The Thin Indictment against Behzad Mesri

/in /by

I have long cautioned against DOJ’s increasingly frequent practice of indicting hackers from other states as some kind of nation-state escalation. Once we normalize that practice, our own nation-state hackers risk a whole lot of new challenges in retaliation.

But at least for the prior cases, DOJ has shown evidence the substantiate its claims. When, in 2014, DOJ indicted some People’s Liberation Army hackers for spying on the negotiations (and, in just one case, stealing IP) from US entities including the Steelworkers, the indictment described the subject lines of phishing emails, the dates malware was implanted, the file names, the computer hostnames, and the command and control domain names used.

When, in 2016, DOJ indicted some Iranians for DDOS attacks on some banks, the described what roles each hacker played, though, they did not substantiate the claim that the hacking groups, Mersad, “performed work on behalf of the Iranian Government, including the Islamic Revolutionary Guard Corps.”

The indictment against two FSB officers and two criminal hackers for pwning Yahoo earlier this year was remarkably detailed, going so far as describing communications between the two FSB officers. It provided a screenshot of the cookie manager used to access a Yahoo engineer’s account. It described a long list of victims both within and outside Russia. It listed the dates on which the hackers had shared passwords of victims and provided the transfer details for payments.

It is admittedly possible DOJ provided so many details because the two FSB officers had already been arrested for treason by the time of the indictment.

When, later this year, DOJ indicted Yu Pingan, who reportedly had a role in the OPM hack but who was indicted in conjunction with some compromises of defense contractors, it described the actual dates of compromise, named the exploit, tied Yu and his co-conspirators to domain names used in the hacks, listed those domain IPs, and then used intercepted communications to tie him to his co-conspirators.

Of course, with both Yu (who was picked up while he visited the US for a conference) and Yahoo defendant Karim Baratov who has since been extradited from Canada and appears to be cooperating), there will be an actual prosecution, which explains why DOJ included so much more detail.

But the indictment against Behzad Mesri, an Iranian DOJ today accused of hacking HBO, includes very little meaningful detail.

The indictment foregrounds, in the first paragraph, claims about Mesri’s past ties to the Iranian state, though it never substantiates that claim.

MESRI as a self-proclaimed expert in computer hacking techniques, and had worked on behalf of the Iranian military to conduct computer network attacks that targeted military systems, nuclear software systems, and Israeli infrastructure.

The actual details proving Mesri’s role in the the attack are far less detailed. While it provides the general timeline of the compromise (May through July), it doesn’t show evidence it knows which accounts got compromised (though it does list the shows that got stolen). It also doesn’t tie Mesri to the pseudonym, Mr. Smith, publicly used by the hackers who released HBO’s files.

Significantly, the most detailed part of the indictment, which describes the extortion, repeatedly describes messages sent from an anonymous email, without tying those emails to Mesri beyond an introductory paragraph alleging he sent them. It asserts Mesri sent emails publicizing his acts — and includes the graphic he included, which made a nice graphic for mainstream reports of the indictment — but doesn’t provide much detail of that, either.

None of that’s to say DOJ doesn’t have the evidence to support this indictment. It just says they seem to have no reason to present it. And why should they? Given that Mesri is almost certainly not going to be extradited, this case will never go to trial.

The thin details here support the reporting from WaPo that DOJ has been pushing prosecutors to unseal indictments in cases against Iranians to support bringing more pressure on the regime.

[T]he HBO case is one of several that senior officials would like to unseal in coming weeks. The push to announce Iran-related cases has caused internal alarm, according to people familiar with the discussions, with some law enforcement officials fearing that senior Justice Department officials want to reveal the cases because the Trump administration wants Congress to impose new sanctions on Iran.

A series of criminal cases could increase pressure on lawmakers to act, these people said.

Asked about that report, [Acting SDNY US Attorney Joon] Kim did not give a direct answer, saying he decided to unseal the charges in the HBO hacking case before the story published. He did acknowledge the short amount of time it took to unseal the charges was unusual for such a case but said that was because of the FBI’s exemplary investigative work.

It may be great investigative work. Perhaps, too, DOJ is just trying to hide any sources and methods that will never need to be disclosed in a trial. But treating this indictment any differently than any other one, particularly than ones that DOJ knows will have to face adversarial challenge, threatens to politicize claims that already carry the potential for international backlash.

By all means, let’s pursue international hackers, and where they have real current ties to their state, lay out that tie. But don’t turn hacking indictments into spectacle to serve larger political whims, because it will diminish the value of other DOJ claims on hacking.

Kaspersky’s Carrot-and-Stick TAO Compromise Incident Report

/32 Comments/in , /by

Last week, Kaspersky released its investigation into the reported collection of NSA hacking tools off an employee’s computer. Kim Zetter did an excellent story on it, so read that for analysis of what the report said.

The short version, though, is that Kaspersky identified a computer in the Baltimore, MD area that was sending a whole slew of alerts in response to a silent signature for Equation Group software from September to November 2014 — a year earlier than the leaked reports about the incident claimed the compromise had happened. Kaspersky pulled in an archive including those signatures as well as some associated files in the normal course of collecting analysis (and, according to Zetter, did not pull other archives of malware also associated with the machine). Kaspersky IDed it as irregular, and — so they’re claiming — the analyst who found it told Eugene Kaspersky (referred to throughout in the third person “CEO” here), who told told the analyst to destroy the source code and related documents immediately. The report claims Kaspersky subsequently instituted a policy mandating such destruction going forward.

As Zetter notes, the timing of events gets awfully murky about when the file got destroyed and the new destruction policy was instituted.

The company didn’t respond to questions about when precisely it instituted this policy, nor did it provide a written copy of the distributed policy before publication of this article.

Meanwhile, during the same period this machine was sending out all the Equation Group alerts, someone hacked it.

It appears the system was actually compromised by a malicious actor on October 4, 2014 at 23:38 local time,

The report explains this compromise at length, providing (in addition to the precise time), the C&C server URL, a list of 121 other virus signatures found on the machine during the period the Equation Group signatures were alerting. It also links to Kaspersky’s analysis of the backdoor in question, which was developed by Russian criminal hackers.

“It looks like a huge disaster the way it happened with running all this malware on his machine. It’s almost unbelievable,” [Zetter quotes Kaspersky’s director of the company’s Global Research and Analysis Team Costin Raiu].

