Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Worried About Implications of Leaked Toolkits (businessinsider.com)

Posted by msmash on from the irony-killing-itself dept.

Reader wierd_w writes: According to Business Insider, the NSA is worried about the possible scope of information leaked from the agency, after a group calling themselves the 'Shadow Brokers' absconded with a sizable trove of penetration tools and technical exploits, which it plans to sell on the black market. Among the concerns are worries that active operations may have been exposed. Business insider quotes an undisclosed source as stating the possibility of the loss of such security and stealth (eg privacy) has had chilling effects for the agency, as they attempt to determine the fullness and scope of the leak.
(Does anyone besides me feel a little tickled about the irony of the NSA complaining about chilling effects of possibly being monitored?)

34 of 272 comments (clear)

  1. No Farks Given on NSA feelings by HumanWiki · · Score: 5, Insightful

    Welcome to how the rest of society feels.

  2. Good work guys! by fuzzyfuzzyfungus · · Score: 5, Insightful

    Now, if you had just disclosed those vulnerabilities they could probably have been fixed by now. Instead, you failed at keeping them a secret and unknown unsavory parties have a handy trove of exploits ready to be used. I'm not sure that this is what "National Security" looks like, and that's kind of your job.

    1. Re:Good work guys! by Anonymous Coward · · Score: 5, Insightful

      Hell, they probably got exploited by exploits they hoarded and were discovered independently.

      But hey, remember folks, everything should have a Government-approved back door in it which only the Government can use, just in case they need access. It'll absolutely be secure...

  3. Re:Hate the NSA all you want by lastman71 · · Score: 3, Insightful

    But don't forget they're our guys.

    It's possible that you think they are your guys. But you should not suppose they are the everyone else guys. :)

  4. Your security services are under attack by vityok · · Score: 4, Insightful

    I don't really see anything funny or positive in the fact that one of your main intelligence services is under attack by a hostile power. And this attack is not clandestine, hidden from unwanted eyes, but it is made in public, so as to call NSA bluff and expose your country as a paper tiger.

    And this all is compounded by a poorly hidden active measures campaign to benefit one candidate and to destroy another.

    I believe that neither Schadenfreude nor sarcastic gleeing over a major f@ck up at the NSA are appropriate in this case, because want it or not, admit it or not, but your country is under attack by a powerful, sophisticated adversary. And it aint good. at all.

    1. Re:Your security services are under attack by Anonymous Coward · · Score: 5, Insightful

      Positive is a whole other thing, but really, you don't see it as funny?

      First, the NSA was doing something obviously-stupid on the face of it. Before a single American tax dollar was spent on developing this malware (or spent on intimidating the software industry into keeping our software and protocols insecure), any reasonably-competent "computer dude" knew that America itself was most likely to end up being the victim. (Of course, we spent the money anyway.)

      It's just another example of how we go to so much trouble to shoot ourselves in the foot, and every time we do it, we take away the lesson that we need a bigger gun. Sorry, but this is really is a true-life example of a joke that gets funnier the more times you tell it. Your grandkids are going to think this is hysterical, not merely funny.

      You say it's a foreign power doing this, and technically you're right. But they are robotically doing it, just as predicted. Ultimately, America made the choice for this to happen. This foreign power is (figuratively) our own proxy. The minimax solution path that we chose, included this move within it. We rejected solutions which did not include foreign powers taking advantage of the malware that we created. We rejected solutions where we ran decent OSes which weren't compatibile with malware, where encryption keys are exchanged directly whenever they can, and where public keys are introduced by trustworthy introducers. We want a world of malware, and our choices prove this.

      Second, there might be something you don't understand about America: we don't exactly think of our government as part of our country. (It's complicated.) If you attack our government, I think about 5 out of 10 Americans is ok with that. Our government is just another country, with whom we're sometimes adversaries and sometimes allied, but never ever loved or respected. The NSA isn't our security service; it's someone else's.

    2. Re:Your security services are under attack by Anonymous Coward · · Score: 4, Insightful

      ...your country is under attack...

      It stopped being "my" country when it started keeping secrets in order to aggregate power. "My" country is run by the people, for the people, and of the people.

