Schneier on Security

Nick P • June 10, 2013 12:33 PM

On Snowden.

Bruce thinks he’s a hero. I think he’s a well-intentioned fool. Here’s my reasons.

(Clive R. and Dirk Praet I’d also be interested in your opinions of my claims.)

Traceability isn’t guaranteed

Plenty of people leaked without a trace over the years. The largest leak was Manning, who wasn’t traced: he put too much trust in a person who was an FBI informant. Heck, he wasn’t even detected far as we know! CINDER, their top insider threat detection program, is still just a research project. I’m sure they’re beefing things up a bit but the current culture in intelligence is many connections and more sharing. If someone has need-to-know about something, they can blend into existing activity. It was long ago decided that trying to access control and log absolutely everything was a monumental task that resulted in nothing getting done. Still true. Works to leakers advantage.

Why he really exposed himself

The video and interviews with Snowden tell us some about his personality. He comes off as a cocky, intellectual type at times. It’s no surprise that, while an insider, he ran his mouth too much about what was “wrong” with the company’s actions. He said on video he even griped to his bosses. This company was paid huge sums of money to do these things by the powerful military-industrial complex… whose actions they wholy support. There’s no doubt that Snowden knew this being a long-time defense guy. Was he seriously thinking his Type A personality, six-figure salary bosses were about to give NSA some kind of ultimatuum about ethical issues? Foolishness at its best.

If Snowden was wise, he would know they didn’t care and that this would only red flag him as a possible risk in future counterintel analyses. Not to mention marginalize and reduce career options in his company due to his “disgruntled” behavior or attitude. He should have kept his mouth shut about what he really thought. If he asked questions, it would be rarely, it would be carefully selected coworkers, and done in a way where he came off as non-commital to any particular answer. He would publicly be a company man and good asset. If he couldn’t stand it, he could quit a year or two later to move to better work… without suspicion.

How should he leak in his position?

Snowden claimed to be in a position to essentially see (without detection) much of the dirt as it passed by. He would have also seen which groups had access to what data. He could have easily narrowed his focus to something dirty (incl PRISM) tied to one group, pick files that the group as a whole received, siphoned their contents into new files on a new machine [for metadata reasons], and anonymously leaked it to several groups of reporters with experience dealing with govt insiders. Their reputation and the government’s inevitable response would validate the leak.

Counterintelligence would begin trying to trace him. A decent sized group of people with access to the files would be suspects. If he had leaked things from multiple groups of access, their main hypotheses would be an insider with broad access (including Snowden). Isolating the files to one group means he’s just another suspect in a group with little to no other information to go on. Everyone would have received the file, everyone’s machine might have viewed it, and so on. So long as he made it a careful, one off leak, then there would be no reason for them to look into him any more than another suspect.

There’s many precedents for this strategy inside and outside of government. In a nutshell, it’s called blending in, not drawing attention to yourself, using legitimate [overprivileged] access to your advantage, and misdirecting opponents to focus on someone else. This scenario doesn’t guarantee he wouldn’t be caught: it merely swings the odds enormously in his favor. Those odds say the man’s loved ones would be safe, he’d still be a trusted insider, and he’d wouldn’t be burning through money in Hong Kong with an uncertain future.

Conclusion

Snowden has good intentions. I admire his courage to stand up against the corruption. The problem is that the way he did it artificially created a ton of risk for him, reduced future opportunities to do good from the inside, and will likely result in his actions being just another failed gesture in the War on the Surveillance State. A war which the State is winning.

Nick P • June 10, 2013 12:46 PM

On “Proof” of Abuse of NSA System

(Reposted in part from another thread. I figured it’s more applicable here.)

I think anyone concerned with possible abuse of the current system needs to look less at the system and more at the people running it. Have they abused their positions in a way that benefited them or their business partners at the expense of the American people? Did you say “Yes, many times over for both Bush and Obama administrations?” Then, you have your answer as to whether or not they’d do something unethical with it.

If it…

1. Exists
2. Gives them near omniscience over opponents.
3. Lacks accountability
4. Operates in secrecy.
5. Complements opponent crushing legal powers.

…then corrupt, selfish power players in the US government will almost certainly use it for corrupt, selfish ends. It’s in their nature. Why wouldn’t they do that?

Short answer to NSA defenders: It’s foolish to assume that people who have acted selfishly and criminally for most of their career would do a 180 when given more power, money and secrecy. QED.

Nick P • June 11, 2013 12:40 PM

Why Did Snowden Have So Much Access? Where are the controls, you say?

“Unfettered access is a security concern. I would say a big one.” (Jack)

I agree. Many readers might be wondering “whats going on?” It’s not as nonsensical as it sounds. Access is a tricky subject. I’ve studied so much into government classification, security schemes, and their history I have an idea of how this can be the norm. Let me share a few pieces of it and maybe it will make sense for people. One must understand what leads to the current structure and problems before they can improve it.

The Reason for Overprivileged Access in Defense

The problem started back in the days of timesharing machines when the Orange Book was calling for MultiLevel Secure systems. The idea is people with different access requirements could all use the same system with least privilege, not leak anything to each other, and still get work done. The best systems still had covert channels that allowed leaking at a slow rate.

