> This presupposes custom malware written for the specific target.
>

Not always. It presumes that someone may pack a binary just for a single
target - this is however an automated process for lots of malware packages.

> Highly customized spearphish attacks are unlikely to be detected, but
> require a lot of smarts per attack. Government does not display
> evidence of a lot of smarts.
>

Here is a counter point that I discovered last week at Oslo Freedom Forum:

  http://www.economist.com/blogs/erasmus/2013/05/islam-internet-and-privacy

This was an extremely lame backdoor and it worked very well.

> Government employees are seldom the sharpest blade in the box.

Governments hire people with our tax dollars who when paid well, will do
better and we see it in the wild.

>
> They use a standard package written by a private contractor, and use it
> over and over again, and use it badly and crudely. And that private
> contractor is not going to let them use source code, because it would
> leak, and because they would no more know what to do with source code
> than your mother would.

This is largely false in most cases that I've seen or heard about in the
wild. Yes, there are toolkits and frameworks. Source code is escrowed from
such companies to governments, I believe this was just reported as having
happened in Germany with FinFisher.

>
> A more likely attack is spearphishing - standard malware with an attack
> vector customized to the individual but off the shelf script kiddy code
> - social, rather than code, customization. And even that is a stretch.
> Cops just don't put that much work in.
>
>

Yes, yes they do:

  http://www.scmagazine.com/finfisher-command-and-control-hubs-turn-up-in-11-new-countries/article/291252/

>>
>> Now suppose instead of the police, it is a foreign government trying to
>> get secret research data. Maybe instead of targeting one research
>> group, they just target, say, anyone who keeps Matlab source code in a
>> git repository.
>
> By Matlab source code, you presumably mean source code written to be
> interpreted by Matlab.
>
> How many people in government employment can write and understand Matlab
> source code? And if they targeted "everyone" that is a lot of people.
> Someone is going to notice.

While I generally understand your arguments, I think you underestimate the
capabilities of even local police officers. There are point and click
tools, custom tools and everything in between.

>
> Now if someone is working on a missile, /him/ they might well target -
> but he is not going to have his matlab source code on a public repository.
>
> If you are targeting "everyone", in the hope of catching a few big fish,
> then you are going to do what the botnet operators do, and will be
> detected the way botnet operators are detected.

Customized solutions are the standard operating procedure. I encourage you
to read this:

  http://www.gpo.gov/fdsys/pkg/CHRG-112hhrg64581/html/CHRG-112hhrg64581.htm

===============
"Ms. Chu. Okay. Last question. If we do grant the FBI the authority it
seeks, will this stop sophisticated criminals and terrorists from
encrypting their communication, or will they simply start using
communication tools provided by companies or programmers outside the U.S.?

"And what do we do when criminals start using secure communication tools
provided by developers associated with the WikiLeaks organization, who will
ignore requests by U.S. law enforcement agencies?

Ms. Caproni. Thank you for that question. There will always be criminals,
terrorists, and spies who use very sophisticated means of communications
that are going to create very specific problems for law enforcement. We
understand that there are times when you need to design an individual
solution for an individual target, and that is what those targets present.

We are looking for a better solution for most of our targets, and the
reality is, I think, sometimes we want to think that criminals are a lot
smarter than they really are. Criminals tend to be somewhat lazy, and a lot
of times, they will resort to what is easy. And so, long as we have a
solution that will get us the bulk of our targets, the bulk of criminals,
the bulk of terrorists, the bulk of spies, we will be ahead of the game. We
can't have individual--have to design individualized solutions as though
they were a very sophisticated target who was self-encrypting and putting a
very difficult encryption algorithm on for every target we confront because
not every target is using such sophisticated communications.
==============

Governments may be incompetent but that doesn't mean that it is not preying
on people. Quite the opposite, I think.

All the best,
Jacob
