A
Hello everyone, this is Tom Uren. I'm here with the Grugq for another Between Two Nerds discussion. G'day, Grugq, how are you?
B
Good day, Tom. Fine, and yourself?
A
I'm very well. This week's edition is brought to you by SpecterOps. I've got an interesting chat with SpecterOps' Justin Kohler out on the podcast channel this week, all about making sure that your identity provider, your identity platform, is working the way you think it's working. So Grugq, you've been thinking about what happens when a hacker turns up and says to a cyber espionage agency, a state-backed cyber espionage agency, I want to help. So this is, I guess, similar to the IT army. We've got a couple of episodes where we've spoken about the Ukraine IT army, where there were a whole lot of, I guess, hacktivists who turned up and wanted to hack on behalf of Ukraine against Russia. But this, we're looking at it from a slightly different angle, more from the perspective of how those bureaucracies that are cyber espionage agencies would work and how that might fit together with a hacker turning up.
B
We've talked about how they had to figure out how to manage entities like the cyber army and so on. I'm a little bit more interested in what happens when a very skilled group, who has sort of skills at the same level as a state and is very much, we want to help, we can do the same thing you can do or even better, how can we aid the war effort or how can we add our skill set to your own? Because in a way, people have looked at the IT army as providing that capability, and this could be a solution to personnel problems, capacity constraints or... Right. And I think that's a terrible idea, and I think we're going to get into some of why today.
A
So the first thing that occurred to me is that it really depends where you're talking about. So for example, I think if you went right now, today to NSA and said, I'm a very clever hacker, or I represent a group of very capable hackers, like I'm a well resourced pen test organization or something, we've got lots of skills and experience, you'll get absolutely nowhere because there's just nothing to be gained. Right. They don't feel like they're in a.
B
Situation where, yeah, I think they're not hurting for people in a way that they go, like, this is, you know, finally we can double our capacity by adding this five-man team.
A
It's like there's a pathway to get more resources, and it's through, like, senior management and Congress. It's not just going, yes, this random.
B
Person, people who show up at the gate, or someone who sends an email.
A
Now, on the other extreme, you can imagine that in Ukraine, what is it, the GUR?
B
Yeah, it's the Military Intelligence group. Yeah. So they've got a cyber.
A
Yeah, yeah. Maybe they're in a different situation because.
B
Right.
A
They're probably trying to opportunistically try and find opportunity. Well, opportunities.
B
Yeah. So there's definitely a spectrum. And I'm curious, because I think that Europe maybe sits somewhere in between, in that a lot of them are looking at what they actually have on staff and they're feeling inadequate and that there must be some secret trick.
A
Right. The cupboard is bare.
B
Right. Like, there's this one secret trick that if they could just figure out what it was, they'd have excellent cyber capability, but they're not sure what it is. And this seems like it might be a cheat code of, like, why don't we just take cyber capability that's offered to us? That would be great. And I think it doesn't work for a lot of reasons. One of them is it's just a cultural mismatch of understanding how things work. Right. So I think that if you're a hacker, you might pick a target that you're interested in that's like, you want to break into Cisco. Like, Cisco's going to be useful to you. And you realize that in order to get there, you're going to have to go through, like, 20 different companies until you can get in a position that gets you into Cisco. That might be your operational plan that you've worked on, and then you ultimately get there. Now you've got access to Cisco, whatever. But if you don't get access to Cisco, you're not necessarily going to be disappointed in having wasted all your time, because you'll have had fun going through those 20. Like, you'll go through those 20 hops, and it'll be an enjoyable thing to do. Right.
A
The journey is the destination.
B
Right. It's the root access we made along the way. But as an intelligence agency, you're going to sit down, you're going to say, we need to be collecting intelligence that will come from Cisco. So gaining access to Cisco is the beginning of our journey. That's just step zero. And then the collection of that intelligence is the thing that's useful to us. So we're going to plan around how we're going to collect it and what we're going to be doing with it and then gaining access there is sort of an afterthought, but it's not the entirety of your planning process. Like, it's not absolutely everything.
