back to article NSA SOURCE CODE LEAK: Information slurp tools to appear online

The NSA has decided to let the public have a peek at what it's been up to, for a change, by promising to release some of its data analysis tools under an open-source license. On Tuesday, intelligence-gobbling agency said it hopes to make the code to NiFi – a project previously known internally as Niagarafiles – available as an …

  1. K
    Big Brother

    A proverb comes to mind ..

    Beware of Greeks bearing gifts..

    1. Anonymous Coward
      Anonymous Coward

      Re: A proverb comes to mind ..

      Romulans too.

      1. Trevor_Pott Gold badge

        Re: A proverb comes to mind ..

        I only use it for medicinal purposes!

    2. swampdog

      Re: A proverb comes to mind ..

      Shouldn't that be "Geeks"?

  2. Anonymous Coward
    Anonymous Coward

    Charm offensive?

    No charm and quite offensive, download at your peril!

  3. Anonymous Coward
    Pirate

    In the immortal words of Laurence Olivier....

    Is it safe?

    Or taking repurposed movie lines one step farther, are users in danger of "NiFi phone home!"

  4. Joerg

    All bull.. naive people will believe this crap.

    They are clearly releasing fake stuff to look good.

    Most people nowadays are so naive.. so they hope that just by releasing some nonsense or really ancient algorithms they might have been using in the '70s along with the "open source" silly thing that makes many believe that it's open source so it's the truth, so it's good, so can be clearly understood and so on...

    ..well all this stuff they just hope is enough to make a fool of the majority of people.

    1. Destroy All Monsters Silver badge

      Re: All bull.. naive people will believe this crap.

      > ancient algorithms

      But are they justified?

      1. Frumious Bandersnatch

        Re: All bull.. naive people will believe this crap.

        But are they justified?

        And is that really an ice-cream van driving around outside your estate in the middle of November?

        (thumbs up for the KLF reference)

        1. AbelSoul

          Re: But are they justified?

          And from Mumu?

  5. dan1980

    It good to see the American people getting such excellent return for their investment.

    I am sure their cups of gratitude runneth over.

  6. Will Godfrey Silver badge

    Tinfoil Hat?

    Now I'd be really worried if they were also recommending a specific compiler and version number.

    1. Captain DaFt

      Re: Tinfoil Hat?

      "Now I'd be really worried if they were also recommending a specific compiler and version number."

      If you were truly paranoid, you'd be even more worried that they weren't! (Gahh! They've got their hooks in everything!)

  7. Denarius Silver badge
    Black Helicopters

    not unexpected

    The same people own the US gov as all the other private companies spying. So they are just sharing the code to improve their intrusion on us all. And doing it very cleverly by making it look like niceness. But the code is still used to analyse, track and spy, as if search companies do not do enough of that already.

    1. Preston Munchensonton
      Black Helicopters

      Re: not unexpected

      From the looks of it, the Earth has run out of enough aluminium for +100 thickness of your tinfoil hat...

    2. dan1980

      Re: not unexpected

      "The same people own the US gov as all the other private companies spying."

      Absolutely.

  8. Cipher
    FAIL

    No doubt...

    ...this release has *some* way of being compromised or they wouldn't let it go.

    No Thanks Mister NSA Man...

  9. Anonymous Coward
    Anonymous Coward

    motive

    Almost by definition of who they are and what they are paid to do, there can be no possible benevolent motive in releasing any code, and given that a release has been planned since it's inception, there must be something more clever going on.

    Surely not just PR? Anyone with whit enough to read the source code, isn't stupid enough to buy the PR angle.

    1. Frumious Bandersnatch

      Re: motive

      Surely not just PR? Anyone with whit enough to read the source code, isn't stupid enough to buy the PR angle.

      Might I suggest that the time you're spending looking over the code is time that you're not spending noticing or complaining about the other stuff they're doing? I think that calling it "PR" is totally apt (though of course, PR is just what PR calls itself; they'd never call it "public manipulation", now would they?)

  10. Anonymous Coward
    Anonymous Coward

    You can 100% trust the NSA, they only lie when their lips move.

    The way I now look at the NSA is this financial breakdown:

    25% for military intelligence

    25% for economic intelligence

    50% for diplomatic intelligence

    1% for everybody else on the planet.

