Binary Options Signals: November 2013

Video Encoding in Simple Terms

Video Encoding in Simple Terms
Nowadays, it is difficult to imagine a field of human activity, in which, in one way or another, digital video has not entered. We watch it on TV, mobile devices, and stationary computers; we record it with digital cameras ourselves, or we encounter it on the roads (unpleasant, but true), in stores, hospitals, schools and universities, and in industrial enterprises of various profiles. As a consequence, words and terms that are directly related to the digital representation of video information are becoming more firmly and widely embedded in our lives. From time to time, questions arise in this area. What are the differences between various devices or programs that we use to encode/ decode digital video data, and what do they do? Which of these devices/ programs are better or worse, and in which aspects? What do all these endless MPEG-2, H.264 / AVC, VP9, H.265 / HEVC, etc. mean? Let’s try to understand.

A very brief historical reference

The first generally accepted video compression standard MPEG-2 was finally adopted in 1996, after which a rapid development of digital satellite television began. The next standard was MPEG-4 part 10 (H.264 / AVC), which provides twice the degree of video data compression. It was adopted in 2003, which led to the development of DVB-T/ C systems, Internet TV and the emergence of a variety of video sharing and video communication services. From 2010 to 2013, the Joint Collaborative Team on Video Coding (JCT-VC) was intensively working to create the next video compression standard, which was called High Efficient Video Coding (HEVC) by the developers; it ensured the following twofold increase in the compression ratio of digital video data. This standard was approved in 2013. That same year, the VP9 standard, developed by Google, was adopted, which was supposed to not yield to HEVC in its degree of video data compression.

Basic stages of video encoding

There are a few simple ideas at the core of algorithms for video data compression. If we take some part of an image (in the MPEG-2 and AVC standards this part is called a macroblock), then there is a big possibility that, near this segment in this frame or in neighboring frames, there will be a segment containing a similar image, which differs little in pixel intensity values. Thus, to transmit information about the image in the current segment, it is enough to only transfer its difference from the previously encoded similar segment. The process of finding similar segments among previously encoded images is called Prediction. A set of difference values that determine the difference between the current segment and the found prediction is called the Residual. Here we can distinguish two main types of prediction. In the first one, the Prediction values represent a set of linear combinations of pixels adjacent to the current image segment on the left and on the top. This type of prediction is called Intra Prediction. In the second one, linear combinations of pixels of similar image segments from previously encoded frames are used as prediction (these frames are called Reference). This type of prediction is called Inter Prediction. To restore the image of the current segment, encoded with Inter prediction, when decoding, it is necessary to have information about not only the Residual, but also the frame number, where a similar segment is located, and the coordinates of this segment.
Residual values obtained during prediction obviously contain, on average, less information than the original image and, therefore, require a fewer quantity of bits for image transmission. To further increase the degree of compression of video data in video coding systems, some spectral transformation is used. Typically, this is Fourier cosine transform. Such transformation allows us to select the fundamental harmonics in two-dimensional Residual signal. Such a selection is made at the next stage of coding — quantization. The sequence of quantized spectral coefficients contains a small number of main, large values. The remaining values are very likely to be zero. As a result, the amount of information contained in quantized spectral coefficients is significantly (dozens of times) lower than in the original image.
In the next stage of coding, the obtained set of quantized spectral coefficients, accompanied by the information necessary for performing prediction when decoding, is subjected to entropy coding. The bottom line here is to align the most common values of the encoded stream with the shortest codeword (containing the smallest number of bits). The best compression ratio (close to theoretically achievable) at this stage is provided by arithmetic coding algorithms, which are mainly used in modern video compression systems.
From the above, the main factors affecting the effectiveness of a particular video compression system become apparent. First of all, these are, of course, the factors that determine the effectiveness of the Intra and Inter Predictions. The second set of factors is related to the orthogonal transformation and quantization, which selects the fundamental harmonics in the Residual signal. The third one is determined by the volume and compactness of the representation of additional information accompanying Residual and necessary for making predictions, that is, calculating Prediction, in the decoder. Finally, the fourth set has the factors that determine the effectiveness of the final stage- entropy coding.
Let’s illustrate some possible options (far from all) of the implementation of the coding stages listed above, on the example of H.264 / AVC and HEVC.

AVC Standard

In the AVC standard, the basic structural unit of the image is a macroblock — a square area of 16x16 pixels (Figure 1). When searching for the best possible prediction, the encoder can select one of several options of partitioning each macroblock. With Intra-prediction, there are three options: perform a prediction for the entire block as a whole, break the macroblock into four square blocks of 8x8 size, or into 16 blocks with a size of 4x4 pixels, and perform a prediction for each such block independently. The number of possible options of macroblock partitioning under Inter-prediction is much richer (Figure 1), which provides adaptation of the size and position of the predicted blocks to the position and shape of the object boundaries moving in the video frame.
Fig 1. Macroblocks in AVC and possible partitioning when using Inter-Prediction.
In AVC, pixel values from the column to the left of the predicted block and the row of pixels immediately above it are used for Intra prediction (Figure 2). For blocks of sizes 4x4 and 8x8, 9 methods of prediction are used. In a prediction called DC, all calculated pixels have a single value equal to the arithmetic average of the “neighbor pixels” highlighted in Fig. 2 with a bold line. In other modes, “angular” prediction is performed. In this case, the values of the “neighbor pixels” are placed inside the predicted block in the directions indicated in Fig. 2.
In the event that the predicted pixel gets between “neighbor pixels”, when moving in a given direction, an interpolated value is used for the prediction. For blocks with a size of 16x16 pixels, 4 methods of prediction are used. One of them is the DC-prediction, which was already reviewed. The other two correspond to the “angular” methods, with the directions of prediction 0 and 1. Finally, the fourth — Plane-prediction: the values of the predicted pixels are determined by the equation of the plane. The angular coefficients of the equation are determined by the values of the “neighboring pixels”.
Fig 2. “Neighboring pixels” and angular modes of Intra-Prediction in AVC
Inter- Prediction in AVC can be implemented in one of two ways. Each of these options determines the type of macroblock (P or B). As a prediction of pixel values in P-blocks (Predictive-blocks), the values of pixels from the area located on the previously coded (reference) image, are used. Reference images are not deleted from the RAM buffer, containing decoded frames (decoded picture buffer, or DPB), as long as they are needed for Inter-prediction. A reference list is created in the DPB from the indexes of these images.
The encoder signals to the decoder about the number of the reference image in the list and about the offset of the area used for prediction, with respect to the position of predicted block (this displacement is called motion vector). The offset can be determined with an accuracy of ¼ pixel. In case of prediction with non-integer offset, interpolation is performed. Different blocks in one image can be predicted by areas located on different reference images.
In the second option of Inter Prediction, prediction of the B-block pixel values (bi-predictive block), two reference images are used; their indexes are placed in two lists (list0 and list1) in the DPB. The two indexes of reference images in the lists and two offsets, that determine positions of reference areas, are transmitted to the decoder. The B-block pixel values are calculated as a linear combination of pixel values from the reference areas. For non-integer offsets, interpolation of reference image is used.
As already mentioned, after predicting the values of the encoded block and calculating the Residual signal, the next coding step is spectral transformation. In AVC, there are several options for orthogonal transformations of the Residual signal. When Intra-prediction of a whole macroblock with a size of 16x16 is implemented, the residual signal is divided into 4x4 pixel blocks; each of them is subjected to an integer analog of discrete two-dimensional 4x4 cosine Fourier transform.
The resulting spectral components, corresponding to zero frequency (DC) in each block, are then subjected to additional orthogonal Walsh-Hadamard transform. With Inter-prediction, the Residual signal is divided into blocks of 4x4 pixels or 8x8 pixels. Each block is then subjected to a 4x4 or 8x8 (respectively) two-dimensional discrete cosine Fourier Transform (DCT, from Discrete Cosine Transform).
In the next step, spectral coefficients are subjected to the quantization procedure. This leads to a decrease in bit capacity of digits representing the spectral sample values, and to a significant increase in the number of samples having zero values. These effects provide compression, i.e. reduce the number and bit capacity of digits representing the encoded image. The reverse side of quantization is the distortion of the encoded image. It is clear that the larger the quantization step, the greater is the compression ratio, but also the distortion is greater.
The final stage of encoding in AVC is entropy coding, implemented by the algorithms of Context Adaptive Binary Arithmetic Coding. This stage provides additional compression of video data without distortion in the encoded image.

Ten years later. HEVC standard: what’s new?

The new H.265/HEVC standard is the development of methods and algorithms for compressing video data embedded in H.264/AVC. Let’s briefly review the main differences.
An analog of a macroblock in HEVC is the Coding Unit (CU). Within each block, areas for calculation of Prediction are selected — Prediction Unit (PU). Each CU also specifies the limits within which the areas for calculating the discrete orthogonal transformation from the residual signal are selected. These areas are called the Transform Unit (TU).
The main distinguishing feature of HEVC here is that the split of a video frame into CU is conducted adaptively, so that it is possible to adjust the CU boundaries to the boundaries of objects on the image (Figure 3). Such adaptability allows to achieve an exceptionally high quality of prediction and, as a consequence, a low level of the residual signal.
An undoubted advantage of such an adaptive approach to frame division into blocks is also an extremely compact description of the partition structure. For the entire video sequence, the maximum and minimum possible CU sizes are set (for example, 64x64 is the maximum possible CU, 8x8 is the minimum). The entire frame is covered with the maximum possible CUs, left to right, top-to-bottom.
It is obvious that, for such coverage, transmission of any information is not required. If partition is required within any CU, then this is indicated by a single flag (Split Flag). If this flag is set to 1, then this CU is divided into 4 CUs (with a maximum CU size of 64x64, after partitioning we get 4 CUs of size 32x32 each).
For each of the CUs received, a Split Flag value of 0 or 1 can, in turn, be transmitted. In the latter case, this CU is again divided into 4 CUs of smaller size. The process continues recursively until the Split Flag of all received CUs is equal to 0 or until the minimum possible CU size is reached. Inserted CUs thus form a quad tree (Coding Tree Units, CTU). As already mentioned, within each CU, areas for calculating prediction- Prediction Units (PU) are selected. With Intra Prediction, the CU area can coincide with the PU (2Nx2N mode) or it can be divided into 4 square PUs of twice smaller size (NxN mode, available only for CU of minimum size). With Inter Prediction, there are eight possible options for partitioning each CU into PUs (Figure 3).
Fig.3 Video frame partitioning into CUs is conducted adaptively
The idea of spatial prediction in HEVC remained the same as in AVC. Linear combinations of neighboring pixel values, adjacent to the block on the left and above, are used as predicted sample values in the PU block. However, the set of methods for spatial prediction in HEVC has become significantly richer. In addition to Planar (analogue to Plane in AVC) and DC methods, each PU can be predicted by one of the 33 ways of “angular” prediction. That is, the number of ways, in which the values are calculated by “neighbor”-pixels, is increased by 4 times.
Fig. 4. Possible partitioning of the Coding Unit into Prediction Units with the spatial (Intra) and temporary (Inter) CU prediction modes
We can point out two main differences of Inter- prediction between HEVC and AVC. Firstly, HEVC uses better interpolation filters (with a longer impulse response) when calculating reference images with non-integer offset. The second difference concerns the way the information about the reference area, required by the decoder for performing the prediction, is presented. In HEVC, a “merge mode” is introduced, where different PUs, with the same offsets of reference areas, are combined. For the entire combined area, information about motion (motion vector) is transmitted in the stream once, which allows a significant reduction in the amount of information transmitted.
In HEVC, the size of the discrete two-dimensional transformation, to which the Residual signal is subjected, is determined by the size of the square area called the Transform Unit (TU). Each CU is the root of the TU quad tree. Thus, the TU of the upper level coincides with the CU. The root TU can be divided into 4 parts of half the size, each of which, in turn, is a TU and can be further divided.
The size of discrete transformation is determined by the TU size of the lower level. In HEVC, transforms for blocks of 4 sizes are defined: 4x4, 8x8, 16x16, and 32x32. These transformations are integer analogs of the discrete two-dimensional Fourier cosine transform of corresponding size. For size 4x4 TU with Intra-prediction, there is also a separate discrete transformation, which is an integer analogue of the discrete sine Fourier transform.
The ideas of the procedure of quantizing spectral coefficients of Residual signal, and also entropy coding in AVC and in HEVC, are practically identical.
Let’s note one more point which was not mentioned before. The quality of decoded images and the degree of video data compression are influenced significantly by post-filtering, which decoded images with Inter-prediction undergo before they are placed in the DPB.
In AVC, there is one kind of such filtering — deblocking filter. Application of this filter reduces the block effect resulting from quantization of spectral coefficients after orthogonal transformation of Residual signal.
In HEVC, a similar deblocking filter is used. Besides, an additional non-linear filtering procedure called the Sample Adaptive Offset (SAO) exists. Based on the analysis of pixel value distribution during encoding, a table of corrective offsets, added to the values of a part of CU pixels during decoding, is determined.
In HEVC, the size of the discrete two-dimensional transformation, to which the Residual signal is subjected, is determined by the size of the square area called the Transform Unit (TU). Each CU is the quad-tree of TU’s. Thus, the TU of the upper level coincides with the CU. The root TU can be divided into 4 parts of half the size, each of which, in turn, is a TU and can be further divided.
The size of discrete transformation is determined by the TU size of the lower level. There are four transform block sizes in HEVC: 4x4, 8x8, 16x16, and 32x32. These transforms are discrete two-dimensional Fourier cosine transform of corresponding size. For 4x4 Intra-predicted blocks, could be used another discrete transform — sine Fourier transform.
The quantization of spectral coefficients of residual signal, and entropy coding in AVC and in HEVC, are almost identical.
Let’s note one more point which was not mentioned before. The quality of decoded images, hence the degree of video data compression, is influenced significantly by post-filtering, which applied on decoded Inter-predicted images before they are placed in the DPB.
In AVC, there is one kind of such filtering — deblocking filter. It masking blocking artifacts effect originating from spectral coefficients quantization after orthogonal transformation of residual signal.
In HEVC, a similar deblocking filter is used. Besides, an additional non-linear filtering procedure called the Sample Adaptive Offset (SAO) exists. Sample level correction is based either on local neighborhood or on the intensity level of sample itself. Table of sample level corrections, added to the values of a part of CU pixels during decoding, is determined.

