Return to Video

https:/.../30c3-5713-en-To_Protect_And_Infect_Part_2_h264-hq.mp4

  • 0:00 - 0:06
    Herald: Good morning to this last minute
    edition to our “Fahrplan” today.
  • 0:06 - 0:10
    There will probably be time for a few
    minutes of Q&A in the end, so you can
  • 0:10 - 0:15
    ask questions here or on IRC
    and Twitter via our Signal Angels.
  • 0:15 - 0:20
    Please welcome Jake Appelbaum,
    independent journalist,
  • 0:20 - 0:24
    for his talk
    “To Protect And Infect Part 2”.
  • 0:24 - 0:30
    applause
  • 0:30 - 0:36
    Jacob: Okay. Alright. Thanks so much
    for coming so early in the morning.
  • 0:36 - 0:39
    Or maybe not so early in the morning
    for most of you apparently since
  • 0:39 - 0:44
    you’ve all been up for more than an hour.
    But I’m gonna talk today a little bit
  • 0:44 - 0:49
    about some things that we’ve heard about
    at the conference and I’m gonna talk a bit
  • 0:49 - 0:53
    about some things that you have not
    probably ever heard about in your life and
  • 0:53 - 0:56
    are even worse than your worst nightmares.
  • 0:56 - 1:00
    So recently we heard a little bit about
    some of the low-end corporate spying
  • 1:00 - 1:05
    that’s often billed as being sort of like
    the hottest, most important stuff, so the
  • 1:05 - 1:09
    FinFisher, the HackingTeam, the VUPEN.
    And sort of in that order it becomes
  • 1:09 - 1:14
    more sophisticated and more and more
    tied in with the National Security Agency.
  • 1:14 - 1:18
    There are some Freedom of Information Act
    requests that have gone out that actually
  • 1:18 - 1:24
    show VUPEN being an NSA contractor writing
    exploits, that there are some ties there.
  • 1:24 - 1:28
    This sort of covers the… sort of…
    the whole gamut, I believe,
  • 1:28 - 1:32
    which is that, you know you can buy these
    like little pieces of forensics hardware.
  • 1:32 - 1:35
    And just as a sort of fun thing I bought
    some of those and then I looked at
  • 1:35 - 1:39
    how they worked and I noticed that this
    ‘Mouse Jiggler’, you plug it in and
  • 1:39 - 1:43
    the idea is that it like keeps your screen
    awake. So have any of you seen that
  • 1:43 - 1:47
    at all? It’s a piece of forensics hardware
    so your screensaver doesn’t activate.
  • 1:47 - 1:51
    So I showed it to one of the systemd
    developers, and now when you plug those
  • 1:51 - 1:56
    into a Linux box that runs systemd,
    they automatically lock the screen
  • 1:56 - 2:02
    when it sees the USB ID.
    applause
  • 2:02 - 2:05
    So when people talk about Free Software,
    ‘free as in freedom’, that’s part of
  • 2:05 - 2:09
    what they’re talking about. So there are
    some other things which I’m not going
  • 2:09 - 2:12
    to really talk a lot about it because
    basically this is all bullshit that
  • 2:12 - 2:15
    doesn’t really matter and we can defeat
    all of that. This is individualized things
  • 2:15 - 2:20
    we can defend against. But I want
    to talk a little bit about how it’s
  • 2:20 - 2:24
    not necessarily the case that because
    they’re not the most fantastic, they’re
  • 2:24 - 2:28
    not the most sophisticated, that
    therefore we shouldn’t worry about it.
  • 2:28 - 2:31
    This is Rafael. I met him when
    I was in Oslo in Norway
  • 2:31 - 2:36
    for the Oslo Freedom Forum, and basically
    he asked me to look at his computer
  • 2:36 - 2:40
    because he said, “You know, something
    seems to be wrong with it. I think that
  • 2:40 - 2:44
    there’s something, you know,
    slowing it down.” And I said:
  • 2:44 - 2:46
    “Well, I’m not going to find anything.
    I don’t have any tools. We are just
  • 2:46 - 2:50
    going to like sit at the computer…”
    And I looked at it, and it has to be
  • 2:50 - 2:53
    the lamest back door I’ve ever found. It
    was basically a very small program that
  • 2:53 - 2:57
    would just run in a loop and take
    screenshots. And it failed to upload
  • 2:57 - 3:01
    some of the screenshots, and so there were
    8 GB of screenshots in his home directory.
  • 3:01 - 3:05
    laughter and applause
    And I said, “I’m sorry to break it to you
  • 3:05 - 3:09
    but I think that you’ve been owned.
    And… by a complete idiot.”
  • 3:09 - 3:14
    laughter
    And he, he, yeah, he was,
  • 3:14 - 3:18
    he was really… actually, he felt really
    violated and then he told me what he does,
  • 3:18 - 3:21
    which is he’s an investigative journalist
    who works with top secret documents
  • 3:21 - 3:26
    all the time, with extreme, extreme
    operational security to protect
  • 3:26 - 3:31
    his sources. But when it came to computing
    J[ournalism] school failed him.
  • 3:31 - 3:36
    And as a result, he was compromised
    pretty badly. He was not using
  • 3:36 - 3:38
    a specialized operating system like
    Tails, which if you’re a journalist
  • 3:38 - 3:41
    and you’re not using Tails you should
    probably be using Tails unless
  • 3:41 - 3:44
    you really know what you’re doing.
    Apple did a pretty good job at
  • 3:44 - 3:49
    revoking this application, and it was, you
    know, in theory it stopped, but there are
  • 3:49 - 3:53
    lots of samples from the same group
    and this group that did this is tied to
  • 3:53 - 3:58
    a whole bunch of other attacks across
    the world, actually, which is why
  • 3:58 - 4:03
    it’s connected up there with Operation
    Hangover. The scary thing, though, is that
  • 4:03 - 4:07
    this summer, after we’d met, he was
    actually arrested relating to some
  • 4:07 - 4:11
    of these things. And now, as
    I understand it, he’s out, but,
  • 4:11 - 4:15
    you know, when you mess with a military
    dictatorship it messes with you back.
  • 4:15 - 4:19
    So even though that’s one of the lamest
    backdoors, his life is under threat.
  • 4:19 - 4:24
    So just simple things can cause serious,
    serious harm to regular people that are
  • 4:24 - 4:28
    working for some kind of truth telling.
    And that to me is really a big part
  • 4:28 - 4:32
    of my motivation for coming here to talk
    about what I’m going to talk about next,
  • 4:32 - 4:35
    which is that for every person that we
    learn about like Rafael, I think there are
  • 4:35 - 4:40
    lots of people we will never learn about,
    and that’s, to me that’s very scary,
  • 4:40 - 4:43
    and I think we need to bring some
    transparency, and that’s what we’re
  • 4:43 - 4:47
    going to talk about now. And I really want
    to emphasize this point. Even though
  • 4:47 - 4:51
    they’re not technically impressive, they
    are actually still harmful, and that,
  • 4:51 - 4:55
    that is really a key point to drive home.
    I mean, some of the back doors that
  • 4:55 - 5:00
    I’ve seen are really not sophisticated,
    they’re not really that interesting, and
  • 5:00 - 5:04
    in some cases they’re common off-the-shelf
    purchases between businesses,
  • 5:04 - 5:09
    so it’s like business-to-business
    exploitation software development.
  • 5:09 - 5:13
    I feel like that’s really kind of sad,
    and I also think we can change this.
  • 5:13 - 5:19
    We can turn this around by exposing it.
    So, what’s it all about, though?
  • 5:19 - 5:24
    Fundamentally it’s about control, baby,
    and that is what we’re going to get into.
  • 5:24 - 5:28
    It’s not just about control of machines.
    What happened with Rafael is about
  • 5:28 - 5:32
    control of people. And fundamentally
    when we talk about things like internet
  • 5:32 - 5:36
    freedom and we talk about tactical
    surveillance and strategic surveillance,
  • 5:36 - 5:40
    we’re talking about control of people
    through the machinery that they use.
  • 5:40 - 5:44
    And this is a really, I think a really
    kind of – you know I’m trying
  • 5:44 - 5:47
    to make you laugh a little bit because
    what I’m going to show you today
  • 5:47 - 5:53
    is wrist-slitting depressing.
    So. Part 2, or Act 2 of Part 2.
  • 5:53 - 5:58
    Basically the NSA, they want
    to be able to spy on you, and
  • 5:58 - 6:01
    if they have 10 different options for
    spying on you that you know about,
  • 6:01 - 6:06
    they have 13 ways of doing it and they
    do all 13. So that’s a pretty scary thing,
  • 6:06 - 6:11
    and basically their goal is to have
    total surveillance of everything that
  • 6:11 - 6:15
    they’re interested in. So there really
    is no boundary to what they want to do.
  • 6:15 - 6:19
    There is only sometimes a boundary of
    what they are funded to be able to do and
  • 6:19 - 6:24
    the amount of things they’re able to do at
    scale. They seem to just do those things
  • 6:24 - 6:27
    without thinking too much about it. And
    there are specific tactical things
  • 6:27 - 6:31
    where they have to target a group or an
    individual, and those things seem limited
  • 6:31 - 6:36
    either by budgets or simply by their time.
    And as we have released today
  • 6:36 - 6:40
    on Der Spiegel’s website, which it should
    be live – I just checked, it should be live
  • 6:40 - 6:44
    for everyone here – we actually
    show a whole bunch of details
  • 6:44 - 6:50
    about their budgets as well as the
    individuals involved with the NSA
  • 6:50 - 6:53
    and the Tailored Access Operations group
    in terms of numbers. So it should give you
  • 6:53 - 6:59
    a rough idea showing that there was a
    small period of time in which the internet
  • 6:59 - 7:03
    was really free and we did not have people
    from the U.S. military that were watching
  • 7:03 - 7:07
    over it and exploiting everyone on
    it, and now we see every year
  • 7:07 - 7:12
    that the number of people who are hired to
    break into people’s computers as part of
  • 7:12 - 7:17
    grand operations, those people are growing
    day by day, actually. In every year
  • 7:17 - 7:22
    there are more and more people that are
    allocated, and we see this growth. So
  • 7:22 - 7:26
    that’s the goal: non-attribution, and total
    surveillance, and they want to do it
  • 7:26 - 7:31
    completely in the dark. The good
    news is that they can’t. So,
  • 7:31 - 7:35
    now I’m going to show you a bit about it.
