NSA Releases Open Source Security Tool For Linux
Earthquake Retrofit writes: The NSA's systems integrity management platform — SIMP — was released to the code repository GitHub over the weekend. NSA said it released the tool to avoid duplication after US government departments and other groups tried to replicate the product in order to meet compliance requirements set by US Defence and intelligence bodies. "By releasing SIMP, the agency seeks to reduce duplication of effort and promote greater collaboration within the community: the wheel would not have to be reinvented for every organisation," the NSA said in a release.
Fuck yes! (Score:5, Funny)
I'm installing this thing right away!
Re: Fuck yes! (Score:1)
SELinux is not a distribution of Linux. This is a security tool (kernel level). Do some research.
Re: (Score:3)
Well, say what you will, it IS a strangely appropriate name: SIMP, all considered.
Re: (Score:2)
You could also send some bitcoins to the address in the readme of puppet-memcached to "show some love".
Re:Fuck yes! (Score:5, Informative)
I'm installing this thing right away!
You probably have room right next to SELinux [wikipedia.org]
Re: (Score:2)
C'mon; it's just an OpenBSD install!
Re: (Score:2)
Yeah, me too! Errrr - oh - wait a second. Which NSA is this? THAT NSA? HUH WUT?!?!?! How many experts have evaluated this thing to be sure it's not a trojan?
I'll pass, for now at least.
National Sheep Association? (Score:1, Insightful)
Why does the National Sheep Association in the UK do so much with computer security? Or is this the American NSA?
Re: National Sheep Association? (Score:5, Funny)
The National Sheep Association focuses more on the "penetration testing" side of security, if you know what I mean.
Re: (Score:3)
And in Australia, Bruce is in charge of the sheep dip.
Re: (Score:2)
Why do shepherds wear flowing robes?
'Cause sheep can hear a zipper from a mile away...
The Microsoft Windows version is called (Score:3, Funny)
Re: (Score:2)
Don't you mean WIMP?
This makes sense. (Score:5, Funny)
It follows on the heels of another open-source effort from the NSA, aimed at penetration testing of large information silos. Secure Network Operator With Database Encryption Node has been shared internationally, with Russia and China actively pursuing forks and development of the tool.
Re: Stay away... (Score:1)
Does it really matter what the source code has when there's probably plenty of hacks like this around?
http://c2.com/cgi/wiki?TheKenThompsonHack
"SIMP" (Score:1)
...fnar fnar
That's just great.. (Score:5, Funny)
Now that my Slashdot user name is also an NSA acronym I probably have to add a disclaimer to each post saying "This is just a text message, it is perfectly safe to parse this input". Then again some paranoid people might think that this is exactly what the NSA wants you to think.
Re: That's just great.. (Score:1)
Sure, keep spreading the lie that plain text is safe.
http://web.cs.jhu.edu/~sam/ccs243-mason.pdf
Now I'm convinced that your username isn't a coincidence.
The NSA has done several things to help security (Score:5, Informative)
Long ago, they released configuration steps and tools to lock down Windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.
They did the same thing with XP, iirc.
It makes sense. It's useful for the NSA to keep computers secure from script kiddies. Doesn't matter to them -- they break into routers, not computers, for the most part :o
Re:The NSA has done several things to help securit (Score:5, Informative)
And now that I think about it, long before that they gave stronger constants for DES when it was originally proposed. They didn't say why their constants were better, but they were later shown to be stronger.
They SHORTENED the key length (Score:3, Informative)
Yeh right... NSA shortened the key length from 128 to 56 bits making it a $20 million computer needed to crack a key by brute force.
https://en.wikipedia.org/wiki/Data_Encryption_Standard
So they chose S boxes that were more resistant to a particular attack they knew, (but had asked IBM to keep secret because it could be used against many encryption schemes) and also made DES weaker by shortening the key length. Weaker till someone with $20 million could crack it. i.e. themselves and other major countries an
Re: (Score:3)
DES did serve its purpose, and I'm surprised it has lasted as long as it has without a real break. 3DES is still usable and secure, although the world is slowly moving to 256 bit encryption algos from 128 bit ones.
