Slashdot Mirror
NSA Worried About Implications of Leaked Toolkits (businessinsider.com)
Reader wierd_w writes: According to Business Insider, the NSA is worried about the possible scope of information leaked from the agency, after a group calling themselves the 'Shadow Brokers' absconded with a sizable trove of penetration tools and technical exploits, which it plans to sell on the black market. Among the concerns are worries that active operations may have been exposed. Business insider quotes an undisclosed source as stating the possibility of the loss of such security and stealth (eg privacy) has had chilling effects for the agency, as they attempt to determine the fullness and scope of the leak.
(Does anyone besides me feel a little tickled about the irony of the NSA complaining about chilling effects of possibly being monitored?)
(Does anyone besides me feel a little tickled about the irony of the NSA complaining about chilling effects of possibly being monitored?)
It's a trap
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Welcome to how the rest of society feels.
that's just code
Live by the sword, die by the sword.
Now, if you had just disclosed those vulnerabilities they could probably have been fixed by now. Instead, you failed at keeping them a secret and unknown unsavory parties have a handy trove of exploits ready to be used. I'm not sure that this is what "National Security" looks like, and that's kind of your job.
But don't forget they're our guys.
In a pointing pose: "hahhh ha!"
I don't really see anything funny or positive in the fact that one of your main intelligence services is under attack by a hostile power. And this attack is not clandestine, hidden from unwanted eyes, but it is made in public, so as to call NSA bluff and expose your country as a paper tiger.
And this all is compounded by a poorly hidden active measures campaign to benefit one candidate and to destroy another.
I believe that neither Schadenfreude nor sarcastic gleeing over a major f@ck up at the NSA are appropriate in this case, because want it or not, admit it or not, but your country is under attack by a powerful, sophisticated adversary. And it aint good. at all.
They don't know, either.
Welcome to our world, newbie.
WARNING: Smartphones have side effects--most of them undocumented.
Welcome to the world, NSA...
What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.
You win some, you lose some. You cook with fire long enough and you're bound to get burnt eventually.
Manhattan project also failed to keep its secrets, so did the VENONA project (and many other). Are you going to exercise your smart sense of moral superiority upon their failings?
Seriously.. it's that bad. If this were the 60s the NSA would be dismantled and court marshaled for this kind of slip up.
Goose meet gander
The essense of malware is that you offer software to someone else, in hopes that they run it. It's impossible to not realize that when you offer someone this software, not only might they run it to hurt themselves, but they might also offer it to others (maybe back to your own allies), to hurt them. Malware isn't something you can ever "keep" if you intend to use it against others.
It kind of reminds me of biological weapons. You gave the enemy Anthrax? Great, now your enemy has Anthrax. You'll be seeing that exact same strain of Anthrax again.
If they have nothing to hide, then they have nothing to fear.
Can we then expect that after some analysis, that most antivirus and FW software will be able to counter those tools?
No, we're fine with it.
Thanks for correcting the record.
What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.
It shouldn't matter who the DNC leaker was. Blaming "the Ruskies" is just a diversion.
On the contrary, I think this may be a positive development. Back in the cold war, neither side could use their nuclear weapons since they knew the other would instantly retaliate (Mutually Assured Destruction). It appears we've now reached that phase in the infowar. Both sides know what each other is up to, but they know if they reveal what the other is doing, their own shenanigans will be exposed.
Support Right To Repair Legislation.
The problem here is that the NSA deliberately sacrificed the opportunity to improve our security in order to retain the effectiveness of their toys and couldn't keep them from being directly pilfered, much less independently discovered.
If, hypothetically, the Manhattan Project had squandered the opportunity to make us nuke-resistant in order to preserve the utility of their weapon; then, yes, I'd say that they screwed up pretty atrociously. The difference, of course, is that no such option existed, while the process of disclosing bugs to vendors is very much an option.
The "you aren't the only ones who could exploit those vulnerabilities" argument was previously largely hypothetical; now, not so much.
Because if you really believe that Putin's goons intervene into your elections to promote honesty, integrity, and democracy, you are wrong, very wrong, and I doubt it can be fixed.
What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.
Then see my initial comment of 0 farks given. You think that inside info from TLA places like that hasn't been used against people internally already? It's about time that these organizations and the people in charge get outed and embarrassed. There's been too much power, corruption and insider BS for too long now and it needs to be balanced out.
Instead of worrying about things like the democratic process being broken as demonstrated by the leaks, you are worried about the source of the leaks.
Yeah, I worry about the rest of society but more that they think like you do.
History is a pretty good crystal ball for everything going on. I won't give you any lessons here, you seem content or frightened so remain ignorant. I will simply state that all weapons through history, including espionage devices used for weaponry, have moved from place to place. All political systems have been full of corruption, and it never ends well for the populace. You are focusing on the first, instead of the latter. I have no confidence that you care given the point you are contending.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
NSA had exercised the superiority feeling over everybody else for quite some time. Now they let their tools and legally enforced backdoors get into hands of evildoers who in theory should be the subjects of their eavesdropping but instead did become masters of it. Come to think of it this is perfect - market works and got an upper hand over government once again and this in a mother country of capitalism.
