Perhaps The NSA Should Figure Out How To Keep Its Own Stuff Secret Before Building A Giant Database
from the just-saying... dept
Apparently, the brilliant minds at the NSA are completely bewildered as to how Ed Snowden had access to everything he had access to. They don't think it's possible.Among the questions is how a contract employee at a distant NSA satellite office was able to obtain a copy of an order from the Foreign Intelligence Surveillance Court, a highly classified document that would presumably be sealed from most employees and of little use to someone in his position.And, according to other reports, Snowden delivered much, much more to reporters:
A former senior NSA official said that the number of agency officials with access to such court orders is “maybe 30 or maybe 40. Not large numbers.”
Mr. Snowden has now turned over archives of “thousands” of documents, according to Mr. Greenwald, and “dozens” are newsworthy.In other words, more leaks are to come. But, considering that people are already scrambling to see how one pretty junior IT guy could have access to such things, it's making people wonder just how screwed up the NSA is if information could leak out this way -- and conversely, why should we trust them with our data?
Edward Snowden sounds like a thoughtful, patriotic young man, and I’m sure glad he blew the whistle on the NSA’s surveillance programs. But the more I learned about him this afternoon, the angrier I became. Wait, him? The NSA trusted its most sensitive documents to this guy? And now, after it has just proven itself so inept at handling its own information, the agency still wants us to believe that it can securely hold on to all of our data? Oy vey!Or, as Farhad Manjoo notes later in that same article:
The scandal isn’t just that the government is spying on us. It’s also that it’s giving guys like Snowden keys to the spying program. It suggests the worst combination of overreach and amateurishness, of power leveraged by incompetence. The Keystone Cops are listening to us all.And, on top of that, people are pointing out that if Snowden could walk out with that much supposedly secret information, you have to wonder who else has done so as well, perhaps with much more nefarious intent, such as selling the information to a foreign power or group. Conor Friedersdorf points out that having the NSA collect so much data makes it a key target for the Chinese:
Even assuming the U.S. government never abuses this data -- and there is no reason to assume that! -- why isn't the burgeoning trove more dangerous to keep than it is to foreswear? Can anyone persuasively argue that it's virtually impossible for a foreign power to ever gain access to it? Can anyone persuasively argue that if they did gain access to years of private phone records, email, private files, and other data on millions of Americans, it wouldn't be hugely damaging?And, yet, that's exactly what we've done. If Snowden had access, then it seems only reasonable to assume that he wasn't the only one. Meaning that plenty of others also had access to the same information, and there's a decent chance that it's already leaked to others. The NSA is supposed to be the best of the best, but they don't even seem to know how to keep their secrets secret.
Think of all the things the ruling class never thought we'd find out about the War on Terrorism that we now know. Why isn't the creation of this data trove just the latest shortsighted action by national security officials who constantly overestimate how much of what they do can be kept secret? Suggested rule of thumb: Don't create a dataset of choice that you can't bear to have breached.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: database, ed snowden, it, leaks, nsa, nsa surveillance, risks
Reader Comments
Subscribe: RSS
View by: Time | Thread
YES!!!
Whatever you do, never discuss your beliefs directly and honestly. Just pump out the FUD and the hate!!! Get those clicks, Mikey!! They are more important than the truth!!
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
The data might as well be porn.
Nothing good comes from data hoarding. It's like that one fable with the man who kept a lump of gold in his backyard for the sole purpose of just having it only to be stolen. Even though he was already rich, keeping it just for the sake of keeping it didn't do anyone any good in the long run. It was easily stolen and although he cried about it, the gold didn't have any purpose. It might as well have been a boulder that said "gold" on it.
It's the same with the data. Keeping it as a "just in case" makes them sound like packrats. It doesn't do anyone any good and if it gets stolen, things end up much worse in the long run. That miscellaneous data might as well be filled up with porn. It takes up the same amount of space and if anyone steals it, it's just as valuable to the right buyers.
[ link to this | view in thread ]
[ link to this | view in thread ]
Hey Clapper, I hear John Steele is available.
[ link to this | view in thread ]
Mixed Messages
Is this cyberwar happening or not? I mean, if we have to worry about China hacking into our power companies, gas companies, and sewer lines; putting all this data under one giant "Kick Me" sign is idiotic at best. Or is this cyber-threat not as big as you make it out to be?
Sincerely,
A network administrator with more brains then all of you.
[ link to this | view in thread ]
Keystone Kops
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Continues to support is a LIMITED HANGOUT.
So unlike you puppies who happily go barking your fool heads off down every trail that Mike throws a stick at, I'm going to look for the real dangers.
"Think of all the things the ruling class never thought we'd find out about the War on Terrorism that we now know." -- Oh, pffft! THAT is one of the worst wrong assertions. They don't actually hide it because most people, even when facts are shown to them, will simply refuse to believe it. The ruling class has had their pet technocrats thinking on global control systems since at least when Orwell wrote "1984", and they've got it pretty well figured out. One key trick is to offer "services" like Google which are really honeypots: a commercial, public, even self-funding front for intelligence agencies.
