[asher]

Seems like it's trendy to hate the NSA. It gets conflated with an anti-authoritarian mindset. I wish smart people would gain some perspective - I got some by reading Bamford's books and a new one by Fred Kaplan - Dark Territories, about NSAs painful move to cyber. Some key points:

* All the great powers have NSA equivalents. Meaning they play offence and defense in crypto, RF, and cyber. We (USA) can impose restrictions on our NSA but not on anyone else's. Our exploit-riddled networks are a playground for American, Russian and Chinese cyber warriors - and probably many others.

* In cyber, offense and defense become the same. Kaplan's book covers this. So a smart country seeks cyber-superiority. The more we hamper NSA, the more we empower foreign cyber-warriors.

* The focus has moved from RF to cyber. Giant antennas are far less important and giant datacenters are the new stars. Vacuuming up packets is less alarming when you understand we've been vacuuming up radio and telephone signals for decades. When comsats were important, NSA was vacuuming up their downlinks. When international telegrams were punched on paper tape, NSA's predecessors picked up the tape each day.

* The US has tried going "NSA-less". It happened in 1929 under the slogan "Gentlemen do not read each other's mail". That noble slogan led to the US operating at a disadvantage in the lead up to WWII. It doesn't pay to fly blind.

* Fear of an overreaching state is always justified; however we should focus that fear more on how NSA shares data than how it acquires it. For instance fusion centers: https://www.eff.org/deeplinks/2014/04/why-fusion-centers-mat...

[freeflight]

This isn't meant as an attack on the OP, but I have a hard time taking anybody seriously who's using the word "cyber" in such an inflated way. Always reminds me of this:

https://twitter.com/sehnaoui/status/643972826802688000

I also think it's quite troublesome how this very real issue, IT security, is being misused to stage yet another "War on something" even if there isn't anything concrete to wage a war on. If there's such a thing as the MIC, it seems to have found a new business field with "cyber". IT security works on cooperation, even more so on international cooperation. It does not work when international players are constantly trying to shaft each other over by collecting 0-days, like this is some kind of war which has to be won by pummeling the opposition into submission with "cyber weapons".

In that regard agencies like the NSA, and their foreign equivalents, are doing everybody a giant disservice by making the problem worse, not better. We are already at a point where these government agencies tools are being sold to the highest private bidders: https://krypt3ia.wordpress.com/2017/06/22/shadow-brokers-scy...

As a fan of dystopian cyberpunk fiction, I'm not sure if I should geek out over this or just be depressed.

[walshemj]

Like it or not the "cyber" is now the term that is used

[AnthonyMouse]

People don't just make fun of "cyber" because it sounds stupid, they also make fun of it because it is stupid.

The media literally portrays the threat as Tron, when it's actually that critical systems have remotely exploitable vulnerabilities. The only real solution is to find the vulnerabilities before the bad guys do so we can close them before they're exploited.

Hoarding vulnerabilities in secret is the exact opposite of the solution.

[asher]

I used to think like that. But consider two things. The capabilities of the state actors are high. They cooperate with chipmakers and OS makers (or subvert or hack them). They compromise routers and hard drive firmware. Second, Kaplan's book documents multiple waves of cyber-fear in the US government; multiple US presidents starting with Reagan have tried and failed to secure our vulnerable systems. Simply put, corporations are not going to let NSA dictate security practices to them, because they need to make money and can't spend all day on security. Similar problems occur in military/government.

Remember how cannons made castles obsolete? We're in a similar era, where offense is outstripping defense.

Consider stuxnet. You have to assume Iran, which is smart enough to make nuclear weapons, took its best shot at securing that air-gapped network.

I think you have to accept that hoarding vulns is the international reality and difficult to change. Maybe a cyber-SALT treaty could change it.

[AnthonyMouse]

It doesn't matter whether offense is stronger than defense because this is not a mutually assured destruction scenario. Having offensive capabilities doesn't prevent an attack because we already have offensive capabilities -- sanctions and missiles. The problem isn't an inability to strike back, it's attribution. A hoard of vulnerabilities does nothing to solve that.

What governments actually use vulnerabilities for isn't deterrence, it's espionage and sabotage. But those goals can't justify knowingly leaving critical infrastructure vulnerable to criminals and terrorists.

> I think you have to accept that hoarding vulns is the international reality and difficult to change.

