Comments: 881 • Responses: 103 • Date: 2013-12-25 03:54:20 UTCsource
zolman129 karma2013-12-25 08:59:09 UTC
How's the Intersect Project going?
View HistoryShare Link
navaseminternetu127 karma2013-12-25 09:12:50 UTC
Daniel Shaw stole it last I heard.
PseudoPsychosis75 karma2013-12-25 04:15:40 UTC
What's the most fucked up thing you've found on an "victims" computer/ server?
navaseminternetu187 karma2013-12-25 04:20:14 UTC
I've seen death footage, child pornography, bestiality, pretty much everything you'd find online. I think the footage that always bothered me was footage where you saw victims looking in the camera. This goes for anything seen anywhere, seeing the real despair in their eyes ages your soul quickly.
PseudoPsychosis54 karma2013-12-25 04:29:40 UTC
When you found these videos & photos, what are you required to do with them? Is there some database to store all the shit found?
navaseminternetu82 karma2013-12-25 04:34:01 UTC
In most instances we archive them. It's important to realize that we don't just jump on and grab everything. Ideally we pull the least amount of data necessary and many times it takes hours due to bandwidth limiting / restrictions we place to stay under the radar. In the case of pulling a video, you better have a good justification for that much utilization. In that case we did, so it was archived.
HerbalWine70 karma2013-12-25 04:20:25 UTC
How long have you been doing this and how did you start?
Was there a time when you felt demoralized because of your job?
navaseminternetu164 karma2013-12-25 04:27:59 UTC
over 15 years, there are times when you aren't succesfull.
Example, we were tracking a terrorist group and one of the actors popped up on our radar from his Aim traffic (yes aol instant messenger) and the gist of it is, he suspected we were after them and they made the decision to kill their hostages then and there across the wire. By the time we sent someone in to the location we identified they were dead.
Those are the bad days.
Hass_Avocado25 karma2013-12-25 05:54:40 UTC
I would love to share stories with you. You sound like you've been around the block. :)
navaseminternetu36 karma2013-12-25 06:06:49 UTC
oh that I have, too many to be honest. That's why I like the desk work much more.
RuroniHS61 karma2013-12-25 04:02:20 UTC
Note: This is a hypothetical situation produced merely to satiate my curiosity. I do not condone any illicit activities, nor do I mean to imply that I have participated in anything similar to the scenario about to be described.
Let's say I buy a laptop, giving the store I bought it from false information. I then log onto a public wi-fi source. Let's say I have my face concealed the whole time and avoid identification via cameras. I hack into major corporations with this laptop and copy, and subsequently distribute sensitive data. I do not do this at the same location twice, and I am constantly moving. I use a random number generator to determine my next location. How would you catch me?
navaseminternetu70 karma2013-12-25 04:10:07 UTC
That's a good question, Every attacker has a profile or standard modus operandi so to speak. That said, unless it was something that impacted the federal government directly (or someone in a powerful position) chances are it wouldn't even cross my radar. You'd be surprised though how many people slip up with careless mistakes. Things like not forwarding their DNS requests as well as traffic, or using the same pitch / tunnel for personal work.
RuroniHS35 karma2013-12-25 04:15:57 UTC
Let's say I was publishing classified information from governments of the top 20 most powerful nations in the world and my modus operandum was "you can't catch me!" being left everywhere I visit, in combination with total anonymity. You'd basically just wait for me to slip up?
navaseminternetu58 karma2013-12-25 04:25:56 UTC
You'd be one of hundreds of targets being analyzed.
You start by working with what you know, locations, data types, pretty much any info and start filling back from there. In all actuality it could take years and likely it would be a slip up.
dtg10855 karma2013-12-25 05:35:06 UTC
-what is it like compared to movies/tv?
-what is your daily schedule like?
navaseminternetu87 karma2013-12-25 05:56:26 UTC
it's long hours of a black screen with white text. I wish I could send animated rabits and cookie monsters.
Daily schedule is based on work i'm doing. We're always on call and i've pulled a few days - weeks at my desk sleeping on a cot before with very little leaving the office.
stvv58 karma2013-12-25 10:12:55 UTC
HACK THE PLANET
navaseminternetu64 karma2013-12-25 10:16:38 UTC
I'm surprised you didn't chose They're Trashing our rights
<--- Insert Orbital - Halcyon and on and on --->
stvv29 karma2013-12-25 10:21:23 UTC
Hackers, my all time fav movie
navaseminternetu40 karma2013-12-25 10:28:33 UTC
It's a great one. So cheesy but in a good way. Whenever someone made a noob error or comment at work our collective punishment was to make them watch that in the background on their next operation. That lasted about two weeks. .. Sometime later the Nyan Cat popped up for an 8 hour rotation. Last time I saw anything non news playing on the screens.
stvv8 karma2013-12-25 10:57:21 UTC
Fuckin' Nyan cat
navaseminternetu21 karma2013-12-25 11:04:05 UTC
Thank god it wasn't Nein cat. that would have gone over like a fart in church!
jdonkey7 karma2013-12-25 11:38:35 UTC
What would you have to be monitoring that closely that you'd have to sleep at the computer?
navaseminternetu9 karma2013-12-25 11:47:38 UTC
waiting for a "callback" or response from a computer your operating on, waiting for an opportunity, or possibly a Humint resource to do his task.
Maybe i'm on call for troops on the ground.
Could be anything.
jdonkey5 karma2013-12-25 11:59:10 UTC
interesting , so if you were providing support to troops on the ground what sort of things would that entail? thanks for your response!
navaseminternetu23 karma2013-12-25 12:03:30 UTC
well you could be monitoring for insurgent chatter, maybe you're there to help take down obstacles electronically. If I can do something that keeps troops out of harms way it's worth losing sleep. Maybe they're their to dispatch a small drone to get me closer access or something. Who knows, let your mind run. It'll probably hit one or two correct ideas ;)
VU-SJ34 karma2013-12-25 11:30:34 UTC
navaseminternetu65 karma2013-12-25 11:37:04 UTC
I would say if anything, i'm less paranoid for the most part. I've accepted that a targeted attack would succeed. I obviously follow precautions and have a slightly more robust setup than most, but I still acknowledge that if it leaves my head, it's at risk.
