Slashdot Mirror


How The NSA Secures Computers

An Anonymous Reader wrote to mention an NSA site covering secure configuration guidelines for a number of operating systems. From the site: "NSA initiatives in enhancing software security cover both proprietary and open source software, and we have successfully used both proprietary and open source models in our research activities. NSA's work to enhance the security of software is motivated by one simple consideration: use our resources as efficiently as possible to give NSA's customers the best possible security options in the most widely employed products."

209 comments

  1. Great Idea.. by digitallystoned · · Score: 3, Insightful

    Leave it to the government to tell us how to secure our computers so they can tap into our data later through some backdoor. Good read, except all they really had to say was 'disconnect your computer from the fucking internet'..

    1. Re:Great Idea.. by aussie_a · · Score: 3, Insightful

      Good read, except all they really had to say was 'disconnect your computer from the fucking internet'..

      Uh-huh. And there comes a point where security impinges on usability to an unsatisfactory degree. Sure, not having your computer hooked onto the net will make it incredibly secure compared to if it were hooked to the net. But if you need to use the internet, then this level of security makes it unusable.

    2. Re:Great Idea.. by digitallystoned · · Score: 1

      Uh-huh. And there comes a point where security impinges on usability to an unsatisfactory degree. Sure, not having your computer hooked onto the net will make it incredibly secure compared to if it were hooked to the net. But if you need to use the internet, then this level of security makes it unusable.

      True, but that's basically what the NSA says in their 143-page document from 2003 (which misses, oh, ALL of the patches to XP, for example)... Maybe they released this information as a conspiracy to the UN wanting international control of the Internet. If the NSA's involved, I'd honestly like to know why they take interest at this point in time as opposed to when the zombie machines became a serious and costly area of the internet.

    3. Re:Great Idea.. by thesnarky1 · · Score: 1

      As far as I'm concerned that IS the only way to secure a computer. And even then, you can have users with malicious intent, some idiot might bring an infected file on removable media, anything can happen.
      I propose a new way, unplug it from the wall.

    4. Re:Great Idea.. by AuMatar · · Score: 2, Funny

      But someone could still come to your workplace and steal the hard drive! So instead, I suggest the one time use computer- if no key is typed for 5 minutes, instead of a screensaver, explosives inside the case will explode. This has the added bonus of killing the thieves.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    5. Re:Great Idea.. by prell · · Score: 1

      I just installed Windows Server 2003 Enterprise, and when I went to use Internet Explorer to download some drivers, it was even more annoying than it usually is: Server 2003 has some "enhanced security" option enabled for IE, which basically makes it so most or all web sites break. And you get to look at a large "warning! Enhanced IE security is on" message every time you go to a URL. I eventually completely uninstalled this "enhanced security" because it made it impossible for me to get anything done.

    6. Re:Great Idea.. by crmartin · · Score: 2, Interesting

      You think you're joking, but when I used to work with the three-letter agencies, they did that. Put the computers and all the workspaces inside a Faraday cage, run the power through an isolation transformer. "Sanitize" used hard disks with thermite.

    7. Re:Great Idea.. by LurkerXXX · · Score: 1

      Why couldn't you get anything done? The only place you should be 'surfing' on a MS server is to the manufacturer's website to download new drivers, or the OS/applications maker's website to download patches. You just add those websites to your whitelist, and you're done.

    8. Re:Great Idea.. by Anonymous Coward · · Score: 0

      I propose a new way, unplug it from the wall.

      Yeah, but then someone could break in and plug it in.

      I suggest throwing away the computer. Get a cardboard box instead, write "computer" on the side, and run some (preferably black) string from the box to your TV. Periodically check to make sure the box is empty.

    9. Re:Great Idea.. by SilverspurG · · Score: 1

      On the same line of thought I'm always amused by the freaks who rant and rave that GNU/Linux can't be secure because there's no accountability for the programmers on all the various core components. Yet MS employs programmers worldwide. So what's the difference? Who's certified that some malicious coder inside MS hasn't inserted a tiny little backdoor gateway in some little-known .dll someplace?

      --
      fast as fast can be. you'll never catch me.
    10. Re:Great Idea.. by LnxAddct · · Score: 2, Insightful

      Except that if you RTFA and looked at the history of the NSA, they've been pretty up front about security. They don't tell us everything they know, but what they do tell us has always been credible and useful (i.e. making SHA more secure without actually telling us how it worked). This guide is for everyone, including securing government systems, those same systems that may need to securely exchange data with the NSA, Pentagon, White House, etc... The NSA has every reason to make this guide as accurate as possible. The NSA's job is not only collecting data, but also securing the nation's data and this fits perfectly within that realm.
      Regards,
      Steve

    11. Re:Great Idea.. by Martin+Blank · · Score: 4, Informative

      This is not remotely new. These things have been around for YEARS, and Slashdot covered them at that time. They were written for the use of other government agencies to secure their systems when using the listed products, but they also have a great deal of value to the public. They follow all the things we've been told over the years -- put up layered defenses, stop using old, broken protocols, use those with better hashes, disable unneeded services, reduce your attack surface... Or do you believe that these are things meant to make it easier for attackers to get in?

      The guides are a valuable learning tool, too, and a number of companies have followed the idea. In fact, when Microsoft wrote its own guide for securing Windows 2003, the NSA decided that it was comprehensive enough that they didn't have to write one themselves. NSA even went so far as to mirror it themselves, presumably for government convenience.

      The pace of the documentation has slowed significantly; for a while, there was a new guide coming out every month or two. But every so often, they cover new topics such as evaluating wireless IDS, as well as some other more esoteric titles like So Your Boss Bought you a New Laptop...How do you identify and disable wireless capabilities. You can see a complete list of titles here.

      Go try reading the original material before criticizing it. You might actually learn something and be able to earn your karma through something other than a cheap shot.

      --
      You can never go home again... but I guess you can shop there.
    12. Re:Great Idea.. by Flendon · · Score: 1

      True, but that's basically what the NSA says in their 143-page document from 2003 (which misses, oh, ALL of the patches to XP, for example)... Maybe they released this information as a conspiracy to the UN wanting international control of the Internet. If the NSA's involved, I'd honestly like to know why they take interest at this point in time as opposed to when the zombie machines became a serious and costly area of the internet.

      I just thought I should point out that page has been around for several years. No news here. Just few outside the government bother going there. I have seen it linked on /. several times before however. Didn't it seem odd that you mentioned it was from 2003 yet you're complaining that they didn't put it out earlier than now? Sorry to ruin your conspiracy theory. Don't worry though plenty of real conspiracies do exist out there for you to find.

      --
      chown -R us ./base
    13. Re:Great Idea.. by xaosflux · · Score: 1

      Didn't I see this on a TV show...except you had to hit a code every 108 mins.

    14. Re:Great Idea.. by thesnarky1 · · Score: 1

      No, I wasn't joking. Well, it was sarcastic, but only at the grandparent's comment. I know just how dangerous the internet is, and how quickly a computer can be infected. I'm a firm believer in only being plugged into it when you're using it, all other time, remove the cable. The unplugging, yea kind of a joke, but if I did have any sort of sensitive data on here, or used this computer for contracting work I would unplug it when it's not in use. I also used a BIOS password and a boot password. I change my login password every few months to something completely different, and at least 10 characters. Yes, someone could take the hard drive, true, and at my mother's work, they have removable hard drives that they lock up when not in use. I, however, don't use this computer for anything sensitive or anything proprietary, so if someone walks off with my hard drive, well, I'll cut my losses and put one of my backup images on.
      I guess what I'm getting at here is, I know the risks, and I accept them every day I use my computer. Many users do not (speaking from a college campus where I can see 4 unsecured wireless networks, and 2 "secured" wireless networks broadcasting their SSID as we speak) which is why I agree with what they recommend "unplug it from the wall".
      Sorry if you thought I was kidding, I only wish I were

    15. Re:Great Idea.. by Anonymous Coward · · Score: 0

      If you suspect back doors, use open source. But here's a tip: if they want to spy on you, they don't need back doors, they can use echelon, or tempest. Google 'em.
      Chances are though, they're not that interested in your data. And I might point out it's in their best interests to increase the security of their citizens' computers.

    16. Re:Great Idea.. by trick-knee · · Score: 1

      well, when they wrote "couldn't get anything done", they weren't necessarily meaning "couldn't get any work done".

    17. Re:Great Idea.. by FLEB · · Score: 1

      For a consumer grade box-and-string security method, this will work fine (for about 90% of business users, I'd venture). Like you said, though, malicious types can obscure dangerous worms, bombs, and other "trojan horse" style attacks behind the 3D object opacity filter inherent in this architecture.

      For maximum security, you need to disable the 3D features: Shred and discard the box, and run the string to a square drawn on the wall with "computer" printed on it. You'll lose a little functionality, but you'll be rock-solid secure.

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
    18. Re:Great Idea.. by TidyTibs · · Score: 1

      You have no clue what the NSA is about. The NSA has been doing these guides for years and it's just NOW making slashdot news? They even supply a security enhanced linux kernel via http://www.nsa.gov/selinux/.

    19. Re:Great Idea.. by mcsestretch · · Score: 0

      Actually it's said that the only secure computer is one that is disconnected from a network, unplugged from the wall, tossed into a dark room and that room is filled with concrete.

      Oh, and have the doors guarded by two rabid weasels on crank.

    20. Re:Great Idea.. by jommelli · · Score: 1

      You are right: good advice doesn't stop being good advice because it comes from a suspect source. Indeed, if the NSA is using these guides, there is much to be learned here.

      One caveat: their coverage of OS X only goes up through "Panther."

      --
      "Against stupidity, the very gods themselves contend in vain." - Schiller. I'm not smart enough to have said it myself.
  2. huh? by utnow · · Score: 5, Funny

    The NSA has customers? How long do you think it'll be before Microsoft tries to 'acquire' them as the latest 'innovation' in computer security? :D

    1. Re:huh? by thesnarky1 · · Score: 1

      And how long before they win?

    2. Re:huh? by kramgr · · Score: 0

      Everybody has customers, didn't you know?

    3. Re:huh? by Nuskrad · · Score: 1
      The NSA has customers?

      Yeah, they're called taxpayers

    4. Re:huh? by utnow · · Score: 1

      oh? Good! In that case I'd like to fire them immediately. Whatever funding that they're receiving from me will henceforth be refunded to me.

      What? I can't get a refund? WHAT?!?! I can't fire them?! I can't even NOT hire them next time?!?!?!

      This is bullshit.

    5. Re:huh? by prell · · Score: 1
      The NSA has customers?
      As a government entity, and like all government entities, the NSA has been serving customers since January 20, 2001 :-)
    6. Re:huh? by bhiestand · · Score: 4, Interesting
      The NSA has customers? How long do you think it'll be before Microsoft tries to 'acquire' them as the latest 'innovation' in computer security? :D

      I know you're joking, but I believe the intelligence community generally uses that term. Either "customers" or "consumers", as opposed to "producers", of course. I know most of the government refers to other departments, agencies, and offices as their "customers".

      From NSA.GOV on SIGINT:
      NSA's SIGINT mission provides our military leaders and policy makers with intelligence to ensure our national defense and to advance U.S. global interests. This information is specifically limited to that on foreign powers, organizations or persons and international terrorists. NSA responds to requirements levied by intelligence customers, which includes all departments and levels of the United States Executive Branch.

      And on Information Assurance:
      NSA's Information Assurance Directorate invites government employees throughout the nation to take advantage of the products, services, and programs we offer to help you secure your critical information systems. Peruse our TEMPEST product lists and descriptions to find exactly the product you need. Discover what the IAD is doing to ensure the security of the emerging Global Information Grid. Download the latest security guides, or enlist the services of IA professionals to help you engineer secure systems or assess the security of existing systems. Learn more about national-level IA programs like those available through the Interagency OPSEC Support Staff and the Information Assurance Training and Rating Program. Or register for IA-related events and conferences to get up-to-speed on the latest IA technologies. Whatever your Information Assurance needs, the IAD is here to help.

      In short, their customers include the entire military, who will receive intelligence reports that may be based on sigint information. Other customers include the state department, which might want to know if the NSA manages to get an intercepted telegram of Germany asking Mexico to declare war on America. Or maybe the president wants to know what kind of porn Usama Bin Laden likes to look at. Either way, according to their website, the NSA is tasked to do this stuff by other agencies, who then use that information to do their job. This gives them bonus points when justifying their budget, so it is the government equivalent of being directly paid to do the work. This is quite definitely a "customer".

      On top of that, since the NSA knows so much about communications, networks, computer systems, and the security of these systems, the NSA is the de facto expert, hence they're also responsible for helping ensure that government computer systems are secure. They say they send advisors to help people out, and I'm sure they have some sort of responsibility for classified networks as well. It's in their best interest if the US has a well-secured communications infrastructure. I'd say it's the digital equivalent of using a sniper as a counter-sniper. But this means the entire government is also their customer. At least anyone who needs their computers to be secure.

      So yes, I'd say the NSA has a lot of customers.

      As for the comments about "the NSA may as well have said that you should just unplug your computer from the internet", I remember an ask.slashdot question a while ago where a guy asked for advice on securing his business computers for some classification certification. A lot of the replies basically said that the computers couldn't be on the internet, period. From my past experiences with having computers online, I'd have to agree that it's a bad idea to have a computer with sensitive data on an open network like the internet.
      --
      SWM seeks new sig for a brief fling
    7. Re:huh? by LinuxInDallas · · Score: 1

      You're their customer, not their boss. Obviously being someone's customer does not give you the ability to fire them.

    8. Re:huh? by morcego · · Score: 1

      I agree, but it sure should give you the ability to say: I don't want your services.

      --
      morcego
    9. Re:huh? by Nuskrad · · Score: 1

      You do, you can move to another service (country).

    10. Re:huh? by utnow · · Score: 1

      Being someone's customer is identical to being their boss. When I hire you to cut my grass every weekend, then I am your boss in so long as you are fulfilling the job. As a customer I can very easily fire you by choosing to take my business elsewhere or to discontinue the current job. Where did the idea that customers aren't bosses come from?

    11. Re:huh? by utnow · · Score: 1

      That was actually a lot of really interesting reading. The comment was meant in jest, but thanks anyway. ;) (a truly intelligent post on slashdot... I tip my hat)

    12. Re:huh? by bhiestand · · Score: 1

      thanks! I'm glad I could clear things up a bit.

      --
      SWM seeks new sig for a brief fling
  3. not only operating systems, by ivlad · · Score: 5, Informative

    ... but there are also a few guides to the applications security available: http://www.nsa.gov/snac/downloads_all.cfm

    my favorite are Cisco IOS and Microsoft CA guides

  4. Crushing defeat. by Number44 · · Score: 5, Interesting

    As an employee of IBM (I work on enterprise storage products) I have this anecdotal story to relate:

    The NSA buys lots of our gear, the large multi-terabyte enterprise-class disk storage arrays. In the case I heard about, there were a small handful of boxes. We keep track of the code loaded on each of them for support reasons, so we have a good sense of where each box is and what it's doing.

    Our warranty on those arrays is 3 years.

    At the end of the warranty period, it is the policy of the NSA to replace the gear outright and start fresh. What we learned was, these boxes had never been put into operation and sat on their shop floor as "excess capacity" (happens in the larger shops, it's a good idea). They had never been attached as storage to their mainframes.

    The NSA crushed them. Brand new, unused and perfectly functional with ZERO data on them. Crushed to scrap.

    That hurts, guys. It really does. My tax dollars paid for them, my sweat and tears makes them run, and the gov't just hauls them outside and crushes them when they can't get support via the original warranty terms. They will never let a shred of data leave their shop for fear of losing control of classified info, but damn, these never had any!

    Why do they treat our tax money so callously?

    1. Re:Crushing defeat. by digitallystoned · · Score: 1

      Look at it this way....The government wastes millions of taxpayers' money every year on shit we'd never use anyway. The boxes served a purpose, they were a write-off for the government. To them there is no amount of money and no budget when it comes to technology. At least those computers made it under the big LCD screen in the sky instead of rotting next to my neighbor's trash bin

    2. Re:Crushing defeat. by cperciva · · Score: 5, Insightful

      Why do they treat our tax money so callously?

      It's cheaper to replace a 3 year old disk array than it is to do all the paperwork necessary to prove that it was never used.

    3. Re:Crushing defeat. by charlesesl · · Score: 0

      Waste of money? It kept you employed, didn't it.

    4. Re:Crushing defeat. by The+Lerneaen+Hydra · · Score: 1

      Why do they treat our tax money so callously?

      Welcome to the wonderful and amazing world of bureaucracy.

      Please sign here, here and here.

      Send at least five paper copies to [insert random important people] and wait five months.



      Thank you and have a nice day.

    5. Re:Crushing defeat. by Sloppy · · Score: 4, Funny
      Why do they treat our tax money so callously?
      What's to stop them? Whatcha gonna do, citizen, hold them accountable? HA! Fire them? HA HA!!
      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    6. Re:Crushing defeat. by Anonymous Coward · · Score: 0

      Because one should never trust anecdotal evidence?

    7. Re:Crushing defeat. by Crouty · · Score: 5, Insightful

      As your posting clearly shows even the fact that the disks were not used is an information worth keeping secret.

      --
      On se Internetz nobody noes your German.
    8. Re:Crushing defeat. by Decker-Mage · · Score: 5, Insightful

      The problem here, familiar to anyone that has dealt with the classified security system regulations, is that as soon as that equipment went in the door it became classified equipment of some certain level. Forever after that equipment, whether it had data on it or not, is set at the level of classification, period. You can never use it with equipment of a lesser classification nor can you declassify it (which in the eyes of the regulations is using it with unclassified equipment). If you can't deal with it, sorry, but that's the way the system works and it isn't going to change as one mistake can cost not just the country but real lives.

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    9. Re:Crushing defeat. by dberstein · · Score: 1

      Mod parent up! It's the most insightful post I've seen in this thread. This guy is thinking like governments do. It's called dissuasion. Maybe I have PTb info about you... maybe I don't. Would you take the risk? Smart thinking Crouty!

    10. Re:Crushing defeat. by chrpai · · Score: 1

      A few briefings on OPSEC and you'd understand why this is. Once something is classified TS it can never be declassed below Secret so it must be destroyed. I for one don't want to take the chance that some hard drive that someone placed in the SCIF and thinks it was never used will end up out in the wild.

    11. Re:Crushing defeat. by Anonymous Coward · · Score: 0

      As a former IBM contractor I can say I once tried to buy out some obsolete hardware provided to me by IBM: DX4-100 boxes at a time Pentium-III were out already, mostly for the sake of cases themselves. The problem was IBM formally owned them but didn't want them back either :). Man, this almost (or really, I don't remember) required approval of the highest level IBM management in the country, do not tell me about NSA now.

      Back to your story, this explains a lot about current IBM policy of shipping more processors/memory/storage to customers than they asked so they could just pay to IBM and start using it immediately without waiting for the actual hardware to be shipped.

    12. Re:Crushing defeat. by lord+sibn · · Score: 1

      That was my first thought as well, but then I realised: any machine you pull out of "excess capacity" is in its virgin state. Replace them if they must. It maintains the budget and whatnot. But anything in that room can legitimately be considered "safe" to sell, either through official channels or even on ebay. Suddenly, the budget is not only maintained, it is increased.

    13. Re:Crushing defeat. by Jeff+DeMaagd · · Score: 1

      I too personally think it's silly to replace computers every three years, simply because the lease and support is up. All of my x86 computers were off-lease and sold for cheap, and the workstations are the most reliable computers I've ever owned, except for one compatibility issue with one hard drive, I've never had a reliability problem attributable to the computer. I think this is one way foreign companies and countries are probably going to beat us just because all they have to do is be smarter about their resources.

      Kind of too bad they didn't do that mil-standard drive wipe and re-sell them, but so many large businesses tend to just buy new, small businesses might not necessarily need this or be able to use it.

    14. Re:Crushing defeat. by Anonymous Coward · · Score: 0

      "Why do they treat our tax money so callously?" - by Number44 (41761) on Sunday October 30, @04:20AM

      Because it's not THEIR money, it's OURS (@ least if you're a U.S. taxpayer that is)...

      I see a LOAD of that going on myself, & it's NOT just NASA, it extends into "corporate america" as well.

      E.G.-> The last job I was on (actually finishing off this week on contract) dovetails into YOUR very statement - disks being secure.

      " What we learned was, these boxes had never been put into operation and sat on their shop floor as "excess capacity" (happens in the larger shops, it's a good idea). They had never been attached as storage to their mainframes." - by Number44 (41761) on Sunday October 30, @04:20AM

      I am doing this forensics/data security job, right now (finishing this week & going right into another job the week after, thank goodness things are picking up in our field lately) for a major financial organization!

      However, unlike the systems you mention?

      THEIR systems actually were hooked up into their servers (unlike the ones you mention, which because of what you stated, blows my mind & makes me angry as well), & I wiped nearly 1,000 of them in total on this forensics/security job for them after they migrated to NEW systems from older ones. The systems' disks (DELL leased systems, with this company as the lessee, & DELL as the lessor) actually HAD data on them.

      The disks didn't need to be destroyed by ANY means though. There's softwares that work EXCELLENTLY for stopping data recovery of most ANY kind... I used Acronis DataCleanser for this one.

      BUT, more on monies wasted imo??

      Well, on days I did not have systems delivered to me as they should have been @ a steady stream rate of 30-50 a day?

      I had 2 options presented to me, either was OK by the client which blew my mind:

      1.) Kick my feet up, & take a nap for 4-8 hours (bullshit, I cannot STAND that, being idle etc./et al.)

      OR

      2.) Leave for that day, billing out hours I only actually worked.

      I took the latter!

      Now, some people may call me stupid for that, but, I felt it was honest/judicious business to do it that latter way in #2, AND to stay under-budget!

      (As well as under the timeframe, this I could vary with overnite batch jobs run using the software I used, Acronis DataCleanser. I couldn't bill for that time, but it kept me caught up with the expected rate of systems ready to "RMA" back to DELL though, easily).

      Anyhow, back on my point on how monies get wasted on this particular project, since it relates to data destruction security:

      I was told by some of their personnel "Hey, 'work' the hours, take a nap if they don't deliver you systems on time" & that's, again, WRONG to do in my eyes. Why?

      IT'S WASTING SOMEONE'S MONEY, no matter HOW you cut it, someone's paying it out.

      E.G.-> The migration team was WAY over budget & many times they spent large parts of days playing online games... to me?

      That's WRONG, dead-up wrong.

      The migration team went WAY over-budget & way over time-constraints as well... seems to be a "trend" in business today, & it's a BAD one, no doubt in my mind.

      The whole "Hey, it's not MY money being spent on your being idle, but this company's, so no big deal" is the problem - someone's paying the price for it, & guess what?

      It's THEIR CUSTOMERS! Could very well be YOU or ME, you know? If not directly, somewhere in the long-run, it is.

      Those wages @ $25-$150 an hour for contractors is NOT FREE, it comes from somewhere, & usually it's prices of the product or services being offered by said company, and budgets allotted for those selfsame projects.

      APK

      P.S.=> It goes on everywhere man, & it's "not my money" seems to make it "ok" to do, etc. it seems - a BAD trend imo!

      And, in the case YOU mention specifically? Heck, again, the "it's not my money" seems to be in place as the ethics/morality there

    15. Re:Crushing defeat. by Woy · · Score: 1
      Why do they treat our tax money so callously?

      I'm like that too when i'm spending other people's money.

      --
      "If God created us in his own image we have more than reciprocated." - Voltaire
    16. Re:Crushing defeat. by v1 · · Score: 1

      Curious, how did you know how these units were used and when they were disposed of? I didn't think that would be information they'd share with anyone.

      --
      I work for the Department of Redundancy Department.
    17. Re:Crushing defeat. by mindstrm · · Score: 1

      Your operation must be small, because in any significant number of workstations, things DO fail, regularly. Hardware fails, that's a fact of life, and if yours hasn't yet, that's good luck for you.

      When you have 500 or 1000 or more machines to look after, you don't want to be fiddling with old machines.. you want to pick up the phone, call dell, and have them replace the part with another new part immediately, and keep on trucking. Tracking individual repairs on a variety of hardware is a royal pain in the ass, and not worth the headache.

    18. Re:Crushing defeat. by Detritus · · Score: 1

      That isn't the way the government works. If they sold the hardware, the proceeds go into the government's general fund, not the NSA's budget. Only Congress has the power to allocate funds and authorize spending. The only way the NSA could get their hands on the money would be to ask Congress for a supplemental appropriation equal in value to the proceeds of the sale. They would probably get laughed at, since that isn't the way the budget process works.

      --
      Mea navis aericumbens anguillis abundat
    19. Re:Crushing defeat. by TeamSPAM · · Score: 1

      Maybe this is a wheat and chaff situation. If they crush all the used equipment then the remains are all wheat. Now honestly there's probably no hope of ever getting data off of those drives. Now let's say they're a little paranoid, and decide to put some chaff (unused drives) back into the mix to make it even harder to get at the data.

      --
      Brought to you by Team SPAM! where we believe: "Information in the noise!"
    20. Re:Crushing defeat. by SilverspurG · · Score: 1

      Honestly, after seeing some of the stuff that makes it to TS, I think we can all safely say that the world would be a better place if all of it were just outright declassified.

      1) There'd be no more BS TS classification of useless inanities which does nothing more for national security than create busywork for people pushing pencils.

      2) We'd quit wasting taxpayer money safeguarding 20-year old military secrets that other nations discovered independently 10 years ago.

      For cripes sakes... won't somebody think of reality sooner or later? Just because something is made TS doesn't safeguard it one bit. More than likely, if it's worthwhile and important, the other nations will figure it out on their own. No level of classification will ever secure the minds of people halfway around the world.

      --
      fast as fast can be. you'll never catch me.
    21. Re:Crushing defeat. by Damien+Conlon · · Score: 1

      ... fear of losing control of classified info, but damn, these never had any!

      Or so they say?

    22. Re:Crushing defeat. by ave19 · · Score: 1

      There are a lot of other good replies already posted, but I'd like to underline the potential cost in human lives.

      You could create a system that would allow hardware like this to become reused. And if it ever broke down, information improperly classified, a drive left in a system and sent to DRMO, it could cost a human life.

      They treat the money callously because it's just money. The alternative is to treat human lives callously.

      The government is doing the right thing in this case.

      If it were my money, directly, I'd take similar precautions because I'd want to sleep at night knowing that NOTHING got out of that building.

      Ever.

      Those aren't credit card numbers they're holding in there.

      --
      ...or maybe not.
    23. Re:Crushing defeat. by Anonymous Coward · · Score: 0

      Please go and read your own company's security policies. As soon as storage is in a secure facility and is removed from that secured area all data has to be destroyed, no matter what. - With this in mind I think it's perfectly reasonable for one of the US-agencies to do that.

      It's just better to destroy data that wasn't on there than to lose control of data you didn't know was on the device.

      It is still up for discussion, though, if the standard procedure for destroying data in the form of destroying the physical device is really necessary or if it is enough to just destroy the data on the disk.

    24. Re:Crushing defeat. by (negative+video) · · Score: 1
      That hurts, guys. It really does. My tax dollars paid for them, my sweat and tears makes them run, and the gov't just hauls them outside and crushes them ...
      You think that's tough, what about the guys who sell cruise missiles to the government?
    25. Re:Crushing defeat. by Threni · · Score: 1

      > Why do they treat our tax money so callously?

      If you're just worrying about a few PCs then I'm afraid you're missing the larger picture.

    26. Re:Crushing defeat. by Anonymous Coward · · Score: 0

      Not quite, you can have both unclassified and classified in the same vault. More likely they classified it before they needed it or the story was made up.

    27. Re:Crushing defeat. by irc.goatse.cx+troll · · Score: 1

      Sounds like it was classified too soon, which brings up an interesting point-- Why not have a govt hardware supplier that buys these things in bulk and can custom build per security level needed? Could even do things far better than IBM/Dell as far as security is concerned (think RF emissions and the like)

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    28. Re:Crushing defeat. by bhiestand · · Score: 1

      They could do a bake sale, though. Or do those dirty congressmen take that money too?!?!

      --
      SWM seeks new sig for a brief fling
    29. Re:Crushing defeat. by bhiestand · · Score: 1
      I few briefings on OPSEC and you'd understand why this is.

      Good to know you work in a Single Console Image Facility (SCIF), but I don't see what OPSEC has to do with policies on the handling of magnetic media in accordance with various classification guidelines. OPSEC is more like not changing your milk order for the week so your milkman won't know you're about to deploy.
      --
      SWM seeks new sig for a brief fling
    30. Re:Crushing defeat. by Decker-Mage · · Score: 1

      Actually such suppliers already exist that provide equipment that is TEMPEST certified. There's a whole GSA catalog section for them.

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
  5. Missing guide? by Anonymous Coward · · Score: 0, Insightful

    Where is the guide for linux?

    1. Re:Missing guide? by Motherfucking+Shit · · Score: 5, Informative
      Where is the guide for linux?
      Right here.
      --
      "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    2. Re:Missing guide? by SilverspurG · · Score: 1

      SELinux is, for the most part, little more than another layer of ACLs. BFD. I don't know anyone who's willing to jump through all the hoops and hurdles of fully configuring SELinux ACLs for their entire system. In all reality the current implementations are more than adequate in all but the most fringe cases. SELinux puts another layer of tin foil shielding around a locked, sealed, time and date controlled, 12 foot concrete shrouded bomb shelter.

      As others have said... let the flames commence.

      --
      fast as fast can be. you'll never catch me.
  6. guide to XP by briancurtin · · Score: 5, Funny

    the guide to securing Windows XP is actually a link to http://distrowatch.com/ so you can choose one of the many different options they have laid out for you.

    --
    My UID is a palindrome, that must be good for some type of prize.
    1. Re:guide to XP by Anonymous Coward · · Score: 0

      Only on slashdot trolls like these are modded insightfull *sic* . Slashdot seems to be becoming more and more the FOX of the techsites.

    2. Re:guide to XP by Anonymous Coward · · Score: 0

      At least FOX used to broadcast Futurama. ;-)

      It seems my mod as Redundant wasn't really useful either. I guess I should stop reading /. for the Funny comments too, or maybe downgrade my sense of humour. :-)

    3. Re:guide to XP by Anonymous Coward · · Score: 0

      Ha ha ha!

      Oh gosh that's funny! That's really funny!
      Do you write your own material? Do you?
      Because that is so fresh.
      DistroWatch being the guide to securing Windows.

      You know, I've, I've never heard anyone make that joke before.
      Hmm. You're the first.
      I've never heard anyone reference that website before.
      Because that's where you go to get Linux distributions?
      Isn't it? DistroWatch.
      And, and yet you've taken that and used it out of context to insult Windows in this everyday situation.

      God what a clever, smart girl you must be, to come up with a joke like that all by yourself.
      That's so fresh too.
      Any, any BSD-is-dying jokes you want to throw at me too as long as we're hitting these phenomena at the height of their popularity.

      God you're so funny!

    4. Re:guide to XP by itsthebin · · Score: 1

      well...I saw it was a zip file , and I am afraid I do not trust them enough to unzip the file on my system

      --
      ...I obey the laws of physics....
    5. Re:guide to XP by briancurtin · · Score: 0

      ^^must be the PTSD from trying to secure windows boxes only to have them be bombarded days later


      calm down, it was simply a post to get some laughs and make people chuckle.

      --
      My UID is a palindrome, that must be good for some type of prize.
  7. NSA guidelines by Phroggy · · Score: 4, Interesting

    I've read through the NSA's guidelines for securing Mac OS X before; as I recall their instructions included things like deleting the audio input drivers, so software can't record audio in the room by using the built-in microphone. Interesting stuff.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:NSA guidelines by hughk · · Score: 4, Interesting

      Many years ago, there was an issue on Sun workstations. The audio driver was world readable by default so code running on your workstation could literally "bug" you.

      --
      See my journal, I write things there
    2. Re:NSA guidelines by slavemowgli · · Score: 1

      Maybe it's just me, but an easier workaround would seem to be to get a computer that doesn't have a microphone (built-in or attached)...

      --
      quidquid latine dictum sit altum videtur.
    3. Re:NSA guidelines by bhiestand · · Score: 1
      Maybe it's just me, but an easier workaround would seem to be to get a computer that doesn't have a microphone (built-in or attached)...

      Sometimes you just don't know. I'm currently suffering from this with my Dell laptop. I bought it almost three years ago. I still have the original receipt and manuals for the computer, and I assure you nowhere in the manual or order does it say "Built-in hidden microphone". There IS no microphone visible when you visually inspect the laptop.

      But a couple of weeks ago a friend called me on googletalk, and I typed to her, "Hold on, let me get my microphone" to which she replied, "I can hear you typing!". I was in shock. I said, out loud, "No you can't." I'm sure by now you know that she replied "Yes, I can. What the hell?" I still don't know where the microphone is, but it's disabled through software right now. I'm tempted to ask Dell for a replacement that isn't bugged.

      If a hardcore computer nerd can go over two years without realizing he has a laptop that's bugged, anyone can. I wouldn't be surprised if this shit was in every laptop and they just didn't tell anyone!
      --
      SWM seeks new sig for a brief fling
    4. Re:NSA guidelines by Sam+Nitzberg · · Score: 1

      In 1996, I did a related ACM (Association for Computing Machinery) publication:
      Emerging Security Issues Involving the Presence of Microphones and Video Cameras in the Computing Environment

      It is located here:
      http://iamsam.com/papers/sigsac/sigsac.htm

      It cites the actual CERT (Carnegie Mellon University Computer Emergency Response Team) Microphone Advisory:
      CERT CERT ADVISORY CA-93:15

      There is also a revised version from 2000 here :
      http://iamsam.com/papers/emergent_security_issues_2000/emergent_security_issues_involving_microphones_and_cameras_2000.html

      For anyone interested, my other papers are available here: http://www./ iamsam . com

      Regards-

      Sam

    5. Re:NSA guidelines by Slashdiddly · · Score: 1

      I agree it's kinda scary. I haven't used google talk but is it possible that it was just a sound effect created on the recipient's end?

    6. Re:NSA guidelines by bhiestand · · Score: 1

      No, we carried on a full conversation for about 30 minutes after that, and my microphone remained in the desk drawer. I can't find it in the documentation anywhere, but there IS a fairly high quality microphone hidden somewhere inside my laptop.

      --
      SWM seeks new sig for a brief fling
    7. Re:NSA guidelines by hughk · · Score: 1

      At the time, it wasn't an option if you wanted to buy a commodity workstation.

      --
      See my journal, I write things there
    8. Re:NSA guidelines by hughk · · Score: 1

      I think you will find that this first came up in the early nineties. Around that time the first workstations were appearing with integrated sound. These were some of the earliest SPARCstations and the DEC MIPS based Ultrix machines.

      --
      See my journal, I write things there
  8. Slashdotted? by Splintax · · Score: 5, Funny

    Holy shit, have we just slashdotted the NSA? I can't reach the article.

    1. Re:Slashdotted? by saynt · · Score: 5, Funny

      Oh crap, I wasn't here, you never saw me.

    2. Re:Slashdotted? by Tezkah · · Score: 4, Informative

      Holy shit, have we just slashdotted the NSA? I can't reach the article.

      Coral Cache works beautifully, although directly from site wouldn't for me, neither would google's cache.

    3. Re:Slashdotted? by Crouty · · Score: 1

      Maybe they took the traffic for a DDoS and shut down.
      Just a guess.

      --
      On se Internetz nobody noes your German.
  9. Missing something? by Phroggy · · Score: 0

    These guides are currently being used throughout the government and by numerous entities as a security baseline their systems.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:Missing something? by mikiN · · Score: 1

      Yep, that's the electronic version of an ugly black rectangle covering some words in the sentence.

      Just be glad they didn't use tags to hide <censored>zis verry secred infurmasiun</censored>, because all the spelling nazis complaining about it would be shoved into unmarked vans, hauled to a secret holding place, then charged with circumventing a censoring device by having their browsers not support those mandatory tags...

      --
      The Hacker's Guide To The Kernel: Don't panic()!
  10. Re:do not confuse /. with \. by digitallystoned · · Score: 5, Funny

    /. means slashdot" thats troll -1 obviously \. means "heil hitler" or "sieg heil" in use heavily on Counter-Strike servers around Europe. Funny? Well.. not. So be damn sure u write /. and not \. LOL

    Careful now you might piss off some Vietnamese twins in South Africa if you mention that again.

  11. Because the data they protect is very sensitive by Sycraft-fu · · Score: 5, Insightful

    The problem is that if you start to allow some things to be sold without being destroyed, the possibility that something is classified incorrectly, and thus has data on it increases. When you are dealing with TS/SCI shit, you just don't take the risk.

    When it comes to spy games, there's no such thing as "parinoid enough".

    1. Re:Because the data they protect is very sensitive by Anonymous Coward · · Score: 0

      Agreed. Never can be too paranoid.

      So, clearly you know too much... *loads double barrel shotgun* You gunna take it like a man or do I have to chase ya?

    2. Re:Because the data they protect is very sensitive by jhines · · Score: 1

      Of course the obvious idea of re-positioning the equipment for less security sensitive applications like federal employee personnel files, or any other of a zillion sort of sensitive data items the federal gov keeps, is out of the question.

      I can see why they wouldn't want it on the open market, but it is hard to see other branches of our gov as the "enemy".

    3. Re:Because the data they protect is very sensitive by danielobvt · · Score: 2, Informative

      Very simple government rule covers this.... Once it has been designated for one security clearance level you may NEVER designate it for use in lower classification level system, though it can be used in an equal or higher level system. And once its in an agency, its way too much of a hassle to share with a different branch, department or agency (the paperwork would eat up any cost savings).

    4. Re:Because the data they protect is very sensitive by Anonymous Coward · · Score: 0

      When it comes to spy games, there's no such thing as "parinoid enough".

      Nor is it at any other time.

      Ba-dum-TISH!

  12. Impressions by josephdrivein · · Score: 3, Informative

    I read the OS X guide a year ago and everything written there seemed obvious to me (i.e. the usual "Don't use rsh, use ssh" stuff or similar).

    Anyway, not a bad guide for beginners (as it's supposed to be).

    1. Re:Impressions by NightLamp · · Score: 1
      I just tried to read one of the provided files for securing Windows 2000:
      win2kworkstation.inf
      and the only line that made much sense was:
      [Profile Description] Description=NSA Enhanced Security Settings for Windows 2000 Professional workstation
      The rest of them (about 200) look a bit like entries to the obfuscated perl contest, admittedly I am no windows guru but it would be nice if lines like:
      "machine\system",2,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
      were commented. For all I know this is what went wrong at the Union Aerospace Corp. Mars Research Facility.
  13. Linux by Anonymous Coward · · Score: 5, Funny

    So, since the NSA doesn't provide instructions on how to secure a Linux computer, they're either saying Linux is so good it doesn't need to be secured (yay slashdot mentality) or its red commie software that no freedom-loving american would dare use

    1. Re:Linux by Anonymous Coward · · Score: 0

      They probably don't provide specific instructions because they maintain SELinux, their internally developed set of mandatory access control extensions to the Linux kernel and userspace. SELinux has tons of documentation on its own. Allegedly it is used quite extensively within the NSA now, so there is no reason to have yet another FAQ like for the other operating systems.

    2. Re:Linux by SecureTheNet · · Score: 5, Informative

      The NSA has released its own version of Linux, SELinux, the Security Enhanced Linux.

      --
      SecureThe.Net - Practical Resources for Securing Systems
    3. Re:Linux by Anonymous Coward · · Score: 1, Informative

      They do cover it: the Linux guidance is in the generic UNIX document.

    4. Re:Linux by laptop006 · · Score: 2, Informative

      SELinux isn't a distribution, it's a kernel patch and some utilities to enable mandatory access control. Fedora and RHEL both ship with SELinux enabled as standard, full SELinux support has just come through in debian (although much of it has been there for years).

      SELinux is a neat solution to a problem that few users have.

      --
      /* FUCK - The F-word is here so that you can grep for it */
    5. Re:Linux by Anonymous Coward · · Score: 0

      ...or maybe securing Linux to NSA expectations of privacy is a bit harder than a quick blurb for beginners can easily explain?

    6. Re:Linux by sydb · · Score: 1

      Informative? Show us a link, because their Current Security Configuration Guides list does not have one.

      --
      Yours Sincerely, Michael.
    7. Re:Linux by Anonymous Coward · · Score: 0

      So, since the NSA doesn't provide instructions on how to secure a Linux computer, they're either saying Linux is so good it doesn't need to be secured (yay slashdot mentality) or its red commie software that no freedom-loving american would dare use

      Silly Joe McCarthy -- he was looking for Communists in Hollywood, when they were actually using Linux at the NSA!

    8. Re:Linux by petermgreen · · Score: 1

      i was under the impression that selinux allowed you to make your systems a lot more secure and it really comes down to if you are prepared to take the trouble to set everything up right.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  14. Why do we get this from the NSA? by Anonymous Coward · · Score: 2, Insightful

    Why do we have to go hunting round 3rd parties to learn how to secure our O/S? Surely this information (in the form of clear and easy Howtos) should be given as part of the O/S package, as purchased from the vendor.

    1. Re:Why do we get this from the NSA? by digitallystoned · · Score: 1

      Why do we have to go hunting round 3rd parties to learn how to secure our O/S? Surely this information (in the form of clear and easy Howtos) should be given as part of the O/S package, as purchased from the vendor.

      Yeah, but then people like you wouldn't know how to get online. Shit, I'm writing my Congressman now....

    2. Re:Why do we get this from the NSA? by Decker-Mage · · Score: 1, Insightful
      Actually Microsoft has had guides like these for quite a while and I've been using their guides and the ones from the NSA for years now as baselines for the networks and computer systems that I've been locking down for clients. So, I'm a bit puzzled about why you can't go to a website (Microsoft Downloads) and download them. It's not like they are hard to find. There's also a heck of a lot of this information built into the help files that come with XP, for instance, and the other MS operating systems under the best practices entries you'll find all over the place in there. Then again, so far as I can tell, no one except yours truly bothers to read the help files (I do it during betas to catch mistakes). Perhaps it's for the same reason most men seem incapable of asking directions, although one must ask why women are also affected? Whatever.

      What really puzzles me is why this article came along. Slow /. news day or something? As I said above I've been using the NSA guides for years now so what changed?

      --
      "[I]t is a wise man who admits the limits of his knowledge or skill, and that pretending either causes harm." --Terry Go
    3. Re:Why do we get this from the NSA? by Anonymous Coward · · Score: 0

      Actually Microsoft has had guides like these for quite a while and I've been using their guides and the ones from the NSA for years now as baselines for the networks and computer systems that I've been locking down for clients. So, I'm a bit puzzled about why you can't go to a website (Microsoft Downloads) and download them. It's not like they are hard to find.

      Because one size does not fit all when it comes to securing systems. Some users are more willing to put up with security barriers in exchange for increased security, other users will pitch a fit and complain that the product is broken. Then there are the users who can manage to screw things up by attempting to follow guidelines that they don't understand.

  15. IN SOVIET RUSSIA.... by Anonymous Coward · · Score: 2, Funny

    Computer secures YOU!

    1. Re:IN SOVIET RUSSIA.... by Anonymous Coward · · Score: 0

      Wait, wait, wait. You're telling me in Soviet Russia computers secure humans while in America humans secure computers?

      Shit, those Soviet Russians must have really smart computers to be able to do this crazy stuff.

      While you Americans must have really dumb computers that even really dumb humans can secure.

    2. Re:IN SOVIET RUSSIA.... by Anonymous Coward · · Score: 0

      Please to shut the fuck up, comrade.

  16. New OS'es are "secure" by NSA std... by Anonymous Coward · · Score: 0

    Try to look at Windows 2003 Server...
    xBSD is also missing btw...
    This is btw. old news (or a dupe).

  17. not needed! Re:Missing guide? by phsdv · · Score: 2, Informative
    The list of guides on the NSA page:
    Security Configuration Guides
    > Operating Systems
    > Apple Mac OS X
    > Apple Server Operating Systems
    > Microsoft Windows NT
    > Microsoft Windows XP
    > Microsoft Windows 2000
    > Microsoft Windows Server 2003
    > Sun Solaris 8
    > Sun Solaris 9
    I guess linux does not need it ;-)! Before you start bashing me, yes, you can make an insecure linux box. And I really would like to see a guide for linux as well! But hey, I am not a NSA customer.
    1. Re:not needed! Re:Missing guide? by HungSquirrel · · Score: 1

      Of course you can make an insecure Linux box. Your average Linux distro is nearly as insecure out-of-the box as Windows. (Let the flames commence, but it gets old doing a fresh install and seeing more than a few ports open by default, with no good reason for any to be open.)

      --
      $ whatis themeaningoflife
      themeaningoflife: not found
    2. Re:not needed! Re:Missing guide? by Hymer · · Score: 3, Informative

      NSA is deeply involved in SeLinux, as far as I remember... and they have btw. forgotten to mention xBSD too... and AIX... and HPUX... and Tru64...

    3. Re:not needed! Re:Missing guide? by smallfeet · · Score: 1

      HP has forgotten to mention Tru64, if I remember correctly. Isn't this going away soon?

    4. Re:not needed! Re:Missing guide? by Hymer · · Score: 1

      Yes it is... but Win NT4 has been officially dead for years and the guide is still there.
      I'm just a Tru64 fan...

  18. Slashdot and national security by HungSquirrel · · Score: 3, Insightful

    If Slashdot takes down a government website so quickly, is it a threat to our national security?

    --
    $ whatis themeaningoflife
    themeaningoflife: not found
  19. Goddamn brainless manager-speak by Money+for+Nothin' · · Score: 3, Funny

    NSA's work to enhance the security of software is motivated by one simple consideration: use our resources as efficiently as possible to give NSA's customers the best possible security options in the most widely employed products."

    No fucking shit. Suppose somebody said "let's use our resources INEFFICIENTLY! And given our title of NATIONAL SECURITY AGENCY, let's NOT PROMOTE THE BEST SECURITY OPTIONS!" Would anybody really jump up and say "that's a *brilliant* idea!"?

    Hell no.

    Look, to anybody with any common sense at all, it's implicit in any organization that efficiency is important. But so is security. So is safety. So is customer satisfaction. So is employee satisfaction. So is profit (if a private for-profit org).

    Is it *really* especially insightful to say "we should be efficient!" anymore? Or, now that 9/11 has warped our psyche to care singlemindedly about security (almost invariably at the expense of liberty), that another top priority is security? Not to anybody with a brain.

    Why do we pay people to make such broad, fucking-obvious statements again? To remind us of what we already have known since we were teenagers?

    Oh yes, I swear here and ruthlessly criticize somebody for making statements that have coincided with the goal of economy (implicitly or explicitly) for the last 230 years. Mod me troll now.
    1. Re:Goddamn brainless manager-speak by Anonymous Coward · · Score: 0

      You are arguing semantics.

      It's just an effort to appear more friendly to the common public in clear terms. Sometimes things need to be restated a bazillion times before people "get it". Otherwise they go off on bizarre rants that have nothing to do with what was said. Kinda like how you missed the point on this one.

    2. Re:Goddamn brainless manager-speak by slavemowgli · · Score: 1

      Or, now that 9/11 has warped our psyche to care singlemindedly about security (almost invariably at the expense of liberty) [...]

      Actually, it hasn't — 9/11 has warped our psyche(s) to single-mindedly care about *fear*, which is pretty much the exact opposite of what you need if you want security. We're all just running around like chickens scared by the hawk, and those who want to curtail our civil liberties are just using the chance to push through their legislation now, in the name of "security", and we're dumb enough to even swallow that.

      There has been pretty much no legislative or administrative measure so far that has *actually* made us more secure.

      --
      quidquid latine dictum sit altum videtur.
    3. Re:Goddamn brainless manager-speak by Money+for+Nothin' · · Score: 1

      Good distinction...

      I should've more-accurately said that our *rhetoric* is single-mindedly about security, even if our actual *practice* is single-minded fear. :-/ (guards in airports with automatic M16's will do absolutely nothing to stop any terrorist who manages to get on a plane)

    4. Re:Goddamn brainless manager-speak by Money+for+Nothin' · · Score: 1

      Kinda like how you missed the point on this one.


      Considering my quote was of the NSA's guiding principles (efficiency, security), the project derives itself from the things I quoted.

      I then proceeded to ridicule those guiding principles. How is that unrelated to the project? And in turn, since the point of this article was relating to that project, how was my post "missing the point"?

      Also, look up the word "semantics" sometime. Semantics is the linguistic study of the meaning of language, but my post has nothing to do with meaning; the meaning of the NSA's principles here is pretty clear...

      My post rants not about syntax or semantics, but about the value of making overarching, broad statements like the one I quoted to begin with. Such statements might be useful as a kickoff to a project, but then again, as I pointed out, they are implicit in pretty much everything we do now. So I ask again: why do we pay people to make such statements?

      And the answer that you gave -- that of beating the message into peoples' minds -- is probably as good an answer as I'll find. :)
  20. Wow. by Alien+Venom · · Score: 0, Redundant

    Even the NSA can get Slashdotted. Who woulda thought...

    1. Re:Wow. by Anonymous Coward · · Score: 0

      We have not been slashdotted, we have just throttled our connection down until the reason for the massive hitrate was identified.

      --
      The agency previously known as No Such Agency

  21. BSDs? by putko · · Score: 1

    Any instructions on what to do for the BSDs? I didn't see anything there.

    I'm assuming there isn't much to do to OpenBSD and NetBSD.

    --
    http://www.thebricktestament.com/the_law/when_to_stone_your_children/dt21_18a.html
    1. Re:BSDs? by MichaelSmith · · Score: 2, Interesting
      and NetBSD.

      I run two colocated web servers on NetBSD. Both are stock installations and I haven't had any problems. The one thing I would like to see change is that a single IP address can do a dictionary attack on sshd for hours on end without OpenSSH saying "ok lets not listen to that IP address for a while".

      Getty does this, or something like it, why not ssh?

    2. Re:BSDs? by Vario · · Score: 1

      Either a small script which parses the sshd logs or a couple of things you can find on sourceforge should do the task.
      I had a lot of dictionary attacks on my sshd. My first solution was a one hour blacklisting of every IP address which tries dictionary attacks. Now I switched to port knocking, which seems even more secure and convenient to me. I use a relatively simple port knocking sequence but that is more than enough to fight off any script kiddie.

    3. Re:BSDs? by Homology · · Score: 4, Informative
      I run two colocated web servers on NetBSD. Both are stock installations and I haven't had any problems. The one thing I would like to see change is that a single IP address can do a dictionary attack on sshd for hours on end without OpenSSH saying "ok lets not listen to that IP address for a while. Getty does this, or something like it, why not ssh?

      Unless you have weak passwords, then this is not much of a problem.

      In the sshd_config you may disable password logins, and login using a certificate. In addition, you may specify which users/groups that may login:

      Protocol 2
      PermitRootLogin no
      PasswordAuthentication no
      ClientAliveCountMax 5
      ClientAliveInterval 30
      AllowTcpForwarding no
      AllowUsers someuser

      Many of those automated attempts to bruteforce sshd are run from a Linux machine, so a simple fix (if you use the OpenBSD packet filter that is ported to NetBSD) is quite simply to drop all packets to sshd that are sent from a Linux computer.

    4. Re:BSDs? by Poeir · · Score: 3, Informative

      I wrote a script that did this not so long ago on OpenBSD; unfortunately, that system isn't immediately accessible. What it boiled down to was grepping /var/log/messages for any failed logins, sedding out everything but the IP address, piping the output to sort, doing uniq -c, finding any IPs listed "many" times (for whatever definition of "many" is reasonable), and then piping those IPs to pfctl to add to a blacklist. Since the logs rotate every week, if anyone tries to log in too many times, they'll be permanently blacklisted. Stick the script in a cronjob and call it good. Not exactly user-friendly to implement, but highly adaptable.

      --
      Sigs are like bumper stickers.
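
An added example, not Poeir's script or code from any project named in this thread: a sketch of the log-to-blacklist pipeline described above, run over constructed sshd log lines. The table name `sshd_blacklist`, the function names and the allow-listed address are assumptions; the fourth sample line carries a user name containing a fake "from ADDRESS", which is why the address is extracted only from the end of the line.

```shell
#!/bin/sh
# Constructed sample log; all addresses come from documentation ranges.
sample_log() {
cat <<'EOF'
Oct  3 02:11:01 host sshd[311]: Failed password for root from 203.0.113.5 port 40112 ssh2
Oct  3 02:11:04 host sshd[312]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
Oct  3 02:11:07 host sshd[313]: Failed password for invalid user test from 203.0.113.5 port 40114 ssh2
Oct  3 02:11:09 host sshd[314]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 203.0.113.5 port 40115 ssh2
Oct  3 08:30:12 host sshd[400]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct  3 08:30:20 host sshd[400]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct  3 08:30:31 host sshd[401]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
EOF
}

# offenders THRESHOLD [ALLOWED_IP]
# Reads log lines on stdin and prints every source address with at least
# THRESHOLD failed logins, skipping ALLOWED_IP (e.g. your own admin host).
offenders() {
    threshold=$1
    allow=${2:-}
    # 1. keep only sshd failure lines
    # 2. take the address from the END of the line: the user name is
    #    client-supplied text and must not be able to name the address
    # 3. count per address and apply the threshold
    grep 'sshd\[[0-9]*\]: Failed password for ' |
    sed -n 's/.* from \([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\) port [0-9]\{1,5\} ssh2$/\1/p' |
    sort | uniq -c |
    awk -v t="$threshold" -v allow="$allow" '$1 >= t && $2 != allow { print $2 }'
}

# pf_commands [TABLE]
# Turns addresses on stdin into pfctl table additions. The commands are
# printed, not executed, so the output can be reviewed before a cron job
# feeds it to sh on the firewall host.
pf_commands() {
    table=${1:-sshd_blacklist}
    while read -r ip; do
        echo "pfctl -t $table -T add $ip"
    done
}

sample_log | offenders 3 | pf_commands
```

The pf ruleset still needs a persistent table of that name and a block rule that references it; the script only fills the table.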
    5. Re:BSDs? by PostItNote · · Score: 1

      http://denyhosts.sourceforge.net/

      Does the same thing and uses other peoples' bugfixes.

    6. Re:BSDs? by exekewtable · · Score: 1

      I use portknocking - FGI.
      it works damn great

      dave

  22. ^BumP^ by TubeSteak · · Score: 5, Insightful
    Lol, this probably isn't as far from the truth as we think.

    Part of it is that they pretty much have to spend their budget, or it'll get reduced during the next cycle.

    The other thing is, let's say that they rip out all the HD's and RAM in order to auction off the hardware... well, someone has to do that, someone has to file a bunch of paperwork (in triplicate, everything is in triplicate), someone else is going to file the paperwork that's just been generated, someone else has to make sure the HD's & RAM get destroyed, more paperwork...

    The costs can snowball very quickly. It may seriously be cheaper to de-mill the stuff and buy it again.

    --
    [Fuck Beta]
    o0t!
    1. Re:^BumP^ by killjoe · · Score: 0, Troll

      I seriously doubt the NSA is subject to the same budgeting process as the rest of the federal govt. Most of their money comes from the black budget anyway.

      With the current war on terrorism the NSA can ask for and receive any amount of money they want. It looks like there will be at least one more war against either Syria or Iran by the time the next election rolls around and I bet there is a lot of activity at NSA in preparations for those wars.

      --
      evil is as evil does
    2. Re:^BumP^ by Anonymous Coward · · Score: 3, Interesting

      The costs can snowball very quickly.

      I work in the French civil service, and the rule here is that we change computers every 3 years. I'm due to get a new toy in December.

      I told the person in charge that I'm happy with my current machine, and was willing to keep it. I was answered that by using a machine out of warranty, I risk creating extra hassle when it breaks down, and that the salary I'd spend on changing a disk drive would more than offset any savings.

    3. Re:^BumP^ by TubeSteak · · Score: 1
      I seriously doubt the NSA is subject to the same budgeting process as the rest of the federal govt
      Are you joking? Of course they are.
      Just because it's not a public process doesn't mean the NSA isn't jumping through the exact same hoops everyone else has to.

      Assuming for a moment, that at the Senate/Congressional level, you're right, the NSA folks are still dancing the same internal budgetary jig that any other gov't agency is doing.

      As for the NSA being able to ask for and receive whatever they want, I'll be an asshat and quote Donny Rumsfeld at you: As you know, you go to war with the XXXX you have and not the XXXX you might want or wish to have at a later time.

      --
      [Fuck Beta]
      o0t!
    4. Re:^BumP^ by prell · · Score: 1
      The costs can snowball very quickly.
      Hmm.. I'm afraid I sympathize more with the original poster, since he actually did work and felt emotions about this hardware. I certainly wouldn't want to make something so that it could be destroyed, regardless of the reasons. And if the NSA has to destroy things in order to keep their budget, that makes me suspicious that their budget is too large. And something makes me doubt that the NSA has to re-defend and earn its budget every single year. It's probably more like every 2, or 4, or even more years.
    5. Re:^BumP^ by SilverspurG · · Score: 1
      Part of it is that they pretty much have to spend their budget, or it'll get reduced during the next cycle.
      Considering the fact that their budget comes straight out of my paycheck, tell me how this is a bad thing if their budget is reduced?
      --
      fast as fast can be. you'll never catch me.
    6. Re:^BumP^ by Neoprofin · · Score: 1

      That makes quite a bit of sense from that perspective. If you have thousands of computers it's probably cheaper to replace them when they're off warranty than to have a full time IT staff dedicated to keeping your P3 700 box running all the new software. I don't know that it's in fact less costly monetarily, but in terms of increased hassle and paperwork they're probably much better off.

    7. Re:^BumP^ by Anonymous Coward · · Score: 0

      Welcome to democracy!

    8. Re:^BumP^ by danheretic · · Score: 1

      Mmm. Considering that someone has to operate the machinery to crush the hardware, someone has to certify the operator of the machinery, someone has to supervise the operation, someone has to file the paperwork etc etc... I don't see a cost savings here.

  23. At least we didn't goatse the NSA... by Anonymous Coward · · Score: 0

    ... now that would be embarrassing, especially on a page about securing your computer.

  24. Re:NSA guidelines de-solder by Anonymous Coward · · Score: 0

    I would still go in and desolder the sucker. I guess I'm more than paranoid..

  25. Eheh by SmallFurryCreature · · Score: 3, Insightful
    I use parts of SElinux and am right now running a linux tool called foremost which seems to be written by some part of the US Air Force.

    American tax dollars hard at work to keep my socialist PC running nicely. Got to love the modern world.

    Afraid that the US government (the one that makes speeches) might be firmly up MS backside but the parts of the US government that actually do stuff seem to like linux.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

    1. Re:Eheh by ShakiirNvar · · Score: 1
      vi VS emacs arguments are pointless and a waste of time

      cause both are as bad as each other :p (sorry, my bad, couldn't help but comment on that, have had fun in the past trying to use both of them when debugging friends code).

      back on topic, was an interesting read, half-tempted to pass it onto my parents so I won't have to clean their computer of adware/spyware/etc next time I go home ... of course, it would be even better if we could just stop the whole adware/spyware/etc thing altogether, but we won't get into that now.

      --
      "Nobody ever went broke underestimating the intelligence of the American public." - HL Mencken
  26. Google Cache Link for OS X users by Bueller_007 · · Score: 0, Redundant

    The site is Slashdotted.

    Mac OS X users can view the Google cached version of the Mac OS X report here:
    http://66.102.7.104/search?q=cache:hQm4gx2gJcsJ:www.nsa.gov/snac/os/applemac/osx_client_final_v_1_1.pdf+&hl=en

    I can't be bothered to find the URLs for all of the reports, so if anybody has one, please post it.

  27. Missing Option(s). Kinda. by Legendof_Pedro · · Score: 1

    Microsoft Windows (Any Version)
    1. Unplug the square deeley from the back of your computer (RJ-45 plug)
    2. ???
    3. Profit!

    1. Re:Missing Option(s). Kinda. by zippthorne · · Score: 3, Funny

      2) what you want to do is sell people a turnkey solution. i.e. a device which solves the problem, no thought needed. Just make sure to give it a fancy name like, "Airgap Firewall" claim it's 100% effective and slap a $50 price tag on it.

      --
      Can you be Even More Awesome?!
    2. Re:Missing Option(s). Kinda. by Hymer · · Score: 1

      They do have one about securing a laptop with wireless capabilities...
      Howto identify and disable wireless...

  28. Your linux box must be insecure by freaker_TuC · · Score: 1

    I got completely different results on my linux box; therefore your box must be insecure...

    $ whatis themeaningoflife
    themeaningoflife: nothing appropriate


    (laugh it's a joke; although the command output is not!)

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
  29. Re: Dictionary attack on sshd by johnjaydk · · Score: 1
    I run two colocated web servers on NetBSD. Both are stock installations and I haven't had any problems. The one thing I would like to see change is that a single IP address can do a dictionary attack on sshd for hours on end without OpenSSH saying "ok let's not listen to that IP address for a while."

    The delay setup you outline should not be step one but step two. The first step is to use tcpwrapper around sshd to limit your exposure. The kiddies can't do their dictionary attack if they can't reach sshd in the first place.

    --
    TCAP-Abort
  30. Special type of Linux by Moby+Cock · · Score: 1

    They secure computers using SELinux

    1. Re:Special type of Linux by metternich · · Score: 1

      I used SELinux for a while. It was rather difficult to use. Setting permissions correctly was a really big pain, so we ended up turning it off. It's a good concept, but it still needs a little fleshing out.

      --
      Facts do not cease to exist because they are ignored.
  31. Nonsense by marat · · Score: 2, Interesting

    If I own your machine, is it hard for me to install drivers back? Is it hard for me to hide the fact of installation? Is it hard for me to access hardware directly if I'm really after you? This is a good example of advice giving a false sense of security. If their other advice is really like this your country is in big big trouble.

    Just as an example in the computer class of my university they tried to deny us access to floppy drives by clearing FDD type in BIOS and setting the BIOS password. This didn't hold for one month.

    1. Re:Nonsense by Lehk228 · · Score: 1

      Sure, it can be gotten around with ROOT access to the system. With OSX you don't run constantly as root. Just because it is possible that an attacker would escalate privileges enough to install drivers doesn't mean you should give up and not even try to protect yourself.

      --
      Snowden and Manning are heroes.
    2. Re:Nonsense by (negative+video) · · Score: 2, Insightful
      If I own your machine, is it hard for me to install drivers back? Is it hard for me to hide the fact of installation? Is it hard for me to access hardware directly if I'm really after you? This is a good example of advice giving false sense of security.
      Don't be silly. There are no certainties in security, just probabilities. Every obstacle you add filters out a few more bad guys who don't have sufficient time and skill to overcome that obstacle, thus reducing the probability of compromise.
  32. news? by Anonymous Coward · · Score: 0

    How is this 'news', or 'stuff that matters'? These pages have been available for a long long time now - I first came across them when checking out some IOS settings. Did the poster think they had stumbled across some cool hidden thing that shouldn't be public? Perhaps.

    I think these guides are a great start to having a secure system - they even explain WHY you should change a setting, what that setting is for - unlike many other guides.

  33. Alternative source of info by Linker3000 · · Score: 3, Funny

    If you find the main site slashdotted, I have a link to someone hosting all the docs on their own PC - the guy's name is Frank and he works in some government office in Washington DC - you'll find all the docs in a sub-folder just next to the MP3 and porn store managed by someone called ZoM61e Kar1.
    .
    .
    .
    .
    .
    .
    .
    Note to NSA and FBI: This is a Joke. Honest.

    --
    AT&ROFLMAO
    1. Re:Alternative source of info by Anonymous Coward · · Score: 0

      Note to NSA and FBI: This is a Joke. Honest.
      We know... Honest.
      "Frank" has just been arrested and we are investigating his connections with ZoM61e Kar1.

      --
      The agency formerly known as No Such Agency.

  34. Link to NIST Server Guide? by mpapet · · Score: 3, Informative

    I found the NIST WindowsXP Security guide,
    http://csrc.nist.gov/itsec/guidance_WinXP.html

    Is there a comparable server guide?

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    1. Re:Link to NIST Server Guide? by Anonymous Coward · · Score: 0

      It's always good to read something before using it. I downloaded an XP guide from your link and opened up the inf. Look what I found.

      Revision History:
      ---------------------
      2003-08-24
      R1.0.2 12.19 - correct typo (replace TcpMaxHalfOpenRetired with TcpMaxHalfOpenRetried)
                      12.15 - delete the NoNameReleaseOnDemand registry value

      2004-07-04
      R1.0.1 5.26 - Correct typo in the DOJ message.
                      12.5 - Correct typo in the registry value.

      2004-06-24
      R1.0 Initial Release.

      These guys are GOOOOOD if they can work backwards in time. Version R1.0.2 came out a year before R1.0!!!! The really funny part is they made a typo on a line describing the fixing of a typo.

  35. OS X already ready for government? by v1 · · Score: 4, Interesting

    I have done some digging into the less accessible files in the OS, and was quite surprised to find US government things buried deep within the OS. The first thing I found were two images of key cards, and the code to support their use. The other fun thing I ran into were large emblems of the army, navy, air force, marines, FBI, noaa, coast guard, DoD, public health service, and several other US government departments. Clearly OS X has some built-in support for use in US government roles. (no images from non-US governments were found) This is in client as well as server. I'd love to know how to enable those features. Anyone happen to run across this info anywhere?

    (for those interested, in 10.3, do Go, Go to Folder... /System/Library/CoreServices/SecurityAgentPlugins/SCLoginPlugin.bundle/Contents/Resources/)

    --
    I work for the Department of Redundancy Department.
    1. Re:OS X already ready for government? by phillymjs · · Score: 2, Informative

      Anyone happen to run across this info anywhere?

      There's some information here about the additional secure authentication methods OS X supports.

      ~Philly

    2. Re:OS X already ready for government? by od05 · · Score: 1

      Wow there is surely a backdoor in OS X somewhere

    3. Re:OS X already ready for government? by Frumious+Wombat · · Score: 1

      Just wait until you see the iNavy and iMarines posters next year. One button mouse, 24 iCBMs, It Just Works(tm)!

      --
      the more accurate the calculations became, the more the concepts tended to vanish into thin air. R. S. Mulliken
    4. Re:OS X already ready for government? by Anonymous Coward · · Score: 2, Funny

      Just wait until you see the iNavy and iMarines posters next year. One button mouse, 24 iCBMs, It Just Works(tm)!

      1000 Warheads. Impossibly Small.

  36. It's like the Army by Anonymous Coward · · Score: 0

    I once read of a guy serving in the army in some office capacity, and he initialed a form that he didn't need to. It was sent back down the chain to him with a note saying the form didn't need his initials, please erase his initials and initial the erasure.

  37. Ah by crmartin · · Score: 2, Funny

    ... but was the reader really anonymous?

  38. Now wonder its been ./ed by dxminxs · · Score: 2, Funny
  39. They already have by Anonymous Coward · · Score: 0

    GWB owes MS a lot.

  40. This is not new! by sysiphus474 · · Score: 1

    Background: I work for Uncle Sam in an "Enlisted" capacity. The facility I work in uses several OSs: Alpha, VAX, UNIX, M$, etc. Use a little FORTRAN IV and some proprietary stuff as well. I had the idea(still have it, BTW) that all of this could be rolled into a Linux-exclusive environment. Downloaded the SELinux kernel about 4 years ago, and pitched it to the IS guy at work. Said it could be used for all applications on both the red and black sides of the house, started trying to get the code to start setting everything up on 1 "box". Found myself beating my head against the wall because the IS guy was an MCSE who just had a bunch of cheat sheets on how to use the other stuff. All he could do was start/stop processes and reboot. Now, the security level of the info is quite high, and it seems that the ultimate goal would be to have it as secure as possible. The only security some of this stuff has is obscurity! (Well, that and the crypto equipment-old KGs and whatnot) You would think that IT departments would tire of pushing security fixes and try to find alternatives to the buggy, insecure crap we are using these days. As a side note, we had an in-house mailserver running on an old 486 stuffed in a corner, used primarily for Squad leaders to push info to subordinates. Got a call from the NSA telling us we had to take it down or provide root access, as they could not access it remotely! This super secret squirrel secure box? Mandrake--without IPCHAINS!

    1. Re:This is not new! by ScriptedReplay · · Score: 1

      we had an in-house mailserver running on an old 486 stuffed in a corner [...] Mandrake--without IPCHAINS!

      yeah, that seems to be an interesting trend - old Linux distros that were hackable at the time no longer are to the same extent, as the current scripted attacks have no option for vulnerabilities in ancient versions of software. Don't rest on your laurels though, if one decides your box is interesting enough to target, one still has the means to - as long as the benefits for time spent are big enough.

    2. Re:This is not new! by dysk · · Score: 1
      Got a call from the NSA telling us we had to take it down or provide root access, as they could not access it remotely!
      And you were sure that that was the NSA?
    3. Re:This is not new! by Anonymous Coward · · Score: 0
      several OSs: Alpha, VAX
      That would be OpenVMS, you're describing the hardware.

      Got a call from the NSA telling...
      That sounds extremely unlikely, in the totally untrue sense.

      Nice troll though.

    4. Re:This is not new! by sysiphus474 · · Score: 1

      unless someone both knew of the mailserver AND spoofed their STU-III key material.

  41. Dealing with gov. entities by WindBourne · · Score: 1

    Loose lips sink ships.

    If you must talk about stuff here, do NOT say which federal agency it is.

    If you must say some thing, it is best not to be too specific as to the situation.

    If you have a difficult time not talking about something like this, then avoid the areas that piss you off so you are not tempted to post here concerning these kind of incidents.

    Yes, I know that you did not take a loyalty oath, and likewise, you do not see how this info can possibly be used against the feds. But even this posting could cost you your job at IBM. At the very least, they may consider moving you.

    BTW, if all you know about is a waste of money, then you really have little to be upset about. Keep in mind, that the agency probably did not fill you in on what the system really did.

    If you do not like all that goes on, try to support the congressmen that support your POV, or even send the info to them (I would suggest a libertarian or a democrat as the republicans have shown that they do not care about your taxes or their deficits).

    Did I mention the golden rule of Loose lips sink ships?

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:Dealing with gov. entities by Anonymous Coward · · Score: 0
      Loose lips sink ships. If you must talk about stuff here, do NOT say which federal agency it is. If you must say some thing, it is best not to be too specific as to the situation.

      Oh, go away, you little spy-wannabe. Ooooh, you are *so* security conscious and leet, why, I bet you've seen every James Bond movie twice, maybe three times...

  42. NSA uses Windows - maybe by Anonymous Coward · · Score: 0

    How long do you think it'll be before Microsoft tries to 'acquire' them as the latest 'innovation' in computer security? :D

    Microsoft may not need to acquire the NSA. Netcraft reports www.nsa.gov has been using Windows 2003 since 1996. Now I don't believe that. What I do believe is they have more control over the internet than anyone realizes. Maybe the NSA is a sponsor of Microsoft which might explain why anti-trust laws are frequently ignored for Microsoft. Maybe there is more to that NSAKey than meets the eye.

  43. NSA.com by Doc+Ruby · · Score: 1

    "Customers"? How about "citizens"? How come serving customers is a higher calling than serving citizens, for a government agency?

    --

    --
    make install -not war

    1. Re:NSA.com by VENONA · · Score: 1

      It's just corporate IT speak for 'users'. Not sure how it got so far into government (maybe the IT and/or biz edu system?), but it's everywhere. Look at government sites that provide datasets related to climate, GIS, etc., and everything is a 'product'.

      When I worked at one or another of the semiconductor manufacturers, we had to attend various training courses to learn that everyone was a customer. The only difference was internal or external. This is the same sort of corp-think.

      It's sad that sounding corporate and acquainted with the latest management fad, and/or using the latest buzzword(s) is now regarded as cool. So many people trying to sound like the latest and greatest suit!

      My favorite buzz phrases are 'going forward', which swept the friggin' planet in about three months, and 'due diligence', which has long been popular, typically with those that don't know that 'due diligence' is only half the story. The other half is 'due care', and both are necessary to meet 'standard of care' requirements. And 'due x' comes from corporate governance requirements. Yet normal employees, not just execs, are just all over it, using it in wildly incorrect contexts.

      They should only be seeing the term(s) in relation to why management is launching a project (if then), as *only* execs have legal 'due x' responsibilities. Instead, from some new-hire slacker, you get things like, "I'm reading /. looking for new security news. It's just due diligence."

      Again, it's a sad friggin' world when so many people are using the suits (who will outsource their jobs to low-wage country du jour in a heartbeat) as their role models.

      --
      What you do with a computer does not constitute the whole of computing.
    2. Re:NSA.com by Doc+Ruby · · Score: 1

      I still want my "due process" served fresh and tasty.

      --

      --
      make install -not war

    3. Re:NSA.com by Call+Me+Black+Cloud · · Score: 1

      OT: Great user name to use in a reply to a thread about the NSA.

    4. Re:NSA.com by VENONA · · Score: 1

      Nice catch, Call Me Black Cloud. I was wondering who would be the first to snap to that. :)

      --
      What you do with a computer does not constitute the whole of computing.
  44. In Related News by Anonymous Coward · · Score: 0

    News site Slashdot has been shut down for terrorist activity after a recent exploding of NSA's Servers. President Bush will address the country on this matter within a few moments. In other news Microsoft's share price has gone up by 500% today...

    1. Re:In related news by whackco · · Score: 1

      Yes, the people they are busy selling state secrets to would be 'customers'

      /me waits for door to be broken down

  45. Beware bad players by coyote-san · · Score: 3, Insightful

    You don't just have to worry about something being classified incorrectly, you have to worry about bad players who deliberately make "mistakes" when declassifying hardware. That's not acceptable so you need to second- and triple-check everything, and that drives the cost way up since everyone must have the appropriate clearances, all of the paperwork is classified, etc.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  46. How could you know this? by coyote-san · · Score: 1

    One of the basic tenets of security is that you don't let ANY information leak. Knowing how many machines were sold is an unavoidable leak, but knowing how many were "excess capacity" combined with that number tells you how much computing power the NSA actually uses. Double seriously uncool. If the security manager is doing his job there's going to be a random, but substantial, number of excess machines but nobody outside of the agency will know how many.

    Some classic examples of this in practice? One facility had color-coded badges that identified the area where an employee worked. This makes it easy to identify somebody out of place (unless they can get a fake badge, of course). Only problem was that the exit checkpoint was close to the public exit and most of the workers walked outside with their badges on. An agent could determine staffing levels by simply counting the badges on a public street. Associating the badges with projects is relatively easy down at the neighborhood bar. (You can't expect people to avoid talking about work at the "oh, so you're a machinist too?" level.) The solution was to move the exit checkpoint out of public sight and require workers to remove their badges.

    Another classic example is secure communications lines. One of the most basic forms of traffic analysis is monitoring how much traffic (or "chatter") is occurring. If traffic jumps 200%, pay attention. The solution is to fill the gaps with encrypted noise, although that's sometimes impractical.

    A variant of that is the notorious "Domino's Pizza" effect. How do you know something is up at the White House? The local Domino's is delivering more pizzas. There's enough transparency that this probably doesn't provide much information that you couldn't get elsewhere, but it's an interesting footnote.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
  47. In related news by merc · · Score: 2, Funny

    The NSA has customers...

    *blinks*

    --
    It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
  48. How you should argue back. by edunbar93 · · Score: 1

    Yeah, but that's not the point. The point is that why not just use it until it breaks (or it's obsolete, whichever comes first), *then* replace it. It's not a cost-saving thing really either. It's a usability and productivity thing. At my work, we're super nervous every time we do an upgrade or add new servers because the new and untested hardware may not be entirely reliable and you will never know until it's been running under load for a while.

    By that same token, we have a couple servers that date back to the mid-90s. Every time my boss tells me we should upgrade that clunky old P133 that lives as our secondary name server, I ask him "Why? It works just fine, and we have no idea how reliable the new hardware will be," and then he goes away. Some hardware just *refuses* to die.

    --
    "No problem. I have the capacity to do infinite work so long as you don't mind that my quality approaches zero."-Dilbert
    1. Re:How you should argue back. by hepwori · · Score: 1

      why not just use it until it breaks

      Because unplanned downtime is more expensive than planned downtime. It's the breaking-unexpectedly that's expensive.

      It's not a cost-saving thing really either. It's a usability and productivity thing

      Huh? Companies pay for productivity. Lack of productivity == wasted money. That *is* the cost-saving.

  49. Re:This is BS by Anonymous Coward · · Score: 0

    I work there (NSA). That's not how we operate. There are a few things wrong with your story. First, laws prevent the use of data on US citizens or people physically in the US without a court order (look up USSID 18). If there was a court-sanctioned investigation going on no one from the NSA would be calling up and asking for access to a machine. No one would call if it wasn't court sanctioned either. Second, there are other ways to get at e-mail without access to the box (think passive collection).

    I'd say there was some social engineering going on, and if you fell for it you're an idiot. "Hi, this is Bob from the NSA. Please open your box to us. Thanks. By the way, what's the number printed on the front of your Visa card?"

  50. BOOM! by Reziac · · Score: 2, Interesting

    Actually, such anti-tamper devices exist -- the one I've seen was an otherwise-ordinary hard drive with a block of explosive attached, and the idea was that if it was powered up on the 'wrong' machine, it would explode (taking out not only the HD but the entire area).

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  51. Winzip claim and credibility by Kristoffer+Lunden · · Score: 2, Funny

    I know these guys should know what they are talking about, but it feels a bit strange to take technical advice from someone who claims that "To download and uncompress zipped files you need to have winzip loaded on your local machine." on their XP advice page. I thought even XP could do that without addons, not to mention other OS:es which also seem to manage it just fine.

    Maybe they are just sponsored. Or is that "bribed" when it comes to governments? :)

  52. Because it could eventually leak to the public by Sycraft-fu · · Score: 2, Interesting

    Let's say you have equipment originally for the NSA and it's holding the most critical secret data. It's not supposed to be sold, but is confused for something that is. However policy says sell it only to the federal government. So it's sold to the IRS. The IRS uses it for non-confidential storage, not even people's information. So when they get rid of it, it's just public surplus. After all? Who cares if someone gets the data, it wasn't sensitive.

    Well some foreign spy agency then buys the hardware, and using some super secret platter analysis technique is able to recover the NSA data, even though it was overwritten multiple times.

    Oops.

    It sounds silly but you have to remember that the spy agencies are willing to spend a tremendous amount of money to get information from each other, and try all sorts of oddball tricks.

    I mean in reality, a multiple pass random data overwrite of a disk probably destroys the data beyond anybody's ability to recover. I've heard random people talk up how you can recover it 40 levels back or whatever, but never from anyone who would know what the hell they are talking about. Electronics would dictate that pretty soon, the entropy introduced would make any minute signal that was there lower than the inherent randomness on the disk, and thus useless.

    However, with national security, you don't take that risk. Yes it's wasteful but it's just how it goes. You never know what new and imaginative method the other guys might have to get at your stuff, so you just don't risk it.

  53. Why is this news? by Anonymous Coward · · Score: 0

    This site has been serving those docs for YEARS now, since the NT4 days.

  54. Anyone remember DES? by Anonymous Coward · · Score: 0

    I wonder if we should really be trusting the people who intentionally built DES weaker than it could have been. For those who don't know, the NSA recommended the key size for the DES encryption algorithm be decreased to 56 bits. The original DES design used 64 bits. At the time, a 63 bit key was computationally infeasible to crack, but the NSA did have the resources to crack 56 bits. Chances are your ATM uses DES or triple DES.

  55. MOD PARENT UP AS FUNNY by alizard · · Score: 1

    see subject