
NSA Hacker Chief Explains How To Keep Him Out of Your System (wired.com) 70

An anonymous reader writes: Rob Joyce, the nation's hacker-in-chief, took up the ironic task of telling a roomful of computer security professionals and academics how to keep people like him and his elite corps out of their systems. Joyce himself did little to shine a light on the TAO's classified operations. His talk was mostly a compendium of best security practices. But he did drop a few of the not-so-secret secrets of the NSA's success, with many people responding to his comments on Twitter.

  • Same link. (Score:3, Informative)

    by Anonymous Coward on Sunday January 31, 2016 @09:26AM (#51408571)

    Same link as previous article, copy and paste error.

  • It seems like the only linked article is relevant to the Slashdot story immediately preceding this one...
  • by Anonymous Coward

    Sorry, the link embedded within the article is http://arstechnica.com/information-technology/2016/01/nsa-gchq-used-open-source-software-to-spy-on-israeli-syrian-drones/ [arstechnica.com], which is a link relevant to the previous story. I have no idea how that would happen, but editors should at least check the links. The correct link is actually http://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-out-of-your-system/ [wired.com].

  • by Anonymous Coward

    Step 1: Don't listen to anything the NSA (or the US government for that matter) has to say

    • Re:Step 1 (Score:5, Insightful)

      by greenfruitsalad ( 2008354 ) on Sunday January 31, 2016 @10:15AM (#51408705)

      the guy picks up a microphone and owns up to breaking constitutional rights, screwing with people's businesses and lives. the people, instead of arresting him, clap their hands and say it was a good talk. what the f**k? not even DMCA? let's all accept this lawless band of crooks, put them on a pedestal and call them elite corps

      • Re: Step 1 (Score:2, Interesting)

        by Anonymous Coward

        That's a common myth in Tea Party circles - but there's tons of legal basis for the NSA's activities in the Constitution:

        http://www.heritage.org/research/reports/2010/06/a-constitutional-basis-for-defense

        And yes, I feel somewhat dirty for linking to Heritage, but you cannot dismiss them as "liberals".

        • Re: Step 1 (Score:5, Insightful)

          by sumdumass ( 711423 ) on Sunday January 31, 2016 @10:48AM (#51408831) Journal

          No need to inject liberals or tea party circles into this. No one mentioned them and I would bet you would/could find several people on any side you picked who think there is a problem too.

          The US constitution does not place national defense above the US constitution though. This is problematic to the national defense trumps all argument because the 9th amendment specifically spells out that the enumeration in the constitution shall not be used to deny other rights held by the people. While the constitution generically spells out national defense, it specifically places reasonableness and warrant requirements for searches and other things.

          But let's explore this a bit. In the name of national security, some say the government can ignore the US constitution and invade a citizen's or local business's network, computer, telephone, whatever. Some say they can hold people without habeas corpus rights or even the right to a trial. Can they also ignore the constitution and just appoint senators and representatives in the name of national security? Can they install judges and such with no congressional oversight so those moves would survive a court challenge? Can they just decree something to be law without congress ever passing it or the president signing it into law? If so or not, I have to ask why and what limits would there be and how do those limits become recognized?

          My naive understanding is that the existence of this group is largely limited to pen testing with approval from network owners or law and assisting in law enforcement operations which presumably would already have had warrant requirements satisfied. It might do a lot more than that but I do not know for sure.

          • by Anonymous Coward

            The Constitution is not a suicide pact. Policies targeting domestic US citizens deserve open scrutiny and debate but actions targeting foreign countries are not Constitutionally protected nor are those actions required to be publicly disclosed. If you want to see a real life example of the elasticity of the Constitution just look at what FDR did prior to the US entering WW2. He blatantly violated the Neutrality Act using the subterfuge of the Lend-Lease Act while also "donating" a fleet of mothballed US na

        • ease up on that ganja or you'll soon claim they have legal basis for anal probing at all railway crossings.

  • Relief... (Score:5, Insightful)

    by grub ( 11606 ) <slashdot@grub.net> on Sunday January 31, 2016 @09:46AM (#51408609) Homepage Journal
    I was worried that the new overlords would start checking submissions for errors. I'm relieved to see they are taking the 'steady as she goes' approach.
    • by Anonymous Coward

      It's Timmy boy... I found that you can never set your expectations low enough around here.

      On the other hand, given that he seems to be the only editor left... and apparently spends all day and night scouring the internet for days-old news to post... you have to cut him some slack. Lack of sleep probably plays a part

  • by Anonymous Coward

    They've censored their own link from the article!

