How The NSA Secures Computers 209
An Anonymous Reader wrote to mention an NSA site covering secure configuration guidelines for a number of operating systems. From the site: "NSA initiatives in enhancing software security cover both proprietary and open source software, and we have successfully used both proprietary and open source models in our research activities. NSA's work to enhance the security of software is motivated by one simple consideration: use our resources as efficiently as possible to give NSA's customers the best possible security options in the most widely employed products."
Great Idea.. (Score:3, Insightful)
Re:Great Idea.. (Score:4, Insightful)
Uh-huh. And there comes a point where security impinges on usability to an unsatisfactory degree. Sure, not having your computer hooked onto the net will make it incredibly secure compared to if it were hooked to the net. But if you need to use the internet, then this level of security makes it unusable.
Re:Great Idea.. (Score:1)
Re:Great Idea.. (Score:2)
Re:Great Idea.. (Score:2)
Re:Great Idea.. (Score:2)
Re:Great Idea.. (Score:2, Insightful)
Re:Great Idea.. (Score:5, Informative)
The guides are a valuable learning tool, too, and a number of companies have followed the idea. In fact, when Microsoft wrote its own guide for securing Windows 2003, the NSA decided that it was comprehensive enough that they didn't have to write one themselves. NSA even went so far as to mirror it themselves [nsa.gov], presumably for government convenience.
The pace of the documentation has slowed significantly; for a while, there was a new guide coming out every month or two. But every so often, they cover new topics such as evaluating wireless IDS, as well as some other more esoteric titles like So Your Boss Bought you a New Laptop...How do you identify and disable wireless capabilities [nsa.gov]. You can see a complete list of titles here [nsa.gov].
Go try reading the original material before criticizing it. You might actually learn something and be able to earn your karma through something other than a cheap shot.
Re:Great Idea.. (Score:3, Funny)
BOOM! (Score:3, Interesting)
Re:Great Idea.. (Score:3, Interesting)
huh? (Score:5, Funny)
Re:huh? (Score:2)
Yeah, they're called taxpayers
Re:huh? (Score:2)
Re:huh? (Score:2)
Re:huh? (Score:2)
Re:huh? (Score:4, Interesting)
I know you're joking, but I believe the intelligence community generally uses that term. Either "customers" or "consumers", as opposed to "producers", of course. I know most of the government refers to other departments, agencies, and offices as their "customers".
From NSA.GOV on SIGINT [nsa.gov]:
NSA's SIGINT mission provides our military leaders and policy makers with intelligence to ensure our national defense and to advance U.S. global interests. This information is specifically limited to that on foreign powers, organizations or persons and international terrorists. NSA responds to requirements levied by intelligence customers, which includes all departments and levels of the United States Executive Branch.
And on Information Assurance [nsa.gov]:
NSA's Information Assurance Directorate invites government employees throughout the nation to take advantage of the products, services, and programs we offer to help you secure your critical information systems. Peruse our TEMPEST product lists and descriptions to find exactly the product you need. Discover what the IAD is doing to ensure the security of the emerging Global Information Grid. Download the latest security guides, or enlist the services of IA professionals to help you engineer secure systems or assess the security of existing systems. Learn more about national-level IA programs like those available through the Interagency OPSEC Support Staff and the Information Assurance Training and Rating Program. Or register for IA-related events and conferences to get up-to-speed on the latest IA technologies. Whatever your Information Assurance needs, the IAD is here to help.
In short, their customers include the entire military, who will receive intelligence reports that may be based on sigint information. Other customers include the state department, which might want to know if the NSA manages to get an intercepted telegram of Germany asking Mexico to declare war on America. Or maybe the president wants to know what kind of porn Usama Bin Laden likes to look at. Either way, according to their website, the NSA is tasked to do this stuff by other agencies, who then use that information to do their job. This gives them bonus points when justifying their budget, so it is the government equivalent of being directly paid to do the work. This is quite definitely a "customer".
On top of that, since the NSA knows so much about communications, networks, computer systems, and the security of these systems, the NSA is the de facto expert, hence they're also responsible for helping ensure that government computer systems are secure. They say they send advisors to help people out, and I'm sure they have some sort of responsibility for classified networks as well. It's in their best interest if the US has a well-secured communications infrastructure. I'd say it's the digital equivalent of using a sniper as a counter-sniper. But this means the entire government is also their customer. At least anyone who needs their computers to be secure.
So yes, I'd say the NSA has a lot of customers.
