Slashdot Mirror


NSA Releases Open Source Security Tool For Linux

Earthquake Retrofit writes: The NSA's systems integrity management platform — SIMP — was released to the code repository GitHub over the weekend. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies. "By releasing SIMP, the agency seeks to reduce duplication of effort and promote greater collaboration within the community: the wheel would not have to be reinvented for every organisation," the NSA said in a release.


  1. Fuck yes! by Anonymous Coward · · Score: 5, Funny

    I'm installing this thing right away!

    1. Re:Fuck yes! by Panoptes · · Score: 5, Funny

      Beware of Geeks bearing gifts.

    2. Re:Fuck yes! by cold+fjord · · Score: 4, Informative

      I'm installing this thing right away!

      You probably have room right next to SELinux

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    3. Re:Fuck yes! by Big+Hairy+Ian · · Score: 4, Interesting

      Actually my first thought was how will hackers use this tool to identify and exploit security issues in vulnerable sites. As ever, any tool used to increase security can be used to exploit it.

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    4. Re:Fuck yes! by behrooz0az · · Score: 5, Funny

      Kexit, He uses KDE.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  2. This makes sense. by Anonymous Coward · · Score: 5, Funny

    It follows on the heels of another open-source effort from the NSA, aimed at penetration testing of large information silos. Secure Network Operator With Database Encryption Node has been shared internationally, with Russia and China actively pursuing forks and development of the tool.

  3. That's just great.. by simp · · Score: 5, Funny

    Now that my Slashdot user name is also an NSA acronym I probably have to add a disclaimer to each post saying "This is just a text message, it is perfectly safe to parse this input". Then again some paranoid people might think that this is exactly what the NSA wants you to think.

  4. The NSA has done several things to help security by bugnuts · · Score: 4, Informative

    Long ago, they released configuration steps and tools to lock down Windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.

    They did the same thing with XP, iirc.

    It makes sense. It's useful for the NSA to keep computers secure from script kiddies. Doesn't matter to them -- they break into routers, not computers, for the most part :o

  5. Re:The NSA has done several things to help securit by bugnuts · · Score: 5, Informative

    And now that I think about it, long before that they gave stronger constants for DES when it was originally proposed. They didn't say why their constants were better, but it was later shown to be stronger.

  6. Re:The NSA has done several things to help securit by EzInKy · · Score: 4, Insightful

    Still, until the NSA really stands for Security and not spying, I think most of us will only touch this with a ten foot pole.

    --
    Time is what keeps everything from happening all at once.
  7. Re:The NSA has done several things to help securit by Dr_Barnowl · · Score: 5, Informative

    Stronger for everyone except them, perhaps.

    They did something similar, put a couple of specific constants into the Dual_EC_DRBG random number generator. It was later shown that they amounted to a skeleton key - if you knew the numbers used to derive the constants, you could predict the future output of a given RNG instance with only a small amount of sample data. So any encryption based on Dual_EC_DRBG could be considered to be broken by the NSA (somewhat conveniently, in a way that only the NSA could actually prove).

    Despite the poor performance of this algorithm, which led most implementers to ignore it, it managed to end up as the default in the product of one of the most trusted vendors, RSA. There was speculation that the NSA bribed them to make this design choice. [1]

    Unsurprisingly, it was withdrawn from the standard in 2014.

    [1] The only comment on that story makes the same point - that the NSA, in the past, had reinforced weaknesses in DES. In the light of the later evidence about Dual_EC_DRBG, that may bear further examination - if the change was the tweaking of constants, it's entirely possible that this reinforced the standard for everyone but the NSA.
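
Added illustration, not part of the thread and not code from any commenter or from the standard: a toy generator with the Dual_EC_DRBG structure on NIST P-256, showing why constants of unexplained origin matter. The trapdoor `E`, the seed and all function names are constructed for this example, and the standard's 16-bit output truncation is left out.

```python
# Added illustration on NIST P-256. Constructed: trapdoor E and the seed.
# Simplified: the standard truncated 16 bits per output; omitted here.
p = 2**256 - 2**224 + 2**192 + 2**96 - 1
a = p - 3
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(A, B):  # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        m = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (m * m - x1 - x2) % p
    return (x3, (m * (x1 - x3) - y1) % p)

def mul(k, A):  # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def lift_x(x):  # rebuild a curve point from x; either sign of y works below
    v = (x**3 + a * x + b) % p
    y = pow(v, (p + 1) // 4, p)   # square root, valid because p % 4 == 3
    return (x, y)

Q = G
E = 0xC0FFEE        # constructed trapdoor, known only to whoever chose P
P = mul(E, Q)       # published constant; looks like an arbitrary point

def generate(state, n):  # state <- x(state*P), output = x(state*Q)
    out = []
    for _ in range(n):
        state = mul(state, P)[0]
        out.append(mul(state, Q)[0])
    return out

def predict_next(r):  # holder of E turns one output into the next one
    R = lift_x(r)                  # +/- state*Q
    next_state = mul(E, R)[0]      # x(E*state*Q) = x(state*P)
    return mul(next_state, Q)[0]
```

Feeding the first value of `generate(seed, 3)` to `predict_next` returns the second value without any knowledge of the seed, which is why a reviewer should ask how such constants were generated.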

  8. Re: National Sheep Association? by chill · · Score: 5, Funny

    The National Sheep Association focuses more on the "penetration testing" side of security, if you know what I mean.

    --
    Learning HOW to think is more important than learning WHAT to think.
  9. so i am supposed to trust this thing? by FudRucker · · Score: 4, Interesting

    security software from the biggest spy organization in the world that have violated the law in order to spy on EVERY US citizen,

    no thanks, the NSA is going to have to continue spying on me the old fashioned way

    --
    Politics is Treachery, Religion is Brainwashing
  10. Most of it isn't code... by Loco3KGT · · Score: 4, Informative

    There's a lot of "they're just trying to backdoor you" type talk. For those who didn't bother to look at the code repos -> it's almost entirely Puppet manifests, not code.

    --
    Blessed be he who reads this post, Cursed be he who tells my boss.