This isn’t the evidence you think it is. Pretty much every publicly discovered piece of high-end malware has a component designed to clean up and remove all evidence of its passing. It isn’t particularly difficult to do that 100% perfectly. In fact I’d even go so far as to say that if evidence was found, the simplest explanation would be that someone was trying to leave fake evidence to implicate someone else. This is squarely within the expected behavior of LARPing intelligence officers, and I believe there are public reports of intelligence agencies localizing their malware’s string tables into each others’ languages for just this reason.
I don’t think it was a software issue. I forget the document I was reading, but I vaguely remember hearing it reported that a hardware malfunction caused the cameras to fail. If it was a “bug” that turned the camera off at all I would have considered that suspicious, because it would probably be the easiest way of disabling a prison camera.
I completely disagree in general with your sentiment about computer forensics. It is very difficult to cover up evidence of a breach 100% perfectly. Of course, it’s not necessary to do so in most cases, because it’s usually much easier to let there be no investigation at all, but just covering your tracks by e.g. deleting and then shredding Windows log files is much less difficult than rigging your malware to remove all evidence of compromise, and removing all evidence of your removing evidence, etc. This isn’t really relevant because I’m not saying the NSA couldn’t do it, but the obvious methods that occur to regular software engineers or malware developers won’t fool the FBI. The first thing they do is check to see if there are suspicious gaps in records or event logs.
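The check the comment above describes, looking for suspicious gaps in event logs, is easy to show concretely. The following is an added example written for this thread, not code from any commenter: it runs over a constructed, simplified export of a Windows Security log (record ID, timestamp, event ID, message, pipe-separated; the format is an assumption for the example) and flags three things an investigator looks for: holes in the EventRecordID sequence, unusually long silences between consecutive events, and explicit log-cleared events (Windows event IDs 1102 for the Security log and 104 for the System log).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample export (not real data). One event per line:
# <EventRecordID>|<ISO timestamp>|<EventID>|<message>
# Records 1004-1006 are missing, there is a three-hour silence, and
# record 1008 is the Windows "audit log was cleared" event (ID 1102).
SAMPLE_LOG = """\
1001|2024-01-01T00:00:00|4624|An account was successfully logged on
1002|2024-01-01T00:05:00|4672|Special privileges assigned to new logon
1003|2024-01-01T00:10:00|4624|An account was successfully logged on
1007|2024-01-01T03:10:00|4624|An account was successfully logged on
1008|2024-01-01T03:12:00|1102|The audit log was cleared
1009|2024-01-01T03:15:00|4624|An account was successfully logged on
"""

# Real Windows event IDs that record a log being cleared:
# 1102 = Security log cleared, 104 = System log cleared.
LOG_CLEARED_EVENT_IDS = {1102, 104}


@dataclass
class Event:
    record_id: int
    timestamp: datetime
    event_id: int
    message: str


def parse_events(text: str) -> list[Event]:
    """Parse the assumed pipe-separated export, sorted by record ID."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rid, ts, eid, msg = line.split("|", 3)
        events.append(Event(int(rid), datetime.fromisoformat(ts), int(eid), msg))
    return sorted(events, key=lambda e: e.record_id)


def find_record_gaps(events: list[Event]) -> list[tuple[int, int, int]]:
    """Holes in the record ID sequence: (last seen, next seen, count missing).
    EventRecordID is assigned monotonically, so a hole means records were
    removed or the export is incomplete."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        missing = cur.record_id - prev.record_id - 1
        if missing > 0:
            gaps.append((prev.record_id, cur.record_id, missing))
    return gaps


def find_time_gaps(events: list[Event], max_gap: timedelta) -> list[tuple[datetime, datetime, timedelta]]:
    """Silences longer than max_gap between consecutive events."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        delta = cur.timestamp - prev.timestamp
        if delta > max_gap:
            gaps.append((prev.timestamp, cur.timestamp, delta))
    return gaps


def find_clear_events(events: list[Event]) -> list[int]:
    """Record IDs of events that say a log was cleared."""
    return [e.record_id for e in events if e.event_id in LOG_CLEARED_EVENT_IDS]


def analyze(text: str, max_gap: timedelta = timedelta(hours=1)) -> dict:
    """Run all three checks over an export and return the findings."""
    events = parse_events(text)
    return {
        "record_gaps": find_record_gaps(events),
        "time_gaps": find_time_gaps(events, max_gap),
        "log_cleared": find_clear_events(events),
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

The acceptable silence (`max_gap`) depends on the host; a busy domain controller logs every few seconds, while a quiet appliance may legitimately go hours without an event, so baseline the normal inter-event interval before treating a gap as a finding. The record-ID check is the stronger signal: it does not depend on timing at all.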
What I would find convincing is if there was a specific diagnosed hardware issue, which couldn’t be triggered by software at all, like one of the chips had a bad solder joint or there was a burnt insect lying across two contacts. I haven’t heard anything like that, though.
I completely disagree in general with your sentiment about computer forensics. It is very difficult to cover up evidence of a breach 100% perfectly.
I think you’re really overstating the difficulty. Especially in the context of a denial-of-service attack on a camera system, which really is easy mode: there’s no need for persistence, the storage is being continuously rewritten so there’s not much free space to worry about, and an approximately-identical copy of the whole security system can probably be bought from the same camera vendor to use as a testbed.
The best analogy I can make: Start with editing and submitting a spliced Zelda speedrun to speedrun.net before you say it’s easy to keep the FBI from uncovering pretty clear evidence of your DoS attack against CCTV inside a monitored internal network.