Slashdot Mirror


NSA Opens GitHub Account, Lists 32 Projects Developed By the Agency (thehackernews.com)

An anonymous reader quotes a report from The Hacker News: The National Security Agency (NSA) -- the United States intelligence agency which is known for its secrecy and working in the dark -- has finally joined GitHub and launched an official GitHub page. GitHub is an online service designed for sharing code amongst programmers and the open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are "coming soon." "The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace," the agency wrote on the program's page. "OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community's enhancements to the technology." Many of the projects the agency listed are years old and have been available on the Internet for some time. For example, SELinux (Security-Enhanced Linux) has been part of the Linux kernel for years.

64 comments

  1. Not the first by blueg3 · · Score: 4, Funny

    FYI, they've had things on Github for a while. Just maybe not under the NSA name.

    1. Re:Not the first by Frosty Piss · · Score: 1

      I'm sure there are a few of the CIA "incubator" businesses that have stuff on GitHub.

      By-the-by, is Sourceforge not a thing anymore?

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:Not the first by Dan East · · Score: 2

      You must be referring to encryption algorithms and commits to help out projects like OpenSSL?

      --
      Better known as 318230.
    3. Re:Not the first by Anonymous Coward · · Score: 1

      Sourceforge is a very nice Ad platform.

    4. Re:Not the first by Anonymous Coward · · Score: 0

      are you talking about the projects that they infiltrated?

    5. Re:Not the first by tlhIngan · · Score: 1

      Not just that, but perhaps the NSA has infected a lot of Android phones and Linux PCs.... perhaps you heard of SELinux?

      SELinux is enabled (mandatory) on a lot of Android phones, and it's in practically every Linux distribution... more so than say, systemd.

      May want to consider whose security "Security Enhanced Linux" really improves then. They got the tinfoil hat wearing, non-Windows running crowd too!

    6. Re:Not the first by TheRaven64 · · Score: 3, Interesting

      If you want a much better conspiracy theory, consider that there's a whole category of exploit related to null pointer dereferences that was only made possible by SELinux. Either the NSA didn't think about it when they wrote that code, or they intentionally introduced something that made it possible to compromise the systems from a self-selected group of people who care about security.

      --
      I am TheRaven on Soylent News
    7. Re:Not the first by Anonymous Coward · · Score: 1

      Can you explain which extra type of NULL dereference vulnerabilities SELinux exposes that wouldn't be exploitable without?

      SELinux has some functionality to prevent mapping low pages, which makes exploiting NULL pointer dereference vulnerabilities harder: http://cateee.net/lkddb/web-lkddb/LSM_MMAP_MIN_ADDR.html

    8. Re:Not the first by Antique Geekmeister · · Score: 1

      Sourceforge had occasionally proven useful if developers insisted on using Subversion rather than Git based source control. I'm aware of several projects that use it in order to be able to sync single directories of upstream project code, rather than having to mirror an entire project locally. But the much cleaner and less overwhelmingly ad based interface to the github or gitlab web interfaces is an enormous timesaver over Sourceforge's pages where over 90% of the screen space is pure advertising. I'm also afraid that the "download" pages for source code or binaries are deliberately cluttered with misleading links designed to install adware on your system.

      Sourceforge used to be a very good repository for open source projects, but I'm afraid became quite unsafe and even unusable for most developers or software users due to the deliberately misleading download links.

    9. Re:Not the first by Anonymous Coward · · Score: 0

      http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html

      POC: https://isc.sans.edu/forums/diary/A+new+fascinating+Linux+kernel+vulnerability/6820/

      Patch to change uid switching behaviors have since made it into the kernel, but still a function example against the very 'protection' you linked.

    10. Re:Not the first by Anonymous Coward · · Score: 0

      Fascinating! Citations please?!@?!

    11. Re:Not the first by blueg3 · · Score: 1

      Probably, but that's a completely different organization.

    12. Re:Not the first by blueg3 · · Score: 1

      I mean there are a lot of open-source software projects relevant to their interests that are conspicuously lacking in attribution. REDHAWK, for example.

  2. Honeypot ... by CaptainDork · · Score: 3, Insightful

    ... just sayin'.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Honeypot ... by Sarten-X · · Score: 1

      Eh... not so much. The NSA only makes the tools for a honeypot. Actually deploying them is a CIA job.

      Then again, the CIA could be running the op, using the NSA as a cover...