[ link to this | view in thread ]
Who has access
"No, this developer doesn't need root access to a group of servers that controls some business critical production application. He should only have access to the develoment environment."
"No, these three application support guys do not need to be able to access a few hundred servers - the app they support is only on this dozen over here."
"No, this DBA doesn't need to be able to do anything he wants to every Oracle database in the domain. He only runs this database over there."
Every organization I've worked with has the same problems. Of course the government is the same way - if not worse. Proper access control takes time, planning, effort, and money. In a business context, people don't want to pay for that, and don't want to deal with the hassle of figuring out and investigating what really is needed, and its always a fight to take away access that someone already has even if they don't need it. In a government context, I'll bet its more about just getting things to work, and then fights about who gets control over this bit of turf. So much of the monitoring infrastructure we're talking about was thrown together quickly, down by multiple contractors, and if my experience in the private sector is similar - competing, conflicting, and changing requirements. Not an ideal situation for proper controls to be put in place.
[ link to this | view in thread ]
Re:
I'm not stating that what the NSA did was right. However, there needs to be some broad level information gathering. Every cop that stands in a public place looking for shifty motion is survailing the public. The issue is how long is this data kept and how is being gathered? what level of data is being gathered and retained.
From what I can tell, the bigger issue is PRISM than the verizon leak. Phone lugs and cellphone tower pings have never required a search warrent. Universities have been using similar anonimitized data to map traffic patterns for years. What was the extent of the contact sharing that google provided is the bigger issue.
[ link to this | view in thread ]
Re: Continues to support is a LIMITED HANGOUT.
[ link to this | view in thread ]
Re:
That is difficult to do, as the starting point is often observed behavior. This requires people out in the community, foreign country etc. like what most people think a spy's job is; but without the exciting the James Bond action bits.
However it is much more comfortable to sit at a computer, where lots of false positives, like angry teenagers will fill in the days reports.
[ link to this | view in thread ]
What about "Need to Know?"
[ link to this | view in thread ]
Let's back up...
Didn't we learn from the Stratfor emails that we're already selling American secrets to others?
We sold secrets to Turkey and other countries based on what Stratfor did for money. So you mean to tell me that we should worry about the Chinese?
I think we should worry more about the profit motive in America.
[ link to this | view in thread ]
Re:
WE.
ALL.
ARE.
THE.
ENEMY.
IF you are a good li'l cog in the machine and keep your head down, don't bitch about anything, and support Empire in all ways, then that doormat is not a problem... (yet)
it is the ne'er-do-wells who talk about rights, the complainers who bitch about kongresskritters, the ones who insist on following the constitution, the ones who have actually read -and believe!- the bill of rights who are 'the enemy'...
haven't you been following the playbook ?
diligent citizens who actually have a copy of the constitution are considered ENEMIES, The They (tm) spy on and infiltrate such crazy people...
KNOWING AND INSISTING ON YOUR 'INALIENABLE' RIGHTS IS THE NUMBER ONE SIGN OF AN ENEMY OF THE STATE...
wake the fuck up, sheeple...
art guerrilla
aka ann archy
eof
[ link to this | view in thread ]
Re: Mixed Messages
[ link to this | view in thread ]
Re:
Pump out the FUD? I'm pretty certain we should be fearful and doubtful of a country that not only once (Manning) but now twice has lets tons of classified documents hemorrhage out into the public... by a couple nobodies who never had the clearance and/or need to know to even have access to these documents in the first place. There's little reason to doubt that the 'powers that be' just hand out sensitive information as party favors.
[ link to this | view in thread ]
Re: Re:
It's not hard to make the leap that all involved have gone, far and away, above what is legal, reasonable, appropriate and, above all, expected.
Many will refrain from speaking freely henceforth. Revelation was the first domino. Revolution will be the last.
[ link to this | view in thread ]
The Chinese don't have to spy on the US
[ link to this | view in thread ]
Re: Continues to support is a LIMITED HANGOUT.
Every time I read one of your posts I say "Well that was the most insane thing I can possibly read" but no, give you less than a week and you have something even more incomprehensible cooked up.
Just stop, think of your friends, your family... no matter what made you turn down this dark path the future only ends if you let it!
[ link to this | view in thread ]
Perhaps the NSA should stop contracting out this stuff to private companies
[ link to this | view in thread ]
Re:
If you have an unethical system built by the lowest bidder and cut corners anywhere you can, you are certain to leave wide-open doors for developers/maintainers to get in and take whatever they want.
You get what you pay for.
[ link to this | view in thread ]
"Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
[ link to this | view in thread ]
Re: "Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
[ link to this | view in thread ]
Re: "Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: "Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
However, my actual takehome is quite a bit larger, as every quarter the company issues a bonus to all employees. The amount varies a bit from quarter to quarter (it's based of company profitability), but is reliable enough to estimate in advance. This amount is y, and is substantial.
