Saturday, November 23, 2013

NSA: The "big stick" of the Executive Branch and how this really affects US security worldwide

***As a former employee (US Navy analyst at NSA), I must say up front "I can neither confirm nor deny any comments made for or against NSA and their collection efforts both internal and external to the US. All questions should be directed to the Public Affairs Office at Ft. Meade, MD."***

Now that I have parroted the official party line, lets talk.

Today I read an very well written, but sad, article in the Wall Street Journal entitled "Missteps Doomed Civilians As Chemical Attack Loomed." The article outlines a series of steps leading up to the mass chemical attacks in Syria on August 21st. Due to efforts of the US collection system (probably NSA and/or CIA), Syrian troops were know to be using chemical weapons on the population prior to this occasion. These attacks led to the death of a small number of civilians, but were unconfirmed by independent sources. Then on the 21st, an order was giving by a senior level person to perform a mass attack on rebel held locations and the civilian population in the area.

"Sources" stated that the communications intercept (the order) was not immediately translated and reported because these attack had become commonplace. It was not until the death toll kept climbing up that the full weight of the intercepted order came to light.

I do not blame the analysts who intercepted, translated, and reported this occurrence. I blame the the 3 branches of the govarnment for this. You see, it was Congress who voted in the shambles of a law known as USA PATRIOT ACT. It was President Bush who approved the law with his signature. It is President Obama who has taken the collection requests to an absurdly high level (the number of collection requests on US citizens met a "critical mass" before the administration decided to stop reporting the numbers.) I also blame the Judicial Branch for slowly eroding the power of the Constitution and Bill of Rights over the years.

I mostly blame the Executive Branch of the government for endangering the US. You see, NSA has a military commander who receives collection orders from the Executive Branch. I don not advocate replacing DIRNSA with a civilian because a civilian would still receive orders from the same source. When orders are given, resources in the already strapped NSA are stretched further. This is simple supply and demand. You have a set number of resources. When you add tasking, something else has to stop being collected and analyzed. In this case, it appears that the Executive branch ramped up tasking on the US populace in a vane attempt to prevent terrorism at home. This left us with fewer resources to stop terrorism abroad.

***Side note - We homeschool. My wife spends a lot of time discussing the law of unintended consequences and their effect on our country. I am beginning to understand the value of this approach.***

Could the mass slaughter of a civilian population have been avoided in Syria? The simple answer is probably not. The long answer is that the Executive Branch already had knowledge of "low level" use of chemical weapons in Syria and did nothing about it. Worse, the Secretary of State opened the door for Russia to step in and solve the chemical weapons dilemma. Finally, the Presidents inability to lead the World (much less the country) in this matter is abysmal.

This leads me to the discussion of what many people are asking of the US government. Many are calling for the dismantling of the NSA and its collection methods. These people don't usually stop there. They often times complain that we monitor (spy) on other countries, including our partners. I say this is the direction we need to move in. The charter of the NSA was to collect on foreign communications and, at one time, were forbidden to spy on US persons. The collection of US persons was not actually forbidden, but the burden of proof and the need to collect on US persons was heavy.

Anyone who says we should NOT be spying on other countries is naive. Just because you are our friends today does not mean you will be our friend tomorrow. Not only this, you will NEVER have a utopian society in which all peoples are friendly to each other. The reason for this is human nature. Ask my 7 year old why communism is such a bad idea and he will tell you it is a great idea until you introduce the human element. After all, if we can't overcome racism, how do you ever think we will reach utopia?

In conclusion, the current "policy" on spying on US persons is stretching already thin resources to a breaking point. This does not allow the NSA to effectively perform its chartered mandates in the collection and analysis of signals from non-US persons. This endangers US interests and persons by requiring poor asset management.

Please feel free to comment.

Thursday, November 21, 2013

The Question of Ethics from an Unethical Blogger

Today I read a blog from Jeffrey Carr (found here What first strikes me is the title, "The Questionable Value and Ethics of TrustedSec's Pen Test of the Website."

Value: the regard that something is held to deserve; the importance, worth, or usefulness of something.

The website requires a user to enter sensitive data into it. It is discovered that the website is subject to simple reconnaissance techniques that my 13 year old can perform, with the help of Google of course. This reconnaissance results in sensitive data being harvested. I think reporting this to the public is valuable. I could be wrong but I doubt it.

Ethics: moral principles that govern a person's or group's behavior

The problem with arguing ethics is that there is no standard by which to judge. Just as the argument that NSA wiretaps of US citizens is unethical cannot be effectively argued one way or the other, this cannot be argued one way or the other. (Author's note: David Kennedy is perhaps the most ethical person I have ever met. Of course, this cannot be proven. By the very definition, it is untenable.)

