363 comments

[ 2.9 ms ] story [ 333 ms ] thread
(comment deleted)
Would be interesting to hear more details about which software he's using (OS, "Secure File Transfer desktop client", firewall).

Also, it would be interesting to see what one could find on a raw disk image clone (hidden files? rootkits?).

Hello, I'm the person who wrote the blog post.

I am using Transmit for Mac OS X, by Panic Software, version 4.2.

transmit can be scripted so it could be anything running on the machine that is backdoored.

i assume they had connection for sending commands that was separate because the sftp sounds like it was blocked but the uploading stopped apparently in response to external stimuli. seems kind of lame to have some kind of connection sending commands and then using transmit to upload files.

Unless you had logs in Transmit indicating it was used, I would recommend not saying they used Transmit to do it - considering OS X has a builtin command-line sftp client:

http://developer.apple.com/library/mac/documentation/Darwin/...

If you're still concerned your machine is affected, I'd recommend getting Little Snitch - which automatically blocks connections (both in-bound and out-bound) that are not pre-approved. In addition, when it auto-blocks it records the application that was making the connection attempt in the auto-block rule.

(Well, actually I'd suggest you dd a backup of the drive to analyze - then wipe and start anew.)

If they hired anyone of any worth, the person installed a timed launchd (or cron) controlled script to run rarely and at odd hours to upload content from your machine to those remote locations. This kind of setup a.) would use a command-line tool for the upload and b.) unless they knew you had Transmit it would be designed around executables already included in OS X or that they installed.

Unfortunately, if it has stopped, they've probably deleted the scripts and cleaned up the evidence. If you've got Time Machine running, however, you may have backed up some of their handiwork.

OK, the proper way to do this is to not touch the machine at all. Shut it down and leave it alone. Maybe borrow its hard drive and back it up using 'dd'.

Set up a separate Linux (etc) machine with two ethernet ports as a firewall/router, running wireshark in addition to everything else. It can now log all packets in and out of your network, and save them for later analysis.

If nothing interesting happens in the time it takes you to get bored, copy just the files you really need across from your old HDD to a shiny new one.

Given that the author of the blog post seems to understand cryptography - but doesn't seem to have much in the way of the forensics skill set - I did intentionally try to keep my post at the general consumer level (though I did mention dd, like you suggested).

The real -legal- solution is to turn the computer off, stop touching it, and get a lawyer specializing in computer crimes. Get the machine to them so they can make an image of the drive, complete with hashes of the filesystem, so that they can prove it hasn't been tampered with past that point.

Then let -them- do the investigation, with someone that has the documented skills a court would recognize.

Thank you for your response, though. I was just trying to be a little more practical.

Good point(s).

I was more addressing the techical "How can I tell if my computer is haunted?" question than the original poster's legal issues, on which I am not at all qualified to speculate.

Which firewall are you using? The one builtin on OSX?
I don't want to hijack the thread, but I am using the built-in OS X firewall.

Anything wrong with that?

Nope, just want to know (since I use it too but i'm looking for something better)
> Anything wrong with that?

If you want to protect against the kind of attach he hypothesizes to have experienced, yes. Trying to catch root backdoor on your machine by running a firewall on that same machine won't be much help. He called it an "external firewall", so I imagine it was a separate machine that noticed the outgoing requests.

That I understand, but I was wondering if there were inherent problems with the standard FW.
Yes, there are inherent problems with the built-in firewall. The bad guys know it is there so any exploit that they install will likely modify the firewall to cover their tracks. External firewalls can be trusted more than built-in software.
I would be surprised if the built-in firewall even blocks any outgoing connections by default. I'm not on my MBP at the moment so I can't check for sure.
How did they get access to your hardware? No disk encryption?

Might be crazy, but when I travel I setup a webcam in my office to upload to a vps and then ustream 24/7. Highest quality (don't care about bw since nobodies home.)

The post does say Ever since my return from NYC as when the activity has been encountered. Since I'm guessing that he didn't have his external firewall with him on travel, the access could have taken place in an airport or anytime in the US.

It would be interesting to hear if/when he didn't have direct control of his laptop while on travel.

I doubt he brought his desktop with him to NYC. It's the desktop that's acting suspiciously.
True, but if his laptop has been compromised while he was traveling, that could have been used to get access to the home system.
Hello, I left for NYC for five days. Since I develop sensitive cryptography software, I do not store anything sensitive on my desktop, only on my laptop, which is kept with me at all times (even when going on dates and such.) It was my desktop that exhibited this behaviour after my 5 day trip to NYC. Stupidly, I left it on the whole time. I do use full disk encryption.
(comment deleted)
With physical access, one could at least theoretically backdoor the boot partition and then "rootkit" ("bootkit"?) the rest of the machine.
Sure, but a reboot would be obvious, and writing to a partition while the OS has it mounted seems like it could go quite poorly...
It's actually not all that uncommon for well-written rootkits to do just that.
Cool, I learned something. I guess the boot partition is likely to be inactive, and with a ffs-derived file system you can simply overwrite some file in place with your own functionality. E.g., replace some unused driver code with your rootkit, which loads itself on probe.
Do you backup the information stored on the laptop? Are you worried about being "mugged"?
I am reasonably worried about being mugged at this point. The FBI has already tried to entrap me less than a year ago.

In fact, that's why I published this blog post. To protect myself.

Good. Publish everything.
Prepare to be mugged now that it is known where you keep the family jewels.
This is an interesting mindset...I'm inclined to do the inverse, because of how easy it is for someone to steal a laptop.

While yes, a desktop can be breached (as it apparently was in this case), there's more surveillance options you have with which to secure its surroundings. And agents would have to get a warrant anyway.

If you're worried about the prospect of them warantlessly breaking in...I guess that the more likely danger is that if they are willing to resort to that, they are also willing to stage a robbery in which someone punches you in the face and makes off with the laptop. Or hire someone to spike your drink during a date.

