NSA Hacker Chief Explains How To Keep Him Out of Your System (wired.com) 70
An anonymous reader writes: Rob Joyce, the nation's hacker-in-chief, took up the ironic task of telling a roomful of computer security professionals and academics how to keep people like him and his elite corps out of their systems. Joyce himself did little to shine a light on the TAO's classified operations. His talk was mostly a compendium of best security practices. But he did drop a few of the not-so-secret secrets of the NSA's success, with many people responding to his comments on Twitter.
Same link. (Score:3, Informative)
Same link as previous article, copy and paste error.
Is there a link missing? (Score:1)
Re:Is there a link missing? (Score:5, Informative)
Re: (Score:1)
Here's the Wired article:
http://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-out-of-your-system/
Re:Is there a link missing? (Score:4, Funny)
It seems like the only linked article is relevant to the Slashdot story immediately preceding this one...
Must be the new owners of Slashdot, working hard to correct the persistent problem the prior owners had with duplicate stories getting posted, all the time. Now, the duplicate links will get posted in completely different stories, going forward!
Re: (Score:2)
Slashdot has reached a new low (Score:1)
Sorry, the link embedded within the article is http://arstechnica.com/information-technology/2016/01/nsa-gchq-used-open-source-software-to-spy-on-israeli-syrian-drones/ [arstechnica.com], which is a link relevant to the previous story. I have no idea how that would happen, but editors should at least check the links. The correct link is actually http://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-out-of-your-system/ [wired.com].
Re: Slashdot has reached a new low (Score:1)
The editor's responsible for the error's in the link's have been sacked. :-)
Step 1 (Score:1)
Step 1: Don't listen to anything the NSA (or the US government for that matter) has to say
Re:Step 1 (Score:5, Insightful)
the guy picks up a microphone and owns up to breaking constitutional rights, screwing with people's businesses and lives. the people, instead of arresting him, clap their hands and say it was a good talk. what the f**k? not even DMCA? let's all accept this lawless band of crooks, put them on a pedestal and call them elite corps
Re: Step 1 (Score:2, Interesting)
That's a common myth in Tea Party circles - but there's tons of legal basis for the NSA's activities in the Constitution:
http://www.heritage.org/research/reports/2010/06/a-constitutional-basis-for-defense
And yes, I feel somewhat dirty for linking to Heritage, but you cannot dismiss them as "liberals".
Re: Step 1 (Score:5, Insightful)
No need to inject liberals or tea party circles into this. No one mentioned them and I would bet you would/could find several people on any side you picked who think there is a problem too.
The US constitution does not place national defense above the US constitution though. This is problematic to the national defense trumps all argument because the 9th amendment specifically spells out that the enumeration in the constitution shall not be used to deny other rights held by the people. While the constitution generically spells out national defense, it specifically places reasonableness and warrant requirements for searches and other things.
But let's explore this a bit. In the name of national security, some say the government can ignore the US constitution and invade a citizen's or local business's network, computer, telephone, whatever. Some say they can hold people without habeas corpus rights or even the right to a trial. Can they also ignore the constitution and just appoint senators and representatives in the name of national security? Can they install judges and such with no congressional oversight so those moves would survive a court challenge? Can they just decree something to be law without congress ever passing it or the president signing it into law? If so or not, I have to ask why and what limits would there be and how do those limits become recognized?
My naive understanding is that the existence of this group is largely limited to pen testing with approval from network owners or law and assisting in law enforcement operations which presumably would already have had warrant requirements satisfied. It might do a lot more than that but I do not know for sure.
Re: (Score:1)
The Constitution is not a suicide pact. Policies targeting domestic US citizens deserve open scrutiny and debate but actions targeting foreign countries are not Constitutionally protected nor are those actions required to be publicly disclosed. If you want to see a real life example of the elasticity of the Constitution just look at what FDR did prior to the US entering WW2. He blatantly violated the Neutrality Act using the subterfuge of the Lend-Lease Act while also "donating" a fleet of mothballed US na
Re: (Score:2)
ease up on that ganja or you'll soon claim they have legal basis for anal probing at all railway crossings.
Relief... (Score:5, Insightful)
Re: (Score:1)
It's Timmy boy... I found that you can never set your expectations low enough around here.
On the other hand, given that he seems to be the only editor left... and apparently spends all day and night scouring the internet for days-old news to post... you have to cut him some slack. Lack of sleep probably plays a part
Re: (Score:1)
Keep systemd off your machines, as it contains NSA access and backdoors built in - aside from the system stability issues introduced.
