Domain: nsa.gov
Stories and comments across the archive that link to nsa.gov.
Comments · 1,061
-
Re:It's Legal
If anyone buys Linux for security, they haven't done their homework.
So what is SE Linux all about then....
Unless you're taking a shot at someone paying for secure Linux when they do not have to, as they could have used this secure distribution based on SE Linux. Yeah, that's it. Sorry. You were obviously pointing out there is no need to pay for a secure operating system. -
Re:Just enough for them to limp along...
If you go to this page, or Google around, you can find out about their relationship with Cray. That's not the secret part.
From NSA's online museum: "Working with companies, such as Cray Research Inc., NSA has been a leader in computer development throughout its history. Some of the earliest supercomputers were designed and built for the National Security Agency." -
Re:If this were actually serious
It could also be due to the fact that they are working with a version of Linux that they (the NSA) have worked to secure. The webpage says that this work isn't an attempt to correct any flaws with Linux, but I'm sure they've noticed a few bugs during the course of their work and have either fixed them or have reported them to the appropriate people to have them fixed.
-
Re:Help the NSA now!
Funny, I see a lot of windows...
-
Re:Another matter
I've cracked it! It's a link to https://www.nsa.gov/applyonline/index.html !
-
Re:Thanks, everyone!
I haven't looked at all the posts, but just in case here are some links that might be useful in your search.
http://www.ams.org/employment/
http://www.ams.org/early-careers/
http://www.maa.org/careers/index.html
http://www.ams.org/careers/
http://math.ucsd.edu/~sbuss/GradInfo/index.html
http://www.beanactuary.org/
http://www.nsa.gov/careers/index.cfm
http://www.census.gov/hrd/www/jobs/emp_opp.html -
Re:Maybe a stupid question
Neither terrorists nor feds are nerds and as such don't read Slashdot.
I hope.
Perhaps you've heard of the NSA? Have you heard about Security Enhanced Linux? What about these security guidelines published by the NSA for various operating systems ranging from Windows to OS X?
I hate to break it to you but there are a lot of nerds in various branches of the US government and I'm sure many of them read slashdot.
I feel bad for you pal. I really do.
Disclaimer: I do not work for the US government or the "government" of any of its allies.
-
Agnitum Outpost
I've been using a free version of Agnitum's Outpost firewall for several years now on my w2k machine and it's a clever little program, far simpler and thinner than the offerings from the major players. However, like any good firewall program it does require the user to make very technical decisions on network traffic permissions whenever a process tries to contact the internet. Now before I praise it for not letting a process (virus/spyware/legitware) do a thing I don't want for the last couple of years, I do have to mention a disclaimer that in addition I've got the latest security updates for w2k, a NATted hardware firewall on the router and generally secured my system according to NSA's manuals.
Unlike in a Unix environment, in Windows the basic security concepts aren't required of the user. Windows computers, despite the networking or even server capabilities, are still built upon the philosophy of Personal Computer where the user has total control but also total responsibility for what the software does. Microsoft's attempts to somehow augment security on top of this flawed concept are not going to succeed and in fact seem to be going the opposite way. Certainly my w2k box is easier to make secure than XP with its 'security improvements' and it seems Vista will make it impossible for the user to secure the computer that he's supposed to own and control.
Sadly I will try to stick with poor old w2k as long as possible but eventually I might have to resort to going the OSX way...
-
Re:better one innit
Like this?
-
You jest, but...
as a matter of fact, someone DOES have a mirror of MySpace.
-
Re:If the job...
http://www.nsa.gov/Careers/students_4.cfm . It does take a long while, however.
-
Re:I was...
The government has patented numerous things.
The link below is just one of those things.
NSA PCMCIA Card Connector
Here is a page about how the NSA specifically creates and licenses these technologies and inventions to the public.
Your tax dollars at work, helping to generate more revenue with those tax dollars. -
Mil Grade Crypto... IS defined :-P
"Cryptography purists may recoil when the author repeatedly uses the term 'military-grade encryption.'
