

NSA and the Pandora’s box of surveillance - ewheeler
http://blogs.reuters.com/jackshafer/2013/06/24/nsa-and-the-pandoras-box-of-surveillance/

======
unreal37
A pretty good article on the response of the NSA.

"We've changed the passwords." Excellent job boys, you deserve a raise. And
two-person requirements to access the data? Yeah, that will take 5 years to
develop, cost $2 billion, and never really work.

There must be thousands of people who knew this system existed. You can't keep
that secret forever, Top Secret clearance or not.

What if the next "national traitor" uses his Top Secret clearance to use that
data stream to his own financial benefit? Blackmailing senators on their
affairs, or exacting revenge on targets given to him by outside crime bosses.

Maybe I watch too many movies... But for every good guy like Snowden, there is a
bad guy.

~~~
alan_cx
Hmmm, blackmail.... could be the way to go. Strong word, but, negotiating from
a position of power?

My presumption is that the politicians are playing this down because of
perhaps the information the NSA has on them. I assume the power is in the web
of information people have on each other. So, a balance is maintained, or
something like that. Well, going public seems ineffective. It seems these
people have games to play to mitigate the damage caused by public disclosure.
You know, divide up the issue, make it black and white, make it about traitors
and good guys, and so on. So, maybe the next person who feels a tug of
conscience might decide: OK, I have all this info, I can either release it to
the voters, who will no doubt be manipulated, or I can bowl up to a few
senators and use the information to make them force change, like the
system already seems to.

Makes me think of the end of Clear and Present Danger, where Ryan has some
information that could kill off the presidency. The President points out that
what he actually has in his hand is a chip which he can play in the halls of
power. Perhaps Bradley and Snowden had it wrong. Perhaps they should have played
their chips?

Dunno. Is that how it should work? Play them according to their rules? Forget
the whole honest, open and decent thing, and get secretly, politically dirty?
Do deals under the table? Get change that way?

I really don't like the idea of that at all, but it seems that anything decent
and honest is easily disposed of as a matter of routine.

~~~
rfugger
If anyone could "negotiate from a position of power" in this situation, it
would be General Alexander himself...

------
pkill17
Briefly interned (two weeks) for Booz Allen this summer. While the people I
met and interacted with for that short amount of time were excellent and of
good spirit, the general opinion I got was that people did not enjoy their
day. Much like a traitor of a country is usually disgruntled with their
homeland, I can't imagine more leaks aren't right around the corner. Tech
consulting firms do not share in the amazing atmosphere of tech consumer-facing
companies, and as such may be the last place for loyalty.

------
skwirl
How do we know that they haven't been?

His supervisors, by the way, are at Booz Allen, not the NSA. Although
certainly the NSA has to take responsibility for the contractors it does
business with.

~~~
mpyne
And someone at the NSA needs to be taking responsibility for why Snowden had
access to as much as he did, sysadmin or not.

~~~
ImprovedSilence
To further the above, he was also an NSA employee prior to working for Booz
Allen. And a CIA employee before that, I think....

------
basseq
Other BAH personnel and BAH corporate liability are dependent on whether there
was either process negligence (e.g., Snowden's team members didn't enforce
policy) or inadequate measures. One man acting alone, even within a corporate
structure, doesn't implicate his co-workers or the company as a whole. (Of
course, this isn't always the case in court. See also: Arthur Andersen.)

~~~
fnordfnordfnord
A serious organization with a serious mission such as the NSA would be
reckless? hapless? (a lot of very bad things) to rely on the civil courts this
way for operational security. If the NSA had so little or no oversight or
operational security, that's just crazy.

~~~
basseq
Agreed: like closing the barn door after the horse has bolted.

~~~
fnordfnordfnord
Like, these Keystone Cops don't know a damn thing about horses or barns, and
should never have been trusted to look after them.

------
wiredfool
I wonder if this means that the NSA is going to fail its annual PCI audit?

~~~
tzs
Following PCI is a contractual requirement, not a statutory requirement. If
you want to do certain things with credit cards, such as accept payments using
them, then you have to enter into a contract that says you'll follow PCI.

If you have no need of any service that requires entering into such a
contract, then you can completely ignore PCI.

------
nickodell
Note that the host never asks the general if anyone was fired. Perhaps someone
was fired, and it didn't come up.

After all, if somebody asks why this couldn't happen again, you don't say, "We
fired the guy who designed this system." You say, "We changed this, this, and
this."

He talks about implementing a two-man rule, which is an excellent idea. I'm
not sure how that's going to work in practice, though. Is there a way to make
the Linux root password composed of two passwords?

~~~
codyps
> Is there a way to make the Linux root password composed of two passwords?

This could certainly be done via a custom PAM module. Of course, we should
also consider that admins will often have physical access to the systems. I
can't think up a purely technical solution to enforce the 2-man rule.
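
As an added illustration (not code from the thread or from any real PAM module), the following models the check a custom PAM module would have to perform for a two-person rule: two distinct approver accounts, each with its own salted PBKDF2-hashed secret, must both authenticate before access is granted. The credential store, user names and passwords are constructed here for the example; a real module would implement this in C behind `pam_sm_authenticate` and read secrets from a root-only file.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000


def hash_secret(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the store never holds plaintext secrets."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_store(entries):
    """Build a {user: (salt, digest)} store from (user, password) pairs."""
    return {user: (salt, hash_secret(pw, salt))
            for user, pw in entries
            for salt in [secrets.token_bytes(16)]}


# Constructed approver accounts for the example; not real credentials.
STORE = make_store([("alice", "correct horse"),
                    ("bob", "battery staple"),
                    ("carol", "xyzzy")])


def verify_one(store, user: str, password: str) -> bool:
    entry = store.get(user)
    if entry is None:
        hash_secret(password, b"\0" * 16)   # same cost for unknown users
        return False
    salt, digest = entry
    return hmac.compare_digest(hash_secret(password, salt), digest)


def two_person_authenticate(store, first, second):
    """Grant only if both approvers present a valid secret and are different
    accounts. Returns (ok, reason) so a PAM wrapper could map it to
    PAM_SUCCESS / PAM_AUTH_ERR. This gates the login path only: it does
    nothing against an admin who already has root or physical access."""
    (user_a, pw_a), (user_b, pw_b) = first, second
    if user_a == user_b:
        return False, "same account presented twice"
    ok_a = verify_one(store, user_a, pw_a)
    ok_b = verify_one(store, user_b, pw_b)   # check both; don't leak which failed
    if not (ok_a and ok_b):
        return False, "one or both secrets rejected"
    return True, f"approved by {user_a} and {user_b}"
```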

------
codex
Likely nobody has been fired because the investigation is still underway.

------
fnordfnordfnord
Finally, someone other than Greenwald starts asking critical questions.

~~~
uptown
THE critical question (in my mind) isn't whether NSA/FBI agents are listening
to people's phone calls, or reading people's emails. The key question is
whether all of this information is being captured and retained and available
on-demand (regardless of current or future legal authority). Does the
government, or any of its agencies, affiliates, contractors, or allies keep a
repository containing this data available for future analysis?

Answer that question - and answer it without linking it to "this program"
because you've already said "this program doesn't authorize that" and don't
link it to "this country" because you've said the laws of this country forbid
that type of thing.

Plain and simple.

Does any representation of this information exist in any state (analog,
digital, audio, waveform, transcription, encrypted, modified, converted,
fucking pantomime) that differs from a layman's understanding of where their
communications data resides?

