Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Government Open Source Security Linux

NSA Releases Open Source Security Tool For Linux 105

Earthquake Retrofit writes: The NSA's systems integrity management platform — SIMP — was released to the code repository GitHub over the weekend. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies. "By releasing SIMP, the agency seeks to reduce duplication of effort and promote greater collaboration within the community: the wheel would not have to be reinvented for every organisation," the NSA said in a release.
This discussion has been archived. No new comments can be posted.

NSA Releases Open Source Security Tool For Linux

Comments Filter:
  • Fuck yes! (Score:5, Funny)

    by Anonymous Coward on Thursday July 16, 2015 @02:10AM (#50123041)

    I'm installing this thing right away!

  • by Anonymous Coward

    Why does the National Sheep Association in the UK do so much with computer security. Or is this the American NSA?

  • by invictusvoyd ( 3546069 ) on Thursday July 16, 2015 @02:20AM (#50123065)
    PIMP
  • by Anonymous Coward on Thursday July 16, 2015 @02:22AM (#50123079)

    It follows on the heels of another open-source effort from the NSA, aimed at penetration testing of large information silos. Secure Network Operator With Database Encryption Node has been shared internationally, with Russia and China actively pursuing forks and development of the tool.

  • ...fnar fnar

  • by simp ( 25997 ) on Thursday July 16, 2015 @02:44AM (#50123135)

    Now that my slashdot user name is also a NSA acronym I probably have to add a disclaimer to each post saying "This is just a text message, it is perfectly safe to parse this input". Then again some paranoid people might think that this is exactly what the NSA wants you think.

    • oh Aaron simp Burr we hardly knew ye
    • by Anonymous Coward

      Sure, keep spreading the lie that plain text is safe.

      http://web.cs.jhu.edu/~sam/ccs243-mason.pdf

      Now I'm convinced that your username isn't a coincidence.

  • by bugnuts ( 94678 ) on Thursday July 16, 2015 @02:45AM (#50123147) Journal

    Long ago, they released configuration steps and tools to lock down windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.

    They did the same thing with XP, iirc.

    It makes sense. It's useful for the NSA to keep computers secure from script kiddies. Doesn't matter to them -- they break into routers, not computers, for the most part :o

    • by bugnuts ( 94678 ) on Thursday July 16, 2015 @02:48AM (#50123151) Journal

      And now that I think about it, long before that they gave stronger constants for DES when it was originally proposed. They didn't say why their constants were better, but it was later shown to be stronger.

      • by Anonymous Coward

        Yeh right... NSA shortened the key length from 128 to 56 bits making it a $20 million computer needed to crack a key by brute force.

        https://en.wikipedia.org/wiki/Data_Encryption_Standard

        So they chose S boxes that were more resistant to a particular attack they knew, (but had asked IBM to keep secret because it could be used against many encryption schemes) and also made DES weaker by shortening the key length. Weaker till someone with $20 million could crack it. i.e. themselves and other major countries an

        • by mlts ( 1038732 )

          DES did serve its purpose, and I'm surprised it has lasted as long as it has without a real break. 3DES is still usable and secure, although the world is slowly moving to 256 bit encryption algos from 128 bit ones.

          These days, if one was wanting to be sure about encrypted data, it might be best to use a cascade, similar to what TrueCrypt does. AES, Threefish, and Serpent would be ideal, since Threefish doesn't use S-Boxes, Serpent has the best security margin of all the former AES candidates, and AES is...

      • by Dr_Barnowl ( 709838 ) on Thursday July 16, 2015 @03:48AM (#50123319)

        Stronger for everyone except them, perhaps.

        They did something similar, put a couple of specific constants, into the Dual_EC_DRBG [bbc.co.uk] random number generator. It was later shown that they amounted to a skeleton key - if you knew the numbers used to derive the constants, you could predict the future output of a given RNG instance with only a small amount of sample data. So any encryption based on Dual_EC_DRBG could be considered to be broken by the NSA (somewhat conveniently, in a way that only the NSA could actually prove).

