A Roundtable of Hackers Dissects 'Mr. Robot' Season 3 Episode 9: 'Stage 3'
Technologists, hackers, and journalists recap the latest episode of the realistic hacking show.
It’s the penultimate episode of Mr. Robot’s third season, and the stakes are higher than ever. We discussed Sentinel, keyloggers, RFID readers, pwning the Dark Army, and more. (The chat transcript has been edited for brevity, clarity, and chronology—wouldn’t want to mess with the timeline.) This week’s team of experts include:
- Bill Budington: a long time activist, programmer, and cryptography enthusiast, and a security engineer and technologist at the Electronic Frontier Foundation.
- Jen Helsby: SecureDrop lead developer at Freedom of the Press Foundation.
- Zachary Julian: a Senior Security Analyst at Bishop Fox, a security consulting firm
- Micah Lee: a technologist with a focus on operational security, source protection, privacy and cryptography, as well as a journalist at The Intercept.
- Matt Mitchell: a hacker who leads cryptoharlem, which aims to teach basic cryptography tools in the inner city. He also trains newsroom journalists (at Global Journalist Security), activists & human rights defenders in digital & operational security.
Micah: So in the Allsafe flashback, did Price decide to take the contract because he briefly saw Angela and took an interest in her? If so, that's incredibly creepy.
Matt: Yeah, seems like he did, but then again, how did they coincidentally pick the place that Elliot Alderson works? So must have been part of a plan. Maybe Angela has more to do with things that we know?
Micah: She came into the room to hand a report to her boss, and the misogynist businessman made her refill his coffee.
Yael: That's the best way to get dudes to like you. That and saying "There's no sexism in this industry. It's a meritocracy!"
Jen: I guess Angela wanting to blow the building up makes more sense given this context. :P
Yael: But maybe she could just hit rewind on that scene to make it unhappen if there is video of it. Okay, so then there’s Elliot looking at the “don’t delete me” email.
Matt: Also he is like, shit I left my computer open....nah dude. #opsec #opsec #opsec close your lid homie. Hoods up. Lids down. Also, Protonmail references. Can I explain that the best way to use it is to use their hidden service address and Tor browser? Both parties emailing need to do this. When Elliot's computer is open, it looks Mr. Robot was reading about Sentinel. In the early late 90s, early 2000 FBI was still using paper folders stamps and different systems for tracking cases. Field agents in different regions of a state in many states in the country didn't have coordinated information sharing. So they wasted $170 million building Virtual Case File System, it was never finished. Sentinel launched in 2012 after almost the same fate. There is a scathing critique by FBI inspector general in 2010. They ended finishing it by using off the shelf products Frankensteined together.
It tracks all cases and agents. Intelligence, personnel (support), administrative data, names, address, social security numbers, telephone numbers, emails, photographs, codes , characteristics, unique IDs, possible gender, race, license plate number, vehicle identifier, financial account info, medical info, educational info, military records of people with contact of an FBI mission. EMC Documentum document management software + Oracle database software + IBM Websphere + Microsoft SharePoint + PKI by Entrust + some custom code.
Yael: So then after visiting Tyrell (whose Trumpian puppet line was hysterical), Elliot shares the email with Darlene.
Bill: So Darlene was trying to get to the keyloggers, which have encrypted vaults on them. The USB keylogger was, according to the 'Romero NYPD chain of custody.pdf,' disguised as a ferrite choke bead, or one of these. Clever.
Zachary: I didn't realize it was that thing on the end of the USB cable. The inclusion of that seems inspired by NSA's COTTONMOUTH. Which interestingly we've seen a bunch of Chinese knockoffs pop up on the market.
Matt: Thank goodness for Romero. RIP brotha.
Yael: He was supposed to be all in! Okay, so now Darlene’s up.
Micah: https://twitter.com/HydeNS33k/status/938504548276162561?s=09. Except in this case, she was trying to clone Dom's RFID.
Zachary: I was pleased to see the return of the Bishop Fox RFID Thief, although I think it should have worked. ;) We've tested it with an FBI special agent.
Yael: I wrote about that RFID reader in season 1. It saves stuff on a microSD card as a text file, to clone badges from.
Zachary: Probably worth mentioning that it is open source and readers can build one themselves.
