
NSA to cut system administrators by 90 percent to limit data access - kjhughes
http://preview.reuters.com/2013/8/9/nsa-to-cut-system-administrators-by-90-percent-to
======
zaroth
But who will manage the systems that are managing the systems? I'm sure this
will work out brilliantly for them when systems crash, or hackers start
exfiltrating their data, and there's no one left to analyze the logs and
discover and fix the holes.

The problem at the NSA isn't that there are too many sysadmins, although
apparently that plays well with tech illiterate politicians. The problem is
too many morally unconscionable programs which lead to a growing revulsion in
the ranks.

Mr. Alexander defends his agency's conduct and claims the press is distorting
the facts. "No one has willfully or knowingly disobeyed the law or tried to
invade your civil liberties or privacies," he said. "There were no mistakes
like that at all." Except we know that even FISA says that's not true, in a
report so damning apparently even elected members of congress can't read it.

I have news for you Keith, blanket collection of the "meta-data" of every call
on Verizon's network is ex vi termini, invasion of privacy and civil liberty.
DEA's SOD (Special Operations Division) handing off your clandestine
intercepts to civilian law enforcement is just the latest, but not the last,
sickening revelation. The leaks won't stop until you stop, and I hope your
hubris continues to blind you to how close the political tides are to turning
against you. It seems to me that your 'ends justify the means' mentality
conflicts with your sworn oath to uphold the Constitution, and I can only hope
history will look back on this whole endeavor as a dark stain in American
history, and view you like a McCarthy of our time. Machiavelli would be proud
of you, sir.

~~~
rhizome
_The problem is too many morally unconscionable programs which lead to a
growing revulsion in the ranks._

Au contraire, it's extremely morally conscionable to people who see law
enforcement as a noble profession empowered to rid the nation (and beyond) of
people they see as the scum of the earth. These programs are run by people
who, I can guarantee you, do not wake up in the morning wondering what morals
and ethics they can ignore that day.

However.

_"No one has willfully or knowingly disobeyed the law or tried to invade
your civil liberties or privacies," he said._

And he's right. And that's the problem: these things are likely _not against
the law_. The law has both been perverted inch by inch and the agencies have
been allowed to operate under looser legal interpretations than you and I
receive for parking tickets. This means that to the degree that laws exist
that permit their behavior (PATRIOT Act, FISAA), those who would constrain
them to _even the loose boundaries_ do not (and by all accounts refuse to) do
so. This goes for the FISC as much as Dianne Feinstein and Eric Holder. This
means they can say it's legal for them to do pretty much whatever they want.
So now what?

~~~
acqq
You say now what? Now exactly what Snowden did: if it's "legal" only because
secret court makes secret decisions which are against the Constitution, inform
the people. You are sworn to protect the Constitution not to just say "I've
got an order, I'm just doing it" like some guys managed to kill millions
without losing sleep, thinking "the superiors say it's legal it's not my thing
to even think about it".

~~~
davvolun
Or Bradley Manning. So, basically give up everything in your life for one
chance to do the right thing that just about half of America will call you a
traitor for?

~~~
CamperBob2
That's always been the fate of true patriots. Even in Revolutionary times, my
understanding is that well over half of the colonial population had a neutral
or even positive attitude towards the British. Surprisingly few people wanted
to rock the boat.

It's always easy to do the right thing when everybody agrees with you.

------
mullingitover
Once again the Wikileaks plan succeeding. In order to maintain their dirty
secret, they have to take more and more drastic measures that weaken their
ability to operate their illegal enterprise in an efficient manner.

~~~
angersock
I guess it's a good year to be writing and selling books on puppet and chef?

------
discodave
OK guys we've had a security breach. Let's fire all the guys who look after
security!

Oh and everybody has to work with a partner so the work output of our
remaining workforce is halved.

Idiots.

~~~
u2328
Don't get me wrong. I think Snowden is a patriot, but read between the lines
here. Security breaks at the interface, and for the NSA, it broke at the
interface between itself and its contractors. Snowden was a Booz Allen
Hamilton employee, so just like a diseased appendage threatening the rest of
the body, I think the NSA is going to start cutting Booz off. Cronyism between
the government and private business only extends so far. Booz has become a
liability for the NSA, and they're not going to let that relationship, no
matter how cozy, threaten the whole thing.

~~~
Sauer_Kraut
What indicates they will be cut off?

~~~
u2328
Cutting sysadmins by 90% is a big indicator. There's also been a lot of talk
from former NSA about security risks involved with contractors with top secret
security clearances. The writing is on the wall.

~~~
Sauer_Kraut
For employee numbers, not contracts.

If anything it stands there will be a higher concentration of work and monies
given to the immune likes of Booz Allen Hamilton.

------
qq66
Is there any literature on whether a rules/laws violation is more or less
likely in a paired environment than in a single-user environment? The thinking
is that the next Snowden will be stopped by his partner. But I can also see a
possibility where the next Snowden has some misgivings, but doesn't have the
confidence to go through with action until he voices his misgivings to his
partner, and they give each other the courage to proceed.

Which is more likely?

------
smsm42
I seriously hope the NSA actually means to eliminate 90% of sysadmin rights by
reducing the access rights of most of the people to minimal necessary, not 90%
of actual sysadmin positions. Because either NSA is grossly, unbelievably
overstaffed (and for some weird reason with, from all possible positions,
sysadmins) or, if they staffed like any normal organization, firing 90% of
sysadmins would cause unbelievable chaos in all IT systems. Something sounds
very weird here.

~~~
wisty
> either NSA is grossly, unbelievably overstaffed

Can you tell me the last time a President said the military had gotten
bloated, and needed to go on a diet? Not counting screwing over veterans, of
course.

~~~
rdl
[http://www.youtube.com/watch?v=8y06NSBBRtY](http://www.youtube.com/watch?v=8y06NSBBRtY)

President Dwight D. Eisenhower's famous exit speech of 17 JAN 1961 warning of
the dangers of the "military-industrial complex."

------
fixxer
Looks like there are going to be 900 disenfranchised sysadmins out in the
wild.... I wonder what information they'll have...

------
3pt14159
Honestly this is a terrible idea. Say what you will about their programs, what
they don't need to do is CUT DOWN on the Sys Admins, what they need to do is
distribute access more cleanly so that no one person can take out a big chunk
of classified data.

~~~
shabble
There's already a good chunk of effort gone into solving the problem of access
to Scary Things for nukes & master crypto keying material, such as the Two
Man/No Lone Zone[1] rules.

I'm not sure how well it would translate to things like sysadmin tasks which
can't all be pre-scripted checklists, but something like a pair-programming
model, combined with a full audit log of actions taken, along with actual
independent auditors randomly pulling logs and checking for naughtiness could
work.

I dread to think of the bureaucracy overhead involved though - I suspect it
would probably end up increasing staff headcount several-fold.

[1] [https://en.wikipedia.org/wiki/Two-man_rule](https://en.wikipedia.org/wiki/Two-man_rule)

~~~
revelation
With the two-man rule, the two men are the _users_. They are not the people
building and maintaining the hardware switch that implements the two-man rule.
Now that's obviously a silly distinction because it was a simple electric
circuit, but nowadays everything runs on Linux and real operating systems, and
you need people to maintain them continuously.

~~~
shabble
Lots of enterprise setups have complicated RBAC/ACL/audit setups where
sysadmins/DBAs are only given the bare minimum permissions necessary to
complete their required roles. I seem to recall an article from a while back
about Google changing some policies after a sysadmin was found to be accessing
private user data, to require additional oversight/signoff, or maybe even
active observation. Unfortunately, I can't find the article I saw it in, so I
may be mistaken.

Technical measures and policies can go some of the way, but I think protecting
against a motivated internal attacker with some level of elevated permissions
is going to be a tough thing to achieve.
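
The two-person sign-off with a fully audited action log that shabble's comments above describe, sketched as an added example that is not part of the original thread. The users, role names and the `export_dataset` action are constructed for illustration; the log is hash-chained so an independent auditor pulling it can tell whether an entry was altered after the fact.

```python
import hashlib
import json

# Constructed sample data: role assignments and a per-action policy.
ROLES = {"alice": "sysadmin", "bob": "sysadmin",
         "carol": "security_officer", "dave": "analyst"}
POLICY = {"export_dataset": {"request": {"sysadmin"},
                             "approve": {"sysadmin", "security_officer"}}}
GENESIS = "0" * 64

class AuditLog:
    """Append-only log; every entry commits to the hash of the one before."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def append(self, actor, event, detail):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "actor": actor, "event": event,
                 "detail": detail, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)

    def first_bad_entry(self):
        """Auditor check: index of the first altered entry, None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["hash"] != self._digest(e):
                return i
            prev = e["hash"]
        return None

class TwoPersonGate:
    """An action runs only after a second, different, authorized person signs off."""
    def __init__(self, log):
        self.log, self.pending, self.next_id = log, {}, 1

    def request(self, actor, action):
        if ROLES.get(actor) not in POLICY.get(action, {}).get("request", set()):
            self.log.append(actor, "request_denied", action)  # denials are logged too
            return None
        req_id, self.next_id = self.next_id, self.next_id + 1
        self.pending[req_id] = (actor, action)
        self.log.append(actor, "requested", f"{action} req={req_id}")
        return req_id

    def approve(self, approver, req_id):
        requester, action = self.pending.get(req_id, (None, None))
        ok = (requester is not None and approver != requester
              and ROLES.get(approver) in POLICY[action]["approve"])
        if ok:
            del self.pending[req_id]  # one approval authorizes one execution
        self.log.append(approver, "approved" if ok else "approval_denied",
                        f"{action} req={req_id}")
        return ok
```

The chain only exposes edits if the auditor keeps the latest entry hash somewhere the administrators cannot write; anyone able to rewrite the whole log could otherwise recompute every hash.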

------
chrismealy
Good luck, guys! I'll know the singularity is here when computers don't need
sysadmins.

------
benjaminRRR
I was going to write something and then thought why would I bother sticking my
neck out and getting on somebody's list and be hassled for no other reason
than needing to spend some bloated budget... Self-censorship sucks.

~~~
quantumpotato_
Afraid to voice your opinions? The terrorist government has already won.

------
jayfuerstenberg
So long as the power to spy on people exists it will be abused. It already has
been and it will only get worse.

The only recourse is better cryptography.

~~~
Sauer_Kraut
This is absolutely wrong.

Encryption is now a means of making yourself a suspect. Referencing or
communicating with suspects is means to make yourself a suspect.

There is no technical solution away from this.

edit: What, no rebuttal? No eloquent summary on how crypto can lead people out
of this? My assertion of no technical solution has no more or no less merit
than the one above. But in addition I provided reason on how crypto makes one
a suspect, how associating with suspects makes one a suspect as well, a
refutation of the above comment.

Let's further discussion.

~~~
jayfuerstenberg
We're already suspects, we might as well have the encryption too.

Privacy is a basic human right and cannot be granted or taken away. But you
need to defend it all the same.

~~~
Sauer_Kraut
I believe encryption is a very reasonable goal, but if anything the fact that
encryption including steganography is highly detectable and is now known as
reasons for suspicion and analysis, I do not agree with it being "the only
recourse."

This is a technical oriented community so I do feel the need to highlight the
problem with focusing on technical solutions, let alone touting them as the
only recourse. The writing so to speak was on the wall when recent exposed
wrong-doings were made legal, immunity rendered with payments processed to the
collaborators. Attempts at technical solutions have brought drone missiles
upon Yemenis and others, Australians trapped in diplomatic buildings, valiant
whistle-blowers imprisoned/deposed to Russia, data researchers jailed for
gazing upon contractor information[1].

There is no technical solution to this. Technical solutions are getting people
killed, renditioned, deposed, hunted, prosecuted, tracked, analyzed. Enough
with the technical solutions already.

[1] [http://motherboard.vice.com/blog/the-doj-is-suing-barrett-br...](http://motherboard.vice.com/blog/the-doj-is-suing-barrett-browns-intelligence-research-site)

------
darwinGod
Alright, so how long does it take for disgruntled
soon-to-be-ex-system-administrator of the 90% of sysadmins to do the next leak?

~~~
woah
Whoever does it will be a hero!

------
Raticide
Just need to get the other 10% and we're good.

~~~
helloNSA_
You read my mind.

------
hobs
Does anyone else hate when a website tries not to let you read it when you
have javascript disabled? This one is so lame I had to view the source.

------
jimworm
1. Increase efficiency.

2. Reduce leak surface area.

3. Would-be whistleblowers might be more tempted to exchange information for
money, ie become spies, at which point you could nail them and nobody bats an
eyelid.

4. At least spies sell their information in secret instead of blurting it out
all over the place.

5. Dead people/prisoners don't count in unemployment statistics.

It's a win-win-win-win-win situation. Brilliant move.

------
wereHamster
> "No one has willfully or knowingly disobeyed the law or tried to invade your
> civil liberties or privacies," he said. "There were no mistakes like that at
> all."

"Not at all" is such a strong statement. Like Iraq had no WMD at all, right?
The US is really bad at admitting its own mistakes.

------
btbuilder
It's difficult to say, from this article, whether they are actually laying off
these admins or whether they are reducing the number of people with
administrator access.

I don't see many downsides to reducing the number of people with administrator
access. The more administrators there are the more possibility there is for
abuse as it is normally very easy for administrators to bypass audit controls
as well as, obviously, access controls. The rule of least privilege should
apply.

Call me cynical of the human race but I worry more about rogue admins selling
information to criminal elements than cutting off would-be whistleblowers.

------
e3pi
WRONG:

"Other security measures that Alexander has previously discussed include
requiring at least two people to be present before certain data can be
accessed on the agency's computer systems."

CORRECT:

Before admins or analysts view native text, a preprocessor regex substitutes
innocuous synonym barium canaries for parts of speech, punctuation, possibly
with Google capable proper noun recognition, places and people too. These
substitution events are hashed with each specific tractable viewers, and the
viewers, so informed of this preprocessor, know it, so they don't rat.

This is also `panopticonable', say this occurs only 10% of the time.

~~~
tedivm
None of that helps for someone like Snowden, who prepared to get caught.

~~~
e3pi
Agreed, the rogue suicide in the wild is a problem.

and...with theguardian.com currently:

Breaking news: US orders non-essential staff to leave consulate in Lahore,
Pakistan, citing terrorist threat. More details to follow ...

you suppose whatever intercepted intel causing all these embassy closures are
`tainted' with `barium' so the threat is scanning NSA's global surveillance to
see what activates a hwall alert and what does not? Eg, peaking traffic
volume, how to do this with a machine generated sustained random crypto-noise
spike?

~~~
Torkild
Oh, that is genius.

But I have problems believing in the existence of conspirators though.
Opportunists, yes, but not conspirators. Our species blows at foresight.

------
FrankenPC
"No one has willfully or knowingly disobeyed the law or tried to invade your
civil liberties or privacies," he said. "There were no mistakes like that at
all."

LOL!!! In their eyes, we are total morons.

------
beedogs
Hopefully the 90 percent all become Snowdens and the other 10 percent quit.

------
mathattack
Somehow I just can't see this ending well either.

------
greendata
love it! Hey NSA how does it feel to have your privacy violated. If you have
nothing to hide, you should care

------
Vivtek
Or, you know, they could have and enforce data access rules to limit data
access.

------
spin
From the article:

"No one has willfully or knowingly disobeyed the law or tried to invade your
civil liberties or privacies," he said. "There were no mistakes like that at
all."

... then why did they lie about it to congress?

~~~
smsm42
Because they are the good guys, so it's ok for them to lie to the congress.
For you it is a felony, but for them it's not even a mistake.

------
gojomo
According to a source speaking off the record, most of the reduction-in-force
will be achieved through mysterious auto accidents.

------
berkezerker
Whoa, the NSA finally cares about privacy!

------
smegel
All while bribing sysadmins overseas to install NSA listening devices. What's
good for the goose...

------
jared314
> Using technology to automate much of the work now done by employees and
> contractors

This sounds like they are just trimming a bloated IT department, and just
using security as an excuse.

~~~
a2tech
Sounds like an excuse to bring in a different huge company with another huge
contract to 'automate' tasks.

~~~
e3pi
I hope none of them read The Mythical Man Month.

------
ohazi
What could _possibly_ go wrong?

------
thejosh
ah yes, let's cut down on the amount of people who will dob on us.

------
antihero
Good luck.

------
Sauer_Kraut
Since Edward Snowden was considered an administrator and he was employed by
Booz Allen Hamilton, this means a supposed large cut in contracts to external
legally immune corporations.

First off I doubt much of a cut on spending or a hindrance to the vast
expansion of the world's surveillance state.

But if this does mean a cut in those employed it implies less targets to
battle back judicially, legislatively, socially. Less 'independent' opinions
(dismissing a probable increase of automated bots) attempting to justify their
salary. Plus automation is king only to a point, how do most hacker seminars
end? "It's always about the people."

With a clearer trail of monetary remuneration to follow that gives those in
the dissenting camp a better chance to isolate and make examples of the
collaborators who seek to route around justice to enforce their vision of law
while hiding in the legal shadows collecting cash.

edit: Be on the look-out for a large increase in marketing of surveillance
state tools to nations like Saudi Arabia, or torture loving UAE, typical
nations that companies that Booz Allen Hamilton and others whore themselves
out to for monies.

------
monsterix
I'll be happier if the administrators cut NSA's current data-sets down by 90%.
Just leave the 10% data that points to communications of the Government and
their secret agents.

Parsing that data will help us figure out moles and real traitors.

/sarcasm. I prefer they shut down NSA completely.

------
bengrunfeld
This is just plain wrong. Instead of admitting that what they did was immoral
and attempting to repair faith with the tech community and the country,
they're now trying to automate IT so that they don't have to worry about
SysAdmins with a conscience.

So their big plan is, "if our agents can use a UI to get all the info they
need, we won't need to worry about those pesky left-leaning IT types."

The amount of stupid here is unbearable!! Good luck to them when they need
another feature developed.

------
avty
We are legion!

