Slashdot Mirror
NSA Worried About Implications of Leaked Toolkits (businessinsider.com)
Reader wierd_w writes: According to Business Insider, the NSA is worried about the possible scope of information leaked from the agency, after a group calling themselves the 'Shadow Brokers' absconded with a sizable trove of penetration tools and technical exploits, which it plans to sell on the black market. Among the concerns are worries that active operations may have been exposed. Business insider quotes an undisclosed source as stating the possibility of the loss of such security and stealth (eg privacy) has had chilling effects for the agency, as they attempt to determine the fullness and scope of the leak.
(Does anyone besides me feel a little tickled about the irony of the NSA complaining about chilling effects of possibly being monitored?)
(Does anyone besides me feel a little tickled about the irony of the NSA complaining about chilling effects of possibly being monitored?)
Welcome to how the rest of society feels.
Now, if you had just disclosed those vulnerabilities they could probably have been fixed by now. Instead, you failed at keeping them a secret and unknown unsavory parties have a handy trove of exploits ready to be used. I'm not sure that this is what "National Security" looks like, and that's kind of your job.
The problem here is that the NSA deliberately sacrificed the opportunity to improve our security in order to retain the effectiveness of their toys and couldn't keep them from being directly pilfered, much less independently discovered.
If, hypothetically, the Manhattan Project had squandered the opportunity to make us nuke-resistant in order to preserve the utility of their weapon; then, yes, I'd say that they screwed up pretty atrociously. The difference, of course, is that no such option existed, while the process of disclosing bugs to vendors is very much an option.
The "you aren't the only ones who could exploit those vulnerabilities" argument was previously largely hypothetical; now, not so much.
What if the rest of society is really worried over the fact that a sophisticated adversary is meddling into your domestic affairs (via DNCLeak and DCLeaks, incl Wikileaks) and at the same time confronts one of your main intelligence agencies in public, calling it bluff.
They got what they deserve. Instead of monitoring every single American and putting backdoors in every program they can, the NSA should have focused on monitoring foreign actors while helping to ensure that domestic institutions (companies, political parties, non-profits, and of course the population as a whole) have access to privacy and secure communications. The NSA should be the national equivalent of an IT security department. Leave the detection and investigation of domestic bad actors to the FBI(if you run across any domestic malfeasance then by all means pass it along but don't go looking for it specifically) and coordinate with the CIA when it comes to foreign actors. Develop tools and programs to protect Americans-and this is important: your job is to protect Americans (the people) not "America"- and their homes, not to watch them in them.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
But Shadow Brokers isn't an agent of a nation with a lot to lose like the NSA is. MAD only works if both sides have a lot to lose. Neither will want to start a war. This is like a major power versus a crazy guy who just happens to have a nuke in his tool shed.
I'm not arguing for major powers alone possessing such tools. Unlike nukes, these can be built by poorly funded but highly educated groups. The NSA should have prioritized its mission to ensure that we (gov't and private entities alike) would have adequate defenses above deploying this stuff.
Have gnu, will travel.
Imagine if the researchers of the Manhattan project not only discovered how to create a nuclear bomb, but also discovered a defense against nuclear weapons. Then, rather than telling anyone about the defense, they tried to keep it a secret so they alone could use the bomb. That would have been incredibly foolish! But we do not judge the Manhattan project this way, because they didn't actually have a defense against nuclear weapons.
Yet the NSA did. They found security bugs, created exploits for them, then refused to disclose the bugs to vendors so they could be fixed. This intentionally left their own country vulnerable to attack. The security community beseeched them to release this information, and warned them that others could find these exploits too and use them. But the NSA figured that nobody else was as smart as they were and so no one else could discover these exploits. They have been proven wrong.
And that is why we judge them somewhat differently.
Live by the hack, die by the hack.
Positive is a whole other thing, but really, you don't see it as funny?
First, the NSA was doing something obviously-stupid on the face of it. Before a single American tax dollar was spent on developing this malware (or spent on intimidating the software industry into keeping our software and protocols insecure), any reasonably-competent "computer dude" knew that America itself was most likely to end up being the victim. (Of course, we spent the money anyway.)
It's just another example of how we go to so much trouble to shoot ourselves in the foot, and every time we do it, we take away the lesson that we need a bigger gun. Sorry, but this is really is a true-life example of a joke that gets funnier the more times you tell it. Your grandkids are going to think this is hysterical, not merely funny.
You say it's a foreign power doing this, and technically you're right. But they are robotically doing it, just as predicted. Ultimately, America made the choice for this to happen. This foreign power is (figuratively) our own proxy. The minimax solution path that we chose, included this move within it. We rejected solutions which did not include foreign powers taking advantage of the malware that we created. We rejected solutions where we ran decent OSes which weren't compatibile with malware, where encryption keys are exchanged directly whenever they can, and where public keys are introduced by trustworthy introducers. We want a world of malware, and our choices prove this.
Second, there might be something you don't understand about America: we don't exactly think of our government as part of our country. (It's complicated.) If you attack our government, I think about 5 out of 10 Americans is ok with that. Our government is just another country, with whom we're sometimes adversaries and sometimes allied, but never ever loved or respected. The NSA isn't our security service; it's someone else's.
"No, we swear the tool won't ever get out to the public! We 100% guarantee it!"
6 months later: "well... shit"
"Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
This is precisely why:
:-)
- Apple didn't want to release a tool to unlock iPhones.
- Back doors should never, ever, ever be required for any type of device.
- Encryption keys should never, ever, ever be given/managed by any government agency.
- Etc., etc., etc.
When will the masses wake up and realize that a large, controlling government will never be a good thing for freedom?
Ramley-out!
I don't really see anything funny or positive in the fact that one of your main intelligence services is under attack by a hostile power.
Then you're not looking very hard. This is the best possible event for the defense of online freedom, for our Government has just proven that the world's most advanced security agency can't defend against online intrusion. It is the most powerful argument for unfettered end-to-end encryption that we could have possibly hoped for.
If it is hopeless for the NSA to secure unencrypted data, then it is also hopeless for everyone else to do the same. Therefore, powerful encryption is not only wise, it is necessary. All those Congress-critters and Government agencies calling for back doors, golden keys, and weakened encryption algorithms are actively aiding and abetting terrorists, child pornographers, pedophiles, and enemy governments.
This is the smoking gun that proves the essentialness of strong end-to-end encryption.
It stopped being "my" country when it started keeping secrets in order to aggregate power. "My" country is run by the people, for the people, and of the people.
Many of us feel the same way, and are concentrating our efforts in one small geographic distribution. We've elected dozens into the State legislature and many more municipally across the state. Maybe you should vote with your feet. Free State Project
Part of the Second American Revolution!