"Technical report" meaning "guide created for government system admins." It's crazy that the NSA cybersecurity mission seems so similar to one of a thousand generic tech how-to blogs.
Even the CIA's leaked internal PowerPoints look fairly similar to what you'd get in the valley, for the most part. The budget's big but - especially for defensive operation - it's the same kind of thing most other people do in that sector.
For offensive work, then the motto (of one of the NRO's satellites) comes to mind: Doing god's work with other people's money. Everything is tapped, we should assume at least a proportion of what we take for granted now is unsafe. It's unlikely they'll have broken any big fry protocols or schemes but planting a backdoor is trivial for them (if you can manipulate the entropy on 10% of computers, you should be able to crack it in 10 years; think of all the kids you could save!).
Of course it's the same. Their offices are full of the same boring Dells that you'd find in any other office. Best practices are best practices anywhere.
I believe the organization is siloed into defensive and offensive sub-organizations. My blind guess is the defensive side is pretty separate from the rest of what's going on (any intelligence agency naturally tries to compartmentalize as much as possible). I wouldn't be surprised if there's internal politics where the defensive side may want to release a security advisory or other defensive guidance but the offensive side blocks them due to wanting to hoard something as a potential weapon in the arsenal.
And I'm very likely in the minority of HN on this one, but I think this is generally probably fine and warranted. That kind of hoarding is exactly what I would expect and want them to do, as opposed to the warrantless domestic dragnet surveillance I don't want them doing. If you're in a non-stop ever-changing arms race, you want every edge you can get, as long as there's a carefully considered cost-benefit analysis (which they likely at least attempt to perform).
"any intelligence agency naturally tries to compartmentalize as much as possible"
Why is compartmentalization natural? The business world analog is "silos", and we're forever trying to break them down, or work around them or something. Are intelligence agency compartments just jargon-justification for bureaucratic fiefdoms? We know human organizations tend towards individual small warring tribes, are compartments just a justification of that?
Would an intelligence agency that scraps compartmentalization have an advantage? How would you see that advantage?
Because intelligence agencies are always also concerned with counterintelligence as a major function.
> The business world analog is "silos", and we're forever trying to break them down, or work around them or something.
Most businesses try to keep highly sensitive data that has adverse consequences for release siloed. Unlike intelligence agencies, for most businesses such information is exceptional, rather than the rule.
> Are intelligence agency compartments just jargon-justification for bureaucratic fiefdoms?
They aren't just that, which is why the practice is universal. There is, of course, the perennial risk that the legitimate need gets exploited for that, though.
> Would an intelligence agency that scraps compartmentalization have an advantage?
As long as they were never penetrated by a hostile agency, maybe (though it might also reduce focus, contribute to analysis paralysis, and have other deleterious effects without penetration.) But the impacts of any penetration would be magnified, and while major penetrations may be rare because of compartmentalization, penetrations of intelligence agencies aren't rare enough for magnifying their impact to be discounted.
From what various related sources have said, the defense budget is minuscule compared to the offense one. I get the feeling anyone on the defense team is someone unlikely to try and oppose what else is going on.
> That kind of hoarding is exactly what I would expect and want them to do, as opposed to the warrantless domestic dragnet surveillance I don't want them doing
Why do you think they aren't collecting these exploits for more domestic surveillance?
> Why do you think they aren't collecting these exploits for more domestic surveillance?
They may very well be. But, first, because a 0-day in Microsoft Word or something isn't really helpful for spying on hundreds of millions of people; it's for rare, highly targeted spear phishing and other kinds of very precisely-aimed operations, and I think that's the type of stuff they generally discover and/or are given/sold.
In theory some kind of major flaw in TLS or networking equipment could enable it, but the latter is risky to be doing all the time (dragnet implies constant surveillance), and the former is as well unless it can be done purely from passive observation of traffic, and I think such a critical vulnerability in modern TLS requiring no active interference (e.g. not Heartbleed) is fairly unlikely and rare - though of course definitely not impossible.
Also, I think after all the leaks and recent high-ranking court rulings, it's just not very tenable for them to keep that going as it existed before. Even if only due to future leaks and backlash. Plus, PRISM and XKEYSCORE are cool and have rad cyberpunk codenames and stuff, but from what I can tell the actual valuable, actionable intelligence they got out of it wasn't worth even 1% of what they put into it, due to having so much raw data to deal with. Trying to filter the signal out of the noise is like a needle in a galaxy-sized haystack. Future ML and other software developments could maybe make finding the needle easier, but it'll always be a very technically challenging problem.
And now that there's a precedent of leaking, there's a higher risk that a future dragnet surveillance program might get exposed by people who otherwise wouldn't have exposed different programs. "Vacuum everything, ask questions later" / "collect them all and let God sort them out" just seems technically, politically, legally, and practically not worth continuing. I'd also like to think some percentage of employees have probably been swayed and now morally oppose it, even if they wouldn't say it openly.
And, finally, I actually don't personally care much about being caught in that dragnet myself, so the thought of it doesn't really bother me. I work in infosec and am very privacy-conscious, too, to the point of some friends thinking I'm paranoid - I've just been in enough positions to know that it's like being the Earth: you feel important, but relative to the universe you're so small you might as well not exist. My threat model and risk profile are just very different. However, it's of course unconstitutional and unethical, and the fact that many other people feel very violated by it is more than enough reason for me to oppose it, even if it's more on abstract, philosophical grounds.
This was the same in the UK: GCHQ had offensive and defensive arms. But they’ve since officially split; the defensive role is now taken by NCSC. Having said that, GCHQ is still its parent organisation and I have no doubt that they maintain strong ties.
Why should they not be on the offensive also? Wouldn’t it be a bit naive to think that the US would sustain from offensive cyber ops, when the other major world powers actively do so?
We already know they’re on the offense, so much so that if you asked any random American on the street what the NSA did their response would likely be “spying on me/other countries/terrorists”. Very few people know that the NSA is expected to (and sometimes does) spend its effort on defensive measures, and it would be a good idea for the agency to improve this record.
> Wouldn’t it be a bit naive to think that the US would sustain from offensive cyber ops
you mean 'abstain'?
and no, it would be responsible to abstain because offensive cyber relies on knowledge of vulnerabilities in software and hence creates an incentive to not fix them which in turn weakens security for everyone.
You could still read their charter online 10 or so years ago. Their mission was defense. Today they have replaced it with "Mission & Values" which they define without any immediately apparent legal basis.
Would you extend that to bioweapons and depleted uranium munitions that are well documented to have caused tens of thousands of birth defects in innocent children?
X terrorist does it, so why can't the US right? Is this line in the sand really drawn at cyber? And does cyber not kill people in meatspace? Last I looked you drone strike weddings based on metadata.
TPM should still be scrutinized in my opinion. It is mainly used to bind licenses to hardware. The keys act as an identifiable serial number. Yes, it is possible to shield against third party manipulation and there are some cryptographic benefits, but not in any practical sense. Not supporting it can even be a security boon, spies probably would have incentives to not use it.
So I think it is fair to stay critical if the NSA supports unique identifiers for hardware.
The TPM is not a DRM enforcement mechanism if you set it up for your own use. It is a very useful tool for taking control of a machine that you own - it provides a way to prove* to yourself that the system is booting with the firmware that you've approved, in the configuration that you set up, and running the kernel and initrd that you've signed. https://safeboot.dev/attestation/#i-thought-remote-attestati...
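As an added illustration of the "prove to yourself" point above (this is example code, not from the safeboot page or from any commenter): a small Python model of a TPM 2.0 SHA-256 PCR bank, showing how each boot stage's measurement is chained into a PCR and how a secret sealed to the approved PCR values stays locked when the firmware changes or the boot order differs. The hash arithmetic follows the TPM 2.0 PCR extend rule; the boot components, PCR indices and secret are constructed for the example, and the sealed blob is kept in the clear (a real TPM wraps it under a storage key).

```python
import hashlib

# Constructed example: a software model of one TPM 2.0 SHA-256 PCR bank.
# A real TPM does this in hardware; only the hash arithmetic is shown here.
PCR_INIT = b"\x00" * 32

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: new = H(old || digest). A PCR cannot be reset or rewound."""
    return sha256(pcr + digest)

def measure_boot(boot_log):
    """Replay an event log of (pcr_index, component_bytes) into PCR values.
    Each boot stage measures the next one into a PCR before handing over control."""
    pcrs = {}
    for idx, blob in boot_log:
        pcrs[idx] = extend(pcrs.get(idx, PCR_INIT), sha256(blob))
    return pcrs

def policy_digest(pcrs, selection):
    """PCR-bound policy: a hash over the selected PCR values, in index order."""
    return sha256(b"".join(pcrs[i] for i in sorted(selection)))

def seal(secret: bytes, pcrs, selection):
    """Bind a secret (e.g. a disk-unlock key) to the current PCR state.
    A real TPM also encrypts this blob under a storage key; omitted here."""
    return {"policy": policy_digest(pcrs, selection), "sel": tuple(selection), "secret": secret}

def unseal(blob, pcrs):
    """Release the secret only if the live PCRs reproduce the sealed policy."""
    if policy_digest(pcrs, blob["sel"]) != blob["policy"]:
        raise PermissionError("PCR policy mismatch: boot chain differs from the sealed one")
    return blob["secret"]

# Constructed boot chains. Indices follow common Linux usage: PCR 0 firmware,
# PCR 7 Secure Boot state, PCR 8 kernel + initrd. Only the firmware differs.
APPROVED_BOOT = [(0, b"firmware-v1"), (7, b"secureboot:on"), (8, b"kernel+initrd signed")]
TAMPERED_BOOT = [(0, b"firmware-v1-modified"), (7, b"secureboot:on"), (8, b"kernel+initrd signed")]

def demo():
    """Seal to the approved chain; returns (unsealed_ok, tampered_blocked)."""
    sealed = seal(b"disk-unlock-key", measure_boot(APPROVED_BOOT), [0, 7, 8])
    ok = unseal(sealed, measure_boot(APPROVED_BOOT)) == b"disk-unlock-key"
    try:
        unseal(sealed, measure_boot(TAMPERED_BOOT))
        blocked = False
    except PermissionError:
        blocked = True
    return ok, blocked

if __name__ == "__main__":
    print(demo())  # (True, True)
```

Because extend is one-way and order-sensitive, the same components measured in a different order also yield different PCR values, which is what lets the owner distinguish an approved boot from a merely similar one.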
No it is not, but I am fairly sure that is one of the main use cases. And you have a uniquely identifiable machine which creates new security problems.
We also know from smartphones that manufacturers can indeed be motivated to lock bootloaders. I think the main reason we don't have that on PC is that there are still multiple manufacturers and legacy considerations.
I cannot read the minds of Microsoft, but I have my assumptions that I believe are quite safe.
https://trustedcomputinggroup.org/ has rebranded themselves because they got a bad name. Justified in my opinion. People have identified the motivation on day one.
But again, yes, it can have some security advantages against the numerous disadvantages. I think it is bad for open computing overall. There are certainly mechanisms to secure your OS that don't rely on TPM. It may benefit you, but I would actually like to see it removed from my machine with all the consequences (which would be not being able to play DRM-protected media).