Domain: nsa.gov
Stories and comments across the archive that link to nsa.gov.
Comments · 1,061
-
Re:Just put up a sign
Cops? You mean like these cops?
-
Re:Interesting Military Application
If deployed in the field, special ops soldiers can approach a terrorist safehouse, and activate this device to hack into any cell phone that may be vulnerable. Then they could simply listen in on the safehouse without ever being even 500 feet away, and can discern their movement if necessary.
Instead of putting troops at risk on the ground trying to hack an individual phone, our intelligence community can just intercept the communication once it reaches a cell tower or satellite. Indeed, intercepted phone messages are a mainstay of the US government's signals intelligence program.
By the time special forces are there on the ground, they aren't going to be using their rifles for hacking.
-
Re:How feasible is this?
Computer Science careers at NSA
And I quoteth:
It's been said that the systems environment we offer is a veritable fantasyland for computer science, with vast networks that manipulate huge volumes of data and accomplish information analysis at mind-boggling speeds.
* Consider acres of hardware
* software years ahead of current commercial technology
* microprocessor-based advances
* over-the-horizon supercomputers
* leading-edge activities in programming, signals (including analog control), GUI's, AI, neural nets, information security, the design and implementation of encryption algorithms, and far beyond.
On the other career pages, you'll find that NSA has the philosophy of "building what they cannot buy" (paraphrased).
-
Re:Now...
The United States should be using an open source platform developed in the United States and created for the United States.
Maybe some variant of *BSD? Or maybe something like SELinux?...
I think $Federal_Government (USA or otherwise) ought to have a team of code security-auditing specialists that go over potentially useful (to the government) open-source projects and certify them as good...
-
Re:Not DoD .. NSA
If you feel that I was trying to say that this is a conspiracy... I'm sorry. I certainly didn't mean to leave that impression.
I mean to say that the NSA is watching Linux for the same reason that most of us watch the sidewalk while walking on it. The Security Enhanced Linux project is alive and well. I would hardly call it a mere proof of concept, as they've been keeping up with new kernel releases very actively.
Somebody in the government is using SELinux. The NSA is enhancing it, and auditing it. If you read the NSA Information Assurance mission statement, they are actively involved in internet security - including Linux. It's not a conspiracy if the government is watching the stuff that they are using!
-
Re:If OSS weren't so proud we'd have our COM.
MS does have role-based security built into the kernel, which Linux doesn't.
Nope, sorry.
Look here: a complete RBAC system with Mandatory Access Controls.
And before you start about the many warnings about its experimental nature, that is only valid if you get it from the source. The version that is currently integrated in the stable production kernel is just that: stable and production ready.
Mart
-
Re:It's the implementation
The NSA seems to follow the GPL source code rule.
However, I think you are right. So long as they don't distribute outside of their organization, they are probably under no obligation to share back their changes.
-
Supporting comment
Here's a supporting comment...
Just as parent post suggested. Except, the government is already auditing open source, and customizing the Linux kernel to its own needs... Does nobody remember NSA Secure Linux?
-
Not DoD .. NSA
Isn't that exactly what the NSA has been working on ... Secure Linux?
I'd say somebody in the government is keeping a very close eye on what happens in the Linux kernel. So much so, that they are submitting patches and code to the kernel themselves.
-
Re:NSA
-
How could one program have so many serious flaws?
Could someone explain how one piece of software can have so many severe vulnerabilities? Are Microsoft programmers unbelievably bad at programming? Are Microsoft programmers just people who moved up from the lawn maintenance crew?
Is it possible that Microsoft does not allow its programmers enough time to finish what they write?
Did the U.S. government's NSA spy agency go in after IE was written and add a lot of bugs?
Here's a better view of the same Secunia advisory: Microsoft Internet Explorer Multiple Vulnerabilities, Secunia Advisory: SA12048. This view shows the 4 new vulnerabilities and shows 54 additional older vulnerabilities at the bottom of the page.
-
Re:Security as a selling point
Hmmm, anyone who says that Linux is no more Secure than Microsoft probably needs to do a little security homework. Yes, Microsoft owns ~95% of the desktop market. Does that mean that it is okay for them to have about a factor of 20 more security holes than other OS's just because MS has more market-share? Hmmm....not in my opinion.... There must be a reason the NSA chooses Linux over MS.
