> "[...] he has demonstrated absolutely no interest in protecting it"
> "The filing described Mr. Martin as computer genius who easily outsmarted government efforts to protect secrets and said he possessed an advanced understanding of how to encrypt messages and hide information in cyberspace."
This doesn't really make sense and the wording also hints at sensationalism. It reads like a classic case of deflection, making the accused appear considerably more powerful than he actually is.
This, to me, shows a few things:
- the NSA clearly has no clue who accesses "their" data, when, or how
- the NSA will throw anybody under the bus to save face
- the NSA, to this date, still refuse to put their own inadequacy in the balance and traded their integrity for the power to sustain the organization itself at the cost of everything else (including their original purpose)
Why on earth is this organization still allowed to operate at all?
It's hard to give a concise response to a comment going in so many different directions at once, but I'll take a whack at it:
* Should NSA be broken up? I think so. It's a mainstream policy idea. NSA has two conflicting missions --- IAD and SIGINT --- three, if you want to count pure research separately. Splitting up NSA would solve some conflict of interest problems, but would also add the practical benefit of minimizing the number of people who might end up with access to documents like this guy collected.
* Does that mean NSA is lying about the Martin case? No. They could be, but I would not put money on that. Prosecutors definitely shade facts to make their cases sound stronger. But it's less likely that in an extremely high profile federal prosecution like this one, they're going to entirely make things up. With Martin, we're talking about a case where someone hoarded extremely classified documents about ongoing operations against "known enemies of the US" (that's a term that probably has pretty specific meaning). He left them laying in his car. On the back of the printouts were handwritten explanations of tradecraft and terms of art.
If I had to guess, the most likely outcome here is going to be that we are talking about someone with very serious mental health issues who NSA had no business putting within 1000 miles of the information he managed to hoard in his house.
One of the biggest beefs I have with how Americans deal with the NSA is that they're cool with them spying on EU citizens. As long as its not domestic, you guys are cool with it. Its as if when you are not an American, you have no right to basic human rights like privacy according to Americans. Add to that they even did stuff like tap Merkels' phone.. spying on your allies is a serious faux-pas and wtf all rolled into one.
One of the biggest beefs I have with Europeans who take issue at NSA spying on the EU is the misconception they have that their own spy agencies aren't doing the same thing to everyone else: us, Russia, China, and other states in the EU.
More annoying about this argument though is the fact that the leaders of the most powerful EU states, regardless of what they may say to their own citizens, demonstrably benefit from and invite NSA spying. The German NBD, for instance, spied on Austria in collaboration with the NSA --- got caught doing so just last year. It's easy for EU SIGINT agencies to get away with this stuff, because they can launder the unpopular spying they want to do through NSA in private while "blaming" them in public.
If we want to have a world without spying, we should be honest about it. More honest than the conversation is today.
But we should also be careful what we wish for. The prevailing sentiment on HN is that NSA is more or less spying on behalf of Disney's copyright enforcement corps and the Moral Majority. But a lot of the reason we conduct foreign surveillance is to avoid large scale armed conflict. To allow us to head conflict off surgically, and to prevent intractable problems (for instance: unchecked proliferation of nuclear arms to countries that we'd have to invade to keep them from deploying).
I have real, bigly problems with NSA and think it needs drastic reform and completely restructured oversight. But I'm not in the (very large) faction that believes surveillance to be intrinsically evil. I personally feel fortunate to have made it out of the 1970s without disintegrating in a nuclear barrage. That threat is not gone; it is far more realistic than evil AI.
> But I'm not in the (very large) faction that believes surveillance to be intrinsically evil.
I don't think anybody on HN had that impression.
> I personally feel fortunate to have made it out of the 1970s without disintegrating in a nuclear barrage. That threat is not gone; it is far more realistic than evil AI.
So, essentially you're scared and that's why you are ok with surveillance. What I don't get is why you feel that all this surveillance is helping to keep you safe from nuclear barrage?
Personally I'm against mass surveillance of any kind, it is against our collective human rights (which does not stop at the border of the US or any other country), also I'm by extension against any kind of surveillance of the private individuals of any other country by intelligence operatives of my country.
Finally, 'Europeans' and 'Americans' are not entities that you can compare directly, Europeans are typically the citizens of some country and those countries have very different capabilities when it comes to surveillance and usually a very different role on the world stage. You can't compare the intelligence services of say Greece, Germany, Finland, the UK and Slovenia with respect to their capability and you really can't compare their role in Europe as an entity and in the world at large. States are not countries, the USA is a continent sized country with an extremely large federal budget when it comes to things like mass surveillance, military (aka 'defense', but it hasn't been used for that purpose in ages) and so on.
Finally, the reason that you'll find a lot of Europeans taking issue with any kind of spying on allies (also by their own intelligence services, which are most likely just as unhinged as the US ones) is that it isn't all that long ago that there was a large chunk of what is now the EU under the boot of an army of occupation, and that this was kept that way to a large extent by mass surveillance of the citizenry.
I sincerely hope you'll never be given a reason to regret your stance on being 'ok' with mass surveillance, but if you do end up regretting it don't be surprised by any lack of sympathy from my end, of all the people that I know that support this stance you are probably the only one where I will never understand why your position is the way it is.
