Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Government

NSA Worried About Implications of Leaked Toolkits (businessinsider.com) 272

Reader wierd_w writes: According to Business Insider, the NSA is worried about the possible scope of information leaked from the agency, after a group calling themselves the 'Shadow Brokers' absconded with a sizable trove of penetration tools and technical exploits, which it plans to sell on the black market. Among the concerns are worries that active operations may have been exposed. Business insider quotes an undisclosed source as stating the possibility of the loss of such security and stealth (eg privacy) has had chilling effects for the agency, as they attempt to determine the fullness and scope of the leak.
(Does anyone besides me feel a little tickled about the irony of the NSA complaining about chilling effects of possibly being monitored?)

This discussion has been archived. No new comments can be posted.

NSA Worried About Implications of Leaked Toolkits

Comments Filter:
  • I still think (Score:3, Insightful)

    by Big Hairy Ian ( 1155547 ) on Wednesday August 17, 2016 @09:42AM (#52719229)
    It's a trap
    • by mwvdlee ( 775178 )

      I'm still waiting for the NSA to put out a press release stating "this is for realsies, if you buy this you can spy on us and we can't do anything about it, pinky swear".

      • "This is not a joking matter. You're ALL on a list, now!
        Oh, damn!
        I'm on the bloody list now, too."

      • Re:I still think (Score:5, Insightful)

        by rainmouse ( 1784278 ) on Wednesday August 17, 2016 @10:35AM (#52719579)

        ...if you buy this you can spy on us and we can't do anything about it, pinky swear".

        So they were sitting on a pile of zero day exploits and rather than making the internet a safer place they kept them for personal use.
        I will laugh myself sick if it turns out they were breached by one of the very zero day exploits they decided not to report to the product owner for fixing.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          I don't know...in the series of tweets that Snowden made on the topic, I (believe) he implied that it was more likely someone had access to a secure facility, threw a bunch of files that should have been secured onto a USB thumbdrive and walked right back out. Nothing so dramatic as a zero-day exploit, it almost sounds as if they (amazingly) haven't learned anything from Snowden's example at all...

          I'm not sure what worries me more, the fact that these people are conducting surveillance on a global scale, or

  • by HumanWiki ( 4493803 ) on Wednesday August 17, 2016 @09:42AM (#52719237)

    Welcome to how the rest of society feels.

    • No worries. If the NSA wasn't doing anything wrong they've nothing to hide.
  • that's just code
  • Good work guys! (Score:5, Insightful)

    by fuzzyfuzzyfungus ( 1223518 ) on Wednesday August 17, 2016 @09:45AM (#52719261) Journal
    Now, if you had just disclosed those vulnerabilities they could probably have been fixed by now. Instead, you failed at keeping them a secret and unknown unsavory parties have a handy trove of exploits ready to be used. I'm not sure that this is what "National Security" looks like, and that's kind of your job.
    • Hell, they probably got exploited by exploits they hoarded and were discovered independently.
      • Re:Good work guys! (Score:5, Insightful)

        by Anonymous Coward on Wednesday August 17, 2016 @10:01AM (#52719391)

        Hell, they probably got exploited by exploits they hoarded and were discovered independently.

        But hey, remember folks, everything should have a Government-approved back door in it which only the Government can use, just in case they need access. It'll absolutely be secure...

      • by CODiNE ( 27417 )

        One hopes they would patch local binaries for exploits they've discovered.

        • by MobyDisk ( 75490 )

          I spoke with someone who works for the NSA, about this very topic. It is kinda complicated. Suppose an employee develops an exploit for some OS. The IT department for their network isn't authorized to know that. The NSA probably doesn't have the source code to the OS anyway to patch it. In some cases, they can tell the IT people "Disable feature XYZ on your web server, and don't ask me why." That's a bit dicey already. But what about a buffer overflow or something like that? What if they find a hole

    • by AmiMoJo ( 196126 )

      The latest date on the files is 2003. Could be that whoever release them only released older files, or could be that was when they lost access (it was a few weeks after the Guardian posted the first Snowden leak based stories).

      So if there is anything unpatched in there, it's been aiding the enemy for at over three years now.

    • Now, if you had just disclosed those vulnerabilities they could probably have been fixed by now. Instead, you failed at keeping them a secret and unknown unsavory parties have a handy trove of exploits ready to be used. I'm not sure that this is what "National Security" looks like, and that's kind of your job.