Jen: Dom needs an RFID blocking wallet. All the cool kids are using them.
Yael: I think she had one? The thing didn't work, right? And yeah, shoulder surfing and memorizing a numerical combo worked better at getting into the safe that hacking did. Poor Dom. Even though Darlene got caught and is in deep doo doo now despite her good intentions, I still felt bad for Dom. I think Darlene is pretty good at social engineering! She had me convinced she was into Dom for a second there.
Matt: Cisco (RIP) knows how charming she is.
Yael: Then there was the Elliot/Angela scene.
Micah: Does Angela have an imaginary friend that she talks to now, like Elliot? I think maybe she does.
Jen: Being a terrorist ain’t easy. It damages the mind.
Micah: She was telling her imaginary friend that if she goes into the subway, White Rose will find her. And she was right?
Zachary: I like how she still has Elliot's fish. That was a nice touch.
Yael: What were all of the pictures she had up?
Matt: I was trying to peep her reading collection. Anyone get that?
Yael: When she said "we're ready," did she mean her and the fish?
Matt: Maybe to Micah's point, it’s her other personality. Maybe her mom?
Yael: Oh. :( It's kind of weird and sad, especially how earnest she is about it, like any other cult member. I hope she goes to see Krista to get sorted out.
Micah: She's also paranoid. She thinks Elliot is working against her. But to be fair, she's kind of right.
Yael: It was too hard for me to parse who was thinking what… "Your girl is tripping." \
Matt: Leon! Stage 3. He seemed surprised to see him.
Micah: Elliot's plan to hack the Dark Army was pretty awesome. Social engineer their interest with talk of Stage 3 to compel them to put malware on his laptop, then use memory forensics tools to reverse engineer their malware and send a malicious document to their command and control server to take over one of their clients.
Jen: The scene of Elliot using American fuzzy lop to fuzz Evince (the PDF reader) to find an exploitable vulnerability was pretty cool. (Fuzzing is a technique to find software bugs by crafting test inputs.)
Zachary: Yeah, I really like the whole plotline to backdoor the PDF with an 0day in Evince while he knows he's owned. Crazy, but technically possible.
Bill: Elliott crafted a malicious PDF (ecoin_vuln_notes.pdf) which gave him access to the Dark Army's management interface. Once there, he was able to see everything - all the DA targets on a map.
Yael: It just seems weird that DA wouldn't use a sandbox or something? Or like a laptop that's never been online, what do you call those again? Or like Qubes?
Jen: Airgap machines (computers never connected to the internet) are a usability nightmare (since they’d have to ferry documents into the airgap to open) - Qubes would be a good solution for the Dark Army.
Yael: Ooh, Jen, you'd make so much money doing consulting for the Dark Army! (I know you wouldn't.)
Jen: Haha. Sounds like an interesting second job
Bill: Yeah, but it's weird; they make you wear masks.
Yael: Don't work for the DA you'll end up like poor Angela. It's not worth it, man!
Micah: I think it's realistic that the Dark Army is just using Ubuntu for their C2 clients. Qubes is much farther along today that it was a few years ago. And even with Qubes being so awesome, how many people do you know who use it?
Zach: I like how in the Dark Army's CnC dashboard their implants are installed at real organizations targeted by the Chinese government, like Tibet Action Institute and World Uyghur Congress.
Bill: So once Elliot lands there, you see the URL in his browser: 220.127.116.11. If you navigate there, you get to https://zyajcl2.bxjyb2jvda.net/index. This brings up a login interface, which I couldn't log in to with the same credentials Elliot extracted - username: "garyhost" and password: "hunter2". Guess they changed their passwords.
Matt: So the usernames, hostnames, and malware all reference Gary Host, which was one of the aliases Aaron Swartz used when trying to liberate educational materials from MIT.
Bill: In the scene where Elliot is running the Volatility Foundation Volatility Framework, there's a running process that executes a command from http://192.168.68.228/index. When you visit that URL, you're redirected to https://zyajcl2.bxjyb2jvda.net/index, which gives you a base64 encoded file that looks like a PKZIP file (and that’s what the file command tells you it is), but I couldn't extract it.
Yael: What will happen now? Will Elliot get killed?
Zachary: I hope not, although sounds like it based on what White Rose's assistant said at the end.