    3. Re:Your security services are under attack by AmiMoJo · · Score: 4, Insightful

      I think most of us had assumed it was happening already. If Snowden could get in and pilfer so much material, an well resourced and skilled adversary such as China or Russia certainly could too. This is merely confirmation.

      Some good may come of it. We will patch some vulnerabilities, add some new malware detection signatures. We will see some of their techniques and learn to defend against them. And it should put some pressure on the government to reign them in a bit.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Your security services are under attack by StormReaver · · Score: 5, Insightful

      I don't really see anything funny or positive in the fact that one of your main intelligence services is under attack by a hostile power.

      Then you're not looking very hard. This is the best possible event for the defense of online freedom, for our Government has just proven that the world's most advanced security agency can't defend against online intrusion. It is the most powerful argument for unfettered end-to-end encryption that we could have possibly hoped for.

      If it is hopeless for the NSA to secure unencrypted data, then it is also hopeless for everyone else to do the same. Therefore, powerful encryption is not only wise, it is necessary. All those Congress-critters and Government agencies calling for back doors, golden keys, and weakened encryption algorithms are actively aiding and abetting terrorists, child pornographers, pedophiles, and enemy governments.

      This is the smoking gun that proves the essentialness of strong end-to-end encryption.

    5. Re:Your security services are under attack by Plugh · · Score: 5, Informative

      It stopped being "my" country when it started keeping secrets in order to aggregate power. "My" country is run by the people, for the people, and of the people.

      Many of us feel the same way, and are concentrating our efforts in one small geographic distribution. We've elected dozens into the State legislature and many more municipally across the state. Maybe you should vote with your feet. Free State Project

      --
      Part of the Second American Revolution!
    6. Re:Your security services are under attack by Gravis+Zero · · Score: 4, Insightful

      I don't really see anything funny or positive in the fact that one of your main intelligence services is under attack by a hostile power. And this attack is not clandestine, hidden from unwanted eyes, but it is made in public,

      it's not the NSA that is under attack, it's the entire world. when you create an exploit, you create a weapon but when you submit a fix, you make that weapon ineffective. so now instead of have the world's best armor, we have an absurd cache of weapons and those weapons have been stolen. the moral isn't to protect your weapons better, it's that you should be making better armor.

      --
      Anons need not reply. Questions end with a question mark.
    7. Re:Your security services are under attack by sjames · · Score: 4, Insightful

      It also demonstrates once and for all that creating a gold key to all the things and trusting a government agency to never leak it is folly.

  5. Duh? by Anonymous Coward · · Score: 4, Insightful

    The essense of malware is that you offer software to someone else, in hopes that they run it. It's impossible to not realize that when you offer someone this software, not only might they run it to hurt themselves, but they might also offer it to others (maybe back to your own allies), to hurt them. Malware isn't something you can ever "keep" if you intend to use it against others.

    It kind of reminds me of biological weapons. You gave the enemy Anthrax? Great, now your enemy has Anthrax. You'll be seeing that exact same strain of Anthrax again.

  6. Re:Why do you speak on behalf of the rest of socie by Anonymous Coward · · Score: 4, Insightful

    What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.

    It shouldn't matter who the DNC leaker was. Blaming "the Ruskies" is just a diversion.

  7. Re:Manhattan project also failed to keep its secre by fuzzyfuzzyfungus · · Score: 5, Insightful

    The problem here is that the NSA deliberately sacrificed the opportunity to improve our security in order to retain the effectiveness of their toys and couldn't keep them from being directly pilfered, much less independently discovered.

    If, hypothetically, the Manhattan Project had squandered the opportunity to make us nuke-resistant in order to preserve the utility of their weapon; then, yes, I'd say that they screwed up pretty atrociously. The difference, of course, is that no such option existed, while the process of disclosing bugs to vendors is very much an option.

    The "you aren't the only ones who could exploit those vulnerabilities" argument was previously largely hypothetical; now, not so much.

  8. Re:Why do you speak on behalf of the rest of socie by HumanWiki · · Score: 3, Insightful

    What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.

