Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Hacker Chief Explains How To Keep Him Out of Your System (wired.com)

Posted by timothy on from the disinterested-party dept.

An anonymous reader writes: Rob Joyce, the nation's hacker-in-chief, took up the ironic task of telling a roomful of computer security professionals and academics how to keep people like him and his elite corps out of their systems. Joyce himself did little to shine a light on the TAO's classified operations. His talk was mostly a compendium of best security practices. But he did drop a few of the not-so-secret secrets of the NSA's success, with many people responding to his comments on Twitter.

37 of 70 comments (clear)

  1. Same link. by Anonymous Coward · · Score: 3, Informative

    Same link as previous article, copy and paste error.

  2. Is there a link missing? by warm_warmer · · Score: 1

    It seems like the only linked article is relevant to the Slashdot story immediately preceding this one...

    1. Re:Is there a link missing? by warm_warmer · · Score: 5, Informative

      I think I found the right link: http://www.theregister.co.uk/2...

    2. Re:Is there a link missing? by mrsam · · Score: 3, Funny

      It seems like the only linked article is relevant to the Slashdot story immediately preceding this one...

      Must be the new owners of Slashdot, working hard to correct the persistent problem the prior owners with duplicate stories getting posted, all the time. Now, the duplicate links will get posted in completely different stories, going forward!

    3. Re:Is there a link missing? by BlacKSacrificE · · Score: 1

      He could prolly submit the story all over again and it would slide on through. I'd rather a dupe than an abortion..

      --
      [Sorry, this signature is unavailable in your country/region]
    4. Re:Is there a link missing? by Anonymous Coward · · Score: 1

      Here's the Wired article:

      http://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-out-of-your-system/

  3. Slashdot has reached a new low by Anonymous Coward · · Score: 1

    Sorry, the link embedded within the article is http://arstechnica.com/information-technology/2016/01/nsa-gchq-used-open-source-software-to-spy-on-israeli-syrian-drones/, which is a link relevant to the previous story. I have no idea how that would happen, but editors should at least check the links. The correct link is actually http://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-out-of-your-system/.

    1. Re: Slashdot has reached a new low by Anonymous Coward · · Score: 1

      The editor's responsible for the error's in the link's have been sacked. :-)

  4. Step 1 by Anonymous Coward · · Score: 1

    Step 1: Don't listen to anything the NSA (or the US government for that matter) has to say

    1. Re:Step 1 by greenfruitsalad · · Score: 4, Insightful

      the guy picks up a microphone and owns up to breaking constitutional rights, screwing with people's businesses and lives. the people, instead of arresting him, clap their hands and say it was a good talk. what the f**k? not even DMCA? let's all accept this lawless band of crooks, put them on a pedestal and call them elite corps

    2. Re: Step 1 by Anonymous Coward · · Score: 2, Interesting

      That's a common myth in Tea Party circles - but there's tons of legal basis for the NSA's activities in the Constitution:

      http://www.heritage.org/research/reports/2010/06/a-constitutional-basis-for-defense

      And yes, I feel somewhat dirty for linking to Heritage, but you cannot dismiss them as "liberals".

    3. Re: Step 1 by sumdumass · · Score: 5, Insightful

      No need to inject liberals or tea party circles into this. No one mentioned them and I would bet you would/could find several people on any side you picked who think there is a problem too.

      The US constitution does not place national defense above the US constitution though. This is problematic to the national defense trumps all argument because the 9th amendment specifically spells out that the enumeration in the constitution shall not be used to deny other rights held by the people. While the constitution generically spells out national defense, it specifically places reasonableness and warrant requirements for searches and other things.

      but lets explore this a bit. In the name of national security, some say the government can ignore the US constitution and invade a citizen's or local business's network, computer, telephone, whatever. Some say they can hold people without habeas corpus rights or even the right to a trial. Can they also ignore the constitution and just appoint senators and representatives in the name of national security? Can they install judges and such with no congressional oversight so those moves would survive a court challenge? Can they just decree something to be law without congress ever passing it or the president signing it into law? If so or not, I have to ask why and what limits would there be and how do those limits become recognized?

      My naive understanding is that the existence of this group is largely limited to pen testing with approval from network owners or law and assisting in law enforcement operations which presumably would already had warrant requirements satisfied. IT might do a lot more than that but I do not know for sure.

