How Hal Martin Stole 75% of NSA’s Hacking Tools: NSA Failed to Implement Required Security Fixes for Three Years after Snowden

The other day, Ellen Nakashima reported that Hal Martin, the Booz Allen contractor who has been in custody for months based on allegations he stole terabytes of NSA’s hacking tools, may be indicted this week. The story raises some interesting questions — such as how, absent some proof that Martin leaked this information to a third party, prosecutors intend to distinguish Martin’s hoarding from David Petraeus’ sharing of code word information with his girlfriend Paula Broadwell. One detail Nakashima included — that Martin had stolen “operational plans against ‘a known enemy’ of the United States” — may suggest prosecutors plan to insinuate Martin stole the information to alert that known enemy (especially if the known enemy is Russia).

All that said, the detail in Nakashima’s story that has attracted the most notice is the claim that Martin stole 75% of NSA’s hacking tools.

Some U.S. officials said that Martin allegedly made off with more than 75 percent of TAO’s library of hacking tools — an allegation which, if true, would be a stunning breach of security.

Frankly, this factoid feels a lot like the claim that Edward Snowden stole 1.5 million documents from NSA, a claim invented at least in part because Congress wanted an inflammatory detail they could leak and expand budgets with. That’s especially true given that the 75% number comes from “US officials,” which sometimes include members of Congress or their staffers.

Still, the stat is pretty impressive: even in the wake of the Snowden leak, a contractor was able to walk out the door, over time, with most of NSA’s most dangerous hacking tools.

Except it should in no way be a surprise. Consider what the House Intelligence Report on Snowden revealed, which I mentioned here. Buried way back at the end of the report, it describes how in the wake of Snowden’s leaks, NSA compiled a list of security improvements that would have stopped Snowden, which it dubbed, “Secure the Net.” This initiative included the following, among other things:

  • Imposing two-person control for transferring data by removable media (making it harder for one individual to put terabytes of data on a thumb drive and walk out the door with it)
  • Reducing the number of privileged and authorized data transfer agents (making it easier to track those who could move terabytes of data around)
  • Moving towards a continuous evaluation model for background investigations (which might reveal that someone had debt problems, as Martin did)

By July 2014, the report reveals, even some of the simplest changes included in the initiative had not been implemented. On August 22, 2016 — nine days after an entity calling itself Shadow Brokers first offered to auction off what have since been verified as NSA tools — NSA reported that four of the initiatives associated with Secure the Net remained unfulfilled.

All the while, according to the prosecutors’ allegations, Martin continued to walk out of NSA with TAO’s hacking tools.

Parallel to NSA’s own Secure the Net initiative, in the intelligence authorization for 2016 the House directed the DOD Inspector General to assess NSA’s information security. I find it interesting that HPSCI had to order this review and that they asked DOD’s IG, not NSA’s IG, to do it.

DOD IG issued its report on August 29, 2016, two days after a search of Martin’s home had revealed he had taken terabytes of data and the very day he was arrested. The report revealed that NSA needed to do more than its proposed fixes under the Secure the Net initiative. Among the things it discovered, for example, is that NSA did not consistently secure server racks and other sensitive equipment in data centers, and did not extend two-stage authentication controls to all high risk users.

So more than three years after Snowden walked out of the NSA with thousands of documents on a thumb drive, DOD Inspector General discovered that NSA wasn’t even securing all its server racks.

“Recent security breaches at NSA underscore the necessity for the agency to improve its security posture,” the HPSCI report stated dryly, referring obliquely to Martin and (presumably) another case Nakashima has reported on.

Then the report went on to reveal that CIA didn’t even require a physical token for general or privileged users of its enterprise or mission systems.

So yes, it is shocking that a contractor managed to walk out the door with 75% of NSA’s hacking tools, whatever that means. But it is also shocking that even the Edward Snowden breach didn’t lead NSA to implement some really basic security procedures.

Whither Shadow Brokers in Discussions of Foreign Hacks of America?

Since Shadow Brokers first started leaking apparent NSA tools in August, there have been very few mentions of the compromise from Congress. Adam Schiff expressed some concern about the compromise at the time (though not about the failures of the Vulnerabilities Equities Process the leaks appeared to indicate). And the HPSCI report on Edward Snowden had a sentence stating, “Recent security breaches at NSA underscore the necessity for the agency to improve its security posture,” though that reference doesn’t name Hal Martin, the still unnamed NSA TAO employee who stole some hacking tools in 2015 referred to in a November WaPo article, or Shadow Brokers (which may or may not have relied on Martin as a source).

That silence continued today in the Senate Armed Services Committee hearing on Foreign Cyber Threats to the US. Even if Shadow Brokers is not a Russian group, as many people speculated back in August, or even foreign, wouldn’t the exposure of NSA’s (dated) hacking tools pose a cyber threat by itself?

But there were two exchanges in the hearing that may have pointed to Shadow Brokers. Even if they did not, both are worth bookmarking for the assertions made. In the first exchange, Tom Cotton (who, in addition to SASC, is also on SSCI, so would be privy to any Shadow Brokers information shared with the full intelligence committees) tried to narrowly bracket what the IC means when it refers to Russia hacking the US (after 1:24).

Cotton: We’ve heard a lot of imprecise language here today and it’s been in the media here as well. Phrases like “hacked the election,” “undermine democracy,” “intervened in election.” So I want to be more precise here. Director Clapper let’s go to the October 7 statement. That says, quote, “the recent compromises of emails from US persons and institutions including from US political organizations” was directed by the Russian government. Are we talking there specifically about the hack of the DNC and the hack of John Podesta’s emails?