      --
      You do not have a moral or legal right to do absolutely anything you want.
    2. Re:Honeypot ... by Anonymous Coward · · Score: 0

      IT'S A TRAP!

    3. Re:Honeypot ... by AHuxley · · Score: 4, Interesting

      More hearts and minds. They have to find new staff. In the past it was at the very best US/UK universities.
      In the very distant past even draft and national service "tests" got used to find low level staff with useful math or language skills.
      Now it's all about social media, conventions and being online.
      The other method is to set up long term educational efforts but other nations/cults/faiths tend to notice such public efforts and flood such courses with their own long term agents.
      The mistakes of using new contractors or just trusting people from good universities have been understood over the decades.
      So now it's social media and the internet to find and attract skilled, loyal, hard working staff.
      Vetting has to be perfect every generation hired or 1930's UK staff issues return. Other faiths, cults, nations will just game the outreach efforts with computer skills and needed languages.
      East Germany would often place the most low level staff into West German gov/brands. Decades later it was expected that they could rise up to be middle or upper management.
      Other nations have learned from the US need for skills, translators and have taken note of a lack of real vetting due to domestic political considerations.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Honeypot ... by CaptainDork · · Score: 2

      Because the NSA is restricted by jurisdiction, competency, ethics, and the ability to protect its cyber weapons and stuff.

      Oh, wait ...

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re: Honeypot ... by Anonymous Coward · · Score: 0

      Yea sorry that's not true at all.

      CIA is primarily humint and SAD operations.

    6. Re:Honeypot ... by Anonymous Coward · · Score: 0, Flamebait

      I don't think you can question the NSA's competency unless you have full access to everything they have done. The documents Snowden released did not contain any information that was truly a secret. There are classified security levels above the classification of any information he stole. His information basically boiled down to proving that the covert intelligence agencies actually spy.
      One thing they do need to do is shoot the next fucker who thinks releasing classified information concerning the nation's Intelligence and counter Intelligence programs is a good idea. That should give anyone else thinking of doing the same thing pause. For extra protection they should also shoot the person or persons who were asleep at the wheel when classified information was being carted out the front door. This should make sure their replacements do a better job.

    7. Re: Honeypot ... by Anonymous Coward · · Score: 0

      My first thought while I was reading the headline, lol.

    8. Re:Honeypot ... by houghi · · Score: 1

      Prove it. It is open source.
      Or are you talking that they will go after people who look at the source? Because they also look at those who don't look at the source.

      --
      Don't fight for your country, if your country does not fight for you.
    9. Re:Honeypot ... by CaptainDork · · Score: 1

      Let Mikey prove it. He'll prove anything.

      I'm not going there.

      --
      It little behooves the best of us to comment on the rest of us.
    10. Re: Honeypot ... by TechyImmigrant · · Score: 1

      >CIA is primarily humint and SAD operations.

      They use jet lag as a weapon?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  3. Of course they do by DivineKnight · · Score: 1

    "The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace..." while they are actively engaged in technology transfers from both our allies, enemies, and neutral parties to the US...

    Surprising number of German innovations become available to American businessmen, even before German researchers fully publish their results. God Bless America.

    1. Re:Of course they do by Plus1Entropy · · Score: 1

      > Surprising number of German innovations become available to American businessmen, even before German researchers fully publish their results.

      Never heard of this before, although I wouldn't be surprised either way. Any notable examples?

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
  4. Cutting out the middle men... by Anonymous Coward · · Score: 0

    Now what will Shadow Brokers do for a living??? Think of the hackers!

    1. Re:Cutting out the middle men... by __aaclcg7560 · · Score: 1

      Become legit and sell on eBay.

    2. Re:Cutting out the middle men... by Anonymous Coward · · Score: 0

      Don't you mean "content creation" and sell trash poetry on deviant art.

    3. Re:Cutting out the middle men... by __aaclcg7560 · · Score: 1

      > Don't you mean "content creation" and sell trash poetry on deviant art.

      Here's a couple of free poetry books that published my haiku poems. Enjoy!

      http://www.chuffedbuffbooks.com/wp-content/uploads/2014/03/Final_KIGO_SEASONAL_WORDS_Issue1.pdf
      http://www.chuffedbuffbooks.com/wp-content/uploads/2014/09/Final_KIGO_SEASONAL_WORDS_Issue2.pdf

    4. Re:Cutting out the middle men... by Anonymous Coward · · Score: 0

      I'm afraid to click on the link to "chuffed buff." Are these more of your naked pictures?