Read:
http://observer.com/2016/08/ns...
https://www.lawfareblog.com/ve...
The stolen hacks will be used by adversarial governments and criminals to silently move onto almost anyone's computer. Thanks NSA, for the upcoming super-malware.
Leaks aren't meddling, leaks are exposing meddling.
I'm still not convinced this isn't some sort of odd false flag operation.
Imagine you're the NSA and you've been unable to get inside of some other countries likely air gapped cyber security operation... putting some juicy tools out there they're likely to snatch up and play with at least get you to see who the players are and maybe these tools work maybe they blow up... As for the vulnerabilities, with so many people playing this game, any vulnerability not found by the NSA is likely to be found by some other organization.
Even the vulnerabilities could be snares... I'm suspect of all of this and think it's just part of a big ruse.
Yes Francis, the world has gone crazy.
What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.
They got what they deserve. Instead of monitoring every single American and putting backdoors in every program they can, the NSA should have focused on monitoring foreign actors while helping to ensure that domestic institutions (companies, political parties, non-profits, and of course the population as a whole) have access to privacy and secure communications. The NSA should be the national equivalent of an IT security department. Leave the detection and investigation of domestic bad actors to the FBI(if you run across any domestic malfeasance then by all means pass it along but don't go looking for it specifically) and coordinate with the CIA when it comes to foreign actors. Develop tools and programs to protect Americans-and this is important: your job is to protect Americans (the people) not "America"- and their homes, not to watch them in them.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
"Spirits that I've cited, My commands ignore." -- The Sorcerer's Apprentice by Johann Wolfgang von Goethe
My worry is that the NSA is likely penetrated by moles or it was successfully penetrated by foreign hackers. Regardless of the actual way those files were exfiltrated, this public stunt is nothing less than a public attack on one of your main intelligence services, by a foreign adversary, a brutal undemocratic and illiberal regime.
The fact that the NSA is under attack (and a public one) is what worries me, not that a bunch of 0-days is made public (and some of them are already fixed).
Its no longer just fed.gov you're trying to defend against, its all the script kiddies now running around with fed.gov's latest and greatest exploit toys.
Lawyers, MBA's, RIAA? A jedi fears not these things!
Imagine if the researchers of the Manhattan project not only discovered how to create a nuclear bomb, but also discovered a defense against nuclear weapons. Then, rather than telling anyone about the defense, they tried to keep it a secret so they alone could use the bomb. That would have been incredibly foolish! But we do not judge the Manhattan project this way, because they didn't actually have a defense against nuclear weapons.
Yet the NSA did. They found security bugs, created exploits for them, then refused to disclose the bugs to vendors so they could be fixed. This intentionally left their own country vulnerable to attack. The security community beseeched them to release this information, and warned them that others could find these exploits too and use them. But the NSA figured that nobody else was as smart as they were and so no one else could discover these exploits. They have been proven wrong.
And that is why we judge them somewhat differently.
It matters because the guy running one of the candidates' campaigns is a registered fucking agent of the government that's perpetrating the cyberattacks against us.
http://www.cnn.com/2016/08/15/...
And that candidate's daughter is besties with Vladimir Putin's girlfriend/sidepiece.
http://www.cnbc.com/2016/08/15...
And that same candidate's platform was recently changed to be more friendly to Russia as opposed to our ally, Ukraine.
http://www.politico.com/magazi...
So that's why it matters who the DNC leak is. Because Donald Trump is a mole.
Ironic that making overall infrastructure less secure might lead to NSA infrastructure being insecure. Actually, probably yet another "gimme ur password" phishing since you can't patch people.
"This is not a joking matter. You're ALL on a list, now!
Oh, damn!
I'm on the bloody list now, too."
"Flyin' in just a sweet place,
Never been known to fail..."
What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.
Versus not being worried about how before when the NSA was actually covertly owned by foreign states and/or non-state actors since at least 2013 and the NSA apparently either didn't realize it or did realize it and for 3 years failed to warn much of the US industry (or our allies) that a bunch of infrastructure was still completely insecure not only to the NSA but also vulnerable to a more hostile adversary.
Fuck. We have been talking about the possibility of the NSA itself getting hacked for years and Congress again and again was reassured that the NSA could be trusted to find out a bunch of exploits and back doors, not tell anyone to fix the problems with security and then keep them secret and only use those tools to fight the bad guys.
Apparently the rest of the public would rather bury their heads in the sand as our US Government gets completely subverted and only gets worried that it might make the government look bad if the broader public actually knew about it.
The NSA should make it its PRIMARY MISSION to warn industry about the exploits it finds rather than keep them secret for years while our foreign adversaries also utilize them to undermine us.