    But first, before I show you any pictures,
  • 7:35 - 7:39
    I want to sort of give you the big picture
    from the top down. So there is
  • 7:39 - 7:43
    a planetary strategic surveillance system,
    and there – well, there are many of them
  • 7:43 - 7:48
    actually. Everything from I think
    off-planetary surveillance gear, which is
  • 7:48 - 7:52
    probably the National Reconnaissance
    Office and their satellite systems
  • 7:52 - 7:55
    for surveillance like the Keyhole
    satellites – these are all things most,
  • 7:55 - 7:58
    for the most part we actually know about
    these things. They’re on Wikipedia.
  • 7:58 - 8:01
    But I want to talk a little bit more about
    the internet side of things because
  • 8:01 - 8:05
    I think that’s really fascinating. So
    part of what we are releasing today
  • 8:05 - 8:08
    with ‘Der Spiegel’, or what has actually
    been released – just to be clear
  • 8:08 - 8:12
    on the timeline, I’m not disclosing it
    first, I’m working as an independent
  • 8:12 - 8:15
    journalist summarizing the work that we
    have already released onto the internet
  • 8:15 - 8:19
    as part of a publication house that went
    through a very large editorial process
  • 8:19 - 8:24
    in which we redacted all the names of
    agents and information about those names,
  • 8:24 - 8:26
    including their phone numbers
    and e-mail addresses.
  • 8:26 - 8:29
    applause
  • 8:29 - 8:33
    And I should say that I actually think
    that the laws here are wrong,
  • 8:33 - 8:37
    because they are in favor of
    an oppressor who is criminal.
  • 8:37 - 8:41
    So when we redact the names of people who
    are engaged in criminal activity including
  • 8:41 - 8:45
    drone murder, we are actually not doing
    the right thing, but I believe that
  • 8:45 - 8:49
    we should comply with the law in order
    to continue to publish, and I think
  • 8:49 - 8:56
    that’s very important.
    applause
  • 8:56 - 9:00
    We also redacted the names of
    victims of NSA surveillance,
  • 9:00 - 9:05
    because we think that there’s a balance.
    Unfortunately there is a serious problem
  • 9:05 - 9:09
    which is that the U.S. government asserts
    that you don’t have standing to prove
  • 9:09 - 9:12
    that you’ve been surveilled unless
    we release that kind of information,
  • 9:12 - 9:15
    but we don’t want to release that kind
    of information in case it could be
  • 9:15 - 9:19
    a legitimate target, and we – I’m really
    uncomfortable with that term, but let’s
  • 9:19 - 9:22
    say that there is a legitimate target, the
    most legitimate target, and we didn’t want
  • 9:22 - 9:26
    to make that decision. But we
    did also want to make sure
  • 9:26 - 9:29
    that we didn’t harm someone, but we
    also wanted to show concrete examples.
  • 9:29 - 9:32
    So if you look at the ‘Spiegel’ stuff online,
    we redacted the names even of those
  • 9:32 - 9:36
    who were victimized by the NSA’s
    oppressive tactics, which I think
  • 9:36 - 9:40
    actually goes further than is necessary,
    but I believe that it strikes
  • 9:40 - 9:43
    the right balance to ensure continued
    publication and also to make sure
  • 9:43 - 9:47
    that people are not harmed and that
    legitimate good things, however rare
  • 9:47 - 9:52
    they may be, they are also not harmed.
    So if you’ve been targeted by the NSA
  • 9:52 - 9:54
    and you would have found out today
    if we had taken a different decision,
  • 9:54 - 9:59
    I’m really sorry, but this is the thing
    I think that keeps us alive,
  • 9:59 - 10:02
    so this is the choice that I think is the
    right choice, and I think it’s also
  • 10:02 - 10:06
    the safest choice for everyone.
    So that said, basically the NSA has
  • 10:06 - 10:11
    a giant dragnet surveillance system that
    they call TURMOIL. TURMOIL is a passive
  • 10:11 - 10:15
    interception system. That passive
    interception system essentially spans
  • 10:15 - 10:18
    the whole planet. Who here has heard
    about the Merkel phone incident?
  • 10:18 - 10:22
    Some of you heard about Chancellor Merkel?
    So we revealed that in ‘Der Spiegel’, and
  • 10:22 - 10:26
    what we found was that they tasked her
    for surveillance. And I’ll talk a little bit
  • 10:26 - 10:29
    about that later. But basically the way
    that this works is that they have this
  • 10:29 - 10:34
    huge passive set of sensors; and any data
    that flows past it, they actually look at it.
  • 10:34 - 10:38
    So there was a time in the past where
    surveillance meant looking at anything
  • 10:38 - 10:43
    at all. And now the NSA tries
    to basically twist the words
  • 10:43 - 10:47
    of every person who speaks whatever
    language they’re speaking in, and they
  • 10:47 - 10:51
    try to say that it’s only surveillance
    if after they collect it and record it
  • 10:51 - 10:56
    to a database, and analyze it with
    machines, only if – I think – an NSA agent
  • 10:56 - 11:00
    basically looks at it
    personally and then clicks
  • 11:00 - 11:04
    “I have looked at this” do
    they call it surveillance.
  • 11:04 - 11:07
    Fundamentally I really object to that
    because if I ran a TURMOIL collection
  • 11:07 - 11:10
    system – that is passive signals
    intelligence systems collecting data
  • 11:10 - 11:14
    from the whole planet, everywhere they
    possibly can – I would go to prison
  • 11:14 - 11:18
    for the rest of my life.
    That’s the balance, right?
  • 11:18 - 11:22
    Jefferson talks about this. He says, you
    know, “That which the government
  • 11:22 - 11:25
    is allowed to do but you are not, this is
    a tyranny.” There are some exceptions
  • 11:25 - 11:30
    to that, but the CFAA in the United
    States, the Computer Fraud and Abuse Act,
  • 11:30 - 11:34
    you know, it’s so draconian
    for regular people,
  • 11:34 - 11:38
    and the NSA gets to do something like
    intercepting 7 billion people all day long
  • 11:38 - 11:43
    with no problems, and the rest of us
    are not even allowed to experiment
  • 11:43 - 11:47
    for improving the security of our own
    lives without being put in prison
  • 11:47 - 11:52
    or under threat of serious indictment, and
    that I think is a really important point.
  • 11:52 - 11:56
    So the TURMOIL system is a surveillance
    system, and it is a dragnet surveillance
  • 11:56 - 12:00
    system that is a general warrant dragnet
    surveillance if there ever was one.
  • 12:00 - 12:04
    And now we shot the British over this when
    we started our revolution. We called them
  • 12:04 - 12:07
    “general writs of assistance.” These
    were generalized warrants which
  • 12:07 - 12:11
    we considered to be a tyranny. And
    TURMOIL is the digital version of a
  • 12:11 - 12:15
    general writ of assistance system. And
    the general writ of assistance itself,
  • 12:15 - 12:19
    it’s not clear if it even exists, because
    it’s not clear to me that a judge
  • 12:19 - 12:22
    would understand
    anything that I just said.
  • 12:22 - 12:27
    applause
  • 12:27 - 12:32
    Okay, so now we’re gonna get scary.
    So that’s just the passive stuff.
  • 12:32 - 12:36
    There exists another system that’s called
    TURBINE, and we revealed about this system
  • 12:36 - 12:41
    in the ‘Spiegel’ publications
    today as well. So if TURMOIL
  • 12:41 - 12:47
    is deep packet inspection, then
    TURBINE is deep packet injection.
  • 12:47 - 12:52
    And it is the system that combined
    together with a thing…
  • 12:52 - 12:56
    – with TURMOIL and TURBINE you can create
    a platform which they have consolidated
  • 12:56 - 13:02
    which they call QFIRE. QFIRE is
    essentially a way to programmatically
  • 13:02 - 13:06
    look at things that flow across the
    internet that they see with TURMOIL
  • 13:06 - 13:10
    and then using TURBINE they’re able to
    actually inject packets to try to do attacks,
  • 13:10 - 13:14
    and I’ll describe some of those attacks
    in detail in a moment. But essentially
  • 13:14 - 13:17
    the interesting thing about QFIRE also
    is that they have a thing that’s called
  • 13:17 - 13:22
    a diode. So if you have for
    example a large number
  • 13:22 - 13:25
    of systems where you control them, you
    might say: “Hey, what are you doing
  • 13:25 - 13:28
    on that backbone?”, “Hey, what’s going on
    with these systems?” And they could say,
  • 13:28 - 13:31
    well, you know, we paid for access, we’re
    doing this, it’s all legal, etcetera.
  • 13:31 - 13:34
    QFIRE has this really neat little detail
    which is that they compromise
  • 13:34 - 13:37
    other people’s routers and then redirect
    through them so that they can beat
  • 13:37 - 13:40
    the speed of light. And how
    they do that is that they have
  • 13:40 - 13:43
    a passive sensor that’s nearby,
    a thing that they can inject from.
  • 13:43 - 13:48
    And when they see that that thing sees
    a selector that is interesting to them
  • 13:48 - 13:52
    or is doing a thing that they would like
    to tamper with in some way, then they
  • 13:52 - 13:55
    take a packet, they encapsulate the
    packet, they send it to the diode,
  • 13:55 - 14:00
    which might be your home router
    potentially, and then that home router
  • 14:00 - 14:05
    decapsulates that packet and sends it out.
    And because that is very close to you,
  • 14:05 - 14:10
    and let’s say you’re visiting Yahoo, then
    the Yahoo packet will not beat you.
  • 14:10 - 14:15
    That is, they will not beat the NSA
    or GCHQ. So it’s a race condition.
  • 14:15 - 14:18
    And so they basically are able to
    control this whole system and then
  • 14:18 - 14:23
    to localize attacks in that
    process. So that’s a pretty –
  • 14:23 - 14:28
    pretty scary stuff, actually. And while it
    is a digital thing, I think it’s important
  • 14:28 - 14:31
    to understand that this is what Jefferson
    talked about when he talked about tyranny.
  • 14:31 - 14:34
    This is turnkey tyranny, and it’s not that
    it’s coming, it’s actually here. It’s just
  • 14:34 - 14:38
    merely the question about whether or not
    they’ll use it in a way that we think is
  • 14:38 - 14:42
    a good way or not a good way. One
    of the scariest parts about this is that
  • 14:42 - 14:48
    for this system or these sets of systems
    to exist, we have been kept vulnerable.
  • 14:48 - 14:52
    So it is the case that if the Chinese,
    if the Russians, if people here
  • 14:52 - 14:56
    wish to build this system, there’s nothing
    that stops them. And in fact the NSA has
  • 14:56 - 15:00
    in a literal sense retarded the process
    by which we would secure the internet
  • 15:00 - 15:05
    because it establishes a hegemony
    of power, their power in secret,
  • 15:05 - 15:09
    to do these things. And in fact I’ve seen
    evidence that shows that there are so many
  • 15:09 - 15:12
    compromises taking place between the
    different Five Eyes signals intelligence
  • 15:12 - 15:16
    groups that they actually have lists that
    explain, “If you see this back door
  • 15:16 - 15:21
    on the system, contact a friendly agency.
