Former Spies' Dubious Claim: Release Of NSA's Windows Exploits Has Seriously Harmed National Security
from the protesting-a-bit-much dept
The Shadow Brokers' attempted firesale of NSA exploits didn't go well. After early leaks failed to pique buyers' interest, SB decided to start handing over the agency's hacking tools to the general public.
The most recent dump was the most interesting. It contained a variety of remote access exploits -- several of them zero days -- that gave NSA operatives "God mode" control over compromised computers with fairly-recent versions of the Windows operating system.
But they were of limited use. The most recent exploitable version was Windows 8, and every version still supported by Microsoft was patched before the SB dump, most likely as the result of a belated tip from the NSA. However, older operating systems without Microsoft support are still exploitable, and will remain exploitable until those systems are updated.
Now that most of the stash is out in the open, the Intelligence Community is able to do two things:
1. Determine who is responsible for the leaked toolset.
2. Complain about it.
The latter appears to be what's happening now. A few (anonymous) former members of the Intelligence Community are talking up what a horrible blow this is to the NSA.
Although digital exploits are used for spying rather than destruction, they allow operators to break down invisible doors, pilfering information. Seeing these latest tools published online was “devastating,” the former cyber intelligence employee said.
Three recently retired intelligence employees who worked on hacking tools for the government requested anonymity in order to speak freely about sensitive matters and to protect ongoing work and employability.
“By my estimation, there’s not much left to burn,” another former intelligence official who worked for several three-letter agencies told Foreign Policy. “The tools that were released were pretty critical.
Supposedly, this set of tools was worth millions of dollars to the NSA. If market prices in Bitcoin are anything to go by, criminals and foreign espionage agencies didn't appear to feel they were worth much more than a few thousand dollars. Of course, potential buyers didn't know exactly what they were getting. Others probably figured the exploits would be patched into irrelevance by the time they got their hands on them.
The "sky is falling" narrative tends to follow every leak of national security documents, starting with Snowden's, which damaged the NSA so much it's in better shape than ever. There may have been some valuable tools in the SB stash, but the moment they ended up in someone other than the NSA's hands, they became relatively worthless to the agency.
But what was released, however powerful, was outdated. The stash appeared to be a 2013 vintage -- valuable in its prime, but no longer quite as useful after Microsoft's forced migration of Windows users to version 10. The NSA is undoubtedly sitting on a stash of current exploits far more valuable than what it lost when someone left a bunch of hacking tools behind in a compromised server.
The public gnashing of natsec teeth also serves another purpose: it hopefully encourages surveillance targets to let their guard down a bit. By projecting the image of an intelligence agency fumbling around in the dark, the agency can very likely obtain a few new intercepts from careless foes it catches relaxing.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: exploits, hacking tools, leaks, national security, nsa, surveillance
Reader Comments
Subscribe: RSS
View by: Time | Thread
Slight problem with perceived value
[ link to this | view in thread ]
Two more things the Intelligence Community could do:
2: Explain why they did not buy the tools back in the firesale, just to take them off the market.
Any possible justification for keeping knowledge about security holes secret went out of the door the minute the tools were stolen!
[ link to this | view in thread ]
I agree up to this point. MS may have forced a lot of people to "upgrade", but it was nowhere near 100%. A very large number of those people either reinstalled a pre-Windows 8 version or found ways to by pass the "upgrade", especially when it was forced on people who refused it during the "free" phase.
I'd actually argue that if anything has decreased the US's national security due to these leaks, it's Microsoft's horrific handling of the Metro interface that's caused so many to avoid and reject its newer products. Few would have complained about the patching and security of Windows if it hadn't been so closely tied with the mandatory use of an interface so many people dislike.
[ link to this | view in thread ]
Re: Two more things the Intelligence Community could do:
How would buying digital tools from a digital marketplace take them off the market? Unless you mean bribing the leakers to take them off, but then how would you control the distribution of the tools by anyone who had already obtained them?
[ link to this | view in thread ]
https://arstechnica.com/security/2017/04/10000-windows-computers-may-be-infected-by-advance d-nsa-backdoor/
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Who is "The Nation"?
Because fundamentally if National Security is not about protecting the people, why is it that we keep funding the security theater? FISA, TSA, Homeland Security, militarizing the police, encryption back doors, the Patriot Act, the Patriot Act's younger brother the USA Freedom Act, etc, etc. None of this seems aimed at security for the people but more security and secrecy for the government and it's deep state allies to protect themselves from oversight and for self enrichment.
