The NSA's program of tech sabotage created the Shadow Brokers

Originally published at: http://boingboing.net/2016/08/18/the-nsas-program-of-tech-sab.html
…

“Imagine if you didn’t have any Cisco exploits,” he says. “You’d be unable to report on terrorist movements, on Russian and Chinese movements….This is the necessary bread and butter of getting intelligence work done in this day and age. We need to get used to it.”

Assuming, of course, that the “terrorists” use Cisco networks. Instead, perhaps, of using asymmetrical approaches such as burner phones or other methods that don’t involve large fixed assets.

Also assuming that the Russians and Chinese are so dim that they trust Cisco (etc.) with their security because, well, they’re not smart like us. Or something. They certainly aren’t capable of finding bugs without someone (like us) to tell them.

Or, of course, this is just a smokescreen. Security theatre. Because the Russians, Chinese, and “terrorists” aren’t stupid [1] but that’s OK because they aren’t the main targets anyway.

[1] Ask any sophomore engineering or chemistry major to name ten ways to bring down a plane that the TSA doesn’t screen for. You’ll get more than you asked for.

No, its better. All his whole disingenous speech about how this is absolutely necessary for “national security” can be boiled down to this:

For us to do our definition of “national security”, everybody else should be insecure, not only at risk of us using those zero days, but of ANYBODY using this.

So, the price for the NSA doing “their job” is that EVERY SINGLE OTHER ACTOR HAS THE SAME CAPABILITIES. That includes terrorists, foreign goverments, mafias. etc.

So, yea, the price of security is insecurity, great job

War is Peace.
Freedom is Slavery.
Ignorance is Strength.

This guy actually thinks that the sort of people skilled in the art of crafting exploits wouldn’t find getting paid to craft neat exploits rewarding enough to do unless explicitly cancelled?

No, I’m sure it wasn’t 100% giggles; but you don’t exactly use conscripts to do your fancy hackery and the salary probably isn’t competitive with the (risky, but sometimes atmospheric) payouts for successfully floating some social/mobile app nonsense.

They clearly had to sell somebody on the value of the work in order to get it funded; but there’s no reason to suspect that they had to sell anybody on the overall-positive value of their work to ‘national security’ rather than a much narrower pitch to ‘will let us spy on our enemies’.

OMFG - how the idiots at the NSA didn’t see this coming is beyond me - it’s that which should be criminal. How can they “protect us” if they don’t even know how to predict the obvious outcomes of basic actions?!

How much does the NSA get to screw up before they get called to task for it?!?!

The Law of Intended Consequences: When a moderately intelligent and informed actor takes an action that could reasonably be expected to produce something like a certain outcome and that outcome occurs, an observer is justified in concluding that that outcome was intended or at worst considered acceptable.

Locked doors interfere with law enforcement.

Since we discovered a flaw in Schlage locks, we can enter about 30% of homes freely.

Rather than inform Schlage (or the owners of their locks), we’ll search for flaws in other major brands to increase our access.

…for legitimate law enforcement, of course

This is kinda what baffles me about the DNC breach. One of the two main parties in the US, the one that currently controls the levers of power, and probably will continue to for at least the next four years, was breached by a foreign power, the domestic security apparatus knew about it, but did nothing because to reveal knowledge of the breach might reveal “sources and methods”??

WTF is the point, if all they going to do is afterwards say “oh, yeah, we knew about that but didn’t tell anyone, 'cos then we mightn’t know about the next one we wouldn’t do anything about.”

Exactly what ‘national security’ end is being served here? The DNC breach is the latest example, but there are several other, similar cases from around the world over the last few years.

Talk about your self-licking icecream.

We have repeatedly discussed how internet attack is contrary to our own interests. Here is one example from a couple years ago.

The problems with internet attack start with the battleground. Of all the nations in the world, the US is probably the most vulnerable to internet attack. We have the biggest surface area. We also are the most dependent on the internet. We have the most to lose in any internet conflict. Years ago, we rationalized that it was better to wage war via the internet, then to wage war with physical weapons. This assumption has become less and less true over the years. We have now reached the point where internet attack is the easiest and most convenient way to cripple the US. We will soon reach the point where internet attack can be more devastating than any physical attack.

The next crippling aspect to internet conflict is the horrible consequences of internet weapons. We are told that internet weapons can be created, controlled and deployed with no more thought or aftereffects than a tank or a drone. Nothing could be further from the truth. Internet weapons are more like germ warfare than tank warfare:

• Every internet weapon requires tolerated (possibly encouraged and created) vulnerability within your own defenses. We all use the same internet. We all use the same tools. You can't create vulnerability in your potential opponents and somehow eliminate it in yourself.
• Internet weapons have a horribly short lifespan. If you are going to have them, you have to create new ones all the time. You have to tolerate or create new vulnerability within yourself all the time.
• Internet weapons are nothing like nukes. They don't require massive infrastructure. If the vulnerabilities exist, any nation or criminal organization with access to the internet can create and deploy internet weapons.
• You can not deploy an internet weapon against your opponents without giving them the ability to use it against you. In most cases, they can simply record and analyze the attack, and then turn around and use it against you. Also, in most cases, if you deploy an internet weapon against ANYBODY, then all interested opponents immediately get access to it.
• The time between you using an internet weapon on an enemy and somebody using it against you is almost always less than the time it takes to fix the underlying vulnerabilities within yourself.
• Since all internet weapons follow from common vulnerabilities, then any opponent can out-produce and out-deploy internet weapons against you at any time.
• Internet weapons are useless unless they are wielded by practiced people who are expert in penetrating all possible opponents defenses. The only way you have this kind of people is if they are actively attacking all possible opponents all the time. In order to have an effective internet attack force, you have to wage continuous internet war on all important opponents. if you stop attacking, you cripple your ability to attack.

We now know that the US/NSA has launched premeditated, unilateral, unannounced internet war against the entire world (including our own population) for years. We are not the only ones who do this. The first acts of this war has been always been penetration and subversion of everybody’s defenses. The second act of this omnipresent war has been appropriation of resources. It sometimes precedes further.

Based on what we know now, it is clear that waging internet war is a self destructive and criminal act against our own civilian interests. Our only sane action is to immediately engage in diplomatic actions to stop the internet war. We should immediately, unilaterally stop attacking other nations. All nations should levy diplomatic and trade sanctions against any nation found guilty of waging internet war. We should classify internet weapons as weapons of last resort. They should be considered in the same class as nukes and biowar weapons.

This topic was automatically closed after 5 days. New replies are no longer allowed.