Former NSA employee spoke about his experience in the center of the remote operations

by seo_worker » 2016-08-12 16:15:02

In the wake of recent IT conferences at which several former intelligence personnel spoke, the author of the BlindSeeker resource also decided to share his experience at the NSA, in the TAO (Tailored Access Operations) division. We present a translation of his detailed account, made by the guys from Digital Security.

The recent USENIX Enigma conference got me thinking about a couple of things. Especially this one guy who got up and polemicized about the work of TAO. That one, and another one who, by contrast, couldn't care less whether people know that he worked in TAO. I worked at TAO. I was an operative in the Remote Operations Center for over fifteen years. But before you think "Oh shit, he will be the new Snowden": to hell with that. I don't really like the idea of suddenly leaving in a black government SUV for an unknown destination, so don't expect any disclosure of top secret materials here. I apologize right away for any disappointed expectations. I will begin with a few words about the talk at USENIX and then walk through my own experience at the NSA.

Actually, I don't want to say anything particularly bad about Rob Joyce's talk. If more people followed his advice, life would be somewhat easier. The only thing I want to note is that the entire talk sounds pretty familiar. Where could I have heard it all before? Rob tells us nothing we don't already know or haven't already done. My general impression is that if it had not been an NSA representative cranking this hurdy-gurdy, the talk would have been pulled faster than you could utter the word "update". And if you don't have enough patience to watch the presentation, here are a couple of my takeaways from the talk:

the top 20 critical security measures are what he talked about throughout the speech (privilege reduction, segmentation, whitelisting, patch management and the like);
you need to install EMET as soon as possible;
NSM is incredibly powerful, which I predicted long before working at the NSA and which remains relevant to this day;
IAD (Information Assurance Directorate), the guys who are not tied to cracking your personal information, release good notes on strengthening the protection of systems. They are worth listening to.

I also thought that the impromptu comment about zero-days at 12 minutes sounded pretty funny. I remember the noise on social networks about some statistic showing that the NSA reports about 90% of the vulnerabilities it finds. More like a white lie, I think.

Let me draw you a completely hypothetical scenario. Let's say you have a fuzz farm (a set of machines running programs aimed at crashing software). Your task is to build several zero-days on the basis of these crashes. You are, of course, especially interested in vulnerabilities with RCE, but privilege-escalation vulnerabilities will do as well.

Now, the farm finds several vulnerabilities that offer neither RCE nor privilege escalation, only system crashes and/or denial of service (DoS). A DoS zero-day is of no special interest to a state-level APT (rather the opposite). So you report these vulnerabilities. Why? It's very simple: if you do not report them, there is always the possibility that they will be used against you (by hacktivists, by intelligence agencies of other states). In this case you get there first, and your own operations become significantly more secure because the problem gets patched. Either way it is a direct benefit for you and your reports. Not to mention the opportunity to show positive statistics saying that you report most vulnerabilities. Neat how it works out, isn't it?

My personal reasons for leaving the NSA are the insufficient pay compared to the private sector, the absolutely swinish way people treated each other (with some exceptions) and the government shutdown in 2013. Those are the main things, which I will gladly discuss further. But to keep you interested while you are still reading this, I'll also talk about other not-so-clean things at TAO that have nothing to do with classified information. If it helps at least one inexperienced, inquisitive mind reconsider its decision to work at TAO, I will consider my job done.

Let's talk about the process of getting a clearance, the SF86. So, the SF86 is a whole lot of unbelievable hell. You must enter your whole life for the last five years into a multi-page document: places where you have lived, people you knew while you lived there, where you went on vacation, and the like. Then comes the turn of private investigators, who visit you, your current employer, your friends, your family, and so on. Then a set of psychological tests. And further still, lie detectors come on stage. Yes, yes. We hand the final decision over to pseudo-scientific nonsense, whose outcome is easily contested and would not stand up for even a second in a trial, and which is supposed to prove your trustworthiness. In the end, this whole procedure took me more than six months, after which I was finally made a job offer. And that's not to mention the fact that all of this information ended up compromised.

