Is the government or anyone else trying to develop secure systems? I don't mean stock technology (Intel/Arm + Windows/*nix/etc.) retrofitted or 'locked down', I mean new tech built from the ground up for high security.
Given the exceptionally high value to foreign governents (and other actors) of breaking into US government computers, the latter approach seems like the only potential option. The stock tech just can't be secured effectively enough, IMHO.
----
EDIT: Answering my own question to a degree, here are presentations on High-Assurance Cyber Military Systems (HACMS), which apparently utilize seL4:
If you read the headlines enough, you'll notice the U.S. govt is doing the exact opposite of developing secure systems by forcing corporations to weaken their security.
I think the commenter was generally referring to developing secure systems for themselves.
The NSA 'owns' at least one semiconductor fab[1] in Texas, and used to (or still does) own another secure CMOS facility in Santa Clara [2]. Add in several facilities owned by defense contractors as well as the facilities at places such as Lincoln Lab. When you have the ability to develop and build your own secure technology, it would seem perfectly 'logical' to force others to use lesser, less secure hardware.
Yes. Sandia and others have certified fabs for developing classified stuff. The NSA has their own developments called Government Off The Shelf (GOTS) tools. They also contract out developments from defense contractors through certifications like their Type 1 process. They keep the best stuff for themselves and defense contractors.
Here's an interesting example I copied in a design at one point:
You'd have to go REALLY back to basics... a lot of chipsets have backdoors themselves.. some of which the FBI ironically pushed for. So no matter how securely you make your own OS if you don't also make your own hardware it's all for naught.
Also if the government started making its own computers then private suppliers would raise a fuss about "big government" and hurting private enterprise. Also can you imagine the shitstorm ensuing from: "Government insists every tech company bakes in backdoors. Government then has to create its own computers because consumer models are too insecure."
> if the government started making its own computers then private suppliers would raise a fuss
I imagine they'd be designed and built by Boeing or Raytheon or some other major military contractor, just like all the other specialized government equipment.
They probably have a program that swaps their silicon for others as it's in transit from wholesale, probably called something like FRIEDPOTATOS probably in cooperation with DIGIKEY… jokingly of course.
One project is SeL4, which is a provably correct microkernel. I listened to a talk by one of the developers and it sounded like they were getting funding from DARPA.
I also remember reading on Wikipedia about some proprietary closed-source OS that's used by the US government to work with very highly classified information. Apparently the requirement was that the kernel and every program be formally verified, so it had very limited features. IIRC, it still maintained, but newer versions support a Linux environment for less classified work.
Unfortunately, I don't remember what it was called so I can't link to the page.
You mean like the kind of highly classified information that Hillary Clinton kept on her home server? :) was she running a probably secure microkernel?
The problem is that at a certain level of government, you will have administrators who aren't technical experts and who have no interest in deferring to the opinions of technical experts.
Such folks just don't want to bother with the limitations that a secure system implies, even if such a system became much more featureful than the present ones. They want their Windows/Mac and probably want it for their work-groups.
It's not just a lack of technical know-how but a variety of psychological tendencies that stands against this. It's taken a long time for companies to develop UIs that people want to use but the existence of these "easy to UIs" is a barrier to any UI which requires even a small amount of training to use.
So? Hiring a UI expert to do a trivial amount of user testing is basically all that's required. You don't need to turn something into Windows to make it usable. As long as the basic activities are relatively painless, people have zero problem using an archaic system.
Order a report and make a revision. Repeat a couple times if you have to.
Fine. Then those people don't get access to secure systems or information that needs to be secured. Just don't let them have any kind of job that means they need to work with information that should be secure. Let them have their Windows/Mac machine, and let them work on writing Word docs and Powerpoint about stuff that nobody cares about.
Unforunately that's not how government (or any large institution) works. That person has enough political capital to hold onto that job, or probably they wouldn't have obtained the job in the first place. Try firing or moving them and you might find that someone powerful, whose good will you need in order to get important things done, will be unhappy with you.