    4. Re: Step 1 by greenfruitsalad · · Score: 1

      ease up on that ganja or you'll soon claim they have legal basis for anal probing at all railway crossings.

    5. Re: Step 1 by Anonymous Coward · · Score: 1

      The Constitution is not a suicide pact. Policies targeting domestic US citizens deserve open scrutiny and debate but actions targeting foreign countries are not Constitutionally protected nor are those actions required to be publicly disclosed. If you want to see a real life example of the elasticity of the Constitution just look at what FDR did prior to the US entering WW2. He blatantly violated the Neutrality Act using the subterfuge of the Lend-Lease Act while also "donating" a fleet of mothballed US navy ships to Britain. He unilaterally extended the US Atlantic oceanic boundaries so US warships could escort British convoys further and then used the sinking of a US ship by a German sub to bolster his attempts to gain public support for the US to openly declare war. Congress unanimously made it illegal for the government to wiretap suspected German spies in the US and he immediately ordered the Justice Department to ignore the law and proceed with the wire taps. Almost every action FDR took before the US entered the war was illegal according to strict interpretations of the Constitution. He also sent US fighters to China to support operations against Japan. All the pilots sent over had resigned from the US military prior to deployment but were quickly reinstated when the US declared war.

  5. Relief... by grub · · Score: 5, Insightful

    I was worried that the new overlords would start checking submissions for errors. I'm relieved to see they are taking the 'steady as she goes' approach.

    --
    Trolling is a art,
    1. Re:Relief... by Anonymous Coward · · Score: 1

      It's Timmy boy... I found that you can never set your expectations low enough around here.

      On the other hand, given that he seems to be the only editor left... and apparently spends all day and night scouring the internet for days-old news to post... you have to cut him some slack. Lack of sleep probably plays a part

  6. NSA strikes again by Anonymous Coward · · Score: 2, Funny

    They've censored their own link from the article!

  7. Sheep by ourlovecanlastforeve · · Score: 3, Informative

    Sheep should not listen to best practice advice from wolves.

    1. Re:Sheep by Anonymous Coward · · Score: 1

      Of course, of course. You should never take advice from a group of people considered the best at cracking systems worldwide, known for their ability to get into systems running on hundreds of varieties of hardware. Why, that would be foolish! Can you image, asking security experts what some of the general security practices are?

      Also, never, EVER, go to a doctor.

    2. Re:Sheep by ACE209 · · Score: 1

      Also, never, EVER, go to a doctor.

      If that doctor has a rich history of malpractice lawsuits, you are even right.

      Though changing your intelligence agency might not be as easy as changing your doctor.

      --
      "we are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further."
  8. Jesus, just link to the talk. by Anonymous Coward · · Score: 4, Informative

    https://www.youtube.com/watch?v=bDJb8WOJYdA

    Personally, he didn't say anything mind blowing.

  9. grain of salt, but sound advice by raymorris · · Score: 5, Insightful

    Indeed, I'm skeptical of anything from the NSA, but his advice matches with my experience (I've been doing network security professionally for a long time).

    He made one point that definitely rings true. People get excited about "advanced" stuff like zero-days and jumping air gaps with ultrasound, while their IIS hasn't been updated in three years, their users are opening funnycat.exe, and they've never tested their backups. It's not the NCIS stuff that'll get you, 95% of the time, it's the boring best-practice stuff that's missed; security updates, tested offsite backups, etc.

    1. Re:grain of salt, but sound advice by khasim · · Score: 2

      There's a part I disagree with him on. From TFA:

      "Thereâ(TM)s a reason its called and advanced persistent threat; we'll poke and poke and wait and wait until we get in."

      No. It's called that because it sounds scarier than "got past my mediocre defenses".

      If they did not have to burn a zero-day (or rappel through a skylight) to get in then it is plain-old "cracking". People just prefer to call it "APT" because no one can defend against an "APT attack".

      If they could defend against it then it would be a regular-type-attack that was successfully defended against.

      The rest of his advice is good enough.

  10. Well now it's news! by rebelwarlock · · Score: 4, Funny

    I was worried at first that this wasn't really news, but then I saw the summary said that people responded on Twitter, and now I know it's important.

  11. You have nothing to fear if by burtosis · · Score: 1

    You have nothing to hide.