Thus far, consider what this report does: it makes it clear that Kaspersky has far more detail about the compromise than the anonymous sources leaking to the press are willing to share (all the time with Eugene Kaspersky inviting them to provide more details). It elaborates on the story it had already shared about who the likely culprit was to have stolen and used the files. And it suggests (though I’m not sure I believe it), that it’s entirely the fault of the hacker who turned off Kaspersky’s AV in order to run a pirated copy of Windows Office.

That’s the carrot. Here, Kaspersky is saying, we’ve figured out who stole those files your idiot developer loaded onto his malware-riddled computer. Go get them. Free incident response, three years after the fact!

But it’s the stick I’m just as interested in.

First, as part of its explanation of the process Kaspersky used to hone in on the incident, the report includes a list of hits and false positives on NSA signatures just from September 2014 — effectively providing a list of (dated) malware signatures. While the report notes many of these alerts are false positives, Kaspersky is nevertheless saying, here’s a list of all the victims of your spying we identified for just one month out of the 40 months we just analyzed. Presumably, the hits after September 2014 would have come to include far more true victims.

Then, the report provides a list of all the Equation Group signatures found on the TAO engineers’ computer, providing a snapshot of what one person might work on, a snapshot that would provide useful for those trying to understand NSA’s work patterns.

Even while it provides lists of signatures that will provide others some insight into NSA activity, the report makes a grand show of concern for privacy, redacting the name of the archive as [undisclosed] and including a discussion about how it could have — but chose not to — include the complete file paths of the archive.

Looking at this metadata during current investigation we were tempted to include the full list of detected files and file paths into current report, however, according to our ethical standards, as well as internal policies, we cannot violate our users’ privacy. This was a hard decision, but should we make an exception once, even for the sake of protecting our own company’s reputation, that would be a step on the route of giving up privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.

Mind you, FSB is the “higher legal authority” in Russia for such things.

Then, in the guise of claiming how little information Kaspersky has on the individual behind all this, the report makes it clear it retains his IP, from which they could reconstitute his identity.

Q3 – Who was this person?

A3 – Because our software anonymizes certain aspects of users’ information, we are unable to pinpoint specifically who the user was. Even if we could, disclosing such information is against our policies and ethical standards. What we can determine is that the user was originating from an IP address that is supposedly assigned to a Verizon FiOS address pool for the Baltimore, MD and surrounding area.

In short, along with providing a detailed description of what likely happened — the hacker got pwned by someone else — Kaspersky lays out all the information on NSA’s hacking activities that it could, if it so chose, make public: who NSA hacked when, who the developer in question is, and more details on how the NSA develops its tools.

But (in the interest of privacy, you understand?) Kaspersky’s not going to do that unless some higher authority forces it to.

Of course, Kaspersky’s collection of all that data on NSA’s hacking is undoubtedly one of the reasons the NSA would prefer it not exist.

A carrot, and a stick.

At the end of her piece, Zetter quotes Rob Joyce laying out the more modest attack on Kaspersky (this stuff shouldn’t be run on sensitive government computers, which it shouldn’t), even while admitting that other AV products have the same privileged access to collect such information on users.

Asked about Kaspersky’s discovery of multiple malware samples on the NSA worker’s home computer, Rob Joyce, the Trump administration’s top cybersecurity adviser who was head of the NSA’s elite hacking division when the TAO worker took the NSA files home and put them on his work computer, declined to respond to Kaspersky’s findings but reiterated the government’s contention that Kaspersky software should be banned from government computers.

“Kaspersky as an entity is a rootkit you run on a computer,” he told Motherboard, using the technical term for stealth and persistent malware that has privileged access to all files on a machine.

He acknowledged that software made by other antivirus companies has the same potential for misuse Kaspersky has but said, Kaspersky is “a Russian company subjected to FSB control and law, and the US government is not comfortable accepting that risk on our networks.”

We shall see if this report serves to halt all the (inaccurate at least with respect to timing, if this report is to be believed) leaks to the press or even the other attacks on Kaspersky.

All that said, there are two parts of this story that still don’t make sense.

First, I share Zetter’s apparent skepticism about the timing of the decision to destroy the source code, which the report describes this way:

Upon further inquiring about this event and missing files, it was later discovered that at the direction of the CEO, the archive file, named “[undisclosed].7z” was removed from storage. Based on description from the analyst working on that archive, it contained a collection of executable modules, four documents bearing classification markings, and other files related to the same project. The reason we deleted those files and will delete similar ones in the future is two-fold; We don’t need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not [note this typo] consumed even to produce detection signatures based on descriptions.

This concern was later translated into a policy for all malware analysts which are required to delete any potential classified materials that have been accidentally collected during anti-malware research or received from a third party. Again to restate: to the best of our knowledge, it appears the archive files and documents were removed from our storage, and only individual executable files (malware) that were already detected by our signatures were left in storage.

The key sentence — “it was later discovered … the archive file … was removed” — is a master use of the passive voice. And unlike all the other things for which the report offers affirmative data, the data offered here is the absence of data. “It appears” that the archive is no longer in storage, without any details about when it got removed. The report is also silent about whether any of these events — the removal and claimed destruction and the institution of a new policy to destroy such things going forward — were a response to the Duqu 2 hack discovering such files, as well as the one silent signature integrating the word “secret” described elsewhere in the report, on Kaspersky’s servers.

Then there’s the implausibility of an NSA developer 1) running Kaspersky then 2) turning it off 3) to load a bunch of malware onto his computer in the guise of loading a pirated copy of Office 4) only to have a bunch of other malware infect the computer in the same window of time, finally 5) turning the Kaspersky back on to discover what happened after the fact.

Really? I mean, maybe this guy is that dumb, or maybe there’s another explanation for these forensic details.

In any case, the entire report is a cheeky chess move. I eagerly wait to see if the US’ anonymous leakers respond.

 

The Implicit Threat in Julian Assange’s Ambassador Tweet

/37 Comments/in , , /by

The other day, I suggested the Twitter Direct Messages between Wikileaks and Don Jr were underwhelming, in that some of the more damning things we might have expected did not show up in those DMs. Since then, several things have become clear. First, there were some time zone inaccuracies behind the timestamps on one of the most inflammatory claims (that Trump immediately tweeted in response to an October 12 DM from Assange; it probably was 75 minutes). And the password Wikileaks shared with Don Jr had been made available to journalists and may have been passed on by Chuck Johnson, who was currying favor with Assange at the time; that minimizes the possibility that such sharing could be deemed a CFAA or other kind of technical violation though puts Johnson more centrally in this picture.

