1. 29
  1.  

  2. 8

    I’d rather let them have their vulnerabilities. It’s better than mandating backdoors. Then, those of us who want to be secure from remote attacks can simply practice INFOSEC when building our stuff. Whereas someone wanting to get software more secure across the board is going to need regulation w/ liability for non-compliance with basic quality-assurance activities. It worked before (TCSEC) and is working now (DO-178C) to make software more robust. It should simply be done again in minimal form, focusing on the 80/20 rule.

    I elaborated a little more on it here with historical references and a list of assurance activities:

    https://news.ycombinator.com/item?id=14336420

    1. 3

      Sure, but there is a third option: we could ban backdoors and also require security flaws to be disclosed straight away to the offending companies (and then publicly disclosed, say, 3 months later).

      A government could look at this from the defensive side, “We have to tell the company so that we can get our citizens’ and government computers patched ASAP after finding a vulnerability,” rather than the offensive, “We found this vulnerability so we have to hoard it so we can use it against the bad guys, our own citizens’ and government computers be damned!”

      1. 2

        Sure, but there is a third option: we could ban backdoors and also require security flaws to be disclosed straight away to the offending companies (and then publicly disclosed, say, 3 months later).

        Please cite the hundreds of representatives of the U.S. or other Western legislatures who have publicly stated they would vote yes to a ban of all backdoors in software, with a prior voting history matching that. Otherwise, I call bullshit, given they’ve (esp. in Five Eyes) been increasing TLAs’ power every chance or looking the other way on their schemes. They could’ve done that every time they were approached by cryptographers, INFOSEC experts, etc. Instead, they leave it to hang in the air because their paying or politically-helpful stakeholders want backdoors. They were also told they’d be exempt from the spying. Although laughable, the idiots either believe it or think they’re helpless to stop it within the political constraints they operate under.

        If you want to convince electorates, you have to have a plan that fits enough stakeholders to be acceptable. Then, working to many people’s advantage, you might make it work to your advantage. Your saying they’ll just do the opposite of what’s in their interest is disproven by their behavior every day. They only did that the few times enough voters rose against them to stop a law. Voters rarely do that, being apathetic most of the time.

        1. 2

          I’m not saying a government would do this, or that it is the best option; it is just a stance a government could take. It would have some downsides and some strong opposition, but it would also have benefits for the software that citizens are running: companies would get some help finding bugs in their software, and they could remove backdoors they were previously compelled to add.

          The common solution for many governments will likely be a mixture of hoarding security flaws and adding backdoors. There may be a small amount of disclosing of flaws for certain brands, categories, or ages of software; I admit that is definitely not the norm.

          1. 2

            If we’re talking hypothetically, I agree mandatory disclosure would be good. Let’s modify it, though, as it currently says companies make crud, other people do QA for free, and submitting the QA results is mandatory. If submitting is mandatory, then the bounties tiered along severity should be mandatory.

            That way we have incentives to find and submit them.

            1. 2

              Sure, there could be mandatory bounties. If that helps fund it, that’s fine by me.

              On the other hand, if we try to very roughly estimate the amount paid currently per software flaw in another country’s infrastructure:
              Say a pen tester costs a government agency $100,000 p.a.
              Say each pen tester finds 3 (no idea?) flaws per year.

              Can we redirect that money into defence instead of offence? As interconnectedness plays a larger and larger part in each citizen’s life, can we pay $33,000 per flaw to help defend them instead, or as well? I’m sure the news outlets don’t even know what a pen tester is and find it boring, and offence is exciting and easy to explain, so the news may be grossly skewed towards offence. But it seems like the government doesn’t take defending our infrastructure and citizens’ technology seriously; take the recent revelations about hoarding security vulnerabilities and the hospital debacle in multiple countries, for example.

    2. 12

      I’m sure I’m gonna get flamed to death for this, but I’m against this law. Intelligence services need to collect intelligence and conduct espionage against our nation’s enemies.

      In order to do that, they need to have tools. Exploits are tools.

      1. 15

        I’m in favour of disarmament and of ceasing to see the world as being full of “enemies”.

        There’s no reason why governments should be holding secrets, if we are to believe that governments are there by consent of the governed. How can we consent to things we don’t know about?

        1. 4

          Most of the countries in the West have spy agencies or people collecting competitive intelligence. They still compete even if peacefully. They’re not going to stop. If a country gives up its tools/techniques, then the others just get free wins on them. So, the country must keep doing that stuff to stay competitive and protect its citizens’ interests.

          1. 8

            So, who are those enemies? Germans? Mexicans? Russians? The Arab world? The whole world? I’m Mexican. Am I one of your enemies?

            Why does the US have such a large army, and why must this army be maintained? What would happen to the US without its army? What would the enemies do? Steal all their jobs? Invade the homeland? Drop a nuke on them? Destroy their intranets, ransom their data?

            1. 3

              The enemies mainly try to compete with us economically by stealing our IP or attempting to scheme in international negotiations or contacts. One part of government routinely catches contract rigging with the help of spy agencies. They also steal military secrets. Some turn computers into bots to facilitate real-life and online crime. Some want to straight up disrupt our infrastructure randomly or at key points for political reasons.

              These are the enemies I’m talking about. They and the US have been duking it out for a long time, with some of it before the Internet. Gotta stay ahead. In your country, I’d worry about the cartels that are such a strong threat to the government that even the Mexican military can stop them. Their gangs are disrupting the US, too, esp. on the West side.

              1. 5

                The enemies mainly try to compete with us economically

                Slightly tangential, but regarding international relations I sometimes wonder if “American interests” isn’t actually a euphemism for “the interests of American corporations”, which is not really the same thing as “the interests of Americans”.

                1. 3

                  BINGO! You’re thinking in the right direction. I thought that initially, but it’s more complex. Americans like all their content on TV (esp. celebrities & artists), free services, and plentiful goods made by cheap labor here (illegal immigrants) and elsewhere (low-cost labor offshore). They vote with their wallets on these things, and their political votes usually don’t care since the elected officials will continue it. So, they keep benefiting from those forms of corruption that the electorate keeps going. I think we might be able to say those are the interests of actual Americans instead of just corporations, since it benefits Americans, they support it financially, and they don’t want it to change.

                  Then, there’s all the other stuff that’s solely about rewarding a special interest or corporation that paid politicians good money. You can usually tell in any country if the citizens are losing something, a tiny few are gaining something, the citizens didn’t ask for that, and the few paid off the people moving stuff around on the ledger. The fundamental mechanism of corruption. The Goldman Sachs response to the 2008 financial crisis (after creating it) is one of the best examples in U.S. history: a trillion dollars no questions asked, with criminal immunity negotiated by a regulator that was ex-CEO. It doesn’t get better than that for bad folks.

                  1. 2

                    Spoiler alert: Politicians’ constituents are actually corporations, not citizens.

              2. 2

                You can apply this competitive frame to almost anything, with the result that things become worse for everyone. You say “they’re not going to stop,” but competing nations have implemented policies that make them less competitive, such as labor protections. There’s no reason government transparency couldn’t gain traction in a similar way, especially if the U.S. took the lead.

                1. 1

                  If a country gives up its tools/techniques, then the others just get free wins on them.

                  The whole point of requiring disclosures is to improve our own defensive capabilities. Others don’t get “free wins” if the disclosures lead to patches and increased security.

