Domain: nsa.gov
Stories and comments across the archive that link to nsa.gov.
Comments · 1,061
-
Re:Worked at NSA...
It's not hard to figure out. A quick Google search for:
Dundee Orange Marmalade jar NSA
came up with this link, right on the NSA's website.
-
Museums
The National Cryptographic Museum is where an old motel used to be (Colony 7 motel) and is a pretty cool place to visit. The Enigma works and you can spin the rotors, type, and encrypt/decrypt messages.
Nearby is the National Vigilance Park, which has some cold war recon aircraft on display.
Being a geek you might as well do the multi-stage geocache which starts at the NVP. The NVP and nearby "unclassified" parking lot have a view of NSA buildings, and typically NSA police are quite visible patrolling the area.
And if you have time, cruise up to the BWI area and visit the National Electronics Museum.
-
Virtual Tour
The NSA has a virtual tour of the place on their website. Not exactly an immersible VRML experience or anything, but pretty nice none the less. There are also some nice videos in the flash frame on the main page, including a pretty cool overview of the 2009 CDX contest between the various military academies. The Press release for 2010 notes that Navy won this year (apparently in 2009, NSA Red Cell hacked Navy's website to say "we heart army" as one of their first actions, which probably had them motivated a little bit more this year).
They actually have a lot of publicly available information and seem to be making great steps towards demystifying their image and trying to un-do some recent damage. They're not anything like 'Enemy of the State'.
-
Re:Mind Block
Are you certain that your Wi-Fi signal is secured? Ok, so maybe you use WPA, but do you really know as much about cryptography as some people? Would you claim a breach of privacy if those people access your unsecured Wi-Fi signal? Ok, so maybe then you'd say you have an "expectation of privacy", even if your Wi-Fi signal is not really secured, but that's what Google's victims believed too.
-
NSA has a slight conflict of interest.
The NSA is the government agency with excellent expertise to protect against computer-based attacks. Unfortunately the NSA's original mission is to gather intelligence from foreign communications, and in fuzzy cases, domestic communications that may possibly turn out to be "foreign communications". Protecting citizens from cyber-attacks is a laudable goal, but is an add-on tacked on to their actual responsibility of protecting US national security systems. http://en.wikipedia.org/wiki/National_Security_Agency , http://www.nsa.gov/
This is the conflict of interest for the NSA in protecting citizens' data and computing; they also wish to gather intelligence. Any worker in the NSA will always have the temptation to mix the two purposes slightly. As a result, the internet community tends to suspect solutions provided by the NSA, even if provided in good faith.
One idea I've encountered is to have a separate agency with the unambiguous purpose of protecting citizens' data and computing, something hopefully similar to the CDC, the Center for Disease Control, which prevents diseases. Such an agency may be more transparent than the NSA, which is unfortunately limited in having to serve several purposes.
-
Re:Kiss Open Systems Goodbye
What happens when the NSA tells you that you have to run Linux? Will you be happy then?
Of course not. They would be taking away your essential liberty to infest yourself and everyone around you with all manner of digital pests so you would be (appropriately) upset.
My point is that they're much more likely to require something like SE Linux that forbids it.
You may return to being a good citizen by recycling your hat now.
-
Re:Surveillance
Speaking of which...
On June 25th, just a few days ago, the original UKUSA agreement that set up Echelon was declassified and published. It includes a number of supporting documents as well.
-
Re:I find this entire story to be a load of shit
The United States gets very offended by espionage activity, because we would never do it to anyone else. They promise. Not a single satellite. No high altitude spy planes. No high altitude long range supersonic spy planes (we retired all of these, we promise). No remote control spy planes. No flock of agencies with covert operations world wide. Nope, not the US. Keep your spies out of our country, we don't do it to you.
Excuse me, there are a couple nice men in black suits knocking at my door that just want to ask me a few questions.
-
Re:Uncle Sam Knows Best
Right on! It's not like the federal government created the internet. And they certainly didn't create multiple generations of software that actively monitor almost all internet traffic. And it's not like they have some agency that specializes in developing additional security onto our current technology.
And congratulations on entirely missing the point. Regardless of whether or not the federal government is capable of securing civilian nets by taking control, the point is that this system could be abused too easily to silence the portions of the net with dissenting political views.