        Despite the poor performance of this algorithm which lead most implementers to ignore it, it managed to end up as the default in the product of one of the most trusted vendors, RSA. There was speculation that the NSA bribed them [arstechnica.com] to make this design choice. [1]

        Unsurprisingly, it was withdrawn from the standard [nist.gov] in 2014.

        [1] The only comment on that story makes the same point - that the NSA, in the past, had reinforced weaknesses in DES. In the light of the later evidence about Dual_EC_DRBG, that may bear further examination - if the change was the tweaking of constants, it's entirely possible that this reinforced the standard for everyone but the NSA.

        • by KGIII ( 973947 )

          I hate to say this but they are damned clever. Too clever for their own good. I almost, sort of, wish they were inept and had agents like The Pink Panther. *sighs* Anyhow, I have been poking at Linux a lot lately so I have a bunch of boxed with a variety of distros on them and a VM of pretty much every one of the top 20 (from distro watch) images installed and able to be run. I am no guru, by any means, but I will read the code and do an install later. I have a second DSL line so I can keep it off my home n

          • Not to be pedantically off topic, but I think you mean you wish their agents were more like Inspector Clouseau. Unless you meant that you wish the agents were debonair idle-rich types who do sigint simply for the thrills?

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          Yeah, but in the case of DES, it was actually proven many, many years later that they picked constants that really were just for improved strength. IBM knew about that too, as it turns out, but the NSA muzzled them and got them to shut up on *why* those were the best constants.

          Surprising, but it really does seem like DES was them just trying to help improve US security.

      • by thogard ( 43403 )

        I suspect the reasons is the s-box numbers help with an ECC/parity like feature that weakens things that has been known for more than 4 decades, at least to some people.

        Hack your friendly crypto program that does des/aes/whatever to dump out s-box state at the end of each round and ask your self why are some bits always in a known state for a given key every so many rounds. Then ask can this be used to do an inside-out attack and then ask why is there only one non-s-box related cypher in TLS 1.1 and 1.2 an

    • by EzInKy ( 115248 ) on Thursday July 16, 2015 @02:52AM (#50123165)

      Still, until the NSA really stands for Security and not spying, I think most of us will only touch this with a ten foot pole.

      • by Dog-Cow ( 21281 )

        Just like SELinux, right?

        Ignorant people are ignorant. News at 11. Blah blah.

        • by EzInKy ( 115248 )

          I've got nothing to hide!! Still, do you seriously expect everyone to incorporate NSA back doors into their systems just on their say so?

        • every sysadmin I talk to disables selinux.

          you tout that as a GOOD solution to security? *laughs*

      • by LWATCDR ( 28044 ) on Thursday July 16, 2015 @07:47AM (#50124041) Homepage Journal

        Only if you are dumb.
        This is Open Source from the NSA every security deeb on the planet will tear into it hopping to get a paper out of some exploit and big consulting contracts.
        Odds are really good it is rock solid.

        • Only if you are dumb.
          This is Open Source from the NSA every security deeb on the planet will tear into it hopping to get a paper out of some exploit and big consulting contracts.
          Odds are really good it is rock solid.

          It won't have backdoors; it'll have omissions. The NSA will have had this approved by the rest of 5 eyes (Canadian, Australian, New Zealand and British spy agencies) and will have taken great care to make sure that it doesn't fix security holes that they want left open.

          • by LWATCDR ( 28044 )

            If true.
            1. Those are already open.
            2. It does improve security by closing other holes.
              So why not use it?

            • If true.
              1. Those are already open.
              2. It does improve security by closing other holes.

                So why not use it?

              False sense of security

              • by LWATCDR ( 28044 )

                So it is better to leave the exploits that it does close open?
                Now this is heading into crazytown.

