
NSA director finally greets Defcon hackers - khakimov
http://news.cnet.com/8301-1009_3-57481689-83/nsa-director-finally-greets-defcon-hackers/
======
mindcrime
IMO, when the director of the NSA goes on-stage at DEFCON and the result is
anything other than tomatoes being thrown and him being booed off the stage,
something is wrong.

While it is true that hackers are not a single minded collective, and some
hackers may have sympathy for the NSA, I'd hope that most hackers would see
the NSA as what it is: just one more head of the Medusa that is the US
government, in all its civil liberty infringing, experimenting on its own
citizens program, illegal wiretapping, constitution ignoring glory. The NSA
are _not_ - so far as I'm concerned - the "good guys." Some individuals in
the NSA may be "good guys" but the agency is just a tool of a government that
is out of control.

"We don't keep files on every American citizen" Yeah, right... this guy would
have had more credibility if he'd just said

"Yeah, of course we do. You know it, we know it, so why beat around the bush."

~~~
sliverstorm
_I'd hope that most hackers would see the NSA as what it is: just one more
head of the Medusa that is the US government, in all its civil liberty
infringing, experimenting on its own citizens program, illegal wiretapping,
constitution ignoring glory._

The NSA does some questionable stuff, but it also does some awesome stuff. The
first thing that comes to mind is SELinux.

On a tangent, don't forget that we _need_ an organization like the NSA (or at
least like what the NSA should be). The more ubiquitous computing becomes, the
more important that role will become. So, don't advocate chopping off a head
of the Medusa; advocate fixing what you see as wrong.

~~~
davidhollander
> don't forget that we need an organization like the NSA

For those of us who have already forgotten or have never known the reason for
its necessity, could you explain why? Internationally and historically,
similar levels of state communications monitoring are correlated with the need
for self-preservation by authoritarian regimes. There are also many modern day
states which do not possess an agency directly analogous to the NSA.

~~~
sliverstorm
I believe that cyber-warfare, while fanciful-sounding in name, is going to be
a part of the future whether we like it or not. In which case, the NSA seems
the best positioned to conduct the USA's end of it.

~~~
davidhollander
If this is a justified belief rather than a faith-based belief, you'll need to
offer a refutation of Thomas Rid's "Cyber War Will Not Take Place", which
holds that cyber-war is contradictory because acts of cyber-war do not fulfill
the definition of acts of war:
<http://www.tandfonline.com/doi/pdf/10.1080/01402390.2011.608939>

~~~
sliverstorm
Ok, so cyber-warfare is a shitty word. I know that, but people understand what
it refers to, which is why I used it.

Would you be happier if I said I expect cyber-sabotage, cyber-espionage, and
cyber-subversion to be important parts of future conflicts?

------
mettle
I saw the talk. Much of the talk made the assumption that the hacker community
has the same goals and values of the NSA. This NEEDS to be justified.

This is a hacker community and while not a single minded collective I believe
there are many popular views that are diametrically opposed to some of the
goals of the NSA. He mentioned that he wished the internet would be perfectly
secure and then went on to mention how this would protect American IP laws.
His definition of secure internet does not include values such as censorship
resistance or freedom of expression/information.

He also tried to tell everyone how great it would be if we all had IDS's
that reported back to the NSA in realtime.

We were not allowed to ask questions. They brought up a paper with questions
that must have been determined BEFORE the talk happened which isn't fair to
the attendees.

I wish there was a DEFCON panel to discuss this. Everyone just clapped and
seemed cool with him from my perspective. I'm not against the director talking
at DEFCON, but I don't think we shouldn't be accepting his ideas without more
public criticism and discourse.

~~~
tcoppi
The questions weren't scripted, at least some of them weren't. DT was checking
his Twitter and I saw at least Dave Aitel's one about Cyber Command
growth/size on there.

~~~
ipsin
Even if they weren't scripted, they were mostly softballs, and the talk was
more an introduction than a detailed roadmap.

The most interesting question was about whether the NSA would prefer a
perfectly secure internet or a usefully insecure one (roughly paraphrased).

That's not far from what I wanted to ask: given the offensive value of 0-day
exploits (as seen with Stuxnet, regardless of who actually did it), can
agencies in "Cyber Command" really be trusted to give theirs up via
responsible disclosure?

~~~
lawnchair_larry
Your definition of "responsible" is not the same as everyone else's. Try asking
an actual question, not a question disguised to inject a moral judgment and
re-ignite the disclosure debate that everyone was sick of 20 years ago.

~~~
ipsin
Late to the party, but... you really couldn't find a question in there? Let me
try again.

My definition of "responsible" doesn't matter. I was suggesting that the
government could adopt a policy _it_ considers responsible, rather than just
sitting on the exploits and using them for strategic advantage.

Unless there's a definition of "disclosure" that involves failing to disclose
things to those in a position to fix the problems.

------
derrida
"We don't keep files on every American citizen": depends how you define
'files' and perhaps there is 1 American citizen they don't keep files on, so
not 'every'. But we have on sworn testimony that the NSA keeps all of your
emails [1] & a large chunk of your electronic communications & spies on
American citizens[2][3].

[1]
<https://www.eff.org/files/filenode/att/section1006summary101608.pdf>
See in particular ex-NSA officer William Binney's testimony.

[2] <https://www.eff.org/node/55051>

[3] <https://www.eff.org/deeplinks/2012/03/nsa-chief-denies-ability-warrantlessly-wiretap-despite-evidence>

~~~
Joakal
There's also the aspect about law, allowing warrantless wiretapping of anyone,
or, everyone[1].

