81 comments

[ 3.2 ms ] story [ 123 ms ] thread
> Using technology to automate much of the work now done by employees and contractors

This sounds like they are just trimming a bloated IT department, and just using security as an excuse.

Sounds like an excuse to bring in a different huge company with another huge contract to 'automate' tasks.
As long as they are in the Carlyle Groups portfolio to offset the loss from their company BAH.
I hope none of them read The Mythical Man Month.
(comment deleted)
ah yes, let's cut down on the amount of people who will dob on us.
Hopefully the 90 percent all become Snowdens and the other 10 percent quit.
Since Edward Snowden was considered an administrator and he was employed by Booz Allen Hamilton, this means a supposed large cut in contracts to external legally immune corporations.

First off I doubt much of a cut on spending or a hindrance to the vast expansion of the world's surveillance state.

But if this does mean a cut in those employed it implies less targets to battle back judicially, legislatively, socially. Less 'independent' opinions (dismissing a probable increase of automated bots) attempting to justify their salary. Plus automation is king only to a point, how do most hacker seminars end? "Its always about the people."

With a clearer trail of monetary remuneration to follow that gives those in the dissenting camp a better chance to isolate and make examples of the collaborators who seek to route around justice to enforce their vision of law while hiding in the legal shadows collecting cash.

edit: Be on the look-out for a large increase in marketing of surveillance state tools to nations like Saudi Arabia, or torture loving UAE, typical nations that companies that Booz Allen Hamilton and others whore themselves out to for monies.

According to a source speaking off the record, most of the reduction-in-force will be achieved through mysterious auto accidents.
Just need to get the other 10% and we're good.
I was going to write something and then thought why would I bother sticking my neck out and getting on somebody's list and be hassled for no other reason than needing to spend some bloated budget... Self-censorship sucks.
Afraid to voice your opinions? The terrorist government has already won.
Somehow I just can't see this ending well either.
Good luck, guys! I'll know the singularity is here when computers don't need sysadmins.
Honestly this is a terrible idea. Say what you will about their programs, what they don't need to do is CUT DOWN on the Sys Admins, what they need to do is distribute access more cleanly so that no one person can take out a big chuck of classified data.
There's already a good chunk of effort gone into solving the problem of access to Scary Things for nukes & master crypto keying material, such as the Two Man/No Lone Zone[1] rules.

I'm not sure how well it would translate to things like sysadmin tasks which can't all be pre-scripted checklists, but something like a pair-programming model, combined with a full audit log of actions taken, along with actual independent auditors randomly pulling logs and checking for naughtiness could work.

I dread to think of the bureaucracy overhead involved though - I suspect it would probably end up increasing staff headcount several-fold.

[1] https://en.wikipedia.org/wiki/Two-man_rule

With the two-man rule, the two man are the users. They are not the people building and maintaining the hardware switch that implements the two-man rule. Now thats obviously a silly distinction because it was a simple electric circuit, but nowadays everything runs on Linux and real operating systems, and you need people to maintain them continuously.
Lots of enterprise setups have complicated RBAC/ACL/audit setups where sysadmins/DBAs are only given the bare minimum permissions necessary to complete their required roles. I seem to recall an article from a while back about Google changing some policies after a sysadmin was found to be accessing private user data, to require additional oversight/signoff, or maybe even active observation. Unfortunately, I can't find the article I saw it in, so I may be mistaken.

Technical measures and policies can go some of the way, but I think protecting against a motivated internal attacker with some level of elevated permissions is going to be a tough thing to achieve.

(comment deleted)
What could possibly go wrong?
OK guys we've had a security breach. Let's fire all the guys who look after security!

Oh and everybody has to work with a partner so the work output of our remaining workforce is halved.

Idiots.

I take it you're not a fan of pair programming. ;-)
Those second set of eyes, always judging(helping) and meddling(contributing). Damn(bless) them.
Don't get me wrong. I think Snowden is a patriot, but read between the lines here. Security breaks at the interface, and for the NSA, it broke at the interface between itself and it's contractors. Snowden was a Booz Allen Hamilton employee, so just like a diseased appendage threatening the rest of the body, I think the NSA is going to start cutting Booz off. Cronyism between the government and private business only extends so far. Booz has become a liability for the NSA, and they're not going to let that relationship, no matter how cozy, threaten the whole thing.
What indicates they will be cut off?
Cutting sysadmins by 90% is a big indicator. There's also been a lot of talk from former NSA about security risks involved with contractors with top secret security clearances. The writing is on the on wall.
For employee numbers, not contracts.

If anything it stands there will be a higher concentration of work and monies given to the immune likes of Booz Allen Hamilton.

If that's what's going on, then it is pure CYA. There is no practical difference between a contractor and a direct employee. Yes it seems like security clearance vetting has been outsourced (for contractors only?) in recent years. But assuming everybody did their job right an employee is no more trustworthy than a contractor.

I'm entirely willing to believe it is CYA - based on my experience working classified programs practically all security procedures are CYA: Provably follow the checklist and you won't get fired if something goes wrong. Don't worry that the checklist is full of holes like swiss cheese, the checklist is more important than actual security.

I don't see them cutting Booz off. I do see them enforcing stricter standards for employing contractors. Prospects lacking either an elite degree or distinguished military service are likely to encounter significant resistance to employment within the National Business Park and its environs.
Seriously. At this point the only thing really keeping the gov't in check is their own ineptitude.
How does partners help anything? Snowden knew he was going to get caught, so increasing the chances of him getting caught would have done very little.
Presumably the two-man rule would have caught him before he could leak anything.
Apparently the NSA has never investigated the Milgram experiments of the experiments done as followup?

