat, hiding. Okay.
So there are a few people in the audience
that are still not terrified enough, and
there are a few people that as part
of their process for coping with
this horrible world that we have found
ourselves in, they will say the following:
“There’s no way they’ll ever find me. I’m
not interesting.” So I just want to dispel
that notion and show you a little bit
about how they do that. So we mentioned
TURMOIL, which is the dragnet surveillance,
and TURBINE, which is deep packet injection,
and QFIRE, where we tie it all together,
and this is an example of something which
I think actually demonstrates a crime but
I’m not sure, I’m not a lawyer, I’m
definitely not your lawyer, and I’m
certainly not the NSA’s lawyer.
But this is the MARINA system. This is
merely one of many systems where they
actually have full content as well as
metadata. Taken together, they do
contact chaining, where they find out you
guys are all in the same room with me
– which reminds me, let’s
see, I’ve got this phone…
Okay. That’s good. Let’s
turn that on. So now…
laughter
You’re welcome.
laughter
You have no idea!
laughter
But I just wanted to make sure that
if there was any question about whether
or not you are exempt from needing to do
something about this,
that that is dispelled.
applause
Okay? Cell phone’s on.
Great. So. Hey, guys!
laughter
So, the MARINA system is a
contact chaining system as well as a
system that has data, and in this case
what we see is in fact reverse contact
and forward contact graphing. So,
any lawyers in the audience? If there
are American citizens in this database,
is reverse targeting like this illegal?
Generally? Is it possible that that
could be considered illegal?
Someone from audience mumbling
Yeah, so, interesting. If it’s called
reverse contacts instead of
reverse targeting – yeah, exactly.
So, you’ll also notice the,
on the right-hand side, webcam photos.
So, just in case you’re wondering,
in this case this particular target,
I suppose that he did not or
she did not have a webcam.
Good for them. If not, you should follow
the EFF’s advice and you should put
a little sticker over your webcam. But
you’ll also note that they try to find
equivalent identifiers. So every time
there’s a linkable identifier that you
have on the internet, they try to put that
and tie it together and contact chain it,
and they try to show who you are among all
of these different potential identifiers –
if you have 5 e-mail addresses, they would
link them together – and then they try
to find out who all your friends are.
You’ll also note at the bottom here,
logins and passwords. So they’re
also doing dragnet surveillance
in which they extract – the feature set
extraction where they know semantically
what a login and a password is in a
particular protocol. And in this case
this guy is lucky, I suppose, and they
were not able to get passwords or webcam,
but you’ll note that they were able to get
his contacts and they were able to see
in fact 29, give or take,
received messages as well,
of which there are these things. Now in
this case we have redacted the e-mail
and instant messenger information,
but this is an example of how
laughs
you can’t hide from these things, and
thinking that they won’t find you
is a fallacy. So this is basically
the difference between taking one wire and
clipping onto it in a particularized
suspicious way where they’re really
interested, they have a particularized
suspicion, they think that someone is a
criminal, they think someone has taken
some serious steps that are illegal, and
instead what they do is they put all of us
under surveillance, record all of this
data that they possibly can, and then
they go looking through it. Now
in the case of Chancellor Merkel,
when we revealed NSRL 2002-388,
what we showed was that
they were spying on Merkel. And by their
own admission 3 hops away, that’s everyone
in the German Parliament
and everyone here.
So that’s pretty serious stuff. It also
happens that if you should be visiting
certain websites, especially if you’re
a Muslim, it is the case that you can be
attacked automatically by this system.
Right? So that would mean that
they would automatically start to break
into systems. That’s what they would call
‘untasked targeting’. Interesting idea
that they call that targeted surveillance.
To me that doesn’t really sound too
much like targeted surveillance unless
what you mean by carpet bombing, it – you
know, I mean it just – you know, like… it
just doesn’t… it doesn’t strike me right.
It’s not my real definition of ‘targeted’.
It’s not well defined. It’s not that a
judge has said, “Yes, this person is
clearly someone we should target.” Quite
the opposite. This is something where
some guy who has a system has decided to
deploy it and they do it however they like
whenever they would like. And while there
are some restrictions, it’s clear that
the details about these programs do not
trickle up. And even if they do, they
do not trickle up in a useful way. So
this is important, because members
of the U.S. Congress, they have no clue
about these things. Literally, in the case
of the technology. Ask a Congressman
about TCP/IP. Forget it.
You can’t even get a meeting with them.
I’ve tried. Doesn’t matter. Even if you
know the secret interpretation of Section
215 of the Patriot Act and you go
to Washington, D.C. and you meet with
their aides, they still won’t talk to you
about it. Part of that is because they
don’t have a clue, and another part of it
is because they can’t talk about it,
because they don’t have a political solution.
Absent a political solution, it’s very
difficult to get someone to admit that
there is a problem. Well, there is a
problem, so we’re going to create
a political problem and also talk
about some of the solutions.
The Cypherpunks generally have
come up with some of the solutions
when we talk about encrypting the entire
internet. That would end dragnet mass
surveillance in a sense, but it will
come back in a different sense
even with encryption. We need both
a marriage of a technical solution
and we need a political solution
to go with it, and if we don’t have
those 2 things, we will unfortunately be
stuck here. But at the moment the NSA,
basically, I feel, has more power than
anyone in the entire world – any one
agency or any one person. So Emperor
Alexander, the head of the NSA, really has
a lot of power. If they want to right now,
they’ll know that the IMEI of this phone
is interesting. It’s very warm, which is
another funny thing, and they would be
able to break into this phone almost
certainly and then turn on the microphone,
and all without a court.
So that to me is really scary.
And I especially dislike the fact that
if you were to be building these
types of things, they treat you as an
opponent, if you wish to be able to
fulfill the promises that you make to your
customers. And as someone who writes
security software
I think that’s bullshit.
So. Here’s how they do a bit of it.
So there are different programs.
So QUANTUMTHEORY, QUANTUMNATION,
QUANTUMBOT, QUANTUMCOPPER
and QUANTUMINSERT. You’ve heard of a few
of them. I’ll just go through them real quick.
QUANTUMTHEORY essentially has
a whole arsenal of zero-day exploits.
Then the system deploys what’s called
a SMOTH, or a seasoned moth.
And a seasoned moth is an
implant which dies after 30 days.
So I think that these guys either took a
lot of acid or read a lot of Philip K. Dick,
potentially both!
applause
And they thought Philip K. Dick
wasn’t dystopian enough.
“Let’s get better at this”.
And after reading VALIS, I guess,
they went on, and they also have
as part of QUANTUMNATION
what’s called VALIDATOR or COMMONDEER.
Now these are first-stage payloads
that are done entirely in memory.
These exploits essentially are where they
look around to see if you have what are
called PSPs, and this is to see, like,
you know, if you have Tripwire, if you
have AIDE, if you have some sort of
system tool that will detect if an
attacker is tampering with files or
something like this, like
a host intrusion detection system.
So VALIDATOR and COMMONDEER, which,
I mean, clearly the point of COMMONDEER,
while it’s misspelled here – it’s not
actually… I mean that’s the name
of the program… but the point is to make
a pun on commandeering your machine. So,
you know, when I think about the U.S.
Constitution in particular, we talk about
not allowing the quartering of
soldiers – and, gosh, you know?
Commandeering my computer sounds
a lot like a digital version of that, and
I find that’s a little bit confusing, and
mostly in that I don’t understand
how they get away with it. But part of it
is because until right now we didn’t know
about it, in public, which is why we’re
releasing this in the public interest,
so that we can have a better debate
about whether or not that counts, in fact,
as a part of this type of what I would
consider to be tyranny, or perhaps
you think it is a measured and reasonable
thing. I somehow doubt that. But
in any case, QUANTUMBOT is where
they hijack IRC bots, because why not?
They thought they would like to do
that, and an interesting point is that
they could in theory stop a lot
of these botnet attacks and
they have decided to maintain that
capability, but they’re not yet doing it
except when they feel like doing it for
experiments or when they do it to
potentially use them. It’s not clear
exactly how they use them. But
the mere fact of the matter is that that
suggests they’re even in fact able to do
these types of attacks, they’ve tested
these types of attacks against botnets.
And that’s the program you should FOIA
for. We’ve released a little bit of detail
about that today as well. And
QUANTUMCOPPER to me is really scary.
It’s essentially a thing that can
interfere with TCP/IP and it can do things
like corrupt file downloads. So if you
imagine the Great Firewall of China,
so-called – that’s for the whole planet.
So if the NSA wanted to tomorrow, they
could kill every anonymity system
that exists by just forcing everyone who
connects to an anonymity system to reset
just the same way that the Chinese do
right now in China with the Great Firewall
of China. So that’s like the NSA builds
the equivalent of the Great Firewall
of Earth. That’s, to me that’s
a really scary, heavy-handed thing,
and I’m sure they only use it for good.
clears throat
But, yeah. Back here in reality that to
me is a really scary thing, especially
because one of the ways that they are able
to have this capability, as I mentioned,
is these diodes. So what that suggests
is that they actually repurpose
other people’s machines in order to
reposition and to gain a capability
inside of an area where they actually
have no legitimacy inside of that area.
That to me suggests it is not only
heavy-handed, that they have probably some
tools to do that. You see where I’m going
with this. Well, QUANTUMINSERTION,
this is also an important point, because
this is what was used against Belgacom,
this is what’s used by a whole number of
unfortunately players in the game where
basically what they do is they inject
a packet. So you have a TCP connection,
Alice wants to talk to Bob, and for some
reason Alice and Bob have not heard
about TLS. Alice sends an HTTP
request to Bob. Bob is Yahoo.
NSA loves Yahoo. And basically they
inject a packet which will get to Alice
before Yahoo is able to respond, right?
And the thing is that if that was a
TLS connection, the man-on-the-side
attack would not succeed.
That’s really key. If they were using TLS,
the man-on-the-side attack could at best,
as far as we understand it at the moment,
they could tear down the TLS session but
they couldn’t actually actively inject.
So that’s a man-on-the-side attack.
We can end that attack with TLS.
When we deploy TLS everywhere
then we will end that kind of attack. So
there was a joke, you know, when you
download .mp3s, you ride with communism
– from the ’90s, some of you may
remember this. When you bareback with
the internet, you ride with the NSA.
applause
Or you’re getting a ride, going for
a ride. So the TAO infrastructure,
Tailored Access and Operations. Some
of the FOXACID URLs are public.
FOXACID is essentially like a watering
hole type of attack where you go to,
you go to a URL. QUANTUMINSERT
puts like an iframe or puts some code
in your web browser, which you then
execute, which then causes you to
load resources. One of the resources that
you load while you’re loading CNN.com,
for example, which is one of their
examples, they – you like that, by the way?
So, you know, that’s an extremist site. So
coughs
you might have heard about that. A lot of
Republicans in the United States read it.
So – right before they wage
illegal imperialist wars. So,
the point is that you go to a FOXACID
server and it basically does a survey
of your box and decides if it can break
into it or not, and then it does.
Yep, that’s basically it. And the FOXACID
URLs, a few of them are public.
Some of the details about that have been
made public, about how the structure
of the URLs are laid out and so on.
An important detail is that they pretend
that they’re Apache, but they actually
do a really bad job. So they’re
like Hacking Team, maybe it’s the same
guys, I doubt it though, the NSA wouldn’t
slum with scumbags like that, but…
Basically you can tell, you can find them,
because they aren’t really Apache servers.
They pretend to be, something else.
The other thing is that none of their
infrastructure is in the United States.
So, real quick anonymity question. You
have a set of things and you know that
a particular attacker never comes from one
place. Every country on the planet
potentially, but never one place. The
one place where most of the internet is.
What does that tell you in terms of
anonymity? It tells you usually that
they’re hiding something about that one
place. Maybe there’s a legal requirement
for this. It’s not clear to me. But what
is totally clear to me is that if you see
this type of infrastructure and it is not
in the United States, there is a chance,
especially today, that it’s the NSA’s
Tailored Access and Operations division.
And here’s an important point. When the
NSA can’t do it, they bring in GCHQ.
So, for example, for targeting certain
Gmail selectors, they can’t do it.
And in the documents we released today,
we show that they say: “If you have
a partner agreement form and you need to
target, there are some additional selectors
that become available should you
need them”. So when we have a limit
of an intelligence agency in the United
States, or here in Germany or
something like this, we have to recognize
that information is a currency
in an unregulated market. And these
guys, they trade that information, and
one of the ways they trade that is like
this. And they love Yahoo.
So, little breather?
It’s always good to make fun of
the GCHQ with Austin Powers!
laughter
Okay. Another classified document here.
That’s actual NSA OpenOffice or Powerpoint
clip art of their horrible headquarters
that you see in every news story, I can’t
wait to see a different photo of the NSA
someday. But you’ll notice right here they
explain how QUANTUM works. Now SSO is
a Special Source Operations site. So
you’ve seen U.S. embassies? Usually
the U.S. embassy has dielectric panels on
the roof, that’s what we showed in Berlin,
it was called “DAS NEST” on the cover
of ‘Der Spiegel’. That’s an SSO site.
So they see that this type of stuff is
taking place, they do an injection and
they try to beat the Yahoo packet back.
Now another interesting point is
that for the Yahoo packet to be beaten,
the NSA must impersonate Yahoo.
This is a really important detail because
what it tells us is that they are
essentially conscripting Yahoo and saying
that they are Yahoo. So they are
impersonating a U.S. company
to a U.S. company user
and they are not actually supposed
to be in this conversation at all.
And when they do it, then they of course
– basically if you’re using Yahoo,
you’re definitely going to get owned. So
– and I don’t just mean that in that
Yahoo is vulnerable, they are, but
I mean people that use Yahoo tend to
– maybe it’s a bad generalization,
but, you know – they’re not the most
security-conscious people on the planet,
they don’t keep their computers up to date,
I’m guessing, and that’s probably why
they love Yahoo so much. They also love
CNN.com, which is some other… I don’t know
what that says, it’s like a sociological
study of compromise. But that’s an
important detail. So the SSO site sniffs
and then they do some injection, they
redirect you to FOXACID. That’s for
web browser exploitation. They obviously
have other exploitation techniques.
Okay. So now. We all know
that cellphones are vulnerable.
Here’s an example. This is a base station
that the NSA has that, I think it’s the
first time ever anyone’s ever revealed
an NSA IMSI catcher. So, here it is.
Well, actually the second time, because
‘Der Spiegel’ did it this morning.
But you know what I mean.
applause
So they call it ‘Find, Fix and
Finish targeted handset users’.
Now it’s really important to understand
when they say “targeting” you would think
‘massive collection’, right? Because what
are they doing? They’re pretending to be
a base station. They want to overpower.
They want to basically be the phone
that you connect to… or the phone system
that you connect to. And that means
lots of people are going to connect
potentially. So it’s not just one
targeted user. So hopefully they have it
set up so that if you need to dial 911,
or here in Europe 112 – you know,
by the way, if you ever want to find
one of these things try to call different
emergency numbers and note which ones
route where. Just as a little detail.
Also note that sometimes if you go
to the Ecuadorian embassy you will receive
a welcome message from Uganda Telecom.
Because the British when they deployed
the IMSI catcher against Julian Assange
at the Ecuadorian embassy made the mistake
of not reconfiguring the spy gear they [had]
deployed in Uganda [before]
when they deployed in London.
applause
And this can be yours
for only US$ 175.800.
And this covers GSM and PCS and
DCS and a bunch of other stuff.
So basically if you use a cell phone
– forget it. It doesn’t matter
what you’re doing. The exception may
be Cryptophone and Redphone. In fact
I’d like to just give a shoutout to the
people who work on free software, and
software which is actually secure. Like
Moxie Marlinspike – I’m so sorry I mention
your name in my talk, but don’t worry,
your silence won’t protect you!
I think it’s really important to know
Moxie is one of the very few people
in the world who builds technologies that
are both free and open source, and
as far as I can tell he refuses to do
anything awful. No backdoors or anything.
And from what I can tell this proves
that we need things like that.
This is absolutely necessary because they
replace the infrastructure we connect to.
It’s like replacing the road that we would
walk on, and adding tons of spy gear.
And they do that too,
we’ll get to that. Okay.
So I’m gonna go a little quick through
these because I think it’s better that you
go online and you adjust. And I wanna
have a little bit of time for questions.
But basically here’s an example of how
even if you disable a thing the thing is
not really disabled. So if you have a WiFi
card in your computer the SOMBERKNAVE
program, which is another classified
document here, they basically repurpose
your WiFi gear. They say: “You’re not
using that WiFi card? We’re gonna scan
for WiFi nearby, we’re gonna exfiltrate
data by finding an open WiFi network
and we’re gonna jump on it”. So
they’re actually using other people’s
wireless networks in addition to having
this stuff in your computer. And this is
one of the ways they beat a so-called
air-gapped target computer.
Okay, so here’s some of the software
implants. Now we’re gonna name a bunch
of companies because – fuck those guys
basically, for collaborating when they do,
and fuck them for leaving us
vulnerable when they do.
applause
And I mean that in the most loving way
because some of them are victims, actually.
It’s important to note that we don’t
yet understand which is which.
So it’s important to name them, so that
they have to go on record, and so that
they can say where they are, and so
that they can give us enough rope
to hang themselves. I really want that to
happen because I think it’s important
to find out who collaborated and who
didn’t collaborate. In order to have truth
and reconciliation we need to start with
a little of truth. So STUCCOMONTANA
is basically BadBIOS if you guys have
heard about that. I feel very bad
for Dragos, he doesn’t really talk to me
right now. I think he might be kinda mad.
But after I was detained – by the
US Army on US soil, I might add –
they took a phone from me. Now it
shouldn’t matter but it did. They also
I think went after all my phone records so
they didn’t need to take the phone. But
for good measure, they just wanted
to try to intimidate me which is exactly
the wrong thing to do to me. But as he
told the story after that happened
all of his computers including his Xbox
were compromised. And he says
even to this day that some of those things
persist. And he talks about the BIOS.
Here’s a document that shows clearly
that they actually re-flash the BIOS
and they also have other techniques
including System Management Mode
related rootkits and that they have
persistence inside of the BIOS.
It’s an incredibly important point. This
is evidence that the thing that Dragos
talked about, maybe he doesn’t
have it, but it really does exist.
Now the question is how would he find it?
We don’t have the forensics tools yet.
We don’t really have the capabilities
widely deployed in the community
to be able to know that, and to be
able to find it. Here’s another one.
This one’s called SWAP. In this case it
replaces the Host Protected Area
of the hard drive, and you can see a
little graph where there’s target systems,
you see the internet, Interactive OPS, so
they’ve got like a guy who is hacking you
in real time, the People’s
Liberation Army… uh, NSA! And…
laughter
And you can see all of these different
things about it. Each one of these things,
including SNEAKERNET, these are
different programs, most of which we
revealed today in ‘Der Spiegel’.
But you’ll notice that it’s Windows,
Linux, FreeBSD and Solaris.
How many Al Qaeda people
use Solaris, do you suppose?
This tells you a really important point.
They are interested in compromising
the infrastructure of systems,
not just individual people.
They want to take control and
literally colonize those systems
with these implants. And that’s not part
of the discussion. People are not talking
about that because they don’t know about
that yet. But they should. Because
in addition to the fact that Sun is a U.S.
company which they are building
capabilities against – that to me, really,
it really bothers me; I can’t tell you
how much that bothers me – we also
see that they’re attacking Microsoft,
another U.S. company, and Linux and
FreeBSD, where there are a lot of people
that are building it from all around the
world. So they’re attacking not only
collective efforts and corporate
efforts, but basically every option
you possibly can, from end users
down to telecom core things.
Here’s another one, DEITYBOUNCE.
This is for Dell,
so Dell PowerEdge 1850,
2850, 1950, 2950…
RAID servers using any of the
following BIOS versions. Right?
So just in case you’re wondering, hey
Dell, why is that? Curious about that.
Love to hear your statements about it.
So if you write YARA sigs [signatures]
and you’re interested in looking
for NSA malware, look for things
that use RC6, so look for the constants
that you might find in RC6.
And when they run, if they emit UDP
traffic – we’ve actually seen a sample
of this but we were not able
to capture it, sadly, but
emitting UDP traffic that is encrypted.
You know, people that I’ve worked with
on things related to this, they’ve even,
they’ve had their house black bagged.
They’ve had pretty bad stuff happen
to them. That’s their story to tell.
But one of the interesting details is
that after those events occurred,
these types of things were seen. Ben
has a really bad idea for those guys,
I might add, because I wouldn’t have put
this slide in if that had not occurred.
But if you want to look for it, you’ll
find it. I know some people that have
looked with YARA sigs and they have
in fact found things related to this,
so I suspect a lot of malware researchers
in the near future are going to have
a lot of stuff to say about this
particular slide. I’ll leave that to them.
I think it’s very important to go looking
for these things, especially to find out
who is victimized by them. Here’s an
iPhone back door.
So DROPOUTJEEP, so
you can see it right there.
So, SMS, contact list retrieval,
voicemail, hot microphone,
camera capture, cell tower location. Cool.
Do you think Apple helped them with that?
I don’t know. I hope Apple will clarify
that. I think it’s really important
that Apple doesn’t. Here’s
a problem. I don’t really believe
that Apple didn’t help them. I can’t
prove it yet, but they literally claim
that any time they target an iOS device,
that it will succeed for implantation.
Either they have a huge collection of
exploits that work against Apple products,
meaning that they are hoarding
information about critical systems that
American companies produce
and sabotaging them,
or Apple sabotaged it themselves.
Not sure which one it is!
I’d like to believe that since Apple
didn’t join the PRISM program until
after Steve Jobs died that maybe it’s
just that they write shitty software.
We know that’s true!
laughter
applause
Here’s a HVT, high-value target.
This is a high-value target
being targeted with a back door for
Windows CE Thuraya phones.
So if you have a Thuraya phone and you’re
wondering if it was secure – yeah maybe.
Good luck! Here’s one where they
replaced the hard drive firmware.
There was a talk at OHM this year
[OHM2013] where a guy talked about
replacing hard drive firmware.
You were onto something.
You were really onto something. Whoever
you are, you were onto something.
Because the NSA has a program here,
IRATEMONK, and that’s exactly
what they do. They replace the firmware
in the hard drive, so it doesn’t matter
if you reformat the hard drive, you’re
done. The firmware itself can do
a whole bunch of stuff. So. Here are
the names of the hard drive companies
where it works: Western Digital, Seagate,
Maxtor and Samsung, and of course
they support FAT, NTFS, EXT3 and UFS.
They probably now have support for
additional file systems, but this is
what we can prove. Please note
at the bottom left and the bottom right:
“Status: Released and Deployed.
Ready for Immediate Delivery”.
And: “Unit Cost: $0”.
It’s free! No, you can’t get it.
It’s not free as in free software.
It’s free as in “You’re owned!”.
laughter
applause
I want to give a shoutout to Karsten Nohl
and Luca [Luca Melette] for their
incredible talk where they showed this
exact attack without knowing that
they had found it. Right?
They say – yeah, absolutely.
applause
Important point. The NSA says that when
they know about these things, that
nobody will come to harm, no one will be
able to find them, they’ll never be able
to be exploited by another third party.
Karsten found this exact vulnerability.
They were able to install a Java applet on
the SIM card without user interaction,
and it was based on the service provider’s
security configuration, which is exactly
what the NSA says here, and they talk
about attacking the same toolkit
inside of the phone; and Karsten
found the same vulnerability
and attacked it in the wild. This
is perfect evidence, not only of
how badass Karsten and Luca are
– they are, no question – but also about
how wrong the NSA is with this balance.
Because for every Karsten and Luca, there
are hundreds of people who are paid to do
this full-time and never tell us about it.
applause
Important detail. Do you see that
‘interdiction’ phrase right there?
“Through remote access” – in other
words, we broke into your computer –
“or interdiction” – in other words,
we stole your fucking mail. Now.
This is a really important point. We
all have heard about these paranoid
crazy people talking about people breaking
into their houses – that’s happened to me
a number of times – motherfuckers,
getting you back – it’s really important
to understand this process is
one that threatens all of us.
The sanctity of the postal system
has been violated. I mean – whoa!
God, it makes me so angry, you know?
You can’t even send a letter without
being spied on, but even worse that they
tamper with it! It’s not enough that
the U.S. Postal Service records all
of this information and keeps it
– that’s not enough. They also have to
tamper with the packages! So every time
you buy from Amazon, for example, every
time you buy anything on the internet,
there is the possibility that they will
actually take your package and change it.
One of the ways that I’ve heard that they
change it is that they will actually
take the case of your computer and they
will injection mold a hardware back door
into the case of the computer.
So that even if you were to look
at the motherboard or have it serviced,
you would not see this. It merely
just needs to be in the proximity
of the motherboard. So.
Let’s talk about hardware implants
that they will put into your devices.
Here’s one. This is called BULLDOZER.
It’s a PCI bus hardware implant.
Pretty scary, doesn’t look so great,
but let’s go on a little bit. Okay?
Here’s one where they actually exploit
the BIOS and System Management Mode.
There’s a big graph that shows all of
these various different interconnections,
which is important. Then they talk about
the long-range comms, INMARSAT, VSAT,
NSA MEANS and Future Capabilities. I think
NSA MEANS exists. Future Capabilities
seems self-explanatory. “This
hardware implant provides
2-way RF communication.” Interesting.
So you disable all the wireless cards,
whatever you need. There you go.
They just added a new one in there and
you don’t even know. Your system has no
clue about it. Here’s a hardware back door
which uses the I2C interface, because
no one in the history of time
other than the NSA probably has ever
used it. That’s good to know that finally
someone uses I2C for something
– okay, other than fan control. But,
look at that! It’s another American
company that they are sabotaging.
They understand that HP’s servers
are vulnerable, and they decided,
instead of explaining that this is
a problem, they exploit it. And IRONCHEF,
through interdiction, is one of
the ways that they will do that.
So I wanna really harp on this. Now it’s
not that I think European companies
are worth less. I suspect especially
after this talk that won’t be true,
in the literal stock sense, but I don’t
know. I think it’s really important
to understand that they are sabotaging
American companies because of the
so-called home-field advantage. The
problem is that as an American who writes
software, who wants to build hardware
devices, this really chills my expression
and it also gives me a problem, which
is that people say: “Why would I use
what you’re doing? You know,
what about the NSA?”
Man, that really bothers me.
I don’t deserve the Huawei taint,
and the NSA gives it. And President
Obama’s own advisory board
that was convened to understand the scope
of these things has even agreed with me
about this point, that this should not be
taking place, that hoarding of zero-day
exploits cannot simply happen without
thought processes that are reasonable
and rational and have an economic and
social valuing where we really think about
the broad-scale impact. Now.
I’m gonna go on to a little bit more.
Here’s where they attack SIM cards. This
is MONKEYCALENDAR. So it’s actually
the flow chart of how this would work.
So in other words, they told you all of
the ways in which you should be certainly,
you know, looking at this. So if you ever
see your handset emitting encrypted SMS
that isn’t Textsecure, you now have
a pretty good idea that it might be this.
Here’s another example. If you have
a computer in front of you… I highly
encourage you to buy the Samsung SGH-X480C
– that’s the preferred phone of the NSA
for attacking another person’s phone.
I’m not exactly sure why, but an important
point is, they add the back door, then
they send an SMS from a regular phone
– what does that tell you? What does that
tell you about the exploitation process?
It tells you that it’s actually something
which is pretty straightforward,
pretty easy to do, doesn’t require
specialized access to the telecoms once
they’ve gotten your phone compromised.
That to me suggests that other people
might find it, other people might use
these techniques. Okay, here’s a USB
hardware implant called COTTONMOUTH.
We released this in ‘Spiegel’ today as
well. See the little red parts. It will
provide a wireless bridge onto the
target network with the ability to load
exploit software. Here’s a little bit of
extra details about that. It actually
shows the graph at the bottom, how they do
this, how they get around, how they beat
the air gap with these things. And they
talk a bit about being GENIE compliant.
So GENIE, and for the rest of these
programs, these are – like DROPOUTJEEP
is part of the CHIMNEYPOOL programs,
and COTTONMOUTH is part of the rest of
these programs over here. These are huge
programs where they’re trying to beat
a whole bunch of different adversaries,
and different capabilities are required.
And this is one of the probably I think
more interesting ones, but here’s
the next revision of it where it’s in a
USB plug, not actually in the cable.
And look, 50 units for US$ 200,000.
It’s really cheap.
You like my editorializing there, I hope?
So, $200,000, okay.
And here’s where you look for it. If you
happen to have an x-ray machine,
look for an extra chip. And that’s
a HOWLERMONKEY radiofrequency transmitter.
Well what’s a HOWLERMONKEY? We’ll
talk about that in a second, but basically
this is for ethernet, here. This is the
FIREWALK. It can actually do injection
bidirectionally on the ethernet controller
into the network that it’s sitting on.
So it doesn’t even have to do things
directly to the computer. It can actually
inject packets directly into the network,
according to the specification sheet,
which we released today on
Der Spiegel’s website. As it says,
‘active injection of ethernet packets onto
the target network’. Here’s another one
from Dell with an actual FLUXBABBITT
hardware implant for the PowerEdge 2950.
This uses the JTAG debugging interface
of the server. Why did Dell leave
a JTAG debugging interface on these
servers? Interesting, right? Because,
it’s like leaving a vulnerability in. Is
that a bug door or a back door or
just a mistake? Well hopefully they will
change these things or at least make it so
that if you were to see this you would
know that you had some problems.
Hopefully Dell will release some
information about how to mitigate
this advanced persistent threat. Right?
Everything that the U.S. Government
accuses the Chinese of doing – which they
are also doing, I believe – we are learning
that the U.S. Government has been doing to
American companies. That to me is really
concerning, and we’ve had no public debate
about these issues, and in many cases
all the technical details are obfuscated
away and they are just completely
outside of the purview of discussions. In
this case we learn more about Dell, and
which models. And here’s the HOWLERMONKEY.
These are actually photographs
of the NSA implanted chips that they
have when they steal your mail.
So after they steal your mail they put
a chip like this into your computer.
So the one, the FIREWALK
one is the ethernet one, and
that’s an important one. You probably will
notice that these look pretty simple,
common off-the-shelf parts. So.
Whew! All right. Who here
is surprised by any of this?
waits for audience reaction
I’m really, really, really glad to see
that you’re not all cynical fuckers and
that someone here would admit
that they were surprised. Okay, who
here is not surprised? waits
I’m going to blow your fucking mind!
laughter
Okay. We all know about TEMPEST,
right? Where the NSA pulls data
out of your computer, irradiate stuff
and then grab it, right? Everybody
who raised their hand and said they’re
not surprised, you already knew
about TEMPEST, right?
Right? Okay. Well.
What if I told you that the NSA had
a specialized technology for beaming
energy into you and to the computer
systems around you, would you believe
that that was real or would that be
paranoid speculation of a crazy person?
laughter
Anybody? You cynical guys
holding up your hand saying that you’re
not surprised by anything, raise your hand
if you would be unsurprised by that.
laughter
Good. And it’s not the same number.
It’s significantly lower. It’s one person.
Great. Here’s what they do with those
types of things. That exists, by the way.
When I told Julian Assange about this, he
said: “Hmm. I bet the people who were
around Hugo Chavez are going to wonder
what caused his cancer.” And I said:
“You know, I hadn’t considered that. But,
you know, I haven’t found any data
about human safety about these tools.
Has the NSA performed tests where they
actually show that radiating people
with 1 kW of RF energy
at short range is safe?”
laughter
My God! No, you guys think I’m
joking, right? Well, yeah, here it is.
This is a continuous wave generator,
a continuous wave radar unit.
You can detect its use because it’s
used between 1 and 2 GHz and
its bandwidth is up to 45 MHz,
user adjustable, 2 watts
using an internal amplifier. External
amplifier makes it possible to go
up to 1 kilowatt.
I’m just gonna let you take that
in for a moment. clears throat
Who’s crazy now?
laughter
Now, I’m being told I only have one
minute, so I’m going to have to go
a little bit quicker. I’m sorry. Here’s
why they do it. This is an implant
called RAGEMASTER. It’s part of the
ANGRYNEIGHBOR family of tools,
laughter
where they have a small device that they
put in line with the cable in your monitor
and then they use this radar system
to bounce a signal – this is not unlike
the Great Seal bug that [Leon] Theremin
designed for the KGB. So it’s good to
know we’ve finally caught up with the KGB,
but now with computers. They
send the microwave transmission,
the continuous wave, it reflects off of
this chip and then they use this device
to see your monitor.
Yep. So there’s the full life cycle.
First they radiate you,
then you die from cancer,
then you… win? Okay, so,
here’s the same thing, but this time for
keyboards, USB and PS/2 keyboards.
So the idea is that it’s a data
retro-reflector. Here’s another thing,
but this one, the TAWDRYYARD program, is
a little bit different. It’s a beacon, so
this is where probably then
they kill you with a drone.
That’s pretty scary stuff. They also have
this for microphones to gather room bugs
for room audio. Notice the bottom. It says
all components are common off the shelf
and are so non-attributable to the NSA.
Unless you have this photograph
and the product sheet. Happy hunting!
applause
And just to give you another idea, this is
a device they use to be able to actively
hunt people down. This is a hunting
device, right? Handheld finishing tool
used for geolocation targeting
handsets in the field. So!
Who was not surprised by this? I’m so
glad to have finally reached the point
where no one raised their hand except
that one guy who I think misheard me.
laughter
Or you’re brilliant. And
please stay in our community
and work on open research!
somebody off mike shouts:
Audience: Maybe he can add something!
Yeah! And if you work for the NSA,
I’d just like to encourage you
to leak more documents!
laughter
applause, cheers, whistles, ovation
Herald: Thank you very much, Jake.
Thank you. I’m afraid we ran
all out of time for the Q&A.
I’m very sorry for anyone
who wanted to ask questions.
Jacob: But we do have a press conference.
Well, if you guys… you know,
I’d say: “occupy the room for another
5 minutes”, or… know that there’s
a press conference room that will be
opened up, where we can all ask
as many questions as we want,
in 30 minutes, if you’re interested.
And I will basically be available until
I’m assassinated to answer questions.
laughter, applause
So…
in the immortal words of Julian Assange:
Remember, no matter what happens,
even if there’s a videotape of it,
it was murder! Thank you!
Herald: Thank you. Please give a warm
round of applause to Jake Appelbaum!
applause
silent postroll
Subtitles created by c3subtitles.de
in the year 2016. Join, and help us!
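Two defender-side checks that the talk points to, the man-on-the-side race (two segments claiming the same TCP position with different bytes) and scanning for RC6 key-schedule constants when hunting for the implants, as an added example that is not part of the talk or its slides. The segment records, addresses and byte blob are constructed, and the same-sequence-number heuristic is this editor's illustration of the attack described, not something taken from the documents.

```python
"""Constructed example: two checks a defender can run on captured data.
1. A man-on-the-side injection races the real reply, so the capture holds two
   segments with the same TCP sequence number but different bytes (a genuine
   retransmission repeats the same bytes, so it does not trigger).
2. RC6 code carries fixed key-schedule constants that a scanner can look for.
"""
import struct
from collections import defaultdict, namedtuple

# One decoded TCP segment, server-to-client direction, in capture order.
Segment = namedtuple("Segment", "src sport dst dport seq ttl payload")

# Constructed sample flow (documentation address ranges): client 192.0.2.5 asked
# plain HTTP server 198.51.100.7 for a page. The second segment arrives first
# with the same sequence number as the genuine reply (third segment) but other
# bytes and a different TTL, because a different box on the path sent it.
SAMPLE_SEGMENTS = [
    Segment("198.51.100.7", 80, "192.0.2.5", 51234, 4000, 50, b""),  # SYN-ACK
    Segment("198.51.100.7", 80, "192.0.2.5", 51234, 4001, 61,
            b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n\r\n"),
    Segment("198.51.100.7", 80, "192.0.2.5", 51234, 4001, 50,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment("198.51.100.7", 80, "192.0.2.5", 51234, 4001, 50,
            b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),  # retransmit
]

Race = namedtuple("Race", "flow seq ttls first_payload")


def find_injection_races(segments):
    """Return one Race per (flow, seq) seen with two or more different payloads.

    Differing TTLs are reported as supporting evidence only: they hint at two
    senders at different path distances, but an injector can set any TTL.
    """
    by_pos = defaultdict(list)
    for s in segments:
        if s.payload:  # handshake and pure-ACK segments carry nothing to race
            by_pos[(s.src, s.sport, s.dst, s.dport, s.seq)].append(s)
    races = []
    for (src, sport, dst, dport, seq), segs in by_pos.items():
        if len({s.payload for s in segs}) > 1:
            races.append(Race(flow=(src, sport, dst, dport), seq=seq,
                              ttls=sorted({s.ttl for s in segs}),
                              first_payload=segs[0].payload.split(b"\r\n", 1)[0]))
    return races


# RC6 (and RC5) key-schedule constants for 32-bit words: P = Odd((e-2)*2^32),
# Q = Odd((phi-1)*2^32). Q32 is the golden-ratio constant many other algorithms
# also use, so treat a Q32-only hit as weak and a P32+Q32 pair as the signal.
RC6_P32 = 0xB7E15163
RC6_Q32 = 0x9E3779B9


def find_rc6_constants(blob):
    """Return sorted (offset, name, byte_order) for every P32/Q32 occurrence."""
    hits = []
    for name, value in (("P32", RC6_P32), ("Q32", RC6_Q32)):
        for order, fmt in (("little", "<I"), ("big", ">I")):
            needle = struct.pack(fmt, value)
            at = blob.find(needle)
            while at != -1:
                hits.append((at, name, order))
                at = blob.find(needle, at + 1)
    return sorted(hits)


def looks_like_rc6(blob):
    """True only when both constants are present, in any byte order."""
    names = {name for _, name, _ in find_rc6_constants(blob)}
    return {"P32", "Q32"} <= names


# Constructed sample blob: padding, then the two constants as a little-endian
# compiler would emit them in immediates or a data section.
SAMPLE_BLOB = (b"\x00" * 16 + struct.pack("<I", RC6_P32)
               + b"\x90" * 8 + struct.pack("<I", RC6_Q32) + b"\x00" * 4)

if __name__ == "__main__":
    for race in find_injection_races(SAMPLE_SEGMENTS):
        print("race at seq", race.seq, "ttls", race.ttls, race.first_payload)
    print("RC6 constants:", find_rc6_constants(SAMPLE_BLOB),
          "looks like RC6:", looks_like_rc6(SAMPLE_BLOB))
```

On a real capture the same-sequence-number check should be run per direction on reassembled flows, and the RC6 scan over unpacked code rather than packed or encrypted sections.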
Jacob: Thanks for gathering so early in the morning.
Though many of you have probably been up all night.
Some of what I'm going to talk about today
are things you've probably never heard in your life,
and they may be worse than any nightmare you could imagine.
Now, recently there's been a lot of talk
about low-end corporate spyware:
FinFisher, HackingTeam, VUPEN and so on...
The techniques get more sophisticated,
and the ties between these companies and the NSA grow ever closer.
The fact that VUPEN actually had a contract with the NSA
and was supplying vulnerability information
has come out through FOIA (Freedom of Information Act) requests.
The forensics tools summarized here
are things you can buy yourself.
I bought some for fun and noticed something:
this tool called a Mouse Jiggler,
when you plug it into a PC, keeps it from going to sleep.
Have you seen one?
It stops the screensaver from activating.
I showed this to a systemd developer a while ago,
and now,
when you plug one into a Linux PC running systemd,
it locks the screen automatically.
When the "free" in Free Software means freedom,
this is the kind of thing that matters.
There are various other things written here,
but I won't go through them one by one today.
Most of them
aren't a big deal;
they're things you can deal with individually.
But I want to talk a bit about cases where
something that doesn't look like a big deal
can't be ignored.
This is Rafael.
I met him at the Oslo Freedom Forum.
He asked me to take a look at his PC,
saying it was strangely slow and something was wrong.
I didn't have any tools with me,
so I didn't think I could help,
but when I looked, there was the most blatant backdoor in history...
It was a simple program that just took
screenshots periodically,
but it had been failing to send the image data,
so 8 GB of it had piled up in his home directory...
So I told him, "It's hard to break this to you,
but you've been owned, and by a hopeless idiot at that."
He felt very violated.
As it turned out, he was an investigative journalist
who handled top-level confidential information.
But it seems journalism school
didn't teach him how to use a PC.
As a result he suffered serious harm.
He wasn't using tools like Tails either.
If you're a journalist and haven't thought about countermeasures,
you should use Tails.
Apple responded quickly,
and this spy app was removed, for what it's worth,
but the ones who did this are believed to be linked
to the group behind the international cyber-espionage campaign
"Operation Hangover".
The frightening thing is that that summer Rafael
was arrested
over his investigative reporting work.
He seems to have been released now,
but this is
the risk of sticking your nose into a military regime.
For someone in his position, whose job is
to report the truth,
even a sloppy backdoor
can put his life in danger.
This kind of thing is a big part of my motivation
for speaking here today.
For people like Rafael... and I think there are
many people like Rafael
in the world...
what I want to talk about is that for them
we need transparency.
What I especially want to emphasize is that
technically sophisticated attacks are not the only threat.
That's the key point.
The backdoors I've seen are not necessarily well made,
and sadly,
they turn up in ordinary off-the-shelf products.
But I believe that by making them public
we can change the current situation.
So what's today's main theme?
"It's about control, baby!"
Not just controlling machines,
but controlling people too.
Talking about Internet freedom
and strategic surveillance is at the same time
talking about controlling, through machines,
the humans who use them.
I wanted to get a little laugh out of you, because
what I'm about to show you
should depress you enough to make you suicidal.
So, Part 2: Part 2 of Act 2.
If the NSA wants to watch you,
it will mobilize every option available to it
to watch you.
Their goal is comprehensive surveillance,
which means watching anyone they're interested in,
and there's no limit to it.
The only limits on their activities are
when there's a strategy targeting
a specific organization or individual,
or when budget or time limits are set.
And in an article published on Der Spiegel's site
just today,
we reveal details of the NSA's budget and the scale
of the number of people involved with the NSA and TAO.
I think this article will give you a feel for the flow.
There was once a time when the Internet was truly free
and not constantly watched by the military,
but now, as part of a larger purpose, many people
are hired to break into other people's computers,
and the number of these people is growing by the day.
Their goal is to carry out total surveillance
in complete darkness.
The good news is that that hasn't worked.
Let me explain step by step.
First, look at the slide to get the big picture.
Large-scale surveillance systems are nothing unusual in themselves.
For example, the US National Reconnaissance Office's
surveillance satellites, like the Keyhole satellites, are well known;
there's an overview on Wikipedia.
This time I want to talk
about the Internet side a bit more.
First I want to make the timeline clear:
the content of this Spiegel article
was not first exposed by me.
I, as a freelance journalist,
only did the job of writing up the content into an article;
it had already been published on the Internet after
painstaking editing work such as redacting personal names and addresses.
Personally I didn't think it was right to delete even the names
of people who endorse and are involved in criminal acts like drone killings,
people who are, so to speak, persecutors,
but I judged that following the law was important
in order to keep publishing officially.
Weighing both sides,
we also withheld the names of the victims of NSA surveillance.
But not naming the victims
also means we can't present evidence of the fact that they were being watched.
But considering the danger of their becoming targets through publication,
we didn't go ahead with publishing them.
We wanted to avoid harming anyone through the article
while at the same time showing concrete examples.
If you look at the article, you'll see the redactions.
We may have been a little too scrupulous,
but I believe it was necessary
in order to keep reporting safely.
Had we published the names, there might be people
who would have learned today that they had been targeted.
I feel sorry toward those people,
but I think this choice was a lifeline for us, and ultimately for everyone.
Now, the NSA apparently has a huge surveillance network
called TURMOIL.
TURMOIL is a passive interception system,
and its reach extends around the world.
You know about the tapping of Chancellor Merkel's phone, right?
As Spiegel reported, she was one of the people
on the surveillance list. More on that later.
Basically, they have huge receiving sensors
and monitor all the data that passes through them.
"Monitor" here doesn't mean "look at" in the old sense;
what the NSA now calls "monitoring" is recording
the words spoken by everyone in the world, storing them in a database,
analyzing them by machine, and having staff personally
check the information, all to exploit it at their convenience.
But if an individual used an information-collection system like TURMOIL
and gathered data from all over the world,
it would be a crime that puts you in prison for life.
That's the imbalance in the current situation.
Jefferson said it too: "When the government is permitted
what individuals are not, that is tyranny."
There are exceptions. But while the CFAA (Computer Fraud and Abuse Act)
is extremely harsh on ordinary people,
the NSA wiretaps seven billion people and gets away with it.
We get flagged as would-be criminals and sent to prison
just for trying to protect our own privacy.
That's a problem.
Now, the TURMOIL system is a surveillance system,
and you could call it a general-warrant surveillance system.
Looking back at British history,
there was something called the "writ of assistance".
It was a general warrant issued without specifying the scope of the search,
and TURMOIL is, so to speak, the digital version of it.
I don't know whether writs of assistance still exist as such.
And it's doubtful a court would understand what I just said.
Starting to get the chills?
TURMOIL is only passive interception.
So what Spiegel also reported today
is another system, TURBINE.
If TURMOIL is DPI (inspection of data),
TURBINE is active intervention in the data.
And QFIRE exists as the platform for these;
through the QFIRE program,
information flowing over the Internet is collected with TURMOIL,
and TURBINE is used to intervene in and attack the data.
I'll explain this in detail later.
An even more interesting point about QFIRE
is the existence of something called a diode.
By breaking into someone else's router
and redirecting from there,
QFIRE can avoid the risk of being detected by the system.
It can, so to speak, beat the speed of light.
When a receiving sensor detects an interesting-looking data flow,
they pull out the packets, encapsulate them,
and send them to the diode, in this case a home router.
The home router then decapsulates the packets
and sends them out.
Because of this proximity,
they can arrive faster than the packets
from the site you're looking at at the time.
Through this process they control the whole system
and can localize the attack.
This really is a threat.
It's happening in the digital world,
but Jefferson's definition of tyranny applies.
It is, so to speak, turnkey tyranny.
And it has already begun. All that remains is whether they
use it for good ends
or for bad ends.
The scary thing about this system is that as long as it exists,
we are constantly exposed to vulnerability.
Whether it's Russia or China or someone in this room, as long as the system exists,
there is no way to stop it.
The NSA, by obstructing our process of securing the Internet,
gains control
and tries to do everything in secret.
There was also evidence showing that security-undermining acts
are frequently carried out even among
the Five Eyes (the international intelligence alliance).
We have to consider that these plans are aimed at
large-scale compromise of the Internet.
Apart from targeting Muslims,
it's hard to believe they are designed for specific targets.
It's not so much phishing as fishing.
Now we've come to close access operations
and Off-Net at the bottom.
This is the so-called black bag job
(illegal entry to obtain information):
breaking into a house, putting something into the computer,
and stealing something out in return.
Here's an example. The first classified document of the day makes its appearance.
This is the close access operations box.
Basically it's Metasploit,
and it says its attacks are undetectable.
Sadly, free software is being used,
and it says it can break into communications from eight miles away.
Exploiting kernel vulnerabilities, analyzing wireless communications...
Moreover, according to a source inside the NSA,
they put this device on drones,
fly them to areas where people of interest are,
and compromise large numbers of people.
There's no proof of that. But
it is definitely written that attacks are possible from eight miles away.
And what this suggests is that they knew about
vulnerabilities in standard WiFi communications,
of the kind normally used with Windows,
and kept them secret in order to exploit them.
Subversion of American companies and products
is one of today's themes,
and especially as an American myself,
though I'm not much of a patriot,
and especially as someone who makes free software,
I don't want information that exposes us to vulnerabilities
kept secret.
That is terrifying.
Just the other day at home, with my friends,
Andy and some others who are here,
I used a machine as a honeypot
and looked at errors from wireless devices,
and the errors I'd expected from the Linux kernel
showed up one after another.
In other words, the battlefield is now inside your house, or the parking lot,
wherever is convenient for them to wage war.
Time is limited, so I'll move quickly.
What I want to make clear is in an article
my wonderful friend Laura Poitras
wrote in the New York Times...
Laura is a truly wonderful person!
The NSA has 15 years' worth of data.
Keep that in mind.
Laura says anyone who does the math can figure it out.
Today I'll do the math for you.
Fifteen years.
I don't even remember whether I voted for that
back then.
And the information includes not just metadata but content.
Using this metadata
to search retroactively is what they call "tasking",
and they sort the data by a set of unique identifiers (selectors):
e-mail addresses, cookies, MAC addresses, IMEIs,
sometimes voiceprints.
And first something called QUANTUMINSERTION
acts as the trigger,
and by combining systems like
TURMOIL, TURBINE and QFIRE,
they can automatically select and attack targets
based on data being sent and received, IP addresses and so on.
The next classified document
is a genuine NSA-edition LOLcat.
There's a black cat hiding in there.
For those in the audience who aren't surprised yet, or who think
"this doesn't concern me, they won't find me",
let me explain how they actually operate
and dispel that notion.
So far: TURMOIL = the surveillance network, TURBINE = attacks on communications,
QFIRE = the system combining them.
And what I'm about to show you is something that would be evidence of a crime...
well, I'm not a lawyer, so I can't be sure...
But this is the MARINA system.
It's a system that can work out close human relationships
(contact chaining)
from metadata and content.
So, since you're all in the same room as me right now,
...let me hang up the phone...
No need to thank me.
You wouldn't know...
I wanted to make clear
whether there's anyone here who's unconnected.
Okay, I've turned it on. Hi.
The MARINA system maps communication flows
from the data into a relationship chart.
Are there any lawyers here?
If Americans are included in this data,
is that illegal?
That is, when this becomes a pretext for putting Americans
under surveillance (reverse targeting).
And for those wondering about the "webcam photos" item
on the right...
fortunately this target's PC
apparently didn't have a webcam.
Otherwise, following the EFF's advice,
you'd better cover the camera lens with a sticker or the like.
Looking here, they also find Internet identities that can be linked,
tie them together,
and correlate every ID you use on the web
and all your activity.
Even if you have five separate e-mail addresses,
they can work out that the owner is the same person,
and even who that owner
is in contact with.
At the bottom it says login information and passwords.
They're building a surveillance net that holds aggregate information about targets.
This person was probably lucky: neither passwords nor webcam images
were extracted.
Even so, they obtained this person's contacts
and information on received and sent mail.
I can't show you the actual mail content,
but if you still think they won't find you,
this should have served as a good example that that idea is mistaken.
This is where the meaning of the word "surveillance" has shifted.
Instead of watching the communications of specific people
who seem involved in crimes,
they put everyone under surveillance,
record every bit of data they can,
and investigate from there.
Let's look at the Merkel case.
In the NSRL (the intelligence list) there is a code
showing the NSA was spying on Merkel,
and from there, in three hops, you reach everyone in the German parliament,
and all of you.
If you happen to access a particular website,
and especially if you're Muslim,
you can be added to the target list automatically.
This is called "untasked targeting".
So when they use the phrase "targeted surveillance",
given the normal definition of the word "target",
it feels very wrong to me.
Unless they mean it in the sense of carpet bombing.
With some restrictions,
there are people who can use the system freely as they please,
and details of the program almost never leak out.
It's serious. The people in the US Congress
have no idea what's going on in the world of technology.
Try catching a member of Congress and asking about TCP/IP.
Well, you wouldn't catch one in the first place.
Even if you learned the secret interpretation of Section 215 of the USA PATRIOT Act,
went to Washington, D.C. and got to meet a senior official,
they wouldn't discuss it,
because there's no way to solve it.
It's hard to get them to admit there's a problem
when no one can see a way to a political solution.
So let's consider the political problem and talk about solutions.
The cypherpunks proposed encrypting
the entire Internet,
but even so, mass surveillance by some other method
might still emerge.
Unless we aim for a solution from both the technical and the political side,
there's no way out of this problem.
But right now, the NSA has more power than anyone in the world.
The power of NSA Director Alexander, Emperor Alexander, is enormous.
If he wanted to know, he could find out the IMEI (identification number)
of this phone right now.
Feels good. And he could break into the phone
and turn on the microphone... without a warrant.
What scares me most is that if you're
involved in something like making security software,
the more honest you try to be with your customers,
the more the NSA treats you as an enemy.
As one of those people, I feel really bad about it.
Let's look at a few more examples.
These are separate programs.
QUANTUMTHEORY, QUANTUMNATION,
QUANTUMBOT, QUANTUMCOPPER, QUANTUMINSERT.
You've probably heard of some of them, so I'll explain briefly.
QUANTUMTHEORY is one that uses zero-day vulnerabilities.
A piece of software called SMOTH or "seasoned moth" (a moth on drugs??)
is built to self-destruct 30 days
after breaking into a PC.
I think these people have done too much acid
or read too much Philip K. Dick. Maybe both.
But for them, apparently, Philip K. Dick's dystopia
doesn't go nearly far enough.
And, probably after reading Dick's "VALIS",
they created VALIDATOR and something called COMMONDEER
as part of QUANTUMNATION.
These are attacks carried out in memory; first
they probe whether your machine
has anomaly-detecting security tools
such as Tripwire or AIDE installed.
And then, whether or not the name COMMONDEER
is a pun,
they commandeer your machine.
The US Constitution says soldiers may not be quartered
in a house without the owner's consent, right?
Having your PC taken over
is like the digital version of that.
Why is this allowed?
Because until now nobody had noticed.
Through what we published, whether this amounts to tyranny,
or, as some
may argue, is a legitimate practice,
what matters is that such a debate happens in public.
Next, this is QUANTUMBOT, a tool that
hijacks IRC bots.
If they can do that, they should be able to stop many botnet attacks
(DDoS attacks etc.),
but they don't seem to be using it for that.
The details of its use are a mystery,
but the problem is that they can even do such things.
I think it's a program that should be disclosed.
We're publishing more details today too.
And QUANTUMCOPPER is even more frightening.
Basically it's something that interferes with TCP/IP communications
and can corrupt file downloads.
It means that if the NSA wished, it could destroy
every existing anonymity system (such as Tor)
and build a planet-scale version of China's Great Firewall
overnight.
It's a violent system.
Of course it'll be used for good purposes.
The scary part, as I touched on earlier, is the "diode"
that makes this possible:
breaking into other people's machines, steering them,
and getting into areas they have no authority over.
It's not just about being rough.
Next is QUANTUMINSERTION.
This is large in scale, because it's being carried out
against Belgacom (the Belgian telecom company).
Basically it's something that does packet tampering.
For example, in TCP communication,
Alice wants to talk to Bob.
And suppose neither of them happens to know
about TLS (encryption).
Alice sends an HTTP request to Bob.
Bob is Yahoo. The NSA loves Yahoo.
And the NSA returns a tampered packet
before the response from Yahoo reaches Alice.
If you use TLS, you can prevent this kind of attack.
At best they can succeed in cutting off the communication,
but they can no longer do anything to the packets.
This kind of so-called man-on-the-side
(MotS) attack
is a problem that can be prevented simply by using TLS.
In the '90s there was a joke, "When you download MP3s
you're also downloading communism";
now it's "When you ride the Internet naked,
the NSA rides along"...
Now, TAO (Tailored Access Operations).
FOXACID is something like a watering-hole attack:
when you access a certain URL,
QUANTUMINSERT injects an inline frame or code
into your web browser
and makes it load a resource.
One of the sites used for FOXACID
is CNN.com.
Because... everyone loves it, right?
It's an extremist site. Republicans read it.
In preparation for starting illegal imperialist wars...
Simply put, when you're caught by this,
the FOXACID server
investigates whether your machine looks attackable,
and if so, it executes.
That's all.
We know some of the URLs used for FOXACID
and how the mechanism works.
Of note is that the FOXACID servers
masquerade as Apache.
From the technique, we suspect Hacking Team
might be involved...
At any rate, it's clear that it's a fake
Apache server.
Also, note that their infrastructure
is not inside the United States.
If you found that an attacker was launching attacks
from every place in the world where there's Internet,
but absolutely never from one particular place,
what would you conclude
from an anonymity standpoint?
Normally you'd think there's something hidden in that place.
Is it a matter of legal requirements?
But the situation where the infrastructure of the NSA's TAO unit is not in the US
is worth thinking about.
And the point is that what the NSA can't do
gets taken to GCHQ.
For example, when the NSA can't target
a specific Gmail selector,
as long as they fill out an agreement form,
they can get the information even when domestic intelligence has limits.
Information can be traded with GCHQ like currency.
Incidentally, they love Yahoo too!
Let's take a breath.
Mocking GCHQ with Austin Powers jokes
never gets old.
OK, the next classified document.
This is an actual NSA PowerPoint.
The familiar hideous headquarters is drawn on it.
It explains how QUANTUM works.
SSO is Special Source Operations site.
The eavesdropping panel on the roof of the US embassy in Berlin,
"DAS NEST" (the nest),
which we reported on the cover of Der Spiegel,
is exactly this.
In this way they also cut into
packet traffic from Yahoo.
Having kicked Yahoo's packets aside,
the NSA has to impersonate Yahoo
and take Yahoo's place.
It impersonates an American company and intrudes
into its conversation with its users.
If this is done to you, you're finished the moment you use Yahoo.
I think the reason they like Yahoo
is not that Yahoo itself is especially vulnerable,
but that the typical Yahoo user... prejudice perhaps...
is assumed not to be the security-conscious,
update-regularly kind of person.
They love CNN.com too.
That would make a sociological study.
SSO sniffs around, intrudes,
and redirects to FOXACID.
This is one example of an intrusion against the web browser,
but they presumably have plenty of other methods.
We know a lot about mobile phone vulnerabilities.
Let me give an example.
This is a base station the NSA uses
that can catch mobile phone IMSIs (identification numbers).
It's the first time it's been shown publicly.
Not counting this morning's Spiegel article, that is.
It's a device to "find, fix and finish" targets, apparently.
When they use the word "target",
you already know it means mass interception.
This thing pretends to be a base station.
They are trying to become the phone, the communications, themselves.
Anyone passing through could become a target.
When you need to call 911, or 112 in Europe,
let's hope they're standing by.
If you want to find this kind of thing,
try calling various emergency numbers and see where they connect.
Also noteworthy: if you go to the Ecuadorian embassy,
you get a welcome message
from a Ugandan telecom.
That's because when they deployed this IMSI catcher
against Julian Assange in the Ecuadorian embassy,
they forgot to reconfigure the device, so what was supposed to look
like a London network was still set to Uganda.
You can buy this device for $175,800.
It covers GSM, PCS and DCS (standards) too.
But if you're a mobile phone user, forget this story;
there's nothing you can do anyway.
The exceptions are the Cryptophone and RedPhone.
I want to cheer on the people making
truly secure free software,
such as Moxie Marlinspike.
Sorry for naming you, but silence won't protect you.
It's important to know: Moxie is a rare person who makes things
that are truly free and open source,
and doesn't do sleazy things
like adding backdoors.
We need things like this.
Because they replace the very infrastructure
we access.
It's as if they swapped the pavement we walk on
for one with spy devices built in.
In fact they do that kind of thing.
From here I'll only go over things briefly;
you should look at them closely online yourselves,
and I want to leave time for Q&A.
On a PC with a WiFi card, a program called SOMBERKNAVE
gets into the WiFi device.
If there's no WiFi card, it scans nearby WiFi
and rides on open WiFi networks.
To get into your computer,
they'll even use other people's WiFi networks.
With this, targets inside an air gap (an isolated network)
can be targeted too.
This is about software "implants".
I'd like to name the shitty companies involved in this,
since they're complicit in weakening our security.
I say that with love.
Some of them may themselves be victims,
and we can't tell which is which.
So by calling them out, they can also make their position clear.
I want to see who is involved and who isn't,
for the sake of our future relationships.
STUCCOMONTANA is basically
"badBIOS".
You may have heard of it;
it's the malware that poor Dragos was hit by.
He's not in a state to talk to me right now;
I think he's angry too.
When I was detained in the US,
my phone was taken from me.
Then they presumably went through my entire call history.
They could have done that much without the phone,
but it was probably also meant as a threat to me, not that it works.
But after that, all of Dragos's
computers and his Xbox got infected.
He has maintained that all along.
And what he said about the BIOS
is exactly the technique written here.
The NSA was attacking the BIOS.
It also describes a method of using System Management Mode
to hide inside the BIOS.
In other words, this is perfect corroboration
of what Dragos has been claiming.
So the question is: how did he figure that out?
There's still no tool that can verify it.
He has no means to do it, and yet.
Next.
This is something called SWAP.
It rewrites a hidden area of the hard drive.
Look at this diagram.
It seems hacking in real time is possible.
The People's Liberation Army... er, the NSA...
The SNEAKERNET and so on written here
are all separate programs.
They support Windows, Linux and FreeBSD.
How many Al-Qaeda members
do you suppose use Solaris?
Something important follows from this: they
want to control the infrastructure itself, not individual people.
Through these implants
they want to "colonize" the entire system.
It's done without people's knowledge,
so there's not even a debate. But people should know.
Especially considering the fact of
Sun Microsystems' relationship with the NSA.
I can't put into words how much this worries me.
They target not only Microsoft and other American companies
but also Linux and FreeBSD, which people of many nations are involved in.
The intrusion isn't limited to groups or companies;
it reaches every option you could choose,
from the end user to the core
of telecom networks.
DEITYBOUNCE is an attack aimed at Dell.
Dell PowerEdge 1850, 2850, 1950 and 2950 RAID servers
all use one of the listed BIOS versions.
But why on earth is that?
Dell, I'd be glad if you could tell me the reason.
If you write YARA (malware scanning tool) signatures
and you're interested in NSA malware,
you'd look for whether the RC6 cipher is used,
or for the constants seen in RC6.
And you'd watch whether they spit out
encrypted UDP traffic.
We were able to see a sample,
though unfortunately we couldn't capture it.
People investigating this with me
have had terrible experiences, like forced searches of their homes
by the government, but interestingly, it was right after that
that this kind of thing started being discovered.
If it weren't happening
I couldn't put it on this slide.
But it's something you can verify if you're so inclined.
In fact, there are people checking against YARA malware information
and finding related phenomena.
Before long, many malware researchers
will be commenting on the contents of this slide.
I'd like those people to push their research forward,
to make clear who the victims are too.
This is a backdoor for the iPhone,
called DROPOUTJEEP.
From SMS to contact information, voicemail, microphone audio,
camera capture, even cell tower information. Impressive.
Do you think Apple is helping with this? Who knows.
I hope they'll clearly deny it.
Frankly, the problem is it looks a bit suspicious.
Of course I have no proof,
but they claim that implants targeting iOS devices
succeed "every time".
Either they have a large stock of exploits
effective against Apple products,
meaning they have information about the core systems
of an American company's products and are sabotaging them,
or Apple itself is doing it;
I don't know.
Given that Apple also wasn't participating
in the PRISM program,
I'd like to believe that since Jobs died
they're just making crappy products.
Right?
This is HVT.
It exploits a backdoor in the Windows CE-based Thuraya phone (satellite phone)
to go after HVTs (high-value targets).
If you use a Thuraya phone... good luck.
This one also rewrites firmware.
At OHM this year (2013)
there was also a talk about firmware swapping.
You've got the idea by now. With a program called IRATEMONK,
the NSA uses exactly that method.
It replaces the firmware inside the hard drive,
so it doesn't matter if you reformat the hard drive.
They do all this with firmware alone.
The targeted hard drive companies are written here:
Western Digital, Seagate, Maxtor, Samsung.
It supports FAT, NTFS, EXT3 and UFS,
and probably a few more filesystems in practice.
Look at the Status column: "ready for immediate deployment".
And "Cost: $0". It's free.
No, not free for you;
free for them, at your expense.
Karsten Nohl and Luca gave a wonderful talk
on exactly this attack method.
The NSA knew this vulnerability and was saying nobody could find it
and no third party could cause harm with it,
but
Karsten found exactly this vulnerability.
Java applets can be installed on SIM cards
without the user's knowledge,
depending on the service provider's
security configuration.
And Karsten also independently succeeded in the attack
on the toolkit written right here.
This is hard proof,
not only that Karsten and Luca are amazing,
but of how much the NSA lacks fairness.
There were many people being paid to do these things
who stayed silent.
That's important.
Do you see the word "interdiction"?
Either via remote access, in other words,
breaking into the computer,
or by interdiction,
in other words, stealing your mail.
You've probably heard paranoid people like us
claim their homes have been broken into.
In fact it's happened to me many times...
Remember this, you bastards... the point is,
this process threatens all of us.
It defiles the integrity of the postal system. I mean...
It really makes me angry, because it's not just that you
can't send a letter without being spied on;
on top of that, they might be tampering with it.
Not content with the US Postal Service recording all the information,
they even tamper with packages!
So for example, every time you buy something
from Amazon or anywhere online,
there's always the possibility that it's passed through their hands
and been replaced.
One technique I've heard of is that
they physically take off the computer's case
and plant a backdoor inside.
So if it's placed very close to the motherboard,
you won't find it even on inspection.
Let's talk about hardware implants.
This is BULLDOZER,
a hardware implant for the PCI bus.
It doesn't look like much, but it's pretty scary.
It interferes with the BIOS and System Management Mode.
It's also important that a variety of connections are used.
Long-range communications are shown:
INMARSAT, VSAT, NSA MEANS, Future Capabilities.
NSA MEANS probably really exists.
Future Capabilities is self-explanatory.
"This hardware implant
provides two-way RF communication."
Even if you disable all your WiFi cards,
they've already planted something undetectable
in your system.
This hardware backdoor
uses the I2C interface,
a technique that it seems nobody but the NSA would use.
So it was good for something, other than fan control...
But look. Again the name of an American company.
They knew about vulnerabilities in HP servers
and quietly exploited them.
IRONCHEF is one example of that.
I want to stress the involvement of American companies again and again.
I don't think this means European companies are of no use to them,
interests perhaps, I don't know...
But they go after American companies because of the home-field advantage.
And as an American who makes software and hardware devices myself,
it's not just that it makes me feel sick;
the real problem is
that I get seen as cut from the same cloth.
Even President Obama's advisory panel agrees with me
that the government's stockpiling of zero-day vulnerabilities
in American companies' products
should stop, except in cases of genuine importance
to society as a whole.
This is a flowchart of the actual process.
Otherwise known as the path you can't escape.
If you've ever seen an encrypted SMS
being sent from your phone... the recipient may be the NSA.
There's one more example.
If you're buying a mobile phone,
I recommend the Samsung SGH-X480C.
Apparently it's the best model for the NSA to attack
other people's mobile phones from. I don't know why.
They just add a backdoor
and send SMS from a standard mobile phone.
What you see from this attack process
is how easy it is.
Once they've broken into your phone,
they don't need any particularly special access.
Other people who've noticed
may be using this technique too.
Next is COTTONMOUTH, a USB hardware implant.
Der Spiegel has the details too.
Look at the red part.
It acts as a wireless bridge
and can load malicious software.
There are details.
This diagram explains the mechanism;
it takes a detour to overcome the air gap.
The GENIE standard written here and various other
program names are, like DROPOUTJEEP,
based on CHIMNEYPOOL.
There's a large number of programs with various capabilities
for attacking various targets.
Among the things derived from this, an interesting one
is the one inside a USB plug.
And this one: 50 for $200,000. That's cheap.
Did you like my message? Yes, $200,000.
Next, a chip that's good news
for anyone who owns an X-ray machine.
It says HOWLERMONKEY high-frequency transmitter.
What is HOWLERMONKEY?
Let's set that aside for the moment.
First, this uses Ethernet;
it's called FIREWALK.
It's placed inside the Ethernet controller.
Without having to do anything to the computer,
it can intervene directly in the packets on the network.
I put the details on Spiegel's website;
it's described as active attacks against packets
on the target network's Ethernet.
This is FLUXBABBITT, actual hardware
implanted in a Dell PowerEdge 2950.
It uses the JTAG debug interface.
Why do Dell servers leave this in?
It means leaving a vulnerability in place.
Deliberately, or by mistake?
I'd like Dell to fix this, or at least publish information
for dealing with this kind of APT attack.
We've come to see that everything America accuses China of,
America also does,
even against its own companies.
And it's never become a public issue.
In particular, many technical details were kept obscure
and couldn't be discussed.
And then HOWLERMONKEY.
This is an actual photo of the chip
the NSA implants in your package.
They open your mail and put these chips
into your computer.
FIREWALK is particularly important,
but it looks like a simple, ordinary part.
Anyone surprised?
Good to see not everyone here is a cynic.
Even that kind of guy must be surprised by now.
Anyone still not surprised?
Alright, let me blow your mind.
Now, everyone knows about TEMPEST, right?
It's a technique for extracting data from a computer
via electromagnetic emissions.
It's an old technique, so nobody's surprised by that.
So, what if I told you the NSA has techniques
specialized in radiating energy
at you and the computer systems
around you?
Would you think it's true, or the ravings of a madman?
How about it? Are you contrarians
unsurprised by anything? Raise your hand if you're not surprised.
Good. Far fewer hands than before...
One more. Wonderful.
This describes what they actually do.
When I told Julian Assange about this, he said,
"Hmm, people around Hugo Chávez are going to wonder
what caused his cancer."
I said, "I'd never thought about that. Come to think of it,
I can't find any data on the physical safety
of these devices. Did the NSA actually test
that irradiating a human at close range with one kilowatt of RF
is safe?"
Oh my God!
You still think it's a joke, so look at this.
This is a continuous-wave generator/detector.
The use is obvious.
The range is between 1 and 2 GHz, with the bandwidth adjustable
up to 45 MHz, output up to 2 watts with the internal amplifier
and up to 1 kilowatt with an external amplifier.
I'll give you a moment to take that in.
So, who's crazy now?
I'm told I've only got one minute left. I'll speed up.
This is an implant called RAGEMASTER,
part of a family of tools
called ANGRYNEIGHBOR...
This small device is a radar system,
embedded in the cable inside the monitor
to receive the signal.
It's not much different from the Great Seal bug (listening device)
Theremin built for the KGB.
So we've finally caught up with the KGB.
The continuous wave radiated from the transmitter
reflects off this chip,
letting them see the monitor's contents.
Here's the complete life cycle.
First they irradiate you, kill you with cancer,
and then you're... done?
This one works the same way, for keyboards;
you could call it a data retro-reflector.
One more, this is the TAWDRYYARD program,
a bit different in kind: it's a beacon.
A terrifying device,
probably for killing you with a drone.
Apparently it's sometimes used against microphones too.
And it says that since it's made of off-the-shelf parts,
it can't be traced to the NSA.
As long as this document never got published!
Happy hunting!
This is a "hunting" tool.
It's a tool used to finish the job
on a target's mobile phone location.
Now, who's still not surprised?
Good, finally nobody raised a hand...
...except for one person who must have misheard something...
Or maybe you're very smart.
Please push this research forward for us.
And if anyone here works at the NSA,
please leak more.
Herald: Thank you, Jake.
Unfortunately we've run out of time for Q&A.
Jacob: But there's a press conference.
The conference room is open,
so anyone with questions will be taken there.
Unless I've been assassinated by then, that is.
So, to close with a quote from Julian Assange...
"If anything happens to me, even if there's video or evidence,
it was murder."
Thank you.