The point is to surveil him, not steal his laptop. They would want to know what he's doing, not what's on his hard drive.
It's trivial to put a keylogger+rootkit on an unattended desktop than on a laptop in your bag. Stealing hardware can't be prevented, but the risk is mitigated by good full disk encryption.
You're paranoid, man. Take a deep breath. See a doctor if you can.
Seriously? He has perfectly valid concerns and you call him paranoid? I guess we know who the CSIS agents are.
HN is a public forum. You really shouldn't post this sort of info here (unless you're trying to actively mislead whoever is targeting you).

As somebody else said: take a deep breath, take over 9000 backups, and start reducing your attack surface without falling to complete paranoia.

(comment deleted)
I'm pretty sure that no legitimate covert service operative would identify themselves as such, nor would they brag about going to conferences.
Working for CSIS doesn't mean that you're a covert operative. I know plenty of present and past employees of CSIS, CSEC, CIA, NSA, GCHQ, etc -- my understanding is that the general rule is "don't call attention to your affiliation, but it's ok to say if evading questions would draw even more attention to you".
this whole account sounds patently ridiculous considering the nature of cryptocat.

i would like to think that "CSIS" had better things to do.

Spying on and harassing activists has, for a long time, been a big part of what CSIS does. I personally know tech activists that have been spied on and harassed. The RCMP is also known for this.

Mainstream new story from a couple weeks ago in which activist orgs complained of CSIS harassment:

http://www.ctvnews.ca/activists-warn-against-csis-intimidati...

Spying on and harassing activists has, for a long time, been a big part of what CSIS does.

Give me a break.

Canada has a very open door immigration policy. Unfortunately that open door draws in people who actually don't like what Canada is about (which makes it weird that they would come here) and who conspire against, effectively, Canadian society. I welcome that law enforcement cares about this and does normal investigations.

Further from a corporate perspective it is well known that China, in particular, is going absolutely rampant with corporate espionage in the West. This is a major concern.

Or just call it some sort of "anti-activism" creed.

>Unfortunately that open door draws in people who actually don't like what Canada is about ... Or just call it some sort of "anti-activism" creed.

Sounds like what you're saying is that because CSIS does some legitimate things it means they don't also do less legitimate things, like harass/spy on activists.

Perhaps the confusion is because CSIS spying on people is a legit thing.
Writing cryptography tools, and activism in general, aren't illegal and people who don't break laws should not be spied on or harassed.
If they knew who the lawbreakers were, they wouldn't need to spy on anyone.
Good logic to justify blanket domestic surveillance.
I personally know and have seen the logs from an activist who has CSIS host-names show up in his blog for the past few years. This came after the G8 fiasco in Toronto, where they pulled him in for questioning.
I personally know and have seen the logs from an activist who has CSIS host-names show up in his blog for the past few years.

So? I have the CIA appear in my blog logs and have for years. People work there, and some of them like blogs. Is that, apparently, "harassment"?

They do spy on and harass First Nations activists, notoriously.
Investigating people who are doing unusual things is part of their job. In cases like the Occupy movement, it's entirely appropriate for them to say "gee, something's going on -- it seems mostly peaceful so far, but does it have the potential to become violent later?" and investigate.
Surely all 2500 CSIS agents are busy harassing the other three high-profile 23 year old crypto hacktivists in Canada
Same goes for the DHS. Yet, from the Wikipedia article about Cryptocat:

Cryptocat developer Nadim Kobeissi was detained and questioned at the U.S. border by the DHS in June 2012 about its censorship resistance.

I'd like to know more information.

As it's written this seems to be a very confused article to me. What exactly is the author's point in writing this? And what is his next step moving forward?

What operating system does he use, what software under that operating system (specifically the FTP client), does he have a secure firewall, etc. etc.

Mac OS X, Transmit by Panic Software (v. 4.2) — I blogged this in order to protect myself.
Wow, thanks for the fast reply!

Can you tell me what your next steps in proceeding are, or would this violate the protection you're attempting to set up?

I am currently in a state of shock and rage. I am contacting helpful friends, documenting every shred of detail for my own protection, and mirroring evidence to multiple servers in order to prevent it from being erased.

Helpful advice is more than welcome.

If you feel like having a mirror in an EU country let me know, email in profile.
Nice try, CSIS. (Just kidding.)
The same, in Paraguay :-) Poor bandwidth but enough storage. Just let me know if I can be of any help to you.
You'll be OK :-) Keep calm and carry on. That's all the advice I have.
If you have not shut down the machine, I would do a memory acquisition (http://code.google.com/p/lime-forensics/, can be analyzed with Volatility) and a raw disk acquisition (you can use dd) and get to someone for forensic investigation to look for rootkits and other evidence of tampering.
I'm sure you know very well how to record and preserve data, so I won't advise you on that note.

But you should try to script something quickly which will automate these actions for you. And you should also try to make a bot to investigate the "backdoor" more.

Aside from your evidence, is there anything that has happened in the past that would lead you to being a target for the NCIS?

He is of Lebanese ancestry and studied in Lebanon for 2 years thus he likely speaks Arabic and has Arabic speaking friends. This alone could be enough if someone among his acquaintances has terrorist links. In addition he was one of the first to speak out about Bradley Manning's arrest, in his support, which raises the possibility that he has connections with WikiLeaks, lulzsec, etc. That is enough for CSIS to investigate him. He also has traveled to the USA which is where the FBI gets involved and, of course, anything regarding terrorist connections or lulzsec brings in the CIA. Quite frankly he is not a clean person and should not be developing software like this. If you were a business executive with shady dealings, would you want to use software from this guy? Would you trust him not to install a backdoor? And would you take the risk of travelling across an international border with a copy of this software knowing that 3-letter agencies associate it with terrorism?
What "shady dealings" is he accused of apart from being Lebanese and expressing an opinion on Bradley Manning?
So since he's Arab and involved in activism we shouldn't use his software, interesting. Even more interesting is you seem to be getting upvotes. Congrats, ass.
He is a person. He is being attacked because he has a conscience, actually likes to protect the freedom 3 letter agencies are out to destroy while claiming the opposite, and pays more than lip service to it. Thanks for the bootlicking demonstration.
I don't feel as though you know enough about the man or his situation to make these judgements.
Two bits of advice for what to do after backing up evidence:

1. If you suspect the machine was tampered with, do not use it again. There are a lot of places a backdoor could be hiding, even after you reinstall the OS.