I'm very aware of what's on search engines and social media, i'm actually saddened by the lack of respect a lot of people give this. If I google your name and see pics of you doing shots of a hookers belly, that's not good. By all means do those shots, I would, just don't put it up for everyone to see. People have a false sense of security and think, well it's mine I can control it. Wrong, that's just not how it goes.
If you read below I actually gave an example of work I did with a company in the Valley that scared me more than any government conspiracy would ever.
decemberator26 karma2013-12-25 05:16:58 UTC
Say you find a key to a bazillion bitcoin wallet on a terrorist's computer do you transfer it to your wallet or the government's wallet? ... assuming the gov't has a wallet.
navaseminternetu53 karma2013-12-25 05:21:44 UTC
That's a good question. I'd have to be a long con, i'm pretty sure a transfer that large would be noticed by the majority of the bitcoin universe.
I will say this, black op funds are just that. Not everything is funded from traditional financing. Think of it like this, cops often use drug dealers cars and re purpose them. This sometimes happens for us too. Though never direct, usually into generic fund pools.
davoos25 karma2013-12-25 07:07:52 UTC
navaseminternetu46 karma2013-12-25 07:13:33 UTC
There's risks with all that we do, including every day conversation. It's the appropriate mitigation techniques and the scope of discussion in play that limit them.
A clearance is required for this work.
anon10824 karma2013-12-25 05:00:18 UTC
Can you provide my personal details via pm? :3
navaseminternetu68 karma2013-12-25 05:08:50 UTC
Nope couldn't even if I wanted to. It'd break a few laws and regulations. Plus everyone deserves their privacy :D
LearnAndReflect121 karma2013-12-25 08:35:25 UTC
Plus everyone deserves their privacy
Plus everyone deserves their privacy
coming from a hacker
who works for the government
y ^ _______________ ^
navaseminternetu64 karma2013-12-25 08:56:05 UTC
Doesn't mean I don't believe it ;)
LearnAndReflect17 karma2013-12-25 09:05:26 UTC
hahah i hope i wasn't offensive brother, i was just pointing out the irony in the conversation. made me chuckle
navaseminternetu33 karma2013-12-25 09:21:13 UTC
no offense taken :D
It's definitely ironic. Plus i'm sure plenty think i'm just some shill to say the government is great and infallible.
jaemikehuh33 karma2013-12-25 11:17:04 UTC
either way, I'm afraid to down vote you
navaseminternetu67 karma2013-12-25 11:27:00 UTC
Well I may have told Kim Jon-Un to put his army at the ready! Good choice : )
anon1082 karma2013-12-25 05:14:34 UTC
All right :) Are you capable of infiltrating NSA computers? What is your best hacking moment
navaseminternetu12 karma2013-12-25 05:16:24 UTC
Is it infiltrating if you already have access?
There really isn't a best moment. Some of your greatest success can also be your biggest failure. It's all relative to the end goal. Anytime we've been able to help save lives is good.
navaseminternetu5 karma2013-12-25 05:17:25 UTC
I'd also add that the NSA and other Intel Agencies and partners readily share and provide each other with credentials. There are limits and controls depending, but for the most part there is a lot of co-operation. Though more would always be better.
hello_service_desk1 karma2013-12-25 05:24:31 UTC
But you could, right?
navaseminternetu4 karma2013-12-25 06:30:23 UTC
That's up to the FBI, they're the Domestic team
santanmf21 karma2013-12-25 04:59:20 UTC
What do you make of the 9/11 conspiracy theories?
navaseminternetu43 karma2013-12-25 05:03:15 UTC
Most are crap, it was truly a horrific terrorist attack. I won't deny that it increased spending in the Intel community, but there were plenty of things already in motion kicking that off.
darkangelx11 karma2013-12-25 08:29:15 UTC
Have you seen the other videos from the pentagon other than 1fps vidoe released? Everyone knows there are more than just that video that could be released. Why are those videos not released? (if you know).
navaseminternetu24 karma2013-12-25 08:44:26 UTC
there's always the thought and notion of more videos. If they exist they're well hidden and covered.
There is always a possibility of a larger darker conspiracy, i'll be the first to admit it. I can promise though that something like that wouldn't stay hidden for long, too many people with immense emotions attached to it.
Anything is possible though.
darkangelx16 karma2013-12-25 08:48:39 UTC
there's always the thought and notion of more videos. If they exist they're well hidden and covered.
there's always the thought and notion of more videos. If they exist they're well hidden and covered.
there's always the thought and notion of more videos. If they exist they're well hidden and covered.
There are/were reports of a video from the gas station with a camera pointed at the pentagon.. would love a look at that :)
There is always a possibility of a larger darker conspiracy, i'll be the first to admit it
There is always a possibility of a larger darker conspiracy, i'll be the first to admit it
There is always a possibility of a larger darker conspiracy, i'll be the first to admit it
Not sure if the conspiracy nuts are right, but I want the truth, the whole truth and nothing but the truth. I mean fuck sake we still have JFK docs that are classified.
That is most retarded thing ever.
navaseminternetu22 karma2013-12-25 09:01:55 UTC
I agree, there are a lot of the older generational classified docs that really make no sense. We've come a long way and we have along way to go.
If there's another video, I too want do see it. If i've been lied to i'd be just as pissed as anyone else.
I appreciate the mutal conversational respect we've had thus far.
a1b244nei12atsts08013 karma2013-12-25 10:06:45 UTC
Most are crap
Most are crap
Then which aren't?
navaseminternetu16 karma2013-12-25 10:14:28 UTC
It's a generic statement as i'm not aware of every theory, therefore I can't comment on each one.
a1b244nei12atsts080111 karma2013-12-25 10:16:22 UTC
Well played, in the nicest way possible: when you hack for politics you start to speak like a politician :P
The hackers I've met/been all have about 1/3rd of your social skills.
navaseminternetu11 karma2013-12-25 10:19:20 UTC
And that is one of our problems.
