
The implication is that they're working directly with leakers. It's pretty hard to imagine that a PPT would be left on operational assets where tools are traditionally found.



Aren't we overlooking a rather more likely possibility here - that the NSA has itself been hacked? You're right, I see no reason why slideware would be sitting outside the NSA corporate networks and I'm sure they have various procedures to try and prevent exactly that. The two remaining possibilities are:

1. Another leaker who isn't Snowden

2. A third party who has gained access to the insides of the NSA

I don't see why we're apparently ignoring 2 in this thread. The Snowden leaks made it very, very clear that essentially nothing is unhackable. And it's not like the USA has a monopoly on hacking skill. What else do we know about the NSA? That they perform the largest WireSharking in history, they literally parse most of the internet with a giant collection of programs which I will assume are written in C or C++ for the sake of performance (though a lot of Perl seems to crop up for analysis purposes too).

What are the chances that the NSA have managed to build a huge network with hugely complex interfacing to the entire internet, and huge amounts of software, without opening themselves up to attack by equally sophisticated attackers? I'd say close to zero.


"Aren't we overlooking a rather more likely possibility here - that the NSA has itself been hacked?"

That's the most obvious one to me. I thought everyone assumed it until I saw some of these comment threads. If it's Russian, it probably goes back to Kaspersky tracking the Equation Group. They put together about everything about how they operated. Giving Russian intelligence this information combined with trip-wires or tip-offs on live activity by NSA hackers would let Russian hackers attempt to own their boxes. They could just work from there.

Alternatively, it could be the result of long-running infiltrations that the U.S. government has been talking about for decades. At various points, U.S. TLAs said China is throwing piles of spies at us in a numbers game whereas Russia was using (I think it was) 4x more than during the height of the Cold War. We also know they're easy to infiltrate and have terrible security since Snowden did and showed exactly that. Plus Manning just pulling everything they had from an Army private's account in the Middle East. The leaks could've come from infiltrators, too.

So, we have infiltrators, hackers via Kaspersky data (or similar), or insiders that for whatever reason want to humiliate them. Whatever Shadow Brokers say about themselves is just propaganda. They're one of the above with probably typical motivations of agents in those categories.


Back when the first half of this stuff was leaked, Snowden suggested that this was likely stuff left on an external machine that the NSA was using for staging and failed to clean up. I'd link the tweet but can't find it at the moment. Given the age of most of this stuff that seemed plausible.

Now that we've seen more than just tools and exploits leaked (powerpoints, other documents), that doesn't seem plausible anymore.


An interesting note on 1: back during the Snowden and Manning leaks, Bruce Schneier strongly believed that there was a still-unknown leaker because some of the data shouldn't have been available to the other leakers.

Not sure if these are related, but the latest round makes pretty clear that there's been either a new leaker or a serious attack.


You're not thinking of Brandon Bryant, who leaked details of Ramstein air base and that the illegal drone killing program is/was run from Europe?


I don't think I am? A quick look says he was identified in 2012, and Snowden started publishing in 2013. I'll have to track down the Schneier post to be sure of my dates, though.


I recall reading circa Stuxnet that the NSA had recruited criminal malware coders. In particular, that a notorious botnet coder was consulting for them. So I wonder whether some of their consultants left backdoors.


Strongest current speculation is that the NSA employee who was arrested late last year, Harold Martin, is the source -- but we really don't know. Apparently there were terabytes of NSA data at his home, which seems like a relatively likely source, but perhaps not -- he may have been benign and was only 'incidentally collected' in the hunt for the source.


I question this speculation. It seems to me that people start from the assumption that the NSA is unhackable and work backwards from there. There is no reason to believe this.

The NSA uses Windows like everyone else. There are multiple Windows 0day RCEs in this dump, which may not be all of it by far. All it'd take is to find a single Windows server that isn't properly airgapped - and the NSA TAO can't possibly be airgapped given that its job is to hack people over the internet - and you have a foothold.

The incentives for these intelligence agencies are all wrong and I think even if this particular dump isn't traced to a direct compromise of their network, it's bound to happen eventually. They've been operating on the assumption that all nation states work in secret, so even if they get totally hacked by their adversaries, the White House will never find out. However, their chain of command would definitely notice if they stopped sending intercepted intel up to them. This means they're strongly incentivised to hoard exploits even if they're sure their enemies know the very same exploits and even if they're sure they can't defend themselves.

The Shadow Brokers appear to have at a stroke invalidated the assumption of universal secrecy. These are people who have access to the NSA's most sensitive internal tools and documents, and are simply ... burning it all.


"The NSA uses Windows like everyone else."

Bingo! Well, a mix of Windows, Linux (esp. Red Hat), and Solaris (optionally with trusted extensions). All low-assurance operating systems with a history of 0-days plus current ones for at least Windows and Linux. It's not like they didn't know it was coming. The high-assurance field, including pioneers in INFOSEC, warned them over and over.

http://lukemuehlhauser.com/wp-content/uploads/Bell-Looking-B...

http://hack.org/mc/texts/classic-multics.pdf

https://web.archive.org/web/20040214043848/http://eros.cs.jh...

Bad news is they have methods today that work better that they could build on. They recently canceled them in favor of a new program with something like a 90-day evaluation. Something short. I remember reading the protection profiles to find the assurance argument required is EAL1: one so low we thought they'd cancel it. Things will only get worse.


It's more of an Occam's razor thing imo.

We are already aware of a guy who was arrested for having terabytes of classified info, who worked for TAO. I'm not sure how it would have gotten from Martin to the (presumably Russian) Shadow Brokers -- maybe he was paid, maybe he was hacked -- but it doesn't seem like a staggering leap to make.

Certain politicians aside, exposing TS networks to the internet is not only difficult inside an organization that 'lives in the dark', it will get you severely reprimanded if not fired from your very well paying job, and possibly scuttle your ability to remain cleared and continue your career. Classified networks are designed from above so that, as much as possible, this isn't an issue, and I'm certain it's only intensified since Snowden.

I'm not saying by any means that it's an impossibility that they were hacked, but I don't see any reason at all to favor that conclusion. Like I said, Martin worked for TAO, the source of everything the Shadow Brokers have released. Why would you come to the conclusion that they were hacked vs. an already known, very likely source candidate?


So why is the NSA leaking all this shit? What's the leading theory on that? Is it like just get it all out there, just to preempt an eventual leak? Maybe see who picks up this stuff and uses it? Mislead the other side on the capabilities, which are actually far superior to the few things which have been released?


If we do buy into the fact that the NSA is behind the leaks, it would most likely be in response to some sort of loss-aversion or negative leverage play. i.e. they want to severely devalue these assets on the black market.


"So why is the NSA leaking all this shit. "

It would be insiders who oppose what's going on, Snowden-style, or plants from a foreign intelligence service.