      How much longer are people going to believe that foreign is bad, homegrown is good ?

      Think about their actions when evaluating them, not their ancestry.

  • by vityok ( 1040682 ) on Wednesday August 17, 2016 @09:52AM (#52719307)

    I don't really see anything funny or positive in the fact that one of your main intelligence services is under attack by a hostile power. And this attack is not clandestine, hidden from unwanted eyes, but it is made in public, so as to call NSA bluff and expose your country as a paper tiger.

    And this all is compounded by a poorly hidden active measures campaign to benefit one candidate and to destroy another.

    I believe that neither Schadenfreude nor sarcastic gleeing over a major f@ck up at the NSA are appropriate in this case, because want it or not, admit it or not, but your country is under attack by a powerful, sophisticated adversary. And it aint good. at all.

    • On the contrary, I think this may be a positive development. Back in the cold war, neither side could use their nuclear weapons since they knew the other would instantly retaliate (Mutually Assured Destruction). It appears we've now reached that phase in the infowar. Both sides know what each other is up to, but they know if they reveal what the other is doing, their own shenanigans will be exposed.
      • by PPH ( 736903 ) on Wednesday August 17, 2016 @10:24AM (#52719523)

        But Shadow Brokers isn't an agent of a nation with a lot to lose like the NSA is. MAD only works if both sides have a lot to lose. Neither will want to start a war. This is like a major power versus a crazy guy who just happens to have a nuke in his tool shed.

        I'm not arguing for major powers alone possessing such tools. Unlike nukes, these can be built by poorly funded but highly educated groups. The NSA should have prioritized its mission to ensure that we (gov't and private entities alike) would have adequate defenses above deploying this stuff.

        • But Shadow Brokers isn't an agent of a nation with a lot to lose like the NSA is.

          Read this. [businessinsider.com] Shadow Brokers ARE the Russians. A lone, non-state-sponsored hacker did NOT break into an NSA server and then keep it secret for over three years.

          • by PPH ( 736903 )

            Shadow Brokers ARE the Russians

            Are an arm of the Russian government? A Russian contractor that works for the FSB on occasion? Or just a group that happens to be operating from within Russia.

            I have a hard time believing that a government espionage agency would turn around and sell goods that it stole on the black market. Shadow Brokers may have intended to sell this stuff to the gov't, been turned down and now are seeking to unload this stuff for cash just to get some ROI. The fact that Snowden (a guest of the Russians) felt comfortable

            • Maybe they're just selling the outdated crap and keeping the good stuff for themselves.
              • by PPH ( 736903 )

                An intelligence service won't tip their hand by revealing that they possess even the garbage. Because their counterpart would work backwards, figure out what good stuff they might have, which is now compromised, and plug those security holes.

    • I believe that neither Schadenfreude nor sarcastic gleeing over a major f@ck up at the NSA are appropriate in this case, because want it or not, admit it or not, but your country is under attack by a powerful, sophisticated adversary.

      A foreign, or domestic adversary?

    • by Anonymous Coward on Wednesday August 17, 2016 @10:35AM (#52719573)

      Positive is a whole other thing, but really, you don't see it as funny?

      First, the NSA was doing something obviously-stupid on the face of it. Before a single American tax dollar was spent on developing this malware (or spent on intimidating the software industry into keeping our software and protocols insecure), any reasonably-competent "computer dude" knew that America itself was most likely to end up being the victim. (Of course, we spent the money anyway.)

      It's just another example of how we go to so much trouble to shoot ourselves in the foot, and every time we do it, we take away the lesson that we need a bigger gun. Sorry, but this is really is a true-life example of a joke that gets funnier the more times you tell it. Your grandkids are going to think this is hysterical, not merely funny.

      You say it's a foreign power doing this, and technically you're right. But they are robotically doing it, just as predicted. Ultimately, America made the choice for this to happen. This foreign power is (figuratively) our own proxy. The minimax solution path that we chose, included this move within it. We rejected solutions which did not include foreign powers taking advantage of the malware that we created. We rejected solutions where we ran decent OSes which weren't compatibile with malware, where encryption keys are exchanged directly whenever they can, and where public keys are introduced by trustworthy introducers. We want a world of malware, and our choices prove this.