We're segmented. Those that can speak in groups and the techies. It's vary hard to traverse both and that's where many redditors can make an impact. Even if they grasp 1/3 of what we're talking about, it's more than the average person knows.
On the plus side, my mom can't tell a pc from a toaster and even she's afraid of virus's. Though she though Norton caused them, because of what she heard on NPR. :P
alphabubba18 karma2013-12-25 12:01:22 UTC
Are you a wizard?
navaseminternetu37 karma2013-12-25 12:05:12 UTC
Well I can make packets do tricks, but I suck and spells.
So a Muggle with a stolen broken wand maybe?
90817 karma2013-12-25 09:07:55 UTC
May be you can do a little favor here,
The girl I m dating - is she currently seeing someone else or is it just a suspicion,
Who did she call last night?
navaseminternetu36 karma2013-12-25 09:24:13 UTC
I wish I could tell you one way or the other. I've been there and it sucks.
I'd hope she called family or an old friend to wish them well for the holidays.
TIGit17 karma2013-12-25 03:59:02 UTC
What questions should we be asking?
navaseminternetu13 karma2013-12-25 04:02:25 UTC
Whatever you want I'll censor what I need to.
TIGit16 karma2013-12-25 04:10:43 UTC
No, my question was what should I ask you? I'm obviously not as informed as you are, and my questions would be superficial at best and terribly ignorant at worst. I don't know enough to even comprehend what I don't know.
So I asked you, what questions I should be asking. So if you were me, what would you want to know and ask about? What's important knowledge?
navaseminternetu19 karma2013-12-25 04:14:33 UTC
Well, you can ask me about clarity with anything in the leaked docs. Ask about anything you want really.
A question I'd always ask is, do you consider yourself good or evil?
To which I replied, it's subjective. One countries hero is another's terrorist. I like to think I live a moral life, but as we know morality is a flawed notion.
JD_and_ChocolateBear10 karma2013-12-25 05:26:39 UTC
What'd the attitude towards snowden and what he did?
navaseminternetu18 karma2013-12-25 05:47:39 UTC
I think information is important and some should be shared. I think in the context of Snowden, the issue you have is he didn't work in any of the directorates he stole from, nor was he privy to all the info. It's easy to paint a picture when certain parts are withheld. I believe he did what he felt was right and that's what matters to him.
I will say that these things often backfire though making things much worse in the long run. Things will be more compartmentalized and it will make it harder for those of us that have concerns to voice them and address them.
s_for_scott16 karma2013-12-25 06:34:59 UTC
Do you have any favorite stories from your work? I understand if you can't disclose any of that but I figured it doesn't hurt to ask!
navaseminternetu53 karma2013-12-25 06:40:50 UTC
Well one fun one is, we one evening while I was working on a project we broke out into what started as an impromptu nerf/soft toy war and ended up becoming this crazy venting point (as i'm sure happens everywhere), usually not a problem after hours. The problem was as soon as someone went crazy and started throwing foam footballs one of the Senior aids to the President walked in un-announced. This was crazy because it just doesn't happen like that, there's always a heads up and and an entourage with everyone putting on their a game. We all just stood there with a "whats up" look not realizing who they were.
It wasn't until after the incident in the next days morning brief that we were informed. Apparently he though it was funny.
toastedbread115 karma2013-12-25 07:04:07 UTC
How did you start hacking?
navaseminternetu18 karma2013-12-25 07:08:32 UTC
Hacking is a generic term. I think anyone intrigued by how things work and follows through with learning is essentially hacking their mind. So in that regard I went that way. I learned a lot messing with Bulletin board systems in the early 90's, that's also where I learned the power of social engineering and leveraging resources. From there it was school and then work applying everything up to that point.
SimplyMarvelousG15 karma2013-12-25 04:25:35 UTC
I've actually had my eye on computer science and specifically network security and would love to get some info or pointed towards some resources that you'd recommend? :)
navaseminternetu34 karma2013-12-25 04:30:48 UTC
I'd say it 10% school and 90% on the job. Reach out to your school network admins / comp sci departments and get that hands on time. If you have passion, you'll make it.
SimplyMarvelousG7 karma2013-12-25 04:34:22 UTC
Thanks so much. :) I've actually been putting in the effort to reach out to my school IT to see if I could follow him around, and then I mess around on the comp quite often(being all the time), so there's that haha. You rock man!
navaseminternetu23 karma2013-12-25 04:37:31 UTC
a good cheap learning method is a Virtual Lab - the Deice iso's are great.
People specialize in different focus's here. We have the firewall / router guys, the unix guys, the windows guys, the web app guys etc.. Find something that intrigues you and sponge it up!
Best of luck!
pr0cedural13 karma2013-12-25 05:51:24 UTC
How common is it for government hackers to be former black hats?
navaseminternetu44 karma2013-12-25 06:06:09 UTC
Not very common, Most would fail the background checks.
pogiface13 karma2013-12-25 06:54:28 UTC
How do you feel about Edward Snowden? Maybe you can't answer that, so what type of operations have you been involved in, as in were you able to achieve the wanted end result?
How do you "hack" these people, lets say they run linux or whatever? Or is it on the people using aol and unpatched windows xp that are easy ones?
navaseminternetu9 karma2013-12-25 07:04:56 UTC
I responded to this a bit below with a question.
I have no personal opinions of him as a person as I don't know him. I'm not entirely sure I agree with his methods, but I do believe he truly feels he's right. His decision was his and his alone, he'll deal with the consequences for himself and the rest of us will deal with the consequences for his actions.
I would say a large part is simple laziness on the targets perspective. Work smarter not harder. Things like using FTP with credentials in the clear text. On the harder tasks, maybe there's a human intelligence piece, maybe there's a targeted attacked on a lateral target (girlfriend or mother that may use their systems). There are hundreds of possibilities. There isn't one system that is weaker, it's the implementation and adherence to security policies that are the keys to the city.
ub3rm3nsch13 karma2013-12-25 09:26:15 UTC
1) Were you specifically asked/assigned/approved to do this IAMA?
2) In general, what are the biggest threats presented to democracy and civil society by people in your line of work?
3) What risks do Intel structures that lack transparency have of being captured by undemocratic interests? And how would that capture affect our society? And how could that be reversed?
