NSA Opens GitHub Account, Lists 32 Projects Developed By the Agency (thehackernews.com)

← Back to Stories (view on slashdot.org)

NSA Opens GitHub Account, Lists 32 Projects Developed By the Agency (thehackernews.com)

Posted by BeauHD on Wednesday June 21, 2017 @12:45PM from the open-up dept.

An anonymous reader quotes a report from The Hacker News: The National Security Agency (NSA) -- the United States intelligence agency which is known for its secrecy and working in the dark -- has finally joined GitHub and launched an official GitHub page. GitHub is an online service designed for sharing code amongst programmers and open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are "coming soon." "The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace," the agency wrote on the program's page. "OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community's enhancements to the technology." Many of the projects the agency listed are years old that have been available on the Internet for some time. For example, SELinux (Security-Enhanced Linux) has been part of the Linux kernel for years.

33 of 64 comments (clear)

Min score:

Reason:

Sort:

Not the first by blueg3 · 2017-06-21 12:50 · Score: 4, Funny

FYI, they've had things on Github for a while. Just maybe not under the NSA name.
1. Re:Not the first by Frosty+Piss · 2017-06-21 14:10 · Score: 1
  
  I'm sure there are a few of the CIA "incubator" businesses that have stuff on GitHub.
  By-the-by, is Sorceforge not a thing anymore?
  
  --
  If you want news from today, you have to come back tomorrow.
2. Re:Not the first by Dan+East · 2017-06-21 14:43 · Score: 2
  
  You must be referring to encryption algorithms and commits to help out projects like OpenSSL?
  
  --
  Better known as 318230.
3. Re:Not the first by Anonymous Coward · 2017-06-21 14:55 · Score: 1
  
  Sourceforge is a very nice Ad platform.
4. Re:Not the first by tlhIngan · 2017-06-21 18:58 · Score: 1
  
  Not just that, but perhaps the NSA has infected a lot of Android phone and Linux PCs.... perhaps you heard of SELinux?
  SELinux is enabled (mandatory) on a lot of Android phones, and it's in practically every Linux distribution... more so than say, systemd.
  May want to consider whose security "Security Enhanced Linux" really improves then. They got the tinfoil hat wearing, non-Windows running crowd too!
5. Re:Not the first by TheRaven64 · 2017-06-21 23:30 · Score: 3, Interesting
  
  If you want a much better conspiracy theory, consider that there's a whole category of exploit related to null pointer dereferences that was only made possible by SELinux. Either the NSA didn't think about it when they wrote that code, or they intentionally introduced something that made it possible to compromise the systems from a self-selected group of people who care about security.
  
  --
  I am TheRaven on Soylent News
6. Re:Not the first by Anonymous Coward · 2017-06-21 23:40 · Score: 1
  
  Can you explain which extra type of NULL dereference vulnerabilities SELinux exposes that wouldn't be exploitable without?
  SELinux has some functionality to prevent mapping low pages, which makes exploiting NULL pointer dereference vulnerabilities harder: http://cateee.net/lkddb/web-lkddb/LSM_MMAP_MIN_ADDR.html
7. Re:Not the first by Antique+Geekmeister · 2017-06-22 00:49 · Score: 1
  
  Sourceforge had occasionally proven useful if developers insisted on using Subversion rather than Git based source control. I'm aware of several projects that use it in order be able to sync single directories of upstream project code, rather than having to mirror an entire project locally. But the much cleaner and less overwhelmingly ad based interface to the github or gitlab web interfaces is an enormous timesaver over Sourceforge's pages where over 90% of the screen space is pure advertising. I'm also afraid that the "download" pages for source code or binaries are deliberately cluttered with misleading links designed to install adware on your system.
  Sourceforge used to be a very good repository for open source projects, but I'm afraid became quite unsafe and even unusable for most developers or software users due to the deliberately misleading download links.
8. Re:Not the first by blueg3 · 2017-06-23 09:02 · Score: 1
  
  Probably, but that's a completely different organization.
9. Re:Not the first by blueg3 · 2017-06-23 09:03 · Score: 1
  
  I mean there are a lot of open-source software projects relevant to their interests that are conspicuously lacking in attribution. REDHAWK, for example.
Honeypot ... by CaptainDork · 2017-06-21 12:52 · Score: 3, Insightful

... just sayin'.

