
A proverb comes to mind...
Beware of Greeks bearing gifts...
The NSA has decided to let the public have a peek at what it's been up to, for a change, by promising to release some of its data analysis tools under an open-source license. On Tuesday, the intelligence-gobbling agency said it hopes to make the code to NiFi – a project previously known internally as Niagarafiles – available as an …
They are clearly releasing fake stuff to look good.
Most people nowadays are so naive... so they hope that just by releasing some nonsense or really ancient algorithms they might have been using in the '70s, along with the "open source" silly thing that makes many believe that it's open source so it's the truth, so it's good, so it can be clearly understood and so on...
...well, all this stuff they just hope is enough to make a fool of the majority of people.
The same people own the US gov as all the other private companies spying. So they are just sharing the code to improve their intrusion on us all. And doing it very cleverly by making it look like niceness. But the code is still used to analyse, track and spy, as if search companies do not do enough of that already.
"The same people own the US gov as all the other private companies spying."
Almost by definition of who they are and what they are paid to do, there can be no possible benevolent motive in releasing any code, and given that a release has been planned since its inception, there must be something more clever going on.
Surely not just PR? Anyone with wit enough to read the source code isn't stupid enough to buy the PR angle.
"Surely not just PR? Anyone with wit enough to read the source code isn't stupid enough to buy the PR angle."
Might I suggest that the time you're spending looking over the code is time that you're not spending noticing or complaining about the other stuff they're doing? I think that calling it "PR" is totally apt (though of course, PR is just what PR calls itself; they'd never call it "public manipulation", now would they?)
The way I now look at the NSA is this financial breakdown:
25% for military intelligence
25% for economic intelligence
50% for diplomatic intelligence
1% for everybody else on the planet.
99% for R&D into any communications channel that they are currently not spying on yet.
(They have the budget to double down, a secret black budget and a public budget)
Anything that they give is to aid in some aspect of the above and nothing else.
This may be a very bad thing in the hands of Black Hats or miscreants. Or... it's a trap. Compile it and use it and everyone and his brother in the 5-Eyes will be following you. Maybe I'm being paranoid, but when a spy agency releases something, one has to wonder what they're getting in return.
The Greeks may have invented the Trojan Horse but the computer age has refined it.
What excellent news. I'm thrilled to hear that our NSA overloads will submit their code for public scrutiny. Kudos to them for making such a smart PR move entirely out of the blue! Bravo, that. I certainly hope this will usher in a bold new era of cooperation between the NSA and the Open Source community.
@ foo_bar_baz
Yes it was, and it's crap. The better alternative is grsecurity; it works out of the box with a minimal skill set required, you just install the kernel, and in a lot of respects it's better! It protects your machine from zero-days!
Secondly, none of those NSA lot have yet managed to answer why their password enforcement policy for the Linux kernel is still using the DES algorithm from 1976!
And if that's the same Niagarafiles (NiFi) from DHS (Homeland Security), it's got a lot of write-ups about how it exposes entire password databases... So they can stuff that!
How is this any different than any corporation making their wares "open"? Do you trust Chromium or Java more or less than the NSA?
In the commercial world, software can be released into the wild in order to later harvest users who don't know how to use all the fancy bells and whistles. This leads to lucrative service contracts.
In the MIPC world, this leads to embedding reporters that know your every move/keystroke.
I guess the benefit to allowing the MIPC harvest my limited interactions is that they will also give them to the rest of the Corpulations. ....wait.
But obviously what we'd all really prefer (besides stopping spying on us) would be for them to work with software makers on a full disclosure basis so that we can all enjoy more secure software. The pretence that you're not hoarding vulnerability info and using it to your own ends has long ago worn paper-thin.
A middle-aged couple walked into the Seattle FBI downtown offices recently, wearing raincoats. They asked to see the Special Agent in Charge. When the agent came to the reception area, the couple stripped off their raincoats and stood before him, naked.
"We're sick of the government spying on everything we do," the man yelled at the agent. "You might as well see everything else we've got!"
"Put your coats on and get out of here before I have you arrested," the agent ordered. "We've seen it all already!"
Pardon my cynicism, but exactly *what* is this supposed to prove?
They're not going to release their *actual* current state-of-the-snooping-art tools, are they? So what is this? Something that they may have used 20 years ago? Something that is now probably completely obsolete, I don't doubt.
