It's Time To Split Up NSA Between Spooks and Geeks 122
Hugh Pickens writes "Noah Shachtman writes in Wired that most of us know the National Security Agency as the supersecret spook shop that allegedly slurped up our email and phone calls after the September 11 attacks, but not so many know that the NSA is actually home to two different agencies under one roof: the signals-intelligence directorate, who can tap into any electronic communication, and the information-assurance directorate, the cybersecurity nerds who make sure our government's computers and telecommunications systems are hacker- and eavesdropper-free. 'The problem is, their goals are often in opposition,' writes Shachtman. 'One team wants to exploit software holes; the other wants to repair them.' Users want to know that Google is safeguarding their data and privacy. The trouble is that when Google calls the NSA, everyone watching sees it as a package deal. Google wants geeks, but it runs the risk of getting spies, too."
The NSA practices equal opportunities (Score:1, Funny)
Hats of all colors welcome!
Re:Of course (Score:5, Funny)
Re: (Score:2, Insightful)
You wouldn't actually do it, you'd just tell people you'd done it and hope some of them are gullible enough to fall for it.
Why does Google need to 'partner' with the NSA? (Score:5, Interesting)
Aren't they smart enough and rich enough to hire their own geeks? SIGINT is the main job of NSA, period. If you want to hire the wolf to guard the hen house, you take the consequences.
Re:Why does Google need to 'partner' with the NSA? (Score:5, Informative)
Google & NSA have been in bed together for ages. Heck, you know that thing called Google Earth? It used to be called Keyhole. NSA footed 10% of the bill on that.
Wrong agency. It was the CIA who funded Keyhole through INQTEL.
Re: (Score:2)
NSA has hired most of the smartest math phd's
Re: (Score:2)
Although I immensely respect math PhDs for their understanding and accomplishments, I'm not sure having a PhD in math grants expertise in computer and network security. My guess is their expertise is used largely in encryption efforts. Insofar as that is useful for network security, fine and great, but there's a lot more to network security than just encryption.
I really see no evidence that the NSA has scooped up the smartest math PhDs. In fact, the age of Google is making it harder for the NSA to attract m
Smarts (Score:3, Insightful)
I'm not sure having a PhD in math grants expertise in computer and network security.
It doesn't but you're going to find a pretty heavy correlation between the two. Someone good in math is far more likely than average to have or be able to develop expertise in any given use of computers. The skill sets are different but the skills do overlap to a non-trivial degree. I'm sure a PhD is not required to work in computer security at the NSA but I also suspect they have more PhDs in that role than most employers. Just a guess I'll admit but it seems likely.
My guess is their expertise is used largely in encryption efforts.
I think you are probably correct.
I really see no evidence that the NSA has scooped up the smartest math PhDs.
Cer
Re:Smarts (Score:5, Insightful)
Careful there. Being good at math---being capable of learning higher level math concepts---is not the same as having taken the time to do so. A lot of very people don't bother going beyond a certain point simply because their primary interests lie elsewhere. And to some degree, being too analytical can actually hurt your ability to write good software.
Writing software is not an entirely analytical process. It has some analytical components, particularly in understanding how the parts fit into the whole. However, creating the code itself is also an artistic process in many ways. You must consider all the different ways of doing something and choose the best one, based not just on the current needs, but also on a general feeling about what you might want to do with the code in the future without going overboard.
Thus, good programming requires a very delicate balance between analytical abilities and creative/artistic abilities. Analytical skills are necessary, but not sufficient.
I would actually argue that programming skills tend to be more strongly correlated with musical ability than math education. Good musicians are generally good at analytical tasks, including math, but also have the artistic ability needed to take that critical step back and pay attention to the system design, the UI, etc.
I've always found it staggering how many of my coworkers are musicians. In my department alone, it's at least one in three, and many of the people who aren't musicians have kids who are. Whenever we have a department party, we usually get together a group of people and jam. And my previous employer was the same way.
Some simplification. (Score:1)
Software is engineering. Cryptography is research.
Re: (Score:3, Insightful)
While you make some good points, your arguments are inherently incorrect based upon your misunderstanding of creative problem solving. Here is a link http://en.wikipedia.org/wiki/Creative_problem_solving [wikipedia.org]. Note the second sentence in the second paragraph. Problem solving as a whole is considered the most complex of all intellectual functions. Mathematical problem solving is considered one of the highest, if not the highest, forms of creative problem solving. Also consider for a moment that effectively t
Re: (Score:3, Insightful)
Odd, from what i've seen, most physicists write the worst code of all. Scientists and mathematicians gave us COBOL, BLAS, and LAPACK. They gave us functions with names like xerbla and sgemm. And so on. They tend to create code that is so brilliant that nobody can understand it except the person who wrote it, and after a few weeks, not even that person. That may not be your experience, but the experience is far from uncommon. :-)
And just to be clear, I didn't say that all musicians would be good program
Re: (Score:2)
And this, ladies and gentlemen, is what happens when you edit code too many times without a regression test.
