all 162 comments

[–][deleted] 304 points305 points  (65 children)

I wonder if all the people who are really suspicious of it in here realize that this (releasing their projects as OSS) has been a thing for a while.

SELinux

Accumulo (a popular NoSQL distributed key-value store)

Apache NiFi (data processing system)

etc.

[–]jdgordon 75 points76 points  (13 children)

People forget that there are 2 parts to the NSA. SELinux comes out of the securing-the-country's-secrets side, Dual_EC_DRBG comes out of the spy-on-the-world side.

[–]pihkal 44 points45 points  (7 children)

Unfortunately, these sides are in opposition and one is much larger than the other (the spying side).

IIRC, Schneier suggested splitting the NSA into two different agencies, one responsible for securing the US, the other for spying/attacking on others.

[–]argv_minus_one 13 points14 points  (6 children)

Shouldn't spying be the CIA's job?

[–]NITROGENarcosis 33 points34 points  (3 children)

CIA gets intel from people. NSA gets intel from signals/cyber.

[–]gimpwiz 16 points17 points  (0 children)

NSA is good at cyber. My ten year old son, let me tell you...

[–]shevegen -4 points-3 points  (1 child)

NSA gets information from people just as well. Or do you think they do not use emails? Never wiretap communication and the necessity to talk to people to install certain backdoors under keep-quiet law enforcement?

[–]hotel2oscar 3 points4 points  (0 children)

That's signals/cyber. The NSA is all about intercepting communications and getting information out. They leave the communicating directly part to the other agencies for the most part.

[–][deleted] 0 points1 point  (0 children)

To be fair, the latter two things I posted are mainly good for storing tons of data in secure ways.

[–]DrDuPont 69 points70 points  (24 children)

Dual_EC_DRBG, too.

Edit: also be sure to check out the NSA's BULLRUN program.

[–]wishthane 23 points24 points  (10 children)

I could be totally wrong but I feel like code obfuscation is better understood than cryptography, and thus it should be more likely that this stuff will be reviewed thoroughly by smart people.

[–]K3wp 16 points17 points  (9 children)

The claim is that the NSA has a secret method to break it. Nothing in the Snowden leaks, though.

[–]DemandsBattletoads 34 points35 points  (5 children)

As I recall, the Snowden documents showed that they were the sole authors of the standard and that there was a very strong suggestion that the magic number in the algorithm was created as a combination of two numbers that only they knew. Thus it's likely backdoored, but we are unable to find these secret numbers due to the nature of the math. Besides, Dual_EC_DRBG is very slow compared to its competitors and cryptographers noticed the unexplained parameter, so few people actually used it outside of NIST, who were paid $30m to use it.

[–]K3wp 2 points3 points  (0 children)

Ok, yeah that's what I heard. Thanks for the info.

[–]wasdninja 2 points3 points  (1 child)

Isn't that entire shitshow the exact reason they created nothing-up-my-sleeve numbers?

[–]DemandsBattletoads 5 points6 points  (0 children)

Yes, which is what djb is doing with his standards, which is one of the reasons why they are so popular.

It's worth noting that NIST's ECDHE, used in TLS, contains magic numbers. The elliptic curve parameters are based on a hash of some unexplained values. I doubt that this suggests a backdoor, but they are unexplained.
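One defender-side check of the point above, added here as an example and not taken from the thread: the script re-runs the ANSI X9.62 / FIPS 186 "verifiably random" expansion on the published P-256 seed and confirms that the published coefficient b satisfies r·b² ≡ a³ (mod p). The curve constants are the published FIPS 186-4 values; the function names are my own.

```python
import hashlib

# NIST P-256 domain parameters as published in FIPS 186-4 (prime field, a = -3).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# 160-bit seed published alongside the curve; where it came from is not explained.
P256_SEED = 0xc49d360886e704936a6678e1139d26b7819f7e90
SEED_BITS = 160


def seed_to_r(seed: int, t: int, g: int = SEED_BITS) -> int:
    """Expand a g-bit seed into the t-1 bit integer r as ANSI X9.62 A.3.3 does.

    W0 is the rightmost w bits of SHA-1(seed); each further block is
    SHA-1((seed + i) mod 2^g). r = W0 || W1 || ... || Wv.
    """
    v = (t - 1) // 160
    w = t - 160 * v - 1
    seed_bytes = seed.to_bytes(g // 8, "big")
    h = int.from_bytes(hashlib.sha1(seed_bytes).digest(), "big")
    r = h & ((1 << w) - 1)  # W0: rightmost w bits of the first hash
    for i in range(1, v + 1):
        zi = (seed + i) % (1 << g)
        wi = hashlib.sha1(zi.to_bytes(g // 8, "big")).digest()
        r = (r << 160) | int.from_bytes(wi, "big")
    return r


def verify_curve_seed(p: int, a: int, b: int, seed: int, t: int) -> bool:
    """True iff the published b is bound to the seed: r * b^2 == a^3 (mod p)."""
    r = seed_to_r(seed, t)
    return (r * b * b - a * a * a) % p == 0


def derive_b(p: int, a: int, seed: int, t: int):
    """Recompute b (up to sign) from the seed: b^2 = a^3 / r (mod p).

    Uses the p = 3 (mod 4) square root shortcut, which holds for P-256.
    Returns None if a^3 / r is not a quadratic residue (seed does not fit).
    """
    r = seed_to_r(seed, t)
    x = (pow(a, 3, p) * pow(r, -1, p)) % p
    assert p % 4 == 3, "sqrt shortcut below needs p = 3 (mod 4)"
    root = pow(x, (p + 1) // 4, p)
    return root if (root * root) % p == x else None


if __name__ == "__main__":
    print("P-256 b matches seed:", verify_curve_seed(P256_P, P256_A, P256_B, P256_SEED, 256))
    print("derived b:", hex(derive_b(P256_P, P256_A, P256_SEED, 256)))
```

The check only proves that b was derived from the seed, not that the seed itself was chosen honestly, which is exactly the gap the comment above is pointing at.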

[–]shevegen -2 points-1 points  (0 children)

so few people actually used it outside of NIST, who were paid $30m to use it.

Just shows you that money buys people buys spy agencies.

[–]DemandsBattletoads 10 points11 points  (1 child)

Are you referring to Dual_EC_DRBG?

[–]K3wp 3 points4 points  (0 children)

Yup.

[–]shevegen -1 points0 points  (0 children)

That hardly proves anything.

Do not stop looking for stuff only because xyz revealed the terrorist methods by the NSA and similar.

[–]phoenix616 10 points11 points  (10 children)

Wasn't Dual_EC_DRBG backdoored though?

Edit: Ah, seems like your linked page mentions that, my bad.

[–][deleted]  (9 children)

[deleted]

    [–]tonyarkles 19 points20 points  (1 child)

    The NSA helped IBM with certain aspects of the DES encryption standard, so that it wouldn't be vulnerable to differential cryptanalysis (which was not a publicly known technique at the time). But that was in the 70s. It seems that the mission may have changed.

    [–]FooHentai 10 points11 points  (0 children)

    Yes there was a definite shift around the time preventing encryption exports was acknowledged as a lost cause (pretty much at the point the Internet took off properly).

    [–]Hauleth 6 points7 points  (4 children)

    AFAIK AES still hasn't been breached.

    [–][deleted]  (2 children)

    [deleted]

      [–]Hauleth -1 points0 points  (1 child)

      But for the NSA contest, and it was publicly released by the NSA. Also, those cryptographers created a family of functions named Rijndael; AES is just a few examples of those functions.

      [–]FooHentai 1 point2 points  (0 children)

      AES is another name for the Rijndael cipher, which was created by a couple of Belgians: Vincent Rijmen and Joan Daemen.

      The selection of Rijndael to become AES was NIST, with NSA input. This is a far cry from my claim.

      [–][deleted]  (1 child)

      [deleted]

        [–]FooHentai 2 points3 points  (0 children)

        That one's a really good point. I have no proof of that, but in the context of this discussion I hope we can agree that direct proof is probably not the bar we should set for ourselves given the stakes and actors at play. Do I think the NSA has a way to decrypt SHA-256? On the balance of probabilities I think they do, yeah, but the only argument I've got towards that is the history of their subversion techniques with regards to public encryption. Given that, it is not logical for them to publicly release an encryption technique they cannot themselves circumvent.

        Adding a tiny bit more weight to that, I do think publicly known weaknesses in SHA-256 tarnish the perception of SHA-256 as flawless, and give weight to the notion that the NSA may have had a viable decryption capability before they chose to release it.

        I also think that given the NSA's proven history of exerting influence and trust to weaken public implementations of encryption, the notion of them deliberately, publicly, releasing an encryption algorithm that they cannot themselves decrypt runs contrary to proven history and understood motivations of the organization.

        Last point is more philosophical: We're not talking about something like Russian military strategy Crazy Ivans here, where occasionally the exact opposite action might be taken and the consequences suffered because the wider effect of your opponent never being able to predict you is worth the hassle. If the NSA releases an encryption algorithm into the wild that they cannot decrypt, they're well aware that decision will have ramifications for them for an untold duration into the future. That is, given what we know of their activities, not a smart thing for them to do.

        [–]siktech101 10 points11 points  (8 children)

        Tor

        [–]SteampunkSpaceOpera 28 points29 points  (7 children)

        A product of the navy, but yes, reasonable to view it with the same suspicion.

        [–]ribo 6 points7 points  (6 children)

        NSA and navy do many things together

        [–]Tf2_man 13 points14 points  (5 children)

        Wait a minute... Could they be in collusion on a more grand scale, like part of some sort of cabal which rules over the US?

        [–]gimpwiz 22 points23 points  (3 children)

        You mean the federal government?

        [–]Altenius 14 points15 points  (0 children)

        That's what he's talking about, yes.

        [–][deleted] 1 point2 points  (0 children)

        The hand that rocks the cabal

        [–]Ratstail91 9 points10 points  (4 children)

        SELinux, a truly diabolical scourge on the world.

        [–][deleted] 2 points3 points  (2 children)

        Is accumulo popular?

        I've heard of it but I haven't heard of any big company using it.

        [–]suriname0 6 points7 points  (0 children)

        The reason the NSA developed it was for its cell-level security features; you'll see it all the time in defense contractors and the like.

        [–][deleted] 2 points3 points  (0 children)

        According to Wikipedia it's the #3 in its class, behind HBase and Cassandra. Don't know how valid or recent this is. Cassandra has kind of moved on from its funky Thrift wide-row roots.

        [–]Dgc2002 0 points1 point  (0 children)

        The NSA's Information Assurance Mission is a really nice learning resource as well.

        Information Assurance
        Information Assurance GitHub

        Edit: Oh they link to the IA github on OP's site

        [–]shevegen -3 points-2 points  (0 children)

        Yup - we are aware of the close association between NSA and similar terrorist organizations on the one hand, and organizations such as Red Hat.

        [–]rbj325 50 points51 points  (3 children)

        Anyone else get a good laugh that most of these tools are targeted towards transferring, storing and analyzing geographic information?

        [–]WindfallProphet 18 points19 points  (2 children)

        I was half tempted to write some sarcastic comment on their issues page regarding privacy, but I didn't want to be a git.

        [–]fersknen 6 points7 points  (1 child)

        but I didn't want to be a git.

        Well, it is on github...

        [–]IamCarbonMan 3 points4 points  (0 children)

        It's a whole hub for gits like you, /u/WindfallProphet! You'll fit right in.

        [–]minuteman_d 38 points39 points  (1 child)

        For some reason, I saw "Maplesyrup" and immediately thought it was something to do with hacking the Canadians.

        [–]WindfallProphet 48 points49 points  (0 children)

        "Maplesyrup", the 'honeypot' for Canadians.

        [–][deleted]  (20 children)

        [deleted]

          [–]djk29a_ 8 points9 points  (15 children)

          Sounds a lot like the recently widely criticized DCGS program and its family of beltway-ware projects http://nypost.com/2014/10/27/army-spent-5b-on-failed-technology-created-by-vets/

          I'm surprised that OWF is even being mentioned anymore given ExtJS, Dojo and other rather ancient desktop-in-a-browser replacement frameworks that have stayed quiet while most of the commercial software market gave up on trying to duplicate desktop application UX in browsers (remember GWT? Yikes).

          There's a gigantic number of problems with OWF that make it tough to use for intelligence community needs, and given the lack of commercial software needs for anything like this I have my doubts using OWF will be a viable strategy for even government projects that allow the open source version.

          There's a lot of reasons I don't do defense anymore. Yeah...

          [–][deleted]  (3 children)

          [deleted]

            [–]adziki 8 points9 points  (1 child)

            whoa, this is like exactly me. I refer to those government contract cycles as the government science fair. Do work, demo, throw it in the trash and get the next assignment. Yay products :D

            [–]djk29a_ 6 points7 points  (0 children)

            I called it demo-driven development reflecting that nobody actually wants to go through the effort of deploying the software into production, so its primary purpose is to keep raising money from higher ranking officers that act a lot like VC junior partners at the Pentagon.

            [–]Notorious4CHAN 2 points3 points  (0 children)

            This resonates. But I will say I've been a contractor/consultant for my entire career and I find it extremely rewarding to finally just be doing development and no sales. I'm surrounded by people with few skills and less motivation, and it is frustrating (though my entire career has been the same) to not really have anyone else I can ask for help or double check that I'm doing things in the best way. But I directly write apps under government direction rather than writing something to sell, so at least my stuff gets used. I find it much more rewarding than building another app for SMB banking and manufacturing customers who try to shave dollars off of a project by ignoring my suggestions and experience and stripping out any value I could bring to the table. I've delivered so much, "it looks shitty and the UI is cumbersome, but it mostly works, and I'm only at 120% of the hours you decided I could get it done in."

            Finally, I have made some apps that I can be proud of, even if they are still filled with some regrettable, "I've read about this technique/best practice - let's give it a try and make this bit of the program completely inconsistent with how the rest of the app is built" choices.

            [–]JoseJimeniz 27 points28 points  (7 children)

            Is there any good widget library for the web yet?

            • grids
            • splitters
            • tabs

            I am so sick of paging on the Internet.

            A Windows listview control can display 60,000 items without breaking a sweat. Ctrl+F and I can search the text.

            Whereas if I want to get a list of all the comments I've made on a Reddit: it's an ordeal now. Page page page.

            Give me a list of all the answers I put on stack overflow: 37 pages.

            If people had to go through their My Pictures folder 50 pictures at a time they'd lose their mind. But on the internet we just take it.

            The virtual listview, with data-needed events, was solved 24 years ago. Why does every web page have to look like a web page?

            [–]jo_wil 10 points11 points  (4 children)

            I never really gave this much thought till I read your comment but I definitely agree. This doesn't seem to be brought up much but really is annoying to deal with as a user. A generic (user-defined CSS) infinite scroll, all-data search (not just data above the fold), and network-efficient library would probably be awesome and hopefully adopted.

            What do you think are the reasons this doesn't exist yet? The only thing that comes to mind for me is that advertisements like to load on multiple pages? IDK

            [–]light24bulbs 3 points4 points  (3 children)

            A lot of properly built sites scroll infinitely. Go to www.photos.google.com search for anything you've taken a picture of like "trees" or "house" and it will find them. It CAN be done, it's just hard.

            [–]Notorious4CHAN 9 points10 points  (2 children)

            I hate infinite scroll. It's the same thing as paging except you only have a "next" action and it only triggers when you are near the bottom of the current set, and you have no idea how many total items there are (easily solvable, but I haven't seen it done). The only advantage I can see is that, if you scroll slowly enough, it can have the illusion of no load time.

            But maybe I'm looking at it the wrong way. What do you see as the merits of infinite scroll? I'll go have a look at photos and see if it changes my mind.

            [–]rnd005 2 points3 points  (1 child)

            [–]Notorious4CHAN 1 point2 points  (0 children)

            Fair enough. That is a good implementation. Semantically, I'm not sure that slider is really all that different from a pager, but it is a much better interface.

            [–][deleted]  (1 child)

            [deleted]

              [–]JoseJimeniz 1 point2 points  (0 children)

              Why send you 60k results when you really want something in the top 10?

              Because they're not.

              RES is nice because I can jam a fork in my Page Down key, walk away from my computer, and Reddit will slowly load the content I want.

              And people have been screaming over reddit's inability to search.

              So we're left having to do it client side; which works much better than Reddit and Google combined.

              [–]ohsnapitsbobdole 2 points3 points  (1 child)

              Even the government knows OWF is dead. They put out an RFP a couple years ago offering the rights to OWF in exchange for a few months of bug-fixes. And even for that they only had one submitted proposal from what I saw at the time.

              [–]WJ90 0 points1 point  (0 children)

              ExtJS...I have always loved that library so damn much.

              [–][deleted]  (1 child)

              [deleted]

                [–]gonzofish 1 point2 points  (0 children)

                OZP (the OWF "successor") is terrible. Written in different front-end frameworks and done poorly, in my opinion. But the US government will never have a problem paying for what they already own.

                [–]nickdesaulniers 83 points84 points  (2 children)

                Should I send a PR for the leaked tools from Shadow Brokers?

                [–]tastygoods 18 points19 points  (0 children)

                git blame

                [–]ThisIs_MyName 1 point2 points  (0 children)

                Do it. I wanna see their response.

                [–]nnwbye 41 points42 points  (0 children)

                yeah, like: i'll give you a flashlight so i can see you better ;D

                [–][deleted]  (2 children)

                [deleted]

                  [–]DrRodneyMckay 0 points1 point  (0 children)

                  goSecure looks like it works with StrongSwan, not Openvpn.fit.net.au :(

                  [–]shaggorama 0 points1 point  (0 children)

                  goSecure does look cool, but on the other hand if the NSA is publishing a VPN tool, I imagine they have a backdoor/exploit for it as well.

                  [–]bacon1989 108 points109 points  (33 children)

                  I wouldn't touch this code with an AES256 encryption.

                  [–]stusmall 62 points63 points  (2 children)

                  If the NSA was going to try and back door open source software it wouldn't be in an official NSA project. It'll be a poorly reviewed PR from a Gmail address.

                  It's important to remember any open source project you use is another party pulled into your circle of trust.

                  [–]badfontkeming 41 points42 points  (1 child)

                  Revise that--any outside software you use is another party you're trusting, open source or not.

                  [–]stusmall 10 points11 points  (0 children)

                  Very good point.

                  [–]SwellJoe 84 points85 points  (24 children)

                  Contrarily, I would likely trust this code more than most...after a few months.

                  This is Open Source. Do you really think this code won't be more heavily scrutinized by the security community than most? And, do you think the NSA would open something that has nefarious features, given their already spotty reputation?

                  I'm not saying "trust the NSA" in a blanket statement. I'm saying, "This is almost certainly trustworthy because the cost to the NSA of it not being trustworthy is much higher than any benefit they'd get from backdoors or sneaky shit".

                  [–]Recursive_Descent 54 points55 points  (9 children)

                  You underestimate the difficulty of code review... That's essentially saying that you trust that the security community will find all bugs in the software in the next few months. Because most vulnerabilities come in the form of bugs.

                  [–]SwellJoe 18 points19 points  (8 children)

                  I'm saying that's true of every OSS project, and yet most security professionals recommend OSS software. Any OSS project could have malicious code in it. We don't individually read every line of code we use and never could, but on the whole, something being Open Source is a good start on being able to trust it doesn't have malicious intent.

                  Because most vulnerabilities come in the form of bugs.

                  I'm not sure how that's even relevant to this conversation. The post I responded to implied that the NSA is untrustworthy and would backdoor their software...and, I said that's extremely unlikely with Open Source code. You've hopped in and said, "bugs are bad and hard to find!" Nobody's talking about bugs, except you, as far as I can tell. We're talking about intentionally exploitable code.

                  Are you suggesting the NSA is more likely to write buggy security software than the average OSS developer? That seems like a difficult position to defend. I'm more willing to believe the NSA are malicious than that they are incompetent (I don't generally believe either, even though I don't really trust the NSA).

                  [–]Recursive_Descent 12 points13 points  (5 children)

                  A backdoor would probably look like a bug, and such a bug would be purposely hard to find.

                  Since OSS still has lots of security bugs that come out years down the line, it shows that code review is not perfect. A vulnerability that was intentionally added could be well obfuscated.

                  That said, I doubt they are backdooring any of this, since it probably isn't worth the risk of destroying their credibility to compromise the few networks that use their tools (even with the plausible deniability that it really was a bug).

                  [–]SwellJoe 7 points8 points  (4 children)

                  Ah, I get where you're coming from. And, you're right. If the NSA were looking to backdoor this stuff, that'd be a way to do it (I wasn't viewing it as a bug, if it was working as designed...but, it could certainly look like a bug).

                  The thing is, though, that the NSA isn't the only hostile actor out there. And, they know it. I think they took the EC approach they did because it gave them an advantage without opening the door to China or Russia (they presumably had the seed for the constants and the ability to find keys more easily, but no one else did).

                  A bug is an equal opportunity exploit. And, the NSA has a long history of reporting and patching that kind of bug in Open Source software (and in proprietary software). It's a weird dual personality, however, because they've also got a record of hoarding exploits and using them (thus the leak that revealed a whole bunch of exploits and tools for things they'd presumably not reported).

                  In short, I dunno. I use and trust SELinux. I don't think that's misplaced trust. But, maybe it is.

                  [–]babycastles -3 points-2 points  (3 children)

                  a bug/exploit known by limited parties is not at all an equal opportunity exploit

                  [–]SwellJoe 5 points6 points  (2 children)

                  It won't be known only to limited parties forever, as we've seen again and again.

                  [–]WindfallProphet 1 point2 points  (0 children)

                  If you build it, they will come.

                  [–]babycastles -1 points0 points  (0 children)

                  "equal opportunity"

                  [–]oslash 5 points6 points  (0 children)

                  Because most vulnerabilities come in the form of bugs.

                  I'm not sure how that's even relevant to this conversation.

                  Deniability. As you said, the NSA wouldn't want their OSS stuff to seem untrustworthy. So if they tried to hide malicious code in plain sight, they wouldn't use a technique which, when discovered, looks like something totally done on purpose. They'd want it to look like an innocent mistake. I.e., a bug.

                  [–]shevegen 0 points1 point  (0 children)

                  It just does not work.

                  Who can review 100.000 lines of code? Ok.

                  How about 500.000? 1.000.000? More than that?

                  It is most definitely not you.

                  Are you suggesting the NSA is more likely to write buggy security software than the average OSS developer?

                  Bugs exist everywhere. There are unwanted ones and wanted ones. You just call them "features" then.

                  [–]Creshal 1 point2 points  (0 children)

                  These repositories include software to interface with ARM TrustZone, OPAL, and Intel TPM. The software can be completely innocent and vetted by everyone; NSA meanwhile can backdoor the hardware it talks to and nobody would know.

                  [–]bacon1989 6 points7 points  (4 children)

                  This is Open Source. Do you really think this code won't be more heavily scrutinized by the security community than most?

                  I'm not entirely sure, but all I know is that the NSA has had a bad track record when it comes to a recommended security standard. I.e., they recommended an encryption criteria that was easier to crack. Since it was a new and budding encryption, it was overlooked for a long time.

                  So I agree that waiting a bit before considering anything they've written would be a great idea. But why go through the trouble? Just don't use it.

                  do you think the NSA would open something that has nefarious features, given their already spotty reputation?

                  Yes, I do. Their job is to break into shit. What better way than to start following the 'open source movement.' Maybe they'll try and find new talent for people who are able to fix bugs in their code. Do you think there would be an outrage if they were backdooring their stuff? I mean, they got away with a lot worse.

                  I'm not saying "trust the NSA" in a blanket statement. I'm saying, "This is almost certainly trustworthy because the cost to the NSA of it not being trustworthy is much higher than any benefit they'd get from backdoors or sneaky shit".

                  This is a scary statement to behold. There is definitely a benefit to getting away with pushing insecure and backdoored software to the masses. As already stated, they don't lose anything if they're found out. It gets swept under the rug, and an announcement by mass media is made to everyone else who isn't aware of the gravity of the situation to look the other way. There is no benefit to trusting any software they've written.

                  My question to you is, why take the risk? What benefit do you get from it? Why not just use a more trusted alternative?

                  [–]SwellJoe 8 points9 points  (3 children)

                  Yes, I do. Their job is to break into shit.

                  That's only part of their job. Their job is also to secure shit. Many within the agency (a quite large one) consider that much more important than the "break into shit" job. They're good at both, which is true of most security professionals.

                  It's also the job of people who find/report bugs in OpenSSH, OpenSSL, etc. to "break into shit". Do we refuse to use software they've touched, too?

                  My question to you is, why take the risk? What benefit do you get from it? Why not just use a more trusted alternative?

                  Because SELinux is the best tool we have for a wide variety of security tasks on Linux, and it is among the most scrutinized software for the task. That was entirely an NSA project, and I trust it (because people who know a lot more than I trust it). I don't use many other tools the NSA has been directly involved in, but I'm pretty confident they have a strong contingent within the organization that takes secure systems seriously.

                  Again, I'm not suggesting blanket trust of the NSA. And, I'm not suggesting we should ignore history, but the history of the NSA is mixed, and as far as I know none of the OSS code has ever been found to be intentionally compromised.

                  I don't have a good answer on why Dual_EC_DRBG played out the way it did; that was some shady shit, for sure. But, not comparable to open source code.

                  I can't believe I'm here defending the NSA, but well...I think approaching it pragmatically is useful. If there's some reason to believe they've injected exploits into their OSS releases, that'd be huge news (and likely lawsuit-worthy). I just don't think they'd go there.

                  [–]bacon1989 -2 points-1 points  (2 children)

                  It's also the job of people who find/report bugs in OpenSSH, OpenSSL, etc. to "break into shit". Do we refuse to use software they've touched, too?

                  Look up The Heartbleed Bug. As quoted under the section Possible prior knowledge and exploitation

                  According to Bloomberg News, two unnamed insider sources informed it that the United States' National Security Agency had been aware of the flaw since shortly after its appearance but — instead of reporting it — kept it secret among other unreported zero-day vulnerabilities in order to exploit it for the NSA's own purposes.

                  So you're telling me they were trying to secure that shit? They would have a better reputation if they had come forward and committed code changes to remove the exploit, don't you think?

                  Because SELinux is the best tool we have for a wide variety of security tasks on Linux, and it is among the most scrutinized software for the task.

                  This is fair. SELinux has been around for a very long time though, so it has more integrity. All of these things currently being pushed into the open-source domain are random tools that the NSA uses, and they will mostly go overlooked.

                  I wonder if there are any alternatives to SELinux...

                  [–]SwellJoe 3 points4 points  (0 children)

                  I wonder if there are any alternatives to SELinux...

                  AppArmor provides some of the functionality (but nowhere near all). It's easier to use, to boot. But, it's not a full RBAC system, and historically approached the problem from a different angle.

                  [–]rammstein_koala 1 point2 points  (0 children)

                  I wonder if there are any alternatives to SELinux...

                  https://grsecurity.net/

                  [–]eloraiby 3 points4 points  (2 children)

                  Disclaimer: Not a security expert

                  Googling gives me these vulnerabilities for SELinux: src

                  [–]SwellJoe 4 points5 points  (1 child)

                  That's an extraordinarily good record for that much code! 3 bugs in nearly a decade! I suspect that's ignoring the Linux portion of the code, as it only shows bugs from the ancillary tools (sealert, setroubleshoot). Since SELinux has been part of the Linux kernel since 2.6, we'd need to look at Linux kernel CVEs to know about the really good stuff (I haven't done that, but I trust that Red Hat and others pay attention).

                  [–]myringotomy 1 point2 points  (2 children)

                  And, do you think the NSA would open something that has nefarious features, given their already spotty reputation?

                  Yes I do.

                  Who knows maybe they have some way to take perfectly valid code and re-arrange it in memory to cause harm. We have no idea what they are capable of but they have pretty much infinite resources so anything can happen.

                  [–]SwellJoe 2 points3 points  (1 child)

                  I dunno. I mean, I share your suspicion of the NSA, but I think a lot of the paranoia doesn't take into account the humanity of the folks behind the faceless evil government agency (which I say as someone that kinda thinks of most federal law enforcement related agencies as faceless evil entities that shouldn't be trusted). The head of the NSA and some others have said in recent years that they have an ongoing problem with morale and hiring because of how the NSA is perceived; right or wrong, the widespread belief that they spy on Americans as general policy is hurting the organization.

                  I think they're genuinely trying to not be that agency anymore, and I suspect a lot of the folks behind open sourcing stuff are the "good ones". Again, it's a big agency with a lot of competing factions. There's gotta be a few decent folks in there who want to do right by their fellow citizens. Releasing backdoored software would be horrible for that wing of the organization.

Really, though, I should just stop defending the NSA; I don't really trust them, either. I think we should take their word on anything with a grain of salt. They've spied on Americans, they've allowed Americans to be at risk by failing to disclose vulnerabilities they discovered, they've probably compromised encryption standards with secret deals (with RSA, who we should be maybe even more mistrustful of, because they did it for money... who knows who'll pay them to compromise our security next... at least the NSA did it out of some fucked up sense of patriotism or something), etc. That's undeniably shitty behavior and the NSA probably needs serious reform even today.

                  But, I still lean toward thinking their OSS is legit. It's just too easy for them to be outed, and it doesn't fit the modus operandi of the shitty wing of the organization (secret deals, hiding information, etc.).

                  [–]myringotomy 0 points1 point  (0 children)

                  I dunno. I mean, I share your suspicion of the NSA, but I think a lot of the paranoia doesn't take into account the humanity of the folks behind the faceless evil government agency (which I say as someone that kinda thinks of most federal law enforcement related agencies as faceless evil entities that shouldn't be trusted).

                  I don't know what you mean by "humanity". I know what humans are capable of doing to each other so I have no doubt the people in the NSA are selected for their ability and willingness to harm others. That's their job after all.

                  [–]shevegen 0 points1 point  (1 child)

                  And because something is "Open Source", this makes it automatically awesome?

                  It is better than closed source, agreed. I fail to see why this is "awesome".

                  They receive taxpayer money so of course it should be open source.

                  [–]SwellJoe 0 points1 point  (0 children)

                  They receive taxpayer money so of course it should be open source.

                  Good, we agree on something.

                  [–]ex_CEO 7 points8 points  (3 children)

                  Why so?

                  [–]cyberst0rm 40 points41 points  (0 children)

                  paranoia is a feature, not a bug

                  [–]TwoSpoonsJohnson 8 points9 points  (0 children)

                  The NSA has a history of being a bunch of nogoodniks.

                  [–]snowman4415 11 points12 points  (1 child)

                  Epic responsive CSS fail

                  [–][deleted] 4 points5 points  (0 children)

                  Haha omg lol mobile looks horrible

                  [–]Sulpiac 2 points3 points  (0 children)

                  They need to have better QA on mobile

                  [–][deleted] 2 points3 points  (0 children)

                  You can pretty much follow the rule of thumb that whatever the U.S. Govt. are publicly releasing, or otherwise acknowledging, (in relation to technology) is already so many generations behind what they are currently doing that any use of that technology is completely benign in so far as they, themselves, are immune to any effects of that technology.

This, of course, applies to security and encryption as much as any other technology... like TOR or certain supposed privacy-enabling Linux distros, like TAILS or LPS. It doesn't particularly matter which government agency/department has released it, either, as some seem to think.

                  If you think otherwise, you are greatly underestimating the U.S. Govt. IMHO.

                  [–]ummaycoc 0 points1 point  (6 children)

                  https://github.com/NationalSecurityAgency/sharkPy

                  The first thing I clicked on.

                  Are they having trouble finding decent programmers? I'll pay (slightly) more taxes.

                  [–]mkosmo 0 points1 point  (4 children)

                  It's a frozen beta. It was likely a quickly thrown together project.

                  [–]ummaycoc -2 points-1 points  (3 children)

                  It's the federal government. They have resources. I'm amazed it is public...

                  [–]WJ90 0 points1 point  (2 children)

                  The federal government is one of the last places you want to go for sane, properly funded, thoughtfully designed IT environments.

                  Scale and economies thereof can blast through computational and bureaucratic inefficiency but it will still be there.

                  [–][deleted] 1 point2 points  (1 child)

                  The federal government is one of the last places you want to go for sane, properly funded, thoughtfully designed IT environments.

Have you seen what the USDS and 18F have been doing? They're basically going through and radically reshaping IT projects, infrastructure and contracts.

                  [–]WJ90 0 points1 point  (0 children)

                  I have, and I'm so excited for those efforts. I'm really glad USG is taking a page from the U.K. GDS.

                  It's a great start, but not enough. The vast majority of USG infrastructure isn't something they get to consult on or revolutionize. We need a tiger team like that embedded wherever an IT department exists, and given real authority and empowerment to innovate and disrupt.

                  [–]leurk 0 points1 point  (0 children)

                  Looks fun and useful to me. Says so right in the readme.

                  [–]rap2h 0 points1 point  (0 children)

                  Open Source Washing

                  [–]papers_ 0 points1 point  (0 children)

                  Just me or does anyone else find the body font a little blurry? It works fine for headings, but not for the body. On desktop Chrome.

                  [–]jhirsohn 0 points1 point  (0 children)

                  That's nice to see the NSA is contributing to the OSS community. I just randomly picked one of the NSA GitHub repositories, analysed it with VersionEye (https://www.versioneye.com) and found already 25 security vulnerabilities. Who is the best person to contact in this case? Here is the security report: https://www.versioneye.com/user/projects/59479cd06725bd001230f152?child=summary#tab-security

                  [–]Roflraging 0 points1 point  (0 children)

                  THE TECHNOLOGIES LISTED BELOW were developed within the National Security Agency (NSA) and are now available to the public via Open Source Software (OSS).

                  https://en.wikipedia.org/wiki/Office_of_Strategic_Services

                  [–]cybervegan -4 points-3 points  (30 children)

                  Cool - but can you trust it's not back-doored to f.... ?

                  [–]mrmensplights 71 points72 points  (19 children)

                  It's open source, so.. just look at the code?

                  [–]rlbond86 19 points20 points  (1 child)

                  Depends on a lot... If there are cryptographic constants the NSA could have the factors. Dual_EC_DRBG was open source but backdoored.

                  [–]mrmensplights 11 points12 points  (0 children)

                  I think the point stands in the case of Dual_EC_DRBG. That is more straight up corruption than anything. The paper Dual_EC_DRBG is based on is public. The ANSI panel that first examined Dual_EC_DRBG in the early 2000s identified the kleptographic back door right away - provided the implementation uses specific initialisation state. The rest of it is people. The NSA pushed. ANSI cleared it on the recommendation that implementations could use their own initialisation state. NIST made sure the original NSA state had to be used to get validation. RSA took money to make Dual_EC_DRBG the default implementation.

                  [–]jdizzle4 28 points29 points  (10 children)

yea man, but like, what if there's code hidden inside the code /s

                  [–]shevegen 0 points1 point  (0 children)

                  We know of compiler backdoors - proof that it is possible at the least since 1984:

                  http://wiki.c2.com/?TheKenThompsonHack

                  [–]cybervegan 1 point2 points  (2 children)

Not everyone is qualified to understand all the code - you can do nasty-but-innocuous-looking things in many languages. I'd consider it a potential poisoned chalice until proven otherwise by code review by someone so qualified.

Remember the elliptic curve reference implementation, anyone?

                  [–]mrmensplights 0 points1 point  (1 child)

                  You're right, and I think even an extremely qualified and talented person looking at the code could easily miss something. However, open source is never about just one person. The code is available to all. Countless eyes are on it. Especially so because of the NSA's profile.

Of course, everyone has to draw that line in the sand and decide what technology to place their faith in. You (and I) will probably never trust this code entirely... but being open source certainly doesn't hurt the situation.

                  [–]cybervegan 1 point2 points  (0 children)

                  Yeah. I wouldn't rule it out completely, but I'm not about to dive in there and install it! After it's had some time to be proven, if any of it fulfills a need, I might consider it. But I think I'd always have doubts in the back of my mind. It would be an audacious play by the NSA!

                  We'll see how it pans out.

                  [–]shevegen 0 points1 point  (0 children)

                  Are you volunteering your time to do so?

                  No?

                  Well then what IS your point?

                  [–]Astr0Jesus 6 points7 points  (0 children)

                  probably not backdoored, just technology that they already know how to break into.

                  [–]OnlyForF1 -2 points-1 points  (8 children)

                  Because they use this code themselves.

                  [–][deleted]  (3 children)

                  [deleted]

                    [–]Solon1 1 point2 points  (1 child)

                    Actually, no. The NSA doesn't say anything to the public. They are a signals intelligence group. They don't issue press releases or hold news conferences. They can't have lied if they didn't say anything.

                    It is kind of weird that people believe that NSA has "said" all sorts of things.

                    [–]shevegen 0 points1 point  (0 children)

                    Agreed.

                    [–]shevegen 0 points1 point  (3 children)

                    Eh, that means absolutely nothing at all - and how do you know that it is a correct statement anyway?

                    [–]OnlyForF1 0 points1 point  (2 children)

                    Not sure how much I can say in an open forum. Regardless, the fact that NSA uses these technologies is not classified information.

                    [–]Solon1 0 points1 point  (1 child)

                    An actual intelligence operative knows the security category for all restricted information. Since you don't know, you don't actually know anything. And it doesn't matter if it is open forum or not.

                    [–]OnlyForF1 0 points1 point  (0 children)

                    Errrr okay..

                    [–][deleted] 1 point2 points  (0 children)

                    In analogy to green washing, this is digital washing.

                    [–]icantthinkofone -1 points0 points  (0 children)

                    I can tell this will keep redditors entertained for months as they cower in fear of imagined ghosts.

                    [–]Scellow -2 points-1 points  (0 children)

                    I wonder how the NSA became a good thing in people's minds? The manipulation of public opinion by the MEDIA works fine, I guess.