On 2013-05-22 4:20 AM, Benjamin Kreuter wrote:
> On Tue, 21 May 2013 14:17:02 +1000
> "James A. Donald" <jam...@echeque.com> wrote:

> > Police install malware by black bagging, and by the same methods as
> > botnets.  Both methods are noticeable.
> I do not think the following scenario is terribly far-fetched:
>
> Suppose the police want to target a grad student in a CS department at
> a major university.  The police enter the server room, insert some
> malware into the student's research group's git repository, and wait
> for the student to merge the changes.  The next time the student runs
> whatever code she is working on, the malware will be installed; the
> malware then installs a keystroke logger, enables the microphone, etc.
> The malware can be even more secretive, only activating on a specific
> computer (the target's) or perhaps the police could modify the software
> on the server to only send the malware to the target.
>
> Now, let's change this somewhat.  Instead of sneaking into a server
> room (or presenting the school with a court order), the police
> compromise another grad student's computer, and simply commit their
> malware to the group's repository (do you think researchers actually
> read commit logs, when they have a deadline in a few days?).

This presupposes custom malware written for the specific target.

Highly customized spearphish attacks are unlikely to be detected, but require a lot of smarts per attack. Government does not display evidence of a lot of smarts.

Government employees are seldom the sharpest blade in the box.

They use a standard package written by a private contractor, and use it over and over again, and use it badly and crudely. And that private contractor is not going to let them use source code, because it would leak, and because they would no more know what to do with source code than your mother would.

A more likely attack is spearphishing - standard malware with an attack vector customized to the individual but off the shelf script kiddy code - social, rather than code, customization. And even that is a stretch. Cops just don't put that much work in.

> Now suppose instead of the police, it is a foreign government trying to
> get secret research data.  Maybe instead of targeting one research
> group, they just target, say, anyone who keeps Matlab source code in a
> git repository.

By Matlab source code, you presumably mean source code written to be interpreted by Matlab.

How many people in government employment can write and understand Matlab source code? And if they targeted "everyone" that is a lot of people. Someone is going to notice.

Now if someone is working on a missile, /him/ they might well target - but he is not going to have his matlab source code on a public repository.

If you are targeting "everyone", in the hope of catching a few big fish, then you are going to do what the botnet operators do, and will be detected the way botnet operators are detected.
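The "commit malware to the group's repository and hope nobody reads the log" scenario above has a cheap mitigation: before merging, audit the incoming commit range with git's own signature verification and refuse anything not signed by a key on the group's allowlist. The script below is an added example, not code from the thread; the fingerprints, SHAs and e-mail addresses in the sample are constructed.

```python
"""Audit incoming commits against a signed-commit policy (added example)."""
import subprocess

# git's %G? status codes.  Only "G" (good signature) from an allowlisted key
# passes; everything else is reported so a human reads the commit first.
STATUS_TEXT = {
    "G": "good signature", "B": "BAD signature", "U": "good signature, untrusted key",
    "X": "good signature, expired", "Y": "good signature, expired key",
    "R": "good signature, revoked key", "E": "cannot be checked (key missing)",
    "N": "no signature",
}
# One tab-separated record per commit: hash, status, key fingerprint, author email, subject
LOG_FORMAT = "%H%x09%G?%x09%GF%x09%ae%x09%s"


def audit_log(log_text, trusted_fingerprints):
    """Return [(sha, reason)] for every commit that fails the policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, status, fpr, email, subject = line.split("\t", 4)
        if status == "G" and fpr in trusted_fingerprints:
            continue  # signed by a key the group has vetted
        if status == "G":
            reason = f"good signature from key not on allowlist ({fpr})"
        else:
            reason = STATUS_TEXT.get(status, f"unknown status {status!r}")
        findings.append((sha, f"{email} {sha[:12]} {subject!r}: {reason}"))
    return findings


def audit_range(repo_path, rev_range, trusted_fingerprints):
    """Run git log over e.g. 'origin/main..origin/feature' and audit the output."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--format=" + LOG_FORMAT, rev_range],
        check=True, capture_output=True, text=True).stdout
    return audit_log(out, trusted_fingerprints)


# Constructed sample of what `git log --format=...` would emit for three commits.
TRUSTED = {"FPR_ALICE_PLACEHOLDER"}
SAMPLE_LOG = "\n".join([
    "a" * 40 + "\tG\tFPR_ALICE_PLACEHOLDER\talice@example.edu\tfix solver tolerance",
    "b" * 40 + "\tN\t\tbob@example.edu\tupdate plotting script",
    "c" * 40 + "\tG\tFPR_UNKNOWN_PLACEHOLDER\tbob@example.edu\tadd helper",
])
# Caveat: the variant where an attacker uses a compromised colleague's machine
# and signing key still yields "G" from a trusted fingerprint; this check catches
# the unsigned and unknown-key cases, and keys on hardware tokens cover the rest.
```

Running `audit_log(SAMPLE_LOG, TRUSTED)` flags Bob's two commits (one unsigned, one signed by an unknown key) and lets Alice's through.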


_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography