53 comments

[ 3.2 ms ] story [ 122 ms ] thread
./intonation/ns.huawei.com.cn___202.96.135.140/jackladder

Heh, must be fun to be able to own any auto-updating Huawei device.

Oh shit! Dear Equation group: Any incriminating information found in my gmail account was planted there by PUTIN. PS: Being a Huawei device, expect Gyna to have the initiative on said info.
Hard to tell whether the broken English in the post is real or intentional.
Just my personal opinion, but it feels intentional to me. Not that I think the writer is necessarily a native English speaker.
Intentional I think
(comment deleted)
Based on the last paragraph

> How bad do you want it to get? When you are ready to make the bleeding stop, payus, so we can move onto the next game. The game where you try to catch us cashing out! Swag us out!

it sounds intentional. "Swag us out" is pretty colloquial.

Intentional. It is a happy route to wearing glasses and a beard to deceive the world on your identificational categories.

It's clever because someone will not usually be writing in this manner. The only good identifiers are "Amerikanskis" and "USSA" which could unintentionally slip into conversation on Facebook or Twitter and which are unique enough.

I disagree on those as identifiers - they're pretty clearly conscious affectations.

'amerìkānskī' is an existing word, but it's an adjective describing American-style things. Converting it (via English rules) into a mocking noun for Americans appears novel, and I can only find a few instances of people using it as a joke on forum threads.

Plenty unique, then, but not something the writer would likely stumble into using ever again.

Yeah, I also thought it's just clever linguistic invention.
My first thought reading the post was that it reminds me of Polandball memes.
General consensus from the last round holds that it's intentional.

They may not actually be native English speakers, but it would be hard to tell because the affected, consciously bad English overrides unconsciously bad English. I suppose maybe a linguist could comb through it all for subtler stuff like sentence structure.

"Amerikanskis" alone is a pretty serious tip-off. "amerìkānskī" comes up as a Cyrillic adjective for American-style, but I can't find any non-parody instances of people converting it into a pseudo-English noun.

I am Russian, and I am a native speaker of bad Russian English. :) This is not it.

A Russian wouldn't use "Amerikanski" as a pejorative, we have "pindosy" for that. And we'd never use "SCOTUS", for variety of reasons.

This styling looks intentional to me, and doesn't seem to be Russian.

The post uses "Amerikanskis" (with the "s" at the end) and it's a big tell. Only people who do not understand any Cyrillic language could come up with something like that.
That was my thought exactly. Someone took a Cyrillic adjective, treated as an English noun, and then applied an English pluralization to it.

It's not the first use of the word, but all of the other examples I can find are very similar English-language jokes/insults.

> Someone took a Cyrillic adjective, treated as an English noun, and then applied an English pluralization to it.

So a Russian with a deep background in linguistics intentionally bastardized something so it looks like an English speaker trying to sound Russian. Clever.

An actual English speaker wouldn't even know the root word existed.

Sure they would, it was in every silly American movie about evil Russians in the 80s.
Not necessarily, you're overthinking this. It's just what anyone with basic vernacular knowledge of English but no actual Russian language skills would do to generate 'pseudo-Russian'. It's a pretty common idiom to make an English adjective into a Russian sounding one by adding '-ski' to the end of the word, and then to pluralise it, add -s to that, as in normal English.

So, for many small Russian cats, we have the following:

    'Kitten' -> 'Kittenski' -> 'Kittenskis'
The definition of the '-ski' [1] suffix has some other examples. This advert [2] for yoghurt (and yes, it was for Ski unfortunately, and somehow they spent GBP 8.5 million on it...) from 2003 also used the same formulation. See also 'Eye Dialect' [3] used to show foreign or regional speakers in literature, or the use of a backwards 'R' character to create a faux cyrillic, Russian feel; as seen in the Tetris logo.

