Security Breach and Spilled Secrets Have Shaken the N.S.A. (nytimes.com)
311 points by sgustard on Nov 12, 2017 | 178 comments


One thing that is not talked about enough with NSA is that if they are capable of leaking some of their most sensitive and powerful tools, then they are also capable of leaking the most sensitive and private information they collect on people. Perhaps this has not yet happened, or perhaps it has (someone will no doubt point out any known incidents here if there are any) but the idea is unnerving.

Maybe my wording is not perfect: "they are capable of leaking". Well, you could argue that NSA didn't leak, it was possibly hacked by an outside actor. I don't think the distinction matters much though in this case. The main point is that they can no longer say "trust us" with a straight face.


Yes, and the corollary to that is that any foreign power that wants to spy on Americans need only focus on a single point of failure... our own security apparatus. It would be much more difficult to develop the data collection, storage, and management of that data on their own. We have paid to do it to ourselves.

Now maybe there are counter espionage methods developed... but the idea that our geopolitical competitors don't have a single other mole as a contractor with Snowden's level of access is no longer (and frankly never was) credible. You could probably make a similar argument about our advertising apparatus.

Never develop a tool/weapon you can't afford to be used against you, because in the long term it will.


I'm surprised this isn't used in privacy arguments more often. Every time governments and politicians suggest tracking everything we do for our safety with the assurance our data is safe, surely it's prudent to point out that if (arguably) the most secret and advanced cyber command in the world can't keep their weapons and secrets safe, what chance do you have?


"Don't worry. We are taking all precautions. It is 100% safe. Only a very few, select personnel will have access to the data."

They will just give the same bullshit answer as always. Sometimes throw in a new phrase ("24/7 guarded datacenter") to pretend they are not vulnerable to obvious risks.


You also forgot the part about how they always say, "Your data is safe, we can't get it without a court/judge's approval." Which means from a FISA court. A closed, secret court no one hears about and no one is there to act as your advocate.


This was covered in a recent Kaspersky paper[1], which I found in [2], where it is termed "fourth-party collection". The PDF gives a more complete description on page 2 (I found the increasing level of separation between collector and receiver to be almost comical).

[1] https://cdn.securelist.com/files/2017/10/Guerrero-Saade-Raiu...

[2] https://news.ycombinator.com/item?id=15663985


It seems like those kinds of more removed scenarios point to a strategic void in compartmentalization.

We (US, Soviet Union, etc) had this figured out in the 60s when we were primarily using human intel. [1] Except the danger that now, instead of walking out with rolls of film covering a few thousand pages, someone can take everything they have access to in < 24 hours.

My only explanation is all those long-won counter-intelligence lessons were thrown out when the Young Turks showed up with their "we can do it all and more via software" ways. Because they delivered (and you've probably seen this in your org) they were excluded from having all the pain-in-the-ass rules applied to them.

It seems our intelligence agencies now look exactly like our commercial software -- more featureful, more agile, less secure, less stable.

[1] https://en.m.wikipedia.org/wiki/T._A._Robertson https://www.cia.gov/library/center-for-the-study-of-intellig... https://www.salon.com/2015/09/26/how_to_explain_the_kgbs_ama...


I can assure you that 'taking' data off these systems is non-trivial -- Snowden was one of the few people with physical access and admin access. Attempting to access a large amount of info in 24H would also set off alarms. There is also no end to the pain-in-the-ass rules.

But the gist of what you are saying is correct, a lot more interconnection, a lot more software, using standard (albeit locked down) desktop operating systems. I think there was a realisation that the ultra-compartmented sharing-via-paper approach was killing effectiveness.

What I haven't seen in any of the SB leaks is evidence of access to core NSA systems via implants or a very trusted source. All the powerpoints could all be individual data spills, collected over time. All the TAO tooling could be stuff that sat on the dev system behind some bastion host, ready to be pushed to staging servers. Personally, I would only let binaries get that far out, but operational exigencies occur, high side operators can be phished, etc.


> What I haven't seen in any of the SB leaks is evidence of access to core NSA systems via implants or a very trusted source.

I doubt the SB are going to willfully release anything so sensitive in a dump.

Don't expose your methods and procedures, compartmentalize your assets and change your behaviour...

The Q Group will probably be more successful using old-school methodologies.


Yeah but Snowden had that level of access simply because he applied for the job, with the full intention of using it to do leaking.


That he was selected for this job is a fault of Congress, for imposing caps on government employee numbers (and salaries), but not contractors, during the greatest period of SIGINT expansion in history (also authorised by Congress), and then outsource their vetting to the cheapest bidder. Oh, and have a President that creates a secret law for side stepping the Constitution.

Of course, given a defective Congress, what should the IC have done? Limit their use of computers? Stop sharing information? Encrypt everything on servers and decrypt client side via special hardware? Have someone watch the admins as if they are all wannabe traitors? Disperse honeypot systems and canary docs everywhere? Tripwire the heck out of every system? Fit explosive collars on systems administrators?

Well, all those things and more have now been contemplated. Everything except 'stop collecting'.


He had that access as he had been working for first the CIA, then the NSA, for five years before he decided to become a whistleblower.


If you go read his story in detail you'll see that he held various jobs, but he applied for a transfer to become a sysadmin specifically (a job downgrade) because he was collecting info to leak by that point, and knew he could access more if he had admin privs.


I have read his story in detail, he hadn't been a systems admin for a few years when he decided to begin copying documents. There wasn't a demotion, he had the same title at two departments. And his decision to become a whistleblower came from what he saw at the new department.


"It seems like those kinds of more removed scenarios point to a strategic void in compartmentalization."

It's on purpose. After 9/11, the intelligence agencies were lambasted for not sharing information. They were told the next one (a) couldn't happen and (b) would be their fault if it did. Lots of other motivations for the expansion in power, too. One side effect of this was compartmentalization was weakened a lot across the board. Over time, the security strength of things such as cross-domain solutions and endpoints had been dropping. The rush to get everything in that could benefit the mission increased that further.

Yeah, they're probably more vulnerable now than they ever were with more information to take with less chance of detection. Government and private sector. Their people like Roger Schell and Brian Snow warned them for a long time. Private contractors warned them. Those such as Aesec, BAE, and Green Hills even built and paid for evaluations of the kind of tech they said they wanted. They just used it less and less with stuff easy to hack being used more and more. In Snowden's case, the level of security was worse than a lot of enterprises with far less money.


To be fair, we were also executing people on the suspicion of treason in the 50s.


Under what basis do you assert that intelligence in the 60s was done primarily using human intelligence?

The full history of intelligence collection during the Cold War has not yet been fully declassified.


> The main point is that they can no longer say "trust us" with a straight face.

If the politics of the last few decades has tried to teach us anything, it's that this is not true. No amount of shaming or obvious shortcomings will ever allow some people to bridge the reality/ideology-gaps in question. You don't see less lying as people are confronted with their lies, you're met with a hurricane of new lies, a Gish Gallop of misinformation, over and over. If all goes truly wrong, then people in power embrace the genuinely Orwellian and start talking about freedom in chains, or peace in war.

Nothing shakes them out of it, and nothing really changes how some people view it. Or at least, nothing so minor as what the future might hold; most people seem to struggle with what's actually happening today, under their noses.


Exfiltration is a problem. It's more difficult to exfil terabytes of individual citizen dossiers than ~2GB of malware, implants, tools, scripts, etc from classified and possibly even SCIF environments.