[1] <http://www.washingtonpost.com/world/national-security/us-intelligence-collection-initiative-violated-rights-at-least-once-government-says/2012/07/20/gJQAtJjFzW_story.html>

------
sp332
Fabio Pietrosanti pointed out on Twitter
<https://twitter.com/fpietrosanti/status/229113274698981376> "My view from
Italy (without ever crossing US border): DEFCON: NSA is a friendly agency to
work for HOPE: NSA is a unfriendly agency to fight". There was an NSA
whistleblower at HOPE Number Nine barely 2 weeks ago, William Binney. He
detailed some of the abuses there.
<http://www.hopenumbernine.net/speakers/#binney> You can listen to his talk
here <http://www.hopenumbernine.net/schedule/#binney>

------
learc83
I can't believe the director of the NSA (also an Army General) showed up in
bluejeans and a t-shirt. I'm sure it was a PR move, but I still can't believe
it.

~~~
eliasmacpherson
Probably a recruitment drive for the interception center they are building.
That 260 million people statement is pretty stupid, considering Facebook is in
and around 4 times that. How stupid does he think people are?
<http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/>

~~~
nikcub
Not just for the interception center, but they are recruiting the best pen
testers and vulnerability writers since they run the main offensive arm for
the US Government.

Stuxnet was written at the NSA, the other worms were almost certainly
partially written there. The MD5 signature collision attack was almost
certainly developed there. You could imagine that they now have dozens, if not
hundreds of developers working on finding 0day and integrating new exploits
into their attack arsenal of worms.

I suddenly have a handful of friends from the old underground who went from
working openly in the security industry on papers, audits etc. to no longer
talking about who they work for.

I can only put two and two together and conclude that the NSA has been on a
hiring binge the past few years and are hiring all the best security guys
(exploit developers, more specifically).

------
rdl
It was the most condescending speech I've ever witnessed given to adults. It
certainly didn't raise my opinion of the NSA. Once you see the video, you will
agree.

~~~
ipsin
It did seem half-aimed at children. Especially after the corny opening to
introduce one of the Defcon Kids ("help grandpa find his arrow keys", or
whatever he was going for).

Right. Defcon Kids. An actual con within DEFCON sponsored by the NSA and AT&T,
among others. That alone is the creepiest thing I've seen all week, enough so
that the first time I saw the posters I was absolutely sure they were some
kind of vicious parody.

~~~
comex
I think Defcon Kids is awesome - hacking is a very fun skill which, like
programming in general, interested kids should be encouraged to learn.

That said, don't be dishonest. The media should not be calling someone who
discovered they could make time-based events in games happen by changing the
time a "hacking prodigy"[1], and the website of a hacking con, whose others
should know better, should not be saying it "allow[s] for exploit code to run
on servers"[2]. It devalues the real thing :)

[1] <http://www.darkreading.com/blog/231300589/tween-hacker-s-time-travel-trick.html>

[2] <http://www.defconkids.org/?page_id=505>

------
runjake
There's a lot of angry comments, but this is a step in the right direction for
the NSA. Hayden would've never showed. He had a disdain for hacker types and
so-called privacy advocates.

~~~
mcantelon
It's pragmatic to bring one's propaganda to every available avenue and to try
to coopt movements with anti-authoritarian roots.

------
Joakal
There's more said here:
<http://www.abc.net.au/news/2012-07-28/hackers-asked-to-help-us-secure-internet/4160966>

"He held firm that the internet defences could be ramped up without
sacrificing privacy or civil liberties."

However, he seems to be a staunch pro-IP advocate with this statement: "Look
at all the intellectual property we've lost over the past decade,"

He should be asked how does one prevent an idea from being easily copied.
Because, that's the fundamental problem behind criminalising altruistic IP
infringements.

Personally; my hunch is that congress has no idea how to tackle widespread
piracy, even NSA doesn't. There's also many 'cyber' companies that are
complaining about security issues (Decentralised/Centralised attackers such as
Anon/Wikileaks). So, NSA is requested to get into those. One step is a careful
PR spokesperson to recruit (Notably, the clothes and charm). Also, to instil
uncertainty and doubt among hackers.

~~~
jauer
If you watch some of his earlier speeches it is pretty clear that
"intellectual property loss" is code for "Chinese industrial espionage". This
guy doesn't care about your Game of Thrones torrents.

------
bashzor
Only, what has this 10 year old to do with it?

