NSA and the Pandora’s box of surveillance

blogs.reuters.com

60 points by ewheeler 13 years ago · 22 comments

unreal37 13 years ago

A pretty good article on the response of the NSA.

"We've changed the passwords." Excellent job boys, you deserve a raise. And two-person requirements to access the data? Yeah, that will take 5 years to develop, cost $2 billion, and never really work.

There must be thousands of people who knew this system existed. You can't keep that secret forever, Top Secret clearance or not.

What if the next "national traitor" uses his Top Secret clearance to use that data stream to his own financial benefit? Blackmailing senators on their affairs, or exacting revenge on targets given to him by outside crime bosses.

Maybe I watch too many movies... But for every good guy like Snowden, there is a bad guy.

  • fnordfnordfnord 13 years ago

    How many times has it happened already that we're unaware of? I think it's safe to assume that there wouldn't have been any public hearings on that. It is terrifying enough to imagine all of the ways for the NSA to abuse their power/capabilities for their own purposes. It is a whole other kind of terrifying to contemplate the notion that the NSA's capabilities are in the hands of bumbling idiots.

  • mpyne 13 years ago

    The problem that the article author doesn't mention is that trust is itself a heinously difficult problem.

    The NSA knew a lot about AQ prior to 9/11. They had intel that could have prevented the USS Cole bombing. If they had worked together better with FBI and CIA prior to 9/11 that attack likely could have been averted as well.

    That's the reason no General got fired for Manning. Congress themselves foisted the much-closer integration of intel community elements to prevent another 9/11. Instead of agency in-fighting there would be close cooperation. The analysts doing the actual intel work would no longer have barricades placed in the way of doing their jobs.

    Manning betrayed that trust. That alone should have been enough for NSA to change their own internal information security controls so there is definitely more recrimination that should follow (if it hasn't already)... but at the end of the day you can't get around the fact that the less you trust your employees to do their jobs, the more difficult it becomes to do the job at all.

  • ihsw 13 years ago

    > What if the next "national traitor" uses his Top Secret clearance to use that data stream to his own financial benefit?

    Who's to say this hasn't already happened? I wouldn't put it past the 'Gang of Eight'[1] to use the NSA as a means to maintain their seat in power by quashing opposition, especially since it's been widely reported that the thorough congressional oversight has as many holes as Swiss cheese.

    [1] http://en.wikipedia.org/wiki/Gang_of_Eight_(intelligence)

  • alan_cx 13 years ago

    Hmmm, blackmail.... could be the way to go. Strong word, but, negotiating from a position of power?

    My presumption is that the politicians are playing this down because of perhaps the information the NSA has on them. I assume the power is in the web of information people have on each other. So, a balance is maintained, or something like that. Well, going public seems ineffective. It seems these people have games to play to mitigate the damage caused by public disclosure. You know, divide up the issue, make it black and white, make it about traitors and good guys, and so on. So, maybe the next person who feels a tug of conscience might decide: OK, I have all this info, I can either release it to the voters, who will no doubt be manipulated, or I can bowl up to a few senators and use the information to make them force change, like the system already seems to.

    Makes me think of the end of Clear and Present Danger, where Ryan has some information that could kill off the presidency. The President points out that what he actually has in his hand is a chip which he can play in the halls of power. Perhaps Bradley and Snowden had it wrong. Perhaps they should have played their chips?

    Dunno. Is that how it should work? Play them according to their rules? Forget the whole honest, open and decent thing, and get secretly, politically dirty? Do deals under the table? Get change that way?

    I really don't like the idea of that at all, but it seems that anything decent and honest is easily disposed of as a matter of routine.

    • rfugger 13 years ago

      If anyone could "negotiate from a position of power" in this situation, it would be General Alexander himself...

pkill17 13 years ago

Briefly interned (two weeks) for Booz Allen this summer. While the people I met and interacted with for that short amount of time were excellent and of good spirit, the general opinion I got was that people did not enjoy their day. Much like a traitor of a country is usually disgruntled with their homeland, I can't imagine more leaks aren't right around the corner. Tech consulting firms do not share in the amazing atmosphere of tech consumer-facing companies, and as such may be the last place for loyalty.

skwirl 13 years ago

How do we know that they haven't been?

His supervisors, by the way, are at Booz Allen, not the NSA. Although certainly the NSA has to take responsibility for the contractors it does business with.

  • ewheelerOP 13 years ago

    (original HN title was something like: if Snowden's leaks were so damaging, why aren't his NSA supervisors being fired?)

    I think we know that they haven't been because if they truly believe (as they are publicly claiming) that the leaks caused "irreversible and significant damage", then they would publicly fire anyone with any potential role in allowing such a leak to happen (read: failing to prevent it from happening). The responsibility in the chain of command goes all the way up, so in an organization like NSA the security failure cannot be blamed only on Snowden.

  • mpyne 13 years ago

    And someone at the NSA needs to be taking responsibility for why Snowden had access to as much as he did, sysadmin or not.

    • ImprovedSilence 13 years ago

      To further the above, he was also an NSA employee prior to working for Booz Allen. And a CIA employee before that, I think....

basseq 13 years ago

Other BAH personnel and BAH corporate liability are dependent on whether there was either process negligence (e.g., Snowden's team members didn't enforce policy) or inadequate measures. One man acting alone, even within a corporate structure, doesn't implicate his co-workers or the company as a whole. (Of course, this isn't always the case in court. See also: Arthur Andersen.)

  • fnordfnordfnord 13 years ago

    A serious organization with a serious mission such as the NSA would be reckless? hapless? (a lot of very bad things) to rely on the civil courts this way for operational security. If the NSA had so little or no oversight or operational security, that's just crazy.

    • basseq 13 years ago

      Agreed: like closing the barn door after the horse has bolted.

      • fnordfnordfnord 13 years ago

        Like, these Keystone Cops don't know a damn thing about horses or barns, and should never have been trusted to look after them.

wiredfool 13 years ago

I wonder if this means that the NSA is going to fail its annual PCI audit?

  • tzs 13 years ago

    Following PCI is a contractual requirement, not a statutory requirement. If you want to do certain things with credit cards, such as accept payments using them, then you have to enter into a contract that says you'll follow PCI.

    If you have no need of any service that requires entering into such a contract, then you can completely ignore PCI.

nickodell 13 years ago

Note that the host never asks the general if anyone was fired. Perhaps someone was fired, and it didn't come up.

After all, if somebody asks why this couldn't happen again, you don't say, "We fired the guy who designed this system." You say, "We changed this, this, and this."

He talks about implementing a two-man rule, which is an excellent idea. I'm not sure how that's going to work in practice, though. Is there a way to make the linux root password composed of two passwords?

  • codyps 13 years ago

    > Is there a way to make the linux root password composed of two passwords?

    This could certainly be done via a custom PAM module. Of course, we should also consider that admins will often have physical access to the systems. I can't think up a purely technical solution to enforce the 2 man rule.
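
The two-man rule asked about above, as an added example that is not part of any comment in this thread: rather than one root password made of two halves, each operator authenticates with their own credential and access is granted only when two distinct enrolled operators both succeed. This is decision logic that a custom PAM module of the kind codyps mentions could apply; every name here is hypothetical, and as codyps notes it does nothing about physical access.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def _derive(password, salt):
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def enroll(operators):
    """Build a credential store {name: (salt, hash)} from {name: password}."""
    store = {}
    for name, password in operators.items():
        salt = os.urandom(16)
        store[name] = (salt, _derive(password, salt))
    return store


def verify(store, name, password):
    """Check one operator. Unknown names still pay the hashing cost."""
    salt, expected = store.get(name, (b"\x00" * 16, b""))
    matches = hmac.compare_digest(_derive(password, salt), expected)
    return matches and name in store


def two_person_auth(store, first, second):
    """Grant only if two *different* enrolled operators both authenticate.

    Both credentials are always checked, so a failure does not reveal
    which of the two operators supplied the wrong password.
    """
    (name1, pw1), (name2, pw2) = first, second
    ok1 = verify(store, name1, pw1)
    ok2 = verify(store, name2, pw2)
    return ok1 and ok2 and name1 != name2


if __name__ == "__main__":
    # Constructed sample operators and passwords, for illustration only.
    store = enroll({"alice": "correct horse", "bob": "battery staple"})
    print(two_person_auth(store, ("alice", "correct horse"),
                          ("bob", "battery staple")))   # two operators
    print(two_person_auth(store, ("alice", "correct horse"),
                          ("alice", "correct horse")))  # same person twice
```

Because neither operator ever learns the other's secret, one of them leaving or being compromised means re-enrolling a single credential, which a shared password split in two halves does not allow.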

codex 13 years ago

Likely nobody has been fired because the investigation is still underway.

fnordfnordfnord 13 years ago

Finally, someone other than Greenwald starts asking critical questions.

  • uptown 13 years ago

    THE critical question (in my mind) isn't whether NSA/FBI agents are listening to people's phone calls, or reading people's emails. The key question is whether all of this information is being captured and retained and available on-demand (regardless of current or future legal authority). Does the government, or any of its agencies, affiliates, contractors, or allies keep a repository containing this data available for future analysis?

    Answer that question - and answer it without linking it to "this program" because you've already said "this program doesn't authorize that" and don't link it to "this country" because you've said the laws of this country forbid that type of thing.

    Plain and simple.

    Does any representation of this information exist in any state (analog, digital, audio, waveform, transcription, encrypted, modified, converted, fucking pantomime) that differs from a layman's understanding of where their communications data resides?