    You’ve just recompromised the machine
  • 15:21 - 15:25
    of another person.” So
    when we talk about this,
  • 15:25 - 15:29
    we have to consider that this is
    designed for at-scale exploitation.
  • 15:29 - 15:33
    And as far as I can tell it’s being
    used for at-scale exploitation.
  • 15:33 - 15:39
    Which is not really in my mind a
    targeted particularized type of thing,
  • 15:39 - 15:42
    but rather it’s fishing operations.
    It’s fishing expeditions. It’s
  • 15:42 - 15:47
    more like fishing crusades, if you will.
    And in some cases, looking at the evidence
  • 15:47 - 15:51
    that seems to be what it is. Targeting
    Muslims, I might add. Because that’s
  • 15:51 - 15:55
    what they’re interested in doing.
    So that said, that’s the internet,
  • 15:55 - 15:58
    and we get all the way down to the bottom
    and we get to the Close Access Operations
  • 15:58 - 16:03
    and Off-Net. Off-Net and Close Access
    Operations are pretty scary things,
  • 16:03 - 16:06
    but basically this is what we would call a
    black bag job. That’s where these guys,
  • 16:06 - 16:10
    they break into your house, they put
    something in your computer and
  • 16:10 - 16:13
    they take other things out of your
    computer. Here’s an example.
  • 16:13 - 16:16
    First top secret document
    of the talk so far.
  • 16:16 - 16:18
    This is a Close Access Operations box.
  • 16:18 - 16:22
    It is basically car
    metasploit for the NSA,
  • 16:22 - 16:25
    which is an interesting thing. But
    basically they say that the attack is
  • 16:25 - 16:30
    undetectable, and it’s sadly
    a laptop running free software.
  • 16:30 - 16:35
    It is injecting packets. And they say that
    they can do this from as far away as
  • 16:35 - 16:40
    8 miles to inject packets, so presumably
    using this they’re able to exploit
  • 16:40 - 16:46
    a kernel vulnerability of some kind,
    parsing the wireless frames, and, yeah.
  • 16:46 - 16:50
    I’ve heard that they actually put this
    hardware, from sources inside of the NSA
  • 16:50 - 16:54
    and inside of other
    intelligence agencies, that
  • 16:54 - 16:58
    they actually put this type of hardware on
    drones so that they fly them over areas
  • 16:58 - 17:02
    that they’re interested in and they
    do mass exploitation of people.
  • 17:02 - 17:06
    Now, we don’t have a document
    that substantiates that part, but
  • 17:06 - 17:08
    we do have this document that actually
    claims that they’ve done it from up to
  • 17:08 - 17:13
    8 miles away. So that’s a really
    interesting thing because it tells us
  • 17:13 - 17:17
    that they understand that common wireless
    cards, probably running Microsoft Windows,
  • 17:17 - 17:21
    which is an American company, that they
    know about vulnerabilities and they
  • 17:21 - 17:25
    keep them a secret to use them. This is
    part of a constant theme of sabotaging
  • 17:25 - 17:30
    and undermining American companies and
    American ingenuity. As an American,
  • 17:30 - 17:33
    while generally not a nationalist, I find
    this disgusting, especially as someone
  • 17:33 - 17:38
    who writes free software and would
    like my tax dollars to be spent
  • 17:38 - 17:41
    on improving these things. And when they
    know about them I don’t want them
  • 17:41 - 17:44
    to keep them a secret because
    all of us are vulnerable.
  • 17:44 - 17:46
    It’s a really scary thing.
  • 17:46 - 17:52
    applause
  • 17:52 - 17:56
    And it just so happens that at my house,
    myself and many of my friends,
  • 17:56 - 17:59
    when we use wireless devices
    – Andy knows what I’m talking about,
  • 17:59 - 18:03
    a few other people here –
    all the time we have errors
  • 18:03 - 18:08
    in certain machines which are set up at
    the house, in some cases as a honey pot
  • 18:08 - 18:12
    – thanks, guys – where kernel
    panic after kernel panic,
  • 18:12 - 18:16
    exactly in the receive handler of the
    Linux kernel where you would expect
  • 18:16 - 18:20
    this specific type of thing to take place.
    So I think that if we talk about
  • 18:20 - 18:23
    the war coming home, we probably will
    find that this is not just used in places
  • 18:23 - 18:27
    where there’s a literal war on but where
    they decide that it would be useful,
  • 18:27 - 18:32
    including just parking outside your house.
    Now I only have an hour today,
  • 18:32 - 18:36
    so I’m gonna have to go through some
    other stuff pretty quickly. I want to make
  • 18:36 - 18:41
    a couple of points clear. This wasn’t
    clear, even though it was written
  • 18:41 - 18:46
    in the New York Times by my dear friend
    Laura Poitras, who is totally fantastic
  • 18:46 - 18:52
    by the way, and… you are great.
    But 15 years of data retention –
  • 18:52 - 18:56
    applause
  • 18:56 - 19:00
    So the NSA has 15 years
    of data retention.
  • 19:00 - 19:04
    It’s a really important point to
    drive home. I joked with Laura
  • 19:04 - 19:06
    when she wrote the New York Times article
    with James Risen, she should do the math
  • 19:06 - 19:11
    for other people and say “15 years”. She
    said: “They can do the math on their own,
  • 19:11 - 19:16
    I believe in them”. I just wanna do the
    math for you. 15 years, that’s scary!
  • 19:16 - 19:20
    I don’t ever remember voting on that,
    I don’t ever remember even having
  • 19:20 - 19:24
    a public debate about it. And that
    includes content as well as metadata.
  • 19:24 - 19:30
    So they use this metadata. They search
    through this metadata retroactively.
  • 19:30 - 19:34
    They do what’s called ‘tasking’, that is,
    they find a set of selectors – so that’s
  • 19:34 - 19:38
    a set of unique identifiers, e-mail
    addresses, cookies, MAC addresses, IMEIs…
  • 19:38 - 19:42
    whatever is useful. Voice prints
    potentially, depending on the system.
  • 19:42 - 19:47
    And then they basically
    task those selectors
  • 19:47 - 19:51
    for specific activities. So that ties
    together with some of the attacks
  • 19:51 - 19:55
    which I’ll talk about, but essentially
    QUANTUMINSERTION and things that are
  • 19:55 - 20:01
    like QUANTUMINSERTION, they’re triggered
    as part of the TURMOIL and TURBINE system
  • 20:01 - 20:06
    and the QFIRE system, and they’re all put
    together so that they can automate
  • 20:06 - 20:09
    attacking people based on the plain
    text traffic that transits the internet
  • 20:09 - 20:13
    or based on the source or
    destination IP addresses.
  • 20:13 - 20:16
    This is a second top secret document.
  • 20:16 - 20:21
    This is an actual NSA lolcat
  • 20:21 - 20:26
    for the QUANTUMTHEORY program.
  • 20:26 - 20:29
    applause
  • 20:29 - 20:33
    You’ll notice it’s a black cat, hiding. Okay.
  • 20:33 - 20:37
    So there are a few people in the audience
    that are still not terrified enough, and
  • 20:37 - 20:40
    there are a few people that as part
    of their process for coping with
  • 20:40 - 20:45
    this horrible world that we have found
    ourselves in, they will say the following:
  • 20:45 - 20:48
    “There’s no way they’ll ever find me. I’m
    not interesting.” So I just want to dispel
  • 20:48 - 20:53
    that notion and show you a little bit
    about how they do that. So we mentioned
  • 20:53 - 20:57
    TURMOIL, which is the dragnet surveillance,
    and TURBINE, which is deep packet injection,
  • 20:57 - 21:01
    and QFIRE, where we tie it all together,
    and this is an example of something which
  • 21:01 - 21:04
    I think actually demonstrates a crime but
    I’m not sure, I’m not a lawyer, I’m
  • 21:04 - 21:08
    definitely not your lawyer, and I’m
    certainly not the NSA’s lawyer.
  • 21:08 - 21:12
    But this is the MARINA system. This is
    merely one of many systems where they
  • 21:12 - 21:15
    actually have full content as well as
    metadata. Taken together, they do
  • 21:15 - 21:19
    contact chaining, where they find out you
    guys are all in the same room with me
  • 21:19 - 21:25
    – which reminds me, let’s
    see, I’ve got this phone…
  • 21:25 - 21:31
    Okay. That’s good. Let’s
    turn that on. So now…
  • 21:31 - 21:34
    laughter
    You’re welcome.
  • 21:34 - 21:38
    laughter
    You have no idea!
  • 21:38 - 21:40
    laughter
    But I just wanted to make sure that
  • 21:40 - 21:44
    if there was any question about whether
    or not you are exempt from needing to do
  • 21:44 - 21:48
    something about this,
    that that is dispelled.
  • 21:48 - 21:53
    applause
  • 21:53 - 21:59
    Okay? Cell phone’s on.
    Great. So. Hey, guys!
  • 21:59 - 22:03
    laughter
    So, the MARINA system is a
  • 22:03 - 22:08
    contact chaining system as well as a
    system that has data, and in this case
  • 22:08 - 22:13
    what we see is in fact reverse contact
    and forward contact graphing. So,
  • 22:13 - 22:17
    any lawyers in the audience? If there
    are American citizens in this database,
  • 22:17 - 22:21
    is reverse targeting like this illegal?
    Generally? Is it possible that that
  • 22:21 - 22:26
    could be considered illegal?
    Someone from audience mumbling
  • 22:26 - 22:29
    Yeah, so, interesting. If it’s called
    reverse contacts instead of
  • 22:29 - 22:35
    reverse targeting – yeah, exactly.
    So, you’ll also notice the,
  • 22:35 - 22:40
    on the right-hand side, webcam photos.
  • 22:40 - 22:44
    So, just in case you’re wondering,
    in this case this particular target,
  • 22:44 - 22:47
    I suppose that he did not or
    she did not have a webcam.
  • 22:47 - 22:50
    Good for them. If not, you should follow
    the EFF’s advice and you should put
  • 22:50 - 22:54
    a little sticker over your webcam. But
    you’ll also note that they try to find
  • 22:54 - 22:58
    equivalent identifiers. So every time
    there’s a linkable identifier that you
  • 22:58 - 23:03
    have on the internet, they try to put that
    and tie it together and contact chain it,
  • 23:03 - 23:08
    and they try to show who you are among all
    of these different potential identifiers –
  • 23:08 - 23:11
    if you have 5 e-mail addresses, they would
    link them together – and then they try
  • 23:11 - 23:14
    to find out who all your friends are.
