Domain: nsa.gov
Stories and comments across the archive that link to nsa.gov.
Comments · 1,061
-
Re:What are they hiding?
All you need to know is that the US, UK, Australia, Canada, and New Zealand are all signatories to the UKUSA agreement, which allows for the signal intelligence agencies of said countries to share a large amount of data. Therefore, some of the information the GCSB has access to is information which originates from the NSA. So Dotcom is not just taking on the GCSB, he's taking on every signal intelligence agency of the primary English-speaking countries.
-
Re:Poorly researched
The Cyber Corps is not a high school program; it's a college program. Here's a link to the NSA certified centers of excellence: http://www.nsa.gov/ia/academic_outreach/nat_cae/institutions.shtml [nsa.gov]
A target list! That's great!
And they say government is never helpful!
Thanks NSA!
-
Re:Poorly researched
The Cyber Corps is not a high school program; it's a college program. Here's a link to the NSA certified centers of excellence: http://www.nsa.gov/ia/academic_outreach/nat_cae/institutions.shtml
-
Re:This just in...
To add more detail to the AC's response.
AES is based on a substitution-permutation network.
DKIM is based on the RSA signature algorithm which relies on the difficulty of factoring large integers.
Elliptic curve public key cryptography is based on the difficulty of solving a discrete logarithm problem.
The difference in the size of keys between one type of algorithm or another is an expression of the difficulty in solving the underlying problem. Factoring a large integer of X bits (RSA) is relatively easy compared to working through the substitutions and permutations of X bits of AES.
The link below provides a guideline for comparing the key sizes of AES, EC, RSA/DH.
http://www.nsa.gov/business/programs/elliptic_curve.shtml
-
Re:Simple
Lock everything down except WoW. They can do all the other crap on the Linux machines. Give them not only a restrictive account but restrict what they can run to as limited use as possible. Just start fully restricted and then allow enough that Wow runs correctly.
Prevent browser, email, etc use since that is a game machine and not an internet whore. Remove all browser plugins, remove the browser, remove all email clients, make any non-removable browser unusable on the internet by a firewall block or any more effective block. Block any outgoing ports and incoming ports except those needed by Wow.
Look for dubious MS practices and thwart them.
http://www.computerworlduk.com/news/security/3236713/microsoft-releases-tool-to-block-dll-hijacking-attacks/
I think win7 has something to prevent this now...after 12 years of it.
Read this but note that I'm an XP person and can't judge quality of it, I am working on that. It seems ok and is what I'd do to XP.
http://www.winfrastructure.net/article.aspx?BlogEntry=Quick-steps-to-Windows-7-OS-hardening
Read the references and adapt them to your system.
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml#microsoft
-
One PDF answers all your questions
http://www.nsa.gov/public_info/_files/cryptologic_quarterly/The_Value_of_Working.pdf
'nuff said (or calculated in this case).
-
Re:Allegations that defy reality
Actually, I use "US Person" because it has a very specific meaning as it pertains to US intelligence activities.
Who is considered a U.S. Person?
Federal law and executive order define a U.S. Person as:
- a citizen of the United States;
- an alien lawfully admitted for permanent residence;
- an unincorporated association with a substantial number of members who are citizens of the U.S. or are aliens lawfully admitted for permanent residence; or
- a corporation that is incorporated in the U.S.
In other words, US Person is a lot broader than just saying "American".
-
Re:NSA Security Recommendations for Android
Here's the NSA's recommendations for securing Android devices.
FTFY. The NSA has a full blueprint for a government trusted secure android device. Given that the US also built a secure linux distro, I'm thinking that this is the product you want.
-
NSA Security Recommendations for iOS
Here's the NSA's recommendations for securing iOS devices: http://www.nsa.gov/ia/_files/os/applemac/Apple_iOS_5_Guide.pdf
-
Didn't the NSA offer to help 'secure' Linux?
"Didn't the NSA offer to help 'secure' windows 7 (http://www.computerworld.com/s/article/9141105/NSA_helped_with_Windows_7_development)" - by Sir_Sri (199544) on Friday June 15, @12:54PM (#40336511)
SeLinux bearing distros, specifically? See here -> http://www.nsa.gov/research/selinux/
They didn't just "offer" to help, they did... only question is, per what YOU ARE ALLUDING TO/IMPLYING? How much so and for WHAT reasons??
(Absolutely - so, that "all said & aside", mainly from you regarding the NSA & Windows: CAN YOU TRUST Linux TOO?)
APK
P.S.=> Your 'argument' is like a razor that CUTS BOTH WAYS... & we'll tolerate NO 'FUD' here today!