-
Re:Face palm
Ever wondered what would happen if they had NOT used nukes? Remember, Japan didn't look like it was going to surrender. The planned invasion would certainly have caused several million deaths, mainly civilians.
Yes, I have wondered and thought Japan would have surrendered anyway. They had nothing left. No invasion was necessary, Japan was ready for truce, if not total surrender. All they wanted was to keep their Emperor's dignity. US didn't want that. Or maybe something was lost in translation. http://www.nsa.gov/public_info/_files/tech_journals/mokusatsu.pdf
-
Re:We already have a secure coding office...
Don't forget: SELinux
-
Re:Haven't seen this one yet...
yeah - you're pretty much an idiot. You're of the same ilk that believe the moon landings were faked, that there really is a loch ness monster, and that McDonald's chicken nuggets are made from chicken feet and heads (ok..that last one might be true). The Liberty conspiracy theories mostly died when the NSA released its radio intercepts - all of which can be listened to here (or you can read the transcripts or any number of the reports about the incident on the site.) By the way, your next move (as delineated in the Conspiracy Theorist's Handbook) is to accuse me (and the NSA) as being part of the conspiracy.
-
Re:Flaw?
you will HAVE to run Windows. Linux and OSX will be seen as security flaws
Err, actually the NSA see Windows ('Mainstream Operating Systems') as a security flaw:
SELINUX
...the National Security Agency has long been involved with the computer security research community in investigating a wide range of computer security topics including operating system security...
Unfortunately, existing mainstream operating systems lack the critical security feature required for enforcing separation...
The results of several previous research projects in this area have yielded a strong, flexible mandatory access control architecture called Flask...
The architecture has been subsequently mainstreamed into Linux and ported to several other systems, including the Solaris operating system, the FreeBSD® operating system, and the Darwin kernel, spawning a wide range of related work.
-
Re:This post...
It is not sourced, and most likely an assumption since the NSA isn't in the habit of telling anybody how their $#!+ works.
Yup, that darn NSA never tells anybody about their stuff or lets them see how it works. Nosireebob.
-
Re:This is all wrong.
The Information Assurance mission confronts the formidable challenge of preventing foreign adversaries from gaining access to sensitive or classified national security information. The Signals Intelligence mission collects, processes, and disseminates intelligence information from foreign signals for intelligence and counterintelligence purposes and to support military operations. This Agency also enables Network Warfare operations to defeat terrorists and their organizations at home and abroad, consistent with U.S. laws and the protection of privacy and civil liberties. Mission
I don't see where "the American people need to be spied on" is part of their mission, in fact they've done some pretty major work like SElinux to keep Americans from being spied on, by anybody. If you don't like what the NSA is doing, write your congressman and have him change the laws.
-
Re:failed?
-
Re:if everyone ignored the quacks...
Then it sounds like we have another country that should be on this list.
-
Re:If you use open source, you're a pirate...
-
Re:Eh wouldn't surprise me...
"The Vista and Windows 7 security model is vastly more sophisticated than out-of-the-box Linux implementation"
SELinux is enabled by default on Fedora. I wouldn't call UAC "vastly more sophisticated".
-
Re:Maryland had something called the "Ober law"
"You are playing a definition game. McCarthy wasn't simply looking for Communists, he was looking for a threat to the American way of life. Oddly enough, it wasn't there."
Actually, yes it was. It just wasn't where he was looking.
McCarthy was an opportunist who destroyed a lot of lives while running a witch hunt for communists - more or less taking what the FBI was doing and running rampant with it. And, up until the mid-1990s, the history books didn't have the information the FBI did from the NSA. So, accepted history was that it was only a witch hunt, and there wasn't really a communist threat.
And then, in the mid-1990s, the NSA declassified the Venona intercepts.
In fact, there WAS a serious Soviet infiltration of the United States government at some of the highest levels. It was detected because of duplication of some of the one-time pads (an otherwise unbreakable type of code) that allowed some Soviet intelligence communications to be decoded, and revealed the spy rings.
You can read about it here: http://www.nsa.gov/public_info/declass/venona/index.shtml
-
Re:Bugs are an error in the...
Bugs are an error in the process, not the code. If you find a bug, you need to find the process error that allowed that bug to occur.
Agreed!
