
posted by cmn32480 on Thursday September 03 2015, @01:46AM
from the how-can-you-not-trust-the-NSA dept.

El Reg is reporting:

The NSA today revealed it has uploaded source code to GitHub to help IT admins lock down their networks of Linux machines.

The open-source software is called the System Integrity Management Platform (SIMP). It is designed to make sure networks comply with US Department of Defense security standards, but the spy agency says it can be adapted by admins to meet individual security needs as well.

"The open-source software method of transferring technology from the federal laboratory to the marketplace is extremely efficient," said Linda Burger, director of the NSA Technology Transfer Program.

"The open-source community can leverage the work that NSA has produced, and the government can benefit from that community's expertise and perspective. It's a win for everyone – and for the nation itself."

So, not only do they want your secrets, they want you to help them get them. Yes, it's open-source software and the source code can be examined, but the NSA skeptic in me thinks this sounds very dodgy.

  • (Score: 3, Informative) by Anonymous Coward on Thursday September 03 2015, @01:52AM (#231519)

    It's not that dodgy, in fact one of the NSA's original goals before they got jacked by paranoia was to keep the country secure from cyber threat by fostering sufficient crypto and research. As such, they're everywhere in the field of cryptography and they help push along the bureaucracy of selecting ciphers and the like.

    • (Score: 4, Interesting) by Anonymous Coward on Thursday September 03 2015, @02:07AM (#231521)

      Indeed. Unlike the case of them deliberately weakening DUAL_EC_DRBG [wikipedia.org], when it came to DES 30 years earlier they improved the strength of the S-boxes, making them more resistant to differential analysis, which had not even been (publicly) invented at the time. Although they apparently pushed for a reduction in key size, at least that push wasn't a secret.

      It is easy to be suspicious of NSA now, they've really burned up a ton of good will. But, this sort of thing is really their only road to redemption so its better that they release something than nothing.
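The S-box property the comment above refers to can be checked directly: differential cryptanalysis works from the difference distribution table (DDT) of each S-box, which counts how often an input XOR difference maps to each output XOR difference. The following is an added example, not code from the thread or from SIMP; it tabulates the DDT of DES S-box S1 (the table as published in FIPS 46) and reports the most probable single-round differential. Coppersmith's published design criterion requires that no nonzero input difference yields the same output difference for more than 8 of its 32 unordered pairs, i.e. a DDT entry of at most 16 out of 64 (probability 1/4); the function and variable names are this example's own.

```python
"""Difference distribution table (DDT) of DES S-box S1.

Added example. The S1 table is the one published in FIPS 46; everything
else (function names, the 'criterion' bound) is this example's own.
"""

# DES S1 as a 4x16 table. For a 6-bit input b1..b6, DES uses
# row = (b1, b6) and column = (b2, b3, b4, b5).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

# Coppersmith's criterion S-7: at most 8 of the 32 unordered input pairs
# with a given nonzero XOR difference may share an output difference,
# which is 16 of the 64 ordered pairs counted below.
CRITERION_MAX_COUNT = 16


def sbox(x):
    """Evaluate S1 on a 6-bit input using the DES row/column convention."""
    row = (((x >> 5) & 1) << 1) | (x & 1)   # outer bits b1, b6
    col = (x >> 1) & 0xF                    # inner bits b2..b5
    return S1[row][col]


def difference_table(s):
    """ddt[din][dout] = number of 6-bit inputs x with s(x) ^ s(x ^ din) == dout.

    Each row sums to 64; the din == 0 row is all zeros except ddt[0][0] == 64.
    """
    ddt = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            ddt[din][s(x) ^ s(x ^ din)] += 1
    return ddt


def max_differential(ddt):
    """Most likely (din, dout, count) over nonzero input differences.

    count / 64 is the probability that a pair with input XOR din produces
    output XOR dout, which is what a differential attacker wants large.
    """
    best = (0, 0, 0)
    for din in range(1, 64):
        for dout in range(16):
            if ddt[din][dout] > best[2]:
                best = (din, dout, ddt[din][dout])
    return best


def differential_probability(ddt, din, dout):
    """Probability of the single-S-box differential din -> dout."""
    return ddt[din][dout] / 64


def meets_criterion(ddt, limit=CRITERION_MAX_COUNT):
    """True if no nonzero input difference has a DDT entry above `limit`."""
    return all(c <= limit for row in ddt[1:] for c in row)


if __name__ == "__main__":
    table = difference_table(sbox)
    din, dout, count = max_differential(table)
    print(f"best differential for S1: {din:#04x} -> {dout:#03x}, "
          f"{count}/64 = {differential_probability(table, din, dout):.3f}")
    print("meets max-16 criterion:", meets_criterion(table))
```

Swapping another S-box table into `S1` (or a random 6-to-4-bit mapping built with the same row layout) and re-running shows how quickly a carelessly chosen box exceeds the 16/64 bound; the DES boxes stay at or below it, which is the observable trace of the design work the comment describes.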

    • (Score: 4, Informative) by moondoctor (2963) on Thursday September 03 2015, @02:29AM (#231532)

      >they're everywhere in the field of cryptography

      Yeah, that's the fundamental issue. Couple that with the fact that they want to compromise crypto and make no bones about it, and I'm pretty skeptical.

      • (Score: 0) by Anonymous Coward on Thursday September 03 2015, @04:33AM (#231566)

        What do you think about systemd and Microsoft's analytics campaign happening at the same time?

        • (Score: 0) by Anonymous Coward on Thursday September 03 2015, @07:56AM (#231626)

          systemd could be useful if somebody forked and cleansed it from bloat. Too bad nobody will.

          • (Score: 2) by mtrycz (60) on Thursday September 03 2015, @08:38AM (#231632)

            Useless is.

            They're short on workforce, tho. Why don't you help?

            --
            In capitalist America, ads view YOU!
            • (Score: 2, Informative) by Deeo Kain (5848) on Thursday September 03 2015, @03:33PM (#231797)

              Useless is dead:
              http://uselessd.darknedgy.net/ [darknedgy.net]
              «uselessd has entered the final stage of uselessness, its ultimate expression of nihilism - the state of deprecation and utter nonexistence. That's right, goyim shkutzim. uselessd is dead.

              The last release was uselessd-8 on November 16, 2014. An effort to revamp the IPC system away from D-Bus into using a byte stream-based fifodir protocol was staged for uselessd-9, but a growing lack of interest and realization that trying to mangle the systemd architecture into something more minimal was becoming increasingly fruitless and unwieldy led to the project being orphaned. It was transferred to Tarnyko in January 2015, but no activity of any sort has been seen since then. For all practical purposes, it's over.»

    • (Score: 3, Interesting) by frojack (1554) on Thursday September 03 2015, @04:05AM (#231559)

      I believe their SELinux has been thoroughly vetted, and no problems were found in it.

      Nobody has found any holes in it, or hidden features.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by Hyperturtle (2824) on Friday September 04 2015, @12:22AM (#232050)

        Yes, they have released guides (and NIST too, I believe) that are right on the money. They knew and promoted how to secure lots of things.

        Of course, when we later find out about NSAKey and such, in hindsight we were secured from lots of things -- except them. If we followed the guides to the letter.

        In those cases, I think that the tax dollars were well spent, since I know of no commercial entity (that I worked for, at least) that has followed their guides to the letter. The guides, even if used to make a half-assed attempt at security, are immeasurably better than the typical small business with a vanilla monolithic infrastructure ripe for the taking. Those places are all Windows in a workgroup and a D-Link combo device for internet and local network access... on Comcast. Then the NSA can't help you. You have to invest in your security a little bit.

        I deeply despise how much interest so many different external parties have in prying into data that should be private -- but I also respect many of those enemies for their demonstration of skill and tenacity at achieving their goals -- even if I would not choose to socialize with them. There are brilliant creepy people, after all, and some places are full of them.

  • (Score: 0) by Anonymous Coward on Thursday September 03 2015, @02:52AM (#231535)

    > So, not only do they want your secrets, they want you to help them get them. Yes, it's open-source software and the source code can be examined, but the NSA skeptic in me thinks this sounds very dodgy.

    Indeed. I would think that calling this source code SIMP should be a big clue.

    • (Score: 1) by Deeo Kain (5848) on Thursday September 03 2015, @03:30PM (#231795)

      It falls short of being simple.

  • (Score: 0) by Anonymous Coward on Thursday September 03 2015, @03:03AM (#231539)

    this is towards NSA's and *our* interests. Of course we shall fork and audit.

  • (Score: 3, Interesting) by Anonymous Coward on Thursday September 03 2015, @03:54AM (#231550)

    From readme at github:

    Red Hat only
    It comes with its own puppet master!
    Not sure if you can use your own credential store, but it comes with an LDAP server too.

    Even if this was from the EFF, I would have to pass. We already have management infrastructure for our organization, thank you.

    Seems this should have just been released as a bunch of puppet modules instead.

    • (Score: 5, Insightful) by q.kontinuum (532) on Thursday September 03 2015, @05:03AM (#231574)

      As I understand the submission, they neither intended nor claimed to release a "product". They open source their own implementation so others will be able to turn it into a community asset. Which was the idea of open source in the first place: Not some big companies feeding freeloaders but developers publishing what they already have (because it doesn't add costs for them) and others picking up what is useful.

      --
      Registered IRC nick on chat.soylentnews.org: qkontinuum
      • (Score: 2) by Zz9zZ (1348) on Thursday September 03 2015, @07:11AM (#231614)

        I modded you up because I'm glad you pointed out the importance of sharing, and how it can be picked apart.

        That said, the gp said nothing about a product, just pointed out that this is more of a configuration so "source code" makes it seem a little disingenuous even if accurate.

        What's with the "big companies feeding freeloaders"? That is a very slanted statement, quite presumptuous about the meaning of open source, and not even applicable here! The "big company" is actually a community organization, funded by everyone, and impossible to "freeload" as it is the wrong way around...

        There are plenty of open source projects where people freely give their time and don't worry about monetary benefits. It would be nice if our world was more conducive to people being able to allocate their time in projects that they believe in and/or can be useful for.

        --
        ~Tilting at windmills~
        • (Score: 2) by q.kontinuum (532) on Thursday September 03 2015, @10:39AM (#231656)

          > the gp said nothing about a product, just pointed out that this is more of a configuration so "source code" makes it seem a little disingenuous even if accurate.

          OK, maybe I got that wrong; I didn't look at the repository, and as far as I understood the gp, he just quoted from github that this NSA thing comes with a puppet instance, which to me does not imply that there isn't any additional software with source code etc. The gp post sounds to me like by installing from the NSA submission, I will install a new puppet master in addition to the actual software, and to circumvent that I'd have to modify the scripts to e.g. use an existing puppet instance instead. To me this sounds exactly as open source was initially planned: The code does what the NSA needs, but can be adapted to other needs. Only the NSA doesn't provide a nice configuration front-end, but instead just publishes their code as-is and expects others to do any adaptation work.

          > What's with the "big companies feeding freeloaders"? That is a very slanted statement, quite presumptuous about the meaning of open source, and not even applicable here!

          Maybe I was projecting a little too much. The point is that with Canonical, Mozilla, JFrog and others, there are lots of companies offering consumer-grade products for free. I like that, I like to use them, and I don't want to slander anyone who does the same. But these are companies offering free products which happen to be open source, and they have some other kind of business model to make money with it. Therefore it is OK to expect a working product, and to complain if it doesn't match the expectations - the company's business model builds on the product, so they will probably be happy to be informed of any shortcomings.

          But this is not how Open Source started, or how it grew strong, or what it was meant for. The idea is rather that any developer should publish his code per default, and whatever there is can be useful to other coders, even if it doesn't work. In such cases it can be discouraging to receive feedback that the code you wrote exclusively for your own purposes, and published just because you are philosophically convinced this is the way code should be treated, is crappy because it doesn't match someone's expectations. It reflects an expectation that others should not only open the gates to make it easier for me to learn and help myself, but that people should actually spoon-feed me their stuff the way it benefits me. This is what I call a freeloader mentality.

          It's a bit like in Linux support forums: If I go into a Canonical-supported Ubuntu forum and ask my questions, I expect to be helped by those Canonical employees, because even if I'm not paying, they want to promote their product. They have an interest in helping and I might have an expectation of receiving help.
          In non-commercial forums I expect there are people who like to discuss technical things and will probably be willing to provide guidance on a give-and-take basis, but this requires that I invest the time to read some man pages to learn the basics first, show respect and ask politely, and try to think for myself to fill in the blanks in a proposed answer.

          Or maybe use soylentnews as an example: This is a community-driven website. If I'm not content, I can try to get involved to improve the situation, or make some nice proposal on how to improve. Even if I subscribe and pay, it is clearly understood that I just help to cover the operating expenses; no one is employed here, it is still a community site where every bit of work that goes into it is a gift. Appropriately friendly, I will try to make improvement suggestions. If on the other hand Amazon Prime stops working for me, I'd probably complain loud and clear.

          --
          Registered IRC nick on chat.soylentnews.org: qkontinuum
  • (Score: 2) by deimios (201) on Thursday September 03 2015, @05:24AM (#231580)

    Well if we have the source code then the software is safe right? No way to hide malicious backdoors in open source right?

    (Rhetorical question, if you don't already know go check out http://www.ioccc.org/ [ioccc.org] )

    • (Score: 2) by q.kontinuum (532) on Thursday September 03 2015, @05:33AM (#231584)

      s/safe/safer/g

      Ftfy

      --
      Registered IRC nick on chat.soylentnews.org: qkontinuum
    • (Score: 2) by skater (4342) on Thursday September 03 2015, @11:58AM (#231683)

      If the NSA was trying to sneak a backdoor into Linux, would they really do it this openly? No, they'd have some submitter submit valid, useful patches for a period of time to build up a reputation, then slip in the goods. And for all we know this has already happened. I'm more inclined to think this code is likely exactly what they said it is.

      • (Score: 3, Interesting) by edIII (791) on Thursday September 03 2015, @09:12PM (#231972)

        I think everyone in the thread may be missing something. Sure.. The NSA is good at compromising code. We all know that.

        What they also happen to be very VERY good at are side channel attacks. This code would seem to have something to do with security, and the NSA being able to understand that code... would seem to allow them greater precision and ability with side channel attacks against target systems running *their* very own security code.

        I'd take it and look at it, but as far as running it? Not unless I was very assured that the "operating profile" it gives off is *not* what the NSA was expecting. There's a reason why a big part of attacking target systems is understanding the specific versions of the code they are running. For both exploit purposes *and* tuning side channel attacks.

        At this point I would be highly suspicious if the NSA was just offering an apparent no-strings-attached blowjob. They act as if their charter was to protect the American public or something.

        --
        Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 0) by Anonymous Coward on Thursday September 03 2015, @05:28AM (#231582)

    "The NSA today revealed it has uploaded source code to GitHub to help IT admins lock down their networks of Linux machines."

    "today" ... that made the rounds in early July, if you care to look at the linked article date

  • (Score: 1) by Deeo Kain (5848) on Thursday September 03 2015, @03:28PM (#231794)

    Protected Integrity Management Platform (PIMP) is how I knew it was called. Is this a fork?