"NSA" entries

Pursuing adoption of free and open source software in governments

LibrePlanet explores hopes and hurdles.

Free and open source software creates a natural — and even necessary — fit with government. I joined a panel this past weekend at the Free Software Foundation conference LibrePlanet on this topic and have covered it previously in a journal article and talk. Our panel focused on barriers to its adoption and steps that free software advocates could take to reach out to government agencies.

LibrePlanet itself is a unique conference: a techfest with mission — an entirely serious, feasible exploration of a world that could be different. Participants constantly ask: how can we replace the current computing environment of locked-down systems, opaque interfaces, intrusive advertising-dominated services, and expensive communications systems with those that are open and free? I’ll report a bit on this unusual gathering after talking about government.
Read more…

The RSA/NSA controversy concerns you!

This controversy impacts everyone (and here's what we can do about it)

As a cyber security author and CEO of a security consulting company, I was personally shocked by the RSA’s attitude about the alleged secret payments it received from the NSA as well as its willingness to weaken its BSAFE product; especially after the weakness became public in 2006. I was even more shocked by the lack of outrage shown by many security bloggers, analysts, and security company executives.

The speaker-in-protest count has reached 13 speakers who have canceled talks they were scheduled to give at the RSA Conference (RSAC) next week, first and most notably, Mikko Hypponen, who published this open letter. A few outraged others have also spoken out about their decision to cancel their talks, including Dave Kearns and, via Twitter, Adam Langley and Josh Thomas.

Read more…

How did we end up with a centralized Internet for the NSA to mine?

The Internet is naturally decentralized, but it's distorted by business considerations.

I’m sure it was a Wired editor, and not the author Steven Levy, who assigned the title “How the NSA Almost Killed the Internet” to yesterday’s fine article about the pressures on large social networking sites. Whoever chose the title, it’s justifiably grandiose because to many people, yes, companies such as Facebook and Google constitute what they know as the Internet. (The article also discusses threats to divide the Internet infrastructure into national segments, which I’ll touch on later.)

So my question today is: How did we get such industry concentration? Why is a network famously based on distributed processing, routing, and peer connections characterized now by a few choke points that the NSA can skim at its leisure?
Read more…

Four short links: 8 January 2014

Four short links: 8 January 2014

Cognition as a Service, Levy on NSA, SD-Sized Computer, and Learning Research

  1. Launching the Wolfram Connected Devices Project — Wolfram Alpha is cognition-as-a-service, which they hope to embed in devices. This data-powered Brain-in-the-Cloud play will pit them against Google, but G wants to own the devices and the apps and the eyeballs that watch them … interesting times ahead!
  2. How the USA Almost Killed the Internet (Wired) — “At first we were in an arms race with sophisticated criminals,” says Eric Grosse, Google’s head of security. “Then we found ourselves in an arms race with certain nation-state actors [with a reputation for cyberattacks]. And now we’re in an arms race with the best nation-state actors.”
  3. Intel Edison — SD-card sized, with low-power 22nm 400MHz Intel Quark processor with two cores, integrated Wi-Fi and Bluetooth.
  4. N00b 2 L33t, Now With Graphs (Tom Stafford) — open science research validating many of the findings on learning, tested experimentally via games. In the present study, we analyzed data from a very large sample (N = 854,064) of players of an online game involving rapid perception, decision making, and motor responding. Use of game data allowed us to connect, for the first time, rich details of training history with measures of performance from participants engaged for a sustained amount of time in effortful practice. We showed that lawful relations exist between practice amount and subsequent performance, and between practice spacing and subsequent performance. Our methodology allowed an in situ confirmation of results long established in the experimental literature on skill acquisition. Additionally, we showed that greater initial variation in performance is linked to higher subsequent performance, a result we link to the exploration/exploitation trade-off from the computational framework of reinforcement learning.
Four short links: 7 January 2014

Four short links: 7 January 2014

Wearables Mature, Network as Filter, To The Androidmobile, and U R Pwn3d

  1. Pebble Gets App Store (ReadWrite Web) — as both Pebble and MetaWatch go after the high-end watch market. Wearables becoming more than a nerd novelty.
  2. Thinking About the Network as Filter (JP Rangaswami) — Constant re-openings of the same debate as people try and get a synchronous outcome out of an asynchronous tool without the agreements and conventions in place to do it. He says friends are your social filters. You no longer have to read every email. When you come back from vacation, whatever has passed in the stream unread can stay unread but most social tools are built as collectors, not as filters. Looking forward to the rest in his series.
  3. Open Auto AllianceThe OAA is a global alliance of technology and auto industry leaders committed to bringing the Android platform to cars starting in 2014. “KidGamesPack 7 requires access to your history, SMS, location, network connectivity, speed, weight, in-car audio, and ABS control systems. Install or Cancel?”
  4. Jacob Appelbaum’s CCC Talk — transcript of an excellent talk. One of the scariest parts about this is that for this system or these sets of systems to exist, we have been kept vulnerable. So it is the case that if the Chinese, if the Russians, if people here wish to build this system, there’s nothing that stops them. And in fact the NSA has in a literal sense retarded the process by which we would secure the internet because it establishes a hegemony of power, their power in secret to do these things.

Security After the Death of Trust

Not just paying attention, but starting over

[contextly_sidebar id=”214edfe1c80f880bd3aa0ce4d78cf1d0″]

Security has to reboot. What has passed for strong security until now is going to be considered only casual security going forward. As I put it last week, the damage that has become visible over the past few months means that “we need to start planning for a computing world with minimal trust.”