4) Do you believe the American system, specifically in reference to the beneficiaries of the current socio-political and educational structure, is meritocratic, or oligarchical?
5) Why do you think people continue to adhere to the illusion that we are separate from one another?
6) what will the world look like in 10 years? 100 years? 1000 years? 10,000 years?
navaseminternetu32 karma2013-12-25 09:44:18 UTC
1) Nope, the risk is all my own.
2) The fragile dependance on electronics in general
3) The risk is lower than you'd think, but a risk none the less. Domestically it wouldn't crush us as it's just not how things are setup. Internationally, they're all already doing the same thing.
4). I think it's a bit of both. I know a cop out answer. I think whom you're born to or where you're born can give you advantages in life, making it much harder for honest hard working individuals to reap the same benefits. I think technology is the gift changing that. All the old rules really don't apply. Any kid in his basement as often said, could be the next billionaire.
5) I think people over estimate their individual importance. No species survives because of one, it's because of group effort and sacrifice. Free will sorta messes this up a bit.
6) 10 years, I hope we've really made 3d printing economical and domestic goods are able to be produced as cheaply and efficiently as foreign made goods.
100 years, I hope we have the ability transcend more of our differences. Africa as a continent has been given new life, partially restored to it's pre imperialist state. That we've eradicated many diseases and can cure if not manage cancer to where it's negligible.
1000. I hope we make it beyond that.
Good questions, thanks!
ub3rm3nsch2 karma2013-12-25 09:50:44 UTC
Thanks for taking the time to answer my questions. As someone who works in the DC human rights community, it's great that you're humanizing a very confusing process for a lot of people. I think most of the conspiracy theories come about because of a lack of knowledge about specific details that on a daily level turn out to be pretty boring and routine.
Best of luck with your career, and don't forget which values you work to promote.
navaseminternetu2 karma2013-12-25 09:53:59 UTC
Thanks and same to you.
OneOfTheSmurfs11 karma2013-12-25 08:31:16 UTC
I don't know if it's been asked already.. But, how much money do you make per year?
navaseminternetu15 karma2013-12-25 08:49:56 UTC
Federal pay scales are made public, there's the GS system band with multiple variables and then it goes extended. There are also Private entities owned and operated that sub contract to the government for certain positions as well. This is to keep pay fair and commensurate.
My highest pay i've held private was just shy of $200k. For the Government the average for a 5 -7 year analyst is GS9-11 pay. Most of us started at GS 13 depending on experience. It's convoluted. I'm not going to revel my pay band and or stepping now because of identifiable information. Bottom line is you can make good money. The positions advertised will give you the starting ranges.
stealthXY10 karma2013-12-25 06:02:40 UTC
What's the most corrupt country? Have anything bad happened to you in the times of your career? What is it feel like being a hacker?
navaseminternetu15 karma2013-12-25 06:08:37 UTC
I mentioned on another question corrupt is subjective. I would say the worse the human rights violations are the worse the actor.
I have had bad things happen, i've made mistakes and taken gambles that didn't always pay off as I'd like.
I consider it a job of learning daily and for that sole fact it's great!
sgtgary10 karma2013-12-25 12:29:02 UTC
Actually, I'm curious. We hear about high-profile cyber activists working for Russia, China, Eastern Europe, etc and they often seem to have some sort of governmental support. How much does the government know about pro-government hackers operating within its borders?
I would think they might be supported and possibly even receive coordination so they don't interfere with official government ops, but are you able to elaborate?
navaseminternetu9 karma2013-12-25 12:39:57 UTC
Feigned ignorance is bliss. You can deny deny deny.
That's all I'll say on that one.
There are instances where internal groups will battle each other for credibility in those countries, that's always fun to watch. The power struggle, the victor and the spoils. All the while emotions cause sloppiness.
firmkillernate10 karma2013-12-25 07:37:22 UTC
You said you've worked around the globe. What was the biggest shithole that you've been to? As for the various governments, do they themselves think of the work you do as more glamorous than it really is? (Do the expect you to just "hack" your way through anything?) Thanks for the AMA!
navaseminternetu17 karma2013-12-25 07:42:40 UTC
Biggest shithole, probably Western Sahara figuratively and literally.
Yes the majority of policy / decision makers in the various forms of government are very far from understanding what's going on let alone how it's handled. I think this is where a lot of questionable or confusing statements are made. Sadly, you're taught to give a presentation to the lowest possible denominator (aim for a 4th grade level and build up as needed). It really is time we re-assess and move younger more tech savy individuals into the decision making process. Limit the duration on congressional and senate terms, bring in the young blood.
One time we mirrored one computer across multiple systems (and I mean dozens) and sat whomever we could find in a chair to pretend otherwise they would think it was impossible for small teams to handle an operation. It really is a dog and pony show and that detracts from quality work and decision making.
I'm not an ageist, there are a few that get it, most though are playing the politics game and trying to make a few bucks with no real interests.
rethrowawayMZ8 karma2013-12-25 08:49:43 UTC
I spend 90% of my day reverse engineering malware most of it is mass distributed common shit behind custom packers, but every now and then we find an interesting targeted attack and some custom stuff targeting big oil, or government's (Nkorea v Skorea earlier this year). I assume you guys take care not to leave your tools around. I also assume you aren't on the level of a laughable pen tester using loltrack or scriptkiddy metasploit so how does recruiting for this position work? I would think most of the talent would have to come from someone with a similar background to mine, but of all the recruitment emails I've received over the years from different AV companies trying to snipe me I've never once received a recruitment email for this line of work.
TL;DR - How to make the jump from malware / vulnerability researcher to e-mercenary.
navaseminternetu9 karma2013-12-25 08:55:17 UTC
You're correct. Interestingly you can analyze and attribute random malware quite easily when you tear it apart. So much code reuse, and honestly why not. That usually saves us a lot of time, there are full divisions that handle it day in and day out. I salute you, it's daunting work reversing a lot of that stuff.
Much of the work is contributed back to the Av companies and there are open lines of communication. Don't discredit everything for face value. If you're really interested, visit one of the agency websites and apply. You may even find companies willing to flip the cost of your clearance themselves. Look at the big ones. Booz Allen, CSC, etc.. Throw your resume in the air in D.C. and someone will eat it up.