Fine let the NSA use newly discovered exploits for 90 days to give the US a head start in both fixing our own systems and exploiting the vulnerability, but then mandate that the NSA inform industry to fix the security vulnerabilities WITHOUT EXCEPTION.
You're a suspicious fellow, with and without your username.
Since when is Ukraine a US ally? It may be an "enemy of my enemy is my friend" relationship, but don't over state it.
The NSA is a riddle, wrapped in a mystery, inside an enigma. This whole things smells fishy. "bad actors" will buy this software on the black market, use it to spy on other people all the while the NSA actually gets to watch everything over their shoulders: backdoors into the networks of those that installed it, side-channel copies of all the surveillance etc.
Installing stolen NSA software obtained on the black market would be as smart as installing that cool new game downloaded from a warez folder found on a porn site.
- For the complete works of Shakespeare: cat
I am no fan of the surveillance state, but it is a very dangerous position if the US has no intelligence capabilities, while other countries do.
There has to be a balance of concerns and this leak is pushing too far, weakening the NSA too much. If this is done by a wannabe hero, please stop.
I would assume it is done by a foreign intelligence bureau though.
Likewise, I'm sure.
...who watches the watchers watching the watchers' watchers?
Snoop unto the NSA as they would snoop unto us!
The leak was data and exploit code from 2013 apparently... sure some of the 0days still work but nowhere near the latest and greatest.
Since 1994, when Ukraine established relations with NATO, and since 2008, when the Bush administration voiced support for Ukraine joining NATO.
https://en.wikipedia.org/wiki/...
Since then, the official US designation for Ukraine is a "major non-NATO ally" (MSNA):
https://en.wikipedia.org/wiki/...
You are welcome on my lawn.
"No, we swear the tool won't ever get out to the public! We 100% guarantee it!"
6 months later: "well... shit"
"Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
If the IT industry put out secure products with check and balances built into them, we wouldn't have to fear script kiddies or the NSA or another other nefarious group hacking into our personal or business systems.
OK - the NSA is a 'secret' agency accountable to a very small set of people. Those people are not intelligence experts.
How easy does anyone think that the NSA can pretty much do whatever they want and get away with it and not have the monitors get upset?
The time will come when they will be taken to task for the shenanigans, maybe soon, maybe later.
Meanwhile, the tools exposed are probably being used on corporations, universities, research institutes, congress members, lobbyists, and think tanks.
Maybe even the military.
Just how big this f-up is can be related to by sticking your member in an acetylene torch flame....
Ignore the elections or the change in the political leaders - this needs to be changed regardless of who calls themselves 'Presidente'.
So how does one fire every director/manager/leader of a bureauracracy and rebuild it? Do we have time?
And what about the problem of all the interlocking of the TLAs ? Homeland Security is a collection: CIA, FBI, DOJ, NSA, EPA, NRC, FEMA, and more...
All of them have to be fixed as well... or the problem comes back.
This is precisely why:
:-)
- Apple didn't want to release a tool to unlock iPhones.
- Back doors should never, ever, ever be required for any type of device.
- Encryption keys should never, ever, ever be given/managed by any government agency.
- Etc., etc., etc.
When will the masses wake up and realize that a large, controlling government will never be a good thing for freedom?
Ramley-out!
Seems unlikely. Most of what goes on in an NSA facility is going to be on an airgapped network behind EMF (tempest) shielding with armed guards. Their repositories of data just aren't going to be behind some simple firewall - they will be on isolated computers.
There are obviously computers within the NSA that are connected to the Internet for the purposes of carrying out their attacks and infiltrations but those same computers would not have access to NSA email or be directly connected to an internal network that has access to all of their tools - or they shouldn't be anyway. They would hopefully also be smart enough to not have any persistent data on those Internet connected computers - they would be wiped clean after every login session, perhaps VMs that boot off of clean images at the start of every session.
It's possible they make compromises in OPSEC for the sake of work efficiency but IMO, it's more likely that they have an insider exfiltrating data or a careless TAO operator violated OPSEC procedures and uploaded an entire toolkit to a C&C server (a C&C server would likely be a rented VPS or rented server at a colo).
Interesting. Though your wiki link states that Ukraine, Moldova, and Georgia are proposed members. I don't see that the language has ever actually passed in H.R.5782 - Ukraine Freedom Support Act of 2014 or other similarly named bills. Do you have a reference?
What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs
Yes, excatly! That is precisely what NSA does.
I don't give a rat's rectum about NSA spying on their own people. You can go to hell which ever way you want.
Now, what was your point again?
Indeed; if it's the only way our own government is ever held accountable for anything, well.. it's a damn shame, but it is what it is. It means people were not doing their jobs well at some level if it is really a problem.
Imagine the size of the balls on someone to actually hack the NSA. I can't even comprehend...