You've moved the goalposts, perhaps without realizing it. I'm OK with signals intelligence. I'm not OK with "mass surveillance" in the sense that you probably mean it --- a giant data warehouse in Utah storing and indexing everybody's email.
The comment to which I replied talked about tapping Angela Merkel's phones. If monitoring Werner Faymann's phone calls prevents a war, I'm fine with that --- as, apparently, is Angela Merkel.
Meanwhile, for those of us concerned about dragnet surveillance, the answer is to replace the janky 80s protocols we use to send and receive electronic communications with modern encrypted alternatives.
> I'm OK with signals intelligence. I'm not OK with "mass surveillance" in the sense that you probably mean it --- a giant data warehouse in Utah storing and indexing everybody's email.
They are to all intents and purposes equivalent, it is pointless to be 'for' signals intelligence but 'against' a giant datawarehouse in Utah storing and indexing everybody's email the one results in the other.
Besides email being only a very small part of the picture 'metadata' in the form of who-calls-who, when and how frequently is gold and there is no amount of encryption that will protect you from that data being captured and stored.
In many cases the difference between dragnet surveillance and signals intelligence is as small as whether or not someone (not something) has looked at the data stored.
And that giant data warehouse with all that email exists, it's just that there are three of them right now, one run by Google, one run by Microsoft and another by Yahoo regardless of what intelligence agencies are trying to accomplish in less direct ways. Other email servers are probably so lightly protected in comparison to those you may as well consider them compromised.
Finally, I can think of several simple ways in which even encryption isn't going to make much difference in collecting that data regardless of what is happening on the wire, and I'm sure you can too.
On the whole, the trend seems to be to store more data for longer times on an increasingly larger slice of the world population, some call that 'signals intelligence' when it suits them, others call it dragnet surveillance because that is what it is.
We're talking about: email, web surfing behavior, mobile text messages, location information and so on.
Whether Merkel is ok with having someone else's phone tapped while probably disagreeing with whether or not her own phone is tapped I'm against phone taps without warrants by the country where people reside, foreign entities should simply respect the law of the land and go through the proper channels. That way we don't have to deal with another 'Belgacom' (oh, sorry, Proximus).
It doesn't matter whether you call it signals intelligence or mass surveillance, the key is that it is warrantless surveillance, and that it is usually not your own country doing it.
> Meanwhile, for those of us concerned about dragnet surveillance, the answer is to replace the janky 80s protocols we use to send and receive electronic communications with modern encrypted alternatives.
That's going to make a relatively small impact, it will simply raise the bar for the various agencies to attack the network infrastructure and servers of the more interesting choke points as well as the originating endpoints (consumer computers) a little harder. The only thing that will really stop that is to make it illegal in some treaty. (Not that that will every happen, but it would be a nice change.)
I'm not sure why you believe monitoring Werner Faymann's phone would prevent a war or why it prevented one. Wikipedia has him currently working at the United Nations, what are you getting at here?.
Respectfully, this is like 7 paragraphs of stuff we already know we don't disagree about, followed by the incoherent position that foreign spying is only acceptable when the citizenry of the foreign target agrees with it.
You can have an intellectually coherent position against foreign spying entirely. I'll point out the downsides of that position, but I won't tell you your argument is invalid.
But don't pretend. Either be against spying, own the potential downsides, and/or argue that those downsides don't matter, or accept that spying is coercive --- coercion is built into the concept, which is why we have the special word "spying".
BTW: Merkel authorized and the German NBD participated in SIGINT surveillance of Austria, is why I pulled that particular name out of my hat. Austria is interesting exactly because nobody would expect that particular spying target inside of Europe.
> followed by the incoherent position that foreign spying is only acceptable when the citizenry of the foreign target agrees with it.
Foreign spying on citizens of another country is not ok, period.
Domestic wiretaps/monitoring and so on are acceptable if and only if a judge signs off on it.
Governments spying on each other is acceptable as long as it does not devolve into spying on the rest of the citizens of that country wholesale.
In other words: ordinary citizens should be left alone, if you decide to join the government you're raising the stakes and you should be aware that you will become a 'person of interest' for many other parties.
I hope this clear up my position in a way that there is no room for mis-interpretation.
I'm sure EU governments spy on each other and I'm also sure that EU government officials are aware of this particular fact if only because they themselves are also engaging in it, so nothing of value was communicated with that particular example.
Do you think if any european ally of the US was caught out spying on Barack O.'s phone that the head of that agency would keep their job?
What about if they were caught out because they can't control contractors?
Who has been fired at the NSA after a series of total WTFs? Regardless if you think they do god's work or are in league with the devil, incompetence giving america a black eye ought to be something that has consequences. Apparently it doesn't.
Ptacek... sounds Czech more than any other slavic language (means small bird). If you went through 40 years of communist oppression like Czech people went through, you would have a VERY different stance on these topics
> The prevailing sentiment on HN is that NSA is more or less spying on behalf of Disney's copyright enforcement corps and the Moral Majority.
I'd leave out the moral part. It's too easy to spy on foreign execs, act on insider knowledge and fund political agendas. That's what I would do which is why I'm sure it happens. Accountability determines how rational people act. When we give total secrecy and no accountability to a portion of the population they tend to act.. a certain way.
