All mistakes? Interesting generalization. I had a businesswoman tell me all generalizations are false...and I've yet to prove her wrong

- WJR

On Tue, Sep 3, 2013 at 2:45 PM, Daniel Chenault <[email protected]> wrote:

> Which brings me back to something a successful businessman told me: all mistakes are due to either laziness or incompetence.
> I have yet to prove him wrong.
> In the context: I don't want to do the work of creating a security protocol and then having to create all the sub-admins and relevant groups. Let the contractor handle it. That's lazy.
> Not only do I not know how to set security permissions, I didn't even know that could be done. That's incompetence.
> I just can't wrap my mind around the idea of someone knowingly creating this open door without there being some pay-off in the end-game.
>
> *From:* Jon Harris <[email protected]>
> *Sent:* Tuesday, September 03, 2013 2:32 PM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] Re: Finally.
>
> Ken I think there is a big difference between cultures in this case. Government is more of an "old boys club" that promotes (at least from what I have seen personally) on the basis of who can do what for the person doing the hiring, or to pay off some "favor" the person or a person supporting the hire did. These people, at the NSA and a lot of the other 3 letter GOV, are either former or kin to former military. Not all are but they are outnumbered by those that are. Look at all the really stupid things the military has done, not just the US but all of them. They let their egos control what they think they can do and to whom they can do it.
>
> Many of the private businesses I have seen would not put up with this attitude nor would they care if there was a favor owed. They want someone that can do the job first. Sure some private businesses run as an "old boys club" but when they do they end up killing the business. Only the GOV has unlimited resources(1) to keep paying incompetents to run things and to also protect them from getting fired or prosecuted.
>
> Jon
>
> (1) They just up taxes or take money from other things to make up the lost money.
>
> > From: [email protected]
> > To: [email protected]
> > Subject: RE: [NTSysADM] Re: Finally.
> > Date: Tue, 3 Sep 2013 04:51:26 +0000
> >
> > From the email you just replied to:
> >
> > > Certainly the failure was epic, and heads will/should roll.
> >
> > I thought "heads should roll" was a euphemism that was used in the US? Am I mistaken? Chalk it down to cultural misunderstanding then.
> >
> > For the record - I'm not excusing failure. Find me anywhere where I've said "too bad, shit happens"
> >
> > I'm challenging your claim that the sole root cause for this debacle is "incompetent management". You made the claim - you back it up. For the record, I put some reasons out there why I think it's not that simple, by way of explanation for my challenge. However, let's not forget you're the one making the claims here.
> >
> > Cheers
> > Ken
> >
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> > Sent: Tuesday, 3 September 2013 1:46 PM
> > To: [email protected]
> > Subject: Re: [NTSysADM] Re: Finally.
> >
> > So, are you stating that it's your belief that nobody in this incident should be fired?
> >
> > And, since you don't like my analogy, let's try another - BP in the Gulf of Mexico spilled millions of barrels of crude oil. Should nobody be faulted for failing at that core competency? Or is any failure excusable because, well, it's at scale, and therefore hard?
> >
> > Kurt
> >
> > > On Sun, Sep 1, 2013 at 8:46 PM, Ken Schaefer <[email protected]> wrote:
> > > Faulty analysis IMHO
> > >
> > > "Making money" is what any for-profit company aims for - not something that is specific to banking. A bank's aim is to marry savers and borrowers. Exxon wants to "make money", but it does that through producing energy products. The NYT aims to "make money", but it does that through selling access to news. Those are the "core missions" of the organisations in question.
> > >
> > > Likewise, the core mission of the NSA would be to safeguard the USA from external threats, and it does this through the collection and analysis of signals intelligence. The core mission of the NSA isn't to "ensure that nothing ever gets leaked". Just because it has "security" in the name doesn't mean that it's whatever security thing you think is important.
> > >
> > > Certainly the failure was epic, and heads will/should roll. But you ascribed a single factor as the root cause of the problem, yet you've provided no analysis to justify that claim. All you've provided is a bunch of irrelevancies (how much computing power the NSA has, the fact you've designed more secure systems, and something about banks "making money"). How does any of that show that institutionalised "management incompetence" is at fault here?
