Please quote where Kurt made the "sole root cause" claim. I don't feel like reading back through archives, and let's not forget you're the one making the claims here.
--
Espi

On Mon, Sep 2, 2013 at 9:51 PM, Ken Schaefer <[email protected]> wrote:
> From the email you just replied to:
>
> > Certainly the failure was epic, and heads will/should roll.
>
> I thought "heads should roll" was a euphemism that was used in the US? Am I mistaken? Chalk it down to cultural misunderstanding then.
>
> For the record - I'm not excusing failure. Find me anywhere where I've said "too bad, shit happens".
>
> I'm challenging your claim that the sole root cause for this debacle is "incompetent management". You made the claim - you back it up. For the record, I put some reasons out there why I think it's not that simple, by way of explanation for my challenge. However, let's not forget you're the one making the claims here.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Tuesday, 3 September 2013 1:46 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Re: Finally.
>
> So, are you stating that it's your belief that nobody in this incident should be fired?
>
> And, since you don't like my analogy, let's try another - BP in the Gulf of Mexico spilled millions of barrels of crude oil. Should nobody be faulted for failing at that core competency? Or is any failure excusable because, well, it's at scale, and therefore hard?
>
> Kurt
>
> On Sun, Sep 1, 2013 at 8:46 PM, Ken Schaefer <[email protected]> wrote:
> > Faulty analysis IMHO
> >
> > "Making money" is what any for-profit company aims for - not something that is specific to banking. A bank's aim is to marry savers and borrowers. Exxon wants to "make money", but it does that through producing energy products. The NYT aims to "make money", but it does that through selling access to news. Those are the "core missions" of the organisations in question.
> >
> > Likewise, the core mission of the NSA would be to safeguard the USA from external threats, and it does this through the collection and analysis of signals intelligence. The core mission of the NSA isn't to "ensure that nothing ever gets leaked". Just because it has "security" in the name doesn't mean that it's whatever security thing you think is important.
> >
> > Certainly the failure was epic, and heads will/should roll. But you ascribed a single factor as the root cause of the problem, yet you've provided no analysis to justify that claim. All you've provided is a bunch of irrelevancies (how much computing power the NSA has, the fact you've designed more secure systems, and something about banks "making money"). How does any of that show that institutionalised "management incompetence" is at fault here?
> >
> > Cheers
> > Ken
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> > Sent: Monday, 2 September 2013 1:20 PM
> > To: [email protected]
> > Subject: Re: [NTSysADM] Re: Finally.
> >
> > This is an agency which has the name of the National *Security* Agency. It has, nearly since its inception, been at the forefront of both security and computing, with its computing power measured in ACRES - see the Bamford books (especially The Puzzle Palace). It was also known to insiders as "No Such Agency" or "Never Say Anything", and had always been far more secretive (until Bamford published his books) than the other major intelligence agencies, such as DIA, CIA, NRO, etc.
> >
> > If a bank were to so spectacularly fail at its core mission - to make money - for reasons *entirely in its control*, you'd call for someone's job to be vacated, wouldn't you?
> >
> > The NSA failed spectacularly at *its* core mission - security - and regardless of the scale of the organization, it failed utterly. This is one case for which the word 'epic' is warranted. The scope and scale of the failure is astonishing. Many jobs should be vacated.
> >
> > Kurt
> >
> > On Sun, Sep 1, 2013 at 5:21 PM, Ken Schaefer <[email protected]> wrote:
> >> Yes, I think it does.
> >>
> >> Small orgs are much more agile than large enterprises:
> >> - it's easy/easier to gather requirements,
> >> - requirements have fewer conflicts (because there are fewer stakeholders)
> >> - they don't tend to work 24x7 or require 5 9s uptime, so things can be shut down, upgraded, replaced, migrated with relative ease
> >>
> >> The bigger and the more "information heavy" the enterprise is, the less agile it becomes in terms of remediating older systems. Many of the projects for the bank I work for (as a touch point) register hundreds of dependencies - some over a thousand. Just moving a data centre (as an example) is a 42 month exercise. Sometimes things get missed.
> >>
> >> I personally haven't run into any security architects at any of the large accounts I've worked at that have your level of confidence in the systems and processes that they have in place. So, either they're incompetent (possible - I'll give you that), or the problem is more complex than you make it out to be.
> >>
> >> Personally, I think security in non-trivial environments is hard: how do I vet every piece of code coming into my environment? How do I audit it continuously? How do I make sure that no one's restored a backup somewhere? How do I know no one's tapped my network? A business user hasn't mis-applied permissions to an application? Etc. How do I do all of this in a timely manner, so that I close the holes before they're exploited? There is no silver bullet that solves this - which is why everyone's still struggling and we still have incidents.
> >>
> >> Even in well run organisations, using technology largely from a single vendor, there are still outages and things that go wrong (e.g. Microsoft's Azure storage, or the recent O365 outage). I agree that sometimes people do stupid things - I'm sure that happens in small environments too. But in big environments, even with the best intentions, smart people and good processes, things still go wrong.
