Tuesday, August 30, 2016

Guest Post: "The NSA Was Hacked", or Only Idiots Need "Security" by Friendly Rich

This guest post is rather timely, seeing as how the new American college semester has begun and a million new laptops and tablets are in circulation.
 
"The NSA Was Hacked", or Only Idiots Need "Security"

by Friendly Rich


Someone I know recently sent these links on various mailing lists, and they deserve some outside comment:

> https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-documents-confirm/
> http://www.theregister.co.uk/2016/08/19/snowden_docs_shadow_brokers_nsa_exploits/

Not mentioned in the articles, but visible in the main FOXACID document: this stuff is almost exclusively aimed at Microsoft Windows. The basis is a set of tools to break into Internet Explorer via Javascript/XML malware. Just disabling Javascript on a browser, or using Firefox with NoScript, will probably stop FOXACID exploits. The NSA does have exploits for Linux, Solaris and Free-BSD, and so presumably OSX as well, but other OSes aren't mentioned anywhere in this set of documents. The NSA uses Linux heavily for internal systems, especially Red Hat/Fedora and their own SELinux, so I assume they have break-in methods for various versions of Linux. But I will bet you it is more difficult than cracking a Windows machine.

Evidently most of the NSA's "secret methods" depend on the idiocy of browser users, just like any common hacker malware. The "CNO Course" document talks about handing out infected flash drives to random people and leaving them in internet cafes. Really? That's what the mighty Uncle Sam uses to crack PCs? Obviously it works. Because there are idiots in every organization.

The FOXACID server runs Windows Server 2003. Which is just hilarious. Ten years behind the times. And they get MIT to load the software on the servers before deployment. Why? Do they not trust their own employees and customers? They even have bogus SSL certificates. Hey, isn't that illegal in some places? Not that anyone seems to care.

All of this shit was originally aimed at breaking into PCs in Afghanistan and Pakistan. The Pakistani government's Green Line network was explicitly mentioned as a major target. So where's the diplomatic complaint? And the CNO Course shows a BLINDDATE PC using a wireless packet-injection exploit while driving around....Kabul. Again, it depends on web browser weaknesses to install malware on a PC. Field personnel aren't expected to know how to write malware nor understand how all the tools they use actually work. This is a classic case of idiots hacking other idiots.

It's an old "joke" and rumor: Microsoft has grown to such size and arrogance because Bill Gates cheerfully negotiated "special deals" with the US government back in the late 1980s. And they've gotten closer and closer since then. The NSA, CIA and Microsoft's operating-system division routinely exchange developers and knowledge. This is supposedly why the 1997 attempt to prosecute MS for breaking antitrust laws failed so massively.

Their "Shared Source Initiative" in 2001 was an attempt to calm their big corporate users, and I'm not sure it really helped much. Googling gets plenty of Microsoft press releases and very little honest discussion of the SSI. "Shared source" is Microsoft official jargon; nothing is "shared". Accessing the source code is very costly, there are numerous restrictions, and extremely harsh nondisclosure agreements are demanded of anyone allowed into the SSI.

But bring any of this up in mixed company and IT "professionals" will accuse you of being a conspiracy freak. Even though the signs have been visible for many years online.

https://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data

http://falkvinge.net/2013/11/17/nsa-asked-linus-torvalds-to-install-backdoors-into-gnulinux/

http://www.eteknix.com/nsa-has-code-running-in-the-linux-kernel-and-android/

This Gates interview from 2014 is notable. He ever-so-delicately tiptoes around the issue of surveillance and security. But does manage to splutter about Ed Snowden being a "criminal". An interview that communicates very little otherwise.

"Even so, do you think it's better now that we know what we know about government surveillance?"
"The government has such ability to do these things. There has to be a debate. But the specific techniques they use become unavailable if they're discussed in detail. So the debate needs to be about the general notion of under what circumstances should they be allowed to do things." LOLWUT?

And here's a 2004 article about Windows vs. Linux security. Despite being 12 years old, I've never seen any indications that the general situation has changed much. PC operating systems became more-or-less "stable" a long time ago and any updates tend to include new hardware support, new multimedia formats, and other improvements outside the kernel.

This is the glorious state of the glorious software world today. It's all badly designed, insecure, and sooner-or-later compromised by our wonderful government. Because there is so little real choice in the way of modern operating systems for PCs today, the NSA spooks have a variety of ways to break into machines. Evidently they don't even need "sneaky back doors" any longer. If you don't want anyone to sort through your hard drive, either don't connect your machine to the internet, or use a VPN exclusively; and don't do stupid things with a browser. Think before clicking on things.

No comments:

Post a Comment