Hey, NSA! Here's $300,000, all of you go on a long holiday
and take your time coming back.
The NSA is funding development of an architecture for a "safer" Internet of Things (IoT), in the hope of incorporating better security at a product's design phase. The controversial US intelligence agency is bestowing a $299,000, one-year grant to the University of Alabama in Huntsville (UAH) for a project that aims to build a …
"a lightweight virtualisation architecture"
i.e. so we can put our traffic sniffer in the hypervisor, and the running OS and applications will be completely unaware of it and unable to detect it.
Applicants must demonstrate putting code into the boot rom so that the hypervisor patches are reinstalled even on complete device wipe.
I'm trying to understand the schizophrenic nature of the NSA.
On the one hand they want access to literally everything on the planet. On the other they do things like this.
Makes me wonder exactly why the UAH received the funding. Is it because the NSA has little to no confidence that the people at UAH will accomplish anything but want to be seen as trying to help secure the world? Or is it because they honestly do want things to be more secure?
Barring any evidence to the contrary the NSA's stated goal is Total Information Awareness. Helping create secure devices is anathema to that. So, I have to go with the idea that this is simply a PR move by the NSA and that they don't really expect the $300k to accomplish anything.
Especially considering $300k would fund maybe 4 people for a year - assuming 3 of them are unpaid interns. That's not a staggering amount and certainly wouldn't even qualify as a Good Effort. Now if they add a couple of zeros and spread it around to a few more groups then I'd be inclined to believe that maybe, just maybe, they actually want to help us become more secure.
$300K is barely enough to get Booze-Alien, CSC, SAIC to even crack their eyelids. No one that deals with these agencies can afford to set up a fake company/bank account for less than several $MM. This is probably a throw-off to appease some pesky SBA/FOIA query.
Why not just have every IP address directed to Langley? They can decide whether to forward to their 15-Eyes partners, sell for megabucks, titillate the masses, or actually send to the intended recipient (with minor mods.)
Seriously, why would anyone in his/her right mind trust the NSA's attempts?
That's like allowing the Fox to build the hen house!! What a sad, sad way to make "improvements!" Should be STOPPED IMMEDIATELY to save both money and our basic rights! Why should we allow this obvious farce to even be considered? Are we that stupid?
That's like allowing the Fox to build the hen house!! What a sad, sad way to make "improvements!"
The USA has been on this kick for a couple of years now. Having their industrial espionage exposed to the public has only sped up attempts to increase it, not slowed it down. Microsoft should be ashamed of their previous cooperation and handing over all data to the NSA.
But what do they do?
They make a new operating system that identifies each individual user so they can be spied upon and the data kept on a per person basis, instead of a per computer basis. They don't even hide this, they want to link you to all your personal accounts and hand over everything to the NSA.
They're not kidding. They're just stupid.
Sometimes a lot of people forget a simple fact about the NSA:
They are at the end of the day still tasked with ensuring that national security is not compromised.
So when it comes to security they have two divisions effectively. One which is tasked with trying to break various security mechanisms, in order to spy on its citizens to ensure there is no uprise against the government/rich, and the other which is to ensure that their own security and that of US citizens is effective and working to try to prevent competing governments from being able to spy on its citizens.
This is why the NSA helped create SELinux, it is also why they are doing this. Bear in mind SELinux is entirely open source and viewable by anybody so it's unlikely that it contains a backdoor.
It is hard to believe when you consider how much stuff they do in order to break security and spy on you, but it is still true.
Thus, not everything the NSA do is bad. Albeit a lot of the stuff they do is.
"Given its history, particularly when it comes to intercepting the supply chain of routers to plant backdoors, it might be tempting to think that the NSA wants to backdoor IoT devices too. But it's hardly worth the effort on kit that is wide open and insecure in the first place."
John, you aren't being cynical enough.
The NSA's thinking is that at some point, there's a chance that end users will finally wake up and smell the coffee and start insisting that these things be properly secured* - so they're doing this to get in early and ensure that if these things are to be made secure, it's using something in which they've already paid for back doors.
* Granted, it's a slim chance, because most of the general public are more interested in the new shiny being convenient, which decent security can be a hindrance to. However, a slim chance - even an anorexic one - is still a chance.