And what is the result?

Figures 4–7 show the results of encoding of several high-resolution (HD) video sequences by two encoders. One of the encoders compresses the video data in the H.265/HEVC standard (marked as HM on all the graphs), and the second one is in the H.264/AVC standard.
Fig. 5. Encoding results of the video sequence Aspen (1920x1080 30 frames per second)
Fig. 6. Encoding results of the video sequence BlueSky (1920x1080 25 frames per second)
Fig. 7. Encoding results of the video sequence PeopleOnStreet (1920x1080 30 frames per second)
Fig. 8. Encoding results of the video sequence Traffic (1920x1080 30 frames per second)
Coding was performed at different quantization values of spectral coefficients, hence with different levels of video image distortion. The results are presented in Bitrate (mbps) — PSNR(dB) coordinates. PSNR values characterize the degree of distortion.
On average, it can be stated that the PSNR range below 36 dB corresponds to a high level of distortion, i.e. low quality video images. The range of 36 to 40 dB corresponds to the average quality. With PSNR values above 40 dB, we can call it a high video quality.
We can roughly estimate the compression ratio provided by the encoding systems. In the medium quality area, the bit rate provided by the HEVC encoder is about 1.5 times less than the bit rate of the AVC encoder. Bitrate of an uncompressed video stream is easily determined as the product of the number of pixels in each video frame (1920 x 1080) by the number of bits required to represent each pixel (8 + 2 + 2 = 12), and the number of frames per second (30).
As a result, we get about 750 Mbps. It can be seen from the graphs that, in the area of average quality, the AVC encoder provides a bit rate of about 10–12 Mbit/s. Thus, the degree of video information compression is about 60–75 times. As already mentioned, the HEVC encoder provides compression ratio 1.5 times higher.

About the author

Oleg Ponomarev, 16 years in video encoding and signal digital processing, expert in Statistical Radiophysics, Radio waves propagation. Assistant Professor, PhD at Tomsk State University, Radiophysics department. Head of Elecard Research Lab.
submitted by VideoCompressionGuru to u/VideoCompressionGuru [link] [comments]

[Megathread] XMG FUSION 15 (with Intel)


On September 6 at IFA, press released their first reports about our collaboration project with Intel: XMG FUSION 15.
Community Links:

Press Links:

Video Links:

The following key facts have already been revealed:
Prices and availability will be announced on September 17. → Countdown to xmg.gg
Teaser Trailer on YouTube: XMG FUSION 15 Laptop | A Design Collaboration with Intel
We look forward to your questions and your feedback!

XMG FUSION 15 - FREQUENTLY ASKED QUESTIONS (FAQ)

This FAQ represents Q&A's over the last few days here. Fellow redditor u/iterateandgit was so kind to help me putting this document together. Big shout out to him please! The FAQ will be further extended over the coming days and weeks. Please keep the questions coming!

Sales, Shipping, Warranty


Q: Are you going to sell this on Amazon in the EU?
A: We are working on getting the product up and running on Amazon. But our own BTO shop at www.bestware.com will always be our primary sales channel and will be the only one where you can customize and configure memory, storage, OS, extend your warranty and pick other options.

Q: Do you offer student discounts or other sales compaigns like black friday?
A: In general, we don't offer student discounts. Sales campaigns are planned just in time, depending on stock level and cannot be announced early. If you want to keep up to date about sales campaigns, please subscribe to our newsletter.

Q: Do you ship to the UK? Can I pay in GBP?
A: We ship to the UK - the pricing will be in EUR, so your bank will do the conversion. Warranty services will be available from UK, shipping to Germany. Currently, in the single markets, these resturn shipments are free for the end-user. In the worst case there might be additional customs fees for shipping.

Q: What warranty options do you offer?
A: All our laptops come with 2 year warranty. Warranty repairs in the first 6 months are promised to be done within 48 hours (+shipping). Both the "instant repair" service and the warranty itself can be extended to up to 3 years.

Q: Do you sell outside of Europe?
A: We are able to ship anywhere, but warranty for customers outside the region would always involve additional customs cost and paperwork for sending the laptop back to Germany in the rare event of an RMA. There is currently no agreement to let other Local OEMs (like Eluktronics in the US) carry the warranty for XMG customers and vice-versa. Some parts are customized (in our case the LCD lid and the keyboard) and it won't be easy to agree on how to share handling fees etc. - so I wouldn't expect a global warranty anytime soon.


Hardware, Specs, Thermals


Q: What is the difference between XMG FUSION 15 and other laptops based on Intel's reference design?
A: The hardware of the barebone will be identical. Other Local OEMs might use different parts for RAM and SSDs. Our branding and service/warranty options might be different. We apply our own set of performance profiles in the Control Center. This will rebalance the differentiation between Silent, Balanced and Enthusiast modes.

Q: What is the TGP of the NVIDIA RTX 2070 Max-Q?
A: Officially, it is 80W in Balanced profile and 90W in Enthusiast profile. You can toggle between these modes in real-time with a dedicated mode switch button. Inofficially, the TGP can go up to 115W in Enthusiast profile thanks to the Overboost mechanic, working in the background. However, those 115W may only be sustained until the system has reached thermal saturation, i.e. when the GPU is approaching the GPU Temperature Target of 75°C.

Q: Can I upgrade the storage and memory after I buy?
A: On storage: The laptop has two m.2 PCI-Express SSD slots. This will give you currently up to 4 TB of SSD storage. There is no 2.5" HDD slot available. Instead, the battery is enlarged to 93.48Wh. You can see pictures of the interior layouts here, here and here.
On memory: the laptop has two SO-DIMM DDR4 memory sockets. You can chose during BTO configuration, if you want to occupy both of them when you order the product. We recommend running the laptop in Dual Channel for high-performance usage.

Q: How easy is to upgrade and repair this laptop?
A: Here are the key facts:
We would give this a solid 8 out of 10 which is pretty high for such a thin&light design. The 2 remaining points are substracted for BGA CPU and GPU, which is unfortunately unavoidable in such a thin design.

Q: Does it support Windows Hello?
A: A Fingerprint-Reader is not available, but the HD webcam comes with Infrared and supports Windows Hello.

Q: Can I get a smaller, lighter charger for this laptop?
A: XMG FUSION 15 requires a 230W power adaptor to provide full performance. If you max out CPU and GPU with furmark and prime, the 230W adapter will be fully utilized.
There are currently two compatible 230W adapters. They have different dimensions but similar weight. Please refer to this comparison table:
XMG FUSION 15 Power Supply Comparsion Table (Google Drive)
Includes shop links. Will be updated with precise weight numbers in the next few days. I also included 120W, 150W and 180W in this table. They all share the same plug (5.5/2.5,, diameter, 12.5mm length). But 120W and 150W are only rated for 19V but the laptop expect 19.5V. Usually this will be compensated by tolerance but we haven't tested how a system would behave under long-term usage with such an adaptor.
In theory, 120W to 180W are enough for charing the laptop and for browsing/web/media. Even a full CPU stress test could easily be handled. But as soon as you use CPU and GPU together, you'll run into the bottleneck and your performance will be reduced.
Comparison pictures:
These 5 pictures show only the relevant 230W chargers.
Again, the weight is about the same.

Q: Is it possible to boot and run the laptop while the lid is kept closed?
A: Closing the lid under load is not recommended because it will limit the airflow and have a bad effect on keyboard and screen. The laptop likes to take air in from the keycaps. With lid closed, the performance might be limited due to reaching temp targets earlier.

Q: Can I get the laptop without the XMG logo? I will be using it in public presentations and I would not like any brand names visible.
A: We cannot ship without XMG logo, but you can use a dbrand skins to cover our logo. We have not yet decided if we want to invest into integrating XMG FUSION 15 into the dbrand shop. But you can already buy 100% compatible skins by using the page of the Eluktronics MAG-15 at dbrand. The chassis dimensions are exactly the same. Please be aware: you have to manually select the option "No Logo Cutout" if you want to buy these skins for your XMG FUSION 15. According to dbrand, there will be most likely no import fees when ordering from the EU as long as the order is below 100€. Check this thread for details.

Q: Will you offer thermal paste upgrades like Thermal Grizzly Kryonaut or Liquid Metal?
A: Our ODMs are using silicon-based, high-performance thermal compund from international manufacturers like Shin-Etsu (Japan) and M.G. (USA). Intel is using MG-860 in this reference design.
These products are used in the industrial sector, so they have no publicly known brand name. Nevertheless, their high thermal conductivity and guaranteed durability provide optimal and long-lasting cooling of your high-performance laptop. The thermal compounds are applied and sealed automatically by the vendor of the thermal components. They are applied in a highly controlled, standardized manner and provide the best balance of thermal performance, production tolerance and product lifetime.
We are considering offering an upgrade to Thermal Grizzly Kryonaut due to popular demand. Will keep you posted on that.

Q: Could you please provide an estimate for how much regular usage (~10 browser tabs + some IDE) battery backup would this have? Will there be any way to trade-off battery backup with performance?
A: Battery life vs. peak performance can be traded off by using the "Silent" performance profile. You can switch between profiles using a dedicated button on the machine. Your scenario (10 tabs + some IDE) sounds like mostly reading and writing. I would estimate to get at least 7 hours of solid battery life in such a scenario, maybe more. We have achieved 8 hours in 1080p Youtube streaming on WiFi with 50% screen brightness. Adblock and NoScript helps to keep your idle browser tabs in check.


I/O Ports, Peripherals


Q: Why are there not more USB-A 3.1 Gen2 or even USB 3.2 Gen2x2 ports?
A: USB-A 3.1 Gen1 is basically the same as USB 3.0. There aren't a lot of USB-A devices that support more than USB 3.0 speed. Faster devices typically use USB-C connectors and can be used on Thunderbolt 3, which is down-compatible to USB-C 3.1 Gen2. One of the USB-A ports actually supports Gen2 speed.
For the following remarks, please keep in mind that I am not an Intel rep, so everything is based on our own experience.
The mainboard design and the I/O port decisions have been made by Intel. Feedback and requests from LOEM customers have been taken into consideration. We would assume that USB 3.2. Gen2x2 (20 Gbit/s) was not considered to be important enough to safe space for 3rd party IC (integrated circuits) on the motherboard. Right now, all the USB ports and Thunderbolts are supplied by Intel's own IC, so they have full control over the hardware, firmware and driver stack and over power saving and performance control. The more IC you add, the higher your Idle power consumption will be, plus adding potential compatibility or speed issues as it often happens with 1st generation 3rd party USB implementations. I very well remember from my own experience the support stories during the first years of USB 3.0, before it was supported in the Intel chipset. On the one hand, Intel is aiming high in terms of performance and convenience, on the other hand: support and reliability still seem to be Intel's goal #1. Thus they seem to play it safe where they deem it to be reasonable.
Intel is gearing up for USB 4.0 and next-gen Thunderbolt. USB 3.2 2x2 is probably treated as little more than a roadmap accident. Peripheral vendors might see it the same way.

Q: Do you support charging over USB-C/Thunderbolt? Does it support docking stations?
A: The Thunderbolt 3 port in Intel's reference design does not support charging. As you probably know, the 100W limit would not be enough to power the whole system and it would make the mainboard more complex to combine two different ways of charging. Intel consciously opted against it and will probably do so again on future high-end gaming/studio models.
The USB-C/Thunderbolt port supports Dual-Link DisplayPort signals, directly connected to the NVIDIA Graphics. This makes proper docking station usage very convenient. The user still needs to connect the external power adaptor. Both ports (Thunderbolt and DC-in) are in the back of the laptop, making the whole setup appear very neat on the desk.

Q: How many PCIe lanes does the Thunderbolt 3 provide? Are they connected to CPU or Chipset?
A: XMG FUSION 15 supports Thunderbolt 3 with 4 lanes of PCIe 3.0. The lanes come from the chipset because all of the CPU lanes (x16) are fully occupied by the dedicated NVIDIA graphics. We are not aware of any side-effects of running Thunderbolt from the chipset. It is common practice for high-end laptops with high-end graphics. The Thunderbolt solution is of course fully validated and certified by Intel's Thunderbolt labs.

Q: Does it have a standby USB to power USB devices without turning on the laptop?
A: Yes, the USB-A port on the left side supports this feature.