    99% for R&D into any communications channel that they are currently not spying on yet.

    (They have the budget to double down, a secret black budget and a public budget)

    Anything that they give is to aid in some aspect of the above and nothing else.

  11. Mark 85 Silver badge

    Where's my tinfoil hat

    This may be a very bad thing in the hands of Black Hats or miscreants. Or. it's a trap. Compile it and use it and everyone and his brother in the 5-Eyes will be following you. Maybe I'm being paranoid but when a spy agency releases something, one has to wonder what they're getting in return.

    The Greeks may have invented the Trojan Horse but the computer age has refined it.

  12. BenjaminHare

    Excellent news, I love the NSA

    What excellent news. I'm thrilled to hear that our NSA overloads will submit their code for public scrutiny. Kudos to them for making such a smart PR move entirely out of the blue! Bravo, that. I certainly hope this will usher in a bold new era of cooperation between the NSA and the Open Source community.

    1. Anomalous Cowturd
      Joke

      Re: Excellent news, I love the NSA

      <sarc>

      I think you forgot something!

      </sarc>

    2. foo_bar_baz
      Linux

      Re: Excellent news, I love the NSA

      Yawn. SELinux was open sourced 14 years ago by NSA.

      1. MustyMusgrave
        Devil

        Re: Excellent news, I love the NSA

        @ foo_bar_baz

        Yes it was and it's crap the better alternative is grSecurity, it works out of the box with a minimum skill set required, you just install the Kernel and in a lot of respects it's better! It protects your machine from Zero_Days!

        Secondly none of those NSA lot have yet managed to answer why there password enforcement policy for the Linux Kernel is still using the DES algorithm from 1976!

        And if thats the same Niagrafiles (NiFi) from DHS (homeland security) it's got a lot of writeup's about how it exposes entire password databases.. So they can stuff that!

  13. elDog

    How is this any different than any corporation making their wares "open"? Do you trust chromium or java more less than the NSA?

    In the commercial world software can be released into the wild in order to later harvest users who don'tknow how to use all the fancy bells and whistles. This leads to lucrative service contracts.

    In the MIPC world, this leads to embedding reporters that know your every move/keystroke.

    I guess the benefit to allowing the MIPC harvest my limited interactions is that they will also give them to the rest of the Corpulations. ....wait.

  14. Frumious Bandersnatch

    Nice PR move

    But obviously what we'd all really prefer (besides stopping spying on us) would be for them to work with software makers on a full disclosure basis so that we can all enjoy more secure software. The pretence that you're not hoarding vulnerability info and using it to your own ends has long ago worn paper-thin.

  15. Gray
    Devil

    A naked couple

    A middle-aged couple walked into the Seattle FBI downtown offices recently, wearing raincoats. They asked to see the Special Agent in Charge. When the agent came to the reception area, the couple stripped off their raincoats and stood before him, naked.

    "We're sick of the government spying on everything we do," the man yelled at the agent. "You might as well see everything else we've got!"

    "Put your coats on and get out of here before I have you arrested," the agent ordered. "We've seen it all already!"

  16. Graham Marsden
    Thumb Down

    "release some of its data analysis tools"

    Pardon my cynicism, but exactly *what* is this supposed to prove?

    They're not going to release their *actual* current state-of-the-snooping-art tools, are they? So what is this? Something that they may have used 20 years ago? Something that is now probably completely obsolete, I don't doubt.

    This is spin, pure and simple, they're saying "Look, look at this! Be impressed! See, we're being open and honest and you should not pay any attention to the man behind the curtain...

  17. Gary Bickford

    For all those doubters ...

    Most folks aren't aware that NSA has multiple directorates, for different missions. The Signals Intelligence Directorate are the infamous spooks, whose job is to collect information. They're the ones that most people think NSA is all about. There is also an IT directorate, that keeps everything running.

    And there is also the Information Assurance Directorate, which is chartered with defending US industry and government against groups who do the same thing as the SID - whether foreign governments or independent operators and hackers. They're pretty much the good guys. I suspect that they are the ones funding Tor, and releasing bug fixes to known vulnerabilities in security software. They have helped US businesses - 'saved their ass' - multiple times in the last several years when they discovered attempts to penetrate the business. Source - someone who has worked with NSA in the past in this very area.