That approach was derailed by something called Commercial off the Shelf Technology (COTS). It’s benefits included quick time to market, steady feature upgrades, low cost, large labor supply and integration with plenty of products. The Government off-the-Shelft (GOTS) and commercial high assurance products didn’t even compare in features, usability, price or ease of acquisition. And a secure system product update could take several quarters. So, the govt focused more on features (incl security features) and extensions to COTS OS’s/products than assurance of secure operation.

This posed a major problem. A product must be MLS mode to have mutually untrusting users and proper access control. However, without implementation assurance, any MLS features could be circumvented by malicious users or administrators. So, most MLS type systems on classified networks ran (and still do) in what’s called System High mode. This means everyone on the system is cleared for the highest level of secrets that might run through it, but don’t necessarily need to know all of it. (Not authorized, but cleared.) Short version: you have to trust them way more than you want to.

And that was before massive decentralization of client apps, the Internet, USB drives and all the rest. The move toward more COTS meant more subvertable software, more complexity, more integration points, and more setups that were basically System High. I mean, how do you administer a system that has all types of data running through it without potential access to that data? And at every enclave, every network, every integration point, every branch? The problem was more than they could handle using COTS. So, they just extend the System High concept for networks where they decide the functionality they need is more important than assurance of separation or security control.

(Note: There are problems associated with the classification scheme itself, competition rather than cooperation between agencies, sharing with Allies, and so on. I’m ignoring these b/c what few points I mentioned are already nearly insurmountable for an organization like DOD. The rest just… make things worse.)

That was the technical and military/govt management side. What of possible corporate issues with contractors like we see outside of defense? We see companies that want more profit cutting back on things that hinder their operations, like inconvenient security. We also see security vendors focusing more on revenue-generating products and services rather than real security. We also see mismanagement and bureacracy causing security issues in the form of risky procedures and overprivileged insiders. I speculate that defense contractors have these problems as well, although I know not the degree. They can independently lead to issues like Snowden’s broad access and, combined with government’s problems, I imagine even worse can happen.

Now for the 180: Defense can trust their insiders

It might stun regulars to see me of all people say that. My studies showed me the strongest link securing classified information are the people and procedures for handling it. And that scheme works. How can I say that? The proof is in the results. There’s a huge number of people with Secret and Top Secret clearances. They have access to an ENORMOUS amount of potentially damaging information. Yet, you can count the number of serious leaks on your fingertips and I can’t see much operational damage done by most of them. So, although I envision and design “better” approaches, with technical aids, their people-centric approach works the vast majority of the time. And that’s all a defense organization can really hope for, isn’t it?

Conclusion and my current stance on classified INFOSEC

The combination of information sharing, system/network consolidation and massive use of COTS solutions makes technical approaches to maintaining secrecy of DOD’s data infeasible. Their main strategy is to use a combination of disciplined personnel and controls (procedural/technical) to identify, manage and delay the release of potentially damaging information. This strategy has worked over 99% of the time for over half a century. Any improvement or replacement of the existing system intending to accomplish more should incorporate the strategies the current system used to achieve its success.

Nick P • June 11, 2013 3:01 PM

@ Jack

“-> Isn’t most data which is classified really very boring and useless to the general public? So could that skew your results?

-> How can you quantify how much data which is classified that is very interesting to the public, but the public has not found out about?

-> How can you quantify data loss to foreign nations? They would find a lot very interesting which the general public would not find interesting. Beyond moles, which I would guess are relatively rare, there is going to be idle talk and secret surveillance from foreign nations on known workers.”

I said it’s about keeping damaging information secret. The whole point of the classification levels is protecting information that might have a negative impact on US safety, operations, etc. It seems to do that well enough. What is “interesting” to the public varies by person, interest group, and time period. That’s harder to say.

“-> My understanding from talking to people who have had top secret clearance is that they generally do not talk because they have to take a lie detector test every month and piss tests. There are controls on drinking, debt, and so on. And they are made to be wary that anyone could inform on them, or they could be tapped anywhere.

Right, wrong, what say you? :-)”

Sounds on the mark. 😉 It’s also consistent with my notion that the people (and discipline/motivation) are the backbone of keeping the secrets. Throw in compartmentalization, need to know, and extra measures for SAP’s, then you have quite a program that’s still centered on those people’s reliability. Yet, it seems to work most of the time.

“And if you are in REALLY hairy stuff… ”

Someone into really hairy stuff should dig hard into memoirs of covert operators and intelligence directors; declassified documents like MKULTRA and Northwoods; Congressional investigations like Iran-Contra and MLK assassination; links between politicians and elite companies/individuals who don’t have people’s interest at heart. Collectively, there’s enough to make anyone’s hair fall out.

Safe to say, most people just stay out of that world and imagine one that’s quite predictable with two political parties, a legal system that mostly works, a future for college graduates, socio-economic problems that will work themselves out, and so on. It’s so much more peaceful to live that way.