Or it could be more prosaic than that: Money. The market value of NSA tooling is likely far far higher than the threat assessments of Joe Blow Smith in Hoboken, NJ.


I don't think the concern is Joe Smith. The concern is high level people who can easily be blackmailed. Or even just someone who works in a classified setting. The value of blackmailing a few political elites is extremely powerful and profitable. Or even people in big companies like FAANG.


I don't think any blackmail would be effective at this point. When a man gets accused of molesting a teenager then gets elected to the Senate, I think the potential for blackmail has passed.


Agree, though the only thing that gives me any comfort (and it is the same with google, gmail, facebook, etc) is that the amount of data they collect is nearly impossible to exfiltrate because of its sheer size.


For now!

When storage and network bandwidth increase sufficiently, when we start measuring storage costs in terabytes rather than gigabytes, the sheer size of the data set is no longer going to be a preventative measure against exfiltrating it.

What are the chances that either corporations or 3 letter agencies are going to voluntarily delete their data on you before we reach that point?


Once upon a time movies were too big to download, and now look.


Bandwidth has been increasing very slowly. And I think we will be stuck at 1gbit for a long time (and in many areas: if we ever reach it), just because there is no consumer use for higher bandwidth. Already 4k video resolution is a stretch, most people wouldn’t notice the difference to 1080p on a TV from their couch.

So there will be a need to upgrade wholesale bandwidth just because the internet keeps growing, people are already talking about next gen game consoles to be cloud based (ie the rendering to be made remotely) which will add more traffic. But not 5 orders of magnitude. The amount of data stored by the gmails and facebooks of this world are mind blowing.


Who says attackers must use home or small office connections? Why can't the data be exfiltrated to a top tier data center with excellent peering?


But consumer/corporate demand for bandwidth is what should ultimately drive increase in data center bandwidth.

Another point is defeating monitoring. I am sure the NSA (or Google/Facebook) could not notice 1GB of upload, but I like to think that uploading 1PB of data would make all sorts of red lights flash in their network security control room.


I'm with you that copying all of Google's data is unlikely. It's a serious project for Google itself to significantly move around its own data internally. My point is that very extensive, damaging information could amount to a mere 100TB subset of it and it's not implausible that could be copied in a day at 10 gig/s. Too obvious? How about 100 hosts each pulling 100 meg/s? That's feasible right now. When you really get down to it the datasets I fear being leaked the most are a lot smaller than that.

Most bandwidth is used sending many copies of the same content. Attackers aren't going to be interested in downloading the popular video 100 million times, they're just going to grab the logs which are nowhere near that size, and although large it's not implausible that even the best security teams wouldn't notice until it's too late.

There is no hard rule that the leaks need to come from the same central database either. That is unlikely considering the fact that large scale services are already, and necessarily, distributed. Imagine thousands of attacker hosts receiving from thousands of compromised hosts.


When was that, 1999? That's nearly 20 years ago.


And if it can happen to them, how much more likely will it happen to everyone else who has heaps of data about you?


Maybe, maybe not.

NSA hacking tools can't necessarily be kept privately within their network, because they have to be used to attack targets across the Internet -- they have to be deployed.

By comparison, the data that the NSA collects can presumably be sucked into their airgapped network, where data has a way in but no way out.


Data has to be accessible to be of any use.


Has Snowden or any whistleblower given any indication as to whether such networks are air-gapped, accessible from the internet, etc?


It doesn't even have to be leaked when they are sharing raw data with the Israelis, a country just as active in espionage against the US as China or Russia.


Living in Maryland, I've met several young people who put in a few years at the agency (including TAO) who then left for industry. Millennials don't care about a government pension, especially when you're in a windowless SCIF hacking Perl.

The US Government as a whole has a massive talent retention problem. Only the mediocre will stay at NSA / CIA now and we'll probably see more of these leaks / hacks.


There’s a massive pay disparity between public and private, and those currently in power want to keep it that way and eat away even more at gov functions. That combined without a clear rallying call for public service (like the Cold War or collective pride) are a recipe for disaster.


There is a big pay disparity, but the main thing is that engineers and other technical types have gone from having a big say in how problems get solved to being the problem itself. No amount of pay is going to retain people in those circumstances, except possibly those you don't want to retain.

As far as money is concerned, NSA is way overfunded - it just spends money on the wrong things and wastes lots of resources due to inefficiency.


I'm not even sure it's just pay. The govt is extremely inefficient and bureaucratic. If your thing is writing code, why go to a place like that? You'd spend half your day writing memos and wrangling red tape.


Until this is fixed we'll continue to be reliant on Israeli intelligence.


> The US Government as a whole has a massive talent retention problem. Only the mediocre will stay at NSA / CIA now and we'll probably see more of these leaks / hacks.

The CIA were never noted for being the sharpest of government agencies ...

However, the NSA generally had a very good reputation. The big problem with the NSA is who wants to work in a place where you can't actually talk about what you do?

The primary underlying problem is that sharing and security are fundamentally at odds. If the NSA can't even get it right, what chance does everybody else have?


What the hell are they doing spying on American citizens? The people you’ll attract are the people attracted to abusing said power. Good luck weeding out the creeps; let’s hope only a few die as the result of bureaucratic negligence.


I think they will still have a steady supply of talented people who consider themselves patriots and whose politics align with the NSA and CIA's stated missions. Just because their politics don't agree with yours doesn't necessarily make them 'mediocre', remember.


Wait, they use perl?


Wasn't Perl created for the NSA? At least that's a story I heard. The official JPL reason is a cover.

Or maybe it was created for both. Or neither. Shrug.

Just googled it.. Here's a quote from Larry:

    [...] the NSA project Perl was (indirectly) written to support.
http://www.linuxjournal.com/article/3394

Another one from his 2005 State of the Onion:

> You might say that Perl grew out of the Cold War. I've often told the story about how Perl was invented at a secret lab that was working on a secret NSA project, so I won't repeat that here, since it's no secret

https://www.perl.com/pub/2005/09/22/onion.html


It was for the high-assurance BLACKER VPN:

https://en.wikipedia.org/wiki/Blacker_(security)

Here's the source on that:

http://cahighways.org/wordpress/?p=5460

Another notable aspect of that was it used an early secure kernel, GEMSOS, that is still marketed by Aesec but probably in legacy mode in a bad way. It did resist penetration during NSA certification and time on market, far as what data I have says.

http://aesec.com/


Great links, thanks.


Well mostly Python for scripting. But it might be 2.4 running on RHEL 5 or something silly like that.


Federal pay sucks by design. If you want to work for .gov, you want state/local government.

The Feds want to contract out for anything they can. So you work for Lockheed or whatever and get most of the attributes of government employment.


It sucks by design compared to current markets and our job functional areas. Back in the 70s it was absolutely awesome pay in a region that wasn’t terribly expensive, but when the top n% of intelligence community engineers could easily go to a Big Tech company paying twice or three times as much it’s factors like ideology, mismatch of skills, or family that keep people in these jobs. In many other areas of government jobs, private sector pay is abysmal and the government jobs attract the best and brightest.

In my indirect experience with Lockheed, their pay wasn’t that much better than being federal (they’re still a huge federal contractor and aren’t exactly boutique). It seems like a lot when you’re used to $80-90k as a senior engineer though for years to bump into $110k on a whim (this is without being particularly special or niche, the over-funded “cyber” contracts get anyone that can read and write shellcode $140k+ which is a ton of people at NSA).