I read, with interest, the referenced article. I was expecting FUD - but I didn't find much, until I reached the Conclusion.
eg.
The many eyeballs argument is neat, tidy, compelling, and wrong.
The article starts with
Eric S. Raymond wrote, “Given enough eyeballs, all bugs are shallow.” He calls this Linus’ law.
and then attempts to refute. Fair enough. Except - the link leads to The Cathedral And The Bazaar - where I cannot find the quote... Hmmm
Now this might be relevant if the "many eyes" routine was the only form of audit used in GNU/Linux - but it is not the only form of review/audit used. I'm sure other, more knowledgeable posters will be able to provide more evidence than I could find in a quick search.
I call FUD
-
Re:why NSA hate?
They let people in the NSA look at /. Who knew?
Did daily when I worked there...
Aside from that quip- 'the good guys' would probably want to do things in the open like the Linux community does. Sharing data and methodology and so on. I do not see a lot of that coming from the NSA. I'd be happy to be proven wrong.
Well there are the NSA Security Configuration Guides that give you their recommended configurations of pretty much every major OS you might need good security guidelines for. There have been the countless submissions they've tried to make to the OSS community, such as SE Linux... NSA has contributed a ton to the high performance computing side of the house on everything from monitoring tools to improving open source compilers.
Hmm, let's not forget that one time the NSA recommended changes to a common publicly used cipher. If I recall correctly, they had discovered a weakness which they could/would not disclose, but recommended the fix anyways. Everybody accused them of intentionally crippling the cipher and refused to follow the NSA's advice... until years later someone discovered the weakness and acknowledged that the NSA fix corrected it.
But let's not let facts get in the way of our opinions.
-
Re:IDK...
I find it hard to believe the NSA really has better computer experts than Google...the real question is, what is Google really getting out of this?
Why is that? They've done major Linux development in SELinux and have been using computers since Hollerith cards and magnetic drum storage. Their own website talks about things like
We develop the means to dominate the global computing and communications network.
.... Imagine working with the most sophisticated tools available and over-the-horizon technologies that won't come into commercial mainstream use for many years. ... Today, our work takes us into the worlds of knowledge discovery, advanced mathematics, quantum computing, nanotechnology, networking technologies, and, of course, computer systems security. ... We especially need computer scientists, mathematicians, and engineers. Come see what we see. We think you will find a career at NSA to be engaging and challenging.
Sounds like a computer geek's wet dream to me.
-
Re:How do we know it's not already in use?
In a modern distro, it would be impossible for an individual to vet the entire code base, it would not be impossible for an organized, determined group of a few thousand experts to do so. I believe that the NSA does just this with selinux, or at least that's the claim.
http://www.nsa.gov/research/selinux/index.shtml
http://www.cs.utah.edu/flux/fluke/html/flask.html
Indeed, SELinux is based on the FLASK kernel architecture which is formally verified. This means that flask has a mathematical model (specification) which researchers use to test for bugs and check for correctness. They CANNOT guarantee that the whole architecture is free of bugs, however they totally guarantee that for all the tests and validations performed the architecture is 100% free of bugs.
If the software (in this case a kernel) is developed exactly following the formal specification, then we can guarantee that the software will behave like the tested specification (mathematical model).
I'm not from formal methods but I believe it is something like that.
-
It's a GUIDE
"Working in partnership with Microsoft and elements of the Department of Defense, NSA leveraged our unique expertise and operational knowledge of system threats and vulnerabilities to enhance Microsoft's operating system security guide without constraining the user to perform their everyday tasks, whether those tasks are being performed in the public or private sector,"
DISA and the NSA produce guides.
http://iase.disa.mil/stigs/stig/index.html
http://www.nsa.gov/ia/guidance/security_configuration_guides/index.shtml
They're patting one another on the back because they worked on the guide before Windows 7 was released.
-
NSA is into many OS'
All concerns about NSA and Windows 7 could also be applied to SE Linux http://www.nsa.gov/research/selinux/
-
Re:Not really necessary
I think it's much more likely that the NSA would partner with Microsoft to ensure that Windows is actually more secure
It's not "likely." It's their job.
-
What?
The NSA work on an operating system? Scandalous!
-
Re:But ...
Anything funded by the federal government including private work should be considered the property of the people and thus released into the public domain.
