Spinoffs From Spyland: How Some NSA Technology Is Making Its Way Into Industry

← Back to Stories (view on slashdot.org)

Spinoffs From Spyland: How Some NSA Technology Is Making Its Way Into Industry

Posted by timothy on Saturday March 22, 2014 @10:46PM from the from-the-minds-at-huawei dept.

An anonymous reader writes with this news from MIT's Technology Review: "Like other federal agencies, the NSA is compelled by law to try to commercialize its R&D. It employs patent attorneys and has a marketing department that is now trying to license inventions ... The agency claims more than 170 patents ... But the NSA has faced severe challenges trying to keep up with rapidly changing technology. ... Most recently, the NSA's revamp included a sweeping effort to dismantle ... 'stovepipes,' and switch to flexible cloud computing ... in 2008, NSA brass ordered the agency's computer and information sciences research organization to create a version of the system Google uses to store its index of the Web and the raw images of Google Earth. That team was led by Adam Fuchs, now Sqrrl's chief technology officer. Its twist on big data was to add 'cell-level security,' a way of requiring a passcode for each data point ... that's how software (like the infamous PRISM application) knows what can be shown only to people with top-secret clearance. Similar features could control access to data about U.S. citizens. 'A lot of the technology we put [in] is to protect rights," says Fuchs. Like other big-data projects, the NSA team's system, called Accumulo, was built on top of open-source code because "you don't want to have to replicate everything yourself," ... In 2011, the NSA released 200,000 lines of code to the Apache Foundation. When Atlas Venture's Lynch read about that, he jumped—here was a technology already developed, proven to work on tens of terabytes of data, and with security features sorely needed by heavily regulated health-care and banking customers.'"

44 comments

Min score:

Reason:

Sort:

No Such Agency is trying to by invictusvoyd · 2014-03-22 22:55 · Score: 0, Offtopic

commercialize no such technology . hmmm ..
1. Re:No Such Agency is trying to by Anonymous Coward · 2014-03-23 11:09 · Score: 0
  
  I wonder whose computers they stole this R&D from?
Defund the NSA NOW by LookIntoTheFuture · 2014-03-22 23:02 · Score: 1, Troll

Similar features could control access to data about U.S. citizens.
Defund the NSA NOW. It is an abomination of what it was supposed to be and it is morally wrong for them to be doing what they are doing.

A lot of the technology we put [in] is to protect rights
Trust in you is gone. A promise like this is laughable.

--
Brave Sir Robin ran away. ("No!") Bravely ran away away. ("I didn't!")
stovepiping by Gravis+Zero · 2014-03-22 23:35 · Score: 2

i suspected but looked it up anyway.

A stovepipe is a system created to solve a specific problem

--
Anons need not reply. Questions end with a question mark.
1. Re:stovepiping by Marrow · 2014-03-23 02:02 · Score: 2, Informative
  
  Stovepiping was a technique used to arrive at a specific desired answer regardless of the facts. Gaming the system to get it to sign off on the wrong answer.
2. Re:stovepiping by davester666 · 2014-03-23 04:27 · Score: 1
  
  Sounds like that's the system you want to implement for law enforcement.
  
  --
  Sleep your way to a whiter smile...date a dentist!
3. Re:stovepiping by Anonymous Coward · 2014-03-23 04:40 · Score: 0
  
  What the fuck? All of its inventions should be available to anyone who wants to use them. There should be no patents or commercialization.
4. Re:stovepiping by cold+fjord · 2014-03-23 06:13 · Score: 3, Informative
  
  Stovepipes are what emerges when you keep building single purpose systems without integrating them, and often with no thought of integration. It doesn't tend to be a good thing since related data can exist in different systems with no easy way to relate it. It has historically been a real problem in both government and industry.
  In short your answer is pure BS, or as you put it, "a specific desired answer regardless of the facts."
  
