Slashdot Mirror
NSA Worried About Implications of Leaked Toolkits (businessinsider.com)
Reader wierd_w writes: According to Business Insider, the NSA is worried about the possible scope of information leaked from the agency, after a group calling themselves the 'Shadow Brokers' absconded with a sizable trove of penetration tools and technical exploits, which it plans to sell on the black market. Among the concerns are worries that active operations may have been exposed. Business insider quotes an undisclosed source as stating the possibility of the loss of such security and stealth (eg privacy) has had chilling effects for the agency, as they attempt to determine the fullness and scope of the leak.
(Does anyone besides me feel a little tickled about the irony of the NSA complaining about chilling effects of possibly being monitored?)
(Does anyone besides me feel a little tickled about the irony of the NSA complaining about chilling effects of possibly being monitored?)
It's a trap
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Welcome to how the rest of society feels.
Now, if you had just disclosed those vulnerabilities they could probably have been fixed by now. Instead, you failed at keeping them a secret and unknown unsavory parties have a handy trove of exploits ready to be used. I'm not sure that this is what "National Security" looks like, and that's kind of your job.
But don't forget they're our guys.
It's possible that you think they are your guys. But you should not suppose they are the everyone else guys. :)
I don't really see anything funny or positive in the fact that one of your main intelligence services is under attack by a hostile power. And this attack is not clandestine, hidden from unwanted eyes, but it is made in public, so as to call NSA bluff and expose your country as a paper tiger.
And this all is compounded by a poorly hidden active measures campaign to benefit one candidate and to destroy another.
I believe that neither Schadenfreude nor sarcastic gleeing over a major f@ck up at the NSA are appropriate in this case, because want it or not, admit it or not, but your country is under attack by a powerful, sophisticated adversary. And it aint good. at all.
The essense of malware is that you offer software to someone else, in hopes that they run it. It's impossible to not realize that when you offer someone this software, not only might they run it to hurt themselves, but they might also offer it to others (maybe back to your own allies), to hurt them. Malware isn't something you can ever "keep" if you intend to use it against others.
It kind of reminds me of biological weapons. You gave the enemy Anthrax? Great, now your enemy has Anthrax. You'll be seeing that exact same strain of Anthrax again.
What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.
It shouldn't matter who the DNC leaker was. Blaming "the Ruskies" is just a diversion.
The problem here is that the NSA deliberately sacrificed the opportunity to improve our security in order to retain the effectiveness of their toys and couldn't keep them from being directly pilfered, much less independently discovered.
If, hypothetically, the Manhattan Project had squandered the opportunity to make us nuke-resistant in order to preserve the utility of their weapon; then, yes, I'd say that they screwed up pretty atrociously. The difference, of course, is that no such option existed, while the process of disclosing bugs to vendors is very much an option.
The "you aren't the only ones who could exploit those vulnerabilities" argument was previously largely hypothetical; now, not so much.
What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.
Then see my initial comment of 0 farks given. You think that inside info from TLA places like that hasn't been used against people internally already? It's about time that these organizations and the people in charge get outed and embarrassed. There's been too much power, corruption and insider BS for too long now and it needs to be balanced out.
Instead of worrying about things like the democratic process being broken as demonstrated by the leaks, you are worried about the source of the leaks.
Yeah, I worry about the rest of society but more that they think like you do.
History is a pretty good crystal ball for everything going on. I won't give you any lessons here, you seem content or frightened so remain ignorant. I will simply state that all weapons through history, including espionage devices used for weaponry, have moved from place to place. All political systems have been full of corruption, and it never ends well for the populace. You are focusing on the first, instead of the latter. I have no confidence that you care given the point you are contending.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
The stolen hacks will be used by adversarial governments and criminals to silently move onto almost anyone's computer. Thanks NSA, for the upcoming super-malware.
I'm still not convinced this isn't some sort of odd false flag operation.
Imagine you're the NSA and you've been unable to get inside of some other countries likely air gapped cyber security operation... putting some juicy tools out there they're likely to snatch up and play with at least get you to see who the players are and maybe these tools work maybe they blow up... As for the vulnerabilities, with so many people playing this game, any vulnerability not found by the NSA is likely to be found by some other organization.
Even the vulnerabilities could be snares... I'm suspect of all of this and think it's just part of a big ruse.
