This is a _really_ good article after reading through thousands of emails. It also provides good insights into the bigger picture, and what kind of fascinating glimpse this email leak provides into a secretive industry.
Please don't think that the information security industry (or penetration testing or malware niche) in general is like this. While many firms have relationships with defence contractors, the local military and intelligence agencies, we're not all writing undetectable rootkits and exploit code for commercial gain. I would say the actions disclosed in the very well written article (in a series of very well written articles) highlight one of a subset of security firms. I'm loath to use the Enron-esque "bad apples" description, because the truth is I just don't know, but I suspect that such actions are limited to a minority of firms.
Considering the amount of money governments are willing to spend on rootkits as compared to more benevolent activities, I suspect that these companies won't stay a minority for long.
The more I hear about the HBGary story, the more concerned I get with their business partners at Palantir and Berico. This can't be the bottom of the rabbit hole.
Apparently both companies are deep into fighting the war on terror; are they seriously pursuing business against U.S. citizens?
Always follow the money. The government is concerned about "cyber-security type things" and there will be no end of shady and less-shady firms willing to charge millions of dollars for providing whatever the government thinks it wants (which is probably not what it needs).
And as you pointed out these firms don't operate in a vacuum, they form networks. They compete with each other but also look for a possible strategic partnership if one comes along.
The real key is to recruit someone who retired from the military or from one of the 3-letter-agencies. (At least ask them to serve on the board). Just that right there nets you an enormous amount of projects. You thought big enterprise runs on golf-ware, but big government projects also run on friend-ware and friend-of-a-friend-ware. It is very much an incestuous family.
Case-in-point:
"For eight years, government officials turned to Dennis Montgomery, a California computer programmer, for eye-popping technology that he said could catch terrorists. Now, federal officials want nothing to do with him and are going to extraordinary lengths to ensure that his dealings with Washington stay secret."
https://www.nytimes.com/2011/02/20/us/politics/20data.html?_...
Interesting that these people brainwashed themselves and believe there are actually lots of Al Qaeda operatives out there hiding in the bushes, researching methods to kill their victims using fecal matter. These are the kinds of people who get lots of government money for "security" related projects...
Having slides claiming ownership of exploits is a very long way away from having the exploits themselves. Such a commodity has substantial financial value - if an intruder came upon them they'd be unlikely to publicly announce their existence but not release them.
It's possible such exploits don't exist, are misrepresented or were never in HBGary's possession. Exploits have a shelf life that degrades as other actors are likely to discover the same bug, maybe 6-18 months in general wisdom. But, it is always possible to claim you have a private cache and then buy them if/when they are needed.
It's possible that it is all a work of fiction, but Greg Hoglund is an accomplished security researcher. It's certainly a realistic scenario that Hoglund discovered them himself, or purchased them from someone else if he didn't have time to do the vulndev. That being said, if it is fiction it wouldn't be the first time a contractor misled the government about competency.
I agree with you, it's not that I'm trying to say the whole thing is a work of fiction, just that things are often (partially) misrepresented. I believe the breadth of the claimed in-house and unused code is unusual, but certainly not impossible. There seem to be a lot of people that attempt to sell/broker other people's code that they aren't in possession of (since IP protections in these cases are non-existent).
Regardless, it seems anon got a SQL dump, root on a web server and a ticket box, and a google apps admin account - these aren't the types of places marketable vulnerabilities are usually kept.
Anon got more than that. Anon got passwords that got reused. I would be shocked if they did not poke around the network more to see where those passwords would go, and (given that passwords were reused where they shouldn't have been) I would not be surprised if there were not some more interesting places that they got into.
Yes there are two pieces of uber-secret space alien technology Microsoft included in Windows at the behest of the NSA called "autorun" and "plug and play".
Well, there's a piece of Apple-championed technology, Firewire, which doesn't care what OS you're running because it has direct path to the DMA controller, and can read and write physical memory.
This is not true. OSX locks down the FireWire ports to protect system memory. I am not sure exactly how this works, but I believe it's firmware/driver dependent and Windows usually lacks the drivers to force the firmware into a protected mode. FireWire having direct access to the system RAM is not a requirement of the 1.0 spec; it's a stupid implementation decision by chip designers.
The best part of the article is the obvious sockpuppet in the comments. Same format I saw among many paid stock bashers: Buddy up with the emoticons, claim little, suggest a lot.
Wouldn't researching and discovering 0-day vulnerabilities be treading close to DMCA violations and/or cybercrime laws? I don't see why this information isn't causing Microsoft and/or the Government to go on the offensive legally against the likes of HBGary.
I can't speak to any cybercrime laws (I'm simply not familiar enough with them), but the DMCA 1) only applies to mechanisms which protect copyright, and 2) has very explicit exemptions for the purpose of security research, among other things.
I'm glad this whole thing has happened.