As someone who has crushed a hornet's nest in his hand (when he was about 10), and well remembers the 36 stings afterwards (something of a record in these parts) while running away bravely, I'm not sure that's the analogy they should have chosen.
Hopefully, any that aren't already arrested are caught before they retaliate.
Certainly they might try to retaliate, but that would be very foolish.
Many decades ago Don Lancaster said "don't fuck with the eagle". This was because the Federal government's resources are vast compared to any individual. The government has the resources to pay 100 people full-time just to take down a forum. That's probably what they just did with Darkode.
Many of those Federal agents are just 9-to-5 guys, probably not too bright, quite content to make a good middle class living. But there are also undoubtedly a number of smart, ambitious people, who are being paid quite well to pursue, capture, and convict the Darkode actors.
So, let's see, you can either roll over and beg for mercy, like one of Ross Ulbricht's henchmen, and get less than 2 years in jail, or you can be a delusional arrogant twit like "mastermind" Ross and get life in Federal prison, without parole.
> Many decades ago Don Lancaster said "don't fuck with the eagle"
I can't find record of this anywhere. Are you talking about Don Lancaster of DL's guru lair? The only hits I am getting for your quote are from some very country tumblr blogs and song lyrics. I am curious about the context.
>Certainly they might try to retaliate, but that would be very foolish.
This wasn't your original assertion but you do go on to break down why they shouldn't. They won't. This was a business that got shut down, they aren't "after the man" except as a byproduct of running an illegal business and getting away with it.
They are going to disperse and either continue phishing, hacking and cracking regular users and programs anonymously or they will set up another market on tor.
I'm talking about Don Lancaster of TTL Cookbook fame, and yes of Guru's Lair.[1]
The quote, or perhaps the more PG version "don't mess with the eagle", appears in his later book The Incredible Secret Money Machine. That one is more of a philosophy of life book, it's much different than his technical books.
IIRC (it's been many decades since I read it) Don expounds on that theme, it's not just a random quote. E.g. a govt bureaucrat can make your life hell just for the lulz[2]. That's why it's dumb to do stupid things in a high profile manner.
While I don't agree with your characterization of Ulbricht, Don Lancaster seems like an interesting thinker. Checked out his website earlier and I am now planning on checking out The Incredible Secret Money Machine. Do you have any recommendations for books/essays of his that are not technical manuals? Is this book worth a read/relevant as it was penned in the 70s/80s?
Sorry. It's been so long that I don't remember how relevant that book would be today. If pushed, I'd say don't go out of your way to find it. If I still have my copy it's in the garage, in a box that didn't get unpacked from a move a long time ago. But FWIW there are a few positive reviews of it on Amazon.
I am currently re-reading Taleb's Antifragile book[1] and I think it's better the second time thru. But it probably wouldn't be as interesting w/o Fooled By Randomness and The Black Swan for background.
In Antifragile Taleb admires entrepreneurs and risk takers with skin in the game. He abhors bankers and politicians who benefit from the upside and pass the downside on to the taxpayers. But the book isn't for everyone. E.g. there's no chapter of "7 steps to building future wealth". It's more of a philosophy of life book.
I've read Black Swan and heard Antifragile was quite good as well; I think I'll pick that up instead. Liking these recommendations a lot. Here are a few that are "similar" since I asked you for some recommendations.
I really enjoyed The 48 Laws of Power and a few other titles by Greene. Some of Malcolm Gladwell's books are interesting although they are a tad popsci. Recently finished Zero to One which was good, but if you listen to Thiel often there wasn't much new material. Lords of Finance is a NYTBS that is really well done and reminiscent of Taleb so you might like that.
That's my point. Lumping 9-5 in with "not too bright" gives the false association of "working normal hours" with "not being productive". There are plenty of ambitious, bright workers who manage to get it done in normal hours.
In this context, 9-to-5 most likely means "stops thinking about the job when not on work hours". I doubt it's meant to imply they aren't smart, but they aren't necessarily as ambitious and motivated (or they've determined the cost-benefit ratio of out of work hours work is not worth it). People that go above and beyond in an organization are really who you need to worry about if that organization is your enemy, as they are harder to predict.
And depending on who you work for - working for the government has just landed any close relatives (parents, children, spouse) on a hitlist. You'll be "spared" of course; so you can suffer the rest of your days knowing your decision is what led to your family being killed.
This is the threat many drug rings give dealers who get caught. You do your 10 years and you do not provide the feds with any information or everyone you love will be offed. It's a threat that is very effective at keeping mouths shut.
So the choice isn't always clear-cut "take the government and their protection and work for them".
That is a very good point. A lot of Americans have this romanticized notion of fighting the man, but at the end of the day, our nation's wealth and power (and the stability they require) simply wouldn't be there if our government wasn't so committed to keeping things under its control.