> > >
> > > Cheers
> > > Ken
> > >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> > > Sent: Monday, 2 September 2013 1:20 PM
> > > To: [email protected]
> > > Subject: Re: [NTSysADM] Re: Finally.
> > >
> > > This is an agency which has the name of the National *Security* Agency. It has, nearly since its inception, been at the forefront of both security and computing, with its computing power measured in ACRES - see the Bamford books (especially The Puzzle Palace). It was also known to insiders as "No Such Agency" or "Never Say Anything", and had always been far more secretive (until Bamford published his books) than the other major intelligence agencies, such as DIA, CIA, NRO, etc.
> > >
> > > If a bank were to so spectacularly fail at its core mission - to make money - for reasons *entirely in its control*, you'd call for someone's job to be vacated, wouldn't you?
> > >
> > > The NSA failed spectacularly at *its* core mission - security - and regardless of the scale of the organization, it failed utterly. This is one case for which the word 'epic' is warranted. The scope and scale of the failure is astonishing. Many jobs should be vacated.
> > >
> > > Kurt
> > >
> > > On Sun, Sep 1, 2013 at 5:21 PM, Ken Schaefer <[email protected]> wrote:
> > > > Yes, I think it does.
> > > >
> > > > Small orgs are much more agile than large enterprises:
> > > > - it's easy/easier to gather requirements,
> > > > - requirements have fewer conflicts (because there are fewer stakeholders)
> > > > - they don't tend to work 24x7 or require 5 9s uptime, so things can be shutdown, upgraded, replaced, migrated with relative ease
> > > >
> > > > The bigger and the more "information heavy" the enterprise is, the less agile it becomes in terms of remediating older systems. Many of the projects for the bank I work for (as a touch point) register hundreds of dependencies - some over a thousand. Just moving a data centre (as an example) is a 42 month exercise. Sometimes things get missed.
> > > >
> > > > I personally haven't run into any security architects at any of the large accounts I've worked at that have your level of confidence in the systems and processes that they have in-place. So, either they're incompetent (possible - I'll give you that), or the problem is more complex than you make it out to be.
> > > >
> > > > Personally, I think security in non-trivial environments is hard: how do I vet every piece of code coming into my environment? How do I audit it continuously? How do I make sure that no one's restored a backup somewhere? How do I know no-one's tapped my network? A business user hasn't mis-applied permissions to an application? Etc. How do I do all of this in a timely manner, so that I close the holes before they're exploited? There is no silver bullet that solves this - which is why everyone's still struggling and we still have incidents.
> > > >
> > > > Even in well run organisations, using technology largely from a single vendor, there are still outages and things that go wrong (e.g. Microsoft's Azure storage, or the recent O365 outage). I agree that sometimes people do stupid things - I'm sure that happens in small environments too. But in big environments, even with the best intentions, smart people and good processes, things still go wrong.
> > > >
> > > > Cheers
> > > > Ken
> > > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> > > > Sent: Monday, 2 September 2013 9:52 AM
> > > > To: [email protected]
> > > > Subject: Re: [NTSysADM] Re: Finally.
> > > >
> > > > Nope. Does that matter? Well, I suppose you think it does, but I doubt it. With scale should come resources, and the NSA obviously does have resources, including people with far more training, and some of whom are smarter, than me.
> > > >
> > > > There are no excuses for this.
> > > >
> > > > Kurt
> > > >
> > > > On Sun, Sep 1, 2013 at 4:25 PM, Ken Schaefer <[email protected]> wrote:
> > > > > You've designed "more secure" systems at scale (40K+ employees) in an information heavy organisation (bank, accountancy etc.)?
> > > > >
> > > > > Cheers
> > > > > Ken
> > > > >
> > > > > -----Original Message-----
> > > > > From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> > > > > Sent: Monday, 2 September 2013 4:01 AM
> > > > > To: [email protected]
> > > > > Subject: Re: [NTSysADM] Re: Finally.
> > > > >
> > > > > Aside from reading all those Le Carre novels?
> > > > >
> > > > > I've already designed more secure systems than were obviously in place, as have many people on this list, perhaps including you.
