Slashdot Mirror
NSA Releases Open Source Security Tool For Linux
Earthquake Retrofit writes: The NSA's systems integrity management platform — SIMP — was released to the code repository GitHub over the weekend. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies. "By releasing SIMP, the agency seeks to reduce duplication of effort and promote greater collaboration within the community: the wheel would not have to be reinvented for every organisation," the NSA said in a release.
I'm installing this thing right away!
NSA, patch all vulnerabilities of Linux you know. That's all.
Why does the National Sheep Association in the UK do so much with computer security. Or is this the American NSA?
PIMP
It follows on the heels of another open-source effort from the NSA, aimed at penetration testing of large information silos. Secure Network Operator With Database Encryption Node has been shared internationally, with Russia and China actively pursuing forks and development of the tool.
Is it a cover of 2 Guys N the Parque track?
SIMP
Would you like this software from an untrusted provider to make changes to your computer? I would stay mile away from this, or at least inspect extremely carefully what the code does. It might include some very subtle backdoor.
...fnar fnar
Now that my slashdot user name is also a NSA acronym I probably have to add a disclaimer to each post saying "This is just a text message, it is perfectly safe to parse this input". Then again some paranoid people might think that this is exactly what the NSA wants you think.
Long ago, they released configuration steps and tools to lock down windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.
They did the same thing with XP, iirc.
It makes sense. It's useful for the NSA to keep computers secure from script kiddies. Doesn't matter to them -- they break into routers, not computers, for the most part :o
And now that I think about it, long before that they gave stronger constants for DES when it was originally proposed. They didn't say why their constants were better, but it was later shown to be stronger.
Still, until the NSA really stands for Security and not spying, I think most of us will only touch this with a ten foot pole.
Time is what keeps everything from happening all at once.
Just like SELinux, right?
Ignorant people are ignorant. News at 11. Blah blah.
I've got nothing to hide!! Still, do you seriously expect everyone to incorporate NSA back doors into their systems just on their say so?
Time is what keeps everything from happening all at once.
My router is a computer, you insensitive clod!
Yeh right... NSA shortened the key length from 128 to 56 bits making it a $20 million computer needed to crack a key by brute force.
https://en.wikipedia.org/wiki/Data_Encryption_Standard
So they chose S boxes that were more resistant to a particular attack they knew, (but had asked IBM to keep secret because it could be used against many encryption schemes) and also made DES weaker by shortening the key length. Weaker till someone with $20 million could crack it. i.e. themselves and other major countries and major corps back in the 1970s.
And of course computers progressed making it trivial to crack and abandoned.
My computer is a router, YOU insensitive clod!
Stronger for everyone except them, perhaps.
They did something similar, put a couple of specific constants, into the Dual_EC_DRBG random number generator. It was later shown that they amounted to a skeleton key - if you knew the numbers used to derive the constants, you could predict the future output of a given RNG instance with only a small amount of sample data. So any encryption based on Dual_EC_DRBG could be considered to be broken by the NSA (somewhat conveniently, in a way that only the NSA could actually prove).
Despite the poor performance of this algorithm which lead most implementers to ignore it, it managed to end up as the default in the product of one of the most trusted vendors, RSA. There was speculation that the NSA bribed them to make this design choice. [1]
Unsurprisingly, it was withdrawn from the standard in 2014.
[1] The only comment on that story makes the same point - that the NSA, in the past, had reinforced weaknesses in DES. In the light of the later evidence about Dual_EC_DRBG, that may bear further examination - if the change was the tweaking of constants, it's entirely possible that this reinforced the standard for everyone but the NSA.
Yes, it definitely makes sense for government computers.
But the next question is : does it make sense for any personal computer ? Of course not. SIMD is largely based on puppet (who wants to be NSA's puppet ? :-)) which only makes sense for sysadmin to keep control over workstations.