... apk
-
work for the government
-
The NSA has already done it
-
Re:NSA
To Wit:
http://www.nsa.gov/careers/career_fields/mathematics.shtml
Plus, any of the Navy's Surface Warfare Commands (NAVSEA), or hell any government agency for that matter. Sure the pay isn't as great as private sector, but you CAN'T beat the benefits, and it (literally) takes an act of Congress to RIF you:
http://www.usajobs.gov/JobSearch/Search/GetResults?Keyword=mathematician&Location=&search=Search!
There's worse choices out there... like public school.
Good Luck.
-
Re:The important link
Some other links I just stole from a comment in TFA from an anonymous poster
NSA recommendations for Apple products (also has recommendations for Linux, Windows and Solaris)
iOS Hardening Configuration Guide from the Australian Department of Defense
-
Re:Mod parent down
I'm absolutely sure that the NSA, like Google, is a monolithic entity, focusing on one particular project. The NSA is the government's executive agency for information security. Therefore, they're very involved in analyzing cyber-attacks. That's a very different part of the NSA than the part that does SIGINT which, though you refuse to believe it, plays by a set of rules so strict that they're still effectively prohibited from passing intelligence to domestic law enforcement agencies. That fact, however, doesn't sell newspapers or villainize GWB.
-
Re:We need full phone encryption.
Is it encrypted?
Possibly, yes. The codename is "fishbowl" (https://en.wikipedia.org/wiki/Fishbowl_%28secure_phone%29), and according to the NSA spec document (PDF - http://www.nsa.gov/ia/_files/Mobility_Capability_Pkg_(Version_1.1U).pdf), "the system shall support encrypted SD cards for storage.".
While I suspect part of the intent is certainly for full encryption on the device, currently it seems to be focusing on call security (encrypted VOIP, all non-911 calls must go through a central server, SIP over a VPN, etc).
-
NSA Building US's Biggest Spy Center
I am shocked at the lack of facts that the general public holds about the NSA, cryptography, encryption and the state of the art of decryption today. If I had worked for such said Agency for 27+ years (which I absolutely didn't), in various fields, such as cryptography and the construction of the massive "brute force" systems used to break specific codes of interest (which I didn't), I would say the following: NSA truly has better and more important functions, like providing near-realtime intelligence to commanders in the field. This precludes listening in on each and everyone's personal telephone calls (land lines or cells), their e-mails and facebook pages. Its supercomputers are kept quite busy with the ever increasing amount of "raw" intel that floods back from the "field" to the Ft. Meade complex. Let's say that I retired back in 2004 (which I couldn't have done since I didn't really work for the Agency) but if I had I would have left knowing that breaking AES-128 and AES-256 encryption was child's play, that the Agency had abandoned 4096 bit keys years earlier in favor of "quantum encryption" which didn't really remain "unbreakable" all that long, so it also had to be abandoned. As for the person who thinks encryption was invented solely for "banking" and "something else", I would invite that person to visit the "National Cryptologic Museum" site at http://www.nsa.gov/about/cryptologic_heritage/museum/. I am sure some of the information presented there, although old, a.k.a. de-classified for public consumption, is still very compelling and interesting. Encryption and decryption history goes back quite a ways in history, long before modern banking systems came to be.
-
Some Links to the NSA site
Here's some linkys to the actual NSA website pages that talk about this:
http://www.nsa.gov/public_info/press_room/2012/nash_exhibit.shtml
http://www.nsa.gov/public_info/_files/nash_letters/nash_letters1.pdf
-
The National Cryptologic Museum (just outside NSA)
Just outside the main gates of the NSA compound. http://www.nsa.gov/about/cryptologic_heritage/museum/ Very cool stuff.
-
The CIA Museum in Langley
The CIA Museum in Langley supposedly has some very interesting, and very geeky, stuff: http://en.wikipedia.org/wiki/CIA_Museum.
Except, it is not open to the public, nobody knows where it is, visiting hours ???, and maybe the place doesn't exist at all. It could be all part of an elaborate counter-intelligence disinformation ruse.
So when you get back from your trip, don't tell us what you didn't see there . . .
Or try the NSA's National Cryptologic Museum http://www.nsa.gov/about/cryptologic_heritage/museum/
They hand out some nice guides to the exhibit, but they are a bitch to decrypt, so you can't even read about what you didn't see there.
-
Re:Shred?
-
Re:How much longer consumer OSes on military syste
The military has been told by GAO and OMB and other bean counters to use COTS --- it's also more expensive to get things developed on proprietary systems and that runs into single source issues.
Arguably everyone should use NSA's security-enhanced Linux:
http://www.nsa.gov/research/selinux/
Or similarly secured systems.
-
Re:Ft. Meade?
No, I'm pretty sure he meant Ft. Meade.
