Herald: Good morning to this last-minute edition to our “Fahrplan” today. There will probably be time for a few minutes of Q&A in the end, so you can ask questions here or on IRC and Twitter via our Signal Angels. Please welcome Jake Appelbaum, independent journalist, for his talk “To Protect And Infect Part 2”.

[applause]

Jacob: Okay. Alright. Thanks so much for coming so early in the morning. Or maybe not so early in the morning for most of you apparently, since you’ve all been up for more than an hour. But I’m gonna talk today a little bit about some things that we’ve heard about at the conference, and I’m gonna talk a bit about some things that you have probably never heard about in your life and are even worse than your worst nightmares.

So recently we heard a little bit about some of the low-end corporate spying that’s often billed as being sort of like the hottest, most important stuff, so the FinFisher, the HackingTeam, the VUPEN. And sort of in that order it becomes more sophisticated and more and more tied in with the National Security Agency. There are some Freedom of Information Act requests that have gone out that actually show VUPEN being an NSA contractor writing exploits, that there are some ties there. This sort of covers the… sort of… the whole gamut, I believe, which is that, you know, you can buy these like little pieces of forensics hardware. And just as a sort of fun thing I bought some of those and then I looked at how they worked, and I noticed that this ‘Mouse Jiggler’, you plug it in and the idea is that it like keeps your screen awake. So have any of you seen that at all? It’s a piece of forensics hardware so your screensaver doesn’t activate. So I showed it to one of the systemd developers, and now when you plug those into a Linux box that runs systemd, they automatically lock the screen when it sees the USB ID.

[applause]

So when people talk about Free Software, ‘free as in freedom’, that’s part of what they’re talking about. So there are some other things which I’m not going to really talk a lot about, because basically this is all bullshit that doesn’t really matter and we can defeat all of that. These are individualized things we can defend against. But I want to talk a little bit about how it’s not necessarily the case that because they’re not the most fantastic, they’re not the most sophisticated, that therefore we shouldn’t worry about it.
This is Rafael. I met him when I was in Oslo in Norway for the Oslo Freedom Forum, and basically he asked me to look at his computer because he said, “You know, something seems to be wrong with it. I think that there’s something, you know, slowing it down.” And I said: “Well, I’m not going to find anything. I don’t have any tools. We are just going to like sit at the computer…” And I looked at it, and it has to be the lamest back door I’ve ever found. It was basically a very small program that would just run in a loop and take screenshots. And it failed to upload some of the screenshots, and so there were 8 GB of screenshots in his home directory.

[laughter and applause]

And I said, “I’m sorry to break it to you, but I think that you’ve been owned. And… by a complete idiot.”

[laughter]

And he, he, yeah, he was, he was really… actually, he felt really violated, and then he told me what he does, which is he’s an investigative journalist who works with top secret documents all the time, with extreme, extreme operational security to protect his sources. But when it came to computing, J[ournalism] school failed him. And as a result, he was compromised pretty badly. He was not using a specialized operating system like Tails, which if you’re a journalist and you’re not using Tails you should probably be using Tails unless you really know what you’re doing. Apple did a pretty good job at revoking this application, and it was, you know, in theory it stopped, but there are lots of samples from the same group, and this group that did this is tied to a whole bunch of other attacks across the world, actually, which is why it’s connected up there with Operation Hangover. The scary thing, though, is that this summer, after we’d met, he was actually arrested relating to some of these things. And now, as I understand it, he’s out, but, you know, when you mess with a military dictatorship it messes with you back. So even though that’s one of the lamest backdoors, his life is under threat.

So just simple things can cause serious, serious harm to regular people that are working for some kind of truth telling. And that to me is really a big part of my motivation for coming here to talk about what I’m going to talk about next, which is that for every person that we learn about like Rafael, I think there are lots of people we will never learn about, and that’s, to me that’s very scary, and I think we need to bring some transparency, and that’s what we’re going to talk about now. And I really want to emphasize this point. Even though they’re not technically impressive, they are actually still harmful, and that, that is really a key point to drive home. I mean, some of the back doors that I’ve seen are really not sophisticated, they’re not really that interesting, and in some cases they’re common off-the-shelf purchases between businesses, so it’s like business-to-business exploitation software development. I feel like that’s really kind of sad, and I also think we can change this. We can turn this around by exposing it.

So, what’s it all about, though? Fundamentally it’s about control, baby, and that is what we’re going to get into. It’s not just about control of machines. What happened with Rafael is about control of people. And fundamentally when we talk about things like internet freedom and we talk about tactical surveillance and strategic surveillance, we’re talking about control of people through the machinery that they use. And this is a really, I think a really kind of – you know, I’m trying to make you laugh a little bit because what I’m going to show you today is wrist-slitting depressing. So. Part 2, or Act 2 of Part 2.
Basically the NSA, they want to be able to spy on you, and if they have 10 different options for spying on you that you know about, they have 13 ways of doing it and they do all 13. So that’s a pretty scary thing, and basically their goal is to have total surveillance of everything that they’re interested in. So there really is no boundary to what they want to do. There is only sometimes a boundary of what they are funded to be able to do and the amount of things they’re able to do at scale. They seem to just do those things without thinking too much about it. And there are specific tactical things where they have to target a group or an individual, and those things seem limited either by budgets or simply by their time. And as we have released today on Der Spiegel’s website, which it should be live – I just checked, it should be live for everyone here – we actually show a whole bunch of details about their budgets as well as the individuals involved with the NSA and the Tailored Access Operations group in terms of numbers. So it should give you a rough idea showing that there was a small period of time in which the internet was really free and we did not have people from the U.S. military that were watching over it and exploiting everyone on it, and now we see every year that the number of people who are hired to break into people’s computers as part of grand operations, those people are growing day by day, actually. In every year there are more and more people that are allocated, and we see this growth. So that’s the goal: non-attribution, and total surveillance, and they want to do it completely in the dark. The good news is that they can’t.

So, now I’m going to show you a bit about it. But first, before I show you any pictures, I want to sort of give you the big picture from the top down. So there is a planetary strategic surveillance system, and there – well, there are many of them actually. Everything from I think off-planetary surveillance gear, which is probably the National Reconnaissance Office and their satellite systems for surveillance like the Keyhole satellites – these are all things most, for the most part we actually know about these things. They’re on Wikipedia. But I want to talk a little bit more about the internet side of things because I think that’s really fascinating. So part of what we are releasing today with ‘Der Spiegel’, or what has actually been released – just to be clear on the timeline, I’m not disclosing it first, I’m working as an independent journalist summarizing the work that we have already released onto the internet as part of a publication house that went through a very large editorial process in which we redacted all the names of agents and information about those names, including their phone numbers and e-mail addresses.