I'm not concerned at all about these tools being used to penetrate Joe Sixpack's computer.
I am, however, tickled pink that these tools will be used against the tools of the Government and Commerce.
Yes, you tools! Let's see what happens when your sordid affairs, your innermost secrets and every repulsive, nauseating detail of your rape of America for the past half century are revealed!
In other words, Commerce and Government, fuck you with a splintered phonepole. I hope it hurts every bit as bad as what you've done to this country.
(Provided this toolkit is as powerful as claimed, and its leak isn't some False Flag operation.)
The "Civilized World" jumped the shark ca. 1973.
It goes back before that. It was signed into law in October of 1992.
In 1992, George H.W. Bush signed the FREEDOM Support Act, which also started US economic support of Ukraine.
https://en.wikipedia.org/wiki/...
And the United States continues to support Ukraine membership in NATO.
You are welcome on my lawn.
A diversion from what?
If you talk about "coup junta in Ukraine" you're nothing but a Kremlin troll.
Paid or not paid, I have no idea, but you're still a Kremlin troll.
Catalin Braescu
Ofaly.com
But we do not judge the Manhattan project this way, because they didn't actually have a defense against nuclear weapons.
How do we know that? Maybe they were very, very good at keeping it secret and took the secret to their graves. #Conspiracy theories
There is wikileaks putting a bounty on the killer of dnc voter registration directory in IT.
The reality is its probably yet again an inside job done by people that look at snowden/drake/whistleblowing.
I'd be more interested in seeing an article on the massive hacking fraud of the blackbox voting machines with 0 paper trail and the statisticians that came out proving the math that said it was fraud. SLASHDOT WHERE IS OUR MATH AND COMPUTER INFO ARTICLES ON VOTER FRAUD VIA COMPUTERS?
I'm more worried that parts of my society might actually see exposing political parties' communications, as being akin to "meddling in our affairs" or even more absurdly as "intervening in our elections."
I hope that these people are lying, faux-outraged in an attempt to get their crappy party an emotional edge over another crappy party, but I fear they're being honest, every bit as disconnected as they claim to be.
"Believe me!" -- Donald Trump
Wait, so an agency that hacks/exploits into others people's devices and data traffic with complete disregard for due process doesn't like it when it happens to them? Say it ain't so Tommy!!
You don't get it. These jokers can only spy on us because they've purchased or discovered vulnerabilities in the systems we use. Instead of going all noble, protect the American citizen--their job--and notified the appropriate parties of these vulnerabilities they keep them for themselves to exploit wherever possible. An argument might be formulated in their defense if this was a one-sided deal. But, it's not, if they can discover/purchase these vulnerabilities so can others. If they can exploit them, so can others.
The more these types of agencies can have their curtains drawn back to expose their shenanigans the better. Its time to change the culture away from thinking the world is a grand RTS game with zero real world consequences. For the former generations I have a simple suggestion: "video games." It's time to give a sh*t about the people you're hurting. If you need to play your "Cloak and Dagger," "Master and Commander," "The Spy that Shagged Me" bullsh*t go buy yourself a console.
Two of my imaginary friends reproduced once
Looks like they got a taste of their own medicine and they don't like it a bit, just like us.
What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.
We are mostly okay with that because Capitalism. See Facebook, Microsoft, Google, Apple and Amazon. This time around it's just a different person looking to make a profit.
Until we as a society actually take a stand on privacy and stop sharing every meal and bowel movement with all of our friends, this kind of crap will always fly under the radar to "ZOMG Zac Efron at the olympics!"
Is that the NSA of all people knowing how vulnerable systems can be and then failing to seriously protect their own.
^^^^ couldn't agree more. That's the problem with the NSA. It has 2 charters. One is to secure, the other to spy, and they just don't mix like oil and water.
I'm starting to think this whole story is an NSA ploy. They're pretending to be worried about the toolkits, so more people will install this trojan horse.
...so I 'sploited your 'sploits so you can be 'sploited while you're 'sploiting.
Don't hold on to exploits with the idiotic belief that you're the only one who is going to ever have them. This is like a government agency that knows which dams are at risk of failing sitting on that information instead of telling the dam operator about the issues. Sure a few people "in the know" can use the info to get their assets out of harms way but it leaves the rest of the public (the people who pay their salaries) at risk. But I suppose who am I kidding, that is probably the point of the NSA, to give well connected individuals a leg up on their competition by utilizing publicly funded intelligence resources.
The inability to keep secrets in itself has nothing to do with morality. The nature of the secrets being kept does. We judge all these projects equally and your listed projects as well as many others come up far better than the NSA.
and damned if you don't.
IF this whole thing has any truth to it at all, the NSA has a serious dilemma.
In one hand, they have a bunch of tools complete with unpublished exploits now in the hands of the masses. ( oh noes ! )
In the other, they have a desire to keep their tools and unpublished exploits their dirty little secret so they can continue to spy on folks the easy way.
