Slashdot Mirror


Why the NSA Can't Replace 90% of Its System Administrators

An anonymous reader writes "Curious about the recently proposed NSA cuts, Courtney Nash explores a few myths about systems automation: 'In the aftermath of Edward Snowden's revelations about NSA's domestic surveillance activities, the NSA has recently announced that they plan to get rid of 90% of their system administrators via software automation in order to "improve security." So far, I've mostly seen this piece of news reported and commented on straightforwardly. But it simply doesn't add up. Either the NSA has a monumental (yet not necessarily surprising) level of bureaucratic bloat that they could feasibly cut that amount of staff regardless of automation, or they are simply going to be less effective once they've reduced their staff.'"

  1. change of title? are all IT system administrators by Joe_Dragon · · Score: 2

    change of title? are all IT workers called system administrators? do all IT workers, say, do stuff maybe 1-2 times a week that classes them as a system administrator? maybe with more automation then that 1-2 times a week can go away?

  2. This is a message by ADRA · · Score: 2

    This comment has been generated by obligatory troll-bot 10000, an innovation of Huawei and your local NSA front. Have a nice day.

    --
    Bye!
  3. Outsource to China by Anonymous Coward · · Score: 5, Funny

    Maybe instead of cutting staff numbers they can just outsource the administrators to China?

    1. Re:Outsource to China by plopez · · Score: 2

      Even better, fire 90% of sysadmins then give the rest of the employees admin access. The problem of sysadmins is now solved...

      --
      putting the 'B' in LGBTQ+
    2. Re:Outsource to China by Culture20 · · Score: 2

      I know you're joking, but the Great Firewall will prevent the NSA secrets from reaching the American citizenry, which is all the NSA cares about these days.

  4. They seem to have a strategy by cold+fjord · · Score: 5, Informative

    Apparently they look for clues to organizations that have solved similar problems.

    NSA Boosting Automation in Wake of Snowden Leaks

    The agency has created a private cloud using OpenStack, a Web standard developed by NASA and Rackspace Hosting Inc. Analysts say this lets the NSA run its IT operations in a way that more closely mirrors that of Amazon.com Inc. or Google Inc. Previously, it took weeks or months for employees at NSA to get access to computing resources, said Nathanael Burton, a computer scientist speaking at the OpenStack Summit in Portland in June. The private cloud “let us grow to a scale that a very small team of 12 to 15 people could manage,” he said.

    “We’ve transformed the NSA and over the next few months we’re going to be working with the larger intelligence community to roll out our OpenStack system across the entire intelligence community,” said Mr. Burton in a video of the conference. The NSA did not respond to requests for comment.

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    1. Re:They seem to have a strategy by Zontar+The+Mindless · · Score: 2

      That whooshed right past you, didn't it?

      --
      Il n'y a pas de Planet B.
  5. We know nothing by Chuckstar · · Score: 3, Interesting

    Since "anonymous reader" isn't in a position to know anything about how the NSA's systems are set up, what these administrators exactly do, who has/needs administrator privileges vs. who could do their jobs with reduced privileges, etc., etc., then isn't this discussion even more of a waste of time than usual on slashdot?

    1. Re:We know nothing by Anonymous Coward · · Score: 2, Insightful

      > then isn't this discussion even more of a waste of time than usual on slashdot?

      Law of headlines... no. It's probably about the same amount of time wasted.

  6. the bright side by roc97007 · · Score: 5, Insightful

    > or they are simply going to be less effective once they've reduced their staff.

    Which wouldn't be such a terrible thing.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:the bright side by roc97007 · · Score: 2

      > Will be. They will still be collecting everyone's information, but as with less staff could be less secure, and an external intrusion there will mean that even more people with bad intentions will be able to access your information, or get 0day vulnerabilities right from the source, or use the backdoored (by them) systems in all the world to do a test drive of the attack the NSA is preparing.

      Point to you. I would reply that, perhaps I'm being too optimistic, but I'd like to think that such occurrences would serve to further discredit the NSA, making it more likely that such information gathering and intentional security breaches (backdooring being essentially that) would be curtailed. So, short run, sucks, but long run, better.

