Slashdot Mirror


NSA Hacker Chief Explains How To Keep Him Out of Your System (wired.com)

An anonymous reader writes: Rob Joyce, the nation's hacker-in-chief, took up the ironic task of telling a roomful of computer security professionals and academics how to keep people like him and his elite corps out of their systems. Joyce himself did little to shine a light on the TAO's classified operations. His talk was mostly a compendium of best security practices. But he did drop a few of the not-so-secret secrets of the NSA's success, with many people responding to his comments on Twitter.

15 of 70 comments

  1. Same link. by Anonymous Coward · · Score: 3, Informative

    Same link as previous article, copy and paste error.

  2. Re:Is there a link missing? by warm_warmer · · Score: 5, Informative

    I think I found the right link: http://www.theregister.co.uk/2...

  3. Relief... by grub · · Score: 5, Insightful

    I was worried that the new overlords would start checking submissions for errors. I'm relieved to see they are taking the 'steady as she goes' approach.

    --
    Trolling is a art,
  4. Re:Is there a link missing? by mrsam · · Score: 3, Funny

    It seems like the only linked article is relevant to the Slashdot story immediately preceding this one...

    Must be the new owners of Slashdot, working hard to correct the persistent problem the prior owners had with duplicate stories getting posted, all the time. Now, the duplicate links will get posted in completely different stories, going forward!

  5. NSA strikes again by Anonymous Coward · · Score: 2, Funny

    They've censored their own link from the article!

  6. Sheep by ourlovecanlastforeve · · Score: 3, Informative

    Sheep should not listen to best practice advice from wolves.

  7. Re:Step 1 by greenfruitsalad · · Score: 4, Insightful

    the guy picks up a microphone and owns up to breaking constitutional rights, screwing with people's businesses and lives. the people, instead of arresting him, clap their hands and say it was a good talk. what the f**k? not even DMCA? let's all accept this lawless band of crooks, put them on a pedestal and call them elite corps

  8. Jesus, just link to the talk. by Anonymous Coward · · Score: 4, Informative

    https://www.youtube.com/watch?v=bDJb8WOJYdA

    Personally, he didn't say anything mind blowing.

  9. Re: Step 1 by Anonymous Coward · · Score: 2, Interesting

    That's a common myth in Tea Party circles - but there's tons of legal basis for the NSA's activities in the Constitution:

    http://www.heritage.org/research/reports/2010/06/a-constitutional-basis-for-defense

    And yes, I feel somewhat dirty for linking to Heritage, but you cannot dismiss them as "liberals".

  10. grain of salt, but sound advice by raymorris · · Score: 5, Insightful

    Indeed, I'm skeptical of anything from the NSA, but his advice matches with my experience (I've been doing network security professionally for a long time).

    He made one point that definitely rings true. People get excited about "advanced" stuff like zero-days and jumping air gaps with ultrasound, while their IIS hasn't been updated in three years, their users are opening funnycat.exe, and they've never tested their backups. It's not the NCIS stuff that'll get you, 95% of the time, it's the boring best-practice stuff that's missed; security updates, tested offsite backups, etc.

    1. Re:grain of salt, but sound advice by khasim · · Score: 2

      There's a part I disagree with him on. From TFA:

      "There's a reason it's called an advanced persistent threat; we'll poke and poke and wait and wait until we get in."

      No. It's called that because it sounds scarier than "got past my mediocre defenses".

      If they did not have to burn a zero-day (or rappel through a skylight) to get in then it is plain-old "cracking". People just prefer to call it "APT" because no one can defend against an "APT attack".

      If they could defend against it then it would be a regular-type-attack that was successfully defended against.

      The rest of his advice is good enough.

  11. Well now it's news! by rebelwarlock · · Score: 4, Funny

    I was worried at first that this wasn't really news, but then I saw the summary said that people responded on Twitter, and now I know it's important.

  12. Re: Step 1 by sumdumass · · Score: 5, Insightful

    No need to inject liberals or tea party circles into this. No one mentioned them and I would bet you would/could find several people on any side you picked who think there is a problem too.

    The US constitution does not place national defense above the US constitution though. This is problematic to the national defense trumps all argument because the 9th amendment specifically spells out that the enumeration in the constitution shall not be used to deny other rights held by the people. While the constitution generically spells out national defense, it specifically places reasonableness and warrant requirements for searches and other things.

    But let's explore this a bit. In the name of national security, some say the government can ignore the US constitution and invade a citizen's or local business's network, computer, telephone, whatever. Some say they can hold people without habeas corpus rights or even the right to a trial. Can they also ignore the constitution and just appoint senators and representatives in the name of national security? Can they install judges and such with no congressional oversight so those moves would survive a court challenge? Can they just decree something to be law without congress ever passing it or the president signing it into law? If so or not, I have to ask why and what limits would there be and how do those limits become recognized?

    My naive understanding is that the existence of this group is largely limited to pen testing with approval from network owners or law and assisting in law enforcement operations which presumably would already have had warrant requirements satisfied. It might do a lot more than that but I do not know for sure.

  13. you can't win by epine · · Score: 2

    Here's a conundrum—a real stumper if you plan to swallow his advice whole—they know what's really in all those automatic patches, and you don't.

    Tuesday a patch arrives. Wednesday a patch for the patch arrives. What exactly happens during that brief episode of 24?

    1. Re:you can't win by jeff4747 · · Score: 2

      It's not that they know what's in the patches.

      It's that they have thousands of extremely skilled and well paid people who do nothing but figure out how to break in.

      Meanwhile, you're trying to defend your network while dealing with users asking where the "any" key is, and your executives demanding to be able to go to malware-infested porn sites at work.

      You will lose against the NSA (or any nation-backed equivalent) because of the massive disparity in knowledge and effort.