Yes, most people will just go along and do whatever they are told - even if they are told to hurt or kill people. Very few people will resist if they perceive someone else as being in control and bearing the responsibility. BUT there is an exception to this. Once ONE person decides to rebel and refuses, it spreads like wildfire.

If Snowden had had to work with a team of a dozen people and he decided to resist their secrecy, it's most likely that the rest of the group would agree and join him. At least as likely as it is that the group will go along without question for awhile and that people like Snowden will be rare.

If he got caught before he could leak any data, that would've been a win for the forces that want to keep this stuff under wraps (I hesitate to say a win for the NSA, because I actually believe there might be a few people there still that want to try to fulfil the original mission, as opposed to commit as many criminal acts as possible).

It's a little like pairing up soldiers when you order them to commit a war crime: refusal to obey orders will get you shot -- it raises the bar of refusal by having to convince someone else to risk their life by not taking yours.

Alternate interpretation: Hey guys, let's try this DevOps thing I read about in InfoWorld; it says you can reduce the number of sysadmins by 90%.
"First rule of government spending: why buy one when you can have two for twice the price?"
I'll be happier if the administrators cut NSA's current data-sets down by 90%. Just leave the 10% data that points to communications of the Government and their secret agents.

Parsing that data will help us figure out moles and real traitors.

/sarcasm. I prefer they shut down NSA completely.

Whoa, the NSA finally cares about privacy!
Once again the Wikileaks plan succeeding. In order to maintain their dirty secret, they have to take more and more drastic measures that weaken their ability to operate their illegal enterprise in an efficient manner.
I guess it's a good year to be writing and selling books on puppet and chef?
(comment deleted)
love it! Hey NSA how does it feel to have your privacy violated. If you have nothing to hide, you should care
Alright,so how long does it take for disgruntled soon-to-be-ex-system-administrator of the 90% of sysadmins to do the next leak?
Whoever does it will be a hero!
Is there any literature on whether a rules/laws violation is more or less likely in a paired environment than in a single-user environment? The thinking is that the next Snowden will be stopped by his partner. But I can also see a possibility where the next Snowden has some misgivings, but doesn't have the confidence to go through with action until he voices his misgivings to his partner, and they give each other the courage to proceed.

Which is more likely?

(comment deleted)
WRONG:

"Other security measures that Alexander has previously discussed include requiring at least two people to be present before certain data can be accessed on the agency's computer systems."

CORRECT:

Before admins or analysts view native text, a preprocessor regex substitutes innocuous synonym barium canaries for parts of speech, puncuation, possibly with Google capable proper noun recognition, places and people too. These substitution events are hashed with each specific tractable viewers, and the viewers, so informed of this preprocessor, know it, so they don't rat.

This is also `panopticonable', say this occurs only 10% of the time.

None of that helps for someone like Snowden, who prepared to get caught.
Agreed, the rogue suicide in the wild is a problem.

and...with theguardian.com currently:

Breaking news: US orders non-essential staff to leave consulate in Lahore, Pakistan, citing terrorist threat. More details to follow ...

you suppose whatever intercepted intel causing all these embassy closures are `tainted' with `barium' so the threat is scanning NSA's global surveillance to see what activates a hwall alert and what does not? Eg, peaking traffic volume, how to do this with a machine generated sustained random crypto-noise spike?

Oh, that is genius.

But I have problems believing in the existence of conspirators though. Opportunists, yes, but not conspirators. Our species blows at foresight.

Or, you know, they could have and enforce data access rules to limit data access.
This is just plain wrong. Instead of admitting that what they did was immoral and attempting to repair faith with the tech community and the country, they're now trying to automate IT so that they don't have to worry about SysAdmins with a conscience.

So their big plan is, "if our agents can use a UI to get all the info they need, we won't need to worry about those pesky left-leaning IT types."

The amount of stupid here is unbearable!! Good luck to them when they need another feature developed.

Looks like there are going to be 900 disenfranchised sysadmins out in the wild.... I wonder what information they'll have...
(comment deleted)
So long as the power to spy on people exists it will be abused. It already has been and it will only get worse.

The only recourse is better cryptography.

This is absolutely wrong.

Encryption is now a means of making yourself a suspect. Referencing or communicating with suspects is means to make yourself a suspect.

There is no technical solution away from this.

edit: What, no rebuttal? No eloquent summary on how crypto can lead people out of this? My assertion of no technical solution has no more or no less merit than the one above. But in addition I provided reason on how crypto makes one a suspect, how associating with suspects makes one a suspect as well, a refutation of the above comment.

Let's further discussion.

We're already suspects, we might as well have the encryption too.

Privacy is a basic human right and cannot be granted or taken away. But you need to defend it all the same.

I believe encryption is a very reasonable goal, but if anything the fact that encryption including stenography is highly detectable and is now known as reasons for suspicion and analysis, I do not agree with it being "the only recourse."

This is a technical oriented community so I do feel the need to highlight the problem with focusing on technical solutions, let alone touting them as the only recourse. The writing so to speak was on the wall when recent exposed wrong-doings were made legal, immunity rendered with payments processed to the collaborators. Attempts at technical solutions have brought drone missiles upon Yemenis and others, Australians trapped in diplomatic buildings, valiant whistle-blowers imprisoned/deposed to Russia, data researchers jailed for gazing upon contractor information[1].

There is no technical solution to this. Technical solutions are getting people killed, renditioned, deposed, hunted, prosecuted, tracked, analyzed. Enough with the technical solutions already.

[1] http://motherboard.vice.com/blog/the-doj-is-suing-barrett-br...

"No one has willfully or knowingly disobeyed the law or tried to invade your civil liberties or privacies," he said. "There were no mistakes like that at all."

LOL!!! In their eyes, we are total morons.