Slashdot Mirror
It's Time To Split Up NSA Between Spooks and Geeks
Hugh Pickens writes "Noah Shachtman writes in Wired that most of us know the National Security Agency as the supersecret spook shop that allegedly slurped up our email and phone calls after the September 11 attacks, but not so many know that the NSA is actually home to two different agencies under one roof: the signals-intelligence directorate, who can tap into any electronic communication, and the information-assurance directorate, the cybersecurity nerds who make sure our government's computers and telecommunications systems are hacker- and eavesdropper-free. 'The problem is, their goals are often in opposition,' writes Shachtman. 'One team wants to exploit software holes; the other wants to repair them.' Users want to know that Google is safeguarding their data and privacy. The trouble is that when Google calls the NSA, everyone watching sees it as a package deal. Google wants geeks, but it runs the risk of getting spies, too."
Hats of all colors welcome!
Aren't they smart enough and rich enough to hire their own geeks? SIGINT is the main job of NSA, period. If you want to hire the wolf to guard the hen house, you take the consequences.
How about a moderation of -1 pedantic.
How can one side do their job if the other doesn't point out the exploit?
I feel the same about AV software. If the big AV companies don't have at least a few virus/worm writers on the payroll, how else do they know if their defense software is any good?*
*Less assume for a moment that AV software is somewhat decent.
"There is no real right or wrong, just what the majority accepts at the time."
Okay, so TFA is arguing that creating a new agency 'that didn’t include the spooks would' avoid conflict and bring about 'acceptance across the government and the private sector'.
But right in the beginning, it says '[Google] wants geeks, but it runs the risk of getting spies' when it contacts the NSA.
If there is no guarantee that Google doesn't end up getting spooks from the NSA, who can say this new agency won't have spooks in there from the NSA?
Am I missing something here, or is there some magical reason why this new agency won't have spooks embedded there, and it should be trusted any more than the NSA?
'If Christ had tweeted the sermon on the mount, it might have lasted until nightfall.' - John Perry Barlow
How exactly will splitting the NSA fix this? It's a government agency. If the government wants to give you spies, you get spies. Doesn't matter which 3-letter acronym organization they get their paychecks from.
Who do you think comes up with the technology to crack encryption of intercept signals?
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
'Tension normally results in balance.'
... and equally commonly in a broken spring.
Great minds think alike; fools seldom differ.
We do not need yet another federal agency. Splitting them in two will only result in two bigger agencies with an ever ravenous appetite for more tax funds.
One of the worst things Bush did post 9/11 was creating the spate of new federal agencies. Can anyone say that their flying experience is actually better after TSA was created? Anyone?
How much good did creating yet another layer of intelligence bureaucracy do us? Did intelligence get any better after we made the Director of Central Intelligence obsolete by creating a Director of National Intelligence? Not one damn whit. It just grew the federal payroll some more, and added more bloat and bureaucracy.
Vital intelligence work needs to be done, but we need to be trimming down these agencies, not creating new ones.
Life is hard, and the world is cruel
Keeping our systems secure, and breaking into the other guys' systems, are damn near the same job. It is a good thing to have the people responsible for both working together, and maybe trading jobs occasionally. There is no American computer security and Russian computer security and Chinese computer security: there is only computer security, and systems which are more or less secure. The NSA has historically been about the only government agency that really seems to get this, and it would be a real mistake to break it up.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
and you can't have Red Hat without a subscription (well support at least).
The teachers will crack any minute, purple monkey dishwasher.
This is old info, but NSA used to have a big internal division - the important stuff was at Fort Meade, and the less important stuff was at "FANX", the "Friendship Annex" (out near Friendship Airport, now called Baltimore Washington International). Support functions like personnel were at FANX, and still are.
Computer security was at FANX. Which was a problem. Being banished to FANX was bad for your career. The top NSA people didn't go to the computer security side of the house. So computer security languished for years.
All this was back when the USSR was the enemy, and NSA has changed a lot since then. But they still have Fort Meade and FANX, and less important stuff is still at FANX.
For a while, in the 1980s and 1990s, NSA did do serious computer security evaluations. Industry hated it, because products could fail. The original policy was that a company could submit products for evaluation by NSA. In the first round of evaluation, the NSA people told the company what was wrong, and gave them a chance to fix it. The second round was pass/fail; if NSA could break into it, it failed. There was no third round. Some highly secure systems did pass the tests, but they were not mainstream systems.