                  1. 1

                    I see your goal but don’t buy the method to achieve it. There are simply too many vulnerabilities in these systems for it to be a meaningful difference. The attack crews of nation-states always have vulnerabilities in popular products. That’s despite bug hunters regularly disclosing vulnerabilities for patches. So, one side disclosing what it finds won’t meaningfully increase security if it’s a large system constantly in flux, in an unsafe language, made by a vendor who doesn’t care about security. The problem is the vendor’s development model. That’s what you fix with law. Then, we can talk about the benefit of disclosure.

                    Even then, if disclosure is mandated, groups like the NSA will request an exemption on national security grounds, not look for bugs in the first place since they can’t use them, or lie about not hoarding them with criminal immunity as always. I mean, we’re talking about rogue-ish spy agencies here.

                2. 3

                  Way back when, when I was in college, there was a guy going around on a bike, grabbing girls’ butts, then riding away. This being college, the Serial Groper was cause for widespread panic. Something needed to be done, and so the police increased night patrols in the target areas.

                  Now, in a completely transparent society, this would have meant publicly posting “Tuesday night officer Jim will patrol up and down Maple Street, and on Wednesday night he will patrol Cherry St., etc.” After all, as an affected citizen, don’t I have the right to know what the police are up to? We surely don’t want secret police patrols.

                  Of course, such disclosure makes it easy for the groper to avoid arrest. Just the price of a free society, no?

                  1. [Comment removed by author]

                    1. 2

                      The premise was that a government should have no secrets. Not some secrets, no secrets. There’s a reasonable discussion one can have regarding which secrets there should be, but that’s difficult from a starting position of absolutely no secrets.

                      1. [Comment removed by author]

                        1. 3

                          Sorry, the point wasn’t to draw such a direct comparison, but to establish a baseline that complete transparency is often counterproductive. Maybe I’m jaded from previous debates with people who insisted that every government document and email be made public immediately. The example was meant to be trivial and obvious, so as to avoid further side debate. (Was going to use bank robbery, but didn’t want to debate the ethics of the bank system, etc.)

                          1. 1

                            You framed it as a sexual harassment issue

                            The parent to his remark said governments should have no secrets at all. That there was no reason for them to. The framing of “no secrets” with a sexual harassment issue is correct in that he illustrates secrets have their place to stop harm to citizens. It was also an easy-to-understand example for about any type of person reading. Whether we should have secrets that are mass-exploitable with ease to cause the same harm to everyone is another point of discussion that you’re bringing up. It wouldn’t fit his framing, but that’s not what he was responding to.

                        2. 2

                          Please try to refrain from posting in this way. You had some good points but it is hard to see them past your hysterics.

                          1. [Comment removed by author]

                            1. 1

                              Being triggered is no excuse for acting dickish; in such cases, removing yourself from the offending stimulus is usually the best option.

                          2. 1

                            Not trying to absolve the NSA (they couldn’t protect their tools; they definitely have responsibility), but Microsoft sells their OS with an expectation of security, and it failed.

                            In a different universe the NSA would have reported this to MSFT before the leak, and this wouldn’t have happened. We should aim for that. But there’s also another universe in which MSFT is more careful.

                            It is absolutely not an inevitability that there are worm-generating bugs in Windows. We build skyscrapers that don’t fall over all the time.

                            We should work on getting the NSA to get awful exploits like this fixed fast. We should have higher standards for OS issues. We should have people be able to stay updated on security releases. We should attack all angles to make this not happen again. A lot of things aligned for this to happen.

                            1. 1

                              It is absolutely not an inevitability that there are worm-generating bugs in Windows. We build skyscrapers that don’t fall over all the time.

                              Based on past data, I can conclude that making an OS that does not have bugs is much harder than building skyscrapers that don’t fall over.

                              1. 1

                                If you keep the TCB small, it costs several million over a few years for the TCB, w/ the rest done in Design-by-Contract in a safe-ish language for 10-50% more. The very first one, GEMSOS, cost $15 million with the most primitive tools, with R&D costs included (aka the cost of partly inventing INFOSEC). seL4 was just over $2 million. A small team at Microsoft did VerveOS. Another small team did ExpressOS using the same tools. These two were safe rather than secure, but design/code safety is a prerequisite, knocking out most code injection. The hypervisor from DeepSpec was 10+ people over a few years.

                                We occasionally have to deal with new classes of vulnerabilities that are totally unrelated to existing root causes. Hard to recall when that required total rewrites rather than a fix outside of the software. It’s hard to do a secure TCB, but skyscrapers are way harder. Apathy is what stops these big companies. I mean, Microsoft could license VerveOS or Midori to those interested in building on advantages they already had. They could use that stuff internally more than they do. They just don’t care and pay politicians good money to protect their financial security. :)

                            2. 1

                              but exploits like those used in WCRY that are wormable, FUCK NO! This is putting everyone at risk.

                              Although I see the point Ted was making, the wormable nature of this exploit does make the comparison meaningless. The actual comparison to these vulnerabilities would be, say, a self-destruct button that could wreck hospitals, banks, the military, or logistics. Or some subset of their operation. There’s a phone number to call to get someone to push it without asking questions. The intelligence agencies have the number, say it’s useful, and their uses justify not pulling the plug on that line or disabling that button. Now, some people have the number. They’re using it for evil.

                              And so on and so forth.

                            3. 0

                              In a free society the girls would just carry firearms and defend themselves from physical violation with necessary force.

                              What has happened instead is that self-defense was outsourced to a third party who is extremely ineffective and inefficient, so it became impossible for them to work without being given MORE POWER by having the ability to now not only have a monopoly on violence but also an asymmetric advantage on information. So the solution to the failure of government is once again more government, in a runaway cycle.

                              As the government gains more power, the sociopaths make their way to the top of the pyramid and we end up with comrade Stalin or dear leader.

                              In the free society scenario, not only was there no need for secrecy, the girls would want to advertise the fact that some of them walk around with firearms with which they will defend themselves when necessary.

                              1. 7

                                To be clear, you’re saying that the preferred response to someone grabbing your ass without your consent is to shoot, and probably kill, the person doing it?

                                1. 2

                                  I like how you glossed over the phrase “necessary force” to go straight to “preferred response… is to shoot.” That’s not what LibertarianLlama said. Either you’ve seen that commenter say they prefer all small crimes resulting in killing the criminal, or you’re assuming a pro-gun stance has a preference for killing. Regardless, most gun owners I know are taught to use a gun as a deterrent by warning an attacker, optionally a warning shot depending on what risk the defender wants to take, and lethal use only if absolutely necessary. Many also carry pepper spray, stay out of risky situations, and so on to reduce the odds of them having to kill people. Most people with guns, whether they like them or carry them out of necessity, don’t want to experience the risk of a violent encounter.

                                  At least, that’s my experience reading surveys of gun owners across the U.S. and listening to over a hundred of them in the South, where people love guns. It’s something good to have but terrible to have to use. Due to the high occurrence of robbery and rape in our area, our family teaches everyone self-defense and proper use of weapons. Almost every one of us has defended themselves from an attacker. A proper defense we see as a necessity, because we can’t trust people to always be good to us. Human nature…

                                  1. 3

                                    Fair enough. My brain did admittedly jump to the assumption that “defending themselves with necessary force” involved actually using the weapon he suggested they carry, instead of just threatening to use it against him.

                                    There’s an argument to be made, though, that a gun may actually be less effective compared to, say, a non-lethal weapon such as the pepper spray you describe or a taser, in a situation such as the one we’re talking about (where the criminal was awful but mostly non-violent). After all, if you’re so hesitant to use your weapon, your threats hold a lot less weight. And even you seem to agree that actually using the gun against him would be a disproportionate use of force, and a court making a self-defence ruling would probably agree.

