Since Edward Snowden was considered an administrator and he was employed by Booz Allen Hamilton, this means a supposed large cut in contracts to external legally immune corporations.
First off I doubt much of a cut on spending or a hindrance to the vast expansion of the world's surveillance state.
But if this does mean a cut in those employed it implies less targets to battle back judicially, legislatively, socially. Less 'independent' opinions (dismissing a probable increase of automated bots) attempting to justify their salary. Plus automation is king only to a point, how do most hacker seminars end? "Its always about the people."
With a clearer trail of monetary remuneration to follow that gives those in the dissenting camp a better chance to isolate and make examples of the collaborators who seek to route around justice to enforce their vision of law while hiding in the legal shadows collecting cash.
edit: Be on the look-out for a large increase in marketing of surveillance state tools to nations like Saudi Arabia, or torture loving UAE, typical nations that companies that Booz Allen Hamilton and others whore themselves out to for monies.
I was going to write something and then thought why would I bother sticking my neck out and getting on somebody's list and be hassled for no other reason than needing to spend some bloated budget... Self-censorship sucks.
Honestly this is a terrible idea. Say what you will about their programs, what they don't need to do is CUT DOWN on the Sys Admins, what they need to do is distribute access more cleanly so that no one person can take out a big chuck of classified data.
There's already a good chunk of effort gone into solving the problem of access to Scary Things for nukes & master crypto keying material, such as the Two Man/No Lone Zone[1] rules.
I'm not sure how well it would translate to things like sysadmin tasks which can't all be pre-scripted checklists, but something like a pair-programming model, combined with a full audit log of actions taken, along with actual independent auditors randomly pulling logs and checking for naughtiness could work.
I dread to think of the bureaucracy overhead involved though - I suspect it would probably end up increasing staff headcount several-fold.
With the two-man rule, the two man are the users. They are not the people building and maintaining the hardware switch that implements the two-man rule. Now thats obviously a silly distinction because it was a simple electric circuit, but nowadays everything runs on Linux and real operating systems, and you need people to maintain them continuously.
Lots of enterprise setups have complicated RBAC/ACL/audit setups where sysadmins/DBAs are only given the bare minimum permissions necessary to complete their required roles. I seem to recall an article from a while back about Google changing some policies after a sysadmin was found to be accessing private user data, to require additional oversight/signoff, or maybe even active observation. Unfortunately, I can't find the article I saw it in, so I may be mistaken.
Technical measures and policies can go some of the way, but I think protecting against a motivated internal attacker with some level of elevated permissions is going to be a tough thing to achieve.
Don't get me wrong. I think Snowden is a patriot, but read between the lines here. Security breaks at the interface, and for the NSA, it broke at the interface between itself and it's contractors. Snowden was a Booz Allen Hamilton employee, so just like a diseased appendage threatening the rest of the body, I think the NSA is going to start cutting Booz off. Cronyism between the government and private business only extends so far. Booz has become a liability for the NSA, and they're not going to let that relationship, no matter how cozy, threaten the whole thing.
Cutting sysadmins by 90% is a big indicator. There's also been a lot of talk from former NSA about security risks involved with contractors with top secret security clearances. The writing is on the on wall.
If that's what's going on, then it is pure CYA. There is no practical difference between a contractor and a direct employee. Yes it seems like security clearance vetting has been outsourced (for contractors only?) in recent years. But assuming everybody did their job right an employee is no more trustworthy than a contractor.
I'm entirely willing to believe it is CYA - based on my experience working classified programs practically all security procedures are CYA: Provably follow the checklist and you won't get fired if something goes wrong. Don't worry that the checklist is full of holes like swiss cheese, the checklist is more important than actual security.
I don't see them cutting Booz off. I do see them enforcing stricter standards for employing contractors. Prospects lacking either an elite degree or distinguished military service are likely to encounter significant resistance to employment within the National Business Park and its environs.
Apparently the NSA has never investigated the Milgram experiments of the experiments done as followup?
Yes, most people will just go along and do whatever they are told - even if they are told to hurt or kill people. Very few people will resist if they perceive someone else as being in control and bearing the responsibility. BUT there is an exception to this. Once ONE person decides to rebel and refuses, it spreads like wildfire.
If Snowden had had to work with a team of a dozen people and he decided to resist their secrecy, it's most likely that the rest of the group would agree and join him. At least as likely as it is that the group will go along without question for awhile and that people like Snowden will be rare.