The process is now more "industry friendly". Evaluations are made by outside labs, paid by the companies being evaluated. Companies can keep trying over and over until they pass. Failures are not publicized. There are versions of Windows that have passed some level of Common Criteria testing.
The "geeks and spies" division in the article is bogus. NSA is all geeks. (Mostly the middle-aged federal employee version thereof.) It's buildings full of people working at desks. There are no "NSA agents". The spies and the guys with guns are at CIA, FBI, DIA, and in the intelligence units of the armed services.
Um, internal security is a function of the FBI not the NSA - the NSA's job is to gather [electronic, CIA and DIA deal with humInt] on other governments/organizations. It is the FBI's job to investigate domestic ends of these sorts of things and for that, we have warrants, etc. to ensure liberty.
The entire idea behind the NSA isn't to spy on Americans. It's to spy on EVERYONE. They spend a fortune monitoring all they can on just about every country on the planet.
Who ever said that was the entire idea behind the NSA? You do realize that the NSA spies on other countries as well? Just ban them from listening in on Americans, as an official policy, and don't worry about it.
Besides, it's not like disbanding the NSA would actually do anything. There is a reason people say NSA stands for No Such Agency...
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
Just ban them from listening in on Americans, as an official policy, and don't worry about it.
The NSA's policy notwithstanding, isn't it actually against the law for them to gather intelligence domestically? I know, I know, here I go with my pre-9/11 thinking again.
sic transit gloria mundi
I don't see where "the American people need to be spied on" is part of their mission, in fact they've done some pretty major work like SElinux to keep Americans from being spied on, by anybody. If you don't like what the NSA is doing, write your congressman and have him change the laws.
Apocalypse Cancelled, Sorry, No Ticket Refunds
But who watches the watchers? Who ensures the NSA does not conduct warrantless tapping? The Attorney General?
You wouldn't actually do it, you'd just tell people you'd done it and hope some of them are gullible enough to fall for it.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Just ban them from listening in on Americans, as an official policy, and don't worry about it.
I'm sorry but that's purely wishful thinking on your part.
In 1976, the Church Committee reports found NSA obtained copies of millions of private telegrams sent from, to or through the United States in its SHAMROCK program.
On August 17, 2006, District Court Judge Anna Diggs Taylor ruled in ACLU v. NSA that NSA violated the First and Fourth amendment by warrantless tapping American citizens in the aftermath of 9/11.
In April 2009, intelligence officials admits that NSA had been engaged in “overcollection” of domestic communications of Americans. In one extreme case they even wiretapped a congressmen while he was overseas.
Please note that I am not wearing tinfoil hats and all my sources came from either from Congressional hearings or court rulings.
Splitting the two seems like an unfortunate way to let otherwise socially responsible geeks do morally questionable things. Keep the two groups together. Let them be totally aware that they are spies and there is a heavy price for deception and living a lie.
"Eve of Destruction", it's not just for old hippies anymore...
I'm not sure having a PhD in math grants expertise in computer and network security.
It doesn't but you're going to find a pretty heavy correlation between the two. Someone good in math is far more likely than average to have or be able to develop expertise in any given use of computers. The skill sets are different but the skills do overlap to a non-trivial degree. I'm sure a PhD is not required to work in computer security at the NSA but I also suspect they have more PhDs in that role than most employers. Just a guess I'll admit but it seems likely.
My guess is their expertise is used largely in encryption efforts.
I think you are probably correct.
I really see no evidence that the NSA has scooped up the smartest math PhDs.
Certainly they have no monopoly on smarts. Academia, private industry, finance, NASA and others employers unquestionably have a big share. The only safe thing to say is that the NSA apparently has a goodly number of very bright individuals working there. What portion of the talent pool they have is something that I'm sure is heavily classified if anyone even knows.
And how about SIGHUP?
It all depends on what level of Common Criteria evaluation you are talking about. At the higher levels, there is a lab authorized to conduct a product inspection and, once you pass that test, you get a medium level NIAP certificate. If you wish a higher level of CC approval in the US, after this original process NSA itself takes control and does its tests. So the process is still a two step process with NSA involvement...or was about 4 years ago when I was involved in taking an "Orange Book" product through CC evaluation.
I don't deny any of it. All I'm saying is that "disbanding" the NSA won't stop any of it. They'll just change their name and set up shop completely secretly, just like before.
