Slashdot Mirror
Why the NSA Can't Replace 90% of Its System Administrators
An anonymous reader writes "Curious about the recently purposed NSA cuts, Courtney Nash explores a few myths about systems automation 'In the aftermath of Edward Snowden's revelations about NSA's domestic surveillance activities, the NSA has recently announced that they plan to get rid of 90% of their system administrators via software automation in order to "improve security." So far, I've mostly seen this piece of news reported and commented on straightforwardly. But it simply doesn't add up. Either the NSA has a monumental (yet not necessarily surprising) level of bureaucratic bloat that they could feasibly cut that amount of staff regardless of automation, or they are simply going to be less effective once they've reduced their staff.'"
Maybe instead of cutting staff numbers they can just outsource the administrators to China?
Apparently they look for clues to organizations that have solved similar problems.
NSA Boosting Automation in Wake of Snowden Leaks
The agency has created a private cloud using OpenStack, a Web standard developed by NASA and Rackspace Hosting Inc. Analysts say this lets the NSA run its IT operations in a way that more closely mirrors that of Amazon.com Inc. or Google Inc. Previously, it took weeks or months for employees at NSA to get access to computing resources, said Nathanael Burton, a computer scientist speaking at the OpenStack Summit in Portland in June. The private cloud “let us grow to a scale that a very small team of 12 to 15 people could manage,” he said.
“We’ve transformed the NSA and over the next few months we’re going to be working with the larger intelligence community to roll out our OpenStack system across the entire intelligence community,” said Mr. Burton in a video of the conference. The NSA did not respond to requests for comment.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
> or they are simply going to be less effective once they've reduced their staff.
Which wouldn't be such a terrible thing.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
The worst thing you can do with a person in a privileged access position is tell that person substantially in advance that they have a 90% chance of being made redundant. The overwhelming majority of people are reasonable, rational and won't do anything - but when you have such a large set of people - some won't be so amenable to being pushed out the door.
In short, I'd be surprised if they haven't created a small army of potential Edward Snowden's through this. Wherever I've worked, if we made a system administrator redundant we'd have disabled their account before they were told and then broke it to them - even if it was under consideration, we'd send them home with pay for the duration - it's just common sense.
-SG
... 100% of potential leakers are now 90% sure that they're going to lose their job anyway.
Carry on, NSA.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Hello? Have you have your sarcasm detector surgically removed?
And please don't do that fucking boneheaded bit with the fucking asterisks. If you're really fucking old enough to say "fuck" and that's what you fucking mean, then fucking say "fuck", already. Otherwise, just fucking use a different fucking word.
Il n'y a pas de Planet B.
That's one way to reduce the number of sysadmins effectively.
I don't think that's true in an enterprise environment with thousands of servers.
In my experience, it takes a larger installation to justify the team size for a well run Windows Server installation (to administer all of the Microsoft System Center components (SCCM, SCOM, etc)), but once that investment in management tool configuration is done, then administering large numbers of Windows Servers doesn't really take more people than administering large numbers of Linux servers. LIke most MS Enterprise products, the MSC components can be complicated to configure and take a certain amount of dedicated resource to configure and use them well.
The same scalability may not hold true once you get to Google Scale with a million servers to manage, since at that point you can justify spending a lot more resource on writing custom management and support tools even down to customizing kernels if you want to.
In a small shop where you may have a few dozen servers, then you may find the MSC tools to be overkill and not worth the effort to set them up well so Linux can be simpler and easier to administer.
Don't you dare try to get rid 90% of system admins.
Better back off, or I will replace your management team with a 5 line shell script, and sell it to Obama as a way of demonstrating that he is serious about more efficient government.
Windows server management is much more SysAdmin intensive than Linux server management. Most Linux Boxes are "fire and forget" after they have been configured. Windows boxes decay quickly, and need a great deal more upkeep from the SysAdmin.