Just don't let them have any kind of job that means they need to work with information that should be secure.
No, you don't understand that "those people" are in charge of the American state already. This is what the ruling elite looks like, not geeks or technical experts - lawyers, business school grads and ideologues generally. No one else is going to tell them they don't get access ... because they are in charge.
Hillary Clinton's email server and Sarah Palin's hotmail account were both symptoms of this.
Always good to see someone familiar with them. Unfortunately, NSA is transitioning to some new program that allows rapid certification of COTS security products at what looks like EAL1 and in IIRC about 90 days. Great for time to market and COTS acquisition but bad for security.
Fortunately, DARPA, NSF, and other organizations are funding a lot of good work. Here's a few:
Much of Galois Inc's work is government funded. That includes CRYPTOL language, Ivory language, Xen work, Haskell work, and so on. NSA partly funded demo's from Praxis (now Altran) on their Correct by Construction process with Z specs and SPARK Ada code. They built SPARK, too.
So, lots of stuff going on that is already practical. There's even more that are academic prototypes or exist in simulation. Leaving them off for now.
Somewhere in the depths of my brain I recall IBM developing a "secure" architecture from hardware up a long time ago, but the project was killed for some reason. Pretty sure HN user nickpsecurity originally posted about it.
The famed IBM "Future Systems" project (to replace the S/360-descended mainframe architecture) was a failure, but it survived by evolving into System/38, then AS/400, later renamed to i5/OS and now IBM i. Hardware-based capability security was part of the architecture.
One of the founders and best performers of INFOSEC, Paul Karger, was on that project. Later did their smartcard OS, Caernarvon, for an anticipated EAL7 evaluation. In the past, he did MULTICS security evaluation and VAX VMM Security kernel among other things.
Far as HWMAC, they sort of just dropped it on us in 2011 and I haven't heard about it since. (shrugs) Meanwhile, Cambridge already has FreeBSD running on the CHERI processor with code available and a less-aggressive, legal team. :)
There exists a series of OS'es in use in DoD/Darpa/etc that are designed from the ground up for high security, but almost all of them are closed source/proprietary, which really frustrates me. QubesOS is promising, but has many issues to work through, and minix3 is interesting, but I'm not aware of any new FOSS secure OS movements.
The NSA actually has a lot of useful PDFs related to hardening existing OS's up on its site that you can find through Google:
Search: site:nsa.gov filetype:pdf hardening
(works in DuckDuckGo as well)
The search will probably get you noticed, but I remember spending like 2 days in highschool just scraping and going through every PDF I could find for useful things to know. ~
All the more reason why the US government shouldn't be running mass surveillance programs. You may trust the US government with your data, but what if they can't protect your data once they've obtained it?
Do you trust the Chinese government with your personal information? How about organized crime groups with the resources to hire expert black-hats?
We're talking about people who haven't done anything wrong, and aren't suspected of any wrongdoing. Innocent people are having private data gathered without their consent (and arguably in violation of the constitution) by people who have had a series of embarrassing security blunders in recent years.
You might argue that the NSA has tighter security standards than the OPM and whichever departments were compromised in this attack. In response to that, I'd point out that Edward Snowden was only a contracter, and shouldn't have had access to the information he leaked to the press. Clearly security wasn't that great at the NSA.
Forget surveillance data -- we have a veritable treasure trove of zero-day exploits. The US Gov (and many other's) are very active in the zero-day market with an impressive stockpile.
We have so much effort into offence that we ended up forgetting about defence, and losing the latter makes the former largely ineffective. This completely destroys the credibility of the NSA's argument that they deserve ever-more expanding powers to reach around the globe, especially given that we will have hands following the neat trail that we have behind ourselves.
Why do we give them the power to act with impunity and without oversight, trusting them to reach around the globe, when we expose ourselves the whole length of the way?
It's like leaving the door open at Fort Knox because we're too busy spying on our neighbours.