Clapper: Yes.

Cotton: Are we talking about anything else?

Clapper: That was, essentially at the time, what we were talking about.

Cotton: At the time then — it says that “recent disclosures through websites like DC Leaks and Wikileaks … are consistent with the methods and motivations of Russian directed efforts.” DNC emails were leaked first, I believe, in July.  Is that what the statement is talking about there?

Clapper: I believe so.

Cotton: Mr. Podesta’s emails were not leaked I believe until that very day on October 7, so was the statement referring to that, yet, or was that not intending to be included?

Clapper: I’d have to research the exact chronology of when John Podesta’s emails were compromised. But I think though that that bears on my statement that our assessment now is even more resolute than it was with that statement on the 7th of October. [my emphasis]

Cotton’s statement is odd in any case. He makes no mention of the DCCC, which of course had also been hacked by October 7. Moreover, in his second citation from the DHS/ODNI statement, he omits the reference to the Guccifer 2 persona, who leaked the DCCC documents as well as some DNC files and — according to him, at least — handed those over to Wikileaks. So in his effort to inject precision into this discussion, he’s either introducing imprecision, or he’s revealing details from classified briefings.

In any case, in response to Cotton’s questions, Clapper admits that the only hack referenced in the October 7 statement (though it’s clear he doesn’t have these facts ready at hand). But then he suggests — without much emotion — that what the IC was talking about on October 7 is different from what the IC might include now, which is one reason the IC is more “resolute” about its assessment of Russian attribution.

There are many things Clapper might include in additional entities, not least GOP targets, including Colin Powell (whose emails, after all, had already been released on DC Leaks). One of those is Shadow Brokers.

Fifteen minutes later (after 1:41), Joe Donnelly asks a question that Clapper justifiably can’t make sense of.

The government has named those responsible for the DNC hack as APT 28 and APT 29, part of the Russian intelligence services: the GRU and the FSB. Are all the actors targeted by these two entities known to the public, sir?

Clapper: I’m sorry sir, the question again, are all what?

Donnelly: All the actors targeted by these two entities, GRU, FSB, APT 28, 29, do we know everybody, have you told us who’s involved or are there more that you can’t discuss at this time?

Clapper: Right. I don’t think I can discuss that in this forum.

It appears Donnelly is asking about whether APT 28 and 29 hacked other victims (though when I heard this in real time it sounded like Donnelly was asking about other Russian participants in the hacking). We know they have (indeed, the Joint Analysis Report released the other day discusses those other targets, so they can’t be classified at all). But whatever Clapper took from Donnelly’s question, he took the answer to be too sensitive to respond to in open session. Furthermore, he said he could not discuss it in this forum, not that Donnelly should wait until next week’s report.

The Shadow Brokers is still out on Twitter, bitching (as recently as January 1) they didn’t get included in the JAR report or sanctions list, suggesting they at least want you to believe they’re part of the larger Russian hack.

So why was there no mention of them in the SASC hearing?

Update, 1/10: Embarrassing whither/wither typo fixed. H/t Christopher.

As of August 29, 2016, Not All High Risk Users at NSA Had Two-Factor Authentication

For the last several weeks, all of DC has been wailing that Russia hacked the election, in part because John Podesta didn’t have two-factor authentication on his Gmail account.

So it should scare all of you shitless that, as of August 29, 2016, not all high risk users at NSA had 2FA.

That revelation comes 35 pages into the 38 page HPSCI report on Edward Snowden. It describes how an IG Report finished on August 29 found that NSA still had not closed the Privileged Access-Related holes in the NSA’s network.

That’s not the only gaping hole: apparently even server racks in data centers were not secure.

And note that date: August 29? Congress would have heard about these glaring problems just two weeks after the first Shadow Brokers leak, and days after Hal Martin got arrested with terabytes of NSA data in his backyard shed.

I think I can understand why James Clapper and Ash Carter want to fire Mike Rogers.


The Shadow Brokers: “A Nice Little NSA You’ve Got Here; It’d Be a Shame If…”

When President Obama discussed how to retaliate against Russia for hacking the DNC last Friday, he described the trick of finding “an appropriate response that increases costs for them for behavior like this in the future, but does not create problems for us.” Aside from questions of efficacy, Obama raised something that a number of people looking for a big explosive response seem to have forgotten: that any response may create problems for us.

Which is why I find it curious that — aside from this one piece by Krypt3ia — no one factored in another cyber-attack on the US in discussions about retaliation, one that is, at least in execution, on-going: the release of NSA tools by a group calling itself the Shadow Brokers.

I’ve put a rough timeline (!) below. But as it shows, several weeks after the initial release of the DNC emails led to Debbie Wasserman Schultz’s resignation, the Shadow Brokers posted the first of what have thus far been 6 messages. Especially recently, the timing of the Shadow Brokers releases correlates in interesting ways with developments in the DNC hack. At the very least, the coincidence suggests the threat of further exposure of NSA’s hacking may be a factor in discussions about a response.

Release One: Burning US firewall providers

The first Shadow Brokers post announced an auction of Equation Group (that is, NSA offensive hacking) files. It released enough files to make it clear that a number of firewall companies, including several American companies, had been targeted by the NSA. Accompanying the release was a rant that indirectly pointed to the Clintons — discussing blowjobs and running for President — but at that point, there was not much focus on whether these files were related to the Russian hacking and, more importantly, not a ton of focus on the files in discussions of the Russian hacking. That is, while many people assumed Russia might be the culprit, that possibility fell out of the discussion.

Two weeks later, the FBI arrested Hal Martin, a(nother) Booz Allen contractor who — in the NYT story that revealed his arrest — served as a ready scapegoat for the files.

