Saturday, August 31, 2013

On Why Heads Should Roll at the NSA

Why’d Ya Have to Do It Evil Genius? » Balloon Juice:
"One of Snowden’s superpowers cited in that NBC story is the ability to “impersonate” high-level officials. This is a garden-variety capability that a lot of users with administrative access have. I have it in a couple of different forms on systems that I manage for clients. From the point of view of security, it’s a necessary evil, and it needs to be carefully controlled and audited. Hype and spin notwithstanding, the huge trove of documents that Snowden extracted from the NSA isn’t evidence that he’s some kind of Lex Luthor who couldn’t be thwarted by mere mortals. Instead, it shows that NSA’s controls were weak, and the NSA’s leadership needs to be held accountable"

'via Blog this'

If your sysadmins can impersonate anyone on a top secret network without any audit trail being generated and with no warning bells going off then you have to think it is a systemic failure and there needs to be several folks lose their jobs.
If I had written, or designed, this system I would be ashamed of myself.
If I was in charge of managing the folks that run it or wrote it I would be expecting to be fired about now.
If the system was generating usable audit trails and nobody was following up that is a level of dereliction of duty that one could argue it rises to criminal behavior, in particular 18 USC § 793 - Gathering, transmitting or losing defense information


(e) Whoever having unauthorized possession of, access to, or control over any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, instrument, appliance, or note relating to the national defense, or information relating to the national defense which information the possessor has reason to believe could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicates, delivers, transmits or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it; or
(f) Whoever, being entrusted with or having lawful possession or control of any document, writing, code book, signal book, sketch, photograph, photographic negative, blueprint, plan, map, model, instrument, appliance, note, or information, relating to the national defense,(1) through gross negligence permits the same to be removed from its proper place of custody or delivered to anyone in violation of his trust, or to be lost, stolen, abstracted, or destroyed, or
(2) having knowledge that the same has been illegally removed from its proper place of custody or delivered to anyone in violation of its trust, or lost, or stolen, abstracted, or destroyed, and fails to make prompt report of such loss, theft, abstraction, or destruction to his superior officer—
Shall be fined under this title or imprisoned not more than ten years, or both.

No comments:

Post a Comment

Not moderated but I do delete spam and I would rather that people not act like assholes.