back to article 'NSA' hack okshun woz writ by Inglish speeker trieing to hyde

The perpetrator behind the dumping of tools penned by the probably-the-NSA hacking squad called"Equation Group" appears to be a native English speaker, according to linguistic data researcher Shlomo Argamon. Earlier this month some 300 files were circulated online purporting to be stolen from the Equation Group, which is …

  1. Anonymous Coward
    Anonymous Coward

    Shlomo......drug of choice in Mega City One

    your talkin oot ur harse Mr Argos

  2. Oengus
    Black Helicopters

    Snowden Mk2

    Motherboard cited unnamed NSA sources saying the work reeks of insiders, and that the neat documentation of the dumps suggests the caches were stolen from within the spy agency.

    Do we have another Edward Snowden in the making? I wonder if Snowden has a spare room in Russia...

  3. Sir Runcible Spoon
    Black Helicopters

    Sir

    I'm not sure about US English, but certainly for English English I've noticed that a lot of foreign nationals display a much firmer grasp of grammar and spelling than a considerable number of the natives.

    1. Swarthy

      Re: Sir

      From what I've picked up from British media (including Attack the Block and Ali G) I would guess that the native loose grasp of grammar is more than doubled for US English.

      However, from how it read in the article, the errors were not consistent with the errors of a non-native speaker. Most non-native errors arise from transliteration of thought (IE if you speak Russian as a native, and you think in Russian; your English sentences will follow Russian structure and, perhaps, Russian idiom). The errors that were analyzed did not conform to one particular set, and also used US idiomatic speech, but with errors introduced to seem like a foreign operation.

      Theory: the verbiage was generated by a US speaker who tried to use "Russian" dialog from US movies to misdirect attention. To a USAian this means it is Russian, but to one who studies language it is very much not.

      1. a_yank_lurker

        Re: Sir

        I have been rather suspicious of the knee-jerk reaction to blame the Russians, Chinese, NORKs, etc. That this is someone who speaks US English more or less natively does not surprise me at all. My guess is an insider who saw what happened to Snowdon and decided to cover his tracks as best he could. Probably using insider knowledge about how paranoid feral spookhauses are about the Russians, made it look like a Russian.

        If I remember correctly Russian does not have either the indefinite article (a/an) or the definite article (the) while many Western European languages do.

        1. Anonymous Coward
          Anonymous Coward

          The plot thickens!

          @ a_yank_lurker; "If I remember correctly Russian does not have either the indefinite article (a/an) or the definite article (the)"

          You are correct! This proves it cannot be a work of the Russian and it is a responsibility of us evil Westerners.

          By a way, I am the Yankee just like you. I have nothing to gain from pretending to be the foreigner!

          1. herman
            Devil

            Re: The plot thickens!

            "You correct! This proves cannot be work Russian and is responsibility us evil Westerners.

            By way, I am Yankee just like you. I has nothing gain from pretending be foreigner!"

            TFIFY!

        2. herman

          Re: Sir

          Yup, Slavs tend to speak English without 'a' and 'the', making it sound weirdly staccato.

          I was wearing a CCCP T-shirt to a party and the first thing my (now) wife told me was: "Where you get that shirt? You look like Russian athlete." She still speaks that way.

      2. Tail Up

        Товарищ,

        ваш комментарий заставил меня прочитать саму статью (-: Thanks.

    2. Alan Brown Silver badge

      Re: Sir

      WRT language structure, US/UK/NZ/AU/ZA idiom is one thing, but the idiom and structure of other versions of "native english" show clear influences of other regional languages.

      If you know what you're looking for this makes spotting the lads from Lagos pretty easy, but it's interesting that there's a fair overlap between them and eastern european english.

      The telling thing (as mentioned) was random grammatical errors. People tend to be consistent in their misapplication of structures - but the sentence specifically picked out is what I'd expect to see in southeast asian former colonies. :)

  4. Hollerithevo

    Rather fun if it was an inside job

    If it were, then money would probably be the spur, and what more American motivation could there be?

    1. Version 1.0 Silver badge

      Re: Rather fun if it was an inside job

      Exactly - they might simple be laundering their Bitcoins in preparation for something else.

  5. tiggity Silver badge

    assumptions?

    Why would there be auto correct errors in a script?

    Unlikely to be using a word processor for code.

    Do they know the code did not have multiple authors?

    I'm sure many people who have worked on multi author software know the feeling where, before you even see the style of the code below, from the way the comment describing the mod is structured you know who had added those lines of code.

    Using online translation tools to convert English back to English (via a couple of intervening languages) is a good way to get odd sentence structure that looks non native (though does sometimes need the odd obvious translation total fail fixing)

    Indeed, just using online tarnslate "legitimately" from non English language to English could give suitable junk.looking language.

  6. Dan 55 Silver badge

    Should have ran it through three or four languages on Google Translate

    Or, as Google Translate says, "He ran three or four languages translation from Google".