>Many of those Federal agents are just 9-to-5 guys, probably not too bright, quite content to make a good middle class living.
That is not true. I've worked with a few of them, and they are more intelligent than you think. Most of them work 70-80 hours a week, have difficult times with their families (high divorce rate). They just happen to work for superiors that care for "cases closed" and the cosmetic appearance and the applause from politicians of a case being closed.
> "The FBI has effectively smashed the hornets' nest," said U.S. Attorney David J. Hickton, "and we are in the process of rounding up and charging the hornets."
They didn't smash it "in the hand". They smashed it. With a hammer. Flame thrower. ICBM. MOAB. Smoke generator and nets.
I could imagine a hundred ways to smash a hornet's nest that won't get me hurt in any shape or form... and I could imagine a few that would definitely bite back (like, say, crushing it in the hand without gloves).
Once you get past the imagined "hand" part, it's not a bad analogy since they do have to worry about what part of the "swarm" got away...
Overly pedantic, maybe. And it's an awful analogy because he awkwardly abandons it halfway through. Nobody's ever arrested or tried a hornet in a court of law.
The really interesting part is the last paragraph:
> In a related case, Aleksandr Andreevich Panin, aka Gribodemon, 26, of Tver, Russia; and Hamza Bendelladj, aka Bx1, 27, of Tizi Ouzou, Algeria, pleaded guilty on Jan. 28, 2014, and June 26, 2015, respectively, in the Northern District of Georgia in connection with developing, distributing and controlling SpyEye, a malicious banking trojan designed to steal unsuspecting victims' financial and personally identifiable information. Bendelladj and Panin advertised SpyEye to other members on Darkode.
Note that they were arrested in Georgia. Do they mean the country of Georgia, enemy of the Russians and friend of the US? Or do they mean the state of Georgia in the US?
Either way, the US has them in custody, which suggests an arrest on US soil (come visit the US trap style) or a foreign arrest and extradition.
I'm guessing by the tone of that last paragraph that this is how the FBI got in. They flipped them and offered them a plea bargain. We'll find out at sentencing.
I'd assume they mean the state Georgia, based on the fact that they specifically refer to the "Northern District of Georgia" and the press release came from the DoJ.
One of the arrested ones is 20, and he allegedly created Dendroid — a malware that can take remote control of an Android device. He designed, developed and deployed this software (bypassing Google Play's malware detection system) which seems to be quite complex and capable [0]. This proves that he possesses a certain set of marketable skills that are quite sought after in the industry.
So I'm wondering - is this really bad news for them, or will it just bring them enough spotlight to be contacted for some security roles that pay better than what they were earning prior to the arrest?
Many former criminals do lead successful careers, so it's quite possible. However it should be noted that circumventing the Google Play store malware detections is not particularly hard - it's definitely a start, and maybe even a conference talk, but for real notoriety in the security industry you'd want to be consistently discovering novel vulnerabilities in Android, not just figuring out how to sneak malware onto the operating system.
Now, all that said, if you are a competent reverse engineer and can reliably circumvent DRM/license protection, develop binary exploits for high-severity vulnerabilities or perform advanced malware analysis, you can easily earn north of half a million dollars a year in this industry. It is an extremely lucrative time to be working in security.
You don't need to start out as a criminal though. If you want to do things like this then work through CTFs like Microcorruption and OverTheWire and learn how to develop privilege escalation and sandbox escape exploits on very widely used software and operating systems.
>It is an extremely lucrative time to be working in security.
Is it though? The average salary of a security engineer seems to be lower than that of a software engineer, and there seem to be considerably fewer positions available. Those very high paid positions seem few and far between.
These are probably at least half the software engineer positions that pay more than $150k+ in the DC area. Most of the software jobs among start-ups and even commercial software development pretty much capped out a fair bit below that. I know I was dropped from several interviews just asking for a base of only $130k and not being very good exactly.
There's a demand for people that are actually serious security professionals in the engineering sense just as much as there is a massive demand for the bureaucratic "security" folks (that focus upon certificates and such to get their feet in the door of some random defense contractor).
I wonder if the high power security positions just aren't publicly listed. That seems like the sort of job you fill exclusively by recommendation or pursuit of candidates, rather than a job listing on LinkedIn.
Bingo. I'm not talking about "cybersecurity" positions. I'm talking about people doing advanced work in exploitation, reverse engineering and cryptography on a consulting basis or those who work in boutique shops.
I pass the $300k mark annually through AppSec consulting, and this is not at maximum utilization, nor is it a particularly "hard" discipline in security.
I definitely do not mean bug bounties. While it is possible to make a full salary pursuing bug bounties, they are a poor investment of time.
For example, if I am paid to do an exhaustive penetration test and source code review for a company I'll be paid $10,000/week. I might not find a single vulnerability (doesn't happen often), but I still did the work.