    1. https://en.wiktionary.org/wiki/-ski
    2. http://www.campaignlive.co.uk/article/170244/nestle-comes-faux-russian-relaunches-ski
    3. https://en.wikipedia.org/wiki/Eye_dialect
I'm delighted that this whole thing led me to a discussion of 'eye dialect'. I've been fascinated by that sort of writing for years, and I never knew it had an actual name.
"I am Russian, [..] This styling looks intentional to me, and doesn't seem to be Russian"

Well, then I suppose that, if they are Russian, they are doing a great work.

Curiously some of the server names are misspelled, wouldn't expect that from a dump.

s03.informatik.uni-bremin.de -> uni-bremen

It is hostnames and IP addresses, not DNS names and IP addresses.

I've seen boxes inside organizations where the orgs own domain was typoed.

(comment deleted)
Here is the full file tree: http://pastebin.com/HWf43kav

Any idea what this is ?

Edit: this article [1] provides more information stating that the list is the NSA's list of staging servers, compromised machines that they use to launch attacks from. Apparently the list is 9 years old.

[1]: http://www.networkworld.com/article/3137065/security/shadow-...

Seemly this is a list of several NSA "zombies" used for cyberwarfare.

After googling parts of the file, I found a news report that claims they actually put some of the addresses there in SHODAN and actually did get into machines actually infected with NSA cyberwarfare software.

They can't really get in and scrub these, because people are watching them now, so upside, some poor sap isn't having to go in and do a ton of cleanup work, downside is there are a lot of potential honeypots now.
Scrubbing is the least of their issues. This list will make retroactively attributing attacks to the US a lot easier.

Assuming it's real, and not someone "framing" the US by releasing a list of their own relays.

A list of compromised (or C&C) servers, and what tools are being used.

edit: Posted at same time as speeder, what he said.

I was looking through this "dump" yesterday. There's not really much in there other than some hostnames and IP addresses of compromised hosts used by the NSA to launch attacks but some of the "timestamps" were as far back as 2001 (there might be even older, I didn't look through all of the files).
> On November 8th, instead of not voting, maybe be stopping the vote all together?

My idiot buzzer went off at the start, but by this time it had melted the resin casing. There's nothing of value in that blog post, not even analysis or interesting ideas.

I don't think you should pay attention to the prose except to be amused by it; the prose is just there to half-assedly fulfill this "anarchist hacker" role that the Shadowbrokers persona represents.
I did a quick summary of the data to show OS exposure. It's mostly Solaris on SPARC, but there's a smattering of Linux and other stuff in there too (including some DEC OSF, HPUX, Irix, and SCO!).

http://pastebin.com/CsKKLKit

Some of the timestamps I saw (I only looked at a few of the files) were as far back as 2001. Linux servers are obviously extremely popular on the Internet nowadays but I can remember "back in the day" when Solaris/SunOS was the popular platform (and, to a lesser extent, the others mentioned) and one of the primary targets. There were lots of exploits for {sendmail, BIND, the NFS server, ...} running on Solaris -- which was a PITA to keep up-to-date.
It's weird how it's never Chinese or Russian data that gets dumped all over the Internet by these self-proclaimed hacker vigilantes, just American data. Yeah, that's what it is. Weird.
Isn't the consensus that this is a thin veneer of "hacker vigilante" that isn't even meant to be convincing?

Most of the discussion seems to follow the track of "this is a state actor burning old TAO information to embarrass and send a message to the US". The ludicrous aspects of it ('Shadow Brokers', fake accent, scam auction) amount to some plausible deniability and not much else. So there might be the pattern you're mentioning, but it hardly applies in this case because this isn't even meant to pass as real vigilantism.

Agreed, if it was too convincing then the message might be lost by the U.S. government.
It's like the kid who trips someone on the playground and goes "it was an accident, I swear!" Making it look like an actual accident defeats the point, you just want enough ambiguity that no one could prove in court (or the principal's office) that you're guilty.
See also the ongoing investigation of the MH17 incident.
This entire things reads like Teddy KGB (John Malkovich's character in Rounders) wrote it.
Go back and read SB other messages[1]. After the first message, it seemed like a PR stunt by a foreign intelligence agency, with this impossible auction designed to throw people off, but all of their messages since have been designed to explain the auction process more thoroughly.

