Slashdot Mirror


Group Linked To NSA Spy Leaks Threatens Sale of New Tech Secrets (reuters.com)

Hacker group Shadow Brokers, which has taken credit for leaking NSA cyber spying tools -- including ones used in the WannaCry global ransomware attack -- has said it plans to sell code that can be used to hack into the world's most used computers, software and phones. From a report on Reuters: Using trademark garbled English, the Shadow Brokers group said in an online statement that, from June, it will begin releasing software to anyone willing to pay for access to some of the tech world's biggest commercial secrets. In the blog post, the group said it was setting up a "monthly data dump" and that it could offer tools to break into web browsers, network routers, phone handsets, plus newer exploits for Windows 10 and data stolen from central banks. It said it was set to sell access to previously undisclosed vulnerabilities, known as zero-days, that could be used to attack Microsoft's latest software system, Windows 10. The post did not identify other products by name. It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs, without providing further details.

105 comments

  1. Trolling or stupid? by TWX · · Score: 4, Interesting

    It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs, without providing further details.

    Are they attempting to ensure that there's no safe harbor for them anywhere in the whole world? Seems like if one pisses off the USA, Russia, and China, there's no country in the entire world that wouldn't give up these people to someone if their identities are uncovered.

    This makes me wonder about the legitimacy of the claims, and if they're really from a group with this kind of power or if they're just someone trolling for teh lulz.

    --
    Do not look into laser with remaining eye.
    1. Re:Trolling or stupid? by Moheeheeko · · Score: 2

      This makes me wonder about the legitimacy of the claims, and if they're really from a group with this kind of power or if they're just someone trolling for teh lulz.

      I think this last week has proven that, yes, they do have access to these tools.

    2. Re:Trolling or stupid? by mfh · · Score: 3, Insightful

      Either they aren't thinking this through or they are shills for some government to give them an excuse for another scorched earth policy.

      Computers can be made secure most of the time with a little anti-stupidity. Firefox/netflix stops 99.999% of malware unless you whitelist some EvilWebsite. Don't open forwarded emails from your computer-challenged friends & family members.

      Sure there are some nasty exploits on almost every platform but most of them require a javascript call to execute or some poor sap to open an attachment and run it.

      --
      The dangers of knowledge trigger emotional distress in human beings.
    3. Re:Trolling or stupid? by Anonymous Coward · · Score: 0

      Russia does not care. Their country is in the shitter and they've adopted the long term strategy of attempting to drag everyone down in to the shitter with them. Their system of government thrives on chaos and misery.

    4. Re: Trolling or stupid? by Anonymous Coward · · Score: 0

      stupid

    5. Re:Trolling or stupid? by Anonymous Coward · · Score: 1

      Either they aren't thinking this through or they are shills for some government to give them an excuse for another scorched earth policy.

      Computers can be made secure most of the time with a little anti-stupidity. Firefox/netflix stops 99.999% of malware unless you whitelist some EvilWebsite. Don't open forwarded emails from your computer-challenged friends & family members.

      The problem with this mentality is that most of the world is made up of very stupid and ignorant computer users, which is kind of the main reason ransomware has turned into a very successful business model over the last 12-24 months.

      Sure there are some nasty exploits on almost every platform but most of them require a javascript call to execute or some poor sap to open an attachment and run it.

      The number of poor saps in the world is equal to the number of devices running Java/Javascript, proving both can be rather hard to manage.

    6. Re:Trolling or stupid? by Anonymous Coward · · Score: 0

      Firefox/netflix? What have you been streaming lol?

    7. Re:Trolling or stupid? by Anonymous Coward · · Score: 0

      Why would state-sponsored hackers from Russia be concerned about Russia's reaction to what Russia wants them to do in the first place?

    8. Re:Trolling or stupid? by Anonymous Coward · · Score: 5, Insightful

      The NSA knows what the Shadow Brokers have (basically, everything the NSA has). The NSA knows how much damage they can do. Further, the NSA, and ONLY the NSA, are in a position to disclose the remaining weaponized vulnerabilities to Microsoft, to get them fixed, and protect the rest of us from harm.

      It's beautiful, you see. The NSA MUST voluntarily surrender the weapons that they have been sitting on, or they will be directly responsible for the use of those weapons against us. And this time, there is no head start...if the NSA doesn't disclose them, Microsoft can't fix them, and the ensuing hacks will make WannaCry look like a preshock.

    9. Re:Trolling or stupid? by TWX · · Score: 3, Insightful

      One of the things that has bothered me about computing developments over the last 20 or so years is that the push for easier and easier UI should have ended about fifteen years ago, and when the realization that an ever-increasingly-connected Internet was to be the future, the focus should have shifted away from UI and to backend security and testing of software products and protocols. Unfortunately that stuff isn't visual, so it's hard to sell a user on a new version of Windows without changing the look.

      In my opinion GUI development peaked sometime around 1996 or 1997. Windows 95 OSR2 with IE4 debuted and integrated the web browser into the filesystem shell in a way that's basically the same as it is today, and most of the elements in Windows that we're used to were implemented. In XWindows the most important elements of each major windowmanager project had been created. Only lagging was Apple, OSX wouldn't debut for another four or five years, but again, there were UI elements similar to Microsoft's or to Common Desktop Environment (CDE) or to KDE, so there wasn't a whole lot that was truly new, and a lot of the OS was borrowed from its predecessor NeXT anyway.

      Sure they've changed the colors, they've shifted back and forth between 3D-looking window frames and icons and 2D-looking window frames and icons, and they rearrange the look of the dialog boxes or replace the Start Menu with a new menu, but they just seem to be reinventing the wheel, not actually creating anything new. But they aren't focusing on security like they should be either, even though with the UI nailed down they really should be.

      --
      Do not look into laser with remaining eye.
    10. Re:Trolling or stupid? by Sir+Holo · · Score: 1

      This makes me wonder about the legitimacy of the claims, and if they're really from a group with this kind of power or if they're just someone trolling for teh lulz.

      RULE #1: Don't hold the whole world for ransom –– where would you go once they paid-up?

    11. Re:Trolling or stupid? by Sir+Holo · · Score: 2

      Agreed. NSA bears a huge responsibility for any bad things that happen.

      NSA not only kept zero-day exploits secret, but they weaponized them. And, apparently, even wrote manuals for these weapons. Then they failed to keep these weapons secure –– now they are out there.

      Every day that NSA lets this stuff just sit out there, without doing anything to mitigate potential damage from their weapons, puts more and more responsibility on their shoulders.

    12. Re:Trolling or stupid? by Anonymous Coward · · Score: 0

      I was guessing that he meant "firefox/noscript".

    13. Re:Trolling or stupid? by mfh · · Score: 1

      /facepalm

      Thanks, Autocorrect!

      --
      The dangers of knowledge trigger emotional distress in human beings.
    14. Re:Trolling or stupid? by Anonymous Coward · · Score: 0

      These guys are front runners for the annual Darwin Trophy. They better get a much longer stick if they want to continue poking the caged tiger. Their arrogance will lead to their downfall so they best start running and hiding. They seem to be under the impression that the NSA is actually staffed with government employees that are as incompetent as the government as a whole is. In reality they are staffed by some of the best software and hardware engineers on the planet with almost no limits on the resources they can call upon. Their current actions will most likely end up destroying the perception that Bitcoin transactions are immune to being identified and tracked. I am sure the NSA has a lot of capabilities they are keeping a secret until a situation arises where the tool can be used to maximum effect. They won't use these tools against normal cyber crimes but this group might just be worth exposing the ability to take them out. But then again Israel may already have an undercover asset placed into this group to take care of the situation if asked nicely.

    15. Re:Trolling or stupid? by Anonymous Coward · · Score: 0

      Answer: Make the world have far bigger problems to deal with so that they have no choice but to ignore you while you establish a new cover identity.

      I'd doubt the nuclear claim, but they could easily send the world's economy into the toilet, causing bank runs, mass panic, and riots.

    16. Re:Trolling or stupid? by Anonymous Coward · · Score: 0

      Out of 150K (claimed by the authorities) Playpen pedos just 1K are in prison. And the authorities have been working from the best place possible. The yield is less than one percent. A clever pedo now knows that she only needs to be better than, say, the bottom 5% to be totally safe in her lifetime.

      From my observations, good cybercriminals are in the third quartile, typically.

    17. Re:Trolling or stupid? by Anonymous Coward · · Score: 0

      Perhaps the larger game that is afoot is to ALLOW the tools to grow in the wild and not give the multinational companies the edge in stopping the wildfire before it begins. This would accomplish several things:
      1. Significant stigmatization towards the US by those in other countries
      2. Significant stigmatization towards the gov (in simple terms: Trump and the security apparatus) and multinational companies in the US indirectly facilitating a political shift in the direction that was desired back in 2016
      3. Stir the pot of distrust towards the US to influence other geopolitical events that usurp the US's overseas influence and aids in isolating the country from international affairs (in simple terms: move away from swift when those are compromised on a large scale (not to mention banks), dollar use in trade, and so on)
      4. And...more...just sit back and ponder the possibilities for a moment.

      Seems probable.

    18. Re:Trolling or stupid? by sit1963nz · · Score: 1

      I wonder if there is now some means for whole countries to sue the USA government under current trade agreements. After all, it can be shown that the US government (via its agencies) knows about these flaws but is choosing to hold them back to stop them from being patched. This causes financial harm to countries who may have the rights to sue under trade agreements. THAT could get interesting.

    19. Re:Trolling or stupid? by sit1963nz · · Score: 2

      Who said financial reward was their ultimate goal ?

      Maybe it's to force the US government into revealing all their exploits so they can be patched.

      The alternative is that US allies will feel betrayed, that loss of trust will get reflected in attitudes to the USA, make it a tipping point where US citizens get scrutinised more heavily at international borders, need visas for entry, trade goods will need closer (and more expensive) inspection, US owned transport given lower priority at ports and airports, reduced dependence on US software companies, etc etc etc etc etc

      One way or another, this is a huge setback for the USA. And if that's the goal, the money is a smoke screen.

    20. Re: Trolling or stupid? by Anonymous Coward · · Score: 0

      Netflix stops malware now? Well, I guess if you're watching it you aren't browsing other sites.

    21. Re:Trolling or stupid? by Onthax · · Score: 1

      US doesn't recognize the international courts soo...

    22. Re:Trolling or stupid? by Sir+Holo · · Score: 1

      Who said financial reward was their ultimate goal ?

      . . .

      One way or another, this is a huge setback for the USA. And if that's the goal, the money is a smoke screen.

      Hmmn. $300 does seem kind of low for a ransom, doesn't it?

    23. Re:Trolling or stupid? by sit1963nz · · Score: 1

      It's small enough that some will pay anyway, and who knows, maybe it's going to them, or maybe to a 3rd party.

      But the hit that spy/law enforcement agencies and the US is going to take to their reputation is probably priceless.

      And as they dribble out more exploits, this is going to be the gift that keeps on giving and it's going to take YEARS to recover, if they ever do.

      It may even be that if this is state sponsored, they have made themselves much safer while leaving everyone else open to the exploits they know about.

    24. Re:Trolling or stupid? by Anonymous Coward · · Score: 0

      In reality they are staffed by some of the best software and hardware engineers on the planet that have sufficiently-abysmal moral standards and who when approached did not tell them to go fuck themselves and go off to form the shadow brokers.

      FTFY
      HAND

    25. Re:Trolling or stupid? by Anonymous Coward · · Score: 0

      This couldn't be more out of context.
      Yes, basic security works most of the time, but we are talking about zero-days and SWIFT here.

    26. Re:Trolling or stupid? by Anonymous Coward · · Score: 0

      Or they are using a false flag technique. Most likely they are actually affiliated with one of those major powers and to avoid revealing which one they have to appear to piss off each of them. Let's just say they are North Korean for example, then the NK documents they release would probably be mostly BS to throw people off the trail (with a couple old bits that can be verified to come from NK to keep up the ruse).

  2. send in some elite govt killers by FudRucker · · Score: 0

    to hunt them down and hose em down with machinegun fire

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:send in some elite govt killers by Anonymous Coward · · Score: 0

      Why? Why do you hate them? The NSA and CIA have known about all of these exploits for a long time. Do you think the SB guys are the ONLY criminals to ever find these holes? These guys are semi-heroes in my mind.

      They are NOT creating attack vectors. They are pulling back the curtain to EXPOSE known attack vectors that evil organizations have possibly put there on purpose.

    2. Re:send in some elite govt killers by FudRucker · · Score: 1

      They are profiteers wanting to make money selling computer exploits. They won't care who buys them, even if some terrorist buys them to extort or rob banks and corporations with to fund terrorist activity. They need to be found and stopped.

      --
      Politics is Treachery, Religion is Brainwashing
    3. Re:send in some elite govt killers by Anonymous Coward · · Score: 0

      If they didn't make the threat real, then nobody would care. They are doing what they have to in order to force Microsoft's hand.

    4. Re:send in some elite govt killers by sit1963nz · · Score: 1

      Americans "We come in peace, shoot to kill".

      Can I assume that you also believe any foreign government has a right to retaliate ?

      No matter what you have been told, American lives are not automatically worth more than anyone else's.

    5. Re:send in some elite govt killers by Anonymous Coward · · Score: 0

      If you're an American, they are.

  3. End of Bitcoin by DatbeDank · · Score: 2

    It's only a matter of time before some hare-brained bureaucrat suggests blocking bitcoin transactions as a means to prevent criminals from funding themselves.

    1. Re:End of Bitcoin by Anonymous Coward · · Score: 1

      Well, there is a reason that the $100 is America's largest commonly circulated currency. Not saying it would be right to regulate or end it. Just that if they CAN'T regulate it, they will inevitably try to end it.

    2. Re:End of Bitcoin by Anonymous Coward · · Score: 2, Informative

      Actually, I wonder if Bitcoin will prove their undoing.

      Contrary to popular belief, Bitcoin is not anonymous. It's pseudonymous. Every single bitcoin transaction is recorded in the shared ledger of which account it went from, and which account it went to - it's HEAVILY tied to an identity. The thing is anyone can set up a bitcoin wallet with an encryption key, so we don't know which real person each wallet is associated with.

      Why is this relevant? Because AT SOME POINT, the criminals need to get their money OUT of bitcoin and into the real world, where they can actually spend it on things. And at that point, they need to sell bitcoins out of some wallet, and exchange them for cash.

      Because every single bitcoin transaction is traceable (this is the entire purpose of the ledger), it's easily knowable which wallet the ransom was paid to. It's easily knowable which other wallets that wallet transferred the bitcoins to. And, at some point, it will be knowable when one of those wallets attempts to trade bitcoins for cash. And, should the perpetrators be arrested at this point, there will be a forensically traceable trail tying them to every single ransom they were paid, and so to every crime they committed.

    3. Re:End of Bitcoin by DatbeDank · · Score: 1

      Couldn't a criminal just use a bitcoin mixer to mitigate this?

    4. Re:End of Bitcoin by Opportunist · · Score: 1

      Same way that they do it now with bank phishing: Hire some bum off the street to go into the Western Union to cash in the money from the transaction slip you give him. He gets to keep a few pennies and hands you the rest of the dough.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re: End of Bitcoin by Anonymous Coward · · Score: 0

      Yes.

    6. Re:End of Bitcoin by Anonymous Coward · · Score: 0

      people in power are very much enjoying bitcoin
      it is here to stay
      it's fueling the coke habits

    7. Re:End of Bitcoin by cfalcon · · Score: 2

      > And at that point, they need to sell bitcoins out of some wallet, and exchange them for cash

      Yeah, but like any burgeoning semicriminal area, there's a reasonable amount of mitigations for this risk.

      The simplest one is overt laundering. You put some amount of your illegally gained money into a pool that is trusted to spit out some fraction of that at a later time, to an entirely different account. Because the pool is constantly spewing bitcoin at arbitrary accounts, it is not always obvious which goes where. As this can be repeated several times, it is argued online that it makes investigations difficult (or at least, that's the implication of the totally-not-a-criminal types who run these things).

      A secondary one is to convert bitcoin to an entirely different cryptocurrency, good, or future, one that is believed to be harder to trace, and then convert it from there to either bitcoin, or direct purchase of goods.

      It could also be directly turned into goods or services, or even donated to some supposed charity.

      Bitcoins clearly can be investigated, and are. If they can be traced properly, that capability is not a well known or frequently deployed one.
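      The ledger walk described two comments up (every transaction records which address paid which, so an investigator can follow the ransom wallet forward to the point where coins hit an exchange) and the pooling that cfalcon describes, as an added example that is not part of this thread and not code anyone here posted. The ledger, addresses and amounts below are constructed; the model is simplified to address-to-address transfers with no fees (real Bitcoin uses unspent outputs, not account balances), and the "mixer_pool" address stands in for a mixing service whose payouts go to fresh addresses.

```python
"""Following tainted coins through a pseudonymous ledger (constructed example).

Two views an analyst actually uses:
  * reachability: which addresses ever received anything downstream of the
    ransom wallet, and which transactions link them (the "poison" view);
  * haircut taint: what fraction of each address's current balance is
    attributable to the ransom wallet when funds were pooled with clean
    coins on the way (the "proportional" view).
"""
from collections import defaultdict, deque

# Constructed ledger in confirmation order. Each entry is
# (txid, [(input_address, amount), ...], [(output_address, amount), ...]).
# Addresses are invented labels, not real Bitcoin addresses.
LEDGER = [
    ("tx1", [("victim_A", 0.17)], [("ransom_wallet", 0.17)]),   # ransom paid
    ("tx2", [("victim_B", 0.17)], [("ransom_wallet", 0.17)]),   # ransom paid
    ("tx3", [("ransom_wallet", 0.34)], [("hop1", 0.30), ("ransom_wallet", 0.04)]),  # change back
    ("tx4", [("hop1", 0.30)], [("mixer_pool", 0.30)]),          # deposit to mixer
    ("tx5", [("alice_in", 0.60), ("bob_in", 0.40)], [("mixer_pool", 1.00)]),  # clean deposits
    ("tx6", [("mixer_pool", 1.30)], [("fresh1", 0.29), ("fresh2", 0.48), ("fresh3", 0.53)]),
    ("tx7", [("fresh2", 0.48)], [("exchange_deposit", 0.48)]),  # cash-out attempt
]


def _edges(ledger):
    """Yield (src_address, dst_address, txid) for every input/output pair."""
    for txid, inputs, outputs in ledger:
        for src, _ in inputs:
            for dst, _ in outputs:
                yield src, dst, txid


def trace_forward(ledger, source):
    """All addresses reachable from `source` by following outputs forward.

    This is the naive view: a mixer makes every payout look tainted.
    """
    graph = defaultdict(list)
    for src, dst, txid in _edges(ledger):
        graph[src].append((dst, txid))
    seen, queue = {source}, deque([source])
    while queue:
        addr = queue.popleft()
        for nxt, _ in graph[addr]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def path_to(ledger, source, target):
    """Transaction ids on the shortest forward path source -> target, or None."""
    graph = defaultdict(list)
    for src, dst, txid in _edges(ledger):
        graph[src].append((dst, txid))
    parent = {source: None}
    queue = deque([source])
    while queue:
        addr = queue.popleft()
        if addr == target:
            break
        for nxt, txid in graph[addr]:
            if nxt not in parent:
                parent[nxt] = (addr, txid)
                queue.append(nxt)
    if target not in parent:
        return None
    path, cur = [], target
    while parent[cur] is not None:
        prev, txid = parent[cur]
        path.append(txid)
        cur = prev
    return path[::-1]


def haircut_taint(ledger, source):
    """Fraction of each live balance that traces back to `source`.

    Every coin that lands on `source` is fully tainted. When a transaction
    spends a mix of tainted and clean inputs, each output inherits the
    pooled fraction. A mixer therefore smears the same fraction over all of
    its payouts instead of hiding it.
    """
    balance, tainted = defaultdict(float), defaultdict(float)
    for _, inputs, outputs in ledger:
        total_in = sum(amt for _, amt in inputs)
        tainted_in = 0.0
        for addr, amt in inputs:
            frac = tainted[addr] / balance[addr] if balance[addr] > 1e-12 else 0.0
            tainted_in += amt * frac
            balance[addr] -= amt
            tainted[addr] -= amt * frac
        frac_out = tainted_in / total_in if total_in else 0.0
        for addr, amt in outputs:
            balance[addr] += amt
            tainted[addr] += amt if addr == source else amt * frac_out
    return {a: tainted[a] / balance[a] for a in balance if balance[a] > 1e-12}


if __name__ == "__main__":
    print("reachable:", sorted(trace_forward(LEDGER, "ransom_wallet")))
    print("path to exchange:", path_to(LEDGER, "ransom_wallet", "exchange_deposit"))
    for addr, frac in sorted(haircut_taint(LEDGER, "ransom_wallet").items()):
        print(f"{addr:18s} {frac:.1%} tainted")
```

      Running it shows what the two views disagree on: reachability marks all three mixer payouts and the exchange deposit as downstream of the ransom wallet, while the haircut view puts the same 23% taint on each payout, because 0.30 of the 1.30 BTC pooled in the mixer was ransom money. That is the ambiguity a mixer buys; it does not erase the link, and an exchange that knows its customer still has a name attached to `exchange_deposit`.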

    8. Re: End of Bitcoin by Anonymous Coward · · Score: 0

      Yes.

      No.

      Or rather; sort of. Bitcoin mixers are not perfect and I don't think they are fully understood.

      CAPTCHA: Mistakes

    9. Re:End of Bitcoin by AHuxley · · Score: 1

      For that to work the person of interest has to be in a nation that keeps CCTV for 6 months and does the final cash transaction in person in front of a nice HD camera.
      Or who drives their own car to do the cash exchange and gets caught in a nation that keeps car park CCTV for 12 months and can find that date and time weeks or months later.

      --
      Domestic spying is now "Benign Information Gathering"
    10. Re: End of Bitcoin by Anonymous Coward · · Score: 0

      Agreed. It is possible to properly mix bitcoins but a single cycle through a typical mixing service is far from foolproof (and somewhat expensive to boot).

  4. Odd Behavior by nehumanuscrede · · Score: 3, Interesting

    Considering their last attempt to sell such data was somewhat lacking in buyers, I'm curious why they don't just ring up WikiLeaks, get a semi-decent payday and be done with it.

    Unless, of course, it's the intel agencies themselves playing the part of TSB seeing who they can reel in on their fishing expedition.

    1. Re:Odd Behavior by courteaudotbiz · · Score: 1

      Interesting view. Fishing expedition. But I guess any buyer will be careful enough not to reveal his real identity, and will for sure hide behind strong anonymization services. Then how would they really catch their fish? It's a pretty risky way to go fishing...

    2. Re:Odd Behavior by Anonymous Coward · · Score: 1

      They better act quickly, before Donald gives it away for free.

    3. Re:Odd Behavior by Guy+Smiley · · Score: 1

      An alternate approach that may make more money, and would definitely be both more legit and less likely to piss everyone off, would be to use the exploits to get payouts from each company's bug bounty program. Unless the NSA went ahead and preempted this approach by releasing all of their zero-day exploits to the vendors (seems unlikely), they could do this for years, maybe at 10-50k a pop depending on how bad they are.

    4. Re:Odd Behavior by Anonymous Coward · · Score: 0

      That would give their identities away.

  5. How bad is this, really? by Anonymous Coward · · Score: 0

    Everybody, and I mean everybody, knows that most of our computer systems totally and irredeemably suck to an overwhelming, extreme degree. They aren't made to not suck! There is near-unanimous consensus that the computer systems in most businesses, governments and other organizations are very insecure, from the smallest to the largest. The only reason they aren't penetrated routinely is that nobody cares enough to bother -- no, wait we know that's true. The only reason you aren't hearing about them being penetrated all the time, is that it goes undetected.

    We know we are doing a totally awful job and this is not controversial. Nobody who doesn't work in sales says "our systems are secure."

    And we aren't doing anything about it. Microsoft isn't even close to being out of business.

    Maybe the whole thing getting more in-your-face is a good thing, not a bad thing. It's not like the degree of vulnerability has changed; it's just that the perps are more audacious and better publicized. Your bank's and employer's and government's systems were just as terrible a year ago. But now you're hearing about it all the time.

    Good! I also think it's good that the president tweets. He should be a focus of attention.

    Everybody ought to be coming up with ways to keep these disasters from happening again. And having it rubbed in your face every day, might be the only way we'll do what we need to. We otherwise aren't responsible enough to do the obvious things that need to be done. We are children, and until we clean up our rooms, it's all broccoli and no cookies for us.

    Keep the horror show going.

    1. Re:How bad is this, really? by Opportunist · · Score: 3, Informative

      Erh... no. Allow me to shed some light onto this.

      I've been in IT security for about 10 years now. For most of this time, security was but an afterthought. Security is the equivalent of insurance or the military: Expensive and utterly useless unless you really, really need it. Be honest, do you need fire insurance? As long as it doesn't burn anywhere, it's just a waste of money. And for the longest time, there was no fire anywhere in IT. Yes, from time to time there was a bit of a problem. A worm that dug into millions of computers. Or some big company was hit by a hack that did minimal damage.

      The problem here is that the damage was simply not high enough to warrant employing people who cost 6 figures a year and can't even guarantee that you'll be protected against anything that may come your way. Take this highly simplified risk calculation: If your potential damage in case the risk manifests isn't higher than the chance of it manifesting times the cost to mitigate it, it is more sensible to just carry the risk.

      And for the longest time, this was the case. Imagine a potential damage of a million bucks per incident. If that happens once every ten years in your company, your annual cost to mitigate must not be higher than 100k. And 100k isn't really much money in ITsec.

      If it costs more, you're better off just taking the hit once a decade.

      For the longest time this was actually a sensible way to operate. Financially sensible. We've been warning about something like this for years. It was pointless, because the risk never manifested as incidents.

      Now the incidents happen.

      And now it is too late. We're in too deep to recover. Most of the software and hardware we use cannot be sensibly secured, because, as noted before, security is an afterthought and was not part of the fundamental design. Take HTTPS of all the things. What is it, essentially, but a thin security fig leaf on top of http? And we're still dealing with crucial infrastructure like DNS and DHCP that are by no means secure (not only because they still use a protocol where you can't even sensibly find out who the hell sent the packet in the first place), and while secure replacements exist, their implementation cost too much. Not only because we'd need new hardware.

      More importantly, we'd need better trained administrators. Wait, more precisely: We'd need administrators that get at least basic security training. When you see people shrug at you when you tell them that using self signed certs is not ok and you get back a "what's your problem, it IS encrypted, what else do you want?", you know that the person does not even understand what he is doing here. We are critically underprepared for what's coming our way, what we see here is the tip of the spear that's going to hit us right into the chest.

      And we will not have the time left to don armor.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re: How bad is this, really? by Anonymous Coward · · Score: 0

      Me and my band are over here in the corner playing some lovely toons. We are trying to figure out where to put these deck chairs next. Stop on over before the boat sinks. We appreciate any feedback.

      xD

    3. Re:How bad is this, really? by Anonymous Coward · · Score: 0

      There IS no armor, that's a failed paradigm. What you need is to be non-corporeal.

    4. Re:How bad is this, really? by Mhrmnhrm · · Score: 1

      Wait, more precisely: We'd need administrators that get at least basic security training. When you see people shrug at you when you tell them that using self signed certs is not ok and you get back a "what's your problem, it IS encrypted, what else do you want?", you know that the person does not even understand what he is doing here.

      Yes, because we *ALL* know how trustworthy the CA's are. With a self-signed cert, you have direct and immediate control over it. Going through a CA, you're trusting (there's that concept again) that they know what they're doing, that they're not issuing... alternative... certs that you didn't authorize, and that should your cert be compromised, they'll inform you in a timely (if at all) manner.

      --
      I suspect that one of these choices is incorrect. Correct.
    5. Re:How bad is this, really? by Opportunist · · Score: 1

      Don't worry. Quite a few companies will be in the near future...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:How bad is this, really? by Opportunist · · Score: 1

      Why should I trust your cert? More importantly, why should I believe that the cert your server presents to me is your cert? How do I know it is your server presenting the cert and not some man in the middle? I cannot verify a self signed certificate. I have no way to determine whether the certificate you present to me is genuine.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:How bad is this, really? by Slayer · · Score: 1

      By trusting a signed cert I basically trust that signing company (certificate authority), and this doesn't always work out. Stolen certs were used to spread virus/malware infections, and political activists in Iran were spied on by their gov't because some CA's root certificate was hacked.

      Certs signed by registered CAs may offer a tad more protection against MITM attacks than self signed ones, but they are definitely no silver bullets.

    8. Re:How bad is this, really? by AHuxley · · Score: 1

      Re "The only reason you aren't hearing about them being penetrated all the time, is that it goes undetected."
      That's the interesting part. The lists of the antivirus brands that don't have the skills to do behavioral analysis or watch over the OS for changes.
      Some brands have the staff and skills to find and track gov funded malware long term.
      With more smart people globally reading the gov files, more people might just avoid those low quality AV brands and buy quality AV that detected or was able to track past gov malware.
      The more new people that buy the AV, the more new staff can be hired, the better detection and tracking gets.

      --
      Domestic spying is now "Benign Information Gathering"
    9. Re:How bad is this, really? by Opportunist · · Score: 1

      There is no silver bullet. And people understanding certificates wrongly is only the tip of the iceberg. Even if they do start to get the idea, it isn't a given that they actually understand the implications. Just because the certificate is CA signed doesn't mean that your data is protected. At least if you click a link that connects you to Bank0fAmerica.com. Yes, the connection is encrypted and the certificate is really for the server Bank0fAmerica.com. But I somehow doubt that this is where you want to send your Bank of America credentials...

      Security is a process, not a product. Security isn't a little black box you can buy, put in the corner, connect to your network and it automagically protects you against anything and everything an attacker may throw at you. I know that this is what management wants and keeps buying from snake oil peddlers, but it just does not work that way.

      That does not mean that it's futile, that we should throw our hands up, yell "it's hopeless" and give the attackers free rein. It isn't hopeless and it isn't impossible. But it is an arms race. It isn't something you can buy today and forget about it, it is something you have to develop, implement, measure, evaluate and refine. Constantly.

      That management does not like to hear this is a different matter...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
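      The look-alike domain problem in the comment above (a valid certificate for Bank0fAmerica.com tells you nothing about whether that is the site you meant) can be caught mechanically by comparing a "skeleton" of the host name against a list of protected domains. The following is an added example in Go, not code from the original discussion; the confusable table is a small ASCII subset chosen for the example (real deployments use the Unicode TR39 confusables data and the public suffix list), and the protected domains and test hosts are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Sequences that look alike in common fonts. Assumption for the example: a
// small ASCII subset of TR39-style confusables, not an exhaustive table.
var confusables = []struct{ from, to string }{
	{"rn", "m"}, // two-character rules must run before single-character ones
	{"vv", "w"},
	{"cl", "d"},
	{"0", "o"},
	{"1", "l"},
	{"5", "s"},
	{"|", "l"},
}

// skeleton lower-cases a host name and collapses look-alike sequences, so
// "Bank0fAmerica.com" and "bankofarnerica.com" both become "bankofamerica.com".
func skeleton(host string) string {
	s := strings.ToLower(strings.TrimSuffix(host, "."))
	for _, c := range confusables {
		s = strings.ReplaceAll(s, c.from, c.to)
	}
	return s
}

// registrable keeps the last two labels ("login.example.com" -> "example.com").
// Good enough here; production code needs the public suffix list (example.co.uk).
func registrable(host string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	if len(labels) < 2 {
		return strings.Join(labels, ".")
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// LookAlike reports whether host impersonates one of the protected domains:
// it is neither that domain nor one of its subdomains, yet its skeleton matches.
func LookAlike(host string, protected []string) (brand string, suspicious bool) {
	reg := registrable(host)
	regSkel := skeleton(reg)
	for _, p := range protected {
		p = strings.ToLower(p)
		if reg == p {
			return "", false // the genuine site (or a subdomain of it)
		}
		if regSkel == skeleton(p) {
			return p, true
		}
	}
	return "", false
}

func main() {
	protected := []string{"bankofamerica.com", "paypal.com"}
	hosts := []string{"www.bankofamerica.com", "Bank0fAmerica.com",
		"secure.bankofarnerica.com", "paypa1.com", "example.com"}
	for _, h := range hosts {
		brand, bad := LookAlike(h, protected)
		fmt.Printf("%-28s suspicious=%-5v impersonates=%q\n", h, bad, brand)
	}
}
```

      This only flags registrable domains whose skeleton collides with a protected one; a CA-signed certificate for such a domain is, as the comment says, perfectly valid, so the check has to live in the client (or a proxy), not in certificate validation.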
    10. Re:How bad is this, really? by Slayer · · Score: 1

      CA signed certificates protect you only in those cases where you don't need protection anyway, and as soon as you really need this protection against MITM, they are the first to fall while instilling a wrong sense of security. As long as there is no truly dependable CA out there, one might as well put the same amount of trust in self signed certificates.

      US/UK based companies have shown on multiple occasions that they are ready to bend over for authorities as fast as they can; just remember the shameful behavior of Mastercard/Visa/Amazon during the wikileaks/cablegate episode, or Google/Yahoo with regard to Chinese dissidents. CAs from other countries are either borderline incompetent (remember Diginotar) or just as easily manipulated/coerced, just with less media coverage than US based companies.

      The biggest issue with half-arsed solutions like this CA mess is that people put way too much trust in them. These "solutions" switch people into ignorance=bliss mode. While everybody will agree that security is a process and not a product, it's just so damn convenient to forget this once in a while.

    11. Re:How bad is this, really? by Opportunist · · Score: 1

      CAs protect against rogue actors. Normal criminals. Protection against criminal governments takes more effort.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:How bad is this, really? by Slayer · · Score: 1

      I would assume that 99.99% of all MITM attacks were executed by, or per request from, a government, typically the one the client resides in. I just don't see my Telco or some upstream provider sniff on my banking or gmail traffic unless my government would specifically instruct them to do so. Once that is the case, no browser automated CA signature check can save you.

      SSL/TLS are mechanisms to ensure that traffic is encrypted such that only you and the actual endpoint of the connection can read its contents. Putting any trust beyond this in such a connection is likely going to lead to a compromise. Once we settle for this, a self signed certificate is just as trustworthy as one signed by some CA.

    13. Re:How bad is this, really? by Opportunist · · Score: 1

      Don't forget that the "man" in the MITM can as well be some kind of trojan sitting inside your computer, proxying the connection.

      It boils down to the problem of determining whether the certificate presented to you is actually one issued by the server you are connecting to. This can of course also be solved with self-signed certificates. Actually, in all really important cases, I do solve it with self signed certificates, but it means that you somehow have to solve the problem of verifying authenticity. This is acceptable when you are dealing with a handful of critical servers that MUST be verifiably genuine, where you do not want to rely on the trust to a certain CA.

      It is completely unfeasible for the masses of encrypted servers out there. If I first had to verify the signature of every single https server I connect to, I wouldn't do much else with my time.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    14. Re:How bad is this, really? by Slayer · · Score: 1

      > Don't forget that the "man" in the MITM can as well be some kind of trojan sitting inside your computer, proxying the connection.

      Once you lost control over your computer, encryption won't be of much help - just think of keyloggers ...

      > It boils down to the problem of determining whether the certificate presented to you is actually one issued by the server you are connecting to. This can of course also be solved with self-signed certificates.

      This is generally not practical, since it would require you to receive authentication through a distinct communication channel - not happening, at least in the WWW. The current situation goes like this: 1. you call a phone number you found somewhere; 2. the party claims to be someone; 3. the party sends you an SMS confirming that the party is really who they claim to be; 4. you send an SMS to someone else, asking "is this really who I think it is?"; and 5. that someone else tells you "yes, it is!"

      Since that "someone else" owes you exactly nothing, whereas that "someone else" gets paid by the party you actually got on the phone, whoever that may be, you have a massive conflict of interest working against you, making self signed certs not less credible than CA signed ones.

      > Actually, in all really important cases, I do solve it with self signed certificates, but it means that you somehow have to solve the problem of verifying authenticity. This is acceptable when you are dealing with a handful of critical servers that MUST be verifiably genuine, where you do not want to rely on the trust to a certain CA.

      I agree, that's hardly feasible for world wide web traffic. Still: SSL/TLS is great for protecting against sniffing by peers (=other folks on the same LAN), but not for much else, regardless of who signed your certificate.

    15. Re:How bad is this, really? by Opportunist · · Score: 1

      In this case the certificate (along with pinning) does less for your security than for your ability to detect that the connection is compromised. That's the whole point behind CA-signed certificates. They don't encrypt any better than self signed, they only tell you that the encryption isn't between you and who you think you are connecting to.

      And yes, verifying the authenticity of self-signed certificates isn't feasible in most circumstances, unless the required security warrants the disproportionately insane overhead. But yes, such applications exist. They are rare and certainly not something you do for your average online server, but I have traveled myself just to deliver a key in person to ensure that all-important authenticity.

      What I cannot agree to is that TLS isn't sufficient to encrypt sensitive data. Its actual weakness currently is mostly to verify the authenticity of the other end, the encryption part is actually pretty decent.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
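      What the two posters above converge on, a self-signed certificate whose key is verified out of band and pinning as a way to detect a swapped endpoint, is easy to show end to end. The following is an added example in Go, not code from the original comments: it generates a throwaway self-signed certificate, runs a TLS server on loopback, and then dials it three ways, once with the default CA-store policy (which rejects the self-signed cert), once with an SPKI pin that replaces chain validation, and once with that same pin against an impostor that has the right host name but its own key. The host name vault.internal and the pin value are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for host (no CA involved).
func selfSigned(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo: the one value the
// client must obtain out of band (hand-carried, as the comment above describes).
func spkiPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// pinVerifier replaces CA chain building: the leaf is accepted only if its
// SPKI hash equals pin, regardless of who signed it.
func pinVerifier(pin string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("no certificate presented")
		}
		got, err := spkiPin(rawCerts[0])
		if err != nil {
			return err
		}
		if got != pin {
			return fmt.Errorf("SPKI pin mismatch, got %s", got)
		}
		return nil
	}
}

// handshake performs one client handshake against a loopback server presenting
// serverCert and returns the client-side error (nil on success).
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // any failure also surfaces on the client side
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Scenarios runs the three client policies described in the lead-in and
// returns each one's handshake error.
func Scenarios() (caErr, pinErr, impostorErr error) {
	genuine := selfSigned("vault.internal")
	impostor := selfSigned("vault.internal") // same name, different key
	pin, err := spkiPin(genuine.Certificate[0])
	if err != nil {
		panic(err)
	}
	caErr = handshake(genuine, &tls.Config{ServerName: "vault.internal"})
	pinned := &tls.Config{
		ServerName:            "vault.internal",
		InsecureSkipVerify:    true,             // disables chain and host-name checks...
		VerifyPeerCertificate: pinVerifier(pin), // ...so the pin check has to replace them
	}
	pinErr = handshake(genuine, pinned)
	impostorErr = handshake(impostor, pinned)
	return
}
```

      Note the trap in the pinned configuration: InsecureSkipVerify switches off both chain validation and the host-name check, so VerifyPeerCertificate is now the only thing standing between you and the impostor; forgetting to set it turns "pinning" into "trust anything".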
  6. Again? by Opportunist · · Score: 1

    Last time they pulled that stunt I think the bid went up to 3 or even 5 bitcoins.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Again? by Anonymous Coward · · Score: 0

      I think they might get a little more attention now that we've seen what some of their tools are capable of doing.
      Last time, I think they offered to sell all of the stolen data/tools for $12 million in bitcoin. In this new statement, they are clearly upset about the fact that nobody took them up on the offer.

  7. What if I told you by DeplorableCodeMonkey · · Score: 0

    You can be in favor of the death penalty for the US citizens who decided it was a good idea to facilitate these leaks and oppose the NSA's practices at the same time?

    Any US citizen who was involved in this deserves to be regarded as the Internet version of the Rosenbergs if this really plays out.

    1. Re:What if I told you by Anonymous Coward · · Score: 0

      I disagree. Sometimes, the only way to get something fixed is to expose it to the public. I'm not saying Snowden was a hero, but the people who are bringing these known bugs to light kind of are.

      The Internet needs to be fixed.

    2. Re:What if I told you by craigminah · · Score: 0

      Why doesn't WikiLeaks leak information about China, Russia, Iran, North Korea or any other country? Just American leaks are made public so I bet WikiLeaks is supported by one or more of our enemies financially or technically.

    3. Re:What if I told you by Anonymous Coward · · Score: 0

      Oh please! Stop with the drama. All these tools are old and obsolete. Let the commies have them. The new shit that hasn't been revealed goes far beyond any of this.

    4. Re:What if I told you by Anonymous Coward · · Score: 0

      > Why doesn't WikiLeaks leak information about China, Russia, Iran, North Korea or any other country?

      They did and do (at least on the first three mentioned). One of their biggest data dumps is from Turkey. Have a look at their website.
      That your fake news does not cover those does not mean they do not exist. Get out of the bubble you live in, find more news sources. Bezos owned news media is hardly a good source.

      -
      However, IMO, they should focus primarily on USA, as the most powerful state, harming and killing, and invading privacy of, more people than any other state.

    5. Re:What if I told you by AHuxley · · Score: 1

      Re "Any other country"
      Other nations got their networks totally penetrated by the NSA and GCHQ, so they don't do anything interesting on the phone or internet anymore.
      They learned from all their past network mistakes and have people thinking about better security.
      They have a secure base, site, science city that's totally secure from the outside world. No tourists, no students on holiday, no illegal migrants, no foreigners wandering around, no embassy staff making friends. Fewer spies get near their sites of interest.
      Their secrets stay safe as they test and select their staff to a better level too.
      None of that US gov worker, US contractor, mil, other agency staff mix, with questions about who is giving orders and why the wage differences.
      Why does a new company get to give orders? Why the wage gap for the same work? Why is the contractor enjoying the nice wage with less skills? Other nations don't have the workplace wage tensions and stress the US has. Gov and mil make the workplace better for all cleared workers in other nations.
      Other nations educate their staff well and then profile for the people with traits who won't walk out with their nation's secrets.
      The US just lets any contractors in and they do a day job until they are moved to the next job. Great for short term profits, very bad for gov security.
      Other nations just don't do that, as they know it's bad for their security. The US also stores data in plain text on internet facing computers. No encryption, fast networks.
      The West hires contractors on talent, imagination, creativity. Such people can then leak data for "reasons", given the same ability to think and dream.
      Other nations just don't give such "creative" people security clearances. Want to play fantasy computer games all day? No security clearance, mil work or gov work. Other nations still have a uniform or gov sector esprit de corps and only hire the best their nation has to offer.
      No contractors giving orders to mil and gov staff and needing a project kept in plain text so other contractors can work on the same project all around the USA.
      The US spreads its projects out to as many contractors as possible so wisdom and creativity can flow up from the best in the private sector. The profit motive always ensures new ideas.
      Other nations just keep their secrets secure and work hard on getting the project ready. The site is secure.
      No data on open networks for the NSA and GCHQ to gather. No staff wandering around to be approached by the CIA and MI6 with a huge cash offer to buy secrets. Other nations have very small budgets and fewer staff, mil to watch too. They have learned from all their past decades of NSA, GCHQ, CIA, MI6 issues.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:What if I told you by Anonymous Coward · · Score: 0

      Why don't you try reading Wikileaks' response to your question? The answer is they do leak damaging information about all those countries. They've even been used in Russian courts to sue.
      Also, why bring Wikileaks up on a completely unrelated discussion? You must be one of those paid government propaganda trolls from the US or UK.

  8. Not a good move by m0s3m8n · · Score: 1

    Releasing exploits and sensitive data that harms the USA is understandable as the US government is just a pussy (and yes I live in the US). Piss on Russia or China and they may find their cohorts dead with their genitals in their mouths or polonium in their veins. Do you really think the Russian equivalent of Snowden would still be alive today?

    --
    Conservative, mod down for violating /. political norms.
  9. heroes by Anonymous Coward · · Score: 0

    The shadow brokers are heroes. They are showing how poor u.s. security is, and how useless and illegitimate the fbi, nsa, and cia are.
    The things shadow brokers revealed were used on u.s. citizens by their government in secret.

  10. Writing Style by OverlordQ · · Score: 2

    > Using trademark garbled English,

    I wonder if they translate and reverse their releases to help defeat style-analysis on what they write.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Writing Style by Anonymous Coward · · Score: 0

      Sounds dangerous and pointless. Google Translate is almost certainly logging every input to their API.

    2. Re:Writing Style by Anonymous Coward · · Score: 0

      TIL Google Translate is the only translation engine

    3. Re:Writing Style by Anonymous Coward · · Score: 0

      Google translate has banned me so I use Yandex translate now.

  11. why is weaponization not treason? by Anonymous Coward · · Score: 0

    The NSA had the choice to either weaponize these exploits, or to help inoculate against them and thereby protect the US and its allies. They chose to weaponize them, which has been a direct assistance to enemies of the United States and its allies around the world, e.g., the recent UK NHS problems. That's not even getting into being a direct breach of the Constitution.

    Is that not treason? Why are we not seeing those people brought to trial?

  12. If they take the money by Anonymous Coward · · Score: 0

    that is the one that screws them. Even bank notes tend to all be uniquely numbered. The ability to trace monetary transactions is huge.

    Is there any safe harbour when it comes to money? The banking system really represents One World Order, and wasn't WWII really all about this?

    At the end of WWII as countries around the globe were being liberated or invaded, their monetary systems were being taken, fast forward to today and they are still taken. They managed to get a lot of continental Europe to accept one currency the Euro.

    Bitcoin is heavily traced, that's how it works on the chain, laundering it just makes the tracing harder, as soon as someone tries to purchase something that will start to tie them to a physical being.

    Perhaps they are thinking this way:

    1. Mine Bitcoin
    2. Launch Ransomware that demands Bitcoin / Sell ransomware that demands Bitcoin
    3. Sell Bitcoin for profit due to higher demand.

    So, they are looking to make on the sale of bitcoin, but not so much on the ransomed bitcoin. That would be a lot harder to trace and prove. They may not even sell, just looking to increase the profile of bitcoin for longer term gains.

  13. HTTPS = pure bullshit (slowdown & breakable) by Anonymous Coward · · Score: 1

    See subject: THIS is your proof as to exactly HOW & WHY https://theintercept.com/2017/05/11/nyu-accidentally-exposed-military-code-breaking-computer-project-to-entire-internet/ via "Windsor Green"... there's some SECURITY INFO for you.

    * Plus, the stupid LIBS used for https? Always break backward compatibility EVERY SINGLE F'ING TIME so when old model's found to be breakable (ala TLS & SSL)? They don't keep the same return types (common way to bust API's by shithead rookies) so that legacy apps can't use them right in THEIR code!

    APK

    P.S.=> It's TOTAL horseshit so WE AGREE here & mere "lip service" security-theater that is EASILY broken (especially by the NSA)... apk

  14. Re:Not terribly smart on their part... by Anonymous Coward · · Score: 0

    this is just stupid armchair army-boy fantasy

    In reality, Trump is gonna do jack shit about cyber-anything. He's too busy with the Washington Post up his ass nitpicking every move 24/7

  15. Strike back by niks42 · · Score: 1

    I was just watching Pearl Harbor - not a great film, but it brought back to me that the greatest threat to these people is the sheer force of American willpower. The Japanese military machine tugged at the tail of a sleeping tiger, and they lived to regret it.

    Well, America, it is time to hit back at those that seek to disrupt our way of life through these attacks. We are seeing just the beginning of this new warfare, but we need to hark back to the spirit that was awoken in us in 1941, and we need to hit them back 100 times over for every strike on us. We owe it to the Free World.

    1. Re:Strike back by sit1963nz · · Score: 1

      1. You are not the leader of the free world.
      2. You do not automatically have the right to attack any country or their citizens
      3. ALL you will do is create enemies and lose allies.

    2. Re:Strike back by eaglesrule · · Score: 1

      We have a difficult problem facing society, one that cannot be solved by the usual declaration of War on (ISSUE HERE). As we've seen before, the unintended consequences ended up being worse than the original problem.

      Currently we still have something resembling an open internet. Those that fall sway to jingoistic buzzwords to justify knee-jerk overreactions are why we can't have nice things.

    3. Re:Strike back by Anonymous Coward · · Score: 0

      > sheer force of American willpower.

      You're a nation of overweight opiate addicts talking about willpower.

    4. Re:Strike back by painandgreed · · Score: 2

      > I was just watching Pearl Harbor - not a great film, but it brought back to me that the greatest threat to these people is the sheer force of American willpower. The Japanese military machine tugged at the tail of a sleeping tiger, and they lived to regret it.

      I doubt American willpower was a serious contender considering the other side had people literally training to be suicide bombers. American troops typically were the first to break and run away. We had some advantages in that Americans were also the first to rally and run back into battle with more resolve, and with a different plan to make sure the last mistake didn't happen. The first mistake the Japanese made was mistakenly thinking that bombing people would make them want to give up. If anything, actively bombing a population has the opposite effect. Second, the sleeping tiger that the Japanese actually awoke was American industrial might. The Japanese could not replace sunken ships, downed airplanes, or dead pilots and soldiers. The US was pumping out enough for two fronts to double every year or two (not to mention while also supplying the Brits and Russians with considerable war material at the same time). Part of that was bad Japanese military tactics that aided in their downfall just like Sparta, while the US will try a different tactic till they find one that works, but mostly, it was just that America had the industry, economy, and population to win a war through attrition.

  16. Re:this is bad news by volodymyrbiryuk · · Score: 1

    Stop spamming every comments section with this crap. There is probably another, better suited online platform to air out your creative brainfarts.

    --
    sudo rm -r -f --no-preserve-root /
  17. America has a lot of resource by Anonymous Coward · · Score: 0

    It was more about logistics and dropping nuclear bombs than will power.

    Like the attitude though, not just an eye for eye, an eye for a hundred eyes. Yeah, that pretty much ensures a blind human race for many generations.

  18. Re:Not terribly smart on their part... by sit1963nz · · Score: 1

    "Oops, sorry, we thought that American Airlines plane full of passengers was the military aircraft used to ship in the US terrorists...our bad"

    Trump is NOT really smart.

    And of course such an action could put a target on the back of every american overseas

    Brutality and killing have only ever resulted in MORE people being brutalised and killed, and are never actually a solution.

  19. Re:this is bad news by LifesABeach · · Score: 1

    yawn

  20. Hay Dumb Ass Shadow Brokers ! by LifesABeach · · Score: 1

    If you're so scary smart, lets see Trump's taxes.

  21. Sooner or later... by Evil+Kerek · · Score: 1

    I figured they are going to piss off someone with some real money that's going to put a price on their heads. I wish I had the money to do it.

    1. Re:Sooner or later... by Anonymous Coward · · Score: 0

      Go talk to your boi obumma about a loan. He's pretty flush with all those dead presidents he's been raking in from lowbrows who just love to see those mudflaps on his face slap together.

  22. Yeah by Ryanrule · · Score: 1

    youusa people gonna die?

  23. Re:HTTPS = pure bullshit (slowdown & breakable by Opportunist · · Score: 1

    So I read the document provided and I can spare the rest of the community the work: The (insert three letter agency of choice here) have a supercomputer in the making or already ready that's a few hundred times faster than anything they had before and that can easily break 1024-bit key encryption.

    So switch to 4096-bit and SHA256.

    That's basically the gist of the document and the solution to this the-sky-is-falling problem. They have not broken https, they just threw more computing power against it. Which is pretty pointless when you have an asymmetric problem like encryption. By doubling my workload to encrypt, I can increase your workload to break by the tune of 10^10. All you have to do when you know your enemy is increasing its brute force computing power is to increase the key size, and unless something spectacular changes in the game, it more than nullifies his attempt.

    Until recently I actually thought that you knew a thing or two about security...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  24. Insulting me you menial chump? by Anonymous Coward · · Score: 0

    See subject: Enough so CIS Tool (highly esteemed) took fixes from me & I've got actual proof of it in programs for it also (APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ )

    So - do you?

    * Let's see it - let's see if you can "backup your bluster".

    ANYONE CAN "TALK" boy... very FEW of us actually DO.

    APK

    P.S.=> You don't "get it" do you? IF it's NOT 'broken', then WHY DO LEGACY APPS USING SSL/TLS BREAK whenever one of them is pierced & they reissue new libs for it?? They change the return type (size most likely as you note) in the functions/procs wreaking havoc (that can be gotten around in THEIR OWN CODE you know - or maybe you don't know - being a LIMITED IN SCOPE mere MENIAL that you are apparently (security work = a joke buddy - guys like me make code fools like YOU merely USE, user))... apk

  25. Bank of America CEO on security budget by asjk · · Score: 1
    Signaling the abundant and high-risk nature of hack-attacks, CEO Brian Moynihan says the Charlotte-based lender (NYSE:BAC) has no spending limits in place for its cyber security teams. Currently at $400M.

    "The only place in the company that doesn't have a budget constraint is that area."

  26. Re:Not terribly smart on their part... by LeftCoastThinker · · Score: 1

    "Brutality and killing has only ever resulted in MORE people being brutalized and killed, is never actually a solution."

    Spoken like a true, brainwashed, ignorant liberal... Apparently you failed history class. Here are a few highlights of the exact opposite: WW2 ended "new Socialist" Hitler's bid for world domination and extermination of around 8 million people of "lesser races", Korea stopped the brutalization and murder of millions of south Koreans (see what happened when the US failed in Vietnam and the millions of people brutalized and 7.5 million murdered there after we left http://rebirthofreason.com/Art... ), Desert Storm (the people of Kuwait were saved from brutalization and murder), even the crusades for all their faults, stopped the bloody, violent, imperialist expansion of Islam http://www.americanthinker.com... .

    Trump's intelligence was underestimated by a lot of people, including you, apparently. How smart he actually is will be determined by his record.

    Considering your own apparent lack of basic history, I suggest you may better use your time reading up on history so that in the future you can make a more reasonable argument.

    --
    If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like