by legrande 1781 days ago
We all know it's the National Insecurity Agency[0], and that the NSA hoards & stockpiles 0day. They very rarely release tools and research papers designed to strengthen our IT infra, since they sit on so much 0day. There's no balance.

I don't buy that they're 50% red team, and 50% blue team. More like 99% red team and 1% blue team.

[0] https://en.wikipedia.org/wiki/Doublespeak

3 comments

> We all know it's the National Insecurity Agency[0], and that the NSA hoards & stockpiles 0day. They very rarely release tools and research papers designed to strengthen our IT infra, since they sit on so much 0day. There's no balance.

Well, if the NSA does have loads of 0day then it's still better for them to give good security advice to strengthen infra, because it will limit the access adversaries have while they still have all the 0days anyway.

i.e. they are advanced enough to not need to walk through an open door, so they might as well encourage others to close the doors because that will increase national security (while presumably not limiting their own access).

One of their missions is infrastructure security of nationally important assets. Usually this is military stuff. But think power grids, etc… NSA ironically puts out some good security stuff. Their “manageable network plan” pdf is a must read for anyone hacking to wrangle a new environment, even if it isn’t followed by the owners of said environment.

I’ve been recommending it to various localities after my security assessments for years now. https://apps.nsa.gov/iaarchive/library/ia-guidance/security-...

I get a "cannot find requested file" page when trying to get the actual file. The IAD library stopped being updated in 2018 and the link has apparently bitrotted. Cryptome still has a copy, FWIW [0].

Having said that, the last thing I tried implementing from the NSA was a simple systemd service to disable ptrace [1]. The provided service definition had at least three errors, and the instructions themselves were incomplete. Not exactly a confidence builder, but I'll take a look at this one so thank you.

[0] https://cryptome.org/2016/01/nsa-16-0114.pdf

[1] https://media.defense.gov/2019/Jul/16/2002158062/-1/-1/0/CSI...

Thanks for the update!

Have absolutely zero background knowledge here, but just to be pedantic, your argument is structured as a logical fallacy [1].

While we maybe could estimate the relative sizes of the groups you mention and compare them relative to each other to guess the strategy/policy/tactics it's not clear that would be accurate; or maybe we could infer based on some heuristic or metric (like budget being a proxy for headcount), and even then it's not clear how certain that guess would be, so it's not obvious how "we all know" it's 99/1 vs 50/50, vs any other permutation.

Push come to shove would probably agree with your premise and conclusion, and really have no idea, so apologies for being nitpicky; without a background on the technical details it's likely I'm wrong.

[1] https://www.logicallyfallacious.com/logicalfallacies/Alleged...

To add to this, GP: it is enough to simply state facts and how they influence your opinion.

No individual can speak for all readers here on how they view this agency. Attempting to do so weakens the comment.

Yes, there is a logical fallacy here. Yet, that does not mean that the initial comment doesn't have a point.

(that's another logical fallacy ...) https://www.logicallyfallacious.com/logicalfallacies/Argumen...