The much bigger problem hitting defense as a whole is that smaller contractors that specialized in being nimble and elite are basically being driven out of business due to federal contracting trend shifts post-sequester. Myself and many others have permanently left the IC out of exasperation with contractors now getting oftentimes less than their federal counterparts and a severe drought of technologically interesting contracts that make business sense.


> So you work for Lockheed or whatever and get most of the attributes of government employment.

Right, and the profits flow to a couple people who essentially own the contract. It’s essentially modern day aristocracy, except the contracts are more valuable to farm out to peasants than land is.


> Federal pay sucks by design. If you want to work for .gov, you want state/local government

State and local government employees are paid well? Where? Which ones?


Many state governments pay much better than the Federal government and offer better benefits, and don’t require that you live in the DC crazy corridor. Local governments depend on the locality — big counties and cities pay ok.

It all depends on what is valuable to you.


> Many state governments pay much better than the Federal government and offer better benefits

Not to my knowledge. Which ones for what jobs, do you happen to know?


Public school systems tend to pay well for people who majored in early elementary education, music, kinesiology, etc. But this isn't the same demographic that would work at NSA.


My mom has a master's in education, and after 30 years across two public school systems, she's finally broken $40k salary. Where do you live that public school systems pay well?


In Cincinnati, not a particularly HCOL place, with 30 years and a master's she would have made $77k.

https://www.nctq.org/districtPolicy/contractDatabase/distric...


Is that really "paid well"? 30 years and a masters degree earns you $77K? Could you imagine that offer in SV?


Cost of living is much higher in San Francisco/Sunnyvale vs Cincinnati. I'm saying $77K in an area where you could get a 3 bedroom/2 bath house for under $200K is pretty good, especially if you don't have the skills to compete in the tech realm, which is about the only way you're going to end up paid well in SV.


Presumably England, where 'public' schools are what would be termed 'private' or fee paying schools in the USA ;)


I don't think it's exactly right to say they should have focused on defense. The first mistake was focusing on installing a surveillance apparatus and using fear mongering to sell it politically while giving short shrift to the actual principles justifying the decision. In doing so they lost the moral high ground and opened the door for Snowdens and worse. I'm not saying the NSA has ever been a paragon of ethics, but you've got to have some standards or no amount of vetting is going to be sufficient to suppress everyone's conscience.


I disagree; it's a focus of their existence that appears to be abandoned by the NSA - and that's dearly needed right now.

From the front page of nsa.gov: "Defending our Nation. Securing the Future." The second point from their What we do page - "Defends vital networks". In the opening paragraph of Wikipedia: "The NSA is also tasked with the protection of U.S. communications networks and information systems". Etc.

For all the prestige of the TAO, who claims that the US networks are secure and well defended?

I read the news and see the nation's voting, power, media, and other critical infrastructure are all being hacked. Notably Equifax, a steward of all Americans' most valuable information, was compromised in trivial fashion.

Our peers working at Google, Facebook, Twitter, etc are being attacked nonstop by foreign actors and they are rightfully being held to account by Congress. But in my opinion the social networks are secondary compared to the primary infrastructure that honestly does not have access to the best talent and should be aided by NSA.


Yeah but think about it - imagine government employees shift their entire focus onto "securing US networks". What would they do, exactly? Build their own open-source chip designs from scratch? Because that's pretty much step one.


Do the same bug hunting they do now, but send all the exploits back to the vendors.

Do more work like SELinux.

There's lots they can do.


We are very far from trusted hardware. It's very easy to imagine what they would do - step one is helping American networks use the best practices - use open-source software, keep dependencies up-to-date, have bug bounties to find vulnerabilities in popular frameworks, etc.

Step two would be to consider some shared infrastructure, probably subcontracting with a cloud provider (AWS/Azure/GCP), hopefully multiple. Once we get to that step, then you can start considering things like Google's Titan (https://cloudplatform.googleblog.com/2017/08/Titan-in-depth-...). But there's a lot of low hanging fruit before we get there.


In any military force, turning your weapon against your own people is worse than being a traitor, running from battle in cowardice or surrendering to the enemy.

Their continued attack (yes, using malware and implants against someone is an attack) against their own people is in my opinion completely shameful and unpatriotic.

As someone who has no intention of breaking any law or of harming the United States, it is simply not ok for me to have to include my government as part of any threat model or as a potential attacker.


This would be your personal opinion, given that the militaries of the US, the UK, China, Russia, Vietnam, Korea, Japan, Mexico, Spain, etc. (probably easier to name those that haven't) have officially performed such actions, with the soldiers in question receiving official honors and rewards?


Just because a lot of countries have done it doesn't make it any less shameful.


It does mean it's not universally held to be shameful.


I don't think that's the case either. It's more of a "ain't broken so why fix it" problem which hasn't affected people on a personal level just yet, so it isn't regulated as much.

It's astonishing to me that in the US it requires a court order to tap someone's phone and yet the NSA collects and analyzes the online data of US citizens...


No, I mean it literally isn't universally shameful. In that in most countries obeying an order to fire on civilians, or doing so because you believe your life is in danger, will not result in penalties. Because "it's what you do" or "us against them" from some perspectives.

See the response to Kent State [1], in which all legal attempts to hold the guardsmen who opened fire responsible failed.

[1] https://en.wikipedia.org/wiki/Kent_State_shootings#Legal_act...


Militaries have shame?!?!


Their soldiers shot their own people and received rewards? I find that hard to believe. Or did you mean computer attacks? In communist and authoritarian nations, monitoring what the people are doing is normal (to account for potential dissent), but they would also shoot/imprison their own people over political dissent.

Maybe the U.S. is no better than those nations. Still doesn't make it right. If a soldier does not protect his people and their rights then he becomes nothing more than a henchman for politicians - worse than a traitor.


Tiananmen Square...


I guess that qualifies and makes a good example of an unpatriotic soldier blindly obeying orders.


Great. I hope this continues. The more the NSA has problems, the better off the rest of us are. It's unlikely the institution is even lawful--its practices certainly aren't. At the very least, it proves that the government cannot itself keep secrets, so it really needs to shut up about trying to put backdoors into software when it can't protect its own most vital software assets from leaking. I guarantee if Android or iOS had such government mandated backdoors, the keys would leak in under a year. I simply don't see a reason for the NSA to exist, but as long as it exists, I hope its mission of spying on Americans under the disguise of being an international spy agency is thwarted in any way. Unfortunately, I wouldn't be surprised if these leaks were intentional. With the current administration's relationship to Russia, this would hardly be surprising. Instead of a 'shadow war' with Russia, a 'shadow alliance,' at this point is just as likely. Regardless, the NSA shouldn't be stockpiling such software, but once again, since there are absolutely no repercussions for them doing so, they are allowed to do so leading to disastrous consequences.


Unless “us” is other alphabet agencies competing for the same budget, be realistic. The NSA is not the problem, it’s the attitude, culture, and insane funding of their mission which is the problem. The failure of the agency will not change that, just redirect it.


There are plenty of vital secrets that haven't leaked for decades. Why do you exclude those examples from your reasoning?


Name one.


agreed entirely.

we need to stop thinking of maladaptive institutions as features of society gone askew, but rather as dark patterns that have emerged as a result of historical pressures.

what's the best way to stop a dark pattern at the large scale? trip it up at the small scale, where it can't react with its weight.

leak their information. jam their systems. turn off their water supply. make them show their hand for something that isn't quite worth it.

the shadow war with russia can be brought to peace later-- they know the boundary of the game we play.

for now, we must clean our own house.


