
NSA Exploit Leak is the Gift That Keeps on Giving

The folks from Imperva have found a new cryptomining bug out in the wild that targets database servers and application servers. What's unique about this thing is its worm-like behavior and creation using NSA exploits that were leaked into the wild. This sucker shouldn't be able to mess with your servers if you have them appropriately patched and if you have your firewall rules set properly. However, expect hackers to continue to leverage the NSA exploits and build better and better malware. Thanks again NSA.

Recently cryptojacking attacks have been spreading like wildfire. At Imperva we have witnessed it firsthand and even concluded that these attacks hold roughly 90% of all remote code execution attacks in web applications.

I can't get to this site to read it, anyone know if this article is available elsewhere or based on another work?
 
Oooh look you can use highlight. Come up with a real argument.

... When security, national security at that, is your name and mission then you fucked up big time when you lose tools. Heads should roll, people need to be accountable. Sadly that is not the case in this day and age.

Your arguments are poor because you're treating a national security apparatus like a corporation or individual instead of a state actor, no wonder the government is incompetent.
 
If you're the NSA and it's stolen from you, that should damn well be negligence.


No.

Nothing is perfectly secure. Perfectly secure doesn't exist in the functional world.

If someone stole it from the NSA, it was either negligence, not negligence, or it was by plan and as intended, (which I don't really think is the case, but it's possible so I put it in).

If it's negligence, you can expect the negligent party was punished although we may never hear about it because airing your dirty laundry in public is rarely a good thing to do. It would make them look bad.

If it wasn't negligent then it was an issue of misplaced trust. The Intelligence community works on a trust system. Mercenaries can always be bought out from under you, and zealots come with their own issues. But trustworthy believers are best but you still have to worry about a believer who "has a crisis of faith" so to speak.

Unless you know which of the three this is, then I think you are being too critical and jumping the gun on a blanket claim of negligence.

Now I really wish I could read this article.
 

I disagree, given the impact that state level actors can have globally, right up to total annihilation. We should absolutely demand accountability regardless of the complexities involved.
 
Whether I did it legally for my job or not, I have responsibility to make sure it doesn't escape. NSA are morons for letting virus code outside a contained facility. IT IS THEIR FAULT FOR NOT IMPLEMENTING PROPER CONTROLS. Did you see Oppenheimer walk out with uranium or implosion detonators?

Ladies and gentlemen, kju is the example of what's wrong with modern government: No f'n accountability.

What makes you think that it "walked" out of an NSA facility?

This is an assumption. Not all NSA work is done inside NSA secured facilities. Much of the information the NSA works with is collected by the Military Intelligence units of the US military. In fact, most of the manpower inside the NSA is active duty military, not government civilians or contractors.

I know if I were running some program where I was using a bunch of tools loaded on a laptop for operational work, I wouldn't be running the shit out of the downtown office. Fuck that, I'd put a couple of guys on a plane and fly them somewhere where they could operate anonymously, outside of the target's sphere of influence, but with access to the target. If these people I send on this mission are soldiers, well I wouldn't send soldiers off alone like that, they'll do stupid shit like get their laptop stolen. I could send government civilians, but chances are they'll get noticed, (OPM hack for the lose). So maybe contractors who weren't risked by the OPM hack, but that's younger ones again but maybe not too young to be trustworthy ..... not.

What's most likely is while deployed with the tools, someone decided they wanted their own personal copy. From there it just gets more sordid, but there is almost nothing you can do in situations like this except put faith in your people, while you watch for odd behavior, (like buying tickets for Hong Kong), and hoping that they don't get too damned crazy.
 
After listening to my piece, if you still disagree then that's cool. You don't have to believe like me.

But You should run for President. You'd fit right in with the rest of those narcissists (y)
 
OK, I found the news elsewhere and it's exactly what I thought, the same old bullshit regurgitated again.

This "new" cryptomining attack uses two methods to propagate, one is EternalBlue. EternalBlue is the same old attack vector software that was used to push Wannacry around, it only is effective against old OSes, has almost zero impact on the Western World unless someone is so stupid as to have not learned their lesson before.

The NSA authored part of this isn't the virus, it's just a rehash of EternalBlue and any Western based security outfit that is screaming fire over this is just more interested in sounding trumpets and bashing the NSA than they are doing real security research on current software that is accepted for use in Government, Business, and Education institutions across the world.

But no one else wanted to look this up, it's only ever me.
 
Then obviously you have a security problem. It's still the organization's responsibility to prevent these kinds of leaks.

The CONTRACTOR was compromised with a FULL SET of source code. What the hell is he doing with a full set of source? What the hell is it doing at home? How the f- did it get there? Even field agents don't need source if they are just running attack vectors.

