Takedowns of Shadow Brokers Files Affirm Files as Stolen

I’ve been wondering something.

Almost immediately after the Shadow Brokers posted their Equation Group files, GitHub, Reddit, and Tumblr took down the postings of the actual files. In retrospect, it reminded me of the way Wikileaks was booted off PayPal in 2010 for, effectively, publishing files.

So I sent email to the three outlets asking on what basis they were taken down. GitHub offered the clearest reason. In refreshingly clear language, its official statement said,

Per our Terms of Service (section A8), we do not allow the auction or sale of stolen property on GitHub. As such, we have removed the repository in question.

Mind you, A8 prohibits illegal purpose, not the auction of stolen property:

You may not use the Service for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright or trademark laws).

Moreover, at least in its Pastebin explanation, Shadow Brokers were ambiguous about how they obtained the files.

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

They state they “found” the files, or at least traces of the files, and only say they “hacked” to obtain them to get to the latest stage. If they (in the Russian theory of the files) were “found” on someone’s own system, does that count as “stealing” property?

Tumblr wasn’t quite as clear as GitHub. They said,

Tumblr is a global platform for creativity and self-expression, but we have drawn lines around a few narrowly defined but deeply important categories of content and behavior, as outlined in our Community Guidelines. The account in question was found to be in violation of these policies and was removed.

But it’s not actually clear what part of their user guidelines Shadow Brokers violated. They’ve got a rule against illegal behavior.

I guess the sale of stolen property is itself illegal, but that goes back to the whole issue of Shadow Brokers’ lack of clarity of how they got what they got. Their property specific guidelines require someone to file a notice.

Intellectual property is a tricky issue, so now is as good a time as any to explain some aspects of the process we use for handling copyright and trademark complaints. We respond to notices of alleged copyright infringement as per our Terms of Service and the Digital Millennium Copyright Act; please see our DMCA notification form to file a copyright claim online. Please note that we require a valid DMCA notice before removing content. Parties asserting a trademark infringement claim should identify the allegedly infringing work and the legal basis for their claim, and include the registration and/or application number(s) pertaining to their trademark. Each claim is reviewed by a trained member of our Trust and Safety team.

If we remove material in response to a copyright or trademark claim, the user who posted the allegedly infringing material will be provided with information from the complainant’s notice (like identification of the rightsholder and the allegedly infringed work) so they can determine the basis of the claim.

The tech companies might claim copyright violations here (or perhaps CFAA violations?), but the files came down long before anyone had publicly IDed them as the victims. So the only “owner” here would  be the NSA. Did they call Tumblr AKA Verizon AKA a close intelligence partner of the NSA?

Finally, Shadow Brokers might be in violation of Tumblr’s unauthorized contests.

The guidelines say you can link to whackjob contest (which this is) elsewhere, but you do have to make certain disclosures on Tumblr itself.

One more thing about Tumblr, though. It claims it will give notice to a user before suspending their content.

Finally, there’s Reddit, which blew off my request altogether. Why would they take down Shadow Brokers, given the range of toxic shit they permit to be posted?

They do prohibit illegal content, which they describe as,

Content may violate the law if it includes, but is not limited to:

  • copyright or trademark infringement
  • illegal sexual content

Again, GitHub’s explanation of this as selling stolen property might fit this description more closely than copyright infringement, at least of anyone who would have complained early enough to have gotten the files taken down.

The more interesting thing about Reddit is they claim they’ll go through an escalating series of warning before taking down content, which pretty clearly did not happen here.

We have a variety of ways of enforcing our rules, including, but not limited to

  • Asking you nicely to knock it off
  • Asking you less nicely
  • Temporary or permanent suspension of accounts
  • Removal of privileges from, or adding restrictions to, accounts
  • Adding restrictions to Reddit communities, such as adding NSFW tags or Quarantining
  • Removal of content
  • Banning of Reddit communities

Now, don’t get me wrong. These are dangerous files, and I can understand why social media companies would want to close the barn door on the raging wild horses that once were in their stable.

But underlying it all appears to be a notion of property that I’m a bit troubled by. Even if Shadow Brokers stole these files from NSA servers — something not at all in evidence — they effectively stole NSA’s own tools to break the law. But if these sites are treating the exploits themselves as stolen property, than so would be all the journalism writing about it.

Finally, there’s the question of how these all came down so quickly. Almost as if someone called and reported their property stolen.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

12 replies
  1. Evangelista says:

    “We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group.”

    A lot of times the best way to define what some action involving something unusual really is, or equates to in reality, is to substitute something commonplace for the unusual components and correspond the activiies.

    To try this technique, for giggles and interest, in the case of the above ‘Shadow Brokers” actions in regard to what it defines ‘Equation Group’, I will suggest we substitute something totally familiar, but with a totally outlandish character set, so that we do not have to addend one of those “This is a work of fiction. All characters and incidents that could equate to realities in any ways that could get us into trouble are entirely coincidental and products of our inabilities to be more imaginative while staying proximate to things that could maybe, really possibly happen…”

    So, since you did not really have to read any of the above, we start here: We will call the ‘Shadow Brokers’ ‘Drug Economy Antagonists’ (DEA for short). We will call ‘Equation Group’ ‘The Lansky Crime Family’ (The Lansky Family for short). We will call the ‘cyber weapons’ ‘heroin’ (shit for short). We will call Kaspersky ‘Federal Bureau of Investigation'(FBI for short). We will call ‘source range’ ‘distribution network’ (distro-net for short). We will call ‘hacking’ ‘wiretapping’ (no shorts here, they blow out phone equipment).