> But I'm not in the (very large) faction that believes surveillance to be intrinsically evil
No one here would ever accuse you of such. But the phrasing lacks specificity. This isn't surveillance by the 7-11 Inc. where daily slurpies are purchased but rather surveillance by a multi trillion-dollar agency with a mandate outside of the public's knowledge or approval. There isn't anything a bit.. spooky about that?
>One of the biggest beefs I have with Europeans who take issue at NSA spying on the EU is the misconception they have that their own spy agencies aren't doing the same thing to everyone else: us, Russia, China, and other states in the EU.
I've never heard of a fellow European claiming this, but I also think that discussions of such issues should be based on evidence rather than speculation and general paranoia.
NSA and GHCQ were unlucky, because such evidence emerged. So they can rightly be criticized on the basis of published evidence about their spy programs.
Speculating about what intelligence agencies do without any evidence and knowledge at all, on the other hand, is quite pointless.
"One of the biggest beefs I have with Europeans who take issue at NSA spying on the EU is the misconception they have that their own spy agencies aren't doing the same thing to everyone else: us, Russia, China, and other states in the EU."
Same thing I kept telling them on Schneier's blog, etc. They sure aren't building those spy buildings as art projects. The worst part is that info on whose involved in spying agreements, even whose in "no-spy" agreements, is so public we have much of it in one Wikipedia article.
Then there's the espionage documents talking all the cases where foreign countries were spying on us. Then there's the Snowden files showing that basically every European country was partnered with NSA spying on who knows who (probably Europeans) with exceptions being Iceland, Switzerland, and maybe one other country (don't recall).
A teacher of mine used to say that people often point a finger at others but are pointing at least three back at themselves as they do so. Europeans are doing it with both hands.
Because there is no probability that we are going to end up in large scale armed conflict with our own citizens. Ask a simple question, get a simple answer.
Why? What if some of them are spying for foreign power or prepare sabotage or are paid up by foreign powers to incite political unrest or, God forbid, political change that might end up in unilateral nuclear disarmament that might end up with destruction of usa with nuclear weapons?
The fact is you can imagine scary enough scenario to justify one thing but can't imagine other scenario to justify another. Thing is ultimately you need to act on some principle and current principle in USA is, us citizens have right to privacy, other people have no right to privacy.
This is silly rule because it creates places like current NSA. If it wasn't ok to spy on foreign citizens there'd be no NSA and if it was ok to spy everybody then NSA would have way more oversight.
Only if NSA knows if they are. But what if they don't know yet? Don't you want them to know rather sooner than later? You could easily achieve that by spying on your citizens rather than on the rest of the humanity your citizens might be spying for.
The premise of the preceding question is that the US somehow goes easy on its own citizens when they do things that might justify electronic surveillance. But that's obviously not true; there's just a different process for it.
> If I had to guess, the most likely outcome here is going to be that we are talking about someone with very serious mental health issues who NSA had no business putting within 1000 miles of the information he managed to hoard in his house.
I agree with you.
That said, this statement is at odds with your statement in regards to lying.
> The filing described Mr. Martin as computer genius who easily outsmarted government efforts to protect secrets and said he possessed an advanced understanding of how to encrypt messages and hide information in cyberspace.
They are certainly lying in terms of how capable he was with the "genius" implications.
The simple truth is NSA internal security is fucking terrible as we are shown time and again that lone wolves are easily able to do this if they so choose. Snowden isn't some magical computer genius of exceptional ability either. He honestly comes across as more of an above-average (but not 1 in 100) IT guy.
I'm willing to bet Martin is "above average" but, once again, not a computer genius mastermind capable of outsmarting competent security practices. It is simply the NSA is not competent at implementing such practices when it comes to internal actors.
I agree with you that NSA security appears to be a total clusterfuck and that this is an instance where Walter Peck is fully justified in coming in and shutting down the Ghost Containment Unit.
A lot of people that know more about this stuff than I do disagree pretty forcefully. Dan Guido on Twitter just reminded me that Martin was specifically read into extremely sensitive programs at NSA; he was one of just a few hundred people with this access.
The court filing is pretty damning. For instance, there's the email he had prepared to send his team in 2007, noting that "they" are "inside the perimeter" and threatening to bring his coworkers "into the light". The emails, the hoarding, the guns, the weird handwritten notes... this looks extremely bad. Keep in mind that he could have been trying to do some terribly stupid things.
> > The filing described Mr. Martin as computer genius who easily outsmarted government efforts to protect secrets and said he possessed an advanced understanding of how to encrypt messages and hide information in cyberspace.
> They are certainly lying in terms of how capable he was with the "genius" implications.
Yes. It's hard to wrap my head around the characterization of him being a genius at cybersecurity, but he's leaving materials obviously marked "top secret" sitting around in his car. It seems a little convenient, almost like a movie plot.
If this guy had decent opsec at all, he would not have been caught with any detectable materials in his house or car; a raid of his house would have uncovered nothing without his cooperation.
