
NSA Implementing 'Two-Person' Rule To Stop The Next Edward Snowden - juvoni
http://www.forbes.com/sites/andygreenberg/2013/06/18/nsa-director-says-agency-implementing-two-person-rule-to-stop-the-next-edward-snowden
======
spodek
North Korea also has a three-person rule for its soldiers at the DMZ to make
it harder for any one to defect.

A better solution is to stop making your country one people want to escape
from.

Or in the NSA's case, stop violating the Constitution, lying to Congress, etc
so people don't feel compelled to blow the whistle.

Is it that hard to follow the Constitution?

~~~
quesera
I wonder if NSA really comprehends the breadth of what's going on here. I
don't think Snowden was a singularly disgruntled guy who happened to have
clearance.

His former coworkers are going to be smart, American, and patriotic too. Some
percentage of that class of people will have strong opinions about being
complicit in borderline-Constitutional activities. Snowden was the first to
come forward, but do you really think there isn't a significant pool of
sympathizers still at NSA considering making a similar move?

Requiring cooperation between two analysts does raise the bar somewhat. But I
think NSA would be making a mistake to assume that this is an isolated
problem, with a tactical solution. I hope that the next guy (or pair) to come
forward is as circumspect as Snowden seems to have been. Thank goodness
Bradley Manning didn't work at NSA -- that scenario would have real
consequences for the world, instead of the noisy internal (and important and
necessary) squabbling we'll be doing for the next several months.

~~~
antimagic
Yeah. The worst of it is the corollary - you need to fire people that are
ideologically impure. If people openly start talking about how they consider
the Constitution to be an important document that needs to be protected by
individual actions, then they can easily find an ally to make up the second
person. To make the two person rule effective, you have to eliminate anyone
that openly admits that they may very well break the organisation's rules in
favour of the Constitution.

That will be the NSA's finest hour - firing people for stating that they
support the US Constitution...

------
codeulike
I am reminded of something someone* said about leaks in 2006:

 _The more secretive or unjust an organization is, the more leaks induce fear
and paranoia in its leadership and planning coterie. This must result in
minimization of efficient internal communications mechanisms (an increase in
cognitive "secrecy tax") and consequent system-wide cognitive decline
resulting in decreased ability to hold onto power as the environment demands
adaption._

 _Hence in a world where leaking is easy, secretive or unjust systems are
nonlinearly hit relative to open, just systems. Since unjust systems, by their
nature induce opponents, and in many places barely have the upper hand, mass
leaking leaves them exquisitely vulnerable to those who seek to replace them
with more open forms of governance._

In other words, in an increasingly digital world, its gets easier and easier
for large scale leaks to happen, and although you can take measures to try and
stop that, overall those measures will damage your effectiveness even more.
Some leaks are 'good' and some are 'bad', but over time, in a leaky world, the
overall long term effect should be positive - a move towards more openness.

* its pretty obvious who, but I don't want to derail.

------
ef4
"The more secretive or unjust an organization is, the more leaks induce fear
and paranoia in its leadership and planning coterie. This must result in
minimization of efficient internal communications mechanisms (an increase in
cognitive "secrecy tax") and consequent system-wide cognitive decline
resulting in decreased ability to hold onto power as the environment demands
adaption."

\- Julian Assange, The Nonlinear Effects of Leaks on Unjust Systems of
Governance

~~~
fragsworth
So we as taxpayers:

1\. Did not know about this surveillance

2\. Would not have voted for it to be put in place

3\. Are (for the most part) angry that it happened

4\. Must pay extra taxes so they can be sure to keep it secret next time

I've never been more pissed off about my government.

~~~
hermannj314
I'm not mad about it because I pay taxes. Minor children, tax-exempt
institutions, those with no income: they all deserve to be free of unjust
government surveillance. Conflating the issue with the paying of taxes in a
progressive tax system may introduce the rationale that those that pay the
most taxes are the most deserving to not be watched.

In fact, some of nation's largest taxpayers (in the black corporations) are
actively cooperating in this endeavor, so making this about taxes would seem
to argue that the "taxpayer" has already spoken.

~~~
cavilling_elite
> minor children

You bring up a point (perhaps frivolously)that I haven't seen before. With
many many minors owning cell phones, where does the court stand on collecting
meta-data from children. The law is very clear when it comes to crimes on how
minors are treated, this seems to make assumptions without guardian approval
or regards to their status as minors.