... there is no real definition of 'military-grade encryption' -- and even if there were, it would be classified."
Ahem, reference http://www.nsa.gov/ia/industry/crypto_suite_b.cfm
While Suite A is classified, Suite B, specifically AES, is specifically mentioned as being suitable for up to TOP SECRET info.
Military grade is not a useless term, as it is therein defined.
HOO-AH! -
Re:I wanna volunteer
www.nsa.gov/jobs
The correct URL is
http://www.nsa.gov/careers/index.cfm -
Someone missed the memo
Here's how the NSA recommends redacting files:
http://www.nsa.gov/snac/vtechrep/I333-TR-015R-2005.PDF -
Re:Not a spy plane!
It's a surveillance aircraft, not a spy plane.
It's a spy plane. From your Wikipedia link: Primary Function: Signals Intelligence (SIGINT) reconnaissance aircraft. What, exactly, do you think happens to the intercepted signals? (Here's a hint.)
-
Existing search engine
Doesn't the government already have a pretty search engine?
-
SE Linux
Great, time for the NSA to switch from Security-Enhanced Linux to Windows Vista.
What could possibly go wrong? -
Re:wow
There's no way in hell I would install anything with either of those filenames.. geez good lord.
Right, because you are an educated user, so social engineering won't work. A clueless user would be glad to find that stuff, that isn't included in their distro by default. For the moment, most clueless users are equipped with Windows; but this might change in some distant future. Unix is immune against a lot of attacks and becomes better and better --- just think of SELinux and AppArmor integrated in some modern Linux distros. But Unix is not immune against social engineering when operated by uneducated users. -
Re:How much does a personal degausser cost?
More than you would be willing to pay. The ones that I've seen need a special three-phase electrical connection to supply the power. It's industrial-class equipment with a corresponding price tag.
See the NSA Degausser Evaluated Product List (DEPL) (PDF).
-
Re:Dumb and dumber....
>There are better ways to redact information from a PDF.
They should have asked the NSA. -
Re:When will they learn?
No, no, here is the idiocy - the NSA has a VERY good guide to doing the right!
It's called - "Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF"
http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/vtechrep/I333-TR-015R-2005.PDF
You would think that if you are going to give a lame excuse for why you are doing bad things for a government agency you would at least read the very handy guide on how to file a legal brief with all the naughty bits covered up.
Idiots!!! -
Amazingly Sloppy
Considering they're apparently working with the NSA, it's amazing they were this sloppy. If you've ever seen an NSA release of a classified document that's been scrubbed, it's always very clear that it's either a document that someone has physically overwritten with a black marker and then scanned (such as here), or a document that was edited on a computer, printed out, and then scanned back in again (such as here). They do that precisely so there are no traces of old information left in there. I'm surprised they didn't lend their trick to AT&T.
-
Re:War Stories
Stopping the terrorists means the military can stand down, just like it did after WWI, WWII, Korea, Viet Nam, and the Cold War. The Army alone is about 30% smaller today than it was in the 80s even after the small boost it was given for this conflict. Why should this conflict be any different from the previous ones? Your theory about the whole purpose of the war against the terrorists being a fabricated excuse to spy on Americans in different political parties is nonsense. (Do you also believe that it was the US government that attacked the World Trade Center (both times)? How about the Murrah building in Oklahoma City? Faked the moon landings?) If you really believe that, why was Al Qaeda attacking during Clinton's term, and planning for more attacks, like 9/11? Do you think this is all a plot to keep the Libertarians down?
By the way, under the term "domestic political "enemies"", do you include Hezbollah, recently inconvenienced in Michigan? They do seem to love being in this country. I wonder what Al Qaeda is up to? Wouldn't it be great if someone was looking into this? I wonder who would be best...who could do it? -
Re:Spammers are the virtual mobsters.