--
It little behooves the best of us to comment on the rest of us.
1. Re:Honeypot ... by Sarten-X · 2017-06-21 12:55 · Score: 1
  
  Eh... not so much. The NSA only makes the tools for a honeypot. Actually deploying them is a CIA job.
  Then again, the CIA could be running the op, using the NSA as a cover...
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
2. Re:Honeypot ... by AHuxley · 2017-06-21 14:05 · Score: 4, Interesting
  
  More hearts and minds. They have to find new staff. In the past it was at the very best US/UK universities.
  In the very distant past even draft and national service "tests" got used to find low level staff with useful math or language skills.
  Now its all about social media, conventions and been online.
  The other method is to set up long term educational efforts but other nations/cults/faiths tend to notice such public efforts and flood such courses with their own long term agents.
  The mistakes of using new contractors or just trusting people from good universities have been understood over the decades.
  So now its social media and the internet to find and attract skilled, loyal, hard working staff.
  Vetting has to be perfect every generation hired or 1930's UK staff issues return. Other faiths, cults, nations will just game the out reach efforts with computer skills and needed languages.
  East Germany would often place the most low level staff into West German gov/brands. Decades later it was expected that they could rise up to be middle or upper management.
  Other nations have learned from the US need for skills, translators and have taken note of a lack of real vetting due to domestic political considerations.
  
  --
  Domestic spying is now "Benign Information Gathering"
3. Re:Honeypot ... by CaptainDork · 2017-06-21 14:40 · Score: 2
  
  Because the NSA is restricted by jurisdiction, competency, ethics, and the ability to protect its cyber weapons and stuff.
  Oh, wait ...
  
  --
  It little behooves the best of us to comment on the rest of us.
4. Re:Honeypot ... by houghi · 2017-06-21 21:24 · Score: 1
  
  Prove it. It is open source.
  Or are you talking that they will go after people who look at the source? Because they also look at those who don't look at the source.
  
  --
  Don't fight for your country, if your country does not fight for you.
5. Re:Honeypot ... by CaptainDork · 2017-06-22 04:36 · Score: 1
  
  Let Mikey prove it. He'll prove anything.
  I'm not going there.
  
  --
  It little behooves the best of us to comment on the rest of us.
6. Re: Honeypot ... by TechyImmigrant · 2017-06-22 05:01 · Score: 1
  
  >CIA is primarily humint and SAD operations.
  They use jet lag as a weapon?
  
  --
  I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Of course they do by DivineKnight · 2017-06-21 12:57 · Score: 1

"The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace..." while they are actively engaged in technology transfers from both our allies, enemies, and neutral parties to the US...
Surprising number of German innovations become available to American businessmen, even before German researchers fully publish their results. God Bless America.
1. Re:Of course they do by Plus1Entropy · 2017-06-21 23:53 · Score: 1
  
  Surprising number of German innovations become available to American businessmen, even before German researchers fully publish their results.
  Never heard of this before, although I wouldn't be surprised either way. Any notable examples?
  
  --
  Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
Re:Cutting out the middle men... by __aaclcg7560 · 2017-06-21 13:19 · Score: 1

Become legit and sell on eBay.
backdoors by ghoul · 2017-06-21 13:28 · Score: 1

Who is going to verify that a module you pull from github and use in your code does not have NSA backdoors? Now NSA no longer needs to send its employees to work at Microsoft to write backdoors - all they have to do is convince lazy programmers to reuse NSA modules with backdoors built in and I mean lazy in the best sense of the world - after all, all progress is the result of laziness. If everyone was hardworking we would all live in caves, walk everywhere and rub sticks to start fire.

