80 comments

[ 2.5 ms ] story [ 115 ms ] thread
Do you want insecure systems, massive fallout from leaked pwning tools and thieves taking the world prisoner? Because the NSA's strategy so far is how you get insecure systems, massive fallout from leaked pwning tools and thieves taking the world prisoner.

I wonder how the dialectic will play out in a worst-case scenario if we get to that point.

It would be worth months of serious global computer outages, to bring NSA under control of elected officials. I fear we'll get the former without the latter...
Elected officials in charge of the NSA isn't a desirable result. They will just replace the leaders with people loyal to them and we're in the same situation.
If elected officials aren't already in charge of the NSA, who is?

Does the NSA literally report to no one?

Technically the military is in charge, who report to the elected officials. But a battle between politicians and an intelligence//counterintelligence agency seems one sided.
The idea that NSA are under military control is also pretty fanciful. That almost plays against the spooks in the current situation, however. It inspires some skeptics to notice the puppeteer's hand the spooks have run up the media's ass, constantly searching for any narrative that could bring the current officeholder under their thumb.
Don't kid yourself, he is already under their thumb. Look at his proposed budget, three things had a budget increase and two of them contain intelligence organizations. These groups aren't unified.
Haha yeah that's tough. It's kind of a bleak view, that all of the big tribulations of our world are nothing but the dog being wagged while different factions of the intelligence complex play petty meaningless games of king of the mountain.
This logic doesn't quite hold up. The NSA discovered the flaw. No one knew about it before them.

If the NSA didn't discover it, the world would be equally insecure. The fact that they weaponized it and then lost control of it is a secondary effect at best.

> No one knew about it before them.

That we know of, it's entirely possible that other governments have been using the same exploit and that this could have been prevented with NSA disclosure.

...and yet, no one has anything to say about the companies that have been complicit in maintaining backdoors.

Really, I hear so many parrot the party line about how Windows simply has more exposure due to volume, and so that's where the money is, so that's where the hacks open up. But I really just don't believe that's why Windows security is just swiss cheese sealed off with duct tape.

Again and again, since oh... 2006-ish? It's like Munchausen Syndrome by Proxy. Eventually the child is ill frequently enough, that the doctor has to question what the mother is doing wrong.

Windows has been this smoldering dumpster fire of nothing slightly secure. At first, it was reasonable to suspect that ubiquitous broadband was some kind of game changer, and people had to adapt to new realities.

But a decade later and it's still happening. So, do we get to say the magic word yet?

Who dispells the taboo of whispering "backdoor" about these kinds of things?

Oh dude, downvotes on Hacker News... double-plus-ungood!

Much disdain! Such taboo!

We've banned these accounts for violating the HN guidelines and for using multiple accounts abusively in the same thread.
Eh is there a bigger taboo on a claiming to be open minded comunity then "i dont want this discussed - i want this censored by the vox populi"
There's no taboo, there's just not enough evidence to rule out incompetence.
Projects the size of Windows may easily contain enough "organic" bugs to keep all the NSAs of the world happy without adding anything new.

However, backdooring of security and cryptographic products by the NSA and others is a thing:

https://news.ycombinator.com/item?id=14335730

There is no hard proof that NSA did any of these backdoors, but they clearly do something of this kind, given data in the last link.

> But I really just don't believe that's why Windows security is just swiss cheese sealed off with duct tape.

If you're basing your argument solely on what you, personally, believe or don't believe in, can you provide some credentials to back up your status as a security expert? Or, at the very least, OS developer?

What is there to gain, say for example, if this wasn't an accident?
very little? nsa loses both the ability to use their classified exploits when they're burned (or at least use them as effectively), and they lose out in the PR arena for looking like they can't keep a lid on their own secret weapons, at everyone else's cost. those are extremely severe costs, particularly the latter. i really can't think of any potential upside that isn't trivial in their shadow -- the $30k in bitcoin ransoms people have ponied up?
> the $30k in bitcoin ransoms people have ponied up?

Smokescreen for your $N if you're a rogue agent selling your exploits to another organization - or simply claiming some part of the ransomware pie? Just because the NSA as an organization is paying the price, doesn't mean you as an individual agent are.

Of course, this requires the gumption to think you'll get away with it.

Draconian laws to ensure "security".
Liability.

