
Security Breach and Spilled Secrets Have Shaken the N.S.A. - sgustard
https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html
======
natch
One thing that is not talked about enough with NSA is that if they are capable
of leaking some of their most sensitive and powerful tools, then they are also
capable of leaking the most sensitive and private information they collect on
people. Perhaps this has not yet happened, or perhaps it has (someone will no
doubt point out any known incidents here if there are any) but the idea is
unnerving.

Maybe my wording is not perfect "they are capable of leaking" well you could
argue that NSA didn't leak, it was possibly hacked by an outside actor. I
don't think the distinction matters much though in this case. The main point
is that they can no longer say "trust us" with a straight face.

~~~
cm2187
Agree, though the only thing that gives me any comfort (and it is the same
with google, gmail, facebook, etc) is that the amount of data they collect is
nearly impossible to exfiltrate because of its sheer size.

~~~
Canada
Once upon a time movies were too big to download, and now look.

~~~
cm2187
Bandwidth has been increasing very slowly. And I think we will be stuck at
1gbit for a long time (and in many areas: if we ever reach it), just because
there is no consumer use for higher bandwidth. Already 4k video resolution is
a stretch, most people wouldn’t notice the difference to 1080p on a TV from
their couch.

So there will be a need to upgrade wholesale bandwidth just because the
internet keeps growing, people are already talking about next gen game
consoles to be cloud based (ie the rendering to be made remotely) which will
add more traffic. But not 5 orders of magnitude. The amount of data stored by
the gmails and facebooks of this world are mind blowing.

~~~
Canada
Who says attackers must use home or small office connections? Why can't the
data be exfiltrated to a top tier data center with excellent peering?

~~~
cm2187
But consumer/corporate demand for bandwidth is what should ultimately drive
increase in data center bandwidth.

Another point is defeating monitoring. I am sure the NSA (or Google/Facebook)
could not notice 1GB of upload, but I like to think that uploading 1PB of data
would make all sorts of red lights flash in their network security control
room.

~~~
Canada
I'm with you that copying all of Google's data is unlikely. It's a serious
project for Google itself to significantly move around its own data
internally. My point is that very extensive, damaging information could amount
to a mere 100TB subset of it and it's not implausible that could be copied in
a day at 10 gig/s. Too obvious? How about 100 hosts each pulling 100 meg/s?
That's feasible right now. When you really get down to it the datasets I fear
being leaked the most are a lot smaller than that.

Most bandwidth is used sending many copies of the same content. Attackers
aren't going to be interested in downloading the popular video 100 million
times, they're just going to grab the logs which are nowhere near that size,
and although large it's not implausible that even the best security teams
wouldn't notice until it's too late.

There is no hard rule that the leaks need to come from the same central
database either. That is unlikely considering the fact that large scale
services are already, and necessarily, distributed. Imagine thousands of
attacker hosts receiving from thousands of compromised hosts.

------
Wonnk13
Living in Maryland, I've met several young people who put in a few years at
the agency (including TAO) who then left for industry. Millennials don't care
about a government pension, especially when you're in a windowless SCIF
hacking Perl.

The US Government as a whole has a massive talent retention problem. Only the
mediocre will stay at NSA / CIA now and we'll probably see more of these leaks
/ hacks.

~~~
azinman2
There’s a massive pay disparity between public and private, and those
currently in power want to keep it that way and eat away even more at gov
functions. That combined without a clear rallying call for public service
(like the Cold War or collective pride) are a recipe for disaster.

~~~
somnolentsam
There is a big pay disparity, but the main thing is that engineers and other
technical types have gone from having a big say in how problems get solved to
being the problem itself. No amount of pay is going to retain people in those
circumstances, except possibly those you don't want to retain.

As far as money is concerned, NSA is way overfunded - it just spends money on
the wrong things and wastes lots of resources due to inefficiency.

