Hacks Raise Fear Over NSA's Hold on Cyberweapons (nytimes.com)
Nicole Perlroth and David Sanger, writing for The New York Times: Twice in the past month, National Security Agency cyberweapons stolen from its arsenal have been turned against two very different partners of the United States -- Britain and Ukraine. The N.S.A. has kept quiet, not acknowledging its role in developing the weapons. White House officials have deflected many questions, and responded to others by arguing that the focus should be on the attackers themselves, not the manufacturer of their weapons. But the silence is wearing thin for victims of the assaults, as a series of escalating attacks using N.S.A. cyberweapons have hit hospitals, a nuclear site and American businesses. Now there is growing concern that United States intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands. On Wednesday, the calls for the agency to address its role in the latest attacks grew louder, as victims and technology companies cried foul. Representative Ted Lieu, a California Democrat and a former Air Force officer who serves on the House Judiciary and Foreign Affairs Committees, urged the N.S.A. to help stop the attacks and to stop hoarding knowledge of the computer vulnerabilities upon which these weapons rely.
the focus should be on the attackers themselves, not the manufacturer of their weapons... or the weapons themselves.
Only my opinion, but I really dislike this term, "cyberweapon". Actually, anything with "cyber" other than "cybersex" sets me off a bit...
If you want news from today, you have to come back tomorrow.
Even worse than that is they expect us to believe that they can securely escrow master keys to break all encryption. What a bunch of jokers.
That's news to me.
It's not really a weapon if it only works on a vulnerability.
Never create a weapon that you wouldn't want to fall into the hands of your worst enemy.
Anons need not reply. Questions end with a question mark.
I mean, seriously. That's the motto for pretty much all their operation and its role in securing a democracy.
There is no NSA
No cyber weapons
No hacks
No internet
No technology
No fear
none of that. It's all fake news. It's all good, dude.
Truer words have never been spoken
the NRA apologists are always out in force telling us that in light of the tragedy it's really not the time to talk about gun control.
The NSA. It pooped its pants right there in the public square. And rather than trying to clean up, it just stands there yelling "MY SHIT DON'T STINK!" while continuing to make squeaky farts.
This is probably go to a new school next year level public humiliation, but they apparently have no shame.
If you should see someone who works for the NSA, hand them a roll of toilet paper.
The market would be tanking.
How can anyone innovate, compete, and do business when everything they make can be destroyed 'with a click of a button'?
This situation is enforcing the status quo to a hideous degree. The time is long past for violent revolt.
But the silence is wearing thin for victims of the assaults, as a series of escalating attacks using N.S.A. cyberweapons have hit hospitals, a nuclear site and American businesses.
IMHO it's just getting started. The source code to a whole BUNCH of their tools has gotten out - a treasure trove for the bad guys. Now they don't have to design this stuff themselves - it's all there, ready to be customized. We're just seeing the leading edge from the early adopters.
Now there is growing concern that United States intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands.
Well, DUH! If you've got the source it's anywhere from reasonably easy to trivial to disable or change any kill switch. Changing vulnerable mechanisms key to the operation is more difficult, but still doable. So even if they did spend extra engineer time to build in the equivalent of "gun smart chips" - and they worked - it would, at best, be initially mitigating but ultimately futile.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
....or introduce security flaws that let the enemy use your own stock against you
Twinstiq, game news
"create digital weapons that they cannot keep safe from adversaries or disable..."
We can't un-invent nuclear, chemical or bacterial weapons, but we can fix the vulnerabilities exploited by cyber weapons. The NSA **chose** not to tell the vendors about the vulnerabilities they found.
The thing is, the vulnerabilities are the valuable code anyways. The rest of the stuff, the command and control, etc are shit that can be cobbled together by a random kid out of MIT in a weekend.
So once those are leaked the vendors are able to patch pretty quickly. Then it's a matter of patch deployment which is unfortunately a hot mess.
We could have very strong encryption, hardware, and software as well as very secure infrastructure. But noooo. The NSA and other 3 letter organizations got industry to put out weak versions of all of this just so they could easily hack into anything. And now it is coming full circle. What private industry needs to do is blow the whistle on all the crap the NSA, CIA, FBI, etc. have forced them to do in regards to weakening their products. And then go about strengthening everything.
There is plenty of speculation to be made over how many of the current 'epidemics' we've had in the recent world are simply mutations, versus being field testing of refined biological agents against captive populations.
Dump a slightly modified flu virus in your own, or a foreign nation's livestock, one intended to hop into humans, then wait and watch and document its effectiveness, issues, etc. Make individual changes across dozens of mild contagions, then use the resulting field data to help refine the 'master agent' combining each technique you utilized on individual samples to create something far more effective.
It is about as farfetched as a US Space Corps...
I find it odd that a kid has to be from MIT to do this, you place the bar pretty high. Actually, anyone with basic coding skills can do this stuff, especially the latest ransomware. These are criminal gangs, I doubt they recruit MIT students.
One other aspect to keep in mind- For YEARS now, the intelligence services of the USA have been pouring millions of dollars a year into the Black Hat Black Markets, where these vulnerabilities are traded and sold. They aren't some bit player, occasionally picking up a new trick, they are the primary source of funding to many of these marketplaces.
The bugs would still exist either way, but the government has been intentionally funding organized crime into developing these vulnerabilities, and making the situation much worse. Since they are the primary entity putting money into this marketplace, they are playing the key role to allow black hats to quit their day job and focus on writing exploits.