  --
  much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
5. Re:stovepiping by Anonymous Coward · 2014-03-24 01:09 · Score: 0
  
  a stovepipe is a pipe coming out of a stove.
  an analogy is a comparison between two things, typically on the basis of their structure and for the purpose of explanation or clarification.
Software licence change by Anonymous Coward · 2014-03-22 23:39 · Score: 1, Insightful

A modification to popular open-source software licenses that prohibits using the licensed software for surveillance would be nice.
1. Re:Software licence change by Antique+Geekmeister · 2014-03-23 03:24 · Score: 2
  
  This is infeasible. Network tools like "tripwire" have powerful, legitimate uses.
Not trustworthy by Anonymous Coward · 2014-03-22 23:39 · Score: 0, Insightful

The NSA has proven that it cannot be trusted, nor can be its code or official information coming from this agency. They are a bunch of liars.
1. Re:Not trustworthy by Anonymous Coward · 2014-03-23 02:05 · Score: 0
  
  It is code they used themselves. Are you saying they lied to themselves and tried to hack themselves? That is a special kind of stupid even for Slashdot.
  They built and used the code and decided to give back to the open source community. You know, like everyone here keeps claiming they want businesses and government to do?
2. Re: Not trustworthy by Anonymous Coward · 2014-03-23 02:22 · Score: 0
  
  It is code they used themselves.
  No, it is code they SAY they used themselves. The Greek army SAYS they used that wooden horse they left just in their camp, and it brought them luck.
Time for a code review? by Gravis+Zero · 2014-03-22 23:42 · Score: 4, Insightful

In 2011, the NSA released 200,000 lines of code to the Apache Foundation.
it may be time for people to start looking for the backdoors that the NSA may have put into Apache.

--
Anons need not reply. Questions end with a question mark.
1. Re:Time for a code review? by LookIntoTheFuture · 2014-03-23 01:13 · Score: 3, Interesting
  
  In 2011, the NSA released 200,000 lines of code to the Apache Foundation.
  it may be time for people to start looking for the backdoors that the NSA may have put into Apache.
  You know what scares me most? Code obfuscation.
  
  --
  Brave Sir Robin ran away. ("No!") Bravely ran away away. ("I didn't!")
2. Re:Time for a code review? by Anonymous Coward · 2014-03-23 01:28 · Score: 0
  
  Or they could simply discard the code from the NSA on security / espionage grounds.
3. Re:Time for a code review? by VortexCortex · 2014-03-23 03:10 · Score: 5, Insightful
  
  Or they could simply discard the code from the NSA on security / espionage grounds.
  The code that is obviously the NSA's contribution is not the back door. The back door likely would leverage some edge case created by their contributions, or another part of the system altogether while the NSA part is fully legit. Attributing the secret agencies goodwill is a huge part of disinformation and image management to convince people to accept the FBI & NSA anti-activism campaign.
  Perhaps it would be something like this:
  // Change the file permission. if ( option == CHANGE_OWNER && sessionState == VALID && user = ROOT ) { // ... } // Current user is now root priveledged.
  A single equal char is missing, it looks like it could be a legitimate mistake. Perfect plausible deniability. Such would be contributed by someone else who seems innocuous. Perhaps even by a change nearby which happens to change the formatting or constant name, and thus the logic change is easier to miss.
  Point being, it really doesn't matter either way. They won't admit to all the shit they do, and have a long history of being against the populace, even committing illegal acts. So, the only answer is to demand eradication of secrecy in governance. Otherwise the people can never know whether their government is or is not operating in the best interest of citizens. We shouldn't have to wonder if their concern is just lies to manufacture consent for a more draconian dystopia; We should be able to prove our governments are not acting against us.
4. Re:Time for a code review? by cold+fjord · 2014-03-23 04:22 · Score: 3, Interesting
  
  In 2011, the NSA released 200,000 lines of code to the Apache Foundation.
  it may be time for people to start looking for the backdoors that the NSA may have put into Apache.
  I'm sure you wouldn't want another "disaster" like SELinux (also from NSA) would you?
  
  --
  much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
5. Re:Time for a code review? by ToasterMonkey · 2014-03-23 06:31 · Score: 1
  
  In 2011, the NSA released 200,000 lines of code to the Apache Foundation.
  it may be time for people to start looking for the backdoors that the NSA may have put into Apache.
  When a /. post conflating Apache Foundation and Apache HTTP Server gets moderated up highly "Insightful", a hacker dies.
  Nobody has ever thought of scouring httpd, the "The Number One HTTP Server On The Internet", the most common application you'll find exposed directly to the Internet, for back doors or security vulnerabilities. No, nobody never thought of that, thanks for your insightful comment.
6. Re:Time for a code review? by Anonymous Coward · 2014-03-23 07:31 · Score: 0
  