The very next day, Shadow Brokers posted its second message, the first of several proving that it was not, personally, Hal Martin. It was basically a play on Team America’s Kim Jong Il character, asking why everyone was so stupid.

A few days later, on September 5, President Obama gave Vladimir Putin the first of several warnings about the hacking — understood to be the DNC hacking (reportedly, no one knew about the Podesta hack yet, even though the emails had been stolen in March).

Almost a month passed before Shadow Brokers posted again, on October 1, basically whining about no one playing in the auction. The following two weeks are critical in the DNC hack rollout.

On October 7, two leaks distract from the IC attribution announcement

On October 7, three things happened (well, more, but I’ll come back to that): First, ODNI and DHS released their statement blaming Russia for the hack. The WaPo published the Access Hollywood “Grab them by the pussy” video. And WikiLeaks started releasing the Podesta emails.

Side note: This weekend, Podesta complained about the latter two events, describing how they came out just an hour apart. People even disputed the claim. But in neither Podesta’s comment nor the fact-check are people mentioning that it’s not so much that the Podesta emails distracted from the Trump video (which I don’t think to be the case anyway, because the GrabThemByThePussy really did distract us for a while), but that both — and especially the video — distracted from the Russia implication.

A week later, the same NBC team that has been the recipient of other DNC hack related leaks published a dick-wagging story promising that the CIA was about to cyber-retaliate for the hacks.

The next day, Shadow Brokers released message number 4 calling off the auction. The Shadow Brokers post also crassly spoofs Loretta Lynch’s airplane meeting with Bill Clinton (there’s a cultural reference here I don’t get), bringing the message content of the SB series still closer to the context of the Hillary emails.

Release Two: ID alleged NSA targets and threaten the election

Thus far, mind you, Shadow Brokers had just released enough to seriously compromise America’s firewall companies and their relationship with the NSA — but had mostly just been making noise since the first release. That changed on October 30, less than two weeks before the election.

Most of the focus on this release has been on the data released: a set of IP addresses seemingly showing the addresses NSA had hacked or used as a proxy. The IP addresses were dated, so the release wasn’t exposing ongoing operations, probably. But it did reveal a significant number of academic targets. It also showed that, several years before we drummed up the Iraq War, we were targeting the Organization for the Prohibition of Chemical Weapons. Unlike the first release, then, this one didn’t so much help anyone hack. Instead, it identified who had been hacked, and the degree to which these were not obvious targets.

But the message from that release is, in retrospect, just as important. It includes a reference to the NBC dick-wagging story about CIA hacking Russia. It questions why the focus has been on the DNC hack and not the Shadow Brokers release, “hacking DNC is way way most important than EquationGroup losing capabilities. Amerikanskis is not knowing USSA cyber capabilities is being screwed.” It invited people to hack the election.

On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped election from coming? Maybe hacking election is being the best idea? #hackelection2016.

And then it demanded payment or the bleeding would continue. “How bad do you want it to get? When you are ready to make the bleeding stop, payus,”

The next day, according to NBC, for the first time in his Administration, President Obama used the “Red Phone” communication system with Russia and discussed war, albeit in muddled terms.

Now, even aside from this timing, it makes more sense that Obama was reacting to the Shadow Brokers release than the DNC ones. Though Dems have suggested Russia kept hacking after the spring, that appears to have been more phishing attempts, not known theft of documents. As for the DNC and Podesta files, as Obama said on Friday, those files had already been stolen. Short of stopping WikiLeaks (and Ecuador had cut off Julian Assange’s wifi access by then, presumably in response to US pressure, though it had little impact on the release of the Podesta files), there was nothing that a call could do about the ongoing leaks pertaining to Hillary. There were, admittedly, the probes of state voter registration sites, but the IC has consistently stopped short of attributing those to Russia.

But a response to a threat to hack Russia?

Which would seem to suggest the IC believes that these Shadow Brokers files are coming from Russia.

Release Three: A broad array of alleged tools, including those that hacked Belgacom

Then things went quiet again for a while, until the leakapalooza starting on December 9, which was basically an effort by the Dems and some spooks to pressure Trump and/or delegitimize his election. Significantly, however, the December 9 WaPo story also reported, for the first time, that CIA knew who the cut-outs between Russia’s hackers and Wikileaks were, something James Clapper said the IC didn’t have as late as November 17. In addition, the NYT published its long piece describing the hack, told in a way to put the Dems in the best possible light (which is a polite way of saying it is not hard-hitting news).

So on December 14, a Motherboard post from a persona named Bocefus Cleetus points to a ZeroNet site with a set of files listed for individual sale (and aggregating all the past messages).

With regards to the files, here is HackerHouse’s analysis, here is the Grugq’s post on the technical aspect of the files, and a few of Shadow Brokers’ most recent tweets allegedly describe what some of the files are. The short version though is, like the original release, these are dated files, some of them triggering known interests of commentary on NSA’s hacking. There’s a good deal of variety in tools, some of which sound cool. One of them, at least according to Hacker House, is likely one of the tools used to hack Belgacom.

Interestingly, HackerHouse and the Grugq disagree as to what this array suggests about the source of the files. The Grugq argues that these files must come from inside the NSA, because there’d be no other explanation for all of them to be in the same place.

Why High Side?

The easiest way to tell this is high side [inside NSA’s classified networks] gear, not a back hack from an ops box is that there is simply too much here. It’s hard for me to explain because it requires a level of information security knowledge combined with understanding how cyber operations are conducted (which is different from pen tests or red teaming.)