      The idea being, people who can't be trusted with security, should have security taken away from them.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  7. I'd be far more worried.... by Anonymous Coward · · Score: 5, Insightful

    The worst thing you can do with a person in a privileged access position is tell that person substantially in advance that they have a 90% chance of being made redundant. The overwhelming majority of people are reasonable, rational and won't do anything - but when you have such a large set of people - some won't be so amenable to being pushed out the door.

    In short, I'd be surprised if they haven't created a small army of potential Edward Snowdens through this. Wherever I've worked, if we made a system administrator redundant we'd have disabled their account before they were told and then broke it to them - even if it was under consideration, we'd send them home with pay for the duration - it's just common sense.

    -SG

  8. Only one thing is for sure... by bill_mcgonigle · · Score: 5, Insightful

    ... 100% of potential leakers are now 90% sure that they're going to lose their job anyway.

    Carry on, NSA.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:Only one thing is for sure... by bill_mcgonigle · · Score: 4, Insightful

      > also denigrating the character of System Administrators as a class, that they would betray their country over a job

      Quite the opposite - they appear more likely than typical to betray their job for their country.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Only one thing is for sure... by fustakrakich · · Score: 2

      > ...that they would betray their country...

      "If you see something, say something." Failing to report a crime can get a guy in trouble...

      --
      “He’s not deformed, he’s just drunk!”
  9. Re:The NSA has technology beyond the ken of mortal by gl4ss · · Score: 2

    source for that f-22 shitniz? 'cause I call bullshit OR it's very creative definition for a commercial processor. blackbird wasn't ahead in "physics", rather it was and still is a milestone in _manufacturing_(titanium).

    but yes, it is far fetched to "thing" that nsa has an AI, since they don't seem to have even a HI. they just said they're cutting down on system admins to get the senate off their backs since what the NSA actually is... is that it is a MASSIVE money pump to private hands(for people who skim the contractor wages).

    --
    world was created 5 seconds before this post as it is.
  10. Re:outsource to F*** Up and give up control of dat by Zontar+The+Mindless · · Score: 5, Insightful

    Hello? Have you had your sarcasm detector surgically removed?

    And please don't do that fucking boneheaded bit with the fucking asterisks. If you're really fucking old enough to say "fuck" and that's what you fucking mean, then fucking say "fuck", already. Otherwise, just fucking use a different fucking word.

    --
    Il n'y a pas de Planet B.
  11. Re:replace Windoze with Linux by Anonymous Coward · · Score: 2, Insightful

    You're joking, right? It's a way to reduce the amount of money you give to MS, but increase the number of admins you have, or increase the pay of your admins.

  12. Re:replace Windoze with Linux by hawguy · · Score: 4, Interesting

    > That's one way to reduce the number of sysadmins effectively.

    I don't think that's true in an enterprise environment with thousands of servers.

    In my experience, it takes a larger installation to justify the team size for a well run Windows Server installation (to administer all of the Microsoft System Center components (SCCM, SCOM, etc)), but once that investment in management tool configuration is done, then administering large numbers of Windows Servers doesn't really take more people than administering large numbers of Linux servers. Like most MS Enterprise products, the MSC components can be complicated to configure and take a certain amount of dedicated resource to configure and use them well.

    The same scalability may not hold true once you get to Google Scale with a million servers to manage, since at that point you can justify spending a lot more resource on writing custom management and support tools even down to customizing kernels if you want to.

    In a small shop where you may have a few dozen servers, then you may find the MSC tools to be overkill and not worth the effort to set them up well so Linux can be simpler and easier to administer.

  13. Better be careful posting that stuff by mysidia · · Score: 4, Funny

    Don't you dare try to get rid of 90% of system admins.

    Better back off, or I will replace your management team with a 5 line shell script, and sell it to Obama as a way of demonstrating that he is serious about more efficient government.

  14. Re:SPOILER ALERT by ganjadude · · Score: 2

    You stop at the DoD??? pfft, the same could be said of ALL federal employees. We could cut the federal government by 90% overnight and the vast majority of Americans would not even feel a bee sting out of it. Plain and simple the federal government is supposed to be small, the states are supposed to be the ones with the power. Sometime about 100 years ago (some would argue the progressive movement) things changed and we started giving the federal government more power. First alcohol prohibition (which at least they had the decency to amend the constitution vs what they do these days and just claim power) and so on and so on. To be fair I'm sure someone will come out with previous abuses by the federal government, for example Jefferson overstepped when he made the LA purchase, but I'd say it was between 1915 and 1945 that the country radically changed, and not for the better. Well, maybe for the short term but not long term.