If you're in the SFBAY / Valley, it can be hard to move around.
fuuupa6 karma2013-12-25 04:49:43 UTC
Hacker or IA? Because offensive hacking is not an every IC branch ordeal. Contractor or civilian? And by hack, do you mean CNA or CNE? Or just analysis after the red team has done their thing? I can ask a million questions but they don't really matter much without the previous being answered.
navaseminternetu5 karma2013-12-25 04:59:53 UTC
The operations are directed by the IC in charge. Each agency has its own rights and restrictions. 99% of the work is CNE across the IC. CNA is not something that's just done on a whim, it requires a lot of boxes to be checked by a lot of people. Most CNA would be field related operations in a somewhat controlled environment. There isn't a whole, lets take down wallstreet time operation going on, more of the shut down these forums, or this communications tower etc.
rarely is CNA directly authorised or sanctioned. If so those operations are directed by military personnel
DaCrazyKoala6 karma2013-12-25 09:14:12 UTC
Could you talk about the data gathering practices of private companies?
navaseminternetu19 karma2013-12-25 09:28:43 UTC
One company in the valley had a cluster with multiple petabytes of raw live user data that anyone could perform research on with no restrictions. In addition to acccess to live data as needed.
It was the wild west there, and they wondered why hackers were exfiling so much data. Sigh
It's probably not who you think either
Tublerone6 karma2013-12-25 05:47:15 UTC
Why do the goverments work against each other? Instead of doing the next step towards a better world, we basicly are on a good way to extinct ourselfs. Or is it a fight against corrupt goverments?
navaseminternetu24 karma2013-12-25 06:03:52 UTC
It's all about power plain and simple. Always will be as long as man has free will and the ability to want more.
SerLaidaLot4 karma2013-12-25 05:26:17 UTC
Could you walk me through what exactly you do in your line of work?
Like, I very much doubt they go "Yo navaseminternetu, hack this site" or whatever.
Hypothetically, if you were told to infiltrate a database of any form, how would you go about it? I know only the most basic of basics of hacking, but you can be as detailed as you want in your answers.
Like, would you look for SQL vulns or what? If so, how would you look for these? How would you ensure your anonymity? Would you use a proxy, or if possible multiple proxies? Anything further?
Your employers, are they aware of your current actions? What is your take on Ankit Fadia, the asian "hacker"?
If I wanted to steal money of a bank website, how exactly would I go about that? Would I have to do the cliché'd "find their admin page" whatever, and if I made off with the money, would I have to patch it up with fake code?
Are you a complete white hat, or a few spots of grey here and there?
I have so much to ask you, please respond.
EDDIT : Another user mentioned that you should change his username for proof. While I find it a stupid request, I wish to know how you would go about doing that. Would you have to find reddits admin page? I don't see how you could get into alienth's account or that of any other admin with the necessary ability to perform the task of changing his username.
navaseminternetu12 karma2013-12-25 05:43:45 UTC
Well the thing to understand is that there are millions of potential operations that could help someone. There are systems that rate and levy importance. Based upon this operation plans are drawn up. Some operations are extended for months or years and require basic maintenance or a lot of hurry up and wait. Other ops are smash and grab and move on.
As far as a database, likely the original analyst would have tasked up and researched a lot of the information i'd need. Systems and their related com info (ip etc) and usually they would have already had an advanced vulnerability scan performed. From there i'd attempt to leverage an exploit through some means (attack directly or in most instances latterly) , priv escalate, do a bunch of recon and most likely sit on it for a few days.
No one is every numb to what is going on, it's their level of response that you worry about. I won't comment on specific individuals or groups.
To steal from a bank.... millions of scenarios. You'd have to start with solid research and then look at your resources and go from there.
I don't believe in white, grey, or black. Primarily because one guys white hat is black hat to others. I believe there is a general rule / moral compass but that too can be based upon your understandings of the world.
GerBill444 karma2013-12-25 05:15:17 UTC
In one response you said you were in a country that didn't want you to be there. Why do you have to travel to other countries for your job at all? Sorry if this is a really dumb question, but I really don't have much of a background in this subject.
navaseminternetu5 karma2013-12-25 05:19:45 UTC
Some operations are geographically restricted. In many instances this is due to poor infrastructure.
kane553 karma2013-12-25 05:19:27 UTC
Thanks for the AMA. I have two questions:
Do you have any information that is secret/classified that would shock the general public if it were released?
What branch of the government do you officially work for. Is it NSA, CIA, FBI or something more mundane?
navaseminternetu12 karma2013-12-25 05:27:19 UTC
I think anything could be shocking given the wrong context. You would be surprised at how many people are really victims to fraud and more so the businesses unaware of the IP theft. I once sat in on a meeting with a firm trying to sell a multi million dollar platform to the government, only they didn't realize we had already pulled the source code of a foreign adversary network.
I work for the US IC community. I've performed operations for all three and each of them are different, the tools, techniques, procedures all have restrictions and specific requirements. I mostly operate CNE which by default is an NSA covered operation.
kane552 karma2013-12-25 05:35:56 UTC
Thanks for the answers. I guess I never really thought about how big and involved fraud and IP theft is, but once you say it, it makes perfect sense.
navaseminternetu5 karma2013-12-25 05:58:04 UTC
everyone always says numbers are exaggerated. Their not, no one knows how much, but i've seen billions personally.
brainattacker3 karma2013-12-25 04:47:46 UTC
How did you get into this field?
navaseminternetu7 karma2013-12-25 04:51:44 UTC
I was recruited through acquaintances, started out in analysis. Over time as you're vetted and move with your career opportunities arise. There was extensive testing, internal schooling, and practical work before they let you even do the mundane stuff. It's a bit of a good ole boys club, but that's mostly because you need to be able to rely on each other for their part. Most people started out working in the NTOC (threat operations center), red team or blue team and then were asked to join another organization (where the above took place).
itwontdie3 karma2013-12-25 09:24:19 UTC
Which operating system do you use for work and or home?
navaseminternetu7 karma2013-12-25 09:33:10 UTC
I have slews of *Nix machines, Windows, and Mac OS. They're all necessary.