                                    1. 1

                                      Oh yeah. I encourage carrying a non-lethal for that reason. Also, in some cases, even shouting what they did aloud when they do it can be punishment or deterrent enough via shaming. Still good to have a lethal in the uncommon case that they escalate to violence with pepper spray not stopping them (they grab the person), or among the 5% (1 out of 20) immune to it. Some number like that anyway…

                                      1. 1

                                        After all, if you’re so hesitant to use your weapon, your threats hold a lot less weight.

                                        This is such a perverse argument. So what you are saying is that criminals are more likely to attack you when you are carrying a rifle than when you carry a stick because the criminals will think that you won’t use your firearm because you will be hesitant?

                                        1. 1

                                          Not a stick (nice strawman there), but something like a taser and/or a can of pepper spray.

                                          And the answer is yes, in some cases. Not everyone is a badass who can convincingly threaten to fearlessly take a human life. To paint a stereotypical example, a trembling, inexperienced 18-year-old girl can easily be a more convincing threat with a taser or other effective non-lethal weapon than shakily attempting to point a gun at someone.

                                          (On a sidenote, the gun also escalates the level of violence far beyond that of the initial confrontation, which has its own problems. But I’d rather not get into that whole can of worms right now.)

                              2. 1

                                This is an ideal we should all work towards, but from where I sit human nature as it exists today makes such an ideal impossible to realize.

                              3. 8

                                It’s that or backdoors. If backdoors, they’re going to up their power and/or violence. Vulnerability hoarding is the lesser evil. It’s barely unethical, too, given the market votes against strong security almost every time, suppliers don’t give a damn, and government doesn’t either due to bribes, internal politics, & lock-in.

                                1. 2

                                  I totally agree. Backdoors weaken the armor for everyone, friend and foe alike.

                                  1. 2

                                    Yeah, but if you rely on exploits, then you are betting on “our team” finding more exploits, or finding them quicker, than “the other team”.
                                    On the other hand, if you implement backdoors, then you need to:
                                    a) have the power to compel companies to add them and give you access (what happens when it is an overseas company?);
                                    b) ensure “the other team” isn’t given access or steals access to the backdoors.

                                  2. [Comment from banned user removed]

                                    1. 2

                                      Ok, so did we just win on net neutrality, given most Americans don’t want the FCC trading them for a few companies? Or did the powerful few overrule the apathetic or powerless masses? And what about the Patriot Act, software liability, etc.? What I see in reality, rather than the fantasy world you’re describing, is a bunch of conflicting interests we have to work through to get a compromise on what we want.

                                      I’m picking the choice that allows them to operate on the careless or apathetic, but the market, academics, or FOSS can continue to make strong security. As Schneier is doing recently, we can then continue to argue against increased laws by showing they have what they need right now. Then, people wanting SIGINT and people wanting security can continue receiving both.

                                      1. 1

                                        Do you disagree that we all live in a society in which the rule of law and some kind of government is probably a necessity?

                                        If you do, then having some kind of intelligence service and conducting espionage against other such entities is a fact of life. This isn’t about the choices you and I make personally, it’s about the opinions we hold and the way we think our society should be run.

                                    2. [Comment from banned user removed]

                                      1. 7

                                        I would argue that choosing to deny the pragmatic fact that the intelligence community is an important part of maintaining national security is also insane. So I guess we can all wander off to the loony bin together, eh? :)

                                        1. 4

                                          I’m pretty sure people are choosing to learn the wrong things from WannaCry by ignoring the inconvenient parts of the timeline. The NSA did tell MS about it, and MS did issue a patch, and then there were news stories about how important the patch was because it fixed a serious vulnerability, and still the hospitals decided not to patch.

                                          It’s hard to see how any disclosure policy would have changed that. The NSA had their hand forced, but the patch was nevertheless out for two months. If the NSA had decided to disclose the vuln in 2014 out of the goodness of their hearts, does anybody think that the hospitals’ response would be any different?

                                          1. 1

                                            and still the hospitals decided not to patch.

                                            It’s hard to see how any disclosure policy would have changed that.

                                            The problem is clearly that they were not forced to patch by something external. Regulations or court liability are historically what accomplishes this. I lean toward the former because the latter becomes a lawyers’ playground. Look at healthcare suits in the U.S. right now. All kinds of people rolling around in money-making schemes. Maybe the socialists might have it better with court-based liability for damages done, if people are less sue-happy over there. I hear we’re the top place for such bullshit, but I’m not sure.

                                            1. 3

                                              I guess the bitcoin ransom is something external forcing them to patch. Though the fine is pretty low to have much effect on a large institution, clearly the libertarian free market has provided an essential service that the statists can’t effect with all their enslaving and thieving. Another victory for crymetocurrencies! /s

                                              1. 1

                                                You may be facetious but honestly sometimes people just have to get burned.

                                                1. 1

                                                  Lol. Great example of where liability on market or criminal side ain’t exactly beneficial. Loved your original comment btw. I gotta drop it on a libertarian crowd at some point. They’ll probably just start talking Social Darwinism or something, though.

                                            2. 3

                                              Your argument also supports banning software such as Windows in all such critical cases unless they can demonstrate either no vulnerabilities or a strong posture of security w/ an easy way to update or recover. These kinds of systems existed under DOD regulations before. Some still exist in niche sectors. However, telling intelligence agencies not to do it means it will still get done by non-cooperative agencies, black hats, and so on. The root problem is there’s no requirement to eliminate, or liability for, preventable defects in software. That should be the focus.

                                              1. 3

                                                There is far more risk to our nation as a result of these exploits than to any enemies of ours

                                                This isn’t even remotely true. They use the same systems we do; just look at this heatmap about the same vulnerability you are talking about. Having known many intelligence people over the years, I guarantee you that those people were not just sitting on an exploit for years; they were using it. I’m far from the patriot type at all, but I view this more as arms stockpiling than anything else.

                                                Also, the moment you allow yourself to start name-calling, there is a good chance that you’re guilty of an ad hominem fallacy. It does not strengthen an argument or encourage meaningful discussion. It also lowers the quality of the threads here.

                                            3. [Comment removed by author]

                                              1. 1

                                                The NSA is a large organization with multiple wings; they have put a ton of effort into exactly what you are talking about. They maintain pretty extensive security configuration guides, created SELinux, and even maintain a GitHub that has a bunch of extremely good projects. In fact, if I’m stuck with Windows, the DISA STIG script-set is a must-have and the only solid non-commercial tool I’ve found.

                                                Also I see that IAD is still using that stupid DoD cert that no one in their right mind trusts.

                                                1. 1

                                                  They also helped in evaluating the most secure systems ever done in industry. Then they killed it off. To their credit, though, they were part of that and their GOTS products w/ Type 1 certs like Inline Media Encryptor are on another level.

                                                  http://lukemuehlhauser.com/wp-content/uploads/Bell-Looking-Back-Addendum.pdf

                                                2. 1

                                                  I see where you were going. However, the NSA’s primary mission is subverting security. The conflict of interest means it’s better for an independent organization to do it. We can know this since IAD’s efforts were stymied by the SIGINT side, their own BS, and Congress after lobbying. The same applies for military groups since they’re inherently offensive. Ideally, one like the GAO, since they call BS on the rest every chance instead of toeing the party line.

