Slashdot Mirror


NSA Releases Open Source Security Tool For Linux

Earthquake Retrofit writes: The NSA's systems integrity management platform — SIMP — was released to the code repository GitHub over the weekend. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies. "By releasing SIMP, the agency seeks to reduce duplication of effort and promote greater collaboration within the community: the wheel would not have to be reinvented for every organisation," the NSA said in a release.

33 of 105 comments

  1. Fuck yes! by Anonymous Coward · · Score: 5, Funny

    I'm installing this thing right away!

    1. Re:Fuck yes! by Panoptes · · Score: 5, Funny

      Beware of Geeks bearing gifts.

    2. Re:Fuck yes! by jandersen · · Score: 2

      Well, say what you will, it IS a strangely appropriate name: SIMP, all considered.

    3. Re:Fuck yes! by GoonDuIO · · Score: 3, Funny

      Remember to open all ports, the more the merrier!

    4. Re:Fuck yes! by cold+fjord · · Score: 4, Informative

      I'm installing this thing right away!

      You probably have room right next to SELinux

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    5. Re:Fuck yes! by Big+Hairy+Ian · · Score: 4, Interesting

      Actually my first thought was how will hackers use this tool to identify and exploit security issues in vulnerable sites. As ever any tool used to increase security can be used to exploit it.

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    6. Re:Fuck yes! by behrooz0az · · Score: 5, Funny

      Kexit, He uses KDE.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  2. The microsoft Windows version is called by invictusvoyd · · Score: 2, Funny

    PIMP

    1. Re:The microsoft Windows version is called by xantonin · · Score: 2

      Don't you mean WIMP?

    2. Re:The microsoft Windows version is called by GoonDuIO · · Score: 2

      On Linux, it shall be named LIMP, on the OSX: Bloody Muppets and Unix: UBERMENSCH.

  3. This makes sense. by Anonymous Coward · · Score: 5, Funny

    It follows on the heels of another open-source effort from the NSA, aimed at penetration testing of large information silos. Secure Network Operator With Database Encryption Node has been shared internationally, with Russia and China actively pursuing forks and development of the tool.

  4. That's just great.. by simp · · Score: 5, Funny

    Now that my slashdot user name is also a NSA acronym I probably have to add a disclaimer to each post saying "This is just a text message, it is perfectly safe to parse this input". Then again some paranoid people might think that this is exactly what the NSA wants you think.

  5. The NSA has done several things to help security by bugnuts · · Score: 4, Informative

    Long ago, they released configuration steps and tools to lock down Windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.

    They did the same thing with XP, iirc.

    It makes sense. It's useful for the NSA to keep computers secure from script kiddies. Doesn't matter to them -- they break into routers, not computers, for the most part :o

  6. Re:The NSA has done several things to help securit by bugnuts · · Score: 5, Informative

    And now that I think about it, long before that they gave stronger constants for DES when it was originally proposed. They didn't say why their constants were better, but it was later shown to be stronger.

  7. Re:The NSA has done several things to help securit by EzInKy · · Score: 4, Insightful

    Still, until the NSA really stands for Security and not spying, I think most of us will only touch this with a ten foot pole.

    --
    Time is what keeps everything from happening all at once.
  8. They SHORTENED the key length by Anonymous Coward · · Score: 3, Informative

    Yeh right... NSA shortened the key length from 128 to 56 bits making it a $20 million computer needed to crack a key by brute force.

    https://en.wikipedia.org/wiki/Data_Encryption_Standard

    So they chose S boxes that were more resistant to a particular attack they knew, (but had asked IBM to keep secret because it could be used against many encryption schemes) and also made DES weaker by shortening the key length. Weaker till someone with $20 million could crack it. i.e. themselves and other major countries and major corps back in the 1970s.

    And of course computers progressed making it trivial to crack and abandoned.

    1. Re:They SHORTENED the key length by mlts · · Score: 2

      DES did serve its purpose, and I'm surprised it has lasted as long as it has without a real break. 3DES is still usable and secure, although the world is slowly moving to 256 bit encryption algos from 128 bit ones.

      These days, if one was wanting to be sure about encrypted data, it might be best to use a cascade, similar to what TrueCrypt does. AES, Threefish, and Serpent would be ideal, since Threefish doesn't use S-Boxes, Serpent has the best security margin of all the former AES candidates, and AES is... well, the standard for the market.

  9. Re:The NSA has done several things to help securit by Dr_Barnowl · · Score: 5, Informative

    Stronger for everyone except them, perhaps.

    They did something similar, put a couple of specific constants into the Dual_EC_DRBG random number generator. It was later shown that they amounted to a skeleton key - if you knew the numbers used to derive the constants, you could predict the future output of a given RNG instance with only a small amount of sample data. So any encryption based on Dual_EC_DRBG could be considered to be broken by the NSA (somewhat conveniently, in a way that only the NSA could actually prove).

    Despite the poor performance of this algorithm which led most implementers to ignore it, it managed to end up as the default in the product of one of the most trusted vendors, RSA. There was speculation that the NSA bribed them to make this design choice. [1]

    Unsurprisingly, it was withdrawn from the standard in 2014.

    [1] The only comment on that story makes the same point - that the NSA, in the past, had reinforced weaknesses in DES. In the light of the later evidence about Dual_EC_DRBG, that may bear further examination - if the change was the tweaking of constants, it's entirely possible that this reinforced the standard for everyone but the NSA.

  10. Re:The NSA has done several things to help securit by Guybrush_T · · Score: 2

    Yes, it definitely makes sense for government computers.