LCD Screen


Q: Which LCD panel is being used? Are there plans for 1440p or 4K panels in the laptop? How about PWM flickering?
A: The panel is BOE NV156FHM-N4G. It is currently not known if the panel will change in later batches. This depends on logistics and stock. At any rate, the panel key specs will remain the same. There are currently no plans to offer resolutions above FHD in the current generation of this laptop.
There are very wide ranges on reports of Backlight Brightness PWM control on this panel in different laptops. Ranging from 200Hz to 1000Hz to no PWM at all - all on the same panel model number. Intel informs us that there are many factors (e.g. freq., display driver, BIOS settings implementation, type of dimmers & compatibility with the driver etc.) that impacts the quality of panel dimming performance. To Intel's knowledge, no kind of flickering has been reported during the validation process. Furthermore, first hands-on data from Notebookcheck indicates that no PWM occurs on this panel. With a DSLR test (multiple burst shots at 1/4000s exposure time) I can confirm that there is not a single frame of brightness dipping or black screen, not even at minimum LCD brightness. Hence, we can confirm: BOE NV156FHM-N4G in XMG FUSION 15 (with Intel) does not use PWM for backlight control.

Q: Some BTO shops, for an additional fee, manually pick out display panels with the least back-light bleed. Do you offer that? Even better, do you do that without the extra fee?
A: Intel has validated this design to avoid backlight bleed as much as possible. Currently no plans to do further binning. All dozens of MP samples we have seen so far have been exceptionally good.

Q: I'm coming from a 13" MacBook with Retina display. How am I going to fare with this 15.6" FHD screen in content creation?
A: If you got used to editing high-res visual content (photography, artwork) on your 13inch retina, things will change. On the one hand, your canvas will be larger and more convenient and ergonomic to work with. On the other hand, you will find yourself zooming in more often in order to make out fine-detail. Assuming that you have sharp 20:20 vision.
As it is, the screen resolution and specs are not planned to change within the lifetime of this product. The first realistic time-window for a refresh would be whenever Intel is releasing the next "H" series CPU generation. But even then, an upgrade on resolution will not be guaranteed.
Comparison:
Laptop Resolution Pixel per inch dot pitch
13.3" MacBook Pro Retina (late 2013) 2560x1600 226.98 PPI 0.1119mm
15.6" XMG FUSION 15 (late 2019) 1920x1080 141.21 PPI 0.1799mm
To compare: 141.21 is ~62% from 226.98. This represents the the metric difference in pixel density and peak sharpness between these two models.
If you know the diagonal size and resolution of your screen, you can make this comparison yourself with the DPI/PPI calculator.


Keyboard, Backlight, Switches, Layout


Q: What can you tell us about the mechanical keyboard of XMG FUSION 15?
A: The keyboard has already been reviewed in our XMG NEO series as being more crisp than typical membrane keyboards. Most reviewers attested it a very good score, both for gaming and for writing long texts.
The keyboard backlight can be configured per-key. Default mode is all white.
Keyboard Switch Specs:
Having no frame around the keycaps actually helps the thermals. The fans can pull in additional air from the top. This improves airflow and helps to keep the keyboard temperature at low levels during gaming. It also prevents long-term RMA issues on the keyboard. This specific keyboard switch is already in its 3rd generation and very mature by now.

Q: Is it possible to dampen the mechanical keyboard with o-rings?
A: The switch design does not lend itself to further dampening. The switch mechanic is too complex and has more moving parts than cherry. The 2mm travel distance also plays a role in not allowing more dampening.
For reference, please use this video (Youtube). We compared XMG NEO with another membrane-type keyboard. XMG NEO and FUSION share the same keyboard mechanics with the silent tactile switch and the same sound profile.

Q: Do you have LED keyboard backlight on the secondary key function, like Fn key icons?
A: Please have a look at this picture.
Btw, my working sample has blank keycaps. I took the 3 printed keycaps (F8, F9, F10) from a different sample just to demonstrate the Fn lighting for this picture.
Facts:
In my assesment, the Fn function symbols are clearly visible from the backlight in a dark room. A user should have no difficulty to recognize the icon and reach its function.

Q: Which keyboard layouts do you offer in the EU?
A: The following layouts are available, in alphabetic order: Belgium, Czech, Danish, Dvorak German, Dvorak US, Estonia, French, German, Greek, Italian, Norwegian, Polish for Typists, Portuguese, Russia Latin, Slovakish, Spanish, Swedish / Finnish, Swiss, Turkish, UK, US International (ISO)All these layouts are based on the ISO matrix. See differences between ANSI vs. ISO here.


Operating System


Q: Do you support Linux and dual-boot on XMG FUSION 15?
A: We are in discussion to sell XMG FUSION 15 over Tuxedo with official Linux support. It might take 1 or 2 months to get this running.

Q: Which LAN, Audio and WiFi card vendors will be used? Asking for a friend.
A: From our HWiNFO64 report. (Google Drive link)
LAN: RealTek Semiconductor RTL8168/8111 [PCI\VEN_10EC&DEV_8168&SUBSYS_20868086&REV_15]Audio: Intel(R) Smart Sound Technology (Intel(R) SST) Audio Controller [PCI\VEN_8086&DEV_A348&SUBSYS_20868086&REV_10]WiFi: Intel(R) Wi-Fi 6 AX200 [PCI\VEN_8086&DEV_2723&SUBSYS_00848086&REV_1A], can be replaced.
For more information, please check the linked report file.


Other questions


Q: What would you say are the advantages and differences with other laptops due to the fact the laptop was designed in collaboration with Intel?
A: Disclaimer: I am \not* an Intel rep. The following remarks are based on my personal experience and opinion.*
Advantages:
  1. Very strict quality control on all levels. I can't quote numbers due to NDA, but Intel NUC has extremely low RMA rates, compared to average PC mainboards and systems. Intel is driven by strict internal regulation that strifes for perfection - this applies to the whole chassis, assembly and firmware, not only the mainboard. There are also certain regulations in place, for example in terms of electro-magnetic regulation and skin temperatures. The rating label is littered with regulatory seals from every region of the world, making this laptop especially safe to use.
  2. Access to high-quality material: we have not seen any Gaming Laptops based on Magnesium alloy yet, especially not in the ODM/LOEM ecosystem. The battery cells are also much more dense than what we usually see. Intel has the buying power and the vision to not settle for mediocre parts.
  3. Down-to-earth design: Intel has made this reference design for the ODM/LOEM eco-system. The design does not try to follow any specific corporate identity, thus it does not have any unneccessary "bling bling" like all the others have. Even the Razer Blade with it's sleek shape is quite obnoxious (iny my oppinion) with it's big backlit green snake logo. With XMG FUSION however, we can continue our typical style of "Undercover Gaming".
  4. Security: you can expect stellar support in terms of BIOS and Firmware (TPM, Management Engine) updates whenever any security issues are found. This might also apply to global brands, but ODM/LOEM systems have not always been so quick to react. This is due to the huge fragmentation/customizations in ODM/LOEM systems. Intel however does now allow any fragmentation: every LOEM partner is getting the same firmware. There are many hooks for configurations in this firmware, but the source code / binaries are always the same. This makes support much easier down the line.
Disadvantages:
  1. I can't name many, of course. But I would say the strict validation also makes the partnership less flexible from a product management perspective. There is no plan currently to phase-in any 4K or 300Hz screen (FHD/144Hz ought to be enough for everyone this year) or any Core i9 in this system. Other ODMs might be more open for costly modifications based on low quantities. Intel however has streamlined their production and logistics in a way that gives us (the LOEM) very short lead times and competitive pricing, but will not allow any short-notice upgrades or customizations.

Q: Will there be a 17 inch version?
A: We can neither confirm nor deny plans for a 17 inch version at this point.


[to be continued]
submitted by XMG_gg to XMG_gg [link] [comments]

Vault 7 - CIA Hacking Tools Revealed

Vault 7 - CIA Hacking Tools Revealed
March 07, 2017
from Wikileaks Website


https://preview.redd.it/9ufj63xnfdb41.jpg?width=500&format=pjpg&auto=webp&s=46bbc937f4f060bad1eaac3e0dce732e3d8346ee

Press Release
Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency.
Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.
The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence (below image) in Langley, Virgina.
It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election.
Recently, the CIA lost control of the majority of its hacking arsenal including,
  1. malware
  2. viruses
  3. trojans
  4. weaponized "zero day" exploits
  5. malware remote control systems

...and associated documentation.
This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA.
The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.
"Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, include,

  1. Apple's iPhone
  2. Google's Android
  3. Microsoft's Windows
  4. Samsung TVs,

...which are turned into covert microphones.
Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA).
The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force - its own substantial fleet of hackers.
The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities.
By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI - below image), had over 5000 registered users and had produced more than a thousand,
hacking systems trojans viruses,
...and other "weaponized" malware.


https://preview.redd.it/3jsojkqxfdb41.jpg?width=366&format=pjpg&auto=webp&s=e92eafbb113ab3e972045cc242dde0f0dd511e96

Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more codes than those used to run Facebook.
The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified.
In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency.
The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons.
Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike.

Julian Assange, WikiLeaks editor stated that,
"There is an extreme proliferation risk in the development of cyber 'weapons'.
Comparisons can be drawn between the uncontrolled proliferation of such 'weapons', which results from the inability to contain them combined with their high market value, and the global arms trade.
But the significance of 'Year Zero' goes well beyond the choice between cyberwar and cyberpeace. The disclosure is also exceptional from a political, legal and forensic perspective."

Wikileaks has carefully reviewed the "Year Zero" disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should analyzed, disarmed and published.

Wikileaks has also decided to Redact (see far below) and Anonymize some identifying information in "Year Zero" for in depth analysis. These redactions include ten of thousands of CIA targets and attack machines throughout,
Latin America Europe the United States

While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages in "Vault 7" part one ("Year Zero") already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks.

