Which brings me back to something a successful businessman told me: all mistakes are due to either laziness or incompetence. I have yet to prove him wrong. In the context: I don’t want to do the work of creating a security protocol and then having to create all the sub-admins and relevant groups. Let the contractor handle it. That’s lazy. Not only do I not know how to set security permissions, I didn’t even know that could be done. That’s incompetence. I just can’t wrap my mind around the idea of someone knowingly creating this open door without there being some pay-off in the end-game.
From: Jon Harris
Sent: Tuesday, September 03, 2013 2:32 PM
To: [email protected]
Subject: RE: [NTSysADM] Re: Finally.

Ken

I think there is a big difference between cultures in this case. Government is more of an "old boys club" that promotes (at least from what I have seen personally) on the basis of who can do what for the person doing the hiring, or to pay off some "favor" the person or a person supporting the hire did. These people, at the NSA and a lot of the other 3 letter GOV, are either former or kin to former military. Not all are but they are outnumbered by those that are. Look at all the really stupid things the military has done, not just the US but all of them. They let their egos control what they think they can do and to whom they can do it. Many of the private businesses I have seen would not put up with this attitude nor would they care if there was a favor owed. They want someone that can do the job first. Sure some private businesses run as an "old boys club" but when they do they end up killing the business. Only the GOV has unlimited resources (1) to keep paying incompetents to run things and to also protect them from getting fired or prosecuted.

Jon

(1) They just up taxes or take money from other things to make up the lost money.