[applause]

And I should say that I actually think that the laws here are wrong, because they are in favor of an oppressor who is criminal. So when we redact the names of people who are engaged in criminal activity including drone murder, we are actually not doing the right thing, but I believe that we should comply with the law in order to continue to publish, and I think that’s very important.

[applause]

We also redacted the names of victims of NSA surveillance, because we think that there’s a balance. Unfortunately there is a serious problem, which is that the U.S. government asserts that you don’t have standing to prove that you’ve been surveilled unless we release that kind of information, but we don’t want to release that kind of information in case it could be a legitimate target, and we – I’m really uncomfortable with that term, but let’s say that there is a legitimate target, the most legitimate target, and we didn’t want to make that decision. But we did also want to make sure that we didn’t harm someone, but we also wanted to show concrete examples. So if you look at the ‘Spiegel’ stuff online, we redacted the names even of those who were victimized by the NSA’s oppressive tactics, which I think actually goes further than is necessary, but I believe that it strikes the right balance to ensure continued publication and also to make sure that people are not harmed and that legitimate good things, however rare they may be, they are also not harmed. So if you’ve been targeted by the NSA and you would have found out today if we had taken a different decision, I’m really sorry, but this is the thing I think that keeps us alive, so this is the choice that I think is the right choice, and I think it’s also the safest choice for everyone.
So that said, basically the NSA has a giant dragnet surveillance system that they call TURMOIL. TURMOIL is a passive interception system. That passive interception system essentially spans the whole planet. Who here has heard about the Merkel phone incident? Some of you heard about Chancellor Merkel? So we revealed that in ‘Der Spiegel’, and what we found was that they tasked her for surveillance. And I’ll talk a little bit about that later. But basically the way that this works is that they have this huge passive set of sensors; and any data that flows past it, they actually look at it. So there was a time in the past where surveillance meant looking at anything at all. And now the NSA tries to basically twist the words of every person who speaks whatever language they’re speaking in, and they try to say that it’s only surveillance if, after they collect it and record it to a database and analyze it with machines, only if – I think – an NSA agent basically looks at it personally and then clicks “I have looked at this” do they call it surveillance. Fundamentally I really object to that, because if I ran a TURMOIL collection system – that is, passive signals intelligence systems collecting data from the whole planet, everywhere they possibly can – I would go to prison for the rest of my life. That’s the balance, right?

Jefferson talks about this. He says, you know, “That which the government is allowed to do but you are not, this is a tyranny.” There are some exceptions to that, but the CFAA in the United States, the Computer Fraud and Abuse Act, you know, it’s so draconian for regular people, and the NSA gets to do something like intercepting 7 billion people all day long with no problems, and the rest of us are not even allowed to experiment for improving the security of our own lives without being put in prison or under threat of serious indictment, and that I think is a really important point. So the TURMOIL system is a surveillance system, and it is a dragnet surveillance system that is a general warrant dragnet surveillance if there ever was one. And now, we shot the British over this when we started our revolution. We called them “general writs of assistance.” These were generalized warrants which we considered to be a tyranny. And TURMOIL is the digital version of a general writ of assistance system. And the general writ of assistance itself, it’s not clear if it even exists, because it’s not clear to me that a judge would understand anything that I just said.

[applause]
Okay, so now we’re gonna get scary. So that’s just the passive stuff. There exists another system that’s called TURBINE, and we revealed about this system in the ‘Spiegel’ publications today as well. So if TURMOIL is deep packet inspection, then TURBINE is deep packet injection. And it is the system that combined together with a thing… – with TURMOIL and TURBINE you can create a platform which they have consolidated, which they call QFIRE. QFIRE is essentially a way to programmatically look at things that flow across the internet that they see with TURMOIL, and then using TURBINE they’re able to actually inject packets to try to do attacks, and I’ll describe some of those attacks in detail in a moment. But essentially the interesting thing about QFIRE also is that they have a thing that’s called a diode. So if you have for example a large number of systems where you control them, you might say: “Hey, what are you doing on that backbone?”, “Hey, what’s going on with these systems?” And they could say, well, you know, we paid for access, we’re doing this, it’s all legal, etcetera. QFIRE has this really neat little detail, which is that they compromise other people’s routers and then redirect through them so that they can beat the speed of light. And how they do that is that they have a passive sensor that’s nearby, a thing that they can inject from. And when they see that that thing sees a selector that is interesting to them, or is doing a thing that they would like to tamper with in some way, then they take a packet, they encapsulate the packet, they send it to the diode, which might be your home router potentially, and then that home router decapsulates that packet and sends it out. And because that is very close to you, and let’s say you’re visiting Yahoo, then the Yahoo packet will not beat you. That is, they will not beat the NSA or GCHQ. So it’s a race condition. And so they basically are able to control this whole system and then to localize attacks in that process. So that’s a pretty – pretty scary stuff, actually.

And while it is a digital thing, I think it’s important to understand that this is what Jefferson talked about when he talked about tyranny. This is turnkey tyranny, and it’s not that it’s coming, it’s actually here. It’s just merely the question about whether or not they’ll use it in a way that we think is a good way or not a good way. One of the scariest parts about this is that for this system or these sets of systems to exist, we have been kept vulnerable. So it is the case that if the Chinese, if the Russians, if people here wish to build this system, there’s nothing that stops them. And in fact the NSA has in a literal sense retarded the process by which we would secure the internet, because it establishes a hegemony of power, their power in secret, to do these things. And in fact I’ve seen evidence that shows that there are so many compromises taking place between the different Five Eyes signals intelligence groups that they actually have lists that explain, “If you see this back door on the system, contact a friendly agency. You’ve just recompromised the machine of another person.” So when we talk about this, we have to consider that this is designed for at-scale exploitation. And as far as I can tell it’s being used for at-scale exploitation. Which is not really in my mind a targeted, particularized type of thing, but rather it’s fishing operations. It’s fishing expeditions. It’s more like fishing crusades, if you will. And in some cases, looking at the evidence, that seems to be what it is. Targeting Muslims, I might add. Because that’s what they’re interested in doing.

