[Cryptography] Equation Group Multiple Malware Program, NSA Implicated

ianG iang at iang.org
Fri Feb 20 07:37:56 EST 2015


On 20/02/2015 11:02 am, Arnold Reinhold wrote:
> On Wed, 18 Feb 2015 11:58 ianG wrote:
>> The insider theft has always been a huge difficulty.  But the NSA is
>> more a victim of changing circumstances than any huge laxness.  A
>> scratch list:
>>
>>    * They haven't had a major spy case in years.
>>
> The Bradley (Chelsea) Manning incident in 2010 should have been more than enough warning to the NSA. Manning siphoned off vast swaths of SIPRNET content with little effort, not that different from what Snowden did more than 3 years later. How much of a heads up does the world’s largest information security agency need?


2 heads (up) it seems :)

> The reliability equation is in play here. Say a system has N components any one of which failing will cause an overall system failure. It could be links in an anchor chain or in this case trusted employees. If each employee is 99% reliable how big does N have to be for a 50% probability of failure? Answer 69 employees. If the vetting process is 99.9% reliable, N goes up to 692 employees. With thousands of people having access to highly classified information and easy ability to copy it, a leak is inevitable. Maybe it was only sysadmins at NSA who had access and the tools to copy without being noticed, but how many of them did NSA have?

Yes, precisely my point.  The organisation is so large that this has to 
be a statistical thing.  And as they have offended their people's 
constitution and other sensibilities, the statistics lean against them, 
not for them.

> Did NSA conduct a lessons learned security review after Pvt. Manning? If so, I’d love to know what actions were recommended and which were carried out.

3 years is not a long time to roll out a change of the size needed to 
stop a Pvt. Manning episode, in an org the size of the NSA.

Dragging this back to security and the use of cryptography to protect 
the assets of the corporation and its clients.  To channel a recent 
perceptive comment

    "our people are security cleared, it's your software we don't trust"

it is the case that people are a risk as much as software is a risk, and 
a balanced approach is needed.  Hot crypto is nothing without 
people-aligned architecture and behaviour.

The NSA is under attack from within.  It will likely respond.

USA corporations are under attack from without.

Yet, they are less likely to respond.  Have any?  I'm happy to help 
people work through that, but the first thing to understand is:  you are 
under attack [0].


> It’s great fun to read all the juicy details of NSAs activities, but the government's inability to keep anything secret should be troubling too. Think about nuclear weapon design software.


Postgrads with physics PhDs know how to build bombs, but it hasn't 
caused a problem as yet.

What's far more troubling is the friends they keep and the friends they 
share those secrets with.  And the enemies of the friends and the 
friends of the enemies and the enemies of the enemies of the friends of 
the friends...

"No foreign entanglements" makes sense, and it isn't the morals.

iang


[0] http://wiki.cacert.org/Risks/SecretCells/ThreatsAndAssumptions