Analysis

CIA malware targets iPhone, Android, smart TVs
CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA's DDI (Directorate for Digital Innovation).
The DDI is one of the five major directorates of the CIA (see above image of the CIA for more details).
The EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide.
The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984, but "Weeping Angel", developed by the CIA's Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization.
The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS.
After infestation, Weeping Angel places the target TV in a 'Fake-Off' mode, so that the owner falsely believes the TV is off when it is on. In 'Fake-Off' mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.
As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.
The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones. Infected phones can be instructed to send the CIA the user's geolocation, audio and text communications as well as covertly activate the phone's camera and microphone.
Despite iPhone's minority share (14.5%) of the global smart phone market in 2016, a specialized unit in the CIA's Mobile Development Branch produces malware to infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads.
CIA's arsenal includes numerous local and remote "zero days" developed by CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop.
The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites.
A similar unit targets Google's Android which is used to run the majority of the world's smart phones (~85%) including Samsung, HTC and Sony. 1.15 billion Android powered phones were sold last year.
"Year Zero" shows that as of 2016 the CIA had 24 "weaponized" Android "zero days" which it has developed itself and obtained from GCHQ, NSA and cyber arms contractors.
These techniques permit the CIA to bypass the encryption of, WhatsApp
  1. Signal
  2. Telegram
  3. Wiebo
  4. Confide
  5. Cloackman
...by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied.
CIA malware targets Windows, OSx, Linux, routers
The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware.
This includes multiple local and remote weaponized "zero days", air gap jumping viruses such as "Hammer Drill" which infects software distributed on CD/DVDs, infectors for removable media such as USBs, systems to hide data in images or in covert disk areas ("Brutal Kangaroo") and to keep its malware infestations going.
Many of these infection efforts are pulled together by the CIA's Automated Implant Branch (AIB), which has developed several attack systems for automated infestation and control of CIA malware, such as "Assassin" and "Medusa".
Attacks against Internet infrastructure and webservers are developed by the CIA's Network Devices Branch (NDB).
The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more, such as EDB's "HIVE" and the related "Cutthroat" and "Swindle" tools, which are described in the examples section far below.
CIA 'hoarded' vulnerabilities ("zero days")
In the wake of Edward Snowden's leaks about the NSA, the U.S. technology industry secured a commitment from the Obama administration that the executive would disclose on an ongoing basis - rather than hoard - serious vulnerabilities, exploits, bugs or "zero days" to Apple, Google, Microsoft, and other US-based manufacturers.
Serious vulnerabilities not disclosed to the manufacturers places huge swathes of the population and critical infrastructure at risk to foreign intelligence or cyber criminals who independently discover or hear rumors of the vulnerability.
If the CIA can discover such vulnerabilities so can others.
The U.S. government's commitment to the Vulnerabilities Equities Process came after significant lobbying by US technology companies, who risk losing their share of the global market over real and perceived hidden vulnerabilities.
The government stated that it would disclose all pervasive vulnerabilities discovered after 2010 on an ongoing basis.
"Year Zero" documents show that the CIA breached the Obama administration's commitments. Many of the vulnerabilities used in the CIA's cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals.
As an example, specific CIA malware revealed in "Year Zero" is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts.
The CIA attacks this software by using undisclosed security vulnerabilities ("zero days") possessed by the CIA but if the CIA can hack these phones then so can everyone else who has obtained or discovered the vulnerability.
As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable.
The same vulnerabilities exist for the population at large, including the U.S. Cabinet, Congress, top CEOs, system administrators, security officers and engineers.
By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone at the expense of leaving everyone hackable.
'Cyberwar' programs are a serious proliferation risk
Cyber 'weapons' are not possible to keep under effective control.
While nuclear proliferation has been restrained by the enormous costs and visible infrastructure involved in assembling enough fissile material to produce a critical nuclear mass, cyber 'weapons', once developed, are very hard to retain.
Cyber 'weapons' are in fact just computer programs which can be pirated like any other. Since they are entirely comprised of information they can be copied quickly with no marginal cost.
Securing such 'weapons' is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces - sometimes by using the very same 'weapons' against the organizations that contain them.
There are substantial price incentives for government hackers and consultants to obtain copies since there is a global "vulnerability market" that will pay hundreds of thousands to millions of dollars for copies of such 'weapons'.
Similarly, contractors and companies who obtain such 'weapons' sometimes use them for their own purposes, obtaining advantage over their competitors in selling 'hacking' services.
Over the last three years the United States intelligence sector, which consists of government agencies such as the CIA and NSA and their contractors, such as Booz Allan Hamilton, has been subject to unprecedented series of data exfiltrations by its own workers.
A number of intelligence community members not yet publicly named have been arrested or subject to federal criminal investigations in separate incidents.
Most visibly, on February 8, 2017 a U.S. federal grand jury indicted Harold T. Martin III with 20 counts of mishandling classified information.
The Department of Justice alleged that it seized some 50,000 gigabytes of information from Harold T. Martin III that he had obtained from classified programs at NSA and CIA, including the source code for numerous hacking tools.
Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike.
U.S. Consulate in Frankfurt is a covert CIA hacker base
In addition to its operations in Langley, Virginia the CIA also uses the U.S. consulate in Frankfurt as a covert base for its hackers covering Europe, the Middle East and Africa.
CIA hackers operating out of the Frankfurt consulate ("Center for Cyber Intelligence Europe" or CCIE) are given diplomatic ("black") passports and State Department cover.
The instructions for incoming CIA hackers make Germany's counter-intelligence efforts appear inconsequential: "Breeze through German Customs because you have your cover-for-action story down pat, and all they did was stamp your passport" Your Cover Story (for this trip) Q: Why are you here? A: Supporting technical consultations at the Consulate. Two earlier WikiLeaks publications give further detail on CIA approaches to customs and secondary screening procedures.
Once in Frankfurt CIA hackers can travel without further border checks to the 25 European countries that are part of the Shengen open border area - including France, Italy and Switzerland.
A number of the CIA's electronic attack methods are designed for physical proximity.
These attack methods are able to penetrate high security networks that are disconnected from the internet, such as police record database. In these cases, a CIA officer, agent or allied intelligence officer acting under instructions, physically infiltrates the targeted workplace.
The attacker is provided with a USB containing malware developed for the CIA for this purpose, which is inserted into the targeted computer. The attacker then infects and exfiltrates data to removable media.
For example, the CIA attack system Fine Dining, provides 24 decoy applications for CIA spies to use.
To witnesses, the spy appears to be running a program showing videos (e.g VLC), presenting slides (Prezi), playing a computer game (Breakout2, 2048) or even running a fake virus scanner (Kaspersky, McAfee, Sophos).
But while the decoy application is on the screen, the underlying system is automatically infected and ransacked.
How the CIA dramatically increased proliferation risks
In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market valuable part of "Vault 7", the CIA's, weaponized malware (implants + zero days) Listening Posts (LP) Command and Control (C2) systems, ...the agency has little legal recourse.
The CIA made these systems unclassified.
Why the CIA chose to make its cyber-arsenal unclassified reveals how concepts developed for military use do not easily crossover to the 'battlefield' of cyber 'war'.
To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet.
If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet.
Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution.
This means that cyber 'arms' manufactures and computer hackers can freely "pirate" these 'weapons' if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets.
Conventional weapons such as missiles may be fired at the enemy (i.e. into an unsecured area). Proximity to or impact with the target detonates the ordnance including its classified parts. Hence military personnel do not violate classification rules by firing ordnance with classified parts.
Ordnance will likely explode. If it does not, that is not the operator's intent.
Over the last decade U.S. hacking operations have been increasingly dressed up in military jargon to tap into Department of Defense funding streams.
For instance, attempted "malware injections" (commercial jargon) or "implant drops" (NSA jargon) are being called "fires" as if a weapon was being fired.
However the analogy is questionable.
Unlike bullets, bombs or missiles, most CIA malware is designed to live for days or even years after it has reached its 'target'. CIA malware does not "explode on impact" but rather permanently infests its target. In order to infect target's device, copies of the malware must be placed on the target's devices, giving physical possession of the malware to the target.
To exfiltrate data back to the CIA or to await further instructions the malware must communicate with CIA Command & Control (C2) systems placed on internet connected servers.
But such servers are typically not approved to hold classified information, so CIA command and control systems are also made unclassified.
A successful 'attack' on a target's computer system is more like a series of complex stock maneuvers in a hostile take-over bid or the careful planting of rumors in order to gain control over an organization's leadership rather than the firing of a weapons system.
If there is a military analogy to be made, the infestation of a target is perhaps akin to the execution of a whole series of military maneuvers against the target's territory including observation, infiltration, occupation and exploitation.
Evading forensics and anti-virus
A series of standards lay out CIA malware infestation patterns which are likely to assist forensic crime scene investigators as well as, Apple
  1. Microsoft
  2. Google
  3. Samsung
  4. Nokia
  5. Blackberry
  6. Siemens
  7. anti-virus companies,
...attribute and defend against attacks.
"Tradecraft DO's and DON'Ts" contains CIA rules on how its malware should be written to avoid fingerprints implicating the "CIA, US government, or its witting partner companies" in "forensic review".
Similar secret standards cover the, use of encryption to hide CIA hacker and malware communication (pdf) describing targets & exfiltrated data (pdf) executing payloads (pdf) persisting (pdf), ...in the target's machines over time.
CIA hackers developed successful attacks against most well known anti-virus programs.
These are documented in, AV defeats Personal Security Products Detecting and defeating PSPs PSP/DebuggeRE Avoidance For example, Comodo was defeated by CIA malware placing itself in the Window's "Recycle Bin". While Comodo 6.x has a "Gaping Hole of DOOM".
CIA hackers discussed what the NSA's "Equation Group" hackers did wrong and how the CIA's malware makers could avoid similar exposure.

Examples

The CIA's Engineering Development Group (EDG) management system contains around 500 different projects (only some of which are documented by "Year Zero") each with their own sub-projects, malware and hacker tools.
The majority of these projects relate to tools that are used for,
penetration infestation ("implanting") control exfiltration
Another branch of development focuses on the development and operation of Listening Posts (LP) and Command and Control (C2) systems used to communicate with and control CIA implants.
Special projects are used to target specific hardware from routers to smart TVs.
Some example projects are described below, but see the table of contents for the full list of projects described by WikiLeaks' "Year Zero".
UMBRAGE
The CIA's hand crafted hacking techniques pose a problem for the agency.
Each technique it has created forms a "fingerprint" that can be used by forensic investigators to attribute multiple different attacks to the same entity.
This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible.
As soon one murder in the set is solved then the other murders also find likely attribution.
The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation.
With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from.
UMBRAGE components cover,
keyloggers
  1. password collection
  2. webcam capture
  3. data destruction
  4. persistence
  5. privilege escalation
  6. stealth
  7. anti-virus (PSP) avoidance
  8. survey techniques

Fine Dining
Fine Dining comes with a standardized questionnaire i.e menu that CIA case officers fill out.
The questionnaire is used by the agency's OSB (Operational Support Branch) to transform the requests of case officers into technical requirements for hacking attacks (typically "exfiltrating" information from computer systems) for specific operations.
The questionnaire allows the OSB to identify how to adapt existing tools for the operation, and communicate this to CIA malware configuration staff.
The OSB functions as the interface between CIA operational staff and the relevant technical support staff.
Among the list of possible targets of the collection are,
  • 'Asset'
  • 'Liason Asset'
  • 'System Administrator'
  • 'Foreign Information Operations'
  • 'Foreign Intelligence Agencies'
  • 'Foreign Government Entities'
Notably absent is any reference to extremists or transnational criminals. The 'Case Officer' is also asked to specify the environment of the target like the type of computer, operating system used, Internet connectivity and installed anti-virus utilities (PSPs) as well as a list of file types to be exfiltrated like Office documents, audio, video, images or custom file types.
The 'menu' also asks for information if recurring access to the target is possible and how long unobserved access to the computer can be maintained.
This information is used by the CIA's 'JQJIMPROVISE' software (see below) to configure a set of CIA malware suited to the specific needs of an operation.
Improvise (JQJIMPROVISE)
  1. 'Improvise' is a toolset for configuration, post-processing, payload setup and execution vector
  2. selection for survey/exfiltration tools supporting all major operating systems like,
  3. Windows (Bartender)
  4. MacOS (JukeBox)
  5. Linux (DanceFloor)
  6. Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools
based on requirements from 'Fine Dining' questionnaires.
HIVE
HIVE is a multi-platform CIA malware suite and its associated control software.
The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants.
The implants are configured to communicate via HTTPS with the webserver of a cover domain; each operation utilizing these implants has a separate cover domain and the infrastructure can handle any number of cover domains.
Each cover domain resolves to an IP address that is located at a commercial VPS (Virtual Private Server) provider.
The public-facing server forwards all incoming traffic via a VPN to a 'Blot' server that handles actual connection requests from clients.
It is setup for optional SSL client authentication: if a client sends a valid client certificate (only implants can do that), the connection is forwarded to the 'Honeycomb' toolserver that communicates with the implant.
If a valid certificate is missing (which is the case if someone tries to open the cover domain website by accident), the traffic is forwarded to a cover server that delivers an unsuspicious looking website.
The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer, so the toolserver acts as a C2 (command and control) server for the implant.
Similar functionality (though limited to Windows) is provided by the RickBobby project.
See the classified user and developer guides for HIVE.

Frequently Asked Questions

Why now?
WikiLeaks published as soon as its verification and analysis were ready. In February the Trump administration has issued an Executive Order calling for a "Cyberwar" review to be prepared within 30 days.
While the review increases the timeliness and relevance of the publication it did not play a role in setting the publication date.
Redactions
Names, email addresses and external IP addresses have been redacted in the released pages (70,875 redactions in total) until further analysis is complete. Over-redaction: Some items may have been redacted that are not employees, contractors, targets or otherwise related to the agency, but are, for example, authors of documentation for otherwise public projects that are used by the agency.
Identity vs. person: the redacted names are replaced by user IDs (numbers) to allow readers to assign multiple pages to a single author. Given the redaction process used a single person may be represented by more than one assigned identifier but no identifier refers to more than one real person.
Archive attachments (zip, tar.gz, ...), are replaced with a PDF listing all the file names in the archive. As the archive content is assessed it may be made available; until then the archive is redacted.
Attachments with other binary content, are replaced by a hex dump of the content to prevent accidental invocation of binaries that may have been infected with weaponized CIA malware. As the content is assessed it may be made available; until then the content is redacted.
Tens of thousands of routable IP addresses references, (including more than 22 thousand within the United States) that correspond to possible targets, CIA covert listening post servers, intermediary and test systems, are redacted for further exclusive investigation.
Binary files of non-public origin, are only available as dumps to prevent accidental invocation of CIA malware infected binaries.
Organizational Chart
The organizational chart (far above image) corresponds to the material published by WikiLeaks so far.
Since the organizational structure of the CIA below the level of Directorates is not public, the placement of the EDG and its branches within the org chart of the agency is reconstructed from information contained in the documents released so far.
It is intended to be used as a rough outline of the internal organization; please be aware that the reconstructed org chart is incomplete and that internal reorganizations occur frequently.
Wiki pages
"Year Zero" contains 7818 web pages with 943 attachments from the internal development groupware. The software used for this purpose is called Confluence, a proprietary software from Atlassian.
Webpages in this system (like in Wikipedia) have a version history that can provide interesting insights on how a document evolved over time; the 7818 documents include these page histories for 1136 latest versions.
The order of named pages within each level is determined by date (oldest first). Page content is not present if it was originally dynamically created by the Confluence software (as indicated on the re-constructed page).
What time period is covered?
The years 2013 to 2016. The sort order of the pages within each level is determined by date (oldest first).
WikiLeaks has obtained the CIA's creation/last modification date for each page but these do not yet appear for technical reasons. Usually the date can be discerned or approximated from the content and the page order.
If it is critical to know the exact time/date contact WikiLeaks.
What is "Vault 7"
"Vault 7" is a substantial collection of material about CIA activities obtained by WikiLeaks.
When was each part of "Vault 7" obtained?
Part one was obtained recently and covers through 2016. Details on the other parts will be available at the time of publication.
Is each part of "Vault 7" from a different source?
Details on the other parts will be available at the time of publication.
What is the total size of "Vault 7"?
The series is the largest intelligence publication in history.
How did WikiLeaks obtain each part of "Vault 7"?
Sources trust WikiLeaks to not reveal information that might help identify them.
Isn't WikiLeaks worried that the CIA will act against its staff to stop the series?
No. That would be certainly counter-productive.
Has WikiLeaks already 'mined' all the best stories?
No. WikiLeaks has intentionally not written up hundreds of impactful stories to encourage others to find them and so create expertise in the area for subsequent parts in the series. They're there.
Look. Those who demonstrate journalistic excellence may be considered for early access to future parts.
Won't other journalists find all the best stories before me?
Unlikely. There are very considerably more stories than there are journalists or academics who are in a position to write them.
submitted by CuteBananaMuffin to conspiracy [link] [comments]