Point is that if a group breaks-in and steals all the zero days, backdoor access, etc. - they very might be able to end the world if they wanted to do so. Further, by not focusing on defense, which is assumed by the fact that APT6 was able to get in, there's the remote chance that this might happen; hell Snowden likely could have done this if he wanted, but didn't.
Give them the power? No that's not how it works in the USA.
Companies have free reign to do what they will, its up to us the people to demonstrate why / decide what they are doing is illegal and demand laws around it.
I think the question is why aren't more people pissed off about this? Some would say its apathy, I would say its simple lack of knowledge and understanding. Nobody wants to be spied on.
This isn't an argument in favor of the espionage state, upfront clarification. People typically aren't afraid of things they haven't yet personally been given a reason to be afraid of.
Americans are told the spying makes them safer. Americans fear terrorism, and they're told the focus of the spying is terrorism. Very, very, very few Americans have seen negative repercussions from the spying (so far as they personally notice or 'feel' going about their daily lives). So far, to that typical American, it's almost all theoretically helpful and not harmful.
I agree that a lack of understanding - properly comprehending the full historical scope and risks of such power - is at the root of why it's tolerated. I think inside of most Americans, you'll find a belief that their government can't be fundamentally evil (thus they don't fear the really bad potential outcome scenarios of such spying), even if it occasionally does something bad.
You've noted something very interesting. People in the West seem to have forgotten the essence of government. Government is not a charity. For better or for worse, it's a monopoly on violence. Any action it takes is ultimately predicated on the threat (or use) of force. IMHO the sooner people realize this, the better.
> You may trust the US government with your data, but what if they can't protect your data once they've obtained it?
I've never understood this idea. The US government is dangerous to anyone located in the US. The Russian government is not. It will never matter to you if the Russian government has your data; it can matter a lot if the US does.
Until the next presidential candidate that Russia doesn't like has all his porn and affairs and other secrets dumped online. But yes it doesn't seem like the worst thing in the world.
> It will never matter to you if the Russian government has your data
How do you figure that? Aside from the obvious credit card data/identity theft, there is also freedom of speech persecutions that can routinely happen should a foreign actor have your data and you traveled to their country.
Example: you are openly gay on your social media posts, and want to vacation in a foreign country that bans homosexuality. Maybe you are critical of the current Chinese leadership but still want to see the Great Wall. These are just low-hanging-fruit examples.
It's misguided to be so careless with your personal data, especially with regards to foreign actors.
> Example: you are openly gay on your social media posts, and want to vacation in a foreign country that bans homosexuality. Maybe you are critical of the current Chinese leadership but still want to see the Great Wall. These are just low-hanging-fruit examples.
It's much more likely that they will use your to arrest their own citizens for being guilty by association... which is shitty, but far less dangerous than if your own government knows your "dirty" secrets.
At worst maybe Malaysia profiles a pot-smoking Washingtonian, but even then that person still has to break the law through possession...
Fill in your own special circumstances. Going just based on his name, he sounds like he had a severely elevated risk of exposure to the Russian government. I'm pretty sure he knew about it. None of that applies to actsasbuffoon.
As an American in the US, my special circumstances dictate that the US government is very dangerous, and the largest, possibly only, risk that I'd suffer from the Russian government getting my data is that they'd share it with the US government.
> I've never understood this idea. The US government is dangerous to anyone located in the US. The Russian government is not. It will never matter to you if the Russian government has your data; it can matter a lot if the US does.
It does if I have to visit Moscow airport on my way somewhere.
There is one main law in Russia - don't mess with Putin and his goons. So if you don't intend to do that - you are completely safe from being a target.
Uncle Sam has the power to obtain all American citizen's data with relative ease, but what's worse is Uncle Sam's servers (which are numerous and disorganized[1]) are hacked even easier. [1]
TLS is cat & mouse game at this point, and we count on closed-sourced systems like Whisper to be the holy grail. It's a sad sate of affairs.
