English subtitles

noc test

Showing Revision 74 created 11/29/2016 by raven.

  1. Herald: Good morning to this last minute
    edition to our “Fahrplan” today.

  2. There will probably be time for a few
    minutes of Q&A in the end, so you can
  3. ask questions here or on IRC
    and Twitter via our Signal Angels.
  4. Please welcome Jake Appelbaum,
    independent journalist,
  5. for his talk
    “To Protect And Infect Part 2”.
  6. applause
  7. Jacob: Okay. Alright. Thanks so much
    for coming so early in the morning.
  8. Or maybe not so early in the morning
    for most of you apparently since
  9. you’ve all been up for more than an hour.
    But I’m gonna talk today a little bit
  10. about some things that we’ve heard about
    at the conference and I’m gonna talk a bit
  11. about some things that you have not
    probably ever heard about in your life and
  12. are even worse than your worst nightmares.
  13. So recently we heard a little bit about
    some of the low-end corporate spying
  14. that’s often billed as being sort of like
    the hottest, most important stuff, so the
  15. FinFisher, the HackingTeam, the VUPEN.
    And sort of in that order it becomes
  16. more sophisticated and more and more
    tied in with the National Security Agency.
  17. There are some Freedom of Information Act
    requests that have gone out that actually
  18. show VUPEN being an NSA contractor writing
    exploits, that there are some ties there.
  19. This sort of covers the… sort of…
    the whole gamut, I believe,
  20. which is that, you know you can buy these
    like little pieces of forensics hardware.
  21. And just as a sort of fun thing I bought
    some of those and then I looked at
  22. how they worked and I noticed that this
    ‘Mouse Jiggler’, you plug it in and
  23. the idea is that it like keeps your screen
    awake. So have any of you seen that
  24. at all? It’s a piece of forensics hardware
    so your screensaver doesn’t activate.
  25. So I showed it to one of the systemd
    developers, and now when you plug those
  26. into a Linux box that runs systemd,
    they automatically lock the screen
  27. when it sees the USB ID.
  28. So when people talk about Free Software,
    ‘free as in freedom’, that’s part of
  29. what they’re talking about. So there are
    some other things which I’m not going
  30. to really talk a lot about it because
    basically this is all bullshit that
  31. doesn’t really matter and we can defeat
    all of that. This is individualized things
  32. we can defend against. But I want
    to talk a little bit about how it’s
  33. not necessarily the case that because
    they’re not the most fantastic, they’re
  34. not the most sophisticated, that
    therefore we shouldn’t worry about it.
  35. This is Rafael. I met him when
    I was in Oslo in Norway
  36. for the Oslo Freedom Forum, and basically
    he asked me to look at his computer
  37. because he said, “You know, something
    seems to be wrong with it. I think that
  38. there’s something, you know,
    slowing it down.” And I said:
  39. “Well, I’m not going to find anything.
    I don’t have any tools. We are just
  40. going to like sit at the computer…”
    And I looked at it, and it has to be
  41. the lamest back door I’ve ever found. It
    was basically a very small program that
  42. would just run in a loop and take
    screenshots. And it failed to upload
  43. some of the screenshots, and so there were
    8 GB of screenshots in his home directory.
  44. laughter and applause
    And I said, “I’m sorry to break it to you
  45. but I think that you’ve been owned.
    And… by a complete idiot.”
  46. laughter
    And he, he, yeah, he was,
  47. he was really… actually, he felt really
    violated and then he told me what he does,
  48. which is he’s an investigative journalist
    who works with top secret documents
  49. all the time, with extreme, extreme
    operational security to protect
  50. his sources. But when it came to computing
    J[ournalism] school failed him.
  51. And as a result, he was compromised
    pretty badly. He was not using
  52. a specialized operating system like
    Tails, which if you’re a journalist
  53. and you’re not using Tails you should
    probably be using Tails unless
  54. you really know what you’re doing.
    Apple did a pretty good job at
  55. revoking this application, and it was, you
    know, in theory it stopped, but there are
  56. lots of samples from the same group
    and this group that did this is tied to
  57. a whole bunch of other attacks across
    the world, actually, which is why
  58. it’s connected up there with Operation
    Hangover. The scary thing, though, is that
  59. this summer, after we’d met, he was
    actually arrested relating to some
  60. of these things. And now, as
    I understand it, he’s out, but,
  61. you know, when you mess with a military
    dictatorship it messes with you back.
  62. So even though that’s one of the lamest
    backdoors, his life is under threat.
  63. So just simple things can cause serious,
    serious harm to regular people that are
  64. working for some kind of truth telling.
    And that to me is really a big part
  65. of my motivation for coming here to talk
    about what I’m going to talk about next,
  66. which is that for every person that we
    learn about like Rafael, I think there are
  67. lots of people we will never learn about,
    and that’s, to me that’s very scary,
  68. and I think we need to bring some
    transparency, and that’s what we’re
  69. going to talk about now. And I really want
    to emphasize this point. Even though
  70. they’re not technically impressive, they
    are actually still harmful, and that,
  71. that is really a key point to drive home.
    I mean, some of the back doors that
  72. I’ve seen are really not sophisticated,
    they’re not really that interesting, and
  73. in some cases they’re common off-the-shelf
    purchases between businesses,
  74. so it’s like business-to-business
    exploitation software development.
  75. I feel like that’s really kind of sad,
    and I also think we can change this.
  76. We can turn this around by exposing it.
    So, what’s it all about, though?
  77. Fundamentally it’s about control, baby,
    and that is what we’re going to get into.
  78. It’s not just about control of machines.
    What happened with Rafael is about
  79. control of people. And fundamentally
    when we talk about things like internet
  80. freedom and we talk about tactical
    surveillance and strategic surveillance,
  81. we’re talking about control of people
    through the machinery that they use.
  82. And this is a really, I think a really
    kind of – you know I’m trying
  83. to make you laugh a little bit because
    what I’m going to show you today
  84. is wrist-slitting depressing.
    So. Part 2, or Act 2 of Part 2.
  85. Basically the NSA, they want
    to be able to spy on you, and
  86. if they have 10 different options for
    spying on you that you know about,
  87. they have 13 ways of doing it and they
    do all 13. So that’s a pretty scary thing,
  88. and basically their goal is to have
    total surveillance of everything that
  89. they’re interested in. So there really
    is no boundary to what they want to do.
  90. There is only sometimes a boundary of
    what they are funded to be able to do and
  91. the amount of things they’re able to do at
    scale. They seem to just do those things
  92. without thinking too much about it. And
    there are specific tactical things
  93. where they have to target a group or an
    individual, and those things seem limited
  94. either by budgets or simply by their time.
    And as we have released today
  95. on Der Spiegel’s website, which it should
    be live – I just checked, it should be live
  96. for everyone here – we actually
    show a whole bunch of details
  97. about their budgets as well as the
    individuals involved with the NSA
  98. and the Tailored Access Operations group
    in terms of numbers. So it should give you
  99. a rough idea showing that there was a
    small period of time in which the internet
  100. was really free and we did not have people
    from the U.S. military that were watching
  101. over it and exploiting everyone on
    it, and now we see every year
  102. that the number of people who are hired to
    break into people’s computers as part of
  103. grand operations, those people are growing
    day by day, actually. In every year
  104. there are more and more people that are
    allocated, and we see this growth. So
  105. that’s the goal: non-attribution, and total
    surveillance, and they want to do it
  106. completely in the dark. The good
    news is that they can’t. So,
  107. now I’m going to show you a bit about it.
