Slashdot Mirror

← Back to Stories (view on slashdot.org)

Interview With An 'NSA Hacker' Published By The Intercept (theintercept.com)

Posted by EditorDavid on from the he-talked,-I-listened dept.

The Intercept published a 4,000 word article based on a journalist's three-hour interview with an "NSA hacker" who recently left the agency for a career in cybersecurity. Offering a portrait of life within the U.S. intelligence agency, "Lamb" says he worked on "ridiculously cool projects that I'll never forget... Technically challenging things are just inherently interesting to me."

He's the author of some of the memos leaked by Edward Snowden about how the NSA tries to identify Tor users or break into sys-admin accounts. ("One of his memos outlined the ways the NSA reroutes (or "shapes") the internet traffic of entire countries, and another memo was titled "I Hunt Sysadmins.") "If you tell me, 'This can't be done,' I'm going to try and find a way to do it."
It's interesting that he ended one memo with "Current mood: devious" and wrote in another that Tor "generally makes for sad analysts". But in his interview, he warns that "There is no real safe, sacred ground on the internet. Whatever you do on the internet is an attack surface of some sort and is just something that you live with."

40 of 93 comments (clear)

  1. no sacred ground by turkeydance · · Score: 4, Insightful

    includes the NSA's lawn.

    1. Re:no sacred ground by rmdingler · · Score: 1

      What everyone forgets about that era, is that by using gene pool culls like the Jarts game, we were still weeding the garden.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    2. Re:no sacred ground by Anonymous Coward · · Score: 1

      No offense, but Breitbart isn't exactly the most trustworthy of sources. I'm sure that I am not alone in this opinion. I'm completely unable to find anything other than Breitbart listing Rodham as the owner of the company, but I can find multiple sources listing him as a member on the board of advisors.

      The Common Sense Show is just another right-wing conspiracy-tard site. FFS, they're talking about those dumbass Bundy and Hammonds.

      Please find better sources. I'd sure like to believe you.

    3. Re:no sacred ground by AmiMoJo · · Score: 3, Insightful

      The NSA must surely be compromised. If Snowden could do it, you have to figure that professional spies from other countries have too. The NSA is a very attractive target, having virtual dossiers on all US and many European citizens that are ripe for plundering. Access to NSA backdoors and non-public vulnerabilities would be quite valuable too.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:no sacred ground by sumdumass · · Score: 1

      Either the information is accurate or it isn't. The source doesn't matter outside that regard. If you have reasons to believe it is inaccurate outside of you not wanting to believe it, then list it. If not, either accept it or understand that you are wilfully remaining stupid and blindly ignoring information presented. You will be no better than a flat earther.

    5. Re:no sacred ground by sumdumass · · Score: 1

      The links seem referenced enough to be just as valid as anything on Wikipedia or any other site. If you are dismissing it out of hand because of your dislike of the politics of the site you literally are no different than a flat earther. You even proudly proclaim it just like they do.

      This isn't some hocus pocus alternative health link but your reaction is typical of the antivaxers. They made specific charges and backed them up from what i can tell with a cursory glance. You can close your eyes and claim it isn't happening all you want. It doesn't make it true. It just makes you wilfully stupid. Your argument boils down to "no way and I am not going to look " which fits the stupid model exactly. It is borderline dishonest.

    6. Re:no sacred ground by epine · · Score: 1

      Either the information is accurate or it isn't.

      The problem of inference is that the information in hand is usually not enough, whether or not you succeed in determining it's accuracy, considered in isolation.

      The gap between a smattering of accurate information and assembling an accurate world view is a real doozy.

      You can't assess the representativeness of your "smattering" without also considering your sources and the net they weave.

    7. Re:no sacred ground by sumdumass · · Score: 1

      If you think it is all a conspiracy, you can present evidence of such. If all you are doing is ignoring something because you don't want to believe the source, you are anti-intellectual and unthinking. If you choose to ignore it and keep it to yourself, no one will know you are intentionally stupid. If you bragg about it, then don't be upset or surprised when you get called out on it.

      All it would take for you to become a blundering idiot (as in the original meaning) is for sources you think are valid for whatever reason to ignore it too. This in and of itself is cause to at least investigate the claims. Otherwise you become a mindless puppet of powers greater than you.

    8. Re: no sacred ground by sumdumass · · Score: 1

      Nice deflection there. I bet you even won your kindergarten debate class too. The links cite references for fucks sake. It is absolutely nothing like that. It if anything is like Wikipedia having factual content because they do the exact same thing - cite their reference.

