Shadow Broker Breakdown

The Insider Threat Angle Is Bullshit

I’ve been pretty busy recently, so I haven’t had much time to analyze and comment on the exciting new developments in the continuing cyber spat between the great powers. I do have time to tear down one issue though – the source of the Firewall ops kit.

TL;DR: some idiot TAO operator made a mistake, loaded a full kit onto a bounce box. Oops.

We have three options:

• H1: idiot TAO operator
• H2: TAO operator with balls of steel and luck
• H3: Snowden with excessive access

A Plethora Of Observations

The strongest case is for H1, and I’ll illustrate my reasoning with a few observations.

1. If the dates are to be believed, the Firewall ops kit was acquired months after Snowden walked out the door with a USB stick. NSA was in full on panic mode, witch hunt, kill the USB bearers. This is not the optimal time to load a super TS//SCI ops kit onto a USB and try to walk out the door… the middle of a witch hunt for people walking out the door with exactly this sort of thing.
2. Many files post date Snowden. Does that matter because: “you can change a timestamp”? I think we’ll have to say this info is not reliable, although I, personally, suspect it is accurate. Obviously the way to check is to compare the changes in the files with the dates they were made in the version control system and find changes which happened after Snowden left. Only NSA can do that, and, lets be honest, they aren’t gonna tell us squat about their findings. So, we can disregard this data. (At face value I’d say it disqualifies the Snowden H3, but lets continue.)
3. Snowden, well, frankly, I just don’t think he would have access to ops kits. This is pure TAO operational tooling. Only DNT and the TAO operators doing firewall work had access to this kit. I think it is not likely that the access he had, and the scraping he did, would get him this sort of data (see: Compartmentation 101.) He was getting documentation, not operational tools.
4. The way this sort of ops kit is supposed to be used is that a minimal set of tools is made available on the (compromised, etc) box the operator is using. From there, that operator does their hacky hacky thing. The released kit is not a minimal set (very obviously.) I read that as “human error.” It supports H1 because it is so easy to see happen. I know, “it should never happen,” but I can see some idiot mounting the wrong share, doing their job, unmounting it and just hoping that it worked out ok (because what are the odds that this box is popped? right? right??)… that just feels real to me.
5. If there were operational toolkits with working exploits in them in the Snowden docs then the Intercept would not be publishing office circulars from 2003. Killing 0day and dropping ops kits would be a huge boost to them. They wouldn’t sit on it for 3 years. “NSA Tools To Hack America’s Firewalls!” would’ve been the headline back in 2013, … Now, it is possible that Snowden got an ops kit and didn’t give it to Greenwald but did give it to the Russians, however that doesn’t fit with [redacted — a whole bunch of shit I won’t say publicly about the sacred cow.] “I thought Ecuador was supposed to be warmer?”
6. Timing. There is no reason an NSA employee who walked out with a TAO ops kit up their keister (or however they got it out) in 2013, would sit on that 30yr federal sentence until sometime 3 years later in the middle of an escalating cyber spat between the US and Russia they decide, “fuck it, lets burn the NSA, harm US national interests and security, and turn this fucker up a notch.” NSA dudes are super patriotic (much like their Chinese and Russian counterparts, but don’t tell them that.) They really aren’t likely to do something for shits and giggles that hurts the US and helps her enemies. Not to mention that infowar is hardly a TAO forte, they wouldn’t think to do it, it’s just not their style.
7. [Optional: skip this one if you think an ex NSA staffer can live in Moscow under FSB protection for 3 years and remain 100% independent.] Snowden’s tweet storm. He is, at this point, essentially an FSB asset. That means he is under management. That doesn’t mean he is a robot who will repeat whatever is given to him verbatim (I mean, sure, he might…) but it does mean that he’ll take suggestions and hints about how to do things. “What do you think this ShadowBroker thing is? You know what I think, I think it is probably someone sending the Americans a message. Probably about when they messed with someone else’s election, thats what I think. How about you?” … “You know, Ed, I bet it would be good to do an analysis of this message that these ShadowBroker guys are sending the Americans. Maybe something to let people know this is how NSA do things too? Just a thought, up to you…” (Feel free to disregard this one if you can’t imagine Snowden being influenced by the FSB after 3 years of constant monitoring. 🙄)

I think given the available evidence, nothing can be ruled out, but if we go Bayesian on this, the only hypothesis that has a strong case is: TAO operator makes a mistake on the wrong day on the wrong box.

Occam’s Razor

This is why I think it was TAO operator error — because it requires only one dumb mistake by one person to happen. Every other scenario requires complicity, or really unusual behaviour, from a number of people over years.

I have faith in the ability of human beings to make mistakes. I have no faith in the ability of Glenn Greenwald to keep a full firewall ops kit under wraps for 3 years while he’s left publishing office circulars…And, I just can’t see an NSA operator risking 30 years of “Federal vacation” just to harm the US. (Hopefully I don’t have to explain why the auction is fake, but: to monetize an NSA ops kit, put it on a USB and walk into any non FVEY embassy, walk out with money. Rinse, repeat.)

Parting shots

The operation was well planned. The tar balls were packed in late July. The tumblr, mega, github, etc. etc. were all created days or weeks before the upload. The uploads all happened in order of “biggest, but least obvious, to smallest and most damning”… then, a couple days after everything is in place, they start tweeting the media. Amusingly, the first tweet and the first @ was to RT and then to CNN and other tier one news agencies… implying parity, or just a coincidence? Maybe just a funny random thing…

Anyway, thats all I have time for. :)

Update: five weeks after this was published, Reuters reports that my analysis was correct. Although they used interviews with NSA and FBI as a framing device ;)