IIRC, it originally was a completely different sentence that started with "a lot of very good programmers". I ditched the original sentence and added a totally new last half and missed the extra word in the recombining process. My bad.
Re: (Score:3, Interesting)
What Google is doing is business intelligence--learning stuff about people, relationships, web pages and then using that information to sell products, in the current case, Advertising. Walmart does the same thing but they collect data about products and people and sell merchandise. There are dozens of other examples. But what they are doing in parallel is forming huge databases of anonymous (hopefully) people data.
For an agency like the NSA, and what they are tasked to do, this is a huge goldmine of info
Re: (Score:1)
Re: (Score:3, Funny)
Amerika! Amerika ist wunderbar!
Amerikahu akbar!
Re:Why does Google need to 'partner' with the NSA? (Score:5, Insightful)
Because besides having the best "hackers" on the planet, the NSA also has the best sysadmins on the planet. Because the aforementioned 'hackers' practice against them.
This, btw, is why the author's idea is terrible. You want both offense and defense in the same agency so that they can share techniques.
Re: (Score:1)
Where else is Google going to find someone that understands how to configure SELinux so it can be used in real life.
Oh, doh! I referenced real life in the same sentence as SELinux and Google in a Slashdot posting on the NSA.
If the NSA handles SIGINT, who handles SIGTERM? (Score:2, Funny)
And how about SIGHUP?
Re:If the NSA handles SIGINT, who handles SIGTERM? (Score:5, Funny)
SIGSTOP is handled by KAOS.
SIGCONT is handled by CONTROL.
SIGHUP? It's handl#`%${NO CARRIER
Hrmmm (Score:2)
How can one side do their job if the other doesn't point out the exploit?
I feel the same about AV software. If the big AV companies don't have at least a few virus/worm writers on the payroll, how else do they know if their defense software is any good?*
*Less assume for a moment that AV software is somewhat decent.
Nonsensical ... (Score:5, Insightful)
Okay, so TFA is arguing that creating a new agency 'that didn’t include the spooks would' avoid conflict and bring about 'acceptance across the government and the private sector'.
But right in the beginning, it says '[Google] wants geeks, but it runs the risk of getting spies' when it contacts the NSA.
If there is no guarantee that Google doesn't end up getting spooks from the NSA, who can say this new agency won't have spooks in there from the NSA?
Am I missing something here, or is there some magical reason why this new agency won't have spooks embedded there, and it should be trusted any more than the NSA?
Re:Nonsensical ... (Score:5, Insightful)
Re: (Score:2)
The same reason that you don't have spooks in the FBI and DMV?
Re: (Score:2)
The same reason that you don't have spooks in the FBI and DMV?
Yes, neither of those agencies have spooks at all. Nope. Definitely not.
Re: (Score:2)
'Tension normally results in balance.'
... and equally commonly in a broken spring.
And??? (Score:2)
How exactly will splitting the NSA fix this? It's a government agency. If the government wants to give you spies, you get spies. Doesn't matter which 3-letter acronym organization they get their paychecks from.
Re: (Score:2, Interesting)
The government is not a monolithic mind. Bureaucratic distance famously hindered information sharing between various agencies pre-9/11, and that was when it was largely in both agencies' interest to cooperate. That wasn't an isolated instance--it's how bureaucracy works. Someone with control over both agencies could force one agency to subjugate its goals to the others', but it's much more complicated, much more controversial, will receive much more resistance, and is over-all much less likely to be attempt
Re: (Score:3, Interesting)
Spooks & Geeks are Intertwined (Score:1)
Who do you think comes up with the technology to crack encryption of intercept signals?
Hell No (Score:5, Insightful)
We do not need yet another federal agency. Splitting them in two will only result in two bigger agencies with an ever ravenous appetite for more tax funds.
One of the worst things Bush did post 9/11 was creating the spate of new federal agencies. Can anyone say that their flying experience is actually better after TSA was created? Anyone?
How much good did creating yet another layer of intelligence bureaucracy do us? Did intelligence get any better after we made the Director of Central Intelligence obsolete by creating a Director of National Intelligence? Not one damn whit. It just grew the federal payroll some more, and added more bloat and bureaucracy.