      • The NSA has two sides, and two primary missions. One of those is signals intelligence, the other is communications security/information assurance. These are in separate directorates within NSA, so it's not the same people working on them, even if they both ultimately work for the same senior executives when you go far enough up the chain. The Comsec/IA folks are responsible for making sure the communications/networks/etc of the U.S. government/military are secure.

        The problem is that these two things are i
        • you are far too trusting; and you have zero reason to trust thives and robbers and villians.

          go ahead and trust the spooks. hey, enjoy! ignorance is bliss.

          but to trust anyone from those orgs, now that we truly know the mentality of those in control, THAT's what the definition of crazy-talk is.

          zero cred. sorry, but anything from the spooks is untrustable and probably always has been. the fact that they act like they are trying to 'help' just makes matters even worse.

          and the old chestnut about 'but its ope

      • Their mandated function is to bolster national security through spying using both SIGINT and HUMINT. Questioning their activities in the US domestic space may be warranted but all foreign activities are fair game. And if they only released an executable it might be prudent to not install it. However, they released the source code to the world at large. And this particular tool is for companies and organizations that provide contracted services to the NSA and need to satisfy a certain level of security aware

    • Yes, it definitely makes sense for government computers.

      But the next question is : does it make sense for any personal computer ? Of course not. SIMD is largely based on puppet (who wants to be NSA's puppet ? :-)) which only makes sense for sysadmin to keep control over workstations.

      Other governments or organization could have found find this project helpful, but the cost in reading every single line of code (because, you know, it's the NSA) completely kills the interest of reusing someone else' effort.

    • by Anonymous Coward

      Long ago, they released configuration steps and tools to lock down windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.

      That's the interesting part about NSA. While they generally are dickheads who can eavesdrop anything anywhere, they also have bunch of security geniuses, as smart as John Carmack, who have exceptional skills making extremely robust hardened systems and taking security to a completely new level.

    • by Actually, I do RTFA ( 1058596 ) on Thursday July 16, 2015 @08:36AM (#50124327)

      The NSA has a couple of departments. One wants to secure computers. The other to break in. Thankfully, because they are different fiefdoms, we can get actual information on how to secure things from that one group.

      And yeah, the NSA can access pretty much any information it wants on me already. Why would it even want to waste it's time looking at my computer. They know more about me than my computer does.

    • Long ago, they released configuration steps and tools to lock down windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.

      They did the same thing with XP, iirc.

      It makes sense. It's useful for the NSA to keep computers secure from script kiddies. Doesn't matter to them -- they break into routers, not computers, for the most part :o

      But you can bet this won't close holes that the rest of 5 eyes needs. If GCHQ, ASIS, NZSIS or CSIS are using some vulnerability the NSA wouldn't be doing their jobs if they blocked it.

    • Long ago, they released configuration steps and tools to lock down windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.

      The key phrase here being long ago.

      Long ago was when they could be trusted.

    • by rtb61 ( 674572 )

      Doesn't really matter much what they intend this time versus what they corruptly intend every other time. "The Boy Who Cried Wolf", https://en.wikipedia.org/wiki/... [wikipedia.org], I seem to need to include a link to teach the story, once you get caught out telling lies and deceiving people, no matter how much you try to help there in after, people no longer believe anything you have to say and ignore you.

      Kind of way, WAY, too late for that corrupt organisation, to help secure anything in any way shape of form, no one

  • by Demonoid-Penguin ( 1669014 ) on Thursday July 16, 2015 @04:18AM (#50123381) Homepage

    but there may be a pony at the other end.

    The NSA has made a number of useful contributions to computing. I can't think of any right now.

    [some time later] I still can't think of any. Oh wait, they dedicated resources to this.

    I'll take a look. Maybe it's like watching COPS - you know it's slanted and mostly bullshit, and that in itself is useful information (unless you're the clicketty type fool).

    SELinux, is useful. Of course there are any number of people who believe otherwise, but I'd rather build security on facts than unsubstantiated beliefs (even cathedrals aren't made from wishful thunking).

