

Protecting Against Leakers - hatchan
https://www.schneier.com/blog/archives/2013/08/protecting_agai.html

======
ams6110
_As a system administrator, he needed access to many of the agency's computer
systems -- and he needed access to everything on those machines._

He certainly did NOT need this access to administer systems. It still boggles
my mind that the sensitive data on those systems was not encrypted so
administrators could not read it.

In any well-run IT organization, the DBAs cannot read the credit card numbers
stored in the database and the systems administrators cannot read user
passwords. But they can still administer the database and the servers.

~~~
einhverfr
This is actually easier said than done. One of the major concerns is you don't
want some dude with a security clearance taking work home with him. So a lot
of effort goes into things like SELinux being used to control what programs
can access files.

Here you have a fundamental conflict. A root user can reconfigure the controls
to allow access (that is absolutely necessary from a practical perspective),
and so you end up having to trust the sysadmins.

Or you could set up other systems that would read the files, decrypt them only
within special programs. Now you have two problems..... Moreover the sysadmin
might be able to pull passphrases as they are typed, keys as they are
uploaded, etc. It is not that easy to manage.

In the end a determined sysadmin can get the information and there isn't
really a way you can lock him or her out fully.

~~~
GFischer
A determined sysadmin can certainly get the information, but can he do so
undetected?

~~~
einhverfr
A sufficiently careful one probably could for some time, especially if he was
quite aware of what was checked and could work around such checks initially.

------
jacquesm
> More surprising than Snowden's ability to get away with taking the
> information he downloaded is that there haven't been dozens more like him.

Is an assumption on Schneier's part. For all we know there were dozens or
more. They may not have released the data or they may have sold it to some
foreign agency instead.

~~~
narag
_... or they may have sold it to some foreign agency instead._

Don't forget corporations and individuals. And of course blackmail. That could
be very profitable, especially against powerful people, politicians...

~~~
jacquesm
Interesting angle. Makes you wonder if any politicians' data was part of
Snowden's haul. If so that opens up another can of worms.

If they didn't have segregated access (and it does not appear that they did)
then that would have surely been too juicy to pass up. 20,000 documents is a
lot.

This might also go some way to explaining the panic, if they don't know what
he's got and he's had access to data like that then some people must really
not be sleeping well right now.

~~~
narag
_Makes you wonder if any politicians' data was part of Snowden's haul._

It's safe to assume that most (every?) politician's data is part of _NSA's_
haul. Add journalists.

I find the debate about surveillance terribly naive. Politicians get corrupted
as soon as there's no one closely looking.

Creating such a surveillance and secret-keeping mammoth is calling for massive
corruption. And this thing has been running _for years_.

~~~
jacquesm
Yes, that the NSA has it is fairly obvious at this point but the question is
whether or not Snowden took it. Is there any indication that he did?

------
guelo
Part of Assange's philosophy is that secretive unjust organizations will
operate less efficiently and become less effective as they lock down their
internal flow of information in response to leaks. Looks like things are going
according to plan.

~~~
naterator
If we take Schneier's example of the bank president and the ATM, you could
easily argue that is a flawed philosophy. Every day I go to the ATM, money
comes out. Like clockwork, very efficient.

~~~
bruceboughton
Because a bank's principal job has been running ATMs for 40 or 50 years and it
is run-the-bank stuff. If you look at internet banking (and how out of date
and clumsy most of these systems are) you will see this effect.
Change-the-bank stuff is what "suffers" from this.

Retail banks' ATM and overnight payments systems are often 25-year-old pieces
of software and hardware.

------
deveac
_> Think of an employee as operating within a sphere of trust -- a set of
assets and functions he or she has access to. Organizations act in their best
interest by making that sphere as small as possible. The idea is that if
someone turns out to be untrustworthy, he or she can only do so much damage.
This is where the NSA failed with Snowden._

And if you read easily between the lines, this is where the NSA failed _us_ as
well.

Snowden's sphere of access was very large. He broke org procedure for the good
of all Americans and net users on the planet. What is implied is that existing
analysts in like positions have similar access, and can break org procedures
for nefarious purposes (indeed, as they already have countless times according
to reporting), and no amount of official gov't reassurances on "checks and
balances" or "proper procedures" can wipe this fact away.

I wonder how many roles at the NSA have inflated spheres of trust, and about
all the little and big ways their operators break org procedures all the
time...and especially for what reasons...

------
marijn
Finding a balance between paralyzingly complicated processes and having to
trust single employees with all of your secrets is not easy. I think that's
great, since it helps discourage organizations from doing the kind of things
that morally outrage their employees.

------
Ziomislaw
If you are worried about leakers, you probably are doing something "bad" and
you are aware of it.

Why would anybody even consider giving such tips to `people which can be
summed up as evil' is beyond me.

