
Probe of leaked U.S. NSA hacking tools examines operative’s ‘mistake’ - aburan28
http://www.reuters.com/article/us-cyber-nsa-tools-idUSKCN11S2MF
======
M_Grey
This feels like support for something Bernard Ingham said, "Many journalists
have fallen for the conspiracy theory of government. I do assure you that they
would produce more accurate work if they adhered to the cock-up theory."

Then the paranoid part of me wonders if that's the plan. Then the skeptical
part of me says, "Occam's Razor". Then I remember that I'm insignificant in
relation to these issues and I have some tea.

~~~
schizoidboy
This is one of my favorite comments ever. It captures so much. I often find
myself in an infinite loop of "maybe X, but on the other hand Y" and
periodically I just need to `kill -9`... until the next time curiosity forks.

~~~
contingencies
The more general form is known as _Hanlon's razor_: _Never attribute to
malice that which is adequately explained by stupidity_.
[https://en.wikipedia.org/wiki/Hanlon's_razor](https://en.wikipedia.org/wiki/Hanlon's_razor)

~~~
arca_vorago
Which I have pointed out time and time again on HN is a logical fallacy on its
bare face, it's usually wrong, and is not a useful phrase whatsoever in
intellectually honest conversation and should be relegated to the dustbin of
phrases where it belongs.

~~~
kobayashi
In what way is it a logical fallacy?

------
bpchaps
Funny. I reported something similar to Comcast after finding several of their
engineers' home directories on GitHub. SSH keys, usernames, passwords,
scripts, logs, and even code for a DVR machine (no idea). Thankfully Comcast
got the GH account deleted fairly immediately. It just took a public Reddit
post to get in contact with them after their posted routes didn't work.

The person who uploaded them there did government security before joining
Comcast, so it doesn't surprise me even for a second that this was a mistake.
Though, the repo also had updates after his employment there ended.

~~~
mynameislegion
IIRC there are services archiving all GitHub repos. It would be better to just
change all the codes that were leaked.

~~~
daurnimator
Easier said than done when it's the keys for rolled out consumer premises
equipment.

~~~
londons_explore
If you ship hardware to a customer with software installed and don't have the
ability to do automatic security updates on it in 2016, you need to rethink
your strategy.

------
sverige
This entire discussion reminds me why James Jesus Angleton drove himself and
everyone around him nuts with his CIA mole hunt in the '60s and '70s. The
problem with lying and deception as the standard operating procedure for a
government agency is that pretty soon it is the SOP for everyone within the
agency when dealing with others, even those within the agency and the people
they allegedly serve. It becomes a tunnel of lies and speculation from which
there is no escape.

Oh, it starts out great when there are clearly defined sides and reasonable
evidence of loyalty to a particular party. Real victories and losses can be
defined. But it always degrades to this sort of thing after a bit of time and
growth in numbers of players, and no one wins or loses. There is just
confusion, perhaps even for those at the top of the chain.

------
ryanlol
>That person acknowledged the error shortly afterward, they said. But _the NSA
did not inform the companies of the danger when it first discovered the
exposure of the tools_, the sources said. Since the public release of the
tools, the companies involved have issued patches in the systems to protect
them.

~~~
meowface
There are two reasons why I think this could be (very selfishly) sensible from
their perspective:

1. They were probably relying on those exploits quite a bit and had frequent
success with them, in which case totally burning them would have directly
harmed operational capacity.

2. They appear to be huge fans of piggybacking off of other intelligence
agencies' footholds and data ("fourth-party collection").

[http://www.theverge.com/2015/1/17/7629721/nsa-is-pwning-everyone-and-having-a-chuckle-about-it](http://www.theverge.com/2015/1/17/7629721/nsa-is-pwning-everyone-and-having-a-chuckle-about-it)

>Fourth party collection appears so successful that agents of the NSA and GCHQ
have cracked jokes about it in top secret slide decks. In an NSA presentation
titled "fourth party opportunities," the first slide references Daniel Day-
Lewis' infamous "I drink your milkshake"

Another intelligence agency acquiring these exploits would give them
additional "fourth-party opportunities". As long as the US government's
systems were protected against the exploits (were they? no idea), that could
mean keeping them secret still meant more pros than cons for their goals. It
could give them more intel, and maybe give additional insight into the other
nation's goals and interest by who they're targeting.

Pure speculation on my part, though. The real reason could just be regular old
incompetence, and/or internal cover-up of the tool leakage.

~~~
caf
The logical conclusion of that is that they should deliberately leak some of
their best exploits to rival agencies, so I think that argument has to be
flawed.

Furthermore, they can't really keep using them after exposure for the same
reason the Russians didn't _start_ using them: everyone who knows about them
can watch for them being exploited and so gain useful intelligence on their
rivals.

~~~
meowface
>The logical conclusion of that is that they should deliberately leak some of
their best exploits to rival agencies, so I think that argument has to be
flawed

How do we know they don't? Or at least, some of their exploits.

Also, that's not necessarily the only conclusion. This leak could have
been more harmful than no leak, yet thought to be less harmful than publicly
burning every exploit.

>Furthermore, they can't really keep using them after exposure for the same
reason the Russians didn't start using them: everyone who knows about them can
watch for them being exploited and so gain useful intelligence on their
rivals.

True, but they could possibly change them in a way to make them less
detectable.

The Russians could have done the same, but maybe their reason for believing
it'd be helpful for fourth-party collection is that they already had access to
some of Russian intelligence's communications and compromised hosts, devices,
and networks.

Anything could be possible here, though. We're all speculating pretty blindly.

------
zmanian
While the Grugq argues[0] persuasively that avoiding disclosure was a
legitimate strategy, it seems unrealistic to argue that the NSA wanted to
avoid more scrutiny in their moment of political weakness in the months after
the Snowden revelations.

[0] [https://medium.com/@thegrugq/mind-games-international-championship-cc143febb793#.df24tujuk](https://medium.com/@thegrugq/mind-games-international-championship-cc143febb793#.df24tujuk)

------
seomilwaukee
The argument used...

"One reason for suspecting government instead of criminal involvement,
officials said, is that the hackers revealed the NSA tools rather than
immediately selling them."

...is the sort of reasoning a kid might put forth.

Nothing like keeping alive the narrative for justification of war with Russia
while concurrently obfuscating the flawed and open, contractor policy embraced
by US agencies.

------
matt_wulfeck
It seems there's some incompetence involved if somebody "accidentally" leaves
the keys to the kingdom on a server.

------
oyebenny
What are the tools that were leaked?

~~~
RickS
>The files mostly contained installation scripts, configurations for command-
and-control (C&C) servers, and exploits allegedly designed to target routers
and firewalls from American manufacturers including, Cisco, Juniper, and
Fortinet.

[https://thehackernews.com/2016/08/nsa-hacking-tools.html](https://thehackernews.com/2016/08/nsa-hacking-tools.html)

------
martincmartin
_Never attribute to malice that which is adequately explained by stupidity._

[https://en.wikipedia.org/wiki/Hanlon's_razor](https://en.wikipedia.org/wiki/Hanlon's_razor)

~~~
marcosdumay
That's certainly the favorite phrase of malicious people. They just need to
act stupid to get de-facto pardoned.

~~~
marcosdumay
I just wonder what generates so much rejection here.

Yes, I've seen it happen. And yes, I've seen it in person, not only on the
net. No, I don't think it is the case here, because _evidence_ points other
way - not because of this stupid canned thought.