Other governments or organization could have found find this project helpful, but the cost in reading every single line of code (because, you know, it's the NSA) completely kills the interest of reusing someone else' effort.
but there may be a pony at the other end.
The NSA has made a number of useful contributions to computing. I can't think of any right now.
[some time later] I still can't think of any. Oh wait, they dedicated resources to this.
I'll take a look. Maybe it's like watching COPS - you know it's slanted and mostly bullshit, and that in itself is useful information (unless you're the clicketty type fool).
SELinux, is useful. Of course there are any number of people who believe otherwise, but I'd rather build security on facts than unsubstantiated beliefs (even cathedrals aren't made from wishful thunking).
That'd be your cue, oh psychic leaders of the Aquarian Awakeninging (troofers, DogCow and others), to put your money where your mouth is - then you can grin, and I'll modify my "beliefs". Sounds like a fair trade to me.
security software from the biggest spy organization in the world that have violated the law in order to spy on EVERY us citizen,
no thanks, the NSA is going to have to continue spying on me the old fashioned way
Politics is Treachery, Religion is Brainwashing
Long ago, they released configuration steps and tools to lock down windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.
That's the interesting part about NSA. While they generally are dickheads who can eavesdrop anything anywhere, they also have bunch of security geniuses, as smart as John Carmack, who have exceptional skills making extremely robust hardened systems and taking security to a completely new level.
I hate to say this but they are damned clever. Too clever for their own good. I almost, sort of, wish they were inept and had agents like The Pink Panther. *sighs* Anyhow, I have been poking at Linux a lot lately so I have a bunch of boxed with a variety of distros on them and a VM of pretty much every one of the top 20 (from distro watch) images installed and able to be run. I am no guru, by any means, but I will read the code and do an install later. I have a second DSL line so I can keep it off my home network. I will rattle it and see what shakes out but no promises.
"So long and thanks for all the fish."
...but not safe to use. Since this is open source its doubtful there is any malicious code, though the jury is still out on that fact...doubtful anyone who knows anything about IT and the NSA would be jazzed about the release of something like this. I'd be more suspicious of this purposefully overlooking the stealthier ways they have of accessing networks that may not be widely known. 'Cause if this was found to have backdoors or whatever else the ~10% of tech-knowledgeable people who don't already mistrust them might grow to about ~11%. Really, anyone who didn't already not trust them...even if this tool turned the machine it ran on into a direct line to Fort Meade they wouldn't think much of it- they probably are pretty set in their patriotic mindset.
(Or whatever the equivalent is for your distro).
Shows anything?
Watch this Heartland Institute video
My computer is the clod
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
Avoid duplication? That's not how government rolls!
Well, I guess they will spend the savings on some other stimulus jobs program instead rather than reduce the deficit a microgram.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
There's a lot of "they're just trying to backdoor you" type talk. For those who didn't bother to look at the code repos -> it's almost entirely Puppet manifests, not code.
Blessed be he who reads this post, Cursed be he who tells my boss.
SIMP = Single Instruction Multiple Penetration?
It is good to see them using low level parallelism.
I would like to see an audit on this, before I would want to start using it. The NSA has never been particularly interested in letting others have secure systems.
I agree, the revelations over how much the NSA has been undermining it really has made more people in IT start taking security seriously.
Only if you are dumb.
This is Open Source from the NSA every security deeb on the planet will tear into it hopping to get a paper out of some exploit and big consulting contracts.
Odds are really good it is rock solid.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
My router IS a computer.
I've got a lot to hide, so does everyone else. That doesn't mean it's any of the NSA's business.
And there are hundreds of Scandinavian teenagers who can break through anything the NSA creates.
It's safe, secure, trustful, dependable. Would we lie to you?
Small Print: If you do not install our software you may notice black SUVs with tinted windows and antenna arrays on the roof parked outside your house, they may knock on your door (or not) and offer to check your electronic equipment free of any charges. Our technicians may call you identifying themselves as "This is Windows calling" to help you better secure your equipment.