    Then see my initial comment of 0 farks given. You think that inside info from TLA places like that hasn't been used against people internally already? It's about time that these organizations and the people in charge get outed and embarrassed. There's been too much power, corruption and insider BS for too long now and it needs to be balanced out.

  9. Criminals now have superior tools by ITRambo · · Score: 3, Insightful

    The stolen hacks will be used by adversarial governments and criminals to silently move onto almost anyone's computer. Thanks NSA, for the upcoming super-malware.

  10. Still not conviced by Mysticalfruit · · Score: 3, Interesting

    I'm still not convinced this isn't some sort of odd false flag operation.

    Imagine you're the NSA and you've been unable to get inside of some other countries likely air gapped cyber security operation... putting some juicy tools out there they're likely to snatch up and play with at least get you to see who the players are and maybe these tools work maybe they blow up... As for the vulnerabilities, with so many people playing this game, any vulnerability not found by the NSA is likely to be found by some other organization.

    Even the vulnerabilities could be snares... I'm suspect of all of this and think it's just part of a big ruse.

    --
    Yes Francis, the world has gone crazy.
  11. Re:Why do you speak on behalf of the rest of socie by Nidi62 · · Score: 5, Insightful

    What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.

    They got what they deserve. Instead of monitoring every single American and putting backdoors in every program they can, the NSA should have focused on monitoring foreign actors while helping to ensure that domestic institutions (companies, political parties, non-profits, and of course the population as a whole) have access to privacy and secure communications. The NSA should be the national equivalent of an IT security department. Leave the detection and investigation of domestic bad actors to the FBI(if you run across any domestic malfeasance then by all means pass it along but don't go looking for it specifically) and coordinate with the CIA when it comes to foreign actors. Develop tools and programs to protect Americans-and this is important: your job is to protect Americans (the people) not "America"- and their homes, not to watch them in them.

    --
    The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  12. Re:Infowar equivaltent of M.A.D. by PPH · · Score: 5, Insightful

    But Shadow Brokers isn't an agent of a nation with a lot to lose like the NSA is. MAD only works if both sides have a lot to lose. Neither will want to start a war. This is like a major power versus a crazy guy who just happens to have a nuke in his tool shed.

    I'm not arguing for major powers alone possessing such tools. Unlike nukes, these can be built by poorly funded but highly educated groups. The NSA should have prioritized its mission to ensure that we (gov't and private entities alike) would have adequate defenses above deploying this stuff.

    --
    Have gnu, will travel.
  13. We are probably talking about different things by vityok · · Score: 3, Insightful

    My worry is that the NSA is likely penetrated by moles or it was successfully penetrated by foreign hackers. Regardless of the actual way those files were exfiltrated, this public stunt is nothing less than a public attack on one of your main intelligence services, by a foreign adversary, a brutal undemocratic and illiberal regime.

    The fact that the NSA is under attack (and a public one) is what worries me, not that a bunch of 0-days is made public (and some of them are already fixed).

    1. Re:We are probably talking about different things by Nidi62 · · Score: 3, Insightful

      My worry is that the NSA is likely penetrated by moles or it was successfully penetrated by foreign hackers.

      Wikipedia estimates that 30-40k people work for the NSA. Some of those people are bound to not be happy with the direction the NSA has taken over the past few years.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  14. And yet another reason to run NSA proof encryption by Indy1 · · Score: 4, Insightful

    Its no longer just fed.gov you're trying to defend against, its all the script kiddies now running around with fed.gov's latest and greatest exploit toys.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  15. Re:Manhattan project also failed to keep its secre by MobyDisk · · Score: 5, Insightful

    Imagine if the researchers of the Manhattan project not only discovered how to create a nuclear bomb, but also discovered a defense against nuclear weapons. Then, rather than telling anyone about the defense, they tried to keep it a secret so they alone could use the bomb. That would have been incredibly foolish! But we do not judge the Manhattan project this way, because they didn't actually have a defense against nuclear weapons.

    Yet the NSA did. They found security bugs, created exploits for them, then refused to disclose the bugs to vendors so they could be fixed. This intentionally left their own country vulnerable to attack. The security community beseeched them to release this information, and warned them that others could find these exploits too and use them. But the NSA figured that nobody else was as smart as they were and so no one else could discover these exploits. They have been proven wrong.