Check out their Secure Linux.
-
Re:Crypto - the magic fairy dust
Ashcroft and others won't be happy with this. Of course, PKI/PGP/... can be used in non-encryption mode only to sign messages. BUT, they can also be used to encrypt. As soon as this kind of software is ubiquitous, wiretapping would be much more difficult for the NSA and other agencies.
-
Try the NSA Security guides
Take a look at the NSA security guides for Windows NT, 2000, XP, and 2003. Normal users on the machine will have no ability to modify the machine if the policy is applied (especially the policies that apply to the file system.)
I've used these policies for Windows 2000 lab machines, and have no known incidents with virii/trojans/stupid user tricks/etc...
-
Some good reading...
I'd check out what these guys had to say about locking down xp.
-
Your tax dollars at work
I heard on NPR that the winner was a 'mathematician from Laurel Maryland'. I wonder who he works for??
-
NSA/SE Linux
NSA has supported and actively developed SE linux.
-
Re:Wow!
What, like say, SELinux or something?
-
Some more disinfo......
From the article:
"As unlikely as this might seem to the skeptic, the National Security Agency (NSA), that coordinates, directs, and performs highly specialized activities to protect U.S. information systems and produce foreign intelligence information, made the folly of developing GPL-licensed code to improve the Linux operating system. After reading the terms of the Linux GPL, the NSA realized they needed to post this enhancement to the Internet in source code form for the world to see. Unbelievably, any person with a PC and an Internet connection can now logon to the NSA's website and print out the blueprint for NSA's Security Enhanced Linux software."
This is just wrong. NSA had no requirement to distribute the source since they were using it all in house. But since the people who work at these places are on the mission of creating disinformation, they obviously would ignore this:
From http://www.nsa.gov/selinux/info/faq.cfm:
"Does NSA favor open source software?
NSA initiatives in enhancing software security cover both proprietary and open source software, and we have successfully used both proprietary and open source models in our research activities. NSA's work to enhance the security of software is motivated by one simple consideration: Use our resources as efficiently as possible to give NSA's customers the best possible security options in the most widely employed products. The objective of the NSA research program is to develop technologic advances that can be shared with the software development community through a variety of transfer mechanisms. NSA does not favor or promote any specific software product or business model. Rather, NSA is promoting enhanced security."
It seems to me that NSA's intentions and reasons can be inferred from that above statement quite easily. But if these think tanks are being used solely for propaganda then I'm not all that surprised.
-
Re:I Seriously Doubt That Man Invented the RFID
How about the Great Seal Bug used by the Soviets?
It was passive, and had to be illuminated by a certain frequency to work. It was used for more than ID purposes though :)
-
Look below the vulnerability
I think the story raises a good point. The best analogy I could point out would be a dam where new leaks keep popping up and you quickly rush to patch them. You spend so much time patching over the leaks that the fundamental design problems in the dam are never fixed.
There are multiple strategies that will actually improve security far more than just trying to ferret out a new vulnerability. I personally recommend using Java or another type-safe language for programming if at all possible since the most common memory management errors are eliminated. However, the best way to stop major security breaches is to have a security layer that will assume software programs will be compromised somehow. Then, the security layer is more interested in enforcing access to the system that program ought to have instead of just trusting the effective user ID of the program to hopefully do the right thing.
A bit of karma-whoring here for my thesis project which is based on earlier work in Mandatory Access Controls in Linux, as well as the much more well-known SELinux kernel modules.
I personally did my thesis in Domain & Type Enforcement which simply puts running processes into various different domains that have certain access rights to Types. A type is just a name tag assigned to files, and in my case you can also type system calls, network sockets, and eventually even Linux capabilities. It is similar to part of SELinux but also designed to be much simpler to understand & implement as well.
Anyway, these systems all are designed with the assumption that vital processes will be compromised and the onus is on the policy writers to enforce least-privilege on the processes. This may sound difficult to do, but it is actually trivial compared to the approach we are using now which is to try and figure out every possible attack and write perfect software (the point of the article). It is much easier to define what a program is supposed to do than every nasty malicious thing someone on the Internet can dream up that it should not do.