2. If you do not do so already, use smartcards for crypto. Don't store keys on your machine. It is easier to carry a card around than a computer, and smartcards are harder to brute force.

Can you recommend a smartcard?
The easiest one to buy in small quantities is probably the GPG smartcard, although I have not had much luck with it in the low-end reader that my laptop has (YMMV but the same folks that sell GPG smartcards also sell card readers that should work). Otherwise, I am only aware of cards that are only sold in bulk i.e. for corporate and government use.
Very curious to look at your logs. Pastebin?
Why do you use Transmit? Panic's software is known (amongst people who do reverse engineering) for having many holes.

If you're doing really security sensitive work don't run questionable software which you don't have the source code for.

As someone who uses Transmit... what would you recommend instead? Command-line sftp?
And now his server is down?
Nothing to do with traffic, must be the agents trying to silence the truth.
Or that it is Wordpress.
"Never attribute to malice that which can be adequately explained by Wordpress"
Definitely isn't anything to do with the thousands of geeks who like conspiracy theories pounding his server on a Saturday evening?!...
No, this seems like overload. To be fair, HN isn't exactly gentle on WordPress sites to begin with, especially if they're not aggressively being cached.
What a wonderful creature that young man is. Eyes of the hero.
"Whats that abeut? Are they not your friends buddy?"
Is the OP sure those were CSIS peeps? Just wondering based on how they bumbled through their attempts at making contact. Thought intelligence agents would be slicker than that.
Maybe this is the new guy, and it's his first assignment. Maybe it's not CSIS, but some other interested party. Seriously though, they're gov't employees, the hiring process does not guarantee the highest quality in every case.
Fair point, until the bit where his PC is trying to send information to the CSIS.
Actually they're not agents, but officers. IIRC the agents are the informants who are not working for the agency.
This guy should widely distribute the SFTP creds being used by the backdoor agent on his computer. Then we could all be helpful by uploading useful data to the Canadian government's spy server.
While an amusing suggestion, I sincerely hope everyone realises that such a move would be ... incompatible with a long and healthy lifestyle. Both for Nadim and anyone foolish enough to do so.
On the other hand, anyone who has reason to believe there might be information critical to their investigation embedded in the full version of Two Girls One Cup, it is their civic duty to submit that video to the authorities.
But sneaking it in through a backdoor and smearing it on their server is probably not going to be well received. (any unintentional puns are entirely unintentional).
Why?

Are you suggesting the CSIS kill people? Who are going to be missed because they have said they are under surveilance? Or even abroad?

I am suggesting pissing off CSIS, or any law enforcement body, is not a good idea. I doubt you will be outright killed on purpose, but arrested, detained and interrogated is a reasonable risk. Worst (reasonable) case is being jailed for "interfering in an investigation" or "unauthorised access to computers" or such like.

Magikarp is doing everything right so far. He doesn't need to cross a line by exposing CSIS servers to attack. And nobody else needs to play with CSIS servers either.

Protest and demonstration is one thing, but playing with law enforcement servers is like throwing bottles at police cars for the lulz and is just asking for the book to be thrown back at you.

CSIS is not nearly as eager to unjustly violate personal freedoms out of spite as its American counterparts seem to be.
even though i am not "allowed" in canada currently, i found the govt folks to be pretty reasonable when i had to interact with them.
What did you do to cause yourself to consider your Canada privileges revoked? Felony conviction as a non-Canadian-Citizen?
I have asked before, but why would you want to live in countries where this train of thought is a possible reality? Although chances are not great 'it will happen to you', anything over 0% is far too great for my taste.
I entirely agree, which is the main reason why I am not interested in working in China again. But we don't live in a perfect world, compromises need to be made and living in a Western democracy is about the best you can do for your rights. Beyond that I feel you get into diminishing returns. At some point your treatment is based on the whims of the law enforcement officers and their particular culture which is very hard to measure and changes and evolves over time and political environments anyway.

Do you have evidence of any particularly good countries?

If he was backdoored by a 3/4-letter and he is not skilled[1] in malware analysis how likey do you think it is that he will recover the credentials? Do you think it is as easy as:

  $ ls -l ~/.ssh
  total 80
  -rw-------+   1 nadim  staff   737 Aug 22 01:39 authorized_keys
  -rw-------+   1 nadim  staff    35 Jan  5 21:32 config 
  -rw-------+   1 nadim  staff  3243 Aug 18 10:57 id_rsa
  -rw-------+   1 nadim  staff   735 Aug 18 10:57 id_rsa.pub
  -rw-------+   1 nadim  staff  3326 Feb  2 21:41 id_rsa_CSIS
  -rw-------+   1 nadim  staff   749 Feb  2 21:41 id_rsa_CSIS.pub
  -rw-------+   1 nadim  staff  3198 Feb  2 21:46 known_hosts



[1] I have no reason to think he does or does not posses this skill. I only mention it in the negative because it was not in his wikipedia bio.
I'm somewhat surprised that the cryptocat project has been ruffling so many feathers (assuming that the story is in fact what it appears to be).
i know the author (nadim) is in here and this is all a bit fantastic. cryptocat is one of many crypto snake-oil products that i would never consider using for any kind of secure communication.

using defective crypto products is much riskier than not using any crypto at all and exercising caution. cryptocat has always seemed a poorly disguised honeypot to me.

I think a statement like that needs a little more in the way of support.

Cryptocat has been fairly well reviewed by a number of fairly smart people. While flaws have certainly been found, they've mostly been addressed, AFAIK.

"Snake oil" has been a popular term to throw around ever since the original PGP user's guide, but simply labeling something "snake oil" without any actual proof is a dangerous thing to do (especially when it's an open source product, and you should be able to point to any defects specifically).

