Corrente

If you have "no place to go," come here!

Anyone want to help with Jacob Appelbaum 30c3 transcript? Updated: draft 4.0 - are we done?

transcriber's picture

I did a first draft of Jacob Appelbaum's keynote presentation at the 30c3 conference. I'd like to do a good job and have it out there asap because I think it's important, but this first draft is extremely rough, I am no geek, don't know the terms, lots of guesses and flubs and I am done for tonight. Also, all I've got is the audio from Soundcloud: http://soundcloud.com/moltke/to-protect-and-infect-part-2. I can't see youtubes anymore, and I would love to see what he's showing - slides I think - and I'd like to do the slide inserts like in the Aaron Swartz transcript here but I need screenshots.

Day 2

Update #1: Now second draft, thank you for help! Need much more!

Update #2: Now incorporating changes from Lambert's very helpful submission, so I'm calling this version 2.1. Thanks! Please note that I'm probably the only person here who can't see the video.

Update #3: Now with Flora's screenshots (thank you!!) added, so I'm calling this version 2.2. Hopefully tomorrow we can call it finished at version 3? Also is placement of screenshots right? My timeline is the Soundcloud audio file, I'm sure you all are using YouTube times, so ballpark.

Update #4: Did Flora's corrections; calling this draft 2.3. Still a few questions (ones not struck out, and see comment at bottom) and waiting for screenshots, otherwise done? Speak now...

Day 3

Update #5: In progress, incorporating Flora's screenshots, calling this draft 3.0. Still a few questions (below fold, ones not struck out), and I want to do some linking. But if there's something you see, speak now...

Update #6: Draft 3.1, screenshot-to-youtube links added. Still questions below fold, and we're looking for the original nsa slides (Der Spiegel? someplace else?) that are used.

Update #7: Draft 3.2, now with links to Der Spiegel sources so people can go look at the nsa slides for themselves. People, are we done here? Question remaining is "Om"

Day 4

Update #8: Draft 4.0, fixed OHM, thank you Hipparchia! Added "Room Surveillance" category to block at bottom that I missed. Are we done?

Here's the video, so users can read along with it (and perhaps offer corrections in comments?) If you haven't listened to this, you really should; you don't need to understand the mass of detail to get the picture. --lambert

Anyway, if you can help proof this, please post corrections and I'll come back to this tomorrow and try some more. Screenshots with timestamps would be great so I know where to insert them. Or maybe someone will post a better transcript, it's only a matter of time? If anyone sees this and wants to pick this up and use it, that's great, leave a link if you improve it.

So, draft transcript [4.0] below the fold. Thanks.

Related transcripts from the conference that I know of:
- Glenn Greenwald: https://github.com/poppingtonic/greenwald-30c3-keynote/tree/master/trans...
- Panel 303: Sysadmins of the World, Unite! with Julian Assange, Jacob Appelbaum, and Sarah Harrison (29 Dec 2013): http://wikileaksetc.blogspot.nl/2014/01/transcript-30c3-sysadmins-of-wor...

Questions:
- 15:47 wireless frame or frames?
- 30:56 expect? inspect?
- 31:46 iframe? I-frame? uh...
- 32:36 their like Hacking Team (as in first slide) - or - they're like a hacking team
- 33:56 a limit of an?
- 34:50 dielectric panels?
- 39:56 "Stuccomontana"?
- There was a talk at 45:19 “Om” this year - Om?
- they actually exploit the BIOS 49:02 [in? and?] system management mode (I bet it's and)
- 49:09 MRsat, Dsat ?
- 56:30 it right? (not clear, I took it out - "when it doubt, leave it out")

Also style - use "owned" or "pwned"? I saw "pwn" in third slide so I went with that - changing back to owned, dunno
Bulldozer in all caps?
Anybody have any idea who the moderator at the end is? [ ]? - He is now "Moderator"

Thanks all.
- - - -

Notes on slides:

Clicking on a slide in the transcript below will take you to that spot in the YouTube.

Der Spiegel posted the slide presentation NSA QUANTUM Tasking Techniques for the R&T Analyst in association with article this article (in German - with more slides than in English set? - don't exactly correlate)

The NSA product data specs are posted in an Interactive Graphic with the Der Spiegel story Shopping for Spy Gear: Catalog Advertises NSA Toolbox. For specific names, see note at transcript bottom. You can also see the specs in a string here: http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-... (But where is the GODSURGE (FLUXBABBITT)/Dell spec?)

* * *

THIS IS NOW ROUGH DRAFT 4.0

https://www.youtube.com/watch?v=b0w36GAyZIA

30c3: To Protect And Infect, Part 2
The militarization of the Internet
YouTube published on Dec 30, 2013
by: Jacob "@ioerror" Applebaum

Transcript

Act One

Jacob Appelbaum: So recently we heard a little bit about some of the low-end corporate spying that’s often billed as being sort of like the hottest, most important stuff, so the FinFisher, the Hacking Team, the VUPEN and sort of in that order it becomes more sophisticated and more and more tied in with the National Security Agency. There are some Freedom of Information Act requests that have gone out that actually show VUPEN being an NSA contractor, writing exploits, that there are some ties there.

This sort of covers the sort of, the whole gamut I believe, which is that, you know, you can buy these like little pieces of forensics hardware, and just as a sort of fun thing I bought some of those and then I looked at how they worked and I noticed that this "Mouse Jiggler," you plug it in and the idea is that it like keeps your screen awake. So have any of you seen that at all? This piece of forensics hardware so your screensaver doesn’t activate. So I showed it to one of the systemd developers and now when you plug those into a Linux box that runs systemd, it automatically locks the screen when it sees a USB ID.

[applause]

So when people talk about free software, free as in freedom, that’s part of what they’re talking about.

So there are some other things which I’m not going to really talk a lot about it because basically this is all bullshit that doesn’t really matter and we can defeat all of that. This is the individualized things we can defend against. But I want to talk a little bit about how it’s not necessarily the case that because they’re not the most fantastic, they’re not the most sophisticated, that therefore we shouldn’t worry about it.

This is Rafael.

I met him when I was in Oslo in Norway for the Oslo Freedom Forum, and basically he asked me to look at his computer because he said, “You know, something seems to be wrong with it. I think that there’s something, you know, slowing it down.” And I said, “Well, I’m not going to find anything. I don’t have any tools.” We were just going to like sit at the computer. And I looked and it has to be the lamest back door I’ve ever found. It was basically a very small program that would just run in a loop and take screenshots. And it failed to upload some of the screenshots, and so there were 8 gigabytes of screenshots in his home directory.

[laughter]

And I said, “I’m sorry to break it to you but I think that you’ve been owned. And by a complete idiot.”

[laughter]

And he, he, yeah, he was, he was really actually, he felt really violated, and then he told me what he does, which is he’s an investigative journalist who works with top secret documents all the time with extreme, extreme operational security to protect his sources. But when it came to computing, J-school failed him. And as a result, he was compromised pretty badly. He was not using a specialized operating system like Tails, which if you’re a journalist and you’re not using Tails you should probably be using Tails unless you really know what you’re doing. Apple did a pretty good job of revoking this application, and it was, you know, in theory it stopped, but there are lots of samples from the same group and this group that did this is tied to a whole bunch of other attacks across the world, actually, which is why it’s connected up there with Operation Hangover.

The scary thing, though, is that this summer, after we’d met, he was actually arrested relating to some of these things. And now, as I understand it, he’s out, but, you know, when you mess with a military dictatorship it messes with you back. So even though that’s one of the lamest back doors, his life is under threat. So just simple things can cause serious, serious harm to regular people that are working for some kind of truth telling.

And that to me is really a big part of my motivation for coming here to talk about what I’m going to talk about next, which is that for every person that we learn about like Rafael, I think there are lots of people we will never learn about, and that’s, to me that’s very scary, and I think we need to bring some transparency, and that’s what we’re going to talk about now.

And I really want to emphasize this point. Even though they’re not technically impressive, they are actually still harmful, and that is really a key point to drive home. I mean, some of the back doors that I’ve seen are really not sophisticated, they’re not really that interesting, and in some cases they’re common off-the-shelf purchases between businesses, so it’s like business-to-business exploitation software development. I feel like that’s really kind of sad, and I also think we can change this. We can turn this around by exposing it.

So, what’s it all about, though?

Fundamentally it’s about control, baby, and that is what we’re going to get into. It’s not just about control of machines. What happened with Rafael is about control of people. And fundamentally when we talk about things like internet freedom and we talk about tactical surveillance and strategic surveillance, we’re talking about control of people through the machinery that they use. And this is a really, I think a really kind of, you know – I’m trying to make you laugh a little bit because what I’m going to show you today is wrist-slitting depressing.

