The NSA and Snowden: Securing the All-Seeing Eye
First time accepted submitter ChelleChelle2 (2908449) writes "Edward Snowden's release of classified material exposing the existence of numerous global surveillance programs (obtained while working as an NSA contractor at Booz Allen Hamilton) has been referred to as 'the most damaging breach of secrets in U.S. history.' Regardless of whether one chooses to champion or condemn Snowden's actions, it is apparent that the NSA needs to dramatically rework its security measures. In this article Bob Toxen, renowned author of several books and articles on Linux Security, discusses the security practices that could have stopped Snowden. Equally interesting, he weighs in on the constitutionality and morality of the NSA's spying on all Americans."
With all the leaks, corruption scandals (quite a show here in Montreal), and all the law-breaking from those agencies and governments, I wish there were more like Snowden. That's only the tip of the iceberg boys & girls,
I've got better things to do tonight than die.
That's like saying when aliens attack you'll be glad you bought UFO insurance. Just because you can imagine a scenario does not make it likely. I have seen no compelling evidence that terrorism is a battle worth giving up my privacy and freedom for.
I started reading but soon moved on to just skimming the article. It read like a very logical but basic security primer... Until I hit the sidebar. Wow, I've never seen a better laid out, yet brief, history lesson that got straight to the point. Our government needs to remember that it's "For the People, by the People" not "For those people, by these people".
Peter.
Personally I see using outside contractors such as Booz Allen Hamilton as the massive security breach.
The easiest fix would be to stop violating our constitutional rights. Snowden would have never leaked anything had the NSA been acting within the bounds of the constitution. Violate the constitution and everyone working for you that is a patriot is bound by honor to thwart you. Righteous anger is a SOB.
1. Take control of your own networks via your own staff again.
No contractors, no private sector, no ex gov staff moving around, people without exhaustive gov staff real world full family tree, education, friends interviewed background results.
2. Drive the private sector contractors out of the gov networks. Fancy 3rd party network wide security software will not stop a trusted system admin, it will just give the security software bosses a nice gov contract bonus.
3. Go back to finding all your staff from top universities after watching them in the wild for a few years. When ready, offer them a great job, for life with academic freedoms and an above great wage. Make sure they feel invited in.
a) Interview them in person using gov staff only staff.
b) If accepted as useful to the gov:
Interview their extended family in person using only gov staff. Interview their recent academic staff in person using gov staff. Drive out to their local community and find friends, cops, ex cops, sealed court records, all teachers at every stage of schooling.... in person using gov only staff.
Look at generations of book lists, magazines, newspapers, payments, gambling, faith with links to other nations, cults with links to other nations, holidays, charities, political causes, the probability of placing another nation/faith/cash/cult interests above all gov security levels.
Build up a real world life story with real world contact with every close person or event and keep looking.
Note: a database search is not a real world interview. A database search by a 3rd party private sector security cleared person is not a real world interview.
Some data on a random gov computer about past good work being seen by a 3rd party private sector security cleared person is not a real world interview.
Keep interviewing, testing, profiling your new staff using trusted gov staff - in house staff, not a 3rd party private sector security cleared person invited in with a new 'system' to rent.
4. The file systems need to be kept air gapped and back to best practice compartmentalization. No new 3rd party cloud, no outside big brand private sector 'helpers' beyond installs.
5. Don't trust any paperwork from any other sector of the gov/private sector on an individual. If they have great paperwork and want to move jobs, something interesting might be missing from that great 'story'.
6. Stop political suggestions over 'sharing' the cloud and other ways into what should be a sealed gov network.
Some better ways to alter public perception:
Hint at a limited hangout, or partial hangout, the idea that the material was baited provides endless speculation and academic busy work on web 2.0 and beyond.
Drop hints via trusted cutouts to the 'alternative media' that will take years to work out.
A sockpuppet is not a useful cutout.
The hardware and software, junk encryption was for domestic use by 'others' in the wider US legal system. The results of a splitter, tame corporate/academic decryption ended up with any number of diverse ongoing very legal domestic criminal probes is a great talking point.
Hint at a political culture for weakening once strong gov only security clearance levels.
8. Talk to the UK about decades of tell all books, newspapers, interviews and 'documents' ie the magical "why" nothing ever got much traction beyond academic history books and obscure university level history papers.
