[NOISE][no-cripto-here]Re: Rumours of NSA breakin

Rabid Wombat wombat at mcfeely.bsfs.org
Tue Oct 29 14:20:44 PST 1996




On Tue, 29 Oct 1996 hallam at ai.mit.edu wrote:

> 
> Hi,
> 
> 	I've been hearing rumours of an alledged compromise
> of the NSA Web server but no hard evidence. The claim made is
> that several Mb of files were downloaded from the server and
> posted to the "Internet". I can't see it in sci.crypt or 
> alt.conspiracy though.

I have not heard this one, though every damn mailing list I'm on has 
people posting messages about "web servers being hacked" on a daily 
basis. Most of these have turned out to be "spoof" sites, like "nasa.com" 
instead of "nasa.gov." Big deal. Some nut even started posting the url to 
his "hacked nasa.com mirror site." Free advertising for a group that 
registers piles of domain names, and re-sells them.

I've set up a number of networks for gubmint agencies, and all but one of
these put their web servers on a completely different network with its own
feed to a commercial ISP, and no other link to any internal agency
network. If you look at the address range assigned to the web server,
you'll see that it falls within a commercial CIDR block and isn't part of
the gubmint agency's usual range. Many use "co-locate" sites AT an ISP,
and contract out the web server - it isn't on the agency network OR the
agency premesis.

If anyone does compromise the site, they won't get any proprietary info, 
can't use the systems to attack other "trusted" systems, etc. About all 
they do is prove the agency hired a less-than-thorough contractor to run 
the web system.

I would not be too concerned about threats to "National Security" 
regarding this alleged "incident."

In my experience, most of the agencies putting up web servers are fairly 
security aware and capable. The holes are generally elsewhere, on legacy 
systems set up ages ago, located at under-staffed locations still 
using systems installed and maintained by someone who retired (or died) 
years ago.

Just my $.02.

-r.w.







More information about the cypherpunks-legacy mailing list