A
The way I am thinking about this is that hackers do projects, whereas intelligence agencies do pipelines. So when I joined ASD, one of the nicknames for the place was "the factory". And that had benefits, because it was both a word that you could use outside of work that meant something for people in the know, but it also reflected that there were, like, these production lines. I mean, there were definitely projects, but there were projects to set up production lines that would last hopefully forever. Like, your ideal production line is something where you get access to something you want and you just keep milking that access and producing intelligence forever. It's a sad day when an access disappears, because you've got to do more work. And the kind of description that you gave of a hacker is, I've got a time-limited project where I'll try this for a certain amount of time, and then I expect it to end and I expect to move on to something else.
B
Right. I think that a nightmare for a hacker would be gaining access to one thing and then just maintaining it for 20 years. That's fair.
A
This is your job now. Forever.
B
Yeah, exactly. You're going to have to do malware updates every patch Tuesday to make sure that you don't get detected. And that's.
A
Yeah, that's our life now, I guess in our hypothetical situation, let's call it a small hacker group, very capable, turns up and they say, we want to join in. And from the espionage agency's point of view, it's like, well, how do I integrate these people into the production lines that I've got? And it's not immediately clear to me that that suits either party's purpose particularly.
B
Well or even their capabilities. Because, like, say you do have this really capable hacker group, they're going to probably have ideas about good things you could be doing which don't necessarily match with what you should be doing. Right. So they might be like, look, if we gain access to the Kremlin's email servers, like, that's boring as, like, who cares? You might find that interesting. But what we think would be cool is if we can get into like their phone switch network and then reroute calls internally so that it's difficult for them to conduct business that would be funny.
A
Or play the Ukrainian national anthem or something like that.
B
Right, right. Yeah. Replace everyone's ringtone with the Ukrainian national anthem. That's a whole bunch of work for stuff that just does not make sense for an espionage agency at all. It doesn't fit into their operational concepts, like the way that things work. I mean, part of it is they have a mission and a mandate and authorities, and it's unlikely that their authority extends to changing people's ringtones.
A
Yeah, yeah. So you could take the people and you could find jobs for them in your organization, but that's just recruitment. We're really talking about something slightly different, which is collaboration. Yeah, yeah. Well, independent groups, sort of helping out.
B
Yeah.
A
Now, I think one extreme is if they actually turned up and said, we've somehow hacked Putin's phone. I don't even know if he has a phone or his chief of staff or whoever, someone close to him, for sake of argument.
B
Right. It's Putin's personal phone.
A
And I imagine in that case this is like, I guess in humint it would be called a walk in, where you get someone who turns up. Like the dynamic is slightly different, but that particular device is so important. If you believe them, I guess they would have to prove it somehow. That would be something you'd absolutely follow up. But that seems like extremely unlikely.
B
I think the risk analysis would be like, if there's a 1% chance that this is true, it would be amazing.
A
Let's pull the thread a little bit.
B
Yeah. Like, let's actually explore this just because it might pan out in such a wonderful way. Whereas on the other hand, I think if you show up, you said, like, I've got access to the personal device of the chef of Putin's mother in law's neighbor, which I'm pretty sure you could develop into access to the mother in law, which could maybe get you to the, the wife, which would then bring you within one hop. I think that that might be a. That would go in the circular file. Thanks a lot for your help, citizen. Don't let the door hit you on the way out. I think that dynamic can be very disappointing from the other side. Right. Because if you look at it, here you are with these genius ideas and this great stuff, and you're giving it to these people who have just no appreciation. You can sit there and be like, here are creative and clever things that I could do. Those things require resources and planning and integration and agencies, like, unless there's a very compelling reason, they're not going to disrupt all of their existing.
A
Yeah, yeah. And the compelling reason in this hypothetical is that it's Putin's phone.
B
Right, right.
A
Yeah, yeah. So I actually would see that dynamic internally. Like, there's, you know, a lot of people. You'd have clever people think of clever ideas, and then there'd be this frustration that none of them ever got done. Or maybe I should say hardly any of them ever got done. Very few, and I think we've spoken about this before, that if you had a very good idea and you could get the attention of the director, then it maybe would come into fruition, because they were the one person in the organization who could set a priority that would be high enough to pull people out of their usual jobs, basically, and create this kind of special project. But until you reach that higher level, that wasn't going to happen. And I guess in this sort of scenario where you've got a hacker or hackers turning up from outside, they've got to be able to pitch that one special idea that will get the attention of the director of. And they've got multiple hurdles. It's not an internal person who we know and trust. It's some random person.
