
What’s with the doomer mentality? NSA isn’t some magical unicorn that can just walk through everything.



They kind of are though. If you have a LOT of money, time, and personnel -- and they do -- you can find a lot of vulnerabilities.


Yes and we've seen their shit get leaked over the years. From that we can see clear patterns in what they view as valuable and where they spend their significant, but still limited focus.


Can you prove that it is a leak, and not a stunt by the NSA itself?


You have to be wearing multiple tinfoil hats if you think NSA released DeepBlue as some sort of black flag OP


>NSA released DeepBlue as some sort of black flag OP

EternalBlue...and it was part of the Shadow Brokers package, but that was just one occasion; Snowden is another.

One must probably wear a Tar-hat to think that this is impossible.


I guess we just have to agree to disagree. There was no benefit for them releasing the zero day.


>NSA isn’t some magical unicorn

With unlimited money and the job of cracking encryption, hacking into systems and securing the networks of the wealthiest nation and only superpower on earth atm, it IS pretty much a unicorn, and I am pretty sure they are 20+ years in the future technology-wise, and with that:

>>Arthur C. Clarke — 'Magic's just science that we don't understand yet.'

So yes Magic Unicorn describes the NSA pretty well.


Yeah, that's bullshit. For NSA-proof personal tech stack you'd rely more on tamper-evident blocks that's all. Also, security in depth and security through obscurity are much more applicable if you're a person and not an organization. Finally, +20 years head start does not mean much if you distrohop and FOMO into bleeding edge stuff like a tech podcaster.


Not sure if you know what you're talking about, you sound a bit like a bot #NSA-proof #distrohop


In case you're genuinely curious, 'NSA-proof' is a portmanteau of NSA and 'idiot-proof'. Distrohopping is when people change (usually GNU/Linux) distributions once a month or so (which is an allusion to the tongue-in-cheek conjecture that one can change distributions faster than NSA can break them). Have a good day, fellow human.


>one can change distributions faster than NSA can break them

Oh man, I don't know what to say. Does one distrohop the ssd/efi/net/wireless/keyboard/etc-firmware too?

One distrohopped for 15 years and that vuln existed the whole time...but hey, it would be just that one...it's an exception, right? ;)

https://securityaffairs.co/wordpress/115565/security/linux-k...

How many completely different browsers exist? And how many locally exploitable user-to-root exploits exist in the Apple/Linux/BSD worlds? If you're a valued target and you are connected to a network, you WILL be hacked.


Buddy, I'm not gonna follow this thread anymore because you seem to be baiting me to read you a lecture on OPSEC, security in depth and compartmentalization.


Buddy, your distro hopping advice is advice so bad, that the most charitable interpretation is you have no idea what you’re talking about.

Seriously? Distro hop? My brain hurts, I need coffee.


Lol, this is so fucking funny. Distro a day, NSA stays away! Amazing.


Yeah this is bullshit. There is no demonstrated NSA proof setup. If they haven’t broken in to something, they aren’t telling us about it.


Assuming that time travel is impossible, NSA can't break into something that does not exist anymore. Hence the idea when facing such an adversary is to present them with a constantly moving target. Although NSA might be able to break any full disk encryption given enough time, they aren't able to decrypt something that no longer exists.

This principle isn't scalable to every computer system out there and will definitely go against other requirements in most organizations, but if you are an individual, it's not hard to pull it off.


This ignores the obvious. What parts are not changing with a distro hop?

Are those parts vulnerable to the NSA?

I believe due to what was made public, that they do have that capability.

I would suggest more research. If you are actually changing distros every month, that seems like a very manual process, with many points to use an insecure config. I think your time could be better spent hardening a current system.

And yes the NSA could own your box every month (and would) if it suited them.

Check out this link, this stuff is fascinating.

> In some cases, the NSA has modified the firmware of computers and network hardware—including systems shipped by Cisco, Dell, Hewlett-Packard, Huawei, and Juniper Networks—to give its operators both eyes and ears inside the offices the agency has targeted. In others, the NSA has crafted custom BIOS exploits that can survive even the reinstallation of operating systems. And in still others, the NSA has built and deployed its own USB cables at target locations—complete with spy hardware and radio transceiver packed inside.

https://arstechnica.com/information-technology/2013/12/insid...


You pose the questions but do not answer them. Assuming distros are selected purposefully you do get quite a lot of variability. Recompiling the kernel with different hardening options alone makes many exploits impractical.

The threat modeling that you see in this thread is laughable. Nobody has infinite resources, not even NSA. They can't throw all their capability at you alone. In fact they are not even interested in any one individual. They might be interested in some groups of people like "terrorist leadership", but even in that case they don't have the need to hack all people matching that group. So at every step of the decision-making process there is a cost-benefit analysis. And in the end NSA will only hack some terrorist leaders, the ones deemed sufficiently significant but not any more risky than is necessary.

The amount of meetings and paperwork required for carrying out offensive action is significant and everyone involved is very risk averse. Getting superiors to sign up for an operation against an individual capable of detecting attack and thus risking attribution would only be possible if the proposed techniques can be shown to be extraordinarily stealthy. That requires replicating the system in the lab and rigorously testing methodology beforehand.

Yeah, it is hard to protect organizations from nation states, because all sufficiently complex systems have bugs and, given long enough, persistent attackers will find & exploit these bugs. But that's because organizations have other real-world priorities besides fighting NSA. These organizations can't change protocols overnight and replace core systems just for the fun of it.

Individuals actually have an advantage here because they can rotate systems at will and have much higher control over their personal lives than any CEO/CTO/CISO has over their organization. As a result, yes, you can raise the cost of an attack against you high enough that NSA won't bother hacking you - either because there are other people who are less protected but hacking them would fulfill the same objective, or because your ass gets handed to another agency which is able to present a more cost-effective solution.

Your link demonstrates this dichotomy between options that NSA has available for hacking organizations vs individuals. Individuals rarely have well documented procurement processes available for third party auditing you know.


> You pose the questions but do not answer them.

I literally answer directly after the questions. Read for comprehension.

I can tell you with 100% certainty that your assumptions are 100% wrong. Interpret that statement as you may and update your threat model accordingly.


You, sir, have no clue what you're talking about: a payload getter in your SSD firmware survives your distro-hop and can adapt to every OS (if your information is worth the work). And an encrypted disk...oh man, I stop arguing, it's obvious that you really don't have a clue.


You just keep talking straight past my points without even trying to understand them. Why bother writing answers at all?

I'm not advocating for installing a fresh OS on exploited hardware and calling it a day, no matter how hard you try to present my words this way.

The point is to keep any single environment around only for a short period of time so that adversaries don't have enough time for replicating your systems and crafting a targeted exploit chain.

It is not meant to be the only line of defense. You would still harden every system you own, putting particular focus on tamper & intrusion detection (including retrospective analysis).

Couple that with strong compartmentalization (e.g. using different hardware for different purposes, Qubes OS style virtualization approaches) and defense in depth (exploit mitigations, traffic anonymization).

Here, I have spelled it out for you. Feel free to outline how you would approach attacking such an individual adversary, even with an NSA-level team at your disposal. Silent assumptions being that 1) if a person's physical location is known, CIA is a cheaper option than NSA and 2) a failed offensive operation leaving attributable evidence is considered by NSA worse than a missed opportunity.

Please, stop low effort ad hominem attacks.


Wow, you change your meaning pretty fast. Yes, if you throw your laptop away after 1 hour you are pretty safe...well, if the laptop is from a secure source...like Amazon ;)


> adversaries don't have enough time for replicating your systems and crafting a targeted exploit chain.

Is this how you think it works?