    1. Tom_

      Re: Should have ran it through three or four languages on Google Translate

      But then Google would have the original text and that might mean the NSA do too.

  7. Joe Harrison

    double bluff?

    If this guy thinks he can detect fake grammarisms then it would logically have been equally possible for the originator to be able to generate credible fakes to put people off the trail?

    When I worked for an international company with its HQ outside the UK we were quite good at mimicking other regions' use of English when responding to the many "employee surveys"

  8. Anonymous Coward
    Anonymous Coward

    Deer Hatter

    wa se'ro dae? u wan san bi-con? San bery Bee-con? En Ass Ay? wat? u Hat En Ass en wan san Bee-con? I cann ow'den stand wat u sat, tall two mei inn engrish,

  9. Cuddles

    Threat?

    "It continues that the Russians have taken the unprecedented action of dumping the contents publicly in a veiled threat to the NSA after the Democratic National Committee breach, which the US blames on Moscow."

    "Stop claiming we hacked you or we'll hack you some more. Also, here's some stuff we hacked from you."

    Apparently the threat is rather too veiled for me to understand. Demonstrating to the world that you've already done the thing you're threatening to do isn't generally how threats work, and doing the exact thing you're being accused of is not generally the best way get accusations to stop.

    1. P. Lee

      Re: Threat?

      >Apparently the threat is rather too veiled for me to understand.

      Something along the lines of expelling diplomats known *not* to be spies, to show you know exactly who the spies are and you aren't worried by them.

      I'm not bothered, its nice to see the NSA's bad behaviour proven and spoilt a bit. Chipping away at the public respect for those who are so lost in their games that they've forgotten what they are supposed to be protecting.

  10. Rick Shaw
    Megaphone

    Not Seemples

    Outcaught! Cock a whatup!

  11. Anonymous Coward
    Anonymous Coward

    The 'insider' theory

    One would presume there are logs kept of who accesses what files, so copying that repository could only be done by someone with a job related reason to do so. But does anyone have a job related reason to copy the ENTIRE repository? Perhaps not, but I doubt it would trigger any alerts as if you needed most of the files, it would be easier to copy the whole thing rather than pick and choose only the ones you need.

    Assuming someone can copy it, they'd have to copy it into some media they can bring in and sneak out. Snowden used a CD marked "Lady Gaga", but the question is: could a non sysadmin copy data on a CD, USB stick or SD card? One would hope their secure systems have no CD drive, the USB ports blocked up (or at least the drivers for the USB storage class removed) and no SD slot.

    However, some employees will have to copy data onto such devices as part of their work - how else to get it off the secure system onto the internet to be able to actually hack someone? So some employees must have a system available to them capable of writing to removable media. Since Snowden was able to sneak out a CD with little trouble, one would assume a USB stick or SD card would be even easier to smuggle in, especially if you didn't need to "smuggle" it because you are SUPPOSED to be removing it and if checked contains the files you are supposed to be taking to the outside world! (With maybe a little extra since you copied the whole thing, but that could be easily explained away in the unlikely event he was checked and that fact was noticed)

    I wonder how many people this would narrow it down to for the NSA security people who would try to track down the leaker? Hundreds? Thousands? The contents were several years out of date, which makes it more difficult - is that because the leaker no longer works at NSA, because they wanted you to think that, or because they wanted to leak the material (for whatever reason) but didn't want to risk ongoing operations by leaking the "latest and greatest" tools?

    1. Danny 2

      Re: The 'insider' theory

      Snowden used a CD marked "Lady Gaga"

      That was Manning.

      If you can get remote access to everything on a server then you can likely ammend the log files too. Various crypto gurus are already recommending we look to a post-cypto future where you assume you are hacked and concentrate on blocking exfiltration, either by DVD as you said or straight over the network.

      1. Anonymous Coward
        Anonymous Coward

        Re: The 'insider' theory

        Amending log files would require admin access though, which restricts it to a Snowden type. More to the point, if the logs are sent over the network to another machine or stored on write once / sequential media even admin access won't let you modify the logs.

        1. Sir Runcible Spoon

          Re: The 'insider' theory

          Suspend the logging process for the duration of the data copy, or even just change the destination IP of the log server for a few minutes while you do the deed.

          I'm sure there are other (cleverer) ways.

          1. Anonymous Coward
            Anonymous Coward

            Re: The 'insider' theory

            Your logging isn't worth much if you can suspend it without anyone becoming the wiser. There are plenty of ways to detect such a thing, which I would hope the NSA would be using.

            1. Sir Runcible Spoon
              Happy

              Re: The 'insider' theory

              "which I would hope the NSA would be using."

              That's a bit like saying you expect the banks to be using all the latest super-secure technologies etc.

