Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Government Microsoft Privacy Windows

Group Linked To NSA Spy Leaks Threatens Sale of New Tech Secrets (reuters.com) 105

Hacker group Shadow Brokers, which has taken credit for leaking NSA cyber spying tools -- including ones used in the WannaCry global ransomware attack -- has said it plans to sell code that can be used to hack into the world's most used computers, software and phones. From a report on Reuters: Using trademark garbled English, the Shadow Brokers group said in an online statement that, from June, it will begin releasing software to anyone willing to pay for access to some of the tech world's biggest commercial secrets. In the blog post, the group said it was setting up a "monthly data dump" and that it could offer tools to break into web browsers, network routers, phone handsets, plus newer exploits for Windows 10 and data stolen from central banks. It said it was set to sell access to previously undisclosed vulnerabilities, known as zero-days, that could be used to attack Microsoft's latest software system, Windows 10. The post did not identify other products by name. It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs, without providing further details.
This discussion has been archived. No new comments can be posted.

Group Linked To NSA Spy Leaks Threatens Sale of New Tech Secrets

Comments Filter:
  • Trolling or stupid? (Score:5, Interesting)

    by TWX ( 665546 ) on Tuesday May 16, 2017 @11:13AM (#54427057)

    It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs, without providing further details.

    Are they attempting to ensure that there's no safe harbor for them anywhere in the whole world? Seems like if one pisses off the USA, Russia, and China, that there's no country in the entire world that wouldn't give up these people to someone if their identities are uncovered.

    This makes me wonder about the legitimacy of the claims, and if they're really from a group with this kind of power or if they're just someone trolling for teh lulz.

    • This makes me wonder about the legitimacy of the claims, and if they're really from a group with this kind of power or if they're just someone trolling for teh lulz.

      I think this last week has proven that, yes, they do have access to these tools.

    • by mfh ( 56 ) on Tuesday May 16, 2017 @11:35AM (#54427187) Homepage Journal

      Either they aren't thinking this through or they are shills for some government to give them an excuse for another scorched earth policy.

      Computers can be made secure most of the time with a little anti-stupidity. Firefox/netflix stops 99.999% of malware unless you whitelist some EvilWebsite. Don't open forwarded emails from your computer-challenged friends & family members.

      Sure there are some nasty exploits on almost every platform but most of them require a javascript call to execute or some poor sap to open an attachment and run it.

      • by Anonymous Coward

        Either they aren't thinking this through or they are shills for some government to give them an excuse for another scorched earth policy.

        Computers can be made secure most of the time with a little anti-stupidity. Firefox/netflix stops 99.999% of malware unless you whitelist some EvilWebsite. Don't open forwarded emails from your computer-challenged friends & family members.

        The problem with this mentality is most of the world is comprised of very stupid and ignorant computer users, which is kind of the main reason ransomware has turned into a very successful business model over the last 12 - 24 months.

        Sure there are some nasty exploits on almost every platform but most of them require a javascript call to execute or some poor sap to open an attachment and run it.

        The number of poor saps in the world is equal to the number of devices running Java/Javascript, proving both can be rather hard to manage.

        • by TWX ( 665546 ) on Tuesday May 16, 2017 @12:12PM (#54427527)

          One of the things that has bothered me about computing developments over the last 20 or so years is that the push for easier and easier UI should have ended about fifteen years ago, and when the realization that an ever-increasingly-connected Internet was to be the future, the focus should have shifted away from UI and to backend security and testing of software products and protocols. Unfortunately that stuff isn't visual, so it's hard to sell a user on a new version of Windows without changing the look.

          In my opinion GUI development peaked sometime around 1996 or 1997. Windows 95 OSR2 with IE4 debuted and integrated the web browser into the filesystem shell in a way that's basically the same as it is today, and most of the elements in Windows that we're used to were implemented. In XWindows the most important elements of each major windowmanager project had been created. Only lagging was Apple, OSX wouldn't debut for another four or five years, but again, there were UI elements similar to Microsoft's or to Common Desktop Environment (CDE) or to KDE, so there wasn't a whole lot that was truly new, and a lot of the OS was borrowed from its predecessor NeXT anyway.

          Sure they've changed the colors, they've shifted back and forth between 3D-looking window frames and icons and 2D-looking window frames and icons, and they rearrange the look of the dialogue boxes or replace the Start Menu with a new menu, but the just seem to be reinventing the wheel, not actually creating anything new. But they aren't focusing on security like they should be either, even though with the UI nailed-down they really should be.

