[HN Gopher] Ex-NSA cyberspies reveal how they helped hack foes o... ___________________________________________________________________ Ex-NSA cyberspies reveal how they helped hack foes of UAE (2019) Author : jbegley Score : 102 points Date : 2021-09-14 20:52 UTC (2 hours ago) (HTM) web link (www.reuters.com) (TXT) w3m dump (www.reuters.com) | wolverine876 wrote: | Stroud's judgment is interesting; is the mistake predictable? | | > In 2013, her world changed. While stationed at NSA Hawaii, | Stroud says, she made the fateful recommendation to bring a Dell | technician already working in the building onto her team. That | contractor was Edward Snowden. / "He's former CIA, he's local, | he's already cleared," Stroud, 37, recalled. "He's perfect!" Booz | and the NSA would later approve Snowden's transfer, providing him | with even greater access to classified material. | | Then Stroud trusted the Project Raven employers, not only to | start but over and over, as they had Stroud violate human rights | (spying on journalists, 16 year olds, human rights activists), | after Stroud discovered evidence of spying on Americans. | | And then Stroud didn't trust the FBI; note that the claimed | motivation could simply fabricated - clearly Stroud wanted to do | this work. | | > Two agents approached Stroud in 2016 at Virginia's Dulles | airport as she was returning to the UAE after a trip home. | Stroud, afraid she might be under surveillance by the UAE | herself, said she brushed off the FBI investigators. "I'm not | telling you guys jack," she recounted. | | And possibly this is related: | | > Still, she found the work exhilarating. "It was incredible | because there weren't these limitations like there was at the | NSA. There wasn't that bullshit red tape," she said. "I feel like | we did a lot of good work on counterterrorism." | | Maybe those rules, the principles of human rights, and the FBI | are there for a reason. Stroud seems to think they are unrelated | to her character: | | > "I don't think Americans should be doing this to other | Americans," she told Reuters. "I'm a spy, I get that. I'm an | intelligence officer, but I'm not a bad one." | | > Stroud said her background as an intelligence operative made | her comfortable with human rights targets as long as they weren't | Americans. "We're working on behalf of this country's government, | and they have specific intelligence objectives which differ from | the U.S., and understandably so," Stroud said. "You live with | it." | JimBlackwood wrote: | For those interested, there is a Darknet Diaries episode about | this. [1] Really quite interesting, interview is with someone who | worked for Project Raven, like Lori. [1] | https://darknetdiaries.com/episode/47/ | ragnot wrote: | How do all these people hack into phones all the time? Is there | just a cache of 0Days that they have access to or do they just | get really clever with phishing attacks? | causasui wrote: | 95% social engineering/phishing, _maybe_ 5% exploits. | | Using exploits is complicated, expensive, and risky. In most | cases - to quote XKCD - it's cheaper and easier to just hit the | victim on the head w/ a proverbial $5 wrench until they cough | up their password, e.g.: have them download your "secure | messaging app" which is actually just your implant. | | From the article: | | > _To get close to Donaghy, a Raven operative should attempt to | "ingratiate himself to the target by espousing similar | beliefs," the cyber-mercenaries wrote. Donaghy would be "unable | to resist an overture of this nature," they believed. Posing as | a single human rights activist, Raven operatives emailed | Donaghy asking for his help to "bring hope to those who are | long suffering," the email message said. The operative | convinced Donaghy to download software he claimed would make | messages "difficult to trace." In reality, the malware allowed | the Emiratis to continuously monitor Donaghy's email account | and Internet browsing._ | sleibrock wrote: | According to the article, it seems like it was heavily based | off of Apple iMessage zero-click exploits built into some | platform. And even a bit of social engineering. | | Past that, who knows where they get exploits from? I imagine if | they're renting servers with Bitcoins to perform computer | attacks, these operatives are probably familiar with darknet | sites for trading secrets as well. | mike_d wrote: | Money. | | The going rate for iOS full chain (iMessage, Safari, or BT/WiFi | exploit + sandbox escape, protection bypass, and persistence) | is over two million dollars. The brokers then sell them for | 2x-5x that amount. Reporting that same vulnerability to Apple | can net you up to a million. | SilverRed wrote: | It seems pretty clear that just about every government has a | large bank of exploits on just about every single system. We | only hear about the ones that get exposed and fixed and not | the 30 others in storage or active use. | gonzo41 wrote: | Pretty much, that also have 0 days on components, so it's a | matter of putting together an exploit chain that gets them what | they need. | AgentME wrote: | If software developers were ever held responsible for defects | in their software that lead to breaches of privacy and harm | caused through those breaches, I wonder how quickly software | development practices would change. Memory unsafe languages | like C would probably disappear as a choice for new projects | in a heartbeat due to the liability. | perihelions wrote: | Follow-up, from today's news: | | _" Three Former