  "The Apache Foundation" != Apache the web server.
  The code was the Accumulo code base.
  Way to moderate this "Insightful" Slashdot.
7. Re:Time for a code review? by Anonymous Coward · 2014-03-23 07:38 · Score: 0
  
  "...the only answer is to demand eradication of secrecy in governance."
  This will never be the answer. Governments, like cops, will tell you anything and then do anything. The only answer is for YOU to get and setup the means to protect YOURSELF.
InfoTourettes announce partnership with the NSA! by Hal_Porter · 2014-03-22 23:42 · Score: 1

http://news.slashdot.org/comme...

--
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
New and improved!!! by Anonymous Coward · 2014-03-23 00:04 · Score: 1

Apache(TM) ......Now with 47% more backdoors!! Brought to you by the fine folks at the NSA's Tailored Access Program!
"the NSA is compelled by law" by Anonymous Coward · 2014-03-23 00:13 · Score: 5, Funny

Yes, in the same way that my cat is compelled by my commands.
WTF by fullback · 2014-03-23 00:40 · Score: 1

Patent attorneys and a marketing department?
It has to be true because you can't make up shit like this.
So what? by russotto · 2014-03-23 01:07 · Score: 3, Insightful

Spinoffs from Nazi technology got us to the moon. That some good can come out of evil does not make the evil less evil.
1. Re:So what? by thoth · 2014-03-23 09:25 · Score: 2
  
  How is heck is this insightful?
  I thought Slashdot was the bastion of "technology is inherently neutral; anything can be used for various purposes and that doesn't make them bad". See previous argument as applied to guns, encryption, laser pointers, chemistry, hell scientific progress in general.
SELinux by Anonymous Coward · 2014-03-23 01:12 · Score: 0

Don't forget the only really useful thing done by the NSA to improve computer security: Mandatory Access Control in Security Enhanced Linux.
1. Re: SELinux by Anonymous Coward · 2014-03-23 04:15 · Score: 0
  
  There's a reason real sysadmins don't use selinux. It's from the NSA.
break laws but not licenses? by morethanapapercert · 2014-03-23 02:07 · Score: 2, Interesting

Let me get this straight; the NSA (and the other three letter agencies it serves) are willing to blatantly and flagrantly violate the US Constitution, US law, international treaties, the trust of US allies and probably even the boy scout oath along the way, but it heeds the open source licensing model???
I think there are a few problems with this:
Like others have posted, the open source community is going to have to look at the released code very very carefully. The public has to assume that the NSA will include backdoors or obscure weaknesses if at all possible.
The other half of this is how in the hell this release of code passed any internal security review in order to have the release authorized. If *I* were in charge of an intelligence agency, I certainly would use Open Source code when and where practical, but I would NOT submit my code to any third party external to my nations intelligence community. My reasoning is that any code my organization released could be used as clues to figure out my agencies capabilities and current operations. Even something as seemingly innocuous as the code for mandatory access restrictions could be helpful to an enemy because analysis of it would at least allow the enemy to rule out certain forms of attack.
Oh sure, you could make the argument that releasing better code to the world makes everybody using that code base safer, depriving malicious agents of any existing exploits they have in their tool kits and that was probably among the reasons the NSA based its decision on. The problem I have with that argument is that, in other areas the NSA has proven that it is willing to deliberately weaken code that is in public use so as to add to their own tool kits. To fix existing weaknesses while also deliberately creating others seems illogical and self defeating to me...

--
I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
1. Re:break laws but not licenses? by Antique+Geekmeister · 2014-03-23 03:15 · Score: 2
  
  > Like others have posted, the open source community is going to have to look at the released code very very carefully. The public has to assume that the NSA will include backdoors or obscure weaknesses if at all possible.
  And look for licensing violations. Various "open source" license models allow modifying and republishing software without publishing your modifications. But if they inserted back doors into, for example, GPL licensed software without publishing the back doors, they'd be violating the software licenses.
2. Re:break laws but not licenses? by ahabswhale · 2014-03-23 08:11 · Score: 1
  
  I hate to break this to you but the vast majority of what the NSA does is perfectly legal. Don't blame the NSA for the PATRIOT act and other absurd privacy violating laws. And feel free to educate me on what treaties they've violated.
  
