Story automatically generated by StoryBot Version 0.2.2 rel Testing.
FeedSource: [SchneierOnSecurity]
Time: 2017-04-10 14:17:17 UTC
Original URL: https://www.schneier.com/blog/archives/2017/04/shadow_brokers_.html [schneier.com] using utf-8 encoding.
Title: Shadow Brokers Releases the Rest of Their NSA Hacking Tools
--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---
Last August, an unknown group called the Shadow Brokers released [schneier.com] a bunch of NSA tools to the public. The common guesses were that the tools were discovered on an external staging server, and that the hack and release was the work of the Russians (back then, that wasn't controversial). This was me:
Okay, so let's think about the game theory here. Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were I betting, I would bet Russia, and that it's a signal to the Obama Administration: "Before you even think of sanctioning us for the DNC hack, know where we've been and what we can do to you."
They published a second, encrypted, file. My speculation:
They claim to be auctioning off the rest of the data to the highest bidder. I think that's PR nonsense. More likely, that second file is random nonsense, and this is all we're going to get. It's a lot, though.
I was wrong. On November 1, the Shadow Brokers released some more [schneier.com] documents, and two days ago they released [medium.com] the key to that original encrypted archive [github.com]:
EQGRP-Auction-Files is CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN
I don't think their statement [medium.com] is worth reading for content. I still believe Russia is more likely to be the perpetrator than China.
There's not much yet on the contents of this dump of Top Secret NSA hacking tools, but it can't be a fun weekend at Ft. Meade. I'm sure that by now they have enough information to know exactly where and when the data got stolen, and maybe even detailed information on who did it. My guess is that we'll never see that information, though.
I only hope the full disclosure of these attack tools and software/firmware implants will help developers fix the remaining bugs and make the world a bit safer.
cc: current squid
https://www.schneier.com/blog/archives/2017/04/friday_squid_bl_573.html#comments [schneier.com]
> will help developers fix the remaining bugs
You forgot to say, "for free". Everybody should work "for free" in the computing industry.
But what I don't understand is why the fixes do not exist already.
Can you be a highly costly government agency and keep a list of single-day exploits on a computer which is not protected against those exploits?
Also, how can a society accept computers in its police and justice departments not being protected against complete remote control? Aren't there already organisations offering selective information wipe-out on any of those computers and their backups (for a fee)?
That statement, though... What an ugly, racist slur of a statement, looks more than anything like mentally unstable ramblings. If this indeed is (on directions) from a government, why wrap it up in #### like that? What's the strategy behind it?
Mangling the text like that (probably with the help of a translation-bot) may be to avoid traces of the author's own vocabulary/speech patterns
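The idea that mangling a text hides the author's vocabulary and speech patterns can be checked with a crude stylometric comparison. The following is an added illustration, not code from the blog post or from any commenter: it builds function-word frequency profiles for two constructed texts, then shows that crudely mangling one of them (dropping articles and copulas, a simplistic stand-in for a translation-bot round trip) sharply lowers its cosine similarity to the author's baseline. The function-word list, the sample texts and the mangle() rule are all assumptions made for this illustration.

```python
import math
import re
from collections import Counter

# A deliberately small function-word list (an assumption for this illustration;
# real stylometry toolkits use hundreds of lexical and syntactic features).
FUNCTION_WORDS = (
    "the", "a", "an", "is", "are", "of", "to", "and", "in", "that",
    "it", "we", "you", "be", "this", "for", "with", "on", "as", "not",
)


def profile(text):
    """Relative frequency of each function word over all tokens in the text."""
    tokens = re.findall(r"[a-z']+", text.lower())
    if not tokens:
        return {w: 0.0 for w in FUNCTION_WORDS}
    counts = Counter(t for t in tokens if t in FUNCTION_WORDS)
    return {w: counts[w] / len(tokens) for w in FUNCTION_WORDS}


def cosine(p, q):
    """Cosine similarity between two profiles; 1.0 means identical proportions."""
    dot = sum(p[w] * q[w] for w in FUNCTION_WORDS)
    norm_p = math.sqrt(sum(v * v for v in p.values()))
    norm_q = math.sqrt(sum(v * v for v in q.values()))
    return dot / (norm_p * norm_q) if norm_p and norm_q else 0.0


def similarity(text_a, text_b):
    """Function-word similarity between two texts, in [0, 1]."""
    return cosine(profile(text_a), profile(text_b))


def mangle(text):
    """Crude stand-in for a translation-bot round trip (an assumption, not a
    model of any real tool): drop articles and copulas, which carry little
    content but a lot of authorial habit."""
    return re.sub(r"\b(the|a|an|is|are)\b", "", text, flags=re.IGNORECASE)


# Constructed sample texts (not quotes from the blog post or the statement).
BASELINE = ("The archive is encrypted and the key is not in the file. We think "
            "that it is a message to the administration, and we are not sure "
            "of the sender.")
CANDIDATE = ("The statement is a mess and the grammar is odd. It is not a "
             "translation, and we are not sure the author is a native speaker "
             "of the language.")
MANGLED = mangle(CANDIDATE)

if __name__ == "__main__":
    print(f"same author, untouched: {similarity(BASELINE, CANDIDATE):.2f}")
    print(f"same author, mangled:   {similarity(BASELINE, MANGLED):.2f}")
```

On these constructed inputs the untouched text scores about 0.91 against the baseline and the mangled one about 0.50. Real attribution systems use far richer features (character n-grams, syntax, punctuation habits) over much larger corpora, so a drop in one similarity score is suggestive at best; the example only shows why someone trying to avoid attribution would tamper with exactly the words that carry the least content.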
@ Beamboom
It's a message to Mr. Trump that says, "We, the people who got you elected, are displeased with what you just did. (Continue to defy us at your peril.)" The clever bit is that the fundamental meaning remains the same regardless of whether you understand the message is coming from the Kremlin.
To briefly answer ATN's three questions:
1. Yes, if someone makes a mistake
2. You ask "How can society accept..." That means "look in the mirror and ask yourself...." But regardless, protecting yourself against intrusion is very, very difficult.
3. Sort of, but even if the answer were "Yes", that's not a solution. (See #2)
More generally, ATN's comment made me wonder if there's a "Computer Security 101" brief, or blog entry, or whitepaper, or the like. Not something like the Wikipedia page, which is exactly what you would expect (and want) from an encyclopedia entry. I'm thinking more along the lines of "why computer security is so hard", to provide context so that questions like these are more refined before they're asked.
I did a little poking, and the best I could find was
Internal to schneier.com: https://www.schneier.com/essays/archives/1999/11/why_computers_are_in.html [schneier.com]
External: https://www.cs.utexas.edu/~byoung/cs361/lecture2.pdf [utexas.edu]
But I'm not sure those really answer the mail, so to speak. I wonder if it's worth the effort to put something like that together?
I can't decide if ATN was serious about people working for free? Why should we work for free? Providing security fixes for free, sure. Working for free, no way!
Is this in retaliation for the strikes, or just coincidental?
It is not a matter of working for free or not.
Some of us are writing software either open source, free or commercial. Those of us that work on open source or free software do it for different reasons. Mine? I love what I do, I want to give something useful to the world as a gift, and I am developing software that is very useful for my own goals so my work and —even more important— the work of other members of the project are making my life much easier by writing software that is better than most commercial software products available. Others are working for corporations, developing commercial software, writing firmware that runs on computers and other appliances, and getting paid for that work.
I do not care on what branch of the software ecosystem (either "free" or "paid") developers of the affected products are. A bug is something that must be fixed. A bug is our responsibility —when a bug is found it must be fixed, period.
And, eventually, Linux and *BSD stuff. I thought it would never happen!
@Who?
First off, let's understand that no one is a slave. If you use software, it's your responsibility to understand the warranty - with open source, that is generally none. The point of open source is that you are not dependent on anyone else to fix it, but unless you are paying someone specifically to fix something for you then no one is under any obligation to fix any bugs whatsoever, security or otherwise.
Government bureaucracy: numerous legal technicalities.
In a practical sense, conclusion #1 is a consequence of simple reality: we are deluding ourselves if we think we can use our most sophisticated "hacking tools" against our most sophisticated enemies without effectively disclosing those methods to the enemy. Conclusions #2 and #3 are basic concepts of trade law. Patent law is irrelevant. We cannot expect patent law to prevent hostile nation-state use of patented inventions.
@Anura
Absolutely correct. If you want it done right, do it yourself. That is really the point of open source. With proprietary software, the source code withheld by trade secrecy, and the executables distributed under onerous copyright conditions, you do not even have that option.
Realize, too, that all too many people have an aggressive interest in sabotaging open source for everyone else because they have a competing proprietary solution for sale.
@Anura,
"...If you use software, it's your responsibility to understand the warranty - with open source, that is generally none....".
"warranty"? Look it up, then read Microsofts EULA.
They absolve themselves of -any- responsibility for -anything-.
Yes, I'm overstating for emphasis.
@Who? is talking about -personal- responsibility. It's a big difference. Corporate 'responsibility' entails keeping the users from abandoning their products.
. .. . .. --- ....
@albert
Not all commercial software comes without warranty - just generally not software directed at the general public unless it simply allows for a refund without requirements to fix bugs. Generally speaking, whenever software needs to be regulated (e.g. flight software) any software is going to require a warranty.
And no, there is no personal responsibility to fix that software either. If you aren't getting paid, then you have no personal responsibility to maintain any of the software you wrote. If you wrote software and it turned out there was a bug that is causing havoc to those using it then you can lie back, decide not to worry about it, and sleep comfortably knowing that unless you advertised otherwise, you have absolutely no responsibility to take any corrective action whatsoever. As long as you provided the source code, they can fix it themselves or pay someone else to fix it.
@Anura,
You totally missed the point I was trying to make.
. .. . .. --- ....
-- submitted from IRC