I'll generally agree with you, but there is privately developed software in use by the government, and the military in particular that isn't going to be released on the basis that releasing it would help our enemies more than it'd help citizens of the United States. Stuff like nuclear explosion simulation programs, ballistic missile targeting/flight programs, etc...
Now, things like the NSA linux build is available.
There's other software available, if you know where to look, but most of it isn't that useful to the average person.
Then again, such private work isn't exactly going to be 'free use' for the contractor either - it's developed for the government, with all rights handed over to the government.
-
Re:Cool - how do I become a security expert?
Commodore, here is what you are looking for: http://www.nsa.gov/ia/academic_outreach/nat_cae/institutions.shtml and google: information assurance scholarship program. Purdue, Carnegie Mellon, James Madison, George Mason are just some of the Universities that have a very strong IA/CND/CNA program... Telecommunication Engineer, Electrical Engineer, Computer Science, and Computer Engineering provide a solid B.S. for this field but please note, that most of these classes will be dominated by our foreign friends. As a worker bee in this field, we need folks that have time in a seat looking at packets, writing custom protocol filters-IDS/IPS, using correlation tools such as ArcSight or MARS (etc!), performing flow analysis, writing extended ACLs, and staying on top of the open source tools (e.g., Bro, Argus) etc.... CISSPs are nice, especially the ones that put it in their email... Our CyberCorps does not need to consist of more policy "accreditation" and "managerial Information Assurance" types, but REAL engineers that understand packet analysis and have a diverse background on all critical monitoring stacks. Even with these degrees, it takes time to understand the network and the tools of the network you are working on. There are very few large networks that these CYBER CORP engineers will be able to grow and establish their skill sets on (another big picture problem), as when the annual budgets come down to the folks that actually do the monitoring, the same security and network monitoring that is supposed to be the backbone of the network, is falling apart at the seams.
-
Re:If OSX, Linux, & BSD can do it, Microsoft c
IF the programmers of Apple OSX, Linux, and BSD can make mostly malware-free software, Microsoft can also. Those operating systems have fewer vulnerabilities because they were designed to be secure.
Microsoft have made secure software in the past. I recall them touting one of the earlier stable NT releases passing some DoD standard or other for security.
What the morons from marketing did not tell you, was that the DoD had some qualifications attached to an NT system meeting their standard - the key one being: Not connected to the Internet.
I still wonder if the No Such Agency still has thousands of VMS systems. I've not used VMS (or, as it became, OpenVMS) in the last five years. I know many Unix fans really hated it, but the entire development of the OS was done using good, tested Software Engineering principles. It was fun when everyone was screaming about the world ending because of the Y2K problem. Alas, I can't find the great response one of the engineers - basically saying that Y2K was not an issue due to the internal date format, and Y10K would only be a problem for displaying the dates.
-
A funny side note.
Several years ago I visited the National Cryptologic Museum at Ft Meade MD. http://www.nsa.gov/about/cryptologic_heritage/museum/
At the time you had to go through a gate with armed military types then make your way around to the museum parking lot. Once inside, I remembered that I had forgotten to lock my car doors, and mentioned to the guard that I was going to go back out to the parking lot to do this. He looked at me and said, "Don't worry about it, your car is being watched".
In any case, I highly recommend visiting this museum if you are a geek type. From a real Enigma that you can touch, to a Cray II that you can sit on, this place is cryptogeek heaven. A truly interesting experience.
-
Re:Wrong agency; should have claimed NSA
Any of the contact addresses here:
-
National Cryptologic Museum outside the NSA
I loved the National Cryptologic Museum just outside Fort Meade in Maryland.
The facility isn't flashy, but they have real Enigma machines, a cipher that may have been owned by Thomas Jefferson (they can trace it to near Jefferson during his lifetime - he described something similar in his writings), the US "Cryptographic Bombe" used to break Enigma 4-wheel machines after Bletchley Park initially cracked the code, Super Computers, government crypto gear, and displays on US missions involving cryptology.
We were fortunate to get a very helpful docent who was ex-NSA. Best way to see it.
If you're in DC, you'll see ads for the "Spy Museum", which is interesting, but half fluff. The National Cryptologic Museum is the real thing.
-
Re:Looks fake
As for the possibility of present-day humans guiding manned secret UFO aircrafts, unlikely.
