Trove of Stolen Data Is Said to Include Top-Secret U.S. Hacking Tools (nytimes.com)
159 points by tucif on Oct 20, 2016 | 77 comments



> "F.B.I. agents on the case, advised by N.S.A. technical experts, do not believe Mr. Martin is fully cooperating, the officials say. He has spoken mainly through his lawyers"

As is his right and what every sensible entirely innocent individual in his position should be doing. If the government (at any level from civic to federal to international) arrests you for any crime with serious charges, it is ABSOLUTELY the most prudent thing to communicate solely through your lawyers.

There is too great of a risk of being convicted due to doubt and natural human inconsistency otherwise.

For anyone that doubts how even the most innocent person can be convicted for not heeding this advice, there is a hilarious and content-dense lecture on the subject: https://www.youtube.com/watch?v=ZGgKLgVNfAo


100 percent agree. If you're speaking through your lawyer, you are cooperating. Never ever speak to law enforcement without a lawyer there to explain the law to you if you've been charged, or sometimes even if you're being questioned, about a crime.


It's not clear (to me) whether the "through his lawyers" comment is intending to convey the reason the FBI doesn't believe he's cooperating. It could just as likely be setting up the next sentence which says the lawyers declined to comment.

If the "through his lawyers" comment was explaining the FBI's level of belief, it should have been stated more explicitly. I kind of doubt it though -- local law enforcement might be suspicious of someone who lawyers up, for the FBI, it must be pretty much standard (or at least not unusual).


Would be cute if a foreign country passed an analogue to JASTA [1] making the United States responsible for damages resulting from its developing, and keeping secret, tools for the exploitation of security vulnerabilities in civilian software.

[1] https://en.wikipedia.org/wiki/Justice_Against_Sponsors_of_Te...


What would those damages consist of? The only material impact I can think of is the apparently U.S.-developed Stuxnet program.


Cost of the incident response and remediation can easily be millions for a large corporation.

The malware on that Belgacom server has probably required them to scrub all of their email servers and more; that can't be cheap.


Look at how US prosecutors pile on the cost estimates in hacking cases.


Indeed. "We had no idea security was a thing until you broke in, so now we're counting the cost of giving a shit going forward as damage you inflicted."


Stop. Stop. I can only take so much excitement!


What is the point of this comment? It provides nothing to the conversation. Try to be constructive in the future.

For instance elaboration on why you like this idea, etc would at least give people something to discuss.


This comment provides even less to the conversation.


Sorry, I was trying to offer constructive feedback in case the person I was responding to was actually not trolling.

His comment is valid, I suppose, but only with added context. Hence why I suggested: "For instance elaboration on why you like this idea, etc would at least give people something to discuss."


As far as I'm concerned, the NSA are the enemy - so props to anybody who can poke a stick in their eye. I just hope this guy doesn't wind up in Guantanamo for the rest of his life.


What is interesting to me is that even super security gurus at NSA can't contain their most sensitive data (well, maybe tools aren't highest level?). At some point I think we need a better security strategy than trying to stop data from leaving, and more about how to make sure data is useless outside of its domain.

edit: I say that now in retrospect that security and freedoms of data seem always at odds. DRM being a keen example. Just wish we had better options..


> and more about how to make sure data is useless outside of its domain.

This explains why most enterprise applications and platforms are a nightmare to work with. This class is called "UserView", oh but you see comrade it actually does not have any view or user; in fact its sole purpose is to be compiled and thrown away, nevermind the JIRA issues for bugs in it. Everything is "business logic", "business specific"; no one who hasn't been at the place for 3-5 years can understand that this is not actually what it says it is.

This kind of feature was called before JCR, "Just for Curious Russians".


I would like to see a massive effort in research and development of unbreakable encryption, privacy tools, and general security.

Everyone, the NSA, rest of our government, all governments, all citizens of the world, all businesses should be protected. If we just spent a small percentage of what we spend on endless wars for profit, then I think we could mostly reach these goals.

I would like to think that we could still catch and prosecute criminals, and I include terrorists when I say criminals, without violating rights to privacy and our general rights.


DRM is about neither security nor freedom.


But the more secure we make our devices, the more opportunities we create for them to be locked down. One person's security update is another's anti-jailbreak patch. Trusted computing can be used to protect against malware and to block users from saving Netflix streams.


I disagree with the notion of a computing system being “secure” in absolute terms, without reference to what the user wants to do with it. A system is secure if it's unlikely to compromise the integrity and/or privacy of information the user deems sensitive, which of course varies from one user to another.

Without reference to a specific user, all you can talk about is a computing system being restricted or unrestricted, and I don't want my computing devices to have restrictions imposed by someone other than myself.


DRM is surprisingly security oriented, if you think about it: the premise of DRM is not trusting the user, which is more extreme than most security models (allowing the user root/admin access to the OS is antithetical to not trusting the user).


DRM is more about who has the keys, than security itself.


Much of the base terminology of DRM comes from the military, and it involves the generals "back home" being able to trust that a computer out in the field, containing sensitive data, will not allow non-authorized personnel, never mind the enemy, to access said data.


Modern computer security is all about who has the keys.


Just like a steel door, when somebody else has the keys, you are not secure - you are imprisoned.


It's funny. People get all excited about homomorphic encryption, which is basically DRM with a mathematical proof.


Because it works both ways. I can send my data to a server and have it do things to it without ever actually knowing it. You can't let me watch a video without letting me watch a video.


I think it's dependent on what the data is. We still haven't seen the JFK files... I'm guessing they were smart enough to only keep physical copies of that.


Uhm, per his story, he was working for "the enemy" and took his work home so he could get better at it. Shouldn't you be angry at someone so diligently working to harm you?


Well, I don't think we really know what happened yet, but yes, you have a good point IF that is the case. I have to admit, I let my own biases creep in and was probably assuming he leaked the stuff intentionally.


> F.B.I. agents on the case, advised by N.S.A. technical experts, do not believe Mr. Martin is fully cooperating, the officials say. He has spoken mainly through his lawyers, James Wyda and Deborah Boardman of the federal public defender’s office in Baltimore.

It sounds like they're just mad that he didn't confess immediately, instead of doing the smart thing of having a professional handle everything. Do they really expect someone to cooperate gladly when repercussions could be severe?


Yes. They're the FBI. They're not used to people exercising their rights.


The 2 FBI people I've known both had law degrees.


So does James Comey and he's a complete idiot.


That extraordinary claim requires extraordinary evidence. Can I assume you are also a lawyer?


Extraordinary claims don't require more evidence than other claims. A more accurate statement would be, "claims I'm skeptical of will require convincing evidence for me to be swayed." The "extraordinary" part makes this razor less useful, as if there were more than one category of evidence and one of them simply wasn't good enough for you.

Comey continues to advocate for backdoors in order to stop ISIS from being able to radicalize marginalized people within the US without them being able to listen. However, there are two obvious problems with this.

1. Why don't you just reach out to the marginalized yourself? Spend that $1M you paid to break into an iPhone on combating Islamophobia and ISIS will have a tougher job.

2. What is to stop ISIS from using software written outside the US, or software they write themselves, or versions of software older than the mandated backdoors, or open-source software, or... on and on and on. His plan transparently will not work. To quote Schneier, "His problem isn't encryption, it's general purpose computers and a global market for software."

That is stupid.


I didn't say they don't know the law, though.


Lots of people have degrees and still make mistakes, or push a personal/company motive that isn't in line with their training at school.


Yes. Because in many cases, suspects don't properly exercise their rights, and they usually end up acting to their own detriment.


It seems like contractors are a massive attack surface for the DoD. I do wonder why they gave a clearance to someone who was apparently a hoarder. If collecting things that interest you in a compulsory manner doesn't suggest to you that this person might be abused by foreign powers, but marijuana use does, your secrets will flow like water.


The government has all sorts of pay guidelines on what people can make, which makes it near impossible for them to retain talent. Most of the NSA guys I know put in 18 or so months, then go to Booz Allen and get contracted right back to the department they left at 4x the pay (one guy even got his same desk back).

Every time someone points out the "why'd they give a clearance to X person" argument, I point out that there are close to a million people with security clearances. No screening system is perfect, but for something being run by the government it is pretty damn good.


It's roughly 5 million people. The number fluctuates, but way more than 1 million people have US government issued security clearances.

http://www.defenseone.com/business/2015/04/number-security-c...


I contract for many large state and federal agencies.

For better or worse, contractors are easier to hire and fire for the federal government. That gives them more budgetary flexibility. You can also hire people and companies that specialize in the specifics of the project quickly through established contracting channels with established reputations.

Contractors are also able to legally bypass red tape and bureaucracy required of federal employees. For instance, if I was directly employed by one of my clients I would be severely limited in the toolchain that I use and I wouldn't even be allowed admin access on my development machine (despite having it on multiple servers which are orders of magnitude more sensitive). If I was their employee, every time I needed to install a Java update I'd have to call up IT, sit on hold, and explain to them exactly why I need to install this update, etc. I've had it literally take a week of futzing around with bizarre errors (from the crazy policy settings and restrictions on the laptop) on hold with some poor schmuck at a national level helpdesk four time zones away who has zero experience with programming, trying to get a dev environment set up on a government laptop, which would have taken literally an hour on a computer I have local admin access on. I would rather be waterboarded than do that again. Contracting and having our own rules saves literally unending amounts of pointless bullshit. Many things would probably never get completed internally because of situations like this. Of course those contractor advantages cut both ways when considering security.

In OP's situation I'm not sure him being a contractor makes any difference. Either kind of employee can take a usb stick home and transfer stuff to a compromised PC. A contractor or employee may have gotten their clearance a long time ago and unless they have some kind of regular unannounced random inspection of their home you'd never know if they were a hoarder. And if they never caused or were involved in a security incident in the past there would probably be very little desire to bother shaking them down. I'd say problems in this category may be worse internally. I've met many husks of people in government positions who have been there for decades and are completely unemployable. What's worse is they can't be fired easily like a contractor so as long as they show up sober 9-5 they never leave.

Not saying it's a good situation. The contractor knowingly and clearly broke laws, policies, and rules. I annually have to take record keeping and security courses and quizzes to maintain access to the network. I am sure the contractor implicated here had much more stringent requirements than I have due to his clearance level. Thus this guy's screwed, and his company is screwed too, legally too. Lord knows this guy can't pull strings at the DoJ to save his ass like some people from recent memory.


What I find astonishing is that these machines have working USB ports at all. And even if there are some external media connections like a DVD burner or USB, wouldn't it make sense to at least hardwire them to some tamper-resistant logging device that records who used them and when?


You have to trust your employees at some point. If he was writing code he also could have written back doors to access and download it from somewhere else.


I'm certain I remember hearing about the military at least filling USB ports with epoxy at one point after the Manning leaks.


This has been SOP in certain places for a long time.


As an outsider looking in, it seems like there have been a lot of DLEs due to contractors though. There's the obvious example of Snowden, but also the QinetiQ breach (https://www.bloomberg.com/news/articles/2013-05-01/china-cyb...). Moonlight Maze might be a counterexample.


I think that's because most of the people doing the work are contractors. Not because of some notion of contractors being less secure/loyal/honest/organized than gov employees.

For one federal organization I work for, literally everyone I work with and talk to at all levels seems to be a contractor except for a couple of people. The ratio is at least 20:1 contractors to federal employees. As for why this is, it's mostly related to the reasons I mentioned in my wall of text.


I agree, I never meant to imply that I thought contractors were less loyal. I appreciate the depth of your responses and hope I haven't given offense.

There are just so many of them that it projects the attack surface of the DoD out; now you can attack contractors which aren't as tightly regulated, and they might hire people to, say, build their website that aren't even cleared. So now I can steal some web dev's credentials and pivot towards classified networks.


No offense taken. And yes, external contractors can pose additional security vulnerabilities since they are not always under the same security policies on their own machines. I know that some departments are changing things so all work must be performed on government equipment with government source control on internal networks. If my client does this I will definitely quit. I am already pretty burned out on the work (their policy is all internal projects must be in ColdFusion).


Don't they have random searches? When I went to HMGCC for an interview (at Hanslope Park) a couple of years back there was a sign up saying that you could be searched on entry and exit.


Ever hear a plastic Wal-Mart shopping bag referred to as a "cloaking device"? Also, in some places, items that are banned when referred to by their proper names are allowed when they are instead called "contractor equipment".

The problem is that the level of control required for actual security prevents people from being able to do their jobs effectively. And if no one can get anything done, there's nothing to secure. So this leads to an environment where everything is oversecured by default, and bypassing the nominal level of security is simple, easy, and commonplace--sometimes even expected.

For instance, you don't have local administrator access on your workstation. But you have Visual Studio and its debugger, and can compile and run any source you can type in. You also have physical access to the machine, with its 5.25" removable-media drive. It becomes faster and easier to reimplement an unzip utility from a printed spec than to get 7zip installed on your machine. And the hand-rolled utility probably has a larger exposed attack surface than the open source program.


He must've hidden it in his Rubik's cube.


Not where I work. Also, random could mean once every 10 years. I use a laptop and take it home every night. Unless they banned users from taking everything with them (phones, keychains, etc.) there's not much a random search would accomplish.


I know people who worked at places where taking a phone with a camera in it into work was verboten.

And for high security places, why on earth would they allow people to work on laptops that are taken home every night, an obvious security risk?


Indeed. I worked in a secure environment for about 4-5 years, and we couldn't bring our cellphone (of any type) or any other electronics/storage devices/etc. into work. In fact, while working there I had surgery that required me to lug around a medical device 24/7 for a while. And because the device had an exposed USB port, I wasn't allowed to return to work until after I no longer needed it. That took roughly 1 month.


Well, we don't even work onsite. I write my code on my company laptop, test against a sanitized database on my company's network and whatnot, then commit to my company's source control. Then I pick up my government issued locked down laptop, VPN in, remote desktop to the server across the US and svn-update.

I am not dealing with TS stuff here. There are files on the government network which are confidential and having access does require a clearance, but I don't actually work with confidential data directly.


Apple are well known for being ridiculously paranoid about products being leaked before their announcement, so much so that at one point they put eye-height frosting (not the cake type) on the glass walls to stop people accidentally looking in to the factory floor.

My bag was checked once in the 5 weeks I worked there, on the way in. The passwords I created for their new servers (containing metrics from the factory's build and test processes) were at one point walking around Cork in their admin's wallet. I used my own laptop (because OSX, bleugh) plugged straight into their corporate LAN.

But they did have a room which was out of bounds.

Nobody gets security right, however "high security" they think they are.

Oh and let's not get started on what the MoD thinks it's achieving in its immigration office.


collecting things that interest you in a compulsory manner vs marijuana use

The key difference to the government is hoarding can be perfectly legal while marijuana use requires you to participate in the black market.


Which is a pretty flimsy reason to believe an adversary might find leverage against you. But hoarding is a force multiplier in the adversary's favor.


I think it's more about willingness to participate in black market activities makes you untrustworthy in the government's eyes.


So, basically, it looks like there's a reasonable probability that this guy isn't the leaker.

I know that if I wanted to actually blow the whistle on somebody like the NSA, I would make sure to plant the evidence on somebody else to give them a juicy target to latch onto.


How principled of you to ruin someone's career and let them spend the rest of their life in prison.


I turned down working for the NSA so I wouldn't even be in the position to have to worry about things like that, thanks.

We should be talking about the fact whistleblowers need legal protection. The current treatment of whistleblowers leaves those who wish to defend the principles of the country no good options.

We should also be talking about how easy it is to frame someone and have them found guilty. The fact that we both have zero problem believing that it's that easy to set someone up should be terrifying.


With all sorts of current issues, I wouldn't be surprised if the poor guy was the fall guy. Heck, the guy was part of an elite team for the NSA and at some point you have to take your work home so you can finish it after dinner or over the weekend. Given the circumstances the story doesn't add up looking at it from a software perspective, to say the least.

If he was the one (with full proof) trying to sell secrets then I won't blink twice.


The Shadow Brokers are still active online. https://www.reddit.com/r/DarkNetMarkets/comments/57le5u/thes...

However nothing in the message proves that it was written recently.


Have any of you checked if the same secret key was used to sign the original and this message?
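The check asked about above, whether a new message verifies under the same signing key as the original release, is straightforward to express in code. The following is an added example, not code from the thread or from any party it discusses; it uses Go's standard-library Ed25519 in place of PGP, and the keys, message bodies and fingerprint format are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedMessage bundles a message body with the signature and public key it
// arrived with, playing the role of a clear-signed PGP block.
type SignedMessage struct {
	Body []byte
	Sig  []byte
	Pub  ed25519.PublicKey
}

// Fingerprint returns a short hex digest of a public key, standing in for the
// PGP key fingerprint an analyst would compare across releases. (Constructed
// format: the first 8 bytes of SHA-256 over the raw key.)
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Sign produces a SignedMessage over body under priv.
func Sign(priv ed25519.PrivateKey, body string) SignedMessage {
	return SignedMessage{
		Body: []byte(body),
		Sig:  ed25519.Sign(priv, []byte(body)),
		Pub:  priv.Public().(ed25519.PublicKey),
	}
}

// SameSigner reports whether candidate verifies under the public key that
// signed reference. The key attached to candidate is deliberately ignored:
// anyone can attach a fresh key, so continuity is established only by
// verifying against the key already trusted from the earlier release.
// A tampered body or a signature from a different key both return false.
func SameSigner(reference, candidate SignedMessage) bool {
	if !ed25519.Verify(reference.Pub, reference.Body, reference.Sig) {
		return false // the reference itself is not a valid anchor
	}
	return ed25519.Verify(reference.Pub, candidate.Body, candidate.Sig)
}

// DemoKeys returns two deterministic, constructed keys so the example is
// reproducible: key A is the "original" publisher, key B an unrelated party.
func DemoKeys() (ed25519.PrivateKey, ed25519.PrivateKey) {
	seedA := bytes.Repeat([]byte{0x01}, ed25519.SeedSize)
	seedB := bytes.Repeat([]byte{0x02}, ed25519.SeedSize)
	return ed25519.NewKeyFromSeed(seedA), ed25519.NewKeyFromSeed(seedB)
}

func main() {
	keyA, keyB := DemoKeys()
	original := Sign(keyA, "constructed: original release text")
	followUp := Sign(keyA, "constructed: later message, same key")
	impostor := Sign(keyB, "constructed: later message, different key")

	fmt.Println("original key fingerprint:", Fingerprint(original.Pub))
	fmt.Println("follow-up by same key:   ", SameSigner(original, followUp))
	fmt.Println("message by other key:    ", SameSigner(original, impostor))
}
```

The design point is in SameSigner: the candidate's own attached key is never consulted, because a message that merely ships with a valid self-signature proves nothing about who wrote it. Only verification under the key pinned from the earlier release answers the thread's question.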


Actively publishing contemporary historical smut fiction, it would seem.


The advantage gained by wielding advanced technologies is driven by exponential sales cycles. If we allow the government to continue their "back room" rationalizations, there will be a point where our demand for more, faster will come back and haunt us from a cost standpoint. With exponential advances in technology come several orders of magnitude more oversight capacity by a government who continues to make serious errors in calculations when doing things in secret.

The government isn't currently bad because people in it are bad. It's bad because our government has some bad ideas on what it means to govern successfully externally, in an age that is accelerating internal change in individuals. We want it better faster, too.

If we're going to continue to have government, the government needs to immediately become 90% more transparent and start setting the vision for us to do what we need to do to manage these changes.

And then I look at our current election and just shrug my shoulders.


Odd things about this story:

1) were the tools taken out of a secure environment? Or did he download it from the net when it was published?

2) how could he have taken such sensitive tools out?

3) why so many leaks of an ongoing investigation?


> He always thought of himself like a James Bond-type person, wanting to save the world from computer evil

Maybe the NSA needs fewer James Bond characters and more engineers.


So? You're not really making sense here; "engineers" may well think that working for the good of the state is more ethical than working on an improved algo for Google/Facebook to monetize people's private data.


Good of the State or good of the oligarchs? That is the question!


Question: did NYT break their website for NoScript users, or did I somehow manage to break the NYT website for myself? (I tested with Chromium and no plugins and the website works there, but if I try to access it with FF and NoScript, the articles only display a log-in form, even if I grant permissions to everything.)


The fundamental flaw is employing contractors. Governments should be doing all things they are responsible for in house.

Contracting anything out costs in terms of added security risk and in profits a contractor will want.


Former DoD contractor here. Contracting is a description of legal contracts and payment flows, independent of security arrangements. I sat in the same SCIF as my directly employed colleagues, and the same security officer was in charge of our site and everything I did at the site. My employer's security officer had to handle getting my clearance and forwarding the paperwork to my site's security officer.

It's not like DoD contractors are doing classified work from home in their sleepwear. They're still subject to the same security procedures, and in fact the same security people are overseeing the contractors and direct employees.

I would still roll in before sunrise during what looked to be a beautiful day and work in a windowless chainsaw-resistant room with a steel door. I'd daydream of a nice sunny lunch break just like my direct employee colleagues, and be just as disappointed that it was raining when I exited isolation.


Except they would get Columbus Day and MLK Day as paid holidays, while you had to sit at home and eat a PTO day, because the work site cannot be used with no government employees there, and your company doesn't coordinate its holiday schedule for on-site employees.

And then they would have some morale event (read: party/picnic) on base, and they could go to it while on the clock, while you were nominally invited, but if you attended it would have to be off the clock.

Then the funding for your project is interrupted. They get furloughed, and will probably be repaid later when the funding is restored, but you just get straight-up laid off, and have to find a new job with zero notice.

But at least you got paid more. That almost makes the crap treatment worthwhile.