I didn’t say explicitly enough in that post and I should have, though, that I was speaking about Don Jr, not about Wikileaks.

Wikileaks’ contributions do show the organization (and Assange in particular, in those DMs we know involved him) to be self-interested and rabidly anti-Clinton If you haven’t known the latter fact to be true since Hillary did some pretty crazy things in 2010, then you’re new to this rodeo. That said, the tweets did elicit some righteous betrayal from Barrett Brown, which I totally respect given the price he has paid for the claimed idealism of Wikileaks (see also this story).

It’s worth remembering, as Emma Best notes, because they’ve been under unrelenting surveillance since 2010, “WikiLeaks *knew* the DMs were being monitored in real time. It was inevitable that this would leak. Simply calling this dumb misses the point and ignores the tradecraft at play.” Assange, from the refusal of inside information to the demand for an Ambassadorship, was staging a show, and we should remember that.

That said, I’m far more interested in Assange’s subsequent response to the disclosure of the emails, specifically this tweet. In the full DMs released by Don Jr (I think Wikileaks can fairly claim Atlantic took out some context — Atlantic came close to and I think should have just replicated the content of all the DMs, though Brown disagrees), this was the comment Assange made on December 16 asking to be Ambassador.

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

On Tuesday, Assange posted an ostensible follow-up to that one, renewing his offer to serve as Ambassador.

Note, Assange had originally misspelled Don Jr’s twitter handle, so deleted and reposted it.

This has been taking as trolling, with Assange’s notion that he’d open a hotel in DC, as the Trumps have, with “luxury immunity suites” for whistleblowers.

But even that’s not trolling. It’s a public renewal, more explicit this time, of Assange’s request for a pardon from Trump Sr, though here he drops the “offer” of the claims laundered through Dana Rohrabacher that the emails Assange published to help Trump get elected came from an insider and not Russia. Assange wants the fuck out of his embassy closet, and he’s willing to say that explicitly, now, in a public tweet (as Best noted, making this request visible for all).

Remember, Rohrabacher was always clear that someone (or someones, but Chuck Johnson is clearly one of those people) had made clear that Trump wanted this information. Was Don Jr in on that loop?

It’s the rest of the tweet that got less attention. First, Assange’s promise of “a turbo-charged flow of intel about the latest CIA plots to undermine democracy,” a remarkable reference coming as it does in the wake of Mike Pompeo’s consideration of an alternative narrative for how Wikileaks got emails (as I noted, scheduled even as John Kelly thwarted Rohrabacher’s attempts to meet with Trump directly), not to mention Trump’s screed at John Brennan and others over the weekend.

Assange is agreeing with Trump, even if no one else is, even as the two of them both seek to push an alternative narrative that doesn’t have the Russians orchestrating Assange’s actions for Trump’s benefit, that the CIA is undermining Trump’s presidency.

It’s the hashtag, though, that most observers missed: Vault 8.

Vault 8 is the name Wikileaks has given for its release — started just Friday — of actual source code for CIA’s hacking tools, after long releasing “just” the development notes and manuals for the same tools. I noted then both the way Wikileaks was picking up Shadow Brokers’ narrative about Kaspersky, but also the multiple references to Wikileaks having the same set of NSA files as Shadow Brokers had.

I noted last December that with the December 14 Shadow Brokers release of new NSA tools (just days before Assange joked about being ambassador), the persona seemed to be engaging in extortion: “Nice little NSA here, it’d be shame if anything would happen to it.” Since that time, Shadow Brokers made good on the threat, leading to global cyberattacks. What Assange seems to be doing is similar: no longer a quid pro quo for safety in DC, but now a threat, using CIA, and tools released in CIA’s name, as hostage.

Assange is not offering to release secrets about CIA, but instead weapons leaked or stolen from them. Sure, to the extent the Vault 7 releases haven’t already, that’ll allow others to attribute CIA attacks. But it’ll also devastate the agency and badly undermine US power.

That appears to be where Assange’s request for immunity has gotten.

Mueller Has Enough Prosecutors to Continue Walking and Chewing Gum While We’ve Been Watching Manafort

/31 Comments/in , , /by

NBC has a clickbait story reporting that Robert Mueller has enough evidence to indict Michael Flynn that — by describing that Mueller is still interviewing witnesses about Flynn’s lobbying — undermines its headline.

Mueller is applying renewed pressure on Flynn following his indictment of Trump campaign chairman Paul Manafort, three sources familiar with the investigation told NBC News.

The investigators are speaking to multiple witnesses in coming days to gain more information surrounding Flynn’s lobbying work, including whether he laundered money or lied to federal agents about his overseas contacts, according to three sources familiar with the investigation.

Remember: on high profile investigations like this, interested parties sometimes try to force a prosecutor’s hand by leaking stuff like this (we should also expect people to leak to the press to create pressure for pardons), and in this case the leaking is exacerbated because of the multiple congressional investigations.

Moreover, there’s good reason to doubt the notion that Mueller is moving from target to target sequentially, which some have interpreted the description of Mueller “renewing” pressure on Flynn to suggest. Remember: Mueller has 15 prosecutors, every one of whom is capable of leading this kind of investigation themselves. And there’s at least a hint that Mueller has separate teams working on separate parts of the investigation.

Consider this detail from the motion to unseal the Manafort docket. The motion specifically asked for the whole thing to be unsealed except for this redaction at the top of the indictment itself.

[T]he government respectfully moves for an order unsealing the docket, with the exception of the original indictment, which contains, at the top, administrative information relating to the Special Counsel’s Office.

There are a lot of things that the redaction might hide. One of those is some kind of marking that indicates the organization of the investigation, one which would disclose investigative strategy if it were disclosed now, but would be really useful for historians if it were unsealed after whatever happens happens.

Couple that with the fact that there is no overlap between the prosecutors appearing thus far in the Manafort docket, who are:

  • Andrew Weismann
  • Greg Andres
  • Kyle Freeny

Adam Jed, an appellate specialist, has appeared with these lawyers in grand jury appearances.

