Hacker News

Which is funny, because I thought mandatory access control was the key feature that the NSA added in SELinux.


Yeah, everything I've been seeing seems to be that they seriously threw out everything about being competent in the 1990s, and then blew up into something huge (and incompetent) in the post-9/11. Hayden does not seem to have been a good director at all, at either NSA or CIA, and was responsible for the big push toward contractors as well.


Right? What happened to "No read up and no write down" and all the other gnarly things from the Orange Book and its colorful friends?


Probably in the 1990s when they moved operational systems from timeshare/unix/etc. multiuser to a bunch of networked Windows desktops for all use, not just office automation (which is how they brought them in originally).


SELinux is no match for a poorly set-up database.


Sure, and SELinux itself can be poorly configured. Security measures in general need to be thought through in the context of the actual deployment. I just meant that mandatory access control of the general sort needed here has obviously been historically on the NSA's radar (more so than the rest of the world, even) and here they are failing at it, and that's a little bit sad and a little bit funny in addition to everything else that's going on.



