
Confessions of a Cyber Warrior

Posted by Soulskill
from the he-hacked-the-last-donut dept.
snydeq writes "InfoWorld's Roger Grimes interviews a longtime friend and cyber warrior under contract with the U.S. government, offering a fascinating glimpse of the front lines in the ever-escalating and completely clandestine cyber war. From the interview: 'They didn't seem to care that I had hacked our own government years ago or that I smoked pot. I wasn't sure I was going to take the job, but then they showed me the work environment and introduced me to a few future co-workers. I was impressed. ... We have tens of thousands of ready-to-use bugs in single applications, single operating systems. ... It's all zero-days. Literally, if you can name the software or the controller, we have ways to exploit it. There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.'"
  • saber rallying (Score:5, Insightful)

    by ThorGod (456163) on Tuesday July 09, 2013 @04:18PM (#44229987) Journal

    Does this sound like boasting to anyone else? It's like a more modern version of having the press watch an explosion of their latest bomb.

    • Re:saber rallying (Score:5, Insightful)

      by Crudely_Indecent (739699) on Tuesday July 09, 2013 @04:29PM (#44230153) Journal

      Makes sense to me. Software/hardware vulnerabilities are worthless once patched. If this group is tasked with having a way into any system, their main focus is going to be to not-only find exploits, but also to protect those exploits for future use. I have no doubt that such a group exists, and that their collection of exploits is extensive.

      Hopefully those exploits are used against our enemies and not against us, but that's probably just a silly hope.

      • by stanlyb (1839382)
        What enemy? China? Don't make me laugh.
        • Re:saber rallying (Score:5, Insightful)

          by jc42 (318812) on Tuesday July 09, 2013 @04:51PM (#44230421) Homepage Journal

          Hopefully those exploits are used against our enemies and not against us, but that's probably just a silly hope.

          What enemy? China? Don't make me laugh.

          Nah; anyone who has been following security-related news stories for at least a few years understands that the primary enemy of any government is its own citizens. They're nearby, where they can vote against you, take you to court, or shoot at you. None of these threats are easily available to people in other countries.

          Just dig into the histories of the related US agencies (e.g., HUAC or the FBI or even the CIA) in the 1950s, 60s and 70s. How many external "enemies" -- or domestic "subversives" -- did they ever catch and prosecute? Pretty close to none at all. How many citizens did they attack and seriously injure (either their reputation, finances, or physical well-being)? Lots and lots of them.

          This story is only news to someone who isn't familiar with the long, documented history of such activities. Fact is, your government considers you more of a threat than pretty much anyone outside its borders. This is especially true if you're involved in any activity that threatens the income (especially under-the-counter income) of anyone in your government.

          • by Garridan (597129)
            The majority of theft in grocery stores is committed by employees, after all.
            • by jc42 (318812)

              Heh; I think you've got the idea. ;-)

              An only slightly greater stretch of the idea is the claim that has come out in the US's gun legislation, to the effect that a large majority of the deaths from gunshot wounds are due to suicide.

              I wonder how many more interesting examples we can produce showing that most dangers come from "insiders".

            • by stanlyb (1839382)
              True. Now, lets see, the people are the employer, the government is the employee......
      • I have no doubt that such a group exists, and that their collection of exploits is extensive.

        Oh yeah, and they make big money too [forbes.com].

      • Re:saber rallying (Score:5, Interesting)

        by Dan East (318230) on Tuesday July 09, 2013 @04:41PM (#44230273) Homepage Journal

        If it's used against "us" then the likelihood of it being detected and disclosed is too high. They can't utilize these exploits carte blanche, but would have to save them only for specific targets, and still they face the risk of compromising an exploit every time it's used. Any evidence collected in this manner is not usable in court either, so it's really only useful for the spy game against high value foreign targets.

        • If it's used against "us" then the likelihood of it being detected and disclosed is too high. They can't utilize these exploits carte blanche, but would have to save them only for specific targets, and still they face the risk of compromising an exploit every time it's used. Any evidence collected in this manner is not usable in court either, so it's really only useful for the spy game against high value foreign targets.

          You're assuming that such use is detected and that people capable of creating a countermeasure are informed. Current technologies utilize a number of honeypots and detection networks to catch new releases into the public networks, but if something like Stuxnet is released and is targeted and doesn't infect many systems, the odds of it being picked up, identified as malicious, and a countermeasure devised, are all remote.

          This assumption means that you (incorrectly) are basing your security on the idea that

        • Re: (Score:2, Funny)

          by kesuki (321456)

          I read the fine article, and he was working on software that finds flaws, called a fuzzer
          http://en.wikipedia.org/wiki/Fuzz_testing [wikipedia.org]
          With the imminent arrival of computer intelligence, software that automatically detects and rewrites zero-day exploits is soon at hand. Then it will be systemically used against everyone at the speed of light to all spheres with computers on them throughout the entire galaxy. Just look at modern game engines: if a simple chip or two lets you run a complex 3-D world with billions of ope

          • by RulerOf (975607)
            Keep in mind: software vulnerabilities exist not because it's impossible to create perfect code, they exist because it's financially impractical. When something as deterministic and self-accountable as artificial intelligence is writing the code, those economies of scale will invalidate that statement.

            That was actually my biggest gripe about the Terminator movies... computers wouldn't miss that frequently.
          • by tibman (623933)

            Down with Core! Arm all the way!
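The fuzzer kesuki mentions above is the standard way to find the crash bugs the interview talks about: feed a program mutated inputs until it faults, then dedupe the faults by where they land. As an added example that is not part of the thread or of any tool the interviewee describes, here is a small mutation fuzzer in Python run against a deliberately buggy parser. The record format, the parser and the seed corpus are all constructed for the demo; the bug it finds (trusting a length field without checking it against the buffer) is the shape of bug such tooling usually turns up.

```python
"""Minimal mutation fuzzer against a deliberately buggy record parser.

Added example, not code from the thread or from the interviewee's employer.
The record format, parser and corpus below are constructed for the demo.
"""
import random
import traceback
from typing import Callable, Dict, List, Tuple


# --- Target: a "trusting" parser for a constructed format --------------------
# Format (constructed): byte 0 is an entry count N, followed by N one-byte
# entries.  The parser trusts N and never checks it against the real buffer
# length, which is the classic shape of a length-field bug.
def parse_record(data: bytes) -> float:
    """Return the mean of the entries announced by the count byte."""
    if not data:
        raise ValueError("empty record")        # documented, handled error
    count = data[0]
    total = 0
    for i in range(count):
        total += data[1 + i]                    # IndexError when count > len(data) - 1
    return total / count                        # ZeroDivisionError when count == 0


# --- Mutation engine ----------------------------------------------------------
INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]    # boundary values that trip length logic


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation (bit flip, boundary byte, insert, delete, truncate)."""
    buf = bytearray(data)
    op = rng.randrange(5)
    if op == 0 and buf:                          # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:                        # overwrite with a boundary value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif op == 2:                                # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 3 and buf:                        # delete a byte
        del buf[rng.randrange(len(buf))]
    elif op == 4 and buf:                        # truncate the tail
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target: Callable[[bytes], object], corpus: List[bytes], iterations: int,
         seed: int = 1, expected=(ValueError,)) -> Dict[Tuple[str, int], bytes]:
    """Run `target` on mutated inputs; return unique crashes keyed by (exception, line).

    Exceptions listed in `expected` are the parser's documented error path and
    are not counted.  Anything else is a crash; the first reproducer per crash
    site is kept so each distinct bug is reported once.
    """
    rng = random.Random(seed)                    # fixed seed: runs are reproducible
    crashes: Dict[Tuple[str, int], bytes] = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(corpus), rng)
        try:
            target(sample)
        except expected:
            continue
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            key = (type(exc).__name__, frame.lineno)
            crashes.setdefault(key, sample)
    return crashes


CORPUS = [bytes([3, 10, 20, 30]), bytes([1, 200])]   # constructed, valid seed inputs

if __name__ == "__main__":
    for (name, line), sample in fuzz(parse_record, CORPUS, 2000).items():
        print(f"{name} at line {line}: reproducer {sample.hex()}")
```

With the fixed seed the run finds both crash sites (the over-read and the divide by zero) well within 2,000 iterations; a real harness would swap the Python target for a subprocess or libFuzzer-style in-process call and key crashes on a stack hash rather than a line number, but the loop is the same.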

      • by Nrrqshrr (1879148)
        But... we are the enemy.
      • by Synerg1y (2169962)

        I disagree; most real-world exploits are configuration-specific and further behind hardened network defenses. Our code is shit, but our routers and switches are solid. I somehow doubt that the government has secret Cisco buffer overflows that were overlooked by millions of security researchers since the beginning of computing.

        Spear phishing? Definitely
        Obscure industrial systems? Yep (see DES key article on /)
        Corporate / Government networks? Nah, maybe some but not most.

        Systems not directly connected to the int

        • I somehow doubt that the government has secret Cisco buffer overflows

          I'm sure someone at Cisco knows all about them.

        • by lennier (44736)

          I somehow doubt that the government has secret Cisco buffer overflows that were overlooked by millions of security researchers since the beginning of computing.

          I used to doubt that Windows could be full of thousands of security vulnerabilities that had been overlooked by millions of security researchers so far, and yet. Every month, the privately disclosed 0-days just keep coming.

          And those are just the ones that a) white hats have chosen to disclose to Microsoft rather than the NSA/competitors/Russian Mafia, and b) Microsoft has been given the greenlight from the NSA to patch.

          Cisco's source code is secret and so is their security remediation process, so we've got

          • by Synerg1y (2169962)

            You're 100% right, so here's the difference: the NSA says they have ready made stacks of exploits ready. 0-day by nature is a revolving door of ever changing exploits.

            It doesn't matter how secret or back-doored Cisco is as countries like China will never use it. Their equivalent of Cisco will be hardened with no NSA back doors built in.

      • by gmuslera (3436)

        This is about population control, not hypothetical enemies. You criticize something the government or any of their protégés do, then you are a potential threat, no matter how fair or obvious your criticism or complaint is. And anything they collect could be used to silence you.

        On the plus side, it's a good way to make everyone agree.

      • by PopeRatzo (965947)

        Hopefully those exploits are used against our enemies

        "Our enemies" doesn't narrow it down very much, unfortunately.

        Easier to list the people whose computing and communications systems we don't attack.

        If there was ever any question whether the U.S. is a rogue state, I'm pretty sure all doubt has now been removed. Wiretapping our allies at G8? I'm surprised they still let us be a member of the UN.

      • Hopefully those exploits are used against our enemies and not against us, but that's probably just a silly hope.

        Here's news for you: no matter who you are, even if you work for these people, even if you are a corporate executive or a member of your Congress or Senate, YOU ARE THE ENEMY who this is used against.

    • Does this sound like boasting to anyone else? It's like a more modern version of having the press watch an explosion of their latest bomb.

      It sounds like obscurity really is the only security.

    • by AmiMoJo (196126) *

      Sounds like an invitation for a drone strike. Of course it will be a US drone, probably one operated by a police department or other less tech savvy agency. Someone on the other side of the cyber-war will take control and crash it into his house.

    • Re: (Score:3, Informative)

      by Anachragnome (1008495)

      "Does this sound like boasting to anyone else?..."

      Boasting or not, I think everyone that speaks out about pervasive surveillance techniques should be paid attention to. Whether or not their information is accurate, relevant or factual should be decided by ourselves. The NSA has shown us that they cannot be trusted to do anything but lie. If we are to get any accurate information, we have to start taking all perspectives into account, even those of the NSA shills, as they provide contrast.

      And, if anyone is inte

      • Re:saber rallying (Score:5, Informative)

        by cold fjord (826450) on Tuesday July 09, 2013 @07:01PM (#44231909)

        Once again we have Anachragnome posting his crackpot conspiracy theories about me. If you bothered reading his post above and find it persuasive, then you should read this post [slashdot.org] of his, and note this line:

        This is East Germany, all over again--the NSA literally has us spying on each other, inadvertently or not.

        Anachragnome seems to think that everyone is spying for the NSA. Who is it doing all this mutual spying? If you stop and think for even a moment you realize that the idea is nonsense. But it does play into his fear inducing agenda, including attempts to make people suspicious and fear me. He is engaging in the very same sort of behavior he is complaining about. By spreading fear he hopes to control people, to stamp out opinions he finds disagreeable, and control discussions. Ask yourself - are you living in fear? I don't. And yet he seems to want you to. Why?

        Anachragnome seems to find great significance, even to the point of it being evidence that I am a government agent, that I have a different viewpoint, a minority viewpoint among the population of posters on Slashdot. For some reason he can't accept that different viewpoints don't constitute a conspiracy. What is the purpose of having civil rights if we all have to believe the same thing? I thought that was what fascism was about.

        Further evidence that his claims are nonsense is the fact that he thinks that I am both an NSA plant and that I have multiple accounts named with a common theme, no doubt including the recently created troll accounts that have been trying to harass me of late (coid fjord [slashdot.org], and co1d fjord [slashdot.org]). That would seem to be pretty pathetic tradecraft if that were the case. His view is just another sad example of a crank seeing a pattern in the noise [scientificamerican.com] that doesn't really exist, and thinking it significant. Go ahead and read from the two troll accounts. I don't think you'll find much evidence to support Anachragnome's nonsense view. (If you think you have, read more of the thread and check UIDs.)

        Apparently the only people that disagree with him are spies. Bow to his power, or you may be branded a "shill" and "forum breaker." Submit to his fear. [slashdot.org] He expects you to inform on each other. Obey him, or you may be branded a traitor too.

        Or maybe he is just a crank full of suspicion and fear that should be ignored. Take your pick.

        • by fredrated (639554)

          Thank you, shill, for your consistent shilling.

    • Reeks of disinfo.

      Why didn't hippy-hacker leak exploits at the time?

    • It sounds like reality. Do you really think that every month or two when Adobe or Oracle patches a remote exploit that's in 90% of computers it's a bug introduced within the last patch cycle? Of course not. Software is riddled with bugs and they're found incrementally. If you can find bugs faster than the public researchers you will have a database of zero-days, end of story.
    • by gweihir (88907)

      Clearly boasting. "We can break anything easily". Sounds like standard small skills and large ego. [Ref.: google("Incompetent and unaware of it")] Things like PostFix, OpenSSH, Linux Netfilter or xBSD PF, PGP/GnuPG, etc. have been on the exposed surface for a long time and did not have critical vulnerabilities (if configured sanely) for a long time.

      Of course, I immediately believe that the usual commercial trash with no security architecture and a test&fix approach to security is easily exploitable in m

  • by Anonymous Coward

    Poor InfoWorld.... getting left behind in the Snowden fiasco, so it has to do a bit of "Me Me Me.. We're still relevant" crap

    Literally, if you can name the software or the controller, we have ways to exploit it.

    Pac-Man?? Didn't think so.

  • I basically believe the information presented here, but the source could be anyone. It could be a complete work of fiction, and even if that is the case, it may still all be accurate. If someone asked me to come up with a laundry list of things that in all likelihood the feds have, I'd have easily come up with everything listed here.

  • by Dishwasha (125561) on Tuesday July 09, 2013 @04:26PM (#44230119)

    In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.'

    For some reason I doubt that private government workers, let alone government contractors, have discovered (let alone classified and organized) more bugs than the armies of security researchers out there to qualify as "barely scratching the surface". More likely the government is paying private security researchers for bugs and the promise of non-disclosure. Even then with how altruistic many researchers are, it's likely that kind of exchange would be exposed.

    • Re:fud (Score:5, Interesting)

      by h4rr4r (612664) on Tuesday July 09, 2013 @04:28PM (#44230145)

      Or they would take the money and disclose the vulnerability. Enforcing an NDA in this case would give away that these exchanges are ongoing.

    • by dmt0 (1295725)
      The whole article is fake. Trying to clean up the mess after Snowden scandal, trying to justify the existence of the whole apparatus...
    • by gl4ss (559668)

      In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.'

      For some reason I doubt that private government workers, let alone government contractors, have discovered (let alone classified and organized) more bugs than the armies of security researchers out there to qualify as "barely scratching the surface". More likely the government is paying private security researchers for bugs and the promise of non-disclosure. Even then with how altruistic many researchers are, it's likely that kind of exchange would be exposed.

      it's likely they're paying for some bugs - but can't even verify if they work or under what circumstances. I seriously doubt that the fabricated person and his five thousand peers have anything to do with it though.

    • Re:fud (Score:5, Insightful)

      by Kjella (173770) on Tuesday July 09, 2013 @05:12PM (#44230699) Homepage

      There's a lot of boasting, yes, but as I understand it a lot of security bugs are discovered because they're being exploited. If you do all your hacking in a test lab and only use it sparingly and targeting specific computers, it might take a long time before it ends up in any security researcher's lab. For example, take this recent bug [microsoft.com] from Microsoft; it affects every IE version back to IE6 - possibly older, since they don't test further. Assuming it was in the original IE6 code base, that's a bug the cyberwar division might have been sitting on for 12 years. Multiply that with lots and lots of top-notch people and a system that doesn't disclose and (mostly) doesn't exploit, just hoards for a rainy day, and I have no problem believing they have a pretty solid stash.

      However that is also their biggest limitation, if you start using them they'll also become exposed so they're more like deep undercover agents. They're not going to "waste" them trying to catch the odd criminal, even if it's for serious crimes. They're military assets stockpiled for a cyberwar, like being able to crack the Enigma code during WWII. Some of it for espionage but I'm guessing most for being able to strike both physically and electronically at the same time, paralyze or even mislead their systems while you move in.

    • by gmuslera (3436)

      Security researchers can't do reverse engineering or publish too soon what they find, at least if they are working in the open (I think that doesn't apply to black hats). Government, on the other hand, has first-hand [techweekeurope.co.uk] information on exploits far before they are patched, or could even get intentional backdoors [slashdot.org] in commercial software.

      Anyway, patching a bug won't remove a backdoor already put in that computer, unless you do a clean reinstall after those bugs are fixed.

  • by Anonymous Coward on Tuesday July 09, 2013 @04:37PM (#44230235)

    So, if what's being claimed is true (I'm doubtful), by not making these flaws public and giving vendors the chance to fix the issues, they are jeopardizing the domestic infrastructure they are ostensibly tasked to protect?

    There's something profoundly inconsistent in this story, or profoundly hypocritical if it is true.

    And he plays in a "hardcore rap/EDM band"? Either this person is an idiot for revealing something so specifically identifiable (even among "5000 people on my team", how many others of them are into it that much?), or they're spinning a yarn (misdirection or the whole story is nonsense).

    • by gl4ss (559668)

      well the non-nonsense(yeahyeah..) parts of the story are just "we find holes and have thousands of them and can crack anything". it's just bullshit all the way.

    • ...they are jeopardizing the domestic infrastructure they are ostensibly tasked to protect?

      You must be new here. Don't you know how things work here in America?

    • by Dzimas (547818)
      Grimes' friend isn't tasked to protect anything. He is a civilian defence contractor whose job is to exploit flaws in software for the benefit of his employer's client.
    • by oursland (1898514)
      Know all of those "Send error report to Microsoft" windows that pop up when an app crashes? I suspect that these dumps are making their way to these guys.

      Basically, everyone who's ever clicked "send report" has been informing the NSA of exploit vectors and not letting the vendor know.
    • "He becomes a myth, a spook story that criminals tell their kids at night. "Rat on your pop, and Keyser Soze will get you."

      Maybe it's to scare all the leet folks into thinking everything in their tool bag is nothing but Swiss cheese to the NSA.

  • Ignoring that he suddenly goes from one of the elite of the elites in penetration testing to an average guy in a group of thousands...

    • by Flere Imsaho (786612) on Tuesday July 09, 2013 @05:07PM (#44230631)

      Yeah, a lot of it sounds far-fetched to me as well.

      " Most of the software written in the world has a bug every three to five lines of code. " Sure, buddy.

      "It's all zero-days. Literally, if you can name the software or the controller, we have ways to exploit it. There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface." Oookaaay, that sounds legit.

      "My loft was up near the rafters, so I scooted over into the next storage area, climbed down" No lock-up facility I've been in has access through the roof space to the roof space into other units. Would you keep "$100,000 worth of computers, radio equipment, and oscilloscopes" in such a facility?

      This reeks strongly of male bovine excrement.

  • by Sperbels (1008585) on Tuesday July 09, 2013 @04:49PM (#44230393)

    Literally, if you can name the software or the controller, we have ways to exploit it.

    Voting machines?

    • by meta-monkey (321000) on Tuesday July 09, 2013 @05:06PM (#44230617) Journal

      Voting machines?

      Dude could save the country and be a national hero. I can see CNN on election night 2016 now...

      Wolf Blitzer: "In a shocking turn of events, not a single Republican or Democrat, or anyone on the ballot for that matter, won a single national election today. The entirety of the Senate is now made up of 20 random engineers, 15 doctors, 10 accountants, 10 school teachers, 10 construction workers, 5 disabled veterans, the 5 honest cops, and the rest are Mexican day laborers. There's not a single lawyer or millionaire among them, and the new President is comedian Doug Stanhope."

  • Disclosing these vulnerabilities would do much more against the Chinese hackers than hacking back does. Sometimes the best defence is defence.

  • This sounds like baloney, so I'll write some Walking Dead fan fiction.

    You ever known a real fighter? I do. His name is Larry Ellison. Back when I headed to Atlanta, only to find a graveyard, I hooked up with some survivors camped outside the city. Best fucking luck I ever had. It was a few days later I met Ellison. He'd returned from scavenging in the city. I heard that most are in and out in a day - you don't want to risk staying overnight unless you really have to. This guy had been on his own in zombie c

  • ...and whistleblowers.

    It's like the war against government watch groups - the idea that by limiting what the government does (and increasingly the crony corporations that have cropped up to help it extend its reach) - not fighting, but just calling out and limiting it, you are an enemy of the state and you need to be removed.

    Exploits are bought/discovered and kept as armaments to be used on industrial/state espionage, and also for internal clandestine operations. So clearly anyone "invalidating" one by di

  • then how did a guy with a usb stick steal information from the NSA?

  • by gr8_phk (621180) on Tuesday July 09, 2013 @06:41PM (#44231701)

    Most of the software written in the world has a bug every three to five lines of code. It isn't like you have to be a supergenius to find bugs.

    Some blend of three options here:
    1) He's full of shit
    2) I'm delusional in thinking I write code way better than that
    3) Most of the world really is barely held together by bubble gum and duck tape

    What bothers me is to what extent is #3 actually the answer.

    • Re: (Score:3, Funny)

      by danda (11343)

      duct tape, not duck tape. That's a bug in 1 out of 3 lines. :P

      > Most of the world really is barely held together by bubble gum and duck tape

  • by tmark (230091)

    Like so many others, I call BS.

    - he says he's middle aged - let's say 50. He also said at 16 or 17 he joined "one of the distros". The earliest "distros" as such, started appearing around 1992, IIRC - around 21 years ago. So at most he's now 37 or 38 - not middle aged.

    Now if he just defines "middle aged" differently, then he would have been hanging at 15 around the Radio Shacks (a hacker cliche) around 1990 - well past the eras of the TRS-80s and Color Computers that the cliche says hackers would be work

  • Software developers have an incessant need to add features regularly in order to induce paid updates. Take Microsoft for example-- who needed a completely new UI in Windows 8? Only Microsoft. The only update features I ever need from Microsoft is stability/security/bug fixes. After about another 7 or 8 major rev levels of those, there would be some chance of having a system stable and secure enough to actually depend on-- but that'll never happen, as they're too busy monkeying with it in order to justif
  • As I said last week, the root cause which enables cyberwarfare is persistently insecure endpoints [slashdot.org] all over the internet. Each and every system out running linux, windows, mac osx, etc... all are based on an outdated and useless security model. Those nodes can then be used to attack or DOS anything that actually happens to be secure. Unless we shift everything to a system based on capabilities (and the principle of least privilege [wikipedia.org]) we're going to be in a "cyberwar" forever.
  • I was going to write a serious comment, but then I remembered that at least 75% of Slashdot accounts are just people shilling for the king of Thailand.
  • There is no software that isn't easily crackable. In the last few years, every publicly known and patched bug makes almost no impact on us. They aren't scratching the surface.'"

    What does that say about the theory that open source will have fewer defects? Most of the internet is run on open source. He seems to be saying that it's a bugfest.

    I have to say I think it's true and here's why. Early on I had to implement a protocol from scratch. I read the RFP and implemented it but as you may know RFPs aren't ac
