NSA Insider Security Post-Snowden

According to a recently declassified report obtained under FOIA, the NSA's attempts to protect itself against insider attacks aren't going very well:

The N.S.A. failed to consistently lock racks of servers storing highly classified data and to secure data center machine rooms, according to the report, an investigation by the Defense Department's inspector general completed in 2016.

[...]

The agency also failed to meaningfully reduce the number of officials and contractors who were empowered to download and transfer data classified as top secret, as well as the number of "privileged" users, who have greater power to access the N.S.A.'s most sensitive computer systems. And it did not fully implement software to monitor what those users were doing.

In all, the report concluded, while the post-Snowden initiative -- called "Secure the Net" by the N.S.A. -- had some successes, it "did not fully meet the intent of decreasing the risk of insider threats to N.S.A. operations and the ability of insiders to exfiltrate data."

Marcy Wheeler comments:

The IG report examined seven of the most important out of 40 "Secure the Net" initiatives rolled out since Snowden began leaking classified information. Two of the initiatives aspired to reduce the number of people who had the kind of access Snowden did: those who have privileged access to maintain, configure, and operate the NSA's computer systems (what the report calls PRIVACs), and those who are authorized to use removable media to transfer data to or from an NSA system (what the report calls DTAs).

But when DOD's inspectors went to assess whether NSA had succeeded in doing this, they found something disturbing. In both cases, the NSA did not have solid documentation about how many such users existed at the time of the Snowden leak. With respect to PRIVACs, in June 2013 (the start of the Snowden leak), "NSA officials stated that they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users." The report offered no explanation for how NSA came to no longer have that spreadsheet just as an investigation into the biggest breach thus far at NSA started. With respect to DTAs, "NSA did not know how many DTAs it had because the manually kept list was corrupted during the months leading up to the security breach."

There seem to be two possible explanations for the fact that the NSA couldn't track who had the same kind of access that Snowden exploited to steal so many documents. Either the dog ate their homework: Someone at NSA made the documents unavailable (or they never really existed). Or someone fed the dog their homework: Some adversary made these lists unusable. The former would suggest the NSA had something to hide as it prepared to explain why Snowden had been able to walk away with NSA's crown jewels. The latter would suggest that someone deliberately obscured who else in the building might walk away with the crown jewels. Obscuring that list would be of particular value if you were a foreign adversary planning on walking away with a bunch of files, such as the set of hacking tools the Shadow Brokers have since released, which are believed to have originated at NSA.

Read the whole thing. Securing against insiders, especially those with technical access, is difficult, but I had assumed the NSA did more post-Snowden.

Tags: , , , ,

Posted on June 22, 2017 at 5:52 AM • 44 Comments

Comments

matteoJune 22, 2017 7:14 AM

They can't keep themself or their data safe...
but they want spy/store/copy on all your data...

PeteJune 22, 2017 7:18 AM

There is an assumption that Snowden "got away" with the NSA's crown jewels. Doubtful. Certainly, there is much more damning information that the stuff he took.

I'd go with the dog ate my homework, excuse. That is more believable than whatever lie comes from any leader in the US security services.

Chris ZweberJune 22, 2017 7:24 AM

Did the Snowden release include any 10x leaps in innovation of what currently exists in the public sector?

With the billions in defense spend there are some real crown jewels in currently unknown technologies.

RapidGeekJune 22, 2017 7:36 AM

This report could be a honeypot. Designed to lead potential leakers to the conclusion that they can get away with taking the data. The idea being to lead their enemy into an ambush.

Andrew GJune 22, 2017 7:44 AM

"NSA officials stated that they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users."

And yet I'd be willing to bet no one was fired for this gross incompetence. In other words, high-level officials don't think it was important to really keep track of who had privileged access. Which, in turn, kind of suggests the whole audit is security theater.

Who?June 22, 2017 8:02 AM

@ RapidGeek

This report could be a honeypot. Designed to lead potential leakers to the conclusion that they can get away with taking the data. The idea being to lead their enemy into an ambush.

