Hey John, thanks for this, a much appreciated (and needed) sharing of credit. Too often the press focuses on individual "heroes" to make a better story - the community knows the reality is a massive, decentralized effort, and we shouldn't get sucked into that narrative. More! ;-)
On Mon, Nov 26, 2012 at 6:26 AM, John Scott-Railton <[email protected]> wrote:
> Hi All,
>
> A few thoughts on the article. It uses a thread of one process of dealing with malware and attacks in Syria to tell its story, and highlights a couple of people who collaborate with each other and some of what they have been doing. It makes for an engaging read. But for someone who reads it and doesn't know the space this article could be read as suggesting that this group of people is the only game in town. It isn't. By far.
>
> The reality is decentralized, diverse and very collaborative. A community, in other words. And these communities are what make things happen. There are many networks of Syrians, technologists and folks in the community of activists working on identifying and responding to malware and other electronic attacks against the Syrian opposition. Or those working on analyzing the techniques and tools of surveillance deployed at the network level in SY. The community process by which Dark Comet was first identified after some false starts and unknown binaries first started floating around the community are a great example. So was the later discussion of Dark Comet and the ethical dimensions of the tool. Props to TCX and their collaborators here, for example. There are many others who've chosen to keep their names out of the media. The work of all of these people contributes to all we know now, and serious progress on a lot of fronts.
>
> A final note: I also wanted to acknowledge a particular person whose name was surprisingly missing from the group specifically mentioned in the Bloomberg piece, and who deserves credit for her role: Eva Galperin, International Freedom of Expression Coordinator and prolific blogger at EFF who will be familiar to many of you as the co-author with Morgan Marquis-Boire on every piece of blogging on SY malware that EFF has posted to date.
>
> J
>
>
> On Nov 15, 2012, at 12:02 PM, ilf <[email protected]> wrote:
>
> > http://www.businessweek.com/articles/2012-11-15/the-hackers-of-damascus
> >
> > Taymour Karim didn’t crack under interrogation. His Syrian captors beat him with their fists, with their boots, with sticks, with chains, with the butts of their Kalashnikovs. They hit him so hard they broke two of his teeth and three of his ribs. They threatened to keep torturing him until he died. “I believed I would never see the sun again,” he recalls. But Karim, a 31-year-old doctor who had spent the previous months protesting against the government in Damascus, refused to give up the names of his friends.
> >
> > It didn’t matter. His computer had already told all. “They knew everything about me,” he says. “The people I talked to, the plans, the dates, the stories of other people, every movement, every word I said through Skype. They even knew the password of my Skype account.” At one point during the interrogation, Karim was presented with a stack of more than 1,000 pages of printouts, data from his Skype chats and files his torturers had downloaded remotely using a malicious computer program to penetrate his hard drive. “My computer was arrested before me,” he says.
> >
> > Much has been written about the rebellion in Syria: the protests, the massacres, the car bombs, the house-to-house fighting. Tens of thousands have been killed since the war began in early 2011. But the struggle for the future of the country has also unfolded in another arena—on a battleground of Facebook (FB) pages and YouTube accounts, of hacks and counterhacks. Just as rival armies vie for air superiority, the two sides of the Syrian civil war have spent much of the last year and a half locked in a struggle to dominate the Internet. Pro-government hackers have penetrated opposition websites and broken into the computers of Reuters (TRI) and Al Jazeera to spread disinformation. On the other side, the hacktivist group Anonymous has infiltrated at least 12 Syrian government websites, including that of the Ministry of Defense, and released millions of stolen e-mails.
> >
> > The Syrian conflict illustrates the extent to which the very tools that rebels in the Middle East have employed to organize and sustain their movements are now being used against them. It provides a glimpse of the future of warfare, in which computer viruses and hacking techniques can be as critical to weakening the enemy as bombs and bullets. Over the past three months, I made contact with and interviewed by phone and e-mail participants on both sides of the Syrian cyberwar. Their stories shed light on a largely hidden aspect of a conflict with no end in sight—and show how the Internet has become a weapon of war.
