Code dumped online came from “Omnipotent” NSA-tied hacking group

Status
Not open for further replies.
Modern Major General Thanatos said:
Novae DeArx said:
So to summarize, now that we are reasonably confident that this is data somehow exfiltrated from the NSA, there's only a couple of possible ways this could have been leaked:

1) A TAO insider exfiltrated the data, which doesn't necessarily explain why the data loss stops with the C&C server changes, or
2) Russians or another state-sponsored agency compromised a US TAO C&C server and siphoned off this data over time, ending with the Snowden revelations because the NSA switched C&C servers.

(2) seems more probable right now, but (1) isn't off the table. We'll have to wait and see what other revelations come to light. Anyone want to make popcorn while we wait?

(3) The NSA is preparing a most epic of honeypots to sell to the highest bidder, and intends to own the bidder.

(4) By publishing the data under the guise of a hack, deniability is created for future hacks using these tools.

They gave up tools they already assume were released by Snowden - so they gave up nothing and they want to see who the bidders are.

Yeah, epic honeypot.
 
Upvote
5 (8 / -3)

KGFish

Ars Legatus Legionis
13,222
Subscriptor++
jeromeyers2 said:
It seems to me that all the mechanisms used to validate the code could also be used to create a hoax. Not saying that that is the case, but if Kaspersky has code available to check against, perhaps their own vaults were pierced?

This is what I don't understand. Here's the story as I've heard it so far:
1) Unknown group releases code on some site that it claims is all secret NSA stuff.
2) Security people the world over compare the code to what is known to be tied to the NSA.
3) Comparison checks out.

To me, the conclusion is:
People put out code that consists of some known NSA code, and some other code.

However, the general conclusion by the security people is:
People put out code that consists 100% of NSA code.

How did they figure that this isn't just a hoax? I also find the analysis odd: the differences are exactly what I got from CS students who tried to pass off each others code as their own: move a few lines around, pretend it's different. However, I've never seen an actual coder just move a few lines around just to make code look different.

To me, this smells like a hoax. I'm curious why the security people, who have far more experience with this, don't. Anyone want to edumacate me on where I'm wrong?

Edit: and yes, the English of the post isn't the English of someone who's bad at English. Yes, I'm getting into Sicilian death games territory here, but none of this smells right.
 
Upvote
11 (13 / -2)

tobias88

Seniorius Lurkius
10
nutela said:
"-0x61C88647 instead of the more standard 0x61C88647 to speed up subtraction operations"

Those numbers are identical, surely a mistake. What interesting properties does this number have?
Why the downvotes for pointing out a typo? Comments on page 1 and some googling suggest that indeed 0x9E3779B9 is the standard, not 0x61C88647.
 
Upvote
13 (14 / -1)

ayemel

Seniorius Lurkius
36
vrDrew99 said:
The one thing that I can't quite get away from is this:

The only people who've spoken publicly about this issue happen to be sitting in Moscow right now. Eugene Kaspersky - a trained former Russian intelligence agent. And Edward Snowden, a man who was given sanctuary in Putin's Russia after betraying his employer and his country

There's Bruce Schneier talking about it too at https://www.schneier.com/
 
Upvote
4 (5 / -1)
vrDrew99 said:
The one thing that I can't quite get away from is this:

The only people who've spoken publicly about this issue happen to be sitting in Moscow right now. Eugene Kaspersky - a trained former Russian intelligence agent. And Edward Snowden, a man who was given sanctuary in Putin's Russia after betraying his employer and his country.

I think the possibility that one or both of them aren't telling the whole truth about this has to be considered.

Quite what the long-term goal here is, I can only speculate.

But let's keep in mind that it was Kaspersky who revealed the existence of the alleged "Equation Group", and that conveniently all of the files and codewords and clues he used to back up his claims had dates of 2013 and prior. Or the same time as Snowden fled to Russia.

Is it possible that this entire thing is an elaborate piece of misinformation? That Kaspersky used information he got from Snowden to essentially create the Equation Group out of thin air? Or from bits and pieces of legitimate (if that's the word) NSA code, combined with what Snowden's Russian debrief told him?

And then we need to ask why this is happening now?

And... resident anti-russian conspiracy theorists are back! I have a theory of my own. How about this: Kaspersky created Stuxnet virus and wrecked Iranian nuclear program so that Russia could implicate US in it?

In all seriousness, are you really surprised that the only people who speak freely about NSA are sitting in Moscow? Did it ever occur to you that perhaps people sitting "outside Moscow" are more afraid of NSA than Putin? There was one dude that was brave enough to speak about NSA openly and how did it go? Yes, he is sitting in Moscow now.
 
Upvote
6 (20 / -14)
divisionbyzero said:
Confirmed? Really? Wow. It doesn't take much. You trust Kaspersky?

Umm...

http://www.npr.org/sections/alltechcons ... ssian-govt

Another propaganda article from the western mass media. They say that Kaspersky "studied cryptography and math at the KGB Higher School." The link provided for additional information on this school points to the article that says the school was created in 1992, i.e. after the break up of the Soviet Union. So this school never was part of KGB but for a stronger propaganda effect the author still decided to call it KGB Higher School playing on the notion of KGB created by Hollywood.

And let me quote the article you linked to:
Soldatov says as far as is known, Kaspersky's relationship with the FSB is little different from other cybersecurity firms' relations with other countries.

"I think in the United States, you have the same thing, when you have companies which help law enforcement to catch cyber criminals. The problem is that relations are not really transparent," he says.
 
Upvote
-5 (10 / -15)

jopaki

Wise, Aged Ars Veteran
159
StillGridlocked said:
Modern Major General Thanatos said:
Novae DeArx said:
So to summarize, now that we are reasonably confident that this is data somehow exfiltrated from the NSA, there's only a couple of possible ways this could have been leaked:

1) A TAO insider exfiltrated the data, which doesn't necessarily explain why the data loss stops with the C&C server changes, or
2) Russians or another state-sponsored agency compromised a US TAO C&C server and siphoned off this data over time, ending with the Snowden revelations because the NSA switched C&C servers.

(2) seems more probable right now, but (1) isn't off the table. We'll have to wait and see what other revelations come to light. Anyone want to make popcorn while we wait?

(3) The NSA is preparing a most epic of honeypots to sell to the highest bidder, and intends to own the bidder.

(4) By publishing the data under the guise of a hack, deniability is created for future hacks using these tools.

They gave up tools they already assume were released by Snowden - so they gave up nothing and they want to see who the bidders are.

Yeah, epic honeypot.

I speculate an intentional leak considering possibly new and working attack vectors obsoleting the old toolbag.
 
Upvote
0 (0 / 0)

Studbolt

Ars Scholae Palatinae
936
lkpentil said:
In all seriousness, are you really surprised that the only people who speak freely about NSA are sitting in Moscow? Did it ever occur to you that perhaps people sitting "outside Moscow" are more afraid of NSA than Putin? There was one dude that was brave enough to speak about NSA openly and how did it go? Yes, he is sitting in Moscow now.

Are we not speaking freely about the NSA? People all over the US speak freely about the NSA. It's mostly people in the NSA that feel somewhat inhibited.
 
Upvote
12 (14 / -2)
Studbolt said:
lkpentil said:
In all seriousness, are you really surprised that the only people who speak freely about NSA are sitting in Moscow? Did it ever occur to you that perhaps people sitting "outside Moscow" are more afraid of NSA than Putin? There was one dude that was brave enough to speak about NSA openly and how did it go? Yes, he is sitting in Moscow now.

Are we not speaking freely about the NSA? People all over the US speak freely about the NSA. It's mostly people in the NSA that feel somewhat inhibited.

Of course we speak freely about NSA. But that's because we do not know anything about it. People with any real facts about NSA on the other hand are much less talkative.
 
Upvote
10 (14 / -4)

Studbolt

Ars Scholae Palatinae
936
lkpentil said:
divisionbyzero said:
Confirmed? Really? Wow. It doesn't take much. You trust Kaspersky?

Umm...

http://www.npr.org/sections/alltechcons ... ssian-govt

Another propaganda article from the western mass media.

Here in the West, we don't trust our mass media not to be unprofessional or uninformed, but we do trust them not to be working for the State. If they were working for the State, the other press would be pointing at them like Body Snatchers.
 
Upvote
6 (10 / -4)
aleph_nought said:
All that commenting and no one mentioned the Mass Effect reference?

I think all state-backed hacking groups should stick to non-unique ways of coding instead of putting fingerprints all over their code.

Nah.. NSA should learn something from the likes of RIAA and MPAA. Just copyright their malwares. :D
Given how effective US copyright enforcement has proven to be in getting hold of and prosecuting offenders hiding in the farthest corners of the galaxy, other hackers would rather write their own. /s
 
Upvote
3 (5 / -2)
aPerson#847 said:
So, considering the dates on the files and all that, it seems that Snowden did a bit more than reveal the extent of the US's surveillance network. It seems he took a weapon too, and gave it to the Russians. I wonder if he took the system to process the information the weapon collects.

The man just went from being a patriot to being an opportunistic traitor selling us out to the highest bidder.

Do you get paid by NSA for posts like these?
 
Upvote
19 (24 / -5)

KGFish

Ars Legatus Legionis
13,222
Subscriptor++
Some interesting commentary from probably the only person in the world who can talk with authority about what this is, Snowden: https://twitter.com/Snowden/status/765514891813945344.

So this might be real, might be somewhat dated, and may not mean a complete infiltration of the NSA. We even have motive now.

The murky world of cyber-espionage just got a bit more interesting.
 
Upvote
5 (6 / -1)

orome

Wise, Aged Ars Veteran
100
Studbolt said:

3. There are probably four or five different narratives being pumped into the US right now, causing a great deal of confusion, agitation, loss of confidence in society and/or the government, loss of confidence in democracy, alienation between social groups, and dysfunction in the US political process.

you need russians to cause loss of confidence, alienation, and dysfunction of the US political system? i'd say they have been doing pretty decent job on their own ...

I bet the russians are also spreading potato beetle to ruin the agriculture
 
Upvote
7 (9 / -2)

beebee

Ars Tribunus Angusticlavius
8,865
tobias88 said:
nutela said:
"-0x61C88647 instead of the more standard 0x61C88647 to speed up subtraction operations"

Those numbers are identical, surely a mistake. What interesting properties does this number have?
Why the downvotes for pointing out a typo? Comments on page 1 and some googling suggest that indeed 0x9E3779B9 is the standard, not 0x61C88647.

Except the author hadn't changed the article, so maybe it is not a typo.

Mind you my mind is still confused how using a negative constant saves time. But I assume there is some nuance someone will explain eventually in the comments.

Down votes are supposed to be when you write how much only your aunt made in her jammies on the Internet.
 
Upvote
0 (4 / -4)
Studbolt said:
lkpentil said:
divisionbyzero said:
Confirmed? Really? Wow. It doesn't take much. You trust Kaspersky?

Umm...

http://www.npr.org/sections/alltechcons ... ssian-govt

Another propaganda article from the western mass media.

Here in the West, we don't trust our mass media not to be unprofessional or uninformed, but we do trust them not to be working for the State. If they were working for the State, the other press would be pointing at them like Body Snatchers.

Do you really believe the media isn't working with the state in the west? Really?
 
Upvote
2 (13 / -11)

v3rlon

Ars Scholae Palatinae
805
I do not know why this surprises anyone. We've known since at least the 1980s from movies, and more like the plain 80s from anecdotal experience:
Those most capable of creating advanced programs are the easiest to victimize with a pretty face and social engineering. It's not rocket science. It's rocket scientists who want to get laid.
 
Upvote
-7 (1 / -8)
beebee said:
Mind you my mind is still confused how using a negative constant saves time. But I assume there is some nuance someone will explain eventually in the comments.
One explanation could be that the CPU can perform an addition faster than a subtraction.
 
Upvote
-1 (0 / -1)
thecrazybishop said:
Donald Trump has one simple question about this. Why can't we just nuke them?

Sane answer to an insane question: Because if "you" nuke "them", be assured "they" will nuke "you" back, with a vengeance.
 
Upvote
1 (4 / -3)

orome

Wise, Aged Ars Veteran
100
pjlahaie said:
beebee said:
Mind you my mind is still confused how using a negative constant saves time. But I assume there is some nuance someone will explain eventually in the comments.
One explanation could be that the CPU can perform an addition faster than a subtraction.
subtraction and addition are usually the same operation in the ALU, with subtraction adding two's complement transformation before feeding the data to the adder (so you basically do a + ~b + 1). my theory is that you save the time to do the two's complement transformation.
I'd be surprised to see any measurable difference (the transformation can be done in the same cycle). even if there was benefit to doing so, constant transformation is well within capabilities of any modern compiler, so it's probably just a relic of coding habits from the 80's.

PS: this is based on generic CPU architecture knowledge. someone with more detailed info about ALU pipelines, feel free to correct me
 
Upvote
7 (7 / 0)

bigcheese

Ars Praetorian
577
Subscriptor
orome said:
pjlahaie said:
beebee said:
Mind you my mind is still confused how using a negative constant saves time. But I assume there is some nuance someone will explain eventually in the comments.
One explanation could be that the CPU can perform an addition faster than a subtraction.
subtraction and addition are usually the same operation in the ALU, with subtraction adding two's complement transformation before feeding the data to the adder (so you basically do a + ~b + 1). my theory is that you save the time to do the two's complement transformation.
I'd be surprised to see any measurable difference (the transformation can be done in the same cycle). even if there was benefit to doing so, constant transformation is well within capabilities of any modern compiler, so it's probably just a relic of coding habits from the 80's.

PS: this is based on generic CPU architecture knowledge. someone with more detailed info about ALU pipelines, feel free to correct me

Why do you assume that the algorithm was altered to increase performance? Is the standard RC6 algo not fast enough?

I would rather think this "optimization" has to do with virus protection tools looking for the commonly used constant and this being simply an attempt to throw everyone off.
 
Upvote
10 (11 / -1)

Fristie Blade

Ars Tribunus Militum
1,715
Subscriptor++
No need to look at the contents of the code to link it to the US. The dates in the changelog are in MM/DD/YY format. As far as I know that is a US-only format. Usage of that pattern and the general ignorance in the US that others don't use their format gives me enough comfort to assume this is "made in the USA".
 
Upvote
11 (11 / 0)
orome said:
subtraction and addition are usually the same operation in the ALU, with subtraction adding two's complement transformation before feeding the data to the adder (so you basically do a + ~b + 1). my theory is that you save the time to do the two's complement transformation.
And you save the energy to do that transform. I'm not saying that's why they did it but it could be. CPUs have always had strange instruction performance characteristics. I (very) vaguely remember a somewhat common C statement that was best encoded using instruction X on a 486, using Y on a Pentium and back to using X on the Pentium Pro.

Parts of me want to say "* 2" using shift vs the multiply instruction but it was so long ago I forget the details.
 
Upvote
0 (0 / 0)

beebee

Ars Tribunus Angusticlavius
8,865
pjlahaie said:
beebee said:
Mind you my mind is still confused how using a negative constant saves time. But I assume there is some nuance someone will explain eventually in the comments.
One explanation could be that the CPU can perform an addition faster than a subtraction.

In two's complement, the operation is the same.

One thing to keep in mind is these crypto guys don't always run compilers at the highest level of optimization, so maybe with optimization turned off or at a low setting, using the negative constant is more efficient.

If you run at too high of an optimization level, tricks these crypto coders do for security get undone. For instance if you set a variable or array to zero so it won't be left on the stack to be hacked, a compiler can see you wrote to the variable or array but didn't read it, which to the compiler is not efficient coding, but to the security freak, is something that should be done.
 
Upvote
2 (3 / -1)
beebee said:
pjlahaie said:
beebee said:
Mind you my mind is still confused how using a negative constant saves time. But I assume there is some nuance someone will explain eventually in the comments.
One explanation could be that the CPU can perform an addition faster than a subtraction.
In two's complement, the operation is the same.
Except performing the ~ operation might add a cycle to the execution time. It can also require extra energy to perform.
One thing to keep in mind is these crypto guys don't always run compilers at the highest level of optimization, so maybe with optimization turned off or at a low setting, using the negative constant is more efficient.
Also if there is a performance/power advantage to using the addition, a good optimizing compiler will automatically convert the - <constant> operation into a + (~<constant>+1) operation which would negate doing it in the code.

Another reason (as was somewhat pointed to earlier) is that the well known constant won't show up while disassembling the code. Chances are if you see subtract 0x9E3779B9 in the instruction stream you're looking at code implementing RC6.
 
Upvote
3 (3 / 0)
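An added example, not code from the thread or from the Kaspersky report, that checks the arithmetic the posters above are arguing over and then shows why beebee's disassembly point cuts both ways for a defender: x + 0x9E3779B9 and x - 0x61C88647 agree for every 32-bit x, so the RC6 S-table initialisation comes out identical, but a signature that only looks for the standard immediate misses the negated form. The x86 opcode bytes in the two samples are constructed for this illustration (05 id is "add eax, imm32", 2D id is "sub eax, imm32").

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RC5/RC6 key-schedule constants for 32-bit words, as published with the
 * ciphers: P = Odd((e-2) * 2^32), Q = Odd((phi-1) * 2^32). */
#define RC6_P     0xB7E15163u
#define RC6_Q     0x9E3779B9u
/* The form the thread is arguing about: Q negated modulo 2^32. */
#define RC6_Q_NEG 0x61C88647u

/* Reference form of one key-schedule step: S[i] = S[i-1] + Q. */
uint32_t step_add_q(uint32_t s) { return s + RC6_Q; }

/* Negated-constant form: S[i] = S[i-1] - (-Q). */
uint32_t step_sub_negq(uint32_t s) { return s - RC6_Q_NEG; }

/* 1 if both forms agree for this input. They do for every 32-bit value,
 * because RC6_Q + RC6_Q_NEG == 2^32 and uint32_t arithmetic wraps. */
int forms_agree(uint32_t s) { return step_add_q(s) == step_sub_negq(s); }

/* Build the RC6 S-table initialisation (2r+4 = 44 words for r = 20 rounds)
 * both ways and report whether the two tables are byte-identical. */
int rc6_init_tables_agree(void) {
    enum { WORDS = 44 };
    uint32_t s_std[WORDS], s_neg[WORDS];
    s_std[0] = s_neg[0] = RC6_P;
    for (int i = 1; i < WORDS; i++) {
        s_std[i] = step_add_q(s_std[i - 1]);
        s_neg[i] = step_sub_negq(s_neg[i - 1]);
    }
    return memcmp(s_std, s_neg, sizeof s_std) == 0;
}

/* Detection side. Bit 0: standard Q seen, bit 1: negated Q seen.
 * Values are read little-endian, the way a 32-bit immediate sits in x86 code. */
#define SEEN_STD 1u
#define SEEN_NEG 2u

unsigned scan_for_rc6_q(const uint8_t *buf, size_t len) {
    unsigned seen = 0;
    for (size_t i = 0; i + 4 <= len; i++) {
        uint32_t v = (uint32_t)buf[i]
                   | (uint32_t)buf[i + 1] << 8
                   | (uint32_t)buf[i + 2] << 16
                   | (uint32_t)buf[i + 3] << 24;
        if (v == RC6_Q)     seen |= SEEN_STD;
        if (v == RC6_Q_NEG) seen |= SEEN_NEG;
    }
    return seen;
}

/* Constructed sample bytes (not taken from the leak): "add eax, imm32" with
 * the standard constant, and "sub eax, imm32" with the negated one. Both
 * compute the same key schedule; a rule keyed only on 9E 37 79 B9 flags the
 * first and misses the second, so a defender's signature must cover both. */
const uint8_t SAMPLE_ADD_FORM[] = { 0x05, 0xB9, 0x79, 0x37, 0x9E };
const uint8_t SAMPLE_SUB_FORM[] = { 0x2D, 0x47, 0x86, 0xC8, 0x61 };

unsigned scan_add_sample(void) {
    return scan_for_rc6_q(SAMPLE_ADD_FORM, sizeof SAMPLE_ADD_FORM);
}
unsigned scan_sub_sample(void) {
    return scan_for_rc6_q(SAMPLE_SUB_FORM, sizeof SAMPLE_SUB_FORM);
}

int main(void) {
    printf("forms agree for 0, 0xFFFFFFFF, 0x12345678: %d %d %d\n",
           forms_agree(0), forms_agree(0xFFFFFFFFu), forms_agree(0x12345678u));
    printf("RC6 S-table identical either way: %d\n", rc6_init_tables_agree());
    printf("add-form sample -> mask %u, sub-form sample -> mask %u\n",
           scan_add_sample(), scan_sub_sample());
    return 0;
}
```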

MalEbenSo

Ars Scholae Palatinae
1,234
Subscriptor
Einstein76 said:
Studbolt said:
lkpentil said:
divisionbyzero said:
Confirmed? Really? Wow. It doesn't take much. You trust Kaspersky?

Umm...

http://www.npr.org/sections/alltechcons ... ssian-govt

Another propaganda article from the western mass media.

Here in the West, we don't trust our mass media not to be unprofessional or uninformed, but we do trust them not to be working for the State. If they were working for the State, the other press would be pointing at them like Body Snatchers.

Do you really believe the media isn't working with the state in the west? Really?
By and large ... yes.

I will see your response with anecdotal evidence, where western mass media was working with the state, and raise you two examples of the opposite.
(Actually, I could make that ten or more ... I picked "two" out of laziness. ;) )
 
Upvote
-3 (1 / -4)

AxMi-24

Ars Legatus Legionis
10,347
Studbolt said:
Trying to make sense of the last few months' activities on the part of various actors, combined with watching what's posted on Russian agitprop websites like RT and zerohedge, is giving me an old familiar feeling I remember while being taught to hide under my desk during a nuclear attack. For those who weren't alive during the Cold War, a great deal of this must not seem real.

I've come to the following conclusions:

1. The US is being attacked right now by Russia in a way that goes well beyond what one might normally shrug off as the normal tradecraft between nations. My guess is that after a great deal of success in Europe, Russia felt confident enough that they could open up on the US at maybe the level they were using on Ukraine in about the 2001-2004 period.

2. The advanced measures include a great deal of agitprop, being released through a lot of websites. I hear versions being repeated word for word out of the mouths of street people and political candidates and everyone in between, from every corner of the political spectrum. Lots of useful idiots and fellow travelers out there right now.

3. There are probably four or five different narratives being pumped into the US right now, causing a great deal of confusion, agitation, loss of confidence in society and/or the government, loss of confidence in democracy, alienation between social groups, and dysfunction in the US political process.

4. Syria is a weapon to pump refugees into Europe and the USA and destabilize NATO countries.

I'm just beginning to be aware of the scope of everything that's happening, but there are lots of other people more paranoid than I who have been aware of what's going on long before I got there. Generally they're people who study Russian history. Some time, when I feel like I have the time to do so, I'm going to sit down and write out the various narratives, strategic goals, and attack vectors, just for organizational edification. That's about all I can do.

I think what's happening right now is the most serious threat to the United States (and Europe) since WWII. I'm amazed at how effective it's been, and how easily it's happened right under our noses. Europe is being divided, and the United States has been effectively neutered.

1) US is doing the exact same to Russia and many other countries (see recent "elections" in South America for quality US approach).

2) It's not like US media is all objective as holy fuck. Most of the Americans on this very site are making fun of Fox for being nothing but PR. It's obvious that reality is grey rather than black/white which means there are many points of view and just because you don't agree with them doesn't mean that they are wrong.

3) See 2. Every side is pushing its own narrative. Even inside a same country the stories are different based on who owns the media you are looking at.

4) It is US and its Arab pets that are supporting the Jihadists in Syria and have created the whole war, just like Libya. It is NATO member Turkey that is threatening EU with refugees and has our dear Merkel needing a change of pants.
 
Upvote
-8 (4 / -12)

AxMi-24

Ars Legatus Legionis
10,347
MalEbenSo said:
Einstein76 said:
Studbolt said:
lkpentil said:
divisionbyzero said:
Confirmed? Really? Wow. It doesn't take much. You trust Kaspersky?

Umm...

http://www.npr.org/sections/alltechcons ... ssian-govt

Another propaganda article from the western mass media.

Here in the West, we don't trust our mass media not to be unprofessional or uninformed, but we do trust them not to be working for the State. If they were working for the State, the other press would be pointing at them like Body Snatchers.

Do you really believe the media isn't working with the state in the west? Really?
By and large ... yes.

I will see your response with anecdotal evidence, where western mass media was working with the state, and raise you two examples of the opposite.
(Actually, I could make that ten or more ... I picked "two" out of laziness. ;) )

Remember the Sony email hack? The one that showed the White House reaching out to the media industry to get the "correct" narrative in the media? Remember how everyone concentrated on the "NK hacked us, bad NK" instead of on the actual content?
 
Upvote
-6 (1 / -7)

n233g16

Seniorius Lurkius
1
mehaase said:
nutela said:
"-0x61C88647 instead of the more standard 0x61C88647 to speed up subtraction operations"

Those numbers are identical, surely a mistake. What interesting properties does this number have?

According to this (http://www.agner.org/optimize/instruction_tables.pdf), addition and subtraction are equivalent operations. But the geniuses at NSA can't be entirely wrong. Can anybody explain this optimization?

"In most publicly available RC5/6 code, this constant is usually stored as 0x9E3779B9, which is basically -0x61C88647 … Since an addition is faster on certain hardware than a subtraction, it makes sense to store the constant in its negative form and adding it instead of subtracting" (Kaspersky PDF, p. 23)

It all depends on the Arithmetic and Logic Unit (ALU), I believe. If the ALU is designed in a way that it uses 2 clocks for SUB and 1 clock for ADD, it makes sense to use one of the operands as a negative.
 
Upvote
5 (5 / 0)

cbreak

Ars Praefectus
5,929
Subscriptor++
beebee said:
pjlahaie said:
beebee said:
Mind you my mind is still confused how using a negative constant saves time. But I assume there is some nuance someone will explain eventually in the comments.
One explanation could be that the CPU can perform an addition faster than a subtraction.

In two's complement, the operation is the same.

One thing to keep in mind is these crypto guys don't always run compilers at the highest level of optimization, so maybe with optimization turned off or at a low setting, using the negative constant is more efficient.

If you run at too high of an optimization level, tricks these crypto coders do for security get undone. For instance if you set a variable or array to zero so it won't be left on the stack to be hacked, a compiler can see you wrote to the variable or array but didn't read it, which to the compiler is not efficient coding, but to the security freak, is something that should be done.

If you rely on not compiling optimized for security, then you're an idiot. There are proper ways to do this, i.e. by using a library function for secure erase, or by using volatile writes.
 
Upvote
-2 (1 / -3)
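An added example, not code from the thread, of the two "proper ways" cbreak names for the scrubbing problem beebee describes: a zeroing loop through a volatile pointer, and memset called through a volatile function pointer, beside the plain memset a compiler is allowed to drop as a dead store. The key bytes are a constructed stand-in, and the dead-store elimination itself is only visible in the generated assembly (compile with optimisation and compare the three scrub functions), not in the return values here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef void (*scrub_fn)(uint8_t *, size_t);

/* Plain memset just before the buffer dies. Because nothing reads the
 * buffer afterwards, the optimiser may treat the stores as dead and
 * remove them, leaving the secret on the stack. */
void scrub_plain(uint8_t *buf, size_t n) {
    memset(buf, 0, n);
}

/* Option 1: write through a volatile pointer. Every store is then an
 * observable side effect the compiler must emit at any optimisation level. */
void scrub_volatile(uint8_t *buf, size_t n) {
    volatile uint8_t *p = buf;
    while (n--) {
        *p++ = 0;
    }
}

/* Option 2: call memset through a volatile function pointer. The compiler
 * cannot prove which function is called, so it cannot elide the call.
 * Library routines such as explicit_bzero or memset_s serve the same
 * purpose where they are available. */
static void *(* volatile memset_ptr)(void *, int, size_t) = memset;

void scrub_via_volatile_fnptr(uint8_t *buf, size_t n) {
    memset_ptr(buf, 0, n);
}

/* Constructed stand-in for key material (not real key data). */
void fill_secret(uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) {
        buf[i] = (uint8_t)(0xA5 ^ (i * 37));
    }
}

size_t count_nonzero(const uint8_t *buf, size_t n) {
    size_t nz = 0;
    for (size_t i = 0; i < n; i++) {
        nz += buf[i] != 0;
    }
    return nz;
}

#define SECRET_LEN 32

/* Nonzero bytes in a freshly derived secret, before any scrubbing. */
size_t fresh_secret_nonzero(void) {
    uint8_t secret[SECRET_LEN];
    fill_secret(secret, sizeof secret);
    return count_nonzero(secret, sizeof secret);
}

/* Derive a secret into a stack buffer, scrub it with the chosen method,
 * and report how many bytes are left nonzero while the buffer is still
 * in scope. All three methods return 0 here; the difference between them
 * is whether the stores survive when the buffer is never read again. */
size_t leftover_after(scrub_fn scrub) {
    uint8_t secret[SECRET_LEN];
    fill_secret(secret, sizeof secret);
    scrub(secret, sizeof secret);
    return count_nonzero(secret, sizeof secret);
}

int main(void) {
    printf("fresh secret: %zu nonzero bytes\n", fresh_secret_nonzero());
    printf("plain memset:        %zu left\n", leftover_after(scrub_plain));
    printf("volatile writes:     %zu left\n", leftover_after(scrub_volatile));
    printf("volatile fn pointer: %zu left\n", leftover_after(scrub_via_volatile_fnptr));
    return 0;
}
```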

orome

Wise, Aged Ars Veteran
100
bigcheese said:
orome said:
subtraction and addition are usually the same operation in the ALU, with subtraction adding two's complement transformation before feeding the data to the adder (so you basically do a + ~b + 1). my theory is that you save the time to do the two's complement transformation.
I'd be surprised to see any measurable difference (the transformation can be done in the same cycle). even if there was benefit to doing so, constant transformation is well within capabilities of any modern compiler, so it's probably just a relic of coding habits from the 80's.

PS: this is based on generic CPU architecture knowledge. someone with more detailed info about ALU pipelines, feel free to correct me

Why do you assume that the algorithm was altered to increase performance? Is the standard RC6 algo not fast enough?

I would rather think this "optimization" has to do with virus protection tools looking for the commonly used constant and this being simply an attempt to throw everyone off.

performance is mentioned both in the article:
"... to speed up subtraction operations ..."
and the kaspersky blog:
"Since an addition is faster on certain hardware than a subtraction, ..."
 
Upvote
3 (3 / 0)

orome

Wise, Aged Ars Veteran
100
pjlahaie said:
orome said:
subtraction and addition are usually the same operation in the ALU, with subtraction adding two's complement transformation before feeding the data to the adder (so you basically do a + ~b + 1). my theory is that you save the time to do the two's complement transformation.
And you save the energy to do that transform. I'm not saying that's why they did it but it could be. CPUs have always had strange instruction performance characteristics. I (very) vaguely remember a somewhat common C statement that was best encoded using instruction X on a 486, using Y on a Pentium and back to using X on the Pentium Pro.

Parts of me want to say "* 2" using shift vs the multiply instruction but it was so long ago I forget the details.

it'd be strange to see hackers concerned about energy use of their victim computers :), monitoring energy use would be a novel way of detecting malware.

there are plenty of old school asm tricks in the x86 world:
using xor %eax, %eax instead of mov %eax, 0,
using shifts instead of multiplication and division,
using NOP instructions of different width based on how much padding you want, ...

modern compilers know these tricks and use them when it's beneficial. occasionally an instruction gets a more optimized micro-op implementation in a newer CPU generation. that's why compilers have per-CPU instruction latency tables to pick the one most fitting for the target machine
 
Upvote
0 (1 / -1)