Jebus, I can control labs halfway around the world using a secure private connection from my desktop at my OLD job, and you are telling me NSA can't do that with an appropriate uplink and exit node at the attack point? I guess there could be extenuating circumstances (like subs), but you still shouldn't have source code on a sub. Executable only, encrypted until runtime at that.
 
What if your sub is the developer?

What if they modify the source code on the fly, it's a small attack tool, not an Office App.

What if someone reporting on something is just the damned public spokesperson and uses fancy words that they really don't know what they mean, or a news writer who's clueless themselves but still has to write the article.

I'm not ever going to say these guys don't fuck up. But I think that if it sounds completely fucking stupid, then it probably didn't happen the way someone is making it sound like it happened.

You're an IT guy like me, you've never had a problem, told someone what happened, and they not only can't explain it right, they started a whole shitstorm cause they just don't know anything about what they are doing?

I know you've seen that yourself, everyone in this business has.

BTW, it looks like you are quoting something specific about how this was exposed, I haven't read anything really detailed like that about the actual incident, didn't know it was available. I would like a link, I'll use anything I find against you, but I know what hat tastes like too so :D
 
It doesn't have to be servers. Old network printers can run SMBv1. Those types of devices never get updates. Everyone thinks "It's a printer, what harm could it do?" Let me rephrase that, "It's a computer with network access that has access to printer hardware." Another case in point: Those very popular network cams from years ago with hard-coded root admin passwords. Many of them still don't have updates.

You got it, all you need is a jumping off point. Or, you could scan the printer/memory for credentials. I've seen plain text in some cases.
 
Hey look it’s the same shills who couldn’t admit the NSA collects on US citizens. Big surprise.
 
I just want to know who these morons are running unpatched servers...
When I was at UofM there was a Novell NetWare server that ran for years. Hardly anyone used it but it ran non stop. When it came time to shut it down, they couldn't find it. They looked everywhere. Finally it came down to testing switches and finally tracing network cables. When they traced one cable it went into a wall and disappeared.

Turns out when they renovated the cs building, they accidentally dry-walled a closet room which contained the server.

Ran for years without any maintenance whatsoever.

True story handed down to me from the network administrator.
 
They don't, you are still incapable of understanding that.

At least you're right that this hasn't changed. Of course if you knew anything at all about what you were talking about instead of referencing people who are just as ignorant as yourself then maybe we could have a discussion on it. But no matter how often people who do know something try to explain to you what's actually happening, you would rather ignore that and keep believing this tired bullshit.

In fact, if you could even give me the correct definition of "collects" regarding Intelligence Activities it would be the start of something new.
 
Is that sarcasm? I don't see how this is their fault. Something they built to exploit our enemies (well within their mission parameters) was effectively stolen and is now being used for nefarious purposes...so remind me again why this is their fault?

It's sarcasm because these are the same government agencies that want a backdoor to ALL ENCRYPTION. If they can't be trusted with their own exploits, how can we trust them with a universal key to everything?

The government needs to learn better Cyber Security. That is the MEAT of the article. Cellphones are a lot tougher to patch than servers are, AND YET THERE ARE STILL UNPATCHED SERVERS BEING EXPLOITED HERE!
 
You admitted it last time. Flip flopped LOL
 
No I didn't, you still don't understand the meaning of the word "collected" used by the Intel Community.

I'll give you an example.

I'm doing voice collection listening to radios.

I am rolling up and down through the frequency range that I am tasked to monitor and I hit a signal and start listening, I also hit the voice recorder because if it's a valid collection target I don't want to miss anything they've said.

3 minutes later the exchange is over, it was a good intercept, and I now must log it and report it. Later on, I'll send the tapes in for other linguists to go over in detail. This was a valid collection target.

Now I continue looking for the next signal and I roll onto a new one, start the tape recorder and start listening. Almost right away I hear Spanish so I keep listening, but the signal is very strong and the direction of the signal puts it crossing some US Territory, within twenty seconds of listening I realize this is not a target I am tasked to collect on and it's probably Spanish speaking US Persons, I roll off the frequency, annotate in my log that the intercept wasn't a valid target and probably US persons.

I am not allowed to collect on US Persons, I rolled off the frequency as soon as I was aware that it was likely US persons talking, but the part of the conversation I intercepted will not be deleted until later after the tape is analyzed. My log will identify that the second intercept was US persons, the Analysts will skip that part of the tape. When the tape isn't needed anymore it will be erased and reused, but no additional effort is required to "wipe the information off the tape or anything". It's just that no analysis will be done, and the conversation won't be data-based.

This is the difference between "Collection" and just an intercept. They still have part of the conversation on tape, but no analysis was done and it wasn't stored in a manner that they can readily retrieve the conversation.

