zenpundit.com » Blog Archive » Recommended Reading – Cyber Edition II

Recommended Reading – Cyber Edition II

Top billing! Michael Tanji – 140+ Ed Snowden Edition 1.0Compare and ContrastPrepare for the Pendulum Swing 

I’m not going to belabor the tale of woe those trying to deal with Edward Snowden’s theft are dealing with right now. For a moment I want to opine on some of the secondary and tangential issues that I predict is going to make life in the IC more difficult because of his actions:

  1. Polygraphs. If it is true that he only took the job with BAH to gain access to specific data in order to reveal it, IC polygraph units are going to have to cancel leave through 2025. Moving from one agency to another? Get ready to get hooked up to the box (again). In a sys admin job? Pucker up. That old timer you used to get who realized that people were people and they had lives? He’s going to be replaced by a legion of whippersnappers who will all be gunning to catch the next leaker. Good people will be deep-sixed and those who survive will wonder if it’s worth the ***-pain.
  2. Investigations. When you can’t pick up on obvious problem-children, and when the bottom-line is more important than doing a good job, the bureaucracy will retrench and do what it does best: drop into low gear and distrust outsiders. There are only so many government investigators, and it’s not like there are fewer missions. Coverage will slip, tasks won’t get done, the risk of surprise (you know, what we’re supposed to try and avoid) goes up. 

Global Guerrillas  – Info Bomb,  Positive Control 

Here’s a framework that will allow you to put the stuff you read in the news into context.  

From hat bans to NSA leaks about surveillance programs.  

Problem:  Everybody on the planet IS a potential terrorist.

 Solution:  Put everybody on the planet under positive control.  

Positive control means the continuous monitoring.  

  • Location  GPS phone. Implied by utility use (smart grid).  Car GPS.  CCTV.  Facial recognition everywhere.  Social media data.
  • Network  Phone.  Social media connections.  Proximity.  Network analysis.  
  • Behavior  Economic activity.  Utility use.  Content use.  Usage monitoring.

In the case of positive control, any lack of activity or lapse in data flow is considered a dangerous act.  

Try to hide = something to hide.   

Any blocking of monitoring will be made illegal and a major crime.

Multiple systems with overlapping control will provide a complete cradle to grave blanket. 

There’s no way to avoid this.  It’s already here and nobody cares.  

Polizeros –Steve Gibson on NSA surveillance and PRISM. “Most important show ever”

Gibson’s point is that NSA taps into Tier 1 routers, and splits the data off, hence the name PRISM. They don’t have to tap your house or a server farm, just on the Tier 1 routers. Thus Apple, Facebook, and Google et al are correct in saying NSA didn’t have access to their servers. Forget server farms, the question we need to ask is, do they have access to routers near those companies by tapping the fiber optic lines. NSA targets the bandwidth provider of big high tech companies to tap the routers closest to them. All email is readable on the routers because it’s not encrypted (unless you use encryption software.) Semantic technology is used to analyze the data further. 

Joshua Foust – Can the NSA Search for Americans? Who Knows. and Three Guiding Principles for Reforming the NSA 

Lawfare BlogPhilip Bobbitt on the Snowden Affair and The Miminization and Targeting Procedures: An Analysis

Volokh Conspiracy –What is The “Real Story” About Edward Snowden and His Disclosure of NSA Activities? 

Abu Muqawama – Through a Murky PRISM 

Sic Semper Tyrannis – The Snowden Ruckus By Richard Sale and Clerks often have a lot of access 

Pundita – Out with Obama’s China Pivot; in with the Snowden Pivot, and  Obama’s Insider Threat program: Are you having a bad hair day? I might have to report you as a potential traitor to the United States. 

That’s It!

12 Responses to “Recommended Reading – Cyber Edition II”

  1. Lynn Wheeler Says:

    How Edward Snowden Snuck Through
    http://nation.time.com/2013/06/26/how-edward-snowden-snuck-through/

    a lot of this seems to misdirect from the mechanics of being able to obtain all the information at all. 20yrs ago, open security literature had gov. agency state-of-the-art was not only strict access controls but also behavior based monitoring that would catch employee atypical activity. all of that appears to have gone by the wayside as part of privatising the intelligence community and transition to for-profit operation. It appears that they not only aren’t doing monitoring but don’t appear to even have any idea what may have been taken. References to super administrative privileges imply that provisions requiring multiple individuals have also gone by the wayside.

    If the surveillance stories are to be believed … if the extraction of the information had occurred over the open internet, they would at least be able to determine what has been taken.

  2. Mr. X Says:

    Why should we discuss surveillance when we can discuss endless chicken$&*t about Edward Snowden? And worship the three letter agencies as our gods while ignoring every other whistleblower besides Snowden, especially Tice? Seriously, after all the relentless trolling Joshua Foust has received from State Dept./Demintern groupies suddenly he’s they’re favorite tweep? 

    http://arstechnica.com/tech-policy/2013/06/exclusive-in-2009-ed-snowden-said-leakers-should-be-shot-then-he-became-one/ 

    News flash Mr. Foust: people change. I was a ‘bomb em’ into the stone age’ flag waver too after 9/11 like much of my Generation Y. Then I grew up and realized my government had lied to me and Eisenhower was right about the military industrial complex.
     