So.

Part 2, or Act Two of Part 2

Basically the NSA, they want to be able to spy on you, and if they have 10 different options for spying on you that you know about, they have 13 ways of doing it and they do all 13. So that’s a pretty scary thing, and basically their goal is to have total surveillance of everything that they are interested in. So there really is no boundary to what they want to do. There is only sometimes a boundary of what they are funded to be able to do and the amount of things they’re able to do at scale. They seem to just do those things without thinking too much about it, and there are specific tactical things where they have to target a group or an individual, and those things seem limited either by budgets or simply by their time. And as we have released today on Der Spiegel’s website, which it should be live – I just checked, it should be live for everyone here – we actually show a whole bunch of details about their budgets as well as the individuals involved with the NSA and the Tailored Access Operations group in terms of numbers.

So it should give you a rough idea showing that there was a small period of time in which the internet was really free and we did not have people from the U.S. military that were watching over it and exploiting everyone on it, and now we see every year that the number of people who are hired to break into people’s computers as part of grand operations, those people are growing day by day, actually, and every year there are more and more people that are allocated, and we see this growth.

So that’s the goal: Nonattribution, and total surveillance, and they want to do it completely in the dark.

The good news is that they can’t. So, now I’m going to show you a bit about it. But first, before I show you any pictures, I want to sort of give you the big picture from the top down.

So there is a planetary strategic surveillance system, and there – well, there are many of them actually. Everything from I think off-planetary surveillance gear, which is probably the National Reconnaissance Office and their satellite systems for surveillance like the Keyhole satellites – these are all things most, for the most part we actually know about these things. They’re on Wikipedia. But I want to talk a little bit more about the internet side of things because I think that’s really fascinating.

So part of what we are releasing today with Der Spiegel or what has actually been released – just to be clear on the timeline, I’m not disclosing it first, I’m working as an independent journalist summarizing the work that we have already released onto the internet as part of a publication house that went through a very large editorial process in which we redacted all the names of agents and information about those names, including their phone numbers and e-mail addresses.

[applause]

And I should say that I actually think that the laws here are wrong, because they are in favor of an oppressor who is criminal. So when we redact the names of people who are engaged in criminal activity including drone murder, we are actually not doing the right thing, but I believe that we should comply with the law in order to continue to publish, and I think that’s very important.

[applause]

We also redacted the names of victims of NSA surveillance, because we think that there’s a balance. Unfortunately there is a serious problem which is that the U.S. government asserts that you don’t have standing to prove that you’ve been surveilled unless we release that kind of information, but we don’t want to release that kind of information in case it could be a legitimate target, and we – I’m really uncomfortable with that term, but let’s say that there is a legitimate target, the most legitimate target, and we didn’t want to make that decision. But we did also want to make sure that we didn’t harm someone, but we also wanted to show concrete examples. So if you look at the Spiegel stuff on line, we redacted the names even of those who were victimized by the NSA’s oppressive tactics, which I think actually goes further than is necessary, but I believe that it strikes the right balance to ensure continued publication and also to make sure that people are not harmed and that legitimate good things, however rare they may be, they are also not harmed. So if you’ve been targeted by the NSA and you would have found out today if we had taken a different decision, I’m really sorry, but this is the thing I think that keeps us alive, so this is the choice that I think is the right choice, and I think it’s also the safest choice for everyone.

So that said, basically the NSA has a giant dragnet surveillance system that they call TURMOIL. TURMOIL is a passive interception system. The passive interception system essentially spans the whole planet. And who here has heard about the Merkel phone incident? Some of you heard about Chancellor Merkel? So we revealed that in Der Spiegel, and what we found was that they tasked her for surveillance. And I’ll talk a little bit about that later.

But basically the way that this works is that they have this huge passive set of sensors, and any data that flows past it, they actually look at it. So there was a time in the past where surveillance meant looking at anything at all. And now the NSA tries to basically twist the words of every person who speaks whatever language they’re speaking in, and they try to say that it’s only surveillance if after they collect it and record it to a database and analyze it with machines, only if I think an NSA agent basically looks at it personally and then clicks “I have looked at this” do they call it surveillance.

Fundamentally I really object to that because if I ran a TURMOIL collection system – that is passive signals intelligence systems collecting data from the whole planet, everywhere they possibly can – I would go to prison for the rest of my life. That’s the balance, right?

Jefferson talks about this. He says, you know, “That which the government is allowed to do but you are not, this is a tyranny.”

There are some exceptions to that, but the CFAA in the United States, the Computer Fraud and Abuse Act, you know, it’s so draconian for regular people, and the NSA gets to do something like intercepting 7 billion people all day long with no problem, and the rest of us are not even allowed to experiment for improving the security of our own lives without being put in prison or under threat of serious indictment, and that I think is a really important point.

So the TURMOIL system is a surveillance system, and it is a dragnet surveillance system that is a general warrant dragnet surveillance if there ever was one.

And now we shot the British over this when we started our revolution. We called them “general writs of assistance.” These were generalized warrants which we considered to be a tyranny. And TURMOIL is the digital version of a general writ of assistance system. And the general writ of assistance itself, it’s not clear if it even exists, because it’s not clear to me that a judge would understand anything that I just said.

[applause]

Okay, so now we’re going to get scary. So that’s just the passive stuff. There exists another system that’s called TURBINE, and we revealed about this system in the Spiegel publication today as well. So if TURMOIL is deep packet inspection, then TURBINE is deep packet injection. And it is the system that combined together with the things – with TURMOIL and TURBINE you can create a platform which they have consolidated which they call QFIRE. QFIRE is essentially a way to programmatically look at things that flow across the internet that they see with TURMOIL and then using TURBINE they’re able to actually inject packets to try to do attacks, and I’ll describe some of those attacks in detail in a moment.

But essentially the interesting thing about QFIRE also is that they have a thing that’s called a diode. So if you have for example a large number of systems where you control them, you might say, “Hey, what are you doing on that backbone?” “Hey, what’s going on with these systems?” And they could say, well, you know, we paid for access, we’re doing this, it’s all legal, etcetera. QFIRE has this really neat little detail which is that they compromise other people’s routers and then redirect through them so that they can beat the speed of light.

And how they do that is that they have a passive sensor that’s nearby a thing that they can inject from, and when they see that thing sees a selector that is interesting to them or is doing a thing that they would like to tamper with in some way, then they take a packet, they encapsulate the packet, they send it to the diode, which might be your home router potentially, and then that home router decapsulates that packet and sends it out. And because that is very close to you, and let’s say you’re visiting Yahoo, then the Yahoo packet will not beat you. That is, they will not beat the NSA or GCHQ. So it’s a race condition. And so they basically are able to control this whole system and then localize attacks in that process.

So that’s a pretty – pretty scary stuff, actually. And while it is a digital thing, I think it’s important to understand that this is what Jefferson talked about when he talked about tyranny. This is turnkey tyranny, and it’s not that it’s coming, it’s actually here. It’s just merely a question about whether or not they’ll use it in a way that we think is a good way or not a good way.

One of the scariest parts about this is that for this system or these sets of systems to exist, we have been kept vulnerable. So it is the case that if the Chinese, if the Russians, if people here wish to build this system, there’s nothing that stops them. And in fact the NSA has in a literal sense retarded the process by which we would secure the internet because it establishes a hegemony of power, their power in secret to do these things. And in fact I’ve seen evidence that shows that there are so many compromises taking place between the different Five Eyes signals intelligence groups that they actually have lists that explain, “If you see this back door on the system, contact a friendly agency. You’ve just recompromised the machine of another person.”

So when we talk about this, we have to consider that this is designed for at-scale exploitation. And as far as I can tell it’s being used for at-scale exploitation. Which is not really in my mind a targeted particularized type of thing, but rather it’s fishing operations. It’s fishing expeditions. It’s more like fishing crusades, if you will. And in some cases, looking at the evidence, that seems to be what it is. Targeting Muslims, I might add, because that’s what they’re interested in doing.

So that said, that’s the internet, and we get all the way down to the bottom and we get to the Close Access Operations and Off-Net. Off-Net and Close Access Operations are pretty scary things, but basically this is what we would call a black bag job. That’s where these guys, they break into your house, they put something in your computer and they take other things out of your computer.

Here’s an example. First top secret document of the talk so far.

This is a Close Access Operations box. It is basically car metasploit for the NSA, which is an interesting thing. But basically they say that the attack is undetectable, and it’s sadly a laptop running free software. It is injecting packets. And they say that they can do this from as far away as eight miles to inject packets, so presumably using this they’re able to exploit a kernel vulnerability of some kind, parsing the wireless frames, and, yeah. I’ve heard that they actually put this hardware, from sources inside of the NSA and inside of other intelligence agencies, that they actually put this type of hardware on drones so that they fly them over areas that they’re interested in and they do mass exploitation of people.