So that said, that’s the internet, and we get all the way down to the bottom and we get to the Close Access Operations and Off-Net. Off-Net and Close Access Operations are pretty scary things, but basically this is what we would call a black bag job. That’s where these guys, they break into your house, they put something in your computer and they take other things out of your computer. Here’s an example. First top secret document of the talk so far.
This is a Close Access Operations box. It is basically car Metasploit for the NSA, which is an interesting thing. But basically they say that the attack is undetectable, and it’s sadly a laptop running free software. It is injecting packets. And they say that they can do this from as far away as 8 miles to inject packets, so presumably using this they’re able to exploit a kernel vulnerability of some kind, parsing the wireless frames, and, yeah. I’ve heard that they actually put this hardware, from sources inside of the NSA and inside of other intelligence agencies, that they actually put this type of hardware on drones so that they fly them over areas that they’re interested in and they do mass exploitation of people. Now, we don’t have a document that substantiates that part, but we do have this document that actually claims that they’ve done it from up to 8 miles away. So that’s a really interesting thing, because it tells us that they understand that common wireless cards, probably running Microsoft Windows, which is an American company, that they know about vulnerabilities and they keep them a secret to use them. This is part of a constant theme of sabotaging and undermining American companies and American ingenuity. As an American, while generally not a nationalist, I find this disgusting, especially as someone who writes free software and would like my tax dollars to be spent on improving these things. And when they know about them I don’t want them to keep them a secret, because all of us are vulnerable. It’s a really scary thing.

[applause]

And it just so happens that at my house, myself and many of my friends, when we use wireless devices – Andy knows what I’m talking about, a few other people here – all the time we have errors in certain machines which are set up at the house, in some cases as a honey pot – thanks, guys – where kernel panic after kernel panic, exactly in the receive handler of the Linux kernel where you would expect this specific type of thing to take place. So I think that if we talk about the war coming home, we probably will find that this is not just used in places where there’s a literal war on, but where they decide that it would be useful, including just parking outside your house.

Now I only have an hour today, so I’m gonna have to go through some other stuff pretty quickly. I want to make a couple of points clear. This wasn’t clear, even though it was written in the New York Times by my dear friend Laura Poitras, who is totally fantastic by the way, and… you are great. But 15 years of data retention –

[applause]

So the NSA has 15 years of data retention. It’s a really important point to drive home. I joked with Laura when she wrote the New York Times article with James Risen, she should do the math for other people and say “15 years”. She said: “They can do the math on their own, I believe in them”. I just wanna do the math for you. 15 years, that’s scary! I don’t ever remember voting on that, I don’t ever remember even having a public debate about it. And that includes content as well as metadata. So they use this metadata. They search through this metadata retroactively. They do what’s called ‘tasking’, that is, they find a set of selectors – so that’s a set of unique identifiers, e-mail addresses, cookies, MAC addresses, IMEIs… whatever is useful. Voice prints potentially, depending on the system. And then they basically task those selectors for specific activities. So that ties together with some of the attacks which I’ll talk about, but essentially QUANTUMINSERTION and things that are like QUANTUMINSERTION, they’re triggered as part of the TURMOIL and TURBINE system and the QFIRE system, and they’re all put together so that they can automate attacking people based on the plain text traffic that transits the internet or based on the source or destination IP addresses.

This is a second top secret document.
This is an actual NSA lolcat for the QUANTUMTHEORY program.

[applause]

You’ll notice it’s a black cat, hiding. Okay. So there are a few people in the audience that are still not terrified enough, and there are a few people that, as part of their process for coping with this horrible world that we have found ourselves in, they will say the following: “There’s no way they’ll ever find me. I’m not interesting.” So I just want to dispel that notion and show you a little bit about how they do that. So we mentioned TURMOIL, which is the dragnet surveillance, and TURBINE, which is deep packet injection, and QFIRE, where we tie it all together, and this is an example of something which I think actually demonstrates a crime, but I’m not sure, I’m not a lawyer, I’m definitely not your lawyer, and I’m certainly not the NSA’s lawyer. But this is the MARINA system. This is merely one of many systems where they actually have full content as well as metadata. Taken together, they do contact chaining, where they find out you guys are all in the same room with me – which reminds me, let’s see, I’ve got this phone… Okay. That’s good. Let’s turn that on. So now…

[laughter]

You’re welcome.

[laughter]

You have no idea!

[laughter]

But I just wanted to make sure that if there was any question about whether or not you are exempt from needing to do something about this, that that is dispelled.

[applause]

Okay? Cell phone’s on. Great. So. Hey, guys!

[laughter]

So, the MARINA system is a contact chaining system as well as a system that has data, and in this case what we see is in fact reverse contact and forward contact graphing. So, any lawyers in the audience? If there are American citizens in this database, is reverse targeting like this illegal? Generally? Is it possible that that could be considered illegal?

[Someone from the audience mumbles]

Yeah, so, interesting. If it’s called reverse contacts instead of reverse targeting – yeah, exactly. So, you’ll also notice the, on the right-hand side, webcam photos. So, just in case you’re wondering, in this case this particular target, I suppose that he did not or she did not have a webcam. Good for them. If not, you should follow the EFF’s advice and you should put a little sticker over your webcam. But you’ll also note that they try to find equivalent identifiers. So every time there’s a linkable identifier that you have on the internet, they try to put that and tie it together and contact chain it, and they try to show who you are among all of these different potential identifiers – if you have 5 e-mail addresses, they would link them together – and then they try to find out who all your friends are. You’ll also note at the bottom here, logins and passwords. So they’re also doing dragnet surveillance in which they extract – the feature set extraction where they know semantically what a login and a password is in a particular protocol. And in this case this guy is lucky, I suppose, and they were not able to get passwords or webcam, but you’ll note that they were able to get his contacts and they were able to see in fact 29, give or take, received messages as well, of which there are these things. Now in this case we have redacted the e-mail and instant messenger information, but this is an example of how

[laughs]

you can’t hide from these things, and thinking that they won’t find you is a fallacy. So this is basically the difference between taking one wire and clipping onto it in a particularized suspicious way where they’re really interested, they have a particularized suspicion, they think that someone is a criminal, they think someone has taken some serious steps that are illegal, and instead what they do is they put all of us under surveillance, record all of this data that they possibly can, and then they go looking through it. Now in the case of Chancellor Merkel, when we revealed NSRL 2002-388, what we showed was that they were spying on Merkel. And by their own admission 3 hops away, that’s everyone in the German Parliament and everyone here. So that’s pretty serious stuff. It also happens that if you should be visiting certain websites, especially if you’re a Muslim, it is the case that you can be attacked automatically by this system. Right? So that would mean that they would automatically start to break into systems. That’s what they would call ‘untasked targeting’. Interesting idea that they call that targeted surveillance. To me that doesn’t really sound too much like targeted surveillance, unless what you mean by carpet bombing, it – you know, I mean it just – you know, like… it just doesn’t… it doesn’t strike me right. It’s not my real definition of ‘targeted’.
It’s not well defined. It’s not that a judge has said, “Yes, this person is clearly someone we should target.” Quite the opposite. This is something where some guy who has a system has decided to deploy it, and they do it however they like whenever they would like. And while there are some restrictions, it’s clear that the details about these programs do not trickle up. And even if they do, they do not trickle up in a useful way. So this is important, because members of the U.S. Congress, they have no clue about these things. Literally, in the case of the technology. Ask a Congressman about TCP/IP. Forget it. You can’t even get a meeting with them. I’ve tried. Doesn’t matter. Even if you know the secret interpretation of Section 215 of the Patriot Act and you go to Washington, D.C. and you meet with their aides, they still won’t talk to you about it. Part of that is because they don’t have a clue, and another part of it is because they can’t talk about it, because they don’t have a political solution. Absent a political solution, it’s very difficult to get someone to admit that there is a problem. Well, there is a problem, so we’re going to create a political problem and also talk about some of the solutions.

