How The NSA Secures Computers
An Anonymous Reader wrote to mention an NSA site covering secure configuration guidelines for a number of operating systems. From the site: "NSA initiatives in enhancing software security cover both proprietary and open source software, and we have successfully used both proprietary and open source models in our research activities. NSA's work to enhance the security of software is motivated by one simple consideration: use our resources as efficiently as possible to give NSA's customers the best possible security options in the most widely employed products."
As an employee of IBM (I work on enterprise storage products) I have this anecdotal story to relate:
The NSA buys lots of our gear, the large multi-terabyte enterprise-class disk storage arrays. In the case I heard about, there were a small handful of boxes. We keep track of the code loaded on each of them for support reasons, so we have a good sense of where each box is and what it's doing.
Our warranty on those arrays is 3 years.
At the end of the warranty period, it is the policy of the NSA to replace the gear outright and start fresh. What we learned was, these boxes had never been put into operation and sat on their shop floor as "excess capacity" (happens in the larger shops, it's a good idea). They had never been attached as storage to their mainframes.
The NSA crushed them. Brand new, unused and perfectly functional with ZERO data on them. Crushed to scrap.
That hurts, guys. It really does. My tax dollars paid for them, my sweat and tears make them run, and the gov't just hauls them outside and crushes them when they can't get support via the original warranty terms. They will never let a shred of data leave their shop for fear of losing control of classified info, but damn, these never had any!
Why do they treat our tax money so callously?
I've read through the NSA's guidelines for securing Mac OS X before; as I recall their instructions included things like deleting the audio input drivers, so software can't record audio in the room by using the built-in microphone. Interesting stuff.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
I run two colocated web servers on NetBSD. Both are stock installations and I haven't had any problems. The one thing I would like to see change is that a single IP address can do a dictionary attack on sshd for hours on end without OpenSSH saying "ok, let's not listen to that IP address for a while."
Getty does this, or something like it, why not ssh?
http://michaelsmith.id.au
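The temporary per-address lockout asked for in the comment above is commonly applied outside sshd, by a watcher that reads the authentication log and feeds a packet filter. The following is an added example, not part of the thread and not OpenSSH code: the thresholds, the function names and the sample log lines are assumptions, and the log format is the usual OpenSSH "Failed password" syslog line.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                      # assumed policy values, tune per site
WINDOW = timedelta(seconds=60)
BAN_TIME = timedelta(minutes=10)

# The user name is chosen by the remote client, so anchor on the END of the
# line: the greedy ".*" makes the last "from <addr> port <n>" the one we trust.
FAILED = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for .* from (\S+) port \d+ ssh2$")

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Oct 12 04:12:01 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Oct 12 04:12:03 web1 sshd[812]: Failed password for root from 203.0.113.7 port 51240 ssh2
Oct 12 04:12:04 web1 sshd[813]: Failed password for mike from 198.51.100.20 port 40031 ssh2
Oct 12 04:12:05 web1 sshd[815]: Failed password for invalid user a from 198.51.100.20 port 1 from 203.0.113.7 port 51251 ssh2
Oct 12 04:12:30 web1 sshd[820]: Accepted publickey for mike from 198.51.100.20 port 40022 ssh2
Oct 12 04:30:00 web1 sshd[900]: Failed password for root from 203.0.113.7 port 51300 ssh2
"""

def find_bans(log_text):
    """Return {source address: time the temporary ban ends}."""
    recent = defaultdict(deque)       # address -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog has no year
        try:
            addr = str(ipaddress.ip_address(m.group(2)))
        except ValueError:
            continue                  # not an address: ignore rather than guess
        q = recent[addr]
        q.append(when)
        while when - q[0] > WINDOW:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            bans[addr] = when + BAN_TIME
            q.clear()
    return bans

def is_blocked(bans, addr, when):
    """True while the temporary ban for addr is still running at time `when`."""
    return addr in bans and when < bans[addr]
```

The fourth sample line carries a user name that itself contains "from 198.51.100.20 port 1"; because the address is read from the end of the line, the failure is still counted against 203.0.113.7 and the legitimate user's address is not locked out.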
The costs can snowball very quickly.
I work in the French civil service, and the rule here is that we change computers every 3 years. I'm due to get a new toy in December.
I told the person in charge that I'm happy with my current machine, and was willing to keep it. I was told that by using a machine out of warranty, I risk creating extra hassle when it breaks down, and that the salary I'd spend on changing a disk drive would more than offset any savings.
If I own your machine, is it hard for me to install the drivers back? Is it hard for me to hide the fact of installation? Is it hard for me to access hardware directly if I'm really after you? This is a good example of advice giving a false sense of security. If their other advice is really like this, your country is in big, big trouble.
Just as an example, in the computer class of my university they tried to deny us access to floppy drives by clearing the FDD type in BIOS and setting the BIOS password. This didn't hold for one month.
I have done some digging into the less accessible files in the OS, and was quite surprised to find US government things buried deep within the OS. The first thing I found were two images of key cards, and the code to support their use. The other fun thing I ran into were large emblems of the army, navy, air force, marines, FBI, noaa, coast guard, DoD, public health service, and several other US government departments. Clearly OS X has some built-in support for use in US government roles. (no images from non-US governments were found) This is in client as well as server. I'd love to know how to enable those features. Anyone happen to run across this info anywhere?
(for those interested, in 10.3, do Go, Go to Folder... /System/Library/CoreServices/SecurityAgentPlugins/SCLoginPlugin.bundle/Contents/Resources/)
I work for the Department of Redundancy Department.
You think you're joking, but when I used to work with the three-letter agencies, they did that. Put the computers and all the workspaces inside a Faraday cage, run the power through an isolation transformer. "Sanitize" used hard disks with thermite.
I know you're joking, but I believe the intelligence community generally uses that term. Either "customers" or "consumers", as opposed to "producers", of course. I know most of the government refers to other departments, agencies, and offices as their "customers".
From NSA.GOV on SIGINT:
NSA's SIGINT mission provides our military leaders and policy makers with intelligence to ensure our national defense and to advance U.S. global interests. This information is specifically limited to that on foreign powers, organizations or persons and international terrorists. NSA responds to requirements levied by intelligence customers, which includes all departments and levels of the United States Executive Branch.
And on Information Assurance:
NSA's Information Assurance Directorate invites government employees throughout the nation to take advantage of the products, services, and programs we offer to help you secure your critical information systems. Peruse our TEMPEST product lists and descriptions to find exactly the product you need. Discover what the IAD is doing to ensure the security of the emerging Global Information Grid. Download the latest security guides, or enlist the services of IA professionals to help you engineer secure systems or assess the security of existing systems. Learn more about national-level IA programs like those available through the Interagency OPSEC Support Staff and the Information Assurance Training and Rating Program. Or register for IA-related events and conferences to get up-to-speed on the latest IA technologies. Whatever your Information Assurance needs, the IAD is here to help.
In short, their customers include the entire military, who will receive intelligence reports that may be based on sigint information. Other customers include the state department, which might want to know if the NSA manages to get an intercepted telegram of Germany asking Mexico to declare war on America. Or maybe the president wants to know what kind of porn Usama Bin Laden likes to look at. Either way, according to their website, the NSA is tasked to do this stuff by other agencies, who then use that information to do their job. This gives them bonus points when justifying their budget, so it is the government equivalent of being directly paid to do the work. This is quite definitely a "customer".
On top of that, since the NSA knows so much about communications, networks, computer systems, and the security of these systems, the NSA is the de facto expert, hence they're also responsible for helping ensure that government computer systems are secure. They say they send advisors to help people out, and I'm sure they have some sort of responsibility for classified networks as well. It's in their best interest if the US has a well-secured communications infrastructure. I'd say it's the digital equivalent of using a sniper as a counter-sniper. But this means the entire government is also their customer. At least anyone who needs their computers to be secure.
So yes, I'd say the NSA has a lot of customers.
As for the comments about "the NSA may as well have said that you should just unplug your computer from the internet", I remember an ask.slashdot question a while ago where a guy asked for advice on securing his business computers for some classification certification. A lot of the replies basically said that the computers couldn't be on the internet, period. From my past experiences with having computers online, I'd have to agree that it's a bad idea to have a computer with sensitive data on an open network like the internet.
SWM seeks new sig for a brief fling
Actually, such anti-tamper devices exist -- the one I've seen was an otherwise-ordinary hard drive with a block of explosive attached, and the idea was that if it was powered up on the 'wrong' machine, it would explode (taking out not only the HD but the entire area).
~REZ~ #43301. Who'd fake being me anyway?
Let's say you have equipment originally for the NSA and it's holding the most critical secret data. It's not supposed to be sold, but is confused for something that is. However, policy says sell it only to the federal government. So it's sold to the IRS. The IRS uses it for non-confidential storage, not even people's information. So when they get rid of it, it's just public surplus. After all, who cares if someone gets the data? It wasn't sensitive.
Well, some foreign spy agency then buys the hardware, and using some super secret platter analysis technique is able to recover the NSA data, even though it was overwritten multiple times.
Oops.
It sounds silly but you have to remember that the spy agencies are willing to spend a tremendous amount of money to get information from each other, and try all sorts of oddball tricks.
I mean in reality, a multiple pass random data overwrite of a disk probably destroys the data beyond anybody's ability to recover. I've heard random people talk up how you can recover it 40 levels back or whatever, but never from anyone who would know what the hell they are talking about. Electronics would dictate that pretty soon, the entropy introduced would make any minute signal that was there lower than the inherent randomness on the disk, and thus useless.
However, with national security, you don't take that risk. Yes it's wasteful but it's just how it goes. You never know what new and imaginative method the other guys might have to get at your stuff, so you just don't risk it.