Really? You consider that an extreme case? If anyone needs to be wiretapped it's the corrupt US politicians who are responsible for all of this, and if wire-tapping should be occurring anywhere, it should be occurring outside the country...
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
Mate, Government Rule Number 1: It's only against the law if you get caught, and there's proof.
Um, sorry to point this out to you, but you run the risk of getting spies by contracting with just a "geek-only" NSA or contracting overseas with other countries.
As the wars in Iraq & Afghanistan are winding down the government "especially the republican party" sees the need for a new war. What better way to grease up lucrative contracts between the U.S gov & it's most successful companies than a "cyber" war. The Google breach is clearly an intel/political issue. The technical aspects are minimal & we all knew that great firewall compromised any chance of IT security there yet the story is portrayed as a technical one. Oh my! google was hacked by the chinese. They must need technical government support. Rarely is the story portrayed simply as an international policy issue. It's war I tell you & the economy loves a good fight.
This is only part of cover story on Chinese vs. Google fiasco.
Obviously, Chinese used earlier Google "teaming up" with NSA as part of action pretext, and now someone is wrapping up things. That was not so, it is this, and so on. A bit oblique, but it must be...
Too bad Chinese won't buy it.
One possibility is - they already "did". And stories like these are to cover tracks when both Google and Chinese pull their moves back.
http://opencm3.net, http://www.nongnu.org/gm2/
doesn't mean they won't cooperate (e.g. State Department/CIA).
"from" the United States: foreign
"to" the United States: foreign
"through" the United States: foreign
(the missing possibility is "within")
Wouldn't it just be easier to abolish the NSA?
Don't blame me, I didn't vote for either of them!
The NSA's policy notwithstanding, isn't it actually against the law for them to gather intelligence domestically? I know, I know, here I go with my pre-9/11 thinking again.
They've been spying on Americans for decades now. The Patriot Act just legitimized it.
'Political power grows out of the barrel of a gun.' - Mao Tse-tung
Observing this interplay between the two separate groups is the only way to reliably oversee and glean reliable data that either or both are not compromised, or "rooted." It's a brilliant solution. Be glad they implemented it. The next obvious question is, how do they have the oversight mechanisms kept secret and in redundancy? They'd have to be pretty much 100% passive.
The NSA has no business existing. Shut down the agency. Secret government agencies have no place operating in an open, free democracy.
Software is engineering. Cryptography is research.
This is my sig.
We don't know all of what the NSA does, what it spends, how often it succeeds/fails (or even what that means). Nobody is measuring the NSA for cost/effectiveness. One of the few things we _do_ know about the NSA is that some of the shit they pull violates U.S. citizens' constitutional rights.
What we should do is shitcan the current NSA and start over again. But this time build something that is monitored to ensure that, whatever it does, it does that effectively.
Of course the same could be said about the CIA, FBI and hundreds of other government agencies. But we spend so much more on the NSA. It is a true budgetary black hole.
I don't like Noah Shachtman or his work. I last thought about him when he wrote something about Los Alamos, NM, which I know well. His article was misleading and had a misplaced sense of excitement and drama. At the time, I checked out some of his other work and found that it was similar.
I put him in with Dvorak. I ignore what he says.
How are they in opposition? Isn't the aim to exploit the ones in their systems, and plug the holes in ours.
At the bottom of the
Actually, Congress has oversight of NSA. Select committees are briefed on what they do and how the money is being budgeted. What you are complaining about is that you are out of the loop. If Congress wanted you to be in the loop, you'd be in the loop. The same can be said for the CIA, FBI, but I doubt there are hundreds of these other government agencies you apparently believe to exist. But then people believe in UFOs too.
Shitcanning the NSA and starting over would create....the NSA. Of course, you'd lose all the employees and institutional memory, they'd be starting from scratch which would be a huge waste of money. You still wouldn't get NSA memos because broadcasting what the NSA knows about foreign terrorists can be used by foreign terrorists. Only part of Congress would be kept in the loop because it is too large and political to expect it could keep secrets. So your congress-critter would most likely not get the memos. There would be few committees that would provide oversight and we'd have what we have now.
The NSA isn't cost-effective and it's a wasteful duplication of effort by other agencies: we don't need to spend trillions on electronic monitoring. We need feet on the ground in enemy territory. That isn't the NSA's domain.
It looks like the Americans want to split up The NSA to make the Google-NSA relationship look less evil.
Security Nerd.