Yes Francis, the world has gone crazy.
What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.
They got what they deserve. Instead of monitoring every single American and putting backdoors in every program they can, the NSA should have focused on monitoring foreign actors while helping to ensure that domestic institutions (companies, political parties, non-profits, and of course the population as a whole) have access to privacy and secure communications. The NSA should be the national equivalent of an IT security department. Leave the detection and investigation of domestic bad actors to the FBI(if you run across any domestic malfeasance then by all means pass it along but don't go looking for it specifically) and coordinate with the CIA when it comes to foreign actors. Develop tools and programs to protect Americans-and this is important: your job is to protect Americans (the people) not "America"- and their homes, not to watch them in them.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
But Shadow Brokers isn't an agent of a nation with a lot to lose like the NSA is. MAD only works if both sides have a lot to lose. Neither will want to start a war. This is like a major power versus a crazy guy who just happens to have a nuke in his tool shed.
I'm not arguing for major powers alone possessing such tools. Unlike nukes, these can be built by poorly funded but highly educated groups. The NSA should have prioritized its mission to ensure that we (gov't and private entities alike) would have adequate defenses above deploying this stuff.
Have gnu, will travel.
My worry is that the NSA is likely penetrated by moles or it was successfully penetrated by foreign hackers. Regardless of the actual way those files were exfiltrated, this public stunt is nothing less than a public attack on one of your main intelligence services, by a foreign adversary, a brutal undemocratic and illiberal regime.
The fact that the NSA is under attack (and a public one) is what worries me, not that a bunch of 0-days is made public (and some of them are already fixed).
Its no longer just fed.gov you're trying to defend against, its all the script kiddies now running around with fed.gov's latest and greatest exploit toys.
Lawyers, MBA's, RIAA? A jedi fears not these things!
Imagine if the researchers of the Manhattan project not only discovered how to create a nuclear bomb, but also discovered a defense against nuclear weapons. Then, rather than telling anyone about the defense, they tried to keep it a secret so they alone could use the bomb. That would have been incredibly foolish! But we do not judge the Manhattan project this way, because they didn't actually have a defense against nuclear weapons.
Yet the NSA did. They found security bugs, created exploits for them, then refused to disclose the bugs to vendors so they could be fixed. This intentionally left their own country vulnerable to attack. The security community beseeched them to release this information, and warned them that others could find these exploits too and use them. But the NSA figured that nobody else was as smart as they were and so no one else could discover these exploits. They have been proven wrong.
And that is why we judge them somewhat differently.
Live by the hack, die by the hack.
"This is not a joking matter. You're ALL on a list, now!
Oh, damn!
I'm on the bloody list now, too."
"Flyin' in just a sweet place,
Never been known to fail..."
The NSA is a riddle, wrapped in a mystery, inside an enigma. This whole things smells fishy. "bad actors" will buy this software on the black market, use it to spy on other people all the while the NSA actually gets to watch everything over their shoulders: backdoors into the networks of those that installed it, side-channel copies of all the surveillance etc.
Installing stolen NSA software obtained on the black market would be as smart as installing that cool new game downloaded from a warez folder found on a porn site.
- For the complete works of Shakespeare: cat
I'm more worried about "our" guys these days than any foreign country. The government has a much easier time fucking me personally over than Russia, China, etc.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
Since 1994, when Ukraine established relations with NATO, and since 2008, when the Bush administration voiced support for Ukraine joining NATO.
https://en.wikipedia.org/wiki/...
Since then, the official US designation for Ukraine is a "major non-NATO ally" (MSNA):
https://en.wikipedia.org/wiki/...
You are welcome on my lawn.
"No, we swear the tool won't ever get out to the public! We 100% guarantee it!"
6 months later: "well... shit"
"Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
This is precisely why:
:-)
- Apple didn't want to release a tool to unlock iPhones.
- Back doors should never, ever, ever be required for any type of device.
- Encryption keys should never, ever, ever be given/managed by any government agency.
- Etc., etc., etc.
When will the masses wake up and realize that a large, controlling government will never be a good thing for freedom?
Ramley-out!
I'm not concerned at all about these tools being used to penetrate Joe Sixpack's computer.
I am, however, tickled pink that these tools will be used against the tools of the Government and Commerce.