    But first, before I show you any pictures,
  108. I want to sort of give you the big picture
    from the top down. So there is
  109. a planetary strategic surveillance system,
    and there – well, there are many of them
  110. actually. Everything from I think
    off-planetary surveillance gear, which is
  111. probably the National Reconnaissance
    Office and their satellite systems
  112. for surveillance like the Keyhole
    satellites – these are all things most,
  113. for the most part we actually know about
    these things. They’re on Wikipedia.
  114. But I want to talk a little bit more about
    the internet side of things because
  115. I think that’s really fascinating. So
    part of what we are releasing today
  116. with ‘Der Spiegel’, or what has actually
    been released – just to be clear
  117. on the timeline, I’m not disclosing it
    first, I’m working as an independent
  118. journalist summarizing the work that we
    have already released onto the internet
  119. as part of a publication house that went
    through a very large editorial process
  120. in which we redacted all the names of
    agents and information about those names,
  121. including their phone numbers
    and e-mail addresses.
  122. applause
  123. And I should say that I actually think
    that the laws here are wrong,
  124. because they are in favor of
    an oppressor who is criminal.
  125. So when we redact the names of people who
    are engaged in criminal activity including
  126. drone murder, we are actually not doing
    the right thing, but I believe that
  127. we should comply with the law in order
    to continue to publish, and I think
  128. that’s very important.
  129. We also redacted the names of
    victims of NSA surveillance,
  130. because we think that there’s a balance.
    Unfortunately there is a serious problem
  131. which is that the U.S. government asserts
    that you don’t have standing to prove
  132. that you’ve been surveilled unless
    we release that kind of information,
  133. but we don’t want to release that kind
    of information in case it could be
  134. a legitimate target, and we – I’m really
    uncomfortable with that term, but let’s
  135. say that there is a legitimate target, the
    most legitimate target, and we didn’t want
  136. to make that decision. But we
    did also want to make sure
  137. that we didn’t harm someone, but we
    also wanted to show concrete examples.
  138. So if you look at the ‘Spiegel’ stuff online,
    we redacted the names even of those
  139. who were victimized by the NSA’s
    oppressive tactics, which I think
  140. actually goes further than is necessary,
    but I believe that it strikes
  141. the right balance to ensure continued
    publication and also to make sure
  142. that people are not harmed and that
    legitimate good things, however rare
  143. they may be, they are also not harmed.
    So if you’ve been targeted by the NSA
  144. and you would have found out today
    if we had taken a different decision,
  145. I’m really sorry, but this is the thing
    I think that keeps us alive,
  146. so this is the choice that I think is the
    right choice, and I think it’s also
  147. the safest choice for everyone.
    So that said, basically the NSA has
  148. a giant dragnet surveillance system that
    they call TURMOIL. TURMOIL is a passive
  149. interception system. That passive
    interception system essentially spans
  150. the whole planet. Who here has heard
    about the Merkel phone incident?
  151. Some of you heard about Chancellor Merkel?
    So we revealed that in ‘Der Spiegel’, and
  152. what we found was that they tasked her
    for surveillance. And I’ll talk a little bit
  153. about that later. But basically the way
    that this works is that they have this
  154. huge passive set of sensors; and any data
    that flows past it, they actually look at it.
  155. So there was a time in the past where
    surveillance meant looking at anything
  156. at all. And now the NSA tries
    to basically twist the words
  157. of every person who speaks whatever
    language they’re speaking in, and they
  158. try to say that it’s only surveillance
    if after they collect it and record it
  159. to a database, and analyze it with
    machines, only if – I think – an NSA agent
  160. basically looks at it
    personally and then clicks
  161. “I have looked at this” do
    they call it surveillance.
  162. Fundamentally I really object to that
    because if I ran a TURMOIL collection
  163. system – that is passive signals
    intelligence systems collecting data
  164. from the whole planet, everywhere they
    possibly can – I would go to prison
  165. for the rest of my life.
    That’s the balance, right?
  166. Jefferson talks about this. He says, you
    know, “That which the government
  167. is allowed to do but you are not, this is
    a tyranny.” There are some exceptions
  168. to that, but the CFAA in the United
    States, the Computer Fraud and Abuse Act,
  169. you know, it’s so draconian
    for regular people,
  170. and the NSA gets to do something like
    intercepting 7 billion people all day long
  171. with no problems, and the rest of us
    are not even allowed to experiment
  172. for improving the security of our own
    lives without being put in prison
  173. or under threat of serious indictment, and
    that I think is a really important point.
  174. So the TURMOIL system is a surveillance
    system, and it is a dragnet surveillance
  175. system that is a general warrant dragnet
    surveillance if there ever was one.
  176. And now we shot the British over this when
    we started our revolution. We called them
  177. “general writs of assistance.” These
    were generalized warrants which
  178. we considered to be a tyranny. And
    TURMOIL is the digital version of a
  179. general writ of assistance system. And
    the general writ of assistance itself,
  180. it’s not clear if it even exists, because
    it’s not clear to me that a judge
  181. would understand
    anything that I just said.
  182. applause
  183. Okay, so now we’re gonna get scary.
    So that’s just the passive stuff.
  184. There exists another system that’s called
    TURBINE, and we revealed about this system
  185. in the ‘Spiegel’ publications
    today as well. So if TURMOIL
  186. is deep packet inspection, then
    TURBINE is deep packet injection.
  187. And it is the system that combined
    together with a thing…
  188. – with TURMOIL and TURBINE you can create
    a platform which they have consolidated
  189. which they call QFIRE. QFIRE is
    essentially a way to programmatically
  190. look at things that flow across the
    internet that they see with TURMOIL
  191. and then using TURBINE they’re able to
    actually inject packets to try to do attacks,
  192. and I’ll describe some of those attacks
    in detail in a moment. But essentially
  193. the interesting thing about QFIRE also
    is that they have a thing that’s called
  194. a diode. So if you have for
    example a large number
  195. of systems where you control them, you
    might say: “Hey, what are you doing
  196. on that backbone?”, “Hey, what’s going on
    with these systems?” And they could say,
  197. well, you know, we paid for access, we’re
    doing this, it’s all legal, etcetera.
  198. QFIRE has this really neat little detail
    which is that they compromise
  199. other people’s routers and then redirect
    through them so that they can beat
  200. the speed of light. And how
    they do that is that they have
  201. a passive sensor that’s nearby,
    a thing that they can inject from.
  202. And when they see that that thing sees
    a selector that is interesting to them
  203. or is doing a thing that they would like
    to tamper with in some way, then they
  204. take a packet, they encapsulate the
    packet, they send it to the diode,
  205. which might be your home router
    potentially, and then that home router
  206. decapsulates that packet and sends it out.
    And because that is very close to you,
  207. and let’s say you’re visiting Yahoo, then
    the Yahoo packet will not beat you.
  208. That is, they will not beat the NSA
    or GCHQ. So it’s a race condition.
  209. And so they basically are able to
    control this whole system and then
  210. to localize attacks in that
    process. So that’s a pretty –
  211. pretty scary stuff, actually. And while it
    is a digital thing, I think it’s important
  212. to understand that this is what Jefferson
    talked about when he talked about tyranny.
  213. This is turnkey tyranny, and it’s not that
    it’s coming, it’s actually here. It’s just
  214. merely the question about whether or not
    they’ll use it in a way that we think is
  215. a good way or not a good way. One
    of the scariest parts about this is that
  216. for this system or these sets of systems
    to exist, we have been kept vulnerable.
  217. So it is the case that if the Chinese,
    if the Russians, if people here
  218. wish to build this system, there’s nothing
    that stops them. And in fact the NSA has
  219. in a literal sense retarded the process
    by which we would secure the internet
  220. because it establishes a hegemony
    of power, their power in secret,
  221. to do these things. And in fact I’ve seen
    evidence that shows that there are so many
  222. compromises taking place between the
    different Five Eyes signals intelligence
  223. groups that they actually have lists that
    explain, “If you see this back door
  224. on the system, contact a friendly agency.