It doesn't really matter whether other people are doing it. The solution is to keep the espionage agencies on the hunt for vulnerabilities but require them to be disclosed within e.g. four weeks.

If it really is so easy for entities with state-level resources to find vulnerabilities then they'll be able to find a new one every month and continue to use it for their espionage, and at least the low-hanging fruit will be eliminated which makes it harder for criminals without state-level resources.

If there is not an endless supply of vulnerabilities then soon enough they'll have reported every existing vulnerability in commonly used software, they'll all be patched and there will be nothing for other states to hoard regardless of whether they have the same policy or not.

[freeflight]

> The capabilities of the state actors are high.

Not just of state actors, we are not talking about aircraft carriers or nuclear missiles here, things that need a massive infrastructure behind them, we are talking about tools pretty much anybody with the right knowledge can apply once they get access.

That's the thing barely anybody wants to acknowledge with this situation because it's way more convenient to attribute everything to state actors, it's become the new get-out-of-jail card for shoddy security practices. "Nothing we could do to prevent that, adversary was a mighty state actor ¯\_(ツ)_/¯"

It's also convenient for pointing fingers at the usual suspects and start the war drums (Russia, China, NK) without admitting that attribution pretty much boils down to a guessing game with no guarantees.

In that regard the "who" is pretty much meaningless to the problem, it's all about the "how" and as Wannacry has shown the "how" quite often boils down to "Abused a vuln. that has been known, but hoarded in secret".

> They cooperate with chipmakers and OS makers (or subvert or hack them). They compromise routers and hard drive firmware. Second, Kaplan's book documents multiple waves of cyber-fear in the US government; multiple US presidents starting with Reagan have tried and failed to secure our vulnerable systems.

That's a bit contradictory, why would manufacturers be willing to let themselves get subverted to make less-secure products, but not to make more secure products? Especially considering how security is a big part of the business for quite a few of these companies, like CISCO's firewalls. For that very same reason, MS did act rather quickly and pushed out a fix when NSA informed them about EternalBlue.

> Remember how cannons made castles obsolete? We're in a similar era, where offense is outstripping defense.

That comparison doesn't really hold up. Cannons didn't work because of some obscure vulnerability in castle walls that only cannon makers knew about and which could have been fixed by wall-makers once they knew about it. Cannons simply overpowered walls.

One could argue that offense is outstripping defense due to the simple fact that "state actors" mostly focus on offense, while barely ever bothering with defense because that would also hamper their own offensive capabilities.

IT security always boils down to how much effort an attacker is willing to invest. If government agencies focus most of their efforts (backed by massive resources) on offense then the natural outcome will be that defense (mostly driven by private entities) always lacks behind, because we end up spending more time poking new holes than actually plugging them.

> Consider stuxnet. You have to assume Iran, which is smart enough to make nuclear weapons, took its best shot at securing that air-gapped network.

Their best shot was air-gapping the network, that's about it. To get trough that Stuxnet went wide and deep: https://www.scmagazineuk.com/chevron-confirms-that-it-was-hi...

> I think you have to accept that hoarding vulns is the international reality and difficult to change.

Sure I have to accept that, can't force anybody to do anything. That reasoning still reminds me way too much of the reasoning for selling weapons to questionable nation states, "If we don't do it somebody else is gonna do it", the kind of reasoning that doesn't get us anywhere and only makes the problem worse.

[qb45]

> That's a bit contradictory, why would manufacturers be willing to let themselves get subverted to make less-secure products, but not to make more secure products?

I know that's not exactly what you meant, but allegedly China requires some Western products sold there to have backdoors. I heard reasonably reliable rumors about one specific case, here's some general article to prove I'm not completely talking out of my ass:

http://www.networkworld.com/article/2331257/lan-wan/encrypti...

> Especially considering how security is a big part of the business for quite a few of these companies, like CISCO's firewalls.

Funny that you mention firewalls, a year ago it was discovered that some Juniper firewalls and VPN gateways had a covert master password and an advanced crypto backdoor allowing decryption of the VPN traffic IIRC.

Juniper denied knowledge of this backdoor and it's possible that this wasn't NSA's job at all because it involved the Dual_EC_DRBG algorithm to which they are believed to have a backdoor baked in the standard. But this means that somebody managed to hack them (and specifically their precious security products).

[QuarterReptile]

So, can you explain why 'cyber' is stupid?

Are you saying it's stupid because media can't handle the topic competently? I hope not; that's possibly the lowest bar ever set for stupidity.