If I pursue a bug bounty for the same company I might find nothing at all, which means I earn nothing. I also most likely won't earn $10,000 in bug bounties in a week.
Aside from this, there is a bit of classism in the security industry. Bug bounty hunters are predominantly people from developing countries who do not know how to find even the most simple CSRF flaw, which is really quite sad. They do not have access to the same education and they are mostly hopefuls who want to "break in" to the security industry.
The "crowdsourced security" model touted by HackerOne and BugCrowd doesn't really work, where "work" means you can replace a real penetration test from a real security engineer with it. It works if you have people like Frans Rosen, fin1te or bitquark (famous bug bounty participants) pursue bug bounties on your software, but it doesn't work for the other 9/10 people who will fill your inbox with pointless, invalid reports. For this reason, bug bounty participants are not very well respected unless they have a reputation for good work because of how much noise the average bug bounty generates instead of valid reports. On the other hand, you'll find most successful security engineers don't spend much time pursuing them.
I'd be surprised if OP meant bug bounties. Most rewards seem to be in the $2,000 - 10,000 range. They take time to discover so you'd have to be pretty productive (and perhaps lucky) to regularly find enough bugs to earn a salary in that range.
From what I've seen of these, bug bounties are quite low. I, like GP, would assume consulting. Either for companies acting defensively or with nation states acting offensively.
I guess if people have that level of knowledge, the market dangles money, and they are still willing to take risks to do something different, it could be seen as evidence about how damn boring writing normal code for phones is!
Nothing guarantees that they weren't monitoring this from the start. Nothing guarantees they haven't set-up the successor to this board already themselves.
We know the FBI actually engages in systematic lying about how they gain information about criminals - see "parallel construction".
We know that in efforts to end drug cartels, the DEA will enter into long term alliances with one cartel to eliminate others.[1] We know the US tolerates the rule of the drug-track caste in Afghanistan for the pursuit of "higher ideals".
Just in general, the paradox of mafias, cartels and so forth is that it is easier to use state power to take over such operations than to root them out. Moreover, taking them over has many appealing aspects. The problem is that the more the state moves into simply managing rackets, the greater the temptation to corruption gets, for both the high policy makers and for the low level operatives (you remember the FBI agent engaging in his own embezzlement etc. during the Silk Road investigation). But this problem has been around for a long time; the state by now is probably at a "steady state" in its corruption.
So it seems very possible that the FBI already knows what comes next but can only tip its hand when the next raid comes in another two years.
>The problem is that the more the state moves into simply managing rackets, the greater the temptation to corruption gets, for both the high policy makers and for the low level operatives
Well, that is if you ignore the far larger elephant in the room of the government running an illegal operation. It reminds me of the times I hear of the FBI taking over some TOR server hosting abusive images and continuing to host it as a honeypot. By their own admission, looking at, hosting, sharing, etc. those images constitutes concrete abuse of a child, yet they directly engage in such. It would be like if the FBI busted up a brothel with children and kept running it to catch more criminals. The ends in no way justify the means.
The ends don't justify the means, yet it is also useful to explain, to the people who think they do, that nefarious means generally only lead to nefarious ends.
Is the current state of the law such that possession of these tools themselves is illegal? I would have thought that possession of most "hacking" tools would be legal i.e. for penetration testing and defense - usage against a non-consenting entity would then be the illegal act. I guess I could see some of the cell phone hacking stuff being illegal via FCC regulations...
Note that most of the convictions are for conspiracy to commit crimes or for selling tools expressly to commit them. Spam botnets, selling malware (probably advertised as a criminal tool), etc. While I didn't exhaustively read every charge, it looks like they're arresting people who either used said tools or profited from their criminal use. Didn't see anything related to "possession."
I don't think so, no. I think they also need overt acts in furtherance of a conspiracy to use the tools. It's probably not as cut and dry as "you have to actually use the tools to break into someone". It's a bit of a tightrope, though, because if you're a predecessor on the graph of people involved in an actual crime, sharing tools can drag you into a prosecution.
So far as I know (this is sort of my profession), there's no federal "burglars tools" law regarding malware.
> So far as I know (this is sort of my profession), there's no federal "burglars tools" law regarding malware.
To be fair, many "burglars tools" laws require possession of the tools WITH INTENT to perform a criminal action. The intent piece is key. Merely possessing lock picks is usually fine. But skulking around masked in bushes outside an office building with a pickset, rope, and an empty duffel bag might get you in trouble.
A good list of lockpick laws is collected and indexed state-by-state at http://toool.us/laws.html. You see that in most jurisdictions intent is required.
While malware laws are still much less mature, I would hope that similarly there'd be an intent requirement. Possessing malware for purposes of reverse engineering to develop protections is obviously important, and clearly an activity we would want to remain lawful (and hopefully unlicensed/regulated).
Conspiracy is probably the easier route to a conviction.
