Lebowski Enlightenment #B

I have not had a Lebowski Enlightenment for a while. I don’t understand the reason, will have to pay attention to why they seem to come in waves.

This one happened as I was writing a note to go along with a link I was sending to friends :

This came off of Drudge, Breitbart is not unbiased, although I often am confused by how they are on any particular topic. I think there can’t be any doubt wrt Clintons, so at least grains of salt. Then add the fact that Erik Prince of Blackwater fame is the one spilling the beans, well, it could take the government a while to get around to trying to refute this, not necessarily because it was true.

If this kind of evidence ties Clinton’s non-existent, let’s admit it, non-existent is the correct word for her email security, to that man’s death, we can expect at least a few political ramifications, people willing to say words, at least. I am not making it up, I have read more than a few security professionals who say what I said and for the reasons I thought: Everyone read Hillary’s email, it was a Windows Server running a Windows Application, nothing was encrypted and it had many open ports. Every nation that has spies these days has exploits for every combination of those, they begin with newbies’ tools and progress upward, but the oldest and simplest open many setups just because nobody gets the gd patches. No kidding, it is a separate expense item in most IT organizations “MS patch management”. Hundreds of hours in a year for any sizeable organization, just keeping track of patches and licenses, installation extra.

I forget the details, but hers was at least not up-to-date. Which doesn’t matter anyway, major intelligence services purchase the product of, and thereby keep clever software security researchers making very good $ for their talents in finding new exploits, new 0Day exploits, and also provide a continuous string of Nth-day exploits at ever dropping price.

NSA et al, by deciding to focus on cyber attack rather than defense, established a new ceiling, an always-highest bidder. Probably those are not the most transparent markets, one suspects suppliers will cooperate in pushing the price for the 6-month exclusive use of a new exploit very high.  Probably other intelligence services, also. NSA is a big-budget import economic power in the 0Day exploit market, prices are, from things I have read, in 6 figures.

The supply of 0Day exploits is thereby considerably larger than had not NSA begun purchasing those exploits. It is pretty clear that the government both obtains 0Day exploits on its own and via purchase and also monitors for discussions of them. Some Federal agency pretty clearly knew it was not going to be able to suppress knowledge of the various remote control of automobiles hacks for much longer, it chose to expose one by using it to close Michael Hastings’s investigations of something close to that agency’s interests.

The academic paper describing the security researcher’s results and how the accelerator could be regulated to maximum at the same time as braking was disabled came out a month after Michael Hastings’s very hackable automobile both smashed into a tree at high speed AND burst into flames. ‘Bursting into flames’ must have been caused by being so close to Hollywood, as it never happens except in their movies. Michael Hastings was left an incinerated corpse. You don’t see that in many auto accidents, I believe.

Considering this led me to a peculiar understanding, of a consequence, a very direct and inevitable consequence, of that decision to find and purchase exploits, to go on the offensive in extracting secrets from those who might wish to keep their secrets private.

NSA can’t both hoard 0Day exploits and have the government’s computers patched, that would give the exploit away. So, NSA’s decision to go offensive is the flip side of the same decision to allow America’s databases, government and private, to be hacked by foreign powers.

NSA was, in these decisions, clearly making a decision to favor itself* as compared to the nation as a whole. The decision to employ hacking tools in espionage was in diametrical conflict with any duty it may have had to the nation to protect the nation’s communications. We cannot know what NSA’s duties are, however, as their charter is secret. That makes it difficult to evaluate whether they have failed to fulfill them by deciding not to take steps, clearly within their powers, to protect the nation’s information from spies and thieves.

It has taken me most of a year, from the initial grasp of the fact that NSA decided to do offense rather than defense, to grasp this flip side implication. Obvious, and obviously I can’t be the first to think the thought. I cannot remember having read it, I read Schneier’s Newsletter, etc. Obvious to every security professional, but not something they discuss in public? Lebowski Enlightenments galore lie down that line of thought, I think.

Thus, this JRandom Nobody blogger has been first to state, so far as I know, “If you can’t protect it, and you can’t, don’t collect it”, which pretty much removes any role for the NSA, as Snowden showed they can’t protect it, and now “Choosing to attack is choosing to not defend“, which makes NSA distinctly less purely pro-American in goals and effects than American citizens might have wanted to believe.

Which leads to the question, “Why do they continue?” Are America’s spy agencies entirely devoted to insider trading and the power derived from their searchable blackmail database? We know those uses are among the most successful, certainly they can’t find spies or terrorists and cases such as Dennis Hastert being the CIA’s man in Congress are apparently normal, CIA and FBI have informants throughout government, including the courts.

Why do you think this question is not a major issue in public life? It is, imho, one aspect of the growing power of America’s Deep State. 9/11 False Flag and Sandy Hoaxen are others. I think America’s Deep State is our most dangerous enemy, not least because of their incessant actions trying to focus attention on Russia, China, ISIS as significant enemies.

*NSA has a fig leaf defense : “We can’t find them all! In Windows? Are you kidding, finding and patching all the exploits in Windows is emptying the Pacific with a cup!” That is a standard security professionals’ view, the reason perimeter defense and fast detection of successful penetration is so very necessary and their major focus : if someone can access a Windows system, they can penetrate it.

So obviously, nobody serious about security can use Windows, every security professional on the planet realizes that. But, just as obviously, it is possible to put together systems with arbitrarily tight security.  I can see how to do that, surely NSA’s serious security people can see deeper and do it more elegantly. Also, in a design that is far more usable than the capability-based system they provided for SELinux, which I never saw anyone actually use, as system administration for SELinux is a serious PITA.

And, of course, very likely some of the hacks of Hillary Clinton’s email server. This is where their figleaf kicks in: that would have been hacked at one or more points in its changes of management and hardware in any case, it was never protected enough, her guy didn’t even understand the concepts, from anything I read. Not even basic protections. And all of the script kiddies’ exploits were not found and prevented from being fixed by NSA’s attack groups, so NSA isn’t entirely responsible.