These days, if one was wanting to be sure about encrypted data, it might be best to use a cascade, similar to what TrueCrypt does. AES, Threefish, and Serpent would be ideal, since Threefish doesn't use S-Boxes, Serpent has the best security margin of all the former AES candidates, and AES is...
Re:The NSA has done several things to help securit (Score:5, Informative)
Stronger for everyone except them, perhaps.
They did something similar: put a couple of specific constants into the Dual_EC_DRBG [bbc.co.uk] random number generator. It was later shown that they amounted to a skeleton key - if you knew the numbers used to derive the constants, you could predict the future output of a given RNG instance with only a small amount of sample data. So any encryption based on Dual_EC_DRBG could be considered to be broken by the NSA (somewhat conveniently, in a way that only the NSA could actually prove).
Despite the poor performance of this algorithm, which led most implementers to ignore it, it managed to end up as the default in the product of one of the most trusted vendors, RSA. There was speculation that the NSA bribed them [arstechnica.com] to make this design choice. [1]
Unsurprisingly, it was withdrawn from the standard [nist.gov] in 2014.
[1] The only comment on that story makes the same point - that the NSA, in the past, had reinforced weaknesses in DES. In the light of the later evidence about Dual_EC_DRBG, that may bear further examination - if the change was the tweaking of constants, it's entirely possible that this reinforced the standard for everyone but the NSA.
Re: (Score:1)
I hate to say this but they are damned clever. Too clever for their own good. I almost, sort of, wish they were inept and had agents like The Pink Panther. *sighs* Anyhow, I have been poking at Linux a lot lately so I have a bunch of boxes with a variety of distros on them and a VM of pretty much every one of the top 20 (from distro watch) images installed and able to be run. I am no guru, by any means, but I will read the code and do an install later. I have a second DSL line so I can keep it off my home n
Re: The NSA has done several things to help securi (Score:1)
Not to be pedantically off topic, but I think you mean you wish their agents were more like Inspector Clouseau. Unless you meant that you wish the agents were debonair idle-rich types who do sigint simply for the thrills?
Re: (Score:1)
It is okay (as was the AC above you) and was a good spotting. I should have thought a bit more but I did not.
Re: (Score:3, Interesting)
Yeah, but in the case of DES, it was actually proven many, many years later that they picked constants that really were just for improved strength. IBM knew about that too, as it turns out, but the NSA muzzled them and got them to shut up on *why* those were the best constants.
Surprising, but it really does seem like DES was them just trying to help improve US security.
Re: (Score:2)
I suspect the reason is the s-box numbers help with an ECC/parity like feature that weakens things that has been known for more than 4 decades, at least to some people.
Hack your friendly crypto program that does des/aes/whatever to dump out s-box state at the end of each round and ask yourself why are some bits always in a known state for a given key every so many rounds. Then ask can this be used to do an inside-out attack and then ask why is there only one non-s-box related cypher in TLS 1.1 and 1.2 an
Re:The NSA has done several things to help securit (Score:4, Insightful)
Still, until the NSA really stands for Security and not spying, I think most of us will only touch this with a ten foot pole.
Re: (Score:2)
Just like SELinux, right?
Ignorant people are ignorant. News at 11. Blah blah.
Re: (Score:1)
I've got nothing to hide!! Still, do you seriously expect everyone to incorporate NSA back doors into their systems just on their say so?
Re: (Score:1)
(Or whatever the equivalent is for your distro).
Shows anything?
Re: (Score:2)
every sysadmin I talk to disables selinux.
you tout that as a GOOD solution to security? *laughs*
Re:The NSA has done several things to help securit (Score:4, Interesting)
Only if you are dumb.
This is Open Source from the NSA; every security deeb on the planet will tear into it hoping to get a paper out of some exploit and big consulting contracts.
Odds are really good it is rock solid.
Re: (Score:2)
Only if you are dumb.
This is Open Source from the NSA; every security deeb on the planet will tear into it hoping to get a paper out of some exploit and big consulting contracts.
Odds are really good it is rock solid.