Executive orders cannot create new prosecutable crimes.
In this case, the EO exercises rulemaking delegated to the President through the IEEPA, and is confined by the powers defined in the IEEPA, which governs foreign transactions.
I always wonder about these sort of sites, exploit marketplaces, etc. Of course since I'm nowhere near being in the loop on such matters (I don't even know where the loop is or what it looks like), I probably would never even see one before it's shut down and moved elsewhere.
At least in theory, in a democratic society, "the government" should only do things that we've decided to allow. In the US, these decisions are made by representatives we've elected. As far as I know, the USG doesn't sell people's private information to anyone willing to pay to blackmail them, and uses your tax money to enforce the values of our society and the social contract we've constructed more so than to simply further its own power.
Now, obviously, different governments are at different points on the "furthering institutional power" versus "supporting ideals" spectrum, as do other institutions who work in the security space, but equating the actions of anyone who's ever used or traded an exploit hardly seems accurate.
It was meant as a sarcastic comment, of course it is inaccurate. :)
IMHO:
Unfortunately democracy doesn't work, in practice, as the theory might suggest. What we have in the majority of countries are people in power focused on either:
- Preserving their power (status quo), or tangentially the power of those who put them in office
- Shifting the power structure, so that they (and their group) can take control
There are few and far between examples of politicians (let alone governments) that act with true altruistic purposes, favoring the interests of "the people". The built-in incentives in our society (and some might argue, our own nature) unfortunately make this a rare occurrence.
By the way... I might argue that the government doesn't sell our information because there is no buyer. It is the user of this information. It is used to control (mainly to control dissent). ;)
Hah, thanks for clarifying, I had a suspicion, but still wanted to write out the argument in case there was some truth to the sarcasm.
It's hard to talk without going down into specifics. Different people got into power in different countries in different ways and are kept in power by different means. Switching out the hierarchy that's in power seems healthy for a society, and happens every once in a while, as well (e.g. in Nigeria's recent election).
I don't think we should expect politicians to be altruistic and I think democracy is a spectrum. America has a somewhat democratic system, although almost half the eligible people don't vote, and a large portion of the population that does vote appears to mirror campaign spending, which is controlled by a much smaller, but still relatively diverse number of donors. Increasing the number of people with enough discretionary spending to give to campaigns makes this system more democratic, as does lowering the max amount an individual can contribute.
Perhaps one day we will have a society where everyone contributes ideas evenly to this distributed system that is democratic government, but for now, I think it's important simply to look for steps in that direction - get more people thinking and talking about political ideas, understanding the issues, and weighing the consequences of their vote.
Personally, I find the electoral college system the biggest barrier to engaging people... "what does it matter, our state is going for candidate X anyway".
I don't think the IC uses their capabilities to advise campaigns or blackmail dissidents anymore. They might have under J Hoover, but I imagine that to be wholly a blemish of the past.
Maybe, maybe not? I'd bet it depends on the people, depends on the job. Are you an anarchist assigned government drudgework? Bad news. Are you a chaotic neutral "forced" into fascinating meaningful government work? Might be great for everyone even if you wouldn't have taken the job normally.
"Those indicted include Johan Anders Gudmunds, identified by federal documents as an administrator of Darkode who created a large botnet of hacked computers that stole private information "on approximately 200,000,000 occasions.""
And on such a paltry amount of private information events compared to what the NSA captures!
Because of the embarrassing hack of the Office of Management and Budget, the feds needed a high-profile "win" to give the voting public the appearance of competence.
The website was important only for facilitating the illegal activities. Keeping the website alive while being under surveillance by FBI wouldn't be of much benefit to the members of the community.
> Investigators say that while the forum's existence was widely known, they hadn't been able to penetrate it until recently. Darkode operated under password protections and required referrals to join. On Wednesday, the site consisted of an image saying that it had been seized by authorities.
> The arrests come after a two-year FBI undercover operation that infiltrated the forum, said FBI Special Agent in Charge Scott S. Smith. Wednesday's announcement reflects work in countries that range from Brazil and Costa Rica to Latvia and Macedonia, the Justice Department says.
For various meanings of the term "Recently". So they've been trying to get in for 2 years and only just now got in, by pretending to be from Latvia?
So you're saying that they couldn't even get in on their own? They had to find someone with what I'll call a "legitimate reason" for connecting to the darkforum, and had to sneak in that way?
Yes it would seem that way. Check out the top comment, it has a quote where it looks like they turned someone in January and someone else in June. So the first was the person who got them onto the board, probably just a user/low-level carder, the second was likely an admin with more privileges, perhaps even access to PMs. Once they had the admin they were able to close it all down.
Replacing the site with a takedown image seems almost comically stupid. Why announce it to anyone? Why not keep the site running indefinitely under your own control to track and catch the people who continue to use it?