                                                  1. 2

                                                    I agree it’s better for independent organizations to promote security than the NSA, but you seem to be saying that that’s a reason not to call for the NSA to promote security. Is this what you’re saying, or am I reading you wrong?

                                                    Personally I’ll take security fixes even if they come from the NSA.

                                                    1. 2

                                                      The NSA does provide guidance and aid on security. I’m fine with that. The problem is they also prefer to make security weak so they can attack us. They did that to critical standards and systems. To spot the subversions in their advice, one must already know enough about security to not need it.

                                                      Might as well tell people not to trust NSA for security advice. They’ll save efforts looking elsewhere. Professionals can continue to evaluate their advice in case we find something useful to pass on.

                                                      1. 1

                                                        To spot the subversions in their advice, one must already know enough about security to not need it.

                                                        Wouldn’t security experts be the ones reading the NSA’s vulnerability disclosures?

                                                        1. 1

                                                          Official ones maybe. We can take those. Individual ones maybe not as most projects aren’t run by security experts.

                                                          1. 1

                                                            I still feel like anyone able to patch vulnerabilities would be able to gain from the NSA pointing them out, without being infected by their propaganda.

                                                            1. 1

                                                              Let me modify this: they can benefit from it so long as they can verify the patches are non-malicious.

                                                              1. 2

                                                                Agreed, but I wouldn’t trust any project that merges patches without understanding them anyway. Maybe Microsoft would do that, but not any trustworthy project.

                                                3. 3

                                                  It looks like this is the official Congressional tracking page for the proposed legislation. Text is not yet available, but based on the reporting, the title of the link is wrong.

                                                  The NSA currently undergoes an interagency review process for determining whether to disclose vulnerabilities when they are discovered. This process weighs the NSA’s interest in maintaining a stockpile of exclusive vulnerabilities for use in offensive cyber operations against the broader interest in protecting US military and civilian infrastructure. This review is provided for as part of an Executive Order (which has the force of law, but is immediately superseded by Congress if they pass conflicting legislation), and is administered by the NSA themselves (leading to concerns that they may opt not to consistently engage in the inter-agency review process).

                                                  It sounds like this bill does three things:

                                                  • Makes the inter-agency review process mandatory for all discovered vulnerabilities.
                                                  • Puts the Department of Homeland Security in charge of that review process, rather than the NSA.
                                                  • Requires the yearly publication of an unclassified report on the activities of the DHS committee overseeing this inter-agency review process.

                                                  So, yes, it does require disclosure of vulnerabilities, but not to the public. I (unlike Simba) think this is a good thing. The US maintains a sizable competitive advantage in traditional warfare that we do not enjoy in the cyber domain. The collection and non-disclosure of vulnerabilities is part of how the NSA can develop and maintain such an advantage in this domain. Failing to do so leaves us weaker than other countries who do not have such robust disclosure requirements, and undermines one of the central tenets of US power: that our competitive advantage provides a deterrent against antagonism.

                                                  1. 3

                                                    By the way, for anyone who finds thinking about this stuff interesting, I want to recommend a couple of podcasts and a blog:

                                                    Rational Security Podcast: A bunch of Brookings scholars discuss current events with an eye towards national security issues. The cast is a former NSA lawyer, a foreign policy / Middle East expert, a journalist with the WSJ, and a governance scholar. Great stuff.

                                                    Lawfare Podcast/Blog: This one goes all over the map discussing national security issues with a focus on legal aspects.

                                                    1. 3

                                                      Yes! I listen to both of these, and they are both excellent. I would also add the following:

                                                      1. Bombshell, a podcast from War on the Rocks (a national security analysis blog similar to Lawfare). It’s both very funny and very thoughtful. Hosted by Loren DeJonge Schulman (Deputy Director of Studies and the Leon E. Panetta Senior Fellow at the Center for a New American Security), Radha Iyengar Plumb (senior economist at the RAND Corporation, former member of the Department of Energy Chief of Staff team, and former Deputy Chief of Staff to the Deputy Secretary of Energy), and Erin Simpson (senior editor of War on the Rocks).
                                                      2. The Editor’s Roundtable, a podcast from Foreign Policy about, well, foreign policy. It’s a discussion between a rotating group of FP contributors, and is excellent.

                                                      1. 3

                                                        +1 to Bombshell! Great podcast. I’d not heard The Editor’s Roundtable. I’ll check it out, thanks!

                                                        Of slightly more variable quality than the others but also very interesting is War College - though it sometimes has a slightly more military bent.

                                                        1. 1

                                                          No problem! Thanks for War College. I’ll add it to my list!

                                                    2. 1

                                                      This sounds well-intentioned enough, if you believe that NSA actually follows laws. But… who would audit them?

                                                      1. 2

                                                        GAO. They did, regularly finding lots of problems. They submitted the reports to Congress. The corrupt and apathetic politicians ignored each one. I think they stopped even doing them since they were a waste of money. If there was enforcement, they’re one of the groups that can handle it.

                                                        1. 1

                                                          Okay, there is this meme that the NSA is the wild west, with no supervision and no laws. This is a gross misunderstanding of the state of legal oversight at the NSA.

                                                          Under the FISA Amendments Act of 2008, the Attorney General and the Office of the Director of National Intelligence are responsible for assessing the compliance of the NSA with the requirements set forth in section 702 of the Foreign Intelligence Surveillance Act of 1978. These assessments are reported to the Foreign Intelligence Surveillance Court (the court tasked with overseeing all activities provided for in section 702) and to the relevant congressional committees (the House Intelligence Committee and the Senate Select Committee on Intelligence). [1]

                                                          The NSA also performs their own regular reporting, which is provided to the President’s Intelligence Oversight Board, as well as to the ODNI and AG for consideration in their reporting. In 2015 the NSA declassified a number of these reports, going back 10 years. [2]

                                                          Both the ODNI/AG reports and the NSA internal reports indicate that the NSA does by and large comply with the 702 requirements in a consistent manner, and that when violations occur, they are largely unintentional, and are usually self-reported. When they are intentional or are discovered without self-reporting, they are handled swiftly and well.

                                                          Now, there have been issues in this oversight regime. In 2009 it was discovered that a misunderstanding between the NSA and FISC regarding metadata collection resulted in the NSA going beyond the collection the FISC viewed itself as having authorized. This incident has been used by some as evidence that the NSA actively tries to circumvent the law, and that the FISC, the ODNI/AG reviews, and the NSA self-reporting are insufficient to address abuses. However, the details of this particular issue, and of the response to it once discovered, give little evidence for that interpretation. [3]

                                                          As a summary of what is roughly my own position, I point you to this article by Benjamin Wittes, which analyzes the rule of law and issue of compliance as they apply to the NSA.

                                                          This is not to say that things are perfect, or that I have no issues with the use of the data the NSA collects. I have some concerns about the ability of the FBI to access and make use of the materials the NSA collects, for example. But I also believe that the collection the NSA does is necessary to the defense of the United States (both the government and civilians) and is done with the utmost respect and care for the rule of law and our civil liberties.

                                                          1. 3

                                                            We are obviously coming from very different political perspectives, and I’m not interested in hashing out all that here, though I will say that your position appears almost painfully naive to me.

                                                            Just to clarify, I don’t think that the NSA is at all like ‘the wild west’ (which is itself a myth originating in 1950s Hollywood). Rather, like all bureaucracies, the agency is driven by its (no doubt, very stringent and complex) internal rules, based on its understanding of its mission. My point was that there can be no genuine independent oversight when all of that is secret. (And all the apologetics in the piece you linked doesn’t change that at all for me: in short, I agree with Russ Tice’s assessment of FISA.)