--
**Life is too short to be serious**
1. Re:backdoors by MangoCats · 2017-06-21 15:04 · Score: 3, Interesting
  
  Since it's on GitHub, presumably as source, but even some binaries could be analyzed... That would be quite the feather in a White Hat (or Black one for that matter), exposing the NSA backdoor in a supposedly secure module. Plenty of people out there with too much time on their hands and an interest in exposing things like that.
2. Re:backdoors by GuB-42 · 2017-06-21 20:10 · Score: 1
  
  Because it is done under the NSA name, and given its reputation, it is likely to become the most audited code on the planet.
  Should they plant backdoors, they should probably do it undercover.
Re:Good idea, bad timing. by LifesABeach · 2017-06-21 13:34 · Score: 1

I've already emailed them asking if they have any public domain stuff for AI. We'll see what happens next...
Re:Cutting out the middle men... by __aaclcg7560 · 2017-06-21 14:04 · Score: 1

Don't you mean "content creation" and sell trash poetry on deviant art.
Here's a couple of free poetry books that published my haiku poems. Enjoy!
http://www.chuffedbuffbooks.com/wp-content/uploads/2014/03/Final_KIGO_SEASONAL_WORDS_Issue1.pdf
http://www.chuffedbuffbooks.com/wp-content/uploads/2014/09/Final_KIGO_SEASONAL_WORDS_Issue2.pdf
Late to the party by nickovs · 2017-06-21 14:32 · Score: 4, Interesting

The British information security services, GCHQ, have been posting interesting and useful stuff to GitHub for a while. In fact if you want to do interesting analytics on graphs with annotations to both arcs and nodes they have released some pretty neat tools, and they're not just useful for finding terrorists on social networks.

--
If intelligent life is too complex to evolve on its own, who designed God?
1. Re:Late to the party by AHuxley · 2017-06-21 15:29 · Score: 2
  
  All part of a long term political plan to attract any workers.
  The UK worked really hard after the many 1930's-1970's security issues.
  By the 1970's they had finally worked out how to attract staff, keep staff and ensure staff stayed loyal.
  New efforts are more about party political requests to just hire more staff. Any applications have to be considered. Staff to be considered on topics other than security, merit and loyalty. Security issues might again not be a reason not to give someone a job in the "security services".
  So a lot of effort is now been made to attract people to gov work but other nations, faiths will also use the new hiring practices.
  The UK had great success in the 1970-90's in Ireland as it had perfect collection security.
  By having to be fully open to any random gov job seeker that ability to keep secrets will be lost in a generation.
  Not so much late to the party, more political parties changed once secure hiring policies.
  
  --
  Domestic spying is now "Benign Information Gathering"
Why would I ever... by thedarb · 2017-06-21 17:54 · Score: 1

Why would I ever contribute to a spy agency who spy's on it's own people?

--
This sig intentionally left blank.
1. Re:Why would I ever... by schleimkeim · 2017-06-21 19:12 · Score: 1
  
  Oh, so you're one of those guys with standards and values huh. That's considered weird nowadays.
Re:WRONG by TheRaven64 · 2017-06-21 23:32 · Score: 2

Almost 5% of all IPv4 addresses are FBI honeypots? I find that quite hard to believe somehow. Unless you're counting IPv6 addresses in that number and they're all in one /64...

--
I am TheRaven on Soylent News
Wikileaks ? by dbateman · 2017-06-22 00:17 · Score: 1

And I thought Wikileaks was the preferred source of NSA source code !!
D.
NSA has had code on GitHub for ages as themselves by dell623 · 2017-06-22 00:44 · Score: 1

See blog entry: https://puppet.com/blog/nsa-re...
https://github.com/NationalSec...
https://github.com/SIMP
A great and extremely useful project by the way.
1) If you're a 'tech journalist', make some minimal effort to get facts right (like you know actually looking at dates on the GitHub org page), at least in your fucking headline.
2) I hate this reductive 'anything with the word NSA in it is bad' reasoning. Open source is open source, and useful code is useful. GitHub is full of cool stuff from organizations that don't get much love here - Walmart, Facebook etc.
We're cool now, right guys? by erapert · 2017-06-22 10:30 · Score: 1

No, fuck you, NSA. You're not our friend, you're not cool, you're not hip, you're not edgy hacker bad asses, you're just plain assholes. Fuck you. Apology not accepted.