    You’ll also note at the bottom here,
  • 23:14 - 23:19
    logins and passwords. So they’re
    also doing dragnet surveillance
  • 23:19 - 23:23
    in which they extract – the feature set
    extraction where they know semantically
  • 23:23 - 23:26
    what a login and a password is in a
    particular protocol. And in this case
  • 23:26 - 23:31
    this guy is lucky, I suppose, and they
    were not able to get passwords or webcam,
  • 23:31 - 23:34
    but you’ll note that they were able to get
    his contacts and they were able to see
  • 23:34 - 23:38
    in fact 29, give or take,
    received messages as well,
  • 23:38 - 23:42
    of which there are these things. Now in
    this case we have redacted the e-mail
  • 23:42 - 23:46
    and instant messenger information,
    but this is an example of how
  • 23:46 - 23:50
    laughs
    you can’t hide from these things, and
  • 23:50 - 23:54
    thinking that they won’t find you
    is a fallacy. So this is basically
  • 23:54 - 23:59
    the difference between taking one wire and
    clipping onto it in a particularized
  • 23:59 - 24:02
    suspicious way where they’re really
    interested, they have a particularized
  • 24:02 - 24:06
    suspicion, they think that someone is a
    criminal, they think someone has taken
  • 24:06 - 24:10
    some serious steps that are illegal, and
    instead what they do is they put all of us
  • 24:10 - 24:14
    under surveillance, record all of this
    data that they possibly can, and then
  • 24:14 - 24:18
    they go looking through it. Now
    in the case of Chancellor Merkel,
  • 24:18 - 24:23
    when we revealed NSRL 2002-388,
    what we showed was that
  • 24:23 - 24:26
    they were spying on Merkel. And by their
    own admission 3 hops away, that’s everyone
  • 24:26 - 24:30
    in the German Parliament
    and everyone here.
  • 24:30 - 24:36
    So that’s pretty serious stuff. It also
    happens that if you should be visiting
  • 24:36 - 24:42
    certain websites, especially if you’re
    a Muslim, it is the case that you can be
  • 24:42 - 24:47
    attacked automatically by this system.
    Right? So that would mean that
  • 24:47 - 24:50
    they would automatically start to break
    into systems. That’s what they would call
  • 24:50 - 24:55
    ‘untasked targeting’. Interesting idea
    that they call that targeted surveillance.
  • 24:55 - 24:59
    To me that doesn’t really sound too
    much like targeted surveillance unless
  • 24:59 - 25:03
    what you mean by carpet bombing, it – you
    know, I mean it just – you know, like… it
  • 25:03 - 25:08
    just doesn’t… it doesn’t strike me right.
    It’s not my real definition of ‘targeted’.
  • 25:08 - 25:11
    It’s not well defined. It’s not that a
    judge has said, “Yes, this person is
  • 25:11 - 25:15
    clearly someone we should target.” Quite
    the opposite. This is something where
  • 25:15 - 25:19
    some guy who has a system has decided to
    deploy it and they do it however they like
  • 25:19 - 25:23
    whenever they would like. And while there
    are some restrictions, it’s clear that
  • 25:23 - 25:27
    the details about these programs do not
    trickle up. And even if they do, they
  • 25:27 - 25:31
    do not trickle up in a useful way. So
    this is important, because members
  • 25:31 - 25:36
    of the U.S. Congress, they have no clue
    about these things. Literally, in the case
  • 25:36 - 25:43
    of the technology. Ask a Congressman
    about TCP/IP. Forget it.
  • 25:43 - 25:47
    You can’t even get a meeting with them.
    I’ve tried. Doesn’t matter. Even if you
  • 25:47 - 25:50
    know the secret interpretation of Section
    215 of the Patriot Act and you go
  • 25:50 - 25:53
    to Washington, D.C. and you meet with
    their aides, they still won’t talk to you
  • 25:53 - 25:56
    about it. Part of that is because they
    don’t have a clue, and another part of it
  • 25:56 - 26:00
    is because they can’t talk about it,
    because they don’t have a political solution.
  • 26:00 - 26:03
    Absent a political solution, it’s very
    difficult to get someone to admit that
  • 26:03 - 26:06
    there is a problem. Well, there is a
    problem, so we’re going to create
  • 26:06 - 26:10
    a political problem and also talk
    about some of the solutions.
  • 26:10 - 26:13
    The Cypherpunks generally have
    come up with some of the solutions
  • 26:13 - 26:17
    when we talk about encrypting the entire
    internet. That would end dragnet mass
  • 26:17 - 26:21
    surveillance in a sense, but it will
    come back in a different sense
  • 26:21 - 26:26
    even with encryption. We need both
    a marriage of a technical solution
  • 26:26 - 26:31
    and we need a political solution
    to go with it, and if we don’t have
  • 26:31 - 26:35
    those 2 things, we will unfortunately be
    stuck here. But at the moment the NSA,
  • 26:35 - 26:40
    basically, I feel, has more power than
    anyone in the entire world – any one
  • 26:40 - 26:45
    agency or any one person. So Emperor
    Alexander, the head of the NSA, really has
  • 26:45 - 26:50
    a lot of power. If they want to right now,
    they’ll know that the IMEI of this phone
  • 26:50 - 26:55
    is interesting. It’s very warm, which is
    another funny thing, and they would be
  • 26:55 - 26:59
    able to break into this phone almost
    certainly and then turn on the microphone,
  • 26:59 - 27:03
    and all without a court.
    So that to me is really scary.
  • 27:03 - 27:07
    And I especially dislike the fact that
    if you were to be building these
  • 27:07 - 27:11
    types of things, they treat you as an
    opponent, if you wish to be able to
  • 27:11 - 27:14
    fulfill the promises that you make to your
    customers. And as someone who writes
  • 27:14 - 27:18
    security software
    I think that’s bullshit.
  • 27:18 - 27:22
    So. Here’s how they do a bit of it.
    So there are different programs.
  • 27:22 - 27:26
    So QUANTUMTHEORY, QUANTUMNATION,
    QUANTUMBOT, QUANTUMCOPPER
  • 27:26 - 27:29
    and QUANTUMINSERT. You’ve heard of a few
    of them. I’ll just go through them real quick.
  • 27:29 - 27:33
    QUANTUMTHEORY essentially has
    a whole arsenal of zero-day exploits.
  • 27:33 - 27:38
    Then the system deploys what’s called
    a SMOTH, or a seasoned moth.
  • 27:38 - 27:44
    And a seasoned moth is an
    implant which dies after 30 days.
  • 27:44 - 27:49
    So I think that these guys either took a
    lot of acid or read a lot of Philip K. Dick,
  • 27:49 - 27:52
    potentially both!
    applause
  • 27:52 - 27:55
    And they thought Philip K. Dick
    wasn’t dystopian enough.
  • 27:55 - 28:00
    “Let’s get better at this”.
    And after reading VALIS, I guess,
  • 28:00 - 28:05
    they went on, and they also have
    as part of QUANTUMNATION
  • 28:05 - 28:09
    what’s called VALIDATOR or COMMONDEER.
    Now these are first-stage payloads
  • 28:09 - 28:14
    that are done entirely in memory.
    These exploits essentially are where they
  • 28:14 - 28:18
    look around to see if you have what are
    called PSPs, and this is to see, like,
  • 28:18 - 28:22
    you know, if you have Tripwire, if you
    have Aid, if you have some sort of
  • 28:22 - 28:26
    system tool that will detect if an
    attacker is tampering with files or
  • 28:26 - 28:29
    something like this, like
    a host intrusion detection system.
  • 28:29 - 28:34
    So VALIDATOR and COMMONDEER, which,
    I mean, clearly the point of COMMONDEER,
  • 28:34 - 28:37
    while it’s misspelled here – it’s not
    actually… I mean that’s the name
  • 28:37 - 28:41
    of the program… but the point is to make
    a pun on commandeering your machine. So,
  • 28:41 - 28:45
    you know, when I think about the U.S.
    Constitution in particular, we talk about
  • 28:45 - 28:49
    not allowing the quartering of
    soldiers – and, gosh, you know?
  • 28:49 - 28:54
    Commandeering my computer sounds
    a lot like a digital version of that, and
  • 28:54 - 28:57
    I find that’s a little bit confusing, and
    mostly in that I don’t understand
  • 28:57 - 29:01
    how they get away with it. But part of it
    is because until right now we didn’t know
  • 29:01 - 29:06
    about it, in public, which is why we’re
    releasing this in the public interest,
  • 29:06 - 29:09
    so that we can have a better debate
    about whether or not that counts, in fact,
  • 29:09 - 29:14
    as a part of this type of what I would
    consider to be tyranny, or perhaps
  • 29:14 - 29:19
    you think it is a measured and reasonable
    thing. I somehow doubt that. But
  • 29:19 - 29:23
    in any case, QUANTUMBOT is where
    they hijack IRC bots, because why not?
  • 29:23 - 29:26
    They thought they would like to do
    that, and an interesting point is that
  • 29:26 - 29:31
    they could in theory stop a lot
    of these botnet attacks and
  • 29:31 - 29:35
    they have decided to maintain that
    capability, but they’re not yet doing it
  • 29:35 - 29:39
    except when they feel like doing it for
    experiments or when they do it to
  • 29:39 - 29:43
    potentially use them. It’s not clear
    exactly how they use them. But
  • 29:43 - 29:46
    the mere fact of the matter is that that
    suggests they’re even in fact able to do
  • 29:46 - 29:50
    these types of attacks, they’ve tested
    these types of attacks against botnets.
  • 29:50 - 29:54
    And that’s the program you should FOIA
    for. We’ve released a little bit of detail
  • 29:54 - 29:58
    about that today as well. And
    QUANTUMCOPPER to me is really scary.
  • 29:58 - 30:02
    It’s essentially a thing that can
    interfere with TCP/IP and it can do things
  • 30:02 - 30:07
    like corrupt file downloads. So if you
    imagine the Great Firewall of China,
  • 30:07 - 30:10
    so-called – that’s for the whole planet.
  • 30:10 - 30:14
    So if the NSA wanted to tomorrow, they
    could kill every anonymity system
  • 30:14 - 30:20
    that exists by just forcing everyone who
    connects to an anonymity system to reset
  • 30:20 - 30:25
    just the same way that the Chinese do
    right now in China with the Great Firewall
  • 30:25 - 30:29
    of China. So that’s like the NSA builds
    the equivalent of the Great Firewall
  • 30:29 - 30:34
    of Earth. That’s, to me that’s
    a really scary, heavy-handed thing,
  • 30:34 - 30:39
    and I’m sure they only use it for good.
    clears throat
  • 30:39 - 30:45
    But, yeah. Back here in reality that to
    me is a really scary thing, especially
  • 30:45 - 30:49
    because one of the ways that they are able
    to have this capability, as I mentioned,
  • 30:49 - 30:53
    is these diodes. So what that suggests
    is that they actually repurpose
  • 30:53 - 30:56
    other people’s machines in order to
    reposition and to gain a capability
  • 30:56 - 31:01
    inside of an area where they actually
    have no legitimacy inside of that area.