                                                            1. 1

                                                              I am sure we are coming from very different political perspectives. I would say that five years ago I held very different opinions about these issues. I thought Edward Snowden was a patriot who rightfully blew the whistle on abuses within the NSA. I thought the intelligence community was not particularly interested in protecting the civil liberties of the American people. I thought that the IC experienced little meaningful oversight, and was likely full of unchecked abuses.

                                                              I wish you would engage with me on this, as I think that hashing out these issues is important to maintaining a healthy democracy, but also I know that debating people on the internet is tiring, and hard, and not always something a person will want to do.

                                                              I will also say that it is hard not to take offense at having my position described as naïve. Such a description serves little purpose other than to get in the way of understanding. Yes, my posts are citing government reports, and a person’s assessment of how trustworthy such reports are is going to vary. Yes, it may seem that I place undue trust with the government. But seriously, what is gained with dismissal?

                                                              As a final note, I will say that my position changed substantially after I went to work in the federal government. The entirety of my experience has shown that the people in these organizations and organizations like them are good people motivated by a sincere desire to serve their country and its people, and a sincere belief in the rule of law and the defense of civil liberties. You may disagree with this view, but it is not lightly formed nor lightly held, nor is it unquestioning. It is the result of lived experience, and I hope in the future you won’t be so quick to dismiss people with whom you disagree.

                                                              1. 3

                                                                It’s not that I’m altogether unwilling to engage with you on the fundamental issues, just that I’m not interested in doing that here. Clearly you (and nickp) have more time to spend on this discussion than I do.

                                                                What I meant by naïve is simply this: you appear to believe that an organization composed mostly of good and sincere and rule-following people thereby must mostly do good. I don’t think organizations work like that. And believe me, I’m speaking from some lived experience too (mine and that of some ex-NSA coworkers.)

                                                                1. 1

                                                                  That’s a fair perspective to have. And yeah, Nick and I have gone off the deep end a bit in terms of post length. It definitely takes a while.

                                                            2. 3

                                                              “Okay, there is this meme that the NSA is the wild west, with no supervision and no laws. “

                                                              It is. I wonder how you missed that in research. So, let’s start with the revolving door and systematic corruption in DOD, Pentagon, and Congressional oversight. The Congress people get paid bribes (err, contributions) by defense sector, get votes based on what jobs specific programs create/maintain, have stock in the same groups tied to money on defense contracts, and get to vote on budgetary decisions that create those cash flows & jobs. The Pentagon people issuing useless or questionable contracts for tens of millions and up to defense contractors often leave to take six digit jobs with those same contractors doing about nothing. Some go back and forth with steady stream of contracts to contractors regardless of their failures such as overruns or fraud. The defense contractors have been investigated, exposed, sued, and so on going back decades. Those responsible usually move up in government or at least keep their positions. There are almost never criminal charges or forced resignations for revealed corruption since each branch is part of the corruption with the courts often blocked on “national security” grounds. The clip of the Jewel case in Citizenfour where the NSA rep argues the judicial system should have no role in evaluating whether NSA is committing crimes against U.S. citizens is a great example of what they’ve been doing. “Sovereign immunity” was another defense during Bush/Cheney corruption.

                                                              So, that’s the backdrop. The NSA gets authorization to do sigint against enemies then metadata collection against Americans. Americans are lied to, told it’s pretty harmless and of little risk to them. The FBI can do national security letters and such but get full surveillance with a warrant a judge signs off on. They say encryption is so hard to handle with implication they’re missing all kinds of convictions. The NSA Director says under oath he’s not collecting data on Americans’ accounts at (insert service here). Clapper says the same thing under oath. They and Congress all say it’s stopping terrorists left and right and would’ve been critically necessary to stop prior ones. There’s corrupt committees and honest but toothless groups like GAO looking into things behind closed doors. So, there’s probably nothing to even whistleblow, right?

                                                              So, leakers start by pointing out they’re lying about mass collection: everything not metadata. There are internal attempts to change things. Those people are ignored. Then, people like Drake and Binney selectively leak just corrupt use of resources in the press on things like Trailblazer vs Thinthread. Government punishes them including FBI raids instead of corrupt parties. Because of course they do when oversight is in on the corruption. Why would you expect reporting anything to them would change anything if they make money off it and look the other way? (So long as it’s secret…)

                                                              Over time, between Snowden and other investigations/leaks, the press finds almost everything in starting paragraph is wrong. They’re collecting everything without warrants inverting innocent until proven guilty & ignoring 4th/5th Amendment. Organizations saying they’re increasing security are secretly weakening it. Commercial organizations offering security were bribed or compelled to weaken it. There weren’t just targeted warrants: FISA warrants were often “targeting criteria” applied to stream of all our activity. We found that it didn’t stop anything at all plus most cases could’ve been caught with traditional, police work. We found FBI almost never had a problem bypassing crypto despite Mueller’s continued lies. Billions wasted and rights eliminated for no gain supported with fraudulent statements. GAO regularly found problems and abuses but Congress didn’t even read the reports. The FISA court never charged them for offenses. The “accountability” was self-reporting where NSA can cherry-pick stuff. Think Enron picking a select portion of its books on its own showing it never did fraudulent stuff. Ridiculous. After all was revealed, there were still no criminal charges and most people who lied were doing good financially or politically. The Executive branch instead cracked down on whistleblowers revealing corruption with again no punishment for corrupt officials at any level.

                                                              So, I don’t know where you get the idea that there were legitimate channels internally to report to that would’ve gotten anything done. They’re provably corrupt and in on it. You claim oversight but those doing oversight (GAO & intelligence committees) say they’re regularly ignored or lied to. The latter take bribes to look other way, too. Any accountability comes with ceasing of specific wrongdoing and punishment for wrongdoers. Neither occur here. The only method that resulted in even the slightest change or responses at public or government level were media organizations publishing the wrongdoing that leakers gave them. They were then forced to at least pretend to care but doubled down on plenty of bad stuff.

                                                              Now, I don’t trust Snowden any more than you do. However, his and other leaks on domestic stuff proved government officials systematically lied to American people about these programs, let them die occasionally through gross incompetence that they tried to cover up, wasted billions of dollars, subverted us in ways that put us at risk to foreign powers (who used some of those vectors[1]), had no internal security (see Manning and Snowden) in violation of DOD policy (esp on “controlled interfaces”), and had no interest in protecting us online vs the lies they told. All in all, the domestic leaks were a necessary, good thing showing rampant corruption and incompetence. All the damage that resulted is on Congress, DOD, and NSA for doing all of this unnecessary evil with about zero OPSEC and INFOSEC on it outside the SAP’s they developed it in originally. There’s always a chance a Snowden will happen. So, it’s common sense and DOD policy that benefits of covert op must be weighed against damage due to disclosure. They sold us on something with little to no benefit, proven detriment, and we lost countless money and political goodwill due to disclosure. By my standards or their standards, this has been stuff that should’ve never happened across the board if it’s done for rational, security-related reasons w/ feedback loop assessing effectiveness & cost-benefit. It’s political & economical instead, though.