[walshemj]

as is the way "hacker"'s meaning has changed from its original usage some times you have to accept that meanings change

[majewsky]

Not at all, actually. Usage of words like "hacker" or "cyber", in the meaning ascribed by mass-media et.al., can be very useful to identify someone as "not an actual hacker". Jargon has been used this way for about as long as humanity exists.

I recall a story in which, a few years ago, a few emissaries from police agencies roamed the Chaos Communication Congress to recruit IT personnel. But they came in suits and thus immediately stood out of the crowd which was wearing nerdy T-shirts and hoodies, so no one liked to be seen with them.

[freeflight]

Used mostly by politicians, lobbyists and media, it's become just another meaningless buzzword people throw around to give the impression they know what they are talking about, quite similar to the "cloud".

Even the CCDCOE (NATO Cyber Defense Centre of Excellence) admits that it's a rather undefined term with vastly different interpretations: https://ccdcoe.org/cyber-definitions.html

[asher]

Yes, Kaplan's book touches on the silliness of the term (it was consciously borrowed from William Gibson) but policy makers and advocates seem to use it in discussion. Of course there are more impressive terms when needed, like "Information Warfare".

[hutzlibu]

"In cyber, offense and defense become the same"

More details pls. Because it sounds like bs. It is a difference to secure a network and maybe find out who a attacker is - and then attack back - than to just hack everyone you can and build as much hidden botnets as possible. Which would be "offense"

"Gentlemen do not read each other's mail".

It is indeed a noble statemt. And I'd like to see claims, how that led to US disadvantage in WW2. Because when you have Nazis e.g. they are clearly not gentlemans anymore and can (and were afaik) be spied on. The statement means, that you only spy on enemys.

"We (USA) can impose restrictions on our NSA but not on anyone else's"

You are the still the superpower number one. And for once you lead by example. And you do indeed(or try to) impose restrictions on everyone else all the time.

If you would really stop to spy on everybody in the world and really only on your enemys ... this alone would make a huge impact. But you as a empire does not really want to. The more you know about the worlds secrets, the more you can controll it. And no, I am not saying that the smaller empires like china or russia are any better (not at all). But you are the power number on. You have the choice of leading by fear, violence and intimidating - or by sticking to your old values of respecting your peoples and others freedom(as long as it is mutual) and providing a base for a voluntary coorporation of any kind. If you do this, you stay in leadership. If you just become one more lame empire, using any means necessary to stay in power, you will just fall like any of those empires, as history and current trend shows.

[nickpsecurity]

It's an obvious consequence of the action. They're not getting others' secrets. Their enemies are still getting theirs. So, their enemies will know their plans but not vice versa. Definitely not a smart way to wage war.

[hutzlibu]

So you are saying the whole world is the enemy of the US, including their own population?

(I never said something against spying against enemys)

[nickpsecurity]

They look inside the US (in theory) to find the enemies inside the US. As for the whole world, they're competition when not enemies. Many allies even use spies to get our IP, outbid us on contracts, and so on. Need a spy agency to deal with that or do similar things. They help us stay on top.

[hutzlibu]

"They help us stay on top."

Sure, with the biggest spy agencys and the biggest military(including ready to strike killer squads) stationed around the world, US are the biggest empire and they need all that to stay the biggest empire. Logic of the powerstruggle of empires. No doubt about it.

But I was talking about the other america, the former "leader of the free world" defender of human rights etc. Which is a different thing from an empire. And people all around the world actually did and some still love the former, but an increasing number hates the latter.

So continue to think and act like an empire - and see where that leads to.

Here in germany there are allready many people thinking siding with russia and china could be a better choice, as in their opinion the US is doing more evil stuff. Even though I do not think so, the fact alone should worry you. Because at some point there will be no more US-Dominance, when the whole world turns away.

[nickpsecurity]

"Sure, with the biggest spy agencys and the biggest military(including ready to strike killer squads) stationed around the world, US are the biggest empire and they need all that to stay the biggest empire."

It seems you agree with my comment that the U.S. has need of such spy agencies but disagree with their goals or probable results of their actions. We're in the same boat on the latter.

