Obama allows NSA to exploit 0-days: report

The NSA's denial it knew about or exploited the Heartbleed bug raises an obvious question: does it exploit similar flaws? The answer, according to The New York Times, is yes. Quoting "senior administration officials", the paper says US President Barack Obama considered what the NSA should do if it becomes aware of a …

COMMENTS

This topic is closed for new posts.
  1. sunnyskies

    Wrist, meet slap

    This from the NYT — the paper that could be renamed "Senior Officials Said...".

    Naturally, Obama will say he's doing something for the sake of appearances.

    1. Brenda McViking
      Black Helicopters

      Re: Wrist, meet slap

      Well, you know what they say about security agencies: the only time you're sure they're exploiting something is when they officially deny it.

      1. Ted Treen
        Big Brother

        @Brenda McViking (Re: Wrist, meet slap)

        I never believe ANYTHING until it's been officially denied...

    2. Psyx

      Re: Wrist, meet slap

      Yes, it's all Obama's fault.

      None of the hacking was authorised under Bush at all.

      THANKS OBAMA!

      /sarcasm

  2. Charles Manning

    False feeling of control

    The NSA just asked permission to give Obama the false feeling he was in control.

    They didn't really care what he said, they would do - and continue to do - anything they want to.

    Did NSA ask permission to spy on Merkel? Perhaps. Did he give permission? Perhaps. But at the end of the day it would not really influence what they actually did - just whether they told Obama about it later.

    As far as the NSA is concerned, everyone outside the NSA is the enemy. Likely the NSA spies on Obama too.

    1. Schultz

      Re: False feeling of control

      There is an important line between officially sanctioned and not officially sanctioned acts of the secret service. The spies can get into deep shit if they overstep the boundaries and embarrass their superiors, so they have to be careful what they do and will probably show some restraint.

      The problem is that nowadays anything seems to be sanctioned via some secret court or administrative memo (the memorandum seems to be the modern letter of marque and reprisal). The government handed over the keys to the lunatic bin and tries not to look what is going on.

      1. DropBear

        Re: False feeling of control

        I'd say they pretty much managed to "overstep their boundaries and embarrass their superiors" as thoroughly as conceivably was possible, as of late. So who exactly got into deep shit for that so far...?

      2. bigtimehustler

        Re: False feeling of control

        And how exactly are they going to get caught? Rumours may leak out, but they have the evidence, will never release it and no one can search their offices to see if they really have it. So they never do get caught, they just deny it.

      3. ShadowedOne

        Re: False feeling of control

        "The spies can get into deep shit if they overstep the boundaries and embarrass their superiors, so they have to be careful what they do and will probably show some restraint."

        You can't embarrass the shameless.

      4. Anonymous Coward
        Anonymous Coward

        Re: False feeling of control

        "There is an important line between officially sanctioned and not officially sanctioned acts of the secret service. The spies can get into deep shit if they overstep the boundaries and embarrass their superiors"

        Yeah, they can or kill that spy and put another guy there to do the exact same thing, while the media reports on the guy who got in trouble.

  3. amanfromMars 1 Silver badge

    Taking a Walk on the WWWild Side is not Suited nor Designed for the Intellectually Challenged in ICT

    The Rules of the New Great Game are ...... There be Zero Day Rules and No Knight Regulation. Step into that Astute Foreign Field and Alien Quantum Space of HyperRadioProActive Engagement at urPeril for IT accepts neither Prisoner nor Parasite for Dead Head Future Lead.

    And when spooks are crooks and/or the crooked spooked, are they [booked and cooked] borked and corked and deliberately overlooked to take no further definitive leading prime or sub-prime part in Great IntelAIgent Games Plays ..... AIMOvies .... for that is ITs Advanced IntelAIgent Modus Operandi and C42 Quantum Communication Control Systems Vivendi with Creative CyberSpace Command and Control of Computer Communications and Virtual Machine Firmament Ware ....... which be akin to SMARTR Fare in Essential and Existential Robot Ware.

    1. Anonymous Coward
      Anonymous Coward

      Re: Taking a Walk on the WWWild

      Pardon?

      1. Psyx

        Re: Taking a Walk on the WWWild

        He's always like that.

        It's not supposed to make any sense; merely to drain your sanity away.

      2. All names Taken
        Pint

        Re: Taking a Walk on the WWWild

        Just drink in the beauty or the words - treat it as a poem rather than a definition if that helps.

      3. NumptyScrub

        Re: Taking a Walk on the WWWild

        It's likely a continuation of the time-honoured "if you don't understand, you're obviously not supposed to know" theme. I suspect there are kernels of truth in there, possibly hiding from the Colonels of Truth (@MiniTrue)

        Full disclosure: I have seen more than one completely coherent post from amanfromMars, so I know there is definitely sentience there, despite appearances ;)

        1. Psyx

          "I have seen more than one completely coherent post from amanfromMars"

          Even a stopped clock gives the right time twice a day.

  4. Winkypop Silver badge
    Meh

    Has there ever been a "line"?

    I can't imagine any security (or criminal) organisation deciding to ignore any reasonable exploit.

    In the case of Governments, it's easier to seek forgiveness than ask permission.

    1. Trevor_Pott Gold badge

      Re: Has there ever been a "line"?

      The populace has denied both forgiveness and permission. Now what?

  5. Allan George Dyer
    Black Helicopters

    What are USAans wasting their tax dollars on?

    Isn't this an admission that the NSA is useless? Regardless of whether they think (or you agree) that their most important mission is protecting "friendly" communications or intercepting "enemy" communications, with their funding they should have found this bug. Why didn't they use the old, "neither confirm nor deny" to keep some semblance of competence?

    1. Sir Runcible Spoon

      Re: What are USAans wasting their tax dollars on?

      "neither confirm nor deny"

      or even

      Some people might say that, I couldn't possibly comment.

  6. This post has been deleted by its author

    1. asdf
      Trollface

      Re: No turning back now.

      Most suburban white Americans will make horrible slaves. Fat middle age people can't lift lumber for shit.

      1. Anonymous Coward
        Anonymous Coward

        Re: No turning back now.

        That's why they will get killed. While the remainder of the population will be put in concentration camps to slave away for their hedonistic psychopathic overlords.

  7. Random Q Hacker

    now more than ever

    We need a law that taints evidence gained by the NSA, makes it a felony to misuse it, and makes invalid any domestic case it touches, irrespective of "parallel construction", which itself ought to be a felony.

    In addition, any legislation or law enforcement mentioning terrorism would fall under the same law. If you're getting on a plane and they find a bomb they can stop you. If they find a kilo of marijuana, they give it back and wish you a nice day.

    1. Roo

      Re: now more than ever

      "We need a law that taints evidence gained by the NSA"

      I question your sanity.

      We see enforcement agencies failing to secure prosecutions against rich & powerful folks all the time, we regularly see investigations into the crimes and failings of authorities and corporations derailed through sabotage and wilful malpractice (eg: the pathologist examining the newspaper seller beaten to death by a Policeman on his way home).

      How is a new law going to help if it is going to be enforced by the very same mechanisms that have been shown to fail through wilful self-interest time and time again?

      1. Matt Bryant Silver badge
        FAIL

        Re: Roo Re: now more than ever

        ".....the newspaper seller beaten to death by a Policeman on his way home....." If that typically Roo-esque, half-witted bit of police-bashing was a reference to Ian Tomlinson, not only was he not "beaten to death", but the policeman involved, Simon Harwood, was not only kicked out of the force but also charged with manslaughter. The problem with the prosecution of Harwood was that Tomlinson was a known drunk, already having suffered previous brain-damage from alcohol abuse, and having consumed about twenty units of alcohol that day. His liver was so rotten that any minor fall could have killed him. The third and final post-mortem examination (by two pathologists) agreed with the second, that Tomlinson probably died from internal bleeding when he fell on his right elbow, rupturing his cirrhosis-ridden liver, but that it was impossible to confirm if that fall was the one as a result of Harwood hitting him on the leg. What Harwood did was probably at least assault causing bodily harm, possibly manslaughter, but Harwood didn't "beat him to death" and had no intent to murder Tomlinson. Which was why Harwood was declared "not guilty" by jury trial in 2012. Yes, IMHO, Harwood was an over-aggressive moron and unfit to be a copper, but to paint it as some malicious "beating to death" says more about your willfully-limited reading on the matter and your obvious prejudices against figures of authority.

  8. John Smith 19 Gold badge
    Gimp

    "a clear national security or law enforcement need"

    Or indeed merely "want"

    1. asdf

      Re: "a clear national security or law enforcement need"

      >a clear national security or law enforcement need

      I.e. a pesky senator that is asking too many questions and has a mistress.

  9. Ken Hagan Gold badge

    Missing the point, surely?

    It is no secret that the NSA exists and has a massive budget. Any moral outrage about its activities should either have been consistently expressed for the last few decades or, if only recently felt, should be based on revelations concerning who they target rather than how they do it.

    I don't have a big problem with the NSA using a 0-day to spy on (say) North Korea.

    1. Allan George Dyer

      Re: Missing the point, surely?

      Well, both those have been happening: Some people have been saying for a very long time, "these powers are dangerous to democracy", and, recently, lots of people have been shocked that the targets have included USA citizens and allies.

      However, the problem with 0-days is that, not only do they allow the good guys to spy on the bad guys, they allow the bad guys to spy on the good guys. Of course, there is a lot of context-specific risk balancing. If the NSA find a 0-day in "the most popular encryption software used in North Korea, rarely used outside", then there could be a reasonable argument for keeping it hidden. Or, if the nature of the 0-day makes the NSA confident that it can detect when someone else discovers it, they could plan to reveal it at that time, and use it until then. Heartbleed is the opposite of both of these: the library is used almost everywhere, and it is (virtually?) impossible to tell if someone else discovered and used it.

      Anyone who discovered Heartbleed and kept it hidden deliberately reduced everyone's security.
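The post above turns on the claim that a Heartbleed exploitation cannot be detected after the fact. The one artefact it does leave is on the wire: a heartbeat request whose declared payload length is larger than the record that carries it, which is exactly the condition the OpenSSL fix rejects (payload length + 3 bytes of header + 16 bytes of minimum padding must fit inside the record, per RFC 6520). The following is an added example, not code from the article or from any commenter, of that consistency check run over constructed TLS records. It only applies to heartbeats sent in the clear before the handshake completes (which is how the public proof-of-concept scripts sent them); once the session is encrypted, the payload length field is not visible and you are left with weaker heuristics such as a response record far larger than the request. The record bytes and function names below are the author's own constructions.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER_LEN = 3             # 1 byte type + 2 bytes payload_length
HB_MIN_PADDING = 16           # RFC 6520 section 4: at least 16 bytes of padding


def build_heartbeat_record(hb_type, claimed_len, payload=b"", padding=b"\x00" * 16):
    """Assemble one TLS record carrying a heartbeat message.

    claimed_len is written into the payload_length field as-is, so a caller
    can deliberately lie about it, which is what the Heartbleed request did.
    """
    body = bytes([hb_type]) + struct.pack("!H", claimed_len) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


def check_heartbeat_record(record):
    """Classify one TLS record; returns (verdict, detail).

    'heartbleed-pattern' means the declared payload length cannot fit in the
    record, i.e. a vulnerable peer would copy uninitialised/adjacent memory
    into its response. This mirrors the bounds check the OpenSSL patch added.
    """
    if len(record) < 5:
        return ("short", "record shorter than the 5-byte TLS header")
    ctype, version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HEARTBEAT:
        return ("not-heartbeat", "content type 0x%02x" % ctype)
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return ("truncated", "record length %d but only %d bytes present" % (rec_len, len(body)))
    if rec_len < HB_HEADER_LEN:
        return ("malformed", "heartbeat body shorter than its own header")
    hb_type = body[0]
    (claimed_len,) = struct.unpack("!H", body[1:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return ("malformed", "unknown heartbeat type %d" % hb_type)
    # The fixed OpenSSL code discards the message when
    # 1 + 2 + payload_length + 16 > record length.
    if HB_HEADER_LEN + claimed_len + HB_MIN_PADDING > rec_len:
        return ("heartbleed-pattern",
                "claimed payload %d bytes, record only %d bytes" % (claimed_len, rec_len))
    return ("ok", "claimed payload %d bytes fits in %d-byte record" % (claimed_len, rec_len))


def scan_records(records):
    """Return the verdicts for a list of records, in order."""
    return [check_heartbeat_record(r)[0] for r in records]


# Constructed sample traffic (not captured data):
# a well-formed 4-byte "ping" heartbeat, and the 8-byte request used by the
# public Heartbleed proof of concept: type 1, payload_length 0x4000, no payload.
BENIGN_REQUEST = build_heartbeat_record(HB_REQUEST, 4, b"ping")
HEARTBLEED_REQUEST = bytes.fromhex("18 03 02 00 03 01 40 00")
NOT_HEARTBEAT = bytes.fromhex("16 03 02 00 05 01 00 00 01 00")  # handshake record


if __name__ == "__main__":
    for name, rec in [("benign", BENIGN_REQUEST), ("poc", HEARTBLEED_REQUEST), ("hs", NOT_HEARTBEAT)]:
        print(name, check_heartbeat_record(rec))
```

The practical point matches the comment: this check needs full packet capture of the relevant sessions from before disclosure. A server under a Heartbleed read logs nothing, because the over-read happens inside a routine that handled a syntactically acceptable request, so without such captures nobody can say whether a given server was ever probed.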

  10. Psyx

    It's nearly like the time GCHQ invented public key encryption...

    ... and didn't tell anyone for 20 years.

    But we were all ok with that, at the time.

    1. asdf

      nice try

      There is a huge difference between inventing something new only you use and intentionally gimping or exploiting software everyone else (including the people you are supposed to protect) uses.

    2. Version 1.0 Silver badge

      RE: PKE

      You had to be there at the time - encryption was considered "munitions" and its export and sale were tightly controlled.

      1. asdf

        Re: RE: PKE

        Yeah, the US government tried that too before they realized the rest of the world had figured out public key encryption as well.

  11. Franklin

    You know what would be cool?

    If the Federal government created a large, well-funded organization designed to safeguard the computer and communications infrastructure so vital to the nation's economy, perhaps by discovering flaws in commercially important cryptographic systems and...

    Oh, wait.

    1. asdf

      Re: You know what would be cool?

      But then the macho wannabe warrior private contractor nerds couldn't justify all that pork they get.

      1. asdf

        Re: You know what would be cool?

        Actually this is about pork but not just the contractors. Now the war on terrorism has wound down the warhawks need to find some new sexy way to get pork and pushing the new cool cyberwar threat is a way to do it. It's more in vogue and lucrative to start a new war than to boringly secure our current infrastructure.

  12. FuzzyTheBear

    Annoying ? You bet , but this will hit below the belt.

    With all those 0-days floating around, is it not obvious that the IT security community is just sitting on their hands? Security researchers seem to be totally inadequate in their jobs to protect us. Which brings me to the annoyance... Are security researchers in the bag of the agencies? Certainly looks that way and I am truly suspicious of ANY encryption being in the same backdoored-0-day-on-purpose category to let totalitarian regimes (ex USA) and police states (again USA) crack down on people and attack civil liberties the world around. I do not trust security researchers. Not one dang bit. IMHO they are in the pockets of the security agencies to deliver them the goods to attack us civilians.

  13. The_Idiot

    Coming soon...

    1: The establishment of a new protocol, 'to improve and centralise the ability of the US to respond to threats to public information security' - all discovered exploits and bugs in communications or crypto to be reported to a single government authority. The authority will be solely responsible for relaying them to 'stakeholders' 'as they find appropriate'.

    2: To avoid inciting unnecessary panic and potentially placing US industry at a disadvantage, the protocol is modified so that all such reports are to be made without publicity or other recognition.

    3: To allow a more streamlined and efficient response to such threats, the protocol is modified such that:

    a: It is a criminal offence _not_ to report any discovered exploits or bugs

    b: It is a criminal offence to tell anyone _except_ the central agency

    c: It is a criminal offence to tell anyone that you have submitted a report to the central agency.

    I know. It would never happen. Right? Er.... right?

    1. asdf

      Re: Coming soon...

      Yeah too bad there are plenty of security researchers in the rest of the world not to mention 6+ billion other people not in the US that could give a toss what the US government says.

      1. The_Idiot

        Re: Coming soon...

        And there are other people - Gary McKinnon, Mr K DotCom, arguably Mr Assange, who have experienced, or fear experiencing, how little not being American and not, in theory at least, being subject to US law is actually relevant.

        And in any wise, I didn't actually mean to imply that in some fashion the US would be able to make everyone in the world subject to such a US protocol - but where the goose flies, the gander follows (as my old gran used to say). Are we that far from different governments making vulnerabilities into a 'national security resource'? To be collected, hoarded and never, ever made public under pain of, well, pain?

        Yes. Of course. We are. I mean - we are... right?

  14. asdf

    so very stupid

    One could make a very strong argument that no other country in the world can be harmed as much by zero days as the United States (infrastructure, business, etc). Zero days are almost always a double-edged sword, with it being virtually impossible to know if you are the only one who knows about it and exploiting it (the bad guys will probably figure out if only your country gets the patches). Therefore you would think if the NSA truly cared about protecting Americans they would be more defensive than offensive. Seems pretty obvious that defending the US public is not their number one priority.

  15. Gray
    Devil

    Take it seriously?

    "... it is hard to know if his policies to curb the NSA's excesses can be taken seriously."

    Ummmm ... no. Not hard to know at all.

    (Clue for the clueless: watch what they do, not what they say)

  16. Anonymous Coward
    Thumb Down

    Once again, we REALLY need to move U.S. Cybersecurity Command out of the NSA

    The NSA has already proven that the historical "collect everything" bias is going to trump their newer responsibility to "protect everything". It's dangerous to the U.S., the tech industry in general and the other 6.7 billion people on this rock.

  17. Frank N. Stein

    The NSA is good at exploiting network and device vulnerabilities. And Obama is good at empty words and promises.

  18. Levente Szileszky

    I'm still amazed by the fact...

    ...that this bunch of arrogantly smiling lying PoC paper-pushers eg Gen Alexander and his ilk are STILL THERE - just what is it they use to blackmail Obama et al. that allows them to repeatedly LIE to Congress and STILL keep their jobs, with that arrogant smile on their faces, instead of being prosecuted and tried...?