It won't have backdoors; it'll have omissions. The NSA will have had this approved by the rest of 5 eyes (Canadian, Australian, New Zealand and British spy agencies) and will have taken great care to make sure that it doesn't fix security holes that they want left open.
Re: (Score:2)
If true.
1. Those are already open.
2. It does improve security by closing other holes.
So why not use it?
Re: (Score:2)
If true.
1. Those are already open.
2. It does improve security by closing other holes.
So why not use it?
False sense of security
Re: (Score:2)
So it is better to leave the exploits that it does close open?
Now this is heading into crazytown.
Re: (Score:3)
The problem is that these two things are i
Re: (Score:2)
you are far too trusting; and you have zero reason to trust thieves and robbers and villains.
go ahead and trust the spooks. hey, enjoy! ignorance is bliss.
but to trust anyone from those orgs, now that we truly know the mentality of those in control, THAT's what the definition of crazy-talk is.
zero cred. sorry, but anything from the spooks is untrustable and probably always has been. the fact that they act like they are trying to 'help' just makes matters even worse.
and the old chestnut about 'but its ope
Re: (Score:2)
Their mandated function is to bolster national security through spying using both SIGINT and HUMINT. Questioning their activities in the US domestic space may be warranted but all foreign activities are fair game. And if they only released an executable it might be prudent to not install it. However, they released the source code to the world at large. And this particular tool is for companies and organizations that provide contracted services to the NSA and need to satisfy a certain level of security aware
Re: (Score:2)
Yes, it definitely makes sense for government computers.
But the next question is: does it make sense for any personal computer? Of course not. SIMP is largely based on puppet (who wants to be NSA's puppet? :-)) which only makes sense for a sysadmin to keep control over workstations.
Other governments or organizations could have found this project helpful, but the cost in reading every single line of code (because, you know, it's the NSA) completely kills the interest of reusing someone else's effort.
Re: (Score:1)
Long ago, they released configuration steps and tools to lock down Windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.
That's the interesting part about NSA. While they generally are dickheads who can eavesdrop anything anywhere, they also have bunch of security geniuses, as smart as John Carmack, who have exceptional skills making extremely robust hardened systems and taking security to a completely new level.
Re:The NSA has done several things to help securit (Score:4, Interesting)
The NSA has a couple of departments. One wants to secure computers. The other to break in. Thankfully, because they are different fiefdoms, we can get actual information on how to secure things from that one group.
And yeah, the NSA can access pretty much any information it wants on me already. Why would it even want to waste its time looking at my computer? They know more about me than my computer does.
Re: (Score:2)
Long ago, they released configuration steps and tools to lock down Windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.
They did the same thing with XP, iirc.
It makes sense. It's useful for the NSA to keep computers secure from script kiddies. Doesn't matter to them -- they break into routers, not computers, for the most part :o
But you can bet this won't close holes that the rest of 5 eyes needs. If GCHQ, ASIS, NZSIS or CSIS are using some vulnerability the NSA wouldn't be doing their jobs if they blocked it.
Re: (Score:2)
Long ago, they released configuration steps and tools to lock down Windows 2000. It wasn't just sent to government agencies, but opened up for businesses, too.
The key phrase here being long ago.
Long ago was when they could be trusted.
Re: (Score:2)
Doesn't really matter much what they intend this time versus what they corruptly intend every other time. "The Boy Who Cried Wolf", https://en.wikipedia.org/wiki/... [wikipedia.org], I seem to need to include a link to teach the story, once you get caught out telling lies and deceiving people, no matter how much you try to help thereafter, people no longer believe anything you have to say and ignore you.
Kind of way, WAY, too late for that corrupt organisation, to help secure anything in any way shape or form, no one
It may be a bucket of manure... (Score:3)
but there may be a pony at the other end.
The NSA has made a number of useful contributions to computing. I can't think of any right now.
[some time later] I still can't think of any. Oh wait, they dedicated resources to this.
I'll take a look. Maybe it's like watching COPS - you know it's slanted and mostly bullshit, and that in itself is useful information (unless you're the clicketty type fool).