So what are our options? I’m not sure if this ordering goes precisely from worst to best, but today this order seems sensible.

Stay the Course

This situation may not be that bad, right?

Read more…

Upward Mobility: Dig Out Your Tin-Foil Hats

Thanks NSA, you've spoiled mobile crowdsourcing for everyone else!

The continual drip-drip-drop of NSA secrets, courtesy of Monsieur Snowden, has provided many of us with a new piece of daily entertainment. But as much fun as it can be to see No Such Agency’s dirty laundry being aired in public, it has a real and lasting affect on how consumers are going to see interacting with their mobile devices. Specifically, it could provide a major setback to the new universe of applications that use crowdsourced data.

There are lots of examples of highly successful apps that are essentially just aggregations of user-provided data. Yelp comes to mind immediately, but another good example is Waze. In both cases, users are providing the service with some fairly private information, where and when they were at a particular location. Waze is even more sensitive, because it is also recording your speed, which might be a bit higher than the posted limits.

Read more…

Four short links: 11 September 2013

Four short links: 11 September 2013

NSA Crypto, Web Traps, Learn by Doing, and Distributed Testing

  1. On the NSA — intelligent unpacking of what the NSA crypto-weakening allegations mean.
  2. Overview of the 2013 OWASP Top 10 — rundown of web evil to avoid. (via Ecryption)
  3. Easy 6502 — teaches 6502 assembler, with an emulator built into the book. This is what programming non-fiction books will look like in the future.
  4. Kochiku — distributing automated test suites for faster validation in continuous integration.

Automation Myths

The NSA Can't Replace 90% of Its System Administrators

In the aftermath of Edward Snowden’s revelations about NSA’s domestic surveillance activities, the NSA has recently announced that they plan to get rid of 90% of their system administrators via software automation in order to “improve security.” So far, I’ve mostly seen this piece of news reported and commented on straightforwardly. But it simply doesn’t add up. Either the NSA has a monumental (yet not necessarily surprising) level of bureaucratic bloat that they could feasibly cut that amount of staff regardless of automation, or they are simply going to be less effective once they’ve reduced their staff. I talked with a few people who are intimately familiar with the kind of software that would typically be used for automation of traditional sysadmin tasks (Puppet and Chef). Typically, their products are used to allow an existing group of operations people to do much more, not attempting to do the same amount of work with significantly fewer people. The magical thinking that the NSA can actually put in automation sufficient to do away with 90% of their system administration staff belies some fundamental misunderstandings about automation. I’ll tackle the two biggest ones here.

1. Automation replaces people. Automation is about gaining leverage–it’s about streamlining human tasks that can be handled by computers in order  to add mental brainpower. As James Turnbull, former VP of Business Development for PuppetLabs, said to me, “You still need smart people to think about and solve hard problems.” (Whether you agree with the types of problems the NSA is trying to solve is a completely different thing, of course.) In reality, the NSA should have been working on automation regardless of the Snowden affair. It has a massive, complex infrastructure. Deploying a new data center, for example, is a huge undertaking; it’s not something you can automate.

Or as Seth Vargo, who works for OpsCode–the creators of configuration management automation software Chef–puts it, “There’s still decisions to be made. And the machines are going to fail.” Sascha Bates (also with OpsCode) chimed in to point out that “This presumes that system administrators only manage servers.” It’s a naive view. Are the DBAs going away, too? Network administrators? As I mentioned earlier, the NSA has a massive, complicated infrastructure that will always require people to manage it. That plus all the stuff that isn’t (theoretically) being automated will now fall on the remaining 10% who don’t get laid off. And that remaining 10% will still have access to the same information.

2. Automation increases security. Automation increases consistency, which can have a relationship with security. Prior to automating something, you might have a wide variety of people doing the same thing in varying ways, hence with varying outcomes. From a security standpoint, automation provides infrastructure security, and makes it auditable. But it doesn’t really increase data/information security (e.g. this file can/cannot live on that server)–those too are human tasks requiring human judgement. And that’s just the kind of information Snowden got his hands on. This is another example of a government agency over-reacting to a low probability event after the fact. Getting rid of 90% of their sysadmins is the IT equivalent of still requiring airline passengers to take off their shoes and cram their tiny shampoo bottles into plastic baggies; it’s security theater.

There are a few upsides, depending on your perspective on this whole situation. First, if your company is in the market for system administrators, you might want to train your recruiters on D.C. in the near future. Additionally, odds are the NSA is going to be less effective than it is right now. Perhaps, like the CIA, they are also courting Amazon Web Services (AWS) to help run their own private cloud, but again, as Sascha said, managing servers is only a small piece of the system administrator picture.

If you care about or are interested in automation, operations, and security, please join us at Velocity New York on October 14-16. Dr. Nancy Leveson will be delivering a fantastic keynote on security and complex systems.

Strata Week: Leaked documents, intel committees, definition of data mining, and Accumulo

Recommended resources from a former analyst

I was pretty cranky before I spoke with Q Ethan McCallum on the phone today.

I was cranky from absorbing the NSA news dominating many data conversations. There is a lot of yammering going on. Some good. Some super bad. My crankiness dissolved a bit after speaking with Q and other Chicago-based people who are working on positive impact data science projects. You’ll be seeing more from Q and these other data science people within the Strata blog very soon. Utilizing data for positive change makes me happy.

My crankiness also dissolved when I decided to not provide summary points on a few articles covering the latest NSA leaks for the Strata Week element. Instead, I decided to pretend that I was an analyst again and think about the resources that I would have wanted to visit in order to form my own insights and analysis.

Recommended Resources for Analysts

Read more…