AFAIK Jake Williams didn't get singled out because he only "wrote a blog post" about Shadow Brokers - it was because he was involved in a Twitter based dispute with Shadow Brokers.

Somebody created a fake Twitter account and were sending all sorts of tweets to the Shadow Brokers, someone who was either in the IC or formerly in the IC.

This is why the Shadow Brokers outed him in this post[0]

> TheShadowBrokers is having special invitation message for “doctor” person theshadowbrokers is meeting on Twitter. “Doctor” person is writing ugly tweets to theshadowbrokers not unusual but “doctor” person is living in Hawaii and is sounding knowledgeable about theequationgroup.

> Then “doctor” person is deleting ugly tweets, maybe too much drinking and tweeting? Is very strange, so theshadowbrokers is doing some digging. TheShadowBrokers is thinking “doctor” person is former EquationGroup developer who built many tools and hacked organization in China.

> TheShadowBrokers is thinking “doctor” person is co-founder of new security company and is having much venture capital.

It was easy for everyone on Twitter to figure out who he/she/they were referring to. I think this is important context - Shadow Brokers aren't just outing random operatives, they're flexing their access and abilities when being prompted to.

I also wonder if this wasn't part of a plan to bring the Shadow Brokers out of their shell a little - coax them into revealing a little more about themselves than the usual document and software dumps - which would require the NSA to spend money to get a picture of what tools are available.

Jake says to the NYTimes that he isn't working with the NSA - but he'd also say this if he were working with the NSA to get a little more out of Shadow Brokers.

I've never bought the theory that Shadow Brokers is Russia, or that it was Harold T Martin (or stolen from him). I think the Jake Williams incident lends further credibility to the theory that it is a former TAO or NSA employee.

The fake Russian style writing of the Shadow Brokers isn't ordinary bad English Russian (which has a number of characteristics that aren't reflected in how Shadow Brokers write). As the article mentions, there are also far too many cultural and infosec "inside baseball" references in the writing of Shadow Brokers for it to not be someone who is either familiar with the community or part of it.

I also don't recall Russian ops having OPSEC this good - to the point where they can't be identified or linked. The good OPSEC suggests the person/people behind the Shadow Brokers are familiar with what the NSA are capable of, and what they're not. Most Russian and Chinese ops are usually linked one way or another back to them as they're less concerned about OPSEC as they have the operational advantage of not fearing arrest or extradition.

Differences between SB and Fancy Bear or Russian ops: bad security practices (not locking down bitly) vs good, using clearnet domains[1] emails[3] vs steemit and onions, using VPNs rather than Tor, the use of Bitcoin vs Monero/Zcash, speaking only (broken) English vs either plain English or Russian[2], financial motive vs political motive, etc.

It feels like someone upset with the NSA, who knows the organization very well and is also motivated financially - but I wouldn't attribute greater than 50-60% certainty to any theory at the moment. If the Shadow Brokers go on to never be identified it would really be an incredible situation.

[0] https://steemit.com/shadowbrokers/@theshadowbrokers/theshado...

[1] https://www.secureworks.com/research/threat-group-4127-targe...

[2] https://www.fireeye.com/blog/threat-research/2014/10/apt28-a...

[3] https://www.threatconnect.com/blog/fancy-bear-anti-doping-ag...


> I also don't recall Russian ops having OPSEC this good

Survival bias


Yeah? The Shadow Brokers themselves state flat out that they're former USG employees. The NY Times has - yet again - attempted to manipulate readers into believing the Brokers have admitted to being Russian, quoting something that is obviously a joke to try and do so.

Here's what the Shadow Brokers themselves actually say about their origins:

https://steemit.com/shadowbrokers/@theshadowbrokers/grammer-...

TheShadowBrokers shaking heads at arrogant pretentiousness of grammar critics.

Liberal Ivory Tower Logical Fallacies:

A) Deliver Method of Content (Spelling/Grammer/Profanity) = Content is invalid

B) Only Explanation of Spelling/Grammar/Profanity = Inadequate Education

The ShadowBrokers is writing TRADOC, Position Pieces, White Papers, Wiki pages, etc for USG. If theshadowbrokers be using own voices, theshadowbrokers be writing peoples from prison or dead. TheShadowBrokers is practicing obfuscation as part of operational security (OPSEC). Is being a spy thing. Is being the difference between a contractor tech support guy posing as a infosec expert but living in exile in Russia (yes @snowden) and subject matter experts in Cyber Intelligence like theshadowbrokers. TheShadowBrokers has being operating in country for many months now and USG is still not having fucking clue. Guessing so called global surveillance is not being as good as @snowden is claiming?

Edit: the whole Steemit is really worth a read. The rants here are truly epic. It's just implausible that this is the work of a government - why would government employees spend so much time writing such long political rants on Steemit where approx ~nobody will ever see them except Q Branch and occasional journalists? It serves no obvious political or espionage related purpose. Whoever is writing these things seems to be someone who has a lot of hatred and anger for the political system and wants to get it out. It sounds a lot like the rantings of a lot of the self-proclaimed libertarians you find in the Bitcoin community:

is funny thing about being rich, powerful, and in control, it comes with dirty deeds and many skeletons. Violence begets violence but leaks, dumps, hacks brings evil and corruption into the light. No more secrets. Secrets Equal Control. Secrets between peoples, spouses, partners, friends, ok two peoples might be having some problems. But secrets between government and governed, governed is getting fucked. Secrets between corporations and peoples, peoples is getting fucked. Why do corporation deserved privacy? FUCK SCOTUS!!! CORPORATION ARE NOT PEOPLE YOU FUCKING OVER EDUCATED OVER THINKING CORRUPT RETARDS.

No more classifying bullshit. No more black budgets and black ops. If we can't be surviving and prospering without dirty little secrets, operating in full daylight, then maybe we don't deserving to being surviving. This being time to standing up. Standing up against more wars. Standing up to globalist controllers. Eliminating career politicians. Eliminating money and lobbyist. Policing corporate and special interest. Investing in ourselves. Investing in all our children.


> Yeah? The Shadow Brokers themselves state flat out that they're former USG employees.

But why would you take lying criminals at their word?

TSB started out pretending to be criminals who wanted money, which nobody bought, and so they switched to pretending to be a Snowden/Assange caricature.

The one objective that TSB has actually delivered on is attacking the NSA. Everything else is obfuscation.


Why would you not? You have no evidence they're lying, you're just assuming they are because you prefer the alternative explanations. You certainly have nothing to suggest they're Russian and there's plenty of reasons to believe that they're probably not.

> TSB started out pretending to be criminals who wanted money, which nobody bought

Their attempt to auction the exploits was one of the most fascinating aspects of the whole tale because it was verifiably a failure - we don't have to take their word for it. They published a Bitcoin address and nobody sent them enough money to reach their min threshold, if I recall correctly. At least, I'm sure they were using Bitcoin with a static wallet address to do the sale.

> so they switched to pretending to be a Snowden/Assange caricature.

TSB's personality has been consistent throughout. They aren't pretending to be a Snowden/Assange caricature. Their writing makes it quite clear they seem to have a serious grudge or dislike for Snowden specifically.


> You certainly have nothing to suggest they're Russian

I don't think they are Russian. It makes no sense for a state actor like China or Russia to penetrate the NSA and then disclose it. When they disclose it they lose the ability to exploit it.