    Now we plug it in:

    “We find heroin made by creators of smack, horse, junk, skag, [who] FBI calls the Lansky Crime Family. We follow Lansky Family traffic. We find Lansky Family distribution network. We wiretap Lansky Family.”

    Done this way, damned if it doesn’t read like a standard sequence in a legiimate investigation.

    You don’t suppose, maybe, some clever clesmer in da Family mighta called maybe Whitey Bulger an’ maybe Whitey called his Man in da FIB an’ da FIBMan tipped da techies to ice da game?

    • martin says:

      quote”You don’t suppose, maybe, some clever clesmer in da Family mighta called maybe Whitey Bulger an’ maybe Whitey called his Man in da FIB an’ da FIBMan tipped da techies to ice da game?”unquote

      You don’t suppose your alcohol intake tonight was above average?

      • Evangelista says:

        martin,

        As I sit here on this uncomfortable stool, under the one bare light bulb over the little table bolted to the floor in this tiny room with no windows and a too thick door, looking at the phone book on the table, but no phone, only a rubber-hose, I find myself wishing I had some excuse, like having drunk too much, that could explain my normal way of thinking not normal…

  2. Six says:

    A picture of a murder is not a murder. A story about stolen goods is not stolen goods. How can you not be certain that journalism writing about exploits are not exploits?

  3. SpaceLifeForm says:

    The quick takedown is super easy when you
    ‘Collect it all’ and do dpi. Matter of minutes.

  4. SpaceLifeForm says:

    iOS 9.3.5 out. You may need it. 3 zero days.

    https://motherboard.vice.com/read/government-hackers-iphone-hacking-jailbreak-nso-group

    Pegasus, is designed to quietly infect an iPhone and be able to steal and intercept all data inside of it, as well as any communication going through it.

    “It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls. It also basically backdoors every communications mechanism you have on the phone,” Murray explained. “It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram—you name it.”

  5. SpaceLifeForm says:

    San Bernardino?

    Moreover, the malware is programmed with settings that go all the way back to iOS 7, which indicates that NSO has likely been able to hack iPhone devices since the iPhone 5.

  6. Stephen says:

    empty wheel wrote: “But underlying it all appears to be a notion of property that I’m a bit troubled by. Even if Shadow Brokers stole these files from NSA servers — something not at all in evidence — they effectively stole NSA’s own tools to break the law.”

    Assuming the files posted came from the NSA…

    I kind of think you’re missing the most salient point here. Those cyber tools that were posted were arguably what the NSA itself uses to (among other uses!) steal other people’s property. Posting them online is kind of like a thief stealing ANOTHER thief’s burglar tools and then putting them up for sale on Christie’s!

    For Reedit et al to object to the posting of those files and taking them down would be equivalent to Christie stopping the sale of the burglar tools and returning them to the burglar (so the poor fellow can get back the business of burgling)!

    • SpaceLifeForm says:

      Well yeah, thieves know not to trust other thieves.
      But big picture, just call it economic espionage.
      Because that is what is going on.

  7. SpaceLifeForm says:

    More on pegasus:

    https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

    Playing both sides. It would be a shame if
    something happened to your business.

    ‘Two of NSO Group’s three co-founders, Shalev Hulio and Omri Lavie, are also co-founders of mobile security company Kaymera, which promises a “Multi Layered Cyber Defense Approach” to clients. On Kaymera’s website, the company reprints a Bloomberg article pointing out that they “play both sides of the cyber wars.” The article also quotes NSO Group’s CEO, who suggests that they entered the defense business when potential clients saw the capabilities of NSO Group’s tools.’

  8. SpaceLifeForm says:

    A wakeup call. The Mother of all Metadata (SS7)
    and recent events at least moved Ted Lieu to start
    to wake up the rest of Congress.

    https://lieu.house.gov/media-center/press-releases/congressman-lieu-statement-revelation-cell-phone-security-vulnerability

    “As a computer science major, I am incredibly alarmed, but unfortunately not surprised, by the discovery of significant security vulnerabilities in one of our country’s most prolific smartphone operating systems. The fact that over two thirds of adults in the United States own a smartphone makes the device a natural target for bad actors, and we as a nation have thus far failed to take the threat seriously. From the SS7 network to iOS, vulnerabilities in our communications systems have made it possible for foreign governments, criminal syndicates and hackers to target individuals and have near-full access to everything we say or do on our smartphone. Today’s announcement follows news last week that an anonymous group had stolen a jackpot of hacking tools to exploit “zero-day” vulnerabilities from the National Security Agency and published them for all the world to use.”

    “I am pleased that Apple was able to quickly address this security breach, but it is clear that Congress must do more to address the issues of mobile security. I believe a congressional hearing is in order and plan to work with my colleagues to examine these critical security concerns. I also again urge the Administration to disclose the criteria used in determining whether to notify cyber vulnerabilities to private sector companies rather than hoard and conceal the vulnerabilities. Whatever our government may do in terms of using cyber malware, others will do to American citizens. The best protection for the United States and our people is to have secure systems.”

Comments are closed.