
Hacks Raise Fear Over N.S.A.’s Hold on Cyberweapons - Cbasedlifeform
https://www.nytimes.com/2017/06/28/technology/ransomware-nsa-hacking-tools.html
======
apeace
This is merely a taste of what is to come.

When President Obama stated in December[0] that we will deliver a
"proportional response" to Russian hacking at the "time and place of our own
choosing", it seemed that most of the country was proud, almost gleeful at the
thought that we would be striking back. I for one was mortified.

We should not be escalating cyberwar, even if we do have proof of who attacked
us. People are going to die. We can see from this article that hacking can
cause serious real-world problems.

When we strike back, does Russia then strike back again? What does it look
like after four or five volleys? Will entire power grids be down for days or
weeks? Will the stock market crash?

It's time for the American people to demand that the N.S.A. become a defensive
organization, not an offensive one. And it's time for us to demand peace in
general. Cyberwar is war.

[0] http://www.cnn.com/2016/12/15/politics/obama-russia-hacking-election/index.html

~~~
sillysaurus3
I don't want the NSA to become a defensive organization. I like that Iran's
nuclear program is being delayed. That's not a defensive action.

You don't seem to be proposing that the NSA become defensive, either. If
Russia attacks us and we don't respond, that's not even defensive. That's
dismantling.

~~~
Quarrelsome
So you want to live in a world where both countries don't have any power?
Sounds Utopian.

Defence is the only card in this game worth playing, especially when it comes to
infrastructure attacks.

~~~
thoth
Defense may be the only game worth playing, but how will that work? Unlike the
real military where civilians simply don't own the hardware, in computer
security they do.

NSA isn't a hardware or software vendor, and the corporations that are don't
have much of a profit motive to heavily invest in security. They aren't
actually liable for problems unlike say a car manufacturer that releases a
faulty product, which leaves what exactly... reputation that takes a hit? But
every vendor has bugs and security issues and the market isn't really
punishing anyone.

Is the future effectively an enormous government subsidy to profitable
corporations (i.e. NSA and other US government agencies basically become
extensions of corporate America's QA department)? Is the future heavy
regulations to create the proper financial incentives and/or penalties so
corporations start seriously spending on security?

It's easy to say "the government should do something!!" but what exactly will
that look like?

~~~
Quarrelsome
Regulate operating systems. Fund programs and research to work out how to
create operating systems for our infrastructure that contain fewer zero days.
Ensure we're the ones that find the zero days first.

The reason we're vulnerable is because we're unwilling to pay the cost of
finding the exploits but people in developing nations ARE because they work
for "less".

Right now our economies and systems reward those that fly by their pants and
don't care for security. That is the problem. The free buffet of infinite
growth from technology startups is the very thing that also gives us this pain
and we need to learn to eat less.

~~~
jessespears
This would take an extraordinary departure from our current politics.
Government intruding on software would (rightly) cause cries from the most
stalwart Free Software advocates and from proprietary software companies.

Can you imagine the outcry if a new Linux fork had to seek government approval
in order to post their distribution?

Can you expect Google or Oracle to fail to lobby the government to make sure
they don't have to get each major revision certified?

~~~
floatboth
Not in order to post their distribution! Approval for usage in _critical
infrastructure_.

Critical infrastructure, IMO, should:

- not use general purpose operating systems

- maybe not use general purpose computers (just build custom FPGA logic to
control power grids and stuff)

