Get to them while they’re young, and you’ll have them for life. Who said that? Was it Walt Disney? Willy Wonka? The director of the Hitler Youth?
Maybe all of them, but it also applies to the NSA. Long a fan of generosity on undergrad campuses, handing out scholarships, grants and internships around the math and foreign language departments, the NSA is now reaching out to become the pedos of the national security state by sponsoring summer spying camps for kids.
The New York Times tells us about a new National Security Agency cybersecurity program that reaches down into the ranks of American high school and middle school students to teach them the fine art of cracking encrypted passwords. “We basically tried a dictionary attack,” said one patriotic youth as he typed a new command into “John The Ripper,” a software tool that helps test and break passwords. “Now we’re trying a brute-force attack.”
“Now, I don’t want anybody getting in trouble now that you know how to use this puppy,” one of the camp’s instructors warned. Of course not. It’s all legal, right?
Thanks to the NSA, 1,400 youths are attending 43 free overnight and day camps across the country as this summer the agency is making sure that middle- and high-school-age students are learning how to hack, crack and “defend” in cyberspace. The broader goal of GenCyber, as the summer camp programs are called, is to catch the attention of potential cybersecurity recruits and seed interest in an exploding field. No doubt generating a little positive mindspace among the impressionable couldn’t hurt, either, right?
The NSA’s goal is to grow the program to 200 camps in all 50 states by 2020.
And each camp is different, given the global reach of the NSA. At California State San Bernardino, the NSA camp is open only to local Girl Scouts, and campers will build, program and fly drones. Campers at Norwich University in Vermont will put together their own computers. At Marymount University, visits to nearby NSA HQ break up classroom time. A camp run right on the NSA campus in Maryland will offer soccer, cooking, basketball, recycled art, painting, hockey, drama, board games and jewelry making in addition to hacking classes. At UC Berkeley, many of the students claim they don’t know who Edward Snowden is, but they’ll learn about him soon enough — from the NSA — since current events are part of the curriculum.
But it’s cool. “We’re not trying to make these camps something to make people pro-NSA or to try to make ourselves look good,” NSA’s director of the camps said. “I think we’ll look good naturally just because we’re doing something that I think will benefit a lot of students and eventually the country as a whole.”
Copyright © 2020. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity.
Website Cryptome brings us the Office of Inspector General’s (OIG) Report on the State Department Bureau of Information Resource Management, Office of Information Assurance (IRM/IA). The Report is timely, as IRM/IA is responsible for the Department’s cyber security program. The head of IRM/IA is the State Department’s chief information security officer.
In other words, these guys are responsible for the State Department’s computer security stuff. After letting some Army private in remote Iraq run WGET against ten years of cables, all apparently unlogged and unmonitored, why would anyone care about computer security at State? After having its cables database posted all shiny and naked on the internet, in a post-Manning era, what could be more important to the organization?
What’s Wrong at IRM/IA?
Well, apparently many things, because here are some summary points from the report:
— The Bureau of Information Resource Management, Office of Information Assurance (IRM/IA) was established to address the information security requirements of the E-Government Act. The office does not fulfill all those requirements.
— The current workload of IRM/IA does not justify its organizational structure, resources, or status as an IRM directorate.
— The mishandling of the certification and accreditation (C&A) process and contract by IRM/IA has contributed to expired authorizations to operate 52 of the Department’s 309 systems.
— No single Department bureau has full responsibility for the information systems security officer (ISSO) program, resulting in confusion among personnel on requirements and waste of personnel resources.
— IRM/IA lacks adequate management controls to monitor its contracts, task orders, and blanket purchase agreements, approximate value of $79 million.
— IRM/IA has no mission statement and is not engaged in strategic planning.
More Specifically, What’s Wrong at IRM/IA?
The basics are pure 2013 Washington: IRM/IA has more contractors than full-time staff (36 vs. 22). With the Snowden story in the news, the report worries that “contractors are performing inherently governmental functions.” With a hint of irony, the report notes that among these, it is contractors who draft responses to OIG audit reports. Not all of those worker bees are happy: during the course of the inspection alone, IRM/IA was handling one formal EEO complaint as well as two employee relations cases.
Of course all this costs lots of taxpayer money: Funding for IRM/IA activities is $5.9 million per year, plus an annual operating budget in FY13 of about $10 million, with other funds coming from reimbursements and internal bureau transfers. For FY14 planning, the Chief Information Officer increased the IRM/IA budget request by an additional $8 million. The bureau runs $79 million in contracts and buys. IRM/IA is also supported through the broader Vanguard 2.2.1 contract valued at $2.5 billion. The OIG mentions, almost with an appended “of course,” that that contract “has not been managed appropriately.”
Also, Some Bad Things
So it kinda is a bad thing that the OIG says “IRM/IA is not doing enough and is potentially leaving Department systems vulnerable” which of course is the whole point of IRM/IA existing.
Maybe it is also bad that “IRM/IA performs a limited number of information assurance functions, does not have a lead role in most of the functions it does perform and, for the most part, only compiles information generated by others.” In fact, the bureau shows a “lack of active involvement in many of its stated responsibilities.”
And this could be a negative: “IRM/IA does not have a vision for the office and specific goals for each of its three divisions.” And so “division chiefs [lack] priorities based on defined goals. As a result, the staff is not proactive in meeting information security requirements.”
Well, that could be that the head of the bureau “is not seen regularly in the office.”