~~~
zarify
Given their confidence that someone is foreign, I'm sure they have an equally
impressive rate with identifying minors.

On the plus side, "think of the children" is usually something everyone can
get behind, which is why it's rolled out so often :/

~~~
pjeide
There would need to be unilateral storage regardless of potential profiling
during mining -- otherwise the cellular profile of a child, in this case,
would make a secure line.

------
nostromo
The saddest part of the story is that there are two quotes, one from a
democrat and one from a republican, and both are falling all over themselves
in a rush to brand a whistleblower as a traitor.

The second saddest part of the story is that the person responsible for
securing the biggest DWH of all time freely admits that they have no
protection against rogue sysadmins, most of whom don't even work for the NSA.

~~~
cavilling_elite
The "second saddest part" makes me realize why all of the government agencies
get C's or less in the NIST tests for securing systems. When the _NSA_ can't
even employ their own in-house sysadmins, there is no real hope for defense
against political espionage.

If Snowden was the first to leak information, who was the first to sell it?
The way Snowden describes the access seems like a joke.

~~~
scarmig
One has to also wonder: how many have sold it before Snowden leaked it? I have
a hard time guessing the ratio of people willing to silently sell information
versus loud do-gooders, but I have a strong suspicion it is greater than one.
And of course one person can sell multiple times...

------
spikels
Now Sunday's oddly worded press release makes more sense:

"The statement that a SINGLE analyst can eavesdrop on domestic communications
without proper legal authorization is incorrect"

[http://www.dni.gov/index.php/newsroom/press-
releases/191-pre...](http://www.dni.gov/index.php/newsroom/press-
releases/191-press-releases-2013/880-odni-statement-on-the-limits-of-
surveillance-activities)

~~~
jrochkind1
Or perhaps the emphasis should be on ANALYST. An Analyst maybe not, a
sysadmin, oh, yeah, sure (and we have about 1000 of those).

But really, I don't believe anything they say, or believe that I'm capable of
figuring out the true meaning of the careful wording that they think they are
using to 'technically' tell the truth while intentionally making everyone
think they meant something else that was really a lie. I mean, Clapper has
already admitted he lied to Congress, right?

~~~
bigiain
Especially when they're clearly using regular words re-interpreted into jargon
to intentionally mislead the people responsible for their oversight.

"Collect" apparently has an intelligence-community meaning that's quite
different to the regular dictionary definition - when the NSA says they don't
"collect" data, what they seem to mean is that their computer systems
intercept and archive that data, but that human analysts haven't (yet) looked
at it.

In what other profession would you get away with making up a new definition of
a word that's almost 100% opposite to the "regualar" meaning of that word,
then using the word with your meaning when talking to the government? "Oh no,
I didn't 'steal' that money - in the investment-banking-community, 'steal'
means spending stolen money. I haven't spent any of that money yet- it's still
sitting in my bank account - so no, I didn't steal any money."

------
meritt
> "make sure that if another person were to turn against his or her country"

[http://en.wikipedia.org/wiki/Dutch_Ruppersberger](http://en.wikipedia.org/wiki/Dutch_Ruppersberger)

Dear Maryland: Please vote intelligently at your next opportunity.

~~~
hfanson1
Looks like he won the seat in a gerrymandered district. This manipulation of
district boundaries takes advantage of people who vote along party lines
regardless of an individual candidate's qualifications.

~~~
hga
Exquisitely gerrymandered. Wikipedia closes with this note on the current one:

" _In 2012 the district was found to be the eleventh least compact
congressional district in the United States._ "

And a link to this article, which shows that district, and is titled "
_Maryland has least compact congressional districts in nation_ ":
[http://marylandreporter.com/2012/10/03/maryland-has-least-
co...](http://marylandreporter.com/2012/10/03/maryland-has-least-compact-
congressional-districts-in-nation/)

Now, in all fairness they do have a cragy coast, but it is very clear the
districts are unconscionably gamed.

~~~
jmyc
> Now, in all fairness they do have a cragy coast, but it is very clear the
> districts are unconscionably gamed.