What makes you think that the brain dead people in say, the FBI could figure out what an IP address is?
Well, they could always ask these guys what it is...
;) -
NSA (Bush) blocks Justice Dept (Bush's) NSA probe
http://news.yahoo.com/s/ap/domestic_spying;_ylt=A
l
By DEVLIN BARRETT, Associated Press Writer Thu May 11, 6:59 AM ET
The government has abruptly ended an inquiry into the warrantless eavesdropping program because the National Security Agency refused to grant Justice Department lawyers the necessary security clearance to probe the matter.
The Justice Department's Office of Professional Responsibility, or OPR, sent a fax to Rep. Maurice Hinchey (news, bio, voting record), D-N.Y., on Wednesday saying they were closing their inquiry because without clearance their lawyers cannot examine Justice lawyers' role in the program.
"We have been unable to make any meaningful progress in our investigation because OPR has been denied security clearances for access to information about the NSA program," OPR counsel H. Marshall Jarrett wrote to Hinchey. Hinchey's office shared the letter with The Associated Press.
Jarrett wrote that beginning in January, his office has made a series of requests for the necessary clearances. Those requests were denied Tuesday.
"Without these clearances, we cannot investigate this matter and therefore have closed our investigation," wrote Jarrett.
Justice Department spokesman Brian Roehrkasse said the terrorist surveillance program "has been subject to extensive oversight both in the executive branch and in Congress from the time of its inception."
Roehrkasse noted the OPR's mission is not to investigate possible wrongdoing in other agencies, but to determine if Justice Department lawyers violated any ethical rules. He declined to comment when asked if the end of the inquiry meant the agency believed its lawyers had handled the wiretapping matter ethically.
Hinchey is one of many House Democrats who have been highly critical of the domestic eavesdropping program first revealed in December. He said lawmakers would push to find out who at the NSA denied the Justice Department lawyers security clearance.
"This administration thinks they can just violate any law they want, and they've created a culture of fear to try to get away with that. It's up to us to stand up to them," said Hinchey.
In February, the OPR announced it would examine the conduct of its own agency's lawyers in the program, though they were not authorized to investigate NSA activities.
Bush's decision to authorize the largest U.S. spy agency to monitor people inside the United States, without warrants, generated a host of questions about the program's legal justification.
The administration has vehemently defended the eavesdropping, saying the NSA's activities were narrowly targeted to intercept international calls and e-mails of Americans and others inside the U.S. with suspected ties to the al-Qaida terror network.
Separately, the Justice Department sought last month to dismiss a federal lawsuit accusing the telephone company AT&T of colluding with the Bush administration's warrantless wiretapping program.
The lawsuit, brought by an Internet privacy group, does not name the government as a defendant, but the Department of Justice has sought to quash the lawsuit, saying it threatens to expose government and military secrets.
___
On the Net:
Justice's Office of Professional Responsibility: http://www.usdoj.gov/opr/index.html
National Security Agency: http://www.nsa.gov/home_html.cfm -
Re:I disagree
Apple users are not encouraged to turn off the administrator account, indeed, as the system is configured by default, they're encouraged to use it as their main account. No warnings are given that this is bad practice, and no user manual that might document this is provided with the operating system.
Find a topic you know something about before posting. As every OS X owner on /. undoubtedly knows, Apple users are not presented with any option to run as an administrator/root/superuser/God and have to be knowledgeable in the ways of BSD-flavored UNIX to make an administrator account accessible (which is what they would have to do to mimic a Microsoft standard level of vulnerability on an OS X box). The initial "owner" account, and other accounts designated later as users are added, can be designated as "Admin" accounts, allowing them to add and remove users, install applications that require Admin access to install, etcetera. The system allows designated Admin accounts to perform privileged functions typically after a re-authentication step in which the user enters their password to empower a specific system task to execute a privileged function.