The Cypherpunks generally have come up with some of the solutions when we talk about encrypting the entire internet. That would end dragnet mass surveillance in a sense, but it will come back in a different sense even with encryption. We need both a marriage of a technical solution and we need a political solution to go with it, and if we don’t have those 2 things, we will unfortunately be stuck here. But at the moment the NSA, basically, I feel, has more power than anyone in the entire world – any one agency or any one person. So Emperor Alexander, the head of the NSA, really has a lot of power. If they want to right now, they’ll know that the IMEI of this phone is interesting. It’s very warm, which is another funny thing, and they would be able to break into this phone almost certainly and then turn on the microphone, and all without a court. So that to me is really scary. And I especially dislike the fact that if you were to be building these types of things, they treat you as an opponent, if you wish to be able to fulfill the promises that you make to your customers. And as someone who writes security software I think that’s bullshit.

So. Here’s how they do a bit of it. So there are different programs.
So QUANTUMTHEORY, QUANTUMNATION,
QUANTUMBOT, QUANTUMCOPPER
-
and QUANTUMINSERT. You’ve heard of a few
of them. I’ll just go through them real quick.
-
QUANTUMTHEORY essentially has
a whole arsenal of zero-day exploits.
-
Then the system deploys what’s called
a SMOTH, or a seasoned moth.
-
And a seasoned moth is an
implant which dies after 30 days.
-
So I think that these guys either took a
lot of acid or read a lot of Philip K. Dick,
-
potentially both!
applause
-
And they thought Philip K. Dick
wasn’t dystopian enough.
-
“Let’s get better at this”.
And after reading VALIS, I guess,
-
they went on, and they also have
as part of QUANTUMNATION
-
what’s called VALIDATOR or COMMONDEER.
Now these are first-stage payloads
-
that are done entirely in memory.
These exploits essentially are where they
-
look around to see if you have what are
called PSPs, and this is to see, like,
-
you know, if you have Tripwire, if you
have Aid, if you have some sort of
-
system tool that will detect if an
attacker is tampering with files or
-
something like this, like
a host intrusion detection system.
-
So VALIDATOR and COMMONDEER, which,
I mean, clearly the point of COMMONDEER,
-
while it’s misspelled here – it’s not
actually… I mean that’s the name
-
of the program… but the point is to make
a pun on commandeering your machine. So,
-
you know, when I think about the U.S.
Constitution in particular, we talk about
-
not allowing the quartering of
soldiers – and, gosh, you know?
-
Commandeering my computer sounds
a lot like a digital version of that, and
-
I find that’s a little bit confusing, and
mostly in that I don’t understand
-
how they get away with it. But part of it
is because until right now we didn’t know
-
about it, in public, which is why we’re
releasing this in the public interest,
-
so that we can have a better debate
about whether or not that counts, in fact,
-
as a part of this type of what I would
consider to be tyranny, or perhaps
-
you think it is a measured and reasonable
thing. I somehow doubt that. But
-
in any case, QUANTUMBOT is where
they hijack IRC bots, because why not?
-
They thought they would like to do
that, and an interesting point is that
-
they could in theory stop a lot
of these botnet attacks and
-
they have decided to maintain that
capability, but they’re not yet doing it
-
except when they feel like doing it for
experiments or when they do it to
-
potentially use them. It’s not clear
exactly how they use them. But
-
the mere fact of the matter is that that
suggests they’re even in fact able to do
-
these types of attacks, they’ve tested
these types of attacks against botnets.
-
And that’s the program you should FOIA
for. We’ve released a little bit of detail
-
about that today as well. And
QUANTUMCOPPER to me is really scary.
-
It’s essentially a thing that can
interfere with TCP/IP and it can do things
-
like corrupt file downloads. So if you
imagine the Great Firewall of China,
-
so-called – that’s for the whole planet.
-
So if the NSA wanted to tomorrow, they
could kill every anonymity system
-
that exists by just forcing everyone who
connects to an anonymity system to reset
-
just the same way that the Chinese do
right now in China with the Great Firewall
-
of China. So that’s like the NSA builds
the equivalent of the Great Firewall
-
of Earth. That’s, to me that’s
a really scary, heavy-handed thing,
-
and I’m sure they only use it for good.
clears throat
-
But, yeah. Back here in reality that to
me is a really scary thing, especially
-
because one of the ways that they are able
to have this capability, as I mentioned,
-
is these diodes. So what that suggests
is that they actually repurpose
-
other people’s machines in order to
reposition and to gain a capability
-
inside of an area where they actually
have no legitimacy inside of that area.
-
That to me suggests it is not only
heavy-handed, that they have probably some
-
tools to do that. You see where I’m going
with this. Well, QUANTUMINSERTION,
-
this is also an important point, because
this is what was used against Belgacom,
-
this is what’s used by a whole number of
unfortunately, players in the game where
-
basically what they do is they inject
a packet. So you have a TCP connection,
-
Alice wants to talk to Bob, and for some
reason Alice and Bob have not heard
-
about TLS. Alice sends an HTTP
request to Bob. Bob is Yahoo.
-
NSA loves Yahoo. And basically they
inject a packet which will get to Alice
-
before Yahoo is able to respond, right?
And the thing is that if that was a
-
TLS connection, the man-on-the-side
attack would not succeed.
-
That’s really key. If they were using TLS,
the man-on-the-side attack could at best,
-
as far as we understand it at the moment,
they could tear down the TLS session but
-
they couldn’t actually actively inject.
So that’s a man-on-the-side attack.
-
We can end that attack with TLS.
When we deploy TLS everywhere
-
then we will end that kind of attack. So
there was a joke, you know, when you
-
download .mp3s, you ride with communism
– from the ’90s, some of you may
-
remember this. When you bareback with
the internet, you ride with the NSA.
-
applause
-
Or you’re getting a ride, going for
a ride. So the TAO infrastructure,
-
Tailored Access and Operations. Some
of the FOXACID URLs are public.
-
FOXACID is essentially like a watering
hole type of attack where you go to,
-
you go to a URL. QUANTUMINSERT
puts like an iframe or puts some code
-
in your web browser, which you then
execute, which then causes you to
-
load resources. One of the resources that
you load while you’re loading CNN.com,
-
for example, which is one of their
examples, they – you like that, by the way?
-
So, you know, that’s an extremist site. So
coughs
-
you might have heard about that. A lot of
Republicans in the United States read it.
-
So – right before they wage
illegal imperialist wars. So,
-
the point is that you go to a FOXACID
server and it basically does a survey
-
of your box and decides if it can break