The US government should develop (when needed) and deploy everywhere things such as OSS solutions that eliminate attack vectors like the Quark web browser (formally verified via shim verification), Hardened OSS operating systems, OSS software routing (no hidden back doors in things implementing network isolation), RSA-based authentication TFA with physical elements (and physical key pads on the secure elements for pin entry, ban internal wireless communications (no office wifi and no Bluetooth equipment), destroy equipment if it is suspected to be compromised, etcetera.
The idea would be to put mitigations into place for every imagationable attack vector by breaking everything but the things that are necessary and isolating the things that are left. That ought to make breaking into systems harder. It will likely never happen though. If anyone in charge of IT for even a portion of the US government did this, he would probably get fired as soon as those who can fire him experience proper security.
Presumably you can never know you are clean from this point on. Any state sponsored group that has been in government servers this long will have spread to pretty much every part.
Hardly surprising when most resources are spent on mass surveillance, reliant on weak security.
Snowden's leaks show the focus is to "prevent public debate about the mass surveillance program." - GCHQ, leaked slide.
> "The mass surveillance program has done nothing to prevent terrorist attacks, it has not stopped a single one.", concludes Obama's 2014 report chaired by the ex-deputy director of the CIA.
Compromising public safety by starving resources from real investigative intelligence.
> "If you collect it all, you understand nothing." Snowden
They were warned of the Belgian Bombers by Turkish Intelligence. Warned he had just returned from training camps. Warned a Tsarnev brother had been at a training camp just before he bombed Boston.
Real warnings about activated radical, single dangerous individuals - not a needle in haystack - direct advance warnings. Same with London 7/7 and in all cases the response is "we didn't have sufficient resources to target these individuals."
If these attacks were preventable - why weren't they ?
This question must be asked again and again and we should be unsatisfied with 'closing the stable door' answers like 'because they had burner phones'. Because that is not their focus is the awful, sad, inescapable truth.
When we first heard about how Snowden actually got access to the files which he leaked, I remember being astounded that the USG was so incompetent about information security. My next thought was, how could Snowden be the first to get this stuff when there are professional spies from several nations, not to mention organized crime, who also want access to the info.
In fact it is entirely possible that deep cover agents within the USG had rigged the system so that info security was practically non-existent but only if you had the eyes of a UNIX system administrator like Snowden. Or some foreign spy agency operatives.
Remember that supposed cyber attack on Ukraine's power systems. It is precisely the same thing. Incompetence in security administration, nobody even caring to do the simplest things to secure systems and networks, no real security audits. Just handwaving and powerpoints and lots of impressive jargon, and no doubt, impressive checks being written.
Can we do better than this? Serious question, can we?
People get the security they pay for. Look how much a security expert will get paid. Look at the training offered in our society to developer people into security experts, be it during childhood, at college, or once they are part of the work force.
Now look at how our society handles sport stars. Their pay. The training kids get which is needed to give rise to the stars.
I'm not convince our society cares about being secure when you measure by actions instead of words.
When we first heard about how Snowden actually got access to the files which he leaked, I remember being astounded that the USG was so incompetent about information security. My next thought was, how could Snowden be the first to get this stuff when there are professional spies from several nations, not to mention organized crime, who also want access to the info.
In fact it is entirely possible that deep cover agents within the USG had rigged the system so that info security was practically non-existent but only if you had the eyes of a UNIX system administrator like Snowden. Or some foreign spy agency operatives.
Remember that supposed cyber attack on Ukraine's power systems. It is precisely the same thing. Incompetence in security administration, nobody even caring to do the simplest things to secure systems and networks, no real security audits. Just handwaving and powerpoints and lots of impressive jargon, and no doubt, impressive checks being written.
Can we do better than this? Serious question, can we?
80 comments
[ 2.2 ms ] story [ 146 ms ] threadGiven the exceptionally high value to foreign governents (and other actors) of breaking into US government computers, the latter approach seems like the only potential option. The stock tech just can't be secured effectively enough, IMHO.