And the prosecutors appearing in the Papadopoulos docket, who are:

  • Jeannie Rhee
  • Andrew Goldstein
  • Aaron Zelinsky

It would make sense that the teams would be focused on different parts of the investigation. After all, Mueller has drawn on a fair range of expertise, which I laid out here (see this article for Carrie Johnson’s description of where these folks are on loan from); if I were to do this over, I’d add a special category for money laundering:

  1. Mob specialists: Andrew Weissman and [Lisa Page *] are mob prosecutors.
  2. Fraud specialists: Weissman and Rush Atkinson are also fraud prosecutors.
  3. Corporate crime specialists: Weissman also led the Enron Task force. One of Dreeben’s key SCOTUS wins pertained to corporate crime. Jeannie Rhee has also worked on white collar defense. [Kyle Freeny, who was the last attorney to join the team, is a money laundering expert.]
  4. Public corruption specialists: Mueller hired someone with Watergate experience, James Quarles. And Andrew Goldstein got good press in SDNY for prosecuting corrupt politicians (even if Sheldon Silver’s prosecution has since been overturned).
  5. International experts: Zainab Ahmad, who worked terrorism cases in EDNY, which has some of the most expansive precedents for charging foreigners flown into JFK (including Russia’s darling Viktor Bout), knows how to bring foreigners to the US and successfully prosecute them in this country. Aaron Zelinsky has also worked in international law. Elizabeth Prelogar did a Fulbright in Russia and reportedly speaks it fluently. And, as noted, [Greg] Andres has worked on foreign bribery
  6. Cyber and spying lawyers: Brandon Van Grack is the guy who had been leading the investigation into Mike Flynn; he’s got a range of National Security experience. Aaron Zebley, Mueller’s former chief of staff at FBI, also has that kind of NSD experience.
  7. Appellate specialists: With Michael Dreeben, Mueller already has someone on the team who can win any appellate challenges; Adam Jed and Elizabeth Prelogar are also appellate specialists. Mueller’s hires also include former clerks for a number of SCOTUS justices, which always helps out if things get that far.

In other words, the team that has thus far been involved in the Manafort prosecution have experience prosecuting corporate crime and money laundering, as well as flipping people. The team that has thus far handled Papadopoulos includes Goldstein, a top public corruption prosecutor (who curiously would have had visibility into Manafort related prosecutions in SDNY), Zelinsky, who has both mob and international law expertise, and Jeannie Rhee whose relevant experience includes time in Congress, prosecuting national security related conspiracies, and cybersecurity investigations. The experience of the latter team, in particular, suggests where they might be headed, probably including people in or recently in government, but Rhee’s ties to leaks and cybersecurity might suggest the emails are a bigger part of that investigation than most people have noticed.

Notably absent from these two teams is Brandon Van Grack, who started the prosecution of Mike Flynn and presumably has remained focused on that. So there’s no reason to believe Van Grack would have to renew pressure, aside from pointing to the example of Manafort to prove the seriousness of this investigation, because he probably has just kept up the pressure as we’ve been distracted.

Also of note: we’re still not seeing all the mob and international expertise on Mueller’s team.

All of which is to say we’ve only seen the involvement of at most 7 out of the 15 lawyers on Mueller’s team. I’m sure the remaining 8 haven’t been sitting idle while we’ve all been focusing on Manafort and Papadopoulos.

Update: Because it’s related, I’ll remind that in Papadopoulos’ plea deal, Zelinsky said they wanted to sustain the prohibition on FOIA because,

in the process of his ongoing efforts to cooperate, the Government has shared substantial information with the Defendant that has provided a road map of sorts, to information that might be sought on FOIA. And it will chill the Government’s ability to continue to have the Defendant cooperate if the information that’s being provided by the Defendant and the continued efforts to jog his memory are then used to create a road map to the ongoing investigation.

Update: When this post was first posted I accidentally swapped Weissman for Goldstein in one reference. My apologies.

*Update: As Peredonov notes below, Page left the SCO after I wrote the underlying post. I’ve marked it in the quote and adjusted numbers accordingly.

We Have No Idea What Emails the Papadopoulos Plea Refer To

/40 Comments/in , /by

In response to yesterday’s server hiccups and in anticipation that Mueller is nowhere near done, we expanded our server capacity overnight. If you think you’ll rely on emptywheel reporting on the Mueller probe, please consider a donation to support the site

As I’ve noted, the George Papadopoulos plea information, reveals that Papadopoulos learned that Russia had “dirt” consisting of “thousands of emails of Clinton” three days before the DNC learned they had been hacked.

And it makes it clear that on April 26 — three days before the DNC figured out Russia had hacked them — Papadopoulos’ handler told him Moscow had dirt on clinton.

The Professor told defendant PAPADOPOULOS that on that trip he (the Professor) learned that the Russians had obtained “dirt” on then-candidate Clinton. The Professor told defendant PAPADOPOULOS, as PAPADOPOULOS later described to the FBI, that “They [the Russians] have dirt on her”; “the Russians had emails of Clinton”; “they have thousands of emails.”

After learning the Russians had emails on Clinton even before Clinton learned it, Papadopoulos “continued to correspond with Campaign officials,” including his Senior Policy Advisor and a High-Ranking Campaign Official.

From this detail, I’ve seen endless amount of shite premised on what these emails were.

For example, Julian Assange tweeted something bizarre about the emails being the emails released mostly in response to a Jason Leopold FOIA. I thought he was trying to pretend he had no inside information from the Russians?

Others are tying the emails to the registration of the DC Leaks website, which had occurred by this point, but which also released more emails pertaining to Ukraine than Democrats.

Others are suggesting that because no one ever found the emails Hillary deleted from her server, the claim must not be correct because there were no emails of Hillary out there.

Others are tying the comment to Podesta’s emails (he was first hacked on March 19). Or they’re claiming incorrectly that the Papadopoulos report must be wrong because the DNC emails were the ones released early on, not the Podesta ones (in fact, the source for about half the earliest released Guccifer 2.0 “DNC” emails appears to be the Podesta emails, and for most of the rest has not be identified).

Others are pointing out — I’m not sure why — that Russia hacked some Republicans.

All of this suggests that people have this mistaken belief that the general public knows the universe of emails that have been hacked, and that all the hacked emails have been released.