The TAO of Cyber

Cyber operations are basically designed with operational security in mind. The operators create a minimal package of tooling needed for conducting exactly, only and specifically the operation they are doing. This means, for example, if they are hitting a telco Call Data Records (CDR) box, they will plan for what they are going to do on that specific computer and prepare the tools for only that plan and that computer. If those tools are captured, or there is a back hack up to their staging point, the loss is compartmented.

But HackerHouse argues they must be from a staging site (that is, external to the NSA) because they are binary files.

The bulk of these projects are not provided in source code form and instead appear to be binary files, which further strengthens the hypothesis that these files were compromised from an operational staging post or actively obtained from a field operation. If they had been in source code format then this would suggest an insider leak is more likely, binary files are often used in operations over their source code counterpart.

For what it’s worth, in the first post, Shadow Brokers claims it tracked EG’s traffic. “We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group.” But it is worth noting that, 4 months after the first leak, tech folks are still disputing whether these must have come from inside or outside the NSA.

Assuming no one buys these files, then, the release has done several things. First, it provided Belgacom and other potential targets of US hacking more evidence they might use to identify an NSA hack. As such, it seems consistent with the earlier releases: not so damaging for current operations as it is for the exposure of who and how the US targets civilian targets.

But it also tells the NSA more about what Shadow Brokers has — at least some of the tools it has (in the first post, SB claimed NSA didn’t know what it had), but also where they were obtained.

Cleetus’ close commentary on recent events

Which brings me to the message (post one, post two) of presumed Shadow Brokers persona, Bocefus Cleetus (as others have argued, a possible allusion to “ventriloquist dummy of FSB”), which the Grugq wrote about here. I suspect (this is a wildarseguess) Cleetus may serve as a temporally contingent way to alert the public to files that may have been out there for a while.

As the Grugq notes, the first message is interesting for its invocation of Rage against the Machine’s “People of the Sun” juxtaposed against a background and fake discourse targeting caricatured Neo-Nazi Trump voters. He reads the former as a warning about invading brown people, but I think — given the stylistic fluidity across the six Shadow Brokers’ messages — it might better be understood as mixed metaphors. RATM where one has been led to expect Hank Williams Jr.

There’s also a reference to fake news. As with the October 30 release (assuming Cleetus is a persona of Shadow Brokers), this is also a piece responding to very current events.

But it is Cleetus’ second message that is a far more interesting comment on immediate events. For example, from the first, it invokes NYT’s blockbuster (which is remarkably favorable to the DNC) story on the hack, which has now been translated into Russian. Here’s Cleetus’ first line:

After my shadow brokers tweet I was contacted by an anonymous source claiming to be FBI. Yep I know prove it? I wasn’t able to get’em to verify their identity.

Here’s an early line from the NYT story:

“I had no way of differentiating the call I just received from a prank call,” Mr. Tamene wrote in an internal memo, obtained by The New York Times, that detailed his contact with the F.B.I.

This line from Cleetus:

The NSA has the global surveillance capabilities to intercept all the DNC and Podesta emails.

Seems to reflect Bill Binney’s theory, which is that the NSA would know if there were really a hack because it would have seen the traffic.

In other words, any data that is passed from the servers of the Democratic National Committee (DNC) or of Hillary Rodham Clinton (HRC) – or any other server in the U.S. – is collected by the NSA.  These data transfers carry destination addresses in what are called packets, which enable the transfer to be traced and followed through the network.


The bottom line is that the NSA would know where and how any “hacked” emails from the DNC, HRC or any other servers were routed through the network. This process can sometimes require a closer look into the routing to sort out intermediate clients, but in the end sender and recipient can be traced across the network.

There’s the reference to the now-forgotten stink when Trump interviewed Mike Rogers.

Clapper and Carter tried to get Rogers fired. They also called for the breakup of NSA.

That was first reported by the same folks who set off this leakapalooza.

The heads of the Pentagon and the nation’s intelligence community have recommended to President Obama that the director of the National Security Agency, Adm. Michael S. Rogers, be removed.

The recommendation, delivered to the White House last month, was made by Defense Secretary Ashton B. Carter and Director of National Intelligence James R. Clapper Jr., according to several U.S. officials familiar with the matter.

Action has been delayed, some administration officials said, because relieving Rogers of his duties is tied to another controversial recommendation: to create separate chains of command at the NSA and the military’s cyberwarfare unit, a recommendation by Clapper and Carter that has been stalled because of other issues.

What ever happened to Trump’s imminent plan to replace James Clapper with Mike Rogers amidst a big rearrangement of the spook desk chairs, I wonder? Has he completely forgotten Clapper is out of here on January 20, at noon sharp, Clapper said?

In any case, those bits directly echo very current news. But the rest of the post posits a fight between DOD and CIA, some of it rooted in equally real, if more dated, pissing contests.

Look it up for yerself! DOD and CIA have had a turf war going back to the Afghanistan and Iraq Wars bout whose job it was to run paramilitary operations. A turf war over the next “domain of battle” with all the government cheese.

One reason Shadow Brokers’ positing of a NSA-CIA spat — which the Grugq argues could not be real — is so interesting is because most of the recent reporting has forgotten NSA’s centrality in all this and instead focused on an FBI-CIA split, which was artificially resolved by pre-empting the President’s press conference on Friday.

I don’t think there’s really an NSA-CIA pissing contest, though there may be an interesting detail here or there I’ll return to.