  • 31:01 - 31:07
    That to me suggests it is not only
    heavy-handed, that they have probably some
  • 31:07 - 31:12
    tools to do that. You see where I’m going
    with this. Well, QUANTUMINSERTION,
  • 31:12 - 31:16
    this is also an important point, because
    this is what was used against Belgacom,
  • 31:16 - 31:22
    this is what’s used by a whole number of
    unfortunately players in the game where
  • 31:22 - 31:26
    basically what they do is they inject
    a packet. So you have a TCP connection,
  • 31:26 - 31:30
    Alice wants to talk to Bob, and for some
    reason Alice and Bob have not heard
  • 31:30 - 31:35
    about TLS. Alice sends an HTTP
    request to Bob. Bob is Yahoo.
  • 31:35 - 31:41
    NSA loves Yahoo. And basically they
    inject a packet which will get to Alice
  • 31:41 - 31:44
    before Yahoo is able to respond, right?
    And the thing is that if that was a
  • 31:44 - 31:49
    TLS connection, the man-on-the-side
    attack would not succeed.
  • 31:49 - 31:53
    That’s really key. If they were using TLS,
    the man-on-the-side attack could at best,
  • 31:53 - 31:56
    as far as we understand it at the moment,
    they could tear down the TLS session but
  • 31:56 - 32:00
    they couldn’t actually actively inject.
    So that’s a man-on-the-side attack.
  • 32:00 - 32:05
    We can end that attack with TLS.
    When we deploy TLS everywhere
  • 32:05 - 32:10
    then we will end that kind of attack. So
    there was a joke, you know, when you
  • 32:10 - 32:13
    download .mp3s, you ride with communism
    – from the ’90s, some of you may
  • 32:13 - 32:19
    remember this. When you bareback with
    the internet, you ride with the NSA.
  • 32:19 - 32:24
    applause
  • 32:24 - 32:29
    Or you’re getting a ride, going for
    a ride. So the TAO infrastructure,
  • 32:29 - 32:33
    Tailored Access and Operations. Some
    of the FOXACID URLs are public.
  • 32:33 - 32:38
    FOXACID is essentially like a watering
    hole type of attack where you go to,
  • 32:38 - 32:44
    you go to a URL. QUANTUMINSERT
    puts like an iframe or puts some code
  • 32:44 - 32:47
    in your web browser, which you then
    execute, which then causes you to
  • 32:47 - 32:51
    load resources. One of the resources that
    you load while you’re loading CNN.com,
  • 32:51 - 32:55
    for example, which is one of their
    examples, they – you like that, by the way?
  • 32:55 - 32:59
    So, you know, that’s an extremist site. So
    coughs
  • 32:59 - 33:03
    you might have heard about that. A lot of
    Republicans in the United States read it.
  • 33:03 - 33:08
    So – right before they wage
    illegal imperialist wars. So,
  • 33:08 - 33:13
    the point is that you go to a FOXACID
    server and it basically does a survey
  • 33:13 - 33:18
    of your box and decides if it can break
    into it or not, and then it does.
  • 33:18 - 33:22
    Yep, that’s basically it. And the FOXACID
    URLs, a few of them are public.
  • 33:22 - 33:27
    Some of the details about that have been
    made public, about how the structure
  • 33:27 - 33:31
    of the URLs are laid out and so on.
    An important detail is that they pretend
  • 33:31 - 33:34
    that they’re Apache, but they actually
    do a really bad job. So they’re
  • 33:34 - 33:38
    like Hacking Team, maybe it’s the same
    guys, I doubt it though, the NSA wouldn’t
  • 33:38 - 33:44
    slum with scumbags like that, but…
    Basically you can tell, you can find them,
  • 33:44 - 33:48
    because they aren’t really Apache servers.
    They pretend to be, something else.
  • 33:48 - 33:51
    The other thing is that none of their
    infrastructure is in the United States.
  • 33:51 - 33:56
    So, real quick anonymity question. You
    have a set of things and you know that
  • 33:56 - 34:02
    a particular attacker never comes from one
    place. Every country on the planet
  • 34:02 - 34:06
    potentially, but never one place. The
    one place where most of the internet is.
  • 34:06 - 34:10
    What does that tell you in terms of
    anonymity? It tells you usually that
  • 34:10 - 34:15
    they’re hiding something about that one
    place. Maybe there’s a legal requirement
  • 34:15 - 34:19
    for this. It’s not clear to me. But what
    is totally clear to me is that if you see
  • 34:19 - 34:23
    this type of infrastructure and it is not
    in the United States, there is a chance,
  • 34:23 - 34:28
    especially today, that it’s the NSA’s
    Tailored Access and Operations division.
  • 34:28 - 34:34
    And here’s an important point. When the
    NSA can’t do it, they bring in GCHQ.
  • 34:34 - 34:39
    So, for example, for targeting certain
    Gmail selectors, they can’t do it.
  • 34:39 - 34:43
    And in the documents we released today,
    we show that they say: “If you have
  • 34:43 - 34:47
    a partner agreement form and you need to
    target, there are some additional selectors
  • 34:47 - 34:51
    that become available should you
    need them”. So when we have a limit
  • 34:51 - 34:55
    of an intelligence agency in the United
    States, or here in Germany or
  • 34:55 - 34:59
    something like this, we have to recognize
    that information is a currency
  • 34:59 - 35:03
    in an unregulated market. And these
    guys, they trade that information, and
  • 35:03 - 35:08
    one of the ways they trade that is like
    this. And they love Yahoo.
  • 35:08 - 35:15
    So, little breather?
  • 35:15 - 35:19
    It’s always good to make fun of
    the GCHQ with Austin Powers!
  • 35:19 - 35:22
    laughter
    Okay. Another classified document here.
  • 35:22 - 35:27
    That’s actual NSA OpenOffice or Powerpoint
    clip art of their horrible headquarters
  • 35:27 - 35:31
    that you see in every news story, I can’t
    wait to see a different photo of the NSA
  • 35:31 - 35:38
    someday. But you’ll notice right here they
    explain how QUANTUM works. Now SSO is
  • 35:38 - 35:43
    a Special Source Operations site. So
    you’ve seen U.S. embassies? Usually
  • 35:43 - 35:46
    the U.S. embassy has dielectric panels on
    the roof, that’s what we showed in Berlin,
  • 35:46 - 35:52
    it was called “DAS NEST” on the cover
    of ‘Der Spiegel’. That’s an SSO site.
  • 35:52 - 35:56
    So they see that this type of stuff is
    taking place, they do an injection and
  • 35:56 - 36:02
    they try to beat the Yahoo packet back.
    Now another interesting point is
  • 36:02 - 36:08
    that for the Yahoo packet to be beaten,
    the NSA must impersonate Yahoo.
  • 36:08 - 36:11
    This is a really important detail because
    what it tells us is that they are
  • 36:11 - 36:16
    essentially conscripting Yahoo and saying
    that they are Yahoo. So they are
  • 36:16 - 36:21
    impersonating a U.S. company
    to a U.S. company user
  • 36:21 - 36:25
    and they are not actually supposed
    to be in this conversation at all.
  • 36:25 - 36:29
    And when they do it, then they of course
    – basically if you’re using Yahoo,
  • 36:29 - 36:33
    you’re definitely going to get owned. So
    – and I don’t just mean that in that
  • 36:33 - 36:37
    Yahoo is vulnerable, they are, but
    I mean people that use Yahoo tend to
  • 36:37 - 36:40
    – maybe it’s a bad generalization,
    but, you know – they’re not the most
  • 36:40 - 36:43
    security-conscious people on the planet,
    they don’t keep their computers up to date,
  • 36:43 - 36:47
    I’m guessing, and that’s probably why
    they love Yahoo so much. They also love
  • 36:47 - 36:51
    CNN.com, which is some other… I don’t know
    what that says, it’s like a sociological
  • 36:51 - 36:57
    study of compromise. But that’s an
    important detail. So the SSO site sniffs
  • 36:57 - 37:00
    and then they do some injection, they
    redirect you to FOXACID. That’s for
  • 37:00 - 37:04
    web browser exploitation. They obviously
    have other exploitation techniques.
  • 37:04 - 37:09
    Okay. So now. We all know
    that cellphones are vulnerable.
  • 37:09 - 37:14
    Here’s an example. This is a base station
  • 37:14 - 37:18
    that the NSA has that, I think it’s the
    first time ever anyone’s ever revealed
  • 37:18 - 37:22
    an NSA IMSI catcher. So, here it is.
    Well, actually the second time, because
  • 37:22 - 37:25
    ‘Der Spiegel’ did it this morning.
    But you know what I mean.
  • 37:25 - 37:30
    applause
  • 37:30 - 37:35
    So they call it ‘Find, Fix and
    Finish targeted handset users’.
  • 37:35 - 37:39
    Now it’s really important to understand
    when they say “targeting” you would think
  • 37:39 - 37:43
    ‘massive collection’, right? Because what
    are they doing? They’re pretending to be
  • 37:43 - 37:49
    a base station. They want to overpower.
    They want to basically be the phone
  • 37:49 - 37:52
    that you connect to… or the phone system
    that you connect to. And that means
  • 37:52 - 37:55
    lots of people are going to connect
    potentially. So it’s not just one
  • 37:55 - 37:59
    targeted user. So hopefully they have it
    set up so that if you need to dial 911,
  • 37:59 - 38:03
    or here in Europe 112 – you know,
    by the way, if you ever want to find
  • 38:03 - 38:06
    one of these things try to call different
    emergency numbers and note which ones
  • 38:06 - 38:10
    route where. Just as a little detail.
    Also note that sometimes if you go
  • 38:10 - 38:14
    to the Ecuadorian embassy you will receive
    a welcome message from Uganda Telecom.
  • 38:14 - 38:19
    Because the British when they deployed
    the IMSI catcher against Julian Assange
  • 38:19 - 38:23
    at the Ecuadorian embassy made the mistake
    of not reconfiguring the spy gear they [had]
  • 38:23 - 38:27
    deployed in Uganda [before]
    when they deployed in London.
  • 38:27 - 38:33
    applause
  • 38:33 - 38:38
    And this can be yours
    for only US$ 175.800.
  • 38:38 - 38:43
    And this covers GSM and PCS and
    DCS and a bunch of other stuff.