------
dasil003
I don't think it's exactly right to say they should have focused on defense.
The first mistake was focusing on installing a surveillance apparatus and
using fear mongering to sell it politically while giving short shrift to the
actual principles justifying the decision. In doing so they lost the moral
high ground and opened the door for Snowdens and worse. I'm not saying the NSA
has ever been a paragon of ethics, but you've got to have _some_ standards or
no amount of vetting is going to be sufficient to suppress everyone's
conscience.

~~~
chickenbane
I disagree; it's a focus of their existence that appears to be abandoned by
the NSA - and that's dearly needed right now.

From the front page of nsa.gov: "Defending our Nation. Securing the Future."
The second point from their What we do page - "Defends vital networks". In the
opening paragraph of Wikipedia: "The NSA is also tasked with the protection of
U.S. communications networks and information systems". Etc.

For all the prestige of the TAO, who claims that the US networks are secure
and well defended?

I read the news and see the nation's voting, power, media, and other critical
infrastructure are all being hacked. Notably Equifax, a steward of all
Americans' most valuable information, was compromised in trivial fashion.

Our peers working at Google, Facebook, Twitter, etc are being attacked nonstop
by foreign actors and they are rightfully being held to account by congress.
But in my opinion the social networks are secondary compared to the primary
infrastructure that honestly does not have access to the best talent and should be
aided by NSA.

~~~
someguydave
Yeah but think about it - imagine government employees shift their entire
focus onto "securing US networks". What would they do, exactly? Build their
own open-source chip designs from scratch? Because that's pretty much step
one.

~~~
peoplewindow
Do the same bug hunting they do now, but send all the exploits back to the
vendors.

Do more work like SELinux.

There's lots they can do.

------
badrabbit
In any military force, turning your weapon against your own people is worse
than being a traitor, running from battle in cowardice or surrendering to the
enemy.

Their continued attack (yes, using malware and implants against someone is an
attack) against their own people is in my opinion completely shameful and
unpatriotic.

As someone who has no intention of breaking any law or of harming the United
States, it is simply not ok for me to have to include my government as part of
any threat model or as a potential attacker.

~~~
ethbro
This would be your personal opinion, given that the militaries of the US, the
UK, China, Russia, Vietnam, Korea, Japan, Mexico, Spain, etc. (probably easier
to name those that haven't) have officially performed such actions, with the
soldiers in question receiving official honors and rewards?

~~~
Zelphyr
Just because a lot of countries have done it doesn't make it any less
shameful.

~~~
ethbro
It does mean it's not universally held to be shameful.

~~~
pm90
I don't think that's the case either. It's more of a "ain't broken so why
fix it" problem which hasn't affected people on a personal level just yet, so
it isn't regulated as much.

It's astonishing to me that in the US it requires a court order to tap
someone's phone and yet the NSA collects and analyzes the online data of US
citizens...

~~~
ethbro
No, I mean it _literally_ isn't universally shameful. In that in most
countries obeying an order to fire on civilians, or doing so because you
believe your life is in danger, will not result in penalties. Because "it's
what you do" or "us against them" from some perspectives.

See the response to Kent State [1], in which all legal attempts to hold the
guardsmen who opened fire responsible failed.

[1]
[https://en.wikipedia.org/wiki/Kent_State_shootings#Legal_act...](https://en.wikipedia.org/wiki/Kent_State_shootings#Legal_action)

------
mnm1
Great. I hope this continues. The more the NSA has problems, the better off
the rest of us are. It's unlikely the institution is even lawful--
its practices certainly aren't. At the very least, it proves that the
government cannot itself keep secrets, so it really needs to shut up about
trying to put backdoors into software when it can't protect its own most vital
software assets from leaking. I guarantee if Android or iOS had such
government mandated backdoors, the keys would leak in under a year. I simply
don't see a reason for the NSA to exist, but as long as it exists, I hope its
mission of spying on Americans under the disguise of being an international
spy agency is thwarted in any way. Unfortunately, I wouldn't be surprised if
these leaks were intentional. With the current administration's relationship
to Russia, this would hardly be surprising. Instead of a 'shadow war' with
Russia, a 'shadow alliance,' at this point is just as likely. Regardless, the
NSA shouldn't be stockpiling such software, but once again, since there are
absolutely no repercussions for them doing so, they are allowed to do so
leading to disastrous consequences.

~~~
ENOTTY
There are plenty of vital secrets that haven't leaked for decades. Why do you
exclude those examples from your reasoning?

~~~
saalweachter
Name one.

------
nikcub
AFAIK Jake Williams didn't get singled out because he only "wrote a blog post"
about Shadow Brokers - it was because he was involved in a Twitter based
dispute with Shadow Brokers.

Somebody created a fake Twitter account and were sending all sorts of tweets
to the Shadow Brokers, someone who was either in the IC or formerly in the IC.

This is why the Shadow Brokers outed him in this post[0]

> TheShadowBrokers is having special invitation message for “doctor” person
> theshadowbrokers is meeting on Twitter. “Doctor” person is writing ugly
> tweets to theshadowbrokers not unusual but “doctor” person is living in
> Hawaii and is sounding knowledgeable about theequationgroup.