    But the next question is: does it make sense for any personal computer? Of course not. SIMD is largely based on puppet (who wants to be NSA's puppet ? :-)) which only makes sense for sysadmin to keep control over workstations.

    Other governments or organization could have found this project helpful, but the cost in reading every single line of code (because, you know, it's the NSA) completely kills the interest of reusing someone else's effort.

  11. Re: National Sheep Association? by chill · · Score: 5, Funny

    The National Sheep Association focuses more on the "penetration testing" side of security, if you know what I mean.

    --
    Learning HOW to think is more important than learning WHAT to think.
  12. It may be a bucket of manure... by Demonoid-Penguin · · Score: 2

    but there may be a pony at the other end.

    The NSA has made a number of useful contributions to computing. I can't think of any right now.

    [some time later] I still can't think of any. Oh wait, they dedicated resources to this.

    I'll take a look. Maybe it's like watching COPS - you know it's slanted and mostly bullshit, and that in itself is useful information (unless you're the clicketty type fool).

    SELinux, is useful. Of course there are any number of people who believe otherwise, but I'd rather build security on facts than unsubstantiated beliefs (even cathedrals aren't made from wishful thunking).

    That'd be your cue, oh psychic leaders of the Aquarian Awakeninging (troofers, DogCow and others), to put your money where your mouth is - then you can grin, and I'll modify my "beliefs". Sounds like a fair trade to me.

  13. so i am supposed to trust this thing? by FudRucker · · Score: 4, Interesting

    security software from the biggest spy organization in the world that have violated the law in order to spy on EVERY US citizen,

    no thanks, the NSA is going to have to continue spying on me the old fashioned way

    --
    Politics is Treachery, Religion is Brainwashing
  14. Probably Safe To Install... by Guy+From+V · · Score: 2

    ...but not safe to use. Since this is open source it's doubtful there is any malicious code, though the jury is still out on that fact...doubtful anyone who knows anything about IT and the NSA would be jazzed about the release of something like this. I'd be more suspicious of this purposefully overlooking the stealthier ways they have of accessing networks that may not be widely known. 'Cause if this was found to have backdoors or whatever else the ~10% of tech-knowledgeable people who don't already mistrust them might grow to about ~11%. Really, anyone who didn't already not trust them...even if this tool turned the machine it ran on into a direct line to Fort Meade they wouldn't think much of it- they probably are pretty set in their patriotic mindset.

  15. Re:The NSA has done several things to help securit by behrooz0az · · Score: 2

    My computer is the clod

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  16. Re: National Sheep Association? by oobayly · · Score: 2

    And in Australia, Bruce is in charge of the sheep dip.

  17. And that's how we roll! by Impy+the+Impiuos+Imp · · Score: 2

    to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements

    Avoid duplication? That's not how government rolls!

    Well, I guess they will spend the savings on some other stimulus jobs program instead rather than reduce the deficit a microgram.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  18. Most of it isn't code... by Loco3KGT · · Score: 4, Informative

    There's a lot of "they're just trying to backdoor you" type talk. For those who didn't bother to look at the code repos -> it's almost entirely Puppet manifests, not code.

    --
    Blessed be he who reads this post, Cursed be he who tells my boss.
  19. Audit first, trust never! by EagleRider70 · · Score: 2

    I would like to see an audit on this, before I would want to start using it. The NSA has never been particularly interested in letting others have secure systems.

  20. Re:The NSA has done several things to help securit by LWATCDR · · Score: 3, Interesting

    Only if you are dumb.
    This is Open Source from the NSA every security deeb on the planet will tear into it hoping to get a paper out of some exploit and big consulting contracts.
    Odds are really good it is rock solid.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  21. Re:The NSA has done several things to help securit by Anonymous Coward · · Score: 3, Interesting

    Yeah, but in the case of DES, it was actually proven many, many years later that they picked constants that really were just for improved strength. IBM knew about that too, as it turns out, but the NSA muzzled them and got them to shut up on *why* those were the best constants.

    Surprising, but it really does seem like DES was them just trying to help improve US security.

  22. The code... by TFlan91 · · Score: 2

    The Github link in the summary isn't to the code.

    https://github.com/simp

  23. Re:The NSA has done several things to help securit by Actually,+I+do+RTFA · · Score: 3, Interesting

    The NSA has a couple of departments. One wants to secure computers. The other to break in. Thankfully, because they are different fiefdoms, we can get actual information on how to secure things from that one group.

    And yeah, the NSA can access pretty much any information it wants on me already. Why would it even want to waste its time looking at my computer. They know more about me than my computer does.

    --
    Your ad here. Ask me how!
  24. Re:The NSA has done several things to help securit by Fire_Wraith · · Score: 2

    The NSA has two sides, and two primary missions. One of those is signals intelligence, the other is communications security/information assurance. These are in separate directorates within NSA, so it's not the same people working on them, even if they both ultimately work for the same senior executives when you go far enough up the chain. The Comsec/IA folks are responsible for making sure the communications/networks/etc of the U.S. government/military are secure.

    The problem is that these two things are in conflict, even moreso now that the entire world is on the same platform/architecture as opposed to the old days, when everyone had their own crypto machines (like the Germans using ENIGMA in WW2, etc). You find a vulnerability - do you patch it to protect yourself, or exploit it? I have no insight into how they make that decision, or who does, but if I had to guess, in the post 9/11 world the intelligence side probably has had the upper hand.

    Anyway, it's important to remember that there IS a 'benign' side of NSA that does stuff like this, SELinux, etc. The fact that it's open source means you can look at the code yourself and review it. Could they hide something in there? Possibly. Would they? Not likely, especially if this is something they expect other government agencies to use.