NSA Opens GitHub Account, Lists 32 Projects Developed By the Agency

An anonymous reader quotes a report from The Hacker News: The National Security Agency (NSA) -- the United States intelligence agency which is known for its secrecy and working in the dark -- has finally joined GitHub and launched an official GitHub page. GitHub is an online service designed for sharing code amongst programmers and open source community, and so far, the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are "coming soon." "The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace," the agency wrote on the program's page. "OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community's enhancements to the technology." Many of the projects the agency listed are years old that have been available on the Internet for some time. For example, SELinux (Security-Enhanced Linux) has been part of the Linux kernel for years.

Not the first

[blueg3]

FYI, they've had things on Github for a while. Just maybe not under the NSA name.

Re:

[Frosty Piss]

I'm sure there are a few of the CIA "incubator" businesses that have stuff on GitHub.

By-the-by, is Sorceforge not a thing anymore?

Re:

[Anonymous Coward]

Sourceforge is a very nice Ad platform.

Re:

[Antique Geekmeister]

Sourceforge had occasionally proven useful if developers insisted on using Subversion rather than Git based source control. I'm aware of several projects that use it in order be able to sync single directories of upstream project code, rather than having to mirror an entire project locally. But the much cleaner and less overwhelmingly ad based interface to the github or gitlab web interfaces is an enormous timesaver over Sourceforge's pages where over 90% of the screen space is pure advertising. I'm also af

Re:

[blueg3]

Probably, but that's a completely different organization.

Re:

[Dan East]

You must be referring to encryption algorithms and commits to help out projects like OpenSSL?

Re:

[tlhIngan]

Not just that, but perhaps the NSA has infected a lot of Android phone and Linux PCs.... perhaps you heard of SELinux?

SELinux is enabled (mandatory) on a lot of Android phones, and it's in practically every Linux distribution... more so than say, systemd.

May want to consider whose security "Security Enhanced Linux" really improves then. They got the tinfoil hat wearing, non-Windows running crowd too!

Re:Not the first

[TheRaven64]

If you want a much better conspiracy theory, consider that there's a whole category of exploit related to null pointer dereferences that was only made possible by SELinux. Either the NSA didn't think about it when they wrote that code, or they intentionally introduced something that made it possible to compromise the systems from a self-selected group of people who care about security.

Re:

[Anonymous Coward]

Can you explain which extra type of NULL dereference vulnerabilities SELinux exposes that wouldn't be exploitable without?

SELinux has some functionality to prevent mapping low pages, which makes exploiting NULL pointer dereference vulnerabilities harder: http://cateee.net/lkddb/web-lkddb/LSM_MMAP_MIN_ADDR.html

Re:

[blueg3]

I mean there are a lot of open-source software projects relevant to their interests that are conspicuously lacking in attribution. REDHAWK, for example.

Honeypot ...

[CaptainDork]

... just sayin'.

Re:

[Sarten-X]

Eh... not so much. The NSA only makes the tools for a honeypot. Actually deploying them is a CIA job.

Then again, the CIA could be running the op, using the NSA as a cover...

Re:

[CaptainDork]

Because the NSA is restricted by jurisdiction, competency, ethics, and the ability to protect its cyber weapons and stuff.

Oh, wait ...

Re:

[TheRaven64]

Almost 5% of all IPv4 addresses are FBI honeypots? I find that quite hard to believe somehow. Unless you're counting IPv6 addresses in that number and they're all in one /64...

Re:

[TechyImmigrant]

>CIA is primarily humint and SAD operations.

They use jet lag as a weapon?

Re:Honeypot ...

[AHuxley]

More hearts and minds. They have to find new staff. In the past it was at the very best US/UK universities.
In the very distant past even draft and national service "tests" got used to find low level staff with useful math or language skills.
Now its all about social media, conventions and been online.
The other method is to set up long term educational efforts but other nations/cults/faiths tend to notice such public efforts and flood such courses with their own long term agents.
The mistakes of using new contractors or just trusting people from good universities have been understood over the decades.
So now its social media and the internet to find and attract skilled, loyal, hard working staff.
Vetting has to be perfect every generation hired or 1930's UK staff issues return. Other faiths, cults, nations will just game the out reach efforts with computer skills and needed languages.
East Germany would often place the most low level staff into West German gov/brands. Decades later it was expected that they could rise up to be middle or upper management.
Other nations have learned from the US need for skills, translators and have taken note of a lack of real vetting due to domestic political considerations.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[CaptainDork]

Let Mikey prove it. He'll prove anything.