  • 38:43 - 38:47
    So basically if you use a cell phone
    – forget it. It doesn’t matter
  • 38:47 - 38:51
    what you’re doing. The exception may
    be Cryptophone and Redphone. In fact
  • 38:51 - 38:55
    I’d like to just give a shoutout to the
    people who work on free software, and
  • 38:55 - 38:58
    software which is actually secure. Like
    Moxie Marlinspike – I’m so sorry I mention
  • 38:58 - 39:02
    your name in my talk, but don’t worry,
    your silence won’t protect you!
  • 39:02 - 39:05
    I think it’s really important to know
    Moxie is one of the very few people
  • 39:05 - 39:08
    in the world who builds technologies that
    is both free and open source, and
  • 39:08 - 39:13
    as far as I can tell he refuses to do
    anything awful. No backdoors or anything.
  • 39:13 - 39:18
    And from what I can tell this proves
    that we need things like that.
  • 39:18 - 39:22
    This is absolutely necessary because they
    replace the infrastructure we connect to.
  • 39:22 - 39:26
    It’s like replacing the road that we would
    walk on, and adding tons of spy gear.
  • 39:26 - 39:30
    And they do that too,
    we’ll get to that. Okay.
  • 39:30 - 39:34
    So I’m gonna go a little quick through
    these because I think it’s better that you
  • 39:34 - 39:37
    go online and you adjust. And I wanna
    have a little bit of time for questions.
  • 39:37 - 39:41
    But basically here’s an example of how
    even if you disable a thing the thing is
  • 39:41 - 39:45
    not really disabled. So if you have a WiFi
    card in your computer the SOMBERKNAVE
  • 39:45 - 39:51
    program, which is another classified
    document here, they basically repurpose
  • 39:51 - 39:55
    your WiFi gear. They say: “You’re not
    using that WiFi card? We’re gonna scan
  • 39:55 - 39:58
    for WiFi nearby, we’re gonna exfiltrate
    data by finding an open WiFi network
  • 39:58 - 40:01
    and we’re gonna jump on it”. So
    they’re actually using other people’s
  • 40:01 - 40:05
    wireless networks in addition to having
    this stuff in your computer. And this is
  • 40:05 - 40:11
    one of the ways they beat a so-called
    air-gapped target computer.
  • 40:11 - 40:14
    Okay, so here’s some of the software
    implants. Now we’re gonna name a bunch
  • 40:14 - 40:19
    of companies because – fuck those guys
    basically, for collaborating when they do,
  • 40:19 - 40:23
    and fuck them for leaving us
    vulnerable when they do.
  • 40:23 - 40:26
    applause
  • 40:26 - 40:30
    And I mean that in the most loving way
    because some of them are victims, actually.
  • 40:30 - 40:33
    It’s important to note that we don’t
    yet understand which is which.
  • 40:33 - 40:37
    So it’s important to name them, so that
    they have to go on record, and so that
  • 40:37 - 40:40
    they can say where they are, and so
    that they can give us enough rope
  • 40:40 - 40:44
    to hang themselves. I really want that to
    happen because I think it’s important
  • 40:44 - 40:48
    to find out who collaborated and who
    didn’t collaborate. In order to have truth
  • 40:48 - 40:52
    and reconciliation we need to start with
    a little of truth. So STUCCOMONTANA
  • 40:52 - 40:56
    is basically BadBIOS if you guys have
    heard about that. I feel very bad
  • 40:56 - 40:59
    for Dragos, he doesn’t really talk to me
    right now. I think he might be kinda mad.
  • 40:59 - 41:05
    But after I was detained – by the
    US Army on US soil, I might add –
  • 41:05 - 41:08
    they took a phone from me. Now it
    shouldn’t matter but it did. They also
  • 41:08 - 41:11
    I think went after all my phone records so
    they didn’t need to take the phone. But
  • 41:11 - 41:14
    for good measure, they just wanted
    to try to intimidate me which is exactly
  • 41:14 - 41:20
    the wrong thing to do to me. But as he
    told the story after that happened
  • 41:20 - 41:23
    all of his computers including his Xbox
    were compromised. And he says
  • 41:23 - 41:28
    even to this day that some of those things
    persist. And he talks about the BIOS.
  • 41:28 - 41:33
    Here’s a document that shows clearly
    that they actually re-flash the BIOS
  • 41:33 - 41:37
    and they also have other techniques
    including System Management Mode
  • 41:37 - 41:42
    related rootkits and that they have
    persistence inside of the BIOS.
  • 41:42 - 41:46
    It’s an incredibly important point. This
    is evidence that the thing that Dragos
  • 41:46 - 41:50
    talked about, maybe he doesn’t
    have it, but it really does exist.
  • 41:50 - 41:55
    Now the question is how would he find it?
    We don’t have the forensics tools yet.
  • 41:55 - 41:58
    We don’t really have the capabilities
    widely deployed in the community
  • 41:58 - 42:02
    to be able to know that, and to be
    able to find it. Here’s another one.
  • 42:02 - 42:07
    This one’s called SWAP. In this case it
    replaces the Host Protected Area
  • 42:07 - 42:12
    of the hard drive, and you can see a
    little graph where there’s target systems,
  • 42:12 - 42:15
    you see the internet, Interactive OPS, so
    they’ve got like a guy who is hacking you
  • 42:15 - 42:19
    in real time, the People’s
    Liberation Army… uh, NSA! And…
  • 42:19 - 42:22
    laughter
    And you can see all of these different
  • 42:22 - 42:25
    things about it. Each one of these things,
    including SNEAKERNET, these are
  • 42:25 - 42:30
    different programs, most of which we
    revealed today in ‘Der Spiegel’.
  • 42:30 - 42:33
    But you’ll notice that it’s Windows,
    Linux, FreeBSD and Solaris.
  • 42:33 - 42:38
    How many Al Qaeda people
    use Solaris, do you suppose?
  • 42:38 - 42:42
    This tells you a really important point.
    They are interested in compromising
  • 42:42 - 42:47
    the infrastructure of systems,
    not just individual people.
  • 42:47 - 42:50
    They want to take control and
    literally colonize those systems
  • 42:50 - 42:55
    with these implants. And that’s not part
    of the discussion. People are not talking
  • 42:55 - 43:00
    about that because they don’t know about
    that yet. But they should. Because
  • 43:00 - 43:04
    in addition to the fact that Sun is a U.S.
    company which they are building
  • 43:04 - 43:08
    capabilities against – that to me, really,
    it really bothers me; I can’t tell you
  • 43:08 - 43:11
    how much that bothers me – we also
    see that they’re attacking Microsoft,
  • 43:11 - 43:14
    another U.S. company, and Linux and
    FreeBSD, where there are a lot of people
  • 43:14 - 43:16
    that are building it from all around the
    world. So they’re attacking not only
  • 43:16 - 43:19
    collective efforts and corporate
    efforts, but basically every option
  • 43:19 - 43:25
    you possibly can, from end users
    down to telecom core things.
  • 43:25 - 43:29
    Here’s another one, DEITYBOUNCE.
    This is for Dell,
  • 43:29 - 43:34
    so Dell PowerEdge 1850,
    2850, 1950, 2950…
  • 43:34 - 43:38
    RAID servers using any of the
    following BIOS versions. Right?
  • 43:38 - 43:42
    So just in case you’re wondering, hey
    Dell, why is that? Curious about that.
  • 43:42 - 43:46
    Love to hear your statements about it.
    So if you write YARA sigs [signatures]
  • 43:46 - 43:50
    and you’re interested in looking
    for NSA malware, look for things
  • 43:50 - 43:55
    that use RC6, so look for the constants
    that you might find in RC6.
  • 43:55 - 44:00
    And when they run, if they emit UDP
    traffic – we’ve actually seen a sample
  • 44:00 - 44:04
    of this but we were not able
    to capture it, sadly, but
  • 44:04 - 44:08
    emitting UDP traffic that is encrypted.
    You know, people that I’ve worked with
  • 44:08 - 44:11
    on things related to this, they’ve even,
    they’ve had their house black bagged.
  • 44:11 - 44:14
    They’ve had pretty bad stuff happen
    to them. That’s their story to tell.
  • 44:14 - 44:19
    But one of the interesting details is
    that after those events occurred,
  • 44:19 - 44:24
    these types of things were seen. Ben
    has a really bad idea for those guys,
  • 44:24 - 44:27
    I might add, because I wouldn’t have put
    this slide in if that had not occurred.
  • 44:27 - 44:30
    But if you want to look for it, you’ll
    find it. I know some people that have
  • 44:30 - 44:34
    looked with YARA sigs and they have
    in fact found things related to this,
  • 44:34 - 44:37
    so I suspect a lot of malware researchers
    in the near future are going to have
  • 44:37 - 44:41
    a lot of stuff to say about this
    particular slide. I’ll leave that to them.
  • 44:41 - 44:45
    I think it’s very important to go looking
    for these things, especially to find out
  • 44:45 - 44:50
    who is victimized by them. Here’s an
    iPhone back door.
  • 44:50 - 44:56
    So DROPOUTJEEP, so
    you can see it right there.
  • 44:56 - 45:01
    So, SMS, contact list retrieval,
    voicemail, hot microphone,
  • 45:01 - 45:07
    camera capture, cell tower location. Cool.
    Do you think Apple helped them with that?
  • 45:07 - 45:10
    I don’t know. I hope Apple will clarify
    that. I think it’s really important
  • 45:10 - 45:14
    that Apple doesn’t. Here’s
    a problem. I don’t really believe
  • 45:14 - 45:18
    that Apple didn’t help them. I can’t
    prove it yet, but they literally claim
  • 45:18 - 45:24
    that any time they target an iOS device,
    that it will succeed for implantation.
  • 45:24 - 45:29
    Either they have a huge collection of
    exploits that work against Apple products,
  • 45:29 - 45:32
    meaning that they are hoarding
    information about critical systems that
  • 45:32 - 45:35
    American companies produce
    and sabotaging them,
  • 45:35 - 45:40
    or Apple sabotaged it themselves.
    Not sure which one it is!
  • 45:40 - 45:43
    I’d like to believe that since Apple
    didn’t join the PRISM program until
  • 45:43 - 45:50
    after Steve Jobs died that maybe it’s
    just that they write shitty software.
  • 45:50 - 45:53
    We know that’s true!
    laughter
  • 45:53 - 45:58
    applause
  • 45:58 - 46:02
    Here’s a HVT, high-value target.
    This is a high-value target
  • 46:02 - 46:06
    being targeted with a back door for
    Windows CE Thuraya phones.
  • 46:06 - 46:11
    So if you have a Thuraya phone and you’re
    wondering if it was secure – yeah maybe.
  • 46:11 - 46:15
    Good luck! Here’s one where they
    replaced the hard drive firmware.