No way. The last NSA wants is driving leakers to the conclusion stealing classified information is safe and easy. What if just a few of these leakers are successful because either they are very good getting away with the data or they are just lucky?

In my humble opinion the message NSA would like to transmit is "better get away of data you do not need for your work or there will be consequences."

Retired Secret SquirrelJune 22, 2017 8:15 AM

The Intel Community has never been set up to catch insider threats and its only gotten worse as technology has improved. Their focus has always been on perimeter security and counter-intelligence. They have been an always will be terrible at preventing insider threats.

Anyone who has ever spent even a week at an Intelligence organization knows that all the security is about keeping people out of the facility, they don't care what goes on for the most part once you're inside.
Once you have a security clearance and a badge to access that specific facility, they really don't worry about what you're doing inside

It's like many commercial companies is that regards, if you're an employee and have a badge, then you can enter the facility, once you're in, they're not tracking what you're doing every second of the day.

Who?June 22, 2017 9:43 AM

The best NSA can do to protect itself against insider attacks is doing its work in strict compliance with laws1. Then the only problem they will fight are moles working for other intelligence services2.

1Where laws means "laws known to any lawyer, not the ones imposed by secret courts like FISC." It is important avoiding secret laws and other legal workarounds.
2Moles are a minor risk when compared to leakers, as exfiltrated data will be available only to foreign intelligence services that are plenty of resources to access to the same secret data by other means.

Moneygrubbing ContractorJune 22, 2017 9:54 AM

Above comments about Gov facilities are appalling. Here in contractor-ville, we absolutely know who the Admins are and could list them by system, by name, any time. ...and only Admins are doing data transfers these days (thanks to Mr Manning)

Who?June 22, 2017 10:07 AM

@ Moneygrubbing Contractor

Defense contractors are smaller than NSA and have a hierarchical organization (in other words, a defense contractor is a "cathedral" while NSA looks more like a "bazaar" in the Eric S. Raymond essay.)

I believe NSA will improve its own protection against insiders over time, but it will be a challenging and slow process.

SteveJune 22, 2017 10:20 AM

@Moneygrubbing Contractor

Snowden was a contractor.

Oh, and it's Ms Manning.

Who?June 22, 2017 10:27 AM

@ Steve

Don't know about Manning, Snowden certainly was a contractor. However "Moneygrubbing Contractor" is not talking about the contractors themselves, he is talking about the security of the defense contractor networks versus government ones.

albertJune 22, 2017 10:55 AM

We don't have a DOD IG, we have an -acting- IG (Glenn Fine), formally a Deputy IG. The IG is responsible for the entire DOD. It's a big job, considering all the fraud and waste going on in the military (mostly by private contractors). With 6 divisions and 1500 employees, it's not a small department. The DOD IG appointments require Senate approval. I don't know why one hasn't been appointed yet.

Fine developed quite a good reputation as DOJ IG, his previous post under Clinton. (see https://en.wikipedia.org/wiki/Glenn_A._Fine)

This is interesting. It looks like Fine would make a good IG. I wonder what the Trump administration thinks. Would he want a bulldog in the DOD IG position? We really need one as DOJ IG.

Big bureaucratized governmental institutions have eye-wateringly complex rules and regulations and top-heavy management structures. It's a wonder anything gets done.

-No- amount or quality of vetting will ever assure trustworthiness of employees.

It's absurd to think that 'your people' will approve of and follow illegal or immoral procedures in the performance of their duties. IF you must do that, then be prepared for the consequences.

Like the poor, insider access ye shall have with you always.

. .. . .. --- ....

IonJune 22, 2017 11:35 AM

And that is the state you and many others want to give the power to regulate the Internet, to supervise the IoT and many others. Magical thinking or simple shallow understanding?

James Jesus AngletonJune 22, 2017 11:48 AM

When you're a military grunt who has what it takes at NSA - that is, OCD and not too bright - everything's a threat. That's just how you're indoctrinated, that's how you get your little stars up on the cognitive behavioral token board NSA set up. So naturally now 'insiders' are a threat.