If the NSA was actually forced to be liable for the damage of their hoarded 0-day's should they leak, that might have a bigger effect than any 'guidance' I would imagine politicians might pass in a law. I hate to suggest something that involves yet more lawyers, but its amazing how effective that can be to make people in charge do some serious risk-assessment analysis about what they hoard and for how long.

How would this work for a private individual? Would this help create a precedent for private security researchers where they might be held liable for not disclosing 0days?

I agree that this would definitely curb potential damage, but I'm not sure if this is exactly the right way to go about it. NSA is first and foremost an intelligence agency. What do you think the best policy is for maintaining an effective arsenal and maintaining "0day responsibility"?

There isn't one. Report the vulnerabilities to the vendor and move on. The trade off is too dangerous. Do you stockpile munitions that can damage global infrastructure so you can target a small number of individuals? No that's just stupid and irresponsible.
Is there any legitimate reason to hold 0 days without disclosing them to the vendor? There probably are reasons I haven't thought of, but do they apply to as active a company as Microsoft?

Edit: I think I misread this and you're asking in the context of the NSA holding them. I still doubt there's a way to do it responsibly, so they probably shouldn't be doing it.

Sure there is a legitimate reason to withhold them, though many would say it's not a very ethical one: money. Private researchers hold them for sale to the NSA and other agencies all the time. Here are a few exchanges (there are also high end "agents" - akin to Hollywood agents - that broker these deals):

[1] https://zerodium.com/

[2] https://www.mitnicksecurity.com/shopping/absolute-zero-day-e...

And some info on this market: https://en.wikipedia.org/wiki/Market_for_zero-day_exploits

Every possible job doesn't need to exist. We shouldn't put the whole online world at risk so a handful of people can make a buck.
I would say there is a difference between having a bare-bones proof of concept and a fully developed malware.
>>What do you think the best policy is for maintaining an effective arsenal and maintaining "0day responsibility"?

I think the best policy is for them to not maintain an "effective arsenal" at all, the second they find a vulnerability they should report it.

It's not a crazy thought to think people may actually sue the government.

Under centuries old law, all someone would have to prove to make the government liable is that the government (1) was the cause (2) of damage (3) that was the result of their negligence. The negligent part will be tricky, as the NSA was probably using the best tech available to protect their secrets. Also, proving #1 may be tricky as most of the information you would need to prove it is highly classified.

NSA is also responsible for the defense of government computer systems and communications. There may be a duty there, to ensure email from a the government is virus free. If someone can show their worm came from a .gov address, there might be something there.

The NSA made the dangerous part of the weapon, and then they lost it. They knew they lost it, and didn't do enough to harden fed computers. The government isn't allowed to just randomly attack someone, but attacked my hypothetical person that can prove the attack vector anyway.

Of course, i'm not a lawyer.

> NSA is also responsible for the defense of government computer systems and communications.

Incorrect, with the exception of DOD (and even there it's shared with DISA).

> didn't do enough to harden fed computers.

Interesting statement considering there have so far been 0 cases of fed computers being exploited. That figure is from US-CERT, the entity actually responsible for defending Federal systems.

1) looks like the mission has been adjusted, they simply take the lead in information assurance now. Although, a foreign power seizing control of government computers to make unauthorized transmissions sounds like something a jury would think the NSA should be responsible for.

2) Indeed, my entire argument depends critically on the existence of a .gov propagating the worm.

what do you expect them to do - (as long as they exist?) Threaten their employees with torture for leaks?

I mean these things are pretty much why the NSA exists, it's kind of its mandate. It's not like their employees don't know they're really, really, really, really not supposed to leak their whole horde of zero days, or protect it to the utmost. these things weren't in a dropbox with the password "password123" or something...

what do you expect greater "liability" to do exactly? (Of course this is assuming the agency continues to exists, which you're kind of presupposing when you write "if the NSA were actually forced to be liable")

Edit:

Don't know why I'm getting downvoted...could you explain what changes to their operating procedured you would expect them to make, if they had greater liability?

It's important to remember that the NSA isn't why the world was insecure. The NSA discovered the flaw. That's their job.

We need the NSA just like we need a military. As an offensive cyberweapon, this exploit was operationally one of the most effective weapons that the NSA had at its disposal. Most of the world runs unpatched Windows systems, as Stuxnet showed us. This would've been the perfect tool for a similar operation.

Unless your stance is that computers should never be used by a state actor to intentionally cause harm, like the military, then you can't logically also hold the position that the NSA should voluntarily neuter its own arsenal.

I don't like it either. But the alternatives seem objectively worse.

