GCHQ report on 'Mullenize' program to 'stain' anonymous electronic traffic (washingtonpost.com)
89 points by ethanhunt_ on Oct 4, 2013 | hide | past | favorite | 17 comments



There are no specific details of how they're staining. The two clues I can find:

- It's called "User Agent staining" - "Each stain is visible in passively collected SIGINT and is stamped into every packet, which enables all the events from that stained machine to be brought back together to recreate a browsing session."

I'm wondering if they're not staining the browser user-agent string itself, but somehow modifying another part of the browser fingerprint (e.g., any of the things listed at https://panopticlick.eff.org/index.php?action=log&js=yes). If it's in "every packet", it would have to be a piece of info that is always sent by the browser.


The plugin details seem easiest, but they say "packet" and not HTTP request, and not necessarily by a browser. Presuming they have compromised the machine, this staining will be affecting the network stack somehow, most likely at an IP level.


Yeah, while the Post seems to be talking about the user agent string, I don't think that's what they used; the Post just misinterpreted the document's use of the phrase User Agent to refer to the browser.


Indeed http://en.wikipedia.org/wiki/User_agent

Some slides on a way to do this: http://prezi.com/p5et9yawg2c6/ip-packet-staining/

Their solution was to re-route traffic to a package management device which clamps on a stain. IPv6 makes this easy; if the traffic is IPv4 they tunnel it inside IPv6 with the stain header in the Destination Options header.

Not sure how you would prevent this, besides the obvious answer (don't visit terrorist forums). JonDonym routing traffic through 3 mix servers might help so long as they don't stain your traffic at source by compromising your system. Making your own Tor bridge node is another solution to at least have some sort of safe entrance into the network. Seems they are unwilling to exploit relay nodes and bridges in the leaked slides.


and this naturally comes to mind:

https://tools.ietf.org/html/rfc3514


There are probably a lot of 0days that are judiciously used to exploit the browsers of people they're interested in, similar to the one used against the TBB a few months ago. This exploit probably just quietly modifies the UA string, appending something like a GUID. The victim then leaves a nice little Hansel & Gretel trail of breadcrumbs that can be picked up by GCHQ black box intercepts at POPs.


One of the documents from the Guardian released yesterday mentioned evercookie in one of the bulleted lists. If this is more "request" level than packet level, that could be the method they are using - http://en.wikipedia.org/wiki/Evercookie


It's most likely just an error in terminology. They likely mean request instead of packet as the user-agent isn't in every packet.

If it was packet level it would likely be in the IP headers; I don't imagine it would be that difficult to rewrite the packets with optional fields and then put a token in the optional headers.
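As an added, defender-side example (not code from this thread or from the linked slides): a small Python parser that walks an IPv6 Destination Options header, the place both the prezi slides above and the "optional headers" remark put a stain, and reports non-padding option TLVs or an IPv4 packet tunnelled inside IPv6. The option type 0x3e and the marker bytes are constructed placeholders, not real stain values.

```python
import struct

IPV6_DEST_OPTS = 60      # Next Header value of the Destination Options extension header
IPV4_IN_IPV6 = 4         # Next Header value for an IPv4 packet encapsulated in IPv6
PAD1, PADN = 0, 1        # the only option types a normal host is expected to carry

def parse_ipv6_dest_options(pkt: bytes):
    """Return (inner_next_header, [(option_type, option_data), ...]) for an IPv6
    packet whose first extension header is Destination Options, else None."""
    if len(pkt) < 42 or pkt[0] >> 4 != 6:
        return None
    payload_len, next_hdr = struct.unpack("!HB", pkt[4:7])
    if next_hdr != IPV6_DEST_OPTS:
        return None
    ext = pkt[40:40 + (pkt[41] + 1) * 8]    # Hdr Ext Len counts 8-octet units after the first
    inner_next, opts = ext[0], ext[2:]
    found, i = [], 0
    while i < len(opts):
        otype = opts[i]
        if otype == PAD1:                   # Pad1 is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts):              # truncated TLV: stop rather than over-read
            break
        olen = opts[i + 1]
        if otype != PADN:                   # keep everything that is not pure padding
            found.append((otype, opts[i + 2:i + 2 + olen]))
        i += 2 + olen
    return inner_next, found

def stain_indicators(pkt: bytes):
    """Defender-side check: reasons this packet looks like it carries an injected
    marker (unexpected option TLVs, or IPv4 tunnelled inside IPv6 behind them)."""
    parsed = parse_ipv6_dest_options(pkt)
    if parsed is None:
        return []
    inner_next, opts = parsed
    reasons = [f"non-padding destination option type 0x{t:02x} ({len(d)} bytes)" for t, d in opts]
    if inner_next == IPV4_IN_IPV6:
        reasons.append("IPv4 encapsulated inside IPv6 after the options header")
    return reasons

# Constructed sample packet: IPv6 header -> Destination Options (hypothetical option
# type 0x3e carrying an 8-byte marker, then PadN) -> encapsulated IPv4 (Next Header 4).
MARKER = bytes.fromhex("deadbeefcafef00d")                    # constructed, not a real stain
_opts = bytes([0x3e, len(MARKER)]) + MARKER + bytes([PADN, 2, 0, 0])
_ext = bytes([IPV4_IN_IPV6, (2 + len(_opts)) // 8 - 1]) + _opts   # 16 bytes, Hdr Ext Len = 1
SAMPLE_PKT = (struct.pack("!IHBB", 0x60000000, len(_ext), IPV6_DEST_OPTS, 64)
              + bytes(16) + bytes(16) + _ext)                 # src/dst left as :: for brevity
```

Run `stain_indicators(SAMPLE_PKT)` to get the two findings; a plain IPv6/TCP packet yields an empty list.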


It baffles me that the Post and Guardian decided to release this on a Friday.


For several days Jacob Appelbaum has been complaining that the Guardian has been sitting on articles about Tor at the request of intelligence agencies.

You could speculate here that their response to his public pressure was to release with additional redaction and on a Friday. ::shrugs::


The UK is a terrible place for challenging anything potentially remotely conceivable as a national security concern in journalism. I think Assange said it has the highest concurrent number of active media gag orders of any nation.


Is that significant? I'm honestly curious; I'm not sure what being released on a Friday means as opposed to some other day. Do people pay less attention to Friday news?


Regarding the mainstream news cycle and from a PR perspective, you want bad news to come out late Friday to minimize exposure. The typical audience is ready for the weekend and paying less attention. Also staff journalists tend to be off which leaves a weekend crew to man the ship---they're less experienced and have fewer resources available. Since you're likely not going to be pressed for a comment until Monday, the extra days might mean the public outrage subsides by then, or another news story becomes more important.

A lot of bad news comes out late Friday, government reports, financials, etc. It's obvious that the Washington Post was sitting on this particular story and decided to post it only after today's Guardian reports. WaPo has done it quite a lot since the leaks came out, either they aren't particularly interested in breaking these stories, or they're abiding by an earlier deal with Snowden since they wouldn't agree to his release timeline.


I think more telling than this disclosure is a reader's reaction to it:

  > Why is the WaPo obsessed to publish every secret it can?
  > If we are going to be kept safe from terrorists, then
  > some techniques need to stay secret. However, I expect
  > the WaPo would be the first to run articles wondering
  > why something gets blown up, after those who would kill
  > us, now can plot and organize without fear of being
  > caught. Shame on you.

The fact that endpoint attacks are occurring should be obvious to anyone understanding the motivations and capabilities of the agencies. What is not obvious is that the general public fail to understand where this trend leads. They also don't understand how far it has already progressed.


The commenter you cite certainly doesn't articulate it very well - his comment is pretty knee-jerk with a healthy dose of fear mongering. There is a reasonable argument buried in there, though (I think). From a civil liberties point of view, it matters a lot more to convey to the public an understanding of who and why they're targeting rather than how. Here's a hypothetical, admittedly contrived analogy:

We've all seen crime movies where the criminal calls the police from an unknown location to make their demands and state what horrible outcome will occur if their demands aren't met. They're using the communication method to hide their location and (sometimes) identity. The police immediately flip on their call tracing device which starts counting down the time it takes to identify the caller's location. The criminal mastermind always hangs up with 2 seconds left on the clock because he knows it takes exactly N seconds to trace the call, for whichever value of N the scriptwriter chose. Fast forward a few years and our hypothetical police department now has access to technology that allows them to trace phone calls instantly. Until the criminals find out about it, they'll continue to call in and make their demands, giving away their location and enabling the protagonist to jump in and save the hostage or defuse the bomb or whatever. When the knowledge becomes widespread that phone calls are instantly traceable, the criminals start conveying their demands through some other non-traceable means. The advantage moves from the side working to protect the public over to the side working to harm it.

The only people it would benefit to have outside knowledge of this technology are the ones being targeted by it. It doesn't matter to the general public how the police are getting their information, only that it's being used solely against legitimate targets. What the public needs to know is that independent review is being conducted to ensure the technology isn't abused and turned against them, and to be immediately informed if it ever is. Showing the public the police department's sources and methods in my hypothetical example had the net effect of making the public less safe. In real life, if it turns out that the NSA is establishing a huge Orwellian surveillance network for nefarious purposes then the public needs to see real examples - politicians being blackmailed, backdoor financial manipulation, ordinary people being threatened and coerced, etc. That would enable the public to stand up and take action against the NSA; if the public can't get their elected government officials to stop overt abuse, that's when a leak of sources and methods would be justified so that the public can protect itself. If it turns out that the NSA has been using its technology to collect against legitimate foreign intelligence targets, then the public hasn't benefitted at all from finding out how the NSA collects against its targets.

Personally, I prefer the solution mentioned recently on the EFF website [1] - establish independent oversight panels with both the legal and technical expertise to identify abuse and either stop it or notify the public.

[1] https://www.eff.org/deeplinks/2013/10/47-prominent-technolog...


"[redacted] mechanism that leverages GCHQ's huge passive SIGINT access to deliver CNE payloads to targets."

It doesn't sound very passive, if they are delivering content to target machines through this. If we are discussing "evercookie", this would mean they could have the capability to modify HTTP traffic and inject "evercookie code" into it. If they do have the capability to do this, it would sound more feasible than actually owning the target machines and using rootkits/malware to deliver things.


From a security operations perspective... if this is simply causing unique markers to be placed on the end user systems, then looking for these to appear in the clear... it's nothing new, really. Still rather cool, but not new or ground breaking.