But it brings us full circle. President Obama, in urging calm, invoked the kind of retaliation that might, “create problems for us.” Those comments took place as if only the DNC and Podesta hacks were at issue (indeed, he made Martha Raddatz qualify what leaks the IC had blamed on Russia, and that’s what she said). But it appears likely that the IC connects Shadow Brokers to the other two. And the whole time we’ve been talking about retaliating, the Shadow Brokers has not so much been undercutting the NSA’s bread and butter, but letting our allies and other neutral parties see precisely whom we conduct this dragnet on.

That sounds like something that might “create problems for us.”

On October 30, Shadow Brokers taunted, “When you are ready to make the bleeding stop, payus, so we can move onto the next game.” I think we’re still in that first game.

Shadow Brokers Timeline

August 13: Message 1 Equation Group Warez Auction Invitation

The name, in general, is a play on the villain from Mass Effect.

GitHub, Reddit, Tumblr (see note), with takedowns as stolen property

Message on Pastebin

Claims files obtained by following EG traffic, claims EG doesn’t know what it lost

We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group.


Equation Group not know what lost. We want Equation Group to bid so we keep secret. You bid against Equation Group, win and find out or bid pump price up, piss them off, everyone wins.

Rant about wealthy elites who don’t get blowjobs who run for President

We have final message for “Wealthy Elites”. We know what is wealthy but what is Elites? Elites is making laws protect self and friends, lie and fuck other peoples. Elites is breaking laws, regular peoples go to jail, life ruin, family ruin, but not Elites. Elites is breaking laws, many peoples know Elites guilty, Elites call top friends at law enforcement and government agencies, offer bribes, make promise future handjobs, (but no blowjobs). Elites top friends announce, no law broken, no crime commit. Reporters (not call journalist) make living say write only nice things about Elites, convince dumb cattle, is just politics, everything is awesome, check out our ads and our prostitutes. Then Elites runs for president. Why run for president when already control country like dictatorship? What this have do with fun Cyber Weapons Auction? We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data. You see what “Equation Group” can do. You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems? If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle? “Do you feel in charge?” Wealthy Elites, you send bitcoins, you bid in auction, maybe big advantage for you?

August 27: Hal Martin arrested

August 28: Message 2 “Why is everyone so fucking stupid”

A play on Team America’s “I’m so ronery”

Additional details on auction, Pastebin

September 1: Message 6 files signed

September 5: Obama and Putin discuss DNC hacks at G-20

September 25: Sam Adams Award presentation; Craig Murray meets intermediary tied to Podesta leak

October 1: Message 3 “Why you no like?”

More details on the auction. Medium

Q: Why saying “don’t trust us”?

A: TheShadowBrokers is making comment on trust-less exchanges. TheShadowBrokers is thinking is no thing now as trust-less. “Don’t Trust” is not equal to “Is Scam”. TheShadowBrokers is thinking no way to exchange secrets (auction files) without one party trusting other. If seller trust buyer and buyer no pay, then no more secrets. If buyer trust seller and seller no deliver, the no more sales. TheShadowBrokers is having more things to sell. Reputation is being another benefit of public auction.

October 7: IC Attribution of DNC hack to Russia, Podesta email release starts, Access Hollywood video

October 14: NBC story, CIA Prepping for Possible Cyber Strike Against Russia

Vice President Joe Biden told “Meet the Press” moderator Chuck Todd on Friday that “we’re sending a message” to Putin and that “it will be at the time of our choosing, and under the circumstances that will have the greatest impact.”

October 15: Message 4 “Yo Swag Me Out”

Calls off auction and provides spoof (I’m missing what this is a reference to) of Loretta Lynch/Bill Clinton plane conversation

October 17: Ecuador cuts off Assange’s Internet access

October 30: Message 5 Trick or Treat for Amerikanskis

Medium announcement

A reference to October 14 NBC story and Biden’s threat to Putin, mocking relative focus on DNC hacks over Equation Group hacks

Why is DirtyGrandpa threating CIA cyberwar with Russia? Why not threating with NSA or CyberCommand? CIA is cyber B-Team, yes? Where is cyber A-Team? Maybe threating is not being for external propaganda? Maybe is being for internal propaganda? Oldest control trick in book, yes? Waving flag, blaming problems on external sources, not taking responsibility for failures.

A challenge about whether the DNC hack is more important than the EG hack

But neverminding, hacking DNC is way way most important than EquationGroup losing capabilities. Amerikanskis is not knowing USSA cyber capabilities is being screwed?


Maybe political hacks is being more important?

A call for people to hack the elections

TheShadowBrokers is having suggestion. On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped election from coming? Maybe hacking election is being the best idea? #hackelection2016. If peoples is not being hackers, then #disruptelection2016, #disruptcorruption2016. Maybe peoples not be going to work, be finding local polling places and protesting, blocking , disrupting , smashing equipment, tearing up ballots? The wealthy elites is being weakest during elections and transition of power.

A threat that it will get worse

How bad do you want it to get? When you are ready to make the bleeding stop, payus, so we can move onto the next game. The game where you try to catch us cashing out!

October 31: Obama contacts Putin on Red Phone for first time in presidency, reportedly warns he’ll treat an attack on the election as an act of war.

November 26: Anonymous White House statement on election integrity

December 9: Obama calls for a review of hacking; WaPo releases story claiming CIA believes Russia did the hack to elect Trump

December 13: NYT story on DNC hack that leads with detail that FBI called DNC but staffer didn’t believe he was FBI.

December 14 (?): Message 6 “Black Friday/Cyber Monday Sale” (file signed September 1; Mustafa al-Bassam seemed to know they were coming if not already out there)

December 14: Message 6B Bocefus Cleetus 1 “Are the Shadow Brokers selling NSA tools on ZeroNet?”