That means you're a threat. The cognitive dissonance erodes your grandiose self-image and you stew in your own paranoia juices and do nothing. That's what we see here. NSA is unable to acknowledge their real problem: staff who value rule of law and right to know. Every decent human being lured into that building by NSA liars.

It only gets worse. Every new NSA hire has heard Appelbaum and Wikileaks call for infiltration and exposure. They understand why Snowden did what he did. They heard NSA pukes stammering to Madiha Tahir. They read Alexander Beilinson's letter to AMS. They saw Alec Foster tell NSA, stuff your scholarship. They know what 'We track em, You whack em' means: NSA selects civilian victims for widespread and systematic disappearance, murder, and torture. Thinkers with ethics and autonomous habits of mind, today's Orwells and Hemingways, instead of going to fight in Spain they're going to undermine and dismantle the NSA Stasi. NSA can't weed them out - the warning signs go over their head - so they take them in.

Shadowbrokers, thank you for your service.

Clive RobinsonJune 22, 2017 12:31 PM

I suspect there are two major problems (as I've seen them elsewhere).

The old modle back when the cold war was still hot was "segregation" things had little boxes and rarely got shared without a lot of pain.

The cold war finally went cold and the focus of the IC and those nominally in charge of it like Condi Rice did not adjust their perspectives in the right direction, this ME Terrorism came as a bit of a shock.

After 9/11 there were demands for scalps to nail on the door. The half century of inter agency internecine turf war got highlighted. So the deckchairs had to be rearanged on the poop deck of the IC Titanic. This ment two contra cultural changes,

1, Sharing Intel.
2, Higher efficiency.

The solution in part was "ICT every where" and "third party it" so the party political kickbacks would flow unabated.

Basically every little box got the demolition derby treatment and big data databases became the way of the future. But it was not one third party entiry it was many entities with personnel pulled from all sorts of odd places.

But "increased efficiency" in reality means "get it up and grab the contract payment" then "move on to the next cash pile". Such mentality does not encourage security thinking. Likewise multiple contractors means non existant or close to edge security. But only at the backend. The PC on every desk likewise had a price and that ment lip service to security. We know from what Ed Snowden has said he could download onto memory cards data from other peoples computers using their security credentials. To make it worse it was expected for admins to have memory cards etc to move data around for the users...

But there was also the "sin of non demotion", put simply once you had been given "rights" they were not revoked in the way they should have been. Which means the scope / reach Ed Snowden had through others accounts was way way bigger than it would have been if rights were demoted / revoked in a timely way as peoples jobs changed.

As I've pointed out in the past "Efficiency -v- Security" is in most cases a seesaw you can have one or the other, but rarely both unless real knowledge and experience is applied. Which it was not, because the requirments for that are mind numbingly expensive and time consuming, and when it comes to lip service security with big profit or real security but no profit I'll let you guess which way that coin flip landed on that one.

Further I'll let you guess who gave a dam prior to Ed Snowden and how few give a dam now...

hermanJune 22, 2017 1:49 PM

Well, this sounds like an episode of MASH or Catch22:

The NSA lost their spreadsheet list of admins, so now they don't know who has admin access and they need an admin to read the sudoers files of their servers to see who are the admins...

This so retarded, it has to be true.

Andre GirondaJune 22, 2017 1:59 PM

Tuning deception systems is hard. It requires the human touch and diligence. Government isn't buying into concepts such as OpenCanary or solutions such as Canary.tools -- and who knows what they implementing instead.

There aren't a lot of other workable methods to control the unintentional insider problem, let alone trusted insider. Most DFIR professionals aren't of the counter-deception mindset, and most Red teamers who could be of the defensive mindset are working too-much and too-hard on offensive capabilities because there is more money and fame to be had.

One can implement or buy deception-engagement solutions today, but who will run them? Before Snowden, the technologies and concepts were only theorized. The maturity of these technology platforms isn't quite there -- and SANS or BlackHat don't offer a course in these concepts.