    You’ve just recompromised the machine
  225. of another person.” So
    when we talk about this,
  226. we have to consider that this is
    designed for at-scale exploitation.
  227. And as far as I can tell it’s being
    used for at-scale exploitation.
  228. Which is not really in my mind a
    targeted particularized type of thing,
  229. but rather it’s fishing operations.
    It’s fishing expeditions. It’s
  230. more like fishing crusades, if you will.
    And in some cases, looking at the evidence
  231. that seems to be what it is. Targeting
    Muslims, I might add. Because that’s
  232. what they’re interested in doing.
    So that said, that’s the internet,
  233. and we get all the way down to the bottom
    and we get to the Close Access Operations
  234. and Off-Net. Off-Net and Close Access
    Operations are pretty scary things,
  235. but basically this is what we would call a
    black bag job. That’s where these guys,
  236. they break into your house, they put
    something in your computer and
  237. they take other things out of your
    computer. Here’s an example.
  238. First top secret document
    of the talk so far.
  239. This is a Close Access Operations box.
  240. It is basically car
    metasploit for the NSA,
  241. which is an interesting thing. But
    basically they say that the attack is
  242. undetectable, and it’s sadly
    a laptop running free software.
  243. It is injecting packets. And they say that
    they can do this from as far away as
  244. 8 miles to inject packets, so presumably
    using this they’re able to exploit
  245. a kernel vulnerability of some kind,
    parsing the wireless frames, and, yeah.
  246. I’ve heard that they actually put this
    hardware, from sources inside of the NSA
  247. and inside of other
    intelligence agencies, that
  248. they actually put this type of hardware on
    drones so that they fly them over areas
  249. that they’re interested in and they
    do mass exploitation of people.
  250. Now, we don’t have a document
    that substantiates that part, but
  251. we do have this document that actually
    claims that they’ve done it from up to
  252. 8 miles away. So that’s a really
    interesting thing because it tells us
  253. that they understand that common wireless
    cards, probably running Microsoft Windows,
  254. which is an American company, that they
    know about vulnerabilities and they
  255. keep them a secret to use them. This is
    part of a constant theme of sabotaging
  256. and undermining American companies and
    American ingenuity. As an American,
  257. while generally not a nationalist, I find
    this disgusting, especially as someone
  258. who writes free software and would
    like my tax dollars to be spent
  259. on improving these things. And when they
    know about them I don’t want them
  260. to keep them a secret because
    all of us are vulnerable.
  261. It’s a really scary thing.
  262. applause
  263. And it just so happens that at my house,
    myself and many of my friends,
  264. when we use wireless devices
    – Andy knows what I’m talking about,
  265. a few other people here –
    all the time we have errors
  266. in certain machines which are set up at
    the house, in some cases as a honey pot
  267. – thanks, guys – where kernel
    panic after kernel panic,
  268. exactly in the receive handler of the
    Linux kernel where you would expect
  269. this specific type of thing to take place.
    So I think that if we talk about
  270. the war coming home, we probably will
    find that this is not just used in places
  271. where there’s a literal war on but where
    they decide that it would be useful,
  272. including just parking outside your house.
    Now I only have an hour today,
  273. so I’m gonna have to go through some
    other stuff pretty quickly. I want to make
  274. a couple of points clear. This wasn’t
    clear, even though it was written
  275. in the New York Times by my dear friend
    Laura Poitras, who is totally fantastic
  276. by the way, and… you are great.
    But 15 years of data retention –
  277. applause
  278. So the NSA has 15 years
    of data retention.
  279. It’s a really important point to
    drive home. I joked with Laura
  280. when she wrote the New York Times article
    with James Risen, she should do the math
  281. for other people and say “15 years”. She
    said: “They can do the math on their own,
  282. I believe in them”. I just wanna do the
    math for you. 15 years, that’s scary!
  283. I don’t ever remember voting on that,
    I don’t ever remember even having
  284. a public debate about it. And that
    includes content as well as metadata.
  285. So they use this metadata. They search
    through this metadata retroactively.
  286. They do what’s called ‘tasking’, that is,
    they find a set of selectors – so that’s
  287. a set of unique identifiers, e-mail
    addresses, cookies, MAC addresses, IMEIs…
  288. whatever is useful. Voice prints
    potentially, depending on the system.
  289. And then they basically
    task those selectors
  290. for specific activities. So that ties
    together with some of the attacks
  291. which I’ll talk about, but essentially
    QUANTUMINSERTION and things that are
  292. like QUANTUMINSERTION, they’re triggered
    as part of the TURMOIL and TURBINE system
  293. and the QFIRE system, and they’re all put
    together so that they can automate
  294. attacking people based on the plain
    text traffic that transits the internet
  295. or based on the source or
    destination IP addresses.
  296. This is a second top secret document.
  297. This is an actual NSA lolcat
  298. for the QUANTUMTHEORY program.
  299. applause
  300. You’ll notice it’s a black cat, hiding. Okay.
  301. So there are a few people in the audience
    that are still not terrified enough, and
  302. there are a few people that as part
    of their process for coping with
  303. this horrible world that we have found
    ourselves in, they will say the following:
  304. “There’s no way they’ll ever find me. I’m
    not interesting.” So I just want to dispel
  305. that notion and show you a little bit
    about how they do that. So we mentioned
  306. TURMOIL, which is the dragnet surveillance,
    and TURBINE, which is deep packet injection,
  307. and QFIRE, where we tie it all together,
    and this is an example of something which
  308. I think actually demonstrates a crime but
    I’m not sure, I’m not a lawyer, I’m
  309. definitely not your lawyer, and I’m
    certainly not the NSA’s lawyer.
  310. But this is the MARINA system. This is
    merely one of many systems where they
  311. actually have full content as well as
    metadata. Taken together, they do
  312. contact chaining, where they find out you
    guys are all in the same room with me
  313. – which reminds me, let’s
    see, I’ve got this phone…
  314. Okay. That’s good. Let’s
    turn that on. So now…
  315. laughter
    You’re welcome.
  316. laughter
    You have no idea!
  317. laughter
    But I just wanted to make sure that
  318. if there was any question about whether
    or not you are exempt from needing to do
  319. something about this,
    that that is dispelled.
  320. applause
  321. Okay? Cell phone’s on.
    Great. So. Hey, guys!
  322. laughter
    So, the MARINA system is a
  323. contact chaining system as well as a
    system that has data, and in this case
  324. what we see is in fact reverse contact
    and forward contact graphing. So,
  325. any lawyers in the audience? If there
    are American citizens in this database,
  326. is reverse targeting like this illegal?
    Generally? Is it possible that that
  327. could be considered illegal?
    Someone from audience mumbling
  328. Yeah, so, interesting. If it’s called
    reverse contacts instead of
  329. reverse targeting – yeah, exactly.
    So, you’ll also notice the,
  330. on the right-hand side, webcam photos.
  331. So, just in case you’re wondering,
    in this case this particular target,
  332. I suppose that he did not or
    she did not have a webcam.
  333. Good for them. If not, you should follow
    the EFF’s advice and you should put
  334. a little sticker over your webcam. But
    you’ll also note that they try to find
  335. equivalent identifiers. So every time
    there’s a linkable identifier that you
  336. have on the internet, they try to put that
    and tie it together and contact chain it,
  337. and they try to show who you are among all
    of these different potential identifiers –
  338. if you have 5 e-mail addresses, they would
    link them together – and then they try
  339. to find out who all your friends are.