Perhaps they had been tracking him for a while and this was a sting that launched at a particular time. Otherwise, I don't understand why he'd have any printed materials in his car, much less with tradecraft instructions on them! Sheesh.
Why would you ever have printed materials with you with secrets on them? Transmit the information digitally protected by encryption. If a skilled operator needed to recover information on printed documents, then I would expect them to expeditiously scan them and destroy them, not keep them sitting around in a car unattended.
The story does make a bit more sense interpreted through the lens of him being a hoarder with not particularly good opsec. Either that or he's a sloppy spy that they've been tracking for some time, and chose to execute a sting at the right time when he was undertaking vulnerable activities like transporting material or preparing for a drop.
But, the idea that this was a sting does not resonate with the fact that they did not arrest him while serving the search warrant on his house. ... unless they deliberately left him free while observing him, in the hopes of discovering how he contacts his handlers. </speculation>
This is another example of attribution error. People who work in TAO aren't super-spies. They're people with access to a lot of weird random exploits and with very peculiar collections of very deep knowledge into things like the operating systems of Chinese Internet gateway routers and the DLL offsets of whatever versions of Windows Russia is still using.
That's still "hacking". NSA apologists have to be careful when scoffing at the exploits of their various rogue employees: if it was so easy, one really must assume that agents of China, Russia, etc. have done it too.
While I agree with your overall summary, I find it odd that you skip the issue of whether he had special access/ability or is just just one contractor among a group of essentially all NSA employees and contractors given access to a library of all of this information (as stated in a previous article.)
Given the NSAs general behavior and the nature of the Snowden leak in comparison to Manning's, I believe it is more credible that they have virtually everything at a single (and lowest) clearance and compartment, so this:
> If I had to guess, the most likely outcome here is going to be that we are talking about someone with very serious mental health issues who NSA had no business putting within 1000 miles of the information he managed to hoard in his house.
Is simultaneously true and a deflection from how incredibly inevitable this was and how incredibly incompetent they are as an institution. I am all for splitting their capabilities across existing agencies where it makes sense and cancelling programs all together where it doesn't.
I simultaneously agree with the premise that NSA is secured incompetently and also disagree with the idea that everything is at a singe lowest clearance level, which is the opposite of how things have been described to me by people who worked there.
My impression is that they have the NIH and refuse to use standard LSPP in favor of FLASK. They take this so far that they accept no feedback from the SELinux community. While they may have analyzed all the great reasons not to use every competitor, they probably lack oversight and critical evaluation of the EOU problems that causes, leading to less practical security than those using off the shelf software with proper oversight.
1. SIGINT. Collect intelligence anywhere from anyone overseas using electronic communications. This includes offensive hacking and black bag jobs they do via other groups.
2. Information Assurance. The only real requirement I've seen is that they protect COMSEC of DOD and defense contractors. There's less requirements saying they protect computer security. I'm not sure they're even required to protect government as a whole. They have no mandate that I've seen to protect Americans. They even make it illegal for Americans to obtain Type 1, TEMPEST-certified, etc products that they recommend to Defense organizations.
So, those are the jobs. I'm with Schneier and others on splitting them into two. I'd also expand IAD's mission to cover recommendations for mass market and overall government. For now, NSA has no requirement to protect our computer systems. Hard to say if they even have to protect Defense systems vs COMSEC since other laws paid for by lobbyists say DOD must try to buy COTS stuff that's almost all insecure. Can't mandate buying insecure stuff from nefarious companies plus expect strong security simultaneously. I think it's a legal, grey area they're exploiting for maximal SIGINT.
That's a military command with lots of military units that reports to Strategic Command. NSA sort of administers it even though it's not really theirs. Even if we count them as NSA, that would fall under SIGINT in my division of their activities. It would still be SIGINT rather than IAD doing that stuff. So, splitting off IAD wouldn't affect the analysis whether it's NSA's teams doing SIGINT or NSA + STRATCOM's sub-commands doing it with NSA SIGINT personnel.
The premise of this sub thread is that cybercom and NSA proper have fundamentally different missions, in part because they are governed by fundamentally different legal frameworks, and it should therefore also be split from NSA proper. It was not an argument that IAD should not also be split off.
From the reading I have done it sounds as though IAD and SIGINT aren't very close. So much so that there's push by some within the agency to connect them. This recent'ish article talks about it:
I agree that they have very different and conflicting objectives but it sounds as this might already create somewhat of a walled garden between at least two of the three.
But when you hear stories about critical US infrastructure being broken into you have to wonder why aren't these agencies working more closely. You have one agency that specializes in offense and the other defense. Some amount of the offensive should be to help some of the US defenses no?
The more important question to me is how the other government agencies compare to the NSA. I have no reason to suspect that the NSA is below average; everything I have seen suggests that the are probably better than HHS, HUD, etc. and this is very troubling to me.
"Fifty terabytes is equivalent to 50,000 gigabytes. One gigabyte can contain 10,000 pages of documents, the department estimated.
By extrapolation, 50 terabytes can hold 500 million pages."
I can't find the court filing at the moment, but I would be amazed if even a small majority of the 50TB were 'pages of documents'. Looks like he got away with databases to me.