I actually use a Mac for casual stuff / video editing / music etc. and I have two laptops (one Windows and one Linux). There are of course a few random machines here and there including my nas etc.
They're all pretty equal and have their pros and cons. I don't buy the one is better crowd. There are ups and downs and just as many variables. Use what you like and roll with it.
itwontdie4 karma2013-12-25 09:40:38 UTC
Would it be possible to quantify by which OS's are easiest to compromise?
navaseminternetu7 karma2013-12-25 09:50:17 UTC
Windows would always place highly simply because of it's adoption rate. Linux has a lot of fragmentation with varying binaries (that's why a lot of tools are statically built.. also for security reasons), Mac OS simply is small. Granted the iOS boom has swayed that quite a bit in the past few years. I'd almost argue that people with Mac's are just as gullible if not more because they have a false sense of security.
It all boils down to following security best practices and guidelines. We're all vulnerable, its more or less the difficulty we present. The hard we are, the easier to move to the next target.
itwontdie3 karma2013-12-25 10:01:57 UTC
Thanks for the replies!
I noticed you did not mention OpenBSD is this due to the adaption rate being low or to legitimately being more difficult to attack?
navaseminternetu2 karma2013-12-25 10:05:41 UTC
It's generally bundled with most nix derivatives. Usually if you can cross compile applications they're pretty universal. You just don't see it much *in the wild
sixtine3 karma2013-12-25 11:42:58 UTC
Hi, and thanks for your AMA.
You've answered a few times questions regarding enrolment, degrees or "how do you get into this field". I'm wondering if you could tell us more about the background checks.
What's in them?
What findings during a background check would be a deal-breaker?
Are they executed right after you apply somewhere (i.e. right after you sent an email, before you get any replies)? Like some previous screening?
Or rather when you've already been considered for an interview and it becomes an integral part of the interview process?
navaseminternetu2 karma2013-12-25 11:52:12 UTC
Background checks are interesting. There are your traditional screenings for your security clearance. Depending on the level, you may go back 2 years, 7, 13 or even more if you're getting specific caveat access. Additionally there are routine background checks during your employment. The more sensitive the job, the more frequent. Sometimes they'll do them before they even approach you about specific opportunities. Sometimes you'll have plants in your office there specifically to observe you in your normal habbit. It's pretty sur-real sometimes.
Deal break would be serious offenses, robbed a bank, child molestation, burn down your school (I actually saw this one, and they made it past initial inspections to get a temp clearance).
Minor infractions, including drug use can be waived. If you're truthful and people give you a good recommendation (they'll ask people you'd never even think to ask) then you'll be ok.
Hope that answers your questions (the last one I kinda answered with the first.)
hello_service_desk3 karma2013-12-25 05:26:18 UTC
Is there any "truth" being spread out there about the govt/whatever you do that you'd like to refute because it's just too exaggerated?
navaseminternetu18 karma2013-12-25 05:45:29 UTC
No one has the time to listen to phone calls or read the emails of everyone in the world.
Lets stop and think about how much data that is, then how many man hours it would take. Just not feasible. It's like throwing a rock at the moon and hoping to hit it (even though we know it'd never make it). It's very specific and focused or else it'd be a waste of resources.
Vikslol3 karma2013-12-25 11:16:05 UTC
Could you hack my school marks on my college website ?
navaseminternetu10 karma2013-12-25 11:25:23 UTC
Could or would?
Besides i'd only be cheating you. Don't put too much strain on grades though. I think that education is seriously lacking behind with technology. That and most are forced into Uni vs Vocational and applied skills.
If you enjoy something, work at it and make it a job. That's what matters most. Just make sure you figure that out sooner than later, don't want a horrible bill.
_fins3 karma2013-12-25 09:06:38 UTC
Blondes or brunettes?
navaseminternetu22 karma2013-12-25 09:22:57 UTC
Brunettes, though I'm never one to turn away a beautiful woman.
CharlieKillsRats3 karma2013-12-25 04:00:14 UTC
Can you hear a good story about you shitting your pants? I have lots of them myself, but this thread isn't about me. So...
navaseminternetu11 karma2013-12-25 04:05:25 UTC
I've literally shit my pants more than once (though that was usually because of shitty 3rd world sanitation and food quality),
One time while on an operation in the field my laptop got hit by a 7.62 round.
That made me pucker up a slight bit. Fortunately most work was from the safety of a desk and that wasn't too often.
aradagg2 karma2013-12-25 04:52:22 UTC
Can I ask why your laptop got hit by a bullet?
navaseminternetu4 karma2013-12-25 05:04:53 UTC
We weren't exactly welcome where we were at and the general though there was shoot first, question later (if they even questioned afterwards).
a1b244nei12atsts08012 karma2013-12-25 10:11:56 UTC
How many times do you type "nmap" on any given day?
navaseminternetu3 karma2013-12-25 10:15:23 UTC
Trick question.. anything repeated more than twice you script ;)
ajtattack46552 karma2013-12-25 04:00:34 UTC
What is your opinion on the whole Snowden thing? Do you think that you would have done the same given the opportunity?
navaseminternetu4 karma2013-12-25 04:07:37 UTC
I think the dissemination of information is important. When it is shared in simple dumps without all the factual data that goes with it, it can easily be misinterpreted. Leaks are ok, the way it was handled probably not the best.
That said, there is good and bad going on, but there are a lot of people that work the job that are honest just like the vast majority of you. There are always ways to air grievances appropriately.
Tornada2 karma2013-12-25 11:50:52 UTC
reddit is outraged at everything NSA at the mo
yet half the posters in here seem to be gunning for a job doing what you do
navaseminternetu2 karma2013-12-25 11:54:32 UTC
I think people are outraged most at the handling of the situation. There definitely needs to be more open communication from the government. I'm hoping I can answer or at a minimum give a little bit better of a perspective rather than the canned pr crap.
What's the saying.. hate the player not the game?