Most annoyingly, most people who know better are saying that Russia started hacking the Democrats in spring 2016. But as the Intelligence Committee Assessment lays out, “In July 2015, Russian intelligence gained access to Democratic National Committee (DNC) networks and maintained that access until at least June 2016.” And the ICA was always deliberately coy about who else the earlier wave of hacking, by APT 29 associated with FSB, may have hacked (I assure you its targets were prominent), to say nothing of the later APT 28 attribution known to be associated with released emails.

And as I was bitching about this, I was reminded by a Kaspersky researcher that APT 29 had spent the previous year hacking the White House and State Department.

All of which is to say, without more evidence (which Mueller has chosen not to give us yet) we cannot conclude anything about Papadopoulos learning, in April, that Russians were talking about having dirt against Hillary with regards to which emails were on offer; we can only conclude that a person in the campaign learned (and probably shared that knowledge, though Mueller is deliberately withholding that detail too) very early on that Russians were offering up emails as campaign dirt.

Update: In related news, the AP got ahold of a list of APT 28’s targets (though doesn’t emphasize, as it should, that these targets may not have been successfully breached).

Shorter Kaspersky: Our Home AV Found NSA’s Lost Tools Six Months Before NSA Did

/19 Comments/in /by

Kaspersky has what it calls a preliminary investigation into the allegations that it obtained NSA tools by taking them from an NSA hacker who loaded them onto his home computer. It follows by just a few days and directly refutes the silly accusations made by Rick Ledgett the other day in Lawfare, most notably that Kaspersky found the tools by searching on “TS/SCI,” much less the “proprietary” Ledgett claimed. I assume the word “preliminary” here means, “Okay, you’ve made your public accusation, now Imma badly discredit you, but I’m holding other details back for your next accusation.”

Instead of finding the hacking tools in early 2015, Kaspersky says, they found the GrayFish tool back on September 11, 2014, probably six months before the anonymous government sources have been saying it was discovered.

And they found it with their home AV.

  • The incident where the new Equation samples were detected used our line of products for home users, with KSN enabled and automatic sample submission of new and unknown malware turned on.
  • The first detection of Equation malware in this incident was on September 11 2014. The following sample was detected:
    • 44006165AABF2C39063A419BC73D790D
    • mpdkg32.dll
    • Verdict: HEUR:Trojan.Win32.GrayFish.gen

After that, what Kaspersky describes as “the user” disabled the AV and downloaded a pirated Microsoft copy onto his computer, which created a backdoor that could have been used by anyone.

  • After being infected with the Backdoor.Win32.Mokes.hvl malware, the user scanned the computer multiple times which resulted in detections of new and unknown variants of Equation APT malware.

Once that backdoor was loaded, “the user” scanned the computer and found other Equation Group tools.

What Kaspersky is not saying is that this probably wasn’t the TAO hacker, but probably was someone pretending to be the user (perhaps using NSA’s own tools?!), who stole a slew of files then.

Two other points: Kaspersky claims to have called the cops — or probably the FBI, which would have been the appropriate authority, and he claims to call the cops whenever they find malware in the US.

  • Some of these infections have been observed in the USA.
  • As a routine procedure, Kaspersky Lab has been informing the relevant U.S. Government institutions about active APT infections in the USA.

It’s possible that Kaspersky did inform the FBI, and that FBI routinely gets such notice, but that FBI routinely ignores such notice because they don’t care if NSA is hacking people in the US (which given what we know, is at least sometimes, and would have been during this period, Americans approved for 705(b) surveillance that doesn’t get turned off as is legally required when they return to the US).

In other words, it’s possible that FBI learned about this, but ignored it because they ignore NSA’s illegal hacking the US. Only this time it wasn’t NSA’s illegal hacking, but NSA’s incompetence, which in turn led an NSA hacker to get hacked by … someone else.

Finally, there’s this bit, which is the least credible thing in this announcement. The Kaspersky statement says Eugene himself was informed of the discovery, and ordered the tool (in a kind of one-man Vulnerabilities Equities Process) to be destroyed.

  • After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.

I don’t so much doubt that Eugene ordered the malware to be destroyed. Once Kaspersky finished its analysis of the tool, they would have no use for it, and it would add to risk for Kaspersky itself. I just find it remarkable that he would have made the personal decision to destroy this malware at some point after its discovery, but not have raised it until now.

Unless, of course, he was just waiting for someone like Rick Ledgett to go on the sort of record.

Though note how Kaspersky gets conspicuously silent about the timing of that part of the story.

One final point: this new timeline doesn’t explain how Israel (possibly with the involvement of the US) would have found this tool by hacking Kaspersky (unless the decision to destroy the tool came after Kaspersky discovered the hack). But it does suggest the Duqu chicken was chasing the TAO hacker egg, and not vice versa as anonymous sources have been claiming.

That is, the scenario laid out by this timeline (which of course, with the notable exceptions of the Duqu hack and the destruction date for GrayFish, comes with dates and file names and so at least looks more credible than Rick Ledgett’s farcical “proprietary” claims) is that Kaspersky found the file, reported it as an infection to the cops, which likely told NSA about it, leading to the attack on Kaspersky to go try to retrieve it or discover how much else they obtained. That is, Duqu didn’t hack Kaspersky and then find the file. They hacked Kaspersky to find the file that some dopey TAO hacker had made available by running Kaspersky home AV on his computer.

Update: Changed “probable” involvement of US in Duqu hack to “possible.”

Update: Changed “stolen” in title to “lost.”

Ron Wyden Is Worried the Government Will Use FISA Process to Force Companies to Make Technical Changes

/4 Comments/in , /by

Ron Wyden and Rand Paul just introduced their bill to fix Section 702. It’s a good bill that not only improves Section 702 (by prohibiting back door searches, prohibiting the 2014 exception, and limiting use of 702 data), but also improves FISC and PCLOB.

The most alarming part of the bill, though, is Section 14. It prohibits the Attorney General and Director of National Intelligence from asking for technical assistance under Section 702 that is not narrowly targeted or explicitly laid out and approved by the court.

(B) LIMITATIONS.—The Attorney General or the Director of National Intelligence may not request assistance from an electronic communication service provider under subparagraph (A) without demonstrating, to the satisfaction of the Court, that the assistance sought—

(i) is necessary;

(ii) is narrowly tailored to the surveillance at issue; and

(iii) would not pose an undue burden on the electronic communication service provider or its customers who are not an intended target of the surveillance.