    • by Anonymous Coward on Tuesday May 16, 2017 @11:57AM (#54427373)

      The NSA knows what the Shadow Brokers have (basically, everything the NSA has). The NSA knows how much damage they can do. Further, the NSA, and ONLY the NSA, are in a position to disclose the remaining weaponized vulnerabilities to Microsoft, to get them fixed, and protect the rest of us from harm.

      It's beautiful, you see. The NSA MUST voluntarily surrender the weapons that they have been sitting on, or they will be directly responsible for the use of those weapons against us. And this time, there is no head start...if the NSA doesn't disclose them, Microsoft can't fix them, and the ensuing hacks will make WannaCry look like a preshock.

      • Agreed. NSA bears a huge responsibility for any bad things that happen.

        NSA not only kept zero-days exploits secret, but they weaponized them. And, apparently, even wrote manuals for these weapons. Then they failed to keep these weapons secure –– now they are out there.

        Every day that NSA lets this stuff just sit out there, without doing anything to mitigate potential damage from their weapons, puts more and more responsibility on their shoulders.

      • I wonder if there is now some means for whole countries to sue the USA government under current trade agreements. After all, it can be shown that the US government (via its agencies) knows about these flaws but is choosing to hold them back to stop them from being patched. This causes financial harm to countries who may have the rights to sue under trade agreements. THAT could get interesting.
    • This makes me wonder about the legitimacy of the claims, and if they're really from a group with this kind of power or if they're just someone trolling for teh lulz.

      RULE #1: Don't hold the whole world for ransom –– where would you go once they paid-up?

      • Who said financial reward was their ultimate goal ?

        Maybe its to force the US government into revealing all their exploits so they can be patched.

        The alternate is that US allies will feel betrayed, that loss of trust will get reflected in attitudes to the USA, make it a tipping point where US citizens get scrutinised more heavily at international boarders, need Visas for entry, trade goods will need closer (and more expensive) inspection, US owned transport given lower priority at ports and airports, red
        • Who said financial reward was their ultimate goal ?

          . . .

          One way or another, this is a huge setback for the USA. And if that's the goal, the money is a smoke screen.

          Hmmn. $300 does seem kind of low for a ransom, doesn't it?

          • Its small enough that some will pay anyway, and who knows maybe its going to them, or maybe to a 3rd party.

            But the hit that spy/law enforcement agencies and the US is going to take to their reputation is probably priceless.

            And as they dribble out more exploits, this is going to be the gift that keeps on giving and its going to take YEARS to recover, if they ever do.

            It may even be that if this is state sponsored, they have made themselves much safer while leaving everyone else open to the exploits they
  • to hunt them down and hose em down with machinegun fire
    • Americans "We come in peace, shoot to kill".

      Can I assume that you also believe any foreign government has a right to retaliate ?

      No matter what you have been told, American lives are not automatically worth more than anyone elses.
  • by DatbeDank ( 4580343 ) on Tuesday May 16, 2017 @11:15AM (#54427077)
    It's only a matter of time before some hair brained bureaucrat suggests blocking bitcoin transactions as a means to prevent criminals from funding themselves.
    • by Anonymous Coward
      Well, there is a reason that the $100 is America's largest commonly circulated currency. Not saying it would be right to regulate or end it. Just that if they CAN'T regulate it, they will inevitably try to end it.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Actually, I wonder if Bitcoin will prove their undoing.

      Contrary to popular belief, Bitcoin is not anonymous. It's pseudonymous. Every single bitcoin transaction is recorded in the shared ledger of which account it went from, and which account it went to - it's HEAVILY tied to an identity. The thing is anyone can set up a bitcoin wallet with an encryption key, so we don't know which real person each wallet is associated with.

      Why is this relevant? Because AT SOME POINT, the criminals need to get their mon

      • Couldn't a criminal just use a bitcoin mixer to mitigate this?
      • Same way that they do it now with bank phising: Hire some bum off the street to go into the Western Union to cash in the money from the transaction slip you give him. He gets to keep a few pennies and hands you the rest of the dough.

      • by cfalcon ( 779563 )

        > . And at that point, they need to sell bitcoins out of some wallet, and exchange them for cash

        Yea, but like any burgeoning semicriminal area, there's a reasonable amount of mitigations for this risk.