      Second, there might be something you don't understand about America: we don't exactly think of our government as part of our country. (It's complicated.) If you attack our government, I think about 5 out of 10 Americans is ok with that. Our government is just another country, with whom we're sometimes adversaries and sometimes allied, but never ever loved or respected. The NSA isn't our security service; it's someone else's.

    • by Anonymous Coward on Wednesday August 17, 2016 @10:43AM (#52719629)

      ...your country is under attack...

      It stopped being "my" country when it started keeping secrets in order to aggregate power. "My" country is run by the people, for the people, and of the people.

      • by Plugh ( 27537 ) on Wednesday August 17, 2016 @11:55AM (#52720077) Homepage

        It stopped being "my" country when it started keeping secrets in order to aggregate power. "My" country is run by the people, for the people, and of the people.

        Many of us feel the same way, and are concentrating our efforts in one small geographic distribution. We've elected dozens into the State legislature and many more municipally across the state. Maybe you should vote with your feet. Free State Project [freestateproject.org]

    • Foreign countries are always trying to hack infrastructure. What's new

    • by AmiMoJo ( 196126 ) on Wednesday August 17, 2016 @11:05AM (#52719797) Homepage Journal

      I think most of us had assumed it was happening already. If Snowden could get in and pilfer so much material, an well resourced and skilled adversary such as China or Russia certainly could too. This is merely confirmation.

      Some good may come of it. We will patch some vulnerabilities, add some new malware detection signatures. We will see some of their techniques and learn to defend against them. And it should put some pressure on the government to reign them in a bit.

    • by StormReaver ( 59959 ) on Wednesday August 17, 2016 @11:48AM (#52720029)

      I don't really see anything funny or positive in the fact that one of your main intelligence services is under attack by a hostile power.

      Then you're not looking very hard. This is the best possible event for the defense of online freedom, for our Government has just proven that the world's most advanced security agency can't defend against online intrusion. It is the most powerful argument for unfettered end-to-end encryption that we could have possibly hoped for.

      If it is hopeless for the NSA to secure unencrypted data, then it is also hopeless for everyone else to do the same. Therefore, powerful encryption is not only wise, it is necessary. All those Congress-critters and Government agencies calling for back doors, golden keys, and weakened encryption algorithms are actively aiding and abetting terrorists, child pornographers, pedophiles, and enemy governments.

      This is the smoking gun that proves the essentialness of strong end-to-end encryption.

    • by Gravis Zero ( 934156 ) on Wednesday August 17, 2016 @12:16PM (#52720211)

      I don't really see anything funny or positive in the fact that one of your main intelligence services is under attack by a hostile power. And this attack is not clandestine, hidden from unwanted eyes, but it is made in public,

      it's not the NSA that is under attack, it's the entire world. when you create an exploit, you create a weapon but when you submit a fix, you make that weapon ineffective. so now instead of have the world's best armor, we have an absurd cache of weapons and those weapons have been stolen. the moral isn't to protect your weapons better, it's that you should be making better armor.

    • by sjames ( 1099 )

      The NSA struck the colors years ago. They ARE the powerful and sophisticated adversary that has been attacking the United States. And they've been making us pay for it.

    • The organization previously used these exploits against Americans.
      Now another organization is using them against Americans.
      It's way past time for both of these to change.
  • They don't know, either.

    Welcome to our world, newbie.

  • You win some, you lose some. You cook with fire long enough and you're bound to get burnt eventually.
  • Duh? (Score:4, Insightful)

    by Anonymous Coward on Wednesday August 17, 2016 @10:01AM (#52719389)

    The essense of malware is that you offer software to someone else, in hopes that they run it. It's impossible to not realize that when you offer someone this software, not only might they run it to hurt themselves, but they might also offer it to others (maybe back to your own allies), to hurt them. Malware isn't something you can ever "keep" if you intend to use it against others.

    It kind of reminds me of biological weapons. You gave the enemy Anthrax? Great, now your enemy has Anthrax. You'll be seeing that exact same strain of Anthrax again.

  • by ITRambo ( 1467509 ) on Wednesday August 17, 2016 @10:17AM (#52719491)
    The stolen hacks will be used by adversarial governments and criminals to silently move onto almost anyone's computer. Thanks NSA, for the upcoming super-malware.
  • Still not conviced (Score:4, Interesting)

    by Mysticalfruit ( 533341 ) on Wednesday August 17, 2016 @10:21AM (#52719501) Homepage Journal
    I'm still not convinced this isn't some sort of odd false flag operation.