Oneangrygamer is just not even trying anymore.

https://www.oneangrygamer.net/2019/08/shovel-knight-adds-they-them-gender-pronouns/91912/
"We continue to see our society fall by the wayside. The next step down the rabbit hole of societal decay was commenced by none other than the Yacht Club. They announced that Shovel Knight has added a third gender pronoun option… “they/them”."
How dare they gush gamers an OPTION! It's not like we have a CHOICE on this even though we actually do!
"The responses, thankfully, called out how trying to appease people who suffer from mental delusions is a complete turnoff. Various people noted that they did not accept appeasing the people who are trying to push “non-binary” as a standard, even though it biologically doesn’t exist."
...ok, I have to say that these people are idiots and so are you: overthebrainbow.com/blog/2017/1/7/wired-this-way-sexual-orientation-and-gender-in-the-brain https://web.archive.org/web/20150926035309/https://catholictrans.wordpress.com/2013/11/18/debunking-myth-11-sex-and-gender-are-straightforward/
"It’s basically more virtue signaling, adding in features that don’t actually improve the game in any way, they just placate the sensibilities of people constantly trying to subvert the biological norms of today’s society."
Really? https://web.archive.org/web/20180902070639/https://genderanalysis.net/2018/06/effectiveness-of-vaginoplasty-for-trans-women-confirmed-once-again-in-new-study/ https://web.archive.org/web/20180902070724/https://genderanalysis.net/2018/01/evidence-of-health-benefits-of-medical-transition-gender-dysphoria-body-image-sexual-functioning-and-quality-of-life/
"Unfortunately the people with common sense were in short supply within the Twitter thread. Majority of the comments were people praising Yacht Club Games for caving into the disconcerting demands of a minuscule minority."
As opposed to say, your miniscule minority?
submitted by ryu289 to Gamingcirclejerk [link] [comments]

Blindspot Whitepaper: Specialized Threat Assessment and Protection (STAP) for the Blockchain

