How The NSA Secures Computers

An Anonymous Reader wrote to mention an NSA site covering secure configuration guidelines for a number of operating systems. From the site: "NSA initiatives in enhancing software security cover both proprietary and open source software, and we have successfully used both proprietary and open source models in our research activities. NSA's work to enhance the security of software is motivated by one simple consideration: use our resources as efficiently as possible to give NSA's customers the best possible security options in the most widely employed products."

huh?

[utnow]

The NSA has customers? How long do you think it'll be before Microsoft tries to 'aquire' them as the latest 'innovation' in computer security? :D

not only operating systems,

[ivlad]

... but there are also a few guides to the applications security available: http://www.nsa.gov/snac/downloads_all.cfm

my favorite are Cisco IOS and Microsoft CA guides

Crushing defeat.

[Number44]

As an employee of IBM (I work on enterprise storage products) I have this anecdotal story to relate:

The NSA buys lots of our gear, the large multi-terabyte enterprise-class disk storage arrays. In the case I heard about, there were a small handful of boxes. We keep track of the code loaded on each of them for support reasons, so we have a good sense of where each box is and what it's doing.

Our warranty on those arrays is 3 years.

At the end of the warranty period, it is the policy of the NSA to replace the gear outright and start fresh. What we learned was, these boxes had never been put into operation and sat on their shop floor as "excess capacity" (happens in the larger shops, it's a good idea). They had never been attached as storage to their mainframes.

The NSA crushed them. Brand new, unused and perfectly functional with ZERO data on them. Crushed to scrap.

That hurts, guys. It really does. My tax dollars paid for them, my sweat and tears makes them run, and the gov't just hauls them outside and crushes them when they can't get support via the original warranty terms. They will never let a shred of data leave their shop for fear of losing control of classified info, but damn, these never had any!

Why do they treat our tax money so callously?

Re:Crushing defeat.

[cperciva]

Why do they treat our tax money so callously?

It's cheaper to replace a 3 year old disk array than it is to do all the paperwork necessary to prove that it was never used.

Re:Crushing defeat.

[Crouty]

As your posting clearly shows even the fact that the disks were not used is an information worth keeping secret.

Re:Crushing defeat.

[Decker-Mage]

The problem here, familiar to anyone that has dealt with the classified security system regulations, is that as soon as that equipment went in the door it became classified equipment of some certain level. Forever after that equipment, whether it had data on it or not, is set at the level of classification, period. You can never use it with equipment of a lesser classification nor can you declassify it (which in the eyes of the requlations is using it with unclassified equipment). If you can't deal with it, sorry, but that's the way the system works and it isn't going to change as one mistake can cost not just the country but real lives.

guide to XP

[briancurtin]

the guide to securing Windows XP is actually a link to http://distrowatch.com/ so you can choose one of the many different options they have laid out for you.

Slashdotted?

[Splintax]

Holy shit, have we just slashdotted the NSA? I can't reach the article.

Re:Slashdotted?

[saynt]

Oh crap, I wasn't here, you never saw me.

Re:do not confuse /. with \.

[digitallystoned]

/. means slashdot" thats troll -1 obviously \. means "heil hitler" or "sieg heil" in use heavily on Counter-Strike servers around Europe. Funny? Well.. not. So be damn sure u write /. and not \. LOL

Careful now you might piss of some Vietnamese twins in South Africa if you mention that again.

Because the data they protect is very sensitive

[Sycraft-fu]

The problem is that if you start to allow some things to be sold without being destroyed, the possibility that something is classified incorrectly, and thus has data on it increases. When you are dealing with TS/SCI shit, you just don't take the risk.

When it comes to spy games, there's no such thing as "parinoid enough".

Linux

So, since the NSA doesn't provide instructions on how to secure a Linux computer, they're either saying Linux is so good it doesn't need to be secured (yay slashdot mentality) or its red commie software that no freedom-loving american would dare use

Re:Linux

[SecureTheNet]

The NSA has released it's over version of linux, SELinux, the Security Enhanced Linux.

^BumP^

[TubeSteak]

Lol, this probably isn't as far from the truth as we think.

Part of it is that they pretty much have to spend their budget, or it'll get reduced during the next cycle.

The other thing is, lets say that they rip out all the HD's and RAM in order to auction off the hardware... well, someone has to do that, someone has to file a bunch of paperwork (in triplicate, everything is in triplicate), someone else is going to file the paperwork that's just been generated, someone else has to make sure the HD's & RAM get destroyed, more paperwork...

The costs can snowball very quickly. It may seriously be cheaper to de-mill the stuff and buy it again.

Re:Missing guide?

[Motherfucking+Shit]

Where is the guide for linux?

Right here.