(Funny to think our conversation leaned toward such a tangent at the same time Bruce posts on conspiracy thinking. The coincidence is to be expected considering what’s in the public consciousness and it’s connection to conspiratorial thinking.)

Nick P • June 13, 2013 12:03 AM

Finally found time to reply to some of these comments.

@ Scott

“Of course he’s a fool! It’s a basic requirement for heroism.”

Funny. True in many cases. I might have to think on that a bit in the future.

“Having failed to get the response you seek at a local level, in that sort of job, most people moved to take the next step and leak might think they have the fibre to go into silent running mode and tough out the search for the leak but I’d guess few would be capable (the same quality the motivates someone to speak out probably means they’ll fail a lie detector)”

One or more other commenters mentioned the lie detector test. That combined with him thinking he doesn’t have what it takes to stealth it out might justify him going for a big spash. I’ll take that as successful refutation of my criticism that he play it stealthy and long-term. It might have been impossible for him personally. My other claims are still open.

@ Dirk Praet

Thanks for the review. I originally avoided replying to it b/c I wanted to let it stand on it’s own, letting others read our stuff & form their own opinion. I just knew you’d have something insightful and experienced to add. 😉

Good points on the tech and collaborators carelessness. A terrible assumption of the old days is that you have to trust your partners to be as good at COMSEC and OPSEC as you are. This often doesn’t pan out. You’re probably right that it was high risk in his case.

” We all know about MLS, PoLP, RBAC, segregation of duties and the like, but it’s a damn hard thing to do and maintain. I’ve seen some decent ones on missions at certain military customers and at one nuclear facility, but most of the time, well …. ”

It’s tough to do and I find it tough to explain the right way to do it sometimes. Especially on setting it up in a way that maximizes what security the organization can get without stopping work from getting done or accidentally encouraging users do end runs around it. It’s one of the few things I don’t have many good books or references on. So far, I give people some academic descriptions, some critiques showing problems in commercial space, and some tips on avoiding problems. You know of any resources that bridge theory and practical examples for people new to it? Any on practical use of MAC in commercial sector might be interesting too.

@ Dirk and Kratoklastes re his personality/psychology

I figure with two responses about this I should clarify. My original post described his bosses as Type A personalities. It was speculation based on what kinds of people often run defense type organizations. I’m not saying they are for sure, but I bet they share a disdain for whiney subordinates griping about their lucrative job.

As for Snowden, I wasn’t saying he had a bad history or anything. He comes off as OK as Dirk noted. I’m alluding the fact that he was complaining to people about the nature of their work. He talked like he tried plenty. So, we have a guy with a high clearance doing administration work on a mission critical, secret program that’s telling quite a few people it’s wrong, it should end, there should be more controls, etc. In many large, rigid organizations this gets labelled disillusioned, disgruntled or rattling the cage. It doesn’t score well with HR and if a leak is suspected it might increase his risk of detection. So, I was opposed to that because… what did he think was going to happen?

Of course, as a few of you noted he was feeling more than thinking so it was probably almost a compulsion for him. It would be too late to take back by the time he came to his senses and considered caution, if he did so. He made it all irrelevant, though, by dropping the big leak and IDing himself.

Nick P • June 13, 2013 2:14 PM

@ Dirk Praet

“The short answer to that would be no. I know you don’t care too much for Trusted Solaris (Extensions),”

I didn’t when I was entirely focused on high assurance. Most B2-A1 type products are dead now. OpenVMS was just EOLed too. (R.I.P.) There’s less and less available for high security or reliability. Argus Technologies was the last set of MAC/CMW type products I looked at. They mainly use Trusted Solaris. Without higher assurance options, I’m much more open these days to products based on TSolaris or SELinux. Low to med assurance mandatory controls are better than no mandatory controls.

“FS was the typical oddball, scatter-brain genius who could solve the most impossible of problems in the blink of an eye as long as he found them interesting, and in that capacity was a welcome and highly respected guest at quite a handfull of US/UK TLA’s and military organisations trying to get their MAC/MLS right.”

I love those kinda people. One got me started in INFOSEC.

“He and his padawan BB at some point fell out of love with Sun as the organisation started to crumble and treating the technical staff as lower lifeforms. I believe to date he’s making a mint writing (undoubtedly very special) code for a financial institution. ”

And that usually happens to them. My friend had a similar fate.

“I’m not sure either of them could help out today, but there is at least one other person making the odd comment on this blog from time to time whom I know probably could. I’ll give him a ping about it. ”

Might be interested in that. To be extra clear, though, I’m not talking about applying MAC and MLS technology in military environments. My long time mission was increasing assurance in commercial sector. I’m mainly looking into principles, tricks and case studies of MAC or MLS application that might benefit businesses of different sizes protecting confidentiality and integrity of data. There’s products available, but how to use them without putting the organization in a straight jacket, you know?

Military and commercial often have to deal with similar problems. So, I’m sure there’s people working defense who might have good ideas to contribute. The results must work in commercial sector, though. My hope is to glean enough useful guidelines and information to write-up something future businesses can use.