Yeah, but in the case of DES, it was actually proven many, many years later that they picked constants that really were just for improved strength. IBM knew about that too, as it turns out, but the NSA muzzled them and got them to shut up on *why* those were the best constants.
Surprising, but it really does seem like DES was them just trying to help improve US security.
The Github link in the summary isn't to the code.
https://github.com/simp
Facebook, twitter, google mail, linkedin, etc...
Why do you believe anyone cares about encryption to care about a backdoor?
The NSA has a couple of departments. One wants to secure computers. The other to break in. Thankfully, because they are different fiefdoms, we can get actual information on how to secure things from that one group.
And yeah, the NSA can access pretty much any information it wants on me already. Why would it even want to waste it's time looking at my computer. They know more about me than my computer does.
Your ad here. Ask me how!
I suspect the reasons is the s-box numbers help with an ECC/parity like feature that weakens things that has been known for more than 4 decades, at least to some people.
Hack your friendly crypto program that does des/aes/whatever to dump out s-box state at the end of each round and ask your self why are some bits always in a known state for a given key every so many rounds. Then ask can this be used to do an inside-out attack and then ask why is there only one non-s-box related cypher in TLS 1.1 and 1.2 and they aren't the same.
Then sleep well at night knowing your crypto is safe.
I suggest we all become collaborators and inject lots of back doors...
Reap what you sow bitches
The NSA has two sides, and two primary missions. One of those is signals intelligence, the other is communications security/information assurance. These are in separate directorates within NSA, so it's not the same people working on them, even if they both ultimately work for the same senior executives when you go far enough up the chain. The Comsec/IA folks are responsible for making sure the communications/networks/etc of the U.S. government/military are secure.
The problem is that these two things are in conflict, even moreso now that the entire world is on the same platform/architecture as opposed to the old days, when everyone had their own crypto machines (like the Germans using ENIGMA in WW2, etc). You find a vulnerability - do you patch it to protect yourself, or exploit it? I have no insight into how they make that decision, or who does, but if I had to guess, in the post 9/11 world the intelligence side probably has had the upper hand.
Anyway, it's important to remember that there IS a 'benign' side of NSA that does stuff like this, SELinux, etc. The fact that it's open source means you can look at the code yourself and review it. Could they hide something in there? Possibly. Would they? Not likely, especially if this is something they expect other government agencies to use.
Long ago, they released configuration steps and tools to lock down windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.
They did the same thing with XP, iirc.
It makes sense. It's useful for the NSA to keep computers secure from script kiddies. Doesn't matter to them -- they break into routers, not computers, for the most part :o
But you can bet this won't close holes that the rest of 5 eyes needs. If GCHQ, ASIS, NZSIS or CSIS are using some vulnerability the NSA wouldn't be doing their jobs if they blocked it.
In the free world the media isn't government run; the government is media run.
Only if you are dumb.
This is Open Source from the NSA every security deeb on the planet will tear into it hopping to get a paper out of some exploit and big consulting contracts.
Odds are really good it is rock solid.
It won't have backdoors; it'll have omissions. The NSA will have had this approved by the rest of 5 eyes (Canadian, Australian, New Zealand and British spy agencies) and will have taken great care to make sure that it doesn't fix security holes that they want left open.
In the free world the media isn't government run; the government is media run.
Not to be pedantically off topic, but I think you mean you wish their agents were more like Inspector Clouseau. Unless you meant that you wish the agents were debonair idle-rich types who do sigint simply for the thrills?
If true.
1. Those are already open.
2. It does improve security by closing other holes.
So why not use it?
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
If true.
1. Those are already open.
2. It does improve security by closing other holes.
So why not use it?
False sense of security
In the free world the media isn't government run; the government is media run.
NIST also has directions for locking down popular operating systems. They are intended for government use (FISMA compliance), and tend to be obvious in some places, but it gives a good guide, even for newer operating systems like Windows 8.1 and RedHat 7.x.