    You’ll also note at the bottom here,
  340. logins and passwords. So they’re
    also doing dragnet surveillance
  341. in which they extract – the feature set
    extraction where they know semantically
  342. what a login and a password is in a
    particular protocol. And in this case
  343. this guy is lucky, I suppose, and they
    were not able to get passwords or webcam,
  344. but you’ll note that they were able to get
    his contacts and they were able to see
  345. in fact 29, give or take,
    received messages as well,
  346. of which there are these things. Now in
    this case we have redacted the e-mail
  347. and instant messenger information,
    but this is an example of how
  348. laughs
    you can’t hide from these things, and
  349. thinking that they won’t find you
    is a fallacy. So this is basically
  350. the difference between taking one wire and
    clipping onto it in a particularized
  351. suspicious way where they’re really
    interested, they have a particularized
  352. suspicion, they think that someone is a
    criminal, they think someone has taken
  353. some serious steps that are illegal, and
    instead what they do is they put all of us
  354. under surveillance, record all of this
    data that they possibly can, and then
  355. they go looking through it. Now
    in the case of Chancellor Merkel,
  356. when we revealed NSRL 2002-388,
    what we showed was that
  357. they were spying on Merkel. And by their
    own admission 3 hops away, that’s everyone
  358. in the German Parliament
    and everyone here.
  359. So that’s pretty serious stuff. It also
    happens that if you should be visiting
  360. certain websites, especially if you’re
    a Muslim, it is the case that you can be
  361. attacked automatically by this system.
    Right? So that would mean that
  362. they would automatically start to break
    into systems. That’s what they would call
  363. ‘untasked targeting’. Interesting idea
    that they call that targeted surveillance.
  364. To me that doesn’t really sound too
    much like targeted surveillance unless
  365. what you mean by carpet bombing, it – you
    know, I mean it just – you know, like… it
  366. just doesn’t… it doesn’t strike me right.
    It’s not my real definition of ‘targeted’.
  367. It’s not well defined. It’s not that a
    judge has said, “Yes, this person is
  368. clearly someone we should target.” Quite
    the opposite. This is something where
  369. some guy who has a system has decided to
    deploy it and they do it however they like
  370. whenever they would like. And while there
    are some restrictions, it’s clear that
  371. the details about these programs do not
    trickle up. And even if they do, they
  372. do not trickle up in a useful way. So
    this is important, because members
  373. of the U.S. Congress, they have no clue
    about these things. Literally, in the case
  374. of the technology. Ask a Congressman
    about TCP/IP. Forget it.
  375. You can’t even get a meeting with them.
    I’ve tried. Doesn’t matter. Even if you
  376. know the secret interpretation of Section
    215 of the Patriot Act and you go
  377. to Washington, D.C. and you meet with
    their aides, they still won’t talk to you
  378. about it. Part of that is because they
    don’t have a clue, and another part of it
  379. is because they can’t talk about it,
    because they don’t have a political solution.
  380. Absent a political solution, it’s very
    difficult to get someone to admit that
  381. there is a problem. Well, there is a
    problem, so we’re going to create
  382. a political problem and also talk
    about some of the solutions.
  383. The Cypherpunks generally have
    come up with some of the solutions
  384. when we talk about encrypting the entire
    internet. That would end dragnet mass
  385. surveillance in a sense, but it will
    come back in a different sense
  386. even with encryption. We need both
    a marriage of a technical solution
  387. and we need a political solution
    to go with it, and if we don’t have
  388. those 2 things, we will unfortunately be
    stuck here. But at the moment the NSA,
  389. basically, I feel, has more power than
    anyone in the entire world – any one
  390. agency or any one person. So Emperor
    Alexander, the head of the NSA, really has
  391. a lot of power. If they want to right now,
    they’ll know that the IMEI of this phone
  392. is interesting. It’s very warm, which is
    another funny thing, and they would be

  393. able to break into this phone almost
    certainly and then turn on the microphone,
  394. and all without a court.
    So that to me is really scary.
  395. And I especially dislike the fact that
    if you were to be building these
  396. types of things, they treat you as an
    opponent, if you wish to be able to
  397. fulfill the promises that you make to your
    customers. And as someone who writes
  398. security software
    I think that’s bullshit.
  399. So. Here’s how they do a bit of it.
    So there are different programs.
  401. and QUANTUMINSERT. You’ve heard of a few
    of them. I’ll just go through them real quick.
  402. QUANTUMTHEORY essentially has
    a whole arsenal of zero-day exploits.
  403. Then the system deploys what’s called
    a SMOTH, or a seasoned moth.
  404. And a seasoned moth is an
    implant which dies after 30 days.
  405. So I think that these guys either took a
    lot of acid or read a lot of Philip K. Dick,
  406. potentially both!
  407. And they thought Philip K. Dick
    wasn’t dystopian enough.
  408. “Let’s get better at this”.
    And after reading VALIS, I guess,
  409. they went on, and they also have
    as part of QUANTUMNATION
  410. what’s called VALIDATOR or COMMONDEER.
    Now these are first-stage payloads
  411. that are done entirely in memory.
    These exploits essentially are where they
  412. look around to see if you have what are
    called PSPs, and this is to see, like,
  413. you know, if you have Tripwire, if you
    have AIDE, if you have some sort of
  414. system tool that will detect if an
    attacker is tampering with files or
  415. something like this, like
    a host intrusion detection system.
  416. So VALIDATOR and COMMONDEER, which,
    I mean, clearly the point of COMMONDEER,
  417. while it’s misspelled here – it’s not
    actually… I mean that’s the name
  418. of the program… but the point is to make
    a pun on commandeering your machine. So,
  419. you know, when I think about the U.S.
    Constitution in particular, we talk about
  420. not allowing the quartering of
    soldiers – and, gosh, you know?
  421. Commandeering my computer sounds
    a lot like a digital version of that, and
  422. I find that’s a little bit confusing, and
    mostly in that I don’t understand
  423. how they get away with it. But part of it
    is because until right now we didn’t know
  424. about it, in public, which is why we’re
    releasing this in the public interest,
  425. so that we can have a better debate
    about whether or not that counts, in fact,
  426. as a part of this type of what I would
    consider to be tyranny, or perhaps
  427. you think it is a measured and reasonable
    thing. I somehow doubt that. But
  428. in any case, QUANTUMBOT is where
    they hijack IRC bots, because why not?
  429. They thought they would like to do
    that, and an interesting point is that
  430. they could in theory stop a lot
    of these botnet attacks and
  431. they have decided to maintain that
    capability, but they’re not yet doing it
  432. except when they feel like doing it for
    experiments or when they do it to
  433. potentially use them. It’s not clear
    exactly how they use them. But
  434. the mere fact of the matter is that that
    suggests they’re even in fact able to do
  435. these types of attacks, they’ve tested
    these types of attacks against botnets.
  436. And that’s the program you should FOIA
    for. We’ve released a little bit of detail
  437. about that today as well. And
    QUANTUMCOPPER to me is really scary.
  438. It’s essentially a thing that can
    interfere with TCP/IP and it can do things
  439. like corrupt file downloads. So if you
    imagine the Great Firewall of China,
  440. so-called – that’s for the whole planet.
  441. So if the NSA wanted to tomorrow, they
    could kill every anonymity system
  442. that exists by just forcing everyone who
    connects to an anonymity system to reset
  443. just the same way that the Chinese do
    right now in China with the Great Firewall
  444. of China. So that’s like the NSA builds
    the equivalent of the Great Firewall
  445. of Earth. That’s, to me that’s
    a really scary, heavy-handed thing,
  446. and I’m sure they only use it for good.
    clears throat
  447. But, yeah. Back here in reality that to
    me is a really scary thing, especially
  448. because one of the ways that they are able
    to have this capability, as I mentioned,
  449. is these diodes. So what that suggests
    is that they actually repurpose
  450. other people’s machines in order to
    reposition and to gain a capability
  451. inside of an area where they actually
    have no legitimacy inside of that area.