"Here in germany there are allready many people thinking siding with russia and china could be a better choice, as in their opinion the US is doing more evil stuff. "

That shouldn't worry me. What people think is often a consequence of the media they view. I know people believed what you wrote and sometimes killed/died for it in the 1930's-1940's in Germany. We're educated about that extreme example but I don't know your current trends. I do know you also have different sides of politics with media groups focusing on each. I also know you're a huge player in exported goods. So, I can't predict anything except that Germany's choice will be significant. I do know the government wanted to be part of Five Eyes giving a lot of concessions for that. And BND is as devious externally and internally as the CIA. So, more similarities on this topic than differences except for the large scale nature of foreign involvement that American government has done. Those pricks meddle with everyone.

[eksemplar]

It's not the role of a democratic and free government to use mass surveillance against its own citizens. It's something you do in a tyranny to weed out dissidents and quill rebellions before they happen.

I'm sure you can put up a lot of good points as to why he NSAs of the world help, but the simple truth is, that we are not free when we live under a surveillance state.

[walshemj]

And in what "democratic and free" state are there not bad actors who do need investigating?

Hanson, Philby etc.

[eksemplar]

Safety is a common argument, but mass surveillance doesn't seem to be keeping us safe. https://goo.gl/images/ciNqLM

[sametmax]

It's like saying peace is trendy and we should not try to go weaponless.

That makes no sense.

We all want peace. We all know that peace is not there yet and that without weapons the other countries would take advantage of it.

Yet we all know that the weapon oriented society the US has become is a major issue.

It's not contradictory, just being honest with yourself.

[dom0]

> We all want peace.

I don't think that's true, there are clearly many people bent on fueling conflicts and wars, both in- and outside the US.

[sametmax]

*In HN.

I don't think many people on this forum are war lords.

Anyway "we all" is always false, and is just another form of "most people". You must be really lacking of ideas to nitpick on that.

[mowenz]

I don't think he is nitpicking at all. The US has too many conflicts, incl wars. 26,000 bombs dropped last year. Extremist fighters funded by the US Gov't (Syria, Iran Contra, and who knows what else has yet to be proven). We have 7 cities with higher murder rates than any country in Africa or the Middle East, including Afghanistan. Largest prison population, a publicly known torture camp... I could go on. But I think a lot on HN are obviously absorbed in their comfortable occupations--they're challenging, interesting and demanding, and also rewarding. It's easy to get lost in this and forget what less fortunate are dealing with.

[JumpCrisscross]

> It's like saying peace is trendy and we should not try to go weaponless

In physical warfare, the only way to increase your defensive (i.e. deterring) military advantage, relative to an adversary, is to add better materiel. (The other option is to reduce the adversary's material, i.e go to war, which itself requires a military advantage to make sense.)

In "cyber," that's not the case. A hoarded vulnerability may end up being used against your own country. Adding vulnerabilities to your stockpile increases your offensive capability while simultaneously forcing you to leave an opening in your defenses unrepaired. We don't have a good analogy for this in meatspace, which is why it's hard to debate at the political level.

I don't think all vulnerabilities should be automatically extinguished. At the other end of the spectrum, the NSA hoarding bugs in the software that runs disproportionately American infrastructure systems is patently silly.

[benchaney]

> * All the great powers have NSA equivalents. Meaning they play offence and defense in crypto, RF, and cyber. We (USA) can impose restrictions on our NSA but not on anyone else's. Our exploit-riddled networks are a playground for American, Russian and Chinese cyber warriors - and probably many others.

So?

> * In cyber, offense and defense become the same. Kaplan's book covers this. So a smart country seeks cyber-superiority. The more we hamper NSA, the more we empower foreign cyber-warriors.

Does this hold even when your "offense" involves hoarding vulnerabilities (instead of responsibly disclosing them) and then leaking them?

> * The focus has moved from RF to cyber. Giant antennas are far less important and giant datacenters are the new stars. Vacuuming up packets is less alarming when you understand we've been vacuuming up radio and telephone signals for decades. When comsats were important, NSA was vacuuming up their downlinks. When international telegrams were punched on paper tape, NSA's predecessors picked up the tape each day.

I don't see how "we have been doing this for a long time" makes it less bad.

> * The US has tried going "NSA-less". It happened in 1929 under the slogan "Gentlemen do not read each other's mail". That noble slogan led to the US operating at a disadvantage in the lead up to WWII. It doesn't pay to fly blind.

The US did pretty ok in WWII.

> * Fear of an overreaching state is always justified; however we should focus that fear more on how NSA shares data than how it acquires it. For instance fusion centers: https://www.eff.org/deeplinks/2014/04/why-fusion-centers-mat....

