mailing list archives
From: Warren Bailey <wbailey () satelliteintelligencegroup com>
Date: Fri, 14 Jun 2013 17:48:54 +0000
I would imagine the people running an ultra ninja spy network would have people working for them in their enemies
national hardware supply chain, you can put your code in their gear. I don't know why everyone thinks their email or
router password being comprised is the end result. A worm was placed into a SCADA (Seimens) controller that manipulated
the rotation of centrifuges. If I can do THAT.. Why would I care about some lame box at your office? I would love to
know how much effort the NSA puts into playing with other national covert surveillance programs. The Chinese have been
saying for years they aren't rooting dot com and dot gov, but I would bet money the NSA has been watching them do it
for as long as it has been around (which REALLY passes off the Chinese) . When you have endless money and time, there
are no bounds. We (Americans) think in terms of Presidential cycles and Holidays. They (Chinese) tend to have a little
different view on things, time is progress.
I encourage all of you to watch Vice on HBO tonight. If you enjoy it, there is an episode a week or two back showing
these massive (3-5k units) housing developments that are sitting completely empty. As it turns out, the Chinese are
building because that is how they measure their economic growth. If they are building, they are growing. Never mind
they have no one to sleep there, let alone ever intend to make their money back.
I suppose I should wrap up my rant with:
Government (world wide) spends a tremendous amount of time and money on keeping things secure. They used to house
sensitive information in vaults with guys standing 24x7 with Uzis, but as the information age has approached they have
lost touch with reality. All of these security screenings, background checks, spying, and a 29 year old anime fan with
a smokin' girlfriend smuggled thumb drives out and flew to China. He mentioned he had access to the location of every
CIA station and operative in the world - which means he had access to their AD controller. This shit isn't mystical,
Sent from my Mobile Device.
-------- Original message --------
From: Scott Helms <khelms () zcorum com>
Date: 06/14/2013 10:23 AM (GMT-08:00)
To: Rich Kulawiec <rsk () gsp org>
Cc: NANOG <nanog () nanog org>
Subject: Re: huawei
On Fri, Jun 14, 2013 at 8:47 AM, Rich Kulawiec <rsk () gsp org> wrote:
On Thu, Jun 13, 2013 at 09:11:35PM -0400, Scott Helms wrote:
I challenge your imagination to come up with a
common scenario where a non targeted "I'm/they're here" that's useful to
either the company or the Chinese government keeping in mind that you
no fore knowledge of where these devices might be deployed.
How about "code that watches for password changes on the device,
captures them, quietly and slowly leaks them a bit at a time"?
And I do mean "slowly": passwords don't change all that often,
so if it takes a week to transmit one, that's not a concern.
This is feasible, but frankly unlikely because AFAIK no one disputes that
backdoors (intentional or not) are in most if not all gear. Having said
that, it would still be pretty obvious in mass and over time to have
packets going to a predesignated host. Its not really possible for a box
to know whether its in a "real" network or a lab with Spirent or other
traffic generator hooked to it.
Passwords also get reused, so knowledge of the pair (Device1, Password1)
is often useful when considering (Device2, Device3, ... DeviceN).
You're right: nobody would know a priori where the devices are going.
But why would [some of the] attackers care?
It really depends on what someone wants to accomplish. There are lots of
things that are possible, but not feasible simply because there are
cheaper/faster/better ways of accomplishing the same thing. Shutting down
a network is pretty easy so if you have a kill switch and a backdoor (both
likely and easy) then why do you care about the passwords of the devices
near by? You can knock out a core router in other ways.
And it's not strictly necessary to have the devices transmit the info
to a pre-designated listener: it could be inserted in ALL traffic 
so that the device is always (slowly) broadcasting its own password.
Yes, this is very inefficient; yes, that might mean that transmission
of the password back to the attackers isn't guaranteed; yes that might
mean that it takes a much longer time to harvest passwords.
How? There is truly not that much room in the IP packet to play games and
if you're modifying all your traffic this would again be pretty easy to
spot. Again, the easiest/cheapest method is that there is a backdoor there
But if the attackers' goal is to harvest as many passwords as possible,
then efficiency and speed aren't important. (After all, many of the
devices might sit in boxes for a long time. Or be installed on networks
that are air-gapped. Or otherwise might never report anything useful.)
What's much more important is undetectability, and given that almost
all the detection mechanisms in play look for something like "lots of
traffic to/from an unexpected location" the best way to avoid that is
to be very slow, very quiet and very undirected.
Yeah, yeah, yeah, I know: far-fetched. But yesterday's "far-fetched"
keeps turning out to be today's reality with monotonous regularity.
Not really, things that are far fetched can become reality but only in
cases where something underlying changes.
And: suppose *you* were an attacker with a multi-billion dollar budget,
thousands of people, and years to work: don't you think you could pull
this off, too?
I could certainly and as I've pointed out, I wouldn't even consider routers
outside of disruptive attacks. If you want to steal information you want
to be as close to the end user target as you can be so your signal to noise
ratio is better. If I wanted to do this and had the resources of the
Chinese government then I'd be much more focused on Lenovo than Huawei.
The parts that are most interesting in Huawei aren't the core pieces but
rather the consumer and office gear.
 Perhaps disused packet header fields. Or perhaps, more cleverly,
buried in the packet itself. Or otherwise concealed in other ways that
make it very hard to pick out unless you know, a priori, what you're
There are a couple of places you could stick something, but it would stick
out like a sore thumb in Wireshark.