Even if the NSA had already closed all the holes, which we can guess they didn't because of Microsoft patching them after the leaks, a state level actor would still not show their hand because keeping your opponents in the dark is more disruptive to their operations, and showing your hand has the potential to reveal your own methods.

Whoever it is is specifically focused on attacking, disrupting and discrediting the NSA. They are not making money off it (even though the op has to be expensive) and they are not exploiting it for intelligence advantage.

I don't believe it is a Snowden type for the reasons I mentioned and because the op seems way too complex and long running for any individual or group to pull off for ideological reasons.

I would tend to believe that it is not a leaker or it was a one time leak to a third party who is now running the operation.

The NSA knows everyone who worked for them, and who had access to what, and I am sure they are watching every single one of those people so the only plausible way it could be a leaker is if the NSA can't connect the leaker to whatever individual(s) are running the online campaign.

The problem with a long running op like this is that all internet access can be traced back eventually. Every time you post online, even if you are going to really extraordinary measures, you are leaving a trail that will eventually converge on your location. That means you have to stay on the move. But travel is also observable and so moving all the time will eventually create a pattern that allows you to be identified.

It is some real Jason Bourne type shit.

It could just be some relatively crazy individual who is playing a high stakes spy game for fun.

There are a couple of examples of criminals who engaged in robberies based on the movie Heat, which seems bizarre, but it happens.

http://en.wikipedia.org/wiki/North_Hollywood_shootout

https://www.theguardian.com/world/2001/mar/24/gilestremlett

The European team that was obsessed with the movie and based their operations on it pulled off some of the biggest armed robberies in history.


I was commenting on only the one argument that I quoted. That one is prone to be invalid because of survivor bias.


You all are forgetting about a tweet early on. The first time ShadowBrokers called out Jake was based on a gripe that’s kind of inside baseball. I’m pretty sure they saw Jake running his mouth, making stupid commentary as usual, and decided to remind him of this incident. At least one of the ShadowBrokers is an employee who is mad about a very specific event in 2013, which relatively few people know about, that is centered around Jake. This is why they talk shit to him all the time.


The biggest indictment of the NSA is the fact that there has been no visible internal dissent after Snowden regarding mass surveillance.

Their willingness to overlook the constitution because it's inconvenient is a far bigger problem than leaks, IMO.


I believe this is the underlying cause of their security issues. People involved cannot voice their dissent so they act it out.

The NSA and CIA are institutions established to protect a nation that abides by the rule of law.

When the rule of law is brushed aside the people who are part of that system rebel.


I very frankly believe one of the more patriotic things an American with the ability can do is emulate Snowden, i.e. infiltrate and expose the NSA’s domestic surveillance programs.


But it's not patriotic to give NSA tools to the Russians, to hurt the ability of the NSA to spy on Russia.


Wtf does patriotic have to do with anything but mass manipulation?

These weapons are not designed to be patriotic; they can just as easily hurt anyone.


it's ultimately in the best interests of all of us to understand how little we can count on the systems we use today to keep information private.

how likely do you think it is that the russians or the chinese or anyone really has developed similar exploits?


Who gave NSA tools to the Russians?


Presumably, a traitor within the NSA or a contractor.

See: https://medium.com/@thegrugq/the-great-cyber-game-commentary...


Why Russia?


I don't think that from their perspective they are overlooking the constitution.

All of their "illegal" programs are duly authorized by executive orders and DOJ legal opinions and signed off on by the intelligence committees.

You or me may view those operations as illegal but they are following orders given by democratically elected officials and signed off on by every level of the judiciary.

Ultimately I don't think it is productive to scapegoat the intelligence community for what is fundamentally a breakdown in the rule of law and democratic process. They are participants in that, but so is every voter, and every politician, not to mention all the corporations that happily do their work for them in exchange for money or favors and then lie about it.


This is the correct answer.

The NSA doesn't spy on Americans.

If you look at the Snowden leaks, it talks of filters limiting access to collected data to foreign nationals and people contacting foreign nationals only, as per laws allowed under the US constitution.

Why would a TOP SECRET program have these filters if their operations were illegal?

Everything the NSA does is legal. It's now up to the public to accept that fact.


I think it’s because there’s way more context to all of the stories we’ve been exposed to. We can’t judge their opinions or thoughts when we don’t know the additional details they have that would skew or change context.


I wonder why there don't seem to be leaks like these at other superpowers' intelligence/security organizations, like China's and Russia's? Is it the threat of torture/execution (and perhaps the same being done to their family)? Heightened fears due to stronger monitoring of employees? Or genuine loyalty / indoctrination?


>I wonder why there don't seem to be leaks like these at other superpowers' intelligence/security organizations, like China's and Russia's?

1. Leaks have happened in Russia, for example the KGB archives that Mitrokhin stole [0].

2. Somewhere above 845,000 people have TOP SECRET clearances in the US intelligence community[1]. I can't find the size of the Russian and Chinese intelligence communities but I would guess it is an order of magnitude smaller.

3. Privacy is not viewed with the same level of importance in Russia or China. The US and European intelligence communities are tasked with a mission which directly contradicts the core culture values of those societies. Additionally the US and EU countries have large non-state controlled media outlets allowing someone to blow the whistle.

4. Because of the Pentagon papers all leakers/whistleblowers have an example of intelligence leaks being beneficial and good for the country. Are there any similar role models in Russia or China that might motivate a whistleblower?

5. When the US captures intelligence from Russia or China the US generally does not leak it to make Russia or China look bad. Russia, and before that the Soviet Union, have been using espionage to make the US look bad for have 60 years.

[0]: https://www.dailydot.com/layer8/kgb-documents-now-public-mit...

[1]: http://freebeacon.com/national-security/chinas-spy-network-u...


From my perspective, on one side, they messed up on compartmentalization/access control. On the other side, the US is and should be held to a higher standard than China or Russia. Insiders are sworn to uphold and defend the Constitution, and when they see secret mass warrantless surveillance, and wars fought on dubious pretenses, one has to decide if you follow orders or do what you think is right by the Constitution. Additionally, from what I have seen, and I think this was pointed out by Ed Snowden, whistleblowers have been strongly disincentivized to use official internal channels. I don't know how Russia and China do it, but the US's open and free society has always been the source of its strength, and I hope it continues to be so.


The disparity in pay (and prestige) between public and private sectors is larger in the US than in most of the rest of the world. The NSA's counterpart agencies in other countries can recruit stronger talent, retain them longer, and offer them more professional pride.


I believe part of it must be due to basic economics. It is only worth leaking information if the individual believes that the benefits outweigh the costs (i.e., chance of positive outcome vs risk of negative outcome). If the political environment is one where a leak would have minimal impact, then the leaker has less incentive to leak.

Is it likely that a leak would impact the Russian election? Could a leak cause the Communist Party of China to be voted out of office? How likely is it that a leak would not simply be suppressed, but rather cause a change in the political direction?

Leaks in the US have a history of causing real change. That could be the biggest reason why we don't see many leaks from other superpowers' intelligence organizations.


> Is it likely that a leak would impact the Russian election?

I'm Russian and Russia is more unstable than many believe. This alone[0] is likely the reason P. postponed his equivalent of the State of the Union speech, which was unheard of before.

[0] http://russia-insider.com/en/politics/us-senate-attempts-inc...

There is also the fact that P. has still not announced that he will run, and in this case silence is deafening. It means that there is a very severe conflict behind the scenes - the ruling elites have not agreed whether he should run or someone else should run as his successor that will guarantee his personal safety and not let him get the Milosevic treatment in Hague for the events in Ukraine.


