I think of this as part of a broader failure of the USA to build, repair, and fortify infrastructure. We have crumbling roads, failing bridges, and, now, telecom and computing services that are rather unimproved since inception, decades ago.
Now, I realize that, as an intelligence agency, NSA's core mission is to spy. But I take issue with the intentional weakening of our infrastructure, e.g., Dual EC DRBG. You don't see DOT going around sabotaging asphalt production.
Now, I realize that, as an intelligence agency, NSA's core mission is to spy.
Funnily enough, the NSA has a dual mission: spy on their communications, protect ours. Now that everyone uses the same tech, one of those missions has overshadowed the other. Makes their weakening even harder to stomach, eh?
Technically (yes, I am being that guy), their protection mission only extends to the DoD and selected US government agencies. Not to the general public or US business. That's done by NIST and the Department of Commerce. The NSA does occasionally cooperate with NIST on encryption matters, but that's fairly arms-length.
> cooperate with NIST on encryption matters, but that's fairly arms-length
Heh, you might want to read up on Dual_EC_DRBG.
Technically you're right, and I think that people who claim that these missions are fundamentally at odds have not fully games out what options the NSA have; where they see fixing bugs as the only way to increase security, but despite their responsibility being technically only to the government, there has been quite a push for the NSA to help defend civilian networks too since they're being routinely targeted by nation state actors too, and the economic damage there is arguably worse.
'Their' includes anyone outside of the NSA. Not just other nations. Not just normal US citizens and corporations. But also others within the US government.
They gave us SELinux. Also, keep in mind that by freely giving tools to secure everything, they also end up making their own job of spying on others harder.
SELinux was incredible and we should be thankful to the NSA for that. But, not to sound ungrateful, that was 18 years ago now and the NSA's supposed mission to strengthen America's [digital] infrastructure seems to have stalled.
It seemed like pre-9/11 the NSA was doing both of their roles (spy and strengthen) but since 9/11 all they do is spy and ignore the other role.
Maybe that role should be moved out of the NSA completely, and they can just concentrate on spying and let someone else concentrate on improving digital security. It is fair to say that those two roles are somewhat contradictory.
Attackers and security researchers seem to have figured out how to bypass SELinux relatively easily. Looking at any recent major examples of real-life attacks on Linux, SELinux never came up as a roadblock for any of them. It reduces the attack surface which is a good thing, but there are plenty of entry points still available to gain root.
Privilege escalation on stock Linux systems has never been a major challenge, attackers can then simply turn off SELinux or modify the rules once they get root - as plenty of public exploit PoCs have demonstrated. Which is more of a indication of the state of Linux kernel security rather than MAC software.
Sysadmins seem to talk highly of SELinux, but its rare to find people in offensive infosec who do.
I could easily find a dozen plus 0day attacks which SELinux mitigated in Fedora/CentOS/RHEL, but there is no point in responding to a troll with much more than the minimum necessary.
Do you have examples? I haven't seen anything that said SELinux was thwarted in anything, and it is still pretty standard procedure to turn SELinux off instead of learning it.
Even if we leave this aside, the intricate role-based access control paradigm of SELinux has since had plenty of competition with alternatives that provide the same benefits with significantly less cognitive overhead (AppArmor, Smack, Tomoyo...)
SELinux is very much geared in mind to the often baroque security protocols of government agencies, defense companies and certain enterprises. It may be cryptic for many other use cases.
The media told me that recent historic legislation ended mass surveillance, so I can't imagine there's anything to worry about.
Sections 214 and 217 of the Patriot Act arguably authorize this surveillance. Or maybe FISA 702. But journalists have zero imagination or critical thinking skills and need powerpoint slides directly illustrating things. And they'll immediately forget even what the slides show when Congress promises that a new bill outlaws that.
Ironically, the NYT is probably the most guilty of putting this "message" out there that the NSA surveillance was "sharply limited" with the passing of the USA Freedom Act.
There are some people[1] who believe that the NYT will print (or more specifically not print) nearly anything that comes from a top official in the Whitehouse as a way to maintain access.
Lot of journalists have been pointing this out about NYT for a long time. (This is not to say NYT only trumpets what us officials say, just maybe, they don't always provide enough context an skepticism.)
Also worth noting that NYT is hardly the only place that does this.
It's worse than just publishing what the administration wants. They've also demonstrated that they're willing to kill pieces that the administration wants killed (at least until they realize their reporters are just going to write a book with the story anyway...).
In a recent Frontline episode[1], they do a good job of speaking to some primary sources about an interesting specific instance of story killing related to domestic surveillance, and how that fed into Edward Snowden's decision regarding publication venue for his whistle-blowing leaks. In my eyes, they've fallen a long way since the days of the pentagon papers.
This might be less of a popular opinion, but I believe this is exactly when NSA surveillance is rightly placed.
In a world where hacking has left teenage basements and has become weaponized and used by governments around the world - collecting information about foreign hackers is a legitimate use of surveillance powers for Military self defense.
> "hacking has left teenage basements and has become weaponized and used by governments around the world"
Source? Particularly with respect to "weaponized". The worst I saw was North Korea alledgedly being responsible for pirating a crappy movie, and a 10 minute shutdown of github a few months ago.
