Only got themselves to blame.
I'm struggling to feel any sympathy for his co-workers, but is anyone really surprised that even in the NSA people don't quite get the importance of credentials being private?
Edward Snowden persuaded his NSA colleagues to hand over passwords which he later used to download top secret material and leak it to the press. According to a report on Reuters, the whistleblower cribbed login details from up to 25 co-workers, who have now all been questioned and moved on to different jobs. It is not known how …
"I'm struggling to feel any sympathy for his co-workers, but is anyone really surprised that even in the NSA people don't quite get the importance of credentials being private?"
The officials who provide oversight over this whole mass surveillance shebang really need to be investigated themselves. Snowden did all this stuff on their watch, and it has shown that their oversight of these operations has been opaque, inadequate and ineffective.
If they had any sense of duty to the nation they would be working hard to fix the lack of oversight that led to Snowden gaining access to this stuff just by asking people for their credentials, instead of wasting valuable time vilifying Snowden.
I do wonder if any of those cretins have actually considered the possibility that if Snowden could get this info so easily in such a short period of time, then perhaps the angry blow shit up type terrorists already took that same information (and more) several times over.
No surprise at all. Although I do feel some sympathy for the workers who have been reprimanded and maybe even fired for this. As someone who has had the need in the past to work on people's workstations while they were logged in as themselves, it comes as no surprise whatsoever the ease with which people will hand over their passwords.
OK, I've never worked for the NSA and I don't know what kind of general computer security training they gave their people before Snowden (I'd put money on it being a hell of a lot better now!). But I have worked at small private companies, large multinationals and even the public sector. In each scenario, a great deal of trust is placed in sysadmins, as they have to deal with users of varying technical abilities, and have access to highly sensitive information. In every job I've had, the user mindset has been "oh, he works in IT, he's trained in data security. He has more access to my system than I do and can access all sorts of data, so there's no problem handing over my password." Even when I've not asked for it (I try not to, and if the need does arise, I tell them to reset it as soon as I've finished).
It might not be right, but it's the way it is in many office environments.
This is the same thing with the IRS. Blatant violations of laws and protocols designed to prevent people in Government from abusing their authority and less than nothing done.
People transferred to a different position. Probably a better one.
A.C. for obvious reasons. Yeah I know they can't probably get my name but at least they have to work at it a little.
You've got to wonder how many of the people holding security credentials stole material from the NSA and sold it to China instead of going to the papers like Snowden.
I'm guessing that for every one Snowden running to the press, there's possibly 100 or 1,000 inside guys selling our private data to foreign governments or to cyber-crime gangs.
Work is no longer what it used to be!
In the "good olde days", as long as you stayed loyal and toed the company line, your pay grade would click up one notch every four years, you were taken care of and you would get a gold watch & a pension after 25!
Today, we are not people, we are "resources". We know that the HR vultures always have a beady eye out for cheaper labour that can be abused harder, businesses are contracting and hiring through third-party agents to avoid any costs associated with employing and disposing of said "resources", there is generally no training and no career offered (or possible because of reorganisation every 3 years) - and yet - businesses and three-letter agencies assume loyalty from their disposable assets?!
The smart young things especially know "what the gig is": "Dump on Them before they dump unto Thee", "Grab the cash, Build a Stash", "Be liquid and rent, everything you 'own' will be used to blackmail you" etc.
Well, our leaders wanted a highly competitive society and now they are about to get it.
I have known it be worse than that but NOT in a security situation. In one location the passwords were handed out on the basis of the seniority of the holder and the severity of the impact of the possible actions. Thus the most senior staff member had the passwords that could do all the nasty stuff, e.g. format everything, shut everything down, etc., whereas the staff who knew what they were doing had the password rights that allowed them to turn on the pretty lights. Consequently everyone used the password of the most senior staff member! I kid you not.
*Actual commands, details of the rank of people and the location have been obfuscated.
you're really not getting it. let me break it down for you: THERE IS NO ANONYMOUS
> You've got to wonder how many of the people holding security credentials stole material from the NSA and sold it to China instead of going to the papers like Snowden.
Or even some other intelligence agency or organised crime group discovers that they were looking at something naughty online and uses that to blackmail them into handing over something pretty harmless, and then uses the proof that they handed this over to demand something more significant.
"Only got themselves to blame" takes a very simplistic view of how things work. Even in the most paranoid of institutions, people need to be able to have some trust or they would not get things done.
When I was in the army, I worked some time in IT. The generals kept forgetting their passwords, so we ended up assigning the generals passwords which were printed out and kept on a list for everyone to reference. For a while, we made it easy for ourselves by assigning them all the same password.
Now as it turns out, pretty much nobody doing IT was vetted at all (I certainly wasn't and would have failed miserably - being associated with various "known" people - including a guy who was in jail for espionage). And I had all the generals' passwords.
You can guarantee the same happens in ALL government organisations, spooks or not. It probably happens in most banks too.
Looks like I spoke too soon.
From this evening's New York Times: "Bribery Case Implicates 2 Admirals: Two United States admirals, including the Navy's CHIEF INTELLIGENCE OFFICER, were stripped of their access to classified information on Friday after being implicated in a contracting scandal that federal prosecutors are investigating in San Diego."
Spooks and other people's money. Like flies and dog crap.
Oh it's guaranteed that the NSA and whatnot have been penetrated many, many times. The difference between those occasions and Snowden's, is Snowden was honest and told the world what a cock-up the NSA was, ditto the GCHQ, whereas the ones before him would've sold the info on to interested parties.
You do have to wonder why the NSA, with a multi-billion dollar budget and access to some of the best minds in the business, are not using two-factor logins of some description. Snowden would have fallen at the first hurdle were a random number fob or a fingerprint (or both) needed to get into machines; certainly an override system would have had to have been present also, but such an override would be very heavily audited indeed.
Perhaps there will be some openings in the NSA for people who know about basic security...?
"The officials who provide oversight over this whole mass surveillance shebang really need to be investigated themselves."
No, I don't mean Obama, I'm not really sure how you came to that conclusion... Like it or not, this stuff didn't start on his watch... I was referring to the various committees, judges etc. that are meant to establish the rules and laws which the spooks operate under, monitor their behaviour and enforce sanctions should they fail to comply with the rules/laws.
You need to be able to rely on the man next to you. It is the basis of being honourable and trustworthy.
Funnily, the actions of the NSA are the opposite of this and yet they seem surprised when one of their rank (who appears to have morals) doesn't hold up those values.
I rely on my co-workers to be honorable and trustworthy. I do not give them my passwords.
And I wouldn't hire anyone in a technical position who believed that the sysadmin needed other people's passwords. I wouldn't hire somebody to clear paper jams who believed that.
I truly wish I could live in your utopian world.
Sounds like the perfect candidate to clear paper jams.
Wouldn't security screening be more reliable if they just got them to drink a cup of tea and got an expert to read the tea leaves? Or read the bumps on their head?
Yes, I saw that one too. So much for polygraphing - or maybe they forgot that vital question:
"Are you planning to leak all our secrets?"
Duh. For an outfit absorbing a bazillion dollars per annum in budget they sure have shit internal segregation. Whoever was responsible for internal security should get the rubber hose treatment - if I had this security even at a bank I'd expect to be escorted out of the building on the next audit.
especially if you've been polygraphed, you're an insider and you are presumed to be trustworthy
Wonder Woman's lasso of truth (or whatever it's called--actually that was a lucky guess) is more believable. Bizarrely enough, the same guy who invented that also contributed to the invention of the polygraph.
"Wonder Woman's lasso of truth"
That has some foundation in reality. In her prime (and that cute outfit), I would have told Lynda Carter anything.
Even though they're surveilling everything, we're told that all this data they're slurping up is all held safe, they know how to protect it and vet the people who have access to it so we can trust they won't abuse this capability etc. etc. - our private business will remain private.
And they continue with this nonsense even when it's now perfectly clear they could not even protect their own top secret secrets from a low level third party contractor who it appears had access to virtually everything they were doing.
NSA security lapses notwithstanding, it is not clear (yet) that Snowden took anything but the metadata - the slides and documents that describe the data being collected and its processing. From the NSA perspective that's undoubtedly quite awful, maybe worse than the collected data. For those about whom data was collected that could be good news, if you trust that he didn't have access to it, or chose not to bother.
Mention of borrowed passwords, though, suggests he took pains to gain access to systems that contained the collected data, so I would guess some of that went with him as well.
"Trust me, I know what I'm doing." Also sprach Sledge Hammer.
Believe you me, the NSA has been putting backdoors in security products as fast as it can, under the impression that only it can use them. At the same time it's been piling up all this lovely metadata.
Google got rich on metadata. Now when some "interested party" pwns NSA, they'll have the keys to the economy of the US, the UK, the Rest of Europe - sorry, Yorp - and the Rest of the World. In a better world, the NSA would be tarred and feathered and ridden on a rail out of town.
North American Insecurity or Unsecurity?
When I was a sysadmin a few years ago, the usual helpdesk call was "I've forgotten my password, can you tell me what it is?" Nobody believed me when I stated I didn't know what their password was, but I could reset it for them to create a new one.
So being a sysadmin in a large corporation, I guess many people *think* the sysadmin knows the passwords, and an obscure remark in passing like "Oh, BTW, I need to fix your mailbox, what is your password again?" will work.
As part of the yearly cleared security update you have to take an online security refresher course. It now includes a test question part where an admin asks for your password.
OK, suppose the pass mark is 90% and the user gets that one wrong but still gets 91%?
If so, then getting that question wrong should mean 0% - failure to pass.
Is that how it works?
"being sysadmin in a large corporation, I guess many people *think* the sysadmin knows the passwords..."
But the NSA isn't just any large corporation, security is their one and only job. And screening notwithstanding, they should be working on the assumption that at least some of their staff are Chinese, Russian etc spies who got through one or more layer of security. That's why you have multiple layers / levels of security and Chinese walls.
How hard is it to make sure that all new hires / contractors know not to give their password to anyone?
NSA double-fail, they're not only illegally slurping data, they can't even protect it
Not in the least!
I just had a user hand over their password yesterday, without asking! The user asked our team to look into why they didn't receive the messages people said they sent. I told the user we can't see that, we have no access to their mailbox, and the password was in the updated helldesk ticket within 2 minutes.
Truly amazes me....
A pint as it's already beer:30
Sign them up to a goat fetish mailing list...
"But the NSA isn't just any large corporation, security is their one and only job."
Uh... no. 'Security' is in the name, but in true Orwellian doublespeak, their main purpose is to *break* others' security, and obtain all the data they can.
Compartmentalization. Having worked on the periphery of Dept of Defense projects, I've seen quite a bit of this at private contractors. "I have a top secret clearance. So let me see your blueprints." Nope. You have clearance for your project. I have clearance for mine. There are very few people in the DoD chain of command that are authorized to see everything. Never mind the private contractors.
In fact, (and contrary to what I've heard in a few pubs down the road from the plant after work) you're not even supposed to run around telling the public what sort of clearance you've got. Impress the cocktail waitress with some other story.
...What's sauce for the goose...
All new employees in my office are given the same boring speech.
It doesn't matter who asks, never ever give your password to someone else, not me, not your immediate boss and definitely not a "friend". Yes, I have the means to change your password, but no, I do not have the means of knowing your current password (except when I look over your shoulder and follow your fingers - corporate policy makes this a little difficult though - 9 chars min, 3 different types). If you give your password to someone else then you accept all responsibility for any and all of the resulting consequences.
Giving your password to someone else is like putting your finger on the trigger of a loaded gun.
Very familiar, but what one has to try to do is to make those co-workers and bosses, who stand behind the person who has to enter a password, voluntarily turn their heads. I have seen people in a higher position getting pissed off when asked to look the other way for a second. Some funny memories regarding passwords: a girl at a customer whose password I had to ask for, several other persons present. She got very upset, disturbed and blushing. I finally asked her to write it down and give it to me. What a happy face, and a password I can still remember.
PS. Kaptain, my advice for password, long ones, is to have a "story" easy to remember, like "mypussycatwentupthethree", "ilikestormyweatheratsea" and such.
Spill the beans what was it?
I can honestly say that I have never been asked for a password nor have I ever asked anyone for theirs. I have been asked to log into a system and let the technician do something while I watched, or more likely to log in and then demonstrate an issue. I was usually asked to change my password once the job was done - a point was always made to turn away when passwords were entered.
This was not in a 'security activity' as such, but anyone asking to borrow a password would be refused. Anyone requesting a password that carried any operational impacts, would have been invited to join the foreign office and start travelling.
I find it unbelievable that an organisation using the TLA of NSA understood so little and had staff who clearly knew so little about what their job involved.
For one job the 'ever-so-casual-chat' warned about far less blatant risks along the lines of 'never do favours for or accept favours from strangers'. Even selling an account of a holiday or, e.g., nature observations on perhaps a nesting bird to a hobby magazine could be a threat to continued or even any future employment.
>Very familiar, but what one has to try to do is to make those co-workers and bosses, who stand behind the person who has to enter a password, to voluntarily turn their head.
Normally I would make the situation into something funny. If I am at my desk, or someone else's for that matter, and I need to enter an admin account/password I will ask anyone watching if they are an "undercover agent" trying to get hold of my password by watching my fingers, always in a light-hearted tone. I can't think of many/any occasions where they didn't realise what they were doing and immediately look away.
I always turn away when someone's entering a password/pin, since as administrator, I can copy their /etc/shadow entry, change their password, do anything, and then restore the original entry...after killing auditd.
DoD password rules for administrators, as I recall from a few years ago:
Minimum length 13
Two or more upper case letters
Two or more lower case letters
Two or more numerals
Two or more punctuation characters
Changed no less often than every 60 days
Different from all of the last 10 passwords
Different from all passwords used in the last year
Put your story to that.
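A checker for the rules listed in that comment, written as an added example (not from the original thread or any DoD tool): it scores a candidate password against the complexity rules, then checks rotation age and both reuse rules against a password history, which is where "last 10" and "last year" turn out to be different tests. Dates, passwords and history below are constructed for the example; a real system would keep salted hashes in the history, not plaintext.

```python
import string
from datetime import date, timedelta

# Rules as quoted in the thread (constructed constants, not an official spec)
MIN_LEN = 13
MIN_PER_CLASS = 2        # upper, lower, digit, punctuation each
MAX_AGE_DAYS = 60        # changed no less often than every 60 days
HISTORY_COUNT = 10       # different from all of the last 10
HISTORY_DAYS = 365       # different from all passwords used in the last year


def complexity_failures(pw):
    """Return the names of the complexity rules the password breaks."""
    fails = []
    if len(pw) < MIN_LEN:
        fails.append("length")
    counts = {
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "punct": sum(c in string.punctuation for c in pw),
    }
    fails.extend(name for name, n in counts.items() if n < MIN_PER_CLASS)
    return fails


def history_failures(new_pw, history, today):
    """history: list of (password, date_set), oldest first.
    The two reuse rules overlap but are distinct: an old entry can fall
    outside the last 10 yet still be less than a year old, and vice versa."""
    fails = []
    if new_pw in [p for p, _ in history[-HISTORY_COUNT:]]:
        fails.append("reuse-last-10")
    cutoff = today - timedelta(days=HISTORY_DAYS)
    if any(p == new_pw and d >= cutoff for p, d in history):
        fails.append("reuse-within-year")
    return fails


def rotation_due(history, today):
    """True when the current (most recent) password is 60 or more days old."""
    if not history:
        return True
    return (today - history[-1][1]).days >= MAX_AGE_DAYS


# Constructed sample history: 12 rotations, 30 days apart, from 2012-12-01
SAMPLE_TODAY = date(2013, 11, 9)
SAMPLE_HISTORY = [
    (f"Rotated#Pass{i:02d}!Qz", date(2012, 12, 1) + timedelta(days=30 * i))
    for i in range(12)
]

if __name__ == "__main__":
    for candidate in ("mypussycatwentupthethree", "MyPussyCat#went-up2the3tree!"):
        print(candidate, complexity_failures(candidate))
    print("rotation due:", rotation_due(SAMPLE_HISTORY, SAMPLE_TODAY))
    print(history_failures("Rotated#Pass00!Qz", SAMPLE_HISTORY, SAMPLE_TODAY))
```

The all-lowercase "story" passphrase from the earlier comment fails three of the four class rules even though it is long enough, while the oldest sample entry is outside the last 10 but still caught by the one-year rule.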
"Put your story to that."
No story necessary - I think a sheet of A4 with all the rules and a list of the last 10 passwords stuck to the side of the monitor would be helpful, or not much work would be done.
"I have seen people in a higher position getting pissed of when asked to look the other way for a second."
Poor use of social engineering. You turn around, look past them and exclaim, "Look at the t*ts on that secretary!"
As British, did not have to add communists and socialists to his smoke screen.
Bernard Law Montgomery was a committed socialist, as was nearly everyone under him, and the other 2/3rds of HM armed forces were the same. It didn't last of course, but Russia was paranoid about its publicity and had a seriously determined attitude about catching spies.
Even that fat drunk Churchill played into Stalin's hands time and again. Not with little things like all our used aircraft but really big stuff like Eastern Europe. What he wasn't giving to Russia he was letting the USA roll over. The idiot was a far bigger menace than any of the moles Russia had here from Klaus Fuchs on.
I don't doubt for a moment it only got more and more sordid. The absolute antithesis of every James Bond film.