I've ranted long enough, but I think that there are good solutions to stopping about 90% of the crap that we see going on today, and that the other 10% will be fun to keep us security professionals employed :p
-
Re:Nice grouping
If the Communist threat was fictional, why was the Communist Party of the United States directly controlled and funded by Moscow during the cold war years? Why were hundreds of its members in the American government funneling information to the KGB?
If you're interested, have a look at documents from the "Venona" operation, which was created to intercept KGB messages in the 1940s.
-
Improved transmission security, exactly.
Yes, yes, quantum encryption precludes interception; ergo, unlike with IPSEC, "Eve" can't duplicate the QE message during its transfer, store the encoded message for 50 years, and then crack the code with Any Sufficiently Advanced Technological Improvement. So yes, it's useless for protecting storage-- as I noted, the plaintext on either end is still vulnerable-- but it does provide an improvement over IPSEC/IKE PFS transmission, which was what Soul-Burn666 was originally talking about.
And if you think "Eve" wouldn't keep working at a Sufficiently Important message for decades, then you have not studied enough history.
-
Re:Speaking from a guy who uses all OSs
I'm not sure why geeks hate Windows in particular
From a security point of view, Windows is a nightmare. If you work in a sensitive environment, not having access to full source code for review is simply not acceptable. It is amazing how naive users and corps can be when they trust M$, and every 3rd party software vendor, when it comes to security!
BTW, you don't have to work for the NSA to have high security demands. Every R&D dept. in a major corporation has similar concerns, considering the huge amount of industrial espionage that is prevalent nowadays. OSS systems are no panacea (security is a huge field), but a very important brick in the [fire]wall.
-
Re:advanced search
Or get in touch with the Crypto Cat
-
advanced search
What if I want them to search my mail in advance?
Contact the NSA and ask for "Mr. Echelon".
-
Hacking National Security Redux
Hey guys, sorry for the repost! I know this is bad, no TERRIBLE netiquette. But it was attached to a story that only garnered 9 comments, but I really think that more people should know and think about this stuff. I hope the same thing doesn't happen to this story, or my name'll really be mud!
:D
A couple of years ago at the last "HOPE" conference was the first time I heard of this idea of the "deep web". This year's shindig is happening July 9th through the 11th. I wonder if choosing those dates was merely a coincidence this...
The topic was something called "Hacking National Security" in which the speaker, Robert Steele, first brought up this concept and mentioned what he described as a "deep web search engine" called Copernic. However, I've found that product (there is a free variant) basically queries a list of different search engines. This is not what I would consider a "deep web search" now that I have learned a little more about the term. But that was the first I'd heard of it.
Robert Steele can be forgiven for being a bit technically naive. Because his specialty is National Security and not technology. But he had a lot to say that was of salient interest to technology minded folks. Why else would he have had a panel discussion at a hacker conference?
What I learned from him is that search engines like google and others only are able to skim roughly 5% of the total content of the web. Everything underneath that 5% is the "Deep Web". This is what he claimed the global terror networks are using to communicate with each other. And, most alarmingly, that the NSA - America's Information Processing branch of the government was COMPLETELY ill equipped, even ignorant of terror groups freely trafficking their plans on the web. Talk about our most "advanced" information processing governmental body! Note the lack of a CNAME entry in their DNS record! Don't forget the "www" now! yeesh! At any rate I read an interesting book about them way back in the 80s called The Puzzle Palace. But I'm sure it's way dated by now. I read it way back in 87. Did you know that they are roughly 3 times the size and girth of the CIA...and yet hardly any of the lay populace seems to have heard of them! I once dated a "know it all" (how do you ever learn anything if you already "know it all"?) bad-poetry, arty farty girlfriend who claimed that I was "making the whole thing up" when I tried explaining to her about the NSA! May I say again, "yeesh"? Literally COULD NOT convince her otherwise...I digress...
Now hold on a minute here! Just how dated would you suppose that book to have been? One of Robert Steele's pet peeves was the extreme datedness of NSA technology. Being a government agency (FLAGSHIP of intelligence agencies!) a good hunk of their computer technology dated back to the 70s. This was still the case as of 2002, mind you, and if I understood him correctly.