~~~
ig1
Pretty much every company has confidential information. When a company
administrator sells the internal address book to a recruiter or when a
salesperson makes a copy of the prospects database before joining a competitor
- that's leaking too.

~~~
JulianMorrison
It would be interesting to consider a world that is truly without secrets,
even of obscurity. It's possible we might get there. I think the way companies
and so forth do their work could end up being adjusted to cope.

~~~
jacquesm
'The dead past'.

Isaac Asimov, 1956.

~~~
jloughry
I just read that. Thanks for pointing it out. The parallels to the present day
are striking and disturbing.

------
einhverfr
Two points seemed to contradict each other. The first was cutting classified
sysadmin positions by 90%. The second was requiring doubling up for work on
classified systems.

Does this mean that the sysadmins will each be responsible for 20x as much
information or work? With such a workload how can the doubling up be
effective?

I guess my rule is that when confronted with a crisis, organizations will
usually react in such a way as to preserve or even exacerbate all pre-existing
problems.

~~~
tel
Or cut the need for sysadmins to 5% and fire all but 10% of them.

------
dlitz
> A public or private organization's best defense against whistle-blowers is
> to refrain from doing things it doesn't want to read about on the front page
> of the newspaper.

I feel like this hasn't been said enough in the debates surrounding the
surveillance leaks.

------
Decstasy
Every nation needs secrets but not in that way it is currently handled. There
must be a kind of balance like a committee which decides in every single case
"should this information be classified or not". When this procedure would be
consistently applied there might not be a PRISM program. Leakers should get a
chance to contact this committee and get exemption from punishment. I hope all
of you know what I mean - I know my English is not the best.

~~~
icebraining
That's a _lot_ of power granted to some committee. Who verifies that it's
working well, and its members aren't actually selecting what to publish for
their own benefit? What guarantees would a leaker have that the committee will
protect her/him?

------
nullc
The best protection is having nothing to leak.

------
stcredzero
In a sense, Snowden was whistle-blowing on _himself!_ Whenever you have lower
level employees given such tremendous power without auditing and checks, the
system is open to abuse. He has shown that a conspiracy of one can engage in
very significant and very bad actions. What if he did such things and told no
one?

------
spin
I'm baffled. On the one hand, the NSA wants their employees to "uphold and
defend the constitution". On the other hand, they want their employees to keep
secrets.

(... It is possible for these two things to not be in conflict with each
other...)

They want their employees to honor the commitments they've made. At the same
time they're lying to congress and the FISC.

Dear NSA: Let me help you un-fuck your business: Stop requiring your employees
to uphold and defend the constitution. Stop hiring people who believe that the
NSA should be held accountable to the citizens and/or to the congress.

(Perhaps you should start by creating a cult of personality around a strong,
charismatic leader. And for the signing-in ceremony, instead of swearing to
"defend the constitution against all enemies, foreign and domestic", maybe
they could just wipe their asses with a copy of the Bill of Rights.)

If you do this, you will never have another Edward Snowden again. I guarantee
it.

~~~
GFischer
Apparently they employ pre-brainwashed employees (Mormons).

Edit: okay, that was offensive to Mormons, but they do apparently employ a lot
of them. If one group is overrepresented, so will their views (which might
diverge from the rest of the population).

------
contingencies
How about being an ethical organization that people would feel morally
compelled to support versus harm? How about not creating secrets around ills
committed but actually being candid about such issues when eventually
discovered and reforming openly? It seems organizational psychology is partly
to blame.

------
tomelders
I'm not happy hearing the unqualified statement "we need secrecy" being bandied
around without any opposition.

~~~
zby
How about replacing it with 'privacy'? We all need privacy and politicians are
not an exception.

~~~
btbuildem
I would argue that politicians ARE an exception. They are the most public
figures, and they do enjoy a unique status. They should have no professional
privacy whatsoever; their personal privacy can be on par with celebrities etc.