    Actually, when Trump gets elected and has a full dossier on every political AND financial rival you really should have an escape plan.

    1. Re:You have nothing to fear if by MobSwatter · · Score: 1

      You have nothing to hide.

      Exactly, the people are broke and no amount of corporate espionage is going to preserve the District of Columbia.corp at this point with international shipping halted and 200+ countries that will not accept the US petro dollar as currency. Here's a question: If said spook hacker is not over there seeking refuge with Snowden, and not under indictment and/or already in jail, then does this mean that this is a sign that the republic is in process of being restored?

      The implications of this could truly be astounding.

    2. Re:You have nothing to fear if by ProfanityHead · · Score: 1

      You forgot about Texas and Kentucky.

  12. I am so scared about Trump by Latent+Heat · · Score: 1

    . . . that he will have all the information to sell me junk that I don't need?

  13. Re:#1 best practice by Anonymous Coward · · Score: 1

    Keep systemd off your machines, as it contains NSA access and backdoors built in - aside from the system stability issues introduced.

    As much of a ClusterF**K that Systemd is , you cannot make a claim like that without SOME evidence.. otherwise shut up.

  14. you can't win by epine · · Score: 2

    Here's a conundrum—a real stumper if you plan to swallow his advice whole—they know what's really in all those automatic patches, and you don't.

    Tuesday a patch arrives. Wednesday a patch for the patch arrives. What exactly happens during that brief episode of 24?

    1. Re:you can't win by jeff4747 · · Score: 2

      It's not that they know what's in the patches.

      It's that they have thousands of extremely skilled and well paid people who do nothing but figure out how to break in.

      Meanwhile, you're trying to defend your network while dealing with users asking where the "any" key is, and your executives demanding to be able to go to malware-infested porn sites at work.

      You will lose against the NSA (or any nation-backed equivalent) because of the massive disparity in knowledge and effort.

    2. Re:you can't win by justthinkit · · Score: 1

      I remember when antivirus companies began talking about heuristics. The idea that they could dynamically figure out threat levels. Then I noticed a strange thing -- updates got bigger, DAT files grew and grew -- and they shut up about heuristics. They realized that this would kill the need to buy next year's AV product.

      So, given that best practices for all kinds of stuff have been around for decades, isn't it at least a little curious how often patches come out? Grandparent's point is the most likely explanation. And is the same reason for the so called "data breaches" -- "Here you go, NSA, knock yourself out," followed by "We found a weakness and here's the patch".

      By way of deception...

      --
      I come here for the love
    3. Re:you can't win by justthinkit · · Score: 1

      Eloquent, and full of specifics. And I don't believe it.

      Qualcomm's Eudora email program is proof you can create a perfect program. And proof that when you do, your income stream stops.

      In the Eudora case they took the high road so few do and gave it all away. Until October 11, 2006 [needle scratching across a record].

      Perfection is a different mindset from profit.

      --
      I come here for the love
  15. If you think by JustAnotherOldGuy · · Score: 1

    If you think he's actually telling you anything that would really keep him out, then you're exactly as gullible as he wants.

    Oh, sure, he'll give you some bullshit, low-level tips, but do you really think that the "NSA Hacker Chief" is going to do anything that's going to make his job harder? I sure don't.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  16. Laws? by Quinn_Inuit · · Score: 1

    Once upon a time, I thought those would have been sufficient.

    --

    Stop learning! Only you can prevent esoterrorism.
  17. Medicine worse than the disease by Tony+Isaac · · Score: 1

    Remedies like whitelisting might be effective, but if you've ever worked in a corporation--typically large ones--that use it, you know that it's a nightmare to manage. When you need to get something done, waiting for your whitelist request to be approved can take so long that you might as well not try to use the tool.

    It's interesting that the author said NOTHING about password complexity. This is one of the stupidest security measures, at least in the way it is typically implemented. For example, you must change your password every month, it must have three different punctuation characters, numbers, upper, and lower case, and can't be any one of your last 50 passwords. All this type of rule list does is make people write down their passwords (because they can't remember them) or find some pattern that defeats the system. Two-factor authentication is far better and more secure.

  18. Re: Letting a great man say why I did those... apk by Redmancometh · · Score: 1

    I'm agreeing with APK...the new owners of slashdot are! already making things weird.