As the NSA, do you:
1) Keep your mouth shut and hope those exploits aren't used against unintended targets ( us ) in order to keep your push-button spy operation working
2) Inform the vendors of the exploits their tools are designed to utilize so they can get patched at the cost of losing all the work put into the tools so far
*My guess is they'll go with #1 and just blame this weeks boogey-man. ( Iran, China, Russia, Terrorists, Islam, Trump, Hillary, whatever )
This quote fits rather well: " Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should. -Ian "
Now that their jewels have been stolen, will they still remain so arrogant to NOT release all these vulnerabilities so they can be patched? Or will their ego allow thieves to make huge bank off their wounded pride, with the entire first world laid low by the devastation? Also, cue the right-wing to blame all of this on Snowden instead of the proper source.
Lastly, if the POTUS does not publicly demand the resignation of the senior management of this TLA, our suspicions will be confirmed: the NSA now answers to no one.
What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.
I'd be worried if the rest of society isn't worried. I mean, this is the same government that wants to weaken encryption for the rest of us. How the fuck can anyone swallow the pill of "oh, but only we will have access", when they cannot even keep their own shit secure???
The analogy works better like this:
There are an unknown amount of variations to the nuclear bomb, the Manhattan project discovered 3 variations with defenses against them that as far as they know, no one else knows about. They are left with the decision to release the defenses to the 3 variants for the public good or leverage the weapons ability to stop Hitler. Hitler may already know about all three and their weapon is useless but he might not know about them and after the three defenses are released he uses that knowledge to discover another one that we do not know about. Now we are vulnerable to the as of yet unknown 4th variant and we lose the war. Welcome to the United States of Nazi Germany.
The analogy obviously doesn't make any sense with the way physics works but it more closely reflects the problem we are faced with cyber security. You have to assume there are an infinite number of security holes and so you will never be 100% secure even if you publish all the vulnerabilities you find. This then presents the interesting dilemma, do I make the nation more secure by knowing what the enemy is doing by exploiting this vulnerability or by patching it not knowing whether my enemy knows about it? We can sit here and argue about specific vulnerabilities and whether they are wide reaching enough to cause significant damage to warrant public release but to say all vulnerabilities should be reported is foolish for any nation state to do.
The Gatling Gun. The Gatling Gun was "so fearsome" that it would "put an end to warfare".
The NSA created the weapons and now everyone has them. In so doing they directly contradicted their own mandate to make and keep the citizens safe. Will someone finally get fired at the NSA now? No, of course not. They undermine security, privacy, civil liberties and the constitution. Then they call it a day's work and go home satisfied. Just how incompetent do you have to be to work at the NSA these days? Inquiring minds want to know.
the loss of such security and stealth (eg privacy) has had chilling effects for the agency
lol
The vulnerability equities process, where lawyers decide whether to disclose to US citizens a vulnerability or keep it to themselves, seems pointless if NSA tools are going to leak to the black market anyway. This is yet another reason why the government cannot be trusted with defensive security measures, they are too conflicted about actually doing it.
So the spooks are running around like their hair is on fire screaming "who let my gremlins loose, I'll kill the bastard" instead of "why did I ever conjure those Gremlins up". Eh life is like that, so you thought nobody would know about your dirty little secrets and now your just scurrying about for someone to shift the blame on. Well shit happens when the septic tank explodes, everyone in range gets a sample and since your the closest you get the appropriate amount.
I have been wrestling with this quandary recently. Illegal activities performed by unknown perpetrators (Yes they are still unknown, no we don't know for sure they are Russians, put down the Kool Aid) have resulted in the first inkling of transparency the American people have seen from their government and their government officials in a long time. I'm a law-and-order kind of guy on most subjects. This concerns me greatly.
What has allowed me to sleep is simple. Whoever is making these leaks is acting not as an adversary, but an advocate. Their actions are those of an advocate of the people, not the government. Sadly, but truthfully, it is increasingly easy to draw the line between the government and the people, as our government treats the people like an enemy. Greater transparency, unveiling deception, getting emails into the public record before they can be deleted (Lois Lerner/IRS, Hillary, etc.) seems to be the only way the people can be assured that the truth is available after the fallout of a scandal. And it may be the only way to hold our government accountable for any illegal actions they perform.
When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
An important thing to note about NSA operations - they intentionally do not keep access logs. They do not allow for auditing tools or any other such nonsense. Claiming that such infrastructure will endanger security of operations. Now, they will try to figure out what/who/where. Good thing they know when: 3 years ago.
The NSA should make it its PRIMARY MISSION to warn industry about the exploits it finds rather than keep them secret for years while our foreign adversaries also utilize them to undermine us.
Fine let the NSA use newly discovered exploits for 90 days to give the US a head start in both fixing our own systems and exploiting the vulnerability, but then mandate that the NSA inform industry to fix the security vulnerabilities WITHOUT EXCEPTION.
