How The NSA Secures Computers
An Anonymous Reader wrote to mention an NSA site covering secure configuration guidelines for a number of operating systems. From the site: "NSA initiatives in enhancing software security cover both proprietary and open source software, and we have successfully used both proprietary and open source models in our research activities. NSA's work to enhance the security of software is motivated by one simple consideration: use our resources as efficiently as possible to give NSA's customers the best possible security options in the most widely employed products."
Leave it to the government to tell us how to secure our computers so they can tap into our data later through some backdoor. Good read, except all they really had to say was 'disconnect your computer from the fucking internet'..
The NSA has customers? How long do you think it'll be before Microsoft tries to 'acquire' them as the latest 'innovation' in computer security? :D
... but there are also a few guides to the applications security available: http://www.nsa.gov/snac/downloads_all.cfm
my favorites are the Cisco IOS and Microsoft CA guides
As an employee of IBM (I work on enterprise storage products) I have this anecdotal story to relate:
The NSA buys lots of our gear, the large multi-terabyte enterprise-class disk storage arrays. In the case I heard about, there were a small handful of boxes. We keep track of the code loaded on each of them for support reasons, so we have a good sense of where each box is and what it's doing.
Our warranty on those arrays is 3 years.
At the end of the warranty period, it is the policy of the NSA to replace the gear outright and start fresh. What we learned was, these boxes had never been put into operation and sat on their shop floor as "excess capacity" (happens in the larger shops, it's a good idea). They had never been attached as storage to their mainframes.
The NSA crushed them. Brand new, unused and perfectly functional with ZERO data on them. Crushed to scrap.
That hurts, guys. It really does. My tax dollars paid for them, my sweat and tears make them run, and the gov't just hauls them outside and crushes them when they can't get support via the original warranty terms. They will never let a shred of data leave their shop for fear of losing control of classified info, but damn, these never had any!
Why do they treat our tax money so callously?
the guide to securing Windows XP is actually a link to http://distrowatch.com/ so you can choose one of the many different options they have laid out for you.
My UID is a palindrome, that must be good for some type of prize.
I've read through the NSA's guidelines for securing Mac OS X before; as I recall their instructions included things like deleting the audio input drivers, so software can't record audio in the room by using the built-in microphone. Interesting stuff.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Holy shit, have we just slashdotted the NSA? I can't reach the article.
Careful now, you might piss off some Vietnamese twins in South Africa if you mention that again.
The problem is that if you start to allow some things to be sold without being destroyed, the possibility that something is classified incorrectly, and thus has data on it increases. When you are dealing with TS/SCI shit, you just don't take the risk.
When it comes to spy games, there's no such thing as "paranoid enough".
I read the OS X guide a year ago and everything written there seemed obvious to me (i.e. the usual "Don't use rsh, use ssh" stuff or similar).
Anyway, not a bad guide for beginners (as it's supposed to be).
So, since the NSA doesn't provide instructions on how to secure a Linux computer, they're either saying Linux is so good it doesn't need to be secured (yay slashdot mentality) or it's red commie software that no freedom-loving American would dare use.
Why do we have to go hunting round 3rd parties to learn how to secure our O/S? Surely this information (in the form of clear and easy Howtos) should be given as part of the O/S package, as purchased from the vendor.
Computer secures YOU!
If Slashdot takes down a government website so quickly, is it a threat to our national security?
$ whatis themeaningoflife
themeaningoflife: not found
No fucking shit. Suppose somebody said "let's use our resources INEFFICIENTLY! And given our title of NATIONAL SECURITY AGENCY, let's NOT PROMOTE THE BEST SECURITY OPTIONS!" Would anybody really jump up and say "that's a *brilliant* idea!"?
Hell no.
Look, to anybody with any common sense at all, it's implicit in any organization that efficiency is important. But so is security. So is safety. So is customer satisfaction. So is employee satisfaction. So is profit (if a private for-profit org).
Is it *really* especially insightful to say "we should be efficient!" anymore? Or, now that 9/11 has warped our psyche to care singlemindedly about security (almost invariably at the expense of liberty), that another top priority is security? Not to anybody with a brain.
Why do we pay people to make such broad, fucking-obvious statements again? To remind us of what we already have known since we were teenagers?
Oh yes, I swear here and ruthlessly criticize somebody for making statements that have coincided with the goal of economy (implicitly or explicitly) for the last 230 years. Mod me troll now.
Is Capitalism Good for the Poor?
Part of it is that they pretty much have to spend their budget, or it'll get reduced during the next cycle.
The other thing is, let's say that they rip out all the HDs and RAM in order to auction off the hardware... well, someone has to do that, someone has to file a bunch of paperwork (in triplicate, everything is in triplicate), someone else is going to file the paperwork that's just been generated, someone else has to make sure the HDs & RAM get destroyed, more paperwork...
The costs can snowball very quickly. It may seriously be cheaper to de-mill the stuff and buy it again.
[Fuck Beta]
o0t!
I run two colocated web servers on NetBSD. Both are stock installations and I haven't had any problems. The one thing I would like to see change is that a single IP address can do a dictionary attack on sshd for hours on end without OpenSSH saying "ok, let's not listen to that IP address for a while."
Getty does this, or something like it, why not ssh?
http://michaelsmith.id.au
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
American tax dollars hard at work to keep my socialist PC running nicely. Got to love the modern world.
Afraid that the US government (the one that makes speeches) might be firmly up MS backside but the parts of the US government that actually do stuff seem to like Linux.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
2) what you want to do is sell people a turnkey solution. i.e. a device which solves the problem, no thought needed. Just make sure to give it a fancy name like, "Airgap Firewall" claim it's 100% effective and slap a $50 price tag on it.
Can you be Even More Awesome?!
Unless you have weak passwords, then this is not much of a problem.
In the sshd_config you may disable password logins, and login using a certificate. In addition, you may specify which users/groups that may login:
Many of those automated attempts to bruteforce sshd are run from a Linux machine, so a simple fix (if you use the OpenBSD packet filter that is ported to NetBSD) is quite simply to drop all packets to sshd that are sent from a Linux computer.
If I own your machine, is it hard for me to install drivers back? Is it hard for me to hide the fact of installation? Is it hard for me to access hardware directly if I'm really after you? This is a good example of advice giving a false sense of security. If their other advice is really like this, your country is in big, big trouble.
Just as an example in the computer class of my university they tried to deny us access to floppy drives by clearing FDD type in BIOS and setting the BIOS password. This didn't hold for one month.
If you find the main site slashdotted, I have a link to someone hosting all the docs on their own PC - the guy's name is Frank and he works in some government office in Washington DC - you'll find all the docs in a sub-folder just next to the MP3 and porn store managed by someone called ZoM61e Kar1.
.
.
.
.
.
.
.
Note to NSA and FBI: This is a Joke. Honest.
AT&ROFLMAO
I found the NIST WindowsXP Security guide,
http://csrc.nist.gov/itsec/guidance_WinXP.html
Is there a comparable server guide?
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
I have done some digging into the less accessible files in the OS, and was quite surprised to find US government things buried deep within the OS. The first thing I found were two images of key cards, and the code to support their use. The other fun thing I ran into were large emblems of the army, navy, air force, marines, FBI, NOAA, coast guard, DoD, public health service, and several other US government departments. Clearly OS X has some built-in support for use in US government roles. (no images from non-US governments were found) This is in client as well as server. I'd love to know how to enable those features. Anyone happen to run across this info anywhere?
(for those interested, in 10.3, do Go, Go to Folder...
/System/Library/CoreServices/SecurityAgentPlugins/SCLoginPlugin.bundle/Contents/Resources/)
I work for the Department of Redundancy Department.
... but was the reader really anonymous?
W2K http://toolbar.netcraft.com/site_report?url=http://nsa.gov
I wrote a script that did this not so long ago on OpenBSD; unfortunately, that system isn't immediately accessible. What it boiled down to was grepping /var/log/messages for any failed logins, sedding out everything but the IP address, piping the output to sort, doing uniq -c, finding any IPs listed "many" times (for whatever definition of "many" is reasonable), and then piping those IPs to pfctl to add to a blacklist. Since the logs rotate every week, if anyone tries to log in too many times, they'll be permanently blacklisted. Stick the script in a cronjob and call it good. Not exactly user-friendly to implement, but highly adaptable.
Sigs are like bumper stickers.
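The pipeline described in the comment above (grep, sed, sort, uniq -c, threshold, pfctl), as an added example that is not the commenter's script or part of the original thread. It assumes OpenSSH-style "Failed password" lines, IPv4 sources, and a pf table named `bruteforce`; the function names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical pf table; pf.conf is assumed to declare it and block on it:
#   table <bruteforce> persist
#   block in quick from <bruteforce>
PF_TABLE=bruteforce

# Constructed sample of sshd lines (documentation addresses, not real data).
sample_log() {
cat <<'EOF'
Jan 10 03:14:01 host sshd[811]: Failed password for root from 203.0.113.7 port 40111 ssh2
Jan 10 03:14:03 host sshd[811]: Failed password for root from 203.0.113.7 port 40111 ssh2
Jan 10 03:14:05 host sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jan 10 03:14:09 host sshd[815]: Failed password for invalid user x from 198.51.100.9 port 1 ssh2 from 203.0.113.7 port 40113 ssh2
Jan 10 08:30:12 host sshd[902]: Failed password for alice from 198.51.100.23 port 51515 ssh2
Jan 10 08:30:20 host sshd[902]: Accepted password for alice from 198.51.100.23 port 51515 ssh2
Jan 10 09:00:00 host cron[77]: (root) CMD (newsyslog)
EOF
}

# offenders THRESHOLD: read a log on stdin, print each source IP with at
# least THRESHOLD failed password attempts.
offenders() {
    threshold=$1
    # The username is chosen by the remote side and is logged verbatim, so
    # the sed pattern is anchored to the end of the line: only the address
    # sshd itself appended is extracted, never one embedded in a username
    # (fourth sample line).
    grep 'sshd\[[0-9]*\]: Failed password for ' |
    sed -n 's/.* from \([0-9][0-9.]*\) port [0-9][0-9]* ssh2$/\1/p' |
    sort | uniq -c |
    awk -v t="$threshold" '$1 >= t { print $2 }'
}

# block_commands THRESHOLD: print (not run) the pfctl call for each offender,
# so the list can be reviewed before it is piped to sh as root from cron.
block_commands() {
    offenders "$1" | while read -r ip; do
        printf 'pfctl -t %s -T add %s\n' "$PF_TABLE" "$ip"
    done
}

sample_log | block_commands 3
```

In use, the function would read the real log instead of the sample, for example `offenders 10 < /var/log/messages`; the threshold is whatever counts as "many" on that host.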
You don't just have to worry about something being classified incorrectly, you have to worry about bad players who deliberately make "mistakes" when declassifying hardware. That's not acceptable so you need to second- and triple-check everything, and that drives the cost way up since everyone must have the appropriate clearances, all of the paperwork is classified, etc.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
The NSA has customers...
*blinks*
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
Actually, such anti-tamper devices exist -- the one I've seen was an otherwise-ordinary hard drive with a block of explosive attached, and the idea was that if it was powered up on the 'wrong' machine, it would explode (taking out not only the HD but the entire area).
~REZ~ #43301. Who'd fake being me anyway?
I know these guys should know what they are talking about, but it feels a bit strange to take technical advice from someone who claims that "To download and uncompress zipped files you need to have winzip loaded on your local machine." on their XP advice page. I thought even XP could do that without addons, not to mention other OS:es which also seem to manage it just fine.
:)
Maybe they are just sponsored. Or is that "bribed" when it comes to governments?
Spine World
Let's say you have equipment originally for the NSA and it's holding the most critical secret data. It's not supposed to be sold, but is confused for something that is. However policy says sell it only to the federal government. So it's sold to the IRS. The IRS uses it for non-confidential storage, not even people's information. So when they get rid of it, it's just public surplus. After all? Who cares if someone gets the data, it wasn't sensitive.
Well some foreign spy agency then buys the hardware, and using some super secret platter analysis technique is able to recover the NSA data, even though it was overwritten multiple times.
Oops.
It sounds silly but you have to remember that the spy agencies are willing to spend a tremendous amount of money to get information from each other, and try all sorts of oddball tricks.
I mean in reality, a multiple pass random data overwrite of a disk probably destroys the data beyond anybody's ability to recover. I've heard random people talk up how you can recover it 40 levels back or whatever, but never from anyone who would know what the hell they are talking about. Electronics would dictate that pretty soon, the entropy introduced would make any minute signal that was there lower than the inherent randomness on the disk, and thus useless.
However, with national security, you don't take that risk. Yes it's wasteful but it's just how it goes. You never know what new and imaginative method the other guys might have to get at your stuff, so you just don't risk it.