    --
    have you seen my sig? there are many others like it but none that are the same
  15. Offshored, of course! by sgt_doom · · Score: 2

    Like everything else, they will simply offshore all those sysadmin jobs to India, China, Vietnam and Russia, of course, which is what they normally do, you douchetards!

  16. That makes a great sound bite by You+Don't+Know+Me · · Score: 2

    and in the spirit of pointy-haired bosses everywhere it means little. The administration is going to squeeze whatever good press they can garner from the comment and then do nothing. Oh, wait, there will be a panel of learned IT staff, then a study group, then a plan-for-a-plan group, then a project planning group then a phase I project and then, wait for it, a cut in funding that cancels the project.

  17. Re:replace Windoze with Linux by cheater512 · · Score: 2, Insightful

    Not really increase the number of admins, but I'll give you the last bit about having to pay more.

    "Oh no we now have to employ competent people and they want reasonable wages!!!!!"

    The only reason why there are as many Windows servers out there as there are is because a cheap IT graduate without a clue can blunder their way through it and eventually get the job done. It's not because they are manned by efficient admins who understand the system well.

  18. Re:And you know what? by lightknight · · Score: 2

    I'd be more happy with them returning to their original mission, and understanding that destroying the Constitution to save the Constitution is not a valid option.

    --
    I am John Hurt.
  19. Re:replace Windoze with Linux by dbIII · · Score: 2

    > I don't think that's true in an enterprise environment with thousands of servers.

    No, it is very true in exactly that environment - you don't need a lot of people to run clusters full of a lot of very similar nodes.
    In slightly smaller situations where every machine is its own unique little snowflake you may not get that, but at huge scales it has been demonstrated to be true almost universally.

  20. Re:SPOILER ALERT by colinrichardday · · Score: 2, Insightful

    > Plain and simple the federal government is supposed to be small, the states are supposed to be the ones with the power.

    And who is supposing this? Also, people might have had more sympathy for States' Rights if states didn't use them to oppress people.

  21. Re:replace Windoze with Linux by Anonymous Coward · · Score: 3, Insightful

    > That's one way to reduce the number of sysadmins effectively.

    > I don't think that's true in an enterprise environment with thousands of servers.

    > In my experience, it takes a larger installation to justify the team size for a well run Windows Server installation (to administer all of the Microsoft System Center components (SCCM, SCOM, etc)), but once that investment in management tool configuration is done, then administering large numbers of Windows Servers doesn't really take more people than administering large numbers of Linux servers. Like most MS Enterprise products, the MSC components can be complicated to configure and take a certain amount of dedicated resource to configure and use them well.

    > The same scalability may not hold true once you get to Google Scale with a million servers to manage, since at that point you can justify spending a lot more resource on writing custom management and support tools even down to customizing kernels if you want to.

    > In a small shop where you may have a few dozen servers, then you may find the MSC tools to be overkill and not worth the effort to set them up well so Linux can be simpler and easier to administer.

    I think people claim Linux needs fewer admins because it has a history of baling twine and bubblegum configuration management with rsync and ssh-while-loops...

    At around 3-400 servers we implemented Puppet and MCollective with some in-house plugins. Now that I know it well, I seriously wouldn't run ten servers without it.
    There isn't anything really special about Linux that enables these tools to work, and I actually think the Windows Puppet agent gets off easy with NT services vs. init scripts with sketchy status commands, registry vs hundreds of different config syntaxes, and so on.

    So anyway, when I see someone brag about Linux needing fewer admins, I take it the same way as someone saying they get better gas mileage by turning the AC off and rolling the windows down... I guess if you tolerate that you can spend less on a car. Whoopie...

  22. Re:replace Windoze with Linux by Anonymous Coward · · Score: 4, Informative

    > Windows server management is much more SysAdmin intensive than Linux server management. Most Linux Boxes are "fire and forget" after they have been configured. Windows boxes decay quickly, and need a great deal more upkeep from the SysAdmin.

    Why do you think that? Sure, unskilled Windows Admins have to fiddle with it relatively often, but not good Windows admins. I have a couple of SAP, Exchange and other Windows servers I have to manage. They don't require any more babysitting than any of the linux boxes do. They're all VMs on Hyper V or Xen or ESX and I worry more about patching the host firmware than anything else.