Them working with the industry on making your country secure doesnt seem like a bad alternative.
Iran becoming a nuclear superpower seems objectively worse. And it was thanks to cyberweapons that this was delayed.
Sure, lets ignore deplomacy failures and the CIAs misdoings in actually enabling and even partially triggering that pathway and make sure we endanger the whole planets network to get an edge in a war were too proud\patriotic to think differently about.

That way of thinking is whats making us need cyber weapons. Not to mention it shapes foriegn policy.

Iran becoming nuclear is a direct result of US Intervention in the region. so yes if we did not have a CIA then Iran likely would not be attempting to become Nuclear today

CIA is attempting to clean up their mess

I agree, but I also think it's an incomplete answer to the situation.

I think that it's unreasonable to expect there not to be some sort of acting technology strike force within the US government, on the sole basis that they wouldn't let themselves fall behind as a super power in this manner. For the sake of one-upmanship alone I imagine this is happening. But as to what it should be doing? That needs to be reviewed.

Cyber weapons aren't traditional weapons - cyber weapons are nigh-infinitely replicable, easier to lose control over, fast and easy to redistribute, and they're just as harmful to US civilian targets as they are to political/miiltary targets. They're unconventional warfare in that once you let it go, it's almost impossible to reel it back in, and the current state of technology just lends itself to so much collateral damage by the nature of software dependencies. A lot of places have no control over the dependencies for their mission critical software, and either no money for better alternatives or legitimately no alternative.

Cyber weapons are going to be a weird thing for a very long time, since they have the same uncontrollable nature that a lot of banned weapons have, but they don't have the same immediate impact or lasting effect [1] that munitions, chemicals, and so on have. The lack of an immediate real world impact (read: a 'boom' or something toxic) is going to make it a challenge for people to see how damaging this an really be.

[1] - I mark this because I think it's arguable how lasting the impact for any given bit of malware can be. There can be a lot of long-lasting damage if major infrastructure pieces are targeted, or downing entire networks, ruining small to medium businesses, and so on.

And how would that liability work, exactly?
This kind of thing is going to just keep happening, and there's really not a whole lot anyone can do to stop it.

It's been an escalating war of intrusion capabilities among nation-states for the past 20 years, and when some of those weapons are released into the wild, this is sometimes the result.

It's even more horrifying that, as a US citizen, I'm one of the people who paid for this work.
Huh? The NSA didn't create the exploit. Oh, it's Gizmodo. Why is this garbage on HackerNews.
Yes they did. Nobody so far has posted a reverse engineering of exactly how EternalBlue works (I saw an article in Chinese but it was hard to tell if it had a real explanation given the auto-translate). WannaCry is simply using the actual NSA exploits, compiled, direct from the ShadowBrokers leaks, along with the DOUBLEPULSAR "implant".
The commentary within the metasploit module for MS17-010 [1] should count for posting 'a reverse engineering' or at least some meaningful analysis of moving parts within EternalBlue SMB exploit.

The researchers involved are @zerosum0x0 and @JennaMagius on twitter. Their work has been impressive (including eliminating a 10 second delay in some of the exploit chain iirc) if you ask me.

Of course I don't disagree with the content of your post - it does appear that the release of a working exploit has driven the release of this malware, rather than the release of the MS patch, or a description of the vulnerability in general (such as within the CVE).

[1] https://github.com/RiskSense-Ops/MS17-010

I looked there. It doesn't explain anything beyond mentioning that the exploit involves heap manipulation.

The Metasploit eternalblue module simply runs an interpreter for a long set of commands that send massive binary blobs over the wire in a particular sequence. To me this looks like a cleaned up WireShark trace rather than anything based on true understanding of what it really does. As far as I can tell the only people who understand what these packets are doing to Windows are TAO and probably one or two developers at Microsoft.

You actually believe that the NSA created this exploit? I'm struggling to understand the logic on this page. I've never seen so much misunderstanding and misleading nonsense on a HackerNews topic.
> NSA created this exploit

I don't believe that, however I do believe they sat on this vulnerability without disclosing it to Microsoft. This particular piece of software may not be theirs, but it may as well be.

Doesn't particularly make a difference, given that this issue is about users not upgrading (for whatever reason) their windows XP installations. Would the exploit having being disclosed by the NSA or by someone else have changed the fact that these users would not have upgraded and gotten a patch?
Can I have my cake and eat it too?

People should keep systems under their responsibility up to date.