Now, this is based on about thirty years of accepted procedure. Now if you ask them, "Do you collect radio communications of US Citizens" then the answer is no, but if you see those log files and dig up the tapes, you might be convinced otherwise. But that would be because the word collect has a specific meaning to the Intelligence Community and they have to be very serious about it.
 
Long winded flip flopper, I guess.

If I wasn’t lazy I’d just quote you, but I’m busy doing nothing.
 
So you call me out, I not only refute it, but take my time to carefully explain it, even after you seemingly won't take the time to at least look up a definition for one word, or look up what you claim is the proof for your own claim.

Perhaps it just isn't important enough to you after all ?

Maybe you're not really interested in the truth at all and just want to enjoy your ......... opinion.
 
Nah you cried and pissed and moaned and I’m pretty sure called me a smart ass, but I was right.

Your long winded explanations to yes and no questions always make me laff. So long and thanks for them.
 
If you were right, then I apologized?

I'm known to do that, not above it.

Maybe you just imagine that I am pissing and moaning. Just like now, you want to act like I'm entertaining you but I'm not trying to entertain you. Educate you yes, not entertain.

But the NSA has nothing at all to do with this. The NSA isn't law enforcement, they don't give a damn if your iPhone is encrypted, that's not their business. The FBI, yes, the NSA nope, not really.

So since we are off topic and you are admittedly too lazy to really do anything but make up shit for your comfortable fantasy life, or fruitlessly try to troll me, I'll let you get on with it and allow this thread to return to its purpose.
 
If you’re worried about it and have enough time on your hands go look.

I’m booked with this doing nothing shit though.
 
https://www.reuters.com/article/us-...uses-ex-lovers-watchdog-idUSBRE98Q14G20130927

Then this shouldn't be possible

But it happened. So.....
 


What shouldn't be possible?

Can you explain what happened to know what you are saying?

In that entire article there was only one single instance of an NSA Employee misusing NSA collection resources on a US Person. That one individual, upon realizing her mistake, immediately reported her error, and was punished, and she did it without knowing the person she had requested the information on was a US Person.

All of the rest either failed to access information on a US person or accessed information on foreigners, not Americans. Read it yourself, look up how many years the report goes back, think of how many hundreds of thousands of workers you are talking about over all those years.

Actually read it for once with a critical eye, it says far more good about the Agency than bad.
 
They are collecting data on Americans

In one instance in 2005, a military member of the NSA queried six email addresses of a former American girlfriend - on the first day he obtained access to the data collection system. He later testified that “he wanted to practice on the system” and gained no information as a result of his queries.

It's right here when they use the word collection system.

https://nsa.gov1.info/data/

Is this a legit NSA site?

Gotta love the if you have nothing to hide you have nothing to fear bs line.
 
Where does it say that?

Sitting at a computer terminal and making an attempt to access data from a database using an American's information, and being caught, doesn't mean the data was there to begin with, it means the search tool allows you to submit phone numbers and email addresses. Gaining access to the database but not getting the data means what to you? To me it means that either the data isn't there, at all, or it's somewhere else.

I'm pretty sure that's a fake site. It actually looks like a "spoof" site, as in comedy. Some of the captions for images and such are actually kind of funny if you try not to be too serious when you look at it.

EDITED;
This line from the first main page is immediately suspect;
Why We Collect Your Data
In the past, domestic law enforcement agencies collected data AFTER a suspect had been identified.

I know you have heard me say over and over the NSA doesn't do Law Enforcement. They also wouldn't suggest that they do LE. This is a fake site by someone who doesn't understand this at all, or doesn't care if they say something patently false.

So no classified site will have a .gov ending to it, so anything with a .gov ending will be the open public facing sites put up for the public to interface with. I'm pretty sure .info is bogus.

I never really tried to look up their org chart before, but from what I have seen so far, it's not easy to find, plus a lot of people are "making their best guesses" which makes it hard to put any faith in them. I would love to find it buried in some DoD document inside a .pdf, but if others are really trying to figure it out, it's probably not easy to locate.

This site could have something, I haven't dug into it yet.
https://www.nsa.gov/news-features/initiatives/nsa21/

OK, if you go here and click or expand the "New Mission Model", you'll get something like a mission oriented org chart.
https://www.nsa.gov/news-features/initiatives/nsa21/

The bottom lists four Enterprise locations, Colorado, Georgia, Hawaii, and Texas.



Use a site that can trace an IP address to a location;
Ping www.nsa.gov and record the IP, do the same for nsa.gov1.info

Run both IPs through the IP tracker site and see what matches up and what doesn't.


EDIT: For IT guys, this might be interesting;

https://www.iad.gov/iad/help/site/index.cfm
 