As for the comments about "the NSA may as well have said that you should just unplug your computer from the internet", I remember an ask.slashdot question a while ago where a guy asked for advice on securing his business computers for some classification certification. A lot of the replies basically said that the computers couldn't be on the internet, period. From my past experiences with having computers online, I'd have to agree that it's a bad idea to have a computer with sensitive data on an open network like the internet.
not only operating systems, (Score:5, Informative)
... but there are also a few guides to the applications security available: http://www.nsa.gov/snac/downloads_all.cfm [nsa.gov]
my favorite are Cisco IOS and Microsoft CA guides
Crushing defeat. (Score:5, Interesting)
The NSA buys lots of our gear, the large multi-terabyte enterprise-class disk storage arrays. In the case I heard about, there were a small handful of boxes. We keep track of the code loaded on each of them for support reasons, so we have a good sense of where each box is and what it's doing.
Our warranty on those arrays is 3 years.
At the end of the warranty period, it is the policy of the NSA to replace the gear outright and start fresh. What we learned was, these boxes had never been put into operation and sat on their shop floor as "excess capacity" (happens in the larger shops, it's a good idea). They had never been attached as storage to their mainframes.
The NSA crushed them. Brand new, unused and perfectly functional with ZERO data on them. Crushed to scrap.
That hurts, guys. It really does. My tax dollars paid for them, my sweat and tears makes them run, and the gov't just hauls them outside and crushes them when they can't get support via the original warranty terms. They will never let a shred of data leave their shop for fear of losing control of classified info, but damn, these never had any!
Why do they treat our tax money so callously?
Re:Crushing defeat. (Score:5, Insightful)
It's cheaper to replace a 3 year old disk array than it is to do all the paperwork necessary to prove that it was never used.
^BumP^ (Score:5, Insightful)
Part of it is that they pretty much have to spend their budget, or it'll get reduced during the next cycle.
The other thing is, lets say that they rip out all the HD's and RAM in order to auction off the hardware... well, someone has to do that, someone has to file a bunch of paperwork (in triplicate, everything is in triplicate), someone else is going to file the paperwork that's just been generated, someone else has to make sure the HD's & RAM get destroyed, more paperwork...
The costs can snowball very quickly. It may seriously be cheaper to de-mill the stuff and buy it again.
Re:^BumP^ (Score:3, Interesting)
I work in the French civil service, and the rule here is that we change computers every 3 years. I'm due to get a new toy in December.
I told the person in charge that I'm happy with my current machine, and was willing to keep it. I was answered that by using a machine out of warranty, I risk creating extra hassle when it breaks down, and that the salary I'd spend on changing a disk drive would more than offset any savings.
How you should argue back. (Score:2)
By that same token, we have a couple servers that date back to
Re:^BumP^ (Score:2)
Hmm.. I'm afraid I sympathize more with the original poster, since he actually did work and felt emotions about this hardware. I certainly wouldn't want to make something so that it could be destroyed, regardless of the reasons. And if the NSA has to destroy things in order to keep their budget, that makes me suspicious that their budget is too large. And something makes me doubt that the NSA has to re-defend and earn its budget every single year. It's probably more
Re:^BumP^ (Score:2)
Re:Crushing defeat. (Score:2)
Because the data they protect is very sensitive (Score:5, Insightful)
When it comes to spy games, there's no such thing as "parinoid enough".
Re:Because the data they protect is very sensitive (Score:2)
I can see why they wouldn't want it on the open market, but it is hard to see other branches of our gov as the "enemy".
Re:Because the data they protect is very sensitive (Score:2, Informative)
Because it could eventually leak to the public (Score:3, Interesting)
Well some foriegn spy agency then buys the hardware, and usin
Beware bad players (Score:4, Insightful)
Re:Crushing defeat. (Score:4, Funny)
Re:Crushing defeat. (Score:5, Insightful)
Re:Crushing defeat. (Score:5, Insightful)
Re:Crushing defeat. (Score:2)
Re:Crushing defeat. (Score:2)
Re:Crushing defeat. (Score:2)
Re:Crushing defeat. (Score:2)
When you have 500 or 1000 or more machines to look after, you don't want to be fiddling with old machines.. you want to pick up the phone, call dell, and have the replace the part with another new part immediately, and keep on trucking. Tracking individual repairs on a variety of hardware is a royal pain in the
Re:Crushing defeat. (Score:2)
Dealing with gov. entities (Score:2)
If you must talk about stuff here, do NOT say which federal agency it is.