    Imagine you're the NSA and you've been unable to get inside of some other countries likely air gapped cyber security operation... putting some juicy tools out there they're likely to snatch up and play with at least get you to see who the players are and maybe these tools work maybe they blow up... As for the vulnerabilities, with so many people playing this game, any vulnerability not found by the NSA is likely to be found by some other organization.

    Even the vulnerabilities could be snares... I'm suspect of all of this and think it's just part of a big ruse.
    • by AHuxley ( 892839 )
      Thats an interesting aspect. The issue with that is its a one time digital trick most nations really want to save up for use on a person, site, group, cult, faith, journalist before they can ever think to tell or even know what to share with the worlds computer experts or their lawyers.
      Bespoke code fragments for each mission get lost in logs, as apps, ads, malware, random bots.
      Risking MI6, SAS, Australian, Canadian, CIA teams globally to track down users and clean up after downloaded files could invok
    • I'm still not convinced this isn't some sort of odd false flag operation.

      Imagine you're the NSA and you've been unable to get inside of some other countries likely air gapped cyber security operation... putting some juicy tools out there they're likely to snatch up and play with at least get you to see who the players are and maybe these tools work maybe they blow up... As for the vulnerabilities, with so many people playing this game, any vulnerability not found by the NSA is likely to be found by some other organization.

      Even the vulnerabilities could be snares... I'm suspect of all of this and think it's just part of a big ruse.

      MEMO

      To: Equation Group
      From: General Keith B. Alexander
      CC: Not China; Definitely not Russia
      Subject: OPERATION INCOMPETANCE -- TOP SECRET

      Since your nerdy version of what I'm pretty sure is some kind of witchcraft has failed to breach the enemy's 'cyber security operation', I've come up with a plan of my own. We simply need to make our entire agency look wildly inept with regard to what is supposed to be our core specialty by publicly posting years worth of your teams research to a public github account, clai

  • by Indy1 ( 99447 ) on Wednesday August 17, 2016 @10:25AM (#52719529)

    Its no longer just fed.gov you're trying to defend against, its all the script kiddies now running around with fed.gov's latest and greatest exploit toys.

  • Tojan detected! (Score:5, Insightful)

    by hoggoth ( 414195 ) on Wednesday August 17, 2016 @10:44AM (#52719631) Journal

    The NSA is a riddle, wrapped in a mystery, inside an enigma. This whole things smells fishy. "bad actors" will buy this software on the black market, use it to spy on other people all the while the NSA actually gets to watch everything over their shoulders: backdoors into the networks of those that installed it, side-channel copies of all the surveillance etc.

    Installing stolen NSA software obtained on the black market would be as smart as installing that cool new game downloaded from a warez folder found on a porn site.

  • by GrandCow ( 229565 ) on Wednesday August 17, 2016 @10:56AM (#52719725)

    "No, we swear the tool won't ever get out to the public! We 100% guarantee it!"

    6 months later: "well... shit"

  • Precisely Why... (Score:5, Insightful)

    by Ramley ( 1168049 ) on Wednesday August 17, 2016 @11:07AM (#52719815)
    This is precisely why:

    - Apple didn't want to release a tool to unlock iPhones.
    - Back doors should never, ever, ever be required for any type of device.
    - Encryption keys should never, ever, ever be given/managed by any government agency.
    - Etc., etc., etc.

    When will the masses wake up and realize that a large, controlling government will never be a good thing for freedom?
    Ramley-out! :-)
  • by TigerPlish ( 174064 ) on Wednesday August 17, 2016 @11:27AM (#52719913)

    I'm not concerned at all about these tools being used to penetrate Joe Sixpack's computer.

    I am, however, tickled pink that these tools will be used against the tools of the Government and Commerce.

    Yes, you tools! Let's see what happens when your sordid affairs, your innermost secrets and every repulsive, nauseating detail of your rape of America for the past half century are revealed!

    In other words, Commerce and Government, fuck you with a splintered phonepole. I hope it hurts every bit as bad as what you've done to this country.

    (Provided this toolkit is as powerful as claimed, and its leak isn't some False Flag operation.)

  • Wait, so an agency that hacks/exploits into others people's devices and data traffic with complete disregard for due process doesn't like it when it happens to them? Say it ain't so Tommy!!
  • Looks like they got a taste of their own medicine and they don't like it a bit, just like us.

