Confessions of a Cyber Warrior
snydeq writes "InfoWorld's Roger Grimes interviews a longtime friend and cyber warrior under contract with the U.S. government, offering a fascinating glimpse of the front lines in the ever-escalating and completely clandestine cyber war. From the interview: 'They didn't seem to care that I had hacked our own government years ago or that I smoked pot. I wasn't sure I was going to take the job, but then they showed me the work environment and introduced me to a few future co-workers. I was impressed. ... We have tens of thousands of ready-to-use bugs in single applications, single operating systems. ... It's all zero-days. Literally, if you can name the software or the controller, we have ways to exploit it. There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.'"
Does this sound like boasting to anyone else? It's like a more modern version of having the press watch an explosion of their latest bomb.
PS: I don't reply to ACs.
Poor InfoWorld.... getting left behind in the Snowden fiasco, so it has to do a bit of "Me Me Me.. We're still relevant" crap
Literally, if you can name the software or the controller, we have ways to exploit it.
Pacman?? Didn't think so.
Boring to test open source. Exciting to make another never-used item at git or sourceforge.
And 95% are in acrobat or flash.
first is 20% cooler
I get the feeling he works for a different part of the military based on his answers about Snowden.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
I basically believe the information presented here, but the source could be anyone. It could be a complete work of fiction, and even if that is the case, it may still all be accurate. If someone asked me to come up with a laundry list of things that in all likelihood the feds have, I'd have easily come up with everything listed here.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
...If they have access to such awesome vulnerability detection software, why don't they run it on all the government's servers and applications?
Sounds like shit.
If a hacker could hack into a megabank, airline, hotel chain, etc, how could you possibly pay them enough to ensure that not one of them makes a nice life for themselves?
This corporate shill states: "There's no way what we do will be shut down. First, I don't intentionally do anything that involves spying on domestic communications. I don't think anyone in my company does that, although I don't know for sure. Second, it would be very dangerous to stop what we do. We are the new army. You may not like what the army does, but you still want an army."
The US is outsourcing its sovereignty to corporations who have no allegiance to anything other than profit. Don't get in the way of those profits - or else!
In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.'
For some reason I doubt that private government workers, let alone government contractors, have discovered (let alone classified and organized) more bugs than the armies of security researchers out there to qualify as "barely scratching the surface". More likely the government is paying private security researchers for bugs and the promise of non-disclosure. Even then with how altruistic many researchers are, it's likely that kind of exchange would be exposed.
Just think how much safer our digital infrastructure would be, how everyone's privacy and data could be protected if, instead of hoarding exploits for use in an asinine "cyberwar", the US gov quietly released them to developers so their vulnerable software could be fixed. Fuckers.
or else this "cyberwarrior" had better book a seat to Venezuela next to Snowden.
Uncle Sugar does not take kindly to this type of discussion by employees or contractors. Real spooks, even geeky ones, are forbidden to even acknowledge their line of work. The least onerous sanction is instant dismissal for Demonstrated Unreliability under Personnel Reliability Program guidelines.
Given the gov's capabilities, this guy, if he exists, is already identified and being rather intensively debriefed at this moment.
So, if what's being claimed is true (I'm doubtful), by not making these flaws public and giving vendors the chance to fix the issues, they are jeopardizing the domestic infrastructure they are ostensibly tasked to protect?
There's something profoundly inconsistent in this story, or profoundly hypocritical if it is true.
And he plays in a "hardcore rap/EDM band"? Either this person is an idiot for revealing something so specifically identifiable (even among "5000 people on my team", how many others of them are into it that much?), or they're spinning a yarn (misdirection or the whole story is nonsense).
Ignoring that he suddenly goes from one of the elite of the elites in penetration testing to an average guy in a group of thousands...
this is coming from a journalist!
captcha: impudent
So, instead of hardening our software and operating systems, you are knowingly leaving the world unpatched and vulnerable?
You are part of the problem. You ARE the enemy.
Literally, if you can name the software or the controller, we have ways to exploit it.
Voting machines?
Disclosing these vulnerabilities would do much more against the Chinese hackers than hacking back does. Sometimes the best defence is defence.
Most of the software written in the world has a bug every three to five lines of code.
Hahaha bullshit. What a shit article. This "cyber warrior" is either feeding the author shit or is made up.
