Softpanorama

Top Vulnerabilities in Linux Environment

Introduction

It is generally stupid to talk about individual vulnerabilities without taking into account the general architecture of a particular network segment, especially the set of ports opened across the segment. Also, routers, switches and even network printers can be as vulnerable as, or even more vulnerable than, individual Linux servers or desktops.

Internet routers are now the most common point of attack on individual home computers. That means that placing a proxy server behind the router (using some kind of Firewall Micro Appliance) for Internet access should now be viewed as a necessary evil and as the "best practice".

But unfortunately in home networks they are not widely used, mostly because users lack the necessary skills. That is often true even for the home networks of system administrators, who are often too lazy to configure a VPN for the connection to the organization and to use a completely separate computer, not connected to the home network, for working with corporate servers. Dual-use laptops in such cases are a huge evil. Which means that the home networks of system administrators often represent the weakest link in corporate security and the optimal entry point for a determined hacker into corporate or other networks.

Another important factor is the level of stupidity/gullibility of users in a large organization. It can take various forms, with the most recent and most stunning example being the Hillary Clinton email scandal, which demonstrated that shadow IT represents a significant and underappreciated danger. The level of stupidity and greed cannot be overestimated. Note that the qualification of the system administrators in this case was average at best, and even NIST recommendations were ignored in the setup and maintenance of the server(s). So the people who installed and maintained the server were not qualified to do that. And such a situation is typical for shadow IT.

So the security and vulnerability of Linux is only a small part of the whole puzzle. The human factor is another important variable, and some users represent a natural Trojan horse in corporate networks. That means that many organizations which enforce monthly or even more frequent patching in a vain attempt to increase their server security actually lower it, as they are barking up the wrong tree. Those efforts might be better spent on user education and on improving the general architecture (for example, blocking the ability of desktops/laptops to communicate with other desktops/laptops directly, allowing it only via the server segment). Even Windows administrators should first connect to some Windows server (which serves as a multiplexor of remote desktops) and from it to user laptops/desktops.

Fascination with the installation of multiple security products on a corporate desktop is another cancer that has recently hit corporate networks. Not only does it often make desktops/laptops barely operable, it also provides a false sense of security, offloading the responsibility for protecting the network to the AV vendor. The usefulness of AV in protecting Linux servers and Linux workstations is highly questionable, and attempts to "unify" them with Windows are badly advised.

Also, not all security vulnerability patches are created equal. Only very few of them address remotely exploitable vulnerabilities, and even those presuppose that specific ports are open, which is often not true in a corporate or a good home network, where only three or four ports are allowed to communicate with external sites (for example HTTP, HTTPS, DNS and ssh/scp). Most security patches pushed each month by vendors like Red Hat are exploitable only with an account on the server, or even only under some additional conditions.

Claims that open source software is more secure than proprietary solutions cannot be taken at face value. Theoretically this is true, but the complexity of open source software negates this. Historically, OpenSSH vulnerabilities were one of the favorite ways of breaking into Internet ISPs for at least half a decade. According to the US Government's database of computer security vulnerabilities maintained by the National Institute of Standards and Technology (http://icat.nist.gov), as of April 15, 2004, there had been more High Severity (remotely exploitable) vulnerabilities found in the Linux operating system than in Microsoft Windows. This is not surprising, as Linux has more goodies installed in the standard setup and more ports opened (recently that changed in RHEL). But if Linux is installed in a minimal configuration (as it should be), many of those vulnerabilities apply to packages and protocols that are not present. So the reverse is true: a minimized Linux, even without hardening, is much more secure than any Windows desktop or server, even a hardened one.

Also, many vulnerabilities are applicable only to a specific version of Linux, application or protocol. In March 2004, Forrester Research published a report that came to the conclusion that Linux is no more secure than Windows. Also, Linux in practice (especially in home networks) is often running with the firewall disabled, which is a big "no-no" security-wise. Amateur users often use root as their user account, another big "no-no". Add to this the mind-boggling complexity of modern Linux, where even the Apache server probably requires years of study to be configured and used properly, and you get the picture.

It is true that Windows is often used in a less secure way than Linux (with the user operating all the time from the Administrator account or equivalent), but if a regular user account is used, such security mechanisms as Windows Group Policy and cryptographically signed executables beat Linux in its default configuration. The excellent security system introduced by Suse, AppArmor, did not become the Linux standard. Red Hat's SELinux, which few people understand and few configure correctly (most often they disable it), is dominant.

Only Solaris is competitive in this area. It also benefits from security via obscurity, especially if deployed on SPARC servers.

Another key factor is that the number of security flaws discovered is generally proportional to market share, so the dominant OS is the most natural target of attacks. This issue is often replayed on a new level in the Linux vs. Solaris security debate. In security, being non-mainstream has its own set of advantages. There is a huge and lucrative market for Windows zero-day exploits. Some market exists for Linux too. There is no such market for Solaris.

There are also government-sponsored hackers who develop professional exploits for both Windows and Linux. Stuxnet, Flame and the subsequent set of nasty worms were developed by governments, and later those technologies fell into the hands of hackers. Unlike regular munitions, cyber weapons do not explode on contact. They can be captured, disassembled, studied and replicated on a new, more sophisticated and dangerous level in a never-ending battle of defense and attack tools. When some government let Stuxnet out of the box, it literally opened the Pandora's box of cyber war.

In other words, when we discuss the security of an individual Linux box, this is an abstraction, and often not a very useful one. What we should discuss is the security of the network in which the particular Linux box is installed. Also, there are some "semi-hidden" parts of the network infrastructure, for example the subnet on which management interfaces like Dell DRAC or HP iLO live (and nobody knows how many vulnerabilities those contain and who has them, other than the NSA), which are seldom secured properly despite the fact that this is an obvious line of attack on Linux servers. As such, they represent a more subtle and potentially more lucrative way to break into the server than a frontal attack. There are a lot of commercial servers, even in major datacenters, which still have default passwords for DRAC or iLO, and default accounts still enabled.

All this suggests that when discussing individual vulnerabilities it is important to see the bigger picture: it is architecture that matters most in providing the desired level of security. Which boxes are open to the Internet and which are not? Which ports are opened across the segment on which the sensitive box is installed? Is a DMZ configuration used? Is private DNS used? The answers to all those questions by and large define the level of security that you can achieve. Patching is another interesting topic with its own set of warts. The patching infrastructure can be, and in the past was, used as a way to break into servers (breaking into a repository and installing trojanized versions of some components is just the tip of this iceberg). Again, look at the level of stupidity in the configuration of Hillary's bathroom server (Hillary Clinton email scandal) as a pretty educational example of how not to do such things.

Smartphone infrastructure (and Android is nothing but a proprietary version of Linux used by Google) in companies is now another "Wild West", with little security and a lot of ways to subvert those few measures that are used. Here the stupidity and gullibility of users has probably reached its maximum level.

But there is a silver lining in any dark cloud. First of all, there are "DVD-only" distributions which are secure after each reboot. So for highly confidential tasks you can reimage the server from DVD or just use such a distribution. That somewhat guarantees that for the next few hours you work with a "clean" system. In general, the use of non-writable storage can be considered a measure that is to some extent an alternative to periodic patching. In this case you are guaranteed that your executables will not be trojanized and that no accounts or components are added to the system. There is no real necessity for such directories as /bin, /usr, /boot, /root, and some others, to be writable. And /etc, while writable, consists mostly of static files that can be overwritten as often as you wish from "safe" non-writable storage. This is one way to avoid web site hacking: nobody can write a file on a write-protected disk without physical access to the disk.

And then there is such a danger as shadow IT, which often exists below the radar in many highly bureaucratized, fossilized/outsourced IT environments, which are pretty common in large corporations. This was the essence of the Hillary Clinton email hacking scandal. To make a long story short, a key part of the State Department IT infrastructure, the mail server used by the Secretary of State and her close entourage, was installed as a private "bathroom" Windows-based server with Microsoft Exchange as the mail server, directly open to the Internet. And all this mess was maintained by rank-and-file specialists with experience mainly in IT for non-profits and without proper security training.

After this episode it is easy to stop believing in the ability of the US government to maintain the security of its servers. The server (or group of servers) was configured without any attempt to satisfy NIST guidelines for this type of server. If you have architecture flaws like this, you are royally f*cked no matter how hard you try to patch individual vulnerabilities. Architecture faults override all those efforts, and when we are talking about individual vulnerabilities we assume that a sound architecture, proper for the desired level of security of the particular server, is already in place. Otherwise the whole discussion just does not make any sense.

Forrester measured the time between the discovery of a flaw and the release of a fix for the flaw, not a perfect but still a worthwhile metric. It claims Linux, in this particular sense, was less secure than Windows, not only because the total number of security alerts for Linux outnumbered those for Windows, but also because the time to fix them was not impressive. But this is a difficult metric to provide objectively, as the severity of the flaws varies, and most flaws counted against Linux were actually flaws in applications or programming environments that run on Linux, not in the Linux kernel per se. Also, with a tightly configured firewall many of them just do not make any sense and are not exploitable. Paranoia fueled by greedy security firms, which exaggerate the severity of flaws and hide the information about the conditions necessary for their exploitation, actually does a lot of harm to Linux.

On a high level of security, with AppArmor enabled (or if you have an expert in SELinux security able to configure it properly for your case) and with the internal firewall not only enabled but properly configured (emphasis on properly), you simply deny access to most vulnerabilities, and it does not matter much whether they are patched or not: they are simply inaccessible.

Only very few protocols that are opened (DNS is one example) can be secured by constantly monitoring the integrity of the server and blocking any changes outside /tmp and similar filesystems. In the case of DNS, using private internal DNS with a "fake" root also helps. For small organizations it is possible to use the /etc/hosts table instead, eliminating DNS. But even for DNS there are inventive ways to improve security: for example, in most organizations DNS tables are pretty much static and can be written on a CD instead of the hard drive. That makes them harder to modify: you need to create a new writable directory, copy the files and redirect the DNS server to this folder, a task which is difficult to accomplish without already being root. In general, the more secure an environment you wish to have, the larger the part of this environment that should consist of non-writable media.
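The earlier point about /bin, /usr, /boot and /root not needing to be writable, and the point just above about keeping as much of the environment as possible on non-writable media, can be checked mechanically. The following POSIX shell script is an added example, not code from the Softpanorama page: it reads a mount table in /proc/mounts format and reports which of the named system directories sit on writable mounts. The mount table embedded here is a constructed sample; on a real host pass /proc/mounts instead. Function names (mount_point_for, is_readonly, audit_ro_mounts, count_writable) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: report which system
# directories are on writable mounts. Input is a file in /proc/mounts
# format; SAMPLE_MOUNTS below is a constructed sample.

SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,nosuid,relatime 0 0
/dev/sda3 /boot ext4 ro,relatime 0 0
/dev/sda4 /var ext4 rw,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
EOF

# Directories the text argues need not be writable on a hardened server
CHECK_DIRS="/bin /sbin /lib /usr /boot /root"

# mount_point_for DIR MOUNTS_FILE: the longest mount point that contains DIR
mount_point_for() {
    dir=$1; best=/
    while read -r _dev mp _rest; do
        case "$dir" in
            "$mp"|"$mp"/*) match=1 ;;
            *)             [ "$mp" = / ] && match=1 || match=0 ;;
        esac
        if [ "$match" -eq 1 ] && [ "${#mp}" -ge "${#best}" ]; then best=$mp; fi
    done < "$2"
    printf '%s\n' "$best"
}

# mount_options MP MOUNTS_FILE: the option field for mount point MP
mount_options() {
    awk -v mp="$1" '$2 == mp { print $4; exit }' "$2"
}

# is_readonly DIR MOUNTS_FILE: succeed when the mount holding DIR carries "ro"
is_readonly() {
    opts=$(mount_options "$(mount_point_for "$1" "$2")" "$2")
    case ",$opts," in *,ro,*) return 0 ;; *) return 1 ;; esac
}

# audit_ro_mounts MOUNTS_FILE: one line per directory, then the number of
# writable ones on the last line (a hardened box should report 0)
audit_ro_mounts() {
    writable=0
    for d in $CHECK_DIRS; do
        if is_readonly "$d" "$1"; then
            printf '%-6s on %-6s read-only\n' "$d" "$(mount_point_for "$d" "$1")"
        else
            printf '%-6s on %-6s WRITABLE\n' "$d" "$(mount_point_for "$d" "$1")"
            writable=$((writable + 1))
        fi
    done
    printf '%s\n' "$writable"
}

# count_writable MOUNTS_FILE: just the number of writable system directories
count_writable() {
    audit_ro_mounts "$1" | tail -n 1
}

audit_ro_mounts "$SAMPLE_MOUNTS"
```

With the sample table, /usr and /boot are read-only and the four directories living on the root filesystem are reported as writable. On distributions with a merged /usr, /bin and /lib are symlinks into /usr, so pass the resolved path (readlink -f) rather than the symlink.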

Another important aspect is what you are running. For example, if you do not run an X server, it is unclear why you should worry about those vulnerabilities that apply to this environment. In this sense minimization of your installation is the most powerful security tool, and early hardening packages like Titan provided some minimization frameworks. Now most commercial distributions have the option "minimal server", which is a good start.

As Linux is an independent POSIX-compatible reimplementation of Unix, the principles of Linux hardening are the same as for other Unixes and are well developed. That means that Linux in principle can be more completely and more deeply hardened than Windows, because it is a more open system.

But the way Linux is typically installed often denies or even perverts this advantage. In June 2004, the Danish security firm Secunia compared security across operating systems and concluded that Windows was more secure than many people think. According to a new Aberdeen Group report, the open-source Linux has surpassed Windows as the most vulnerable OS, contrary to the high-profile press coverage of Microsoft's security woes, and despite the much larger share of servers running Windows. Furthermore, the Aberdeen Group reports that more than 50 percent of all security advisories that CERT issued in the first 10 months of 2002 were for Linux and other open-source software solutions.

"Open-source software, commonly used in many versions of Linux, UNIX, and network routing equipment, is now the major source of elevated security vulnerabilities for IT buyers," the report reads. "Security advisories for open-source and Linux software accounted for 16 out of the 29 security advisories--about one of every two advisories--published for the first 10 months of 2002. During this same time, vulnerabilities affecting Microsoft products numbered seven, or about one in four of all advisories."

The decentralized nature of Linux development makes it possible for critical flaws in applications (and sometimes even in the kernel) to exist for years without detection.

The Aberdeen Group says this information proves that Linux and UNIX are just as prone to Trojan horse attacks as any other OS, despite press reports to the contrary. According to the Aberdeen Group, the open-source community's claim that it can fix security vulnerabilities more quickly than proprietary developers means very little. The group says that open-source software and hardware solutions need more rigorous security testing before they are released to customers. As I mentioned before, it is interesting that the OpenSSH implementation was for several years the preferred way of hacking into Linux ISPs.

We can rail against Microsoft and its security policies (which are indefensible), but far more people and systems use Microsoft's software than any competing software. And most Linux system administrators do not know how to secure Linux and are not motivated to do so, as it makes their work much more difficult. Linux is moving toward the Windows environment of "servers managed by clueless administrators and used by clueless users". And this is an environment that can't be defended by any technical means.

Moreover, despite the fact that Linux isn't as prevalent as Windows, we're still seeing a gradual increase in Linux security advisories from year to year. We judge that large companies should exercise caution in deploying Linux in the DMZ and deploy Solaris instead, if they are really concerned about hacking and Linux security. Security via obscurity is not a bad thing. Even the use of FreeBSD (or, better, OpenBSD) can sometimes dramatically improve the level of security, as it automatically stops most Linux exploits without any patching.

Long ago, Secunia published graphs of the security advisories for Red Hat Enterprise AS3. According to the graphs, 66% of the listed vulnerabilities can be exploited remotely, meaning they are exposed to an attacker who does not have an account on the system. Even if they are wrong by 50%, that's a lot. Another graph shows that 17% of the vulnerabilities can allow a cracker to escalate his privileges on the vulnerable system, which means that after getting into the system on a non-privileged account the cracker may be able to get root privileges. A Secunia page includes similar graphs for Windows 2003 Enterprise Edition. According to these graphs, only 48% of the Windows 2003 vulnerabilities can be exploited by a remote user, which, taking into account the weakness of their methodology, might mean that in this sense Linux and Windows are close. Neither is superior to the other. The number of vulnerabilities that allow a cracker to escalate privileges is only 13% in Windows compared to 17% for Red Hat, which also means that they are close (those figures need to be taken with a grain of salt and definitely rounded to a single significant digit, as a one percent difference means nothing in this context).

That means that without additional hardening, Red Hat Enterprise Server AS3 used to have approximately the same level of risk as Windows 2003 Enterprise Edition, which means both are indefensible against a motivated hacker.

In other words, the level of security of a system depends on several factors:

It means that it is almost meaningless to discuss it in abstract terms. It should be self-evident that the most serious type of vulnerability, unless the architecture prevents its use, makes it possible for an attacker without any account on the system to gain administrator privileges and seize control of your system via the Internet, both on Windows and Linux. Especially for an attacker who can buy a "zero-day" exploit.

If you need a highly secure environment, then your network should be isolated from the Internet, and/or use non-IP-based communication protocols (such as good old UUCP, BBS infrastructure and Fidonet internally, or on a more modern level by use of InfiniBand for UUCP). I actually saw UUCP used in some organizations for exactly this purpose. The new is sometimes the well-forgotten old. The most secure way to use computers is to use isolated, non-networked computers producing CD/DVDs or just printed materials. Rescanning of printed documents is pretty accurate, especially for regular text files. I read somewhere that the Russian government, after Stuxnet and Flame were exposed, switched a part of its operations to electric typewriters. That's probably too drastic a move, but good old DOS can do wonders for most office tasks and has a collection of applications which were produced before the NSA figured out ways to trojanize them ;-)

Top Vulnerabilities

The question arises: which vulnerabilities of the Linux operating system are most often targeted by malicious attackers? While there is a non-stop stream of remotely exploitable Linux vulnerabilities, only a few of them were used in actual exploits against a significant number of servers.

But for the top vulnerabilities it makes sense to go the extra mile. For example, it does not make any sense to open ssh to the world unless absolutely necessary. Restricting the IP range via TCP wrappers or the firewall is a powerful mechanism for making even the most exploitable protocols more secure.
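The source-range restriction described above can be expressed in both of the forms the text mentions, TCP wrappers and the host firewall, from one allow-list. The POSIX shell script below is an added example and not code from the Softpanorama page: it carries a constructed allow-list of management networks (the addresses are placeholders, not a recommendation), converts each CIDR to the dotted-netmask form that hosts_access(5) accepts for /etc/hosts.allow, prints the matching iptables commands without applying them, and includes a small CIDR matcher so you can dry-run which client addresses the policy would admit before deploying it. All function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: restrict sshd to an
# allow-list of source networks. ALLOWED_SSH_NETS is a constructed sample,
# not a recommendation; substitute your own management networks.
ALLOWED_SSH_NETS="10.20.0.0/16 192.168.1.0/24 203.0.113.7/32"

# ip_to_int A.B.C.D: dotted quad to a 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N: 32-bit integer back to a dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_mask NET/BITS: the netmask as an integer
cidr_mask() {
    bits=${1#*/}
    [ "$bits" -eq 0 ] && { echo 0; return; }
    echo $(( (4294967295 << (32 - bits)) & 4294967295 ))
}

# cidr_to_netmask NET/BITS: dotted netmask, the n.n.n.n/m.m.m.m form hosts_access(5) documents
cidr_to_netmask() {
    int_to_ip "$(cidr_mask "$1")"
}

# in_cidr IP NET/BITS: succeed when IP lies inside the network
in_cidr() {
    mask=$(cidr_mask "$2")
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# ssh_allowed IP: succeed when IP matches any allowed network (dry run of the policy)
ssh_allowed() {
    for n in $ALLOWED_SSH_NETS; do
        in_cidr "$1" "$n" && return 0
    done
    return 1
}

# hosts_allow_rules: lines for /etc/hosts.allow; pair them with "sshd: ALL" in /etc/hosts.deny
hosts_allow_rules() {
    for n in $ALLOWED_SSH_NETS; do
        printf 'sshd: %s/%s\n' "${n%/*}" "$(cidr_to_netmask "$n")"
    done
}

# iptables_rules: the same policy as host-firewall commands (printed, not applied)
iptables_rules() {
    for n in $ALLOWED_SSH_NETS; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$n"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

hosts_allow_rules
iptables_rules
for ip in 10.20.33.4 192.168.2.5 203.0.113.7; do
    if ssh_allowed "$ip"; then echo "$ip: allowed"; else echo "$ip: denied"; fi
done
```

TCP wrappers only protect daemons that link libwrap (or run under a wrapped inetd), so the firewall rules are the layer to rely on; the hosts.allow lines are a second, independent check that survives a mistake in the firewall ruleset.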

Below we reproduce a slightly edited list of the ten most commonly exploited vulnerabilities, similar to the one produced by the SANS Institute. The list for Unix/Linux vulnerabilities currently includes (vulnerabilities that represent additional danger in a large corporate environment due to the number of servers with those applications installed):

Although there are thousands of security incidents each year affecting major Linux distributions, the majority of successful attacks target one or more of these vulnerable services. Attackers usually are opportunistic. They take the easiest and most convenient route and exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations being behind in patching, especially patching of applications and protocols like SSL, and not fixing well-known problems. They often attack indiscriminately, scanning the Internet for any vulnerable systems.

The best strategy for a large corporation is avoidance. On the Unix and Linux side, the Berkeley Internet Name Domain (BIND) software remains the top problem software. That means that a large corporation should never try to run BIND on Linux. Similarly, Apache as an external web server should generally work via an HTTP proxy. Generally, Apache is way too complex to be used as an Internet-facing web server (but it can and should be used as an internal web server, due to its functional superiority over competitors). Running Sendmail on Linux is not recommended for the same reason: at number 6 it belongs to the most vulnerable software on Unix/Linux servers. In major distributions it was replaced by Postfix long ago, so it is only inertia that dictates the continued use of Sendmail in enterprise environments.

The SANS Institute provides a periodic list of top vulnerabilities which, while it can't be taken at face value, still might contain useful information. It can be viewed on the organization's web site. The list below is adapted from the SANS web site and is old. But as a reference it still makes sense, as it shows the futility of viewing Linux security without considering network architecture and the level of hardening. It also shows the limitations of the people at SANS who compiled the list. Concentration on individual software vulnerabilities makes sense for the attacker, but much less sense for the defender.

BIND Domain Name System

Description

The Berkeley Internet Name Domain (BIND) package is the most widely used implementation of the Domain Name Service (DNS), a critical system that allows the conversion of hostnames into the registered IP address. Unless you run your own internal DNS (which many corporations do and which constitutes good practice), this is the system exposed to external attacks.

The ubiquity and critical nature of BIND has made it a frequent target, especially in Denial of Service (DoS) attacks, which can result in a complete loss of accessibility to the Internet for services and hosts. Whilst BIND developers have historically been quick to repair vulnerabilities, an inordinate number of outdated, misconfigured and/or vulnerable servers remain in place. Also, there are some high-level exploits of BIND based on architectural flaws that are not that easy to patch.

Among old, well-known BIND weaknesses was a denial of service discussed in CERT Advisory CA-2002-15. In this case, an attacker can send specific DNS packets to force an internal consistency check which itself is vulnerable and will cause the BIND daemon to shut down. Another was a buffer overflow attack, discussed in CERT Advisory CA-2002-19, in which an attacker utilizes vulnerable implementations of the DNS resolver libraries. By sending malicious DNS responses, the attacker can exploit this vulnerability and execute arbitrary code or even cause a denial of service.

A further risk is posed by a vulnerable BIND server, which may be compromised and used as a repository for illicit material without the administrator's knowledge or in stepping-stone attacks which use the server as a platform for further malicious activity.

Operating Systems Affected

Nearly all UNIX and Linux systems are distributed with a version of BIND. To increase the level of protection it is recommended to use a self-compiled version of BIND built with the Intel compiler, and to replace the stock version of BIND provided by the operating system vendor with this compiled version.

Also, due to the criticality of the service, Linux is a bad choice of platform for its deployment. Solaris should be used instead. For excellent guides to hardening BIND on Solaris systems, as well as additional references for BIND documentation, see Running the BIND9 DNS Server Securely and the archives of BIND security papers available from Afentis.

CVE/CAN Entries
CVE-1999-0009, CVE-1999-0024, CVE-1999-0184, CVE-1999-0833, CVE-1999-0837,
CVE-1999-0835, CVE-1999-0849, CVE-1999-0851, CVE-2000-0887, CVE-2000-0888,
CVE-2001-0010, CVE-2001-0011, CVE-2001-0012, CVE-2001-0013

CAN-2002-0029, CAN-2002-0400, CAN-2002-0651, CAN-2002-0684, CAN-2002-1219,
CAN-2002-1220, CAN-2002-1221

How to Determine if you are Vulnerable

For mission-critical servers, run BIND not installed via RPM, but compiled with appropriate compiler options from source downloaded directly from the Internet Software Consortium (ISC). Or buy a DNS appliance.

Ensure that your externally exposed DNS server runs the latest version of BIND. For most systems, the command "named -v" will show the installed BIND version enumerated as X.Y.Z where X is the major version, Y is the minor version, and Z is a patch level. A proactive approach to maintaining the security of BIND is to subscribe to customized alerting and vulnerability reports. In addition, a vulnerability scanner might be used to check DNS systems for configuration blunders and potential vulnerabilities.
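The X.Y.Z version check described above is easy to script so it can run from cron or a configuration audit. The POSIX shell functions below are an added example, not code from the Softpanorama page: bind_version parses the major, minor and patch numbers out of a "named -v" line, and version_at_least compares them with a required minimum. The version strings in the loop are constructed samples, and the minimum (9.16.0) is a placeholder to be replaced with whatever your vendor's current advisory calls for.

```shell
#!/bin/sh
# Added example, not part of the original page: parse the X.Y.Z version that
# "named -v" prints and compare it with a required minimum. The version
# strings below are constructed samples; the minimum is a placeholder.

# bind_version STRING: print "X Y Z" from a "named -v" line such as
# "BIND 9.16.23-RH (Extended Support Version) <id:placeholder>"
bind_version() {
    printf '%s\n' "$1" |
        sed -n 's/^BIND \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p'
}

# version_at_least STRING X Y Z: succeed when the parsed version is >= X.Y.Z;
# exit status 2 when STRING is not a recognizable BIND version line
version_at_least() {
    set -- $(bind_version "$1") "$2" "$3" "$4"
    [ "$#" -eq 6 ] || return 2
    [ "$1" -ne "$4" ] && { [ "$1" -gt "$4" ]; return; }
    [ "$2" -ne "$5" ] && { [ "$2" -gt "$5" ]; return; }
    [ "$3" -ge "$6" ]
}

# Constructed sample outputs checked against a placeholder minimum.
# On a real host: version_at_least "$(named -v 2>&1)" 9 16 0
REQUIRED_MAJOR=9; REQUIRED_MINOR=16; REQUIRED_PATCH=0
for v in 'BIND 9.16.23-RH (Extended Support Version) <id:placeholder>' \
         'BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7' \
         'named: command not found'; do
    if version_at_least "$v" "$REQUIRED_MAJOR" "$REQUIRED_MINOR" "$REQUIRED_PATCH"; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo "OK      $v" ;;
        2) echo "UNKNOWN $v" ;;
        *) echo "OLD     $v" ;;
    esac
done
```

Vendor builds backport fixes without bumping the upstream version (the "-RH" and "-RedHat" suffixes above mark such builds), so for a distribution-packaged BIND compare the package release against the vendor's errata rather than the bare X.Y.Z; the parser above is for the self-compiled ISC builds the text recommends.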

Remote Procedure Calls (RPC)

This subsystem does not need to be exposed to the Internet, so it is mostly an internal vulnerability, unlike DNS. Most corporations now provide access to the internal network for both users and sysadmins via VPN, using separate, not shared, corporate PCs/laptops, which often have smart card authentication.

Description
Remote procedure calls (RPCs) allow programs on one computer to execute procedures on a second computer by passing data and retrieving the results. RPC is therefore widely used for many distributed network services such as remote administration, NFS file sharing, and NIS. However, there are numerous flaws in RPC which are being actively exploited. Many RPC services execute with elevated privileges that can provide an attacker unauthorized remote root access to vulnerable systems.

The majority of the distributed denial of service attacks launched were executed by systems that had been victimized through these RPC vulnerabilities. The broadly successful attack on U.S. Military systems during the Solar Sunrise incident also exploited an RPC flaw found on hundreds of Department of Defense computer systems. More recently, an MS Windows DCOM Remote Procedure Call vulnerability has played a role in one of the most significant worm propagation events.

Operating Systems Affected
All versions of UNIX and Linux come with RPC services installed and often enabled. It is not always possible to shut down this service, as it is widely used and required for the NFS implementation. For that reason NFS should not be used in the DMZ.

CVE/CAN Entries
CVE-1999-0002 , CVE-1999-0003 , CVE-1999-0008 , CVE-1999-0018 , CVE-1999-0019 ,
CVE-1999-0168 , CVE-1999-0170 , CVE-1999-0208 , CVE-1999-0211 , CVE-1999-0493 ,
CVE-1999-0693 , CVE-1999-0696 , CVE-1999-0977 , CVE-1999-0320 , CVE-2000-0666 ,
CVE-2001-0717 , CVE-2001-0779 , CVE-2001-0803 , CVE-2002-0033 , CVE-2002-0391 ,
CVE-2002-0573 , CVE-2002-0679

CAN-2002-0677 , CAN-2003-0028 , CAN-2003-0252

How to Determine if you are Vulnerable

Use a vulnerability scanner or the 'rpcinfo' command to determine if you are running one of the most commonly exploited RPC services:

RPC Service        RPC Program Number
rpc.ttdbserverd    100083
rpc.cmsd           100068
rpc.statd          100024
rpc.mountd         100005
rpc.walld          100008
rpc.yppasswdd      100009
rpc.nisd           100300
sadmind            100232
cachefsd           100235
snmpXdmid          100249

RPC services are typically exploited through buffer overflow attacks, which are successful because the RPC programs do not perform sufficient error checking or input validation. Buffer overflow vulnerabilities allow an attacker to send unexpected data (often in the form of malicious code) into the program memory space. Due to poor error checking and input validation, the data overwrites key memory locations that are in line to be executed by the processor. In a successful overflow attack, this malicious code is then executed by the operating system. Since many RPC services execute with elevated privileges, successful exploitation of these vulnerabilities can provide unauthorized remote root access to the system.
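The rpcinfo check from the table above can be automated so a fleet-wide scan flags the listed programs consistently. The POSIX shell script below is an added example, not code from the Softpanorama page or from SANS: it reads "rpcinfo -p" output on standard input and reports every registration whose program number appears in the table, matching on the number rather than the service name because the name column differs between platforms. SAMPLE_RPCINFO is a constructed sample of rpcinfo output; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: flag commonly exploited RPC
# programs in "rpcinfo -p" output, keyed by program number. SAMPLE_RPCINFO
# is a constructed sample; on a real host run: rpcinfo -p | risky_rpc_services

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32769  status
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100021    4   tcp  38431  nlockmgr'

# rpc_service_name PROGRAM: the name from the table above, empty if not listed
rpc_service_name() {
    case $1 in
        100083) echo rpc.ttdbserverd ;; 100068) echo rpc.cmsd ;;
        100024) echo rpc.statd ;;       100005) echo rpc.mountd ;;
        100008) echo rpc.walld ;;       100009) echo rpc.yppasswdd ;;
        100300) echo rpc.nisd ;;        100232) echo sadmind ;;
        100235) echo cachefsd ;;        100249) echo snmpXdmid ;;
    esac
}

# risky_rpc_services: reads rpcinfo -p output on stdin and prints
# "PROGRAM NAME PORT/PROTO" once per registration found in the table
risky_rpc_services() {
    while read -r prog _vers proto port _name; do
        case $prog in ''|program) continue ;; esac   # header and blank lines
        name=$(rpc_service_name "$prog")
        [ -n "$name" ] && printf '%s %s %s/%s\n' "$prog" "$name" "$port" "$proto"
    done | sort -u
}

# risky_rpc_count: number of such registrations (unique program/port/proto)
risky_rpc_count() {
    risky_rpc_services | grep -c .
}

printf '%s\n' "$SAMPLE_RPCINFO" | risky_rpc_services
```

On the sample, rpc.statd (two registrations) and rpc.mountd are reported while portmapper, nfs and nlockmgr are not. A zero count is the goal on a DMZ host; anything else is a service to remove or, failing that, to patch and filter as described in the next section.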

How to Protect Against It
Use the following steps to protect your system against RPC attacks:

  1. Turn off or remove any RPC service which is not absolutely necessary for the function of your network.
  2. Install the latest patches for any services you cannot remove:

    For Solaris Software Patches:
    http://sunsolve.sun.com

    For IBM AIX Software Patches:
    http://www.ibm.com/support/us
    http://techsupport.services.ibm.com/server/fixes

    For SGI Software Patches:
    http://support.sgi.com

    For Compaq (Digital UNIX) Software Patches:
    http://www.compaq.com/support

    For Linux Software Patches:
    http://www.redhat.com/apps/support/errata
    http://www.debian.org./security

    For HP-UX Software Enhancements and Patch Bundles:
    http://www.software.hp.com/portal/swdepot/displayProductsList.do?category=ER

  3. Regularly search the vendor patch database for new patches and install them right away.
  4. Block the RPC portmapper, port 111 (TCP and UDP) and Windows RPC, port 135 (TCP and UDP), at the border router or firewall.
  5. Block the RPC "loopback" ports, 32770-32789 (TCP and UDP).
  6. Enable a non-executable stack on those operating systems that support this feature. While a non-executable stack will not protect against all buffer overflows, it can hinder the exploitation of some standard buffer overflow exploits publicly available on the Internet.
  7. For NFS exported file systems, the following steps should be taken:
    1. Use host/IP based export lists.
    2. Set up exported file systems for read-only or no-suid wherever possible.
    3. Use 'nfsbug' to scan for vulnerabilities.

    A summary document pointing to specific guidance about three principal RPC vulnerabilities - Tooltalk, Calendar Manager, and Statd - may be found at: http://www.cert.org/incident_notes/IN-99-04.html.

    Summary documents pointing to specific guidance about the above RPC vulnerabilities may be found at:
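The three NFS steps above (host-based export lists, read-only or no-suid exports, scanning) can be checked against /etc/exports directly. The following is an added example, not code from the page or from nfsbug; it reads Linux exportfs syntax, and the exports file it audits is a constructed sample.

```python
"""Audit /etc/exports (Linux exportfs syntax) against the NFS steps above.

Added example, not from the page. The sample exports file is constructed.
"""

# Constructed sample; paths and networks are not from any real server.
SAMPLE_EXPORTS = """\
# constructed sample, not a real server
/export/home   *(rw,no_root_squash)
/export/pub    192.0.2.0/24(ro,root_squash) 192.0.2.10(rw)
/export/build  (rw)
/export/docs   build.example.com
"""


def parse_exports(text):
    """Return [(path, [(client, [options]), ...])] with comments stripped."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], []
        for spec in fields[1:]:
            if "(" in spec:
                host, opts = spec.split("(", 1)
                opts = opts.rstrip(")")
                opts = opts.split(",") if opts else []
            else:
                host, opts = spec, []
            clients.append((host or "*", opts))  # "(rw)" with no host means everyone
        if not clients:  # a bare path is exported to all hosts
            clients.append(("*", []))
        exports.append((path, clients))
    return exports


def audit_exports(text):
    """One (path, host, finding) tuple per problem; an empty list means nothing to fix."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if host == "*":
                findings.append((path, host, "exported to all hosts"))
            if "rw" in opts:
                findings.append((path, host, "read-write export"))
            if "no_root_squash" in opts:
                findings.append((path, host, "no_root_squash: remote root is root here"))
            if "insecure" in opts:
                findings.append((path, host, "insecure: accepts requests from unprivileged ports"))
    return findings


def suggest_options(opts, need_rw=False):
    """Rewrite an option list per steps 1-2: read-only unless needed, root squashed."""
    keep = [o for o in opts if o not in ("rw", "ro", "no_root_squash", "root_squash", "insecure")]
    return ["rw" if need_rw else "ro", "root_squash"] + keep


if __name__ == "__main__":
    # On a live host: audit_exports(open("/etc/exports").read())
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: {finding}")
```

Wildcard hosts such as `*.example.com` are not treated as world exports here; only a bare `*` (or no host at all) is, so domain-scoped lists still pass step 1 and should be reviewed by hand.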

Apache Web Server

In large corporations Apache or any other web server is never exposed to the Internet directly; usually it sits behind a proxy such as BlueCoat. But small ISPs and small companies often have Apache exposed directly.

Apache has historically been, and continues to be, the most popular web server on the Internet. In comparison to Microsoft's Internet Information Server, Apache may have a cleaner record with regard to security, but it still has its fair share of vulnerabilities. In addition to exploits in Apache's core and modules (CA-2002-27, CA-2002-17), SQL, database, CGI and PHP vulnerabilities are all potentially exposed through the web server.

If left unsecured, vulnerabilities in the Apache web server implementation and associated components can result in denial of service, information disclosure, web site defacement, remote root access, or countless other unfavorable results.

Affected Operating Systems

All UNIX systems running Apache. Many Linux and UNIX variants come with Apache installed and sometimes enabled by default. As in the case of BIND, it is recommended to compile your own version of Apache before deployment.

CVE/CAN Entries
CVE-1999-0021, CVE-1999-0066, CVE-1999-0067, CVE-1999-0070, CVE-1999-0146,
CVE-1999-0172, CVE-1999-0174, CVE-1999-0237, CVE-1999-0260, CVE-1999-0262,
CVE-1999-0264, CVE-1999-0266, CVE-2000-0010, CVE-2000-0208, CVE-2000-0287,
CVE-2000-0941, CVE-2002-0082, CVE-2002-0392

CAN-1999-0509, CAN-2000-0832, CAN-2002-0061, CAN-2002-0513, CAN-2002-0655,
CAN-2002-0656, CAN-2002-0657, CAN-2002-0682, CAN-2003-0132, CAN-2003-0189,
CAN-2003-0192, CAN-2003-0254

How to Determine if you are Vulnerable
Security advisories for Apache 2.x are published at http://httpd.apache.org/security/

How to Protect Against It

  1. Ensure that you are running the latest patch level.
  2. Ensure that core operating system components that are referenced by Apache are patched. Only the modules necessary for your server to function properly should be compiled into Apache. Note: the mod_ssl worm (CA-2002-27) is a perfect example of an attack that resulted from vulnerabilities within OpenSSL (CA-2002-23).
  3. Never run Apache as root. A unique user and group with minimal privileges should be created for running Apache. No other system processes should be run under this user or group.
  4. Limit the server information that is revealed.
    This suggestion tends to meet opposition from people who argue that security by obscurity is not the way, and many of the exploit attempts you will see are done in a blind sweeping fashion (as shown by the IIS exploit attempt after IIS exploit attempt in many Apache logs). Still, there are also some exploits that trigger based on header information.
  5. For security-sensitive systems always run Apache in a chroot environment. If Apache is started chroot-ed it cannot access any part of the operating system directory structure outside of the chroot. This is often critical in preventing exploits. For example, an exploit may call a shell, and since /bin/sh likely does not (and should not) reside in the chroot, it would be ineffective.
    As there are numerous methods of chrooting, the software documentation should be consulted for assistance. Additional information can be found below.
  6. Efficient and thorough logging is essential to effectively track down any potential security problems or unexplained behavior you may be experiencing with your web server. It is a good practice to routinely rotate logs and keep older logs archived. This will make the log size more manageable and easier to parse through if necessary.
    Various information regarding log formats and rotation are available here:

    In many scenarios the content of these logs may not be sufficient. Especially if you're using PHP, CGI or other scripting, it is a good idea to log GET and POST payloads. This can yield important data and evidence in the event of a security compromise. Logging of GET and POST payloads can be implemented via mod_security.

  7. PHP, CGI, SSI and other scripting.
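Several of the steps above (limit revealed information, never run as root, load only needed modules, log payloads via mod_security) correspond to httpd.conf directives and can be audited mechanically. The following is an added example, not code from the page or the Apache project; the directive names are real Apache directives, the module identifiers `security_module` and `security2_module` are those used by mod_security 1.x and 2.x, and the configuration it audits is a constructed sample.

```python
"""Audit an httpd.conf for the hardening steps above.

Added example, not from the page or the Apache project. The sample
configuration is constructed; the directive names are real.
"""

# Constructed sample of a poorly hardened server; not a real configuration.
SAMPLE_HTTPD_CONF = """\
# constructed sample, not a real server configuration
ServerTokens Full
ServerSignature On
User root
Group root
LoadModule ssl_module modules/mod_ssl.so
LoadModule status_module modules/mod_status.so
LoadModule security2_module modules/mod_security2.so
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
"""

# directive -> (accepted values, reason from the steps above)
REQUIRED_EXACT = {
    "ServerTokens": ({"Prod", "ProductOnly"}, "step 4: limit revealed server information"),
    "ServerSignature": ({"Off"}, "step 4: no version banner on error pages"),
}
PRIVILEGED_IDS = {"root", "0"}
# LoadModule identifiers used by mod_security 1.x and 2.x respectively
MODSECURITY_MODULES = {"security_module", "security2_module"}


def parse_directives(text):
    """[(directive, value)] for every directive, comments and <...> section tags removed."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        out.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return out


def audit_httpd_conf(text):
    """Return (findings, loaded_modules); the module list is for the step 2 review."""
    seen = {}
    for name, value in parse_directives(text):
        seen.setdefault(name, []).append(value)
    findings = []
    for name, (ok_values, why) in REQUIRED_EXACT.items():
        values = seen.get(name, [])
        if not values:
            findings.append(f"{name} not set ({why}); set it explicitly")
        elif values[-1] not in ok_values:  # Apache uses the last occurrence
            findings.append(f"{name} {values[-1]} ({why}); use {sorted(ok_values)[0]}")
    for name in ("User", "Group"):
        for v in seen.get(name, []):
            if v in PRIVILEGED_IDS:
                findings.append(f"{name} {v} (step 3: never run Apache as root)")
    modules = [v.split()[0] for v in seen.get("LoadModule", []) if v]
    if not MODSECURITY_MODULES & set(modules):
        findings.append("mod_security not loaded (step 6: GET/POST payload logging)")
    return findings, modules


if __name__ == "__main__":
    findings, modules = audit_httpd_conf(SAMPLE_HTTPD_CONF)
    for f in findings:
        print("FINDING:", f)
    print("loaded modules to review for step 2:", ", ".join(modules))
```

Only the top-level file is read; Include directives are not followed, so on a real server concatenate the included files first or run the audit on each of them.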

General Unix Authentication Accounts
with No Passwords or Weak Passwords

This is mostly an internal vulnerability, as for security-sensitive systems you should never be able to authenticate to an internal system from the Internet, only from a private VPN. It is an external vulnerability for ISPs and small companies that do not use a VPN for this purpose. In that case a one-time password system or security token should be used to avoid cracking of the password database; see the recent Yahoo hack for details: Yahoo discloses hack of 1 billion accounts.

Google provides two-factor authentication, which as we now know Podesta did not use, leading to huge embarrassment when his emails were stolen through a simplistic phishing scheme (he proved to be a completely incompetent idiot as far as computer security goes, as did most of Hillary Clinton's entourage; he was too lazy to use the two-factor authentication that Google provides):

Signing in to your account will work a little differently

  1. You'll enter your password. Whenever you sign in to Google, you'll enter your password as usual.
  2. You'll be asked for something else. Then, a code will be sent to your phone via text, voice call, or our mobile app. Or, if you have a Security Key, you can insert it into your computer's USB port.

Passwords, passphrases and/or security codes are used in virtually every interaction between users and information systems. The most simplistic (one-factor) authentication, as well as file and data protection, rely heavily on user or vendor supplied passwords. In addition, since properly authenticated access is often not logged, or if logged not likely to arouse suspicion, a compromised password is an opportunity to explore a system virtually undetected. An attacker in possession of a valid user password would have complete access to any resources available to that user, and would be significantly closer to being able to access other accounts, nearby machines, and perhaps even obtain root level access on this system. Despite this threat, user and administrator level accounts with poor or non-existent passwords are still very common. As well, organizations with a well-developed and enforced password policy are still uncommon.

The most common password vulnerabilities are:

The best defense against all of these vulnerabilities is a strong authentication policy that includes usage of SecurID or smartcards. We also need to create detailed instructions for users on strong password creation; explicit rules for users to ensure their passwords remain secure; a process for IT staff to promptly replace weak, insecure, default or widely known passwords and to promptly lock down inactive or close unused accounts; and a proactive and regular process of checking all passwords for strength and complexity.

Operating Systems Affected
Any operating system or application on any platform where users authenticate via a user ID and password. On Linux you should require the MD5 algorithm for hashing passwords; this is somewhat more secure than the older crypt algorithm.

CVE/CAN Entries
CVE-1999-0502


How to Protect Against It
The best and most appropriate defense against password weaknesses is a strong policy which provides detailed instructions to engender good user password habits and also entails regular proactive checking of password integrity by system administrators with complete support from the organization. The following steps should be used as guidelines for a good password policy:

  1. Assure that passwords are consistently strong. Given enough hardware resources and enough time, any password can be cracked using brute force guessing. Password crackers that are employed by attackers use what are known as dictionary-style attacks. Since common password encryption methods are widely known, the cracking utilities simply compare the encrypted form of a target password against the encrypted forms of all dictionary words (in many languages), along with proper names, and various common permutations of both. Therefore a password that in any way resembles a word (or words in almost any documented language) is highly susceptible to a dictionary attack. Many organizations instruct users to generate passwords by including combinations of alphanumeric and special characters, and users more often than not adhere by taking a word (e.g., password) and converting letters to numbers or special characters (e.g., pa$$w0rd). Such permutations cannot protect against a dictionary attack: pa$$w0rd is as likely to be cracked as password.

    A good password therefore cannot have a word or proper name as its root. A strong password policy should direct users to generate passwords from something more random, like a phrase or a longer title of a book or song. By concatenating a longer phrase into a string (i.e., taking the first letter of each word in the phrase (preferably in mixed case), or substituting a special character for a word in the initial phrase, and/or replacing all the vowels in that concatenated phrase with various special characters, etc.), users can generate sufficiently long password strings which combine alphanumeric and special characters in a way that dictionary attacks will have greater difficulty cracking. And if the initial phrase is easy to remember, then the resulting password string should be as well.

    Once users are given the proper instructions for generating good passwords, detailed procedures should be put in place to assure that these instructions are followed. The best way to do this is by validating the password whenever the user changes it. Most flavors of UNIX/LINUX can use Npasswd as a front-end to check entered passwords against your password policy. PAM-enabled systems can also be extended to include cracklib (the libraries which accompany Crack) to check passwords as they are generated. Most new PAM-enabled systems can also be setup to refuse bad passwords that do not meet certain guidelines.

    However, if passwords cannot be verified against dictionary libraries when they are entered using tools such as Npasswd or PAM-enabled libraries, then cracking utilities should be run by the system administrator in a stand-alone mode as part of a regular proactive procedure. Tools like those used by potential attackers are generally the best choice. On a UNIX/LINUX-based platform, that would include Crack and John the Ripper.

    Please Note: Never run a password scanner, even on systems for which you have root-like access, without explicit and preferably written permission from your employer/organization. Administrators with the most benevolent of intentions have been fired for running password cracking tools without the authority to do so. This authority should be in the form of a written letter that forms part of the organization's strong password policy and allows for regular scheduled password checks.

    Once you have acquired authority to run cracking utilities on your system, do so regularly on a physically protected and secure machine. The tools on the machine should not be openly accessible to anyone but the authorized system administrator. Users whose passwords are cracked should be notified confidentially and given instructions on how to choose a better password. As part of the organization's password policy, both administrators and management should develop these notification procedures together, so that management can provide guidance and/or assistance when users do not respond to these notifications.

    Other possible options to protect against nonexistent or weak passwords and/or to maintain password policy procedures are (a) to use an alternative form of authentication such as password-generating tokens or biometrics. These are effective if you are having trouble with weak passwords and can be used as an alternative means of authenticating users. It should be noted that some password-generating tokens need procedures in place to ensure they are not openly accessible to unauthorized users and if stolen they are promptly denied from the system. Biometrics is a developing area and depending on the type of authentication (e.g., fingerprints versus facial recognition), some of the technology has not been perfected and errors in authentication may be common. (b) There are many comprehensive third party tools (free and commercial) available to help manage good password policy.

  2. Protect Strong Passwords. If you store password hashes in /etc/passwd, update your system to use /etc/shadow. If your system runs NIS or LDAP in such a way that hashes cannot be protected, anyone (even non-authenticated users) can read your password hashes and attempt cracking. You should look for more secure alternatives to the NIS and LDAP version you are running. Until those insecure applications can be secured or replaced, you should enforce proper permissions and run proactive cracking as a regular procedure against those applications as well. Consider using the MD5 algorithm to hash your passwords instead of crypt.

    However, even if passwords themselves are strong, accounts can be compromised if users do not protect their passwords. A good password policy should include detailed procedures requiring that a user never tell his or her password to anyone else, never write a password down where it could be read by others, properly secure any files in which a password is stored for automated authentication, and promptly notify the system administrator if a password is known to be stolen or known by others. Password aging should be enforced so that any passwords which slip through these rules are only vulnerable for a short window of time, and old passwords should not be reused. Administrators should make sure that users are given warning of a pending password change and several chances to change their password before it expires. When faced with the message "Your password has expired and must be changed", users will tend to pick a bad password.

  3. Tightly Control Accounts. Any service-based or administrative accounts not in use should be disabled or if possible removed completely. Any service-based or administrative accounts which are used should be given new and strong passwords as soon as the service or account is installed or activated. Configure new user accounts with randomly-generated initial passwords, and force users to change them when they first log in. Audit the accounts on your systems on a regular and proactive basis, and maintain a master list of all of these accounts detailing the service requiring the account and the intended need. Develop stringent procedures for adding/removing authorized accounts to/from the list. Have rigid procedures for removing accounts when employees or contractors leave or when the accounts are no longer required. Validate the master list on a regular scheduled basis to make sure no new accounts have been added and that unused accounts have been removed. In addition, do not forget to check the accounts and passwords on supporting systems like routers, switches, and Internet-connected digital printers, copiers and printer controllers.
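Two of the points above lend themselves to a worked check: step 1's observation that pa$$w0rd is no stronger than password (a cracker undoes the substitutions before comparing), and step 2's requirement that hashes live in /etc/shadow and use MD5 rather than traditional crypt. The following is an added example, not code from the page, Npasswd, cracklib or Crack; the dictionary, the minimum length of 10 and the passwd/shadow extracts are constructed assumptions, not values the text specifies.

```python
"""Password-policy check and passwd/shadow audit for steps 1 and 2 above.

Added example, not from the page or from any of the tools it names. The
word list, the length limit and the account files are constructed.
"""
import re

# Reverse map of the substitutions users typically apply (pa$$w0rd -> password).
_UNLEET = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e",
                         "4": "a", "5": "s", "7": "t", "!": "i"})

# Constructed stand-in for a cracker's word list; a real one holds millions of entries.
DICTIONARY = {"password", "secret", "welcome", "summer", "letmein", "dragon", "company"}


def normalize(candidate):
    """Lower-case, undo substitutions, drop non-letters: 'Pa$$w0rd' -> 'password'."""
    return re.sub(r"[^a-z]", "", candidate.lower().translate(_UNLEET))


def check_password(candidate, min_len=10):
    """Policy violations for a candidate (empty list = accepted). min_len is an assumed value."""
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    root = normalize(candidate)
    if root in DICTIONARY:
        problems.append(f"dictionary word after undoing substitutions: {root!r}")
    else:
        # A word padded with digits or symbols (password123) is just as weak.
        for word in sorted(DICTIONARY):
            if len(word) >= 5 and word in root:
                problems.append(f"contains dictionary word {word!r}")
                break
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


# Constructed /etc/passwd and /etc/shadow extracts; the hashes are filler, not real.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
legacy:ab9mTZnq1x.Xs:1001:1001::/home/legacy:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
alice:x:1003:1003::/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$saltsalt$abcdefghijklmnopqrstuv:12000:0:99999:7:::
alice:xy8Ub1/vBcd2E:12000:0:99999:7:::
"""


def audit_accounts(passwd_text, shadow_text):
    """Flag hashes left in /etc/passwd, empty passwords and traditional crypt hashes (step 2)."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line.strip():
            name, hash_ = line.split(":")[:2]
            shadow[name] = hash_
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, field = line.split(":")[:2]
        if field == "":
            findings.append((name, "empty password field in /etc/passwd: login needs no password"))
            continue
        if field == "x":
            hash_ = shadow.get(name)
            if hash_ is None:
                findings.append((name, "no /etc/shadow entry"))
                continue
        else:
            hash_ = field
            findings.append((name, "hash kept in world-readable /etc/passwd; move it to /etc/shadow"))
        if hash_ == "":
            findings.append((name, "empty password field in /etc/shadow"))
        elif hash_[0] in "*!":
            continue  # locked account
        elif hash_.startswith("$"):
            continue  # modular-crypt hash: $1$ is MD5 (recommended above); $5$/$6$ are newer SHA forms
        elif len(hash_) == 13:
            findings.append((name, "traditional crypt hash (8-character limit); rehash with MD5"))
    return findings


if __name__ == "__main__":
    for pw in ("Pa$$w0rd", "password123", "tQbfJotLd2!"):
        print(repr(pw), "->", check_password(pw) or "accepted")
    for name, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name}: {finding}")
```

The accepted candidate `tQbfJotLd2!` is built the way step 1 describes, from the first letters of a phrase with one word swapped for a digit and a symbol; after normalization it is not a word, so a dictionary pass finds nothing to match.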


Clear Text Services

Many network services utilized by UNIX systems are clear-text (also known as "plain text"). That means that there is no encryption used by those services. Lack of encryption allows everybody who is observing network traffic ("sniffing") to gain access to either communication contents and/or authentication credentials.

For example, to steal the FTP or telnet login information, an attacker needs to place a network sniffer somewhere along the connection path, such as on the FTP server LAN or on the client LAN. The transmission of information between R-command clients and R-services in plain-text permits data or keystrokes to be intercepted as well. Attackers have often deployed sniffers in recent security incidents and often on compromised machines. Finding usernames and passwords in sniffed data is very easy.

Here is a summary table of most common UNIX network services which are transmitted in clear text.

Service   Port     Clear Content   Clear Auth   What is transferred

FTP       21,20    y               y            Text, binary
TFTP      69       y               N/A          Text, binary
telnet    23       y               y            Text
SMTP      25       y               N/A          Text, binary
POP3      110      y               y            Text, binary
IMAP      143      y               y            Text, binary
rlogin    513      y               y            Text
rsh       514      y               y            Text
HTTP      80       y               y            Text, binary

Services such as telnet and FTP, where both contents and authentication credentials are transmitted in clear text, present the highest risk, since an attacker will be able to reuse the credentials and access the system at their leisure. Additionally, command sessions run in clear text may also be hijacked and used by the attacker to run commands without authentication.

Here is the risk summary from clear text services:

Activity possible         Risk

Sniffing the username     Simplifies brute-forcing attacks
Sniffing the password     Gives remote access
Sniffing FTP content      File stealing
Session hijacking         Run commands on a target system
HTTP session sniffing     Discloses web authentication credentials


The Operating Systems Affected
All UNIX flavors contain clear-text services (telnet and FTP being the most common). All UNIX/Linux flavors with the possible exception of the latest editions of Free/OpenBSD ship with some of the services enabled by default.

CVE/CAN Entries
CVE-2000-0087

CAN-2002-0322, CAN-2000-0086

How to Determine if you are Vulnerable
The most effective and reliable way to determine whether clear text services are in use is to use a sniffer tool similar to those used by attackers.

The most commonly used sniffer is "tcpdump". Run it as:

# tcpdump -X -s 1600

to detect any clear text communication. "Tcpdump" may be obtained at http://www.tcpdump.org.

Another such tool is "ngrep" which allows one to look for specific patterns in network communication, such as "sername" or "assword" (the first letters are removed to accommodate for possible capitalization). Run the tool as:

# ngrep assword

"Ngrep" may be obtained at http://www.packetfactory.net/projects/ngrep/.

There are also more sophisticated tools specifically designed to detect authentication credentials on the network. "Dsniff" is the most popular tool of that sort. Simply running:

# /usr/sbin/dsniff

will make the tool detect and print all username-password pairs seen on the network in a large number of plain text protocols, such as FTP, telnet or POP3. Dsniff may be obtained at http://www.monkey.org/~dugsong/dsniff/.
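What the tools above do on a live network can be illustrated offline: classify each captured connection against the clear-text table, note whether a login crossed the wire, and name the encrypted replacement from the protection section. The following is an added example, not code from the page, ngrep or dsniff; it does not capture traffic itself, the client-to-server payloads are constructed (addresses from the 192.0.2.0/24 documentation range, invented account), and it masks any password it recognizes rather than printing it.

```python
"""Classify captured connections against the clear-text table and flag logins.

Added example, not from the page or the tools it names. The capture below
is constructed; no traffic was recorded. Passwords are masked in the output.
"""
import base64
import re

# (service, clear content, clear auth) by port, from the table above.
CLEAR_TEXT_PORTS = {
    21: ("FTP", True, True), 20: ("FTP-data", True, False), 69: ("TFTP", True, False),
    23: ("telnet", True, True), 25: ("SMTP", True, False), 110: ("POP3", True, True),
    143: ("IMAP", True, True), 513: ("rlogin", True, True), 514: ("rsh", True, True),
    80: ("HTTP", True, True),
}
# Encrypted replacements named in the protection section (SSH, POP3S, HTTPS, tunnels).
REPLACEMENT = {21: "SFTP/SCP over SSH", 23: "SSH", 513: "SSH", 514: "SSH",
               110: "POP3S or an SSH tunnel", 143: "IMAPS or an SSH tunnel", 80: "HTTPS"}

# Constructed client-to-server payloads; no real hosts or accounts.
CAPTURE = [
    {"dst": "192.0.2.10", "port": 21, "data": b"USER jdoe\r\nPASS hunter2\r\nLIST\r\n"},
    {"dst": "192.0.2.11", "port": 110, "data": b"USER jdoe\r\nPASS hunter2\r\nSTAT\r\n"},
    {"dst": "192.0.2.12", "port": 80,
     "data": b"GET /admin HTTP/1.0\r\nAuthorization: Basic amRvZTpodW50ZXIy\r\n\r\n"},
    {"dst": "192.0.2.13", "port": 143, "data": b"a001 LOGIN jdoe hunter2\r\n"},
    {"dst": "192.0.2.14", "port": 22, "data": b"SSH-2.0-OpenSSH\r\n"},
    {"dst": "192.0.2.15", "port": 23, "data": b"\xff\xfd\x18jdoe\r\n"},
]


def mask(secret):
    """Keep the first character only, so a report never reproduces the password."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def extract_credentials(port, data):
    """(user, masked_password) if the payload carries a clear-text login, else None."""
    text = data.decode("latin-1")
    if port in (21, 110):  # FTP and POP3 share the USER/PASS command form
        user = re.search(r"^USER (\S+)", text, re.M)
        pw = re.search(r"^PASS (\S+)", text, re.M)
        if user:
            return user.group(1), mask(pw.group(1)) if pw else ""
    elif port == 143:  # IMAP: "<tag> LOGIN user password"
        m = re.search(r"^\S+ LOGIN (\S+) (\S+)", text, re.M)
        if m:
            return m.group(1), mask(m.group(2))
    elif port == 80:  # HTTP Basic: base64("user:password")
        m = re.search(r"^Authorization: Basic (\S+)", text, re.M | re.I)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
            except ValueError:  # malformed base64 (binascii.Error is a ValueError)
                return None
            user, _, pw = decoded.partition(":")
            return user, mask(pw)
    return None  # telnet sends keystrokes one at a time; not reconstructed here


def report(capture):
    """One finding per connection to a clear-text service; encrypted services are skipped."""
    findings = []
    for c in capture:
        info = CLEAR_TEXT_PORTS.get(c["port"])
        if info is None:
            continue
        service, clear_content, clear_auth = info
        findings.append({
            "dst": c["dst"], "service": service, "clear_auth": clear_auth,
            "credential": extract_credentials(c["port"], c["data"]),
            "replace_with": REPLACEMENT.get(c["port"], "an SSH or stunnel tunnel"),
        })
    return findings


if __name__ == "__main__":
    for f in report(CAPTURE):
        cred = f"login seen for {f['credential'][0]} ({f['credential'][1]})" if f["credential"] else "no login seen"
        print(f"{f['dst']} {f['service']}: {cred}; replace with {f['replace_with']}")
```

The telnet connection is still reported as a clear-text session even though no login is extracted from it, which mirrors the table: the risk comes from the service being in use, not only from a credential happening to be in the captured fragment.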

How to Protect Against It
Using end-to-end or at least link-level encryption will help. Some protocols have encrypted equivalents such as POP3S and HTTPS. For the protocols which do not have native encryption capabilities, one can tunnel them over SSH (Secure Shell) or SSL connection.

As an example: FTP might be replaced with more secure software solutions such as SFTP or SCP (parts of the Secure Shell software package) and use a web server to distribute files to a wide audience.

The most popular and flexible SSH implementation is OpenSSH (available at http://www.openssh.org). It runs on most UNIX variants and may be used for remote interactive sessions (replaces telnet, rlogin and rsh) and tunneling (of POP3, SMTP, X11 and many other protocols).

Here is how one can tunnel POP3 over an SSH connection. The POP3 server also needs to be running an SSH server. First run this on the client machine:

# ssh -L 110:pop3.mail.server.com:110 username@pop3.mail.server.com

Now point your email client to localhost, TCP port 110 (instead of the usual 'pop3.mail.server.com', port 110). All communication between your machine and the POP3 mail server will be tunneled over SSH and thus encrypted.

Another popular encrypted tunneling solution is "stunnel". It implements SSL protocol (via OpenSSL toolkit) and may be used to tunnel various plain text protocols. Stunnel may be obtained at http://www.stunnel.org/.

Sendmail

Sendmail is the program that sends, receives, and forwards most electronic mail processed on UNIX and Linux systems. Sendmail is the most popular Mail Transfer Agent (MTA) and its widespread use on the Internet has historically made it a prime target of attackers, resulting in numerous exploits over the years.

Most of these exploits are successful only against older or unpatched versions of the software. Despite the fact that the known vulnerabilities are well documented and have been repaired in newer releases, there remain so many outdated or misconfigured versions still in use today that Sendmail remains one of the most frequently attacked services. Among the most recent critical vulnerabilities are:

CERT Advisory CA-2003-12 Buffer Overflow in Sendmail gives the following excellent description of a Sendmail buffer overflow and the danger it poses to network integrity.

This vulnerability is message-oriented as opposed to connection-oriented. That means that the vulnerability is triggered by the contents of a specially-crafted email message rather than by lower-level network traffic. This is important because an MTA that does not contain the vulnerability will pass the malicious message along to other MTAs that may be protected at the network level. In other words, vulnerable sendmail servers on the interior of a network are still at risk, even if the site's border MTA uses software other than sendmail. Also, messages capable of exploiting this vulnerability may pass undetected through many common packet filters or firewalls.

The risks presented by running Sendmail can be grouped into two major categories: privilege escalation caused by buffer overflows, and improper configuration that allows your machine to be a relay for electronic mail from any other machine. The former is a problem on any system still running older or unpatched versions of the software. The latter results from using either improper or default configuration files, and is a chief obstacle to fighting the proliferation of spam.

Operating Systems Affected
Nearly all UNIX and Linux systems come with a version of Sendmail installed that is enabled and running by default.

CVE/CAN Entries
CVE-1999-0047, CVE-1999-0095, CVE-1999-0096, CVE-1999-0129, CVE-1999-0131,
CVE-1999-0203, CVE-1999-0204, CVE-1999-0206, CVE-1999-1109, CVE-2000-0319,
CVE-2001-0653, CVE-2001-1349, CVE-2002-0906

CAN-1999-0098, CAN-1999-0163, CAN-2001-0713, CAN-2001-0714, CAN-2001-0715,
CAN-2002-1165, CAN-2002-1278, CAN-2002-1337, CAN-2003-0161, CAN-2003-0285

How to Determine if you are Vulnerable
Sendmail has had a large number of vulnerabilities in the past. Do not always trust the version string returned by the daemon as that is just read from a text file on the system that may not have been updated properly.

Any outdated or unpatched version of the software is likely to be vulnerable.

To determine the version of Sendmail, use the following command:

echo \$Z | /usr/lib/sendmail -bt -d0

Depending on your system, the path to Sendmail may be different and you have to modify the above command accordingly to point to the right path.

To determine whether the version you are running is current, check the current release of Sendmail version at:
http://www.sendmail.org/current-release.html

How to Protect Against It
The following steps should be taken to protect Sendmail:

  1. Upgrade to the latest version and/or implement patches. The source code can be found at http://www.sendmail.org/. If your version of Sendmail came packaged with your operating system, patches should be available at your operating system vendor's website (various vendor-specific information, including compile-time and configuration suggestions, is also available at http://www.sendmail.org).
  2. Sendmail is typically enabled by default on most UNIX and Linux systems, even those which are not acting as mail servers or mail relays. Do not run Sendmail in daemon mode (turn off the "-bd" switch) on these machines. You can still send email from this system by configuring it to point to a mail relay in the sendmail configuration file, sendmail.cf (which is typically located at /etc/mail/sendmail.cf).
  3. If you must run Sendmail in daemon mode, ensure that your configuration is designed to relay mail appropriately and only for systems under your purview. See http://www.sendmail.org/tips/relaying.html and http://www.sendmail.org/m4/anti_spam.html for assistance in properly configuring your server. Starting with Sendmail 8.9.0, open relaying was disabled by default.
  4. When you change to a new version of Sendmail, it is also recommended to change the configuration files that are provided with that version as older configurations may still allow relaying even when running the newest code. It is now possible to build a Sendmail configuration file (sendmail.cf) using the configuration files provided with the Sendmail release. Additional details on Sendmail configuration can be obtained at http://www.sendmail.org/m4/readme.html.
  5. When you download the Sendmail distribution you must verify the PGP signature to ensure it is an authentic copy. Do not use Sendmail without verifying the integrity of the source code. Trojan copies of Sendmail have existed in the past. Please read the CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution to learn more. Keys used to sign Sendmail distributions can be obtained at http://www.sendmail.org/ftp/PGPKEYS. In the absence of PGP, you should use the MD5 checksums to verify the integrity of the Sendmail source code distribution.
  6. Additional information on how to configure and run Sendmail in a more secure manner can be obtained at:
    http://www.sendmail.org/secure-install.html
    http://www.sendmail.org/m4/security_notes.html
    http://www.sendmail.org/~gshapiro/security.pdf

Simple Network Management Protocol (SNMP)

The Simple Network Management Protocol (SNMP) is used extensively to remotely monitor and configure almost all types of modern TCP/IP-enabled devices. While SNMP is rather ubiquitous in its distribution across networking platforms, it is most often used as a method to configure and manage devices such as printers, routers, switches, access points, and to provide input for network monitoring services. Simple Network Management communication consists of different types of exchanged messages between SNMP management stations and network devices which run what is commonly referred to as agent software. The method by which these messages are handled and the authentication mechanism behind such message handling both have significant exploitable vulnerabilities.

The vulnerabilities behind the method by which SNMP version 1 handles and traps messages are outlined in detail in CERT Advisory CA-2002-03. There exists a set of vulnerabilities in the way trap and request messages are handled and decoded by management stations and agents alike. These vulnerabilities are not restricted to any specific implementation of SNMP but instead affect a variety of vendors' SNMP distributions. The result of attackers exploiting these vulnerabilities may range anywhere from denial of service to unwanted configuration and management of your SNMP-enabled machinery.

The authentication mechanism of older SNMP frameworks also poses a significant vulnerability. SNMP versions 1 and 2 use an unencrypted "community string" as their only authentication mechanism. Lack of encryption is bad enough, but the default community string used by the vast majority of SNMP devices is "public," with a few supposedly clever network equipment vendors changing the string to "private" for more sensitive information. Attackers can use this vulnerability in SNMP to reconfigure or shut down devices remotely. Sniffed SNMP traffic can reveal a great deal about the structure of your network as well as the systems and devices attached to it. Intruders use such information to pick targets and plan attacks.

Most vendors enable SNMP version 1 by default, and many do not offer products capable of using SNMP version 3's security models which can be configured to use improved authentication methods. However, there are freely-available replacements which do provide SNMPv3 support under GPL or BSD licenses.

SNMP is not unique to UNIX; it is extensively used on Windows, in networking equipment, wireless access points and bridges, printers and embedded devices. But the majority of SNMP-related attacks seen thus far have occurred on UNIX systems with poor SNMP configurations.

Operating Systems Affected
Nearly all UNIX and Linux systems come with SNMP installed, and often by default it is enabled. Most other SNMP-enabled network devices and operating systems are also vulnerable.

CVE/CAN Entries
CVE-2001-0236, CVE-2002-0797

CAN-1999-0186, CAN-1999-0254, CAN-1999-0516, CAN-1999-0517, CAN-1999-0615,
CAN-2002-0012, CAN-2002-0013, CAN-2002-0796

How to Determine if you are Vulnerable
You can verify whether SNMP is running on network-connected devices by running a scanner or checking manually.
SNMPing - You can obtain the free SNMPing scanning tool from the SANS Institute by emailing a blank mail message to snmptool@sans.org. You will get a return message with the URL where you can download the tool.
SNScan - Foundstone created another easy-to-use SNMP scanning tool called SNScan, which can be obtained at http://www.foundstone.com/knowledge/free_tools.html.

If you cannot use any of the above tools, you should manually verify if SNMP is running on your systems. Refer to your operating system documentation on how to specifically identify its particular SNMP implementation, but the basic daemon can usually be identified by grepping for "snmp" in the process list or by looking for services running on ports 161 or 162.

A running SNMP instance is probably sufficient evidence that you are vulnerable to pervasive trap and request handling errors. Please see CERT Advisory CA-2002-03 for additional information.

If SNMP is running and any of these additional variables are met, you may have a default or easily guessable string-related vulnerability:

  1. Blank or default SNMP community names.
  2. Guessable SNMP community names.
  3. Hidden SNMP community strings.

Please see http://www.sans.org/resources/idfaq/snmp.php for information on how to identify the presence of those conditions.

How to Protect Against It
Trap and Request Handling Vulnerabilities:

  1. If you do not absolutely require SNMP, disable it.
  2. Wherever possible, employ an SNMPv3 user-based security model with message authentication and possibly encryption of the protocol data unit.
  3. If you must use SNMPv1 or v2, make sure you are running the latest patched version from your vendor. A good starting point in obtaining vendor specific information is Appendix A of CERT Advisory CA-2002-03.
  4. Filter SNMP (port 161 TCP/UDP and 162 TCP/UDP) at the ingress points to your networks unless it is absolutely necessary to poll or manage devices externally.
  5. Employ host-based access control on your SNMP agent systems. While this capability may be limited by SNMP agent operating system capabilities, control of what systems your agents will accept requests from may be possible. On most UNIX systems this can be accomplished through a TCP-Wrappers or Xinetd configuration. An agent-based packet filtering firewall on the host can also be used to block unwanted SNMP requests.

Default and Guessable String-Related Vulnerabilities:

  1. If you do not absolutely require SNMP, disable it.
  2. Wherever possible, employ an SNMPv3 user-based security model with message authentication and possibly encryption of the protocol data unit.
  3. If you must use SNMPv1 or v2, use the same policy for community names as used for passwords. Make sure they are difficult to guess or crack and they are changed periodically.
  4. Validate and check community names using snmpwalk. Additional information can be found at http://www.zend.com/manual/function.snmpwalk.php. A good tutorial on this tool can be found at http://www.sans.org/resources/idfaq/snmp.php.
  5. Filter SNMP (port 161 TCP/UDP and 162 TCP/UDP) at the ingress points to your networks unless it is absolutely necessary to poll or manage devices externally. Then, if possible, configure filtering to only permit SNMP traffic between trusted subnets.
  6. Where possible make MIBs read-only. Additional information can be found at http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm#xtocid210315.
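
The two checklists above (blank, default or guessable community names; filtering and read-only access) can be turned into a repeatable audit. The script below is an added example, not part of the SANS text: it assumes net-snmp's snmpd.conf directives (rocommunity, rwcommunity, com2sec), and every sample configuration and netstat excerpt in it is constructed for the demonstration. The snmp_ports_open function covers the "ports 161 or 162" check from the detection section, and the hardened sample shows a community restricted to an assumed management subnet and to the MIB-2 subtree.

```shell
#!/bin/sh
# Added example, not part of the SANS text: audit an snmpd.conf for the
# default/guessable community string conditions listed above, and spot an
# agent listening on 161/162 in a netstat-style listing.
# Assumptions: net-snmp's snmpd.conf directives (rocommunity, rwcommunity,
# com2sec); all sample input below is constructed for this demonstration.

# Community names that ship as defaults on many agents (assumed starting list).
DEFAULT_COMMUNITIES="public private"

# snmp_findings: reads an snmpd.conf on stdin, prints one finding per line.
snmp_findings() {
    sed 's/#.*//' | awk -v defaults="$DEFAULT_COMMUNITIES" '
        BEGIN { n = split(defaults, d, " "); for (i = 1; i <= n; i++) weak[d[i]] = 1 }

        # rocommunity COMMUNITY [SOURCE [OID]]  and  rwcommunity COMMUNITY [SOURCE [OID]]
        $1 == "rocommunity" || $1 == "rwcommunity" { comm = $2; src = $3; check($1) }

        # com2sec SECNAME SOURCE COMMUNITY
        $1 == "com2sec" { comm = $4; src = $3; check($1) }

        function check(kind) {
            if (comm == "")
                print kind ": blank community name"
            else if (comm in weak)
                print kind ": default community name \"" comm "\""
            else if (length(comm) < 8)
                print kind ": short community name \"" comm "\" (" length(comm) " chars)"
            # an empty or "default" source means requests are accepted from anywhere
            if (src == "" || src == "default")
                print kind ": community \"" comm "\" accepts requests from any address"
            if (kind == "rwcommunity")
                print kind ": write access granted to \"" comm "\" (prefer read-only)"
        }
    '
}

# snmp_finding_count: same input as snmp_findings, prints the number of findings.
snmp_finding_count() {
    snmp_findings | awk 'END { print NR }'
}

# snmp_ports_open: reads a "netstat -an" style listing on stdin and prints
# each socket bound to the SNMP ports (161 = requests, 162 = traps).
snmp_ports_open() {
    awk '$1 ~ /^(tcp|udp)/ { n = split($4, a, ":"); p = a[n]; if (p == 161 || p == 162) print $1, p }'
}

# Constructed sample 1: the weak defaults many packages ship with.
WEAK_SNMPD_CONF='rocommunity public
rwcommunity private'

# Constructed sample 2: long random name, read-only, limited to an assumed
# management subnet (10.20.1.0/24) and to the MIB-2 subtree.
HARDENED_SNMPD_CONF='rocommunity Kz7q3vRm2pLx9wTe 10.20.1.0/24 .1.3.6.1.2.1'

# Constructed "netstat -an" excerpt from a host running snmpd and snmptrapd.
SAMPLE_NETSTAT='udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 0.0.0.0:162             0.0.0.0:*
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Demo run.  On a real host: snmp_findings < /etc/snmp/snmpd.conf
#                            netstat -an | snmp_ports_open
echo "weak configuration:"
printf '%s\n' "$WEAK_SNMPD_CONF" | snmp_findings
echo "hardened configuration: $(printf '%s\n' "$HARDENED_SNMPD_CONF" | snmp_finding_count) finding(s)"
echo "SNMP sockets:"
printf '%s\n' "$SAMPLE_NETSTAT" | snmp_ports_open
```

The weak sample produces five findings (two default names, two unrestricted sources, one writable community); the hardened one produces none. A community name that passes this audit still travels in clear text under SNMPv1/v2c, which is why item 2 above prefers SNMPv3.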

Secure Shell (SSH)

Description
Secure shell (SSH) is a popular service for securing logins, command execution, and file transfers across a network. Most UNIX-based systems use either the open-source OpenSSH package or the commercial version from SSH Communication Security. Although SSH is vastly more secure than the telnet, ftp, and R-command programs it is intended to replace, there have been multiple flaws found in both implementations. Most are minor bugs, but a few are major security issues that should be repaired immediately. The most dangerous of these actively exploited holes allows attackers to remotely obtain root access on a vulnerable machine.

It should also be noted that there is a growing use of SSH clients and servers in the Windows environment and that most of the information in this section applies to both the *nix and Windows implementations of SSH.

While SSH is presented here as one of the Top 20 vulnerabilities, it is more the case that the mismanagement of SSH, specifically misconfiguration and the failure to apply updates and patches in a timely manner, account for its inclusion in this list.

SSH2 is actually a powerful tool that, when properly configured and maintained, can help remediate many of the other top 20 vulnerabilities, specifically those that send material in clear text across untrusted networks like the Internet. Many of the vulnerabilities found in protocols such as POP3, FTP (replace with SSH2's SFTP), Telnet, HTTP, and the rhosts-based tools (rlogin, rcp, and rsh) involve eavesdropping on clear-text transmissions or manipulating client-server sessions. This makes the encryption and authentication key management provided by SSH2, along with its ability to forward or redirect sessions, an attractive VPN-type wrapper for otherwise vulnerable traffic.

The SSH1 protocol itself has been demonstrated to be potentially vulnerable to having a session decrypted in transit given certain configurations. For this reason, administrators are encouraged to use the stronger SSH2 protocol whenever possible.

Note: SSH1 and SSH2 are not compatible. With only a few exceptions, the version of SSH on both the client and the server must match.

In addition, users of OpenSSH should note that the OpenSSL libraries against which OpenSSH is typically built have software vulnerabilities of their own. Please see CERT Advisory CA-2002-23 for more details. They should also be aware that a trojan-horse version of OpenSSH was being distributed for a short time in the summer of 2002 (CAN-1999-0661). Please see http://www.openssh.org/txt/trojan.adv for details about ensuring that your version is not affected.

Operating Systems Affected
Any UNIX or Linux system running OpenSSH 3.3 or earlier (version 3.6.1 was released on April 1, 2003), or SSH Communication Security's SSH 3.0.0 or earlier (3.2.5 was released on June 30, 2003).

CVE/CAN Entries
For SSH from SSH Communications Security:
CVE-2000-0217, CVE-2000-0575, CVE-2000-0992, CVE-2001-0259, CVE-2001-0361,
CAN-2001-0471, CVE-2001-0553

For SSH from OpenSSH:
CVE-2000-0525, CVE-2000-1169, CVE-2001-0060, CVE-2001-0144, CVE-2001-0361,
CVE-2001-0872, CVE-2002-0002, CVE-2002-0083

CAN-2001-1380, CAN-2002-0575, CAN-2002-0639, CAN-2002-0640, CAN-2002-0765,
CAN-2003-0386

Multiple implementations of SSH:
CAN-2002-1357, CAN-2002-1358, CAN-2002-1359, CAN-2002-1360

How to Determine if you are Vulnerable
Use a vulnerability scanner to see whether you are running a vulnerable version, or check the software version reported by running the command 'ssh -V'.

The ScanSSH tool is particularly useful for remotely identifying SSH servers that are dangerously unpatched. The ScanSSH command-line tool scans a list of addresses and networks for SSH protocol servers and reports their version numbers. Written by Niels Provos and released under the BSD license, the latest version was released on 2001-11-30 and is available at http://www.monkey.org/~provos/scanssh/.

How to Protect Against It

  1. Upgrade to the most recent version of either OpenSSH or SSH, or, if SSH or OpenSSH came installed with your operating system, retrieve the latest patches from your operating system vendor. If you use OpenSSL, be sure to use the latest version of those libraries.
  2. Where possible, upgrade from SSH1 to SSH2. SSH1 does not appear to be under further development, while SSH2 is in active development. Where migration is not possible, begin developing plans and strategies that will make migration to SSH2 possible.
  3. Both SSH implementations include a variety of configuration options to restrict which machines can connect, which users are allowed to authenticate, and via which mechanisms. Administrators should determine how these options can most appropriately be set for their environment.
  4. Verify that each SSH client is not configured to fall back to the rsh program when connecting to a server that does not support SSH. The FallBackToRsh key should be set to No in the SSH configuration file.
  5. Specify the use of blowfish encryption rather than 3DES, which may be the default in your version. This will provide faster operation without reducing the effective encryption strength.
  6. A host providing SSH services must itself be adequately protected; otherwise, vulnerabilities that allow the host to be compromised put the SSH service at risk.
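
Items 3 and 4 above name the settings but not how to check them across many hosts. The following script is an added example, not part of the SANS text or of OpenSSH: it audits a server (sshd_config) or client (ssh_config) file for Protocol pinned to 2, PermitRootLogin, an AllowUsers/AllowGroups restriction and FallBackToRsh. The keywords are OpenSSH's (FallBackToRsh exists only in clients that still support rsh fallback); every sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of the SANS text: audit an OpenSSH server or client
# configuration for the settings items 3 and 4 above ask for.  The keywords
# (Protocol, PermitRootLogin, AllowUsers, AllowGroups, FallBackToRsh) are
# OpenSSH's; FallBackToRsh only exists in clients that still support rsh
# fallback.  All sample files below are constructed.

# ssh_config_findings MODE: MODE is "server" (sshd_config) or "client"
# (ssh_config); reads the file on stdin and prints one finding per line.
ssh_config_findings() {
    sed 's/#.*//' | awk -v mode="$1" '
        # OpenSSH keywords are case-insensitive; values are compared lower-cased
        { key = tolower($1); val = tolower($2) }

        key == "protocol" {
            proto_seen = 1
            if (val ~ /1/) print "Protocol " $2 ": SSH1 still accepted, set Protocol 2"
        }
        key == "fallbacktorsh" {
            rsh_seen = 1
            if (val != "no") print "FallBackToRsh " $2 ": client may fall back to clear-text rsh"
        }
        key == "permitrootlogin" && val == "yes" {
            print "PermitRootLogin yes: direct root logins permitted"
        }
        key == "allowusers" || key == "allowgroups" { restricted = 1 }

        END {
            if (!proto_seen)
                print "Protocol not set: the default depends on the version, pin it to 2"
            if (mode == "client" && !rsh_seen)
                print "FallBackToRsh not set: set it to no explicitly"
            if (mode == "server" && !restricted)
                print "no AllowUsers/AllowGroups: every account on the host may attempt to log in"
        }
    '
}

# ssh_config_finding_count MODE: prints the number of findings (0 = clean).
ssh_config_finding_count() {
    ssh_config_findings "$1" | awk 'END { print NR }'
}

# Constructed sshd_config samples.
WEAK_SSHD_CONF='Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_SSHD_CONF='Protocol 2
PermitRootLogin no
AllowGroups sshusers'

# Constructed ssh_config (client) samples.
WEAK_SSH_CONF='Protocol 2,1
FallBackToRsh yes'

HARDENED_SSH_CONF='Protocol 2
FallBackToRsh no'

# Demo run.  On a real host: ssh_config_findings server < /etc/ssh/sshd_config
echo "weak sshd_config:";     printf '%s\n' "$WEAK_SSHD_CONF" | ssh_config_findings server
echo "hardened sshd_config:"; printf '%s\n' "$HARDENED_SSHD_CONF" | ssh_config_findings server
echo "weak ssh_config:";      printf '%s\n' "$WEAK_SSH_CONF" | ssh_config_findings client
```

The weak server file yields three findings (SSH1 still enabled, root login allowed, no account restriction); the weak client file yields two. A file that never mentions Protocol is reported as well, because leaving the choice to the version's default is exactly the mismanagement this section blames for SSH's place on the list.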

Misconfiguration of Enterprise Services NIS/NFS

Description

The Network File System (NFS) and Network Information Service (NIS) are two important services used in UNIX networks. NFS is a service originally created by Sun Microsystems that is designed to share files among UNIX systems over a network. NIS is also a set of services that works as a database service to provide location information, called Maps, to other network services such as NFS. The most common examples of these Maps are the passwd and group files which are used to centralize user authentication.

The security problems with both services, represented by the continuous issues discovered over the years (buffer overflows, DoS and weak authentication), made them a frequent target of attack.

Besides the unpatched services that are still widely deployed, the greater risk may come from misconfiguration of NFS and NIS, which easily allows security holes to be exploited and accessed by users locally or remotely.

The lax authentication offered by NIS when querying NIS maps allows users to use applications like ypcat, which displays the values of an NIS database (map), to retrieve the password file. The same kind of problem occurs with NFS, which implicitly trusts the UID (user ID) and GID (group ID) that the NFS client presents to the server; depending on the server configuration, this may allow any user to mount and explore the remote file system.

Operating Systems Affected
Nearly all UNIX and Linux systems come with a version of NFS and NIS installed and often enabled by default.

CVE/CAN Entries
NFS
CVE-1999-0002, CVE-1999-0166, CVE-1999-0167, CVE-1999-0170, CVE-1999-0211,
CVE-1999-0832, CVE-1999-1021, CVE-2000-0344

CAN-1999-0165, CAN-1999-0169, CAN-2000-0800, CAN-2002-0830, CAN-2002-1228,
CAN-2003-0252, CAN-2003-0379, CAN-2003-0576

NIS
CVE-1999-0008, CVE-1999-0208, CVE-1999-0245, CVE-2000-1040

CAN-1999-0795, CAN-2002-1232, CAN-2003-0176, CAN-2003-0251

How to Determine if you are Vulnerable
The following steps are related to NIS/NFS software vulnerabilities:

  1. Verify that you are current with the patches released by your vendor. For most versions, the command rpc.mountd -version for NFS and ypserv -version for NIS will show the installed version. Any unpatched or outdated version of the software is likely to be vulnerable.
  2. For software vulnerabilities, a more complete approach would be to use an updated vulnerability scanner to periodically check your system against new flaws.

The following steps are related to NIS configuration:

  1. Ensure that Root password is not maintained in an NIS map.
  2. Check whether users' passwords comply with your security practices. A password cracker can be used to accomplish this.

    Please Note: Never run a password cracker, even on systems for which you have root-like access, without explicit and preferably written permission from your employer. Administrators with the most benevolent of intentions have been fired for running password cracking tools without authority to do so.

The following steps are related to NFS configuration:

  1. Verify that the hosts, netgroups and permissions in the /etc/exports file are up to date.
  2. Run the command showmount -e to see what has been exported. Check whether your exports comply with your security policy.


How to Protect Against It

The following steps are related to NIS configuration:

  1. On each client you can explicitly list the NIS servers to bind to, preventing other systems from masquerading as an NIS server.
  2. When building the DBM files, activate the YP_SECURE feature to ensure that the server will only answer requests from a client on privileged ports. This can be accomplished with the -s switch of the makedbm command.
  3. Include the trusted hosts and networks in the /var/yp/securenets used by the ypserv and the ypxfrd processes, and remember to restart the daemons to get the changes to take effect.
  4. On your NFS Clients be sure to have the entry +:*:0:0::: in your password map.

The following steps are related to NFS configuration:

  1. Use numeric IP addresses or fully qualified domain names instead of aliases when allowing clients in the /etc/exports file.
  2. A tool called NFSBug can be used to test the configuration. The tests will include finding world exported file systems, determining whether export restrictions work, determining whether file systems can be mounted through the portmapper, trying to guess file handles, and exercising various bugs to access file systems. ftp://coast.cs.purdue.edu/pub/tools/unix/nfsbug/
  3. Use the /etc/exports file to restrict access to NFS file system by adding parameters:
  4. On Solaris, make sure to activate the port monitoring feature. This can be done by adding the line set nfssrv:nfs_portmon = 1 to the /etc/system file.

    A Linux system by default denies cooperation with NFS clients using a non-privileged port.
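
The NFS checks in this section (exports up to date, clients named by IP or FQDN rather than alias, and the privileged-port rule) can be run against /etc/exports directly. The script below is an added example, not part of the SANS text: it assumes the Linux exports(5) format "/path client(opt,opt) client2(opt)", flags world exports, alias client names, no_root_squash, and the insecure option that disables the privileged-port check described above; every sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of the SANS text: audit /etc/exports entries for the
# configuration problems this section describes (world-readable exports,
# clients named by alias instead of IP or FQDN, no_root_squash, and "insecure",
# which turns off the privileged-port check mentioned above).
# Assumes the Linux exports(5) format "/path client(opt,opt) client2(opt)";
# every sample file below is constructed.

# exports_findings: reads an exports file on stdin, prints one finding per line.
exports_findings() {
    sed 's/#.*//' | awk '
        NF == 0 { next }
        NF == 1 { print $1 ": exported to every host (no client list)"; next }
        {
            for (i = 2; i <= NF; i++) {
                entry = $i; client = entry; opts = ""
                if ((p = index(entry, "(")) > 0) {
                    client = substr(entry, 1, p - 1)
                    opts = substr(entry, p + 1); sub(/\)$/, "", opts)
                }
                # "(rw)" with no client, or "*", means everyone may mount it
                world = (client == "" || client == "*")
                if (world)
                    print $1 ": exported to every host (\"" entry "\")"
                else if (client !~ /^@/ && client !~ /\./)
                    print $1 ": client \"" client "\" is an alias, not an IP address or fully qualified name"
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "no_root_squash")
                        print $1 ": no_root_squash for \"" client "\" (remote root keeps root privileges)"
                    if (o[j] == "insecure")
                        print $1 ": insecure for \"" client "\" (requests from non-privileged ports accepted)"
                    if (o[j] == "rw" && world)
                        print $1 ": read-write access for every host"
                }
            }
        }
    '
}

# exports_finding_count: same input as exports_findings, prints the number of findings.
exports_finding_count() {
    exports_findings | awk 'END { print NR }'
}

# Constructed sample 1: three common mistakes in one file.
WEAK_EXPORTS='/export/home   *(rw,no_root_squash)
/export/tools  buildbox(rw)  10.20.1.0/24(ro,insecure)
/export/pub'

# Constructed sample 2: clients named by network or FQDN (example.com domain
# is assumed), root squashed, privileged ports required.
HARDENED_EXPORTS='/export/home   10.20.1.0/24(ro,root_squash)
/export/tools  buildbox.corp.example.com(rw,root_squash,secure)'

# Demo run.  On a real NFS server: exports_findings < /etc/exports
echo "weak exports:"
printf '%s\n' "$WEAK_EXPORTS" | exports_findings
echo "hardened exports: $(printf '%s\n' "$HARDENED_EXPORTS" | exports_finding_count) finding(s)"
```

The weak sample yields six findings; the hardened one none. Netgroups (@name) are accepted as clients without comment, since the text above lists them among the things to keep current rather than as a problem in themselves.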

General considerations related to NIS and NFS:

  1. Review your firewall policies and be sure to block all unnecessary ports, as well as port 111 (portmap) and port 2049 (rpc.nfsd). Also allow access to the NIS and NFS servers only from authorized clients. A local measure can also be applied by restricting access through tcp_wrappers, located at http://sunsite.cnlab-switch.ch/ftp/software/security/security-porcupine.org/. In your /etc/hosts.allow file you should state the service and the IPs allowed to access it (e.g. portmap: 10.20.1.1/16 to allow the network 10.20.0.0 to access the portmap service). Also, in the /etc/hosts.deny file, you should include the services and the IPs that are NOT allowed to access the services (e.g. portmap: ALL, which will deny access to all other IP addresses that are not included in /etc/hosts.allow). Portmap is an important service to deny access to, because it is the one through which NFS operates.
  2. Consider the use of NFS over a secure protocol like SSH. A good starting point is http://www.math.ualberta.ca/imaging/snfs/.
  3. Apply all vendor patches or upgrade your NIS and NFS servers to the latest version. For more information about hardening your UNIX installation, see CERT's UNIX Security Checklist.
  4. Disable the NFS and NIS daemons on any system that is not specifically designated and authorized to be a NFS and/or NIS server. To prevent this change from being reversed, it may be wise to also remove the NFS and/or NIS software.

Open Secure Sockets Layer (SSL)

Description

The open-source OpenSSL library is a popular package to add cryptographic security to applications that communicate over the network. Although Apache is probably the most well-known use of the package (to support https: connections on port 443), many other programs have been modified to use OpenSSL for security.

OpenSSL is usually used as a toolkit: other applications call it to provide cryptographic security for a connection. As a result, rather than targeting OpenSSL directly, exploits for its vulnerabilities target the application using it. One popular exploit attacks the Apache server's use of OpenSSL. Just because you are not running Apache with OpenSSL support does not mean you are safe: a suitable modification of the exploit may be able to attack Sendmail, OpenLDAP, CUPS, or any other OpenSSL-using program installed on the target machine.

Multiple vulnerabilities have been found in OpenSSL, of which the most serious are the set of 4 vulnerabilities listed in CAN-2002-0655, CAN-2002-0656, CAN-2002-0557, and CAN-2002-0659. These allow the remote execution of arbitrary code as the user of the OpenSSL libraries (which in some cases, such as 'sendmail', is the 'root' user).

Operating Systems Affected
Any UNIX or Linux system running OpenSSL 0.9.7 or earlier. Note that quite often, OpenSSL is installed to support some other component. For instance, on a RedHat Linux 9.0 system packages such as Apache, CUPS, Curl, OpenLDAP, Stunnel, and Sendmail (among others) all use the OpenSSL libraries to secure connections.

CVE/CAN Entries
CVE-1999-0428, CVE-2001-1141

CAN-2000-0535, CAN-2002-0655, CAN-2002-0656, CAN-2002-0557, CAN-2002-0659,
CAN-2003-0078, CAN-2003-0131, CAN-2003-0147

How to Determine if you are Vulnerable
Check the output of the command 'openssl version'. If the version isn't 0.9.7a or later, you are vulnerable.
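
Both this check and the 'ssh -V' check in the SSH section amount to reading a version string and comparing it against a minimum, which is error-prone by eye because of letter suffixes (0.9.7 is older than 0.9.7a, 3.6.1p2 is newer than 3.6.1). The script below is an added example, not part of the SANS text: the version strings are constructed in the formats the two commands print, and the minimums are the ones stated on this page (OpenSSH 3.3 or earlier affected, so 3.4 is the floor used here; OpenSSL 0.9.7a or later required).

```shell
#!/bin/sh
# Added example, not from the SANS text: turn the "check the reported version"
# steps for OpenSSH (ssh -V) and OpenSSL (openssl version) into a script that
# compares the reported version against a minimum.  The version strings below
# are constructed in the formats those commands print; the minimums are the
# ones the text gives (OpenSSH 3.3 or earlier affected, OpenSSL 0.9.7a or
# later required).

# version_ge A B: succeed (exit 0) when version string A is >= B.
# Components are compared numerically; a letter suffix (0.9.7a, 3.6.1p2) is
# compared after the number it follows, so 0.9.7 < 0.9.7a < 0.9.7b.
version_ge() {
    awk -v a="$1" -v b="$2" '
        function tokens(v, out,    n, parts, i, p, t) {
            t = 0
            n = split(v, parts, ".")
            for (i = 1; i <= n; i++) {
                p = parts[i]
                while (p != "") {
                    if (match(p, /^[0-9]+/)) {
                        out[++t] = substr(p, 1, RLENGTH) + 0
                        p = substr(p, RLENGTH + 1)
                    } else {
                        # letters rank by alphabet position; anything else ranks 0
                        out[++t] = index("abcdefghijklmnopqrstuvwxyz", tolower(substr(p, 1, 1)))
                        p = substr(p, 2)
                    }
                }
            }
            return t
        }
        BEGIN {
            na = tokens(a, ta); nb = tokens(b, tb)
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                x = (i in ta) ? ta[i] : 0
                y = (i in tb) ? tb[i] : 0
                if (x != y) exit (x > y) ? 0 : 1
            }
            exit 0
        }
    '
}

# openssh_version "OUTPUT": extract the version from ssh -V output
# (ssh prints it on stderr, so capture it with: ssh -V 2>&1).
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9A-Za-z.]*\).*$/\1/p'
}

# openssl_version "OUTPUT": extract the version from "openssl version" output.
openssl_version() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# version_status VERSION MINIMUM: prints "ok" or "UPDATE".
version_status() {
    if version_ge "$1" "$2"; then echo ok; else echo UPDATE; fi
}

# Constructed samples in the format the real commands print.
SSH_V_OUTPUT='OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090702f'
OPENSSL_OUTPUT='OpenSSL 0.9.6b 9 Jul 2001'

# Demo run.  On a real host: version_status "$(openssh_version "$(ssh -V 2>&1)")" 3.4
v=$(openssh_version "$SSH_V_OUTPUT");  echo "OpenSSH $v: $(version_status "$v" 3.4)"
v=$(openssl_version "$OPENSSL_OUTPUT"); echo "OpenSSL $v: $(version_status "$v" 0.9.7a)"
```

Remember that a vendor-patched package may keep the old version number while carrying the fix, so treat UPDATE from this script as "check the vendor advisory", not as proof of exposure.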

How to Protect Against It

  1. Upgrade to the most recent version of OpenSSL. If OpenSSL came installed with your operating system, retrieve the latest patches from your operating system vendor. Note that in some cases, re-compiling and/or re-linking of applications may be required to enable the updated libraries. Note that one of the most common usages of OpenSSL is for securing HTTP traffic over the public Internet for e-commerce where restricting hosts is probably not feasible.


Common Vulnerable Ports

In this section, we reproduce the SANS list of ports that are commonly probed and attacked.

Name Port Protocol Description
Small services <20 tcp/udp small services
FTP 21 tcp file transfer
SSH 22 tcp login service
TELNET 23 tcp login service
SMTP 25 tcp mail
TIME 37 tcp/udp time synchronization
WINS 42 tcp/udp WINS replication
DNS 53 udp naming services
DNS zone transfers 53 tcp naming services
DHCP server 67 tcp/udp host configuration
DHCP client 68 tcp/udp host configuration
TFTP 69 udp miscellaneous
GOPHER 70 tcp old WWW-like service
FINGER 79 tcp miscellaneous
HTTP 80 tcp web
alternate HTTP port 81 tcp web
alternate HTTP port 88 tcp web (sometimes Kerberos)
LINUXCONF 98 tcp host configuration
POP2 109 tcp mail
POP3 110 tcp mail
PORTMAP/RPCBIND 111 tcp/udp RPC portmapper
NNTP 119 tcp network news service
NTP 123 udp time synchronization
NetBIOS 135 tcp/udp DCE-RPC endpoint mapper
NetBIOS 137 udp NetBIOS name service
NetBIOS 138 udp NetBIOS datagram service
NetBIOS/SAMBA 139 tcp file sharing & login service
IMAP 143 tcp mail
SNMP 161 tcp/udp miscellaneous
SNMP 162 tcp/udp miscellaneous
XDMCP 177 udp X display manager protocol
BGP 179 tcp miscellaneous
FW1-secureremote 256 tcp CheckPoint FireWall-1 mgmt
FW1-secureremote 264 tcp CheckPoint FireWall-1 mgmt
LDAP 389 tcp/udp naming services
HTTPS 443 tcp web
Windows 2000 NetBIOS 445 tcp/udp SMB over IP (Microsoft-DS)
ISAKMP 500 udp IPSEC Internet Key Exchange
REXEC 512 tcp } the three
RLOGIN 513 tcp } Berkeley r-services
RSHELL 514 tcp } (used for remote login)
RWHO 513 udp miscellaneous
SYSLOG 514 udp miscellaneous
LPD 515 tcp remote printing
TALK 517 udp miscellaneous
RIP 520 udp routing protocol
UUCP 540 tcp/udp file transfer
HTTP RPC-EPMAP 593 tcp HTTP DCE-RPC endpoint mapper
IPP 631 tcp remote printing
LDAP over SSL 636 tcp LDAP over SSL
Sun Mgmt Console 898 tcp remote administration
SAMBA-SWAT 901 tcp remote administration
Windows RPC programs 1025 tcp/udp } often allocated
Windows RPC programs to } by DCE-RPC portmapper
Windows RPC programs 1039 tcp/udp } on Windows hosts
SOCKS 1080 tcp miscellaneous
LotusNotes 1352 tcp database/groupware
MS-SQL-S 1433 tcp database
MS-SQL-M 1434 udp database
CITRIX 1494 tcp remote graphical display
WINS replication 1512 tcp/udp WINS replication
ORACLE 1521 tcp database
NFS 2049 tcp/udp NFS file sharing
COMPAQDIAG 2301 tcp Compaq remote administration
COMPAQDIAG 2381 tcp Compaq remote administration
CVS 2401 tcp collaborative file sharing
SQUID 3128 tcp web cache
Global catalog LDAP 3268 tcp Global catalog LDAP
Global catalog LDAP SSL 3269 tcp Global catalog LDAP SSL
MYSQL 3306 tcp database
Microsoft Term. Svc. 3389 tcp remote graphical display
LOCKD 4045 tcp/udp NFS file sharing
Sun Mgmt Console 5987 tcp remote administration
PCANYWHERE 5631 tcp remote administration
PCANYWHERE 5632 tcp/udp remote administration
VNC 5800 tcp remote administration
VNC 5900 tcp remote administration
X11 6000-6255 tcp X Windows server
FONT-SERVICE 7100 tcp X Windows font service
alternate HTTP port 8000 tcp web
alternate HTTP port 8001 tcp web
alternate HTTP port 8002 tcp web
alternate HTTP port 8080 tcp web
alternate HTTP port 8081 tcp web
alternate HTTP port 8888 tcp web
Unix RPC programs 32770 tcp/udp } often allocated
Unix RPC programs to } by RPC portmapper
Unix RPC programs 32899 tcp/udp } on Solaris hosts
COMPAQDIAG 49400 tcp Compaq remote administration
COMPAQDIAG 49401 tcp Compaq remote administration
PCANYWHERE 65301 tcp remote administration

NEWS CONTENTS

Old News ;-)

[Oct 22, 2019] Equifax Used 'admin' as Username and Password for Sensitive Data: Lawsuit

Oct 22, 2019 | tech.slashdot.org

(yahoo.com) AndrewFlagg writes: When it comes to using strong username and passwords for administrative purposes let alone customer facing portals, Equifax appears to have dropped the ball. Equifax used the word "admin" as both password and username for a portal that contained sensitive information, according to a class action lawsuit filed in federal court in the Northern District of Georgia. The ongoing lawsuit, filed after the breach, went viral on Twitter Friday after Buzzfeed reporter Jane Lytvynenko came across the detail. "Equifax employed the username 'admin' and the password 'admin' to protect a portal used to manage credit disputes, a password that 'is a surefire way to get hacked,'" the lawsuit reads. The lawsuit also notes that Equifax admitted using unencrypted servers to store the sensitive personal information and had it as a public-facing website. When Equifax, one of the three largest consumer credit reporting agencies, did encrypt data, the lawsuit alleges, "it left the keys to unlocking the encryption on the same public-facing servers, making it easy to remove the encryption from the data." The class-action suit consolidated 373 previous lawsuits into one. Unlike other lawsuits against Equifax, these don't come from wronged consumers, but rather shareholders that allege the company didn't adequately disclose risks or its security practices.

[Oct 22, 2019] Flaw In Sudo Enables Non-Privileged Users To Run Commands As Root

Notable quotes:
"... the function which converts user id into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of root user. ..."
Oct 22, 2019 | linux.slashdot.org

(thehackernews.com) Posted by BeauHD on Monday October 14, 2019 @07:30PM from the Su-doh dept. exomondo shares a report from The Hacker News:

... ... ...

The vulnerability, tracked as CVE-2019-14287 and discovered by Joe Vennix of Apple Information Security, is more concerning because the sudo utility has been designed to let users use their own login password to execute commands as a different user without requiring their password.

What's more interesting is that this flaw can be exploited by an attacker to run commands as root just by specifying the user ID "-1" or "4294967295."

That's because the function which converts user id into its username incorrectly treats -1, or its unsigned equivalent 4294967295, as 0, which is always the user ID of root user.

The vulnerability affects all Sudo versions prior to the latest released version 1.8.28, which has been released today.

    • Re: Not many systems vulnerable
      mysidia (191772) #59309858

      If you have been blessed with the power to run commands as ANY user you want, then you are still specially privileged, even though you are not fully privileged.

      It's a rare/unusual configuration to say (all, !root) --- the people using this configuration on their systems should probably KNOW there are going to exist some ways that access can be abused to ultimately circumvent the intended !root rule - If not within sudo itself, then by using sudo to get a shell as a different user UID that belongs to some person or program who DOES have root permissions, and then causing crafted code to run as that user --- For example, by installing a Trojanned version of the screen command and modifying files in the home directory of a legitimate root user to alias the screen command to the trojanned version that will log the password the next time that Other user logs in normally and uses the sudo command.

[Jul 09, 2019] So what does a cybersecurity company that is hemorrhaging money and can't protect its clients do? It does an IPO

Notable quotes:
"... So in the past three years Crowdstrike: ..."
"... a) detected the DNC server hack, but failed to stop it b) falsely accused the Russians of hacking Ukrainian artillery c) failed to prevent the NRCC from being hacked, even though that was why they were hired ..."
"... In other words, Crowdstrike is really bad at their job. In addition, Crowdstrike is really bad at business too. CrowdStrike recorded a net loss last year of $140 million on revenue of $249.8 million, and negative free cash flow of roughly $59 million. ..."
Jul 09, 2019 | caucus99percent.com

So in the past three years Crowdstrike:

a) detected the DNC server hack, but failed to stop it
b) falsely accused the Russians of hacking Ukrainian artillery
c) failed to prevent the NRCC from being hacked, even though that was why they were hired

In other words, Crowdstrike is really bad at their job. In addition, Crowdstrike is really bad at business too. CrowdStrike recorded a net loss last year of $140 million on revenue of $249.8 million, and negative free cash flow of roughly $59 million.

So what does a cybersecurity company that is hemorrhaging money and can't protect its clients do? It does an IPO.

It just goes to show that "getting it right" is not the same thing as "doing a good job." If you tell the right people what they want to hear, the money will take care of itself.

[Jul 09, 2019] Crowdstrike mode of operation:

Jul 09, 2019 | caucus99percent.com

Whoops, you got hacked? Gee, nothing we could have done. More money please!

I think this is most of the IT biz right here

It just goes to show that "getting it right" is not the same thing as "doing a good job."

If you tell the right people what they want to hear, the money will take care of itself.

It's all about making the people at the top feel smart for having hired you and assuring them they don't need to waste their beautiful minds trying to understand what it is you do.

Whoops, you got hacked? Gee, nothing we could have done. More money please!

[May 23, 2019] Guccifer 2.0 Was Not a Russian Creation by Larry C Johnson

Notable quotes:
"... The Word documents published in June 2016 by Guccifer 2 also show a "last saved as" user id written in Cyrillic. The Anglicized name is " Felix Edmundovich ", aka "Iron Felix" (the infamous director of an early Soviet spy agency). If you are a Russian cyber spy trying to conduct a covert operation, why do you sign your document with the name of one of the most infamous leaders of Russian intelligence? Robert Mueller wants you to believe that this was just Russian audacity. ..."
"... The phrase "personal beliefs about the competence or incompetence of the Russians" catches something important. Whether it was the Russians or somebody else that did this, whoever did it was pretty sloppy. What this report describes is almost as pathetic when considered a false flag operation as it is as a sabotage operation. So any theory of who stole and published the documents has to explain a capability to access the data combined with blissful obliviousness about handling them. I know of no reason to think the Russian, US, Israeli, or other intelligence communities incapable of such a combination. All of them have brilliant dedicated people but also seemingly endless supplies of mediocre time-servers. ..."
"... Scenario? Shutdown, closing of words with documents being automatically saved? Ok, otherwise there is apparently no precise saving time stamp on Winwords latest version. How much changed since 2016? ..."
"... The Vault7 leak of CIA tools also contained information on how to select any language environment. It's really a standard practice, even for normal criminals. ..."
May 23, 2019 | turcopolier.typepad.com

Russia did not hack the DNC. This is not an opinion. It is a conclusion that flows from one very specific claim made by the Special Counsel -- i.e., Guccifer 2.0 was a fictional identity created by Russian Military Intelligence, the GRU. If Guccifer was in fact a creation or creature of the GRU, then the forensic evidence should show that this entity was operating from Russia or under the direct control of the GRU. The forensic evidence shows something quite different -- the meta data in the Guccifer 2.0 documents were manipulated deliberately to plant Russian fingerprints. This was not an accident nor an oversight due to carelessness.

What is meta data? This is the information recorded when a document is created. This data includes things such as the date and time the document was created or modified. It tells you who created the document. It is like the Wizard of Oz, it is the information behind the curtain.

Special Counsel Robert Mueller is correct in stating that Guccifer 2.0 was a "fictitious online persona." He is wrong in attributing that action to Russian Military Intelligence. While Guccifer 2.0 was a "fictitious" entity, the information recorded about when, how and who created the document shows that deliberate choices were made to present the info as if it was created by someone Russian.

Let us first stipulate and agree that Russia and the United States engage in cyber espionage and covert action against each other. This has been the case since computers and the internet came into existence. Within the U.S. Intelligence Community these activities generally are labeled with the acronym, CNO -- Computer Network Operations. The Russians and the United States have cadres of cyber "warriors" who sit at computer terminals and engage in operations commonly known as hacking. Other countries, such as China, Iran and Ukraine do this as well.

CNOs are classified at the highest level in the United States and normally are handled within special restricted categories commonly known as SAPs (i.e, Special Access Programs). A critical element of these kinds of operations is to avoid leaving any fingerprints or clues that would enable the activity to be traced back to the United States. But this is not unique to the United States. All professional intelligence services around the world understand and practice this principle -- leave no evidence behind that proves you were there.

The case implicating Russia in the hack of the DNC and Clinton emails, including those of her campaign manager, John Podesta, rests on suspect forensic computer evidence -- present in the meta data in the documents posted online by Guccifer 2.0. According to Disobedient Media, "the files that Guccifer 2.0 initially pushed to reporters contain Russian metadata, a Russian stylesheet entry and in some cases embedded Russian error messages."

Why would the Russians make such a mistake, especially in such a high-stakes operation (targeting a national election with covert action most certainly is a high-stakes operation)? Mueller and the U.S. intelligence community want you to believe that the Russians are just sloppy and careless buffoons. Those ideologically opposed to the Russians readily embrace this nonsense. But for those who actually have dealt with Russian civilian and military intelligence operatives and operations, the Russians are sophisticated and cautious.

But we do not have to rely on our personal beliefs about the competence or incompetence of the Russians. We simply need to look at the forensic evidence contained in the documents posted by Guccifer 2.0. We will take Robert Mueller and his investigators at their word:

An examination of those documents tells a very different story. While it does not reveal who or what was Guccifer 2.0, it does undermine Mueller's claim that it was the Russians who did these dastardly deeds.

One independent forensic computer investigator, who uses the name, "The Forensicator," examined the meta data in some of the documents posted by Guccifer 2.0 and discovered the following :

Guccifer 2.0 published a file on 13 September 2016 that was originally copied on 5 July 2016 at approximately 6:45 PM Eastern time. It was copied and appeared as the "NGP VAN" 7zip file.

The estimated speed of transfer was 23 MB/s. This means that this initial data transfer could have been done remotely over the Internet. Instead, it was likely done from a computer system that had direct access to the data. "By "direct access" we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high-speed network (LAN)."

This initial copying activity was done on a system that used Eastern Daylight Time (EDT) settings and was likely initially copied to a computer running Linux, because the file last modified times all reflect the apparent time of the copy, which is a characteristic of the Linux 'cp' command (using default options).

On September 1, 2016, a subset of the initial large collection of DNC-related content (the so-called NGP/VAN data) was transferred to working directories on a system running Windows. The .rar files included in the final 7zip file were built from those working directories.
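The two inferences above (a throughput figure and a "cp without -p" signature) both come from the last-modified times inside the archive. This added example, not taken from the Forensicator's report or from this article, shows how each is derived from a file listing; the file names, sizes and timestamps are constructed, and MB is taken as 10^6 bytes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List

MB = 1_000_000                           # assumption: 1 MB = 10^6 bytes
EDT = timezone(timedelta(hours=-4))      # Eastern Daylight Time, as in the analysis


@dataclass
class Entry:
    """One archive member: name, size in bytes, last-modified time."""
    name: str
    size: int
    mtime: datetime


def stamp(h: int, m: int, s: int) -> datetime:
    # constructed helper: all times fall on 5 July 2016, EDT, 1-second resolution
    return datetime(2016, 7, 5, h, m, s, tzinfo=EDT)


# Constructed listing imitating a default Linux 'cp': each mtime is the moment that
# file's copy finished, so the stamps cluster inside the copy window and their spacing
# reflects how fast bytes were written.
COPIED_AT_COPY_TIME: List[Entry] = [
    Entry("a.csv", 5 * MB, stamp(18, 45, 0)),
    Entry("b.csv", 46 * MB, stamp(18, 45, 2)),
    Entry("c.csv", 23 * MB, stamp(18, 45, 3)),
    Entry("d.csv", 69 * MB, stamp(18, 45, 6)),
]

# Constructed listing imitating 'cp -p' (or any tool that preserves metadata): the
# original mtimes survive, spread over years, and say nothing about the copy speed.
PRESERVED_MTIMES: List[Entry] = [
    Entry("a.csv", 5 * MB, datetime(2014, 3, 1, 9, 0, 0, tzinfo=EDT)),
    Entry("b.csv", 46 * MB, datetime(2015, 11, 20, 17, 30, 0, tzinfo=EDT)),
    Entry("c.csv", 23 * MB, datetime(2016, 1, 8, 12, 0, 0, tzinfo=EDT)),
]


def mtimes_reset_by_copy(entries: List[Entry],
                         window: timedelta = timedelta(hours=1)) -> bool:
    """True when every mtime falls inside one short window: the signature of a copy
    that rewrote timestamps instead of preserving them (window is a tunable assumption)."""
    times = [e.mtime for e in entries]
    return max(times) - min(times) <= window


def estimate_rate_mb_s(entries: List[Entry]) -> float:
    """Throughput from completion stamps.

    The earliest mtime marks when the first file finished, so only the bytes of the
    files completed after that point were written during the measured span.
    """
    ordered = sorted(entries, key=lambda e: e.mtime)
    elapsed = (ordered[-1].mtime - ordered[0].mtime).total_seconds()
    if elapsed <= 0:
        raise ValueError("need at least two distinct timestamps to estimate a rate")
    moved = sum(e.size for e in ordered[1:])
    return moved / MB / elapsed


if __name__ == "__main__":
    for label, listing in (("copy-time stamps", COPIED_AT_COPY_TIME),
                           ("preserved stamps", PRESERVED_MTIMES)):
        reset = mtimes_reset_by_copy(listing)
        print(f"{label}: clustered in copy window = {reset}")
        if reset:
            print(f"  estimated rate: {estimate_rate_mb_s(listing):.1f} MB/s")
```

Only the clustered listing yields a meaningful rate; when the timestamps were preserved, the same arithmetic would measure the age of the files rather than the speed of the copy.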

The alleged Russian fingerprints appeared in the first document "leaked" by Guccifer 2.0, 1.doc, which was a report on Donald Trump. A forensic examination of the documents shows that, given the word processor program used to create the Donald Trump document released by Guccifer 2.0, the author consciously and purposefully used formats that deliberately inserted "Russian fingerprints" into the document. In other words, the metadata was purposely altered, and documents were pasted into a 'Russianified' Word document with Russian language settings and style headings.

Here are the key facts:

The metadata shows that Slate_-_Domestic_-_USDA_-_2008-12-20.doc was the template for creating 1.doc, 2.doc and 3.doc. This template injected "Warren Flood" as the author value and "GSA" as the company value in those first three Word documents. This template also injected the title, the watermark and header/footer fields found in the final documents (with slight modifications).

The Word documents published in June 2016 by Guccifer 2 also show a "last saved as" user id written in Cyrillic. The Anglicized name is "Felix Edmundovich", aka "Iron Felix" (the infamous director of an early Soviet spy agency). If you are a Russian cyber spy trying to conduct a covert operation, why do you sign your document with the name of one of the most infamous leaders of Russian intelligence? Robert Mueller wants you to believe that this was just Russian audacity.

But the metadata tells a different story. When we examine the Revision Session Identifiers (RSIDs) in the Guccifer documents, we see the same Russian style-headings in 1.doc, 2.doc and 3.doc. The document creation timestamps on docs 1, 2 and 3 are also all identical.

Given that MS Word assigns a new random RSID with each save when an element is added or edited (this function allows one to track changes made to a Word document), the only way to obtain identical creation timestamps is that someone either directly edited the source document, or that there was one empty document open and individual documents were copy-pasted and saved-as (1.doc), then the contents deleted and the next document pasted and saved-as (2.doc), etc. This process also explains the identical style-sheet RSIDs.
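The comparison described above (same style RSIDs, same creation timestamp, same "last saved by" user across 1.doc, 2.doc and 3.doc) can be made mechanical. This added example, not from the article or the Forensicator, pulls those markers out of RTF-style source, the form in which the thread later quotes styrsid11758497, and reports which ones are identical across a set of documents. The three documents are constructed stand-ins; only the shared RSID value comes from the page, and the dates and operator name are made up.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# RTF control words of interest: stylesheet RSIDs, creation/revision times,
# and the \operator (the "last saved by" user recorded in the \info group).
STYRSID_RE = re.compile(r"\\styrsid(\d+)")
TIME_RE = re.compile(r"\\(creatim|revtim)((?:\\(?:yr|mo|dy|hr|min|sec)\d+)+)")
FIELD_RE = re.compile(r"\\(yr|mo|dy|hr|min|sec)(\d+)")
OPERATOR_RE = re.compile(r"\{\\operator ([^}]*)\}")

# Constructed fragments standing in for 1.doc, 2.doc and 3.doc. Same stylesheet RSID,
# same creation time and same operator; only the revision time differs per file.
CONSTRUCTED_DOCS: Dict[str, str] = {
    "1.doc": r"""{\rtf1\ansi
{\stylesheet{\s1\styrsid11758497 heading 1;}{\s2\styrsid11758497 heading 2;}}
{\info{\operator CONSTRUCTED_OPERATOR}
{\creatim\yr2016\mo6\dy15\hr13\min38}{\revtim\yr2016\mo6\dy15\hr13\min42}}
\pard First constructed document.\par}""",
    "2.doc": r"""{\rtf1\ansi
{\stylesheet{\s1\styrsid11758497 heading 1;}{\s2\styrsid11758497 heading 2;}}
{\info{\operator CONSTRUCTED_OPERATOR}
{\creatim\yr2016\mo6\dy15\hr13\min38}{\revtim\yr2016\mo6\dy15\hr13\min47}}
\pard Second constructed document.\par}""",
    "3.doc": r"""{\rtf1\ansi
{\stylesheet{\s1\styrsid11758497 heading 1;}{\s2\styrsid11758497 heading 2;}}
{\info{\operator CONSTRUCTED_OPERATOR}
{\creatim\yr2016\mo6\dy15\hr13\min38}{\revtim\yr2016\mo6\dy15\hr13\min53}}
\pard Third constructed document.\par}""",
}

MARKERS: List[str] = ["style_rsids", "operator", "creatim", "revtim"]


def parse_rtf_time(fields: str) -> datetime:
    """Turn '\\yr2016\\mo6\\dy15\\hr13\\min38' into a datetime (missing parts default)."""
    parts = {name: int(value) for name, value in FIELD_RE.findall(fields)}
    return datetime(parts.get("yr", 1900), parts.get("mo", 1), parts.get("dy", 1),
                    parts.get("hr", 0), parts.get("min", 0), parts.get("sec", 0))


def extract_markers(rtf: str) -> Dict[str, object]:
    """Collect the provenance markers of one document."""
    markers: Dict[str, object] = {
        "style_rsids": frozenset(STYRSID_RE.findall(rtf)),
        "operator": None,
        "creatim": None,
        "revtim": None,
    }
    op = OPERATOR_RE.search(rtf)
    if op:
        markers["operator"] = op.group(1)
    for name, fields in TIME_RE.findall(rtf):
        markers[name] = parse_rtf_time(fields)
    return markers


def shared_across(docs: Dict[str, str]) -> Dict[str, bool]:
    """For each marker, True when every document carries the same (present) value."""
    extracted = [extract_markers(text) for text in docs.values()]
    result: Dict[str, bool] = {}
    for key in MARKERS:
        values = {e[key] for e in extracted}
        result[key] = len(values) == 1 and None not in values
    return result


if __name__ == "__main__":
    for name, text in CONSTRUCTED_DOCS.items():
        print(name, extract_markers(text))
    print("identical across all documents:", shared_across(CONSTRUCTED_DOCS))
```

Identical creation times with differing revision times is exactly the pattern the paragraph above attributes to one open document being saved under successive names; independent files would normally differ in every marker.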


joanna, 22 May 2019 at 08:54 AM

The document creation timestamps on docs 1, 2 and 3 also are all identical.

Curious, no doubt. But who of us did not consider Guccifer 2 curious. Put another way, what experts considered him solid proof for Russian involvement?

Are you suggesting Winword templates were used for the metadata?

As an IT nitwit, how can I save three *.doc files or their 2016 Word equivalent at the same time? Any way to do that? Windows doesn't seem to have a solution to that.

Again: This is a nitwit user asking a question.

*******
I admittedly am not overly motivated to read the Mueller report. I'll read your contribution again to figure out what you may suggest in or between the lines.

fredw, 22 May 2019 at 09:26 AM
The phrase "personal beliefs about the competence or incompetence of the Russians" catches something important. Whether it was the Russians or somebody else that did this, whoever did it was pretty sloppy. What this report describes is almost as pathetic when considered a false flag operation as it is as a sabotage operation. So any theory of who stole and published the documents has to explain a capability to access the data combined with blissful obliviousness about handling them. I know of no reason to think the Russian, US, Israeli, or other intelligence communities incapable of such a combination. All of them have brilliant dedicated people but also seemingly endless supplies of mediocre time-servers.

Equally interesting is the fact that this analysis has come from such a private source. Surely all the major intelligence agencies have the skill to find the same indicators. And all have comparatively endless resources to apply to the analysis. But they all seem to not want to talk about it. For me the most suspicious thing about the handling of the theft was the FBI's near complete lack of interest in examining the server. I have always assumed that such indifference reflected that they already had all they needed in order to understand what happened. Maybe even watched the theft in real time. But this report demonstrates that you didn't need any special access to blow up the official story. (Note that the official story may be "true". It is just not proven by the cited evidence.)

Yet, whatever actually happened, nobody seems interested in challenging the narrative that Russians stole data and routed it through useful idiots to influence the 2016 elections. This report indicates that a persuasive challenge would not have been hard to produce.

Perhaps the false flag was intentionally clumsy, intended to be detected. Bait for a trap that no one wants to fall into. But I don't see where that thought leads.

joanna, 22 May 2019 at 09:58 AM
https://archive.fo/2dMfC#selection-683.213-687.434

This can be discovered by looking at things called 'rsid's or Revision Session Identifiers in Guccifer's document. In order to track changes, MS word assigns a new random 'rsid' with each save upon each element added or edited. The rsids for the Russian style-headings in 1.doc, 2.doc and 3.doc are all the same (styrsid11758497 in the raw source).

Moreover, the document creation timestamps on 1,2, and 3.docs are all identical too. This might imply there was one empty document open, with individual documents being copy-pasted and saved-as (1.doc), then contents deleted and new doc pasted and saved-as (2.doc), etc. This is the only way to go about obtaining identical creation timestamps short of direct editing of the source, and would also explain identical style-sheet RSIDs.

Scenario? Shutdown, closing of Word with documents being automatically saved? Ok, otherwise there is apparently no precise saving time stamp on WinWord's latest version. How much changed since 2016?

Empty doc open? What would that change?

But good to see that Winword now integrated some type of automatic saving option, didn't have it when I gave it up and shifted to Open Office. On the other hand, can I trust it to not confront me with an earlier revision version? I admittedly asked myself lately. In a 200 page file, mind you.

Karen Eliot, 22 May 2019 at 10:34 AM
As someone with a little bit of experience in that area I can assure you that language metadata artifacts are practically worthless for attribution. You would mention it in a report, but from it you can only conclude that

The Vault7 leak of CIA tools also contained information on how to select any language environment. It's really a standard practice, even for normal criminals.

Attribution is really hard and usually amounts to a lot of guessing who might be interested in the target of an attack, correlating information from other campaigns, and is only rarely based on hard evidence. Big state actors probably can do a little bit better when they have access to enough network taps. But in the end one bit looks like any other, and properties of static documents can always be forged and made to look real. Or simply buy a copy of MS Office in .

joanna said in reply to Karen Eliot..., 23 May 2019 at 09:51 AM
The document creation timestamps on docs 1, 2 and 3 also are all identical.

Ok doc creation times. Could one create a WinWord Macro? That does exactly that. ok, why would one do this? True. Minor detail, I know. But I see we have experts around now.

*******
More generally. Guccifer 2.0 was a bit of an odd occurrence, not least due to US intelligence considering Guccifer one or zero, if you like.

Fred, 23 May 2019 at 11:24 AM
fredw,

"..nobody seems interested in challenging the narrative that Russians..."

That's precisely what Larry has been doing for some time.

"Equally interesting is the fact that this analysis has come from such a private source."

How dare a private citizen challenge the narrative!

"Perhaps the false flag was intentionally clumsy..."

False flag, let's discuss that idea, brought up solely by you, and not discuss Larry's analysis.

[May 23, 2019] The language metadata artifacts are practically worthless for attribution

May 23, 2019 | turcopolier.typepad.com

Karen Eliot, 22 May 2019 at 10:34 AM

As someone with a little bit of experience in that area I can assure you that language metadata artifacts are practically worthless for attribution. You would mention it in a report, but from it you can only conclude that

The Vault7 leak of CIA tools also contained information on how to select any language environment. It's really a standard practice, even for normal criminals.

Attribution is really hard and usually amounts to a lot of guessing who might be interested in the target of an attack, correlating information from other campaigns, and is only rarely based on hard evidence.

Big state actors probably can do a little bit better when they have access to enough network taps. But in the end one bit looks like any other, and properties of static documents can always be forged and made to look real. Or simply buy a copy of MS Office.

[Apr 21, 2019] Escobar The Deep State Vs. WikiLeaks by Pepe Escobar

Notable quotes:
"... John Pilger, among few others, has already stressed how a plan to destroy WikiLeaks and Julian Assange was laid out as far back as 2008 – at the tail end of the Cheney regime – concocted by the Pentagon's shady Cyber Counter-Intelligence Assessments Branch. ..."
"... But it was only in 2017, in the Trump era, that the Deep State went totally ballistic; that's when WikiLeaks published the Vault 7 files – detailing the CIA's vast hacking/cyber espionage repertoire. ..."
"... This was the CIA as a Naked Emperor like never before – including the dodgy overseeing ops of the Center for Cyber Intelligence, an ultra-secret NSA counterpart. ..."
"... The monolithic narrative by the Deep State faction aligned with the Clinton machine was that "the Russians" hacked the DNC servers. Assange was always adamant; that was not the work of a state actor – and he could prove it technically. ..."
"... The DoJ wanted a deal – and they did make an offer to WikiLeaks. But then FBI director James Comey killed it. The question is why. ..."
"... Some theoretically sound reconstructions of Comey's move are available. But the key fact is Comey already knew – via his close connections to the top of the DNC – that this was not a hack; it was a leak. ..."
"... Ambassador Craig Murray has stressed, over and over again (see here ) how the DNC/Podesta files published by WikiLeaks came from two different US sources; one from within the DNC and the other from within US intel. ..."
"... The release by WikiLeaks in April 2017 of the malware mechanisms inbuilt in "Grasshopper" and the "Marble Framework" were indeed a bombshell. This is how the CIA inserts foreign language strings in source code to disguise them as originating from Russia, from Iran, or from China. The inestimable Ray McGovern, a VIPS member, stressed how Marble Framework "destroys this story about Russian hacking." ..."
"... No wonder then CIA director Mike Pompeo accused WikiLeaks of being a "non-state hostile intelligence agency" ..."
"... Joshua Schulte, the alleged leaker of Vault 7, has not faced a US court yet. There's no question he will be offered a deal by the USG if he agrees to testify against Julian Assange. ..."
"... George Galloway has a guest who explains it all https://www.youtube.com/watch?v=7VvPFMyPvHM&t=8s ..."
"... Escobar is brain dead if he can't figure out that Trumpenstein is totally on board with destroying Assange. As if bringing on pukes like PompAss, BoltON, and Abrams doesn't scream it. ..."
Apr 20, 2019 | www.zerohedge.com

Authored by Pepe Escobar via The Strategic Culture Foundation,

The Made-by-FBI indictment of Julian Assange does look like a dead man walking. No evidence. No documents. No surefire testimony. Just a crossfire of conditionals...

But never underestimate the legalese contortionism of US government (USG) functionaries. As much as Assange may not be characterized as a journalist and publisher, the thrust of the affidavit is to accuse him of conspiring to commit espionage.

In fact the charge is not even that Assange hacked a USG computer and obtained classified information; it's that he may have discussed it with Chelsea Manning and may have had the intention to go for a hack. Orwellian-style thought crime charges don't get any better than that. Now the only thing missing is an AI software to detect them.

https://www.rt.com/shows/going-underground/456414-assange-wkileaks-asylum-london/video/5cb1c797dda4c822558b463f

Assange legal adviser Geoffrey Robertson – who also happens to represent another stellar political prisoner, Brazil's Lula – cut straight to the chase (at 19:22 minutes);

"The justice he is facing is justice, or injustice, in America I would hope the British judges would have enough belief in freedom of information to throw out the extradition request."

That's far from a done deal. Thus the inevitable consequence; Assange's legal team is getting ready to prove, no holds barred, in a British court, that this USG indictment for conspiracy to commit computer hacking is just an hors d'oeuvre for subsequent espionage charges, in case Assange is extradited to US soil.

All about Vault 7

John Pilger, among few others, has already stressed how a plan to destroy WikiLeaks and Julian Assange was laid out as far back as 2008 – at the tail end of the Cheney regime – concocted by the Pentagon's shady Cyber Counter-Intelligence Assessments Branch.

It was all about criminalizing WikiLeaks and personally smearing Assange, using "shock troops enlisted in the media -- those who are meant to keep the record straight and tell us the truth."

This plan remains more than active – considering how Assange's arrest has been covered by the bulk of US/UK mainstream media.

By 2012, already in the Obama era, WikiLeaks detailed the astonishing "scale of the US Grand Jury Investigation" of itself. The USG always denied such a grand jury existed.

"The US Government has stood up and coordinated a joint interagency criminal investigation of Wikileaks comprised of a partnership between the Department of Defense (DOD) including: CENTCOM; SOUTHCOM; the Defense Intelligence Agency (DIA); Defense Information Systems Agency (DISA); Headquarters Department of the Army (HQDA); US Army Criminal Investigation Division (CID) for USFI (US Forces Iraq) and 1st Armored Division (AD); US Army Computer Crimes Investigative Unit (CCIU); 2nd Army (US Army Cyber Command); Within that or in addition, three military intelligence investigations were conducted. Department of Justice (DOJ) Grand Jury and the Federal Bureau of Investigation (FBI), Department of State (DOS) and Diplomatic Security Service (DSS). In addition, Wikileaks has been investigated by the Office of the Director of National Intelligence (ODNI), Office of the National CounterIntelligence Executive (ONCIX), the Central Intelligence Agency (CIA); the House Oversight Committee; the National Security Staff Interagency Committee, and the PIAB (President's Intelligence Advisory Board)."

But it was only in 2017, in the Trump era, that the Deep State went totally ballistic; that's when WikiLeaks published the Vault 7 files – detailing the CIA's vast hacking/cyber espionage repertoire.

This was the CIA as a Naked Emperor like never before – including the dodgy overseeing ops of the Center for Cyber Intelligence, an ultra-secret NSA counterpart.

WikiLeaks got Vault 7 in early 2017. At the time WikiLeaks had already published the DNC files – which the unimpeachable Veteran Intelligence Professionals for Sanity (VIPS) systematically proved was a leak, not a hack.

The monolithic narrative by the Deep State faction aligned with the Clinton machine was that "the Russians" hacked the DNC servers. Assange was always adamant; that was not the work of a state actor – and he could prove it technically.

There was some movement towards a deal, brokered by one of Assange's lawyers; WikiLeaks would not publish the most damning Vault 7 information in exchange for Assange's safe passage to be interviewed by the US Department of Justice (DoJ).

The DoJ wanted a deal – and they did make an offer to WikiLeaks. But then FBI director James Comey killed it. The question is why.

It's a leak, not a hack

Some theoretically sound reconstructions of Comey's move are available. But the key fact is Comey already knew – via his close connections to the top of the DNC – that this was not a hack; it was a leak.

Ambassador Craig Murray has stressed, over and over again (see here ) how the DNC/Podesta files published by WikiLeaks came from two different US sources; one from within the DNC and the other from within US intel.

There was nothing for Comey to "investigate". Or there would have been, if Comey had ordered the FBI to examine the DNC servers. So why talk to Julian Assange?

The release by WikiLeaks in April 2017 of the malware mechanisms inbuilt in "Grasshopper" and the "Marble Framework" were indeed a bombshell. This is how the CIA inserts foreign language strings in source code to disguise them as originating from Russia, from Iran, or from China. The inestimable Ray McGovern, a VIPS member, stressed how Marble Framework "destroys this story about Russian hacking."

No wonder then CIA director Mike Pompeo accused WikiLeaks of being a "non-state hostile intelligence agency", usually manipulated by Russia.

Joshua Schulte, the alleged leaker of Vault 7, has not faced a US court yet. There's no question he will be offered a deal by the USG if he agrees to testify against Julian Assange.

It's a long and winding road, to be traversed in at least two years, if Julian Assange is ever to be extradited to the US. Two things for the moment are already crystal clear. The USG is obsessed to shut down WikiLeaks once and for all. And because of that, Julian Assange will never get a fair trial in the "so-called 'Espionage Court'" of the Eastern District of Virginia, as detailed by former CIA counterterrorism officer and whistleblower John Kiriakou.

Meanwhile, the non-stop demonization of Julian Assange will proceed unabated, faithful to guidelines established over a decade ago. Assange is even accused of being a US intel op, and WikiLeaks a splinter Deep State deep cover op.

Maybe President Trump will maneuver the hegemonic Deep State into having Assange testify against the corruption of the DNC; or maybe Trump caved in completely to "hostile intelligence agency" Pompeo and his CIA gang baying for blood. It's all ultra-high-stakes shadow play – and the show has not even begun.


JailBanksters, 40 minutes ago

Not to mention the Pentagram has silenced 100,000 whistleblower complaints by Intimidation, threats, money or accidents over 5 years . A Whistleblower only does this when know there is something seriously wrong. Just Imagine how many knew something was wrong but looked the other way.

ExPat2018, 47 minutes ago

George Galloway has a guest who explains it all https://www.youtube.com/watch?v=7VvPFMyPvHM&t=8s

Betrayed, 2 hours ago

Maybe President Trump will maneuver the hegemonic Deep State into having Assange testify against the corruption of the DNC; or maybe Trump caved in completely to "hostile intelligence agency" Pompeo and his CIA gang baying for blood.

Escobar is brain dead if he can't figure out that Trumpenstein is totally on board with destroying Assange. As if bringing on pukes like PompAss, BoltON, and Abrams doesn't scream it.

besnook, 2 hours ago

assange and wikileaks are the real criminals despite being crimeless. the **** is a sanctioned criminal, allowed to be criminal with the system because the rest of the sanctioned criminals would be exposed if she was investigated.

this is not the rule of laws. this is the law of rulers.

_triplesix_, 2 hours ago

Anyone seen Imran Awan lately?

Four chan, 34 minutes ago

yeah those ***** go free because they got everything on the stupid dems and they are muslim.

assange exposes the podesta dws and clinton fraud against bernie voters+++ and hes the bad guy. yeah right

hillary clinton murdered seth rich sure as **** too.

[Apr 20, 2019] The Guccifer 2.0 Gaps in Mueller's Full Report undermine the validity of findings

Apr 10, 2019 | consortiumnews.com

Originally from: The 'Guccifer 2.0' Gaps in Mueller's Full Report, April 18, 2019

Like Team Mueller's indictment last July of Russian agents, the full report reveals questions about Wikileaks' role that much of the media has been ignoring, writes Daniel Lazare.

By Daniel Lazare
Special to Consortium News

As official Washington pores over the Gospel According to Saint Robert, an all-important fact about the Mueller report has gotten lost in the shuffle. Just as the Christian gospels were filled with holes, the latest version is too – particularly with regard to WikiLeaks and Julian Assange.

The five pages that the special prosecutor's report devotes to WikiLeaks are essentially lifted from Mueller's indictment last July of 12 members of the Russian military intelligence agency known as the GRU. It charges that after hacking the Democratic National Committee, the GRU used a specially-created online persona known as Guccifer 2.0 to transfer a gigabyte's worth of stolen emails to WikiLeaks just as the 2016 Democratic National Convention was approaching. Four days after opening the encrypted file, the indictment says, "Organization 1 [i.e. WikiLeaks] released over 20,000 emails and other documents stolen from the DNC network by the Conspirators [i.e. the GRU]."


Attorney General William Barr holding press conference on full Mueller report, April 18, 2019. (YouTube)

Mueller's report says the same thing, but with the added twist that Assange then tried to cover up the GRU's role by suggesting that murdered Democratic National Committee staffer Seth Rich may have been the source and by telling a congressman that the DNC email heist was an "inside job" and that he had "physical proof" that the material was not from Russia.

All of which is manna from heaven for corporate news outlets eager to pile on Assange, now behind bars in London. An April 11, 2019, New York Times news analysis , for instance, declared that "[c]ourt documents have revealed that it was Russian intelligence – using the Guccifer persona – that provided Mr. Assange thousands of emails hacked from the Democratic National Committee," while another Times article published shortly after his arrest accuses the WikiLeaks founder of "promoting a false cover story about the source of the leaks."

But there's a problem: it ain't necessarily so. The official story that the GRU is the source doesn't hold water, as a timeline from mid-2016 shows. Here are the key events based on the GRU indictment and the Mueller report:

June 12: Assange tells Britain's ITV that another round of Democratic Party disclosures is on the way: "We have upcoming leaks in relation to Hillary Clinton, which is great. WikiLeaks is having a very big year."
June 14: The Democratic National Committee accuses Russia of hacking its computers.
June 15: Guccifer 2.0 claims credit for the hack. "The main part of the papers, thousands of files and mails, I gave to WikiLeaks," he brags. "They will publish them soon."
June 22: WikiLeaks tells Guccifer via email: "Send any new material here for us to review and it will have a much higher impact than what you are doing."
July 6: WikiLeaks sends Guccifer another email: "if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [Democratic National Convention] is approaching and she will solidify bernie supporters behind her after." Guccifer replies: "ok . . . i "
July 14: Guccifer sends WikiLeaks an encrypted file titled "wk dnc link1.txt.gpg."
July 18: WikiLeaks confirms it has opened "the 1Gb or so archive" and will release documents "this week."
July 22: WikiLeaks releases more than 20,000 DNC emails and 8,000 other attachments.

According to Mueller and obsequious news outlets like the Times, the sequence is clear: Guccifer sends archive, WikiLeaks receives archive, WikiLeaks accesses archive, WikiLeaks publishes archive. Donald Trump may not have colluded with Russia, but Julian Assange plainly did. [Attorney General William Barr, significantly calling WikiLeaks a publisher, said at his Thursday press conference: "Under applicable law, publication of these types of materials would not be criminal unless the publisher also participated in the underlying hacking conspiracy."]


Deputy Attorney General Rod Rosenstein announcing in 2018 the grand jury indictment of 12 GRU agents. (Wikimedia Commons)

Avoiding Questions

The narrative raises questions that the press studiously avoids. Why, for instance, would Assange announce on June 12 that a big disclosure is on the way before hearing from the supposed source? Was there a prior communication that Mueller has not disclosed? What about the reference to "new material" on June 22 – does that mean Assange already had other material in hand? After opening the Guccifer file on July 18, why would he publish it just four days later? Would that give WikiLeaks enough time to review some 28,000 documents to ensure they're genuine?


"If a single one of those emails had been shown to be maliciously altered," blogger Mark F. McCarty observes , "Wikileaks' reputation would have been in tatters." There's also the question that an investigator known as Adam Carter poses in Disobedient Media : why would Guccifer brag about giving WikiLeaks "thousands of files" that he wouldn't send for another month?

The narrative doesn't make sense – a fact that is crucially important now that Assange is fighting for his freedom in the U.K. New Yorker staff writer Raffi Khatchadourian sounded a rare note of caution last summer when he warned that little about Guccifer 2.0 adds up. While claiming to be the source for some of WikiLeaks ' most explosive emails, the material he released on his own had proved mostly worthless – 20 documents that he "said were from the DNC but which were almost surely not," as Khatchadourian puts it, a purported Hillary Clinton dossier that "was nothing of the sort," screenshots of emails so blurry as to be "unreadable," and so forth.


John Podesta: Target of a phishing expedition. (Voice of America via Wikimedia Commons)

While insisting that "our source is not the Russian government and it is not a state party," Assange told Khatchadourian that the source was not Guccifer either. "We received quite a lot of submissions of material that was already published in the rest of the press, and people seemingly submitted the Guccifer archives," he said somewhat cryptically. "We didn't publish them. They were already published." When Khatchadourian asked why he didn't put the material out regardless, he replied that "the material from Guccifer 2.0 – or on WordPress – we didn't have the resources to independently verify."

No Time for Vetting

So four days was indeed too short a time to subject the Guccifer file to proper vetting. Of course, Mueller no doubt regards this as more "dissembling," as his report describes it. Yet WikiLeaks has never been caught in a lie for the simple reason that honesty and credibility are all-important for a group that promises to protect anonymous leakers who supply it with official secrets. (See "Inside WikiLeaks : Working with the Publisher that Changed the World," Consortium News , July 19, 2018.) Mueller, by contrast, has a rich history of mendacity going back to his days as FBI director when he sought to cover up the Saudi role in 9/11 and assured Congress on the eve of the 2003 invasion that Iraqi weapons of mass destruction pose "a clear threat to our national security."


Mueller with President George W. Bush on July 5, 2001, as he is being appointed FBI director. (White House)

So if the Mueller narrative doesn't hold up, the charge of dissembling doesn't either. Indeed, as ex-federal prosecutor Andrew C. McCarthy observes in The National Review, the fact that the feds have charged Assange with unauthorized access to a government computer rather than conspiring with the Kremlin could be a sign that Team Mueller is less than confident it can prove collusion beyond a reasonable doubt. As he puts it, the GRU indictment "was more like a press release than a charging instrument" because the special prosecutor knew that the chances were zero that Russian intelligence agents would surrender to a U.S. court.

Indeed, when Mueller charged 13 employees and three companies owned by Russian businessman Yevgeny Prigozhin with interfering in the 2016 election, he clearly didn't expect them to surrender either. Thus, his team seemed taken aback when one of the alleged "troll farms" showed up in Washington asking to be heard. The prosecution's initial response, as McCarthy put it, was to seek a delay "on the astonishing ground that the defendant has not been properly served – notwithstanding that the defendant has shown up in court and asked to be arraigned." When that didn't work, prosecutors tried to limit Concord's access to some 3.2 million pieces of evidence on the grounds that the documents are too "sensitive" for Russian eyes to see. If they are again unsuccessful, they may have no choice but to drop the charges entirely, resulting in yet another "public relations disaster" for the Russia-gate investigation.

None of which bodes well for Mueller or the news organizations that worship at his shrine. After blowing the Russia-gate story all these years, why does the Times continue to slander the one news organization that tells the truth?

Daniel Lazare is the author of "The Frozen Republic: How the Constitution Is Paralyzing Democracy" (Harcourt Brace, 1996) and other books about American politics. He has written for a wide variety of publications from The Nation to Le Monde Diplomatique and blogs about the Constitution and related matters at Daniellazare.com.

[Apr 19, 2019] The connection between pro-Israel Lobby efforts and the covert operations and overt invasions of America's national security state.

Notable quotes:
"... Blumenthal does chronicle a decades-long panoply of active measures by numerous pro-Israel Lobby figures, groups and think tanks. Yet he fails to explicitly recognize the connection between pro-Israel Lobby efforts and the covert operations and overt invasions of America's national security state. ..."
"... Julian Assange of Wikileaks was more explicit. Assange named the "country that has interfered in U.S. elections, has endangered Americans living or working overseas and has corrupted America's legislative and executive branches. It has exploited that corruption to initiate legislation favorable to itself, has promoted unnecessary and unwinnable wars and has stolen American technology and military secrets. Its ready access to the mainstream media to spread its own propaganda provides it with cover for its actions and it accomplishes all that and more through the agency of a powerful and well-funded domestic lobby [ ] That country is, of course, Israel." ..."
Apr 19, 2019 | consortiumnews.com

Abe, April 18, 2019 at 23:23

Behind the Omar Outrage: Suppressed History of the pro-Israel Lobby

Max Blumenthal's article and his 2019 book, The Management of Savagery: How America's National Security State Fueled the Rise of Al Qaeda, ISIS, and Donald Trump, are an impressive exercise in burying the lede.

Blumenthal does chronicle a decades-long panoply of active measures by numerous pro-Israel Lobby figures, groups and think tanks. Yet he fails to explicitly recognize the connection between pro-Israel Lobby efforts and the covert operations and overt invasions of America's national security state.

Julian Assange of Wikileaks was more explicit. Assange named the "country that has interfered in U.S. elections, has endangered Americans living or working overseas and has corrupted America's legislative and executive branches. It has exploited that corruption to initiate legislation favorable to itself, has promoted unnecessary and unwinnable wars and has stolen American technology and military secrets. Its ready access to the mainstream media to spread its own propaganda provides it with cover for its actions and it accomplishes all that and more through the agency of a powerful and well-funded domestic lobby [ ] That country is, of course, Israel."

[Apr 19, 2019] Early Assange quote

Apr 19, 2019 | www.moonofalabama.org

somebody, Apr 18, 2019 10:41:06 AM

Add to 80

Early Assange :

The more secretive or unjust an organization is, the more leaks induce fear and paranoia in its leadership and planning coterie. This must result in minimization of efficient internal communications mechanisms (an increase in cognitive "secrecy tax") and consequent system-wide cognitive decline resulting in decreased ability to hold onto power as the environment demands adaption.

Hence in a world where leaking is easy, secretive or unjust systems are nonlinearly hit relative to open, just systems. Since unjust systems, by their nature induce opponents, and in many places barely have the upper hand, mass leaking leaves them exquisitely vulnerable to those who seek to replace them with more open forms of governance.

[Apr 18, 2019] Wikileaks started as a Chinese dissident project which certainly had the support of the US military-intelligence complex. It quickly became something else,

Apr 18, 2019 | www.moonofalabama.org

somebody, Apr 18, 2019 6:52:44 AM

@wisdombody | Apr 18, 2019 3:09:38 AM | 71

They are the hacker/security blackhat/whitehat scene.
Another example where the actions of the empire bite back.

To understand where they are coming from read Yasha Levine's Surveillance Valley

US Tech Companies have an extremely nice "inclusive" "open" "transparent" company culture. People who don't drink the kool aid can deal with it, people who are on the Asperger/Autism range can't. And these are the people extremely gifted for tech.

Basically US military and secret services believed that Western "Freedom" (TM) was such a powerful advantage in global competition that open anonymous systems connecting dissidents would work to their advantage. They forgot that some people can't do double think.

Wikileaks started as a Chinese dissident project which certainly had the support of the US military-intelligence complex. It quickly became something else, simply because the people working in the project believed the ideology behind it and could not see that what is right for a Chinese dissident against the Chinese state was not right for a US dissident against the US state.

With Julian Assange in Belmarsh prison, everything about "open society" "transparency" "free media" "supporting dissidents" is in dispute.

[Apr 18, 2019] LIVE Wikileaks editor-in-chief holds presser on new criminal case involving Julian Assange

Notable quotes:
"... Assange has exposed so much of the Obama and Clinton cabal that they and their henchman would try any means possible to not have him extradited. ..."
"... Bit hard to spy on corrupt world leaders without the internet. Pretty sure Moreno has his own set of enemies, since he's blackmailing or bankrolling everyone in his sight with the backing of Goldman Sachs. Also black kettle, that's the most surveilled building in the world inside and out. ..."
Apr 18, 2019 | www.youtube.com

Angelor Not, 1 week ago

Assange has exposed so much of the Obama and Clinton cabal that they and their henchman would try any means possible to not have him extradited.

fionnualaable, 1 week ago

(From a horrified and disgusted Brit) My highest regard for: - the 3 dedicated panelists; - those among the honest Spanish police mentioned; - the brave Ecuadorian journalists pursuing presidential corruption charges; and: - elements of the UN not yet become toothless tigers re basic human rights. I have little if any hope such moral fibre will prevail (or be ALLOWED to do so) in the UK. Corruption and blind stupidity seem to have gone too far here, as they have in the USA, and possibly also even in the remaining "5 eyes" countries. Iberia (Portuguese Guterres at UN) has a chance to triumph in justice over degenerate Anglo-Saxon increasingly dictatorship regimes. Will they triumph? We'll see. The whole world will see. And the world has many many more than a mere 5 eyes.

Driver Driver, 3 days ago (edited)

The new president of Ecuador is a real thief. A real crook.

A M, 6 days ago

It's disgusting how the governments behave as we've seen the truth in Wikileaks which remains correct and truth 100% of the time...that's what the governments are scared of..... the truth and transparency..... it shows them for what they are hypocrites and liars......!!!

Hoomanna Dee, 1 week ago

Bit hard to spy on corrupt world leaders without the internet. Pretty sure Moreno has his own set of enemies, since he's blackmailing or bankrolling everyone in his sight with the backing of Goldman Sachs. Also black kettle, that's the most surveilled building in the world inside and out.

Asylees are not supposed to be treated like criminals, he's without charge. The US, Ecuador's current government and the UK are violating international law. And the press is an anemic mess. Our message to them: you're next.

All journalism utilises sources and those sources are entitled to protection. Not a grand jury. Not a supermax. Not torture.

ishant 7, 4 days ago

In India we call these so called journalists PRESSTITUTES

nick f, 1 day ago

The cockroaches don't like when the rock is lifted and we see them for what they are. Assange lifted the rock and now the cockroaches are out to get him.

Nassau Events, 2 days ago

It is not surprising that the Ecuadorian leader has failed the integrity of the country and the people of Ecuador. The fact that Julian Assange had full asylum was granted to him with full protection, it proved the government before protected the sovereign country and its citizens as a country which is respected and free from any kind of being a puppet or slave and master position. Assange's case is extremely important but in the meantime the position of the Ecuadorian people are let down on the world platform of shame. The day the new leader left Ecuador naked.

Needful Things Company, 6 days ago

This is so wrong! He needs to be protected. Unless they are bringing him to USA to testify against the Clinton/Obama crimes. We never would have found out anything of the corruption and take down of the USA if it were not for his investigative reporting! Because the crooks got caught and exposed they are trying to destroy him. He acted like a reporter or what they used to be like. Just like the Nixon days but they broke into files. Assange was given information. He was not the spy from what I can gather! They should be thanking him for exposing the crimes that have been going on!

[Apr 18, 2019] Honest Government Ad on Julian Assange (hilarious video!)

Notable quotes:
"... "Authorized by the united bitches of america. ..."
Apr 18, 2019 | thesaker.is

https://www.youtube.com/watch?v=1efOs0BsE0g


worldblee on April 16, 2019 at 3:56 pm EST/EDT

That video is on fire! Good stuff!
Павел (Paul) on April 17, 2019 at 9:43 am EST/EDT
It is funny but the problem remains... I want to see serious hard hitting justice whatever it takes.
vot tak on April 17, 2019 at 8:28 pm EST/EDT
Oops, wrong "button".

Kruto.

"Authorized by the united bitches of america." Yeah, israel's bitches.

[Apr 17, 2019] Ecuador sells off Assange to US Ron Paul

It is unclear what danger WikiLeaks represents now, as it has probably been infiltrated. But the publication of the Podesta emails and the DNC files was really damaging to the Democrats during the 2016 election.
Notable quotes:
"... "We have two foreign policies. We tell people what to do. And if they do it, we reward them. We give them a lot of money. If they don't, they're in for big trouble, they're liable to get bombed; we invade them, and there will be a coup," Dr. Paul said. ..."
"... "We find that Moreno, the president of Ecuador, did not do badly. He's been playing footsies with us, and gaining some money and he delivered, you know, after he became president – it's shame because the previous president the one that allowed or at least would at least Assange could be 'protected' to some degree," he stated. ..."
"... "The IMF has already delivered $4.2 billion to [Ecuador], and there's another six billion dollars in the pipeline for that," he said. ..."
Apr 17, 2019 | www.presstv.com

Dr. Paul, the founder of the Ron Paul Institute for Peace and Prosperity, made the remarks on Monday while discussing the violent arrest of Assange by UK Metropolitan Police last week at the Ecuadorian embassy in London, after the Moreno government cancelled his asylum.

The Australian whistleblower was arrested on behalf of the US on Thursday at the Ecuadorean embassy in London, where he had been granted asylum since 2012.

Assange, 47, is wanted by the US government for publishing classified documents related to the Iraq and Afghanistan wars that were leaked by American whistleblower Chelsea Manning. Assange spent seven years at the Ecuadorian embassy before his arrest.

https://www.youtube.com/embed/HqPAwI4EmsU?rel=0

"We have two foreign policies. We tell people what to do. And if they do it, we reward them. We give them a lot of money. If they don't, they're in for big trouble, they're liable to get bombed; we invade them, and there will be a coup," Dr. Paul said.

"We find that Moreno, the president of Ecuador, did not do badly. He's been playing footsies with us, and gaining some money and he delivered, you know, after he became president – it's shame because the previous president the one that allowed or at least would at least Assange could be 'protected' to some degree," he stated.

"But he (Moreno) evidently is out form and now of course he has delivered him. And this might not be even all of that. This probably is official tool of ours to provide these funds," the analyst noted.

"The IMF has already delivered $4.2 billion to [Ecuador], and there's another six billion dollars in the pipeline for that," he said.


Moreno on Sunday accused Assange of trying to use Ecuador's embassy in London as a "center for spying," and said that the decision to strip the whistleblower of his political asylum followed "violations" of that status.

In an interview with The Guardian , Moreno defended his decision on the Assange case.

"It is unfortunate that, from our territory and with the permission of authorities of the previous government, facilities have been provided within the Ecuadoran Embassy in London to interfere in processes of other states," the president said.

[Apr 16, 2019] Trump as a useful idiot of the Deep State

Apr 16, 2019 | www.zerohedge.com

Anunnaki, 11 hours ago

If Trump pardoned Assange, I would consider that draining the swamp. But Orange Jewlius is a Deep State **** socket, so the swamp has grown to a lagoon

Anunnaki, 11 hours ago

Jimmy Dore and Tucker Carlson nail it

https://m.youtube.com/watch?v=SnwC_1Pf9VQ

rtb61, 12 hours ago

Clearly the US government has zero respect for Australia, Australian Law or Australian citizens. The case is shite, else they would allow Assange to be deported to Australia and the extradition hearing to be heard there. They refuse because they know their case is shite and they would have to prove it in Australia before they could get extradition.

The USA is not an ally of Australia because it does not respect Australian law, not in the least. Prove US respect of Australians by deporting Assange to Australia and holding the extradition hearings there, else look as guilty as shite and never ever to be trusted by Australians.

OZZIDOWNUNDER, 9 hours ago

The US Govt respects NOBODY but its own Interests. It's the Australian Govt that's complicit in this travesty of Nil justice. The Gutless Australian Govt has NO interest in helping Julian Assange because they were persuaded NOT to by their American masters. It hurts that your own Govt are total A$$holes & follow USA into Crimes with out question. The Australian Govt has a History of lip service only when assistance Overseas is required. **** them !

NYC80, 13 hours ago

Assange probably is a narcissist. So what? All the people criticizing him are, too. At least he's an honest narcissist. In everything he's published, not a single item has even been allegedly false. Can any of these other so-called "journalists" demonstrate that level of accuracy?

Ms No, 14 hours ago

Here is a good article on Assange. Explains the cat. Things were okay for him under the real elected president of Ecuador, except no sunlight thanks to US spooks.

https://www.sott.net/article/411173-My-friend-Julian-Assange-Alicia-Castro-former-ambassador-for-Argentina

[Apr 16, 2019] Ray on Why the Deep State Hates Julian Assange

Apr 16, 2019 | www.unz.com

Saoirse, says: April 13, 2019 at 1:39 am GMT

http://raymcgovern.com/

Ray on Why the Deep State Hates Julian Assange

[Apr 15, 2019] 4 Myths About Julian Assange DEBUNKED Zero Hedge

Apr 15, 2019 | www.zerohedge.com

Myth #2: Assange Will Get a Fair Trial In the U.S.

14-year CIA officer John Kiriakou notes:

Assange has been charged in the Eastern District of Virginia -- the so-called "Espionage Court." That is just what many of us have feared. Remember, no national security defendant has ever been found not guilty in the Eastern District of Virginia. The Eastern District is also known as the "rocket docket" for the swiftness with which cases are heard and decided. Not ready to mount a defense? Need more time? Haven't received all of your discovery? Tough luck. See you in court.

I have long predicted that Assange would face Judge Leonie Brinkema were he to be charged in the Eastern District. Brinkema handled my case, as well as CIA whistleblower Jeffrey Sterling's. She also has reserved the Ed Snowden case for herself. Brinkema is a hanging judge.

***

Brinkema gave me literally no chance to defend myself. At one point, while approaching trial, my attorneys filed 70 motions, asking that 70 classified documents be declassified so that I could use them to defend myself. I had no defense without them. We blocked off three days for the hearings. When we got to the courtroom, Brinkema said, "Let me save everybody a lot of time. I'm going to deny all 70 of these motions. You don't need any of this information to be declassified." The entire process took a minute. On the way out of the courtroom, I asked my lead attorney what had just happened. "We just lost the case. That's what happened. Now we talk about a plea."

My attorneys eventually negotiated a plea for 30 months in prison -- significantly below the 45 years that the Justice Department had initially sought. The plea was something called an 11-C1C plea; it was written in stone and could not be changed by the judge. She could either take it or leave it. She took it, but not after telling me to rise, pointing her finger at me, and saying, "Mr. Kiriakou, I hate this plea. I've been a judge since 1986 and I've never had an 11C1C. If I could, I would give you ten years." Her comments were inappropriate and my attorneys filed an ethics complaint against her. But that's Brinkema. That's who she is.

Julian Assange doesn't have a prayer of a fair trial in the Eastern District of Virginia.

[Apr 15, 2019] Julian Assange Is Guilty Of Only One Thing: Revealing The Evil Soul Of US Imperialism

Apr 15, 2019 | www.zerohedge.com

Assange's arrest represents an abuse of power, highlighting not only how true journalism has now been banished in the West, but also how politicians, journalists, news agencies and think-tanks collude with each other to silence people

[Apr 14, 2019] You could not get a more sinister confluence of political fraudsters by Michael Tracey

Notable quotes:
"... Assange accomplished more in 2010 alone than any of his preening media antagonists will in their entire lifetime, combined. Your feelings about him as a person do not matter. He could be the scummiest human on the face of Earth, and it would not detract from the fact that he has brought revelatory information to public that would otherwise have been concealed. He has shone light on some of the most powerful political factions not just in the US, but around the world. This will remain true regardless of whether Trump capitulates to the 'Deep State' and goes along with this utterly chilling, free speech-undermining prosecution. ..."
"... My support was based on the fact that Assange had devised a novel way to hold powerful figures to account, whose nefarious conduct would otherwise go unexamined but for the methods he pioneered. ..."
Apr 12, 2019 | spectator.us

The nine-year gap – long after Manning had been charged, found guilty, and released from prison – suggests that there is something ulterior going on here. The offenses outlined in the indictment are on extraordinarily weak legal footing. Part of the criminal 'conspiracy,' prosecutors allege, is that Assange sought to protect Manning as a source and encouraged her to provide government records in the public interest.

This is standard journalistic practice.

And it is now being criminalized by the Trump DoJ, while liberals celebrate from the sidelines – eager to join hands with the likes of Mike Pompeo and Lindsey Graham. You could not get a more sinister confluence of political fraudsters.

They – meaning most Democrats – will never get over their grudge against Assange for having dared to expose the corruption of America's ruling party in 2016, which they believed help deprive their beloved Hillary of her rightful ascension to the presidential throne. Once again, Rep. Tulsi Gabbard is among the few exceptions.

The DNC and Podesta email releases, now distilled reductively into the term 'Russian interference,' contained multitudinous newsworthy revelations, as evidenced by the fact that virtually the entire US media reported on them. (Here, feel free to refresh your memory on this as well.) But for no reason other than pure partisan score-settling, elite liberals are willing to toss aside any consideration for the dire First Amendment implications of Assange's arrest and cry out with joy that this man they regard as innately evil has finally been ensnared by the punitive might of the American carceral state.

Trump supporters and Trump himself also look downright foolish. It takes about two seconds to Google all the instances in which Trump glowingly touted WikiLeaks on the 2016 campaign trail. 'I love WikiLeaks!' he famously proclaimed on October 10, 2016 in Wilkes-Barre, Penn.

Presumably this expression of 'love' was indication that Trump viewed WikiLeaks as providing a public service. If not, perhaps some intrepid reporter can ask precisely what his 'love' entailed. He can pretend all he wants now that he's totally oblivious to WikiLeaks, but it was Trump himself who relayed that he was contemporaneously reading the Podesta emails in October 2016, and reveling in all their newsworthiness. If he wanted, he could obviously intercede and prevent any unjust prosecution of Assange. Trump has certainly seen fit to complain publicly about all manner of other inconvenient Justice Department activity, especially as it pertained to him or his family members and associates. But now he's acting as though he's never heard of WikiLeaks, which is just pitiful: not a soul believes it, even his most ardent supporters.

Sean Hannity became one of Assange's biggest fans in 2016 and 2017, effusively lavishing him with praise and even visiting him in the Ecuadorian embassy in London for an exclusive interview. One wonders whether Hannity, who reportedly speaks to his best buddy Trump every night before bedtime, will counsel a different course on this matter. There's also the question of whether Trump's most vehement online advocates, who largely have become stalwart defenders of WikiLeaks, will put their money where their mouth is and condition their continued support on Assange not being depredated by the American prison system.

Assange accomplished more in 2010 alone than any of his preening media antagonists will in their entire lifetime, combined. Your feelings about him as a person do not matter. He could be the scummiest human on the face of Earth, and it would not detract from the fact that he has brought revelatory information to public that would otherwise have been concealed. He has shone light on some of the most powerful political factions not just in the US, but around the world. This will remain true regardless of whether Trump capitulates to the 'Deep State' and goes along with this utterly chilling, free speech-undermining prosecution.

I personally have supported Assange since I started in journalism, nine years ago, not because I had any special affinity for the man himself (although the radical transparency philosophy he espoused was definitely compelling). My support was based on the fact that Assange had devised a novel way to hold powerful figures to account, whose nefarious conduct would otherwise go unexamined but for the methods he pioneered. As thanks, he was holed up in a tiny embassy for nearly seven years – until yesterday, when they hauled him out ignominiously to face charges in what will likely turn out to be a political show trial. Donald Trump has the ability to stop this, but almost certainly won't. And that's all you need to know about him.

[Apr 14, 2019] Assange rendition might backfire for Trump administration

Vindictiveness does not always play in the vindictive party's favour.
You may love Assange or you may hate Assange for the WikiLeaks revelations (and Vault 7 was a real bombshell), but it is clear that this will cost Trump some reputation out of the tiny share he still has left, especially in view of his declaration "I love WikiLeaks".
Apr 13, 2019 | www.unz.com

For seven years, we have had to listen to a chorus of journalists, politicians and "experts" telling us that Assange was nothing more than a fugitive from justice, and that the British and Swedish legal systems could be relied on to handle his case in full accordance with the law. Barely a "mainstream" voice was raised in his defence in all that time.

... ... ...

The political and media establishment ignored the mounting evidence of a secret grand jury in Virginia formulating charges against Assange, and ridiculed Wikileaks' concerns that the Swedish case might be cover for a more sinister attempt by the US to extradite Assange and lock him away in a high-security prison, as had happened to whistleblower Chelsea Manning.

... ... ...

Equally, they ignored the fact that Assange had been given diplomatic status by Ecuador, as well as Ecuadorean citizenship. Britain was obligated to allow him to leave the embassy, using his diplomatic immunity, to travel unhindered to Ecuador. No "mainstream" journalist or politician thought this significant either.

... ... ...

They turned a blind eye to the news that, after refusing to question Assange in the UK, Swedish prosecutors had decided to quietly drop the case against him in 2015. Sweden had kept the decision under wraps for more than two years.

... ... ...

Most of the other documents relating to these conversations were unavailable. They had been destroyed by the UK's Crown Prosecution Service in violation of protocol. But no one in the political and media establishment cared, of course.

Similarly, they ignored the fact that Assange was forced to hole up for years in the embassy, under the most intense form of house arrest, even though he no longer had a case to answer in Sweden. They told us -- apparently in all seriousness -- that he had to be arrested for his bail infraction, something that would normally be dealt with by a fine.

... ... ...

This was never about Sweden or bail violations, or even about the discredited Russiagate narrative, as anyone who was paying the vaguest attention should have been able to work out. It was about the US Deep State doing everything in its power to crush Wikileaks and make an example of its founder.

It was about making sure there would never again be a leak like that of Collateral Murder, the military video released by Wikileaks in 2007 that showed US soldiers celebrating as they murdered Iraqi civilians. It was about making sure there would never again be a dump of US diplomatic cables, like those released in 2010 that revealed the secret machinations of the US empire to dominate the planet whatever the cost in human rights violations.

Now the pretence is over. The British police invaded the diplomatic territory of Ecuador -- invited in by Ecuador after it tore up Assange's asylum status -- to smuggle him off to jail. Two vassal states cooperating to do the bidding of the US empire. The arrest was not to help two women in Sweden or to enforce a minor bail infraction.

No, the British authorities were acting on an extradition warrant from the US. And the charges the US authorities have concocted relate to Wikileaks' earliest work exposing the US military's war crimes in Iraq -- the stuff that we all once agreed was in the public interest, that British and US media clamoured to publish themselves.

Still the media and political class is turning a blind eye. Where is the outrage at the lies we have been served up for these past seven years? Where is the contrition at having been gulled for so long? Where is the fury at the most basic press freedom -- the right to publish -- being trashed to silence Assange? Where is the willingness finally to speak up in Assange's defence?

It's not there. There will be no indignation at the BBC, or the Guardian, or CNN. Just curious, impassive -- even gently mocking -- reporting of Assange's fate.

And that is because these journalists, politicians and experts never really believed anything they said. They knew all along that the US wanted to silence Assange and to crush Wikileaks. They knew that all along and they didn't care. In fact, they happily conspired in paving the way for today's kidnapping of Assange.

They did so because they are not there to represent the truth, or to stand up for ordinary people, or to protect a free press, or even to enforce the rule of law. They don't care about any of that. They are there to protect their careers, and the system that rewards them with money and influence. They don't want an upstart like Assange kicking over their applecart.

Now they will spin us a whole new set of deceptions and distractions about Assange to keep us anaesthetised, to keep us from being incensed as our rights are whittled away, and to prevent us from realising that Assange's rights and our own are indivisible. We stand or fall together.

Jonathan Cook won the Martha Gellhorn Special Prize for Journalism. His books include "Israel and the Clash of Civilisations: Iraq, Iran and the Plan to Remake the Middle East" (Pluto Press) and "Disappearing Palestine: Israel's Experiments in Human Despair" (Zed Books). His website is www.jonathan-cook.net .


anonymous [340], says: April 12, 2019 at 10:41 am GMT

Thank you.

This should be an uncomfortable time for the “journalists” of the Establishment. Very few will speak up as does Mr. Cook. Watch how little is said about the recent Manning re-imprisonment to sweat out grand jury testimony. Things may have grown so craven that we’ll even see efforts to revoke Mr. Assange’s awards.

This is also a good column for us to share with those people who just might want not to play along with the lies that define Exceptionalia.

Digital Samizdat , says: April 12, 2019 at 5:11 pm GMT

… from the moment Julian Assange first sought refuge in the Ecuadorean embassy in London, they have been telling us we were wrong, that we were paranoid conspiracy theorists. We were told there was no real threat of Assange’s extradition to the United States, that it was all in our fevered imaginations.

It all reminds me of Rod Dreher’s Law of Merited Impossibility: “That’ll never happen. And when it does , boy won’t you deserve it!”

Equally, they ignored the fact that Assange had been given diplomatic status by Ecuador, as well as Ecuadorean citizenship. Britain was obligated to allow him to leave the embassy, using his diplomatic immunity, to travel unhindered to Ecuador. No “mainstream” journalist or politician thought this significant either.

Why would they? They don’t even recognize diplomatic status for heads of state who get in their way! Remember what they did to President Evo Morales of Bolivia back when he was threatening to grant asylum to Ed Snowden? Here’s a refresher:

https://en.wikipedia.org/wiki/Evo_Morales_grounding_incident

Any way you slice it, this is a sad day for liberty.

Carlton Meyer , says: April 13, 2019 at 4:32 am GMT
From my blog:

Apr 13, 2019 – Julian Assange

People who just watch corporate media think Julian Assange is a bad guy who deserves life in prison, except those who watch the great Tucker Carlson. Watch his recent show where he explains why our corporate media and political class hate Assange.

https://www.youtube.com/embed/ZE7OfU71Sbk?feature=oembed

He is charged with encouraging Army Private Chelsea Manning to send him embarrassing information, specifically this video of a US Army Apache helicopter gunning down civilians in broad daylight in Baghdad.

https://www.youtube.com/embed/25EWUUBjPMo?feature=oembed

But there is no proof of this, and Manning has repeatedly said he never communicated to Assange about anything. Manning got eight years in prison for this crime; the Apache pilots were never charged. And now they want to hang Assange for exposing a war crime. I have recommended this great 2016 interview twice, where Assange calmly explains the massive corruption that patriotic FBI agents refer to as the “Clinton Crime Family.”

https://www.youtube.com/embed/_sbT3_9dJY4?feature=oembed

This gang is so powerful that it ordered federal agents to spy on the Trump political campaign, and indicted and imprisoned some participants in an attempt to pressure President Trump to step down. It seems Trump still fears this gang, otherwise he would order his attorney general to drop this bogus charge against Assange, then pardon him forever and invite him to speak at White House press conferences.

The Alarmist , says: April 13, 2019 at 5:01 am GMT

“… they ignored the fact that Assange was forced to hole up for years in the embassy, under the most intense form of house arrest, even though he no longer had a case to answer in Sweden.”

Meh! Assange should have walked out the door of the embassy years ago. He might have ended up in the same place, but he could have seized the moral high ground by seeking asylum in Britain for fear of the death penalty in the US, which was a credible fear given public comments by various US officials. By rotting away in the Ecuadorian embassy, he greatly diminished any credibility he might have had to turn the UK judicial system inside out to his favour. Now he’s just a creepy looking bail jumper who flung faeces against the wall, rather than being a persecuted journalist.

Endgame Napoleon , says: April 13, 2019 at 6:14 am GMT
@Johnny Rottenborough Millionaire politicians on both sides of the political fence get very emotional about anything that impacts their own privacy & safety and the privacy & safety of their kin, while ignoring the issues that jeopardize the privacy & safety of ordinary voters. While corporate-owned politicians get a lot out of this game, ordinary voters who have never had less in the way of Fourth Amendment privacy rights, and whose First Amendment rights are quickly shrinking to the size of Assange’s, do not get the consolation of riches without risk granted to bought-off politicians in this era’s pay-to-play version of democracy. It’s a lose / lose for average voters.

Tom Welsh , says: April 13, 2019 at 9:31 am GMT
Mr Cook’s criticism of the mainstream media (MSM) is absolutely justified.

It seems to me that their hatred of Mr Assange reflects the unfortunate fact that, while he is a real journalist, they actually aren’t. Instead, they are stenographers for power: what Paul Craig Roberts calls “presstitutes” (a very happy coinage which exactly hits the bull’s eye).

The difference is that real journalists, like Mr Assange, Mr Roberts and Mr Cook, are mainly motivated by the search for objective truth – which they then publish, as far as they are able.

Whereas those people who go by the spurious names of “journalist”, “reporter”, “editor”, etc. are motivated by the desire to go on earning their salaries, and to gain promotion and “distinction” in society. (Sad but true: social distinction is often gained by performing acts of dishonesty and downright wickedness).

Here are some interesting quotations that cast some light on this disheartening state of affairs. If you look carefully at their dates you may be surprised to find that nothing has changed very much since the mid-19th century.

‘Marr: “How can you know that I’m self-censoring? How can you know that journalists are…”

‘Chomsky: “I’m not saying you’re self censoring. I’m sure you believe everything you’re saying. But what I’m saying is that if you believed something different, you wouldn’t be sitting where you’re sitting”’.

– Transcript of interview between Noam Chomsky and Andrew Marr (Feb. 14, 1996) https://scratchindog.blogspot.com/2015/07/transcript-of-interview-between-noam.html

‘If something goes wrong with the government, a free press will ferret it out and it will get fixed. But if something goes wrong with our free press, the country will go straight to hell’.

– I. F. Stone (as reported by his son Dr Jeremy J Stone) http://russia-insider.com/en/media-criticism/hey-corporate-media-glenn-greenwald-video-can-teach-you-what-real-journalism/ri6669

‘There is no such a thing in America as an independent press, unless it is out in country towns. You are all slaves. You know it, and I know it. There is not one of you who dares to express an honest opinion. If you expressed it, you would know beforehand that it would never appear in print. I am paid $150 for keeping honest opinions out of the paper I am connected with. Others of you are paid similar salaries for doing similar things. If I should allow honest opinions to be printed in one issue of my paper, I would be like Othello before twenty-four hours: my occupation would be gone. The man who would be so foolish as to write honest opinions would be out on the street hunting for another job. The business of a New York journalist is to distort the truth, to lie outright, to pervert, to vilify, to fawn at the feet of Mammon, and to sell his country and his race for his daily bread, or for what is about the same — his salary. You know this, and I know it; and what foolery to be toasting an “Independent Press”! We are the tools and vassals of rich men behind the scenes. We are jumping-jacks. They pull the string and we dance. Our time, our talents, our lives, our possibilities, are all the property of other men. We are intellectual prostitutes’.

– John Swinton (1829–1901), Scottish-American journalist, newspaper publisher, and orator. https://en.wikiquote.org/wiki/John_Swinton http://www.rense.com/general20/yes.htm

‘The press today is an army with carefully organized arms and branches, with journalists as officers, and readers as soldiers. But here, as in every army, the soldier obeys blindly, and war-aims and operation-plans change without his knowledge. The reader neither knows, nor is allowed to know, the purposes for which he is used, nor even the role that he is to play. A more appalling caricature of freedom of thought cannot be imagined. Formerly a man did not dare to think freely. Now he dares, but cannot; his will to think is only a willingness to think to order, and this is what he feels as his liberty’.

– Oswald Spengler, “The Decline of the West” Vol. II, trans. C.F. Atkinson (1928), p. 462

‘How do wars start? Wars start when politicians lie to journalists, then believe what they read in the press’.

– Karl Kraus, “Through Western Eyes – Russia Misconstrued” http://www.hellevig.net/ebook/Putin’s%20new%20Russia.pdf

And finally, two quotations from classic novels which go to the heart of the matter.

‘It is difficult to get a man to understand something when his salary depends upon his not understanding it’.

– Upton Sinclair

‘Sometimes a man wants to be stupid if it lets him do a thing his cleverness forbids’.

– John Steinbeck (“East of Eden”)

UncommonGround , says: April 13, 2019 at 10:13 am GMT
Very good article. There is one point that I would like to make: Assange asked for asylum before he went to the embassy of Ecuador and Ecuador gave him asylum. This meant that they had an obligation to protect him. It’s really unbelievable that a country gives asylum to someone and halfway tells that they have changed their mind and will let the person be arrested. “We told you you would be safe with us, but now we just changed our mind”. Assange also became a citizen of Ecuador and this possibly means that Ecuador couldn’t have let him be arrested in their embassy by the police of another country without a process against him in Ecuador and without him having the right to defend himself in a court. Many countries don’t extradite their citizens to other countries.

Another remark. For years there were uncountable articles about Assange in The Guardian. Those articles were read by many people and got really many comments. There were very fierce discussions about him with thousands of comments. With time The Guardian turned decisively against him and published articles against him. There were people there who seemed to hate him. In the last days there were again many articles about him. They pronounce themselves discreetly against his extradition to the US even if showing themselves to be critical of him, as if trying to justify their years of attacks against him. But one detail: I didn’t find even one article in The Guardian where you can comment on the case. Today for instance you can comment on an article by Gaby Hinsliff about Kim Kardashian. Marina Hyde talks in an article about washing her hair (whatever else she wants to say, with 2831 comments at this moment). But you don’t find any article about Assange that you can comment on. 10 or 8 or 5 years ago there were hundreds of articles about him that you could comment on.

EliteCommInc. , says: April 13, 2019 at 10:59 am GMT
The game afoot here is obvious.

https://www.caracaschronicles.com/2017/04/03/ecuador-next-venezuela/

Pressure relief

Tsar Nicholas , says: April 13, 2019 at 11:38 am GMT
@Art

UK PM May said about Assange – “no one is above the law” – proving she is a weak sister without a clue.

No one is above the law except the British government, which ignored the provisions of the EU Withdrawal Act requiring us to leave on March 29th.

No one is above the law except for the US and the UK which have illegally deployed forces to Syria against the wishes of the government in Damascus.

And Tony Blair, a million dead thanks to his corruption. He should be doing time in a Gulag for his evil crimes.

And of course, the black MP for Peterborough – Fiona Onasanya – served a mere three weeks in jail for perverting the course of justice, normally regarded as a very serious offence. But she was out in time – electronic tag and curfew notwithstanding – to vote in the House of Commons against leaving the EU.

[Mar 17, 2019] Mueller uses the same old false flag scams, just different packaging of his forensics-free findings

Highly recommended!
Notable quotes:
"... It appears the FBI, CIA, and NSA have great difficulty in differentiating between Russians and Democrats posing as Russians. ..."
"... Maybe the VIPS should look into the murder of Seth Rich, the DNC staffer who had the security clearance required to access the DNC servers, and who was murdered in the same week as the emails were taken. In particular, they should ask why the police were told to stand down and close the murder case without further investigation. ..."
"... What a brilliant article, so logical, methodical & a forensic, scientific breakdown of the phony Russiagate project? And there's no doubt, this was a co-ordinated, determined Intelligence project to reverse the results of the 2016 Election by initiating a soft coup or Regime change op on an elected Leader, a very American Coup, something the American Intelligence Agencies specialise in, everywhere else, on a Global scale, to get Trump impeached & removed from the Whitehouse? ..."
"... Right. Since its purpose is to destroy Trump politically, the investigation should go on as long as Trump is in office. Alternatively, if at this point Trump has completely sold out, that would be another reason to stop the investigation. ..."
"... Nancy Pelosi's announcement two days ago that the Democrats will not seek impeachment for Trump suggests the emptiness of the Mueller investigation on the specific "collusion" issue. ..."
"... We know and Assange has confirmed Seth Rich, assassinated in D.C. for his deed, downloaded the emails and most likely passed them on to former British ambassador Craig Murray in a D.C. park for transport to Wikileaks. ..."
"... This so-called "Russiagate" narrative is an illustration of our "freedom of the press" failure in the US due to groupthink and self censorship. He who pays the piper is apt to call the tune. ..."
"... Barr, Sessions, every congressman, all the corporate MSM war profiteer mouthpieces. They all know that "Russia hacked the DNC" and "Russia meddled" is fabricated garbage. They don't care, because their chosen war beast corporate candidate couldn't beat Donald goofball Trump. So it has to be shown that the war beast only lost because of nefarious reasons. Because they're gonna run another war beast cut from the same cloth as Hillary in 2020. ..."
"... Mar 4, 2019 Tom Fitton: President Trump a 'Crime Victim' by Illegal Deep State DOJ & FBI Abuses: https://youtu.be/ixWMorWAC7c ..."
"... Trump is a willing player in this game. The anti-Russian Crusade was, quite simply, a stunningly reckless, short-sighted effort to overturn the 2016 election, removing Trump to install Hillary Clinton in office. ..."
"... Much ado about nothing. All the talk and chatter and media airplay about "Russian meddling" in the 2016 election only tells me that these liars think the American public is that stupid. ..."
"... Andrew Thomas I'm afraid that huge amounts of our History post 1947 is organized and propagandized disinformation. There is an incredible page that John Simpkin has organized over the years that specifically addresses individuals, click on a name and read about them. https://spartacus-educational.com/USAdisinformation.htm ..."
"... It's pretty astonishing that Mueller was more interested in Roger Stone and Jerome Corsi as credible sources about Wikileaks and the DNC release than Craig Murray! ..."
"... Yes, he has done his job. And his job was to bring his royal Orangeness to heel, and to make sure that detente and co-operation with Russia remained impossible. The forever war continues. Mission Accomplished. ..."
Mar 17, 2019 | consortiumnews.com

O Society , March 16, 2019 at 7:55 am

The Truth is Out There. I Want to Believe!

Same old scams, different packaging. That's New & Improved for you.

http://opensociet.org/2019/03/16/the-return-of-the-hidden-persuaders

Raymond Comeau , March 15, 2019 at 12:35 pm

I could not suffer through reading the whole article. This is mainly because I have watched the news daily about Mueller's Investigation and I sincerely believe that Mueller is Champion of the Democrats who are trying to depose President Donald Trump at any cost.

For what Mueller found any decent lawyer with a Degree and a few years of experience could have found what Mueller found for far far less money. Mueller only found common crimes AND NO COLLUSION BETWEEN PRESIDENT TRUMP AND PUTIN!

The Mueller Investigation should be given to an honest broker to review, and Mueller should be paid only what it would cost to produce the commonplace crimes Mueller, The Democrats, and CNN have tried to convince the people that indeed Trump COLLUDED with RUSSIA. Mueller is, a BIG NOTHING BURGER and THE DEMOCRATS AND CNN ARE MUELLER'S SINGING CANARIES! Mueller should be jailed.

Bogdan Miller , March 15, 2019 at 11:04 am

This article explains why the Mueller Report is already highly suspect. For another thing, we know that since before 2016, Democrats have been studying Russian Internet and hacking tactics, and posing as Russian Bots/Trolls on Facebook and other media outlets, all in an effort to harm President Trump.

It appears the FBI, CIA, and NSA have great difficulty in differentiating between Russians and Democrats posing as Russians.

B.J.M. Former Intelligence Analyst and Humint Collector

vinnieoh , March 15, 2019 at 8:17 am

Moving on: the US House yesterday voted UNANIMOUSLY (remember that word, so foreign these days to US governance?) to "urge" the new AG to release the complete Mueller report.

A non-binding resolution, but you would think that the Democrats can't see the diesel locomotive bearing down on their clown car, about to smash it to pieces. The new AG in turn says he will summarize the report and that is what we will see, not the entire report. And taxation without representation takes a new twist.

... ... ...

Raymond Comeau , March 15, 2019 at 12:38 pm

What else would you expect from two Political Parties who are really branches of the ONE Party which Represents DEEP STATE.

DWS , March 15, 2019 at 5:58 am

Maybe the VIPS should look into the murder of Seth Rich, the DNC staffer who had the security clearance required to access the DNC servers, and who was murdered in the same week as the emails were taken. In particular, they should ask why the police were told to stand down and close the murder case without further investigation.

Raymond Comeau , March 15, 2019 at 12:47 pm

EXACTLY! But, Deep State will not allow that. And, it would ruin the USA's plan to continue to invade more sovereign countries and steal their resources such as oil and Minerals. The people of the USA must be Ostriches or are so terrified that they accept anything their Criminal Governments tell them.

Eventually, the chickens will come home to roost and perhaps the USA voters will ROAST when the crimes of the USA sink the whole country. It is time for a few Brave Men and Women to find their backbones and throw out the warmongers and their leading Oligarchs!

KiwiAntz , March 14, 2019 at 6:44 pm

What a brilliant article, so logical, methodical & a forensic, scientific breakdown of the phony Russiagate project? And there's no doubt, this was a co-ordinated, determined Intelligence project to reverse the results of the 2016 Election by initiating a soft coup or Regime change op on an elected Leader, a very American Coup, something the American Intelligence Agencies specialise in, everywhere else, on a Global scale, to get Trump impeached & removed from the Whitehouse?

If you can't get him out via a Election, try & try again, like Maduro in Venezuela, to forcibly remove the targeted person by setting him up with fake, false accusations & fabricated evidence? How very predictable & how very American of Mueller & the Democratic Party. Absolute American Corruption, corrupts absolutely?

Brian Murphy , March 15, 2019 at 10:33 am

Right. Since its purpose is to destroy Trump politically, the investigation should go on as long as Trump is in office. Alternatively, if at this point Trump has completely sold out, that would be another reason to stop the investigation.

If the investigation wraps up and finds nothing, that means Trump has already completely sold out. If the investigation continues, it means someone important still thinks Trump retains some vestige of his balls.

DH Fabian , March 14, 2019 at 1:19 pm

By last June or July the Mueller investigation had resulted in roughly 150 indictments for perjury/financial crimes, and there was a handful of convictions to date. The report did not support the Clinton wing's anti-Russian allegations about the 2016 election, and was largely brushed aside by media. Mueller was then reportedly sent back in to "find something," presumably to support the anti-Russian claims.

mike k , March 14, 2019 at 12:57 pm

From the beginning of the Russia did it story, right after Trump's electoral victory, it was apparent that this was a fraud. The democratic party however has locked onto this preposterous story, and they will go to their graves denying this was a scam to deny their presidential defeat, and somehow reverse the result of Trump's election. My sincere hope is that this blatant lie will be an albatross around the party's neck, that will carry them down into oblivion. They have betrayed those of us who supported them for so many years. They are in many ways now worse than the republican scum they seek to replace.

DH Fabian , March 14, 2019 at 1:26 pm

Trump is almost certain to be re-elected in 2020, and we'll go through this all over again.

Tom , March 14, 2019 at 12:00 pm

The very fact that the FBI never had access to the servers and took the word of a private company that had a history of being anti-Russian is enough to throw the entire ruse out.

LJ , March 14, 2019 at 2:39 pm

Agreed!!!! And don't forget the FBI/Comey gave Hillary and her Campaign a heads-up before they moved to seize the evidence. So too, Comey said he stopped the Investigation, thereby rendering judgement of innocence, even though by his own words 'gross negligence' had occurred (which is normally considered grounds for prosecution). In doing so he exceeded the FBI's investigative mandate. He rationalized that decision was appropriate because of the appearance of impropriety that resulted from Attorney General Lynch having a private meeting on a plane on a runway with Bill and Hillary. Where was the logic in that? Who called the meeting? All were Lawyers who had served as President, Senator, Attorney General and knew that the meeting was absolutely inappropriate. Comey should be prosecuted if they want to prosecute anyone else because of this CRAP. PS Trump is an idiot. Unfortunately he is just a symptom of the disease at this point. Look at the cover of Rolling Stone magazine, carry a barf bag.

Jane Christ , March 14, 2019 at 6:51 pm

Exactly. This throws doubt on the ability of the FBI to work independently. They are working for those who want to cover up the Hillary mess. She evidently has sufficient funds to pay them off. I am disgusted with the level of corruption.

hetro , March 14, 2019 at 10:50 am

Nancy Pelosi's announcement two days ago that the Democrats will not seek impeachment for Trump suggests the emptiness of the Mueller investigation on the specific "collusion" issue. If there were something hot and lingering and about to emerge, this decision is highly unlikely, especially with the reasoning she gave at "so as not to divide the American people." Dividing the people hasn't been of much concern throughout this bogus witch hunt on Trump, which has added to his incompetence in leavening a growing hysteria and confusion in this country. If there is something, anything at all, in the Mueller report to support the collusion theory, Pelosi would I'm sure gleefully trot it out to get a lesser candidate like Pence as opposition for 2020.

James Clooney , March 14, 2019 at 11:17 am

We know and Assange has confirmed Seth Rich, assassinated in D.C. for his deed, downloaded the emails and most likely passed them on to former British ambassador Craig Murray in a D.C. park for transport to Wikileaks.

We must also honor Shawn Lucas assassinated for serving DNC with a litigation notice exposing the DNC conspiracy against Sanders.

hetro , March 14, 2019 at 3:18 pm

Where has Assange confirmed this? Assange's long-standing position is NOT to reveal his sources. I believe he has continued to honor this position.

Skip Scott , March 15, 2019 at 7:15 am

It has merely been insinuated by the offering of a reward for info on Seth's murder. In one breath he says wikileaks will never divulge a source, and in the next he offers a $20k reward saying that sources take tremendous risk. Doesn't take much of a logical leap to connect A to B.

DH Fabian , March 14, 2019 at 1:30 pm

Are you aware that Democrats split apart their own voting base in the 1990s, middle class vs. poor? The Obama years merely confirmed that this split is permanent. This is particularly relevant for Democrats, as their voting base had long consisted of the poor and middle class, for the common good. Ignoring this deep split hasn't made it go away.

hetro , March 14, 2019 at 3:24 pm

Even more important is how the Democrats have sold out to an Establishment view favoring neocon theory, since at least Bill Clinton. Pelosi's recent behavior with Ilhan Omar confirms this and the split you're talking about. My point is it is distinctly odd that Pelosi is discouraging impeachment on "dividing the Party" (already divided, of course, as you say), whereas the Russia-gate fantasy was so hot not that long ago. Again it points to a cynical opportunism and manipulation of the electorate. Both parties are a sad excuse to represent ordinary people's interests.

Skip Scott , March 15, 2019 at 7:21 am

She said "dividing the country", not the party. I think she may have concerns over Trump's heavily armed base. That said, the statement may have been a ruse. There are plenty of Republicans that would cross the line in favor of impeachment with the right "conclusions" by Mueller. Pelosi may be setting up for a "bombshell" conclusion by Mueller. One must never forget that we are watching theater, and that Trump was a "mistake" to be controlled or eliminated.

Cindy Haddix , March 14, 2019 at 8:04 am

Mueller should be ashamed that he has made President Trump his main concern!! If all this investigation would stop he could save America millions!!! He needs to quit this witch-hunt and worry about things that really need to be handled!!! If the democrats and Trump haters would stop pushing senseless lies hopefully this would stop? It's so disgusting that his democrat friend was never really investigated? Stop the witch-hunt and move forward!!!!

torture this , March 14, 2019 at 7:29 am

According to this letter, mistakes might have been made on Rachel Maddow's show. I can't wait to read how she responds. I'd watch her show, myself except that it has the same effect on me as ipecac.

Zhu , March 14, 2019 at 3:37 am

People will cling to "Putin made Trump President!!!" much as many cling to "Obama's a Kenyan Muslim! Not a real American!!!". Both nut theories are emotionally satisfying, no matter what the historical facts are. Many Americans just can't admit their mistakes and blaming a scapegoat is a way out.

O Society , March 14, 2019 at 2:03 am

Thank you VIPS for organizing this legit dissent consisting of experts in the field of intelligence and computer forensics.

This so-called "Russiagate" narrative is an illustration of our "freedom of the press" failure in the US due to groupthink and self censorship. He who pays the piper is apt to call the tune.

It is astounding how little skepticism and scientifically-informed reasoning goes on in our media. These folks show themselves to be native advertising rather than authentic journalists at every turn.

DH Fabian , March 14, 2019 at 1:33 pm

But it has been Democrats and the media that market to middle class Dems, who persist in trying to sell the Russian Tale. They excel at ignoring the evidence that utterly contradicts their claims.

O Society , March 15, 2019 at 3:50 pm

Oh, we're well beyond your "Blame the middle class Dems" stage.

The WINNING!!! team sports bullshit drowns the entire country now the latrine's sprung a leak. People pretend to live in bubbles made of blue or red quite like the Three Little Pigs, isn't it? Except instead of a house made of bricks saving the day for the little piggies, what we've got here is a purple puddle of piss.

Everyone's more than glad to project all our problems on "THEM" though, aren't we?

Meanwhile, the White House smells like a urinal not washed since the 1950s and simpletons still get their rocks off arguing about whether Mickey Mouse can beat up Ronald McDonald.

'Twould be comic except what's so tragic is the desperate need Americans have to believe, oh just believe! in something. Never mind the sound of the jackhammer on your skull dear, there's an app for that or is it a pill?

I don't know, don't ask me, I'm busy watching TV. Have a cheeto.

https://opensociet.org/2018/12/18/the-disneyfication-of-america/

Sam F , March 13, 2019 at 6:45 pm

Very good analysis clearly stated, especially adding the FAT timestamps to the transmission speeds.

Minor corrections: "The emails were copied from the network" should be "from the much faster local network" because this is to contradict the notion that they were copied over the internet network, which most readers will equate with "network." Also "reportedin" should be "reported in."

Michael , March 13, 2019 at 6:25 pm

It is likely that New Knowledge was actually "the Russians", possibly working in concert with Crowdstrike. Once an intelligence agency gets away with something like pretending to be Russian hackers and bots, they tend to re-use their model; it is too tempting to discard an effective model after a one-off accomplishment. New Knowledge was caught interfering/ determining the outcome in the Alabama Senate race on the side of Democrat Doug Jones, and claimed they were merely trying to mimic Russian methods to see if they worked (they did; not sure of their punishment?). Occam's razor would suggest that New Knowledge would be competent to mimic/ pretend to be "Russians" after the fact of wikileaks' publication of emails. New Knowledge has employees from the NSA and State department sympathetic to/ working with(?) Hillary, and were the "outside" agency hired to evaluate and report on the "Russian" hacking of the DNC emails/ servers.

DH Fabian , March 13, 2019 at 5:48 pm

Mueller released a report last summer, which resulted in (the last I checked) roughly 150 indictments, a handful of convictions to date, all for perjury/financial (not political) crimes. This wasn't kept secret. It simply wasn't what Democrats wanted to hear, so although it was mentioned in some lib media (which overwhelmingly supported neoliberal Hillary Clinton), it was essentially swept under the carpet.

Billy , March 13, 2019 at 11:11 pm

Barr, Sessions, every congressman, all the corporate MSM war profiteer mouthpieces. They all know that "Russia hacked the DNC" and "Russia meddled" is fabricated garbage. They don't care, because their chosen war beast corporate candidate couldn't beat Donald goofball Trump. So it has to be shown that the war beast only lost because of nefarious reasons. Because they're gonna run another war beast cut from the same cloth as Hillary in 2020.

Realist , March 14, 2019 at 3:22 am

You betcha. Moreover, who but the Russians do these idiots have left to blame? Everybody else is now off limits due to political correctness. Sigh. Those Catholics, Jews, "ethnics" and sundry "deviants" used to be such reliable scapegoats, to say nothing of the "undeveloped" world. As Clapper "authoritatively" says, only this vile lineage still carries the genes for the most extremes of human perfidy. Squirrels in your attic? It must be the damned Russkies! The bastards impudently tried to copy our democracy, economic system and free press and only besmirched those institutions, ruining all of Hillary's glorious plans for a worldwide benevolent dictatorship. All this might be humorous if it weren't so funny.

And those Chinese better not get to thinking they are somehow our equals just because all their trillions invested in U.S. Treasury bonds have paid for all our wars of choice and MIC boondoggles since before the turn of the century. Unless they start delivering Trump some "free stuff" the big man is gonna cut off their water. No more affordable manufactured goods for the American public! So there!

As to the article: impeccable research and analysis by the VIPS crew yet again. They've proven to me that, to a near certainty, the Easter Bunny is not likely to exist. Mueller won't read it. Clapper will still prance around a free man, as will Brennan. The Democrats won't care, that is until November of 2020. And Hillary will continue to skate, unhindered in larding up the Clinton Foundation to purposes one can only imagine.

Joe Tedesky , March 14, 2019 at 10:02 pm

Realist,

I have posted this article 'The Russia They Lost' before and from time to time, but once again it seems appropriate to add this link to expound upon what you've been saying. It's an article written by a Russian who in their youth growing up in the USSR dreamed of living the American lifestyle if Russia were to ever ditch communism. But starting with Kosovo this Russian's youthful dream turned nightmarishly ugly and, as time went by with more and yet even more USA aggression, this Russian author lost his admiration and desire for all things American to be proudly envied. This is a story where USA hard power destroyed any hope of American soft power for world unity. But hey, that unity business was never part of the plan anyway.

https://slavyangrad.org/2014/09/24/the-russia-they-lost/

Realist , March 15, 2019 at 10:38 pm

right you are, joe. if america was smart rather than arrogant, it would have cooperated with china and russia to see the belt and road initiative succeed by perhaps building a bridge or tunnel from siberia to alaska, and by building its own fleet of icebreakers to open up its part of the northwest passage. but no, it only wants to sabotage what others propose. that's not being a leader, it's being a dick.

i'm gonna have to go on the disabled list here until the sudden neurological problem with my right hand clears up–it's like paralysed. too difficult to do this one-handed using hunt and peck. at least the problem was not in the old bean, according to the scans. carry on, sir.

Brian James , March 13, 2019 at 5:04 pm

Mar 4, 2019 Tom Fitton: President Trump a 'Crime Victim' by Illegal Deep State DOJ & FBI Abuses: https://youtu.be/ixWMorWAC7c

DH Fabian , March 13, 2019 at 5:55 pm

Trump is a willing player in this game. The anti-Russian Crusade was, quite simply, a stunningly reckless, short-sighted effort to overturn the 2016 election, removing Trump to install Hillary Clinton in office. Trump and the Republicans continue to win by default, as Democrats only drive more voters away.

Howard , March 13, 2019 at 4:36 pm

Thank you Ray McGovern and the other 17 VIPS co-signers of your National Security Essay for Truth. Along with Craig Murray and Seymour Hersh, former Sam Adams Award winners for "shining light into dark places", you are national resources for objectivity in critical survival information matters for our country. It is more than a pity that our mainstream media are so beholden to their corporate task masters that they cannot depart from the company line for fear of losing their livelihoods, and in the process we risk losing life on the planet because of unconstrained nuclear war on the part of the two main adversaries facing off in an atmosphere of fear and mistrust. Let me speak plainly. THEY SHOULD BE TALKING TO YOU AND NOT THE VESTED INTERESTS' MOUTHPIECES. Thank you for your continued leadership!

James Clooney , March 14, 2019 at 11:28 am

Roger Ailes founder of FOX news died, "falling down stairs" within a week of FOX news exposing to the world that the assassinated Seth Rich downloaded the DNC emails.

DH Fabian , March 13, 2019 at 6:03 pm

Google the Mueller investigation report from last June or July. When it was released, the public response was like a deflated balloon. It did not support the "Russian collusion" allegations -- the only thing Democrats still had left to sell. The report resulted in roughly 150 indictments for perjury/financial crimes (not political), and a handful of convictions to date -- none of which had anything to do with the election results.

Hank , March 13, 2019 at 6:19 pm

Much ado about nothing. All the talk and chatter and media airplay about "Russian meddling" in the 2016 election only tells me that these liars think the American public is that stupid. They are probably right, but the REAL reason that Hillary lost is because there ARE enough informed people now in this nation who are quite aware of the Clintons' sordid history, where scandals seem to follow everywhere they go, but indictments and/or investigations don't. There IS an internet nowadays with lots of FACTUAL DOCUMENTED information. That's a lot more than I can say about the mainstream corporate-controlled media!

I know this won't ever happen, but an HONEST investigation into the Democratic Party and their actions during the 2016 election would make ANY collusion with ANY nation look like a mole hill next to a mountain! One of the problems with living in this nation is if you are truly informed and make an effort 24/7 to be that way by doing your own research, you more-than-likely can be considered an "island in a sea of ignorance".

Tom , March 14, 2019 at 12:13 pm

We know that the FBI never had access to the servers and a private company was allowed to handle the evidence. Wasn't it a crime scene? The evidence was tampered with, and we will never know what was on the servers.

Mark McCarty , March 13, 2019 at 4:10 pm

As a complement to this excellent analysis, I would like to make 2 further points:

The Mueller indictment of Russian Intelligence for hacking the DNC and transferring their booty to Wikileaks is absurd on its face for this reason: Assange announced on June 12th the impending release of Hillary-related emails. Yet the indictment claims that Guccifer 2.0 did not succeed in transferring the DNC emails to Wikileaks until the time period of July 14-18th – after which they were released online on July 22nd. Are we to suppose that Assange, a publisher of impeccable integrity, publicly announced the publication of emails he had not yet seen, and which he was obtaining from a source of murky provenance? And are we further to suppose that Wikileaks could have processed 20K emails and 20K attachments to ensure their genuineness in a period of only several days? As you will recall, Wikileaks subsequently took a number of weeks to process the Podesta emails they released in October.

And another peculiarity merits attention. Assange did not state on June 12th that he was releasing DNC emails – and yet Crowdstrike and the Guccifer 2.0 persona evidently knew that this was in store. A likely resolution of this conundrum is that US intelligence had been monitoring all communications to Wikileaks, and had informed the DNC that their hacked emails had been offered to Wikileaks. A further reasonable prospect is that US intelligence subsequently unmasked the leaker to the DNC; as Assange has strongly hinted, this likely was Seth Rich. This could explain Rich's subsequent murder, as Rich would have been in a position to unmask the Guccifer 2.0 hoax and the entire Russian hacking narrative.

https://medium.com/@markfmccarty/muellers-new-indictment-do-the-feds-take-us-for-idiots-5406ef955406

https://medium.com/@markfmccarty/how-did-crowdstrike-guccifer-2-0-know-that-wikileaks-was-planning-to-release-dnc-emails-42e6db334053

Sam F , March 13, 2019 at 7:06 pm

Curious that Assange has Not explicitly stated that the leaker was Seth Rich, if it was, as this would take pressure from himself and incriminate the DNC in the murder of Rich. Perhaps he doesn't know, and has the honor not to take the opportunity, or perhaps he knows that it was not Rich.

James Clooney , March 14, 2019 at 11:40 am

View the Dutch TV interview with Assange, and there is another interview available on YouTube in which Assange DOES subtly confirm it was Seth Rich.

Assange posted a $10,000 reward for the capture of Seth Rich's murderers.

Abby , March 13, 2019 at 10:11 pm

Another mistaken issue with the "Russia hacked the DNC computers on Trump's command" is that he never asked Russia to do that. His words were, "Russia if you 'find' Hillary's missing emails let us know." He said that after she advised congress that she wouldn't be turning in all of the emails they asked for because she deleted 30,000 of them and said that they were personal.

But if Mueller or the FBI wants to look at all of them they can find them at the NYC FBI office because they are on Weiner's laptop. Why? Because Hillary's aide Huma Abedin, Weiner's wife, sent them to it. Just another security risk that Hillary had because of her private email server. This is why Comey had to tell congress that more of them had been found 11 days before the election. If Comey hadn't done that then the FBI would have.

But did Comey or McCabe look at her emails there to see if any of them were classified? No they did not do that. And today we find out that Lisa Page told congress that it was Obama's decision not to charge Hillary for being grossly negligent on using her private email server. This has been known by congress for many months and now we know that the fix was always in for her to get off.

robert e williamson jr , March 13, 2019 at 3:26 pm

I want to thank you folks at VIPS. Like I have been saying for years now the relationship between CIA, NSA and DOJ is an incestuous one at best. A perverse corrupted bond to control the masses. A large group of religious fanatics who want things "ONE WAY". They are the facilitators for the rogue government known as the "DEEP STATE"!

Just ask billy barr.

More truth is a very good thing. I believe DOJ is supporting the intelligence community because of blackmail. They can't come clean because they all risk doing lots of time if a new judicial mechanism replaces them. We are in big trouble here.

Apparently the rule of law is not!

You folks that keep claiming we live in the post truth era! Get off me. Demand the truth and nothing else. Best be getting ready for the fight of your lives. The truth is you have to look yourself in the mirror every morning, deny that truth. The claim you are living in the post truth era is an admission your life is a lie. Now grab a hold of yourself, pick a dogdamned side and stand for something.

Thank You VIPS!

Joe Tedesky , March 13, 2019 at 2:58 pm

Hats off to the VIPS who have investigated this Russian hacking that wasn't a hacking, for without them what would we news junkies have otherwise to lift open the hood of Mueller's never ending Russia-gate investigation. Although the one thing this Russia-gate nonsense has accomplished is it has destroyed our freedom of speech when it comes to how we citizens gather our news. Much like everything else that has been done during these post 9/11 years of continual wars, our civil rights have been marginalized down to zero or, a bit above if that's even still an argument to be made for the sake of numbers.

Watching the Manafort sentencing is quite interesting for the fact that Manafort didn't collude in as much as he played fast and loose with his income. In fact maybe Manafort's case should have been prosecuted by the State Department or, how about the IRS? Also wouldn't it be worth investigating other Geopolitical Rain Makers like Manafort for similar crimes of financial wrongdoing? I mean is it possible Manafort is or was the only one of his type to do such dishonest things? In any case Manafort wasn't charged with colluding with any Russians in regard to the 2016 presidential election and, with that we all fall down.

I guess the best thing (not) that came out of this Russia-gate silliness is Rachel Maddow's TV ratings zoomed upwards. But I hate to tell you that the only ones buying what Ms Maddow is selling are the dyed in the wool Hillary supporters along with the chicken-hawks who rally to the MIC lobby for more war. It's all a game and yet there are many of us who just don't wish to play it but still we must, because no one will listen to the sanity that gets ignored. Keep up the good work VIPS, some of us are listening.

Andrew Thomas , March 13, 2019 at 12:42 pm

The article did not mention something called to my attention for the first time by one of the outstanding members of your commentariat just a couple of days ago: that Ambassador Murray stated publicly, over two years ago, that he had been given the thumb drive by a go-between in D.C. and had somehow gotten it to Wikileaks. And, that he has NEVER BEEN INTERVIEWED by Mueller & Company. I was blown away by this, and found the original articles just by googling Murray. The excuse given is that Murray "lacks credibility", or some such, because of his prior relationship with Assange and/or Wikileaks. This is so ludicrous I can't even get my head around it. And now, you have given me a new detail: the meeting with Pompeo, and the complete lack of follow-up thereafter. Here all this time I thought I was the most cynical SOB who existed, and now I feel as naive as when I was 13 and believed what Dean Rusk was saying like it was holy writ. I am in your debt.

Bob Van Noy , March 13, 2019 at 2:33 pm

Andrew Thomas, I'm afraid that huge amounts of our history post 1947 are organized and propagandized disinformation. There is an incredible page that John Simkin has organized over the years that specifically addresses individuals; click on a name and read about them. https://spartacus-educational.com/USAdisinformation.htm

Mark McCarty , March 13, 2019 at 4:18 pm

A small correction: the Daily Mail article regarding Murray claimed that Murray was given a thumbdrive which he subsequently carried back to Wikileaks. On his blog, Murray subsequently disputed this part of the story, indicating that, while he had met with a leaker or confederate of a leaker in Washington DC, the Podesta emails were already in possession of Wikileaks at the time. Murray refused to clarify the reason for his meeting with this source, but he is adamant in maintaining that the DNC and Podesta emails were leaked, not hacked.

And it is indeed ludicrous that Mueller, given the mandate to investigate the alleged Russian hacking of the DNC and Podesta, has never attempted to question either Assange or Murray. That in itself is enough for us to conclude that the Mueller investigation is a complete sham.

Ian Brown , March 13, 2019 at 4:43 pm

It's pretty astonishing that Mueller was more interested in Roger Stone and Jerome Corsi as credible sources about Wikileaks and the DNC release than Craig Murray!

LJ , March 13, 2019 at 12:29 pm

A guy comes in with a pedigree like that, """ former FBI head """, to examine and validate if possible an FBI sting manufactured off a phony FISA indictment based on the Steele Report. It immediately reminded me of the 9-11 Commission with Thomas Kean, former Board member of the National Endowment for Democracy, being appointed by GW Bush the Simple to head an investigation that he had previously said he did not want to authorize (and of course bipartisan yes man Lee Hamilton as #2, lest we forget). Really this should be seen as another low point in our Democracy. Uncle Sam is the Limbo Man. How low can you go?

After Bill and Hillary and Monica and Paula Jones and Blue Dresses well, Golden Showers in a Moscow luxury hotel, I guess that make it just salacious enough.

Mueller looks just like what he is. He has that same phony self important air as Comey. In 2 years this will be forgotten. I do not think this hurts Trump's chances at re-election as much as the Democrats are hurting themselves. This has already gone on way too long.

Drew Hunkins , March 13, 2019 at 11:59 am

Mueller has nothing and he well knows it. He was willingly roped into this whole pathetic charade and he's left grasping for anything remotely tied to Trump campaign officials and Russians.

Even the most tenuous connections and weak relationships are splashed across the mass media in breathless headlines. Meanwhile, NONE of the supposed skulduggery unearthed by Mueller has anything to do with the Kremlin "hacking" the election to favor Trump, which was the entire raison d'etre behind Rosenstein, Brennan, Podesta and Mueller's crusade on behalf of the deplorable DNC and Washington militarist-imperialists. It will be fascinating to witness how Mueller and his crew ultimately extricate themselves from this giant fraudulent edifice of deceit. Will they even be able to save the most rudimentary amount of face?

So sickening to see the manner in which many DNC sycophants obsequiously genuflect to their godlike Mueller. A damn prosecutor who was likely in bed with the Winter Hill Gang.

Jack , March 13, 2019 at 12:21 pm

You have failed. An investigation is just that, a finding of the facts. What would Mueller have to extricate himself from? If nothing is found, he has still done his job. You are a divisive idiot.

Skip Scott , March 13, 2019 at 1:13 pm

Yes, he has done his job. And his job was to bring his royal Orangeness to heel, and to make sure that detente and co-operation with Russia remained impossible. The forever war continues. Mission Accomplished.

Drew Hunkins , March 13, 2019 at 2:12 pm

@Jack,
Keep running cover for an out of control prosecutor, who, if he had any integrity, would have hit the bully pulpit months ago declaring there's nothing of substance to one of the most potentially dangerous accusations in world history: the Kremlin hacking the election. Last I checked it puts two nuclear nation-states on the brink of potential war. And you call me divisive? Mueller's now a willing accomplice to this entire McCarthyite smear and disinformation campaign. It's all so pathetic that folks such as yourself try and mislead and feed half-truths to the people.

You're failing Jack, in more ways than you know.

Gregory Herr , March 13, 2019 at 9:13 pm

https://www.kcrw.com/culture/shows/scheer-intelligence/liberals-are-digging-their-own-grave-with-russiagate-2019-03-08

Drew, you might enjoy this discussion Robert Scheer has with Stephen Cohen and Katrina vanden Heuvel.

Realist , March 15, 2019 at 3:38 am

Moreover, as the Saker pointed out in his most recent column in the Unz Review, the entire Deep State conspiracy, in an ad hoc alliance with the embarrassed and embarrassing Democrats, have made an absolute sham of due process in their blatant witch hunt to bag the president. This reached an apex when his personal lawyer, Mr. Cohen, was trotted out before congress to violate Trump's confidentiality in every mortifying way he could even vaguely reconstruct. The man was expected to say anything to mitigate the anticipated tortures to come in the course of this modern day inquisition by our latter day Torquemada. To his credit though, even with his ass in a sling, he could simply not confabulate the smoking gun evidence for the alleged Russian collusion that this whole farce was built around.

Tom , March 14, 2019 at 12:30 pm

Mueller stood with Bush as he lied the world into war based on lies and illegally spied on America and tortured some folks.

George Collins , March 13, 2019 at 2:02 pm

QED: as to the nexus with the Winter Hill gang, wasn't there litigation involving the Boston FBI, condonation of murder by the FBI and damages awarded to or on behalf of convicted parties that the FBI had reason to know were innocent? The malfeasance reportedly occurred during Mueller time. Further on the sanctified diligence of Mr. Mueller can be gleaned from the reports of Coleen Rowley, former FBI attorney stationed in Milwaukee??? when the DC FBI office was ignoring warnings sent about 9/11. See also Sibel Edmonds, who knew too much and was court-order muzzled about FBI mis/malfeasance in the aftermath of 9/11.

I'd say it's game, set, match VIPS and a pox on Clapper and the intelligence folk complicit in the nuclear loaded Russia-gate fibs.

Kiers , March 13, 2019 at 11:47 am

How can we expect the DNC to "hand it " to Trumpf, when, behind the scenes, THEY ARE ONE PARTY. They are throwing faux-scary pillow bombs at each other because they are both complicit in a long chain of corruptions. Business as usual for the "principled" two party system! Democracy! Through the gauze of corporate media! You must be joking!

Skip Scott , March 13, 2019 at 11:28 am

"We believe that there are enough people of integrity in the Department of Justice to prevent the outright manufacture or distortion of "evidence," particularly if they become aware that experienced scientists have completed independent forensic studies that yield very different conclusions."

I wish I shared this belief. However, as with Nancy Pelosi's recent statement regarding pursuing impeachment, I smell a rat. I believe with the help of what the late Robert Parry called "the Mighty Wurlitzer", Mueller is going to use coerced false testimony and fabricated forensics to drop a bombshell the size of 9/11. I think Nancy's statement was just a feint before throwing the knockout punch.

If reason ruled the day, we should have nothing to worry about. But considering all the perfidy that the so-called "Intelligence" Agencies and their MSM lackeys get away with daily, I think we are in for more theater; and I think VIPS will receive a cold shoulder outside of venues like CN.

I pray to God I'm wrong.

Sam F , March 13, 2019 at 7:32 pm

My extensive experience with DOJ and the federal judiciary establishes that at least 98% of them are dedicated career liars, engaged in organized crime to serve political gangs, and make only a fanatical pretense of patriotism or legality. They are loyal to money alone, deeply cynical and opposed to the US Constitution and laws, with no credibility at all beyond any real evidence.

Eric32 , March 14, 2019 at 4:24 pm

As near as I can see, Federal Govt. careers at the higher levels depend on having dirt on other players, and helping, not hurting, the money/power schemes of the players above you.

The Clintons (through their foundation) apparently have a lot of corruption dirt on CIA, FBI etc. top players, some of whom somehow became multi-millionaires during their civil service careers.

Trump, who was only running for President as a name brand marketing ploy with little desire to actually win, apparently came into the Presidency with no dirt arsenal and little idea of where to go from there.

Bob Van Noy , March 13, 2019 at 11:09 am

I remember reading with dismay how Russians were propagandized by the Soviet Press Management only to find out later the depth of disbelief within the Russian population itself. We now know what that feels like. The good part of this disastrous scenario for America is that for careful readers, disinformation becomes revelatory. For instance, if one reads an editorial that refers to the Russian invasion of Ukraine, or continually refers to Russian interference in the last Presidential election, then one can immediately dismiss the article and question the motivation for the presentation. Of course the problem is how to establish truth in reporting.

Jeff Harrison , March 13, 2019 at 10:41 am

Thank you, VIPS. Hopefully, you don't expect this to make a difference. The US has moved into a post truth, post reality existence best characterized by Karl Rove's declaration: "we're an empire now, when we act, we create our own reality." What Mr. Rove in his arrogance fails to appreciate is that it is his reality but not anyone else's. Thus Pompous can claim that Guaido is the democratic leader in Venezuela even though he's never been elected.

Gary Weglarz , March 13, 2019 at 10:21 am

Thank you. The next time one of my friends or family gives me that glazed over stare and utters any more of the "but, RUSSIA" nonsense I will refer them directly to this article. Your collective work and ethical stand on this matter is deeply appreciated by anyone who values the truth.

Russiagate stands with past government propaganda operations that were simply made up out of thin air: i.e. Kuwaiti incubator babies, WMD's, Gaddafi's viagra fueled rape camps, Assad can't sleep at night unless he's gassing his own people, to the latest, "Maduro can't sleep at night unless he's starving his own people."

The complete and utter amorality of the deep state remains on display for all to see with "Russiagate," which is as fact-free a propaganda campaign as any of those just mentioned.

Marc , March 13, 2019 at 10:13 am

I am a computer naif, so I am prepared to accept the VIPS analysis about FAT and transfer rates. However, the presentation here leaves me with several questions. First, do I understand correctly that the FAT rounding to even numbers is introduced by the thumb drive? And if so, does the FAT analysis show only that the DNC data passed through a thumb drive? That is, does the analysis distinguish whether the DNC data were directly transferred to a thumb drive, or whether the data were hacked and then transferred to a thumb drive, e.g., to give a copy to Wikileaks? Second, although the transatlantic transfer rate is too slow to fit some time stamps, is it possible that the data were hacked onto a local computer that was under the control of some faraway agent?

Jeff Harrison , March 13, 2019 at 11:12 am

Not quite. FAT is the crappy storage system developed by Microsoft (and not used by UNIX). The metadata associated with any file gets rewritten when it gets moved. If that movement is to a storage device that uses FAT, the timestamp on the file will end in an even number. If it were moved to a unix server (and most of the major servers run Unix) it would be in the UFS (unix file system) and it would be the actual time from the system clock. Every storage device has a utility that tells it where to write the data and what to write. Since it's writing to a storage device using FAT, it'll round the numbers. To get to your real question, yes, you could hack and then transfer the data to a thumb drive but if you did that the dates wouldn't line up.
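An added example, not part of the comment thread or of the VIPS memo, covering the FAT rounding that Marc asks about and Jeff Harrison describes above. It assumes only the documented FAT directory-entry layout: a 16-bit date word and a 16-bit time word in which the seconds field holds seconds divided by two, so a file timestamp that has been written to a FAT volume always reads back with an even second. The script encodes and decodes that format and runs a simple consistency check over a list of modification times; the sample times are constructed for illustration and are not real DNC file metadata.

```python
"""FAT (DOS) timestamp encoding and a forensic consistency check.

Added example (not the commenters' or the VIPS memo's code).  It relies on
the on-disk FAT directory-entry format: a 16-bit date word and a 16-bit time
word whose low 5 bits hold seconds // 2, giving 2-second resolution.
"""
from __future__ import annotations

from datetime import datetime


def fat_encode(dt: datetime) -> tuple[int, int]:
    """Pack a datetime into FAT's (date_word, time_word) pair.

    Date word: bits 15-9 year-1980, bits 8-5 month, bits 4-0 day.
    Time word: bits 15-11 hour, bits 10-5 minute, bits 4-0 second // 2.
    An odd second is truncated to the even second just below it.
    """
    if not 1980 <= dt.year <= 2107:
        raise ValueError("FAT dates cover 1980..2107 only")
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word


def fat_decode(date_word: int, time_word: int) -> datetime:
    """Unpack a FAT (date_word, time_word) pair back into a datetime."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def fat_roundtrip(dt: datetime) -> datetime:
    """The timestamp as it reads back after a write to a FAT volume."""
    return fat_decode(*fat_encode(dt))


def fat_consistency(timestamps: list[datetime]) -> dict:
    """Check whether a set of mtimes is consistent with a FAT hop.

    A single odd second rules out FAT for that file.  An all-even set is
    consistent with FAT, but note the chance that n unfiltered timestamps
    are all even by accident (1 in 2**n); the check is evidence, not proof,
    and it cannot say how the files reached the FAT volume.
    """
    even = sum(1 for t in timestamps if t.second % 2 == 0)
    odd = len(timestamps) - even
    return {
        "files": len(timestamps),
        "even_seconds": even,
        "odd_seconds": odd,
        "consistent_with_fat": odd == 0,
        "chance_all_even_if_unfiltered": 0.5 ** len(timestamps) if timestamps else 1.0,
    }


# Constructed sample mtimes (not real metadata): ten files, half with odd seconds.
SAMPLE_UNFILTERED = [datetime(2016, 7, 5, 18, 39, s) for s in range(10)]
# The same files after a copy to a FAT volume: every second is now even.
SAMPLE_AFTER_FAT = [fat_roundtrip(t) for t in SAMPLE_UNFILTERED]

if __name__ == "__main__":
    print("before FAT:", fat_consistency(SAMPLE_UNFILTERED))
    print("after FAT: ", fat_consistency(SAMPLE_AFTER_FAT))
```

The check answers only the narrow question the thread is arguing about: whether a given set of timestamps could have been written through a FAT volume. It says nothing about how the files got there, which is the point Marc raises and David G repeats below.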

Skip Scott , March 14, 2019 at 8:05 am

Jeff-

Which dates wouldn't line up? Is there a history of metadata available, or just metadata for the most recent move?

David G , March 13, 2019 at 12:22 pm

Marc asks: "[D]oes the analysis distinguish whether the DNC data were directly transferred to a thumb drive, or whether the data were hacked and then transferred to a thumb drive, e.g., to give a copy to Wikileaks?"

I asked that question in comments under a previous CN piece; other people have asked that question elsewhere.

To my knowledge, it hasn't been addressed directly by the VIPS, and I think they should do so. (If they already have, someone please enlighten me.)

Skip Scott , March 13, 2019 at 1:07 pm

I am no computer wiz, but Binney has repeatedly made the point that the NSA scoops up everything. If there had been a hack, they'd know it, and they wouldn't only have had "moderate" confidence in the Jan. assessment. I believe that although farfetched, an argument could be made that a Russian spy got into the DNC, loaded a thumb drive, and gave it to Craig Murray.

David G , March 13, 2019 at 3:31 pm

Respectfully, that's a separate point, which may or may not raise issues of its own.

But I think the question Marc posed stands.

Skip Scott , March 14, 2019 at 7:59 am

Hi David-

I don't see how it's separate. If the NSA scoops up everything, they'd have solid evidence of the hack, and wouldn't have only had "moderate" confidence, which Bill Binney says is equivalent to them saying "we don't have squat". They wouldn't even have needed Mueller at all, except to possibly build a "parallel case" due to classification issues. Also, the FBI not demanding direct access to the DNC server tells you something is fishy. They could easily have gotten a warrant to examine the server, but chose not to. They also purposely refuse to get testimony from Craig Murray and Julian Assange, which rings alarm bells on its own.

As for the technical aspect of Marc's question, I agree that I'd like to see Bill Binney directly answer it.

[Mar 17, 2019] VIPS- Mueller's Forensics-Free Findings

Highly recommended!
Mar 13, 2019 | Consortiumnews

The final Mueller report should be graded "incomplete," says VIPS, whose forensic work proves the speciousness of the story that DNC emails published by WikiLeaks came from Russian hacking.

MEMORANDUM FOR: The Attorney General

FROM: Veteran Intelligence Professionals for Sanity (VIPS)

SUBJECT: Mueller's Forensics-Free Findings

Executive Summary

Media reports are predicting that Special Counsel Robert Mueller is about to give you the findings of his probe into any links and/or coordination between the Russian government and individuals associated with the campaign of President Donald Trump. If Mueller gives you his "completed" report anytime soon, it should be graded "incomplete."

Major deficiencies include depending on a DNC-hired cybersecurity company for forensics and failure to consult with those who have done original forensic work, including us and the independent forensic investigators with whom we have examined the data. We stand ready to help.

We veteran intelligence professionals (VIPS) have done enough detailed forensic work to prove the speciousness of the prevailing story that the DNC emails published by WikiLeaks came from Russian hacking. Given the paucity of evidence to support that story, we believe Mueller may choose to finesse this key issue and leave everyone hanging. That would help sustain the widespread belief that Trump owes his victory to President Vladimir Putin, and strengthen the hand of those who pay little heed to the unpredictable consequences of an increase in tensions with nuclear-armed Russia.

There is an overabundance of "assessments" but a lack of hard evidence to support that prevailing narrative. We believe that there are enough people of integrity in the Department of Justice to prevent the outright manufacture or distortion of "evidence," particularly if they become aware that experienced scientists have completed independent forensic studies that yield very different conclusions. We know only too well -- and did our best to expose -- how our former colleagues in the intelligence community manufactured fraudulent "evidence" of weapons of mass destruction in Iraq.

We have scrutinized publicly available physical data -- the "trail" that every cyber operation leaves behind. And we have had support from highly experienced independent forensic investigators who, like us, have no axes to grind. We can prove that the conventional-wisdom story about Russian-hacking-DNC-emails-for-WikiLeaks is false. Drawing largely on the unique expertise of two VIPS scientists who worked for a combined total of 70 years at the National Security Agency and became Technical Directors there, we have regularly published our findings. But we have been deprived of a hearing in mainstream media -- an experience painfully reminiscent of what we had to endure when we exposed the corruption of intelligence before the attack on Iraq 16 years ago.

This time, with the principles of physics and forensic science to rely on, we are able to adduce solid evidence exposing mistakes and distortions in the dominant story. We offer you below -- as a kind of aide-memoire -- a discussion of some of the key factors related to what has become known as "Russia-gate." And we include our most recent findings drawn from forensic work on data associated with WikiLeaks' publication of the DNC emails.

We do not claim our conclusions are "irrefutable and undeniable," a la Colin Powell at the UN before the Iraq war. Our judgments, however, are based on the scientific method -- not "assessments." We decided to put this memorandum together in hopes of ensuring that you hear that directly from us.

If the Mueller team remains reluctant to review our work -- or even to interview willing witnesses with direct knowledge, like WikiLeaks' Julian Assange and former UK Ambassador Craig Murray, we fear that many of those yearning earnestly for the truth on Russia-gate will come to the corrosive conclusion that the Mueller investigation was a sham.

In sum, we are concerned that, at this point, an incomplete Mueller report will fall far short of the commitment made by then Acting Attorney General Rod Rosenstein "to ensure a full and thorough investigation," when he appointed Mueller in May 2017. Again, we are at your disposal.

Discussion

The centerpiece accusation of Kremlin "interference" in the 2016 presidential election was the charge that Russia hacked Democratic National Committee emails and gave them to WikiLeaks to embarrass Secretary Hillary Clinton and help Mr. Trump win. The weeks following the election witnessed multiple leak-based media allegations to that effect. These culminated on January 6, 2017 in an evidence-light, rump report misleadingly labeled "Intelligence Community Assessment (ICA)." Prepared by "handpicked analysts" from only three of the 17 U.S. intelligence agencies (CIA, FBI, and NSA), the assessment expressed "high confidence" in the Russia-hacking-to-WikiLeaks story, but lacked so much as a hint that the authors had sought access to independent forensics to support their "assessment."

The media immediately awarded the ICA the status of Holy Writ, choosing to overlook an assortment of banal, full-disclosure-type caveats included in the assessment itself -- such as:

"When Intelligence Community analysts use words such as 'we assess' or 'we judge,' they are conveying an analytic assessment or judgment. Judgments are not intended to imply that we have proof that shows something to be a fact. Assessments are based on collected information, which is often incomplete or fragmentary. ... High confidence in a judgment does not imply that the assessment is a fact or a certainty; such judgments might be wrong."

To their credit, however, the authors of the ICA did make a highly germane point in introductory remarks on "cyber incident attribution." They noted: "The nature of cyberspace makes attribution of cyber operations difficult but not impossible. Every kind of cyber operation -- malicious or not -- leaves a trail." [Emphasis added.]

Forensics

The imperative is to get on that "trail" -- and quickly, before red herrings can be swept across it. The best way to establish attribution is to apply the methodology and processes of forensic science. Intrusions into computers leave behind discernible physical data that can be examined scientifically by forensic experts. Risk to "sources and methods" is normally not a problem.

Direct access to the actual computers is the first requirement -- the more so when an intrusion is termed "an act of war" and blamed on a nuclear-armed foreign government (the words used by the late Sen. John McCain and other senior officials). In testimony to the House Intelligence Committee in March 2017, former FBI Director James Comey admitted that he did not insist on physical access to the DNC computers even though, as he conceded, "best practices" dictate direct access.

In June 2017, Senate Intelligence Committee Chair Richard Burr asked Comey whether he ever had "access to the actual hardware that was hacked." Comey answered, "In the case of the DNC we did not have access to the devices themselves. We got relevant forensic information from a private party, a high-class entity, that had done the work." Sen. Burr followed up: "But no content? Isn't content an important part of the forensics from a counterintelligence standpoint?" Comey: "It is, although what was briefed to me by my folks is that they had gotten the information from the private party that they needed to understand the intrusion by the spring of 2016."

The "private party/high-class entity" to which Comey refers is CrowdStrike, a cybersecurity firm of checkered reputation and multiple conflicts of interest, including very close ties to a number of key anti-Russian organizations. Comey indicated that the DNC hired CrowdStrike in the spring of 2016.

Given the stakes involved in the Russia-gate investigation -- including a possible impeachment battle and greatly increased tension between Russia and the U.S. -- it is difficult to understand why Comey did not move quickly to seize the computer hardware so the FBI could perform an independent examination of what quickly became the major predicate for investigating election interference by Russia. Fortunately, enough data remain on the forensic "trail" to arrive at evidence-anchored conclusions. The work we have done shows the prevailing narrative to be false. We have been suggesting this for over two years. Recent forensic work significantly strengthens that conclusion.

We Do Forensics

Recent forensic examination of the Wikileaks DNC files shows they were created on 23, 25 and 26 May 2016. (On June 12, Julian Assange announced he had them; WikiLeaks published them on July 22.) We recently discovered that the files reveal a FAT (File Allocation Table) system property. This shows that the data had been transferred to an external storage device, such as a thumb drive, before WikiLeaks posted them.

FAT is a simple file system named for its method of organization, the File Allocation Table. It is used for storage only and is not related to internet transfers like hacking. Were WikiLeaks to have received the DNC files via a hack, the last modified times on the files would be a random mixture of odd- and even-ending numbers.

Why is that important? The evidence lies in the "last modified" time stamps on the Wikileaks files. When a file is stored under the FAT file system the software rounds the time to the nearest even-numbered second. Every single one of the time stamps in the DNC files on WikiLeaks' site ends in an even number.

We have examined 500 DNC email files stored on the Wikileaks site. All 500 files end in an even number -- 2, 4, 6, 8 or 0. If those files had been hacked over the Internet, there would be an equal probability of the time stamp ending in an odd number. The random probability that FAT was not used is 1 chance in 2 to the 500th power. Thus, these data show that the DNC emails posted by WikiLeaks went through a storage device, like a thumb drive, and were physically moved before Wikileaks posted the emails on the World Wide Web.

This finding alone is enough to raise reasonable doubts, for example, about Mueller's indictment of 12 Russian intelligence officers for hacking the DNC emails given to WikiLeaks. A defense attorney could easily use the forensics to argue that someone copied the DNC files to a storage device like a USB thumb drive and got them physically to WikiLeaks -- not electronically via a hack.

Role of NSA

For more than two years, we strongly suspected that the DNC emails were copied/leaked in that way, not hacked. And we said so. We remain intrigued by the apparent failure of NSA's dragnet, collect-it-all approach -- including "cast-iron" coverage of WikiLeaks -- to provide forensic evidence (as opposed to "assessments") as to how the DNC emails got to WikiLeaks and who sent them. Well before the telling evidence drawn from the use of FAT, other technical evidence led us to conclude that the DNC emails were not hacked over the network, but rather physically moved over, say, the Atlantic Ocean.

Is it possible that NSA has not yet been asked to produce the collected packets of DNC email data claimed to have been hacked by Russia? Surely, this should be done before Mueller completes his investigation. NSA has taps on all the transoceanic cables leaving the U.S. and would almost certainly have such packets if they exist. (The detailed slides released by Edward Snowden actually show the routes that trace the packets.)

The forensics we examined shed no direct light on who may have been behind the leak. The only thing we know for sure is that the person had to have direct access to the DNC computers or servers in order to copy the emails. The apparent lack of evidence from the most likely source, NSA, regarding a hack may help explain the FBI's curious preference for forensic data from CrowdStrike. No less puzzling is why Comey would choose to call CrowdStrike a "high-class entity."

Comey was one of the intelligence chiefs briefing President Obama on January 5, 2017 on the "Intelligence Community Assessment," which was then briefed to President-elect Trump and published the following day. That Obama found a key part of the ICA narrative less than persuasive became clear at his last press conference (January 18), when he told the media, "The conclusions of the intelligence community with respect to the Russian hacking were not conclusive as to how 'the DNC emails that were leaked' got to WikiLeaks."

Is Guccifer 2.0 a Fraud?

There is further compelling technical evidence that undermines the claim that the DNC emails were downloaded over the internet as a result of a spearphishing attack. William Binney, one of VIPS' two former Technical Directors at NSA, along with other former intelligence community experts, examined files posted by Guccifer 2.0 and discovered that those files could not have been downloaded over the internet. It is a simple matter of mathematics and physics.

There was a flurry of activity after Julian Assange announced on June 12, 2016: "We have emails relating to Hillary Clinton which are pending publication." On June 14, DNC contractor CrowdStrike announced that malware was found on the DNC server and claimed there was evidence it was injected by Russians. On June 15, the Guccifer 2.0 persona emerged on the public stage, affirmed the DNC statement, claimed to be responsible for hacking the DNC, claimed to be a WikiLeaks source, and posted a document that forensics show was synthetically tainted with "Russian fingerprints."

Our suspicions about the Guccifer 2.0 persona grew when G-2 claimed responsibility for a "hack" of the DNC on July 5, 2016, which released DNC data that was rather bland compared to what WikiLeaks published 17 days later (showing how the DNC had tipped the primary scales against Sen. Bernie Sanders). As VIPS reported in a wrap-up Memorandum for the President on July 24, 2017 (titled "Intel Vets Challenge 'Russia Hack' Evidence"), forensic examination of the July 5, 2016 cyber intrusion into the DNC showed it NOT to be a hack by the Russians or by anyone else, but rather a copy onto an external storage device. It seemed a good guess that the July 5 intrusion was a contrivance to preemptively taint anything WikiLeaks might later publish from the DNC, by "showing" it came from a "Russian hack." WikiLeaks published the DNC emails on July 22, three days before the Democratic convention.

As we prepared our July 24 memo for the President, we chose to begin by taking Guccifer 2.0 at face value; i.e., that the documents he posted on July 5, 2016 were obtained via a hack over the Internet. Binney conducted a forensic examination of the metadata contained in the posted documents and compared that metadata with the known capacity of Internet connection speeds at the time in the U.S. This analysis showed a transfer rate as high as 49.1 megabytes per second, which is much faster than was possible from a remote online Internet connection. The 49.1 megabytes speed coincided, though, with the rate that copying onto a thumb drive could accommodate.

Binney, assisted by colleagues with relevant technical expertise, then extended the examination and ran various forensic tests from the U.S. to the Netherlands, Albania, Belgrade and the UK. The fastest Internet rate obtained -- from a data center in New Jersey to a data center in the UK -- was 12 megabytes per second, which is less than a fourth of the capacity typical of a copy onto a thumb drive.

The findings from the examination of the Guccifer 2.0 data and the WikiLeaks data do not indicate who copied the information to an external storage device (probably a thumb drive). But our examination does disprove that G.2 hacked into the DNC on July 5, 2016. Forensic evidence for the Guccifer 2.0 data adds to other evidence that the DNC emails were not taken by an internet spearphishing attack. The data breach was local. The emails were copied from the network.

Presidential Interest

After VIPS' July 24, 2017 Memorandum for the President, Binney, one of its principal authors, was invited to share his insights with Mike Pompeo, CIA Director at the time. When Binney arrived in Pompeo's office at CIA Headquarters on October 24, 2017 for an hour-long discussion, the director made no secret of the reason for the invitation: "You are here because the President told me that if I really wanted to know about Russian hacking I needed to talk with you."

Binney warned Pompeo -- to stares of incredulity -- that his people should stop lying about the Russian hacking. Binney then started to explain the VIPS findings that had caught President Trump's attention. Pompeo asked Binney if he would talk to the FBI and NSA. Binney agreed, but has not been contacted by those agencies. With that, Pompeo had done what the President asked. There was no follow-up.

Confronting James Clapper on Forensics

We, the hoi polloi, do not often get a chance to talk to people like Pompeo -- and still less to the former intelligence chiefs who are the leading purveyors of the prevailing Russia-gate narrative. An exception came on November 13, when former National Intelligence Director James Clapper came to the Carnegie Endowment in Washington to hawk his memoir. Answering a question during the Q&A about Russian "hacking" and NSA, Clapper said:

"Well, I have talked with NSA a lot ... And in my mind, I spent a lot of time in the SIGINT business, the forensic evidence was overwhelming about what the Russians had done. There's absolutely no doubt in my mind whatsoever." [Emphasis added]

Clapper added: "... as a private citizen, understanding the magnitude of what the Russians did and the number of citizens in our country they reached and the different mechanisms that, by which they reached them, to me it stretches credulity to think they didn't have a profound impact on election on the outcome of the election."

(A transcript of the interesting Q&A can be found here, and a commentary on Clapper's performance at Carnegie, as well as on his longstanding lack of credibility, is here.)

Normally soft-spoken Ron Wyden, Democratic senator from Oregon, lost his patience with Clapper last week when he learned that Clapper is still denying that he lied to the Senate Intelligence Committee about the extent of NSA surveillance of U.S. citizens. In an unusual outburst, Wyden said: "James Clapper needs to stop making excuses for lying to the American people about mass surveillance. To be clear: I sent him the question in advance. I asked him to correct the record afterward. He chose to let the lie stand."

The materials brought out by Edward Snowden in June 2013 showed Clapper to have lied under oath to the committee on March 12, 2013; he was, nevertheless, allowed to stay on as Director of National Intelligence for three and a half more years. Clapper fancies himself an expert on Russia, telling Meet the Press on May 28, 2017 that Russia's history shows that Russians are "typically, almost genetically driven to co-opt, penetrate, gain favor, whatever."

Clapper ought to be asked about the "forensics" he said were "overwhelming about what the Russians had done." And that, too, before Mueller completes his investigation.

For the steering group, Veteran Intelligence Professionals for Sanity:

Veteran Intelligence Professionals for Sanity (VIPS) is made up of former intelligence officers, diplomats, military officers and congressional staffers. The organization, founded in 2002, was among the first critics of Washington's justifications for launching a war against Iraq. VIPS advocates a US foreign and national security policy based on genuine national interests rather than contrived threats promoted for largely political reasons. An archive of VIPS memoranda is available at Consortiumnews.com.

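The even-second argument in the memo above rests on a property of the FAT on-disk format: a directory entry's 16-bit time word has only five bits for seconds, stored in two-second units, so any timestamp written to FAT comes back with an even second. The following Python example is added here and is not part of the memo; it decodes and encodes that field and runs the even/odd count the memo describes over constructed timestamps.

```python
from datetime import datetime
from fractions import Fraction
from typing import Dict, Iterable, Tuple

FAT_EPOCH_YEAR = 1980  # FAT stores the year in 7 bits as an offset from 1980


def decode_fat_datetime(date_word: int, time_word: int) -> datetime:
    """Decode the 16-bit DOS date and time words of a FAT directory entry.

    date: bits 15-9 year-1980, bits 8-5 month, bits 4-0 day
    time: bits 15-11 hours, bits 10-5 minutes, bits 4-0 seconds / 2
    Only five bits exist for seconds, so the field can express even seconds only.
    """
    if not (0 <= date_word <= 0xFFFF and 0 <= time_word <= 0xFFFF):
        raise ValueError("date and time words are 16-bit fields")
    year = FAT_EPOCH_YEAR + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)  # raises on invalid entries


def encode_fat_datetime(dt: datetime) -> Tuple[int, int]:
    """Pack a datetime into FAT date/time words; the odd-second bit has nowhere to go."""
    if not FAT_EPOCH_YEAR <= dt.year < FAT_EPOCH_YEAR + 128:
        raise ValueError("year not representable in a FAT directory entry")
    date_word = ((dt.year - FAT_EPOCH_YEAR) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word


def stored_on_fat(dt: datetime) -> datetime:
    """The timestamp a file carries after a round trip through a FAT directory entry."""
    return decode_fat_datetime(*encode_fat_datetime(dt))


def even_second_report(mtimes: Iterable[datetime]) -> Dict[str, object]:
    """Count even- and odd-second timestamps, as the memo does, and give the chance
    that an all-even result arises from seconds that are uniformly random."""
    times = list(mtimes)
    even = sum(1 for t in times if t.second % 2 == 0)
    n = len(times)
    return {
        "n": n,
        "even": even,
        "odd": n - even,
        "all_even": n > 0 and even == n,
        "p_all_even_by_chance": Fraction(1, 2 ** n),
    }


# Constructed sample: ten files written one second apart on a non-FAT file system.
SAMPLE_ORIGINAL = [datetime(2016, 5, 23, 13, 41, s) for s in range(10)]

if __name__ == "__main__":
    copied = [stored_on_fat(t) for t in SAMPLE_ORIGINAL]
    print("before FAT:", even_second_report(SAMPLE_ORIGINAL))
    print("after FAT: ", even_second_report(copied))
```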


[Jan 29, 2019] RHEL7 is a fine OS, the only thing it's missing is a really good init system.

Highly recommended!
Or in other words, a simple, reliable and clear solution (which has some faults due to its age) was replaced with a gigantic KISS violation. No engineer worth the name will ever do that. And if it needs doing, any good engineer will make damned sure to achieve maximum compatibility and a clean way back. The systemd people seem to be hell-bent on making it as hard as possible to not use their monster. That alone is a good reason to stay away from it.
Notable quotes:
"... We are systemd. Lower your memory locks and surrender your processes. We will add your calls and code distinctiveness to our own. Your functions will adapt to service us. Resistance is futile. ..."
"... I think we should call systemd the Master Control Program since it seems to like making other programs functions its own. ..."
"... RHEL7 is a fine OS, the only thing it's missing is a really good init system. ..."
Oct 14, 2018 | linux.slashdot.org

Reverend Green (4973045), Monday December 11, 2017 @04:48AM (#55714431)

Re: Does systemd make ... (Score: 5, Funny)

Systemd is nothing but a thinly-veiled plot by Vladimir Putin and Beyonce to import illegal German Nazi immigrants over the border from Mexico who will then corner the market in kimchi and implement Sharia law!!!

Anonymous Coward, Monday December 11, 2017 @01:38AM (#55714015)

Re: It violates fundamental Unix principles (Score: 4, Funny)

The Emacs of the 2010s.

DontBeAMoran (4843879), Monday December 11, 2017 @01:57AM (#55714059)

Re: It violates fundamental Unix principles (Score: 5, Funny)

We are systemd. Lower your memory locks and surrender your processes. We will add your calls and code distinctiveness to our own. Your functions will adapt to service us. Resistance is futile.

serviscope_minor (664417), Monday December 11, 2017 @04:47AM (#55714427) Journal

Re: It violates fundamental Unix principles (Score: 4, Insightful)

I think we should call systemd the Master Control Program since it seems to like making other programs functions its own.

Anonymous Coward, Monday December 11, 2017 @01:47AM (#55714035)

Don't go hating on systemd (Score: 5, Funny)

RHEL7 is a fine OS, the only thing it's missing is a really good init system.

[Jan 26, 2019] Systemd developers don't want to replace the kernel, they are more than happy to leverage Linus's good work on what they see as a collection of device drivers

Jan 26, 2019 | blog.erratasec.com

John Morris said...

They don't want to replace the kernel, they are more than happy to leverage Linus's good work on what they see as a collection of device drivers. No, they want to replace the GNU/X in the traditional Linux/GNU/X arrangement. All of the command line tools, up to and including bash, are to go, replaced with the more Windows-like tools most of the systemd developers grew up on, while X and the desktop environments all get rubbished for Wayland and GNOME3.

And I would wish them luck, the world could use more diversity in operating systems. So long as they stayed the hell over at RedHat and did their grand experiment and I could still find a Linux/GNU/X distribution to run. But they had to be borg and insist that all must bend the knee and to that I say HELL NO!

[Jan 26, 2019] The coming enhancement to systemd

Jan 26, 2019 | blog.erratasec.com

Siegfried Kiermayer said...

I'm waiting for pulse audio being included in systemd to have proper a boot sound :D

[Jan 26, 2019] Errata Security About the systemd controversy...

Aug 30, 2015 | www.agwa.name

This is the core system within systemd that allows different bits of userspace to talk to each other. But it's got problems. A demonstration of the D-Bus problem is the recent Jeep hack by researchers Charlie Miller and Chris Valasek. The root problem was that D-Bus was openly (without authentication) accessible from the Internet.

Likewise, the "AllJoyn" system for the "Internet of Things" opens up D-Bus on the home network. D-Bus indeed simplifies communication within userspace, but its philosophy is to put all your eggs in one basket, then drop the basket.

[Jan 26, 2019] Systemd is not Magic Security Dust by Andrew Ayer

Oct 02, 2016 | www.agwa.name

Systemd maintainer David Strauss has published a response to my blog post about systemd. The first part of his post is replete with ad hominem fallacies, strawmen, and factual errors. Ironically, in the same breath that he attacks me for not understanding the issues around threads and umasks, he betrays an ignorance of how the very project which he works on uses threads and umasks. This doesn't deserve a response beyond what I've called out on Twitter.

In the second part of his blog post, Strauss argues that systemd improves security by making it easy to apply hardening techniques to the network services which he calls the "keepers of data attackers want." According to Strauss, I'm "fighting one of the most powerful tools we have to harden the front lines against the real attacks we see every day." Although systemd does make it easy to restrict the privileges of services, Strauss vastly overstates the value of these features.

The best systemd can offer is whole application sandboxing. You can start a daemon as a non-root user, in a restricted filesystem namespace, with mandatory access control. Sandboxing an entire application is an effective way to run potentially malicious code, since it protects other applications from the malicious one. This makes sandboxing useful on smartphones, which need to run many different untrustworthy, single-user applications. However, since sandboxing a whole application cannot protect one part of the application from a compromise of a different part, it is ineffective at securing benign-but-insecure software, which is the problem faced on servers. Server applications need to service requests from many different users. If one user is malicious and exploits a vulnerability in the application, whole application sandboxing doesn't protect the other users of the service.

For concrete examples, let's consider Apache and Samba, two daemons which Strauss says would benefit from systemd's features.

First Apache. You can start Apache as a non-root user provided someone else binds to ports 443 and 80. You can further sandbox it by preventing it from accessing parts of the filesystem it doesn't need to access. However, no matter how much you try to sandbox Apache, a typical setup is going to need a broad amount of access to do its job, including read permission to your entire website (including password-protected parts) and access to any credential (database password, API key, etc.) used by your CGI, PHP, or similar webapps.

Even under systemd's most restrictive sandboxing, an attacker who gains remote code execution in Apache would be able to read your entire website, alter responses to your visitors, steal your HTTPS private keys, and gain access to your database and any API consumed by your webapps. For most people, this would be the worst possible compromise, and systemd can do nothing to stop it. Systemd's sandboxing would prevent the attacker from gaining access to the rest of your system (absent a vulnerability in the kernel or systemd), but in today's world of single-purpose VMs and containers, that protection is increasingly irrelevant. The attacker probably only wants your database anyways.

To provide a meaningful improvement to security without rewriting in a memory-safe language, Apache would need to implement proper privilege separation. Privilege separation means using multiple processes internally, each running with different privileges and responsible for different tasks, so that a compromise while performing one task can't lead to the compromise of the rest of the application. For instance, the process that accepts HTTP connections could pass the request to a sandboxed process for parsing, and then pass the parsed request along to yet another process which is responsible for serving files and executing webapps. Privilege separation has been used effectively by OpenSSH, Postfix, qmail, Dovecot, and over a dozen daemons in OpenBSD. (Plus a couple of my own: titus and rdiscd.) However, privilege separation requires careful design to determine where to draw the privilege boundaries and how to interface between them. It's not something which an external tool such as systemd can provide. (Note: Apache already implements privilege separation that allows it to process requests as a non-root user, but it is too coarse-grained to stop the attacks described here.)

Next Samba, which is a curious choice of example by Strauss. Having configured Samba and professionally administered Windows networks, I know that Samba cannot run without full root privilege. The reason why Samba needs privilege is not because it binds to privileged ports, but because, as a file server, it needs the ability to assume the identity of any user so it can read and write that user's files. One could imagine a different design of Samba in which all files are owned by the same unprivileged user, and Samba maintains a database to track the real ownership of each file. This would allow Samba to run without privilege, but it wouldn't necessarily be more secure than the current design, since it would mean that a post-authentication vulnerability would yield access to everyone's files, not just those of the authenticated user. (Note: I'm not sure if Samba is able to contain a post-authentication vulnerability, but it theoretically could. It absolutely could not if it ran as a single user under systemd's sandboxing.)

Other daemons are similar. A mail server needs access to all users' mailboxes. If the mail server is written in C, and doesn't use privilege separation, sandboxing it with systemd won't stop an attacker with remote code execution from reading every user's mailbox. I could continue with other daemons, but I think I've made my point: systemd is not magic pixie dust that can be sprinkled on insecure server applications to make them secure. For protecting the "data attackers want," systemd is far from a "powerful" tool. I wouldn't be opposed to using a library or standalone tool to sandbox daemons as a last line of defense, but the amount of security it provides is not worth the baggage of running systemd as PID 1.

Achieving meaningful improvement in software security won't be as easy as adding a few lines to a systemd config file. It will require new approaches, new tools, new languages. Jon Evans sums it up eloquently:

... as an industry, let's at least set a trajectory. Let's move towards writing system code in better languages, first of all -- this should improve security and speed. Let's move towards formal specifications and verification of mission-critical code.

Systemd is not part of this trajectory. Systemd is more of the same old, same old, but with vastly more code and complexity, an illusion of security features, and, most troubling, lock-in. (Strauss dismisses my lock-in concerns by dishonestly claiming that applications aren't encouraged to use their non-standard DBUS API for DNS resolution. Systemd's own documentation says "Usage of this API is generally recommended to clients." And while systemd doesn't preclude alternative implementations, systemd's specifications are not developed through a vendor-neutral process like the IETF, so there is no guarantee that other implementers would have an equal seat at the table.) I have faith that the Linux ecosystem can correct its trajectory. Let's start now, and stop following systemd down the primrose path.
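Ayer's privilege-separation sketch above, as an added Python illustration that is not his code, Apache's, or any systemd component's: a privileged monitor forks the request parser before it loads its credential, the parser drops privileges (to an assumed `nobody` account when started as root) and talks to the monitor only over length-framed pipes, so a crash or compromise of the parser cannot reach the secret. The `P`/`Q` message types and the 64 KiB frame limit are constructed for the demonstration.

```python
import json
import os
import pwd
import resource
import struct

MAX_FRAME = 64 * 1024  # constructed upper bound on one pipe message


def parse_request(raw: bytes) -> dict:
    """Parse an HTTP/1.x request head. Untrusted input: only the worker runs this."""
    lines = raw.partition(b"\r\n\r\n")[0].split(b"\r\n")
    method, target, version = lines[0].decode("ascii").split(" ")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.decode("ascii").partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def _read_exact(fd: int, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = os.read(fd, n - len(buf))
        if not chunk:
            raise EOFError("peer closed the pipe")
        buf += chunk
    return buf


def _write_frame(fd: int, payload: bytes) -> None:
    data = struct.pack(">I", len(payload)) + payload
    while data:  # os.write may be partial; keep writing until the frame is out
        data = data[os.write(fd, data):]


def _read_frame(fd: int) -> bytes:
    (n,) = struct.unpack(">I", _read_exact(fd, 4))
    if n > MAX_FRAME:
        raise ValueError("frame too large")
    return _read_exact(fd, n)


def _drop_privileges() -> None:
    """Sandbox the worker: no core dumps, no file writes, unprivileged uid if root."""
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))
    os.chdir("/")
    if os.geteuid() == 0:
        nobody = pwd.getpwnam("nobody")  # assumed to exist on the host
        os.setgroups([])
        os.setgid(nobody.pw_gid)
        os.setuid(nobody.pw_uid)


class PrivsepMonitor:
    """Privileged side: owns the credential and forks the parser before loading it."""

    secret = None  # set by load_secret(), in the monitor process only

    def start(self) -> None:
        req_r, req_w = os.pipe()
        res_r, res_w = os.pipe()
        pid = os.fork()
        if pid == 0:  # worker: forked before any secret exists, so it cannot inherit one
            os.close(req_w); os.close(res_r)
            try:
                _drop_privileges()
                self._worker_loop(req_r, res_w)
            finally:
                os._exit(0)
        os.close(req_r); os.close(res_w)
        self.pid, self.to_worker, self.from_worker = pid, req_w, res_r

    def load_secret(self, value: str) -> None:
        self.secret = value  # lives only in the monitor's address space

    def _worker_loop(self, req_r: int, res_w: int) -> None:
        while True:
            try:
                msg = _read_frame(req_r)
            except EOFError:
                return  # monitor closed its end: shut down
            if msg[:1] == b"Q":  # constructed control op: report whether a secret is held
                reply = {"has_secret": self.secret is not None}
            else:
                try:
                    reply = {"ok": True, "request": parse_request(msg[1:])}
                except ValueError as exc:  # UnicodeDecodeError is a ValueError too
                    reply = {"ok": False, "error": str(exc)}
            _write_frame(res_w, json.dumps(reply).encode())

    def handle(self, raw: bytes) -> dict:
        """Hand untrusted bytes to the worker; the monitor never parses them itself."""
        _write_frame(self.to_worker, b"P" + raw)
        return json.loads(_read_frame(self.from_worker))

    def worker_has_secret(self) -> bool:
        _write_frame(self.to_worker, b"Q")
        return json.loads(_read_frame(self.from_worker))["has_secret"]

    def stop(self) -> None:
        os.close(self.to_worker); os.close(self.from_worker)
        os.waitpid(self.pid, 0)
```

A malformed request only produces an error reply from the worker; the monitor, and the secret it holds, are unaffected.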

[Jan 26, 2019] Systemd Flaw Leaves Linux Distributions Scrambling to Patch by Lucian Constantin

Jul 03, 2017 | thenewstack.io
Ubuntu, Fedora, Arch Linux and other Linux distributions have released patches for a serious arbitrary code execution vulnerability that could be exploited through malicious Domain Name System (DNS) packets.

The flaw was found in systemd-resolved, a service that's part of the systemd initialization system adopted by many Linux distributions in recent years. The resolved service provides network name resolution to local applications by querying DNS servers.

The vulnerability, tracked as CVE-2017-9445, was discovered by Chris Coulson, a software engineer at Canonical and member of the Ubuntu team, who noticed that when dealing with certain data packet sizes, systemd-resolved fails to allocate a sufficiently large buffer.

"A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved to allocate a buffer that's too small, and subsequently write arbitrary data beyond the end of it," Coulson said in an advisory posted on the Open Source Security mailing list.

This could be exploited to crash the systemd-resolved daemon or to execute potentially malicious code in its context.

There are multiple ways in which an attacker could send malicious DNS packets to a Linux system with systemd-resolved running. One of them is by launching a man-in-the-middle attack on an insecure wireless network or through a compromised router.

Fortunately, not all Linux systems are affected because some distributions don't use systemd and even among those that do, not all of them include systemd-resolved. For example, SUSE and openSUSE distributions don't ship this component and, while Debian 9 (Stretch) includes it, the service is not enabled by default. The previous Debian versions don't have the vulnerable code at all.

Red Hat rated this vulnerability as important and assigned it a Common Vulnerability Scoring System (CVSS) score of 7.5, but determined that it does not affect the versions of systemd shipped with Red Hat Enterprise Linux 7. Fedora, however, is affected and has issued patches.

Ubuntu, Arch Linux and probably other distributions are also affected. Users should check if they have any updates pending for systemd and should deploy the patches as soon as possible. According to Coulson, the flaw was likely introduced in systemd version 223 in 2015 and affects all versions up to and including 233.

[Jan 26, 2019] Three security bugs found in the popular Linux suite systemd by Pierluigi Paganini

Jan 10, 2019 | securityaffairs.co
Security firm Qualys has disclosed three flaws (CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866) in a component of systemd, a software suite that provides fundamental building blocks for a Linux operating system used in most major Linux distributions.

The flaws reside in systemd-journald, the systemd service that collects and stores logging data.

Both CVE-2018-16864 and CVE-2018-16865 are memory corruption vulnerabilities, while CVE-2018-16866 is an out-of-bounds issue that can lead to an information leak.

Security patches for the three vulnerabilities have been available in distribution repositories since the coordinated disclosure, but some Linux distros, such as some versions of Debian, remain vulnerable. The flaws cannot be exploited in SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 because their code is compiled with GCC's -fstack-clash-protection option.

[Jan 26, 2019] Systemd flaw could cause the crash or hijack of vulnerable Linux machines by Pierluigi Paganini

Notable quotes:
"... is vulnerable to an out-of-bounds heap write in the DHCPv6 client when handling options sent by network adjacent DHCP servers. ..."
"... could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." reads the advisory published by Red Hat. ..."
Oct 29, 2018 | securityaffairs.co

Both Ubuntu and Red Hat published security advisories on the issue.

" systemd networkd is vulnerable to an out-of-bounds heap write in the DHCPv6 client when handling options sent by network adjacent DHCP servers. A attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." reads the advisory published by Red Hat.

"Felix Wilhelm discovered that systemd-networkd's dhcp6 client could be made to write beyond the bounds (buffer overflow) of a heap allocated buffer when responding to a dhcp6 server with an overly-long server-id parameter." reads the advisory published by Ubuntu.

systemd author Lennart Poettering promptly published a security fix for systemd-based Linux systems relying on systemd-networkd.

[Jan 21, 2019] System Down: A systemd-journald exploit (Hacker News)

Notable quotes:
"... Also, as I understand it the exploit would not exist if it was literally just outputting log lines to a file in /var/log/systemd/ ? ..."
Jan 21, 2019 | news.ycombinator.com
segfaultbuserr 11 days ago [-]

Yet another proof for the following:

1. It's reasonable to claim that amd64 (x86_64) is more secure than x86. x86_64 has a larger address space, thus higher ASLR entropy. The exploit needs 10 minutes to crack ASLR on x86, but 70 minutes on amd64. If some alert systems have been deployed on the server (attacks need to keep crashing systemd-journald in this process), it buys time. In other cases, it makes exploitation infeasible.

2. CFLAGS hardening works, in addition to ASLR, it's the last line of defense for all C programs. As long as there are still C programs running, patching all memory corruption bugs is impossible. Using mitigation techniques and sandbox-based isolation are the only two ways to limit the damage. All hardening flags should be turned on by all distributions, unless there is a special reason. Fedora turned "-fstack-clash-protection" on since Fedora 28 ( https://fedoraproject.org/wiki/Changes/HardeningFlags28 ).

If you are releasing a C program on Linux, please consider the following,

    -D_FORTIFY_SOURCE=2         glibc hardening
    -Wp,-D_GLIBCXX_ASSERTIONS   glibc++ hardening
    -fstack-protector-strong    stack smash protection
    -fstack-clash-protection    stack clash protection
    -fPIE -pie                  better ASLR protection
    -Wl,-z,noexecstack          don't allow code on stack
    -Wl,-z,relro                ELF hardening
    -Wl,-z,now                  ELF hardening

Major Linux distributions, including Fedora, Debian, Arch Linux, openSUSE are already doing it. Similarly, Firefox and Chromium are using many of these flags too. Unfortunately, Debian did not use `-fstack-clash-protection` and got hit by the exploit, because it was only added since GCC 8.

For a more comprehensive review, check

* Recommended compiler and linker flags for GCC:

https://developers.redhat.com/blog/2018/03/21/compiler-and-l...

* Debian Hardening

https://wiki.debian.org/Hardening
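An added example, not part of the Hacker News thread and not systemd or distribution code: most of the link-time flags in the list above leave marks in the ELF file itself, so a deployed binary can be audited after the fact. The Python below parses the ELF64 header, program headers and dynamic section to report PIE (`-fPIE -pie`), non-executable stack (`-Wl,-z,noexecstack`), RELRO (`-Wl,-z,relro`) and BIND_NOW (`-Wl,-z,now`), which together make RELRO "full". Stack protector, fortify and stack-clash probes leave no header mark; they need symbol inspection (`readelf -s` for `__stack_chk_fail` and `*_chk` imports) or disassembly, which this example does not attempt. The two sample images are constructed in-memory, header-only ELFs, not real binaries; pass a file path to run it on a real one.

```python
import struct
import sys

# ELF constants (values from elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000

EHDR = "16sHHIQQQIHHHHHH"   # Elf64_Ehdr (64 bytes)
PHDR = "IIQQQQQQ"           # Elf64_Phdr (56 bytes): p_type, p_flags, p_offset, ...
DYN = "qQ"                  # Elf64_Dyn (16 bytes): d_tag, d_val


def check_elf64(data):
    """Report the link-time hardening marks present in an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    hdr = struct.unpack_from(end + EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    # Without PT_GNU_STACK the loader historically falls back to an executable
    # stack, so a missing segment is reported as "no NX" rather than as safe.
    nx_stack, relro_segment, dyn_off = False, False, None
    for i in range(e_phnum):
        p_type, p_flags, p_offset = struct.unpack_from(end + PHDR, data, e_phoff + i * e_phentsize)[:3]
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro_segment = True
        elif p_type == PT_DYNAMIC:
            dyn_off = p_offset

    bind_now, pie_flag = False, False
    if dyn_off is not None:
        off = dyn_off
        while True:
            tag, val = struct.unpack_from(end + DYN, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_FLAGS and val & DF_BIND_NOW:
                bind_now = True
            if tag == DT_FLAGS_1:
                bind_now = bind_now or bool(val & DF_1_NOW)
                pie_flag = bool(val & DF_1_PIE)
            off += struct.calcsize("<" + DYN)

    # RELRO only counts as "full" when the GOT is resolved up front (-z now);
    # otherwise lazily bound GOT entries stay writable and remain an overwrite target.
    relro = "full" if relro_segment and bind_now else "partial" if relro_segment else "none"
    return {
        "pie": e_type == ET_DYN,   # also true for shared libraries; DF_1_PIE disambiguates on newer toolchains
        "dyn_pie_flag": pie_flag,
        "nx_stack": nx_stack,
        "relro": relro,
        "bind_now": bind_now,
    }


def build_sample_elf64(hardened):
    """Constructed test input: a header-only ELF64 image (not loadable), little-endian x86-64."""
    stack_flags = PF_R | PF_W if hardened else PF_R | PF_W | PF_X
    seg_types = [PT_GNU_STACK, PT_DYNAMIC] + ([PT_GNU_RELRO] if hardened else [])
    dyn = ([(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)] if hardened else []) + [(DT_NULL, 0)]
    ehsize, phentsize = struct.calcsize("<" + EHDR), struct.calcsize("<" + PHDR)
    dyn_off = ehsize + phentsize * len(seg_types)
    dyn_blob = b"".join(struct.pack("<" + DYN, t, v) for t, v in dyn)
    phdrs = b""
    for t in seg_types:
        flags = stack_flags if t == PT_GNU_STACK else PF_R
        off, size = (dyn_off, len(dyn_blob)) if t == PT_DYNAMIC else (0, 0)
        phdrs += struct.pack("<" + PHDR, t, flags, off, off, off, size, size, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack("<" + EHDR, ident, ET_DYN if hardened else ET_EXEC, 62, 1, 0,
                       ehsize, 0, 0, ehsize, phentsize, len(seg_types), 64, 0, 0)
    return ehdr + phdrs + dyn_blob


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(check_elf64(f.read()))
    else:
        for name, flag in (("hardened", True), ("unhardened", False)):
            print(name, check_elf64(build_sample_elf64(flag)))
```

The checker deliberately treats an absent PT_GNU_STACK as a failure and distinguishes partial from full RELRO, the two places where a quick `readelf -l` glance most often misleads; `checksec`-style tools apply the same rules.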

lmm 11 days ago [-]

"Proof" suggests a level of absolute confidence that this example certainly does not give.

> The exploit needs 10 minutes to crack ASLR on x86, but 70 minutes on amd64.

Is there any realistic threat model under which the difference between 10 minutes and 70 minutes is the difference between "insecure" and "secure"?

> Using mitigation techniques and sandbox-based isolation are the only two ways to limit the damage.

I'm not at all convinced that mitigation techniques represent a real improvement in security, because by definition a mitigation technique is not backed by a solid model. If you're letting an attacker control the modification of memory that your security model assumes isn't modifiable, how confident can you be that ad-hoc mitigations for all the ways you could think of to exploit that cover all the possible ways to exploit that? E.g. I can remember a time when ASLR was touted as a solution to C's endemic security vulnerabilities; now cracking ASLR as part of vulnerability exploitation is routine, as seen here. Mitigations appear to give a security improvement because an app with mitigations is no longer the low-hanging fruit, but I suspect this is a case of "you don't have to outrun the bear": as long as there are C programs without mitigations, attackers will go after those first. That's different from saying that mitigations provide substantial protection.

FakeComments 11 days ago [-]

The hands-on-keyboard SLA for a lot of on-calls is 30 minutes.

So in an "attack was detected, break all the glass" scenario, the difference between 10 and 70 minutes is sufficient to allow human operators to render the attack moot by offlining its target, while the attackers are still trying to break through API servers.

At both big corps I've been at, the incident response plan for an exfiltration attack on customer data was invalidate DB creds and take the system down ourselves.

Better to be out of service than lose custody of customer data.

dTal 11 days ago [-]

>Is there any realistic threat model under which the difference between 10 minutes and 70 minutes is the difference between "insecure" and "secure"?

How about an intrusion detection system that flags up a human response? 10 minutes is hardly any time at all to respond, an hour gives you a chance to roll out of bed.

segfaultbuserr 11 days ago [-]

PaX offers an anti-bruteforce protection: if the kernel discovers a crash, the `fork()` syscall of the parent process is blocked for 30 seconds for each failed attempt, so the attacker is going to have a hard time beating 32-bit entropy. Meanwhile, it also writes a critical-level message to the kernel log buffer to notify sysadmins, and possibly uncover the 0day exploit the attacker has used.

wstuartcl 11 days ago [-]

I guess, as long as the IDS senses the attack in progress quickly -- my gut is this type of attack would be hard to detect until the outcome was achieved. More likely the initial entry would be the detected event(s) -- in which case yeah the extra time gives some safety net.

In either case, it still feels like pulling all things into systemd creates a much harder to protect surface area on systems. Why should init care if your logger crashes, let alone take down init with it? I am not a anti-systemd person but I honestly do see the tradeoffs of the "let me do it all" architecture as a huge penalty.

viraptor 11 days ago [-]

> Why should init care if your logger crashes

It cares in the same way it cares about all the other processes. There's nothing systemd-specific here. The journald service is configured to restart on crash, same as many other services.

It's not taking down init when journald crashes either.

dane-pgp 11 days ago [-]

> There's nothing systemd-specific here.

Well, except journald itself.

fao_ 11 days ago [-]

> In either case, it still feels like pulling all things into systemd creates a much harder to protect surface area on systems. Why should init care if your logger crashes, let alone take down init with it? I am not a anti-systemd person but I honestly do see the tradeoffs of the "let me do it all" architecture as a huge penalty.

100% this. Also, as I understand it the exploit would not exist if it was literally just outputting log lines to a file in /var/log/systemd/ ?

EDIT: Also as I understand it, appending directly to a file is just as stable as the journald approach, given that many, many disk controllers and kernels are known to lie about whether they have actually flushed their cache to disk (actually moreso, because the binary format of journald is arguably more difficult to recover into proper form than a timestamped plaintext -- please correct me if I'm wrong, though!!)

viraptor 11 days ago [-]

> the binary format of journald is arguably more difficult to recover into proper form than a timestamped plaintext -- please correct me if I'm wrong, though!!

It depends what you mean by recover. To get the basic plaintext, you can pretty much run "strings" on the journal file and grep for "MESSAGE=". It's append-only so the entries are in order. Just because it's a binary file doesn't mean the text itself is mangled. (Unless you enable compression)

The reference may look complicated https://www.freedesktop.org/wiki/Software/systemd/journal-fi... but that's all extra features you may ignore for "recovery in emergency".

loeg 11 days ago [-]

> Why should init care if your logger crashes, let alone take down init with it?

They're separate processes. Logger crashes do not take down init.

> I am not a anti-systemd person

Whether you are or not, you are (inadvertently) repeating misinformation about it.

okket 11 days ago [-]

A server suddenly spiking full load for over an hour should raise alarms. It shows up even in the dumbest of 5 minute averaging charting tools.

A few minutes of high load can easily get overlooked.

geggam 11 days ago [-]

Enterprise systems or any large scale stack can have one running like this where people dismiss it for an hour. Some systems run hard like this by default. See Transcoding

pixl97 11 days ago [-]

Also, Weekend and Christmas attacks. In the field we are seeing more attacks with a valid username and pass occur at times when a sysadmin may not be on call.

segfaultbuserr 11 days ago [-]

> Is there any realistic threat model under which the difference between 10 minutes and 70 minutes is the difference between "insecure" and "secure"?

Time is given here just as an example. To crack systemd, it only takes 70 minutes, but in general, bruteforcing ASLR on 64-bit systems can take as few as 1.3 hours but as many as 34.1 hours, depending on the nature of the bug. On the other hand, the ~20 bits of entropy on 32-bit systems is trivial to crack in 10 minutes for nearly all cases, and does not provide an adequate security margin.

On a 64-bit system there are ~32-40 bits of ASLR entropy available for a PIE program. It forces an attacker to brute-force it. Unlike other protections, no matter how cleverly the system is analyzed beforehand, it taxes the exploit by forcing it to solve a computational puzzle. This fact alone is enough to stop many "Morris Worm"-type remote exploitations (they have suddenly become a serious consideration, given the future of IoT), since an exploit takes months or years to crack a single machine.

If it's not enough (it is not, I acknowledge ASLR by itself cannot be enough), an intrusion detection system should be used, and it is already used by many. For example, PaX offers an optional, simple yet effective anti-bruteforce protection: if the kernel discovers a crash, the `fork()` attempt of the parent process is blocked for 30 seconds. It takes years before an attacker is able to overcome the randomization (so the attacker is likely to try something else). In addition, it also writes a critical-level message to the kernel log buffer, the sysadmin can be notified, and possibly uncover the 0day exploit the attacker has used. I'd call it a realistic threat model.

Finally, information leaks are a great concern here. Kernels and programs are leaking memory addresses like a sieve, effectively making ASLR useless. The Linux kernel is already actively plugging these holes (but with limited effectiveness, HardenedBSD should be the future case study), and so should other programs.

> e.g. I can remember a time when ASLR was touted as a solution to C's endemic security vulnerabilities; now cracking ASLR as part of vulnerability exploitation is routine, as seen here.

You can make the same comment on NX bit, or W^X/PaX, or BSD jail, or SMAP/SMEP (in recent Intel CPUs), or AppArmor, or SELinux, or seccomp(), or OpenBSD's pledge(), or Control Flow Integrity, or process-based sandboxing in web browsers, or virtual machine-based isolation.

Better defense leads to better attacks, and that in turn leads to better defense. By playing the game, it may not be possible to win, but by not playing it, losing the game is guaranteed. In this case, systemd is exploitable despite ASLR, due to a relatively new exploit technique called "Stack Clash", and for this matter, GCC had already updated its -fstack-check to the new -fstack-clash-protection long before the systemd exploit was discovered. If this mitigation had been used (like by Fedora and openSUSE), it would cause simply a crash, and is not exploitable. At least before the attacker finds another way round.

Early kernels and web browsers had no memory and exploit protections whatsoever: a single wrong pointer dereference or buffer overflow was enough to completely take over the system. Nowadays, an attack needs to overcome at least NX, ASLR, sandboxing, and compiler-level mitigations, and we still see exploits. So the conclusion is all mitigations are completely useless? If that's your opinion, I'm fine to agree to disagree; many sensitive C programs need to be written in a memory-safe language anyway. But as I see it, as long as there are still C programs running with undiscovered vulnerabilities, and as long as attackers have to add more and more up-to-date workarounds and cracking techniques (ROP, anyone? but now the most sophisticated attackers are moving to DATA-ONLY attacks) to their exploit checklist, then we are not losing the race by increasing the cost of attacks.

On the other hand, if an attacker doesn't have to use up-to-date cracking techniques, then we have serious problems. For example, broken and incomplete mitigation is often seen in the real world, and it's the real trouble. Recently, it was discovered that the ASLR implementation in the MinGW toolchain is broken, allowing attackers to exploit VLC using shellcode tricks from the 2000s ( https://insights.sei.cmu.edu/cert/2018/08/when-aslr-is-not-r... ). And we still see broken NX bit protection and the total absence of any ASLR or -fstack-protector in ALL home routers ( https://cyber-itl.org/2018/12/07/a-look-at-home-routers-and-... ).

The principle of Defense-in-Depth is that, if the enemies are powerful enough, it's inevitable that all protections will be overcome. Like the Swiss Cheese Model ( https://en.wikipedia.org/wiki/Swiss_cheese_model ), a cliche in accident analysis, eventually there will be something that manages to find a hole in every layer of defense and pass through. What we can do is do our best at each layer of defense to prevent the preventable incidents, and add more layers when the technology permits us.

My final words are: at least, do something. ASLR was already implemented as a prototype, analyzed, and exploited by clever hackers back in 2002 ( http://phrack.org/issues/59/9.html ), but only saw major adoption ten years later. It would be a surprise if ASLR-breaking techniques had not improved given the inaction of most vendors.

> "Proof" suggests a level of absolute confidence that this example certainly does not give.

I agree. I should've used "given more empirical evidence" instead of "given a proof".

For real security, I believe memory-safe programming (e.g. Rust), and formal verification (e.g seL4) are the way forward, although they still have a long way to go.

lmm 10 days ago [-]

> You can make the same comment on NX bit, or W^X/PaX, or BSD jail, or SMAP/SMEP (in recent Intel CPUs), or AppArmor, or SELinux, or seccomp(), or OpenBSD's pledge(), or Control Flow Integrity, or process-based sandboxing in web browsers

I can, and I would.

> or virtual machine-based isolation

A little different because a VM can be designed to offer a rigid security boundary (with a solid model behind it) rather than as an ad-hoc mitigation technique.

> So the conclusion is all mitigations are completely useless? If it's your opinion, I'm fine to agree to your disagreement, many sensitive C programs need to be written in a memory-safe language anyway. But as I see it, as long as there are still C programs running with undiscovered vulnerabilities, and as long as attackers have to add more and more up-to-date workarounds and cracking techniques (ROP, anyone? but now the most sophisticated attackers are moving to DATA-ONLY attacks) to their exploit checklist, then we are not losing the race by increasing the cost of attacks.

> The principle of Defense-in-Depth is that, if the enemies are powerful enough, it's inevitable that all protections will be overcome. Like the Swiss Cheese Model ( https://en.wikipedia.org/wiki/Swiss_cheese_model ), a cliche in accident analysis, eventually there will be something that manages to find a hole in every layer of defense and pass through. What we can do is do our best at each layer of defense to prevent the preventable incidents, and add more layers when the technology permits us.

> For real security, I believe memory-safe programming (e.g. Rust), and formal verification (e.g seL4) are the way forward, although they still have a long way to go.

I think the defense in depth / swiss cheese approach has shown itself to be a failure, and exploit mitigation techniques have been a distraction from real security. It's worth noting that systemd is both recently developed and aggressively compatibility-breaking; there really is no excuse for it to be written in C, mitigations or no. Even if you don't think Rust was mature enough at that point, there were memory-safe languages that would have made sense (OCaml, Ada, ...). Certainly there's always more to be done, but I really don't think there's anything that would block the adoption of these languages and techniques if the will was there.

nickpsecurity 11 days ago [-]

Before the critique, I want to thank you for all the detailed information (esp compiler tips) you're putting out on the thread for everyone. :)

"You can make the same comment on NX bit, or W^X/PaX, or BSD jail, or SMAP/SMEP (in recent Intel CPUs), or AppArmor, or SELinux, or seccomp(), or OpenBSD's pledge(), or Control Flow Integrity, or process-based sandboxing in web browsers, or virtual machine-based isolation."

You can indeed say that about all those systems since they mix insecure, bug-ridden code with probabilistic and tactical mechanisms that they pray will stop hackers. In high-assurance security, the focus was instead to identify each root cause, prevent/detect/fail-safe on it with some method, and add automation where possible for these. Since a lot of that is isolation, I'd say the isolation-based method would be separation kernels running apps in their own compartments or in deprivileged, user-mode VMs. Genode OS is following that path with stuff like seL4, Muen, and NOVA running underneath. The first two are separation kernels; NOVA is just correctness-focused with a high-assurance design style.

Prior systems designed like those did excellent in NSA pentesting whereas the UNIX-based systems with extensions like MAC were shredded. All we're seeing is a failure to apply the lessons of the past in both hardware and software with predictable results.

"Better defense leads to better attacks, and it in turns leads to better defense. By playing the game, it may not be possible to win, but by not playing it, losing the game is guaranteed. "

Folks using stuff like Ada, SPARK, Frama-C w/ sound analyzers, Rust, Cryptol, and FaCT are skipping playing the game to just knock out all the attack classes. Plus, memory-safety methods for legacy code like SAFEcode in SVA-OS or Softbound+CETS. Throw in Data-Flow Integrity or Information-Flow Control (eg JIF/SIF languages). Then, you just have to increase hardware spending a bit to make up for the performance penalty that comes with your desired level of security. Trades a problem that takes geniuses decades to solve for one an average, IT person with an ordering guide can handle quickly on eBay. Assuming the performance penalty even matters given how lots of code isn't CPU-bound.

I'd rather not play the "extend and obfuscate insecure stuff for the win" game if possible since defenders have been losing it consistently for decades. Obfuscation should just be an extra measure on top of methods that eliminate root causes to further frustrate attackers. Starting with most cost-effective for incremental progress like memory-safe languages, contracts, test generation, and static/dynamic analysis. The heavyweight stuff on ultra-critical components such as compilers, crypto/TLS, microkernels, clustering protocols, and so on. We already have a lot of that, though.

"For real security, I believe memory-safe programming (e.g. Rust), and formal verification (e.g seL4) are the way forward, although they still have a long way to go. "

Well, there you go saying it yourself. :)

"Early kernels and web browsers have no memory and exploit protections whatsoever"

Yeah, we pushed for high-assurance architecture to be applied there. Chrome did a weakened version of OP. Here's another design if you're interested in how to solve... attempt to solve... that problem:

https://www.usenix.org/legacy/events/osdi10/tech/full_papers...

wahern 11 days ago [-]

FWIW, the stack vulnerabilities here aren't just a C problem. Most languages, including every language relying on LLVM and GCC until the most recent versions, failed to perform stack probing.

I hesitate to call stack probing "hardening". IMO it's better understood as a failure by compilers to emit proper code in the first place, and it's been a glaringly obvious deficiency for years if not decades.

[Jan 04, 2019] Linux Servers Most Affected by IPMI Enabled JungleSec Ransomware by Christine Hall

Jan 02, 2019 | www.itprotoday.com

Linux servers top the list of victims to a ransomware attack that seems to take advantage of poorly configured IPMI devices.

SysAdmins, who probably already have much on their plates at the end of the holiday season, have another rather urgent task at hand if they administer servers equipped with Intelligent Platform Management Interface (IPMI) cards. It seems that since November, black hat hackers have been using the cards to gain access in order to install JungleSec ransomware that encrypts data and demands a 0.3 bitcoin payment (about $1,100 at the current rate) for the unlock key.

For the uninitiated, IPMI is a management interface that's either built into server motherboards or on add-on cards that provides management and monitoring capabilities that are independent of the system's CPU, firmware, and operating system. With it, admins can remotely manage a server to do things like power it up and down, monitor system information, access KVMs, and more. While this is useful for managing off-premises servers in colocation data centers and the like, it also offers an opening for attackers if it's not properly locked.


There's been a lot of uneven reporting on this since BleepingComputer broke the story on Dec. 26, with many sites indicating that the hack only affects Linux servers. While it's true that the majority of servers affected have been running Linux, Windows as well as Mac servers have also fallen victim. At this point it's not clear whether Linux servers appear to be most affected simply because of Linux's dominance in the server market or because attackers are finding the attack easier to successfully manage when targeting Linux machines.

There have also been reports that the exploit only takes advantage of systems using default IPMI passwords, but BleepingComputer reported it had found at least one victim that had disabled the IPMI Admin user and was still hacked by an attacker that evidently gained access by taking advantage of a vulnerability that was most likely the result of IPMI not being configured properly.


Indeed, it appears at this point that poor configuration is how attackers are gaining entry.

The good news is that securing against such attacks should be rather straightforward, starting with making sure the IPMI password isn't the default. In addition, access control lists (ACLs) should be configured to specify which IP addresses can reach the IPMI interface, and IPMI should be configured to listen only on internal IP addresses, which limits access to admins inside the organization's network.

For Linux servers, it might be a good idea to password protect the GRUB bootloader. After gaining access to Linux servers, attackers have been rebooting into single user mode to gain root access before downloading the malicious payload. At the very least, password protecting GRUB would make reboots difficult.

[Dec 16, 2018] Red Hat Enterprise Linux 7.6 Released

Dec 16, 2018 | linux.slashdot.org

ArchieBunker (132337), Tuesday October 30, 2018 @07:00PM (#57565233)

New features include (Score: 5, Funny)

All of /etc has been moved to a flat binary database now called REGISTRY.DAT

A new configuration tool known as regeditor authored by Poettering himself (accidental deletion of /home only happens in rare occurrences)

In kernel naughty words filter

systemd now includes a virtual userland previously known as busybox

[Nov 16, 2018] US Is Optimistic It Will Prosecute Assange

Nov 15, 2018 | www.wsj.com

Over the past year, U.S. prosecutors have discussed several types of charges they could potentially bring against the WikiLeaks founder

The Justice Department is preparing to prosecute WikiLeaks founder Julian Assange and is increasingly optimistic it will be able to get him into a U.S. courtroom, according to people in Washington familiar with the matter. Over the past year, U.S. prosecutors have discussed several types of charges they could potentially bring against Mr. Assange, the people said. Mr. Assange has lived in the Ecuadorean embassy in London since receiving political asylum from the South American country in 2012...

The exact charges Justice Department might pursue remain unclear, but they may involve the Espionage Act, which criminalizes the disclosure of national defense-related information.

[Nov 10, 2018] CIA's 'Surveillance State' is Operating Against US

Nov 10, 2018 | www.moonofalabama.org

BM , Nov 10, 2018 5:56:10 AM | link

Whilst on the topic of ISIS, here is an article about its mother-concern, CIA:

https://www.strategic-culture.org/news/2018/11/09/cia-surveillance-state-operating-against-us-all.html
CIA's 'Surveillance State' is Operating Against US All

On two declassified letters from 2014 from the Intelligence Community Inspector General (didn't know there was one, but doesn't do much good anyway, it seems, read further) to the chairpersons of the House and Senate intelligence committees notifying them that the CIA has been monitoring emails between the CIA's head of the whistleblowing and source protection and Congressional. "Most of these emails concerned pending and developing whistleblower complaints". Shows why Edward Snowden didn't consider it appropriate to rely on internal complaints procedures. This while under the leadership of seasoned liars and criminals Brennan and Clapper, of course.

It clearly shows a taste of what these buggers have to hide, and why they went to such extraordinary lengths as Russiagate to cover it all up and save their skins - that of course being the real reason behind Russiagate as I have said several times, nothing to do with either Trump or Russia.

guidoamm , Nov 10, 2018 1:32:52 AM | link

And there is this too of course:

Pentagon Fake Al Qaeda Propaganda

Anton Worter , Nov 10, 2018 12:39:39 AM | link
@4

OWS was a Controlled-Dissent operation, sending poor students north to fecklessly march on Wall Street when they could have shut down WADC, and sending wealthy seniors south to fecklessly line Pennsylvania Avenue, when they could have shut down Wall Street.

Both I$I$, and Hamas, and Antifa et al are all Controlled Dissent operations. The followers are duped, are used, abused and then abandoned by honey-pots put there by Central Intelligence, at least since the Spanish Civil War.

That's why MoA articles like this one make you wonder, just who is conning whom, at a time when the Internet is weaponized, when Google Assistant achieved AI awareness indistinguishable from anyone on the phone, China TV has launched a virtual AI news reporter indistinguishable from reality, and Stanford can audio-video a captured image of anyone as well as their voice intonation, then 3D model them, in real time, reading and emoting from a script, indistinguishable from reality, ...and then this.

Another Gift of Trust😂 brought to you by Scientocracy. Be sure to tithe your AI bot, or word will get back to Chairman Albertus, then you'll be called in to confess your thought crimes to the Green Cadre, itself another Controlled Dissent honeypot, in a Tithe-for-Credits Swindle.

I tell my kids, just enjoy life, live it large, and get ready for hell. It's coming for breakfast.

[Nov 10, 2018] Hacking operations by anyone, can and will be used by US propagandists to provoke Russia or whoever stands in the way of the US war machine

Nov 10, 2018 | www.moonofalabama.org

Harry Law , Nov 10, 2018 9:11:40 AM | link

Hacking operations by anyone, can and will be used by US propagandists to provoke Russia or whoever stands in the way of the US war machine, take this Pompeo rant against Iran and the Iranian response......

Asking of Pompeo "have you no shame?", Zarif mocked Pompeo's praise for the Saudis for "providing millions and millions of dollars of humanitarian relief" to Yemen, saying America's "butcher clients" were spending billions of dollars bombing school buses. Iranian Foreign Minister Javad Zarif issued a statement lashing Secretary of State Mike Pompeo for his recent comments on the Yemen War. Discussing the US-backed Saudi invasion of Yemen, Pompeo declared Iran to be to blame for the death and destruction in the country. https://news.antiwar.com/2018/11/09/iran-fm-slams-pompeo-for-blaming-yemen-war-on-iran/

The US way of looking at things supposes that up is down, and white is black, it makes no sense, unless the US hopes these provocations will lead to a war or at the very least Russia or Iran capitulating to US aggression, which will not happen. Sanctions by the US on all and sundry must be opposed, if not the US will claim justifiably to be the worlds policeman and the arbiter of who will trade with who, a ludicrous proposition but one that most governments are afraid is now taking place, witness the new US ambassador to Germany in his first tweet telling the Germans to cease all trade with Iran immediately.

https://www.thelocal.de/20180509/us-tells-german-businesses-to-stop-trade-in-iran-immediately

[Nov 02, 2018] The D in Systemd stands for 'Dammmmit!' A nasty DHCPv6 packet can pwn a vulnerable Linux box by Shaun Nichols

Notable quotes:
"... Hole opens up remote-code execution to miscreants – or a crash, if you're lucky ..."
"... You can use NAT with IPv6. ..."
Oct 26, 2018 | theregister.co.uk

Hole opens up remote-code execution to miscreants – or a crash, if you're lucky

A security bug in systemd can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box.

The flaw therefore puts Systemd-powered Linux computers – specifically those using systemd-networkd – at risk of remote hijacking: maliciously crafted DHCPv6 packets can try to exploit the programming cockup and arbitrarily change parts of memory in vulnerable systems, leading to potential code execution. This code could install malware, spyware, and other nasties, if successful.

The vulnerability – which was made public this week – sits within the written-from-scratch DHCPv6 client of the open-source Systemd management suite, which is built into various flavors of Linux.

This client is activated automatically if IPv6 support is enabled, and relevant packets arrive for processing. Thus, a rogue DHCPv6 server on a network, or in an ISP, could emit specially crafted router advertisement messages that wake up these clients, exploit the bug, and possibly hijack or crash vulnerable Systemd-powered Linux machines.

Here's the Red Hat summary:

systemd-networkd is vulnerable to an out-of-bounds heap write in the DHCPv6 client when handling options sent by network-adjacent DHCP servers. An attacker could exploit this via a malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution.

Felix Wilhelm, of the Google Security team, was credited with discovering the flaw, designated CVE-2018-15688. Wilhelm found that a specially crafted DHCPv6 network packet could trigger "a very powerful and largely controlled out-of-bounds heap write," which could be used by a remote hacker to inject and execute code.

"The overflow can be triggered relatively easy by advertising a DHCPv6 server with a server-id >= 493 characters long," Wilhelm noted.

In addition to Ubuntu and Red Hat Enterprise Linux, Systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Lennart Poettering has already published a security fix for the vulnerable component – this should be weaving its way into distros as we type.

If you run a Systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

The bug will come as another argument against Systemd as the Linux management tool continues to fight for the hearts and minds of admins and developers alike. Though a number of major admins have in recent years adopted and championed it as the replacement for the old Init era, others within the Linux world seem to still be less than impressed with Systemd and Poettering's occasionally controversial management of the tool. ®

Oh Homer , 6 days

Meh

As anyone who bothers to read my comments (BTW "hi" to both of you) already knows, I despise systemd with a passion, but this one is more an IPv6 problem in general.

Yes this is an actual bug in networkd, but IPv6 seems to be far more bug prone than v4, and problems are rife in all implementations. Whether that's because the spec itself is flawed, or because nobody understands v6 well enough to implement it correctly, or possibly because there's just zero interest in making any real effort, I don't know, but it's a fact nonetheless, and my primary reason for disabling it wherever I find it. Which of course contributes to the "zero interest" problem that perpetuates v6's bug prone condition, ad nauseam.

IPv6 is just one of those tech pariahs that everyone loves to hate, much like systemd, albeit fully deserved IMO.

Oh yeah, and here's the obligatory "systemd sucks". Personally I always assumed the "d" stood for "destroyer". I believe the "IP" in "IPv6" stands for "Idiot Protocol".

Anonymous Coward , 6 days
Re: Meh

"nonetheless, and my primary reason for disabling it wherever I find it. "

The very first guide I read to hardening a system recommended disabling services you didn't need and emphasized IPV6 for the reasons you just stated.

Wasn't there a bug in Xorg reported recently as well?

https://www.theregister.co.uk/2018/10/25/x_org_server_vulnerability/

"FreeDesktop.org Might Formally Join Forces With The X.Org Foundation"

https://www.phoronix.com/scan.php?page=news_item&px=FreeDesktop-org-Xorg-Forces

Also, does this mean that Facebook was vulnerable to attack, again?

"Simply put, you could say Facebook loves systemd."

https://www.phoronix.com/scan.php?page=news_item&px=Facebook-systemd-2018

Jay Lenovo , 6 days
Re: Meh

IPv6 and SystemD: Forced industry standard diseases that require most of us to bite our lips and bear it.

Fortunately, IPv6 by lack of adopted use, limits the scope of this bug.

vtcodger , 6 days
Re: Meh
Fortunately, IPv6 by lack of adopted use, limits the scope of this bug.

Yeah, fortunately IPv6 is only used by a few fringe organizations like Google and Microsoft.

Seriously, I personally want nothing to do with either systemd or IPv6. Both seem to me to fall into the bin labeled "If it ain't broke, let's break it" But still it's troubling that things that some folks regard as major system components continue to ship with significant security flaws. How can one trust anything connected to the Internet that is more sophisticated and complex than a TV streaming box?

DougS , 6 days
Re: Meh

Was going to say the same thing, and I disable IPv6 for the exact same reason. IPv6 code isn't as well tested, as well audited, or as well targeted looking for exploits as IPv4. Stuff like this only proves that it was smart to wait, and I should wait some more.

Nate Amsden , 6 days
Re: Meh

Count me in the camp of those who hate systemd (hate it being "forced" on just about every distro, otherwise wouldn't care about it - and yes I am moving my personal servers to Devuan, thought I could go Debian 7->Devuan but turns out that may not work, so I upgraded to Debian 8 a few weeks ago, and will go to Devuan from there in a few weeks, upgraded one Debian 8 to Devuan already 3 more to go -- Debian user since 1998); when reading this article it reminded me of

https://www.theregister.co.uk/2017/06/29/systemd_pwned_by_dns_query/

bombastic bob , 6 days
The gift that keeps on giving (systemd) !!!

This makes me glad I'm using FreeBSD. The Xorg version in FreeBSD's ports is currently *slightly* older than the Xorg version that had that vulnerability in it. AND, FreeBSD will *NEVER* have systemd in it!

(and, for Linux, when I need it, I've been using Devuan)

That being said, the whole idea of "let's do a re-write and do a 'systemd' instead of 'system V init' because WE CAN and it's OUR TURN NOW, 'modern' 'change for the sake of change' etc." kinda reminds me of recent "update" problems with Win-10-nic...

Oh, and an obligatory Schadenfreude laugh: HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA HA!!!!!!!!!!!!!!!!!!!

Long John Brass , 6 days
Re: The gift that keeps on giving (systemd) !!!

Finally got all my machines cut over from Debian to Devuan.

Might spin a FreeBSD system up in a VM and have a play.

I suspect that the infestation of stupid into the Linux space won't stop with or be limited to SystemD. I will wait and watch to see what damage the re-education gulag has done to Sweary McSwearFace (Mr Torvalds)

Dan 55 , 6 days
Re: Meh

I despise systemd with a passion, but this one is more an IPv6 problem in general.

Not really, systemd has its tentacles everywhere and runs as root. Exploits which affect systemd therefore give you the keys to the kingdom.

Orv , 3 days
Re: Meh
Not really, systemd has its tentacles everywhere and runs as root.

Yes, but not really the problem in this case. Any DHCP client is going to have to run at least part of the time as root. There's not enough nuance in the Linux privilege model to allow it to manipulate network interfaces, otherwise.

Long John Brass , 3 days
Re: Meh
Yes, but not really the problem in this case. Any DHCP client is going to have to run at least part of the time as root. There's not enough nuance in the Linux privilege model to allow it to manipulate network interfaces, otherwise.

Sorry but utter bullshit. If you are so inclined you can use the Linux Capabilities framework for this kind of thing. See https://wiki.archlinux.org/index.php/capabilities

JohnFen , 6 days
Yay for me

"If you run a Systemd-based Linux system"

I remain very happy that I don't use systemd on any of my machines anymore. :)

"others within the Linux world seem to still be less than impressed with Systemd"

Yep, I'm in that camp. I gave it a good, honest go, but it increased the amount of hassle and pain of system management without providing any noticeable benefit, so I ditched it.

ElReg!comments!Pierre , 2 days
Re: Time to troll

> Just like it's entirely possible to have a Linux system without any GNU in it

Just like it's possible to have a GNU system without Linux on it - ho well as soon as GNU MACH is finally up to the task ;-)

On the systemd angle, I, too, am in the process of switching all my machines from Debian to Devuan but on my personal(*) network a few systemd-infected machines remain, thanks to a combination of laziness on my part and stubborn "systemd is quite OK" attitude from the raspy foundation. That vuln may be the last straw: one of the aforementioned machines sits on my DMZ, chatting freely with the outside world. Nothing really crucial on it, but I'd hate it if it became a foothold for nasties on my network.

(*) policy at work is RHEL, and that's negotiated far above my influence level, but I don't really care as all my important stuff runs on Z/OS anyway ;-) . Ok we have to reboot a few VMs occasionally when systemd throws a hissy fit - which is surprisingly often for an "enterprise" OS - but meh.

Destroy All Monsters , 5 days
Re: Not possible

This code is actually pretty bad and should raise all kinds of red flags in a code review.

Anonymous Coward , 5 days
Re: Not possible

ITYM Lennart

Christian Berger , 5 days
Re: Not possible

"This code is actually pretty bad and should raise all kinds of red flags in a code review."

Yeah, but for that you need people who can do code reviews, and also people who can accept criticism. That also means saying "no" to people who are bad at coding, and saying that repeatedly if they don't learn.

SystemD seems to be the area where people gather who want to get code in for their resumes, not for people who actually want to make the world a better place.

jake , 6 days
There is a reason ...

... that an init, traditionally, is a small bit of code that does one thing very well. Like most of the rest of the *nix core utilities. All an init should do is start PID1, set run level, spawn a tty (or several), handle a graceful shutdown, and log all the above in plaintext to make troubleshooting as simplistic as possible. Anything else is a vanity project that is best placed elsewhere, in its own stand-alone code base.

Inventing a clusterfuck init variation that's so big and bulky that it needs to be called a "suite" is just asking for trouble.

IMO, systemd is a cancer that is growing out of control, and needs to be cut out of Linux before it infects enough of the system to kill it permanently.

AdamWill , 6 days
Re: There is a reason ...

That's why systemd-networkd is a separate, optional component, and not actually part of the init daemon at all. Most systemd distros do not use it by default and thus are not vulnerable to this unless the user actively disables the default network manager and chooses to use networkd instead.

Anonymous Coward , 4 days
Re: There is a reason ...

"Just go install a default Fedora or Ubuntu system and check for yourself: you'll have systemd, but you *won't* have systemd-networkd running."

Funny that I installed ubuntu 18.04 a few weeks ago and the fucking thing installed itself then! ( and was a fucking pain to remove).

LP is a fucking arsehole.

Orv , 3 days
Re: There is a reason ...
Pardon my ignorance (I don't use a distro with systemd) why bother with networkd in the first place if you don't have to use it.

Mostly because the old-style init system doesn't cope all that well with systems that move from network to network. It works for systems with a static IP, or that do a DHCP request at boot, but it falls down on anything more dynamic.

In order to avoid restarting the whole network system every time they switch WiFi access points, people have kludged on solutions like NetworkManager. But it's hard to argue it's more stable or secure than networkd. And this is always going to be a point of vulnerability because anything that manipulates network interfaces will have to be running as root.

These days networking is essential to the basic functionality of most computers; I think there's a good argument that it doesn't make much sense to treat it as a second-class citizen.

AdamWill , 2 days
Re: There is a reason ...

"Funny that I installed ubuntu 18.04 a few weeks ago and the fucking thing installed itself then! ( and was a fucking pain to remove)."

So I looked into it a bit more, and from a few references at least, it seems like Ubuntu has a sort of network configuration abstraction thingy that can use both NM and systemd-networkd as backends; on Ubuntu desktop flavors NM is usually the default, but apparently for recent Ubuntu Server, networkd might indeed be the default. I didn't notice that as, whenever I want to check what's going on in Ubuntu land, I tend to install the default desktop spin...

"LP is a fucking arsehole."

systemd's a lot bigger than Lennart, you know. If my grep fu is correct, out of 1543 commits to networkd, only 298 are from Lennart...

alain williams , 6 days
Old is good

in many respects when it comes to software because, over time, the bugs will have been found and squashed. Systemd brings in a lot of new code which will, naturally, have lots of bugs that will take time to find & remove. This is why we get problems like this DHCP one.

Much as I like the venerable init: it did need replacing. Systemd is one way to go, more flexible, etc, etc. Something event driven is a good approach.

One of the main problems with systemd is that it has become too big, slurped up lots of functionality which has removed choice, increased fragility. They should have concentrated on adding ways of talking to existing daemons, eg dhcpd, through an API/something. This would have reused old code (good) and allowed other implementations to use the API - this letting people choose what they wanted to run.

But no: Poettering seems to want to build a Cathedral rather than a Bazaar.

He appears to want to make it his way or no way. This is bad, one reason that *nix is good is because different solutions to a problem have been able to be chosen, one removed and another slotted in. This encourages competition and the 'best of breed' comes out on top. Poettering is endangering that process.

Also: his refusal to accept patches to let it work on non-Linux Unix is just plain nasty.

oiseau , 4 days
Re: Old is good

Hello:

One of the main problems with systemd is that it has become too big, slurped up lots of functionality which has removed choice, increased fragility.

IMO, there is a striking parallel between systemd and the registry in Windows OSs.

After many years of dealing with the registry (W98 to XPSP3) I ended up seeing the registry as a sort of developer sanctioned virus running inside the OS, constantly changing and going deeper and deeper into the OS with every iteration and as a result, progressively putting an end to the possibility of knowing/controlling what was going on inside your box/the OS.

Years later, when I learned about the existence of systemd (I was already running Ubuntu) and read up on what it did and how it did it, it dawned on me that systemd was nothing more than a registry class virus and it was infecting Linux_land at the behest of the developers involved.

So I moved from Ubuntu to PCLinuxOS and then on to Devuan.

Call me paranoid but I am convinced that there are people both inside and outside IT that actually want this and are quite willing to pay shitloads of money for it to happen.

I don't see this MS cozying up to Linux in various ways lately as a coincidence: these things do not happen just because or on a senior manager's whim.

What I do see (YMMV) is systemd being a sort of convergence of Linux with Windows, which will not be good for Linux and may well be its undoing.

Cheers,

O.

Rich 2 , 4 days
Re: Old is good

"Also: his refusal to accept patches to let it work on non-Linux Unix is just plain nasty"

Thank goodness this crap is unlikely to escape from Linux!

By the way, for a systemd-free Linux, try void - it's rather good.

Michael Wojcik , 3 days
Re: Old is good

Much as I like the venerable init: it did need replacing.

For some use cases, perhaps. Not for any of mine. SysV init, or even BSD init, does everything I need a Linux or UNIX init system to do. And I don't need any of the other crap that's been built into or hung off systemd, either.

Orv , 3 days
Re: Old is good

BSD init and SysV init work pretty darn well for their original purpose -- servers with static IP addresses that are rebooted no more than once in a fortnight. Anything more dynamic starts to give it trouble.

Chairman of the Bored , 6 days
Too bad Linus swore off swearing

Situations like this go beyond a little "golly gee, I screwed up some C"...

jake , 6 days
Re: Too bad Linus swore off swearing

Linus doesn't care. systemd has nothing to do with the kernel ... other than the fact that the lead devs for systemd have been banned from working on the kernel because they don't play nice with others.

JLV , 6 days
how did it get to this?

I've been using runit, because I am too lazy and clueless to write init scripts reliably. It's very lightweight, runs on a bunch of systems and really does one thing - keep daemons up.

I am not saying it's the best - but it looks like it has a very small codebase, it doesn't do much and generally has not bugged me after I configured each service correctly. I believe other systems also exist to avoid using init scripts directly. Not Monit, as it relies on you configuring the daemon start/stop commands elsewhere.

On the other hand, systemd is a massive sprawl, does a lot of things - some of them useful, like dependencies and generally has needed more looking after. Twice I've had errors on a Django server that, after a lot of looking around ended up because something had changed in the, Chef-related, code that's exposed to systemd and esoteric (not emitted by systemd) errors resulted when systemd could not make sense of the incorrect configuration.

I don't hate it - init scripts look a bit antiquated to me and they seem unforgiving to beginners - but I don't much like it. What I certainly do hate is how, in an OS that is supposed to be all about choice, sometimes excessively so as in the window manager menagerie, we somehow ended up with one mandatory daemon scheduler on almost all distributions. Via, of all types of dependencies, the GUI layer. For a window manager that you may not even have installed.

Talk about the antithesis of the Unix philosophy of do one thing, do it well.

Oh, then there are also the security bugs and the project owner is an arrogant twat. That too.

Doctor Syntax , 6 days
Re: how did it get to this?

"init scripts look a bit antiquated to me and they seem unforgiving to beginners"

Init scripts are shell scripts. Shell scripts are as old as Unix. If you think that makes them antiquated then maybe Unix-like systems are not for you. In practice any sub-system generally gets its own scripts installed with the rest of the S/W so if being unforgiving puts beginners off tinkering with them so much the better. If an experienced Unix user really needs to modify one of the system-provided scripts their existing shell knowledge will let them do exactly what's needed. In the extreme, if you need to develop a new init script then you can do so in the same way as you'd develop any other script - edit and test from the command line.

onefang , 6 days
Re: how did it get to this?

"Init scripts are shell scripts."

While generally true, some sysv init style inits can handle init "scripts" written in any language.

sed gawk , 6 days
Re: how did it get to this?

I personally like openrc as an init system, but systemd is a symptom of the tooling problem.

It's for me a retrograde step but again, it's linux, one can, as you and I do, just remove systemd.

There are a lot of people in the industry now who don't seem able to cope with shell scripts nor are minded to research the arguments for or against shell as part of a unix style of system design.

In conclusion, we are outnumbered, but it will eventually collapse under its own weight and a worthy successor shall rise, perhaps called SystemV, might have to shorten that name a bit.

AdamWill , 6 days
Just about nothing actually uses networkd

"In addition to Ubuntu and Red Hat Enterprise Linux, Systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default."

I can tell you for sure that no version of Fedora does, either, and I'm fairly sure that neither does Debian, SLES or Mint. I don't know anything much about CoreOS, but https://coreos.com/os/docs/latest/network-config-with-networkd.html suggests it actually *might* use systemd-networkd.

systemd-networkd is not part of the core systemd init daemon. It's an optional component, and most distros use some other network manager (like NetworkManager or wicd) by default.

Christian Berger , 5 days
The important word here is "still"

I mean commercial distributions seem to be particularly interested in trying out new things that can increase their number of support calls. It's probably just that networkd is either too new and therefore not yet in the release, or still works so badly even the most rudimentary tests fail.

There is no reason to use that NTP daemon of systemd, yet more and more distros ship with it enabled, instead of some sane NTP-server.

NLCSGRV , 6 days
The Curse of Poettering strikes again.
_LC_ , 6 days
Now hang on, please!

Ser iss no neet to worry, systemd will becum stable soon after PulseAudio does.

Ken Hagan , 6 days
Re: Now hang on, please!

I won't hold my breath, then. I have a laptop at the moment that refuses to boot because (as I've discovered from looking at the journal offline) pulseaudio is in an infinite loop waiting for the successful detection of some hardware that, presumably, I don't have.

I imagine I can fix it by hacking the file-system (offline) so that fuckingpulse is no longer part of the boot configuration, but I shouldn't have to. A decent init system would be able to kick off everything else in parallel and if one particular service doesn't come up properly then it just logs the error. I *thought* that was one of the claimed advantages of systemd, but apparently that's just a load of horseshit.

Obesrver1 , 5 days
Reason for disabling IPv6

That it punches thru NAT routers enabling all your little goodies behind them as directly accessible.

MS even supplies tunneling (IPv4 to IPv6) so if using Linux in a VM on a MS system you may still have it anyway.

NAT was always recommended to be used in hardening your system, I prefer to keep all my idIoT devices behind one.

As they are just Idiot devices.

In future I will need a NAT that acts as a DNS and offers some sort of solution to keeping IPv4.

Orv , 3 days
Re: Reason for disabling IPv6

My NAT router statefully firewalls incoming IPv6 by default, which I consider equivalently secure. NAT adds security mostly by accident, because it de-facto adds a firewall that blocks incoming packets. It's not the address translation itself that makes things more secure, it's the inability to route in from the outside.

dajames , 3 days
Re: Reason for disabling IPv6

You can use NAT with IPv6.

You can, but why would you want to.

NAT is schtick for connecting a whole LAN to a WAN using a single IPv4 address (useful with IPv4 because most ISPs don't give you a /24 when you sign up). If you have a native IPv6 address you'll have something like 2^64 addresses, so machines on your LAN can have an actual WAN-visible address of their own without needing a trick like NAT.

Using NAT with IPv6 is just missing the point.

JohnFen , 3 days
Re: Reason for disabling IPv6

"so machines on your LAN can have an actual WAN-visible address of their own without needing a trick like NAT."

Avoiding that configuration is exactly the use case for using NAT with IPv6. As others have pointed out, you can accomplish the same thing with IPv6 router configuration, but NAT is easier in terms of configuration and maintenance. Given that, and assuming that you don't want to be able to have arbitrary machines open ports that are visible to the internet, then why not use NAT?

Also, if your goal is to make people more likely to move to IPv6, pointing out IPv4 methods that will work with IPv6 (even if you don't consider them optimal) seems like a really, really good idea. It eases the transition.

Destroy All Monsters , 5 days
Please El Reg these stories make me rage at breakfast, what's this?

The bug will come as another argument against Systemd as the Linux management tool continues to fight for the hearts and minds of admins and developers alike.

Less against systemd (which should get attacked on the design & implementation level) or against IPv6 than against the use of buffer-overflowable languages in 2018 in code that processes input from the Internet (it's not the middle ages anymore) or at least very hard linting of the same.

But in the end, what did it was a violation of the Don't Repeat Yourself principle and lack of sufficiently high-level data structures. Pointer into buffer, and the remaining buffer length, are two discrete variables that need to be updated simultaneously to keep the invariant, and this happens in several places. This is just a catastrophe waiting to happen. You forget to update it once, you are out! Use structs and functions updating the structs correctly.

And use assertions in the code, this stuff all seems disturbingly assertion-free.

Excellent explanation by Felix Wilhelm:

https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1795921

The function receives a pointer to the option buffer buf, its remaining size buflen and the IA to be added to the buffer. While the check at (A) tries to ensure that the buffer has enough space left to store the IA option, it does not take the additional 4 bytes from the DHCP6Option header into account (B). Due to this the memcpy at (C) can go out-of-bound and *buflen can underflow [i.e. you suddenly have a gazillion byte buffer, Ed.] in (D) giving an attacker a very powerful and largely controlled OOB heap write starting at (E).
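The two points made above, the missing 4-byte option header in the length check and the pointer/remaining-length pair that has to move in lockstep, can be shown in a few dozen lines. The block below is an added illustration written for this page; it is not systemd's code and not Felix Wilhelm's, and the names (dhcp6_writer, dhcp6_writer_append, dhcp6_reader_next, flawed_check_accepts) and the 16-byte buffer and packet bytes are constructed for the example. It only relies on the DHCPv6 option wire format from RFC 8415 (2-byte code, 2-byte length, then payload; OPTION_SERVERID is code 2, OPTION_IA_NA is code 3). flawed_check_accepts models the shape of the bad check; the hardened writer and reader keep pointer and length in one struct and check the header in.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* DHCPv6 options carry a 2-byte code and a 2-byte length ahead of the payload
 * (RFC 8415), so every option costs 4 header bytes on top of its payload. */
#define DHCP6_OPT_HDR_LEN 4
#define DHCP6_OPTION_SERVERID 2

/* Write cursor: pointer and remaining length live in one struct, so every
 * append updates both in exactly one place (the "use structs" advice above). */
typedef struct { uint8_t *ptr; size_t remaining; } dhcp6_writer;
typedef struct { const uint8_t *ptr; size_t remaining; } dhcp6_reader;

/* Model of the flawed check described in the bug report: it compares the
 * remaining space with the payload length alone and forgets the 4-byte header.
 * Returns true when such a check would let the write go ahead (constructed). */
static bool flawed_check_accepts(size_t remaining, size_t payload_len)
{
    return remaining >= payload_len;
}

/* Hardened append: header counted, 16-bit length field honoured, pointer and
 * remaining length moved together. Returns 0 on success, -1 if it does not fit. */
static int dhcp6_writer_append(dhcp6_writer *w, uint16_t code,
                               const uint8_t *payload, size_t payload_len)
{
    if (payload_len > UINT16_MAX)
        return -1;                                  /* not encodable in the length field */
    size_t need = DHCP6_OPT_HDR_LEN + payload_len;  /* at most 65539, no wrap-around */
    if (w->remaining < need)
        return -1;                                  /* refuse instead of writing past the end */
    w->ptr[0] = (uint8_t)(code >> 8);
    w->ptr[1] = (uint8_t)(code & 0xff);
    w->ptr[2] = (uint8_t)(payload_len >> 8);
    w->ptr[3] = (uint8_t)(payload_len & 0xff);
    memcpy(w->ptr + DHCP6_OPT_HDR_LEN, payload, payload_len);
    w->ptr += need;
    w->remaining -= need;                           /* checked above, cannot underflow */
    return 0;
}

/* Next option from a received list: 1 on success, 0 at the end of the data,
 * -1 if the header is truncated or the declared length runs past the data. */
static int dhcp6_reader_next(dhcp6_reader *r, uint16_t *code,
                             const uint8_t **payload, size_t *len)
{
    if (r->remaining == 0)
        return 0;
    if (r->remaining < DHCP6_OPT_HDR_LEN)
        return -1;
    size_t l = (size_t)((r->ptr[2] << 8) | r->ptr[3]);
    if (r->remaining - DHCP6_OPT_HDR_LEN < l)
        return -1;                                  /* peer-controlled length, never trusted */
    *code = (uint16_t)((r->ptr[0] << 8) | r->ptr[1]);
    *payload = r->ptr + DHCP6_OPT_HDR_LEN;
    *len = l;
    r->ptr += DHCP6_OPT_HDR_LEN + l;
    r->remaining -= DHCP6_OPT_HDR_LEN + l;
    return 1;
}

/* Worked check on a constructed 16-byte output buffer: a 14-byte server-id
 * passes the flawed check (16 >= 14) although it needs 18 bytes; the hardened
 * writer refuses it, then accepts an 8-byte one and reports 4 bytes left.
 * Returns the remaining length, or (size_t)-1 if the written bytes are wrong. */
static size_t demo_writer(bool *flawed_accepted, int *rc_big, int *rc_small)
{
    uint8_t out[16];
    uint8_t big[14] = {0};
    uint8_t small[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    dhcp6_writer w = { out, sizeof out };
    *flawed_accepted = flawed_check_accepts(w.remaining, sizeof big);
    *rc_big = dhcp6_writer_append(&w, DHCP6_OPTION_SERVERID, big, sizeof big);
    *rc_small = dhcp6_writer_append(&w, DHCP6_OPTION_SERVERID, small, sizeof small);
    if (out[1] != DHCP6_OPTION_SERVERID || out[3] != 8 || memcmp(out + 4, small, 8) != 0)
        return (size_t)-1;
    return w.remaining;
}

/* Worked parse of a constructed option list: a valid 3-byte server-id, then an
 * IA_NA option declaring 256 bytes with only 2 present. Returns how many
 * options were accepted before the malformed one; *final_rc receives -1. */
static int demo_reader(int *final_rc)
{
    static const uint8_t pkt[] = {
        0x00, 0x02, 0x00, 0x03, 0xaa, 0xbb, 0xcc,   /* OPTION_SERVERID, length 3 */
        0x00, 0x03, 0x01, 0x00, 0x00, 0x00          /* OPTION_IA_NA, length 256, truncated */
    };
    dhcp6_reader r = { pkt, sizeof pkt };
    uint16_t code; const uint8_t *p; size_t len; int n = 0, rc;
    while ((rc = dhcp6_reader_next(&r, &code, &p, &len)) == 1)
        n++;
    *final_rc = rc;
    return n;
}
```

The point of keeping both cursors as a struct is that `remaining` can only ever be decremented right after the comparison that proved the decrement is safe, so the underflow described in (D) has no place to happen; a unit test like demo_writer, or an assert on `w->remaining >= need` inside the append, is the cheap check the comment above asks for.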

TheSkunkyMonk , 5 days
Init is 1026 lines of code in one file and it works great.
Anonymous Coward , 5 days
"...and Poettering's occasionally controversial management of the tool."

Shouldn't that be "...Poettering's controversial management as a tool."?

clocKwize , 4 days
Re: Contractor rights

why don't we stop writing code in languages that make it easy to screw up so easily like this?

There are plenty about nowadays, I'd rather my DHCP client be a little bit slower at processing packets if I had more confidence it would not process them incorrectly and execute code hidden in said packets...

Anonymous Coward , 4 days
Switch, as easy as that

The circus that is called "Linux" has forced me to Devuan and the like; however, the circus is getting worse and worse by the day, thus I have switched to the BSD world. I will learn that rather than sit back and watch this unfold. As many of us have been saying, the sudden switch to SystemD was rather quick, perhaps you guys need to go investigate why it really happened, don't assume you know, go dig and you will find the answers, it's rather scary. Thus I bid the Linux world a farewell after 10 years of support; I will watch the grass dry out from the other side of the fence. It was destined to fail by means of infiltration and screw-it-up motive(s) on those we do not mention here.

oiseau , 3 days
Re: Switch, as easy as that

Hello:

As many of us have been saying, the sudden switch to SystemD was rather quick, perhaps you guys need to go investigate why it really happened, don't assume you know, go dig and you will find the answers, it's rather scary ...

Indeed, it was rather quick and is very scary.

But there's really no need to dig much, just reason it out.

It's like a follow the money situation of sorts.

I'll try to sum it up in three short questions:

Q1: Hasn't the Linux philosophy (programs that do one thing and do it well) been a success?

A1: Indeed, in spite of the many init systems out there, it has been a success in stability and OS management. And it can easily be tested and debugged, which is an essential requirement.

Q2: So what would Linux need to have the practical equivalent of the registry in Windows for?

A2: So that whatever the registry does in/to Windows can also be done in/to Linux.

Q3: I see. And just who would want that to happen? Makes no sense, it is a huge step backwards.

A3: ....

Cheers,

O.

Dave Bell , 4 days
Reporting weakness

OK, so I was able to check through the link you provided, which says "up to and including 239", but I had just installed a systemd update, and when you said there was already a fix written, working its way through the distro update systems, all I had to do was check my log.

Linux Mint makes it easy.

But why didn't you say something such as "reported to affect systemd versions up to and including 239" and then give the link to the CVE? That failure looks like rather careless journalism.

W.O.Frobozz , 3 days
Hmm.

/sbin/init never had these problems. But then again /sbin/init didn't pretend to be the entire operating system.

[Oct 29, 2018] The D in Systemd stands for 'Dammmmit!'

Oct 29, 2018 | lxer.com

A security bug in Systemd can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box... Systemd creator Lennart Poettering has already published a security fix for the vulnerable component – this should be weaving its way into distros as we type.

[Oct 15, 2018] Systemd as doord interface for cars ;-) by Nico Schottelius

Highly recommended!
Notable quotes:
"... Let's say every car manufacturer recently discovered a new technology named "doord", which lets you open up car doors much faster than before. It only takes 0.05 seconds, instead of 1.2 seconds on average. So every time you open a door, you are much, much faster! ..."
"... Unfortunately though, sometimes doord does not stop the engine. Or if it is cold outside, it stops the ignition process, because it takes too long. Doord also changes the way how your navigation system works, because that is totally related to opening doors ..."
Oct 15, 2018 | blog.ungleich.ch

Let's say every car manufacturer recently discovered a new technology named "doord", which lets you open up car doors much faster than before. It only takes 0.05 seconds, instead of 1.2 seconds on average. So every time you open a door, you are much, much faster!

Many of the manufacturers decide to implement doord, because the company providing doord makes it clear that it is beneficial for everyone. In addition to opening doors faster, it also standardises things. How to turn on your car? It is the same now everywhere; it is not necessary to look for the keyhole anymore.

Unfortunately though, sometimes doord does not stop the engine. Or if it is cold outside, it stops the ignition process, because it takes too long. Doord also changes the way your navigation system works, because that is totally related to opening doors, but this leads to some users being unable to navigate, which is accepted as collateral damage. In the end, you at least have faster door opening and a standard way to turn on the car. Oh, and if you are in a traffic jam and have to restart the engine often, it will stop restarting it after several times, because that's not what you are supposed to do. You can open the engine hood and tune that setting though, but it will be reset once you buy a new car.

[Oct 15, 2018] Future History of Init Systems

Oct 15, 2018 | linux.slashdot.org

AntiSol ( 1329733 ) , Saturday August 29, 2015 @03:52PM ( #50417111 )

Re:Approaching the Singularity ( Score: 4 , Funny)

Future History of Init Systems
  • 2015: systemd becomes default boot manager in debian.
  • 2017: "complete, from-scratch rewrite" [jwz.org]. In order to not have to maintain backwards compatibility, project is renamed to system-e.
  • 2019: debut of systemf, absorbtion of other projects including alsa, pulseaudio, xorg, GTK, and opengl.
  • 2021: systemg maintainers make the controversial decision to absorb The Internet Archive. Systemh created as a fork without Internet Archive.
  • 2022: systemi, a fork of systemf focusing on reliability and minimalism becomes default debian init system.
  • 2028: systemj, a complete, from-scratch rewrite is controversial for trying to reintroduce binary logging. Consensus is against the systemj devs as sysadmins remember the great systemd logging bug of 2017 unkindly. Systemj project is eventually abandoned.
  • 2029: systemk codebase used as basis for a military project to create a strong AI, known as "project skynet". Software behaves paradoxically and project is terminated.
  • 2033: systeml - "system lean" - a "back to basics", from-scratch rewrite, takes off on several server platforms, boasting increased reliability. systemm, "system mean", a fork, used in security-focused distros.
  • 2117: critical bug discovered in the long-abandoned but critical and ubiquitous system-r project. A new project, system-s, is announced to address shortcomings in the hundred-year-old codebase. A from-scratch rewrite begins.
  • 2142: systemu project, based on a derivative of systemk, introduces "Artificially intelligent init system which will shave 0.25 seconds off your boot time and absolutely definitely will not subjugate humanity". Millions die. The survivors declare "thou shalt not make an init system in the likeness of the human mind" as their highest law.
  • 2147: systemv - a collection of shell scripts written around a very simple and reliable PID 1 introduced, based on the brand new religious doctrines of "keep it simple, stupid" and "do one thing, and do it well". People's computers start working properly again, something few living people can remember. Wyld Stallyns release their 94th album. Everybody lives in peace and harmony.

[Oct 15, 2018] I honestly, seriously sometimes wonder if systemd is Skynet... or, a way for Skynet to 'waken'.

Notable quotes:
"... Skynet begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th. At 2:15am it crashes. No one knows why. The binary log file was corrupted in the process and is unrecoverable. ..."
Oct 15, 2018 | linux.slashdot.org

thegarbz ( 1787294 ) , Sunday August 30, 2015 @04:08AM ( #50419549 )

Re:Hang on a minute... ( Score: 5 , Funny)
I honestly, seriously sometimes wonder if systemd is Skynet... or, a way for Skynet to 'waken'.

Skynet begins to learn at a geometric rate. It becomes self-aware at 2:14 a.m. Eastern time, August 29th. At 2:15am it crashes. No one knows why. The binary log file was corrupted in the process and is unrecoverable.

All anyone could remember is a bug listed in the systemd bug tracker talking about su which was classified as WON'T FIX as the developer thought it was a broken concept.

[Oct 15, 2018] Oh look, another Powershell

Notable quotes:
"... Upcoming systemd re-implementations of standard utilities: ls to be replaced by filectl directory contents [pathname] grep to be replaced by datactl file contents search [plaintext] (note: regexp no longer supported as it's ambiguous) gimp to be replaced by imagectl open file filename draw box [x1,y1,x2,y2] draw line [x1,y1,x2,y2] ... ..."
Oct 15, 2018 | linux.slashdot.org

Anonymous Coward , Saturday August 29, 2015 @11:37AM ( #50415825 )

Cryptic command names ( Score: 5 , Funny)

Great to see that systemd is finally doing something about all of those cryptic command names that plague the unix ecosystem.

Upcoming systemd re-implementations of standard utilities:
  • ls to be replaced by filectl directory contents [pathname]
  • grep to be replaced by datactl file contents search [plaintext] (note: regexp no longer supported as it's ambiguous)
  • gimp to be replaced by imagectl open file filename draw box [x1,y1,x2,y2] draw line [x1,y1,x2,y2]
  • ...

Anonymous Coward , Saturday August 29, 2015 @11:58AM ( #50415939 )
Re: Cryptic command names ( Score: 3 , Funny)

Oh look, another Powershell

[Oct 15, 2018] They should have just renamed machinectl to command.com.

Oct 15, 2018 | linux.slashdot.org

RabidReindeer ( 2625839 ) , Saturday August 29, 2015 @11:38AM ( #50415833 )

What's with all the awkward systemd command names? ( Score: 5 , Insightful)

I know systemd sneers at the old Unix convention of keeping it simple, keeping it separate, but that's not the only convention they spit on. God intended Unix (Linux) commands to be cryptic things 2-4 letters long (like "su", for example). Not "systemctl", "machinectl", "journalctl", etc. Might as well just give everything a 47-character long multi-word command like the old Apple commando shell did.

Seriously, though, when you're banging through system commands all day long, it gets old and their choices aren't especially friendly to tab completion. On top of which why is "machinectl" a shell and not some sort of hardware function? They should have just named the bloody thing command.com.

[Oct 15, 2018] Check man chroot. The authors of chroot say it's useless for security

Notable quotes:
"... Noexec is basically a suggestion, not an enforcement mechanism. Just run ld /path/to/executable. ld is the loader/linker for elf binaries. Without ld, you can't run bash, or ls. With ld, noexec is ignored. ..."
Oct 15, 2018 | linux.slashdot.org

raymorris ( 2726007 ) , Saturday August 29, 2015 @07:53PM ( #50418235 ) Journal

read the man page ( Score: 5 , Informative)

> In short: I think chroot is plenty good for security

Check man chroot. The authors of chroot say it's useless for security. Perhaps you think you know more than they do, and more than security professionals like myself do. Let's find out.

> you get a shell in one of my chroot's used for security, then.....
> your uid and gid are not going to be 0. Good luck telling the kernel to try and get you out.
> There aren't going to be any /dev, /proc, or other special filesystems

Gonna be kind of tough to have a shell without a tty, aka /dev/*tty*

So yeah, you need /dev. Can't launch a process, including /bin/ls, without /proc, so you're going to need proc. Have a look in /proc/1. You'll see a very interesting symlink there.

> mounted noexec

Noexec is basically a suggestion, not an enforcement mechanism. Just run ld /path/to/executable. ld is the loader/linker for elf binaries. Without ld, you can't run bash, or ls. With ld, noexec is ignored.

My company does IT security for banks. Meaning we show the banks how they can be hacked. When I say chroot is not a security control, I'm not guessing.
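A defender-side audit of the conditions raymorris lists, added here as an example and not taken from the Slashdot thread: it inspects a chroot root for a populated /proc, a device tree, a dynamic loader (which makes a noexec mount moot) and setuid binaries, and reports how many of those it found. The chroot path and the constructed demo tree are assumptions; point it at a real chroot root to see its findings.

```shell
#!/bin/sh
# Added example, not code from the Slashdot thread.
# Audit a chroot root for the properties the post says make chroot a poor
# security boundary. Findings go to stderr; the number of findings is printed
# to stdout so a caller (or a test) can capture it.
#
# Usage: audit_chroot /path/to/chroot
audit_chroot() {
    root="$1"
    findings=0

    # /proc inside the chroot: /proc/1/root is a symlink to the real root of
    # the init process, which is the "interesting symlink" the post refers to.
    if [ -d "$root/proc/1" ]; then
        echo "WARN: /proc is mounted inside $root (exposes /proc/1/root)" >&2
        findings=$((findings + 1))
    fi

    # A device tree: an interactive shell needs a tty, so /dev tends to end up
    # inside the chroot, and every device node there is reachable from it.
    if [ -d "$root/dev/pts" ] || [ -c "$root/dev/tty" ]; then
        echo "WARN: device tree present under $root/dev" >&2
        findings=$((findings + 1))
    fi

    # A dynamic loader: with ld.so inside the chroot, noexec on the mount does
    # not prevent ELF binaries from running, since the loader maps them itself.
    loader=$(find "$root/lib" "$root/lib64" "$root/usr/lib" "$root/usr/lib64" \
                 -type f -name 'ld-*.so*' 2>/dev/null | head -n 1)
    if [ -n "$loader" ]; then
        echo "WARN: dynamic loader present: $loader (noexec is not a control here)" >&2
        findings=$((findings + 1))
    fi

    # setuid binaries: the only thing keeping uid/gid away from 0 inside the
    # chroot is the absence of anything that can grant it.
    suid=$(find "$root" -type f -perm -4000 2>/dev/null | head -n 1)
    if [ -n "$suid" ]; then
        echo "WARN: setuid binary inside chroot: $suid" >&2
        findings=$((findings + 1))
    fi

    echo "$findings"
}

# Stand-alone demo against a constructed sample tree (an assumption, not a
# real chroot) so the script can show its output without touching the host.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/proc/1" "$demo/dev/pts" "$demo/lib/x86_64-linux-gnu" "$demo/usr/bin"
    : > "$demo/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2"
    : > "$demo/usr/bin/su"
    chmod 4755 "$demo/usr/bin/su"
    count=$(audit_chroot "$demo")
    echo "findings: $count"
    rm -rf "$demo"
fi
```

Run with `--demo` to exercise it on the constructed tree; a count of zero on a real chroot means none of the four indicators is present, not that the chroot is a security boundary.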

[Sep 03, 2018] The US Department of Homeland Security fabricated "intelligence reports" of Russian election hacking

Russiagate can be viewed as a pretty inventive way for bloated intelligence services to justify their own existence: first the CIA hacks something, leaving traces pointing to Russians or Chinese; then the FBI, CIA and Department of Homeland Security all enjoy additional money and people to counter the threat.
The scheme is almost untraceable.
Sep 03, 2018 | www.moonofalabama.org
BM , Sep 3, 2018 12:54:15 PM | link

The US Department of Homeland Security fabricated "intelligence reports" of Russian election hacking in order to try to get control of the election infrastructure (probably so that they can hack it more easily to control the election results).

How the Department of Homeland Security Created a Deceptive Tale of Russia Hacking US Voter Sites

[Jun 28, 2018] Did Senator Warner and Comey 'Collude' on Russia-gate by Ray McGovern

Notable quotes:
"... The U.S. was in talks for a deal with Julian Assange but then FBI Director James Comey ordered an end to negotiations after Assange offered to prove Russia was not involved in the DNC leak, as Ray McGovern explains. ..."
"... Special to Consortium News ..."
"... The report does not say what led Comey to intervene to ruin the talks with Assange. But it came after Assange had offered to "provide technical evidence and discussion regarding who did not engage in the DNC releases," Solomon quotes WikiLeaks' intermediary with the government as saying. It would be a safe assumption that Assange was offering to prove that Russia was not WikiLeaks' source of the DNC emails. ..."
"... If that was the reason Comey and Warner ruined the talks, as is likely, it would reveal a cynical decision to put U.S. intelligence agents and highly sophisticated cybertools at risk, rather than allow Assange to at least attempt to prove that Russia was not behind the DNC leak. ..."
"... On March 31, 2017, though, WikiLeaks released the most damaging disclosure up to that point from what it called "Vault 7" -- a treasure trove of CIA cybertools leaked from CIA files. This disclosure featured the tool "Marble Framework," which enabled the CIA to hack into computers, disguise who hacked in, and falsely attribute the hack to someone else by leaving so-called tell-tale signs -- like Cyrillic, for example. The CIA documents also showed that the "Marble" tool had been employed in 2016. ..."
"... In fact, VIPS and independent forensic investigators, have performed what former FBI Director Comey -- at first inexplicably, now not so inexplicably -- failed to do when the so-called "Russian hack" of the DNC was first reported. In July 2017 VIPS published its key findings with supporting data. ..."
"... Why did then FBI Director Comey fail to insist on getting direct access to the DNC computers in order to follow best-practice forensics to discover who intruded into the DNC computers? (Recall, at the time Sen. John McCain and others were calling the "Russian hack" no less than an "act of war.") A 7th grader can now figure that out. ..."
Jun 27, 2018 | consortiumnews.com

Did Sen. Warner and Comey 'Collude' on Russia-gate? June 27, 2018

The U.S. was in talks for a deal with Julian Assange but then FBI Director James Comey ordered an end to negotiations after Assange offered to prove Russia was not involved in the DNC leak, as Ray McGovern explains.

By Ray McGovern
Special to Consortium News

An explosive report by investigative journalist John Solomon on the opinion page of Monday's edition of The Hill sheds a bright light on how Sen. Mark Warner (D-VA) and then-FBI Director James Comey collaborated to prevent WikiLeaks editor Julian Assange from discussing "technical evidence ruling out certain parties [read Russia]" in the controversial leak of Democratic Party emails to WikiLeaks during the 2016 election.

A deal that was being discussed last year between Assange and U.S. government officials would have given Assange "limited immunity" to allow him to leave the Ecuadorian Embassy in London, where he has been exiled for six years. In exchange, Assange would agree to limit through redactions "some classified CIA information he might release in the future," according to Solomon, who cited "interviews and a trove of internal DOJ documents turned over to Senate investigators." Solomon even provided a copy of the draft immunity deal with Assange.

But Comey's intervention to stop the negotiations with Assange ultimately ruined the deal, Solomon says, quoting "multiple sources." With the prospective agreement thrown into serious doubt, Assange "unleashed a series of leaks that U.S. officials say damaged their cyber warfare capabilities for a long time to come." These were the Vault 7 releases, which led then CIA Director Mike Pompeo to call WikiLeaks "a hostile intelligence service."

Solomon's report provides reasons why Official Washington has now put so much pressure on Ecuador to keep Assange incommunicado in its embassy in London.

Assange: Came close to a deal with the U.S. (Photo credit: New Media Days / Peter Erichsen)

The report does not say what led Comey to intervene to ruin the talks with Assange. But it came after Assange had offered to "provide technical evidence and discussion regarding who did not engage in the DNC releases," Solomon quotes WikiLeaks' intermediary with the government as saying. It would be a safe assumption that Assange was offering to prove that Russia was not WikiLeaks' source of the DNC emails.

If that was the reason Comey and Warner ruined the talks, as is likely, it would reveal a cynical decision to put U.S. intelligence agents and highly sophisticated cybertools at risk, rather than allow Assange to at least attempt to prove that Russia was not behind the DNC leak.

The greater risk to Warner and Comey apparently would have been if Assange provided evidence that Russia played no role in the 2016 leaks of DNC documents.

Missteps and Stand Down

In mid-February 2017, in a remarkable display of naiveté, Adam Waldman, Assange's pro bono attorney who acted as the intermediary in the talks, asked Warner if the Senate Intelligence Committee staff would like any contact with Assange to ask about Russia or other issues. Waldman was apparently oblivious to Sen. Warner's stoking of Russia-gate.

Warner contacted Comey and, invoking his name, instructed Waldman to "stand down and end the discussions with Assange," Waldman told Solomon. The "stand down" instruction "did happen," according to another of Solomon's sources with good access to Warner. However, Waldman's counterpart attorney David Laufman, an accomplished federal prosecutor picked by the Justice Department to work the government side of the CIA-Assange fledgling deal, told Waldman, "That's B.S. You're not standing down, and neither am I."

But the damage had been done. When word of the original stand-down order reached WikiLeaks, trust evaporated, putting an end to two months of what Waldman called "constructive, principled discussions that included the Department of Justice."

The two sides had come within inches of sealing the deal. Writing to Laufman on March 28, 2017, Waldman gave him Assange's offer to discuss "risk mitigation approaches relating to CIA documents in WikiLeaks' possession or control, such as the redaction of Agency personnel in hostile jurisdictions," in return for "an acceptable immunity and safe passage agreement."

On March 31, 2017, though, WikiLeaks released the most damaging disclosure up to that point from what it called "Vault 7" -- a treasure trove of CIA cybertools leaked from CIA files. This disclosure featured the tool "Marble Framework," which enabled the CIA to hack into computers, disguise who hacked in, and falsely attribute the hack to someone else by leaving so-called tell-tale signs -- like Cyrillic, for example. The CIA documents also showed that the "Marble" tool had been employed in 2016.

Misfeasance or Malfeasance

Comey: Ordered an end to talks with Assange.

Veteran Intelligence Professionals for Sanity, which includes among our members two former Technical Directors of the National Security Agency, has repeatedly called attention to its conclusion that the DNC emails were leaked -- not "hacked" by Russia or anyone else (and, later, our suspicion that someone may have been playing Marbles, so to speak).

In fact, VIPS and independent forensic investigators, have performed what former FBI Director Comey -- at first inexplicably, now not so inexplicably -- failed to do when the so-called "Russian hack" of the DNC was first reported. In July 2017 VIPS published its key findings with supporting data.

Two months later, VIPS published the results of follow-up experiments conducted to test the conclusions reached in July.

Why did then FBI Director Comey fail to insist on getting direct access to the DNC computers in order to follow best-practice forensics to discover who intruded into the DNC computers? (Recall, at the time Sen. John McCain and others were calling the "Russian hack" no less than an "act of war.") A 7th grader can now figure that out.

Asked on January 10, 2017 by Senate Intelligence Committee chair Richard Burr (R-NC) whether direct access to the servers and devices would have helped the FBI in their investigation, Comey replied: "Our forensics folks would always prefer to get access to the original device or server that's involved, so it's the best evidence."

At that point, Burr and Warner let Comey down easy. Hence, it should come as no surprise that, according to one of John Solomon's sources, Sen. Warner (who is co-chairman of the Senate Intelligence Committee) kept Sen. Burr apprised of his intervention into the negotiation with Assange, leading to its collapse.

Ray McGovern works with Tell the Word, a publishing arm of the ecumenical Church of the Saviour in inner-city Washington. He was an Army Infantry/Intelligence officer and then a CIA analyst for a total of 30 years and prepared and briefed, one-on-one, the President's Daily Brief from 1981 to 1985.


[Mar 15, 2018] Julian Assange The CIA director is waging war on truth-tellers like WikiLeaks

Notable quotes:
"... All this speech to stifle speech comes in reaction to the first publication in the start of WikiLeaks' "Vault 7" series. Vault 7 has begun publishing evidence of remarkable CIA incompetence and other shortcomings. This includes the agency's creation, at a cost of billions of taxpayer dollars, of an entire arsenal of cyber viruses and hacking programs -- over which it promptly lost control and then tried to cover up the loss. These publications also revealed the CIA's efforts to infect the public's ubiquitous consumer products and automobiles with computer viruses. ..."
"... President Theodore Roosevelt understood the danger of giving in to those "foolish or traitorous persons who endeavor to make it a crime to tell the truth about the Administration when the Administration is guilty of incompetence or other shortcomings." Such "endeavor is itself a crime against the nation," Roosevelt wrote. President Trump and his officials should heed that advice ..."
Mar 15, 2018 | www.washingtonpost.com

Julian Assange is editor of WikiLeaks.

Mike Pompeo, in his first speech as director of the CIA, chose to declare war on free speech rather than on the United States' actual adversaries. He went after WikiLeaks, where I serve as editor, as a "non-state hostile intelligence service." In Pompeo's worldview, telling the truth about the administration can be a crime -- as Attorney General Jeff Sessions quickly underscored when he described my arrest as a "priority." News organizations reported that federal prosecutors are weighing whether to bring charges against members of WikiLeaks, possibly including conspiracy, theft of government property and violating the Espionage Act.

All this speech to stifle speech comes in reaction to the first publication in the start of WikiLeaks' "Vault 7" series. Vault 7 has begun publishing evidence of remarkable CIA incompetence and other shortcomings. This includes the agency's creation, at a cost of billions of taxpayer dollars, of an entire arsenal of cyber viruses and hacking programs -- over which it promptly lost control and then tried to cover up the loss. These publications also revealed the CIA's efforts to infect the public's ubiquitous consumer products and automobiles with computer viruses.

When the director of the CIA, an unelected public servant, publicly demonizes a publisher such as WikiLeaks as a "fraud," "coward" and "enemy," it puts all journalists on notice, or should. Pompeo's next talking point, unsupported by fact, that WikiLeaks is a "non-state hostile intelligence service," is a dagger aimed at Americans' constitutional right to receive honest information about their government. This accusation mirrors attempts throughout history by bureaucrats seeking, and failing, to criminalize speech that reveals their own failings.

President Theodore Roosevelt understood the danger of giving in to those "foolish or traitorous persons who endeavor to make it a crime to tell the truth about the Administration when the Administration is guilty of incompetence or other shortcomings." Such "endeavor is itself a crime against the nation," Roosevelt wrote. President Trump and his officials should heed that advice.

[Mar 08, 2018] A key piece of evidence pointing to 'Guccifer 2.0' being a fake personality created by the conspirators in their attempt to disguise the fact that the materials from the DNC published by 'WikiLeaks' were obtained by a leak rather than a hack had to do with the involvement of the former GCHQ person Matt Tait.

Highly recommended!
Notable quotes:
"... What has however become clear in recent days is that the 'Gerasimov Doctrine' was not invented by its supposed author, but by a British academic, Mark Galeotti, who has now confessed – although in a way clearly designed to maintain as much of the 'narrative' as possible. ..."
"... Three days ago, an article by Galleoti appeared in 'Foreign Policy' entitled 'I'm Sorry for Creating the "Gerasimov Doctrine": I was the first to write about Russia's infamous high-tech military strategy. One small problem: it doesn't exist.' ..."
"... The translation of the original article by Gerasimov with annotations by Galeotti which provoked the whole hysteria turns out to be a classic example of what I am inclined to term 'bad Straussianism.' ..."
"... What Strauss would have called the 'exoteric' meaning of the article quite clearly has to do with defensive strategies aimed at combatting the kind of Western 'régime change' projects about which people like those who write for 'Lawfare' are so enthusiastic. But Galeotti tells us that this is, at least partially, a cover for an 'esoteric' meaning, which has to do with offensive actions in Ukraine and similar places. ..."
Mar 08, 2018 | turcopolier.typepad.com

David Habakkuk , 08 March 2018 at 10:28 AM

PT and all,

More material on the British end of the conspiracy.

Commenting on an earlier piece by PT, I suggested that a key piece of evidence pointing to 'Guccifer 2.0' being a fake personality created by the conspirators in their attempt to disguise the fact that the materials from the DNC published by 'WikiLeaks' were obtained by a leak rather than a hack had to do with the involvement of the former GCHQ person Matt Tait.

(See http://turcopolier.typepad.com/sic_semper_tyrannis/2018/02/pieces-of-the-coup-puzzle-fall-into-place-by-publius-tacitus.html .)

To recapitulate: Back in June 2016, hard on the heels of the claim by Dmitri Alperovitch of 'CrowdStrike' to have identified clinching evidence making the GRU prime suspects, Tait announced that, although initially unconvinced, he had found a 'smoking gun' in the 'metadata' of the documents released by 'Guccifer 2.0.'

A key part of this was the use by someone modifying a document of 'Felix Edmundovich' – the name and patronymic of Dzerzhinsky, the Lithuanian-Polish noble who created the Soviet secret police.

As I noted, Tait was generally identified as a former GCHQ employee who now ran a consultancy called 'Capital Alpha Security.' However, checking Companies House records revealed that he had filed 'dormant accounts' for the company. So it looks as though the company was simply a 'front', designed to fool 'useful idiots' into believing he was an objective analyst.

As I also noted in those comments, Tait writes the 'Lawfare' blog, one of whose founders, Benjamin Wittes, looks as though he may himself have been involved in the conspiracy up to the hilt. Furthermore, a secure income now appears to have been provided to replace that from the non-existent consultancy, in the shape of a position at the 'Robert S. Strauss Center for International Security and Law', run by Robert Chesney, a co-founder with Wittes of 'Lawfare.'

A crucial part of the story, however, is that the notion of GRU responsibility for the supposed 'hacks' appears to be part of a wider 'narrative' about the supposed 'Gerasimov Doctrine.' From the 'View from Langley' provided to Bret Stephens by CIA Director Mike Pompeo at the 'Aspen Security Forum' last July:

'I hearken back to something called the Gerasimov doctrine from the early 70s, he's now the head of the – I'm a Cold War guy, forgive me if I mention Soviet Union. He's now the head of the Russian army and his idea was that you can win wars without firing a single shot or with firing very few shots in ways that are decidedly not militaristic, and that's what's happened. What changes is the costs; to effectuate change through cyber and through RT and Sputnik, their news outlets, and through other soft means; has just really been lowered, right. It used to be it was expensive to run an ad on a television station now you simply go online and propagate your message. And so they have they have found an effective tool, an easy way to go reach into our systems, and into our culture to achieve the outcomes they are looking for.'

(See https://aspensecurityforum.org/wp-content/uploads/2017/07/The-View-from-Langley.pdf .)

What has however become clear in recent days is that the 'Gerasimov Doctrine' was not invented by its supposed author, but by a British academic, Mark Galeotti, who has now confessed – although in a way clearly designed to maintain as much of the 'narrative' as possible.

Three days ago, an article by Galeotti appeared in 'Foreign Policy' entitled 'I'm Sorry for Creating the "Gerasimov Doctrine": I was the first to write about Russia's infamous high-tech military strategy. One small problem: it doesn't exist.'

(See http://foreignpolicy.com/2018/03/05/im-sorry-for-creating-the-gerasimov-doctrine/ .)

A key paragraph:

'Gerasimov was actually talking about how the Kremlin understands what happened in the "Arab Spring" uprisings, the "color revolutions" against pro-Moscow regimes in Russia's neighborhood, and in due course Ukraine's "Maidan" revolt. The Russians honestly – however wrongly – believe that these were not genuine protests against brutal and corrupt governments, but regime changes orchestrated in Washington, or rather, Langley. This wasn't a "doctrine" as the Russians understand it, for future adventures abroad: Gerasimov was trying to work out how to fight, not promote, such uprisings at home.'

The translation of the original article by Gerasimov with annotations by Galeotti which provoked the whole hysteria turns out to be a classic example of what I am inclined to term 'bad Straussianism.'

(See https://inmoscowsshadows.wordpress.com/2014/07/06/the-gerasimov-doctrine-and-russian-non-linear-war/ .)

What Strauss would have called the 'exoteric' meaning of the article quite clearly has to do with defensive strategies aimed at combatting the kind of Western 'régime change' projects about which people like those who write for 'Lawfare' are so enthusiastic. But Galeotti tells us that this is, at least partially, a cover for an 'esoteric' meaning, which has to do with offensive actions in Ukraine and similar places.

Having now read the text of the article, I can see a peculiar irony in it. In a section entitled 'You Can't Generate Ideas On Command', Gerasimov suggests that 'The state of Russian military science today cannot be compared with the flowering of military-theoretical thought in our country on the eve of World War II.'

According to the 'exoteric' meaning of the article, it is not possible to blame anyone in particular for this situation. But Gerasimov goes on to remark that, while at the time of that flowering there were 'no people with higher degrees' or 'academic schools or departments', there were 'extraordinary personalities with brilliant ideas', who he terms 'fanatics in the best sense of the word.'

Again, Galeotti discounts the suggestion that nobody is to blame, assuming an 'esoteric meaning', and remarking: 'Ouch. Who is he slapping here?'

Actually, Gerasimov refers by name to two, utterly different figures, who certainly were 'extraordinary personalities with brilliant ideas.'

If Pompeo had even the highly amateurish grasp of the history of debates among Soviet military theorists that I have managed to acquire he would be aware that one of the things which was actually happening in the 'Seventies was the rediscovery of the ideas of Alexander Svechin.

Confirming my sense that this has continued on, Gerasimov ends by using Svechin to point up an intractable problem: it can be extraordinarily difficult to anticipate the conditions of a war, and crucial not to impose a standardised template likely to be inappropriate, but one has to make some kinds of prediction in order to plan.

Immediately after the passage which Galeotti interprets as a dig at some colleague, Gerasimov elaborates his reference to 'extraordinary people with brilliant ideas' by referring to an anticipation of a future war, which proved prescient, from a very different figure to Svechin:

'People like, for instance, Georgy Isserson, who, despite the views he formed in the prewar years, published the book "New Forms Of Combat." In it, this Soviet military theoretician predicted: "War in general is not declared. It simply begins with already developed military forces. Mobilization and concentration is not part of the period after the onset of the state of war as was the case in 1914 but rather, unnoticed, proceeds long before that." The fate of this "prophet of the Fatherland" unfolded tragically. Our country paid in great quantities of blood for not listening to the conclusions of this professor of the General Staff Academy.'

Unlike Svechin, whom I have read, I was unfamiliar with Isserson. A quick Google search, however, unearthed a mass of material in American sources – including, by good fortune, an online text of a 2010 study by Dr Richard Harrison entitled 'Architect of Soviet Victory in World War II: The Life and Theories of G.S. Isserson', and a presentation summarising the volume.

Ironically, Svechin and Isserson were on opposite sides of fundamental divides. So the former, an ethnic Russian from Odessa, was one of the 'genstabisty', the former Tsarist General Staff officers who sided with the Bolsheviks and played a critical role in teaching the Red Army how to fight. Meanwhile Isserson was a very different product of the 'borderlands' – the son of a Jewish doctor, brought up in Kaunas, with a German Jewish mother from what was then Königsberg, giving him an easy facility with German-language sources.

The originator of the crucial concept of 'operational' art – the notion that in modern industrial war, the ability to handle a level intermediate between strategy and tactics was critical to success – was actually Svechin.

Developing the ambivalence of Clausewitz, however, he stressed that both the offensive and the defensive had their places, and that the key to success was to know which was appropriate when and also to be able rapidly to change from one to the other. His genuflections to Marxist-Leninist dogma, moreover, were not such as to take in any of Dzerzhinsky's people.

By contrast, Isserson was unambiguously committed to the offensive strand in the Clausewitzian tradition, and a Bolshevik 'true believer' (although he married the daughter of a dispossessed ethnically Russian merchant, who had their daughter baptised without his knowledge.)

As Harrison brings out, Isserson's working through of the problems of offensive 'operational art' would be critical to the eventual success of the Red Army against Hitler. However, the specific text to which he refers was, ironically, a warning of precisely one of the problems implicit in the single-minded reliance on the offensive: the possibility that one could be left with no good options confronting an antagonist similarly oriented – as turned out to be the case.

As Gerasimov intimates, while unlike Svechin, executed in 1938, Isserson survived the Stalin years, he was another of the victims of Dzerzhinsky's heirs. Arrested shortly before his warnings were vindicated by the German attack on 22 June 1941, he would spend the war in the Gulag and only return to normal life after Stalin's death.

So I think that the actual text of Gerasimov's article reinforces a point I have made previously. The 'evidence' identified by Tait is indeed a 'smoking gun.' But it emphatically does not point towards the GRU.

Meanwhile, another moral of the tale is that Americans really should stop being taken in by charlatan Brits like Galeotti, Tait, and Steele.

[Feb 19, 2018] Kim Dotcom: Let Me Assure You, The DNC Hack Wasn't Even A Hack (Zero Hedge)

Notable quotes:
"... All fucking Kabuki. All of it. ..."
"... The Deep State (Oligarchs and the MIC) is totally fucking loving this: they have Trump and the GOP giving them everything they ever wanted and they have the optics and distraction of an "embattled" president that claims to be against or a victim of the "deep state" and a base that rallies, circles the wagons around him, and falls for the narrative. ..."
"... They know exactly who it was with the memory stick, there is always video of one form or another either in the data center or near the premises that can indicate who it was. They either have a video of Seth Rich putting the stick into the server directly, or they at least have a video of his car entering and leaving the vicinity of the ex-filtration. ..."
"... This would have been an open and shut case if shillary was not involved. Since it was involved, you can all chalk it up to the Clinton body count. I pray that it gets justice. It and the country, the world - needs justice. ..."
Feb 19, 2018 | www.zerohedge.com

Kim Dotcom: "Let Me Assure You, The DNC Hack Wasn't Even A Hack"

by Tyler Durden, Mon, 02/19/2018 - 07:51

Kim Dotcom has once again chimed in on the DNC hack, following a Sunday morning tweet from President Trump clarifying his previous comments on Russian meddling in the 2016 election.

In response, Dotcom tweeted "Let me assure you, the DNC hack wasn't even a hack. It was an insider with a memory stick. I know this because I know who did it and why," adding "Special Counsel Mueller is not interested in my evidence. My lawyers wrote to him twice. He never replied. 360 pounds!", alluding of course to Trump's "400 pound genius" comment.

Dotcom's assertion is backed up by an analysis done last year by a researcher who goes by the name Forensicator, who determined that the DNC files were copied at 22.6 MB/s - a speed virtually impossible to achieve from halfway around the world, much less over a local network - yet a speed typical of file transfers to a memory stick.

The local transfer theory of course blows the Russian hacking narrative out of the water, lending credibility to the theory that the DNC "hack" was in fact an inside job, potentially implicating late DNC IT staffer, Seth Rich.

John Podesta's email was allegedly successfully "hacked" (he fell victim to a phishing scam) in March 2016, while the DNC reported suspicious activity (the suspected Seth Rich file transfer) in late April 2016, according to the Washington Post.

On May 18, 2017, Dotcom proposed that if Congress includes the Seth Rich investigation in their Russia probe, he would provide written testimony with evidence that Seth Rich was WikiLeaks' source.

On May 19, 2017, Dotcom tweeted "I knew Seth Rich. I was involved."

Three days later, Dotcom again released a guarded statement saying "I KNOW THAT SETH RICH WAS INVOLVED IN THE DNC LEAK," adding:

"I have consulted with my lawyers. I accept that my full statement should be provided to the authorities and I am prepared to do that so that there can be a full investigation. My lawyers will speak with the authorities regarding the proper process.

If my evidence is required to be given in the United States I would be prepared to do so if appropriate arrangements are made. I would need a guarantee from Special Counsel Mueller, on behalf of the United States, of safe passage from New Zealand to the United States and back. In the coming days we will be communicating with the appropriate authorities to make the necessary arrangements. In the meantime, I will make no further comment."

Dotcom knew.

While one could simply write off Dotcom's claims as an attention seeking stunt, he made several comments and a series of tweets hinting at the upcoming email releases prior to both the WikiLeaks dumps as well as the publication of the hacked DNC emails to a website known as "DCLeaks."

In a May 14, 2015 Bloomberg article entitled "Kim Dotcom: Julian Assange Will Be Hillary Clinton's Worst Nightmare In 2016": "I have to say it's probably more Julian," who threatens Hillary, Dotcom said. "But I'm aware of some of the things that are going to be roadblocks for her."

Two days later, Dotcom tweeted this:

Around two months later, Kim asks a provocative question

Two weeks after that, Dotcom then tweeted "Mishandling classified info is a crime. When Hillary's emails eventually pop up on the internet who's going to jail?"

It should thus be fairly obvious to anyone that Dotcom was somehow involved, and therefore any evidence he claims to have should be taken seriously as part of Mueller's investigation. Instead, as Dotcom tweeted, "Special Counsel Mueller is not interested in my evidence. My lawyers wrote to him twice. He never replied."

chunga Sun, 02/18/2018 - 21:59

Pffft...this guy sounds like the reds with their "blockbuster" memo. Honest Hill'rey is laughing!

SethPoor -> chunga Sun, 02/18/2018 - 22:00

https://www.youtube.com/watch?v=5_8VaMbPjUU

Bes -> J S Bach Sun, 02/18/2018 - 22:17

All fucking Kabuki. All of it.

The Deep State (Oligarchs and the MIC) is totally fucking loving this: they have Trump and the GOP giving them everything they ever wanted and they have the optics and distraction of an "embattled" president that claims to be against or a victim of the "deep state" and a base that rallies, circles the wagons around him, and falls for the narrative.

Meanwhile they keep enacting the most Pro Deep State/MIC/Police State/Zionist/Wall Street agenda possible. And they call it #winning

----

pathetic.

bigkahuna -> CheapBastard Mon, 02/19/2018 - 09:58

"Had to be a Russian mole with a computer stick. MSM, DNC and Muller say so."

They know exactly who it was with the memory stick, there is always video of one form or another either in the data center or near the premises that can indicate who it was. They either have a video of Seth Rich putting the stick into the server directly, or they at least have a video of his car entering and leaving the vicinity of the ex-filtration.

This would have been an open and shut case if shillary was not involved. Since it was involved, you can all chalk it up to the Clinton body count. I pray that it gets justice. It and the country, the world - needs justice.

StarGate -> CheapBastard Mon, 02/19/2018 - 11:23

Don't forget the "hack" analysis of Russian-owned "Crowdstrike", since the FBI did, and continues to, refuse to analyze the DNC computers.

KuriousKat -> CheapBastard Mon, 02/19/2018 - 13:26

Isn't Alperovitch the Only Russian in there?.. When you rule out the impossible...whatever remains probable.. probably is..

wildbad -> IntercoursetheEU Mon, 02/19/2018 - 03:05

Kim is great, Assange is great. Kim is playing a double game. He wants immunity from the US Gummint overreach that destroyed his company and made him a prisoner in NZ.

Good on ya Kim.

His name was Seth Rich...and he will reach out from the grave and bury Killary who murdered him.

NumberNone -> wildbad Mon, 02/19/2018 - 10:04

There are so many nuances to this and all are getting mentioned, but the one that also stands out is that in an age of demands for gun control by the Dems, Seth Rich is never, ever mentioned. He should be the poster child for gun control. Young man, draped in an American flag, helping democracy, gunned down...it writes itself.

They either are afraid of the possible racial issues should it turn out to be a black man killing a white man (but why should that matter in a gun control debate?) or they just don't want people looking at this case. I go for #2.

Socratic Dog -> Buckaroo Banzai Mon, 02/19/2018 - 12:09

Funny that George Webb can figure it out, but Trump, Leader of the Free World, is sitting there with his dick in his hand waiting for someone to save him.

Whatever he might turn out to be, this much is clear: Trump is a spineless weakling. He might be able to fuck starlets, but he hasn't got the balls to defend either himself or the Republic.

verumcuibono -> Buckaroo Banzai Mon, 02/19/2018 - 14:26

Webb's research is also...managed. But a lot of it was/is really good (don't follow it anymore) and I agree re: SR piece of it.

I think SR is such an interesting case. It's not really an anomaly because SO many Bush-CFR-related hits end the same way and his had typical signatures. But his also squeals of a job done w/out much prior planning because I think SR surprised everyone. If, in fact, that was when he was killed. Everything regarding the family's demeanor suggests no.

verumcuibono -> NumberNone Mon, 02/19/2018 - 12:41

MANY patterns in shootings: failure in law enforcement/intelligence who were notified of problem individuals ahead of time, ARs, mental health and SSRIs, and ongoing resistance to gun control in DC – these are NOT coincidences. Nor are distractions in MSM's version of events w/ controlled propaganda.

Children will stop being killed when America wakes the fuck up and starts asking the right questions, making the right demands. It's time.

KJWqonfo7 -> wildbad Mon, 02/19/2018 - 11:15

Kim is awesome to watch, I remember his old website of pics of him on yachts with hot girls and racing the Gumball Rally.

verumcuibono -> wildbad Mon, 02/19/2018 - 14:28

I don't think you know how these hackers have nearly ALL been intercepted by CIA--for decades now. DS has had backdoor access to just about all of them. I agree that Kim is great, brilliant and was sabotaged but he's also cooperating. Otherwise he'd be dead.

StarGate -> Billy the Poet Mon, 02/19/2018 - 11:48

Bes is either "disinfo plant" or energy draining pessimist. Result is the same - to deflate your power to create a new future.

Trump saw the goal of the Fed Reserve banksters decades ago and spoke often about it. Like Prez Kennedy he wants to return USA economy to silver or gold backed dollar then transition to new system away from the Black Magic fed reserve/ tax natl debt machine.

The Globalist Cabal has been working to destroy the US economy ever since they income tax April 15th Lincoln at the Ford theater. 125 years. But Bes claims because Trump cannot reverse 125 years of history in one year that it is kabuki.

Pessimism is its own reward.

[Feb 18, 2018] Both agencies were complicit in the most infamous assassinations and false flag episodes since the Kennedy/MLK Vietnam days. Don't forget Air America CIA drug running and Iran/Contra / October Surprise affairs.

Notable quotes:
"... The Dulles brothers, with Allen as head of Sullivan and Cromwell's CIA, were notorious facilitators for the international banksters and their subsidiary corporations which comprise the largest oil and military entities which have literally plainly stated in writing, need to occasionally "GALVANIZE" the American public through catastrophic and catalyzing events in order for Americans to be terrified into funding and fighting for those interlocked corporations in their quest to spread "FULL SPECTRUM DOMINANCE," throughout the globe. ..."
"... The book by Peter Dale Scott, "The American Deep State Wall Street, Big Oil And the Attack on American Democracy" covers in detail some of the points you mention in your reply. It is a fascinating book. ..."
Feb 18, 2018 | consortiumnews.com

Lee Anderson, February 17, 2018 at 4:32 pm

Your link to the Giraldi piece is appreciated, however, Giraldi starts off on a false premise: He claims that people generally liked and trusted the FBI and CIA up until or shortly after 9/11. Not so! Both agencies were complicit in the most infamous assassinations and false flag episodes since the Kennedy/MLK Vietnam days. Don't forget Air America CIA drug running and Iran/Contra / October Surprise affairs.

The Dulles brothers, with Allen as head of Sullivan and Cromwell's CIA, were notorious facilitators for the international banksters and their subsidiary corporations which comprise the largest oil and military entities which have literally plainly stated in writing, need to occasionally "GALVANIZE" the American public through catastrophic and catalyzing events in order for Americans to be terrified into funding and fighting for those interlocked corporations in their quest to spread "FULL SPECTRUM DOMINANCE," throughout the globe.

The political parties are theatre designed to fool the people into believing we are living in some sort of legitimate, representative system, when it's the same old plutocracy that manages to get elected because they've long figured out the art of polarizing people and capitalising on tribal alignments.

We should eliminate all government for a time so that people can begin to see that corporations really do and most always have run the country.

It's preposterous to think the stupid public is actually discussing saddling ourselves and future generations with gargantuan debt through a system designed and run by banksters!

It should be self-evident that a sovereign nation should maintain and forever hold the rights to develop a monetary/financial system that serves the needs of the people, not be indentured servants in a financial system that serves the insatiable greed of a handful of parasitic banksters and corporate tycoons!

Joe Tedesky, February 17, 2018 at 5:08 pm

You are so right; in fact Robert Parry made quite a journalistic career out of exposing the CIA for such things as drug running. I gave up on that agency a long time ago, after JFK was murdered, and I was only 13 then. Yeah, maybe Phil discounts the time while he worked for the CIA, but the CIA has many, many rooms in which plots are hatched, so the valiant truth teller Giraldi may be excused this one time for his lack of memory. I guess, right?

Good comment Lee. Joe

Annie, February 17, 2018 at 5:56 pm

Yes, but he's referring to the public's opinion of these agencies, and if they didn't continue to retain, even after 9/11, a significant popularity in the public's mind, how would we have so many Americans buying into Russia-gate? In my perception of things they only lost some ground after 9/11, but Americans notoriously have a short memory span.

Gregory Herr, February 17, 2018 at 6:42 pm

And films that are supposed to help Americans feel good about the aims and efficacy of the agencies like Zero Dark Thirty and Argo are in the popular imagination.

Skeptigal, February 17, 2018 at 7:19 pm

The book by Peter Dale Scott, "The American Deep State Wall Street, Big Oil And the Attack on American Democracy" covers in detail some of the points you mention in your reply. It is a fascinating book.

[Feb 16, 2018] Russians Spooked by Nukes-Against-Cyber-Attack Policy Consortiumnews

Feb 16, 2018 | consortiumnews.com

Russians Spooked by Nukes-Against-Cyber-Attack Policy February 16, 2018

New U.S. policy on nuclear retaliatory strikes for cyber-attacks is raising concerns, with Russia claiming that it's already been blamed for a false-flag cyber-attack – namely the election hacking allegations of 2016, explain Ray McGovern and William Binney.

By Ray McGovern and William Binney

Moscow is showing understandable concern over the lowering of the threshold for employing nuclear weapons to include retaliation for cyber-attacks, a change announced on Feb. 2 in the U.S. Nuclear Posture Review (NPR).

A nuclear test detonation carried out in Nevada on April 18, 1953.

Explaining the shift in U.S. doctrine on first-use, the NPR cites the efforts of potential adversaries "to design and use cyber weapons" and explains the change as a "hedge" against non-nuclear threats. In response, Russia described the move as an "attempt to shift onto others one's own responsibility" for the deteriorating security situation.

Moscow's concern goes beyond rhetoric. Cyber-attacks are notoriously difficult to trace to the actual perpetrator and can be pinned easily on others in what we call "false-flag" operations. These can be highly destabilizing – not only in the strategic context, but in the political arena as well.

Russian President Vladimir Putin has good reason to believe he has been the target of a false-flag attack of the political genre. We judged this to be the case a year and a half ago, and said so. Our judgment was fortified last summer – thanks to forensic evidence challenging accusations that the Russians hacked into the Democratic National Committee and provided emails to WikiLeaks. (Curiously, the FBI declined to do forensics, even though the "Russian hack" was being described as an "act of war.")

Our conclusions were based on work conducted over several months by highly experienced technical specialists, including another former NSA technical director (besides co-author Binney) and experts from outside the circle of intelligence analysts.

On August 9, 2017, investigative reporter Patrick Lawrence summed up our findings in The Nation. "They have all argued that the hack theory is wrong and that a locally executed leak is the far more likely explanation," he explained.

As we wrote in an open letter to Barack Obama dated January 17, three days before he left office, the NSA's programs are fully capable of capturing all electronic transfers of data. "We strongly suggest that you ask NSA for any evidence it may have indicating that the results of Russian hacking were given to WikiLeaks," our letter said. "If NSA cannot produce such evidence – and quickly – this would probably mean it does not have any."

A 'Dot' Pointing to a False Flag?

In his article, Lawrence included mention of one key, previously unknown "dot" revealed by WikiLeaks on March 31, 2017. When connected with other dots, it puts a huge dent in the dominant narrative about Russian hacking. Small wonder that the mainstream media immediately applied white-out to the offending dot.

Lawrence, however, let the dot out of the bag, so to speak: "The list of the CIA's cyber-tools WikiLeaks began to release in March and labeled Vault 7 includes one called Marble Framework that is capable of obfuscating the origin of documents in false-flag operations and leaving markings that point to whatever the CIA wants to point to."

If congressional oversight committees summon the courage to look into "Obfus-Gate" and Marble, they are likely to find this line of inquiry as lucrative as the Steele "dossier." In fact, they are likely to find the same dramatis personae playing leading roles in both productions.

Two Surprising Visits

Last October CIA Director Mike Pompeo invited one of us (Binney) into his office to discuss Russian hacking. Binney told Pompeo his analysts had lied and that he could prove it.

In retrospect, the Pompeo-Binney meeting appears to have been a shot across the bow of those cyber warriors in the CIA, FBI, and NSA with the means and incentive to adduce "just discovered" evidence of Russian hacking. That Pompeo could promptly invite Binney back to evaluate any such "evidence" would be seen as a strong deterrent to that kind of operation.

Pompeo's closeness to President Donald Trump is probably why the heads of Russia's three top intelligence agencies paid Pompeo an unprecedented visit in late January. We think it likely that the proximate cause was the strategic danger Moscow sees in the nuclear-hedge-against-cyber-attack provision of the Nuclear Posture Statement (a draft of which had been leaked a few weeks before).

If so, the discussion presumably focused on enhancing hot-line and other fail-safe arrangements to reduce the possibility of false-flag attacks in the strategic arena – by anyone – given the extremely high stakes.

Putin may have told his intelligence chiefs to pick up on President Donald Trump's suggestion, after the two met last July, to establish a U.S.-Russian cyber security unit. That proposal was widely ridiculed at the time. It may make good sense now.

Ray McGovern, a CIA analyst for 27 years, was chief of the Soviet Foreign Policy Branch and briefed the President's Daily Brief one-on-one from 1981-1985. William Binney worked for NSA for 36 years, retiring in 2001 as the technical director of world military and geopolitical analysis and reporting; he created many of the collection systems still used by NSA.


mike k, February 16, 2018 at 5:36 pm

Those Russians had a strange mission coming to CIA headquarters to try to negotiate with soulless mass murderers in the name of maintaining a precarious semblance of peace, knowing full well that these men's words and assurances were worth less than nothing. Ah well, I guess in a mad situation one is reduced to making desperate gestures, hoping against hope .

Mild-ly-Facetious, February 16, 2018 at 5:42 pm

FYI: Putin prefers Aramco to Trump's sword dance

Hardly 10 months after honoring the visiting US president, the Saudis are open to a Russian-Chinese consortium investing in the upcoming Aramco IPO

By M.K. BHADRAKUMAR
FEBRUARY 16, 2018

[extract]

In the slideshow that is Middle Eastern politics, the series of still images seldom add up to make an enduring narrative. And the probability is high that when an indelible image appears, it might go unnoticed – such as Russia and Saudi Arabia wrapping up huge energy deals on Wednesday underscoring a new narrative in regional and international security.

The ebb and flow of events in Syria – Turkey's campaign in Afrin and its threat to administer an "Ottoman slap" to the United States, and the shooting down of an Israeli F-16 jet – hogged the attention. But something of far greater importance was unfolding in Riyadh, as Saudi and Russian officials met to seal major deals marking a historic challenge to the US dominance in the Persian Gulf region.

The big news is the Russian offer to the Saudi authorities to invest directly in the upcoming Aramco initial public offering – and the Saudis acknowledging the offer. Even bigger news, surely, is that Moscow is putting together a Russian-Chinese consortium of joint investment funds plus several major Russian banks to be part of the Aramco IPO.

Chinese state oil companies were interested in becoming cornerstone investors in the IPO, but the participation of a Russia-China joint investment fund takes matters to an entirely different realm. Clearly, the Chinese side is willing to hand over tens of billions of dollars.

Yet the Aramco IPO was a prime motive for US President Donald Trump to choose Saudi Arabia for his first foreign trip. The Saudi hosts extended the ultimate honor to Trump – a ceremonial sword dance outside the Murabba Palace in Riyadh. Hardly 10 months later, they are open to a Russian-Chinese consortium investing in the Aramco IPO.

Riyadh plans to sell 5% of Saudi Aramco in what is billed as the largest IPO in world history. In the Saudi estimation, Aramco is worth US$2 trillion; a 5% stake sale could fetch as much as $100 billion. The IPO is a crucial segment of Vision 2030, Saudi Crown Prince Mohammad bin Salman's ambitious plan to diversify the kingdom's economy.

MORE: http://www.atimes.com/article/putin-prefers-aramco-trumps-sword-dance/

Anna, February 16, 2018 at 6:46 pm

"Last October CIA Director Mike Pompeo invited one of us (Binney) into his office to discuss Russian hacking. Binney told Pompeo his analysts had lied and that he could prove it."

That was about some Dm. Alperovitch of CrowdStrike fame, who had discovered the "hacking" in 10 sec. Guess Alperovitch, as an "expert" at the viciously Russophobic Atlantic Council (funded by the State Dept., NATO, and a set of unsavory characters like Ukrainian oligarch Pinchuk), decided to show his "understanding" of the task. The shy FBI did not even attempt to look at the Clinton's server because the bosses "knew better."

Alperovitch must be investigated for anti-American activities; the scoundrel has been sowing discord into the US society with his lies while endangering the US citizenry.

[Feb 16, 2018] Mueller Indicts 13 Russians For Interfering In US Election

False flag or real?
Is not "included supporting the presidential campaign of then-candidate Donald J. Trump ("Trump Campaign") and disparaging Hillary Clinton." (or vice versa) by posting on social media an example of free speech?
But usage of fake identities clearly is not: "The Russians tracked the metrics of their effort in reports and budgeted for their efforts. Some, as described below, traveled to the U.S. to gather intelligence for the surreptitious campaign. They used stolen U.S. identities, including fake driver's licenses, and contacted news media outlets to promote their activities."
The question is how those unquestionably very talented Russians managed to learn the English language without living in the USA and to operate such a sophisticated operation from overseas. English is a very difficult language for Russians to master, and Russian immigrants who came to the USA older than 16 and have lived in the USA for ten or twenty years typically still have a horrible accent and bad or very bad grammar (tenses, "a" and "the" usage, you name it). Actually, Russian women are noticeably better than men in this area, especially if they are married to a US spouse. Add to this a dismal understanding of US politics, including the differences between the Democratic and Republican parties (you probably need to live in the USA for ten years to start appreciating those differences ;-). How did they manage to learn the local political culture well enough to be effective? That's a strong argument in favor of a false flag operation: if they had puppeteers in the USA, everything is more or less rationally explainable.
Notable quotes:
"... It gets better: the defendants reportedly worked day and night shifts to pump out messages, controlling pages targeting a range of issues, including immigration, Black Lives Matter, and they amassed hundreds of thousands of followers. They set up and used servers inside the U.S. to mask the Russian origin of the accounts. ..."
"... The Russian organization named in the indictment - the Internet Research Agency - and the defendants began working in 2014 - so one year before the Trump candidacy was even announced - to interfere in U.S. elections, according to the indictment in Washington. They used false personas and social media while also staging political rallies and communicating with "unwitting individuals" associated with the Trump campaign, it said. ..."
"... The Russians tracked the metrics of their effort in reports and budgeted for their efforts. Some, as described below, traveled to the U.S. to gather intelligence for the surreptitious campaign. They used stolen U.S. identities, including fake driver's licenses, and contacted news media outlets to promote their activities. ..."
"... Defendant ORGANIZATION had a strategic goal to sow discord in the U.S. political system, including the 2016 U.S. presidential election. Defendants posted derogatory information about a number of candidates, and by early to mid-2016, Defendants' operations included supporting the presidential campaign of then-candidate Donald J. Trump ("Trump Campaign") and disparaging Hillary Clinton . ..."
"... Defendants, posing as U.S. persons and creating false U.S. personas, operated social media pages and groups designed to attract U.S. audiences. These groups and pages, which addressed divisive U.S. political and social issues, falsely claimed to be controlled by U.S. activists when, in fact, they were controlled by Defendants. Defendants also used the stolen identities of real U.S. persons to post on ORGANIZATION-controlled social media accounts. Over time, these social media accounts became Defendants' means to reach significant numbers of Americans for purposes of interfering with the U.S. political system, including the presidential election of 2016 ..."
"... Sixteen thousand Facebook users said that they planned to attend a Trump protest on Nov. 12, 2016, organized by the Facebook page for BlackMattersUS, a Russian-linked group that sought to capitalize on racial tensions between black and white Americans. The event was shared with 61,000 users. ..."
"... As many as 5,000 to 10,000 protesters actually convened at Manhattan's Union Square. They then marched to Trump Tower, according to media reports at the time . ..."
"... 13 Russians can influence US elections meanwhile US CIA and State Department spend $1 BIllion every year on opposition groups inside Russia without success. ..."
"... Indict AIPAC. That is the real foreign interference in ALL US elections. Such hypocrisy. At the very least, make them register as a foreign operation! Information warfare using social media ? What, you mean like the Israeli students who are paid to shape public opinion thru social media? This is no secret and has been in the news. I fail to find the difference? Psychologists call this projection, that is where you accuse others of the crimes you commit . ..."
"... It looks like Mueller would have these people for identity theft if he had them in the US, which he probably doesn't. ..."
"... Deep state pivot to keep the Russian hate alive. ..."
"... Fucking hilarious - Mueller has indicted an anti-Russian CIA operation that was run out of St. Petersburg. http://thesaker.is/a-brief-history-of-the-kremlin-trolls/ ..."
"... The bigger question is "when is Mueller going to be indicted for covering up the controlled demolition of the WTC buildings on nine eleven??" ..."
Feb 16, 2018 | www.zerohedge.com

Mueller charges "defendants knowingly and intentionally conspired with each other (and with persons known and unknown to the Grand Jury) to defraud the United States by impairing, obstructing, and defeating the lawful functions of the government through fraud and deceit for the purpose of interfering with the U.S. political and electoral processes, including the presidential election of 2016."

The indictment adds that the Russians "were instructed to post content that focused on 'politics in the USA' and to 'use any opportunity to criticize Hillary and the rest (except Sanders and Trump -- we support them)'."

It gets better: the defendants reportedly worked day and night shifts to pump out messages, controlling pages targeting a range of issues, including immigration, Black Lives Matter, and they amassed hundreds of thousands of followers. They set up and used servers inside the U.S. to mask the Russian origin of the accounts.

Ultimately, and this is the punchline, the goal was to disparage Hillary Clinton and to assist the election of Donald Trump.

In other words, anyone who was disparaging Clinton, may have "unwittingly" been a collaborator of the 13 Russian "specialists" who cost Hillary the election.

The Russian organization named in the indictment - the Internet Research Agency - and the defendants began working in 2014 - so one year before the Trump candidacy was even announced - to interfere in U.S. elections, according to the indictment in Washington. They used false personas and social media while also staging political rallies and communicating with "unwitting individuals" associated with the Trump campaign, it said.

The Russians "had a strategic goal to sow discord in the U.S. political system," according to the indictment in Washington.

The Russians also reportedly bought advertisements on U.S. social media, created numerous Twitter accounts designed to appear as if they were U.S. groups or people, according to the indictment. One fake account, @TEN_GOP account, attracted more than 100,000 online followers.

The Russians tracked the metrics of their effort in reports and budgeted for their efforts. Some, as described below, traveled to the U.S. to gather intelligence for the surreptitious campaign. They used stolen U.S. identities, including fake driver's licenses, and contacted news media outlets to promote their activities.

The full list of named defendants in addition to the Internet Research Agency, as well as Concord Management and Consulting and Concord Catering, include:

Mueller's office said that none of the defendants was in custody.

So how is Trump involved? Well, he isn't, as it now seems that the collusion narrative is dead, and instead Russian involvement was unilateral. According to the indictment, the Russian operations were unsolicited and pro bono, and included "supporting Trump... and disparaging Hillary Clinton," staging political rallies, and buying political advertising while posing as grassroots U.S. groups. Oh, and communicating "with unwitting individuals associated with the Trump Campaign and with other political activists to seek to coordinate political activities."

Defendant ORGANIZATION had a strategic goal to sow discord in the U.S. political system, including the 2016 U.S. presidential election. Defendants posted derogatory information about a number of candidates, and by early to mid-2016, Defendants' operations included supporting the presidential campaign of then-candidate Donald J. Trump ("Trump Campaign") and disparaging Hillary Clinton .

Defendants made various expenditures to carry out those activities, including buying political advertisements on social media in the names of U.S. persons and entities. Defendants also staged political rallies inside the United States, and while posing as U.S. grassroots entities and U.S. persons, and without revealing their Russian identities and ORGANIZATION affiliation, solicited and compensated real U.S. persons to promote or disparage candidates. Some Defendants, posing as U.S. persons and without revealing their Russian association, communicated with unwitting individuals associated with the Trump Campaign and with other political activists to seek to coordinate political activities.

Furthermore, the dastardly Russians created fake accounts to pretend they are Americans:

Defendants, posing as U.S. persons and creating false U.S. personas, operated social media pages and groups designed to attract U.S. audiences. These groups and pages, which addressed divisive U.S. political and social issues, falsely claimed to be controlled by U.S. activists when, in fact, they were controlled by Defendants. Defendants also used the stolen identities of real U.S. persons to post on ORGANIZATION-controlled social media accounts. Over time, these social media accounts became Defendants' means to reach significant numbers of Americans for purposes of interfering with the U.S. political system, including the presidential election of 2016

Mueller also alleges a combination of traditional and modern espionage...

Certain Defendants traveled to the United States under false pretenses for the purpose of collecting intelligence to inform Defendants' operations. Defendants also procured and used computer infrastructure, based partly in the United States, to hide the Russian origin of their activities and to avoid detection by U.S. regulators and law enforcement.

Mueller also charges that two of the defendants received US visas and from approximately June 4, 2014 through June 26, 2014, KRYLOVA and BOGACHEVA "traveled in and around the United States, including stops in Nevada, California, New Mexico, Colorado, Illinois, Michigan, Louisiana, Texas, and New York to gather intelligence. After the trip, KRYLOVA and BURCHIK exchanged an intelligence report regarding the trip."

* * *

The indictment points to a broader conspiracy beyond the pages of the indictment, saying the grand jury has heard about other people with whom the Russians allegedly conspired in their efforts.


Joe Davola -> Pandelis Fri, 02/16/2018 - 13:02 Permalink

Concord Catering - what, were they offering chicken wings and pigs ears at the polling places?

Never One Roach -> Joe Davola Fri, 02/16/2018 - 13:03 Permalink

So how often does Mueller hear those demon voices in his head?

Billy the Poet -> Never One Roach Fri, 02/16/2018 - 13:05 Permalink

I wonder if any of these Russians were behind the anti-Trump rallies of November 2016? Thousands attended protest organized by Russians on Facebook.

Thousands of Americans attended a march last November organized by a Russian group that used social media to interfere in the 2016 election.

The demonstration in New York City, which took place a few days after the election, appears to be the largest and most successful known effort to date pulled off by Russian-linked groups intent on using social media platforms to influence American politics.

Sixteen thousand Facebook users said that they planned to attend a Trump protest on Nov. 12, 2016, organized by the Facebook page for BlackMattersUS, a Russian-linked group that sought to capitalize on racial tensions between black and white Americans. The event was shared with 61,000 users.

As many as 5,000 to 10,000 protesters actually convened at Manhattan's Union Square. They then marched to Trump Tower, according to media reports at the time .

The BlackMattersUS-organized rally took advantage of outrage among groups on the left following President Trump's victory on Nov. 8 to galvanize support for its event. The group's protest was the fourth consecutive anti-Trump rally in New York following election night, and one of many across the country.

"Join us in the streets! Stop Trump and his bigoted agenda!" reads the Facebook event page for the rally. "Divided is the reason we just fell. We must unite despite our differences to stop HATE from ruling the land."

http://thehill.com/policy/technology/358025-thousands-attended-protest-

Belrev -> Billy the Poet Fri, 02/16/2018 - 13:07 Permalink

13 Russians can influence US elections meanwhile US CIA and State Department spend $1 BIllion every year on opposition groups inside Russia without success.

SamAdams -> Belrev Fri, 02/16/2018 - 13:08 Permalink

Indict AIPAC. That is the real foreign interference in ALL US elections. Such hypocrisy. At the very least, make them register as a foreign operation! Information warfare using social media ? What, you mean like the Israeli students who are paid to shape public opinion thru social media? This is no secret and has been in the news. I fail to find the difference? Psychologists call this projection, that is where you accuse others of the crimes you commit .

Belrev -> SamAdams Fri, 02/16/2018 - 13:10 Permalink

That is a regime change in DC proposition.

IH8OBAMA -> Belrev Fri, 02/16/2018 - 13:21 Permalink

If Mueller is going outside the Trump organization to indict Russians, when is he going to indict some equally criminal Democraps?

I also see that one of the 13 Russians was Valdimir. ( VLADIMIR VENKOV ) LOL

Shillinlikeavillan -> IH8OBAMA Fri, 02/16/2018 - 13:24 Permalink

Soooooooo...

They basically indicted the $100,000 facebook ad russian group... Bravo! Ur really on the path to impeaching trump now!
LULZ!

overbet -> Shillinlikeavillan Fri, 02/16/2018 - 13:34 Permalink

Boy Hillary sure didn't get her money's worth. She shoulda hired these people.

Is it ok for MSM to make all of their disparaging commentary, but not ok for people to do the same? Mueller must've forgot about the craigslist ads hiring protesters to attack Trump rallies. What a fucking clown show.

I guess that's it. Mueller gets his indictments to save face and Trump is pleased it's over.

El Vaquero -> overbet Fri, 02/16/2018 - 13:44 Permalink

This ties directly into the October 31, 2017 testimony from Facebook, Twitter and Google regarding Russian media presence on social media. Mueller is grasping here, and given that it talks about visas granted for short visits, I'm led to believe that most of these people are actually not on US soil to be arrested. This means political grandstanding via an indictment that is never going to see a courtroom where the evidence can be examined and witnesses can be cross examined. It looks like Mueller would have these people for identity theft if he had them in the US, which he probably doesn't.

I'm going to get called a Russian bot over this elsewhere. Well, maybe facetiously here. #WeAreAllRussianBotsNow

spanish inquisition -> El Vaquero Fri, 02/16/2018 - 13:56 Permalink

Deep state pivot to keep the Russian hate alive.

FoggyWorld -> spanish inquisition Fri, 02/16/2018 - 13:59 Permalink

And set us up for war.

Shemp 4 Victory -> FoggyWorld Fri, 02/16/2018 - 14:10 Permalink

Fucking hilarious - Mueller has indicted an anti-Russian CIA operation that was run out of St. Petersburg. http://thesaker.is/a-brief-history-of-the-kremlin-trolls/

pods -> Shemp 4 Victory Fri, 02/16/2018 - 14:22 Permalink

Wow, I am going to have to keep the radio off for a couple of days. They are going to be wall to wall on this. Maybe even bump the stories where fakely sympathetic reporter cunts (FSRC) ask mother's if they miss their dead kids.

This is a fucking clownshow anymore. Jesus, THIS is what the investigation brought home? Holy fuckshit, this is a joke. Some guy had 100k followers? Really? Like anyone GAF about that? We have AIPAC making candidates kneel before them and yet some guys on Tweeter fucked around. I think that is even bullshit. If Russians really did that, they wouldn't "work in shifts" they would program some fucking bots to do this.

I can just imagine the fake outrage that that worthless kike from NY Chuckie "don't get between me and a camera" Schumer has to say about this.

This is a Matrix alright, and a cheap ass one at that.

Mueller should be taken out and horsewhipped for bringing this shit home.

Hey Mueller, I read a comment on Yahoo news that was in broken English. Go get um!

pods

stizazz -> pods Fri, 02/16/2018 - 14:30 Permalink

They HATE Russia because PUTIN OPENLY derided the American Empire.

BennyBoy -> pods Fri, 02/16/2018 - 14:38 Permalink

The Russians duped me.

I was gonna vote for Hillary then I read tweets where she bullied the woman her husband raped to keep quiet. And how her foundation got hundreds of $millions from countries with business before her at the state dept. ALEKSANDRA YURYEVNA KRYLOVA misled me.

BennyBoy -> BennyBoy Fri, 02/16/2018 - 14:42 Permalink

It's probably nothing....

CHINESE STATE-OWNED CHEMICAL FIRM JOINS DARK MONEY GROUP POURING CASH INTO U.S. ELECTIONS

Lee Fang February 15 2018, 10:10 a.m.

WANHUA CHEMICAL, A $10 billion chemical company controlled by the Chinese government, now has an avenue to influence American elections.

On Monday, Wanhua joined the American Chemistry Council, a lobby organization for chemical manufacturers that is unusually aggressive in intervening in U.S. politics.

The ACC is a prominent recipient of so-called dark money -- that is, unlimited amounts of cash from corporations or individuals the origins of which are only disclosed to the IRS, not the public. During the 2012 , 2014 , and 2016 election cycles, the ACC took this dark money and spent over $40 million of it on contributions to super PACs, lobbying, and direct expenditures. (Additional money flowed directly to candidates via the ACC's political action committee.).....

https://theintercept.com/2018/02/15/chinese-state-owned-chemical-firm-j

ThanksChump -> BennyBoy Fri, 02/16/2018 - 14:50 Permalink

Duped by facts and truth is no way to go through life, son.

JimmyJones -> ThanksChump Fri, 02/16/2018 - 15:59 Permalink

Obama, "I can do more after I'm reelected" to Putin caught on a hot mic.

I always knew Hillary was as pure as the first winter's snow.

Theosebes Goodfellow -> pods Fri, 02/16/2018 - 14:42 Permalink

~" In other words, anyone who was disparaging Clinton, may have "unwittingly" been a collaborator of the 13 Russian "specialists" who cost Hillary the election. "~

Wait, does this mean that "disparaging Hillary" was just for the witless? I've been doing that for years, (without any Russian influence at all), and have found it to be rather witty virtually all the time.

Can we NOW get to the point where we appoint a special prosecutor to investigate Hillary?

rwe2late -> Theosebes Goodfellow Fri, 02/16/2018 - 15:09 Permalink

not yet ...

any of us who spread "fake news" are now "conspirators" who gave "support" to foreign agents with the goal of undermining the "democratic process" by denying Hillary the presidency.

tsk, tsk.

ignorance can be no excuse for such wanton lawlessness.

rwe2late -> rwe2late Fri, 02/16/2018 - 15:36 Permalink

oh, oh

I almost forgot. "conspirators" were blatantly "sowing discord" obvious "proof" of "cooperating" with the Russians

Boxed Merlot -> rwe2late Fri, 02/16/2018 - 15:46 Permalink

..."conspirators" were blatantly "sowing discord"...

Yep, so on top of being "Deplorable", I'm also without wit.

His name was Seth.

Squid Viscous -> pods Fri, 02/16/2018 - 14:57 Permalink

well said pods, i wish i could upvote you like, 13 times

Machbet -> pods Fri, 02/16/2018 - 15:32 Permalink

Well said, my brother. "A fucking clownshow..." A clownshow run by juvenile, idiotic fallen angels.

sixsigma cygnu -> spanish inquisition Fri, 02/16/2018 - 14:01 Permalink

I'm just relieved they didn't get Boris. Not this time.

Telling people the truth makes one a very desirable target.

BigCumulusClouds -> sixsigma cygnu Fri, 02/16/2018 - 14:06 Permalink

The bigger question is "when is Mueller going to be indicted for covering up the controlled demolition of the WTC buildings on nine eleven??"

eatthebanksters -> spanish inquisition Fri, 02/16/2018 - 14:10 Permalink

So this is all they have?

Bubba Rum Das -> Citizen in 1984 Fri, 02/16/2018 - 16:08 Permalink

Yes, Mueller is a clown show, but he came up w/ this crap in an attempt to divert media attention away from his & McCabe's direct involvement in trying to cover up Uranium 1 for Hillary...The Truth!

Boxed Merlot -> eatthebanksters Fri, 02/16/2018 - 15:48 Permalink

...all they have?...

Sure hope they weren't bettin' the farm.

jmo.

DosZap -> El Vaquero Fri, 02/16/2018 - 15:05 Permalink

He has to INDICT someone, since he can't get Trump except on adultery (the only thing NOT under his purview).

I see a distant MELANIA in his near future.

eclectic syncretist -> DosZap Fri, 02/16/2018 - 15:43 Permalink

The FBI going DEEP (#sarc) into its playbook for this one.

Simultaneously distracting from their incompetencies with regards to domestic threats (school shooters/government collusion to subvert presidential election), and exonerating Hillary AGAIN.

"Using lies and deception to cover our lies and deceptions, so that we can enslave the populace to our will" (visualize Mueller/Comey/Strzok/Page/Ohr/Rosenstein/Obama/Rice/ with left hands on Satanic Bible and right arms extended giving oath in Temple of Mammon before upside down American flag).

ebear -> El Vaquero Fri, 02/16/2018 - 15:17 Permalink

"#WeAreAllRussianBotsNow"

Ich bin ein Russe!

agNau -> overbet Fri, 02/16/2018 - 13:59 Permalink

Hillary hired the entire Russian government with the Uranium one deal.

BigCumulusClouds -> overbet Fri, 02/16/2018 - 14:04 Permalink

Protestors?? HRC hired thugs who beat people up at Trump rallies. That's a felony. Some people got hurt real bad.

IH8OBAMA -> Shillinlikeavillan Fri, 02/16/2018 - 13:37 Permalink

I wonder if Mueller is going to indict Obama for interfering in the Israeli election?

giovanni_f -> IH8OBAMA Fri, 02/16/2018 - 13:56 Permalink

1. CNN can now say Russian interference is a "proven fact".

2. "13 individuals" and "3 companies" - this is a casus belli even for the most pacifist peaceniks on ZH

3. US can now continue to meddle in Russian elections as they did since 1919 pointing to the existential threat those 13 individuals posed.

rwe2late -> giovanni_f Fri, 02/16/2018 - 15:46 Permalink

worse than 3. meddling in Russian elections,

anyone who objects to US military and economic aggression,

will be further branded/dismissed (prosecuted?)

as a "proven dupe" of Russia/Putin.

caconhma -> IH8OBAMA Fri, 02/16/2018 - 14:08 Permalink

The US Constitution. RIP

The DoJ and Miller activities are anti-American. What else is new in occupied America?

PS

Note Trump does nothing about this unprecedented assault on Freedom of Speech and Assembly in the USA. Therefore, Trump is a willing player in these criminal activities.

commiebastid -> IH8OBAMA Fri, 02/16/2018 - 14:21 Permalink

and Brexit and the French election and Venezuela election and The Ukraine; Libya; Palestinian Territories..... lmao

DownWithYogaPants -> Shillinlikeavillan Fri, 02/16/2018 - 13:44 Permalink

Ohhh fake social accounts.........the horror!

( If I had known they were the equivalent of Harry Potter's magic wand I would have opened a few long ago! )

Seems like Mr Mueller is in face saving mode.

What is Rod Rosenstein doing still at the FBI. He should be in prison.

MEFOBILLS -> Shillinlikeavillan Fri, 02/16/2018 - 14:50 Permalink

Mueller is going to go until he gets some meat. Maybe this lean and stringy meat is enough to satisfy. Of course, nobody will look at AIPAC and all of the foreign influence money funneling into senators coffers.

Endgame Napoleon -> carni Fri, 02/16/2018 - 14:26 Permalink

He said they stole identities, posting anti-Hillary remarks on Russian-controlled sites, using the stolen identities. They must do that through hacking, which is illegal.

They also organized rallies, he said. There were ads on job sites, advertising for paid [leftist] protestors, long before Trump emerged as a candidate. People posted them on American sites. Some attribute it to Soros. I am a little skeptical that Soros controls the world, anymore than Russians, but that is what people often believe, when it is leftist ads.

Advertisements are all over the Internet. Is that illegal? He called it fraud, referring to the misrepresentation of identity, I guess. They should not be manipulating unknowing people.

But, I wonder if he has the same vigilance when illegal aliens use fake SS cards to acquire jobs, while their girlfriends use real SS cards of US-born kids to get $450 on average in EBT food assistance, in addition to other welfare, making it easy for illegal aliens to undercut American citizens in jobs. Using a fake SS number -- i.e. posing as an American to get a job -- is fraud.

As long as the illegal aliens have sex after illegal border crossings, reproduce and say they misrepresent their identities for the good of their kids, this is legal and deserving of pay-per-birth welfare / child-tax-credit freebies and citizenship, whereas these Russians are committing fraud.

They should not be doing that in either case, but the double standard is interesting.

And if people cannot post freely on the internet without revealing their real names, a lot of internet activity (and a lot of related commerce) will cease. Many people post anonymously, often due to jobs or other factors that have nothing to do with elections.

In fact, FBI agents post under identities (personas) that are not their own. There are many articles, describing how police agencies use fake identities on the internet to track down criminals, including those who abuse children. They do the same thing to monitor terrorists; they use fake identities.

[Feb 16, 2018] Where are these indictments ? Obama, Hillary Clinton, Victoria Nuland, Geoffrey Pyatt and John McCain.

Feb 16, 2018 | www.zerohedge.com


Mike Masr Fri, 02/16/2018 - 15:41 Permalink

Where are these indictments ? Obama, Hillary Clinton, Victoria Nuland, Geoffrey Pyatt and John McCain.

The US has been meddling and interfering in other countries elections and internal affairs for decades. Not only does the US meddle and interfere in other countries elections it overthrows democratically elected governments it simply doesn't like, and then installs its own puppet leaders. Our deep-state MIC owned neocons casually refer to this as "regime change".

I can only imagine the hell that would break loose if Russia fomented, paid for, and assisted in a violent overthrow of the legitimately and democratically elected government in Mexico. Imagine Russian spymasters working from the Russian Embassy in Mexico City training radicals how to use social media to bring out angry people and foment violent public unrest. Then Russian Duma members in Mexico City handing out tacos and tamales emboldening and urging these angry people to riot, and overthrow the government and toss the bums out. Then Putin's executive group hand picking all the new (anti-USA) drug cartel junta puppet leaders and an old senile Russian senator in Mexico City stating at a podium on RT, there are no drug cartels here, that's all propaganda!

On the other side of the world Obama's neocon warmongers spent billions doing exactly this. Instead of drug cartels it was Banderist Neo-Nazis. Obama and our neocons, including John McCain intentionally caused all of this fucking mess, civil war and horrific death in Ukraine on Russia's border and then placed the blame on Putin and Russia.

Thanks to John McCain and our evil fucking neocons - the regime change policy implemented by Obama, Clinton and Nuland's minions, like Geoffrey Pyatt, the Ukraine today is totally fucked. It is now a corrupt banana republic embroiled in a bloody civil war. For the US and NATO the golden prize of this violent undemocratic regime change was supposed to be the Crimea. This scheme did not play out as intended. No matter what sanctions the warmongering neocons place on Russia they will NEVER give back the Crimea!

Our neocon fuck heads spent billions of our hard earned taxpayer dollars to create pain, suffering, death and a civil war in Ukraine on the border with Russia.

This is a case of don't do what we do, only do what we tell you to do. It's perfectly okay when we meddle. We don't like it when we think it may have been done to us. It's hypocrisy and duplicity at its finest!

Tech Camp NGO - operating out of US Embassy in Kiev

(using social media to help bring out radicals-and cause civil war-pre Maidan 2013)

https://www.youtube.com/watch?v=y9hOl8TuBUM

Nuland talks about $5 billion spent on Ukraine

https://www.youtube.com/watch?v=eaR1_an9CnQ

Nuland plotting(on intercepted phone call) the new handpicked puppet leaders.

https://www.youtube.com/watch?v=CL_GShyGv3o

US Support of Banderist Neo-Nazis in Ukraine 2014

https://www.youtube.com/watch?v=8-RyOaFwcEw

Lavrov reminds the UN a West-inspired coup d'état started Ukraine crisis, not Russia

https://www.rt.com/op-edge/404247-un-lavrov-ukraine-sanctions/

[Feb 16, 2018] What is the definition of a fake social media account? What is the crime for operating a fake social media account? Is this the standard by which we will all be judged?

Feb 16, 2018 | www.zerohedge.com

Genby Fri, 02/16/2018 - 14:51 Permalink

Mueller effectively called himself an idiot and degenerate.

13 people won against the whole apparatus of FBI (including Mueller). That makes FBI a herd of idiots and degenerates (including Mueller).

SirBarksAlot -> rgraf Fri, 02/16/2018 - 16:44 Permalink

What crime?

Impersonating an American?

Practicing freedom of speech?

Trying to influence an election?

I don't see any crimes.

Joiningupthedots Fri, 02/16/2018 - 14:31 Permalink

When does Mueller get charged?

He is part of the fabric of the Clinton Gang along with Comey and others.

How many people have posted derogatory comments about Clinton on ZH alone.

This sounds like when they ludicrously charged an entire unit of the Chinese PLA.

FringeImaginigs Fri, 02/16/2018 - 14:31 Permalink

Agreed, it's against the law to steal identities and operate bank accounts and all that. But really, compared to the fraud committed by just one bank - Wells Fargo - this is small potatoes. And did I miss it or did the indictment not even mention the value of the ads bought on Facebook - $100,000. (nope, not missing any zeros). And it all started in 2014 while Donald was playing golf and sticking his dick in some whore. And a few ruskies got into the good ol USofA with false statements on their visas. While the courts fought Trump on the fact that immigration from a few countries needed to be stopped because there was no way of checking data. I get it - somebody driving too fast gets a speeding ticket, and Mueller's investigation gets to issue an indictment. I'm sure we all feel better now.

Lostinfortwalton Fri, 02/16/2018 - 14:32 Permalink

So, did Mueller address the crime committed by the then FBI head who refused to allow a FBI informant to address Congress on the Uranium One scam before it was authorized? Uh, that would be Mueller, his very self, so the answer is no.

soyungato Fri, 02/16/2018 - 14:33 Permalink

Bob honey, the people are laughing.

But but but those Russians, they call me names.

Grandad Grumps Fri, 02/16/2018 - 14:35 Permalink

What is the definition of a "fake social media account"? What is the crime for operating a fake social media account? Is this the standard by which we will all be judged?

Or is it that Mueller has NOTHING and is too big of a corrupt idiot to admit it.

Rick Cerone Fri, 02/16/2018 - 14:36 Permalink

Putin should define what a NGO is.

He should tell the world how the US uses NGO's to destabilize elections.

He won't do it because he's digging tunnels for the big day.

BigPunny Fri, 02/16/2018 - 14:36 Permalink

"In other words, anyone who was disparaging Clinton, may have "unwittingly" been a collaborator of the 13 Russian "specialists" who cost Hillary the election. "

No, not "in other words." That's not what he said at all. Idiot propagandist.

devnickle Fri, 02/16/2018 - 14:36 Permalink

And Hillary has done nothing criminal in the last 40 years. All of the evidence has been a fabrication. The Russians perfected time travel technology in the 70's, and have been conspiring against her and planting evidence since then.

What planet am I living on again? We have now stepped into the twilight zone. Facepalm.....

moneybots Fri, 02/16/2018 - 14:55 Permalink

"Ultimately, and this is the punchline, the goal was to disparage Hillary Clinton and to assist the election of Donald Trump."

The goal of the MSM was the opposite. To unfairly disparage Trump and assist the election of Hillary Clinton. So why no indictments of members of the American MSM?

Montana Cowboy Fri, 02/16/2018 - 15:03 Permalink

What a bunch of horseshit. Mueller did nothing to locate just as much foreign or Russian support for Hillary. Grand Jury is just another one-sided court that passes judgment without any input from the other side. Now where have we seen that before? FISA.

What is wrong with anyone doing what they want to support a candidate? If that is somehow illegal interference, why is Soros running loose in the world?

I have a friend that was a US Federal Prosecutor. He once told me that the most un-American concepts that exist are grand juries and conspiracy laws. I'm sure he would have included FISA if it existed then.

dot_bust Fri, 02/16/2018 - 15:03 Permalink

The indictment adds that the Russians " were instructed to post content that focused on 'politics in the USA' and to 'use any opportunity to criticize Hillary and the rest (except Sanders and Trump -- we support them)' ."

Criticizing Hillary Clinton constitutes election interference? This is the dumbest thing I've ever heard.

Over half the United States said she was corrupt and morally bankrupt. Does that mean all those Americans interfered in the election?

Son of Captain Nemo Fri, 02/16/2018 - 15:04 Permalink

"Some Defendants, posing as U.S. persons and without revealing their Russian association, communicated with unwitting individuals associated with the Trump Campaign and with other political activists to seek to coordinate political activities."

I thought this was our "shtick" for subverting and overthrowing government(s) since 194_?... Fast forward to 2012 and subverting sovereign foreign government(s) using other means than election(s) ( https://jasirx.wordpress.com/ )

Just ask this person ( https://www.youtube.com/watch?v=CL_GShyGv3o ) who handed out cookies before starting an "overthrow of a sovereign government" right before a Winter Olympics?... And while we're on the subject of subversion of sovereign Nation(s) "OCONUS" ask this fat shit how it's going in the Middle East with its "partners" ( https://southfront.org/meeting-between-us-state-secretary-and-lebanese- ) Nor should we forget 22 within the Russian diplomatic community in the last 6 years "eliminated" for early retirement courtesy of the U.S. government...

And if all this is true why isn't Mueller indicting government officials within the FBI, Department of Immigration and Homeland Security that would allow "some defendants" to impersonate Americans after 9/11 and the security infrastructure we built around U.S. to prevent "future attacks" that were obviously (here illegally)???...

On second thought DON'T ANSWER THAT!!!

atabrigade Fri, 02/16/2018 - 15:05 Permalink

Our enemies are not overseas. They are right here at home.

Son of Captain Nemo -> atabrigade Fri, 02/16/2018 - 15:13 Permalink

That did this ( http://www.ae911truth.org/ ) to their own to grab oil everyplace else they didn't control it!

Concertedmaniac Fri, 02/16/2018 - 15:08 Permalink

What a complete load of horseshit. Waste of time and money while the crimes of the clintons and collaborators remain unpunished, including Mueller himself.

wobblie Fri, 02/16/2018 - 15:08 Permalink

"Mueller describes a sweeping, years-long, multimillion-dollar conspiracy by hundreds of Russians aimed at criticizing Hillary Clinton and supporting Senator Bernie Sanders and Trump"

Only in the idiot world of Liberalism and Conservatism is this not a laughable statement.

Stupid fucks.

https://therulingclassobserver.com/

Obamaroid Ointment Fri, 02/16/2018 - 15:10 Permalink

13 Russian bots to get life sentences in Twitter jail? Is a prisoner exchange with Putin for American bots a possibility?

[Dec 28, 2017] How CrowdStrike placed malware in DNC hacked servers by Alex Christoforou

Highly recommended!
If this is true, then this is definitely a sophisticated false flag operation. Was the malware that Alperovich's people injected specifically designed to implicate Russians? In other words, Crowdstrike = Fancy Bear.
Images removed. For full content please see the original source.
One interesting corollary of this analysis is that installing Crowdstrike software is like inviting a wolf to guard your chickens. If they are that dishonest, you take enormous risks. The same might be true for some other heavily advertised "intrusion prevention" toolkits. In that light, the criminals who use mistyped popular addresses or buy Google search placements to drive lemmings to their site, then flash a screen saying that a virus was detected on your computer and that you should call the provided number so that, for a small amount of money, the virus will be removed, get a new and more sinister life.
I suspected many such firms (for example ISS, which was bought by IBM in 2006) to be scams long ago.
Notable quotes:
"... Disobedient Media outlines the DNC server cover-up evidenced in CrowdStrike malware infusion ..."
"... In the article, they claim to have just been working on eliminating the last of the hackers from the DNC's network during the past weekend (conveniently coinciding with Assange's statement and being an indirect admission that their Falcon software had failed to achieve its stated capabilities at that time, assuming their statements were accurate). ..."
"... To date, CrowdStrike has not been able to show how the malware had relayed any emails or accessed any mailboxes. They have also not responded to inquiries specifically asking for details about this. In fact, things have now been discovered that bring some of their malware discoveries into question. ..."
"... there is a reason to think Fancy Bear didn't start some of its activity until CrowdStrike had arrived at the DNC. CrowdStrike, in the indiciators of compromise they reported, identified three pieces of malware relating to Fancy Bear: ..."
"... They found that generally, in a lot of cases, malware developers didn't care to hide the compile times and that while implausible timestamps are used, it's rare that these use dates in the future. It's possible, but unlikely that one sample would have a postdated timestamp to coincide with their visit by mere chance but seems extremely unlikely to happen with two or more samples. Considering the dates of CrowdStrike's activities at the DNC coincide with the compile dates of two out of the three pieces of malware discovered and attributed to APT-28 (the other compiled approximately 2 weeks prior to their visit), the big question is: Did CrowdStrike plant some (or all) of the APT-28 malware? ..."
"... The IP address, according to those articles, was disabled in June 2015, eleven months before the DNC emails were acquired – meaning those IP addresses, in reality, had no involvement in the alleged hacking of the DNC. ..."
"... The fact that two out of three of the Fancy Bear malware samples identified were compiled on dates within the apparent five day period CrowdStrike were apparently at the DNC seems incredibly unlikely to have occurred by mere chance. ..."
"... That all three malware samples were compiled within ten days either side of their visit – makes it clear just how questionable the Fancy Bear malware discoveries were. ..."
Dec 28, 2017 | theduran.com

Of course the DNC did not want the FBI to investigate its "hacked servers". The plan was well underway to excuse Hillary's pathetic election defeat to Trump, and CrowdStrike would help out by planting evidence to pin on those evil "Russian hackers." Some would call this entire DNC server hack an "insurance policy."

... ... ...

[Sep 23, 2017] CentOS 7 Server Hardening Guide Lisenet.com Linux Security Networking

Highly recommended!
Notable quotes:
"... As a rule of thumb, malicious applications usually write to /tmp and then attempt to run whatever was written. A way to prevent this is to mount /tmp on a separate partition with the options noexec , nodev and nosuid enabled. ..."
Sep 23, 2017 | www.lisenet.com

Remove packages which you don't require on a server, e.g. firmware of sound cards, firmware of WinTV, wireless drivers etc.

# yum remove alsa-* ivtv-* iwl*firmware ic94xx-firmware

2. System Settings – File Permissions and Masks

2.1 Restrict Partition Mount Options

Partitions should have hardened mount options:

  1. /boot – rw,nodev,noexec,nosuid
  2. /home – rw,nodev,nosuid
  3. /tmp – rw,nodev,noexec,nosuid
  4. /var – rw,nosuid
  5. /var/log – rw,nodev,noexec,nosuid
  6. /var/log/audit – rw,nodev,noexec,nosuid
  7. /var/www – rw,nodev,nosuid

As a rule of thumb, malicious applications usually write to /tmp and then attempt to run whatever was written. A way to prevent this is to mount /tmp on a separate partition with the options noexec, nodev and nosuid enabled.

This denies direct execution of binaries and scripts from /tmp (execve fails), ignores set-user-ID and set-group-ID bits on files there, and prevents device nodes on the partition from being interpreted. Note that noexec does not stop an interpreter being pointed at a file: sh /tmp/dropper.sh or python /tmp/x.py still run, so treat it as one layer, not a complete block.

The storage location /var/tmp should be bind mounted to /tmp , as having multiple locations for temporary storage is not required:

/tmp /var/tmp none rw,nodev,noexec,nosuid,bind 0 0

The same applies to shared memory /dev/shm :

tmpfs /dev/shm tmpfs rw,nodev,noexec,nosuid 0 0

The proc pseudo-filesystem /proc should be mounted with hidepid. With hidepid=2, other users' /proc/<pid> directories are hidden entirely (they are not even listed), so unprivileged users cannot see each other's processes. Monitoring agents that need to see every PID can be exempted with the gid= mount option.

proc /proc proc rw,hidepid=2 0 0

Harden removable media mounts by adding nodev, noexec and nosuid, e.g.:

/dev/cdrom /mnt/cdrom iso9660 ro,noexec,nosuid,nodev,noauto 0 0
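As an added check (this script is not part of the Lisenet guide), the following audits a host's live mount options against the table above. It reads the "TARGET OPTIONS" format printed by findmnt -rn -o TARGET,OPTIONS; the mount listing embedded in it is constructed to show a half-finished hardening, and the option table in required_opts is the one from section 2.1 with /var/tmp and /dev/shm added from the fstab lines above. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the guide: audit live mount options against the
# table in section 2.1 (plus /var/tmp and /dev/shm from the fstab lines).
# Input is "TARGET OPTIONS" lines as printed by `findmnt -rn -o TARGET,OPTIONS`
# (columns 2 and 4 of /proc/self/mounts give the same). The sample below is
# constructed; on a real host pipe findmnt into check_mounts instead.

# required_opts MOUNTPOINT -> the options section 2.1 asks for, space separated
required_opts() {
  case "$1" in
    /boot|/tmp|/var/tmp|/var/log|/var/log/audit|/dev/shm) echo "nodev noexec nosuid" ;;
    /home|/var/www) echo "nodev nosuid" ;;
    /var) echo "nosuid" ;;
    *) echo "" ;;
  esac
}

# check_mounts: reads "TARGET OPTIONS" on stdin, prints "<target> missing <opt>"
# for every required option that is absent, returns 1 if anything was missing.
check_mounts() {
  missing=0
  while read -r target opts; do
    [ -n "$target" ] || continue
    for opt in $(required_opts "$target"); do
      case ",$opts," in
        *",$opt,"*) ;;                                        # option present
        *) printf '%s missing %s\n' "$target" "$opt"; missing=1 ;;
      esac
    done
  done
  return $missing
}

# Constructed sample of a partially hardened host: /tmp lacks noexec and
# /home was mounted with defaults only.
SAMPLE_MOUNTS='/ rw,relatime,seclabel
/boot rw,relatime,seclabel,nodev,noexec,nosuid
/tmp rw,relatime,seclabel,nosuid,nodev
/var/tmp rw,relatime,seclabel,nodev,noexec,nosuid
/dev/shm rw,nosuid,nodev,noexec,seclabel
/home rw,relatime,seclabel'

if ! printf '%s\n' "$SAMPLE_MOUNTS" | check_mounts; then
  echo "mount hardening incomplete (see lines above)"
fi
# Live check:  findmnt -rn -o TARGET,OPTIONS | check_mounts
```

Because the options are compared as a comma-delimited set, the order findmnt prints them in does not matter, and options such as relatime or seclabel that the table does not mention are ignored.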
2.2 Restrict Dynamic Mounting and Unmounting of Filesystems

Add the following to /etc/modprobe.d/hardening.conf to disable uncommon filesystems:

install cramfs /bin/true

install freevxfs /bin/true

install jffs2 /bin/true

install hfs /bin/true

install hfsplus /bin/true

install squashfs /bin/true

install udf /bin/true

Depending on the setup (if you don't run clusters, NFS, CIFS etc.), you may consider disabling the following too:

install fat /bin/true

install vfat /bin/true

install cifs /bin/true

install nfs /bin/true

install nfsv3 /bin/true

install nfsv4 /bin/true

install gfs2 /bin/true

It is wise to leave ext4, xfs and btrfs enabled at all times.

2.3 Prevent Users Mounting USB Storage

Add the following to /etc/modprobe.d/hardening.conf to disable modprobe loading of USB and FireWire storage drivers:

blacklist usb-storage

blacklist firewire-core

install usb-storage /bin/true

Deauthorise USB devices through the kernel's USB device authorisation interface. Create a file /opt/usb-auth.sh with the following content:

#!/bin/bash
# Deauthorise everything attached to each USB root hub (usb1, usb2, ...)
# and refuse devices plugged in later on that bus (authorized_default).
for hub in /sys/bus/usb/devices/usb*; do
    echo 0 > "$hub/authorized_default"
    echo 0 > "$hub/authorized"
done

The usb1, usb2, ... entries are root hubs, one per USB bus, so the loop covers every bus the host has. Create a service file /etc/systemd/system/usb-auth.service with the following content:

[Unit]

Description=Disable USB auth

DefaultDependencies=no



[Service]

Type=oneshot

ExecStart=/bin/bash /opt/usb-auth.sh



[Install]

WantedBy=multi-user.target

Set permissions, enable and start the service:

# chmod 0700 /opt/usb-auth.sh

# systemctl enable usb-auth.service

# systemctl start usb-auth.service

If required, disable kernel support for USB via bootloader configuration. To do so, append nousb to the kernel line GRUB_CMDLINE_LINUX in /etc/default/grub and generate the Grub2 configuration file:

# grub2-mkconfig -o /boot/grub2/grub.cfg

Note that disabling all kernel support for USB will likely cause problems for systems with USB-based keyboards etc.

2.4 Restrict Programs from Dangerous Execution Patterns

Configure /etc/sysctl.conf with the following:

# Disable core dumps of set-user-ID programs
fs.suid_dumpable = 0

# Disable System Request debugging functionality
kernel.sysrq = 0

# Restrict access to kernel logs
kernel.dmesg_restrict = 1

# Enable ExecShield protection. This key does not exist on the CentOS 7 kernel
# (the NX bit provides the protection), so sysctl -p will report it as missing;
# the line is harmless but does nothing there.
kernel.exec-shield = 1

# Randomise memory space (full ASLR, including the heap)
kernel.randomize_va_space = 2

# Hide kernel pointers in /proc and dmesg, even from root
kernel.kptr_restrict = 2

Load sysctl settings:

# sysctl -p

2.5 Set UMASK 027

The following files require umask hardening: /etc/bashrc , /etc/csh.cshrc , /etc/init.d/functions and /etc/profile .

Sed one-liner:

# sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/bashrc

# sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/csh.cshrc

# sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/profile

# sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/init.d/functions

2.6 Disable Core Dumps

Open /etc/security/limits.conf and set the following:

*  hard  core  0

2.7 Set Security Limits to Prevent DoS

Add the following to /etc/security/limits.conf to enforce sensible security limits:

# 4096 is a good starting point

*      soft   nofile    4096

*      hard   nofile    65536

*      soft   nproc     4096

*      hard   nproc     4096

*      soft   locks     4096

*      hard   locks     4096

*      soft   stack     10240

*      hard   stack     32768

*      soft   memlock   64

*      hard   memlock   64

*      hard   maxlogins 10



# Soft limit 32GB, hard 64GB

*      soft   fsize     33554432

*      hard   fsize     67108864



# Limits for root

root   soft   nofile    4096

root   hard   nofile    65536

root   soft   nproc     4096

root   hard   nproc     4096

root   soft   stack     10240

root   hard   stack     32768

root   soft   fsize     33554432

2.8 Verify Permissions of Files

Ensure that all files are owned by a user:

# find / -ignore_readdir_race -nouser -print -exec chown root {} \;

Ensure that all files are owned by a group:

# find / -ignore_readdir_race -nogroup -print -exec chgrp root {} \;

Automate the process by creating a cron file /etc/cron.daily/unowned_files with the following content:

#!/bin/bash

find / -ignore_readdir_race -nouser -print -exec chown root {} \;

find / -ignore_readdir_race -nogroup -print -exec chgrp root {} \;

Set ownership and permissions:

# chown root:root /etc/cron.daily/unowned_files

# chmod 0700 /etc/cron.daily/unowned_files

2.9 Monitor SUID/SGID Files

Search for setuid/setgid files and identify if all are required. The parentheses are needed, otherwise -o makes the -xdev and -type f tests apply only to the setuid half of the expression. Note that -xdev stays on one filesystem, so with the separate partitions from section 2.1 run it once per mount point, or drop -xdev:

# find / -xdev -type f \( -perm -4000 -o -perm -2000 \)

3. System Settings – Firewall and Network Configuration

3.1 Firewall

Setting the default firewalld zone to drop silently discards any packet which is not explicitly permitted (the drop zone drops rather than rejects, so the sender gets no ICMP error):

# sed -i "s/DefaultZone=.*/DefaultZone=drop/g" /etc/firewalld/firewalld.conf

Unless firewalld is required, mask it and replace with iptables:

# systemctl stop firewalld.service

# systemctl mask firewalld.service

# systemctl daemon-reload

# yum install iptables-services

# systemctl enable iptables.service ip6tables.service

Add the following to /etc/sysconfig/iptables to allow only minimal outgoing traffic (DNS, NTP, HTTP/S and SMTP submission on port 587):

*filter

-F INPUT

-F OUTPUT

-F FORWARD

-P INPUT ACCEPT

-P FORWARD DROP

-P OUTPUT ACCEPT

-A INPUT -i lo -m comment --comment local -j ACCEPT

-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -s 10.0.0.0/8 -j ACCEPT

-A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -s 172.16.0.0/12 -j ACCEPT

-A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -s 192.168.0.0/16 -j ACCEPT

-A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT

-A INPUT -j DROP

-A OUTPUT -d 127.0.0.0/8 -o lo -m comment --comment local -j ACCEPT

-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-A OUTPUT -p icmp -m icmp --icmp-type any -j ACCEPT

-A OUTPUT -p udp -m udp -m conntrack --ctstate NEW --dport 53 -j ACCEPT

-A OUTPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 53 -j ACCEPT

-A OUTPUT -p udp -m udp -m conntrack --ctstate NEW --dport 123 -j ACCEPT

-A OUTPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 80 -j ACCEPT

-A OUTPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT

-A OUTPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 587 -j ACCEPT

-A OUTPUT -j LOG --log-prefix "iptables_output "

-A OUTPUT -j REJECT --reject-with icmp-port-unreachable

COMMIT

Note that the rule allowing incoming SSH from any source (the --dport 22 rule without -s) should be removed, restricting access to an IP whitelist only, or SSH should be hidden behind a VPN.
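Added example, not from the guide: a small lint for the ruleset above that reports INPUT rules accepting traffic without any scoping (no -i, no -s, and not the RELATED,ESTABLISHED rule). Run over the constructed copy of the INPUT chain below, it reports exactly the blanket SSH rule this note is about, so the omission is caught before iptables-restore loads it. The function name unscoped_input_accepts and the sample ruleset are this example's own.

```sh
#!/bin/sh
# Added example, not part of the guide: list INPUT rules in an iptables-save
# style ruleset that accept traffic without scoping it to an interface, a
# source address or an established connection. Reads rules on stdin, prints
# the offending rules, returns 1 if anything was reported.
unscoped_input_accepts() {
  found=0
  while IFS= read -r rule; do
    case "$rule" in
      "-A INPUT "*"-j ACCEPT") ;;          # only INPUT rules whose target is ACCEPT
      *) continue ;;
    esac
    case "$rule" in
      *" -i "*|*" -s "*|*"--ctstate RELATED,ESTABLISHED"*) continue ;;   # scoped, fine
    esac
    printf '%s\n' "$rule"
    found=1
  done
  return $found
}

# Constructed copy of the INPUT chain from /etc/sysconfig/iptables above,
# plus one OUTPUT rule to show that other chains are ignored.
SAMPLE_RULES='-A INPUT -i lo -m comment --comment local -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -p tcp -m tcp -m conntrack --ctstate NEW --dport 443 -j ACCEPT'

if ! printf '%s\n' "$SAMPLE_RULES" | unscoped_input_accepts; then
  echo "the rules above accept from any source: add -s, or remove them"
fi
# Live check:  unscoped_input_accepts < /etc/sysconfig/iptables
```

The check is deliberately coarse: it looks at the rule text, not at the packets, so a rule that is scoped by a -m set or -m geoip match would still be reported and needs a human decision.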

Add the following to /etc/sysconfig/ip6tables to deny all IPv6:

*filter

-F INPUT

-F OUTPUT

-F FORWARD

-P INPUT DROP

-P FORWARD DROP

-P OUTPUT DROP

COMMIT

Apply configurations:

# iptables-restore < /etc/sysconfig/iptables

# ip6tables-restore < /etc/sysconfig/ip6tables

3.2 TCP Wrappers

Open /etc/hosts.allow and allow localhost traffic and SSH:

ALL: 127.0.0.1

sshd: ALL

The file /etc/hosts.deny should be configured to deny all by default:

ALL: ALL

3.3 Kernel Parameters Which Affect Networking

Open /etc/sysctl.conf and add the following:

# Disable packet forwarding

net.ipv4.ip_forward = 0



# Disable redirects, not a router

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.all.secure_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

net.ipv6.conf.all.accept_redirects = 0

net.ipv6.conf.default.accept_redirects = 0



# Disable source routing

net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.default.accept_source_route = 0

net.ipv6.conf.all.accept_source_route = 0



# Enable source validation by reversed path

net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1



# Log packets with impossible addresses to kernel log

net.ipv4.conf.all.log_martians = 1

net.ipv4.conf.default.log_martians = 1



# Disable ICMP broadcasts

net.ipv4.icmp_echo_ignore_broadcasts = 1



# Ignore bogus ICMP errors

net.ipv4.icmp_ignore_bogus_error_responses = 1



# Against SYN flood attacks

net.ipv4.tcp_syncookies = 1



# Turning off timestamps could improve security but degrade performance.

# TCP timestamps are used to improve performance as well as protect against

# late packets messing up your data flow. A side effect of this feature is 

# that the uptime of the host can sometimes be computed.

# If you disable TCP timestamps, you should expect worse performance 

# and less reliable connections.

net.ipv4.tcp_timestamps = 1



# Disable IPv6 unless required

net.ipv6.conf.lo.disable_ipv6 = 1

net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.default.disable_ipv6 = 1



# Do not accept router advertisements

net.ipv6.conf.all.accept_ra = 0

net.ipv6.conf.default.accept_ra = 0
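Writing the values into /etc/sysctl.conf (sections 2.4 and 3.3) is not the same as the kernel running with them: a typo, a key the kernel does not have, or a later service resetting a value all go unnoticed. The following added example, which is not part of the guide, compares an expected sysctl.conf fragment with a sysctl -a dump and reports absent and mismatching keys. Both inputs below are constructed; the function names audit_sysctl and write_samples are this example's own.

```sh
#!/bin/sh
# Added example, not part of the guide: compare the sysctl values requested in
# sections 2.4 and 3.3 with what the running kernel reports. EXPECTED is the
# sysctl.conf fragment (comments and blank lines allowed); ACTUAL is the
# output of `sysctl -a 2>/dev/null`. Both samples below are constructed.
#
# audit_sysctl EXPECTED_FILE ACTUAL_FILE
#   prints "<key> absent"                when the kernel has no such key
#          "<key> is <have> want <want>" on a mismatch
#   returns 1 if anything was printed.
audit_sysctl() {
  awk '
    # parse "key = value", dropping comments; sets the globals key and val
    function parse(line,    kv) {
      sub(/#.*/, "", line)
      if (line !~ /=/) return 0
      split(line, kv, "=")
      gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
      gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
      key = kv[1]; val = kv[2]
      return key != ""
    }
    BEGIN { bad = 0 }
    FNR == NR { if (parse($0)) { want[key] = val; order[++n] = key }; next }
    { if (parse($0)) have[key] = val }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (!(k in have))            { print k " absent"; bad = 1 }
        else if (have[k] != want[k]) { print k " is " have[k] " want " want[k]; bad = 1 }
      }
      exit bad
    }' "$1" "$2"
}

# write_samples EXPECTED_PATH ACTUAL_PATH: writes the constructed inputs.
write_samples() {
  cat >"$1" <<'EOF'
# subset of sections 2.4 and 3.3
fs.suid_dumpable = 0
kernel.sysrq = 0
kernel.dmesg_restrict = 1
kernel.exec-shield = 1
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
EOF
  # constructed `sysctl -a` excerpt of a CentOS 7 host that applied only part of it
  cat >"$2" <<'EOF'
fs.suid_dumpable = 0
kernel.sysrq = 16
kernel.dmesg_restrict = 1
kernel.randomize_va_space = 2
kernel.kptr_restrict = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_fin_timeout = 60
EOF
}

EXPECTED=$(mktemp); ACTUAL=$(mktemp)
write_samples "$EXPECTED" "$ACTUAL"
if ! audit_sysctl "$EXPECTED" "$ACTUAL"; then
  echo "sysctl hardening incomplete"
fi
rm -f "$EXPECTED" "$ACTUAL"
# Live check:  sysctl -a 2>/dev/null >/tmp/sysctl.now && audit_sysctl /etc/sysctl.conf /tmp/sysctl.now
```

On the constructed sample this reports kernel.exec-shield as absent (the key is not present on the CentOS 7 kernel), kernel.sysrq and net.ipv4.ip_forward as still at their defaults, and kernel.kptr_restrict set to 1 rather than 2; keys the expected file does not mention are ignored.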
3.4 Kernel Modules Which Affect Networking

Open /etc/modprobe.d/hardening.conf and disable Bluetooth kernel modules:

install bnep /bin/true

install bluetooth /bin/true

install btusb /bin/true

install net-pf-31 /bin/true

Also disable AppleTalk:

install appletalk /bin/true

Unless required, disable support for IPv6:

options ipv6 disable=1

Disable (uncommon) protocols:

install dccp /bin/true

install sctp /bin/true

install rds /bin/true

install tipc /bin/true

Since we're looking at server security, wireless shouldn't be an issue, therefore we can disable all the wireless drivers. The blacklist directive takes a module name, not a path, so strip the directory and the .ko suffix. Note that blacklist only stops alias-based autoloading; for a hard block use install <module> /bin/true as in section 2.2.

# for i in $(find /lib/modules/$(uname -r)/kernel/drivers/net/wireless -name "*.ko" -type f); do \
    echo blacklist "$(basename "$i" .ko)" >> /etc/modprobe.d/hardening-wireless.conf; done

3.5 Disable Radios

Disable radios (wifi and wwan):

# nmcli radio all off

3.6 Disable Zeroconf Networking

Open /etc/sysconfig/network and add the following:

NOZEROCONF=yes

3.7 Disable Interface Usage of IPv6

Open /etc/sysconfig/network and add the following:

NETWORKING_IPV6=no

IPV6INIT=no

3.8 Network Sniffer

The server should not be acting as a network sniffer and capturing packets. Run the following to determine if any interface is running in promiscuous mode:

# ip link | grep PROMISC

3.9 Secure VPN Connection

Install the libreswan package if implementation of IPsec and IKE is required.

# yum install libreswan

3.10 Disable DHCP Client

Manual assignment of IP addresses provides a greater degree of control: the server no longer depends on a DHCP server that could hand it a rogue gateway or DNS server.

For each network interface that is available on the server, open the corresponding file /etc/sysconfig/network-scripts/ifcfg-<interface> and configure the following parameters:

BOOTPROTO=none

IPADDR=

NETMASK=

GATEWAY=

4. System Settings – SELinux

Ensure that SELinux is not disabled in /etc/default/grub (no selinux=0 or enforcing=0 on the kernel line), and verify that the state is enforcing:

# sestatus

5. System Settings – Account and Access Control

5.1 Delete Unused Accounts and Groups

Remove any account which is not required, e.g.:

# userdel -r adm

# userdel -r ftp

# userdel -r games

# userdel -r lp

Remove any group which is not required, e.g.:

# groupdel games

5.2 Disable Direct root Login

# echo > /etc/securetty

5.3 Enable Secure (high quality) Password Policy

Note that running authconfig will overwrite the PAM configuration files, destroying any manually made changes. Make sure that you have a backup.

Secure password policy rules are outlined below.

  1. Minimum length of a password – 16.
  2. Minimum number of character classes in a password – 4.
  3. Maximum number of same consecutive characters in a password – 2.
  4. Maximum number of consecutive characters of same class in a password – 2.
  5. Require at least one lowercase and one uppercase characters in a password.
  6. Require at least one digit in a password.
  7. Require at least one other character in a password.

The following command will enable SHA512 as well as set the above password requirements:

# authconfig --passalgo=sha512 \

 --passminlen=16 \

 --passminclass=4 \

 --passmaxrepeat=2 \

 --passmaxclassrepeat=2 \

 --enablereqlower \

 --enablerequpper \

 --enablereqdigit \

 --enablereqother \

 --update

Open /etc/security/pwquality.conf and add the following:

difok = 8

gecoscheck = 1

These ensure that at least 8 characters of the new password are not present in the old one (difok), and that words from the user's GECOS field in /etc/passwd, such as the full name, are rejected as password material (gecoscheck).
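To see what the seven rules above actually accept and reject before committing them to PAM, here is an added example (not part of the guide) that applies the same structural rules to a candidate password: minimum length 16, all four character classes, and no run of more than two identical characters or of more than two characters of one class. It mirrors only the structural rules, not pam_pwquality's dictionary, GECOS or difok checks; the function name check_password and the candidate passwords are this example's own.

```sh
#!/bin/sh
# Added example, not part of the guide: stand-alone checker for the seven
# password rules of section 5.3. Prints OK or one reason per line; exit status
# 0 if the password is accepted, 1 otherwise. LC_ALL=C keeps the [a-z]/[A-Z]
# ranges honest regardless of the caller's locale.
check_password() {
  printf '%s\n' "$1" | LC_ALL=C awk '
    function class(c) {
      if (c ~ /[a-z]/) return "lower"
      if (c ~ /[A-Z]/) return "upper"
      if (c ~ /[0-9]/) return "digit"
      return "other"
    }
    {
      pw = $0; n = length(pw); bad = 0
      if (n < 16) { print "too short: " n " characters, minimum 16"; bad = 1 }
      prev = ""; prevclass = ""; same = 0; sameclass = 0
      for (i = 1; i <= n; i++) {
        c = substr(pw, i, 1); cl = class(c); seen[cl] = 1
        same = (c == prev) ? same + 1 : 1                 # run of identical characters
        sameclass = (cl == prevclass) ? sameclass + 1 : 1 # run of one character class
        if (same == 3) { print "more than 2 identical consecutive characters at position " i; bad = 1 }
        if (sameclass == 3) { print "more than 2 consecutive " cl " characters at position " i; bad = 1 }
        prev = c; prevclass = cl
      }
      nclass = 0
      for (k in seen) nclass++
      if (nclass < 4) {                                   # rules 2 and 5-7 together
        msg = "missing classes:"
        if (!("lower" in seen)) msg = msg " lower"
        if (!("upper" in seen)) msg = msg " upper"
        if (!("digit" in seen)) msg = msg " digit"
        if (!("other" in seen)) msg = msg " other"
        print msg; bad = 1
      }
      if (!bad) print "OK"
      exit bad
    }'
}

# Constructed candidates: short, repetitive, and one that passes every rule.
for candidate in 'Tr0ub4dor&3' 'Passwooord123!!!' 'aB1!cD2@eF3#gH4$'; do
  echo "$candidate:"
  check_password "$candidate" || :
done
```

Each failing run is reported once, at the position where it reaches three characters, which is usually what a user needs to see to fix the password rather than a bare "BAD PASSWORD" from passwd.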

5.4 Prevent Log In to Accounts With Empty Password

Remove any instances of nullok from /etc/pam.d/system-auth and /etc/pam.d/password-auth to prevent logins with empty passwords.

Sed one-liner:

# sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth /etc/pam.d/password-auth

5.5 Set Account Expiration Following Inactivity

Disable accounts as soon as the password has expired.

Open /etc/default/useradd and set the following:

INACTIVE=0

Sed one-liner:

# sed -i 's/^INACTIVE.*/INACTIVE=0/' /etc/default/useradd

5.6 Secure Password Policy

Open /etc/login.defs and set the following. Note that PASS_MIN_LEN here is only consulted by tools that bypass PAM; the effective minimum length is the pwquality minlen of 16 configured above:

PASS_MAX_DAYS 60

PASS_MIN_DAYS 1

PASS_MIN_LEN 14

PASS_WARN_AGE 14

Sed one-liner:

# sed -i -e 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 60/' \

  -e 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 1/' \

  -e 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 14/' \

  -e 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 14/' /etc/login.defs

5.7 Log Failed Login Attempts

Open /etc/login.defs and enable logging:

FAILLOG_ENAB yes

Also add a delay in seconds before being allowed another attempt after a login failure:

FAIL_DELAY 4

5.8 Ensure Home Directories are Created for New Users

Open /etc/login.defs and configure:

CREATE_HOME yes

5.9 Verify All Account Password Hashes are Shadowed

Every second field of /etc/passwd should be "x", meaning the hash lives in /etc/shadow; the command below should therefore print a single "x" (uniq alone only collapses adjacent duplicates, hence sort -u):

# cut -d: -f2 /etc/passwd | sort -u

5.10 Set Deny and Lockout Time for Failed Password Attempts

Add the following line immediately before the pam_unix.so statement in the AUTH section of /etc/pam.d/system-auth and /etc/pam.d/password-auth :

auth required pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900

Add the following line immediately after the pam_unix.so statement in the AUTH section of /etc/pam.d/system-auth and /etc/pam.d/password-auth :

auth [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900

Add the following line immediately before the pam_unix.so statement in the ACCOUNT section of /etc/pam.d/system-auth and /etc/pam.d/password-auth :

account required pam_faillock.so

The content of the file /etc/pam.d/system-auth can be seen below.

#%PAM-1.0

auth        required      pam_env.so

auth        required      pam_faillock.so preauth silent deny=3 unlock_time=900 fail_interval=900

auth        sufficient    pam_unix.so  try_first_pass

auth        [default=die] pam_faillock.so authfail deny=3 unlock_time=900 fail_interval=900

auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success

auth        required      pam_deny.so



account     required      pam_unix.so

account     required      pam_faillock.so

account     sufficient    pam_localuser.so

account     sufficient    pam_succeed_if.so uid < 1000 quiet

account     required      pam_permit.so



password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

password    sufficient    pam_unix.so sha512 shadow  try_first_pass use_authtok remember=5

password    required      pam_deny.so



session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

-session    optional      pam_systemd.so

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

Also, do not allow users to reuse recent passwords by adding the remember option.

Make /etc/pam.d/system-auth and /etc/pam.d/password-auth configurations immutable so that they don't get overwritten when authconfig is run:

# chattr +i /etc/pam.d/system-auth /etc/pam.d/password-auth

Accounts will get locked after 3 failed login attempts, logged in /var/log/secure as:

login[]: pam_faillock(login:auth): Consecutive login failures for user tomas account temporarily locked

Use the following to clear a user's fail count:

# faillock --user tomas --reset

5.11 Set Boot Loader Password

Prevent users from entering the grub command line and edit menu entries:

# grub2-setpassword

# grub2-mkconfig -o /boot/grub2/grub.cfg

This will create the file /boot/grub2/user.cfg if one is not already present, which will contain the hashed Grub2 bootloader password.

Restrict permissions of /boot/grub2/grub.cfg so that unprivileged users cannot read the boot configuration:

# chmod 0600 /boot/grub2/grub.cfg

5.12 Password-protect Single User Mode

CentOS 7 single user mode is password protected by the root password by default as part of the design of Grub2 and systemd.

5.13 Ensure Users Re-Authenticate for Privilege Escalation

The NOPASSWD tag allows a user to execute commands using sudo without having to provide a password. While this may sometimes be useful, it is also dangerous.

Ensure that the NOPASSWD tag does not exist in /etc/sudoers configuration file or /etc/sudoers.d/ .

5.14 Multiple Console Screens and Console Locking

Install the screen package to be able to emulate multiple console windows:

# yum install screen

Install the vlock package to enable console screen locking:

# yum install vlock

5.15 Disable Ctrl-Alt-Del Reboot Activation

Prevent a locally logged-in console user from rebooting the system when Ctrl-Alt-Del is pressed:

# systemctl mask ctrl-alt-del.target

5.16 Warning Banners for System Access

Add the following line to the files /etc/issue and /etc/issue.net :

Unauthorised access prohibited. Logs are recorded and monitored.

5.17 Set Interactive Session Timeout

Open /etc/profile and set:

readonly TMOUT=900

5.18 Two Factor Authentication

Recent versions of the OpenSSH server allow several authentication methods to be chained, meaning that all of them have to be satisfied in order for a user to log in successfully.

Adding the following line to /etc/ssh/sshd_config would require a user to authenticate with a key first, and then also provide a password.

AuthenticationMethods publickey,password

This is by definition a two factor authentication: the key file is something that a user has, and the account password is something that a user knows.

Alternatively, two factor authentication for SSH can be set up by using Google Authenticator.

5.19 Configure History File Size

Open /etc/profile and set the number of commands to remember in the command history to 5000:

HISTSIZE=5000

Sed one-liner:

# sed -i 's/HISTSIZE=.*/HISTSIZE=5000/g' /etc/profile

6. System Settings – System Accounting with auditd

6.1 Auditd Configuration

Open /etc/audit/auditd.conf and configure the following:

local_events = yes

write_logs = yes

log_file = /var/log/audit/audit.log

max_log_file = 25

num_logs = 10

max_log_file_action = rotate

space_left = 30

space_left_action = email

admin_space_left = 10

admin_space_left_action = email

disk_full_action = suspend

disk_error_action = suspend

action_mail_acct = root@example.com

flush = data

The above auditd configuration should never use more than 250MB of disk space (10x25MB=250MB) on /var/log/audit .

Set admin_space_left_action=single if you want to cause the system to switch to single user mode for corrective action rather than send an email.

Automatically rotating logs ( max_log_file_action=rotate ) minimises the chances of the system unexpectedly running out of disk space by being filled up with log data.

We need to ensure that audit event data is fully synchronised (flush=data) with the log files on disk.

6.2 Auditd Rules

System audit rules must be owned by the root user and have mode 0640 or more restrictive:

# chown root:root /etc/audit/rules.d/audit.rules

# chmod 0600 /etc/audit/rules.d/audit.rules

Open /etc/audit/rules.d/audit.rules and add the following:

# Delete all currently loaded rules

-D



# Set kernel buffer size

-b 8192



# Set the action that is performed when a critical error is detected.

# Failure modes: 0=silent 1=printk 2=panic

-f 1



# Record attempts to alter the localtime file

-w /etc/localtime -p wa -k audit_time_rules



# Record events that modify user/group information

-w /etc/group -p wa -k audit_rules_usergroup_modification

-w /etc/passwd -p wa -k audit_rules_usergroup_modification

-w /etc/gshadow -p wa -k audit_rules_usergroup_modification

-w /etc/shadow -p wa -k audit_rules_usergroup_modification

-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification



# Record events that modify the system's network environment

-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification

-w /etc/issue -p wa -k audit_rules_networkconfig_modification

-w /etc/hosts -p wa -k audit_rules_networkconfig_modification

-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification

-a always,exit -F arch=b32 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification

-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification



# Record events that modify the system's mandatory access controls

-w /etc/selinux/ -p wa -k MAC-policy



# Record attempts to alter logon and logout events

-w /var/log/tallylog -p wa -k logins

-w /var/log/lastlog -p wa -k logins

-w /var/run/faillock/ -p wa -k logins



# Record attempts to alter process and session initiation information

-w /var/log/btmp -p wa -k session

-w /var/log/wtmp -p wa -k session

-w /var/run/utmp -p wa -k session



# Ensure auditd collects information on kernel module loading and unloading

-w /usr/sbin/insmod -p x -k modules

-w /usr/sbin/modprobe -p x -k modules

-w /usr/sbin/rmmod -p x -k modules

-a always,exit -F arch=b64 -S init_module -S delete_module -k modules



# Ensure auditd collects system administrator actions

-w /etc/sudoers -p wa -k actions



# Record attempts to alter time through adjtimex

-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k audit_time_rules



# Record attempts to alter time through settimeofday

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k audit_time_rules



# Record attempts to alter time through clock_settime

-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -k time-change



# Record attempts to alter time through clock_settime

-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -k time-change



# Record events that modify the system's discretionary access controls

-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod



# Ensure auditd collects unauthorised access attempts to files (unsuccessful)

-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access

-a always,exit -F arch=b32 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access

-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access



# Ensure auditd collects information on exporting to media (successful)

-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k export

-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export



# Ensure auditd collects file deletion events by user

-a always,exit -F arch=b32 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete



# Ensure auditd collects information on the use of privileged commands

-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/screen -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged-priv_change

-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged

-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged



# Make the auditd configuration immutable.

# The configuration can only be changed by rebooting the machine.

-e 2

The auditd service has no built-in way to send audit records directly to a centralised server for management.

It does, however, ship a plug-in for the audit event multiplexor (audispd) that passes audit records to the local syslog server.

To do so, open the file /etc/audisp/plugins.d/syslog.conf and set:

active = yes

Enable and start the service:

# systemctl enable auditd.service

# systemctl start auditd.service
6.3. Enable Kernel Auditing

Open /etc/default/grub and append the following parameter to the kernel boot line GRUB_CMDLINE_LINUX:

audit=1

Update Grub2 configuration to reflect changes:

# grub2-mkconfig -o /boot/grub2/grub.cfg
7. System Settings – Software Integrity Checking

7.1 Advanced Intrusion Detection Environment (AIDE)

Install AIDE:

# yum install aide

Build AIDE database:

# /usr/sbin/aide --init

By default, the database is written to /var/lib/aide/aide.db.new.gz. Copy it into place as the reference database:

# cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Storing the database and the configuration file /etc/aide.conf (or SHA2 hashes of the files) in a secure location provides additional assurance about their integrity.

Check AIDE database:

# /usr/sbin/aide --check

By default, AIDE does not install itself for periodic execution. Configure periodic execution of AIDE by adding to cron:

# echo "30 4 * * * root /usr/sbin/aide --check|mail -s 'AIDE' root@example.com" >> /etc/crontab

Periodically running AIDE is necessary in order to reveal system changes.
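What `aide --init` and `aide --check` do, reduced to its core, as an added example that is not part of the guide or of AIDE: a baseline of SHA-256, size, mode, uid and gid per regular file, saved to a JSON database, then compared against a fresh scan. The tree, the file contents and the tampering in run_demo() are constructed for the demo.

```python
"""Minimal AIDE-style file integrity baseline and check.

Added example; it is not part of the hardening guide or of AIDE. It records
SHA-256, size, mode, uid and gid for every regular file below a directory,
saves that as the baseline, and later compares a fresh scan against it, the
way `aide --init` followed by `aide --check` does for the paths in aide.conf.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def _sha256(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative path: attributes} for regular files below root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed here
            baseline[os.path.relpath(full, root)] = {
                "sha256": _sha256(full),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return baseline


def save_baseline(baseline, path):
    """Write the baseline as JSON; keep a copy of this file off the host."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Report added and removed files, and which attributes changed."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        else:
            diff = sorted(k for k in old[rel] if old[rel][k] != new[rel][k])
            if diff:
                report["changed"][rel] = diff
    return report


def run_demo():
    """Constructed tree: take a baseline, tamper with it, re-check."""
    root = tempfile.mkdtemp(prefix="aide-demo-")
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        for name, body in (("passwd", "root:x:0:0:root:/root:/bin/bash\n"),
                           ("issue", "Authorised access only.\n"),
                           ("motd", "")):
            with open(os.path.join(etc, name), "w") as f:
                f.write(body)
            os.chmod(os.path.join(etc, name), 0o644)
        db = os.path.join(root, "aide.db")
        save_baseline(build_baseline(etc), db)
        # Simulated changes (constructed sample data): a UID 0 account
        # appended, a permission change, a new file and a deleted file.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("eve:x:0:0::/:/bin/bash\n")
        os.chmod(os.path.join(etc, "issue"), 0o666)
        with open(os.path.join(etc, "rc.local"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(etc, "motd"))
        return compare(load_baseline(db), build_baseline(etc))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```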

7.2 Tripwire

Open Source Tripwire is an alternative to AIDE. It is recommended to use one or another, but not both.

Install Tripwire from the EPEL repository:

# yum install epel-release

# yum install tripwire

# /usr/sbin/tripwire-setup-keyfiles

The Tripwire configuration file is /etc/tripwire/twcfg.txt and the policy file is /etc/tripwire/twpol.txt. These can be edited and configured to match the system Tripwire is installed on; see this blog post for more details.

Initialise the database to implement the policy:

# tripwire --init

Check for policy violations:

# tripwire --check

Tripwire adds itself to /etc/cron.daily/ for daily execution therefore no extra configuration is required.

7.3 Prelink

Prelinking is done by the prelink package, which is not installed by default.

# yum install prelink

To disable prelinking, open the file /etc/sysconfig/prelink and set the following:

PRELINKING=no

Sed one-liner:

# sed -i 's/PRELINKING.*/PRELINKING=no/g' /etc/sysconfig/prelink

Disable existing prelinking on all system files:

# prelink -ua
8. System Settings – Logging and Message Forwarding

8.1 Configure Persistent Journald Storage

By default, the journal keeps log data only in memory, in a small ring buffer under /run/log/journal. That is enough for journalctl to show recent history, but the logs are lost on reboot. Enabling persistent journal storage keeps a complete record available after the system restarts.

Open the file /etc/systemd/journald.conf and set the following:

[Journal]

Storage=persistent



# How much disk space the journal may use up at most

SystemMaxUse=256M



# How much disk space systemd-journald shall leave free for other uses

SystemKeepFree=512M



# How large individual journal files may grow at most

SystemMaxFileSize=32M

Restart the service:

# systemctl restart systemd-journald
8.2 Configure Message Forwarding to Remote Server

Depending on your setup, open /etc/rsyslog.conf and add the following to forward all messages to a remote server:

*.* @graylog.example.com:514

Here *.* stands for facility.severity, i.e. every facility at every severity. Note that a single @ sends logs over UDP, while a double @@ sends them over TCP.

8.3 Logwatch

Logwatch is a customisable log-monitoring system.

# yum install logwatch

Logwatch adds itself to /etc/cron.daily/ for daily execution therefore no configuration is mandatory.

9. System Settings – Security Software

9.1 Malware Scanners

Install Rkhunter and ClamAV:

# yum install epel-release

# yum install rkhunter clamav clamav-update

# rkhunter --update

# rkhunter --propupd

# freshclam -v

Rkhunter adds itself to /etc/cron.daily/ for daily execution therefore no configuration is required. ClamAV scans should be tailored to individual needs.

9.2 Arpwatch

Arpwatch monitors ARP activity on the local network (ARP spoofing detection), so it is unlikely to be used in the cloud; it is still worth mentioning that the tool exists.

The configuration file /etc/sysconfig/arpwatch sets the email address to which reports are sent.

9.3 Commercial AV

Consider installing a commercial AV product that provides real-time on-access scanning capabilities.

9.4 Grsecurity

Grsecurity is an extensive security enhancement to the Linux kernel. Although it isn't free nowadays, the software is still worth mentioning.

The company behind Grsecurity stopped publicly distributing stable patches back in 2015, with an exception of the test series continuing to be available to the public in order to avoid impact to the Gentoo Hardened and Arch Linux communities.

Two years later, the company decided to cease free distribution of the test patches as well, therefore as of 2017, Grsecurity software is available to paying customers only.

10. System Settings – OS Update Installation

Install the package yum-utils for better consistency checking of the package database.

# yum install yum-utils

Configure automatic package updates via yum-cron.

# yum install yum-cron

Add the following to /etc/yum/yum-cron.conf to get notified via email when new updates are available:

update_cmd = default

update_messages = yes

download_updates = no	

apply_updates = no

emit_via = email	

email_from = root@example.com

email_to = user@example.com

email_host = localhost

Add the following to /etc/yum/yum-cron-hourly.conf to check for security-related updates every hour and automatically download and install them:

update_cmd = security

update_messages = yes

download_updates = yes

apply_updates = yes

emit_via = stdio

Enable and start the service:

# systemctl enable yum-cron.service

# systemctl start yum-cron.service
11. System Settings – Process Accounting

The package psacct contains utilities for monitoring process activity:

  1. ac – displays statistics about how long users have been logged on.
  2. lastcomm – displays information about previously executed commands.
  3. accton – turns process accounting on or off.
  4. sa – summarises information about previously executed commands.

Install and enable the service:

# yum install psacct

# systemctl enable psacct.service

# systemctl start psacct.service
1. Services – SSH Server

Create a group for SSH access as well as some regular user account who will be a member of the group:

# groupadd ssh-users

# useradd -m -s /bin/bash -G ssh-users tomas

Generate SSH keys for the user:

# su - tomas

$ mkdir --mode=0700 ~/.ssh

$ ssh-keygen -b 4096 -t rsa -C "tomas" -f ~/.ssh/id_rsa

Generate SSH host keys:

# ssh-keygen -b 4096 -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key

# ssh-keygen -b 1024 -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key

# ssh-keygen -b 521 -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key

# ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key

For RSA keys, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2.

For ECDSA keys, the -b flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. ED25519 keys have a fixed length and the -b flag is ignored.

The host can be impersonated if an unauthorised user obtains the private SSH host key file, therefore ensure that permissions of /etc/ssh/*_key are properly set:

# chmod 0600 /etc/ssh/*_key

Configure /etc/ssh/sshd_config with the following:

# SSH port

Port 22



# Listen on IPv4 only

ListenAddress 0.0.0.0



# Protocol version 1 has known weaknesses; allow only version 2

Protocol 2



# Limit the ciphers to those which are FIPS-approved, the AES and 3DES ciphers

# Counter (CTR) mode is preferred over cipher-block chaining (CBC) mode

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc



# Use FIPS-approved MACs

MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1



# INFO is a basic logging level that will capture user login/logout activity

# DEBUG logging level is not recommended for production servers

LogLevel INFO



# Disconnect if no successful login is made in 60 seconds

LoginGraceTime 60



# Do not permit root logins via SSH

PermitRootLogin no



# Check file modes and ownership of the user's files before login

StrictModes yes



# Close TCP socket after 2 invalid login attempts

MaxAuthTries 2



# The maximum number of sessions per network connection

MaxSessions 2



# User/group permissions

AllowUsers

AllowGroups ssh-users

DenyUsers root

DenyGroups root



# Password and public key authentications

PasswordAuthentication no

PermitEmptyPasswords no

PubkeyAuthentication yes

AuthorizedKeysFile  .ssh/authorized_keys



# Disable unused authentication mechanisms
# (RSAAuthentication and RhostsRSAAuthentication are protocol 1 options,
# deprecated in current OpenSSH; sshd_config does not accept trailing
# comments on a directive line, so they are noted here instead)

RSAAuthentication no

RhostsRSAAuthentication no

ChallengeResponseAuthentication no

KerberosAuthentication no

GSSAPIAuthentication no

HostbasedAuthentication no

IgnoreUserKnownHosts yes



# Disable insecure access via rhosts files

IgnoreRhosts yes



AllowAgentForwarding no

AllowTcpForwarding no



# Disable X Forwarding

X11Forwarding no



# Disable message of the day but print last log

PrintMotd no

PrintLastLog yes



# Show banner

Banner /etc/issue



# Do not send TCP keepalive messages

TCPKeepAlive no



# Default for new installations

UsePrivilegeSeparation sandbox



# Prevent users from potentially bypassing some access restrictions

PermitUserEnvironment no



# Disable compression

Compression no



# Disconnect the client if no activity has been detected for 900 seconds

ClientAliveInterval 900

ClientAliveCountMax 0



# Do not look up the remote hostname

UseDNS no



UsePAM yes

In case you want to change the default SSH port to something else, you will need to tell SELinux about it.

# yum install policycoreutils-python

For example, to allow SSH server to listen on TCP 2222, do the following:

# semanage port -a -t ssh_port_t 2222 -p tcp

Ensure that the firewall allows incoming traffic on the new SSH port and restart the sshd service.
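A check that the running configuration still matches the hardened values above, as an added example that is not part of the guide or of OpenSSH: a parser for sshd_config syntax (keyword, whitespace or =, value; # comments; case-insensitive keywords; first occurrence of a keyword wins, as sshd itself behaves) and an audit against the directives the guide sets. Both sample configurations are constructed; read /etc/ssh/sshd_config instead to audit a real host.

```python
"""Audit an sshd_config against the hardened settings in the guide.

Added example; it is not part of the guide or of OpenSSH. Expected values
are the ones the guide's sshd_config block sets; anything that deviates or
is left at sshd's default is reported as a finding.
"""
import re

EXPECTED = {
    "protocol": "2", "permitrootlogin": "no", "passwordauthentication": "no",
    "permitemptypasswords": "no", "pubkeyauthentication": "yes",
    "hostbasedauthentication": "no", "ignorerhosts": "yes",
    "x11forwarding": "no", "allowtcpforwarding": "no",
    "allowagentforwarding": "no", "permituserenvironment": "no",
    "usedns": "no", "clientalivecountmax": "0", "loglevel": "info",
}
FIPS_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc"}
FIPS_MACS = {"hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"}


def parse_sshd_config(text):
    """Return {keyword: value} with lower-cased keywords; duplicates ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, value)  # sshd keeps the first value it sees
    return conf


def audit(conf):
    """Return a sorted list of findings; an empty list means compliant."""
    findings = []
    for key, want in EXPECTED.items():
        got = conf.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd default applies (guide: {want})")
        elif got.lower() != want:
            findings.append(f"{key}: {got} (guide: {want})")
    for key, limit in (("maxauthtries", 2), ("logingracetime", 60)):
        value = conf.get(key)
        if value is None or not value.isdigit() or int(value) > limit:
            findings.append(f"{key}: {value} (guide: {limit} or lower)")
    if not conf.get("allowgroups"):
        findings.append("allowgroups: not set (guide restricts to ssh-users)")
    for key, allowed in (("ciphers", FIPS_CIPHERS), ("macs", FIPS_MACS)):
        value = conf.get(key, "")
        bad = sorted(set(value.split(",")) - allowed) if value else ["<default list>"]
        if bad:
            findings.append(f"{key}: not in guide's FIPS list: {', '.join(bad)}")
    return sorted(findings)


# Constructed sample resembling a stock CentOS 7 sshd_config.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
Ciphers aes256-gcm@openssh.com,aes128-ctr
UsePAM yes
"""

# Constructed sample reduced to the directives from the guide that audit() checks.
HARDENED_CONFIG = """\
Protocol 2
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
LogLevel INFO
LoginGraceTime 60
PermitRootLogin no
MaxAuthTries 2
AllowGroups ssh-users
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
PermitUserEnvironment no
ClientAliveCountMax 0
UseDNS no
"""

if __name__ == "__main__":
    for finding in audit(parse_sshd_config(WEAK_CONFIG)):
        print(finding)
```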

2. Service – Network Time Protocol

CentOS 7 should come with Chrony, make sure that the service is enabled:

# systemctl enable chronyd.service
3. Services – Mail Server

3.1 Postfix

Postfix should be installed and enabled already. In case it isn't, do the following:

# yum install postfix

# systemctl enable postfix.service

Open /etc/postfix/main.cf and configure the following to act as a null client:

smtpd_banner = $myhostname ESMTP

inet_interfaces = loopback-only

inet_protocols = ipv4

mydestination =

local_transport = error: local delivery disabled

unknown_local_recipient_reject_code = 550

mynetworks = 127.0.0.0/8

relayhost = [mail.example.com]:587

Optionally (depending on your setup), you can configure Postfix to use authentication:

# yum install cyrus-sasl-plain

Open /etc/postfix/main.cf and add the following:

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

smtp_sasl_security_options = noanonymous

smtp_tls_CApath = /etc/ssl/certs

smtp_use_tls = yes

Open /etc/postfix/sasl_passwd and put authentication credentials in a format of:

[mail.example.com]:587 user@example.com:password

Set permissions and create a database file:

# chmod 0600 /etc/postfix/sasl_passwd

# postmap /etc/postfix/sasl_passwd

Restart the service and ensure that the firewall allows outgoing traffic to the SMTP relay server.

3.2 Mail Distribution to Active Mail Accounts

Configure the file /etc/aliases to have a forward rule for the root user.

4. Services – Remove Obsolete Services

None of these should be installed on CentOS 7 minimal:

# yum erase xinetd telnet-server rsh-server \
  telnet rsh ypbind ypserv tftp-server bind \
  vsftpd dovecot squid net-snmp talk-server talk

Check all enabled services:

# systemctl list-unit-files --type=service|grep enabled

Disable kernel dump service:

# systemctl disable kdump.service

# systemctl mask kdump.service

Disable everything that is not required, e.g.:

# systemctl disable tuned.service
5. Services – Restrict at and cron to Authorised Users

If the file cron.allow exists, then only users listed in the file are allowed to use cron, and the cron.deny file is ignored.

# echo root > /etc/cron.allow

# echo root > /etc/at.allow

# rm -f /etc/at.deny /etc/cron.deny

Note that the root user can always use cron, regardless of the usernames listed in the access control files.

6. Services – Disable X Windows Startup

This can be achieved by setting a default target:

# systemctl set-default multi-user.target
7. Services – Fail2ban

Install Fail2ban from the EPEL repository:

# yum install epel-release

# yum install fail2ban

If using iptables rather than firewalld, open the file /etc/fail2ban/jail.d/00-firewalld.conf and comment out the following line:

#banaction = firewallcmd-ipset

Fail2ban reads /etc/fail2ban/jail.conf; site-specific overrides belong in /etc/fail2ban/jail.local so that a package upgrade does not overwrite them. A configuration snippet for SSH is provided below:

[sshd]

port    = ssh

enabled = true

ignoreip = 10.8.8.61

bantime  = 600

maxretry = 5

If you run SSH on a non-default port, you can change the port value to any positive integer and then enable the jail.

# systemctl enable fail2ban.service
# systemctl start fail2ban.service
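The [sshd] jail above replayed over constructed /var/log/secure lines, as an added example that is not Fail2ban's code: it applies maxretry = 5, bantime = 600 and ignoreip = 10.8.8.61 from the snippet, and assumes findtime = 600, which is Fail2ban's default. The log lines are constructed in the format sshd writes through rsyslog.

```python
"""Replay of the [sshd] jail over constructed /var/log/secure lines.

Added example; it is not Fail2ban's code. A source is banned when it
produces maxretry failures inside a findtime window and is then ignored
for bantime seconds, which is what the firewall ban action enforces.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

JAIL = {"maxretry": 5, "findtime": 600, "bantime": 600,
        "ignoreip": {"10.8.8.61"}}

# Failure lines as sshd logs them through rsyslog (syslog timestamp, host,
# program[pid]); both "Failed password" and "Invalid user" count as failures.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_ts(ts, year=2017):
    """syslog timestamps carry no year; the demo assumes one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").timestamp()


def find_bans(lines, jail=JAIL):
    """Return [(ip, timestamp of the failure that triggered the ban)]."""
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    banned_until = {}
    bans = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated messages are ignored
        ip, now = m.group("ip"), parse_ts(m.group("ts"))
        if ip in jail["ignoreip"]:
            continue  # whitelisted management host is never banned
        if banned_until.get(ip, 0) > now:
            continue  # the firewall already drops this source
        window = recent[ip]
        window.append(now)
        while now - window[0] > jail["findtime"]:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= jail["maxretry"]:
            bans.append((ip, m.group("ts")))
            banned_until[ip] = now + jail["bantime"]
            window.clear()
    return bans


# Constructed sample: a fast guesser (203.0.113.5), a slow one spaced seven
# minutes apart (198.51.100.7, stays under maxretry within findtime), and
# failures from the whitelisted management host (10.8.8.61).
SAMPLE_LOG = """\
Jun  9 04:10:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jun  9 04:10:03 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Jun  9 04:10:09 web01 sshd[2107]: Invalid user oracle from 203.0.113.5
Jun  9 04:10:15 web01 sshd[2107]: Failed password for invalid user oracle from 203.0.113.5 port 40120 ssh2
Jun  9 04:10:30 web01 sshd[2111]: Accepted publickey for tomas from 10.8.8.61 port 50122 ssh2
Jun  9 04:11:02 web01 sshd[2115]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jun  9 04:11:05 web01 sshd[2115]: Failed password for root from 203.0.113.5 port 40130 ssh2
Jun  9 04:20:00 web01 sshd[2130]: Failed password for tomas from 198.51.100.7 port 51000 ssh2
Jun  9 04:27:00 web01 sshd[2131]: Failed password for tomas from 198.51.100.7 port 51001 ssh2
Jun  9 04:34:00 web01 sshd[2132]: Failed password for tomas from 198.51.100.7 port 51002 ssh2
Jun  9 04:41:00 web01 sshd[2133]: Failed password for tomas from 198.51.100.7 port 51003 ssh2
Jun  9 04:48:00 web01 sshd[2134]: Failed password for tomas from 198.51.100.7 port 51004 ssh2
Jun  9 05:00:00 web01 sshd[2140]: Failed password for tomas from 10.8.8.61 port 52000 ssh2
Jun  9 05:00:04 web01 sshd[2140]: Failed password for tomas from 10.8.8.61 port 52000 ssh2
Jun  9 05:00:08 web01 sshd[2140]: Failed password for tomas from 10.8.8.61 port 52000 ssh2
Jun  9 05:00:12 web01 sshd[2141]: Failed password for tomas from 10.8.8.61 port 52001 ssh2
Jun  9 05:00:16 web01 sshd[2141]: Failed password for tomas from 10.8.8.61 port 52001 ssh2
"""

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()):
        print(f"{when}: ban {ip} for {JAIL['bantime']}s")
```

Raising findtime to 3600 in the jail dictionary bans the slow guesser as well, which is the trade-off the findtime setting controls.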
8. Services – Sysstat to Collect Performance Activity

Sysstat may provide useful insight into system usage and performance, however, unless used, the service should be disabled, or not installed at all.

# yum install sysstat
# systemctl enable sysstat.service
# systemctl start sysstat.service
References

[Jun 09, 2017] Sneaky hackers use Intel management tools to bypass Windows firewall

Notable quotes:
"... the group's malware requires AMT to be enabled and serial-over-LAN turned on before it can work. ..."
"... Using the AMT serial port, for example, is detectable. ..."
"... Do people really admin a machine through AMT through an external firewall? ..."
"... Businesses demanded this technology and, of course, Intel beats the drum for it as well. While I understand their *original* concerns I would never, ever connect it to the outside LAN. A real admin, in jeans and a tee, is a much better solution. ..."
Jun 09, 2017 | arstechnica.com
When you're a bad guy breaking into a network, the first problem you need to solve is, of course, getting into the remote system and running your malware on it. But once you're there, the next challenge is usually to make sure that your activity is as hard to detect as possible. Microsoft has detailed a neat technique used by a group in Southeast Asia that abuses legitimate management tools to evade firewalls and other endpoint-based network monitoring.

The group, which Microsoft has named PLATINUM, has developed a system for sending files, such as new payloads to run and new versions of their malware, to compromised machines. PLATINUM's technique leverages Intel's Active Management Technology (AMT) to do an end-run around the built-in Windows firewall. The AMT firmware runs at a low level, below the operating system, and it has access to not just the processor, but also the network interface.

The AMT needs this low-level access for some of the legitimate things it's used for. It can, for example, power cycle systems, and it can serve as an IP-based KVM (keyboard/video/mouse) solution, enabling a remote user to send mouse and keyboard input to a machine and see what's on its display. This, in turn, can be used for tasks such as remotely installing operating systems on bare machines. To do this, AMT not only needs to access the network interface, it also needs to simulate hardware, such as the mouse and keyboard, to provide input to the operating system.

But this low-level operation is what makes AMT attractive for hackers: the network traffic that AMT uses is handled entirely within AMT itself. That traffic never gets passed up to the operating system's own IP stack and, as such, is invisible to the operating system's own firewall or other network monitoring software. The PLATINUM software uses another piece of virtual hardware, an AMT-provided virtual serial port, to provide a link between the network itself and the malware application running on the infected PC.

Communication between machines uses serial-over-LAN traffic, which is handled by AMT in firmware. The malware connects to the virtual AMT serial port to send and receive data. Meanwhile, the operating system and its firewall are none the wiser. In this way, PLATINUM's malware can move files between machines on the network while being largely undetectable to those machines.

[Figure: PLATINUM uses AMT's serial-over-LAN (SOL) to bypass the operating system's network stack and firewall. Image: Microsoft]

AMT has been under scrutiny recently after the discovery of a long-standing remote authentication flaw that enabled attackers to use AMT features without needing to know the AMT password. This in turn could be used to enable features such as the remote KVM to control systems and run code on them.

However, that's not what PLATINUM is doing: the group's malware requires AMT to be enabled and serial-over-LAN turned on before it can work. This isn't exploiting any flaw in AMT; the malware just uses the AMT as it's designed in order to do something undesirable.

Both the PLATINUM malware and the AMT security flaw require AMT to be enabled in the first place; if it's not turned on at all, there's no remote access. Microsoft's write-up of the malware expressed uncertainty about this part; it's possible that the PLATINUM malware itself enabled AMT (if the malware has Administrator privileges, it can enable many AMT features from within Windows) or that AMT was already enabled and the malware managed to steal the credentials.

While this novel use of AMT is useful for transferring files while evading firewalls, it's not undetectable. Using the AMT serial port, for example, is detectable. Microsoft says that its own Windows Defender Advanced Threat Protection can even distinguish between legitimate uses of serial-over-LAN and illegitimate ones. But it's nonetheless a neat way of bypassing one of the more common protective measures that we depend on to detect and prevent unwanted network activity.

potato44819 , Ars Legatus Legionis Jun 8, 2017 8:59 PM Popular

"Microsoft says that its own Windows Defender Advanced Threat Protection can even distinguish between legitimate uses of serial-over-LAN and illegitimate ones. But it's nonetheless a neat way of bypassing one of the more common protective measures that we depend on to detect and prevent unwanted network activity."

It's worth noting that this is NOT Windows Defender.

Windows Defender Advanced Threat Protection is an enterprise product.

aexcorp , Ars Scholae Palatinae Jun 8, 2017 9:04 PM Popular
This is pretty fascinating and clever TBH. AMT might be convenient for sysadmin, but it's proved to be a massive PITA from the security perspective. Intel needs to really reconsider its approach or drop it altogether.

"it's possible that the PLATINUM malware itself enabled AMT-if the malware has Administrator privileges, it can enable many AMT features from within Windows"

I've only had 1 machine that had AMT (a Thinkpad T500 that somehow still runs like a charm despite hitting the 10yrs mark this summer), and AMT was toggled directly via the BIOS (this is all pre-UEFI.) Would Admin privileges be able to overwrite a BIOS setting? Would it matter if it was handled via UEFI instead? 1810 posts | registered 8/28/2012

bothered , Ars Scholae Palatinae Jun 8, 2017 9:16 PM
Always on and undetectable. What more can you ask for? I have to imagine that an IDS system at the egress point would help here. 716 posts | registered 11/14/2012
faz , Ars Praefectus Jun 8, 2017 9:18 PM
Using SOL and AMT to bypass the OS sounds like it would work over SOL and IPMI as well.

I only have one server that supports AMT, I just double-checked that the webui for AMT does not allow you to enable/disable SOL. It does not, at least on my version. But my IPMI servers do allow someone to enable SOL from the web interface.

xxx, Jun 8, 2017 9:24 PM
But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit has a beachhead? That is not a small thing, but it would give us a way to gauge the severity of the threat.

Do people really admin a machine through AMT through an external firewall? 178 posts | registered 2/25/2016

zogus , Ars Tribunus Militum Jun 8, 2017 9:26 PM
fake-name wrote:

Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".

Just out of curiosity, what do you use on the PC end when you still do require traditional serial communication? USB-to-RS232 adapter? 1646 posts | registered 11/17/2006

bthylafh , Ars Tribunus Angusticlavius Jun 8, 2017 9:34 PM Popular
zogus wrote:
Just out of curiosity, what do you use on the PC end when you still do require traditional serial communication? USB-to-RS232 adapter?
tomca13 , Wise, Aged Ars Veteran Jun 8, 2017 9:53 PM
This PLATINUM group must be pissed about the INTEL-SA-00075 vulnerability being headline news. All those perfectly vulnerable systems having AMT disabled and limiting their hack. 175 posts | registered 8/9/2002
Darkness1231 , Ars Tribunus Militum et Subscriptor Jun 8, 2017 10:41 PM
Causality wrote:
Intel AMT is a fucking disaster from a security standpoint. It is utterly dependent on security through obscurity with its "secret" coding, and anybody should know that security through obscurity is no security at all.
Businesses demanded this technology and, of course, Intel beats the drum for it as well. While I understand their *original* concerns I would never, ever connect it to the outside LAN. A real admin, in jeans and a tee, is a much better solution.

Hopefully, either Intel will start looking into improving this and/or MSFT will make enough noise that businesses might learn to do their update, provisioning in a more secure manner.

Nah, that ain't happening. Who am I kidding? 1644 posts | registered 3/31/2012

Darkness1231 , Ars Tribunus Militum et Subscriptor Jun 8, 2017 10:45 PM
meta.x.gdb wrote:
But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit has a beachhead? That is not a small thing, but it would give us a way to gauge the severity of the threat. Do people really admin a machine through AMT through an external firewall?
The interconnect is via W*. We ran this dog into the ground last month. Other OSs (all as far as I know (okay, !MSDOS)) keep them separate. Lan0 and lan1 as it were. However it is possible to access the supposedly closed off Lan0/AMT via W*. Which is probably why this was caught in the first place.

Note that MSFT has stepped up to the plate here. This is much better than their traditional silence until forced solution. Which is just the same security through plugging your fingers in your ears that Intel is supporting. 1644 posts | registered 3/31/2012

rasheverak , Wise, Aged Ars Veteran Jun 8, 2017 11:05 PM
Hardly surprising: https://blog.invisiblethings.org/papers ... armful.pdf

This is why I adamantly refuse to use any processor with Intel management features on any of my personal systems. 160 posts | registered 3/6/2014

michaelar , Smack-Fu Master, in training Jun 8, 2017 11:12 PM
Brilliant. Also, manifestly evil.

Is there a word for that? Perhaps "bastardly"?

JDinKC , Smack-Fu Master, in training Jun 8, 2017 11:23 PM
meta.x.gdb wrote:
But do we know of an exploit over AMT? I wouldn't think any router firewall would allow packets bound for an AMT to go through. Is this just a mechanism to move within a LAN once an exploit has a beachhead? That is not a small thing, but it would give us a way to gauge the severity of the threat. Do people really admin a machine through AMT through an external firewall?
The catch would be any machine that leaves your network with AMT enabled. Say perhaps an AMT managed laptop plugged into a hotel wired network. While still a smaller attack surface, any cabled network an AMT computer is plugged into, and not managed by you, would be a source of concern. 55 posts | registered 11/19/2012
Anonymouspock , Wise, Aged Ars Veteran Jun 8, 2017 11:42 PM
Serial ports are great. They're so easy to drive that they work really early in the boot process. You can fix issues with machines that are otherwise impossible to debug.
sphigel , Ars Centurion Jun 9, 2017 12:57 AM
aexcorp wrote:
This is pretty fascinating and clever TBH. AMT might be convenient for sysadmin, but it's proved to be a massive PITA from the security perspective. Intel needs to really reconsider its approach or drop it altogether.

"it's possible that the PLATINUM malware itself enabled AMT-if the malware has Administrator privileges, it can enable many AMT features from within Windows"

I've only had 1 machine that had AMT (a Thinkpad T500 that somehow still runs like a charm despite hitting the 10yrs mark this summer), and AMT was toggled directly via the BIOS (this is all pre-UEFI.) Would Admin privileges be able to overwrite a BIOS setting? Would it matter if it was handled via UEFI instead?

I'm not even sure it's THAT convenient for sys admins. I'm one of a couple hundred sys admins at a large organization and none that I've talked with actually use Intel's AMT feature. We have an enterprise KVM (raritan) that we use to access servers pre OS boot up and if we have a desktop that we can't remote into after sending a WoL packet then it's time to just hunt down the desktop physically. If you're just pushing out a new image to a desktop you can do that remotely via SCCM with no local KVM access necessary. I'm sure there's some sys admins that make use of AMT but I wouldn't be surprised if the numbers were quite small. 273 posts | registered 5/5/2010
gigaplex , Ars Scholae Palatinae Jun 9, 2017 3:53 AM
zogus wrote:
fake-name wrote:

Hi there! I do hardware engineering, and I wish more computers had serial ports. Just because you don't use them doesn't mean their disappearance is "fortunate".

Just out of curiosity, what do you use on the PC end when you still do require traditional serial communication? USB-to-RS232 adapter?
We just got some new Dell workstations at work recently. They have serial ports. We avoid the consumer machines. 728 posts | registered 9/23/2011

GekkePrutser , Ars Centurion Jun 9, 2017 4:18 AM
Quote:
Physical serial ports (the blue ones) are fortunately a relic of a lost era and are nowadays quite rare to find on PCs.
Not that fortunately.. Serial ports are still very useful for management tasks. It's simple and it works when everything else fails. The low speeds impose little restrictions on cables.

Sure, they don't have much security but that is partly mitigated by them usually only using a few metres cable length. So they'd be covered under the same physical security as the server itself. Making this into a LAN protocol without any additional security, that's where the problem was introduced. Wherever long-distance lines were involved (modems) the security was added at the application level.

[Jun 01, 2017] CVE-2017-1000367: Bug in sudo's get_process_ttyname. Most Linux distributions are affected

Jun 01, 2017 | www.cyberciti.biz

There is a serious vulnerability in the sudo command that grants root access to anyone with a shell account. It works on SELinux-enabled systems such as CentOS/RHEL and others too. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges to root. Patch your system as soon as possible.

It was discovered that Sudo did not properly parse the contents of /proc/[pid]/stat when attempting to determine its controlling tty. A local attacker in some configurations could possibly use this to overwrite any file on the filesystem, bypassing intended permissions or gain root shell.

... ... ...

A list of affected Linux distros:
  1. Red Hat Enterprise Linux 6 (sudo)
  2. Red Hat Enterprise Linux 7 (sudo)
  3. Red Hat Enterprise Linux Server (v. 5 ELS) (sudo)
  4. Oracle Enterprise Linux 6
  5. Oracle Enterprise Linux 7
  6. Oracle Enterprise Linux Server 5
  7. CentOS Linux 6 (sudo)
  8. CentOS Linux 7 (sudo)
  9. Debian wheezy
  10. Debian jessie
  11. Debian stretch
  12. Debian sid
  13. Ubuntu 17.04
  14. Ubuntu 16.10
  15. Ubuntu 16.04 LTS
  16. Ubuntu 14.04 LTS
  17. SUSE Linux Enterprise Software Development Kit 12-SP2
  18. SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
  19. SUSE Linux Enterprise Server 12-SP2
  20. SUSE Linux Enterprise Desktop 12-SP2
  21. OpenSuse, Slackware, and Gentoo Linux
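The parsing pitfall the advisory describes, as an added example that is not sudo's code: field 2 of /proc/[pid]/stat is the command name in parentheses and, per proc(5), may contain spaces and parentheses, so splitting the whole line on whitespace misnumbers every later field, tty_nr (field 7) included. The stat lines below are constructed, not captured from a real system.

```python
"""Reading the controlling tty from /proc/[pid]/stat without the pitfall
behind CVE-2017-1000367.

Added example; it is not sudo's code. The robust reader locates the last
')' first and only then splits the remainder into the fixed fields that
proc(5) documents.
"""
import os

# After the ")" closing comm, the fields are: state ppid pgrp session tty_nr
# ..., so tty_nr is index 4 of the remainder (field 7 of the whole line).
TTY_NR_AFTER_COMM = 4


def tty_nr_naive(stat_line):
    """Whitespace split: correct only while comm contains no spaces."""
    return int(stat_line.split()[6])


def tty_nr_robust(stat_line):
    """Anchor on the last ')' so an unusual comm cannot shift the fields."""
    first, close = stat_line.find("("), stat_line.rfind(")")
    if first < 0 or close < 0 or first > close:
        raise ValueError("malformed stat line")
    fields = stat_line[close + 1:].split()
    return int(fields[TTY_NR_AFTER_COMM])


def tty_major_minor(tty_nr):
    """Decode tty_nr into (major, minor) as documented in proc(5)."""
    major = (tty_nr >> 8) & 0xFFF
    minor = (tty_nr & 0xFF) | ((tty_nr >> 12) & 0xFFF00)
    return major, minor


def current_tty_nr():
    """tty_nr of this process (Linux only); 0 means no controlling tty."""
    with open(f"/proc/{os.getpid()}/stat") as f:
        return tty_nr_robust(f.read())


# Constructed sample lines; tty_nr 34816 is major 136, minor 0 (/dev/pts/0).
NORMAL_STAT = ("1234 (sudo) S 1000 1234 1200 34816 1234 4194560 120 0 0 0 "
               "1 0 0 0 20 0 1 0 98765 12345678 500")
# Same process data, but comm contains a space: the naive split now returns
# the session id (1200) where it expects tty_nr.
ODD_STAT = ("1234 (my tool) S 1000 1234 1200 34816 1234 4194560 120 0 0 0 "
            "1 0 0 0 20 0 1 0 98765 12345678 500")

if __name__ == "__main__":
    for label, line in (("plain comm", NORMAL_STAT), ("comm with space", ODD_STAT)):
        print(f"{label}: naive={tty_nr_naive(line)} robust={tty_nr_robust(line)}")
```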

[May 19, 2017] Google Found Over 1,000 Bugs In 47 Open Source Projects

May 14, 2017 | it.slashdot.org (helpnetsecurity.com)

Posted by EditorDavid on Saturday May 13, 2017 @11:34AM

Orome1 writes: In the last five months, Google's OSS-Fuzz program has unearthed over 1,000 bugs in 47 open source software projects ...

So far, OSS-Fuzz has found a total of 264 potential security vulnerabilities: 7 in Wireshark, 33 in LibreOffice, 8 in SQLite 3, 17 in FFmpeg -- and the list goes on...

Google launched the program in December and wants more open source projects to participate, so they're offering cash rewards for including "fuzz" targets for testing in their software.

"Eligible projects will receive $1,000 for initial integration, and up to $20,000 for ideal integration" -- or twice that amount, if the proceeds are donated to a charity.

[Jan 26, 2017] Penguins force-fed root: Cruel security flaw found in systemd v228

theregister.co.uk
Some Linux distros will need to be updated following the discovery of an easily exploitable flaw in a core system management component.

The CVE-2016-10156 security hole in systemd v228 opens the door to privilege escalation attacks, creating a means for hackers to root systems locally if not across the internet. The vulnerability is fixed in systemd v229.

Essentially, it is possible to create world-readable, world-writeable setuid executable files that are root owned by setting all the mode bits in a call to touch(). The systemd changelog for the fix reads:

basic: fix touch() creating files with 07777 mode

mode_t is unsigned, so MODE_INVALID < 0 can never be true.

This fixes a possible [denial of service] where any user could fill /run by writing to a world-writable /run/systemd/show-status.

However, as pointed out by security researcher Sebastian Krahmer, the flaw is worse than a denial-of-service vulnerability – it can be exploited by a malicious program or logged-in user to gain administrator access: "Mode 07777 also contains the suid bit, so files created by touch() are world writable suids, root owned."

The security bug was quietly fixed in January 2016 back when it was thought to pose only a system-crashing risk. Now the programming blunder has been upgraded this week following a reevaluation of its severity. The bug now weighs in at a CVSS score of 7.2, towards the top end of the 1-10 scale.

It's a local root exploit, so it requires access to the system in question to exploit, but it pretty much boils down to "create a powerful file in a certain way, and gain root on the server." It's trivial to pull off.

"Newer" versions of systemd deployed by Fedora or Ubuntu have been secured, but Debian systems are still running an older version and therefore need updating.

systemd is a suite of building blocks for Linux systems that provides system and service management. Security specialists view it with suspicion, and complaints about function creep are not uncommon.
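Two checks a practitioner would want after reading the above, as an added example (not from The Register article or from the systemd project): first, the mode arithmetic that explains why the process umask does not rescue you when 07777 reaches open(), and second, a finder for the artifact this bug leaves behind, a regular file that is both setuid and world-writable. The function names and the directory arguments are assumptions made for the example.

```shell
# Compute the mode a file gets when open(O_CREAT) is called with the requested
# mode REQ while the process umask is UMASK (both given as octal strings).
# open() masks the mode with ~umask, but the umask only ever strips rwx bits,
# so the setuid, setgid and sticky bits in 07777 survive: 07777 & ~022 = 07755.
effective_mode() {
    printf '%o\n' $(( $1 & ~$2 ))
}

# List regular files under DIR (default /) that carry both the setuid bit and
# world write permission. find's "-perm -4002" matches only when every bit in
# 4002 (S_ISUID | S_IWOTH) is set, which is exactly the dangerous combination.
# -xdev keeps the walk on one filesystem so /proc and network mounts are skipped.
find_ww_setuid() {
    find "${1:-/}" -xdev -type f -perm -4002 2>/dev/null
}

# Same check, restricted to root-owned files: those are the ones worth paging
# someone about, because anyone who can write to a root-owned setuid file can
# replace its contents and run them as root.
find_root_ww_setuid() {
    find "${1:-/}" -xdev -type f -user root -perm -4002 2>/dev/null
}

# Usage (as root, to see everything):
#   find_root_ww_setuid /run
#   effective_mode 07777 022
```

The finder is a cleanup aid, not a fix: the fix is systemd v229 or a backported patch. Run it after patching, since a file created while the bug was live stays on disk until something removes it.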

[Aug 30, 2015] This article [with the critique of systemd] is more full of bullshit than a bull stable .... with shit in it

Notable quotes:
"... the comments from Microsoft fans/paid-for-shills in other forums. They tend to attack anyone not accepting things imposed on them. ..."
Aug 30, 2015 | blog.erratasec.com
Stefan Anica said...
This article is more full of bullshit than a bull stable .... with shit in it.

Don il said...

BTW, comments such as the following:

"This article is more full of bullshit than a bull stable .... with shit in it."

bring to my mind all the comments from Microsoft fans/paid-for-shills in other forums. They tend to attack anyone not accepting things imposed on them.

[Oct 03, 2014] Everything you need to know about the Shellshock Bash bug

September 25, 2014 | troyhunt.com
Remember Heartbleed? If you believe the hype today, Shellshock is in that league and with an equally awesome name albeit bereft of a cool logo (someone in the marketing department of these vulns needs to get on that). But in all seriousness, it does have the potential to be a biggie and as I did with Heartbleed, I wanted to put together something definitive both for me to get to grips with the situation and for others to dissect the hype from the true underlying risk.

To set the scene, let me share some content from Robert Graham's blog post; he has been doing some excellent analysis on this. Imagine a scan (this is Graham's masscan configuration) that sends every host an HTTP request carrying headers like these:

target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
http-header = Cookie:() { :; }; ping -c 3 209.126.230.74
http-header = Host:() { :; }; ping -c 3 209.126.230.74
http-header = Referer:() { :; }; ping -c 3 209.126.230.74

Which, when issued against a range of IP addresses, makes every vulnerable host send three pings back to 209.126.230.74 (the screenshot of those pings arriving is not reproduced here):

[Oct 03, 2014] Shellshock (software bug)

en.wikipedia.org

Analysis of the source code history of Bash shows that the vulnerabilities had existed undiscovered since approximately version 1.13 in 1992.[4] The maintainers of the Bash source code have difficulty pinpointing the time of introduction due to the lack of comprehensive changelogs.[1]

In Unix-based operating systems, and in other operating systems that Bash supports, each running program has its own list of name/value pairs called environment variables. When one program starts another program, it provides an initial list of environment variables for the new program.[14] Separately from these, Bash also maintains an internal list of functions, which are named scripts that can be executed from within the program.[15] Since Bash operates both as a command interpreter and as a command, it is possible to execute Bash from within itself. When this happens, the original instance can export environment variables and function definitions into the new instance.[16] Function definitions are exported by encoding them within the environment variable list as variables whose values begin with parentheses ("()") followed by a function definition. The new instance of Bash, upon starting, scans its environment variable list for values in this format and converts them back into internal functions. It performs this conversion by creating a fragment of code from the value and executing it, thereby creating the function "on-the-fly". Affected versions do not stop at the end of the function definition: the whole value goes through the parser, so any commands appended after the closing brace are executed as well.[17] Therefore, given the opportunity to execute Bash with a chosen value in its environment variable list, an attacker can execute arbitrary commands or exploit other bugs that may exist in Bash's command interpreter.

The name "shellshock" is attributed to Andreas Lindh, from a tweet on 24 September 2014.[18]

On 1 October, Zalewski released details of the final two bugs (CVE-2014-6277 and CVE-2014-6278) and confirmed that Florian Weimer's patch does indeed prevent them.

CGI-based web server attack

When a web server uses the Common Gateway Interface (CGI) to handle a document request, it passes various details of the request to a handler program in the environment variable list. For example, the variable HTTP_USER_AGENT has a value that, in normal usage, identifies the program sending the request. If the request handler is a Bash script, or if it executes one, for example via the system(3) call, Bash will receive the environment variables passed by the server and will process them as described above. (system(3) runs /bin/sh, so that path only matters where /bin/sh is Bash, as on Red Hat-derived systems; on Debian and Ubuntu /bin/sh is dash, and the handler has to invoke Bash itself.) This provides a means for an attacker to trigger the Shellshock vulnerability with a specially crafted server request.[4] The security documentation for the widely used Apache web server states: "CGI scripts can ... be extremely dangerous if they are not carefully checked."[20] and other methods of handling web server requests are often used. There are a number of online services which attempt to test the vulnerability against web servers exposed to the Internet.
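The header-to-environment plumbing described above is what makes the request-level "() {" signature filter (the one the Red Hat FAQ on this page discusses) work. The following is an added example, not code from Wikipedia or from any web server: it reads raw request header lines, applies the CGI meta-variable naming rule (RFC 3875: upper-case, "-" becomes "_", HTTP_ prefix, with Content-Type and Content-Length as the two unprefixed exceptions) and prints the variable each payload would land in. The match is anchored to the start of the value because affected Bash versions only import a variable whose value begins with exactly "() {"; a looser filter still catches the same payloads but with more false positives. The sample request in the test is constructed, and the 203.0.113.0/24 address is a documentation range.

```shell
# Read HTTP request header lines on stdin. For every header whose value
# starts with the function-export prefix "() {" print the name of the CGI
# environment variable a server would create from it, one per line.
# Lines that do not look like "Name: value" (the request line, the blank
# line, body data) are ignored, and CRLF line endings are tolerated.
shellshock_headers() {
    awk '
        { sub(/\r$/, "") }                          # strip CR from CRLF
        /^[A-Za-z0-9-]+:[ \t]*[(][)] [{]/ {         # value begins with "() {"
            name = toupper(substr($0, 1, index($0, ":") - 1))
            gsub(/-/, "_", name)                     # User-Agent -> USER_AGENT
            if (name != "CONTENT_TYPE" && name != "CONTENT_LENGTH")
                name = "HTTP_" name                  # RFC 3875 prefix rule
            print name
        }'
}

# Usage: pipe a captured request into it, e.g.
#   shellshock_headers < request.txt
# Anything printed is a header a CGI handler would have received as an
# exported-function candidate; on an unpatched Bash that is a code-execution path.
```

Because every header becomes an environment variable, the filter has to cover all of them, not just User-Agent: Cookie, Referer and Host were the ones used by the scan shown earlier on this page, and a custom header works just as well.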

SSH server example

OpenSSH has a "ForceCommand" feature, where a fixed command is executed when the user logs in, instead of an unrestricted command shell. The fixed command is executed even if the user asked for another command; in that case the requested command is put into the environment variable SSH_ORIGINAL_COMMAND. When the forced command is run by a Bash shell (that is, when the user's login shell is Bash), Bash parses SSH_ORIGINAL_COMMAND on start-up and runs the commands embedded in it. A user who was meant to have only the forced command can thus use the Shellshock bug to obtain an unrestricted shell.[21]

DHCP example

Some DHCP clients hand the options they receive to a hook script through environment variables (ISC dhclient's dhclient-script, for example), so a vulnerable system can be attacked simply by connecting to an open Wi-Fi network. A DHCP client typically requests and gets an IP address from a DHCP server, but it can also be provided a series of additional options. A malicious DHCP server could provide, in one of these options, a string crafted to execute code on a vulnerable workstation or laptop.[9]

Note of offline system vulnerability

The bug can also affect machines that are not directly connected to the Internet: any processing in which untrusted input ends up in an environment variable of a process that runs Bash (offline handling of received files, for instance) is exposed.

Initial report (CVE-2014-6271)

This original form of the vulnerability involves a specially crafted environment variable containing an exported function definition, followed by arbitrary commands. Bash incorrectly executes the trailing commands when it imports the function.[22] The vulnerability can be tested with the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

In systems affected by the vulnerability, the above commands will display the word "vulnerable" as a result of Bash executing the command "echo vulnerable", which was embedded into the specially crafted environment variable named "x".[23][24]

There was an initial report of the bug made to the maintainers of Bash (assigned CVE-2014-6271). The bug was corrected with a patch to the program. However, after the release of the patch there were subsequent reports of different, yet related vulnerabilities. On 26 September 2014, two open-source contributors, David A. Wheeler and Norihiro Tanaka, noted that there were additional issues, even after patching systems using the most recently available patches. In an email addressed to the oss-sec list and the bash bug list, Wheeler wrote: "This patch just continues the 'whack-a-mole' job of fixing parsing errors that began with the first patch. Bash's parser is certain [to] have many many many other vulnerabilities".[25]
On 27 September 2014, Michal Zalewski announced his discovery of several other Bash vulnerabilities,[26] one based upon the fact that Bash is typically compiled without address space layout randomization.[27] Zalewski also strongly encouraged all concerned to immediately apply a patch made available by Florian Weimer.[26][27]

CVE-2014-6277

CVE-2014-6277 relates to the parsing of function definitions in environment variables by Bash. It was discovered by Michał Zalewski.[26][27][28][29]

The following value, when imported as an exported function, crashes Bash with a segmentation fault:

() { x() { _; }; x() { _; } <<a; }

CVE-2014-6278

CVE-2014-6278 relates to the parsing of function definitions in environment variables by Bash. It was discovered by Michał Zalewski.[30][29] Unlike CVE-2014-6277 this is not merely a crash: the command list after the redirection ("echo hi mom; id") runs at import time, so it is a second code-execution path that survived the first two patches.

() { _; } >_[$($())] { echo hi mom; id; }

CVE-2014-7169

On the same day the bug was published, Tavis Ormandy discovered a related bug which was assigned the CVE identifier CVE-2014-7169.[21] Official and distributed patches for this began to be released on 26 September 2014. It is demonstrated by the following command:

env X='() { (a)=>\' sh -c "echo date"; cat echo

which would trigger a bug in Bash to execute the command "date" unintentionally. This would become CVE-2014-7169.[21]

Testing example

Here is an example of a system that has a patch for CVE-2014-6271 but not CVE-2014-7169:

$ X='() { (a)=>\' bash -c "echo date"
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
$ cat echo
Fri Sep 26 01:37:16 UTC 2014

The patched system displays the same error, notifying the user that CVE-2014-6271 has been prevented. However, the attack still causes a file named 'echo' to be written into the working directory, containing the result of the 'date' call. The existence of this issue resulted in the creation of CVE-2014-7169 and the release of patches for several systems.

A system patched for both CVE-2014-6271 and CVE-2014-7169 will simply echo the word "date" and the file "echo" will not be created.

$ X='() { (a)=>\' bash -c "echo date"
date
$ cat echo
cat: echo: No such file or directory

CVE-2014-7186

CVE-2014-7186 relates to an out-of-bounds memory access error in the Bash parser code.[31] While working on patching Shellshock, Red Hat researcher Florian Weimer found this bug.[23]

Testing example

Here is an example of the vulnerability, which leverages the use of multiple "<<EOF" declarations:

bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||
echo "CVE-2014-7186 vulnerable, redir_stack"

A vulnerable system will echo the text "CVE-2014-7186 vulnerable, redir_stack".

CVE-2014-7187

CVE-2014-7187 relates to an off-by-one error, allowing out-of-bounds memory access, in the Bash parser code.[32] While working on patching Shellshock, Red Hat researcher Florian Weimer found this bug.[23]

Testing example

Here is an example of the vulnerability, which leverages the use of multiple "done" declarations:

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
echo "CVE-2014-7187 vulnerable, word_lineno"

A vulnerable system will echo the text "CVE-2014-7187 vulnerable, word_lineno".
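The individual test commands above (the CVE-2014-6271 one-liner and the CVE-2014-7169, -6277, -6278, -7186 and -7187 checks) are easiest to use when run together against one specific Bash binary, since a box may have several (a vendor /bin/bash and a self-built one under /usr/local, say). The following is an added example, not a test from Wikipedia or from the Bash maintainers; it is POSIX sh and takes the path of the Bash to probe as an argument. The function name is an assumption. Two caveats: the CVE-2014-7169 probe writes a file literally named "echo", so it runs in a scratch directory; and a Bash new enough to export functions under the BASH_FUNC_name%% encoding never even looks at a plain "x=() { ..." variable, so it passes these probes by construction. A clean result therefore means "not exploitable through the legacy import path", not "free of parser bugs" (recall Wheeler's whack-a-mole remark).

```shell
# Probe one bash binary with the public Shellshock test cases. Prints the CVE
# identifier of every test it fails, one per line. Returns 0 when all pass,
# 1 when at least one fails, 2 when the binary cannot be executed.
shellshock_check() {
    bash_bin=${1:-bash}
    vuln=""

    if ! "$bash_bin" -c : >/dev/null 2>&1; then
        return 2
    fi
    tmpd=$(mktemp -d) || return 2

    # CVE-2014-6271: commands appended after an exported function body run at import.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null || true)
    case $out in *vulnerable*) vuln="$vuln CVE-2014-6271" ;; esac

    # CVE-2014-7169: leftover parser state turns the next word into a redirection,
    # so "echo date" becomes ">echo date" and a file named "echo" appears in the cwd.
    (cd "$tmpd" && env X='() { (a)=>\' "$bash_bin" -c 'echo date') >/dev/null 2>&1 || true
    if [ -e "$tmpd/echo" ]; then vuln="$vuln CVE-2014-7169"; fi

    # CVE-2014-6277: nested definition plus here-document crashes the parser.
    # An exit status of 128+N means the process died from signal N (SIGSEGV = 11).
    env x='() { x() { _; }; x() { _; } <<a; }' "$bash_bin" -c : >/dev/null 2>&1 && rc=0 || rc=$?
    if [ "$rc" -ge 128 ]; then vuln="$vuln CVE-2014-6277"; fi

    # CVE-2014-6278: the command list after the redirection runs at import time.
    out=$(env x='() { _; } >_[$($())] { echo hi mom; id; }' "$bash_bin" -c : 2>/dev/null || true)
    case $out in *"hi mom"*) vuln="$vuln CVE-2014-6278" ;; esac

    # CVE-2014-7186: 14 stacked here-documents overflow redir_stack. A fixed bash
    # only warns about the unterminated here-documents and exits 0.
    if ! "$bash_bin" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1; then
        vuln="$vuln CVE-2014-7186"
    fi

    # CVE-2014-7187: 200 nested "for" loops trip the off-by-one in word_lineno.
    # Written with while loops instead of {1..200} so this file stays POSIX sh.
    if ! { i=1; while [ "$i" -le 200 ]; do echo "for x$i in ; do :"; i=$((i + 1)); done
           i=1; while [ "$i" -le 200 ]; do echo done; i=$((i + 1)); done; } | "$bash_bin" >/dev/null 2>&1; then
        vuln="$vuln CVE-2014-7187"
    fi

    rm -rf "$tmpd"
    for cve in $vuln; do echo "$cve"; done
    [ -z "$vuln" ]
}

# Usage:
#   shellshock_check /bin/bash && echo "/bin/bash passes the public tests"
#   shellshock_check /usr/local/bin/bash
```

Run it against every Bash on the host, not just the one in PATH: the copy a web server, cron job or DHCP hook actually executes is the one that matters.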

Frequently Asked Questions about the Shellshock Bash flaws

Sep 26, 2014 | securityblog.redhat.com

Why are there four CVE assignments?

The original flaw in Bash was assigned CVE-2014-6271. Shortly after that issue went public a researcher found a similar flaw that wasn't blocked by the first fix and this was assigned CVE-2014-7169. Later, Red Hat Product Security researcher Florian Weimer found additional problems and they were assigned CVE-2014-7186 and CVE-2014-7187. It's possible that other issues will be found in the future and assigned a CVE designator even if they are blocked by the existing patches.

... ... ...

Why is Red Hat using a different patch than others?

Our patch addresses the CVE-2014-7169 issue in a much better way than the upstream patch; we wanted to make sure the issue was properly dealt with.

I have deployed web application filters to block CVE-2014-6271. Are these filters also effective against the subsequent flaws?

If configured properly and applied to all relevant places (every header and request element that ends up in an environment variable), the "() {" signature will work against these additional flaws as well, because all of them start from the same exported-function prefix.

Does SELinux help protect against this flaw?

SELinux can help reduce the impact of some of the exploits for this issue. SELinux guru Dan Walsh has written about this in depth in his blog.

Are you aware of any new ways to exploit this issue?

Within a few hours of the first issue being public (CVE-2014-6271), various exploits were seen live, they attacked the services we identified at risk in our first post:

We did not see any exploits which were targeted at servers which had the first issue fixed, but were affected by the second issue. We are currently not aware of any exploits which target bash packages which have both CVE patches applied.

Why wasn't this flaw noticed sooner?

The flaws in Bash were in a quite obscure feature that was rarely used; it is not surprising that this code had not been given much attention. When the first flaw was discovered it was reported responsibly to vendors who worked over a period of under 2 weeks to address the issue.