> >
> > The cyberwar in Syria began with a feint. On Feb. 8, 2011, just as the Arab Spring was reaching a crescendo, the government in Damascus suddenly reversed a long-standing ban on websites such as Facebook, Twitter, YouTube, and the Arabic version of Wikipedia. It was an odd move for a regime known for heavy-handed censorship; before the uprising, police regularly arrested bloggers and raided Internet cafes. And it came at an odd time. Less than a month earlier demonstrators in Tunisia, organizing themselves using social networking services, forced their president to flee the country after 23 years in office. Protesters in Egypt used the same tools to stage protests that ultimately led to the end of Hosni Mubarak’s 30-year rule. The outgoing regimes in both countries deployed riot police and thugs and tried desperately to block the websites and accounts affiliated with the revolutionaries. For a time, Egypt turned off the Internet altogether.
> >
> > Syria, however, seemed to be taking the opposite tack. Just as protesters were casting about for the means with which to organize and broadcast their messages, the government appeared to be handing them the keys.
> >
> > Dlshad Othman, a 25-year-old computer technician in Damascus, immediately grew suspicious of the regime’s motives. Young, Kurdish, and recently finished with his mandatory military service, Othman opposed President Bashar al-Assad. Working for an Internet service provider, he knew that Syria—like many other countries, including China, Iran, Saudi Arabia, and Bahrain—controlled its citizens’ access to the Web. The same technology the government used to censor websites allowed it to monitor Internet traffic and intercept communications. Popular services such as Facebook, Skype, Google Maps, and YouTube gave Syria’s revolutionaries capabilities that until a couple of decades ago would have been available only to the world’s most sophisticated militaries. But as long as Damascus controlled the Internet, they’d be using these tools under the eye of the government.
> >
> > Shortly after the Syrian revolution began in March 2011, Othman’s political views cost him his job. He decided to dedicate himself full time to the opposition, joining the Syrian Center for Media and Freedom of Expression in Damascus to document violence against journalists in the country. He also began teaching his fellow activists ways to stay safe online. Othman instructed them how to encrypt e-mails and encouraged them to use tools like Tor software, which enables anonymous Web browsing by rerouting traffic through a series of distant servers. When Tor turned out to be too slow to live-stream protests or scenes of government attacks against civilians, Othman began purchasing accounts on virtual private networks (VPNs) and sharing them with his friends and contacts. A VPN is basically a tunnel inside the public Internet that allows users to communicate in a secure fashion. For a monthly fee, you can buy access to servers that create encrypted paths between computers; the VPN also disguises the identities and locations of your machine and others on the network. Spies can’t read e-mails sent via VPN, and they have a hard time figuring out where they came from.
> >
> > Othman’s efforts worked at first, but very quickly Damascus blocked off-the-shelf VPNs and upgraded its Internet filters in ways that made the VPNs inoperative. By the summer of 2011, Othman had become frustrated with the Western VPN providers, which he felt were too slow to adapt to the government’s crackdowns. He bought space on outside servers, set up VPNs of his own, and began actively managing them to make sure safe connections remained available.
> >
> > Othman was still training and equipping activists in October 2011 when he made a nearly fatal mistake. He gave an on-camera interview to a British journalist who was later arrested with the footage on his laptop. Warned by a friend through a Facebook message, Othman turned off his phone, removed its SIM card—a precaution to avoid being tracked—and hid in a friend’s Damascus apartment. He never went home. A month and a half later, at the urging of activists who worried his arrest would compromise their entire network, he escaped across the border to Lebanon. “I had been a source of safety for my friends,” he says. “I didn’t want to become a source of danger.”
> >
> > The struggle for Syria has transcended borders. In early 2011, from his office at the University of California at Los Angeles, John Scott-Railton, a 29-year-old graduate student in Urban Planning, joined the revolutions in North Africa and the Middle East. Scott-Railton, working on a dissertation on how poor communities in Senegal were adapting to climate change, had spent time in Egypt and had close friends there. When revolutionaries in Cairo occupied Tahrir Square, he set his studies aside. Working through his contacts in the country, he helped Egyptians evade Internet censors and get their message out to the world by calling protesters on the phone, interviewing them, and publishing their views on Twitter. Later, when the Arab Spring spread to Libya, he did the same, this time working with Libyans in the diaspora to broaden his reach.