U.S. Intelligence Community and Military | Personnel Agree to Pay More Than $1.68 Million to Resolve | Criminal Charges Arising from Their Provision of Hacking-Related | Services to a Foreign Government"_ | | https://www.justice.gov/opa/pr/three-former-us-intelligence-... | anonymousDan wrote: | So hacking human rights activists is ok, but hacking US citizens | crosses the line? WTF? | rlewkov wrote: | Yes, according to the law. | vkou wrote: | Yes, because we have the FBI to do that to US citizens. | [deleted] | jorblumesea wrote: | If by "ok" you mean legal, then yes. NSA is foreign targets | only. If by "ok" you mean moral, then no. | 8note wrote: | Also local targets, if they're foreigners or interacting with | foreigners | aha_throwaway wrote: | It's always like that. | | The last days in Afghan they kill 10 people, and no one hell | accountable. All they do is labeled them as ISIS members. | | (https://www.nytimes.com/2021/09/10/world/asia/us-air- | strike-...) | 2OEH8eoCRo0 wrote: | What would you like to be done about it? | hellcow wrote: | Tried as a war crime, perhaps? Murdering an aid worker and | seven children, then trying to cover it up, seems pretty | horrific to me. | 2OEH8eoCRo0 wrote: | Who specifically should be tried? | Taniwha wrote: | Let's start with the person who pushed without verifying | that the targets were truly ISIS and work our way upwards | SilverRed wrote: | Lets start with the people who physically killed them. | boomboomsubban wrote: | With a missile strike, who would that be? | chrononaut wrote: | If you're referring to the "people who physically killed | them" as the individual(s) who operated the drone(s), I | imagine they are the ones who need the most (mental) | help, after learning their superiors provided faulty | intelligence and allegedly killed innocent people.[0] | | The two(+) that are perhaps the most relevant are those | that provided the intelligence (framing), and those that | made the decision to act on it. | | [0] I don't know how much liberty drone operators have to | make live decisions in the .. "field" about whether to | engage or not, but I suspect this case involved some | level of abstraction. | vkou wrote: | What evidence do you have that it was not done by ISIS | members? | | The United States is at war with ISIS, it is not at war with | the Taliban. The Taliban is also currently at war with ISIS, | and is not at war with the United States. | | ISIS would, however, love to see the Taliban - US conflict to | resume. It weakens its enemies, it creates a lot of | convenient targets for it, and simplifies recruitment and | propaganda efforts. | Y_Y wrote: | The US hasn't been (officially) at war since WW2 ended. | boomboomsubban wrote: | >What evidence do you have that it was not done by ISIS | members? | | The US openly admits firing the missile. That seems more | likely than ISIS acquiring and launching a missile at an | Afghanistan home then the US taking "credit" for it. | unyttigfjelltol wrote: | The subject of the article hired Snowden into an NSA project just | before he fled as a whistleblower, tried to resurrect her career | for a private company doing espionage overseas, and after a few | years ultimately made good by becoming a whistleblower herself | against her spybosses. What a fantastic story arc! Hollywood.... | [deleted] | chrononaut wrote: | (2019) | mikeyouse wrote: | In the news today since they were just charged with a bunch of | Federal crimes for this work: | | https://www.reuters.com/world/us/american-hacker-mercenaries... | [deleted] | sterlind wrote: | _> Former program operatives previously told Reuters they | believed they were following the law because superiors | promised them the U.S. government had approved the work._ | | Absolute horseshit. This is 100% a loophole to give them some | flimsy plausible deniability. If the NSA approves they should | have confirmed with the actual NSA. | | Looks like the whistleblower wasn't charged, which is good, | though you still have to be a pretty shitty person to go work | on targeting journalists and dissidents in the first place. I | suspect she didn't have moral qualms as much as she realized | how much trouble she'd get in unless she came clean. | | I'm interested to learn how exactly _any of this is legal._ | Isn 't it illegal for Americans to hack anyone, regardless of | where you live? Like could I really go to Russia and openly | hack Ukraine as an American and not get charged when I come | back to the US? | sophacles wrote: | Are you seriously gatekeeping the whistleblower? Like they | did the right thing, but you can maybe imagine they weren't | pure enough for you and therefore shitty? | | OK let me do that to you: | | You are commenting some good things, but i suspect you | aren't doing it because you believe it, but rather you want | some sweet karma. Therefore you are shitty human being. | Feel shame person I've never interacted with before and | have no other knowledge of. | | (Maybe check out the Darknet Diaries episode linked in the | comments here and learn about the situation a bit before | declaring the motives of a person you admit having no | knowledge of.) | themodelplumber wrote: | > The defendants are being charged also with military export | restriction violations. | | They are throwing the book at them. But there's also this | other, amusing, cachet-related viewpoint: | | "I'm so badass that I was labeled a restricted military | asset"... ___________________________________________________________________ (page generated 2021-09-14 23:00 UTC)