9. As all this is now in the open and telco immunity is/was in place move forward with a domestic locked box for all telco metadata. Move in front of "damaging breach" to a post telco immunity budget and gov security expansion needs.
Domestic spying is now "Benign Information Gathering"
In the light let's correct the heading. Edward Snowden did not cause 'the most damaging breach of secrets in U.S. history'; he exposed 'the most damaging breach of secrets in U.S. history'. Let's be clear on this, it was the NSA that was conducting the illegal breach of secrets of people from all over the globe, no one was safe and no country's laws were respected, not the US, not anyone's. It was the NSA that was the completely unrepentant criminally insane computer network hacker, hacks not in the hundreds or thousands but very likely in the millions. This had nothing to do with securing anything for the US but everything to do with empowering the insane head of the NSA and his backers in their grab for power. He is now protected status by the secrets he holds, he knows more about the criminal activity of politicians from all over the globe than any other person in US history. As for the puppet president Uncle Tom Obama the choom gang coward, well, he runs nothing and has not done so for years, he just does as he is told to do and smiles when he reads his instructions in front of the public on the teleprompter, the puppet prompter, what a way to go down in history, really lame.
Chaos - everything, everywhere, everywhen
Except there is also the fact that some of the NSA's main goals, despite its draconian and probably unconstitutional methods, are still counterterrorism and counterintelligence. When a friend or family member is killed in a terrorist attack because the NSA's security wasn't adequate you can be proud you encouraged it.
The NSA's mass-surveillance techniques have not been proven effective for counter-terrorism, nor do those techniques represent a cost-effective method of lowering the overall US death rate, nor are they worth (in my opinion) the egregious violation of our Constitutional rights.
I believe that a cursory glance at global affairs — in particular, which entities commit terror attacks upon which nations; the attackers' motives; and attacked nations' foreign policies — suggests that the most effective counter-terrorism results come from not interfering in the sovereignty or affairs of foreign governments, and not violating the human/civil rights of foreign and domestic populaces.
Were a friend or family member killed in a terror attack, I'd be upset they died even though their Constitutional rights were being violated, and I'd be upset that they likely died as a result of blowback from unilateral US action abroad intended to increase or maintain the power and wealth of US oligarchs, likely in violation of international law. If mass-surveillance were ended and a friend or family member were killed in a terror attack, I would take solace in death(s) as free people.
Thank you, Edward Snowden.
"Arguments from authority are worthless." —Carl Sagan
...is somewhere along the line SOMEONE has to be trusted. That secure program that transfers files? How do you know it doesn't have a back door/hidden features? You audit that source code... do you trust the auditor? How do you know he's not in collusion with the programmer? Hmm, better get someone or someones to audit them. And so on....
Technical restrictions are good, but they're not the be-all. Technically, the best locked down systems aren't usable (any geezers here remember C2 [orange book] Windows NT 4 systems? Very secure (especially for NT in the day)...and wholly unusable).
His comments about securing ssh are just common sense and best practices (for once they coincide). As he pointed out, metal detectors would have caught the egress of the thumb drives. Just as locks on reinforced cockpit doors would have prevented 9/11, sometimes the low-tech scalable solution is the best solution.
Um, no. The Whiskey Rebellion had nothing to do with "shitting on veterans". Veterans rallied around George Washington to put down the rebels.
George Washington was a millionaire at the time because he owned some extremely popular Whiskey distilleries, so when he imposed the first taxes of the nation (largely to pay our war debts), the first thing he did was put on a tax that hit himself hardest. This was considered fair. Even in those days, it was well known that alcohol came with severe social consequences, so this Sin Tax was generally accepted as the best way to raise national funds.
So what drove the Whiskey Rebellion? Largely it was early Borderlander (Scots/Irish) culture, one of the American nations, which simply wanted all the benefits of living in the United States without having to pay a dime for its upkeep. This attitude, by the way, still completely dominates in these regions 200 years later, driving much of our politics: right wingers who pretend to "speak for the veterans" while at the same time refusing to pay for their benefits. Clyde Bundy is a poster child for borderlander culture.
Thinking about it, I suppose you could say that "shitting on veterans" was the point of the revolution - it was just the rebels who were trying to do the shitting.