If it was a cover to hide US aerospace designs there would be reams of paperwork describing operating procedures that would have turned up in court enforced FOI discoveries and fact-finding inquiries demanded by congressional committees some 50-60 years after the fact. We also wouldn't have people like Milton Torres coming forward saying they were told to shoot down UFOs. It also wouldn't make sense for the US to buzz their own planes. Likewise, why would the US conduct massive studies in to a phenomenon (Project Twinkle, Project Sign, Grudge, Blue Book, etc) which could be attributed to its own manufacture? It would be a waste of time, resources, and man-power with potential to expose the cover project.
Also consider that if all unexplained UFO sightings represent secret American aircrafts then the United States has "spent hundreds of billions of dollars on known and highly inferior aircraft to be used in a cover-up of such deeply classified activities. These inferior aircraft must have been used and continue to be used while far superior aircraft have been kept in hiding instead of being employed to prevent or win wars which have cost many lives and endangered many more."(1)
It simply doesn't make sense.
-
NSA hardening guides
I've found the NSA hardening guides, on what used to be called the SNAC, pretty useful: http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml#linux2
-
W^X
...
On the other hand, I know plenty of people running active commercial anti-virus software that's been plagued with virii.
The reason?
1. No Awareness.
2. No Patching.
3. No Prudence.
4. Running Windows
There. Fixed that for you.
Worm/Virus are spread so fast these days, the AV software just can't catch up in time to prevent the infection and in quite a few cases, the Worm/Virus disables the AV software, making it more difficult (in some cases impossible) to remove the infection without booting to another OS (Live OS from a CD/USB Drive).
Except that spreading fast is nothing new. Most worms hit peak a few hours sooner than the average time it takes for the AV makers to create and push out a new profile.
That's why I use ClamWin for occasional scanning.
ClamWin, ClamAV are fine for remedial action. The best remedy, as in all things, is prevention and that can be accomplished by moving to systems that are resistant to malware. Here even the consumer unions fall flat on their faces and fail to mention the Linux distros. Most mainstream distros are years ahead of Windows as far as ease of use, maintenance and speed. The main weakness of real systems (non-M$) is that Web 2.0 script crap.
If someone wanted to make a really hardened desktop or netbook appliance, the following steps can be taken:
- Split up the file system hierarchy and partitions W^X
- Don't run the regular user with any admin privileges or the ability to escalate to admin.
- Set up a systrace profile
- Set up a SELinux profile
I wrote the word appliance above, because with extreme settings like that, you are not going to want to try to add, remove or radically reconfigure any packages.
-
Most secure!?
the world's most secure means of isolating x86 software
I seriously doubt this claim...
What about? http://www.nsa.gov/research/tech_transfer/fact_sheets/nettop.shtml
Or its predecessor? http://www.nsa.gov/ia/programs/h_a_p/releases/hapr1.shtml
-
Re:American Money, American Land, American Calls
You don't need supercomputers for handling AT&T's data. You need them for decrypting foreign signals. You know, their mission and stuff.
The NSA's mission is securing the nation's communications, something you would have known if you googled for "NSA mission" (even if you were feeling lucky.) Maybe you should just quit while you're way, way, WAY behind? Kind of pathetic that you got modded up to +5 when you are WRONG.
The parent to your post is correct, something you would know had you ever worked there. You, however, would much rather be Olberman's and Stewart's Bobblehead, agreeing with them only as long as they let you stop smoking their respective poles as they issue left-wing talking points to get up the ire of an ignorant populace. You ass-rods have no idea of what goes on in our "spy" agencies, and you don't need or have the right to know.
-
Re:American Money, American Land, American Calls
You don't need supercomputers for handling AT&T's data. You need them for decrypting foreign signals. You know, their mission and stuff.
The NSA's mission is securing the nation's communications, something you would have known if you googled for "NSA mission" (even if you were feeling lucky.) Maybe you should just quit while you're way, way, WAY behind? Kind of pathetic that you got modded up to +5 when you are WRONG.
-
Re:Like who?
The NSA also has an already existing and mature Information Assurance mission with experts publishing freely available cyber security guidance, configuration guides and software.
In my opinion the NSA already has the expertise and experience required. Not everyone working there is assigned to domestic espionage.
-