
NSA releases open-source infosec tool - anigbrowl
http://www.itnews.com.au/News/406509,nsa-releases-linux-based-open-source-infosec-tool.aspx
======
codewithcheese
Using their extraordinary resources to educate industry and peers to improve
the state of the art should be a main operating procedure for a gov funded
security organization.

~~~
MichaelCrawford
I think the NSA is also behind the EDP Audit, Control and Security Newsletter.
I was once invited to contribute a paper but had to cancel because I get a
little loopy sometimes.

There is the CIA World Fact Book. The CIA also has an online library that I
haven't really looked into other than that someone posted a link to some
advice for intelligence analysts, on the general topic of avoiding personal
bias.

entertainmentliason@ucia.gov will send you real spy stories that you may Feed
The Monster, that is, write movie or TV scripts.

Both the CIA and NSA have "For Kids" sections for those of our younguns who
want to grow up to be spies.

One of my very best friends is an FBI agent. A former girlfriend endangered
national security by listing her work address on our alumni website; she's
heavily into math and there aren't many reasons one receives mail at Ft.
Meade. That's what post office boxen are for.

My second cousin Glenn Thobe speaks better Russian than Vladimir Lenin.
Because he had "some connections in the State Department" he was permitted an
unescorted five-month visit to the Soviet Union at a time when the Commies
feared the Free World far, far more than we feared them - and for good reason.

Glenn is a soft-spoken, quiet, good-looking guy, he was young at the time so I
expect the Soviet chicks were hurling themselves at him like beached whales.

He is also a physicist and an electrical engineer. If you want to win a Cold
War when it suddenly grows Hot, you want lots of Physicists and Electrical
Engineers but then Uncle Sam launches an Intercontinental Ballistic Vegetarian
who doesn't even have a driver's license because he prefers public transport.

------
adricnet
This brief writeup from Puppet Labs seems to answer most of the questions I
had about the nature and usefulness of the technology released.

[https://puppetlabs.com/blog/nsa-release-system-integrity-man...](https://puppetlabs.com/blog/nsa-release-system-integrity-management-platform-simp)

------
KenanSulayman
This is _not_ by the NSA but by its contractors. Namely employees of Onyx
Point, Inc. and KEYW Corporation.

~~~
devonkim
There are several other contractors that were involved in the creation of the
Puppet modules but those are the top two contributors probably. In fact, I'm
pretty sure I was asked to contribute the Puppet module I hacked a year ago or
so to the project but with a casual search I didn't see any commit by myself.

I had no idea that NSA had anything to do with this project is the thing. I
just thought it was a project to standardize deployments of projects for DoD
IC systems using modern configuration management tools, specifically Puppet.

------
viraptor
The technology transfer project is fun. If you read the document from March
2015, they released a list of patents which can be licensed and used by US gov
and companies.

Or... by a large number of countries for free, where the US patents do not
apply.

~~~
MichaelCrawford
But not by many of the countries we actually trade with. :-D

------
joosters
[https://github.com/NationalSecurityAgency/SIMP](https://github.com/NationalSecurityAgency/SIMP)

~~~
fnord0
"For those out there that just want the goods, the actual code for the SIMP
project is hosted under the SIMP GitHub Organization."

[https://github.com/simp](https://github.com/simp)

------
robert_nsu
Why did I read that comment section? I wonder if any of those people have ever
heard of SELinux.

------
dataker
That's also a move towards transparency, a great tool to control and limit
government.

I'm sure there'll still be classified programs in the future, but I'd urge
people to go beyond "they're evil" and see what it represents.

------
BinaryIdiot
That's a huge amount of repositories. I've been reading through the
descriptions of a few and so far it's hard to gauge what this thing is in its
entirety (or maybe I'm just too tired).

After working with their OWF I'm skeptical that this will be anything better
than commercial but I'll keep an open mind and continue looking through docs.
If anyone has a better summarization that would also be helpful (because
apparently I haven't figured it out yet).

------
helfire
Not their first open source project: Apache Accumulo was open-sourced by them -
[http://www.informationweek.com/applications/nsa-submits-open...](http://www.informationweek.com/applications/nsa-submits-open-source-secure-database-to-apache/d/d-id/1099972)?

------
jpdus
The contents of the NSA Tech Transfer program are also quite interesting:

[http://m.nsa.gov/research/_files/tech_transfers/nsa_technolo...](http://m.nsa.gov/research/_files/tech_transfers/nsa_technology_transfer_program.pdf)
[pdf]

------
fcanela
Forbidden message appears to me.

