
Trove of Stolen Data Is Said to Include Top-Secret U.S. Hacking Tools - tucif
http://www.nytimes.com/2016/10/20/us/harold-martin-nsa.html
======
deanCommie
> "F.B.I. agents on the case, advised by N.S.A. technical experts, do not
> believe Mr. Martin is fully cooperating, the officials say. He has spoken
> mainly through his lawyers"

As is his right and what every sensible entirely innocent individual in his
position should be doing. If the government (at any level from civic to
federal to international) arrests you for any crime with serious charges, it
is ABSOLUTELY the most prudent thing to communicate solely through your
lawyers.

There is too great a risk of being convicted due to doubt and natural human
inconsistency otherwise.

For anyone that doubts how even the most innocent person can be convicted for
not heeding this advice, there is a hilarious and content-dense lecture on the
subject:
[https://www.youtube.com/watch?v=ZGgKLgVNfAo](https://www.youtube.com/watch?v=ZGgKLgVNfAo)

~~~
JustSomeNobody
100 percent agree. If you're speaking through your lawyer, you are
cooperating. Never ever speak to law enforcement without a lawyer there to
explain the law to you if you've been charged, or sometimes even if you're
being questioned, about a crime.

------
JumpCrisscross
Would be cute if a foreign country passed an analogue to JASTA [1] making the
United States responsible for damages resulting from its developing, and
keeping secret, tools for the exploitation of security vulnerabilities in
civilian software.

[1]
[https://en.wikipedia.org/wiki/Justice_Against_Sponsors_of_Te...](https://en.wikipedia.org/wiki/Justice_Against_Sponsors_of_Terrorism_Act)

~~~
linkregister
What would those damages consist of? The only material impact I can think of
is the apparently U.S.-developed Stuxnet program.

~~~
Zigurd
Look at how US prosecutors pile on the cost estimates in hacking cases.

~~~
closeparen
Indeed. "We had no idea security was a thing until you broke in, so now we're
counting the cost of giving a shit going forward as damage you inflicted."

------
mindcrime
As far as I'm concerned, the NSA are the enemy - so props to anybody who can
poke a stick in their eye. I just hope this guy doesn't wind up in Guantanamo
for the rest of his life.

~~~
spydum
What is interesting to me is that even super security gurus at NSA can't
contain their most sensitive data (well, maybe tools aren't highest level?).
At some point I think we need a better security strategy than trying to stop
data from leaving, and more about how to make sure data is useless outside of
its domain.

edit: I say that now in retrospect that security and freedoms of data seem
always at odds. DRM being a keen example. Just wish we had better options..

~~~
catnaroek
DRM is about neither security nor freedom.

~~~
tetrep
DRM is surprisingly security oriented, if you think about it: the premise of
DRM is _not_ trusting the user, which is more extreme than most security
models (allowing the user root/admin access to the OS is antithetical to not
trusting the user).

~~~
vetinari
DRM is more about _who has the keys_, than security itself.

~~~
rimantas
Modern computer security is all about who has the keys.

~~~
eeZah7Ux
Just like a steel door, when somebody else has the keys, you are not secure -
you are imprisoned.

------
heartsucker
> F.B.I. agents on the case, advised by N.S.A. technical experts, do not
> believe Mr. Martin is fully cooperating, the officials say. He has spoken
> mainly through his lawyers, James Wyda and Deborah Boardman of the federal
> public defender’s office in Baltimore.

It sounds like they're just mad that he didn't confess immediately, instead of
doing the smart thing of having a professional handle everything. Do they really
expect someone to cooperate gladly when repercussions could be severe?

~~~
StavrosK
Yes. They're the FBI. They're not used to people exercising their rights.

~~~
bayouborne
The 2 FBI people I've known both had law degrees.

~~~
JustSomeNobody
So does James Comey and he's a complete idiot.

~~~
metalliqaz
That extraordinary claim requires extraordinary evidence. Can I assume you are
also a lawyer?

~~~
thingexplainer
Extraordinary claims don't require more evidence than other claims. A more
accurate statement would be, "claims I'm skeptical of will require convincing
evidence for me to be swayed." The "extraordinary" part makes this razor less
useful, as if there were more than one category of evidence and one of them
simply wasn't good enough for you.

Comey continues to advocate for backdoors in order to stop ISIS from being
able to radicalize marginalized people within the US without them being able
to listen. However, there are two obvious problems with this.

1. Why don't you just reach out to the marginalized yourself? Spend that $1M
you paid to break into an iPhone on combatting Islamophobia and ISIS will have
a tougher job.

2. What is to stop ISIS from using software written outside the US, or
software they write themselves, or versions of software older than the
mandated backdoors, or open-source software, or... on and on and on. His plan
transparently will not work. To quote Schneier, "His problem isn't encryption,
it's general purpose computers and a global market for software."

That is stupid.

------
thingexplainer
It seems like contractors are a massive attack surface for the DoD. I do
wonder why they gave a clearance to someone who was apparently a hoarder. If
collecting things that interest you in a compulsive manner doesn't suggest to
you that this person might be abused by foreign powers, but marijuana use
does, your secrets will flow like water.

~~~
gnarbarian
I contract for many large state and federal agencies.

For better or worse, contractors are easier to hire and fire for the federal
government. That gives them more budgetary flexibility. You can also hire
people and companies that specialize in the specifics of the project quickly
through established contracting channels with established reputations.

Contractors are also able to legally bypass red tape and bureaucracy required
of federal employees. For instance, if I was directly employed by one of my
clients I would be severely limited in the toolchain that I use and I wouldn't
even be allowed admin access on my development machine (despite having it on
multiple servers which are orders of magnitude more sensitive). If I was their
employee, every time I needed to install a Java update I'd have to call up IT,
sit on hold and explain to them exactly why I need to install this update,
etc. I've had it literally take a week of futzing around with bizarre errors
(from the crazy policy settings and restrictions on the laptop) on hold with
some poor schmuck at a national level helpdesk four time zones away who has
zero experience with programming trying to get a dev environment set up on a
government laptop, which would have taken literally an hour on a computer I
have local admin access on. I would rather be waterboarded than do that again.
Contracting and having our own rules saves literally unending amounts of
pointless bullshit. Many things would probably never get completed internally
because of situations like this. Of course those contractor advantages cut
both ways when considering security.

In OP's situation I'm not sure him being a contractor makes any difference.
Either kind of employee can take a usb stick home and transfer stuff to a
compromised PC. A contractor or employee may have gotten their clearance a
long time ago and unless they have some kind of regular unannounced random
inspection of their home you'd never know if they were a hoarder. And if they
never caused or were involved in a security incident in the past there would
probably be very little desire to bother shaking them down. I'd say problems
in this category may be worse internally. I've met many husks of people in
government positions who have been there for decades and are completely
unemployable. What's worse is they can't be fired easily like a contractor so
as long as they show up sober 9-5 they never leave.

Not saying it's a good situation. The contractor knowingly and clearly broke
laws, policies, and rules. I annually have to take record keeping and security
courses and quizzes to maintain access to the network. I am sure the
contractor implicated here had much more stringent requirements than I have
due to his clearance level. Thus this guy's screwed, and his company is
screwed too, legally too. Lord knows this guy can't pull strings at the DoJ to
save his ass like some people from recent memory.

~~~
walshemj
Don't they have random searches? When I went to HMGCC for an interview (at
Hanslope Park) a couple of years back there was a sign up saying that you
could be searched on entry and exit.

~~~
gnarbarian
Not where I work. Also, random could mean once every 10 years. I use a laptop
and take it home every night. Unless they banned users from taking everything
with them (phones, keychains, etc.) there's not much a random search would
accomplish.

~~~
walshemj
I know people who worked at places where taking a phone into work with a
camera in was verboten.

And for high security places, why on earth would they allow people to work on
laptops that are taken home every night, an obvious security risk?

~~~
jhalstead
Indeed. I worked in a secure environment for about 4-5 years, and we couldn't
bring our cellphone (of any type) or any other electronics/storage
devices/etc. into work. In fact, while working there I had surgery that
required me to lug around a medical device 24/7 for a while. And because the
device had an exposed USB port, I wasn't allowed to return to work until after
I no longer needed it. That took roughly 1 month.

------
bsder
So, basically, it looks like there's a reasonable probability that this guy
isn't the leaker.

I know that if I wanted to actually blow the whistle on somebody like the NSA,
I would make sure to plant the evidence on somebody else to give them a juicy
target to latch onto.

~~~
thingexplainer
How principled of you to ruin someone's career and let them spend the rest of
their life in prison.

~~~
bsder
I turned down working for the NSA so I wouldn't even be in the position to
have to worry about things like that, thanks.

We should be talking about the fact whistleblowers need legal protection. The
current treatment of whistleblowers leaves those who wish to defend the
principles of the country no good options.

We should also be talking about _how easy it is to frame someone_ and have
them found guilty. The fact that we both have zero problem believing that it's
that easy to set someone up should be terrifying.

------
ryanlol
The Shadow Brokers are still active online.
[https://www.reddit.com/r/DarkNetMarkets/comments/57le5u/thes...](https://www.reddit.com/r/DarkNetMarkets/comments/57le5u/theshadowbrokers_leaks_bill_clinton_lorretta/)

However nothing in the message proves that it was written recently.

~~~
KMag
Have any of you checked if the same secret key was used to sign the original
and this message?
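
The check KMag suggests, as an added example that is not part of the thread: take the public key that verified the original message and verify the later one under it. The Shadow Brokers messages and their actual signatures are not on this page, so the keys and message bodies below are constructed; Ed25519 from Go's standard library stands in for whatever signature scheme the real messages used. `KeyID` is a hypothetical helper that gives a short fingerprint of the public key for comparing by eye.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedMessage is a message body with a detached signature over it.
type SignedMessage struct {
	Body []byte
	Sig  []byte
}

// Sign produces a SignedMessage under priv.
func Sign(priv ed25519.PrivateKey, body string) SignedMessage {
	b := []byte(body)
	return SignedMessage{Body: b, Sig: ed25519.Sign(priv, b)}
}

// KeyID is a short, stable identifier for a public key (first 8 bytes of its
// SHA-256), the analogue of comparing key fingerprints by eye. Hypothetical
// helper for this example, not a standard key-ID format.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// SameSigner reports whether the later message verifies under the public key
// that verified the original. If the original itself does not verify under
// pub, we hold the wrong key and the answer is false regardless of the later
// message.
func SameSigner(pub ed25519.PublicKey, original, later SignedMessage) bool {
	return ed25519.Verify(pub, original.Body, original.Sig) &&
		ed25519.Verify(pub, later.Body, later.Sig)
}

// Demo builds three scenarios with constructed keys and message bodies and
// returns (sameKey, differentKey, tamperedBody): only the first is true.
func Demo() (sameKey, differentKey, tamperedBody bool, err error) {
	origPub, origPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	_, imposterPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}

	// Constructed message bodies standing in for the real posts.
	original := Sign(origPriv, "original announcement (constructed)")
	genuine := Sign(origPriv, "later message, same key (constructed)")
	forged := Sign(imposterPriv, "later message, other key (constructed)")

	// A valid signature from the right key, reattached to an edited body.
	tampered := SignedMessage{
		Body: []byte("later message, same key (constructed) [edited]"),
		Sig:  genuine.Sig,
	}

	return SameSigner(origPub, original, genuine),
		SameSigner(origPub, original, forged),
		SameSigner(origPub, original, tampered),
		nil
}

func main() {
	same, different, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("example key id:", KeyID(pub))
	fmt.Println("same key verifies later message:      ", same)      // true
	fmt.Println("different key verifies later message: ", different) // false
	fmt.Println("same key, edited body verifies:       ", tampered)  // false
}
```

The second and third cases are why the check matters: a message that merely claims to be from the same group, or a genuine message whose body was altered in transit, both fail against the original key. Note that with a real signing scheme you would also compare the key fingerprint embedded in the signature block against the one you verified the first time, since a signature that verifies under some key proves nothing unless it is the same key.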

------
kordless
The advantage gained by wielding advanced technologies is driven by exponential
sales cycles. If we allow the government to continue their "back room"
rationalizations, there will be a point our demand for more faster will come
back and haunt us from a cost standpoint. With exponential advances in
technology come several orders of magnitude more oversight capacity by a
government who continues to make serious errors in calculations when doing
things in secret.

The government isn't currently bad because people in it are bad. It's bad
because our government has some bad ideas on what it means to govern
successfully externally, in an age that is accelerating internal change in
individuals. We want it better faster, too.

If we're going to continue to have government, the government needs to
immediately become 90% more transparent and start setting the vision for us to
do what we need to do to manage these changes.

And then I look at our current election and just shrug my shoulders.

------
joewee
Odd things about this story:

1) Were the tools taken out of a secure environment? Or did he download it
from the net when it was published?

2) How could he have taken such sensitive tools out?

3) Why so many leaks of an ongoing investigation?

------
matt_wulfeck
> He always thought of himself like a James Bond-type person, wanting to save
> the world from computer evil

Maybe the NSA needs fewer James Bond characters and more engineers.

~~~
walshemj
So? You're not really making sense here. "Engineers" may well think that working
for the good of the state is more ethical than working on an improved algo for
Google/Facebook to monetize people's private data.

~~~
pabloski
Good of the State or good of the oligarchs? That is the question!

------
yk
Question: did NYT break their website for NoScript users or did I manage
somehow to break the NYT website for myself? (I tested with Chromium and no
plugins and the website works there, but if I try to access it with FF and
NoScript, the articles only display a log-in form, even if I grant permissions
to everything.)

------
basicplus2
The fundamental flaw is employing contractors. Governments should be doing
all things they are responsible for in house.

Contracting anything out costs in terms of added security risk and in profits
a contractor will want.

~~~
KMag
Former DoD contractor here. Contracting is a description of legal contracts
and payment flows, independent of security arrangements. I sat in the same
SCIF as my directly employed colleagues, and the same security officer was in
charge of our site and everything I did at the site. My employer's security
officer had to handle getting my clearance and forwarding the paperwork to my
site's security officer.

It's not like DoD contractors are doing classified work from home in their
sleepwear. They're still subject to the same security procedures, and in fact
the same security people are overseeing the contractors and direct employees.

I would still roll in before sunrise during what looked to be a beautiful day
and work in a windowless chainsaw-resistant room with a steel door. I'd
daydream of a nice sunny lunch break just like my direct employee colleagues,
and be just as disappointed that it was raining when I exited isolation.

~~~
logfromblammo
Except they would get Columbus Day and MLK Day as paid holidays, while you had
to sit at home and eat a PTO day, because the work site cannot be used with no
government employees there, and your company doesn't coordinate its holiday
schedule for on-site employees.

And then they would have some morale event (read: party/picnic) on base, and
they could go to it while on the clock, while you were nominally invited, but
if you attended it would have to be off the clock.

Then the funding for your project is interrupted. They get furloughed, and
will probably be repaid later when the funding is restored, but you just get
straight-up laid off, and have to find a new job with zero notice.

But at least you got paid more. That almost makes the crap treatment
worthwhile.