If he got caught before he could leak any data, that would've been a win for the forces that want to keep this stuff under wraps (I hesitate to say a win for the NSA, because I actually believe there might be a few people there still that want to try to fulfil the original mission, as opposed to commit as many criminal acts as possible).
It's a little like pairing up soldiers when you order them to commit a war crime: refusal to obey orders will get you shot -- it raises the bar of refusal by having to convince someone else to risk their life by not taking yours.
I'll be happier if the administrators cut NSA's current data-sets down by 90%. Just leave the 10% data that points to communications of the Government and their secret agents.
Parsing that data will help us figure out moles and real traitors.
Once again the Wikileaks plan succeeding. In order to maintain their dirty secret, they have to take more and more drastic measures that weaken their ability to operate their illegal enterprise in an efficient manner.
Is there any literature on whether a rules/laws violation is more or less likely in a paired environment than in a single-user environment? The thinking is that the next Snowden will be stopped by his partner. But I can also see a possibility where the next Snowden has some misgivings, but doesn't have the confidence to go through with action until he voices his misgivings to his partner, and they give each other the courage to proceed.
"Other security measures that Alexander has previously discussed include requiring at least two people to be present before certain data can be accessed on the agency's computer systems."
CORRECT:
Before admins or analysts view native text, a preprocessor regex substitutes innocuous synonym barium canaries for parts of speech, puncuation, possibly with Google capable proper noun recognition, places and people too. These substitution events are hashed with each specific tractable viewers, and the viewers, so informed of this preprocessor, know it, so they don't rat.
This is also `panopticonable', say this occurs only 10% of the time.
Agreed, the rogue suicide in the wild is a problem.
and...with theguardian.com currently:
Breaking news:
US orders non-essential staff to leave consulate in Lahore, Pakistan, citing terrorist threat. More details to follow ...
you suppose whatever intercepted intel causing all these embassy closures are `tainted' with `barium' so the threat
is scanning NSA's global surveillance to see what activates a hwall alert and what does not? Eg, peaking traffic volume, how to do this with a machine generated sustained random crypto-noise spike?
This is just plain wrong. Instead of admitting that what they did was immoral and attempting to repair faith with the tech community and the country, they're now trying to automate IT so that they don't have to worry about SysAdmins with a conscience.
So their big plan is, "if our agents can use a UI to get all the info they need, we won't need to worry about those pesky left-leaning IT types."
The amount of stupid here is unbearable!! Good luck to them when they need another feature developed.
Encryption is now a means of making yourself a suspect. Referencing or communicating with suspects is means to make yourself a suspect.
There is no technical solution away from this.
edit: What, no rebuttal? No eloquent summary on how crypto can lead people out of this? My assertion of no technical solution has no more or no less merit than the one above. But in addition I provided reason on how crypto makes one a suspect, how associating with suspects makes one a suspect as well, a refutation of the above comment.
I believe encryption is a very reasonable goal, but if anything the fact that encryption including stenography is highly detectable and is now known as reasons for suspicion and analysis, I do not agree with it being "the only recourse."
This is a technical oriented community so I do feel the need to highlight the problem with focusing on technical solutions, let alone touting them as the only recourse. The writing so to speak was on the wall when recent exposed wrong-doings were made legal, immunity rendered with payments processed to the collaborators. Attempts at technical solutions have brought drone missiles upon Yemenis and others, Australians trapped in diplomatic buildings, valiant whistle-blowers imprisoned/deposed to Russia, data researchers jailed for gazing upon contractor information[1].
There is no technical solution to this. Technical solutions are getting people killed, renditioned, deposed, hunted, prosecuted, tracked, analyzed. Enough with the technical solutions already.
"No one has willfully or knowingly disobeyed the law or tried to invade your civil liberties or privacies," he said. "There were no mistakes like that at all."
81 comments
[ 3.2 ms ] story [ 123 ms ] threadThis sounds like they are just trimming a bloated IT department, and just using security as an excuse.
First off I doubt much of a cut on spending or a hindrance to the vast expansion of the world's surveillance state.
But if this does mean a cut in those employed it implies less targets to battle back judicially, legislatively, socially. Less 'independent' opinions (dismissing a probable increase of automated bots) attempting to justify their salary. Plus automation is king only to a point, how do most hacker seminars end? "Its always about the people."
With a clearer trail of monetary remuneration to follow that gives those in the dissenting camp a better chance to isolate and make examples of the collaborators who seek to route around justice to enforce their vision of law while hiding in the legal shadows collecting cash.
edit: Be on the look-out for a large increase in marketing of surveillance state tools to nations like Saudi Arabia, or torture loving UAE, typical nations that companies that Booz Allen Hamilton and others whore themselves out to for monies.