I finally got the job offer (which is funny: at Defcon 20, the event from which Jack Moss, the fed, advised the rest of the feds to stay away). For me, the irony lies in the fact that it was my first Defcon. I was told that I would be sent for training. How long would it last? About six months. I am again compelled to omit the details, again because of the risk of a ride in the black jeep. Suffice it to say that it was very strict. However, to give you at least some idea and set you on the right track, I'll tell you about one remarkable episode during the training.

Once we were introduced to investigators already working at TAO, in the form of a small question-and-answer session. A hateful NSA version of "I'm an operative, ask me what you want". There were a few questions on various topics, most of which I have forgotten. But one was the most memorable: "What is the staff turnover among investigators?". One of them replied with a straight face: "About a year and a half. Some are transferred. Some leave the Agency. There are hospitalizations due to stress. There have been several suicides". The only thing that came to my mind at that moment was an inscription in large, burning red letters: "UH... Really? Are you sure this is what you wanted to tell us??". In general, for me it was the first warning bell that I ought to cut bait.

An incredible number of times I was told that if, while I was there, I wanted to attend conferences or anything like that, I needed to write a bunch of requests, justifications of need and requests for reimbursement, down to the last cent. And I wrote them. I thought, hell, surely all security conferences have direct relevance to our, ahem, direct activities. All my requests were refused. The official resolution always read: "Due to lack of funding". What was not stated: "the cuts in funding are due to the fact that the intelligence agencies and the GSA are doing stupid things." Despite this, of course, we had the funds to send General Keith Alexander to Defcon and Black Hat, but not mere mortals. Although, it would seem, this was directly related to our work. It all ended with me paying my own way to Vegas that year, which in turn did not save me from the horribly boring and wildly obligatory training about OPSEC and DEFCON (along the lines of: don't carry a "free hugs for the feds" sign and don't take part in the game "mark of the suit on the gait", that is, superanalog stuff that comes down to something simple: don't draw attention to yourself).

Well, now about the main thing, the elephant in the room, so to speak: the salary. Here is the link to this year's pay scale, which, as far as I remember, has not changed much. I was hired at level GS 11, which means pay of about $70 000. That is with experience as a sysadmin and several years of personal experience with NSM. Plus a premium for industry certifications, plus a small allowance for belonging to a particular state, and so on. Look at this. You will find that the average wage is 73 000. But the data presented is statistically invalid, because overall the list includes titles not directly related to cybersecurity. A bit of statistical analysis on my part. But keep in mind that I am not a mathematician or a data scientist. And the salary range for security analysts in the Maryland county also does not claim to be the absolute truth. As for the few items that are not related to cybersecurity:

SAP business analyst – $135 000;
students from Baltimore (don't have the slightest idea what this is) – $51 000;
social services analyst of Baltimore – $64 000;
public analyst – $51 000;
software analyst – $78 000.

Let's remove these positions. With the exception of "security analyst, Baltimore, $22 000", all the other titles imply an income of $80,000 or more. So the government underpays me by about 10 000, based on these data for non-senior analyst positions.

Now look at the data with the new average (for fun, even without removing the 22 000 position). The average for a security analyst / senior security analyst already reaches 99 000. A difference of almost 29 000. A small debunking of the myth that the government pay scale, together with the adjustment for local conditions, is based on the average figure for the region, isn't it? And that's only if you compare an operative's wages with those of a security analyst. You can also look at the salaries of security specialists and engineers... You will see a much larger gap. The moral of the story: the government continues to wonder why it can't attract and retain talent in the field of cybersecurity. And it is quite simple: it seriously underpays the very talent it is trying to keep. It is no secret to anyone that some firms actively poach infosec employees from TAO.

