Slashdot Mirror


Securing Win2K, NSA-style

bpitzer writes: "The NSA has released their guides for securing Windows 2000 that they have issued for various DoD organizations."

13 of 186 comments

  1. Breaking News by Anonymous Coward · · Score: 5

    In a gigantic police operation, many thousands of hackers from a gang calling themselves "Slashdotters" were lifted from their beds and arrested this night for organising a massive DDOS (Distributed Denial Of Service) attack on the main NSA network. It is not yet clear which foreign country paid the leader of this gang, known under the name Commander Taco, to destabilize the national security of the U.S.

  2. You can actually see the site. by paleck · · Score: 4

    For some reason you have to go to http://www.nsa.gov/winsecurity and then proceed from there.

  3. Re:Unplugging the computer... by spectecjr · · Score: 5

    And they forked linux because they could, it being open source and all. They would undoubtedly have done the same with win2k, but they cannot because it is closed source.

    The NSA has the Win2k source code. It's very easy for universities and other establishments to get the source, slightly less easy for large companies, and slightly less easy still for small companies and individuals (although they're changing this as we speak...)

    Simon

    --
    Coming soon - pyrogyra
  4. Typical... by AnalogBoy · · Score: 5

    They finally post a /. article that isn't directly attacking windows - and seemingly people crawl out of the woodwork to provide a kneejerk reaction to the words "Windows" and "Secure".

    Here's a small dose of insight, from someone who's beta tested MS operating systems for 5 years (or so.)

    Microsoft listens to users' suggestions. They may not respond to you, they may not integrate them into the OS. But they do listen. MS does not make an insecure operating system on purpose - Beta testers have a whole newsgroup to focus on security and how to improve it before the final build is released. It's part of their role and responsibility to test for exploitable security holes - if you don't think they're doing a good enough job, how about you send a request to betareq@microsoft.com and ask to be on the next beta team for windows. Keep in mind though, they usually only want experienced users and there are checks and balances to make sure you're a functional beta tester - not just someone who enjoys bragging about having teh leet XP build #x.

    The beta process is not perfect, IMHO - Bugs do get knocked down (I've thought for a long time they should let the beta testers moderate bugs) and I have an extreme distaste for setting a release date before the beta testers agree that testing is complete. XP is remarkable right now, but not perfect. This part is MS's fault.

    If you have an intelligent, well-thought-out, non-kneejerk "windows sucks *chortle*" suggestion/comment regarding windows - you may go to http://www.microsoft.com/mswish/

    (p.s. - When you list your beta testing experience, the following line is a bad, bad idea: "I tested (unofficially) Windows XP, 2000, ME, 98SE, 98.... you get the idea. har har har *snort*" :)

  5. Re:Rule #1 by MissNachos · · Score: 5
    --
    if you want to make God laugh, tell him your plans
  6. Yet another DDoS attack logged... by cperciva · · Score: 5

    Anyone care to speculate on what DoD's reaction to a full-scale slashdotting would be? Given that they report routine pings and port scans as "attacks" I imagine their reaction to this unsolicited SYN flood would be similarly excessive.

  7. Unplugging the computer... by Carnage4Life · · Score: 5

    Interesting, there are about 18 comments as I post this and over half are jokes about unplugging the computer to make it safe. The truth of the matter is that by NSA guidelines no popular operating system is secure enough out of the box and has to be extremely locked down.

    What is perhaps even more interesting is that at least Win2K can be secured to a level that is suitable for the NSA, they actually had to fork the Linux kernel to get the same functionality out of Linux.

    --

  8. Re:Bullshit by Carnage4Life · · Score: 5

    Okay, ignoring the ad-hominem "blatantly false and jingoistic" . . .

    Sorry about that, it's just sometimes people seem to just be as guilty of spreading FUD as the so-called "evil" corporations that it gets exasperating.

    I apologise for those comments.

    Now . . . you're saying, if I understand, that the NSA's SE Linux is just hacking the Linux kernel to put in some stuff that's been talked about and even done in other OSes for years? And stuff that isn't even all that novel for Linux?

    Yes and Yes. Actually what regular Linux is implementing (which is different from what the NSA is doing with SE Linux) is POSIX 1.e capabilities or "privileges" which involves splitting up the permissions typically given to the root user (e.g. can connect to ports under 1024, can mount kernel modules, can change ownership of files, etc) into discrete entities that can be apportioned to other users and processes. This was something that the POSIX folks tried to agree on in the eighties (or is it seventies) but never came to an agreement on how best to implement it. Check out the Linux Capabilities FAQ for more information.

    The NSA is working on "true capabilities" which is being able to grant and revoke extremely granular permissions to all objects/entities in the system. This concept is similar to java.policy files being maintained for every entity in the system. Making sure that policies can be tracked in such a manner that they are revokable is the most difficult part (e.g. if I lose permissions to connect on a certain port or write to a certain file, then every process or file that I've created should lose those permissions as well).

    --
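
On a current Linux system, the split of root's powers described in comment 8 shows up as per-process capability bitmasks in /proc/<pid>/status. The following is an added example, not part of the original thread: it decodes those masks and reports which of the three privileges named in the comment a process holds. The bit numbers are those of linux/capability.h; the sample status text and the function names are constructed for illustration.

```python
# Bit numbers from <linux/capability.h>, in order (bit 0 = CAP_CHOWN).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN "
    "NET_RAW IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE "
    "SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME "
    "SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP "
    "MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ "
    "PERFMON BPF CHECKPOINT_RESTORE"
).split()

# The three root powers the comment lists, mapped to their capability.
COMMENT_EXAMPLES = {
    "NET_BIND_SERVICE": "bind to ports under 1024",
    "SYS_MODULE": "load kernel modules",
    "CHOWN": "change ownership of files",
}

def decode_mask(hex_mask):
    """Return capability names set in a hex mask; unknown bits as BIT_n."""
    mask = int(hex_mask, 16)
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"BIT_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1]

def parse_status(text):
    """Map each Cap* line (CapInh, CapPrm, CapEff, ...) to capability names."""
    sets = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap") and value.strip():
            sets[key] = decode_mask(value.strip())
    return sets

def held_examples(text):
    """Which of the comment's three powers are in the effective set."""
    effective = parse_status(text).get("CapEff", [])
    return {c: why for c, why in COMMENT_EXAMPLES.items() if c in effective}

# Constructed sample: a non-root daemon granted only NET_BIND_SERVICE (bit 10).
SAMPLE_STATUS = """Name:\tdemo-httpd
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t000001ffffffffff
"""

if __name__ == "__main__":
    print(held_examples(SAMPLE_STATUS))
```

Feeding it the contents of a real /proc/<pid>/status file shows whether a service runs with a narrow grant like this one or with the full root set.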

  9. An omission by Dr_Cheeks · · Score: 5
    The secret NSA password is "nsaspooksrule!!!"

    This is only to be used for non-spying means. Really. There is no need for users to worry about invasion of privacy as we at the NSA are above that.

    Additionally, please ensure that you give your files clear names such as "Nuke blueprints" or "Kiddie Porn". We suggest this purely to help you organise your file system.

    --

  10. Re:Backdoors? by RatFink100 · · Score: 4

    Backdoors are possible in Open Source - if you put them in the compiler.

    Suppose I set up a website with my new compiler. I give a binary download and a source download. What I don't tell people is that the binary download contains extra code which adds a backdoor to the software it compiles. It also recognises when it is compiling itself and adds all this extra code.

    So now you've got a corrupt compiler which generates back doors.

    Of course you have to persuade someone to download the binary compiler first. But if they're working on a system without a compiler - that's exactly what they'll do. Or they installed the compiler direct from the CD.

    I'm afraid the only way to be 100% sure that your compiler is not corrupt in this way is to write your own. At least one that's good enough to compile another one.

  11. Been using it for a while by Quila · · Score: 5

    We've been using these "Security Baselines" as we call them in our organization for a while.

    We have a *LOT* of Win2K boxes spread over a continent, and whenever one's compromised, we always find that the administrator or operator was not following the baseline. I don't know of any baselined machines being compromised.

    Use these; they're a Good Thing.

  12. crap by BlueJay465 · · Score: 4

    1:40am PDT, and you guys have slashdotted the NSA, I am so proud of you all :)

  13. Win2k security for home user by waytoomuchcoffee · · Score: 4

    Reams of NSA information on how to make your Win2k box "secure" just points out that Win2k was not meant for the large majorities of home users. Microsoft expects your Win2k system to be operated in a network. This includes allowing remote users to access your registry, view your clipbook, browse your directory, or connect to it via Telnet, right out of the box. It is not set up by default to be the gateway computer to the net. I came up with a step-by-step checklist a while back for all my friends that were running non-networked Win2k home systems directly connected to the net. I don't know how good an idea it was to give step-by-step directions on how to change registry settings, but hey, no one has locked themselves out of their computer yet (at least that I know of). You can see it here: http://www.gpick.net/sbr/security/w2ksecuritytips.htm