into it or not, and then it does.
-
Yep, that’s basically it. And the FOXACID
URLs, a few of them are public.
-
Some of the details about that have been
made public, about how the structure
-
of the URLs are laid out and so on.
An important detail is that they pretend
-
that they’re Apache, but they actually
do a really bad job. So they’re
-
like Hacking Team, maybe it’s the same
guys, I doubt it though, the NSA wouldn’t
-
slum with scumbags like that, but…
Basically you can tell, you can find them,
-
because they aren’t really Apache servers.
They pretend to be, something else.
-
The other thing is that none of their
infrastructure is in the United States.
-
So, real quick anonymity question. You
have a set of things and you know that
-
a particular attacker never comes from one
place. Every country on the planet
-
potentially, but never one place. The
one place where most of the internet is.
-
What does that tell you in terms of
anonymity? It tells you usually that
-
they’re hiding something about that one
place. Maybe there’s a legal requirement
-
for this. It’s not clear to me. But what
is totally clear to me is that if you see
-
this type of infrastructure and it is not
in the United States, there is a chance,
-
especially today, that it’s the NSA’s
Tailored Access and Operations division.
-
And here’s an important point. When the
NSA can’t do it, they bring in GCHQ.
-
So, for example, for targeting certain
Gmail selectors, they can’t do it.
-
And in the documents we released today,
we show that they say: “If you have
-
a partner agreement form and you need to
target, there are some additional selectors
-
that become available should you
need them”. So when we have a limit
-
of an intelligence agency in the United
States, or here in Germany or
-
something like this, we have to recognize
that information is a currency
-
in an unregulated market. And these
guys, they trade that information, and
-
one of the ways they trade that is like
this. And they love Yahoo.
-
So, little breather?
-
It’s always good to make fun of
the GCHQ with Austin Powers!
-
laughter
Okay. Another classified document here.
-
That’s actual NSA OpenOffice or Powerpoint
clip art of their horrible headquarters
-
that you see in every news story, I can’t
wait to see a different photo of the NSA
-
someday. But you’ll notice right here they
explain how QUANTUM works. Now SSO is
-
a Special Source Operations site. So
you’ve seen U.S. embassies? Usually
-
the U.S. embassy has dielectric panels on
the roof, that’s what we showed in Berlin,
-
it was called “DAS NEST” on the cover
of ‘Der Spiegel’. That’s an SSO site.
-
So they see that this type of stuff is
taking place, they do an injection and
-
they try to beat the Yahoo packet back.
Now another interesting point is
-
that for the Yahoo packet to be beaten,
the NSA must impersonate Yahoo.
-
This is a really important detail because
what it tells us is that they are
-
essentially conscripting Yahoo and saying
that they are Yahoo. So they are
-
impersonating a U.S. company
to a U.S. company user
-
and they are not actually supposed
to be in this conversation at all.
-
And when they do it, then they of course
– basically if you’re using Yahoo,
-
you’re definitely going to get owned. So
– and I don’t just mean that in that
-
Yahoo is vulnerable, they are, but
I mean people that use Yahoo tend to
-
– maybe it’s a bad generalization,
but, you know – they’re not the most
-
security-conscious people on the planet,
they don’t keep their computers up to date,
-
I’m guessing, and that’s probably why
they love Yahoo so much. They also love
-
CNN.com, which is some other… I don’t know
what that says, it’s like a sociological
-
study of compromise. But that’s an
important detail. So the SSO site sniffs
-
and then they do some injection, they
redirect you to FOXACID. That’s for
-
web browser exploitation. They obviously
have other exploitation techniques.
-
Okay. So now. We all know
that cellphones are vulnerable.
-
Here’s an example. This is a base station
-
that the NSA has that, I think it’s the
first time ever anyone’s ever revealed
-
an NSA IMSI catcher. So, here it is.
Well, actually the second time, because
-
‘Der Spiegel’ did it this morning.
But you know what I mean.
-
applause
-
So they call it ‘Find, Fix and
Finish targeted handset users’.
-
Now it’s really important to understand
when they say “targeting” you would think
-
‘massive collection’, right? Because what
are they doing? They’re pretending to be
-
a base station. They want to overpower.
They want to basically be the phone
-
that you connect to… or the phone system
that you connect to. And that means
-
lots of people are going to connect
potentially. So it’s not just one
-
targeted user. So hopefully they have it
set up so that if you need to dial 911,
-
or here in Europe 112 – you know,
by the way, if you ever want to find
-
one of these things try to call different
emergency numbers and note which ones
-
route where. Just as a little detail.
Also note that sometimes if you go
-
to the Ecuadorian embassy you will receive
a welcome message from Uganda Telecom.
-
Because the British when they deployed
the IMSI catcher against Julian Assange
-
at the Ecuadorian embassy made the mistake
of not reconfiguring the spy gear they [had]
-
deployed in Uganda [before]
when they deployed in London.
-
applause
-
And this can be yours
for only US$ 175,800.
-
And this covers GSM and PCS and
DCS and a bunch of other stuff.
-
So basically if you use a cell phone
– forget it. It doesn’t matter
-
what you’re doing. The exception may
be Cryptophone and Redphone. In fact
-
I’d like to just give a shoutout to the
people who work on free software, and
-
software which is actually secure. Like
Moxie Marlinspike – I’m so sorry I mention
-
your name in my talk, but don’t worry,
your silence won’t protect you!
-
I think it’s really important to know
Moxie is one of the very few people
-
in the world who builds technologies that
are both free and open source, and
-
as far as I can tell he refuses to do
anything awful. No backdoors or anything.
-
And from what I can tell this proves
that we need things like that.
-
This is absolutely necessary because they
replace the infrastructure we connect to.
-
It’s like replacing the road that we would
walk on, and adding tons of spy gear.
-
And they do that too,
we’ll get to that. Okay.
-
So I’m gonna go a little quick through
these because I think it’s better that you
-
go online and you adjust. And I wanna
have a little bit of time for questions.
-
But basically here’s an example of how
even if you disable a thing the thing is
-
not really disabled. So if you have a WiFi
card in your computer the SOMBERKNAVE
-
program, which is another classified
document here, they basically repurpose
-
your WiFi gear. They say: “You’re not
using that WiFi card? We’re gonna scan
-
for WiFi nearby, we’re gonna exfiltrate
data by finding an open WiFi network
-
and we’re gonna jump on it”. So
they’re actually using other people’s
-
wireless networks in addition to having
this stuff in your computer. And this is
-
one of the ways they beat a so-called
air-gapped target computer.
-
Okay, so here’s some of the software
