It is generally stupid to talk about individual vulnerabilities without taking into account the general architecture of the particular network segment, especially the set of ports opened across the segment. Also, routers, switches and even network printers can be as vulnerable as, or even more vulnerable than, individual Linux servers or desktops.
Internet routers are now the most common point of attack on individual home computers. That means that the use of a proxy server behind the router (using some kind of firewall micro appliance) for Internet access should now be viewed as a necessary evil, as the "best practice".
Unfortunately, in home networks they are not widely used, mostly because users lack the necessary skills. That is often true even for the home networks of system administrators, who are too lazy to configure a VPN for the connection with the organization and to use a completely separate computer, not connected to the home network, to work with corporate servers. Dual-use laptops in such cases are a huge evil. Which means that the home networks of system administrators often represent the weakest link in corporate security and the optimal entry point for a determined hacker into corporate or other networks.
Another important factor is the level of stupidity/gullibility of users in a large organization. It can take various forms, with the most recent and most stunning example being the Hillary Clinton email scandal, which demonstrated that shadow IT represents a significant and underappreciated danger. And the level of stupidity and greed cannot be overestimated. Note that the level of qualification of the system administrators in this case was average at best, and even NIST recommendations were ignored in the setup and maintenance of the server(s). So the people who installed and maintained the server were not qualified to do that. And such a situation is typical for shadow IT.
So the security and vulnerability of Linux is only a small part of the whole puzzle. The human factor is another important variable, and some users represent a natural Trojan horse in corporate networks. That means that many organizations which enforce monthly or even more frequent patching, in a vain attempt to increase their server security, actually lower it, as they are barking up the wrong tree. Those efforts might be better spent on user education and on improving the general architecture (for example, blocking the ability of desktops/laptops to communicate with other desktops/laptops directly and allowing it only via the server segment; even Windows administrators should first connect to some Windows server, which serves as a multiplexor of remote desktops, and from it to user laptops/desktops).
Fascination with the installation of multiple security products on a corporate desktop is another cancer that recently hit corporate networks. Not only does it often make desktops/laptops barely operable, it also provides a false sense of security, offloading the responsibility to protect the network onto the AV vendor. The usefulness of AV in protecting Linux servers and Linux workstations is highly questionable, and attempts to "unify" them with Windows are ill-advised.
Also, not all security vulnerability patches are created equal. Only very few of them address a remotely exploitable vulnerability, and even those presuppose that specific ports are open, which is often not true in a corporate or a good home network, where only three or four ports are allowed to communicate with external sites (for example, HTTP, HTTPS, DNS and ssh/scp). Most security patches pushed each month by vendors like Red Hat are exploitable only with an account on the server, or only under some additional conditions.
Claims that open source software is more secure than proprietary solutions cannot be taken at face value. Theoretically this is true, but the complexity of open source software negates this.
Historically, OpenSSH vulnerabilities were one of the most favored ways of breaking into Internet ISPs for at least half a decade. According to the US Government's database of computer security vulnerabilities maintained by the National Institute of Standards and Technology (http://icat.nist.gov), as of April 15, 2004, there had been more High Severity (remotely exploitable) vulnerabilities found in the Linux operating system than in Microsoft Windows. This is not surprising, as Linux has more goodies installed in the standard setup and more ports opened (recently that changed in RHEL). But if Linux is installed in a minimal configuration (as it should be), many of those vulnerabilities relate to non-existent packages and protocols. So the reverse is true: a minimized Linux, even without hardening, is much more secure than any, even hardened, Windows desktop or server.
Also, many vulnerabilities apply only to a specific version of Linux, an application or a protocol. In March 2004, Forrester Research published a report that came to the conclusion that Linux is no more secure than Windows. Also, Linux in practice (especially in home networks) is often running with the firewall disabled, which is a big "no-no" security-wise. Amateur users often use root as their user account, another big "no-no". Add to this the mind-boggling complexity of modern Linux, where even the Apache server probably requires years of study to be configured and used properly, and you get the picture.
It is true that Windows is often used in a less secure way than Linux (with the user operating all the time from the Administrator account or equivalent), but if a regular user account is used, such mechanisms for providing security as Windows Group Policy and cryptographically signed executables beat Linux in its default configuration. An excellent security system introduced by Suse, AppArmor, did not become the Linux standard. Red Hat's SELinux, which few people understand and few configure correctly (most often it is disabled), is dominant. Only Solaris is competitive in this area. It also benefits from security via obscurity, especially if deployed on Sparc servers.
Another key factor is that the number of security flaws discovered is generally proportional to market share, so the dominant OS is the most natural target of attacks. This issue is often replayed on a new level in the Linux vs. Solaris security debate. In security, being non-mainstream has its own set of advantages. There is a huge and lucrative market for Windows zero-day exploits. Some market exists for Linux too. There is no such market for Solaris.
There are also government-sponsored hackers who develop professional exploits for both Windows and Linux. Stuxnet, Flame and the subsequent set of nasty worms were developed by governments, and later those technologies fell into the hands of hackers. Unlike regular munitions, cyber weapons do not explode on contact. They can be captured, disassembled, studied and replicated on a new, more sophisticated and dangerous level in a never-ending battle of defense and attack tools. When some government unleashed Stuxnet out of the box, it literally opened the Pandora's box of cyber war.
In other words, when we discuss the security of an individual Linux box, this is an abstraction, and often not a very useful abstraction. What we should discuss is the security of the network in which the particular Linux box is installed. Also there are some "semi-hidden" parts of the network infrastructure, for example the subnet on which management interfaces like Dell DRAC or HP iLO exist (nobody knows how many vulnerabilities those contain, or who has them other than the NSA), which are seldom secured properly despite the fact that this is an obvious line of attack on Linux servers. As such they represent a more subtle and potentially more lucrative way to break into the server than a frontal attack. There are a lot of commercial servers, even in major datacenters, which still have default passwords for DRAC or iLO, with the default accounts still enabled.
All this suggests that when discussing individual vulnerabilities it is important to see the bigger picture: it is architecture that matters most in providing the desired level of security. Which boxes are open to the Internet and which are not? Which ports are opened across the segment on which this sensitive box is installed? Is a DMZ configuration used? Is private DNS used? The answers to all those questions by and large define the level of security that you can achieve. Patching is another interesting topic with its own set of warts. The patching infrastructure can be, and in the past was, used as a way to break into servers (breaking into the repository and installing trojanized versions of some components is just the tip of this iceberg). Again, look at the level of stupidity in the configuration of Hillary's bathroom server (the Hillary Clinton email scandal) as a pretty educational example of how not to do such things.
Smartphone infrastructure (and Android is nothing but a proprietary version of Linux used by Google) in companies is now another "Wild West", with little security and a lot of ways to subvert those few measures that are used. Here the stupidity and gullibility of users has probably reached its maximum level.
But there is a silver lining in any dark cloud. First of all, there are "DVD-only" distributions which are secure after each reboot. So for highly confidential tasks you can reimage the server from DVD or just use such a distribution. That somewhat guarantees that for the next few hours you work with a "clean" system. In general, the use of non-writable (read-only) storage can be considered a measure that is to some extent an alternative to periodic patching. In this case you are guaranteed that your executables will not be trojanized and that no accounts or components are added to the system. There is no real necessity for such directories as /bin, /usr, /boot, /root and some others to be writable. And /etc, while writable, consists mostly of static files that can be overwritten as often as you wish from "safe" non-writable storage. This is one way to avoid web site hacking: nobody can write a file on a write-protected disk without physical access to the disk.
And then there is such a danger as shadow IT, which often exists below the radar in many highly bureaucratized, fossilized/outsourced IT environments, which are pretty common in large corporations. This was the essence of the Hillary Clinton email hacking scandal. To make a long story short, a key part of the State Department IT infrastructure, the mail server used by the Secretary of State and her close entourage, was installed as a private "bathroom" Windows-based server, with Microsoft Exchange as the mail server directly exposed to the Internet. And all this mess was maintained by rank-and-file specialists with experience mainly in IT for non-profits and without proper security training.
After this episode it is easy to stop believing in the ability of the US government to maintain the security of its servers. The server (or group of servers) was configured without any attempt to satisfy NIST guidelines for this type of server. If you have architecture flaws like this, you are royally f*cked no matter how hard you try to patch individual vulnerabilities. Architecture faults override all this, and when we are talking about individual vulnerabilities we assume that a sound architecture, proper for the desired level of security of the particular server, is already in place. Otherwise the whole discussion just does not make any sense.
Forrester measured the time between the discovery of a flaw and the release of a fix for the flaw, not a perfect but still a worthwhile metric. It claims that Linux, in this particular sense, was less secure than Windows, not only because the total number of security alerts for Linux outnumbered those for Windows, but also because the time to fix them was not impressive. But this is a difficult metric to provide objectively, as the severity of the flaws varies, and most flaws counted against Linux were actually flaws in applications or programming environments that run on Linux, not in the Linux kernel per se. Also, with a tightly configured firewall, many of them just do not make any sense and are not exploitable. Paranoia fueled by greedy security firms, which exaggerate the severity of a flaw and hide the information about the conditions necessary for its exploitation, actually does a lot of harm to Linux.
At a high level of security, with AppArmor enabled (or if you have an expert in SELinux security able to configure it properly for your case) and with the internal firewall not only enabled but properly configured (emphasis on properly), you simply deny access to most vulnerabilities, and it does not matter much whether they are patched or not: they are simply inaccessible.
The very few protocols that are opened (DNS is one example) can be secured by constantly monitoring the integrity of the server and blocking any changes outside /tmp and similar filesystems. In the case of DNS, using a private internal DNS with a "fake" root also helps. For small organizations it is possible to use the /etc/hosts table instead, eliminating DNS. But even for DNS there are inventive ways to improve security; for example, in most organizations DNS tables are pretty much static and can be written on a CD instead of the hard drive. That makes it harder to modify them: you need to create a new writable directory, copy the files and redirect the DNS server to this folder, a task which is difficult to accomplish without already being root. In general, the more secure an environment you wish to have, the larger part of this environment should consist of non-writable media.
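The two ideas above, keeping /bin, /usr and similar trees on non-writable storage and keeping static DNS tables on a CD, both rest on one check: does the tree on disk still match a known-good copy? Below is an added example (not code from the original article) in POSIX shell: it takes a SHA-256 baseline of a directory and later reports every file that was modified, removed or added, run here against a constructed miniature zone directory. The manifest is meant to live on the read-only medium itself; the fstab line in the comments and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: build a SHA-256 baseline
# of a directory that the text argues should be static (/bin, /usr, /boot, a
# BIND zone directory) and detect files modified, removed or added since then.
# The manifest belongs on read-only media (a CD, or a partition mounted "ro"
# via an /etc/fstab line such as:  /dev/sda3  /usr  ext4  ro,nodev  0 2 )
# so that an intruder with write access cannot silently re-baseline.
# Assumptions: POSIX sh, find, sort, cut, grep, mktemp, and sha256sum or
# shasum; file paths that contain no newline characters.

# Print only the SHA-256 hex digest of one file.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline DIR MANIFEST: one "digest path" line per regular file under DIR.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(file_hash "$f")" "$f"
    done > "$2"
}

# check_baseline DIR MANIFEST: print MODIFIED / MISSING / ADDED lines and
# return 0 when the tree matches the manifest exactly, 1 otherwise.
check_baseline() {
    dir=$1; manifest=$2
    findings=$(mktemp); known=$(mktemp)
    # Pass 1: every file the manifest knows must still exist with the same digest.
    while read -r digest path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"
        elif [ "$(file_hash "$path")" != "$digest" ]; then
            printf 'MODIFIED %s\n' "$path"
        fi
    done < "$manifest" > "$findings"
    # Pass 2: anything on disk that the manifest does not list was added.
    cut -d' ' -f2- "$manifest" > "$known"
    find "$dir" -type f | while IFS= read -r f; do
        grep -qxF -- "$f" "$known" || printf 'ADDED    %s\n' "$f"
    done >> "$findings"
    cat "$findings"
    count=$(wc -l < "$findings" | tr -d ' ')
    rm -f "$findings" "$known"
    [ "$count" -eq 0 ]
}

# Demo on a constructed tree standing in for a zone directory (run with --demo).
demo() {
    tree=$(mktemp -d); manifest=$(mktemp)
    printf 'zone "example.internal" { type master; file "db.example"; };\n' > "$tree/named.conf"
    printf '@ IN SOA ns1 hostmaster 1 3600 900 604800 86400\n' > "$tree/db.example"
    make_baseline "$tree" "$manifest"
    echo "Clean tree:"; check_baseline "$tree" "$manifest" && echo "  no changes"
    printf 'rogue IN A 203.0.113.7\n' >> "$tree/db.example"   # zone file altered
    printf 'x\n' > "$tree/unexpected.so"                       # new file dropped
    echo "After changes:"; check_baseline "$tree" "$manifest" || echo "  tree differs"
    rm -rf "$tree" "$manifest"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Running the script from cron with the manifest on the read-only medium gives the "constant integrity monitoring" the text describes; the same check applies unchanged to /etc, where the text expects only a known set of static files.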
Another important aspect is what you are running. For example, if you do not run an X server, it is unclear why you should worry about those vulnerabilities that apply to this environment. In this sense, minimization of your installation is the most powerful security tool, and early hardening packages like Titan provided some minimization frameworks. Now most commercial distributions have the option "minimal server", which is a good start.
As Linux is an independent POSIX-compatible reimplementation of Unix, the principles of Linux hardening are the same as for other Unixes and are well developed. That means that Linux in principle can be more completely and more deeply hardened than Windows, because it is a more open system.
But the way Linux is typically installed often denies or even perverts this advantage. In June 2004, the Danish security firm Secunia compared security across operating systems and concluded that Windows was more secure than many people think.
According to an Aberdeen Group report, the open-source solution Linux has surpassed Windows as the most vulnerable OS, contrary to the high-profile press about Microsoft's security woes, and despite the much larger share of servers running Windows. Furthermore, the Aberdeen Group reports that more than 50 percent of all security advisories that CERT issued in the first 10 months of 2002 were for Linux and other open-source software solutions.
"Open-source software, commonly used in many versions of Linux, UNIX, and network routing equipment,
is now the major source of elevated security vulnerabilities for IT buyers," the report reads. "Security
advisories for open-source and Linux software accounted for 16 out of the 29 security advisories--about
one of every two advisories--published for the first 10 months of 2002. During this same time, vulnerabilities
affecting Microsoft products numbered seven, or about one in four of all advisories."
The decentralized nature of Linux development makes it possible for critical flaws in applications (and sometimes even in the kernel) to exist for years without detection.
The Aberdeen Group says this information proves that Linux and UNIX are just as prone to Trojan horse attacks as any other OS, despite press reports to the contrary. According to the Aberdeen Group, the open-source community's claim that it can fix security vulnerabilities more quickly than proprietary developers means very little. The group says that open-source software and hardware solutions need more rigorous security testing before their products are released to customers. As I mentioned before, it is interesting that the OpenSSH implementation was for several years the preferred way of hacking into Linux ISPs.
We can rail against Microsoft and its security policies (which are indefensible), but far more people and systems use Microsoft's software than any competing software. And most Linux system administrators do not know how to secure Linux and are not motivated to do so, as it makes their work much more difficult. Linux is moving toward the Windows environment where "clueless administrators manage servers used by clueless users". And this is an environment that can't be defended by any technical means.
Moreover, even though Linux isn't as prevalent as Windows, we're still seeing a gradual increase in Linux security advisories from year to year. We judge that large companies should exercise caution in deploying Linux in the DMZ and deploy Solaris instead, if they are really concerned about hacking and Linux security. Security via obscurity is not a bad thing. Even the use of FreeBSD (or, better, OpenBSD) can sometimes dramatically improve the level of security, as it automatically stops most Linux exploits without any patching.
Long ago, Secunia published graphs on the security advisories for Red Hat Enterprise AS3. According to the graphs, 66% of the listed vulnerabilities can be exploited remotely, meaning they are exposed to an attacker who does not have an account on the system. Even if they are wrong by 50%, that's a lot. Another graph shows that 17% of the vulnerabilities can allow a cracker to escalate his privileges on the vulnerable system, which means that after getting into the system on a non-privileged account the cracker may be able to get root privileges.
A Secunia page includes similar graphs for Windows 2003 Enterprise Edition. According to these graphs, only 48% of the Windows 2003 vulnerabilities can be exploited by a remote user, which, taking into account the weakness of their methodology, might mean that in this sense Linux and Windows are close. Neither is superior to the other. The number of vulnerabilities that allow a cracker to escalate privileges is only 13% in Windows compared to 17% for Red Hat, which also means that they are close (those figures need to be taken with a grain of salt and definitely rounded to a single significant digit, as a one percent difference means nothing in this context).
That means that without additional hardening, Red Hat Enterprise Server AS3 used to have approximately the same level of risk as Windows 2003 Enterprise Edition, which means both are indefensible against a motivated hacker.
In other words, the level of security of a system depends on several factors:
- The general architecture of the particular network (whether NIST recommendations were used to configure the network and servers; whether it is proxied; whether it is firewalled both at the entrance from the Internet and at the individual server level; whether AppArmor is used and properly configured (a brilliant security idea that never got enough traction, as Red Hat supported SELinux); whether the organization uses private DNS, or uses the hosts file for name resolution instead of DNS (not a bad idea for small networks); how well the individual server is hardened, etc.) and the level of hardening.
- The qualification of administrators and users.
- The level of security of other components of the particular network segment (DRAC or iLO if they are on the same segment, routers, switches, etc.).
It means that it is almost meaningless to discuss it in abstract terms. It should be self-evident that with the most serious type of vulnerability, unless the architecture prevents its use, it is possible for an attacker without any account on the system to gain administrator privileges and seize control of your system via the Internet, both on Windows and on Linux. Especially for an attacker who can buy a "zero-day" exploit.
If you need a highly secure environment, then your network should be isolated from the Internet and/or use non-IP-based communication protocols (such as good old UUCP, BBS infrastructure and Fidonet internally, or, on a more modern level, InfiniBand for UUCP). I actually saw that UUCP was used in some organizations for explicitly this purpose. The new is sometimes the well-forgotten old. The most secure way to use computers is to use isolated, non-networked computers producing CDs/DVDs or just printed materials. Rescanning of printed documents is pretty accurate, especially for regular text files. I read somewhere that the Russian government, after Stuxnet and Flame were exposed, switched a part of its operations to electric typewriters. That's probably too drastic a move, but good old DOS can do wonders for most office tasks and has a collection of applications which was produced before the NSA figured out ways to trojanize them ;-)
The question arises which vulnerabilities of the Linux operating system are most often targeted by malicious attackers. While there is a non-stopping stream of remotely exploitable Linux vulnerabilities, only a few of them were used in actual exploits against any number of servers. But for the top vulnerabilities it makes sense to go the extra mile. For example, it does not make any sense to open ssh to the world unless absolutely necessary. Restricting the source IP range via TCP wrappers or a firewall is a powerful mechanism for making even the most exploited protocols more secure.
Below we reproduce a slightly edited list of the ten most commonly exploited vulnerabilities, similar to the one produced by the SANS Institute. The list of Unix/Linux vulnerabilities currently includes (vulnerabilities that represent additional danger in a large corporate environment due to the number of servers with those applications installed):
- Services like Webmin, phpMyAdmin, cPanel, etc. that provide a Web-based interface for administrators and webmasters. They are typically attacked by script kiddies 24x7. As the attackers typically do not understand what they are doing, this is just noise, but it still requires some means to hide ports and make URLs unique for the site. You should never have generic URLs for those applications (cPanel is an exception for obvious reasons).
- Web and application server misconfiguration: it is of critical importance that a secure Web application have a strong server configuration standard.
- PHP Web application misconfigurations or, more commonly, bugs in major PHP applications. PHP is rarely used in enterprise environments, but it attracts the lion's share of exploits directed against Web sites. The top ten are:
  - Unvalidated parameters: those intent on an attack can use this flaw to get at back-end components through a Web application. Information from Web requests is not validated before being used by the Web application.
  - Broken access control: these flaws can be taken advantage of by hackers to access other users' accounts, view sensitive files or use unauthorized functions. The flaws occur because the restrictions on what authenticated users are allowed to do are not properly enforced.
  - Broken account and session management: this vulnerability occurs when account credentials and session tokens are not properly protected. Attackers can assume other users' identities by compromising passwords, keys, session cookies or other tokens.
  - Cross-Site Scripting (XSS) flaws: an attacker can use the Web application as a mechanism to transport an attack to an end user's browser. Successfully utilizing this method can disclose the end user's session token, attack the local machine or spoof content to fool the user.
  - Buffer overflows: Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers and Web application server components.
  - Command injection flaws: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the Web application.
  - Error handling problems: if an attacker is able to create errors that the Web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail or crash the server.
  - Insecure use of cryptography: Web applications often use cryptographic functions to protect information and credentials. These functions, along with the code to integrate them, have proven difficult to code properly, often resulting in weak protection.
  - Remote administration flaws: many Web applications allow administrators to access the site using a Web interface. If these administrative functions are not very carefully protected, an attacker can gain full access to all aspects of a site.
- Secure Shell (SSH): paradoxically, ssh, due to the complexity of the protocol and its implementation, is the most common way to get into a remote system. The stream of remotely exploitable OpenSSH vulnerabilities has a long and ugly history.
- BIND Domain Name System (large corporations often use appliances for DNS, but that does not mean that they are more secure ;-).
- Java. Exploits against Java programs are actually far more common than exploits against Apache. See the list of PHP vulnerabilities; it is fully applicable. A popular Java-based application can be attacked, like a popular PHP application, with application-specific exploits.
- Open Secure Sockets Layer (OpenSSL): like SSH, it has a history of nasty exploits. Patching is very important.
- Remote Procedure Calls (RPC). There were several famous malware worm instances that used those vulnerabilities to spread inside corporate environments.
- Apache Web Server (large corporations generally use an HTTP proxy and firewall in front of any Web server, which limits the impact of even unpatched exploits).
- General UNIX authentication problems such as accounts with no passwords or weak passwords. In a modern environment the chances of cracking a password via external login are close to zero, unless the attacker has additional information about the victim. But prudence still dictates the necessity of two-factor authentication for any Internet-facing server. In this sense many US banks, brokers and financial companies are simply negligent. For you as a customer, the ability to provide a token is now an important criterion for choosing a financial institution. For example, both eTrade and PayPal provide tokens to customers. No externally facing corporate server should use just password authentication. Tokens are really cheap and increase security. SMS messages to cell phones can be used instead: in this case an SMS message is sent and serves as the second password after the user has authenticated. One-time passwords, mascots, etc. also increase the security of authentication. Individual user mascots allow the user to distinguish the real site from a fake one.
- Clear text services and shell vulnerabilities (predominantly bash). The most recent was Shellshock (September 2014).
- Sendmail and a set of email-based exploits, including phishing. Sendmail is an outdated program, poorly understood by administrators, with multiple vulnerabilities and a dismal history of exploits, that is still widely used in large corporate environments. The program still has vulnerabilities that were not patched in common distributions, but they are becoming rarer. Sendmail is mainly used as a transport mechanism for malware, and here the weakest link is not the software but the users. Some phishing attempts are so ingenious that they can fool a large number of users.
- Simple Network Management Protocol (SNMP). This is a protocol little understood by the typical sysadmin, which, if enabled, often has mistakes in its configuration. Generally it should be restricted to the relevant IPs. Opening it to the world is a big mistake.
- Misconfiguration of enterprise services like NIS (which is still widely used, but is gradually being replaced with LDAP), NFS, Samba, etc. Often the IP ranges used to open those services are way too wide. An additional problem with Samba is that Unix sysadmins often do not clearly understand the mapping of Windows file attributes into extended attributes.
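Two recommendations from the text, restricting the source IP range for ssh via TCP wrappers or a firewall and never accepting password-only authentication on an Internet-facing server, can be checked mechanically. Below is an added example (not code from the original article) in POSIX shell: an audit function that reads an sshd_config and a hosts.allow and flags the weak settings, run against a constructed weak configuration and its hardened counterpart. The keyword names are real OpenSSH and tcp_wrappers syntax; the account names and the 10.20.0.0/16 VPN range in the samples are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article: audit sshd_config and
# hosts.allow for (1) password-only authentication with no second factor and
# (2) sshd reachable from any source address. Assumptions: POSIX sh, awk, grep,
# cut, tr, mktemp; the sample files are constructed for the demo.

# first_value FILE KEYWORD: sshd honours the first occurrence of a keyword in
# the global section, so stop at the first match and ignore "Match" blocks.
first_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }              # end of global section
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_ssh SSHD_CONFIG HOSTS_ALLOW: print one FINDING line per weak setting
# and return the number of findings (0 means every check passed).
audit_ssh() {
    cfg=$1; allow=$2; n=0
    pw=$(first_value "$cfg" PasswordAuthentication)
    methods=$(first_value "$cfg" AuthenticationMethods)
    root=$(first_value "$cfg" PermitRootLogin)
    users=$(first_value "$cfg" AllowUsers)    # first name only; presence check

    # Password login enabled (the OpenSSH default) and no AuthenticationMethods
    # chaining a second factor such as "publickey,keyboard-interactive".
    if [ "${pw:-yes}" = "yes" ] && ! echo "$methods" | grep -q ','; then
        echo "FINDING: password-only authentication (no second factor chained)"
        n=$((n+1))
    fi
    case "$root" in
        no|prohibit-password|without-password) ;;
        "") echo "FINDING: PermitRootLogin not set; default depends on version"; n=$((n+1)) ;;
        *)  echo "FINDING: PermitRootLogin $root permits root login"; n=$((n+1)) ;;
    esac
    [ -n "$users" ] || { echo "FINDING: no AllowUsers list, every account may log in"; n=$((n+1)); }

    # Source restriction: the first sshd line in hosts.allow must carry an
    # explicit client list; "ALL" or no line at all means the whole Internet.
    clients=$(grep -E '^[[:space:]]*sshd[[:space:]]*:' "$allow" 2>/dev/null | head -n 1 | cut -d: -f2 | tr -d ' ')
    case "$clients" in
        ""|ALL) echo "FINDING: sshd not restricted to a client IP range in hosts.allow"; n=$((n+1)) ;;
    esac
    return $n
}

# write_samples DIR: constructed weak and hardened configurations for the demo.
write_samples() {
    cat > "$1/sshd_config.weak" <<'EOF'
# constructed sample: stock-like sshd exposed to the Internet
Port 22
PasswordAuthentication yes
PermitRootLogin yes
EOF
    cat > "$1/hosts.allow.weak" <<'EOF'
sshd : ALL : allow
EOF
    cat > "$1/sshd_config.hard" <<'EOF'
# constructed sample: key plus one-time code, named accounts only
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
PermitRootLogin no
AllowUsers opsadmin backup
EOF
    cat > "$1/hosts.allow.hard" <<'EOF'
# constructed sample: only the corporate VPN range (assumed) may reach sshd
sshd : 10.20.0.0/255.255.0.0 : allow
sshd : ALL : deny
EOF
}

# run_samples: audit both sample sets and print their finding counts.
run_samples() {
    d=$(mktemp -d); write_samples "$d"
    echo "== weak =="; audit_ssh "$d/sshd_config.weak" "$d/hosts.allow.weak"; weak=$?
    echo "== hardened =="; audit_ssh "$d/sshd_config.hard" "$d/hosts.allow.hard"; hard=$?
    rm -rf "$d"
    echo "findings: weak=$weak hardened=$hard"
}

if [ "${1:-}" = "--demo" ]; then run_samples; fi
```

On a real server the same function is run as `audit_ssh /etc/ssh/sshd_config /etc/hosts.allow`; a firewall rule limiting port 22 to the same range is the equivalent check for the "or firewall" half of the recommendation and is not parsed here.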
Although there are thousands of security incidents each year affecting major Linux distributions, the majority of successful attacks target one or more of these vulnerable services. Attackers are usually opportunistic. They take the easiest and most convenient route and exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations being behind in patching, especially patching of applications and protocols like SSL, and not fixing well-known problems. They often attack indiscriminately, scanning the Internet for any vulnerable systems.
The best strategy for a large corporation is avoidance. On the Unix and Linux side, the Berkeley Internet Name Domain (BIND) software remains the top problem software. That means that a large corporation should never try to run BIND on Linux. Similarly, Apache as an external web server should generally work via an HTTP proxy. Generally Apache is way too complex to be used as an Internet-facing Web server (but it can and should be used as an internal Web server, due to its functional superiority over competitors). Running Sendmail on Linux is not recommended for the same reason, as at number 6 it belongs to the most vulnerable software on Unix/Linux servers. In major distributions it was replaced by Postfix long ago, so it is only inertia that dictates the continued use of Sendmail in enterprise environments.
The SANS Institute provides a periodic list of top vulnerabilities which, while it can't be taken at face value, still might contain useful information. It can be viewed on the organization's Web site. The list below is adapted from the SANS Web site and is old. But as a reference it still makes sense, as it shows the futility of viewing Linux security without considering the network architecture and the level of hardening. It also shows the limitations of the people at SANS who compiled the list. Concentration on individual software vulnerabilities makes sense for the attacker, but much less sense for the defender.
The Berkeley Internet Name Domain (BIND) package is the most widely used implementation of the Domain Name Service (DNS), a critical system that allows the conversion of hostnames into registered IP addresses. Unless you run your own internal DNS (which many corporations do and which constitutes good practice), this is the system exposed to external attacks.
The ubiquity and critical nature of BIND has made it a frequent target, especially in Denial of Service (DoS) attacks, which can result in a complete loss of accessibility to the Internet for services and hosts. Whilst BIND developers have historically been quick to repair vulnerabilities, an inordinate number of outdated, misconfigured and/or vulnerable servers remain in place. Also there are some high-level exploits of BIND based on architectural flaws that are not that easy to patch.
Among old, well-known BIND weaknesses was a denial of service discussed in CERT Advisory CA-2002-15. In this case, an attacker can send specific DNS packets to force an internal consistency check which itself is vulnerable and will cause the BIND daemon to shut down. Another was a buffer overflow attack, discussed in CERT Advisory CA-2002-19, in which an attacker utilizes vulnerable implementations of the DNS resolver libraries. By sending malicious DNS responses, the attacker can exploit this vulnerability and execute arbitrary code or even cause a denial of service.
A further risk is posed by a vulnerable BIND server, which may be compromised and used as a repository
for illicit material without the administrator's knowledge or in stepping-stone attacks which use the
server as a platform for further malicious activity.
Operating Systems Affected
Nearly all UNIX and Linux systems are distributed with a version of BIND. To increase the level of protection
it is recommended to use a self-compiled version of BIND built with the Intel compiler, and to replace
the stock version of BIND provided by the operating system vendor with it.
Also, due to the criticality of the service, Linux is a bad choice of platform for its deployment.
Solaris should be used instead. For excellent guides to hardening BIND on Solaris systems, as well as
additional references for BIND documentation, see Running the BIND9 DNS Server Securely and the
archives of BIND security papers available from Afentis.
For mission-critical servers run a BIND that was not installed via RPM, but compiled with appropriate
compiler options from source downloaded directly from the Internet Software Consortium (ISC).
Or buy a DNS appliance.
Ensure that your externally exposed DNS server runs the latest version of BIND. For most systems,
the command "named -v" will show the installed BIND version enumerated as X.Y.Z where X is
the major version, Y is the minor version, and Z is a patch level. A proactive approach to
maintaining the security of BIND is to subscribe to customized alerting and vulnerability reports. In addition, a vulnerability
scanner might be used to check DNS systems for configuration blunders and potential vulnerabilities.
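The "named -v" check above is only useful if the X.Y.Z string is compared correctly. The following is an added example (not code from this page or from ISC) that parses the version string, including the -Pn patch releases ISC ships and the suffixes distributions append, and compares it numerically. The sample outputs and the baseline version are constructed placeholders; substitute the version named in the advisory you are acting on.

```python
import re

# Constructed sample outputs of "named -v" (not captured from real servers).
SAMPLE_OUTPUTS = [
    "BIND 9.16.1",
    "BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7",
    "BIND 9.18.24-0ubuntu0.22.04.1-Ubuntu (Extended Support Version) <id:>",
]

# X.Y.Z as the text above describes, plus the optional -Pn patch release ISC uses.
VERSION_RE = re.compile(r"BIND\s+(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_named_version(text):
    """Return (major, minor, patch, p_release) from 'named -v' output."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no BIND version string in {text!r}")
    major, minor, patch, p_release = match.groups()
    return (int(major), int(minor), int(patch), int(p_release or 0))


def is_at_least(text, minimum):
    """True when the installed version is >= minimum, a (major, minor, patch, p) tuple.

    Comparing tuples of ints avoids the classic mistake of comparing the raw
    version strings, where "9.9.1" sorts after "9.16.1".
    """
    return parse_named_version(text) >= minimum


if __name__ == "__main__":
    # Placeholder baseline: replace with the version your vendor's advisory names.
    baseline = (9, 16, 1, 0)
    for out in SAMPLE_OUTPUTS:
        status = "ok" if is_at_least(out, baseline) else "OUTDATED"
        print(out, "->", parse_named_version(out), status)
```

Run it against the real output of "named -v" on each DNS host; a host whose version string does not parse at all is worth a look too, since it usually means a heavily patched or rebranded build.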
This subsystem does not need to be exposed to the Internet, so it is mostly an internal
vulnerability, unlike DNS. Most corporations now provide access to the internal network for both users
and sysadmins via VPN, using separate, not shared corporate PCs/laptops, which often have smart card
authentication.
Description
Remote procedure calls (RPCs) allow programs on one computer to execute procedures on a second computer
by passing data and retrieving the results. RPC is therefore widely used for many distributed network
services such as remote administration, NFS file sharing, and NIS. However there are numerous flaws
in RPC which are being actively exploited. Many RPC services execute with elevated privileges that can
provide an attacker unauthorized remote root access to vulnerable systems.
The majority of the distributed denial of service attacks launched were executed by systems that
had been victimized through these RPC vulnerabilities. The broadly successful attack on U.S. Military
systems during the Solar Sunrise incident also exploited an RPC flaw found on hundreds of Department of Defense computer
systems. More recently, an MS Windows DCOM Remote Procedure Call vulnerability has played a role in
one of the most significant worm propagation events.
Operating Systems Affected
All versions of UNIX and Linux come with RPC services installed and often enabled. It is not always
possible to shut down this service as it is widely used and required for the NFS implementation. For
that reason NFS should not be used in a DMZ.
Use a vulnerability scanner or the 'rpcinfo' command to determine if you are running one of the most
commonly exploited RPC services:
RPC Service          RPC Program Number
rpc.ttdbserverd      100083
rpc.cmsd             100068
rpc.statd            100024
rpc.mountd           100005
rpc.walld            100008
rpc.yppasswdd        100009
rpc.nisd             100300
sadmind              100232
cachefsd             100235
snmpXdmid            100249
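Checking the table by eye against "rpcinfo -p" output on many hosts is error-prone. The following is an added example (not code from this page or from SANS) that parses "rpcinfo -p" output, flags any registration whose program number is in the table above, and lists ports falling in the 32770-32789 range the checklist below says to block. The rpcinfo output is constructed for a hypothetical host.

```python
# Constructed 'rpcinfo -p' output for a hypothetical host (not a real capture).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32769  status
    100005    3   tcp  20048  mountd
    100003    4   tcp   2049  nfs
    100068    5   udp  32770  cmsd
"""

# Program numbers from the table above (the SANS list as reproduced on this page).
RISKY_RPC_PROGRAMS = {
    100083: "rpc.ttdbserverd", 100068: "rpc.cmsd", 100024: "rpc.statd",
    100005: "rpc.mountd", 100008: "rpc.walld", 100009: "rpc.yppasswdd",
    100300: "rpc.nisd", 100232: "sadmind", 100235: "cachefsd", 100249: "snmpXdmid",
}


def parse_rpcinfo(text):
    """Return (program, version, proto, port, name) rows from 'rpcinfo -p' output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header line and anything that is not a registration row.
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        program, version, proto, port = fields[:4]
        name = fields[4] if len(fields) > 4 else ""
        rows.append((int(program), int(version), proto, int(port), name))
    return rows


def find_risky_rpc(text):
    """Registered services whose program number is on the watch list, sorted."""
    hits = set()
    for program, _version, proto, port, _name in parse_rpcinfo(text):
        if program in RISKY_RPC_PROGRAMS:
            hits.add((program, RISKY_RPC_PROGRAMS[program], proto, port))
    return sorted(hits)


def loopback_range_ports(text, low=32770, high=32789):
    """Ports inside the 32770-32789 range the checklist says to block at the border."""
    return sorted({row[3] for row in parse_rpcinfo(text) if low <= row[3] <= high})


if __name__ == "__main__":
    for program, name, proto, port in find_risky_rpc(SAMPLE_RPCINFO):
        print(f"{name:<16} program {program} on {proto}/{port}")
    print("loopback-range ports:", loopback_range_ports(SAMPLE_RPCINFO))
```

Feed it the saved output of "rpcinfo -p" from each host (or "rpcinfo -p host" from a scanner box) and treat every hit as a service to justify, patch, or remove.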
RPC services are typically exploited through buffer overflow attacks which are successful because the
RPC programs do not perform sufficient error checking or input validation. Buffer overflow vulnerabilities
allow an attacker to send unexpected data (often in the form of malicious code) into the program memory
space. Due to poor error checking and input validation, the data overwrite key memory locations that
are in line to be executed by the processor. In a successful overflow attack, this malicious code is
then executed by the operating system. Since many RPC services execute with elevated privileges, successful
exploitation of these vulnerabilities can provide unauthorized remote root access to the system.
How to Protect Against It
Use the following steps to protect your system against RPC attacks:
Turn off or remove any RPC service which is not absolutely necessary for the function of your
network.
Install the latest patches for any services you cannot remove:
Regularly search the vendor patch database for new patches and install them right away.
Block the RPC portmapper, port 111 (TCP and UDP) and Windows RPC, port 135 (TCP and UDP), at
the border router or firewall.
Block the RPC "loopback" ports, 32770-32789 (TCP and UDP).
Enable a non-executable stack on those operating systems that support this feature. While a
non-executable stack will not protect against all buffer overflows, it can hinder the exploitation
of some standard buffer overflow exploits publicly available on the Internet.
For NFS exported file systems, the following steps should be taken:
Use host/IP based export lists.
Set up exported file systems for read-only or no-suid wherever possible.
Use 'nfsbug' to scan for vulnerabilities.
A summary document pointing to specific guidance about three principal RPC vulnerabilities -
Tooltalk, Calendar Manager, and Statd - may be found at: http://www.cert.org/incident_notes/IN-99-04.html.
Summary documents pointing to specific guidance about the above RPC vulnerabilities may be found
at:
In a large corporation Apache or another Web server is never exposed to the Internet directly. Usually it
is exposed via a proxy such as BlueCoat. But small ISPs and small companies often have Apache exposed
directly.
Apache has historically been, and continues to be, the most popular web server on the Internet. In
comparison to Microsoft's Internet Information Server, Apache may have a cleaner record in regards to
security, but it still has its fair share of vulnerabilities. In addition to exploits in Apache's
core and modules (CA-2002-27, CA-2002-17), SQL, database, CGI and PHP vulnerabilities are all
potentially exposed through the web server.
If left unsecured, vulnerabilities in the Apache web server implementation and associated components
can result in denial of service, information disclosure, web site defacement, remote root access, or
countless other unfavorable results.
Affected Operating Systems
All UNIX systems running Apache. Many Linux and UNIX variants come with Apache installed and sometimes
enabled by default. As in the case of BIND, it is recommended to compile your own version of Apache before deployment.
How to Determine if you are Vulnerable
Security advisories for Apache 2.x are published at
http://httpd.apache.org/security/
How to Protect Against It
Ensure that you are running the latest patch level.
Ensure that core operating system components that are referenced by Apache are patched. Only
the modules necessary for your server to function properly should be compiled into Apache.
Note: the mod_ssl worm (CA-2002-27) is a perfect example; it resulted from vulnerabilities
within OpenSSL (CA-2002-23).
Never run Apache as root. A unique user and group with minimal privileges should be created
for running Apache. No other system processes should be run under this user or group.
Limit the server information that is revealed.
While this suggestion tends to encounter opposition from people arguing that security by obscurity
is not the way, and a number of the exploit attempts you will see are done in a blind, sweeping fashion
(proven by the fact that many Apache logs show IIS exploit attempt after IIS exploit
attempt), there are also some exploits that will trigger based on header information.
Ensure that mod_info is not accessible from the Internet.
Directory indexing should be disabled.
For security-sensitive systems always run Apache in a chroot environment. If Apache is started chroot-ed it
cannot access any part of the operating system directory structure outside of the chroot. This can
often be critical in preventing exploits. For example, an exploit may call a shell, and since /bin/sh likely does
not (and should not) reside in the chroot, it would be ineffective.
As there are numerous methods of chrooting, software documentation should be consulted for assistance.
Additional information can be found below.
Efficient and thorough logging is essential to effectively track down any potential security
problems or unexplained behavior you may be experiencing with your web server. It is a good practice
to routinely rotate logs and keep older logs archived. This will make the log size more manageable
and easier to parse through if necessary.
Various information regarding log formats and rotation are available here:
In many scenarios the content of these logs may not be sufficient. Especially if you're using
PHP, CGI or other scripting, it is a good idea to log GET and POST payloads. This can yield important
data and evidence in the event of a security compromise. Logging of GET and POST payloads can be
implemented via mod_security.
For security-sensitive systems you should disable PHP, CGI, SSI and other scripting languages,
as it is difficult or impossible to protect them from exploits. Use only precompiled static
pages.
Disable Server Side Includes (SSI) which can potentially be abused and cause the web server
to execute code which it was not intended to.
If PHP, CGI, SSI or other scripting languages are necessary, consider utilizing suEXEC.
suEXEC allows scripts to be run under Apache with a user id other than the Apache user id.
WARNING: It is imperative that suEXEC is understood thoroughly. If it is improperly utilized
it can create new security holes.
Additional modules can aid in security. The mod_security (www.modsecurity.org)
module can help protect against Cross Site Scripting (XSS) and SQL injection. Detailed implementation
instructions can be found at their website.
Auditing your scripts for vulnerabilities including XSS and SQL injection is also important.
There are a few open source tools that will accomplish this. Nikto (available at
http://www.cirt.net/code/nikto.shtml)
is one of the more comprehensive CGI scanning tools.
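Several items in the checklist above (never run as root, limit revealed server information, keep mod_info off the Internet, disable directory indexing, disable SSI and CGI where not needed) can be verified mechanically against the configuration. The following is an added example (not code from this page, from SANS or from the Apache project) that lints an httpd.conf fragment for those items and shows a weak configuration next to its corrected form. Both fragments are constructed; the directive names are standard Apache ones, but the finding codes are this example's own.

```python
import re

# Constructed httpd.conf fragments (not from any real server). The first one has
# the weaknesses the checklist above warns about; the second is the corrected form.
WEAK_CONF = """\
User root
Group root
ServerTokens Full
ServerSignature On
LoadModule info_module modules/mod_info.so
<Location /server-info>
    SetHandler server-info
</Location>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride None
</Directory>
"""

HARDENED_CONF = """\
User www-data
Group www-data
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI FollowSymLinks
    AllowOverride None
</Directory>
"""


def directive_values(conf, name):
    """All values of a directive, one per line, ignoring case and leading blanks."""
    return re.findall(rf"^\s*{name}\s+(.+?)\s*$", conf, re.IGNORECASE | re.MULTILINE)


def lint_apache_conf(conf):
    """Return sorted finding codes for the checklist items this page lists."""
    findings = set()
    identities = directive_values(conf, "User") + directive_values(conf, "Group")
    if any(value.lower() == "root" for value in identities):
        findings.add("root-user")          # never run Apache as root
    tokens = directive_values(conf, "ServerTokens")
    if not tokens or tokens[-1].lower() != "prod":   # the default when unset is Full
        findings.add("server-tokens")      # version details revealed in headers
    if any(value.lower() != "off" for value in directive_values(conf, "ServerSignature")):
        findings.add("server-signature")   # version appended to error pages
    if re.search(r"mod_info\.so|SetHandler\s+server-info", conf, re.IGNORECASE):
        findings.add("mod_info")           # must not be reachable from the Internet
    for options in directive_values(conf, "Options"):
        words = options.split()
        if "Indexes" in words or "+Indexes" in words:
            findings.add("indexes")        # directory listings enabled
        if "Includes" in words or "+Includes" in words:
            findings.add("includes")       # SSI enabled
        if "ExecCGI" in words or "+ExecCGI" in words:
            findings.add("execcgi")        # CGI execution enabled
    return sorted(findings)


if __name__ == "__main__":
    print("weak:    ", lint_apache_conf(WEAK_CONF))
    print("hardened:", lint_apache_conf(HARDENED_CONF))
```

The check deliberately treats an absent ServerTokens as a finding, because Apache's default is the most verbose setting; a config that never mentions a directive is still making a choice.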
This is mostly an internal vulnerability, as for security-sensitive systems you should in no way be
able to authenticate to an internal system from the Internet, only from a private VPN. It is an
external vulnerability for ISPs and small companies that do not use a VPN for this purpose. In this
case a one-time password system or security token should be used to avoid cracking of the password database.
See the recent Yahoo hack for details:
Yahoo discloses hack of 1 billion accounts
Google provides two-factor authentication, which, as we now know, Podesta did not use. That
led to huge embarrassment when his emails were stolen via a simplistic phishing scheme (as far as
computer security goes he proved to be a completely incompetent idiot, like most of Hillary Clinton's
entourage; he was too lazy to use the two-factor authentication that Google provides):
Signing in to your account will work a little differently
You'll enter your password. Whenever you sign in to Google, you'll enter your password as
usual.
You'll be asked for something else. Then, a code will be sent to your phone via text,
voice call, or our mobile app. Or, if you have a Security Key, you can insert it into your
computer's USB port.
Passwords, passphrases and/or security codes are used in virtually every interaction between users
and information systems. The most simplistic (one-factor) authentication, as well as file and data protection, rely
heavily on user or vendor supplied passwords. In addition, since properly authenticated access is often
not logged, or if logged not likely to arouse suspicion, a compromised password is an opportunity to
explore a system virtually undetected. An attacker in possession of a valid user password would have
complete access to any resources available to that user, and would be significantly closer to being
able to access other accounts, nearby machines, and perhaps even obtain root level access on this system.
Despite this threat, user and administrator level accounts with poor or non-existent passwords are still
very common. As well, organizations with a well-developed and enforced password policy are still uncommon.
The most common password vulnerabilities are:
user accounts that have weak or nonexistent passwords;
users accounts with widely known or openly displayed passwords;
system or software created administrative level accounts with widely known, weak, or nonexistent
passwords;
weak or well known password hashing algorithms and/or user password hashes that are stored with
weak security and are visible to anyone.
The best defense against all of these vulnerabilities is a strong authentication policy that includes
usage of SecurID or smartcards. We also need to create detailed instructions for users for strong
passwords creation; explicit rules for users to ensure their passwords remain secure; a process for
IT staff to promptly replace weak/insecure/default or widely known passwords and to promptly lock down
inactive or close down unused accounts; and a proactive and regular process of checking all passwords
for strength and complexity.
Operating Systems Affected
Any operating system or application on any platform where users authenticate via a user ID and password.
On Linux you should require the MD5 algorithm for hashing passwords; it is somewhat more secure
than the older crypt algorithm.
How to Protect Against It
The best and most appropriate defense against password weaknesses is a strong policy which provides
detailed instructions to engender good user password habits and also entails regular proactive checking
of password integrity by system administrators with complete support from the organization. The following
steps should be used as guidelines for a good password policy:
Assure that passwords are consistently strong. Given enough hardware resources and enough
time, any password can be cracked using brute force guessing. Password crackers that are employed
by attackers use what are known as dictionary-style attacks. Since common password encryption methods
are widely known, the cracking utilities simply compare the encrypted form of a target password
against the encrypted forms of all dictionary words (in many languages), along with proper names,
and various common permutations of both. Therefore a password that in any way resembles a word (or
words in almost any documented language) is highly susceptible to a dictionary attack. Many organizations
instruct users to generate passwords by including combinations of alphanumeric and special characters,
and users more often than not adhere by taking a word (e.g., password) and converting letters to
numbers or special characters (e.g., pa$$w0rd). Such permutations cannot protect against a dictionary
attack: pa$$w0rd is as likely to be cracked as password.
A good password therefore cannot have a word or proper name as its root. A strong password policy
should direct users to generate passwords from something more random, like a phrase or a longer
title of a book or song. By concatenating a longer phrase into a string (i.e., taking the first
letter of each word in the phrase (preferably in mixed case), or substituting a special character
for a word in the initial phrase, and/or replacing all the vowels in that concatenated phrase with
various special characters, etc.), users can generate sufficiently long password strings which combine
alphanumeric and special characters in a way that dictionary attacks will have greater difficulty
cracking. And if the initial phrase is easy to remember, then the resulting password string should
be as well.
Once users are given the proper instructions for generating good passwords, detailed procedures
should be put in place to assure that these instructions are followed. The best way to do this is
by validating the password whenever the user changes it. Most flavors of UNIX/LINUX can use Npasswd
as a front-end to check entered passwords against your password policy. PAM-enabled systems can
also be extended to include cracklib (the libraries which accompany Crack) to check passwords as
they are generated. Most new PAM-enabled systems can also be setup to refuse bad passwords that
do not meet certain guidelines.
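The two preceding paragraphs make a concrete claim (pa$$w0rd is as weak as password) and a concrete recommendation (validate passwords against the policy when they are changed). The following is an added example (not code from this page, from SANS, or from npasswd/cracklib) of such a change-time check: it undoes the usual letter-to-symbol substitutions and trailing digits before consulting a word list, mirroring the mangling rules crackers apply, and reports policy violations. The word list, the 12-character minimum and the three-character-class rule are this example's assumptions; a real deployment would load the full cracklib dictionaries.

```python
import re

# Constructed mini word list; a real check would load cracklib's dictionaries.
DICTIONARY = {"password", "secret", "welcome", "monkey", "dragon", "letmein", "summer"}

# The letter-to-symbol tricks users apply and cracking rules undo (pa$$w0rd -> password).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_roots(candidate):
    """Forms of the password a dictionary attack would try, cheapest first."""
    lowered = candidate.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)   # Secret2019! -> secret
    return [lowered, stripped, lowered.translate(LEET), stripped.translate(LEET),
            re.sub(r"[^a-z]", "", lowered.translate(LEET))]


def dictionary_root(candidate, dictionary=DICTIONARY):
    """Return the dictionary word the candidate is built on, or None."""
    roots = candidate_roots(candidate)
    for root in roots:
        if root in dictionary:
            return root
    for root in roots:                      # cracklib-style embedded-word check
        for word in sorted(dictionary, key=len, reverse=True):
            if len(word) >= 6 and word in root:
                return word
    return None


def check_password(candidate, minimum_length=12):
    """Policy violations for the candidate; an empty list means it passes."""
    problems = []
    if len(candidate) < minimum_length:
        problems.append(f"shorter than {minimum_length} characters")
    root = dictionary_root(candidate)
    if root is not None:
        problems.append(f"resembles dictionary word '{root}'")
    classes = sum(bool(re.search(pattern, candidate))
                  for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


def acrostic(phrase):
    """First letter of each word: the seed the text above recommends building on."""
    return "".join(word[0] for word in phrase.split())


if __name__ == "__main__":
    seed = acrostic("four score and seven years ago our fathers brought forth on this continent")
    for pw in ["pa$$w0rd", "Secret2019!", seed, "Fs&syaofbf0tcann!"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

Note that the bare acrostic fails the character-class rule; the text's advice to mix case and substitute a symbol for a word is what turns the phrase into something that passes, and the check makes that visible to the user at change time rather than to an auditor months later.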
However, if passwords cannot be verified against dictionary libraries when they are entered using
tools such as Npasswd or PAM-enabled libraries, then cracking utilities should be run by the system
administrator in a stand-alone mode as part of a regular proactive procedure. Tools like those used
by potential attackers are generally the best choice. On a UNIX/LINUX-based platform, that would
include Crack and John the Ripper.
Please Note: Never run a password scanner, even on systems for which you have root-like
access, without explicit and preferably written permission from your employer/organization.
Administrators with the most benevolent of intentions have been fired for running password cracking
tools without the authority to do so. This authority should be in the form of a written letter
that forms part of the organization's strong password policy and allows for regular scheduled
password checks.
Once you have acquired authority to run cracking utilities on your system, do so regularly on
a physically protected and secure machine. The tools on the machine should not be openly accessible
to anyone but the authorized system administrator. Users whose passwords are cracked should be notified
confidentially and given instructions on how to choose a better password. As part of the organization's
password policy, both administrators and management should develop these notification procedures
together, so that management can provide guidance and/or assistance when users do not respond to
these notifications.
Other possible options to protect against nonexistent or weak passwords and/or to maintain password
policy procedures are (a) to use an alternative form of authentication such as password-generating
tokens or biometrics. These are effective if you are having trouble with weak passwords and can
be used as an alternative means of authenticating users. It should be noted that some password-generating
tokens need procedures in place to ensure they are not openly accessible to unauthorized users and
if stolen they are promptly denied from the system. Biometrics is a developing area and depending
on the type of authentication (e.g., fingerprints versus facial recognition), some of the technology
has not been perfected and errors in authentication may be common. (b) There are many comprehensive
third party tools (free and commercial) available to help manage good password policy.
Protect Strong Passwords. If you store password hashes in /etc/passwd, update your system
to use /etc/shadow. If your system runs NIS or LDAP in such a way that hashes cannot be protected,
anyone (even non-authenticated users) can read your password hashes and attempt cracking. You should
look for more secure alternatives to the NIS and LDAP version you are running. Until those insecure
applications can be secured/replaced, you should secure proper permission and run proactive cracking
as a regular procedure against those applications as well. Consider using the MD5 algorithm to hash
your passwords instead of crypt.
However, even if passwords themselves are strong, accounts can be compromised if users do not
protect their passwords. A good password policy should include detailed procedures for a user that
require that a user should never tell his or her password to anyone else, never write a password
down where it could be read by others, properly secure any files in which a password is stored for
automated authentication, and if a password is known to be stolen or known by others, to promptly
notify the system administrator. Password aging should be enforced so that any passwords which slip
through these rules are only vulnerable for a short window of time, and old passwords should not
be reused. Administrators should make sure that the users are given warning of a pending password
change and several chances to change their password before it expires. When faced with the message
"Your password has expired and must be changed", users will tend to pick a bad password.
Tightly Control Accounts. Any service-based or administrative accounts not in use should
be disabled or if possible removed completely. Any service-based or administrative accounts which
are used should be given new and strong passwords as soon as the service or account is installed
or activated. Configure new user accounts with randomly-generated initial passwords, and force users
to change them when they first log in. Audit the accounts on your systems on a regular and proactive
basis, and maintain a master list of all of these accounts detailing the service requiring the account
and the intended need. Develop stringent procedures for adding/removing authorized accounts to/from
the list. Have rigid procedures for removing accounts when employees or contractors leave or when
the accounts are no longer required. Validate the master list on a regular scheduled basis to make
sure no new accounts have been added and that unused accounts have been removed. In addition, do
not forget to check the accounts and passwords on supporting systems like routers, switches, and
Internet-connected digital printers, copiers and printer controllers.
Many network services utilized by UNIX systems are clear-text (also known as "plain text"). That
means that there is no encryption used by those services. Lack of encryption allows everybody who is
observing network traffic ("sniffing") to gain access to either communication contents and/or authentication
credentials.
For example, to steal the FTP or telnet login information, an attacker needs to place a network sniffer
somewhere along the connection path, such as on the FTP server LAN or on the client LAN. The transmission
of information between R-command clients and R-services in plain-text permits data or keystrokes to
be intercepted as well. Attackers have often deployed sniffers in recent security incidents and often
on compromised machines. Finding usernames and passwords in sniffed data is very easy.
Here is a summary table of most common UNIX network services which are transmitted in clear text.
Service    Port     Clear Content   Clear Auth   What is transferred
FTP        21,20    y               y            Text, binary
TFTP       69       y               N/A          Text, binary
telnet     23       y               y            Text
SMTP       25       y               N/A          Text, binary
POP3       110      y               y            Text, binary
IMAP       143      y               y            Text, binary
rlogin     513      y               y            Text
rsh        514      y               y            Text
HTTP       80       y               y            Text, binary
Services such as telnet and FTP, where both contents and authentication credentials are transmitted
in clear text, present the highest risk, since the attacker will be able to reuse the credentials and access
the system at their leisure. Additionally, command sessions run in clear text may also be hijacked and
used by the attacker to run commands without authentication.
Here is the risk summary from clear text services:
Activity possible         Risk
Sniffing the username     Simplifies brute-forcing attacks
Sniffing the password     Gives remote access
Sniffing FTP content      File stealing
Session hijacking         Run commands on a target system
HTTP session sniffing     Discloses web authentication credentials
Operating Systems Affected
All UNIX flavors contain clear-text services (telnet and FTP being the most common). All UNIX/Linux
flavors with the possible exception of the latest editions of Free/OpenBSD ship with some of the services
enabled by default.
How to Determine if you are Vulnerable
The most effective and reliable way to determine whether clear text services are in use is to use a
sniffer tool similar to those used by attackers.
The most commonly used sniffer is "tcpdump". Run it as:
# tcpdump -X -s 1600
to detect any clear text communication. "Tcpdump" may be obtained at
http://www.tcpdump.org.
Another such tool is "ngrep", which allows one to look for specific patterns in network communication,
such as "sername" or "assword" (the first letters are removed to accommodate possible capitalization).
Run the tool as:
There are also more sophisticated tools specifically designed to detect authentication credentials
on the network. "Dsniff" is the most popular tool of that sort. Simply running:
# /usr/sbin/dsniff
will make the tool detect and print all username-password pairs detected on the network in a large
number of plain text protocols, such as FTP, telnet or POP3. Dsniff may be obtained at
http://www.monkey.org/~dugsong/dsniff/.
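The tcpdump, ngrep and dsniff procedures above all come down to the same audit: which flows go to the clear-text ports in the table, and which of them carry credentials. The following is an added example (not code from this page, from SANS or from the dsniff project) of that audit as a defender would run it over an already captured trace: it inspects only flows to the clear-text ports, reports the account name so the user can be notified, and records the length of any password seen rather than the password itself. The flows are constructed, not a real capture; the port table is the one on this page.

```python
import base64
import binascii
import re

# Clear-text services from the table above (port -> service name).
CLEAR_TEXT_PORTS = {21: "FTP", 20: "FTP-data", 69: "TFTP", 23: "telnet", 25: "SMTP",
                    110: "POP3", 143: "IMAP", 513: "rlogin", 514: "rsh", 80: "HTTP"}

# Constructed flows as (src, dst, dst_port, payload); not a real capture.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 21, "USER alice\r\n"),
    ("10.0.0.5", "10.0.0.20", 21, "PASS hunter2\r\n"),
    ("10.0.0.7", "10.0.0.30", 110, "USER bob\r\nPASS letmein\r\n"),
    ("10.0.0.9", "10.0.0.40", 80,
     "GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic Y2Fyb2w6czNjcjN0\r\n\r\n"),
    ("10.0.0.9", "10.0.0.50", 443, "\x16\x03\x01 (TLS handshake, opaque)"),
    ("10.0.0.5", "10.0.0.20", 22, "SSH-2.0-OpenSSH_8.9\r\n"),
]

# The same idea as ngrep's 'sername' / 'assword' search, made protocol-aware.
CREDENTIAL_PATTERNS = [
    (re.compile(r"^USER\s+(\S+)", re.IGNORECASE | re.MULTILINE), "username"),
    (re.compile(r"^PASS\s+(\S+)", re.IGNORECASE | re.MULTILINE), "password"),
    (re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.IGNORECASE | re.MULTILINE), "http-basic"),
]


def describe(kind, value):
    """Keep what an administrator needs for notification; never record the secret."""
    if kind == "username":
        return f"user={value}"
    if kind == "http-basic":
        try:
            decoded = base64.b64decode(value).decode("utf-8", errors="replace")
        except (binascii.Error, ValueError):
            return "undecodable Basic credentials"
        return f"user={decoded.split(':', 1)[0]}"     # user part only; password dropped
    return f"password ({len(value)} chars, redacted)"


def find_clear_text_credentials(flows, ports=CLEAR_TEXT_PORTS):
    """Findings as (src, dst, port, service, kind, detail) for clear-text services only."""
    findings = []
    for src, dst, port, payload in flows:
        service = ports.get(port)
        if service is None:          # TLS, SSH and unknown ports are not inspected
            continue
        for pattern, kind in CREDENTIAL_PATTERNS:
            for match in pattern.finditer(payload):
                findings.append((src, dst, port, service, kind, describe(kind, match.group(1))))
    return findings


def exposed_services(flows, ports=CLEAR_TEXT_PORTS):
    """Which clear-text services are in use at all, credentials or not."""
    return sorted({ports[port] for _src, _dst, port, _payload in flows if port in ports})


if __name__ == "__main__":
    for finding in find_clear_text_credentials(SAMPLE_FLOWS):
        print(finding)
    print("clear-text services seen:", exposed_services(SAMPLE_FLOWS))
```

The list from exposed_services is the migration backlog (FTP to SFTP, telnet to SSH, POP3 to POP3S or an SSH tunnel); the credential findings are the accounts whose passwords must be changed once the clear-text path is closed.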
How to Protect Against It
Using end-to-end or at least link-level encryption will help. Some protocols have encrypted equivalents
such as POP3S and HTTPS. For the protocols which do not have native encryption capabilities, one can
tunnel them over SSH (Secure Shell) or SSL connection.
As an example: FTP might be replaced with more secure software solutions such as SFTP or SCP (parts
of the Secure Shell software package) and use a web server to distribute files to a wide audience.
The most popular and flexible SSH implementation is OpenSSH (available at
http://www.openssh.org). It runs
on most UNIX variants and may be used for remote interactive sessions (replaces telnet, rlogin and rsh)
and tunneling (of POP3, SMTP, X11 and many other protocols).
Here is how one can tunnel POP3 over SSH connection. The POP3 server needs to be also running the
SSH server. First run this on the client machine:
Now, point your email client to localhost, TCP port 110 (unlike the usual 'pop3.mail.server.com',
port 110). All communication between your machine and the POP3 mail server will be tunneled over SSH
and thus encrypted.
Another popular encrypted tunneling solution is "stunnel". It implements SSL protocol (via OpenSSL
toolkit) and may be used to tunnel various plain text protocols. Stunnel may be obtained at
http://www.stunnel.org/.
Sendmail is the program that sends, receives, and forwards most electronic mail processed on UNIX
and Linux systems. Sendmail is the most popular Mail Transfer Agent (MTA) and its widespread use on
the Internet has historically made it a prime target of attackers, resulting in numerous exploits over
the years.
Most of these exploits are successful only against older or unpatched versions of the software. Despite
the fact that the known vulnerabilities are well documented and have been repaired in newer releases,
there remain so many outdated or misconfigured versions still in use today that Sendmail remains one
of the most frequently attacked services. Among the most recent critical vulnerabilities are:
CERT Advisory CA-2003-12 Buffer Overflow in Sendmail
CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
CERT Advisory CA-2003-25 Buffer Overflow in Sendmail
CERT Advisory CA-2003-12 Buffer Overflow in Sendmail gives the following excellent description of a
Sendmail buffer overflow and the danger it poses to network integrity.
This vulnerability is message-oriented as opposed to connection-oriented. That means that the
vulnerability is triggered by the contents of a specially-crafted email message rather than by lower-level
network traffic. This is important because an MTA that does not contain the vulnerability will pass
the malicious message along to other MTAs that may be protected at the network level. In other words,
vulnerable sendmail servers on the interior of a network are still at risk, even if the site's border
MTA uses software other than sendmail. Also, messages capable of exploiting this vulnerability may
pass undetected through many common packet filters or firewalls.
The risks presented by running Sendmail can be grouped into two major categories: privilege escalation
caused by buffer overflows, and improper configuration that allows your machine to be a relay for electronic
mail from any other machine. The former is a problem on any system still running older or unpatched
versions of the software. The latter results from using either improper or default configuration files,
and is a chief obstacle to fighting the proliferation of spam.
Operating Systems Affected
Nearly all UNIX and Linux systems come with a version of Sendmail installed that is enabled and running
by default.
How to Determine if you are Vulnerable
Sendmail has had a large number of vulnerabilities in the past. Do not always trust the version string
returned by the daemon as that is just read from a text file on the system that may not have been updated
properly.
Any outdated or unpatched version of the software is likely to be vulnerable.
To determine the version of Sendmail, use the following command:
echo \$Z | /usr/lib/sendmail -bt -d0
Depending on your system, the path to Sendmail may be different and you have to modify the above
command accordingly to point to the right path.
How to Protect Against It
The following steps should be taken to protect Sendmail:
Upgrade to the latest version and/or implement patches. The source code can be found at http://www.sendmail.org/.
If your version of Sendmail came packaged with your operating system, patches should be available
at your operating system vendor's website (various vendor-specific information, including compile-time
and configuration suggestions, is also available at
http://www.sendmail.org).
Sendmail is typically enabled by default on most UNIX and Linux systems, even those which are
not acting as mail servers or mail relays. Do not run Sendmail in daemon mode (turn off the "-bd"
switch) on these machines. You can still send email from this system by configuring it to point
to a mail relay in the sendmail configuration file, sendmail.cf (which is typically located at /etc/mail/sendmail.cf).
If you must run Sendmail in daemon mode, ensure that your configuration is designed to relay
mail appropriately and only for systems under your purview. See
http://www.sendmail.org/tips/relaying.html
and http://www.sendmail.org/m4/anti_spam.html
for assistance in properly configuring your server. Starting with Sendmail 8.9.0, open relaying
was disabled by default.
When you change to a new version of Sendmail, it is also recommended to change the configuration
files that are provided with that version as older configurations may still allow relaying even
when running the newest code. It is now possible to build a Sendmail configuration file (sendmail.cf)
using the configuration files provided with the Sendmail release. Additional details on Sendmail
configuration can be obtained at
http://www.sendmail.org/m4/readme.html.
When you download the Sendmail distribution you must verify the PGP signature to ensure it is
an authentic copy. Do not use Sendmail without verifying the integrity of the source code. Trojan
copies of Sendmail have existed in the past. Please read the
CERT Advisory
CA-2002-28 Trojan Horse Sendmail Distribution to learn more. Keys used to sign Sendmail distributions
can be obtained at
http://www.sendmail.org/ftp/PGPKEYS. In the absence of PGP, you should use the MD5 checksums
to verify the integrity of the Sendmail source code distribution.
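The last step above, verifying the distribution before building it, is worth automating so it is never skipped. The following is an added example (not code from this page, from SANS or from sendmail.org) that parses a checksum listing in both common layouts ("md5sum" style and the "MD5 (file) = hex" style) and verifies downloaded bytes against it with a constant-time comparison. The file contents and names are constructed stand-ins, not the real Sendmail tarball. Keep in mind the point of CA-2002-28: a checksum fetched from the same server as the tarball only detects corruption, not a trojaned mirror; for that you need the PGP signature, or a checksum obtained through an independent channel.

```python
import hashlib
import hmac
import re


def parse_checksum_listing(text):
    """Map file name -> hex digest from either 'md5sum' output ('<hex>  <file>')
    or BSD/ISC style ('MD5 (<file>) = <hex>'). Other lines are ignored."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bsd = re.match(r"^(?:MD5|SHA256)\s*\((.+)\)\s*=\s*([0-9a-fA-F]+)$", line)
        if bsd:
            expected[bsd.group(1)] = bsd.group(2).lower()
            continue
        gnu = re.match(r"^([0-9a-fA-F]+)\s+\*?(.+)$", line)
        if gnu:
            expected[gnu.group(2)] = gnu.group(1).lower()
    return expected


def verify_download(name, data, listing, algorithm="md5"):
    """True only if the listing names the file and its digest matches the bytes."""
    expected = parse_checksum_listing(listing).get(name)
    if expected is None:
        return False                      # an unlisted file is not "verified"
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time comparison: treat the listing as untrusted input too.
    return hmac.compare_digest(actual, expected)


# Constructed stand-ins (not the real Sendmail tarball or its checksum file).
GENUINE = b"constructed stand-in for sendmail.8.X.Y.tar.gz\n"
TAMPERED = GENUINE + b"# trojaned copy: extra bytes\n"
README = b"constructed stand-in for the README file\n"
LISTING = ("# constructed listing showing both layouts\n"
           "MD5 (sendmail.8.X.Y.tar.gz) = " + hashlib.md5(GENUINE).hexdigest() + "\n"
           + hashlib.md5(README).hexdigest() + "  README\n")

if __name__ == "__main__":
    print("genuine :", verify_download("sendmail.8.X.Y.tar.gz", GENUINE, LISTING))
    print("tampered:", verify_download("sendmail.8.X.Y.tar.gz", TAMPERED, LISTING))
    print("README  :", verify_download("README", README, LISTING))
```

To run it on a real download, read the tarball bytes from disk and paste the vendor's listing into LISTING; switch algorithm to "sha256" when the vendor publishes SHA-256 sums, which you should prefer whenever they are offered.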
The Simple Network Management Protocol (SNMP) is used extensively to remotely monitor and configure
almost all types of modern TCP/IP-enabled devices. While SNMP is rather ubiquitous in its distribution
across networking platforms, it is most often used as a method to configure and manage devices such
as printers, routers, switches, access points, and to provide input for network monitoring services.
SNMP communication consists of messages exchanged between SNMP management stations and network
devices running what is commonly referred to as agent software. Both the way these messages are
decoded and the authentication mechanism that gates them have significant, exploitable
vulnerabilities.
The vulnerabilities in the way SNMP version 1 handles trap and request messages are outlined
in detail in CERT Advisory CA-2002-03. There exists a set of vulnerabilities in the way trap and request
messages are handled and decoded by management stations and agents alike. These vulnerabilities are
not restricted to any specific implementation of SNMP but instead affect a variety of vendors' SNMP
distributions. The result of attackers exploiting these vulnerabilities may range anywhere from denial
of service to unwanted configuration and management of your SNMP-enabled machinery.
The authentication mechanism of older SNMP frameworks also poses a significant vulnerability. SNMP
versions 1 and 2 use an unencrypted "community string" as their only authentication mechanism. Lack
of encryption is bad enough, but the default community string used by the vast majority of SNMP devices
is "public," with a few supposedly clever network equipment vendors changing the string to "private"
for more sensitive information. Attackers can use this vulnerability in SNMP to reconfigure or shut
down devices remotely. Sniffed SNMP traffic can reveal a great deal about the structure of your network
as well as the systems and devices attached to it. Intruders use such information to pick targets and
plan attacks.
Most vendors enable SNMP version 1 by default, and many do not offer products capable of using SNMP
version 3's security models which can be configured to use improved authentication methods. However,
there are freely-available replacements which do provide SNMPv3 support under GPL or BSD licenses.
SNMP is not unique to UNIX; it is extensively used on Windows, in networking equipment, wireless
access points and bridges, printers and embedded devices. But the majority of SNMP-related attacks seen
thus far have occurred on UNIX systems with poor SNMP configurations.
Operating Systems Affected
Nearly all UNIX and Linux systems come with SNMP installed, and often by default it is enabled. Most
other SNMP-enabled network devices and operating systems are also vulnerable.
How to Determine if you are Vulnerable
You can verify whether SNMP is running on network-connected devices by running a scanner or checking
manually.
SNMPing - You can obtain the free SNMPing scanning tool from the SANS Institute by emailing a blank
mail message to snmptool@sans.org. You will get a return message with the URL where you can download
the tool.
SNScan - Foundstone created another easy-to-use SNMP scanning tool called SNScan, which can be obtained
at http://www.foundstone.com/knowledge/free_tools.html.
If you cannot use any of the above tools, verify manually whether SNMP is running on your systems.
Refer to your operating system documentation for how to identify its particular SNMP implementation,
but the basic daemon can usually be found by grepping for "snmp" in the process list or by looking
for services listening on port 161 (agent) or 162 (trap receiver), both normally UDP.
A running SNMP instance is probably sufficient evidence that you are vulnerable to pervasive trap
and request handling errors. Please see CERT Advisory CA-2002-03 for additional information.
If SNMP is running and any of these additional variables are met, you may have a default or easily
guessable string-related vulnerability:
How to Protect Against It
Trap and Request Handling Vulnerabilities:
If you do not absolutely require SNMP, disable it.
Wherever possible, employ an SNMPv3 user-based security model with message authentication and
possibly encryption of the protocol data unit.
If you must use SNMPv1 or v2, make sure you are running the latest patched version from your
vendor. A good starting point in obtaining vendor specific information is Appendix A of CERT Advisory
CA-2002-03.
Filter SNMP (port 161 TCP/UDP and 162 TCP/UDP) at the ingress points to your networks unless
it is absolutely necessary to poll or manage devices externally.
Employ host-based access control on your SNMP agent systems. While this capability may be limited
by SNMP agent operating system capabilities, control of what systems your agents will accept requests
from may be possible. On most UNIX systems this can be accomplished through a TCP-Wrappers or Xinetd
configuration. An agent-based packet filtering firewall on the host can also be used to block unwanted
SNMP requests.
Default and Guessable String-Related Vulnerabilities:
If you do not absolutely require SNMP, disable it.
Wherever possible, employ an SNMPv3 user-based security model with message authentication and
possibly encryption of the protocol data unit.
If you must use SNMPv1 or v2, use the same policy for community names as used for passwords.
Make sure they are difficult to guess or crack and they are changed periodically.
Filter SNMP (port 161 TCP/UDP and 162 TCP/UDP) at the ingress points to your networks unless
it is absolutely necessary to poll or manage devices externally. Then, if possible, configure filtering
to only permit SNMP traffic between trusted subnets.
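The detection and community-string checks above can be done without a full SNMP library. The following Python is an added example, not one of the tools named in the text and not from the SANS document: it hand-builds an SNMPv1 GetRequest for sysDescr.0, sends it with a candidate community string, and decodes the GetResponse. An agent that answers for "public" or "private" has confirmed a default community string. Only the small subset of BER that SNMPv1 needs is implemented; the function names are this example's own, and build_get_response exists solely to construct a reply for offline testing.

```python
import socket

# Added example, not a tool from the SANS text: a minimal SNMPv1 GetRequest
# encoder/decoder so an agent can be probed with candidate community strings
# without a full SNMP library.  Only the subset of BER needed here is handled.

SYS_DESCR = "1.3.6.1.2.1.1.1.0"                     # sysDescr.0: answered by nearly every agent
DEFAULT_COMMUNITIES = ("public", "private")        # the defaults the text warns about

def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _int(value):
    """Non-negative INTEGER with a minimal two's-complement body."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)

def _oid(dotted):
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                                     # base-128, high bit = continuation
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def _message(pdu_tag, community, request_id, varbinds):
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbinds))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1

def build_get_request(community, oid=SYS_DESCR, request_id=1):
    return _message(0xA0, community, request_id, _tlv(0x30, _oid(oid) + _tlv(0x05, b"")))

def build_get_response(community, request_id, values):
    """Constructed agent reply (OCTET STRING values only), used for offline testing."""
    vbs = b"".join(_tlv(0x30, _oid(o) + _tlv(0x04, v.encode())) for o, v in values)
    return _message(0xA2, community, request_id, vbs)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _decode_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43, 0x46):      # INTEGER, Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    if tag == 0x04:
        return body.decode("latin-1")
    if tag == 0x06:
        return _decode_oid(body)
    return None if tag == 0x05 else body

def parse_get_response(packet):
    _, msg, _ = _read_tlv(packet, 0)
    _, _version, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU (tag 0x%02x)" % tag)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    result, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        _, name, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        result.append((_decode_oid(name), _decode_value(vtag, vbody)))
    return {"community": community.decode("latin-1"),
            "request_id": int.from_bytes(rid, "big"),
            "error_status": int.from_bytes(err, "big"),
            "varbinds": result}

def probe(host, community, port=161, timeout=2.0):
    """Send one GetRequest over UDP; return the parsed reply, or None if the agent stays silent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_get_response(data)
```

Because SNMPv1 runs over UDP, a wrong community string normally produces silence rather than an error reply, so probe() distinguishes a timeout (None) from a decoded answer; looping probe() over DEFAULT_COMMUNITIES against each host found on port 161 gives the default-string check the text asks for. The same lack of authentication means the request, community string included, crosses the wire in clear text, which is exactly why sniffed SNMP traffic is so informative to an intruder. Run this only against devices you are authorised to test.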
Description
Secure shell (SSH) is a popular service for securing logins, command execution, and file transfers across
a network. Most UNIX-based systems use either the open-source
OpenSSH package or the commercial
version from SSH Communication Security.
Although SSH is vastly more secure than the telnet, ftp, and R-command programs it is intended to replace,
there have been multiple flaws found in both implementations. Most are minor bugs, but a few are major
security issues that should be repaired immediately. The most dangerous of these actively exploited
holes allows attackers to remotely obtain root access on a vulnerable machine.
It should also be noted that there is a growing use of SSH clients and servers in the Windows environment
and that most of the information in this section applies to both the *nix and Windows implementations
of SSH.
While SSH is presented here as one of the Top 20 vulnerabilities, it is more the case that the mismanagement
of SSH, specifically misconfiguration and the failure to apply updates and patches in a timely manner,
account for its inclusion in this list.
SSH2 is actually a powerful tool that, when properly configured and maintained, can help remediate
many of the other Top 20 vulnerabilities, specifically those that send material in clear text across
untrusted networks like the Internet. Many of the vulnerabilities found in protocols such as POP3, FTP
(replace with SSH2's SFTP), Telnet, HTTP, and the rhosts-based tools (rlogin, rcp, and rsh) involve eavesdropping
on clear-text transmissions or manipulating client-server sessions. This makes the encryption and authentication
key management provided by SSH2, along with its ability to forward or redirect sessions, an attractive
VPN-type wrapper for otherwise vulnerable traffic.
The SSH1 protocol itself has been demonstrated to be potentially vulnerable to having a session decrypted
in transit given certain configurations. For this reason, administrators are encouraged to use the stronger
SSH2 protocol whenever possible.
Note: SSH1 and SSH2 are not compatible. With only a few exceptions, the version of SSH
on both the client and the server must match.
In addition, users of OpenSSH should note that the OpenSSL libraries against which OpenSSH is typically
built have software vulnerabilities of their own. Please see
CERT Advisory
CA-2002-23 for more details. They should also be aware that a trojan-horse version of OpenSSH was
being distributed for a short time in the summer of 2002 (CAN-1999-0661).
Please see http://www.openssh.org/txt/trojan.adv
for details about ensuring that your copy is not affected.
Operating Systems Affected
Any UNIX or Linux system running OpenSSH 3.3 or earlier (version 3.6.1 was released on April 1, 2003),
or SSH Communication Security's SSH 3.0.0 or earlier (3.2.5 was released on June 30, 2003).
How to Determine if you are Vulnerable
Use a vulnerability scanner to see whether you are running a vulnerable version, or check the software
version reported by running the command 'ssh -V'.
The ScanSSH tool is particularly useful for remotely identifying SSH servers that are dangerously
un-patched. The ScanSSH command line tool scans a list of addresses and networks for SSH protocol servers
and reports their version numbers. Written by Niels Provos
and released under the BSD-license, the latest version was released on 2001-11-30
and is available at
http://www.monkey.org/~provos/scanssh/.
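The version check that ScanSSH automates can be reproduced by reading the identification string every SSH server sends before key exchange. The following Python is an added example, not ScanSSH and not from the SANS text: it grabs that banner, recognises OpenSSH's standard "OpenSSH_3.6.1p2" form, and compares the result with the versions listed above as affected (OpenSSH 3.3 and earlier, SSH Communications Security 3.0.0 and earlier). The ssh.com banner form it assumes ("SSH-2.0-3.2.5 SSH Secure Shell") and the sample banners in the test are this example's own assumptions, constructed for illustration.

```python
import re
import socket

# Added example, not ScanSSH and not from the SANS text: read the identification
# string an SSH server sends before key exchange and compare it with the
# versions the text lists as affected.  The OpenSSH banner form "OpenSSH_3.6.1p2"
# is standard; the ssh.com form assumed below ("SSH-2.0-3.2.5 SSH Secure Shell")
# is this example's assumption.  Sample banners used for testing are constructed.

# From the text: OpenSSH 3.3 and earlier, SSH Communications Security 3.0.0 and earlier.
AFFECTED = {"openssh": (3, 3), "ssh.com": (3, 0, 0)}

def version_tuple(s):
    """'3.6.1p2' -> (3, 6, 1); the portable patch level after 'p' is ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError("no version number in %r" % s)
    return tuple(int(x) for x in m.group(1).split("."))

def classify_banner(banner):
    """Describe one identification line: protocol support and whether it is in the affected range."""
    m = re.match(r"SSH-(\d+\.\d+)-(\S+)(?:\s+(.*))?", banner.strip())
    if not m:
        return {"banner": banner, "error": "not an SSH identification string"}
    proto, software, comment = m.group(1), m.group(2), m.group(3) or ""
    info = {"banner": banner.strip(), "protocol": proto, "software": software,
            "v1_only": proto == "1.5",     # 1.99 advertises both protocols, 2.0 only SSH2
            "vulnerable": None}            # None: vendor not recognised, check by hand
    if software.lower().startswith("openssh_"):
        info["vulnerable"] = version_tuple(software.split("_", 1)[1]) <= AFFECTED["openssh"]
    elif "SSH Secure Shell" in comment:
        info["vulnerable"] = version_tuple(software) <= AFFECTED["ssh.com"]
    return info

def grab_banner(host, port=22, timeout=5.0):
    """Connect, read the first line the server sends, and hang up without authenticating."""
    with socket.create_connection((host, port), timeout) as s:
        s.settimeout(timeout)
        data = b""
        while b"\n" not in data and len(data) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            data += chunk
    return data.split(b"\n", 1)[0].decode("ascii", "replace").strip()

def scan(hosts):
    """Banner-grab each host; unreachable hosts are reported, not silently skipped."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify_banner(grab_banner(host))
        except OSError as exc:
            results[host] = {"error": str(exc)}
    return results
```

Servers that announce "SSH-1.5-" speak only protocol 1 and are flagged separately, since the SSH1 weakness described above applies to them regardless of patch level. Treat the result as a first pass: a banner can be edited by the administrator, and a distribution may backport fixes without changing the version string, so confirm with the vendor's patch level before declaring a host clean.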
How to Protect Against It
Upgrade to the most recent version of either
OpenSSH or
SSH. Or if SSH or OpenSSH came
installed with your operating system, retrieve the latest patches from your operating system vendor.
If you use OpenSSL, be sure to use the latest version of those libraries.
Where possible, upgrade from SSH1 to SSH2. SSH1 does not appear to be under further development,
while SSH2 is in active development. Where migration is not possible, begin developing plans and
strategies that will make migration to SSH2 possible.
Both the SSH implementations include a variety of configuration options to restrict what machines
can connect, what users are allowed to authenticate, and via what mechanisms. Administrators should
determine how these options could most appropriately be set for their environment.
Verify that each SSH client is not configured to revert back to the rsh program when connecting
to a server that does not support SSH. The FallBackToRsh key should be set to No in the SSH configuration
file.
Specify blowfish encryption rather than 3DES, which may be the default in your version.
This gives faster operation without reducing the effective encryption strength.
A host providing SSH services must itself be adequately protected otherwise vulnerabilities
that allow the host to be compromised put the SSH service at risk.
The Network File System (NFS) and Network Information Service (NIS) are two important services used
in UNIX networks. NFS is a service originally created by Sun Microsystems that is designed to share
files among UNIX systems over a network. NIS is also a set of services that works as a database service
to provide location information, called Maps, to other network services such as NFS. The most common
examples of these Maps are the passwd and group files which are used to centralize user authentication.
The security problems of both services, reflected in the steady stream of issues discovered over the
years (buffer overflows, denial of service and weak authentication), have made them a frequent target of attack.
Beyond the unpatched services that are still widely deployed, the greater risk is misconfiguration
of NFS and NIS, which readily exposes holes that can be exploited by users locally or remotely.
NIS performs almost no authentication of map queries, so any user who can reach the server can use
a tool such as ypcat, which dumps the contents of a NIS database (map), to retrieve the password map.
NFS has a similar problem: the server implicitly trusts the UID (user ID) and GIDs (group IDs) that the NFS
client presents, and depending on the server configuration this may allow any user to
mount and explore the remote file system.
Operating Systems Affected
Nearly all UNIX and Linux systems come with a version of NFS and NIS installed and often enabled by
default.
How to Determine if you are Vulnerable
The following steps are related to NIS/NFS software vulnerabilities:
Verify that you are current with the patches released by your vendor. For most versions the
command rpc.mountd -version for NFS and ypserv -version for NIS will show the version of both. Any
unpatched or outdated version of the software is likely to be vulnerable.
For software vulnerabilities, a more complete approach would be to use an updated vulnerability
scanner to periodically check your system against new flaws.
The following steps are related to NIS configuration:
Ensure that the root password is not kept in a NIS map.
Check that user passwords comply with your password policy. A password cracker can
be used to accomplish this.
Please Note: Never run a password cracker, even on systems for which you have root-like
access, without explicit and preferably written permission from your employer. Administrators
with the most benevolent of intentions have been fired for running password cracking tools without
authority to do so.
The following steps are related to NFS configuration:
Verify that the hosts, netgroups and permissions in the /etc/exports file are up to date.
Run the command showmount -e to see what is being exported, and check that the exports
comply with your security policy.
How to Protect Against It
The following steps are related to NIS configuration:
On each client, explicitly list the NIS servers to bind to rather than broadcasting for one;
this prevents other systems from masquerading as a NIS server.
When building the DBM maps, enable the YP_SECURE feature so that the server only
answers requests from clients on privileged ports. This is done with the -s switch
of makedbm.
List the trusted hosts and networks in /var/yp/securenets, which is consulted by ypserv and
ypxfrd, and remember to restart those daemons for the change to take effect.
On your NIS clients, make sure the NIS marker line in /etc/passwd reads +:*:0:0::: with an asterisk
in the password field, not +::0:0:::. With an empty password field the marker itself can be
treated as an ordinary account named "+" with uid 0 and no password whenever NIS lookups fail.
The following steps are related to NFS configuration:
Use numeric IP addresses or fully qualified domain names instead of aliases when allowing clients
in the /etc/exports file.
A tool called NFSBug can be used to test the configuration. The tests will include finding world
exported file systems, determining whether export restrictions work, determining whether file systems
can be mounted through the portmapper, trying to guess file handles, and exercising various bugs
to access file systems. ftp://coast.cs.purdue.edu/pub/tools/unix/nfsbug/
Use the /etc/exports file to restrict access to NFS file system by adding parameters:
Prevent normal users from mounting an NFS file system by adding the secure parameter after
the IP address or domain name of your NFS client. The server then rejects requests that do not
originate from a privileged source port (below 1024), which unprivileged user-space NFS clients
cannot use. (e.g.: /home 10.20.1.25(secure) )
Export the NFS file system with appropriate permissions. This could be done by adding the
appropriate permission (ro for Read-only or rw for Read-Write) after the IP address or domain
name of your NFS client in the /etc/exports file. (e.g.: /home 10.20.1.25(ro) )
If possible, use the parameter root_squash after the IP address or domain name of your NFS
client. If this parameter is enabled, the superuser ID root on NFS Client will be replaced by
the user ID nobody in the NFS Server. This means that the root user on the client can't access
or change files that only root on the server can access or change, preventing it from gaining
superuser privileges in the server. (e.g.: /home 10.20.1.25(root_squash) )
A complete set of parameters can be found in the /etc/exports manpage. http://www.netadmintools.com/html/5exports.man.html
On Solaris O.S. make sure to activate the Port Monitoring feature. This can be done by adding
the line set nfssrv:nfs_portmon = 1 on the /etc/system file.
Linux exports are secure by default: requests arriving from a non-privileged source port are rejected unless the export is explicitly marked insecure.
General considerations related to NIS and NFS:
Review your firewall policies and block all unnecessary ports, including port 111 (portmap)
and port 2049 (rpc.nfsd). Note that mountd, lockd and statd normally receive dynamically assigned
ports through the portmapper, so filtering 111 and 2049 alone is not a complete block. Allow
access to the NIS and NFS servers only from authorized clients.
A local measure can also be applied by restricting access through tcp_wrappers, available at
http://sunsite.cnlab-switch.ch/ftp/software/security/security-porcupine.org/. In your /etc/hosts.allow
file state the service and the addresses allowed to use it (e.g. portmap: 10.20.1.1/16
to allow the network 10.20.0.0 to reach the portmap service). Then, in /etc/hosts.deny,
list the services and addresses that are NOT allowed (e.g.: portmap: ALL, which denies every
address not listed in /etc/hosts.allow). Denying access to portmap matters because it is the
service through which NFS clients locate the NFS daemons.
Apply all vendor patches or upgrade your NIS and NFS Servers to the latest version. For more
information about hardening your UNIX installation, see the CERTs
UNIX Security
Checklist.
Disable the NFS and NIS daemons on any system that is not specifically designated and authorized
to be a NFS and/or NIS server. To prevent this change from being reversed, it may be wise to also
remove the NFS and/or NIS software.
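The /etc/exports checks listed above (restricting clients to numeric addresses or FQDNs, read-only where possible, root_squash, the secure port requirement) can be audited mechanically. The following Python is an added example, not NFSBug and not from the SANS text: it parses an exports file in Linux exports(5) syntax, where root_squash and secure are defaults and no_root_squash / insecure switch them off, and reports the risky entries. The sample file is constructed for this example, not taken from any real system.

```python
import ipaddress
import re

# Added example, not NFSBug and not from the SANS text: audit an /etc/exports
# file for the misconfigurations the section describes.  Assumes Linux
# exports(5) syntax, where root_squash and secure are the defaults and
# no_root_squash / insecure are the options that switch them off.

# Constructed sample file, not taken from any real system.
SAMPLE_EXPORTS = """\
# path      client(options)
/home       10.20.1.25(ro,root_squash)
/export     10.20.1.25 (rw)
/data       *(rw,no_root_squash)
/srv        fileserver(rw)
/opt        @trusted(ro)
"""

def parse_exports(text):
    """Yield (path, client, [options]) triples; a bare '(opts)' or a missing client means everyone."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:] or ["*"]
        for spec in clients:
            m = re.match(r"^([^(]*)(?:\((.*)\))?$", spec)
            if not m:
                continue                                   # malformed token, skip it
            host, opts = m.group(1), m.group(2)
            yield path, host or "*", (opts.split(",") if opts else [])

def classify_client(host):
    if host == "*":
        return "world"
    if host.startswith("@"):                               # NIS netgroup
        return "netgroup"
    if "*" in host or "?" in host:
        return "wildcard"
    try:
        ipaddress.ip_network(host, strict=False)           # 10.20.1.25 or 10.20.0.0/16
        return "address"
    except ValueError:
        pass
    return "fqdn" if "." in host else "alias"

def audit_exports(text):
    """Return (path, client, finding) tuples for every risky export."""
    findings = []
    for path, host, opts in parse_exports(text):
        kind = classify_client(host)
        if kind == "world":
            findings.append((path, host, "world"))         # exported to every host
        elif kind in ("wildcard", "alias"):
            findings.append((path, host, kind))            # not a numeric address or FQDN
        for opt in ("no_root_squash", "insecure", "rw"):   # options that relax the defaults
            if opt in opts:
                findings.append((path, host, opt))
    return findings

if __name__ == "__main__":
    for path, host, what in audit_exports(SAMPLE_EXPORTS):
        print("%-10s %-14s %s" % (path, host, what))
```

The /export line in the sample shows a classic mistake the parser deliberately reproduces: a space between the client and the options makes "(rw)" a second client entry, so the directory is exported read-write to the world in addition to 10.20.1.25 with defaults. Compare the audit output with showmount -e on the server; the two should agree.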
The open-source OpenSSL library
is a popular package to add cryptographic security to applications that communicate over the network.
Although Apache is probably the
most well-known use of the package (to support https: connections on port 443), many other programs
have been modified to use OpenSSL for security.
The usual usage of OpenSSL is a toolkit where other applications use OpenSSL to provide cryptographic
security for a connection. As a result, rather than targeting OpenSSL directly, the exploits for the
vulnerabilities will target the application using it. One popular exploit attacks the Apache server's
use of OpenSSL. Just because you are not running Apache with OpenSSL support does not mean you are safe.
A suitable modification of the exploit may be able to attack Sendmail, openldap, CUPS, or any other
OpenSSL using program installed on the target machine.
Multiple vulnerabilities have been found in OpenSSL, of which the most serious are the set of 4 vulnerabilities
listed in
CAN-2002-0655,
CAN-2002-0656,
CAN-2002-0557, and
CAN-2002-0659. These allow the remote execution of arbitrary code as the user of the OpenSSL libraries
(which in some cases, such as 'sendmail', is the 'root' user).
Operating Systems Affected
Any UNIX or Linux system running OpenSSL 0.9.7 or earlier. Note that quite often, OpenSSL is installed
to support some other component. For instance, on a RedHat Linux 9.0 system packages such as Apache,
CUPS, Curl, OpenLDAP, Stunnel, and Sendmail (among others) all use the OpenSSL libraries to secure connections.
How to Determine if you are Vulnerable
Check the output of the command 'openssl version'. If the version isn't 0.9.7a or later, you are vulnerable.
How to Protect Against It
Upgrade to the most recent version of
OpenSSL. If OpenSSL came installed
with your operating system, retrieve the latest patches from your operating system vendor. Note
that in some cases, re-compiling and/or re-linking of applications may be required to enable the
updated libraries. Note that one of the most common usages of OpenSSL is for securing HTTP traffic
over the public Internet for e-commerce where restricting hosts is probably not feasible.
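Two checks follow from the guidance above: confirm the installed OpenSSL is at or past the 0.9.7a floor the text gives, and find out which programs on the host actually link libssl/libcrypto, since each of them (not only Apache) inherits the library's flaws and may need rebuilding or re-linking after an upgrade. The following Python is an added example, not from the SANS text; the sample ldd output is constructed.

```python
import re
import subprocess

# Added example, not from the SANS text: (1) compare `openssl version` output
# against the 0.9.7a floor; (2) find binaries that link libssl/libcrypto via
# ldd, since every one of them inherits the library's vulnerabilities.
# The sample ldd output below is constructed.

MINIMUM = "0.9.7a"

def openssl_version_key(version):
    """'0.9.6g' -> (0, 9, 6, 'g'); the letter suffix sorts after the bare release ('' < 'a')."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def version_ok(output, minimum=MINIMUM):
    """True if the 'openssl version' output names a release at or above `minimum`."""
    m = re.search(r"OpenSSL\s+(\S+)", output)
    if not m:
        raise ValueError("not 'openssl version' output: %r" % output)
    return openssl_version_key(m.group(1)) >= openssl_version_key(minimum)

def ssl_libs_from_ldd(ldd_output):
    """Parse `ldd <binary>` output; return the resolved paths of libssl/libcrypto, if any."""
    libs = []
    for line in ldd_output.splitlines():
        m = re.match(r"\s*(lib(?:ssl|crypto)\S*)\s+=>\s+(\S+)", line)
        if m:
            libs.append(m.group(2))
    return libs

def binaries_using_openssl(paths):
    """Run ldd on each path (live system only); map binary -> OpenSSL libraries it links."""
    result = {}
    for p in paths:
        out = subprocess.run(["ldd", p], capture_output=True, text=True).stdout
        libs = ssl_libs_from_ldd(out)
        if libs:
            result[p] = libs
    return result

# Constructed ldd output for a binary that links OpenSSL (not from a real system).
SAMPLE_LDD = """\
	libssl.so.2 => /lib/libssl.so.2 (0x40021000)
	libcrypto.so.2 => /lib/libcrypto.so.2 (0x40052000)
	libc.so.6 => /lib/libc.so.6 (0x42000000)
"""
```

Feeding binaries_using_openssl() the contents of /usr/sbin and /usr/bin gives the list of programs to restart or rebuild after the library upgrade; a statically linked binary will not show up in ldd and has to be rebuilt regardless.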
AndrewFlagg writes: When it comes to
using strong username and passwords for administrative purposes let alone customer facing
portals, Equifax appears to have dropped the ball. Equifax used the word "admin"
as both password and username for a portal that contained sensitive information, according
to a class action lawsuit filed in federal court in the Northern District of Georgia. The
ongoing lawsuit, filed after the breach, went viral on Twitter Friday after Buzzfeed reporter
Jane Lytvynenko came across the detail. "Equifax employed the username 'admin' and the password
'admin' to protect a portal used to manage credit disputes, a password that 'is a surefire way
to get hacked,'" the lawsuit reads. The lawsuit also notes that Equifax admitted using
unencrypted servers to store the sensitive personal information and had it as a public-facing
website. When Equifax, one of the three largest consumer credit reporting agencies, did encrypt
data, the lawsuit alleges, "it left the keys to unlocking the encryption on the same
public-facing servers, making it easy to remove the encryption from the data." The class-action
suit consolidated 373 previous lawsuits into one. Unlike other lawsuits against Equifax, these
don't come from wronged consumers, but rather shareholders that allege the company didn't
adequately disclose risks or its security practices.
"... the function which converts user id into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of root user. ..."
The vulnerability, tracked as CVE-2019-14287 and discovered by Joe Vennix of Apple
Information Security, is more concerning because the sudo utility has been designed to let
users use their own login password to execute commands as a different user without requiring
their password.
What's more interesting is that this flaw can be exploited by an attacker to
run commands as root just by specifying the user ID "-1" or "4294967295."
That's because the function which
converts user id into its username incorrectly treats -1, or its unsigned equivalent
4294967295, as 0, which is always the user ID of root user.
The vulnerability affects all Sudo versions prior to the latest released version 1.8.28,
which has been released today.
If
you have been blessed with the power to run commands as ANY user you want, then you are still
specially privileged, even though you are not fully privileged.
It's a rare/unusual configuration to say (all, !root) --- the people using this configuration
on their systems should probably KNOW there are going to exist some ways that access can be
abused to ultimately circumvent the intended !root rule - If not within sudo itself, then by
using sudo to get a shell as a different user UID that belongs to some person or program who
DOES have root permissions, and then causing crafted code to run as that user --- For example,
by installing a
Trojanned version of the screen command and modifying files in the home directory of a
legitimate root user to alias the screen command to trojanned version that will log the
password the next time that Other user logs in normally and uses the sudo command.
Escort Wagon (326346):
/etc/sudoers at all - and therefore can't
exploit this bug. And in the simplest configuration (what you're referring to, I imagine),
people who are in /etc/sudoers will have root access already - rendering
this bug pointless for them.
However (assuming I've interpreted this correctly) if you've
given someone only limited sudo permissions, this bug can be exploited by those users to
basically get full root access.
I'm not sure how common that sort of limited sudo access is used, though. I haven't seen
it first hand, but then I've never worked as part of a large group of admins.
Or read TFS carefully. What the bug does is allow someone to choose root as
the uid - even if noroot is set. That doesn't have anything to do with the
password check, and doesn't bypass the password check.
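The bug class discussed in the excerpt and the comments above, as an added illustration in Python that is not sudo's own code: a runas policy of (ALL, !root) that is evaluated on the requested user id, while the privilege-dropping step interprets the same value differently. The passwd table, rule format and function names are hypothetical; the convention that -1 (or its unsigned twin 4294967295) means "leave this id unchanged" is that of setresuid(2), and the range check in the hardened version mirrors what the fix in sudo 1.8.28 does by refusing that id as invalid.

```python
# Added illustration, not sudo's source: the bug class behind CVE-2019-14287,
# modelled as a runas policy check and a privilege-dropping step that disagree
# about what user id -1 means.  The passwd table, rule format and function
# names are hypothetical; the -1 / 4294967295 "leave unchanged" convention is
# that of setresuid(2), and the range check mirrors the fix in sudo 1.8.28.

UID_MAX = 2**32 - 1                                  # uid_t is unsigned 32-bit
USERS = {"root": 0, "alice": 1000, "bob": 1001}     # constructed passwd entries

def parse_runas(arg):
    """The -u argument: a user name, or '#<number>' for a raw uid, as sudo accepts it."""
    if arg.startswith("#"):
        return int(arg[1:])          # int("-1") == -1: nothing rejects it yet
    if arg not in USERS:
        raise KeyError("unknown user %r" % arg)
    return USERS[arg]

def vulnerable_runas_allowed(arg, denied=("root",)):
    """Policy '(ALL, !root)' evaluated numerically: -1 and 4294967295 are not 0, so they pass."""
    return parse_runas(arg) not in {USERS[name] for name in denied}

def hardened_runas_allowed(arg, denied=("root",)):
    """Same policy, but a uid outside [0, UID_MAX) is refused before policy is consulted."""
    uid = parse_runas(arg)
    if uid < 0 or uid >= UID_MAX:
        return False
    return uid not in {USERS[name] for name in denied}

def effective_uid_after_setuid(current_uid, requested_uid):
    """Model of setresuid(): -1 (or its unsigned twin) means 'do not change this id'."""
    if requested_uid in (-1, UID_MAX):
        return current_uid
    return requested_uid

def simulate(arg, policy_check):
    """Uid a root-owned sudo would actually run the command as, or None if the policy denies it."""
    if not policy_check(arg):
        return None
    return effective_uid_after_setuid(0, parse_runas(arg))
```

simulate("#-1", vulnerable_runas_allowed) models the command line the excerpt describes, sudo -u#-1 <cmd>: the policy sees a uid that is not root and lets it through, and the process then keeps the uid it already had, which for a setuid-root sudo is 0. The general lesson is that a deny rule and the operation it guards must agree on one canonical representation of the subject, with out-of-range and sentinel values rejected before either sees them.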
"... a) detected the DNC server hack, but failed to stop it b) falsely accused the Russians of hacking Ukrainian artillery c) failed to prevent the NRCC from being hacked, even though that was why they were hired ..."
"... In other words, Crowdstrike is really bad at their job. In addition, Crowdstrike is really bad at business too. CrowdStrike recorded a net loss last year of $140 million on revenue of $249.8 million, and negative free cash flow of roughly $59 million. ..."
a) detected the DNC server hack, but failed to stop it
b) falsely
accused the Russians of hacking Ukrainian artillery
c) failed to prevent the NRCC from being hacked, even though that was why they were
hired
In other words, Crowdstrike is really bad at their job. In addition, Crowdstrike is
really bad at business
too. CrowdStrike recorded a net loss last year of $140 million on revenue of $249.8 million,
and negative free cash flow of roughly $59 million.
So what does a cybersecurity company that is hemorrhaging money and can't protect its
clients do? It does an IPO
.
It just goes to show that "getting it right" is not the same thing as "doing a good job." If
you tell the right people what they want to hear, the money will take care of itself.
It's all about making the people at the top feel smart for having hired you and assuring
them they don't need to waste their beautiful minds trying to understand what it is you do.
Whoops, you got hacked? Gee, nothing we could have done. More money please!
"... The Word documents published in June 2016 by Guccifer 2 also show a "last saved as" user id written in Cyrillic. The Anglicized name is " Felix Edmundovich ", aka "Iron Felix" (the infamous director of an early Soviet spy agency). If you are a Russian cyber spy trying to conduct a covert operation, why do you sign your document with the name of one of the most infamous leaders of Russian intelligence? Robert Mueller wants you to believe that this was just Russian audacity. ..."
"... The phrase "personal beliefs about the competence or incompetence of the Russians" catches something important. Whether it was the Russians or somebody else that did this, whoever did it was pretty sloppy. What this report describes is almost as pathetic when considered a false flag operation as it is as a sabotage operation. So any theory of who stole and published the documents has to explain a capability to access the data combined with blissful obliviousness about handling them. I know of no reason to think the Russian, US, Israeli, or other intelligence communities incapable of such a combination. All of them have brilliant dedicated people but also seemingly endless supplies of mediocre time-servers. ..."
"... Scenario? Shutdown, closing of words with documents being automatically saved? Ok, otherwise there is apparently no precise saving time stamp on Winwords latest version. How much changed since 2016? ..."
"... The Vault7 leak of CIA tools also contained information on how to select any language environment. It's really a standard practice, even for normal criminals. ..."
Russia did not hack the DNC. This is not an opinion. It is a conclusion that flows from one
very specific claim made by the Special Counsel -- i.e., Guccifer 2.0 was a fictional identity
created by Russian Military Intelligence, the GRU. If Guccifer was in fact a creation or
creature of the GRU, then the forensic evidence should show that this entity was operating from
Russia or under the direct control of the GRU. The forensic evidence shows something quite
different -- the meta data in the Guccifer 2.0 documents were manipulated deliberately to plant
Russian fingerprints. This was not an accident nor an oversight due to carelessness.
What is meta data? This is the information recorded when a document is created. This data
includes things such as the date and time the document was created or modified. It tells you
who created the document. It is like the Wizard of Oz, it is the information behind the
curtain.
Special Counsel Robert Mueller is correct in stating that Guccifer 2.0 was a "fictitious
online persona." He is wrong in attributing that action to Russian Military Intelligence.
While Guccifer 2.0 was a "fictitious" entity, the information recorded about when, how and who
created the document shows that deliberate choices were made to present the info as if it was
created by someone Russian.
Let us first stipulate and agree that Russia and the United States engage in cyber espionage
and covert action against each other. This has been the case since computers and the internet
came into existence. Within the U.S. Intelligence Community these activities generally are
labeled with the acronym, CNO -- Computer Network Operations. The Russians and the United
States have cadres of cyber "warriors" who sit at computer terminals and engage in operations
commonly known as hacking. Other countries, such as China, Iran and Ukraine do this as
well.
CNOs are classified at the highest level in the United States and normally are handled
within special restricted categories commonly known as SAPs (i.e, Special Access Programs). A
critical element of these kinds of operations is to avoid leaving any fingerprints or clues
that would enable the activity to be traced back to the United States. But this is not unique
to the United States. All professional intelligence services around the world understand and
practice this principle -- leave no evidence behind that proves you were there.
The case implicating Russia in the hack of the DNC and Clinton emails, including those of
her campaign Manager, John Podesta, rests on suspect forensic computer evidence -- is present
in the meta data in the documents posted on line by Guccifer 2.0. According to Disobedient
Media , "the files that Guccifer 2.0 initially pushed to reporters contain Russian
metadata, a Russian stylesheet entry and in some cases embedded Russian error messages."
Why would the Russians make such a mistake, especially in such a high stake operation
(targeting a national election with covert action most certainly is a high stake operation).
Mueller and the U.S. intelligence community want you to believe that the Russians are just
sloppy and careless buffoons. Those ideologically opposed to the Russians readily embrace this
nonsense. But for those who actually have dealt with Russian civilian and military
intelligence operatives and operations, the Russians are sophisticated and cautious.
But we do not have to rely on our personal beliefs about the competence or incompetence of
the Russians. We simply need to look at the forensic evidence contained in the documents posted
by Guccifer 2.0. We will take Robert Mueller and his investigators at their word:
Beginning in or around June 2016, the Conspirators staged and released tens of thousands
of the stolen emails and documents. They did so using fictitious online personas, including
"DCLeaks" and "Guccifer 2.0." (p. 2-3)
The Conspirators also used the Guccifer 2.0 persona to release additional stolen
documents through a website maintained by an organization ("Organization 1") [aka WIKILEAKS],
that had previously posted documents stolen from U.S. persons, entities, and the U.S.
government. (p. 3)
Between in or around June 2016 and October 2016, the Conspirators used Guccifer 2.0 to
release documents through WordPress that they had stolen from the DCCC and DNC. The
Conspirators, posing as Guccifer 2.0, also shared stolen documents with certain individuals.
(p. 15)
An examination of those documents tells a very different story. While it does not reveal who
or what was Guccifer 2.0, it does undermine Mueller's claim that it was the Russians who did
these dastardly deeds.
One independent forensic computer investigator, who uses the name, "The Forensicator,"
examined the meta data in some of the documents posted by Guccifer 2.0 and
discovered the following :
Guccifer 2.0 published a file on 13 September 2016 that was originally copied on 5 July 2016
at approximately 6:45 PM Eastern time. It was copied and appeared as the "NGP VAN" 7zip
file.
The estimated speed of transfer was 23 MB/s. This means that this initial data transfer
could have been done remotely over the Internet. Instead, it was likely done from a computer
system that had direct access to the data. "By "direct access" we mean that the individual who
was collecting the data either had physical access to the computer where the data was stored,
or the data was copied over a local high-speed network (LAN)."
This initial copying activity was done on a system that used Eastern Daylight Time (EDT)
settings and was likely initially copied to a computer running Linux, because the file last
modified times all reflect the apparent time of the copy, which is a characteristic of the
Linux 'cp' command (using default options).
On September 1, 2016, a subset of the initial large collection of DNC related content (the
so-called NGP/VAN data), was transferred to working directories on a system running Windows.
The .rar files included in the final 7zip file were built from those working directories.
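The transfer-rate estimate described above, as an added example that is not The Forensicator's code or the page's: given the sizes and last-modified times of archive members, it splits them into continuous runs, computes bytes written per elapsed second, and checks whether the timestamps cluster the way a copy that does not preserve them leaves behind. The archive listing is constructed; only the EDT setting and the 23 MB/s figure come from the passage.

```python
"""Estimate the copy throughput implied by the timestamps inside an archive.

Added example, not code from the page or from The Forensicator. It models the
reasoning above: when a plain `cp -r` (default options) writes each file, the
file's last-modified time becomes the moment it was written, so the spread of
mtimes across the archive members records the progress of the copy, and the
bytes written per elapsed second estimate the copy rate. The member listing at
the bottom is constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EDT = timezone(timedelta(hours=-4))  # Eastern Daylight Time, as in the passage


@dataclass(frozen=True)
class Member:
    path: str
    size: int          # bytes
    mtime: datetime    # last-modified time recorded in the archive (tz-aware)


def bursts(members, gap=timedelta(seconds=30)):
    """Sort members by mtime and split them where the copy paused for more
    than `gap`. Throughput is only meaningful within a continuous run, so it is
    estimated per run rather than across the whole listing."""
    ordered = sorted(members, key=lambda m: m.mtime)
    runs, current = [], [ordered[0]]
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.mtime - prev.mtime > gap:
            runs.append(current)
            current = []
        current.append(cur)
    runs.append(current)
    return runs


def rate_mb_per_s(run):
    """Bytes written between the first and last mtime of a run, divided by
    that interval. The first member's own write finished at its mtime, so its
    bytes fall before the interval and are excluded; the estimate is therefore
    a lower bound. Returns None when a run has too little data to time."""
    if len(run) < 2:
        return None
    span = (run[-1].mtime - run[0].mtime).total_seconds()
    if span <= 0:
        return None
    payload = sum(m.size for m in run[1:])
    return payload / span / 1_000_000


def timestamps_look_rewritten(run, window=timedelta(hours=1)):
    """True when every mtime in the run falls inside `window`. Originals written
    over months or years would not cluster like that; a tight cluster is what
    a copy that does not preserve timestamps leaves behind."""
    return run[-1].mtime - run[0].mtime <= window


def summarize(members):
    """Per-run throughput, in the units used on the page (MB/s)."""
    return [
        {
            "start": run[0].mtime.isoformat(),
            "files": len(run),
            "rate_mb_s": rate_mb_per_s(run),
            "clustered": timestamps_look_rewritten(run),
        }
        for run in bursts(members)
    ]


# Constructed listing: four members written in one ten-second run on the
# evening of 5 July 2016 EDT (sized so the run works out to 23 MB/s, the figure
# quoted above), plus one stray file two hours later that forms its own run.
_T0 = datetime(2016, 7, 5, 18, 45, 0, tzinfo=EDT)
SAMPLE = [
    Member("dnc/finance/q2.pdf",      50_000_000, _T0),
    Member("dnc/finance/donors.xlsx", 80_000_000, _T0 + timedelta(seconds=4)),
    Member("dnc/research/memo.docx",  60_000_000, _T0 + timedelta(seconds=7)),
    Member("dnc/research/pack.zip",   90_000_000, _T0 + timedelta(seconds=10)),
    Member("dnc/readme.txt",                1_000, _T0 + timedelta(hours=2)),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

The estimate says nothing about who did the copying; it only bounds how fast the bytes moved, which is why the passage pairs it with the timestamp-clustering observation.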
The alleged Russian fingerprints appeared in the first document "leaked" by Guccifer 2.0,
1.doc, which was a report on Donald Trump. A forensic examination of
the documents shows that, given the word processor program used to create the Donald Trump
document released by Guccifer 2.0, the author consciously and purposefully used formats that
deliberately inserted "Russian fingerprints" into the document. In other words, the metadata
was purposely altered, and documents were pasted into a 'Russianified' Word document with
Russian language settings and style headings.
Here are the key facts:
The metadata shows that Slate_-_Domestic_-_USDA_-_2008-12-20.doc was the template
for creating 1.doc, 2.doc and 3.doc. This template injected "Warren
Flood" as the author value and "GSA" as the company value in those first three Word documents.
This template also injected the title, the watermark and header/footer fields found in the
final documents (with slight modifications).
The Word documents published in June 2016 by Guccifer 2 also show a "last saved as" user id
written in Cyrillic. The Anglicized name is "Felix Edmundovich", aka
"Iron Felix" (the infamous director of an early Soviet spy agency). If you are a Russian cyber
spy trying to conduct a covert operation, why do you sign your document with the name of one of
the most infamous leaders of Russian intelligence? Robert Mueller wants you to believe that
this was just Russian audacity.
But the metadata tells a different story. When we examine the Revision Session Identifiers,
aka RSIDs, in the Guccifer documents, we see the same Russian style-headings in 1.doc, 2.doc
and 3.doc. The document creation timestamps on docs 1, 2 and 3 are also all identical.
Given that MS Word assigns a new random RSID with each save when an element is added or
edited (this function allows one to track changes made to a Word document), the only way to
obtain identical creation timestamps is that someone either directly edited the source
document or that there was one empty document open and that individual documents were
copy-pasted and saved-as (1.doc), then contents deleted and new doc pasted and saved-as
(2.doc), etc. This process also explains the identical style-sheet RSIDs.
The document creation timestamps on docs 1, 2 and 3 also are all identical.
Curious, no doubt. But who of us did not consider Guccifer 2 curious. Put another way,
what experts considered him solid proof for Russian involvement?
Are you suggesting Winword templates were used for the metadata?
As IT nitwit, how can I save three *doc files or their 2016 word equivalent at the same
time? Any way to do that? Windows doesn't seem to have a solution to that.
Again: This is a nitwit user asking a question.
*******
I admittedly am not overly motivated to read the Mueller report. I'll read your contribution
again to figure out what you may suggest in or between the lines.
The phrase "personal beliefs about the competence or incompetence of the Russians" catches
something important. Whether it was the Russians or somebody else that did this, whoever did
it was pretty sloppy. What this report describes is almost as pathetic when considered a
false flag operation as it is as a sabotage operation. So any theory of who stole and
published the documents has to explain a capability to access the data combined with blissful
obliviousness about handling them. I know of no reason to think the Russian, US, Israeli, or
other intelligence communities incapable of such a combination. All of them have brilliant
dedicated people but also seemingly endless supplies of mediocre time-servers.
Equally interesting is the fact that this analysis has come from such a private source.
Surely all the major intelligence agencies have the skill to find the same indicators. And
all have comparatively endless resources to apply to the analysis. But they all seem to not
want to talk about it. For me the most suspicious thing about the handling of the theft was
the FBI's near complete lack of interest in examining the server. I have always assumed that
such indifference reflected that they already had all they needed in order to understand what
happened. Maybe even watched the theft in real time. But this report demonstrates that you
didn't need any special access to blow up the official story. (Note that the official story
may be "true". It is just not proven by the cited evidence.)
Yet, whatever actually happened, nobody seems interested in challenging the narrative that
Russians stole data and routed it through useful idiots to influence the 2016 elections. This
report indicates that a persuasive challenge would not have been hard to produce.
Perhaps the false flag was intentionally clumsy, intended to be detected. Bait for a trap
that no one wants to fall into. But I don't see where that thought leads.
This can be discovered by looking at things called 'rsid's or Revision Session
Identifiers in Guccifer's document. In order to track changes, MS word assigns a new random
'rsid' with each save upon each element added or edited. The rsids for the Russian
style-headings in 1.doc, 2.doc and 3.doc are all the same (styrsid11758497 in the raw
source).
Moreover, the document creation timestamps on 1,2, and 3.docs are all identical too.
This might imply there was one empty document open, with individual documents being
copy-pasted and saved-as (1.doc), then contents deleted and new doc pasted and saved-as
(2.doc), etc. This is the only way to go about obtaining identical creation timestamps short
of direct editing of the source, and would also explain identical style-sheet RSIDs.
Scenario? Shutdown, closing of words with documents being automatically saved? Ok,
otherwise there is apparently no precise saving time stamp on Winwords latest version. How
much changed since 2016?
Empty doc open? What would that change?
But good to see that Winword now integrated some type of automatic saving option, didn't
have it when I gave it up and shifted to Open Office. On the other hand, can I trust it to not confront me with an earlier revision version? I
admittedly asked myself lately. In a 200 page file, mind you.
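The RSID comparison described in the passage quoted above (and in the "key facts" earlier on the page), as an added example that is not code from the page or from any poster: it pulls stylesheet RSIDs, the revision-session table, language codes and the creation time out of RTF sources and reports which of them are identical across a set of documents. The three RTF snippets are constructed for this example; only the RSID value 11758497 is taken from the page.

```python
"""Compare Word metadata artifacts across a set of RTF documents.

Added example, not code from the page or from any poster. It implements the
comparison the passages above describe: extract revision-session identifiers
(RSIDs), stylesheet RSIDs, language settings and the creation time from RTF
sources, then check which are identical in every document. Identical values
show that the files passed through the same editing session or template; as
the discussion on the page notes, they do not identify who ran that session.
"""
import re
from datetime import datetime

# Standard RTF control words: \styrsidN on a stylesheet entry, \rsidN inside
# the {\*\rsidtbl ...} group, \deflangN / \langN language codes, and
# \creatim\yrY\moM\dyD\hrH\minM inside the {\info ...} group.
STYRSID = re.compile(r"\\styrsid(\d+)")
RSIDTBL = re.compile(r"\{\\\*\\rsidtbl([^}]*)\}")
RSID = re.compile(r"\\rsid(\d+)")
LANG = re.compile(r"\\(?:def)?lang(\d+)")
CREATIM = re.compile(r"\\creatim\\yr(\d+)\\mo(\d+)\\dy(\d+)\\hr(\d+)\\min(\d+)")


def extract(rtf):
    """Artifacts of one document. Missing items come back empty/None rather
    than raising, so a document without an rsid table still compares."""
    m = CREATIM.search(rtf)
    created = datetime(*map(int, m.groups())) if m else None
    tbl = RSIDTBL.search(rtf)
    return {
        "style_rsids": set(STYRSID.findall(rtf)),
        "session_rsids": set(RSID.findall(tbl.group(1))) if tbl else set(),
        "langs": set(LANG.findall(rtf)),
        "created": created,
    }


def compare(docs):
    """docs: mapping name -> RTF source (non-empty). Returns the artifacts that
    are identical in every document, which is what the RSID argument rests on."""
    arts = {name: extract(src) for name, src in docs.items()}
    values = list(arts.values())
    shared_style = set.intersection(*(a["style_rsids"] for a in values))
    shared_session = set.intersection(*(a["session_rsids"] for a in values))
    created = {a["created"] for a in values}
    return {
        "shared_style_rsids": shared_style,
        "shared_session_rsids": shared_session,
        "identical_creation_time": len(created) == 1 and None not in created,
        "creation_time": created.pop() if len(created) == 1 else None,
        "langs": {name: a["langs"] for name, a in arts.items()},
    }


def _constructed_rtf(body, own_rsid):
    """Build a minimal RTF document for this example. Each document gets its
    own insertion RSID but shares the stylesheet RSID, the rsid-table entry and
    the creation time, mirroring the pattern described on the page. The Russian
    LCID 1049 is a real Windows language code; the body text is made up."""
    return (
        r"{\rtf1\ansi\deflang1049"
        r"{\stylesheet{\s1\b\lang1049\styrsid11758497 heading 1;}}"
        r"{\*\rsidtbl \rsid11758497\rsid" + own_rsid + "}"
        r"{\info{\creatim\yr2016\mo6\dy15\hr13\min38}}"
        r"\pard\s1\insrsid" + own_rsid + " " + body + "\\par}"
    )


# Constructed sample: three documents saved from one open session.
SAMPLE = {
    "1.doc": _constructed_rtf("Report on the first subject", "8812032"),
    "2.doc": _constructed_rtf("Second pasted document", "9240119"),
    "3.doc": _constructed_rtf("Third pasted document", "7735501"),
}

if __name__ == "__main__":
    for key, value in compare(SAMPLE).items():
        print(f"{key}: {value}")
```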
As someone with a little bit of experience in that area I can assure you that language
metadata artifacts are practically worthless for attribution. You would mention it in a
report, but from it you can only conclude that
either the creator was an amateur and used his own language environment
or actually selected this particular language environment, either by running a - in this
case - Russian copy of Office, or by changing the metadata manually.
or he used his own language environment because he doesn't care, and because he knows that
this information is worthless for any forensics expert.
The Vault7 leak of CIA tools also contained information on how to select any language
environment. It's really a standard practice, even for normal criminals.
Attribution is really hard and usually amounts to a lot of guessing who might be interested
in the target of an attack, correlating information from other campaigns, and is only rarely
based on hard evidence. Big state actors probably can do a little bit better when they have
access to enough network taps. But in the end one bit looks like any other, and properties of
static documents can always be forged and made to look real. Or simply buy a copy of MS
Office.
The document creation timestamps on docs 1, 2 and 3 also are all identical.
Ok doc creation times. Could one create a WinWord Macro? That does exactly that. ok, why
would one do this? True. Minor detail, I know. But I see we have experts around now.
*******
More generally. Guccifer 2.0 was a bit of an odd occurrence, not least due to US intelligence
considering Guccifer one or zero, if you like.
"... John Pilger, among few others, has already stressed how a plan to destroy WikiLeaks and Julian Assange was laid out as far back as 2008 – at the tail end of the Cheney regime – concocted by the Pentagon's shady Cyber Counter-Intelligence Assessments Branch. ..."
"... But it was only in 2017, in the Trump era, that the Deep State went totally ballistic; that's when WikiLeaks published the Vault 7 files – detailing the CIA's vast hacking/cyber espionage repertoire. ..."
"... This was the CIA as a Naked Emperor like never before – including the dodgy overseeing ops of the Center for Cyber Intelligence, an ultra-secret NSA counterpart. ..."
"... The monolithic narrative by the Deep State faction aligned with the Clinton machine was that "the Russians" hacked the DNC servers. Assange was always adamant; that was not the work of a state actor – and he could prove it technically. ..."
"... The DoJ wanted a deal – and they did make an offer to WikiLeaks. But then FBI director James Comey killed it. The question is why. ..."
"... Some theoretically sound reconstructions of Comey's move are available. But the key fact is Comey already knew – via his close connections to the top of the DNC – that this was not a hack; it was a leak. ..."
"... Ambassador Craig Murray has stressed, over and over again (see here ) how the DNC/Podesta files published by WikiLeaks came from two different US sources; one from within the DNC and the other from within US intel. ..."
"... The release by WikiLeaks in April 2017 of the malware mechanisms inbuilt in "Grasshopper" and the "Marble Framework" was indeed a bombshell. This is how the CIA inserts foreign language strings in source code to disguise them as originating from Russia, from Iran, or from China. The inestimable Ray McGovern, a VIPS member, stressed how Marble Framework "destroys this story about Russian hacking." ..."
"... No wonder then CIA director Mike Pompeo accused WikiLeaks of being a "non-state hostile intelligence agency" ..."
"... Joshua Schulte, the alleged leaker of Vault 7, has not faced a US court yet. There's no question he will be offered a deal by the USG if he agrees to testify against Julian Assange. ..."
"... George Galloway has a guest who explains it all https://www.youtube.com/watch?v=7VvPFMyPvHM&t=8s ..."
"... Escobar is brain dead if he can't figure out that Trumpenstein is totally on board with destroying Assange. As if bringing on pukes like PompAss, BoltON, and Abrams doesn't scream it. ..."
The Made-by-FBI indictment of
Julian Assange does look like a dead man walking. No evidence. No documents. No surefire
testimony. Just a crossfire of conditionals...
But never underestimate the legalese contortionism of US government (USG) functionaries. As
much as Assange may not be characterized as a journalist and publisher, the thrust of the
affidavit is to accuse him of conspiring to commit espionage.
In fact the charge is not even that Assange hacked a USG computer and obtained classified
information; it's that he may have discussed it with Chelsea Manning and may have had the
intention to go for a hack. Orwellian-style thought crime charges don't get any better than
that. Now the only thing missing is an AI software to detect them.
Assange legal adviser Geoffrey Robertson – who also happens to represent another
stellar political prisoner, Brazil's Lula – cut
straight to the chase (at 19:22 minutes):
"The justice he is facing is justice, or injustice, in America I would hope the British
judges would have enough belief in freedom of information to throw out the extradition
request."
That's far from a done deal. Thus the inevitable consequence; Assange's legal team is
getting ready to prove, no holds barred, in a British court, that this USG indictment for
conspiracy to commit computer hacking is just an hors d'oeuvre for subsequent espionage
charges, in case Assange is extradited to US soil.
All about Vault 7
John Pilger, among few others, has already stressed how a plan to
destroy WikiLeaks and Julian Assange was laid out as far back as 2008 – at the tail end
of the Cheney regime – concocted by the Pentagon's shady Cyber Counter-Intelligence
Assessments Branch.
It was all about criminalizing WikiLeaks and personally smearing Assange, using "shock
troops enlisted in the media -- those who are meant to keep the record straight and tell us the
truth."
This plan remains more than active – considering how Assange's arrest has been covered
by the bulk of US/UK mainstream media.
By 2012, already in the Obama era, WikiLeaks detailed the astonishing "scale of the US Grand
Jury Investigation" of itself. The USG always denied such a grand jury existed.
"The US Government has stood up and coordinated a joint interagency criminal investigation
of Wikileaks comprised of a partnership between the Department of Defense (DOD) including:
CENTCOM; SOUTHCOM; the Defense Intelligence Agency (DIA); Defense Information Systems Agency
(DISA); Headquarters Department of the Army (HQDA); US Army Criminal Investigation Division
(CID) for USFI (US Forces Iraq) and 1st Armored Division (AD); US Army Computer Crimes
Investigative Unit (CCIU); 2nd Army (US Army Cyber Command); Within that or in addition,
three military intelligence investigations were conducted. Department of Justice (DOJ) Grand
Jury and the Federal Bureau of Investigation (FBI), Department of State (DOS) and Diplomatic
Security Service (DSS). In addition, Wikileaks has been investigated by the Office of the
Director of National Intelligence (ODNI), Office of the National CounterIntelligence
Executive (ONCIX), the Central Intelligence Agency (CIA); the House Oversight Committee; the
National Security Staff Interagency Committee, and the PIAB (President's Intelligence
Advisory Board)."
But it was only in 2017, in the Trump era, that the Deep State went totally ballistic;
that's when WikiLeaks published the Vault 7 files – detailing the CIA's vast
hacking/cyber espionage repertoire.
This was the CIA as a Naked Emperor like never before – including the dodgy
overseeing ops of the Center for Cyber Intelligence, an ultra-secret NSA counterpart.
WikiLeaks got Vault 7 in early 2017. At the time WikiLeaks had already published the DNC
files – which the unimpeachable Veteran Intelligence Professionals for Sanity (VIPS)
systematically proved was a leak, not a hack.
The monolithic narrative by the Deep State faction aligned with the Clinton machine was
that "the Russians" hacked the DNC servers. Assange was always adamant; that was not the work
of a state actor – and he could prove it technically.
There was some movement towards a deal, brokered by one of Assange's lawyers; WikiLeaks
would not publish the most damning Vault 7 information in exchange for Assange's safe passage
to be interviewed by the US Department of Justice (DoJ).
The DoJ wanted a deal – and they did make an offer to WikiLeaks. But then FBI
director James Comey killed it. The question is why.
It's a leak, not a hack
Some theoretically sound
reconstructions of Comey's move are available. But the key fact is Comey already knew
– via his close connections to the top of the DNC – that this was not a hack; it
was a leak.
Ambassador Craig Murray has stressed, over and over again (see here) how the DNC/Podesta
files published by WikiLeaks came from two different US sources;
one from within the DNC and the other from within US intel.
There was nothing for Comey to "investigate". Or there would have, if Comey had ordered the
FBI to examine the DNC servers. So why talk to Julian Assange?
The release by WikiLeaks in April 2017 of the malware mechanisms inbuilt in
"Grasshopper" and the "Marble Framework" was indeed a bombshell. This is how the CIA inserts
foreign language strings in source code to disguise them as originating from Russia, from Iran,
or from China. The inestimable Ray McGovern, a VIPS member, stressed how Marble Framework
"destroys this story about Russian hacking."
No wonder then CIA director Mike Pompeo accused WikiLeaks of being a "non-state hostile
intelligence agency", usually manipulated by Russia.
Joshua Schulte, the alleged leaker of Vault 7,
has not faced a US court yet. There's no question he will be offered a deal by the USG if he
agrees to testify against Julian Assange.
It's a long and winding road, to be traversed in at least two years, if Julian Assange is
ever to be extradited to the US. Two things for the moment are already crystal clear. The USG
is obsessed to shut down WikiLeaks once and for all. And because of that, Julian Assange will
never get a fair trial in the "so-called 'Espionage Court'" of the Eastern District of
Virginia, as
detailed by former CIA counterterrorism officer and whistleblower John Kiriakou.
Meanwhile, the non-stop demonization of Julian Assange will proceed unabated, faithful to
guidelines established over a decade ago. Assange is even accused of being a US intel op, and
WikiLeaks a splinter Deep State deep cover op.
Maybe President Trump will maneuver the hegemonic Deep State into having Assange testify
against the corruption of the DNC; or maybe Trump caved in completely to "hostile intelligence
agency" Pompeo and his CIA gang baying for blood. It's all ultra-high-stakes shadow play
– and the show has not even begun.
Not to mention the Pentagram has silenced 100,000 whistleblower complaints by
Intimidation, threats, money or accidents over 5 years . A Whistleblower only does this when
know there is something seriously wrong. Just Imagine how many knew something was wrong but
looked the other way.
Maybe President Trump will maneuver the hegemonic Deep State into having Assange testify
against the corruption of the DNC; or maybe Trump caved in completely to "hostile
intelligence agency" Pompeo and his CIA gang baying for blood.
Escobar is brain dead if he can't figure out that Trumpenstein is totally on board with
destroying Assange. As if bringing on pukes like PompAss, BoltON, and Abrams doesn't scream it.
assange and wikileaks are the real criminals despite being crimeless. the **** is a
sanctioned criminal, allowed to be criminal with the system because the rest of the
sanctioned criminals would be exposed if she was investigated.
this is not the rule of laws. this is the law of rulers.
Originally from: The 'Guccifer 2.0' Gaps in Mueller's Full Report, April 18, 2019
Like Team Mueller's indictment last July of Russian agents, the full report reveals questions about Wikileaks' role that
much of the media has been ignoring, writes Daniel Lazare.
The five pages that the special prosecutor's report devotes to WikiLeaks are essentially lifted from Mueller's
indictment last July of 12 members of the Russian military
intelligence agency known as the GRU. It charges that after hacking the Democratic National Committee, the GRU used a specially-created
online persona known as Guccifer 2.0 to transfer a gigabyte's worth of stolen emails to WikiLeaks just as the 2016 Democratic
National Convention was approaching. Four days after opening the encrypted file, the indictment says, "Organization 1 [i.e. WikiLeaks]
released over 20,000 emails and other documents stolen from the DNC network by the Conspirators [i.e. the GRU]."
Attorney General William Barr holding press conference on full Mueller report, April 18, 2019. (YouTube)
Mueller's report says the same thing, but with the added twist that Assange then tried to cover up the GRU's role by
suggesting that murdered Democratic National Committee staffer Seth Rich may have been the source and by telling a congressman
that the DNC email heist was an "inside job" and that he had "physical proof" that the material was not from Russia.
All of which is manna from heaven for corporate news outlets eager to pile on Assange, now behind bars in London. An April 11,
2019, New York Times news analysis,
for instance, declared that "[c]ourt documents have revealed that it was Russian intelligence – using the Guccifer persona – that
provided Mr. Assange thousands of emails hacked from the Democratic National Committee," while another Times article published shortly after
his arrest accuses the WikiLeaks founder of "promoting a false cover story about the source of the leaks."
But there's a problem: it ain't necessarily so. The official story that the GRU is the source doesn't hold water, as a timeline
from mid-2016 shows. Here are the key events based on the GRU indictment and the Mueller report:
June 12: Assange tells Britain's ITV that another round of Democratic Party disclosures is on the way: "We have upcoming leaks in relation to Hillary Clinton, which is great. WikiLeaks is having a very big year."
June 14: The Democratic National Committee accuses Russia of hacking its computers.
June 15: Guccifer 2.0 claims credit for the hack. "The main part of the papers, thousands of files and mails, I gave to WikiLeaks," he brags. "They will publish them soon."
June 22: WikiLeaks tells Guccifer via email: "Send any new material here for us to review and it will have a much higher impact than what you are doing."
July 6: WikiLeaks sends Guccifer another email: "if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after." Replies Guccifer: "ok . . . i "
July 14: Guccifer sends WikiLeaks an encrypted file titled "wk dnc link1.txt.gpg."
July 18: WikiLeaks confirms it has opened "the 1Gb or so archive" and will release documents "this week."
July 22: WikiLeaks releases more than 20,000 DNC emails and 8,000 other attachments.
According to Mueller and obsequious news outlets like the Times , the sequence is clear: Guccifer sends archive, WikiLeaks
receives archive, WikiLeaks accesses archive, WikiLeaks publishes archive. Donald Trump may not have colluded with
Russia, but Julian Assange plainly did. [Attorney General Will Barr, significantly calling WikiLeaks a publisher, said at
his Thursday press conference: " Under applicable law, publication of these types of materials would not be criminal unless the publisher
also participated in the underlying hacking conspiracy."]
Deputy Attorney General Rod Rosenstein announcing in 2018 the grand jury indictment of 12 GRU agents. (Wikimedia Commons)
Avoiding Questions
The narrative raises questions that the press studiously avoids. Why, for instance, would Assange announce on June 12 that a big
disclosure is on the way before hearing from the supposed source? Was there a prior communication that Mueller has not disclosed?
What about the reference to "new material" on June 22 – does that mean Assange already had other material in hand? After opening
the Guccifer file on July 18, why would he publish it just four days later? Would that give WikiLeaks enough time to review some
28,000 documents to insure they're genuine?
"If a single one of those emails had been shown to be maliciously altered," blogger Mark F. McCarty
observes, "Wikileaks' reputation would have been in tatters." There's also the question that an investigator known as Adam Carter
poses in Disobedient Media: why would Guccifer brag about giving WikiLeaks "thousands of files" that he wouldn't send for another month?
The narrative doesn't make sense – a fact that is crucially important now that Assange is fighting for his freedom in the U.K.
New Yorker staff writer Raffi Khatchadourian sounded
a rare note of caution last summer when he warned that little about Guccifer 2.0 adds up. While claiming to be the source for
some of WikiLeaks' most explosive emails, the material he released on his own had proved mostly worthless – 20 documents
that he "said were from the DNC but which were almost surely not," as Khatchadourian puts it, a purported Hillary Clinton dossier
that "was nothing of the sort," screenshots of emails so blurry as to be "unreadable," and so forth.
John Podesta: Target of a phishing expedition. (Voice of America via Wikimedia Commons)
While insisting that "our source is not the Russian
government and it is not a state party," Assange told Khatchadourian that the source was not Guccifer either. "We received quite a
lot of submissions of material that was already published in the rest of the press, and people seemingly submitted the Guccifer archives,"
he said somewhat cryptically. "We didn't publish them. They were already published." When Khatchadourian asked why he didn't put
the material out regardless, he replied that "the material from Guccifer 2.0 – or on WordPress – we didn't have the resources to
independently verify."
No Time for Vetting
So four days was indeed too short a time to subject the Guccifer file to proper vetting. Of course, Mueller no doubt regards this
as more "dissembling," as his report describes it. Yet WikiLeaks has never been caught in a lie for the simple reason that honesty
and credibility are all-important for a group that promises to protect anonymous leakers who supply it with official secrets. (See
"Inside WikiLeaks: Working with the Publisher that Changed the World,"
Consortium News, July 19, 2018.) Mueller, by contrast, has a rich history of mendacity going back to his days as FBI
director when he sought to cover up
the Saudi role
in 9/11 and assured Congress on the eve
of the 2003 invasion that Iraqi weapons of mass destruction pose "a clear threat to our national security."
Mueller with President George W. Bush on July 5, 2001, as he is being appointed FBI director. (White House)
So if the Mueller narrative doesn't hold up, the charge of dissembling doesn't either. Indeed, as ex-federal prosecutor Andrew
C. McCarthy observes in The National Review, the fact that the feds have charged Assange with unauthorized access to a government
computer rather than conspiring with the Kremlin could be a sign that Team Mueller is less than confident it can prove collusion
beyond a reasonable doubt. As he puts it, the GRU indictment "was more like a press release than a charging instrument" because the
special prosecutor knew that the chances were zero that Russian intelligence agents would surrender to a U.S. court.
Indeed, when Mueller charged 13 employees and three companies owned by Russian businessman Yevgeny Prigozhin with interfering
in the 2016 election, he clearly didn't expect them to surrender either. Thus, his team seemed taken aback when one of the alleged
"troll farms" showed up in Washington asking to be heard. The prosecution's initial response, as McCarthy
put it, was to seek a delay "on the astonishing ground that the defendant has not been properly served – notwithstanding that the defendant has shown
up in court and asked to be arraigned." When that didn't work, prosecutors tried to limit Concord's access to some 3.2 million pieces
of evidence on the grounds that the documents are too "sensitive" for Russian eyes to see. If they are again unsuccessful, they may have no choice but to drop the charges entirely,
resulting in yet another "public relations disaster" for the Russia-gate investigation.
None of which bodes well for Mueller or the news organizations that worship at his shrine. After blowing the Russia-gate story
all these years, why does the Times continue to slander the one news organization that tells the truth?
Daniel Lazare is the author of "The Frozen Republic: How the Constitution Is Paralyzing Democracy" (Harcourt Brace, 1996) and
other books about American politics. He has written for a wide variety of publications from The Nation to Le Monde Diplomatique
and blogs about the Constitution and related matters at Daniellazare.com.
"... Blumenthal does chronicle a decades-long panoply of active measures by numerous pro-Israel Lobby figures, groups and think tanks. Yet he fails to explicitly recognize the connection between pro-Israel Lobby efforts and the covert operations and overt invasions of America's national security state. ..."
"... Julian Assange of Wikileaks was more explicit. Assange named the "country that has interfered in U.S. elections, has endangered Americans living or working overseas and has corrupted America's legislative and executive branches. It has exploited that corruption to initiate legislation favorable to itself, has promoted unnecessary and unwinnable wars and has stolen American technology and military secrets. Its ready access to the mainstream media to spread its own propaganda provides it with cover for its actions and it accomplishes all that and more through the agency of a powerful and well-funded domestic lobby [ ] That country is, of course, Israel." ..."
Behind the Omar Outrage: Suppressed History of the pro-Israel Lobby
Max Blumenthal's article and his 2019 book, The Management of Savagery: How America's
National Security State Fueled the Rise of Al Qaeda, ISIS, and Donald Trump (2019), is an
impressive exercise in burying the lede.
Blumenthal does chronicle a decades-long panoply of active measures by numerous pro-Israel
Lobby figures, groups and think tanks. Yet he fails to explicitly recognize the connection
between pro-Israel Lobby efforts and the covert operations and overt invasions of America's
national security state.
Julian Assange of Wikileaks was more explicit. Assange named the "country that has
interfered in U.S. elections, has endangered Americans living or working overseas and has
corrupted America's legislative and executive branches. It has exploited that corruption to
initiate legislation favorable to itself, has promoted unnecessary and unwinnable wars and
has stolen American technology and military secrets. Its ready access to the mainstream media
to spread its own propaganda provides it with cover for its actions and it accomplishes all
that and more through the agency of a powerful and well-funded domestic lobby [ ] That
country is, of course, Israel."
The more secretive or unjust an organization is, the more leaks induce fear and paranoia in
its leadership and planning coterie. This must result in minimization of efficient internal
communications mechanisms (an increase in cognitive "secrecy tax") and consequent
system-wide cognitive decline resulting in decreased ability to hold onto power as the
environment demands adaption.
Hence in a world where leaking is easy, secretive or unjust systems are nonlinearly hit
relative to open, just systems. Since unjust systems, by their nature induce opponents, and
in many places barely have the upper hand, mass leaking leaves them exquisitely vulnerable
to those who seek to replace them with more open forms of governance.
US Tech Companies have an extremely nice "inclusive" "open" "transparent" company culture.
People who don't drink the Kool-Aid can deal with it; people who are on the Asperger/Autism
range can't. And these are the people extremely gifted for tech.
Basically US military and secret services believed that Western "Freedom" (TM) was such a
powerful advantage in global competition that open anonymous systems connecting dissidents
would work to their advantage. They forgot that some people can't do double think.
Wikileaks started as a Chinese dissident
project which certainly had the support of the US military-intelligence complex. It
quickly became something else, simply because the people working in the project believed the
ideology behind it and could not see that what is right for a Chinese dissident against the
Chinese state was not right for a US dissident against the US state.
With Julian Assange in Belmarsh prison, everything about "open society" "transparency"
"free media" "supporting dissidents" is in dispute.
"... Assange has exposed so much of the Obama and Clinton cabal that they and their henchman would try any means possible to not have him extradited. ..."
"... Bit hard to spy on corrupt world leaders without the internet. Pretty sure Moreno has his own set of enemies, since he's blackmailing or bankrolling everyone in his sight with the backing of Goldman Sachs. Also black kettle, that's the most surveilled building in the world inside and out. ..."
(From a horrified and disgusted Brit) My highest regard for: - the 3 dedicated panelists;
- those among the honest Spanish police mentioned; - the brave Ecuadorian journalists
pursuing presidential corruption charges; and: - elements of the UN not yet become toothless
tigers re basic human rights. I have little if any hope such moral fibre will prevail (or be
ALLOWED to do so) in the UK. Corruption and blind stupidity seem to have gone too far here,
as they have in the USA, and possibly also even in the remaining "5 eyes" countries. Iberia
(Portuguese Guterres at UN) has a chance to triumph in justice over degenerate Anglo-Saxon
increasingly dictatorship regimes. Will they triumph? We'll see. The whole world will see.
And the world has many many more than a mere 5 eyes.
It's disgusting how the governments behave as we've seen the truth in Wikileaks which
remains correct and true 100% of the time...that's what the governments are scared of.....
the truth and transparency..... it shows them for what they are, hypocrites and
liars......!!!
Bit hard to spy on corrupt world leaders without the internet. Pretty sure Moreno has his
own set of enemies, since he's blackmailing or bankrolling everyone in his sight with the
backing of Goldman Sachs. Also black kettle, that's the most surveilled building in the world
inside and out.
Asylees are not supposed to be treated like criminals, he's without charge.
The US, Ecuador's current government and the UK are violating international law. And the
press is an anemic mess. Our message to them: you're next.
All journalism utilises sources
and those sources are entitled to protection. Not a grand jury. Not a supermax. Not
torture.
The cockroaches don't like when the rock is lifted and we see them for what they are.
Assange lifted the rock and now the cockroaches are out to get him.
It is not surprising that the Ecuadorean leader has failed the integrity of the country and
the people of Ecuador. The fact that Julian Assange had full asylum granted to him
with full protection proved the government before protected the sovereign country and its
citizens as a country which is respected and free from any kind of puppet or slave
and master position. Assange's case is extremely important but in the meantime the position
of the Ecuadorean people is let down on the world platform of shame. The day the new leader
left Ecuador naked.
This is so wrong! He needs to be protected. Unless they are bringing him to USA to testify
against the Clinton/Obama crimes. We never would have found out anything of the corruption
and take down of the USA if it were not for his investigating reporting! Because the crooks
got caught and exposed they are trying to destroy him. He acted like a reporter or what they
use to be like. Just like the Nixon days but they broke into files. Assange was given
information. He was not the spy from what I can gather! They should be thanking him for
exposing the crimes that have been going on!
It is unclear what danger WikiLeaks represents now, as it probably was infiltrated. But
publishing of Podesta emails and DNC files was really damaging to the Dems during 2016
elections.
Dr. Paul, the founder of the Ron Paul Institute for Peace and Prosperity, made the remarks
on Monday while discussing the violent arrest of Assange by UK Metropolitan Police last week at
the Ecuadorian embassy in London, after the Moreno government cancelled his asylum.
The Australian whistleblower was arrested on behalf of the US on Thursday at the Ecuadorean
embassy in London, where he had been granted asylum since 2012.
Assange, 47, is wanted by the US government for publishing classified documents related to
the Iraq and Afghanistan wars that were leaked by American whistleblower Chelsea Manning.
Assange spent seven years at the Ecuadorian embassy before his arrest.
"We have two foreign policies. We tell people what to do. And if they do it, we reward them.
We give them a lot of money. If they don't, they're in for big trouble, they're liable to get
bombed; we invade them, and there will be a coup," Dr. Paul said.
"We find that Moreno, the president of Ecuador, did not do badly. He's been playing
footsies with us, and gaining some money and he delivered, you know, after he became president
– it's shame because the previous president the one that allowed or at least would at
least Assange could be 'protected' to some degree," he stated.
"But he (Moreno) evidently is out form and now of course he has delivered him. And this
might not be even all of that. This probably is official tool of ours to provide these funds,"
the analyst noted.
"The IMF has already delivered $4.2 billion to [Ecuador], and there's another six billion
dollars in the pipeline for that," he said.
Moreno on Sunday accused Assange of trying to use Ecuador's embassy in London as a "center
for spying," and said that the decision to strip the whistleblower of his political asylum
followed "violations" of that status.
In an interview with The Guardian, Moreno defended his decision on the Assange case.
"It is unfortunate that, from our territory and with the permission of authorities of the
previous government, facilities have been provided within the Ecuadoran Embassy in London to
interfere in processes of other states," the president said.
If Trump pardoned Assange, I would consider that draining the swamp. But Orange Jewlius is
a Deep State **** socket, so the swamp has grown to a lagoon
Clearly the US government has zero respect for Australia, Australian Law or Australian
citizens. The case is shite, else they would allow Assange to be deported to Australia and
the extradition hearing to be heard there. They refuse because they know their case is shite
and they would have to prove it in Australia before they could get extradition.
The USA is not an ally of Australia because it does not respect Australian law, not in the
least. Prove US respect of Australians by deporting Assange to Australia and holding the
extradition hearings there, else look as guilty as shite and never ever to be trusted by
Australians.
The US Govt respects NOBODY but its own Interests. It's the Australian Govt that's
complicit in this travesty of Nil justice. The Gutless Australian Govt has NO interest in
helping Julian Assange because they were persuaded NOT to by their American masters. It hurts
that your own Govt are total A$$holes & follow USA into Crimes with out question. The
Australian Govt has a History of lip service only when assistance Overseas is required. ****
them !
Assange probably is a narcissist. So what? All the people criticizing him are, too. At
least he's an honest narcissist. In everything he's published, not a single item has even
been allegedly false. Can any of these other so-called "journalists" demonstrate that level
of accuracy?
Here is a good article on Assange. Explains the cat. Things were okay for him under the
real elected president of Ecuador, except no sunlight thanks to US spooks.
Assange has been charged in the Eastern District of Virginia -- the so-called "Espionage
Court." That is just what many of us have feared. Remember, no national security defendant
has ever been found not guilty in the Eastern District of Virginia. The Eastern District is
also known as the "rocket docket" for the swiftness with which cases are heard and decided.
Not ready to mount a defense? Need more time? Haven't received all of your discovery? Tough
luck. See you in court.
I have long predicted that Assange would face Judge Leonie Brinkema were he to be charged
in the Eastern District. Brinkema handled my case, as well as CIA whistleblower Jeffrey
Sterling's. She also has reserved the Ed Snowden case for herself. Brinkema is a hanging
judge.
***
Brinkema gave me literally no chance to defend myself. At one point, while approaching
trial, my attorneys filed 70 motions, asking that 70 classified documents be declassified so
that I could use them to defend myself. I had no defense without them. We blocked off three
days for the hearings. When we got to the courtroom, Brinkema said, "Let me save everybody a
lot of time. I'm going to deny all 70 of these motions. You don't need any of this
information to be declassified." The entire process took a minute. On the way out of the
courtroom, I asked my lead attorney what had just happened. "We just lost the case. That's
what happened. Now we talk about a plea."
My attorneys eventually negotiated a plea for 30 months in prison -- significantly below
the 45 years that the Justice Department had initially sought. The plea was something called
an 11-C1C plea; it was written in stone and could not be changed by the judge. She could
either take it or leave it. She took it, but not after telling me to rise, pointing her
finger at me, and saying, "Mr. Kiriakou, I hate this plea. I've been a judge since 1986 and
I've never had an 11C1C. If I could, I would give you ten years." Her comments were
inappropriate and my attorneys filed an ethics complaint against her. But that's Brinkema.
That's who she is.
Julian Assange doesn't have a prayer of a fair trial in the Eastern District of
Virginia.
Assange's arrest represents an abuse of power, highlighting not only how true journalism has
now been banished in the West, but also how politicians, journalists, news agencies and
think-tanks collude with each other to silence people.
"... Assange accomplished more in 2010 alone than any of his preening media antagonists will in their entire lifetime, combined. Your feelings about him as a person do not matter. He could be the scummiest human on the face of Earth, and it would not detract from the fact that he has brought revelatory information to public that would otherwise have been concealed. He has shone light on some of the most powerful political factions not just in the US, but around the world. This will remain true regardless of whether Trump capitulates to the 'Deep State' and goes along with this utterly chilling, free speech-undermining prosecution. ..."
"... My support was based on the fact that Assange had devised a novel way to hold powerful figures to account, whose nefarious conduct would otherwise go unexamined but for the methods he pioneered. ..."
The nine-year gap – long after Manning had been charged, found guilty, and released from prison – suggests that there is something
ulterior going on here. The offenses outlined in the indictment are on extraordinarily weak legal footing. Part of the criminal 'conspiracy,'
prosecutors allege, is that Assange sought to protect Manning as a source and encouraged her to provide government records in the
public interest.
This is standard journalistic practice.
And it is now being criminalized by the Trump DoJ, while liberals celebrate from the sidelines – eager to join hands with the
likes of Mike Pompeo and Lindsey Graham. You could not get a more sinister confluence of political fraudsters.
They – meaning most Democrats – will never get over their grudge against Assange for having dared to expose the corruption of
America's ruling party in 2016, which they believed help deprive their beloved Hillary of her rightful ascension to the presidential
throne. Once again, Rep. Tulsi Gabbard is among the few exceptions.
The DNC and Podesta email releases, now distilled reductively into the term 'Russian interference,' contained multitudinous newsworthy
revelations, as evidenced by the fact that virtually the entire US media reported on them. (Here, feel free to refresh your memory
on this as well.) But for no reason other than pure partisan score-settling, elite liberals are willing to toss aside any consideration
for the dire First Amendment implications of Assange's arrest and cry out with joy that this man they regard as innately evil has
finally been ensnared by the punitive might of the American carceral state.
Trump supporters and Trump himself also look downright foolish. It takes about two seconds to Google all the instances in which
Trump glowingly touted WikiLeaks on the 2016 campaign trail. 'I love WikiLeaks!' he famously proclaimed on October 10, 2016 in Wilkes-Barre,
Penn.
Presumably this expression of 'love' was indication that Trump viewed WikiLeaks as providing a public service. If not, perhaps
some intrepid reporter can ask precisely what his 'love' entailed. He can pretend all he wants now that he's totally oblivious to
WikiLeaks, but it was Trump himself who relayed that he was contemporaneously reading the Podesta emails in October 2016, and reveling
in all their newsworthiness. If he wanted, he could obviously intercede and prevent any unjust prosecution of Assange. Trump has
certainly seen fit to complain publicly about all matter of other inconvenient Justice Department activity, especially as it pertained
to him or his family members and associates. But now he's acting as though he's never heard of WikiLeaks, which is just pitiful:
not a soul believes it, even his most ardent supporters.
Sean Hannity became one of Assange's biggest fans in 2016 and 2017, effusively lavishing him with praise and even visiting him
in the Ecuadorian embassy in London for an exclusive interview. One wonders whether Hannity, who reportedly speaks to his best buddy
Trump every night before bedtime, will counsel a different course on this matter. There's also the question of whether Trump's most
vehement online advocates, who largely have become stalwart defenders of WikiLeaks, will put their money where their mouth is and
condition their continued support on Assange not being depredated by the American prison system.
Assange accomplished more in 2010 alone than any of his preening media antagonists will in their entire lifetime, combined.
Your feelings about him as a person do not matter. He could be the scummiest human on the face of Earth, and it would not detract
from the fact that he has brought revelatory information to public that would otherwise have been concealed. He has shone light on
some of the most powerful political factions not just in the US, but around the world. This will remain true regardless of whether
Trump capitulates to the 'Deep State' and goes along with this utterly chilling, free speech-undermining prosecution.
I personally have supported Assange since I started in journalism, nine years ago, not because I had any special affinity for
the man himself (although the radical transparency philosophy he espoused was definitely compelling). My support was based on
the fact that Assange had devised a novel way to hold powerful figures to account, whose nefarious conduct would otherwise go unexamined
but for the methods he pioneered. As thanks, he was holed up in a tiny embassy for nearly seven years – until yesterday, when
they hauled him out ignominiously to face charges in what will likely turn out to be a political show trial. Donald Trump has the
ability to stop this, but almost certainly won't. And that's all you need to know about him.
Vindictiveness does not always play in the vindictive party's favour.
You may love Assange or you may hate Assange for his WikiLeaks revelations (and Vault 7 was a
real bombshell), but it is clear that this will cost Trump some reputation out of the tiny share
that is still left, especially in view of Trump's declaration "I love Wikileaks".
For seven years, we have had to listen to a chorus of journalists, politicians and "experts"
telling us that Assange was nothing more than a fugitive from justice, and that the British and
Swedish legal systems could be relied on to handle his case in full accordance with the law.
Barely a "mainstream" voice was raised in his defence in all that time.
... ... ...
The political and media establishment ignored the mounting evidence of a secret grand jury
in Virginia formulating charges against Assange, and ridiculed Wikileaks' concerns that the
Swedish case might be cover for a more sinister attempt by the US to extradite Assange and lock
him away in a high-security prison, as had happened to whistleblower Chelsea Manning.
... ... ...
Equally, they ignored the fact that Assange had been given diplomatic status by Ecuador, as
well as Ecuadorean citizenship. Britain was obligated to allow him to leave the embassy, using
his diplomatic immunity, to travel unhindered to Ecuador. No "mainstream" journalist or
politician thought this significant either.
... ... ...
They turned a blind eye to the news that, after refusing to question Assange in the UK,
Swedish prosecutors had decided to quietly drop the case against him in 2015. Sweden had kept
the decision under wraps for more than two years.
... ... ...
Most of the other documents relating to these conversations were unavailable. They had been
destroyed by the UK's Crown Prosecution Service in violation of protocol. But no one in the
political and media establishment cared, of course.
Similarly, they ignored the fact that Assange was forced to hole up for years in the
embassy, under the most intense form of house arrest, even though he no longer had a case to
answer in Sweden. They told us -- apparently in all seriousness -- that he had to be arrested
for his bail infraction, something that would normally be dealt with by a fine.
... ... ...
This was never about Sweden or bail violations, or even about the discredited Russiagate
narrative, as anyone who was paying the vaguest attention should have been able to work out. It
was about the US Deep State doing everything in its power to crush Wikileaks and make an
example of its founder.
It was about making sure there would never again be a leak like that of Collateral Murder,
the military video released by Wikileaks in 2007 that showed US soldiers celebrating as they
murdered Iraqi civilians. It was about making sure there would never again be a dump of US
diplomatic cables, like those released in 2010 that revealed the secret machinations of the US
empire to dominate the planet whatever the cost in human rights violations.
Now the pretence is over. The British police invaded the diplomatic territory of Ecuador --
invited in by Ecuador after it tore up Assange's asylum status -- to smuggle him off to jail.
Two vassal states cooperating to do the bidding of the US empire. The arrest was not to help
two women in Sweden or to enforce a minor bail infraction.
No, the British authorities were acting on an extradition warrant from the US. And the
charges the US authorities have concocted relate to Wikileaks' earliest work exposing the US
military's war crimes in Iraq -- the stuff that we all once agreed was in the public interest,
that British and US media clamoured to publish themselves.
Still the media and political class is turning a blind eye. Where is the outrage at the lies
we have been served up for these past seven years? Where is the contrition at having been
gulled for so long? Where is the fury at the most basic press freedom -- the right to publish
-- being trashed to silence Assange? Where is the willingness finally to speak up in Assange's
defence?
It's not there. There will be no indignation at the BBC, or the Guardian, or CNN. Just
curious, impassive -- even gently mocking -- reporting of Assange's fate.
And that is because these journalists, politicians and experts never really believed
anything they said. They knew all along that the US wanted to silence Assange and to crush
Wikileaks. They knew that all along and they didn't care. In fact, they happily conspired in
paving the way for today's kidnapping of Assange.
They did so because they are not there to represent the truth, or to stand up for ordinary
people, or to protect a free press, or even to enforce the rule of law. They don't care about
any of that. They are there to protect their careers, and the system that rewards them with
money and influence. They don't want an upstart like Assange kicking over their applecart.
Now they will spin us a whole new set of deceptions and distractions about Assange to keep
us anaesthetised, to keep us from being incensed as our rights are whittled away, and to
prevent us from realising that Assange's rights and our own are indivisible. We stand or fall
together.
Jonathan Cook won the Martha Gellhorn Special Prize for Journalism. His books include
"Israel and the Clash of Civilisations: Iraq, Iran and the Plan to Remake the Middle East"
(Pluto Press) and "Disappearing Palestine: Israel's Experiments in Human Despair" (Zed Books).
His website is www.jonathan-cook.net.
This should be an uncomfortable time for the “journalists” of the
Establishment. Very few will speak up as does Mr. Cook. Watch how little is said about the
recent Manning re-imprisonment to sweat out grand jury testimony. Things may have grown so
craven that we’ll even see efforts to revoke Mr. Assange’s awards.
This is also a good column for us to share with those people who just might want not to
play along with the lies that define Exceptionalia.
… from the moment Julian Assange first sought refuge in the Ecuadorean embassy in
London, they have been telling us we were wrong, that we were paranoid conspiracy
theorists. We were told there was no real threat of Assange’s extradition to the
United States, that it was all in our fevered imaginations.
It all reminds me of Rod Dreher’s Law of Merited Impossibility: “That’ll
never happen. And when it does , boy won’t you deserve it!”
Equally, they ignored the fact that Assange had been given diplomatic status by Ecuador,
as well as Ecuadorean citizenship. Britain was obligated to allow him to leave the embassy,
using his diplomatic immunity, to travel unhindered to Ecuador. No “mainstream”
journalist or politician thought this significant either.
Why would they? They don’t even recognize diplomatic status for heads of state who
get in their way! Remember what they did to President Evo Morales of Bolivia back when he was
threatening to grant asylum to Ed Snowden? Here’s a refresher:
People who just watch corporate media think Julian Assange is a bad guy who deserves life
in prison, except those who watch the great Tucker Carlson. Watch his recent show where he
explains why our corporate media and political class hate Assange.
He is charged with encouraging Army Private Chelsea Manning to send him embarrassing
information, specifically this video of a US Army Apache helicopter gunning down civilians in
broad daylight in Baghdad.
But there is no proof of this, and Manning has repeatedly said he never communicated to
Assange about anything. Manning got eight years in prison for this crime; the Apache pilots
were never charged, and now they want to hang Assange for exposing a war crime. I have
recommended this great 2016 interview twice, where Assange calmly explains the massive
corruption that patriotic FBI agents refer to as the “Clinton Crime Family.”
This gang is so powerful that it ordered federal agents to spy on the Trump political
campaign, and indicted and imprisoned some participants in an attempt to pressure President
Trump to step down. It seems Trump still fears this gang, otherwise he would order his
attorney general to drop this bogus charge against Assange, then pardon him forever and
invite him to speak at White House press conferences.
“… they ignored the fact that Assange was forced to hole up for years in
the embassy, under the most intense form of house arrest, even though he no longer had a
case to answer in Sweden.”
Meh! Assange should have walked out the door of the embassy years ago. He might have ended
up in the same place, but he could have seized the moral high ground by seeking asylum in
Britain for fear of the death penalty in the US, which was a credible fear given public
comments by various US officials. By rotting away in the Ecuadorian embassy, he greatly
diminished any credibility he might have had to turn the UK judicial system inside out to his
favour. Now he’s just a creepy looking bail jumper who flung faeces against the wall,
rather than being a persecuted journalist.
@Johnny Rottenborough Millionaire politicians on both sides of the political fence get
very emotional about anything that impacts their own privacy & safety and the privacy
& safety of their kin, while ignoring the issues that jeopardize the privacy & safety
of ordinary voters. While corporate-owned politicians get a lot out of this game,
ordinary voters who have never had less in the way of Fourth Amendment privacy rights, and
whose First Amendment rights are quickly shrinking to the size of Assange’s, do not get
the consolation of riches without risk granted to bought-off politicians in this era’s
pay-to-play version of democracy. It’s a lose / lose for average voters.
Mr Cook’s criticism of the mainstream media (MSM) is absolutely justified.
It seems to me that their hatred of Mr Assange reflects the unfortunate fact that, while
he is a real journalist, they actually aren’t. Instead, they are stenographers for
power: what Paul Craig Roberts calls “presstitutes” (a very happy coinage which
exactly hits the bull’s eye).
The difference is that real journalists, like Mr Assange, Mr Roberts and Mr Cook, are
mainly motivated by the search for objective truth – which they then publish, as far as
they are able.
Whereas those people who go by the spurious names of “journalist”,
“reporter”, “editor”, etc. are motivated by the desire to go on
earning their salaries, and to gain promotion and “distinction” in society. (Sad
but true: social distinction is often gained by performing acts of dishonesty and downright
wickedness).
Here are some interesting quotations that cast some light on this disheartening state of
affairs. If you look carefully at their dates you may be surprised to find that nothing has
changed very much since the mid-19th century.
‘Marr: “How can you know that I’m self-censoring? How can you know that
journalists are…”
‘Chomsky: “I’m not saying you’re self censoring. I’m sure
you believe everything you’re saying. But what I’m saying is that if you believed
something different, you wouldn’t be sitting where you’re
sitting”’.
‘If something goes wrong with the government, a free press will ferret it out and it
will get fixed. But if something goes wrong with our free press, the country will go straight
to hell’.
‘There is no such a thing in America as an independent press, unless it is out in
country towns. You are all slaves. You know it, and I know it. There is not one of you who
dares to express an honest opinion. If you expressed it, you would know beforehand that it
would never appear in print. I am paid $150 for keeping honest opinions out of the paper I am
connected with. Others of you are paid similar salaries for doing similar things. If I should
allow honest opinions to be printed in one issue of my paper, I would be like Othello before
twenty-four hours: my occupation would be gone. The man who would be so foolish as to write
honest opinions would be out on the street hunting for another job. The business of a New
York journalist is to distort the truth, to lie outright, to pervert, to vilify, to fawn at
the feet of Mammon, and to sell his country and his race for his daily bread, or for what is
about the same — his salary. You know this, and I know it; and what foolery to be
toasting an “Independent Press”! We are the tools and vassals of rich men behind
the scenes. We are jumping-jacks. They pull the string and we dance. Our time, our talents,
our lives, our possibilities, are all the property of other men. We are intellectual
prostitutes’.
‘The press today is an army with carefully organized arms and branches, with
journalists as officers, and readers as soldiers. But here, as in every army, the soldier
obeys blindly, and war-aims and operation-plans change without his knowledge. The reader
neither knows, nor is allowed to know, the purposes for which he is used, nor even the role
that he is to play. A more appalling caricature of freedom of thought cannot be imagined.
Formerly a man did not dare to think freely. Now he dares, but cannot; his will to think is
only a willingness to think to order, and this is what he feels as his liberty’.
– Oswald Spengler, “The Decline of the West” Vol. II, trans. C.F.
Atkinson (1928), p. 462
‘How do wars start? Wars start when politicians lie to journalists, then believe
what they read in the press’.
Very good article. There is one point that I would like to make: Assange asked for asylum
before he went to the embassy of Ecuador and Ecuador gave him asylum. This meant that they
had an obligation to protect him. It's really unbelievable that a country gives asylum
to someone and halfway tells them that they have changed their mind and will let the person be
arrested. "We told you you would be safe with us, but now we just changed our
mind". Assange also became a citizen of Ecuador and this possibly means that Ecuador
couldn't have let him be arrested in their embassy by the police of another country
without a process against him in Ecuador and without him having the right to defend himself
in a court. Many countries don't extradite their citizens to other countries.
Another remark. For years there were uncountable articles about Assange in The Guardian.
Those articles were read by many people and got really many comments. There were very fierce
discussions about him with thousands of comments. With time The Guardian turned decisively
against him and published articles against him. There were people there who seemed to hate
him. In the last days there were again many articles about him. They pronounce themselves
discreetly against his extradition to the US even if showing themselves to be critical of him
as if trying to justify their years of attacks against him. But one detail: I didn’t
find even one article in The Guardian where you can comment the case. Today for instance you
can comment an article by Gaby Hinsliff about Kim Kardashian. Marina Hyde talks in an article
about washing her hair (whatever else she wants to say, with 2831 comments at this moment).
But you don’t find any article about Assange that you can comment. 10 or 8 or 5 years
ago there were hundreds of articles about him that you could comment.
UK PM May said about Assange – “no one is above the law” –
proving she is a weak sister without a clue.
No one is above the law except the British government, which ignored the provisions of the
EU Withdrawal Act requiring us to leave on March 29th.
No one is above the law except for the US and the UK which have illegally deployed forces
to Syria against the wishes of the government in Damascus.
And Tony Blair, a million dead thanks to his corruption. He should be doing time in a
Gulag for his evil crimes.
And of course, the black MP for Peterborough – Fiona Onasanya – served a mere
three weeks in jail for perverting the course of justice, normally regarded as a very serious
offence. But she was out in time – electronic tag and curfew notwithstanding – to
vote in the House of Commons against leaving the EU.
"... It's pretty astonishing that Mueller was more interested in Roger Stone and Jerome Corsi as credible sources about Wikileaks and the DNC release than Craig Murray! ..."
"... Yes, he has done his job. And his job was to bring his royal Orangeness to heel, and to make sure that detente and co-operation with Russia remained impossible. The forever war continues. Mission Accomplished. ..."
I could not suffer through reading the whole article. This is mainly because I have
watched the news daily about Mueller's Investigation and I sincerely believe that Mueller is
Champion of the Democrats who are trying to depose President Donald Trump at any cost.
Any decent lawyer with a degree and a few years of experience could have found what
Mueller found for far, far less money. Mueller only found common crimes AND NO
COLLUSION BETWEEN PRESIDENT TRUMP AND PUTIN!
The Mueller Investigation should be given to an honest broker to review, and Mueller
should be paid only what it would cost to produce the commonplace crimes Mueller, The
Democrats, and CNN have tried to convince the people that indeed Trump COLLUDED with RUSSIA.
Mueller is a BIG NOTHING BURGER and THE DEMOCRATS AND CNN ARE MUELLER'S SINGING CANARIES!
Mueller should be jailed.
Bogdan Miller , March 15, 2019 at 11:04 am
This article explains why the Mueller Report is already highly suspect. For another thing,
we know that since before 2016, Democrats have been studying Russian Internet and hacking
tactics, and posing as Russian Bots/Trolls on Facebook and other media outlets, all in an
effort to harm President Trump.
It appears the FBI, CIA, and NSA have great difficulty in differentiating between Russians
and Democrats posing as Russians.
B.J.M. Former Intelligence Analyst and Humint Collector
vinnieoh , March 15, 2019 at 8:17 am
Moving on: the US House yesterday voted UNANIMOUSLY (remember that word, so foreign these
days to US governance?) to "urge" the new AG to release the complete Mueller report.
A non-binding resolution, but you would think that the Democrats can't see the diesel
locomotive bearing down on their clown car, about to smash it to pieces. The new AG in turn
says he will summarize the report and that is what we will see, not the entire report. And
taxation without representation takes a new twist.
... ... ...
Raymond Comeau , March 15, 2019 at 12:38 pm
What else would you expect from two Political Parties who are really branches of the ONE
Party which Represents "DEEP STATE".
DWS , March 15, 2019 at 5:58 am
Maybe the VIPS should look into the murder of Seth Rich, the DNC staffer who had the
security clearance required to access the DNC servers, and who was murdered in the same week
as the emails were taken. In particular, they should ask why the police were told to stand
down and close the murder case without further investigation.
Raymond Comeau , March 15, 2019 at 12:47 pm
EXACTLY! But, Deep State will not allow that. And, it would ruin the USA's plan to continue
to invade more sovereign countries and steal their resources such as oil and Minerals. The
people of the USA must be Ostriches or are so terrified that they accept anything their
Criminal Governments tell them.
Eventually, the chickens will come home to roost and perhaps the USA voters will ROAST
when the crimes of the USA sink the whole country. It is time for a few Brave Men and Women
to find their backbones and throw out the warmongers and their leading Oligarchs!
KiwiAntz , March 14, 2019 at 6:44 pm
What a brilliant article, so logical, methodical & a forensic, scientific breakdown of
the phony Russiagate project? And there's no doubt, this was a co-ordinated, determined
Intelligence project to reverse the results of the 2016 Election by initiating a soft coup or
Regime change op on an elected Leader, a very American Coup, something the American
Intelligence Agencies specialise in, everywhere else, on a Global scale, to get Trump
impeached & removed from the Whitehouse?
If you can't get him out via a Election, try
& try again, like Maduro in Venezuela, to forcibly remove the targeted person by setting
him up with fake, false accusations & fabricated evidence? How very predictable & how
very American of Mueller & the Democratic Party. Absolute American Corruption, corrupts
absolutely?
Brian Murphy , March 15, 2019 at 10:33 am
Right. Since its purpose is to destroy Trump politically, the investigation should go on
as long as Trump is in office. Alternatively, if at this point Trump has completely sold out, that would be another
reason to stop the investigation.
If the investigation wraps up and finds nothing, that means Trump has already completely
sold out. If the investigation continues, it means someone important still thinks Trump retains some
vestige of his balls.
DH Fabian , March 14, 2019 at 1:19 pm
By last June or July the Mueller investigation has resulted in roughly 150 indictments
for perjury/financial crimes, and there was a handful of convictions to date. The report did
not support the Clinton wing's anti-Russian allegations about the 2016 election, and was
largely brushed aside by media. Mueller was then reportedly sent back in to "find something."
presumably to support the anti-Russian claims.
mike k , March 14, 2019 at 12:57 pm
From the beginning of the Russia did it story, right after Trump's electoral victory, it
was apparent that this was a fraud. The democratic party however has locked onto this
preposterous story, and they will go to their graves denying this was a scam to deny their
presidential defeat, and somehow reverse the result of Trump's election. My sincere hope is
that this blatant lie will be an albatross around the party's neck, that will carry them down
into oblivion. They have betrayed those of us who supported them for so many years. They are
in many ways now worse than the republican scum they seek to replace.
DH Fabian , March 14, 2019 at 1:26 pm
Trump is almost certain to be re-elected in 2020, and we'll go through this all over
again.
The very fact that the FBI never had access to the servers and took the word of a private
company that had a history of being anti-Russian is enough to throw the entire ruse out.
LJ , March 14, 2019 at 2:39 pm
Agreed!!!! and don't forget the FBI/Comey gave Hillary and her Campaign a head's up before
they moved to seize the evidence. So too, Comey said he stopped the Investigation, thereby
rendering judgement of innocence, even though by his own words 'gross negligence' had
occurred (which is normally considered grounds for prosecution). In doing so he exceeded the
FBI's investigative mandate. He rationalized that decision was appropriate because of the
appearance of impropriety that resulted from Attorney General Lynch having a private meeting
on a plane on a runway with Bill and Hillary. Where was the logic in that. Who called the
meeting? All were Lawyers who had served as President, Senator, Attorney General and knew
that the meeting was absolutely inappropriate. Comey should be prosecuted if they want to
prosecute anyone else because of this CRAP. PS Trump is an idiot. Unfortunately he is just
a symptom of the disease at this point. Look at the cover of Rolling Stone magazine, carry a
barf bag.
Jane Christ , March 14, 2019 at 6:51 pm
Exactly. This throws doubt on the ability of the FBI to work independently. They are
working for those who want to cover up the Hillary mess. She evidently has sufficient funds
to pay them off. I am disgusted with the level of corruption.
hetro , March 14, 2019 at 10:50 am
Nancy Pelosi's announcement two days ago that the Democrats will not seek impeachment for
Trump suggests the emptiness of the Mueller investigation on the specific "collusion" issue.
If there were something hot and lingering and about to emerge, this decision is highly
unlikely, especially with the reasoning she gave at "so as not to divide the American
people." Dividing the people hasn't been of much concern throughout this bogus witch hunt on
Trump, which has added to his incompetence in leavening a growing hysteria and confusion in
this country. If there is something, anything at all, in the Mueller report to support the
collusion theory, Pelosi would I'm sure gleefully trot it out to get a lesser candidate like
Pence as opposition for 2020.
We know and Assange has confirmed Seth Rich, assassinated in D.C. for his deed, downloaded
the emails and most likely passed them on to former British ambassador Craig Murray in a D.C.
park for transport to Wikileaks.
We must also honor Shawn Lucas assassinated for serving DNC with a litigation notice
exposing the DNC conspiracy against Sanders.
hetro , March 14, 2019 at 3:18 pm
Where has Assange confirmed this? Assange's long-standing position is NOT to reveal his
sources. I believe he has continued to honor this position.
Skip Scott , March 15, 2019 at 7:15 am
It has merely been insinuated by the offering of a reward for info on Seth's murder. In
one breath he says wikileaks will never divulge a source, and in the next he offers a $20k
reward saying that sources take tremendous risk. Doesn't take much of a logical leap to
connect A to B.
DH Fabian , March 14, 2019 at 1:30 pm
Are you aware that Democrats split apart their own voting base in the 1990s, middle class
vs. poor? The Obama years merely confirmed that this split is permanent. This is particularly
relevant for Democrats, as their voting base had long consisted of the poor and middle class,
for the common good. Ignoring this deep split hasn't made it go away.
hetro , March 14, 2019 at 3:24 pm
Even more important is how the Democrats have sold out to an Establishment view favoring
neocon theory, since at least Bill Clinton. Pelosi's recent behavior with Ilhan Omar confirms
this and the split you're talking about. My point is it is distinctly odd that Pelosi is
discouraging impeachment on "dividing the Party" (already divided, of course, as you say),
whereas the Russia-gate fantasy was so hot not that long ago. Again it points to a cynical
opportunism and manipulation of the electorate. Both parties are a sad excuse to represent
ordinary people's interests.
Skip Scott , March 15, 2019 at 7:21 am
She said "dividing the country", not the party. I think she may have concerns over Trump's
heavily armed base. That said, the statement may have been a ruse. There are plenty of
Republicans that would cross the line in favor of impeachment with the right "conclusions" by
Mueller. Pelosi may be setting up for a "bombshell" conclusion by Mueller. One must never
forget that we are watching theater, and that Trump was a "mistake" to be controlled or
eliminated.
Mueller should be ashamed that he has made President Trump his main concern!! If all this
investigation would stop he could save America millions!!! He needs to quit this witch-hunt
and worry about things that really need to be handled!!! If the democrats and Trump haters
would stop pushing senseless lies hopefully this would stop ? It's so disgusting that his
democrat friend was never really investigated ? stop the witch-hunt and move forward!!!!
torture this , March 14, 2019 at 7:29 am
According to this letter, mistakes might have been made on Rachel Maddow's show. I can't
wait to read how she responds. I'd watch her show, myself except that it has the same effect
on me as ipecac.
Zhu , March 14, 2019 at 3:37 am
People will cling to "Putin made Trump President!!!" much as many cling "Obama's a Kenyan
Muslim! Not a real American!!!". Both nut theories are emotionally satisfying, no matter what
the historical facts are. Many Americans just can't admit their mistakes and blaming a
scapegoat is a way out.
O Society , March 14, 2019 at 2:03 am
Thank you VIPS for organizing this legit dissent consisting of experts in the field of
intelligence and computer forensics.
This so-called "Russiagate" narrative is an illustration of our "freedom of the press"
failure in the US due to groupthink and self censorship. He who pays the piper is apt to call
the tune.
It is astounding how little skepticism and scientifically-informed reasoning goes on in
our media. These folks show themselves to be native advertising rather than authentic
journalists at every turn.
DH Fabian , March 14, 2019 at 1:33 pm
But it has been Democrats and the media that market to middle class Dems, who persist in
trying to sell the Russian Tale. They excel at ignoring the evidence that utterly contradicts
their claims.
Oh, we're well beyond your "Blame the middle class Dems" stage.
The WINNING!!! team sports bullshit drowns the entire country now the latrine's sprung a
leak. People pretend to live in bubbles made of blue or red quite like the Three Little Pigs,
isn't it? Except instead of a house made of bricks saving the day for the little piggies, what
we've got here is a purple puddle of piss.
Everyone's more than glad to project all our problems on "THEM" though, aren't we?
Meanwhile, the White House smells like a urinal not washed since the 1950s and simpletons
still get their rocks off arguing about whether Mickey Mouse can beat up Ronald McDonald.
T'would be comic except what's so tragic is the desperate need Americans have to believe,
oh just believe! in something. Never mind the sound of the jackhammer on your skull dear,
there's an app for that or is it a pill?
I don't know, don't ask me, I'm busy watching TV. Have a cheeto.
Very good analysis clearly stated, especially adding the FAT timestamps to the
transmission speeds.
Minor corrections: "The emails were copied from the network" should be "from the much
faster local network" because this is to Contradict the notion that they were copied over the
internet network, which most readers will equate with "network." Also "reportedin" should be
"reported in."
Michael , March 13, 2019 at 6:25 pm
It is likely that New Knowledge was actually "the Russians", possibly working in concert
with Crowdstrike. Once an intelligence agency gets away with something like pretending to be
Russian hackers and bots, they tend to re-use their model; it is too tempting to discard an
effective model after a one-off accomplishment. New Knowledge was caught interfering/
determining the outcome in the Alabama Senate race on the side of Democrat Doug Jones, and
claimed they were merely trying to mimic Russian methods to see if they worked (they did; not
sure of their punishment?). Occam's razor would suggest that New Knowledge would be competent
to mimic/ pretend to be "Russians" after the fact of wikileaks' publication of emails. New
Knowledge has employees from the NSA and State department sympathetic to/ working with(?)
Hillary, and were the "outside" agency hired to evaluate and report on the "Russian" hacking
of the DNC emails/ servers.
DH Fabian , March 13, 2019 at 5:48 pm
Mueller released report last summer, which resulted in (the last I checked) roughly 150
indictments, a handful of convictions to date, all for perjury/financial (not political)
crimes. This wasn't kept secret. It simply wasn't what Democrats wanted to hear, so although
it was mentioned in some lib media (which overwhelmingly supported neoliberal Hillary
Clinton), it was essentially swept under the carpet.
Billy , March 13, 2019 at 11:11 pm
Barr, Sessions, every congressmen all the corporate MSM war profiteer mouth pieces. They
all know that "Russia hacked the DNC" and "Russia meddled" is fabricated garbage. They don't
care, because their chosen war beast corporate candidate couldn't beat Donald goofball Trump.
So it has to be shown that the war beast only lost because of nefarious reasons. Because
they're gonna run another war beast cut from the same cloth as Hillary in 2020.
Realist , March 14, 2019 at 3:22 am
You betcha. Moreover, who but the Russians do these idiots have left to blame? Everybody
else is now off limits due to political correctness. Sigh. Those Catholics, Jews, "ethnics"
and sundry "deviants" used to be such reliable scapegoats, to say nothing of the
"undeveloped" world. As Clapper "authoritatively" says, only this vile lineage still carries
the genes for the most extremes of human perfidy. Squirrels in your attic? It must be the
damned Russkies! The bastards impudently tried to copy our democracy, economic system and
free press and only besmirched those institutions, ruining all of Hillary's glorious plans
for a worldwide benevolent dictatorship. All this might be humorous if it weren't so
funny.
And those Chinese better not get to thinking they are somehow our equals just because all
their trillions invested in U.S. Treasury bonds have paid for all our wars of choice and MIC
boondoggles since before the turn of the century. Unless they start delivering Trump some
"free stuff" the big man is gonna cut off their water. No more affordable manufactured goods
for the American public! So there!
As to the article: impeccable research and analysis by the VIPS crew yet again. They've
proven to me that, to a near certainty, the Easter Bunny is not likely to exist. Mueller
won't read it. Clapper will still prance around a free man, as will Brennan. The Democrats
won't care, that is until November of 2020. And Hillary will continue to skate, unhindered in
larding up the Clinton Foundation to purposes one can only imagine.
Joe Tedesky , March 14, 2019 at 10:02 pm
Realist,
I have posted this article 'the Russia they Lost' before and from time to time but
once again it seems appropriate to add this link to expound upon for what you've been saying.
It's an article written by a Russian who in their youth growing up in the USSR dreamed of
living the American lifestyle if Russia were to ever ditch communism. But. Starting with
Kosovo this Russian's youthful dream turned nightmarishly ugly and, as time went by with more
and yet even more USA aggression this Russian author lost his admiration and desire for all
things American to be proudly envied. This is a story where USA hard power destroyed any hope
of American soft power for world unity. But hey that unity business was never part of the
plan anyway.
right you are, joe. if america was smart rather than arrogant, it would have cooperated
with china and russia to see the belt and road initiative succeed by perhaps building a
bridge or tunnel from siberia to alaska, and by building its own fleet of icebreakers to open
up its part of the northwest passage. but no, it only wants to sabotage what others propose.
that's not being a leader, it's being a dick.
i'm gonna have to go on the disabled list here until the sudden neurological problem with
my right hand clears up–it's like paralysed. too difficult to do this one-handed using
hunt and peck. at least the problem was not in the old bean, according to the scans. carry
on, sir.
Brian James , March 13, 2019 at 5:04 pm
Mar 4, 2019 Tom Fitton: President Trump a 'Crime Victim' by Illegal Deep State DOJ &
FBI Abuses: https://youtu.be/ixWMorWAC7c
DH Fabian , March 13, 2019 at 5:55 pm
Trump is a willing player in this game. The anti-Russian Crusade was, quite simply, a stunningly reckless,
short-sighted effort to overturn the 2016 election, removing Trump to install Hillary Clinton in office. Trump and the
Republicans continue to win by default, as Democrats only drive more voters away.
Thank you Ray McGovern and the Other 17 VIPS Co-Signers of your National Security Essay
for Truth. Along with Craig Murray and Seymour Hersh, former Sam Adams Award winners for
"shining light into dark places", you are national resources for objectivity in critical
survival information matters for our country. It is more than a pity that our mainstream
media are so beholden to their corporate task masters that they cannot depart from the
company line for fear of losing their livelihoods, and in the process we risk losing life on
the planet because of unconstrained nuclear war on the part of the two main adversaries
facing off in an atmosphere of fear and mistrust. Let me speak plainly. THEY SHOULD BE
TALKING TO YOU AND NOT THE VESTED INTERESTS' MOUTHPIECES. Thank you for your continued
leadership!
Roger Ailes founder of FOX news died, "falling down stairs" within a week of FOX news
exposing to the world that the assassinated Seth Rich downloaded the DNC emails.
DH Fabian , March 13, 2019 at 6:03 pm
Google the Mueller investigation report from last June or July. When it was released, the
public response was like a deflated balloon. It did not support the "Russian collusion"
allegations -- the only thing Democrats still had left to sell. The report resulted in
roughly 150 indictments for perjury/financial crimes (not political), and a handful of
convictions to date -- none of which had anything to do with the election results.
Hank , March 13, 2019 at 6:19 pm
Much ado about nothing. All the talk and chatter and media airplay about "Russian
meddling" in the 2016 election only tells me that these liars think the American public is
that stupid. They are probably right, but the REAL reason that Hillary lost is because there
ARE enough informed people now in this nation who are quite aware of the Clinton's sordid
history where scandals seem to follow every where they go, but indictments and/or
investigations don't. There IS an internet nowadays with lots of FACTUAL DOCUMENTED
information. That's a lot more than I can say about the mainstream corporate-controlled
media!
I know this won't ever happen, but an HONEST investigation into the Democratic Party and
their actions during the 2016 election would make ANY collusion with ANY nation look like a
mole hill next to a mountain! One of the problems with living in this nation is if you are
truly informed and make an effort 24/7 to be that way by doing your own research, you
more-than-likely can be considered an "island in a sea of ignorance".
We know that the FBI never had access to the servers and a private company was allowed to
handle the evidence. Wasn't it a crime scene? The evidence was tampered with, and we will never
know what was on the servers.
Mark McCarty , March 13, 2019 at 4:10 pm
As a complement to this excellent analysis, I would like to make 2 further points:
The Mueller indictment of Russian Intelligence for hacking the DNC and transferring their
booty to Wikileaks is absurd on its face for this reason: Assange announced on June 12th the
impending release of Hillary-related emails. Yet the indictment claims that Guccifer 2.0 did
not succeed in transferring the DNC emails to Wikileaks until the time period of July 14-18th
– after which they were released online on July 22nd. Are we to suppose that Assange, a
publisher of impeccable integrity, publicly announced the publication of emails he had not
yet seen, and which he was obtaining from a source of murky provenance? And are we further to
suppose that Wikileaks could have processed 20K emails and 20K attachments to ensure their
genuineness in a period of only several days? As you will recall, Wikileaks subsequently took
a number of weeks to process the Podesta emails they released in October.
And another peculiarity merits attention. Assange did not state on June 12th that he was
releasing DNC emails – and yet Crowdstrike and the Guccifer 2.0 persona evidently knew
that this was in store. A likely resolution of this conundrum is that US intelligence had
been monitoring all communications to Wikileaks, and had informed the DNC that their hacked
emails had been offered to Wikileaks. A further reasonable prospect is that US intelligence
subsequently unmasked the leaker to the DNC; as Assange has strongly hinted, this likely was
Seth Rich. This could explain Rich's subsequent murder, as Rich would have been in a position
to unmask the Guccifer 2.0 hoax and the entire Russian hacking narrative.
Curious that Assange has Not explicitly stated that the leaker was Seth Rich, if it was,
as this would take pressure from himself and incriminate the DNC in the murder of Rich.
Perhaps he doesn't know, and has the honor not to take the opportunity, or perhaps he knows
that it was not Rich.
View the Dutch TV interview with Assange and there is another interview available on
youtube in which Assange DOES subtly confirm it was Seth Rich.
Assange posted a $10,000 reward for the capture of Seth Rich's murderer.
Abby , March 13, 2019 at 10:11 pm
Another mistaken issue with the "Russia hacked the DNC computers on Trump's command" is
that he never asked Russia to do that. His words were, "Russia if you 'find' Hillary's
missing emails let us know." He said that after she advised congress that she wouldn't be
turning in all of the emails they asked for because she deleted 30,000 of them and said that
they were personal.
But if Mueller or the FBI wants to look at all of them they can find them at the NYC FBI
office because they are on Weiner's laptop. Why? Because Hillary's aide Huma Abedin, Weiner's
wife sent them to it. Just another security risk that Hillary had because of her private
email server. This is why Comey had to tell congress that more of them had been found 11 days
before the election. If Comey hadn't done that then the FBI would have.
But did Comey or McCabe look at her emails there to see if any of them were classified? No
they did not do that. And today we find out that Lisa Page told congress that it was Obama's
decision not to charge Hillary for being grossly negligent on using her private email server.
This has been known by congress for many months and now we know that the fix was always in
for her to get off.
robert e williamson jr , March 13, 2019 at 3:26 pm
I want to thank you folks at VIPS. Like I have been saying for years now the relationship
between CIA, NSA and DOJ is an incestuous one at best. A perverse corrupted bond to control
the masses. A large group of religious fanatics who want things "ONE WAY". They are the
facilitators for the rogue government known as the "DEEP STATE"!
Just ask billy barr.
More truth is a very good thing. I believe DOJ is supporting the intelligence community
because of blackmail. They can't come clean because they all risk doing lots of time if a new
judicial mechanism replaces them. We are in big trouble here.
Apparently the rule of law is not!
You folks that keep claiming we live in the post truth era! Get off me. Demand the truth
and nothing else. Best be getting ready for the fight of your lives. The truth is you have to
look yourself in the mirror every morning, deny that truth. The claim you are living in the
post truth era is an admission your life is a lie. Now grab a hold of yourself, pick a
dogdamned side and stand for something.
Thank You VIPS!
Joe Tedesky , March 13, 2019 at 2:58 pm
Hats off to the VIPS who have investigated this Russian hacking that wasn't a hacking, for
without them what would we news junkies have otherwise to lift open the hood of Mueller's
never ending Russia-gate investigation. Although the one thing this Russia-gate nonsense has
accomplished is it has destroyed our freedom of speech when it comes to how we citizens
gather our news. Much like everything else that has been done during these post 9/11 years of
continual wars our civil rights have been marginalized down to zero or, a bit above if that's
even still an argument to be made for the sake of numbers.
Watching the Manafort sentencing is quite interesting for the fact that Manafort didn't
conclude in as much as he played fast and loose with his income. In fact maybe Manafort's
case should have been prosecuted by the State Department or, how about the IRS? Also wouldn't
it be worth investigating other Geopolitical Rain Makers like Manafort for similar crimes of
financial wrongdoing? I mean is it possible Manafort is or was the only one of his type to do
such dishonest things? In any case Manafort wasn't charged with colluding with any Russians
in regard to the 2016 presidential election and, with that we all fall down.
I guess the best thing (not) that came out of this Russia-gate silliness is Rachel
Maddow's tv ratings zoomed upwards. But I hate to tell you that the only ones buying what Ms
Maddow is selling are the dyed-in-the-wool Hillary supporters along with the chicken-hawks
who rally to the MIC lobby for more war. It's all a game and yet there are many of us who
just don't wish to play it but still we must because no one will listen to the sanity that
gets ignored. Keep up the good work, VIPS; some of us are listening.
Andrew Thomas , March 13, 2019 at 12:42 pm
The article did not mention something called to my attention for the first time by one of
the outstanding members of your commentariat just a couple of days ago- that Ambassador
Murray stated publicly, over two years ago, that he had been given the thumb drive by a
go-between in D.C. and had somehow gotten it to Wikileaks. And, that he has NEVER BEEN
INTERVIEWED by Mueller & Company. I was blown away by this, and found the original
articles just by googling Murray. The excuse given is that Murray "lacks credibility," or
some such, because of his prior relationship with Assange and/or Wikileaks. This is so
ludicrous I can't even get my head around it. And now, you have given me a new detail: the
meeting with Pompeo, and the complete lack of follow-up thereafter. Here all this time I
thought I was the most cynical SOB who existed, and now I feel as naive as when I was 13 and
believed what Dean Rusk was saying like it was holy writ. I am in your debt.
Bob Van Noy , March 13, 2019 at 2:33 pm
Andrew Thomas I'm afraid that huge amounts of our History post 1947 is organized and
propagandized disinformation. There is an incredible page that John Simpkin has organized
over the years that specifically addresses individuals, click on a name and read about
them. https://spartacus-educational.com/USAdisinformation.htm
Mark McCarty , March 13, 2019 at 4:18 pm
A small correction: the Daily Mail article regarding Murray claimed that Murray was given
a thumbdrive which he subsequently carried back to Wikileaks. On his blog, Murray
subsequently disputed this part of the story, indicating that, while he had met with a leaker
or confederate of a leaker in Washington DC, the Podesta emails were already in possession of
Wikileaks at the time. Murray refused to clarify the reason for his meeting with this source,
but he is adamant in maintaining that the DNC and Podesta emails were leaked, not hacked.
And it is indeed ludicrous that Mueller, given the mandate to investigate the alleged
Russian hacking of the DNC and Podesta, has never attempted to question either Assange or
Murray. That in itself is enough for us to conclude that the Mueller investigation is a
complete sham.
Ian Brown , March 13, 2019 at 4:43 pm
It's pretty astonishing that Mueller was more interested in Roger Stone and Jerome Corsi
as credible sources about Wikileaks and the DNC release than Craig Murray!
LJ , March 13, 2019 at 12:29 pm
A guy comes in with a pedigree like that, "former FBI head", to examine and validate
if possible an FBI sting manufactured off a phony FISA indictment based on the Steele Report.
It immediately reminded me of the 9-11 Commission with Thomas Kean, former Board member of
the National Endowment for Democracy, being appointed by GW Bush the Simple to head an
investigation that he had previously said he did not want to authorize (and of course
bipartisan yes-man Lee Hamilton as #2, lest we forget). Really this should be seen as another
low point in our Democracy. Uncle Sam is the Limbo Man. How low can you go?
After Bill and
Hillary and Monica and Paula Jones and Blue Dresses well, Golden Showers in a Moscow luxury
hotel, I guess that make it just salacious enough.
Mueller looks just like what he is. He
has that same phony self-important air as Comey. In 2 years this will be forgotten. I do
not think this hurts Trump's chances at re-election as much as the Democrats are hurting
themselves. This has already gone on way too long.
Mueller has nothing and he well knows it. He was willingly roped into this whole pathetic
charade and he's left grasping for anything remotely tied to Trump campaign officials and
Russians.
Even the most tenuous connections and weak relationships are splashed across the mass
media in breathless headlines. Meanwhile, NONE of the supposed skulduggery unearthed by
Mueller has anything to do with the Kremlin "hacking" the election to favor Trump, which was
the entire raison d'etre behind Rosenstein, Brennan, Podesta and Mueller's crusade on behalf
of the deplorable DNC and Washington militarist-imperialists. It will be fascinating to
witness how Mueller and his crew ultimately extricate themselves from this giant fraudulent
edifice of deceit. Will they even be able to save the most rudimentary amount of face?
So sickening to see the manner in which many DNC sycophants obsequiously genuflect to
their godlike Mueller. A damn prosecutor who was likely in bed with the Winter Hill Gang.
Jack , March 13, 2019 at 12:21 pm
You have failed. An investigation is just that, a finding of the facts. What would Mueller
have to extricate himself from? If nothing is found, he has still done his job. You are a
divisive idiot.
Skip Scott , March 13, 2019 at 1:13 pm
Yes, he has done his job. And his job was to bring his royal Orangeness to heel, and to
make sure that detente and co-operation with Russia remained impossible. The forever war
continues. Mission Accomplished.
@Jack,
Keep running cover for an out of control prosecutor, who, if he had any integrity, would have
hit the bully pulpit months ago declaring there's nothing of substance to one of the most
potentially dangerous accusations in world history: the Kremlin hacking the election. Last I
checked it puts two nuclear nation-states on the brink of potential war. And you call me
divisive? Mueller's now a willing accomplice to this entire McCarthyite smear and
disinformation campaign. It's all so pathetic that folks such as yourself try and mislead and
feed half-truths to the people.
Drew, you might enjoy this discussion Robert Scheer has with Stephen Cohen and Katrina
vanden Heuvel.
Realist , March 15, 2019 at 3:38 am
Moreover, as the Saker pointed out in his most recent column in the Unz Review, the entire
Deep State conspiracy, in an ad hoc alliance with the embarrassed and embarrassing Democrats,
have made an absolute sham of due process in their blatant witch hunt to bag the president.
This reached an apex when his personal lawyer, Mr. Cohen, was trotted out before congress to
violate Trump's confidentiality in every mortifying way he could even vaguely reconstruct.
The man was expected to say anything to mitigate the anticipated tortures to come in the
course of this modern day inquisition by our latter day Torquemada. To his credit though,
even with his ass in a sling, he could simply not confabulate the smoking gun evidence for
the alleged Russian collusion that this whole farce was built around.
Mueller stood with Bush as he lied the world into war based on lies and illegally spied on
America and tortured some folks.
George Collins , March 13, 2019 at 2:02 pm
QED: as to the nexus with the Winter Hill gang wasn't there litigation involving the
Boston FBI, condonation of murder by the FBI and damages awarded to or on behalf of convicted
parties that the FBI had reason to know were innocent? The malfeasance reportedly occurred
during Mueller time. Further on the sanctified diligence of Mr. Mueller can be gleaned from
the reports of Coleen Rowley, former FBI attorney stationed in Milwaukee??? when the DC FBI
office was ignoring warnings sent about 9/11. See also Sibel Edmonds who knew too much and was
court-order muzzled about FBI mis/malfeasance in the aftermath of 9/11.
I'd say it's game, set, match VIPS and a pox on Clapper and the
complicit intelligence folk complicit in the nuclear loaded Russia-gate fibs.
Kiers , March 13, 2019 at 11:47 am
How can we expect the DNC to "hand it " to Trumpf, when, behind the scenes, THEY ARE ONE
PARTY. They are throwing faux-scary pillow bombs at each other because they are both
complicit in a long chain of corruptions. Business as usual for the "principled" two party
system! Democracy! Through the gauze of corporate media! You must be joking!
Skip Scott , March 13, 2019 at 11:28 am
"We believe that there are enough people of integrity in the Department of Justice to
prevent the outright manufacture or distortion of "evidence," particularly if they become
aware that experienced scientists have completed independent forensic study that yield very
different conclusions."
I wish I shared this belief. However, as with Nancy Pelosi's recent statement regarding
pursuing impeachment, I smell a rat. I believe with the help of what the late Robert Parry
called "the Mighty Wurlitzer", Mueller is going to use coerced false testimony and fabricated
forensics to drop a bombshell the size of 911. I think Nancy's statement was just a feint
before throwing the knockout punch.
If reason ruled the day, we should have nothing to worry about. But considering all the
perfidy that the so-called "Intelligence" Agencies and their MSM lackeys get away with daily,
I think we are in for more theater; and I think VIPS will receive a cold shoulder outside of
venues like CN.
I pray to God I'm wrong.
Sam F , March 13, 2019 at 7:32 pm
My extensive experience with DOJ and the federal judiciary establishes that at least 98%
of them are dedicated career liars, engaged in organized crime to serve political gangs, and
make only a fanatical pretense of patriotism or legality. They are loyal to money alone,
deeply cynical and opposed to the US Constitution and laws, with no credibility at all beyond
any real evidence.
Eric32 , March 14, 2019 at 4:24 pm
As near as I can see, Federal Govt. careers at the higher levels depend on having dirt on
other players, and helping, not hurting, the money/power schemes of the players above
you.
The Clintons (through their foundation) apparently have a lot of corruption dirt on CIA,
FBI etc. top players, some of whom somehow became multi-millionaires during their civil
service careers.
Trump, who was only running for President as a name brand marketing ploy with little
desire to actually win, apparently came into the Presidency with no dirt arsenal and little
idea of where to go from there.
Bob Van Noy , March 13, 2019 at 11:09 am
I remember reading with dismay how Russians were propagandized by the Soviet Press
Management only to find out later the depth of disbelief within the Russian population
itself. We now know what that feels like. The good part of this disastrous scenario for
America is that for careful readers, disinformation becomes revelatory. For instance, if one
reads an editorial that refers to the Russian invasion of Ukraine, or continually refers to
Russian interference in the last Presidential election, then one can immediately dismiss the
article and question the motivation for the presentation. Of course the problem is how to
establish truth in reporting.
Jeff Harrison , March 13, 2019 at 10:41 am
Thank you, VIPs. Hopefully, you don't expect this to make a difference. The US has moved
into a post truth, post reality existence best characterized by Karl Rove's declaration:
"we're an empire now, when we act, we create our own reality." What Mr. Rove in his arrogance
fails to appreciate is that it is his reality but not anyone else's. Thus Pompous can claim
that Guaido is the democratic leader in Venezuela even though he's never been elected.
Thank you. The next time one of my friends or family give me that glazed over stare and
utters anymore of the "but, RUSSIA" nonsense I will refer them directly to this article. Your
collective work and ethical stand on this matter is deeply appreciated by anyone who values
the truth.
Russiagate stands with past government propaganda operations that were simply made up out
of thin air: i.e. Kuwaiti incubator babies, WMD's, Gaddafi's viagra fueled rape camps, Assad
can't sleep at night unless he's gassing his own people, to the latest, "Maduro can't sleep
at night unless he's starving his own people."
The complete and utter amorality of the deep state remains on display for all to see with
"Russiagate," which is as fact-free a propaganda campaign as any of those just mentioned.
Marc , March 13, 2019 at 10:13 am
I am a computer naif, so I am prepared to accept the VIPS analysis about FAT and transfer
rates. However, the presentation here leaves me with several questions. First, do I
understand correctly that the FAT rounding to even numbers is introduced by the thumb drive?
And if so, does the FAT analysis show only that the DNC data passed through a thumb drive?
That is, does the analysis distinguish whether the DNC data were directly transferred to a
thumb drive, or whether the data were hacked and then transferred to a thumb drive, eg, to
give a copy to Wikileaks? Second, although the transatlantic transfer rate is too slow to fit
some time stamps, is it possible that the data were hacked onto a local computer that was
under the control of some faraway agent?
Jeff Harrison , March 13, 2019 at 11:12 am
Not quite. FAT is the crappy storage system developed by Microsoft (and not used by UNIX).
The metadata associated with any file gets rewritten when it gets moved. If that movement is
to a storage device that uses FAT, the timestamp on the file will end in an even number. If
it were moved to a unix server (and most of the major servers run Unix) it would be in the
UFS (unix file system) and it would be the actual time from the system clock. Every storage
device has a utility that tells it where to write the data and what to write. Since it's
writing to a storage device using FAT, it'll round the numbers. To get to your real question,
yes, you could hack and then transfer the data to a thumb drive but if you did that the dates
wouldn't line up.
Skip Scott , March 14, 2019 at 8:05 am
Jeff-
Which dates wouldn't line up? Is there a history of metadata available, or just metadata
for the most recent move?
David G , March 13, 2019 at 12:22 pm
Marc asks: "[D]oes the analysis distinguish whether the DNC data were directly transferred
to a thumb drive, or whether the data were hacked and then transferred to a thumb drive, eg,
to give a copy to Wikileaks?"
I asked that question in comments under a previous CN piece; other people have asked that
question elsewhere.
To my knowledge, it hasn't been addressed directly by the VIPS, and I think they should do
so. (If they already have, someone please enlighten me.)
Skip Scott , March 13, 2019 at 1:07 pm
I am no computer wiz, but Binney has repeatedly made the point that the NSA scoops up
everything. If there had been a hack, they'd know it, and they wouldn't only have had
"moderate" confidence in the Jan. assessment. I believe that although farfetched, an argument
could be made that a Russian spy got into the DNC, loaded a thumb drive, and gave it to Craig
Murray.
David G , March 13, 2019 at 3:31 pm
Respectfully, that's a separate point, which may or may not raise issues of its own.
But I think the question Marc posed stands.
Skip Scott , March 14, 2019 at 7:59 am
Hi David-
I don't see how it's separate. If the NSA scoops up everything, they'd have solid evidence
of the hack, and wouldn't have only had "moderate" confidence, which Bill Binney says is
equivalent to them saying "we don't have squat". They wouldn't even have needed Mueller at
all, except to possibly build a "parallel case" due to classification issues. Also, the FBI
not demanding direct access to the DNC server tells you something is fishy. They could easily
have gotten a warrant to examine the server, but chose not to. They also purposely refuse to
get testimony from Craig Murray and Julian Assange, which rings alarm bells on its own.
As for the technical aspect of Marc's question, I agree that I'd like to see Bill Binney
directly answer it.
The final Mueller report should be graded "incomplete," says VIPS, whose forensic work proves the speciousness of the story that
DNC emails published by WikiLeaks came from Russian hacking.
MEMORANDUM FOR: The Attorney General
FROM: Veteran Intelligence Professionals for Sanity (VIPS)
SUBJECT: Mueller's Forensics-Free Findings
Executive Summary
Media reports are predicting that Special Counsel Robert Mueller is about to give you the findings of his probe into any
links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump.
If Mueller gives you his "completed" report anytime soon, it should be graded "incomplete."
Major deficiencies include depending on a DNC-hired cybersecurity company for forensics and failure to consult with those who
have done original forensic work, including us and the independent forensic investigators with whom we have examined the data. We
stand ready to help.
We veteran intelligence professionals (VIPS) have done enough detailed forensic work to prove the speciousness of the prevailing
story that the DNC emails published by WikiLeaks came from Russian hacking. Given the paucity of evidence to support that story,
we believe Mueller may choose to finesse this key issue and leave everyone hanging. That would help sustain the widespread belief
that Trump owes his victory to President Vladimir Putin, and strengthen the hand of those who pay little heed to the unpredictable
consequences of an increase in tensions with nuclear-armed Russia.
There is an overabundance of "assessments" but a lack of hard evidence to support that prevailing narrative. We believe that there
are enough people of integrity in the Department of Justice to prevent the outright manufacture or distortion of "evidence," particularly
if they become aware that experienced scientists have completed independent forensic study that yield very different conclusions.
We know only too well -- and did our best to expose -- how our former colleagues in the intelligence community manufactured fraudulent
"evidence" of weapons of mass destruction in Iraq.
We have scrutinized publicly available physical data -- the "trail" that every cyber operation leaves behind. And we have had
support from highly experienced independent forensic investigators who, like us, have no axes to grind. We can prove that the conventional-wisdom
story about Russian-hacking-DNC-emails-for-WikiLeaks is false. Drawing largely on the unique expertise of two VIPS scientists who
worked for a combined total of 70 years at the National Security Agency and became Technical Directors there, we have regularly published
our findings. But we have been deprived of a hearing in mainstream media -- an experience painfully reminiscent of what we had to
endure when we exposed the corruption of intelligence before the attack on Iraq 16 years ago.
This time, with the principles of physics and forensic science to rely on, we are able to adduce solid evidence exposing mistakes
and distortions in the dominant story. We offer you below -- as a kind of aide-memoire -- a discussion of some of the key
factors related to what has become known as "Russia-gate." And we include our most recent findings drawn from forensic work on data
associated with WikiLeaks' publication of the DNC emails.
We do not claim our conclusions are "irrefutable and undeniable," a la Colin Powell at the UN before the Iraq war. Our judgments,
however, are based on the scientific method -- not "assessments." We decided to put this memorandum together in hopes of ensuring
that you hear that directly from us.
If the Mueller team remains reluctant to review our work -- or even to interview willing witnesses with direct knowledge, like
WikiLeaks' Julian Assange and former UK Ambassador Craig Murray, we fear that many of those yearning earnestly for the truth on Russia-gate
will come to the corrosive conclusion that the Mueller investigation was a sham.
In sum, we are concerned that, at this point, an incomplete Mueller report will fall far short of the commitment made by then
Acting Attorney General Rod Rosenstein "to ensure a full and thorough investigation," when he appointed Mueller in May 2017. Again,
we are at your disposal.
Discussion
The centerpiece accusation of Kremlin "interference" in the 2016 presidential election was the charge that Russia hacked Democratic
National Committee emails and gave them to WikiLeaks to embarrass Secretary Hillary Clinton and help Mr. Trump win. The weeks following
the election witnessed multiple leak-based media allegations to that effect. These culminated on January 6, 2017 in an evidence-light,
rump report misleadingly labeled "Intelligence Community Assessment (ICA)." Prepared by "handpicked analysts" from only three of
the 17 U.S. intelligence agencies (CIA, FBI, and NSA), the assessment expressed "high confidence" in the Russia-hacking-to-WikiLeaks
story, but lacked so much as a hint that the authors had sought access to independent forensics to support their "assessment."
The media immediately awarded the ICA the status of Holy Writ, choosing to overlook an assortment of banal, full-disclosure-type
caveats included in the assessment itself -- such as:
"When Intelligence Community analysts use words such as 'we assess' or 'we judge,' they are conveying an analytic assessment
or judgment. Judgments are not intended to imply that we have proof that shows something to be a fact. Assessments are based on
collected information, which is often incomplete or fragmentary ... High confidence in a judgment does not imply that the assessment
is a fact or a certainty; such judgments might be wrong."
To their credit, however, the authors of the ICA did make a highly germane point in introductory remarks on "cyber incident attribution."
They noted: "The nature of cyberspace makes attribution of cyber operations difficult but not impossible. Every kind of cyber
operation -- malicious or not -- leaves a trail." [Emphasis added.]
Forensics
The imperative is to get on that "trail" -- and quickly, before red herrings can be swept across it. The best way to establish
attribution is to apply the methodology and processes of forensic science. Intrusions into computers leave behind discernible physical
data that can be examined scientifically by forensic experts. Risk to "sources and methods" is normally not a problem.
Direct access to the actual computers is the first requirement -- the more so when an intrusion is termed "an act of war" and
blamed on a nuclear-armed foreign government (the words used by the late Sen. John McCain and other senior officials). In testimony
to the House Intelligence Committee in March 2017, former FBI Director James Comey admitted that he did not insist on physical access
to the DNC computers even though, as he conceded, "best practices" dictate direct access.
In June 2017, Senate Intelligence Committee Chair Richard Burr asked Comey whether he ever had "access to the actual hardware
that was hacked." Comey answered, "In the case of the DNC we did not have access to the devices themselves. We got relevant forensic
information from a private party, a high-class entity, that had done the work." Sen. Burr followed up: "But no content? Isn't content
an important part of the forensics from a counterintelligence standpoint?" Comey: "It is, although what was briefed to me by my folks
is that they had gotten the information from the private party that they needed to understand the intrusion by the spring of 2016."
The "private party/high-class entity" to which Comey refers is CrowdStrike, a cybersecurity firm of checkered reputation and multiple
conflicts of interest, including very close ties to a number of key anti-Russian organizations. Comey indicated that the DNC hired
CrowdStrike in the spring of 2016.
Given the stakes involved in the Russia-gate investigation -- including a possible impeachment battle and greatly increased tension
between Russia and the U.S. -- it is difficult to understand why Comey did not move quickly to seize the computer hardware so the
FBI could perform an independent examination of what quickly became the major predicate for investigating election interference by
Russia. Fortunately, enough data remain on the forensic "trail" to arrive at evidence-anchored conclusions. The work we have done
shows the prevailing narrative to be false. We have been suggesting this for over two years. Recent forensic work significantly strengthens
that conclusion.
We Do Forensics
Recent forensic examination of the Wikileaks DNC files shows they were created on 23, 25 and 26 May 2016. (On June 12, Julian
Assange announced he had them; WikiLeaks published them on July 22.) We recently discovered that the files reveal a FAT (File Allocation
Table) system property. This shows that the data had been transferred to an external storage device, such as a thumb drive,
before WikiLeaks posted them.
FAT is a simple file system named for its method of organization, the File Allocation Table. It is used for storage only and is
not related to internet transfers like hacking. Were WikiLeaks to have received the DNC files via a hack, the last modified times
on the files would be a random mixture of odd-and even-ending numbers.
Why is that important? The evidence lies in the "last modified" time stamps on the Wikileaks files. When a file is stored under
the FAT file system the software rounds the time to the nearest even-numbered second. Every single one of the time stamps in the
DNC files on WikiLeaks' site ends in an even number.
We have examined 500 DNC email files stored on the Wikileaks site. All 500 files end in an even number -- 2, 4, 6, 8 or 0. If
those files had been hacked over the Internet, there would be an equal probability of the time stamp ending in an odd number. The
random probability that FAT was not used is 1 chance in 2 to the 500th power. Thus, these data show that the DNC emails posted by
WikiLeaks went through a storage device, like a thumb drive, and were physically moved before Wikileaks posted the emails on the
World Wide Web.
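The parity test the memo describes, written out as an added example (this is not VIPS' or Consortium News' code, and the memo does not publish its own procedure). It models the 2-second resolution of the DOS date/time field that FAT stores, counts even-second modification times in a set of files, and computes the exact chance that at least that many would come out even if each timestamp were an independent coin flip, which for 500 of 500 is the 1-in-2^500 figure above. The sample timestamps are constructed; `scan_mtimes` is a front end that reads real `st_mtime` values from a directory. The same block also answers the question raised in the comment thread above about how the even/odd observation is actually measured.

```python
"""Even-second timestamp test for 2-second (DOS/FAT) time resolution.

Added example; not VIPS' or Consortium News' tooling. The sample timestamps
below are constructed for illustration.
"""
from __future__ import annotations

import math
from fractions import Fraction
from pathlib import Path


def dos_time_resolution(epoch_seconds: float) -> int:
    """Model the 2-second resolution of the DOS date/time field used by FAT.

    The on-disk field stores seconds/2 in 5 bits, so only even seconds are
    representable. Whether a given driver truncates or rounds to get there
    varies; the stored second is even either way, which is all the parity
    test relies on.
    """
    whole = int(epoch_seconds)
    return whole - (whole % 2)


def even_second_stats(mtimes: list[int]) -> tuple[int, int]:
    """Return (number of even-second timestamps, total).

    Epoch seconds and the wall-clock seconds field share parity because
    minutes, hours and time-zone offsets are all multiples of 60 seconds.
    """
    even = sum(1 for t in mtimes if int(t) % 2 == 0)
    return even, len(mtimes)


def chance_at_least_this_many_even(n_even: int, n_total: int) -> Fraction:
    """Exact probability of >= n_even even seconds out of n_total if each
    timestamp were an independent fair odd/even draw (a binomial tail).
    For n_even == n_total this is 1 / 2**n_total."""
    if not 0 <= n_even <= n_total:
        raise ValueError("n_even must be between 0 and n_total")
    favourable = sum(math.comb(n_total, k) for k in range(n_even, n_total + 1))
    return Fraction(favourable, 2 ** n_total)


def scan_mtimes(directory: str | Path) -> list[int]:
    """Collect whole-second modification times of the regular files in
    `directory` (top level only), as a real-input front end for the test."""
    return sorted(int(p.stat().st_mtime) for p in Path(directory).iterdir()
                  if p.is_file())


# Constructed sample: ten epoch timestamps (late May 2016) with mixed parity,
# standing in for "last modified" times recovered from a set of files.
BASE = 1_464_048_000
SAMPLE_MTIMES_NETWORK = [BASE + off for off in (0, 1, 2, 3, 5, 8, 13, 21, 34, 55)]
# The same set after passing through a FAT volume: every second becomes even.
SAMPLE_MTIMES_FAT = [dos_time_resolution(t) for t in SAMPLE_MTIMES_NETWORK]


if __name__ == "__main__":
    for label, sample in (("mixed", SAMPLE_MTIMES_NETWORK), ("fat", SAMPLE_MTIMES_FAT)):
        even, total = even_second_stats(sample)
        p = chance_at_least_this_many_even(even, total)
        print(f"{label}: {even}/{total} even; chance by luck = {p} ({float(p):.3g})")
    print("500/500 even by luck:", chance_at_least_this_many_even(500, 500))
```

One caveat a practitioner would keep in mind when reading such a result: the DOS date/time format with its 2-second resolution is also what ZIP archive entries carry, so an all-even set of timestamps shows that the data passed through something that stores DOS-format times; the parity test by itself does not say which such container it was.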
This finding alone is enough to raise reasonable doubts, for example, about Mueller's indictment of 12 Russian intelligence officers
for hacking the DNC emails given to WikiLeaks. A defense attorney could easily use the forensics to argue that someone copied the
DNC files to a storage device like a USB thumb drive and got them physically to WikiLeaks -- not electronically via a hack.
Role of NSA
For more than two years, we strongly suspected that the DNC emails were copied/leaked in that way, not hacked. And we said so.
We remain intrigued by the apparent failure of NSA's dragnet, collect-it-all approach -- including "cast-iron" coverage of WikiLeaks
-- to provide forensic evidence (as opposed to "assessments") as to how the DNC emails got to WikiLeaks and who sent them. Well before
the telling evidence drawn from the use of FAT, other technical evidence led us to conclude that the DNC emails were not hacked over
the network, but rather physically moved over, say, the Atlantic Ocean.
Is it possible that NSA has not yet been asked to produce the collected packets of DNC email data claimed to have been hacked
by Russia? Surely, this should be done before Mueller completes his investigation. NSA has taps on all the transoceanic cables leaving
the U.S. and would almost certainly have such packets if they exist. (The detailed slides released by Edward Snowden actually show
the routes that trace the packets.)
The forensics we examined shed no direct light on who may have been behind the leak. The only thing we know for sure is that the
person had to have direct access to the DNC computers or servers in order to copy the emails. The apparent lack of evidence from
the most likely source, NSA, regarding a hack may help explain the FBI's curious preference for forensic data from CrowdStrike. No
less puzzling is why Comey would choose to call CrowdStrike a "high-class entity."
Comey was one of the intelligence chiefs briefing President Obama on January 5, 2017 on the "Intelligence Community Assessment,"
which was then briefed to President-elect Trump and published the following day. That Obama found a key part of the ICA narrative
less than persuasive became clear at his last press conference (January 18), when he told the media, "The conclusions of the intelligence
community with respect to the Russian hacking were not conclusive as to how 'the DNC emails that were leaked' got to WikiLeaks."
Is Guccifer 2.0 a Fraud?
There is further compelling technical evidence that undermines the claim that the DNC emails were downloaded over the internet
as a result of a spearphishing attack. William Binney, one of VIPS' two former Technical Directors at NSA, along with other former
intelligence community experts, examined files posted by Guccifer 2.0 and discovered that those files could not have been downloaded
over the internet. It is a simple matter of mathematics and physics.
There was a flurry of activity after Julian Assange announced on June 12, 2016: "We have emails relating to Hillary Clinton which
are pending publication." On June 14, DNC contractor CrowdStrike announced that malware was found on the DNC server and claimed there
was evidence it was injected by Russians. On June 15, the Guccifer 2.0 persona emerged on the public stage, affirmed the DNC statement,
claimed to be responsible for hacking the DNC, claimed to be a WikiLeaks source, and posted a document that forensics show
was synthetically tainted with "Russian fingerprints."
Our suspicions about the Guccifer 2.0 persona grew when G-2 claimed responsibility for a "hack" of the DNC on July 5, 2016, which
released DNC data that was rather bland compared to what WikiLeaks published 17 days later (showing how the DNC had tipped the primary
scales against Sen. Bernie Sanders). As VIPS
reported in a wrap-up
Memorandum for the President on July 24, 2017 (titled "Intel Vets Challenge 'Russia Hack' Evidence"), forensic examination of the
July 5, 2016 cyber intrusion into the DNC showed it NOT to be a hack by the Russians or by anyone else, but rather a copy onto an
external storage device. It seemed a good guess that the July 5 intrusion was a contrivance to preemptively taint anything WikiLeaks
might later publish from the DNC, by "showing" it came from a "Russian hack." WikiLeaks published the DNC emails on July 22, three
days before the Democratic convention.
As we prepared our July 24 memo for the President, we chose to begin by taking Guccifer 2.0 at face value; i.e., that the documents
he posted on July 5, 2016 were obtained via a hack over the Internet. Binney conducted a forensic examination of the metadata contained
in the posted documents and compared that metadata with the known capacity of Internet connection speeds at the time in the U.S.
This analysis showed a transfer rate as high as 49.1 megabytes per second, which is much faster than was possible from a remote online
Internet connection. The 49.1 megabytes speed coincided, though, with the rate that copying onto a thumb drive could accommodate.
Binney, assisted by colleagues with relevant technical expertise, then extended the examination and ran various forensic tests
from the U.S. to the Netherlands, Albania, Belgrade and the UK. The fastest Internet rate obtained -- from a data center in New Jersey
to a data center in the UK -- was 12 megabytes per second, which is less than a fourth of the capacity typical of a copy onto a thumb
drive.
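An added illustration of the rate inference described in the two paragraphs above. It is not Binney's or VIPS' procedure, which the memo does not spell out; the method here (per-file sizes and modification times, with each file's mtime taken as the moment its last byte was written) is an assumption made for the example. It divides the bytes that landed between two successive distinct timestamps by the elapsed seconds, reports the peak, and compares it against a measured network ceiling. The records are constructed; the 12 MB/s ceiling is the memo's own measured transatlantic figure.

```python
"""Implied transfer rate from file sizes and modification times.

Added example; not VIPS' or Binney's method, which the memo does not detail.
The records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

MB = 1_000_000  # decimal megabyte, as in the memo's "megabytes per second"


@dataclass(frozen=True)
class FileRecord:
    name: str
    size_bytes: int
    mtime: int  # epoch seconds read from the file's metadata


def implied_rates(records: list[FileRecord]) -> list[tuple[int, float]]:
    """Return (timestamp, MB/s) for each distinct modification time after the
    first. Assumption: a file's mtime is when its last byte was written, so the
    bytes of all files stamped within (t_prev, t_cur] arrived in t_cur - t_prev
    seconds. Files sharing the earliest timestamp have no window and are skipped.
    """
    by_time: dict[int, int] = {}
    for r in records:
        by_time[r.mtime] = by_time.get(r.mtime, 0) + r.size_bytes
    times = sorted(by_time)
    rates: list[tuple[int, float]] = []
    for prev, cur in zip(times, times[1:]):
        rates.append((cur, by_time[cur] / (cur - prev) / MB))
    return rates


def peak_rate(records: list[FileRecord]) -> float:
    """Highest implied rate in MB/s (0.0 when there is at most one timestamp)."""
    return max((mbps for _, mbps in implied_rates(records)), default=0.0)


def exceeds_network_ceiling(records: list[FileRecord], ceiling_mbps: float) -> bool:
    """True when the peak implied rate is above a measured network ceiling,
    i.e. the timestamps are inconsistent with a transfer at that ceiling."""
    return peak_rate(records) > ceiling_mbps


def megabits_per_second(mbps: float) -> float:
    """Convert MB/s to Mbit/s; link speeds are usually quoted in bits, and
    mixing the two units is the easiest way to get this comparison wrong."""
    return mbps * 8


T0 = 1_467_676_800  # constructed epoch base
SAMPLE_RECORDS = [  # constructed metadata; names are hypothetical
    FileRecord("archive-a.zip", 150 * MB, T0),
    FileRecord("archive-b.zip", 98_200_000, T0 + 2),
    FileRecord("archive-c.zip", 24 * MB, T0 + 2),
    FileRecord("archive-d.zip", 60 * MB, T0 + 10),
]
MEASURED_CEILING_MBPS = 12.0  # the memo's fastest measured transatlantic rate


if __name__ == "__main__":
    for ts, mbps in implied_rates(SAMPLE_RECORDS):
        print(f"t={ts}: {mbps:.1f} MB/s ({megabits_per_second(mbps):.0f} Mbit/s)")
    print("peak exceeds measured ceiling:",
          exceeds_network_ceiling(SAMPLE_RECORDS, MEASURED_CEILING_MBPS))
```

Two points worth keeping in view when applying this: the comparison is only meaningful if both sides use the same unit (bytes versus bits), and, as the comment thread above notes, a file's metadata is rewritten when it is copied, so the rate derived this way describes the last write that set the timestamps, not necessarily the original transfer.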
The findings from the examination of the Guccifer 2.0 data and the WikiLeaks data do not indicate who copied the information
to an external storage device (probably a thumb drive). But our examination does disprove that G.2 hacked into the DNC on July 5,
2016. Forensic evidence for the Guccifer 2.0 data adds to other evidence that the DNC emails were not taken by an internet spearphishing
attack. The data breach was local. The emails were copied from the network.
Presidential Interest
After VIPS' July 24, 2017 Memorandum for the President, Binney, one of its principal authors, was invited to share his insights
with Mike Pompeo, CIA Director at the time. When Binney arrived in Pompeo's office at CIA Headquarters on October 24, 2017 for an
hour-long discussion, the director made no secret of the reason for the invitation: "You are here because the President told me that
if I really wanted to know about Russian hacking I needed to talk with you."
Binney warned Pompeo -- to stares of incredulity -- that his people should stop lying about the Russian hacking. Binney then started
to explain the VIPS findings that had caught President Trump's attention. Pompeo asked Binney if he would talk to the FBI and NSA.
Binney agreed, but has not been contacted by those agencies. With that, Pompeo had done what the President asked. There was no follow-up.
Confronting James Clapper on Forensics
We, the hoi polloi, do not often get a chance to talk to people like Pompeo -- and still less to the former intelligence
chiefs who are the leading purveyors of the prevailing Russia-gate narrative. An exception came on November 13, when former National
Intelligence Director James Clapper came to the Carnegie Endowment in Washington to hawk his memoir. Answering a question during
the Q&A about Russian "hacking" and NSA, Clapper said:
"... Well, I have talked with NSA a lot ... And in my mind, I spent a lot of time in the SIGINT business, the forensic evidence
was overwhelming about what the Russians had done. There's absolutely no doubt in my mind whatsoever." [Emphasis added]
Clapper added: "... as a private citizen, understanding the magnitude of what the Russians did and the number of citizens in our
country they reached and the different mechanisms that, by which they reached them, to me it stretches credulity to think they didn't
have a profound impact on election on the outcome of the election."
(A transcript of the interesting Q&A can be found here, and a commentary on Clapper's performance at Carnegie, as well as on his
longstanding lack of credibility, is here.)
Normally soft-spoken Ron Wyden, Democratic senator from Oregon, lost his patience with Clapper last week when he learned that
Clapper is still denying that he lied to the Senate Intelligence Committee about the extent of NSA surveillance of U.S. citizens.
In an unusual outburst, Wyden said: "James Clapper needs to stop making excuses for lying to the American people about mass surveillance.
To be clear: I sent him the question in advance. I asked him to correct the record afterward. He chose to let the lie stand."
The materials brought out by Edward Snowden in June 2013 showed Clapper to have lied under oath to the committee on March 12,
2013; he was, nevertheless, allowed to stay on as Director of National Intelligence for three and a half more years. Clapper fancies
himself an expert on Russia, telling Meet the Press on May 28, 2017 that Russia's history shows that Russians are "typically,
almost genetically driven to co-opt, penetrate, gain favor, whatever."
Clapper ought to be asked about the "forensics" he said were "overwhelming about what the Russians had done." And that, too, before
Mueller completes his investigation.
For the steering group, Veteran Intelligence Professionals for Sanity:
William Binney, former NSA Technical Director for World Geopolitical & Military Analysis; Co-founder of NSA's Signals Intelligence Automation Research Center (ret.)
Richard H. Black, Senator of Virginia, 13th District; Colonel US Army (ret.); Former Chief, Criminal Law Division, Office of the Judge Advocate General, the Pentagon (associate VIPS)
Bogdan Dzakovic, former Team Leader of Federal Air Marshals and Red Team, FAA Security (ret.) (associate VIPS)
Philip Giraldi, CIA, Operations Officer (ret.)
Mike Gravel, former Adjutant, top secret control officer, Communications Intelligence Service; special agent of the Counter Intelligence Corps and former United States Senator
James George Jatras, former U.S. diplomat and former foreign policy adviser to Senate leadership (Associate VIPS)
Larry C. Johnson, former CIA and State Department Counter Terrorism officer
John Kiriakou, former CIA Counterterrorism Officer and former senior investigator, Senate Foreign Relations Committee
Karen Kwiatkowski, former Lt. Col., US Air Force (ret.), at Office of Secretary of Defense watching the manufacture of lies on Iraq, 2001-2003
Edward Loomis, Cryptologic Computer Scientist, former Technical Director at NSA (ret.)
David MacMichael, Ph.D., former senior estimates officer, National Intelligence Council (ret.)
Ray McGovern, former US Army infantry/intelligence officer & CIA analyst; CIA Presidential briefer (ret.)
Elizabeth Murray, former Deputy National Intelligence Officer for the Near East, National Intelligence Council & CIA political analyst (ret.)
Todd E. Pierce, MAJ, US Army Judge Advocate (ret.)
Peter Van Buren, US Department of State, Foreign Service Officer (ret.) (associate VIPS)
Sarah G. Wilton, CDR, USNR, (ret.); Defense Intelligence Agency (ret.)
Kirk Wiebe, former Senior Analyst, SIGINT Automation Research Center, NSA
Ann Wright, retired U.S. Army reserve colonel and former U.S. diplomat who resigned in 2003 in opposition to the Iraq War
Veteran Intelligence Professionals for Sanity (VIPS) is made up of former intelligence officers, diplomats, military officers
and congressional staffers. The organization, founded in 2002, was among the first critics of Washington's justifications for launching
a war against Iraq. VIPS advocates a US foreign and national security policy based on genuine national interests rather than contrived
threats promoted for largely political reasons. An archive of
VIPS memoranda is available at Consortiumnews.com.
Or in other words, a simple, reliable and clear solution (which has some faults due to its age) was replaced with a gigantic KISS
violation. No engineer worth the name will ever do that. And if it needs doing, any good engineer will make damned sure to achieve maximum
compatibility and a clean way back. The systemd people seem to be hell-bent on making it as hard as possible to not use their monster.
That alone is a good reason to stay away from it.
Notable quotes:
"... We are systemd. Lower your memory locks and surrender your processes. We will add your calls and code distinctiveness to our own. Your functions will adapt to service us. Resistance is futile. ..."
"... I think we should call systemd the Master Control Program since it seems to like making other programs functions its own. ..."
"... RHEL7 is a fine OS, the only thing it's missing is a really good init system. ..."
Systemd is nothing but a thinly-veiled plot by Vladimir Putin and Beyonce to import illegal German Nazi immigrants over the
border from Mexico who will then corner the market in kimchi and implement Sharia law!!!
They don't want to replace the kernel, they are more than happy to leverage Linus's good
work on what they see as a collection of device drivers. No, they want to replace the GNU/X
in the traditional Linux/GNU/X arrangement. All of the command line tools, up to and
including bash are to go, replaced with the more Windows like tools most of the systemd
developers grew up on, while X and the desktop environments all get rubbished for Wayland
and GNOME3.
And I would wish them luck, the world could use more diversity in operating systems. So
long as they stayed the hell over at RedHat and did their grand experiment and I could
still find a Linux/GNU/X distribution to run. But they had to be borg and insist that all
must bend the knee and to that I say HELL NO!
This is the core system within systemd that allows different bits of userspace to talk to
each other. But it's got problems. A demonstration of the D-Bus problem is the recent Jeep hack
by researchers Charlie Miller and Chris Valasek. The root problem was that D-Bus was openly
(without authentication) accessible from the Internet.
Likewise, the "AllJoyn" system for the "Internet of Things" opens up D-Bus on the home
network. D-Bus indeed simplifies communication within userspace, but its philosophy is to put
all your eggs in one basket, then drop the basket.
In the second part of his blog post, Strauss argues that systemd improves security by making
it easy to apply hardening techniques to the network services which he calls the "keepers of
data attackers want." According to Strauss, I'm "fighting one of the most powerful tools we
have to harden the front lines against the real attacks we see every day." Although systemd
does make it easy to restrict the privileges of services, Strauss vastly overstates the value
of these features.
The best systemd can offer is whole application sandboxing. You can start a daemon as a
non-root user, in a restricted filesystem namespace, with mandatory access control. Sandboxing
an entire application is an effective way to run potentially malicious code, since it protects
other applications from the malicious one. This makes sandboxing useful on smartphones, which
need to run many different untrustworthy, single-user applications. However, since sandboxing a
whole application cannot protect one part of the application from a compromise of a different
part, it is ineffective at securing benign-but-insecure software, which is the problem faced on
servers. Server applications need to service requests from many different users. If one user is
malicious and exploits a vulnerability in the application, whole application sandboxing doesn't
protect the other users of the service.
For concrete examples, let's consider Apache and Samba, two daemons which Strauss says would
benefit from systemd's features.
First Apache. You can start Apache as a non-root user provided someone else binds to ports
443 and 80. You can further sandbox it by preventing it from accessing parts of the filesystem
it doesn't need to access. However, no matter how much you try to sandbox Apache, a typical
setup is going to need a broad amount of access to do its job, including read permission to
your entire website (including password-protected parts) and access to any credential (database
password, API key, etc.) used by your CGI, PHP, or similar webapps.
Even under systemd's most restrictive sandboxing, an attacker who gains remote code
execution in Apache would be able to read your entire website, alter responses to your
visitors, steal your HTTPS private keys, and gain access to your database and any API consumed
by your webapps. For most people, this would be the worst possible compromise, and systemd can
do nothing to stop it. Systemd's sandboxing would prevent the attacker from gaining access to
the rest of your system (absent a vulnerability in the kernel or systemd), but in today's world
of single-purpose VMs and containers, that protection is increasingly irrelevant. The attacker
probably only wants your database anyways.
To provide a meaningful improvement to security without rewriting in a memory-safe language,
Apache would need to implement proper privilege separation. Privilege separation means using
multiple processes internally, each running with different privileges and responsible for
different tasks, so that a compromise while performing one task can't lead to the compromise of
the rest of the application. For instance, the process that accepts HTTP connections could pass
the request to a sandboxed process for parsing, and then pass the parsed request along to yet
another process which is responsible for serving files and executing webapps. Privilege
separation has been used effectively by OpenSSH, Postfix, qmail, Dovecot, and over a dozen daemons in
OpenBSD. (Plus a couple of my own: titus and rdiscd.) However, privilege
separation requires careful design to determine where to draw the privilege boundaries and how
to interface between them. It's not something which an external tool such as systemd can
provide. (Note: Apache already implements privilege separation that allows it to process
requests as a non-root user, but it is too coarse-grained to stop the attacks described
here.)
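The sandboxing directives the post refers to can be audited mechanically. The following is an added example (not code from the post or from the systemd project): it parses the [Service] section of a constructed unit and reports which hardening directives are absent or set to a weak value. The directive names are those documented in systemd.exec(5); which ones to check, and what counts as "strong", is this example's own selection.

```python
"""Audit the [Service] section of a systemd unit for sandboxing directives.

Added example, not code from the quoted blog post or from systemd itself.
SAMPLE_UNIT is constructed; the directive names are real systemd.exec(5)
options, but the set checked here is this example's own choice.
"""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
TRUE_RE = re.compile(r"^(yes|true|on|1)$", re.IGNORECASE)

# Constructed sample: an Apache-style unit with only partial hardening.
SAMPLE_UNIT = """\
[Unit]
Description=Example web server (constructed sample)

[Service]
ExecStart=/usr/sbin/httpd -DFOREGROUND
User=www-data
PrivateTmp=yes
ProtectSystem=full
# NoNewPrivileges, ProtectHome and CapabilityBoundingSet are absent on purpose.
"""

# Directive -> (pattern a strong value must match, why it matters).
CHECKS: Dict[str, Tuple[str, str]] = {
    "User": (r"^(?!root$).+", "run unprivileged (DynamicUser=yes also satisfies this)"),
    "NoNewPrivileges": (TRUE_RE.pattern, "setuid/fscaps binaries cannot raise privileges"),
    "ProtectSystem": (r"^(strict|full)$", "/usr and /boot (and /etc with strict) read-only"),
    "ProtectHome": (r"^(yes|true|read-only|tmpfs)$", "/home, /root and /run/user hidden"),
    "PrivateTmp": (TRUE_RE.pattern, "own /tmp and /var/tmp"),
    "PrivateDevices": (TRUE_RE.pattern, "no physical devices in /dev"),
    "CapabilityBoundingSet": (r".+", "capabilities dropped, e.g. keep only CAP_NET_BIND_SERVICE"),
    "RestrictAddressFamilies": (r".+", "socket families limited, e.g. AF_INET AF_INET6 AF_UNIX"),
}


def parse_service_section(unit_text: str) -> Dict[str, List[str]]:
    """Return {directive: [values...]} for the [Service] section only.

    Mirrors two systemd parsing rules: a directive may repeat (its values
    accumulate) and an empty assignment 'Key=' resets what was set so far.
    """
    section = None
    result: Dict[str, List[str]] = {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "":
            result[key] = []
        else:
            result.setdefault(key, []).append(value)
    return result


def audit(unit_text: str) -> Dict[str, str]:
    """Classify each checked directive as 'ok', 'weak' or 'missing'."""
    svc = parse_service_section(unit_text)
    dynamic_user = any(TRUE_RE.match(v) for v in svc.get("DynamicUser", []))
    report: Dict[str, str] = {}
    for key, (pattern, _why) in CHECKS.items():
        values = svc.get(key, [])
        if key == "User" and dynamic_user:
            report[key] = "ok"
        elif not values:
            report[key] = "missing"
        elif all(re.match(pattern, v, re.IGNORECASE) for v in values):
            report[key] = "ok"
        else:
            report[key] = "weak"
    return report


def print_report(unit_text: str) -> None:
    # Even a unit that scores 'ok' everywhere still leaves everything the
    # service legitimately reads (web root, TLS keys, DB credentials) inside
    # the sandbox, which is the limitation the post above describes.
    for key, status in audit(unit_text).items():
        print(f"{status:8} {key:24} {CHECKS[key][1]}")


if __name__ == "__main__":
    print_report(SAMPLE_UNIT)
```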
Next Samba, which is a curious choice of example by Strauss. Having configured Samba and
professionally administered Windows networks, I know that Samba cannot run without full root
privilege. The reason why Samba needs privilege is not because it binds to privileged ports,
but because, as a file server, it needs the ability to assume the identity of any user so it
can read and write that user's files. One could imagine a different design of Samba in which
all files are owned by the same unprivileged user, and Samba maintains a database to track the
real ownership of each file. This would allow Samba to run without privilege, but it wouldn't
necessarily be more secure than the current design, since it would mean that a
post-authentication vulnerability would yield access to everyone's files, not just those of the
authenticated user. (Note: I'm not sure if Samba is able to contain a post-authentication
vulnerability, but it theoretically could. It absolutely could not if it ran as a single user
under systemd's sandboxing.)
Other daemons are similar. A mail server needs access to all users' mailboxes. If the mail
server is written in C, and doesn't use privilege separation, sandboxing it with systemd won't
stop an attacker with remote code execution from reading every user's mailbox. I could continue
with other daemons, but I think I've made my point: systemd is not magic pixie dust that can be
sprinkled on insecure server applications to make them secure. For protecting the "data
attackers want," systemd is far from a "powerful" tool. I wouldn't be opposed to using a
library or standalone
tool to sandbox daemons as a last line of defense, but the amount of security it provides
is not worth the baggage of running systemd as PID 1.
Achieving meaningful improvement in software security won't be as easy as adding a few lines
to a systemd config file. It will require new approaches, new tools, new languages. Jon Evans
sums it up eloquently:
... as an industry, let's at least set a trajectory. Let's move towards writing
system code in better languages, first of all -- this should improve security and speed.
Let's move towards formal specifications and verification of mission-critical code.
Systemd is not part of this trajectory. Systemd is more of the same old, same old, but with
vastly more code and complexity, an illusion of security features, and, most troubling,
lock-in. (Strauss dismisses my lock-in concerns by dishonestly claiming that applications
aren't encouraged to use their non-standard DBUS API for DNS resolution. Systemd's own
documentation says "Usage of this API is generally recommended to clients." And while
systemd doesn't preclude alternative implementations, systemd's specifications are not
developed through a vendor-neutral process like the IETF, so there is no guarantee that other
implementers would have an equal seat at the table.) I have faith that the Linux ecosystem can
correct its trajectory. Let's start now, and stop following systemd down the primrose path.
Ubuntu,
Fedora, Arch Linux and other Linux distributions have released patches for a serious arbitrary
code execution vulnerability that could be exploited through malicious Domain Name System (DNS)
packets.
The flaw was found in systemd-resolved, a service that's part of the systemd initialization system adopted by
many Linux distributions in recent years. The resolved service provides network name resolution
to local applications by querying DNS servers.
The vulnerability, tracked as CVE-2017-9445, was discovered by Chris Coulson, a
software engineer at Canonical and member of the Ubuntu team, who noticed that when dealing
with certain data packet sizes, systemd-resolved fails to allocate a sufficiently large
buffer.
"A malicious DNS server can exploit this by responding with a specially crafted TCP payload
to trick systemd-resolved to allocate a buffer that's too small, and subsequently write
arbitrary data beyond the end of it," Coulson said in an advisory posted on the Open
Source Security mailing list.
This could be exploited to crash the systemd-resolved daemon or to execute potentially
malicious code in its context.
There are multiple ways in which an attacker could send malicious DNS packets to a Linux
system with systemd-resolved running. One of them is by launching a man-in-the-middle attack on
an insecure wireless network or through a compromised router.
Fortunately, not all Linux systems are affected because some distributions don't use systemd
and even among those that do, not all of them include systemd-resolved. For example, SUSE and
openSUSE distributions don't ship this component and, while Debian 9 (Stretch) includes it, the service
is not enabled by default. The previous Debian versions don't have the vulnerable code at all.
Ubuntu, Arch Linux and probably other distributions are also affected. Users should check if they have any updates pending for
systemd and should deploy the patches as soon as possible. According to Coulson, the flaw was
likely introduced in systemd version 223 in 2015 and affects all versions up to and including
233.
Security firm Qualys has disclosed three flaws (CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866) in a component of
systemd, a software suite that provides fundamental building blocks for a Linux operating system
used in most major Linux distributions.
The flaws reside in systemd-journald, a service of systemd that collects and stores logging data.
Both CVE-2018-16864 and CVE-2018-16865 are memory corruption vulnerabilities, while
CVE-2018-16866 is an out-of-bounds issue that can lead to an information leak.
Security patches for the three vulnerabilities have been included in distro repositories since the
coordinated disclosure, but some Linux distros, such as some versions of Debian, remain vulnerable.
The flaws cannot be exploited in SUSE Linux Enterprise 15, openSUSE Leap 15.0, and
Fedora 28 and 29 because their code is compiled with GCC's -fstack-clash-protection option.
"... is vulnerable to an out-of-bounds heap write in the DHCPv6 client when handling options sent by network adjacent DHCP servers. ..."
"... could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." reads the advisory published by Red Hat. ..."
Both Ubuntu and Red Hat Linux published a security advisory on the issue. Summary:
"systemd-networkd is vulnerable to an out-of-bounds heap write in the DHCPv6 client when handling
options sent by network adjacent DHCP servers. An attacker could exploit this via malicious DHCP
server to corrupt heap memory on client machines, resulting in a denial of service or potential
code execution." reads the advisory published by Red Hat.
"Felix Wilhelm discovered that systemd-networkd's dhcp6 client could be made to write beyond
the bounds (buffer overflow) of a heap allocated buffer when responding to a dhcp6 server with
an overly-long server-id parameter." reads the advisory published by Ubuntu.
The author of systemd, Lennart Poettering, promptly published a security fix for systemd-based Linux
systems relying on systemd-networkd.
1. It's reasonable to claim that amd64 (x86_64) is more secure than x86. x86_64 has a larger address space, thus higher ASLR
entropy. The exploit needs 10 minutes to crack ASLR on x86, but 70 minutes on amd64. If some alert systems have been deployed on
the server (attacks need to keep crashing systemd-journald in this process), it buys time. In other cases, it makes exploitation
infeasible.
2. CFLAGS hardening works; in addition to ASLR, it's the last line of defense for all C programs. As long as there are still
C programs running, patching all memory corruption bugs is impossible. Using mitigation techniques and sandbox-based isolation
are the only two ways to limit the damage. All hardening flags should be turned on by all distributions, unless there is a special
reason. Fedora has had "-fstack-clash-protection" turned on since Fedora 28 (
https://fedoraproject.org/wiki/Changes/HardeningFlags28
).
If you are releasing a C program on Linux, please consider the following,
Major Linux distributions, including Fedora, Debian, Arch Linux, openSUSE are already doing it. Similarly, Firefox and Chromium
are using many of these flags too. Unfortunately, Debian did not use `-fstack-clash-protection` and got hit by the exploit, because
it was only added since GCC 8.
"Proof" suggests a level of absolute confidence that this example certainly does not give.
> The exploit needs 10 minutes to crack ASLR on x86, but 70 minutes on amd64.
Is there any realistic threat model under which the difference between 10 minutes and 70 minutes is the difference between
"insecure" and "secure"?
> Using mitigation techniques and sandbox-based isolation are the only two ways to limit the damage.
I'm not at all convinced that mitigation techniques represent a real improvement in security, because by definition a mitigation
technique is not backed by a solid model. If you're letting an attacker control the modification of memory that your security
model assumes isn't modifiable, how confident can you be that ad-hoc mitigations for all the ways you could think of to exploit
that cover all the possible ways to exploit that? E.g. I can remember a time when ASLR was touted as a solution to C's endemic
security vulnerabilities; now cracking ASLR as part of vulnerability exploitation is routine, as seen here. Mitigations appear
to give a security improvement because an app with mitigations is no longer the low-hanging fruit, but I suspect this is a case
of "you don't have to outrun the bear": as long as there are C programs without mitigations, attackers will go after those first.
That's different from saying that mitigations provide substantial protection.
The hands-on-keyboard SLA for a lot of on-calls is 30 minutes.
So in an "attack was detected, break all the glass" scenario, the difference between 10 and 70 minutes is sufficient to
allow human operators to render the attack moot by offlining its target, while the attackers are still trying to break through
API servers.
At both big corps I've been at, the incident response plan for an exfiltration attack on customer data was invalidate DB
creds and take the system down ourselves.
Better to be out of service than lose custody of customer data.
>Is there any realistic threat model under which the difference between 10 minutes and 70 minutes is the difference between
"insecure" and "secure"?
How about an intrusion detection system that flags up a human response? 10 minutes is hardly any time at all to respond,
an hour gives you a chance to roll out of bed.
PaX offers an anti-bruteforce protection: if the kernel discovers a crash, the `fork()` syscall of the parent process is blocked
for 30 seconds for each failed attempt, so the attacker is going to have a hard time beating 32-bit entropy. Meanwhile, it also
writes a critical-level message to the kernel logbuffer to notify sysadmins, and possibly uncover the 0day exploit the attacker
has used.
I guess, as long as the IDS senses the attack in progress quickly -- my gut is this type of attack would be hard to detect
until the outcome was achieved. More likely the initial entry would be the detected event(s) -- in which case yeah the extra
time gives some safety net.
In either case, it still feels like pulling all things into systemd creates a much harder to protect surface area on systems.
Why should init care if your logger crashes, let alone take down init with it? I am not an anti-systemd person but I honestly
do see the tradeoffs of the "let me do it all" architecture as a huge penalty.
It cares in the same way it cares about all the other processes. There's nothing systemd-specific here. The journald service
is configured to restart on crash, same as many other services.
It's not taking down init when journald crashes either.
> In either case, it still feels like pulling all things into systemd creates a much harder to protect surface area on systems.
Why should init care if your logger crashes, let alone take down init with it? I am not an anti-systemd person but I honestly
do see the tradeoffs of the "let me do it all" architecture as a huge penalty.
100% this. Also, as I understand it the exploit would not exist if it was literally just outputting log lines to a file
in /var/log/systemd/ ?
EDIT: Also as I understand it, appending directly to a file is just as stable as the journald approach, given that many,
many disk controllers and kernels are known to lie about whether they have actually flushed their cache to disk (actually more so,
because the binary format of journald is arguably more difficult to recover into proper form than a timestamped plaintext --
please correct me if I'm wrong, though!!)
> the binary format of journald is arguably more difficult to recover into proper form than a timestamped plaintext -- please
correct me if I'm wrong, though!!
It depends what you mean by recover. To get the basic plaintext, you can pretty much run "strings" on the journal file and
grep for "MESSAGE=". It's append-only so the entries are in order. Just because it's a binary file doesn't mean the text itself
is mangled. (Unless you enable compression)
Enterprise systems or any large scale stack can have one running like this where people dismiss it for an hour. Some systems run hard like this by default. See Transcoding
Also, Weekend and Christmas attacks. In the field we are seeing more attacks with a valid username and pass occur at times
when a sysadmin may not be on call.
> Is there any realistic threat model under which the difference between 10 minutes and 70 minutes is the difference between
"insecure" and "secure"?
Time is given here just for an example. To crack systemd, it only takes 70 minutes, but in general, bruteforcing ASLR on
64-bit systems can take as few as 1.3 hours but as many as 34.1 hours, depending on the nature of bug. On the other hand, the
~20-bit of entropy on 32-bit systems is trivial to crack in 10 minutes for nearly all cases, and does not provide an adequate
security margin.
On a 64-bit system there are ~32-40 bits of ASLR entropy available for a PIE program. It forces an attacker to brute-force
it. Unlike other protections, no matter how cleverly the system is analyzed beforehand, it taxes the exploit by forcing it
to solve a computational puzzle. This fact alone is enough to stop many "Morris Worm"-type remote exploitations (they have
suddenly become a serious consideration, given the future of IoT), since an exploit takes months or years to crack a single
machine.
If it's not enough (it is not, I acknowledge ASLR by itself cannot be enough), an intrusion detection system should be used,
and it is already used by many. For example, PaX offers an optional, simple yet effective anti-bruteforce protection: if the
kernel discovers a crash, the `fork()` attempt of the parent process is blocked for 30 seconds. It takes years before an attacker
is able to overcome the randomization (so the attacker is likely to try something else). In addition, it also writes a critical-level
message to the kernel logbuffer, so the sysadmin can be notified, and possibly uncover the 0day exploit the attacker has used.
I'd call it a realistic threat model.
Finally, information leaks are a great concern here. Kernels and programs are leaking memory addresses like a sieve, effectively
making ASLR useless. The Linux kernel is already actively plugging these holes (but with limited effectiveness; HardenedBSD should
be the future case-study), and so should other programs.
> e.g. I can remember a time when ASLR was touted as a solution to C's endemic security vulnerabilities; now cracking ASLR
as part of vulnerability exploitation is routine, as seen here.
You can make the same comment on NX bit, or W^X/PaX, or BSD jail, or SMAP/SMEP (in recent Intel CPUs), or AppArmor, or SELinux,
or seccomp(), or OpenBSD's pledge(), or Control Flow Integrity, or process-based sandboxing in web browsers, or virtual machine-based
isolation.
Better defense leads to better attacks, and that in turn leads to better defense. By playing the game, it may not be possible
to win, but by not playing it, losing the game is guaranteed. In this case, systemd is exploitable despite ASLR, due to a relatively
new exploit technique called "Stack Clash", and for this matter, GCC had already updated its -fstack-check to the new -fstack-clash-protection
long before the systemd exploit was discovered. If this mitigation has been used (like, by Fedora and openSUSE), it causes
simply a crash, and is not exploitable. At least before the attacker finds another way round.
Early kernels and web browsers had no memory and exploit protections whatsoever: a single wrong pointer dereference or
buffer overflow was enough to completely take over the system. Nowadays, an attack needs to overcome at least NX, ASLR, sandboxing,
and compiler-level mitigation, and we still see exploits. So the conclusion is all mitigations are completely useless? If it's
your opinion, I'm fine to agree to your disagreement, many sensitive C programs need to be written in a memory-safe language
anyway. But as I see it, as long as there are still C programs running with undiscovered vulnerabilities, and as long as attackers
have to add more and more up-to-date workarounds and cracking techniques (ROP, anyone? but now the most sophisticated
attackers are moving to DATA-ONLY attacks) to their exploit checklist, then we are not losing the race by increasing the cost
of attacks.
On the other hand, if an attacker doesn't have to use up-to-date cracking techniques, then we have serious problems. For
example, broken and incomplete mitigation is often seen in the real world, and it's the real trouble. Recently, it has been
discovered that the ASLR implementation in the MinGW toolchain is broken, allowing attackers to exploit VLC using shellcode
tricks from the 2000s (
https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-r... ). And we still see broken NX bit protection and the total
absence of any ASLR, or -fstack-protector in ALL home routers (
https://cyber-itl.org/2018/12/07/a-look-at-home-routers-and-...
).
The principle of Defense-in-Depth is that, if the enemies are powerful enough, it's inevitable all protections will be overcome.
Like the Swiss Cheese Model ( https://en.wikipedia.org/wiki/Swiss_cheese_model
), a cliche in accident analysis, eventually there will be something that manages to find a hole in every layer of defense
and pass through. What we can do is to do our best at each layer of defense to prevent the preventable incidents, and add
more layers when the technology permits us.
My final words are: at least, do something. ASLR was already implemented as a prototype, analyzed, and exploited by clever
hackers back in 2002 ( http://phrack.org/issues/59/9.html
), but only saw major adoption ten years later. It would be a surprise if ASLR-breaking techniques have not improved given
the inaction of most vendors.
> "Proof" suggests a level of absolute confidence that this example certainly does not give.
I agree. I should've used "given more empirical evidence" instead of "given a proof".
For real security, I believe memory-safe programming (e.g. Rust) and formal verification (e.g. seL4) are the way forward,
although they still have a long way to go.
> You can make the same comment on NX bit, or W^X/PaX, or BSD jail, or SMAP/SMEP (in recent Intel CPUs), or AppArmor, or SELinux,
or seccomp(), or OpenBSD's pledge(), or Control Flow Integrity, or process-based sandboxing in web browsers
I can, and I would.
> or virtual machine-based isolation
A little different because a VM can be designed to offer a rigid security boundary (with a solid model behind it) rather
than as an ad-hoc mitigation technique.
> So the conclusion is all mitigations are completely useless? If it's your opinion, I'm fine to agree to your disagreement,
many sensitive C programs need to be written in a memory-safe language anyway. But as I see it, as long as there are still
C programs running with undiscovered vulnerabilities, and as long as attackers have to add more and more up-to-date workarounds
and cracking techniques (ROP, anyone? but now the most sophisticated attackers are moving to DATA-ONLY attacks) to their exploit
checklist, then we are not losing the race by increasing the cost of attacks.
> The principle of Defense-in-Depth is that, if the enemies are powerful enough, it's inevitable that all protections will be
overcome. Like the Swiss Cheese Model ( https://en.wikipedia.org/wiki/Swiss_cheese_model
), a cliche in accident analysis, eventually there will be something that manages to find a hole in every layer of defense
and pass through. What we can do is do our best at each layer of defense to prevent the preventable incidents, and add
more layers when the technology permits us.
> For real security, I believe memory-safe programming (e.g. Rust) and formal verification (e.g. seL4) are the way forward,
although they still have a long way to go.
I think the defense in depth / swiss cheese approach has shown itself to be a failure, and exploit mitigation techniques
have been a distraction from real security. It's worth noting that systemd is both recently developed and aggressively compatibility-breaking;
there really is no excuse for it to be written in C, mitigations or no. Even if you don't think Rust was mature enough at that
point, there were memory-safe languages that would have made sense (OCaml, Ada, ...). Certainly there's always more to be done,
but I really don't think there's anything that would block the adoption of these languages and techniques if the will was there.
Before the critique, I want to thank you for all the detailed information (esp. compiler tips) you're putting out on the thread
for everyone. :)
"You can make the same comment on NX bit, or W^X/PaX, or BSD jail, or SMAP/SMEP (in recent Intel CPUs), or AppArmor, or
SELinux, or seccomp(), or OpenBSD's pledge(), or Control Flow Integrity, or process-based sandboxing in web browsers, or virtual
machine-based isolation."
You can indeed say that about all those systems since they mix insecure, bug-ridden code with probabilistic and tactical
mechanisms that they pray will stop hackers. In high-assurance security, the focus was instead to identify each root cause,
prevent/detect/fail-safe on it with some method, and add automation where possible for these. Since a lot of that is isolation,
I'd say the isolation-based method would be separation kernels running apps in their own compartments or in deprivileged, user-mode
VMs. Genode OS is following that path with stuff like seL4, Muen, and NOVA running underneath. The first two are separation kernels;
NOVA is just correctness-focused, with a high-assurance design style.
Prior systems designed like those did excellent in NSA pentesting whereas the UNIX-based systems with extensions like MAC
were shredded. All we're seeing is a failure to apply the lessons of the past in both hardware and software with predictable
results.
"Better defense leads to better attacks, and it in turns leads to better defense. By playing the game, it may not be possible
to win, but by not playing it, losing the game is guaranteed. "
Folks using stuff like Ada, SPARK, Frama-C w/ sound analyzers, Rust, Cryptol, and FaCT are skipping playing the game to
just knock out all the attack classes. Plus, memory-safety methods for legacy code like SAFEcode in SVA-OS or Softbound+CETS.
Throw in Data-Flow Integrity or Information-Flow Control (eg JIF/SIF languages). Then, you just have to increase hardware spending
a bit to make up for the performance penalty that comes with your desired level of security. Trades a problem that takes geniuses
decades to solve for one an average IT person with an ordering guide can handle quickly on eBay. Assuming the performance
penalty even matters given how lots of code isn't CPU-bound.
I'd rather not play the "extend and obfuscate insecure stuff for the win" game if possible since defenders have been losing
it consistently for decades. Obfuscation should just be an extra measure on top of methods that eliminate root causes to further
frustrate attackers. Starting with most cost-effective for incremental progress like memory-safe languages, contracts, test
generation, and static/dynamic analysis. The heavyweight stuff on ultra-critical components such as compilers, crypto/TLS,
microkernels, clustering protocols, and so on. We already have a lot of that, though.
"For real security, I believe memory-safe programming (e.g. Rust), and formal verification (e.g seL4) are the way forward,
although they still have a long way to go. "
Well, there you go saying it yourself. :)
"Early kernels and web browsers have no memory and exploit protections whatsoever"
Yeah, we pushed for high-assurance architecture to be applied there. Chrome did a weakened version of OP. Here's another
design if you're interested in how to solve... attempt to solve... that problem:
FWIW, the stack vulnerabilities here aren't just a C problem. Most languages, including every language relying on LLVM and
GCC until the most recent versions, failed to perform stack probing.
I hesitate to call stack probing "hardening". IMO it's better understood as a failure by compilers to emit proper code in
the first place, and it's been a glaringly obvious deficiency for years if not decades.
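The router comment above (no NX, no ASLR, no -fstack-protector) and the stack-probing comment both reduce to a question a practitioner will want to answer for a specific binary: which of these mitigations is actually present in the file? Here is an added example, not code from any commenter or from any project named on this page, of a small C checker that reads the program headers of a little-endian ELF64 image and reports NX (a PT_GNU_STACK entry without PF_X), PIE (ET_DYN together with a PT_INTERP entry, which is what lets ASLR relocate the executable itself) and RELRO (PT_GNU_RELRO). Its assumptions: the image is 64-bit little-endian, so a big-endian MIPS router image would need every header field byte-swapped before these checks apply; a static-pie binary has no interpreter and would be reported as non-PIE; and stack canaries do not show up in program headers at all, so for -fstack-protector you would have to look for __stack_chk_fail in the dynamic symbol table, which this example deliberately leaves out. build_sample() fabricates a minimal in-memory ELF (a constructed sample, not a real binary) so the checker can be exercised without a file.

```c
#include <elf.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct hardening { bool has_gnu_stack, nx, pie, relro; };

/* Parse the program headers of a little-endian ELF64 image held in memory.
 * Returns 0 and fills *h, or -1 if the image is malformed or truncated.
 * Every offset is range-checked: a firmware image is untrusted input. */
int check_elf64(const unsigned char *buf, size_t len, struct hardening *h)
{
    Elf64_Ehdr eh;
    bool interp = false;

    if (len < sizeof eh)
        return -1;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB)
        return -1;              /* big-endian images need byte-swapped fields */
    if (eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phoff > len ||
        eh.e_phnum > (len - eh.e_phoff) / sizeof(Elf64_Phdr))
        return -1;              /* program header table runs past the buffer */

    memset(h, 0, sizeof *h);
    for (size_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        switch (ph.p_type) {
        case PT_GNU_STACK:      /* absent: executable stack on most arches */
            h->has_gnu_stack = true;
            h->nx = !(ph.p_flags & PF_X);
            break;
        case PT_GNU_RELRO:
            h->relro = true;
            break;
        case PT_INTERP:
            interp = true;
            break;
        }
    }
    /* ET_DYN with an interpreter is a PIE executable that ASLR can move;
     * ET_EXEC is mapped at a fixed address whatever the kernel does. */
    h->pie = eh.e_type == ET_DYN && interp;
    return 0;
}

/* Constructed sample (not a real binary): an ELF64 header followed by a
 * PT_GNU_STACK entry and optional PT_INTERP / PT_GNU_RELRO entries.
 * Returns bytes written, or 0 if `cap` is too small. */
size_t build_sample(unsigned char *out, size_t cap, Elf64_Half type,
                    Elf64_Word stack_flags, bool with_interp, bool with_relro)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[3];
    size_t n = 0, total;

    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = type;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof eh;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    ph[n].p_type = PT_GNU_STACK; ph[n].p_flags = stack_flags; n++;
    if (with_interp) { ph[n].p_type = PT_INTERP; ph[n].p_flags = PF_R; n++; }
    if (with_relro)  { ph[n].p_type = PT_GNU_RELRO; ph[n].p_flags = PF_R; n++; }
    eh.e_phnum = (Elf64_Half)n;
    total = sizeof eh + n * sizeof(Elf64_Phdr);
    if (total > cap)
        return 0;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, ph, n * sizeof(Elf64_Phdr));
    return total;
}

/* ./elfcheck /path/to/binary ; with no argument it inspects itself. */
int main(int argc, char **argv)
{
    static unsigned char buf[1 << 20];  /* headers sit at the front of the file */
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    FILE *f = fopen(path, "rb");
    struct hardening h;
    size_t len;

    if (!f) { perror(path); return 1; }
    len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (check_elf64(buf, len, &h) < 0) {
        fprintf(stderr, "%s: not a little-endian ELF64 image\n", path);
        return 1;
    }
    printf("%s: NX=%s PIE=%s RELRO=%s%s\n", path, h.nx ? "yes" : "NO",
           h.pie ? "yes" : "NO", h.relro ? "yes" : "NO",
           h.has_gnu_stack ? "" : " (no PT_GNU_STACK)");
    return 0;
}
```

Point it at a binary pulled out of an unpacked firmware image (for example a router's web server under the extracted root) to see what the vendor's toolchain produced; run with no argument it inspects itself, which is a quick way to learn what your own compiler emits by default.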
Linux servers top
the list of victims of a ransomware attack that seems to take advantage of poorly configured
IPMI devices.
SysAdmins, who probably already have much on their plates at the end of the holiday season,
have another rather urgent task at hand if they administer servers equipped with Intelligent
Platform Management Interface (IPMI) cards. It seems that since November, black hat hackers
have been using the cards to gain access in order to install JungleSec
ransomware that encrypts data and demands a 0.3 bitcoin payment (about $1,100 at the
current rate) for the unlock key.
For the uninitiated, IPMI is a management interface that's either built into server
motherboards or on add-on cards that provides management and monitoring capabilities that are
independent of the system's CPU, firmware, and operating system. With it, admins can remotely
manage a server to do things like power it up and down, monitor system information, access
KVMs, and more. While this is useful for managing off-premises servers in colocation data
centers and the like, it also offers an opening for attackers if it's not properly locked.
There's been a lot of uneven reporting on this since
BleepingComputer broke the story on Dec. 26, with many sites indicating that the hack only
affects Linux servers.
While it's true that the majority of servers affected have been running Linux, Windows as well
as Mac servers have also fallen victim. At this point it's not clear whether Linux servers
appear to be most affected simply because of Linux's dominance in the server market or because
attackers are finding the attack easier to successfully manage when targeting Linux
machines.
There have also been reports that the exploit only takes advantage of systems using default
IPMI passwords, but BleepingComputer reported it had found at least one victim that had
disabled the IPMI Admin user and was still hacked by an attacker that evidently gained access
by taking advantage of a vulnerability that was most likely the result of IPMI not being
configured properly.
Indeed, it appears at this point that poor configuration is how attackers are gaining
entry.
The good news is that securing against such attacks should be rather straightforward,
starting with making sure the IPMI password isn't the default. In addition, access control
lists (ACLs) should be configured to specify the IP addresses that may reach the IPMI
interface, and IPMI should be configured to listen only on internal addresses, which limits
access to admins inside the organization's network. Better still, keep the BMC on a dedicated
management network that is never routed to the internet: a reachable BMC is a root-equivalent
console whether or not its password is strong.
For Linux servers, it might be a good idea to password protect the GRUB bootloader. After
gaining access to Linux servers, attackers have been rebooting into single user mode to gain
root access before downloading the malicious payload. A GRUB password stops someone at the
console from editing the boot entry to append single or init=/bin/sh; mark the default entry
--unrestricted so that unattended reboots still complete without the password, or a crashed
server will sit at the GRUB prompt until someone types it in. This only raises the bar: an
attacker with IPMI KVM and virtual-media access can boot the machine from their own image, so
it is no substitute for locking down the BMC itself.
Over the past year, U.S. prosecutors have discussed several types of charges they could potentially bring against the WikiLeaks
founder
The Justice Department is preparing to prosecute WikiLeaks founder Julian Assange and is increasingly optimistic it will be able
to get him into a U.S. courtroom, according to people in Washington familiar with the matter. Over the past year, U.S. prosecutors
have discussed several types of charges they could potentially bring against Mr. Assange, the people said. Mr. Assange has lived
in the Ecuadorean embassy in London since receiving political asylum from the South American country in 2012...
The exact charges Justice Department might pursue remain unclear, but they may involve the Espionage Act, which criminalizes the
disclosure of national defense-related information.
On two declassified letters from 2014 from the Intelligence Community Inspector General
(didn't know there was one, but doesn't do much good anyway, it seems, read further) to the
chairpersons of the House and Senate intelligence committees notifying them that the CIA has
been monitoring emails between the CIA's head of the whistleblowing and source protection and
Congressional. "Most of these emails concerned pending and developing whistleblower
complaints". Shows why Edward Snowden didn't consider it appropriate to rely on internal
complaint procedures. This while under the leadership of seasoned liars and criminals
Brennan and Clapper, of course.
It clearly shows a taste of what these buggers have to hide, and why they went to such
extraordinary lengths as Russiagate to cover it all up and save their skins - that of course
being the real reason behind Russiagate as I have said several times, nothing to do with
either Trump or Russia.
OWS was a Controlled-Dissent operation, sending poor students north to fecklessly march on
Wall Street when they could have shut down WADC, and sending wealthy seniors south to
fecklessly line Pennsylvania Avenue, when they could have shut down Wall Street.
Both I$I$, and Hamas, and Antifa et al are all Controlled Dissent operations. The
followers are duped, are used, abused and then abandoned by honey-pots put there by Central
Intelligence, at least since the Spanish Civil War.
That's why MoA articles like this one make you wonder, just who is conning whom, at a time
when the Internet is weaponized, when Google Assistant achieved AI awareness
indistinguishable from anyone on the phone, China TV has launched a virtual AI news reporter
indistinguishable from reality, and Stanford can audio-video a captured image of anyone as
well as their voice intonation, then 3D model them, in real time, reading and emoting from a
script, indistinguishable from reality, ...and then this.
Another Gift of Trust😂 brought to you by Scientocracy. Be sure to tithe your AI
bot, or word will get back to Chairman Albertus, then you'll be called in to confess your
thought crimes to the Green Cadre, itself another Controlled Dissent honeypot, in a
Tithe-for-Credits Swindle.
I tell my kids, just enjoy life, live it large, and get ready for hell. It's coming for
breakfast.
Hacking operations by anyone, can and will be used by US propagandists to provoke Russia
or whoever stands in the way of the US war machine, take this Pompeo rant against Iran and
the Iranian response......
Asking of Pompeo "have you no shame?", Zarif mocked Pompeo's praise for the Saudis for
"providing millions and millions of dollars of humanitarian relief" to Yemen, saying
America's "butcher clients" were spending billions of dollars bombing school buses. Iranian
Foreign Minister Javad Zarif issued a statement lashing Secretary of State Mike Pompeo for
his recent comments on the Yemen War. Discussing the US-backed Saudi invasion of Yemen,
Pompeo declared Iran to be to blame for the death and destruction in the country. https://news.antiwar.com/2018/11/09/iran-fm-slams-pompeo-for-blaming-yemen-war-on-iran/
The US way of looking at things supposes that up is down, and white is black, it makes no
sense, unless the US hopes these provocations will lead to a war or at the very least Russia
or Iran capitulating to US aggression, which will not happen. Sanctions by the US on all and
sundry must be opposed, if not the US will claim justifiably to be the world's policeman and
the arbiter of who will trade with whom, a ludicrous proposition but one that most governments
are afraid is now taking place, witness the new US ambassador to Germany in his first tweet
telling the Germans to cease all trade with Iran immediately.
Hole opens up remote-code execution to miscreants – or a crash, if you're
lucky A security bug in Systemd can be exploited over the network to, at best, potentially
crash a vulnerable Linux machine, or, at worst, execute malicious code on the box.
The flaw therefore puts Systemd-powered Linux computers – specifically those using
systemd-networkd – at risk of remote hijacking: maliciously crafted DHCPv6 packets can
try to exploit the programming cockup and arbitrarily change parts of memory in vulnerable
systems, leading to potential code execution. This code could install malware, spyware, and
other nasties, if successful.
The vulnerability – which was made public this week – sits within the
written-from-scratch DHCPv6 client of the open-source Systemd management suite, which is built
into various flavors of Linux.
This client is activated automatically if IPv6 support is enabled, and relevant packets
arrive for processing. Thus, a rogue DHCPv6 server on a network, or in an ISP, could emit
specially crafted router advertisement messages that wake up these clients, exploit the bug,
and possibly hijack or crash vulnerable Systemd-powered Linux machines.
systemd-networkd is vulnerable to an out-of-bounds heap write in the DHCPv6 client when handling
options sent by network-adjacent DHCP servers. An attacker could exploit this via a malicious
DHCP server to corrupt heap memory on client machines, resulting in a denial of service or
potential code execution.
Felix Wilhelm, of the Google Security team, was credited with discovering the flaw,
designated CVE-2018-15688 . Wilhelm found that a
specially crafted DHCPv6 network packet could trigger "a very powerful and largely controlled
out-of-bounds heap write," which could be used by a remote hacker to inject and execute
code.
"The overflow can be triggered relatively easy by advertising a DHCPv6 server with a
server-id >= 493 characters long," Wilhelm noted.
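The advisory text above gives the shape of the bug (an out-of-bounds heap write while a received option is handled) and the trigger (an oversized server-id), but not the check that has to be present. As an added example, not systemd's code, here is a minimal DHCPv6 option walker and builder in C that shows the class of check involved. A DHCPv6 option is a four-byte header (16-bit code, 16-bit length) followed by the payload, and a client answers an ADVERTISE by echoing the server's SERVERID option into its REQUEST. A size check that compares only the payload length against the space left lets the write run past the end of the allocation by exactly the header size; the correct check tests header plus payload. The option code and the 493-byte sample are taken from the article; the buffer sizes, the function names and the constructed packets are illustrative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHCP6_OPTION_HDR_LEN 4      /* 16-bit option code + 16-bit length */
#define DHCP6_OPTION_SERVERID 2

/* The bug class in one line: a size check that forgets the header. With 16
 * bytes left, a 14-byte payload passes, but header + payload is 18 bytes and
 * the last two land past the end of the heap allocation. */
bool fits_forgetting_header(size_t buflen, size_t optlen)
{
    return optlen <= buflen;        /* WRONG: the 4-byte header is not counted */
}

/* Correct check: header and payload must both fit, and the length must be
 * representable in the 16-bit length field. */
bool fits(size_t buflen, size_t optlen)
{
    return optlen <= 0xffff && buflen >= DHCP6_OPTION_HDR_LEN + optlen;
}

/* Append one option to an output buffer, advancing *buf and shrinking
 * *buflen. Returns 0, or -1 without touching the buffer if it won't fit. */
int dhcp6_option_append(uint8_t **buf, size_t *buflen, uint16_t code,
                        const uint8_t *data, size_t optlen)
{
    uint8_t *p = *buf;
    if (!fits(*buflen, optlen))
        return -1;
    p[0] = (uint8_t)(code >> 8);   p[1] = (uint8_t)code;
    p[2] = (uint8_t)(optlen >> 8); p[3] = (uint8_t)optlen;
    if (optlen)
        memcpy(p + DHCP6_OPTION_HDR_LEN, data, optlen);
    *buf += DHCP6_OPTION_HDR_LEN + optlen;
    *buflen -= DHCP6_OPTION_HDR_LEN + optlen;
    return 0;
}

/* Walk the option list of a received message looking for `want`. Every
 * length comes from the network, so an option whose declared length runs
 * past the end of the message is rejected rather than read past.
 * Returns the payload pointer and sets *optlen, or NULL. */
const uint8_t *dhcp6_find_option(const uint8_t *opts, size_t len,
                                 uint16_t want, size_t *optlen)
{
    size_t off = 0;
    while (len - off >= DHCP6_OPTION_HDR_LEN) {
        uint16_t code = (uint16_t)((opts[off] << 8) | opts[off + 1]);
        size_t olen = (size_t)((opts[off + 2] << 8) | opts[off + 3]);
        off += DHCP6_OPTION_HDR_LEN;
        if (olen > len - off)
            return NULL;            /* truncated option: drop the message */
        if (code == want) {
            *optlen = olen;
            return opts + off;
        }
        off += olen;
    }
    return NULL;
}

/* The step the advisory describes: the client copies the server's SERVERID
 * (its DUID) out of the ADVERTISE into the REQUEST it sends back. `out` is
 * a fixed allocation of `cap` bytes; an oversized DUID is refused instead
 * of overflowing it. Returns bytes written or -1. */
int echo_server_id(const uint8_t *adv_opts, size_t adv_len,
                   uint8_t *out, size_t cap)
{
    size_t idlen;
    const uint8_t *id = dhcp6_find_option(adv_opts, adv_len,
                                          DHCP6_OPTION_SERVERID, &idlen);
    uint8_t *p = out;
    size_t left = cap;
    if (!id)
        return -1;
    if (dhcp6_option_append(&p, &left, DHCP6_OPTION_SERVERID, id, idlen) < 0)
        return -1;
    return (int)(p - out);
}

int main(void)
{
    /* Constructed ADVERTISE option list: one SERVERID carrying a 6-byte DUID. */
    const uint8_t adv[] = { 0x00, 0x02, 0x00, 0x06, 'A', 'B', 'C', 'D', 'E', 'F' };
    uint8_t request[16];
    int n = echo_server_id(adv, sizeof adv, request, sizeof request);
    printf("echoed %d bytes into a %zu-byte request buffer\n", n, sizeof request);
    printf("14-byte payload into 16 bytes: header-blind check says %s, real check says %s\n",
           fits_forgetting_header(16, 14) ? "fits" : "no",
           fits(16, 14) ? "fits" : "no");
    return n < 0;
}
```

The two checks differ only in whether DHCP6_OPTION_HDR_LEN is on the right-hand side, which is why this class of bug survives review: the wrong version reads as plausible and only fails when the payload lands within four bytes of the end of the allocation, exactly the situation an attacker-chosen DUID length can create.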
In addition to Ubuntu and Red
Hat Enterprise Linux, Systemd has been adopted as a service manager for Debian, Fedora, CoreOS,
Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the
vulnerable component by default.
Systemd creator Lennart Poettering has already
published a security fix for the vulnerable component
– this should be weaving its way into distros as we type.
If you run a Systemd-based Linux system, and rely on systemd-networkd, update your operating
system as soon as you can to pick up the fix when available and as necessary.
The bug will come as another argument against Systemd as the Linux management tool continues
to fight for the hearts and minds of admins and developers alike. Though a number of major
admins have in recent years adopted and championed it as
the replacement for the old Init era, others within the Linux world seem to still be less than
impressed with Systemd and Poettering's occasionally
controversial management of the tool.
As anyone who bothers to read my comments (BTW "hi" to both of you) already knows, I
despise systemd with a passion, but this one is more an IPv6 problem in general.
Yes this is an actual bug in networkd, but IPv6 seems to be far more bug prone than v4,
and problems are rife in all implementations. Whether that's because the spec itself is
flawed, or because nobody understands v6 well enough to implement it correctly, or possibly
because there's just zero interest in making any real effort, I don't know, but it's a fact
nonetheless, and my primary reason for disabling it wherever I find it. Which of course
contributes to the "zero interest" problem that perpetuates v6's bug prone condition, ad
nauseam.
IPv6 is just one of those tech pariahs that everyone loves to hate, much like systemd,
albeit fully deserved IMO.
Oh yeah, and here's the obligatory "systemd sucks". Personally I always assumed the "d"
stood for "destroyer". I believe the "IP" in "IPv6" stands for "Idiot Protocol".
Fortunately, IPv6 by lack of adopted use, limits the scope of this bug.
Yeah, fortunately IPv6 is only used by a few fringe organizations like Google and
Microsoft.
Seriously, I personally want nothing to do with either systemd or IPv6. Both seem to me to
fall into the bin labeled "If it ain't broke, let's break it" But still it's troubling that
things that some folks regard as major system components continue to ship with significant
security flaws. How can one trust anything connected to the Internet that is more
sophisticated and complex than a TV streaming box?
Was going to say the same thing, and I disable IPv6 for the exact same reason. IPv6 code
isn't as well tested, as well audited, or as well targeted looking for exploits as IPv4.
Stuff like this only proves that it was smart to wait, and I should wait some more.
Count me in the camp of who hates systemd(hates it being "forced" on just about every
distro, otherwise wouldn't care about it - and yes I am moving my personal servers to Devuan,
thought I could go Debian 7->Devuan but turns out that may not work, so I upgraded to
Debian 8 a few weeks ago, and will go to Devuan from there in a few weeks, upgraded one
Debian 8 to Devuan already 3 more to go -- Debian user since 1998), when reading this article
it reminded me of
This makes me glad I'm using FreeBSD. The Xorg version in FreeBSD's ports is currently
*slightly* older than the Xorg version that had that vulnerability in it. AND, FreeBSD will
*NEVER* have systemd in it!
(and, for Linux, when I need it, I've been using Devuan)
That being said, the whole idea of "let's do a re-write and do a 'systemd' instead of
'system V init' because WE CAN and it's OUR TURN NOW, 'modern' 'change for the sake of
change' etc." kinda reminds me of recent "update" problems with Win-10-nic...
Oh, and an obligatory Schadenfreude laugh: HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA
HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA
HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA!!!!!!!!!!!!!!!!!!!
Finally got all my machines cut over from Debian to Devuan.
Might spin a FreeBSD system up in a VM and have a play.
I suspect that the infestation of stupid into the Linux space won't stop with or be
limited to SystemD. I will wait and watch to see what damage the re-education gulag has done
to Sweary McSwearFace (Mr Torvalds)
Not really, systemd has its tentacles everywhere and runs as root.
Yes, but not really the problem in this case. Any DHCP client is going to have to
run at least part of the time as root. There's not enough nuance in the Linux privilege model
to allow it to manipulate network interfaces, otherwise.
> Yes, but not really the problem in this case. Any DHCP client is going to have to run at
least part of the time as root. There's not enough nuance in the Linux privilege model to
allow it to manipulate network interfaces, otherwise.
Sorry but utter bullshit. If you are so inclined, you can use the Linux
Capabilities framework for this kind of thing. See
https://wiki.archlinux.org/index.php/capabilities
I remain very happy that I don't use systemd on any of my machines anymore. :)
"others within the Linux world seem to still be less than impressed with Systemd"
Yep, I'm in that camp. I gave it a good, honest go, but it increased the amount of hassle
and pain of system management without providing any noticeable benefit, so I ditched it.
> Just like it's entirely possible to have a Linux system without any GNU in it
Just like it's possible to have a GNU system without Linux on it - oh well, as soon as GNU
MACH is finally up to the task ;-)
On the systemd angle, I, too, am in the process of switching all my machines from Debian
to Devuan but on my personal(*) network a few systemd-infected machines remain, thanks to a
combination of laziness on my part and the stubborn "systemd is quite OK" attitude of the
raspy foundation. That vuln may be the last straw: one of the aforementioned machines sits
on my DMZ, chatting freely with the outside world. Nothing really crucial on it, but I'd hate
it if it became a foothold for nasties on my network.
(*) policy at work is RHEL, and that's negotiated far above my influence level, but I
don't really care as all my important stuff runs on z/OS anyway ;-) . OK, we have to reboot a
few VMs occasionally when systemd throws a hissy fit - which is surprisingly often for an
"enterprise" OS - but meh.
"This code is actually pretty bad and should raise all kinds of red flags in a code
review."
Yeah, but for that you need people who can do code reviews, and also people who can accept
criticism. That also means saying "no" to people who are bad at coding, and saying that
repeatedly if they don't learn.
SystemD seems to be the area where people gather who want to get code in for their
resumes, not for people who actually want to make the world a better place.
... that an init, traditionally, is a small bit of code that does one thing very well.
Like most of the rest of the *nix core utilities. All an init should do is start PID1, set
run level, spawn a tty (or several), handle a graceful shutdown, and log all the above in
plaintext to make troubleshooting as simplistic as possible. Anything else is a vanity
project that is best placed elsewhere, in its own stand-alone code base.
Inventing a clusterfuck init variation that's so big and bulky that it needs to be called
a "suite" is just asking for trouble.
IMO, systemd is a cancer that is growing out of control, and needs to be cut out of Linux
before it infects enough of the system to kill it permanently.
That's why systemd-networkd is a separate, optional component, and not actually part of
the init daemon at all. Most systemd distros do not use it by default and thus are not
vulnerable to this unless the user actively disables the default network manager and chooses
to use networkd instead.
Pardon my ignorance (I don't use a distro with systemd) why bother with networkd in the
first place if you don't have to use it.
Mostly because the old-style init system doesn't cope all that well with systems that move
from network to network. It works for systems with a static IP, or that do a DHCP request at
boot, but it falls down on anything more dynamic.
In order to avoid restarting the whole network system every time they switch WiFi access
points, people have kludged on solutions like NetworkManager. But it's hard to argue it's
more stable or secure than networkd. And this is always going to be a point of vulnerability
because anything that manipulates network interfaces will have to be running as root.
These days networking is essential to the basic functionality of most computers; I think
there's a good argument that it doesn't make much sense to treat it as a second-class
citizen.
"Funny that I installed ubuntu 18.04 a few weeks ago and the fucking thing installed
itself then! ( and was a fucking pain to remove)."
So I looked into it a bit more, and from a few references at least, it seems like Ubuntu
has a sort of network configuration abstraction thingy that can use both NM and
systemd-networkd as backends; on Ubuntu desktop flavors NM is usually the default, but
apparently for recent Ubuntu Server, networkd might indeed be the default. I didn't notice
that as, whenever I want to check what's going on in Ubuntu land, I tend to install the
default desktop spin...
"LP is a fucking arsehole."
systemd's a lot bigger than Lennart, you know. If my grep fu is correct, out of 1543
commits to networkd, only 298 are from Lennart...
in many respects when it comes to software because, over time, the bugs will have been
found and squashed. Systemd brings in a lot of new code which will, naturally, have lots of
bugs that will take time to find & remove. This is why we get problems like this DHCP
one.
Much as I like the venerable init: it did need replacing. Systemd is one way to go, more
flexible, etc, etc. Something event driven is a good approach.
One of the main problems with systemd is that it has become too big, slurped up lots of
functionality which has removed choice, increased fragility. They should have concentrated on
adding ways of talking to existing daemons, eg dhcpd, through an API/something. This would
have reused old code (good) and allowed other implementations to use the API - this letting
people choose what they wanted to run.
But no: Poettering seems to want to build a Cathedral rather than a Bazaar.
He appears to want to make it his way or no way. This is bad, one reason that *nix is good
is because different solutions to a problem have been able to be chosen, one removed and
another slotted in. This encourages competition and the 'best of breed' comes out on top.
Poettering is endangering that process.
Also: his refusal to accept patches to let it work on non-Linux Unix is just plain
nasty.
One of the main problems with systemd is that it has become too big, slurped up lots of
functionality which has removed choice, increased fragility.
IMO, there is a striking parallel between systemd and the registry in Windows OSs.
After many years of dealing with the registry (W98 to XPSP3) I ended up seeing the
registry as a sort of developer sanctioned virus running inside the OS, constantly changing
and going deeper and deeper into the OS with every iteration and as a result, progressively
putting an end to the possibility of knowing/controlling what was going on inside your
box/the OS.
Years later, when I learned about the existence of systemd (I was already running Ubuntu)
and read up on what it did and how it did it, it dawned on me that systemd was nothing more
than a registry class virus and it was infecting Linux_land at the behest of the
developers involved.
So I moved from Ubuntu to PCLinuxOS and then on to Devuan.
Call me paranoid but I am convinced that there are people both inside and outside IT that
actually want this and are quite willing to pay shitloads of money for it to
happen.
I don't see this MS cozying up to Linux in various ways lately as a coincidence: these
things do not happen just because or on a senior manager's whim.
What I do see (YMMV) is systemd being a sort of convergence of Linux with Windows,
which will not be good for Linux and may well be its undoing.
Much as I like the venerable init: it did need replacing.
For some use cases, perhaps. Not for any of mine. SysV init, or even BSD init, does
everything I need a Linux or UNIX init system to do. And I don't need any of the other crap
that's been built into or hung off systemd, either.
BSD init and SysV init work pretty darn well for their original purpose -- servers with
static IP addresses that are rebooted no more than once in a fortnight. Anything more dynamic
starts to give it trouble.
Linus doesn't care. systemd has nothing to do with the kernel ... other than the fact that
the lead devs for systemd have been banned from working on the kernel because they don't play
nice with others.
I've been using runit, because I am too lazy and clueless to write init scripts reliably.
It's very lightweight, runs on a bunch of systems and really does one thing - keep daemons
up.
I am not saying it's the best - but it looks like it has a very small codebase, it doesn't
do much and generally has not bugged me after I configured each service correctly. I believe
other systems also exist to avoid using init scripts directly. Not Monit, as it relies on you
configuring the daemon start/stop commands elsewhere.
On the other hand, systemd is a massive sprawl, does a lot of things - some of them
useful, like dependencies and generally has needed more looking after. Twice I've had errors
on a Django server that, after a lot of looking around ended up because something had changed
in the, Chef-related, code that's exposed to systemd and esoteric (not emitted by systemd)
errors resulted when systemd could not make sense of the incorrect configuration.
I don't hate it - init scripts look a bit antiquated to me and they seem unforgiving to
beginners - but I don't much like it. What I certainly do hate is how, in an OS that is
supposed to be all about choice, sometime excessively so as in the window manager menagerie,
we somehow ended up with one mandatory daemon scheduler on almost all distributions. Via, of
all types of dependencies, the GUI layer. For a window manager that you may not even have
installed.
Talk about the antithesis of the Unix philosophy of do one thing, do it well.
Oh, then there are also the security bugs and the project owner is an arrogant twat. That
too.
"init scripts look a bit antiquated to me and they seem unforgiving to beginners"
Init scripts are shell scripts. Shell scripts are as old as Unix. If you think that makes
them antiquated then maybe Unix-like systems are not for you. In practice any sub-system
generally gets its own scripts installed with the rest of the S/W so if being unforgiving
puts beginners off tinkering with them so much the better. If an experienced Unix user really
needs to modify one of the system-provided scripts their existing shell knowledge will let
them do exactly what's needed. In the extreme, if you need to develop a new init script then
you can do so in the same way as you'd develop any other script - edit and test from the
command line.
I personally like openrc as an init system, but systemd is a symptom of the tooling
problem.
It's for me a retrograde step but again, it's linux, one can, as you and I do, just remove
systemd.
There are a lot of people in the industry now who don't seem able to cope with shell
scripts nor are minded to research the arguments for or against shell as part of a unix style
of system design.
In conclusion, we are outnumbered, but it will eventually collapse under its own weight
and a worthy successor shall rise, perhaps called SystemV, might have to shorten that name a
bit.
"In addition to Ubuntu and Red Hat Enterprise Linux, Systemd has been adopted as a service
manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL
7, at least, does not use the vulnerable component by default."
I can tell you for sure that no version of Fedora does, either, and I'm fairly sure that
neither does Debian, SLES or Mint. I don't know anything much about CoreOS, but
https://coreos.com/os/docs/latest/network-config-with-networkd.html suggests it actually
*might* use systemd-networkd.
systemd-networkd is not part of the core systemd init daemon. It's an optional component,
and most distros use some other network manager (like NetworkManager or wicd) by default.
I mean commercial distributions seem to be particularly interested in trying out new
things that can increase their number of support calls. It's probably just that networkd is
either too new and therefore not yet in the release, or still works so badly even the most
rudimentary tests fail.
There is no reason to use that NTP daemon of systemd, yet more and more distros ship with
it enabled, instead of some sane NTP-server.
I won't hold my breath, then. I have a laptop at the moment that refuses to boot because
(as I've discovered from looking at the journal offline) pulseaudio is in an infinite loop
waiting for the successful detection of some hardware that, presumably, I don't have.
I imagine I can fix it by hacking the file-system (offline) so that fuckingpulse is no
longer part of the boot configuration, but I shouldn't have to. A decent init system would be
able to kick off everything else in parallel and if one particular service doesn't come up
properly then it just logs the error. I *thought* that was one of the claimed advantages of
systemd, but apparently that's just a load of horseshit.
My NAT router statefully firewalls incoming IPv6 by default, which I consider equivalently
secure. NAT adds security mostly by accident, because it de-facto adds a firewall that blocks
incoming packets. It's not the address translation itself that makes things more secure, it's
the inability to route in from the outside.
NAT is schtick for connecting a whole LAN to a WAN using a single IPv4 address (useful
with IPv4 because most ISPs don't give you a /24 when you sign up). If you have a native IPv6
address you'll have something like 2^64 addresses, so machines on your LAN can have an actual
WAN-visible address of their own without needing a trick like NAT.
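The comment above describes a router that statefully firewalls inbound IPv6 instead of relying on NAT to block it. As an added example (not the commenter's configuration), this is what that policy looks like as an nftables forward chain on a two-interface router. nftables itself, the interface names lan0/wan0 and the ruleset are this example's assumptions.

```nft
# Added example: stateful IPv6 forwarding policy that gives the same
# "nothing is reachable from outside unless a LAN host asked for it"
# property that NAT provides by accident. Interface names are hypothetical.
table inet border {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Drop packets that do not fit any known connection state.
        ct state invalid drop

        # Replies to connections LAN hosts opened may come back in.
        ct state established,related accept

        # LAN hosts may initiate anything outbound.
        iifname "lan0" oifname "wan0" accept

        # Path MTU discovery and error signalling must cross the router,
        # or IPv6 breaks in ways that look like random hangs.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Everything else arriving from the WAN is unsolicited: log and drop.
        iifname "wan0" log prefix "ip6-unsolicited: " drop
    }
}
```

Load it with `nft -f`. The "was this requested from inside" decision lives in the `ct state` rule, which is what NAT was doing implicitly; the difference is that exposing one service is now an explicit `accept` for that host and port rather than a port forward, and every LAN host keeps its globally routable address.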
"so machines on your LAN can have an actual WAN-visible address of their own without
needing a trick like NAT."
Avoiding that configuration is exactly the use case for using NAT with IPv6. As others
have pointed out, you can accomplish the same thing with IPv6 router configuration, but NAT
is easier in terms of configuration and maintenance. Given that, and assuming that you don't
want to be able to have arbitrary machines open ports that are visible to the internet, then
why not use NAT?
Also, if your goal is to make people more likely to move to IPv6, pointing out IPv4
methods that will work with IPv6 (even if you don't consider them optimal) seems like a
really, really good idea. It eases the transition.
Please El Reg these stories make me rage at breakfast, what's this?
The bug will come as another argument against Systemd as the Linux management tool
continues to fight for the hearts and minds of admins and developers alike.
Less against systemd (which should get attacked on the design & implementation level)
or against IPv6 than against the use of buffer-overflowable languages in 2018 in code that
processes input from the Internet (it's not the middle ages anymore) or at least very hard
linting of the same.
But in the end, what did it was a violation of the Don't Repeat Yourself principle and
lack of sufficiently high-level data structures. Pointer into buffer, and the remaining buffer
length are two discrete variables that need to be updated simultaneously to keep the
invariant and this happens in several places. This is just a catastrophe waiting to happen.
You forget to update it once, you are out! Use structs and functions updating the structs
correctly.
The function receives a pointer to the option buffer buf, its remaining size buflen
and the IA to be added to the buffer. While the check at (A) tries to ensure that the buffer
has enough space left to store the IA option, it does not take the additional 4 bytes from
the DHCP6Option header into account (B). Due to this the memcpy at (C) can go out-of-bound
and *buflen can underflow [i.e. you suddenly have a gazillion byte buffer, Ed.] in (D) giving
an attacker a very powerful and largely controlled OOB heap write starting at (E).
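As an added illustration (not code from systemd or from either commenter), the block below shows the shape of the bug just described next to the struct-based fix the earlier comment recommends: a length check that forgets the 4-byte option header, a pointer and a remaining-length counter updated by hand in several places, and the underflow that follows. The option layout (2-byte code, 2-byte length, 12-byte IA_NA body), the function names and the buffer sizes are this example's own assumptions, modelled on the description rather than copied from the real code. The demonstration deliberately uses a backing array larger than the size it advertises so the overrun can be observed without writing outside real memory.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical DHCPv6 option layout: 2-byte code, 2-byte length, then data.
 * Same shape as the DHCP6Option header the comment refers to, but the names
 * and sizes are this example's own assumptions, not systemd's code. */
#define OPT_HDR_LEN 4
#define OPT_IA_NA 3          /* RFC 8415 option code for IA_NA */
#define IA_NA_BODY_LEN 12    /* IAID + T1 + T2 */

static void put_u16be(uint8_t *p, uint16_t v) {
    p[0] = (uint8_t)(v >> 8);
    p[1] = (uint8_t)v;
}

/* Vulnerable pattern: pointer and remaining length live in two separate
 * variables, updated by hand in several places, and the space check
 * forgets the header. With *buflen == body_len the check passes, the
 * write runs OPT_HDR_LEN bytes past the advertised end and *buflen wraps. */
static int vuln_append_ia(uint8_t **buf, size_t *buflen,
                          const uint8_t *body, size_t body_len) {
    if (*buflen < body_len)          /* (A): header not counted */
        return -ENOBUFS;

    put_u16be(*buf, OPT_IA_NA);
    put_u16be(*buf + 2, (uint16_t)body_len);
    *buf += OPT_HDR_LEN;             /* (B): header consumed anyway */
    *buflen -= OPT_HDR_LEN;

    memcpy(*buf, body, body_len);    /* (C): may run past the real end */
    *buf += body_len;
    *buflen -= body_len;             /* (D): underflows when short */
    return 0;
}

/* Hardened pattern: one struct holds both cursor and remaining space and
 * only one function ever moves them, so the invariant pos + remaining == end
 * cannot be broken by a forgotten update somewhere else. */
struct optbuf {
    uint8_t *pos;
    size_t remaining;
};

static int optbuf_put(struct optbuf *b, const void *src, size_t n) {
    if (n > b->remaining)
        return -ENOBUFS;
    memcpy(b->pos, src, n);
    b->pos += n;
    b->remaining -= n;
    return 0;
}

static int safe_append_ia(struct optbuf *b, const uint8_t *body, size_t body_len) {
    uint8_t hdr[OPT_HDR_LEN];
    if (body_len > UINT16_MAX || b->remaining < OPT_HDR_LEN + body_len)
        return -ENOBUFS;             /* whole option, header included, checked up front */
    put_u16be(hdr, OPT_IA_NA);
    put_u16be(hdr + 2, (uint16_t)body_len);
    if (optbuf_put(b, hdr, sizeof hdr) < 0)
        return -ENOBUFS;
    return optbuf_put(b, body, body_len);
}

/* Returns 1 if the vulnerable path wrote past the advertised region and
 * wrapped its length counter. The backing array is larger than the size
 * advertised to the function so the demonstration itself stays in bounds. */
int demo_vulnerable(void) {
    uint8_t backing[64];
    const uint8_t body[IA_NA_BODY_LEN] = {0};
    memset(backing, 0xAA, sizeof backing);   /* 0xAA marks untouched bytes */
    uint8_t *p = backing;
    size_t remaining = IA_NA_BODY_LEN;       /* exactly body-sized: check (A) passes */
    int rc = vuln_append_ia(&p, &remaining, body, sizeof body);
    int canary_clobbered = backing[IA_NA_BODY_LEN] != 0xAA;  /* byte past the advertised end */
    int wrapped = remaining > sizeof backing;                /* "gazillion byte buffer" */
    return rc == 0 && canary_clobbered && wrapped;
}

/* Returns 1 if the hardened path refuses the same short buffer untouched. */
int demo_hardened(void) {
    uint8_t backing[64];
    const uint8_t body[IA_NA_BODY_LEN] = {0};
    memset(backing, 0xAA, sizeof backing);
    struct optbuf b = { backing, IA_NA_BODY_LEN };
    int rc = safe_append_ia(&b, body, sizeof body);
    return rc == -ENOBUFS && backing[0] == 0xAA && b.remaining == IA_NA_BODY_LEN;
}

/* With enough room the hardened path writes header + body and accounts for both:
 * returns the number of bytes consumed (16). */
size_t demo_hardened_ok(void) {
    uint8_t backing[64];
    const uint8_t body[IA_NA_BODY_LEN] = {0};
    struct optbuf b = { backing, sizeof backing };
    if (safe_append_ia(&b, body, sizeof body) < 0)
        return 0;
    return sizeof backing - b.remaining;
}

int main(void) {
    printf("vulnerable path overran advertised buffer: %d\n", demo_vulnerable());
    printf("hardened path rejected short buffer: %d\n", demo_hardened());
    printf("hardened path consumed %zu bytes\n", demo_hardened_ok());
    return 0;
}
```

The fix in the hardened version is not the extra 4 in the comparison by itself; it is that the comparison and the bookkeeping happen in one place. An `optbuf_put` that cannot be bypassed makes every later caller inherit the check, which is the "structs and functions updating the structs correctly" point the comment makes.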
why don't we stop writing code in languages that make it easy to screw up so easily like
this?
There are plenty about nowadays, I'd rather my DHCP client be a little bit slower at
processing packets if I had more confidence it would not process them incorrectly and execute
code hidden in said packets...
The circus that is called "Linux" has forced me to Devuan and the likes; however, the
circus is getting worse and worse by the day, thus I have switched to the BSD world. I will
learn that rather than sit back and watch this unfold. As many of us have been saying, the
sudden switch to SystemD was rather quick; perhaps you guys need to go investigate why it
really happened. Don't assume you know, go dig and you will find the answers; it's rather
scary. Thus I bid the Linux world a farewell after 10 years of support. I will watch the
grass dry out from the other side of the fence. It was destined to fail by means of
infiltration and "screw it up" motive(s) on those we do not mention here.
As many of us have been saying, the sudden switch to SystemD was rather quick, perhaps
you guys need to go investigate why it really happened, don't assume you know, go dig and you
will find the answers, it's rather scary ...
Indeed, it was rather quick and is very scary.
But there's really no need to dig much, just reason it out.
It's like a follow the money situation of sorts.
I'll try to sum it up in three short questions:
Q1: Hasn't the Linux philosophy (programs that do one thing and do it well) been a
success?
A1: Indeed, in spite of the many init systems out there, it has been a success in
stability and OS management. And it can easily be tested and debugged, which is an essential
requirement.
Q2: So what would Linux need to have the practical equivalent of the registry in
Windows for?
A2: So that whatever the registry does in/to Windows can also be done in/to Linux.
Q3: I see. And just who would want that to happen? Makes no sense, it is a huge
step backwards.
OK, so I was able to check through the link you provided, which says "up to and including
239", but I had just installed a systemd update and when you said there was already a fix
written, working it's way through the distro update systems, all I had to do was check my
log.
Linux Mint makes it easy.
But why didn't you say something such as "reported to affect systemd versions up to and
including 239" and then give the link to the CVE? That failure looks like rather careless
journalism.
A security bug in Systemd can be exploited over the network to, at best, potentially crash
a vulnerable Linux machine, or, at worst, execute malicious code on the box... Systemd creator
Lennart Poettering has already published a security fix for the vulnerable component –
this should be weaving its way into distros as we type.
"... Let's say every car manufacturer recently discovered a new technology named "doord", which lets you open up car doors much faster than before. It only takes 0.05 seconds, instead of 1.2 seconds on average. So every time you open a door, you are much, much faster! ..."
"... Unfortunately though, sometimes doord does not stop the engine. Or if it is cold outside, it stops the ignition process, because it takes too long. Doord also changes the way how your navigation system works, because that is totally related to opening doors ..."
Let's say every car manufacturer recently discovered a new technology named "doord",
which lets you open up car doors much faster than before. It only takes 0.05 seconds, instead
of 1.2 seconds on average. So every time you open a door, you are much, much faster!
Many of the manufacturers decide to implement doord, because the company providing doord
makes it clear that it is beneficial for everyone. And additional to opening doors faster, it
also standardises things. How to turn on your car? It is the same now everywhere, it is not
necessary to look for the keyhole anymore.
Unfortunately though, sometimes doord does not stop the engine. Or if it is cold
outside, it stops the ignition process, because it takes too long. Doord also changes the way
how your navigation system works, because that is totally related to opening doors, but leads
to some users being unable to navigate, which is accepted as collateral damage. In the end, you
at least have faster door opening and a standard way to turn on the car. Oh, and if you are in
a traffic jam and have to restart the engine often, it will stop restarting it after several
times, because that's not what you are supposed to do. You can open the engine hood and tune
that setting though, but it will be reset once you buy a new car.
2015: systemd becomes default boot manager in debian.
2017:"complete, from-scratch rewrite"
[jwz.org]. In order to not have to maintain backwards compatibility, project is renamed to system-e.
2019: debut of systemf, absorption of other projects including alsa, pulseaudio, xorg, GTK, and opengl.
2021: systemg maintainers make the controversial decision to absorb The Internet Archive. Systemh created
as a fork without Internet Archive.
2022: systemi, a fork of systemf focusing on reliability and minimalism becomes default debian init
system.
2028: systemj, a complete, from-scratch rewrite is controversial for trying to reintroduce binary logging.
Consensus is against the systemj devs as sysadmins remember the great systemd logging bug of 2017 unkindly. Systemj project
is eventually abandoned.
2029: systemk codebase used as basis for a military project to create a strong AI, known as "project
skynet". Software behaves paradoxically and project is terminated.
2033: systeml - "system lean" - a "back to basics", from-scratch rewrite, takes off on several server
platforms, boasting increased reliability. systemm, "system mean", a fork, used in security-focused distros.
2117: critical bug discovered in the long-abandoned but critical and ubiquitous system-r project. A
new project, system-s, is announced to address shortcomings in the hundred-year-old codebase. A from-scratch rewrite begins.
2142: systemu project, based on a derivative of systemk, introduces "Artificially intelligent init
system which will shave 0.25 seconds off your boot time and absolutely definitely will not subjugate humanity". Millions
die. The survivors declare "thou shalt not make an init system in the likeness of the human mind" as their highest law.
2147: systemv - a collection of shell scripts written around a very simple and reliable PID 1 introduced,
based on the brand new religious doctrines of "keep it simple, stupid" and "do one thing, and do it well". People's computers
start working properly again, something few living people can remember. Wyld Stallyns release their 94th album. Everybody
lives in peace and harmony.
"... Skynet begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th. At 2:15am it crashes. No one knows why. The binary log file was corrupted in the process and is unrecoverable. ..."
I honestly, seriously sometimes wonder if systemd is Skynet... or, a way for Skynet to
'waken'.
Skynet begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern
time, August 29th. At 2:15am it crashes.
No one knows why. The binary log file was corrupted in the process and is unrecoverable.
All anyone could remember is a bug listed in the systemd bug tracker talking about su which was
classified as WON'T FIX as the developer thought it was a broken concept.
"... Upcoming systemd re-implementations of standard utilities: ls to be replaced by filectl directory contents [pathname] grep to be replaced by datactl file contents search [plaintext] (note: regexp no longer supported as it's ambiguous) gimp to be replaced by imagectl open file filename draw box [x1,y1,x2,y2] draw line [x1,y1,x2,y2] ... ..."
Great to see that systemd is finally doing something about all of those cryptic command
names that plague the unix ecosystem.
Upcoming systemd re-implementations of standard utilities:
ls to be replaced by filectl directory contents [pathname]
grep to be replaced by datactl file contents search [plaintext] (note: regexp no longer
supported as it's ambiguous)
gimp to be replaced by imagectl open file filename draw box [x1,y1,x2,y2] draw line
[x1,y1,x2,y2] ...
I know systemd sneers at the old Unix convention of keeping it simple, keeping it
separate, but that's not the only convention they spit on. God intended Unix (Linux) commands
to be cryptic things 2-4 letters long (like "su", for example). Not "systemctl",
"machinectl", "journalctl", etc. Might as well just give everything a 47-character
long multi-word command like the old Apple commando shell did.
Seriously, though, when you're banging through system commands all day long, it gets old
and their choices aren't especially friendly to tab completion. On top of which why is
"machinectl" a shell and not some sort of hardware function? They should have just named the
bloody thing command.com.
"... Noexec is basically a suggestion, not an enforcement mechanism. Just run ld /path/to/executable. ld is the loader/linker for elf binaries. Without ld, you can't run bash, or ls. With ld, noexec is ignored. ..."
> In short: I think chroot is plenty good for security
Check man chroot. The authors of chroot say it's useless for security. Perhaps you think
you know more than they do, and more than security professionals like myself do. Let's find
out.
> you get a shell in one of my chroots used for security, then.....
Your uid and gid are not going to be 0. Good luck telling the kernel to try and get you
out.
There aren't going to be any /dev, /proc, or other special filesystems
Gonna be kind of tough to have a shell without a tty, aka /dev/*tty*
So yeah, you need /dev. Can't launch a process, including /bin/ls, without /proc, so you're
going to need proc.
Have a look in /proc/1. You'll see a very interesting symlink there.
> mounted noexec
Noexec is basically a suggestion, not an enforcement mechanism. Just run ld
/path/to/executable. ld is the loader/linker for elf binaries. Without ld, you can't run
bash, or ls. With ld, noexec is ignored.
My company does IT security for banks. Meaning we show the banks how they can be hacked.
When I say chroot is not a security control, I'm not guessing.
Russiagate can be viewed as a pretty inventive way to justify their own existence for bloated
intelligence services: first the CIA hacks something leaving traces of Russians or Chinese; then the
FBI, CIA and Department of Homeland Security all enjoy additional money and people to counter the
threat.
The US Department of Homeland Security fabricated "intelligence reports" of Russian
election hacking in order to try to get control of the election infrastructure (probably so
that they can hack it more easily to control the election results).
"... The U.S. was in talks for a deal with Julian Assange but then FBI Director James Comey ordered an end to negotiations after Assange offered to prove Russia was not involved in the DNC leak, as Ray McGovern explains. ..."
"... Special to Consortium News ..."
"... The report does not say what led Comey to intervene to ruin the talks with Assange. But it came after Assange had offered to "provide technical evidence and discussion regarding who did not engage in the DNC releases," Solomon quotes WikiLeaks' intermediary with the government as saying. It would be a safe assumption that Assange was offering to prove that Russia was not WikiLeaks' source of the DNC emails. ..."
"... If that was the reason Comey and Warner ruined the talks, as is likely, it would reveal a cynical decision to put U.S. intelligence agents and highly sophisticated cybertools at risk, rather than allow Assange to at least attempt to prove that Russia was not behind the DNC leak. ..."
"... On March 31, 2017, though, WikiLeaks released the most damaging disclosure up to that point from what it called "Vault 7" -- a treasure trove of CIA cybertools leaked from CIA files. This disclosure featured the tool "Marble Framework," which enabled the CIA to hack into computers, disguise who hacked in, and falsely attribute the hack to someone else by leaving so-called tell-tale signs -- like Cyrillic, for example. The CIA documents also showed that the "Marble" tool had been employed in 2016. ..."
"... In fact, VIPS and independent forensic investigators, have performed what former FBI Director Comey -- at first inexplicably, now not so inexplicably -- failed to do when the so-called "Russian hack" of the DNC was first reported. In July 2017 VIPS published its key findings with supporting data. ..."
"... Why did then FBI Director Comey fail to insist on getting direct access to the DNC computers in order to follow best-practice forensics to discover who intruded into the DNC computers? (Recall, at the time Sen. John McCain and others were calling the "Russian hack" no less than an "act of war.") A 7th grader can now figure that out. ..."
Did Sen. Warner and Comey 'Collude' on Russia-gate? June 27, 2018
The U.S. was in talks for a deal with Julian Assange but then FBI Director James Comey
ordered an end to negotiations after Assange offered to prove Russia was not involved in the
DNC leak, as Ray McGovern explains.
By Ray McGovern
Special to Consortium News
An explosive report by investigative journalist John Solomon on the opinion page of Monday's
edition of
The Hill sheds a bright light on how Sen. Mark Warner (D-VA) and then-FBI Director
James Comey collaborated to prevent WikiLeaks editor Julian Assange from discussing "technical
evidence ruling out certain parties [read Russia]" in the controversial leak of Democratic
Party emails to WikiLeaks during the 2016 election.
A deal that was being discussed last year between Assange and U.S. government officials
would have given Assange "limited immunity" to allow him to leave the Ecuadorian Embassy in
London, where he has been exiled for six years. In exchange, Assange would agree to limit
through redactions "some classified CIA information he might release in the future," according
to Solomon, who cited "interviews and a trove of internal DOJ documents turned over to Senate
investigators." Solomon even provided a copy of the draft immunity deal with Assange.
But Comey's intervention to stop the negotiations with Assange ultimately ruined the deal,
Solomon says, quoting "multiple sources." With the prospective agreement thrown into serious
doubt, Assange "unleashed a series of leaks that U.S. officials say damaged their cyber warfare
capabilities for a long time to come." These were the Vault 7 releases, which led then CIA
Director Mike Pompeo to call WikiLeaks "a hostile intelligence service."
Solomon's report provides reasons why Official Washington has now put so much pressure on
Ecuador to keep Assange incommunicado in its embassy in London.
Assange: Came close to a deal with the U.S. (Photo credit: New Media Days / Peter
Erichsen)
The report does not say what led Comey to intervene to ruin the talks with Assange. But it
came after Assange had offered to "provide technical evidence and discussion regarding who did
not engage in the DNC releases," Solomon quotes WikiLeaks' intermediary with the government as
saying. It would be a safe assumption that Assange was offering to prove that Russia was not
WikiLeaks' source of the DNC emails.
If that was the reason Comey and Warner ruined the talks, as is likely, it would reveal a
cynical decision to put U.S. intelligence agents and highly sophisticated cybertools at risk,
rather than allow Assange to at least attempt to prove that Russia was not behind the DNC
leak.
The greater risk to Warner and Comey apparently would have been if Assange provided evidence
that Russia played no role in the 2016 leaks of DNC documents.
Missteps and Stand Down
In mid-February 2017, in a remarkable display of naiveté, Adam Waldman, Assange's pro
bono attorney who acted as the intermediary in the talks, asked Warner if the Senate
Intelligence Committee staff would like any contact with Assange to ask about Russia or other
issues. Waldman was apparently oblivious to Sen. Warner's stoking of Russia-gate.
Warner contacted Comey and, invoking his name, instructed Waldman to "stand down and end the
discussions with Assange," Waldman told Solomon. The "stand down" instruction "did happen,"
according to another of Solomon's sources with good access to Warner. However, Waldman's
counterpart attorney David Laufman , an accomplished federal prosecutor picked by the
Justice Department to work the government side of the CIA-Assange fledgling deal, told Waldman,
"That's B.S. You're not standing down, and neither am I."
But the damage had been done. When word of the original stand-down order reached WikiLeaks,
trust evaporated, putting an end to two months of what Waldman called "constructive, principled
discussions that included the Department of Justice."
The two sides had come within inches of sealing the deal. Writing to Laufman on March 28,
2017, Waldman gave him Assange's offer to discuss "risk mitigation approaches relating to CIA
documents in WikiLeaks' possession or control, such as the redaction of Agency personnel in
hostile jurisdictions," in return for "an acceptable immunity and safe passage agreement."
On March 31, 2017, though, WikiLeaks released the most damaging disclosure up to that
point from what it called "Vault 7" -- a treasure trove of CIA cybertools leaked from CIA
files. This disclosure featured the tool "Marble Framework," which enabled the CIA to hack into
computers, disguise who hacked in, and falsely attribute the hack to someone else by leaving
so-called tell-tale signs -- like Cyrillic, for example. The CIA documents also showed that the
"Marble" tool had been employed in 2016.
Misfeasance or Malfeasance
Comey: Ordered an end to talks with Assange.
Veteran Intelligence Professionals for Sanity, which includes among our members two former
Technical Directors of the National Security Agency, has repeatedly called
attention to its conclusion that the DNC emails were leaked -- not "hacked" by Russia or
anyone else (and, later, our suspicion that someone may have been playing Marbles, so to
speak).
In fact, VIPS and independent forensic investigators, have performed what former FBI
Director Comey -- at first inexplicably, now not so inexplicably -- failed to do when the
so-called "Russian hack" of the DNC was first reported. In July 2017 VIPS published its
key findings with supporting data.
Two months later, VIPS published the results of follow-up experiments conducted to test the
conclusions reached in July.
Why did then FBI Director Comey fail to insist on getting direct access to the DNC computers
in order to follow best-practice forensics to discover who intruded into the DNC computers?
(Recall, at the time Sen. John McCain and others were calling the "Russian hack" no less than
an "act of war.") A 7th grader can now figure that out.
Asked on January 10, 2017 by Senate Intelligence Committee chair Richard Burr (R-NC) whether
direct access to the servers and devices would have helped the FBI in their investigation,
Comey replied: "Our forensics folks would always prefer to get access to the original device or
server that's involved, so it's the best evidence."
At that point, Burr and Warner let Comey down easy. Hence, it should come as no surprise
that, according to one of John Solomon's sources, Sen. Warner (who is co-chairman of the Senate
Intelligence Committee) kept Sen. Burr apprised of his intervention into the negotiation with
Assange, leading to its collapse.
Ray McGovern works with Tell the Word, a publishing arm of the ecumenical Church of the
Saviour in inner-city Washington. He was an Army Infantry/Intelligence officer and then a CIA
analyst for a total of 30 years and prepared and briefed, one-on-one, the President's Daily
Brief from 1981 to 1985.
"... All this speech to stifle speech comes in reaction to the first publication in the start of WikiLeaks' "Vault 7" series. Vault 7 has begun publishing evidence of remarkable CIA incompetence and other shortcomings. This includes the agency's creation, at a cost of billions of taxpayer dollars, of an entire arsenal of cyber viruses and hacking programs -- over which it promptly lost control and then tried to cover up the loss. These publications also revealed the CIA's efforts to infect the public's ubiquitous consumer products and automobiles with computer viruses. ..."
"... President Theodore Roosevelt understood the danger of giving in to those "foolish or traitorous persons who endeavor to make it a crime to tell the truth about the Administration when the Administration is guilty of incompetence or other shortcomings." Such "endeavor is itself a crime against the nation," Roosevelt wrote. President Trump and his officials should heed that advice ..."
Mike Pompeo, in his first speech as director of the CIA, chose to declare war on free speech
rather than on the United States' actual adversaries. He went after WikiLeaks, where I serve as
editor, as a "non-state hostile intelligence service." In Pompeo's worldview, telling the truth
about the administration can be a crime -- as Attorney General Jeff Sessions quickly
underscored when he described my arrest as a "priority." News organizations reported that
federal prosecutors are weighing whether to bring charges against members of WikiLeaks,
possibly including conspiracy, theft of government property and violating the Espionage
Act.
All this speech to stifle speech comes in reaction to the first publication in the start
of WikiLeaks' "Vault 7" series. Vault 7 has begun publishing evidence of remarkable CIA
incompetence and other shortcomings. This includes the agency's creation, at a cost of billions
of taxpayer dollars, of an entire arsenal of cyber viruses and hacking programs -- over which
it promptly lost control and then tried to cover up the loss. These publications also revealed
the CIA's efforts to infect the public's ubiquitous consumer products and automobiles with
computer viruses.
When the director of the CIA, an unelected public servant, publicly demonizes a publisher
such as WikiLeaks as a "fraud," "coward" and "enemy," it puts all journalists on notice, or
should. Pompeo's next talking point, unsupported by fact, that WikiLeaks is a "non-state
hostile intelligence service," is a dagger aimed at Americans' constitutional right to receive
honest information about their government. This accusation mirrors attempts throughout history
by bureaucrats seeking, and failing, to criminalize speech that reveals their own failings.
President Theodore Roosevelt understood the danger of giving in to those "foolish or
traitorous persons who endeavor to make it a crime to tell the truth about the Administration
when the Administration is guilty of incompetence or other shortcomings." Such "endeavor is
itself a crime against the nation," Roosevelt wrote. President Trump and his officials should
heed that advice .
"... What has however become clear in recent days is that the 'Gerasimov Doctrine' was not invented by its supposed author, but by a British academic, Mark Galeotti, who has now confessed – although in a way clearly designed to maintain as much of the 'narrative' as possible. ..."
"... Three days ago, an article by Galeotti appeared in 'Foreign Policy' entitled 'I'm Sorry for Creating the "Gerasimov Doctrine": I was the first to write about Russia's infamous high-tech military strategy. One small problem: it doesn't exist.' ..."
"... The translation of the original article by Gerasimov with annotations by Galeotti which provoked the whole hysteria turns out to be a classic example of what I am inclined to term 'bad Straussianism.' ..."
"... What Strauss would have called the 'exoteric' meaning of the article quite clearly has to do with defensive strategies aimed at combatting the kind of Western 'régime change' projects about which people like those who write for 'Lawfare' are so enthusiastic. But Galeotti tells us that this is, at least partially, a cover for an 'esoteric' meaning, which has to do with offensive actions in Ukraine and similar places. ..."
More material on the British end of the conspiracy.
Commenting on an earlier piece by PT, I suggested that a key piece of evidence pointing to
'Guccifer 2.0' being a fake personality created by the conspirators in their attempt to
disguise the fact that the materials from the DNC published by 'WikiLeaks' were obtained by a
leak rather than a hack had to do with the involvement of the former GCHQ person Matt
Tait.
To recapitulate: Back in June 2016, hard on the heels of the claim by Dmitri Alperovitch
of 'CrowdStrike' to have identified clinching evidence making the GRU prime suspects, Tait
announced that, although initially unconvinced, he had found a 'smoking gun' in the
'metadata' of the documents released by 'Guccifer 2.0.'
A key part of this was the use by someone modifying a document of 'Felix Edmundovich'
– the name and patronymic of Dzerzhinsky, the Lithuanian-Polish noble who created the
Soviet secret police.
As I noted, Tait was generally identified as a former GCHQ employee who now ran a
consultancy called 'Capital Alpha Security.' However, checking Companies House records
revealed that he had filed 'dormant accounts' for the company. So it looks as though the
company was simply a 'front', designed to fool 'useful idiots' into believing he was an
objective analyst.
As I also noted in those comments, Tait writes the 'Lawfare' blog, one of whose founders,
Benjamin Wittes, looks as though he may himself have been involved in the conspiracy up to
the hilt. Furthermore, a secure income now appears to have been provided to replace that from
the non-existent consultancy, in the shape of a position at the 'Robert S. Strauss Center for
International Security and Law', run by Robert Chesney, a co-founder with Wittes of
'Lawfare.'
A crucial part of the story, however, is that the notion of GRU responsibility for the
supposed 'hacks' appears to be part of a wider 'narrative' about the supposed 'Gerasimov
Doctrine.' From the 'View from Langley' provided to Bret Stephens by CIA Director Mike Pompeo
at the 'Aspen Security Forum' last July:
'I hearken back to something called the Gerasimov doctrine from the early 70s, he's now
the head of the – I'm a Cold War guy, forgive me if I mention Soviet Union. He's now
the head of the Russian army and his idea was that you can win wars without firing a single
shot or with firing very few shots in ways that are decidedly not militaristic, and that's
what's happened. What changes is the costs; to effectuate change through cyber and through RT
and Sputnik, their news outlets, and through other soft means; has just really been lowered,
right. It used to be it was expensive to run an ad on a television station now you simply go
online and propagate your message. And so they have they have found an effective tool, an
easy way to go reach into our systems, and into our culture to achieve the outcomes they are
looking for.'
What has however become clear in recent days is that the 'Gerasimov Doctrine' was not
invented by its supposed author, but by a British academic, Mark Galeotti, who has now
confessed – although in a way clearly designed to maintain as much of the 'narrative'
as possible.
Three days ago, an article by Galeotti appeared in 'Foreign Policy' entitled 'I'm
Sorry for Creating the "Gerasimov Doctrine": I was the first to write about Russia's infamous
high-tech military strategy. One small problem: it doesn't exist.'
'Gerasimov was actually talking about how the Kremlin understands what happened in the
"Arab Spring" uprisings, the "color revolutions" against pro-Moscow regimes in Russia's
neighborhood, and in due course Ukraine's "Maidan" revolt. The Russians honestly –
however wrongly – believe that these were not genuine protests against brutal and
corrupt governments, but regime changes orchestrated in Washington, or rather, Langley. This
wasn't a "doctrine" as the Russians understand it, for future adventures abroad: Gerasimov
was trying to work out how to fight, not promote, such uprisings at home.'
The translation of the original article by Gerasimov with annotations by Galeotti
which provoked the whole hysteria turns out to be a classic example of what I am inclined to
term 'bad Straussianism.'
What Strauss would have called the 'exoteric' meaning of the article quite clearly has
to do with defensive strategies aimed at combatting the kind of Western 'régime
change' projects about which people like those who write for 'Lawfare' are so enthusiastic.
But Galeotti tells us that this is, at least partially, a cover for an 'esoteric' meaning,
which has to do with offensive actions in Ukraine and similar places.
Having now read the text of the article, I can see a peculiar irony in it. In a section
entitled 'You Can't Generate Ideas On Command', Gerasimov suggests that 'The state of Russian
military science today cannot be compared with the flowering of military-theoretical thought
in our country on the eve of World War II.'
According to the 'exoteric' meaning of the article, it is not possible to blame anyone in
particular for this situation. But Gerasimov goes on to remark that, while at the time of
that flowering there were 'no people with higher degrees' or 'academic schools or
departments', there were 'extraordinary personalities with brilliant ideas', who he terms
'fanatics in the best sense of the word.'
Again, Galeotti discounts the suggestion that nobody is to blame, assuming an 'esoteric
meaning', and remarking: 'Ouch. Who is he slapping here?'
Actually, Gerasimov refers by name to two, utterly different figures, who certainly were
'extraordinary personalities with brilliant ideas.'
If Pompeo had even the highly amateurish grasp of the history of debates among Soviet
military theorists that I have managed to acquire he would be aware that one of the things
which was actually happening in the 'Seventies was the rediscovery of the ideas of Alexander
Svechin.
Confirming my sense that this has continued on, Gerasimov ends by using Svechin to point
up an intractable problem: it can be extraordinarily difficult to anticipate the conditions
of a war, and crucial not to impose a standardised template likely to be inappropriate, but
one has to make some kinds of prediction in order to plan.
Immediately after the passage which Galeotti interprets as a dig at some colleague,
Gerasimov elaborates his reference to 'extraordinary people with brilliant ideas' by
referring to an anticipation of a future war, which proved prescient, from a very different
figure to Svechin:
'People like, for instance, Georgy Isserson, who, despite the views he formed in the
prewar years, published the book "New Forms Of Combat." In it, this Soviet military
theoretician predicted: "War in general is not declared. It simply begins with already
developed military forces. Mobilization and concentration is not part of the period after the
onset of the state of war as was the case in 1914 but rather, unnoticed, proceeds long before
that." The fate of this "prophet of the Fatherland" unfolded tragically. Our country paid in
great quantities of blood for not listening to the conclusions of this professor of the
General Staff Academy.'
Unlike Svechin, whom I have read, I was unfamiliar with Isserson. A quick Google search,
however, unearthed a mass of material in American sources – including, by good fortune,
an online text of a 2010 study by Dr Richard Harrison entitled 'Architect of Soviet Victory
in World War II: The Life and Theories of G.S. Isserson', and a presentation summarising the
volume.
Ironically, Svechin and Isserson were on opposite sides of fundamental divides. So the
former, an ethnic Russian from Odessa, was one of the 'genstabisty', the former Tsarist
General Staff officers who sided with the Bolsheviks and played a critical role in teaching
the Red Army how to fight. Meanwhile Isserson was a very different product of the
'borderlands' – the son of a Jewish doctor, brought up in Kaunas, with a German Jewish
mother from what was then Königsberg, giving him an easy facility with German-language
sources.
The originator of the crucial concept of 'operational' art – the notion that in
modern industrial war, the ability to handle a level intermediate between strategy and
tactics was critical to success – was actually Svechin.
Developing the ambivalence of Clausewitz, however, he stressed that both the offensive and
the defensive had their places, and that the key to success was to know which was appropriate
when and also to be able rapidly to change from one to the other. His genuflections to
Marxist-Leninist dogma, moreover, were not such as to take in any of Dzerzhinsky's
people.
By contrast, Isserson was unambiguously committed to the offensive strand in the
Clausewitzian tradition, and a Bolshevik 'true believer' (although he married the daughter of
a dispossessed ethnically Russian merchant, who had their daughter baptised without his
knowledge.)
As Harrison brings out, Isserson's working through of the problems of offensive
'operational art' would be critical to the eventual success of the Red Army against Hitler.
However, the specific text to which he refers was, ironically, a warning of precisely one of
the problems implicit in the single-minded reliance on the offensive: the possibility that
one could be left with no good options confronting an antagonist similarly oriented –
as turned out to be the case.
As Gerasimov intimates, while unlike Svechin, executed in 1938, Isserson survived the
Stalin years, he was another of the victims of Dzerzhinsky's heirs. Arrested shortly before
his warnings were vindicated by the German attack on 22 June 1941, he would spend the war in
the Gulag and only return to normal life after Stalin's death.
So I think that the actual text of Gerasimov's article reinforces a point I have made
previously. The 'evidence' identified by Tait is indeed a 'smoking gun.' But it emphatically
does not point towards the GRU.
Meanwhile, another moral of the tale is that Americans really should stop being taken in
by charlatan Brits like Galeotti, Tait, and Steele.
"... The Deep State (Oligarchs and the MIC) is totally fucking loving this: they have Trump and the GOP giving them everything they ever wanted and they have the optics and distraction of an "embattled" president that claims to be against or a victim of the "deep state" and a base that rallies, circles the wagons around him, and falls for the narrative. ..."
"... They know exactly who it was with the memory stick, there is always video of one form or another either in the data center or near the premises that can indicate who it was. They either have a video of Seth Rich putting the stick into the server directly, or they at least have a video of his car entering and leaving the vicinity of the exfiltration. ..."
"... This would have been an open and shut case if shillary was not involved. Since it was involved, you can all chalk it up to the Clinton body count. I pray that it gets justice. It and the country, the world - needs justice. ..."
Kim Dotcom has once again chimed in on the DNC hack, following a Sunday morning tweet from President Trump clarifying his previous
comments on Russian meddling in the 2016 election.
In response, Dotcom tweeted "Let me assure you, the DNC hack wasn't even a hack. It was an insider with a memory stick. I know
this because I know who did it and why," adding "Special Counsel Mueller is not interested in my evidence. My lawyers wrote to him
twice. He never replied. 360 pounds!" alluding of course to Trump's "400 pound genius" comment.
Dotcom's assertion is backed up by an analysis done last year by a researcher who goes by the name Forensicator, who determined
that the DNC files were copied at 22.6 MB/s - a speed virtually impossible to achieve from halfway around the world, much less
over a local network - yet a speed typical of file transfers to a memory stick.
The local transfer theory of course blows the Russian hacking narrative out of the water, lending credibility to the theory that
the DNC "hack" was in fact an inside job, potentially implicating late DNC IT staffer, Seth Rich.
John Podesta's email was allegedly successfully "hacked" (he fell victim to a phishing scam) in March 2016, while the DNC
reported suspicious activity (the suspected Seth Rich file transfer) in late April, 2016 according to the Washington Post.
On May 18, 2017, Dotcom proposed that if Congress includes the Seth Rich investigation in their Russia probe, he would provide
written testimony with evidence that Seth Rich was WikiLeaks' source.
On May 19 2017 Dotcom tweeted "I knew Seth Rich. I was involved"
Three days later, Dotcom again released a guarded statement saying "I KNOW THAT SETH RICH WAS INVOLVED IN THE DNC LEAK," adding:
"I have consulted with my lawyers. I accept that my full statement should be provided to the authorities and I am prepared
to do that so that there can be a full investigation. My lawyers will speak with the authorities regarding the proper process.
If my evidence is required to be given in the United States I would be prepared to do so if appropriate arrangements are made.
I would need a guarantee from Special Counsel Mueller, on behalf of the United States, of safe passage from New Zealand to the
United States and back. In the coming days we will be communicating with the appropriate authorities to make the necessary arrangements.
In the meantime, I will make no further comment."
Dotcom knew.
While one could simply write off Dotcom's claims as an attention seeking stunt, he made several comments and a series of tweets
hinting at the upcoming email releases prior to both the WikiLeaks dumps as well as the publication of the hacked DNC emails to a
website known as "DCLeaks."
In a May 14, 2015 Bloomberg article entitled "Kim Dotcom: Julian Assange Will Be Hillary Clinton's Worst Nightmare In 2016":
"I have to say it's probably more Julian," who threatens Hillary, Dotcom said. "But I'm aware of some of the things that are
going to be roadblocks for her."
Two days later, Dotcom tweeted this:
Around two months later, Kim asks a provocative question
Two weeks after that, Dotcom then tweeted "Mishandling classified info is a crime. When Hillary's emails eventually pop up on
the internet who's going to jail?"
It should thus be fairly obvious to anyone that Dotcom was somehow involved, and therefore any evidence he claims to have should
be taken seriously as part of Mueller's investigation. Instead, as Dotcom tweeted, "Special Counsel Mueller is not interested in
my evidence. My lawyers wrote to him twice. He never replied."
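The rate reconstruction the article cites works purely from file metadata: the last-modified times recorded on the copy destination bound the window in which the later files were written, and the bytes written inside that window divided by its length give an implied throughput. The following is an added example by the editor (not Forensicator's code, nor anything from the article) that carries that arithmetic through on constructed file names, sizes and timestamps, brackets the result by the timestamp resolution, converts it to the Mbit/s figure a network engineer would compare against, and checks it against a few illustrative link capacities that are round-number assumptions rather than measurements.

```python
"""Reconstruct the copy rate implied by file metadata (added example).

Editor's illustration of the timestamp-based method; not Forensicator's
code. All file names, sizes and timestamps are constructed, and the link
capacities are illustrative round numbers, not measurements.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Sequence, Tuple

MB = 1_000_000  # decimal megabytes, the unit the article quotes


@dataclass(frozen=True)
class FileRecord:
    name: str
    size: int        # bytes
    mtime: datetime  # last-modified time as recorded on the copy destination


_T0 = datetime(2016, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed

# Constructed sample: five files whose timestamps fall in a 10 s window.
SAMPLE_FILES: Tuple[FileRecord, ...] = (
    FileRecord("a.pdf", 5 * MB, _T0),
    FileRecord("b.docx", 60 * MB, _T0 + timedelta(seconds=2)),
    FileRecord("c.xlsx", 40 * MB, _T0 + timedelta(seconds=4)),
    FileRecord("d.pdf", 80 * MB, _T0 + timedelta(seconds=8)),
    FileRecord("e.zip", 46 * MB, _T0 + timedelta(seconds=10)),
)

# Illustrative sustained write capacities in MB/s (assumptions, not measurements).
ILLUSTRATIVE_LINKS: Dict[str, float] = {
    "USB 2.0 flash drive": 30.0,
    "Gigabit LAN": 110.0,
    "100 Mbit/s WAN uplink": 12.5,
}


def infer_resolution_s(files: Sequence[FileRecord]) -> float:
    """Heuristic: DOS/FAT-style timestamps (as stored in ZIP entries) have
    2 s granularity, so if every mtime is an even whole second assume 2 s.
    """
    if any(f.mtime.microsecond for f in files):
        return 1e-6
    if all(f.mtime.second % 2 == 0 for f in files):
        return 2.0
    return 1.0


def implied_rate_mbps(files: Sequence[FileRecord],
                      resolution_s: float = 2.0) -> Tuple[float, float, float]:
    """Return (nominal, low, high) throughput in MB/s.

    The earliest mtime marks the completion of the first file, so only the
    bytes of the later files are known to have been written inside the
    window. low/high bracket the nominal value by the timestamp resolution,
    since the true span may be off by up to that amount.
    """
    if len(files) < 2:
        raise ValueError("need at least two files to bound a copy window")
    ordered = sorted(files, key=lambda f: f.mtime)
    span = (ordered[-1].mtime - ordered[0].mtime).total_seconds()
    if span <= 0:
        raise ValueError("all files share one timestamp; window is unresolved")
    payload = sum(f.size for f in ordered[1:])
    nominal = payload / span / MB
    low = payload / (span + resolution_s) / MB
    high = math.inf if span <= resolution_s else payload / (span - resolution_s) / MB
    return nominal, low, high


def megabits_per_second(rate_mbps: float) -> float:
    """Decimal MB/s to Mbit/s, the unit link speeds are quoted in."""
    return rate_mbps * 8.0


def links_that_could_sustain(rate_mbps: float,
                             links: Dict[str, float] = ILLUSTRATIVE_LINKS) -> List[str]:
    """Names of links whose assumed capacity is at least the implied rate."""
    return sorted(name for name, cap in links.items() if cap >= rate_mbps)


if __name__ == "__main__":
    res = infer_resolution_s(SAMPLE_FILES)
    nominal, low, high = implied_rate_mbps(SAMPLE_FILES, res)
    print(f"timestamp resolution ~{res} s")
    print(f"implied rate {nominal:.1f} MB/s ({megabits_per_second(nominal):.0f} Mbit/s), "
          f"bracket {low:.1f}-{high:.1f} MB/s")
    print("links that could sustain it:", links_that_could_sustain(nominal))
```

On the constructed sample the nominal figure comes out at 22.6 MB/s (180.8 Mbit/s), but with 2 s timestamps the defensible range is already about 18.8 to 28.3 MB/s, which is why the resolution check comes first. The other thing to establish before reading anything into such numbers is what the mtimes actually record: some copy tools preserve the source file's modification time rather than stamping the destination write, in which case the window measures the source's history and not the transfer at all.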
The Deep State (Oligarchs and the MIC) is totally fucking loving this: they have Trump and the GOP giving them everything
they ever wanted and they have the optics and distraction of an "embattled" president that claims to be against or a victim of
the "deep state" and a base that rallies, circles the wagons around him, and falls for the narrative.
Meanwhile they keep enacting the most Pro Deep State/MIC/Police State/Zionist/Wall Street agenda possible. And they call it
#winning
"Had to be a Russian mole with a computer stick. MSM, DNC and Muller say so."
They know exactly who it was with the memory stick, there is always video of one form or another either in the data center
or near the premises that can indicate who it was. They either have a video of Seth Rich putting the stick into the server directly,
or they at least have a video of his car entering and leaving the vicinity of the exfiltration.
This would have been an open and shut case if shillary was not involved. Since it was involved, you can all chalk it up
to the Clinton body count. I pray that it gets justice. It and the country, the world - needs justice.
Kim is great, Assange is great. Kim is playing a double game. He wants immunity from the US GUmmint overreach that destroyed
his company and made him a prisoner in NZ.
Good on ya Kim.
His name was Seth Rich...and he will reach out from the grave and bury Killary who murdered him.
There are so many nuances to this and all are getting mentioned but the one that also stands out is that in an age of demands
for gun control by the Dems, Seth Rich is never, ever mentioned. He should be the poster child for gun control. Young man, draped
in a American flag, helping democracy, gunned down...it writes itself.
They either are afraid of the possible racial issues should it turn out to be a black man killing a white man (but why should
that matter in a gun control debate?) or they just don't want people looking at this case. I go for #2.
Funny that George Webb can figure it out, but Trump, Leader of the Free World, is sitting there with his dick in his hand waiting
for someone to save him.
Whatever he might turn out to be, this much is clear: Trump is a spineless weakling. He might be able to fuck starlets, but
he hasn't got the balls to defend either himself or the Republic.
Webb's research is also...managed. But a lot of it was/is really good (don't follow it anymore) and I agree re: SR piece of
it.
I think SR is such an interesting case. It's not really an anomaly because SO many Bush-CFR-related hits end the same way and
his had typical signatures. But his also squeals of a job done w/out much prior planning because I think SR surprised everyone.
If, in fact, that was when he was killed. Everything regarding the family's demeanor suggests no.
MANY patterns in shootings: failure in law enforcement/intelligence who were notified of problem individuals ahead of time,
ARs, mental health and SSRIs, and ongoing resistance to gun control in DC ----these are NOT coincidences. Nor are distractions
in MSM's version of events w/ controlled propaganda.
Children will stop being killed when America wakes the
fuck up and starts asking the right questions, making the right demands. It's time.
I don't think you know how these hackers have nearly ALL been intercepted by CIA--for decades now. DS has had backdoor access
to just about all of them. I agree that Kim is great, brilliant and was sabotaged but he's also cooperating. Otherwise he'd be
dead.
Bes is either "disinfo plant" or energy draining pessimist. Result is the same - to deflate your power to create a new future.
Trump saw the goal of the Fed Reserve banksters decades ago and spoke often about it. Like Prez Kennedy he wants to return
USA economy to silver or gold backed dollar then transition to new system away from the Black Magic fed reserve/ tax natl debt
machine.
The Globalist Cabal has been working to destroy the US economy ever since they income tax April 15th Lincoln at the Ford theater.
125 years. But Bes claims because Trump cannot reverse 125 years of history in one year that it is kabuki.
"... The Dulles brothers, with Allan as head of Sullivan and Cromwells' CIA were notorious facilitators for the international banksters and their subsidiary corporations which comprise the largest oil and military entities which have literally plainly stated in writing, need to occasionally "GALVANIZE" the American public through catastrophic and catalyzing events in order for Americans to be terrified into funding and fighting for those interlocked corporations in their quest to spread "FULL SPECTRUM DOMINANCE," throughout the globe. ..."
"... The book by Peter Dale Scott, "The American Deep State Wall Street, Big Oil And the Attack on American Democracy" covers in detail some of the points you mention in your reply. It is a fascinating book. ..."
Your link to the Giraldi piece is appreciated, however, Giraldi starts off on a false
premise: He claims that people generally liked and trusted the FBI and CIA up until or
shortly after 9/11. Not so! Both agencies were complicit in the most infamous assassinations
and false flag episodes since the Kennedy/MLK Vietnam days. Don't forget Air America CIA drug
running and Iran/Contra / October Surprise affairs.
The Dulles brothers, with Allan as head of Sullivan and Cromwells' CIA were notorious
facilitators for the international banksters and their subsidiary corporations which comprise
the largest oil and military entities which have literally plainly stated in writing, need to
occasionally "GALVANIZE" the American public through catastrophic and catalyzing events in
order for Americans to be terrified into funding and fighting for those interlocked
corporations in their quest to spread "FULL SPECTRUM DOMINANCE," throughout the globe.
The political parties are theatre designed to fool the people into believing we are living
in some sort of legitimate, representative system, when it's the same old plutocracy that
manages to get elected because they've long figured out the art of polarizing people and
capitalising on tribal alignments.
We should eliminate all government for a time so that people can begin to see that
corporations really do and most always have run the country.
It's preposterous to think the stupid public is actually discussing saddling ourselves and
future generations with gargantuan debt through a system designed and run by banksters!
it should be self evident a sovereign nation should maintain and forever hold the rights
to develop a monetary/financial system that serves the needs of the people, not be indentured
servants in a financial system that serves the insatiable greed of a handful of parasitic
banksters and corporate tycoons!
Joe Tedesky , February 17, 2018 at 5:08 pm
You are so right, in fact Robert Parry made quite a journalistic career out of exposing
the CIA for such things as drug running. I gave up on that agency a longtime ago, after JFK
was murdered, and I was only 13 then. Yeah maybe Phil discounts the time while he worked for
the CIA, but the CIA has many, many rooms in which plots are hatched, so the valiant truth
teller Giraldi maybe excused this one time for his lack of memory .I guess, right?
Good comment Lee. Joe
Annie , February 17, 2018 at 5:56 pm
Yes, but he's referring to the public's opinion of these agencies, and if they didn't
continue to retain, even after 9/11, a significant popularity in the public's mind how would
we have so many Americans buying into Russia-gate? In my perception of things they only lost
some ground after 9/11, but Americans notoriously have a short memory span.
Gregory Herr , February 17, 2018 at 6:42 pm
And films that are supposed to help Americans feel good about the aims and efficacy of the
agencies like Zero Dark Thirty and Argo are in the popular imagination.
Skeptigal , February 17, 2018 at 7:19 pm
The book by Peter Dale Scott, "The American Deep State Wall Street, Big Oil And the Attack
on American Democracy" covers in detail some of the points you mention in your reply. It is a
fascinating book.
Russians Spooked by Nukes-Against-Cyber-Attack Policy February 16, 2018
New U.S. policy on nuclear retaliatory strikes for cyber-attacks is raising concerns, with
Russia claiming that it's already been blamed for a false-flag cyber-attack – namely the
election hacking allegations of 2016, explain Ray McGovern and William Binney.
By Ray McGovern and William Binney
Moscow is showing understandable concern over the lowering of the threshold for employing
nuclear weapons to include retaliation for cyber-attacks, a change announced on Feb. 2 in the
U.S. Nuclear Posture Review (NPR).
A nuclear test detonation carried out in Nevada on April 18, 1953.
Explaining the shift in U.S. doctrine on first-use, the NPR cites the efforts of potential
adversaries "to design and use cyber weapons" and explains the change as a "hedge" against
non-nuclear threats. In response, Russia described the move as an "attempt to shift onto others
one's own responsibility" for the deteriorating security situation.
Moscow's concern goes beyond rhetoric. Cyber-attacks are notoriously difficult to trace to
the actual perpetrator and can be pinned easily on others in what we call "false-flag"
operations. These can be highly destabilizing – not only in the strategic context, but in
the political arena as well.
Russian President Vladimir Putin has good reason to believe he has been the target of a
false-flag attack of the political genre. We judged this to be the case a year and a half ago,
and said so. Our judgment was fortified last summer – thanks to forensic evidence
challenging accusations that the Russians hacked into the Democratic National Committee and
provided emails to WikiLeaks. (Curiously, the FBI declined to do forensics, even though the
"Russian hack" was being described as an "act of war.")
Our conclusions were based on work conducted over several months by highly experienced
technical specialists, including another former NSA technical director (besides co-author
Binney) and experts from outside the circle of intelligence analysts.
On August 9, 2017, investigative reporter Patrick Lawrence
summed up our findings in The Nation. "They have all argued that the hack theory is wrong
and that a locally executed leak is the far more likely explanation," he explained.
As we wrote in an open letter to Barack Obama dated January 17, three days before he left
office, the NSA's programs are fully capable of capturing all electronic transfers of data. "We
strongly suggest that you ask NSA for any evidence it may have indicating that the results of
Russian hacking were given to WikiLeaks," our letter said. "If NSA cannot produce such evidence
– and quickly – this would probably mean it does not have any."
A 'Dot' Pointing to a False Flag?
In his article, Lawrence included mention of one key, previously unknown "dot" revealed by
WikiLeaks on March 31, 2017. When connected with other dots, it puts a huge dent in the
dominant narrative about Russian hacking. Small wonder that the mainstream media immediately
applied white-out to the offending dot.
Lawrence, however, let the dot out of the bag, so to speak: "The list of the CIA's
cyber-tools WikiLeaks began to release in March and labeled Vault 7 includes one called
Marble Framework
that is capable of obfuscating the origin of documents in false-flag operations and leaving
markings that point to whatever the CIA wants to point to."
If congressional oversight committees summon the courage to look into "Obfus-Gate" and
Marble, they are likely to find this line of inquiry as lucrative as the Steele "dossier." In
fact, they are likely to find the same dramatis personae playing leading roles in both
productions.
Two Surprising Visits
Last October CIA Director Mike Pompeo invited one of us (Binney) into his office to discuss
Russian hacking. Binney told Pompeo his analysts had lied and that he could prove it.
In retrospect, the Pompeo-Binney meeting appears to have been a shot across the bow of those
cyber warriors in the CIA, FBI, and NSA with the means and incentive to adduce "just
discovered" evidence of Russian hacking. That Pompeo could promptly invite Binney back to
evaluate any such "evidence" would be seen as a strong deterrent to that kind of operation.
Pompeo's closeness to President Donald Trump is probably why the heads of Russia's three top
intelligence agencies paid Pompeo an unprecedented visit in late January. We think it likely
that the proximate cause was the strategic danger Moscow sees in the
nuclear-hedge-against-cyber-attack provision of the Nuclear Posture Statement (a draft of which
had been leaked a few weeks before).
If so, the discussion presumably focused on enhancing hot-line and other fail-safe
arrangements to reduce the possibility of false-flag attacks in the strategic arena -- by
anyone – given the extremely high stakes.
Putin may have told his intelligence chiefs to pick up on President Donald Trump's
suggestion, after the two met last July, to establish a U.S.-Russian cyber security unit. That
proposal was widely ridiculed at the time. It may make good sense now.
Ray McGovern, a CIA analyst for 27 years, was chief of the Soviet Foreign Policy Branch and
briefed the President's Daily Brief one-on-one from 1981-1985. William Binney worked for NSA
for 36 years, retiring in 2001 as the technical director of world military and geopolitical
analysis and reporting; he created many of the collection systems still used by NSA.
mike k , February 16, 2018 at 5:36 pm
Those Russians had a strange mission coming to CIA headquarters to try to negotiate with
soulless mass murderers in the name of maintaining a precarious semblance of peace, knowing
full well that these men's words and assurances were worth less than nothing. Ah well, I
guess in a mad situation one is reduced to making desperate gestures, hoping against hope.
Mild-ly -Facetious , February 16, 2018 at 5:42 pm
F Y I :> Putin prefers Aramco to Trump's sword dance
Hardly 10 months after honoring the visiting US president, the Saudis are open to a
Russian-Chinese consortium investing in the upcoming Aramco IPO
By M.K. BHADRAKUMAR
FEBRUARY 16, 2018
[extract]
In the slideshow that is Middle Eastern politics, the series of still images seldom add up
to make an enduring narrative. And the probability is high that when an indelible image
appears, it might go unnoticed – such as Russia and Saudi Arabia wrapping up huge
energy deals on Wednesday underscoring a new narrative in regional and international
security.
The ebb and flow of events in Syria – Turkey's campaign in Afrin and its threat to
administer an "Ottoman slap" to the United States, and the shooting down of an Israeli F-16
jet – hogged the attention. But something of far greater importance was unfolding in
Riyadh, as Saudi and Russian officials met to seal major deals marking a historic challenge
to the US dominance in the Persian Gulf region.
The big news is the Russian offer to the Saudi authorities to invest directly in the
upcoming Aramco initial public offering – and the Saudis acknowledging the offer. Even
bigger news, surely, is that Moscow is putting together a Russian-Chinese consortium of joint
investment funds plus several major Russian banks to be part of the Aramco IPO.
Chinese state oil companies were interested in becoming cornerstone investors in the IPO,
but the participation of a Russia-China joint investment fund takes matters to an entirely
different realm. Clearly, the Chinese side is willing to hand over tens of billions of
dollars.
Yet the Aramco IPO was a prime motive for US President Donald Trump to choose Saudi Arabia
for his first foreign trip. The Saudi hosts extended the ultimate honor to Trump – a
ceremonial sword dance outside the Murabba Palace in Riyadh. Hardly 10 months later, they are
open to a Russian-Chinese consortium investing in the Aramco IPO.
Riyadh plans to sell 5% of Saudi Aramco in what is billed as the largest IPO in world
history. In the Saudi estimation, Aramco is worth US$2 trillion; a 5% stake sale could fetch
as much as $100 billion. The IPO is a crucial segment of Vision 2030, Saudi Crown Prince
Mohammad bin Salman's ambitious plan to diversify the kingdom's economy.
"Last October CIA Director Mike Pompeo invited one of us (Binney) into his office to
discuss Russian hacking. Binney told Pompeo his analysts had lied and that he could prove
it."
That was about some Dm. Alperovitch of CrowdStrike fame, who had discovered the "hacking" in
10 sec. Guess Alperovitch, as an "expert" at the viciously Russophobic Atlantic Council
(funded by the State Dept., NATO, and a set of unsavory characters like Ukrainian oligarch
Pinchuk) decided to show his "understanding" of the task. The shy FBI did not even attempt to
look at the Clinton server because the bosses "knew better."
Alperovitch must be investigated for anti-American activities; the scoundrel has been sowing
discord into the US society with his lies while endangering the US citizenry.
Is not "supporting the presidential campaign of then-candidate Donald J. Trump ("Trump Campaign") and disparaging
Hillary Clinton" (or vice versa) by posting on social media an example of free speech?
But usage of fake identities clearly is not: "The Russians tracked the metrics of their effort in reports and budgeted for their efforts. Some,
as described below, traveled to the U.S. to gather intelligence for the surreptitious campaign. They
used stolen U.S. identities, including fake driver's licenses, and contacted news media outlets to
promote their activities."
The question is how those unquestionably very talented Russians managed to learn the English language without living in the USA and
to operate such a sophisticated operation from overseas. English is a very difficult language for Russians to master, and
Russian immigrants who came to the USA older than 16 and have lived in the USA for ten or twenty years typically still have a
horrible accent and bad or very bad grammar (tenses, "a" and "the" usage, you name it). Actually Russian women are noticeably better
than men in this area, especially if they are married to a US spouse. Add to this a dismal understanding of USA politics,
including the differences between the Democratic and Republican parties (you probably need to live in the USA for ten years to start
to appreciate those differences ;-). How did they manage to learn the local political culture well enough to be effective? That's a strong argument
in favor of a false flag operation: if they had puppeteers from the USA, everything is more or less rationally explainable.
Notable quotes:
"... It gets better: the defendants reportedly worked day and night shifts to pump out messages, controlling pages targeting a range of issues, including immigration, Black Lives Matter, and they amassed hundreds of thousands of followers. They set up and used servers inside the U.S. to mask the Russian origin of the accounts. ..."
"... The Russian organization named in the indictment - the Internet Research Agency - and the defendants began working in 2014 - so one year before the Trump candidacy was even announced - to interfere in U.S. elections, according to the indictment in Washington. They used false personas and social media while also staging political rallies and communicating with "unwitting individuals" associated with the Trump campaign, it said. ..."
"... The Russians tracked the metrics of their effort in reports and budgeted for their efforts. Some, as described below, traveled to the U.S. to gather intelligence for the surreptitious campaign. They used stolen U.S. identities, including fake driver's licenses, and contacted news media outlets to promote their activities. ..."
"... Defendant ORGANIZATION had a strategic goal to sow discord in the U.S. political system, including the 2016 U.S. presidential election. Defendants posted derogatory information about a number of candidates, and by early to mid-2016, Defendants' operations included supporting the presidential campaign of then-candidate Donald J. Trump ("Trump Campaign") and disparaging Hillary Clinton . ..."
"... Defendants, posing as U.S. persons and creating false U.S. personas, operated social media pages and groups designed to attract U.S. audiences. These groups and pages, which addressed divisive U.S. political and social issues, falsely claimed to be controlled by U.S. activists when, in fact, they were controlled by Defendants. Defendants also used the stolen identities of real U.S. persons to post on ORGANIZATION-controlled social media accounts. Over time, these social media accounts became Defendants' means to reach significant numbers of Americans for purposes of interfering with the U.S. political system, including the presidential election of 2016 ..."
"... Sixteen thousand Facebook users said that they planned to attend a Trump protest on Nov. 12, 2016, organized by the Facebook page for BlackMattersUS, a Russian-linked group that sought to capitalize on racial tensions between black and white Americans. The event was shared with 61,000 users. ..."
"... As many as 5,000 to 10,000 protesters actually convened at Manhattan's Union Square. They then marched to Trump Tower, according to media reports at the time . ..."
"... 13 Russians can influence US elections meanwhile US CIA and State Department spend $1 BIllion every year on opposition groups inside Russia without success. ..."
"... Indict AIPAC. That is the real foreign interference in ALL US elections. Such hypocrisy. At the very least, make them register as a foreign operation! Information warfare using social media ? What, you mean like the Israeli students who are paid to shape public opinion thru social media? This is no secret and has been in the news. I fail to find the difference? Psychologists call this projection, that is where you accuse others of the crimes you commit . ..."
"... It looks like Mueller would have these people for identity theft if he had them in the US, which he probably doesn't. ..."
"... Deep state pivot to keep the Russian hate alive. ..."
"... Fucking hilarious - Mueller has indicted an anti-Russian CIA operation that was run out of St. Petersburg. http://thesaker.is/a-brief-history-of-the-kremlin-trolls/ ..."
"... The bigger question is "when is Mueller going to be indicted for covering up the controlled demolition of the WTC buildings on nine eleven??" ..."
Mueller charges "defendants knowingly and intentionally conspired with each other (and with persons known and unknown to the Grand Jury) to defraud the United States by impairing, obstructing, and defeating the lawful functions of the government through fraud and deceit for the purpose of interfering with the U.S. political and electoral processes, including the presidential election of 2016."
The indictment adds that the Russians "were instructed to post content that focused on 'politics in the USA' and to 'use any opportunity to criticize Hillary and the rest (except Sanders and Trump -- we support them)'."
It gets better: the defendants reportedly worked day and night shifts to pump out messages,
controlling pages targeting a range of issues, including immigration, Black Lives Matter, and they
amassed hundreds of thousands of followers. They set up and used servers inside the U.S. to mask the
Russian origin of the accounts.
Ultimately, and this is the punchline, the goal was to disparage Hillary Clinton and to assist the election of Donald Trump. In other words, anyone who was disparaging Clinton may have "unwittingly" been a collaborator of the 13 Russian "specialists" who cost Hillary the election.
The Russian organization named in the indictment - the Internet Research Agency - and the defendants began working in 2014 - so one year before the Trump candidacy was even announced - to interfere in U.S. elections, according to the indictment in Washington. They used false personas and social media while also staging political rallies and communicating with "unwitting individuals" associated with the Trump campaign, it said.
The Russians "had a strategic goal to sow discord in the U.S. political system," according to the indictment in Washington.
The Russians also reportedly bought advertisements on U.S. social media, created numerous Twitter
accounts designed to appear as if they were U.S. groups or people, according to the indictment. One
fake account, @TEN_GOP account, attracted more than 100,000 online followers.
The Russians tracked the metrics of their effort in reports and budgeted for their efforts. Some,
as described below, traveled to the U.S. to gather intelligence for the surreptitious campaign. They
used stolen U.S. identities, including fake driver's licenses, and contacted news media outlets to
promote their activities.
The full list of named defendants in addition to the Internet Research Agency, as well as Concord
Management and Consulting and Concord Catering, include:
MIKHAIL IVANOVICH BYSTROV,
MIKHAIL LEONIDOVICH BURCHIK,
ALEKSANDRA YURYEVNA KRYLOVA,
ANNA VLADISLAVOVNA BOGACHEVA,
SERGEY PAVLOVICH POLOZOV,
MARIA ANATOLYEVNA BOVDA,
ROBERT SERGEYEVICH BOVDA,
DZHEYKHUN NASIMI OGLY ASLANOV,
VADIM VLADIMIROVICH PODKOPAEV,
GLEB IGOREVICH VASILCHENKO,
IRINA VIKTOROVNA KAVERZINA,
VLADIMIR VENKOV,
YEVGENIY VIKTOROVICH PRIGOZHIN
Mueller's office said that none of the defendants was in custody.
So how is Trump involved? Well, he isn't, as it now seems that the collusion narrative is dead, and instead Russian involvement was unilateral. Instead, according to the indictment, the Russian operations were unsolicited and pro bono, and included "supporting Trump... and disparaging Hillary Clinton," staging political rallies, buying political advertising while posing as grassroots U.S. groups.
Oh, and communicating "with unwitting individuals associated with the Trump Campaign and with other political activists to seek to coordinate political activities."
Defendant ORGANIZATION had a strategic goal to sow discord in the U.S. political system, including the 2016 U.S. presidential election. Defendants posted derogatory information about a number of candidates, and by early to mid-2016, Defendants' operations included supporting the presidential campaign of then-candidate Donald J. Trump ("Trump Campaign") and disparaging Hillary Clinton.
Defendants made various expenditures to carry out those
activities, including buying political advertisements on social media in the names of U.S. persons
and entities. Defendants also staged political rallies inside the United States, and while posing
as U.S. grassroots entities and U.S. persons, and without revealing their Russian identities and
ORGANIZATION affiliation, solicited and compensated real U.S. persons to promote or disparage
candidates.
Some Defendants, posing as U.S. persons and without revealing their Russian
association, communicated with unwitting individuals associated with the Trump Campaign and with
other political activists to seek to coordinate political activities.
Furthermore, the dastardly Russians created fake accounts to pretend they are Americans:
Defendants, posing as U.S. persons and creating false U.S. personas, operated social media pages
and groups designed to attract U.S. audiences. These groups and pages, which addressed divisive
U.S. political and social issues, falsely claimed to be controlled by U.S. activists when, in fact,
they were controlled by Defendants. Defendants also used the stolen identities of real U.S. persons
to post on ORGANIZATION-controlled social media accounts.
Over time, these social media accounts became Defendants' means to reach significant numbers of Americans for purposes of interfering with the U.S. political system, including the presidential election of 2016.
Mueller also alleges a combination of traditional and modern espionage...
Certain Defendants traveled to the United States under false pretenses for the purpose
of collecting intelligence to inform Defendants' operations.
Defendants also procured and
used computer infrastructure, based partly in the United States, to hide the Russian origin of
their activities and to avoid detection by U.S. regulators and law enforcement.
Mueller also charges that two of the defendants received US visas and from approximately June 4, 2014 through June 26, 2014, KRYLOVA and BOGACHEVA "traveled in and around the United States, including stops in Nevada, California, New Mexico, Colorado, Illinois, Michigan, Louisiana, Texas, and New York to gather intelligence. After the trip, KRYLOVA and BURCHIK exchanged an intelligence report regarding the trip."
* * *
The indictment points to a broader conspiracy beyond the pages of the indictment, saying the grand jury has heard about other people with whom the Russians allegedly conspired in their efforts.
I wonder if any of these Russians were behind the anti-Trump rallies of November 2016?
Thousands attended protest organized by Russians on Facebook.
Thousands of Americans attended a march last November organized by a Russian group that used social media to interfere in the 2016 election.
The demonstration in New York City, which took place a few
days after the election, appears to be the largest and most
successful known effort to date pulled off by Russian-linked groups
intent on using social media platforms to influence American
politics.
Sixteen thousand Facebook users said that they planned to attend a
Trump protest on Nov. 12, 2016, organized by the Facebook page for
BlackMattersUS, a Russian-linked group that sought to capitalize on
racial tensions between black and white Americans. The event was
shared with 61,000 users.
As many as 5,000 to 10,000 protesters actually convened at Manhattan's Union Square. They then marched to Trump Tower, according to media reports at the time.
The BlackMattersUS-organized rally took advantage of outrage among
groups on the left following President Trump's victory on Nov. 8 to
galvanize support for its event. The group's protest was the fourth
consecutive anti-Trump rally in New York following election night,
and one of many across the country.
"Join us in the streets! Stop Trump and his bigoted
agenda!" reads the Facebook event page for the rally. "Divided is the
reason we just fell. We must unite despite our differences to stop
HATE from ruling the land."
13 Russians can influence US elections meanwhile US CIA and State Department spend $1 Billion every year on opposition groups inside Russia without success.
Indict AIPAC. That is the real foreign interference in ALL US elections. Such hypocrisy. At the very least, make them register as a foreign operation! Information warfare using social media? What, you mean like the Israeli students who are paid to shape public opinion thru social media? This is no secret and has been in the news. I fail to find the difference? Psychologists call this projection, that is where you accuse others of the crimes you commit.
Boy Hillary sure didn't get her money's worth. She shoulda hired these people.
Is it ok for MSM to make all of their disparaging commentary, but not ok for people to do the same? Mueller must've forgot about the craigslist ads hiring protesters to attack Trump rallies. What a fucking clown show.
I guess that's it. Mueller gets his indictments to save face and Trump is pleased it's over.
This ties directly into the October 31, 2017
testimony from Facebook, Twitter and Google
regarding Russian media presence on social
media. Mueller is grasping here, and given that
it talks about visas granted for short visits,
I'm led to believe that most of these people are
actually not on US soil to be arrested. This
means political grandstanding via an indictment
that is never going to see a courtroom where the
evidence can be examined and witnesses can be
cross examined. It looks like Mueller would
have these people for identity theft if he had
them in the US, which he probably doesn't.
I'm going to get called a Russian bot over
this elsewhere. Well, maybe facetiously here.
#WeAreAllRussianBotsNow
Wow, I am going to have to keep the
radio off for a couple of days.
They are going to be wall to wall on
this. Maybe even bump the stories
where fakely sympathetic reporter
cunts (FSRC) ask mother's if they
miss their dead kids.
This is a
fucking clownshow anymore. Jesus,
THIS is what the investigation
brought home? Holy fuckshit, this
is a joke. Some guy had 100k
followers? Really? Like anyone GAF
about that? We have AIPAC making
candidates kneel before them and yet
some guys on Tweeter fucked around.
I think that is even bullshit. If
Russians really did that, they
wouldn't "work in shifts" they would
program some fucking bots to do
this.
I can just imagine the fake
outrage that that worthless kike
from NY Chuckie "don't get between
me and a camera" Schumer has to say
about this.
This is a Matrix alright, and a
cheap ass one at that.
Mueller should be taken out and
horsewhipped for bringing this shit
home.
Hey Mueller, I read a comment on
Yahoo news that was in broken
English. Go get um!
I was gonna vote for
Hillary then I read tweets where
she bullied the woman her husband
raped to keep quiet. And how her
foundation got hundreds of
$millions from countries with
business before her at the state
dept. ALEKSANDRA YURYEVNA
KRYLOVA misled me.
WANHUA CHEMICAL, A $10 billion chemical company controlled by the Chinese government, now has an avenue to influence American elections.
On Monday, Wanhua joined the American Chemistry Council, a lobby organization for chemical manufacturers that is unusually aggressive in intervening in U.S. politics.
The ACC is a prominent recipient of so-called dark money -- that is, unlimited amounts of cash from corporations or individuals the origins of which are only disclosed to the IRS, not the public. During the 2012, 2014, and 2016 election cycles, the ACC took this dark money and spent over $40 million of it on contributions to super PACs, lobbying, and direct expenditures. (Additional money flowed directly to candidates via the ACC's political action committee.).....
~"In other words, anyone who was disparaging Clinton, may have "unwittingly" been a collaborator of the 13 Russian "specialists" who cost Hillary the election."~
Wait, does this mean that "disparaging Hillary" was just for the witless? I've been doing that for years, (without any Russian influence at all), and have found it to be rather witty virtually all the time.
Can we NOW get to the point where we appoint a special prosecutor to investigate Hillary?
any of us who spread "fake news" are now "conspirators" who gave "support" to foreign agents with the goal of undermining the "democratic process" by denying Hillary the presidency.
tsk, tsk. ignorance can be no excuse for such wanton lawlessness.
Yes, Mueller is a clown
show, but he came up w/ this crap
in an attempt to divert media
attention away from his & McCabes
direct involvement in trying to
cover up Uranium 1 for
Hillary...The Truth!
The FBI going DEEP (#sarc) into its playbook for this one.
Simultaneously distracting from their
incompetencies with regards to domestic
threats (school shooters/government
collusion to subvert presidential
election), and exonerating Hillary AGAIN.
"Using lies and deception to cover our
lies and deceptions, so that we can
enslave the populace to our will"
(visualize
Meuller/Comey/Strzok/Page/Ohr/Rosenstein/Obama/Rice/
with left hands on Satanic Bible and right
arms extended giving oath in Temple of
Mammon before upside down American flag).
The DoJ and Miller
activities are anti-American. What else is new
in occupied America?
PS
Note Trump does nothing about this
unprecedented assault on Freedom of Speech and
Assembly in the USA. Therefore, Trump is a
willing player in these criminal activities.
Mueller is going to go until he gets some meat.
Maybe this lean and stringy meat is enough to
satisfy. Of course, nobody will look at AIPAC and
all of the foreign influence money funneling into
senators coffers.
He said they stole identities, posting anti-Hillary remarks on
Russian-controlled sites, using the stolen identities. They must do that
through hacking, which is illegal.
They also organized rallies, he
said. There were ads on job sites, advertising for paid
[leftist] protestors, long before Trump emerged as a candidate. People
posted them on American sites. Some attribute it to Soros. I am a little
skeptical that Soros controls the world, anymore than Russians, but that
is what people often believe, when it is leftist ads.
Advertisements are all over the Internet. Is that illegal? He called
it fraud, referring to the misrepresentation of identity, I guess. They
should not be manipulating unknowing people.
But, I wonder if he has the same vigilance when illegal aliens use
fake SS cards to acquire jobs, while their girlfriends use real SS cards
of US-born kids to get $450 on average in EBT food assistance, in
addition to other welfare, making it easy for illegal aliens to undercut
American citizens in jobs. Using a fake SS number -- i.e. posing as an
American to get a job -- is fraud.
As long as the illegal aliens have sex after illegal border
crossings, reproduce and say they misrepresent their identities for the
good of their kids, this is legal and deserving of pay-per-birth welfare
/ child-tax-credit freebies and citizenship, whereas these Russians are
committing fraud.
They should not be doing that in either case, but the double standard
is interesting.
And if people cannot post freely on the internet without revealing
their real names, a lot of internet activity (and a lot of related
commerce) will cease. Many people post anonymously, often due to jobs or
other factors that have nothing to do with elections.
In fact, FBI agents post under identities (personas) that are not
their own. There are many articles, describing how police agencies
use fake identities on the internet to track down criminals, including
those who abuse children. They do the same thing to monitor terrorists;
they use fake identities.
Where are these indictments ? Obama, Hillary
Clinton, Victoria Nuland, Geoffrey Pyatt and John McCain.
The US has been meddling and interfering in other countries
elections and internal affairs for decades. Not only does
the US meddle and interfere in other countries elections it
overthrows democratically elected governments it simply
doesn't like, and then installs its own puppet leaders. Our
deep-state MIC owned neocons casually refer to this as
"regime change".
I can only imagine the hell that would break loose if
Russia fomented, paid for, and assisted in a violent
overthrow of the legitimately and democratically elected
government in Mexico. Imagine Russian spymasters working
from the Russian Embassy in Mexico City training radicals
how to use social media to bring out angry people and foment
violent public unrest. Then Russian Duma members in Mexico
City handing out tacos, and tamales emboldening and urging
these angry people to riot, and overthrow the government and
toss the bums out. Then Putin's executive group hand picking
all the new (anti-USA) drug cartel junta puppet leaders and
an old senile Russian senator in Mexico City stating at a
podium on RT, there are no drug cartels here, that's all
propaganda!
On the other side of the world Obama's neocon warmongers
spent billions doing exactly this. Instead of drug cartels
it was Banderist Neo-Nazis. Obama and our neocons, including
John McCain intentionally caused all of this fucking mess,
civil war and horrific death in Ukraine on Russia's border
and then placed the blame on Putin and Russia.
Thanks to John McCain and our evil fucking neocons - the
regime change policy implemented by Obama, Clinton and
Nuland's minions, like Geoffrey Pyatt, the Ukraine today is
totally fucked. It is now a corrupt banana republic
embroiled in a bloody civil war. For the US and NATO the
golden prize of this violent undemocratic regime change was
supposed to be the Crimea. This scheme did not play out as
intended. No matter what sanctions the warmongering neocons
place on Russia they will NEVER give back the Crimea!
Our neocon fuck heads spent billions of our hard earned
taxpayer dollars to create pain, suffering, death and a
civil war in Ukraine on the border with
Russia.
This is a case of don't do what we do, only do what we
tell you to do. It's perfectly okay when we meddle. We don't
like it when we think it may have been done to us. It's
hypocrisy and duplicity at its finest!
Tech Camp NGO
- operating out of US
Embassy in Kiev
(using social media to help bring out radicals-and cause
civil war-pre Maidan 2013)
Agreed, it's against the law to steal identities and operate
bank accounts and all that. But really, compared to the fraud
committed by just one bank - Wells Fargo - this is small
potatoes. And did I miss it or did the indictment not even
mention the value of the ads bought on Facebook - $100,000.
(nope, not missing any zeros). And it all started in 2014
while Donald was playing golf and sticking his dick in some
whore. And a few ruskies got into the good ol USofA with false
statements on their visas. While the courts fought Trump on the
fact that immigration from a few countries needs to be stopped
because there was no way of checking data. I get it -
somebody driving too fast gets a speeding ticket, and Mueller's
investigation gets to issue an indictment. I'm sure we all
feel better now.
So, did Mueller address the crime committed by the then FBI
head who refused to allow a FBI informant to address Congress
on the Uranium One scam before it was authorized? Uh, that
would be Mueller, his very self, so the answer is no.
What is the definition of a "fake social media account"? What
is the crime for operating a fake social media account? Is
this the standard by which we will all be judged?
Or is it
that Mueller has NOTHING and is too big of a corrupt idiot to
admit it.
"In other words, anyone who was disparaging Clinton, may have "unwittingly" been a collaborator of the 13 Russian "specialists" who cost Hillary the election."
No,
not "in other words." That's not what he said at all. Idiot
propagandist.
And Hillary has done nothing criminal in the last 40 years. All
of the evidence has been a fabrication. The Russians perfected
time travel technology in the 70's, and have been conspiring
against her and planting evidence since then.
What planet am
I living on again? We have now stepped into the twilight zone.
Facepalm.....
"Ultimately, and this is the punchline, the goal was to disparage Hillary Clinton and to assist the election of Donald Trump."
The goal of the MSM was the opposite. To unfairly
disparage Trump and assist the election of Hillary Clinton.
So why no indictments of members of the American MSM?
What a bunch of horseshit. Mueller did nothing to locate
just as much foreign or Russian support for Hillary. Grand
Jury is just another one-sided court that passes judgment
without any input from the other side. Now where have we
seen that before? FISA.
What is wrong with anyone doing
what they want to support a candidate? If that is somehow
illegal interference, why is Soros running loose in the
world?
I have a friend that was a US Federal Prosecutor. He once
told me that the most un-American concepts that exist are
grand juries and conspiracy laws. I'm sure he would have
included FISA if it existed then.
The indictment adds that the Russians "were instructed to post content that focused on 'politics in the USA' and to 'use any opportunity to criticize Hillary and the rest (except Sanders and Trump -- we support them)'."
Criticizing Hillary Clinton constitutes election
interference? This is the dumbest thing I've ever heard.
Over half the United States said she was corrupt and
morally bankrupt. Does that mean all those Americans
interfered in the election?
"Some Defendants, posing as U.S. persons and
without revealing their Russian association, communicated
with unwitting individuals associated with the Trump
Campaign and with other political activists to seek to
coordinate political activities."
I thought this was our "shtick" for subverting and overthrowing government(s) since 194_?... Fast forward to 2012 and subverting sovereign foreign government(s) using other means than election(s) (https://jasirx.wordpress.com/)
Just ask this person (https://www.youtube.com/watch?v=CL_GShyGv3o) who handed out cookies before starting an "overthrow of a sovereign government" right before a Winter Olympics?... And while we're on the subject of subversion of sovereign Nation(s) "OCONUS" ask this fat shit how it's going in the Middle East with its "partners" (https://southfront.org/meeting-between-us-state-secretary-and-lebanese-)
Nor should we forget 22 within the Russian diplomatic
community in the last 6 years "eliminated" for early
retirement courtesy of the U.S. government...
And if all this is true why isn't Mueller indicting
government officials within the FBI Department of
immigration and Homeland Security that would allow "some
defendants" to impersonate Americans after 9/11 and the
security infrastructure we built around U.S. to prevent
"future attacks" that were obviously (here illegally)???...
What a complete load of horseshit. Waste of time and money
while the crimes of the clintons and collaborators remain
unpunished, including Mueller himself.
"Mueller describes a sweeping, years-long,
multimillion-dollar conspiracy by hundreds of Russians aimed
at criticizing Hillary Clinton and supporting Senator Bernie
Sanders and Trump"
Only in the idiot world of Liberalism
and Conservatism is this not a laughable statement.
"... As a rule of thumb, malicious applications usually write to /tmp and then attempt to run whatever was written. A way to prevent this is to mount /tmp on a separate partition with the options noexec , nodev and nosuid enabled. ..."
2. System Settings – File Permissions and Masks
2.1 Restrict Partition Mount Options
Partitions should have hardened mount options:
/boot – rw,nodev,noexec,nosuid
/home – rw,nodev,nosuid
/tmp – rw,nodev,noexec,nosuid
/var – rw,nosuid
/var/log – rw,nodev,noexec,nosuid
/var/log/audit – rw,nodev,noexec,nosuid
/var/www – rw,nodev,nosuid
As a rule of thumb, malicious applications usually write to /tmp and then attempt to run whatever was written. A way to prevent this is to mount /tmp on a separate partition with the options noexec, nodev and nosuid enabled. This denies binary execution from /tmp, stops any binary placed there from gaining privileges through its suid bit, and makes the kernel ignore any block or character device files on that filesystem.
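The mount-option table above is easiest to act on when it is turned into a check that can be run on any host. The following script is an added example, not part of the original hardening guide: it audits an fstab-formatted table against the options listed in section 2.1 and reports each listed mount point that is absent or missing an option. The sample fstab embedded in it is constructed for the demonstration and does not describe a real system.

```shell
#!/bin/sh
# Added example (not from the original guide): audit fstab-style mount
# tables against the hardened options of section 2.1.

# Constructed sample table; deliberately leaves /home and /var weak and
# omits /var/log/audit and /var/www.
SAMPLE_FSTAB='# constructed sample fstab (not taken from a real host)
/dev/mapper/vg-root   /         xfs   defaults                 0 0
/dev/sda1             /boot     xfs   rw,nodev,noexec,nosuid   0 0
/dev/mapper/vg-home   /home     xfs   rw,nodev                 0 0
tmpfs                 /tmp      tmpfs rw,nodev,noexec,nosuid   0 0
/dev/mapper/vg-var    /var      xfs   defaults                 0 0
/dev/mapper/vg-log    /var/log  xfs   rw,nodev,noexec,nosuid   0 0
/tmp                  /var/tmp  none  bind                     0 0'

# Options the guide requires for each mount point ("rw" is the default and
# is not checked).
required_opts() {
    case "$1" in
        /boot|/tmp|/var/log|/var/log/audit) echo "nodev noexec nosuid" ;;
        /home|/var/www)                      echo "nodev nosuid" ;;
        /var)                                echo "nosuid" ;;
        *)                                   echo "" ;;
    esac
}

# has_opt "comma,separated,list" "opt": succeeds when opt is in the list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab: reads an fstab/mounts-formatted table on stdin.
# Prints "<mountpoint> absent" or "<mountpoint> missing: <opts>" per finding;
# returns 1 if anything was reported, 0 when every listed partition complies.
audit_fstab() {
    content=$(cat)
    rc=0
    for mp in /boot /home /tmp /var /var/log /var/log/audit /var/www; do
        # fields: device mountpoint fstype options dump pass; skip comments
        opts=$(printf '%s\n' "$content" |
               awk -v mp="$mp" '$1 !~ /^#/ && $2 == mp { print $4 }')
        if [ -z "$opts" ]; then
            echo "$mp absent"
            rc=1
            continue
        fi
        missing=""
        for o in $(required_opts "$mp"); do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        if [ -n "$missing" ]; then
            echo "$mp missing:$missing"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demo against the constructed sample.
if printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab; then
    echo "all listed mount points carry the required options"
else
    echo "deviations found (listed above)"
fi
```

On a live CentOS 7 host run `audit_fstab < /proc/mounts` rather than against /etc/fstab: /proc/mounts uses the same six-field layout but shows the options actually in effect, so a line that says `defaults` in fstab is expanded and judged on what the kernel applied. Expect `noexec` on /tmp to break some RPM scriptlets that unpack and execute helpers there; remount without `noexec` for the duration of such installs rather than dropping the option permanently.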
The storage location /var/tmp should be bind mounted to /tmp, as having multiple locations for temporary storage is not required.
If required, disable kernel support for USB via the bootloader configuration. To do so, append nousb to the kernel line GRUB_CMDLINE_LINUX in /etc/default/grub and regenerate the Grub2 configuration file:
# grub2-mkconfig -o /boot/grub2/grub.cfg
Note that disabling all kernel support for USB will likely cause problems for systems with USB-based keyboards etc.
2.4 Restrict Programs from Dangerous Execution Patterns
Open /etc/hosts.allow and allow localhost traffic and SSH:
ALL: 127.0.0.1
sshd: ALL
The file /etc/hosts.deny should be configured to deny all by default:
ALL: ALL
3.3 Kernel Parameters Which Affect Networking
Open /etc/sysctl.conf and add the following:
# Disable packet forwarding
net.ipv4.ip_forward = 0
# Disable redirects, not a router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Enable source validation by reversed path
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log packets with impossible addresses to kernel log
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Disable ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Against SYN flood attacks
net.ipv4.tcp_syncookies = 1
# Turning off timestamps could improve security but degrade performance.
# TCP timestamps are used to improve performance as well as protect against
# late packets messing up your data flow. A side effect of this feature is
# that the uptime of the host can sometimes be computed.
# If you disable TCP timestamps, you should expect worse performance
# and less reliable connections.
net.ipv4.tcp_timestamps = 1
# Disable IPv6 unless required
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Do not accept router advertisements
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
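Writing the settings above into /etc/sysctl.conf only states the intent; the running kernel is what matters, and a later package or a file in /etc/sysctl.d can silently override a key. The script below is an added example, not part of the original guide: it compares a desired configuration (key = value lines, as in /etc/sysctl.conf) with a snapshot of the running values in the `key = value` layout that `sysctl -a` prints, and reports every key that is missing or differs. Both the desired subset and the "current" snapshot embedded here are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): report drift between desired
# sysctl settings and the running values.

# Constructed: a subset of the section 3.3 settings.
DESIRED='# subset of the hardening guide, section 3.3
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv6.conf.all.accept_ra = 0'

# Constructed: stands in for `sysctl -a` output on a not-yet-hardened host
# (IPv6 keys missing, as they are when the ipv6 module is not loaded).
CURRENT='net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.rp_filter = 2'

# sysctl_drift DESIRED CURRENT
# Prints "<key>: want <v> have <v|<unset>>" for each deviation, in the order of
# the desired file; returns 1 if any drift was found, 0 otherwise.
sysctl_drift() {
    # Feed the current snapshot first, then a marker, then the desired config,
    # so a single awk pass can load the running values before comparing.
    { printf '%s\n' "$2"; echo '__DESIRED__'; printf '%s\n' "$1"; } | awk '
      function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
      /^[ \t]*#/ { next }                     # comment line
      /^[ \t]*$/ { next }                     # blank line
      $0 == "__DESIRED__" { desired = 1; next }
      {
        eq = index($0, "=")
        if (eq == 0) next                     # not a key = value line
        key = trim(substr($0, 1, eq - 1))
        val = trim(substr($0, eq + 1))
        if (!desired) { have[key] = val; next }
        if (!(key in have)) {
          printf "%s: want %s have <unset>\n", key, val; drift++
        } else if (have[key] != val) {
          printf "%s: want %s have %s\n", key, val, have[key]; drift++
        }
      }
      END { exit drift ? 1 : 0 }'
}

# Stand-alone demo against the constructed data.
if sysctl_drift "$DESIRED" "$CURRENT"; then
    echo "running kernel matches the desired settings"
else
    echo "drift detected (listed above)"
fi
```

On a real host call `sysctl_drift "$(cat /etc/sysctl.conf)" "$(sysctl -a 2>/dev/null)"` after `sysctl -p`, and again after reboots or package upgrades. A key reported as `<unset>` can mean the feature is not present at all (for example the `net.ipv6.*` keys disappear when IPv6 is disabled at boot), which is acceptable; a differing value means something else is setting it and should be found, usually in /etc/sysctl.d or a service's own startup.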
3.4 Kernel Modules Which Affect Networking
Open /etc/modprobe.d/hardening.conf and disable Bluetooth kernel modules:
Since we're looking at server security, wireless shouldn't be an issue, therefore we can disable all the wireless drivers. The blacklist directive takes a module name, not a path, so strip the directory and the .ko suffix from each file found:
# for i in $(find /lib/modules/$(uname -r)/kernel/drivers/net/wireless -name "*.ko" -type f); do \
echo blacklist "$(basename "$i" .ko)" >> /etc/modprobe.d/hardening-wireless.conf; done
3.5 Disable Radios
Disable radios (wifi and wwan):
# nmcli radio all off
3.6 Disable Zeroconf Networking
Open /etc/sysconfig/network and add the following:
NOZEROCONF=yes
3.7 Disable Interface Usage of IPv6
Open /etc/sysconfig/network and add the following:
NETWORKING_IPV6=no
IPV6INIT=no
3.8 Network Sniffer
The server should not be acting as a network sniffer capturing packets. Run the following to determine whether any interface is running in promiscuous mode:
# ip link | grep PROMISC
3.9 Secure VPN Connection
Install the libreswan package if an implementation of IPsec and IKE is required:
# yum install libreswan
3.10 Disable DHCP Client
Manual assignment of IP addresses provides a greater degree of management. For each network interface that is available on the server, open the corresponding file /etc/sysconfig/network-scripts/ifcfg-<interface> and configure the following parameters:
BOOTPROTO=none
IPADDR=
NETMASK=
GATEWAY=
4. System Settings – SELinux
Ensure that SELinux is not disabled in /etc/default/grub, and verify that the state is enforcing:
# sestatus
5. System Settings – Account and Access Control
5.1 Delete Unused Accounts and Groups
Open /etc/security/pwquality.conf and add the following:
difok = 8
gecoscheck = 1
These ensure that at least 8 characters of the new password are not present in the old password, and that the new password is checked against the words in the user's GECOS field of the passwd entry.
5.4 Prevent Log In to Accounts With Empty Password
Remove any instances of nullok from /etc/pam.d/system-auth and /etc/pam.d/password-auth to prevent logins with empty passwords.
Sed one-liner:
# sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth /etc/pam.d/password-auth
5.5 Set Account Expiration Following Inactivity
Disable accounts as soon as the password has expired. Open /etc/default/useradd and set the following:
INACTIVE=0
Sed one-liner:
# sed -i 's/^INACTIVE.*/INACTIVE=0/' /etc/default/useradd
This will create the file /boot/grub2/user.cfg if one is not already present, which will contain the hashed Grub2 bootloader password.
Verify permissions of /boot/grub2/grub.cfg:
# chmod 0600 /boot/grub2/grub.cfg
5.12 Password-protect Single User Mode
CentOS 7 single user mode is password protected by the root password by
default as part of the design of Grub2 and systemd.
5.13 Ensure Users Re-Authenticate for Privilege Escalation
The NOPASSWD tag allows a user to execute commands using sudo without having to provide a password. While this may sometimes be useful it is also dangerous.
Ensure that the NOPASSWD tag does not exist in the /etc/sudoers configuration file or in /etc/sudoers.d/.
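A grep for the literal string is not quite enough here: a commented-out rule is harmless, drop-in files under /etc/sudoers.d count as much as the main file, and `Defaults !authenticate` removes the password prompt without ever using the NOPASSWD tag. The script below is an added example, not part of the original guide, and goes slightly beyond the section by also flagging the `!authenticate` default. The two sudoers fragments embedded in it are constructed for the demonstration and are not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original guide): find sudoers rules that let a
# user escalate privileges without re-authenticating.

# Constructed sample of a main /etc/sudoers (the NOPASSWD line is commented
# out and must not be reported).
SUDOERS_MAIN='## constructed sample /etc/sudoers
Defaults    !visiblepw
Defaults    env_reset
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
# %wheel  ALL=(ALL)       NOPASSWD: ALL
#includedir /etc/sudoers.d'

# Constructed sample drop-in, /etc/sudoers.d/backup in the demo.
SUDOERS_DROPIN='# constructed sample /etc/sudoers.d/backup
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
Defaults:backup !authenticate'

# scan_sudoers LABEL: reads sudoers-format text on stdin and prints
# "LABEL:<line>: <text>" for every rule carrying a NOPASSWD tag or a
# Defaults entry that negates "authenticate". Comment lines (including the
# #include/#includedir directives) are skipped. Returns 1 if anything was
# reported, 0 otherwise.
scan_sudoers() {
    awk -v label="$1" '
      /^[ \t]*#/ { next }                               # comment or directive
      /NOPASSWD[ \t]*:/ {
        printf "%s:%d: %s\n", label, NR, $0; found++; next
      }
      /^[ \t]*Defaults.*![ \t]*authenticate/ {
        printf "%s:%d: %s\n", label, NR, $0; found++
      }
      END { exit found ? 1 : 0 }'
}

# Stand-alone demo against the constructed fragments.
printf '%s\n' "$SUDOERS_MAIN"   | scan_sudoers /etc/sudoers          || true
printf '%s\n' "$SUDOERS_DROPIN" | scan_sudoers /etc/sudoers.d/backup || true
```

On a host, run as root: `scan_sudoers /etc/sudoers < /etc/sudoers` and then `for f in /etc/sudoers.d/*; do scan_sudoers "$f" < "$f"; done`. The scan reads the files as text; `visudo -c` still has to be run to confirm the remaining policy parses, and `sudo -l -U <user>` shows the tags that actually apply to one account after all drop-ins are merged.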
5.14 Multiple Console Screens and Console Locking
Install the screen package to be able to emulate multiple console windows:
# yum install screen
Install the vlock package to enable console screen locking:
# yum install vlock
5.15 Disable Ctrl-Alt-Del Reboot Activation
Prevent a locally logged-in console user from rebooting the system when
Ctrl-Alt-Del is pressed:
# systemctl mask ctrl-alt-del.target
5.16 Warning Banners for System Access
Add the following line to the files /etc/issue and /etc/issue.net:
Unauthorised access prohibited. Logs are recorded and monitored.
5.17 Set Interactive Session Timeout
Open /etc/profile and set:
readonly TMOUT=900
5.18 Two Factor Authentication
Recent versions of the OpenSSH server allow several authentication methods to be chained, meaning that all of them have to be satisfied in order for a user to log in successfully. Adding the following line to /etc/ssh/sshd_config would require a user to authenticate with a key first, and then also provide a password:
AuthenticationMethods publickey,password
This is by definition two factor authentication: the key file is something that a user has, and the account password is something that a user knows.
Alternatively, two factor authentication for SSH can be set up by using Google Authenticator.
5.19 Configure History File Size
Open /etc/profile and set the number of commands to remember in the command history to 5000:
HISTSIZE=5000
Sed one-liner:
# sed -i 's/HISTSIZE=.*/HISTSIZE=5000/g' /etc/profile
6. System Settings – System Accounting with auditd
6.1 Auditd Configuration
Open /etc/audit/auditd.conf and configure the following:
The above auditd configuration should never use more than 250MB of disk space (10x25MB=250MB) on
/var/log/audit.
Set admin_space_left_action=single if you want to cause the system to switch to single user mode
for corrective action rather than send an email.
Automatically rotating logs (max_log_file_action=rotate) minimises the chances of the system
unexpectedly running out of disk space by being filled up with log data.
We need to ensure that audit event data is fully synchronised (flush=data) with the log files on
the disk.
6.2 Auditd Rules
System audit rules must have mode 0640 or less permissive and be owned by the root user:
Storing the database and the configuration file /etc/aide.conf (or SHA2 hashes of the files) in a
secure location provides additional assurance about their integrity.
Check AIDE database:
# /usr/sbin/aide --check
By default, AIDE does not install itself for periodic execution. Configure periodic execution of
AIDE by adding to cron:
The Tripwire configuration file is /etc/tripwire/twcfg.txt and the policy file is
/etc/tripwire/twpol.txt. These can be edited and configured to match the system Tripwire is
installed on; see this blog post for more details.
Initialise the database to implement the policy:
# tripwire --init
Check for policy violations:
# tripwire --check
Tripwire adds itself to /etc/cron.daily/ for daily execution, therefore no extra configuration is
required.
7.3 Prelink
Prelinking is done by the prelink package, which is not installed by default.
# yum install prelink
To disable prelinking, open the file /etc/sysconfig/prelink and set the following:
PRELINKING=no
Sed one-liner:
# sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink
Disable existing prelinking on all system files:
# prelink -ua
8. System Settings – Logging and Message Forwarding
8.1 Configure Persistent Journald Storage
By default, journald stores log files only in memory or a small ring-buffer in the directory
/run/log/journal. This is sufficient to show recent log history with journalctl, but logs aren't
saved permanently. Enabling persistent journal storage ensures that comprehensive data is available
after system reboot.
Open the file /etc/systemd/journald.conf and put the following:
[Journal]
Storage=persistent
# How much disk space the journal may use up at most
SystemMaxUse=256M
# How much disk space systemd-journald shall leave free for other uses
SystemKeepFree=512M
# How large individual journal files may grow at most
SystemMaxFileSize=32M
Restart the service:
# systemctl restart systemd-journald
8.2 Configure Message Forwarding to Remote Server
Depending on your setup, open /etc/rsyslog.conf and add the following to forward messages to a
remote server:
*.* @graylog.example.com:514
Here *.* stands for facility.severity.
Note that a single @ sends logs over UDP, whereas a double @ sends logs using TCP.
8.3 Logwatch
Logwatch is a customisable log-monitoring system.
# yum install logwatch
Logwatch adds itself to /etc/cron.daily/ for daily execution, therefore no configuration is
mandatory.
9. System Settings – Security Software
9.1 Malware Scanners
Rkhunter adds itself to /etc/cron.daily/ for daily execution, therefore no configuration is
required. ClamAV scans should be tailored to individual needs.
9.2 Arpwatch
Arpwatch is a tool used to monitor ARP activity of a local network (ARP spoofing detection),
therefore it is unlikely one will use it in the cloud; however, it is still worth mentioning that
the tool exists.
Be aware of the configuration file /etc/sysconfig/arpwatch, which you use to set the email address
where to send the reports.
9.3 Commercial AV
Consider installing a commercial AV product that provides real-time
on-access scanning capabilities.
9.4 Grsecurity
Grsecurity is an extensive security enhancement to the Linux kernel.
Although it isn't free nowadays, the software is still worth mentioning.
The company behind Grsecurity stopped publicly distributing stable patches
back in 2015, with an exception of the test series continuing to be available
to the public in order to avoid impact to the Gentoo Hardened and Arch Linux
communities.
Two years later, the company decided to cease free distribution of the test
patches as well, therefore as of 2017, Grsecurity software is available to
paying customers only.
10. System Settings – OS Update Installation
Install the package yum-utils for better consistency checking of the package database.
# yum install yum-utils
Configure automatic package updates via yum-cron.
# yum install yum-cron
Add the following to /etc/yum/yum-cron.conf to get notified via email when new updates are
available:
For RSA keys, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified
by FIPS 186-2. For ECDSA keys, the -b flag determines the key length by selecting from one of
three elliptic curve sizes: 256, 384 or 521 bits. ED25519 keys have a fixed length and the -b flag
is ignored.
The host can be impersonated if an unauthorised user obtains the private SSH host key file,
therefore ensure that permissions of /etc/ssh/*_key are properly set:
# chmod 0600 /etc/ssh/*_key
Configure /etc/ssh/sshd_config with the following:
# SSH port
Port 22
# Listen on IPv4 only
ListenAddress 0.0.0.0
# Protocol version 1 has been exposed
Protocol 2
# Limit the ciphers to those which are FIPS-approved, the AES and 3DES ciphers
# Counter (CTR) mode is preferred over cipher-block chaining (CBC) mode
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
# Use FIPS-approved MACs
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
# INFO is a basic logging level that will capture user login/logout activity
# DEBUG logging level is not recommended for production servers
LogLevel INFO
# Disconnect if no successful login is made in 60 seconds
LoginGraceTime 60
# Do not permit root logins via SSH
PermitRootLogin no
# Check file modes and ownership of the user's files before login
StrictModes yes
# Close TCP socket after 2 invalid login attempts
MaxAuthTries 2
# The maximum number of sessions per network connection
MaxSessions 2
# User/group permissions
AllowUsers
AllowGroups ssh-users
DenyUsers root
DenyGroups root
# Password and public key authentications
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# Disable unused authentications mechanisms
RSAAuthentication no # DEPRECATED
RhostsRSAAuthentication no # DEPRECATED
ChallengeResponseAuthentication no
KerberosAuthentication no
GSSAPIAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
# Disable insecure access via rhosts files
IgnoreRhosts yes
AllowAgentForwarding no
AllowTcpForwarding no
# Disable X Forwarding
X11Forwarding no
# Disable message of the day but print last log
PrintMotd no
PrintLastLog yes
# Show banner
Banner /etc/issue
# Do not send TCP keepalive messages
TCPKeepAlive no
# Default for new installations
UsePrivilegeSeparation sandbox
# Prevent users from potentially bypassing some access restrictions
PermitUserEnvironment no
# Disable compression
Compression no
# Disconnect the client if no activity has been detected for 900 seconds
ClientAliveInterval 900
ClientAliveCountMax 0
# Do not look up the remote hostname
UseDNS no
UsePAM yes
In case you want to change the default SSH port to something else, you will
need to tell SELinux about it.
# yum install policycoreutils-python
For example, to allow SSH server to listen on TCP 2222, do the following:
# semanage port -a -t ssh_port_t 2222 -p tcp
Ensure that the firewall allows incoming traffic on the new SSH port and
restart the sshd service.
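An effective-value checker for the sshd_config settings above, added here as an example (it is not code from the guide): it applies sshd's first-occurrence-wins rule, which is what makes a hardened value silently ineffective when a stale line for the same keyword is left higher up in the file. The sample config, the REQUIRED subset and the `sshd -t` advice are this example's own; the keyword values come from the configuration above.

```python
"""Effective-value check for sshd_config (added example, not part of the guide).

sshd honours the FIRST occurrence of a keyword, so a hardened value
appended to the end of the file is ignored when the same keyword already
appears higher up.  parse_sshd_config() reproduces that rule for the
global section (everything before the first Match block) and
check_hardening() compares the result with the values required above.
"""
import re

# A subset of the settings from the sshd_config above; keywords are
# matched case-insensitively, as sshd does.
REQUIRED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "x11forwarding": "no",
    "permituserenvironment": "no",
    "usepam": "yes",
}

# keyword, then either "=" or whitespace (or end of line), then the value
DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+|$)(.*)$")


def parse_sshd_config(text):
    """Return {keyword: value} for the global section; first occurrence wins.

    Directives inside a Match block are conditional, so parsing stops at
    the first Match line.  An inline " # comment" is stripped so that the
    annotated lines above (e.g. "RSAAuthentication no # DEPRECATED") parse;
    not every sshd version accepts inline comments, so validate the real
    file with `sshd -t` as well.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        if key == "match":
            break
        value = re.split(r"\s+#", m.group(2), maxsplit=1)[0].strip()
        effective.setdefault(key, value)  # keep the first value seen
    return effective


def check_hardening(text, required=REQUIRED):
    """Return [(keyword, expected, actual)] for every setting whose effective
    value differs from the required one; actual is None when it is missing."""
    effective = parse_sshd_config(text)
    findings = []
    for key, expected in required.items():
        actual = effective.get(key)
        if actual is None or actual.lower() != expected:
            findings.append((key, expected, actual))
    return findings


# Constructed sample: a stale "PermitRootLogin yes" survived at the top of the
# file, and a Match block re-enables passwords for one account.
SAMPLE_CONFIG = """\
# old line nobody removed
PermitRootLogin yes
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
RSAAuthentication no # DEPRECATED
HostbasedAuthentication no
IgnoreRhosts yes
X11Forwarding no
PermitUserEnvironment no
UsePAM yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for key, expected, actual in check_hardening(SAMPLE_CONFIG):
        print(f"{key}: expected {expected!r}, effective value is {actual!r}")
```

Run it against a copy of /etc/ssh/sshd_config (read the file and pass its text to check_hardening) after every edit; an empty result means every required keyword is effectively set.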
2. Service – Network Time Protocol
CentOS 7 should come with Chrony; make sure that the service is enabled:
# systemctl enable chronyd.service
3. Services – Mail Server
3.1 Postfix
Postfix should be installed and enabled already. In case it isn't, then do the following:
"... the group's malware requires AMT to be enabled and serial-over-LAN turned on before it can work. ..."
"... Using the AMT serial port, for example, is detectable. ..."
"... Do people really admin a machine through AMT through an external firewall? ..."
"... Businesses demanded this technology and, of course, Intel beats the drum for it as well. While I understand their *original* concerns I would never, ever connect it to the outside LAN. A real admin, in jeans and a tee, is a much better solution. ..."
When you're a bad guy breaking into a network, the first problem you need to solve is, of course,
getting into the remote system and running your malware on it. But once you're there, the next challenge
is usually to make sure that your activity is as hard to detect as possible. Microsoft has detailed
a neat technique used by a group in Southeast Asia that abuses legitimate management tools to evade
firewalls and other endpoint-based network monitoring.
The group, which Microsoft has named PLATINUM, has developed a system for sending files, such as
new payloads to run and new versions of their malware, to compromised machines. PLATINUM's technique
leverages Intel's Active Management Technology (AMT) to do an end-run around the built-in Windows
firewall. The AMT firmware runs at a low level, below the operating system, and it has access to
not just the processor, but also the network interface.
The AMT needs this low-level access for some of the legitimate things it's used for. It can, for
example, power cycle systems, and it can serve as an IP-based KVM (keyboard/video/mouse) solution,
enabling a remote user to send mouse and keyboard input to a machine and see what's on its display.
This, in turn, can be used for tasks such as remotely installing operating systems on bare machines.
To do this, AMT not only needs to access the network interface, it also needs to simulate hardware,
such as the mouse and keyboard, to provide input to the operating system.
But this low-level operation is what makes AMT attractive for hackers: the network traffic that
AMT uses is handled entirely within AMT itself. That traffic never gets passed up to the operating
system's own IP stack and, as such, is invisible to the operating system's own firewall or other
network monitoring software. The PLATINUM software uses another piece of virtual hardware, an
AMT-provided virtual serial port, to provide a link between the network itself and the malware
application running on the infected PC.
Communication between machines uses serial-over-LAN traffic, which is handled by AMT in firmware.
The malware connects to the virtual AMT serial port to send and receive data. Meanwhile, the operating
system and its firewall are none the wiser. In this way, PLATINUM's malware can move files between
machines on the network while being largely undetectable to those machines.
[Figure: PLATINUM uses AMT's serial-over-LAN (SOL) to bypass the operating system's network stack
and firewall. Image: Microsoft]
AMT has been under scrutiny recently after the discovery of a long-standing remote authentication
flaw that enabled attackers to use AMT features without needing to know the AMT password. This in
turn could be used to enable features such as the remote KVM to control systems and run code on them.
However, that's not what PLATINUM is doing: the group's malware requires AMT to be
enabled and serial-over-LAN turned on before it can work. This isn't exploiting any flaw in
AMT; the malware just uses the AMT as it's designed in order to do something undesirable.
Both the PLATINUM malware and the AMT security flaw require AMT to be enabled in the first place;
if it's not turned on at all, there's no remote access. Microsoft's write-up of the malware expressed
uncertainty about this part; it's possible that the PLATINUM malware itself enabled AMT - if the
malware has Administrator privileges, it can enable many AMT features from within Windows - or that
AMT was already enabled and the malware managed to steal the credentials.
While this novel use of AMT is useful for transferring files while evading firewalls, it's not
undetectable. Using the AMT serial port, for example, is detectable. Microsoft says that
its own Windows Defender Advanced Threat Protection can even distinguish between legitimate uses
of serial-over-LAN and illegitimate ones. But it's nonetheless a neat way of bypassing one of the
more common protective measures that we depend on to detect and prevent unwanted network activity.
potato44819, Ars Legatus Legionis, Jun 8, 2017 8:59 PM
"Microsoft says that its own Windows Defender Advanced Threat Protection can even distinguish
between legitimate uses of serial-over-LAN and illegitimate ones. But it's nonetheless a neat
way of bypassing one of the more common protective measures that we depend on to detect and prevent
unwanted network activity."
It's worth noting that this is NOT Windows Defender.
Windows Defender Advanced Threat Protection is an enterprise product.
This is pretty fascinating and clever TBH. AMT might be convenient for sysadmin, but it's proved
to be a massive PITA from the security perspective. Intel needs to really reconsider its approach
or drop it altogether.
"it's possible that the PLATINUM malware itself enabled AMT - if the malware has Administrator
privileges, it can enable many AMT features from within Windows"
I've only had 1 machine that had AMT (a Thinkpad T500 that somehow still runs like a charm despite
hitting the 10yrs mark this summer), and AMT was toggled directly via the BIOS (this is all pre-UEFI.)
Would Admin privileges be able to overwrite a BIOS setting? Would it matter if it was handled
via UEFI instead?
Always on and undetectable. What more can you ask for? I have to imagine that an IDS system at
the egress point would help here.
Using SOL and AMT to bypass the OS sounds like it would work over SOL and IPMI as well.
I only have one server that supports AMT, I just double-checked that the webui for AMT does not
allow you to enable/disable SOL. It does not, at least on my version. But my IPMI servers do allow
someone to enable SOL from the web interface.
But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets
bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit
has a beachhead? That is not a small thing, but it would give us a way to gauge the severity of
the threat.
Do people really admin a machine through AMT through an external firewall?
Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because
you don't use them doesn't mean their disappearance is "fortunate".
Just out of curiosity, what do you use on the PC end when you still do require traditional serial
communication? USB-to-RS232 adapter?
This PLATINUM group must be pissed about the INTEL-SA-00075 vulnerability being headline news.
All those perfectly vulnerable systems having AMT disabled and limiting their hack.
Intel AMT is a fucking disaster from a security standpoint. It is utterly dependent on security
through obscurity with its "secret" coding, and anybody should know that security through obscurity
is no security at all.
Businesses demanded this technology and, of course, Intel beats the drum for it as well. While
I understand their *original* concerns I would never, ever connect it to the outside LAN. A real
admin, in jeans and a tee, is a much better solution.
Hopefully, either Intel will start looking into improving this and/or MSFT will make enough noise
that businesses might learn to do their update, provisioning in a more secure manner.
Nah, that ain't happening. Who am I kidding?
But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets
bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit
has a beachhead? That is not a small thing, but it would give us a way to gauge the severity
of the threat. Do people really admin a machine through AMT through an external firewall?
The interconnect is via W*. We ran this dog into the ground last month. Other OSs (all as far
as I know (okay, !MSDOS)) keep them separate. Lan0 and lan1 as it were. However it is possible
to access the supposedly closed off Lan0/AMT via W*. Which is probably why this was caught in
the first place.
Note that MSFT has stepped up to the plate here. This is much better than their traditional silence
until forced solution. Which is just the same security through plugging your fingers in your ears
that Intel is supporting.
But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets
bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit
has a beachhead? That is not a small thing, but it would give us a way to gauge the severity
of the threat. Do people really admin a machine through AMT through an external firewall?
The catch would be any machine that leaves your network with AMT enabled. Say perhaps an AMT managed
laptop plugged into a hotel wired network. While still a smaller attack surface, any cabled network
an AMT computer is plugged into, and not managed by you, would be a source of concern.
Serial ports are great. They're so easy to drive that they work really early in the boot process.
You can fix issues with machines that are otherwise impossible to debug.
This is pretty fascinating and clever TBH. AMT might be convenient for sysadmin, but it's proved
to be a massive PITA from the security perspective. Intel needs to really reconsider its approach
or drop it altogether.
"it's possible that the PLATINUM malware itself enabled AMT - if the malware has Administrator
privileges, it can enable many AMT features from within Windows"
I've only had 1 machine that had AMT (a Thinkpad T500 that somehow still runs like a charm
despite hitting the 10yrs mark this summer), and AMT was toggled directly via the BIOS (this
is all pre-UEFI.) Would Admin privileges be able to overwrite a BIOS setting? Would it matter
if it was handled via UEFI instead?
I'm not even sure it's THAT convenient for sys admins. I'm one of a couple hundred sys admins
at a large organization and none that I've talked with actually use Intel's AMT feature. We have
an enterprise KVM (raritan) that we use to access servers pre OS boot up and if we have a desktop
that we can't remote into after sending a WoL packet then it's time to just hunt down the desktop
physically. If you're just pushing out a new image to a desktop you can do that remotely via SCCM
with no local KVM access necessary. I'm sure there's some sys admins that make use of AMT but
I wouldn't be surprised if the numbers were quite small.
Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because
you don't use them doesn't mean their disappearance is "fortunate".
Just out of curiosity, what do you use on the PC end when you still do require traditional serial
communication? USB-to-RS232 adapter?
We just got some new Dell workstations at work recently. They have serial ports. We avoid the
consumer machines.
Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays
quite rare to find on PCs.
Not that fortunately. Serial ports are still very useful for management tasks. It's simple and
it works when everything else fails. The low speeds impose few restrictions on cables.
Sure, they don't have much security but that is partly mitigated by them usually only using
a few metres cable length. So they'd be covered under the same physical security as the server
itself. Making this into a LAN protocol without any additional security, that's where the problem
was introduced. Wherever long-distance lines were involved (modems) the security was added at
the application level.
There is a serious vulnerability in the sudo command that grants root access to anyone with a shell
account. It works on SELinux-enabled systems such as CentOS/RHEL and others too. A local user with
privileges to execute commands via sudo could use this flaw to escalate their privileges to root.
Patch your system as soon as possible.
It was discovered that Sudo did not properly parse the contents of /proc/[pid]/stat when attempting
to determine its controlling tty. A local attacker in some configurations could possibly use this
to overwrite any file on the filesystem, bypassing intended permissions, or gain a root shell.
... ... ...
A list of affected Linux distros:
Red Hat Enterprise Linux 6 (sudo)
Red Hat Enterprise Linux 7 (sudo)
Red Hat Enterprise Linux Server (v. 5 ELS) (sudo)
Oracle Enterprise Linux 6
Oracle Enterprise Linux 7
Oracle Enterprise Linux Server 5
CentOS Linux 6 (sudo)
CentOS Linux 7 (sudo)
Debian wheezy
Debian jessie
Debian stretch
Debian sid
Ubuntu 17.04
Ubuntu 16.10
Ubuntu 16.04 LTS
Ubuntu 14.04 LTS
SUSE Linux Enterprise Software Development Kit 12-SP2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
So far, OSS-Fuzz has found a total of
264 potential security vulnerabilities: 7 in Wireshark, 33 in LibreOffice, 8 in SQLite 3, 17 in FFmpeg
-- and the list goes on...
"Eligible projects
will receive $1,000 for initial integration, and up to $20,000 for ideal integration" -- or twice
that amount, if the proceeds are donated to a charity.
Some Linux distros will need to be updated following the discovery of an
easily exploitable flaw in a core system management component.
The CVE-2016-10156 security hole in systemd v228 opens the door to privilege escalation attacks,
creating a means for hackers to root systems locally if not across the internet. The vulnerability
is fixed in systemd v229.
Essentially, it is possible to create world-readable, world-writeable setuid executable files
that are root owned by setting all the mode bits in a call to touch(). The systemd
changelog for
the fix reads:
basic: fix touch() creating files with 07777 mode
mode_t is unsigned, so MODE_INVALID < 0 can never be true.
This fixes a possible [denial of service] where any user could fill /run by writing to a world-writable
/run/systemd/show-status.
However, as pointed out by security researcher Sebastian Krahmer, the flaw is worse than a denial-of-service
vulnerability – it can be exploited by a malicious program or logged-in user to gain administrator
access: "Mode 07777 also contains the suid bit, so files created by touch() are world writable suids,
root owned."
The security bug was quietly fixed in January 2016 back when it was thought to pose only a system-crashing
risk. Now the programming blunder has been upgraded this week following a reevaluation of its severity.
The bug now weighs in at a CVSS score of 7.2, towards the top end of the 1-10 scale.
It's a local root exploit, so it requires access to the system in question to exploit,
but it pretty much boils down to "create a powerful file in a certain way, and gain root on the server."
It's trivial to pull off.
"Newer" versions of systemd deployed by Fedora or Ubuntu have been secured, but Debian
systems are still running an older version and therefore need updating.
systemd is a suite of building blocks for Linux systems that provides system and
service management technology. Security specialists view it with
suspicion and complaints about function creep are not uncommon.
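A Python model of the changelog's reasoning, added here as an example (it is not systemd's code): MODE_INVALID is (mode_t) -1, an unsigned mode_t cannot hold a negative value, so a guard of the form `mode < 0` (the shape assumed here from the changelog line) never fires and the sentinel reaches fchmod(), where Linux keeps only its low 12 bits, 07777. The helper names and the 32-bit mode_t width are this example's assumptions.

```python
"""Why a signed-style guard on an unsigned mode creates 07777 files
(added example modelling the systemd changelog above; a Python model,
not systemd's code).

systemd's touch() passes MODE_INVALID, defined as (mode_t) -1, to mean
"no mode requested".  mode_t is unsigned, so that value is 4294967295,
a guard written as `mode < 0` never fires, and the sentinel reaches
fchmod().  Linux applies only the low 12 bits (S_IALLUGO, 07777),
which include setuid, setgid and world-write.
"""
import ctypes
import stat

# (mode_t) -1 on a platform with a 32-bit unsigned mode_t (assumed width)
MODE_INVALID = ctypes.c_uint32(-1).value          # 0xFFFFFFFF
S_IALLUGO = 0o7777                                # the bits chmod() honours on Linux


def chmod_bits_buggy(mode):
    """Mode that would reach fchmod(), or None to skip the chmod.
    The guard assumes a negative sentinel, which an unsigned type cannot hold."""
    if mode < 0:                      # never true for MODE_INVALID
        return None
    return mode & S_IALLUGO           # (mode_t) -1 & 07777 == 07777


def chmod_bits_fixed(mode):
    """The corrected guard compares against the sentinel itself."""
    if mode == MODE_INVALID:
        return None
    return mode & S_IALLUGO


def world_writable_setuid(bits):
    """True when a mode is both setuid and writable by everyone: on a
    root-owned file that is the local root escalation Krahmer pointed out."""
    return bool(bits & stat.S_ISUID) and bool(bits & stat.S_IWOTH)


def describe(bits):
    """ls-style permission string for a regular file with these bits."""
    return stat.filemode(stat.S_IFREG | bits)


if __name__ == "__main__":
    for name, fn in (("buggy", chmod_bits_buggy), ("fixed", chmod_bits_fixed)):
        bits = fn(MODE_INVALID)
        print(name, "->", "no chmod" if bits is None else describe(bits))
```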
"This article is more full of bullshit than a bull stable .... with shit in it."
brings to my mind all the comments from Microsoft fans/paid-for shills in other forums. They tend
to attack anyone not accepting things imposed on them.
Remember Heartbleed?
If you believe the hype today, Shellshock is in that league and with an equally awesome name albeit
bereft of a cool logo (someone in the marketing department of these vulns needs to get on that).
But in all seriousness, it does have the potential to be a biggie and
as I did with Heartbleed,
I wanted to put together something definitive both for me to get to grips with the situation and
for others to dissect the hype from the true underlying risk.
To set the scene, let me share some content from Robert Graham's blog post; he has been doing some
excellent analysis on this. Imagine an HTTP request like this:
Analysis of the source code history of
Bash shows that the vulnerabilities had existed undiscovered since approximately version 1.13 in
1992.[4]
The maintainers of the Bash source code have difficulty pinpointing the time of introduction due
to the lack of comprehensive changelogs.[1]
In Unix-based operating systems, and in other operating systems that Bash supports, each running
program has its own list of name/value pairs called
environment variables. When one
program starts another program, it provides an initial list of environment variables for the new
program.[14]
Separately from these, Bash also maintains an internal list of functions, which are named
scripts that can be executed from within the program.[15]
Since Bash operates both as a command interpreter and as a command, it is possible to execute Bash
from within itself. When this happens, the original instance can export environment variables
and function definitions into the new instance.[16]
Function definitions are exported by encoding them within the environment variable list as variables
whose values begin with parentheses ("()") followed by a function definition. The new instance of
Bash, upon starting, scans its environment variable list for values in this format and converts
them back into internal functions. It performs this conversion by creating a fragment of code from
the value and executing it, thereby creating the function "on-the-fly", but affected versions do
not verify that the fragment is a valid function definition.[17]
Therefore, given the opportunity to execute Bash with a chosen value in its environment variable
list, an attacker can execute arbitrary commands or exploit other bugs that may exist in Bash's
command interpreter.
On October 1st, Zalewski released details of the final bugs, and confirmed that Florian's patch
does indeed prevent them.
CGI-based web server attack
When a web server uses the
Common Gateway Interface (CGI)
to handle a document request, it passes various details of the request to a handler program in the
environment variable list. For example, the variable HTTP_USER_AGENT has a value that, in normal
usage, identifies the program sending the request. If the request handler is a Bash script, or if
it executes one for example using the
system(3) call, Bash will receive the environment variables passed by the server and will process
them as described above. This provides a means for an attacker to trigger the Shellshock vulnerability
with a specially crafted server request.[4]
The security documentation for the widely used Apache web server states: "CGI scripts can ... be
extremely dangerous if they are not carefully checked."[20] and other methods of handling web
server requests are often used. There are a number of online services which attempt to test the
vulnerability against web servers exposed to the Internet.
SSH server example
OpenSSH has a "ForceCommand" feature, where
a fixed command is executed when the user logs in, instead of just running an unrestricted command
shell. The fixed command is executed even if the user specified that another command should be run;
in that case the original command is put into the environment variable "SSH_ORIGINAL_COMMAND". When
the forced command is run in a Bash shell (if the user's shell is set to Bash), the Bash shell will
parse the SSH_ORIGINAL_COMMAND environment variable on start-up, and run the commands embedded in
it. The user has used their restricted shell access to gain unrestricted shell access, using
the Shellshock bug.[21]
DHCP example
Some DHCP clients can also pass commands to
Bash; a vulnerable system could be attacked when connecting to an open Wi-Fi network. A
DHCP client typically requests and gets an IP address
from a DHCP server, but it can also be provided a series of additional options. A malicious
DHCP server could provide, in one of these options, a string crafted to execute code on a vulnerable
workstation or laptop.[9]
Note of offline system vulnerability
The bug can potentially affect machines that are not directly connected to the Internet when
performing offline processing, which involves the use of Bash.
Initial report (CVE-2014-6271)
This original form of the vulnerability involves a specially crafted environment variable containing
an exported function definition, followed by arbitrary commands. Bash incorrectly executes the trailing
commands when it imports the function.[22]
The vulnerability can be tested with the following command:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
In systems affected by the vulnerability, the above commands will display the word "vulnerable"
as a result of Bash executing the command "echo vulnerable", which was embedded into
the specially crafted environment variable named "x".[23][24]
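A log-side detector for the CGI vector described above, added here as an example (it is not code from the cited sources): it classifies a header value by the shape affected Bash acts on, a value beginning with "() {", and distinguishes a plain function export from one followed by extra commands (the shape of the test string above) and from one with no closing brace (the CVE-2014-7169 shape). The combined-log regex, the sample lines and the category names are assumptions of this example.

```python
"""Flag Shellshock-style function exports in CGI request headers
(added example for the CGI attack vector and the test string above;
not code from the cited sources).

Affected Bash imports any environment variable whose value starts with
"() {" as a function and evaluates the whole value, so commands after
the closing brace run as well.  A CGI server copies headers such as
User-Agent and Referer into exactly such variables, so the shape of a
header value is enough to classify it.
"""
import re

FUNCTION_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Apache "combined" log format; quoted fields are assumed not to contain
# escaped quotes (enough for a demonstration, not a full log parser).
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)


def classify_env_value(value):
    """Return one of:
    "clean"            - does not look like an exported function at all
    "function-export"  - a complete "() { ... }" body and nothing after it
    "shellshock"       - a body followed by extra text (CVE-2014-6271 shape)
    "malformed-export" - "() {" with no matching "}" (CVE-2014-7169 shape)
    Braces inside quotes are counted too; this is a heuristic, not a parser.
    """
    m = FUNCTION_PREFIX.match(value)
    if not m:
        return "clean"
    depth = 0
    for i in range(m.end() - 1, len(value)):   # start at the opening brace
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
            if depth == 0:
                return "shellshock" if value[i + 1:].strip() else "function-export"
    return "malformed-export"


def scan_access_log(lines):
    """Return [(client_ip, header, classification)] for every header value
    in the log that is not "clean"; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            continue
        for header in ("referer", "user_agent"):
            verdict = classify_env_value(m.group(header))
            if verdict != "clean":
                findings.append((m.group("ip"), header, verdict))
    return findings


# Constructed sample log (documentation addresses, no real hosts); the first
# User-Agent is the test string quoted above.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "() { :;}; echo vulnerable"',
    '198.51.100.4 - - [25/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for ip, header, verdict in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {header} header looks like {verdict}")
```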
There was an initial report of the bug made to the maintainers of Bash (Report# CVE-2014-6271).
The bug was corrected with a patch to the program. However, after the release of the patch there
were subsequent reports of different, yet related vulnerabilities. On 26 September 2014, two open-source
contributors, David A. Wheeler and
Norihiro Tanaka, noted that there were additional issues, even after patching systems using the
most recently available patches. In an email addressed to the oss-sec list and the bash bug list,
Wheeler wrote: "This patch just continues the 'whack-a-mole' job of fixing parsing errors that began
with the first patch. Bash's parser is certain [to] have many many many other vulnerabilities".[25]
On 27 September 2014, Michal Zalewski
announced his discovery of several other Bash vulnerabilities,[26]
one based upon the fact that Bash is typically compiled without
address space layout
randomization.[27]
Zalewski also strongly encouraged all concerned to immediately apply a patch made available by Florian
Weimer.[26][27]
CVE-2014-6277
CVE-2014-6277 relates to the parsing of function definitions in environment variables
by Bash. It was discovered by Michał Zalewski.[26][27][28][29]
This causes a segfault.
() { x() { _; }; x() { _; } <<a; }
CVE-2014-6278
CVE-2014-6278 relates to the parsing of function definitions in environment variables
by Bash. It was discovered by Michał Zalewski.[30][29]
() { _; } >_[$($())] { echo hi mom; id; }
CVE-2014-7169
On the same day the bug was published, Tavis Ormandy discovered a related bug which was assigned
the CVE identifier CVE-2014-7169.[21]
Official and distributed patches for this began to be released on 26 September 2014. It is
demonstrated in the following code:
env X='() { (a)=>\' sh -c "echo date"; cat echo
which would trigger a bug in Bash to execute the command "date" unintentionally. This would become
CVE-2014-7169.[21]
Testing example
Here is an example of a system that has a patch for CVE-2014-6271 but not CVE-2014-7169:
$ X='() { (a)=>\' bash -c "echo date"
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
$ cat echo
Fri Sep 26 01:37:16 UTC 2014
The patched system still prints the syntax error, showing that the CVE-2014-6271 fix rejected the
function definition. However, the attack still causes a file named 'echo' to be written into the
working directory, containing the output of the 'date' call. This incomplete fix resulted in the
creation of CVE-2014-7169 and the release of patches for several systems.
A system patched for both CVE-2014-6271 and CVE-2014-7169 will simply echo the
word "date" and the file "echo" will not be created.
$ X='() { (a)=>\' bash -c "echo date"
date
$ cat echo
cat: echo: No such file or directory
CVE-2014-7186
CVE-2014-7186 relates to an out-of-bounds
memory access error in the Bash parser code, in the fixed-size stack (redir_stack) that tracks
pending here-document redirections.[31]
While working on patching Shellshock, Red Hat researcher Florian Weimer found this bug.[23]
Testing example
The test for this issue feeds Bash a single command line carrying more "<<EOF" here-document
redirections than the fixed redir_stack can hold.
A vulnerable system crashes, and the test then echoes the text "CVE-2014-7186 vulnerable, redir_stack".
CVE-2014-7187
CVE-2014-7187 relates to an off-by-one
error, allowing out-of-bounds memory access, in the Bash parser code (the word_lineno array,
which records line numbers of nested compound commands).[32]
While working on patching Shellshock, Red Hat researcher Florian Weimer found this bug.[23]
Testing example
Here is an example of the vulnerability, which nests 200 "for" loops and then closes them with 200 "done" keywords:
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
A vulnerable system crashes while parsing the input, and the test then echoes the text "CVE-2014-7187 vulnerable, word_lineno".
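The per-CVE tests above are scattered and written for an interactive session. The script below is an added example, not code from this page, from bash upstream or from Red Hat: it folds the CVE-2014-6271, 7169, 6277, 6278, 7186 and 7187 checks into one POSIX sh probe that reports "vulnerable" or "patched" per issue and exits non-zero when anything is vulnerable. It assumes the target is the first `bash` in PATH unless BASH_BIN points elsewhere. The payloads are the ones quoted on this page; the here-document line for CVE-2014-7186 (which the page describes but does not print) uses fourteen consecutive `<<EOF` redirections, enough to overrun the original fixed-size redir_stack, and the CVE-2014-7187 generator uses a counting loop in place of bash brace expansion so the probe itself does not need bash to run.

```sh
#!/bin/sh
# Added example, not code from the page, from bash upstream or from Red Hat: one probe
# script that runs the per-CVE checks discussed above against a target bash binary.
# Assumption: the target is the first `bash` in PATH unless BASH_BIN is set, e.g.
#   BASH_BIN=/opt/old/bin/bash sh shellshock_probe.sh
# Each check prints "vulnerable" or "patched"; the payloads are the ones cited on this page.

BASH_BIN="${BASH_BIN:-bash}"

# classify_import OUTPUT MARKER: "vulnerable" when the marker that a payload was meant
# to print shows up in the captured output, otherwise "patched".
classify_import() {
    case "$1" in
        *"$2"*) echo vulnerable ;;
        *)      echo patched ;;
    esac
}

# CVE-2014-6271: the command after the function body is executed when the variable is imported.
check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c "echo test" 2>&1)
    classify_import "$out" vulnerable
}

# CVE-2014-7169: the leftover redirection makes `echo date` parse as `> echo date`,
# so `date` runs and a file named `echo` appears in the working directory. Run it in a
# scratch directory so the probe itself leaves nothing behind.
check_7169() {
    dir=$(mktemp -d) || { echo error; return 1; }
    (
        cd "$dir" || exit 1
        env X='() { (a)=>\' "$BASH_BIN" -c "echo date" >/dev/null 2>&1 || :
        if [ -e echo ]; then echo vulnerable; else echo patched; fi
    )
    rm -rf "$dir"
}

# CVE-2014-6277: Zalewski's definition crashes the parser (non-zero exit, 139 = SIGSEGV).
check_6277() {
    env x='() { x() { _; }; x() { _; } <<a; }' "$BASH_BIN" -c : >/dev/null 2>&1 \
        && echo patched || echo vulnerable
}

# CVE-2014-6278: Zalewski's second definition runs the trailing command group.
check_6278() {
    out=$(env x='() { _; } >_[$($())] { echo hi mom; id; }' "$BASH_BIN" -c : 2>&1)
    classify_import "$out" "hi mom"
}

# CVE-2014-7186: more here-documents on one command line than the fixed redir_stack holds
# (fourteen here; the count is this example's choice). A patched bash only warns about the
# missing EOF delimiters and exits 0.
check_7186() {
    "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' \
        >/dev/null 2>&1 && echo patched || echo vulnerable
}

# CVE-2014-7187: 200 nested `for ... do` lines followed by 200 `done` lines (the page's test,
# with a POSIX counting loop instead of bash brace expansion so this file runs under plain sh).
gen_7187() {
    i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
    i=1; while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done
}
check_7187() {
    gen_7187 | "$BASH_BIN" >/dev/null 2>&1 && echo patched || echo vulnerable
}

# run_all: one "CVE-2014-NNNN status" line per check; returns the number of vulnerable
# results. The crash-based checks treat any non-zero exit as "vulnerable", so a missing
# target binary is reported separately instead of being misread as six vulnerabilities.
run_all() {
    if ! command -v "$BASH_BIN" >/dev/null 2>&1; then
        echo "target bash not found: $BASH_BIN" >&2
        return 2
    fi
    bad=0
    for cve in 6271 7169 6277 6278 7186 7187; do
        r=$("check_$cve")
        echo "CVE-2014-$cve $r"
        [ "$r" = vulnerable ] && bad=$((bad + 1))
    done
    return "$bad"
}

if run_all; then
    echo "result: no vulnerable behaviour observed in $BASH_BIN"
else
    echo "result: vulnerable behaviour or probe error, see above" >&2
fi
```

Run it with `sh shellshock_probe.sh` on the host, or point BASH_BIN at a copy of an old binary to see the "vulnerable" branches fire. The crash-based checks (6277, 7186, 7187) only look at the exit status, which is why run_all refuses to run when the target binary is absent: a "command not found" would otherwise read as three crashes.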
The original flaw in Bash was assigned CVE-2014-6271. Shortly after that issue went public a researcher
found a similar flaw that wasn't blocked by the first fix and this was assigned CVE-2014-7169. Later,
Red Hat Product Security researcher Florian Weimer found additional problems and they were assigned
CVE-2014-7186 and CVE-2014-7187. It's possible that other issues will be found in the future and
assigned a CVE designator even if they are blocked by the existing patches.
... ... ...
Why is Red Hat using a different patch than others?
Our patch addresses the CVE-2014-7169 issue in a much better way than the upstream patch, we wanted
to make sure the issue was properly dealt with.
I have deployed web application filters to block CVE-2014-6271. Are these filters also effective
against the subsequent flaws?
If configured properly and applied to all relevant places, the "() {" signature will work against
these additional flaws.
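The answer above says a filter on the "() {" signature also covers the later flaws. The reason is that the vulnerable import code in Bash only acted on a variable whose value began with the four bytes "() {" (one space), so that exact literal is what every function-import payload must start with, whichever CVE it goes on to trigger. The following scanner is an added example, not code from this page or from Red Hat: it applies that signature to Apache combined-format access logs, where the request line, referer and user-agent (all of which become environment variables for a CGI) are logged as double-quoted fields, and it reports the client address together with the command that followed the decoy function body. The log lines are constructed for the example and use documentation addresses.

```sh
#!/bin/sh
# Added example, not code from the page or from Red Hat: a scanner for the "() {"
# function-import prefix in Apache combined-format access logs, the signature the FAQ
# above says a properly placed filter can key on. Assumptions: log lines follow the
# combined format (request line, referer and user-agent are the double-quoted fields);
# the sample lines below are constructed, with RFC 5737 documentation addresses.

# The vulnerable import code in bash only acted on a value that started with the four
# bytes "() {" (one space), so that exact literal is the thing to look for. grep -F keeps
# the parentheses and brace from being read as regex syntax.
SIGNATURE='() {'

SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:22 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/ping -c 1 198.51.100.7"
198.51.100.23 - - [25/Sep/2014:10:01:23 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:01:25 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; /usr/bin/id" "curl/7.37.0"'

# flag_lines: copy only the stdin lines that carry the signature, wherever it sits
# (request line, referer or user-agent all become environment variables for a CGI).
flag_lines() {
    grep -F -- "$SIGNATURE"
}

# count_hits: number of flagged lines on stdin (tr strips the padding BSD wc emits).
count_hits() {
    flag_lines | wc -l | tr -d ' '
}

# report: for each flagged line print "client-IP<TAB>command", where command is what
# follows the decoy function body, i.e. what the attacker wanted bash to run.
report() {
    flag_lines | awk -v sig="$SIGNATURE" '{
        n = index($0, sig)
        if (n == 0) next
        ip = $1
        rest = substr($0, n)
        # the logged field ends at the next double quote
        q = index(rest, "\"")
        if (q) rest = substr(rest, 1, q - 1)
        # strip the function body and the separator: "() { :; }; " -> ""
        sub(/^[(][)] [{][^}]*[}][ \t]*;?[ \t]*/, "", rest)
        print ip "\t" rest
    }'
}

printf '%s\n' "$SAMPLE_LOG" | report
```

Feed a real log with `flag_lines < access_log` or `report < access_log`. One caveat for real data: Apache escapes a double quote inside a logged field as `\"`, and this simple field cutter stops at the first quote it sees, so a payload that itself contains quotes will be reported truncated; the line is still flagged, which is the part that matters for triage.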
Does SELinux help protect against this flaw?
SELinux can help reduce the impact of some of the exploits for this issue. SELinux guru Dan Walsh
has written about this in depth in his blog.
Are you aware of any new ways to exploit this issue?
Within a few hours of the first issue being public (CVE-2014-6271), various exploits were seen
live; they attacked the services we identified as at risk in our first post:
from dhclient,
CGI serving web servers,
sshd+ForceCommand configuration,
git repositories.
We did not see any exploits which were targeted at servers which had the first issue fixed, but
were affected by the second issue. We are currently not aware of any exploits which target bash
packages which have both CVE patches applied.
Why wasn't this flaw noticed sooner?
The flaws in Bash were in a quite obscure feature that was rarely used; it is not surprising that
this code had not been given much attention. When the first flaw was discovered it was reported
responsibly to vendors who worked over a period of under 2 weeks to address the issue.
Red Hat is aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted
environment variables containing arbitrary commands that will be executed on vulnerable systems
under certain conditions. The new issue has been assigned CVE-2014-7169.
We are working on patches in conjunction with the upstream developers as a critical priority.
For details on a workaround, please see the
knowledgebase article.
Red Hat advises customers to upgrade to the version of Bash which contains the fix for CVE-2014-6271
and not wait for the patch which fixes CVE-2014-7169. CVE-2014-7169 is a less severe issue and patches
for it are being worked on.
Bash, or the Bourne-again shell, is a UNIX-like shell which is perhaps one of the most installed
utilities on any Linux system. Since its creation in 1989, Bash has evolved from a simple terminal-based
command interpreter to many other uses.
In Linux, environment variables provide a way to influence the behavior of software on the system.
They typically consist of a name which has a value assigned to it. The same is true of the Bash
shell. It is common for many programs to run the Bash shell in the background. It is often used
to provide a shell to a remote user (via ssh or telnet, for example), to provide an interpreter for CGI scripts
(Apache, etc.) or to provide limited command execution support (git, etc.).
Coming back to the topic, the vulnerability arises from the fact that you can create environment
variables with specially-crafted values before calling the Bash shell. These variables can contain
code, which gets executed as soon as the shell is invoked. The name of these crafted variables does
not matter, only their contents. As a result, this vulnerability is exposed in many contexts, for
example:
ForceCommand is used in sshd configs to provide limited command execution capabilities for
remote users. This flaw can be used to bypass that and provide arbitrary command execution.
Some Git and Subversion deployments use such restricted shells. Regular use of OpenSSH is not
affected because users already have shell access.
Apache servers using mod_cgi or mod_cgid are affected if CGI scripts are either written in
Bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen
in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is
used (which depends on the command string).
PHP scripts executed with mod_php are not affected even if they spawn subshells.
DHCP clients invoke shell scripts to configure the system, with values taken from a potentially
malicious server. This wou