----
EDIT: Answering my own question to a degree, here are presentations on High-Assurance Cyber Military Systems (HACMS), which apparently utilize seL4:
http://www.cyber.umd.edu/sites/default/files/documents/sympo...
https://www.youtube.com/watch?v=YqRdbgRPYw8
The NSA 'owns' at least one semiconductor fab[1] in Texas, and used to (or still does) own another secure CMOS facility in Santa Clara [2]. Add in several facilities owned by defense contractors as well as the facilities at places such as Lincoln Lab. When you have the ability to develop and build your own secure technology, it would seem perfectly 'logical' to force others to use lesser, less secure hardware.
[1] http://www.chron.com/news/houston-texas/houston/article/NSA-...
[2] http://www.militaryaerospace.com/articles/print/volume-9/iss...
I didn't know antennaes could interfere with transmission.?
Just another one of those fantastic science/technology/journalistic chain phone calls that result in nonsense being communicated to the public.
Here's an interesting example I copied in a design at one point:
https://www.nsa.gov/ia/programs/inline_media_encryptor/index...
Compare that to the average tool for disk encryption. I bet the commercial one leaves off some requirements or countermeasures. ;)
Also if the government started making its own computers then private suppliers would raise a fuss about "big government" and hurting private enterprise. Also can you imagine the shitstorm ensuing from: "Government insists every tech company bakes in backdoors. Government then has to create its own computers because consumer models are too insecure."
I imagine they'd be designed and built by Boeing or Raytheon or some other major military contractor, just like all the other specialized government equipment.
[1] http://www.militaryaerospace.com/articles/print/volume-9/iss...
[2] http://www.manufacturingnews.com/news/04/0203/art1.html
[1] http://www.chron.com/news/houston-texas/houston/article/NSA-....
[2] http://www.militaryaerospace.com/articles/print/volume-9/iss....
One project is SeL4, which is a provably correct microkernel. I listened to a talk by one of the developers and it sounded like they were getting funding from DARPA.
https://sel4.systems/About/seL4/
I also remember reading on Wikipedia about some proprietary closed-source OS that's used by the US government to work with very highly classified information. Apparently the requirement was that the kernel and every program be formally verified, so it had very limited features. IIRC, it still maintained, but newer versions support a Linux environment for less classified work.
Unfortunately, I don't remember what it was called so I can't link to the page.
edit: found it:
https://en.wikipedia.org/wiki/XTS-400
https://en.wikipedia.org/wiki/Trusted_Computer_System_Evalua...
> Examples of A1-class systems are Honeywell's SCOMP, Aesec's GEMSOS, and Boeing's SNS Server.
Such folks just don't want to bother with the limitations that a secure system implies, even if such a system became much more featureful than the present ones. They want their Windows/Mac and probably want it for their work-groups.
It's not just a lack of technical know-how but a variety of psychological tendencies that stands against this. It's taken a long time for companies to develop UIs that people want to use but the existence of these "easy to UIs" is a barrier to any UI which requires even a small amount of training to use.
Order a report and make a revision. Repeat a couple times if you have to.
No, you don't understand that "those people" are in charge of the American state already. This is what the ruling elite looks like, not geeks or technical experts - lawyers, business school grads and ideologues generally. No one else is going to tell them they don't get access ... because they are in charge.
Hillary Clinton's email server and Sarah Palin's hotmail account were both symptoms of this.
Fortunately, DARPA, NSF, and other organizations are funding a lot of good work. Here's a few:
http://www.crash-safe.org/
https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/
http://www.cs.rutgers.edu/~santosh.nagarakatte/softbound/ (See hardware papers like Hardbound and Watchdog)
http://safecode.cs.illinois.edu/sva.html
http://scholar.lib.vt.edu/theses/available/etd-10112006-2048...