implants. Now we’re gonna name a bunch
-
of companies because – fuck those guys
basically, for collaborating when they do,
-
and fuck them for leaving us
vulnerable when they do.
-
applause
-
And I mean that in the most loving way
because some of them are victims, actually.
-
It’s important to note that we don’t
yet understand which is which.
-
So it’s important to name them, so that
they have to go on record, and so that
-
they can say where they are, and so
that they can give us enough rope
-
to hang themselves. I really want that to
happen because I think it’s important
-
to find out who collaborated and who
didn’t collaborate. In order to have truth
-
and reconciliation we need to start with
a little of truth. So STUCCOMONTANA
-
is basically BadBIOS if you guys have
heard about that. I feel very bad
-
for Dragos, he doesn’t really talk to me
right now. I think he might be kinda mad.
-
But after I was detained – by the
US Army on US soil, I might add –
-
they took a phone from me. Now it
shouldn’t matter but it did. They also
-
I think went after all my phone records so
they didn’t need to take the phone. But
-
for good measure, they just wanted
to try to intimidate me which is exactly
-
the wrong thing to do to me. But as he
told the story after that happened
-
all of his computers including his Xbox
were compromised. And he says
-
even to this day that some of those things
persist. And he talks about the BIOS.
-
Here’s a document that shows clearly
that they actually re-flash the BIOS
-
and they also have other techniques
including System Management Mode
-
related rootkits and that they have
persistence inside of the BIOS.
-
It’s an incredibly important point. This
is evidence that the thing that Dragos
-
talked about, maybe he doesn’t
have it, but it really does exist.
-
Now the question is how would he find it?
We don’t have the forensics tools yet.
-
We don’t really have the capabilities
widely deployed in the community
-
to be able to know that, and to be
able to find it. Here’s another one.
-
This one’s called SWAP. In this case it
replaces the Host Protected Area
-
of the hard drive, and you can see a
little graph where there’s target systems,
-
you see the internet, Interactive OPS, so
they’ve got like a guy who is hacking you
-
in real time, the People’s
Liberation Army… uh, NSA! And…
-
laughter
And you can see all of these different
-
things about it. Each one of these things,
including SNEAKERNET, these are
-
different programs, most of which we
revealed today in ‘Der Spiegel’.
-
But you’ll notice that it’s Windows,
Linux, FreeBSD and Solaris.
-
How many Al Qaeda people
use Solaris, do you suppose?
-
This tells you a really important point.
They are interested in compromising
-
the infrastructure of systems,
not just individual people.
-
They want to take control and
literally colonize those systems
-
with these implants. And that’s not part
of the discussion. People are not talking
-
about that because they don’t know about
that yet. But they should. Because
-
in addition to the fact that Sun is a U.S.
company which they are building
-
capabilities against – that to me, really,
it really bothers me; I can’t tell you
-
how much that bothers me – we also
see that they’re attacking Microsoft,
-
another U.S. company, and Linux and
FreeBSD, where there are a lot of people
-
that are building it from all around the
world. So they’re attacking not only
-
collective efforts and corporate
efforts, but basically every option
-
you possibly can, from end users
down to telecom core things.
-
Here’s another one, DEITYBOUNCE.
This is for Dell,
-
so Dell PowerEdge 1850,
2850, 1950, 2950…
-
RAID servers using any of the
following BIOS versions. Right?
-
So just in case you’re wondering, hey
Dell, why is that? Curious about that.
-
Love to hear your statements about it.
So if you write YARA sigs [signatures]
-
and you’re interested in looking
for NSA malware, look for things
-
that use RC6, so look for the constants
that you might find in RC6.
-
And when they run, if they emit UDP
traffic – we’ve actually seen a sample
-
of this but we were not able
to capture it, sadly, but
-
emitting UDP traffic that is encrypted.
You know, people that I’ve worked with
-
on things related to this, they’ve even,
they’ve had their house black bagged.
-
They’ve had pretty bad stuff happen
to them. That’s their story to tell.
-
But one of the interesting details is
that after those events occurred,
-
these types of things were seen. Ben
has a really bad idea for those guys,
-
I might add, because I wouldn’t have put
this slide in if that had not occurred.
-
But if you want to look for it, you’ll
find it. I know some people that have
-
looked with YARA sigs and they have
in fact found things related to this,
-
so I suspect a lot of malware researchers
in the near future are going to have
-
a lot of stuff to say about this
particular slide. I’ll leave that to them.
-
I think it’s very important to go looking
for these things, especially to find out
-
who is victimized by them. Here’s an
iPhone back door.
-
So DROPOUTJEEP, so
you can see it right there.
-
So, SMS, contact list retrieval,
voicemail, hot microphone,
-
camera capture, cell tower location. Cool.
Do you think Apple helped them with that?
-
I don’t know. I hope Apple will clarify
that. I think it’s really important
-
that Apple doesn’t. Here’s
a problem. I don’t really believe
-
that Apple didn’t help them. I can’t
prove it yet, but they literally claim
-
that any time they target an iOS device,
that it will succeed for implantation.
-
Either they have a huge collection of
exploits that work against Apple products,
-
meaning that they are hoarding
information about critical systems that
-
American companies produce
and sabotaging them,
-
or Apple sabotaged it themselves.
Not sure which one it is!
-
I’d like to believe that since Apple
didn’t join the PRISM program until
-
after Steve Jobs died that maybe it’s
just that they write shitty software.
-
We know that’s true!
laughter
-
applause
-
Here’s a HVT, high-value target.
This is a high-value target
-
being targeted with a back door for
Windows CE Thuraya phones.
-
So if you have a Thuraya phone and you’re
wondering if it was secure – yeah maybe.
-
Good luck! Here’s one where they
replaced the hard drive firmware.
-
There was a talk at OHM this year
[OHM2013] where a guy talked about
-
replacing hard drive firmware.
You were onto something.
-
You were really onto something. Whoever
you are, you were onto something.
-
Because the NSA has a program here,
IRATEMONK, and that’s exactly
-
what they do. They replace the firmware
in the hard drive, so it doesn’t matter
-
if you reformat the hard drive, you’re
done. The firmware itself can do
-
a whole bunch of stuff. So. Here are
the names of the hard drive companies
-
where it works: Western Digital, Seagate,
Maxtor and Samsung, and of course
-
they support FAT, NTFS, EXT3 and UFS.
They probably now have support for
-
additional file systems, but this is
what we can prove. Please note
-
at the bottom left and the bottom right:
“Status: Released and Deployed.
-
Ready for Immediate Delivery”.
And: “Unit Cost: $0”.
-
It’s free! No, you can’t get it.