> Then “doctor” person is deleting ugly tweets, maybe too much drinking and
> tweeting? Is very strange, so theshadowbrokers is doing some digging.
> TheShadowBrokers is thinking “doctor” person is former EquationGroup
> developer who built many tools and hacked organization in China.

> TheShadowBrokers is thinking “doctor” person is co-founder of new security
> company and is having much venture capital.

It was easy for everyone on Twitter to figure out who he/she/they were
referring to. I think this is important context - Shadow Brokers aren't just
outing random operatives, they're flexing their access and abilities when
being prompted to.

I also wonder if this wasn't part of a plan to bring the Shadow Brokers out of
their shell a little - coax them into revealing a little more about themselves
than the usual document and software dumps - which would require the NSA to
spend money to get a picture of what tools are available.

Jake says to the NYTimes that he isn't working with the NSA - but he'd also
say this if he _were_ working with the NSA to get a little more out of Shadow
Brokers.

I've never bought the theory that Shadow Brokers is Russia, or that it was
Harold T Martin (or stolen from him). I think the Jake Williams incident lends
further credibility to the theory that it is a former TAO or NSA employee.

The fake Russian style writing of the Shadow Brokers isn't ordinary bad
English Russian (which has a number of characteristics that aren't reflected
in how Shadow Brokers write). As the article mentions, there are also far too
many cultural and infosec "inside baseball" references in the writing of
Shadow Brokers for it to not be someone who is either familiar with the
community or part of it.

I also don't recall Russian ops having OPSEC this good - to the point where
they can't be identified or linked. The good OPSEC suggests the person/people
behind the Shadow Brokers are familiar with what the NSA are capable of, and
what they're not. Most Russian and Chinese ops are usually linked one way or
another back to them as they're less concerned about OPSEC as they have the
operational advantage of not fearing arrest or extradition.

Differences between SB and Fancy Bear or Russian ops: bad security practices
(not locking down bitly) vs good, using clearnet domains[1] emails[3] vs
steemit and onions, using VPNs rather than Tor, the use of Bitcoin vs
Monero/Zcash, speaking only (broken) English vs either plain English or
Russian[2], financial motive vs political motive, etc.

It feels like someone upset with the NSA, who knows the organization very well
and is also motivated financially - but I wouldn't attribute greater than
50-60% certainty to any theory at the moment. If the Shadow Brokers go on to
never be identified it would really be an incredible situation.

[0]
[https://steemit.com/shadowbrokers/@theshadowbrokers/theshado...](https://steemit.com/shadowbrokers/@theshadowbrokers/theshadowbrokers-monthly-dump-service-july-2017)

[1] [https://www.secureworks.com/research/threat-group-4127-targe...](https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign)

[2] [https://www.fireeye.com/blog/threat-research/2014/10/apt28-a...](https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html)

[3] [https://www.threatconnect.com/blog/fancy-bear-anti-doping-ag...](https://www.threatconnect.com/blog/fancy-bear-anti-doping-agency-phishing/)

~~~
zby
> I also don't recall Russian ops having OPSEC this good

Survival bias

~~~
peoplewindow
Yeah? The Shadow Brokers themselves state flat out that they're former USG
employees. The NY Times has - yet again - attempted to manipulate readers into
believing the Brokers have admitted to being Russian, quoting something that
is obviously a joke to try and do so.

Here's what the Shadow Brokers themselves _actually_ say about their origins:

[https://steemit.com/shadowbrokers/@theshadowbrokers/grammer-...](https://steemit.com/shadowbrokers/@theshadowbrokers/grammer-critics-information-vs-knowledge)

 _TheShadowBrokers shaking heads at arrogant pretentiousness of grammar
critics._

 _Liberal Ivory Tower Logical Fallacies:_

 _A) Deliver Method of Content (Spelling /Grammer/Profanity) = Content is
invalid_

 _B) Only Explanation of Spelling /Grammar/Profanity = Inadequate Education_

 _The ShadowBrokers is writing TRADOC, Position Pieces, White Papers, Wiki
pages, etc for USG. If theshadowbrokers be using own voices, theshadowbrokers
be writing peoples from prison or dead. TheShadowBrokers is practicing
obfuscation as part of operational security (OPSEC). Is being a spy thing. Is
being the difference between a contractor tech support guy posing as a infosec
expert but living in exile in Russia (yes @snowden) and subject matter experts
in Cyber Intelligence like theshadowbrokers. TheShadowBrokers has being
operating in country for many months now and USG is still not having fucking
clue. Guessing so called global surveillance is not being as good as @snowden
is claiming?_