I'm not sure how it was done in the source for that news article, but
gerrymandering-detection algorithms should ignore natural borders in that
regard. See, for example, this paper which measures gerrymandering in terms of
convexity:
[http://mathdl.maa.org/images/upload_library/22/Polya/Hodge20...](http://mathdl.maa.org/images/upload_library/22/Polya/Hodge2011.pdf)

------
bobwaycott
The most disturbing comment from the article:

> * "We have to learn from these mistakes when they occur,” Representative
> Charlies Ruppersberger said to Alexander in the hearing. “What system are
> you or the director of national intelligence administration putting into
> place to make sure that if another person were to turn against his or her
> country we would have an alarm system that would not put us in this
> position?"*

So now the good Representative Ruppersberger is taking part in the automatic
branding of Mr. Snowden as one who has turned against his country. _For
whistleblowing_.

This is the wrong path.

~~~
a3n
But it's the easier path. It's hard to fix the problems they have. It's easy
to throw someone under the bus, dust your hands off and declare "job well
done."

------
corford
From the article: Representative Michelle Bachmann emphasized that the NSA
should answer “how a traitor could do something like this to the American
people,”

After watching the USA Today interview with Binney, Drake, Weibe and Radack
([http://www.usatoday.com/story/news/politics/2013/06/16/snowd...](http://www.usatoday.com/story/news/politics/2013/06/16/snowden-
whistleblower-nsa-officials-roundtable/2428809/)), Bachmann's demand and the
language she used make me incandescent with rage.

I cannot get over the ignorance of the woman to be able to come out with
something like that in good faith.

~~~
dragonwriter
> I simply cannot understand the ignorance of the woman to be able to say
> something like that in good faith.

What makes you think she said it in good faith?

~~~
corford
Heh yeah. I guess I'm desperately clutching to the (futile?) belief that US
congress is primarily stuffed with politicians of the dangerously incompetent
and naive kind rather than the evil lizard people kind. People like Bachmann
make me wonder though.

~~~
rdouble
The House is stuffed with politicians who appeal to their constituency.
Unfortunately, the area Bachmann is from is filled with people who are similar
to her.

~~~
corford
I can understand that but surely one should be able to expect a member of
congress to possess sufficient intelligence and moral judgement to be capable
of recognising the stark truth of a situation when it's been laid out so
unequivocally?

I mean, after watching the USA Today interview, it takes some pretty
spectacular mental gymnastics to paint what Snowden has done as anything other
than being in the public interest. Her constituents may be ill informed but
she's a fucking member of congress for christ's sake.

~~~
rdouble
_surely one should be able to expect a member of congress to possess
sufficient intelligence_

Knowing the history of and present state of congress, I don't know why anyone
would expect that.

~~~
corford
You're right I guess. I just found it shocking to see it so nakedly on
display.

------
chm
“When one of those persons misuses their authority it’s a huge problem.”

But of course, this doesn't apply to the Government.

Why can't someone in power admit that surveillance has gotten out of bounds,
maybe illegally, rather than devise ways to counter such divulgations?

~~~
jivatmanx
The Roman republic actually did have a copresidency (two consuls).

~~~
jlgreco
They also had a _functional_ Dictatorship system. Well, functional for a
time... until it went wrong. I think they were actually onto something with
that idea though. The flaws likely could have been corrected. A common theme
with most dictatorships gone awry is a rogue general, but the _real_ problem
is a military comprised of men that are willing to follow a rogue general.

~~~
narrator
More like their conquer and receive tribute strategy started to not work any
more and military technology and techniques were transferred to their
conquered territories.

~~~
jlgreco
That was the downfall of the Roman Empire; the downfall/transition of the
Roman Republic (the one with dictators, not emperors) was of a different
nature, which is not quite as easy to sum up:
[http://en.wikipedia.org/wiki/Crisis_of_the_Roman_Republic](http://en.wikipedia.org/wiki/Crisis_of_the_Roman_Republic)

------
mullingitover
I believe this was the kind of thing that Wikileaks has been shooting for all
along--make the keeping of dirty secrets so cumbersome that it becomes
infeasible to keep them. This chicken has already flown the coop: the next
leak will likely come from elsewhere, and again the government will be forced
to scramble and plug hole that already leaked.

~~~
a3n
Pretty soon NSA employees won't be allowed to bring small pocket knives and
shampoo into the office.

~~~
sireat
For some reason I am reminded of Feds in Snow Crash. Unfortunately, in real
life, we can not opt out of states so easily.