Much of Galois Inc's work is government funded. That includes CRYPTOL language, Ivory language, Xen work, Haskell work, and so on. NSA partly funded demo's from Praxis (now Altran) on their Correct by Construction process with Z specs and SPARK Ada code. They built SPARK, too.
So, lots of stuff going on that is already practical. There's even more that are academic prototypes or exist in simulation. Leaving them off for now.
None of that matters if you are using it in a modern processor full of backdoors and malicious technologies like AMT/IME/PSP.
The famed IBM "Future Systems" project (to replace the S/360-descended mainframe architecture) was a failure, but it survived by evolving into System/38, then AS/400, later renamed to i5/OS and now IBM i. Hardware-based capability security was part of the architecture.
https://domino.research.ibm.com/library/cyberdig.nsf/papers/...
One of the founders and best performers of INFOSEC, Paul Karger, was on that project. Later did their smartcard OS, Caernarvon, for an anticipated EAL7 evaluation. In the past, he did MULTICS security evaluation and VAX VMM Security kernel among other things.
Far as HWMAC, they sort of just dropped it on us in 2011 and I haven't heard about it since. (shrugs) Meanwhile, Cambridge already has FreeBSD running on the CHERI processor with code available and a less-aggressive, legal team. :)
Search: site:nsa.gov filetype:pdf hardening
(works in DuckDuckGo as well)
The search will probably get you noticed, but I remember spending like 2 days in highschool just scraping and going through every PDF I could find for useful things to know. ~
Do you trust the Chinese government with your personal information? How about organized crime groups with the resources to hire expert black-hats?
We're talking about people who haven't done anything wrong, and aren't suspected of any wrongdoing. Innocent people are having private data gathered without their consent (and arguably in violation of the constitution) by people who have had a series of embarrassing security blunders in recent years.
You might argue that the NSA has tighter security standards than the OPM and whichever departments were compromised in this attack. In response to that, I'd point out that Edward Snowden was only a contracter, and shouldn't have had access to the information he leaked to the press. Clearly security wasn't that great at the NSA.
We have so much effort into offence that we ended up forgetting about defence, and losing the latter makes the former largely ineffective. This completely destroys the credibility of the NSA's argument that they deserve ever-more expanding powers to reach around the globe, especially given that we will have hands following the neat trail that we have behind ourselves.
Why do we give them the power to act with impunity and without oversight, trusting them to reach around the globe, when we expose ourselves the whole length of the way?
It's like leaving the door open at Fort Knox because we're too busy spying on our neighbours.
Companies have free reign to do what they will, its up to us the people to demonstrate why / decide what they are doing is illegal and demand laws around it.
I think the question is why aren't more people pissed off about this? Some would say its apathy, I would say its simple lack of knowledge and understanding. Nobody wants to be spied on.
Americans are told the spying makes them safer. Americans fear terrorism, and they're told the focus of the spying is terrorism. Very, very, very few Americans have seen negative repercussions from the spying (so far as they personally notice or 'feel' going about their daily lives). So far, to that typical American, it's almost all theoretically helpful and not harmful.
I agree that a lack of understanding - properly comprehending the full historical scope and risks of such power - is at the root of why it's tolerated. I think inside of most Americans, you'll find a belief that their government can't be fundamentally evil (thus they don't fear the really bad potential outcome scenarios of such spying), even if it occasionally does something bad.
Pew reports most Americans have modified their online behaviour since Snowden.
An illusion of consent produced by fear.
I expect the other guys have them as well.
I've never understood this idea. The US government is dangerous to anyone located in the US. The Russian government is not. It will never matter to you if the Russian government has your data; it can matter a lot if the US does.
How do you figure that? Aside from the obvious credit card data/identity theft, there is also freedom of speech persecutions that can routinely happen should a foreign actor have your data and you traveled to their country.
Example: you are openly gay on your social media posts, and want to vacation in a foreign country that bans homosexuality. Maybe you are critical of the current Chinese leadership but still want to see the Great Wall. These are just low-hanging-fruit examples.
It's misguided to be so careless with your personal data, especially with regards to foreign actors.
