Why were the keys to the castle given to a contractor, a non-stakeholder? While 
we may see a certain amount of laxity in this in industry and business (not to 
say that's okay, it just happens) in such a sensitive environment, one with a 
very real potential to be the target of espionage, the keys to the castle 
should only reside in the hands of an employee. An extremely well-trusted one 
with a complete knowledge of computer security including using the granularity 
of Unix permissions to create admin accounts and groups with specific perms to 
do specific functions.

A contractor, in the context of the role within the organization, is not a 
stakeholder. If the company or organization fails the only impact to the 
contractor is it's time to find another contract (assuming he wasn't the 
cause). Time to find another contract is business-as-usual for a contractor.

When one speaks of "tight security protocols" this is part of the discussion: a 
very clear understanding of each position's role within the organization, how 
it furthers the mission, the liabilities associated with the position and a 
plan to ameliorate those liabilities. That discussion comes before filling the 
position with an asset as that also defines the type of asset; in this context 
it is employee or contractor. The proper answer is that the system 
administrator, the ultimate holder of all security secrets, the role with 
complete trust, is someone who has a stake in the success of the mission and is 
under the direct authority of a key stakeholder if not key himself.

A contractor in such a sensitive environment should never have the full 
authority of that administrator delegated to him. That violates the whole idea 
of high security and the reason granularity is exposed in the computer security 
model (implementation-specific).

I consider the above to be a rational and reasoned short examination of how 
and why the assignments of roles and permissions are to be defined in any 
organization where the word "security" is used as part of the priorities and 
goals. The higher the need for tight security (say, 1-10) the more scrutiny 
each role is given and permissions defined. For the NSA I would say the need is 
11.

But that's all just my opinion late on a Saturday night. I could be wrong.

On Aug 31, 2013, at 21:37, "Ken Schaefer" <[email protected]> wrote:

> And what are your qualifications/experience, that allow you to make such a 
> call? (I’m assuming that you have no inside knowledge of how the NSA works, 
> and are relying on the public speculation/allegations at el Reg etc.)
>  
> Cheers
> Ken
>  
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of Kurt Buff
> Sent: Sunday, 1 September 2013 12:03 AM
> To: [email protected]
> Subject: Re: [NTSysADM] Re: Finally.
>  
> On the evidence, absolutely.
> 
> For an intelligence/espionage operation to be so thoroughly pwned because of 
> such amazingly poor internal operational security, there can be only one 
> conclusion - management responsible for internal security should be fired.
> 
> I'm just glad they weren't, and I hope that what Snowden took is enough to 
> bring them down, and that it's all revealed to the public.
>  
> Kurt
>  
> 
> On Sat, Aug 31, 2013 at 4:20 AM, Ken Schaefer <[email protected]> wrote:
> So, you’re saying that the feared NSA, which has a bunch of un-discovered 
> rootkits, which is able to undertake some of the most advanced espionage in the 
> world, is managed by idiots? Seriously?
>  
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of Jon Harris
> Sent: Saturday, 31 August 2013 6:17 AM
> To: [email protected]
> Subject: RE: [NTSysADM] Re: Finally.
>  
> Generally from what I have seen in state (Florida) organizations is that they 
> don't like promoting anyone but a moron into supervisory positions. 
> Occasionally someone will make a mistake and promote an intelligent person 
> but not often. I would suspect this is the case with the Feds as well 
> (worked with them too). Several times I have seen them hire those with less 
> brains and longer tongues and large lips over those with brains. As long as 
> this keeps happening then we will continue to see this happen. It will be a 
> long time before they get rid of all the defective management personnel as I 
> would think private companies would have little to gain by keeping them 
> (maybe why they seem to concentrate in public jobs?) and in a government job 
> it is MUCH harder to get rid of them.
>  
> Jon
>  
> Date: Fri, 30 Aug 2013 14:34:15 -0400
> Subject: Re: [NTSysADM] Re: Finally.
> From: [email protected]
> To: [email protected]
> 
> +13
> On Aug 30, 2013 11:05 AM, "Kurt Buff" <[email protected]> wrote:
> On Fri, Aug 30, 2013 at 10:52 AM, Micheal Espinola Jr
> <[email protected]> wrote:
> >
> > I accidentally hit CTRL-Enter before finishing that email...   and 
> > apparently that's a shortcut to instantly-send a message in Gmail.  Yay!  I 
> > love learning new things...   but anyways - So, yea, this Forbes article 
> > was the first I have seen that highlights the real underlying IT problem 
> > regarding Snowden - aside from other OT issues.
> <snip>
> >>
> >> I may have missed some article by someone else somewhere, but it's to see 
> >> Forbes 'get it' before anyone else...
> >>
> >> http://www.forbes.com/sites/timworstall/2013/08/30/if-the-nsa-really-let-edward-snowden-do-this-then-someone-needs-to-be-fired/
> >>
> >> --
> >> Espi
> 
> 
> Agreed- massive failure on the part of many people in the NSA in
> implementing security procedures.
> 
> Of course, what Snowden showed, beyond that, is the massive failure
> that is government policy and practices regarding
> surveillance/espionage in general, so I'm actually quite happy Snowden
> was able to do what he did.
> 
> Kurt
> 
>  