Vital intelligence work needs to be done, but we need to be trimming down these agencies, not creating new ones.
Re: (Score:2)
Can anyone say that their flying experience is actually better after TSA was created? Anyone?
It's the only way for some of us to actually afford X-ray checkups, you insensitive clod!
Re: (Score:3, Insightful)
The TSA is supposed to make your flying experience better?
Re: (Score:2, Informative)
Not "better".. Safer [aero-news.net]..
Re: (Score:3, Interesting)
The TSA is supposed to herd air travelers in ever larger targets for terrorists in front of machines they use to find shampoo bottles in.
Seriously, how long is it going to take for some terrorist to walk into an airport with a suitcase bomb, sit in line for the TSA till he is in the middle of 100's or even 1000's of people during the holiday season and blow himself up ?
Re: (Score:2)
One of the worst things Bush did post 9/11 was creating the spate of new federal agencies. Can anyone say that their flying experience is actually better after TSA was created? Anyone?
To be fair, the only people who have had their planes fly into buildings aren't around to answer. The rest of us have experienced annoyances at the gates, so the boarding experience is worse, but the actual flying experience is just about the same (except the knowledge that just sitting still during a potential hijacking is dumb, so now people are ever slightly more on edge, but that has nothing to do with the TSA).
Two sides of the same coin (Score:5, Insightful)
Keeping our systems secure, and breaking into the other guys' systems, are damn near the same job. It is a good thing to have the people responsible for both working together, and maybe trading jobs occasionally. There is no American computer security and Russian computer security and Chinese computer security: there is only computer security, and systems which are more or less secure. The NSA has historically been about the only government agency that really seems to get this, and it would be a real mistake to break it up.
Re: (Score:2, Insightful)
[sarcasm]
Yeah, if anything, the NSA has made things LESS secure! I mean, look at SELinux. It's a load of crap!!
[/sarcasm]
Re: (Score:1, Funny)
Yeah, take a good long look at SELinux. You'll find it everywhere - after all, it's been distributed for a decade now! And in the past ten years, they've gone on to... ?
In terms of improving overall American cybersecurity, SELinux has proven marginally more effective than sticking your dick in a toaster.
Let's face it - expecting the NSA to highlight security flaws in commonly deployed software is like expecting a magician to explain his tricks to the audience before he does them.
Re:Two sides of the same coin (Score:4, Interesting)
I've read the article twice and it doesn't support it's own conclusion, if you except as a given that the NSA is bad, a loose cannon in regards to real American's rights it follows logically, if you don't think the NSA is inherently bad the article just panders to the tinfoil hat crowd. Google, an American Corp, and many other Corporations were attacked by an entity that appears was either the Chinese Government, a proxy of the Chinese Government or an entity specifically trying to make it look like the Chinese Government for their own nefarious purposes. Getting the "big guns" involved to help sort out the mess is the only reasonable response, it's what they are supposed to do and what they do.
Re: (Score:1)
Re: (Score:1, Informative)
Um, internal security is a function of the FBI not the NSA - the NSA's job is to gather [electronic, CIA and DIA deal with humInt] on other governments/organizations. It is the FBI's job to investigate domestic ends of these sorts of things and for that, we have warrants, etc. to ensure liberty.
Re: (Score:2)
Re: (Score:2)
The entire idea behind the NSA isn't to spy on Americans. It's to spy on EVERYONE. They spend a fortune monitoring all they can on just about every country on the planet.
Re: (Score:2)
Who ever said that was the entire idea behind the NSA? You do realize that the NSA spies on other countries as well? Just ban them from listening in on Americans, as an official policy, and don't worry about it.
Besides, it's not like disbanding the NSA would actually do anything. There is a reason people say NSA stands for No Such Agency...
Re: (Score:2)
The NSA's policy notwithstanding, isn't it actually against the law for them to gather intelligence domestically? I know, I know, here I go with my pre-9/11 thinking again.
Re: (Score:1)
Re: (Score:2)
The NSA's policy notwithstanding, isn't it actually against the law for them to gather intelligence domestically? I know, I know, here I go with my pre-9/11 thinking again.
They've been spying on Americans for decades now. The Patriot Act just legitimized it.
Re: (Score:3, Informative)
Just ban them from listening in on Americans, as an official policy, and don't worry about it.
I'm sorry but that's purely wishful thinking on your part.