(C) COMPLIANCE.—An electronic communication service provider is not obligated to comply with a directive to provide assistance under this paragraph unless

(i) such assistance is a manner or method that has been explicitly approved by the Court; and

(ii) the Court issues an order, which has been delivered to the provider, explicitly describing the assistance to be furnished by the provider that has been approved by the Court.

This suggests that Wyden is concerned the government might use — or has used — FISA to make sweeping onerous technical demands of companies without explicitly explaining what those demands are to the Court.

The most obvious such application would involve asking Apple to back door its iPhone encryption.

As a reminder, national security requests to Apple doubled in the second half of last year.

The number of national security orders issued to Apple by US law enforcement doubled to about 6,000 in the second half of 2016, compared with the first half of the year, Apple disclosed in its biannual transparency report. Those requests included orders received under the Foreign Intelligence Surveillance Act, as well as national security letters, the latter of which are issued by the FBI and don’t require a judge’s sign-off.

We would expect such a jump if the government were making a slew of new requests of Apple related to breaking encryption on their phones.

The Senate Intelligence Committee 702 Bill Is a Domestic Spying Bill

/16 Comments/in , /by

Richard Burr has released his draft Section 702 bill.

Contrary to what you’re reading about it not “reforming” 702, the SSCI bill makes dramatic changes to 702. Effectively, it makes 702 a domestic spying program.

The SSCI expands the kinds of criminal prosecutions with which it can use Section 702 data

It does so in Section 5, in what is cynically called “End Use Restriction,” but which is in reality a vast expansion of the uses to which Section 702 data may be used (affirmatively codifying, effectively, a move the IC made in 2015). It permits the use of 702 data in any criminal proceeding that “Affects, involves, or is related to” the national security of the United States (which will include proceedings used to flip informants on top of whatever terrorism, proliferation, or espionage and hacking crimes that would more directly fall under national security) or involves,

  • Death
  • Kidnapping
  • Serious bodily injury
  • Specified offense against a minor
  • Incapacitation or destruction of critical infrastructure (critical infrastructure can include even campgrounds!)
  • Cybersecurity, including violations of CFAA
  • Transnational crime, including transnational narcotics trafficking
  • Human trafficking (which, especially dissociated from transnational crime, is often used as a ploy to prosecute prostitution; the government also includes assisting undocumented migration to be human trafficking)

This effectively gives affirmative approval to the list of crimes for which the IC can use 702 information laid out by Bob Litt in 2015 (in the wake of the 2014 approval).

Importantly, the bill does not permit judicial review on whether the determination that something “affects, involves, or is related to” national security. Meaning Attorney General Jeff Sessions could decide tomorrow that it can collect the Tor traffic of BLM or BDS activists, and no judge can rule that’s an inappropriate use of a foreign intelligence program.

“So what?” you might ask, this is a foreign surveillance program. So what if they find evidence of child porn in the course of spying on designated foreign targets, and in the process turn it over to the FBI?

The reason this is a domestic spying program is because of two obscure parts of 702 precedent.

The 2014 exception permits NSA to collect Tor traffic — including the traffic of 430,000 Americans

First, there’s the 2014 exception.

In 2014, the FISC approved an exception to the rule that the NSA must detask from a facility when it discovers that a US person was using it. I laid out the case that the facilities in question were VPNs (collected in the same way PRISM would be) and Tor (probably collected via upstream collection). I suggested then that it was informed speculation, but it was more than that: the 2014 exception is about Tor (though I haven’t been able to confirm the technical details of it).

NSA is collecting Tor traffic, including the traffic of the 430,000 Americans each day who use Tor.

One way to understand how NSA gets away with this is to consider how the use of upstream surveillance with cybersecurity works. As was reported in 2015, NSA can use upstream for cybersecurity purposes, but only if that use is tied to known indicators of compromise of a foreign government hacking group.

On December 29 of last year, the Intelligence Community released a Joint Analysis Report on the hack of the DNC that was considered — for cybersecurity purposes — an utter shitshow. Most confusing at the time was why the IC labeled 367 Tor exit nodes as Russian state hacker indicators of compromise.

But once you realize the NSA can collect on indicators of compromise that it has associated with a nation-state hacking group, and once you realize NSA can collect on Tor traffic under that 2014 exception, then it all begins to make sense. By declaring those nodes indicators of compromise of Russian state hackers, NSA got the ability to collect off of them.

NSA’s minimization procedures permit it to retain domestic communications that are evidence of a crime

The FISC approved the 2014 exception based on the understanding that NSA would purge any domestic communications collected via the exception in post-tasking process. But NSA’s minimization procedures permit the retention of domestic communications if the communication was properly targeted (under targeting procedures that include the 2014 exception) and the communication 1) includes significant foreign intelligence information, 2) the communication includes technical database information (which includes the use of encryption), 3) contains information pertaining to an imminent threat of serious harm to life or property OR,

Such domestic communication does not contain foreign intelligence information but is reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed. Such domestic communication may be disseminated  (including United States person identities) to appropriate law enforcement authorities, in accordance with 50 U.S.C. § 1806(b) and 1825(c), Executive Order No 12333, and, where applicable, the crimes reporting procedures set out in the August 1995 “Memorandum of Understanding: Reporting of Information Concerning Federal Crimes,” or any successor document.

So they get the data via the 2014 exception permitting NSA to collect from Tor (and VPNs). And they keep it and hand it off to FBI via the exception on NSA’s destruction requirements.

In other words, what Richard Burr’s bill does is affirmatively approve the use of Section 702 to collect Tor traffic and use it to prosecute a range of crimes, some of them potentially quite minor.

 

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Rick Ledgett Claims NSA’s Malware Isn’t Malware

/4 Comments/in /by

I was beginning to be persuaded by all the coverage of Kaspersky Labs that they did something unethical with their virus scans.

Until I read this piece from former NSA Deputy Director Rick Ledgett. In it, he defines the current scandal as Kaspersky being accused of obtaining NSA hacking tools via its anti-virus.

Kaspersky Lab has been under intense fire recently for allegedly using, or allowing Russian government agents to use, its signature anti-virus software to retrieve supposed National Security Agency tools from the home computer of an NSA employee.