BlindSpot™
Stop attacks before ”zero day” and stop the Advanced Persistent Threat (APT)
We live in a dangerous world — our information technology systems face that danger every single day. Hackers are constantly attempting to infiltrate systems, steal information, damage government and corporate reputations, and take control of systems and processes.
Hackers share and use a variety of tools and techniques to gain access to, and
maintain access to, IT systems, including groups and techniques so dangerous
they have their own category - the Advanced Persistent Threat (APT). At the
center of the APT are sophisticated techniques using malware to exploit vulnerabilities in systems. Traditional cyber security technologies use file signatures to locate these tools and hacker malware, but hackers are now actively camouflaging their tools by changing, customizing, and “morphing” them into new files that do not match any known signatures (‘Polymorphic Malware’). This introduces a massive gap in malicious file detection which leaves the enterprise open to exploitation — and it’s just not possible for traditional signature-based systems to keep up. In fact, signature-based anti-virus and anti-malware systems are only around 25% effective today. BlindSpot™ sees through it all, even as the files morph and change in a futile attempt to remain camouflaged.
Digital File Fingerprints
Any File Type, Any Language, Partial Matches, Exact Matches
BlindSpot™, the adaptive security solution from BlindSpot™, can see through the
Polymorphic camouflage used by the worlds most advanced hackers by utilizing
digital file fingerprints and our proprietary adaptive BlindSpot™ ‘brain’ that constantly analyzes the fingerprints of known malicious files and tools to locate partial matches within the files on your systems - servers, laptops, desktops, USB drives, and even mobile devices. BlindSpot™ can cut right through the Polymorphic files, revealing the true hacking tools underneath, even if they are only fragments or pieces of a more complete set of hacking tools and technologies.
Most cyber attacks happen weeks or even months after their initial penetration and access to a network or system, and even the simplest attacks tend to have a fuse that is typically several days. It takes them time to map out a system, probe for the information they want, and obtain or forge credentials with the type of access they need. But from the moment their tools first land on your network and systems, BlindSpot™ sees them. If fact, BlindSpot™ can see them sitting on a newly inserted USB drive even if the files are not copied to your systems. This means BlindSpot™ can identify and alert you to malicious files and potential illicit activities before the attack happens - before zero day!
How does BlindSpot™ work? BlindSpot™ sits on the endpoint and continuously monitors file activity. Digital fingerprints, which can be used to find partial matches of any file type in any language, are reported back where they are kept forever in a temporal repository.
BlindSpot™ looks through all of the digital fingerprints — both those from files on your systems and those in a constantly updated database of known malicious files and hacking tools, to locate and alert you to any indication of hacking, malicious files, or illicit activity. BlindSpot™ is a disruptive technology that can see polymorphic malware and stop attacks before zero day.
Digital File Fingerprints are created from a file or a piece of digital data/information by using advanced mathematics to look at all of the small pieces of data that make up the file to create a very small, unique piece of mathematical data — a digital file fingerprint. Files may be of any file type and in any language - digital fingerprints can find partial and exact matches regardless of what is in the file itself.
Just like with humans, once a fingerprint has been taken, you no longer need the
person to identify them. The fingerprint is enough. Even a partial fingerprint is
enough, and sometimes a smudge will do. Digital fingerprints work on the same
principle. Once BlindSpot™ has taken a digital fingerprint of a file, the file is no longer needed to identify it or to compare it with other files. And because digital fingerprints are tiny, they are easy to store. Even a multi-gigabyte file has a digital fingerprint that is no larger than 10k bytes.
Once you have two sets of digital fingerprints, you can compare them. Because BlindSpot™ starts with full fingerprints of known malicious files, it can identify matching files even when the digital fingerprint is only partially there. And with BlindSpot™’s advanced processing capabilities, file fragments, recovered data from a hard drive, partially downloaded documents, damaged files (both intentional and accidental) and other incomplete file structures can be properly fingerprinted in a way that still allows matches to be found.
Other technologies and software use static signatures, which do not work if any part of a file, regardless of how small, is different from another, or if the file is damaged in any way. BlindSpot™ and digital fingerprints enable partial matching, and can see through the camouflage that has become the industry standard for hackers across the globe. Static signature based solutions simply cannot do this.
Imagine your favorite detective drama on TV. The prosecutor says “This partial
fingerprint was found at the crime scene and the video camera across the
street recorded a perfect image of the person’s face.” The jury deliberates and
compares the picture and fingerprints of the defendant that were taken the day
before. They conclude, because the fingerprint was not all there and was not 100% identical, and because one picture showed a mustache that looked identical but was one millimeter longer than the other picture, that the two people were not identical - and set the criminal free. Well, that show wouldn’t be on TV long because crime would run rampant. Now imagine they had BlindSpot™. Criminals would be caught, the town would be a much safer place, and the show would be on for years to come.
Now imagine your network and systems without BlindSpot™, where traditional
exact match signature software is on your front line of defense. All kinds of
malicious files could walk right through and sit down on your hard drives, just
waiting for hackers to activate them. But you don’t have to imagine what your
systems would be like with BlindSpot™ — instead, simply contact us, get BlindSpot™ in place, and we’ll work with you to show you what’s really on your systems and help you keep those systems safe.
Ensuring System Compliance
Take the guesswork out of compliance assessment
All Government systems go through Certification and Accreditation. BlindSpot™ can help you with malicious code protection, for both security considerations and required compliance. Guidelines found in NIST 800-53 Revisions 3+ Security Requirements for System Integrity, SI-3 Malicious Code Protection, state that malicious code protection mechanisms must be employed at information system entry and exit points, including workstations, notebook computers, and mobile devices, to detect and eradicate malicious code.
BlindSpot™, with its continuous monitoring of the files on your endpoints and its
continuous updating of its known malicious file repository, will provide the
required real-time and full monthly re-scans of your files, will alert your
administrative staff when malicious code is found, will provide reports on
potential malicious files, illicit activity, and follow-up with very short false positive reports. BlindSpot™’s false positive rate is less than 0.01%. BlindSpot™ helps organizations meet the security requirements set forth and ensure compliance.
Intellectual Property Protection
Track sensitive information as it changes and moves around the enterprise
BlindSpot™ uses digital file fingerprints to identify partial and exact matches between files, regardless of file type or language. This ability can be used to track movements of and changes to files on a network of computers.
Government entities and corporations need to addresses the issue of monitoring
documents and files that contain sensitive information intellectual property, and it
is no longer sufficient to simply store them on a secure server and require specific credentials to access the information. People, both unintentionally and sometimes with malicious intent, copy and paste parts of documents, move files to USB drives, and otherwise edit and transfer files in order to get them on to a laptop, share them with a co-worker, or exfiltrate confidential information to outside networks and systems. BlindSpot™ carefully watches all of the files on your network, including what’s going with USB drives. If someone copies part of a file that has sensitive data to another file, BlindSpot™ sees it. Furthermore, BlindSpot™ can alert you when it sees questionable activity with certain documents/files or with specific computers/individuals.
Your sensitive files now have a watchdog that catches both unintentional and
malicious exposure to non-secure systems. Use BlindSpot™ to set up a custom
database of the locations where your sensitive files are stored, and BlindSpot™ will create a set of digital file fingerprints that can be used to track those files across your network and systems. This ensures that an organization can know where its proprietary and sensitive information is 365/7/24, in real-time.
Supervisory Control and Data Acquisition (SCADA) Systems
Supervisory Control and Data Acquisition (SCADA) is a system for remote monitoring and control that operates with coded signals over communication channels (using typically one communication channel per remote station).
SCADA networks contain computers and applications that perform key functions in providing essential services and commodities (e.g. electricity, natural gas, gasoline, water, waste treatment, transportation) to all Americans. They are part of the nation’s critical infrastructure, provide great efficiency, are widely used, and require protection from a variety of cyber threats.
One of the most significant threats is benign files residing on the computers on
the network that morph into tools that hackers can use to gain access to the
network and the equipment it monitors and/or controls. These files might be part
of the operating system (binary files), might be a normal file that includes
scripting, or can even be a general data file moved onto the computer through a
network or a USB drive. By morphing, these files circumvent detection and
countermeasures. This is just one example of how a hacker can compromise and
exploit the system and the worst part is that you will never know until it is too late!
The recent Department of Justice announcement charging Iranian hackers
believed to be tied to the 2013 hacking of a New York dam illustrates this threat
clearly.
Enter BlindSpot™’s BlindSpot™ Adaptive Security — BlindSpot™ monitors all files of all types (any format or language) without the requirement of a translator or human operator. BlindSpot™ can see right through the hacker’s camouflage of
morphing files to quickly identify problems and threats before hackers have the
opportunity to active and use their tools. For U.S. and foreign based systems,
BlindSpot™ is a must have cyber security solution.
The BlindSpot™ team has extensive experience with SCADA systems and critical infrastructure. Our BlindSpot™ solution is critical to the overall security framework of such systems as it was designed to find the morphing, malicious files and associated illicit file activity that can lead to compromise of the integrity, confidentiality and/or availability of the system. Threats loom on both the inside and outside, and the dynamic nature of these systems require continuous, temporal monitoring to stop cyber attacks before they happen.
Stop Ransomware
Identify and remove Ransomware before it encrypts your files
Ransomware attacks are on the rise and affect Fortune 500 companies, Federal
organizations, and consumers. This vicious type of attack affects your user’s ability to get their work done and prevents users from accessing files on a device or network by making the device or network unusable, by encrypting the files your users need to access, and/or by stopping certain applications from running (e.g. the web browser). A ransom is then demanded (an electronic payment of currency or bitcoins) with the promise that your data will be unencrypted and accessible again following the payment.
If the ransom payment is made, there is no guarantee that the data will be
unencrypted or returned to a state of integrity and/or availability. Furthermore,
there is also no guarantee that the people behind the ransom will not re-infect
your systems again with a variant of what was initially used. Payment encourages future attacks because they know you cannot detect it and will pay again next time. Surprisingly, there are only a handful of known ransomware files in use today (e.g. Crowti, Fakebsod). Safeguards exist that use static signatures to find exact matches for these known files, but the moment these files morph or are changed in any way they become undetectable by these solutions. BlindSpot™ digs deeper with digital file fingerprints and can find the new files, enabling you to analyze, quarantine, or delete them before they activate. This pro-active approach can be the difference between a system being protected and a system being made completely unavailable with encrypted data being held hostage for a ransom. The image below is an actual Fakebsod notification message.
BlindSpot™ uses digital file fingerprints to detect the ransomware by looking at
both partial and exact matches and can report the problem before it happens.
Ransomeware of the past attacked your personal computer and today’s variant
attacks the servers — BlindSpot™ can detect both.
Case Study: March 2016 - Two more healthcare networks are hit by ransomware targeting servers. Advice from law enforcement — pay the ransom! (They did). File backups are insufficient. Paying ransoms is costly and only encourages repeat attacks.
BlindSpot™ is the most comprehensive solution available to detect and root out
ransomware. Take charge of the situation and put BlindSpot™ to work continuously monitoring your systems.
Get BlindSpot™ Now
Commercial or Government, with multiple contract vehicles available
How Can I Get BlindSpot™?
CYBR develops and sells its adaptive enterprise cyber security software product, BlindSpot™, and provides professional services and support for BlindSpot™ implementations.
Product
BlindSpot™ Adaptive Security is a continuous monitoring enterprise solution that tracks file-based activity on the endpoint using digital file fingerprints, can identify problems and cyber threats before zero day, and can see through morphing, camouflaged (polymorphic) files to make accurate determinations of malicious files and illicit activity.
Deployment Options
BlindSpot™ can deployed as a secure cloud application for maximum flexibility, a standalone Enterprise implementation for maximum security, or the two combined in an Enterprise implementation augmented through a secure cloud gateway.
Professional Services and Training
BlindSpot™’s team of cyber security experts have the expertise to support
you by creating a holistic, enterprise security framework that consists of people,
policy, procedures and technology that will ensure a security posture that implements the best risk management strategies, tactics and operations available.
Email us at [[email protected]](mailto:[email protected]) for more information.
BlindSpot Solution Brief
June 29, 2018
POC: Shawn R. Key CEO, President
[[email protected]](mailto:[email protected])
Executive Summary and Estimated Pricing
CYBR’s BlindSpot is an enterprise cyber security solution that pro-actively identifies unknown and known malicious files and circumventive activity on endpoint devices. It is designed to interact with the CYBR Ecosystem and associated Web Portal. Distributed clients serve as the connection to the various BlindSpot server tiers.
BlindSpot identifies Illicit File Activity (IFA) and associated hacker activity via perceptive, industry standard algorithms. BlindSpot identifies exact AND similar files regardless of file type and/or language. This applies to ALL file types (e.g. documents, images, audio and video, carrier, etc.). Currently implemented safeguards and counter measures (such as anti-virus (AV), content filters and malware analysis tools) cannot address polymorphic/adaptive files and emerging threats. This introduces a massive gap in illicit file detection and leaves the enterprise open to exploitation. BlindSpot fills that void.
Additionally, corporations and government entities have a need to address known files and associated activity with regards to content and data management. The uncertainty of Intellectual Property (IP) location and propagation poses significant risk to the organization. The ability to identify the life cycle of a file (origin, source, destination, attributes and proliferation) ensures an organization knows where its proprietary, sensitive and privacy information is 365/24/7, in near real-time.
BlindSpot, is significantly different from solutions in the emerging Specialized Threat Assessment and Protection (STAP) marketplace, as it scales to meet the needs of enterprise organizations and the commercial marketplace. BlindSpot’s proprietary database consists of millions of unique, digital identifiers (hash values) that identify exact AND similar, modified files. This ensures that files existing in their original state or those which have been intentionally modified, do not circumvent detection. Our algorithms ensure near zero false positive return rates. The combinatory effect and the rare expertise of our executives and development thwarts potential competition as BlindSpot is an enterprise solution; not a tool.
The enterprise solution is provide as a license per IP address with associated appliance and/or server hardware requirements.
CYBR BlindSpot Technical Deep Dive
CYBR’s BlindSpot product is currently available as a Software as a Service) (SaaS) deployment blockchain solution and will be available as a full enterprise-install by Q2 2019. In both implementations, end-point agent software monitors the hard drive(s) of a computer or server, analyses any files that change, and reports [multiple] file hashes back to the main system. This enables the main system to effectively monitor which files could be malicious or represent intellectual property on the computers and servers within the customer’s network. By using fuzzy hashing algorithms, the system can detect polymorphic malware and intellectual property that has been partially hidden or obfuscated.
Applications
End-point (client) agent: native to each major OS as a fat client. Currently we have end-point agents for Microsoft Windows-based systems using MS .NET c# 2.0/4.5 and C++, although the c# portion will be replaced with all c++ code to increase scalability, efficiency, and security, in Q1 2016. End-point agents for Mac OS (written in Objective-C) and popular Linux platforms (written in c++) will ship in Q1/Q2 2016. Development work on the CentOS linux agent will begin in December 2015.
The Control Application enables system administrators to configure each end-point agent, the system itself, and to actively monitor and access reports on files that have been identified by the system as problematic or of interest. At this time the Control Application is able to provide configuration and monitoring services but is not yet ready for customer on-site deployment and is therefore only available in a SaaS model.
The middle-tier of the system, the Portal sever, currently runs in MS .NET and is written in c#. This tier will be upgraded to a full c++ implementation to increase scalability, efficiency, and security, in Q1 2016, and will run as a standard web server extension on a Linux platform (CentOS/Apache).
The data-tier of the system currently is running in MS SQL Server 2008/2012 and uses transact-SQL tables, but does not use any stored procedures or transactions. Although this tier is sufficient for scalability through mid to late 2016, a no-SQL version of the data tier will be developed in 2016.
The Crush server (hashing services) currently runs on MS Server 2008/2012, is written in c#/c++ and is a) being ported to run as a (c++) daemon on a standard Linux (CentOS) server, and b) being re-engineered to function as a massively parallel application (c/c++) running on NVIDIA Tesla GPU accelerated systems. The Crush server communicates with the data-tier directly and the C2 server indirectly. Multiple Crush servers can run simultaneously and are horizontally scalable and fault-tolerant.
The C2 (Command and Control) server, written in c# and being moved to c++, communicates with the data-tier directly and the Crush server and Control Application indirectly to provide scheduling, system health and integrity, and prioritization services, as well redirecting jobs to maintain fault tolerance of the back-end server components. Multiple C2 servers can run simultaneously and are horizontally scalable.
Hardware and Network:
The basic architecture of the system has two different stacks of software. First, a typical 3-tier approach isolates data storage from end-point and Control Application access with a middle-man protocol altering Portal server. In the SaaS model, the end-point and Control Application software reside on-site with the customer, and the remaining stack components reside at the SaaS hosting datacenter. The second stack consists of multiple horizontally-scalable server components that run entirely in the backend as daemons and interact primarily through the data area to provide the services that are being marketed and sold to the customers. The two stacks are kept somewhat separate from each other in order to buffer one against the other in times of extreme load and for enhanced security.
Following is a description of each software module in the system and how it relates to the others:
The system has one component for data collection (the end-point agent software, which resides on the desktop computers and servers within a deployed customer site), one component for system administration (the Control Application, which resides on a desktop computer that the customer has access to or that an analyst can access through the SaaS system), and a collection of software processes/daemons and a data storage area that comprise the back-end.
The end-point agent collects data from the end-point computer, passes it to the Portal server, which in turn stores it in the data area.
The C2 server monitors the in-flow of data from the end-points, and tasks the Crush server(s) to analyze the data and compare it to databases of known good, known bad, and watch list files, in an efficient manner.
The C2 server also provides notification to the customer of any problematic or watch-list files following the completion of the Crush server tasks.
The Crush server monitors the data area, and performs batch or real-time processing of data as instructed to by the C2 server.
Technology
CYBR’s BlindSpot software is a commercially available product that combines a small footprint end-point agent with a centralized monitoring and management system to track files and file changes on the end-point using partial-match digital fingerprints rather than rigid full-match-only file signatures. As files and data buffers are created, edited/altered, and moved either through the network or via removable media devices including USB drives, the product uses its unique and proprietary technologies in combination with industry standard technologies to identify and locate both known malware and unknown [polymorphic] malware on end-points that are continuously monitored by the product. Staff is notified, depending on the urgency or type of digital fingerprint identified, through integrations with 3rd party SIEM solutions, email/SMS transmissions, and reports that are available using the central management system. A false positive rate of partial digital fingerprint matching of ~1 in 10-12 means staff will not be bombarded with unnecessary alerts, maintaining staff efficiency.
Overview: Traditional anti-malware products use static file signatures to locate known malware but have no means of detecting unknown malware, CYBR’s product uses digital file fingerprints that can identify both partial file matches as well as full file signature matches and in doing so can locate and identify both known and unknown malware within the deployed enterprise. A combination of industry standard and publicly available algorithms and CYBR’s own proprietary algorithms, trade secrets, methods, optimizations, and intellectual property for which a patent is currently pending (which is owned solely by CYBR) are combined to form a comprehensive anti-malware platform and continuous end-point monitoring product that is completely unique in the marketplace. Through the use of our proprietary algorithms and optimizations, the product has the ability to scale to the enterprise level and can track desktops/servers as well as mobile/phone/tablet/Internet of Things (IoTs) devices.
Project Implementation: The implementation of this product would include both the commercially available BlindSpot product as well as prototypes of integration packages to connect with the on-site Security Information and Event Management (SIEM) and other systems and prototypes of end-point agents running on operating systems that are not yet available in the currently available version of the product. Both the integration and end-point agent prototypes would be based on existing modular code/functionality and would extend functionality past the currently available modules to ensure the full needs and requirements of the project are met. A full version of BlindSpot would be deployed on servers at/on the enterprise site, and prototypes of both SIEM integrations and new end-point agents would be deployed to augment the full production system. Information flow between all areas of the full system and prototypes would be tested and verified with increasing scale to ensure the level of performance required is available prior to the completion of the project.
End-point Agents: Each end-point is installed with native low-profile proprietary agent software that minimizes both its file system footprint and CPU use. The current product has a native end-point available for Microsoft Windows OSs (both desktops/tablets and servers) in production, and has native end-point agents in development/prototype stage for iOS, Android, MacOS, and RHEL/CentOS, with additional popular Linux derivatives to follow. The main job of the end-point agent is to communicate with the OS and monitor the file system for any changes in files that occur. When changes are detected, a digital file fingerprint of the file is taken and reported to the centralized data store, or cached until a later time if the centralized data store is unreachable (e,g, no cell coverage, laptop not connected to internet). The agent normally runs in “stealth-mode” and uses minimal CPU, RAM, and file system footprint so as not to disrupt the end-user’s workflow or impact system performance. Taking a digital fingerprint of a file and reporting it is very fast and thus the main job of the end-point agent is not system resource intensive. The “heavy lifting” is done on the back-end and does not burden the users or the end-point devices. Configuration of each end-point agent is conducted through the centralized management system, and changes in configuration are transmitted to the end-point agent within a few seconds (provided there is network connectivity).
Central Data Store: A collection of databases on the back end store file watch lists, known good and known bad digital file fingerprints (whitelists and blacklists containing digital file fingerprints of known malware), priority lists and configurations, end-point configurations, last-seen lists, and the full temporal accounting of all digital file fingerprints reported by end-point agents. As new threats are identified they are added to the central data store. As files on end-points change or are edited, their new digital fingerprints are added to the central data store as well. As new threats are identified though polymorphic partial matching, they are added to the known bad list as well.
Identification of Known and Unknown Malware: By comparing the databases of digital file fingerprints of known malware and digital file fingerprints of files on end-points, the product’s Crush server(s) use sophisticated algorithms to compare the partial digital file fingerprints, regardless of content of the files themselves. The product looks at the raw data (bytes) in the files when creating the digital file fingerprints and as such all file types/formats/languages are handled. This means that all file types and data in any and all languages can be compared with similar files. Binary DLLs, MS Word documents and spreadsheets (MS Excel, csv, …), JPEG images, Javascript, HTML, Executable files (.exe) — all of these files are handled by the product and known/unknown malware within them can be located using the digital file fingerprints in the centralized data store and Crush server’s analysis.
Scale, System Throughput, and Priority: A single Crush server can serve a small enterprise (100s or 1,000s of end-points), and a horizontally scalable array of Crush servers can be used to provide identification of malware for large enterprises. Similarly, databases in the central data store can be split and maintained/mirrored on several servers or run in a monolithic configuration. This makes the system highly scalable and able to be adapted to enterprises of varying sizes/scales while maintaining a good price/performance ratio. Priority lists can be designated for Crush servers such that high-priority end-points and/or high-priority malware fingerprints can be compared and identified in real-time, and similarly, low-priority lists (e.g. malware fingerprints that have not been seen in months or years) can be run in the evenings or when the system is running below normal load to ensure both immediate analysis of high-priority threats and comprehensive analysis of low-priority threats.
Integration: Several modular integration points within the product enable the straight-forward integration with 3rd party SIEM software and other reporting/management tools and systems. Distinct “notification channels” within the product are used based on the type of threat detected, the priority level of the specific threat detected, the confidence of the match (low percentage match of digital fingerprint vs high), and the location of the match (specific end-point list). Each notification channel has integration points that can be linked in with 3rd party systems so that staff are notified using software and procedures they are already familiar with and trained on (i.e., through a SIEM solution that is already begin monitored by dedicated, trained staff). Prototypes of each specific integration would need to be developed as a part of this project to match/communicate with the exact SIEM (or other) system that is in use at the deployment site in the mannemethod desired. Such a prototype would be developed for the purpose of evaluating the technical interconnectivity between systems to meet the requirements of the deployment, and following the prototype testing period, would be load-tested and stress-tested to ensure it’s performance meets the demands of a highly scalable environment, leading to a mature integration over a period of 3-6 months following the initial prototype period of 1-3 months.
Technology Section Summary: With end-points being continuously monitored by the product, both known and unknown malware threats delivered by the network and removable media will be detected and reported through SIEM system integration and direct email/SMS messages with minimal impact to the end-point (on all major OSs, including desktop and mobile). Centralized management and temporal monitoring of digital fingerprints enables the system to proactively locate and identify malware threats before zero day as well as enabling the staff to conduct their own investigations of systems either in the present or the past for forensic investigations. This makes CYBR’s BlindSpot a complete product that reaches all of the end-point devices to ensure safety and security from all types of malware threats.
Defense Utility
The blockchain’s cyber security posture will be greatly enhanced by BlindSpot. CYBR’s executive team works with various military and federal organizations and has a deep understanding of the cyber security challenges that face the enterprise today including advanced persistent threat (APT), polymorphic and pleomorphic malware, zero day attacks and the need to locate white and black files in real time. These threats have now permeated to the blockchain and must be secured.
Company and Customers
The proposed team includes CYBR, Inc. executive management and staff. The company is a works closely with its sister company, 21st Century Technologies, Inc. (21CT), which is a HUBZone certified, Small Business entity. 21CT serves as a value added reseller (VAR) for CYBR, Inc. and is currently a teammate on the DOMino classified DHS contract as a subcontractor to Raytheon.
Existing, paying customers include Stratford University, Test Pros and Devitas. The company also has integrator and VAR partner relationships with Anomali (formerly Threatstream), Lockheed Martin (Cyber and Space) and various commercial entities, which the company believes will become paying customers in 2019.
Transition and Commercialization
Our technology is a commercially available product and commercial sales have been made. The company is actively working to scale this solution to hundreds of thousands of users, which the company has deemed do-able and is in the process of horizontally scaling.
Data Rights Assertions
CYBR, Inc. currently holds a provisional patent and incorporates other trade secrets into the solution. No unreasonable restrictions (including ITAR) are placed upon the use of this intellectual property with regards to global sales.
submitted by CYBRToken to u/CYBRToken [link] [comments]