It’s not free as in free software.
-
It’s free as in “You’re owned!”.
laughter
-
applause
-
I want to give a shoutout to Karsten Nohl
and Luca [Luca Melette] for their
-
incredible talk where they showed this
exact attack without knowing that
-
they had found it. Right?
They say – yeah, absolutely.
-
applause
-
Important point. The NSA says that when
they know about these things, that
-
nobody will come to harm, no one will be
able to find them, they’ll never be able
-
to be exploited by another third party.
Karsten found this exact vulnerability.
-
They were able to install a Java applet on
the SIM card without user interaction,
-
and it was based on the service provider’s
security configuration, which is exactly
-
what the NSA says here, and they talk
about attacking the same toolkit
-
inside of the phone; and Karsten
found the same vulnerability
-
and attacked it in the wild. This
is perfect evidence, not only of
-
how badass Karsten and Luca are
– they are, no question – but also about
-
how wrong the NSA is with this balance.
Because for every Karsten and Luca, there
-
are hundreds of people who are paid to do
this full-time and never tell us about it.
-
applause
-
Important detail. Do you see that
‘interdiction’ phrase right there?
-
“Through remote access” – in other
words, we broke into your computer –
-
“or interdiction” – in other words,
we stole your fucking mail. Now.
-
This is a really important point. We
all have heard about these paranoid
-
crazy people talking about people breaking
into their houses – that’s happened to me
-
a number of times – motherfuckers,
getting you back – it’s really important
-
to understand this process is
one that threatens all of us.
-
The sanctity of the postal system
has been violated. I mean – whoa!
-
God, it makes me so angry, you know?
You can’t even send a letter without
-
being spied on, but even worse that they
tamper with it! It’s not enough that
-
the U.S. Postal Service records all
of this information and keeps it
-
– that’s not enough. They also have to
tamper with the packages! So every time
-
you buy from Amazon, for example, every
time you buy anything on the internet,
-
there is the possibility that they will
actually take your package and change it.
-
One of the ways that I’ve heard that they
change it is that they will actually
-
take the case of your computer and they
will injection mold a hardware back door
-
into the case of the computer.
So that even if you were to look
-
at the motherboard or have it serviced,
you would not see this. It merely
-
just needs to be in the proximity
of the motherboard. So.
-
Let’s talk about hardware implants
that they will put into your devices.
-
Here’s one. This is called BULLDOZER.
It’s a PCI bus hardware implant.
-
Pretty scary, doesn’t look so great,
but let’s go on a little bit. Okay?
-
Here’s one where they actually exploit
the BIOS and System Management Mode.
-
There’s a big graph that shows all of
these various different interconnections,
-
which is important. Then they talk about
the long-range comms, INMARSAT, VSAT,
-
NSA MEANS and Future Capabilities. I think
NSA MEANS exists. Future Capabilities
-
seems self-explanatory. “This
hardware implant provides
-
2-way RF communication.” Interesting.
So you disable all the wireless cards,
-
whatever you need. There you go.
They just added a new one in there and
-
you don’t even know. Your system has no
clue about it. Here’s a hardware back door
-
which uses the I2C interface, because
no one in the history of time
-
other than the NSA probably has ever
used it. That’s good to know that finally
-
someone uses I2C for something
– okay, other than fan control. But,
-
look at that! It’s another American
company that they are sabotaging.
-
They understand that HP’s servers
are vulnerable, and they decided,
-
instead of explaining that this is
a problem, they exploit it. And IRONCHEF,
-
through interdiction, is one of
the ways that they will do that.
-
So I wanna really harp on this. Now it’s
not that I think European companies
-
are worth less. I suspect especially
after this talk that won’t be true,
-
in the literal stock sense, but I don’t
know. I think it’s really important
-
to understand that they are sabotaging
American companies because of the
-
so-called home-field advantage. The
problem is that as an American who writes
-
software, who wants to build hardware
devices, this really chills my expression
-
and it also gives me a problem, which
is that people say: “Why would I use
-
what you’re doing? You know,
what about the NSA?”
-
Man, that really bothers me.
I don’t deserve the Huawei taint,
-
and the NSA gives it. And President
Obama’s own advisory board
-
that was convened to understand the scope
of these things has even agreed with me
-
about this point, that this should not be
taking place, that hoarding of zero-day
-
exploits cannot simply happen without
thought processes that are reasonable
-
and rational and have an economic and
social valuing where we really think about
-
the broad-scale impact. Now.
I’m gonna go on to a little bit more.
-
Here’s where they attack SIM cards. This
is MONKEYCALENDAR. So it’s actually
-
the flow chart of how this would work.
So in other words, they told you all of
-
the ways in which you should be certainly,
you know, looking at this. So if you ever
-
see your handset emitting encrypted SMS
that isn’t Textsecure, you now have
-
a pretty good idea that it might be this.
Here’s another example. If you have
-
a computer in front of you… I highly
encourage you to buy the Samsung SGH-X480C
-
– that’s the preferred phone of the NSA
for attacking another person’s phone.
-
I’m not exactly sure why, but an important
point is, they add the back door, then
-
they send an SMS from a regular phone
– what does that tell you? What does that
-
tell you about the exploitation process?
It tells you that it’s actually something
-
which is pretty straightforward,
pretty easy to do, doesn’t require
-
specialized access to the telecoms once
they’ve gotten your phone compromised.
-
That to me suggests that other people
might find it, other people might use
-
these techniques. Okay, here’s a USB
hardware implant called COTTONMOUTH.
-
We released this in ‘Spiegel’ today as
well. See the little red parts. It will
-
provide a wireless bridge onto the
target network with the ability to load
-
exploit software. Here’s a little bit of
extra details about that. It actually
-
shows the graph at the bottom, how they do
this, how they get around, how they beat
-
the air gap with these things. And they
talk a bit about being GENIE compliant.
-
So GENIE, and for the rest of these
programs, these are – like DROPOUTJEEP
-
is part of the CHIMNEYPOOL programs,
and COTTONMOUTH is part of the rest of
-
these programs over here. These are huge
programs where they’re trying to beat
-
a whole bunch of different adversaries,
and different capabilities are required.
-
And this is one of the probably I think
more interesting ones, but here’s
-
the next revision of it where it’s in a
USB plug, not actually in the cable.
-
And look, 50 units for US$ 200,000.
It’s really cheap.
-
You like my editorializing there, I hope?
So, $200,000, okay.