-
Prepublication Review
People may not like it, but anyone with a US security clearance has a requirement for "prepublication review". That usually applies to talking about your job or things you learned during your job. Since this guy worked for State, and he posted information about state, I think they have a good point. For all any of us know he knew about that Cable from seeing it at work. Just because it has been publicly disclosed does *not* mean it is not still classified. https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/docs/v41i3a01p.htm http://www.nsa.gov/public_info/prepub/index.shtml
-
Re:CentOS or Debian(Ubuntu)
The other comments pretty much say this, but here's the NSA's take:
"Direct root logins should be allowed only for emergency use. In normal situations, the administrator should access the system via a unique unprivileged account, and use su or sudo to execute privileged commands. Discouraging administrators from accessing the root account directly ensures an audit trail in organizations with multiple administrators. Locking down the channels through which root can connect directly reduces opportunities for password-guessing against the root account. ... Root should also be prohibited from connecting via network protocols. See Section 3.5 for instructions on preventing root from logging in via SSH."
-
Re:NSA tries to get vendors serious about security
"One of NSA's units is the Central Security Service, the defensive side, which develops and tests security technologies for Government and military use."
Actually, the defensive side is the Information Assurance Directorate (http://www.nsa.gov/ia/index.shtml) not the CSS, but nice try. Apparently it has been a long time since you used to work on this stuff.
-
Re:Article is crap
Yep, that one is copyright Apple. Here is NSA's guide to hardening OS X. It does not recommend turning off keychain (though there are several other items it does recommend turning off).
-
Re:Article is crap
The NSA's guide to securing Apples talks about how to make the keychain reasonably secure here. They notably do not recommend turning it off or using third party software.
-
Who are you hosting with?
What type of hosting are you getting? Shared hosting where you don't have the ability to do anything but set up a database, or are you getting bare metal hosting where you can choose the OS and how to set up every detail of it, or you supply the hardware and routing equipment to a hosting facility. I suggest getting the bare metal or sending your own hardware, then using the docs you can get from the NSA on securing the servers. http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml Like many people have said, make sure that you don't have direct access to the MySQL server from the outside, and that it only talks to the webserver to give data from the database. Even set up a management server where you can do WSUS and remote desktop stuff from if you are going Windows, or another Linux box that you can SSH into to then access all the other servers. If you do your own hardware you can supply your own firewall and set up VPN connection to it. Blah Blah Blah, you are getting the idea from what everyone is posting. So you should hopefully have a good starting point.
-
Re:Mandatory ACLs
Where do we find mandatory ACLs or MLS policies in Mac OS X? Or are these systems not being deployed in security sensitive environments?
I don't believe that the MAC system in Mac OS X is intended to be user accessible. See page 23 of the Mac OS X Security Configuration document. You probably can access MAC permissions via the CLI, but it isn't supported.
You can also peruse the NSA/CSS Operating System Guidelines for various operating systems. I'll point out that the MS-Windows systems are supposed to be run in Specialized Security -- Limited Functionality mode which severely limits functionality (as the name implies) and MS recommends it only be used on systems where "compromise would cause the loss of life, the loss of very valuable information, or the loss of lots of money."
-
Re:What about Google?
I love a good conspiracy, but could you please explain NSA Linux then?
-
Re:Tor
After all the arguing, debating and name calling, finally an actual answer to the question I asked. Thank you.
He made a blanket statement that X was better than Y with nothing backing it up.
Personally, I feel SuperPrivate has them all beat!
-
Re:from TFA: owning it outright vs OS
Come on, admit it. You work for the NSA and you're actually watching me type this right now. You're just playing with us, saying that someday someone will make "...some rather minor modifications" and be able to do exactly what you're doing right now. BTW, I don't feel like getting up to check - can you tell me if the coffee's ready?
-
Re:Truecrypt
Kind of hints at it here:
-
submitter is an idiot
This isn't "news", it's a bad blog rant.
The paper is for home users, and they are right to focus on the 99% there that are covered by windos and OS X.
And accusing the NSA of not supporting Linux is the most ridiculous thing I've heard in a decade. These are the guys that brought us SELinux, including fighting on our behalf to get an assurance that there won't be patent troubles with it.
You can accuse the NSA of a lot of things, like covert surveillance and stuff, but certainly not of ignoring Linux. Heck, they even have a hardening guide for Red Hat on their list of official guides, just like they do for windos, OS X and Solaris.
-
NSA's Advice for Solaris and Linux
For those who contributed to the above Slashdot summary who are obviously incapable of properly navigating or searching Web sites, the NSA provides advice on securing multiple different computer operating systems and revisions. Yes, that includes Linux and even Solaris, and multiple versions to boot. Furthermore, additional research will yield that the NSA also has articles on securing a variety of common applications, Web browser plugins, and file formats. Then again, should anything less be expected from the organization that created and developed Security-Enhanced Linux in collaboration with Red Hat?