  452. That to me suggests it is not only
    heavy-handed, that they have probably some
  453. tools to do that. You see where I’m going
    with this. Well, QUANTUMINSERTION,
  454. this is also an important point, because
    this is what was used against Belgacom,
  455. this is what’s used by a whole number of
    unfortunately players in the game where
  456. basically what they do is they inject
    a packet. So you have a TCP connection,
  457. Alice wants to talk to Bob, and for some
    reason Alice and Bob have not heard
  458. about TLS. Alice sends an HTTP
    request to Bob. Bob is Yahoo.
  459. NSA loves Yahoo. And basically they
    inject a packet which will get to Alice
  460. before Yahoo is able to respond, right?
    And the thing is that if that was a
  461. TLS connection, the man-on-the-side
    attack would not succeed.
  462. That’s really key. If they were using TLS,
    the man-on-the-side attack could at best,
  463. as far as we understand it at the moment,
    they could tear down the TLS session but
  464. they couldn’t actually actively inject.
    So that’s a man-on-the-side attack.
  465. We can end that attack with TLS.
    When we deploy TLS everywhere
  466. then we will end that kind of attack. So
    there was a joke, you know, when you
  467. download .mp3s, you ride with communism
    – from the ’90s, some of you may
  468. remember this. When you bareback with
    the internet, you ride with the NSA.
  469. applause
  470. Or you’re getting a ride, going for
    a ride. So the TAO infrastructure,
  471. Tailored Access and Operations. Some
    of the FOXACID URLs are public.
  472. FOXACID is essentially like a watering
    hole type of attack where you go to,
  473. you go to a URL. QUANTUMINSERT
    puts like an iframe or puts some code
  474. in your web browser, which you then
    execute, which then causes you to
  475. load resources. One of the resources that
    you load while you’re loading,
  476. for example, which is one of their
    examples, they – you like that, by the way?
  477. So, you know, that’s an extremist site. So
  478. you might have heard about that. A lot of
    Republicans in the United States read it.
  479. So – right before they wage
    illegal imperialist wars. So,
  480. the point is that you go to a FOXACID
    server and it basically does a survey
  481. of your box and decides if it can break
    into it or not, and then it does.
  482. Yep, that’s basically it. And the FOXACID
    URLs, a few of them are public.
  483. Some of the details about that have been
    made public, about how the structure
  484. of the URLs are laid out and so on.
    An important detail is that they pretend
  485. that they’re Apache, but they actually
    do a really bad job. So they’re
  486. like Hacking Team, maybe it’s the same
    guys, I doubt it though, the NSA wouldn’t
  487. slum with scumbags like that, but…
    Basically you can tell, you can find them,
  488. because they aren’t really Apache servers.
    They pretend to be, something else.
  489. The other thing is that none of their
    infrastructure is in the United States.
  490. So, real quick anonymity question. You
    have a set of things and you know that
  491. a particular attacker never comes from one
    place. Every country on the planet
  492. potentially, but never one place. The
    one place where most of the internet is.
  493. What does that tell you in terms of
    anonymity? It tells you usually that
  494. they’re hiding something about that one
    place. Maybe there’s a legal requirement
  495. for this. It’s not clear to me. But what
    is totally clear to me is that if you see
  496. this type of infrastructure and it is not
    in the United States, there is a chance,
  497. especially today, that it’s the NSA’s
    Tailored Access and Operations division.
  498. And here’s an important point. When the
    NSA can’t do it, they bring in GCHQ.
  499. So, for example, for targeting certain
    Gmail selectors, they can’t do it.
  500. And in the documents we released today,
    we show that they say: “If you have
  501. a partner agreement form and you need to
    target, there are some additional selectors
  502. that become available should you
    need them”. So when we have a limit
  503. of an intelligence agency in the United
    States, or here in Germany or
  504. something like this, we have to recognize
    that information is a currency
  505. in an unregulated market. And these
    guys, they trade that information, and
  506. one of the ways they trade that is like
    this. And they love Yahoo.
  507. So, little breather?
  508. It’s always good to make fun of
    the GCHQ with Austin Powers!
  509. laughter
    Okay. Another classified document here.
  510. That’s actual NSA OpenOffice or PowerPoint
    clip art of their horrible headquarters
  511. that you see in every news story, I can’t
    wait to see a different photo of the NSA
  512. someday. But you’ll notice right here they
    explain how QUANTUM works. Now SSO is
  513. a Special Source Operations site. So
    you’ve seen U.S. embassies? Usually
  514. the U.S. embassy has dielectric panels on
    the roof, that’s what we showed in Berlin,
  515. it was called “DAS NEST” on the cover
    of ‘Der Spiegel’. That’s an SSO site.
  516. So they see that this type of stuff is
    taking place, they do an injection and
  517. they try to beat the Yahoo packet back.
    Now another interesting point is
  518. that for the Yahoo packet to be beaten,
    the NSA must impersonate Yahoo.
  519. This is a really important detail because
    what it tells us is that they are
  520. essentially conscripting Yahoo and saying
    that they are Yahoo. So they are
  521. impersonating a U.S. company
    to a U.S. company user
  522. and they are not actually supposed
    to be in this conversation at all.
  523. And when they do it, then they of course
    – basically if you’re using Yahoo,
  524. you’re definitely going to get owned. So
    – and I don’t just mean that in that
  525. Yahoo is vulnerable, they are, but
    I mean people that use Yahoo tend to
  526. – maybe it’s a bad generalization,
    but, you know – they’re not the most
  527. security-conscious people on the planet,
    they don’t keep their computers up to date,
  528. I’m guessing, and that’s probably why
    they love Yahoo so much. They also love
  529., which is some other… I don’t know
    what that says, it’s like a sociological
  530. study of compromise. But that’s an
    important detail. So the SSO site sniffs
  531. and then they do some injection, they
    redirect you to FOXACID. That’s for
  532. web browser exploitation. They obviously
    have other exploitation techniques.
  533. Okay. So now. We all know
    that cellphones are vulnerable.
  534. Here’s an example. This is a base station
  535. that the NSA has that, I think it’s the
    first time ever anyone’s ever revealed
  536. an NSA IMSI catcher. So, here it is.
    Well, actually the second time, because
  537. ‘Der Spiegel’ did it this morning.
    But you know what I mean.
  538. applause
  539. So they call it ‘Find, Fix and
    Finish targeted handset users’.
  540. Now it’s really important to understand
    when they say “targeting” you would think
  541. ‘massive collection’, right? Because what
    are they doing? They’re pretending to be
  542. a base station. They want to overpower.
    They want to basically be the phone
  543. that you connect to… or the phone system
    that you connect to. And that means
  544. lots of people are going to connect
    potentially. So it’s not just one
  545. targeted user. So hopefully they have it
    set up so that if you need to dial 911,
  546. or here in Europe 112 – you know,
    by the way, if you ever want to find
  547. one of these things try to call different
    emergency numbers and note which ones
  548. route where. Just as a little detail.
    Also note that sometimes if you go
  549. to the Ecuadorian embassy you will receive
    a welcome message from Uganda Telecom.
  550. Because the British when they deployed
    the IMSI catcher against Julian Assange
  551. at the Ecuadorian embassy made the mistake
    of not reconfiguring the spy gear they [had]
  552. deployed in Uganda [before]
    when they deployed in London.
  553. applause
  554. And this can be yours
    for only US$ 175.800.