SELinux is useful. Of course there are any number of people who believe otherwise, but I'd rather build security on facts than unsubstantiated beliefs (even cathedrals aren't made from wishful thunking).
That'd be your cue, oh psychic leaders of the Aquarian Awakeninging (troofers, DogCow and others), to put your money where your mouth is - then you can grin, and I'll modify my "beliefs". Sounds like a fair trade to me.
Re: (Score:2)
Cathedrals are maybe not the best example you could cite to make your point, considering that most of them would never ever be approved under today's building laws considering the rather fragile statics behind them. Seriously, you could NOT get a medieval cathedral approved under today's laws.
And the same applies to security. What used to be secure a decade ago is at best deprecated today, at worst considered criminal negligence. The bottom line is that the source of the tool is not trustworthy. It has been
Re: (Score:2)
Cathedrals are maybe not the best example you could cite to make your point,
That'd be the obvious point that you failed to grasp. That buildings, whether or not you irrelevantly retrospectively apply current building codes to them, are built of substance - not conjecture.
And the same applies to security. What used to be secure a decade ago is at best deprecated today, at worst considered criminal negligence.
Did I say it was a great security project? Did I say it should be trusted? Did the "bucket of manure" Comment Subject fly over your sunken head?
How did you learn to write without learning to read - or did you get your mum to write your misguided and misinformed spiel for you?
Do you have any facts to contribute or ar
so i am supposed to trust this thing? (Score:5, Interesting)
no thanks, the NSA is going to have to continue spying on me the old fashioned way
Probably Safe To Install... (Score:3)
...but not safe to use. Since this is open source it's doubtful there is any malicious code, though the jury is still out on that fact...doubtful anyone who knows anything about IT and the NSA would be jazzed about the release of something like this. I'd be more suspicious of this purposefully overlooking the stealthier ways they have of accessing networks that may not be widely known. 'Cause if this was found to have backdoors or whatever else the ~10% of tech-knowledgeable people who don't already mistrust them might grow to about ~11%. Really, anyone who didn't already not trust them...even if this tool turned the machine it ran on into a direct line to Fort Meade they wouldn't think much of it - they probably are pretty set in their patriotic mindset.
And that's how we roll! (Score:2)
Avoid duplication? That's not how government rolls!
Well, I guess they will spend the savings on some other stimulus jobs program instead rather than reduce the deficit a microgram.
Re: (Score:2)
Since when does HR have any say when it comes to hiring C-Level?
Re: (Score:2)
It's probably the other departments' inferior results instead of a money saving solution.
And reducing the deficit a microgram would be worthless. First, literally, a microgram of US currency at the highest distributed denomination is literally a rounding error from a rounding error from a penny. But more importantly, the government can and should buy useful things.
Most of it isn't code... (Score:5, Informative)
There's a lot of "they're just trying to backdoor you" type talk. For those who didn't bother to look at the code repos -> it's almost entirely Puppet manifests, not code.
Re: (Score:1)
There's a lot of "they're just trying to backdoor you" type talk. For those who didn't bother to look at the code repos -> it's almost entirely Puppet manifests, not code.
I looked at it in the past week and saw that. But, I have no prior knowledge of Puppet; so, I decided it was NOT something I could pass judgement on. Tim S.
Audit first, trust never! (Score:2)
Re: (Score:2)
Given the source, I would not even trust it after the entire security community did a full audit of it, all the tools used in its creation and compilation.
Sorry, but no. NSA, you lost our trust. We don't believe you having our best interest in mind anymore. Fool me once and all that shit.
The code... (Score:3)
The Github link in the summary isn't to the code.
https://github.com/simp [github.com]
Re: (Score:2)
The Github link in the summary isn't to the code.
https://github.com/simp [github.com]
My apologies. When I submitted the story I didn't check that link because.... well I guess because I chickened out.
Excellent News! (Score:2)
I suggest we all become collaborators and inject lots of back doors...
Reap what you sow bitches
Hmm... should I use it? (Score:2)
Or that security tool the guys at RBN [wikipedia.org] released.
Decisions, decisions...