    I choose to check up on them, and verify that backups are really restorable, etc, but in terms of HAVING to manually manage them? Not this year. And I do it all with built in tools, no "enterprise" level management either. Just bandwidth, scheduling and lots of disk space and scripts.

  23. Re:replace Windoze with Linux by Sycraft-fu · · Score: 4, Insightful

    Ya I have to say at my work at least the Linux servers are certainly NOT easier than the Windows servers to administer. The Linux lead spends a lot of time dicking around in the command line messing with scripts and settings to get everything working and managed nice. It works, don't get me wrong, we have a functional setup and process, but this idea that it is somehow easy and magic is false and speaks to a lack of experience.

    When I see someone who proposes something like "replace Windoze (lol I totally stuck it to Microsoft misspelling their software!) with Linux" as a magic fix for needing less people in a big enterprise to me it says this is someone who has installed Linux on their desktop, and maybe a personal web server, and somehow thinks that means they know all about enterprise administration. They figure what is true for them must be true for 50,000 systems. I mean after all, the fact that they had Windows crash on them one time clearly means it is unstable and unsupportable!

    Windows does a lot right for the enterprise. Their authentication service is really good. AD really does the trick for managing a large collection of systems and users. We use it as the backend for everything, Windows, Linux and Mac and yes, we've tried it other ways (we used to do Sun LDAP and IDsync as the backend, what a nightmare to make work). Anyone who says Microsoft doesn't have good tools for large scale management is really just saying they don't have experience in a large scale setting with Windows and other OSes.

    Also that suggestion is funny, given that the NSA likes and uses Linux for a number of things. You might want to look up who gave us SELinux (hint: the NSA). Ever wonder why it has such paranoid, granular, control if you want it? That's why.

  24. Re:Well... by Culture20 · · Score: 2

    > To be fair when your work force is made up of a lot of computer scientists, cryptographers, mathematicians, etc you could probably turn over some responsibility for administration to the workforce without losing much.

    HA HA HA HA HA!
    Hoo.
    Competence with algorithms does not carry over into competence with administering systems (which is equal parts programming, psychology, resource management, customer service, and arcane lore).

  25. Re:replace Windoze with Linux by KingMotley · · Score: 4, Interesting

    Another way is to completely scrap the computer systems and go back to paper. It is a lot harder to get a hold of 500,000 classified documents and walk out of the office with them. I think it'd get flagged if Mr. Manning all of a sudden was at the photo copier 24x7 for a few weeks.

  26. Re:SPOILER ALERT by Attila+Dimedici · · Score: 2

    Actually, I would bet that it is Option A AND Option B. This is a government agency we are talking about. They are perfectly capable of having a monumental level of bureaucratic bloat and firing all of their competent people in the effort to reduce it.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  27. Re:Laying off Americans, hiring Bangladeshi ? by myowntrueself · · Score: 5, Funny

    > Perhaps NSA is not kidding

    > Perhaps they will just go ahead and lay off 90% of their admins, who are American citizens

    > And then, they will hire admins from Bangladesh as replacement

    > NSA doesn't need to be troubled by admins who are American citizens who understand the concept of Liberty, Human Rights, and Democracy - they can hire replacement admins from 4th world countries where nobody cares about any of those "Western Luxuries"

    Actually this is a good point. If the sysadmins are not American citizens and are not based in America then the NSA can legally spy on them with no problems.

    So yeah NSA outsourcing system administration to India might be a winner!

    --
    In the free world the media isn't government run; the government is media run.
  28. Wut? by PPH · · Score: 2

    > Albert Einstein did all the hard stuff when it came to the atom bomb.

    Einstein didn't do diddly with the atom bomb besides help persuade Roosevelt to get out ahead of the Germans in developing one.

    --
    Have gnu, will travel.
  29. Re: Laying off Americans, hiring Bangladeshi ? by Mabhatter · · Score: 4, Insightful

    SILLY RABBIT!

    The NSA will just set up shop in Dubai, with their other Halliburton friends... They will import labor that can barely speak English, and with Dubai's labor laws they can literally padlock the employees to the desks.