    And that is why we judge them somewhat differently.

  16. Re:Karma by McLae · · Score: 5, Insightful

    Live by the hack, die by the hack.

  17. Re:I still think by rainmouse · · Score: 4, Insightful

    ...if you buy this you can spy on us and we can't do anything about it, pinky swear".

    So they were sitting on a pile of zero day exploits and rather than making the internet a safer place they kept them for personal use.
    I will laugh myself sick if it turns out they were breached by one of the very zero day exploits they decided not to report to the product owner for fixing.

  18. Tojan detected! by hoggoth · · Score: 4, Insightful

    The NSA is a riddle, wrapped in a mystery, inside an enigma. This whole things smells fishy. "bad actors" will buy this software on the black market, use it to spy on other people all the while the NSA actually gets to watch everything over their shoulders: backdoors into the networks of those that installed it, side-channel copies of all the surveillance etc.

    Installing stolen NSA software obtained on the black market would be as smart as installing that cool new game downloaded from a warez folder found on a porn site.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  19. Re:Hate the NSA all you want by TangoMargarine · · Score: 4, Insightful

    I'm more worried about "our" guys these days than any foreign country. The government has a much easier time fucking me personally over than Russia, China, etc.

    --
    Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  20. Re:"Right! That DOES It!" by FatdogHaiku · · Score: 4, Funny

    Let's face it, not being on the list is noteworthy enough to have you put on a list... so at least you avoided that!

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  21. Re:Why do you speak on behalf of the rest of socie by PopeRatzo · · Score: 4, Informative

    Since when is Ukraine a US ally?

    Since 1994, when Ukraine established relations with NATO, and since 2008, when the Bush administration voiced support for Ukraine joining NATO.

    https://en.wikipedia.org/wiki/...

    Since then, the official US designation for Ukraine is a "major non-NATO ally" (MSNA):

    https://en.wikipedia.org/wiki/...

    --
    You are welcome on my lawn.
  22. Remember this next time the FBI sues Apple by GrandCow · · Score: 5, Informative

    "No, we swear the tool won't ever get out to the public! We 100% guarantee it!"

    6 months later: "well... shit"

    --
    "Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
  23. Precisely Why... by Ramley · · Score: 5, Insightful

    This is precisely why:

    - Apple didn't want to release a tool to unlock iPhones.
    - Back doors should never, ever, ever be required for any type of device.
    - Encryption keys should never, ever, ever be given/managed by any government agency.
    - Etc., etc., etc.

    When will the masses wake up and realize that a large, controlling government will never be a good thing for freedom?
    Ramley-out! :-)

  24. The $570 million dollar question by ThatsNotPudding · · Score: 4, Insightful

    Now that their jewels have been stolen, will they still remain so arrogant to NOT release all these vulnerabilities so they can be patched? Or will their ego allow thieves to make huge bank off their wounded pride, with the entire first world laid low by the devastation? Also, cue the right-wing to blame all of this on Snowden instead of the proper source.

    Lastly, if the POTUS does not publicly demand the resignation of the senior management of this TLA, our suspicions will be confirmed: the NSA now answers to no one.

  25. Re:Why do you speak on behalf of the rest of socie by DarkOx · · Score: 3, Interesting

    That isn't fair criticism.

    The facts are there was no provision for impeachment of a sitting president under their constitution at the time, and yet it happened.

    It does not matter they guy was corrupt and in the pocket of the Russians, a coup is still a coup. The rule of law should matter. The people should live with the consequences of who they voted for or use a predefined process for impeachment or recall. You don't get to make one up after the fact.

    We saw the same thing with the Muslim brotherhood in Egypt. Are the people there better off having removed them, oh probably but it was NOT legal or democratic.

    What is even worse is in the case of both Ukraine and Egypt we violate our own laws and sacrifice our own integrity continuing to provide aide and honor treaties with these countries after these coups have occured, despite the fact our laws say we can't do that. We could/should probably recognize the new governments as new governments and consider it a diplomatic reset, but that is bad for business and our State Department / Congress is lazy and corrupt itself.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html