B
It's some random.
A
Yeah, yeah, yeah. And so I was thinking of the analogy to walk-ins. So a walk-in is, occasionally both the Soviets and the US, and I'm sure other countries, would get people who would walk into their embassies or consulates and say, you know, I'm Colonel Yuri whatever of the KGB and I want to defect. Something like that.
B
Right.
A
And that has some similarities, but it's also very different.
B
Like, that's a good analogy. But where it differs a lot is that there is a pipeline for walk ins. If you show up as a walk in and you say, I'm Colonel Yuri of the KGB counterintelligence for Bogota, where we are both stationed, I want to defect. The head of security at the embassy will be like, do you have your ID with you? What do you have to prove who you are? They would take that and then they would go and they'd speak to their security people and their espionage people who would then verify. Like, yeah, that's the guy that we know. They could do all the checking and then they would know what they want to do. Like, if this guy ever showed up, we would want to keep him in place and get as much information as we could and exploit him for whatever because he's got great access. So let's get him out the door as quickly as possible so no one knows he's here, smuggle him out if we have to and set up a future meeting where we can start exploiting this opportunity. It fits into an operation that they understand. You recruit someone and you run them to gain access to their secrets.
A
Yeah, yeah. So there would be a file in the site which is like when you get a walk in, do A, B, C, D. Right, yeah. These are the steps.
B
You know, I think that this is partially because cyber is so different that you can't actually have a file like that. Cyber is very unique in how it works, unlike human stuff. So with humans, like, you get a person and you exploit them by recruitment and then getting access to their stuff; that's just, like, well known and tested. Whereas with cyber, if as a hacker you show up and you say, look, I've got the signing keys to Huawei's HarmonyOS, the way that you exploit that is very different from if someone says, I've got access to the email server for the research and development department of Huawei's car division.
A
I guess what you're saying is that with a human, a person, the walk in, you've got both the provenance and the potential all in one package. And it's relatively easy to say because of who they are and where they sit within the, let's say, KGB hierarchy. We know this is valuable. Right. Whereas with the cyber examples, those two things are split apart. You've got a hacker who may or may not be like, you don't know, who knows? And then you've also got this other, the actual information. It's not immediately clear, without doing maybe more work, what you would actually do with that. So they're harder to sort of wrap up and assess in the first place.
B
Right. And you might get a thing that enables you to do stuff. So, you know, here's the signing key for the OS, which means that you can now insert your own backdoors and have them signed. And like, that's a very exciting thing for some types of attacks. Whereas having access to the email servers would allow you to monitor a large amount of traffic and see what's coming down the pipeline. Whereas access to the president of Huawei's email account would be a different stream of information that you're getting, that you would exploit in a different way, because you've got this sort of limited interface to the world as opposed to these other things. And I think that with just three examples of access to Huawei, you can see just how diverse the opportunities are. And it's hard to sort of have a plan in place of, like, here's how we integrate this into our existing pipeline of things that we know how to exploit. Like, if you show up with access to Huawei, we will just go through our access checklist and plug it into our production pipeline and we're away to the races. It can't work that way, because so much depends on what access actually means and what you plan on doing with it. And I think where this sort of starts falling down badly is that a lot of the time agencies are not set up to do things like steal the signing keys and start inserting malware into, like, the official builds for potential exploitation far down the line. Like, that would be irresponsible cyber, for example. But on the other hand, do you want to turn down the signing keys? Like, that seems like a cool thing to have.
A
I mean, I think all those examples, when you said them to me, I was immediately thinking it just raises a whole lot more questions. And it seems like for an organization it would be actually a lot of work to try and figure out the answers to those questions.
B
Yeah.
A
So it's like, what would we do with this? Is this even useful? Does it help satisfy?
B
Is this part of our requirements? Are there any of our customers asking what is Huawei's research and development pipeline for the next 12 months? Because if no one cares, then you're just.