If you must say some thing, it is best not to be too specific as to the situation.
If you have a difficult time not talking about something like this, then avoid the areas that piss you off so you are not tempted to post here concerning these kind of incidents.
Yes, I know that you did not take a loyality oath, and likewise, you do not see how this info can possible be used against the feds. But even this po
Re:Crushing defeat. (Score:2)
You could create a system that would allow hardware like this to become reused. And if it ever broke down, information improperly classified, a drive left in a system and sent to DRMO, it could cost a human life.
They treat the money callously because it's just money. The alternative is to treat human lives callously.
The government is doing the right thing in this case.
If it were my money, directl
How could you know this? (Score:2)
Some classic examples of this in practice? One fa
Re:Crushing defeat. (Score:2)
Re:Crushing defeat. (Score:2)
1) There'd be no more BS TS classification of useless inanities which does nothing more for national security than create busywork for people pushing pencils.
2) We'd quit wasting taxpayer money safeguarding 20-year old military secrets that other nations discovered independently 10 years ago.
For cripes sakes... won't somebody think
guide to XP (Score:5, Funny)
NSA guidelines (Score:5, Interesting)
Re:NSA guidelines (Score:5, Interesting)
Re:NSA guidelines (Score:2)
Re:NSA guidelines (Score:2)
Re:NSA guidelines (Score:2)
Emerging Security Issues Involving the Presence of Microphones and Video Cameras in the Computing Environment
It is located here:
http://iamsam.com/papers/sigsac/sigsac.htm [iamsam.com]
It cites the actual CERT (Carnegie Mellon University Computer Emergency Response Team) Microphone Advisory:
CERT CERT ADVISORY CA-93:15
There is also a revised version from 2000 here
http://iamsam.com/papers/emergent_security_issues_ 2000/emergent_security_issues_ [iamsam.com]
Re:NSA guidelines (Score:2)
Nonsense (Score:2, Interesting)
Just as an example in the computer class of my university they tried to deny us access to floppy drives by clearing FDD type in BIOS and setting the BIOS password. This didn't h
Re:Nonsense (Score:2)
Re:Nonsense (Score:3, Insightful)
Don't be silly. There are no certainties in security, just probabilities. Every obstacle you add filters out a few more bad guys who don't have sufficient time and skill to overcome that obstacle, thus reducing the probability of compromise.
Slashdotted? (Score:5, Funny)
Re:Slashdotted? (Score:5, Funny)
Re:Slashdotted? (Score:5, Informative)
Coral Cache works beautifully [nyud.net], although directly from site wouldn't for me, neither would google's cache.
Impressions (Score:3, Informative)
Anyway, not a bad guide for beginners (as it's supposed to be).
Linux (Score:5, Funny)
Re:Linux (Score:5, Informative)
Re:Linux (Score:3, Informative)
SELinux is a neat solution to a problem that few users have.
Re:Linux (Score:2)
Eheh (Score:4, Insightful)
American tax dollars hard at work to keep my socialist PC running nicely. Got to love the modern world.
Afraid that the US goverment (the one that makes speeches) might be firmly up MS backside but the parts of the US goverment that actually do stuff seem to like linux.
Re:Linux (Score:2)
Why do we get this from the NSA? (Score:2, Insightful)
Re:Why do we get this from the NSA? (Score:2, Insightful)
MOD PARENT UP AS FUNNY (Score:2)
IN SOVIET RUSSIA.... (Score:2, Funny)
Slashdot and national security (Score:3, Insightful)
Goddamn brainless manager-speak (Score:3, Funny)
No fucking shit. Suppose somebody said "let's use our resources INEFFICIENTLY! And given our title of NATIONAL SECURITY AGENCY, let's NOT PROMOTE THE BEST SECURITY OPTIONS!" Would anybody really jump up and say "that's a *brilliant* idea!"?
Hell no.
Look, to anybody with any common sense at all, it's implicit in any organization that efficiency is important. But so is security. So is safety. So is customer satisfaction. So is employee satisfaction. So is profit (if a private for-profit org).
Is it *really* especially insightful to say "we should be efficient!" anymore? Or, now that 9/11 has warped our psyche to care singlemindedly about security (almost invariably at the expense of liberty), that another top priority is security? Not to anybody with a brain.
Why do we pay people to make such broad, fucking-obvious statements again? To remind us of what we already have known since we were teenagers?