Outside of the Fort Meade eXperiment (FMX), I haven't seen a framework (they used MITRE ATT&CK) specified for use in cyber deception. Even then, FMX is not even a year old. They've been using ATT&CK for detective capabilities but if you look at the matrix of their outcomes you'll note a ton of gaps while ATT&CK techniques keep increasing in number and diversity.

albertJune 22, 2017 2:16 PM

@Clive,

Don't you think privatization is the DODs major problem, and that includes the IC?

Snowden was a contractor.

There are no good arguments for using contractors for government work, especially intelligence. Ask yourself why can contractors pay more money than the government can, for the same job? Who pays the contractors? The government is non-profit, the contractors are not.

Logically, it makes no sense.

The solution is simple, 'militarize' the IC and get the politics out of it. Get rid of useless 'oversight' like the DHS. We need less bureaucracy, not more.

Nothing is going to happen unless we change the rules.

Don't hold your breath on that.

. .. . .. --- ....

Retired Secret SquirrelJune 22, 2017 3:16 PM

@albert

"The solution is simple, 'militarize' the IC and get the politics out of it. Get rid of useless 'oversight' like the DHS. We need less bureaucracy, not more."

Get the politics out of the IC?
•The Intelligence Community exists to inform Policy Makers (e.g. the President and the National Security Council). They don’t exist in a vacuum.

Get rid of useless 'oversight' like the DHS
•DHS has nothing to do with NSA, oversight or otherwise
•Perhaps you’re mixing up DHS with the ODNI (Office of the Director on National Intelligence), regardless the community does need oversight

Not sure what you mean by militarize the IC, especially in this example.
The National Security Agency is part of the Department of Defense it always has been. The NSA employees civil servants, military enlisted and officers as well as contractors and consultants

As far as the cost of contractors and the contractor vs civil service vs military billets

We have contractors because organizations are only permitted to have so many civil service and military billets. If you want to change the make-up of organizations like the NSA, then talk to Congress, they approve the budgets, this in turn determines manning/billets

For example if the NSA had 100 employees 20 might be civil servants, 40 from the military and the other 40 filled by contractors. The contractor positions are not permanent, they are temporary in many cases. They might only be there for a year and not the next.

If you hire a civil servant and get them in the system meaning, they have been vetted, get their security clearance, etc., you're going to want to keep them around for a while, whereas contractors they can use for a short period of time, weeks, months, maybe a year and then get rid of them. Contractor levels always fluctuate.


JonJune 22, 2017 4:35 PM

Ahh, @albert and @Retired

You have failed to notice that the NSA swears up and down that it does not engage in industrial espionage.

It does not share its data with corporations.

Except when it does...

Hee hee hee.

Jon

albertJune 22, 2017 5:56 PM

@Retired Secret Squirrel,

Points taken. Thanks for the corrections.

The theory of saving money (temporary contractors) sounds good, and might work for wars (which in theory are temporary), but contractors cost a lot more than permanents. I can't imagine the NSA hiring temporaries for anything critical. Aren't we fighting a war on terror? Do we cut loose the temps when we win?

Vetting should be equally thorough for both classes, especially in the IC.

Sorry, but it seems to me that the push for privatization has reached the IC, and it has nothing to do with costs, efficiency, or effectiveness. It has to do with corporate profits. I wouldn't expect Congress to do anything about this. Even if they wanted to, they are inept and mired in partisan BS, and completely run by the corporations.

Privatization is already ruining civil society. It's only going to get worse. Gee, when you think about it, maybe the NSA isn't so bad after all.

Maybe a few leakers isn't the end of the world as we know it:)

. .. . .. --- ....

SteveJune 22, 2017 8:24 PM

@Who: Regarding Ms Manning, I was correcting the poster's gender title.

My point wrt Snowden is that contractors don't have all that sterling of a record, either.