> From: [email protected]
> To: [email protected]
> Subject: RE: [NTSysADM] Re: Finally.
> Date: Tue, 3 Sep 2013 04:51:26 +0000
>
> From the email you just replied to:
>
> > Certainly the failure was epic, and heads will/should roll.
>
> I thought "heads should roll" was a euphemism that was used in the US? Am I mistaken? Chalk it down to cultural misunderstanding then.
>
> For the record - I'm not excusing failure. Find me anywhere where I've said "too bad, shit happens"
>
> I'm challenging your claim that the sole root cause for this debacle is "incompetent management". You made the claim - you back it up.
> For the record, I put some reasons out there why I think it's not that simple, by way of explanation for my challenge. However, let's not forget you're the one making the claims here.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Tuesday, 3 September 2013 1:46 PM
> To: [email protected]
> Subject: Re: [NTSysADM] Re: Finally.
>
> So, are you stating that it's your belief that nobody in this incident should be fired?
>
> And, since you don't like my analogy, let's try another - BP in the Gulf of Mexico spilled millions of barrels of crude oil. Should nobody be faulted for failing at that core competency? Or is any failure excusable because, well, it's at scale, and therefore hard?
>
> Kurt
>
> On Sun, Sep 1, 2013 at 8:46 PM, Ken Schaefer <[email protected]> wrote:
> > Faulty analysis IMHO
> >
> > "Making money" is what any for-profit company aims for - not something that is specific to banking. A bank's aim is to marry savers and borrowers. Exxon wants to "make money", but it does that through producing energy products. The NYT aims to "make money", but it does that through selling access to news. Those are the "core missions" of the organisations in question.
> >
> > Likewise, the core mission of the NSA would be to safeguard the USA from external threats, and it does this through the collection and analysis of signals intelligence. The core mission of the NSA isn't to "ensure that nothing ever gets leaked". Just because it has "security" in the name doesn't mean that it's whatever security thing you think is important.
> >
> > Certainly the failure was epic, and heads will/should roll. But you ascribed a single factor as the root cause of the problem, yet you've provided no analysis to justify that claim.
> > All you've provided is a bunch of irrelevancies (how much computing power the NSA has, the fact you've designed more secure systems, and something about banks "making money"). How does any of that show that institutionalised "management incompetence" is at fault here?
> >
> > Cheers
> > Ken
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> > Sent: Monday, 2 September 2013 1:20 PM
> > To: [email protected]
> > Subject: Re: [NTSysADM] Re: Finally.
> >
> > This is an agency which has the name of the National *Security* Agency. It has, nearly since its inception, been at the forefront of both security and computing, with its computing power measured in ACRES - see the Bamford books (especially The Puzzle Palace). It was also known to insiders as "No Such Agency" or "Never Say Anything", and had always been far more secretive (until Bamford published his books) than the other major intelligence agencies, such as DIA, CIA, NRO, etc.
> >
> > If a bank were to so spectacularly fail at its core mission - to make money - for reasons *entirely in its control*, you'd call for someone's job to be vacated, wouldn't you?
> >
> > The NSA failed spectacularly at *its* core mission - security - and regardless of the scale of the organization, it failed utterly. This is one case for which the word 'epic' is warranted. The scope and scale of the failure is astonishing. Many jobs should be vacated.
> >
> > Kurt
> >
> > On Sun, Sep 1, 2013 at 5:21 PM, Ken Schaefer <[email protected]> wrote:
> >> Yes, I think it does.
> >>
> >> Small orgs are much more agile than large enterprises:
> >> - it's easy/easier to gather requirements,
> >> - requirements have fewer conflicts (because there are fewer stakeholders)
> >> - they don't tend to work 24x7 or require 5 9s uptime, so things can be shut down, upgraded, replaced, migrated with relative ease
> >>
> >> The bigger and the more "information heavy" the enterprise is, the less agile it becomes in terms of remediating older systems. Many of the projects for the bank I work for (as a touch point) register hundreds of dependencies - some over a thousand. Just moving a data centre (as an example) is a 42-month exercise. Sometimes things get missed.
> >>
> >> I personally haven't run into any security architects at any of the large accounts I've worked at that have your level of confidence in the systems and processes that they have in place. So, either they're incompetent (possible - I'll give you that), or the problem is more complex than you make it out to be.
> >>
> >> Personally, I think security in non-trivial environments is hard: how do I vet every piece of code coming into my environment? How do I audit it continuously? How do I make sure that no one's restored a backup somewhere? How do I know no-one's tapped my network? A business user hasn't mis-applied permissions to an application? Etc. How do I do all of this in a timely manner, so that I close the holes before they're exploited? There is no silver bullet that solves this - which is why everyone's still struggling and we still have incidents.
