I find I have to side with Kurt although that is not to be seen as negating
your own valid points Ken.
The NSA is a special case as regards computing and security compared to what
the vast majority of us are used to in our workaday world. I do expect an
extreme level of security. I do expect a strict definition of who is allowed
to do what and account permissions being created accordingly. I do expect
that the person in charge of the computing side be an employee and
well-versed in the technology being used.
I also expect to win the lottery any day now. Man I'm tired of being
disappointed!
That latter point is likely the aspect that got violated. If I were the head
sys dude in that environment, the one with full admin rights everywhere, the
only person who would have equivalent rights would be my boss and both my
account and his would be 100% logged and archived to be examined by the
security wonks (I'd have a separate user account for my regular activities).
Every single account below me would be restricted to only what was needed
for them to accomplish their assigned tasks and not one bit more.
But that's just me. YMMV
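The account design sketched in the reply above (two full-admin accounts whose use is logged, a separate day-to-day account for each admin, and every other account holding only the rights its role needs) can be audited mechanically. The following is an added example and not code from this thread or any of its participants; the policy constants, account names, hosts, roles and logon events are all constructed to illustrate the checks, and the logon records only mimic the fields of Windows 4624 events rather than being read from a real log.

```python
"""Audit a tiered-admin design against constructed directory and logon data.

Added example, not from the mailing-list thread. Every name, host, role and
event here is constructed; the checks are the point.
"""

# --- Policy (assumed for the example) -----------------------------------------
PRIVILEGED_GROUP = "Domain Admins"
ALLOWED_ADMINS = {"dsmith-adm", "jboss-adm"}   # the head sysadmin and their boss
ADMIN_SUFFIX = "-adm"                          # naming convention for admin accounts
ADMIN_HOSTS = {"PAW01", "PAW02"}               # dedicated admin workstations
ROLE_RIGHTS = {                                # rights each non-admin role may hold
    "helpdesk": {"ResetPassword", "UnlockAccount"},
    "backup": {"BackupFiles", "RestoreFiles"},
    "user": set(),
}

# --- Constructed directory snapshot ---------------------------------------------
GROUP_MEMBERS = {
    # tjones has been added to the full-admin group without being on the allow-list
    "Domain Admins": {"dsmith-adm", "jboss-adm", "tjones"},
}
ACCOUNTS = {
    "dsmith-adm": {"role": "admin", "rights": set()},
    "jboss-adm": {"role": "admin", "rights": set()},
    "dsmith": {"role": "user", "rights": set()},
    "jboss": {"role": "user", "rights": set()},
    # helpdesk account holding a backup right it does not need
    "tjones": {"role": "helpdesk", "rights": {"ResetPassword", "UnlockAccount", "RestoreFiles"}},
    "bkup01": {"role": "backup", "rights": {"BackupFiles", "RestoreFiles"}},
}

# --- Constructed logon records (fields modelled on Windows event 4624) ------------
# Logon type 2 = interactive at the console, 10 = remote interactive (RDP).
LOGONS = [
    {"user": "dsmith-adm", "host": "PAW01", "type": 10},
    {"user": "dsmith-adm", "host": "WS-FINANCE-07", "type": 2},   # admin creds on a user box
    {"user": "dsmith", "host": "WS-IT-03", "type": 2},
    {"user": "jboss-adm", "host": "PAW02", "type": 10},
]


def check_privileged_membership(group_members, allowed):
    """Members of the full-admin group who are not on the allow-list."""
    return sorted(group_members.get(PRIVILEGED_GROUP, set()) - allowed)


def check_account_separation(accounts, group_members):
    """Each admin account needs a paired daily account, and that daily account
    must not itself be in the full-admin group."""
    findings = []
    privileged = group_members.get(PRIVILEGED_GROUP, set())
    for name in accounts:
        if not name.endswith(ADMIN_SUFFIX):
            continue
        daily = name[: -len(ADMIN_SUFFIX)]
        if daily not in accounts:
            findings.append(f"{name}: no separate daily account {daily}")
        elif daily in privileged:
            findings.append(f"{daily}: daily account is in {PRIVILEGED_GROUP}")
    return findings


def check_admin_logons(logons, admin_hosts):
    """Interactive logons by admin accounts from anything but an admin host."""
    return [
        f"{e['user']} logged on to {e['host']} (type {e['type']})"
        for e in logons
        if e["user"].endswith(ADMIN_SUFFIX)
        and e["type"] in (2, 10)
        and e["host"] not in admin_hosts
    ]


def check_least_privilege(accounts, role_rights):
    """Rights granted to a non-admin account beyond what its role allows."""
    findings = {}
    for name, acct in accounts.items():
        if acct["role"] == "admin":
            continue
        extra = acct["rights"] - role_rights[acct["role"]]
        if extra:
            findings[name] = sorted(extra)
    return findings


def audit():
    """Run all four checks over the constructed data and return the findings."""
    return {
        "unexpected_admins": check_privileged_membership(GROUP_MEMBERS, ALLOWED_ADMINS),
        "separation": check_account_separation(ACCOUNTS, GROUP_MEMBERS),
        "admin_logons": check_admin_logons(LOGONS, ADMIN_HOSTS),
        "excess_rights": check_least_privilege(ACCOUNTS, ROLE_RIGHTS),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result or 'ok'}")
```

On the constructed data the audit reports the stray member of Domain Admins, the admin account used interactively on a finance workstation, and the helpdesk account holding a restore right; the separation check comes back clean because both admins have a daily account that is outside the privileged group. In a real environment the same four checks would read group membership from the directory and the logon records from the security event log, which the example deliberately does not do.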
-----Original Message-----
From: Ken Schaefer
Sent: Sunday, September 01, 2013 7:21 PM
To: [email protected]
Subject: RE: [NTSysADM] Re: Finally.
Yes, I think it does.
Small orgs are much more agile than large enterprises:
- it's easy/easier to gather requirements,
- requirements have fewer conflicts (because there are fewer stakeholders)
- they don't tend to work 24x7 or require 5 9s uptime, so things can be
shut down, upgraded, replaced, migrated with relative ease
The bigger and the more "information heavy" the enterprise is, the less
agile it becomes in terms of remediating older systems. Many of the projects
for the bank I work for (as a touch point) register hundreds of
dependencies - some over a thousand. Just moving a data centre (as an
example) is a 42 month exercise. Sometimes things get missed.
I personally haven't run into any security architects at any of the large
accounts I've worked at that have your level of confidence in the systems
and processes that they have in-place. So, either they're incompetent
(possible - I'll give you that), or the problem is more complex than you
make it out to be.
Personally, I think security in non-trivial environments is hard: how do I
vet every piece of code coming into my environment? How do I audit it
continuously? How do I make sure that no one's restored a backup somewhere?
How do I know no one's tapped my network? A business user hasn't mis-applied
permissions to an application? Etc. How do I do all of this in a timely
manner, so that I close the holes before they're exploited? There is no
silver bullet that solves this - which is why everyone's still struggling
and we still have incidents.
Even in well run organisations, using technology largely from a single
vendor, there are still outages and things that go wrong (e.g. Microsoft's
Azure storage, or the recent O365 outage). I agree that sometimes people do
stupid things - I'm sure that happens in small environments too. But in big
environments, even with the best intentions, smart people and good
processes, things still go wrong.
Cheers
Ken
-----Original Message-----
From: [email protected] [mailto:[email protected]]
On Behalf Of Kurt Buff
Sent: Monday, 2 September 2013 9:52 AM
To: [email protected]
Subject: Re: [NTSysADM] Re: Finally.
Nope. Does that matter? Well, I suppose you think it does, but I doubt it.
With scale should come resources, and the NSA obviously does have resources,
including people with far more training, some of whom are smarter, than
me.
There are no excuses for this.
Kurt
On Sun, Sep 1, 2013 at 4:25 PM, Ken Schaefer <[email protected]> wrote:
You've designed "more secure" systems at scale (40K+ employees) in an
information heavy organisation (bank, accountancy etc.)?
Cheers
Ken
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Monday, 2 September 2013 4:01 AM
To: [email protected]
Subject: Re: [NTSysADM] Re: Finally.
Aside from reading all those Le Carre novels?
I've already designed more secure systems than were obviously in place, as
have many people on this list, perhaps including you.
Kurt
On Sat, Aug 31, 2013 at 7:35 PM, Ken Schaefer <[email protected]> wrote:
And what are your qualifications/experience, that allow you to make
such a call? (I’m assuming that you have no inside knowledge of how
the NSA works, and are relying on the public speculation/allegations
at el Reg etc.)
Cheers
Ken
From: [email protected]
[mailto:[email protected]]
On Behalf Of Kurt Buff
Sent: Sunday, 1 September 2013 12:03 AM
To: [email protected]
Subject: Re: [NTSysADM] Re: Finally.
On the evidence, absolutely.
For an intelligence/espionage operation to be so thoroughly pwned
because of such amazingly poor internal operational security, there
can be only one conclusion - management responsible for internal security
should be fired.
I'm just glad they weren't, and I hope that what Snowden took is
enough to bring them down, and that it's all revealed to the public.
Kurt
On Sat, Aug 31, 2013 at 4:20 AM, Ken Schaefer <[email protected]> wrote:
So, you’re saying that the feared NSA, which has a bunch of
un-discovered rootkits, which is able to undertake some of the most
advanced espionage in the world, is managed by idiots? Seriously?
From: [email protected]
[mailto:[email protected]]
On Behalf Of Jon Harris
Sent: Saturday, 31 August 2013 6:17 AM
To: [email protected]
Subject: RE: [NTSysADM] Re: Finally.
Generally, from what I have seen in state (Florida) organizations, they
don't like promoting anyone but a moron into supervisory positions.
Occasionally someone will make a mistake and promote an intelligent
person but not often. I would suspect this is the case with the Feds
as well (worked with them too). Several times I have seen them hire
those with less brains and longer tongues and large lips over those
with brains. As long as this keeps happening then we will continue
to see this happen. It will be a long time before they get rid of
all the defective management personnel as I would think private
companies would have little to gain by keeping them (maybe why they
seem to concentrate in public jobs?) and in a government job it is MUCH
harder to get rid of them.
Jon
________________________________
Date: Fri, 30 Aug 2013 14:34:15 -0400
Subject: Re: [NTSysADM] Re: Finally.
From: [email protected]
To: [email protected]
+13
On Aug 30, 2013 11:05 AM, "Kurt Buff" <[email protected]> wrote:
On Fri, Aug 30, 2013 at 10:52 AM, Micheal Espinola Jr
<[email protected]> wrote:
I accidentally hit CTRL-Enter before finishing that email... and
apparently that's a shortcut to instantly send a message in Gmail. Yay! I
love learning new things... but anyways - So, yea, this Forbes article was
the first I have seen that highlights the real underlying IT problem
regarding Snowden - aside from other OT issues.
<snip>
I may have missed some article by someone else somewhere, but it's
to see Forbes 'get it' before anyone else...
http://www.forbes.com/sites/timworstall/2013/08/30/if-the-nsa-really-let-edward-snowden-do-this-then-someone-needs-to-be-fired/
--
Espi
Agreed- massive failure on the part of many people in the NSA in
implementing security procedures.
Of course, what Snowden showed, beyond that, is the massive failure
that is government policy and practices regarding
surveillance/espionage in general, so I'm actually quite happy
Snowden was able to do what he did.
Kurt