Reference to Rage Against the Machine People of the Sun

Possible reference to Hank Williams Jr, Dukes of Hazzard (perhaps ventriloquist doll for FSB)

Reference to fake news

December 15: Shadow Brokers interview with Motherboard

December 16, 5:21 AM(?): Message 6A Bocefus Cleetus 2, “New Theory: Shadow Brokers Incident is a Deep State Civil War between CIA vs NSA”

Reference to NYT story on how DNC got hacked

Reference to Bill Binney theory on hack

Seeming rewriting of perceived FBI-CIA feud

Reference to (now forgotten) Trump interview with Mike Rogers

Reference to larger discussions of bureaucratic organization

DOD and CIA have had a turf war going back to the Afghanistan and Iraq Wars bout whose job it was to run paramilitary operations. A turf war over the next “domain of battle” with all the government cheese.

December 16, 2:40PM: Obama press conference

January 1, 2017 [Update]: Shadow Brokers complains it did not get included in Obama’s sanctions list

Takedowns of Shadow Brokers Files Affirm Files as Stolen

I’ve been wondering something.

Almost immediately after the Shadow Brokers posted their Equation Group files, GitHub, Reddit, and Tumblr took down the postings of the actual files. In retrospect, it reminded me of the way Wikileaks was booted off PayPal in 2010 for, effectively, publishing files.

So I sent email to the three outlets asking on what basis they were taken down. GitHub offered the clearest reason. In refreshingly clear language, its official statement said,

Per our Terms of Service (section A8), we do not allow the auction or sale of stolen property on GitHub. As such, we have removed the repository in question.

Mind you, A8 prohibits illegal purpose, not the auction of stolen property:

You may not use the Service for any illegal or unauthorized purpose. You must not, in the use of the Service, violate any laws in your jurisdiction (including but not limited to copyright or trademark laws).

Moreover, at least in its Pastebin explanation, Shadow Brokers were ambiguous about how they obtained the files.

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

They state they “found” the files, or at least traces of the files, and only say they “hacked” to obtain them to get to the latest stage. If they (in the Russian theory of the files) were “found” on someone’s own system, does that count as “stealing” property?

Tumblr wasn’t quite as clear as GitHub. They said,

Tumblr is a global platform for creativity and self-expression, but we have drawn lines around a few narrowly defined but deeply important categories of content and behavior, as outlined in our Community Guidelines. The account in question was found to be in violation of these policies and was removed.

But it’s not actually clear what part of their user guidelines Shadow Brokers violated. They’ve got a rule against illegal behavior.

I guess the sale of stolen property is itself illegal, but that goes back to the whole issue of Shadow Brokers’ lack of clarity of how they got what they got. Their property specific guidelines require someone to file a notice.

Intellectual property is a tricky issue, so now is as good a time as any to explain some aspects of the process we use for handling copyright and trademark complaints. We respond to notices of alleged copyright infringement as per our Terms of Service and the Digital Millennium Copyright Act; please see our DMCA notification form to file a copyright claim online. Please note that we require a valid DMCA notice before removing content. Parties asserting a trademark infringement claim should identify the allegedly infringing work and the legal basis for their claim, and include the registration and/or application number(s) pertaining to their trademark. Each claim is reviewed by a trained member of our Trust and Safety team.

If we remove material in response to a copyright or trademark claim, the user who posted the allegedly infringing material will be provided with information from the complainant’s notice (like identification of the rightsholder and the allegedly infringed work) so they can determine the basis of the claim.

The tech companies might claim copyright violations here (or perhaps CFAA violations?), but the files came down long before anyone had publicly IDed them as the victims. So the only “owner” here would be the NSA. Did they call Tumblr AKA Verizon AKA a close intelligence partner of the NSA?

Finally, Shadow Brokers might be in violation of Tumblr’s rule on unauthorized contests.

The guidelines say you can link to a whackjob contest (which this is) elsewhere, but you do have to make certain disclosures on Tumblr itself.

One more thing about Tumblr, though. It claims it will give notice to a user before suspending their content.

Finally, there’s Reddit, which blew off my request altogether. Why would they take down Shadow Brokers, given the range of toxic shit they permit to be posted?

They do prohibit illegal content, which they describe as,

Content may violate the law if it includes, but is not limited to:

  • copyright or trademark infringement
  • illegal sexual content

Again, GitHub’s explanation of this as selling stolen property might fit this description more closely than copyright infringement, at least of anyone who would have complained early enough to have gotten the files taken down.

The more interesting thing about Reddit is they claim they’ll go through an escalating series of warnings before taking down content, which pretty clearly did not happen here.

We have a variety of ways of enforcing our rules, including, but not limited to

  • Asking you nicely to knock it off
  • Asking you less nicely
  • Temporary or permanent suspension of accounts
  • Removal of privileges from, or adding restrictions to, accounts
  • Adding restrictions to Reddit communities, such as adding NSFW tags or Quarantining
  • Removal of content
  • Banning of Reddit communities

Now, don’t get me wrong. These are dangerous files, and I can understand why social media companies would want to close the barn door on the raging wild horses that once were in their stable.

But underlying it all appears to be a notion of property that I’m a bit troubled by. Even if Shadow Brokers stole these files from NSA servers — something not at all in evidence — they effectively stole NSA’s own tools to break the law. But if these sites are treating the exploits themselves as stolen property, then so would be all the journalism writing about it.

Finally, there’s the question of how these all came down so quickly. Almost as if someone called and reported their property stolen.

Wealthy Elites and Blowjobs

I haven’t seen this part of the Shadow Broker files get mentioned. The files themselves are addressed to, “!!! Attention government sponsors of cyber warfare and those who profit from it !!!!” with a description of the auction for further files (which most people believe to be fake).