Why do you think that? Sure, unskilled Windows Admins have to fiddle with it relatively often, but not good Windows admins. I have a couple of SAP, Exchange and other Windows servers I have to manage. They don't require any more babysitting that any of the linux boxes do. They're all VMs on Hyper V or Xen or ESX and I worry more about patching the host firmware than anything else.
I choose to check up on them, and verify that backups are really restorable, etc, but in terms of HAVING to manully manage them? Not this year. And I do it all with built in tools, no "enterprise" level management either. Just bandwidth, scheduling and lots of disk space and scripts.
Ya I have to day at my work at least the Linux servers are certainly NOT easier than the Windows servers to administer. The Linux lead spends a lot of time dicking around in the command line messing with scripts and settings to get everything working and managed nice. It works, don't get me wrong, we have a functional setup and process, but this idea that it is somehow easy and magic is false and speaks to a lack of experience.
When I see someone who proposes something like "replace Windoze (lol I totally stuck it to Microsoft misspelling their software!) with Linux" as a magic fix for needing less people in a big enterprise to me it says this is someone who has installed Linux on their desktop, and maybe a personal web server, and somehow thinks that means they know all about enterprise administration. They figure what is true for them must be true for 50,000 systems. I mean after all, the fact that they had Windows crash on them one time clearly means it is unstable and unsupportable!
Windows does a lot right for the enterprise. Their authentication service is really good. AD really does the trick for managing a large collection of systems and users. We use it as the backend for everything, Windows, Linux and Mac and yes, we've tried it other ways (we used to do Sun LDAP and IDsync as the backend, what a nightmare to make work). Anyone who says Microsoft doesn't have good tools for large scale management is really just saying they don't have experience in a large scale setting with Windows and other OSes.
Also that suggestion is funny, given that the NSA likes and uses Linux for a number of things. You might want to look up who gave us SELinux (hint: the NSA). Ever wonder why it has such paranoid, granular, control if you want it? That's why.
Another way is to completely scrap the computer systems and go back to paper. It is a lot harder to get a hold of 500,000 classified documents and walk out of the office with them. I think it'd get flagged if Mr. Manning all of a sudden was at the photo copier 24x7 for a few weeks.
Perhaps NSA is not kidding
Perhaps they will just go ahead and lay off 90% of their admins, who are American citizens
And then, they will hire admins from Bangladesh as replacement
NSA doesn't need to be troubled by admins who are American citizens who understand the concept of Liberty, Human Rights, and Democracy - they can hire replacement admins from 4th world countries where nobody cares about any of those "Western Luxuries"
Actually this is a good point. If the sysadmins are not American citizens and are not based in America then the NSA can legally spy on them with no problems.
So yeah NSA outsourcing system administration to India might be a winner!
In the free world the media isn't government run; the government is media run.
SILLY RABBIT!
The NSA will just set up shop in Dubai, with their other Haliburton friends... They will import labor that can barely speak English, and with Dubai's labor laws they can literally padlock the employees to the desks.
Manning and Snowden both prove anybody not an "Inquisitor" for the team is a liability to the cause. They consider themselves OUTSIDE the law, don't expect them to learn the lessons we think they should.
My guess is a change of title, too.
I don't understand why the news and journals report what the NSA announces. For a long time this agency didn't even exist officially. They are allowed and expected to lie about absolutely everything, there are not even reliable records on how many people they employ. Their official statements are and have always been deliberate bullshit and disinformation. It's pointless to take into account anything they say about themselves at all.
Perhaps NSA is not kidding
Perhaps they will just go ahead and lay off 90% of their admins, who are American citizens
And then, they will hire admins from Bangladesh as replacement
NSA doesn't need to be troubled by admins who are American citizens who understand the concept of Liberty, Human Rights, and Democracy - they can hire replacement admins from 4th world countries where nobody cares about any of those "Western Luxuries"
Actually this is a good point. If the sysadmins are not American citizens and are not based in America then the NSA can legally spy on them with no problems.
So yeah NSA outsourcing system administration to India might be a winner!
Pakistan would be even better, then if any of them cause problems they can just send in a drone