"We've changed the passwords." Excellent job boys, you deserve a raise. And two-person requirements to access the data? Yeah, that will take 5 years to develop, cost $2 billion, and never really work.
There must be thousands of people who knew this system existed. You can't keep that secret forever, Top Secret clearance or not.
What if the next "national traitor" uses his Top Secret clearance to use that data stream to his own financial benefit? Blackmailing senators on their affairs, or exacting revenge on targets given to him by outside crime bosses.
Maybe I watch too many movies... But for every good guy like Snowden, there is a bad guy.
The NSA knew a lot about AQ prior to 9/11. They had intel that could have prevented the USS Cole bombing. If they had worked together better with FBI and CIA prior to 9/11 that attack likely could have been averted as well.
That's the reason no General got fired for Manning. Congress themselves foisted the much-closer integration of intel community elements to prevent another 9/11. Instead of agency in-fighting there would be close cooperation. The analysts doing the actual intel work would no longer have barricades placed in the way of doing their jobs.
Manning betrayed that trust. That alone should have been enough for NSA to change their own internal information security controls so there is definitely more recrimination that should follow (if it hasn't already)... but at the end of the day you can't get around the fact that the less you trust your employees to do their jobs, the more difficult it becomes to do the job at all.
Who's to say this hasn't already happened? I wouldn't put it past the 'Gang of Eight'[1] to use the NSA as a means to maintain their seat in power by quashing opposition, especially since it's been widely reported that the thorough congressional oversight has as many holes as Swiss cheese.
[1] http://en.wikipedia.org/wiki/Gang_of_Eight_(intelligence)
My presumption is that the politicians are playing this down because of perhaps the information the NSA has on them. I assume the power is in the web of information people have on each other. So, a balance is maintained, or something like that. Well, going public seems ineffective. It seems these people have games to play to mitigate the damage caused by public disclosure. You know, divide up the issue, make it black and white, make it about traitors and good guys, and so on. So, maybe the next person who feels a tug of conscience might decide: OK, I have all this info, I can either release it to the voters, who will no doubt be manipulated, or I can bowl up to a few senators and use the information to make them force change, like the system already seems to.
Makes me think of the end of Clear and Present Danger, where Ryan has some information that could kill off the presidency. The President points out that what he actually has in his hand is a chip which he can play in the halls of power. Perhaps Bradley and Snowden had it wrong. Perhaps they should have played their chips?
Dunno. Is that how it should work? Play them according to their rules? Forget the whole honest, open and decent thing, and get secretly, politically dirty? Do deals under the table? Get change that way?
I really don't like the idea of that at all, but it seems that anything decent and honest is easily disposed of as a matter of routine.
His supervisors, by the way, are at Booz Allen, not the NSA. Although certainly the NSA has to take responsibility for the contractors it does business with.
I think we know that they haven't been because if they truly believe (as they are publicly claiming) that the leaks caused "irreversible and significant damage", then they would publicly fire anyone with any potential role in allowing such a leak to happen (read: failing to prevent it from happening). The responsibility in the chain of command goes all the way up, so in an organization like NSA the security failure cannot be blamed only on Snowden.
If you have no need of any service that requires entering into such a contract, then you can completely ignore PCI.
After all, if somebody asks why this couldn't happen again, you don't say, "We fired the guy who designed this system." You say, "We changed this, this, and this."
He talks about implementing a two-man rule, which is an excellent idea. I'm not sure how that's going to work in practice, though. Is there a way to make the Linux root password composed of two passwords?
This could certainly be done via a custom PAM module. Of course, we should also consider that admins will often have physical access to the systems. I can't think up a purely technical solution to enforce the 2 man rule.
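One way to make a single credential depend on two people, as asked in the two comments above, is a 2-of-2 XOR split of a random secret. This is an added example, not code from any commenter; the function names, the PBKDF2 round count and the 32-byte secret size are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # constructed parameter for this example


def xor_bytes(left: bytes, right: bytes) -> bytes:
    """XOR two equal-length byte strings; reject mismatched lengths."""
    if len(left) != len(right):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(left, right))


def kdf(secret: bytes, salt: bytes) -> bytes:
    """Salted, stretched digest of the recombined credential."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)


def provision(nbytes: int = 32):
    """Create a random credential, keep only its salted hash, hand out two shares."""
    secret = secrets.token_bytes(nbytes)
    salt = secrets.token_bytes(16)
    record = {"salt": salt, "hash": kdf(secret, salt)}
    share_a = secrets.token_bytes(nbytes)  # uniformly random, independent of secret
    share_b = xor_bytes(secret, share_a)   # also uniformly random when seen alone
    return record, share_a, share_b        # the secret itself is not returned


def authorize(record: dict, share_a: bytes, share_b: bytes) -> bool:
    """Succeed only when both custodians present their correct shares."""
    try:
        candidate = xor_bytes(share_a, share_b)
    except ValueError:
        return False
    return hmac.compare_digest(kdf(candidate, record["salt"]), record["hash"])


if __name__ == "__main__":
    record, alice, bob = provision()  # constructed custodians
    print("both shares:", authorize(record, alice, bob))
    print("one custodian twice:", authorize(record, alice, alice))
```

Neither share alone reveals anything about the credential, but as the reply above notes, this does nothing against an admin with physical access to the machine.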
Answer that question - and answer it without linking it to "this program" because you've already said "this program doesn't authorize that" and don't link it to "this country" because you've said the laws of this country forbid that type of thing.
Plain and simple.
Does any representation of this information exist in any state (analog, digital, audio, waveform, transcription, encrypted, modified, converted, fucking pantomime) that differs from a layman's understanding of where their communications data resides?