                                                              [1] Snowden is often accused of “aiding and abetting” the enemy for the foreign leaks. They’re speculative about the damage he did although I’m sure he blew operations. He should do life, be renditioned, or be executed depending on who you ask in government. The NSA deliberately inserted vulnerabilities into American infrastructure in BULLRUN across the board that weakened us to the enemy. This included tools and standards meant to protect our most critical assets in infrastructure and companies. The enemies attacked us via some of these causing real damage. If Snowden is a traitor, the NSA is even more for straight up knocking the walls down for the enemies to bring their armies in. And for what? All so they can occasionally spy on an American target w/out due process. Terrible risk vs reward analysis that fits my belief in them as wasteful, lying traitors that are currently the greatest digital threat to us in cyberspace given they spend $200+ mil a year weakening all our shit per Snowden leaks. I repeat: the group “protecting us” spends hundreds of millions of dollars to get weaknesses in everything we have that any enemy can hit and is easy for them to find (deniable backdoors are typical 0-days). That’s damn-near the definition of aiding and abetting the enemy.

                                                              1. 1

                                                                Okay, that is a huge comment, some of it composed solely of assertions with no concrete argument or evidence. I’ll respond where I can, in no particular order:

                                                                1. It sounds like you’d like to separate the disclosure of civilian-affecting programs with solely-foreign programs. It seems to me that the House report I linked in another comment to which you responded makes exactly that distinction. Snowden could have taken substantially greater care to disclose only those materials relevant to the civil liberties interests of the public, rather than the broad disclosure in which he engaged.
                                                                2. I am with you that the NSA’s weakening of existing systems was, based on the information available, a mistake, but it’s also hard to assess these things from the perspective of the public, as we inherently lack access to information about what offensive operational value that weakening had. On its face, it seems at the very least questionable, but I also remain willing to change my mind if some declassification in the future reveals the weakening to have served a valuable role in offensive cyber operations.
                                                                3. I do not know that wrongdoing inherently requires the individualized punishment of everyone involved. The addition of systemic protections can be done without punitive action of those operating under bad guidance.
                                                                4. I agree that the press has substantial value in this realm. The ability of the press to report information, and their willingness to do so, along with their collaboration with the IC to weigh disclosures against potential national security harm, is an important one. You are correct that all operations must consider the potential harm of disclosure. It should always be generally assumed that an insider threat exists and either has access or is actively seeking access to any piece of classified material. It is this assumption which informs our classification process and rules. That the government perhaps incorrectly weighed the harm of disclosure does little to sway me against the action itself.
                                                                5. Yes, the NSA pre-Snowden had over-reached in their surveillance activities, and yes oversight at the time was not properly managing the actions of these agencies. But that is not an argument for the broad disclosure in which Snowden was engaged. That is an argument for a more careful and considered whistle-blowing. If there were even a suggestion of effort to effect change prior to the public disclosure, I would be far more sympathetic to Snowden.
                                                                6. Yes, the acquisitions process has many flaws. These flaws are well known, but efforts to improve the system have been extraordinarily slow. It sounds like you and I agree that a lot can be done to improve this process, although I take a less pessimistic view as to the reasons why the system is the way it is, and as to its ability to be redeemed.

                                                                I’ll go ahead and stop here. I’m sure there are other points to be made here, but this seems good enough for now.

                                                                1. 2

                                                                  “solely of assertions with no concrete argument or evidence”

                                                                  Edit to add it would’ve been twice that size with that. I figured you’d just ask about what you wanted specific data on.

                                                                  1. “ It seems to me that the House report I linked in another comment to which you responded makes exactly that distinction. Snowden could have taken substantially greater care to disclose only those materials relevant to the civil liberties interests of the public, rather than the broad disclosure in which he engaged.” I’m in total agreement. My tagline was “Whistleblow and traitor.”

                                                                  2. “as we inherently lack access to information about what offensive operational value that weakening had.” I disagree. Let me reframe it once again for your consideration. Our enemies are moving stuff to more local and potentially secure fabs, homegrown CPU’s, operating systems, etc. They’re air gapping more. They’re doing security as much as they know how. Whereas, while provoking those same enemies into more cyberattacks, NSA and corporate partners are weakening almost everything we have in America for their select few cyber operations. Our medical, banking, military, power plants, and so on intentionally exposed to enemy for massive, one-size-fits-all-style attacks is the kind of event that should never happen under any circumstances. It’s hard to imagine any gains from spying… which they already admitted were almost nothing… being worth making us that vulnerable while our enemies are massively investing in attack tools for those same areas and building up their defenses instead of weakening themselves. It’s asymmetrically bad to the point you’d almost wonder if they were wanting terrorist or state-sponsored hacks to do damage. Quite self-defeating in national security.

                                                                  3. “I do not know that wrongdoing inherently requires the individualized punishment of everyone involved. “ The government regularly punishes individuals and corporations for serious wrongdoing. When it’s one of these events, they don’t. It’s an unethical double standard for dealing with illegal activity. That many of those who would punish have conflicts of interest makes it look more like corruption.

                                                                  4. “It is this assumption which informs our classification process and rules.” It’s against the law of classification to classify an illegal act. General Alexander himself in the video I linked said that they didn’t have technical capability to intercept Americans’ communications or data because it would be illegal. They have to rely on third parties. So, even by his standards, their interception was all illegal because he straight up said it was. Therefore, any classification of such illegal acts is void since it has to be legal to be classified. There’s no crime in leaking them. However, the FBI etc. has been highly interested in punishing whistleblowers showing such things but not those committing them. ;)

                                                                  5. “That is an argument for a more careful and considered whistle-blowing.” Total agreement. It’s what I would’ve done. He straight-up said one time in an interview he didn’t want to have the stuff on him because of the danger. So, he gave it to journalists. That cowardly stuff is very different from the more careful, filtered reporting the journalists are doing. I’d have hid in a rural area or something going through the stuff based on my knowledge of keywords. It was said elsewhere he had all the data organized. That means hard work was already done. So, there’s little to no excuse except him saving his own ass.

                                                                  6. “These flaws are well known, but efforts to improve the system have been extraordinarily slow.” Efforts to improve the system have failed while making those causing the failures billions of dollars. Congress people got campaign contributions from incumbents and votes from benefiting districts. The defense people keep their inflated contracts, budgets, and so on. You’re going to see a system stay mostly the same when the parties in power over it bring in elite status, huge paychecks, and billions in profit. Always remember human nature first then whatever crap politicians claim second. Politicians everywhere lie for money and power.

                                                                  1. 2

                                                                    Hey, it seems we’re reaching agreement! :D

                                                                    I will say that Alexander used very carefully hedged words, and that the NSA’s internal legal reasoning made a distinction between data and metadata which I’m sure was used to justify the answers given in his public testimony. That said, I do think that the testimony was very misleading at best.

                                                                    It is also frustrating that the mechanisms of power are such that certain individuals and organizations remain essentially immune from consequences for the actions you spell out. I wish it were different.

                                                                    The fact of democracy is that leaders are going to make the most effort to represent the people who make themselves most known to / valuable to the leaders. I wish Citizens United had been decided differently, and that the US had more restrictions in place about the contribution of money to elected officials.

                                                                    I’m also with you that the state of the US’ large defense contractors leads to a variety of waste and intransigence, and I wish it would change. There are efforts to change the acquisitions model toward smaller, faster acquisitions, and I have some hope that this process will lessen some of these problems, but I am not optimistic. In this respect, Eisenhower was absolutely right. Too bad no one listened.

