NSA Develops USB Storage Device Detector
Hugh Pickens writes "Bob Brewin writes on NextGov that the National Security Agency has developed a software tool that detects thumb drives or other flash media connected to a network. The NSA says the tool, called the USBDetect 3.0 Computer Network Defense Tool, provides 'network administrators and system security officials with an automated capability to detect the introduction of USB storage devices into their networks. This tool closes potential security vulnerabilities; a definite success story in the pursuit of the [Defense Department] and NSA protect information technology system strategic goals.' The tool gathers data from the registry on Microsoft Windows machines (PDF) and reports whether storage devices, such as portable music or video players, external hard drives, flash drives, jump drives, or thumb drives have been connected to the USB port. 'I have a hunch that a bunch of other agencies use the detection software,' writes Brewin."
Wow. (Score:5, Funny)
Wow. Clever. Nobody ever thought of that before.
Re:Wow. (Score:5, Insightful)
Re: (Score:2, Insightful)
-1 Troll (Score:3, Insightful)
Oh, please. Like nobody else has ever created duplicate software before.
Yes, there are probably other utilities that do this. Maybe the NSA was unaware of them. Maybe they were incompatible with their legacy tools or infrastructure. Maybe they didn't do what the NSA needed.
And even then, sometimes it's worth a rewrite, just to make things better.
Re: (Score:2)
Is this an internal NSA MS boondoggle?
Are low level US gov secrets leaking via MS networks and physical access?
+1 Insightful (Score:3, Informative)
Re: (Score:3)
For that matter, you could probably homebrew a shell script that monitors the
Re:Wow. (Score:5, Insightful)
Because clearly the NSA started numbering this program at 3.0 just for the hell of it.
Re: (Score:3, Interesting)
$ ls -l /etc/udev/rules.d/99-mail-on-usb.rules
-rwxr-xr-x 1 root root 159 2010-04-13 21:23 /etc/udev/rules.d/99-mail-on-usb.rules
$ cat /etc/udev/rules.d/99-mail-on-usb.rules
ACTION=="add",SUBSYSTEMS=="usb",RUN+="/bin/sh -c 'who | mail root -s Insert'"
ACTION=="remove",SUBSYSTEMS=="usb",RUN+="/bin/sh -c 'who | mail root -s Remove'"
That's my version 1.0 and took almost 30 seconds to create. I don't live in my mom's basement though. :(
Re: (Score:2)
Arms race anyone? (Score:4, Insightful)
"USB Detect detects the use of removable drives"
"Shadow Drive evades detection by the following products"
"Latest USB Detect detects Shadow Drive use!"
"New ShadowDrive 2.0!"
Shit, the parent company of both products could make a killing! Hey wait a minute, is this another lame attempt to bring money in off the books for illegal ops?
-Steve
Re:Arms race anyone? (Score:5, Funny)
"USB Detect detects the use of removable drives" "Shadow Drive evades detection by the following products" "Latest USB Detect detects Shadow Drive use!" "New ShadowDrive 2.0!"
A strange game. The only winning move is not to boot Windows.
Re: (Score:3, Informative)
Or plug it in before booting ... since it detects drives as they are plugged in and unplugged.
Or boot linux off it, and load Windows in a vm if you really really need windows.
Re:Arms race anyone? (Score:5, Insightful)
Re:Arms race anyone? (Score:4, Insightful)
It must suck to be stuck using that old dot-matrix printer hanging off the Centronics parallel port. And that serial mouse - a null-modem cable will let me suck the data out of your box just fine. That old-style keyboard plug? Hate to have to buy a new keyboard ... and not be able to plug it in.
Re: (Score:3, Informative)
Or you can actually get data off the PS2 keyboard port if you really need to. You can send two bits with parity per transaction just by usage of the caps/num/scroll lock LEDs.
Might be a bit slow, but certainly is an interesting sideband attack...
Re: (Score:3, Informative)
Actually the printers are plugged in to _ethernet_ ports. On network switches, where their MAC addresses have been registered to prevent gangs of street kids from sneaking in their own bulky laser printers and connecting them to the office network because that's the kind of thing that they do now.
Not when the serial port has been disabled i
Re:Arms race anyone? (Score:4, Interesting)
It's trivial to re-enable a serial port that has been disabled in the bios. You can use debug to write to the bios data area under windows, or you can write a small program to do it for you. I used to reassign serial ports on the fly that way - 4 ports and 2 interrupts is not a good situation, but 4 ports and 1 shared interrupt IS good.
Your "bios blocked with an unremovable admin password" is also bs - while you sometimes have to open the cover and short out a couple of pins for a few seconds, sometimes it's possible to do it entirely in software as well - but you miss the point - the bios is read at startup, but I can monkey with it as much as I want afterwards.
also, serial cards are cheap. So are ethernet cards. So plug all the ports you want with epoxy, and people will still get the data out. Or they can just take a picture with their cell phone.
A notebook - even if you plug all the usb AND the card reader, my mini philips screwdriver will have the hd out in seconds - it's a LOT easier to remove and replace than a desktop. I'll also reconnect the wireless (it's just one wire, after all, and nowadays even if you rip it out it's field-serviceable and replacements are cheap). Pop the hd into the second drive bay on my laptop, make an image of it with dd, and I'm good :-)
If someone has physical access, you cannot stop them from getting the data if they really want it.
Re: (Score:2)
Or plug it in before booting ... since it detects drives as they are plugged in and unplugged.
Wrong. I've used the tool and it's nothing special. It just queries a range of computers and queries the registry keys for USB devices that the OS knows about, and whether they are currently plugged in. So as soon as Windows says "detected new device" then it's been found. It happens to detect SATA drives plugged in as well if they show up under "unplugged devices".
One trick for evading this tool is changing the registry permission on that key, but the tool will flag it as access denied. Still it was nice
Re: (Score:2)
All the good nuke stuff is never classically networked and only known by the US techs and the Russians who turn them
Re: (Score:2)
We did that. Now where's my Linux version of USB Detect please?
Re: (Score:3, Interesting)
Why not just do what we did? Create some udev rules so that anytime someone inserts a USB, instead of mounting it, the system silently logs the event and sends an alert. As far as the user can tell, the USB key just won't mount. And no, the users do not have root access to change this.
With some clever udev rules and a shell script, you can even record the make, model, and serial number of the USB key that was inserted.
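The udev-plus-shell-script approach described in the comment above, as an added example that is not the commenter's code. The rule file name and script path are hypothetical; the `ID_*` names are the properties udev exports for USB block devices.

```shell
#!/bin/sh
# Added example: udev hook that logs USB storage insertions.
# Hypothetical rule file /etc/udev/rules.d/90-usb-audit.rules:
#   ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", ENV{ID_BUS}=="usb", RUN+="/usr/local/sbin/usb-audit.sh"
# udev passes the device properties to the RUN program as environment variables.

# Descriptor strings are supplied by the device itself, so they are untrusted:
# map anything outside a small safe set to "_" and cap the length, so a crafted
# product string cannot inject newlines or extra key=value pairs into the log.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9._:/-' '_' | cut -c1-64
}

# field <value> -> sanitized value, or "unknown" when the device gave none
# (many cheap sticks report no serial number at all).
field() {
    v=$(sanitize "$1")
    printf '%s' "${v:-unknown}"
}

# Build one log record from the udev environment.
usb_event_record() {
    printf 'action=%s dev=%s vendor=%s model=%s serial=%s vid=%s pid=%s' \
        "$(field "${ACTION:-}")" "$(field "${DEVNAME:-}")" \
        "$(field "${ID_VENDOR:-}")" "$(field "${ID_MODEL:-}")" \
        "$(field "${ID_SERIAL_SHORT:-}")" \
        "$(field "${ID_VENDOR_ID:-}")" "$(field "${ID_MODEL_ID:-}")"
}

# Log only when udev invoked the script for a USB device; forwarding the
# auth facility to a central syslog host is left to the local syslog setup.
if [ "${ID_BUS:-}" = "usb" ]; then
    logger -t usb-audit -p auth.notice "$(usb_event_record)"
fi
```
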
Re:Arms race anyone? (Score:5, Interesting)
In order for the USB device to do anything, the host OS has to load the appropriate driver. Until it does so, you aren't getting anything other than 100ma at 5V(higher amperages quite possible, depending on the situation).
Getting the OS to load a driver without noticing that it has loaded a driver (and without the benefit of exploit code, since you don't get to access that until the drive is mounted) would be quite a trick. Assuming this monitoring software isn't completely braindead, the fact that a USB mass storage device has been inserted, along with any interesting ID strings, will have already been sent to a monitoring server before your filesystem is even mounted. Any tampering you do at that point will just introduce suspicious discrepancies.
Now, there is(for instance, I'm sure the suitably creative can think of others) nothing stopping a truly dedicated exfiltrator from obtaining the USB device and vendor IDs and so forth for the brand of keyboard used at that particular establishment, then building a USB device(using one of the common and inexpensive USB-capable microcontrollers) that presents exactly those IDs, and is thus detected as a USB-HID keyboard, rather than a USB-MSC device. They could then use the fact that the keyboard LEDs are under software control as a method of getting data off the system. At least on a unixlike, anybody with some basic script-fu could probably be piping arbitrary files off the system with xset led [computerhope.com] in about 10 minutes. Your custom USB device would have a slab of flash, which it would fill according to the LED commands it received. I don't know if there is anything equivalent on Windows.
Using tricks like that, you could probably get something of an arms race going(though, still, anything that involves doing suspicious program/script execution is going to get your ass busted in any reasonably paranoid environment); but for USB MSC stuff, it is only the pure apathy of the administration, or the fact that they recognize that mass storage devices are extremely convenient and beloved by users, that lets you get away with it.
Re: (Score:3, Interesting)
boot from USB drive with hypervisor that then boots the standard OS. Hypervisor presents the USB as a real hard drive or some other read/write non-removable device.
Re: (Score:2)
Unless the HDD is encrypted, allowing removable media boot means that anyone with physical access can tamper with the OS more or less freely. Overwrite hashes to gain local admin access, disable unwanted monitoring software, change permissions on files and registry objects, the works.
The hypervisor approach would be technologically impressive, if pulled off. Most off-the-shelf offerings either emulate a limit
Re: (Score:2)
Try typing 'dmesg' if you are using Linux - that will give you the kernel message logs.
There is also 'lsusb', which lists all USB devices, along with 'usb-devices'. There are other utilities which allow you to snoop on all USB traffic.
Whenever a device is inserted or removed from a USB socket, it generates a notification event which is logged by the kernel. It isn't going to be too difficult to have those events sent across the network to a central server, or to have a central server to poll each system for
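The kernel notifications mentioned in the comment above can be correlated per USB port before they are forwarded to a central server. This is an added example, not the commenter's code; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn kernel USB messages into one record per mass-storage attach.
# Usage on a live host:  dmesg | usb_storage_events

usb_storage_events() {
    awk '
    function port_of(f) { sub(/:.*$/, "", f); return f }
    function val(line) {
        # Drop the "usb PORT Label:" prefix, then neutralise device-supplied text.
        sub(/^usb [^ ]+ [A-Za-z]+: */, "", line)
        gsub(/[^A-Za-z0-9._-]/, "_", line)
        return (line == "") ? "unknown" : line
    }
    function get(a, k) { return (k in a) ? a[k] : "unknown" }

    # Strip the "[ 1234.5678]" timestamp so field positions are stable.
    { sub(/^\[ *[0-9.]+\] */, "") }

    # A new device on a port invalidates whatever was remembered for that port.
    $1 == "usb" && /New USB device found/ {
        p = port_of($2)
        delete vend[p]; delete prod[p]; delete ser[p]
        v = "????"; d = "????"
        if (match($0, /idVendor=[0-9a-fA-F]+/))  v = substr($0, RSTART + 9,  RLENGTH - 9)
        if (match($0, /idProduct=[0-9a-fA-F]+/)) d = substr($0, RSTART + 10, RLENGTH - 10)
        id[p] = v ":" d
        next
    }
    $1 == "usb" && $3 == "Manufacturer:" { vend[port_of($2)] = val($0); next }
    $1 == "usb" && $3 == "Product:"      { prod[port_of($2)] = val($0); next }
    $1 == "usb" && $3 == "SerialNumber:" { ser[port_of($2)]  = val($0); next }

    # Report only when the usb-storage driver binds; a keyboard never gets here.
    $1 == "usb-storage" && /USB Mass Storage device detected/ {
        p = port_of($2)
        printf "port=%s id=%s vendor=%s product=%s serial=%s\n", p, get(id, p), get(vend, p), get(prod, p), get(ser, p)
    }
    '
}

# Constructed sample: a keyboard, a flash drive, then a second drive on the
# same port that reports no strings at all.
sample_kernel_log() {
    cat <<'EOF'
[  101.000001] usb 1-2: new low-speed USB device number 3 using xhci_hcd
[  101.150002] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c
[  101.150010] usb 1-2: Product: USB Keyboard
[ 1234.567890] usb 1-1: new high-speed USB device number 5 using ehci-pci
[ 1234.700000] usb 1-1: New USB device found, idVendor=0781, idProduct=5567
[ 1234.700010] usb 1-1: Product: Cruzer Blade
[ 1234.700020] usb 1-1: Manufacturer: SanDisk
[ 1234.700030] usb 1-1: SerialNumber: 4C530001234567890123
[ 1234.710000] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 1300.000000] usb 1-1: USB disconnect, device number 5
[ 1400.000000] usb 1-1: New USB device found, idVendor=abcd, idProduct=1234
[ 1400.010000] usb-storage 1-1:1.0: USB Mass Storage device detected
EOF
}
```
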
Re: (Score:2)
In order for the USB device to do anything, the host OS has to load the appropriate driver. Until it does so, you aren't getting anything other than 100ma at 5V(higher amperages quite possible, depending on the situation).
You've never dealt with some motherboards that don't regulate the current at all, eh? I've had a few, including some Dells that just fed 5-volts with a 1-amp limit to all the usb ports regardless.
Getting the OS to load a driver without noticing that it has loaded a driver (and without the benefit of exploit code, since you don't get to access that until the drive is mounted) would be quite a trick. Assuming this monitoring software isn't completely braindead, the fact that a USB mass storage device has been inserted, along with any interesting ID strings, will have already been sent to a monitoring server before your filesystem is even mounted. Any tampering you do at that point will just introduce suspicious discrepancies.
This tool isn't a monitor. You run it and it queries computers, enumerating the drivers/devices that it knows about. It produces a list of computers, the vendor-ids/make/model of the usb devices that computer has seen, and if they are currently mounted.
Re: (Score:3, Interesting)
If they aren't, in fact, doing it right(and quite possibly
Re: (Score:2)
I've seen a number of PCs with a universal flash card/stick reader that is itself a USB device similar to a flash drive. I'll bet those things are gonna set off all the alarms.
You can send a ton of data to a device mimicking a Logitech G15 Keyboard, I would think.
Kinda silly I think, but I'm sure this will get very serious treatment in all sorts of pseudo-IT-security mags and blogs. Once again, I'm in the wrong goddammed business!
3.0? (Score:3, Insightful)
So if this is 3.0 can I assume they have had the tool for some time. Why are they bothering to tell anyone at this point?
Re: (Score:2)
They aren't. Someone leaked it.
Re: (Score:3, Funny)
They're actually running version 4.0, but don't tell anyo!7*0 ,.;
lno carrier
Re: (Score:2)
They aren't. Someone leaked it.
It's been available on several NSA and DISA websites for at least a few years. It's being freely given away to Federal agencies as a tool to help secure their networks (something NSA and DISA are supposed to be doing). Not exactly much of a leak, eh?
It's not hard to gin up your own version of this with a little wmi scripting.
Re: (Score:3, Insightful)
So if this is 3.0 can I assume they have had the tool for some time. Why are they bothering to tell anyone at this point?
Check out the comments on this article. They just need a quick dredger to go through and find out what additional security measures need to be programmed into 4.0. No need to do their own research, since they have a million know-it-alls at slashdot happy to tell them how they'd hack the NSA if they were to do it via thumbdrive.
Too easy to circumvent (Score:4, Insightful)
It relies on information from the OS. The OS is too easy to circumvent. For example, it doesn't report on whether or not the system has been booted from a USB device. Given that they are the NSA, maybe they have the luxury of making the assumption that USB boot is disabled and the BIOS is password protected?
Re: (Score:2, Interesting)
I looked into making a viable product like this a while back. You run into too many issues.
First you have to set up the bios on all machines to prevent booting off any device other than the hard disk.
Then you have to password the bios.
Then you need to put a physical lock on the computer to prevent someone from opening the case and resetting the bios.
If you manage to do this you then need a dope slap because you can always use ssh or even plain email to get files out. Then what about the occasion where you n
Re: (Score:2)
Re:Too easy to circumvent (Score:4, Interesting)
If you manage to do this you then need a dope slap because you can always use ssh or even plain email to get files out. Then what about the occasion where you need usb drives.
This is almost certainly aimed at preventing classified information leaks. Machines with classified information are not connected to any network containing unclassified machines, and definitely not the internet. Even if it were connected, sending that e-mail leaves a record of the transmission, meaning the spy can be easily identified.
USB drives are the most likely way to get info off a classified machine, which is precisely why they're forbidden. There is no legitimate occasion where a USB drive is needed in this case.
Re: (Score:2)
kind of pointless though, because there are still printers and pencils, and human memory if that fails.
Re: (Score:2)
easy fix:
http://xkcd.com/294/ [xkcd.com]
Re: (Score:2)
kind of pointless though, because there are still printers and pencils, and human memory if that fails.
If your employees are trying to violate your security, you'll never stop them reliably.
Instead you assume your employees are stupid and/or lazy. You make policies that when followed will prevent them from becoming a victim of social engineering or accidentally leaking info. Plus if thumbdrives are prohibited then the act of having a thumbdrive on you is a security incident that's pretty hard to explain.
Re: (Score:2)
You hit it in your last sentence. The NSA isn't concerned about booting from a USB device. For the system to be certified and contain sensitive information, the BIOS would have to be protected and USB boot would be disabled.
You have to take into consideration, the NSA isn't looking to keep out hackers. Well they are...of course they are...but they also know hackers are hackers and will find their way into a machine. They're looking to lock out and detect/prevent lay people from being able to put in a US
Impervious (Score:3, Insightful)
...because the Windows Registry is a secure source of information...
Re: (Score:2)
Because it's not trivially easy to prevent people from modifying the registry? Oh wait it is.
Re: (Score:2)
But if you monitor in real time, then by the time you can edit the registry you have already been busted.
Re: (Score:2)
A non-administrative user could not delete those registry keys.
Flaw? (Score:2)
Re: (Score:2, Troll)
does the NSA run completely on -gulp- windows?
You can rest assured that of all of the organizations on the planet this is one that will never be using Windows for its core mission. The tool is for the defense department dweebs, contractors, secretaries, suits, etc., where you expect to find Windows.
Re: (Score:2)
I log in, move the cursor, type, reboot, log in, move the cursor, type and over charge the US tax payer another million, then make coffee?
I did have a dream home and a consulting job waiting for me back home
I move the cursor, log in, move the cursor, type, reboot
I did have a family waiting for me back home
M
Re: (Score:2)
It runs on BSD too?
Re: (Score:2)
I thought the story was about Windows not Linux.
The problem is that now if you want to get into NSA's network (being an employee, I mean), you will HAVE to run Windows. Linux and OSX will be seen as security flaws because their program doesn't run in them. Now you have the NSA forcing all its employees that want access to the network to run Windows.
Re: (Score:2, Interesting)
The problem is that now if you want to get into NSA's network (being an employee, I mean), you will HAVE to run Windows.
Says who?
Linux and OSX will be seen as security flaws because their program doesn't run in them.
By whom? And with what evidence do you say so?
Now you have the NSA forcing all its employees that want access to the network to run Windows.
Really? Care to cite the exact policy where they have done so? And by "the network" what network are you referring to? If you say the Internet then you are really highlighting that you know jack and shit what you are talking about.
Re: (Score:2)
The problem is that now if you want to get into NSA's network (being an employee, I mean), you will HAVE to run Windows.
Says who?
Have you tried setting up SELinux? It being invented by the NSA is proof that NSA doesn't use linux. No sane person would want to use it.
Re: (Score:2)
My bad. The many announcements that 20xx is the Year of the Linux Desktop just sort of run together anymore.
Re: (Score:2)
Ignore them. Unfortunately, it will never happen, for the simple reason that the average user is lazy, brain-dead, and thinks Windows is the computer.
And her boss is even worse.
It's not even a question of there being "too much choice". The vast majority don't care. They're used to crap. Take it away from them and they're lost. They'd rather click through 10 screens to hit-or-miss change some se
Re: (Score:2)
Don't worry, you're still a dummy, since you don't know that "the year of linux on the desktop" means more than just you.
Re: (Score:3, Informative)
"I sense the force has a strong hold on this one, master!"
I see the Steve Jobs Reality Distortion Field claims another victim. Call me when I can buy a copy and install it on the hardware of my choice without Apple claiming I'm violating their license, even though I bought a full retail copy off the shelf.
Apple OSX is even more locked in than Microsoft Windows. Get over it, or I'll throw another chair at you!
Re: (Score:2)
You can't fight the system, man.
Useless Tool... (Score:5, Informative)
Since you can set the security policy on a domain to ban USB and External devices, and since you can also unplug a machine from the network this tool seems to serve little to no real world purpose. It might inform you after the fact if a device has been plugged in or heck even during, but by then you've just learned that you have configured your systems incorrectly and you will need to re-image your network either way.
Sorry if I'm being negative but Microsoft closed this "hole" a long time ago.
Re:Useless Tool... (Score:5, Informative)
Agreed. You can either change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor and/or deny anyone who is not an admin access to the following files in the NTFS %SystemRoot%\Inf\Usbstor.pnf and %SystemRoot%\Inf\Usbstor.inf and they won't be able to mount a USB drive... Password protect the bios and disable the USB storage there too.
Of course this only works for Windows, linux users and Mac users can simply be denied access to the device chain in /dev/
Re: (Score:2)
I think the point of this is to be used on computers where the users are not administrators, e.g. most corporate environments, in such case you couldn't edit the registry or install "USB Detection Blocker" software, etc.
I don't think there is anything wrong with this. Very useful for companies keeping data secure.
Re:Useless Tool... (Score:4, Interesting)
Re: (Score:2, Informative)
password protecting the bios does nothing unless you put a lock on the computer case. password resets are really easy to do on a bios
Re:Useless Tool... (Score:4, Informative)
I tested this extensively on WinXP SP2 for a hospital worried about HIPAA. These methods only work if the UsbStor key hasn't already been created. Once it's there you can keep plugging devices in and they will all install normally (new or old).
Under Vista and 7 there's supposed to be a new Group Policy that will prevent USB drives, but I'm not sure how it works.
Preventing USB use-- (Score:2)
I prefer 3 inch drywall screws.
They're system agnostic...
Re: (Score:2)
Re: (Score:2)
Well, since they are in the espionage business, maybe they want to trap whomever does it by making it possible to mount the drive but triggering a silent alarm.
Re:Useless Tool... (Score:4, Interesting)
Well, since they are in the espionage business, maybe they want to trap whomever does it by making it possible to mount the drive but triggering a silent alarm.
Not quite, the NSA can really be seen as two groups. The Data Processing NSA and the Anti-Network-Intrusion/Espionage & Policy NSA. But you are correct that they probably want the ability to determine and track before simply blocking all access.
I'm quite sure on the computer I'm at right now I could go hog-wild and do all sorts of things. Things that would be logged and flag my account/use as one to watch.
Re: (Score:2)
This is software being used by the NSA. It is much better in their opinion to detect espionage than prevent it.
If it is being done by a government employee, they can "execute" a "termination" of employment.
Re: (Score:2)
When a government employee is found to have gone over "execute" is such a strong word, its mostly hanging, multiple gun shot suicide or out sourced artistic home invasion.
Meeeeliionnns (Score:5, Funny)
5 or so meeeliionnns of well spent money....our brilliant govt at work.
filter driver??? (Score:2)
The "geniuses" at the NSA couldn't even come up with a filter driver to detect the connection in real time (and block access)? I worked at a company years ago that had such a tool commercially available. Sweeping the registry is sort of "after the fact".
On Linux, you could control users' (not "root", but if they've got local "root" access ...) ability to mount USB/Firewire/... removable storage with a simple change to the udev rules.
Re: (Score:2)
Maybe they think it's more valuable to identify what data was being smuggled (and by whom) than just blocking it outright. More to the point, since they've been using this for years, and since they created the specs for it, I'm sure it already does exactly what they want it to-- so why question it?
Windows already does this (Score:2)
And there are 100's of ways to monitor/report on windows activities as they happen.
This post... (Score:4, Informative)
Re: (Score:2)
Yup, that darn NSA never tells anybody about their stuff [nsa.gov] or lets them see how it works [nsa.gov]. Nosireebob.
Everyone is missing the point here... (Score:3, Interesting)
If you work for the government and you want to get a co-worker in trouble, go buy an iPod and plug it into his computer whenever he's away from his desk. The next time there's a security audit, he'll be taken to some windowless office, denying everything and not being believed.
Zen Endpoint Security for the win? (Score:2)
Good plan (Score:2)
Halfway to completing the suite, and offering a tool to detect and READ USB storage devices on networks.
NSA is nothing if not ambitious. Good job, guys!
If you have physical access to a machine... (Score:2)
The security game has already been lost.
Re:If you have physical access to a machine... (Score:4, Insightful)
The intent here is to make it more difficult for insiders to surreptitiously export data without going through proper security controls. This kind of argument always puzzles me. It's like you're saying that because there is no perfect security, we should therefore do nothing.
In a locked-down environment, a user with physical access to a machine may still have difficulty exporting large gobs of data. Transfer over the network may be difficult, and certainly is monitored. Data can be printed out, but this requires a printer, and a way to smuggle paper out of the facility without suspicion. A cell phone with a camera could be used to photograph a computer screen, but this is very low-bandwidth, and certainly looks strange to anyone happening to observe. A USB stick is easily hidden, easily plugged and unplugged, and can have a very large capacity. It's an important vector of attack.
Even without malicious intent, a user might decide for some reason that transferring data via USB stick is more convenient than another method. They may have good intentions, but the data still leaks onto the USB stick and you lose control over it. Just because something could be defeated doesn't make it worthwhile. And software which monitors connected machines for insertion/removal of media is not exactly hard to design. It doesn't cost you a billion dollars.
Re: (Score:2)
" It's like you're saying that because there is no perfect security, we should therefore do nothing."
This is the key. The biggest security risk is the lay person who uses the system on a daily basis, not the enemy. This is a key reason why credit checks are a regular part of gaining a security clearance. Most sensitive information leaks are from internal sources, not from enemy infiltration.
Yeah, I wrote one of those once. (Score:4, Insightful)
Management eventually figured out that if you couldn't trust the guys you hired, you were screwed from go. More effective to treat your employees fairly in the first place. We stopped installing the service on new machines.
Fun to write though.
eeeh... okay... (Score:2)
How is that different from group policy now?
(kick off usb storage drivers towards the stairwells, disable usb hubs)
I use my USB drive to fix security holes (Score:2)
I formatted it with a bootable Ubuntu installation image!
Obligatory xkcd reference (Score:2)
Obligatory xkcd reference
http://xkcd.com/463/ [xkcd.com]
Uh... Plenty of software to do this already... (Score:2)
The company I work for makes two different pieces of security/monitoring software that can both detect this.
It's not exactly a new thing...
Re: (Score:2)
The thing is, the software is useless to the NSA if they don't have full access to all of the source and no one else does. They have to make sure that there are no holes or security issues with the software and they have to make sure no one else has access to the software source to find potential security holes.
The fact that this software exists isn't any big news....big whoop, it's not really any amazing feat that hasn't been done already. The fact that the NSA has software for this that is approved is
So THAT'S what that means? (Score:2)
Re: (Score:2)
So you're one of those "network is the computer" guys or you misread/didn't read either of the first two sentences of the summary... I'm gonna go with "didn't read" on this one.
Re: (Score:2)
I suppose it's a coincidence that you posted that around lunch-time.
Re:Why only USB? (Score:4, Interesting)
USB just makes it easy to copy files off the system(assuming your environment hasn't already disabled that). Most modern corporate-issue computers let you shut off USB ports at the BIOS level, if you want, and you can block the loading of Mass Storage drivers or the mounting of unauthorized filesystems in any modern OS.
Re:Why only USB? (Score:5, Insightful)
Because DOD got pwned back in November 2008 when some schmuck used a thumbdrive to transfer files between the NIPR and SIPR networks, and they still haven't figured out how to fix the vulnerability.
Re: (Score:3, Interesting)
Yeah? Where's the OPSEC problem here? I didn't disclose specific details about how the network was compromised. Moreover, the incident took place 30 months ago, and it was strictly against regulations even then to use thumbdrives on the SIPRNet.
I'm all for OPSEC, but it shouldn't be used as a cover for someone's moronic behavior.
Re: (Score:2)
My jumpdrive happily fits into that internet hole on the HP swatch thing... never could get it to read though.
(No... I really don't miss late 90's tech support)
Re: (Score:2)
Re: (Score:2)
The US mil has had many people walk out with their data in hard copy and digital form.
Their "John May Lives" moments.
Some have been low level, some from good trusted families.
Re: (Score:2)
Is that what the government is wasting our tax dollars on these days? Detecting thumbdrives on networks? Come on, it shouldn't take the NSA to come up with something like this. I'll bet money that somebody has already written a piece of software to do just this. Even if they haven't there are loads of ways within Windows to watch and report stuff like this. I guess if they could upgrade it to work remotely on computers outside a network it might be useful (and if and only if, it gives specific details on the media and extends to other types beyond USB), but I don't really see the point on a network.
A few points:
Given it was developed in house, the NSA probably has done all the testing and certification needed to allow an install without having to jump through the purchasing / getting approval to use a COTS product. That alone is worth something, especially if you are installing it on classified networks (where it would be most useful).
TFA did not say what it does or how. Just that it's free to US government agencies.
As a tool, it allows you to determine who is doing what and watch for patterns that may
Re: (Score:2)
You raise interesting points, because if you have physical access to a computer, that's half the battle. In theory, they COULD lock down a computer so it can't be opened or tampered with, but that would just make everything a pain in the ass for IT to work on. Though, I'm sure the unions at those particular government facilities would love that.
Re: (Score:2)
What do you suggest? CP/M?