Domain: nsa.gov
Stories and comments across the archive that link to nsa.gov.
Comments · 1,061
-
Winzip claim and credibility
I know these guys should know what they are talking about, but it feels a bit strange to take technical advice from someone who claims that "To download and uncompress zipped files you need to have winzip loaded on your local machine." on their XP advice page. I thought even XP could do that without addons, not to mention other OS:es which also seem to manage it just fine.
Maybe they are just sponsored. Or is that "bribed" when it comes to governments? :) -
Re:Great Idea..
This is not remotely new. These things have been around for YEARS, and Slashdot covered them at that time. They were written for the use of other government agencies to secure their systems when using the listed products, but they also have a great deal of value to the public. They follow all the things we've been told over the years -- put up layered defenses, stop using old, broken protocols, use those with better hashes, disable unneeded services, reduce your attack surface... Or do you believe that these are things meant to make it easier for attackers to get in?
The guides are a valuable learning tool, too, and a number of companies have followed the idea. In fact, when Microsoft wrote its own guide for securing Windows 2003, the NSA decided that it was comprehensive enough that they didn't have to write one themselves. NSA even went so far as to mirror it themselves, presumably for government convenience.
The pace of the documentation has slowed significantly; for a while, there was a new guide coming out every month or two. But every so often, they cover new topics such as evaluating wireless IDS, as well as some other more esoteric titles like So Your Boss Bought you a New Laptop...How do you identify and disable wireless capabilities. You can see a complete list of titles here.
Go try reading the original material before criticizing it. You might actually learn something and be able to earn your karma through something other than a cheap shot. -
Re:huh?
The NSA has customers? How long do you think it'll be before Microsoft tries to 'acquire' them as the latest 'innovation' in computer security?
:D
I know you're joking, but I believe the intelligence community generally uses that term. Either "customers" or "consumers", as opposed to "producers", of course. I know most of the government refers to other departments, agencies, and offices as their "customers".
From NSA.GOV on SIGINT:
NSA's SIGINT mission provides our military leaders and policy makers with intelligence to ensure our national defense and to advance U.S. global interests. This information is specifically limited to that on foreign powers, organizations or persons and international terrorists. NSA responds to requirements levied by intelligence customers, which includes all departments and levels of the United States Executive Branch.
And on Information Assurance:
NSA's Information Assurance Directorate invites government employees throughout the nation to take advantage of the products, services, and programs we offer to help you secure your critical information systems. Peruse our TEMPEST product lists and descriptions to find exactly the product you need. Discover what the IAD is doing to ensure the security of the emerging Global Information Grid. Download the latest security guides, or enlist the services of IA professionals to help you engineer secure systems or assess the security of existing systems. Learn more about national-level IA programs like those available through the Interagency OPSEC Support Staff and the Information Assurance Training and Rating Program. Or register for IA-related events and conferences to get up-to-speed on the latest IA technologies. Whatever your Information Assurance needs, the IAD is here to help.
In short, their customers include the entire military, who will receive intelligence reports that may be based on sigint information. Other customers include the state department, which might want to know if the NSA manages to get an intercepted telegram of Germany asking Mexico to declare war on America. Or maybe the president wants to know what kind of porn Usama Bin Laden likes to look at. Either way, according to their website, the NSA is tasked to do this stuff by other agencies, who then use that information to do their job. This gives them bonus points when justifying their budget, so it is the government equivalent of being directly paid to do the work. This is quite definitely a "customer".
On top of that, since the NSA knows so much about communications, networks, computer systems, and the security of these systems, the NSA is the de facto expert, hence they're also responsible for helping ensure that government computer systems are secure. They say they send advisors to help people out, and I'm sure they have some sort of responsibility for classified networks as well. It's in their best interest if the US has a well-secured communications infrastructure. I'd say it's the digital equivalent of using a sniper as a counter-sniper. But this means the entire government is also their customer. At least anyone who needs their computers to be secure.
So yes, I'd say the NSA has a lot of customers.
As for the comments about "the NSA may as well have said that you should just unplug your computer from the internet", I remember an ask.slashdot question a while ago where a guy asked for advice on securing his business computers for some classification certification. A lot of the replies basically said that the computers couldn't be on the internet, period. From my past experiences with having computers online, I'd have to agree that it's a bad idea to have a computer with sensitive data on an open network like the internet. -
Special type of Linux
They secure computers using SELinux
-
Re:Missing Option(s). Kinda.
They do have one about securing a laptop with wireless capabilities...
Howto identify and disable wireless... -
Re:Linux
Informative? Show us a link, because their Current Security Configuration Guides list does not have one.
-
Re:Missing guide?
Where is the guide for linux?
Right here. -
Re:Linux
The NSA has released its own version of Linux, SELinux, the Security Enhanced Linux.
-
not only operating systems,
... but there are also a few guides to the applications security available: http://www.nsa.gov/snac/downloads_all.cfm
my favorites are Cisco IOS and Microsoft CA guides
-
Re:Geritol.
I didn't know there was a Linux distro, so I googled it.
Here is a link for the rest of the curious. -
Re:Not quite microwave
Is there a replica of this in the NSA cryptography museum?
Just answered my own question:
http://www.nsa.gov/museum/museu00029.cfm
The incident in the above-linked article occurred in Moscow, not Hawaii. I don't know whether or not these were separate instances, or if the grandparent poster was in error. -
Re:Nice website
OBLinux: They even have their own linux distro you can download: http://www.nsa.gov/selinux/
-
Re:Nice website
Uh oh, looks like the NSA needs to watch what gets made public on their site.
Crypto gear revealed!
Some of these links are kind of interesting. How many tax dollars have been spent on stuff like this (flash)? -
Re:Nice website
Well in defense of the FBI & CIA, both of their sites provide a lot more information. The SIS site provides minimal information so it's easier to keep it clean. Regardless, the SIS site is not as cool as the NSA's :) (In particular the flash based one, it's one of the few flash sites that are done well).
Regards,
Steve -
Re:Stating the obvious...
I appreciate your clarification but think you're deluding yourself if you don't think you're being nationalistic.
"We did not send out armies of technicians to secretly wire your countries with network cable. "
Really? To my knowledge the US spies on everyone far more than any nation on earth. Here is some more "grand links" for you. What are these 30000 people and billions of dollars for then? (http://www.nsa.gov/).
"the US made the investment in money, time, knowledge, material."
Who exactly is this "US" fellow? Could you please introduce him to me? Did the rest of the world contribute nothing to the Internet and only he/she solitarily invent and support every aspect of it?
I can appreciate that US citizens have spent money on infrastructure. Many citizens of many nations have spent money and effort on various things throughout history. Does this mean we should be indebted to them for the rest of time? (the point of my previous links)
The problem here is what is mine is mine and what is yours is ours. We all know the pitfalls of extreme left wing nationalism. The citizens of the world are also quickly learning the dangers of extremist rightwing nationalistic mentalities as well.
What is freedom if not the ability to share ideas without interference from the state-- whatever and whatever that state may be? Nationalistic attitudes create barriers to free exchange of ideas AND infrastructure.
I don't say this with any malice but if you truly viewed yourself as a global citizen-- you wouldn't choose to qualify yourself as part of your tribe/clan "US citizen".
Warmest regards,
Citizen of earth -
Yes the NSA does
Yes they do http://www.nsa.gov/selinux/info/faq.cfm#I2, the mentioned security enhancements are more like ACL's and policies.
-
Re:Ask the UNIX folk...
There's an easy answer: restrict what root can do. Other things that generally will help include:
- Use a "default deny" policy for *everything*
- Use secure OSes (OpenBSD is probably a good choice if you can't or don't want to use SElinux)
- Keep up with patches
- Ensure that evidence can't (easily) be tampered with (for example, use a remote, dedicated host for syslogging)
- Monitor your logs efficiently; in particular, employ a filter that allows you to suppress messages that are just noise (security-wise, that is) but that shows every log line it does not recognise (there are also filters which will try to do the reverse, but that means you'll risk overlooking important messages)
- Use hardware protection when available (for example, some (?) SCSI disks can be write-protected with a jumper setting - turn it on for the disks you have your /boot and / partitions on; if yours can't, boot from CD)
- Try to actively detect anomalies (for example, use Snort, tripwire and similar tools)
- Perform penetration tests yourself
- Be paranoid - none of your systems should trust any of the other just because they're *your* systems
That's some general advice I can think of right now. None of it is specific to rootkits, of course, but if you do things right, then you most likely won't ever get bitten by something bad - and if you still do, you'll at least be able to keep the damage to a minimum and also find out afterwards just what led to the compromise in the first place.
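The log-filtering item in the list above, as an added example that is not part of the original comment: a filter that suppresses only lines matching known-noise rules and shows everything it does not recognise. The rule names, hosts, addresses and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed syslog-style sample lines (not from any real host).
SAMPLE_LOG = """\
Mar  3 02:10:01 web1 CRON[4121]: (root) CMD (/usr/lib/sa/sa1 1 1)
Mar  3 02:10:07 web1 sshd[4130]: Accepted publickey for deploy from 192.0.2.10 port 50122 ssh2
Mar  3 02:11:15 web1 sshd[4144]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Mar  3 02:12:00 web1 kernel: device eth0 entered promiscuous mode
Mar  3 02:15:01 web1 CRON[4170]: (root) CMD (/usr/lib/sa/sa1 1 1)
Mar  3 02:15:02 web1 CRON[4171]: (root) CMD (/tmp/.x/run)
this line does not even parse as syslog
"""

# Classic syslog header: timestamp, host, program[pid]: message
HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Known noise as (rule name, program, pattern). Hypothetical rules for this
# sample. Patterns must match the WHOLE message, so a line that merely
# contains a noise phrase is still shown.
NOISE_RULES = [
    ("cron-sa1", "CRON",
     re.compile(r"\(root\) CMD \(/usr/lib/sa/sa1 1 1\)")),
    ("ssh-deploy-key", "sshd",
     re.compile(r"Accepted publickey for deploy from 192\.0\.2\.\d+ port \d+ ssh2")),
]


def triage(log_text, rules=NOISE_RULES):
    """Return (shown_lines, suppressed_counts).

    A line is suppressed only when it parses AND a rule for its program
    fully matches its message. Unparseable or unknown lines are shown.
    """
    shown, suppressed = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = HEADER.match(line)
        rule = None
        if parsed:
            rule = next(
                (name for name, prog, rx in rules
                 if prog == parsed["prog"] and rx.fullmatch(parsed["msg"])),
                None,
            )
        if rule:
            suppressed[rule] += 1
        else:
            shown.append(line)
    return shown, suppressed


if __name__ == "__main__":
    shown, suppressed = triage(SAMPLE_LOG)
    for line in shown:
        print("REVIEW:", line)
    # Per-rule counts stay visible so a spike in "noise" is still noticed.
    for name, count in sorted(suppressed.items()):
        print(f"suppressed {count:3d} x {name}")
```

The unexpected cron command and the unparseable line both surface because nothing recognises them, which is the property the comment asks for.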
-
Re:Nasty bugs.
"I'm really tired of people claiming that not running as root is a miracle cure. Yes, it prevents some really nasty trivial attacks, but it doesn't protect your most valuable data (e.g. -- yours)..."
You mean you don't use SELinux? ;) -
What is Vista anyway?
Vista (n) -"A distant view or prospect, especially one seen through an opening, as between rows of buildings or trees"
How apt, because I'm struggling to see through the Microsoft PR to see what Vista really is. We had this problem about five years ago when the marketing team got hold of .NET. .NET was mentioned everywhere from in the server family, to Office, to development tools. When PR gave way to reality, .NET was only a development tool and was really just Microsoft's (good) answer to Java. Nothing like the revolution the PR machine would have you believe.
The question is whether Windows Vista is going to solve a problem for me? The one thing that made XP a solution to my family was the welcome screen. Once they could select their username from a list that made it possible to give each family member an individual and run them in low privileged accounts. This has turned the family computer maintenance problem from a daily hassle to a once in a year activity.
What is Vista going to give me to make my job any easier? The only thing I would have bought Vista for is IE7 because of its nice anti-phishing features but this is going to be available in XP too. Even if this was ever a reason to upgrade, Firefox will likely have these features too in the next couple of months negating the need for Vista.
Feature after feature has been culled from Vista. We've got all these security "enhancements" in it but I can achieve the same in XP by following the NSA's Hardening Guide. Okay, this same level of hardening may be easier for the layman to achieve in Vista but the layman doesn't care about security. When his PC fucks up due to a huge malware problem he just buys a new computer.
The man off the street does not need vista. In fact the man on the street doesn't even need XP. There are plenty of people still using Windows 98 and having a good time. Lord knows how they keep malware off their machine but they do it.
And what about business. WinFS might have been useful, but it was cut. Monad might have been useful, but it was cut too. They've wasted time with Maestro when the open, widely deployed PDF format already exists.
A reorganisation of Microsoft will not help these problems and I suspect the PR team will not save them from inertia this time.
Simon
-
But not just OS X
Solaris too, and even everyone's favorite: Windows
http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1 -
Re:CIA still using OS X?
NSA did a pretty good writeup of Securing Mac OS X Panther Server earlier this year. One can still apply all the recommendations to Tiger Server.
-
More securing OS X links/pdf's etc
http://www.nsa.gov/snac/
http://www.net-security.org/dl/articles/Securing_Mac_OS_X.pdf
http://eq.rsug.itd.umich.edu/software/radmind/
http://homepage.mac.com/hogfish/PhotoAlbum2.html
Best tip (not a flame) - simply don't run any Microsoft software, support open or other vendors software please, also W3C standards, thanks. -
Re:CIA still using OS X?
Oops, guess it was the NSA
-
NSA Guide to Securing Mac OS X (10.3.x)
NSA Guide to Securing Mac OS X (10.3.x)
Although not necessary for very good overall security, the security processes discussed are an interesting read nonetheless. -
Re:Watch MicroSquirm!
- nsa.gov's own page on Security-Enhanced Linux.
- nist.gov's own page on OS X as a Common Criteria Certified OS in its default install.
- The complete list of certified OSes includes Windows 2K Professional, Server, and Advanced Server, but not XP, while Red Hat Enterprise 3 and SuSE Enterprise V8 are certified.
-
Re:Who do they think they are?
Actually, it's a lot more likely that the government has the NSA working on China's (and everyone else's) servers.
The CIA doesn't have anything you wouldn't expect to see on their Scientists, Engineers & Technology career fields page. Pretty standard IT stuff you'd likely see at any large organization.
The NSA, on the other hand, has some very interesting listings under the Computer Science section of their career fields page. They look suspiciously like pleasant euphemisms for very devious behaviour.
- Information Systems Security
- Vulnerability Discovery
-
Re:Don't ask Slashdot
I was going to add the NSA guidelines (http://www.nsa.gov/snac/) but they seem to be off line at the moment.
Fun reading, that :)
Good luck. -
The NSA
http://www.nsa.gov/snac/index.cfm?MenuID=scg10.3.1
Is a good place to look for information about securely configuring various devices and operating systems. And I completely agree with what was said above; talk to your SSO! -
Security
Here's a little how the NSA makes their Macs secure.
http://www.nsa.gov/snac/downloads_macX.cfm/
There is also some more info there on how to secure other platforms,
Combine that with stickers, biometrics http://bssc.sel.sony.com/Professional/puppy/index.html/ and such, you're on your way to very secure computing.
Cheers -
Re: Wow, you seem to know a lot about this
Hey, yell at the Ho Chi Minh revisionist, not me. I'm talking about OPEN agents, not spies or moles.
This might be your cites:
http://www.nsa.gov/venona/index.cfm
I have read ALL of this, btw. Plus lots of other stuff.
The Rosenbergs deserved to die. -
About OTP
Implementing a program that encrypts with an OTP is a no-brainer. Any program capable of doing a bitwise XOR can do it (basically because the algorithm IS a XOR).
There are two BIG problems with OTP:
1) You need a lot of random bits (the good stuff, like this, not your cheap pseudo random numbers). You need exactly as many as your plaintext.
2) You need to securely send a copy to the intended receiver, and make sure the pads are destroyed once used.
Basically, no one does it because it's a real bitch to implement correctly (pad creation) and it's not worth the effort (unless you're using them in a hotline from Washington to Moscow or something like that).
You probably don't want a OTP. If you want something to encrypt your files and recover them with a password, you CERTAINLY don't want a OTP (in fact, you can't have one because the pad is not random, it's pseudo random, generated from the password and thus lacks the important properties of an OTP).
And very important: most companies that sell "One time pad" software usually sell snake oil, so be very careful.
And if you think you can get away with a pseudo random pad, the soviets spent some big time making pads for diplomatic and espionage messages, and made the little mistake of using the pads more than once, you can see the results here. -
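The two requirements in the comment above (a pad as long as the plaintext, destroyed once used), as an added example that is not part of the original comment. `PadBook` and the sample messages are constructed for illustration, and `secrets.token_bytes` stands in for the true-random pad source the comment calls for.

```python
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


class PadBook:
    """Hands out each pad byte exactly once and wipes it afterwards.

    Hypothetical helper: sender and receiver each hold an identical copy
    and consume it in the same order.
    """

    def __init__(self, material: bytes):
        self._pad = bytearray(material)
        self._pos = 0

    def remaining(self) -> int:
        return len(self._pad) - self._pos

    def take(self, n: int) -> bytes:
        if n > self.remaining():
            # Never wrap around or stretch the pad: that would be reuse.
            raise RuntimeError("pad exhausted: refusing to reuse key material")
        chunk = bytes(self._pad[self._pos:self._pos + n])
        self._pad[self._pos:self._pos + n] = bytes(n)  # wipe used bytes
        self._pos += n
        return chunk

    def encrypt(self, plaintext: bytes) -> bytes:
        return xor(plaintext, self.take(len(plaintext)))

    decrypt = encrypt  # XOR is its own inverse


# Constructed sample messages of equal length.
P1 = b"MEET AT NOON 12"
P2 = b"SEND MORE FUNDS"


def round_trip(messages):
    """Correct use: both sides consume fresh pad bytes for every message."""
    total = sum(len(m) for m in messages)
    shared = secrets.token_bytes(total)  # stand-in for a true-random pad
    sender, receiver = PadBook(shared), PadBook(shared)
    return [receiver.decrypt(sender.encrypt(m)) for m in messages]


def pad_reuse_leak(p1: bytes, p2: bytes):
    """Incorrect use: the same pad encrypts two messages.

    Returns (pad_cancels, recovered_p2). XORing the two ciphertexts removes
    the pad entirely, so anyone who knows or guesses p1 reads p2 without
    ever seeing the pad.
    """
    pad = secrets.token_bytes(len(p1))
    c1, c2 = xor(p1, pad), xor(p2, pad)
    combined = xor(c1, c2)
    return combined == xor(p1, p2), xor(combined, p1)


if __name__ == "__main__":
    print(round_trip([P1, P2]))
    print(pad_reuse_leak(P1, P2))
```

Because `take` wipes and advances, a second message can only ever be encrypted with unused pad bytes, and running out of pad is a hard error rather than a silent reuse.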
NSA
Best internship I've had? NSA's Gifted and Talented program.
-
Tommy H. Fscked up
That Tommy H. went to mickeysoft for a web server, citing security as a feature of mickeysoft is a dumbfsck decision. If he were my CXO, I would fire him (kick his butt out the door, and sue him for damages to the company). With Linux, I can get military grade security and stability (quite literally). I can get security enhanced Linux (courtesy of the National Security Agency: http://www.nsa.gov/selinux), and on top of the most-popular-on-the-internet Apache web server, lay down network level security via Fort-Knox-For-Linux, courtesy of the Space and Surface Warfare Command Center, San Diego (U.S. Navy: http://fortknox.sourceforge.net/). I know that Linux can perform extremely well on multi-million dollar computer hardware in the most demanding environments (http://www.forbes.com/home/enterprisetech/2005/03/15/cz_dl_0315linux.html), so with all of the compelling data, I would fire his sorry self, sue him for damages, and beg the Linux distributor to come back. He is either an idiot, or a paid marketing dummy, or both, and shouldn't be in charge of anything more demanding than official pen click-tester. -
Re:Comments from a Monad developer
You should watch the selinux talks (which is a framework for linux to do what you say).
I remember there being a few problems, such as most apps talk to X, so you have to let that through, and then X connects to everything else, so it's like you have a big hole in your sieve.
Also it gets more difficult when you have shared memory etc.
http://www.nsa.gov/selinux/info/faq.cfm -
Lots of good stuff there...
A better link is here. Lots of good stuff from these guys. Worth a look.
-
Re:You are 100% dead-on correct
Dude, it might be THE freakin' NSA, that's why you can't find the North Shore Agency on the net. Hell, they probably posted the GP post just to trick people into thinking it was safe to fuck with them. It's all some sick game to destroy some hapless geek. I read about this sort of thing on that timecube website.
Pay the money, unplug the phone, burn any magnetic media you have and put on a tinfoil hat when you sleep. Then you might just get away with it. -
Re:NSA deciding how to break into Mac computers?
The mentioned NSA security guides for various OS's, routers, and network kit are available here.
I've used the NSA guide for Cisco IOS extensively, and have looked through the Mac OS X one. It's a great running start to securing a new box. But like any security process, you can't stop there.
-
Re:All the information is available elsewhere
Considering that the CIA's World Fact Book is regularly cited on slashdot, and the majority of the data they analyse is from public sources I'm sure you'd be surprised at how much you could probably get from them (You can even take a virtual tour of their campus). Also remember that Larry Wall used to work over at the NSA when he started developing Perl for internal use and that the "No Such Agency" is the hub of SE Linux development. Our secretive spooks are surprisingly willing to share when they can.
-
"Security software" is an oxymoron
You get security by having a secure design. If you need to kludge on some software to take the existing non-secure design and patch it up, that proves that the resulting system is also not going to be secure.
Linux is somewhat ahead in this in that protected memory is part of its "DNA", unlike Windows which ultimately comes from the culture of DOS, which has no protected memory and is not multi-user.
But still, Linux is only just a little bit better. We need to move to real secure designs such as:
-
Re:Minor Mistake...
I don't even think the NSA was around back in the 60's when this was going on.
Yes. They were.
"The National Security Agency was created in November 1952."
And as far as is known, they may well have beaten GCHQ to it, but there's no verifiable record that they did - they say they did, but it's up to you whether you believe them. -
Re:NSA...
Sure you can learn just what kind of supercomputer NSA has operating. Just head on over to https://www.nsa.gov/applyonline/index.html and let them know you are interested.
-
Re:"Most secure computers" - I doubt it
Maybe they should have talked to the NSA. Have you seen their security guides? I can't find it right now, but I remember reading one that involved removing all optical drives, blocking all access to other computers, having your computer hidden by Saddam Hussein's WMD team, etc.
-
Re:Check (point) your VPN/Firewall
And we can trust Cisco to not sell us out either? Implementing anything from another company is risky. Which makes Linux a great thing, an open OS so that the people that deploy it know what's in it. The NSA thinks so, since they make their own located at http://www.nsa.gov/selinux/.
-
The answer to these problems ...
http://www.nsa.gov/selinux/ Security-Enhanced Linux!