-
Re:Misleading summary
+5, really? This crowd is slacking...
Submitter was making a joke about this. Try and keep up.
-
Bad summary
I guess no one involved in green lighting this read the PDF.
The NSA pamphlet was only for Windows and Mac users, it didn't mention migrating to LINUX or BSD because it wasn't about alternative OSes, just what current users should go to.
They have a bunch of these fact sheets, shocking the securing iPhones and iPads one doesn't talk about migrating to Android or Win 7.
http://www.nsa.gov/ia/guidance/security_configuration_guides/fact_sheets.shtml
-
Re:Spy Museum
If you want to see another cool, but not as well known, spy museum drive up to Fort Meade and check out the NSA SIGINT/Cryptological museum off of the GW parkway, about 30-45 mins by car out of DC or you can take the Metro to close by and ride a bus over:
http://www.nsa.gov/about/cryptologic_heritage/museum/virtual_tour/museum_tour_text.shtml
-
Re:In other words, talent down the drain
That's not necessarily true.
NSA has a technology transfer program.
I leave it as an exercise to the googler to find out what things you're currently using that came from their labs.
-
Re:Makes sense
Um... not NASA... it's NSA which is the National Security Agency.
-
Haven't you watched War Games?
The Feds love *NiX "The architecture has been subsequently mainstreamed into Linux and ported to several other systems, including the Solaris operating system, the FreeBSD® operating system, and the Darwin kernel, spawning a wide range of related work" http://www.nsa.gov/research/selinux/index.shtml
-
Of course we practice what we preach!
Dickie George says the way to fight the cyber cold war is by building security into technology, making it transparent to the end user
In contrast where the NSA has had the potential to hide backdoors (since Windows 95) and make everything so non-transparent as they work on MS Windows security.
Since the work is undisclosed no one can confirm or deny these backdoors.
Makes you wonder what they're up to now.
http://support.microsoft.com/kb/885409
http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems/microsoft_windows.shtml
-
Re:Wow
And people wonder why the NSA and is trying to promote education.
Of course, it's damned if you do, damned if you don't. Sure, they're a bureaucracy, and therefore inefficient (or whatever you want to call it). If they do nothing, then it's their fault for not doing anything. If they do something, they get ridiculed for doing it wrong (even if it's an improvement).
We all know there is an insane amount of holes in all sorts of industries, yet it hardly appears as what is currently being done is enough. People tend to be all hat and no cattle. It's nice to walk around and talk about how bad the problem is, but it's better to actually do something about it.
-
Re:The originals really are something else
For those of you in/visiting the DC area you can check out a couple of old Crays @ the National Cryptologic Museum on the outskirts of Ft Meade. http://www.nsa.gov/about/cryptologic_heritage/museum/virtual_tour/index.shtml
On exhibit in the museum are two Cray supercomputers. The XMP-24 on display is the upgrade to the original XMP-22 that was the first supercomputer Cray ever delivered to a customer site. It was in operation from 1983 to 1993 and was arguably the most powerful computer in the world when it was delivered. It used serial processing to conduct 420 million operations per second.
The second generation Cray, the YMP, replaced the older version in 1993. It had a 32 gigabyte (32 billion bytes) memory capacity. In 1993 most personal computers held only 16 million bytes. The YMP used vector processing, a very powerful form of overlapping, parallel processing to conduct 2.67 billion operations per second. The YMP was decommissioned and went on display at the museum in 2000.
The museum is lots of fun and definitely worth a visit.
-
sure, sure
researchers
No, you aren't. I don't know why people working in IT security have the ego to always add the word "researcher" to their title. Just because your job involves problem solving it doesn't mean you're a "researcher" as the term is understood everywhere else. Anyway, where does your R&D budget come from for this team of "researchers", and what do you get back?
at Last Line of Defense
Who? So many overgrown hax0rs slapping a stupid name on their activities and calling themselves a business, using inflated claims of leet-sounding achievements for PR then pushing security "solutions" to idiots.
a security intelligence firm
lol. k guise. security intelligence. security intelligence. yuo.
Look, it's cool what you've done. But would you kindly put yourself into context and stop adopting a pompous vocabulary unique to your trade? Perhaps the state of PC security wouldn't be so dire if it wasn't such a mixture of AV vendors enjoying protection money and ADHD-crippled scene d00ds lacking formal grounding and in a permanent state of 14 year old.
Posting AC because the kid has a water pistol and it's too early in the morning to get wet.
-
Because their middle name is security
Y'know, I'm really glad Google wants to provide a new API for managing security. We need somebody to do this for us - somebody who really knows security, somebody who may as well have security as their middle name, to come out with an API framework for Mandatory Access Controls, preferably built right into the operating system kernel of a major distribution.
Yes, I'm really glad Google took the initiative on this.