DroneJune 23, 2017 1:12 AM

Bumbling Idiots. And now they're hoovering up all our medical records too.

kiss_torJune 23, 2017 2:02 AM

FWIW using Tail's Browser with security level set to high Marcy Wheeler's name didn't show up as the author previously here:
https://motherboard.vice.com/en_us/article/the-nsa-has-done-little-to-prevent-the-next-edward-snowden
(although I could read the article, apparently)

Now both of the Motherboard.Vice articles linked to above seem stuck loading with javascript off (using noscript) or something; in other words, as-is with the current settings, I can no longer read the above article, but get a list of stuff on the left hand side with both Motherboard Vice links.

Who?June 23, 2017 2:15 AM

@ Steve

Indeed, I know who Ms. Manning is. I am not sure —however— she was a defense contractor or a member of the U.S. Army. I think she was the latter.

tyrJune 23, 2017 2:24 AM


My own experiences showed me quite decisively
that any section of an organization is only
as good as the people themselves. All it takes
is one or two idiots to make the most finely
tuned set of gudelines fail dramatically. You
can see this in action when you try to explain
why having an insecure by default password is
a bad idea to some upper level cloddy with a
sense of his own magnificence. I'll bet that
the spreadsheet was tossed by some loon who
thought it was redundant in the 21st century
paperless environment and it must be on a comp
anyway.

I think Nasim Taleb has the best idea. Design
your systems so people have 'skin in the game'
for the current generation that means make it
cost them money for screwing up or terminate
them. If NSA had a few upper types out on the
sidewalk looking for a new job after every
leak things would change drastically. That
would work for the rest of the government as
well. RIFs, budget cuts and mass revoking of
clearances would go a long way towards tighter
security. Rewarding massive incompetence does
not seem to work very well.

ATNJune 23, 2017 3:45 AM

"NSA officials stated that they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users."

???
That is a joke, the spreadsheet is lost for sure, but if you want a list of priviledged user you shall ask the computer, any priviledged user can do it.
Unless there is a single key to decrypt the top secret documents, but then it is still a joke, everybody has to be considered a priviledged user, the key has to be revoked immediately.

Is any priviledged user able to approve another priviledged user (by giving them the key on a thumb drive)?
Do they have a clue of the number of users? Are they using the same username and password whoever want to connect as "priviledged user"?

I understand major countries cannot stop supporting smaller countries like fiscal paradises, poor peoples, but there is a lot of money to be done by selling secretly stolen data (unlike releasing it in public for nothing), and such fiscal paradises seem to acheive a living above poverty ceilling on last news - that is how you detect corruption levels...

Dan HJune 23, 2017 6:56 AM

@Clive Robinson
"nominally in charge of it like Condi Rice"

Condoleezza Rice who was National Security Advisor and Secretary of State was never in charge of the Intelligence Community. Neither of those roles prior to the creation of the DNI after 9/11 put her as any director of IC. Most of the IC is under the Department of Defense.

"ME Terrorism came as a bit of a shock"

I beg to differ. The USMC barracks bombing and US Embassy bombing in Beirut 1983 along with the US Embassy bombing in Kuwait 1983. US Embassy, Tehran 1979. Pan Am Flight 103, 1988. CIA station chief William Buckley kidnapped in Beirut 1984. TWA Flight 847 in 1985. The cruise ship Achille Lauro in 1985. La Belle Disco bombing in Berlin 1986. There are other incidents. They didn't have the mass numbers of the WTC towers on 9/11, but terrorist threats in the 1980s were always there.

name.withheld.for.obvious.reasonsJune 23, 2017 9:26 AM

From what I understand, and I witnessed contractor presentations in DC, that the intel community now runs under a regime called "Continuous Evaluation". Using the programmatic targeting of "terrorists" (a side channel form of parallel construction), parametric data and rule-based data mining works to discover organizational risks on intel members (SA level 2 or higher are exempt). The same business and communications records that are swept up on citizens is now used to see if you are visiting EFF, the Intercept, ACLU, and calling an IG will generate an instant revocation of a valid clearance. In a sense, a continuous security/clearance background check.

What I like is that it is now being offered as a service to commercial and private organizations.