The thing about vulnerabilities is one single entity can't find everything. If you're then disclosing those to get everything patched you are harming your offensive capabilities. It may impact another party's offensive capabilities as well, but it's very likely they have vulnerabilities that you don't know about. So then you have a double edged sword. Do you keep the exploit to use offensively and risk the undisclosed exploit being used against you, or disclose it and still risk another undisclosed exploit you don't know about still being used against you? Exploits are a limited resource and they expire. Once used they have an even shorter shelf life before discovery. You don't know when things will get discovered by another party as well. They need a constant influx of new vulnerabilities because the ones they have may not be useful against an assigned target tomorrow. Your warhead, information collection, and mission ability is all determined by the offensive software you have at your disposal. Everyone else will call it malware. A reachable known target can be implanted with a non-replicating tool. These are the most covert, but also the most difficult as you may not have a direct path to the target machine. That goes into getting access to a well defended network. That requires something that spreads on its own so it can possibly reach the machines you need coverage on. This is also a double edged sword as putting in limitations to spreading also gives away the fact it's not a random infection. Those types of tools always end up spreading to unintended places and getting examined by security researchers. If a worm component is added then you cross into the realms of epidemiology and outbreaks though without geographic isolation as a barrier. It only takes one user in a network to get infected and then it'll spread until AV and OS patches catch up. So disclosing vulnerabilities isn't always an option if you want to remain effective offensively.
It becomes a lot like a classic game theory problem. The strategic choice would be to hang onto as many vulnerabilities as long as they can, and that's what everyone does.
it's about doing a NON-SERVICE.
logically thought through, hoarding code bugs is to keep systems buggy overall.
they don't believe in improving the computing environment but instead believe
in creating a global environment of buggy software(*) for their benefit.
if the 3 l3tt3rs were guys with morals they would subscribe to the tough but worthy
cause of improving the global computing environment.
some might argue, that it is not possible to make computing 100% secure but just throwing out the baby with the bath water is not the impression that the American founding fathers had in mind when creating the nation?
in other words, they are saboteurs not builders and creators!
(*)considering that this is an American governmental branch and that a lot of computer tech,
like CPUs and software is created in the same country (and pays some taxes) this is extremely astonishing: the state doing you a DISSERVICE!
If a couple 0dayz (+ a month or two) can cause this kind of a mess, then how many guys worldwide are actively writing exploits? I think the skill should have at least a few thousand practitioners, so where is the daily chaos?
I do see to some extent the frustration the NSA must have over this. If the abusers weren't dropping ransomware everywhere this wouldn't have had such a huge impact.
Nasty 0days come out every week.
Cwm, fjord-bank glyphs vext quiz
Maybe work on something that improves your grip?
It was alleged (and since debunked) that during WW II Churchill sacrificed Coventry to mask the fact that the British had compromised German military ciphers. Does the sequestering of these exploits really serve the greater good? By its actions, the NSA has failed in what SHOULD be its primary goal to preserve the life, liberty, and property of the citizens of our nation and our allies.
Sure, leaks are illegal. But, unless they are also considered wrong, people will keep doing them — for publicity or other aggrandizement, etc.
The constant harping on the US in general and the NSA in particular creates the perception, that hurting and embarrassing both somehow improves the world — a demonstrable falsehood.
Similarly, the worshiping of Snowden, who fully bought into the above-mentioned falsehood, and of Manning, who leaked the classified data not even to make the world a better place, but simply to impress acquaintances — make leaking glamorous even if still dangerous. And copy-cats follow.
This traitor-worship ought to stop. Even if you do (foolishly) believe, NSA is evil, you still can not betray the secrets entrusted to you — just as you would not murder, for example, to "raise awareness". Not only because it is illegal, but also because it is wrong.
In Soviet Washington the swamp drains you.
Soon enough these exploits will be patched.
The NSA would be insane to get involved.
I am very small, utmostly microscopic.
The phrase "fall into the wrong hands" is often used in articles like these. I would say that with the U.S. past 70 years of history, these weapons were in the wrong hands the moment they were created.
Another Slashdot article that will draw so many foreign opinions (er, scripted talking points) about American intelligence apparatus!
Seriously as long as you don't use Microsoft Windows on the Intel chip set you should be safe. And who exactly had their fear raised over this. What I would like to know is what retard made the decision to store all his hacking tools on the Internet.
From my essay: http://www.pdfernhout.net/reco... ... ... irony. :-)"
"Likewise, even United States three-letter agencies like the NSA and the CIA, as well as their foreign counterparts, are becoming ironic institutions in many ways. Despite probably having more computing power per square foot than any other place in the world, they seem not to have thought much about the implications of all that computer power and organized information to transform the world into a place of abundance for all. Cheap computing makes possible just about cheap everything else, as does the ability to make better designs through shared computing.
There is a fundamental mismatch between 21st century reality and 20th century security thinking. Those "security" agencies are using those tools of abundance, cooperation, and sharing mainly from a mindset of scarcity, competition, and secrecy. Given the power of 21st century technology as an amplifier (including as weapons of mass destruction), a scarcity-based approach to using such technology ultimately is just making us all insecure. Such powerful technologies of abundance, designed, organized, and used from a mindset of scarcity could well ironically doom us all whether through military robots, nukes, plagues, propaganda, or whatever else... Or alternatively, as Bucky Fuller and others have suggested, we could use such technologies to build a world that is abundant and secure for all.
So, while in the past, we had "nothing to fear but fear itself", the thing to fear these days is ironically
Thanks for the interesting link to the harvardpolitics site.
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
Isn't Wikileaks somewhat responsible here, after all one can't just drop loaded guns on a playground and then disavow all responsibility for the mayhem that would follow.
And they're both wrong.