- not use internet connected computers

- maybe not use computers at all when possible

------
valine
I’ve never liked the term ‘cyberweapon’. It is subtly misleading and gives the
non-technical masses misconceptions about how exploits actually work.
Cyberweapon implies that exploits are created by governments and let loose on
the world, when in reality exploits are existing flaws that were simply
discovered by governments or individuals. Exploits are like a serious
manufacturing defect in a lock that was only discovered after the fact. I
think this misconception has real implications. If you compare exploits to
Nuclear weapons, the public reaction will be we need more secrecy and more
weapons to protect us from hostile nations. If however you changed the analogy
to something like a defective lock, it becomes obvious that what we really need
is openness so exploits can be fixed.

~~~
horsawlarway
While I understand where you're coming from, and I agree with you to some
extent, it's not really that simple.

While the majority of exploits we currently see in the wild are things I think
the "defective lock" analogy works well for, there's a subset of attacks that
would be equivalent to cutting the lock with bolt cutters.

In those cases, there are specially crafted tools that aren't exploiting a
defective lock, they're destroying the basic premise that let the lock work.

I'd say that RowHammer fits that description pretty aptly. It's a cyberweapon.
It's not an exploit.

It's so much of a weapon that (as far as I know, someone please correct me if
I'm out of date!) there's still no known mitigation strategy that completely
solves the problem. We have lots of partial mitigations, but nothing surefire
yet.

So... it's both. We certainly have lots of defective locks, but we also have
some very nasty tools that exploit some fundamental premises of our tech in
clearly malicious ways, and were _absolutely_ designed and implemented to do
exactly that.

~~~
wybiral
In this case we're talking about the recent NSA exploits leaked by Shadow
Brokers and then utilized by WannaCry and the Petya attack. Both of those had
a "weapon" (the ransomware itself) that spread by way of an exploit found by
NSA (a defect in Windows that people failed to patch).

In this case, I feel that blaming NSA for the exploit and calling those
"cyberweapons" is wrong. The entity who put the ransomware on top of them and
deployed them built a weapon.

------
mysterydip
Not trying to claim whataboutism, but I think there's an elephant in the room.
The end result of the NSA saying "ok, as of today we've completely disarmed
our cyberweapon stockpile and released patches for all vulnerabilities to the
appropriate software companies" wouldn't be the end of cyberattacks. It would
just be someone else doing them. I don't know what the real solution is. Maybe
there is none.

~~~
3131s
The point is that there would be fewer cyber attacks, both because the NSA
itself would no longer be adding to the number of hacks and because the NSA
would use their sizeable budget to discover and disclose vulnerabilities,
presumably making all of us safer.

~~~
thoth
Their budget is sizeable but less than the annual profits of Google,
Microsoft, Apple, etc. And NSA pays for tons of stuff that those corporations
don't have to deal with like having thousands of linguists.

Where is the responsibility of corporations in all of this? They have a cash
pile that dwarfs the entire intel budget and ought to be the FIRST entities
that invest in fixing their OWN products, right?

~~~
noir_lord
> Where is the responsibility of corporations in all of this?

Somewhere around here :-

> "It is difficult to get a man to understand something, when his salary
> depends upon his not understanding it!"

Sorry shareholders, you'll be getting a tiny dividend this year because we are
spending a huge part of our 'profit' on backfixing all the shit we let slide
said no CEO ever.

------
crasp
> White House officials have deflected many questions, and responded to others
> by arguing that the focus should be on the attackers themselves, not the
> manufacturer of their weapons.

Am I to understand that if somebody would manage to steal nuclear warheads and
launch them we don't hold the people who failed to protect them responsible?

~~~
strictnein
A nuclear weapon is a little different than a patched SMB exploit.

~~~
d33
How's that different in terms of responsibility?

~~~
strictnein
One kills millions.

~~~
blitmap
SMB attacks can be used against medical facilities. I would reframe this as
"both can kill".

------
45h34jh53k4j
With the initial vector being some widely used Ukrainian tax software, and the
network vector as psexec/wmic mimikatz harvested credentials, the actual usage
of 'NSA cyberweapons' was just a backup.

I suspect this attack would have had a similar number of victims without
EtBl/DoPu and EtRo.

The existence of 'nation state' offensive tools has little bearing on
exploitability for poorly configured enterprise networks, when most victims
were exploited by open source offensive tools, even when patched.

~~~
willstrafach
You are correct regarding the most recent ransomware not actually needing
EternalBlue and just adding it if needed (As proof of concept code is widely
available for it).

I think concerns include things like WannaCry too though, which did indeed
rely primarily on use of EternalBlue.