  555. And this covers GSM and PCS and
    DCS and a bunch of other stuff.
  556. So basically if you use a cell phone
    – forget it. It doesn’t matter
  557. what you’re doing. The exception may
    be CryptoPhone and RedPhone. In fact
  558. I’d like to just give a shoutout to the
    people who work on free software, and
  559. software which is actually secure. Like
    Moxie Marlinspike – I’m so sorry I mention
  560. your name in my talk, but don’t worry,
    your silence won’t protect you!
  561. I think it’s really important to know
    Moxie is one of the very few people
  562. in the world who builds technologies that
    is both free and open source, and
  563. as far as I can tell he refuses to do
    anything awful. No backdoors or anything.
  564. And from what I can tell this proves
    that we need things like that.
  565. This is absolutely necessary because they
    replace the infrastructure we connect to.
  566. It’s like replacing the road that we would
    walk on, and adding tons of spy gear.
  567. And they do that too,
    we’ll get to that. Okay.
  568. So I’m gonna go a little quick through
    these because I think it’s better that you
  569. go online and you adjust. And I wanna
    have a little bit of time for questions.
  570. But basically here’s an example of how
    even if you disable a thing the thing is
  571. not really disabled. So if you have a WiFi
    card in your computer the SOMBERKNAVE
  572. program, which is another classified
    document here, they basically repurpose
  573. your WiFi gear. They say: “You’re not
    using that WiFi card? We’re gonna scan
  574. for WiFi nearby, we’re gonna exfiltrate
    data by finding an open WiFi network
  575. and we’re gonna jump on it”. So
    they’re actually using other people’s
  576. wireless networks in addition to having
    this stuff in your computer. And this is
  577. one of the ways they beat a so-called
    air-gapped target computer.
  578. Okay, so here’s some of the software
    implants. Now we’re gonna name a bunch
  579. of companies because – fuck those guys
    basically, for collaborating when they do,
  580. and fuck them for leaving us
    vulnerable when they do.
  581. applause
  582. And I mean that in the most loving way
    because some of them are victims, actually.
  583. It’s important to note that we don’t
    yet understand which is which.
  584. So it’s important to name them, so that
    they have to go on record, and so that
  585. they can say where they are, and so
    that they can give us enough rope
  586. to hang themselves. I really want that to
    happen because I think it’s important
  587. to find out who collaborated and who
    didn’t collaborate. In order to have truth
  588. and reconciliation we need to start with
    a little of truth. So STUCCOMONTANA
  589. is basically BadBIOS if you guys have
    heard about that. I feel very bad
  590. for Dragos, he doesn’t really talk to me
    right now. I think he might be kinda mad.
  591. But after I was detained – by the
    US Army on US soil, I might add –
  592. they took a phone from me. Now it
    shouldn’t matter but it did. They also
  593. I think went after all my phone records so
    they didn’t need to take the phone. But
  594. for good measure, they just wanted
    to try to intimidate me which is exactly
  595. the wrong thing to do to me. But as he
    told the story after that happened
  596. all of his computers including his Xbox
    were compromised. And he says
  597. even to this day that some of those things
    persist. And he talks about the BIOS.
  598. Here’s a document that shows clearly
    that they actually re-flash the BIOS
  599. and they also have other techniques
    including System Management Mode
  600. related rootkits and that they have
    persistence inside of the BIOS.
  601. It’s an incredibly important point. This
    is evidence that the thing that Dragos
  602. talked about, maybe he doesn’t
    have it, but it really does exist.
  603. Now the question is how would he find it?
    We don’t have the forensics tools yet.
  604. We don’t really have the capabilities
    widely deployed in the community
  605. to be able to know that, and to be
    able to find it. Here’s another one.
  606. This one’s called SWAP. In this case it
    replaces the Host Protected Area
  607. of the hard drive, and you can see a
    little graph where there’s target systems,
  608. you see the internet, Interactive OPS, so
    they’ve got like a guy who is hacking you
  609. in real time, the People’s
    Liberation Army… uh, NSA! And…
  610. laughter
    And you can see all of these different
  611. things about it. Each one of these things,
    including SNEAKERNET, these are
  612. different programs, most of which we
    revealed today in ‘Der Spiegel’.
  613. But you’ll notice that it’s Windows,
    Linux, FreeBSD and Solaris.
  614. How many Al Qaeda people
    use Solaris, do you suppose?
  615. This tells you a really important point.
    They are interested in compromising
  616. the infrastructure of systems,
    not just individual people.
  617. They want to take control and
    literally colonize those systems
  618. with these implants. And that’s not part
    of the discussion. People are not talking
  619. about that because they don’t know about
    that yet. But they should. Because
  620. in addition to the fact that Sun is a U.S.
    company which they are building
  621. capabilities against – that to me, really,
    it really bothers me; I can’t tell you
  622. how much that bothers me – we also
    see that they’re attacking Microsoft,
  623. another U.S. company, and Linux and
    FreeBSD, where there are a lot of people
  624. that are building it from all around the
    world. So they’re attacking not only
  625. collective efforts and corporate
    efforts, but basically every option
  626. you possibly can, from end users
    down to telecom core things.
  627. Here’s another one, DEITYBOUNCE.
    This is for Dell,
  628. so Dell PowerEdge 1850,
    2850, 1950, 2950…
  629. RAID servers using any of the
    following BIOS versions. Right?
  630. So just in case you’re wondering, hey
    Dell, why is that? Curious about that.
  631. Love to hear your statements about it.
    So if you write YARA sigs [signatures]
  632. and you’re interested in looking
    for NSA malware, look for things
  633. that use RC6, so look for the constants
    that you might find in RC6.
  634. And when they run, if they emit UDP
    traffic – we’ve actually seen a sample
  635. of this but we were not able
    to capture it, sadly, but
  636. emitting UDP traffic that is encrypted.
    You know, people that I’ve worked with
  637. on things related to this, they’ve even,
    they’ve had their house black bagged.
  638. They’ve had pretty bad stuff happen
    to them. That’s their story to tell.
  639. But one of the interesting details is
    that after those events occurred,
  640. these types of things were seen. Ben
    has a really bad idea for those guys,
  641. I might add, because I wouldn’t have put
    this slide in if that had not occurred.
  642. But if you want to look for it, you’ll
    find it. I know some people that have
  643. looked with YARA sigs and they have
    in fact found things related to this,
  644. so I suspect a lot of malware researchers
    in the near future are going to have
  645. a lot of stuff to say about this
    particular slide. I’ll leave that to them.
  646. I think it’s very important to go looking
    for these things, especially to find out
  647. who is victimized by them. Here’s an
    iPhone back door.
  648. So DROPOUTJEEP, so
    you can see it right there.
  649. So, SMS, contact list retrieval,
    voicemail, hot microphone,
  650. camera capture, cell tower location. Cool.
    Do you think Apple helped them with that?
  651. I don’t know. I hope Apple will clarify
    that. I think it’s really important
  652. that Apple doesn’t. Here’s
    a problem. I don’t really believe
  653. that Apple didn’t help them. I can’t
    prove it yet, but they literally claim
  654. that any time they target an iOS device,
    that it will succeed for implantation.
  655. Either they have a huge collection of
    exploits that work against Apple products,
  656. meaning that they are hoarding
    information about critical systems that
  657. American companies produce
    and sabotaging them,
  658. or Apple sabotaged it themselves.
    Not sure which one it is!
  659. I’d like to believe that since Apple
    didn’t join the PRISM program until
  660. after Steve Jobs died that maybe it’s
    just that they write shitty software.
  661. We know that’s true!
  662. applause
  663. Here’s a HVT, high-value target.
    This is a high-value target
  664. being targeted with a back door for
    Windows CE Thuraya phones.