As much of a ClusterF**K that Systemd is, you cannot make a claim like that without SOME evidence.. otherwise shut up.
NSA strikes again (Score:2, Funny)
They've censored their own link from the article!
Sheep (Score:4, Informative)
Re: (Score:1)
Of course, of course. You should never take advice from a group of people considered the best at cracking systems worldwide, known for their ability to get into systems running on hundreds of varieties of hardware. Why, that would be foolish! Can you imagine, asking security experts what some of the general security practices are?
Also, never, EVER, go to a doctor.
grain of salt, but sound advice (Score:5, Insightful)
Indeed, I'm skeptical of anything from the NSA, but his advice matches with my experience (I've been doing network security professionally for a long time).
He made one point that definitely rings true. People get excited about "advanced" stuff like zero-days and jumping air gaps with ultrasound, while their IIS hasn't been updated in three years, their users are opening funnycat.exe, and they've never tested their backups. It's not the NCIS stuff that'll get you, 95% of the time, it's the boring best-practice stuff that's missed; security updates, tested offsite backups, etc.
Re: (Score:3)
There's a part I disagree with him on. From TFA:
No. It's called that because it sounds scarier than "got past my mediocre defenses".
If they did not have to burn a zero-day (or rappel through a skylight) to get in then it is plain-old "cracking". People just prefer to call it "APT" because no one can defend against an "APT attack".
If they could defend against it then it would be a reg
Re: (Score:2)
Also, never, EVER, go to a doctor.
If that doctor has a rich history of malpractice lawsuits, you are even right.
Though changing your intelligence agency might not be as easy as changing your doctor.
Jesus, just link to the talk. (Score:4, Informative)
https://www.youtube.com/watch?v=bDJb8WOJYdA
Personally, he didn't say anything mind blowing.
Re: Letting a great man say why I did those... apk (Score:2)
I'm agreeing with APK...the new owners of slashdot are! already making things weird.
Well now it's news! (Score:5, Funny)
You have nothing to fear if (Score:2)
Actually, when Trump gets elected and has a full dossier on every political AND financial rival you really should have an escape plan.
I am so scared about Trump (Score:2)
Re: (Score:1)
You have nothing to hide.
Exactly, the people are broke and no amount of corporate espionage is going to preserve the District of Columbia.corp at this point with international shipping halted and 200+ countries that will not accept the US petro dollar as currency. Here's a question: If said spook hacker is not over there seeking refuge with Snowden, and not under indictment and/or already in jail, then does this mean that this is a sign that the republic is in process of being restored?
The implications of this could truly be asto
Re: (Score:1)
You forgot about Texas and Kentucky.
you can't win (Score:3)
Here's a conundrum—a real stumper if you plan to swallow his advice whole—they know what's really in all those automatic patches, and you don't.
Tuesday a patch arrives. Wednesday a patch for the patch arrives. What exactly happens during that brief episode of 24?
Re: (Score:3)
It's not that they know what's in the patches.
It's that they have thousands of extremely skilled and well paid people who do nothing but figure out how to break in.
Meanwhile, you're trying to defend your network while dealing with users asking where the "any" key is, and your executives demanding to be able to go to malware-infested porn sites at work.
You will lose against the NSA (or any nation-backed equivalent) because of the massive disparity in knowledge and effort.
Re: (Score:2)
So, given that best practices for all kinds of stuff have been around for decades, isn't it at least a little curious how often patches come out? Grandparent's point is the most likely
Re: (Score:2)
Eloquent, and full of specifics. And I don't believe it.
Qualcomm's Eudora email program is proof you can create a perfect program. And proof that when you do, your income stream stops.
In the Eudora case they took the high road so few do and gave it all away. Until October 11, 2006 [needle scratching across a record].
Perfection is a different mindset from profit.
If you think (Score:2)
If you think he's actually telling you anything that would really keep him out, then you're exactly as gullible as he wants.
Oh, sure, he'll give you some bullshit, low-level tips, but do you really think that the "NSA Hacker Chief" is going to do anything that's going to make his job harder? I sure don't.
Laws? (Score:2)
Once upon a time, I thought those would have been sufficient.
Medicine worse than the disease (Score:2)
Remedies like whitelisting might be effective, but if you've ever worked in a corporation--typically large ones--that uses it, you know that it's a nightmare to manage. When you need to get something done, waiting for your whitelist request to be approved can take so long that you might as well not try to use the tool.
It's interesting that the author said NOTHING about password complexity. This is one of the stupidest security measures, at least in the way it is typically implemented. For example, you mus