      Now you could look at the links and decide they are unsubstantiated opinions or they are factual. Anything else is intellectually dishonest and judging from your comment, you are comfortable with dishonesty.

    9. Re: no sacred ground by sumdumass · · Score: 1

      I checked the first link and it references a book making the claim as well as the website of the company who got the gold permit bragging to investors that they are one of only two able to exploit the gold in hati.The website of the company also listed Hillary's brother as being on the board of directors.

      I'm not sure how you consider that not relevant. I'm betting you never bothered looking and are just spouting nonsense in order to justify your wilful stupidity.

    10. Re: no sacred ground by sumdumass · · Score: 1

      It doesn't say illegal stuff. No one that I know of said illegal stuff. It says that the co chair of a relief fund bill was in charge of is now on the board with her brother and they got a sweet deal after dishing out relief funds. If you go to the vcs website and select press, you will see that the two people in question recently resigned.

      I'm going to say it is unethical and looks badly but you are the only one I know of saying it was illegal. Maybe you should do more than pinky swear. When friends and family get a sweet deal after you give aid funds, it doesn't take a rocket surgeon to put 2+2 together.

  2. Legit story? by Robert+Goatse · · Score: 1

    I was looking forward to the story but when I saw things like smiley faces and the current mood=devious junk, I'm doubting this cat was really a spook. No way would someone put that kind of gibberish in a presentation unless, of course, it was presented to his office buddies who probably got a kick out of it. No way a 4-star would be looking at some hand-scribbled, 2nd grade inspired drawing.

    1. Re:Legit story? by pepsikid · · Score: 2

      Legit-ish. "Lamb" was in one of the terrariums full of haxxors that the spooks keep for research and observation. Obviously, he wasn't even valuable enough for them to aggressively hold on to.

    2. Re:Legit story? by Fire_Wraith · · Score: 1

      The Federal Government is generally terrible on several levels when it comes to job retention. The biggest thing they have to offer is that it's one of the few places that actually offers a pension, and that's increasingly going away. In anything requiring tech skills, they're not remotely competitive on salary or benefits.

      The biggest thing that a place like the NSA can offer is "this work is really really cool, even if you can't tell anyone about it." But at some point, that just doesn't measure up to other things. In a normal workplace, there would be ways for the higher ups to intervene and arrange for appropriate truckloads of money to make sure someone doesn't leave (or at least make it worth their while to stay), even if they may not be smart enough to do so. In the government, they generally can't do that even if they want to - it'd take an act of congress, basically.

  3. Re:NSA sucks at technology by Nehmo · · Score: 1

    They can't hack for shit.

    I suspect you are right. We certainly don't have any evidence they accomplished any major incursion. There is the Iranian centrifuge story, but I have my doubts about it, and we don't really have any reliable details.

    I *do* have experience in assessing state governments' level of technological prowess, and it is beyond pitiful. Basically, they pay for everything, and if nobody is offering, there is no internal means to accomplish anything. I should clarify my "assessment" is way old by now, but I would guess this is still valid with the current state of the game.

    Are the federal agencies similar to the state ones? Probably. They have the same kind of people.

    --
    (||) Nehmo (||)
  4. NSA is just like the other digital thungs. by Anonymous Coward · · Score: 1

    NSA buys their exploits on the black market just like all the other criminal skiddies do.

    They even point and click to deploy their attacks, like skiddies using babby's first pre-packaged metasploit-ready exploit vector.

    "Devious" is buying exploits from real black hat hackers? Pretty much, yeah.

    With everything having such shit security there's not much incentive to spend a lot of money on "really neat projects" aside from running a fuzzer on new software, or fingerprinting a sysadmin's systems then deploying the existing library of vulns against them. Why crack the safe combination when the bank vault door is standing wide open?

    NSA is having problems with recruiting. TFA is propaganda. It's a smidge better than their prior attempts though.

  5. Worthless article by pellik · · Score: 4, Informative

    The only story is that the journalist did a three hour interview with a NSA hacker. There's no content in there.

    1. Re:Worthless article by khallow · · Score: 1

      Which is EXACTLY why The Guardian, Glenn Greenwald, The Intercept, and all the other bullshit journalists... suck. They're in it for themselves... content, truth, openness, sharing, facts and publishing the whole thing unredacted and without permission from authority... are completely secondary.