SELinux, although not infallible is another solid tool. If something manages to get context as the webserver, then use an exploit to run as root, it still only has the webserver's access and can't leave the directories where those files are.
I'm just glad -someone- is taking the steps to spend money and help contribute to overall Internet security. Not many private companies would take the time to do this unless it was needed for PR.
So it is better to leave the exploits that it does close open?
Now this is heading into crazytown.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
and had agents like The Pink Panther.
You wish their agents were like large pink diamonds? The agent was Inspector ("Chief Inspector!") Clouseau, The Pink Panther was the diamond in the first and fourth movies. The second Clouseau moview was "A Shot in the Dark", the third "Inspector Clouseau", the diamond reappears (or re-disappears) in "The Return of the Pink Panther", after which they reverted to using Pink Panther in Clouseau movies whether or not the diamond (and The Phantom) was involved.
(ok, pedant mode off)
Or that security tool the guys at RBN released.
Decisions, decisions...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Close the exploits yourself. Why do you need help from nsa?
Long ago, they released configuration steps and tools to lock down windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.
The key phrase here being long ago.
Long ago was when they could be trusted.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
every sysadmin I talk to disables selinux.
you tout that as a GOOD solution to security? *laughs*
--
"It is now safe to switch off your computer."
you are far too trusting; and you have zero reason to trust thives and robbers and villians.
go ahead and trust the spooks. hey, enjoy! ignorance is bliss.
but to trust anyone from those orgs, now that we truly know the mentality of those in control, THAT's what the definition of crazy-talk is.
zero cred. sorry, but anything from the spooks is untrustable and probably always has been. the fact that they act like they are trying to 'help' just makes matters even worse.
and the old chestnut about 'but its open source!' means nothing. how many of us are truly qualified to read and understand well-crafted back-door and unsafe code? given how many security breaks we have in every bit of running code mankind has ever written, I would say that almost no one can truly be sure that the source you are reading is really safe and has no ill side-effects. systems are very complex. even experts can be fooled; and with agencies that have more money than god, they can afford to hire and retain the 'best' (and most evil) minds in existence.
go ahead and trust them. but I won't. not in a million years.
--
"It is now safe to switch off your computer."
Doesn't really matter much what they intend this time versus what they corruptly intend every other time. "The Boy Who Cried Wolf", https://en.wikipedia.org/wiki/..., I seem to need to include a link to teach the story, once you get caught out telling lies and deceiving people, no matter how much you try to help there in after, people no longer believe anything you have to say and ignore you.
Kind of way, WAY, too late for that corrupt organisation, to help secure anything in any way shape of form, no one is going to believe anything they say or do, and with sound reason. So a complete waste of time and money for that organisation to help secure anything. First requirement of security is TRUST, the NSA has none and everyone knows they will more readily lie to you than tell you the truth and that's not a little bit more but orders of magnitude more.
Chaos - everything, everywhere, everywhen
It is okay (as was the AC above you) and was a good spotting. I should have thought a bit more but I did not.
"So long and thanks for all the fish."
Their mandated function is to bolster national security through spying using both SIGINT and HUMINT. Questioning their activities in the US domestic space may be warranted but all foreign activities are fair game. And if they only released an executable it might be prudent to not install it. However, they released the source code to the world at large. And this particular tool is for companies and organizations that provide contracted services to the NSA and need to satisfy a certain level of security awareness before they are granted a contract.
every sysadmin I talk to disables selinux.
you tout that as a GOOD solution to security? *laughs*
They do that because they're bad at system administration and because SELinux mandatory access policies are an absolute beast to configure properly. So the default procedure for the lazy is to simply disable the security software that's "getting in the way".
They aren't different fiefdoms anymore. They haven't been for about a decade. That's the whole problem.
Not HUMINT. Never was.
Maybe they do It because when something is complicated even when you know It it's dangerous for security after all. Expecially when other staf members are not used with the technology and you're the one getting called late at night.