Comments
Just Another Security Guy • October 12, 2016 7:41 AM
There are no “critical secrets” or national security complications in my work.
But I struggle every single day with the knowledge that my employer is willfully breaking the law, ignoring regulatory requirements and placing the data of all of our customers (and THEIR customers too!) at risk of compromise.
We paid for a 3rd party pen-test which achieved full database access in the first few hours of testing. What was most frightening was the testers told us verbally that they did not believe they were the first ones in. What changed? Nothing.
Not at all the same level of stress as our national intelligence people, but it still takes a toll on the entire security staff.
Ditto JASG’s last sentence.
@Bruce
This, from my perspective, is the most substantive and significant issue I have ever seen on this blog. Thank you.
oliver • October 12, 2016 10:07 AM
Oh those poor little snowflakes!?!?!
They are getting upset about work?!?!
Oh no, where is my safe space?
Screw those ppl, they have to lie in the bed, that they made out for them!
I despise those ppl and have nothing but utter contempt for them!
Jared Hall • October 12, 2016 10:42 AM
Yes, Bruce. There is a psychological toll; and it gets worse with age. A good civilian psychiatrist can help people with learning how to containerize things, but you can’t even tell your psychiatrist any details. So, the issues continue to pop back up – memories, actual or related events, politics, etc. Then you start questioning everything, keep looking over your shoulder, and become socially withdrawn. And for many, alcohol and drug abuse follows. I for one trust nobody and have zero respect for any Government law, be it State, Federal, or local. That’s not a good thing.
@Jaded, woops (honest swype believe it or not) Jared*
That meta data leaks, the lack of confidence and care taken of some veterans is visible to the public.
And it spreads.
Sally • October 12, 2016 12:01 PM
Awww… when you ignore all semblance of morality and law and order, treating all other humans in the world like your personal slaves, it has a psychological effect on you??? Imagine that…
Maremi Eisen • October 12, 2016 12:08 PM
This should not be surprising to anyone. The human psyche does not cope well with secrets. This is why most intelligent people understand that there is no such thing as a widespread conspiracy. So few people have the ability to cope with the stress of being privy to secrets that as the radius of a conspiracy increases, the probability that someone will spill the beans increases exponentially.
I often say, “If two people know something, it’s not a secret.”
I submit that the ways in which the human brain works lead us into certain inescapable conditions, and that among these are the need to socialise and communicate. Keeping secrets, by the very nature of the process, isolates the secret-keeper, and solitary confinement ought to be regarded quite literally as torture.
Jim Bob • October 12, 2016 12:52 PM
@Maremi Eisen
Since it’s inherently bad for you to keep any secrets, please post the following here publicly:
Your identifying information (name, SSN, finger print scan, or whatever)
Your location (addresses, geo coordinates, etc)
Every way to contact you (email, phone, etc)
All your financial info (bank account numbers, credit card numbers, expirations, PIN numbers, etc…)
All your access controls (usernames, passwords, and what they belong to)
You will have great relief of mind and a lot less stress, to just let everyone steal your identity and all your money and all your accounts…
Vetch • October 12, 2016 12:59 PM
Amount of dehumanization by certain people in the comments is sad, if not shocking.
Ted • October 12, 2016 1:39 PM
Organizations and the security workforce may also benefit from responsible support.
When asked about data sharing John Cristly, Cybersecurity Evangelist, CISO, and MSI Senior Fellow, responds:
“This is an area where I think we need some real governmental reform. It’s a shame when there is data out there on how to protect a company from hackers, but it’s only available to those with certain security clearances or those that subscribe to a paid feed of threat intelligence. Sure, there are local and regional groups that try their best to setup private sharing methods, but I think what is really needed is a directive that all threat intelligence that can help better protect a corporate entity should be made available to those that need it.”
Also, check out Richard Thieme’s interview with Bruce: http://www.thiemeworks.com/an-interview-with-bruce-schneier/
tomb • October 12, 2016 1:41 PM
I don’t know if it still holds true but a special forces operative once told me that severe chronic physical and psychological injuries are frequently ignored in the SoF community exclusively because reporting the injuries will be a career killer. The risk is that psychological issues will limit trust and thereby inhibit career progression while physical injuries will, obviously, limit capabilities. The end result is staying with the brotherhood until one is utterly broken physically and mentally on the extreme end of it.