> I wonder why there don't seem to be leaks like these at other superpowers' intelligence/security organizations, like China's and Russia's?

I think we just don't know what happens. I would be surprised if an article like this one would appear in the Chinese or Russian press. And if you were an American journalist, would you really want to touch the leaked FIS material? The First Amendment won't protect you.


>>Is it the threat of torture/execution (and perhaps the same being done to their family)?

That is probably the primary reason. Along with perhaps bringing dishonor to your family (in Asian culture i.e. China's case)


If malware with ties to Russia was suddenly used in an attack, we would just blame the FSB. Something like an anonymous poster claiming to be responsible would be seen as obvious disinformation.

And it isn't like these leaks are a frequent event here, the Equation Group is really the only one.


> Some veteran intelligence officials believe a lopsided focus on offensive cyberweapons and hacking tools has, for years, left American cyberdefense dangerously porous.

> “We have had a train wreck coming,” said Mike McConnell, the former N.S.A. director and national intelligence director. “We should have ratcheted up the defense parts significantly.”

Yes, I think many have said this for years. I'm glad someone high-up went on record.

I'm not against what the TAO does, but the NSA (and more broadly, the US government) has massively failed to develop defensive capabilities.

I hope the NSA will use this as a moment of introspection, and up their defensive work -- particularly open source collaborations and research. (The IAD github page[0] is awesome in this regard; as are things like SELinux. On the research side, things like HoTT as a basis for verified software; which has some DoD funding, but would be so much more if NSA researchers collaborated.)

I get that attacking things is cool -- but we really need help defending the national infrastructure against constant assault. It's in rough shape. I hope the people at the NSA -- particularly those commissioned -- will reflect on why they're there, and take the stance that the safety of the nation is paramount. Then work towards that, as I know they're more than capable of.

[0] https://github.com/iadgov


It's interesting to see the complete lack of self-reflection on Jake Williams' part.

“I felt like I’d been kicked in the gut."

This is how a lot of people felt after the Snowden leaks.

“Every time it happens, you essentially have to start over.”

This goes both ways too. Every time something is compromised by the NSA, we have to start encrypting yet another part of our lives.

“It’s embarrassing that the people responsible for this have not been brought to justice.”

Again, both ways. Why has the NSA not been brought to justice? Closed courts and hiding behind the "national security" argument comes to mind.


> It's interesting to see the complete lack of self-reflection on Jake Williams' part.

At the risk of putting words in his mouth, but based on chats I've had with people who do this kind of work: Mr Williams probably sees what he does as righteous, legal, and noble while The Others he rails against are evil, immoral, and unlawful. It's not self-reflection because he thinks he was in the right and those other people are not.


> The agency regarded as the world’s leader in breaking into adversaries’ computer networks failed to protect its own.

Those are two very different things. Focusing on one of them doesn't automatically benefit your efforts on the other.


NSA is also responsible for establishing computer security practices for the rest of the government to follow. That they don't eat their own dogfood is damning.


They do typically eat their own dogfood when it comes to the security practices they propose. Dual_EC_DRBG is the big exception, but it's generally considered that most of the rest of their cryptographic standards are secure and suitable for public and government use.

There are likely many conflicting departments and teams within NSA. Many are probably trying to fight for the public's security and have for years, with cryptographers earnestly trying to develop secure and efficient algorithms. They are probably at odds with the other forces in the organization that seek to play the espionage game, even if it puts the country at risk.


> Many are probably trying to fight for the public's security and have for years, with cryptographers earnestly trying to develop secure and efficient algorithms. They are probably at odds with the other forces in the organization that seek to play the espionage game, even if it puts the country at risk.

Directly at odds. I don’t believe you should encourage anyone to trust known espionage. If it’s good advice, someone else will say it too you can trust independently.


We should also keep in mind that finding an exploit or two is much easier than making sure that nothing on your network can be exploited. I wouldn't expect even the best in the world to be able to thwart all attacks.


> Focusing on one of them doesn't automatically benefit your efforts on the other.

Uh, yeah. It isn't saying, "why did defense fail to automatically follow from offense?" It's literally just saying they failed to protect their own network, whether technically or organizationally.


I don't think I see it that way.

If you have the best then you should test your systems against being exploited by the best. And then harden from there. If you have the knowledge - knowing you're a prime target - why not double its value?

As it is, their approach strikes me as one of arrogance, or (ironically) lack of intelligence about foreign threats, or worse...both.

Both is not what we're paying them for.


The hope is that one's levels of expertise in those areas are correlated.


"Rendition Infosec" - give me a break, you were a peeping tom secret policeman, not a kidnapping secret policeman.


I love how he refers to himself as an "operator" - like he's going downrange with SEALs or some shit.


A quick Google finds it's a compromise worthy of the Laundry Files

"We settled on the name ‘operator’ to designate an operational member of the unit (as opposed to a member of the support staff) due to some legal and political situations. We couldn’t use ‘operative’ because that name had certain espionage connotations from the CIA. The term ‘agent’ had some legal issues. An agent carries a legal commission to perform certain duties and a governmental authority empowered by a state or federal constitution issues that commission. In our case, we would perform our duties under the authority of the federal government as administered by the Department of Defense and the Department of the Army. But in the military, only officers carry legal commissions from the President and are confirmed by Congress. Sergeants, who are noncommissioned officers, are authorized to perform their duties by virtue of appointment by the Secretary of the Army. Sergeants therefore cannot be agents of the government. And since almost every operational member of Delta Force is a sergeant, we needed to choose a different name for ourselves. Hence, operator. If that sounds sort of convoluted, it’s because it is. But if you work for any governmental entity, it will make perfect sense to you."


this sounds more like a joke about government bureaucracy than anything. it seems much more likely that it's simply derived from 'special operations'.


I have worked for an ex civil service bureaucracy and names and grades still had serious social and prestige


Yeah, his background was "paramedic" not a mathematician or programmer. So I wonder if his role was more like Script Kiddy on steroids than a brilliant programmer-hacker...


He means like in the Matrix; he answers the phones.


Cause for celebration for all who support privacy and security.


I get the sentiment. But now the tools are available to more criminals. And that's hardly good, is it?


Yes, it's great. Public availability of these tools means the exploits they leverage will be swiftly mitigated. They will be of no use to criminals, outside of the narrow window between disclosure and mitigation.

Had the NSA acted with integrity and disclosed these vulnerabilities rather than hoarding them, that window would be even smaller.


The bugs were always there.


"Antivirus is the ultimate back door," Blake Darche, a former N.S.A. operator and co-founder of Area 1 Security. "It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users."

Humble opinion: s/Antivirus/Automatic updates/

Perhaps antivirus were in fact an early experiment to test the feasibility of automatic software updates.

I recall many years ago, pre-smartphone, users being advised to leave their computers online 24/7 "so antivirus could download updates". Yikes.


Proves that no computer network can be secured, and is especially interesting given that the entire US military is moving to operate as a giant computer network where everyone is a node in the system.

They're setting themselves up for a hack so devastating that it will bring down their own country.


I think that it proves that it's _difficult_ to secure a computer network, not that it's impossible.


This is something I have been wondering about: how did both the CIA and NSA have their toolkits leaked within months of each other?

Either one of these agencies suffering such a major security breach would be extraordinary but both at the same time is unprecedented.