      So what? This is real life, not some fairy tale movie where the journalist hero saves the world and wins the girl. There will never be a side of pure good. There will never be a clear victory over evil.

    2. Re:Worthless article by khallow · · Score: 2

      And with that kind of support... you will never be free.

      In the real world, you use the tools you have to make the world a better place. Not the magic pink unicorns you wish you had.

    3. Re:Worthless article by rtb61 · · Score: 1

      In the real world fuckwits abuse tools meant to make the world a better place, in order to enrich and empower themselves, regardless of how much those tools now make the world a far worse place. Until they starting testing to psychopathy and rejecting those shown to be psychopaths, this problem will get far worse.

      The whole nonsense of NSA power is insane, want to effectively castrate them, simply deploy EMP because that is exactly where all this will end up. Losing the hacking war, just EMP the opposition and you are done. There internal systems might still be going but they will have nothing to hook into and control and the ability to pay them to keep them going will similarly disappear.

      --
      Chaos - everything, everywhere, everywhen
    4. Re:Worthless article by 93+Escort+Wagon · · Score: 2

      So what? This is real life, not some fairy tale movie where the journalist hero saves the world and wins the girl.

      I don't believe Glenn Greenwald is particularly interested in winning the girl.

      --
      #DeleteChrome
    5. Re:Worthless article by khallow · · Score: 1

      Until they starting testing to psychopathy and rejecting those shown to be psychopaths, this problem will get far worse.

      I too want those magic pink unicorns to catch all the bad people. The thing you don't seem to get here is that psychopathy is a normal human reaction to great power and unaccountability. There's no magic test for this.

    6. Re:Worthless article by khallow · · Score: 1

      As for the original purpose and intent of the internet - it's just as naiive. It was deigned by people who were privileged and grew up in a free country and never read history books and never dared to step outside their extremely comfortable comfortable zones and imagine how it could be abused.

      And the above paragraph was written by someone who didn't think. If you're trying to fix human tyranny via modding the TCP/IP stack, then you're doing it wrong.

    7. Re:Worthless article by drinkypoo · · Score: 1

      If you're trying to fix human tyranny via modding the TCP/IP stack, then you're doing it wrong.

      On one hand, you are very right. On the other hand, it still might help, and trusting the network so much is foolish.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:Worthless article by khallow · · Score: 1

      Oh, psychopathy would happen even with accountability. It just means the psychopath has to get rid of one extra thing before going full throttle on the psychopathy.

      If your accountability is well designed, then it's a very big obstruction which is the whole point of accountability.

      When we act with intent to better the world, we just get socialism, and we know that doesn't work.

      Self-parody right? Socialism without accountability is a playground for the sort of behavior you claim to care about.

    9. Re:Worthless article by khallow · · Score: 1

      Doesn't matter. If the power being watched is great enough, psychopaths will appear to try and take it, no matter how big or how many obstructions you put in the way. That's the point of great power.

      Which is why division of power happens. And what again was the point of testing for psychopathy as the original AC proposed? That's just another thing to work around. At least, accountability works better than that.

    10. Re:Worthless article by khallow · · Score: 1

      You answered your own question: it's a division of power thing.

      Having a new entity that tests for psychopathy will mean a redistribution of power, some of it going to this new entity. So it really is just another form of accountability aka another thing to work around.

      I don't buy it. My view is that the testing is useless except as an arbitrary exercise of power. If you're going to do things like that, why not do something useful with that entity, like passing laws or judging breaches of the law (the traditional two divisions of power common to most democracies)?

      See, you act like what the other AC propose and what you think works are different things and that one is better or worse. To a psychopath, they aren't, and they'll both work just as well or not.

      Again, I don't buy this. I'm not a psychopath and hence, don't share this alleged equivalence.

  6. Re:NSA sucks at technology by Nehmo · · Score: 1
    You must be the same anonC as you are answering. Either that, or you both have the habit of beginning with "Yeah," and you both have stuck keys.

    Anyhow, there are other illustrations of NSA's ineptitude.

    --
    (||) Nehmo (||)
  7. This can't be done by b783719 · · Score: 2

    "If you tell me, 'This can't be done,' I'm going to try and find a way to do it."

    How to be rich in 10 seconds:
    1) say, "I can't have your bank account. This can't be done."
    2)He's 'going to try and find a way to do it'
    3)????
    4)Profit

  8. Re:NSA sucks at technology by vux984 · · Score: 2

    Its pretty common when mocking a post to respond in the same style.

