Inspector General Says NSA Still Hasn't Implemented Its Post-Snowden Internal Security Measures (techdirt.com) 68
An anonymous reader quotes a report from Techdirt: In the immediate aftermath of an NSA contractor springing numerous leaks back in 2013, the NSA vowed this would never happen again. It has happened again and it hasn't just been documents. It's also been software exploits, which contributed to a worldwide plague of ransomware. The NSA was going to make sure no one could just walk out of work with thousands of sensitive documents. It laid out a plan to exercise greater control over access and fail safe procedures meant to keep free-spirited Snowdens in check. The NSA is the world's most powerful surveillance agency. It is also a sizable bureaucracy. Over the past half-decade, the NSA has talked tough about tighter internal controls. But talk is cheap -- at least labor-wise. Actual implementation takes dedication and commitment. The NSA just doesn't have that in it, according to a recent Inspector General's report: "The nation's cyber spy agency is suffering from substantial cyber vulnerabilities, according to a first-of-its-kind unclassified audit overview from the agency's inspector general released Wednesday. Those vulnerabilities include computer system security plans that are inaccurate or incomplete, removable media that aren't properly scanned for viruses, and an inadequate process for tracking the job duties of National Security Agency cyber defenders to ensure they're qualified for the highest-level work they do, according to the overview."
Re: Fact is this is the Deep State At work. (Score:1)
nsa domains not secured (Score:1)
Most of the domains (including backchannel ones) are not secured via DNSSEC or have IPv6 addresses, which goes to show they can't run a network at the best of times...
(excuses about simpler or that they are subject to DDOS are pretty pathetic)
What can the US gov do? (Score:2)
Two contractors working together at all times? They both know one of them never got the needed security clearance?
10 contractors on site and what % can't be trusted? Get the buddy system wrong and risk two people totally lacking in security clearances working together?
One wants to sell NSA secrets? One wants to give away NSA secrets for politics? One is an anti war activist? One with split loyalty to another natio
Re: (Score:2)
Keep things as they are now and watch for any interaction between journalists and whistleblowers? That's a risk and the data could be published.
Collect on all US journalists who work on gov/mil stories for any sign of a new gov/mil contact?
Watch all US mil/gov workers, contractors for any political and lifestyle changes?
Do security clearances before accepting staff so people with security problems and any split loyalty problems never get a security clearance?
Think of the
Re: (Score:1)
They already do those things mentioned above, and maybe have best friend snitch awards, and concern lines.
THE problem is the gig economy. Both Employer and employee have no loyalty other than collecting a paycheck for as long as possible. No career stability or promotions? Screw that, and some splinter of SJW may pop into one's head.
Then you have envy. Contractors getting big bucks for the same work, stealing credit or in the way of a career path.
Treating your employees well is a good start, but ride them hard
Re: (Score:1)
Gawd. Even the serious-looking responses are trolls.
Re:What can the US gov do? (Score:5, Insightful)
What does "politics" or "faith group" even mean in your post? Many would point to a good chunk of our currently elected lawmakers in the Federal government who are associated with Dominion theology [wikipedia.org], "end timers", and other now-deeply ingrained ideals. Are you wanting non-political persons only? According to the Eastern Orthodox church, every Christian religious group that is associated with the Baptists is considered a "heretical cult". One third of the current US population doesn't believe anything the US intelligence agencies say about foreign politics and blindly believes anything Trump says, another third think his actions are nearly treasonous, so the idea of a "political litmus test" is a very tricky barrier; and is probably illegal anyway (there are Supreme Court cases around this). We currently have POTUS staff who are potentially (I say this because there have yet to be hearings, trials, or such) in violation of the Hatch Act, so even the very top of this food chain is contaminated.
If you define a "criminal past" as the FBI does, that only eliminates around 29% of the US population. If you take it further, and cull out anyone with any negative relations with law enforcement, including non-felonies, then it's more like half of black males and almost 40 percent of white males [sagepub.com]. Combined with the low pay, and one ends up in the position we are currently in: not enough people to do the job.
While I understand what you're getting at, your idea would require a huge, non-partisan overhaul of the underlying "security form" system. We can't even manage to approve money to have a plan to secure our elections in any meaningful way, and your idea goes directly against the ideals of the current administration and many elected officials. They want people who believe in the scourge of the "Deep State", not people who are willing to go work for the Deep State...by which I define "deep state" as the unelected bureaucratic apparatus that keeps the government functional in its day-to-day workings. Many of the appointed Cabinet heads have publicly said they want to dismantle the bulk of the Federal government, so good luck finding anyone that fits your list who is willing to take home 80% of the average wage for their position.
Re: (Score:2)
Spies then become a new best friend enjoying that same lifestyle.
Spies just go for the demand to spy to keep the secret.
That's why most advanced security services don't like criminals. Too much risk and too much talking to new friends.
Re: (Score:2)
If you take it further, and cull out anyone with any negative relations with law enforcement,
And if you grew up in a town where law enforcement is cozy with the "faith groups" and you are not, you've probably got a few points against you going in to a background check. But this isn't as much of a problem as you might think (or wasn't when I went through the process). The FBI* considers most of these police forces and courts as a bunch of hillbilly hicks, and takes what they say with a grain of salt.
*I have no idea what the situation/policies are like now that OPM has taken over responsibilities fo
Re: (Score:2)
Used to be a time that the church, synagogue, or temple that you went to had little correlation to your political views. Today religion and politics are tightly tied together. Everything's political now, people will judge you on what type of coffee you drink.