I'm sure you're right, but one of the details here was that they found printed out emails in his car with handwritten notes on the back of them. They're apparently especially skeeved out by the fact that the notes include descriptions of basic tradecraft stuff --- stuff, I guess, he clearly already knew himself --- as if he was preparing them for a third party recipient.
The problem is that nobody can understand numbers that big either. Nobody can really understand what it's like to be 4 billion years old or 100,000 light years across or 500 million pages of documents.
I agree that 10TB can hold at least 500m simple documents.
Minor quibble (although bit groggy so correct me if I am wrong), but surely if 1MB holds 500, 1GB holds 500,000, 1TB 500,000,000 so 10TB holds 5 billion.
I just find it unlikely that 500m (or even 5b) of normal documents detailing operations exist at a single organisation, even with attached multimedia. Certainly possible, but seems off? Databases seem like the more likely chunk of the haul.
Not suggestion anything nefarious going on, just noting it is an odd way to describe the likely data.
Hillary Clinton managed to generate 60k e-mail records over 6 years; assuming a period of 8 years, and a similar rate of e-mail generation, it would only take 6250 employees to generate 500M e-mails. The NSA is estimated to have 30k-40k employees (and many contractors).
All it would take is a few network attached storage devices with high-capacity 3.5" drives. If you have 8 drives per NAS, and each drive is 4 TB, you only need 2 NAS to store data with no redundancy or RAID 5, and 3 or 4 NAS for more redundancy.
P.S. 6 TB drives are now very common, and 8TB drives are widely available, but more expensive.
When everyone screams about security and why we shouldn't be snooped on one of the biggest factors to consider is that inevitably someone who has access to this information will abuse their power.
It's just human nature.
The argument that there can be some process, some security apparatus, or anything in this world to prevent that is just a pipe dream. Someone will abuse their power and ruin someones life that is why no one should have access and that way we are all better off.
Yes. I am caught up in the Chinese hack that stole all the .gov background check information last year. Not only did my pertinent information get stolen, but also everyone who I used as character references. Trust is dead.
Oh wow, I've been a reference for a few friends. Looks like mine was breached too. Incidentally I got the "looks like a state actor is trying to access your gmail account" several years ago, and I think the only value I'd have is as a friend/reference of some people in fairly sensitive government positions.
The most fascinating aspect about this sort of thing in my opinion is the realistic size limit of a "circle of trust".
Considering the frequency of relationship infidelity, I'd estimate the maximum reliable size of a circle of trust at roughly 1.5 people.
Chances are intelligence agencies can use vetting procedures and internal processes to increase that number, but it's still fairly small.
Many major scandals get discovered due to a broken circle of trust... via both professional and interpersonal infidelities.
Human trust and trustworthiness is an act of loyalty and intimacy. Humans are notoriously easy to offend, challenging loyalties and disrupting intimacy. In the private sector, employees frequently jump ship to leverage trade secrets for their own benefit... not necessarily as blatant corporate espionage, but by having "several years of highly relevant industry experience" and applying for a job with a competitor.
Something like Bitcoin requires us to trust any one party very little, but to trust the system's behavior in aggregate.
The safeguards put in place after Manning and Snowden's breaches seem to be intended to mitigate harm, as does "need to know" security clearance, but I wonder if there exist (or will exist) more elaborate distributed trust systems: Suppose that instead of "need to know", everyone else in the intelligence agency department knew some information about what secret information you had viewed or saved that day, week, month... both magnitude and frequency, and frequency of repeated visits to document areas... some sort of footprint that offered an easy heuristic for social detection of deceitful behavior by fellow humans, rather than relying simply on harm-mitigation measures. This culprit would have had a very distinct footprint even if none of his coworkers could themselves access the data or see exactly what it contained.
Disclaimer: I believe that government classification of information ought to be avoided in 95% of the circumstances it is used today. There are reasons to do it, but all information should be declassified within 50 years of its initial classification no matter what, and classification of information for political or selfish reasons (not directly in the national interest) should be a serious crime akin to treason or espionage.
I won't argue against the idea that we have too much classified. It's expensive and counterproductive to try to protect things that are no longer important. That said, 50 years ago, we had detailed and effective designs for nuclear weapons - likely well beyond what's known by, e.g., north Korea. There are probably people alive who'd be placed in danger by the release of information from 50 years ago. Not many, but 50 is within the lifetime of someone who was undercover at age 25. I'm not sure that such a blanket 50 year declassification policy is defensible.
Those are good points. Even if the limit was 75 or 100 years for things like that, it would likely be possible to declassify all but a few "black box" details of the tech. That's the most defensible use of secrecy, since the precise way in which it works is not likely to be the basis for a conspiracy by officials against the public.
"Well, for one thing, I’ve seen pretty much all your tech secrets wrt [sic] regard to compusec [computer security]. Thanks. You made me a much better infosec [information security] practitioner. In exchange, well, I gave you my time, and you failed to allow me to help you . . .
You are missing most of the basics in security practice, while hinking you are the best. It’s the bread and butter stuff that will trip you up. Trust me on this one. Seen it. . . . Dudes/Dudettes, I can’t make this any plainer . . . Listen up . . .
‘They’ are inside the perimeter. . .