While reading book reviews in the CIA’s unclassified strategic studies journal, I’m also left with the distinct impression that if you even hint at sympathy for criticisms of the CIA status quo or operational methods your career may be in jeopardy. However, it is always acceptable to be openly and severely critical of critics of the CIA.
Bobby • October 12, 2016 2:24 PM
Here is a novel idea :
If you have a job that has a negative impact on your quality of life maybe time to get a different job…..
http418 • October 12, 2016 3:57 PM
As much as my initial response is similar to the majority of this thread, never forget the power that framing has to any given individual. Google “Stanford Prison Experiment” to see just how much power the frame of reference has to controlling an individual’s thoughts and actions. We all wish we were independent thinkers with some universal moral compass, but …
Jack • October 12, 2016 4:16 PM
@http418
Indeed… because if you have all the power so you’re effectively a dictator, then mass murder to stay in power is naturally completely moral, and this should just be TOTALLY ACCEPTABLE to everyone…. right? I mean, it’s just framing, right?
Passing By • October 12, 2016 4:28 PM
I am not confident in the precise meaning of what Yeah Um means in the first post in this thread so I will take his comment in the direction I want to go. One major aspect to this problem is the way that the field of psychology and psychiatry has been confined by the law. Once upon a time talking to one’s psychologist was akin to talking to God. Indeed, the term of art within the legal profession is “the ministerial exception”. But in the name of stamping out child sex abuse, the psychologist’s promise of confidentiality has been gradually diminished. Now there are certain things a client tells their psychologist at the client’s own peril because psychologists have a legal duty to betray their own clients.
What’s my point? My point is that one can look at the claims in the linked article and view the problems it outlines as working as intended. We want people to suffer. We believe that if people suffer enough they just won’t do it. The name of the game is “calculated misery”. Playing through the pain is how we tell who the winners are.
Hillbilly Doug • October 12, 2016 8:31 PM
This caught my eye, Richard seems like a very interesting person.
Book – UFOs and Government: A Historical Inquiry
http://www.thiemeworks.com/book-ufos-and-government-a-historical-inquiry/
John Smith • October 12, 2016 8:31 PM
Break out the world’s smallest violin while I shed the world’s smallest tear.
The special snowflakes support and enable the Deep State, commit evil on its behalf, cover up its evil, persecute the people who take a stand against it, and do this for money.
But the same special snowflakes complain of adverse effects. Sorry snowflakes, not every one is born to be a high-functioning psychopath. Only about 1%.
And is that your ambition? To be psychopathically immune to the evil you serve and the evil you do? So you can sleep soundly, worry-free, smile and laugh, no matter what?
You want to, as it were, “have it all”?
C U Anon • October 12, 2016 9:02 PM
Passing by :
Playing through the pain is how we tell who the winners are.
No it’s how you tell who is going to be prematurely crippled.
Due to the “no pain no gain” ethos I did irreparable damage to myself as a young adult. Now in mid life I have a simple choice, to use walking sticks or be in a wheel chair because of the damage to my spine, hips, knees and ankles.
It might have been worse I used to “burn through” the usual winter illnesses like coughs, colds and flu by vigorous exercise. Others that did likewise in the Ronnie Reagan era of the 1980’s not only destroyed the foundations of the economy but their immune systems as well. So both have come back to haunt them.
Clive Robinson • October 12, 2016 11:29 PM
I’ve had to keep a lot of secrets in my time, not all work related some social related.
Whilst I have no problem with work related I have had problems with social related. Put simply my work related are dry dull technical secrets with little or no moral dimension to them and frequently they become public knowledge as things move the technical life cycle. The social secrets that have caused me problems are those with a moral dimension.
Thus I would suggest it’s not the actual technical side of the secrets but the moral dimensions attached to them that cause the cognitive dissonance and PTSD like symptoms of the psychological impact/impairment.
Part of the high compartmentalization of secret and above work is to limit this moral view thus the problems it can cause. I suspect that the big problem with the Ed Snowden revelations and the NSA was not the technical issues of methods and sources, but they opened the Pandora’s box on the moral issues. Suddenly quite a large number of people in the NSA etc were faced with the real reality of their work, not the protective pretence bubble reality that they had built up to stop them having to face the moral dilemmas.