Here is the google cached version:
[http://webcache.googleusercontent.com/search?q=cache:Iac_dvJ...](http://webcache.googleusercontent.com/search?q=cache:Iac_dvJSWqkJ:www.itnews.com.au/News/406509,nsa-offers-cybersecurity-tool-to-businesses.aspx+&cd=1&hl=en&ct=clnk&gl=en)

~~~
fcanela
Aims to avoid duplication of effort for govt agencies.

The US National Security Agency has offered up one of its cyber security tools
for government departments and the private sector to use freely to help
counter threats and raise their security posture.

The systems integrity management platform - SIMP - was released to the code
repository GitHub over the weekend.

SIMP helps to keep networked systems compliant with security standards, the
NSA said, and should form part of a layered, "defence-in-depth" approach to
information security.

NSA said it released the tool to avoid duplication after US government
departments and other groups tried to replicate the product in order to meet
compliance requirements set by US Defence and intelligence bodies.

"By releasing SIMP, the agency seeks to reduce duplication of effort and
promote greater collaboration within the community: the wheel would not have
to be reinvented for every organisation," the NSA said in a release.

Currently Red Hat Enterprise Linux versions 6.6 and 7.1 and CentOS versions
6.6 and 7.1-1503-01 are the only supported operating systems for SIMP.

The NSA, which has in recent years faced heat over its mass surveillance and
bulk data collection activities as exposed by former contractor Edward
Snowden, has increased its efforts to share its technology in recent months.

It recently debuted its 'technology transfer' program, which aims to further
the development of new capabilities and technologies within both government
and the private sector.

The program allows the NSA to offer internally-developed technology to
industry and researchers. It has so far opened up a range of products in eight
categories spanning networking, optics, processing, security, and
microelectronics, among others [pdf].

Director of the program, Linda Burger, said the open source method of
"transferring technology from the federal laboratory to the marketplace is
extremely efficient".

"The open source community can leverage the work that NSA has produced, and
the government can benefit from that community’s expertise and perspective.
It’s a win for everyone – and for the nation itself," she said in a statement.

Despite the secrecy of its intelligence gathering work, the NSA has a history
of producing and publishing security-related work, and holds annual
competitions that seek to find the best cybersecurity papers.

The spy agency’s trusted systems research group has also produced a hardened,
mandatory access control architecture called Security Enhanced Linux that has
found its way into several distributions, as well as Google’s Android mobile
operating system, FreeBSD, and Oracle’s Solaris.

~~~
UserRights
Do you remember that backdoor that was found in SELinux a few years ago?

~~~
bitmapbrother
No, could you elaborate on this "back door"?

------
cmattoon
That "Report Abuse" button...

------
MichaelCrawford
I applied for the US Air Force Cyber Command in 2008. While there is no way I
could get a clearance I hoped to work in a purely defensive position.

At the time every branch of the military wanted its own computer security
force; eventually they were unified under the Joint Forces Cyber Command,
which is under the Strategic Command (STRATCOM); the Strategic Command is the
joint successor to the Strategic Air Command.

(The military is heavily into the word "Joint". I cannot possibly speculate as
to why.)

Each branch has its own force, MARFORCYBER for the Marines and so on.

They are all based in Ft. Meade however Ft. Meade really isn't that big. I
expect they just use Ft. Meade to receive snail mail, but if you look up its
Zip Code at [http://www.usps.com/](http://www.usps.com/) in bright red text
the resulting page says "The Postal Service does not deliver mail to Ft.
Meade" but then provides the Zip Code.

(At least it did last time I checked.)

Also at Ft. Meade and open to the public is the National Cryptological Museum.
You can see stuff like a U-2 and a real Enigma machine there.

You can apply to work for These United States at
[http://www.usajobs.gov/](http://www.usajobs.gov/)

I watched some recruiting videos when I applied to the USAF Cyber Command; one
of them pointed out that cell phones are not permitted in secure areas because they
have a maintenance mode that enables The Phone Company to listen in without
your knowledge. Have A Nice Day.

~~~
jonnybgood
> (The military is heavily into the word "Joint". I cannot possibly speculate
> as to why.)

Joint refers to a multibranch organization. The Joint Forces Cyber Command,
for example, doesn't belong to a specific branch, but employs multiple
branches. The commander can be Air, Army, Navy, or Marine. When any two
branches work together it becomes _joint_.

~~~
valarauca1
> The commander can be Air, Army, Navy, or Marine.

In non-combat joint operations. Like technological development, R&D, etc. The
Marines are represented by the Navy, as they're part of the Navy.