Edit: I realize the term 'snake oil' predates PGP, I was referring to the crypto community's penchant for it.

The fact that he's young, brilliant, and identifies as a hacktivist make it more feasible. He's a future threat.
That's how the US has treated its hackers since ... the beginning. And that's why the Chinese are almost certainly eating our crypto-lunch. You'd almost think the authorities are compelled to help CN.
It would be nice if you could meet me for coffee and say this to my face, friend.

I am trying to protect myself and my open source project, which, by the way, has been audited countless times and has progressed greatly towards security. If you have a problem with me, then call me up and discuss it instead of stressing me out even more when I just discovered that the government is building a case against me.

If you don't like my work, file a bug report. Check out our documentation. Review our OTR implementation. Submit a pull request. Hack some code. Just don't say hurtful and untrue things like that in public. You can do better.

They can't help it, friend. :-) It's what the human brain does.
Law enforcement officers come to you with a correctly formed legal document - a court order, or a warrant, or somesuch - and ask you to serve a malformed client to some cryptocat users. This malformed client will give the impression of encrypted communication, but will actually allow the law enforcement officers full access to the plain text (but only for the specified users). What do you do?

This is the Hushmail attack, and it seems like Cryptocat is vulnerable to it.

Cryptocat is a browser plugin. You need to download it like everything else. The source code is on Github.

I swear upon my father's grave I will never do something so dishonest and evil towards everyone who has supported Cryptocat, the most meaningful thing I have made with my life.

Unfortunately, I don't think you have a choice in these cases, I think you are obligated by law to do it.
You always have a choice. In this case, you can refuse and go through the legal system. If you've made that choice already, then you can further raise a big stink about it and hope public pressure forces the gov't to back down.
Oh, interesting, I didn't know that. Thanks for clarifying.
Ask the law enforcement officers to send you a pull request instead?
Except he's distributing his client via the Google Chrome Web Store, so if law enforcement had a way of requesting that a particular user's software be backdoor-ed [1], they'd go to Google, which would also be significantly less likely to engage in civil disobedience.

1. I'm not a lawyer, but I'd be surprised if this were legal.

You are handling things exceptionally well under the circumstances. If anything, I find it incredulous how eminently sensible you are being. You have my respect.

Some people are fanatics who will never believe. Perhaps there wasn't enough hacking in terminals with falling green letters or he doesn't think crypto software can possibly be easy for non-security professionals.

Again, you are doing the right thing. I'm only sorry the only thing I can give you is my support.

I think that the reason you are seeing this response towards your project is that it's not entirely clear what it is intended for. As in who cares about security enough to encrypt their messages but not enough to install a standalone client, which has a stricter security model.

That being said, I think it's a cool project and it seems to be pissing off all the right people, so keep it up. And I'm not a lawyer but I don't think that the gov't has a case against you (or am I missing something). In fact, it would appear that this might be warrantless wiretapping so you might have a case against them, but I'm not sure if that is something you want to pursue.

"As in who cares about security enough to encrypt their messages but not enough to install a standalone client, which has a stricter security model."

this is so spot on. secure comms have no place in a web browser, which is a complex beast with a large set of underlying dependencies. webkit vulnerabilities leading to comms being blown is a crappy architecture.

people who care about comms use a standalone client and a separate server. if you care about the integrity of the server, you run some disk crypto, DDR3 memory, secure it physically, etc.

Are you recommending DDR3 memory because you think it's resistant to cold boot or reset attacks?

That is not the case. DDR3 memory will not help you.

maybe they meant ECC memory?
Is ECC more secure than regular consumer grade memory?
More "secure" from single bit errors, but not for recovery -- kind of the opposite goal. The big difference is DRAM (mostly the same, including DDR3) vs. SRAM (of several types -- relevant due to use in HSMs, cpu cache, etc.). DRAM has been getting worse/longer duration as it becomes lower power, so arguably DDR3 (being relatively new) would be worse than 1985 RAM.

CPU registers are the safest place against this attack (hence stuff like TRESOR where AES keys are held in CPU registers), but are by necessity limited (especially on x86; SPARC was better, and some of the new extensions to x86 help (SSE, etc.)

Most of this has been mitigated to some extent by periodic inversion of sensitive strings in main memory (keys, usually) -- this has been implemented in ~all crypto libraries.

SRAM's huge advantage is you can clear it faster than DRAM, but that doesn't help if you can somehow prevent the clearing from happening.

Certainly DDR3 memory (as a type of main memory) has less permanence than hard disks (i.e. secondary storage). It's a side effect not a desired goal.

Especially if you're bit-flipping sensitive stuff, there's probably a good hope for protection from recovery at normal temperature after what, 30-60 seconds? So reset is an issue, but "keep sensitive things in RAM vs. on disk" is still a reasonable security precaution.

"secure comms have no place in a web browser," Agreed. Any good stand alone stuff you could suggest? Also, why cryptocat is browser plugin? Why not also make stand alone version? Like with contacts and such ( I know aka "skype with list of contacts you have secret conversations with that you don't want anyone to know about" would be silly but would have it's uses if it would also keep cryptocat style of "join public room and then go to private conversation")
your original product was riddled with problems, so much so you had to entirely change the architecture. a stream of ppl popped out of the woodwork and had a laundry list of problems with your original work. making security products that are not built properly endangers those who use it, as i am sure you have heard many times before.

you are clearly very talented with marketing yourself and the project, so cryptocat getting lots of media coverage led to an essentially crowdsourced design for cryptocat 2, very similar to mega. sure enough, this design has held up relatively well and gotten through audits without too many serious issues. as someone who cares a lot about secure comms, i have seen and continue to see no reason to use cryptocat.

i find it particularly ridiculous that a supposed proponent of free speech suggest i am not entitled to my (negative) opinion of your project. i see no point in filing bug reports for software i will never use. i believe in people doing their own homework, it is not my job to improve your project.

if i assume that your govt troubles are indeed legitimate, there are a couple things that seem inconsistent to me:

- you seem very concerned about the negative ramifications of angering your local govt, and all this is linked to (1) your dev work and (2) your prominence in the media. if you are so truly concerned about govt action against you, why are you publicizing the harrassment you have experienced? it only serves to promote your dev work and elevate your media presence, which i would expect to further aggravate your local govt.