------
thrillgore
Cyberwar hasn't necessarily led to the massive loss of life associated with
nuclear or chemical weapons. Until that happens (or like with nuclear weapons,
we can culturally show how much of a zero-sum game it is), ordinary people
won't have an incentive to take action. Technically minded people may carry
capital, but we're vastly outnumbered by the dwindling working class
politically.

~~~
Pigo
The only way a nuclear system could be compromised is if there was some idiot
surfing the internet on it, or if someone intricately familiar with the
systems and network tailored an exploit to target it. If we have teams of
people targeting specific systems like this, and just hovering over the
execution button, then I'd say this is a huge problem. Nothing in this article
really described the nature of the threat these weapons pose.

------
snarfy
If history has told us anything, it's that this won't be fixed until we wake
up one day and the majority of the computers in the world are bricked. Then
the government will act. Not before.

------
tomglynch
Hopefully these issues will also put a stop to governments requesting
software backdoor access.

~~~
mtgx
Five Eyes are meeting this week to develop a backdoor plan... There should
definitely be a big backlash against it, especially in light of recent events.

Backdoors in US infrastructure = invitation to Russia and China to go right
through it.

------
omginternets
Prediction: as this becomes more frequent, the only thing that will
substantively change is the frequency at which newspapers report that fear is
raised.

------
flyweight
Closed source vs open source. Why are such exploits not so evident on mac,
linux, bsd etc? Is it only because Microsoft dominates the desktop market?
Edward Snowden clearly showed MS relation to the NSA. I do not believe at all
such exploits are ${Discovered} by the NSA. But the exploits are backdoors
that MS provides. That is why they are now blaming the NSA and putting on a
marketing campaign to show how much they care about everyone ${Security}. So
what if this is the case? To me it's pretty obvious who created this mess.

~~~
Qub3d
For all his quirks, RMS has made points in the past that I'm kicking myself
for not taking seriously. I just wish that the FSF wasn't so tied up in
minutiae -- it turns people off.

It's a sad fact that the face of proprietary tech is that of a handsome young
generic "disruptor", while Open Source / Free Software / Libre / GNU//blah is
less-cheerful Steve Wozniak.

------
throwasehasdwi
This does NOT bode well for the future of humanity. It seems that war is only
war when people on your side are dying. Once everything is sufficiently
automated it will be possible to wage war without risking any of your humans.
I don't want to know where that leads.

~~~
infimum
> Once everything is sufficiently automated it will be possible to wage war
> without risking any of your humans.

I don't see how that could possibly work. Just because people won't die
directly from a weapon anymore doesn't mean they aren't negatively impacted in
this hypothetical scenario. I'm thinking of attacks crippling key
infrastructure which could lead to large scale supply shortages.

------
r721
Related thread by Rob Graham:

https://twitter.com/ErrataRob/status/880536274913771521

------
fdanconia21
How does one protect themselves, or loved ones? I feel this may come across as
a silly question, but if escalation continues, I believe I won't be the only
one asking this question.

~~~
r721
Frequent offline backups, software updates, disabling software features you
don't need.

------
alinspired
I'd speculate that NSA might be working on some hardware solution to secure
their tools, i.e. purpose-built chips/compilers.

------
microcolonel
For what it's worth, NSA is not the only agency with a stockpile of 0days. I
figure they should give 'em up only when everyone else does.

------
EGreg
Terrorism is a problem of technology.

------
Pigo
Two questions

1. Why do they not simply take the weapons off a network? Maybe store it on
some physical media, or a computer not networked unless it's time to take a
Kim down a notch?

2. Are these "weapons" really that dastardly? Most of these common ransom-ware
and viruses are easily avoided, and only succeed because of naive users.
Backdoors aren't a weapon, they're there on purpose. Sniffing, spying, and
logging can potentially cause some chaos. But are these really some kind of
Zero-cool level hydras that they can sink oil-tankers with?

~~~
naibafo
> Most of these common ransom-ware and viruses are easily avoided, and only
> succeed because of naive users.

The problem is that the large majority of the users is naive.

~~~
Pigo
So you think this stockpile is mostly viruses/trojans that would target random
users and hope it spreads to important systems, or hope there's important
systems manned by naive people? These kinds of exploits are everywhere, and I'd
say the NSA is hardly the biggest threat in that arena.

~~~
castis
It's probably not a stockpile of viruses/trojans.

It's more likely a list of exploits across different devices that give you
various levels of access to do as you wish with. Some are probably nothing to
worry about, some might be something that gives you the ability to get into
the machine and encrypt whole sections.

