Spy Games: the NSA and GCHQ Offer Their Software to the Open Source Community
Spies worth their salt are generally expected to be good at keeping secrets. With dead drops, encryption, cyanide pills and the like, openly sharing useful information isn’t supposed to be a part of the job description.
So it caught more than a few of us off guard when a couple years ago, some of the top spy agencies began contributing code to GitHub, making it available to the masses by open-sourcing some of their software.
The National Security Agency, the American signals intelligence organization that is tasked with the majority of the cyber-snooping, has released two separate pages on GitHub. The first is the NSA's primary account on GitHub that has 17 listed repos, followed up by its more substantive “NSA Cybersecurity” page with its 31 repositories.
Even though the NSA appears to have been posting some of its software as open source since 2017, presumably a result in part of the effort from the US government to make more of the code produced by the USG available to the public, the agency made news in early January when it announced plans to release a new product to the Open Source community.
The software is called GHIDRA, and it has been described as a tool for reverse-engineering malware. According to reports, GHIDRA has been referenced in the past during the Vault7 document leaks and is available for use across all the major operating systems. Those who are curious for more information on this tool and how to use it can catch a glimpse at a demonstration that the NSA has committed to putting on at this year’s RSA conference.
However, with perhaps less fanfare, it would seem as though it was the Brits who first made the move to take some of their code open source. The British SigInt agency GCHQ released its first piece of open-source tooling with the Gaffer graph database back in 2015, beating the Americans by two years. At the time of writing, the good folks at Her Majesty’s cyber-snooping agency have 39 repositories on offer for all to try out, including one called the CyberChef, which is billed as the “Cyber Swiss Army Knife—a web app for encryption, encoding, compression, and data analysis”.
Your Open-Source Component If You Choose to Accept It
By the looks of their GitHub pages, these agencies’ software is generally updated pretty regularly, and some of their repositories seem to have pretty respectable stats of commits to back them up, albeit hardly competitive with any of the more mainstream types of projects.
I am sure that more than a few developers are probably wary of adding software produced by spies into their own products. The intel community has broken a lot of trust in recent years (Snowden, Eternal Blue and so on), so a rather lackluster adoption of the code that they are putting out should be expected.
They have also engaged in some top-level trolling as seen in exhibit A here below. Thank you, Rob Joyce, for all that you give us.
In statements surrounding the release of GHIDRA, the NSA has made noises about hoping that the Open Source community will help the NSA make its software better, fixing issues and improving code. This feels like a bit of a stretch, as I highly doubt the NSA is turning to the wisdom of the crowd to get a leg up on improving its software—although perhaps it should. If you thought that your organization had to go through a ton of regulations when it comes to managing its open-source risk responsibly, just imagine what it must be like for these spy agencies.
What is far more likely is that the NSA and GCHQ are actually doing something much smarter here. All government agencies, along with the industry at large, have had some serious problems when it comes to recruiting and retaining top talent. Lower pay, a more formal atmosphere and pesky drug testing all play a role in making government a less attractive employer for a lot of quality developers and cyber types despite the opportunity to play with some pretty shiny toys.
The hope here is that engaging with the Open Source community gives these agencies a way to reach out with some pretty smart PR. By making some of their less sensitive but still useful tools available to the public, the spooks are stepping out of their shells to meet the community. Moreover, developers love open source, since it lets them code faster and more efficiently, as well as providing an opportunity to be a part of a larger community.
Well played guys and gals. Well played. Whether it will pay off is another question, but the effort is a smart one. I guess we are going to have to see how GHIDRA pans out at RSA this year.
Searches for similar efforts by other SigInt agencies failed to turn up results, but we can probably expect to see the other Five Eyes opening up some of their code to the public in the near future.
The Other Side of the Coin
Not all those who post their tools to GitHub are developers dedicated to democracy.
I would be remiss if we left the Shadow Brokers, a hacking group long suspected to be connected to Russian military intelligence, out of our discussion of posting spy tools to GitHub.
In August 2016, the group posted to GitHub a series of exploits that were reported to have been stolen from the NSA. GitHub quickly deleted the links to the stolen code, citing that posting the pilfered goods was a violation of its terms of service.
The Shadow Brokers case is not the only time that the popular hosting platform has been used for storing various exploit tools. Seedworm, an espionage group that has been active in the Middle East, Af/Pak and Russia has been known to use GitHub for keeping their open-source attacking tools. Then there was the Hacking Team breach that had their exploit tools end up on GitHub, although I doubt that too many people were clamoring to defend those dudes whose business is hacking for hire.
There are a number of advantages to posting these dangerous tools on public repositories. First is that it allows different actors to access them without having to transfer them to one another directly. Second, it muddies the waters when it comes to attributing attacks to the guilty party. This is a tactic used often by criminal groups and other malicious actors like we saw in the Mirai botnet attacks. Sometimes the best camouflage is just hiding in the open.
While the good folks at GitHub have faced some heat for hosting controversial code, we as a community should perhaps not be so quick to come down on them for it. Allowing for the free flow of ideas and speech, and protecting the internet from censorship and repression can be a messy game.
If you consider Tor as an example, many forget that Tor was actually the invention of the US intelligence community, and that it's used by political dissidents and journalists around the world to circumvent authoritarian systems of control.
Sometimes you need to leave the public square open, even if you don’t like everything that pops up there, since you never know when the shoe will be on the other foot.
GitHub with its open platform allows developers from across the spectrum, white and black hat, to share code. Hopefully, we will continue to discover delightful contributions like those from the intel community and other interesting folks. Here’s looking at you Cozy Bear.