Oh, my. What quaint naivete. Child, what makes you think the NSA is not sharing it's intel with it's corporate overlords? The fact that it isn't shared publicly? If you were in a position to do so, wouldn't you insist on an exclusivity clause? That's a huge competitive advantage, worth a fair chunk of change. Why in the world would you let that "investment" be squandered by some bullshit, social responsibility notion? Poke fun at my foil hat if you like, but for amount of money that we're talking about here, not much is really in the "too paranoid" category, and certainly not the notion that there are other customers of the NSA's output.
"No, we're fine with it."
It even feels good.
C|N>K
OPSEC was great for keeping East Germany and its decades of well placed next generation of graduate spies out.
The US gov has now been sold on the "cloud" at a city, state and federal level. Every agency has to share more contracts with the private sector, upgrade and share with friendly nations.
A lot of the more useful software is now created by contractors, rented back to the US gov, shared with other nations (5 eye and well beyond)
Lots of private sector and telco staff now have full access to and are working on that "rented server at a colo" to try and keep collection projects working 24/7 for years.
If too much is kept hidden from contractors, they go to political leaders and tell of how much the free market has to offer and that they want their great products considered too.
More outside experts are invited in, contractors get their products sold and everyone is happy. Cold war OPSEC hurts profits and is seen as talking points protecting old private sector monopolies. The gov has to be more open to the needs of new innovative, private sector consultants. Why should just a few no bid contracts be given out under the cover of decades of old OPSEC to the same few US brands? Lots of people with new security clearances have bight ideas to suggest... think of all the new well paying local jobs..
Domestic spying is now "Benign Information Gathering"
This is such a huge travesty for America. I mean trillions upon trillions in debt ALREADY and wait..
Some hackers pulled a Snowden and could at any moment sell their hacker apps on the mysterious and dangerous...
DEEP
DARK
WEB
OF
DOOM
stfu faggots. You ripped of America and now you want the public to join you in treason. Fuck all your mamas. You ain't gettin no warez back punks.
A more mature/adult discussion of this issue can be found at Schneier on Security.
When Apple said that if it made a special version of IOS that would bypass all the security features , that eventually it would be hacked which is why they would not do it, I guess they were right.
Capitalism, if you bothered bothered to read the theories and books instead of listening to what people want you to believe, has a specific role for the Government. Anti-Corruption. This includes a need for Government to protect against monopolization, racketeering, blackmail, bribery, and collusion to commit those crimes. Such that You and I can not collude to prevent other people from entering the market so that we are not technically a monopoly, but act as one.
Profit is not a bad thing, in fact it is the most normal part about any economy. It's instinctive to want profit. If you only hunted for equilibrium you would have starved to death at a Flood, or Fire, or illness, or injury, etc... Marxists and people who believe that ideology want people to believe it's bad to want profit, but they are morons who believe in a way of life where the people don't matter (except for themselves that is).
How about instead of being a horses ass and repeating all the negative crap the Progressives (aka Marxists) want you to, you study and come back to us with some facts. Facts like how all of the Socialist countries have been crumbling at the expense of the populace. You do know how bad unemployment rates are in every country in the EU right? Those are mild in comparison to the problems in China, Russia, Nigeria, Saudi Arabia, and countless other countries which morons like you attempt to look up to.
Snowden's leaks showed us the real problem with the NSA and the story continues.
You see, I don't think the problem with the NSA is all the the spying and data collection they do. After all they are an intelligence agency, spying is their job. Or actually half their job. The second half of their job is keeping secrets. And this is where they fail.
Just look at what Snowden, a simple subcontractor without external help managed to do. And now they leak their toolkits to random blackhat groups. No imagine what a big nation like China or Russia can do... that's scary.
I like the idea of "don't attribute to malice what you can attribute to stupidity". And right now, I think the NSA is stupid.
They are bloated, eating more data than they can chew. They seem to prioritize projects that gets them large budgets and jobs for their friends rather that doing actual security. Building massive datacenters to process massive amount of useless data, sure, that's big, that's important. Putting millions of people on "watch lists", sure, it will keep people busy. Implementing sensible security policies to actually keep secrets secret, boring.
It's funny how arrogant they think they are :)
+1 where are my mod points when I need them.
Imagine if the researchers of the Manhattan project not only discovered how to create a nuclear bomb, but also discovered a defense against nuclear weapons.
Nonono. Its far worse than that. Imagine the government build a nuclear weapon, and then let someone walk off with it. Individual exploits come and go, this is letting someone walk off with a MIRV ICBM. And now they are trying to sell it. On the Internet.
To the NSA: Dear god, you fuckups. Please call your friend over at the CIA who does wet work and black ops, and put these people who walked off with your software and put them into the ground before it gets sold to China or Russia. And then, have a review meeting with your people about the 'S' part of NSA.
HA! I just wasted some of your bandwidth with a frivolous sig!
