

NSA targeting domestic computer systems in secret test - intel_
http://news.cnet.com/8301-1023_3-57560644-93/revealed-nsa-targeting-domestic-computer-systems-in-secret-test/

======
joshfraser
If only the NSA did more sensible stuff like this, and less spying on American
citizens.

~~~
revelation
The NSA has a history of keeping very serious faults in security to themselves
[1].

It's like the government detected a structural problem in bridges and then
decided not to fix it because that could make it harder to destroy other
countries' bridges.

1: <http://en.wikipedia.org/wiki/Differential_cryptanalysis>

~~~
jackowayed
Chris Soghoian, principal technologist of the ACLU, wrote about this issue
with respect to the hotel lock vulnerability that was revealed a few months
ago (as well as general statements).
<http://www.aclu.org/blog/national-security/hotel-lock-security-vulnerability-reminder-governments-ambiguous-role>

~~~
tptacek
This is very silly. As Cody would tell you, the Onity flaw he found was so
basic (it is the electronic equivalent of the Bic cap trick that unlocked
Kryptonite locks) that any EE grad working at DoD or NSA would have had it
instantly. The idea that there'd be some huge conspiracy involving the
government reaching out to private firms to enable them to break into
trivially breakable locks rings false.

You should simply assume that the government has always, always, always been
technically capable enough to break into hotel rooms undetected.

~~~
dsl
To back up your point:

Two years before Cody's talk, an unknown entity (assumed by local police to be
Mossad) used a third-party device to reprogram VingCard hotel door locks in
the field as part of the assassination of Mahmoud Al-Mabhouh in Dubai.

------
revelation
So the NSA is spending taxpayers' money on contracting with Raytheon (who else)
so they can hire people that will then use nmap, nessus and netcat.

What is the NSA being paid to do?!

~~~
phaus
It's not like they needed 28 people, assigned 28 feds to work on the project
and then hired 28 contractors so the feds didn't have to do anything, but that
appears to be what you are implying.

Like most large organizations, the government has tons of different projects
going on at the same time. When they take on a new project, sometimes they use
actual federal employees, sometimes they use contractors with federal
oversight. Sometimes they use a mix of both feds and contractors. It usually
depends on what kind of funding they can get approved. They do not often hire
more people than they need for a particular project, because right now it's
pretty hard to get money for anything, and most politicians remain grossly
uninformed about the significance of anything having to do with computers.

It's a fact that an enormous amount of taxpayers' money gets wasted each
year, but pen testing vital SCADA systems across the U.S. doesn't seem like a
waste of time to me. I know that the article mentioned nessus, netcat, and
nmap, but the tools that are used in the security world don't matter nearly as
much as the people who are using them. Also, do you think that the NSA is
really going to tell you every single piece of software that they are using
for penetration testing? They were merely giving examples.

------
nnq
> Whoops! You broke the Internet!

...I just imagined my mom coming across such a "funny" error page and freaking
out. Way to go, cnet!

------
ck2
Why are critical systems like powerplant control on the internet?

Or are they talking about the old "drop a usb stick in the parking lot and
hope some idiot plugs it into their control panel computer" approach?

In which case I say crazy-glue the usb ports and devices like mouse/keyboard
into the system.

~~~
tptacek
Because it is 2012, and every networked digital system in the world uses IP,
and every business in the world has an Internet connection the same way every
business in the world has a phone. Incidentally: there is nothing new under
the sun: these same critical systems used to be exposed via the phone network.

I don't know what they're saying, but yes, I assure you, there is crazy stuff
that is one or two pivot hosts away from an Internet attacker.

------
kylemaxwell
I'm not really all that concerned by the project itself. This is what the NSA
is for (protecting US communications and finding ways to attack communication
systems). However, I _would_ like to know who NAMES these things? "Perfect
Citizen", really?!

------
neurotech1
Does anyone have a mirror of the article? CNET is giving a 404 error on this
one.

Edit: CNET are having site issues, it's not just this one page. @redtuxx Thanks
for the link

~~~
redtuxx
<http://webcache.googleusercontent.com/search?q=cache%3Anews.cnet.com%2F8301-1023_3-57560644-93%2Frevealed-nsa-targeting-domestic-computer-systems-in-secret-test%2F&oq=cache%3Anews.cnet.com%2F8301-1023_3-57560644-93%2Frevealed-nsa-targeting-domestic-computer-systems-in-secret-test%2F&sugexp=chrome,mod=15&sourceid=chrome&ie=UTF-8>