Edit: the whole Steemit is really worth a read. The rants here are truly epic.
It's just implausible that this is the work of a government - why would
government employees spend so much time writing such long political rants on
Steemit where approx ~nobody will ever see them except Q Branch and occasional
journalists? It serves no obvious political or espionage related purpose.
Whoever is writing these things seems to be someone who has a lot of hatred
and anger for the political system and wants to get it out. It sounds a lot
like the rantings of a lot of the self-proclaimed libertarians you find in the
Bitcoin community:

 _is funny thing about being rich, powerful, and in control, it comes with
dirty deeds and many skeletons. Violence begets violence but leaks, dumps,
hacks brings evil and corruption into the light. No more secrets. Secrets
Equal Control. Secrets between peoples, spouses, partners, friends, ok two
peoples might be having some problems. But secrets between government and
governed, governed is getting fucked. Secrets between corporations and
peoples, peoples is getting fucked. Why do corporation deserved privacy? FUCK
SCOTUS!!! CORPORATION ARE NOT PEOPLE YOU FUCKING OVER EDUCATED OVER THINKING
CORRUPT RETARDS._

 _No more classifying bullshit. No more black budgets and black ops. If we
can't be surviving and prospering without dirty little secrets, operating in full
daylight, then maybe we don't deserving to being surviving. This being time to
standing up. Standing up against more wars. Standing up to globalist
controllers. Eliminating career politicians. Eliminating money and lobbyist.
Policing corporate and special interest. Investing in ourselves. Investing in
all our children._

~~~
saas_co_de
> Yeah? The Shadow Brokers themselves state flat out that they're former USG
> employees.

But why would you take lying criminals at their word?

TSB started out pretending to be criminals who wanted money, which nobody
bought, and so they switched to pretending to be a Snowden/Assange caricature.

The one objective that TSB has actually delivered on is attacking the NSA.
Everything else is obfuscation.

~~~
peoplewindow
Why would you not? You have no evidence they're lying, you're just assuming
they are because you prefer the alternative explanations. You certainly have
nothing to suggest they're Russian and there's plenty of reasons to believe
that they're probably not.

 _TSB started out pretending to be criminals who wanted money, which nobody
bought_

Their attempt to auction the exploits was one of the most fascinating aspects
of the whole tale because it was verifiably a failure - we don't have to take
their word for it. They published a Bitcoin address and nobody sent them
enough money to reach their min threshold, if I recall correctly. At least,
I'm sure they were using Bitcoin with a static wallet address to do the sale.

 _so they switched to pretending to be a Snowden/Assange caricature._

TSB's personality has been consistent throughout. They aren't pretending to be
a Snowden/Assange caricature. Their writing makes it quite clear they seem to
have a serious grudge or dislike for Snowden specifically.

~~~
saas_co_de
> You certainly have nothing to suggest they're Russian

I don't think they are Russian. It makes no sense for a state actor like China
or Russia to penetrate the NSA and then disclose it. When they disclose it
they lose the ability to exploit it.

Even if the NSA had already closed all the holes, which we can guess they
didn't because of Microsoft patching them after the leaks, a state level actor
would still not show their hand because keeping your opponents in the dark is
more disruptive to their operations, and showing your hand has the potential
to reveal your own methods.

Whoever it is is specifically focused on attacking, disrupting and
discrediting the NSA. They are not making money off it (even though the op has
to be expensive) and they are not exploiting it for intelligence advantage.

I don't believe it is a Snowden type for the reasons I mentioned and because
the op seems way too complex and long running for any individual or group to
pull off for ideological reasons.

I would tend to believe that it is not a leaker or it was a one time leak to a
third party who is now running the operation.

The NSA knows everyone who worked for them, and who had access to what, and I
am sure they are watching every single one of those people so the only
plausible way it could be a leaker is if the NSA can't connect the leaker to
whatever individual(s) are running the online campaign.

The problem with a long running op like this is that all internet access can
be traced back eventually. Every time you post online, even if you are going
to really extraordinary measures, you are leaving a trail that will eventually
converge on your location. That means you have to stay on the move. But travel
is also observable and so moving all the time will eventually create a pattern
that allows you to be identified.

It is some real Jason Bourne type shit.

It could just be some relatively crazy individual who is playing a high stakes
spy game for fun.

There are a couple of examples of criminals who engaged in robberies based on
the movie Heat, which seems bizarre, but it happens.

[http://en.wikipedia.org/wiki/North_Hollywood_shootout](http://en.wikipedia.org/wiki/North_Hollywood_shootout)
[https://www.theguardian.com/world/2001/mar/24/gilestremlett](https://www.theguardian.com/world/2001/mar/24/gilestremlett)

The European team that was obsessed with the movie and based their operations
on it pulled off some of the biggest armed robberies in history.

------
appleflaxen
The biggest indictment of the NSA is the fact that there has been no visible
internal dissent after Snowden regarding mass surveillance.

Their willingness to overlook the constitution because it's inconvenient is a
far bigger problem than leaks, IMO.