As shown above, wages in the Agency are quite limited. People predictably become greedy and sneaky when it comes to writing reports and performance indicators (and you are required to write progress reports and indicators twice a year; that is something I definitely will not miss), simply because you may stand between them and the next step up the career ladder. Simply put, government employees were completely unethical toward each other. Inconsiderate and immoral. They always had something more important to do than help you achieve your goals. I found that getting support on at least one of the tasks was absolute. The several times that I stuck my neck out and lent people a helping hand myself led to my being quite unceremoniously put down. On top of all that, nepotism is widespread inside TAO. A high percentage of candidates are recruited from colleges. These guys always wanted to work within their own circle and, of course, tended to pick favorites from among their friends and peers. The management could not care less as long as the goals.

At the same time, when employees were not squabbling among themselves, they concentrated all their efforts on the "green badgers". "Green badgers" are employees under contract to the Agency. As you may have guessed, a contractor could be identified by the green badge. The assumption was that in all cases contractors earned more than federal employees. Because of this the feds went out of their way to drag them through the mud, regardless of the nature of the problem and/or whether the contractor had any direct relation to it. I've heard stories that a bus driver could literally eat you alive for being 2-3 minutes late.

And if it is not enough that your own colleagues are trying to drag you down, on the other side there has always been an absolutely clueless management team. Since the beginning of my work in program development, I had few superiors. None of them could clearly explain to me what exactly I was doing every day, or at least how the day goes. There was so much office space that it almost caused physical pain.

Actually, I usually have no problem finding common ground with others without abandoning my principles just to be an asshole in the real world (I usually let off steam on Twitter). So I still managed to find a few friends in the Agency, thanks to whom I did not feel quite so deep in the sump (most of these people now work in other places). Besides, I must add that the experience of working with people who were not representatives of federal and military units was amazing. Excellent teamwork, coupled with a "just do it" approach and a top-marks portion of black humor, reconciled me with the work.

Now for my last complaint: the government shutdown (most likely this refers to the sixteen-day interruption of the government's work in October 2013; translator's note). Congress, in its infinite idiocy, refused to agree to the government's proposed budget. When that kind of thing happens, all public services are in limbo until the budget is approved. Yes, it affected us. We were ordered to go on leave without pay, indefinitely, without compensation. In short, "entertain yourselves as best you can". Around the same time my wife and I became the proud owners of a property. In addition to the mortgage I needed to pay other bills. Well, really, surely the question of the livelihood of thousands of people is not going to stop Congress from trying to start a stupid fight? Fortunately, the government shutdown was not as long as it could have been and as many had expected. Besides, we were paid for the period when we were in fact forced to sit without work. The funny thing is that Congress actually had to vote to return the money to us. And it could easily have said, "damn, we are not going to pay anything", leaving us out in the cold. In the end, they are Congress, and their only concern is their own accounts and money. They do not care about you personally or what you do for your country. For me it was the last straw. I decided that enough was enough and turned the page of my life.

I wrote down my opinion and advice for those who are new to information security and for those who may need these tips. It is a kind of hand-to-hand transfer of experience, experience which I gained myself, taking my own lumps. And my opinion on what you may want to do for your future. I have plenty of examples of people who came to me and said that from the moment they heard about TAO, they wanted to work there. And I did everything in my power to persuade them otherwise. In any case, the private sector pays more. In most places you will never be asked to get a clearance. In any other place, you will be able to make more friends. Not to mention the social aspect: the inability to discuss work problems because they are a matter of national security. Of everything I've seen, a lot I will carry to my grave and never discuss with anyone. These things were eating me up inside. Especially considering that on an extremely bad day you couldn't share any of this with loved ones.

Long before my participation in Defcon, it was widely believed that hackers and security professionals were better off not working "for the man". It is quite funny to watch how things have changed: now the founder of Defcon and Black Hat not only works as an advisor to the United States Department of Homeland Security, but has changed his mind on this matter to the complete opposite. I almost beg you to do otherwise. It is in your power. At least don't get involved with the Intelligence Community of the United States.

Posts: 767
Deposit: 0.005 BTC

Rating: 2

by kartman » 2016-08-13 04:27:40

Damn, that's a lot of letters

Posts: 427
Deposit: 1.04297732 BTC

Rating: 676