Unlike Windows, where outside of rarified, highly managed IT environments a user runs and usually must run only privileged tasks to operate effectively. BTW, unlike Windows the OS X security model and many best practices are well documented on the Apple site in the developer areas (ADC includes a free membership level that provides access to some wonderful papers on the OS X tasking model, security issues, etc.), and there is an excellent and surprisingly short piece by the US National Security Agency on OS X security issues and recommended procedures http://www.nsa.gov/snac/downloads_macX.cfm?MenuID=scg10.3.1.1.
A user is slightly safer running in a non-Admin OS X account than otherwise, and in a professional environment that may be a reasonable precaution for some organizations. Were Steve Jobs to suddenly dictate that his consumer-level customers must operate with knowledge, precision, and accuracy of IT professionals, maintaining and using a completely separate account for performing any administrative functions, to achieve an acceptable level of safety on what is already the safest consumer platform in the world, he would be an idiot. (And he is not an idiot.)
As far as the well-being of OS X users, they are better served by a serious and knowledgeable explanation of these issues and their real levels of risk than the usual FUD. -
New NSA guide for securing VOIP
-
Re:Switch to Intel
Every OS is buggy. Every OS is vulnerable. Windows has a dominating market share, so Windows is targeted. UNIX systems, Linux systems, OSX systems, Windows systems - all have been hacked, cracked, broken, virused up, exploited, and brought to their knees.
For its last-line defense, Linux has a one two punch in store. -
RISE... isn't that similar to PIC?
So, isn't RISE (Randomized Instruction Set Emulation) similar in concept to PIC (Position Independent Code)?
If you want to secure computers via the Linux route then Hardened Gentoo is a good way (follow the Resources links in section 6).
PaX is a hardened Linux kernel using ASLR (Address Space Layout Randomization) to support applications built as a PIE (Position Independent Executable) and to provide non-executable memory (NX).
PaX home.
PIE/SSP (Position Independent Executable)/(Stack Smashing Protector) (follow PaX link)
When an application is built as a PIE (Position Independent Executable) the code is able to be randomized on load up and the NX bit set on certain parts of the application. At run time, when a buffer is created, SSP adds a secret random value called the 'canary' to the end of the buffer.
MAC (Mandatory Access Control) (follow Hardened Gentoo link)
Hardened Gentoo supports 3 access control solutions, SELinux , grsecurity , and RSBAC .
PIC Introduction and Internals.
Other references:
Hardened Gentoo Primer
SELinux is supported by the NSA (National Security Agency) of the USA. -
Re:Debian is Key
You are wrong. In Gentoo community, Debian is completely irrelevant, not critical, as well as Red Hat is.
Except for all the software development members of both communities do. I seriously suggest you check into the amount of kernel contributions that come from people with @redhat.com e-mail addresses before you spew off nonsense about Redhat being "irrelevant."
For example, does NSA use Debian? No, they are backing and contributing Gentoo with selinux.
Funny then that the NSA's contributors list for SELinux includes as many/more references to Red Hat and Debian as Gentoo.
In mission critical systems, marketing propaganda (as in Red Hat or Microsoft) does not count.
Neither does blind zeal and borderline trolling. Use what works. But don't be fooled into believing that what you like is completely independent of development going on in the rest of the Linux world. That's just plain foolish. -
Employment on the NSA
Yes, spying and everything is wrong. But with the NSA having more power than ever and needing to acquire/sift through more and more information all the time, wouldn't it be a very cool place to work?
http://www.nsa.gov/careers/ has links to all the areas. The only thing I found extraordinarily interesting is that computer programming type skills (ie Software Engineering) is more under the Computer Engineering/Electrical engineering career track than the computer science one.
The only question is that if you should decide to leave the NSA or are fired, does termination extend to more than your employment? Although seriously it does seem like a very geek friendly place to work. -
Are they required to do this?
Does the U.S. require departments/agencies to create some kind of kid-friendly website? I'm not 100% sure, but a lot of government agencies with no real interest in them seem to have them.