Now, another of his complaints was the lack of native speakers hired by the agency. That is, instead of hiring a native Pashto speaker, they will instead almost unerringly hire the "blond haired, blue eyed, cocky midwestern jock" (his words not mine)
-
Re:Exactly WHO said anything about Open Source?
Security-Enhanced Linux is sponsored by the NSA
-
Hacking National Security
A couple of years ago at the last "HOPE" conference (this year's is happening July 9-11, this summer) was the first time I heard of this idea of the "deep web".
The topic was something called "Hacking National Security" in which the speaker, Robert Steele, first brought up this concept and mentioned what he described as a "deep web search engine" called Copernic. However, I've found that product (there is a free variant) basically queries a list of different search engines. This is not what I would consider a "deep web search" now that I have learned a little more about the term. But that was the first I'd heard of it.
Robert Steele can be forgiven for being a bit technically naive. Because his specialty is National Security and not technology. But he had a lot to say that was of salient interest to technology minded folks. Why else would he have had a panel discussion at a hacker conference?
What I learned from him is that search engines like google and others only are able to skim roughly 5% of the total content of the web. Everything underneath that 5% is the "Deep Web". This is what he claimed the global terror networks are using to communicate with each other. And, most alarmingly, that the NSA - America's Information Processing branch of the government was COMPLETELY ill equipped, even ignorant of terror groups freely trafficking their plans on the web. Talk about our most "advanced" information processing governmental body! Note the lack of a CNAME entry in their DNS record! Don't forget the "www" now! yeesh! At any rate I read an interesting book about them way back in the 80s called The Puzzle Palace. But I'm sure it's way dated by now. I read it way back in 87. Did you know that they are roughly 3 times the size and girth of the CIA...and yet hardly any of the lay populace seems to have heard of them! I once dated a "know it all" (how do you ever learn anything if you already "know it all"?) bad-poetry, arty farty girlfriend who claimed that I was "making the whole thing up" when I tried explaining to her about the NSA! May I say again, "yeesh"? Literally COULD NOT convince her otherwise...I digress...
Now hold on a minute here! Just how dated would you suppose that book to have been? One of Robert Steele's pet peeves was the extreme datedness of NSA technology. Being a government agency (FLAGSHIP of intelligence agencies!) a good hunk of their computer technology dated back to the 70s. This was still the case as of 2002, mind you, and if I understood him correctly.
Now, another of his complaints was the lack of native speakers hired by the agency. That is, instead of hiring a native Pashto speaker, they will instead almost unerringly hire the "blond haired, blue eyed, cocky midwestern jock" (his words not mine) with a degree from an Ivy League school in linguistics who has a generalist's knowledge. What's wrong with a young PHD in linguistics tending to these matters? According to Mr Steele that even the best generalist's knowledge will not catch the flavor or nuance of language spoken on the terror sites. What's lost in the translation? Not much...if you don't count our National Security.
Also according to him, the "terrorist community" (I know that's an over-used term in this day and age...please try to bear with me, here) knows this and thrives doing so.
One major point of contention he had wa
-
Global Information Grid
Has the Global Information Grid come up on Slashdot before?
It's a similar way too forward-looking military thing. The plan is that by 2020, every soldier will have an IP address.
-
Re:Simple
Exactly. If you want to find out if your crypto implementation is secure, ask the US government. If they say yes, you've got bugs.
Depends who in the US government you ask. Groups like the US State Department, the Dept of Commerce, CSRC of the NIST and half of the NSA (who has two purposes - one to protect against foreign intelligent threats, and one to exploit against foreign intelligent adversaries.) they want to protect most of the US public (and NAFTA, G8, and NATO interests) - including US businesses - from foreign governments. These groups can give you an idea of what is likely secure as we know in the non-classified knowledge outside the cloak and dagger world of the NSA, GCHQ, CSE, etc.
Mind you, I'm not sure why anyone would need to ask permission to export a public standard like AES. I'm pretty sure there aren't any secrets happening there.