Vault 7 release info from actual files

sorry for the mess. copy paste....
Press Release Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency. The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virgina. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election. Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive. "Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, include Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones. Since 2001 the CIA has gained political and budgetary preeminence over the U.S. National Security Agency (NSA). The CIA found itself building not just its now infamous drone fleet, but a very different type of covert, globe-spanning force — its own substantial fleet of hackers. The agency's hacking division freed it from having to disclose its often controversial operations to the NSA (its primary bureaucratic rival) in order to draw on the NSA's hacking capacities. By the end of 2016, the CIA's hacking division, which formally falls under the agency's Center for Cyber Intelligence (CCI), had over 5000 registered users and had produced more than a thousand hacking systems, trojans, viruses, and other "weaponized" malware. Such is the scale of the CIA's undertaking that by 2016, its hackers had utilized more code than that used to run Facebook. The CIA had created, in effect, its "own NSA" with even less accountability and without publicly answering the question as to whether such a massive budgetary spend on duplicating the capacities of a rival agency could be justified. In a statement to WikiLeaks the source details policy questions that they say urgently need to be debated in public, including whether the CIA's hacking capabilities exceed its mandated powers and the problem of public oversight of the agency. The source wishes to initiate a public debate about the security, creation, use, proliferation and democratic control of cyberweapons. Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by rival states, cyber mafia and teenage hackers alike. Julian Assange, WikiLeaks editor stated that "There is an extreme proliferation risk in the development of cyber 'weapons'. Comparisons can be drawn between the uncontrolled proliferation of such 'weapons', which results from the inability to contain them combined with their high market value, and the global arms trade. But the significance of "Year Zero" goes well beyond the choice between cyberwar and cyberpeace. The disclosure is also exceptional from a political, legal and forensic perspective." Wikileaks has carefully reviewed the "Year Zero" disclosure and published substantive CIA documentation while avoiding the distribution of 'armed' cyberweapons until a consensus emerges on the technical and political nature of the CIA's program and how such 'weapons' should analyzed, disarmed and published. Wikileaks has also decided to redact and anonymise some identifying information in "Year Zero" for in depth analysis. These redactions include ten of thousands of CIA targets and attack machines throughout Latin America, Europe and the United States. While we are aware of the imperfect results of any approach chosen, we remain committed to our publishing model and note that the quantity of published pages in "Vault 7" part one (“Year Zero”) already eclipses the total number of pages published over the first three years of the Edward Snowden NSA leaks. Analysis CIA malware targets iPhone, Android, smart TVs CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within CCI (Center for Cyber Intelligence), a department belonging to the CIA's DDI (Directorate for Digital Innovation). The DDI is one of the five major directorates of the CIA (see this organizational chart of the CIA for more details). The EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA in its covert operations world-wide. The increasing sophistication of surveillance techniques has drawn comparisons with George Orwell's 1984, but "Weeping Angel", developed by the CIA's Embedded Devices Branch (EDB), which infests smart TVs, transforming them into covert microphones, is surely its most emblematic realization. The attack against Samsung smart TVs was developed in cooperation with the United Kingdom's MI5/BTSS. After infestation, Weeping Angel places the target TV in a 'Fake-Off' mode, so that the owner falsely believes the TV is off when it is on. In 'Fake-Off' mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server. As of October 2014 the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks. The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations. The CIA's Mobile Devices Branch (MDB) developed numerous attacks to remotely hack and control popular smart phones. Infected phones can be instructed to send the CIA the user's geolocation, audio and text communications as well as covertly activate the phone's camera and microphone. Despite iPhone's minority share (14.5%) of the global smart phone market in 2016, a specialized unit in the CIA's Mobile Development Branch produces malware to infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads. CIA's arsenal includes numerous local and remote "zero days" developed by CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop. The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites. A similar unit targets Google's Android which is used to run the majority of the world's smart phones (~85%) including Samsung, HTC and Sony. 1.15 billion Android powered phones were sold last year. "Year Zero" shows that as of 2016 the CIA had 24 "weaponized" Android "zero days" which it has developed itself and obtained from GCHQ, NSA and cyber arms contractors. These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the "smart" phones that they run on and collecting audio and message traffic before encryption is applied. CIA malware targets Windows, OSx, Linux, routers The CIA also runs a very substantial effort to infect and control Microsoft Windows users with its malware. This includes multiple local and remote weaponized "zero days", air gap jumping viruses such as "Hammer Drill" which infects software distributed on CD/DVDs, infectors for removable media such as USBs, systems to hide data in images or in covert disk areas ( "Brutal Kangaroo") and to keep its malware infestations going. Many of these infection efforts are pulled together by the CIA's Automated Implant Branch (AIB), which has developed several attack systems for automated infestation and control of CIA malware, such as "Assassin" and "Medusa". Attacks against Internet infrastructure and webservers are developed by the CIA's Network Devices Branch (NDB). The CIA has developed automated multi-platform malware attack and control systems covering Windows, Mac OS X, Solaris, Linux and more, such as EDB's "HIVE" and the related "Cutthroat" and "Swindle" tools, which are described in the examples section below. CIA 'hoarded' vulnerabilities ("zero days") In the wake of Edward Snowden's leaks about the NSA, the U.S. technology industry secured a commitment from the Obama administration that the executive would disclose on an ongoing basis — rather than hoard — serious vulnerabilities, exploits, bugs or "zero days" to Apple, Google, Microsoft, and other US-based manufacturers. Serious vulnerabilities not disclosed to the manufacturers places huge swathes of the population and critical infrastructure at risk to foreign intelligence or cyber criminals who independently discover or hear rumors of the vulnerability. If the CIA can discover such vulnerabilities so can others. The U.S. government's commitment to the Vulnerabilities Equities Process came after significant lobbying by US technology companies, who risk losing their share of the global market over real and perceived hidden vulnerabilities. The government stated that it would disclose all pervasive vulnerabilities discovered after 2010 on an ongoing basis. "Year Zero" documents show that the CIA breached the Obama administration's commitments. Many of the vulnerabilities used in the CIA's cyber arsenal are pervasive and some may already have been found by rival intelligence agencies or cyber criminals. As an example, specific CIA malware revealed in "Year Zero" is able to penetrate, infest and control both the Android phone and iPhone software that runs or has run presidential Twitter accounts. The CIA attacks this software by using undisclosed security vulnerabilities ("zero days") possessed by the CIA but if the CIA can hack these phones then so can everyone else who has obtained or discovered the vulnerability. As long as the CIA keeps these vulnerabilities concealed from Apple and Google (who make the phones) they will not be fixed, and the phones will remain hackable. The same vulnerabilities exist for the population at large, including the U.S. Cabinet, Congress, top CEOs, system administrators, security officers and engineers. By hiding these security flaws from manufacturers like Apple and Google the CIA ensures that it can hack everyone &mdsh; at the expense of leaving everyone hackable. 'Cyberwar' programs are a serious proliferation risk Cyber 'weapons' are not possible to keep under effective control. While nuclear proliferation has been restrained by the enormous costs and visible infrastructure involved in assembling enough fissile material to produce a critical nuclear mass, cyber 'weapons', once developed, are very hard to retain. Cyber 'weapons' are in fact just computer programs which can be pirated like any other. Since they are entirely comprised of information they can be copied quickly with no marginal cost. Securing such 'weapons' is particularly difficult since the same people who develop and use them have the skills to exfiltrate copies without leaving traces — sometimes by using the very same 'weapons' against the organizations that contain them. There are substantial price incentives for government hackers and consultants to obtain copies since there is a global "vulnerability market" that will pay hundreds of thousands to millions of dollars for copies of such 'weapons'. Similarly, contractors and companies who obtain such 'weapons' sometimes use them for their own purposes, obtaining advantage over their competitors in selling 'hacking' services. Over the last three years the United States intelligence sector, which consists of government agencies such as the CIA and NSA and their contractors, such as Booze Allan Hamilton, has been subject to unprecedented series of data exfiltrations by its own workers. A number of intelligence community members not yet publicly named have been arrested or subject to federal criminal investigations in separate incidents. Most visibly, on February 8, 2017 a U.S. federal grand jury indicted Harold T. Martin III with 20 counts of mishandling classified information. The Department of Justice alleged that it seized some 50,000 gigabytes of information from Harold T. Martin III that he had obtained from classified programs at NSA and CIA, including the source code for numerous hacking tools. Once a single cyber 'weapon' is 'loose' it can spread around the world in seconds, to be used by peer states, cyber mafia and teenage hackers alike. U.S. Consulate in Frankfurt is a covert CIA hacker base In addition to its operations in Langley, Virginia the CIA also uses the U.S. consulate in Frankfurt as a covert base for its hackers covering Europe, the Middle East and Africa. CIA hackers operating out of the Frankfurt consulate ( "Center for Cyber Intelligence Europe" or CCIE) are given diplomatic ("black") passports and State Department cover. The instructions for incoming CIA hackers make Germany's counter-intelligence efforts appear inconsequential: "Breeze through German Customs because you have your cover-for-action story down pat, and all they did was stamp your passport"
Your Cover Story (for this trip) Q: Why are you here? A: Supporting technical consultations at the Consulate. Two earlier WikiLeaks publications give further detail on CIA approaches to customs and secondary screening procedures. Once in Frankfurt CIA hackers can travel without further border checks to the 25 European countries that are part of the Shengen open border area — including France, Italy and Switzerland. A number of the CIA's electronic attack methods are designed for physical proximity. These attack methods are able to penetrate high security networks that are disconnected from the internet, such as police record database. In these cases, a CIA officer, agent or allied intelligence officer acting under instructions, physically infiltrates the targeted workplace. The attacker is provided with a USB containing malware developed for the CIA for this purpose, which is inserted into the targeted computer. The attacker then infects and exfiltrates data to removable media. For example, the CIA attack system Fine Dining, provides 24 decoy applications for CIA spies to use. To witnesses, the spy appears to be running a program showing videos (e.g VLC), presenting slides (Prezi), playing a computer game (Breakout2, 2048) or even running a fake virus scanner (Kaspersky, McAfee, Sophos). But while the decoy application is on the screen, the underlaying system is automatically infected and ransacked. How the CIA dramatically increased proliferation risks In what is surely one of the most astounding intelligence own goals in living memory, the CIA structured its classification regime such that for the most market valuable part of "Vault 7" — the CIA's weaponized malware (implants + zero days), Listening Posts (LP), and Command and Control (C2) systems — the agency has little legal recourse. The CIA made these systems unclassified. Why the CIA chose to make its cyberarsenal unclassified reveals how concepts developed for military use do not easily crossover to the 'battlefield' of cyber 'war'. To attack its targets, the CIA usually requires that its implants communicate with their control programs over the internet. If CIA implants, Command & Control and Listening Post software were classified, then CIA officers could be prosecuted or dismissed for violating rules that prohibit placing classified information onto the Internet. Consequently the CIA has secretly made most of its cyber spying/war code unclassified. The U.S. government is not able to assert copyright either, due to restrictions in the U.S. Constitution. This means that cyber 'arms' manufactures and computer hackers can freely "pirate" these 'weapons' if they are obtained. The CIA has primarily had to rely on obfuscation to protect its malware secrets. Conventional weapons such as missiles may be fired at the enemy (i.e into an unsecured area). Proximity to or impact with the target detonates the ordnance including its classified parts. Hence military personnel do not violate classification rules by firing ordnance with classified parts. Ordnance will likely explode. If it does not, that is not the operator's intent. Over the last decade U.S. hacking operations have been increasingly dressed up in military jargon to tap into Department of Defense funding streams. For instance, attempted "malware injections" (commercial jargon) or "implant drops" (NSA jargon) are being called "fires" as if a weapon was being fired. However the analogy is questionable. Unlike bullets, bombs or missiles, most CIA malware is designed to live for days or even years after it has reached its 'target'. CIA malware does not "explode on impact" but rather permanently infests its target. In order to infect target's device, copies of the malware must be placed on the target's devices, giving physical possession of the malware to the target. To exfiltrate data back to the CIA or to await further instructions the malware must communicate with CIA Command & Control (C2) systems placed on internet connected servers. But such servers are typically not approved to hold classified information, so CIA command and control systems are also made unclassified. A successful 'attack' on a target's computer system is more like a series of complex stock maneuvers in a hostile take-over bid or the careful planting of rumors in order to gain control over an organization's leadership rather than the firing of a weapons system. If there is a military analogy to be made, the infestation of a target is perhaps akin to the execution of a whole series of military maneuvers against the target's territory including observation, infiltration, occupation and exploitation. Evading forensics and anti-virus A series of standards lay out CIA malware infestation patterns which are likely to assist forensic crime scene investigators as well as Apple, Microsoft, Google, Samsung, Nokia, Blackberry, Siemens and anti-virus companies attribute and defend against attacks. "Tradecraft DO's and DON'Ts" contains CIA rules on how its malware should be written to avoid fingerprints implicating the "CIA, US government, or its witting partner companies" in "forensic review". Similar secret standards cover the use of encryption to hide CIA hacker and malware communication (pdf), describing targets & exfiltrated data (pdf) as well as executing payloads (pdf) and persisting (pdf) in the target's machines over time.
CIA hackers developed successful attacks against most well known anti-virus programs. These are documented in AV defeats, Personal Security Products, Detecting and defeating PSPs and PSP/DebuggeRE Avoidance. For example, Comodo was defeated by CIA malware placing itself in the Window's "Recycle Bin". While Comodo 6.x has a "Gaping Hole of DOOM". CIA hackers discussed what the NSA's "Equation Group" hackers did wrong and how the CIA's malware makers could avoid similar exposure. Examples The CIA's Engineering Development Group (EDG) management system contains around 500 different projects (only some of which are documented by "Year Zero") each with their own sub-projects, malware and hacker tools. The majority of these projects relate to tools that are used for penetration, infestation ("implanting"), control, and exfiltration. Another branch of development focuses on the development and operation of Listening Posts (LP) and Command and Control (C2) systems used to communicate with and control CIA implants; special projects are used to target specific hardware from routers to smart TVs. Some example projects are described below, but see the table of contents for the full list of projects described by WikiLeaks' "Year Zero". UMBRAGE The CIA's hand crafted hacking techniques pose a problem for the agency. Each technique it has created forms a "fingerprint" that can be used by forensic investigators to attribute multiple different attacks to the same entity. This is analogous to finding the same distinctive knife wound on multiple separate murder victims. The unique wounding style creates suspicion that a single murderer is responsible. As soon one murder in the set is solved then the other murders also find likely attribution. The CIA's Remote Devices Branch's UMBRAGE group collects and maintains a substantial library of attack techniques 'stolen' from malware produced in other states including the Russian Federation. With UMBRAGE and related projects the CIA cannot only increase its total number of attack types but also misdirect attribution by leaving behind the "fingerprints" of the groups that the attack techniques were stolen from. UMBRAGE components cover keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques. Fine Dining Fine Dining comes with a standardized questionnaire i.e menu that CIA case officers fill out. The questionnaire is used by the agency's OSB (Operational Support Branch) to transform the requests of case officers into technical requirements for hacking attacks (typically "exfiltrating" information from computer systems) for specific operations. The questionnaire allows the OSB to identify how to adapt existing tools for the operation, and communicate this to CIA malware configuration staff. The OSB functions as the interface between CIA operational staff and the relevant technical support staff. Among the list of possible targets of the collection are 'Asset', 'Liason Asset', 'System Administrator', 'Foreign Information Operations', 'Foreign Intelligence Agencies' and 'Foreign Government Entities'. Notably absent is any reference to extremists or transnational criminals. The 'Case Officer' is also asked to specify the environment of the target like the type of computer, operating system used, Internet connectivity and installed anti-virus utilities (PSPs) as well as a list of file types to be exfiltrated like Office documents, audio, video, images or custom file types. The 'menu' also asks for information if recurring access to the target is possible and how long unobserved access to the computer can be maintained. This information is used by the CIA's 'JQJIMPROVISE' software (see below) to configure a set of CIA malware suited to the specific needs of an operation. Improvise (JQJIMPROVISE) 'Improvise' is a toolset for configuration, post-processing, payload setup and execution vector selection for survey/exfiltration tools supporting all major operating systems like Windows (Bartender), MacOS (JukeBox) and Linux (DanceFloor). Its configuration utilities like Margarita allows the NOC (Network Operation Center) to customize tools based on requirements from 'Fine Dining' questionairies. HIVE HIVE is a multi-platform CIA malware suite and its associated control software. The project provides customizable implants for Windows, Solaris, MikroTik (used in internet routers) and Linux platforms and a Listening Post (LP)/Command and Control (C2) infrastructure to communicate with these implants. The implants are configured to communicate via HTTPS with the webserver of a cover domain; each operation utilizing these implants has a separate cover domain and the infrastructure can handle any number of cover domains. Each cover domain resolves to an IP address that is located at a commercial VPS (Virtual Private Server) provider. The public-facing server forwards all incoming traffic via a VPN to a 'Blot' server that handles actual connection requests from clients. It is setup for optional SSL client authentication: if a client sends a valid client certificate (only implants can do that), the connection is forwarded to the 'Honeycomb' toolserver that communicates with the implant; if a valid certificate is missing (which is the case if someone tries to open the cover domain website by accident), the traffic is forwarded to a cover server that delivers an unsuspicious looking website. The Honeycomb toolserver receives exfiltrated information from the implant; an operator can also task the implant to execute jobs on the target computer, so the toolserver acts as a C2 (command and control) server for the implant. Similar functionality (though limited to Windows) is provided by the RickBobby project. See the classified user and developer guides for HIVE.
Frequently Asked Questions Why now? WikiLeaks published as soon as its verification and analysis were ready. In Febuary the Trump administration has issued an Executive Order calling for a "Cyberwar" review to be prepared within 30 days. While the review increases the timeliness and relevance of the publication it did not play a role in setting the publication date. Redactions Names, email addresses and external IP addresses have been redacted in the released pages (70,875 redactions in total) until further analysis is complete. Over-redaction: Some items may have been redacted that are not employees, contractors, targets or otherwise related to the agency, but are, for example, authors of documentation for otherwise public projects that are used by the agency. Identity vs. person: the redacted names are replaced by user IDs (numbers) to allow readers to assign multiple pages to a single author. Given the redaction process used a single person may be represented by more than one assigned identifier but no identifier refers to more than one real person. Archive attachments (zip, tar.gz, ...) are replaced with a PDF listing all the file names in the archive. As the archive content is assessed it may be made available; until then the archive is redacted. Attachments with other binary content are replaced by a hex dump of the content to prevent accidental invocation of binaries that may have been infected with weaponized CIA malware. As the content is assessed it may be made available; until then the content is redacted. The tens of thousands of routable IP addresses references (including more than 22 thousand within the United States) that correspond to possible targets, CIA covert listening post servers, intermediary and test systems, are redacted for further exclusive investigation. Binary files of non-public origin are only available as dumps to prevent accidental invocation of CIA malware infected binaries. Organizational Chart The organizational chart corresponds to the material published by WikiLeaks so far. Since the organizational structure of the CIA below the level of Directorates is not public, the placement of the EDG and its branches within the org chart of the agency is reconstructed from information contained in the documents released so far. It is intended to be used as a rough outline of the internal organization; please be aware that the reconstructed org chart is incomplete and that internal reorganizations occur frequently. Wiki pages "Year Zero" contains 7818 web pages with 943 attachments from the internal development groupware. The software used for this purpose is called Confluence, a proprietary software from Atlassian. Webpages in this system (like in Wikipedia) have a version history that can provide interesting insights on how a document evolved over time; the 7818 documents include these page histories for 1136 latest versions. The order of named pages within each level is determined by date (oldest first). Page content is not present if it was originally dynamically created by the Confluence software (as indicated on the re-constructed page). What time period is covered? The years 2013 to 2016. The sort order of the pages within each level is determined by date (oldest first). WikiLeaks has obtained the CIA's creation/last modification date for each page but these do not yet appear for technical reasons. Usually the date can be discerned or approximated from the content and the page order. If it is critical to know the exact time/date contact WikiLeaks. What is "Vault 7" "Vault 7" is a substantial collection of material about CIA activities obtained by WikiLeaks. When was each part of "Vault 7" obtained? Part one was obtained recently and covers through 2016. Details on the other parts will be available at the time of publication. Is each part of "Vault 7" from a different source? Details on the other parts will be available at the time of publication. What is the total size of "Vault 7"? The series is the largest intelligence publication in history. How did WikiLeaks obtain each part of "Vault 7"? Sources trust WikiLeaks to not reveal information that might help identify them. Isn't WikiLeaks worried that the CIA will act against its staff to stop the series? No. That would be certainly counter-productive. Has WikiLeaks already 'mined' all the best stories? No. WikiLeaks has intentionally not written up hundreds of impactful stories to encourage others to find them and so create expertise in the area for subsequent parts in the series. They're there. Look. Those who demonstrate journalistic excellence may be considered for early access to future parts. Won't other journalists find all the best stories before me? Unlikely. There are very considerably more stories than there are journalists or academics who are in a position to write them.
submitted by JonBendini to conspiracy [link] [comments]

