Not Even the NSA, Ctd

Nicholas Weaver on Lawfare continues to report on the apparent breach of the NSA by hackers. He has some questions he’d like Congress to ask the NSA:

When did NSA become aware of the breach? The answer to this initial question affects the subsequent questions. Whether NSA knew about the breach in 2013 or shortly thereafter or whether the agency learned of it approximately when the rest of the world did, there are significant implications.

If the NSA was aware of the breach in 2013, why didn’t they contact Fortinet and Cisco?

If NSA only recently learned of the breach, what failed?

Nicholas has a series of good questions, but I’m a little curious as to why we think Congress will be asking these questions when they couldn’t be troubled to properly address the potential Zika outbreak – which appears to be slowly blossoming before our eyes.

I also found this interesting:

Further affecting the calculation as to whether these exploits should have been retained is the ease of exploitation. Although both exploits require a privileged location—namely having previously compromised a system administrator’s computer—the actual exploits themselves are easy to recreate—they are classic “buffer overflow” attacks of the sort that undergraduate computer science students learn to exploit.

The important point here should really be: how much longer will we continue to use error-prone computer languages in mission-critical systems? Honestly, buffer overflow attacks date back 30 years if not more, and we should really be using languages that simply do NOT PERMIT these sorts of errors to occur. This is like using humans to dig huge tunnels these days – it's a waste of the humans' time. Instead, you rent a tunnel digger and it does the job without risking human lives.

 


About Hue White

Former BBS operator; software engineer; cat lackey.