> >>
> >> Cheers
> >> Ken
> >>
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> >> Sent: Monday, 2 September 2013 9:52 AM
> >> To: [email protected]
> >> Subject: Re: [NTSysADM] Re: Finally.
> >>
> >> Nope. Does that matter? Well, I suppose you think it does, but I doubt it. With scale should come resources, and the NSA obviously does have resources, including people with far more training, and some of whom are smarter, than me.
> >>
> >> There are no excuses for this.
> >>
> >> Kurt
> >>
> >> On Sun, Sep 1, 2013 at 4:25 PM, Ken Schaefer <[email protected]> wrote:
> >>> You've designed "more secure" systems at scale (40K+ employees) in an information heavy organisation (bank, accountancy etc.)?
> >>>
> >>> Cheers
> >>> Ken
> >>>
> >>> -----Original Message-----
> >>> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> >>> Sent: Monday, 2 September 2013 4:01 AM
> >>> To: [email protected]
> >>> Subject: Re: [NTSysADM] Re: Finally.
> >>>
> >>> Aside from reading all those Le Carre novels?
> >>>
> >>> I've already designed more secure systems than were obviously in place, as have many people on this list, perhaps including you.
> >>>
> >>> Kurt
> >>>
> >>> On Sat, Aug 31, 2013 at 7:35 PM, Ken Schaefer <[email protected]> wrote:
> >>>> And what are your qualifications/experience, that allow you to make such a call? (I'm assuming that you have no inside knowledge of how the NSA works, and are relying on the public speculation/allegations at el Reg etc.)
> >>>>
> >>>> Cheers
> >>>> Ken
> >>>>
> >>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> >>>> Sent: Sunday, 1 September 2013 12:03 AM
> >>>> To: [email protected]
> >>>> Subject: Re: [NTSysADM] Re: Finally.
> >>>>
> >>>> On the evidence, absolutely.
> >>>>
> >>>> For an intelligence/espionage operation to be so thoroughly pwned because of such amazingly poor internal operational security, there can be only one conclusion - management responsible for internal security should be fired.
> >>>>
> >>>> I'm just glad they weren't, and I hope that what Snowden took is enough to bring them down, and that it's all revealed to the public.
> >>>>
> >>>> Kurt
> >>>>
> >>>> On Sat, Aug 31, 2013 at 4:20 AM, Ken Schaefer <[email protected]> wrote:
> >>>>
> >>>> So, you're saying that the feared NSA, which has a bunch of un-discovered rootkits, which is able to undertake some of the most advanced espionage in the world, is managed by idiots? Seriously?
> >>>>
> >>>> From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
> >>>> Sent: Saturday, 31 August 2013 6:17 AM
> >>>> To: [email protected]
> >>>> Subject: RE: [NTSysADM] Re: Finally.
> >>>>
> >>>> Generally, from what I have seen in state (Florida) organizations, they don't like promoting anyone but a moron into supervisory positions. Occasionally someone will make a mistake and promote an intelligent person, but not often. I would suspect this is the case with the Feds as well (worked with them too). Several times I have seen them hire those with less brains and longer tongues and large lips over those with brains. As long as this keeps happening, then we will continue to see this happen. It will be a long time before they get rid of all the defective management personnel, as I would think private companies would have little to gain by keeping them (maybe why they seem to concentrate in public jobs?), and in a government job it is MUCH harder to get rid of them.
> >>>>
> >>>> Jon
> >>>>
> >>>> ________________________________
> >>>>
> >>>> Date: Fri, 30 Aug 2013 14:34:15 -0400
> >>>> Subject: Re: [NTSysADM] Re: Finally.
> >>>> From: [email protected]
> >>>> To: [email protected]
> >>>>
> >>>> +13
> >>>>
> >>>> On Aug 30, 2013 11:05 AM, "Kurt Buff" <[email protected]> wrote:
> >>>>
> >>>> On Fri, Aug 30, 2013 at 10:52 AM, Micheal Espinola Jr <[email protected]> wrote:
> >>>>>
> >>>>> I accidentally hit CTRL-Enter before finishing that email... and apparently that's a shortcut to instantly send a message in Gmail. Yay! I love learning new things... but anyways - So, yea, this Forbes article was the first I have seen that highlights the real underlying IT problem regarding Snowden - aside from other OT issues.
> >>>> <snip>
> >>>>>>
> >>>>>> I may have missed some article by someone else somewhere, but It's to see Forbes 'get it' before anyone else...
> >>>>>>
> >>>>>> http://www.forbes.com/sites/timworstall/2013/08/30/if-the-nsa-really-let-edward-snowden-do-this-then-someone-needs-to-be-fired/
> >>>>>>
> >>>>>> --
> >>>>>> Espi
> >>>>
> >>>> Agreed - massive failure on the part of many people in the NSA in implementing security procedures.
> >>>>
> >>>> Of course, what Snowden showed, beyond that, is the massive failure that is government policy and practices regarding surveillance/espionage in general, so I'm actually quite happy Snowden was able to do what he did.
> >>>>
> >>>> Kurt