He then describes both Jeanne Shaheen’s efforts to prohibit KAV use on government computers, and Eugene Kaspersky’s efforts to defend his company. Ledgett than describes how anti-virus works, ending with the possibility that an AV company can use its filters to search on words like “secret” or “confidential” or “proprietary” (as if NSA’s hacking tools were only classified proprietary).

This all makes perfect sense for legitimate anti-virus companies, but it’s also a potential gold mine if misused. Instead of looking for signatures of malware, the software can be instructed to look for things like “secret” or “confidential” or “proprietary”—literally anything the vendor desires. Any files of interest can be pulled back to headquarters under the pretext of analyzing potential malware.

He then claims that’s what Kaspersky is accused of doing.

So that is what Kaspersky has been accused of doing: using (or allowing to be used) its legitimate, privileged access to a customer’s computer to identify and retrieve files that were not malware.

Except, no, it’s not.

The only things Kaspersky is accused of having retrieved are actual hacking tools. Which, if anyone besides the NSA were to use them, would obviously be called malware. As Kim Zetter explains KAV and other AV firms use silent signatures to search for malware.

Silent signatures can lead to the discovery of new attack operations and have been used by Kaspersky to great success to hunt state-sponsored threats, sometimes referred to as advanced persistent threats, or APTs. If a Kaspersky analyst suspects a file is just one component in a suite of attack tools created by a hacking group, they will create silent signatures to see if they can find other components related to it. It’s believed to be the method Kaspersky used to discover the Equation Group — a complex and sophisticated NSA spy kit that Kaspersky first discovered on a machine in the Middle East in 2014.

It’s unclear whether Kaspersky found the malware by searching on “TS/SCI,” actual tool names (which NSA stupidly uses in its code), or code strings that NSA reuses from one program to another.

“[D]ocuments can contain malware — when you have things like macros and zero-days inside documents, that is relevant to a cybersecurity firm,” said Tait, who is currently a cybersecurity fellow at the Robert S. Strauss Center for International Security and Law at the University of Texas at Austin. “What’s not clear from these stories is what precisely it was that they were looking for. Are they looking for a thing that is tied to NSA malware, or something that clearly has no security relevance, but intelligence relevance?”

If Kaspersky was searching for “top secret” documents that contained no malicious code, then Tait said the company’s actions become indefensible.

“In the event they’re looking for names of individuals or classification markings, that’s not them hunting malware but conducting foreign intelligence. In the event that the U.S. intelligence community has reason to believe that is going on, then they should … make a statement to that effect,” he said, not leak anonymously to reporters information that is confusing to readers.

Kaspersky said in a statement to The Intercept that it “has never created any detection in its products based on keywords like ‘top secret’, or ‘classified.’”

One thing no one has discussed is whether Kaspersky could have searched on NSA’s encryption, because that’s how Kaspersky has always characterized NSA’s tools, by their developers’ enthusiasm for encryption.

In any case, what’s clear is no one would ever find a piece of NSA malware by searching on the word “proprietary,” so we can be sure that’s a bogus accusation.

I asked Susan Hennessey on Twitter, and she confirms that NSA did a prepublication review of this, so any “new” news in this is either bullshit (as the claim Kaspersky searched on the word “proprietary” surely is) or “no[t] inadvertent declassification,” meaning NSA wanted Ledgett to break new news.

Which I take to mean that Ledgett is pretending that NSA’s malware is not malware but … Democracy Ponies or something like that. American exceptionalism, operating at the level of code.

Anyway, Ledgett goes on to suggest that Kaspersky can get beyond this taint by agreeing to let others spy on their malware detection to make sure it’s all legit. Except that is precisely what we’re all worried Russia did against Kaspersky, find malware as it transited from the TAO guy back to Kaspersky’s servers!

If Eugene Kaspersky really wanted to assuage the fears of customers and potential customers, he would instead have all communications between the company’s servers and the 400 million or so installations on client machines go through an independent monitoring center. That way evaluators could see what commands and software updates were going from Kaspersky headquarters to those clients and what was being sent back in response. Of course, the evaluators would need to sign non-disclosure agreements to protect Kaspersky’s intellectual property, but they would be expected to reveal any actual misuse of the software. It’s a bold idea, but it’s the only way anyone can be sure of what the company is actually doing, and the only real way to regain trust in the marketplace. Let’s see if he does it.

What are the chances that NSA would have this “independent monitoring center” pwned within 6 hours, if it really even operated independently of NSA?

Like I said, I was beginning to be persuaded that Kaspersky did something wrong. But this Ledgett piece leads me to believe this is just about American exceptionalism, just an attempt to protect NSA’s spying from one of the few AV companies that will dare to spy on it.

ShadowBrokers’ Kiss of Death

/19 Comments/in /by

In the ShadowBrokers’ latest post, I got a kiss of death. At the end of a long rambling post, TSB called me out — misspelled “EmptyWheel” with initial caps — as “true journalist and journalism is looking like.”

TSB special shouts outs to Marcy “EmptyWheel” Wheeler, is being what true journalist and journalism is looking like thepeoples!

TheShadowBrokers, brokers of shadows.

Forgive me for being an ingrate, but I’m trying to engage seriously on Section 702 reform. Surveillance boosters are already fighting this fight primarily by waging ad hominem attacks. Having TSB call me out really makes it easy for surveillance boosters to suggest I’m not operating in the good faith I’ve spent 10 years doing.

Way to help The Deep State, TSB.

Worse still, TSB lays out a load of shit. A central focus of the post (and perhaps the reason for my Kiss of Death) is the latest fear-mongering about Russian AV firm, Kaspersky.

Are ThePeoples enjoying seven minutes of hate at Russian hackers and Russian security company? Is after October 1st, new moneys is being in US government budgets for making information warfares payments. Is many stories of NSA + lost data. Is all beings true? Is NSA chasing shadowses? Is theequationgroup still not knowing hows thems getting fucked? Is US government trying out storieses to be seeing responses? TheShadowBrokers be telling ThePeoples year ago how theshadowbrokers is getting data. ThePeoples is no believing. ThePeoples is got jokes. ThePeoples is making shits up. So TheShadowBrokers then saying fucks it, theshadowbrokers can be doings that too.