Now, we don’t have a document that substantiates that part, but we do have this document that actually claims that they’ve done it from up to eight miles away.

So that’s a really interesting thing because it tells us that they understand that common wireless cards, probably running Microsoft Windows, which is an American company, that they know about vulnerabilities and they keep them a secret to use them. This is part of a constant theme of sabotaging and undermining American companies and American ingenuity. As an American, while generally not a nationalist, I find this disgusting, especially as someone who writes free software and would like my tax dollars to be spent on improving these things, and when they know about them I don’t want them to keep them a secret because all of us are vulnerable. It's a really scary thing.

[applause]

And it just so happens that at my house, myself and many of my friends, when we use wireless devices – Andy knows what I’m talking about, a few other people here – all the time we have errors in certain machines which are set up at the house, in some cases as a honey pot, thanks guys, where kernel panic after kernel panic, exactly in the receive handler of the Linux kernel where you would expect this specific type of thing to take place.

So I think that if we talk about the war coming home, we probably will find that this is not just used in places where there’s a literal war on but where they decide that it would be useful, including just parking outside your house.

Now I only have an hour today, so I’m going to have to go through some other stuff pretty quickly.

I want to make a couple points clear. This wasn’t clear, even though it was written in the New York Times by my dear friend Laura Poitras, who is totally fantastic by the way, and you are great. But 15 years of data retention –

[applause]

So the NSA has 15 years of data retention. It’s a really important point to drive home. I joked with Laura when she wrote the New York Times article with James Risen, she should do the math for other people and say 15 years. She said, "They can do the math on their own. I believe in them." I just want to do the math for you. Fifteen years. That’s scary. I don’t ever remember voting on that. I don’t ever remember even having a public debate about it. And that includes content as well as metadata.

So they use this metadata, they search through this metadata retroactively, they do what’s called “tasking” – that is, they find a set of selectors, so that’s a set of unique identifiers – e-mail addresses, cookies, MAC addresses, IMEIs, whatever is useful. Voiceprints potentially, depending on the system. And then they basically task those selectors for specific activities.

So that ties together with some of the attacks which I’ll talk about, but essentially QUANTUMINSERTION and things that are like QUANTUMINSERTION, they’re triggered as part of the TURMOIL and TURBINE system and the QFIRE system, and they’re all put together so that they can automate attacking people based on the plain text traffic that transits the internet or based on the source or destination IP addresses.

This is the second top secret document. This is an actual NSA lolcat for the QUANTUMTHEORY program.

[applause]

You’ll notice it’s a black cat hiding.

Okay. So there are a few people in the audience that are still not terrified enough, and there are a few people that as part of their process for coping with this horrible world that we have found ourselves in, they will say the following: “There’s no way they’ll ever find me. I’m not interesting.” So I just want to dispel that notion and show you a little bit about how they do that.

So we mentioned TURMOIL, which is the dragnet surveillance, and TURBINE, which is deep packet injection, and QFIRE, where we tie it all together, and this is an example of something which I think actually demonstrates a crime but I’m not sure, I’m not a lawyer, I’m definitely not your lawyer, and I’m certainly not the NSA’s lawyer. But this is the MARINA system.


from
here and here

This is merely one of many systems where they actually have full content as well as metadata. Taken together, they do contact chaining where they find out, you guys are all in the same room with me – which reminds me, let’s see, I’ve got this phone – okay. Good. Turn that off. So now –

[laughter]

You’re welcome.

[laughter]

You have no idea.

[laughter]

But I just wanted to make sure that if there was any question about whether or not you are exempt from needing to do something about this, that that is dispelled.

[applause]

You see? Cellphone’s on. Great. So. Hey guys.

[laughter]

So, the MARINA system is a contact chaining system as well as a system that has data, and in this case what we see is in fact reverse contact and forward contact graphing. So, any lawyers in the audience? If there are American citizens in this database, is reverse targeting like this illegal? Generally? Is it possible that that could be considered illegal?

Yeah, so, interesting. If it’s called reverse contact instead of reverse targeting – yeah, exactly.

So, you’ll also notice the, on the right-hand side, webcam photos. So, just in case you’re wondering, in this case this particular target, I suppose that he did not or she did not have a webcam. Good for them. If not, you should follow the EFF’s advice and you should put a little sticker over your webcam.

But you’ll also note that they try to find equivalent identifiers. So every time there’s a linkable identifier that you have on the internet, they try to put that and tie it together and contact chain it, and they try to show who you are among all of these different potential identifiers – if you have five e-mail addresses, they would link them together – and then they try to find out who all your friends are.

You’ll also note at the bottom here, logins and passwords. So they’re also doing dragnet surveillance in which they extract – the feature set extraction where they know semantically what a login and a password is in a particular protocol. And in this case this guy is lucky, I suppose, and they were not able to get passwords or webcam, but you’ll note that they were able to get his contacts and they were able to see in fact 29, give or take, received messages as well, of which there are these things. Now in this case we have redacted the e-mail and instant messager information, but this is an example of how (laughs) you can’t hide from these things, and thinking that they won’t find you is a fallacy.

So this is basically the difference between taking one wire and clipping onto it in a particularized suspicious way where they’re really interested, they have a particularized suspicion, they think that someone is a criminal, they think someone has taken some serious steps that are illegal, and instead what they do is they put all of us under surveillance, record all of this data that they possibly can, and then they go looking through it.

Now in the case of Chancellor Merkel, when we revealed NSRL 2002-388, what we showed was that they were spying on Merkel, and by their own admission, three hops away, that’s everyone in the German Parliament and everyone here.

So that’s pretty serious stuff.

It also happens that if you should be visiting certain websites, especially if you’re a Muslim, it is the case that you can be attacked automatically by this system. Right? So that would mean that they would automatically start to break into systems. That’s what they would call untasked targeting.

Interesting idea that they call that targeted surveillance. To me that doesn’t really sound too much like targeted surveillance unless what you mean by carpet bombing, it – you know, I mean it just – you know, like, it just doesn’t, it doesn’t strike me right. It’s not my real definition of targeted. It’s not well defined. It’s not that a judge has said, “Yes, this person is clearly someone we should target.” Quite the opposite.

This is something where some guy who has a system has decided to deploy it and they do it however they like whenever they would like. And while there are some restrictions, it’s clear that the details about these programs do not trickle up. And even if they do, they do not trickle up in a useful way.

So this is important, because members of the U.S. Congress, they have no clue about these things. Literally, in the case of the technology. Ask a Congressman about TCP/IP. Forget it. You can’t even get a meeting with them. I’ve tried. Doesn’t matter. Even if you know the secret interpretation of Section 215 of the PATRIOT Act and you go to Washington, D.C. and you meet with their aides, they still won’t talk to you about it. Part of that is because they don’t have a clue, and another part of it is because they can’t talk about it because they don’t have a political solution. Absent a political solution, it’s very difficult to get someone to admit that there is a problem.

Well, there is a problem, so we’re going to create a political problem and also talk about some of the solutions.

The Cypherpunks generally have come up with some of the solutions when we talk about encrypting the entire internet. That would end dragnet mass surveillance in a sense, but it will come back in a different sense even with encryption. We need both a marriage of a technical solution and we need a political solution to go with it, and if we don’t have those two things, we will unfortunately be stuck here.

But at the moment the NSA, basically, I feel, has more power than anyone in the entire world – any one agency or any one person. So Emperor Alexander, the head of the NSA, really has a lot of power. If they want to right now, they’ll know that the IMEI of this phone is interesting. It’s very warm, which is another funny thing, and they would be able to break into this phone almost certainly and then turn on the microphone, and all without a court.

So that to me is really scary. And I especially dislike the fact that if you were to be building these types of things, they treat you as an opponent if you wish to be able to fulfill the promises that you make to your customers. And as someone who writes security software, I think that’s bullshit.

So. Here’s how they do a bit of it.

So there are different programs. So QUANTUMTHEORY, QUANTUMNATION, QUANTUMBOT, QUANTUMCOPPER and QUANTUMINSERT. You’ve heard of a few of them. I’ll just go through them real quick.

QUANTUMTHEORY essentially has a whole arsenal of zero-day exploits. Then the system deploys what’s called a SMOTH, or a seasoned moth. And a seasoned moth is an implant which dies after 30 days. So I think that these guys either took a lot of acid or read a lot of Philip K. Dick, potentially both.