    5. Re:Cutting out the middle men... by Anonymous Coward · · Score: 0

      "You're a fat retard!" :-)

    6. Re: Cutting out the middle men... by Anonymous Coward · · Score: 0

      IF you've come to slashdot to make a name for yourself, well I'm sorry but you've come to the wrong place.

  5. backdoors by ghoul · · Score: 1

    Who is going to verify that a module you pull from github and use in your code does not have NSA backdoors? Now NSA no longer needs to send its employees to work at Microsoft to write backdoors - all they have to do is convince lazy programmers to reuse NSA modules with backdoors built in and I mean lazy in the best sense of the word - after all, all progress is the result of laziness. If everyone was hardworking we would all live in caves, walk everywhere and rub sticks to start fire.

    --
    **Life is too short to be serious**
    1. Re:backdoors by MangoCats · · Score: 3, Interesting

      Since it's on GitHub, presumably as source, but even some binaries could be analyzed... That would be quite the feather in a White Hat (or Black one for that matter), exposing the NSA backdoor in a supposedly secure module. Plenty of people out there with too much time on their hands and an interest in exposing things like that.

    2. Re:backdoors by Anonymous Coward · · Score: 0

      Code can be audited. Of course there are some clever ways to disguise backdoors, even in source code (see the underhanded C contest), but it's pretty hard to get away with it when code gets scrutinized as much as it will be since it's coming from the NSA.

    3. Re:backdoors by GuB-42 · · Score: 1

      Because it is done under the NSA name, and given its reputation, it is likely to become the most audited code on the planet.
      Should they plant backdoors, they should probably do it undercover.

    4. Re: backdoors by Anonymous Coward · · Score: 0

      Don't be silly, they hid and cleaned up all the backdoors before posting them to github.

  6. Good idea, bad timing. by Anonymous Coward · · Score: 0

    Man, they are about to be inundated with MRs to include their recently leaked exploit code on Github.

    1. Re:Good idea, bad timing. by LifesABeach · · Score: 1

      I've already emailed them asking if they have any public domain stuff for AI. We'll see what happens next...

  7. NSA = ew! by Anonymous Coward · · Score: 0

    no thanks, billy. i'm not about to willingly compromise my privacy with your backdoored software.

    1. Re:NSA = ew! by Anonymous Coward · · Score: 0

      That must be why you run SELinux.

    2. Re:NSA = ew! by Anonymous Coward · · Score: 0

      Do you run Linux?

      BSD?

      Then you already have NSA contributed code with kernel permissions on your machine.

    3. Re: NSA = ew! by Anonymous Coward · · Score: 0

      What code in BSD is from the NSA?

  8. Late to the party by nickovs · · Score: 4, Interesting

    The British information security services, GCHQ, have been posting interesting and useful stuff to GitHub for a while. In fact if you want to do interesting analytics on graphs with annotations to both arcs and nodes they have released some pretty neat tools, and they're not just useful for finding terrorists on social networks.

    --
    If intelligent life is too complex to evolve on its own, who designed God?
    1. Re:Late to the party by AHuxley · · Score: 2

      All part of a long term political plan to attract any workers.
      The UK worked really hard after the many 1930's-1970's security issues.
      By the 1970's they had finally worked out how to attract staff, keep staff and ensure staff stayed loyal.
      New efforts are more about party political requests to just hire more staff. Any applications have to be considered. Staff to be considered on topics other than security, merit and loyalty. Security issues might again not be a reason not to give someone a job in the "security services".
      So a lot of effort is now being made to attract people to gov work but other nations, faiths will also use the new hiring practices.
      The UK had great success in the 1970-90's in Ireland as it had perfect collection security.
      By having to be fully open to any random gov job seeker that ability to keep secrets will be lost in a generation.
      Not so much late to the party, more political parties changed once secure hiring policies.

      --
      Domestic spying is now "Benign Information Gathering"
  9. WRONG by Anonymous Coward · · Score: 0

    in 2001 i was given access to 65 million honeypot ip addresses the FBI were using .....its nearing 3 times that now...

    ergo i have a lot less to fear than all of you in my net travels in anything i do

    1. Re:WRONG by TheRaven64 · · Score: 2

      Almost 5% of all IPv4 addresses are FBI honeypots? I find that quite hard to believe somehow. Unless you're counting IPv6 addresses in that number and they're all in one /64...