TheShadowBrokers is thinkings The Peoples is missings most important part of storieses. Corporate media company (WSJ) publishes story with negative financial impacts to foreign company (Kaspersky Labs) FROM ANONYMOUS SOURCE WITH NO PHYSICAL EVIDENCE. WTF? Can they being doing that? Libel law suits? But is ok, Kaspersky is Russian security peoples. Russian security peoples is being really really, almost likes, nearly sames as Russian hackers. Is like werewolves. Russian security peoples is becoming Russian hackeres at nights, but only full moons. AND AMERICA HATES RUSSIAN HACKERS THEY HACKED OUR ELECTION CIA, GOOGLE, AND FACEBOOK SAID. If happening to one foreign company can be happening to any foreign company? If happening to foreign company can be happen to domestic? Microsoft Windows 10 “free” = “free” telemetry in Microsoft cloud.

TSB tries to claim that the Kaspersky stories are a US government attempt to explain how TSB got the files he is dumping. But as I have pointed out — even the NYT story on this did — it doesn’t make sense. That’s true, in part because if the government had identified the files the TAO hacker exposed to Kaspersky in spring 2016 as Shadowbrokers’, they wouldn’t have gone on to suggest the files came from Hal Martin when they arrested him. Mind you, Martin’s case has had a series of continuations, which suggests he may be cooperating, so maybe he confessed to be running Kaspersky on his home machine too? But even there, they’d have known that long before now.

Plus, TSB was the first person to suggest he got his files from Kaspersky. TSB invoked Kaspersky in his first post.

We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic.

And TSB more directly called out Kaspersky in the 8th message, on January 8, just as the US government was unrolling its reports on the DNC hack.

Before go, TheShadowBrokers dropped Equation Group Windows Warez onto system with Kaspersky security product. 58 files popped Kaspersky alert for equationdrug.generic and equationdrug.k TheShadowBrokers is giving you popped files and including corresponding LP files.

The latter is a point fsyourmoms made in a post and an Anon made on Twitter; I had made it in an unfinished post I accidentally briefly posted on September 15.

But I don’t think the Kaspersky call-out in January is as simple as people make it out to be.

First, as Dan Goodin and Jake Williams noted collectively at the time, the numbers were off, particularly with regards to whether all of them were detected by Kaspersky products.

The post included 61 Windows-formatted binary files, including executables, dynamic link libraries, and device drivers. While, according to this analysis, 43 of them were detected by antivirus products from Kaspersky Lab, which in 2015 published a detailed technical expose into the NSA-tied Equation Grouponly one of them had previously been uploaded to the Virus Total malware scanning service. And even then, Virus Total showed that the sample was detected by only 32 of 58 AV products even though it had been uploaded to the service in 2009. After being loaded into Virus Total on Thursday, a second file included in the farewell post was detected by only 12 of the 58 products.

Most weren’t uploaded to Virus Total, but that’s interesting for another reason. The dig against Kaspersky back in 2015 — based off leaked emails that might have come from hacking it — is that in 2009 they were posting legit files onto Virus Total to catch other companies lifting its work.

At that level, then, the reference to Kaspersky could be another reference to insider knowledge, as TSB made elsewhere.

But there are several other details of note regarding that January post.

First, it was a huge headfake. It came four days after TSB had promised to post the guts of the Equation Group warez — Danderspritz and the other powerful tools that would eventually get released in April in the Lost in Translation post, which would in turn lead to WannaCry. Having promised some of NSA’s best and reasonably current tools (which may have led NSA to give Microsoft the heads up to patch), TSB instead posted some older ones that mostly embarrassed Kaspersky.

And that was supposed to be the end of things. TSB promised to go away forever.

So long, farewell peoples. TheShadowBrokers is going dark, making exit. Continuing is being much risk and bullshit, not many bitcoins.

As such, the events of that week were almost like laying an implicit threat as the US intelligence community’s Russian reports came out and the Trump administration began, but backing off that threat.

But I’m not sure why anyone would have an incentive to out Kaspersky like this. Why would TSB want to reveal the real details how he obtained these files?

Two other things may be going on.

First, the original TSB post was accompanied by the characters shi pei.

I haven’t figured out what that was supposed to mean. It might mean something like “screw up,” or it might be reference using the wrong characters to Madame Butterfly (is this even called a homophone in Mandarin, where intonations mean all?), Shi Pei Pu, the drag Chinese opera singer who spied on France for 20 years. [Update: Google Translate says it is “loser”.] I welcome better explanations for what the characters might mean in this context. But if it means either of those things, they might be a reference to the December arrest, on treason charges, of Kaspersky researcher Ruslan Stoyanov, who along with cooperating with US authorities against some Russian spammers, may have also received payment from foreign companies. That is, either one might have been a warning to Kaspersky as much as an expose of TSB’s sources.

[Update on shi pei, from LG’s comment: “It’s a polite formula meaning: “excuse me (I must be going)” or simply “goodbye”, which would make sense given that the post indicated that they intended to retire.”]

All of which is to say, I have no idea what this January post was really intended to accomplish (I have some theories I won’t make public), but it seems far more complex than an early admission that Russia was stealing NSA files by exploiting Kaspersky AV. And if it was meant to expose TSB’s own source, it was likely misdirection.

For what it’s worth, with respect to my Kiss of Death, my post on the possibility TSB shares “the second source” with Jake Appelbaum got at least as much interesting attention as my briefly posted post on the earlier TSB Kaspersky post.

In any case, I think the far more interesting call out than mine in TSB’s post is that he gives Matt Suiche. Ostensibly, TSB apologizes for missing his Black Hat talk.

TheShadowBrokers is sorry TheShadowBrokers is missing you at theblackhats or maybe not? TSB is not seeing hot reporter lady giving @msuiche talk, was that not being clear required condition? TheShadowBrokers is being sures you understanding, law enforcements, not being friendly fans of TSB. Maybe someday. Dude? “…@shadowbrokerss does not do thanksgiving. TSB is the real Infosec Santa Claus…” really? “Trick or Treet”, cosplay and scarring shits out of thepeoples? TheShadowBrokers favorite holiday, not holiday, but should be being, Halloween!

Of course, TSB could have done that in last month’s post. Instead, this reference is a response to this thread on whether he might dump something on Thanksgiving to be particularly disruptive. In which case, it seems to be a tacit threat: that he will dump on Halloween, just a few weeks away.