-
And here’s where you look for it. If you
happen to have an x-ray machine,
-
look for an extra chip. And that’s
a HOWLERMONKEY radiofrequency transmitter.
-
Well what’s a HOWLERMONKEY? We’ll
talk about that in a second, but basically
-
this is for ethernet, here. This is the
FIREWALK. It can actually do injection
-
bidirectionally on the ethernet controller
into the network that it’s sitting on.
-
So it doesn’t even have to do things
directly to the computer. It can actually
-
inject packets directly into the network,
according to the specification sheet,
-
which we released today on
Der Spiegel’s website. As it says,
-
‘active injection of ethernet packets onto
the target network’. Here’s another one
-
from Dell with an actual FLUXBABBITT
hardware implant for the PowerEdge 2950.
-
This uses the JTAG debugging interface
of the server. Why did Dell leave
-
a JTAG debugging interface on these
servers? Interesting, right? Because,
-
it’s like leaving a vulnerability in. Is
that a bug door or a back door or
-
just a mistake? Well hopefully they will
change these things or at least make it so
-
that if you were to see this you would
know that you had some problems.
-
Hopefully Dell will release some
information about how to mitigate
-
this advanced persistent threat. Right?
Everything that the U.S. Government
-
accuses the Chinese of doing – which they
are also doing, I believe – we are learning
-
that the U.S. Government has been doing to
American companies. That to me is really
-
concerning, and we’ve had no public debate
about these issues, and in many cases
-
all the technical details are obfuscated
away and they are just completely
-
outside of the purview of discussions. In
this case we learn more about Dell, and
-
which models. And here’s the HOWLERMONKEY.
These are actually photographs
-
of the NSA implanted chips that they
have when they steal your mail.
-
So after they steal your mail they put
a chip like this into your computer.
-
So the one, the FIREWALK
one is the ethernet one, and
-
that’s an important one. You probably will
notice that these look pretty simple,
-
common off-the-shelf parts. So.
-
Whew! All right. Who here
is surprised by any of this?
-
waits for audience reaction
I’m really, really, really glad to see
-
that you’re not all cynical fuckers and
that someone here would admit
-
that they were surprised. Okay, who
here is not surprised? waits
-
I’m going to blow your fucking mind!
laughter
-
Okay. We all know about TEMPEST,
right? Where the NSA pulls data
-
out of your computer, irradiate stuff
and then grab it, right? Everybody
-
who raised their hand and said they’re
not surprised, you already knew
-
about TEMPEST, right?
Right? Okay. Well.
-
What if I told you that the NSA had
a specialized technology for beaming
-
energy into you and to the computer
systems around you, would you believe
-
that that was real or would that be
paranoid speculation of a crazy person?
-
laughter
Anybody? You cynical guys
-
holding up your hand saying that you’re
not surprised by anything, raise your hand
-
if you would be unsurprised by that.
laughter
-
Good. And it’s not the same number.
It’s significantly lower. It’s one person.
-
Great. Here’s what they do with those
types of things. That exists, by the way.
-
When I told Julian Assange about this, he
said: “Hmm. I bet the people who were
-
around Hugo Chavez are going to wonder
what caused his cancer.” And I said:
-
“You know, I hadn’t considered that. But,
you know, I haven’t found any data
-
about human safety about these tools.
Has the NSA performed tests where they
-
actually show that radiating people
with 1 kW of RF energy
-
at short range is safe?”
laughter
-
My God! No, you guys think I’m
joking, right? Well, yeah, here it is.
-
This is a continuous wave generator,
a continuous wave radar unit.
-
You can detect its use because it’s
used between 1 and 2 GHz and
-
its bandwidth is up to 45 MHz,
user adjustable, 2 watts
-
using an internal amplifier. External
amplifier makes it possible to go
-
up to 1 kilowatt.
-
I’m just gonna let you take that
in for a moment. clears throat
-
Who’s crazy now?
laughter
-
Now, I’m being told I only have one
minute, so I’m going to have to go
-
a little bit quicker. I’m sorry. Here’s
why they do it. This is an implant
-
called RAGEMASTER. It’s part of the
ANGRYNEIGHBOR family of tools,
-
laughter
where they have a small device that they
-
put in line with the cable in your monitor
and then they use this radar system
-
to bounce a signal – this is not unlike
the Great Seal bug that [Leon] Theremin
-
designed for the KGB. So it’s good to
know we’ve finally caught up with the KGB,
-
but now with computers. They
send the microwave transmission,
-
the continuous wave, it reflects off of
this chip and then they use this device
-
to see your monitor.
-
Yep. So there’s the full life cycle.
First they radiate you,
-
then you die from cancer,
then you… win? Okay, so,
-
here’s the same thing, but this time for
keyboards, USB and PS/2 keyboards.
-
So the idea is that it’s a data
retro-reflector. Here’s another thing,
-
but this one, the TAWDRYYARD program, is
a little bit different. It’s a beacon, so
-
this is where probably then
they kill you with a drone.
-
That’s pretty scary stuff. They also have
this for microphones to gather room bugs
-
for room audio. Notice the bottom. It says
all components are common off the shelf
-
and are so non-attributable to the NSA.
Unless you have this photograph
-
and the product sheet. Happy hunting!
-
applause
-
And just to give you another idea, this is
a device they use to be able to actively
-
hunt people down. This is a hunting
device, right? Handheld finishing tool
-
used for geolocation targeting
handsets in the field. So!
-
Who was not surprised by this? I’m so
glad to have finally reached the point
-
where no one raised their hand except
that one guy who I think misheard me.
-
laughter
Or you’re brilliant. And
-
please stay in our community
and work on open research!
-
somebody off mike shouts:
Audience: Maybe he can add something!
-
Yeah! And if you work for the NSA,
I’d just like to encourage you
-
to leak more documents!
laughter
-
applause, cheers
-
applause
-
applause
-
applause, cheers, whistles
-
applause, cheers, whistles, ovation
-
applause, ovation
-
applause, cheers, ovation
-
applause, ovation
-
Herald: Thank you very much, Jake.
-
Thank you. I’m afraid we ran
all out of time for the Q&A.
-
I’m very sorry for anyone
who wanted to ask questions.
-
Jacob: But we do have a press conference.
Well, if you guys… you know,
-
I’d say: “occupy the room for another
5 minutes”, or… know that there’s
-
a press conference room that will be
opened up, where we can all ask
-
as many questions as we want,
in 30 minutes, if you’re interested.
-
And I will basically be available until
I’m assassinated to answer questions.
-
laughter, applause
So…
-
in the immortal words of Julian Assange:
Remember, no matter what happens,
-
even if there’s a videotape of it,
it was murder! Thank you!
-
Herald: Thank you. Please give a warm
round of applause to Jake Appelbaum!
-
applause
-
silent postroll
-
Subtitles created by c3subtitles.de
in the year 2016. Join, and help us!