But at the end of the Pastebin file from them, they include this rant.

We have final message for “Wealthy Elites”. We know what is wealthy but what is Elites? Elites is making laws protect self and friends, lie and fuck other peoples. Elites is breaking laws, regular peoples go to jail, life ruin, family ruin, but not Elites. Elites is breaking laws, many peoples know Elites guilty, Elites call top friends at law enforcement and government agencies, offer bribes, make promise future handjobs, (but no blowjobs). Elites top friends announce, no law broken, no crime commit. Reporters (not call journalist) make living say write only nice things about Elites, convince dumb cattle, is just politics, everything is awesome, check out our ads and our prostitutes. Then Elites runs for president. Why run for president when already control country like dictatorship? What this have do with fun Cyber Weapons Auction? We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data. You see what “Equation Group” can do. You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems? If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle? “Do you feel in charge?” Wealthy Elites, you send bitcoins, you bid in auction, maybe big advantage for you?

Ostensibly, the rant serves to warn that if such tools get out, people might target banks and financial systems, specifically mentioning the hacks on SWIFT (not to mention suggesting that if the other claimed files get out someone might target finance).

Along the way it includes a reference to elites having their top friends announcing “no law broken, no crime commit.” And right before it, this: “make promise future handjobs, (but no blowjobs).”

Maybe I’m acutely sensitive to mentions of blowjobs, especially those received by Bill Clinton, for reasons that are obvious to most of you. But the reference to handjobs but no blowjobs in the immediate proximity of getting off of a crime followed closely by a reference to running for President seems like an oblique reference to the Clintons.

If so, it would place this leak more closely in line with the structure of the other leaks targeting Hillary.

That’s in no way dispositive, but the blowjobs reference does merit mentioning.

Friday: Smells Like

With the lights out, it’s less dangerous
Here we are now, entertain us
I feel stupid and contagious
Here we are now, entertain us
A mulatto, an Albino
A mosquito, my libido, yeah

— excerpt, Smells Like Teen Spirit by Nirvana

Been a rough week so I’m indulging myself with some double bass — and because it’s Friday, it’s jazz. This is 2009 Thelonious Monk Competition winner Ben Williams, whose ‘Teen Spirit’ is both spirited and minimalist. Check out this set with Home and Dawn Of A New Day, the first imbued with a hip-hoppy beatmaking rhythm.

More Shadows on the wall
While Marcy has some questions about the recent alleged Shadow Brokers’ hack of NSA-front Equation Group and malware staging servers, I have a different one.

Why is Cisco, a network equipment company whose equipment appears to have been backdoored by the NSA, laying off 20% of its workforce right now? Yeah, yeah, I hear there’s a downturn in networking hardware sales due to Brexit and the Chinese are fierce competitors and businesses are moving from back-end IT to the cloud, but I see other data that says 50-60% of ALL internet traffic flows through Cisco equipment and there are other forecasts anticipating internet traffic growth to double between now and 2020, thanks in part to more video streaming and mobile telecom growth replacing PCs. Sure, software improvements will mediate some of that traffic’s pressure on hardware, but still…there’s got to be both ongoing replacement of aging equipment and upgrades (ex: Southwest Airlines’ router-fail outage), let alone new sales, and moving to the cloud only means network equipment is consolidated, not distributed. Speaking of new sales and that internet traffic growth, there must be some anticipation related to increased use of WiFi-enabled Internet of Things stuff (technical term, that — you know, like Philips’ Hue lighting and Google Nest thermostats and Amazon Echo/Alexa-driven services).

Something doesn’t add up. Or maybe something rolls up. I dunno’. There are comments out on the internet suggesting competitor Huawei is hiring — that’s convenient, huh?

AI and Spy

  • Data security firm working on self-tweeting AI (MIT Review) — The software can generate tweets more likely to elicit a response from humans than the average phishing/spearphishing attempt. Seems a little strange that a data security company is working on a tool which could make humans and networks less secure, doesn’t it?
  • Toyota sinks a bunch of cash into AI project at U of Michigan (ReadWrite) — $22 million the automaker pledged to development of self-driving cars, stair-climbing wheelchairs and other mobility projects. Toyota has already invested in similar AI development programs at Stanford in Palo Alto, CA and MIT in Cambridge, MA. Funding academic research appears to be a means to avoid a bigger hit to the corporation’s bottom line if the technologies do not yield commercially viable technology.
  • Steganography developed to mask content inside dance music (MIT Review) — Warsaw University of Technology researcher co-opted the rhythm specific to Ibiza trance music genre. The embedded Morse code buried in rhythm could not be audibly detected by casual listeners as long as it did not distort the tempo by more than 2%.


  • New theory suggests fifth force of nature possible (Los Angeles Times) — The search for a “dark photon” may have led to a new theory explaining the existence and action of dark energy and dark matter, which together make up 95% of the universe. I admit I need to hunt down a better article on this; this one doesn’t make all the pieces snap into place for me. If you’ve seen a better one, please share in comments.
  • Sound wave-based black hole model may show Hawking radiation at work (Scientific American) — Can’t actually create a real black hole in the lab, but a model like this one created by an Israeli scientist using phonons (not photons) may prove Stephen Hawking was right about information leakage from black holes. The work focuses on the actions of quantum-entangled particle pairs which are separated on either side of the event horizon. Beyond adding to our understanding of the universe, how this work will be used isn’t quite clear. But use of quantum entanglement in cryptography is an important and growing field; I wouldn’t be surprised to see this finding shape cryptographic development.
  • Pregnant women’s immune system response may affect fetus’ neurological system (MedicalXpress via — While an expectant mother’s immune system may prevent a virus from attacking her fetus, the protective process may still affect the fetus long term. Research suggests that some neurological disorders like schizophrenia and autism may be associated with maternal infections pre-birth.