AES was selected through a very open public process, so no knowledge about AES requires export permission. The US Dept of Commerce does regulate Dual-Use items (i.e. items that have a military/dangerous/hostile use and non-military use) including information security software implementations such as toolkits, libraries, and binaries (and object code). Humanly readable source code is still somewhat in dispute, but based on some US state level court cases (Phil Karn and Bernstein) it appears that human readable source code is not regulated.
-
Re:A new hope... - Swan song / final curtain call
Han Solo will probably show up as a junior officer on some Republic ship and he'll end up going AWOL after being sentenced to death for refusing to follow some outlandishly brutal order from Palpatine.
Betcha 'Han' goes and sees one of his senior officers played by Harrison Ford himself (in an uncredited cameo -- why bother, the SW crowd knows what he looks like)!
Any chance the 'cameo thing' will be done for Mark Hamill and Carrie Fisher (and possibly Billy Dee Williams and 'unmasked' David Prowse, Peter Mayhew, Kenny Baker, and Anthony Daniels [who had a 'real' cameo in AOTC?])?
Maybe,...maybe not.
If they did, the secrecy needed would make the NSA green with envy....
In this way, the principal cast from Episodes 4, 5, and 6 appear in unrelated, cameo roles in Episode 3, the last film of the second('first'?) trilogy.
PS: Whaddayaknow! Daniels did voiceover work on Ralph Bakshi's LOTR film as Legolas thus (tenuously) linking the Peter Jackson LOTR film trilogy with the Star Wars film series.
-
Re:Second Level security?
I think SELinux could help here, but while I think SELinux is the best thing since sliced bread, it is still non-trivial to setup and configure and this has been one of its major stumbling blocks to widespread acceptance. The newer mandatory access control systems need to be simple enough for the average administrator to tackle.
-
Re:Feature Suggestion - launch as untrusted
Security is somewhere at 10th or fifteenth
I firmly believe that the current largest flaw in existing security systems is that they are generally too difficult to use -- that they require significant additional effort on the part of the user. Security needs to be *especially* intuitive to help avoid misconfiguration (with security, misconfigurations are often hard to detect and can have catastrophic results), and easy and relatively low-effort to use to encourage people to use them.
From what I understand, SElinux divides the root privileges somewhat. Instead of root being able to do everything, things such as "bind to ports under 1024" "write to any file" are subdivided. By default, you get all (for backwards compatibility) but programs can drop privileges when they need to. In this case, I don't think it would help, the privs are too coarse grained.
I believe that you're thinking of POSIX capabilities, another set of security features in Linux 2.2 and above. This allows giving certain "root-like" capabilities to processes. SELinux is rather more fine-grained. (Also, this brief overview may be useful).
The folks putting SELinux together are the sort of folks that aren't going to overlook rewriting. :-)
NetBSD has the ability to restrict syscalls.
SELinux supports higher-level constructs than just syscall blocking, so you aren't limited to just blocking on a per-syscall level -- see the links I dropped in here.
The trick there is getting the perms permissive enough to allow the install, yet secure enough to stop some of the evil stuff. No current OS really does this. Maybe some of the stillborn Java OS could, with their security properties, but computers in current use are designed to be very permissive.
Yup.
SELinux is complex enough (most end users don't know what a syscall is) that most people will probably just use a very high-level interface to it. Packagers can set up some policy (for example, having apache run without disk-writing access or something along those lines) and software developers other stuff. It's not quite just like setting up a chroot jail. It's more like mucking about with tc or something.
-
You're still using "root"?
"root" is obsolete. Use NSA Secure Linux mandatory security features. They're in the standard kernel now.
If you use "root", someday you will be rooted.
-
"This being 2004..."
"This being 2004, you should know not to open a file from an untrusted source." WRONG! This is exactly the mindset that has resulted in the security problems that plague computers today. Operating environments should have the ability to fully contain and isolate any process. Operating environments should have the ability to run hostile code with complete safety. The smart thing to do is to start regarding ALL code as hostile. One side effect of that is that failures of non-hostile code will be contained, too, making for a more reliable system.
How can such a goal be attained? There are many ways available now. The most obvious one is a VM system with security policies, such as the JVM. That's not the only one, though. Another method is a capabilities-based system, so when a process starts, it has only a defined set of capabilities to work with. OpenBSD has a similar, but more limited system called systrace. The TrustedBSD project and SELinux have similar aims, and SELinux is being integrated into mainstream Linux distros. Another way to run untrusted things is with user-mode Linux, which I believe is integrated with Linux 2.6.