> >
> > In Syria, Scott-Railton recognized that the task would be different. Once Assad’s government lifted restrictions on the Internet, activists were having little trouble getting their voices heard; graphic videos alleging government atrocities were lighting up Facebook and YouTube. The challenge would be keeping them safe. “If we’re going to talk about how important the Internet has been in the Arab Spring, we need to think about how it also brings a whole new set of vulnerabilities,” says Scott-Railton. “Otherwise, we’re going to be much too optimistic about what can be done.”
> >
> > The first documented attack in the Syrian cyberwar took place in early May 2011, some two months after the start of the uprising. It was a clumsy one. Users who tried to access Facebook in Syria were presented with a fake security certificate that triggered a warning on most browsers. People who ignored it and logged in would be giving up their user name and password, and with them, their private messages and contacts.
> >
> > In response, Scott-Railton began nurturing contacts in the Syrian opposition, people like Othman with wide networks of their own. “It wasn’t that different from the strategy I had worked out in Libya: Figure out who was trustworthy and then slowly build up,” he says. In the meantime, he contacted security teams at major American technology companies whom he could alert when an attack was detected. Scott-Railton declined to name specific companies but confirmed he was in touch with security experts at some of the biggest brand names. In the past year and a half, pro-government hackers have successfully targeted Facebook pages, YouTube accounts, and logins on Hotmail, Yahoo! (YHOO), Gmail, and Skype.
> >
> > Scott-Railton’s involvement in the Syrian cyberwar wasn’t high-tech. Over several months, he set himself up as a bridge between two worlds, passing reports of hacking on to various companies who could investigate attacks on their users, take down bogus websites, and configure browsers to flag suspect sites as potential threats.
> >
> > For Syrians, the system provided a quick, sure way to limit damage as attempts to break into accounts affiliated with the opposition became more sophisticated. For tech companies, it was an opportunity to address violations as they happened—though those violations have also exposed the vulnerabilities of some of the world’s most popular social networking services.
> >
> > Facebook, which in 2011 responded to hacking attempts in Tunisia by routing communications through an encrypted server and asking users to identify friends when logging in, wouldn’t comment on what, if anything, the company is doing in Syria. Contacted by Bloomberg Businessweek, a spokesperson provided a statement saying: “Security is a top priority for Facebook and we devote significant resources to helping people protect their accounts and information, wherever they live and whatever the circumstances. … We will respond quickly to reports—whether from formal or informal channels—about worrying and problematic security threats from groups, organizations and, on occasion, from governments.”
> >
> > As the war intensified, the cyberattacks waged by pro-government Syrian hackers became more ambitious. In the weeks before his arrest in December 2011, Karim, the young doctor, had begun to suspect his hard drive had been compromised. His Internet bill—which in Syria varies according to the traffic being used—had more than quadrupled, though he still isn’t sure exactly how his computer was infected. He suspects the malware may have been transmitted by a woman using the name Abeer who contacted him on Skype last autumn and sent him photos of herself. Another possibility is a man who sent Karim an Excel spreadsheet and said he could provide monetary support for the revolution.
> >
> > In prison, Karim’s captors mentioned both people. His interrogators knew about his high Internet bills, as well: “The policeman told me, ‘Do you remember when you were talking to your friend and you told him you had something wrong and paid a lot of money? At that time we were taking information from your laptop.’ ”
> >
> > Before the Syrian revolution, Karim had never participated in politics. “I would just go to work and then go home,” he says. But the Arab Spring awakened something inside him, and when demonstrators gathered for a second week of major demonstrations, Karim joined them. The first protest he attended was also the first in which the regime deployed the army to crush dissent, killing dozens of demonstrators across the country. Shortly afterward, Karim signed up to man field hospitals, caring for wounded activists. The worst injuries were from snipers, he recalls. “Sometimes people would be shot in the back, and they’d be paralyzed. Sometimes we found bullets in the face, and all the bones in the face were broken. When we found people shot in the abdomen, sometimes we couldn’t do anything because we didn’t have the proper equipment.”
> >
> > When it came to the Internet, Karim was typical of many of his fellow activists: enthusiastic, naive, and all too often complacent where security was concerned. “Sometimes we’d say to each other, ‘If there was no Internet, there would be no revolution,’ ” he says.
