NSA to cut system administrators by 90 percent to limit data access (reuters.com)
108 points by kjhughes on Aug 9, 2013 | hide | past | favorite | 76 comments



But who will manage the systems that are managing the systems? I'm sure this will work out brilliantly for them when systems crash, or hackers start exfiltrating their data, and there's no one left to analyze the logs and discover and fix the holes.

The problem at the NSA isn't that there are too many sysadmins, although apparently that plays well with tech illiterate politicians. The problem is too many morally unconscionable programs which lead to a growing revulsion in the ranks.

Mr. Alexander defends his agency's conduct and claims the press is distorting the facts. "No one has willfully or knowingly disobeyed the law or tried to invade your civil liberties or privacies," he said. "There were no mistakes like that at all." Except we know that even FISA says that's not true, in a report so damning apparently even elected members of congress can't read it.

I have news for you Keith, blanket collection of the "meta-data" of every call on Verizon's network is ex vi termini, invasion of privacy and civil liberty. DEA's SOD (Special Operations Division) handing off your clandestine intercepts to civilian law enforcement is just the latest, but not the last, sickening revelation. The leaks won't stop until you stop, and I hope your hubris continues to blind you to how close the political tides are to turning against you. It seems to me that your 'ends justify the means' mentality conflicts with your sworn oath to uphold the Constitution, and I can only hope history will look back on this whole endeavor as a dark stain in American history, and view you like a McCarthy of our time. Machiavelli would be proud of you, sir.


The problem is too many morally unconscionable programs which lead to a growing revulsion in the ranks.

Au contraire, it's extremely morally conscionable to people who see law enforcement as a noble profession empowered to rid the nation (and beyond) of people they see as the scum of the earth. These programs are run by people who, I can guarantee you, do not wake up in the morning wondering what morals and ethics they can ignore that day.

However.

"No one has willfully or knowingly disobeyed the law or tried to invade your civil liberties or privacies," he said.

And he's right. And that's the problem: these things are likely not against the law. The law has both been perverted inch by inch and the agencies have been allowed to operate under looser legal interpretations than you and I receive for parking tickets. This means that to the degree that laws exist that permit their behavior (PATRIOT Act, FISAA), those who would constrain them to even the loose boundaries do not (and by all accounts refuse to) do so. This goes for the FISC as much as Dianne Feinstein and Eric Holder. This means they can say it's legal for them to do pretty much whatever they want. So now what?


You say now what? Now exactly what Snowden did: if it's "legal" only because a secret court makes secret decisions which are against the Constitution, inform the people. You are sworn to protect the Constitution, not to just say "I've got an order, I'm just doing it" like some guys who managed to kill millions without losing sleep, thinking "the superiors say it's legal, it's not my thing to even think about it".


Or Bradley Manning. So, basically give up everything in your life for one chance to do the right thing that just about half of America will call you a traitor for?


That's always been the fate of true patriots. Even in Revolutionary times, my understanding is that well over half of the colonial population had a neutral or even positive attitude towards the British. Surprisingly few people wanted to rock the boat.

It's always easy to do the right thing when everybody agrees with you.


Yes. Over and over by hundreds of thousands, if not millions, of people.

The alternative is the public getting exactly what they deserve, receiving the full consequences of their actions, and reaping a bounty of oppression.


I've noticed all along that the NSA is relying VERY heavily on the idea that an automated system collecting, analyzing, and drawing conclusions from spied data is entirely legal so long as no humans are involved. This was the legal defense that whistleblowers claimed they were using (but which has never been tested in court, and they would like to avoid that testing of course) years ago. And for some reason I can't guess, everyone seems to just be going along with it.

"Oh, agents don't have easy access to our personal information? You've just got it all recorded on your servers and you constantly datamine it, but the analysts only look at outputs from the mining and not the specific data? Well OK then" seems to be the response of the press at least.


You might as well try to shame J. Edgar Hoover.


Once again the Wikileaks plan succeeding. In order to maintain their dirty secret, they have to take more and more drastic measures that weaken their ability to operate their illegal enterprise in an efficient manner.


I guess it's a good year to be writing and selling books on puppet and chef?


OK guys we've had a security breach. Let's fire all the guys who look after security!

Oh and everybody has to work with a partner so the work output of our remaining workforce is halved.

Idiots.


Don't get me wrong. I think Snowden is a patriot, but read between the lines here. Security breaks at the interface, and for the NSA, it broke at the interface between itself and its contractors. Snowden was a Booz Allen Hamilton employee, so just like a diseased appendage threatening the rest of the body, I think the NSA is going to start cutting Booz off. Cronyism between the government and private business only extends so far. Booz has become a liability for the NSA, and they're not going to let that relationship, no matter how cozy, threaten the whole thing.


If that's what's going on, then it is pure CYA. There is no practical difference between a contractor and a direct employee. Yes it seems like security clearance vetting has been outsourced (for contractors only?) in recent years. But assuming everybody did their job right an employee is no more trustworthy than a contractor.

I'm entirely willing to believe it is CYA - based on my experience working classified programs practically all security procedures are CYA: Provably follow the checklist and you won't get fired if something goes wrong. Don't worry that the checklist is full of holes like swiss cheese, the checklist is more important than actual security.


I don't see them cutting Booz off. I do see them enforcing stricter standards for employing contractors. Prospects lacking either an elite degree or distinguished military service are likely to encounter significant resistance to employment within the National Business Park and its environs.


What indicates they will be cut off?


Cutting sysadmins by 90% is a big indicator. There's also been a lot of talk from former NSA about security risks involved with contractors with top secret security clearances. The writing is on the wall.


For employee numbers, not contracts.

If anything it stands there will be a higher concentration of work and monies given to the immune likes of Booz Allen Hamilton.


Alternate interpretation: Hey guys, let's try this DevOps thing I read about in InfoWorld; it says you can reduce the number of sysadmins by 90%.


Seriously. At this point the only thing really keeping the gov't in check is their own ineptitude.


I take it you're not a fan of pair programming. ;-)


Those second set of eyes, always judging(helping) and meddling(contributing). Damn(bless) them.


How do partners help anything? Snowden knew he was going to get caught, so increasing the chances of him getting caught would have done very little.


Presumably the two-man rule would have caught him before he could leak anything.


Apparently the NSA has never investigated the Milgram experiments or the experiments done as follow-up?

Yes, most people will just go along and do whatever they are told - even if they are told to hurt or kill people. Very few people will resist if they perceive someone else as being in control and bearing the responsibility. BUT there is an exception to this. Once ONE person decides to rebel and refuses, it spreads like wildfire.

If Snowden had had to work with a team of a dozen people and he decided to resist their secrecy, it's most likely that the rest of the group would agree and join him. At least as likely as it is that the group will go along without question for awhile and that people like Snowden will be rare.


If he got caught before he could leak any data, that would've been a win for the forces that want to keep this stuff under wraps (I hesitate to say a win for the NSA, because I actually believe there might be a few people there still that want to try to fulfil the original mission, as opposed to commit as many criminal acts as possible).

It's a little like pairing up soldiers when you order them to commit a war crime: refusal to obey orders will get you shot -- it raises the bar of refusal by having to convince someone else to risk their life by not taking yours.


"First rule of government spending: why buy one when you can have two for twice the price?"


Is there any literature on whether a rules/laws violation is more or less likely in a paired environment than in a single-user environment? The thinking is that the next Snowden will be stopped by his partner. But I can also see a possibility where the next Snowden has some misgivings, but doesn't have the confidence to go through with action until he voices his misgivings to his partner, and they give each other the courage to proceed.

Which is more likely?


I seriously hope the NSA actually means to eliminate 90% of sysadmin rights by reducing the access rights of most of the people to minimal necessary, not 90% of actual sysadmin positions. Because either NSA is grossly, unbelievably overstaffed (and for some weird reason with, from all possible positions, sysadmins) or, if they staffed like any normal organization, firing 90% of sysadmins would cause unbelievable chaos in all IT systems. Something sounds very weird here.


> either NSA is grossly, unbelievably overstaffed

Can you tell me the last time a President said the military had gotten bloated, and needed to go on a diet? Not counting screwing over veterans, of course.


http://www.youtube.com/watch?v=8y06NSBBRtY

President Dwight D. Eisenhower's famous exit speech of 17 JAN 1961 warning of the dangers of the "military-industrial complex."


Looks like there are going to be 900 disenfranchised sysadmins out in the wild.... I wonder what information they'll have...


Honestly this is a terrible idea. Say what you will about their programs, what they don't need to do is CUT DOWN on the Sys Admins, what they need to do is distribute access more cleanly so that no one person can take out a big chunk of classified data.


There's already a good chunk of effort gone into solving the problem of access to Scary Things for nukes & master crypto keying material, such as the Two Man/No Lone Zone[1] rules.

I'm not sure how well it would translate to things like sysadmin tasks which can't all be pre-scripted checklists, but something like a pair-programming model, combined with a full audit log of actions taken, along with actual independent auditors randomly pulling logs and checking for naughtiness could work.

I dread to think of the bureaucracy overhead involved though - I suspect it would probably end up increasing staff headcount several-fold.

[1] https://en.wikipedia.org/wiki/Two-man_rule
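The comment above sketches a two-person model for sysadmin tasks, a full audit log, and auditors randomly pulling log entries. The following Python block is an added example (not code from the thread or from any agency system) showing how those three parts fit together: a privileged action runs only after a distinct, authorized second person approves it; every request, approval, denial and execution goes into an append-only log whose entries are hash-chained so a single admin cannot quietly rewrite history; and an auditor with their own seed samples executed actions for review. The `demo()` scenario, the user names and the action string are constructed for illustration; `executed` is a stand-in for actually running the command.

```python
"""Two-person authorization for privileged admin actions, with a hash-chained
audit log and random sampling of that log for independent review."""
import hashlib
import json
import random


class AuditLog:
    """Append-only log. Every entry commits to the hash of the previous one,
    so an admin who can write to the log still cannot remove or alter earlier
    entries without breaking the chain that auditors verify."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        digest = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Return True iff no entry was altered, dropped or reordered."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class TwoPersonGate:
    """A privileged action runs only after a second, distinct, authorized
    person approves it. Requests, approvals, denials and executions are all
    written to the audit log."""

    def __init__(self, log: AuditLog, approvers):
        self.log = log
        self.approvers = set(approvers)
        self.pending = {}
        self.executed = []

    def request(self, requester: str, action: str) -> str:
        seed = f"{requester}|{action}|{len(self.log.entries)}".encode()
        rid = hashlib.sha256(seed).hexdigest()[:12]
        self.pending[rid] = {"requester": requester, "action": action}
        self.log.append({"type": "request", "id": rid, "by": requester, "action": action})
        return rid

    def approve(self, approver: str, rid: str) -> bool:
        req = self.pending.get(rid)
        reason = None
        if req is None:
            reason = "unknown request"
        elif approver == req["requester"]:
            reason = "self-approval"  # the case the two-person rule exists to stop
        elif approver not in self.approvers:
            reason = "not an authorized approver"
        if reason:
            self.log.append({"type": "deny", "id": rid, "by": approver, "reason": reason})
            return False
        self.log.append({"type": "approve", "id": rid, "by": approver})
        del self.pending[rid]
        self.executed.append(req["action"])  # stand-in for running the command
        self.log.append({"type": "execute", "id": rid, "action": req["action"]})
        return True


def sample_for_review(log: AuditLog, fraction: float, seed: int) -> list:
    """Pick a random subset of executed actions for an independent auditor to
    check against tickets and change records. The seed belongs to the auditor,
    not the admins, so admins cannot predict which entries get pulled."""
    rng = random.Random(seed)
    executions = [e for e in log.entries if e["event"]["type"] == "execute"]
    k = max(1, round(len(executions) * fraction)) if executions else 0
    return rng.sample(executions, k)


def demo() -> dict:
    """Constructed scenario: one request, a self-approval attempt, an outsider
    attempt, a valid peer approval, then tampering with the log."""
    log = AuditLog()
    gate = TwoPersonGate(log, approvers={"alice", "bob"})
    r1 = gate.request("alice", "dump-db prod")
    self_ok = gate.approve("alice", r1)        # denied: requester approving herself
    outsider_ok = gate.approve("mallory", r1)  # denied: not an approver
    peer_ok = gate.approve("bob", r1)          # approved and executed
    intact = log.verify()
    log.entries[0]["event"]["by"] = "nobody"   # tamper with the first record
    return {"self": self_ok, "outsider": outsider_ok, "peer": peer_ok,
            "intact_before": intact, "intact_after": log.verify(),
            "executed": list(gate.executed), "log": log}


if __name__ == "__main__":
    result = demo()
    print({k: v for k, v in result.items() if k != "log"})
    print("sampled for review:", sample_for_review(result["log"], 0.5, 7))
```

The gate only constrains actions that go through it; in a real deployment the chain head would also be copied to a host the admins cannot write to, since a tampered log that is rebuilt from scratch verifies fine on its own.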


With the two-man rule, the two men are the users. They are not the people building and maintaining the hardware switch that implements the two-man rule. Now that's obviously a silly distinction because it was a simple electric circuit, but nowadays everything runs on Linux and real operating systems, and you need people to maintain them continuously.


Lots of enterprise setups have complicated RBAC/ACL/audit setups where sysadmins/DBAs are only given the bare minimum permissions necessary to complete their required roles. I seem to recall an article from a while back about Google changing some policies after a sysadmin was found to be accessing private user data, to require additional oversight/signoff, or maybe even active observation. Unfortunately, I can't find the article I saw it in, so I may be mistaken.

Technical measures and policies can go some of the way, but I think protecting against a motivated internal attacker with some level of elevated permissions is going to be a tough thing to achieve.


Good luck, guys! I'll know the singularity is here when computers don't need sysadmins.


I was going to write something and then thought why would I bother sticking my neck out and getting on somebody's list and be hassled for no other reason than needing to spend some bloated budget... Self-censorship sucks.


Afraid to voice your opinions? The terrorist government has already won.


So long as the power to spy on people exists it will be abused. It already has been and it will only get worse.

The only recourse is better cryptography.


This is absolutely wrong.

Encryption is now a means of making yourself a suspect. Referencing or communicating with suspects is means to make yourself a suspect.

There is no technical solution away from this.

edit: What, no rebuttal? No eloquent summary on how crypto can lead people out of this? My assertion of no technical solution has no more or no less merit than the one above. But in addition I provided reason on how crypto makes one a suspect, how associating with suspects makes one a suspect as well, a refutation of the above comment.

Let's further discussion.


We're already suspects, we might as well have the encryption too.

Privacy is a basic human right and cannot be granted or taken away. But you need to defend it all the same.


I believe encryption is a very reasonable goal, but if anything the fact that encryption including stenography is highly detectable and is now known as reasons for suspicion and analysis, I do not agree with it being "the only recourse."

This is a technical oriented community so I do feel the need to highlight the problem with focusing on technical solutions, let alone touting them as the only recourse. The writing so to speak was on the wall when recent exposed wrong-doings were made legal, immunity rendered with payments processed to the collaborators. Attempts at technical solutions have brought drone missiles upon Yemenis and others, Australians trapped in diplomatic buildings, valiant whistle-blowers imprisoned/deposed to Russia, data researchers jailed for gazing upon contractor information[1].

There is no technical solution to this. Technical solutions are getting people killed, renditioned, deposed, hunted, prosecuted, tracked, analyzed. Enough with the technical solutions already.

[1] http://motherboard.vice.com/blog/the-doj-is-suing-barrett-br...


Steganography.


Alright, so how long does it take for a disgruntled soon-to-be-ex-system-administrator from the 90% of sysadmins to do the next leak?


Whoever does it will be a hero!


Just need to get the other 10% and we're good.


You read my mind.


Does anyone else hate when a website tries not to let you read it when you have javascript disabled? This one is so lame I had to view the source.


1. Increase efficiency.

2. Reduce leak surface area.

3. Would-be whistleblowers might be more tempted to exchange information for money, ie become spies, at which point you could nail them and nobody bats an eyelid.

4. At least spies sell their information in secret instead of blurting it out all over the place.

5. Dead people/prisoners don't count in unemployment statistics.

It's a win-win-win-win-win situation. Brilliant move.


> "No one has willfully or knowingly disobeyed the law or tried to invade your civil liberties or privacies," he said. "There were no mistakes like that at all."

"Not at all" is such a strong statement. Like Iraq had no WMD at all, right? The US is really bad at admitting its own mistakes.


It's difficult to say, from this article, whether they are actually laying off these admins or whether they are reducing the number of people with administrator access.

I don't see many downsides to reducing the number of people with administrator access. The more administrators there are the more possibility there is for abuse as it is normally very easy for administrators to bypass audit controls as well as, obviously, access controls. The rule of least privilege should apply.

Call me cynical of the human race but I worry more about rogue admins selling information to criminal elements than cutting off would-be whistleblowers.


WRONG:

"Other security measures that Alexander has previously discussed include requiring at least two people to be present before certain data can be accessed on the agency's computer systems."

CORRECT:

Before admins or analysts view native text, a preprocessor regex substitutes innocuous synonym barium canaries for parts of speech, punctuation, possibly with Google-capable proper noun recognition, places and people too. These substitution events are hashed with each specific tractable viewer, and the viewers, so informed of this preprocessor, know it, so they don't rat.

This is also `panopticonable', say this occurs only 10% of the time.
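The scheme described above (per-viewer synonym substitution, with the substitution events hashed against the viewer's identity) is a canary trap for tracing leaked text. The Python block below is an added worked example, not code from the thread or from any agency system: each viewer's copy swaps phrases for innocuous alternatives chosen by an HMAC of the viewer's identity under a server-side key, a receipt hash binds the viewer to the substitutions they were served, and `trace()` recovers which alternatives appear in a leaked copy and scores every known viewer against it. The key, the slot table, the template sentence and the viewer names are constructed for illustration; the `rate` parameter implements the "only 10% of the time" variant by leaving most slots in their original wording.

```python
"""Per-viewer canary substitution: each viewer sees a copy in which some
phrases are swapped for innocuous synonyms chosen by an HMAC of the viewer's
identity; a leaked copy is traced back by comparing its substitution pattern
with the pattern every viewer should have received."""
import hashlib
import hmac
import re

# Server-side key; constructed for this example, never disclosed to viewers.
SERVER_KEY = b"example-canary-key"

# Substitution slots: index 0 is the original wording, the rest are innocuous
# synonyms. No alternative is a substring of another, so extraction is unambiguous.
SLOTS = {
    "report":   ["report", "memo", "summary"],
    "urgent":   ["urgent", "time-sensitive", "pressing"],
    "approved": ["approved", "cleared", "authorized"],
    "meeting":  ["meeting", "session", "briefing"],
    "vendor":   ["vendor", "supplier", "contractor"],
}

TEMPLATE = ("The {report} on the {urgent} request was {approved} "
            "before the {meeting} with the {vendor}.")


def fingerprint(viewer_id: str, rate: float = 1.0) -> dict:
    """Deterministically choose, per slot, which alternative this viewer gets.
    `rate` is the fraction of slots that are substituted at all; the rest keep
    the original wording. The same viewer always gets the same copy."""
    choices = {}
    for slot, alts in SLOTS.items():
        mac = hmac.new(SERVER_KEY, f"{viewer_id}|{slot}".encode(), hashlib.sha256).digest()
        substitute = mac[0] < int(rate * 256)
        choices[slot] = 1 + mac[1] % (len(alts) - 1) if substitute else 0
    return choices


def render(viewer_id: str, rate: float = 1.0) -> str:
    """Produce the copy shown to `viewer_id`."""
    fp = fingerprint(viewer_id, rate)
    return TEMPLATE.format(**{slot: SLOTS[slot][i] for slot, i in fp.items()})


def receipt(viewer_id: str, rate: float = 1.0) -> str:
    """Hash binding the viewer to the substitution events they were served;
    this is the record written to the access log at view time."""
    fp = fingerprint(viewer_id, rate)
    pattern = ",".join(f"{s}={i}" for s, i in sorted(fp.items()))
    return hashlib.sha256(f"{viewer_id}|{pattern}".encode()).hexdigest()


def extract_pattern(text: str) -> dict:
    """Recover which alternative appears in a (possibly leaked) copy.
    Slots whose wording cannot be found (paraphrased away) map to None."""
    found = {}
    for slot, alts in SLOTS.items():
        found[slot] = None
        for i, alt in enumerate(alts):
            if re.search(r"\b" + re.escape(alt) + r"\b", text):
                found[slot] = i
                break
    return found


def trace(leaked: str, viewers: list, rate: float = 1.0) -> list:
    """Score every known viewer by how many slots of the leaked copy match the
    copy they were served; returns (score, viewer) pairs, best first. A tie at
    the top means the pattern does not single out one viewer."""
    observed = extract_pattern(leaked)
    scored = []
    for v in viewers:
        expected = fingerprint(v, rate)
        score = sum(1 for s in SLOTS
                    if observed[s] is not None and observed[s] == expected[s])
        scored.append((score, v))
    scored.sort(key=lambda p: (-p[0], p[1]))
    return scored


if __name__ == "__main__":
    viewers = ["alice", "bob", "carol", "dave"]
    for v in viewers:
        print(v, "->", render(v), receipt(v)[:12])
    print("trace:", trace(render("carol"), viewers))
```

Two caveats a practitioner would add: with five slots and a 10% substitution rate most viewers receive identical copies, so the idea only discriminates when a document has many slots; and tracing identifies a leaker after the fact, which, as the reply below notes, does nothing against someone who already expects to be caught.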


None of that helps for someone like Snowden, who prepared to get caught.


Agreed, the rogue suicide in the wild is a problem.

and...with theguardian.com currently:

Breaking news: US orders non-essential staff to leave consulate in Lahore, Pakistan, citing terrorist threat. More details to follow ...

you suppose whatever intercepted intel causing all these embassy closures are `tainted' with `barium' so the threat is scanning NSA's global surveillance to see what activates a hwall alert and what does not? Eg, peaking traffic volume, how to do this with a machine generated sustained random crypto-noise spike?


Oh, that is genius.

But I have problems believing in the existence of conspirators though. Opportunists, yes, but not conspirators. Our species blows at foresight.


"No one has willfully or knowingly disobeyed the law or tried to invade your civil liberties or privacies," he said. "There were no mistakes like that at all."

LOL!!! In their eyes, we are total morons.


Hopefully the 90 percent all become Snowdens and the other 10 percent quit.


Somehow I just can't see this ending well either.


Love it! Hey NSA, how does it feel to have your privacy violated? If you have nothing to hide, you should care.


Or, you know, they could have and enforce data access rules to limit data access.


From the article:

"No one has willfully or knowingly disobeyed the law or tried to invade your civil liberties or privacies," he said. "There were no mistakes like that at all."

... then why did they lie about it to congress?


Because they are the good guys, so it's ok for them to lie to the congress. For you it is a felony, but for them it's not even a mistake.


According to a source speaking off the record, most of the reduction-in-force will be achieved through mysterious auto accidents.


Whoa, the NSA finally cares about privacy!


All while bribing sysadmins overseas to install NSA listening devices. What's good for the goose...


> Using technology to automate much of the work now done by employees and contractors

This sounds like they are just trimming a bloated IT department, and just using security as an excuse.


Sounds like an excuse to bring in a different huge company with another huge contract to 'automate' tasks.


I hope none of them read The Mythical Man Month.


As long as they are in the Carlyle Group's portfolio to offset the loss from their company BAH.


What could possibly go wrong?


ah yes, let's cut down on the amount of people who will dob on us.


Good luck.


Since Edward Snowden was considered an administrator and he was employed by Booz Allen Hamilton, this means a supposed large cut in contracts to external legally immune corporations.

First off I doubt much of a cut on spending or a hindrance to the vast expansion of the world's surveillance state.

But if this does mean a cut in those employed, it implies fewer targets to battle back judicially, legislatively, socially. Fewer 'independent' opinions (dismissing a probable increase of automated bots) attempting to justify their salary. Plus automation is king only to a point; how do most hacker seminars end? "It's always about the people."

With a clearer trail of monetary remuneration to follow that gives those in the dissenting camp a better chance to isolate and make examples of the collaborators who seek to route around justice to enforce their vision of law while hiding in the legal shadows collecting cash.

edit: Be on the look-out for a large increase in marketing of surveillance state tools to nations like Saudi Arabia, or torture-loving UAE, typical nations that companies like Booz Allen Hamilton and others whore themselves out to for monies.


I'll be happier if the administrators cut NSA's current data-sets down by 90%. Just leave the 10% data that points to communications of the Government and their secret agents.

Parsing that data will help us figure out moles and real traitors.

/sarcasm. I prefer they shut down NSA completely.


This is just plain wrong. Instead of admitting that what they did was immoral and attempting to repair faith with the tech community and the country, they're now trying to automate IT so that they don't have to worry about SysAdmins with a conscience.

So their big plan is, "if our agents can use a UI to get all the info they need, we won't need to worry about those pesky left-leaning IT types."

The amount of stupid here is unbearable!! Good luck to them when they need another feature developed.


We are legion!