~~~
a3n
Coincidentally, I'm re-reading Snow Crash, read it first in the nineties.

When I first read it I felt a little like a snickering boy looking up dirty
words in the dictionary, reading about failed institutions and government
military and intelligence services as spun off corporations.

Now if you skim off the entertaining over-the-topness from the book, you have
today. Booz Hamilton anyone? That program's never going away, there's too many
jobs, billions, and lobbying money at stake.

------
jrochkind1
> was one of close to a thousand systems administrator

Huh, that gives some idea as to the operational scale of NSA systems.

It's ironic how much we're learning about how the secretive NSA does
things.... from public releases by the NSA themselves, in their attempts at PR
damage control.

~~~
kragen
This may or may not be true.

------
diminoten
I dunno, from a purely tech standpoint, it's a classic problem isn't it? How
do you stop your sysadmin from fleeing with all of your company's data?

I think the current solution is to just trust that your sysadmin's career
would be over if he/she took your data. Kind of doesn't work as well for stuff
like this, though, considering the person who'd steal your data probably at
this point doesn't care.

------
blahyawnblah
"The rule required that anyone copying data from a secure network onto
portable storage media does so with a second person who ensures he or she
isn’t also collecting unauthorized data."

Don't mind me over here by myself, I'm not copying anything...

~~~
jessaustin
Hmmm. The impression I have is that Snowden had access as a sysadmin, not as
an analyst. That is, he didn't really have any duties that called for him to
access the "secret" data. If the systems allow sysadmins to bypass proper
authorization procedures, what good is another authorization procedure?
Perhaps they'd be better off auditing the ACLs. In the Cloud Era, very few
machines ever need to allow root access.

However, this scheme would seem to prevent previous "laptop leaks", so I think
it's a good idea.

------
corin_
OK so here's the question: who thinks that everything the NSA does should be
public knowledge - not just what they do, but everything they have, all their
data, everything.

I'm sure some people do, but would imagine most don't. Most want a public
overview of what they are doing and what rights they have, but understand that
specifics/data need to stay secret.

For this to be the case, surely they _do_ need to make sure security is as
tight as possible. But on the flip side, if they were able to 100% prevent all
leaks, it would mean that nothing like this could happen again, i.e. the kind
of leaks that we _want_ to see. So where should the line be drawn?

------
joshguthrie
I guess I shouldn't have expected less than badmouthing from the cynical HN
crowd!

Why is it that everyone chooses to omit the most important thing about this
new rule? It was designed especially to make sure the next Edward Snowden
would have an accomplice when taking vac...fleeing to another country and
would feel less homesick thanks to the presence of a fellow motherland-er.

I for one, welcome the attention and kindness of our new NSA overlords.

PS: Dear NSA agent reading this, I lost access to my old Yahoo! Mail account
where I still have love letters sent by my ex-girlfriend and goth poetry I
wrote when I was 18. Think you could help me? Thanks for your help! XOXO

------
craftsman
I once worked at a company which had a form of the two-person rule for
production changes. The company's change control team thought that by
requiring a second person on the development team to 'certify' that the change
was 'good', they could cut down on some vaguely imagined problems.

What really happened:

Bob (via IM): Hey Mary, here's a change request link, can you hit 'approve'
real quick? Mary: Done

I bet that some slightly more sophisticated version of this will happen with
this new 'two-person' rule.

------
anaptdemise
I seem to remember watching a documentary of the Berlin wall in which soldiers
in the guard towers were not in casual communication with soldiers walking the
wall/fenced area. None of them were there to keep people out, but in. Watchers
monitoring watchers... Wish I could remember which documentary it was.

------
glenra
I though this question was interesting:

 _“What system are you or the director of national intelligence administration
putting into place to make sure that if another person were to turn against
his or her country we would have an alarm system that would not put us in this
position?”_

The thing is, Snowden didn't _turn against his country_. Snowden turned
_towards_ his country...and _against_ the schnooks who were undermining it.

There's a balance here. There is danger in making it _too hard_ for somebody
with a conscience to use it to make things better. The fact that it took _this
long_ for the truth to get out suggests to me that the controls they already
have in place (along with whatever social pressures surround them) might be
fine or even a little too strict.