So, the fact that “IRM/IA is not engaged with IT strategic planning in the Department” means that “the current Department IT Strategic Plan contains little mention of information assurance functions. Nor is information assurance addressed prominently in the IRM Strategic Plan. While there are references in these plans to the importance of protecting the Department’s worldwide network, the strategy and crosswalk for addressing these factors… is not detailed in the strategic or tactical plans’ goals and objectives.”
So it is little surprise that the report notes “IRM/IA does not have an office strategic plan. There is no evidence of IRM/IA management engaging in a comprehensive strategic review to assess its current capabilities and future needs. The CISO and his division chiefs have not reviewed operations to determine what information assurance and security functions they are required to perform or are currently handling based on statutory requirements” and that “Policy and outreach in IRM/IA has been inconsistent and ineffective.”
Most of the regs, rules and guidelines for the Department’s cyber security date from 2007 or earlier and do not mention the latest technologies. For example, there is little mention of State’s beloved social media. There is no mention of cloud computing, which the OIG coolly says “is surprising considering that cloud computing is a strategic goal for the Department overall.”
This one is hilarious: one of IRM/IA’s “tools,” used to track security vulnerabilities, requires users to note changes by hand on a printed spreadsheet, those changes then being typed manually into a database by IRM/IA staff.
In another accounting “tool,” users are held accountable for their low security scores. Why such low scores? IRM/IA says their change in the criteria used is at fault but sent no notification to inform users of the change.
OIG Conclusions
The OIG concludes its report with a whopping 36 “recommendations” for improvement.
And yet the bureau’s response to some of this is to ask for an additional deputy position and one more division, in what the report (must be tongue in cheek) calls a “realignment.” That process will require an “organizational assessment” of three months. Not surprising given that apparently contractors wrote the response. Ka-ching!
So who is in charge of this sad failure of an organization? Guy named William Lay just took over in September 2012 and in a hopeful note the OIG says “the atmosphere in the office has improved.”
No doubt State will say it will investigate, simply spend more money claiming that is its “solution,” or most likely just ignore this report and execute Bradley Manning.
Still, in the spirit of public service, maybe we all can help. Why not let William Lay know what you think at CIO@state.gov? It sounds like he could use the help.
Bonus: Cryptome.org, which was Wikileaks before there was a Wikileaks, is one of my long-time favorite websites. Since 1996 the quirky website has been a source of detailed information, typically without hype or drama, on America’s national security state. Perhaps alone on the web, Cryptome is also an avid publisher of declassified info on older, Cold War, programs. This info is precious to historians, and valuable to those wishing to speculate on where things are headed. At a time when most Americans other than James Bamford did not even know the NSA existed, Cryptome has been on the story.
Just to get ahead of things, a few announcements before we begin. If you plan to send hate mail or death threats after this blog post, please include the key word “HATE” in the subject line to assist me in sorting things. Also, I grieve for all those lost on 9/11. It was a terrible tragedy. None of this is intended to dispute that, but…
Get over it New York.
I had the pleasure of a few days in New York City, all for the good. People were themselves, food great, subways running smoothly post-Sandy. But it seems that official New York can’t seem to get past 9/11. On Monday the cops in the subways switched from their weekend soft caps and 9mm pistols to helmets, body armor and M-4s with the long clips. Armed National Guard patrolled the Port Authority terminal, literally outfitted for war. Both the cops and the Guard carried milspec gas masks ready to protect against anthrax and a host of other militarized biochem things. C’mon guys, 9/11 was almost twelve years ago. In the subway, with its low ceilings, packed-to-the-edges crowds and hard surfaces, exactly what are you going to do with a machine gun? Can you sketch out a scenario where the NYPD is going to be exchanging a couple of hundred armor piercing rounds underground where they won’t be killing more people than the bad guys?
The subways are noisy enough without the endless recorded admonitions to “see something, say something” and report suspicious packages to the proper authorities. No one cares. The homeless guys all had bags and bags with them, maybe filled with empty 40 ouncers, maybe terror bombs, but nobody paid them any attention. I am so very sorry about those who lost their lives on 9/11, particularly the brave first responders. But do we really need that many murals on walls, all resplendent with gas station velvet-painting level burning Twin Towers?
The indifference of the millions of people and the signs of official excessive panic stand in contrast. Most folks seem to have moved on. It has been almost twelve years and yet… and yet… the NYPD and others seem to want to keep everyone on edge, act as if there has been attack after attack, to keep the sore from healing. Of course someone will write in and explain to me that such vigilance is all that stands between us and the darkness, that when it is my child held in the kabob-stained hands of terror under 51st Street I’ll wish there were armed men protecting her and all that. Save your time.
Maybe, just maybe, it makes sense to a police state to keep reminding everyone why they need to support and maintain a police state. Maybe the image of the NYPD as gruff but lovable neighborhood guys and gals isn’t enough to justify big budgets and a surveillance state.
Maybe, just maybe, it is time for New York, officially, to get over 9/11.
BONUS: Anyone enjoying the media these days can see a preview of the Next Enemy. Even the White House seems to be slowly walking back from Terrorism Everywhere as a justification for Everything, and is prepping us with near-daily stories about the super dangers of cyber-terrorism. Stay tuned for the changeover as we head first into midterm elections next year and then as we gear up for the 2016 presidentials. The Chinese are sneaking into our Internets to take over our Facebooking!!!!!!!!