With apologies to Larry Ellison

When I first learned about NSA’s massive surveillance effort as revealed by Edward Snowden, particularly the Internet data slurping XKEYSCORE program, I almost immediately thought, “Well I guess that’s another fortune Oracle made off my taxes!” Given the latest in-depth report that for the first time provides some technical details about XKEYSCORE, it seems I may owe Oracle an apology: if the latest materials released can be believed (that is, do not contain NSA misinformation planted in the event the program was blown), Oracle made nothing on the deal.

“XKEYSCORE: NSA’s Google for the World’s Private Communications” by Marquis-Boire, Greenwald and Lee of The Intercept reveals that NSA used Red Hat Enterprise Linux, Apache and MySQL to build the XKEYSCORE system, not Oracle’s “camel by committee” Database, Solaris O/S or OHS (Oracle HTTP Server). Having worked with both the former open source and latter proprietary Oracle products over a twenty-year career in Information Technology, I can’t say I’m really surprised. What NSA did was something that had never been done before, and it makes sense that they’d want maximum efficiency, reliability and flexibility to get the job done.

One thing that I was right about, however. Over the years I’ve maintained that while the NSA’s system might impress tech-ignorant Senators, Congressmen and Executive branch bureaucrats, including the Admirals and Generals who command the NSA and our other military intelligence agencies, on close examination it would probably amount to a collection of cleverly crafted regexes (regular expressions) that in the end would never be able to adequately deal with the mass of data being collected.

The parade of terror attacks in the years since 9-11 such as the Boston Bombing and this week’s attack on military recruiting offices in Kentucky are proof that sifting through the private Internet messages of every living soul on the planet is a bad strategy. What we really need are real “ears on the line” and “boots on the ground”, preferably a majority of whom can at least successfully ask for directions to the bathroom in Pashtun, Farsi and a dozen other languages spoken by actual “persons of interest”. This goes double for computer security (vaingloriously now referred to as “cyberwar”). The monumental data breaches experienced by both private industry and government have not only amounted to an egregious failure to detect, but also to counter, serious threats to our security and economic well-being — due to shocking ignorance at the top of what it takes to get the job done (hint: begin with seasoned, mature computer professionals with a track record of not stalking current or potential sexual partners on FaceBook — or World of Warcraft).


About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).