~~~
godzillabrennus
I believe this is the underlying cause of their security issues. People
involved cannot voice their dissent so they act it out.

The NSA and CIA are institutions established to protect a nation that abides
by the rule of law.

When the rule of law is brushed aside the people who are part of that system
rebel.

~~~
JumpCrisscross
I very frankly believe one of the more patriotic things an American with the
ability can do is emulate Snowden, _i.e._ infiltrate and expose the NSA’s
domestic surveillance programs.

~~~
wolf550e
But it's not patriotic to give NSA tools to the Russians, to hurt the ability
of the NSA to spy on Russia.

~~~
ionised
Who gave NSA tools to the Russians?

~~~
wolf550e
Presumably, a traitor within the NSA or a contractor.

See: [https://medium.com/@thegrugq/the-great-cyber-game-commentary...](https://medium.com/@thegrugq/the-great-cyber-game-commentary-3f821f0db749)

------
meowface
I wonder why there don't seem to be leaks like these at other superpowers'
intelligence/security organizations, like China's and Russia's? Is it the
threat of torture/execution (and perhaps the same being done to their family)?
Heightened fears due to stronger monitoring of employees? Or genuine loyalty /
indoctrination?

~~~
belorn
I believe part of it must be due to basic economics. It is only worth leaking
information if the individual believes that the benefit outweighs the costs (ie,
chance of positive outcome vs risk of negative outcome). If the political
environment is one where a leak would have minimal impact, then the leaker has
less incentive to leak.

Is it likely that a leak would impact the Russian election? Could a leak cause
the Communist Party of China to be voted out of office? How likely is it that
a leak would not simply be suppressed, but rather cause a change in the
political direction?

Leaks in the US have a history of causing real change. That could be the
biggest reason why we don't see many leaks from other superpowers'
intelligence organizations.

~~~
gspetr
> Is it likely that a leak would impact the Russian election?

I'm Russian and Russia is more unstable than many believe. This alone[0] is
likely the reason P. postponed his equivalent of the State of the Union
speech, which was unheard of before.

[0] [http://russia-insider.com/en/politics/us-senate-attempts-inc...](http://russia-insider.com/en/politics/us-senate-attempts-incite-oligarch-rebellion-against-putin/ri20264)

There is also the fact that P. has still not announced that he will run, and
in this case silence is deafening. It means that there is a very severe
conflict behind the scenes - the ruling elites have not agreed whether he
should run or someone else should run as his successor that will guarantee his
personal safety and not let him get the Milosevic treatment in Hague for the
events in Ukraine.

------
SomeStupidPoint
> Some veteran intelligence officials believe a lopsided focus on offensive
> cyberweapons and hacking tools has, for years, left American cyberdefense
> dangerously porous.

> “We have had a train wreck coming,” said Mike McConnell, the former N.S.A.
> director and national intelligence director. “We should have ratcheted up
> the defense parts significantly.”

Yes, I think many have said this for years. I'm glad someone high-up went on
record.

I'm not against what the TAO does, but the NSA (and more broadly, the US
government) has massively failed to develop defensive capabilities.

I hope the NSA will use this as a moment of introspection, and up their
defensive work -- particularly opensource collaborations and research. (The
IAD github page[0] is _awesome_ in this regard; as are things like SELinux. On
the research side, things like HoTT as a basis for verified software; which
has some DoD funding, but would be so much more if NSA researchers
collaborated.)

I get that attacking things is cool -- but we really need help defending the
national infrastructure against constant assault. It's in rough shape. I hope
the people at the NSA -- particularly those commissioned -- will reflect on
_why_ they're there, and take the stance that the safety of the nation is
paramount. Then work towards that, as I know they're more than capable of.

[0] [https://github.com/iadgov](https://github.com/iadgov)

------
snowpanda
It's interesting to see the complete lack of self-reflection on Jake Williams'
part.

