The Internet Dark Age (Full Disclosure)


8/13/2019 The Internet Dark Age (Full Disclosure) 1/46

Full Disclosure

The Internet Dark Age

Removing Governments' on-line stranglehold. Disabling NSA/GCHQ major capabilities (BULLRUN / EDGEHILL). Restoring on-line privacy - immediately.

by

The Adversaries

Spread the Word!

Uncovered //NONSA//NOGCHQ//NOGOV - CC BY-ND

Full Disclosure

Internet Wire-Tapping

WARNING: BT Broadband Equipment Contains NSA/GCHQ Back Doors

NSA/GCHQ Sources and Methods Uncovered

We explain how NSA/GCHQ:

Are Internet wiretapping you

Break into your home network

Perform 'Tailored Access Operations' (TAO) in your home

Steal your encryption keys

Can secretly plant anything they like on your computer

Can secretly steal anything they like from your computer

How to STOP this Computer Network Exploitation

Dedicated to the Whistle-Blower Mr Edward J. Snowden.

We expose NSA/GCHQ's Most Secret Weapon - Control, and how you can defeat it.

Table of Contents

Preface
Disclosures
Source of this Information
Our Laws
Companies
Technical Nature of this Information
Privacy vs Security
Motivation
Terminology
Your Home Network
The Hack
How it Works
The Attacks
Internal Network Access
Man-In-The-Middle Attack
All SSL Certificates Compromised in Real-Time
Theft of Private Keys
Is it possible that BT is unaware of this?
My equipment is completely different!
I've never done anything wrong
How can I verify this myself?
I would like to donate and support your work
How you can verify
Easy Confirmation
Hard Confirmation
The UN-Hack
Barriers
Social Attacks on Engineers
Counter-Intelligence
NSA Honeypots
About the Authors
Our Mission
Donations

Preface

When the Government, Telecommunications companies and Internet Service Providers implant secret spying equipment in your home without your knowledge or consent, under the guise of something else, and then use that equipment to infect your computers and spy on your private network activity (not the internet), we believe you have a right to know.

It is not possible to make these claims without actual proof and without naming the actual companies involved.

These events coincide with the global surveillance systems recently disclosed, and they further confirm the mass scale of the surveillance and how deeply entrenched the Governments are in our personal lives without our knowledge.

The methods we disclose are a violation of security and trust. Good Information Security (InfoSec) dictates that when we discover such back doors and activity we analyze, understand, publicize and fix/patch such security holes. Doing otherwise is morally wrong.

What is revealed here is the missing piece of the global surveillance puzzle that answers key InfoSec questions, which include:

How do the NSA/GCHQ perform Computer Network Exploitation?

We reveal the actual methods used by the NSA/GCHQ and others that allow them to instantly peer into your personal effects without regard for your privacy, without your knowledge and without legal due process of law, thus violating your Human Rights simply because they can.

Disclosures

The risks taken when such activity is undertaken are “Being Discovered” and the activity being “Publicly Exposed”, as well as the “Loss of Capability”.

Source of this Information

“The simple knowledge that we may be clandestinely observed in our own homes provided the determination to find the truth, which we did.”

This information is not the result of any knowledge of classified documents or leaks, but is based on information in the public domain and our own fact-finding mission, due to Forensic and Network Analysis Investigations of private SOHO networks located in the UK

Companies

BT are directly responsible for covertly embedding secret spy equipment in millions of homes and businesses within the UK, as our evidence will demonstrate.

BT have directly enabled Computer Network Exploitation (CNE) of all its home and business customers.

Technical Nature of this Information

The information described here is technical; this is because in order to subvert technology the attackers need to be able to fool and confuse experts in the field and keep them busy, slowing them down. Regardless, the impact and effect can be understood by everybody.

Your main take-away from this disclosure is to understand conceptually how these attacks work; you can then put security measures in place to prevent such attacks.

Privacy vs Security

Loss of privacy is a breach of personal security, and the legal violation of privacy is purely a consequence of that security loss.

We've focused on the technical breach of security, i.e. the Computer Network Exploitation itself, and by fixing that you can restore at least some of your personal privacy.

This illustrates that there is no such thing as a balance between security and privacy: you have them both or you have none.

Motivation

After studying in detail the revelations by Edward Snowden, we realized there was a large missing part of the puzzle.

There has been little to nothing published on specifically how the attackers technically achieve their goals. Most information published is based on theoretical situations.

If we don't know how hackers actually achieve these security breaches, we cannot defend against such breaches.

For example, a slide similar to the following was published; of all the slides released it's uninteresting and easily dismissed, as it simply describes what is commonly known as a theoretical Man-In-The-Middle attack.

The media focus of the slide is of course the Google Servers, and your first thought might be 'this is Google's problem to solve'. But what if 'Google Server' was 'My Bank's Servers'? You would probably be more concerned, because that may directly affect you. But we thought, what if 'Google Server' was 'Any Server, Anywhere'?

Our investigation led us to uncover and understand how this attack really works in practice, how it is implemented, and the hair-raising reality of its true nature, which is this: not just a back door but an entire attack platform and distributed architecture.

Terminology

To ease explanation we are going to use standard security terms from here on.

Attacker - GCHQ, NSA, BT Group or any combination.

The Hack - The technical method used by the attackers to illegally break into your home network, computers and phones.

Basic Security

Your Home Network

In order to explain how these Computer Network Exploitation attacks work and how this affects you personally, we must first look at the architecture of a typical home or office network. Look familiar to you?

Most Internet connections consist of a DSL type modem and one or more Ethernet ports attached to the modem, to which you connect your computers, devices, add-on switches etc.

There are two security factors in operation here:

a) NAT based networking, meaning that your home computers are hidden and all share a single public IP address.

b) Your modem has a built-in firewall which blocks inbound traffic. The inherent security assumption is that data cannot pass from the inbound DSL line to a LAN switch port without first being accepted or rejected by the built-in firewall.

For the technically minded, these security assumptions are further reinforced if the modem's software is open source, e.g. using Linux, and its source code is freely and openly available as per the GNU GPL requirements.

Given that the above is the most common architecture on the Internet, as it applies to almost every home and office everywhere, let's now revisit that first slide, but this time we ask one simple question:

How do the attackers get between You and Google or some other service?

On closer inspection of the diagram you will notice that “Google Request” and the Attacker (Log into Router) share the same router. When this slide was released we all assumed that this router was either Google's own router or some upstream router; that way the attacker could intercept packets and perform a Man-In-The-Middle (MITM) attack.

However this would not work for every website or service on the Internet. The attacker would need to be upstream everywhere!

So where does the attacker hide? Where is this Common Router? Again we ask:

How do the attackers get between You and Google or some other service?

Let's examine the diagram one last time.

You guessed it, it's right inside your house! It's the router supplied by your trusted Internet Service Provider (ISP).

If this is true it means that you are being Internet wiretapped, because the attacker has entered your private property and unlawfully accessed your computer equipment.

This is unlike a lawful interception, in which a warrant is served on the third party (ISP) and the intercept happens at the ISP's property, upstream and outside your property.

This is happening in your home or office without your knowledge, without your permission, and you have not been served with a search warrant as is required by law.

But worse is the fact that this architecture is designed for Cyber Attacking in addition to passive monitoring, as we will detail next.

The Hack

This example is based on the UK version of what we are calling The Hack, using BT Internet services. If you are not in the UK, and regardless of the service, you should always assume that the exact same principles detailed here are always being used against you, regardless of your country or ISP.

The Hack is based on the fact that a second secret/hidden network and a second IP address are assigned to your modem. Under normal use you cannot detect or see this from your LAN, but the attacker has direct access to your modem and LAN in your house from the Internet.

How it Works

When the DSL connection is established, a covert DHCP request is sent to a secret military network owned by the U.S. Government D.O.D. You are then part of that U.S. D.O.D. military network; this happens even before you have been assigned your public IP address from your actual ISP.

This spy network is hidden from the LAN/switch using firewall rules, and traffic is hidden using VLANs; in the case of BT et al it uses a specific VLAN, but other vendors' modems may well use different VLANs. The original slide has a strange number (“?@?”) with a grey background; we think this represents the VLAN number/Vendor number, so BT would be that number.

This hidden network is not visible from your “Modem's Web Interface” and is not subject to your firewall rules; it is also not subject to any limitations as far as the switch portion of your modem is concerned, and the hidden network also has all ports open for the attacker.

Other tools and services are permanently enabled inside the modem which greatly aid the attacker, such as zebra/ripd routing daemons, an iptables firewall and an SSH remote shell server, along with a dhcp client.

These tools allow the attacker to control 100% of the modem functionality from the Internet and in an undetectable manner, e.g. the attacker can

This is an extremely complex and covert attack infrastructure, and it's built right into your modem's firmware, which can also be updated remotely as required by the attacker using the built-in BTAgent.

The Hack attack is turned on by default, but is selectively turned off for special purposes or for specific dangerous customers, for example for certain software, firmware and hardware developers/engineers (which may include you), so that these people don't discover The Hack.

The attacker identifies these specific “threats” and marks their Internet connections as “NO DHCP”, such that the same dhcpc requests from their telephone lines are ignored; while these requests are ignored the hidden network will not appear inside their modem and is much harder to discover.

Firmware engineers usually want to know if the modems are using Open Source software such as Linux and busybox, in which case they are subject to the terms of the GNU Public License.

These engineers, as well as tech savvy users, may wish to put their own software (e.g. OpenWRT) on these modems, maybe because they don't trust their ISP, but are prevented by their ISP for obscure reasons.

Most modem providers usually violate copyright law by not releasing the source code, and BT was no exception to this rule. Only under the threat of legal action did they release the source code. However BT still prevents the modems from being updated by their customers or third parties.

BT goes to extreme lengths to prevent anyone from changing the firmware, and those that come close are first subjected to Physical and Psychological Barriers (explained later); the few that overcome those are subjected to a separate NSA/GCHQ targeted Social Attack designed specifically to derail any engineering progress made (this is also explained later). These attacks are almost always successful.

During these attacks BT uses all the information discovered by the engineers to produce firmware updates that prevent anyone else using those same techniques, under the guise of security and protecting the customer, and this is performed without notice to any customers.

As we move to new generations of hardware the modems are very sophisticated and very covert, and the engineers capable of even attempting to replace the firmware become practically non-existent.

As we detail, the sole purpose of locking the modem is to prevent people discovering that they are actually being wiretapped by BT on behalf of NSA/GCHQ.

As a side note, NSA describe Linux/Open Source as Indigenous and a SIGINT target.

NSA documents describe this means of SIGINT collection as [figure]; others include [figure] and [figure].

Your Real Network

The following is a more realistic view of your home network and what is now possible given that the attacker now has secret access to your home LAN.

It is now a simple matter to use other tools and methods available to the attacker to penetrate your internal computers; this includes:

Steal private VPN/SSH/SSL/PGP keys
Infect machines with viruses
Install key loggers
Install screen loggers
Clone/destroy hard drives
Upload/destroy content as required
Steal content as required
Access Corporate VPNs
Clean up after operations
Route traffic on demand (e.g. MITM)
Censorship

The Attacks

This section lists the attacks on you that are now possible by the NSA/GCHQ.

Later we show how you can defend against these attacks, and it would be wise to implement our defenses with immediate effect.

Unlike the revelations so far by Snowden, where the attacks occur out there somewhere on the Internet, these attacks happen in your home/office.

The attacks listed are the most obvious attacks; some are mentioned in the Edward Snowden revelations and referred to as Computer Network Exploitation (CNE).

Internal Network Access

The attacker has direct access to your LAN and is inside your firewall.

Your modem acts as a server; it listens on lots of ports such as SSH (22) and TELNET (23), so the attacker can just hop on to it (but you cannot).

This is possible because another hidden bridged interface exists with its own VLAN. Firewall rules do not apply to this interface, so the attacker can see your entire LAN and is not subject to your firewall rules, because those rules apply to the BT link (black line) and not the attacker's link (red lines).

When you scan your BT Public IP address from outside you may well only see port 161 open (BTAgent, more on this later), but when scanned from the attacker's network all necessary ports are open, with an SSH daemon running (even the username and password are the basic admin/admin).

Basically the attacker is inside your home network and, ironically, in most cases right behind your actual curtain (where the modems are usually located).

This is the digital version of Martial Law, with a Cyber Attack Soldier in every home in the country.

The first task of the attacker is to perform a site survey and learn as much as possible about all the devices attached to your network.

All your hardware can be identified by its specific MAC addresses and then fingerprinted for specific protocols and software versions. None of this can be detected unless you are logged into your locked modem.

The above is just the base platform of the NSA/GCHQ, from which hundreds of types of attacks are now possible, which include all of the following:

Man-In-The-Middle Attack

The attacker controls all outbound routes; he can easily perform an HTTPS Man-In-The-Middle attack by forwarding specific traffic for port 443, or for a destination network, to a dedicated MITM network which he controls (as per previous slides).

The only thing required is a valid SSL certificate and keys for a specific domain (which he already has, see below). The attacker is between you and any site you visit or any service you use (not just websites), e.g. Skype, VOIP, SSH etc.

The attacker simply creates a static route or, more easily, publishes a Routing Information Protocol (RIP) request to the Zebra daemon running in the router for the target network address, and your traffic for that network will then be routed to the attacker's network, undetectable by you.

The attacker can then use asymmetric routing: upon examination of the requests he can filter the specific requests he is interested in and respond to those, but let the target website server or service respond to everything else.

The key here is that traffic from the target website back to the user does not then have to go via the attacker's hidden network; it can go directly back to the user's public IP (which would be logged by the ISP).

MITM can be on any port or protocol, not just HTTPS (443); for example your SSH connections, all UDP, or GRE, PPTP, IPSec etc., or any combination of anything.
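The route redirect just described (a RIP advertisement accepted by the router's zebra/ripd) is something you can watch for from the LAN side. The detector below is an added example and not part of the original document: it decodes RIPv2 Response packets (the RFC 2453 wire format) and flags any advertised route whose destination prefix or next hop is not on an allow-list. The sample packet, the TEST-NET prefixes and the allow-lists are constructed for illustration.

```python
"""Detect RIPv2 advertisements that would redirect LAN traffic.

Added example, not taken from the original document. Addresses,
allow-lists and the sample packet below are all constructed.
"""
import ipaddress
import struct

RIP_RESPONSE = 2      # command byte of a Response (an advertisement)
RIP_V2 = 2
AF_INET = 2
AF_AUTH = 0xFFFF      # address family that marks an authentication entry
ENTRY_LEN = 20        # every RIPv2 entry is exactly 20 bytes
UNREACHABLE = 16      # metric 16 withdraws a route instead of adding one


def parse_ripv2(packet):
    """Return the route entries of a RIPv2 Response as a list of dicts.

    Raises ValueError on malformed input. A Request yields [] because it
    carries nothing that could change the receiver's routing table.
    """
    if len(packet) < 4 or (len(packet) - 4) % ENTRY_LEN:
        raise ValueError("RIP packet length must be 4 + n*20 bytes")
    command, version, _reserved = struct.unpack("!BBH", packet[:4])
    if version != RIP_V2:
        raise ValueError("only RIPv2 is handled here")
    if command != RIP_RESPONSE:
        return []
    routes = []
    for off in range(4, len(packet), ENTRY_LEN):
        af, tag, dst, mask, next_hop, metric = struct.unpack(
            "!HH4s4s4sI", packet[off:off + ENTRY_LEN])
        if af == AF_AUTH or af != AF_INET:
            continue  # authentication trailer or unknown family: not a route
        netmask = str(ipaddress.IPv4Address(mask))
        routes.append({
            "tag": tag,
            "network": ipaddress.IPv4Network((dst, netmask), strict=False),
            "next_hop": ipaddress.IPv4Address(next_hop),
            "metric": metric,
        })
    return routes


def build_ripv2_response(routes):
    """Encode (prefix, next_hop, metric) triples as a RIPv2 Response.

    Used here only to construct sample input for the detector.
    """
    out = struct.pack("!BBH", RIP_RESPONSE, RIP_V2, 0)
    for prefix, next_hop, metric in routes:
        net = ipaddress.IPv4Network(prefix)
        out += struct.pack("!HH4s4s4sI", AF_INET, 0,
                           net.network_address.packed, net.netmask.packed,
                           ipaddress.IPv4Address(next_hop).packed, metric)
    return out


def suspicious_routes(packet, allowed_prefixes, allowed_next_hops):
    """Return (reason, route) pairs for advertised routes that must not be accepted.

    allowed_prefixes: the exact prefixes a home router legitimately learns
    (its LAN and the default route); a more specific prefix for a remote
    service is the redirect the text describes.  allowed_next_hops: gateways
    that may appear as next hop; 0.0.0.0 (the sender itself) is always fine.
    """
    allowed_nets = {ipaddress.IPv4Network(p) for p in allowed_prefixes}
    allowed_hops = {ipaddress.IPv4Address(a) for a in allowed_next_hops}
    allowed_hops.add(ipaddress.IPv4Address("0.0.0.0"))
    findings = []
    for route in parse_ripv2(packet):
        if route["metric"] >= UNREACHABLE:
            continue  # a withdrawal cannot attract traffic
        if route["network"] not in allowed_nets:
            findings.append(("unexpected destination prefix", route))
        elif route["next_hop"] not in allowed_hops:
            findings.append(("unexpected next hop", route))
    return findings


# Constructed sample: the LAN prefix (benign), a route that would pull traffic
# for 198.51.100.0/24 (TEST-NET-2) towards 192.0.2.10 (TEST-NET-1), and a
# withdrawal that must be ignored.
SAMPLE_PACKET = build_ripv2_response([
    ("192.168.1.0/24", "0.0.0.0", 1),
    ("198.51.100.0/24", "192.0.2.10", 1),
    ("203.0.113.0/24", "192.0.2.10", UNREACHABLE),
])
ALLOWED_PREFIXES = ["192.168.1.0/24", "0.0.0.0/0"]
ALLOWED_NEXT_HOPS = ["192.168.1.1"]

if __name__ == "__main__":
    for reason, r in suspicious_routes(SAMPLE_PACKET, ALLOWED_PREFIXES, ALLOWED_NEXT_HOPS):
        print(f"ALERT {reason}: {r['network']} via {r['next_hop']} metric {r['metric']}")
```

Feed it the UDP payloads of port 520 packets captured on the LAN; on a home network that should legitimately learn nothing by RIP, every finding deserves a look.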

All SSL Certificates Compromised in Real-Time

The security of Public

Theft of Private Keys

Home networks are usually very insecure, mainly because only you or your family use them; your guard is down and your SSH, VPN, PGP and SSL keys are all vulnerable to theft by the attacker and his available methods.

The Hack is the key mechanism that enables these thefts.

As an example of the above, if you use the modem's built-in VPN feature you usually add your certificate and private key to the modem, or generate them both via its web interface. At some later time the attacker can just copy these keys to the “CES Pairing database” via his private network; the data collected from SIGINT can later be decrypted off-line or in real-time.

In the case of keys extracted from the user's built-in VPN, the “CES Pairing database” now contains the real key/cert pair, meaning the attacker can now attack the VPN server environment directly, when that server would not have been exploitable otherwise.

The attacker can also mask as the genuine user by performing the server attack from within the user's modem (using the correct source IP address); this way nothing unusual will appear in the VPN's logs. Once inside the perimeter of the VPN server the cycle repeats.

You should assume that all “Big Brand” VPNs and routers use the exact same attack strategy and architecture, with variances in the specific implementation, e.g. Big Brand supports IPSec, Little Brand supports PPTP.

The NSA Bullrun Guide states:

“The fact that Cryptanalysis and Exploitation Services (CES) works with NSA/CSS Commercial Solutions Center (NCSC) to leverage sensitive cooperative relationships with specific industry partners”.

Specific implementations may be identified by specifying Equipment Manufacturer (Big Brand/Make/Model), Service Provider (ISP) or Target Implementation (specific modem/router implementation).

In this disclosure we are interested in “Target Implementation”, because in our example case BT has covertly implanted these devices in homes where there is an absolute expectation of privacy, whereas the other implementations exist within the ISP or large corporations in which you cannot expect privacy.

It's important to remember that “Big Brands” also make small SOHO DSL and cable modems.

Further evidence of the mass global distribution of this technology to at least the 14 Eyes: USA, GBR, CAN, AUS, NZL, FRA, DEU, DNK, NLD, NOR, ESP, ITA, BEL, SWE, and almost certainly many more countries.

Quote from GCHQ regarding their ability to steal your private keys:

“It is imperative to protect the fact that GCHQ, NSA and their Sigint partners have capabilities against specific network security technologies as well as the number and scope of successes. These capabilities are among the Sigint community's most fragile, and the inadvertent disclosure of the simple "fact of" could alert the adversary and result in immediate loss of the capability.

Consequently, any admission of "fact of" a capability to defeat encryption used in specific network communication technologies or disclosure of details relating to that capability must be protected by the BULLRUN COI”

The Kill Switch

Actual capabilities uncovered here include the actual ability to apply physical censorship on the Internet by governments, directed at individuals, groups, companies, entire countries or the majority of the users of the Internet at once (given a coordinated government agreement). This is something that can be turned on globally within minutes.

This “kill switch” is only a small portion of the total capabilities available that are in place right now. Essentially any operation that can be applied using a single firewall or RIP router can be applied to every customer at once.

Uploading/Download Content

The attacker can upload or download content via either your public ISP's network or via his private hidden network. The difference is that your ISP could confirm or deny from their logs whether the user did or did not upload/download content from/to a particular source.

In other words, the possibilities and ability to frame someone cannot ever be overlooked.

When the attackers steal content, that information always travels via the private network.

Hacking in to VOIP/Video Conferences in Real-Time

As an example, it's a trivial matter for the attacker to route specific traffic for specific media protocols such as VOIP (SIP/H.323/RTSP) etc. to his network in real-time; these protocols are usually not encrypted, so no key theft is required.

In the case of Skype it's no stretch of the imagination to assume that Microsoft handed over the keys on day one.

Those they do not redirect in real-time, as we know, will be collected via upstream SIGINT.

Tor User/Content Discovery

Users of the Tor network can easily be discovered by LAN packet fingerprinting, but also by those who download the Tor client. The attacker can stain packets leaving your network and before entering the Tor network, making traffic analysis much easier than was previously known.

All Tor traffic can be redirected to a dedicated private Tor network controlled by the attacker; in this way the attacker controls ALL Tor nodes and so can see everything you do from end-to-end.

This is not something the Tor project can fix; it can only be fixed by the user following our methods.

Tor hidden services should drop all traffic from un-trusted Tor nodes; this way clients running in the simulated Tor network will fail to connect to their destination.

Encrypted Content

The attacker is in your network and has all the tools necessary (such as operating system back doors) or zero day vulnerabilities to hack into your computers and steal your VPN, PGP, SSH keys as well as any other keys they desire. Also, content that is encrypted can be captured before encryption via any number of methods when the attacker is already inside your network.

Covert International Traffic Routing

The attacker can secretly route your traffic to the U.S. without your permission, consent or knowledge, thus bypassing any European data protection or privacy laws.

Activists

We have seen many activist groups and protest organizers identified and silenced over the past few years; we believe this is the primary method used to capture activists.

Censorship

The attacker has control of the hidden firewall, so it is easy for the attacker to simply block traffic based on specific ports, or based on destination address or network route. For example, the government can block port 8333 at source and therefore block all Bitcoin transactions.

A coordinated attack on the Bitcoin network is possible by blocking the ports of miners around the world, reducing the hash rate and blocking transactions.

Mobile WIFI Attacks

Mobile devices (phones/tablets etc.) are as easily accessible once they connect to your WIFI network, which is from the attacker's perspective just another node on your LAN that the attacker can abuse.

The level of sophistication or advanced encryption in use by your WIFI is no defense, because the attacker has gained a trusted position in your network.

All MAC addresses gathered from your LAN are stored in the

The Mobile Hack

(?G/?G) is almost certainly subject to this same attack architecture, because from the attacker's perspective his side of the infrastructure would remain the same regardless of the device being attacked.

A mobile phone these days is simply a wireless broadband modem & phone, so any encrypted messaging system, for example, can be captured before encryption. Therefore mobile phones are subject to all the same, and many more, attacks as per The Hack.

This would mean that mobile phone makers may well be in collusion with the NSA/GCHQ, because they would need to implement the equivalent routing and firewall ability in each mobile phone as part of the

Outbound Defense

This defense method should be used against all NSA/GCHQ Inbound and Outbound attacks. This is the only sure-fire method to protect Tor clients.

This defense requires that you control (own/rent) a Server or VM elsewhere on the Internet (far away from your ISP), and preferably in a different country.

Run a VPN such as OpenVPN between your Linux Firewall (blue) and your VPS server (green cloud); there you run Squid Proxy and DNS, and block all inbound access except from your VPN. Always run your own DNS service on your VM/Server.

An alternative short-term defense is to use OpenWRT router software that you install into the modem yourself, so that you can confirm that no hidden networks or IP addresses exist and that the firewall actually functions.

However this is technically impossible for most users.

For open source router software visit https://openwrt.org/

More Defense Tips

Isolate your WIFI from your LAN and limit by MAC address and strong passwords; alternatively, isolate your WIFI from your LAN and leave it open as a free hot-spot.

If you are capable, install your own router firmware (openwrt).

Tell your ISP you do NOT want a router with back doors or malware in it; ask them to confirm in writing that back doors do not exist. This will help you in court when suing them.

Stop using any operating systems that are known to contain back doors.

Only use Tor if you are using the Outbound Defense method, otherwise you could be using an NSA/GCHQ wonderland version of the Tor network.

It cannot be emphasized enough: never trust closed source routers.

Never use your ISP's DNS servers.


MITM Defense

Until now it was not fully understood how a MITM actually worked with regard to how the attacker could get in the middle of any connection.

Now we know with 100% confidence that the man is not in the middle but in the modem, and that is how any individual can be subjected to a MITM attack. We hereby rename this attack the Man-In-The-Modem attack.

As an alternative defense for the future, in place of the previous (admittedly complex) outbound defense, you could use TcpCrypt. You can prevent this attack by ensuring that your client and servers are running TcpCrypt, which is a TCP protocol extension. It works without any configuration and automatically encrypts TCP connections if both server and client support it, or it will fall back to no encryption. It is also 100% NAT friendly.

Once installed this works for any port, not just port 80; it will also protect HTTPS, SMTP, SSH and every other service.


TCPCRYPT

TcpCrypt is a very secure approach to many of the problems posed by the NSA/GCHQ because it is true native end-to-end encryption, does not require a certificate authority, and is free open source software.

The NSA have tried to kill this project a number of times and will continue to do so, or to limit its use; you must not let that happen.

If you would like to see how NSA and GCHQ agents try to kill projects like this in public, view the video at http://www.tcpcrypt.org/talk.php, go to [time mark] and hear the voice of the NSA and then GCHQ.

"Let's get all TCP connections encrypted by default"

Available now, free open source for Linux, Windows and OS X; visit

http://www.tcpcrypt.org/


Frequently Asked Questions

Why Full Disclosure?
We are under no obligation to withhold this information from citizens of Europe; specifically, we are not subject to any provisions of the Official Secrets Act of 1998 as we have never been a member of the security and intelligence services, a Crown servant, or a government contractor.

But more importantly because: this information was discovered on private property. As security conscious users of the internet we identified serious, intentional security flaws which need to be fixed, and fast. The needs of the many outweigh the needs of the few. Under the rule of law the truth is an absolute defense, and that is what we present here. Lastly, because we can.

Who should read this information?
The intended audience is citizens of Europe, but also anyone who is or could be a victim of global surveillance systems; this includes everybody in the world, now and in the future.

Why does this document exist?
When a person(s) or government takes away your inalienable rights, such as your Right to Privacy (especially in your own home), you take it back. This is not something that can be negotiated or traded.

What about the debate, the balance?
There is no such thing as a balance between privacy and security: you either have them both or you have none.

I'm an American, does this apply to me?
The NSA would only use this technique in the U.S. if they really thought they could go undetected. In the UK they have gone undetected until now (since 2010); you should assume that the U.S. is doing the same to all Americans and you should use the defenses as detailed herein as a precaution. We can turn off the lights ourselves.


Will stopping BTAgent software stop these Attacks?
No. BTAgent is just misdirection. It is not required or directly used in the attacks. It can be used to update the firmware of a target modem should the attacker need specific functionality on the modem, but this would be unusual. So killing BTAgent does not help (you should kill it anyway).

Is it possible that BT is unaware of this?
No, this is their firmware: controlled by BT, published by BT, updated by BT; they also lock the modems.

My equipment is completely different?
The Hack is an NSA/GCHQ Global Strategy and its architecture is independent of a specific make or model of modem or mobile phone; it is also independent of the transport method, e.g. dial-up vs. ADSL, DOCSIS, VDSL, Cable modem etc. It sits at the top of the stack (TCP/UDP etc.), so however you connect, it connects. Each implementation will vary and improve with each generation.

You should only use fully open source firmware that is publicly verified.

I've never done anything wrong
Yes you have: you have allowed hackers to enter your home network and plant malware that infects your computers, which may now have become part of a zombie army with tentacles controlled by the NSA/GCHQ. This is worse than any virus or worm you can imagine.

How can I verify this myself?
By following the instructions in the following sections; you can also create simulations off-line, but that is more technical.

I would like to donate and support your work
Thank you, please see the last page of this document for details.


How you can verify

The following section explains how you can confirm that your modem has the GCHQ/NSA back door.

In these examples we use two BT OpenReach white modems (but more accurately described as BT OverReach), models:

Huawei EchoLife HG612 and ECI B-FOCuS VDSL2 modem.

These two look almost identical. The HG612 is an earlier model.

The process of confirmation is slightly different for each modem.

We will show two ways to verify the back door: the first is something anyone can do and requires just the ping command. The second requires re-flashing the firmware so you can login to the modem itself.

Claims of Huawei modems (Left) having back-doors are false; the vendor (e.g. BT) builds and installs the OS for these modems. Huawei simply provided hardware. ECI Telecom Ltd is the provider of the second modem (Right), the more dangerous of the two.


Easy Confirmation

Step 1: Remove power from the modem and disconnect the telephone line.

Step 2: On your PC (assumed Linux) add an IP address 192.168.1.100, i.e.

    $ ifconfig eth0:1 192.168.1.100 up
    $ ping 192.168.1.1

Step 3: Connect a network cable to LAN1.

Step 4: Plug the power cable into the modem and wait for about 30 seconds for the device to boot; you will then notice:

    64 bytes from 192.168.1.1: icmp_seq=... ttl=64 time=... ms
    64 bytes from 192.168.1.1: icmp_seq=... ttl=64 time=... ms
    64 bytes from 192.168.1.1: icmp_seq=... ttl=64 time=... ms

You may notice up to ten responses, then it will stop.

What is happening is that the internal Linux kernel boots, the startup scripts then configure the internal and virtual interfaces and then turn on the hidden firewall, at which point the pings stop responding.

In other words there is a short window (3-10 seconds) between when the kernel boots and when the hidden firewall kicks in.

You will not be able to detect any other signs of the hidden network without actually logging into the modem, which is explained in the next section.
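The steps above can be automated so that the boot window is not missed by eye. The following POSIX shell script is an added example, not from the original document: it pings the modem's LAN address for a fixed number of probes and classifies the result as silent, open, or a window of replies followed by silence. It assumes the 192.168.1.1 address and the PC alias from Step 2, and the reply line format of iputils or BusyBox ping; the sample output embedded in it is constructed for the example, not captured from a real modem.

```shell
#!/bin/sh
# Added example, not from the original document: automates the "Easy
# Confirmation" above. It pings the modem's LAN address for a fixed number of
# probes after power-on and reports whether the modem answered for a short
# while and then fell silent (the window between kernel boot and the hidden
# firewall that the document describes). The address and probe count are
# assumptions taken from the steps above; ping output is assumed to be that
# of iputils or BusyBox ping ("... bytes from ...: icmp_seq=N ..." or "seq=N").

MODEM_IP="${MODEM_IP:-192.168.1.1}"

# classify_boot_probe SENT: reads ping output on stdin and prints one of
#   silent        - no reply at all (check the cable, the 192.168.1.100 alias, LAN1)
#   open:N        - every probe answered (the address stayed reachable)
#   window:N:S    - N replies, the last with sequence number S, then silence
classify_boot_probe() {
    awk -v sent="$1" '
        /bytes from/ {
            n++
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(icmp_)?seq=/) { split($i, a, "="); last = a[2] }
        }
        END {
            if (n == 0)         print "silent"
            else if (n >= sent) print "open:" n
            else                print "window:" n ":" last
        }'
}

# boot_probe [SENT]: run it for real. Power the modem on (telephone line
# disconnected) and start this within a second or two; -W 1 keeps each
# unanswered probe to one second so the run lasts roughly SENT seconds.
boot_probe() {
    sent="${1:-30}"
    ping -c "$sent" -W 1 "$MODEM_IP" 2>/dev/null | classify_boot_probe "$sent"
}

# Constructed sample (not a real capture) of what a modem with the hidden
# firewall looks like: four replies while the startup scripts run, then
# nothing for the rest of the 30 probes.
SAMPLE_PING_OUTPUT='PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=7 ttl=64 time=0.312 ms
64 bytes from 192.168.1.1: icmp_seq=8 ttl=64 time=0.290 ms
64 bytes from 192.168.1.1: icmp_seq=9 ttl=64 time=0.301 ms
64 bytes from 192.168.1.1: icmp_seq=10 ttl=64 time=0.295 ms

--- 192.168.1.1 ping statistics ---
30 packets transmitted, 4 packets received, 86% packet loss'

# sample_verdict: classification of the constructed sample ("window:4:10").
sample_verdict() {
    printf '%s\n' "$SAMPLE_PING_OUTPUT" | classify_boot_probe 30
}

if [ "${1:-}" = "probe" ]; then
    boot_probe "${2:-30}"
else
    sample_verdict
fi
```

Run it with `probe` immediately after powering the modem on to test a real device; without arguments it classifies the constructed sample. A `window` verdict reproduces the observation above; `open` means nothing closed the address during boot, and `silent` usually means the PC alias or cable, not the modem.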


Hard Confirmation

For this method you will need to re-flash the modem by following the instructions in the document called hg612_unlock_instructions_v1-3 (http://huaweihg612hacking.files.wordpress.com/2011/11/hg612_unlock_instructions_v1-3.pdf).

Once you have re-flashed your modem you will be able to login to the modem via telnet as follows.

Note: If your network is not 192.168.1.0 you will need to add the IP address to your PC as explained previously, i.e.

    $ ifconfig eth0:1 192.168.1.100 up
    $ telnet 192.168.1.1
    Username: admin
    Password: admin

then type shell to get the BusyBox shell prompt.

Your telephone line should remain disconnected.


You will be surprised to learn there exist 16 network interfaces inside the device; most are legitimate but others are part of The Hack.

All IP and MAC addresses have been redacted to protect victims' identities.

    # ifconfig -a
    br0       Link encap:Ethernet  HWaddr 10:C6:1F:C1:25:A2


Let's examine the routing table:

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0

    # ip route show
    192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1

    # netstat -n
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address          Foreign Address        State
    tcp        0      0 192.168.1.1:23         192.168.1.100:57483    ESTABLISHED  # telnet
    tcp        0      0 127.0.0.1:2600         127.0.0.1:33287        ESTABLISHED  # Z->rip
    tcp        0      0 127.0.0.1:33287        127.0.0.1:2600         ESTABLISHED  # rip->Z
    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags  Type   State     I-Node Path
    unix  3      [ ]    STREAM CONNECTED 766    /var/BtAgentSocket  # SPIES Socket

Let's see what processes are running (duplicate and uninteresting lines removed for brevity):

    # ps
      PID  Uid     VSZ Stat Command
        1    0     336 S    init
      101    0         SW   [dsl0]
      116    0         SW   [eth0]
      127    0     504 S    mc
      131    0     380 S    /bin/msg msg
      136    0    1124 S    /bin/dbase
      146    0    1680 S    /bin/cms
      147    0    1148 S    /bin/cwmp
      191    0     328 S    zebra -f /var/zebra/zebra.conf
      193    0     332 S    ripd -f /var/zebra/ripd.conf
      548    0     396 S    dhcpc -i ptm1.301 -I ptm1.301


NOTE: We have redacted some IP addresses assigned to us by the attacker; xx = redacted address.

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
    30.150.xx.0     0.0.0.0         255.255.xxx.0   U     0      0        0 ptm1.301
    0.0.0.0         30.150.xx.1     0.0.0.0         UG    0      0        0 ptm1.301

How close is the attacker? Very close, about 7 ms away:

    # ping 30.150.xx.1
    PING 30.150.xx.1 (30.150.xx.1): 56 data bytes
    64 bytes from 30.150.xx.1: seq=0 ttl=64 time=7.174 ms
    64 bytes from 30.150.xx.1: seq=1 ttl=64 time=7.648 ms
    64 bytes from 30.150.xx.1: seq=2 ttl=64 time=7.685 ms

NOTE: You are now pinging the NSA/GCHQ.

Now let's see what is happening at a socket level (comments on the right after #):

    # netstat -an
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address          Foreign Address        State
    tcp        0      0 0.0.0.0:161            0.0.0.0:*              LISTEN       # This is BTAgent
    tcp        0      0 127.0.0.1:2600         0.0.0.0:*              LISTEN       # This is Zebra Router
    tcp        0      0 127.0.0.1:8011         0.0.0.0:*              LISTEN       # Transparent tproxy
    tcp        0      0 30.150.xx.xx:8081      0.0.0.0:*              LISTEN       # This is the NSA/GCHQ Service
    tcp        0      0 0.0.0.0:53             0.0.0.0:*              LISTEN       # This is DNS
    tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN       # This is SSH Server
    tcp        0      0 0.0.0.0:23             0.0.0.0:*              LISTEN       # This is TELNET
    tcp        0     55 192.168.1.1:23         192.168.1.100:57484    ESTABLISHED  # This telnet session
    tcp        0      0 127.0.0.1:2600         127.0.0.1:36825        ESTABLISHED  # This is zebra->rip
    tcp        0      0 127.0.0.1:36825        127.0.0.1:2600         ESTABLISHED  # This is rip->zebra
    udp        0      0 0.0.0.0:69             0.0.0.0:*                           # TFTP Server for upgrades
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags  Type   State     I-Node Path
    unix  3      [ ]    STREAM CONNECTED 766    /var/BtAgentSocket  # Special Agent BT

The device is now awaiting the hub PC to issue a PPPoE discover request, at which point you will receive your "Real Public IP".

At this point the attacker has complete control of the modem and your LAN; extra firewall rules are added the moment the ptm1.301 (WAN) device is enabled by the dhcpc command.
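To make the inspection above repeatable, here is an added example (not from the original document) of a POSIX shell audit that reads the modem's netstat -an and route -n output and prints every listening socket reachable from outside the LAN, plus the gateway and interface of the default route. The LAN prefix 192.168.1. is assumed from the listings above, and the embedded samples are constructed from those listings (xx stands for the document's redacted octets).

```shell
#!/bin/sh
# Added example, not from the original document: a small audit of the modem's
# own "netstat -an" and "route -n" output, as shown above, that flags every
# listening socket reachable from outside the LAN and reports where the
# default route points. Run it on a PC against output copied from the modem
# shell, or on the modem itself ("live") if its BusyBox has awk. The LAN
# prefix is an assumption taken from the document's 192.168.1.0/24 examples.

LAN_PREFIX="${LAN_PREFIX:-192.168.1.}"

# audit_listeners LAN_PREFIX: reads netstat -an output on stdin. Prints one
# line per TCP LISTEN socket or unconnected UDP socket whose local address is
# not loopback and not inside LAN_PREFIX. A 0.0.0.0 bind is reported too: on
# a modem it answers on the line side as well as the LAN side.
audit_listeners() {
    awk -v lan="$1" '
        ($1 == "tcp" && $6 == "LISTEN") || ($1 == "udp" && $5 == "0.0.0.0:*") {
            split($4, a, ":"); addr = a[1]; port = a[2]
            if (addr == "127.0.0.1") next
            if (index(addr, lan) == 1) next
            printf "%s %s port %s\n", $1, addr, port
        }'
}

# default_route: reads route -n output on stdin and prints "GATEWAY IFACE"
# for the default (0.0.0.0) route, or "none" if there is no default route.
default_route() {
    awk '$1 == "0.0.0.0" { print $2, $8; found = 1 }
         END { if (!found) print "none" }'
}

# Samples constructed from the listings shown above (xx = the document's
# redaction of the attacker-assigned address).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 0.0.0.0:161            0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:2600         0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:8011         0.0.0.0:*              LISTEN
tcp        0      0 30.150.xx.xx:8081      0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:53             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:23             0.0.0.0:*              LISTEN
tcp        0     55 192.168.1.1:23         192.168.1.100:57484    ESTABLISHED
udp        0      0 0.0.0.0:69             0.0.0.0:*'

ROUTE_SAMPLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br0
30.150.xx.0     0.0.0.0         255.255.xxx.0   U     0      0        0 ptm1.301
0.0.0.0         30.150.xx.1     0.0.0.0         UG    0      0        0 ptm1.301'

# exposed_count: number of externally reachable listeners in the sample
# (161, 8081, 53, 22, 23 over TCP and 69 over UDP: six).
exposed_count() {
    printf '%s\n' "$NETSTAT_SAMPLE" | audit_listeners "$LAN_PREFIX" | grep -c ''
}

# sample_default_route: gateway and interface of the sample's default route.
sample_default_route() {
    printf '%s\n' "$ROUTE_SAMPLE" | default_route
}

if [ "${1:-}" = "live" ]; then        # on the modem shell itself
    netstat -an | audit_listeners "$LAN_PREFIX"
    route -n | default_route
else
    printf '%s\n' "$NETSTAT_SAMPLE" | audit_listeners "$LAN_PREFIX"
    sample_default_route
fi
```

Against the listings above the audit reports six sockets that answer beyond the LAN (SNMP 161, the 8081 service bound to the line-side address, DNS, SSH, telnet and TFTP) and a default route via ptm1.301; on a modem you control, the expected result after the un-hack is an empty listener list and no default route while the telephone line is disconnected.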


The UN-HACK

If you are able to login to your router (via serial port or LAN) there is a defense which will prevent ALL the attacks using The Hack. This will un-hack the modem and needs to be done after each reboot.

Step 1: Unplug the telephone cable and boot the Modem, then login and issue the following commands (in bold); the hash is the prompt (don't type that):


Special Agent BT

This "special" software installed on all modems provided by BT is called BTAgent.

This software listens on port 161, which is the IANA assigned port for Simple Network Management Protocol (SNMP); anyone looking at this process would automatically assume this to be the case. SNMP type programs are often referred to as SNMP Agents.

The primary purpose of BTAgent is unpublished, but a version has been partially reverse engineered and the software does download firmware and update the modem's flash.

BT's response to queries about their BTAgent is to claim that they need to "remotely manage modems for security purposes".

User concerns with BTAgent:

1. It's closed source
2. Users cannot turn it off
3. The secretive nature and responses from BT
4. Users cannot upgrade the firmware using BTAgent
5. Port 161 is open to the public internet

The second (special) purpose of the BTAgent is purely reverse psychology, designed to keep you wondering about it and to cause you to waste your time reverse engineering it when it may well be what it says on the tin; while you're thinking about BTAgent you're not thinking about the other network interfaces such as ptm1.301 and the dhcpc requests, which all look innocent but actually perform the dirty deeds right in the open.

When you reverse engineer BTAgent and publish your results this allows the NSA/GCHQ to target you for other types of attacks.

We should remember that with a single Firmware update from BTAgent it could morph itself into what we originally feared!


Psychological and Physical Barriers

The NSA/GCHQ will do anything and everything to stop The Hack being discovered. The first step is to deal with the majority of users and prevent them from even thinking about opening it up or even touching the modem.

Some of the suggestions listed here may seem extreme, but the less interest created in this box the less attention it receives from consumers.

1. It's a white box; psychologically it's not a "black box" so it should be safe.
2. It comes in a plain brown cardboard box which contains no words or graphics whatsoever, with a single white bar-code label with the make/model of the modem.
3. The BT engineer personally carries and installs it in your home, while other components such as the BT Home Hub, the more expensive component, are sent through the postal system. BT cannot leave this shiny white modem hanging around for a week while they allocate your connection: you may try to open it or do research about it online, and they want to know who is researching it.
4. The telephone socket (RJ11) is designed such that when you plug in the telephone cable it becomes very difficult to remove it, much more so than a standard telephone RJ11. It's not just a case of pinching the lever; you have to pinch and push further in, then remove. This is subtle, but it will prevent a lot of people from even attempting to disconnect the telephone cable, just in case they break it.
5. The older model was easy to open, just a few screws; the newer models are almost impossible to open because they are clip-locked closed, meaning that you will damage it if you attempt to open it.
6. Red Warning Sticker on the back: "Don't cover Air Holes", wise but scary.
7. The only documentation is a single piece of white paper detailing how it should be mounted; there are no instructions about which cables go where. This is designed never to be touched.
8. All internal serial port headers are removed so you can't easily hack it.
9. The modem is plain white and square, extremely uninteresting, boring.

"Nothing to see here, move along"

All of this subtle "Anti-Marketing" for the most advanced BT product?


Social Attacks on Engineers

Having discovered the attack architecture and disabled it, we decided to visit some forums online; we were interested to see if anyone anywhere was close to uncovering The Hack and how the NSA/GCHQ react to such issues.

Generally there are engineers chatting and sharing pictures of their modems and how they solder wires on to the (usually hidden) serial ports; the discussions usually lead to logging in and gaining root access to the modem or replacing the firmware altogether.

When engineers start to get really close something extraordinary usually happens, almost like "superman to the rescue": someone who is highly qualified, someone who has built up a reputation of being an ethical hacker/security expert, introduces themselves and produces what appears to be a major break-through in gaining access to the modems.

However, because of the "ethical" element, superman instead of sharing the method contacts BT, or BT contacts superman directly, and they agree to allow BT to fix the flaw (e.g. giving BT some days' head start) after which superman will publish the method he used.

All things being equal this is fair enough, but things are not all equal, because this was a complete smoke screen played out to discourage the engineers from further development, knowing that in a few weeks "superman" will give them access.

Many of the engineers/enthusiasts waiting end up getting caught by upgrades of their modem's firmware, which then locks them out of the game.

This is a cat and mouse game and engineers should be very wary of those bearing gifts; their agenda is to slow you down and prevent you from making any progress, hoping you will just give up.

You can clearly see this on the BT forums as well as others such as http://www.psidoc.com, http://www.kits.co.uk/, http://community.bt.com and others. Reverse engineering is legal, legitimate and a great source of innovation.


About the Authors

The authors of this document wish to remain anonymous. However, we are fully prepared to stand in a court of law and present our evidence.

We are a group of technical engineers; we are not associated with any activist groups whatsoever. We don't have a name, but if we did it would probably be "The Adversaries" according to NSA/GCHQ.

Our Mission
Freedom is only appreciated when lost. We are on the brink of an irreversible totalitarian multi-government regime, and even though the European Parliament has stated that citizens should not have to defend themselves against state sponsored Cybercrime, the fact remains that our own Governments continue to attack us in our own homes while we sleep.

Our mission is defensive and legal. Our objectives are to expose the sources and methods used by those that harm our personal freedoms and rights, and to provide practical information to individuals around the world allowing them to defend themselves against such cyber attacks.

We believe this, as well as future disclosures, to be in the public interest.

Donations
Our ongoing work is technical, slow, tedious and expensive; any donations are very welcome. We only accept bitcoins at this time.

    bitcoin 'D.Hj91DS m)2)m5 12 S,ocdd)H jma 4

You can also support us by sending this document to a friend or hosting it on your website.

Licensed under the Creative Commons Attribution-NoDerivs (CC BY-ND)