- the govt likely knows that actions like this, properly publicized, only lead to an increase in the reach and use of your product, in direct contradiction to your suggestion that they don't want to have your product circulate. it seems that "cui bono" in the context of your story is that you and your project directly benefit by getting lots of publicity.

i found it a bit difficult to fish out details on the ciphers and modes you use with cryptocat 2, which doesn't exactly inspire confidence. i am not a fan of using a stream cipher (AES-CTR) to protect non-streaming comms due to the nonce re-use issues your audit found. ssh using AES-CTR makes sense to me, an IM protocol, not so much.

So what would you recommend people to you for secure communications?
You can be critical without being outright hostile. If this is how you would phrase your criticism to magikarp's face, you are not very courteous.
>i know the author (nadim) is in here and this is all a bit fantastic.

What aspect seems "fantastic" to you? Have you yourself been involved in activism?

It just seems exceptionally incompetently handled. The inconsistent stories? Repeated connection attempts to send data to "obvious" places instead of more careful probes and innocent looking transmission attempts to less suspicious locations.

The whole thing sounds like a bad b-movie or someone playing a practical joke, rather than a genuine attempt.

Then again, who knows, idiots manage to get hired everywhere.

from my own personal experience, govt folks like to follow. the business of knowing usually doesn't involve overt intimidation that is demonstrable to outside parties.
>govt folks like to follow

Do you mean trailing people and surveillance?

Snake-oil? I am not sure I would go that far. I am somewhat concerned about crypto that runs in-browser after the Hushmail debacle, but the term "snake-oil" is usually reserved for cryptosystems that follow proprietary designs or "roll your own crypto," and cryptocat does not seem to fall into either category.
I have spent a fair bit of time discussing Cryptocat with Nadim in person. He is sincere in his development goals for Cryptocat and does not intend for it to be a honeypot.
Well probably because you did something wrong. Turn yourself in and reflect on your wrongdoings. Put yourself together and stop causing harm to the society.
(comment deleted)
Haha, it's his fault for living in Canada! Canada sucks, move to Japan!
In other news, Canada's internal security agency is using "PG" to entrap people...(read the article for context)

I guess they read HN too.

This PG approached him with a "business opportunity" -- so the Canadian security folk probably did mean to confuse him into thinking that this PG is our HN pg.
s/Canadian security folk/unknown party/
They really should have tried harder. For some reason, I really can't picture pg in a black suit.
If this is true - we live in a scary world. If not, the guy has talent in marketing.
It seems ridiculous that an "intelligence" organization would upload files to a server that identified themselves so blatantly like that. Could it be that it is some ruse of some sort? I don't doubt that someone broke in, but would it really be CSIS?
CSIS aren't the most competent intelligence organization in the world.
For the limited scope of the work that they do (which is essentially limited to what the NSA does in the US. They don't really do what the CIA does), and with a relatively small $600 million dollar public budget, they're known to be quite competent.

This story sounds...weird. I doubt it is quite as he suspects it is.

>which is essentially limited to what the NSA does in the US.

The NSA doesn't do field intelligence work, AFAIK, unlike CSIS.

>This story sounds...weird. I doubt it is quite as he suspects it is.

It's weird, but I'm not sure who else other than CSIS would have the motivation to hack an activists computer so it sends data to CSIS-affiliated servers.

The author said "Hostnames that appear to belong to CSIS.". Reverse DNS should not be trusted. Saying that a hostname "appears to belong" to someone is a naive statement.
Indeed, spoofing reverse DNS is not hard -- and spoofing reverse DNS to appear like an intelligence agency is straight out of every 1990s IRC script kiddie's cookbook.
I think you've got it mixed up: CSIS [0] is the Canadian CIA, having been created in the wake of shutting down Department D of the RCMP after one too many scandals in the 1970s. The Canadian NSA is the CSE [1].

[0] http://en.wikipedia.org/wiki/Canadian_Security_Intelligence_...

[1] http://en.wikipedia.org/wiki/Communications_Security_Establi...

CSEC, now. I'm thinking of interning there in the summer.
You aren't now.

I happen to know that upon applying you are directly told not to tell anyone you applied, or even that you were thinking of applying.

(comment deleted)
Which one is? I put the Mosad up there, but most are summed up by the statement: Reward for failure. Screw up, get given a bigger budget so it doesn't happen again.
Even high-profile organizations have a spectrum of competence within their offices.
An actual exploit like this designed to monitor the hacked computer would likely either talk to a small range of IPs in the infiltrating organization, or a widely scattered botnet.

Trying to contact a small variety of servers of various disparate government agencies seems more like an attempt to generate false evidence that the victim is actually a dangerous hacker.

Or at least that's what Stephenson, Doctorow, and Gibson have trained me to think.

I was thinking it was a false-flag scenario as well. Other than the network identifiers, there's nothing to say it was the Canadians behind it.
Don't assume they act intelligently, just because they have "intelligence" in the name. Many people who make the decisions aren't IT experts at all.
Hackernews captivated by a schizophenic...
Correction: Lightly schizoid/paranoid may suspect hidden cameras in implausible situations. Schizophrenic screams at cars.

In this case, it's plausible enough suspicion, let's give him the benefit of the doubt, eh?

There are a few types of schizophrenia - paranoid schizophrenia being one of them.
That'd have been an awesome trolling opportunity.
Contact a lawyer immediately.

There are many actions you could take to mess with the investigation that might seem like fair game, but you should discuss each one with an attorney so you don't provide some arcane justification for them to arrest you (by hacking back, or even maybe "interfering with an investigation").

Once you get past that stage, the attorney can help you petition to stop the behavior or demand more information about it.

Legal advice is what you need now, not tech advice.