------
donrhummy
I'm surprised they weren't already using a threshold-scheme. (Similar to this:
[http://en.wikipedia.org/wiki/Threshold_cryptosystem](http://en.wikipedia.org/wiki/Threshold_cryptosystem)
)

~~~
fragmede
Political implications aside, I'm glad to hear about the technical methods for
implementing this.

I've heard of high-security facilities prohibiting cameras, of any sort, so no
cellphone to take pictures of the screen, either.

------
j_baker
I'm simply dumbfounded by this. Why is nobody at the top taking any steps to
do anything about the fact that Snowden had almost unhindered access to spy on
whoever he wanted? That seems like a far more concerning security hole to me.

~~~
btbuildem
It's a feature not a bug, apparently.

------
astangl
How well will the "two-person" rule work, once the second person starts to
treat it like a rubber-stamp process? How do you prevent that from happening
without introducing big inefficiencies?

~~~
Daniel_Newby
It will work pretty damn well when the NSA is constantly planting fake spies
and the death penalty is in play.

------
cpeterso
> _“We have to learn from these mistakes when they occur,” Representative
> Charlies Ruppersberger said to Alexander in the hearing. “What system are
> you or the director of national intelligence administration putting into
> place to make sure that if another person were to turn against his or her
> country we would have an alarm system that would not put us in this
> position?”_

So the lesson is not how to prevent the NSA's domestic spying, but how to
prevent getting caught?

------
HaloZero
Am I the only one who thinks the NSA should be doing something to ensure that
this doesn't happen again, as in precautions against the gathering of data by
an individual?

While Snowden did have proper justifications and reasons for the exposure, the
fact that he was able to is still not a good thing for the NSA isn't it?
Someone else who might not have America's interest could do the same thing
theoretically which is bad.

------
rz2k
>... “When one of those persons misuses their authority it’s a huge problem.”

Since people working in groups never abuse their authority, this sounds like a
foolproof plan.

------
tkiley
If they are operating according to the laws of the land, they have "nothing to
hide" from Edward Snowden and his ilk. This move looks pretty suspicious to
me...

;-)

------
marcamillion
Don't they realize that no matter what they try, they can't stop leaks.

Just like you can't get 100% security.

------
throwaway10001
Hey Booz Allen, we need another 6000 analysts to double team your other 6000
analysts.

Truly yours,

Current NSA Chief, and future Booz Allen Hamilton CEO.

~~~
rhizome
"...and we will pay handsomely for this requirement."

------
drivebyacct2
Right. When you find a way to magically control the bits read from one hard
drive and can ensure that same sequence of bits isn't "copied" and written to
a different storage medium... without a "second person".... well, you let me
know.

I guess with some right group policy settings, a TPM and BitLocker, you could
get close maybe. Still going to be challenging to keep me from booting the
machine, logging into it and catting that file... somewhere. Give me `wget`
and a script and I could transmit data using only GETs.

~~~
fragsworth
I think they mean that two people must be working together at all times
whenever dealing with classified information.

You can't even access your own work computer without another person present.

It works. It's just _extremely_ inefficient.

~~~
Amadou
Most systems will not have any sort of external media - no floppy drives, no
removable hard disks, no cd burners. USB ports will be filled with epoxy and
any peripherals will also be physically secured to their ports. Wherever
possible drivers for external media will simply be removed from the OS
installation image for those systems.

That will leave a handful of system that do have external media. Those will
have extreme access restrictions - at a minimum account restrictions and audit
logs that will be regularly correlated with a hand-written log that contains
timestamps and signatures of both people. They may even put the system in a
room with keycard access that requires two different keycards and associated
PINs to be entered before the door opens.

~~~
drivebyacct2
Are you speculating or speaking from experience? Either way, I'd like to
imagine in these scenarios that the really, really secure stuff is kept
offline or somehow on a non-Internet connected network.

~~~
Amadou
I am speaking from experience on non-NSA programs.

It goes without saying that their entire operational network is firewalled
with an air-gap. If a user needs to have internet (or other extranet) access
from the same desk as their operational network, they will have an entirely
separate terminal for it, they may even have rules that require a minimum
distance between the two terminals.

------
PavlovsCat
where you are <\---> Rubicon <\---> where a sane person would want to be

~~~
PavlovsCat
Yeah, yeah. Yawn. I'm not hearing any _words_ ;)