I would guess that their cyber offensive operation computers, which if I were to design from a systems level their IT department probably is distinct from other parts of their network, is different than their intelligence gathering and storing methods because sources and methods are the most tightly held secrets of any intelligence agency.

Plus you probably don't want your computers that you're using for offensive operations to look any different than a normal computer on the internet... so my guess is that there was an exploit of an offensive computer somehow through that back to a secured network where those tools were developed and deployed... probably through the method of remote command and control.

I'm surprised they haven't found the method of infiltration yet. But my guess is they should seriously look into unknown vulnerabilities. But it's also true (if Wikipedia is to be believed) that agencies work together in joint operations. In that case it would only take one rogue agent to get physical access to leaking materials that would affect both agencies if they were part of the joint operations.


A) this doesn’t require a rogue agent, just an insecure one. B) you just need the same attack to work twice; less extraordinary than an uncorrelated coincidence C) possibly some might have access to both. I think this is unlikely, but again, less unlikely than an uncorrelated coincidence.


Has anyone done a TCO of the NSA? Like, if the NSA takes $X bn / year to run, and has $Y bn / year in negative externalities for US companies by leaking their malware, then just how much have they cost the US economy?


> N.S.A. employees have been subjected to polygraphs

Oh, good to see an organization entrusted with an unconstitutional amount of data on Americans is defending against those threats with rank pseudoscience. Maybe they should hire a psychic to find that mole of theirs.


Realistically, they probably have.


I like to think of malware and security vulnerabilities as biological weapons. They have in common that if you lose control of them, they become very hard to control and will indiscriminately hurt your own population and the enemy.


This is a tricky industry. NSA hires a lot of folks from the underground world. The problem is most of these folks do not pledge any allegiances - not that it really matters, as we have seen many of the leaks from the past 6-7 years are leaked by U.S. citizens. But the fact NSA is hiring freelancers to do the work should be an alarm when it comes to "national security" as NSA claims its mission. I am sure NSA does have a vetting, but how much? How good is the vetting? Is there a post-work surveillance? We don't know.


That ex-NSA guy calling his company "Rendition Infosec" -- how disgusting. Gives insight to his character.


Whoever is hitting NSA is doing it expertly.

What I managed to extract from the article (do point out any flaws, I am open to them and I am just trying to do some mini-analysis here without taking sides):

- The attackers understand that warning the wide public will net zero results, now and centuries in the future. Homo Sapiens hasn't evolved enough of a collective conscience to actually act on revelations such as Snowden's, that's the historically obvious fact. Even the words of the biggest security experts like Schneier fall on deaf ears either because the politicians are better at rhetoric or because the public is too busy posting their food pictures on Instagram, or (as I believe) a mix of both. So they opted for the nuclear approach: release the hacking tools and demonstrate practically to the world the dangers of these hidden-under-the-table hacking tools. And now many more business people and politicians pay more attention than before. This is a sound psychological attack technique. Demonstrate that your opponent's claims for doing the best for the populace are not holding to reality. Even though I find this immoral and potentially dangerous IMO none of us can deny the devastating results to NSA's reputation.

- Spread FUD and never share anything truly revealing. They use language fuzzing techniques, occasionally engage in political debates without clarifying which side they ally with (saying they are on Trump's side means nothing), use both old and new hacking tools and other files, use vague speak to shift suspicion to former NSA employees or contractors (I imagine this is done so they exhaust the agency while it tries to plug yet another leak which might as well be imaginary -- but they can't risk it and the attackers know it) -- all of these tarnish the image of the NSA and force them to work extra to try and find moles, fix bugs in their own defense systems, go on internal witch hunts, double down on efforts to find the remote hackers, compartmentalize their physical and virtual clearance levels, etc. As mentioned in the parentheses, the attackers seem to aim to exhaust the agency and IMO it's working -- although none of us keyboard warriors in HN can know for sure of course.

- Have time work for you. The fact that Shadow Brokers are hunted by a lot of law-enforcement agencies for like what, 15 months now? -- is projecting a clear image to the world that these agencies aren't as ubiquitous as they would want us to think. This probably encourages other people to try and hit other (or same) agencies all over the world. Not sure if that is good or bad -- opponents of this approach might say it will lead to anarchy and chaos but in my opinion (partially founded by rudimentary knowledge of chaos theory and game theory) the living systems like ours have plenty of emergency levers to pull them back into a more balanced state. It's 50/50 though, I don't claim anything either way. In any case though, the agencies' inability to catch these people makes the wide public lose confidence in them.

----

Please note I am not taking sides here. I do believe NSA does a lot of unethical things and should be held much more accountable than it is right now, but I am uncertain if what Shadow Brokers is doing is the right way to achieve that result. It might as well make NSA and friends become even more paranoid and actually become much better and more subtle in its mass surveillance... which is a loss for everybody but them.

Oh well, time will tell. In any case, this is interesting news and development and I am slightly pleased that the intelligence agencies get some run for their money. And slightly terrified of the possible consequences.


Good. Working as intended. They could use some slowing and shaking.

> calling into question [..] its very value to national security

Its what now?


When Americans rejoice that their own institutions are failing... it speaks to how they view their own government as an enemy.

What are elections for in a representative democracy if the people elected don't represent the majority?


America would like to become a representative democracy when it grows up, but it has a long way to go yet.


[flagged]


All of this happened during the Obama administration. Has nothing to do with Trump.


Yet he's mentioned four times in the article, which should tell you something.


The only thing this tells me is that you did not read the text surrounding those mentions.

They all portray him in a rather neutral light, except perhaps the "again on Saturday disputed his intelligence agencies’ findings on Russia and the election". You can hardly criticize that though.

You could even argue that the last mention paints him in a somewhat positive light,

>The Trump administration says it will soon announce revisions to the system, making it more transparent.


What I got from the article is that the NYT is leaning towards publishing articles regarding hacking or other meddling into US affairs, especially by Russia, in order to generate public perception of the Russia issue as a large and embarrassing failure.

>"again on Saturday disputed his intelligence agencies’ findings on Russia and the election". You can hardly criticize that though.

In Hanoi yesterday, Trump made the statement that, "I'm with our agencies, especially as currently constituted with their leadership," regarding Russian intervention in the election. USA Today reported that, "Trump says he believes intelligence assessment that Russia interfered in election — but Putin does not."

https://www.usatoday.com/story/news/politics/2017/11/11/trum...


>Russia issue as a large and embarrassing failure.

Are you saying it is not?

>In Hanoi yesterday, Trump made the statement that, "I'm with our agencies, especially as currently constituted with their leadership," regarding Russian intervention in the election. USA Today reported that, "Trump says he believes intelligence assessment that Russia interfered in election — but Putin does not."

Sure, he said that. But he also said the other things. Does intentionally making conflicting statements somehow justify the ones that don't sound so good?


[flagged]


Trump.

Whether you like the guy or you believe he is a scoundrel who should be impeached, it's a little strange to put anything on him for this, considering the dates involved and how far removed the situation is from him.

> Mr. Obama did not act on the advice, in part because Admiral Rogers’ agency was at the center of the investigation into Russia’s interference in the 2016 election. Mr. Trump, who again on Saturday disputed his intelligence agencies’ findings on Russia and the election, extended the admiral’s time in office. Some former intelligence officials say they are flabbergasted that he has been able to hold on to his job.

In other words "Obama couldn't take care of business because of the Russia investigation, and Trump kept the guy around, to the chagrin of other intelligence people."


Probably Trump. However, many of the issues the NSA faces occurred before Trump's administration.