  3. Isaac Says:

    (couldn’t comment at Tanji’s site)
    Add ‘Insider Threat’ fall-out and the pendulum will defy gravity completely as it swings away. 

  4. Bob Morris Says:

    I know for a fact that some federal agencies have extremely strict rules about data access, monitor everything, and if you accidentally (or otherwise) access data you should not, you better fill out a report quickly and explain what happened because they will know and contact you. And if you don’t have a good explanation you may get walked out of the building.

    Yet Snowden, a contractor, grabbed everything he could and NSA didn’t know. What a Mickey Mouse operation. 

  5. Mr. X Says:

    “Yet Snowden, a contractor, grabbed everything he could and NSA didn’t know. What a Mickey Mouse operation.” Or they’re simply used to low level contractors <ahem> working for the White House accessing everything including Gen. Petraeus phone calls.

    And the useful idiots on Twitter keep fanatically defending these clowns as our glorious defenders from Vlad the Bad’s Eternal Evil Empire and the ChiComs. Ha! They’ve riddled the place with plants who’ve grabbed stuff Snowden didn’t even touch including SIGINT secure comm methods. 

  6. Lynn Wheeler Says:

    x-over from previous
    https://zenpundit.com/?p=23942

    reference to growing “Success of Failure” culture
    http://www.govexec.com/excellence/management-matters/2007/04/the-success-of-failure/24107/

    Booz Allen, the World’s Most Profitable Spy Organization
    http://www.businessweek.com/articles/2013-06-20/booz-allen-the-worlds-most-profitable-spy-organization
    Spies Like Us
    http://www.investingdaily.com/17693/spies-like-us/

    Private contractors like Booz Allen now reportedly garner 70 percent of the annual $80 billion intelligence budget and supply more than half of the available manpower.

    … snip …

    the whistleblower in the “Success of Failure” case was treated very badly. The scenario is for-profit operations have discovered that a series of failures is a lot more revenue than an immediate success (sort of natural evolution of the beltway bandits “leave no money on the table” paradigm). The congressional investigation put the agency on probation for five years (but did little for the whistleblower) and not able to manage its own projects. However, that may have been just a ploy … further privatizing the gov. (solution to the problem of for-profit companies in projects is to have more for-profit involvement … of course, some quarters claim that there is guaranteed 5% kickback to congress on appropriated funds to for-profit companies … which doesn’t happen if it is straight gov. agency)

  7. Lynn Wheeler Says:

    would appear to be regression from 20yrs ago … possibly associated with transition to for-profit operation

    NSA Networks Might Have Been Missing Anti-Leak Technology
    http://www.nextgov.com/cybersecurity/2013/06/nsa-networks-might-have-been-missing-anti-leak-technology/65708/

    Also possibly more technology deployed against external forces than against internal. In the financial industry in the past, open security literature claims that 70-80% of breaches have involved insiders … although it might be more … in the financial services presidential critical infrastructure meetings, a major concern was making sure that the exploit information sharing ISAC not be subject to FOIA.

  8. Lynn Wheeler Says:

    … also not exactly unexpected given the stories about classified details of major weapons systems leaking out over the internet for years.

  9. Lynn Wheeler Says:

    financial industry was using multi-party operations to deal with high-value insider threats … crooks were countering with collusion … 30yrs ago financial industry state-of-the-art was anti-collusion procedures.

    i’ve contended that one of the original motivations for RBAC was making it easier to define multi-party operations … formal association of permissions with roles would allow definitions where no single role had sufficient permissions to perform operation alone.

    what has happened in the last 20yrs????

  10. Mr. X Says:

    Congratulations to McCain, Rubio, Graham and all the other ‘conservatives’ who claim we need the NSA to defend us from nasty threats like ex-KGB Commies, a real live ex-Stasi man approves: 

    http://www.mcclatchydc.com/2013/06/26/195045/memories-of-stasi-color-germans.html#%2EUc3_LPnFXTp

    Reagan is rolling over in his grave wondering how we went from defeating the Evil Empire to resembling it.

  11. zen Says:

    Markus Wolf would have made a fine Senator

  12. Lynn Wheeler Says:

    The Criminal N.S.A.
    http://www.nytimes.com/2013/06/28/opinion/the-criminal-nsa.html

    The equivalent metadata in financial statements is account holder, to whom it was paid, and how much was paid. I was co-author of X9.99 financial industry privacy standard. One of the things we had to take into account was HIPAA regulations where listing the name of a testing laboratory in financial statement would leak privacy information covered by HIPAA (aka an enormous amount of privacy information can leak out just using metadata)


Switch to our mobile site