There was a law recently enacted (and repealed, unfortunately) that required Stock Brokers to work in the interest of their customers. We need something like that for Congress and all of the other branches of government and their agencies, that they be required to work in the interest of the people. Right now they are just working for themselves.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Damaged National Security
Once the vulnerabilities are known, the vendors / providers of affected software can patch those vulnerabilities making their software, and our nation more secure against hackers, including other nation states.
Given two conflicting goals, I would rather that our systems be more secure than our adversaries systems be less secure. Both would be nice, but if I can't have both, I would rather our systems be more secure.
[ link to this | view in thread ]
2nd letter
[ link to this | view in thread ]
Dear NSA and American Congress
You constantly hide and play in the shadows. You constantly make secret interpretations of law and emphatically and consistently disregard the Constitution in pursuit of your power & control.
As per the natural cycle there will come a time when citizens have grown tired of the lies, deceit, decadence, and disrespect. When that happens, your greatest enemy will be your own, you already know this because you are already preparing for it. And your preparations for it, will only ensure that it comes. As you tighten that grip, more will only slip through your grasp!
The ONLY lesson learned from history, is that no one learns from it! Especially Governments!
[ link to this | view in thread ]
Re: Damaged National Security
Can patch, yes. Will patch, not necessarily. As noted in the Techdirt article, and in some of the comments upthread, although Microsoft has released free patches to address these vulnerabilities on certain newer Windows OSes, they have not and will not address the vulnerabilities on older Windows that they deem to be "out of support" / "end of life." Additionally, Microsoft's general approach to patching is that if you want anything, you will take what they give you when they deign to give it, including any unwanted changes that they decide to pack along for the ride. You cannot get just spot fixes for vulnerabilities and keep everything else unchanged.
[ link to this | view in thread ]
Re: Who is
[ link to this | view in thread ]
How convenient
[ link to this | view in thread ]
hum
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
How about not creating (or paying to create) cyberweapons in the first place?
[ link to this | view in thread ]
Re: Re: Two more things the Intelligence Community could do:
[ link to this | view in thread ]
Something else not noted and carefully stepped around, is when Vista first came out, the hardware vendors could not come up to snuff on the requirements that Vista needed to run everything. Instead Microsoft downgraded early Vista to allow a "Vista Capable" that would run Vista at bare minimums.
I have one of those early machines. I've tried a couple of times to upgrade it to Vista II, only to have it lock up on reboot and never complete the booting sequence. Without Vista II you can not get the protection needed against these NSA tools.
So in essence, this article is correct. Much of the computing world isn't running Win 8 nor Win 10. The nation is at risk due solely to NSA's developing these tools and then when stolen did not notify the software makers to patch their holes. In this NSA is at fault more than anyone else.
[ link to this | view in thread ]
Here's a thought...
Maybe if they were so concerned about protecting the public they would have informed MS about the vulnerabilities immediately, as soon as they found them, so that they could be patched, rather than waiting years to do so, only when they realized that someone else had rooted through their toys.
Spare me the crocodile tears, the NSA doesn't give a damn about the impact on the public here, the only thing it cares about is that some of the toys it has are now less useful for it to exploit.
[ link to this | view in thread ]
Re: Re: Who is
Recently, there seems to be a contingent of numbsculls (or maybe it's just you?) roaming around here on TD that have decide to necessarily equate the term "Deep State" with some sort of Alex Jones'ish, tin foil hat, conspiracy theory. Please stop, you're making fools of yourselves.
While it's true that the term "Deep State" is often borrowed by conspiracy theorists to make some pretty dubious/unsupportable claims, the existence, mechanics, and motives of the "Deep State" itself is well discussed/documented/analyzed by some very reasonable and respected individuals (e.g., Mike Lofgren, C. Wright Mills, and Dwight Eisenhower). Not to mention, the Deep State operates in plain sight for all to readily observe if they care to look.
To use Lofgren's definition, the Deep State is "a hybrid association of elements of government and parts of top-level finance and industry that is effectively able to govern the United States without reference to the consent of the governed as expressed through the formal political process." Or Mills observation (circa 1956), "American power had become concentrated into three major divisions; the military-industrial complex, Wall Street, and the Pentagon."
So please do tell us, how does that not describe - nearly perfectly - exactly what we're seeing from our government and industry today?
That's not conspiracy theory son, that just looking out your window.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Another reason use freedom software OS
[ link to this | view in thread ]
Re: How about not creating (or paying to create) cyberweapons in the first place?
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
[ link to this | view in thread ]