The editor is right, though, that on currently-used systems like OSX and MS Windows, you have to be careful what you click on. But the problem is that we have come to accept that as "the way things are", when there is no reason for that to be the case. You should be able to run hostile code, see what it does, laugh at it, and delete it without any harm. The technology to do that exists, and has existed for years, but we have come to accept broken products and systems that don't allow that.
---------
WAP news
-
Re:Cough-Cough-Bullshit!
> > "The report warns governments
> > against relying on open-source software
>
> Since the government is busy sponsoring open source software, I think this warning falls (happily) on deaf ears.
Yes, but these guys must be quite specialists of national security since they have the nerve to question the doings of this governmental organization with track record for not having that nonchalant attitude towards security issues :)
-
But there have been Linux worms-A Secure future.
"...more detail to security will have to be maintained to ensure the safety of the systems you are running."
Oh you mean like SELinux, UML Linux, File System ACL's, and Chroot jails? Oh I feel much more comfortable about Linux's security future than Windos.
-
Re:Choosing the right OS for strong network securi
Note: SELinux is a very good solution for security if you're going down the Linux road.
-
Scott "Bin Laden" Richter
Scott Richter and other high profile spammers are conducting a sustained full-scale DDoS attack against the NSA's ability to monitor E-Mail traffic.
One of NSA's main sources of information in the war against terror is traffic analysis. Terrorists are using strong cryptography nowadays, so it is difficult (even for the NSA) to decrypt. However, traffic analysis exposes patterns of communications that can be extremely useful in tracking down terrorist networks. If A sends a message to B, it would normally mean, that both parties have a common relationship which should be investigated.
With the constant flow of spam, traffic analysis is effectively thwarted. One can hide in the unending stream of spams, simulating an infected Windows PC drone. It is always possible to deny having sent a message: "Hey, how could I know that my PC was infected by that damn worm again?"
Spam is an excellent vehicle for steganography too. With all this random nonsense designed to circumvent spam filters, hiding an encrypted message there is a piece of cake.
Lobbying Ashcroft or Congress to outlaw spam is difficult. The DMA proved to be much stronger this time.
Write to your representative, and point out that CAN SPAM provides terrorists with an effective method to escape detection and surveillance. Point out that CAN SPAM, as it is written today, harms the National Security in unintended ways.
With all this terror hysteria in Washington DC, you could even make an impression!
-
Re:Excellent
I think you're forgetting about the NSA funded SELinux project. It's also a kernel level MAC security patch. I prefer SELinux over GrSec for many reasons, one of which is the fact a team of well trained NSA kernel hackers coded SELinux. (As opposed to GrSec whose head coder and inventor is a punk who uses his security knowledge to keep his exploits as 0days. Sounds pretty fishy to me; I won't trust anything that has his name on it.) SELinux is in the official 2.6 kernel branch. Check it out here.
-
Re:about time
As opposed to the conservative regime in another country with its henchmen?
-
Interesting comparable...
An interesting comparable for Google. Also quiet about most of their infrastructure; but they do answer some questions such as electricity bills, budget, etc...
How much electricity they use
- "the 2nd largest user of electrical power in Maryland. ... yearly electrical bill is more than $21 million. "
How big in # of people and budget
- "if ... considered a corporation in terms of dollars spent, floor space occupied, and personnel employed, it would rank in the top 10 percent of the Fortune 500 companies."
Wonder how google ranks in those metrics - and we may get a good ballpark feel of how much data they can store and process.
-
At least they didn't get any source...
...in those attacks, like they have in the numerous Microsoft leaks. Imagine the strife we'd be in if they stole the source to Debian!
But seriously, how shall I put this? ChkRootKit, TripWire, AIDE, FICC, ProSum, Toby, msec, Nessus, LSAT, Saint, LIDS and of course if you want totally proactive, try SELinux, Medusa DS9 or OpenWall. That's hardly an exhaustive list, but it does hit many of the highlights. Boy, youse bin livin in a monoculture too damn long!