NSA Can, But Should They?

Laws and oversight are the mechanisms used in free societies to limit what is allowed to be done out of the things that can be done.

As a 30+ year computer professional (e.g. geek) (who managed to CLEP college English), I fear computer-people and non-computer-people are talking past each other regarding the NSA revelations due to semantics.

Younger computer-people, like Edward Snowden, have grown up in an environment of "if it can be done, it will be done." The only practical restrictions on something are those that the computer system enforces.

Thus, when Mr. Snowden says that any analyst can tap any phone, in a technical sense he is probably correct. Certainly any Systems Administrator, as he apparently was, has the knowledge, tools and "system authority" (e.g computer-enforced authority) to do anything the computer system is capable of. He could not administer the system if he didn't.



The semantic problem occurs with the word "administrator," which almost universally denotes some kind of organizational authority. However, in the world of computers that's not true. Instead, "administrator" is usually applied to a role (login/account) that the computer is configured to grant unlimited or almost unlimited functionality to. A computer system cannot be maintained without administrators (usually several) because many failure modes prevent any other kind of access.

In order to stop errant or malicious programs, run-away processes, make system-wide changes, or do any of countless other critical tasks, systems administrators usually have few if any computer-enforced restrictions. On Microsoft Servers, these "God Rights" are usually referred to as "administrator rights". In Unix/Linux systems, they are embodied in the root user (Superuser). (Thus "rooting a system" means gaining the ability to login as the root user and thus the ability to alter anything in the system.)

An analogy is useful here...

Police have the knowledge, tools, skills and often the motivation to harm or kill anyone they want. There is no physical way to insure that an officer cannot pull out his gun and start shooting random people. We could disarm them as England used to do, but in this country, an unarmed officer would probably be a pretty ineffective one. We have thus designed an extensive set of laws to inflict grave consequences on any officer who might do harmful things outside of a narrow set of acceptable circumstances.

CONCLUSION
The most effective and practical way I've encountered to minimize the risk of unauthorized actions by administrators is to have a number of them, working collaboratively, so they are constantly using and modifying each other's configurations and code. Nothing one administrator does can be hidden from the others. Actions with potential loss of data or downtime are carefully planned as a team and scripted to the greatest extent practical. Major operations such as operating system upgrades and bulk database updates are performed by at least two administrators constantly cross-checking each other on every step.

Large system security, both in the sense of authorized access as well as data preservation and system reliability, cannot be achieved by software alone. It requires thoughtful organizational policies that make effective use of redundant personnel and procedures.

No comments :