  • 46:15 - 46:19
    There was a talk at OHM this year
    [OHM2013] where a guy talked about
  • 46:19 - 46:23
    replacing hard drive firmware.
    You were onto something.
  • 46:23 - 46:26
    You were really onto something. Whoever
    you are, you were onto something.
  • 46:26 - 46:30
    Because the NSA has a program here,
    IRATEMONK, and that’s exactly
  • 46:30 - 46:33
    what they do. They replace the firmware
    in the hard drive, so it doesn’t matter
  • 46:33 - 46:37
    if you reformat the hard drive, you’re
    done. The firmware itself can do
  • 46:37 - 46:42
    a whole bunch of stuff. So. Here are
    the names of the hard drive companies
  • 46:42 - 46:47
    were it works: Western Digital, Seagate,
    Maxtor and Samsung, and of course
  • 46:47 - 46:52
    they support FAT, NTFS, EXT3 and UFS.
    They probably now have support for
  • 46:52 - 46:56
    additional file systems, but this is
    what we can prove. Please note
  • 46:56 - 47:01
    at the bottom left and the bottom right:
    “Status: Released and Deployed.
  • 47:01 - 47:06
    Ready for Immediate Delivery”.
    And: “Unit Cost: $0”.
  • 47:06 - 47:12
    It’s free! No, you can’t get it.
    It’s not free as in free software.
  • 47:12 - 47:15
    It’s free as in “You’re owned!”.
    laughter
  • 47:15 - 47:20
    applause
  • 47:20 - 47:23
    I want to give a shoutout to Karsten Nohl
    and Luca [Luca Melette] for their
  • 47:23 - 47:26
    incredible talk where they showed this
    exact attack without knowing that
  • 47:26 - 47:31
    they had found it. Right?
    They say – yeah, absolutely.
  • 47:31 - 47:35
    applause
  • 47:35 - 47:39
    Important point. The NSA says that when
    they know about these things, that
  • 47:39 - 47:42
    nobody will come to harm, no one will be
    able to find them, they’ll never be able
  • 47:42 - 47:47
    to be exploited by another third party.
    Karsten found this exact vulnerability.
  • 47:47 - 47:52
    They were able to install a Java applet on
    the SIM card without user interaction,
  • 47:52 - 47:55
    and it was based on the service provider’s
    security configuration, which is exactly
  • 47:55 - 47:59
    what the NSA says here, and they talk
    about attacking the same toolkit
  • 47:59 - 48:03
    inside of the phone; and Karsten
    found the same vulnerability
  • 48:03 - 48:07
    and attacked it in the wild. This
    is perfect evidence, not only of
  • 48:07 - 48:11
    how badass Karsten and Luca are
    – they are, no question – but also about
  • 48:11 - 48:16
    how wrong the NSA is with this balance.
    Because for every Karsten and Luca, there
  • 48:16 - 48:21
    are hundreds of people who are paid to do
    this full-time and never tell us about it.
  • 48:21 - 48:29
    applause
  • 48:29 - 48:33
    Important detail. Do you see that
    ‘interdiction’ phrase right there?
  • 48:33 - 48:36
    “Through remote access” – in other
    words, we broke into your computer –
  • 48:36 - 48:40
    “or interdiction” – in other words,
    we stole your fucking mail. Now.
  • 48:40 - 48:43
    This is a really important point. We
    all have heard about these paranoid
  • 48:43 - 48:46
    crazy people talking about people breaking
    into their houses – that’s happened to me
  • 48:46 - 48:50
    a number of times – motherfuckers,
    getting you back – it’s really important
  • 48:50 - 48:53
    to understand this process is
    one that threatens all of us.
  • 48:53 - 48:59
    The sanctity of the postal system
    has been violated. I mean – whoa!
  • 48:59 - 49:02
    God, it makes me so angry, you know?
    You can’t even send a letter without
  • 49:02 - 49:06
    being spied on, but even worse that they
    tamper with it! It’s not enough that
  • 49:06 - 49:11
    the U.S. Postal Service records all
    of this information and keeps it
  • 49:11 - 49:14
    – that’s not enough. They also have to
    tamper with the packages! So every time
  • 49:14 - 49:18
    you buy from Amazon, for example, every
    time you buy anything on the internet,
  • 49:18 - 49:22
    there is the possibility that they will
    actually take your package and change it.
  • 49:22 - 49:25
    One of the ways that I’ve heard that they
    change it is that they will actually
  • 49:25 - 49:30
    take the case of your computer and they
    will injection mold a hardware back door
  • 49:30 - 49:34
    into the case of the computer.
    So that even if you were to look
  • 49:34 - 49:37
    at the motherboard or have it serviced,
    you would not see this. It merely
  • 49:37 - 49:42
    just needs to be in the proximity
    of the motherboard. So.
  • 49:42 - 49:47
    Let’s talk about hardware implants
    that they will put into your devices.
  • 49:47 - 49:52
    Here’s one. This is called BULLDOZER.
    It’s a PCI bus hardware implant.
  • 49:52 - 49:56
    Pretty scary, doesn’t look so great,
    but let’s go on a little bit. Okay?
  • 49:56 - 49:59
    Here’s one where they actually exploit
    the BIOS and System Management Mode.
  • 49:59 - 50:02
    There’s a big graph that shows all of
    these various different interconnections,
  • 50:02 - 50:06
    which is important. Then they talk about
    the long-range comms, INMARSAT, VSAT,
  • 50:06 - 50:10
    NSA MEANS and Future Capabilities. I think
    NSA MEANS exists. Future Capabilities
  • 50:10 - 50:15
    seems self-explanatory. “This
    hardware implant provides
  • 50:15 - 50:20
    2-way RF communication.” Interesting.
    So you disable all the wireless cards,
  • 50:20 - 50:23
    whatever you need. There you go.
    They just added a new one in there and
  • 50:23 - 50:28
    you don’t even know. Your system has no
    clue about it. Here’s a hardware back door
  • 50:28 - 50:32
    which uses the I2C interface, because
    no one in the history of time
  • 50:32 - 50:35
    other than the NSA probably has ever
    used it. That’s good to know that finally
  • 50:35 - 50:41
    someone uses I2C for something
    – okay, other than fan control. But,
  • 50:41 - 50:44
    look at that! It’s another American
    company that they are sabotaging.
  • 50:44 - 50:48
    They understand that HP’s servers
    are vulnerable, and they decided,
  • 50:48 - 50:53
    instead of explaining that this is
    a problem, they exploit it. And IRONCHEF,
  • 50:53 - 50:57
    through interdiction, is one of
    the ways that they will do that.
  • 50:57 - 51:02
    So I wanna really harp on this. Now it’s
    not that I think European companies
  • 51:02 - 51:07
    are worth less. I suspect especially
    after this talk that won’t be true,
  • 51:07 - 51:10
    in the literal stock sense, but I don’t
    know. I think it’s really important
  • 51:10 - 51:14
    to understand that they are sabotaging
    American companies because of the
  • 51:14 - 51:18
    so-called home-field advantage. The
    problem is that as an American who writes
  • 51:18 - 51:22
    software, who wants to build hardware
    devices, this really chills my expression
  • 51:22 - 51:25
    and it also gives me a problem, which
    is that people say: “Why would I use
  • 51:25 - 51:30
    what you’re doing? You know,
    what about the NSA?”
  • 51:30 - 51:35
    Man, that really bothers me.
    I don’t deserve the Huawei taint,
  • 51:35 - 51:39
    and the NSA gives it. And President
    Obama’s own advisory board
  • 51:39 - 51:44
    that was convened to understand the scope
    of these things has even agreed with me
  • 51:44 - 51:48
    about this point, that this should not be
    taking place, that hoarding of zero-day
  • 51:48 - 51:53
    exploits cannot simply happen without
    thought processes that are reasonable
  • 51:53 - 51:58
    and rational and have an economic and
    social valuing where we really think about
  • 51:58 - 52:03
    the broad-scale impact. Now.
    I’m gonna go on to a little bit more.
  • 52:03 - 52:07
    Here’s where they attack SIM cards. This
    is MONKEYCALENDAR. So it’s actually
  • 52:07 - 52:12
    the flow chart of how this would work.
    So in other words, they told you all of
  • 52:12 - 52:17
    the ways in which you should be certainly,
    you know, looking at this. So if you ever
  • 52:17 - 52:22
    see your handset emitting encrypted SMS
    that isn’t Textsecure, you now have
  • 52:22 - 52:27
    a pretty good idea that it might be this.
    Here’s another example. If you have
  • 52:27 - 52:34
    a computer in front of you… I highly
    encourage you to buy the Samsung SGH-X480C
  • 52:34 - 52:39
    – that’s the preferred phone of the NSA
    for attacking another person’s phone.
  • 52:39 - 52:43
    I’m not exactly sure why, but an important
    point is, they add the back door, then
  • 52:43 - 52:48
    they send an SMS from a regular phone
    – what does that tell you? What does that
  • 52:48 - 52:52
    tell you about the exploitation process?
    It tells you that it’s actually something
  • 52:52 - 52:55
    which is pretty straightforward,
    pretty easy to do, doesn’t require
  • 52:55 - 52:59
    specialized access to the telecoms once
    they’ve gotten your phone compromised.
  • 52:59 - 53:03
    That to me suggests that other people
    might find it, other people might use
  • 53:03 - 53:07
    these techniques. Okay, here’s a USB
    hardware implant called COTTONMOUTH.
  • 53:07 - 53:11
    We released this in ‘Spiegel’ today as
    well. See the little red parts. It will
  • 53:11 - 53:14
    provide a wireless bridge onto the
    target network with the ability to load
  • 53:14 - 53:19
    exploit software. Here’s a little bit of
    extra details about that. It actually
  • 53:19 - 53:23
    shows the graph at the bottom, how they do
    this, how they get around, how they beat
  • 53:23 - 53:27
    the air gap with these things. And they
    talk a bit about being GENIE compliant.
  • 53:27 - 53:32
    So GENIE, and for the rest of these
    programs, these are – like DROPOUTJEEP
  • 53:32 - 53:36
    is part of the CHIMNEYPOOL programs,
    and COTTONMOUTH is part of the rest of
  • 53:36 - 53:41
    these programs over here. These are huge
    programs where they’re trying to beat
  • 53:41 - 53:45
    a whole bunch of different adversaries,
    and different capabilities are required.
  • 53:45 - 53:49
    And this is one of the probably I think
    more interesting ones, but here’s
  • 53:49 - 53:53
    the next revision of it where it’s in a
    USB plug, not actually in the cable.
  • 53:53 - 53:58
    And look, 50 units for US$ 200,000.
    It’s really cheap.
  • 53:58 - 54:04
    You like my editorializing there, I hope?