> >
> > Just 18 percent of Syrians use the Internet, and government restrictions along with sanctions by the U.S. and Europe have limited Syrians’ access to updated software and antivirus programs. Karim occasionally used the Tor application recommended by Othman but found the connection too slow for video. A friend in Qatar sent him a link to a secure VPN, but he wasn’t able to download the necessary software.
> >
> > On Dec. 25, 2011, Karim met with a group of doctors to put the final touches on a plan to better coordinate the opposition’s field hospitals. The next day he spoke with a friend on Skype and agreed to meet him to film a Christmas video he hoped would be a show of unity between faiths. When he left his safe house, the police were waiting for him. They knew where they would find him and where he was going. “Skype was the best way for us, for communication,” he says. “We heard that Skype was very safe and that nobody can hack it, and there is no virus for Skype. But unfortunately, I was the first victim of it.”
> >
> > In a statement to Bloomberg Businessweek, a spokesperson for Skype, which is owned by Microsoft (MSFT), said, “Much like other Internet communication tools with a very large user base—be it e-mail, IM, or Voip—Skype has been used by persons with malicious intent to trick or manipulate people into following nefarious links. … This is an ongoing, industrywide issue faced by all peer-to-peer software companies. Skype is committed to the safety and security of its users, and we are taking steps to help protect them.”
> >
> > Karim spent 71 days in Syrian detention before being released on bail pending a military trial. After his release he fled the country, sneaking from village to village until he arrived in Jordan. There he discovered that many other activists had been contacted by the woman named Abeer. A few weeks after his release, he received a message from her on Facebook offering to send him more pictures. He refused.
> >
> > In January 2012, less than a month after Karim’s arrest, Othman—by then in Lebanon—came across a laptop belonging to an international aid worker. The worker believed the laptop had been compromised. After making a preliminary analysis, Othman sent an image of the entire hard drive to Scott-Railton. Among the people Scott-Railton reached out to was a dreadlocked New Zealander named Morgan Marquis-Boire, a security engineer at Google (GOOG) in California. In his spare time, Marquis-Boire had begun investigating cyberattacks on opposition figures in the Middle East after being approached by activists who saw him speak at a conference. “I’m a firm believer in the facilitation of freedom of expression on the Internet,” he says. “The censorship that occurs when people are afraid to speak is actually the most powerful type of censorship that’s available.”
> >
> > Marquis-Boire, 33, wasn’t the first person to analyze the infected hard drive, but his examination was deep and thorough. The laptop, he determined, had been successfully hacked three times in rapid succession. The first piece of malware had arrived on Dec. 26, 2011, during the early hours of Karim’s detention. It had been sent to the computer’s owner through Karim’s Skype account, embedded in the proposal for the coordination of field hospitals he had finalized the night before his arrest.
> >
> > The malware, DarkComet, was a remote access “trojan.” It allowed its sender to take screenshots of the victim’s computer, monitor her through the video camera, and log what she typed. Every digital move the laptop’s owner made was being recorded—and the reports were being routed back to an IP address in Damascus.
> >
> > The network Scott-Railton had set up was faced with a new challenge. The people behind the attacks were no longer casting a wide net and waiting to see who they caught. They were specifically targeting revolutionaries such as Karim and his contacts. Security experts at major tech companies can restore access to hacked accounts or issue takedown orders when hackers set up fake versions of their websites. But there’s little they can do for a user whose computer has been captured by hackers.
> >
> > Scott-Railton and his collaborators began to study their opponent. Syrians like Othman with close contacts to the opposition began gathering suspicious files that might contain malware and funneling them to Scott-Railton. He passed them on to Marquis-Boire, who published his findings in blog posts for the Electronic Frontier Foundation, an advocacy organization based in San Francisco that promotes civil liberties on the Internet. A pattern soon emerged. The attacks used code widely available online. In the case of the DarkComet trojan that had been sent from Karim’s computer, the malware had been developed by a French hacker in his twenties named Jean-Pierre Lesueur who offered it as a free download on his website.
> >
> > What made the hacks so effective was their deviousness. Malware was discovered in a fake plan to help protesters besieged in the city of Aleppo; in a purported proposal for the formation of a post-revolution government; and on Web pages that claimed to show women being raped by Syrian soldiers.