I fully expect the worst to hit me in a few hours when the rest of the US starts waking up.
halovidnoob2 karma2013-12-25 07:12:16 UTC
what is the most damage you can do to the world with your hacking skills?
navaseminternetu4 karma2013-12-25 07:21:17 UTC
Well that's sort of a trick question. It would depend on my goal and what I quantify as damage.
Now if you were to ask what the worst types of hacks would be;
* Hacks on financial trading indexes (this could have serious global ramifications)
* Hacks on critical infrastructure (water, power, and even internet transport lines).
djfromhell1 karma2013-12-25 12:17:39 UTC
What is the weirdest middle eastern country in your opinion and what middle eastern country has the strongest/scariest intelligence agency (aside from Israel)?
navaseminternetu3 karma2013-12-25 12:27:00 UTC
If you're basing weird on cultural norms, I don't find any particularly weird in that regard. What disturbs me the many places i've visited is the lack of interest in learning alternate perspectives. Culturally the middle east is firm, and very few are truly open to compromise.
Well if you talk to anyone that's been interrogated by an Egyptian, they swear they're the worst. Honestly though I think a lot are horrid simply because of the lack of general human rights let alone equality. No country is perfect, but I've seen things that are pretty horrid.
Throwawayalwayz1 karma2013-12-25 09:22:02 UTC
I heard the government can listen to your calls but not read your texts... true?
navaseminternetu4 karma2013-12-25 09:29:58 UTC
Depends, where are you located?
Located outside the US, then yes there is a possibility. As far as texts, they're sent in the command and control channel of an S7 signal structure (T1, E1 etc) usually 32 channels. So if there is voice, there is most definitely text.
FYAC1 karma2013-12-25 10:36:05 UTC
How much do you get paid?
Sorry, don't want to come off rude, but I'm dying to know. >.<
navaseminternetu2 karma2013-12-25 10:42:34 UTC
See the questions below. Federal scales are GS and the Extended scales.
I made just under 200k private (not including equity and other perks).
The passion and job are where it's at and i'm well taken care of as long as congress doesn't snooze and hold our paychecks.
dub18081 karma2013-12-25 04:43:11 UTC
u/karmanaut or someone can you please verify this
navaseminternetu8 karma2013-12-25 04:45:51 UTC
mods were sent the proof, should be verified shortly :)
THATguyFromMinnesota1 karma2013-12-25 12:04:14 UTC
navaseminternetu5 karma2013-12-25 12:14:56 UTC
Favorite OS - Probably the generic Linux* distros vary, but all in all it holds up well.
I have taught internally many times, i'm actually considering taking time off and putting out lessons and resources for everyone online (within limits of course). Finances shouldn't hinder your ability to learn and I really like the open education. Plus there are just too many damn snake oil training companies. Someone needs to beat through the ridiculousness. It'd have to be donation based though I doubt I could cover all the costs myself.
When i've given private talks and presentations (usually to cleared / classified environments) outside of work (with authorization) they've gone over well. I also may or may not have been present on a few panels at a few conferences ;)
As for speed on hackthissite i'd probably be pretty average. I get distracted easily at home and would likely be watching tv shows I'd missed through the week. Sometimes At work I multitask.. at home I Multi-lazy :D
Maybe i'll give it a shot before the new year and PM you the results.
Bartimas1 karma2013-12-25 07:46:02 UTC
I don't know if you're still on, or if you have answered this question already, and I didn't read all of the previous questions. But do you work for the NSA? And regardless of that question, what is your opinion on surveillance on the internet?
navaseminternetu2 karma2013-12-25 07:50:32 UTC
I have answered both, but I work / have worked for all of the IC community (to include US and partner countries).
Surveillance is relational to what is being looked at really. There will always be a need to look at traffic, it's when you dig into the content or context that sometimes oversteps that boundary.
There will always be a need for intel, but we can shape and control who views it, how it's used and in what context.
I believe we all have an right to privacy and if those boundaries are being overstepped then i'm completely for auctioning on that.
I do go into this a bit more with a few questions below. Very few people in the intel community believe in the right of blanket surveillance.
Bartimas1 karma2013-12-25 07:57:09 UTC
So do you think you are doing the right thing by monitoring people? I guess I should rephrase that. I assume that you monitor suspected criminals, but do you think it is right to hack into their computers?
Also, do you like your job? I have always wanted to be something along the lines of this, but I wouldn't know where to start.
navaseminternetu2 karma2013-12-25 08:07:19 UTC
The way I see it is this, if we've got to the stage of actionable intelligence, there is enough evidence that you are related or potentially close to the target. There is always collateral, maybe you're the boyfriend or girlfriend. In those instances, it's simply because you associated with the wrong person.
As far as monitoring, there isn't a system in place where the government can say where someone is at any given point. It's way too much data and processing and little intrinsic value. The system as it works is targeted and it's the most effective way of handling with the biggest respect of personal privacy.
The other piece is that anything domestic is signed off by the FBI, the NSA cannot look at anything without their approval. Incidents where data is accidentally viewed (perhaps two way conversation without understanding one person was a us citizen) are immediately documented and noted. There are checks and balances in place to keep this from happening. Too many flags and it's retraining, repeat again and you'll lose your position and possible your career and access.
It's a rewarding field. I've answered a few questions on where you can start and where to go below. I'm not an expert, but I believe knowledge is power so take everything I say as not the answer but one of many possible avenues of attaining your goal.
Best of luck.
TeleportationBeam1 karma2013-12-25 07:55:36 UTC
What was the most eye-opening or shocking experience you've had while on the job?
What is your opinion on the NSA and related spying in the US? Do you think that what is happening should be allowed/legal?
navaseminternetu2 karma2013-12-25 08:01:19 UTC
I've seen large amounts of money invested in research / analysis that yielded no result. Granted hindsight is 20/20. I'd never really contemplated money being spent the way a government does.
Blanket spying is bad, I believe privacy is everyone's right. That said, if you blast info on a public site where everyone can see, that's on you. As far as domestic spying as it's been put. It simply doesn't happen the way people believe it does. Most data is collected at egress points (out or in simply because of the traversal points in use.) In order for your data to be seen let alone scrapped or kept you have to have hit on some selector of sorts. A few responses earlier will answer this a bit more.