This is spin, pure and simple. They're saying "Look, look at this! Be impressed! See, we're being open and honest and you should not pay any attention to the man behind the curtain..."
Most folks aren't aware that NSA has multiple directorates, for different missions. The Signals Intelligence Directorate are the infamous spooks, whose job is to collect information. They're the ones that most people think NSA is all about. There is also an IT directorate, that keeps everything running.
And there is also the Information Assurance Directorate, which is chartered with defending US industry and government against groups who do the same thing as the SID - whether foreign governments or independent operators and hackers. They're pretty much the good guys. I suspect that they are the ones funding Tor, and releasing bug fixes to known vulnerabilities in security software. They have helped US businesses - 'saved their ass' - multiple times in the last several years when they discovered attempts to penetrate the business. Source - someone who has worked with NSA in the past in this very area.
It's too easy to lump everything together, painting everything with the same brush. But that limits one's ability to see the real, complicated, picture.
Well, here's why I am a little dubious: we (the hackers) have had pretty good, elaborate reports so far from Symantec about state-sponsored malware that looks like Stuxnet; we know it targeted the European Union. Secondly, there are some interesting factors you can learn all about implants in hardware: those ARM chips are made in Texas and they're not as closed source as you think. The major players buy those secure (misdescribed) tamper-proof chips via a company called INSIDE Secure, who also use MatrixSSL, and whilst the rest of the world is getting pwned with Heartbleed & POODLE, the partners at INSIDE Secure seem to have remained totally Secure. What does come out of these documents so far is that most of the software being attacked belongs to one company, so it kind of gives the impression that we're dealing with a load of script kiddies who don't really understand the finer two points, and those are the following:
1> This is not a WarZone
2> Windows is Rubbish
If any of these so-called cyber-guys were any good at their job, they'd understand that with the right tools and the right application of those tools, with the right kind of advanced skill set, yes, those systems do become impenetrable; that's the whole idea! I'm sure they noticed the malware long ago and these guys in the industry are only just starting to get pissed off. It's supposed to be a security organisation, not the "script kiddies R us and we'll hack everybody" organisation!
"automating data flows across multiple networks, even where data formats and protocols differ"
Maybe they just need the public to help relay the data and make it easier for them to siphon off data from networks? It's more convenient if everybody has the tools already installed ;P
They still haven't quite worked out the finer points of security vs hackers and directory traversal...
Case in point: https://incubator.apache.org/projects/ <~ ahh!
Now every single one of their little secret projects is open source!
Highly insightful to see that most of it is either Apache based, (.((dot))net) based or JavaScript; you have to laugh when you hear about Microsoft wanting to make its (dot) Net open source. Good for them, now who gets the headache of trying to write it all in C#?
Here's a good one: Storm: It is scalable, fault-tolerant, guarantees your data will be processed, and is easy to set up and operate.
1> It's Apache; if it's not running in chroot using mod_security, it shouldn't be hosting pages on the web!
2> It's a JavaScript library - see LibreJS
3> Since when has Apache been fault-tolerant? Shouldn't you be using shttpd!
Oops, no, my bad, I meant sthttpd - the one with no scriptable modules; it's more their speed!
@NSA - stop hosting webpages with Web 2.0 standards applied; they're horrible standards and they very rarely work the way they were intended unless you're a nerdy guru who's going to take the 3 months, 24 hours and 64 minutes to sit there configuring all the options to be bullet proof!
& That's why you pay for an expert to come and set it all up, and don't let someone who's done a few security courses and is under the age of 40 loose on your server!
Good security is a mindset - people shoveling heavily script driven database engines that are all web-facing deserve to end up getting hacked for being so stupid...
Here's something for them all...
It's called a "Dancing Banana!"
http://cdn.videogum.com/files/2011/11/bananagrape5.gif
If you're going to do it, get it right: first you set up your home page with sthttpd in chroot. It runs the same pretty site pictures coded in base64, and sadly there's no links with roll-over special effects - i.e. Java, PHP or other such candy or pop-up advertising! But you can still navigate with HTTP 1.0!
Then, and only then, if your customer has to make a secure payment, you redirect them to your internal NAT Apache page with the submission details for them to log in!
MySQL driven? No... Not unless you've sanitised the statements first!
Javascript Driven.. No .. Absolutely not!
Perl Driven.. No
JSON.. No