(Because the server is crushed, I'm only getting the basic gist - forgive me if you've already done this.)

If anyone knows a good lawyer in Montreal, please let me know!

nadim@nadim.cc

Don't. They take forever as they have only so few lawyers and they're all backlogged for months. They're also not equipped for this kind of thing. Their lawyers focus more on civil suits, not criminal..
> EFF maintains a list of attorneys, called the Cooperating Attorneys list, who have told us that they are passionate about the same things we're passionate about, and who have indicated that they have some of the same areas of expertise. If we can't help you, but feel that your case is something our cooperating attorneys may be able to assist with, we'll offer to refer you to one of them.
Take that with a grain of salt. They want to sound more helpful than they actually are on their website so people will donate.
I am an attorney on the Cooperating Attorneys list. EFF regularly sends emails asking for people interested in assisting.
Do you have something to back your statements?
Your claim is based on the knowledge of what actual facts?

(That said, I can see another problem in cases such as this: what if some of the "volunteering lawyers" are set by the government?).

> (That said, I can see another problem in cases such as this: what if some of the "volunteering lawyers" are set by the government?).

My IANAL guess is that they would still be bound by client/attorney privilege, and they'd be committing a crime if they violated that.

More to the point the EFF's lawyers are US lawyers. Canada is an entirely different beast from the US in terms of legal system. Their separate mailing list may have Canadian lawyers, but I'd suspect that the vast majority are US lawyers.
So what you are saying is that there is a chance they might be of assistance? My thoughts exactly
(comment deleted)
Don't rely solely on EFF, but also don't avoid contacting them. I have a friend of a friend who contacted the EFF and was given immense help on short notice. Their lawyers do work they find interesting. Explain your situation and see what comes of it.
I would also contact someone familiar with forensic analysis of malware, so you have lots of data about the monitoring that was conducted.
I'm not a lawyer nor do I know any who can deal with this kind of thing. However I do know that in Canada CSIS will not spy on citizens unless they have a warrant for it. So getting a lawyer is a great idea at this point. If the government is spying on you they have reasons to believe you are tied to someone who might pull you indadvertedly into something illegal.
The only relevant piece of advice here. This is, after all, Canada: if it is indeed CSIS who setup backdoor the OP's computer, there is a paper trail. Lawyers know how to obtain this paper trail. I don't know Canadian law, but the worst I could possibly think of in any of US/UK/AU jurisdiction is that the paper trail says "confidential, pending investigation".

I should add that while the malware in question may indeed talking to CSIS servers, this could be the case the CSIS servers themselves are hacked -- more likely by an automated worm in service of spammers (and honestly this is what the 'PG' person sounds like to me -- a scammer/spammer) than any scary entity.

Regardless, this is a legal, not technical matter at this point. Get recommendations for a lawyer in your area (you could also try contacting the university staff for this -- they may well be required to help you find an attorney), talk to them. Avoid posting anything else to a public forum.

Re: "Hacking Back"

I heard that Canadian sysops are the ones that apologise when you hack them. ;-)

How about he contact CSIS directly, and clarify...?
"Hello, I'm sure this is all a big misunderstanding, but did you happen to root my computer?"

Not trying to be sarcastic, but I'm really curious what such an email could possibly achieve. If they tell you they haven't done anything, they're either lying or not - you wouldn't know. And really, what are the chances they would tell you that they have rooted your PC if they had?

It'd likely only achieve something if someone else is trying to pull a prank either on him or CSIS, in which case drawing their attention to it might not be so bad (and of course if it's them, they already likely knows he knows, so who cares).

  I have to wonder what you'd see
  If you used style as ID.

  Styles change from time to time
  But style stays from line to line.

  Names can change and faces too
  But writing tells you who is who.[0]

  Many say they are a crowd
  But fewer do once lost their shroud.

  Traps and snares one will find
  Many more if kept their wits about their mind

  Still plenty that you see
  Hide their face behind IP.
Just a thought.

[0]: http://33bits.org/2012/02/20/is-writing-style-sufficient-to-...

[1]: EDIT: It seems to me that it is very possible that not all accounts here, though not necessarily in this thread, correspond to a single individual.

Could you... elaborate more on this, perhaps?
Sure. While I don't want to start a witch hunt, I often wonder while reading discussions who it is behind the handle. To the point where I can't help but think that a little careful observation might uncover an army of sockpuppets.

With the help of the HN api, you could probably fingerprint a lot of users.

If you need donations for any legal pursuits, set up a page accepting bitcoins or similar.

I'd totally support this.

Illegally monitoring a citizen has to about as bad as it gets in my books. Especially someone who has never done anything illegal and only received attention by building tools to help free speech/privacy.

Illegally monitoring anyone, citizen or not, is excessive and supremely uncool.
Actually it is not excessive. It is legal for CSIS to monitor non-citizens and it is even legal for them to investigate citizens if they may be assisting foreigners that Canada disapproves of. I was interviewed by CSIS because I did some technical work on a server for a foreign-born Canadian who was suspected of being involved in white-power/neo-nazi orgs. The goal of CSIS was to find out if a certain prominent foreign white-power speaker might sneak into Canada. There was a well-known leaky spot in the US border not far from the town where this guy lived.

This Nadim fellow is a suspicious guy doing suspicious things who travels to terrorist hot-spots and to the USA, which is also suspicious. And I bet that CSIS is reading every word on HN right now. After all, where do you think that CSIS finds the hackers to set up the kind of hacks that Nadim has described? Same goes for CIA, NSA, FBI, DHS.

> Actually it is not excessive. It is legal for CSIS to monitor non-citizens and it is even legal for them to investigate citizens if they may be assisting foreigners that Canada disapproves of.

Just because something is legal doesn't mean its not excessive. Just because the government does something, doesn't make it right.

> After all, where do you think that CSIS finds the hackers to set up the kind of hacks that Nadim has described?

From the description of what happened I'd guess probably at the local high school, by asking if anyone likes Bond movies.

> "And I bet that CSIS is reading every word on HN right now."