“I felt like I’d been kicked in the gut."

This is how a lot of people felt after the Snowden leaks.

“Every time it happens, you essentially have to start over.”

This goes both ways too. Every time something is compromised by the NSA, we
have to start encrypting yet another part of our lives.

“It’s embarrassing that the people responsible for this have not been brought
to justice.”

Again, both ways. Why has the NSA not been brought to justice? Closed courts
and hiding behind the "national security" argument comes to mind.

~~~
techsupporter
> It's interesting to see the complete lack of self-reflection on Jake
> Williams' part.

At the risk of putting words in his mouth, but based on chats I've had with
people who do this kind of work: Mr Williams probably sees what he does as
righteous, legal, and noble while The Others he rails against are evil,
immoral, and unlawful. It's not self-reflection because he thinks he was in
the right and those other people are not.

------
sebcat
> The agency regarded as the world’s leader in breaking into adversaries’
> computer networks failed to protect its own.

Those are two very different things. Focusing on one of them doesn't
automatically benefit your efforts on the other.

~~~
kevin_thibedeau
NSA is also responsible for establishing computer security practices for the
rest of the government to follow. That they don't eat their own dogfood is
damning.

~~~
meowface
They do typically eat their own dogfood when it comes to the security
practices they propose. Dual_EC_DRBG is the big exception, but it's generally
considered that most of the rest of their cryptographic standards are secure
and suitable for public and government use.

There are likely many conflicting departments and teams within NSA. Many are
probably trying to fight for the public's security and have for years, with
cryptographers earnestly trying to develop secure and efficient algorithms.
They are probably at odds with the other forces in the organization that seek
to play the espionage game, even if it puts the country at risk.

~~~
retailbuyout
> Many are probably trying to fight for the public's security and have for
> years, with cryptographers earnestly trying to develop secure and efficient
> algorithms. They are probably at odds with the other forces in the
> organization that seek to play the espionage game, even if it puts the
> country at risk.

Directly at odds. I don’t believe you should encourage anyone to trust known
espionage. If it’s good advice, someone else will say it too you can trust
independently.

------
none_to_remain
"Rendition Infosec" - give me a break, you were a peeping tom secret
policeman, not a kidnapping secret policeman.

~~~
Wonnk13
I love how he refers to himself as an "operator" - like he's going downrange
with SEALs or some shit.

~~~
walshemj
A quick google finds it's a compromise worthy of the laundry file

"We settled on the name ‘operator’ to designate an operational member of the
unit (as opposed to a member of the support staff) due to some legal and
political situations. We couldn’t use ‘operative’ because that name had
certain espionage connotations from the CIA. The term ‘agent’ had some legal
issues. An agent carries a legal commission to perform certain duties and a
governmental authority empowered by a state or federal constitution issues
that commission. In our case, we would perform our duties under the authority
of the federal government as administered by the Department of Defense and the
Department of the Army. But in the military, only officers carry legal
commissions from the President and are confirmed by Congress. Sergeants, who
are noncommissioned officers, are authorized to perform their duties by virtue
of appointment by the Secretary of the Army. Sergeants therefore cannot be
agents of the government. And since almost every operational member of Delta
Force is a sergeant, we needed to choose a different name for ourselves.
Hence, operator. If that sounds sort of convoluted, it’s because it is. But if
you work for any governmental entity, it will make perfect sense to you."

~~~
nyolfen
this sounds more like a joke about government bureaucracy than anything. it
seems much more likely that it's simply derived from 'special operations'.

~~~
walshemj
I have worked for an ex civil service bureaucracy and names and grades still
had serious social and prestige

------
larkeith
Cause for celebration for all who support privacy and security.

~~~
mirimir
I get the sentiment. But now the tools are available to more criminals. And
that's hardly good, is it?

~~~
FooHentai
Yes, it's great. Public availability of these tools means the exploits they
leverage will be swiftly mitigated. They will be of no use to criminals,
outside of the narrow window between disclosure and mitigation.

Had the NSA acted with integrity and disclosed these vulnerabilities rather
than hoarding them, that window would be even smaller.

------
feelin_googley
"Antivirus is the ultimate back door," Blake Darche, a former N.S.A. operator
and co-founder of Area 1 Security. "It provides consistent, reliable and
remote access that can be used for any purpose, from launching a destructive
attack to conducting espionage on thousands or even millions of users."

Humble opinion: s/Antivirus/Automatic updates/

Perhaps antivirus were in fact an early experiment to test the feasibility of
automatic software updates.

