Slashdot Mirror
NSA Releases Open Source Security Tool For Linux
Earthquake Retrofit writes: The NSA's systems integrity management platform — SIMP — was released to the code repository GitHub over the weekend. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies. "By releasing SIMP, the agency seeks to reduce duplication of effort and promote greater collaboration within the community: the wheel would not have to be reinvented for every organisation," the NSA said in a release.
Long ago, they released configuration steps and tools to lock down windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.
They did the same thing with XP, iirc.
It makes sense. It's useful for the NSA to keep computers secure from script kiddies. Doesn't matter to them -- they break into routers, not computers, for the most part :o
And now that I think about it, long before that they gave stronger constants for DES when it was originally proposed. They didn't say why their constants were better, but it was later shown to be stronger.
Yeh right... NSA shortened the key length from 128 to 56 bits making it a $20 million computer needed to crack a key by brute force.
https://en.wikipedia.org/wiki/Data_Encryption_Standard
So they chose S boxes that were more resistant to a particular attack they knew, (but had asked IBM to keep secret because it could be used against many encryption schemes) and also made DES weaker by shortening the key length. Weaker till someone with $20 million could crack it. i.e. themselves and other major countries and major corps back in the 1970s.
And of course computers progressed making it trivial to crack and abandoned.
Stronger for everyone except them, perhaps.
They did something similar, put a couple of specific constants, into the Dual_EC_DRBG random number generator. It was later shown that they amounted to a skeleton key - if you knew the numbers used to derive the constants, you could predict the future output of a given RNG instance with only a small amount of sample data. So any encryption based on Dual_EC_DRBG could be considered to be broken by the NSA (somewhat conveniently, in a way that only the NSA could actually prove).
Despite the poor performance of this algorithm which lead most implementers to ignore it, it managed to end up as the default in the product of one of the most trusted vendors, RSA. There was speculation that the NSA bribed them to make this design choice. [1]
Unsurprisingly, it was withdrawn from the standard in 2014.
[1] The only comment on that story makes the same point - that the NSA, in the past, had reinforced weaknesses in DES. In the light of the later evidence about Dual_EC_DRBG, that may bear further examination - if the change was the tweaking of constants, it's entirely possible that this reinforced the standard for everyone but the NSA.
I'm installing this thing right away!
You probably have room right next to SELinux
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
There's a lot of "they're just trying to backdoor you" type talk. For those who didn't bother to look at the code repos -> it's almost entirely Puppet manifests, not code.
Blessed be he who reads this post, Cursed be he who tells my boss.