People spy on NSA.
Requiem for the American Dream
That isn't fair criticism.
The facts are there was no provision for impeachment of a sitting president under their constitution at the time, and yet it happened.
It does not matter they guy was corrupt and in the pocket of the Russians, a coup is still a coup. The rule of law should matter. The people should live with the consequences of who they voted for or use a predefined process for impeachment or recall. You don't get to make one up after the fact.
We saw the same thing with the Muslim brotherhood in Egypt. Are the people there better off having removed them, oh probably but it was NOT legal or democratic.
What is even worse is in the case of both Ukraine and Egypt we violate our own laws and sacrifice our own integrity continuing to provide aide and honor treaties with these countries after these coups have occured, despite the fact our laws say we can't do that. We could/should probably recognize the new governments as new governments and consider it a diplomatic reset, but that is bad for business and our State Department / Congress is lazy and corrupt itself.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
That's why you install it in a VM, or an air gaped hardware network, possibly with a few computer with a NSA "ip" or US "ip" to see what is tried to be accessed. That is, if you care. Most black hat would not care, they are in to steal stuff to get money.
Nuclear bombs are hard to copy, you should add in that anyone could copy the bomb simply and easily and use it on anyone anywhere anytime.
It's only complicated because the NSA wants it to be complicated.
Hey, I get the institutional inertia, bureaucracy and the Need To Know stuff. But you know who is ultimately in charge of all that? The NSA. They either fix those things or deal with the consequences.
What's more, the NSA has an organizational level bias towards control, secrecy, wanting secrets that can control, and not wanting to share vulnerability information. The inside joke is that NSA stands for "Never Say Anything". You know who is in control of all that? The NSA...
Also, don't bother telling me how the NSA is actually a puppet that must do the bidding of their political masters. While there is some truth to this, here's another truth. The NSA has a seat at the Big Boy's Table. They are the ultimate insiders in establishment Washington. The NSA has a level of input that can adjust their mandate, adjust their funding, adjust the rules they operate under, all of it. The NSA actually has access to the levers of power and can change many of the rules of the game. They are not passive bystanders just doing what they are told.
We don't even have a complete set of corresponding source code 99.999995% of devices. Besides a handful of routers from ThinkPenguin the closest hope we have for fixing that is EOMA68. By modularizing key components we can cut the cost to design and manufacture devices while playing the companies designing key components like CPUs/SOCs off each other to obtain complete sets of code for all components needed to produce a given device. Crowd funding campaign here: https://www.crowdsupply.com/eo...
+1
If you have a backdoor, a key, or some other way to get into other peoples computers/device/files, then no matter how hard you try to keep it secret, it will eventually leak and become common knowledge, and be abused. (Assuming the original owner/discoverer wasn't already abusing it as well.)
This is why no security developer in the world that's worth even one molecule of salt will ever allow a backdoor or master key.
And hey, these guys now have a chunk of the NSA trove of nasty tricks, so even going blackmarket (not like they could sell it aboveboard) is bound to net them several million, assuming they don't get caught/shot beforehand.
How is life in Ukraine after you firstly lost Crimea, then the Donbass region, and finally you went bankrupt? Surely a wonderful track record for country that "chose" to go west (with a coup) and a very encouraging example for others to follow.
It shouldn't matter who the DNC leaker was. Blaming "the Ruskies" is just a diversion.
The question here isn't 'who leaked?', so much as 'if it's the Russians, what are they holding back?'
I'm a fan of leakers, but would prefer leaks from people who don't have a horse in the race. The age-old question 'cui bono?' (who benefits?) is a key element to establishing the value and completeness of a leak. I say this, by the way, as a professional journalist who has relied on leaks and whistleblowers for some big stories.
Crumb's Corollary: Never bring a knife to a bun fight.
Most of the rest of society is not American. We are, in fact, worried that a sophisticated adversary is meddling into our domestic affairs (via dictatorships and coups in Latin America and arming terrorists/"moderate rebels" in the Middle East).
And they would have gotten away with it too, if it weren't for those meddling kids.
The Shadow Brokers github repo was taken down but not before it was mirrored :)
https://github.com/nneonneo/eqgrp-free-file
Everything (that was made available in the sample tarball) is inside the Firewall folder.
Most of the human readable stuff is in Firewall/OPS and Firewall/SCRIPTS.
From the very little scanning I did, it seems most of the stuff is meant to attack Cisco PIX and Cisco ASA firewalls/routers.
There are quite a few scripts for preparing/setting up an ops terminal from which an antagonist can launch attacks.
One of the attack techniques involves instructing a pix/asa to fetch an implant over http (or ftp) from a web server running on an ops terminal.
So some of scripts install an http server (apache or tiny httpd) on the ops terminal.
The antagonist supplies the implant (the software bug) on the ops terminal.