I'm not sure how well it would translate to things like sysadmin tasks which can't all be pre-scripted checklists, but something like a pair-programming model, combined with a full audit log of actions taken, along with actual independent auditors randomly pulling logs and checking for naughtiness could work.
I dread to think of the bureaucracy overhead involved though - I suspect it would probably end up increasing staff headcount several-fold.
[1] https://en.wikipedia.org/wiki/Two-man_rule
Technical measures and policies can go some of the way, but I think protecting against a motivated internal attacker with some level of elevated permissions is going to be a tough thing to achieve.
Oh and everybody has to work with a partner so the work output of our remaining workforce is halved.
Idiots.
If anything it stands there will be a higher concentration of work and monies given to the immune likes of Booz Allen Hamilton.
I'm entirely willing to believe it is CYA - based on my experience working classified programs practically all security procedures are CYA: Provably follow the checklist and you won't get fired if something goes wrong. Don't worry that the checklist is full of holes like swiss cheese, the checklist is more important than actual security.
Yes, most people will just go along and do whatever they are told - even if they are told to hurt or kill people. Very few people will resist if they perceive someone else as being in control and bearing the responsibility. BUT there is an exception to this. Once ONE person decides to rebel and refuses, it spreads like wildfire.
If Snowden had had to work with a team of a dozen people and he decided to resist their secrecy, it's most likely that the rest of the group would agree and join him. At least as likely as it is that the group will go along without question for awhile and that people like Snowden will be rare.
It's a little like pairing up soldiers when you order them to commit a war crime: refusal to obey orders will get you shot -- it raises the bar of refusal by having to convince someone else to risk their life by not taking yours.
Parsing that data will help us figure out moles and real traitors.
/sarcasm. I prefer they shut down NSA completely.
Which is more likely?
"Other security measures that Alexander has previously discussed include requiring at least two people to be present before certain data can be accessed on the agency's computer systems."
CORRECT:
Before admins or analysts view native text, a preprocessor regex substitutes innocuous synonym barium canaries for parts of speech, puncuation, possibly with Google capable proper noun recognition, places and people too. These substitution events are hashed with each specific tractable viewers, and the viewers, so informed of this preprocessor, know it, so they don't rat.
This is also `panopticonable', say this occurs only 10% of the time.
and...with theguardian.com currently:
Breaking news: US orders non-essential staff to leave consulate in Lahore, Pakistan, citing terrorist threat. More details to follow ...
you suppose whatever intercepted intel causing all these embassy closures are `tainted' with `barium' so the threat is scanning NSA's global surveillance to see what activates a hwall alert and what does not? Eg, peaking traffic volume, how to do this with a machine generated sustained random crypto-noise spike?
But I have problems believing in the existence of conspirators though. Opportunists, yes, but not conspirators. Our species blows at foresight.
So their big plan is, "if our agents can use a UI to get all the info they need, we won't need to worry about those pesky left-leaning IT types."
The amount of stupid here is unbearable!! Good luck to them when they need another feature developed.
The only recourse is better cryptography.
Encryption is now a means of making yourself a suspect. Referencing or communicating with suspects is means to make yourself a suspect.
There is no technical solution away from this.
edit: What, no rebuttal? No eloquent summary on how crypto can lead people out of this? My assertion of no technical solution has no more or no less merit than the one above. But in addition I provided reason on how crypto makes one a suspect, how associating with suspects makes one a suspect as well, a refutation of the above comment.
Let's further discussion.
Privacy is a basic human right and cannot be granted or taken away. But you need to defend it all the same.
This is a technical oriented community so I do feel the need to highlight the problem with focusing on technical solutions, let alone touting them as the only recourse. The writing so to speak was on the wall when recent exposed wrong-doings were made legal, immunity rendered with payments processed to the collaborators. Attempts at technical solutions have brought drone missiles upon Yemenis and others, Australians trapped in diplomatic buildings, valiant whistle-blowers imprisoned/deposed to Russia, data researchers jailed for gazing upon contractor information[1].
There is no technical solution to this. Technical solutions are getting people killed, renditioned, deposed, hunted, prosecuted, tracked, analyzed. Enough with the technical solutions already.
[1] http://motherboard.vice.com/blog/the-doj-is-suing-barrett-br...
LOL!!! In their eyes, we are total morons.