    That'd be your cue, oh psychic leaders of the Aquarian Awakeninging (troofers, DogCow and others), to put your money where your mouth is - then you can grin, and I'll modify my "beliefs". Sounds like a fair trade to me.

    • Cathedrals are maybe not the best example you could cite to make your point, considering that most of them would never ever be approved under today's building laws considering the rather fragile statics behind them. Seriously, you could NOT get a medieval cathedral approved under today's laws.

      And the same applies to security. What used to be secure a decade ago is at best deprecated today, at worst considered criminal negligence. The bottom line is that the source of the tool is not trustworthy. It has been

      • Cathedrals are maybe not the best example you could cite to make your point,

        That'd be the obvious point that you failed to grasp. That building, whether or not you irrelevantly retrospectively apply current building codes to them, are build of substance - not conjecture.

        And the same applies to security. What used to be secure a decade ago is at best deprecated today, at worst considered criminal negligence.

        Did I say it was a great security project? Did I say it should be trusted? Did the "bucket of manure" Comment Subject fly over your sunken head?
        How did you learn to write without learning to read - or did you get your mum to write your misguided and misinformed speel for you?

        Do you have any facts to contribute or ar

  • by FudRucker ( 866063 ) on Thursday July 16, 2015 @04:43AM (#50123431)
    security software from the biggest spy organization in the world that have violated the law in order to spy on EVERY us citizen,

    no thanks, the NSA is going to have to continue spying on me the old fashioned way
  • by Guy From V ( 1453391 ) on Thursday July 16, 2015 @05:21AM (#50123535) Homepage

    ...but not safe to use. Since this is open source its doubtful there is any malicious code, though the jury is still out on that fact...doubtful anyone who knows anything about IT and the NSA would be jazzed about the release of something like this. I'd be more suspicious of this purposefully overlooking the stealthier ways they have of accessing networks that may not be widely known. 'Cause if this was found to have backdoors or whatever else the ~10% of tech-knowledgeable people who don't already mistrust them might grow to about ~11%. Really, anyone who didn't already not trust them...even if this tool turned the machine it ran on into a direct line to Fort Meade they wouldn't think much of it- they probably are pretty set in their patriotic mindset.

  • to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements

    Avoid duplication? That's not how government rolls!

    Well, I guess they will spend the savings on some other stimulus jobs program instead rather than reduce the deficit a microgram.

    • It's probably the other departments' inferior results instead of a money saving solution.

      And reducing the deficit a microgram would we worthless. First, literally, a microgram of US currency at the highest distributed denomination is literally a rounding error from a rounding error from penny. But more importantly, the government can and should buy useful things.

  • by Loco3KGT ( 141999 ) on Thursday July 16, 2015 @06:37AM (#50123729)

    There's a lot of "they're just trying to backdoor you" type talk. For those who didn't bother to look at the code repos -> it's almost entirely Puppet manifests, not code.

    • by TimSSG ( 1068536 )

      There's a lot of "they're just trying to backdoor you" type talk. For those who didn't bother to look at the code repos -> it's almost entirely Puppet manifests, not code.

      I looked at it in the past week and saw that. But, I have no prior knowledge of Puppet; so, I decided it was NOT something I could pass judgement on. Tim S.

  • I would like to see an audit on this, before I would want to start using it. The NSA has never been particularly interested in letting others have secure systems.
    • Given the source, I would not even trust it after the entire security community did a full audit of it, all the tools used in its creation and compilation.

      Sorry, but no. NSA, you lost our trust. We don't believe you having our best interest in mind anymore. Fool me once and all that shit.

  • by TFlan91 ( 2615727 ) on Thursday July 16, 2015 @08:22AM (#50124233)

    The Github link in the summary isn't to the code.

    https://github.com/simp [github.com]

  • I suggest we all become collaborators and inject lots of back doors...

    Reap what you sow bitches

  • Or that security tool the guys at RBN [wikipedia.org] released.

    Decisions, decisions...

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...