In 1976, the Church Committee reports found NSA obtained copies of millions of private telegrams sent from, to or through the United States in its SHAMROCK program. [icdc.com]
On August 17, 2006, District Court Judge Anna Diggs Taylor ruled in ACLU v. NSA [wikipedia.org] that NSA violated the First and Fourth amendment by warrantless tapping American citizens in the aftermath of 9/11.
In April 2009, intelligence officials admits that NSA had been engaged in “over [nytimes.com]
Re: (Score:2)
I don't deny any of it. All I'm saying is that "disbanding" the NSA won't stop any of it. They'll just change their name and set up shop completely secretly, just like before.
Really? You consider that an extreme case? If anyone needs to be wiretapped it's the corrupt US politicians who are responsible for all of this, and if wire-tapping should be occurring anywhere, it should be occurring outside the country...
not a problem (Score:2)
"from" the United States: foreign
"to" the United States: foreign
"through" the United States: foreign
(the missing possibility is "within")
Re: (Score:2)
"to" the United States: foreign person an American citizen
In both cases the American citizen's Fourth Amendment rights were violated.
Re: (Score:2)
I suspect the view is that all communication between persons in the US and persons outside the US are suspect and are subject to monitoring. Always have been, since the inception of the NSA. They are firmly plugged in to all International traffic, always have been and always will be.
Re: (Score:2)
When at least one side is foreign, we can just say we're searching that side. It's in transit to/from him, so that just makes sense.
It'll get searched by his government too. That's how things have worked for millenia.
Re: (Score:2)
They already did, and it made things worse (Score:5, Informative)
This is old info, but NSA used to have a big internal division - the important stuff was at Fort Meade, and the less important stuff was at "FANX", the "Friendship Annex" (out near Friendship Airport, now called Baltimore Washington International). Support functions like personnel were at FANX, and still are.
Computer security was at FANX. Which was a problem. Being banished to FANX was bad for your career. The top NSA people didn't go to the computer security side of the house. So computer security languished for years.
All this was back when the USSR was the enemy, and NSA has changed a lot since then. But they still have Fort Meade and FANX, and less important stuff is still at FANX.
For a while, in the 1980s and 1990s, NSA did do serious computer security evaluations. Industry hated it, because products could fail. The original policy was that a company could submit products for evaluation by NSA. In the first round of evaluation, the NSA people told the company what was wrong, and gave them a chance to fix it. The second round was pass/fail; if NSA could break into it, it failed. There was no third round. Some highly secure systems did pass the tests, but they were not mainstream systems.
The process is now more "industry friendly". [niap-ccevs.org] Evaluations are made by outside labs, paid by the companies being evaluated. Companies can keep trying over and over until they pass. Failures are not publicized. There are versions of Windows that have passed some level of Common Criteria testing.
The "geeks and spies" division in the article is bogus. NSA is all geeks. (Mostly the middle-aged federal employee version thereof.) It's buildings full of people working at desks. There are no "NSA agents". The spies and the guys with guns are at CIA, FBI, DIA, and in the intelligence units of the armed services.
Re: (Score:2, Funny)
The "geeks and spies" division in the article is bogus. NSA is all geeks. (Mostly the middle-aged federal employee version thereof.) It's buildings full of people working at desks. There are no "NSA agents". The spies and the guys with guns are at CIA, FBI, DIA, and in the intelligence units of the armed services.
This. I always get a laugh out of people saying "NSA agents"... the classic example was from Sneakers and the "NSA Agents" that were pursuing the decryption box. The only "Agents" that work for the NSA are internal types that manage polygraphs and security clearances. The rest of the people are geeks/nerds... well, actually managers and geeks/nerds. I remember an old joke floating around about the NSA: If the NSA ran a rowing crew it would have 7 people calling out "stroke" (managers) and 1 guy actuall
Re: (Score:2)
I remember an old joke floating around about the NSA: If the NSA ran a rowing crew it would have 7 people calling out "stroke" (managers) and 1 guy actually rowing (geek/nerd).
So shouldn't it be 7 people calling out "stroke" while 1 guy fumbles and reaches for his inhaler? :)
Re: (Score:2)
Man, why did I already blow my mod points? That's hilarious!
It all depends (Score:3, Interesting)
It all depends on what level of Common Criteria evaluation you are talking about. At the higher levels, there is a lab authorized to conduct a product inspection and, once you pass that test, you get a medium level NIAP certificate. If you wish a higher level of CC approval in the US, after this original process NSA itself takes control and does its tests. So the process is still a two step process with NSA involvement...or was about 4 years ago when I was involved in taking an "Orange Book" product through
Re: (Score:3, Interesting)
I'd always assumed the idea of "NSA agents" was a myth, too. But if you visit the National Cryptologic Museum, there's a memorial there - apparently a duplicate of the one at Fort Meade - honoring fallen cryptologists. I seem to remember that a bunch of the names were actually just stars, because their identities were still secret. From the museum's website:
"The Memorial Wall was designed by an NSA employee and is 12 feet wide and eight feet high, centered with a triangle. The words "They Served in Silen
Re: (Score:1, Informative)
I have to say that 153 sounds like an awfully high death toll if we're talking about desk workers.