At this point, I began reading the swill that follows. The point of the article is to show that the witnesses testimony was swayed by their political beliefs. The arguments are "upheld" by the author in what can only be seen as a completely political tongue-lashing. He seems to be fighting his perceived politics with politics. What? (This reminds me of the "I know you are but what am I arguments of a schoolyard child.)

The author brings up the ethics of publicly "outing" vulnerabilities. David, on more than 1 account, in his verbal testimony and in his report, stated that he contacted the government. He also redacted key information about the vulnerabilities that he reported (clearly stated in the report and in his testimony).

What we have here is an author of a blog that clearly keyed in on a single phrase, David Kennedy speaking on FOX News, and put his political beer goggles on, shut down his ability to reason, and threw a tantrum. What he would have seen if he had performed a simple Google search is that Mr. Kennedy has appeared on CNN and other "liberal" shows several times. As a point of fact, he purposefully spreads the love so as to stay above board. (Plus, he would never hear the end of it from Martin Bos if he did it any other way.)

In conclusion, I could have torn this blog apart line by line and word for word but I have better things to do. So, I will leave you with this: Suck it Jeffrey Carr. SUCK IT!

P.S. One more definition. Slander: the action or crime of making a false spoken statement damaging to a person's reputation. (Used in a sentence: Jeffrey Carr's inaccurate blog article on David Kennedy and TrustedSec was slanderous.)

Correction #1 (Sure to be more) Libel: a published false statement that is damaging to a person's reputation; a written defamation. (Example: Jeffrey wrote therefore he is libel). Thanks to Nick for the correction and sorry to @popehat for not learning a thing from your blog!

Wednesday, November 13, 2013

Top 10 IT/InfoSec terms that need to go!

Many people are sick of buzzwords and want to see them go. I am one of them. I never had a problem with it in the past. Until, that is, non-techies began using them without understanding the implications. 

Here is a list of some of my favorites words or phrases that need to go...

1. Cyber - After many years in the DoD I never got tired of this word. Why is it on my list? Because it is overused by non-DoD peeps when they complain about its use. If you stop complaining about the word, its use will be cut by 3/4.

Image credits - L Macvittie

2. Cloud - When I first used this (10 years ago) it was a picture of an actual cloud to show users that the ISP took over. Now it is so pervasive my kids think of computers before they think of rain.

3. Big data - Uh, what! Why did we ever start using this phrase? Oh, I know. The phrase "lots and lots of data" never caught on. 

4. Black swan - Used to be something until it was EVERYTHING. Just because you suck at business continuity and disaster recovery doesn't mean your problem (experienced by others, by the way) is a black swan.

5. ... for fun and profit - Try to at least be original. Nothing says "I'm a copycat" like this phrase.

6. iWhatever - See number 5.

7. APT - If I can sell you on an idea, I can sell you anything else I want.

8. De-duping - Stop trying to sound cool and use words like efficient.

9. Bloatware - Really, we have to create a new word for unwanted software just because it is on a phone (a.k.a. handheld computer)?

10. Brick - You say you bricked your device. Then you rebooted/restored it. If it is bricked then it will never work again for its intended purpose.

Lets throw one more in for good measure.

11. 4G - Stop using this for anything phone related. It is the 4th generation of mobile phone technology, that is all.

There are others that annoy me but these are the top of my list. Do you have any terms that you want gone? Add them to the Comments sections so they will be used again. 

Monday, November 11, 2013

My misfortune and my new (old) phone

     A few months ago, I had the distinct displeasure of updating my company's Mobile Device policy. It was not the fact that I was writing policy (I actually am one of those weird types who enjoy the nuances of policy writing). The displeasure stemmed from the fact that I purchased the Samsung Infuse and this particular phone did not allow encrypting the handset, a clear violation of said policy. Woe is me. I was discussing this fact with our company's AT&T rep when those fateful words came out; "What kind of phone do you want?" I immediately went tops and asked for a Samsung Note II. His answer, "Give me a few weeks and you'll have it!"

     This sounded like a great deal. In hindsight, it was a mistake. After getting attached to my new Note II, I got a fateful call. I had to return the phone. Now I am back to my Infuse. What was a great phone (when first purchased) is now woefully inadequate. Not only that, but now my development device is no longer usable. I can't play with the Infuse while using it as my only phone. Also, I cannot login to corporate email anymore. (Actually, I can. I just choose to not bypass our technical controls). All of this has led me to technology withdrawals. I feel out of touch when I can't respond to an email while waiting in line at the DMV. I always laughed at those who were not sufficiently connected to the world. I know know their pain.

***On a later note. After a week of using my original phone, I am rather enjoying the freedom of responding in my own time! #silverlining***