Wow, another NSA leak: Network security code appears on GitHub

The NSA today revealed it has uploaded source code to GitHub to help IT admins lock down their networks of Linux machines. The open-source software is called the System Integrity Management Platform (SIMP). It is designed to make sure networks comply with US Department of Defense security standards, but the spy agency says it …

  1. elDog

    Please, be the first to take advantage of this fine product

    What's not to like about a gov't funded product that gets full control of your system?

    If they were even worth the purported 1BN$/month per the article, they should have already installed it, run it without you detecting, and sent the reports to the appropriate places.

    1. Anonymous Coward
      Terminator

      Re: Please, be the first to take advantage of this fine product

      You make it sound as if SIMP is akin to SkyNet!! I for one can assure you that SkyNet is much more user-friendly :)

    2. Matt Bryant Silver badge
      FAIL

      Re: elDog Re: Please, be the first to take advantage of this fine product

      "What's not to like about a gov't funded product that gets full control of your system?...." It's now open source code, anyone can review it. Well apart from those too blinded by the foil wrapped round their heads, it seems.

      1. Fatman
        Joke

        Re: elDog Please, be the first to take advantage of this fine product

        Well apart from those too blinded by the foil wrapped round their heads, it seems.

        Well, you can wrap your house, like this guy did:

        http://wfla.com/2015/07/09/foiled-tarpon-springs-house-no-longer-an-art-project/

    3. NoneSuch Silver badge
      Thumb Down

      This isn't SkyNet

      You'd have a chance with SkyNet.

      The USA has no business dictating computer and security policy to anyone when it can't even protect itself.

      I would love the recent 21 million record data theft to be traced back to an NSA introduced weakness in the Ethernet, SSL, or crypto protocols. Karma, what a concept.

  2. Anonymous Coward
    Anonymous Coward

    Is it just me?

    //The NSA today revealed it has uploaded source code to GitHub to help IT admins lock down their networks of Linux machines.//

    //To use the software, you'll need to be running Red Hat Enterprise Linux 6.6 or 7.1, or the same versions of CentOS.//

    Are Red Hat Enterprise Linux 6.6 and 7.1 compromised?

    1. Robert Helpmann??
      Childcatcher

      Re: Is it just me?

      Are Red Hat Enterprise Linux 6.6 and 7.1 compromised?

      I would guess those two versions are listed because they are what are authorized for use on DoD networks. As the article pointed out, the tool was developed for in-house use so it would surprise me if there were another Linux version given.

  3. Bob Dole (tm)

    NSA?

    >>The NSA today revealed it has uploaded source code to GitHub to help IT admins lock down their networks of Linux machines.

    The NSA, as well as the other US TLA's, have lost all public trust at this point. Install at your own risk.

    1. Anonymous Coward
      Linux

      Re: NSA?

      "Install at your own risk."

      I wear far more tin foil than you are ever likely to see in your lifetime but I am reading the source code at the moment as a background task and so far it looks fine. Unfortunately I can't do that for many systems that I have to hold my nose whilst managing them.

      Have a look at their GitHub page. There are some pretty good docs on there and I am grateful to the US taxpayer for funding eg this:

      https://www.nsa.gov/ia/_files/app/Spotting \

      _the_Adversary_with_Windows_Event_Log_Monitoring.pdf

      I'll take good advice wherever I find it.

      1. Paul Crawford Silver badge

        Re: NSA?

        GCHQ also provide guidance for securing systems. It is OK and you can sleep safe, they are not a TLA :) See here, but of course read and understand first:

        https://www.gov.uk/government/collections/end-user-devices-security-guidance

        1. Nifty Silver badge

          Re: NSA?

          Unable to connect to that link from work. Is it NSFW?

          ( https://www.nsa.gov/ia/_files/app/Spotting \_the_Adversary_with_Windows_Event_Log_Monitoring.pdf )

          1. Anonymous Coward
            Anonymous Coward

            Re: NSA?

            This one works for me:

            https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf

            Be careful putting it back together. Seems el Reg likes to wrap it to a second line.

  4. Mark 85

    They uploaded it, therefore not a leak...

    Open source... some of us are reading it. My only concern is are there holes that even NSA doesn't know about? If it's so damn secure, why are other governmental departments running it... like OPM for example?

    NSA has a seriously tarnished image and it would help if the code does what it says on the label with no surprises. It'll be interesting to see what those with the expertise see in the code. It might be a good thing.