  --
  Are agnostics skeptical of unicorns too?
3. Re:break laws but not licenses? by thoth · 2014-03-23 09:57 · Score: 1
  
  >violate the US Constitution, US law, international treaties, the trust of US allies
  Dude, they are an intelligence agency, what the fuck do you think they do? Except the constitutional violation part, that should be reigned in. Violate treaties and trust? Hello are you that naive? If you want to get all butthurt about US violations, start with the wars in Iraq and Afghanistan, which killed thousand, pissed away trillions, and had us take a dump on the world. That an intel agency is developing exploits - this confuses you?
  I'm not sure you'll get that much out of studying the Accumulo source code, honestly. Secure coding practices have been widely knows for decades at this point, and it isn't as if they've got some magic way to call sprintf() securely, that nobody else has figured out.
  High performance data storage and retrieval? So basically they are interested in dealing with lots of data? I could have told you that without bothering to look at Accumulo (and I haven't). Where their magic lies isn't in the software, it is the DATA, which they aren't releasing (obviously) and don't want to talk about gathering.
  It isn't as if they are giving out do_mitm_attack.a or break_encryption.dll.
  >To fix existing weaknesses while also deliberately creating others seems illogical and self defeating to me...
  Makes perfect sense to me. Think of the low hanging fruit theory. Fix a weakness that adversaries and script kiddies can find (thus, the weakness has no actual long term value) and create ones that take nation-state levels of effort to get.
I must have missed that law: by king+neckbeard · 2014-03-23 04:35 · Score: 1

Like other federal agencies, the NSA is compelled by law to try to commercialize its R&D.
The closest thing I'm aware of is Bayh-Dole, which applies to grants from non-federal agencies. Such a policy would seem contrary to our philosophy on copyright regarding federal entities, which prohibits them from obtaining copyright on works created by the US government. I realize that copyright and patents are two different entities, but they have very similar intentions in their constitutional basis.

--
This is my signature. There are many like it, but this one is mine.
Whose rights does the NSA protect? by buybuydandavis · 2014-03-23 05:51 · Score: 1

" 'A lot of the technology we put [in] is to protect rights," says Fuchs.
Yeah, their right to read our data, and their right to control *who* gets to read our data.
Anyone else notice the typo in their spokesman's name, Fuchs Yu?
No, my definition is based on how the word is by Marrow · 2014-03-23 06:47 · Score: 1

being used by the press to describe how intelligence was mishandled in the run-up to the Iraq war. In that context, it was being used interchangeably with the phrase "cherry picking" to describe gaming the system to get the desired result.
1. Re:No, my definition is based on how the word is by cold+fjord · 2014-03-23 07:11 · Score: 1
  
  Two things. First, "stovepipes" has decades of use in describing the sort of IT systems mentioned in the article.
  Second, as far as I can see even when used in reference to intelligence it tends to be used in a generally similar manner, not as "cherry picking."
  There are several examples in the Wikipedia article and they don't appear to support your usage. One might "cherry pick" data from a "stovepipe," but that isn't necessarily implied as far as I see.
  
  Stovepiping (also stove piping) is a metaphorical term which recalls a stovepipe's function as an isolated vertical conduit, and has been used, in the context of intelligence, to describe several ways in which raw intelligence information may be presented without proper context. It is a system created to solve a specific problem. The lack of context may be due to the specialized nature, or security requirements, of a particular intelligence collection technology. It also has limited focus and data within is not easily shared.
  
  --
  much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
Licensing? by symbolic · 2014-03-23 07:18 · Score: 1

Why should the government be licensing anything (the NSA no less)? It is not a commercial enterprise. Furthermore, it seems like the "technologies" at stake would be those that facilitate the kinds of illegal and unconstitutional activities that have been going on, unchecked, until Snowden exposed them.
Permission patents? by Anonymous Coward · 2014-03-23 08:14 · Score: 0

Obvious patents are the least of the worries when it comes to the NSA, but no doubt this is part of their larger plan with dreams of having secure software illegal due to patent violations so the only option will be their backdoored versions.
open data? by Anonymous Coward · 2014-03-23 09:23 · Score: 0

It's nice if they open source some of their software, but what about the data? Come on, guys. You're doing research with public money, publish your data.