A
Yeah, yeah. It's also like, getting Huawei's signing key is not a goal in itself. Like, it's a means, potentially. But what means would we use, and what intelligence requirements would it satisfy? That seems like it would be hard if you're the sort of public face of the organization talking to this cyber walk-in. Well, who am I going to talk to to figure out, right? It's not a lay-down misère, like, we've got Putin's phone. I mean, since you brought up Huawei, it also strikes me that it also depends on the structure of how you set up your cyber espionage. So like the US, Australia, UK, etc.
B
These are very structured bureaucratic organizations with rules, authorities and yeah, processes and everything. Yeah.
A
Whereas the Chinese model is just a whole lot of small hacker groups.
B
They've literally just operationalized that process.
A
So from the various leaks we've seen, it's clear that they're trying to sell to the Chinese espionage agencies like the Ministry of State Security and the Ministry of Public Security. And so I don't know if there's actual like markets or if it's just based on relationships or how that exactly works, but I guess for the Chinese state, dealing with a walk in is business as usual. And it's like how much money is this worth?
B
Yeah. So, like, it's an interesting compare and contrast sort of thing as well, because that allows you to sort of get the. The best of, you know, your creative, smart people who want to do things that are exciting to them and you can still benefit from that without having to figure out how to integrate them inside what you're doing. You just, you let them run their own intelligence agencies and sell your product.
A
Right, right. And I guess in this hypothetical example, it would be coming to us with the signing key isn't good enough. You've got to figure out yourself what you're going to do with it and come to us with the finished product. And I suppose it relies on having some idea of what people actually care about. So, like, one of the great examples from one of the leaks was the hacker was trying to sell access to Jens Stoltenberg, who was the head of NATO at the time. And he was like, it's Jens Stoltenberg, he's the head of NATO. And the reply was, yes, not worth anything.
B
Yeah, well, what was the thing that we read last week? There's a great line in there which was something like, secrets are just not worth very much.
A
Should US spies steal commercial secrets?
B
Here we go. "After my career working with intelligence agencies, the most surprising and durable insight I've gained is this: if you want to be a good producer of intelligence, you need a demanding and sophisticated consumer of intelligence. It's because a lot of secret information, including information that a target works hard to hide, isn't actually very useful. And no matter how good a spy is at stealing secrets, he or she likely doesn't know what nuggets matter the most."
A
Yeah, yeah. So I guess in the Chinese example, they're placing the risk, like the opportunity cost of stealing something that's worthless on contractors. And so from the Ministry's point of view, it's like, oh, well, whatever. They do the work and it's sort.
B
Of like panning for gold, I think, in a way. Right. Like it's. They wait until someone has found nuggets and then they can choose which ones they want. They don't have to go out there and do all the hard work themselves.
A
Yeah, yeah. Whereas the NSA view is, well, we will identify where the nuggets are, then we'll go out and find them.
B
Right.
A
I'm not sure how the Ukrainians are operating. I imagine that you would try and do both models if you're in a very serious war.
B
Yeah. I think you'd probably figure out a way of being able to make use of nuggets that are handed to you, but you're not going to rely on them, and you're going to have this problem of people will show up and be like, I don't have a nugget, I've got a ruby. Is that any good? And you'll be like, but we're a gold company. They're like, yeah, it's a precious stone, it's pretty much the same thing. That speaks to the dynamic we're talking about here, which is that if you're set up to process and handle one sort of thing, like you break into email servers and you steal emails and you read them and you learn about stuff, then someone shows up with signing keys. There's a lot of, like, that's great, what am I supposed to do with this? Like, this is not part of a thing that I know anything about. Like, it's not part of what we do. Like, we would have to just retool huge amounts of how we work in order to take advantage of this, if we even could. Because we don't know how it fits into what we're trying to do. Because the people that we work for want emails. That's what they want. They don't want us to put backdoors into operating systems.
A
Yeah. So one of the things that this makes me think about is the XZ backdoor, or as Americans would say, the XZ backdoor. So that was a plan to subvert an open source project with social engineering to insert a backdoor. I think the backdoor was ultimately going to be into ssh, is that right?
B
That's correct, yeah.
A
Was it going to give you keys or credentials or something like that?
