

Edward Snowden's lesson to both businesses and NSA - rdl
http://qz.com/92509/edward-snowdens-lesson-to-both-businesses-and-the-nsa-your-it-people-are-your-biggest-risk/

======
u2328
Is anybody else reading this guy's twitter account? He comes off like a
_massive_ asshole, and he throws around his PhD like Officer Farva. Is this
indicative of the people who run the country's intelligence community?

It feels like they have no sense of perspective for the rest of society; it's
like they're saying, "trust us you nerds, the ends-justify-the-means." Do they
not realize that this nation is a democracy, and the country decides as a whole
our course, not just a select few? Wonder what his opinion on Aaron Swartz
is.

~~~
doktrin
After reading through some of his tweets, I find myself more confused than
not. Bizarre name-calling aside, his views are pretty inconsistent.

For instance, in the tweets cited in the linked article, he repeatedly
mentions that IT [dorks / weenies / etc.] have low status and wide access.
This is in line with the general premise, and makes sense.

However, some of his other tweets paint a starkly different picture, namely
one in which Snowden is a "poseur", and agrees with other commenters'
disparaging comments such as "he probably only had access to a printer and
copier" or "was given powerpoint 100 training and has delusions of grandeur".

~~~
u2328
I agree. It all comes off as super-defensive, 'you guys just wouldn't
understand' rhetoric. Not to mention all the insider backslapping. And the
consistent claims that Snowden defected to China are clearly taking the
situation out of context. Terrible PR for their side of the argument, at
least, but fascinating (if not terrifying) insight into a bit of the minds
behind the curtains at the NSA.

~~~
anonymous
Maybe it's damage control? "No you guys, there are definitely absolutely no
true Americans who are against the NSA. This guy? Oh, this guy is a Chinese
spy!"

~~~
u2328
Character assassination. They are going to try and rip Snowden apart. I don't
think they'll succeed though.

------
betterunix
This is news? Your IT people have to have privileged access to your computers;
they maintain security policies, they issue smartcards, they reimage hard
drives. They have physical access to the machines. _Of course_ they are your
biggest risk.

~~~
rdl
1) NSA had official policies in the 1980s/1990s which would have prevented
individual sysadmins from having broad authority.

A few changes have happened: explosion in number of systems, decline in
quality of NSA staff (due to better opportunities elsewhere) on the tech/IT
side, increase in contractors (who also tend to suck), politicization (since
in the 1990s there was no clear mission, and in the 2000s there was not as
morally justifiable a mission).

The NSA IT people I've met in the 2000s would not be people I'd hire to do
IT/security. The older "former NSA" people I know are people I would gladly
work with.

2) It appears Snowden has somewhat overrepresented the level of access he had.

~~~
fruchtose
Re point 2: The PowerPoint that was leaked has TOP SECRET on it. That is one
of the highest levels of access imaginable.

~~~
mpyne
eeeehhhhh... not really. A surprisingly large number of people have TS
clearances, otherwise he'd have been making even more money.

~~~
rdl
I think the published numbers are 4.5mm clearance holders (mostly S or the DOE
L; I've personally never met a C-holder); 900k TS+ (including TS/SSBI, etc.)

Essentially every military officer is S or better, I think, and virtually
everyone in certain military units is S (IT, etc.) or in some cases TS (CI).
That is a _lot_ of people. A lot of 18 year olds :(

------
Glyptodon
To be honest, when these things happen 6 out of 7 times I empathize with the
'disgruntled' IT guy more than the object of his revenge. IT is thankless and
when smart people end up being forced to work for sickening immoral egos you
can't expect it to end well. We're probably lucky that most of them use
computers for their revenge and don't go for violence.

~~~
Glyptodon
Oh, and the way these "blue badgers" talk is sickening. It's like they think
they're the nobility or something. They should go join a monarchy if they want
to act like they're the only ones who can make judgments or comprehend things.

~~~
u2328
They've already got it. It's called the NSA.

------
pinaceae
This has been true for a long time, however I am wondering if there is an
opportunity here.

Why do IT admins get full rights to read data? Their job is to get the systems
running, but somehow right now this means carte blanche from a systems
perspective. It is easier to build a tool like that of course.

The problem arises with configuration of access rights: whoever has edit
rights on that config controls the system. Nuclear launch procedures have the
famous 2 keys sequence where at least two people need to be involved - even if
this is only Hollywood, the idea itself is quite interesting.

In IT systems this would mean some sort of approval process where any risky
operation would need to get requested and confirmed by another party. You want
a full data dump? Wait a sec, care to explain why?

Of course this wouldn't be foolproof, but better than the systems today, no?
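
The request-and-confirm flow described in the comment above, sketched as an added example that is not part of the thread: a risky operation runs only after a different, authorized person approves that exact operation, and every step lands in an audit trail. The class and method names (`TwoPersonGate`, `request`, `approve`, `execute`) are hypothetical.

```python
import hashlib
import time

class ApprovalError(Exception):
    """Raised when the two-person rule is not satisfied."""

class TwoPersonGate:
    def __init__(self, approvers, ttl=900, clock=time.time):
        self.approvers = set(approvers)  # who may confirm requests
        self.ttl, self.clock = ttl, clock
        self.pending = {}                # request id -> record
        self.audit = []                  # every decision, in order

    @staticmethod
    def _digest(operation, target):
        # Bind the approval to one exact operation on one exact target.
        return hashlib.sha256(f"{operation}\0{target}".encode()).hexdigest()

    def request(self, requester, operation, target, why):
        if not why.strip():
            raise ApprovalError("a justification is required")
        req_id = f"req-{len(self.audit)}"
        self.pending[req_id] = {
            "requester": requester, "approver": None,
            "digest": self._digest(operation, target),
            "expires": self.clock() + self.ttl,
        }
        self.audit.append(("request", req_id, requester, why))
        return req_id

    def approve(self, req_id, approver):
        req = self.pending[req_id]
        if approver == req["requester"]:
            raise ApprovalError("requester cannot approve their own request")
        if approver not in self.approvers:
            raise ApprovalError(f"{approver} is not an authorized approver")
        req["approver"] = approver
        self.audit.append(("approve", req_id, approver, ""))

    def execute(self, req_id, requester, operation, target, action):
        req = self.pending.get(req_id)
        if req is None or req["approver"] is None:
            raise ApprovalError("no second-party approval on record")
        if requester != req["requester"] or self._digest(operation, target) != req["digest"]:
            raise ApprovalError("approval does not cover this operation")
        if self.clock() > req["expires"]:
            raise ApprovalError("approval expired")
        del self.pending[req_id]         # approvals are single use
        self.audit.append(("execute", req_id, requester, operation))
        return action()
```

As the comment notes, this is not foolproof: whoever can edit the approver list or bypass the gate still controls the system, so that configuration needs the same two-party treatment.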

