Linux Kernel Hacked by NSA/GCHQ

agraham agraham at g-b.net
Sat Aug 31 01:24:43 UTC 2013


On 08/30/2013 10:53 PM, Fernando Cassia wrote:
> On Fri, Aug 30, 2013 at 4:35 PM, agraham <agraham at g-b.net> wrote:
>> "I KNOW" we can overcome this adversary and regain the freedom that the
>> internet once offered.
>
> What?
> You must have been living under a rock. The Echelon spy network was
> exposed back in 1999, way before even 9/11
> http://news.bbc.co.uk/2/hi/503224.stm
>
> There are no secrets, get over it. If you want privacy, use encryption
> for email, and if you want anonymity, surf using a public hotspot and
> do not log in to any service.
>
> FC


Those are not the types of solutions I was thinking of, and in fact, 
before solutions, we need to know if/what/when the kernel was 
compromised, or did you miss the "Give me a list of compromised machines"?

Given what we now know, and then applying that knowledge of their 
capabilities to events of the past (particularly those that misdirected 
us), you have to consider that all Linux machines were compromised 
(while we were asleep). That's really my point, such that the methods 
you mentioned above are also compromised.

But this means you would need to get into certain subsystems, assuming 
that they have compromised the firewall / netfilter.

So, what Snowden exposed is, I'm guessing, really just Stage 1 of this 
global rootkit.

Stage 2 is going to be much, much more aggressive and intrusive, as this 
would be the logical extension of Stage 1, and may be even more 
invisible.

Now, before you dismiss this argument: if I said "Windows", you would 
probably agree, yep, we're in Stage 2 of the attack, because we know 
(and always have) that Windows is compromised, and I know this for a 
fact because I personally spent a year disassembling parts of the 
Windows kernel about 15 years ago with CodeView and a hardware debugger.

I now believe we are already in Stage 2, but most don't realize it yet.

Let me give you another example. Think back over the past few years, say 
even 3 years: if you check your firewall logs for any server you have 
installed for a customer, you may have noticed a huge number of port 
scans from China. For example, I noticed at a customer site that within 
the first 24 hours of getting an IP address block, I had about 100,000 
scans, mostly from China.

I know it was from China because the WHOIS database says so.

So, I'm trusting that WHOIS database, which is controlled by Government, 
and guess what, the packets are not coming from China, but from the West!

So, I believe this is all part of the misinformation, based on 
information that we had reason to implicitly trust. So, what I'm saying 
now is that as we install new servers/VMs, they are probing and 
fingerprinting the servers.

Also, I suggest that pattern analysis on these probes be done, as that 
may also reveal more about the attacker.

The kernel compromise I'm talking about could be very, very subtle, and 
only provide enough information to allow the attacker to select their 
next subversion technique.

This attacker, albeit many world governments working together, is 
nonetheless an attacker, and is using well-known techniques that come 
from many open source projects to enact this global attack on computers.

As an example of the tools (most will know them well already), check out 
the NSA job spec: 
http://s3.documentcloud.org/documents/716069/boozallenhamiltonnsa.pdf

Also, we must assume that Stage 2 or 3 will include isolation and 
destruction, not just observation. This will probably be known as the 
global virus control program, etc.

If you think about it, we are now inside the virtualized machine, which 
is why we cannot see it.

Until we defeat this, we may all be trapped in wonderland forever.

I mean, technically, this could be a kernel bug, and the patch will 
probably be a single line of code, but we don't know what that bug is!

The prize for this attacker is not just a Linux server, it's the control 
of the entire world and the future.

Make no mistake about it, we are under attack.

Albert.

P.S. And I'll buy a free beer for the first one who submits a fix for this.
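The message above suggests doing pattern analysis on the probes that show up in a new server's firewall logs. As an added example, not part of Albert's message or the thread, here is a small Python script that does that kind of analysis offline: it parses netfilter LOG lines (a constructed, abbreviated sample is embedded; the addresses are RFC 5737 documentation ranges), profiles each source by hit count, distinct destination ports, protocol and the sender's inferred initial TTL, then separates sources that look like port scanners from ones hammering a single service and tallies hits per /24. The scan threshold of five distinct ports is an assumption to tune for your own traffic; the script does no WHOIS lookups, so registration data for a prefix remains a separate step.

```python
"""Pattern analysis of netfilter probe logs (added example, not from the post)."""
import ipaddress
import re
from collections import defaultdict

# Constructed, abbreviated sample of iptables LOG-target lines as syslog
# writes them. Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Aug 30 22:01:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=43120 DPT=22 WINDOW=1024 SYN URGP=0
Aug 30 22:01:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=43121 DPT=23 WINDOW=1024 SYN URGP=0
Aug 30 22:01:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=43122 DPT=80 WINDOW=1024 SYN URGP=0
Aug 30 22:01:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=43123 DPT=443 WINDOW=1024 SYN URGP=0
Aug 30 22:01:13 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=43124 DPT=3389 WINDOW=1024 SYN URGP=0
Aug 30 22:01:13 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=43125 DPT=8080 WINDOW=1024 SYN URGP=0
Aug 30 22:07:40 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TTL=48 ID=5123 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 SYN URGP=0
Aug 30 22:07:41 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TTL=48 ID=5124 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=29200 SYN URGP=0
Aug 30 22:07:42 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TTL=48 ID=5125 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=29200 SYN URGP=0
Aug 30 22:15:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=198.51.100.11 LEN=52 TTL=118 ID=9001 DF PROTO=TCP SPT=61200 DPT=445 WINDOW=8192 SYN URGP=0
Aug 30 22:15:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=198.51.100.11 LEN=52 TTL=118 ID=9002 DF PROTO=TCP SPT=61201 DPT=445 WINDOW=8192 SYN URGP=0
Aug 30 22:16:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.51 DST=198.51.100.11 LEN=84 TTL=118 PROTO=ICMP TYPE=8 CODE=0 SEQ=1
Aug 30 22:16:05 gw sshd[1234]: Failed password for root from 203.0.113.9 port 51002 ssh2
"""

# Every field netfilter logs is KEY=value; flags such as DF and SYN have no '='.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Turn one netfilter LOG line into a dict of its KEY=value fields.
    Returns None for lines that are not kernel packet logs (e.g. sshd)."""
    if " kernel: " not in line or "SRC=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def initial_ttl(ttl):
    """Infer the sender's initial TTL from the observed one; 64, 128 and 255
    are the common OS defaults, so the observed value is at most the base."""
    for base in (64, 128, 255):
        if ttl <= base:
            return base
    return None


def profile_sources(log_text):
    """Aggregate probes per source address: hit count, distinct destination
    ports, protocols seen, and inferred initial TTLs."""
    profiles = defaultdict(
        lambda: {"hits": 0, "ports": set(), "protos": set(), "ttl_base": set()}
    )
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        prof = profiles[fields["SRC"]]
        prof["hits"] += 1
        prof["protos"].add(fields.get("PROTO", "?"))
        if "DPT" in fields:  # ICMP lines carry no destination port
            prof["ports"].add(int(fields["DPT"]))
        if "TTL" in fields:
            prof["ttl_base"].add(initial_ttl(int(fields["TTL"])))
    return profiles


def classify(profiles, scan_threshold=5):
    """Split sources into port scanners (many distinct ports), single-service
    probes (one port hit repeatedly) and other, and tally hits per /24.
    scan_threshold is an assumed cut-off; tune it to your own traffic."""
    report = {"scanners": [], "single_service": {}, "other": [], "per_24": defaultdict(int)}
    for src, prof in profiles.items():
        prefix = ipaddress.ip_network(f"{src}/24", strict=False)
        report["per_24"][str(prefix)] += prof["hits"]
        if len(prof["ports"]) >= scan_threshold:
            report["scanners"].append(src)
        elif len(prof["ports"]) == 1 and prof["hits"] > 1:
            report["single_service"][src] = next(iter(prof["ports"]))
        else:
            report["other"].append(src)
    report["per_24"] = dict(report["per_24"])
    return report


if __name__ == "__main__":
    for key, value in classify(profile_sources(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample, 203.0.113.7 comes out as a scanner (six distinct ports in two seconds), 203.0.113.9 and 192.0.2.50 as single-service probes against 22 and 445, and the two source prefixes differ in inferred initial TTL (64 versus 128), which is the kind of fingerprint worth keeping alongside the address when looking for patterns across probes.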