AnonJune 23, 2017 11:25 AM

Let's be real here. They're not going to release the numbers, and thus will make up any excuse (i.e. the dog ate my harddrive). Doing so, would mean oversight and change. Changes of this type would bring the intelligence services to a screeching halt in terms of productivity, and no in charge is going to allow that.
Ideas like limiting PRIVAC users, etc look great on paper but are ill-conceived. People who have PRIVAC generally have it for good reason, and I highly doubt they are mostly expendable.

Their biggest problem in their analysis of the Snowden case, is failure to recognize that exactly what should have happened, happened. Employees swear: "I, , do solemnly swear that I will support and defend the Constitution of the United States against all enemies foreign and domestic". Those "domestic enemies" include those wiping their butts with the 4th amendment. The leak was justified, necessary, largely targeted, and responsibly done. There was no problem - hence no corrective action necessary. New regulations that would make their already tough jobs impossible were not needed, so it's no surprise they are being ignored. "Losing" their old list of PRIVAC users allows them to claim to have made the required 90% reduction required without actually doing it ("There were 10x this many people before... on the old list... that the dog ate - honest!").

JardaJune 23, 2017 1:05 PM

There's only one way to secure the NSA data. Anyone who enters the NSA building will leave all his clothes at the entrance. He will receive locked aluminium knickers and a muzzle to prevent using USB flash smugled in body orifices. Voil-la, problem solved.

ThinkJune 24, 2017 12:01 PM

Due to the build up of personnel after 9/11 the NSA had to circumvent budget limitations to hire additional resources (skilled computer technicians). Government employing privatization using money that it didn't earn (so it doesn't hurt to spend it) combined with an attitude of 'I care how it gets spent' as long as the job gets done is always an opportunity for huge profits to be made by a large group opportunists.

Outsourcing the background check and vetting process to private firms (these firms then undoubtedly made large contributions to their elected officials to keep pouring the gravy on the pork) and then allowing these firms to be so profitable as to become wall street hedge fund darlings -- now your income statement is much more important than anyone's or any nation's security you are going to cut corners and spend less time and money to give the NSA their requested product -- skilled individuals that may have technical ability but no real allegiance to anything. Then we have the OPM data breach and now personal secrets are made public.

No one talks about the Russian and Chinese firms that come to the US and buy up bulk background and credit reports at a fraction of the retail cost about every one that they are interested in getting to know personally through a custom build recruitment process. Unhappy about your finances? Are you in the right place, do you have something we can use, do you work at a location we need to know more about? We'll pay you to tell us.


The capitalist profit motive will always provide Russia and China with the fruits of British and American know how and can do attitude through people like Snowden. Why invent the wheel, when you can steal it? Snowden had no family to protect and disrespected the very country, institutions and people which ironically gave him his freedom to be a traitor.

Snowden was a crime of opportunity at first, and then he ran into the SVP (Soviet Network of Recruiters in the US). He would have been well understood due to his family connections (Admiral Barret) and when his attitude was made public via internet postings and through people he spoke with, he would have been helped by other sympathizers within their intelligence framework. His escape was organized to look plausibly haphazard, but in hindsight was pulled of without a hitch and did incredible financial and personal damage to the United States and its allies.

name.withheld.for.obvious.reasonsJune 25, 2017 4:58 PM

@ Think

Really? Without any supporting evidence--including that which is publicly available--your argument falls well short of "thought-out".

How do your comments comport with the Review, written by the FISC, dated 3 October 2011?

Quote directly taken from the review;

NSA's targeting and minization procedures, as the government proposes to apply to the MCT's as to which the "active user" is not known to be a tasked selector, are inconsistent with the requirements of the Fourth Amendment.

In the report the judge of the FISC, John D. Bates, documents repeated abuse of the court, law, and their own processes. His statements should have been viewed as an alert to the oversight bodies (persons authorized/required) and should have triggered a more thorough examination. Instead, congressional and oversight bodies like the IG, failed to make the problems the FISC was documenting into an action to do an internal audit (independently) of NSA use of instruments submitted to the court.