If someone asks what I make, the honest answer is "x+y". If someone asks my employer what I make, they'll report jsut my salary, the much lower "x".
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
Glenn Greenwald left Salon a while back. He now writes for The Guardian.
[ link to this | view in thread ]
Re: Who has access
[ link to this | view in thread ]
Re: The data might as well be porn.
Not Google, not Facebook, etc.
Look, the technology is now there to amass the data. Everyone is going after it. People are pushing the boundaries of how much info they can gather and what they can do with it.
Seems to me we're headed toward a world where organizations and companies are going to do this because they can.
And here's the tech/libertarian dilemma. If you want to allow companies to amass data, and if you want to minimize government interference and regulations, then every person, company, country, etc. is going to amass data and do whatever the hell they want with it.
Why can't the government collect data just like everyone else? What, you're going to pass laws and regulations restricting what can be done with data going on the Internet? Yeah, sure.
If any entity can gain access, eventually everyone can gain access. Let's deal with that reality instead. Essentially there are no secrets anymore.
[ link to this | view in thread ]
Re: Re: The data might as well be porn.
What kinds of laws do you want passed to prevent private companies from doing such things?
[ link to this | view in thread ]
Re: Re: Re: The data might as well be porn.
[ link to this | view in thread ]
Re: Re: Re: "Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
Not to mention, young contractor, not much experience, only a GED from what I've seen. Where are his certifications and years of experience that would demand such a paycheck. Guys who handle much more important network positions in DC only make about 130K.
[ link to this | view in thread ]
Re: Continues to support is a LIMITED HANGOUT.
Nobody is going to take your definition of "danger" seriously.
[ link to this | view in thread ]
Really?
[ link to this | view in thread ]
Re: Re: Re: Re: "Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
I've half-kiddingly suggested that perhaps he's been working for China. And given the timing of his disclosures (when Obama was meeting with Xi), it might have been good leverage for China in the talks.
[ link to this | view in thread ]
Which gives some idea of just how skilled the less than best of the best organizations might be.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Let's back up...
[ link to this | view in thread ]
Re: Re: The data might as well be porn.
With enough information it really stops mattering what information you acquire so long as you can relate it to what you already have. Increasing your dataset always comes with the chance of being able to find new value with in it and as computers become more powerful and we build better and better programs for finding patterns and relationships everything starts to matter.
Data mining has already started and it's only going to lead for a rush for data and to find sources and types of data that hold undiscovered value.
It's going to be... interesting...
[ link to this | view in thread ]
Re: Really?
[ link to this | view in thread ]
Re: "Low Level" or "Junior" IT Professionals aren't normally paid $200k salary
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Continues to support is a LIMITED HANGOUT.
That's why trolls keep accusing Mike of not stating his positions clearly even though he actually has, and many times (it's basically "be reasonable"); their idea of a "position" is total, unquestioning acceptance of our current IPR regime and a solid commitment to upward ratcheting. Anything else is classed as "not taking a position." Amirite?
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Continues to support is a LIMITED HANGOUT.
I don't think that word, "facts", means what you think it means.
[ link to this | view in thread ]
Re: Re: The data might as well be porn.
Secondly, there's how much damage can be done. Can Google 'hide' my link or sell my details to an advertiser? Ouch!
Can my ISP disconnect me? Bloody pain!
Can the government arrest me and chuck me in solitary for a year? Serious, serious pain.
Once again, the level of control should relate to the amount of potential harm.
I'm sure people know their data is being collected by both corporations and governments. The issue is how much and how transparent the process is, with which checks and balances. Corporations AND government have both got to be kept reined in from their worst excesses.
[ link to this | view in thread ]
Re: Re: Re: The data might as well be porn.
I doubt that data is not going to be collected. And I doubt that companies want limits placed on what they can collect and do with it, so therefore transparency would be good. Have everyone (public and private) tell us what they are collecting and what they are doing with it.
Here's what I have been suggesting.
The NSA didn’t end our right to privacy. We gave it away for free | PandoDaily: "2. Since we’re sharing the information publicly, would the surveillance program be more acceptable, if the NSA simply built a crawler to scrub data from the public Web? Is it really a breach of privacy, when we’ve made everything public in the first place?"
[ link to this | view in thread ]
Secrecy protocols
The fact that Snowden in theory was not supposed to have access to things he accessed (or so they say), makes the NSA maintenance of broad records of Americans activities all the more troubling. Even allowing, for the sake of argument, that standard NSA procedures do not allow access to any data about an identifiable American citizen, whether raw or the result of algorithmic analysis, without a FISA warrant, and even presuming (again for the sake of argument) that all FISA judges are honorable men with a deep commitment to the American constitutional order and the plain meaning of the 4th Amendment, how do we know that rogue agents (or maybe "rogue agents" with orders from Washington, cf. the Cincinnati IRS office) can't and won't access the data in violation of standard NSA procedures?
[ link to this | view in thread ]
[ link to this | view in thread ]