And people should disclose security vulnerabilities.

Um, a LOT of drivers broke on the change from XP to Vista.

If you controlled a piece of hardware, you may not have had a choice to upgrade.

The lesson is that closed-source is anathema to a good security policy.

No, I don't believe it. I believe that they sat on it, during which time their salaries were being paid by the taxpayers.

It's a bit horrendous because the NSA would have us believe that they're supposed to work proactively on the behalf of Americans. But then again, we all know that's not what the NSA actually does.

Didn't they?

My understanding is this happened:

* Microsoft writes codes with bugs

* NSA writes exploits for said bugs and a worm based on them

* ShadowBrokers leak the NSA exploits and worm

* Random hackers take the NSA worm and combine it with a ransomware payload

So the NSA wrote the exploits and by not reporting the vulnerabilities they found they exposed the public to others finding the vulns or their findings and/or exploits leaking.

I guess it will unfortunately take a long time for the world to realize that the rules of "cyberwar" are different from the conventional military. (Of course, there's a lot of literature from security and cyberwar researchers, but that doesn't seem to reach the politicians.)

You can't just pour money in offensive capabilities of your intelligence agencies, as is currently done in most countries, and hope to "win". Your exploits and zero days will be stolen, your critical systems will be weaker (because you intentionally weakened them or didn't disclose vulnerabilities) and you simply can't control the weapons you created. Worst of all, the weapons developed by state actors will fall into the hands of ordinary criminals, which makes for an even more complicated world.

How is that any different from manufacturing physical arms that somehow end up in the possession of some enemy foreign power?
It's vastly faster and more reproducible, enough so as to make it a different environment with different considerations.
It's more akin to manufacturing portable arms factories, that can also replicate themselves.

Lose one and you're SOL.

SOL except that the arms can be rendered useless with a simple update in defenses.
Except it could be a simple update after substantial damage has been done.
(comment deleted)
Yeah, and when the US power grid is offline for three days due to latest NSA cyber toy to get out of fucking Fort Meade, I'm sure the priority of those people stuck in an elevator or families watching their loved ones die due to a life support system failure will be to fucking update Windows XP.
If that were to happen it would be more the fault of power companies that do not have critical systems well protected. Fort Meade is hardly the only entity developing these sorts of exploits, so you have to expect them. The patch for this has been out for a while now.
A simple update applied to a few hundred thousand of people, most of which don't work for you or know enough to care.
If the vulnerability had come from Google Project Zero, the same worm could have been created. The only difference is a lower barrier to entry, but with enough malware authors out there, even GPZ's descriptions are enough to cause vulnerabilities to turn into exploits in the wild. Why does the discoverer of a vulnerability matter if the vulnerability was patched before it was publicly announced?
Physical objects take dollars and time to design and produce at scale. Most of these vectors take time to design and money for living and the initial computer, but the implementation of them takes almost no money nor time (ok, yes a few miliseconds and the electrical power, but it's basically nothing). Corey Doctorow has said it best : "A lot of threat modeling is based on something like economic rationality by your adversary: you assume that no one would spend $10 to steal $1 from you. But with nitwits, all bets are off: this isn't about designing a safe to keep out a smart mastermind cat-burglar, it's trying to figure out if a drunk and belligerent dudebro will walk up to you on the street and punch you in the face to blow off some pent-up hormonal steam."

(https://boingboing.net/2017/05/13/heroism-through-domain-squ...)

That's exactly right. The strongest offence is a good defense.
The US government will attack Bitcoin - both technologically and politically instead of taking responsibility for this.
Why can't Microsoft or NSA or whatever good samaritan use the same vulnerability and attack vector to force-spread the update or at least a patch of some kind?
It would be a good thing if they were releasing something like that asap, but the network effects of the existing attacks will continue to dominate for quite some time.
Because such entities, even when acting in the public good, would be breaking the law if they did. Those who publicly act in the public good usually try not to break the law to do so.
Could not the president easily issue an executive order asking NSA to use the hack to protect everyone?
EOs cannot violate the law, or compel someone to violate the law. Could the president issue such an executive order? Potentially. But that does not mean it gets carried out, or is legal.

Do you think this president would? I don't think it terribly likely, and if I heard that he was about to, I'd probably start booting Linux for a few months, because I would wholeheartedly suspect that it did more than just patch effected systems.

If you want to stop this arms race of ransomware, STOP HOARDING ZERO DAYS