> >
> > Whenever possible, the people behind the attacks would use a compromised account to spread the malware further. In April 2012, the Facebook account of Burhan Ghalioun, then the head of the Syrian opposition, was taken over and used to encourage his more than 6,000 followers to install a trojan mocked up to look like a security patch for Facebook.
> >
> > Scott-Railton’s network allowed antivirus companies to update their software so it would recognize the malware and warn Syrian activists. Once Marquis-Boire identified DarkComet, a group of hackers who went by the name Telecomix began putting pressure on its creator, Lesueur, to take it down. In February 2012, less than a month after the trojan had been discovered, he released a patch that would remove his program from an infected computer. “i was totally shocked to see that the syrian gouv used my tool to spy other people,” he wrote in a typo-laden post on his personal blog. “Since now 4 years i code DarkComet for people that are interested about security, people that wan’t to get an eye on what their childs doing on the internet, for getting an eye to notified employees, to administrate their own machines, for pen testing but NOT AS A WAR WEAPON.”
> >
> > In July, Lesueur took the program down altogether. The weapon that had been launched from Karim’s computer—and very likely the one that landed him in jail—had been disarmed.
> >
> > The cyberwar in Syria rages on. Othman and others like him spend hours fending off attacks on their VPNs. He says he knows of at least two activists who were detained and killed after their computers were undermined. Scott-Railton continues to relay reports of compromised accounts and fake Web pages to contacts in the tech industry. “Every day, I get contacted by Syrians with security concerns,” he says. Marquis-Boire is doing his best to trace the attacks back to their source.
> >
> > Since Karim’s release from detention and his escape from Syria earlier this year, he has lived in Jordan. When he recently ran a scan on his new computer, he found he had been infected once again. “I receive thousands of e-mails, videos, and requests and images from activists and friends,” he says. “And there are a lot of people who I don’t know who they are.” In July the Syrian Electronic Army, a pro-government group, released what it said were 11,000 user names and passwords of “NATO supporters,” meaning members of the Syrian opposition.
> >
> > In October, I attempted to contact the Syrians involved in the government’s cyberwar. Before doing so, I changed most of my passwords. I set up two-step verification on my Gmail account, an extra layer of security that makes it harder for hackers to take over an account remotely. I installed the Tor Browser Bundle and updated the WordPress software on my website. And then I dropped a line on Twitter to @Th3Pr0_SEA, an account that describes itself as belonging to the leader of the Special Operations Department of the Syrian Electronic Army, the most visible virtual actor on the government side. @Th3Pr0_SEA wrote back soon after, and we agreed to meet on Google Chat. Minutes later, somebody tried to reset the password of my Yahoo Mail account.
> >
> > @Th3Pr0_SEA wouldn’t tell me much about himself. Two members of his organization had been kidnapped and murdered by members of the opposition, he said, after posting under their real names on Facebook. He told me he had been a student when the uprising began. When I asked his religion, he answered, “i’m Syrian :)”
> >
> > Researchers have described the Syrian Electronic Army as a paramilitary-style group working in coordination with the country’s secret services and linked to the Syrian Computer Society, a government organization once headed by Assad himself before he became president. In our chat, @Th3Pr0_SEA denied the connection, repeating the group’s claims that it’s not an official entity and that its membership is unpaid, motivated only by patriotism. When I asked why the group’s website was hosted on servers owned by the Syrian Computer Society, he answered that his group paid for the service. “If we host our website outside of Syria servers, it will get deleted and probably hacked,” he wrote.
> >
> > Before I finished my interview with @Th3Pr0_SEA, I asked him whether he had been the one who tried to reset my Yahoo password. He denied it. “i think someone saw you,” he said, “when you talked me on twitter.” He also told me, “there is a big surprise from Special Operations Department coming soon, but i can’t tell you anything about it.”
> >
> > --
> > ilf
> >
> > Over 80 million Germans don't use a console. Don't click away!
> > -- An initiative of the Federal Office for Keyboard Use
> > --
> > Unsubscribe, change to digest, or change password at:
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>
> John Scott-Railton
> www.johnscottrailton.com
>
> PGP key ID: 0x3e0ccb80778fe8d7
> Fingerprint: FDBE BE29 A157 9881 34C7 8FA6 3E0C CB80 778F E8D7
>