    1. Anonymous Coward
      Anonymous Coward

      Re: They uploaded it, therefore not a leak...

      If it's so damn secure, why are other governmental departments running it... like OPM for example?

      Apples and oranges. The key challenge for US government security is the amount of fragmentation and power plays that undermine any attempt at coherence. There isn't a single party that is neutral enough to prescribe to the others what needs to happen and have a hope in hell of the advice being listened to, let alone being followed.

      This is not the first time the NSA has brought some code into the public that was worth looking at, and they know full well that it will be taken to pieces before anyone will deploy it.

      1. Anonymous Coward
        Anonymous Coward

        Re: They uploaded it, therefore not a leak...

        Agreed, to a point. For a billion USD per month, one should expect decent code. A sea change that indicates TLAs are truly more interested in exposing and countering vulnerabilities (as opposed to hoarding and exploiting them) in pursuit of the public interest would be very welcome. A more secure internet world is in everyone's interest, even cold warrior dinosaurs. Self interested bottom feeders need to be removed from the process.

        But I wear tinfoil too, and fear that this could just be another highly motivated PR and damage control exercise. It will be some time before the general public ever feels relaxed about code that was "good enough for government work" again. On the other hand, if gov/sec/intel starts playing by the same rules as the rest of the internet, there may be hope.

        So bring on the open source eyeballs, check it out, and trust n0one.

        I don't.

    2. Anonymous Coward
      Anonymous Coward

      Re: They uploaded it, therefore not a leak...

      You may be onto something, @Mark85 - sounds like a PR gimmick. A token gesture of goodwill, nothing more.

  5. Will Godfrey Silver badge
    Unhappy

    Trojans?

    Not too keen on horses these days.

    1. tony2heads
      Joke

      Re: Trojans?

      No, and they keep the prophylactics on

    2. Anonymous Coward
      Anonymous Coward

      Re: Trojans?

      Not too keen on horses these days.

      Well, at least they stopped putting them in the lasagna so there is *some* progress..

  6. Anonymous Coward
    Anonymous Coward

    Security

    It is designed to make sure networks comply with US Department of Defense security standards,

    So using it on a secure network downgrades that network to the cheese cloth security of the US DoD - no thanks.

    1. Captain DaFt

      Re: Security

      "It is designed to make sure networks comply with US Department of Defense security standards,"

      "So using it on a secure network downgrades that network to the cheese cloth security of the US DoD"

      Seems like it would be easy enough to do yourself, without their help:

      Set username: admin

      Set password: password

      There. Fully as secure as most government networks seem to be.

  7. Koconnor100

    " US Department of Defense security standards"

    Would that be the standard NSA deliberately gutted?

    Please ... enough is enough. Quit pushing broken software on us. You're totally non-trustworthy, you've been caught lying time and time again, quit embarrassing yourself.

  8. JJKing

    When I first read it I wondered if there were a couple of lines of code that could be hooked into other lines of code from their other "updates" that when joined together make a nice NSA owned backdoor. I wonder at times if I am wearing too much tinfoil or not enough. The neck brace helps with the load at the moment.

  9. Destroy All Monsters Silver badge
    Holmes

    Well, actually....

    ....this seems to be in the tradition of "SELinux" issued from "Project Flask". So there is some continuity.

  10. Spaceman Spiff

    NSA. Doesn't that stand for Naturally Stupid Assholes?

    1. Matt Bryant Silver badge
      FAIL

      Re: Spaceman Spiff

      "....Naturally Stupid Assholes?" If you had bothered to read up on the matter, you might have known that the NSA employs more Maths grads than NASA. Definitely Not Stupid Assholes it would seem.

      1. Fatman

        Re: Spaceman Spiff

        I think he was taking a jab at the upper reaches of the NSA, not its foot soldiers.

  11. DerekCurrie
    Devil

    Wait. What? Use security code from the NSA? No way!

    Don't we learn from the past? The NSA has deliberately and consistently dumped compromised and back-doored code on its victims. We want more of the same? I don't think so.

    Report: NSA paid RSA to make flawed crypto algorithm the default

    The NSA apparently paid RSA $10M to use Dual EC random number generator.

    http://arstechnica.com/security/2013/12/report-nsa-paid-rsa-to-make-flawed-crypto-algorithm-the-default/

    How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last

    "Equation Group" ran the most advanced hacking operation ever uncovered.

    http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

  12. connermac725

    It's a honeypot

    Use at your own risk