    So, $200,000, okay.
  • 54:04 - 54:09
    And here’s where you look for it. If you
    happen to have an x-ray machine,
  • 54:09 - 54:14
    look for an extra chip. And that’s
    a HOWLERMONKEY radiofrequency transmitter.
  • 54:14 - 54:19
    Well what’s a HOWLERMONKEY? We’ll
    talk about that in a second, but basically
  • 54:19 - 54:24
    this is for ethernet, here. This is the
    FIREWALK. It can actually do injection
  • 54:24 - 54:27
    bidirectionally on the ethernet controller
    into the network that it’s sitting on.
  • 54:27 - 54:30
    So it doesn’t even have to do things
    directly to the computer. It can actually
  • 54:30 - 54:34
    inject packets directly into the network,
    according to the specification sheet,
  • 54:34 - 54:39
    which we released today on
    Der Spiegel’s website. As it says,
  • 54:39 - 54:44
    ‘active injection of ethernet packets onto
    the target network’. Here’s another one
  • 54:44 - 54:50
    from Dell with an actual FLUXBABBITT
    hardware implant for the PowerEdge 2950.
  • 54:50 - 54:55
    This uses the JTAG debugging interface
    of the server. Why did Dell leave
  • 54:55 - 55:00
    a JTAG debugging interface on these
    servers? Interesting, right? Because,
  • 55:00 - 55:04
    it’s like leaving a vulnerability in. Is
    that a bug door or a back door or
  • 55:04 - 55:09
    just a mistake? Well hopefully they will
    change these things or at least make it so
  • 55:09 - 55:13
    that if you were to see this you would
    know that you had some problems.
  • 55:13 - 55:16
    Hopefully Dell will release some
    information about how to mitigate
  • 55:16 - 55:20
    this advanced persistent threat. Right?
    Everything that the U.S. Government
  • 55:20 - 55:25
    accuse the Chinese of doing – which they
    are also doing, I believe – we are learning
  • 55:25 - 55:31
    that the U.S. Government has been doing to
    American companies. That to me is really
  • 55:31 - 55:35
    concerning, and we’ve had no public debate
    about these issues, and in many cases
  • 55:35 - 55:39
    all the technical details are obfuscated
    away and they are just completely
  • 55:39 - 55:43
    outside of the purview of discussions. In
    this case we learn more about Dell, and
  • 55:43 - 55:47
    which models. And here’s the HOWLERMONKEY.
    These are actually photographs
  • 55:47 - 55:53
    of the NSA implanted chips that they
    have when they steal your mail.
  • 55:53 - 55:56
    So after they steal your mail they put
    a chip like this into your computer.
  • 55:56 - 56:00
    So the one, the FIREWALK
    one is the ethernet one, and
  • 56:00 - 56:05
    that’s an important one. You probably will
    notice that these look pretty simple,
  • 56:05 - 56:10
    common off-the-shelf parts. So.
  • 56:10 - 56:16
    Whew! All right. Who here
    is surprised by any of this?
  • 56:16 - 56:21
    waits for audience reaction
    I’m really, really, really glad to see
  • 56:21 - 56:25
    that you’re not all cynical fuckers and
    that someone here would admit
  • 56:25 - 56:30
    that they were surprised. Okay, who
    here is not surprised? waits
  • 56:30 - 56:35
    I’m going to blow your fucking mind!
    laughter
  • 56:35 - 56:39
    Okay. We all know about TEMPEST,
    right? Where the NSA pulls data
  • 56:39 - 56:42
    out of your computer, irradiate stuff
    and then grab it, right? Everybody
  • 56:42 - 56:44
    who raised their hand and said they’re
    not surprised, you already knew
  • 56:44 - 56:49
    about TEMPEST, right?
    Right? Okay. Well.
  • 56:49 - 56:53
    What if I told you that the NSA had
    a specialized technology for beaming
  • 56:53 - 56:58
    energy into you and to the computer
    systems around you, would you believe
  • 56:58 - 57:01
    that that was real or would that be
    paranoid speculation of a crazy person?
  • 57:01 - 57:05
    laughter
    Anybody? You cynical guys
  • 57:05 - 57:08
    holding up your hand saying that you’re
    not surprised by anything, raise your hand
  • 57:08 - 57:12
    if you would be unsurprised by that.
    laughter
  • 57:12 - 57:17
    Good. And it’s not the same number.
    It’s significantly lower. It’s one person.
  • 57:17 - 57:24
    Great. Here’s what they do with those
    types of things. That exists, by the way.
  • 57:24 - 57:30
    When I told Julian Assange about this, he
    said: “Hmm. I bet the people who were
  • 57:30 - 57:34
    around Hugo Chavez are going to wonder
    what caused his cancer.” And I said:
  • 57:34 - 57:37
    “You know, I hadn’t considered that. But,
    you know, I haven’t found any data
  • 57:37 - 57:43
    about human safety about these tools.
    Has the NSA performed tests where they
  • 57:43 - 57:48
    actually show that radiating people
    with 1 kW of RF energy
  • 57:48 - 57:51
    at short range is safe?”
    laughter
  • 57:51 - 57:56
    My God! No, you guys think I’m
    joking, right? Well, yeah, here it is.
  • 57:56 - 58:01
    This is a continuous wave generator,
    a continuous wave radar unit.
  • 58:01 - 58:05
    You can detect its use because it’s
    used between 1 and 2 GHz and
  • 58:05 - 58:10
    its bandwidth is up to 45 MHz,
    user adjustable, 2 watts
  • 58:10 - 58:13
    using an internal amplifier. External
    amplifier makes it possible to go
  • 58:13 - 58:19
    up to 1 kilowatt.
  • 58:19 - 58:25
    I’m just gonna let you take that
    in for a moment. clears throat
  • 58:25 - 58:32
    Who’s crazy now?
    laughter
  • 58:32 - 58:35
    Now, I’m being told I only have one
    minute, so I’m going to have to go
  • 58:35 - 58:39
    a little bit quicker. I’m sorry. Here’s
    why they do it. This is an implant
  • 58:39 - 58:44
    called RAGEMASTER. It’s part of the
    ANGRYNEIGHBOR family of tools,
  • 58:44 - 58:47
    laughter
    where they have a small device that they
  • 58:47 - 58:52
    put in line with the cable in your monitor
    and then they use this radar system
  • 58:52 - 58:57
    to bounce a signal – this is not unlike
    the Great Seal bug that [Leon] Theremin
  • 58:57 - 59:01
    designed for the KGB. So it’s good to
    know we’ve finally caught up with the KGB,
  • 59:01 - 59:07
    but now with computers. They
    send the microwave transmission,
  • 59:07 - 59:11
    the continuous wave, it reflects off of
    this chip and then they use this device
  • 59:11 - 59:15
    to see your monitor.
  • 59:15 - 59:21
    Yep. So there’s the full life cycle.
    First they radiate you,
  • 59:21 - 59:24
    then you die from cancer,
    then you… win? Okay, so,
  • 59:24 - 59:30
    here’s the same thing, but this time for
    keyboards, USB and PS/2 keyboards.
  • 59:30 - 59:35
    So the idea is that it’s a data
    retro-reflector. Here’s another thing,
  • 59:35 - 59:38
    but this one, the TAWDRYYARD program, is
    a little bit different. It’s a beacon, so
  • 59:38 - 59:44
    this is where probably then
    they kill you with a drone.
  • 59:44 - 59:49
    That’s pretty scary stuff. They also have
    this for microphones to gather room bugs
  • 59:49 - 59:53
    for room audio. Notice the bottom. It says
    all components are common off the shelf
  • 59:53 - 59:57
    and are so non-attributable to the NSA.
    Unless you have this photograph
  • 59:57 - 60:02
    and the product sheet. Happy hunting!
  • 60:02 - 60:08
    applause
  • 60:08 - 60:12
    And just to give you another idea, this is
    a device they use to be able to actively
  • 60:12 - 60:16
    hunt people down. This is a hunting
    device, right? Handheld finishing tool
  • 60:16 - 60:23
    used for geolocation targeting
    handsets in the field. So!
  • 60:23 - 60:29
    Who was not surprised by this? I’m so
    glad to have finally reached the point
  • 60:29 - 60:33
    where no one raised their hand except
    that one guy who I think misheard me.
  • 60:33 - 60:38
    laughter
    Or you’re brilliant. And
  • 60:38 - 60:41
    please stay in our community
    and work on open research!
  • 60:41 - 60:43
    somebody off mike shouts:
    Audience: Maybe he can add something!
  • 60:43 - 60:47
    Yeah! And if you work for the NSA,
    I’d just like to encourage you
  • 60:47 - 60:52
    to leak more documents!
    laughter
  • 60:52 - 60:58
    applause, cheers
  • 60:58 - 61:05
    applause
  • 61:05 - 61:12
    applause
  • 61:12 - 61:18
    applause, cheers, whistles
  • 61:18 - 61:25
    applause, cheers, whistles, ovation
  • 61:25 - 61:32
    applause, ovation
  • 61:32 - 61:39
    applause, cheers, ovation
  • 61:39 - 61:46
    applause, ovation
  • 61:46 - 61:49
    Herald: Thank you very much, Jake.
  • 61:49 - 61:53
    Thank you. I’m afraid we ran
    all out of time for the Q&A.
  • 61:53 - 61:56
    I’m very sorry for anyone
    who wanted to ask questions.
  • 61:56 - 61:58
    Jacob: But we do have a press conference.
    Well, if you guys… you know,
  • 61:58 - 62:01
    I’d say: “occupy the room for another
    5 minutes”, or… know that there’s
  • 62:01 - 62:04
    a press conference room that will be
    opened up, where we can all ask
  • 62:04 - 62:07
    as many questions as we want,
    in 30 minutes, if you’re interested.
  • 62:07 - 62:11
    And I will basically be available until
    I’m assassinated to answer questions.
  • 62:11 - 62:19
    laughter, applause
    So…
  • 62:19 - 62:22
    in the immortal words of Julian Assange:
    Remember, no matter what happens,
  • 62:22 - 62:26
    even if there’s a videotape of it,
    it was murder! Thank you!
  • 62:26 - 62:30
    Herald: Thank you. Please give a warm
    round of applause to Jake Appelbaum!
  • 62:30 - 62:33
    applause
  • 62:33 - 62:38
    silent postroll
  • 62:38 - 62:42
    Subtitles created by c3subtitles.de
    in the year 2016. Join, and help us!
Title:
Description:

noc test

more » « less
Video Language:
English
Duration:
01:02:42
  • I imported the subtitles from the other incomplete streamdump

  • Looks like they were created via speech recognition and not via the text in the pad

English subtitles

Revisions Compare revisions