  665. So if you have a Thuraya phone and you’re
    wondering if it was secure – yeah maybe.
  666. Good luck! Here’s one where they
    replaced the hard drive firmware.
  667. There was a talk at OHM this year
    [OHM2013] where a guy talked about
  668. replacing hard drive firmware.
    You were onto something.
  669. You were really onto something. Whoever
    you are, you were onto something.
  670. Because the NSA has a program here,
    IRATEMONK, and that’s exactly
  671. what they do. They replace the firmware
    in the hard drive, so it doesn’t matter
  672. if you reformat the hard drive, you’re
    done. The firmware itself can do
  673. a whole bunch of stuff. So. Here are
    the names of the hard drive companies
  674. where it works: Western Digital, Seagate,
    Maxtor and Samsung, and of course
  675. they support FAT, NTFS, EXT3 and UFS.
    They probably now have support for
  676. additional file systems, but this is
    what we can prove. Please note
  677. at the bottom left and the bottom right:
    “Status: Released and Deployed.
  678. Ready for Immediate Delivery”.
    And: “Unit Cost: $0”.
  679. It’s free! No, you can’t get it.
    It’s not free as in free software.
  680. It’s free as in “You’re owned!”.
  681. applause
  682. I want to give a shoutout to Karsten Nohl
    and Luca [Luca Melette] for their
  683. incredible talk where they showed this
    exact attack without knowing that
  684. they had found it. Right?
    They say – yeah, absolutely.
  685. applause
  686. Important point. The NSA says that when
    they know about these things, that
  687. nobody will come to harm, no one will be
    able to find them, they’ll never be able
  688. to be exploited by another third party.
    Karsten found this exact vulnerability.
  689. They were able to install a Java applet on
    the SIM card without user interaction,
  690. and it was based on the service provider’s
    security configuration, which is exactly
  691. what the NSA says here, and they talk
    about attacking the same toolkit
  692. inside of the phone; and Karsten
    found the same vulnerability
  693. and attacked it in the wild. This
    is perfect evidence, not only of
  694. how badass Karsten and Luca are
    – they are, no question – but also about
  695. how wrong the NSA is with this balance.
    Because for every Karsten and Luca, there
  696. are hundreds of people who are paid to do
    this full-time and never tell us about it.
  697. applause
  698. Important detail. Do you see that
    ‘interdiction’ phrase right there?
  699. “Through remote access” – in other
    words, we broke into your computer –
  700. “or interdiction” – in other words,
    we stole your fucking mail. Now.
  701. This is a really important point. We
    all have heard about these paranoid
  702. crazy people talking about people breaking
    into their houses – that’s happened to me
  703. a number of times – motherfuckers,
    getting you back – it’s really important
  704. to understand this process is
    one that threatens all of us.
  705. The sanctity of the postal system
    has been violated. I mean – whoa!
  706. God, it makes me so angry, you know?
    You can’t even send a letter without
  707. being spied on, but even worse that they
    tamper with it! It’s not enough that
  708. the U.S. Postal Service records all
    of this information and keeps it
  709. – that’s not enough. They also have to
    tamper with the packages! So every time
  710. you buy from Amazon, for example, every
    time you buy anything on the internet,
  711. there is the possibility that they will
    actually take your package and change it.
  712. One of the ways that I’ve heard that they
    change it is that they will actually
  713. take the case of your computer and they
    will injection mold a hardware back door
  714. into the case of the computer.
    So that even if you were to look
  715. at the motherboard or have it serviced,
    you would not see this. It merely
  716. just needs to be in the proximity
    of the motherboard. So.
  717. Let’s talk about hardware implants
    that they will put into your devices.
  718. Here’s one. This is called BULLDOZER.
    It’s a PCI bus hardware implant.
  719. Pretty scary, doesn’t look so great,
    but let’s go on a little bit. Okay?
  720. Here’s one where they actually exploit
    the BIOS and System Management Mode.
  721. There’s a big graph that shows all of
    these various different interconnections,
  722. which is important. Then they talk about
    the long-range comms, INMARSAT, VSAT,
  723. NSA MEANS and Future Capabilities. I think
    NSA MEANS exists. Future Capabilities
  724. seems self-explanatory. “This
    hardware implant provides
  725. 2-way RF communication.” Interesting.
    So you disable all the wireless cards,
  726. whatever you need. There you go.
    They just added a new one in there and
  727. you don’t even know. Your system has no
    clue about it. Here’s a hardware back door
  728. which uses the I2C interface, because
    no one in the history of time
  729. other than the NSA probably has ever
    used it. That’s good to know that finally
  730. someone uses I2C for something
    – okay, other than fan control. But,
  731. look at that! It’s another American
    company that they are sabotaging.
  732. They understand that HP’s servers
    are vulnerable, and they decided,
  733. instead of explaining that this is
    a problem, they exploit it. And IRONCHEF,
  734. through interdiction, is one of
    the ways that they will do that.
  735. So I wanna really harp on this. Now it’s
    not that I think European companies
  736. are worth less. I suspect especially
    after this talk that won’t be true,
  737. in the literal stock sense, but I don’t
    know. I think it’s really important
  738. to understand that they are sabotaging
    American companies because of the
  739. so-called home-field advantage. The
    problem is that as an American who writes
  740. software, who wants to build hardware
    devices, this really chills my expression
  741. and it also gives me a problem, which
    is that people say: “Why would I use
  742. what you’re doing? You know,
    what about the NSA?”
  743. Man, that really bothers me.
    I don’t deserve the Huawei taint,
  744. and the NSA gives it. And President
    Obama’s own advisory board
  745. that was convened to understand the scope
    of these things has even agreed with me
  746. about this point, that this should not be
    taking place, that hoarding of zero-day
  747. exploits cannot simply happen without
    thought processes that are reasonable
  748. and rational and have an economic and
    social valuing where we really think about
  749. the broad-scale impact. Now.
    I’m gonna go on to a little bit more.
  750. Here’s where they attack SIM cards. This
    is MONKEYCALENDAR. So it’s actually
  751. the flow chart of how this would work.
    So in other words, they told you all of
  752. the ways in which you should be certainly,
    you know, looking at this. So if you ever
  753. see your handset emitting encrypted SMS
    that isn’t TextSecure, you now have
  754. a pretty good idea that it might be this.
    Here’s another example. If you have
  755. a computer in front of you… I highly
    encourage you to buy the Samsung SGH-X480C
  756. – that’s the preferred phone of the NSA
    for attacking another person’s phone.
  757. I’m not exactly sure why, but an important
    point is, they add the back door, then
  758. they send an SMS from a regular phone
    – what does that tell you? What does that
  759. tell you about the exploitation process?
    It tells you that it’s actually something
  760. which is pretty straightforward,
    pretty easy to do, doesn’t require
  761. specialized access to the telecoms once
    they’ve gotten your phone compromised.
  762. That to me suggests that other people
    might find it, other people might use
  763. these techniques. Okay, here’s a USB
    hardware implant called COTTONMOUTH.
  764. We released this in ‘Spiegel’ today as
    well. See the little red parts. It will
  765. provide a wireless bridge onto the
    target network with the ability to load
  766. exploit software. Here’s a little bit of
    extra details about that. It actually
  767. shows the graph at the bottom, how they do
    this, how they get around, how they beat
  768. the air gap with these things. And they
    talk a bit about being GENIE compliant.
  769. So GENIE, and for the rest of these
    programs, these are – like DROPOUTJEEP
  770. is part of the CHIMNEYPOOL programs,
    and COTTONMOUTH is part of the rest of
  771. these programs over here. These are huge
    programs where they’re trying to beat
  772. a whole bunch of different adversaries,
    and different capabilities are required.
