'NSA' hack okshun woz writ by Inglish speeker trieing to hyde

The perpetrator behind the dumping of tools penned by the probably-the-NSA hacking squad called "Equation Group" appears to be a native English speaker, according to linguistic data researcher Shlomo Argamon. Earlier this month some 300 files were circulated online purporting to be stolen from the Equation Group, which is …

Anonymous Coward

Shlomo......drug of choice in Mega City One

your talkin oot ur harse Mr Argos

1
1
Silver badge
Black Helicopters

Snowden Mk2

Motherboard cited unnamed NSA sources saying the work reeks of insiders, and that the neat documentation of the dumps suggests the caches were stolen from within the spy agency.

Do we have another Edward Snowden in the making? I wonder if Snowden has a spare room in Russia...

6
0
Silver badge
Black Helicopters

Sir

I'm not sure about US English, but certainly for English English I've noticed that a lot of foreign nationals display a much firmer grasp of grammar and spelling than a considerable number of the natives.

29
0
Silver badge

Re: Sir

From what I've picked up from British media (including Attack the Block and Ali G) I would guess that the native loose grasp of grammar is more than doubled for US English.

However, from how it read in the article, the errors were not consistent with the errors of a non-native speaker. Most non-native errors arise from transliteration of thought (IE if you speak Russian as a native, and you think in Russian; your English sentences will follow Russian structure and, perhaps, Russian idiom). The errors that were analyzed did not conform to one particular set, and also used US idiomatic speech, but with errors introduced to seem like a foreign operation.

Theory: the verbiage was generated by a US speaker who tried to use "Russian" dialog from US movies to misdirect attention. To a USAian this means it is Russian, but to one who studies language it is very much not.

11
0
Silver badge

Re: Sir

I have been rather suspicious of the knee-jerk reaction to blame the Russians, Chinese, NORKs, etc. That this is someone who speaks US English more or less natively does not surprise me at all. My guess is an insider who saw what happened to Snowden and decided to cover his tracks as best he could. Probably using insider knowledge about how paranoid feral spookhauses are about the Russians, made it look like a Russian.

If I remember correctly Russian does not have either the indefinite article (a/an) or the definite article (the) while many Western European languages do.

1
0
Silver badge

Re: Sir

WRT language structure, US/UK/NZ/AU/ZA idiom is one thing, but the idiom and structure of other versions of "native English" show clear influences of other regional languages.

If you know what you're looking for this makes spotting the lads from Lagos pretty easy, but it's interesting that there's a fair overlap between them and Eastern European English.

The telling thing (as mentioned) was random grammatical errors. People tend to be consistent in their misapplication of structures - but the sentence specifically picked out is what I'd expect to see in Southeast Asian former colonies. :)

1
0

Comrade,

your comment made me read the article itself (-: Thanks.

1
0
Anonymous Coward

The plot thickens!

@ a_yank_lurker; "If I remember correctly Russian does not have either the indefinite article (a/an) or the definite article (the)"

You are correct! This proves it cannot be a work of the Russian and it is a responsibility of us evil Westerners.

By a way, I am the Yankee just like you. I have nothing to gain from pretending to be the foreigner!

1
0
Bronze badge

Re: Sir

Yup, Slavs tend to speak English without 'a' and 'the', making it sound weirdly staccato.

I was wearing a CCCP T-shirt to a party and the first thing my (now) wife told me was: "Where you get that shirt? You look like Russian athlete." She still speaks that way.

0
0
Bronze badge
Devil

Re: The plot thickens!

"You correct! This proves cannot be work Russian and is responsibility us evil Westerners.

By way, I am Yankee just like you. I has nothing gain from pretending be foreigner!"

TFIFY!

0
0
Silver badge

Rather fun if it was an inside job

If it were, then money would probably be the spur, and what more American motivation could there be?

3
0
Silver badge

Re: Rather fun if it was an inside job

Exactly - they might simply be laundering their Bitcoins in preparation for something else.

1
0
Silver badge

assumptions?

Why would there be auto correct errors in a script?

Unlikely to be using a word processor for code.

Do they know the code did not have multiple authors?

I'm sure many people who have worked on multi author software know the feeling where, before you even see the style of the code below, from the way the comment describing the mod is structured you know who had added those lines of code.

Using online translation tools to convert English back to English (via a couple of intervening languages) is a good way to get odd sentence structure that looks non native (though does sometimes need the odd obvious translation total fail fixing).

Indeed, just using online translate "legitimately" from non English language to English could give suitable junk-looking language.

4
1
Silver badge

Should have ran it through three or four languages on Google Translate

Or, as Google Translate says, "He ran three or four languages translation from Google".

1
0

Re: Should have ran it through three or four languages on Google Translate

But then Google would have the original text and that might mean the NSA do too.

6
0

double bluff?

If this guy thinks he can detect fake grammarisms then it would logically have been equally possible for the originator to be able to generate credible fakes to put people off the trail?

When I worked for an international company with its HQ outside the UK we were quite good at mimicking other regions' use of English when responding to the many "employee surveys"

2
0
Anonymous Coward

Deer Hatter

wa se'ro dae? u wan san bi-con? San bery Bee-con? En Ass Ay? wat? u Hat En Ass en wan san Bee-con? I cann ow'den stand wat u sat, tall two mei inn engrish,

0
0
Silver badge

Threat?

"It continues that the Russians have taken the unprecedented action of dumping the contents publicly in a veiled threat to the NSA after the Democratic National Committee breach, which the US blames on Moscow."

"Stop claiming we hacked you or we'll hack you some more. Also, here's some stuff we hacked from you."

Apparently the threat is rather too veiled for me to understand. Demonstrating to the world that you've already done the thing you're threatening to do isn't generally how threats work, and doing the exact thing you're being accused of is not generally the best way to get accusations to stop.

6
0
Silver badge

Re: Threat?

>Apparently the threat is rather too veiled for me to understand.

Something along the lines of expelling diplomats known *not* to be spies, to show you know exactly who the spies are and you aren't worried by them.

I'm not bothered, it's nice to see the NSA's bad behaviour proven and spoilt a bit. Chipping away at the public respect for those who are so lost in their games that they've forgotten what they are supposed to be protecting.

8
0
Megaphone

Not Seemples

Outcaught! Cock a whatup!

4
0
Silver badge

The 'insider' theory

One would presume there are logs kept of who accesses what files, so copying that repository could only be done by someone with a job related reason to do so. But does anyone have a job related reason to copy the ENTIRE repository? Perhaps not, but I doubt it would trigger any alerts as if you needed most of the files, it would be easier to copy the whole thing rather than pick and choose only the ones you need.

Assuming someone can copy it, they'd have to copy it into some media they can bring in and sneak out. Snowden used a CD marked "Lady Gaga", but the question is: could a non sysadmin copy data on a CD, USB stick or SD card? One would hope their secure systems have no CD drive, the USB ports blocked up (or at least the drivers for the USB storage class removed) and no SD slot.

However, some employees will have to copy data onto such devices as part of their work - how else to get it off the secure system onto the internet to be able to actually hack someone? So some employees must have a system available to them capable of writing to removable media. Since Snowden was able to sneak out a CD with little trouble, one would assume a USB stick or SD card would be even easier to smuggle in, especially if you didn't need to "smuggle" it because you are SUPPOSED to be removing it and if checked contains the files you are supposed to be taking to the outside world! (With maybe a little extra since you copied the whole thing, but that could be easily explained away in the unlikely event he was checked and that fact was noticed)

I wonder how many people this would narrow it down to for the NSA security people who would try to track down the leaker? Hundreds? Thousands? The contents were several years out of date, which makes it more difficult - is that because the leaker no longer works at NSA, because they wanted you to think that, or because they wanted to leak the material (for whatever reason) but didn't want to risk ongoing operations by leaking the "latest and greatest" tools?

2
0

Re: The 'insider' theory

Snowden used a CD marked "Lady Gaga"

That was Manning.

If you can get remote access to everything on a server then you can likely amend the log files too. Various crypto gurus are already recommending we look to a post-crypto future where you assume you are hacked and concentrate on blocking exfiltration, either by DVD as you said or straight over the network.

2
0
Silver badge

Re: The 'insider' theory

Amending log files would require admin access though, which restricts it to a Snowden type. More to the point, if the logs are sent over the network to another machine or stored on write once / sequential media even admin access won't let you modify the logs.

0
0
Silver badge

Re: The 'insider' theory

Suspend the logging process for the duration of the data copy, or even just change the destination IP of the log server for a few minutes while you do the deed.

I'm sure there are other (cleverer) ways.

1
0

Re: The 'insider' theory

At one point it was part of my job to read log files to spot hacks. I must confess I am not sure I did it very well. My boss was better at it, but he always did it after the event. Once you know something has happened then it is relatively simple to look back for tell-tale signs. It was complicated by the fact we never got to choose what was logged, some invisible developer decided that months before without our input. So spotting it in real time requires pattern recognition skills that I doubt even Assange has. You stare at logs over and over and you can, sometimes, tell if something looks a bit different. If you are well slept and not on 24 hour call out, and you didn't just have an argument with your girlfriend.

I used to be stuck between a yearly battle between Belgian and Dutch hacking conventions. These genius idiots weren't actual criminals as such, but they were trying their best to take us down for lolz. It was bloody annoying, and I had the best of support. As soon as they jabbed us, we'd get a direct patch from MS or whoever and have to install it organisation wide. You know how Space Invaders gets annoying after an hour or four? It was very tempting just to leave work, go to the convention and spike their drinks with LSD.

1
0

Re: The 'insider' theory

Depends how hard it is to acquire admin privileges...

On most Windows based networks, simply being on the LAN is enough to very quickly get admin credentials with a moderate level of skill and publicly available tools.

0
0
Silver badge

Re: The 'insider' theory

Your logging isn't worth much if you can suspend it without anyone becoming the wiser. There are plenty of ways to detect such a thing, which I would hope the NSA would be using.

0
0
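
Added example, not part of any comment in this thread: one collector-side way to notice the logging gap discussed above, by checking each host's records for missing sequence numbers and for silence longer than a heartbeat window. The log format, host names, per-host `seq=` counter, 60-second heartbeat and threshold are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> <host> seq=<n> <message>" as received by a
# central collector. Hosts are assumed to emit a heartbeat every 60 seconds.
SAMPLE = """\
2016-08-01T10:00:00 ws-17 seq=101 heartbeat
2016-08-01T10:01:00 ws-17 seq=102 heartbeat
2016-08-01T10:01:30 ws-17 seq=103 file_read repo/index
2016-08-01T10:09:00 ws-17 seq=131 heartbeat
2016-08-01T10:00:10 ws-22 seq=7 heartbeat
2016-08-01T10:01:10 ws-22 seq=8 heartbeat
2016-08-01T10:02:10 ws-22 seq=9 heartbeat
"""

MAX_SILENCE = timedelta(seconds=150)  # assumed policy: 2.5 missed heartbeats


def find_gaps(text, now):
    """Return (host, kind, detail) findings for lost records or silence."""
    last = {}       # host -> (timestamp, seq) of the most recent record
    findings = []
    for line in text.splitlines():
        ts_s, host, seq_s, _msg = line.split(" ", 3)
        ts = datetime.fromisoformat(ts_s)
        seq = int(seq_s.split("=", 1)[1])
        if host in last:
            prev_ts, prev_seq = last[host]
            # Records generated on the host but never delivered here
            # (e.g. destination changed) leave a hole in the counter.
            if seq != prev_seq + 1:
                findings.append((host, "seq_gap", f"{prev_seq}->{seq}"))
            # A suspended logger produces no heartbeats at all.
            if ts - prev_ts > MAX_SILENCE:
                findings.append((host, "silence", f"{prev_ts.time()}-{ts.time()}"))
        last[host] = (ts, seq)
    # A host that is still silent only shows up when compared to the clock.
    for host, (ts, _seq) in last.items():
        if now - ts > MAX_SILENCE:
            findings.append((host, "stale", f"last seen {ts.time()}"))
    return findings


if __name__ == "__main__":
    for finding in find_gaps(SAMPLE, datetime(2016, 8, 1, 10, 10, 0)):
        print(finding)
```
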
Silver badge
Happy

Re: The 'insider' theory

"which I would hope the NSA would be using."

That's a bit like saying you expect the banks to be using all the latest super-secure technologies etc.

0
0
Big Brother

Re: The 'insider' theory

"Depends how hard it is to acquire admin privileges..."

I expect an NSA insider with access to, or who coded some of these tools (the dreaded Nation-State-level threat) shouldn't have trouble elevating privs. (S)he might even just break out an exploit from the toolkit being auctioned and apply it.

p.s. my hovercraft is full of eels

0
0
Silver badge
Windows

NSA budget cuts.

Auctioning off old stock!

Cheap bidding war!

wat? Flag? there aint no flag?

who me?

Paranoid? cynical? naaaaaaaaaah.

1
0
Silver badge

Hunt for Reds in Threads

Argamon says the author's native tongue could be a Slavic language such as Russian or Polish, but that is far less likely than the writer is a native English speaker.

One theory posited by NSA leaker Edward Snowden is that the authors are Russian spies who leaked the contents of a NSA command and control server they hacked in 2013.

Any advance on a native English speaker Russian spy group?

How about a hot renegade rogue and/or virile freelancing viral enterprise cell? One of those engaging non-state actor types just doing IT for kicks and kick backs/handsome ransom payments in return for stopping what one is doing or changing sides to play nice with new partners?

Naked feudal feral capitalism working at its finest.

1
0

Short changed

I don't know if this is true or not but a commentator on another website said ten million Cisco shares were shorted in the weeks leading up to this story. I know El Reg pokes around in technical details but there might be a story in following the money.

1
0

Hats off to Shlomo Argamon...

He's truly a cunning linguist! =-D

*Cough*

I'll get my coat...

2
0

I hinted at much the same thing myself...

In a comment on ZH - which is worth reprising here.

---------------------------------------------------

Told ya (that the talent-rich phyles are starting to understand the relative merit of uncorking .gov).

Is funny press release like written by Russian, da? Da.

Is lucky we not step in it.

The thing about national-level artificial monopolies - be they in 'justice', 'law enforcement', 'intelligence' - is that they are always fragile (in the NNT sense).

Firstly, they are entirely populated by second-raters: everyone above GS5 is either a 'True Believer' (i.e., gullible as a newborn, and therefore easily soc-eng'd) or a careerist bullshit-artist (i.e., useless for anything except toadying towards superiors and taking credit for underlings' work). At the very top, everyone is employed/installed based on their proximity to that most vile of pseudo-humans - politicians.

Secondly... think what it means when procurement is overseen by, and facilitated by, the types of people in 'firstly'. It means that tech procurement is done in an environment that contains nobody with the chops to evaluate the product.

So everything is acquired by a 'proximity model' - people get contracts because they're linked to, e.g., Chertoff... and once they've had one contract whose flaws didn't get exploited on 0-day, they are at the trough forever.

I fully support everything Snowden did after he left (except that he should have blasted half the entire corpus into cyberspace, and kept the other half as insurance, rather than installing 'curators' - be they never so well intentioned). But bear this right at the front of your mind: he is not that bright. Snowden was a high-school washout, and not because he was 'too smart to excel' (I know plenty of people who are like that, and he's not one of them). Yet he rose through the ranks of the alphabet soup agencies like a fucking boss.

The security-theatre industry is not staffed with the 'best and brightest'. 'Mudge' - always a nappy in hacker circles - is one of .gov's best, and he's fucking useless. Mudge is the hacker equivalent of Dumb Shitbird (Domscheit-Berg) - someone who tried to coddle up to a genuine talent, then betrayed them the moment someone turned up with enough pieces of silver.

Ask yourself who wants to work for NSA: they have to 'believe in the mission', which makes them obviously incapable of adult levels of cognition, let alone genuine talent.

0
0


Biting the hand that feeds IT © 1998–2017