I recall many years ago, pre-smartphone, users being advised to leave their
computers online 24/7 "so antivirus could download updates". Yikes.

------
jhiska
Proves that no computer network can be secured, and is specially interesting
given that the _entire US military_ is moving to operate as a giant computer
network where everyone is a node in the system.

They're setting themselves up for a hack so devastating that it will bring
down their own country.

~~~
SmooL
I think that it proves that it's _difficult_ to secure a computer network, not
that it's impossible.

------
saas_co_de
This is something I have been wondering about: how did both the CIA and NSA
have their toolkits leaked within months of each other?

Either one of these agencies suffering such a major security breach would be
extraordinary but both at the same time is unprecedented.

~~~
Scipio_Afri
I would guess that their cyber offensive operation computers, which if I were
to design from a systems level their IT department probably is distinct from
other parts of their network, is different than their intelligence gathering
and storing methods because sources and methods are the most tightly held
secrets of any intelligence agency.

Plus you probably don't want your computers that you're using for offensive
operations to look any different than a normal computer on the internet.. so
my guess is that there was an exploit of an offensive computer somehow
through that back to a secured network where those tools were developed and
deployed... probably through the method of remote command and control.

I'm surprised they haven't found the method of infiltration yet. But my guess
is they should seriously look into unknown vulnerabilities. But it's also true
(if Wikipedia is to be believed) that agencies work together in joint
operations. In that case it would only take one rogue agent to get physical
access to leaking materials that would affect both agencies if they were part
of the joint operations.

~~~
retailbuyout
A) this doesn’t require a rogue agent, just an insecure one. B) you just need
the same attack to work twice; less extraordinary than an uncorrelated
coincidence C) possibly some might have access to both. I think this is
unlikely, but again, less unlikely than an uncorrelated coincidence.

------
floofyfloofer
Has anyone done a TCO of the NSA? Like, if the NSA takes $X bn / year to run,
and has $Y bn / year in negative externalities for US companies by leaking
their malware, then just how much have they cost the US economy?

------
c3534l
> N.S.A. employees have been subjected to polygraphs

Oh, good to see an organization entrusted with an unconstitutional amount of
data on Americans is defending against those threats with rank pseudoscience.
Maybe they should hire a psychic to find that mole of theirs.

~~~
Sebguer
Realistically, they probably have.

------
cm2187
I like to think of malware and security vulnerabilities as biological weapons.
They have in common that if you lose control of them, they become very hard to
control and will indiscriminately hurt your own population and the enemy.

------
yeukhon
This is a tricky industry. NSA hires a lot of folks from the underground
world. The problem is most of these folks do not pledge any allegiances - not
that it really matters, as we have seen many of the leaks from the past 6-7
years are leaked by U.S. citizens. But the fact NSA is hiring freelancers to
do the work should be an alarm when it comes to "national security" as NSA
claims its mission. I am sure NSA does have a vetting, but how much? How good
is the vetting? Is there a post-work surveillance? We don't know.

------
audiometry
That ex-NSA guy calling his company "Rendition Infosec" -- how disgusting.
Gives insight to his character.

------
pdimitar
Whoever is hitting NSA is doing it expertly.

What I managed to extract from the article (do point out any flaws, I am open
to them and I am just trying to do some mini-analysis here without taking
sides):

- The attackers understand that warning the wide public will net zero
results, now and centuries in the future. Homo Sapiens hasn't evolved enough
of a collective conscience to actually act on revelations such as Snowden's,
that's the historically obvious fact. Even the words of the biggest security
experts like Schneier fall on deaf ears either because the politicians are
better at rhetoric or because the public is too busy posting their food
pictures on Instagram, or (as I believe) a mix of both. So they opted for the
nuclear approach: release the hacking tools and _demonstrate practically_ to
the world the dangers of these hidden-under-the-table hacking tools. And now
many more business people and politicians pay more attention than before. This
is a sound psychological attack technique. Demonstrate that your opponent's
claims for doing the best for the populace are not holding to reality. Even
though I find this immoral and potentially dangerous IMO none of us can deny
the devastating results to NSA's reputation.