        2. Danny 2

          Re: The 'insider' theory

          At one point it was part of my job to read log files to spot hacks. I must confess I am not sure I did it very well. My boss was better at it, but he always did it after the event. Once you know something has happened then it is relatively simple to look back for tell-tale signs. It was complicated by the fact we never got to choose what was logged, some invisible developer decided that months before without our input. So spotting it in real time requires pattern recognition skills that I doubt even Assange has. You stare at logs over and over and you can, sometimes, tell if something looks a bit different. If you are well slept and and not on 24 hour call out, and you didn't just have an argument with your girlfriend.

          I used to be stuck between a yearly battle between Belgian and Dutch hacking conventions. These genius idiots weren't actual criminals as such, but they were trying their best to take us down for lolz. It was bloody annoying, and I had the best of support. As soon as they jabbed us, we'd get a direct patch from MS or whoever and have to install it organisation wide. You know how Space Invaders gets annoying after an hour or four? It was very tempting just to leave work, go to the convention and spike their drinks with LSD.

        3. Joe Montana

          Re: The 'insider' theory

          Depends how hard it is to acquire admin privileges...

          On most windows based networks, simply being on the LAN is enough to very quickly get admin credentials with a moderate level of skill and publicly available tools.

          1. Surreal
            Big Brother

            Re: The 'insider' theory

            "Depends how hard it is to acquire admin privileges..."

            I expect an NSA insider with access to, or who coded some of these tools (the dreaded Nation-State-level threat) shouldn't have trouble elevating privs. (S)he might even just break out an exploit from the toolkit being auctioned and apply it.

            p.s. мое судно на воздушной подушке полно угрей

  12. Alistair
    Windows

    NSA budget cuts.

    Auctioning off old stock!

    Cheap bidding war!

    wat? Flag? there aint no flag?

    who me?

    Paranoid? cynical? naaaaaaaaaah.

  13. amanfromMars 1 Silver badge

    Hunt for Reds in Threads

    Argamon says the author's native tongue could be a Slavic language such as Russian or Polish, but that is far less likely than the writer is a native English speaker.

    One theory posited by NSA leaker Edward Snowden is that the authors are Russian spies who leaked the contents of a NSA command and control server they hacked in 2013.

    Any advance on a native English speaker Russian spy group?

    How about a hot renegade rogue and/or virile freelancing viral enterprise cell? One of those engaging non-state actor types just doing IT for kicks and kick backs/handsome ransom payments in return for stopping what one is doing or changing sides to play nice with new partners?

    Naked feudal feral capitalism working at its finest.

  14. Danny 2

    Short changed

    I don't know if this is true or not but a commentator on another website said ten million Cisco shares were shorted in the weeks leading up to this story. I know El Reg pokes around in technical details but there might be a story in following the money.

  15. Shadow Systems

    Hats off to Shlomo Argamon...

    He's truely a cunning linguist! =-D

    *Cough*

    I'll get my coat...

  16. Kratoklastes

    I hinted at much the same thing myself...

    In a comment on ZH - which is worth reprising here.

    ---------------------------------------------------

    Told ya (that the talent-rich phyles are starting to understand the relative merit of uncorking .gov).

    Is funny press release like written by Russian, da? Da.

    Is lucky we not step in it.

    The thing about national-level artificial monopolies - be they in 'justice', 'law enforcement', 'intelligence' - is that they are always <b>fragile</b> (in the NNT sense).

    Firstly, they are entirely populated by second-raters: everyone above GS5 is either a 'True Believer' (i.e., gullible as a newborn, and therefore easily soc-eng'd) or a careerist bullshit-artist (i.e., useless for anything except toadying towards superiors and taking credit for underlings' work). At the very top, everyone is employed/installed based on their proximity to that most vile of pseudo-humans - politicians.

    Secondly... think what it means when procurement is overseen by, and facilitated by, the types of people in 'firstly'. It means that tech procurement is done in an environment that contains nobody with the chops to evaluate the product.

    So everything is acquired by a 'proximity model' - people get contracts because they're linked to, e.g., Chertoff... and once they've had one contract whose flaws didn't get exploited on 0-day, they are at the trough forever.

    I fully support everything Snowden did after he left (except that he should have blasted half the entire corpus into cyberspace, and kept the other half as insurance, rather than installing 'curators' - be they never so well intentioned). But bear this right at the front of your mind: <strong>he is not that bright</strong>. Snowden was a high-school washout, and not because he was 'too smart to excel' (I know plenty of people who are like that, and he's not one of them). Yet he rose through the ranks of the alphabet soup agencies <strong>like a fucking boss</strong>.

    The security-theatre industry is not staffed with the 'best and brightest'. 'Mudge' - always a nappy in hacker circles - is one of .gov's best, and he's fucking useless. Mudge is the hacker equivalent of Dumb Shitbird (Domscheit-Berg) - someone who tried to coddle up to a genuine talent, then betrayed them the moment someone turned up with enough pieces of silver.

    Ask yourself who wants to work for NSA: they have to 'believe in the mission', which makes them obviously incapable of adult levels of cognition, let alone genuine talent.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like