    It's too easy to lump everything together, painting everything with the same brush. But that limits one's ability to see the real, complicated, picture.

    1. MustyMusgrave
      Facepalm

      Re: For all those doubters ...

      Well here's why I am a little dubious, we (the hackers) have had pretty good elaborate reports so far from symantic about state sponcered malware that looks like stuxnet, we know it targetted the european union, secondly there are some interesting factors you can learn all about implants in hardware, those ARM chips are made in texas and they're not as closed source as you think, the major players buy those secure (misdescribed) tamper proof chips via a company called INSIDE Secure who also use the MatrixSSL and whilst the rest of the world is getting pwned with Heartbleed & Poodle, the partners at INSIDE Secure seem to have remained totally Secure. What does come out of these documents so far is that most of the software being attacked belongs to one company, so it kind of gives the impression that we're dealing with a load of script kiddies who dont really understand the finer two points and those are the following

      1> This is not a WarZone

      2> Windows is Rubbish

      If any of these so called cyber-guys where any good at there Job they'd understand that with the right tools and the right application of those tools with the right kind of advanced skill set, yes those systems do become impenitrable, that's the whole idea! I'm sure they notice the malware long ago and these guys in the industry are only just starting to get pissed off. It's supposed to be a security organisation not the script kiddies R us and we'll hack everybody organisation!

  18. Anonymous Coward
    Anonymous Coward

    they just want help from the public

    "automating data flows across multiple networks, even where data formats and protocols differ"

    Maybe they just need the public to help relay the data and make it easier for them to siphon off data from networks? It's more convenient if everybody has the tools already installed ;P

  19. MustyMusgrave
    FAIL

    Fail...

    They still havent quite worked out the finer points of security vs hackers and directory traversal...

    Case in point: https://incubator.apache.org/projects/ <~ ahh!

    Now every single one of there little secret projects is open source!

    Highly insightful to see that most of it is either apache based, (.((dot))net) based or Javascript, you have to laugh when you hear about microsoft wanting to make it's (dot) Net open source, good for them, now who gets the head-ache of trying to write it all in C# ?

    1. MustyMusgrave
      WTF?

      Re: Fail...

      Here's an interesting one....

      Shame about the name!

      https://incubator.apache.org/projects/isis.html

      1. MustyMusgrave
        Devil

        Re: Re: Fail...

        Here's a good one: Storm: It is scalable, fault-tolerant, guarantees your data will be processed, and is easy to set up and operate.

        1> It's apache, if it's not running in Chroot using Mod_Security - it shouldnt be hosting pages on the web!

        2> It's a Javascript Library - See LibreJS

        3> Since when has apache been fault-tolerant? Shouldnt you be using Shttpd!

  20. MustyMusgrave
    Angel

    Re: Re: Re: Fail...

    Oop's no my bad I meant sthttpd - the one with no scriptable modules, it's more there speed!

    @NSA - stop hosting webpages with Web 2.0 standards applied, there horrible standards and they very rarely work the way they where intended unless your a nerdy guru, who's going to take the 3 months 24 hours and 64 minutes to sit there configuring all the options to be bullet proof!

    & Thats why you pay for an expert to come and set it all up and dont let someone who's done a few security course's and is under the age of 40 + loose on your server!

  21. MustyMusgrave
    IT Angle

    Security

    Good security is a mindset - people shoveling heavily script driven database engines that are all web-facing deserve to end up getting hacked for being so stupid...

    Here's something for them all...

    It's called a "Dancing Banana!"

    http://cdn.videogum.com/files/2011/11/bananagrape5.gif

  22. MustyMusgrave
    Trollface

    if your going to do it...

    If your going to do it, get it right, first you setup your home-page with sthttpd in chroot, it runs the same pretty site pictures coded in base64 and sadly there's no links with roll-over special effects - ie: Java, PHP or other such Candy or pop-up advertising! But you can still navigate with http 1.0!

    Then and only then, if your customer has to make a secure payment, then, you - redirect them to your internal NAT apache page with the submission details for them to login!

    MySQL driven? No... Not unless you've sanitised the statements first!

    Javascript Driven.. No .. Absolutely not!

    Perl Driven.. No

    JSON.. No

  23. shovelDriver

    "Now you can run your own intelligence agency"

    Yes, and feed those backdoors to help make the NSA's collection system even better!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021