[applause]

And they thought Philip K. Dick wasn’t dystopian enough. Let’s get better at this. And after reading VALIS, I guess, they went on, and they also have as part of QUANTUMNATION what’s called VALIDATOR or COMMONDEER. Now these are first-stage payloads that are done entirely in memory. These exploits essentially are where they look around to see if you have what are called PSPs, and this is to see, like, you know, if you have Tripwire, if you have Aid, if you have some sort of system tool that will detect if an attacker is tampering with files or something like this, like a host intrusion detection system. So VALIDATOR and COMMONDEER, which, I mean, clearly the point of COMMONDEER, while it’s misspelled here – it’s not actually, I mean that’s the name of the program – but the point is to make a pun on commandeering your machine.

So, you know, when I think about the U.S. Constitution in particular, we talk about not allowing the quartering of soldiers – and, gosh, you know? Commandeering my computer sounds a lot like a digital version of that, and I find that a little bit confusing, and mostly in that I don’t understand how they get away with it, but part of it is because until right now we didn’t know about it, in public, which is why we’re releasing this in the public interest so that we can have a better debate about whether or not that counts in fact as a part of this type of what I would consider to be tyranny, or perhaps you think it is a measured and reasonable thing. I somehow doubt that.

But in any case, QUANTUMBOT is where they hijack IRC bots, because, why not, they thought they would like to do that, and an interesting point is that they could in theory stop a lot of these botnet attacks and they have decided to maintain that capability, but they’re not yet doing it except when they feel like doing it for experiments or when they do it to potentially use them. It’s not clear exactly how they use them. But the mere fact of the matter is that that suggests they’re even in fact able to do these types of attacks, they’ve tested these types of attacks against botnets, and that’s the program you should FOIA for. We’ve released a little bit of detail about that today as well.

And QUANTUMCOPPER to me is really scary. It’s essentially a thing that can interfere with TCP/IP and it can do things like corrupt file downloads. So if you imagine the Great Firewall of China, so-called, that’s for the whole planet. So if the NSA wanted to tomorrow, they could kill every anonymity system that exists by just forcing everyone who connects to an anonymity system to reset just the same way that the Chinese do right now in China with the Great Firewall of China. So that’s like the NSA builds the equivalent of the Great Firewall of Earth. That’s, to me that’s a really scary, heavy-handed thing, and I’m sure they only use it for good. (clears throat)

[laughter]

But, yeah. Back here in reality, that to me is a really scary thing, especially because one of the ways that they are able to have this capability, as I mentioned, is these diodes. So what that suggests is that they actually repurpose other people’s machines in order to reposition and to gain a capability inside of an area where they actually have no legitimacy inside of that area. That to me suggests it is not only heavy-handed, that they have probably some tools to do that. You see where I’m going with this.

Well, QUANTUMINSERTION, this is also an important point, because this is what was used against Belgacom, this is what’s used by a whole number of unfortunately players in the game where basically what they do is they inject a packet. So you have a TCP connection, Alice wants to talk to Bob, and for some reason Alice and Bob have not heard about TLS. Alice sends an HTTP request to Bob. Bob is Yahoo. NSA loves Yahoo. And basically they inject a packet which will get to Alice before Yahoo is able to respond, right? And the thing is that if that was a TLS connection, the man-on-the-side attack would not succeed. That’s really key. If they were using TLS, the man-on-the-side attack could at best, as far as we understand it at the moment, they could tear down the TLS session but they couldn’t actually actively inject. So that’s a man-on-the-side attack. We can end that attack with TLS. When we deploy TLS everywhere, then we will end that kind of attack.

So there was a joke, you know, when you download .mp3s, you ride with communism – from the’90s, some of you may remember this. When you bareback with the internet, you ride with the NSA.

[applause]

Or you’re getting a ride. Going for a ride.

So the TAO infrastructure, Tailored Access and Operations. Some of the FOXACID URLs are public. FOXACID is essentially like a watering hole type of attack where you go to a URL, QUANTUMINSERT puts like an iframe or puts some code in your web browser, which you then execute, which then causes you to load resources.

One of the resources that you load while you’re loading CNN.com, for example, which is one of their examples, they – you like that, by the way? So, you know, that’s an extremist site. So (coughs) you might have heard about that. A lot of Republicans in the United States read it. So – Right before they wage illegal imperialist wars.

So the point is that you go to a FOXACID server and it basically does a survey of your box and decides if it can break into it or not, and then it does.

Yep, that’s basically it.

And the FOXACID URLs, a few of them are public. Some of the details about that have been made public, about how the structure of the URLs are laid out and so on. An important detail is that they pretend that they’re Apache, but they actually do a really bad job. So they're like Hacking Team, maybe it’s the same guys, I doubt it though, the NSA wouldn’t slum with scumbags like that, but. Basically you can tell, you can find them, because they aren’t really Apache servers. They pretend to be something else.

The other thing is that none of their infrastructure is in the United States. So, real quick anonymity question. You have a set of things and you know that a particular attacker never comes from one place. Every country on the planet potentially, but never one place. The one place where most of the internet is. What does that tell you in terms of anonymity? It tells you usually that they’re hiding something about that one place. Maybe there’s a legal requirement for this. It’s not clear to me. But what is totally clear to me is that if you see this type of infrastructure and it is not in the United States, there is a chance, especially today, that it’s the NSA’s Tailored Access and Operations division.

And here’s an important point. When the NSA can’t do it, they bring in GCHQ.

So, for example, for targeting certain G-mail selectors, they can’t do it. And in the documents we released today, we show that they say, “If you have a partner agreement form and you need to target, there are some additional selectors that become available should you need them. So when we have a limit of an intelligence agency in the United States, or if you’re in Germany or something like this, we have to recognize that information is a currency in an unregulated market, and these guys, they trade that information, and one of the ways they trade that is like this. And they love Yahoo.

So, little breather?

It’s always good to make fun of the GCHQ with Austin Powers.

[laughter]

Okay. Another classified document here.

That actual NSA Open Office or Powerpoint clip art of their horrible headquarters that you see in every news story, I can’t wait to see a different photo of the NSA someday, but you’ll notice right here they explain how QUANTUM works.

Now SSO is a Special Source Operations site. So you’ve seen U.S. embassies? Usually the U.S. embassy has dielectric panels on the roof, that’s what we showed in Berlin, it was called "DAS NEST" on the cover of Der Spiegel. That’s an SSO site. So they see that this type of stuff is taking place, they do an injection and they try to beat the Yahoo packet back.

Now another interesting point is that for the Yahoo packet to be beaten, the NSA must impersonate Yahoo. This is a really important detail because what it tells us is that they are essentially conscripting Yahoo and saying that they are Yahoo. So they are impersonating a U.S. company to a U.S. company user and they are not actually supposed to be in this conversation at all. And when they do it, then they of course – basically if you’re using Yahoo, you’re definitely going to get owned. So – and I don’t just mean that in that Yahoo is vulnerable, they are, but I mean people that use Yahoo tend to – maybe it’s a bad generalization, but, you know, they’re not the most security-conscious people on the planet, they don’t keep their computers up to date, I’m guessing, and that’s probably why they love Yahoo so much. They also love CNN.com, which is some other, I don’t know what that says, it’s like a sociological study of compromise. But that’s an important detail.

So the SSO site sniffs and then they do some injection, they redirect you to FOXACID. That’s your web browser exploitation. They obviously have other exploitation techniques.

Okay. So now. We all know that cellphones are vulnerable. Here’s an example.

This is a base station that the NSA has that, I think it’s the first time ever anyone’s ever revealed an NSA IMSI catcher. So, here it is. Well, actually the second time, because Der Spiegel did it this morning. But you know what I mean.

[applause]

So they call it "find, fix and finish targeted handset users."

Now, it’s really important to understand. When they say targeting, you would think massive collection, right? Because what are they doing? They’re pretending to be a base station. They want to overpower. They want to basically be the phone that you connect to or the phone system that you connect to. And that means lots of people are going to connect potentially. So it’s not just one targeted user. So hopefully they have it set up that if you need to dial 911 or here in Europe 112 – you know, by the way, if you ever want to find one of these things, try to call different emergency numbers, note which ones are out where, just a little detail. Also note that sometimes if you go to the Ecuadorean embassy you will receive a welcome message from Uganda Telecom.

[laughter]

Because the British, when they deployed the IMSI catcher against Julian Assange at the Ecuadorean embassy, made the mistake of not reconfiguring the spy gear they deployed in Uganda when they deployed it in London.

[applause]

And this can be yours for only 175,800 U.S. dollars. And this covers GSM and PCS and DCS and a bunch of other stuff. So basically if you use a cellphone, forget it. It doesn’t matter what you’re doing.