  773. And this is one of the probably I think
    more interesting ones, but here’s
  774. the next revision of it where it’s in a
    USB plug, not actually in the cable.
  775. And look, 50 units for US$ 200,000.
    It’s really cheap.
  776. You like my editorializing there, I hope?
    So, $200,000, okay.
  777. And here’s where you look for it. If you
    happen to have an x-ray machine,
  778. look for an extra chip. And that’s
    a HOWLERMONKEY radio frequency transmitter.
  779. Well what’s a HOWLERMONKEY? We’ll
    talk about that in a second, but basically
  780. this is for ethernet, here. This is the
    FIREWALK. It can actually do injection
  781. bidirectionally on the ethernet controller
    into the network that it’s sitting on.
  782. So it doesn’t even have to do things
    directly to the computer. It can actually
  783. inject packets directly into the network,
    according to the specification sheet,
  784. which we released today on
    Der Spiegel’s website. As it says,
  785. ‘active injection of ethernet packets onto
    the target network’. Here’s another one
  786. from Dell with an actual FLUXBABBITT
    hardware implant for the PowerEdge 2950.
  787. This uses the JTAG debugging interface
    of the server. Why did Dell leave
  788. a JTAG debugging interface on these
    servers? Interesting, right? Because,
  789. it’s like leaving a vulnerability in. Is
    that a bug door or a back door or
  790. just a mistake? Well hopefully they will
    change these things or at least make it so
  791. that if you were to see this you would
    know that you had some problems.
  792. Hopefully Dell will release some
    information about how to mitigate
  793. this advanced persistent threat. Right?
    Everything that the U.S. Government
  794. accuses the Chinese of doing – which they
    are also doing, I believe – we are learning
  795. that the U.S. Government has been doing to
    American companies. That to me is really
  796. concerning, and we’ve had no public debate
    about these issues, and in many cases
  797. all the technical details are obfuscated
    away and they are just completely
  798. outside of the purview of discussions. In
    this case we learn more about Dell, and
  799. which models. And here’s the HOWLERMONKEY.
    These are actually photographs
  800. of the NSA implanted chips that they
    have when they steal your mail.
  801. So after they steal your mail they put
    a chip like this into your computer.
  802. So the one, the FIREWALK
    one is the ethernet one, and
  803. that’s an important one. You probably will
    notice that these look pretty simple,
  804. common off-the-shelf parts. So.
  805. Whew! All right. Who here
    is surprised by any of this?
  806. waits for audience reaction
    I’m really, really, really glad to see
  807. that you’re not all cynical fuckers and
    that someone here would admit
  808. that they were surprised. Okay, who
    here is not surprised? waits
  809. I’m going to blow your fucking mind!
  810. Okay. We all know about TEMPEST,
    right? Where the NSA pulls data
  811. out of your computer, irradiate stuff
    and then grab it, right? Everybody
  812. who raised their hand and said they’re
    not surprised, you already knew
  813. about TEMPEST, right?
    Right? Okay. Well.
  814. What if I told you that the NSA had
    a specialized technology for beaming
  815. energy into you and to the computer
    systems around you, would you believe
  816. that that was real or would that be
    paranoid speculation of a crazy person?
  817. laughter
    Anybody? You cynical guys
  818. holding up your hand saying that you’re
    not surprised by anything, raise your hand
  819. if you would be unsurprised by that.
  820. Good. And it’s not the same number.
    It’s significantly lower. It’s one person.
  821. Great. Here’s what they do with those
    types of things. That exists, by the way.
  822. When I told Julian Assange about this, he
    said: “Hmm. I bet the people who were
  823. around Hugo Chavez are going to wonder
    what caused his cancer.” And I said:
  824. “You know, I hadn’t considered that. But,
    you know, I haven’t found any data
  825. about human safety about these tools.
    Has the NSA performed tests where they
  826. actually show that radiating people
    with 1 kW of RF energy
  827. at short range is safe?”
  828. My God! No, you guys think I’m
    joking, right? Well, yeah, here it is.
  829. This is a continuous wave generator,
    a continuous wave radar unit.
  830. You can detect its use because it’s
    used between 1 and 2 GHz and
  831. its bandwidth is up to 45 MHz,
    user adjustable, 2 watts
  832. using an internal amplifier. External
    amplifier makes it possible to go
  833. up to 1 kilowatt.
  834. I’m just gonna let you take that
    in for a moment. clears throat
  835. Who’s crazy now?
  836. Now, I’m being told I only have one
    minute, so I’m going to have to go
  837. a little bit quicker. I’m sorry. Here’s
    why they do it. This is an implant
  838. called RAGEMASTER. It’s part of the
    ANGRYNEIGHBOR family of tools,
  839. laughter
    where they have a small device that they
  840. put in line with the cable in your monitor
    and then they use this radar system
  841. to bounce a signal – this is not unlike
    the Great Seal bug that [Leon] Theremin
  842. designed for the KGB. So it’s good to
    know we’ve finally caught up with the KGB,
  843. but now with computers. They
    send the microwave transmission,
  844. the continuous wave, it reflects off of
    this chip and then they use this device
  845. to see your monitor.
  846. Yep. So there’s the full life cycle.
    First they radiate you,
  847. then you die from cancer,
    then you… win? Okay, so,
  848. here’s the same thing, but this time for
    keyboards, USB and PS/2 keyboards.
  849. So the idea is that it’s a data
    retro-reflector. Here’s another thing,
  850. but this one, the TAWDRYYARD program, is
    a little bit different. It’s a beacon, so
  851. this is where probably then
    they kill you with a drone.
  852. That’s pretty scary stuff. They also have
    this for microphones to gather room bugs
  853. for room audio. Notice the bottom. It says
    all components are common off the shelf
  854. and are so non-attributable to the NSA.
    Unless you have this photograph
  855. and the product sheet. Happy hunting!
  856. applause
  857. And just to give you another idea, this is
    a device they use to be able to actively
  858. hunt people down. This is a hunting
    device, right? Handheld finishing tool
  859. used for geolocation targeting
    handsets in the field. So!
  860. Who was not surprised by this? I’m so
    glad to have finally reached the point
  861. where no one raised their hand except
    that one guy who I think misheard me.
  862. laughter
    Or you’re brilliant. And
  863. please stay in our community
    and work on open research!
  864. somebody off mike shouts:
    Audience: Maybe he can add something!
  865. Yeah! And if you work for the NSA,
    I’d just like to encourage you
  866. to leak more documents!
  867. applause, cheers
  868. applause
  869. applause
  870. applause, cheers, whistles
  871. applause, cheers, whistles, ovation
  872. applause, ovation
  873. applause, cheers, ovation
  874. applause, ovation
  875. Herald: Thank you very much, Jake.
  876. Thank you. I’m afraid we ran
    all out of time for the Q&A.
  877. I’m very sorry for anyone
    who wanted to ask questions.
  878. Jacob: But we do have a press conference.
    Well, if you guys… you know,
  879. I’d say: “occupy the room for another
    5 minutes”, or… know that there’s
  880. a press conference room that will be
    opened up, where we can all ask
  881. as many questions as we want,
    in 30 minutes, if you’re interested.
  882. And I will basically be available until
    I’m assassinated to answer questions.
  883. laughter, applause
  884. In the immortal words of Julian Assange:
    Remember, no matter what happens,
  885. even if there’s a videotape of it,
    it was murder! Thank you!
  886. Herald: Thank you. Please give a warm
    round of applause to Jake Appelbaum!
  887. applause
  888. silent postroll
  889. Subtitles created by
    in the year 2016. Join, and help us!