Oh yes, I swear here and ruthlessly criticize somebody for making statements that have coincided with the goal of economy (implicitly or explicitly) for the last 230 years. Mod me troll now.
Re:Goddamn brainless manager-speak (Score:2)
Actually, it hasn't — 9/11 has warped our psyche(s) to single-mindedly care about *fear*, which is pretty much the exact opposite of what you need if you want security. We're all just running around like chickens scared by the hawk, and those who want to curtail our civil liberties are just using the chance to push through their legislation now, in the name of "security
Re:Goddamn brainless manager-speak (Score:2)
I should've more-accurately said that our *rhetoric* is single-mindedly about security, even if our actual *practice* is single-minded fear.
Re:Goddamn brainless manager-speak (Score:2)
Considering my quote was of the NSA's guiding principles (efficiency, security), the project derives itself from the things I quoted.
I then proceeded to ridicule those guiding principles. How is that unrelated to the project? And in turn, since the point of this article was relating to that project, how was my post "missing the point"?
Also, look up the word "semantics" [google.com] sometime. Semantics is the linguistic study meaning of language, but my post has nothing
BSDs? (Score:2)
I'm assuming there isn't much to do to OpenBSD and NetBSD.
Re:BSDs? (Score:3, Interesting)
I run two colocated web servers on NetBSD. Both are stock installations and I haven't had any problems. The one thing I would like to see change is that a single IP address can do a dictionary attack on sshd for hours on end without OpenSSH saying "ok lets not listen to that IP address for a while.
Getty does this, or something like it, why not ssh?
Re:BSDs? (Score:2)
I had a lot of dictionary attacks on my sshd. My first solution was a one hour blacklisting of every IP address which tries dictionary attacks. Now I switched to port knocking, which seems even more secure and convenient to me. I use a relatively simple port knocking sequence but that is more than enough to fight off any script kiddie.
Re:BSDs? (Score:5, Informative)
Unless you have weak passwords, then this is not much of of a problem.
In the sshd_config you may disable password logins, and login using a certificate. In addition, you may specify which users/groups that may login:
Many of those automated attempts to bruteforce sshd is run from a Linux machine, so a simple fix (if you use the OpenBSD packet filter that is ported to NetBSD) is qute simply to drop all packets to sshd that is sendt from a Linux computer.
Re:BSDs? (Score:4, Informative)
Re: Dictionary attack on sshd (Score:2)
The delay setup you outline should not be step one but step two. The first step is to use tcpwrapper around sshd to limit your exposure. The kiddies cant do their dictionary attack if they cant reach sshd in the
Special type of Linux (Score:2)
Re:Special type of Linux (Score:2)
Alternative source of info (Score:4, Funny)
.
.
.
.
.
.
.
Note to NSA and FBI: This is a Joke. Honest.
Link to NIST Server Guide? (Score:4, Informative)
http://csrc.nist.gov/itsec/guidance_WinXP.html [nist.gov]
Is there a comparable server guide?
OS X already ready for government? (Score:5, Interesting)
(for those interested, in 10.3, do Go, Go to Folder...
Re:OS X already ready for government? (Score:3, Informative)
There's some information here [apple.com] about the additional secure authentication methods OS X supports.
~Philly
Re:OS X already ready for government? (Score:2, Funny)
1000 Warheads. Impossibly Small.
Ah (Score:3, Funny)
Now wonder its been ./ed (Score:2, Funny)
NSA.com (Score:2)
Re:NSA.com (Score:2)
In related news (Score:3, Funny)
*blinks*
Winzip claim and credibilty (Score:3, Funny)
Maybe they are just sponsored. Or is that "bribed" when it comes to governments?
Re:do not confuse /. with \. (Score:5, Funny)
Careful now you might piss of some Vietnamese twins in South Africa if you mention that again.
not needed! Re:Missing guide? (Score:2, Informative)
I guess linux does not need it ;-)!
Before you start bashing me, yes, you can make an insecure linux box. And I really would like to see a guide for linux as well! But hey, I am not a NSA custome
Re:not needed! Re:Missing guide? (Score:3, Informative)
Re:not needed! Re:Missing guide? (Score:2)
Your linux box must be insecure (Score:2)
$ whatis themeaningoflife
themeaningoflife: nothing appropriate
(laugh it's a joke; although the command output is not!)
Re:Missing guide? (Score:5, Informative)
Re:Missing guide? (Score:2)
As others have said... let the flames commence.
Re:Missing Option(s). Kinda. (Score:4, Funny)