The exception may be cryptophone and red phone. In fact, I’d like to just give a shoutout to the people who work on free software and software which is actually secure. Like Moxie Marlinspike, I’m so sorry I mentioned your name in my talk, but don’t worry, your silence won’t protect you. I think it’s really important to know, Moxie is one the very few people in the world who build technology that is both free and open source and as far as I can tell he refuses to do anything awful. No back doors or anything. And from what I can tell, this proves that we need things like that. This is absolutely necessary. Because they replace the infrastructure we connect to. It’s like replacing the road that we would walk on and adding tons of spy gear. And they do that too. We’ll get to that.

Okay. So I’m going to go a little quick through these because I think it’s better that you go online and you ingest it, and I want to have a little bit of time for questions. But basically here’s an example of how even if you disable a thing, the thing is not really disabled.

So if you have a wifi card in your computer, the SOMBERKNAVE program, which is another classified document here, they basically repurpose your wifi gear. They say, you’re not using that wifi card? We’re going to scan for wifi nearby. We’re going to exfiltrate data by finding an open wifi network and we’re going to jump on it. So they’re actually using other people’s wireless networks in addition to having this stuff in your computer. And this is one of the ways they beat a so-called airgapped target computer.

Okay. So here are some of the software implants.

Now, we’re going to name a bunch of companies, because fuck those guys, basically, for collaborating when they do, and fuck them for leaving us vulnerable when they do.

[applause]

And I mean that in the most loving way, because some of them are victims, actually. It’s important to note that we don’t yet understand which is which. So it’s important to name them so that they have to go on record, and so that they can say where they are, and so that they can give us enough rope to hang themselves. I really want that to happen because I think it’s important to find out who collaborated and who didn’t collaborate. In order to have truth and reconciliation, we need to start with a little truth.

So, STUCCOMONTANA is basically badBIOS. If you guys have heard about that, I feel very bad for Dragos. He doesn’t really talk to me right now. I think he might be kind of mad. But after I was detained by the U.S. Army, on U.S. soil I might add, they took a phone from me. Now it shouldn’t matter, but they did. They also, I think, went after all my phone records, so they didn’t need to take the phone, but for good measure they just wanted to try to intimidate me, which is exactly the wrong thing to do to me. But as he told the story, after that happened, all of his computers including his Xbox were compromised. And he says, even to this day, that some of those things persist. And he talks about the BIOS. Here’s a document that shows clearly that they actually reflash the BIOS and they also have other techniques including System Management Mode related rootkits and that they have persistence inside of the BIOS. It's an incredibly important point. This is evidence that the thing that Dragos talked about, maybe he doesn’t have it, but it really does exist. Now the question is how would he find it? We don’t have the forensics tools yet. We don’t really have the capabilities widely deployed in the community to be able to know that and to be able to find it.

Here’s another one.

This one’s called SWAP. In this case it replaces the Host Protected Area of the hard drive, and you can see a little graph where the target systems, see the internet, Interactive OPS, so they’ve got like a guy who is hacking you in real time, the People’s Liberation Army, uh, NSA, and –

[laughter]

And you can see all of these different things about it. Each one of these things, including SNEAKERNET, these are different programs, most of which we revealed today in Der Spiegel. But you’ll notice that it’s Windows, Linux, FreeBSD and Solaris.

How many Al Qaeda people use Solaris, do you suppose?

This tells you a really important point. They are interested in compromising the infrastructure of systems, not just individual people. They want to take control and literally colonize those systems with these implants. And that’s not part of the discussion. People are not talking about that because they don’t know about that yet. But they should. Because in addition to the fact that Sun is a U.S. company which they are building capabilities against – that to me, really, it really bothers me; I can’t tell you how much that bothers me – we also see that they’re attacking Microsoft, another U.S. company, and Linux and FreeBSD, where there are a lot of people that are building it from all around the world. So they’re attacking not only collective efforts and corporate effort, but basically every option you can possibly can, from end users down to telecom core things.

Here’s another one, DEITYBOUNCE. This is for Dell, so Dell PowerEdge 1850, 2850, 1950, 2950 RAID servers using any of the following BIOS versions. Right. So just in case you’re wondering, hey Dell, why is that? Curious about that. Love to hear your statements about it.

So if you write YARA sigs [signatures] and you’re interested in looking for NSA malware, look for things that use RC6, so look for the constants that you might find in RC6, and when they run, if they emit UDP traffic – we’ve actually seen a sample of this but we were not able to capture it, sadly, but emitting UDP traffic that is encrypted. You know, people that I’ve worked with on things related to this, they’ve even, they’ve had their house black bagged. They’ve had pretty bad stuff happen to them. That’s their story to tell. But one of the interesting details is that after those events occurred, these types of things were seen. Ben has a really bad idea for those guys, I might add, because I wouldn’t have put this slide in if that had not occurred. But if you want to look for it, you’ll find it. I know some people that have looked with YARA sigs and they have in fact found things related to this, so I suspect a lot of malware researchers in the near future are going to have a lot of stuff to say about this particular slide. I’ll leave that to them. I think it’s very important to go looking for these things, especially to find out who is victimized by them.

Here’s an iPhone back door.

So DROPOUTJEEP, so you can see right there. So, SMS, contact list retrieval, voicemail, hot microphone, camera capture, cell tower location. Cool. Do you think Apple helped them with that? I don’t know. I hope Apple will clarify that. I think it’s really important that Apple doesn’t.

Here’s a problem. I don’t really believe that Apple didn’t help them. I can’t prove it yet, but they literally claim that any time they target an iOS device, that it will succeed for implantation. Either they have a huge collection of exploits that work against Apple products, meaning that they are hoarding information about critical systems that American companies produce and sabotaging them, or Apple sabotaged it themselves. I’m not sure which one it is. I’d like to believe that since Apple didn’t join the PRISM program until after Steve Jobs died that maybe it’s just that they write shitty software. We know that’s true.

[laughter, applause]

Here’s a HVT, high-value target.

This is a high-value target being targeted with a back door for Windows CE Thuraya phones. So if you have a Thuraya phone and you’re wondering if it was secure – yeah maybe. Good luck.

Here’s one where they replaced the hard drive firmware.

There was a talk at OHM this year [OHM2013] where a guy talked about replacing hard drive firmware. You were onto something. You were really onto something. Whoever you are, you were onto something. Because the NSA has a program here, IRATEMONK, and that’s exactly what they do. They replace the firmware in the hard drive, so it doesn’t matter if you reformat the hard drive, you’re done. The firmware itself can do a whole bunch of stuff.

So. Here are the names of the hard drive companies were it works: Western Digital, Seagate, Maxtor and Samsung, and of course they support FAT, NTFS, EXT3 and UFS. They probably now have support for additional file systems, but this is what we can prove.

Please note at the bottom left and the bottom right: "Status: Released and Deployed. Ready for Immediate Delivery". And "Unit Cost: $0". It’s free.

No, you can’t get it. It’s not free as in free software. It’s free as in you’re owned.

[laughter, applause]

I want to give a shoutout to Karsten Noll and Luca [Luca Melette] for their incredible talk where they showed this exact attack without knowing that they had found it. Right? They say – yeah, absolutely.

[applause]

Important point.

The NSA says that when they know about these things, that nobody will come to harm, no one will be able to find them, they’ll never be able to be exploited by another third party. Karsten found this exact vulnerability. They were able to install a Java applet on the SIM card without user interaction, and it was based on the service provider’s security configuration, which is exactly what the NSA says here, and they talk about attacking the same toolkit inside of the phone, and Karsten found the same vulnerability and attacked it in the wild. This is perfect evidence, not only of how badass Karsten and Luca are – they are, no question – but also about how wrong the NSA is with this balance. Because for every Karsten and Luca, there are hundreds of people who are paid to do this full-time and never tell us about it.

[applause]

Important detail.

Do you see that interdiction phrase right there? Through remote access – in other words, we broke into your computer – or interdiction – in other words, we stole your fucking mail. Now. This is a really important point. We all have heard about these paranoid crazy people talking about people breaking into their houses – that’s happened to me a number of times – motherfuckers, getting you back – it’s really important to understand this process is one that threatens all of us. The sanctity of the postal system has been violated. I mean – whaa, God, it makes me so angry, you know? You can’t even send a letter without being spied on, but even worse that they tamper with it. It’s not enough that the U.S. Postal Service records all of this information and keeps it – that’s not enough. They also have to tamper with the packages! So every time you buy from Amazon, for example, every time you buy anything on the internet, there is the possibility that they will actually take your package and change it. One of the ways that I’ve heard that they change it is that they will actually take the case of your computer and they will injection mold a hardware back door into the case of the computer. So that even if you were to look at the motherboard or have it serviced, you would not see this. It merely just needs to be in the proximity of the motherboard.