> >>
> >> Even in well run organisations, using technology largely from a single vendor, there's still outages and things that go wrong (e.g. Microsoft's Azure storage, or the recent O365 outage). I agree that sometimes people do stupid things - I'm sure that happens in small environments too.
> >> But in big environments, even with the best intentions, smart people and good processes, things still go wrong.
> >>
> >> Cheers
> >> Ken
> >>
> >> -----Original Message-----
> >> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> >> Sent: Monday, 2 September 2013 9:52 AM
> >> To: [email protected]
> >> Subject: Re: [NTSysADM] Re: Finally.
> >>
> >> Nope. Does that matter? Well, I suppose you think it does, but I doubt it. With scale should come resources, and the NSA obviously does have resources, including people with far more training, and some of whom are smarter, than me.
> >>
> >> There are no excuses for this.
> >>
> >> Kurt
> >>
> >> On Sun, Sep 1, 2013 at 4:25 PM, Ken Schaefer <[email protected]> wrote:
> >>> You've designed "more secure" systems at scale (40K+ employees) in an information heavy organisation (bank, accountancy etc.)?
> >>>
> >>> Cheers
> >>> Ken
> >>>
> >>> -----Original Message-----
> >>> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> >>> Sent: Monday, 2 September 2013 4:01 AM
> >>> To: [email protected]
> >>> Subject: Re: [NTSysADM] Re: Finally.
> >>>
> >>> Aside from reading all those Le Carre novels?
> >>>
> >>> I've already designed more secure systems than were obviously in place, as have many people on this list, perhaps including you.
> >>>
> >>> Kurt
> >>>
> >>> On Sat, Aug 31, 2013 at 7:35 PM, Ken Schaefer <[email protected]> wrote:
> >>>> And what are your qualifications/experience, that allow you to make such a call? (I’m assuming that you have no inside knowledge of how the NSA works, and are relying on the public speculation/allegations at el Reg etc.)
> >>>>
> >>>> Cheers
> >>>>
> >>>> Ken
> >>>>
> >>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> >>>> Sent: Sunday, 1 September 2013 12:03 AM
> >>>> To: [email protected]
> >>>> Subject: Re: [NTSysADM] Re: Finally.
> >>>>
> >>>> On the evidence, absolutely.
> >>>>
> >>>> For an intelligence/espionage operation to be so thoroughly pwned because of such amazingly poor internal operational security, there can be only one conclusion - management responsible for internal security should be fired.
> >>>>
> >>>> I'm just glad they weren't, and I hope that what Snowden took is enough to bring them down, and that it's all revealed to the public.
> >>>>
> >>>> Kurt
> >>>>
> >>>> On Sat, Aug 31, 2013 at 4:20 AM, Ken Schaefer <[email protected]> wrote:
> >>>>
> >>>> So, you’re saying that the feared NSA, which has a bunch of un-discovered rootkits, which is able to undertake some of the most advanced espionage in the world, is managed by idiots? Seriously?
> >>>>
> >>>> From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
> >>>> Sent: Saturday, 31 August 2013 6:17 AM
> >>>> To: [email protected]
> >>>> Subject: RE: [NTSysADM] Re: Finally.
> >>>>
> >>>> Generally from what I have seen in state (Florida) organizations is that they don't like promoting anyone but a moron into supervisory positions. Occasionally someone will make a mistake and promote an intelligent person but not often. I would suspect this is the case with the Feds as well (worked with them too). Several times I have seen them hire those with less brains and longer tongues and large lips over those with brains. As long as this keeps happening then we will continue to see this happen.
> >>>> It will be a long time before they get rid of all the defective management personnel as I would think private companies would have little to gain by keeping them (maybe why they seem to concentrate in public jobs?) and in a government job it is MUCH harder to get rid of them.
> >>>>
> >>>> Jon
> >>>>
> >>>> ________________________________
> >>>>
> >>>> Date: Fri, 30 Aug 2013 14:34:15 -0400
> >>>> Subject: Re: [NTSysADM] Re: Finally.
> >>>> From: [email protected]
> >>>> To: [email protected]
> >>>>
> >>>> +13
> >>>>
> >>>> On Aug 30, 2013 11:05 AM, "Kurt Buff" <[email protected]> wrote:
> >>>>
> >>>> On Fri, Aug 30, 2013 at 10:52 AM, Micheal Espinola Jr <[email protected]> wrote:
> >>>>>
> >>>>> I accidentally hit CTRL-Enter before finishing that email... and apparently that's a shortcut to instantly-send a message in Gmail. Yay! I love learning new things... but anyways - So, yea, this Forbes article was the first I have seen that highlights the real underlying IT problem regarding Snowden - aside from other OT issues.
> >>>> <snip>
> >>>>>>
> >>>>>> I may have missed some article by someone else somewhere, but it's to see Forbes 'get it' before anyone else...
> >>>>>>
> >>>>>> http://www.forbes.com/sites/timworstall/2013/08/30/if-the-nsa-really-let-edward-snowden-do-this-then-someone-needs-to-be-fired/
> >>>>>>
> >>>>>> --
> >>>>>> Espi
> >>>>
> >>>> Agreed - massive failure on the part of many people in the NSA in implementing security procedures.
> >>>>
> >>>> Of course, what Snowden showed, beyond that, is the massive failure that is government policy and practices regarding surveillance/espionage in general, so I'm actually quite happy Snowden was able to do what he did.
> >>>>
> >>>> Kurt

