Released under the MIT license with crown copyright. Looks like a plain ol' Flask application. I don't know what I was expecting from the government. Maybe more Microsoft and more Oracle, more "enterprise". And the git history goes back ten months with an initial commit of December 21, 2016.
I'm actually surprised to learn that CSE would be in charge of such a thing. I would have thought that this fell under the role of Canadian Security Intelligence Services. We definitely don't hear a lot about CSIS or CSE in the news to the point that I think most Canadians might have a hard time expanding those acronyms or know what they mean. It's good to see a little more transparency from them and to not have to wait for NSA leaks to figure out what their Canadian counterparts are up to.
CSE is comparable to America's NSA in general function and scope. While CSIS does intelligence work with computers and hires a lot of programmers and analysts, CSE is traditionally the more technologically-focused of the two. You also hear significantly less about it than even CSIS.
Well we do know they successfully hacked the Brazilian government in the interests of private oil companies? That's something isn't it?
> CSEC had been meeting with the heads of our country’s largest energy companies and debriefing them on all the secrets they’ve stolen from Brazil’s mining and energy ministries.
CSIS likes very much to not be in the news. They seem to actively work to stay unknown. I've heard, but cannot verify, that they are the only government agency that is not required to have a "Government of Canada dept X" sign outside their buildings. They do have them outside some buildings, but not all buildings.
I had a colleague that applied, and was subsequently interviewed for a position with CSIS. He said he was instructed to go to a large office tower in Toronto, go to x floor and ask for a particular person. Nothing was labelled as CSIS.
I had a friend in Israel who, for part of her induction into her mandatory 18mo IDF service, was scheduled for an interview with the Israeli intelligence service.
In preparation for the interview, they sent her the address, a map showing the building, and marked three separate entrances and how to get to their office from them: the main entrance, a side entrance, and one off the alley behind the building (which I assume is closer to parking? maybe?).
It was very weird. I think she decided just to go in through the lobby.
Yup. I also can't verify much, but I know a person who performed electrical work in one of their buildings and you wouldn't even know that building belonged to CSIS.
If you read through the Snowden leaks you'll see just how normal the CSE is. If you're a reasonably good hacker think how you'd do it. They probably do it kinda like that.
They've been given additional powers lately to expand surveillance on regular citizens, so I wonder how much that "sweet innocence" of theirs will last and how long until they also become more like the NSA, especially under a conservative government in the (near) future.
They can spy on Americans, the NSA can spy on Canadians, and the two governments can freely share information between each other. (Because it's not information about their own citizens.) Canada is one of the five eyes, after all.
Anecdotal, but I was in an Oracle University training course last year with someone who confirmed, in an indirect and vague way, that he worked for the CSE. We were training on Oracle Database 12. He had plenty of "real world scenario" questions.
> Assemblyline is described by CSE as akin to a conveyor belt: files go in, and a handful of small helper applications automatically comb through each one in search of malicious clues. On the way out, every file is given a score...
This sounds like it could sit nicely between Github and CI (Jenkins/Travis/Circle/etc), and be a pre-integration security scan. Can we name it Sherlock?
A cynic, and, perhaps, a realist could consider their motivation to be fairly similar to that of a private blackhat attempting to purge foreign malware on hosts that they own, or may want to own. Exclusive control being always preferable to competing control.
I'd be far more impressed and grateful if these state services released disclosures and actual patches for complex zero-day vulns, particularly in unmaintained, widely deployed closed-source products such as WinXP. 8-Ball says that is 'Unlikely' though.
I don't find my answer, I just have one question: does it send any "usage stats" or "unknown files" back to them? If your computer establishes any kind of connection with their center it wouldn't be only something for the public, they'd also benefit.
That isn't necessarily a bad thing but seems important enough to be discussed.
Interesting, Kaspersky is constantly maligned for simply being USED by Russian spy agencies, or "having associations with" them. Russia and China now demand audits of security software from the USA. Countries build their own national Linuxes now that Windows phones home all your passwords, for the CIA and NSA to easily backdoor or get via an order.
So, why would anyone trust a spy agency's software? Only if it's all open source.
An interesting inclusion but it makes sense as it seems to work by hitting up all possible scanners (both remote and local). The consensus from security people seems to be to use multiple AV products, if you insist on using them at all...
This tool will get extra scrutiny given it's coming from a spy agency and is OSS. That's not usually how spy agencies operate, too overt. Besides, they seem to have no problem quietly hacking your browser remotely with the click of a button with Quantum anyway.
I'm still not going to use it but I wouldn't personally be overly worried vs any other mainstream antivirus.
> … files go in, and a handful of small helper applications automatically comb through each one in search of malicious clues. On the way out, every file is given a score, which lets analysts sort old, familiar threats from the new and novel attacks that typically require a closer, more manual approach to analysis.
Again, unsurprising since the CSE / CST main page doesn't have HSTS.
3. This part of the original version of the README is interesting:
<README SNIPPET>
#### License (or lack thereof) and Conditions of use
As is fairly evident, we haven't selected a license for this project as of yet. As discussed when members were first granted read access to the repository, dissemination is based on the premise of originator controlled. If you feel there are other partners that would benefit from an early view and would be able to contribute, please contact the project leads and we should be able to sort it out.
We will soon be splitting the platform and services into two separate repo's, so please treat the services as slightly more sensitive than the platform itself, ie: release it and perish!!! ... but seriously, we do not grant anyone the right to do anything other than deploy the platform and use it. No sharing, presenting, etc without our knowledge.
We hope to have a clear release plan soon.
</README SNIPPET>
So it looks like they passed it around a bit either internally in the CSE or to a wider audience that may have included other departments. Probably getting more eyes on it to stop something stupid from going out.
It's a Canadian government rule that even URLs have to be bilingual.
E.g. you can't have http://host.ca/news (with bilingual text on the page); it has to be http://host.ca/news_nouvelles
This is only for fed government sites.
I bet it's because advocates for exact language equality don't look at the code. They can see the URL in the browser. But they look no deeper. Probably just as well, as you demonstrate.
https://bitbucket.org/cse-assemblyline/assemblyline/src