Probe of leaked U.S. NSA hacking tools examines operative’s ‘mistake’ (reuters.com)
114 points by aburan28 on Sept 25, 2016 | 36 comments



This feels like support for something Bernard Ingham said, "Many journalists have fallen for the conspiracy theory of government. I do assure you that they would produce more accurate work if they adhered to the cock-up theory."

Then the paranoid part of me wonders if that's the plan. Then the skeptical part of me says, "Occam's Razor". Then I remember that I'm insignificant in relation to these issues and I have some tea.


This is one of my favorite comments ever. It captures so much. I often find myself in an infinite loop of "maybe X, but on the other hand Y" and periodically I just need to `kill -9`... until the next time curiosity forks.


The more general form is known as Hanlon's razor: Never attribute to malice that which is adequately explained by stupidity. https://en.wikipedia.org/wiki/Hanlon's_razor


Which I have pointed out time and time again on HN is a logical fallacy on its bare face, it's usually wrong, and is not a useful phrase whatsoever in intellectually honest conversation and should be relegated to the dustbin of phrases where it belongs.


In what way is it a logical fallacy?


And how has that worked out for you thus far?


It's actually pretty comforting to see that a lot of other people here feel the same way!


Yes, your thought process was very much the intended goal of this "leak." Mission accomplished.


Do you have any evidence to support that or are you just going along with OP's thought loop?

As far as I can tell, incompetence by far seems to be most likely here. I don't think NSA would wittingly give up so many nice zero-days to their first or second most powerful rival agency.


Ah, but now some people on the internet think they made a mistake. That's priceless.


Funny. I reported something similar to Comcast after finding several of their engineers' home directories on GitHub. SSH keys, usernames, passwords, scripts, logs, and even code for a DVR machine (no idea). Thankfully Comcast got the GH account deleted fairly immediately. It just took a public Reddit post to get in contact with them after their posted routes didn't work.

The person who uploaded them there did government security before joining Comcast, so it doesn't surprise me even for a second that this was a mistake. Though, the repo also had updates after his employment there ended.


A junior security operations employee at a company I worked at - who was fired for persistent incompetence - somehow obtained a fairly important position doing security for a government agency. That agency was (shockingly) later revealed to have very publicly embarrassing security issues.

I imagine this sort of thing is pretty common.

I feel like NSA might be able to make a stronger case for themselves if they were at least able to show they could do one of the most basic and fundamental things they're supposed to be doing.


IIRC there are services archiving all github repos. It would be better to just change all the codes that were leaked.


They said that they were going to work on swapping things out. When I talked to the PR rep about it last, he didn't have much of a clue whether they did or didn't swap anything out. They also mentioned a bug bounty, but that didn't go through either.


Easier said than done when it's the keys for rolled out consumer premises equipment.


If you ship hardware to a customer with software installed and don't have the ability to do automatic security updates on it in 2016, you need to rethink your strategy.


This entire discussion reminds me why James Jesus Angleton drove himself and everyone around him nuts with his CIA mole hunt in the '60s and '70s. The problem with lying and deception as the standard operating procedure for a government agency is that pretty soon it is the SOP for everyone within the agency when dealing with others, even those within the agency and the people they allegedly serve. It becomes a tunnel of lies and speculation from which there is no escape.

Oh, it starts out great when there are clearly defined sides and reasonable evidence of loyalty to a particular party. Real victories and losses can be defined. But it always degrades to this sort of thing after a bit of time and growth in numbers of players, and no one wins or loses. There is just confusion, perhaps even for those at the top of the chain.


>That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said. Since the public release of the tools, the companies involved have issued patches in the systems to protect them.


There are two reasons why I think this could be (very selfishly) sensible from their perspective:

1. They were probably relying on those exploits quite a bit and had frequent success with them, in which case totally burning them would have directly harmed operational capacity.

2. They appear to be huge fans of piggybacking off of other intelligence agencies' footholds and data ("fourth-party collection").

http://www.theverge.com/2015/1/17/7629721/nsa-is-pwning-ever...

>Fourth party collection appears so successful that agents of the NSA and GCHQ have cracked jokes about it in top secret slide decks. In an NSA presentation titled "fourth party opportunities," the first slide references Daniel Day-Lewis' infamous "I drink your milkshake"

Another intelligence agency acquiring these exploits would give them additional "fourth-party opportunities". As long as the US government's systems were protected against the exploits (were they? no idea), that could mean keeping them secret still meant more pros than cons for their goals. It could give them more intel, and maybe give additional insight into the other nation's goals and interest by who they're targeting.