So let’s talk about hardware implants that they will put into your devices.

Here’s one. This is called BULLDOZER. It’s a PCI bus hardware implant.

Pretty scary, doesn’t look so great, but let’s go on a little bit.

Okay. Here’s one where they actually exploit the BIOS and System Management Mode. There’s a big graph that shows all of these various different interconnections. This is important.

Then they talk about the long-range comms, INMARSAT, VSAT, NSA MEANS and Future Capabilities. I think NSA MEANS exists. Future Capabilities seems self-explanatory. "This hardware implant provides two-way RF communication." Interesting. So you disable all the wireless cards, whatever you need. There you go. They just added a new one in there and you don’t even know. Your system has no clue about it.

Here’s a hardware back door which uses the I2C interface because no one in the history of time other than the NSA probably has ever used it. That’s good to know that finally someone uses I2C for something – okay, other than fan control. But, look at that. It’s another American company that they are sabotaging. They understand that HP’s servers are vulnerable and they decided, instead of explaining that this is a problem, they exploit it. And IRONCHEF, through interdiction, is one of the ways that they will do that.

So I want to really harp on this. Now it’s not that I think European companies are worth less. I suspect especially after this talk that won’t be true, in the literal stock sense, but I don’t know. I think it’s really important to understand that they are sabotaging American companies because of the so-called home-field advantage. The problem is that as an American who writes software, who wants to build hardware devices, this really chills my expression and it also gives me a problem, which is that people say, “Why would I use what you’re doing? You know, what about the NSA?” Man, that really bothers me. I don’t deserve the Huawei taint, and the NSA gives it. And President Obama’s own advisory board that was convened to understand the scope of these things has even agreed with me about this point, that this should not be taking place, that hoarding of zero-day exploits cannot simply happen without thought processes that are reasonable and rational and have an economic and social valuing where we really think about the broad-scale impact.

Now. I’m going to go on to a little bit more. Here’s where they attack SIM cards. This is MONKEYCALENDAR.

So it’s actually the flow chart of how this would work. So in other words, they told you all of the ways in which you should be certainly, you know, looking at this. So if you ever see your handset emitting encrypted SMS that isn’t text secure, you now have a pretty good idea that it might be this.

Here’s another example.

If you have a computer in front of you, I highly encourage you to buy the Samsung SGH-X480C – that’s the preferred phone of the NSA for attacking another person’s phone. I’m not exactly sure why, but an important point is, they add the back door, then they send an SMS from a regular phone – what does that tell you? What does that tell you about the exploitation process? It tells you that it’s actually something which is pretty straightforward, pretty easy to do, doesn’t require specialized access to the telecoms once they’ve gotten your phone compromised. That to me suggests that other people might find it, other people might use these techniques.

Okay, here’s a USB hardware implant called COTTONMOUTH.

We released this in Der Spiegel today as well. See the little red parts. It will provide a wireless bridge onto the target network with the ability to load exploit software.

Here’s a little bit of extra details about that.

It actually shows a graph at the bottom, how they do this, how they get around, how they beat the air gap with these things. And they talk a bit about being GENIE compliant. So GENIE, and for the rest of these programs, these are – like DROPOUTJEEP is part of the CHIMNEYPOOL programs and COTTONMOUTH is part of the rest of these programs over here. These are huge programs where they’re trying to beat a whole bunch of different adversaries, and different capabilities are required. And this is one of the probably I think more interesting ones, but here’s the next revision of it where it’s in a USB plug, not actually in the cable. And look, 50 units for 200,000 U.S. dollars. It’s really cheap.

Do you like my editorializing there, I hope? So, $200,000, okay.

And here’s where you look for it. If you happen to have an x-ray machine, look for an extra chip.

And that’s a HOWLERMONKEY radiofrequency transmitter.

Well what’s a HOWLERMONKEY? We’ll talk about that in a second, but basically this is for ethernet, here, this is the FIREWALK. It can actually do injection bidirectionally on the ethernet controller into the network that it’s sitting on. It doesn’t even have to do things directly to the computer. It can actually inject packets directly into the network, according to the specification sheet which we released today on Der Spiegel’s website. As it says, active injection of ethernet packets onto the target network.

Here’s another one from Dell with an actual FLUXBABBITT hardware implant for the PowerEdge 2950.

This uses the JTAG debugging interface of the server. Why did Dell leave a JTAG debugging interface on these servers? Interesting, right? Because it’s like leaving a vulnerability in. Is that a bug door or a back door or just a mistake? Well hopefully they will change these things or at least make it so that if you were to see this you would know that you had some problems. Hopefully Dell will release some information about how to mitigate this advanced persistent threat. Right?

Everything that the U.S. government accuse the Chinese of doing – which they are also doing, I believe – we are learning that the U.S. government has been doing to American companies. That to me is really concerning, and we’ve had no public debate about these issues, and in many cases all the technical details are obfuscated away and they are just completely outside of the purview of discussion. In this case we learn more about Dell and which models.

And here’s the HOWLERMONKEY.

These are actually photographs of the NSA implanted chips that they have when they steal your mail. So after they steal your mail they put a chip like this into your computer. So the one, the FIREWALK one is the ethernet one, and that’s an important one. You probably will notice that these look pretty simple, common off-the-shelf parts.

So. Whew! All right.

Who here is surprised by any of this?

I’m really, really, really glad to see that you’re not all cynical fuckers and that someone here would admit that they were surprised.

Okay, who here is not surprised?

I’m going to blow your fucking mind.

[laughter]

Okay. We all know about TEMPEST, right?

Where the NSA pulls data out of your computer, irradiate stuff and then grab it, right? Everybody who raised their hand and said they’re not surprised, you already knew about TEMPEST, right? Right? Okay. Well, what if I told you that the NSA had a specialized technology for beaming energy into you and to the computer systems around you, would you believe that that was real or would that be paranoid speculation of a crazy person?

[laughter]

Anybody? You cynical guys holding up your hand saying that you’re not surprised by anything, raise your hand if you would be unsurprised by that.

[laughter]

Good. And it’s not the same number. It’s significantly lower. It’s one person. Great.

Here’s what they do with those types of things. That exists, by the way. When I told Julian Assange about this, he said, “Hmm. I bet the people who were around Hugo Chavez are going to wonder what caused his cancer.” And I said, “You know, I hadn’t considered that. But you know, I haven’t found any data about human safety about these tools. Has the NSA performed tests where they actually show that radiating people with 1 kilowatt of RF energy at short range is safe?”

[laughter]

My God!

No, you guys think I’m joking, right? Well, yeah, here it is.

This is a continuous wave generator, a continuous wave radar unit. You can detect its use because its use is between 1 and 2 GHz and its bandwidth is up to 45 MHz, user adjustible, 2 watts using an internal amplifier, external amplifier makes it possible to go up to 1 kilowatt.

Just going to let you take that in for a moment. [clears throat] Who’s crazy now?

[laughter]

Now, I’m being told I only have one minute, so I’m going to have to go a little bit quicker. I’m sorry.

Here’s why they do it. This is an implant called RAGEMASTER.

It’s part of the ANGRYNEIGHBOR family of tools,

[laughter]

where they have a small device that they put in line with the cable in your monitor and then they use this radar system to bounce a signal – this is not unlike the Great Seal bug that [Leon] Theremin designed for the KGB. So it’s good to know we’ve finally caught up with the KGB, but now with computers. They send the microwave transmission, the continuous wave, it reflects off of this chip and then they use this device to see your monitor.

Yep. So there’s the full life cycle. First they radiate you, then you die from cancer, then you... win?

Okay, so, here’s the same thing, but this time for keyboards, USB and PS/2 keyboards.

So the idea is that it’s a data retro-reflector.

Here’s another thing, but this one, the TAWDRYYARD program, is a little bit different. It’s a beacon, so this is where probably then they kill you with a drone.

That’s pretty scary stuff.

They also have this for microphones to gather room bugs for room audio. Notice the bottom. It says all components are common off the shelf and are so non-attributable to the NSA. Unless you have this photograph and the product sheet. Happy hunting.

[applause]

And just to give you another idea, this is a device they use to be able to actively hunt people down.

This is a hunting device, right? Handheld finishing tool used for geolocation targeting handsets in the field.

So. Who was not surprised by this?

I’m so glad to have finally reached the point where no one raised their hand except that one guy who I think misheard me.

[laughter]

Or you’re brilliant. And please stay in our community and work on open research.

[somebody off mike says something]

Yeah! And if you work for the NSA, I’d just like to encourage you to leak more documents.