I’ll leave you with this: if you don’t get obnoxious, obvious, and detrimental to my future, then I will not bring you ‘into the light’, as it were. If you do, well, remember that you did it to yourselves"[0]
Limiting the damage disgruntled employees can cause must be very difficult. Presumably drastically reducing the amount of information any individual gets exposed to?
"The Justice Department released its 12-page document ahead of that hearing, detailing new allegations... suggesting he had become heavily armed, accumulating 10 weapons"
10 weapons! It's always funny seeing what coastal types consider "heavily armed", as opposed to "a starter collection".
In my experience, the more guns one owns, the likelier they are to be a hobbyist or collector. It's not like you wield one in each limb and six in your teeth; more != more dangerous.
And this is just the one the found out about, mainly because of ShadowBrokers' public announcement that they have NSA's tools, which prompted the NSA to investigate the issue. But how many of NSA's employees may be selling NSA data silently to others and have been more careful about it?
Same thing with Snowden. They only found out about it when he went public with it. But they want us to trust them to store all of our data.
There are 2 factors here. 1) If he's simply a mediocre IT jockey and then his NSA contractor status resulted in him pulling in $200+k a year, that's a bad look. 2) If he's average and he somehow managed to defeat the NSA at what the NSA does, that's also a bad look.
Now it's likely a policy problem, that contractors can access these quantities of data with access to physically removable media and such seems like a policy problem. On the other hand if he's some kind of computer super genius then he was given a little trust and took advantage of it.
I think it wasn't 500M pages, but 50TB of data; for some reason the press (or whoever is feeding them) is really set on demonizing this guy and making him sound as sketchy as possible.
It was never written that he actually stole 50TB if data, only that they found several hard drives, computers, backups they need to investigate.
If he was for example a movie or music collector, there wouldn't much room on these drives for actual stolen data.
50TB (a few hard drives worth of data) looks very sensationalistic, but is most likely not. Code is not big.
The court filing specifically noted "investigators seized thousands of pages of documents and dozens of computers and other digital storage devices and media containing, conservatively, fifty terabytes of information".
It doesn't say whether that 50TB was all classified govt docs or just that they seized his personal computing equipment to investigate whether it contained any classified data.
My point was that nowhere does it say 500M pages of documents; the press seems to have conflated the 50TB to mean approximately 500M pages (which sounds even bigger).
According to my simplistic math using standard 10x12x15 inch boxes of pages where each box has 5000 sheets, it's about a 15x15x15 meter cube.
15 meters is approximately a 5 story building.
If it's 16lb paper, then about 3,828 metric tonnes.
Obviously the weight of the paper is a huge factor here.
Another way of looking at it: if there are 260 days in a year (not counting weekends), then over a period of, say, 10 years, it amounts to 1.47 metric ton per day.
From the US attorney's response to Mr. Martin's attorney's motion for a detention hearing:
> The Defendant also had encrypted communication and cloud storage apps installed on his mobile device.
...like...their browser linked against libopenssl and they had the stock Google Drive or Apple iCloud apps?
> The antipathy demonstrated in this letter raises grave concerns about the Defendant’s intentions and potential actions should he be released
The letter strikes me as having been written by a person who is fairly odd, but possibly has good motives. It's hard to understand the context but if indeed it was signed by "Hal" and somewhere in/on/near his workplace it's suspicious indeed.
>Defendant has access to highly classified information, whether in his head, in still-hidden physical locations, or stored in cyberspace—and he has demonstrated absolutely no interest in protecting it,” the Justice Department said.
Go on...
>“This makes the Defendant a prime target, and his release would seriously endanger the safety of the country and potentially even the Defendant himself.”
That seems reasonable.
>Prosecutors in August arrested and charged Harold “Hal” Martin III, of Glen Burnie, Md., with theft of government property and unauthorized removal or retention of classified documents.
Hang on: they're indicting him? What Justice Department is this?
>The new filing said the Justice Department would likely charge Mr. Martin with additional crimes, including violating the Espionage Act, an offense that carries much stiffer penalties than the current charges.
I thought we already decided this was no big deal. What is going on here?
I wasn't able to read the WSJ article due to paywall but I read another probably similar piece. At what point would or should Booz Allen Hamilton lose their "preferred contractor status" with the NSA? I mean this is the second one that we at least know about. Perhaps the NSA should rethink hiring contractors?
What the hell are these people doing over there? The NSA really needs a "security section" that actively monitors the usage of resources of its employees. That someone could be siphoning terabytes of classified information over the span of decades is just beyond comprehension.
> That someone could be siphoning terabytes of classified information over the span of decades is just beyond comprehension.
I don't know how ridiculous this is. Security is an ever-evolving field, and a lot of these stringent controls weren't necessarily in place decades ago - for example, what fraction of places were banning USB flash drives even 10 years ago?
The NSA isn't superhuman, and security is hard. I have no love for the agency, but it's not like only complete morons are susceptible to deep insiders exfiltrating data over the course of decades.
Security experts act like it's very trivial and basic to get a fully secure shop up and running if we simply do everything they say. When something fails, the security expert gets fired, and a new one comes on board who will inevitably call the old one "incompetent" and claim that super basic and trivial things were not being followed. Repeat ad infinitum. Some organizations/companies are more vulnerable than others, but I have yet to see one that cannot be compromised by a determined/patient adversary.
