[HN Gopher] Ex-NSA cyberspies reveal how they helped hack foes o...
___________________________________________________________________
Ex-NSA cyberspies reveal how they helped hack foes of UAE (2019)
Author : jbegley
Score : 102 points
Date : 2021-09-14 20:52 UTC (2 hours ago)
(HTM) web link (www.reuters.com)
(TXT) w3m dump (www.reuters.com)
| wolverine876 wrote:
| Stroud's judgment is interesting; is the mistake predictable?
|
| > In 2013, her world changed. While stationed at NSA Hawaii,
| Stroud says, she made the fateful recommendation to bring a Dell
| technician already working in the building onto her team. That
| contractor was Edward Snowden. / "He's former CIA, he's local,
| he's already cleared," Stroud, 37, recalled. "He's perfect!" Booz
| and the NSA would later approve Snowden's transfer, providing him
| with even greater access to classified material.
|
| Then Stroud trusted the Project Raven employers, not only to
| start but over and over, as they had Stroud violate human rights
| (spying on journalists, 16 year olds, human rights activists),
| after Stroud discovered evidence of spying on Americans.
|
| And then Stroud didn't trust the FBI; note that the claimed
| motivation could simply fabricated - clearly Stroud wanted to do
| this work.
|
| > Two agents approached Stroud in 2016 at Virginia's Dulles
| airport as she was returning to the UAE after a trip home.
| Stroud, afraid she might be under surveillance by the UAE
| herself, said she brushed off the FBI investigators. "I'm not
| telling you guys jack," she recounted.
|
| And possibly this is related:
|
| > Still, she found the work exhilarating. "It was incredible
| because there weren't these limitations like there was at the
| NSA. There wasn't that bullshit red tape," she said. "I feel like
| we did a lot of good work on counterterrorism."
|
| Maybe those rules, the principles of human rights, and the FBI
| are there for a reason. Stroud seems to think they are unrelated
| to her character:
|
| > "I don't think Americans should be doing this to other
| Americans," she told Reuters. "I'm a spy, I get that. I'm an
| intelligence officer, but I'm not a bad one."
|
| > Stroud said her background as an intelligence operative made
| her comfortable with human rights targets as long as they weren't
| Americans. "We're working on behalf of this country's government,
| and they have specific intelligence objectives which differ from
| the U.S., and understandably so," Stroud said. "You live with
| it."
| JimBlackwood wrote:
| For those interested, there is a Darknet Diaries episode about
| this. [1] Really quite interesting, interview is with someone who
| worked for Project Raven, like Lori. [1]
| https://darknetdiaries.com/episode/47/
| ragnot wrote:
| How do all these people hack into phones all the time? Is there
| just a cache of 0Days that they have access to or do they just
| get really clever with phishing attacks?
| causasui wrote:
| 95% social engineering/phishing, _maybe_ 5% exploits.
|
| Using exploits is complicated, expensive, and risky. In most
| cases - to quote XKCD - it's cheaper and easier to just hit the
| victim on the head w/ a proverbial $5 wrench until they cough
| up their password, e.g.: have them download your "secure
| messaging app" which is actually just your implant.
|
| From the article:
|
| > _To get close to Donaghy, a Raven operative should attempt to
| "ingratiate himself to the target by espousing similar
| beliefs," the cyber-mercenaries wrote. Donaghy would be "unable
| to resist an overture of this nature," they believed. Posing as
| a single human rights activist, Raven operatives emailed
| Donaghy asking for his help to "bring hope to those who are
| long suffering," the email message said. The operative
| convinced Donaghy to download software he claimed would make
| messages "difficult to trace." In reality, the malware allowed
| the Emiratis to continuously monitor Donaghy's email account
| and Internet browsing._
| sleibrock wrote:
| According to the article, it seems like it was heavily based
| off of Apple iMessage zero-click exploits built into some
| platform. And even a bit of social engineering.
|
| Past that, who knows where they get exploits from? I imagine if
| they're renting servers with Bitcoins to perform computer
| attacks, these operatives are probably familiar with darknet
| sites for trading secrets as well.
| mike_d wrote:
| Money.
|
| The going rate for iOS full chain (iMessage, Safari, or BT/WiFi
| exploit + sandbox escape, protection bypass, and persistence)
| is over two million dollars. The brokers then sell them for
| 2x-5x that amount. Reporting that same vulnerability to Apple
| can net you up to a million.
| SilverRed wrote:
| It seems pretty clear that just about every government has a
| large bank of exploits on just about every single system. We
| only hear about the ones that get exposed and fixed and not
| the 30 others in storage or active use.
| gonzo41 wrote:
| Pretty much, that also have 0 days on components, so it's a
| matter of putting together an exploit chain that gets them what
| they need.
| AgentME wrote:
| If software developers were ever held responsible for defects
| in their software that lead to breaches of privacy and harm
| caused through those breaches, I wonder how quickly software
| development practices would change. Memory unsafe languages
| like C would probably disappear as a choice for new projects
| in a heartbeat due to the liability.