~~~
mattlutze
The USMC will still have personnel stationed in these organizations, it won't
all be Navy.

~~~
MichaelCrawford
Do Marines serve aboard Naval vessels?

I do understand that the Marine Corps was created because the Navy wasn't
having a whole lot of luck with attacking the Barbary Pirates on land, so the
Navy delivered the Marines to Tunisia or Morocco or what have you then the
Marines dealt with the pirates after going ashore in a Ground Effect Vehicle.

I have only been aboard just one of my father's boats, the USS Springfield in
Gaeta, Italy in 1970 and '71. I clearly remember this huge battleship but
when I visited in 1997 what I expect was the same kind of ship looked more
like a canoe.

I think the Springfield was either a Light Cruiser or a Missile Cruiser but
Dad never made a whole lot of sense when he tried to explain things verbally.

Anyway I don't recall ever seeing any Marines there in Gaeta.

I do understand that in These Modern Times the United States Marine Corps jets
around aboard Virgin Air.

~~~
mattlutze
I imagine Marines will be deployed at least on Naval vessels with combat or
combat support missions. I imagine Marines fly missions from aircraft carriers
alongside Navy pilots, albeit fewer. And, land-based research or other
commands (like the previous poster had mentioned) will still have Marines --
it's more than just a large infantry unit.

------
logicrime
A similar headline might read: "ISIS releases freedom of speech app" or
perhaps "KKK releases geocaching app" or "LAPD releases Snitcharoo app" etc.

I wouldn't be against a Dept of Cyber Affairs, but the NSA absolutely needs to
be stopped, at any cost.

------
gorgak
any hacker who supports the NSA or GCHQ is a traitor to the hacker culture and
to the human race. these disgusting people must be stopped. the americans and
british geopolitical meddling made their own enemies which they implore you to
give your freedoms up for (or did, your freedoms are gone right about now) -
the NSA and GCHQ need to be completely abolished and the money put into
sustainable communities and fuck their terrorist mindset bullshit ideology.
they create the fucking terrorists not us. ahem :)

~~~
grkvlt
> traitor to the hacker culture

I don't understand the weird disconnect between HN and the intelligence
community. It's almost the _perfect_ job for a 'hacker' type: work with
cutting edge technology and thousands of other incredibly intelligent people
to try and out-think adversaries to gain access to their resources. You get to
build defensive _and_ offensive software to attack computer systems, and
actually use it, something that would get you arrested if you did it
personally. This was why I loved penetration testing, and an obvious extension
of financial security would be working in national security. Yet somehow,
these guys are 'evil' now, notwithstanding the IRA and others in the UK, the
9/11 and 7/7 attacks, and so on - those were all perpetrated by _actual_ evil
people, who deserved to be investigated and followed and found. And, looking
at the leaked documents, there is a huge amount of auditing and checking -
don't do this, because it's illegal, don't search for that because it's
against the law - not the wild west free-for-all that people seem to imagine.

Anyway, if I could get a clearance, I'm sure I'd love working for GCHQ or SIS
in the infosec arena, as would most hackers. The cognitive dissonance is
strong in many people!

~~~
RRRA
This one sided view of their marketing pitch is exactly what's wrong with them
and, to some extent HN in general, in its Californian money & tech bubble...

Seen from the outside, this kind of tech-trip-before-thinking-globally, or
solutionism, is why people are upset, and rightly so. Snowden has shown, as
many others have before and after, that they spy for economic and political
gain against ally, they don't even respect local American's laws and could
hardly be described as democratic or even accountable.

I'm not saying there isn't a need for law enforcement or surveillance, but it
has to be accountable, targeted and justified. Not simply a secret digital war
machine disguised under the "omg, everything is now terrorism! Save the
children! --fox" and cool marketing to entrap the young mind and throw them
away once their time has passed...

I wish I would want to work there, IF and only IF, they would fix all those
issues.

In the mean time, yes, they are an enemy of democracy, and a very hypocritical
one at that.

The public servants that work there deserve to be put to work for the greater
good.

~~~
caskance
Criticising the NSA for spying on the wrong targets makes as little sense as
criticising soldiers because your country is at war with the wrong enemy.

~~~
JupiterMoon
The army doesn't normally go off and attack another country in secret without
even telling their own government.

~~~
caskance
heh.

------
typon
Probably has hidden backdoors

------
kyloon
It would be interesting if there is an intentional hidden vulnerability within
the code that NSA could use as a backdoor into companies that end up
implementing the tool into their system.

------
AnonymousPlanet
See? They're not evil at all! It's just like Microsoft. Opensourcing stuff
proves they are good now. They're going to be the organisation we all love.
You'll see. /s