Well, on that off chance, let me be the one to say to our CSIS guys and gals: for fsck sake, don't do something like this. We could all use some better role models, and the number of comments and votes on this thread reflect how monumentally-offensive the suggestion is.

> "This Nadim fellow is a suspicious guy doing suspicious things"

Nadim is a smart guy working in computer science. What would the reaction be if he were Dr. Kobeissi and a computer science professor?

I would wait for some proof before throwing this kid money.
I don't know you and I don't know the world you live in, but just from your worried tone, and the rate at which you're responding to comments in this thread, I just want to say: take a breath. Engaging in a wild HN thread, full of well meaning but varied techy suggestions/speculation might not be the best approach right now. Have some friends sift through it for good information and disengage. Seek legal advice, and take it slow.
Sorry. I am very stressed and am knocked into full self-defense/damage control mode. Not sure I am in a state to meet people IRL at the moment.
I think that you actually should meet someone IRL, have them stay over with you or stay over with them.
Yes.. and in the meantime, I suggest all of us watch this 29c3 talk by Jacob Applebaum, "Not My Department" ( http://www.youtube.com/watch?v=7mnuofn_DXw ), and think about all our roles in all this. It's not going to stop unless we make it.
There seems to be a new pattern where anyone involved in promoting free speech and privacy through encryption gets harassed by the state, regardless if they actually did anything illegal.

http://en.wikipedia.org/wiki/Jacob_Appelbaum#Investigation_a...

It really shows how those in power are scared of the liberating powers of technology.

Although the details of the gov's investigation and harassment of Jake are largely shrouded in secrecy, his harassment at the border began right after giving a keynote at HOPE 2010 in place of Julian Assange, as the only US citizen identified in the media as a member of the Wikileaks team.

Although I think what the US government has done to Jake is quite clearly a disgusting abuse of power, let us not kid ourselves by somehow believing that the state has gone after him because he has publicly advocated for the use of strong crypto.

What about moxie?
IIRC, moxie said at some point that he was being harassed because he was a contact on Jake's phone which was confiscated by the US government at some point, so now he's associated with him.
I don't really know anything about this story, but do you have any guesses as to why they did go after him?

  | his harassment at the border began right after
  | giving a keynote at HOPE 2010 in place of Julian
  | Assange

  | the only US citizen identified in the media as
  | a member of the Wikileaks team.
I'm thinking that these two pieces of information are part of it.
However, Phil Z did get harassed over strong crypto, but that was in the bad old days.
I know good part of why crypto creators are being hunted. Bit if I explain most people will just think I am crazy, so I won't.

But yes, there are a reason that crypto people get hunted in general ( not only wikileaks) and there are even a ground war going on in other fronts.

Enlighten us with your craziness please. No judgement here.
Ok, to explain in the least charged way as possible.

First, I will tell there are "groups", mind you, I only mean a collective of individuals and organisations, that many times are fighting amont themselves, also individually they may have different aims and purposes, but the "group" thing simplify the things.

Second, the subject is very ancient, so I will try to talk only about the last 100 years, because otherwise it will become a too complex thing to write about in a short post.

Also, I will not name the groups, because whatever name I use for each of them, have different meanings and charges to each person, resulting in a flamewar (and the reason people think I am crazy).

I will list the groups in order of theoretical and legal (not necessarily de facto) power.

Group A: This group is in power in several states, run some huge international organisations, and wants more power centralisation, individuals within it want more power to themselves.

The Group A is very much against cryptography technology leaking (the weapons of choice of Group E), Group A also tend to help Group C if they think it will be a blow to Group B or E, otherwise they currently use Group C as scapegoat and target to fool their subjects in giving them more power.

Group B is very much alike Group A, but with fundamentally different economic beliefs, Group B realised it cannot beat Group A directly, so they right now work by mostly promoting ideologies and morals that will undermine Group A centralisation of power and capacity to react, Group B also don't like Group E, and don't like crypto on Group E hands, but sometimes they might allow Group E to get that tech if it means improving their own to use against Group A.

Group C currently is like Group A and B, but based on religion, also Group C recently took over 4 countries, with great help of Group E and Group A, much to the regret of Group E that only now realised it was against their interests to this happen.

Group D only want to be left alone, but are frequently caught in the crossfire.

Group E are the opposite of Group A, they want more freedom, more decentralisation, and of course, more power to themselves too, but not in a hierarchy, and more splintered. Group E loves cryptography, and the reason OP is being hunted, is because he is helping Group E (on purpose or not).

The only one i think i can't figure out is Group D. Also, if my guesses are right, the economic beliefs of Group B are not so different from Group A anymore.
I'm unsure about E also.

I'm really hanging on for someone to provide some names or additional info so I can do my own research rather than taking stuff at face value :/

Group A, and B, have names, that they used themselves, but those names are too charged for me to use, people will misunderstand things, and think I am talking about something else.

Group C probably has a name, but I don't know it.

All Groups, maybe with exception of B, are not much cohesive and are easier to say who belong in them.

So, I will say some organizations that BELONG to some groups (they are NOT the groups, they are PART of them, a small part by the way).

Group A: Has on it the UN, and several countries. Also has on it some esoteric organizations and religions.

Most people don't notice, but Thelemites (followers of Thelema) frequently align with Group A, so if you want some extra information, read about that.

Group B has on it the followers of Gramsci, Frankfurt School, several atheist evangelists, and part of their strategy was very much well explained by a guy named Yuri Alexandrovich Bezmenov, see if you find his interview.

Group C has on it Muslim Brotherhood, and Al Quaeda, "Al Quaeda" means "The Foundation", and Osama Bin Laden has read the foundation series by Isaac Asimov, so if you want to know what Group C is doing, read those books, and think about how you would apply them to present age...

Group D has people like the guy above that claimed to be part of F, also has countries that don't want to be dragged in all the A, B, C craziness, like some african countries, some asiatic countries, and so on.