                                                                    1. 1

                                                                      “Hey, it seems we’re reaching agreement! :D”

                                                                      It does seem we agree on some key things. That’s always nice. :)

                                                                      “I will say that Alexander used very carefully hedged words”

                                                                      They do more than that. The NSA redefined the meaning of the word collect so they could lie like that. The legal meaning is them intercepting any piece of data. Their meaning is an analyst looking at it. The interception itself didn’t count as collection to them even though it did to everyone else. Also, the programs actually started before any legal action allowed mass surveillance in a USAP under Bush/Cheney. They were already suppressing any investigation into whether it was Constitutional. Don’t let them fool you into thinking it’s all a misunderstanding. They’re systematic in misleading people at the top.

                                                                      “In this respect, Eisenhower was absolutely right. Too bad no one listened.”

                                                                      I loved Eisenhower’s approach to dealing with military waste. Especially how he put cost into perspective talking about how many hospitals and schools you lose buying one bomber. He’d have been one of my favorites if he didn’t do Operation Ajax. We and others pay for that to this day. Very worth imitating on acquisitions, though.

                                                                      https://en.wikipedia.org/wiki/1953_Iranian_coup_d%27%C3%A9tat#United_States_role

                                                              2. [Comment from banned user removed]

                                                                1. 0

                                                                  I have seen Snowden, yes. It is inaccurate in a number of ways. But rather than enumerating those ways, I am going to instead make the case that Edward Snowden is not nearly the grand patriot or whistle-blower that he claims to be:

                                                                  • Snowden’s disclosures consisted not only of information relevant to the privacy interests of Americans, but to military, defense, and intelligence programs whose disclosure bears little value except in harming US security.
                                                                  • Snowden has, by the admission of the deputy director of the Russian parliament’s defense and security committee, shared some of his ex-filtrated materials with the Russian government. Presumably these materials are materials that had not been already disclosed to the public, and it is unclear whether said materials are those materials which were published after Snowden’s arrival in Russia.
                                                                  • Snowden’s disclosures resulted in a huge cost to the intelligence community and to the military, as they were forced to assess what had been ex-filtrated. Congressional reports put the costs so far in the millions of dollars.
                                                                  • Whistle-blowing statutes provide protection to those who provide information indicating waste, fraud, abuse, or illegal activity to appropriate law enforcement or oversight authorities. Snowden made no effort to make such disclosures first to those authorities, and instead opted for public disclosure. He is thus not a whistle-blower.
                                                                  • Snowden’s ex-filtration included the ex-filtration of personally identifiable information, including credentials, for thousands of workers in the intelligence community.
                                                                  • Snowden had previously failed training on the requirements of section 702 of the Foreign Intelligence Surveillance Act, indicating a lack of understanding of the protections and limitations provided for in that act.
                                                                  • Snowden was repeatedly reprimanded and counseled by his employer for insubordination. He repeatedly violated the chain of command, escalating an issue all the way up to the executive level two weeks prior to the beginning of his ex-filtration, for which he was reprimanded.
                                                                  • Snowden claims to have been prompted to begin his actions by the congressional testimony of Director of National Intelligence James Clapper, although his ex-filtration predates said testimony by eight months.
                                                                  • Snowden has a history of lying, including claiming to his employer that he had left Army basic training due to breaking his legs, when he in fact left due to shin splints. He also claimed to have a high school degree he did not have, and to have worked as a “senior advisor” at the CIA, which he did not. He also doctored his own performance evaluations, exaggerated his resume to gain better jobs, and stole the answers to an employment exam he sat for.

                                                                  All of these lead me to believe that Snowden is not the great patriot he says he is, but rather a disgruntled employee who decided to get back at the government he believed had wronged him by recklessly disclosing national security secrets while draped in the cloak of a whistle-blower.

                                                                  The information I presented is summarized in the House Intelligence Committee’s “Executive Summary of Review of the Unauthorized Disclosures of Former National Security Agency Contractor Edward Snowden.” [1]

                                                                  1. 3

                                                                    Let me review these since I know most of the history of US Govt INFOSEC and am impartial toward Snowden. I consider him a whistleblower, a traitor, and a mystery depending on what we’re talking about. Quick look at your reference.

                                                                    1. Says Snowden is responsible for all this damage since he leaked foreign operations to enemies. This is incorrect since they’re intentionally ignoring a guilty party. Snowden certainly did that damage leaking foreign ops with his share of responsibility. How did he do that, though, given all the DOD rules for protecting classified information in physical or digital form on top of wonderful INFOSEC tools Booz could buy? Oh yeah, because Booz Allen Hamilton had no security protecting TS/SCI information from insider attacks. Not only weak vs TS/SCI recommendations, Booz didn’t even have basic measures that are in place in some small-to-midsized enterprises (SME’s) that they surely could’ve afforded. Had they used the basics, the person doing monitoring would’ve seen Snowden’s tool in action pulling files to one or more computers with multiple people’s credentials that shouldn’t be going on. They’d have contacted those people to check the anomaly, found they knew nothing about it, blocked or restricted access, and then begun an investigation. Certain mitigations would’ve blocked the access in the first place. He’d get away with less data or none at all. The report fails to mention Booz’s incompetence and violation of DOD policy on preventing leaks caused the Snowden leaks. They continue to get billions in contracts, no firings, no criminal charges, and all focus is on Snowden who could be replaced by another whistleblower if the bad INFOSEC persists. Report is already corruption-preserving bullshit even if accurate about Snowden’s betrayal with foreign leaks.

                                                                    https://queue.acm.org/detail.cfm?id=2612261

                                                                    http://www.thedailybeast.com/articles/2013/08/15/booz-allen-keeps-winning-government-security-contracts-after-snowden-leak.html

                                                                    Note: Many of their contracts are for cybersecurity despite no internal security for all these programs. Think that was due to a contract, awarding process with sound audits and accountability? Lol…

                                                                    1. “the Committee found that laws and regulations in effect at the time of Snowden’s actions afforded him protection.” That’s a straight-up lie. All whistleblowers faced retaliation with nothing done about what they said. No canceled contracts, no termination of those responsible, no charges, nothing. Only whistleblowers were investigated or charges attempted. I hypothesize that it’s likely the media attention was the only thing that stopped them from some charges. Whereas, it’s easily provable by comparing domestic leaks to video testimony before Congress of Alexander and Clapper that Snowden performed some legitimate whistleblowing. They’re not in prison for lying under oath, either. Further refutes the claims about going through channels.

                                                                    2. An argument about how computer updates should be managed. It’s irrelevant and even a form of propaganda since they were stating elsewhere he was an infiltrator or something. They can’t keep their own story straight. Snowden later admitted he joined Booz specifically to grab the information claiming ideological motivation. Regardless of actual motivation, his goal was clear. That information, preventing it leaking, and punishing all responsible are the key issues. If anything, the section should be about Booz having no INFOSEC at all in a way that empowered Snowden. The section should focus on how incompetent executives and managers made the leaks so easy. Along with Congressional policies supported by bribes, DOD security policy, and NSA sabotage of security profile that supported it. Then recommendations for terminations or charges along with legal or policy changes.

                                                                    3. The DOD, NSA, FBI, and CIA are… again with concrete proof in their records and the leaks… shown to be serial fabricators with criminal immunity for those fabrications. By CIA’s standards, I rate their source integrity as Low where they would make all this shit up anyway. It could also be true where Snowden does seem to fabricate even when unnecessary. So, this whole section is just unreliable when coming from a source that lies so much.