Price Action Binary Options Signals That Work - YouTube NEW 100% WIN BINARY OPTION FREE TRADING SIGNALS - YouTube BINARY OPTION TELEGRAM SIGNAL 2020  BINARY MONSTER ... BOSIGNAL.COM - Professional Binary Options Signals Service Binary Options Trading Signals Demo - BOTS Live Trading ... BINARY MONSTER TODAY SILVER VIP AND GOLD VIP RESULT ... Free Binary Options Signals - YouTube IQ Option Robot Signal CROSS PRO - Beginer Winning ... Binary Options signals that work, using IQ Option - YouTube BINARY OPTIONS TRADING STRATEGY - You Can Win Without Any ...

Binary Today is a cutting edge binary options review site with the main goal of providing helpful tools and information on brokers, signals, strategies and more. We hope to develop a large community of successful traders and condemn the vendors that aren't responsible for their actions or respectful to their customers. Binary Options Signals Membership is $65/month or FREE if you join and fund Stockpair through my link. Pages. Home; How it works; Get Free Signals; Terms & Recommendations; Validation Form; Saturday, 7 December 2013. Break for Holiday Season. No more signals during the holiday season. Signals will continue on Monday 13 Jan 2014. I hope you all have a good festive season and spend the time with ... Monthly Archives: July 2013 Binary Options Trading Signals Franco – Is It Really Good ? Posted on July 11, 2013 by jacob0711. Make the effort to discover the necessary aspects of binary options trading. If you would such as attain excellence at exactly what you do and be competitive with a few of the specialists inside the industry, you should have a certain understanding of every little ... http://tinyurl.com/o4d67o8The Binary Options Trading Signals 2013. The,Binary,Options,Trading,Signals,2013 Binary Options Signals Membership is $65/month or FREE if you join and fund Stockpair through my link. Pages. Home; How it works; Get Free Signals; Terms & Recommendations; Validation Form; Friday, 29 November 2013. Signal 29 Nov 2013. Here is the signal for 29 Nov 2013. To receive live signals follow the link on the right-hand side and complete the 3 steps. Currency Pair: EURUSD Trade Type ... Binary options signals are a very useful tool when used correctly. They allow you to become a successful trader from day one without having to spend hours every day analyzing market movements. They allow you to start trading tomorrow with the same opportunities to make money as anyone else. All you need to be able to use these signals is a brokerage account with a binary options broker that ... "I have been following your signals and I think that you are the most reliable and honest person who I met during my journey in binary options signals so far. I have learned from you very useful things which I use in my trading. I'm really happy that you're a dream come true and I'm (HAPPY) that I had the privilege to join you. You have my full support in your efforts and I believe that we ...

[index] [12170] [27038] [6041] [3228] [3596] [28367] [12892] [6910] [14870] [8867]

Price Action Binary Options Signals That Work - YouTube

Do not miss! DEMO ACCOUNT: https://bit.ly/2Lq3NUt You can use this strategy in binary options to win every time but you have to keep following things in mind... Binary Options Trading Signals Demo - BOTS Live Trading Room It's Time To Try And Improve Together With The BOTS Community Strategy Development Room For Fore... One minute strategy to trade price action trading signals. Watch how I use simple trading rules to increase win rate. Get 10x Trading System: https://trading... Bot Cross Bot Download: https://bit.ly/crossbot-iqoption Store Binary Bot : https://robotbinarysignals.ecwid.com/ Free Signals : https://bit.ly/signalbinaryo... Published on May 17, 2013. BOSIGNAL is the world largest binary options signals provider platform. Over 20000+ traders share their binary options trade in real-time at BOSIGNAL.COM. You can follow ... Our preferred trading platform can be found here:https://bit.ly/3fyX4VMWe provide Free daily signals (with Before and After results)You can follow us:Facebook: ... WELCOME TO BINARY MONSTER ***** In this channel we are give price action learning videos and best binary option signal service ... http://binarysignalsapp.com With Binary Signals App, Trading Binary Options has never been Easier! Download Binary Signals to enjoy: 1. Highest winning perce... WELCOME TO BINARY MONSTER ***** In this channel we are give price action learning videos and best binary option signal service ... BINARY OPTIONS TRADING STRATEGY - You Can Win Without Any Help! Binary Options Signals ★ TRY STRATEGY ON DEMO http://iqopts.com/demo ★ WORK ON REAL MONEY ...

https://arab-binary-option.cuhabarhurscons.cf