> > > > >
> > > > > Kurt
> > > > >
> > > > > On Sat, Aug 31, 2013 at 7:35 PM, Ken Schaefer <[email protected]> wrote:
> > > > > > And what are your qualifications/experience, that allow you to make such a call? (I'm assuming that you have no inside knowledge of how the NSA works, and are relying on the public speculation/allegations at el Reg etc.)
> > > > > >
> > > > > > Cheers
> > > > > >
> > > > > > Ken
> > > > > >
> > > > > > From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> > > > > > Sent: Sunday, 1 September 2013 12:03 AM
> > > > > > To: [email protected]
> > > > > > Subject: Re: [NTSysADM] Re: Finally.
> > > > > >
> > > > > > On the evidence, absolutely.
> > > > > >
> > > > > > For an intelligence/espionage operation to be so thoroughly pwned because of such amazingly poor internal operational security, there can be only one conclusion - management responsible for internal security should be fired.
> > > > > >
> > > > > > I'm just glad they weren't, and I hope that what Snowden took is enough to bring them down, and that it's all revealed to the public.
> > > > > >
> > > > > > Kurt
> > > > > >
> > > > > > On Sat, Aug 31, 2013 at 4:20 AM, Ken Schaefer <[email protected]> wrote:
> > > > > >
> > > > > > So, you're saying that the feared NSA, which has a bunch of un-discovered rootkits, which is able to undertake some of the most advanced espionage in the world, is managed by idiots? Seriously?
> > > > > >
> > > > > > From: [email protected] [mailto:[email protected]] On Behalf Of Jon Harris
> > > > > > Sent: Saturday, 31 August 2013 6:17 AM
> > > > > > To: [email protected]
> > > > > > Subject: RE: [NTSysADM] Re: Finally.
> > > > > >
> > > > > > Generally from what I have seen in state (Florida) organizations is that they don't like promoting anyone but a moron into supervisory positions. Occasionally someone will make a mistake and promote an intelligent person but not often. I would suspect this is the case with the Feds as well (worked with them too). Several times I have seen them hire those with less brains and longer tongues and large lips over those with brains. As long as this keeps happening then we will continue to see this happen. It will be a long time before they get rid of all the defective management personnel as I would think private companies would have little to gain by keeping them (maybe why they seem to concentrate in public jobs?) and in a government job it is MUCH harder to get rid of them.
> > > > > >
> > > > > > Jon
> > > > > >
> > > > > > ________________________________
> > > > > >
> > > > > > Date: Fri, 30 Aug 2013 14:34:15 -0400
> > > > > > Subject: Re: [NTSysADM] Re: Finally.
> > > > > > From: [email protected]
> > > > > > To: [email protected]
> > > > > >
> > > > > > +13
> > > > > >
> > > > > > On Aug 30, 2013 11:05 AM, "Kurt Buff" <[email protected]> wrote:
> > > > > >
> > > > > > On Fri, Aug 30, 2013 at 10:52 AM, Micheal Espinola Jr <[email protected]> wrote:
> > > > > > >
> > > > > > > I accidentally hit CTRL-Enter before finishing that email... and apparently that's a shortcut to instantly-send a message in Gmail. Yay! I love learning new things... but anyways - So, yea, this Forbes article was the first I have seen that highlights the real underlying IT problem regarding Snowden - aside from other OT issues.
> > > > > > <snip>
> > > > > > > >
> > > > > > > > I may have missed some article by someone else somewhere, but It's to see Forbes 'get it' before anyone else...
> > > > > > > >
> > > > > > > > http://www.forbes.com/sites/timworstall/2013/08/30/if-the-nsa-really-let-edward-snowden-do-this-then-someone-needs-to-be-fired/
> > > > > > > >
> > > > > > > > --
> > > > > > > > Espi
> > > > > >
> > > > > > Agreed- massive failure on the part of many people in the NSA in implementing security procedures.
> > > > > >
> > > > > > Of course, what Snowden showed, beyond that, is the massive failure that is government policy and practices regarding surveillance/espionage in general, so I'm actually quite happy Snowden was able to do what he did.
> > > > > >
> > > > > > Kurt