It's much more likely that they will use your to arrest their own citizens for being guilty by association... which is shitty, but far less dangerous than if your own government knows your "dirty" secrets.
At worst maybe Malaysia profiles a pot-smoking Washingtonian, but even then that person still has to break the law through possession...
Oh yeah, because police never plant drugs.
As an American in the US, my special circumstances dictate that the US government is very dangerous, and the largest, possibly only, risk that I'd suffer from the Russian government getting my data is that they'd share it with the US government.
And his mistake was trusting a friend. Not some data collection Russian operation.
If you enter that game - you know the risks.
That's a poor justification for executing somebody without trial.
It does if I have to visit Moscow airport on my way somewhere.
That is a painfully naive declaration.
TLS is cat & mouse game at this point, and we count on closed-sourced systems like Whisper to be the holy grail. It's a sad sate of affairs.
[1] http://www.zone-h.org/archive/special=1?zh=1
There's nothing arguable about it.
/s
https://news.ycombinator.com/item?id=11426849
(On topic: the more data they collect, the more tempting of a target they become.)
A compiler that inserts a backdoor ( and the backdoor inserter ) into anything it compiles but contains no backdoor in the source code.
Infect one compiler and then everything that follows has a backdoor.
IMO that attack is as grandiose as it is unlikely.
The idea would be to put mitigations into place for every imagationable attack vector by breaking everything but the things that are necessary and isolating the things that are left. That ought to make breaking into systems harder. It will likely never happen though. If anyone in charge of IT for even a portion of the US government did this, he would probably get fired as soon as those who can fire him experience proper security.
is there anyway to break the cycle?
Snowden's leaks show the focus is to "prevent public debate about the mass surveillance program." - GCHQ, leaked slide.
> "The mass surveillance program has done nothing to prevent terrorist attacks, it has not stopped a single one.", concludes Obama's 2014 report chaired by the ex-deputy director of the CIA.
Compromising public safety by starving resources from real investigative intelligence.
> "If you collect it all, you understand nothing." Snowden
They were warned of the Belgian Bombers by Turkish Intelligence. Warned he had just returned from training camps. Warned a Tsarnev brother had been at a training camp just before he bombed Boston.
Real warnings about activated radical, single dangerous individuals - not a needle in haystack - direct advance warnings. Same with London 7/7 and in all cases the response is "we didn't have sufficient resources to target these individuals."
If these attacks were preventable - why weren't they ?
This question must be asked again and again and we should be unsatisfied with 'closing the stable door' answers like 'because they had burner phones'. Because that is not their focus is the awful, sad, inescapable truth.
All sources from this debate between Greenwald, Chomsky & Snowden: https://theintercept.com/2016/03/30/edward-snowden-noam-chom...
In fact it is entirely possible that deep cover agents within the USG had rigged the system so that info security was practically non-existent but only if you had the eyes of a UNIX system administrator like Snowden. Or some foreign spy agency operatives.
Remember that supposed cyber attack on Ukraine's power systems. It is precisely the same thing. Incompetence in security administration, nobody even caring to do the simplest things to secure systems and networks, no real security audits. Just handwaving and powerpoints and lots of impressive jargon, and no doubt, impressive checks being written.
Can we do better than this? Serious question, can we?
Now look at how our society handles sport stars. Their pay. The training kids get which is needed to give rise to the stars.
I'm not convince our society cares about being secure when you measure by actions instead of words.
In fact it is entirely possible that deep cover agents within the USG had rigged the system so that info security was practically non-existent but only if you had the eyes of a UNIX system administrator like Snowden. Or some foreign spy agency operatives.
Remember that supposed cyber attack on Ukraine's power systems. It is precisely the same thing. Incompetence in security administration, nobody even caring to do the simplest things to secure systems and networks, no real security audits. Just handwaving and powerpoints and lots of impressive jargon, and no doubt, impressive checks being written.
Can we do better than this? Serious question, can we?