For them they need to realise that whilst tools are agnostic to their use, the real world consequences of the tool usage are not.
Back in the 1970’s and 80’s those designing electronics and software for the defence industries started to lift their heads above the pure technical side of their work. The result was that the defence industry lost a number of key staff that could not be replaced as defence work had pariah status for a while. Part of the way out of it for the defence companies was to outsource work to small companies that rarely if ever got to see anything more than a fraction of what was actually happening and often what they did get to see was a complete load of nonsense cooked up as a cover story.
I remember some physics PhDs doing research for a company not unrelated to the UK AWE. They were researching plastics that they were told would be used around nuclear reactors. One of the researchers was having problems in that she was seeing an increasing variance between what she thought she was researching and the direction she was being gently pushed in. I gave her a likely reason and a couple of book references to read. Needless to say she quickly put two and two together and went and found another job very quickly.
The point is people do not react well when they find they have been lied to by their employers, as they feel robbed of choice and feel a loss of worth. Others take it worse and feel like they have been enslaved or even violated to the point of mental abuse.
Whilst it is perhaps easy for outsiders to say “what did you expect”, we are forgetting that when many of these middle aged or older workers started working for the SigInt agencies the world was a very very different place.
Now for instance the NSA is not the only employer for those with particular skill sets. Those graduating in those fields today have –even despite the recession– quite a few employers to choose from all of whom offer better than GS pay and pension. It’s part of the reason the NSA has a recruiting problem for the key skill areas they need.
Thus a question will arise in the near future about working for the likes of Alphabet Facebook and others skimming out personal data for profit, are they any better than those working for the NSA? And how are they going to feel as and when it becomes clear that those new employers for various reasons become the “middle men” between the talent and the NSA?
At the end of the day the NSA has the money to buy what it can not steal, get for free or on the cheap, thus those new employers are going to be “made offers” they probably can not refuse at some point. The question is what will the employees get told, and what happens when Snowden III blows the gaffe and they find out they have been lied to…
Lucy • October 13, 2016 12:24 AM
@Clive Robinson Interesting how you ended that, when we can already witness Yahoo… (CTO leaving in protest, etc…)
Nick P • October 13, 2016 12:59 AM
@ Lucy
Interesting point. More interesting is where he went afterwards. What a mighty-fine history of defending privacy and business integrity they have. 😉
brian • October 13, 2016 4:41 AM
Living with secrets is hard … isn’t this the point of Jack Nicholson yelling at Tom Cruise in a courtroom in 1992? “You can’t handle the truth!” happened in 1992 – a full 24 years ago – and though there’s a gap between a dramatic exposition and an actual study, I’m pretty confident that this idea has been around for a while.
Burning Wreck • October 13, 2016 7:10 AM
We don’t do pen-testing in Australia, except for banks and a few other high priority industries. The banks, having slightly more interest in security, get most of their work done by professionals from outside the country. Most databases in Australia are in plain text and protected by four letter passwords and luck. Security research in Australia will soon be mostly illegal except at the GG’s discretion. Increasingly the network is so plagued with faults that people are turning to VPNs and Tor to get a reliable connection by bypassing large chunks of the network. It’s often easier to route overseas and back in again.
The GG is going to improve things though by passing the following law I’m posting below because of the evil “hackers”. Yes we are developing psychological problems and our mental health system is so beyond broken that suicide, increasing drug use and drunkenness is becoming a regular occurrence in any area even remotely connected with security. The rest of us are on some kind of medication or wishing for therapy. I don’t even want to think about the networks in our government departments, patching 2.5 million devices at a time for nix just ain’t worth it.
“Individuals and businesses who re-identify government data that has been stripped of identifying details face up to two years jail under new laws proposed today by Attorney-General George Brandis.
Under the bill, security researchers will not automatically be exempt from new laws, in spite of a pledge from Brandis last week that they would be protected.
Under the Privacy Amendment (Re-identification Offence) Bill 2016, reversing the de-identification of published government data after September 29 this year will be a criminal offence that can incur up to two years in prison and 120 penalty units ($21,600), or a civil penalty of up to 600 penalty units ($108,000).
The laws will not apply to government agencies, government service providers, or anyone who has been contracted to provide services on an agency’s behalf, if within the course of their work.
It will also be a criminal offence to publicly disclose revelations that supposedly de-identified data is not really anonymous, with the same maximum penalties in effect.