The well commented and observed violations have still not received any scrutiny of measurable value. Thus the off-the-reservation behavior and subsequent rationales continue to be highly suspect--AT BEST. When you write your own rules it should not be so difficult to comply with their requirements.

WaelJune 25, 2017 7:05 PM

@name.withheld.for.obvious.reasons,

When you write your own rules it should not be so difficult to comply with their requirements.

I beg to differ, Sir! That's idealistic theory. History has recorded the polar opposite. We call them hypocrites.

65535June 25, 2017 11:12 PM

@ Andrew G

"NSA officials stated that they used a manually kept spreadsheet, which they no longer had, to identify the initial number of privileged users." And yet I'd be willing to bet no one was fired for this gross incompetence. In other words, high-level officials don't think it was important to really keep track of who had privileged access. Which, in turn, kind of suggests the whole audit is security theater. –Andrew G

Yes, it does.

The pdf was 61 pages with 4 pages of useless logos and pictures of buildings and troops, 2 pages redacted overview findings, 4 pages of index, and 5 pages of glossary leaving about 46 pages of detail – which was approximately 35% to 45% blanked out – I would have to agree the Savage-NYT-FOIA-DOD-IG-report pdf was unintelligible and mostly “security theater”!

It is hard to draw any real conclusions with that much blacked-out text, footnotes and diagrams. Now, it the report was full and complete and with no redactions than a better picture could have been drawn. How much do we spend each year on the IC branches? 10 Billion USD, 20 billion USD, or 60 billion dollars? What is the most accurate and timely cost figure on the various IC branches?

GeronimoJune 27, 2017 3:15 AM

After reading one really bad book I can't now claim to be an expert on Snowden. I do not have to say I don't believe journalist gatekeeper Glenn Greenwald ab't Snowden or anything else to do with Russia. I did not believe the simpleminded movie. How did he get access to computers he couldn't have had access to? They were left unguarded, passwords were shared? How did the access lists get lost/ corrupted assuming they were ever complete? Someone in the NSA where he was transferred made it possible?

IMO:
What else happened in 2013? Benghazi? (Not related) What happened b4 the 2014 Congressional elections? Republicans Giuliani and Ralph Peters joined Trump, Buchanan, Graham & Baker on the Religious Right (2011) and came out for Putin over their own President (birthers). Many more elected Republicans couldn't afford to say that publicly bc they were up for election. But for many, including certain "libertarian-ish" elected Republicans that could have/ might have been the only reason. IOW, the RNC went all in long before 2015-16. Putin has oil, Putin claims to be Christian. Sounds good to me. (Cough cough, Projectile vomit)

name.withheld.for.obvious.reasonsJune 28, 2017 5:14 AM

@ Wael

I beg to differ, Sir!

Then, on-guard--referencing the Holy Book of Armaments--prepare to be met with a hypothesis masquerading as LAW.

I am going to skip the whole theoretical science exercise (scientific method is overused and requires the use of "facts), my new HYP->US-CODE model improves the process of development and reduces research costs. A WIN-WIN.

In all seriousness, who has time for that...

WaelJune 28, 2017 11:24 AM

@name.withheld.for.obvious.reasons,

In all seriousness, who has time for that...

Right on :)

NeilJune 30, 2017 8:20 AM

The only reason the spreadsheet or other admin info is not available is because it would embarrass the NSA.

Why it would is the question? There are really two answers.

1. As has already been mentioned it could be the sheer number of people.

or

2. It could be the identity of the people. For example, maybe Obama’s Chief of Staff was still on the list. Remember, Obama made intelligence shareable for political reasons so who knows who had access.

I tend to think the latter is the real reason. Once Congress finds out that the NSA was involved in attempts to steer the election, the NSA is in deep trouble. The NSA will avoid this at all costs.

I agree with another poster, the top people at the NSA should be fired for leaks, and they should be prohibited from working on any classified work or in any government positions that require confidentially.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

← Is Continuing to Patch Windows XP a Mistake? Amazon Patents Measures to Prevent In-Store Comparison Shopping →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.