        The simplest one is overt laundering. You put some amount of your illegally gained money into a pool that is trusted to spit out some fraction of that at a later time, to an entirely different account. Because the pool is constantly spewing bitcoin at arbitrary accounts, it is not always obvious which goe

      • by AHuxley ( 892839 )
        For that to work the person of interest has to be in a nation that keeps CCTV for 6 months and does the final cash transaction in person in front of a nice HD camera.
        Or who drives their own car to do the cash exchange and gets caught in a nation thats keeps car park CCTV for 12 months and can find that date and time weeks or months later.
  • Odd Behavior (Score:4, Interesting)

    by nehumanuscrede ( 624750 ) on Tuesday May 16, 2017 @11:23AM (#54427131)

    Considering their last attempt to sell such data was somewhat lacking in buyers, I'm curious why they don't just ring up WikiLeaks, get a semi-decent payday and be done with it.

    Unless, of course, it's the intel agencies themselves playing the part of TSB seeing who they can reel in on their fishing expedition.

    • Interesting view. Fishing expedition. But I guess any buyer will be careful enough not to reveal his real identity, and will for sure hide behind strong anonymization services. Then how would they really catch their fish? It's a pretty risky way to go fishing...
    • by Anonymous Coward

      They better act quickly, before Donald gives it away for free.

    • An alternate approach that may make more money, and would definitely be both more legit and less likely to piss everyone off, would be to use the exploits to get payouts from each company's bug bounty program. Unless the NSA went ahead and preempted this approach by releasing all of their zero-day exploits to the vendors (seems unlikely), they could do this for years, maybe at 10-50k a pop depending on how bad they are.

  • Last time they pulled that stunt I think the bid went up to 3 or even 5 bitcoins.

  • Releasing exploits and sensitive data that harms the USA is understandable as the US government is just a pussy (and yes I live in the US). Piss on Russia or China and they may find there cohorts dead with their genitals in their mouths or polonium in their veins. Do you really think the Russian equivalent of Snowden would still be alive today????
  • by OverlordQ ( 264228 ) on Tuesday May 16, 2017 @01:05PM (#54427951) Journal

    > Using trademark garbled English,

    I wonder if they translate and reverse their releases to help defeat style-analysis on what they write.

  • I was just watching Pearl Harbor - not a great film, but it brought back to me that the greatest threat to these people is the sheer force of American willpower. The Japanese military machine tugged at the tail of a sleeping tiger, and they lived to regret it.

    Well, America, it is time to hit back at those that seek to disrupt our way of life through these attacks. We are seeing just the beginning of this new warfare, but we need to hark back to the spirit that was awoken in us in 1941, and we need to hit
    • 1. You are not the leader of the free world.
      2. You do not automatically have the right to attack any country or their citizens
      3. ALL you will do is create enemies and loose allies.
    • We have a difficult problem facing society, one that cannot be solved by the usual declaration of War on (ISSUE HERE). As we've seen before, the unintended consequences ended up being worse than the original problem.

      Currently we still have something resembling an open internet. Those that fall sway to jingoistic buzzwords to justify knee-jerk overreactions is why we can't have nice things.

    • I was just watching Pearl Harbor - not a great film, but it brought back to me that the greatest threat to these people is the sheer force of American willpower. The Japanese military machine tugged at the tail of a sleeping tiger, and they lived to regret it.

      I doubt American willpower was a serious contender considering the other side had people litter lay training to be suicide bombers. Americans troops typically were the first to break and run away. We had some advantages in that Americans were also the first to rally and run back into battle with more resolve, and with a different plan to make sure the last mistake didn't happen. The first mistake the Japanese did was mistakenly think that bombing people would make them want to give up. If anything, actively

  • If you're so scary smart, lets see Trump's taxes.
  • I figured they are going to piss off someone with some real money that's going to put a price on their heads. I wish I had the money to do it.
  • youusa people gonna die?
  • Signaling the abundant and high-risk nature of hack-attacks, CEO Brian Moynihan says the Charlotte-based lender (NYSE:BAC) has no spending limits in place for its cyber security teams. Currently at $400M.

    "The only place in the company that doesn't have a budget constraint is that area."

"The one charm of marriage is that it makes a life of deception a neccessity." - Oscar Wilde

Working...