| perihelions wrote:
| Follow-up, from today's news:
|
| _" Three Former U.S. Intelligence Community and Military
| Personnel Agree to Pay More Than $1.68 Million to Resolve
| Criminal Charges Arising from Their Provision of Hacking-Related
| Services to a Foreign Government"_
|
| https://www.justice.gov/opa/pr/three-former-us-intelligence-...
| anonymousDan wrote:
| So hacking human rights activists is ok, but hacking US citizens
| crosses the line? WTF?
| rlewkov wrote:
| Yes, according to the law.
| vkou wrote:
| Yes, because we have the FBI to do that to US citizens.
| [deleted]
| jorblumesea wrote:
| If by "ok" you mean legal, then yes. NSA is foreign targets
| only. If by "ok" you mean moral, then no.
| 8note wrote:
| Also local targets, if they're foreigners or interacting with
| foreigners
| aha_throwaway wrote:
| It's always like that.
|
| The last days in Afghan they kill 10 people, and no one hell
| accountable. All they do is labeled them as ISIS members.
|
| (https://www.nytimes.com/2021/09/10/world/asia/us-air-
| strike-...)
| 2OEH8eoCRo0 wrote:
| What would you like to be done about it?
| hellcow wrote:
| Tried as a war crime, perhaps? Murdering an aid worker and
| seven children, then trying to cover it up, seems pretty
| horrific to me.
| 2OEH8eoCRo0 wrote:
| Who specifically should be tried?
| Taniwha wrote:
| Let's start with the person who pushed without verifying
| that the targets were truly ISIS and work our way upwards
| SilverRed wrote:
| Lets start with the people who physically killed them.
| boomboomsubban wrote:
| With a missile strike, who would that be?
| chrononaut wrote:
| If you're referring to the "people who physically killed
| them" as the individual(s) who operated the drone(s), I
| imagine they are the ones who need the most (mental)
| help, after learning their superiors provided faulty
| intelligence and allegedly killed innocent people.[0]
|
| The two(+) that are perhaps the most relevant are those
| that provided the intelligence (framing), and those that
| made the decision to act on it.
|
| [0] I don't know how much liberty drone operators have to
| make live decisions in the .. "field" about whether to
| engage or not, but I suspect this case involved some
| level of abstraction.
| vkou wrote:
| What evidence do you have that it was not done by ISIS
| members?
|
| The United States is at war with ISIS, it is not at war with
| the Taliban. The Taliban is also currently at war with ISIS,
| and is not at war with the United States.
|
| ISIS would, however, love to see the Taliban - US conflict to
| resume. It weakens its enemies, it creates a lot of
| convenient targets for it, and simplifies recruitment and
| propaganda efforts.
| Y_Y wrote:
| The US hasn't been (officially) at war since WW2 ended.
| boomboomsubban wrote:
| >What evidence do you have that it was not done by ISIS
| members?
|
| The US openly admits firing the missile. That seems more
| likely than ISIS acquiring and launching a missile at an
| Afghanistan home then the US taking "credit" for it.
| unyttigfjelltol wrote:
| The subject of the article hired Snowden into an NSA project just
| before he fled as a whistleblower, tried to resurrect her career
| for a private company doing espionage overseas, and after a few
| years ultimately made good by becoming a whistleblower herself
| against her spybosses. What a fantastic story arc! Hollywood....
| [deleted]
| chrononaut wrote:
| (2019)
| mikeyouse wrote:
| In the news today since they were just charged with a bunch of
| Federal crimes for this work:
|
| https://www.reuters.com/world/us/american-hacker-mercenaries...
| [deleted]
| sterlind wrote:
| _> Former program operatives previously told Reuters they
| believed they were following the law because superiors
| promised them the U.S. government had approved the work._
|
| Absolute horseshit. This is 100% a loophole to give them some
| flimsy plausible deniability. If the NSA approves they should
| have confirmed with the actual NSA.
|
| Looks like the whistleblower wasn't charged, which is good,
| though you still have to be a pretty shitty person to go work
| on targeting journalists and dissidents in the first place. I
| suspect she didn't have moral qualms as much as she realized
| how much trouble she'd get in unless she came clean.
|
| I'm interested to learn how exactly _any of this is legal._
| Isn 't it illegal for Americans to hack anyone, regardless of
| where you live? Like could I really go to Russia and openly
| hack Ukraine as an American and not get charged when I come
| back to the US?
| sophacles wrote:
| Are you seriously gatekeeping the whistleblower? Like they
| did the right thing, but you can maybe imagine they weren't
| pure enough for you and therefore shitty?
|
| OK let me do that to you:
|
| You are commenting some good things, but i suspect you
| aren't doing it because you believe it, but rather you want
| some sweet karma. Therefore you are shitty human being.
| Feel shame person I've never interacted with before and
| have no other knowledge of.
|
| (Maybe check out the Darknet Diaries episode linked in the
| comments here and learn about the situation a bit before
| declaring the motives of a person you admit having no
| knowledge of.)
| themodelplumber wrote:
| > The defendants are being charged also with military export
| restriction violations.
|
| They are throwing the book at them. But there's also this
| other, amusing, cachet-related viewpoint:
|
| "I'm so badass that I was labeled a restricted military
| asset"...
___________________________________________________________________
(page generated 2021-09-14 23:00 UTC)