[laughter, applause, cheers, ovation]

Moderator: Thank you very much, Jake. Thank you. I’m afraid we ran all out of time for the Q&A. I’m very sorry for anyone who wanted to ask questions.

Jacob Appelbaum: But we do have a press conference. Well, if you guys – you know, I’d say occupy the room for another five minutes, or, know that there’s a press conference room that will be opened up where we can all ask as many questions as we want in 30 minutes if you’re interested, and I will basically be available until I’m assassinated to answer questions.

[laughter, applause]

So in the immortal words of Julian Assange, remember, no matter what happens, ever if there’s a videotape of it, it was murder. Thank you.

Moderator: Thank you. Please give a warm round of applause to Jake Appelbaum.

* * *

Where to look for specific names in In Der Spiegel's NSA spy gear catalog Interactive Graphic :

Servers: IRONCHEF/HP, DEITYBOUNCE/Dell; Microsoft Windows 2000, 2003, XP

Firewalls: JETPLOW (BANANAGLEE)/Cisco, HALLUXWALL (TURBOPANDA)/Huawei, FEEDTROUGH (BANANAGLEE, ZESTYLEAK)/Juniper, GOURMETTROUGH (BANANAGLEE)/Juniper, SOUFFLETROUGH (BANANAGLEE)/Juniper

Router: HEADWATER (HAMMERMILL), TURBOPANDA)/Huawei, SCHOOLMONTANA (VALIDATOR)/Juniper, Junos, SIERRAMONTANA (VALIDATOR)/Juniper, Junos, STUCCOMONTANA (VALIDATOR)/Juniper, Junos

Room Surveillance: CTX4000 (VAGRANT, DROPMIRE, PHOTOANGLO), LOUDATO (ANGRYNEIGHBOR), NIGHTWATCH (VAGRANT, CTX4000, PHOTOANGLO, VIEWPLATE), PHOTOANGLO (CTX4000, NIGHTWATCH, LFS-2, VIEWPLATE), TAWDRYYARD (RAGEMASTER, ANGRYNEIGHBOR)

Wireless LAN: NIGHTSTAND. SPARROW II (BLINDDATE)

Computers: GINSU (BULLDOZER, KONGUR)/Microsoft Windows 9x, 2000, 2003, XP, Vista, IRATEMONK (UNITEDRAKE, STRAITBAZZARE, SLICKERVICAR)/Western Digital, Seagate, Maxtor, Samsung, SWAP (ARKSTREAM, SNEAKERNET, TUNING FORK, TWISTEDKILT), Windows, Linux, FreeBSD, Solaris, WISTFULTOLL (UNITEDRAKE, STRAITBIZZARE, STRAITBAZZARE, RETURNSPRING, SEAGULLFARO, TUNING FORK)/Windows Management Instrumentation WMI, HOWLERMONKEY (SUTURESAILOR, YELLOWPIN, FIREWALK, CONJECTURE/SPECULATION, STRIKEZONE), JUNIORMINT, MAESTRO-II, SOMBERKNAVE (OLYMPUS, VALIDATOR)/Windows XP, TRINITY

USB: COTTONMOUTH-I CM-1 (STRAITBIZARRE, GENIE, CHIMNEYPOOL, TRINITY, HOWLERMONKEY, MOCCASIN, SPECULATION), COTTONMOUTH-II CM-II (STRAITBIZARRE, GENIE, CHIMNEYPOOL), COTTONMOUTH-III CM-III (STRAITBIZARRE, GENIE, CHIMNEYPOOL, TRINITY, HOWLERMONKEY, SPECULATION), FIREWALK (DANDERSPRITZ, HOWLERMONKEY)

Keyboards: SURLYSPAWN (ANGRYNEIGHBOR)

Computer Monitor Surveillance: RAGEMASTER (VAGRANT, NIGHTWATCH, GOTHAM, VIEWPLATE)

Mobile phones: DROPOUTJEEP (STRAITBIZARRE, CHIMNEYPOOL, FREEFLOW, TURBULENCE)/Apple iPhone, GOPHERSET/GSM/SIM cards, MONKEYCALENDAR/GSM/SIM cards, TOTECHASER (TOTEGHOSTLY)/Windows CE Thuraya, TOTEGHOSTLY (STRAITBIZARRE, CHIMNEYPOOL, FREEFLOW, TURBULENCE, FRIEZERAMP)/Windows Mobile), PICASSO/GSM, Eastcom, Samsung, with Arabic keypad/language option

Cell Phone Networks: CROSSBEAM (WAGONBED, CHIMNEYPOOL, ROCKYKNOB)/GSM, CANDYGRAM/GSM, CYCLONE HX9 (TYPHON), EBSR/GSM, ENTOURAGE (HOLLOWPOINT, NEBULA, GALAXY), GENESIS, NEBULA (TYPHON)/ 2G 3G, TYPHON HX/GSM, WATERWITCH

5
Average: 5 (4 votes)

Comments

Submitted by lambert on

We've already had one very helpful submission, but on a project of this scope, the more, the merrier!

Cujo359's picture
Submitted by Cujo359 on

Various documents I signed a long time ago forbid me from speculating about the contents of this talk. I'll add an editorial note, though: it's "TCP/IP", not "TC/PIP". TCP/IP is a sort of shorthand acronym for the suite of protocols used to transport data on the Internet and other computer networks. TCP is "Transport Control Protocol" and IP is "Internet Protocol", which are terms that only have meaning if you understand the layered protocol concept of computer networks, I suppose.

Cujo359's picture
Submitted by Cujo359 on

More editing notes:

"System D" usually written "systemd", which is a daemon, or background, process that runs on some Linux systems. Such software is usually given a name that is a string describing its function, followed by a 'd'. They are often pronounced like "systemdee", the function followed by "dee".

"black-eye (black-guy?) job." During the Cold War, these were referred to as "black bag" jobs. I don't know if the colloquialism has changed, but that's what it was called twenty or thirty years ago. It referred to work done by the FBI (probably DH(i)S now) to do a search or listening device installation in secret.

I'll also note in passing this list of modern computer file system types.

Submitted by flora on

Questions:
- 15:47 wireless frame or frames? – “frames”
- 30:56 expect? inspect? – “at best”
- 31:46 iframe? I-frame? uh... – “IFrame”
- 32:36 “they’re like Hacking Team” (as in first slide)
- 33:56 a limit of an? -- yes
- 34:50 dielectric panels? -- yes
- 39:56 "Stuccomontana"? – yes

I'll send more screen shots tomorrow.

Cujo359's picture
Submitted by Cujo359 on

I don't know if there's a style guide. I usually capitalize it when I'm discussing the HTML tag. If I'm discussing a block of HTML that's in an IFRAME block, or what is rendered by that code, then I go with lower case. Same with most HTML tags.

Cujo359's picture
Submitted by Cujo359 on

I don't know if there's a style guide. I usually capitalize it when I'm discussing the HTML tag. If I'm discussing a block of HTML that's in an IFRAME block, or what is rendered by that code, then I go with lower case. Same with most HTML tags.

Submitted by lambert on

All caps, like TABLE, if pointy brackets, like <table> cannot be used.

However in this case, since there are also bizarre acronyms in all caps, use the pointy brackets, which like entered like "&lt;table&gt;" (the ampersand is the escape character and "lt" and "gt" are greater than and less than, respectively, and be sure to add the trailing semicolon).

Submitted by lambert on

From the slides, it looks like all the bizarre code names are two words with no space between in all caps.

Submitted by flora on

Think you’re right that there’s a small time stamp difference between transcriber audio and youtube.
Notes on existing screenshot placements to match youtube talk slide changes. Although it may read better the way you currently have it.

ANGOLA ATTACK slide - Move up to start of paragraph “And he, he, yeah, he was…”

NIGHTSTAND slide – Move up to start of paragraph “Here’s an example. First top secret document …“

HOW THEY DO IT slide – Move up to start of paragraph “ Now I only have an hour today, so I’m…”

FROM WIRETAPPING TO WHOLE LIFE slide – move upto start of paragraph “So this is basically the difference between taking….”

THIS IS THE MILITARATION OF THE INTERNET slide – move up to start of paragraph “So this is important, because members of the U.S. Congress,

ACTIVE EXPLOITATION TARGETS WITH FOXACID - move up to start of paragraph
“QUANTUMTHEORY essentially has a whole arsenal of zero-day exploits.”

TAO INFRASTRUCTURE slide – move up to just below “Or you’re getting a ride. Going for a ride.”

WHAT IS QUANTUM slide – move up above “Okay. Another classified document here.”

TYPHON slide – move up above “Okay. So now. We all know that cellphones are vulnerable.”