Re: (Score:2)
They're copying what corporations do. The US government as a whole has gotten far too enamored by contractors. The reasons contractors are used in corporations is to get around corporate rules and procedures; easier to hire, easier to fire, interviews are waived, required trainings are bypassed, their decisions often must be accepted despite opposition from actual employees. You end up with less accountability. With government, there are similar issues. Contractors don't add in to head count so much depe
Flow of secrets (Score:3, Interesting)
NSA continues to spy on the rest of the world, with the help of 5 eyes countries. 5 Eyes countries are protected by 'agreements'. Agreements like 'trade-agreements', are not enforceable when dealing with a bad-actor. If he won't abide by trade-agreements, why would he and his boss in Moscow abide by no-spy agreements?
https://www.usatoday.com/story/news/2017/01/26/report-arrested-russian-intel-officer-allegedly-spied-us/97094696/
This is what happened to US spies, 6 days after Trump got to power, and got access to the unredacted names of the spies mentioned in the pee pee memos, he passed the names over to Putin as revenge:
"A senior Russian intelligence officer and cybersecurity investigator arrested last month on treason charges allegedly was passing information to U.S. intelligence services, according to Russian media outlets. Sergei Mikhailov, who worked for the FSB, the successor to the KGB, was arrested in December, along with Ruslan Stoyanov, a top manager for Russia's largest cybersecurity firm, according to the economic newspaper Kommersant. Stoyanov was also charged with suspicion of treason. In addition, two other people, including Major Dmitry Dokuchaev, also an FSB officer, were arrested in connection with the case, according to Russia's REN-TV. The fourth person was not identified."
Once you start stripping away the privacy protections and replace checks and balances with faith and trust, it only takes one bad actor in the right position to undermine the whole system. One foreign puppet and that's all it takes to flip a nation. Because the nation already did the work needed, and there'll always be people who'll sell out their country in pursuit of their party flag. Fox News (Hannity-Cohen payments), One America News (old man Robert Herring invited to Russia, married a hot sexy Russian woman and turned his news network into a pro-Russia fluff cable network) etc., etc.
You let NSA spy on everyone on a promise not to look at some of the data, and then you put someone above them who always lies, has dodgy foreign friends, and never keeps promises.
Re:SOP (Score:4, Insightful)
Seeing what I have seen in regards to security vulnerabilities reported to institutions and the general paralysis that ensues when anyone brings up real security in just about any organization...none of this surprises me...at all. In fact, I would have predicted nothing would be done, especially given the tell where the institution focuses on a single perpetrator or incident when in fact that is not at all the problem. When their security sucks, and they don't get it and can't fix it because they suck, they spin the focus on Snowden or whatever evil hacker du jour.
The issue is not the NSA's internal security. That's not what causes the leaks we've seen.
The problem is the NSA itself performing domestic spying.
The NSA will remain under attack by the NSA's own workers and the US's own citizens until that changes because the NSA has made itself the enemy.
Strat
Re: (Score:1)
the NSA has made itself the enemy.
So much this.
The NSA has turned into the exact threat it was supposedly instituted to guard against from foreign states.
Re:SOP -- and despite huge efforts to do it right (Score:2)
The US security services and armed forces did a huge, expensive effort to provide military-grade confidentiality years ago, implemented on Multics, and later on Solaris and HP-UX. More recently, on Linux. They even had an example of the 'net, Dockmaster.MIL
Then they decided not to use it, because it took a week course to learn how to administer a Trusted Solaris system.
Too much work; didn't do.
Cyber spy media not scanned for viruses? (Score:5, Insightful)
Jesus tapdancing Christ on rollerskates, the FSB must be laughing into their soup
Re: (Score:2)
For now many nations have great insight into US tasking and other agency thinking due to their well placed generations of human spies.
As long as the spies don't go looking up projects they are not cleared for they can go on spying for decades.
The NSA will find anyone internally searching for projects and terms beyond their approved projects.
As USA only accepted very best into other agencies, that was a guaranteed way to totally understand thinking and top policy
Reliable experts for public encryption policy (?) (Score:2)
And don't forget, kids: this is the agency which is constantly telling us we can safely backdoor encryption!
(Well, maybe that's mainly the FBI, instead. But I still trust them just as much as I'd trust the NSA.)
Too busy (Score:2, Interesting)
Too busy pursuing their mission outside the mission itself and the bounds of constitutional practice.
That said, I have trouble believing this, or really any offer of information to the public from government agencies. Sounds like a honeypot, or a false reveal of vulnerability. Who trusts any of them at face value?
They should hire someone strong for that (Score:2)
Gov Security at its best or ... (Score:1)
... are there other circumstances hidden from the public?
To me as an outsider it seems most government digital security agencies are more prioritized on spying on civilians than actually securing the state they're operating for.
So securing their own assets is not on top of the list as it is described in the article.
But also contractors might have a deal in this, as soon as the security has been tightened they might not be able to perform duties or they're not necessary anymore.
Perhaps a combination of a multi
first things first (Score:2)
Inspector General Says NSA Still Hasn't Implemented Its Post-Snowden Internal Security Measures
Hey now, they've been pretty busy gathering intel on non standard presidential candidates and stuff.
Sheesh, what's your hurry?
Spies Apply (Score:4, Insightful)
Given that low level people can access info beyond their pay grade, I'd assume spies are everywhere within the system.
If Snowden exposed anything - it's how poor the security is and that people could easily steal data and give it to foreign governments. Should the person desire to do that of course.
Re: (Score:2)
Given that low level people can access info beyond their pay grade,
Who are you calling 'low level'?
-- BOFH
Re: (Score:2)
A relative statement of course.