Then they use vulnerabilities in the pix to instruct it to fetch the implant, upgrade the target's OS or load a module into the running system and then that gives them full access.
The binaries and implants are provided in the repo as well.
Which is how the current 'secure and breach' duality came into existence. Originally they were supposed to help gain intelligence on foreign signals while helping protect domestic infrastructure from similiar exploits or surveillance.
The problem is when the internet hit, they chose to try and compromise everyone, rather than secure everyone (since the internet causes 'domestic security' to translate to 'international and possibly adversarial security' as a result of the relative instantaneous communication it allows.
The problem however was there was no breach of sufficient scale to put the need for technical security even at the cost of foreign intelligence gathering as a priority, so instead they either passively learned, or actively induced security issues in major national and international software projects, which lead to a treasure trove of 0 days for them, but also increased the exploit potential for both foreign and domestic systems, resulting in a local breach compromising security for everyone, foreign and domestic.
The one who digs a pit for another will one day fall into it himself.
Hell, they probably got exploited by exploits they hoarded and were discovered independently.
But hey, remember folks, everything should have a Government-approved back door in it which only the Government can use, just in case they need access. It'll absolutely be secure...
Just like that time Microsoft thought the Clipper chip was a great idea and lost the master key to their entire Surface subscriber encrypted disks?
http://www.theregister.co.uk/2...
Make sure everyone's vote counts: Verified Voting
But we do not judge the Manhattan project this way, because they didn't actually have a defense against nuclear weapons.
How do we know that? Maybe they were very, very good at keeping it secret and took the secret to their leader Leslie Graves. #Conspiracy theories
There is more than one interpretation to your statement.
There is no more hostile agency.
...then there's nothing to worry about, NSA.
Bits and bytes can't hurt
...and you want to be my backdoor provider?
This couldn't happen to a nicer bunch of blokes.
As Bruce stated - either were all secure or none of us are.
Get up!
I think a better "public defense or private offense" analogy would be bioweapons:
1. An enemy can easily copy it if they get a sample.
2. They work based on secrets, against an unprepared population.
3. They can easily rebound and harm all the people you're supposed to defend.
4. Vaccinating all your own people would potentially reveal information that nullifies how well your weapons works on others.
Put in those terms, the NSA's choice to prioritize "offense" is even more odious.
Maybe they're our guys, maybe they're not.
Country A is full of citizens, businesses, and government orgs which routinely depend on working computers and networks. Country B is similar, but a little behind, because they're not as wealthy.
Both countries' citizens, businesses and government orgs pretty much run the same code. Same OSes, same big applications, etc.
For the most part, everyone's computers run pretty badly, and outages and various fuckup are frequent. Criminals in both countries are very happy with the situation. Both countries have a pretty easy time with espionage, but a nearly impossible problem with counter-espionage. Everyone can attack, but hardly anyone seems to be able to defend.
Well, they're about the same, but not exactly. In Country B, due to the lower tech, more people use cash, more things are done low-techy, etc. Computer crime isn't quite as easy there. Fewer government systems (both civilian and military) are vulnerable to cyber-attack simple because they're not as computerized. Fewer businesses depend on networks. The airlines' schedules in Country B are run by a guy who has a big notebook, but Country A has an airline schedule that's run in some datacenter.
A group of nerdy people figure out part of the problem with everyone's fucked up computers. Turn out, there are bugs in popular software. Sometimes the symptoms just happen (bad luck) and sometimes they are exploited by adversaries.
The nerds have to make a decision: "Do we tell software industry about the bugs and have them fixed, so that everyone (both our country and the other country) get a defense advantage? Or do we not talk about the bugs, thereby preserving everyone's attack advantage?"
The group of nerds chooses the latter, opting to not have the bugs fixed.
Tell me this: judging from the nerds' actions, which country do you infer they working for? Who has more to win or lose from the computers continuing to work so badly?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
It is so hilarious they got hacked. So much for the security of any "backdoor" access they want to be incorporated into our devices.
I'm just excited to see the Hollywood Movie to follow!
Personally, I hope they make such a massive mockery of the NSA that the entire department gets disbanded permanently. And hopefully most of the leaders end up in jail, or worse for treason.
Control is an illusion.
kanye west mode on
"they dont care about graphical interface people"
where are my fucking buttons man? how the fuck im supossed to use that thing to "hack" some chicks facebook account when you dont put buttons on the tools?
graphical interface people matters!!!
Why worry?
It's not like we can do anything about it anyway.
the NSA should have focused on monitoring foreign actors while helping to ensure that domestic institutions (companies, political parties, non-profits, and of course the population as a whole) have access to privacy and secure communications.
This conflicts with their mission to spy on Americans and help other agencies to spy on Americans.
Maybe NIST should be helping to provide private and secure communications ... oh, nevermind.
Yikes! Those tools will now be in the wrong hands.
Well, more wrong hands. (The NSA already had them.)
There's no time like the present. Well, the past used to be.