      --
      I am TheRaven on Soylent News
  10. The Project List by Anonymous Coward · · Score: 0

    Is there a project for NSA Technology Transfer Program (NTTP), the system and a protocol for securely transferring technology over the Internet?

  11. Not a honeypot ... they've realized the benefit of by Anonymous Coward · · Score: 0

    Not a honeypot ... they've realized the benefit of crowdsourcing :)

    WannaCry helped prove to the NSA that if they provide the exploits, the community will provide a better user interface, payload, and bring experience to the table, for lower costs and of higher quality than NSA contractors, all for the low low price of sharing their own source code :)

    I do hope they remembered to license all their exploit code AGPLv3 so all network accessible copies of it must legally have the source released :)

  12. Why would I ever... by thedarb · · Score: 1

    Why would I ever contribute to a spy agency who spies on its own people?

    --
    This sig intentionally left blank.
    1. Re:Why would I ever... by schleimkeim · · Score: 1

      Oh, so you're one of those guys with standards and values huh. That's considered weird nowadays.

  13. A Very Potent Reminder by kelanos · · Score: 0

    The richest man in the world (that no one today has heard of) once owned the mine and the mill in this town and fueled the World Wars in part with its products.

    https://en.wikipedia.org/wiki/...

    http://faculty.frostburg.edu/p...

    A reminder that the downsizing of jobs led to the World Wars, and that automation will lead to much worse than world war; our annihilation.

    Karl Wittgenstein was a very cunning man, but a proxy for the globalist cabal. They killed all of his sons except the famous Ludwig and bled away the fortune. Another reminder that no matter how well you do for them, they will never accept you and will always betray you to the end of your line.

    Perhaps this is too much for some of you to accept, but can you really deny that automation prioritized profit ahead of people? That in fact automation totally disregards the people? Is this the point when you parrot your masters' notions that some must fall for progress to continue? Exactly what portion of this progress benefits you?

    There are no forces of nature standing plain in sight for us to conquer. We cannot overcome our limitations with material. No amount of capital will take us beyond the Earth. The people are the only thing we have; only by investing in them will the solutions to our progress be found. We must stop the class of madmen that bred themselves to accumulate capital for its own end. Left alone they would kill us all to stop us from competing for their capital.

  14. Fun! Cool! by Anonymous Coward · · Score: 0

    Conducting espionage and sabotage against sovereign, peaceful countries, is now a fun and cool thing you can share with others on GitHub. America is getting sicker by the day.

    I propose people do what the NSA does: try to sneak malware and send pull requests that compromise their software.

  15. Fake news! by Anonymous Coward · · Score: 0

    NSA had a GitHub account for years. It just didn't use the "NSA" term in its name. Leave it to the idiots at TheHackerNews to not notice it. If you don't believe me, then check out Apache NiFi, a project the NSA open-sourced and donated to the Apache Foundation years ago. It was first released on GitHub, then donated to Apache.

  16. Stolen article by Anonymous Coward · · Score: 0

    This article has been copy-pasted and re-worded from TheNextWeb.
    Please stop featuring these indian cunts from TheHackersNews. All they do is steal content. Usually from Motherboard, TNW, TheRegister, BleepingComputer, or ThreatPost.
    They steal content, space out their text so the page is longer. All for the purpose of showing more ads on their site.

  17. Wikileaks ? by dbateman · · Score: 1

    And I thought Wikileaks was the preferred source of NSA source code !!

    D.

  18. NSA has had code on GitHub for ages as themselves by dell623 · · Score: 1

    See blog entry: https://puppet.com/blog/nsa-re...

    https://github.com/NationalSec...
    https://github.com/SIMP

    A great and extremely useful project by the way.

    1) If you're a 'tech journalist', make some minimal effort to get facts right (like you know actually looking at dates on the GitHub org page), at least in your fucking headline.

    2) I hate this reductive 'anything with the word NSA in it is bad' reasoning. Open source is open source, and useful code is useful. GitHub is full of cool stuff from organizations that don't get much love here - Walmart, Facebook etc.

  19. We're cool now, right guys? by erapert · · Score: 1

    No, fuck you, NSA. You're not our friend, you're not cool, you're not hip, you're not edgy hacker bad asses, you're just plain assholes. Fuck you. Apology not accepted.

  20. Patent trolls by Anonymous Coward · · Score: 0

    So what happens when the patent trolls go looking through the code and decide they own something they find in there? Do they go after the NSA or keep their mouths shut?