    For example, one might have responded to yours with:

    You must be [insult] ; either that or [insult]; and you [insult].
    Anyhow [final insult]....

    You might be right and its the same AC; but its just as likely to be using style imitation as part of the mockery.

  9. Re:NSA sucks at technology by cfalcon · · Score: 1

    I think you are comparing apples to oranges. The NSA has a charter that includes expertise in this field. That's very different from having license to engage in computer drama in the course of discharging duties, as state governments would have.

  10. Unprecidented by Velox_SwiftFox · · Score: 2

    Oh for the old days when no one wondered why >50% of European Internet connections were routed through MAE East.

  11. NSA has a lot of resources, no superheroes. Easy by raymorris · · Score: 2

    Being in the information security field myself, I've hung out with some federal government infosec people once or twice. My read is that the feds have a lot of money and other resources. They don't have superheroes on staff. "Garcia" from the TV show CSI doesn't work there. So they're good, but cerrainly not orders of magnitude better than those of of us in the private sector. We can't get billion dollar datacenters, though, to record information about every phone call in the country.

    HOWEVER, most of the time it doesn't matter. Spear phishing isn't that difficult, and most people can be spear phished. (Note the qualifier SPEAR, not bulk phishing).

    What about hacking high-value targets like major governments? Is it easy to hack the US state department? Well the head of the department, the secretary of state, DOES communicate in CLEAR TEXT via an unpatched server in her basement. It doesn't take genius hackers to read top secret informatiom that isn't encrypted and is sent in the clear over the public internet. The NSA doesn't NEED geniuses. They just need to be patient and persistent to exploit a particular target.

      Of course they don't have to attack the primary target directly. Once they have access to the email account of Clinton's good friend Debbie Wasserman-Schultz, they can set a filter that intercepts emails she sends to HRC and add a trojan to an attached file. Then they have a foothold on HRC's computer and phone. None of this is that difficult, they just have to be patient if they want to get a value target.

  12. So does this mean.. by fred911 · · Score: 1

    he's turning in his back hat for a white one?

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    1. Re:So does this mean.. by Anonymous Coward · · Score: 3, Insightful

      It means he sold his soul and now he repents. But in reality it's like Satan posing as a humanitarian worker.

      His curiosity toward IT was exploited by a rogue agency, no doubt. I just hope he realizes all the damage he's done to the basic and human rights, let alone diluting the values outlined in the US Constitution. There's no amount of "cyber security" he could ever do to make up for that and there's no amount of righteousness he can hide behind to justify his actions. What he did was pure evil.

  13. Re:NSA sucks at technology by arth1 · · Score: 2

    Flawed as SELinux is, it's on top of other security measures. It cannot give permissions that aren't already there.

    Most of the criticism I see about SELinux is that it's too cumbersome to use correctly, so those without a special interest often turns it off. Often by the same people who don't understand acl either, and think 666 and 777 permissions are practical. Many of them even rely on Windows-like privilege escalation like gratuitous ALL=(ALL) ALL in /etc/sudoers.

  14. Re:CNE? by rjh · · Score: 1

    Computer Network Exploitation.

    CNO = Computer Network Operations, an umbrella term which covers offense and defense. CNE is offensive CNO.

  15. Re:NSA sucks at technology by drinkypoo · · Score: 1

    Most of the criticism I see about SELinux is that it's too cumbersome to use correctly, so those without a special interest often turns it off

    The criticism is that the tools do not exist to make it convenient to create new SELinux profiles, so those without a special interest rarely turn it on — at least, for anything that some application or distribution doesn't include for their benefit. There have been efforts to create such tools in the past, but last time I looked it wasn't convenient to even build the tools, and they were outdated in other ways as well. If you know better, I'm interested.

    Often by the same people who don't understand acl either, and think 666 and 777 permissions are practical.

    They are practical for many purposes, when combined with proper use of accounts, and containers are making them decreasingly relevant. But yes, that it's inconvenient to modify ACLs on the command line is an annoyance that does lead to their underuse — much as the tools missing from SELinux do the same in that case.

    Many of them even rely on Windows-like privilege escalation like gratuitous ALL=(ALL) ALL in /etc/sudoers.

    It's no less secure than su -.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  16. Re:Trouble by F.Ultra · · Score: 1

    Nah they will just upgrade him to Windows 10.

  17. Re:what utility are NSA skills to the civilian sec by pepsikid · · Score: 1

    What I got from it was that Lamb wants to be a security consultant. You'd pay him to run Nessus against your network or whatever.