I have firsthand knowledge that a certain Australian three letter agency was filling USB ports for non-cleared staff with silicone gel, more than 10 years ago.
> The NSA really needs a "security section" that actively monitors the usage of resources of its employees
And then what? What happens when somebody in the security section decides to do something nefarious? A security section for the security section? An infinite regress of watchers watching watchers?
At the bottom of it all, you have to trust _someone_ eventually. And nobody yet has figured out how to guarantee that a person is or remains trustworthy.
They do seem to be idiots regarding their own internal security. That's the only explanation I can think of. For an organization that is on the forefront of offensive cyberwarefare, they could have been on the forefront of internal security as well. But they aren't.
I wonder if there is social pressure exerted by everyone to assume that someone who has made it through the vetting process is low risk...
Imagine a group of clergy members, how likely is it that they'd want part of their group dynamic to be defending themselves against suspicion of atheism or doubt?
It would seem that the identity aspect of feeling like one was on the defensive might create a psychological blind spot where everyone was pleased/relieved not to have to constantly prove his/her loyalty, thus establishing an implicit trustworthiness rather than an explicit one that would be psychologically challenging. Imagine showing up at work every day and someone reviewing your code with the suspicion that you might have intended to harm the business... regardless of one's level of competence this would be unpleasant, and humans avoid unpleasant things.
I don't have security clearance of any expertise with it, just musing about it.
Full text because stupid paywall and web workaround is lame solution:
WASHINGTON—A former National Security Agency contractor amassed at least 500 million pages of government records, including top-secret information about military operations, by stealing documents bit by bit over two decades, the Justice Department alleged in a court filing submitted Thursday.
Prosecutors in August arrested and charged Harold “Hal” Martin III, of Glen Burnie, Md., with theft of government property and unauthorized removal or retention of classified documents. The case was kept under seal until earlier this month, when some details became public.
The new filing said the Justice Department would likely charge Mr. Martin with additional crimes, including violating the Espionage Act, an offense that carries much stiffer penalties than the current charges.
Mr. Martin’s attorney, Jim Wyda, declined to comment on the new filing. In the past, he has said that Mr. Martin is a patriotic American who has served his country.
A federal court has scheduled a hearing for Friday to consider whether Mr. Martin should be released while awaiting trial. The Justice Department released its 12-page document ahead of that hearing, detailing new allegations about the scope of Mr. Martin’s alleged theft and suggesting he had become heavily armed, accumulating 10 weapons, and had taken sophisticated steps to cover his tracks.
Some former associates had described Mr. Martin as a harmless hoarder who suffered from post-traumatic stress disorder. The new government filing paints a different picture, raising questions about his motives and suggesting he was capable of sharing U.S. secrets with the nation’s adversaries and potentially putting American lives at risk.
The document doesn’t, however, answer one of the big questions in the case: whether Mr. Martin shared any of the stolen classified information with another person or another country. The document offers no evidence that he did but suggested Mr. Martin had the capacity to do so.
The Maryland home of Harold Martin III, a former NSA contractor who the Justice Department alleges stole millions of pages of government records. ENLARGE
The Maryland home of Harold Martin III, a former NSA contractor who the Justice Department alleges stole millions of pages of government records. Photo: Jose Luis Magana/Associated Press
Mr. Martin, a former Naval officer, was most recently a contractor at Booz Allen Hamilton Holding Corp. , a job that placed him inside some of the government’s most secretive programs inside the NSA and the Pentagon. The Justice Department said that a search of his home and his automobile uncovered “thousands of pages of documents and dozens of computers and other storage devices and media containing, conservatively, fifty terabytes of information.”
Fifty terabytes is equivalent to 50,000 gigabytes. One gigabyte can contain 10,000 pages of documents, the department estimated.
By extrapolation, 50 terabytes can hold 500 million pages.
In seeking Friday’s hearing, Mr. Martin’s legal team wrote that he “is neither a flight risk nor a danger to the community, and to the extent either of these factors is a concern, they can be sufficiently addressed with specific release conditions.”
The Justice Department countered Thursday that Mr. Martin “presents a high risk of flight, a risk to the nation, and to the physical safety of others.”
Mr. Martin worked on highly sensitive programs, people familiar with the investigation have said, including those involving an arsenal of cybertools the government has amassed to use against other countries as well as cyberweapons that were in development.
So far, it is unknown what Mr. Martin intended and what, if any, plans he had for the pilfered information.
When the Federal Bureau of Investigation searched Mr. Martin’s home and car in August, it found much of the stolen information in plain sight. Top-secret information was stored in his car, which wasn't parked in a garage. Investigators also found an email chain printed out in that car that was marked “top secret” and contained “highly sensitive information.”
They also found handwritten notes that appeared to describe the NSA’s classified computer infrastructure, the Justice Department said in its filing.
“Among the many other classified documents found in the Defendant’s possession was a document marked as ‘Top Secret/Sensitive Compartmented Information’ (‘TS/SCI’) regarding specific operational plans against a known enemy of the United States and its allies,” the court document said.
Government lawyers argued that releasing Mr. Martin would present an obvious danger.