Anyone who becomes aware that published de-identified government data can be reversed is required under the legislation to notify the relevant agency in writing “as soon as practicable”.
A civil penalty of 200 units ($36,000) applies to those who fail to do so.
But despite a promise to protect researchers, Brandis’ legislation does not automatically exempt them from the proposed criminal “deterrents”.
Instead, the legislation gives Brandis the power to make a determination to exempt an entity from the laws if he considers it in the “public interest”.”
Paul • October 13, 2016 8:37 AM
Living with secrets is hard?
I tend to the view that human nature is universal (and that there was nothing that the Germans did in the last century that couldn’t happen again if people thought they could get away with it) but …
I find myself wondering about culture as a contingent factor.
Countless obituaries of Brits revealed that they never spoke of what they did in the war. I knew someone who turned out after she died to have worked at Bletchley Park. It was and is a code of honour never to breach the official secrets act. Of course, there have been traitors like Philby and others, but the stiff upper lip culture, as well as boarding school, inculcates a degree of emotional continence acutely different from that of cultures where people wear their hearts on their sleeves and exchange biographies within minutes of meeting — or rush into print after shooting Osama bin Laden.
Then again, tens of thousands of Americans saw what Snowden saw and said nothing.
Fazal Majid • October 13, 2016 10:43 AM
One of the plot devices in Arthur C Clarke’s “2010” (sequel to 2001) is that requiring HAL to keep secrets from the crew is what caused its breakdown and paranoia.
Wowie Ghazzawi • October 13, 2016 6:08 PM
Clive para 7-8 +1,000,000
Thieme’s approach to this is awfully emo. He doesn’t seem to appreciate that the state uses classification and compartmentation to make conscientious staff commit serious crimes. Classification and need-to-know deny staff the context to evaluate instructions. That makes it easy for the state to lie about the purpose of the work. Compartmentalization separates staff who might otherwise put the pieces together, before or after the crime. The betrayal and resentment of the duped accomplices are the least of your problems.
There was no ‘compelling necessity’ to the government’s meticulous preparations for the coup de main of 9/11. Government staff undertook COG planning in case of an increasingly improbable nuclear war with an expiring enemy. It never occurred to most planners that CIA could knock over a couple of buildings and roll it all out, setting the constitution aside at a stroke.
This strain of spy-thriller romanticism has been around since the Sixties. Yes, it’s embarrassing when they make a fool of you. But come off the psychobabble. There’s no profound mindbending Matrix here, just crime.
Government Stooge • October 14, 2016 6:00 PM
@Clive writes, Thus a question will arise in the near future about working for the likes of Alphabet Facebook and others skimming out personal data for profit, are they any better than those working for the NSA? And how are they going to feel as and when it becomes clear that those new employers for various reasons become the “middle men” between the talent and the NSA?
When it becomes clear? It already is clear. All the talent that works for Google already works for the FBI–see, for example, the hundreds strong work force that Google has dedicated to scrubbing the internet of child pornography–and the FBI is a close cousin to the NSA. So either Google is already in bed with the NSA or the handwriting is on the wall.
To anyone who it is not clear that the corporations are the middle men for the government has their head in the sand.
Clive Robinson • October 14, 2016 7:13 PM
@ Government Stooge,
To anyone who it is not clear that the corporations are the middle men for the government has their head in the sand.
You and I are aware of this as are one or two others but by no means all. My point is what happens when an employee who is unaware finally becomes aware?
In the case of “scrubbing child abuse” in its many forms, it is easy to have a positive mental attitude to the work.
But what about when it’s scanning personal correspondence for off shore gambling or purchases of cannabis?
How about finding those teenagers who download unofficially ripped music?
How about searching for and identifying medical negligence whistle blowers?
Or just making political comment or other “free speech” that somebody in a position of power takes exception to?
We both know it will be the same tool used in all cases, and the tool is agnostic to its use. It’s the use/abuse the “directing mind” puts it to that causes the moral quandary and cognitive dissonance.
If you had designed and written a tool for your employer, who said it was to identify and allow the FBI to catch child abusers. And you subsequently found the real use was to round up pro-democracy campaigners in Hong Kong by the mainland Chinese government, that were then “disappeared”. How would you feel having been in effect tricked by your employer? What might you do?