NSA also includes CSS (Central Security Service) which provides crypto support to military branches. Some of the NSA/CSS personnel wind up on various missions which can be risky... e.g. manning various posts, on board planes/boats, etc.
Re: (Score:2)
And a lot of important stuff was done there from time to time. And the real important stuff? Not at the Fort. That was done somewhere else. Though the fort does have the cool (at least to us techies), lowe
Moral Responsibility (Score:3, Interesting)
runs the risk of getting spies (Score:2)
Re: (Score:2)
Re: (Score:2)
that makes 'spies' sound like an infestation. suggestions on a spy repellent?
Lets start a cyberwar with China. (Score:1, Insightful)
This is not nonsense nor stupid, (Score:1)
This is only part of cover story on Chinese vs. Google fiasco.
Obviously, Chinese used earlier Google "teaming up" with NSA as part of action pretext, and now someone is wrapping up things. That was not so, it is this, and so on. A bit oblique, but it must be...
Too bad Chinese won't buy it.
One possibility is - they already "did". And stories like these are to cover tracks when both Google and Chinese pull their moves back.
The US needs both under one roof (Score:1, Troll)
The signals-intelligence directorate to hack every trackable device and the information-assurance directorate to make sure the voice print is correct before the drone is released?
You can get it killing Dzokhar Dudayev,
You can get it tracking Abdullah Ocalan,
you can get it hacking wikileaks - -
- matter of fact; I've got it now.
A big predatory ideology in denial needs a big cold agency and the best cold agency is the NSA! No such agency.
Just because you create two, (Score:2)
doesn't mean they won't cooperate (e.g. State Department/CIA).
Better solution (Score:2)
Wouldn't it just be easier to abolish the NSA?
Re: (Score:2)
Wouldn't it just be easier to abolish the NSA?
No. First of all, there's a direct public interest in having a government agency which tries to make sure that commercial crypto is secure. That's economically important. It helps businesses and individuals and benefits the general economy. Second, even the spook half of the NSA needs to exist. SIGINT is important. The problem with the NSA rests on overeager SIGINT attempts which violate our rights. But legitimate SIGINT still needs to occur. And if we abolished the NSA the abuses would likely simply migrat
Re: (Score:2)
Okay, if the NSA is necessary, then we can get rid of the CIA, right?
Split and In Opposition is the only way to oversee (Score:1)
Close and shut down the NSA (Score:1, Interesting)
The NSA has no business existing. Shut down the agency. Secret government agencies have no place operating in an open, free democracy.
Re: (Score:2)
When all governments are open and democratic, you might have a point. How about the ones that aren't. Should the rest of the world force them to change?
How Do We Know the NSA Is Any Smarter Than Google? (Score:1)
We don't know all of what the NSA does, what it spends, how often it succeeds/fails (or even what that means). Nobody is measuring the NSA for cost/effectiveness. One of the few things we _do_ know about the NSA is that some of the shit they pull violates U.S. citizens' constitutional rights.
What we should do is shitcan the current NSA and start over again. But this time build something that is monitored to ensure that, whatever it does, it does that effectively.
Of course the same could be said about the CI
Re: (Score:2)
Actually, Congress has oversight of NSA. Select committees are briefed on what they do and how the money is being budgeted. What you are complaining about is that you are out of the loop. If Congress wanted you to be in the loop, you'd be in the loop. The same can be said for the CIA, FBI, but I doubt there are hundreds of these other government agencies you apparently believe to exist. But then people believe in UFOs too.
Shitcanning the NSA and starting over would create....the NSA. Of course, you'd lose a
Re: (Score:1)
ad hominem (Score:1)
I don't like Noah Shachtman or his work. I last thought about him when he wrote something about Los Alamos, NM, which I know well. His article was misleading and had a misplaced sense of excitement and drama. At the time, I checked out some of his other work and found that it was similar.
I put him in with Dvorak. I ignore what he says.
Am I missing something? (Score:3, Insightful)
How are they in opposition? Isn't the aim to exploit the ones in their systems, and plug the holes in ours.
To make the relationship look lesser evil (Score:1)