Government likes sure things. They may have a library of open source bugs, but these risk evaporating if they should get discovered, which is entirely possible if not likely. Even if they bribe or blackmail (say) Linux kernel developers to build in and obfuscate back doors, as may have happened in the past, these may still get discovered.
OTOH, proprietary software gives the NSA everything they need and represents a lasting investment, not to mention it's what most people are using. And which companies do we know for a fact cooperate fully with the NSA? Who else has bugs that will never be disclosed or fixed? Which company was informing the NSA of vulnerabilities before going public with same?
And what about closed source proprietary drivers for Linux and Unix? Those are in kernel space; fuck knows what they could do.
That is like hoarding exploits for an ATM that only has two buttons:
1. Vaporize my funds.
2. Deploy robotic groin punch.
This sounds like baloney, so I'll write some Walking Dead fan fiction.
You ever known a real fighter? I do. His name is Larry Ellison. Back when I headed to Atlanta, only to find a graveyard, I hooked up with some survivors camped outside the city. Best fucking luck I ever had. It was a few days later I met Ellison. He'd returned from scavenging in the city. I heard that most are in and out in a day - you don't want to risk staying overnight unless you really have to. This guy had been on his own in zombie central for three days, and he looked like he'd just returned from the circus! I never saw anyone else that calm.
A week after that some walkers came through the camp. Calm as anything, he moved like a robot. I thought that this was a guy with PTSD just bubbling under the surface, but then our eyes met as he jammed a screwdriver through a zombie head. You know what I saw? A caretaker. Ellison, the billionaire yacht enthusiast, was somewhere else, probably with a warm fire and a harem of furries, while this man held the keys. No emotion, just relentlessly driving towards a time when we could sleep soundly.
I don't know where he is now. Maybe balls-deep in some guy in a Bugs Bunny costume, or still stalking decaying cities with that cold stare in which only a slight glimmer of the man remained? Either way, I hope at least one of those men has found peace. One night on watch he told me he used to make Java. I thought he was a barista, and said as much. He half-smiled a moment, and said he gets a lot of that. With all those nights on watch, that's about the only time I think I met the Ellison under the shell. I know as well because I felt a burning need to push him off a cliff, and I can't explain why. Glenn, another survivor, told me that everyone feels that way about Larry.
-- Using the preview button since 2005
...and whistleblowers.
It's like the war against government watch groups - the idea that by limiting what the government does (and increasingly the crony corporations that have cropped up to help it expand its reach) - not fighting, but just calling out and limiting it - you are an enemy of the state and you need to be removed.
Exploits are bought/discovered and kept as armaments to be used on industrial/state espionage, and also for internal clandestine operations. So clearly anyone "invalidating" one by disclosing it is restricting the power of the government.
Make sure everyone's vote counts: Verified Voting
Yes. Agreed. Computer security is eating itself.
then how did a guy with a usb stick steal information from the NSA?
“What's this? 'Extremely high voltage.' Well, I don't need safety gloves, 'cause I'm Homer Simp-!”
Frank Grimes, just before his death
He learned hacking at the local Radio Shack. Outside the US. In this "non-developed" country, where at 16 or 17, he amassed $100k worth of equipment that he 'ordered' and installed in the storage shed he was renting.
Is there anything more to be said?
"Pfagh - a mere 'conjurers cone' - I DABBLED WITH SUCH PUNY TRICKS WHEN I WAS BUT A CHILD!" - "The Dread Dormammu" from Dr. Strange's early stories (Marvel).
Tell you boys what: Do me a favor, & "exploit this" (see link below) - I mean it, not data around it, IT...
* :)
Anyone limiting themselves to NOT programming is doing that, to themselves. Users, with a better password/access level, nothing more. A waste of human potential imo - "been there/done that" over decades transitioning over - you learn TONS more on the coding end - tons. In fact, put it THIS way: Want a tool? Well, you just build it!
(You can - anyone reading who does will agree, that if you put in the time to know the goal & process end-to-end completely, data + all else, & then type it in, 1 line @ a time)
E.G. -> My latest effort here? ~35,000 lines http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74
APK
P.S.=> Seriously though? This whole entire surveillance society thing is insane, & it's got to go, that's for sure (seeing Congress lied to did it for me). Nobody likes this whole spy on everyone business from a bunch of guys working in an agency that is supposed to surveil anyone BUT U.S. Citizens! That's all & makes sense, right? Hey. Nobody sane and speaking of their true/own free will I know @ least. It's wrong. Had a beer with a neighbor today and he spoke about this to me. We both don't like it, for example. Does anyone? Come on IF you say yes... lol! That's bullshit (I don't like projecting my views on others, but that's just my speaking sanity & truth is all on THAT one now)...