  • Is that the NSA of all people knowing how vulnerable systems can be and then failing to seriously protect their own.
  • by nehumanuscrede ( 624750 ) on Wednesday August 17, 2016 @12:37PM (#52720365)

    and damned if you don't.

    IF this whole thing has any truth to it at all, the NSA has a serious dilemma.

    In one hand, they have a bunch of tools complete with unpublished exploits now in the hands of the masses. ( oh noes ! )
    In the other, they have a desire to keep their tools and unpublished exploits their dirty little secret so they can continue to spy on folks the easy way.

    As the NSA, do you:

    1) Keep your mouth shut and hope those exploits aren't used against unintended targets ( us ) in order to keep your push-button spy operation working
    2) Inform the vendors of the exploits their tools are designed to utilize so they can get patched at the cost of losing all the work put into the tools so far

    *My guess is they'll go with #1 and just blame this weeks boogey-man. ( Iran, China, Russia, Terrorists, Islam, Trump, Hillary, whatever )

    This quote fits rather well: " Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should. -Ian "

  • by ThatsNotPudding ( 1045640 ) on Wednesday August 17, 2016 @12:38PM (#52720375)
    Now that their jewels have been stolen, will they still remain so arrogant to NOT release all these vulnerabilities so they can be patched? Or will their ego allow thieves to make huge bank off their wounded pride, with the entire first world laid low by the devastation? Also, cue the right-wing to blame all of this on Snowden instead of the proper source.

    Lastly, if the POTUS does not publicly demand the resignation of the senior management of this TLA, our suspicions will be confirmed: the NSA now answers to no one.
  • by ZeroWaiteState ( 3804969 ) on Wednesday August 17, 2016 @01:06PM (#52720557)
    The vulnerability equities process, where lawyers decide whether to disclose to US citizens a vulnerability or keep it to themselves, seems pointless if NSA tools are going to leak to the black market anyway. This is yet another reason why the government cannot be trusted with defensive security measures, they are too conflicted about actually doing it.
  • An important thing to note about NSA operations - they intentionally do not keep access logs. They do not allow for auditing tools or any other such nonsense. Claiming that such infrastructure will endanger security of operations. Now, they will try to figure out what/who/where. Good thing they know when: 3 years ago.
  • When Apple said that if it made a special version of IOS that would bypass all the security features , that eventually it would be hacked which is why they would not do it, I guess they were right.
  • by GuB-42 ( 2483988 ) on Wednesday August 17, 2016 @02:29PM (#52721183)

    Snowden's leaks showed us the real problem with the NSA and the story continues.

    You see, I don't think the problem with the NSA is all the the spying and data collection they do. After all they are an intelligence agency, spying is their job. Or actually half their job. The second half of their job is keeping secrets. And this is where they fail.
    Just look at what Snowden, a simple subcontractor without external help managed to do. And now they leak their toolkits to random blackhat groups. No imagine what a big nation like China or Russia can do... that's scary.

    I like the idea of "don't attribute to malice what you can attribute to stupidity". And right now, I think the NSA is stupid.
    They are bloated, eating more data than they can chew. They seem to prioritize projects that gets them large budgets and jobs for their friends rather that doing actual security. Building massive datacenters to process massive amount of useless data, sure, that's big, that's important. Putting millions of people on "watch lists", sure, it will keep people busy. Implementing sensible security policies to actually keep secrets secret, boring.

  • If you have a backdoor, a key, or some other way to get into other peoples computers/device/files, then no matter how hard you try to keep it secret, it will eventually leak and become common knowledge, and be abused. (Assuming the original owner/discoverer wasn't already abusing it as well.)

    This is why no security developer in the world that's worth even one molecule of salt will ever allow a backdoor or master key.

    And hey, these guys now have a chunk of the NSA trove of nasty tricks, so even going blackma
  • The Shadow Brokers github repo was taken down but not before it was mirrored :)

    https://github.com/nneonneo/eqgrp-free-file [github.com]

    Everything (that was made available in the sample tarball) is inside the Firewall folder.
    Most of the human readable stuff is in Firewall/OPS and Firewall/SCRIPTS.

    From the very little scanning I did, it seems most of the stuff is meant to attack Cisco PIX [wikipedia.org] and Cisco ASA [cisco.com] firewalls/routers.

    There are quite a few scripts for preparing/setting up an ops terminal from which an antag

Never test for an error condition you don't know how to handle. -- Steinbach

Working...