Slashdot Mirror

← Back to Stories (view on slashdot.org)

How The NSA Secures Computers

Posted by Zonk on from the wooo-party dept.

An Anonymous Reader wrote to mention an NSA site covering secure configuration guidelines for a number of operating systems. From the site: "NSA initiatives in enhancing software security cover both proprietary and open source software, and we have successfully used both proprietary and open source models in our research activities. NSA's work to enhance the security of software is motivated by one simple consideration: use our resources as efficiently as possible to give NSA's customers the best possible security options in the most widely employed products."

5 of 209 comments (clear)

  1. Crushing defeat. by Number44 · · Score: 5, Interesting

    As an employee of IBM (I work on enterprise storage products) I have this anecdotal story to relate:

    The NSA buys lots of our gear, the large multi-terabyte enterprise-class disk storage arrays. In the case I heard about, there were a small handful of boxes. We keep track of the code loaded on each of them for support reasons, so we have a good sense of where each box is and what it's doing.

    Our warranty on those arrays is 3 years.

    At the end of the warranty period, it is the policy of the NSA to replace the gear outright and start fresh. What we learned was, these boxes had never been put into operation and sat on their shop floor as "excess capacity" (happens in the larger shops, it's a good idea). They had never been attached as storage to their mainframes.

    The NSA crushed them. Brand new, unused and perfectly functional with ZERO data on them. Crushed to scrap.

    That hurts, guys. It really does. My tax dollars paid for them, my sweat and tears makes them run, and the gov't just hauls them outside and crushes them when they can't get support via the original warranty terms. They will never let a shred of data leave their shop for fear of losing control of classified info, but damn, these never had any!

    Why do they treat our tax money so callously?

  2. NSA guidelines by Phroggy · · Score: 4, Interesting

    I've read through the NSA's guidelines for securing Mac OS X before; as I recall their instructions included things like deleting the audio input drivers, so software can't record audio in the room by using the built-in microphone. Interesting stuff.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:NSA guidelines by hughk · · Score: 4, Interesting

      Many years ago, there was an issue on Sun workstations. The audio driver was world readable by default so code running on your workstation could literally "bug" you.

      --
      See my journal, I write things there
  3. OS X already ready for government? by v1 · · Score: 4, Interesting

    I have done some digging into the less accessible files in the OS, and was quite surprised to find US government things buried deep within the OS. The first thing I found were two images of key cards, and the code to support their use. The other fun thing I ran into were large emblems of the army, navy, air force, marines, FBI, noaa, coast guard, DoD, public health service, and several other US government departments. Clearly OS X has some built-in support for use in US government roles. (no images from non-US governments were found) This is in client as well as server. I'd love to know how to enable those features. Anyone happen to run across this info anywhere?

    (for those interested, in 10.3, do Go, Go to Folder... /System/Library/CoreServices/SecurityAgentPlugins/ SCLoginPlugin.bundle/Contents/Resources/)

    --
    I work for the Department of Redundancy Department.
  4. Re:huh? by bhiestand · · Score: 4, Interesting
    The NSA has customers? How long do you think it'll be before Microsoft tries to 'aquire' them as the latest 'innovation' in computer security? :D

    I know you're joking, but I believe the intelligence community generally uses that term. Either "customers" or "consumers", as opposed to "producers", of course. I know most of the government refers to other departments, agencies, and offices as their "customers".

    From NSA.GOV on SIGINT:
    NSA's SIGINT mission provides our military leaders and policy makers with intelligence to ensure our national defense and to advance U.S. global interests. This information is specifically limited to that on foreign powers, organizations or persons and international terrorists. NSA responds to requirements levied by intelligence customers, which includes all departments and levels of the United States Executive Branch.

    And on Information Assurance:
    NSA's Information Assurance Directorate invites government employees throughout the nation to take advantage of the products, services, and programs we offer to help you secure your critical information systems. Peruse our TEMPEST product lists and descriptions to find exactly the product you need. Discover what the IAD is doing to ensure the security of the emerging Global Information Grid. Download the latest security guides, or enlist the services of IA professionals to help you engineer secure systems or assess the security of existing systems. Learn more about national-level IA programs like those available through the Interagency OPSEC Support Staff and the Information Assurance Training and Rating Program. Or register for IA-related events and conferences to get up-to-speed on the latest IA technologies. Whatever your Information Assurance needs, the IAD is here to help.

    In short, their customers include the entire military, who will receive intelligence reports that may be based on sigint information. Other customers include the state department, which might want to know if the NSA manages to get an intercepted telegram of Germany asking Mexico to declare war on America. Or maybe the president wants to know what kind of porn Usama Bin Laden likes to look at. Either way, according to their website, the NSA is tasked to do this stuff by other agencies, who then use that information to do their job. This gives them bonus points when justifying their budget, so it is the government equivalent of being directly paid to do the work. This is quite definitely a "customer".

    On top of that, since the NSA knows so much about communications, networks, computer systems, and the security of these systems, the NSA is the de facto expert, hence they're also responsible for helping ensure that government computer systems are secure. They say they send advisors to help people out, and I'm sure they have some sort of responsibility for classified networks as well. It's in their best interest if the US has a well-secured communications infrastructure. I'd say it's the digital equivalent of using a sniper as a counter-sniper. But this means the entire government is also their customer. At least anyone who needs their computers to be secure.

    So yes, I'd say the NSA has a lot of customers.

    As for the comments about "the NSA may as well have said that you should just unplug your computer from the internet", I remember an ask.slashdot question a while ago where a guy asked for advice on securing his business computers for some classification certification. A lot of the replies basically said that the computers couldn't be on the internet, period. From my past experiences with having computers online, I'd have to agree that it's a bad idea to have a computer with sensitive data on an open network like the internet.
    --
    SWM seeks new sig for a brief fling