Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Releases Open Source Security Tool For Linux

Posted by samzenpus on from the here-you-go dept.

Earthquake Retrofit writes: The NSA's systems integrity management platform — SIMP — was released to the code repository GitHub over the weekend. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies. "By releasing SIMP, the agency seeks to reduce duplication of effort and promote greater collaboration within the community: the wheel would not have to be reinvented for every organisation," the NSA said in a release.

19 of 105 comments (clear)

  1. Fuck yes! by Anonymous Coward · · Score: 5, Funny

    I'm installing this thing right away!

    1. Re:Fuck yes! by Panoptes · · Score: 5, Funny

      Beware of Geeks bearing gifts.

    2. Re:Fuck yes! by GoonDuIO · · Score: 3, Funny

      Remember to open all ports, the more the merrier!

    3. Re:Fuck yes! by cold+fjord · · Score: 4, Informative

      I'm installing this thing right away!

      You probably have room right next to SELinux

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    4. Re:Fuck yes! by Big+Hairy+Ian · · Score: 4, Interesting

      Actually my first thought was how will hackers use this tool ti identify and exploit security issues in vulnerable sites. As ever any tool used to increase security can be used to exploit it.

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    5. Re:Fuck yes! by behrooz0az · · Score: 5, Funny

      Kexit, He uses KDE.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  2. This makes sense. by Anonymous Coward · · Score: 5, Funny

    It follows on the heels of another open-source effort from the NSA, aimed at penetration testing of large information silos. Secure Network Operator With Database Encryption Node has been shared internationally, with Russia and China actively pursuing forks and development of the tool.

  3. That's just great.. by simp · · Score: 5, Funny

    Now that my slashdot user name is also a NSA acronym I probably have to add a disclaimer to each post saying "This is just a text message, it is perfectly safe to parse this input". Then again some paranoid people might think that this is exactly what the NSA wants you think.

  4. The NSA has done several things to help security by bugnuts · · Score: 4, Informative

    Long ago, they released configuration steps and tools to lock down windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.

    They did the same thing with XP, iirc.

    It makes sense. It's useful for the NSA to keep computers secure from script kiddies. Doesn't matter to them -- they break into routers, not computers, for the most part :o

  5. Re:The NSA has done several things to help securit by bugnuts · · Score: 5, Informative

    And now that I think about it, long before that they gave stronger constants for DES when it was originally proposed. They didn't say why their constants were better, but it was later shown to be stronger.

  6. Re:The NSA has done several things to help securit by EzInKy · · Score: 4, Insightful

    Still, until the NSA really stands for Security and not spying, I think most of us will only touch this with a ten foot pole.

    --
    Time is what keeps everything from happening all at once.
  7. They SHORTENED the key length by Anonymous Coward · · Score: 3, Informative

    Yeh right... NSA shortened the key length from 128 to 56 bits making it a $20 million computer needed to crack a key by brute force.

    https://en.wikipedia.org/wiki/Data_Encryption_Standard

    So they chose S boxes that were more resistant to a particular attack they knew, (but had asked IBM to keep secret because it could be used against many encryption schemes) and also made DES weaker by shortening the key length. Weaker till someone with $20 million could crack it. i.e. themselves and other major countries and major corps back in the 1970s.

    And of course computers progressed making it trivial to crack and abandoned.

  8. Re:The NSA has done several things to help securit by Dr_Barnowl · · Score: 5, Informative

    Stronger for everyone except them, perhaps.

    They did something similar, put a couple of specific constants, into the Dual_EC_DRBG random number generator. It was later shown that they amounted to a skeleton key - if you knew the numbers used to derive the constants, you could predict the future output of a given RNG instance with only a small amount of sample data. So any encryption based on Dual_EC_DRBG could be considered to be broken by the NSA (somewhat conveniently, in a way that only the NSA could actually prove).

    Despite the poor performance of this algorithm which lead most implementers to ignore it, it managed to end up as the default in the product of one of the most trusted vendors, RSA. There was speculation that the NSA bribed them to make this design choice. [1]

    Unsurprisingly, it was withdrawn from the standard in 2014.

    [1] The only comment on that story makes the same point - that the NSA, in the past, had reinforced weaknesses in DES. In the light of the later evidence about Dual_EC_DRBG, that may bear further examination - if the change was the tweaking of constants, it's entirely possible that this reinforced the standard for everyone but the NSA.

  9. Re: National Sheep Association? by chill · · Score: 5, Funny

    The National Sheep Association focuses more on the "penetration testing" side of security, if you know what I mean.

    --
    Learning HOW to think is more important than learning WHAT to think.
  10. so i am supposed to trust this thing? by FudRucker · · Score: 4, Interesting

    security software from the biggest spy organization in the world that have violated the law in order to spy on EVERY us citizen,

    no thanks, the NSA is going to have to continue spying on me the old fashioned way

    --
    Politics is Treachery, Religion is Brainwashing
  11. Most of it isn't code... by Loco3KGT · · Score: 4, Informative

    There's a lot of "they're just trying to backdoor you" type talk. For those who didn't bother to look at the code repos -> it's almost entirely Puppet manifests, not code.

    --
    Blessed be he who reads this post, Cursed be he who tells my boss.
  12. Re:The NSA has done several things to help securit by LWATCDR · · Score: 3, Interesting

    Only if you are dumb.
    This is Open Source from the NSA every security deeb on the planet will tear into it hopping to get a paper out of some exploit and big consulting contracts.
    Odds are really good it is rock solid.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  13. Re:The NSA has done several things to help securit by Anonymous Coward · · Score: 3, Interesting

    Yeah, but in the case of DES, it was actually proven many, many years later that they picked constants that really were just for improved strength. IBM knew about that too, as it turns out, but the NSA muzzled them and got them to shut up on *why* those were the best constants.

    Surprising, but it really does seem like DES was them just trying to help improve US security.

  14. Re:The NSA has done several things to help securit by Actually,+I+do+RTFA · · Score: 3, Interesting

    The NSA has a couple of departments. One wants to secure computers. The other to break in. Thankfully, because they are different fiefdoms, we can get actual information on how to secure things from that one group.

    And yeah, the NSA can access pretty much any information it wants on me already. Why would it even want to waste it's time looking at my computer. They know more about me than my computer does.

    --
    Your ad here. Ask me how!