Those things are both issues, and we can discuss them both.

[walshemj]

urm no there was stupid inter service rivalry that lead to bizarre things like the army and navy working on decrypting intercepts on alternate days instead of having one organisation like BP and GCHQ

[jimnotgym]

I recommend a very health disrespect of organisations like the NSA. This article was shared recently on here apologies for stealing it

http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-...

It really made me laugh, and think about the pointlessness of the whole organisation of British Intelligence.

Are we really clear that MI5/6, NSA, GCHQ etc have any benefit at all. Isn't it just a matter of of an arms race, where each country keeps raising the stakes? It is already clear that the NSA have produced dangerous cyber weapons which have escaped into the wild.

The secrecy is the perfect excuse for empire building. You can imagine they are filled with paranoid idiots who want every bit of information going, but never analyse it into anything useful.

RE WW2 it is not clear at all that the USA was at a disadvantage due to lack of intelligence. In the UK we love to celebrate our great code breaking efforts, whilst simultaneously the Germans were breaking ours...

[skrebbel]

Trendy or not trendy, your argument boils down to "we should trade liberty for security in this global surveillance arms race".

[fweespeech]

> Seems like it's trendy to hate the NSA. It gets conflated with an anti-authoritarian mindset. I wish smart people would gain some perspective - I got some by reading Bamford's books and a new one by Fred Kaplan - Dark Territories, about NSAs painful move to cyber. Some key points:

> * All the great powers have NSA equivalents. Meaning they play offence and defense in crypto, RF, and cyber. We (USA) can impose restrictions on our NSA but not on anyone else's. Our exploit-riddled networks are a playground for American, Russian and Chinese cyber warriors - and probably many others.

> * In cyber, offense and defense become the same. Kaplan's book covers this. So a smart country seeks cyber-superiority. The more we hamper NSA, the more we empower foreign cyber-warriors.

Reducing domestic surveillance doesn't substantially impact that mission.

> * Fear of an overreaching state is always justified; however we should focus that fear more on how NSA shares data than how it acquires it. For instance fusion centers: https://www.eff.org/deeplinks/2014/04/why-fusion-centers-mat....

The CIA/NSA can't hold onto its intelligence as shown by various security breaches, whistleblowers, etc.

Not gathering domestic surveillance data in the first place avoids that problem. The NSA can keep an eye on China, Russia, etc. all they want.

[justicezyx]

Your argument is in the same vein as why us has the largest military force. I don't think it's irrational, but I would say it does not address the new security threats.

[3131s]

I was trying to put a word on it too. It's irrational if minimization of harm is the goal. And it's totally blind to the externalities of pouring massive amounts of money into the surveillance industry and really the war industry more generally, as these two are highly interconnected.

The arguments are almost insidiously constructed.

> Vacuuming up packets is less alarming when you understand we've been vacuuming up radio and telephone signals for decades.

No.

> Seems like it's trendy to hate the NSA

Leading with an ad hominem.

> The US has tried going "NSA-less". It happened in 1929

Didn't something else happen in 1929 that impacted the overall stability and thereby war readiness of the US?

[type0]

NB! Cyber Warning:

Please, you Sir,

no one knows what the heck you're talking about

[1001101]

> I wish smart people would gain some perspective - I got some by reading Bamford's books and a new one by Fred Kaplan - Dark Territories, about NSAs painful move to cyber.

All smart people, or those that disagree with your findings from reading two books?

[someguydave]

The NSA might have more credibility if there were some basic policy discussions about its purpose after the Cold War ended and indefinite wars on terror/drugs began.

[morsch]

Cyber? Really?!

[pokemongoaway]

Ya he probably eats up their literature :P

[mtgx]

> Seems like it's trendy to hate the NSA.

Yes, that tends to happen when the NSA abuses its power to illegally spy on its own citizens for its own gain and profit, and also when it tends to compromise security of networks in 99% of the cases for its own surveillance benefits.

[pokemongoaway]

You seem to accept "the ends justify the means" on such a deep level. Have you considered that human history on earth is quite brief - and that our level of experience and confidence in our methods are mismatched? Another question would be: why do you have confidence in authorities while their objectives, desires, names, and alliances are opaque?

[43224gg252]

>Seems like it's trendy to hate the NSA

Because they make us LESS SECURE.

They are an anti-security organization.