
NSA Chief Hacker Explains How to Avoid NSA Spying - awqrre
http://techlog360.com/2016/01/nsa-chief-hacker-explains-how-to-avoid-nsa-spying/
======
nickpsecurity
He's misdirecting people. Sure, this is good advice. The problem is they only
protect upper layers of the stack. NSA TAO hits the lower ones, too. Some NSA
tooling even attacks in ways that require TEMPEST-style shielding. An old
enumeration of issues I put together shows more of the places they're hitting
plus assurance activities that stopped their hackers in the past:

[http://pastebin.com/y3PufJ0V](http://pastebin.com/y3PufJ0V)

Suffice it to say, the TAO is going to breach most of what people use. What
people in high-assurance security usually did was a combination of airgaps,
embedded hardware, micro/separation kernels, things like serial ports to avoid
DMA risk, and so on. You have to get all the attack surface out of the
equation. Then, you make the TCB simple and strong for the rest.

It's more work than most will do. It also counters the mainstream favorites
like Linux/BSD, at least in usual usage. So, uptake of high-security methods
stayed low enough for TAO to have an easy job. The Snowden leaks haven't changed
that: economic and social factors remain for proprietary and FOSS. So, follow
this advice or not, they'll still probably get in because the root problems are
still there. Might stop others, though.

~~~
meowface
Absolutely. His advice is accurate and something everyone should follow, but
it really only scratches the surface. Presenting it as "follow these 6 weird
tips to keep TAO out!" is an attempt to give a false sense of security.

That said, the NSA is technically in charge of defensive information security
for the country, so he can't be dismissed as wholly disingenuous, either.

~~~
zipwitch
When it comes to securing ourselves, anything coming from the NSA should be
treated as some form of disinformation. The NSA betrayed its "information
security" brief long ago and can _never_ be trusted on that front again.

We are all better off keeping up with and following consensus best practices
and ignoring the NSA, rather than trying to out-think their latest bit of
disinformation.

~~~
rosser
While I trust the NSA about as far as I could throw the Puzzle Palace, I think
you're overstating. Part of their brief, however obscured by their
reprehensible behavior of late, _is_ to help defend US-based economic
interests against foreign intelligence, governmental or private.

------
irickt
These seem to be live notes from a conference talk and are a little rough. The
article refers to [1] which is better journalism. [1]
[http://www.theregister.co.uk/2016/01/28/nsas_top_hacking_bos...](http://www.theregister.co.uk/2016/01/28/nsas_top_hacking_boss_explains_how_to_protect_your_network_from_his_minions)

~~~
jlgaddis
Yes, The Register's article is much better/higher quality.

~~~
cpncrunch
Ugh, this article is terrible. Who upvotes this crap? It's difficult to read
because of all the grammatical problems, and doesn't really give much
information anyway (apart from the link to the Register article, which is
indeed much better).

Flagged due to general crapness.

------
rrggrr
THIS is exactly what NSA should be doing domestically. Help us harden against
foreign threats. Talks are great. Even better: give small American
businesses tools or services so we can harden. My business would smile paying
taxes if the USGOV had our back on commercial cybersecurity... Even in
partnership with private companies.

------
blakesterz
You can watch the talk on YouTube now:
[https://www.youtube.com/watch?v=bDJb8WOJYdA](https://www.youtube.com/watch?v=bDJb8WOJYdA)

------
sarciszewski
TL;DR - "If you really want to protect your network you have to know your
network, including all the devices and technology in it"

There, saved you a click.

~~~
nickpsecurity
I've always found it better to emulate high-security engineers at defense
contractors and IAD instead of listening to their hackers. The hackers are
good for spotting problem areas. As in my other comment, the defense side in
academia and high-assurance market has been effectively countering them for
decades. People just don't apply what was learned.

On my end, being limited back then, I combined whatever proven method I could
with obfuscation across the board. That by itself, per monitoring, stopped
very sophisticated attacks that common approaches failed to. They'd have to
hack it to even figure out how it worked and was configured. Then they could
hack it normally. See how that doesn't work out for them? ;) The attacks would
transition to physical infiltration (never happened I think...) or social
engineering (mitigated many).

Examples for your amusement: (a) using obscure processors + OSes + network-
layer guards while advertising they're x86 Linux boxes; (b) sandwiching a
custom, randomly-generated messaging protocol or middleware w/ security
features between others; (c) my polymorphic ciphers w/ several AES candidates,
random iteration, and random counter values; (d) _real_ port-knocking like a
SILENTKNOCK variant that doesn't advertise itself; (e) hiding authentication
or taint (for tracing) data in checksums at various layers; (f) straight
ripping privileged code out of a system while using minimal, unusual libraries
for stdlib etc.; (g) tools like Softbound + CETS to automatically make stuff
safe, or languages that do by default.

Lots of tricks that require almost no work, don't negate the security of
proven components, require almost no maintenance (outside OS stripping) once
you deploy them, and stop or detect all kinds of attacks. Proven against
nation-state attackers time and time again. Just wait till I integrate stuff
from SecureCore, Air Force's HAVEN, SAFE, or CHERI processors plus my
randomization/obfuscation shit at HW level. Need funding & specialists for
that but I'm still doing high-level designs & research in case I ever get it.
NSA already failed to breach weaker versions of that. TAO gonna scream when
next-gen versions get rolled out into production. ;)

~~~
arca_vorago
I'm convinced that it's wrong to say there is no security in obscurity. It's
just one more layer in what should be many, and it has many benefits (simple
example: ssh port changing at least reduces alert fatigue, so when I get
a lvl 10 from OSSEC I know I need to dig into it asap!)

Port knocking is great as well.

Sounds like you are doing great work!

~~~
nickpsecurity
"and it has many benefits (simple example: ssh port changing at least reduces
alert fatigue, so when I get a lvl 10 from OSSEC I know I need to dig
into it asap!)"

Interesting point. False alarms were small enough that I never thought to
measure the impact of alert fatigue in these changes. Might consider it in the
future.

"I'm convinced that it's wrong to say there is no security in obscurity."

It might help to just call what we're doing obfuscation. That's the proper
term. Security by obscurity is either defined as or is connected to the
concept that _only_ hiding the details would keep you safe. In our examples,
we're using a strong security technique plus hiding a critical aspect of how
we use it. Take away the hidden part, and it's still at least as strong as a good
security technique.

Hence, we're obfuscating otherwise good security rather than doing security by
obscurity.

"Sounds like you are doing great work!"

Appreciate it! Email me if you want to see other solutions or essays I did. I
let people copy them without fee so long as they give credit. No blog so it's
currently a lot of text files and links to master copies on Schneier's blog.

------
Cartwright2
Are there any "reputation-based" tools available for home users? I have always
wanted a tool that would visually show me every device on my network and give
a clear indication when a new device was added.

~~~
onlycommenting
Nmap. I'm sure you can find a GUI-like program for it. Just scan your router's
subnet.
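
The Nmap-and-diff approach suggested above, as an added example that is not part of the thread: it parses a constructed `nmap -sn -oX` ping-sweep and flags any MAC address missing from a baseline inventory, which is what a "tell me when a new device appears" tool boils down to. The function names, the baseline and the sample addresses are constructed for this example.

```python
# Added example: parse nmap's XML (-sn -oX) and report MACs absent from a
# known-device baseline.  Real scan: `nmap -sn -oX scan.xml 192.168.1.0/24`
# (root needed for ARP replies, which is how nmap learns the MAC addresses).
import xml.etree.ElementTree as ET

# Constructed baseline, keyed on MAC because DHCP leases move but NICs don't.
BASELINE = {"AA:BB:CC:DD:EE:01": "router", "AA:BB:CC:DD:EE:02": "laptop"}

# Constructed sample of nmap -sn -oX output, not a real capture.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.1.0/24">
<host><status state="up" reason="arp-response"/>
  <address addr="192.168.1.1" addrtype="ipv4"/>
  <address addr="AA:BB:CC:DD:EE:01" addrtype="mac" vendor="ExampleCo"/></host>
<host><status state="up" reason="arp-response"/>
  <address addr="192.168.1.20" addrtype="ipv4"/>
  <address addr="aa:bb:cc:dd:ee:02" addrtype="mac"/></host>
<host><status state="up" reason="arp-response"/>
  <address addr="192.168.1.77" addrtype="ipv4"/>
  <address addr="AA:BB:CC:DD:EE:99" addrtype="mac" vendor="UnknownCo"/></host>
<host><status state="down" reason="no-response"/>
  <address addr="192.168.1.5" addrtype="ipv4"/></host>
</nmaprun>
"""

def parse_hosts(xml_text):
    """Return [(ip, mac, vendor)] for every host nmap reports as up."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = vendor = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").upper()   # normalise case for the lookup
                vendor = addr.get("vendor", "")
        hosts.append((ip, mac, vendor))
    return hosts

def find_new_devices(hosts, baseline):
    """Hosts whose MAC is not in the baseline.  A host with no MAC at all is
    also flagged: nmap only sees MACs on the scanner's own segment."""
    return [h for h in hosts if h[1] is None or h[1] not in baseline]

if __name__ == "__main__":
    for ip, mac, vendor in find_new_devices(parse_hosts(SAMPLE_XML), BASELINE):
        print(f"NEW DEVICE {ip} {mac} {vendor or 'unknown vendor'}")
```

Run it on a cron schedule against a fresh scan file and append newly seen MACs to the baseline once you have identified them, so the report only ever lists the unexpected.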

------
bad_alloc
Question: If I did somehow manage to avoid being spied on, wouldn't I stand
out because there is very little data available about me?

~~~
ionised
Yes.

------
ejcx
In case you weren't already aware, there is no news here.

This is all just high-level, best practice, straight from the CEH or CISSP
exam, textbook information.

His information was applicable for big organizations with a network and not
really individuals. Like anti-virus is going to help you against the NSA?

------
matt_wulfeck
The NSA knows that it's very difficult to implement security. Nothing new
here: look for the weakest link, then pivot once inside.

That being said, I really feel the future is in predictive and reactive
machine learning algos on data.

------
gaur
What a waffle. Can anyone extract useful information from this meandering
trainwreck of an article?

------
SeanDav
OT:

Interesting how submission sometimes works. I submitted a link to this from
Wired:
[https://news.ycombinator.com/item?id=10994795](https://news.ycombinator.com/item?id=10994795)
more than a day ago which got just about no interest and here it is now
trending on the front page.

Not complaining, just making an observation!

------
fuck_dang
Our friend Zoz of Defcon fame has a talk about NSA spying that enumerates and
gives details to some of the ways that the NSA can 'see' you.

[https://www.youtube.com/watch?v=J1q4Ir2J8P8](https://www.youtube.com/watch?v=J1q4Ir2J8P8)

~~~
dang
As I posted before, usernames like this are distracting and you should make
one that doesn't implicitly troll every thread:
[https://news.ycombinator.com/item?id=10837069](https://news.ycombinator.com/item?id=10837069)

I admit it's amusing to try to get around the restriction by mocking the
moderator. But not amusing enough.

------
rdiddly
Very first sentence is glaringly shitty. It's a tech "log" all right. Life's
too short.

