I am regularly asked what is the most surprising thing about the Snowden NSA documents. It’s this: the NSA is not made of magic. Its tools are no different from what we have in our world, it’s just better-funded. X-KEYSCORE is Bro plus memory. FOXACID is Metasploit with a budget. QUANTUM is AirPwn with a seriously privileged position on the backbone. The NSA breaks crypto not with super-secret cryptanalysis, but by using standard hacking tricks such as exploiting weak implementations and default keys. Its TAO implants are straightforward enhancements of attack tools developed by researchers, academics, and hackers; here’s a computer the size of a grain of rice, if you want to make your own such tools. The NSA’s collection and analysis tools are basically what you’d expect if you thought about it for a while.
–Bruce Schneier on the surprising mundanity of the NSA.
Honestly, this isn’t all that surprising. I mean, it’s boring, but it’s not that surprising; most (all?) network security architecture is built around assumptions of attackers not being able to get access to something, from your password right up to TAT-14. The fact that this is possible to circumvent by anyone who’s able to think, ironically, not like a security researcher is not a new concept.
And this isn’t even going into the fact that, for the most part, all the NSA does to get data a hell of a lot of the time is just walk up to companies and ask for it.
It’s sort of sad. Because the INFOSEC community really is hanging out for The Magic. The Magic has been whispered about for years. The Magic was what we were promised when we started out. It’s the idea that there must–there just must–be some kind of James Bond-ish bank of supercomputers decrypting everything on the fly with the might of their 1337 Hax0r Skillz. Somewhere. There must be. If not in our organisation then surely someone else’s. Because the truth of this industry? The truth is it’s actually kinda boring. It isn’t rappelling down the roof and haxxing the HTTPs in the firewall. This isn’t Hollywood. A good 90-99% of all INFOSEC is dealing with one group of people fucking up and another group of people exploiting that fuckup.
No magic, in other words. Only people.