                                                                    4. “Finally, the Committee remains concerned that more than three years after the start of the unauthorized disclosures, NSA, and the IC as a whole, have not done enough to minimize the risk of another massive unauthorized disclosure.” The gold in the report. Totally true. Again, no charges, firings, or anything. Just more of the same that they were doing with probably some increased security at Booz. More leakers followed Snowden. Then OPM got hit with the details being some of the worst practices in INFOSEC I’ve ever seen with the gravest results of blackmail material available to our enemies. Again, little response in terms of the Congress, DOD, NSA, and OPM that contributed to that in terms of firings and/or charges for negligence. There were some patsies knocked out but that shit should’ve been on paper or done with high-assurance security that government already has (GOTS). It was too critical. Still no mandate on such things for such secrets.

                                                                    So, you’ve delivered a clear piece of government propaganda that mixes truth, lies, and omissions to cover the ass of those really responsible for this mess. What’s in the leaks, DOD policies, and actions of Congress and contractors show there were no convictions or big, believable changes on SIGINT due to any revelations of corruption. That refutes your position and theirs given they acted very little with massive, media attention. They’d act less with secrecy and criminal immunity if oversight is in on corruption. At least it was only 4 pages of bullshit. :)

                                                                    1. 3

                                                                      While I disagree with you, I appreciate that you’re responding to the content of the post.

                                                                      I agree that Booz Allen illustrated extraordinarily poor information security practice, and that Snowden’s ex-filtration of information would have been far more difficult had they had proper mechanisms to restrict access and monitor activity. But I hardly think that Booz’s failures excuse Snowden’s actions, and I don’t think that placing blame is an either/or issue. I both strongly disagree with Snowden’s actions and agree that Booz can, should, and must do more to ensure the security of the information with which they are trusted.

                                                                      On the question of whistle-blowers, the difficulty here is that instances of proper whistle-blowing can occur without any public disclosure. The things the public hears about are the prosecutions (and yes, I think the government enjoys broad leeway in prosecuting whistle-blowers that may need to be curtailed). I do not take as pessimistic a view as you do, and do believe that whistle-blowing can and does occur without retribution being brought upon the whistle-blower.

                                                                      I’m not quite sure I follow the argument you’re making in point 3, so I am going to skip it.

                                                                      On number four, I disagree, but also don’t see much in the way of argument or evidence on which a discussion can be based. I am happy to dig into this more, but for now I’ll leave it be.

                                                                      On number five, the situation is less dire than you make out. Just a couple months ago the leadership of the Office of Personnel Management testified to the House Committee on Oversight and Government Reform about the variety of changes they’re making to their information security practices and architecture to improve their security posture. It’s a work-in-progress, but the gains made so far aren’t nothing, and are continuing. More broadly, there’s been a wide response within the government to the results of President Obama’s Commission on Enhancing National Cybersecurity. It’s slow, and there’s a lot of work still to be done, but the government isn’t just sitting around waiting to be hacked again.

                                                                      Finally, you mention a number of times the issue of bribes, but provide no concrete evidence or chain of reasoning to support this, so I have ignored it. If you’d like to make your argument more substantive, I’d be happy to respond.

                                                                      1. 2

                                                                        “But I hardly think that Booz’s failures excuse Snowden’s actions”

                                                                        Oh, I’m not saying that. Snowden would be guilty in this model. It’s just that Booz would be too with severe punishment for gross negligence.

                                                                        “the difficulty here is that instances of proper whistle-blowing can occur without any public disclosure”

                                                                        It’s possible. It just virtually never happens in practice. So, we must assume the odds are strongly against it working that way. Also, if the crimes are coming top down, then whistleblowing to the top is senseless.

                                                                        “On number four, I disagree, but also don’t see much in the way of argument or evidence on which a discussion can be based. I am happy to dig into this more, but for now I’ll leave it be.”

                                                                        Let’s start with this:

                                                                        https://www.youtube.com/watch?v=oYNXVgYhPOc

                                                                        Alexander, head of NSA at time, testifies to Congress they don’t have the “technological capability” of collecting emails in the US nor the legal authority to do it. Answers no to routinely intercepting the emails of Americans. Answers no to recording Americans’ cellphone conversations. No to recording Google searches. No to text messages. No to Amazon orders. No to bank records. Reiterates at the end that they don’t collect anything in the U.S. without a warrant first.

                                                                        Now, let’s see what the whistleblowers have to say about these statements:

                                                                        https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order

                                                                        https://en.wikipedia.org/wiki/ThinThread

                                                                        https://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html

                                                                        https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html

                                                                        https://theintercept.com/2017/03/13/rand-paul-is-right-nsa-routinely-monitors-americans-communications-without-warrants/

                                                                        https://www.theguardian.com/world/2013/nov/19/fisa-court-documents-nsa-violations-privacy

                                                                        “less dire than you make out. Just a couple months ago the leadership of the Office of Personnel Management testified to the House Committee on Oversight and Government Reform about the variety of changes they’re making to their information security practices and architecture to improve their security posture.”

                                                                        That’s pretty dire. DOD had been getting hacked for a long time. They had the means to stop a lot with minimizing the rest. A combination of political bribery and bureaucracy rewarded people for creating situations such as OPM. Nobody did time for the loss of all the blackmail material. The existing policies requiring security of that stuff aren’t being uniformly enforced or non-compliance severely punished. The better ones from old times aren’t reinstated. Instead, there’s some talk, some scolding, and slow processes in motion while Booz et al move fast and break things on the SIGINT side w/ billions in contracts. CISO probably still has his job, too. ;)

                                                                        “Finally, you mention a number of times the issue of bribes, but provide no concrete evidence or chain of reasoning to support this, so I have ignored it. If you’d like to make your argument more substantive, I’d be happy to respond.”

                                                                        Well, I have to see what you’re aware of. Are you aware U.S. politicians take legal bribes they call campaign contributions from companies who they pay back with legislation that benefits those companies? That they own stock in defense organizations that goes up when they get those wasteful contracts or go to bloody wars? That the “revolving door” of the Pentagon has the people who issue contracts getting financially rewarded by the same private parties they issued contracts to in such a way that it encourages wasteful or illegal activity? I have examples of each. These are foundational to how U.S. lawmakers and executive branch operate plus defense sector.

                                                                      2. 3

                                                                        That’s a good point about internal security (or lack thereof), but it’s probably fair to assume the really big players already knew about this stuff. The smaller adversaries were much less likely to pull off an insider threat.

                                                                        Like BadGuy X learns about some method via Booz sloppiness. That has some value, but he’s not going to tell BadGuy Y about it because that increases the risk the NSA finds out and changes methods. In order for BadGuy X, Y, and Z to learn about something, they must each independently penetrate Booz. Some will, some won’t.

                                                                        Even the people stealing exploits from the NSA have their own reasons to prefer stockpiling to widespread use or disclosure.

                                                                        1. 1

                                                                          In support of your point, the US government long issued reports about IIRC 20+ countries performing espionage against us. They particularly point out that Russia and China have thoroughly infiltrated us stealing all kinds of secrets, including military gear. Our tech also regularly ends up in theirs.

                                                                          Long story short, they already have the material Snowden had given that level of infiltration plus how easy people like Snowden get that level of access. It’s just inevitable in such a context that any competent spy agency has some of those PowerPoints. Numbers game means those with more money have more material. The witch hunts following the leaks will create vacuums that make them desperate to fill positions. Trained spies will get in easier. Maybe even reveal some less successful ones to boost own credibility.

                                                                          The only thing unusual is the group publishing the exploits. Either trolling or sending a message. Most big players would keep them for attacks or plants for intentional misattribution.

                                                              3. 1

                                                                This is off-topic and just going to result in flaming.

                                                                Also, it somehow is missing the law tag.