SOMBERKNAVE slide - move up above “Okay. So I’m going to go a little quick through these “

Submitted by lambert on

Confused about the time codes on the screen dumps (thank you flora).

Are they the same as the YT? If so, we could use the time codes from the screen dump file names to link from the screens to the YT. Thank you!

Submitted by flora on

Yes, they're the same as YT, with this note: the screenshot was of a slide that was displayed for several seconds, sometimes 30 seconds or even a minute. The time stamp on the file is within the time range the slide was "playing". So there's some elasticity in the time stamp.

I'm sending a bunch more screenshots. Probably way more than you can use. Edit in the ones that seem best and edit out the rest. I'll be a couple more hours before I can upload them.

The file names this time will have a timestamp+slide description. I'm including an index file with the file names and a line of text placement so you can better locate the images in the transcript since YT and Transcriber times don't sync perfectly.

This is kinda fun. Your have posters who know their sys admin and HTML stuff. I'm learning stuff from them.

Submitted by flora on

P.S. If the confusion is on the list of screenshot/slide file names to be moved (my next to last post) rather than timestamp file names: the slide names are just the first line of text in the slide. So if you the read slides as embedding in your article, that will tell you which slide I'm talking about for reference. Sorry I switched reference methods mid-stream.

Submitted by lambert on

So I will use the time codes to create the links, and then double check with the first line. (If I go by the first line, I actually have to listen to the video instead of blasting through the markup like a machine...

You could use a format like [time:code]_[first_line].jpg if you wanted (the bracketed material placeholder for real data).

Oh, wait, that's just what you did. Sorry, I'm frantically multitasking.

transcriber's picture
Submitted by transcriber on

Yo flora! You're great! Before you change your file naming convention -- here's where I'm going. Take a look at the Aaron transcript and see how I did the slides there. I could see youtubes then. You click on the slide there and it takes you to that spot in the very long youtube. I can do that again here if I have the right time in youtube min and sec to link to. (There's an option even on youtube to give you that exact URL if you want, but it's not necessary to get it from there.)

So... whatever file naming convention you use, tell me where the slide should go in the transcript text, and tell me what min and sec in the youtube. (I can see your slides, just not the youtube or any video/media file that has to play) I'll try to do that right now with the slides I've got. Did I say you're great? You're great! Thanks so much.

(I see you and Lambert both said this)

Submitted by flora on

There are 39 screenshots.
I know you can’t use all these slides, or even most, but I have no idea which ones are the best.

Note: The text insert points (before/after) are where in the talk the slide/screenshot first appears in the YT
video. The next screenshot timestamp and insert point is where the next screenshot
appears in the YT. This gives a rough idea of where the slide fits into the talk.

Submitted by flora on

the filename forced me to use a semi-colon between number;second. If your bulk processing that may need a global search/replace.

04;30theseguys
right before “Even though they’re not technically impressive”

05;04controlbaby
before “So, what’s it all about though?”

05;37intellegence
just after “So. Part2, or Act2 of Part2.”

20;02Lolcat
before “This is the second top secret document.”

20;21theyllnever
after “You’ll notice it’s a black cat hiding”

20;47marina
before “But this is the MARINA system”

34;30whenthensa
after “When the NSA can’t do it, they bring in GCHQ”

35;00austinpowers
after “So, littler breather?”

Submitted by flora on

the time stamp for screen shots under 60 minutes are mm:ss format. after 60 minutes its hh:mm:ss.

40;01softwareimplants
before “Okay. So here are some of the software implants”

40;42stuccomontana
before “So, Stuccomontana is basically badBIOS”

41;53swap
before “Here’s another one. This one’s called”

44;36iphone
before “Here’s an iPhone back door”

45;45totechaser
before “Here’s a HVT, high-value target”

46;06iratemonk
before “Here’s one where they replaced the hard drive firmware”

46;46statusdeployed
after “It’s free as in you’re owned.”

47;03modemSIM
follows after above file – no text separating the two

Submitted by flora on

49;30hardwareimplants
before “So lets talk about hardware implants…”

49;35BULLDOZER
after “This is called BULLDOZER”.

49;50IRONCHEF
before “Then they talk about the long-range columns.”

50;20isquaredc
before “Heres a hardware back door which uses the I squared C”

50;48sabotage
after “Now I really want to harp on this.”

52;00MONKEYCALENDAR
before “This is Monkey Calendar.”

52;17SMS
before “If you have a computer in front of you”

52;57COTTONMOUTH
after “Okay, here’s a USB hardware implant called COTTONMOUTH”

Submitted by flora on

53;30COTTONMOUTH2

53;50cheap
before “Do you like my editorializing there?”

53;52hereswhereyoulookforit
after “Look for an extra chip.”

54;33fromDell
Before “This uses the JTAG debugging interface”

55;34HOWLERMONKEY
after “And here’s the HOWLERMONKEY”

56;24TEMPEST
after “Okay. We all know about TEMPEST, right?”

57;48CW
before “This is a continuous wave generator”

Submitted by flora on

58;26RAGEMASTER
after “This is an implant called RAGEMASTER

59;15keyboard
after “USB and PS2 keyboard”

59;32TAWDRYYARD
after “probably then they kill you with a drone”

59;54SSI
before “Just to give you another idea”

1:00;08austinpowers3
after “So. Who was not surprised by this?”

1:00:39credits
after “encourage you to leak more documents”

1:00;49lastscreenshot

Submitted by flora on

I know you're not finished. But there are 2 places where slides are duplicated.

the second IRATEMONK slide - replace with file 46;46statusdeployed.jpg below "but this is what we can prove."

the second IRONCHEF slide - replace with file 50;20isquaredc.jpg below "your system has no clue about it.

Really, this is looking fantastic! Can't wait to see the whole thing.

transcriber's picture
Submitted by transcriber on

I'll take a look at iratemonk, but I saw that isquaredc is duplicate of ironchef - can you reload that screenshot? Also wondering... are the nsa slides themselves posted in better quality elsewhere like at Der Spiegel? Maybe for those ones instead of linking to the youtube we could link to the slide itself? I have the worst computer/connection/luck in the world but they look fuzzy to me, and I know there's a size constraint to posting quality screenshots here -- it hoses. Flora? Lambert?

transcriber's picture
Submitted by transcriber on

iratemonk = statusdeployed, so if you could reupload status deployed?

Also there's a place where he talks about look at webcam on the right side -- could you do a screenshot?

Also there's a long part with no screenshots, is that right? Should there be a turmoil slide?

crap i have to fix hvt, i screwed that up

jo6pac's picture
Submitted by jo6pac on

Thanks transcriber and everyone else for a rough draft all a can do :)

Submitted by flora on

sigh - I didn't proof my own files. glad you alerted me. New files end in 2 and replace originals.

46;46statusdeployed2

50;20isquaredc2

52;00MONKEYCALENDAR2
-----
There are no webcam pics in the MARINA slide. That's just an item in the slide pointed to by the red arrow. very hard to read it even in the original youtube

The first 30 - 35 minutes don't have a lot of slides. A few slides stay up a long time. the big flurry of slides is at the end
---------

I went to Der Spiegel (sp?) website . Very few pics that I could see.

Maybe someone else has a good source?

transcriber's picture
Submitted by transcriber on

go through and click to see if they go to (approximately) the right place in youtube?

(something that could be done but i can't. but I did just do the links.)

transcriber's picture
Submitted by transcriber on

Yo Flora, did I tell you you're great? You're great. Everybody here is, thank you all!!

Okay, I have been to Der Spiegel and I can find the gadget spec sheets glob and another place where some of the program slides are. Still sorting this through, not sure I can find every slide but you'd think...

What's good about your leaksource link is that you can find each item isolated with a URL. At Spiegel it's an interactive thing, you have to have Javascript to make it work, and there's no individual URL per gadget. So. http://www.spiegel.de/international/world/a-941262.html - linked from this story: http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-d... (I can see that MRsat and Dsat are really INMARSAT and VSAT, so that's a question down :-)

Here are the quantum program slides, though the context frame is in German: http://www.spiegel.de/fotostrecke/nsa-dokumente-so-uebernimmt-der-geheim...

The gadgets talks about taking control of your computer -- you know he mentioned Hugo Chavez but not Michael Hastings.

Now I have to figure out how to do this, whatever this is. (Linking, not inserting full slide)

Submitted by lambert on

I thought maybe if I turned off JavaScript in FF (here's how) I'd get something that gracefully degraded to HMTL pages, but now. I don't see any URL's to grab anywhere, or images with file naming conventions, either.

Maybe there's somebody smarter about this than me, but I don't see a way to deep link into this.

Pages

Turlock