Group E has among them the OP, Julian Assange, Punks (the ones from 70s), Cyberpunks, Cipherpunks, Anonymous, Libertarians, Far right groups, non-aligned christians (those that follow the bible and reject mainstream churches), a small amount of catholics, secularist arabs, conspiracy theorists, nutjobs, normal people that dislike their constitution torn apart, federalists, Catalan/Scotch/Chechen/Kurd/Touareg/Xeer/Somalilandi/Gaucho/etc... independence/autonomy movements, Occupy X/Y/Z, Indignados, Golden Dawn Party, the norwegian serial killer, lots of other random people.

Groups that I don't know their alignment: Shia countries (Syria, Iran, Iraq, Lebanon), seemly those are related to D, several people in E are helping them (and A and C are attacking them).

For those wondering where is Israel, Zionists and Roman Catholic Church. I will leave those out on purpose.

After watching a few Bezmenov videos, i wonder if your Group B is still trying to subvert the west?

My believe was that the KGB had degenerated into some sort of mafia and russia was now playing the capitalist game (by their own rules of course). But then again i don't know much about those things.

I guess group C is Islam?
Israel seems more plausible imo.
Israel has an interesting relationship with its neighbour's land, but I don't think anyone would claim Israel took over 4 countries recently.
(comment deleted)
I'd go with a combination of pro-democracy Islamic youth groups, MB, and AQ -- the countries being Tunisia, Libya, Egypt, and...Syria?
That's a very smart way to discuss global factions (using "group A", etc.).
Hello, Group F here.

I'd like to point out that we like cake and tea, and amuse ourselves with getting on with stuff, while groups A-E do their best to screw it up. If A-E could just naff off and let the rest of get on with it, we'd be in a much better place.

You're covered as a part of Group D, the most dangerous group: content with at best an "enlightened hedonism" (work diligently, but only so that you could afford that 60" TV), while groups A-C strip away your liberty and safety.
What good books/resources are there to read for those who want to know more about this?
Good question...

First, you will understand lots of things easier if you read at least the first book of the Isaac Asimov "Foundation" series.

Then, I've been researching this for a looooong time.

Also you will waddle through lots of crazy stuff, trying to find the gems.

I only started to find out, what information matters, and what don't, what is real and what is just nutjob ideas, after I met some particular people in real life.

Also there are deep religious issues on this, and some fringe stuff (for example: the ex-wife and some more people related to a known member of Group A claimed that he rose to power in his country using black magic).

But a good start, is research about what is Thelema (and its followers), who is Antonio Gramsci, what is Frankfurt School, what is Muslim Brotherhood, the islamic plans for gold standard, Colonel Gadaffi push for gold standard, Punks, Cyberpunks and Cypherpunks, Saddam Hussein push for oil be sold for Euro (instead of USD), Sunni vs Shia wars, pro-Assad christians.

These are the stuff I remember where real facts are easier to find.

Other things that I would mention here are too bizarre and hard to understand, and filled with misinformation.

Also if you decide to research this stuff, caution to who you talk, you might get dragged into the thing (and let me tell you, it is not pretty, I had two serious close calls recently).

Of course, like the OP, you might get dragged into it anyway.

It may sound cliche, but fiddling with that stuff, that I learned how serious the phrase "And when you gaze long into an abyss the abyss also gazes into you" is dead serious.

Tell us what you can about your two serious close calls recently. I am really intrigued now :)
I cannot say much, in fact I wrote a post that now I just deleted and will make a even shorter version with less information.

But let's say that I had a online friend, that I decided to help, and found out that this friend was a unwilling weapon of "Group A" that escaped, and was being searched for, and I got tangled into very hair raising stuff (including death threats toward me).

And I learned lots of stuff, that I wish I had not learned, the sort of stuff that make people say that "Ignorance is Bliss", but now that I learned, I must act upon it, there not much else to be done.

It was a hell of a adventure. The most scary shit I ever faced in my life, and made me get much more mature and responsible.

Also I almost lost my family in the process (they were very much against some actions that I did and became incredibly upset).

Happily they later understood everything that I did and now we are happy again.

"First, I will tell there are "groups", mind you, I only mean a collective of individuals and organisations, that many times are fighting amont themselves, also individually they may have different aims and purposes, but the "group" thing simplify the things."

No chance of humoring us?

In what sense? I don't understood.
naming the groups by their most conventional names, you gone so far as to create the dynamics of these groups, why forgo naming them? not really understanding the cloak and dagger element
Probably because the name for the groups is something like "Illuminati." It's possible he could just be talking about A and B being capitalists and communists though.
exactly, just want to know if he is making an insightful geo-political theory on interactions between groups, or if it is hagbard celine and the yellow submarine.
I strongly suggest you take a week off - don't expend valuable energyon trying to control the things that are stressing you. Check in and say hi to friends on Twitter (or suchlike) by all means, so that nobody has to worry about you, but don't put pressure on yourself to get to the bottom of this or resolve it within a certain timeframe. You haven't done anything wrong that I can see so there's no particular reason you should knock yourself out trying to untangle the situation.

Watch some movies, catch your regular classes (or skip a couple if you can), read that fat sci-fi novel - fill in the blank. FI anyone you don't know calls you on the phone just tell them you're not interested, goodbye, and take a rest from the internet. After a week, chat to a lawyer and work on the fact that someone is harrassing you - might be an intelligence service, might be criminals, but make it your lawyer's problem. The best thing for you right now is to recharge your batteries and that putting some distance between yourself and the source of your stress. The best way to deal with your computer being hacked is to leave it switched off; not least because your lawyer might advise handing it over to a forensic analyst for an audit.

But primarily, take it easy and be good to yourself. Nothing obliges you to wear yourself out responding to the behavior of others if it is making you stressed or unhappy.

Isn't that what got Sandra Bullock's character in "The Net"?

Speak to a lawyer and/or some journalists.

I think you're a little fucked man
We are watching. Everything.
lol. you must have seen me at the border, eh? ;)
I'm just surprised you guys even exist - I thought "Canadian Agents" were something they'd just made up for Quantum of Solace.