... apk
Unless the language of the interviewee is obfuscated, I would say that either:
A: the guy is for real, but some kind of idiot-savant. I know the type -- I've met people who are barely literate and can't even string a sentence together, but would blitz an electronic engineering degree.
or B: just a bona-fide wannabe idiot
Judging by the language alone, I can't actually tell.
Some blend of three options here:
1) He's full of shit
2) I'm delusional in thinking I write code way better than that
3) Most of the world really is barely held together by bubble gum and duct tape
What bothers me is to what extent is #3 actually the answer.
Like so many others, I call BS.
- he says he's middle aged - let's say 50. He also said at 16 or 17 he joined "one of the distros". The earliest "distros" as such, started appearing around 1992, IIRC - around 21 years ago. So at most he's now 37 or 38 - not middle aged.
Now if he just defines "middle aged" differently, then he would have been hanging at 15 around the Radio Shacks (a hacker cliche) around 1990 - well past the eras of the TRS-80s and Color Computers that the cliche says hackers would be working on - unless he's claiming that was on PCs. Did Radio Shack sell PCs?
Then he just snuck out the back door when the men-in-black showed up. He got away because he never went back - even though surely the MIB knew who he was and that he was, apparently, still living with his mother and step-dad.
He doesn't want to be emailed in the months leading up to the conversation, ostensibly to maintain secrecy, which opens up another bunch of inconsistencies. First, if I'm able to read the author's emails, all I need to do is look for friends who stopped emailing him for a few months around the conversation. Secondly, who is he hiding from if he's already working for the government?
Finally, the notion that a super-secret, middle-aged white guy who also plays in a hardcore rap band - and IDENTIFIES HIMSELF AS SUCH - exposes this pack of lies completely. That's a pretty shitty cloak of anonymity a middle aged white guy that came from another country and plays a lot of instruments in a hard-core rap band north of DC is hiding under.
This guy is real. How do I know? I know a couple of folks of this type. Advertise themselves as born with very high IQ, boast that they hacked/developed software 'early in life', they cannot fly because of certain things that they cannot disclose.. blah..blah...blah.. and guess what? They cannot put together a couple of shell scripts even if they try hard.
Software developers have an incessant need to add features regularly in order to induce paid updates. Take Microsoft for example-- who needed a completely new UI in Windows 8? Only Microsoft. The only update features I ever need from Microsoft is stability/security/bug fixes. After about another 7 or 8 major rev levels of those, there would be some chance of having a system stable and secure enough to actually depend on-- but that'll never happen, as they're too busy monkeying with it in order to justify paid upgrades.
http://www.supermegamonkey.net/chronocomic/entries/scans2/ST127_vsDormammu.JPG
* :)
We're talking "actual footage" up there, as it happened per my quote in my last post!
In any event: I hope that my 'p.s.' got thru to the right people from my last response! Hope they realize the twisted things potential what they've got has, and in the long term too, for anyone (even themselves).
(That's what my speaking earlier was really all about - this other stuff is analogous in a way though too - It's just me recalling a tale of a creature with unlimited power, & what HE was like is all - personally (evil as hell)).
So, in keeping with the comics here, lol, well?
Even Loki the prince of evil/mischief even said of anyone or anything with unlimited power(s): Absolute Power, Corrupting Absolutely & enough? Is NEVER enough, essentially -> http://3.bp.blogspot.com/-2_Jua1OfDz8/ULJS0DHvLmI/AAAAAAAAH9s/8DrC8-p2AM0/s1600/av116_8.jpg
For you Trek freaks? Think Lt. Gary Mitchell... same thing in essence. It's got a way of getting to any man's head, and morals become annoyances and are dispensed with. That can't end good for anyone.
"God. If all this makes a God. Or, is it making you something else?"
Childish?
Maybe, but not really, in using comics etc.: It's just to illustrate a point. Music & MegaDeth's "Symphony of Destruction"'s 1st verse pretty much says the same also for those of you out there that are musically inclined. "You take a mortal man, & put him in control..."