“As a result of the extensive publicity this case has received, it is readily apparent to every foreign counterintelligence professional and nongovernmental actor that the Defendant has access to highly classified information, whether in his head, in still-hidden physical locations, or stored in cyberspace—and he has demonstrated absolutely no interest in protecting it,” the Justice Department said. “This makes the Defendant a prime target, and his release would seriously endanger the safety of the country and potentially even the Defendant himself.”
The filing described Mr. Martin as computer genius who easily outsmarted government efforts to protect secrets and said he possessed an advanced understanding of how to encrypt messages and hide information in cyberspace.
In July 2016, according to the document, Mr. Martin went to Connecticut and bought a “detective special” police-package Chevrolet Caprice. The FBI found 10 firearms in his possession, including an AR-style tactical rifle and a shotgun with a flash suppressor.
I'm also Australian and I'm disappointed that you are frightened by inanimate objects. I was taught how to use firearms as a child though so perhaps your lack of exposure has solidified into a misplaced fear as an adult (I hypothesise).
I don't need one at this moment, I just want one since I don't know when I'll need one. It's concealed carry; I just happened to still have it on after wearing it all day.
Because the media embellishes the ownership of guns for some nefarious purpose. I could have said more, as they have reported one technical error, but I did not.
Can you explain how they embellish the ownership of guns for nefarious purposes?
The majority of media coverage I see of guns is in relation to actual gun violence i.e incidents that seem to occur with alarming frequency - whereby someone opening fire in a mall or a movie theater.
What usually follows these incidents in the news cycle are editorials asking why there are more stringent background check as many of these incidents are carried out by unstable people. The evidence seems to suggest that the overwhelming majority of gun owners support these check because most owners are responsible law-abiding stable people. But I don't see these editorials as painting this gun owners in a nefarious light. The NRA lobby yes but responsible gun owner no, I just don't see it. And I like to consider myself as someone tries to consume varied news sources.
The article had nothing to do with guns, yet they mention it in two places, specifically to associate it with possible criminal activity.
The media only reports the bad use of guns. If you want to read about the numerous self defense instances, you'll have to read about it from the gun lobby. The NRA is comprised of 4 million dues paying members, which it represents just as much as it does it's corporate members. I actually prefer the GOA myself.
Also, the article mentions a shotgun with a "flash hider". Thus is pure embellishment. Besides, it's a muzzle break to reduce muzzle lift, not a flash suppressor, which would be pointless in a shotgun that would be used at most tens of yards. Though even a muzzle break would be of questionable use on a shotgun.
"If you want to read about the numerous self defense instances, you'll have to read about it from the gun lobby."
You want to complain about "media embellishments" and inaccurate coverage but then you suggest I should use the most powerful political lobby in the US as a news source? There's no embellishment there? That's an unbiased news source?
Just a cursory glance at some recent media outlet coverage of self defense shootings:
Not as a news source, but a news aggregator. The self defense shootings are buried as a 2nd tier link on a web site, or back of news paper. Crime is on the front page. Of course the gun lobby does not highlight crime or negligent shootings, so I'll give you that.
The use would be in the event someone breaks into your house. Practically speaking, it's easier to wear throughout the day than to be continually donning and doffing as you move about.
Surely there is something a little lighter that one could wear? Perhaps a smaller frame polymer pistol with 8 to 10 rounds of .40 S&W? Isn't .40 S&W more-or-less comparable to .45 ACP?
It has a single stack magazine so it's a thin pistol, which is more amenable to in-waist-band concealed carry than lighter pistols with double stack magazines (i.e glocks). That said, my carry gun is a 3" 1911, primarily because that is most comfortable when driving in cars with bucket type seats. If you are carrying while sitting in a more upright position, a full size 5" 1911 is fine. The weight isn't an issue as mine has aluminum frame, though a traditional 1911 is all steel. Anyway, this is what I carry.
Now a single stack polymer frame would be too small. I'm 6'5", 250 LB, and have big hands. I can't operate the magazine releases on small handguns. My wife carries an HK P2000 sub compact; way too small for my hands. I consider the 1911 the perfect handgun, of course that's a huge argument within the gun culture.
Carrying a pistol in a good holster is roughly the same physical burden as carrying the dozen or so keys I don't use on an hourly basis, or wearing a sportscoat rather than just a tshirt.
Do you wreck your car so often that you go through the inconvenience of wearing a seat belt? Besides, what's so inconvenient about carrying a gun? Put holster on belt, take gun from safe and put in holster; done.
> "The filing described Mr. Martin as computer genius who easily outsmarted government efforts to protect secrets and said he possessed an advanced understanding of how to encrypt messages and hide information in cyberspace."
This doesn't really make sense and the wording also hints at sensationalism. It reads like a classic case of deflection, making the accused appear considerably more powerful than he actually is.
This, to me, shows a few things:
- the NSA clearly has no clue who accesses "their" data, when, or how
- the NSA will throw anybody under the bus to save face
- the NSA, to this date, still refuse to put their own inadequacy in the balance and traded their integrity for the power to sustain the organization itself at the cost of everything else (including their original purpose)
Why on earth is this organization still allowed to operate at all?