Whilst I’m not suggesting that you or most others might “go postal” there may well be a few who might. And such behaviour often tends to be indiscriminate in nature.
Abu Dhabi • October 14, 2016 7:49 PM
Clive
At the point that the databases are gathered and inspected by artificial intelligence or a civilian entity the NSA is no longer doing it, they’re just benefactors.
As for going postal, you really believe any of those attacks are truly random?
Truly random.
We can tell when you’re upset, we’ve got an app for that and we can hear it in your voice too.
We know what you search for when you’re sad, when you’re angry, when you’re about to go home and when you’re on your rag. Don’t believe it? The impression we get from the impressions you give are the proof.
Did you not get that memo? Sorry, your security clearance must’ve lapsed the moment you questioned your readers.
Do you believe this crap?
Thankfully, in the future interventions will be done via drone. The controls will be removed from human hands so that the race to the bottom for the most effective killing machines will doubly remove humans from the equation.
Doubly.
Signed, Sealed and Stamped en Triplicate.
Death Warrants for all!
Don’t rock the boat baby.
A man gets onto a train, he’s a wreck.
NTSB says what?
Government Stooge • October 15, 2016 12:19 PM
@Clive writes, “In the case of “scrubbing child abuse” in its many forms, it is easy to have a positive mental attitude to the work.”
then later he writes, “We both know it will be the same tool used in all cases, and the tool is agnostic to its use.”
I don’t think those two issues are separate. That’s the way it always begins…let’s turn over power to the “good guys” to solve “bad problem x” and then good luck trying to take that power back. In other words, if one is interested in being a tyrant one always starts with the bait that leaves the target audience with a “positive mental attitude” and then once they become conditioned and compromised by their new found treats it becomes very difficult to resist the next set of demands.
FWIW this is one of the reasons I have stopped trusting Tor. I don’t have an inherent problem with the Tor Project getting rid of Applebum because any project is greater than one developer. But it bugs me that they had to smear him with vivid public accusations of sexual misconduct. America has a long and sordid history of smearing people with allegations of sexual misconduct in order to achieve nefarious purposes. Anytime anyone says “we have to do X because Y” and Y relates to sex I wonder what the hell is really going on.
Jeffrey Deutsch • October 15, 2016 6:02 PM
A few of these comments remind me of returning Vietnam vets being spat at and called “Baby Killers!” Plus ça change….
Whatever the particular sins of particular people in particular situations, we’re always going to need people to do, see and know nasty things to protect us. The alternative? “Hey Moscow, Beijing, ISIS and everyone else, free for all!” And last time I checked they don’t exactly have more scruples than we do.
We’re doing a much better job now of caring — physically, mentally and emotionally — for our servicemembers from physical battlefields. Maybe one day we’ll do the same for our veterans of battles that will never make the newspapers.
@Mr. Deutsch,
It’s a warning, not a complaint.
We’re just to assume everything is peachy?
They have 100% of our interests at heart?
Maybe some post-it notes huh?
You can’t please everybody, and they’re not catering to the public behind closed doors are they? Lend me your ear and a couple of bucks.
I’m all for security, but eventually the arc of a trend will look like an arrow.
It’s better to voice your concerns than ignore the potentially abusive applications of said ideologies and technology.
Are you in the camp that intrinsically trusts?
It doesn’t work out very well in real life where unbridled capitalism is concerned.
Just because something equalizes out over time doesn’t make the roadkill delightful.
My Thoughts • October 15, 2016 11:00 PM
It’s not surprising that a lifetime of cognitive dissonance would have grave effects on someone’s health. Assuming that these jobs have to be done, I view these health effects as an inevitable cost our nation must pay, and one which is paid by a few specific people instead of all of us, so that’s a service they do for their country. But I’m also concerned about what these effects have on people’s performance and judgement. It could cause them to make mistakes or get paranoid and lose the ability to recognize innocence. I’d like to hear someday that “toughing it out” is not encouraged but rather they get some kind of treatment for cognitive dissonance related symptoms. But I don’t think that will happen because of macho attitudes.
Psychoanalysis • October 18, 2016 10:35 PM
Once sleeping, “Classification” becomes meaningless.
Yeah um • October 12, 2016 7:17 AM
I’m sorry, but pedophiles have a lot harder time to make sure nothing that they seek out of information, or comment on, can be traced back to them.