- Spread FUD and never share anything truly revealing. They use language
fuzzing techniques, occasionally engage in political debates without clarifying
which side they ally with (saying they are on Trump's side means nothing), use
both old and new hacking tools and other files, use vague speak to shift
suspicion to former NSA employees or contractors (I imagine this is done so
they exhaust the agency while it tries to plug yet another leak which might as
well be imaginary -- but they can't risk it and the attackers know it) -- all
of these tarnish the image of the NSA _and_ force them to work extra to try
and find moles, fix bugs in their own defense systems, go on internal witch
hunts, double down on efforts to find the remote hackers, compartmentalize
their physical and virtual clearance levels, etc. As mentioned in the
parentheses, the attackers seem to aim to exhaust the agency and IMO it's
working -- although none of us keyboard warriors in HN can know for sure of
course.

- Have time work for you. The fact that Shadow Brokers are hunted by a lot of
law-enforcement agencies for like what, 15 months now? -- is projecting a
clear image to the world that these agencies aren't as ubiquitous as they
would want us to think. This probably encourages other people to try and hit
other (or same) agencies all over the world. Not sure if that is good or bad
-- opponents of this approach might say it will lead to anarchy and chaos but
in my opinion (partially founded by rudimentary knowledge of chaos theory and
game theory) the living systems like ours have plenty of emergency levers to
pull them back into a more balanced state. It's 50/50 though, I don't claim
anything either way. In any case though, the agencies' inability to catch
these people makes the wide public lose confidence in them.

----

Please note I am not taking sides here. I do believe NSA does a lot of
unethical things and should be held much more accountable than it is right
now, but I am uncertain if what Shadow Brokers is doing is the right way to
achieve that result. It might as well make NSA and friends become even more
paranoid and actually become much better and more subtle in its mass
surveillance... which is a loss for everybody but them.

Oh well, time will tell. In any case, this is interesting news and development
and I am slightly pleased that the intelligence agencies get some run for
their money. And slightly terrified of the possible consequences.

------
dmitrygr
Good. Working as intended. They could use some slowing and shaking.

> calling into question [..] its very value to national security

Its what now?

~~~
jhiska
When Americans rejoice that their own institutions are failing... it speaks to
how they view their own government as an enemy.

What are elections for in a representative democracy if the people elected
don't represent the majority?

~~~
marssaxman
America would like to become a representative democracy when it grows up, but
it has a long way to go yet.

------
a-dub
This is why friends don't let friends run Windows. It's not that hard.

~~~
ilikeATMs
More than one exploit released by the shadow brokers was specifically targeted
at Linux/Unix/Cisco and other operating systems... It's naive to think that
other operating systems are somehow invulnerable to nation-state attackers.

~~~
a-dub
Yes but at least with open source software, you have a fighting chance of
knowing what you're running.

What's the open source equivalent of DUAL_EC_DRBG or Kaspersky Anti-Virus?

------
bitmapbrother
The NSA are habitual liars. Of course this is what they want you to believe.
It makes their job easier.

------
yuhong
My favorite is how NSA is funded by government debt, which is their way of
printing money. This is also true for the FBI too with the scare against
encryption. One of the reasons we got off the gold standard decades ago was
military spending.

~~~
retailbuyout
Currency is just printed debt. What’s your point?

~~~
yuhong
The point is that the debt can increase forever since we got off gold.

~~~
retailbuyout
This isn’t necessarily hard or bad, though. If I take $100 and loan it to my
neighbor, the debt appears from nowhere. Heck, theoretically, he could loan it
right back under different terms and create more debt. Debt isn’t necessarily
bad—the fear is you’re building on jenga blocks, not that some guy is going to
show up with a wrench.

~~~
yuhong
In this case we are talking about government debt though. Congress does have
some control over it with "appropriations" I think.

------
leeoniya
> "The fundamental purpose of intelligence is to be able to effectively
> penetrate our adversaries in order to gather vital intelligence. By its very
> nature, that only works if secrecy is maintained and our codes are
> protected."

lol "codes"

~~~
saltcured
When I was roaming the halls of UC Berkeley 25 years ago, the use of countable
"codes" was idiomatic in the numerical computing sphere at the intersection of
computer science, mathematics, and parallel computing. A code was more or less
a program or application. A frequently linked idiom was "kernel" to refer to
the inner-loop of a particular numerical simulation, generalizing a "filter
kernel" (matrix of coefficients) in signal processing/convolution.

I have heard similar usage from academics working in various US national labs,
so it was not confined to a single coffee klatch. Some of the professors and
postdocs using it back then are probably lab directors and program managers by
now. I can easily imagine that this usage would be widespread among academic
and federal lab computing environments. Like many kinds of jargon, it is both
more precise in its meaning when used properly, but also what you might
consider a "dog whistle" used for virtue signaling.