Try imagining yourself as a young sysadmin who stumbled across an entire dump of Equation Group while investigating an infection. You realize the value of such a thing, but have no underground contacts to use to fence it. You can't walk into a Chinese embassy and try to sell it, they might kill or report you. So now you have to try to get rid of the thing and maximize your return while not sacrificing complete anonymity. You don't want NSA on your ass for the rest of your life. How would you proceed?

The messages are getting a bit more desperate. They went from the $1,000,000BTC in the first message (which SB says was interpreted incorrectly), to a public release if 10,000BTC was crowdfunded, and now they want a cool $million.

One of the Q&A questions answers the "why trust us to deliver?" argument. They say this is about reputation. No delivery=no reputation. Imagine the kind of deals SB could make in the future with SB PGP key signing stuff if they delivered on this transaction. You would catapult yourself to the worlds most famous cyber arms dealer in one day.

Reminds me a bit of Trainspotters or the guy in Neuromancer who steals the mechanical talking head and fences it to The Finn. People who come across extremely valuable items with no way to easily sell. It rarely ends well.

Of course this could be all misdirection, but I'm leaning towards the much more interesting notion that this is legit. I just hope we hear about how it ends. It would be pretty boring if they quietly sold the data to some foreign service and we never learned anything more about one of the most interesting chapters in recent cyber warfare history.

[1] https://medium.com/@shadowbrokerss/

The language is intentionally crap. Attribution is always difficult.
If this was accidentally 'found', what are the chances of 'zi Russians' deliberately stumbling across something by accident? More likely to be lowest common denominator? Attribution is difficult, but it seems people who should know better are running with the Russian hypothesis.

eg: toddandclair Premise connection is deemed obviously a misdirect, yet Guccifer 2.0's blatantly Soviet era metadata and Cyrillic type is not? I mean, if anything, at least with the Premise connection, they made it 'seem' like a mistake.

And the phishing email in Podesta's inbox, when multiple people already had his password/access to his inbox. So the conclusion is it was the Russians that leaked? Wouldn't it make sense to use Podesta's emails to increase the attack surface size for more targets?? Why would you want to relinquish that access when there was a good chance Hillary would get into power? And then all these other people with access, why couldn't they have leaked it? Hillary's campaign's attrition rate and cynicism was high even within ring of closest advisers. All you have to do is read the human side of the emails to know there are many, many, many, much more likely sources for the leak.

It doesn't seem far-fetched to stumble across this "by accident".

Imagine you're working in IT or InfoSec for the Russian (or any other state/national) government. You see attacks coming in from IP addresses in another country -- maybe they were successful and you're investigating a compromised host. You find these IP addresses in the logs, do some investigating and find the host that attacked you is running a vulnerable version of sendmail (for example). So you compromise the host as well and, once you get in, you find the previously released exploits and such sitting in a user's home directory.

I don't think this scenario is that outlandish.

OK, hyperbola aside, stumbling, as in finding the tools still there, and yes, what you said is one of the many possible examples certain people are pushing. Looking at the addresses of all those command and control servers, however, it literally could have been anyone else from any country in the world, regardless of who they were attacking. What are the chances the one with the bad clean-up job is the one found by Russian govt specifically. Esp since they were targeting routers, presumably any response team/curious admin, or one of the million scaning haxors could have either followed the crumbs, or simply stumbled upon the doors left open at the cc end.

Or there's this hypothesis: http://arstechnica.com/security/2016/08/hints-suggest-an-ins...

Which makes a hell of a lot more sense than assuming any of the aforementioned (not least any of the smaller subset of said unlikely scenarios leading to PUTIN).

Oh, I completely agree with you that what I described is not very likely to be what happened here. There are a number of other theories that are much more likely (including things like you described), I just don't think that "my scenario" can be completely ruled out. Stranger things have happened.
My God, it's full of nameservers and mail exchangers! Many at our nominal allies.