Late adder: Travel Advisory issued for pregnant women to avoid Miami Beach area according to CDC — Five more cases of Zika have been identified and appeared to have originated in the newly identified second Zika zone, this one east of Biscayne Bay in the Miami Beach area. The initial Zika zone was on the west side of Biscayne Bay. The CDC also discouraged pregnant women and their sex partners from traveling to Miami-Dade County as a whole; the county has now had a total of 36 cases of Zika.

In the video in the report linked above, FL Gov. Rick Scott pokes at the White House about additional Zika assistance, but Scott previously reduced spending on mosquito control by 40%. Now he’s ready to pay private firms to tackle mosquito spraying. Way to go, Republican dirtbag. Penny wise, pound foolish, and now it’s somebody else’s job to bat cleanup.

Longread: Stampede at JFK
A firsthand account of the public’s stampede-like reaction to a non-shooting at New York’s JFK International Airport. To paraphrase an old adage, if all you have is a gun, everything looks and sounds like a shooting.

Let go of your fear and let the weekend begin.

Thursday: Creep

Covers are often treated like poor relations in hand-me-downs. It’s not the performer’s own work, how can they possibly do the original justice?

Yeah…and then this. I think it’s an example of an exceptional cover. It’s one of my favorites. There are a number of other fine covers of this same piece — some are sweet, some have better production values, and some are very close to Radiohead’s original recording. But this one has something extra. Carrie Manolakos, a Broadway performer known for her role as Elphaba in Wicked, takes a breath at 2:19 and watch out. Her second album will release next month if you enjoy her work.

In Sickness and Health
Here, read these two stories and compare them:

Leaving you with the actual heds on these articles. How isn’t this simple extortion? You know, like, “Nice national health care system you’ve got there. It’d be a shame if anything happened to it.”

Cry me a river about corporate losses. Last I checked Aetna’s been paying out dividends regularly, which means they still have beaucoup cash.

If only we’d had a debate about offering single payer health care for everyone back in 2009 so we could say Fuck You to these vampiric corporate blackmailers.

Still in Shadow
A timeline of articles, analysis, commentary on the hacking of NSA malware staging servers by Shadow Brokers — no window dressing, just links:

15-AUG-2016 8:48 AM — (Mikko Hypponen–Kaspersky tweeting discovery of Shadow Brokers’ auction of Equation Group code)

16-AUG-2016 7:22 AM — (Info sec expert Dave Aitel’s assessment on hackers responsible)

16-AUG-2016 7:40 AM — (Edward Snowden’s tweet thread [NB: don’t be an idiot and click on any other links in that thread])

16-AUG-2016 7:22 PM — (time zone unclear)

16-AUG-2016 ?:?? —

17-AUG-2016 8:05 AM EST —

17-AUG-2016 ?:?? — (University of Illinois’ Stephen Checkoway’s initial impressions)

17-AUG-2016 7:23 PM EST —

18-AUG-2016 6:59 AM EST — (Thomas Rid suggests Shadow Brokers’ auction may be “retaliation” — note at this embedded tweet the use of “retaliation” and the embedded, highlighted image in which the words “Panama Papers” appear in red. Make of that what you will.[1])

18-AUG-2016 2:35 PM EST — (Two linguists suggest Shadow Brokers’ primary language is English distorted to mimic Russian ESL)

You know what this reminds me of? Sony Pictures’ email hacking. Back and forth with Russia-did-it-maybe-not-probably, not unlike the blame game pointing to North Korea in Sony’s case. And the linguistic analysis then suggesting something doesn’t quite fit.

[Today’s front pages from USA Today, The New York Times, Wall Street Journal, Los Angeles Times, shared here under Fair Use.]

American Refugees
I read in one of my timelines today a complaint by a journalist about Louisiana flooding news coverage. Wish I’d captured the thread at the time; they were put out that the public was unhappy about the media’s reporting — or lack thereof. They noted all the links to articles, videos, photos being shared in social media, noting this content came from journalists.

Except there really is a problem. The embedded image here is the front page of each of the four largest newspapers in the U.S. based on circulation, total combined circulation roughly six million readers. NONE OF THEM have a story on the front page about the flooding in Louisiana, though three of them covered the California Blue Cut Fire. Naturally, one would expect the Los Angeles Times to cover a fire in their own backyard, and they do have a nice photo-dense piece online. But nothing on the front page about flooding.

The Livingston Parish, Louisiana sheriff noted more than 100,000 parish residents had lost everything in the flood. There are only 137,000 total residents in that parish.

Between the +80,000 Blue Cut Fire evacuees and more than 100,000 left temporarily homeless in Louisiana, the U.S. now has more than a couple hundred thousand climate change refugees for which we are utterly unprepared. The weather forecast this week is not good for the Gulf Coast as unusually warm Gulf water continues to pump moisture into the atmosphere. We are so not ready.

Longread: The last really big American flood
Seven Scribes’ Vann R. Newkirk II looks at the last time a long bout of flooding inundated low-lying areas in the south, setting in motion the Great Migration. This is the history lesson we’ve forgotten. We need to prepare for even worse because like the Blue Cut Fire in California and Hurricane Sandy in New Jersey and New York, disaster won’t be confined to a place too easily written off the front page.

One more day. Hope to make it through.
[1] Edited for clarity. Kind of.