Just take a look, the Defense Intelligence Agency has a "kids' site", the CIA has a kids' site, the NSA has a website, and even the State Department has a kid's site where you can learn exciting things about SecState Rice meeting Elmo...
Sure, some of them have a little bit of recruiting-type material on them, but most of it links back to the "grown-up" site and I've yet to meet a 4th grader who wants to be an analyst or diplomat when he or she grows up. There's a fair amount of "say no to drugs" material as well, which makes sense in any case.
I wonder if there's legislation somewhere requiring all government agencies to put up a kid's site. My money is that yes, there's some requirement somewhere for this. It's the only possible explanation for some of these exceedingly lame websites - they just gave them to an intern or flunkie to throw together real fast to meet regulations.
-
NSA recommendations
You could check out some of the schools which the NSA recommends for security in general. They have a list of National Centers of Academic Excellence in Information Assurance Education (CAEIAE). The link is http://www.nsa.gov/ia/academia/caeiae.cfm
-
Re:It's time....
I have a relative that works at the NSA in the Information Assurance/Threat Assessment area, and both of his machines (both classified and non) are Macs running OS X (not sure what version, hopefully Tiger).
For excellent security guides, there is a NIST guide to securing XP, and an NSA guide for securing Mac OS X. -
Re:Use PGP/GPG
Also be sure to check out their hilarious CryptoKids(TM) site.
-
Re:You Are Incorrect!
???
You posted a correction to say that the Windows default with SP1 is "secure"
???
Try running nessus or even nmap against it.
Try referring to NSA guidelines for securing a windows 2003 server environment.
http://www.nsa.gov/snac/downloads_win2003.cfm?MenuID=scg10.3.1.1
Or read some of the SANS whitepapers:
http://www.sans.org/rr/whitepapers/windows/
Windows machines can be hardened to a degree, but never as much as it's possible to harden Linux or BSDs because they can be streamlined much much more by tossing out all of the unused components and modifying the components you do use to be slightly nonstandard and less susceptible to known attack vectors. -
Re:NSA Linux?
The NSA gave us SELinux.
-
Where to find TNM (The Nice Manual)
Instead of inane, immature competitions such as this one, I'd rather have a nice manual (RTNM -- Read The Nice Manual) on how to improve/lock down an OS X machine.
This has been done already, TNM can be found here. Two caveats:
1) The manual is for OS.X Panther although it should be mostly just as valid for OS.X Tiger.
2) The publisher has a dubious reputation with the tinfoil-hat crowd.
I found it to be interesting to read and it should be fairly easy for moderately computer-literate users to understand. -
Re:* yawn *
The National Security Agency has a PDF based handbook on securing OS X. It's a bit outdated (written for Panther 10.3.x). Is that what you were looking for?
-
Your wish has been granted:
Corsaire - Securing Mac OS X Tiger
NSA - Mac OS X Security Configuration Guide (not yet updated for Mac OS X 10.4)
Apple - Common Criteria configuration guide
And for the "average joe"?
- Keep your machine patched
- Don't randomly open ports for services you don't use
- Have a personal firewall/router
- Don't run software you don't trust
And this doesn't "prove" anything, except that the initial ZDnet article was totally vague and sensationalistic, making it seem to an average person reading that article that a Mac OS X box could just be "hacked" by being on the internet. That is wrong, and I'm showing that. Simple. It's all explained on http://test.doit.wisc.edu/ -
Re:* yawn *
>I'd rather have a nice manual ... on how to improve/lock down an OS X machine.
There's this..... http://www.nsa.gov/snac/downloads_macX.cfm -
Re:* yawn *
The NSA has just such a document.
http://www.nsa.gov/snac/downloads_macX.cfm?MenuID=scg10.3.1.1
Next time, consider knowing what you're writing about, before...you know...writing. -
Re:So,
Security-Enhanced Linux
I don't believe they use it internally as it's still part of a research project, but it wouldn't be a bad place to start.