You may be hearing a knock on the door any minute!

Sent from my iPad

On Sep 1, 2013, at 4:03 PM, Webster <[email protected]> wrote:

> Not that it means anything to this discussion but I can make a guess as to some of the software the NSA uses. They have emailed me a couple of times for copies of my signed scripts since they block Dropbox (pre Snowden). They have also asked for signed copies of my PDFs since unsigned versions are not allowed.
>
> Maybe the NSA reads my site since I get hits from Iran, Iraq and several of the “stans”. :)
>
> Carl Webster
> Consultant and Citrix Technology Professional
> http://www.CarlWebster.com
>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Chenault
> Sent: Sunday, September 01, 2013 1:08 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Re: Finally.
>
> Yes, I do think it matters especially in terms of OpSec (this is not Joe’s Widget Company we’re talking about after all). Are Lieutenants told the full details of a battle plan, or only what they need to know to do their job? How about Sergeants? Continuing the battlefield analogy, what about contractors (mercenaries in that context)?
> If you would prefer, the next time I mention the granularity of “Unix permission” I will include with that a 20-page discussion on what I mean by “Unix permissions.” If I mention the 1st Amendment do I have to include the full text of the amendment? Or can we just stipulate in the interest of brevity that that is not necessary and is already understood?
> Permissions flow downward. The primary one handing out the permissions should be a stakeholder. The persons below him do have the access he has. Sub-admins is hardly a new concept; they can be contractors and often are. Authority can be delegated; responsibility cannot.
>
> From: Ken Schaefer
> Sent: Sunday, September 01, 2013 4:00 AM
> To: [email protected]
> Subject: RE: [NTSysADM] Re: Finally.
>
> Do you think it matters, in this case, whether it’s an FTE or a contractor that has “the keys to the kingdom” – they’d all need to go through the necessary security clearance, and have the right citizenship etc.? For someone who /wants/ to betray their country (e.g. for ideological reasons or monetary inducements), do you think their employment status really matters? Especially if the penalty for getting caught might include being charged with treason?
>
> In a large org like NSA, it’s not a matter of simply knowing “UNIX permissions” – that’s a gross over-simplification of the types of systems a large organisation would have. There’d probably be multiple Windows/AD and Windows/standalone environments, multiple UNIX environments, multiple mainframe/host environments, plus multiple systems when application permissions were used. There is no single “key to the kingdom” or a person that has such a key – except the Head/CEO/etc.
>
> If you’re saying that every privileged user, from the developer that might implement a back door, to the network admin who might trace traffic, to the backup operator that might duplicate a backup to the person who manages the HR system and who could create a “fake” identity, needs to be an FTE, then I think you’ll find that just about every large business and government agency is “in breach” of your fundamental security principles.
>
> Cheers
> Ken
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Chenault
> Sent: Wednesday, 4 September 2013 3:08 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Re: Finally.
>
> Why were the keys to the castle given to a contractor, a non-stakeholder? While we may see a certain amount of laxity in this in industry and business (not to say that's okay, it just happens) in such a sensitive environment, one with a very real potential to be the target of espionage, the keys to the castle should only reside in the hands of an employee. An extremely well-trusted one with a complete knowledge of computer security including using the granularity of Unix permissions to create admin accounts and groups with specific perms to do specific functions.
> A contractor, in the context of the role within the organization, is not a stakeholder. If the company or organization fails the only impact to the contractor is it's time to find another contract (assuming he wasn't the cause). Time to find another contract is business-as-usual for a contractor.
> When one speaks of "tight security protocols" this is part of the discussion: a very clear understanding of each position's role within the organization, how it furthers the mission, the liabilities associated with the position and a plan to ameliorate those liabilities. That discussion comes before filling the position with an asset as that also defines the type of asset; in this context it is employee or contractor. The proper answer is that the system administrator, the ultimate holder of all security secrets, the role with complete trust, is someone who has a stake in the success of the mission and is under the direct authority of a key stakeholder if not key himself.
> A contractor in such a sensitive environment should never have the full authority of that administrator delegated to him. That violates the whole idea of high security and the reason granularity is exposed in the computer security model (implementation-specific).
> I consider the above to be a rational and reasoned short examination of how and why the assignments of roles and permissions are to be defined in any organization where the word "security" is used as part of the priorities and goals. The higher the need for tight security (say, 1-10) the more scrutiny each role is given and permissions defined. For the NSA I would say the need is 11.
> But that's all just my opinion late on a Saturday night. I could be wrong.
>
> On Aug 31, 2013, at 21:37, "Ken Schaefer" <[email protected]> wrote:
>
> And what are your qualifications/experience, that allow you to make such a call? (I’m assuming that you have no inside knowledge of how the NSA works, and are relying on the public speculation/allegations at el Reg etc.)
>
> Cheers
> Ken
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Sunday, 1 September 2013 12:03 AM
> To: [email protected]
> Subject: Re: [NTSysADM] Re: Finally.
>
> On the evidence, absolutely.
>
> For an intelligence/espionage operation to be so thoroughly pwned because of such amazingly poor internal operational security, there can be only one conclusion - management responsible for internal security should be fired.
>
> I'm just glad they weren't, and I hope that what Snowden took is enough to bring them down, and that it's all revealed to the public.
>
> Kurt
>
>
> On Sat, Aug 31, 2013 at 4:20 AM, Ken Schaefer <[email protected]> wrote:
> So, you’re saying that the feared NSA, which has a bunch of un-discovered rootkits, which is able to undertake some of the most advanced espionage in the world, is managed by idiots? Seriously?
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
> Sent: Saturday, 31 August 2013 6:17 AM
> To: [email protected]
> Subject: RE: [NTSysADM] Re: Finally.
>
> Generally from what I have seen in state (Florida) organizations is that they don't like promoting anyone but a moron into supervisory positions. Occasionally someone will make a mistake and promote an intelligent person but not often. I would suspect this is the case with the Feds as well (worked with them too). Several times I have seen them hire those with less brains and longer tongues and large lips over those with brains. As long as this keeps happening then we will continue to see this happen. It will be a long time before they get rid of all the defective management personnel as I would think private companies would have little to gain by keeping them (maybe why they seem to concentrate in public jobs?) and in a government job it is MUCH harder to get rid of them.
>
> Jon
>
> Date: Fri, 30 Aug 2013 14:34:15 -0400
> Subject: Re: [NTSysADM] Re: Finally.
> From: [email protected]
> To: [email protected]
>
> +13
> On Aug 30, 2013 11:05 AM, "Kurt Buff" <[email protected]> wrote:
> On Fri, Aug 30, 2013 at 10:52 AM, Micheal Espinola Jr <[email protected]> wrote:
> >
> > I accidentally hit CTRL-Enter before finishing that email... and apparently that's a shortcut to instantly-send a message in Gmail. Yay! I love learning new things... but anyways - So, yea, this Forbes article was the first I have seen that highlights the real underlying IT problem regarding Snowden - aside from other OT issues.
> <snip>
> >>
> >> I may have missed some article by someone else somewhere, but Its to see Forbes 'get it' before anyone else...
> >>
> >> http://www.forbes.com/sites/timworstall/2013/08/30/if-the-nsa-really-let-edward-snowden-do-this-then-someone-needs-to-be-fired/
> >>
> >> --
> >> Espi
>
> Agreed- massive failure on the part of many people in the NSA in implementing security procedures.
>
> Of course, what Snowden showed, beyond that, is the massive failure that is government policy and practices regarding surveillance/espionage in general, so I'm actually quite happy Snowden was able to do what he did.
>
> Kurt