B
So the way that it worked was if you had a signed packet that you could send to it, like it did a cryptographic signature so you could connect to one of these backdoored SSHs with a special key and it would give you access, execute a file. The sort of the usual basic malware access stuff.
A
Yeah, yeah. So that to me felt like in a way a special project that was trying to set up an access. So it would be, we'll do this one off project and then we'll have this never ending opportunity. Ideally, yeah.
B
So I think what would happen is if, for example, someone ran that operation as a side project, me as an independent hacker, I'm going to worm my way into an open source project, gain control over the commit rights and all that, and then have the ability to insert an arbitrary thing into the build process that could then be exploited in some way in the future. And now I go to an agency and I'm like, look, I'm in this position of power within this project, I can compromise it in this way for you. Let's work out something we can do. I think they're just going to be like, what? Like, it's just, it's too weird and unique.
A
So does that mean you think that they tried the XZ backdoor and the reporting at the time, everyone seemed to think it was Russian. I can't remember why. So they tried the XZ backdoor and then went, oh, it didn't work, let's go home, we'll focus on something else. Or are they still trying? Like, does the fact that it got so close and got detected put you off or does it encourage you?
B
So I think one of the things is you could say it was technically a success in that they managed to get the backdoor inserted and compiled and all that. It just was never deployed.
A
Like it was detected within a day or something, right?
B
Yeah, it was detected like the same week that it went out, essentially. And so technical success is like, it's not exactly a backhanded compliment. It's like one of the worst things you can say about an intelligence operation. I mean, yes, it didn't actually produce anything and everyone got killed, but technically it was a success if you're only looking at whether we gained access. So technically they did all of the things, they were just never able to exploit it and it got burned.
A
It was a glorious failure.
B
I think that would put them off doing it again. That's my feel is that if you got so close and then failed, it's going to interrupt someone's career.
A
Right? But once you've done that work, you've got, in a way, a mental model of: subvert open source, profit. Oh, yeah, like you've filled in the middle. You're not in the underpants gnome world.
B
Yeah. You've got a lot of lessons learned as well, right? Like going into it, you'll have some ideas of how things should happen and then when you do it, you're going to find out these ideas don't work, but these ones do.
A
So what I'm thinking is, now you've got a mental model. The bureaucracy has a mental model. They've got a CONOP. They'd done the work already to fit "subverted open source project" into some way that we can profit. They've got step one, step two, step three. Now if they get a walk-in who says, I'm the maintainer of this open source project that...
B
Right. They can go to the shelf and pull off a plan and be like.
A
Right, you know, yeah, they know how to fit it in.
B
Yeah, yeah. I think that that is accurate as well. If you're an independent hacker and you come up with a thing that they're used to dealing with, like access to email servers or a compromised email account, they absolutely know what to do with those things and how to exploit them. So they can do a risk assessment of whether it's worth taking it from you or not, etc., etc. And then they can just plug it into one of their pipelines of things that they exploit, assuming it's a target that is interesting to them at the time. But I don't think a lot of hackers are super excited by the sorts of targets that excite intelligence agencies. I don't think hackers look for how can we find a steady, low-key, reliable way of getting just a lot of data constantly, all the time. That is not fun. That's not the exciting stuff.
A
Yeah, yeah. So if you're a hacker, the way to kill your soul is to go and work for a SIGINT agency. Yeah, I guess, sort of. Another analogy I thought of is that there's massive companies that make cars and there's also hobbyist car enthusiasts who mod cars and you would never expect that a world famous top notch car modder. Are they called modders? I've seen some videos on YouTube that's my extensive. Would turn up at a factory and go, I've got this really cool car, you know, what can you do?
B
I've turned the entire back into one subwoofer.
A
That's right. Like they're two entirely different beasts. They're sort of achieving different purposes even.
B
Yeah, very much. And part of the difference there is one's a sort of bespoke tailored, not necessarily one off, but a very, very unique customized thing. And the other one has to produce the same stuff every day because there's a daily intelligence briefing. You need to just produce and produce and produce a thing for people who want the information so that they can make decisions.
A
Right, yeah, yeah. The motivations are very different. It's sort of personal satisfaction versus whatever a state wants.