  • Sheep (Score:4, Informative)

    by ourlovecanlastforeve ( 795111 ) on Sunday January 31, 2016 @10:02AM (#51408667)
    Sheep should not listen to best practice advice from wolves.
    • by Anonymous Coward

      Of course, of course. You should never take advice from a group of people considered the best at cracking systems worldwide, known for their ability to get into systems running on hundreds of varieties of hardware. Why, that would be foolish! Can you imagine, asking security experts what some of the general security practices are?

      Also, never, EVER, go to a doctor.

      • by raymorris ( 2726007 ) on Sunday January 31, 2016 @10:33AM (#51408783) Journal

        Indeed, I'm skeptical of anything from the NSA, but his advice matches with my experience (I've been doing network security professionally for a long time).

        He made one point that definitely rings true. People get excited about "advanced" stuff like zero-days and jumping air gaps with ultrasound, while their IIS hasn't been updated in three years, their users are opening funnycat.exe, and they've never tested their backups. It's not the NCIS stuff that'll get you, 95% of the time, it's the boring best-practice stuff that's missed; security updates, tested offsite backups, etc.

        • by khasim ( 1285 )

          There's a part I disagree with him on. From TFA:

          "There's a reason it's called an advanced persistent threat; we'll poke and poke and wait and wait until we get in."

          No. It's called that because it sounds scarier than "got past my mediocre defenses".

          If they did not have to burn a zero-day (or rappel through a skylight) to get in then it is plain-old "cracking". People just prefer to call it "APT" because no one can defend against an "APT attack".

          If they could defend against it then it would be a reg

      • by ACE209 ( 1067276 )

        Also, never, EVER, go to a doctor.

        If that doctor has a rich history of malpractice lawsuits, you are even right.

        Though changing your intelligence agency might not be as easy as changing your doctor.

  • by Anonymous Coward on Sunday January 31, 2016 @10:24AM (#51408741)

    https://www.youtube.com/watch?v=bDJb8WOJYdA

    Personally, he didn't say anything mind blowing.

  • by rebelwarlock ( 1319465 ) on Sunday January 31, 2016 @10:35AM (#51408789)
    I was worried at first that this wasn't really news, but then I saw the summary said that people responded on Twitter, and now I know it's important.
  • You have nothing to hide.

    Actually, when Trump gets elected and has a full dossier on every political AND financial rival you really should have an escape plan.
    • . . . that he will have all the information to sell me junk that I don't need?
    • You have nothing to hide.

      Exactly, the people are broke and no amount of corporate espionage is going to preserve the District of Columbia.corp at this point with international shipping halted and 200+ countries that will not accept the US petro dollar as currency. Here's a question: If said spook hacker is not over there seeking refuge with Snowden, and not under indictment and/or already in jail, then does this mean that this is a sign that the republic is in process of being restored?

      The implications of this could truly be asto

  • by epine ( 68316 ) on Sunday January 31, 2016 @12:06PM (#51409143)

    Here's a conundrum—a real stumper if you plan to swallow his advice whole—they know what's really in all those automatic patches, and you don't.

    Tuesday a patch arrives. Wednesday a patch for the patch arrives. What exactly happens during that brief episode of 24?

    • It's not that they know what's in the patches.

      It's that they have thousands of extremely skilled and well paid people who do nothing but figure out how to break in.

      Meanwhile, you're trying to defend your network while dealing with users asking where the "any" key is, and your executives demanding to be able to go to malware-infested porn sites at work.

      You will lose against the NSA (or any nation-backed equivalent) because of the massive disparity in knowledge and effort.

      • I remember when antivirus companies began talking about heuristics. The idea that they could dynamically figure out threat levels. Then I noticed a strange thing -- updates got bigger, DAT files grew and grew -- and they shut up about heuristics. They realized that this would kill the need to buy next year's AV product.

        So, given that best practices for all kinds of stuff have been around for decades, isn't it at least a little curious how often patches come out? Grandparent's point is the most likely
  • If you think he's actually telling you anything that would really keep him out, then you're exactly as gullible as he wants.

    Oh, sure, he'll give you some bullshit, low-level tips, but do you really think that the "NSA Hacker Chief" is going to do anything that's going to make his job harder? I sure don't.

  • Once upon a time, I thought those would have been sufficient.

  • Remedies like whitelisting might be effective, but if you've ever worked in a corporation--typically large ones--that use it, you know that it's a nightmare to manage. When you need to get something done, waiting for your whitelist request to be approved can take so long that you might as well not try to use the tool.

    It's interesting that the author said NOTHING about password complexity. This is one of the stupidest security measures, at least in the way it is typically implemented. For example, you mus