Pure speculation on my part, though. The real reason could just be regular old incompetence, and/or internal cover-up of the tool leakage.


The logical conclusion of that is that they should deliberately leak some of their best exploits to rival agencies, so I think that argument has to be flawed.

Furthermore, they can't really keep using them after exposure for the same reason the Russians didn't start using them: everyone who knows about them can watch for them being exploited and so gain useful intelligence on their rivals.


>The logical conclusion of that is that they should deliberately leak some of their best exploits to rival agencies, so I think that argument has to be flawed

How do we know they don't? Or at least, some of their exploits.

Also, that's not necessarily the only conclusion. This leak could have been more harmful than no leak, yet thought to be less harmful than publicly burning every exploit.

>Furthermore, they can't really keep using them after exposure for the same reason the Russians didn't start using them: everyone who knows about them can watch for them being exploited and so gain useful intelligence on their rivals.

True, but they could possibly change them in a way to make them less detectable.

The Russians could have done the same, but maybe their reason for believing it'd be helpful for fourth-party collection is that they already had access to some of Russian intelligence's communications and compromised hosts, devices, and networks.

Anything could be possible here, though. We're all speculating pretty blindly.


> and so gain useful intelligence on their rivals.

The principal rival in the short term for any department, whether of government or inside a company, is other departments, not the corresponding department in another company. In fact it is plausible to think that at least some of the people within agencies like the NSA have more in common and a substantial degree of fellow feeling with their nominal rivals in, for instance, Russia than they have with other US agencies.


thegrugq just wrote a persuasive analysis of the calculus that intelligence agencies must go through with this kind of event. In short, the benefits of revealing that they're aware of the leak aren't worth it. All of the benefit is in passively monitoring what the adversary does with the information. You can find it here, it's quite interesting: https://medium.com/@thegrugq/mind-games-international-champi...


I swear I didn't read any commentary like this before I wrote my post! And I know jack shit about intelligence agencies otherwise. Nice to see my speculation partly validated by none other than thegrugq.


The problem with informing the companies --- and this is a positive statement not a normative one --- is that as soon as the vulnerability is broadly known, NSA's foreign targets can identify any machines NSA has instrumented using those bugs. Doing that could compromise operations in progress. And because NSA does likewise, it has to assume its adversaries have full packet captures of their most sensitive networks. Remember also that many (most?) of the tools disclosed weren't penetration tools but instead persistence tools, and that the disclosure could reveal whole chains of other machines and burn additional capabilities.

I'm not saying that I personally would reach the same conclusion, just that the situation is more complex than Reuters makes it out to be.


I just got an alert from DHS about these vulnerabilities last week, which is absolutely ridiculous given the severity of these exploits.


While the Grugq argues[0] persuasively that avoiding disclosure was a legitimate strategy, it seems unrealistic to argue that the NSA wanted to avoid more scrutiny in their moment of political weakness in the months after the Snowden revelations.

[0] https://medium.com/@thegrugq/mind-games-international-champi...


The argument used...

"One reason for suspecting government instead of criminal involvement, officials said, is that the hackers revealed the NSA tools rather than immediately selling them."

...is the sort of reasoning a kid might put forth.

Nothing like keeping alive the narrative for justification of war with Russia while concurrently obfuscating the flawed and open contractor policy embraced by US agencies.


It seems there's some incompetence involved if somebody "accidentally" leaves the keys to the kingdom on a server.


What are the tools that were leaked?


>The files mostly contained installation scripts, configurations for command-and-control (C&C) servers, and exploits allegedly designed to target routers and firewalls from American manufacturers including, Cisco, Juniper, and Fortinet.

https://thehackernews.com/2016/08/nsa-hacking-tools.html


Zero-day exploits for Cisco ASA and Fortinet firewalls, amongst others. See https://github.com/nneonneo/eqgrp-free-file.


Never attribute to malice that which is adequately explained by stupidity.

https://en.wikipedia.org/wiki/Hanlon's_razor


a) A Razor is a logical shortcut that's true more often than not. It's not some type of law.

b) Never attribute to ignorance what is properly and accurately attributed to malice.


That's certainly the favorite phrase of malicious people. They just need to act stupid to get de-facto pardoned.


I just wonder what generates so much rejection here.

Yes, I've seen it happen. And yes, I've seen it in person, not only on the net. No, I don't think it is the case here, because evidence points the other way - not because of this stupid canned thought.