APK
P.S.=> Can't believe I found that 1st image - I read that over 40 yrs. ago now as a 7 or 8 yr. old boy (unbelievable what you can find online) ... apk
See what I did there? ;-)
As I said last week, the root cause which enables cyberwarfare is persistently insecure endpoints all over the internet. Each and every system out there running Linux, Windows, Mac OS X, etc... all are based on an outdated and useless security model. Those nodes can then be used to attack or DoS anything that actually happens to be secure. Unless we shift everything to a system based on capabilities (and the principle of least privilege) we're going to be in a "cyberwar" forever.
I was going to write a serious comment, but then I remembered that at least 75% of Slashdot accounts are just people shilling for the king of Thailand.
Go away Terry Davis.
Somebody from a China Telecom Jiangsu province (Nanjing or thereabouts) IP scanning for BIND version, somebody from a .uk MOD addy trying to set up an OpenVPN connection, and somebody from a bogus .info domain knocking on the MySQL door.
It has the look of some kind of clandestine cyberwar.
There's nothing remotely believable about this story. It posits something entirely unbelievable: that nobody outside a small circle of government stooges is capable of discovering exploitable security flaws, and not only that, but no software (be it closed or open source) out there whatsoever has zero-day exploits not discovered by this mythical team of elite hackers. The mere introduction of "secret" and "government" into the discussion does not make you omnipotent.
This is a recruiting advert slash pro-NSA PR-campaign and Slashdot editors are falling for it. Again. This site is a veritable magnet for both recruiters and data miners looking to get the pulse of the real programming community.
Stop humoring them. Neither job related temptation nor polling disinformation is going to repair the damage done to the sanctimonious façade just destroyed by Edward Snowden's revelations. Nice try, but just throw in the towel. You're just not going to PR-manage this one. Your targeting of Slashdot is desperate.
'... There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.'
What does that say about the theory that open source will have fewer defects? Most of the internet is run on open source. He seems to be saying that it's a bugfest.
I have to say I think it's true, and here's why. Early on I had to implement a protocol from scratch. I read the RFP and implemented it, but as you may know RFPs aren't actually written in EBNF or anything like it, so there's plenty of room between the spaces left by the wordy, not completely explicit spec.
As it happened, my correct implementation also took down the server instance that received it for a particular server which shall remain nameless, except to say that at that time that internet server software accounted for, oh, 95% of servers out there.
So what I had created completely by accident was a near universal death ray.
I am quite sure there are TONS of stuff out there of a similar nature waiting to be exploited. For all I know, that death ray still works.
We don't locate these things because only a small number of us (programmers) are actively looking. Most of us use this stuff trying NOT to break it. The number of people doing the opposite is small. The number of possible serious bugs is more or less infinite. The rest follows from the math.
After Snowden, there'll be lots of checking out his colleagues, and some will lose their jobs. So there's a need for recruitment. This story reads rather like a Stross novel; it's rather exciting, just the right background for recruiting young, impressionable, malleable minds. So I reckon you should read this as an ad for vacancies for the naïve clever.
And the lesson was: The only way to win is not to play at all.
Entertaining story, but highly unlikely to be true; he must have been a shit head of I.T. at 15 - but I suppose it's like they say, "Hire a teenager, because they know everything". A bug every three to five lines of code??? I know of some scary ass bubble gum systems managing countries' economies, but a bug after three lines of code? Nothing would work. Planes would be dropping out of the sky, cars exploding when they brake and use a turn indicator, TVs would be microwaving their audience. Story is not factually sound at all.
Maybe it's to scare all the leet folks into thinking everything in their tool bag is nothing but Swiss cheese to the NSA.
In this line of work, it is scary easy to identify someone in this line of work, especially one who is unprofessional enough to grant an interview to a trade pub (and to do little to further mask his identity). I attended a recent seminar in this field in which panelists debated this very question: Is it ethical to assassinate young, stupid "cyberwarriors" if their work has the potential to disrupt or destabilize mission-critical operations? The bottom line was that most think it is, on the ground that these guys are civilian operatives acting as military "cyberwarfare" "combatants" -- not much of a terminology stretch in a world of "enhanced interrogation techniques."
So what I'm saying is that it may not be long until (and I wouldn't be surprised if it's already happening in places like Israel & Palestine) guys like this interviewee, and their families, are routinely targeted by hit men, suicide bombers, drones, SEALs, whatever. If they're performing military functions -- think Iranian centrifuges -- why wouldn't they be fair game?
And when that happens, how does this social dynamic change? Does our dopey Season 1 Walter White hackercracker immediately transition to Season 5?