B
State satisfaction.
A
Thanks a lot, Grugq.
B
Thanks a lot, Tom.
Risky Bulletin - Episode Summary: "Between Two Nerds: Why Hackers and Spies Don't Mix"
Release Date: May 19, 2025
In this episode of Risky Bulletin, hosts Tom Uren and the Grugq delve into the intricate dynamics between independent hackers and state-backed cyber espionage agencies. Titled "Between Two Nerds: Why Hackers and Spies Don't Mix," the discussion uncovers the fundamental differences in operational methodologies, cultural paradigms, and the inherent challenges that arise when these two worlds collide.
Tom Uren opens the conversation by contextualizing the episode's focus on the intersection of hackers and cyber espionage agencies. Drawing parallels to previous discussions on hacktivist groups like Ukraine's IT army, Uren sets the stage for exploring how bureaucratic espionage entities might interact with skilled hacker groups seeking to contribute to state-sponsored cyber efforts.
Notable Quote:
Tom Uren [00:12]: "We've talked about how they had to figure out how to manage entities like the cyber army and so on. I'm a little bit more interested in what happens when a very skilled group who has sort of skills at the same level as a state and is very much, we want to help..."
The hosts contrast the project-based mindset of hackers with the pipeline-oriented operations of intelligence agencies. Hackers typically engage in time-bound projects driven by personal satisfaction and creativity, whereas espionage agencies focus on establishing long-term, sustainable access to targets for continuous intelligence gathering.
Notable Quote:
Grugq [06:29]: "A nightmare for a hacker would be gaining access to one thing and then just maintaining it for 20 years."
Integrating independent hacker groups into structured espionage frameworks presents significant hurdles. Agencies possess well-defined protocols and objectives, making it difficult to accommodate the unpredictable and varied contributions of hackers. Additionally, the cultural mismatch between the free-spirited nature of hackers and the rigid structure of intelligence entities exacerbates integration issues.
Notable Quote:
Grugq [07:55]: "They have a mission and a mandate and authorities, and it's unlikely that their authority extends to changing people's ringtones."
The discussion pivots to the infamous XZ backdoor incident, where an attempt to insert a backdoor into an open-source project was prematurely detected and neutralized. This case exemplifies the pitfalls of blending hacker initiatives with espionage objectives, highlighting how operational failures can derail otherwise promising intelligence operations.
Notable Quote:
Grugq [24:16]: "If you got so close and then failed, it's going to interrupt someone's career."
The hosts explore the differences between Western intelligence agencies and Chinese cyber espionage models. While Western agencies like the NSA operate with structured hierarchies and defined processes, Chinese state-sponsored efforts are characterized by numerous small, independent hacker groups operating in a semi-autonomous manner.
Notable Quote:
Grugq [18:34]: "They can sort of get the best of your creative, smart people who want to do things that are exciting to them and you can still benefit from that without having to figure out how to integrate them inside what you're doing."
A pivotal theme revolves around the utility of the access or tools that hackers might offer. Intelligence agencies prioritize actionable intelligence and strategic value, making it imperative that any acquired asset aligns with their operational objectives. However, hackers may offer access or tools that don't directly translate into valuable intelligence, leading to a disconnect in perceived utility.
Notable Quote:
Tom Uren [16:48]: "Is this part of our requirements? Are there any of our customers asking what is Huawei's research and development pipeline for the next 12 months?"
The episode concludes with a consensus that while both hackers and espionage agencies aim to exploit digital vulnerabilities, their divergent motivations, operational methods, and cultural frameworks create significant barriers to effective collaboration. The structured, mission-driven nature of intelligence agencies is at odds with the project-based, autonomy-seeking ethos of hacker communities.
Final Thoughts:
Notable Quote:
Tom Uren [26:56]: "If you're a hacker, the way to kill your soul is to go and work for a SIGINT agency."
This episode of Risky Bulletin provides a nuanced exploration of the friction points between independent hackers and state-sponsored cyber espionage efforts. Through insightful dialogue and practical examples, Tom Uren and the Grugq illuminate why collaboration between these two groups is fraught with challenges, ultimately arguing that their inherent differences make an effective partnership difficult to achieve.