I don't know a single person that believes in spying on everyday people.
TeleportationBeam3 karma2013-12-25 08:05:26 UTC
Thanks for answering! Some really interesting stuff in this thread. Is there any possibility of demonstrating your skills against someone here?
EDIT: Also, could you provide an estimate in regard to how much storage space the US has for data gathering, etc.?
navaseminternetu5 karma2013-12-25 08:10:10 UTC
No, It wouldn't warrant it.
The only exception is if we already had plenty of intel that you were questionable in nature.. and in that case Mr. Jacob Jordans of 1132 West Aleghaney way.. we're on to you. ;D j/k ... or am I?
Dun Dun Dun!!!
navaseminternetu4 karma2013-12-25 08:12:01 UTC
As far as storage space, I have over 50TB's at my house myself.. so maybe like twice that?
ArmyyStrongg1 karma2013-12-25 08:35:31 UTC
How do you become qualified for a job like that. Do they recruit out of college and what degree do you have to have to do something like that?
navaseminternetu2 karma2013-12-25 08:51:51 UTC
I've answered a few times below.
Supra1041 karma2013-12-25 09:04:00 UTC
What are some books you would recommend, hacking and otherwise ?
navaseminternetu6 karma2013-12-25 09:19:12 UTC
I've mentioned the following already as reference
Stevens TCP/IP vol 1 - understand packet structure (the dirty bits and where people hide C&C in plain sight)
Opearting system concepts is a good primer into the basics.
From there I actually recommend working through Rootkits and keeping windows and linux system internals books around too.
One of my all time favorites is Unix in a nutshell simply for command reference. That damn thing on the front creeps me out!
ILoveThisWebsite1 karma2013-12-25 11:40:06 UTC
What's the best life lesson you learned on the job?
navaseminternetu6 karma2013-12-25 11:48:43 UTC
Don't take it for granted. Tell those you love that you love them, don't let petty things ruin friendships. I've seen people come and go in the blink of an Eye. I've lost friends and I can only imagine the pain of losing families.
As cliche as it sounds, love each other. You don't have to agree, but you can still care.
KingJeet1 karma2013-12-25 09:31:51 UTC
How much do you make a year?
navaseminternetu2 karma2013-12-25 09:46:58 UTC
answered below as best as I could.
Tarlen1 karma2013-12-25 12:24:22 UTC
Have this career had any serious affect on your personal life? I mean, do you still have free time in which to pursue personal interests, family and hobbies outside of work, or will a high level security job eat it all up?
navaseminternetu3 karma2013-12-25 12:38:19 UTC
You do, but you are always at a heightened sense of security. Almost paranioa to an extent. Eventually you learn to let it take it's toll.
One interesting thing people don't realize is, when you go on a combat deployment, you have a return date and decompression time. Those of us in high risk / reward jobs like this and UAV pilots, are on and off in matters of minutes. It does wear you down. luckily there are resources to help you with stress and coping.
The harder part is working out with your SO on how to handle the fact that you just can't say why. You really have to put in a lot more effort with them and kids, make sure they're loved. After all, that's why you do the things you do.
You have free time, there are some that work 9-5 every day. It's relative you, your position and interests. I could pretty much roll out of work as need (I'm sure I have over a years comp time if we kept track). No one abuses the system for the most part and everyone puts in an honest effort.
It's tough, but you'll make it work if you want it to.
chewmus1 karma2013-12-25 12:19:42 UTC
What kind of porn genres does a government hacker such as yourself enjoy?
navaseminternetu3 karma2013-12-25 12:29:25 UTC
I'm a classier porn kinda guy, I like a little left to the imagination. Build up the suspense and enjoyment. I'm not a fast food porn Connoisseur. Keep the Cherry high gloss mags away from me (you older guys will remember the non airbrushed rawness). That said, every once in a while we all like to order from the value menu over at Youporn or the likes :D
DaCrazyKoala1 karma2013-12-25 07:37:33 UTC
Is the proliferation of social media one of the best things to ever happen for the intelligence community?
How useful is it? Could you give some examples if possible (hypothetical or real)
navaseminternetu2 karma2013-12-25 07:45:08 UTC
Yes and no. Social media can be beneficial in some regard but that vast majority of actors are smart enough to keep things separate so it's not nearly leveraged as much as you'd think.
That said a good example where it is leveraged would be an actor using a specific system (pitch / tunnel box) for both personal and nefarious reasons. Through that association you can now build a human intelligence profile and start to place pictures. In turn, often times you'll see pictures of locations that can help validate or destroy your hypothesis on whom, what, where, etc.
Tyrannist1 karma2013-12-25 10:35:16 UTC
Hopefully you are still doing this, there has been a question lingering in my mind for months now.
Polygraph test. Is it more psychology or science? Lets say my nam is Bob. If I was asked " Is your name Bob " but on the spot I can absolutely convince myself that my name is " Jim " would the polygraph detect the lie?
Do they throw off the wall questions at you to make you uneasy and then follow up with a critical question such as " Have you ever done drugs? "
I'm assuming you are not able to detail the process of a polygraph test. If you are though.. I would love to be enlightened.
navaseminternetu2 karma2013-12-25 10:40:23 UTC
100% Psychological. How many of the major arrested spies passed theirs? All of them, not one failed. If you believe something to be true or can tell yourself it is (mental gymnastics) than nothings will change that fact. They're good at making you uncomfortable and for most people you'll tell the truth. I highly doubt that you're getting a good reading though. People with anxiety are naturally nervous, does that mean they're always lying? Nope. If you take certain medications, you're numbed to an extent, that keeps you flat on the reader. Does that mean you've been coached to cheat the system? Too many variables and i'm not sure I agree. I go through the motions, but I have my doubts.
They indeed throw off the wall q's "Have you ever watched your poop flush?" I got that once. Without hesitation I said yes and smiled. The guy didn't like that.
It's pretty open about what a poly is and how its taken. Plenty of videos on youtube.
Copyright © 2014 BestofAMA.com, All rights reserved.
reddit has not approved or endorsed BestofAMA, reddit design elements are trademarks of reddit inc.