    Manning and Snowden both prove anybody not an "Inquisitor" for the team is a liability to the cause. They consider themselves OUTSIDE the law, don't expect them to learn the lessons we think they should.

  30. Re:Laying off Americans, hiring Bangladeshi ? by Anonymous Coward · · Score: 2, Informative

    Nicest dude I've ever met in my life is from Bangladesh. On his behalf I am respectfully informing you and anyone who bothers to read this that Bangladesh is not India. They are two separate countries. They are close to each other, but they are different countries. As you're here I know you're too proud to be comfortable with being incorrect on technical subjects, so I apologize for telling you you're wrong.

    Be well, my friend.

  31. NSA disbanding itself? by Z00L00K · · Score: 2

    Seems to me that in order to succeed the NSA has to disband itself.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  32. Re:replace Windoze with Linux by Anne+Thwacks · · Score: 2

    You might want to google Amanda.

    --
    Sent from my ASR33 using ASCII
  33. Larger installation by dutchwhizzman · · Score: 2

    The problem with the NSA is, they think they can see all their systems as "a larger installation" and as such, automation would work. By connecting all their systems into one "larger installation" they are effectively putting all their data in a single place. That's something you really don't want to do. Before you know it, someone tasked with migrating the data to a newer instance of "a larger installation" makes a copy of it and runs off to Hong Kong with it.

    By giving "everyone" access to the Business Intelligence systems you have set up on your data pools, the chance that someone will abuse it, will grow exponentially. By not giving anyone access, there is no use for these systems.

    The only way to prevent people from running off with any significant amount of information is to keep that information out of their reach. This means you will need a lot of isolated installations and people tasked to do just a few things. Even if they go rogue, the damage is contained to the information they were able to access, not the motherlode. In practice, this means you'll need a lot of "system administrators" doing lots of "manual tasks" that could easily be automated if there would be enough scale for it to make it worthwhile. The NSA wants their cake and eat it too, but they'll keep on moving the risk, not removing it.

    --
    I was promised a flying car. Where is my flying car?
  34. Re:change of title? are all IT system administrato by aaaaaaargh! · · Score: 4, Insightful

    My guess is a change of title, too.

    I don't understand why the news and journals report what the NSA announces. For a long time this agency didn't even exist officially. They are allowed and expected to lie about absolutely everything, there are not even reliable records on how many people they employ. Their official statements are and have always been deliberate bullshit and disinformation. It's pointless to take into account anything they say about themselves at all.

  35. Re:Laying off Americans, hiring Bangladeshi ? by Chrisq · · Score: 4, Funny

    > Perhaps NSA is not kidding

    > Perhaps they will just go ahead and lay off 90% of their admins, who are American citizens

    > And then, they will hire admins from Bangladesh as replacement

    > NSA doesn't need to be troubled by admins who are American citizens who understand the concept of Liberty, Human Rights, and Democracy - they can hire replacement admins from 4th world countries where nobody cares about any of those "Western Luxuries"

    > Actually this is a good point. If the sysadmins are not American citizens and are not based in America then the NSA can legally spy on them with no problems.

    > So yeah NSA outsourcing system administration to India might be a winner!

    Pakistan would be even better, then if any of them cause problems they can just send in a drone

  36. Re:replace Windoze with Linux by TapeCutter · · Score: 2

    Let me know when puppet allows me to login to a Windows server and type "yum install exchange-server" :)

    The job of a sys-admin is ultimately to avoid manually typing in commands. At least that's how I run my windows build boxes ;)

    --
    And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
  37. Re:replace Windoze with Linux by minstrelmike · · Score: 2

    Uhhhhhh no. The job of a sysadmin is _not_ to avoid typing in commands.
    expletives deleted
    The job of a sysadmin is to administer the system performance in a cost-effective manner. Sheesh.
    That's like saying the job of a programmer is to avoid typing but instead choose commands from a dropdown list.
    Do not confuse process with result. The job of a programmer is to provide a working program that does what it is supposed to do.

    Reminds me of the Windows sysadmin who complained about how long it took for our Linux servers to boot up after a catastrophic failure of the server room.
    I reminded her that we only ever reboot when we're forced to so the five minutes it takes is irrelevant.
    by the way, we had 8 servers and one sysadmin and one dba (me).
    They had 12 servers and 12 sysadmins and a lot less functionality.