> "Military self defense."
Who and what are you afraid of? And how does this policy help with that? No truly dangerous information would ever come close to US borders. This, just like massive traffic collection, can only be said to be an invasion of privacy for the average man. The people we'd like to catch were never at risk at all.
I just don't buy into the fear, and I see the consequences as huge.
> > "hacking has left teenage basements and has become weaponized and used by governments around the world"
> Source? Particularly with respect to "weaponized". The worst I saw was North Korea alledgedly being responsible for pirating a crappy movie, and a 10 minute shutdown of github a few months ago.
Arguably it has been "weaponized" by the NSA and their allies. See, stuxnet and related threats. There is good reason to believe other nation state actors also have "weaponized" threats. For instance the recent "man-on-the-side" DDOS attack via the great firewall on github. There is also a healthy business for buying and selling vulnerabilities and exploits and the .gov organizations are known buyers.
So yes, I think it is fair to say that "hacking has left teenage basements". That part of the statement the gp's statement it obviously true when you look at say sophisticated carder rings.
Yes, sure. But it's modern day McCarthyism viewed through the lens of loss of profits from the collapse of the Soviet Union. That is, without a Russian Bear to scare people with, the US intelligence community can't get money at will. Once Osama bin Laden was shot to pieces, Al Queda lost a lot of its terrorizing power, so now it's "ISIS" or "ISIL" or "Islamic State". There's Al Shabab and Iran and probably some others to have always been at war with waiting in the wings.
"Irishmen," "Germans," "Communists," "Terrorists," "Pedophiles," "Terrorists" (again), and now "Hackers." Just add it to the list of justifications the government uses to impede people's freedoms (or to generally act immorally).
Soon I'm sure they will find another moral hazard to use to justification whatever overreaching powers they want this week.
Oh, sure - BILLIONS for "foreign hacker threats" that probably don't matter much, but NOTHING to track down "Anne from Cardholder Services".
That's my takeaway. The US executive branch is letting the NSA and FBI, spy on its own citizens, but doesn't do anything that would practically reduce real problems.
Monitoring a relatively docile citizenry to ensure it doesn't create a threat to those in power is much easier, especially if you can scare them into it with the terrorism boogeyman.
I'm sure there are individuals and even small groups within the NSA and FBI doing legitimate work to track down and neutralize real threats to the United States. I suspect, however, that they and their budgets are greatly overshadowed by the Keith Alexander types who see their organizations as an authoritarian playground and a stage for creating further personal private-sector opportunities.
There was a time when working in such agencies, if acknowledged, was a badge of honor. Now, it should be a mark of shame.
The real problem I want them to solve, that they are in a unique position to solve, is that of the super-annoying robocallers like "Anne" or "Rachel" or "Barbara", that claim to be from a credit card organization, and claim to be able to lower your credit card rate. I'm pretty sure that these companies are using hacked PBXs to do their work, but at the very least, they're spoofing caller ID information, and doing things that verge on fraud. Oh, and calling numbers on the "Do Not Call" list.
The FTC seems powerless to stop Cardholder Services, or perhaps is actually in cahoots with them. None of the phone companies care, they're still getting their monthly payments for your cell phone, so they'd almost rather have "Anne" robocall you. It's up to someone outside of the telecom system, and it's captive regulatory apparatus, to stop Cardholder Services. Who better than the NSA and their domestic tools, the FBI? They can find the hacked PBXs, track the boiler rooms, and send in SWAT teams to make sure the boiler rooms are shut down, and salt is plowed into the ground there. That would be a real problem they could deal with, and not even reveal their Sekrit Teknolgie!
The FCC doesn't care. If they cared, they would end up killing fake callers and robodiallers very quickly. Only the most stupid and flagrant offenders get fined.
The FCC just needs to start handing out fines, tracing the liability up. So if little VoipCo signs up some guy from XX and lets him set any calling number without verification or lets him make a high rate of calls, bam, fine VoipCo.
It's easy and the FCC could clean it up in a couple of months. They choose not to.
We could even put "Security" in that agency's name. That would surely do the trick.
I'm not sure how we can change the government's (executive mostly) mind on this. Right now it thinks more offensive capabilities + more surveillance = cybersecurity. Just like with the War on Terror, they're using "cyber terror" to give themselves even more power, instead of actually solving the problem.
Thanks to the Iraq war, the USA set in action what led to the creation of ISIS, and with its war on strong security and encryption, it's making all of us less secure, and therefore more open to cyber attacks.
So it's worse than "not having a real solution" to these problems. They are actually exponentially making the situation worse with their "solutions".
Honestly, at this point, the only solution I can see is to end the NSA altogether. It is clear that it cannot be in check. It is also clear that it mocks rule of law. If the US still likes to call itself a country ruled by law, this is one of many necessary steps at this point. Otherwise, let's call the situation as it is: we do not live under rule by law. It seems that the ambiguous wrath one faces when pissing off the king (NSA, gov't, big corps) today is no different today than it was under feudalism and that in fact, while other countries actually make an effort and succeed at being ruled by law, the US is not even making an effort. And we have the gall to call out other countries on their human rights abuses. What a disgusting, primitive, uncivilized, and sick country the US is these days.
