1996-10-29 - [NOISE][no-cripto-here]Re: Rumours of NSA breakin

Header Data

From: Rabid Wombat <wombat@mcfeely.bsfs.org>
To: hallam@ai.mit.edu
Message Hash: fc8f3384ce320935cabfc675a7bafacfc755ead62e6d81c332f4a3852f72da6b
Message ID: <Pine.BSF.3.91.961029155328.15195B-100000@mcfeely.bsfs.org>
Reply To: <9610291723.AA05462@etna.ai.mit.edu>
UTC Datetime: 1996-10-29 22:20:44 UTC
Raw Date: Tue, 29 Oct 1996 14:20:44 -0800 (PST)

Raw message

From: Rabid Wombat <wombat@mcfeely.bsfs.org>
Date: Tue, 29 Oct 1996 14:20:44 -0800 (PST)
To: hallam@ai.mit.edu
Subject: [NOISE][no-cripto-here]Re: Rumours of NSA breakin
In-Reply-To: <9610291723.AA05462@etna.ai.mit.edu>
Message-ID: <Pine.BSF.3.91.961029155328.15195B-100000@mcfeely.bsfs.org>
MIME-Version: 1.0
Content-Type: text/plain




On Tue, 29 Oct 1996 hallam@ai.mit.edu wrote:

> 
> Hi,
> 
> 	I've been hearing rumours of an alleged compromise
> of the NSA Web server but no hard evidence. The claim made is
> that several Mb of files were downloaded from the server and
> posted to the "Internet". I can't see it in sci.crypt or 
> alt.conspiracy though.

I have not heard this one, though every damn mailing list I'm on has 
people posting messages about "web servers being hacked" on a daily 
basis. Most of these have turned out to be "spoof" sites, like "nasa.com" 
instead of "nasa.gov." Big deal. Some nut even started posting the url to 
his "hacked nasa.com mirror site." Free advertising for a group that 
registers piles of domain names, and re-sells them.

I've set up a number of networks for gubmint agencies, and all but one of
these put their web servers on a completely different network with its own
feed to a commercial ISP, and no other link to any internal agency
network. If you look at the address range assigned to the web server,
you'll see that it falls within a commercial CIDR block and isn't part of
the gubmint agency's usual range. Many use "co-locate" sites AT an ISP,
and contract out the web server - it isn't on the agency network OR the
agency premises.

If anyone does compromise the site, they won't get any proprietary info, 
can't use the systems to attack other "trusted" systems, etc. About all 
they do is prove the agency hired a less-than-thorough contractor to run 
the web system.

I would not be too concerned about threats to "National Security" 
regarding this alleged "incident."

In my experience, most of the agencies putting up web servers are fairly 
security aware and capable. The holes are generally elsewhere, on legacy 
systems set up ages ago, located at under-staffed locations still 
using systems installed and maintained by someone who retired (or died) 
years ago.

Just my $.02.

-r.w.