Yes, you tools! Let's see what happens when your sordid affairs, your innermost secrets and every repulsive, nauseating detail of your rape of America for the past half century are revealed!
In other words, Commerce and Government, fuck you with a splintered phonepole. I hope it hurts every bit as bad as what you've done to this country.
(Provided this toolkit is as powerful as claimed, and its leak isn't some False Flag operation.)
The "Civilized World" jumped the shark ca. 1973.
It goes back before that. It was signed into law in October of 1992.
In 1992, George H.W. Bush signed the FREEDOM Support Act, which also started US economic support of Ukraine.
https://en.wikipedia.org/wiki/...
And the United States continues to support Ukraine membership in NATO.
You are welcome on my lawn.
But we do not judge the Manhattan project this way, because they didn't actually have a defense against nuclear weapons.
How do we know that? Maybe they were very, very good at keeping it secret and took the secret to their graves. #Conspiracy theories
and damned if you don't.
IF this whole thing has any truth to it at all, the NSA has a serious dilemma.
In one hand, they have a bunch of tools complete with unpublished exploits now in the hands of the masses. ( oh noes ! )
In the other, they have a desire to keep their tools and unpublished exploits their dirty little secret so they can continue to spy on folks the easy way.
As the NSA, do you:
1) Keep your mouth shut and hope those exploits aren't used against unintended targets ( us ) in order to keep your push-button spy operation working
2) Inform the vendors of the exploits their tools are designed to utilize so they can get patched at the cost of losing all the work put into the tools so far
*My guess is they'll go with #1 and just blame this weeks boogey-man. ( Iran, China, Russia, Terrorists, Islam, Trump, Hillary, whatever )
This quote fits rather well: " Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should. -Ian "
Now that their jewels have been stolen, will they still remain so arrogant to NOT release all these vulnerabilities so they can be patched? Or will their ego allow thieves to make huge bank off their wounded pride, with the entire first world laid low by the devastation? Also, cue the right-wing to blame all of this on Snowden instead of the proper source.
Lastly, if the POTUS does not publicly demand the resignation of the senior management of this TLA, our suspicions will be confirmed: the NSA now answers to no one.
The vulnerability equities process, where lawyers decide whether to disclose to US citizens a vulnerability or keep it to themselves, seems pointless if NSA tools are going to leak to the black market anyway. This is yet another reason why the government cannot be trusted with defensive security measures, they are too conflicted about actually doing it.
When Apple said that if it made a special version of IOS that would bypass all the security features , that eventually it would be hacked which is why they would not do it, I guess they were right.
Snowden's leaks showed us the real problem with the NSA and the story continues.
You see, I don't think the problem with the NSA is all the the spying and data collection they do. After all they are an intelligence agency, spying is their job. Or actually half their job. The second half of their job is keeping secrets. And this is where they fail.
Just look at what Snowden, a simple subcontractor without external help managed to do. And now they leak their toolkits to random blackhat groups. No imagine what a big nation like China or Russia can do... that's scary.
I like the idea of "don't attribute to malice what you can attribute to stupidity". And right now, I think the NSA is stupid.
They are bloated, eating more data than they can chew. They seem to prioritize projects that gets them large budgets and jobs for their friends rather that doing actual security. Building massive datacenters to process massive amount of useless data, sure, that's big, that's important. Putting millions of people on "watch lists", sure, it will keep people busy. Implementing sensible security policies to actually keep secrets secret, boring.
That isn't fair criticism.
The facts are there was no provision for impeachment of a sitting president under their constitution at the time, and yet it happened.
It does not matter they guy was corrupt and in the pocket of the Russians, a coup is still a coup. The rule of law should matter. The people should live with the consequences of who they voted for or use a predefined process for impeachment or recall. You don't get to make one up after the fact.
We saw the same thing with the Muslim brotherhood in Egypt. Are the people there better off having removed them, oh probably but it was NOT legal or democratic.
What is even worse is in the case of both Ukraine and Egypt we violate our own laws and sacrifice our own integrity continuing to provide aide and honor treaties with these countries after these coups have occured, despite the fact our laws say we can't do that. We could/should probably recognize the new governments as new governments and consider it a diplomatic reset, but that is bad for business and our State Department / Congress is lazy and corrupt itself.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html