That's true. The concern should be Trump's sense of priorities. He's so easily distracted. He's seemingly more focused on Twitter than the NSA.

He, similar to Obama, is the wrong "leader" at the wrong time. We're off course and getting more and more so with each day.


The North Korean nuclear+missile programs are a tangible example of how Obama was the right leader. Under Obama these programs spun their wheels without traction for 8 solid years thanks to a huge amount of covert action from our intelligence agencies. Missiles blew up, centrifuges didn't work, etc, and all with little to no loss of American life.

Under Trump they are not taken seriously and they have made significant progress in less than a year, and it's quite probable that military intervention will be necessary before Trump's term is up. It's well-known in the IC and Congress that Trump is a childlike senile fool who has no real grasp of any issue that can't be summarized in 160 characters. Certainly foreign leaders are well aware of it, ask Merkel what she thinks about him, let alone the less scrupulous countries like Saudi Arabia that are openly playing to it.

People don't appreciate how many things were quietly going right under Obama, and now the world's trouble spots are being allowed to fester under Trump. Some career State Department roles are down 60% in less than a year. Putin picked a great leader for his purposes, American leadership in the world has been diminished significantly and the basic machinery of our government is grinding to a halt. A+++ would hack again.

(of course there's no evidence that vote tallies were changed... yet. But the Trump campaign coordinated heavily with Russia and virtually everything short of changing vote tallies has been confirmed, so I just wouldn't be surprised to hear it at this point. There were quite a few "surprise wins" that nobody expected. It's quite likely that it can never be proved either way, thanks to the lack of paper trails and the active purge of some electronic records by state governments.)


> "People don't appreciate how many things were quietly going right under Obama..."

Yes, but quietly works both ways.

- Fracking hockey stick'ed on Obama's watch. In the context of climate change that's unimaginable.

- Wall Street consolidated its power (8 major banks down to 7) and there was no significant response. Not a single WS exec was prosecuted after the 2008 crash.

- The usage of drones - built by the MIC led by the CIA - increased as a proxy for foreign policy under Obama. Those civilian deaths, of which there are plenty, will eventually come back to haunt the USA.

- Snowden happened on Obama's watch and the response... (editorial) I don't feel any safer, nor my rights any more protected.

- BLM was on BO's watch and plenty of influential figures have been critical of Obama's response.

- Flint MI happened on Obama's watch. A local issue perhaps but when the greatest country in the history of the world poisons its own with lead and the POTUS just gives another "that's not who we are speech" something isn't right.

Finally, the USA empire has been on the decline for some time. Neither Trump nor HRC were going to stop that slide.

I'm not picking on Obama. He did a good job all in all. What concerns me is how willing the media has been not to paint the complete picture on some very significant issues / events. Things that will have a long-lasting impact on the future of the USA, as well as the world.


I think it’s everybody else that’s “easily distracted”. He uses his Twitter as a laser pointer with a cat, and he has been doing so for years. You don’t win an election against the Clinton political dynasty if you’re “easily distracted”.


Are you suggesting running a company is the same as leading a country?

As for the election, history says otherwise. DNC incompetence as well as Clinton arrogance all but handed Trump & Co the win. In addition, the fact that a "political unknown" was able to bubble to the top of the GOP ticket is more of an indictment of that party than any significant skill on Trump's part. Who did he beat? Cruz? Rubio? That's a noteworthy accomplishment?

Pardon me for saying so (as it's not very HN) but...you're funny.


Where did I suggest that?

And you try to beat Cruz or Rubio (let alone “arrogant” Clinton and the entirety of mainstream press), and then come here and tell us if it’s a noteworthy accomplishment.


Um. You're telling me the party that had 7+ years to plan for the repeal & replace of ACA but completely failed at that has able leadership? Those who campaigned for the ticket were the cream of the GOP crop. They're not competent. How is Trump punching his way out of a wet paper bag a sign of significance?

I'm being snarky. I'm curious as to how anyone can see the rest of the GOP'ers that tried to get the nomination as being worthy of it.


Hillary wasn't worthy of her nomination, and yet here we are. Jeb Bush attempted the same thing, but failed very early on.

You're failing to recognize that GOP establishment hates Trump just as much as Democratic establishment does. They would rather fail themselves than let him win, because they feel it in their guts that if he wins, he won't keep them around for long. He's an anti-establishment candidate. That's the platform he ran on, and that's the platform he will run on in 2020 (and likely win again, unless Democrats can suppress their utter disdain for rural, working class voters).


Actually. I'm well aware - and have been preaching since he won - that both parties want Trump to fail. Imagine a non-politician coming in and actually getting things done. Are you kidding me? That would not make the rest of W.DC look good.

So at this point, regardless of what you think about Trump, it's 4 more years of "let them eat cake" for we the people. That's guaranteed at this point.


I'm just saying the NYT has clearly demonstrated that it has taken sides as a publication, and this bias doesn't make for good journalism, whether you agree with the bias or not.


This is why friends don't let friends run Windows. It's not that hard.


More than one exploit released by the shadow brokers was specifically targeted at Linux/Unix/Cisco and other operating systems... It's naive to think that other operating systems are somehow invulnerable to nation-state attackers.


Yes but at least with open source software, you have a fighting chance of knowing what you're running.

What's the open source equivalent of DUAL_EC_DRBG or Kaspersky Anti-Virus?


The NSA are habitual liars. Of course this is what they want you to believe. It makes their job easier.


My favorite is how NSA is funded by government debt, which is their way of printing money. This is also true for the FBI too with the scare against encryption. One of the reasons we got off the gold standard decades ago was military spending.


Currency is just printed debt. What’s your point?


The point is that the debt can increase forever since we got off gold.


This isn’t necessarily hard or bad, though. If I take $100 and loan it to my neighbor, the debt appears from nowhere. Heck, theoretically, he could loan it right back under different terms and create more debt. Debt isn’t necessarily bad—the fear is you’re building on jenga blocks, not that some guy is going to show up with a wrench.


In this case we are talking about government debt though. Congress does have some control over it with "appropriations" I think.


> "The fundamental purpose of intelligence is to be able to effectively penetrate our adversaries in order to gather vital intelligence. By its very nature, that only works if secrecy is maintained and our codes are protected."

lol "codes"


When I was roaming the halls of UC Berkeley 25 years ago, the use of countable "codes" was idiomatic in the numerical computing sphere at the intersection of computer science, mathematics, and parallel computing. A code was more or less a program or application. A frequently linked idiom was "kernel" to refer to the inner-loop of a particular numerical simulation, generalizing a "filter kernel" (matrix of coefficients) in signal processing/convolution.

I have heard similar usage from academics working in various US national labs, so it was not confined to a single coffee klatch. Some of the professors and postdocs using it back then are probably lab directors and program managers by now. I can easily imagine that this usage would be widespread among academic and federal lab computing environments. Like many kinds of jargon, it is both more precise in its meaning when used properly, but also what you might consider a "dog whistle" used for virtue signaling.


Pretty common to use that terminology in the sciences and government work for small "kernels" of code that does one thing really well.

EX: Water simulation codes, cryptographic codes, FEM codes, etc.


I’m not even peripherally involved in the IC but I think this is being used to refer to e.g. cryptographic protocols, rather than source code.


I think they're referring to cryptographic codes which makes it sound less awkward.

https://en.wikipedia.org/wiki/Code_(cryptography)


Err they mean it in the sense of a synonym for ciphers not the ungrammatical use of codes for code (in the computing sense)