I'm not going there.

Of course they do

[DivineKnight]

"The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace..." while they are actively engaged in technology transfers from both our allies, enemies, and neutral parties to the US...

Surprising number of German innovations become available to American businessmen, even before German researchers fully publish their results. God Bless America.

Re:

[Plus1Entropy]

Surprising number of German innovations become available to American businessmen, even before German researchers fully publish their results.

Never heard of this before, although I wouldn't be surprised either way. Any notable examples?

Re:

[__aaclcg7560]

Become legit and sell on eBay.

Re:

[__aaclcg7560]

Don't you mean "content creation" and sell trash poetry on deviant art.

Here's a couple of free poetry books that published my haiku poems. Enjoy!

http://www.chuffedbuffbooks.com/wp-content/uploads/2014/03/Final_KIGO_SEASONAL_WORDS_Issue1.pdf [chuffedbuffbooks.com]
http://www.chuffedbuffbooks.com/wp-content/uploads/2014/09/Final_KIGO_SEASONAL_WORDS_Issue2.pdf [chuffedbuffbooks.com]

backdoors

[ghoul]

Who is going to verify that a module you pull from github and use in your code does not have NSA backdoors? Now NSA no longer needs to send its employees to work at Microsoft to write backdoors - all they have to do is convince lazy programmers to reuse NSA modules with backdoors built in and I mean lazy in the best sense of the world - after all, all progress is the result of laziness. If everyone was hardworking we would all live in caves, walk everywhere and rub sticks to start fire.

Re:backdoors

[MangoCats]

Since it's on GitHub, presumably as source, but even some binaries could be analyzed... That would be quite the feather in a White Hat (or Black one for that matter), exposing the NSA backdoor in a supposedly secure module. Plenty of people out there with too much time on their hands and an interest in exposing things like that.

Re:

[GuB-42]

Because it is done under the NSA name, and given its reputation, it is likely to become the most audited code on the planet.
Should they plant backdoors, they should probably do it undercover.

Re:

[LifesABeach]

I've already emailed them asking if they have any public domain stuff for AI. We'll see what happens next...

Late to the party

[nickovs]

The British information security services, GCHQ, have been posting interesting and useful stuff to GitHub [github.com] for a while. In fact if you want to do interesting analytics on graphs with annotations to both arcs and nodes they have released some pretty neat tools, and they're not just useful for finding terrorists on social networks.

Re:

[AHuxley]

All part of a long term political plan to attract any workers.
The UK worked really hard after the many 1930's-1970's security issues.
By the 1970's they had finally worked out how to attract staff, keep staff and ensure staff stayed loyal.
New efforts are more about party political requests to just hire more staff. Any applications have to be considered. Staff to be considered on topics other than security, merit and loyalty. Security issues might again not be a reason not to give someone a job in the

Why would I ever...

[thedarb]

Why would I ever contribute to a spy agency who spy's on it's own people?

Re:

[schleimkeim]

Oh, so you're one of those guys with standards and values huh. That's considered weird nowadays.

Wikileaks ?

[dbateman]

And I thought Wikileaks was the preferred source of NSA source code !!

D.

NSA has had code on GitHub for ages as themselves

[dell623]

See blog entry: https://puppet.com/blog/nsa-re... [puppet.com]

https://github.com/NationalSec... [github.com]
https://github.com/SIMP [github.com]

A great and extremely useful project by the way.

1) If you're a 'tech journalist', make some minimal effort to get facts right (like you know actually looking at dates on the GitHub org page), at least in your fucking headline.

2) I hate this reductive 'anything with the word NSA in it is bad' reasoning. Open source is open source, and useful code is useful. GitHub is full of cool stuff from organizations

We're cool now, right guys?

[e r]

No, fuck you, NSA. You're not our friend, you're not cool, you're not hip, you're not edgy hacker bad asses, you're just plain assholes. Fuck you. Apology not accepted.